These articles provide the basis information about how to identify the infection on the systems at first level. There are some basic levels IOC (Indicators of compromise) which can help to confirm malware infection.
Below are the methods/ways which help us to proceed for confirmation.
1)Manual Method
2)Using Sysinternals
3)Using Redline Tools (Mandiant)
Manual Method:
Unhide hidden files/Folders/Drives:
To view the hidden malicious binary kindly go open Windows Explorer Tools Folder Options –Go to View Tab (refer below snap)
I.Uncheck below highlighted options to view hidden files/folders.
a.Hide empty drives in the Computer Folder
b.Hide Extensions for known file types
c.Hide protected operating system files (Recommended)
II.Select the “Show Hidden files, folders and drives” options.
1. Using Netstat:
Netstat is a common command line TCP/IP networking utility available in most versions of Windows, Linux, UNIX and other operating systems.
This command is useful to see the currently established connection with foreign IPs with port & protocol wise details.
State Details:
C:\>netstat –ano | findstr ESTABLISHED
TCP 172.16.174.228:59011 172.129.4.10:443 ESTABLISHED 8116
TCP 172.16.174.228:59025 172.66.15.20:39331 ESTABLISHED 8116
TCP 172.16.174.228:59065 172.128.30.85:8000 ESTABLISHED 452
TCP 172.16.174.228:59102 172.128.27.42:10123 ESTABLISHED 4892
TCP 172.16.174.228:59158 172.77.4.16:58734 ESTABLISHED 160
TCP 172.16.174.228:59179 172.137.12.41:445 ESTABLISHED 4
TCP 172.16.174.228:59723 172.135.128.228:8080 ESTABLISHED 2220
TCP 172.16.174.228:59736 172.66.24.17:443 ESTABLISHED 8116
TCP 127.0.0.1:6129 127.0.0.1:53398 ESTABLISHED 1532
TCP 127.0.0.1:53398 127.0.0.1:6129 ESTABLISHED 4064
C:\>netstat –ano | findstr LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1056
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4080
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 172.16.77.174.228:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:8307 0.0.0.0:0 LISTENING 4080
TCP 127.0.0.1:53507 0.0.0.0:0 LISTENING 6904
TCP 192.168.56.1:139 0.0.0.0:0 LISTENING 4
Here we will get information about current foreign connection. Help to analyse the incident.
I recommend you to use this commend first while analysing the incidents because, we can filter out the query for live traffic as per our requirement like live port communication/foreign IP communication/State/PID Value and Protocol
2.Tasklist:
Syntax: TASKLIST [/S system [/U username [/P [password]]]] [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
(For GUI: use task manager)
Note: You may require the basic knowledge about system running default processes + whitelisted application processes.
3.Task Manager:
4.Msconfig:
Tick the “HIDE ALL MICROSOFT SERVICES” SO ALL MS services will get hide. Analyse the remaining services are related to whitelisted application or not and trace the unknown process/Application running the services and uninstall it asap.
We can validate which service is required to run on system start-up.
5.Registry:
Easiest way to identify is to use registry path:
HKLM\Software\Microsoft\Windows NT\current Version\Run & \Runonce
Here you will get details about the application which are set to run itself when OS boot.
6.Common Path to Dump The Binary Files:
Like: %temp%, %Appdata%, system32 etc & Documents Folder.
You may confirm the binary files is suspicious or not by uploading the same file on Virustotal.com /metascan.com site to confirm the status.
7.Scan With Anti-Virus:
8.Use Virus Total / Metascan:
This is simplest and fast method to detect the binary files malicious status.
You may scan files (upload limit: Max 128 MB size)/URLs/IPs and HASH to check the status. Security Analyst using this site for first level analysis.
9.Use Sandboxie:
Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.
Download URL: http://www.sandboxie.com/SandboxieInstall.exe
Using Sysinternals utility:
10.Using Process Explorer to Identify Malware:
Process Explorer is a free 1.47 MB download from the Windows Sysinternals web page on the TechNet site. Tool
List: https://technet.microsoft.com/en-us/sysinternals/bb545027.aspx
Useful Links:
• Hunt Down and Kill Malware with Sysinternals Tools (Part 1)
• Hunt Down and Kill Malware with Sysinternals Tools (Part 2)
• Hunt Down and Kill Malware with Sysinternals Tools (Part 3)
Video Demonstration: Malware Hunting with the Sysinternals Tools https://www.youtube.com/watch?v=Wuy_Pm3KaV8
Using Redline Tools (Mandiant):
MANDIANT transforms how organizations detect, respond to, and contain security breaches. Through our commercial and free products, we equip front-line incident investigators with superlative tools and technologies that support them in providing a quick and effective response when organizations need it the most.
Redline is MANDIANT’s free tool for investigating hosts for signs of malicious activity through memory and file analysis, and subsequently developing a threat assessment profile.
User Guide: https://dl.mandiant.com/EE/library/Redline1.11.1_UserGuide.pdf
Redline Features:
Rapid Triage
Reveals Hidden Malware
Guided Analysis
With Redline you can:
Your Good comments Encourages me to keep posting Nice Articles so keep Commenting & Sharing
Below are the methods/ways which help us to proceed for confirmation.
1)Manual Method
2)Using Sysinternals
3)Using Redline Tools (Mandiant)
Manual Method:
- In manual Method, we will use inbuilt utilities to confirm the status of infection like foreign connection from base OS, Unknown Processes running, system boot processes and application details from Msconfig and regedit. Learn step by step.
- Before Proceeding important note: Malware/Trojan/Virus/Worm Developer write a code in such a way that they always tried to evade detection from anti-virus.
- Initially they tried to hide once it dumped into the OS.
Unhide hidden files/Folders/Drives:
To view the hidden malicious binary kindly go open Windows Explorer Tools Folder Options –Go to View Tab (refer below snap)
I.Uncheck below highlighted options to view hidden files/folders.
a.Hide empty drives in the Computer Folder
b.Hide Extensions for known file types
c.Hide protected operating system files (Recommended)
II.Select the “Show Hidden files, folders and drives” options.
1. Using Netstat:
Netstat is a common command line TCP/IP networking utility available in most versions of Windows, Linux, UNIX and other operating systems.
This command is useful to see the currently established connection with foreign IPs with port & protocol wise details.
State Details:
- ESTABLISHED: Indicate that Still connection/communication is live.
C:\>netstat –ano | findstr ESTABLISHED
TCP 172.16.174.228:59011 172.129.4.10:443 ESTABLISHED 8116
TCP 172.16.174.228:59025 172.66.15.20:39331 ESTABLISHED 8116
TCP 172.16.174.228:59065 172.128.30.85:8000 ESTABLISHED 452
TCP 172.16.174.228:59102 172.128.27.42:10123 ESTABLISHED 4892
TCP 172.16.174.228:59158 172.77.4.16:58734 ESTABLISHED 160
TCP 172.16.174.228:59179 172.137.12.41:445 ESTABLISHED 4
TCP 172.16.174.228:59723 172.135.128.228:8080 ESTABLISHED 2220
TCP 172.16.174.228:59736 172.66.24.17:443 ESTABLISHED 8116
TCP 127.0.0.1:6129 127.0.0.1:53398 ESTABLISHED 1532
TCP 127.0.0.1:53398 127.0.0.1:6129 ESTABLISHED 4064
- LISTENING: Indicate that some service is running on listening ports or port may be opened for listening. This may ready to connect to the Server who hit on listening port.
C:\>netstat –ano | findstr LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1056
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4080
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 172.16.77.174.228:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:8307 0.0.0.0:0 LISTENING 4080
TCP 127.0.0.1:53507 0.0.0.0:0 LISTENING 6904
TCP 192.168.56.1:139 0.0.0.0:0 LISTENING 4
Here we will get information about current foreign connection. Help to analyse the incident.
I recommend you to use this commend first while analysing the incidents because, we can filter out the query for live traffic as per our requirement like live port communication/foreign IP communication/State/PID Value and Protocol
2.Tasklist:
- This command is useful to see currently running processes on the server or remote server.
Syntax: TASKLIST [/S system [/U username [/P [password]]]] [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
(For GUI: use task manager)
- It will give you details about the currently running application/services so easy to track unknown processes.
Note: You may require the basic knowledge about system running default processes + whitelisted application processes.
3.Task Manager:
- It provides limited information about computer performance and running applications, processes and CPU usage, commit charge and memory information, network activity and statistics, logged-in users, and system services. The Task Manager can also be used to set process priorities, processor affinity, forcibly terminate processes, and shut down, restart, hibernate or log off from Windows.
- The task list was capable of listing currently running processes and killing them, or creating a new process.
4.Msconfig:
- This utility we can use to see whether any unknown application is stucked at Start-up with Manufacturer details, command with full path of application, registry path.
- If we observed unknown application directly uncheck it & go to folder path, try to remove the file manually (use AV scan to validate/remove it).
- Go to registry path to remove the entry of application or use Ccleaner application to clear unwanted Data from registry.
- Advantage of this utility is to check the unknown process/services running.
Tick the “HIDE ALL MICROSOFT SERVICES” SO ALL MS services will get hide. Analyse the remaining services are related to whitelisted application or not and trace the unknown process/Application running the services and uninstall it asap.
We can validate which service is required to run on system start-up.
5.Registry:
Easiest way to identify is to use registry path:
HKLM\Software\Microsoft\Windows NT\current Version\Run & \Runonce
Here you will get details about the application which are set to run itself when OS boot.
6.Common Path to Dump The Binary Files:
- Whenever system get infected malicious binary file dump itself in windows file system. There is some common path where you can check for the same.
Like: %temp%, %Appdata%, system32 etc & Documents Folder.
You may confirm the binary files is suspicious or not by uploading the same file on Virustotal.com /metascan.com site to confirm the status.
7.Scan With Anti-Virus:
- Kindly update the Av version and scan whole drive using FULL scan method.
- It is recommended to use Full Version of AV, mostly tried to avoid cracked version as there is chances of infection from cracked version. Most of the hacker use this technique to infect the user systems.
8.Use Virus Total / Metascan:
This is simplest and fast method to detect the binary files malicious status.
You may scan files (upload limit: Max 128 MB size)/URLs/IPs and HASH to check the status. Security Analyst using this site for first level analysis.
9.Use Sandboxie:
Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.
- It is useful when we find the file and need to understand the functionality or infection level, this tool is useful.
- Most of the analyst use sandboxie to check the behaviour of malicious binary files.
Download URL: http://www.sandboxie.com/SandboxieInstall.exe
Using Sysinternals utility:
10.Using Process Explorer to Identify Malware:
Process Explorer is a free 1.47 MB download from the Windows Sysinternals web page on the TechNet site. Tool
List: https://technet.microsoft.com/en-us/sysinternals/bb545027.aspx
Useful Links:
• Hunt Down and Kill Malware with Sysinternals Tools (Part 1)
• Hunt Down and Kill Malware with Sysinternals Tools (Part 2)
• Hunt Down and Kill Malware with Sysinternals Tools (Part 3)
Video Demonstration: Malware Hunting with the Sysinternals Tools https://www.youtube.com/watch?v=Wuy_Pm3KaV8
Using Redline Tools (Mandiant):
MANDIANT transforms how organizations detect, respond to, and contain security breaches. Through our commercial and free products, we equip front-line incident investigators with superlative tools and technologies that support them in providing a quick and effective response when organizations need it the most.
Redline is MANDIANT’s free tool for investigating hosts for signs of malicious activity through memory and file analysis, and subsequently developing a threat assessment profile.
User Guide: https://dl.mandiant.com/EE/library/Redline1.11.1_UserGuide.pdf
Redline Features:
Rapid Triage
Reveals Hidden Malware
Guided Analysis
With Redline you can:
- Collect run processes, files, registry data, and memory images.
- View imported data, including narrowing and filtering results around a given timeframe using Redline’s TimeWrinkle™ and TimeCrunch™ features.
- Identify processes more likely worth investigating based on their Redline Malware Risk Index (MRI) score.
- Perform Indicators of Compromise (IOC) analysis.
- Use whitelists to filter out known valid data based on MD5 hash values.
Your Good comments Encourages me to keep posting Nice Articles so keep Commenting & Sharing
Trick to Identify the Malware Infection on Windows System | Infosecwithme Blog
Reviewed by BlackHat
on
8:33 PM
Rating:
Reviewed by BlackHat
on
8:33 PM
Rating:
No comments:
Thanks for Valuable Comment. I will review and get back.