Network Security Focus-Virus


Subject: Re: what is the best procedure to track down a potentially new virus/worm/etc?
Date: 16 Dec 2004 16:42:51 -0000
In-Reply-To: <41BF4C2B.5080704@technicalworks.net>

John,

If it were UNIX, I could use commands like socklist and netstat to
track down the malware processes. But in Windows XP, I don't know what
to use. Are there any built-in utilities? Some freeware stuff? All
help is welcome.

This is the link I meant to send :)
http://www.sysinternals.com/ntw2k/utilities.shtml

While these tools are excellent, they are just tools, and have limitations.
For example, autoruns.exe (and the CLI variant, autorunsc.exe) are great tools.
Pslist.exe, however, does not provide information regarding the path to the
executable image of the process, or the command line used to launch the process.
When using the SysInternals utilities to collect data, you have to correlate
between multiple tools (pslist, handle, listdlls), which can be extremely time
consuming.

For what the original poster (OP) asked for, all it takes is a tool to get the
command line of the processes (i.e., tlist.exe, from the MS Debugger Tools), and
openports.exe (for process-to-port mapping; 'netstat -ano' can also be used for
this). Once he has this information, he will know where the bot is located on
the system. Add in autoruns.exe (mentioned above), and he knows which
autostart location is employed by the bot, if at all. He can then clean the
system and attempt to determine the infection vector.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
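The correlation the reply describes, as an added example that is not part of the original message or its author's work: a short Python script that joins the text output of `netstat -ano`, a process listing that carries image path and command line, and a `reg query` of the Run key, by PID and by image path, so that a socket to a suspect remote host leads to the binary on disk and to the autostart entry that launches it. All three sample outputs are constructed for this example. The CSV column names follow the shape of `wmic process get ProcessId,ExecutablePath,CommandLine /format:csv` and the `reg query` layout is an assumption, so adapt the two parsers if your tool's output differs; the remote host 203.0.113.5, the hostname VICTIM and the binary name sample_bot.exe are placeholders.

```python
"""Join netstat -ano, a process listing and Run-key output by PID and image path
to find the binary behind a suspicious socket.  Sample outputs are constructed."""
import csv
import io
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_addr local_port remote state pid")
Proc = namedtuple("Proc", "pid path cmdline")

# Constructed `netstat -ano` output (XP/2003 layout: UDP rows have no State column).
NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1420
  TCP    192.168.1.10:1035      203.0.113.5:6667       ESTABLISHED     1420
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       2040
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed process listing; column names assumed from
# `wmic process get ProcessId,ExecutablePath,CommandLine /format:csv`.
# The parser reads columns by header name, so their order does not matter.
PROCLIST = r"""Node,CommandLine,ExecutablePath,ProcessId
VICTIM,,,4
VICTIM,C:\WINDOWS\system32\svchost -k rpcss,C:\WINDOWS\system32\svchost.exe,876
VICTIM,"C:\WINDOWS\system32\sample_bot.exe -s",C:\WINDOWS\system32\sample_bot.exe,1420
VICTIM,"C:\Program Files\Internet Explorer\iexplore.exe",C:\Program Files\Internet Explorer\iexplore.exe,1508
"""

# Constructed `reg query HKLM\...\Run` output (layout assumed: key line, then
# "    <name>    <type>    <data>" lines).
RUNKEYS = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SynTPEnh    REG_SZ    "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    SampleBot    REG_SZ    C:\WINDOWS\system32\sample_bot.exe -s
"""

_SOCK_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_VAL_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_netstat(text):
    """One Socket per connection row; state is None for UDP rows."""
    socks = []
    for line in text.splitlines():
        m = _SOCK_RE.match(line)
        if m:
            proto, laddr, lport, remote, state, pid = m.groups()
            socks.append(Socket(proto, laddr, int(lport), remote, state, int(pid)))
    return socks


def parse_proclist(text):
    """PID -> Proc, read by column header so column order is irrelevant."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        pid = int(row["ProcessId"])
        procs[pid] = Proc(pid, row["ExecutablePath"] or None, row["CommandLine"] or None)
    return procs


def parse_run_keys(text):
    """(key, value name, data) for every value under each key in reg query output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        else:
            m = _VAL_RE.match(line)
            if m and key:
                entries.append((key, m.group(1), m.group(3)))
    return entries


def join_sockets(netstat_text, proclist_text, runkey_text):
    """Attach image path, command line and matching Run-key entries to each socket."""
    procs = parse_proclist(proclist_text)
    entries = parse_run_keys(runkey_text)
    rows = []
    for s in parse_netstat(netstat_text):
        p = procs.get(s.pid)  # None: the PID exited between the two snapshots
        auto = [f"{k}\\{n}" for k, n, d in entries
                if p and p.path and p.path.lower() in d.lower()]
        rows.append({"pid": s.pid, "proto": s.proto,
                     "local": f"{s.local_addr}:{s.local_port}", "remote": s.remote,
                     "state": s.state, "path": p.path if p else None,
                     "cmdline": p.cmdline if p else None, "autostart": auto})
    return rows


def owner_of_remote(rows, remote_ip):
    """Rows whose foreign address is the given host (port stripped)."""
    return [r for r in rows if r["remote"].rsplit(":", 1)[0].strip("[]") == remote_ip]


if __name__ == "__main__":
    for r in owner_of_remote(join_sockets(NETSTAT, PROCLIST, RUNKEYS), "203.0.113.5"):
        print(r)
```

Take the three snapshots back to back on the suspect host, since PIDs are reused and a process that exits between `netstat` and the process listing shows up with an empty path (PID 2040 above). PID 4 (System) owning TCP/UDP 445 is normal on XP and is not a finding.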
