Tuesday, February 15, 2005

Incidents Question, part 1

I've been thinking about some of the stuff I've presented on, as well as talked to others about, and a thought came up...has anyone seen a compromised system with suspicious TaskScheduler jobs? Let me know...

2 comments:

Steve said...

On Windows systems I've seen malware use the task scheduler to infect victims. Some SMB worms (like Gaobot variants) attempt to exploit weak usernames and passwords, copy their binaries over to an admin share once they succeed, and schedule a task to kick it off. The task is can be kept on the system to periodically start the malware in case it is killed.

On Unix systems, I've seen cronjobs to shovel an xterm back to the attacker. It's an old trick, and one of the first things a Unix incident responder should look for...

Keydet89 said...

Excellent comment, Steve. However, as this blog is specific to Windows, I think that incident responders should include tools to check the contents of the Tasks directory, as well.

Specifically, as I pointed out in my book, a scheduled job that has it's .job file with the hidden bit set (ie, attrib +h) will not appear by default in 'dir', or the unmodified Windows Explorer, or in the Scheduled Tasks window.