Wednesday, March 16, 2005

What is this thing called, love?

Okay, the title of this entry is an obscure reference to Benny Hill, but fans of the show may remember it...

I see it all the time, and I saw it again last night..."I found a strange program on my computer, with a reference in the Registry, and I don't know what it is...does anyone know anything about this program called enter name here?"

I've got to have a hotkey for the response to this, because it's encyclopedic, and getting tiresome to write it over and over again.

First off, files on Windows systems can be named anything, so posting just the name of the file can be pretty useless. Sometimes if you Google for it, you may get a hit, but you have to be very careful...if you Google on the name of a file you found and that's the same name as was used by a bit of malware a couple of years ago, you'll get erroneous information. So, go ahead and Google, but check what you find very carefully.

Next, saying that you ran anti-spyware and -virus tools doesn't say much, unless they're current versions and up-to-date. So, if you're going to run these tools, make sure they're updated just prior to running them. Also, if you're posting to the public lists, it might help to specify the tools and versions you're using.

Now, let's say that you find this unusual program, and it's actually running as a process. If this is the case, and you really want to know what that program is doing, try collecting information about the process. One thing you'll want to know is the command line used to launch the process...something you can't get from Task Manager. Tools I've recommended in the past include tlist.exe (free, part of the MS Debugging Tools), cmdline.exe, or WMI (using the Win32_Process class). The command line will give you the location of the executable image within the file system, as well as any command line arguments used...which can be important.

Now, let's get some info about the process itself. Tools I'd recommend running include handle.exe, listdlls.exe, and openports.exe (I prefer openports over fport, as it doesn't require an Admin account to run). If you're on XP SP2, run 'netstat -anob', as well. Another good tool for process-to-port mapping is PortQry v2.0. Then, dump the memory used by the process with pmdump.exe...this can create quite a large file, so you may want to zip it up.

You'll also want to check to see where the file is referenced in the Registry, if at all. One of the best tools for doing so that I've found is AutoRuns. Another good tool is SilentRunner.

Another important tidbit of information is how long the process has been running...something you can get with pslist.exe. Compare this to the uptime of the system (from psinfo.exe) and you will be able to ballpark about when the process was launched on the system. You may also want to get the LastWrite time of any Registry keys that reference the executable image...this may assist you in pinpointing when the program was installed.

If you're going to ask people about this file, use the tools I've listed to collect information about the file and process, piping the output to files. I recommend the use of command line tools, as they are easy to script. Archive this information, and make it available. Maks sure that you include a copy of the file itself.

If you want to look at the file yourself, I'd recommend pulling file version information (I use Perl and the Win32::File::VersionInfo module), as well as running strings, Dependency Walker, and any other tools you can think of against the file. If you're good with a debugger, try that.

So...posting the name of a file and nothing else is pretty pointless these days. If you're interested in knowing what a process is up to, or what file does, either collect some information about it and submit that information for analysis, or analyze it yourself. But keep in mind that determining how it got on your system is an entirely different matter...

3 comments:

Brandon said...

Good stuff again Harlan.

But on an unrelated note and kind of going back a post or two, I noticed that a new version of Helix was just released and I was wondering if you ever use any bootable distros in your forensic endeavors?

I haven't used it for a live acquisition but have been thinking about trying it as they have added some new functionality and features for the "Windows side" as it were.

Adam said...

You can make Goggle a little more accurate by making sure you find the default path to the file, but even then I still don't rely on it.

Here are some cool virus scanners you can use:

VirusTotal - At the top you can submit a file and have it scanned by multiple anti-virus vendors.

Jotti's Virus Scan - Same as the above but tries to run it in a sandbox to give more information.

Trend Micro's Online Virus Scan - Scans online which can be good if the malware disabled your AV software.

Panda Scan Online virus scanner - Same as above.

Keydet89 said...

Brandon,

Yes, I've looked at some of the Linux distros, but they don't serve well for "live acquisition", simply because by booting to Linux, you've "killed" the Windows side.

I like Helix...I met Dru at the HTCIA2004 conference, albiet briefly, and thanked him for providing some of the tools I've written on the Windows side of Helix.

I've started exploring the use of ProDiscover for live imaging, and so far, I like it.