Malware analysis is an essential activity of being security analyst. In this post I am going to provide a method of investigating windows machine for any malware instances. In this post you will learn how to do basic investigation in order to identify malware on windows system. Not only this you will also learn to know what type of mawlare that and to which domains it interacts with.
Get Microsoft Sysinternal tools.
The Sysinternals web site was created in 1996 by Mark Russinovich to host his advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.
From variety of sysinternal suite, we are going to use important tools such as:
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
|Click on the image to view in full size|
As you can see, some one part is highlighted as yellow. Yellow shows that file is not found on it's desired location which it intended to be. Apart from that whenever it appears as pink as shown in below picture: assume that process/file vendor signature verification/pattern matching is not found.
Those files are likely to be suspicious in most of the case.
|Click on the image to view in full size|
When such pink color entries appear you can do right click on that. It will show two options as follows:
1. Jump to entry
2. Jump to image
If you want to check registry entry of that suspicious process, you can select jump to entry as follows:
In case if you want to check the physical location of that file, click on jump to image option and it will land you on the location of that file.
Using Process Explorer:
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
After running process explorer, navigate to options and select 'Verify Image Signatures' option as shown in the below screenshot.
This options will check the image signatures of all running process with their respective vendors. Also check those pink entries in which signature verification got failed.That can be checked under 'Verified Signature' column in the main result body.
Checking for the unnecessary programs:
Visit control panel > add remove programs. Sort program entries by date and check if any unnecessary program is installed without your prior knowledge or not.
Checking port interaction with respective process:
Having an information of ports which interacts with certain processes also gives you a clue for further investigation. To know how each process interacts with their desired ports, you can simply give netstat -anb command in windows command prompt as follows:
Currently, my machine is not connected to internet so that is why it did not appear with any local or foreign port. If your machine is connected to internet and that suspicious file interacts with any foreign address, you can certainly investigate it by viewing this result.
Checking custom folders
Navigate to C\Users\
Checking startup programs
Run msconfig from 'Run' and check for startup programs entries. Find any unknown process and find the physical location of the file. Investigate that file further with www.virustotal.com and analyze the result carefully.
Checking with wireshark
Wireshark is good packet analysis tool. Using such tool you can always identify that if there are any unknown HTTP sites and servers where your machine is interacting? if yes you can further investigate those servers with various online domain tools.
AS you can see, this machine interacts with some website which its not intended to be. Now to investigate further lets open the packet.
As you can see this URL looks suspicious. Lets scan it with www.virustotal.com and then analyze the result carefully.
Thus how basic malware analysis for windows system can be carried away.