how to prove if windows machine is infected?
Hi,
Assume a window machine that did network scans on a specific port.
Multiple AV wear run on the machine and turned out nothing.
How would you prove/disprove that machine is infected?
Sin-cerely,
Trol
I would be pretty comfortable if md5 hashes of executables and configs matched a known-good record. "Proof" is a big word here, it is difficult to *prove* a machine is not infected.
EDIT: rkhunter is an example of a Linux program that does this sort of comparison
Then add the PID column to task manager. Close everything that you can and then watch netstat and see if any outgoing connections appear, see what program is doing it in taskmanager based upon the PID from netstat.Code:netstat -o 5
Search for that file and kill it.
BTW, I've been working on a personal machine from one of my users the past two days trying to trackdown all the infections and problems. I believe I got it cleaned up, but couldn't be 100% certain because of how badly in was rooted. I decided to take off and nuke it from orbit, it was the only way to be sure.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
Interesting question. The normal way to check is to have a look at the list of running processes, have a look at all programs set to run at startup and to have a look at all programs that are communicating over the network (listening or sending). Tools from the Sysinternals suite can do all of this. Comparison to a known good baseline is also a good method - and this can involve the checking of hashes of executables against known good copies as well as comparing the state of a system as it is currently to how it was yesterday, a week ago or a month ago.
However, rootkit techniques can be used to hide a program from these detection techniques if you are performing them on the suspected system. In that case what you need to do is offline analysis of the systems hard drive and a running memory dump - and you check for the same things I already mentioned - running programs, listening network connections and startup programs. The Volatility toolkit is excellent for doing this on memory dumps, and standard Linux tools can do this for the hard drive.
EDIT: Network forensic techniques can also be used to detect rootkit infected machines (see Richard Bejtlich's books or check his taosecurity blog for more info).
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
chkrootkit may solve the solution as lupin said some processes may be hidden or melt in the memmory,also use a program active ports to see the connections that are running and the processes for this connection.
And even use wireshark in analysing the outgoing packets and their intervals , and tracing back to the program wich does this would be fairly enough to check analyze the program
Posting Permissions
