
Thread: how to prove if windows machine is infected?

  1. #1
    Member webtrol's Avatar
    Join Date
    Jan 2010
    Posts
    113

    Default how to prove if windows machine is infected?

    Hi,

    Assume a Windows machine that did network scans on a specific port.
    Multiple AVs were run on the machine and turned up nothing.
    How would you prove/disprove that the machine is infected?

    Sin-cerely,
    Trol

  2. #2
    Senior Member MikeCa's Avatar
    Join Date
    Jan 2010
    Location
    DC
    Posts
    129

    Default

    I would be pretty comfortable if md5 hashes of executables and configs matched a known-good record. "Proof" is a big word here, it is difficult to *prove* a machine is not infected.

    EDIT: rkhunter is an example of a Linux program that does this sort of comparison

  3. #3
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Code:
    netstat -o 5
    Then add the PID column to Task Manager. Close everything that you can, then watch netstat and see if any outgoing connections appear; see what program is doing it in Task Manager based upon the PID from netstat.

    Search for that file and kill it.

    BTW, I've been working on a personal machine from one of my users for the past two days trying to track down all the infections and problems. I believe I got it cleaned up, but couldn't be 100% certain because of how badly it was rooted. I decided to take off and nuke it from orbit; it was the only way to be sure.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
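The netstat/PID correlation streaker69 describes, done offline over saved output so it can be repeated on a captured box: the script below is an added example, not code from the thread, and it parses constructed samples of `netstat -ano` and `tasklist` output (the hosts, PIDs and the `updchk.exe` process name are all hypothetical). It goes one step past the post by flagging any PID that reached several distinct hosts on the same port, which is the scanning pattern the original question describes, and by listing PIDs that own sockets but have no `tasklist` entry.

```python
"""Added example: correlate `netstat -ano` output with `tasklist` output.

Both samples below are constructed for this example; they are not captures
from the machine discussed in the thread.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (hypothetical PIDs and hosts)
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     203.0.113.7:445        SYN_SENT        4120
  TCP    192.168.1.20:49713     203.0.113.8:445        SYN_SENT        4120
  TCP    192.168.1.20:49714     203.0.113.9:445        SYN_SENT        4120
  TCP    192.168.1.20:50321     93.184.216.34:443      ESTABLISHED     2288
  UDP    0.0.0.0:5355           *:*                                    1180
"""

# Constructed sample of `tasklist` output (hypothetical process names)
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    912 Services                   0     12,344 K
svchost.exe                   1180 Services                   0      8,100 K
chrome.exe                    2288 Console                    1    180,220 K
updchk.exe                    4120 Console                    1      3,412 K
"""

# One netstat row: proto, local, foreign, optional TCP state, PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# One tasklist row: image name (may contain spaces), PID, session name, session#
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+")


def parse_netstat(text):
    """Return one dict per connection line of `netstat -ano`."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def unknown_pids(conns, procs):
    """PIDs that own sockets but are absent from the process list."""
    return sorted({c["pid"] for c in conns if c["pid"] not in procs})


def find_scanners(conns, procs, min_hosts=3):
    """Flag PIDs that reached >= min_hosts distinct remote hosts on one port."""
    targets = defaultdict(set)          # (pid, remote port) -> remote hosts
    for c in conns:
        if c["state"] == "LISTENING" or c["remote"].startswith("*"):
            continue                    # listeners, not outbound traffic
        host, _, port = c["remote"].rpartition(":")
        targets[(c["pid"], port)].add(host)
    hits = []
    for (pid, port), hosts in sorted(targets.items()):
        if len(hosts) >= min_hosts:
            hits.append({"pid": pid, "image": procs.get(pid, "<not in tasklist>"),
                         "port": port, "hosts": sorted(hosts)})
    return hits


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist(TASKLIST_SAMPLE)
    for h in find_scanners(conns, procs):
        print(f"PID {h['pid']} ({h['image']}) hit {len(h['hosts'])} hosts on port {h['port']}")
    for pid in unknown_pids(conns, procs):
        print(f"PID {pid} has sockets but no tasklist entry: possible hidden process")
```

On a live machine, feed it `netstat -ano > net.txt` and `tasklist > tasks.txt` taken at the same moment; a PID that shows up in `unknown_pids` is worth more attention than the scanner hit itself, since a process that owns sockets but is missing from the process list is exactly what a rootkit produces.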

  4. #4
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Interesting question. The normal way to check is to have a look at the list of running processes, have a look at all programs set to run at startup and to have a look at all programs that are communicating over the network (listening or sending). Tools from the Sysinternals suite can do all of this. Comparison to a known good baseline is also a good method - and this can involve the checking of hashes of executables against known good copies as well as comparing the state of a system as it is currently to how it was yesterday, a week ago or a month ago.

    However, rootkit techniques can be used to hide a program from these detection techniques if you are performing them on the suspected system. In that case what you need to do is offline analysis of the system's hard drive and a dump of running memory, and you check for the same things I already mentioned: running programs, listening network connections and startup programs. The Volatility toolkit is excellent for doing this on memory dumps, and standard Linux tools can do this for the hard drive.

    EDIT: Network forensic techniques can also be used to detect rootkit infected machines (see Richard Bejtlich's books or check his taosecurity blog for more info).
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
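The known-good baseline comparison that MikeCa (#2) and lupin (#4) both recommend, as an added example that is not code from the thread: snapshot the hashes of executables and configs under a tree, store the snapshot, and later diff a fresh snapshot against it to get added, removed and changed files. The tree, file names and contents below are constructed in a temporary directory so the script runs anywhere; `updchk.exe` is a hypothetical dropped binary, not a real indicator.

```python
"""Added example: hash baseline of executables/configs and diff against it.

The directory tree built in demo() is constructed for this example and
does not represent any real Windows installation.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth baselining: binaries, drivers, and config files
BASELINE_SUFFIXES = (".exe", ".dll", ".sys", ".ini", ".conf")


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, suffixes=BASELINE_SUFFIXES):
    """Return {relative posix path: sha256} for every matching file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in suffixes}


def save_baseline(snap, path):
    """Write the snapshot as JSON; keep this copy OFF the suspect machine."""
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two snapshots into added, removed and changed relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys()
                     if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Build a constructed tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "System32" / "drivers").mkdir(parents=True)
        (root / "System32" / "svchost.exe").write_bytes(b"MZ original svchost")
        (root / "System32" / "drivers" / "http.sys").write_bytes(b"MZ http driver")
        (root / "win.ini").write_text("[fonts]\n")
        (root / "readme.txt").write_text("not baselined\n")

        save_baseline(snapshot(root), root / "baseline.json")

        # Simulated compromise: binary replaced, file dropped, driver removed
        (root / "System32" / "svchost.exe").write_bytes(b"MZ trojaned svchost")
        (root / "System32" / "updchk.exe").write_bytes(b"MZ dropped binary")
        (root / "System32" / "drivers" / "http.sys").unlink()

        return compare(load_baseline(root / "baseline.json"), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Two caveats follow directly from the posts above: the baseline has to come from a trusted copy (an install image or a snapshot taken before the incident) and be kept off the box, and hashing from inside a rooted system only sees what the rootkit lets the filesystem API return, which is why lupin's offline disk analysis is the stronger check.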

  5. #5
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    18

    Default

    chkrootkit may be the solution. As lupin said, some processes may be hidden or melted into memory; also use the program Active Ports to see the connections that are running and the processes behind those connections.

  6. #6
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    19

    Default

    And even use Wireshark to analyse the outgoing packets and their intervals; tracing them back to the program which does this would be fairly enough to check/analyze the program.
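The interval analysis suggested above, as an added example that is not part of the original post: once you have exported outgoing packet timestamps per destination from Wireshark, a process that phones home on a fixed timer shows up as a destination whose inter-packet gaps are nearly constant, while ordinary browsing does not. The packet list below is constructed (the destination addresses are documentation ranges, not real hosts), and the threshold on the coefficient of variation is an assumed starting point rather than anything from the thread.

```python
"""Added example: flag beacon-like outbound traffic from packet timestamps.

PACKETS is a constructed sample standing in for a Wireshark export of
(time, ip.dst, tcp.dstport) for outgoing packets; it is not a real capture.
"""
import statistics
from collections import defaultdict

PACKETS = [
    # (seconds since capture start, destination, port)
    (0.0,   "198.51.100.5",  443),   # suspected beacon, ~60 s period
    (60.2,  "198.51.100.5",  443),
    (119.9, "198.51.100.5",  443),
    (180.1, "198.51.100.5",  443),
    (240.0, "198.51.100.5",  443),
    (300.3, "198.51.100.5",  443),
    (3.1,   "93.184.216.34", 443),   # irregular browsing traffic
    (4.2,   "93.184.216.34", 443),
    (45.0,  "93.184.216.34", 443),
    (46.5,  "93.184.216.34", 443),
    (200.7, "93.184.216.34", 443),
    (10.0,  "203.0.113.20",  53),    # too few events to judge
    (70.0,  "203.0.113.20",  53),
]


def intervals_by_destination(packets):
    """Group timestamps by (dst, port) and return the sorted gaps between them."""
    times = defaultdict(list)
    for ts, dst, port in packets:
        times[(dst, port)].append(ts)
    gaps = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps[key] = [b - a for a, b in zip(ts_list, ts_list[1:])]
    return gaps


def find_beacons(packets, min_events=5, max_cv=0.1):
    """Return destinations whose gaps are regular enough to look like a timer.

    cv = population stddev / mean of the gaps; a pure timer gives cv ~ 0,
    human-driven traffic gives cv well above 1. max_cv=0.1 is an assumed
    starting threshold and should be tuned per environment.
    """
    hits = []
    for (dst, port), gaps in intervals_by_destination(packets).items():
        if len(gaps) + 1 < min_events:
            continue                                # not enough samples
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"dst": dst, "port": port,
                         "period_s": round(mean, 1), "cv": round(cv, 3),
                         "events": len(gaps) + 1})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for h in find_beacons(PACKETS):
        print(f"{h['dst']}:{h['port']} every ~{h['period_s']} s "
              f"(cv={h['cv']}, {h['events']} packets)")
```

Real implants add jitter to their sleep, so raise `max_cv` and look at the distribution rather than a single cutoff before dismissing a destination; once a destination is flagged, the PID-to-socket correlation from earlier in the thread is how you get from the address back to the program.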
