Windows Rootkit Analysis Report


HBGary
Contract No: NBCHC08004
SBIR Data Rights
November 2008
Page 1

Table of Contents

Introduction .......................................................... 4
Clean Monitoring Tool Logs ........................................... 5
  Clean System PSList ................................................ 5
  Clean System Process Explorer ...................................... 6
Vanquish ............................................................. 7
  PSList Vanquish .................................................... 7
  Vanquish Process Monitor (Process Start – Exit) .................... 8
  Process Explorer Thread Stack Vanquish ............................. 8
  Process Monitor Events Vanquish .................................... 9
  Vanquish Log File (Created by rootkit, placed in root directory "C:") ... 21
  Process Explorer Memory Strings Vanquish ........................... 23
NTIllusion ........................................................... 26
  Windows Task Manager kinject.exe ................................... 27
  Handle kinject.exe ................................................. 28
  Process Explorer Threads kinject.exe ............................... 28
  Process Explorer Strings Memory kinject.exe ........................ 29
  Process Monitor kinject.exe ........................................ 30
  Windows Task Manager kNtiLoader.exe ................................ 68
  Handle kNtiLoader.exe .............................................. 69
  Process Explorer Properties Memory kNtiLoader.exe .................. 69
  Process Monitor kNtiLoader.exe ..................................... 71
  Miscellaneous Information and Summary .............................. 122
AFX .................................................................. 125
  Process Explorer Threads root.exe .................................. 129
  Process Monitor root.exe ........................................... 129
  Process Explorer Memory Threads Root.exe ........................... 131
  Miscellaneous Information and Summary .............................. 136
Migbot ............................................................... 137
  PSList Migbot ...................................................... 137
  Error Signature Generated by Migbot ................................ 138
  Windows Task Manager Applications Migloader.exe .................... 139
  Windows Task Manager Processes Migloader.exe & Dwwin.exe ........... 140
  Handle Migloader.exe & Dwwin.exe ................................... 140
  Process Explorer Stack Migloader.exe ............................... 141
  Process Explorer String Memory Migloader.exe ....................... 142
  Process Explorer String Memory Dwwin.exe ........................... 145
  Process Monitor Dlls Migloader.exe and Dwwin.exe ................... 158
  Miscellaneous Information and Summary .............................. 161
  Process Explorer Threads cfsd.exe .................................. 164
  Process Explorer Strings Memory cfsd.exe ........................... 164
  Process Monitor cfsd.exe ........................................... 165
HxDefender (Hacker Defender) ......................................... 168
  Process List HxDefender ............................................ 168
  Windows Task Manager HxDefender .................................... 169
  Process Monitor Dlls HxDef100.exe .................................. 170
  Process Monitor File Activity HxDef100.exe ......................... 170
  Process Explorer Thread Stacks HxDef100.exe ........................ 174
  Process Monitor Dlls bdcli100.exe .................................. 175
  Process Monitor File Activity bdcli100.exe ......................... 175
  Process Explorer Thread Stacks bdcli100.exe ........................ 178
  Process Monitor Dlls rdrbs100.exe .................................. 179
  Process Monitor File Activity rdrbs100.exe ......................... 179
  Process Explorer Thread Stacks rdrbs100.exe ........................ 185
  Process Monitor hxdOFena.exe ....................................... 186
  Process Monitor File Activity hxdOFena.exe ......................... 186
  Process Explorer Thread Stack hxdOFena.exe ......................... 191
  Miscellaneous Information and Summary .............................. 191
FUtoEnhanced ......................................................... 208
  Process Monitor FUtoEnhanced (Process Start – Exit) ................ 217
  FUtoEnhanced Process Monitor (Threads) ............................. 218
  FUtoEnhanced Process Monitor Events ................................ 219
  Miscellaneous Information and Summary .............................. 219
He4Hook .............................................................. 220
  He4HookControler Process Monitor (Process Start – Exit) ............ 220
  Process Monitor (Threads) He4Hook .................................. 221
  Process Monitor Events H4HookController ............................ 221
  Miscellaneous Information and Summary .............................. 237
Appendix: Windows Rootkit Monitoring Procedures ...................... i
  Ghost Image Boot Disks ............................................. ii
  Monitoring Tools ................................................... ii
  Monitoring Process for BOT Analysis ................................ iv
  References ......................................................... v

The contents of this report were produced by SAIC, Inc., under contract to HBGary, Inc., for contract number NBCHC80048. SBIR Data Rights apply.

Introduction

This report focuses on Windows Rootkits and their effects on computer