Windows Rootkit Analysis Report

Total Pages: 16

File Type: pdf, Size: 1020Kb

HBGary
Contract No: NBCHC08004
SBIR Data Rights
November 2008

Table of Contents

  • Introduction
  • Clean Monitoring Tool Logs
      • Clean System PSList
      • Clean System Process Explorer
  • Vanquish
      • PSList Vanquish
      • Vanquish Process Monitor (Process Start – Exit)
      • Process Explorer Thread Stack Vanquish
      • Process Monitor Events Vanquish
      • Vanquish Log File (Created by rootkit, placed in root directory “C:”)
      • Process Explorer Memory Strings Vanquish
  • NTIllusion
      • Windows Task Manager kinject.exe
      • Handle kinject.exe
      • Process Explorer Threads kinject.exe
      • Process Explorer Strings Memory kinject.exe
      • Process Monitor kinject.exe
      • Windows Task Manager kNtiLoader.exe
      • Handle kNtiLoader.exe
      • Process Explorer Properties Memory kNtiLoader.exe
      • Process Monitor kNtiLoader.exe
      • Miscellaneous Information and Summary
  • AFX
      • Process Explorer Threads root.exe
      • Process Monitor root.exe
      • Process Explorer Memory Threads Root.exe
      • Miscellaneous Information and Summary
  • Migbot
      • PSList Migbot
      • Error Signature Generated by Migbot
      • Windows Task Manager Applications Migloader.exe
      • Windows Task Manager Processes Migloader.exe & Dwwin.exe
      • Handle Migloader.exe & Dwwin.exe
      • Process Explorer Stack Migloader.exe
      • Process Explorer String Memory Migloader.exe
      • Process Explorer String Memory Dwwin.exe
      • Process Monitor Dlls Migloader.exe and Dwwin.exe
      • Miscellaneous Information and Summary
      • Process Explorer Threads cfsd.exe
      • Process Explorer Strings Memory cfsd.exe
      • Process Monitor cfsd.exe
  • HxDefender (Hacker Defender)
      • Process List HxDefender
      • Windows Task Manager HxDefender
      • Process Monitor Dlls HxDef100.exe
      • Process Monitor File Activity HxDef100.exe
      • Process Explorer Thread Stacks HxDef100.exe
      • Process Monitor Dlls bdcli100.exe
      • Process Monitor File Activity bdcli100.exe
      • Process Explorer Thread Stacks bdcli100.exe
      • Process Monitor Dlls rbrbs100.exe
      • Process Monitor File Activity rdrbs100.exe
      • Process Explorer Thread Stacks rdrbs100.exe
      • Process Monitor hxdOFena.exe
      • Process Monitor File Activity hxdOFena.exe
      • Process Explorer Thread Stack hxdOFena.exe
      • Miscellaneous Information and Summary
  • FUtoEnhanced
      • Process Monitor FUtoEnhanced (Process Start – Exit)
      • FUtoEnhanced Process Monitor (Threads)
      • FUtoEnhanced Process Monitor Events
      • Miscellaneous Information and Summary
  • He4Hook
      • He4HookControler Process Monitor (Process Start – Exit)
      • Process Monitor (Threads) He4Hook
      • Process Monitor Events H4HookController
      • Miscellaneous Information and Summary
  • Appendix: Windows Rootkit Monitoring Procedures
  • Ghost Image Boot Disks
  • Monitoring Tools
  • Monitoring Process for BOT Analysis
  • References

The contents of this report were produced by SAIC, Inc., under contract to HBGary, Inc., for contract number NBCHC80048. SBIR Data Rights apply.

Introduction

This report focuses on Windows Rootkits and their effects on computer