Windows Rootkit Analysis Report

HBGary Contract No: NBCHC08004
SBIR Data Rights
November 2008

The contents of this report were produced by SAIC, Inc., under contract to HBGary, Inc., for contract number NBCHC80048. SBIR Data Rights apply.

Table of Contents

Introduction ........ 4
Clean Monitoring Tool Logs ........ 5
    Clean System PSList ........ 5
    Clean System Process Explorer ........ 6
Vanquish ........ 7
    PSList Vanquish ........ 7
    Vanquish Process Monitor (Process Start – Exit) ........ 8
    Process Explorer Thread Stack Vanquish ........ 8
    Process Monitor Events Vanquish ........ 9
    Vanquish Log File (created by the rootkit, placed in the root directory "C:") ........ 21
    Process Explorer Memory Strings Vanquish ........ 23
NTIllusion ........ 26
    Windows Task Manager kinject.exe ........ 27
    Handle kinject.exe ........ 28
    Process Explorer Threads kinject.exe ........ 28
    Process Explorer Strings Memory kinject.exe ........ 29
    Process Monitor kinject.exe ........ 30
    Windows Task Manager kNtiLoader.exe ........ 68
    Handle kNtiLoader.exe ........ 69
    Process Explorer Properties Memory kNtiLoader.exe ........ 69
    Process Monitor kNtiLoader.exe ........ 71
    Miscellaneous Information and Summary ........ 122
AFX ........ 125
    Process Explorer Threads root.exe ........ 129
    Process Monitor root.exe ........ 129
    Process Explorer Memory Threads root.exe ........ 131
    Miscellaneous Information and Summary ........ 136
Migbot ........ 137
    PSList Migbot ........ 137
    Error Signature Generated by Migbot ........ 138
    Windows Task Manager Applications Migloader.exe ........ 139
    Windows Task Manager Processes Migloader.exe & Dwwin.exe ........ 140
    Handle Migloader.exe & Dwwin.exe ........ 140
    Process Explorer Stack Migloader.exe ........ 141
    Process Explorer String Memory Migloader.exe ........ 142
    Process Explorer String Memory Dwwin.exe ........ 145
    Process Monitor Dlls Migloader.exe and Dwwin.exe ........ 158
    Miscellaneous Information and Summary ........ 161
    Process Explorer Threads cfsd.exe ........ 164
    Process Explorer Strings Memory cfsd.exe ........ 164
    Process Monitor cfsd.exe ........ 165
HxDefender (Hacker Defender) ........ 168
    Process List HxDefender ........ 168
    Windows Task Manager HxDefender ........ 169
    Process Monitor Dlls HxDef100.exe ........ 170
    Process Monitor File Activity HxDef100.exe ........ 170
    Process Explorer Thread Stacks HxDef100.exe ........ 174
    Process Monitor Dlls bdcli100.exe ........ 175
    Process Monitor File Activity bdcli100.exe ........ 175
    Process Explorer Thread Stacks bdcli100.exe ........ 178
    Process Monitor Dlls rdrbs100.exe ........ 179
    Process Monitor File Activity rdrbs100.exe ........ 179
    Process Explorer Thread Stacks rdrbs100.exe ........ 185
    Process Monitor hxdOFena.exe ........ 186
    Process Monitor File Activity hxdOFena.exe ........ 186
    Process Explorer Thread Stack hxdOFena.exe ........ 191
    Miscellaneous Information and Summary ........ 191
FUtoEnhanced ........ 208
    Process Monitor FUtoEnhanced (Process Start – Exit) ........ 217
    FUtoEnhanced Process Monitor (Threads) ........ 218
    FUtoEnhanced Process Monitor Events ........ 219
    Miscellaneous Information and Summary ........ 219
He4Hook ........ 220
    He4HookControler Process Monitor (Process Start – Exit) ........ 220
    Process Monitor (Threads) He4Hook ........ 221
    Process Monitor Events H4HookController ........ 221
    Miscellaneous Information and Summary ........ 237
Appendix: Windows Rootkit Monitoring Procedures ........ i
    Ghost Image Boot Disks ........ ii
    Monitoring Tools ........ ii
    Monitoring Process for BOT Analysis ........ iv
    References ........ v

Introduction

This report focuses on Windows Rootkits and their effects on computer

Details

  • File Type: PDF
  • Content Language: English
  • File Pages: 243