Friday, 18 November 2011

Using Process explorer to discover network properties

Process Explorer is a tool from Microsoft that is in effect Task Manager on steroids without all the bad consequences.

image

Right clicking on a running process allows you to select properties.

image

From here, selecting the TCP/IP tab will display the connections in progress from this application.

image

So, if you have a suspicious application, now you have a tool to watch what it is doing.

Wednesday, 16 November 2011

More Windows tasks

Most people know of the Windows Task-manager GUI application. There are many times when it is better to use a CLI (command line interface). One such example would be where a script tests what is running.

The command “tasklist” is a Windows command that allows just this.

image

Just like its GUI cousin, you can also list services using this tool. The “/svc” option for instance displays the services hosted in each process.

image

More, you can filter such as in the example below where we have selected processes that do not respond to task-monitoring requests.image

Knowing what you are running is the first part of stopping malware.

Tuesday, 15 November 2011

Investigating tasks in Windows

When investigating an incident in Windows environment, one of the things you should check is the scheduled tasks. Many malware varieties use startup processes to reload and maintain themselves. By seeking new and unusual tasks, you can quickly look for simple compromises and malicious processes.

The inclusion of privileged processes (those running as SYSTEM and Admin for instance) are or particular concern. It is also not unusual to discover malicious code running using a blank username.

To make a simple check of the running and scheduled tasks from the command line, type:

  • schtasks

image

You can see in the image above that we have a number of scheduled tasks on the system that this was run from. This is divided into groups as follows:

  • by folder
  • Task name
  • The next run time
  • The status (ready to run or if it is running now)

You can create tasks in Windows using these commands as well, but for now, we are simply seeking commands out that we did not expect. Diff’√≠ng the results is a good way to look for system changes.

You can see the help for this command using the “schtasks /?” extension as displayed below.

image

Next is WMIC.

WMIC is great for doing malware analysis. It will display all of the files loaded at Startup. More, the Registry keys the system has associated with the “autostart” are also returned.

You can see the values returned in the figure below:

  • wmic startup list full

image

We can also use this to select individual processes.

  • wmic process list full | find "cmd.exe"

image

Here we have restricted the process search to just cmd.exe.

This is useful in checking paths and if a process has inserted itself before the “true” system file.

Monday, 14 November 2011

IPv6 RoutingHeader like Loose-Source Routing (LSR)?

A question to ask is whether the IPv6 Routing Header is like Loose-Source Routing? In many ways it is extremely similar and in fact, RH0 can be used in this way. Consequently, Routing Header Type 0 was depreciated in RFC5095.

The Routing Header: Type 0 Routing Header (RH0) can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic just as with LSR.

With Type 0 Routing Headers (RH0) a packet can be constructed such that it will oscillate between two RH0-processing hosts or routers many times. This is a serious amplification that lead to the end of RH0 in the standard track as it allows a stream of packets from an attacker to be amplified along the path between two remote routers and could be used to cause congestion along arbitrary remote paths and hence act as a denial-of-service mechanism.

Worse, when coupled with the ability to assign Multiple addresses per node, we also have to ask, “Who needs spoofing”? With IPv6, spoofing becomes a non-issue as Renumbering means that for a certain lifetime, two (2) addresses are coexisting on the node.

Mobility support means that paths can be defined.

The point is when deploying IPv6, we need to take care to ensure that we think of the traffic coming into and out of our networks. More, as this is commonly encrypted in IPv6 (using IPsec), we need to think seriously about design and trust.