Monday, November 5, 2007

Hunting Malware in Windows

The purpose of this blog entry is to help the reader identify Malware on a PC. I look at some of the changes made to the PC by the Malware and the effect that Malware might have on a system.

First, here are a few answers to some basic questions.

What is Malware?
Malware is a program whose code performs actions with malicious intent. Often the owner of the system will not have agreed to the Malware being installed, and system owners may not be aware of its presence.

What Can Malware Do?
I classify programs such as viruses, Trojans and Spyware as Malware. These types of programs can steal personal information and corrupt data. Infected systems can attack other systems and be used for other illegal activities.

How Does Malware Get onto a System?
Malware can be installed when installing a legitimate program or it can be installed by visiting a website hosting malicious code. Malware can be installed by a virus or worm or it can be installed by someone with malicious intent that has access to the system.

Okay, with those questions answered let's get down to the detail.

After Malware has been installed by whatever means, be it a payload from a file you open, a website you visit or someone hacking your system and placing it there as a backdoor or a keylogger, the Malware will need to be initiated every time the system reboots (persistence), it’s going to run as a process and it’s going to communicate. I’ll address each of these separately. But first I’ll list the tools that I use throughout my Malware hunting process.

Tools:
  • Regedit
  • Netstat
  • Tlist
  • Tasklist
  • Autoruns
  • Process Explorer
  • PUList
  • Net
  • Handle
  • ListDlls
  • Nbtstat
  • TCPView
  • Procmon
  • SmartSniff

None of the tools listed requires installation to run. The tools can be run from a CD or other read-only medium, which is good practice, as you then know that the tools have not been affected by any Malware on the PC you are examining. It’s best to take tools directly from the vendor or from a clean installation of Windows.

I have listed methods to detect Malware using both command-line tools and a GUI alternative.

Okay, let's hunt!


Once Malware is on the system it will need a way of starting every time you log on. Listed below are some common places it can start from.

1. The Registry
Use Regedit to examine the contents of the following registry keys:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This is a popular key for Malware to start from. Other keys that have been known to be used for Malware are listed below.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKCU\Control Panel\Desktop\Scrnsave.exe
Other keys to note:
  • HKEY_CLASSES_ROOT\batfile\shell\open\command
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
  • HKEY_CLASSES_ROOT\comfile\shell\open\command
The 3 keys listed above tell Windows what to do when opening a .bat, .exe or .com file. The default value of each of these keys should be "%1" %* (the file itself, followed by its arguments).

Malware has been known to modify these values so that it is started up whenever an exe, bat or com file is run.

The screenshot below is from my HKLM\Software\Microsoft\Windows\CurrentVersion\Run key.

As you can see there are quite a few keys to become familiar with.

Become familiar with the contents of these keys and, if in doubt, use Google to identify the values. When using Google I find it is best to look at a few different results rather than the first that comes up. There are many sites that will say that this.exe or that.dll is spyware and then sell you just the tool to remove it. You'll get to know which sites you can trust.
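One way to check the keys above without clicking through Regedit by hand is to export them (File > Export in Regedit produces a .reg text file) and audit the export offline. The script below is an added example, not code from the original post: it parses the REG_SZ subset of the .reg format, compares the three shell\open\command defaults against "%1" %*, and lists Run/RunOnce entries whose image lives outside a couple of trusted directories. The sample export, the wrap.exe association and the "trusted prefix" list are constructed assumptions for the example; the prefix list is a triage filter, not proof that an entry is clean.

```python
"""Audit autostart registry keys from a regedit (.reg) export (added example, not the post's own code)."""
import re

# Run-family keys the post lists as common Malware start points.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
# File-association command keys and the default value Windows expects there.
SHELL_OPEN_KEYS = (
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command",
)
EXPECTED_SHELL_OPEN = '"%1" %*'
# Heuristic triage filter (an assumption of this example): images outside these
# directories get looked at first. It prioritises; it does not prove anything.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# A .reg value line is @="..." or "name"="..."; the format escapes \ and " with a backslash.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the REG_SZ subset of the regedit export format.

    Returns {key_path: {value_name: value}} with the default value stored under "@".
    dword:/hex: values are not needed for this audit and are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def command_image(cmd):
    """Extract the executable path from a command line (quoted, or unquoted with spaces)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def audit(keys):
    """Return (kind, location, value) findings: hijacked associations, autostarts outside trusted paths."""
    findings = []
    for key in SHELL_OPEN_KEYS:
        default = keys.get(key, {}).get("@")
        if default is not None and default != EXPECTED_SHELL_OPEN:
            findings.append(("hijacked-association", key, default))
    for key in AUTOSTART_KEYS:
        for name, cmd in keys.get(key, {}).items():
            if not command_image(cmd).lower().startswith(TRUSTED_PREFIXES):
                findings.append(("untrusted-autostart", key + "\\" + name, cmd))
    return findings


# Constructed sample export: one vendor tray application, one autostart in a temp
# folder, and an exefile association that runs a (hypothetical) wrapper before the real program.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe\" /tray"
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\wrap.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for kind, where, value in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{kind:22} {where}\n{'':22} -> {value}")
```

On a real machine, export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and HKEY_CLASSES_ROOT from Regedit on the suspect PC and pass the file contents to parse_reg_export; a clean export taken earlier from the same build can be parsed the same way and the two dictionaries compared to spot new entries.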

2. The File System
The Malware may even be listed in the startup folder. Check out:

C:\Documents and Settings\\Start Menu\Programs\Startup

If you find programs listed here that you don’t recognise, Google them.

3. Scheduled Tasks
Scheduled tasks are another place that Malware can start from. Use the Scheduled Tasks program from Start > Programs > Accessories > System Tools to view scheduled tasks.

You can also view scheduled tasks from the command line using schtasks.exe:

C:\>schtasks /query

The benefit of the command-line option is that scheduled tasks can be hidden from the GUI by creating a new scheduled task and then using attrib +h against the task's .job file in %WINDIR%\Tasks. This may fool the GUI but it will not get by the command-line tool.

Here is an example.
I have created a task called test which is viewable in Scheduled Tasks

After hiding test.job with the command C:\Windows\Tasks>attrib +h test.job the task is hidden even though in my folder options I display hidden files.

However, after running C:\>schtasks /query I can still see the task.

4. Services
Malware is often installed as a service. This is another way that it can be guaranteed to start. You can view the services using the tools listed below.

Services.msc. Run this or look in Computer Management (right-click My Computer > Manage) for a list of services on your PC. Malware authors or hackers can install a program to run as a service using the tool Srvany.exe. This is a legitimate Microsoft tool available in the Resource Kit.

To view running services from the command-line use:

C:\>net start

Now for the fantastic AutoRuns from SysInternals. Autoruns provides all of the above information in seconds and you can do some funky stuff with it too.

If you want to see a list of all programs that are being started from all the places listed above run AutoRuns and check out the Everything tab (shown below).

From here you can see which programs are set to start, where they are initialised from (Registry, Scheduled Tasks etc.), the Publisher, the Description and the path to the image. On selecting an entry, additional details are supplied in the bottom pane. Entries can also be selected or deselected here to start them upon startup or prevent them from loading.

The list of entries and the applied settings can also be saved to a file and then compared to at a later time to identify new entries that have been created. Any new additions will be highlighted in green.

Running Processes

After Malware has started it will be a running process on your PC. There are a number of tools you can use to view the running processes. Again, what’s important here is that any processes you find that you are unsure of should be Googled.

Below are the different tools I use to list the running processes.

PsList is a free command-line tool developed by SysInternals. It can be used on local and remote computers and can display a great deal of information. Below is a screenshot of running the tool on the local PC using the process tree option (-t). Output can be piped to a text file if necessary using >filename.txt. Additional options can be viewed by using the /? switch.

What can be seen in the screenshot above is a number of processes with the same name, svchost. In XP svchost appears 5 times and in Windows 2003 there are 7 occurrences of it. Svchost is a system process that runs several other services, as we shall see, and should always be listed under the System process as shown above. If you find svchost running as a process on its own or under cmd (as demonstrated below) it should definitely raise eyebrows and warrant further investigation.

Some Malware will be named so it looks legitimate and will look at home when displayed in outputs from programs like PSList. For example, would you spot a program named scvhost amongst the list above? Probably not at first glance.

A useful program is PUList. PUList from the Microsoft Resource Kit will display the user account that has been used to start a program. So in the case of a legitimate svchost process this should be the NT AUTHORITY\SYSTEM user.

To help demystify what some of those svchost processes are, run TList with the -c switch. This will display all the running services and the command line used to launch each one. The screenshot below clearly shows that my disguised svchost process was started with syntax that is strangely similar to netcat!

Another useful TList option is the -s switch. This will list the active services in each process.

Tasklist is a native tool on both XP and Windows 2003, and tasklist /svc will provide similar information to the tlist -s option.

ListDLLs will display all running processes, the DLLs used by them, the path to each DLL and the DLL version.

Running ListDlls against the PID of my mystery svchost process provides the following information.

Looking at a few of the DLLs listed, such as DNSAPI.dll and mswsock.dll, may give a hint to the type of program the svchost is being used as.

Handle will display information on what the process is interacting with: other handles, the registry and the file system. Handle is also developed by SysInternals (now Microsoft). As with all the command-line tools listed above, the output of Handle can be directed to a text file by appending >filename.txt to the command.
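The two checks this section walks through by eye, a svchost with the wrong parent and a name one keystroke away from a real system process, are easy to automate over a saved pslist -t listing. The script below is an added example (not the post's code or a SysInternals tool): it rebuilds the parent/child tree from the indentation of pslist -t output, flags any svchost whose direct parent is not services (services.exe is what launches genuine svchost instances, which is why they appear inside the System tree in the post's screenshot), and flags names within one edit or adjacent-letter swap of a well-known system process, which is exactly how scvhost differs from svchost. The process listing and the list of imitated names are constructed assumptions for the example.

```python
"""Triage a `pslist -t` process tree for lookalike names and oddly parented svchost (added example)."""

# Names Malware commonly imitates; compared case-insensitively, without .exe, as pslist prints them.
SYSTEM_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv", "explorer"}

# Constructed sample in the layout of `pslist -t` (two spaces of indent per tree level).
SAMPLE_TREE = """\
Name                             Pid Pri Thd  Hnd      VM      WS    Priv
Idle                               0   0   1    0       0      28       0
  System                           4   8  59  286    1852     236       0
    smss                         544  11   3   21    3772     416     168
      csrss                      608  13  12  395   25856    3196    1668
      winlogon                   632  13  20  516   56836    3640    7092
        services                 676   9  16  288   20932    3236    1700
          svchost                860   8  17  191   38088    4580    1496
          svchost                944   8  81 1364  134940   19808   11764
          spoolsv               1364   8  11  116   35572    4120    3040
        lsass                    688   9  22  341   35728    1052    3208
explorer                        1604   8  13  478   73112   17832   11272
  cmd                           1880   8   1   27   15844    1228    1440
    svchost                     2012   8   2   32   18120    1732    1204
  scvhost                       2120   8   3   41   19856    2108    1348
"""


def parse_pslist_tree(text):
    """Return a list of {name, pid, level, parent} built from the indentation of pslist -t output."""
    procs, stack = [], []
    for line in text.splitlines()[1:]:          # skip the column header
        if not line.strip():
            continue
        level = (len(line) - len(line.lstrip(" "))) // 2
        name, pid = line.split()[:2]
        while stack and stack[-1]["level"] >= level:   # climb back up to this entry's parent
            stack.pop()
        proc = {"name": name, "pid": int(pid), "level": level,
                "parent": stack[-1]["name"] if stack else None}
        procs.append(proc)
        stack.append(proc)
    return procs


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions (scvhost/svchost = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(procs):
    """Return (kind, name, pid, detail) findings for the two checks."""
    findings = []
    for p in procs:
        lname = p["name"].lower()
        # Genuine svchost is launched by services.exe; any other parent deserves a closer look.
        if lname == "svchost" and (p["parent"] or "").lower() != "services":
            findings.append(("unexpected-parent", p["name"], p["pid"],
                             f"parent is {p['parent'] or 'none'}, expected services"))
        # A name that is not a system process but is one edit away from one is a classic disguise.
        if lname not in SYSTEM_NAMES:
            near = [s for s in sorted(SYSTEM_NAMES) if osa_distance(lname, s) == 1]
            if near:
                findings.append(("lookalike-name", p["name"], p["pid"], f"one edit away from {near[0]}"))
    return findings


if __name__ == "__main__":
    for kind, name, pid, detail in triage(parse_pslist_tree(SAMPLE_TREE)):
        print(f"{kind:18} {name:10} pid {pid:<6} {detail}")
```

Feed it the text captured with pslist -t >pslist.txt; the parent check complements PUList (account) and TList -c (command line) rather than replacing them, since a renamed netcat under services.exe would pass the parent test and only the command line would give it away.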

Process Explorer
And for the GUI inclined, the brilliant SysInternals have developed yet another great tool that rolls all of these tools into one, Process Explorer.

The interface is very easy to navigate yet can provide you with all information regarding running processes. All information is updated in realtime and can be saved to a tab delimited text file.

It has fantastic search capabilities to quickly find handles or DLL substrings. By enabling the lower pane you can easily view the DLLs associated with each process. By selecting a process and using ctrl+h and ctrl+d you can toggle between viewing the handles and the DLLs for the selected process.

The integrated searchable Strings function clearly identifies my mystery process as being a renamed instance of netcat (shown below).

The TCP/IP tab will display any connection that the process has open.

Which brings us to connections.


So the Malware is on your PC, it’s running as a process and at some stage it’s likely to try to connect to another system somewhere on the internet to attack, send information or spread. Below I have listed the tools you can use to monitor your network connections and capture details of the connection.

Netstat is very useful for showing exactly what connections are being made to and from a PC. Netstat /? will display all available switches for use with the tool. I find the following very useful:

netstat -anobv

This command will list all connections (-a), list the numerical values of the ports (-n), list the owning process for the connection (-o), list the executable that created the connection (-b), and will be verbose (-v).

Another trick I have used in the past with Netstat is to close down all my programs that may make an internet connection and wait a few minutes then run netstat to ensure that all connections are down. I’ll then run the following command and leave my PC connected to the internet:

netstat -bn 5 >netstatlog.txt

This will create a log file watching for any connections, refreshing every 5 seconds. I leave this to run overnight and then stop the task with ctrl+c. I then review the log and investigate any connections that show up in it.
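An overnight netstat -bn 5 log repeats the whole "Active Connections" table hundreds of times, so reviewing it by hand means scrolling past the same listeners over and over. The script below is an added example, not the post's code: it parses both the netstat -anob layout (with a PID column) and the netstat -bn N log layout (no PID), treats each repeated "Active Connections" header as one snapshot, records which snapshot each outbound peer first appeared in, and lists owning images that are not in an expected set. The log lines are constructed (the peer address is from the documentation range 203.0.113.0/24) and the expected-image set is an assumption for the example.

```python
"""Parse repeated netstat -anob / netstat -bn N output and summarise who talked to whom (added example)."""
import re

# One connection row: proto, local, foreign, then an optional state (UDP has none) and optional PID (-o).
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$")

# Constructed sample: two snapshots of `netstat -anob`; the second adds an outbound connection
# from a svchost.exe process and an attempt whose owner netstat could not resolve.
SAMPLE_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  UDP    0.0.0.0:500            *:*                                    688
  [lsass.exe]

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    192.168.1.10:1052      203.0.113.7:8080       ESTABLISHED     2012
  [svchost.exe]

  TCP    192.168.1.10:1053      203.0.113.7:8080       SYN_SENT        2120
  Can not obtain ownership information

  UDP    0.0.0.0:500            *:*                                    688
  [lsass.exe]
"""


def parse_netstat_log(text):
    """Return one dict per connection row; `snapshot` counts the repeated 'Active Connections' headers."""
    records, current, snapshot = [], None, -1
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Active Connections":
            snapshot, current = snapshot + 1, None
            continue
        m = CONN_RE.match(line)
        if m:
            current = {"snapshot": snapshot, "proto": m.group(1), "local": m.group(2),
                       "foreign": m.group(3), "state": m.group(4) or "",
                       "pid": int(m.group(5)) if m.group(5) else None, "image": None}
            records.append(current)
        elif current is not None and stripped.startswith("[") and stripped.endswith("]"):
            current["image"] = stripped[1:-1]      # -b prints the owning image last, in brackets
        elif current is not None and stripped.startswith("Can not obtain ownership"):
            current["image"] = "<unknown>"
    return records


def first_seen(records):
    """Map (image, pid, foreign endpoint) -> snapshot where it first appeared.

    Listeners and wildcard/loopback peers are skipped: the interesting rows are real remote peers.
    """
    seen = {}
    for r in records:
        if r["state"] == "LISTENING" or r["foreign"].startswith(("0.0.0.0", "*:", "127.")):
            continue
        seen.setdefault((r["image"], r["pid"], r["foreign"]), r["snapshot"])
    return seen


def triage(records, expected_images):
    """Findings: each outbound peer with the snapshot it first showed up in, plus images outside the expected set."""
    findings = [("outbound", image, pid, foreign, snap)
                for (image, pid, foreign), snap in first_seen(records).items()]
    for image in sorted({r["image"] or "<none>" for r in records} - set(expected_images)):
        findings.append(("unexpected-image", image, None, None, None))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_netstat_log(SAMPLE_LOG), {"svchost.exe", "System", "lsass.exe"}):
        print(finding)
```

With a 5-second interval the snapshot index converts directly to time since the log started, so the "outbound" findings tell you roughly when overnight a process first reached out, which is the question the log was kept to answer.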

Fport from Foundstone is another useful program for displaying ports and the paths to the executables used to launch the connections.

Nbtstat is a native Windows utility and the command nbtstat -S will list any network connections using the NBT protocol. Nbtstat -s will convert IP addresses to NetBIOS names. And using nbtstat -S 5 >nbtlog.txt will create a log file that is updated every 5 seconds.

And once again SysInternals do it with a nice GUI that does it all. TCPView provides a realtime view of connections so you can easily identify what is listening or connected. It can resolve DNS names for you and you have the option of only listing established connections or viewing all unconnected endpoints as well (shown below).

As new connections are established they are displayed briefly in green and as they are terminated they are displayed in red before disappearing.

Smartsniff from Nirsoft is a fantastic tool for viewing live connections. But it does a few extras also. SmartSniff can capture from either RAW sockets or using a WinPCAP driver, can display the contents of the connections, can easily apply filters to traffic to focus on particular connections, hosts or protocols. SmartSniff can save the contents of the captures to file for further analysis and can also produce detailed HTML reports. Below is a screenshot of SmartSniff in action.


Once Malware is installed and running on your system it will leave various footprints. As Locard’s exchange principle states, when two objects come into contact a transfer of material takes place between them. Using the information I have provided and the free tools I have listed, the discovery of that material may be a little easier.

Personally, if I locate Malware on a PC all that the current build of that PC is good for is investigation. Following that, format and reinstall.


Spook said...

Came Across some good commands and tools in this post. N1

SynJunkie said...
This comment has been removed by the author.
SynJunkie said...

Thanks Spook. I really should update it, i have learned a lot since I posted this and could probably make it better.

Nelson said...


That's classy man! Great piece of work,
Nice post having excellent contents. I have been searching for this type of posts. Thank you so much for sharing. Keep blogging.
My system got infected with the Malware, so I’ve been trying to fix it all day, and your post helped me out a lot. Really a very nice detailed review and very very helpful.

By the way for more information check this link: