Which Windows malware tools are available to monitor a specific virus?

A SearchMidmarketSecurity.com reader asks our resident security expert Tom Chmielarski, "Which Windows malware tools will help you examine the actions of a specific virus on your computer?"

From time to time, when responding to a malware infection, it is useful to determine what changes that malware is making to your system. Is it writing data to any files? Has it modified any registry keys? Is it listening on any network ports? These are all good questions that will help you understand the threat and respond to it correctly.

Keep in mind that malware may try to hide from examination, so you should not trust the operating system that is running the malware to tell you what is happening.

A skilled developer can disassemble the malware's components and determine (mostly) what the malware is doing. That level of sophisticated analysis is far outside the scope of this answer, so I'll focus instead on ways of identifying some of the basic actions. Bear in mind that malware designers are often very skilled people (or teams) who apply a lot of excellent security methods to keep their creations undetected.

Virtual machines are a convenient tool for examining the workings of a malware sample. A virtual machine gives you a consistent and easy-to-replace platform for testing malicious code that you've encountered. The downside of virtualization, however, is that it is easy for malware to determine that it is running in a virtual environment and possibly act differently, or not activate at all, avoiding detection.

An excellent Windows malware tool, borrowed from the sysadmin realm, is Microsoft's Process Monitor. This examination tool, originally from Sysinternals, lets you trace activity across the whole system or for a specific process. You can watch all of the file accesses, the DLLs loaded by each process, the registry keys read and written, and a variety of other activity. It is a very powerful and handy tool.
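Process Monitor can save a trace as CSV (File > Save, CSV format), and a short script can then answer the opening paragraph's three questions for each process: which files it wrote, which registry keys it modified, and whether it accepted or initiated network connections. The script below is an added example, not code from the original answer or from Sysinternals. The trace it parses is a constructed sample with made-up process names, paths and addresses, and the column headings and operation labels it relies on are the default Procmon export columns and operation names as I know them; check them against your own export before relying on the script.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (default columns). The
# process names, PIDs, paths and addresses are made up for this example.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","updater.exe","4120","CreateFile","C:\\Users\\Public\\svc.dll","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","updater.exe","4120","WriteFile","C:\\Users\\Public\\svc.dll","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.3","updater.exe","4120","RegSetValue","HKCU\\Software\\Example\\Updater\\InstallPath","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Public\\svc.dll"
"10:01:02.4","updater.exe","4120","Load Image","C:\\Windows\\System32\\ws2_32.dll","SUCCESS","Image Base: 0x7ff8a0000000, Image Size: 0x80000"
"10:01:02.5","updater.exe","4120","TCP Connect","host-a:49712 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:03.0","updater.exe","4120","TCP Accept","host-a:8080 -> 198.51.100.7:52100","SUCCESS","Length: 0"
"10:01:03.1","updater.exe","4120","CreateFile","C:\\Windows\\System32\\drivers\\etc\\hosts","ACCESS DENIED","Desired Access: Generic Write"
"10:01:03.2","notepad.exe","2288","ReadFile","C:\\Windows\\notepad.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.3","notepad.exe","2288","RegQueryValue","HKCU\\Software\\Microsoft\\Notepad\\fWrap","SUCCESS","Type: REG_DWORD, Data: 0"
"""

# Operation labels as they appear in Procmon's Operation column.
FILE_WRITE_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
NET_ACCEPT_OPS = {"TCP Accept"}
NET_OUT_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def triage_procmon(csv_text):
    """Group a Procmon CSV export by PID and record, per process, the files it
    wrote, registry keys it modified, local endpoints it accepted connections
    on, remote endpoints it talked to, images it loaded, and failed operations."""
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["PID"])
        entry = summary.setdefault(pid, {
            "process": row["Process Name"],
            "files_written": set(), "registry_modified": set(),
            "listening": set(), "outbound": set(), "images_loaded": set(),
            "failed": [],
        })
        op, path, result, detail = row["Operation"], row["Path"], row["Result"], row["Detail"]
        if result != "SUCCESS":
            # Denied or failed attempts are still evidence of intent; keep them.
            entry["failed"].append((op, path, result))
            continue
        if op in FILE_WRITE_OPS or (op == "CreateFile" and
                                    ("Generic Write" in detail or "Write Data" in detail)):
            entry["files_written"].add(path)
        elif op in REG_WRITE_OPS:
            entry["registry_modified"].add(path)
        elif op in NET_ACCEPT_OPS:
            entry["listening"].add(path.split(" -> ")[0])   # local endpoint
        elif op in NET_OUT_OPS:
            entry["outbound"].add(path.split(" -> ")[1])    # remote endpoint
        elif op == "Load Image":
            entry["images_loaded"].add(path)
    return summary


def processes_of_interest(summary):
    """PIDs that wrote files, changed the registry or touched the network."""
    return sorted(pid for pid, e in summary.items()
                  if e["files_written"] or e["registry_modified"]
                  or e["listening"] or e["outbound"])


def format_report(summary):
    """Plain-text report, one process per section."""
    lines = []
    for pid in sorted(summary):
        e = summary[pid]
        lines.append(f"{e['process']} (PID {pid})")
        for key in ("files_written", "registry_modified", "listening", "outbound", "images_loaded"):
            for item in sorted(e[key]):
                lines.append(f"  {key}: {item}")
        for op, path, result in e["failed"]:
            lines.append(f"  {result}: {op} {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage_procmon(SAMPLE_PROCMON_CSV)))
```

To use it on a real trace, read the exported file instead of the embedded sample and filter Procmon to the suspect process first; an unfiltered system trace is large, and the per-PID grouping is what keeps the answers to the three questions readable.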

Because most malware is capable of communicating over the network, a key tool in your arsenal should be a program like ActivePorts or Foundstone's fport that lets you determine which processes are using a network interface. Microsoft's Port Reporter is another robust option. According to its listed features, Port Reporter logs the ports that are used, the processes that use each port, the modules (.dll, .drv, and so on) that a process loads, and the user accounts that start a process. It is a two-part application designed to examine systems that may be compromised.
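The same port-to-process question that fport, ActivePorts and Port Reporter answer can also be worked from captured output of the built-in `netstat -ano` and `tasklist /fo csv` commands, which is handy when you have collected text from a suspect machine and want to review it elsewhere. The script below is an added example, not part of the original answer or of any of those tools; the netstat and tasklist text it parses is constructed sample output, and the process names, PIDs and addresses in it are made up. It also reports any socket whose owning PID does not appear in the task list, which is one concrete way the earlier caveat about not trusting the compromised system's own view shows up in practice.

```python
import csv
import io

# Constructed sample of `netstat -ano` output from a Windows host. Every
# address, port and PID in it is made up for this example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.5:49712      203.0.113.10:443       ESTABLISHED     4120
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:5355           *:*                                    1324
  UDP    0.0.0.0:6000           *:*                                    4120
  UDP    0.0.0.0:31337          *:*                                    7788
"""

# Constructed sample of `tasklist /fo csv` output from the same host. PID 7788
# is deliberately absent so the example shows a socket with no visible owner.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"svchost.exe","892","Services","0","12,344 K"
"svchost.exe","1324","Services","0","9,120 K"
"updater.exe","4120","Console","1","31,008 K"
"""

UNKNOWN = "<not in tasklist>"


def parse_netstat(text):
    """Return one dict per socket line of `netstat -ano` output.

    TCP lines carry a State column and UDP lines do not, so the PID is always
    read from the last column and the state from the fourth only when present.
    """
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""
        port = int(local.rsplit(":", 1)[1])  # handles 1.2.3.4:80 and [::]:80
        sockets.append({"proto": proto, "local": local, "port": port,
                        "foreign": foreign, "state": state, "pid": int(parts[-1])})
    return sockets


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def correlate(netstat_text, tasklist_text):
    """Attach the owning process name to every socket and mark listeners."""
    names = parse_tasklist(tasklist_text)
    rows = []
    for sock in parse_netstat(netstat_text):
        # A bound UDP socket is effectively a listener; TCP needs LISTENING.
        listening = sock["proto"] == "UDP" or sock["state"] == "LISTENING"
        rows.append({**sock, "listening": listening,
                     "process": names.get(sock["pid"], UNKNOWN)})
    return rows


def listening_ports_for(rows, process_name):
    """Distinct (proto, port) pairs a named process is listening on."""
    return sorted({(r["proto"], r["port"]) for r in rows
                   if r["listening"] and r["process"] == process_name})


def remote_endpoints_for(rows, process_name):
    """Foreign endpoints of established TCP connections for a named process."""
    return sorted({r["foreign"] for r in rows
                   if r["state"] == "ESTABLISHED" and r["process"] == process_name})


def unknown_owners(rows):
    """PIDs that own a socket but do not appear in the task list."""
    return sorted({r["pid"] for r in rows if r["process"] == UNKNOWN})


if __name__ == "__main__":
    rows = correlate(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for r in rows:
        flag = "LISTEN" if r["listening"] else r["state"]
        print(f"{r['proto']:<4} {r['local']:<22} {flag:<12} {r['pid']:>5} {r['process']}")
    print("sockets with no visible owner:", unknown_owners(rows))
```

A PID that netstat reports but tasklist does not list is not proof of anything by itself (the process may simply have exited between the two commands), but it is exactly the kind of inconsistency that justifies checking the host with known-good tools rather than its own utilities.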

Forensic tools are often well suited to examining system activity and history. There are a few incident response-focused bootable CDs containing Windows binaries that can be run as safe, known-good tools for data collection on a compromised system. The Windows Forensic Toolkit (WFT) is one such CD, but the newest version is no longer free for commercial use. Helix is another live CD, but it is also no longer free. Guidance Software Inc.'s EnCase and AccessData Corp.'s FTK forensic products have advanced features that will let you collect detailed system and memory information, along with a forensic image, provided you have the budget for these tools.

Lastly, there are sandbox tools, including CWSandbox and Norman Sandbox, that are designed specifically to collect information on what a given piece of software does as it runs.

As a tangent, I'd recommend anyone interested in the security efforts used by malware developers read up on the Conficker / Downadup botnet, malware that uses a variety of techniques to obscure itself and make examination tricky. A Conficker working group is dedicated to examining and eradicating it.

Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.

This was first published in July 2010