A SearchMidmarketSecurity.com reader asks our resident security expert Tom Chmielarski, "Which Windows malware tools will help you examine the actions of a specific virus on your computer?"
From time to time, when responding to a malware infection, it is useful to determine what changes the malware is making to your system. Is it writing data to any files? Has it modified any registry keys? Is it listening on any network ports? These are all good questions whose answers will help you understand the threat and respond to it correctly.
Keep in mind that malware may try to hide from examination, so you should not trust the operating system that is running the malware to tell you what is happening. A rootkit can hook the very APIs that monitoring tools depend on, so cross-check what the infected host reports against a view it cannot tamper with: a packet capture taken on another machine, a port scan from outside, or the disk and memory examined offline.
Malware authors are often skilled people (or teams) who put a great deal of effort into keeping their creations undetected and hard to analyze. A skilled reverse engineer can disassemble the malware's components and determine, for the most part, what it is doing, but that level of analysis is far outside the scope of this answer, so I'll focus instead on ways of identifying some of its basic actions.
Virtual machines are a convenient tool for examining a malware sample. A snapshot gives you a consistent platform that you can revert to after each run, and the guest can be kept on an isolated, host-only network so the sample cannot reach anything real. The downside of virtualization is that malware can often detect a virtual environment (by looking for hypervisor-specific hardware, drivers or registry keys) and then behave differently or not activate at all, so a sample that does nothing inside a VM has not been shown to be harmless.
An excellent Windows malware tool, borrowed from the sysadmin realm, is Process Monitor (Procmon), written by Sysinternals and now distributed by Microsoft as part of the Sysinternals suite. It lets you trace activity across the whole system or for a specific process: every file access, the DLLs (images) each process loads, the registry keys read and written, process and thread creation, and TCP and UDP activity. It is a very powerful and handy tool. Be aware, though, that it loads a kernel driver and is visible in the process list, so malware that checks for analysis tools can notice it.
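The following is an added example (not code from the original answer) showing how a practitioner would drive Process Monitor from PowerShell inside a disposable VM: capture while the sample runs, export the trace to CSV so it can be read without the Procmon UI, and summarize the file writes, registry changes, image loads, network events and child processes attributed to the sample. The sample path, its image name, the working directory and the run window are assumptions; `procmon.exe` is assumed to be on the PATH, and the column names are those of Procmon's own CSV export.

```powershell
# Added example: capture a sample's behaviour with Process Monitor and summarise it.
# Run inside a snapshotted, network-isolated VM from an elevated PowerShell.
param(
    [string]$SampleExe  = 'C:\samples\sample.exe',  # assumed path to the sample
    [string]$ProcName   = 'sample.exe',             # image name as Procmon reports it
    [string]$WorkDir    = 'C:\procmon',             # assumed scratch directory
    [int]   $RunSeconds = 60                        # how long to let the sample run
)

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$pml = Join-Path $WorkDir 'capture.pml'   # Procmon's native binary log
$csv = Join-Path $WorkDir 'capture.csv'   # text export we will actually read

# 1. Start tracing to a backing file, with no UI, before the sample is launched.
Start-Process procmon.exe -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Start-Sleep -Seconds 5    # give Procmon time to load its driver

# 2. Run the sample for a fixed window, then stop both it and the trace.
$sample = Start-Process -FilePath $SampleExe -PassThru
Start-Sleep -Seconds $RunSeconds
Stop-Process -Id $sample.Id -Force -ErrorAction SilentlyContinue
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait

# 3. Convert the .pml to CSV. Procmon's export header is:
#    "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
Start-Process procmon.exe -ArgumentList "/OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

# 4. Keep only successful operations by the sample's own process.
#    (Children it spawns have their own names; pivot on the 'Process Create' list below.)
$events = Import-Csv $csv |
    Where-Object { $_.'Process Name' -eq $ProcName -and $_.Result -eq 'SUCCESS' }

# 5. Bucket the events into the questions asked above: files, registry, DLLs, network, children.
$report = [ordered]@{
    'Files written'     = $events | Where-Object { $_.Operation -eq 'WriteFile' }
    'Registry modified' = $events | Where-Object {
                              $_.Operation -in @('RegSetValue','RegCreateKey','RegDeleteValue','RegDeleteKey') }
    'DLLs loaded'       = $events | Where-Object { $_.Operation -eq 'Load Image' }
    'Network activity'  = $events | Where-Object { $_.Operation -like 'TCP *' -or $_.Operation -like 'UDP *' }
    'Processes spawned' = $events | Where-Object { $_.Operation -eq 'Process Create' }
}

foreach ($section in $report.Keys) {
    "`n== $section =="
    $report[$section] |
        Group-Object Operation, Path -NoElement |   # collapse repeated hits on the same path
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
}

# Keep the raw export alongside the summary; it is the evidence, the summary is only a view of it.
"Raw trace: $csv"
```

Filtering on the sample's image name is deliberate but incomplete: a dropper that writes a second executable and launches it shows that in the "Processes spawned" list, and the same summary should then be re-run for each child name. Because Procmon runs inside the guest, a kernel-mode rootkit can still hide from it; the trace is a starting point, not proof of absence.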
Because most malware communicates over the network, a key tool in your arsenal should be a program such as ActivePorts or Foundstone's fport that maps open ports to the processes using them (on current Windows versions, netstat -ano gives the same PID mapping, and netstat -b names the executable when run elevated). Microsoft's Port Reporter is another robust option. According to its listed features, Port Reporter logs the ports that are used, the processes that use them, the modules (.dll, .drv and so on) each process loads, and the user accounts that start each process. It is a two-part application, a logging service plus a parser for the logs it writes, designed for examining systems that may be compromised.
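As an added example (not code from the original answer or from any of the tools named above), the script below reproduces the information fport and Port Reporter provide using built-in cmdlets: every TCP listener or established connection and every UDP endpoint, joined to the owning process, its image path, the account that started it and the modules it has loaded. It also diffs the host's own view against a port list gathered from outside, which is the cross-check the earlier warning about not trusting the infected OS calls for. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (`Get-NetTCPConnection` and `Get-NetUDPEndpoint` do not exist on XP), and the external scan result is a constructed placeholder you would replace with the output of a scan run from another machine.

```powershell
# Added example: map network endpoints to processes, users and modules, then
# compare the host's view with an outside scan. Requires elevation for
# Get-Process -IncludeUserName and for reading other processes' module lists.
#Requires -RunAsAdministrator

# Constructed placeholder: TCP ports seen open by a scanner on a DIFFERENT machine.
# Replace with real scan output; the point is that this list was not produced by the suspect host.
$externalOpenTcpPorts = @(135, 445, 3389, 4444)

# 1. Collect endpoints the host itself admits to.
$endpoints = @(
    Get-NetTCPConnection | Where-Object { $_.State -in @('Listen', 'Established') } | ForEach-Object {
        [pscustomobject]@{
            Proto = 'TCP'
            Local = "$($_.LocalAddress):$($_.LocalPort)"
            Port  = [int]$_.LocalPort
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            State = [string]$_.State
            PID   = [int]$_.OwningProcess
        }
    }
    Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto = 'UDP'
            Local = "$($_.LocalAddress):$($_.LocalPort)"
            Port  = [int]$_.LocalPort
            Remote = '*'
            State = '-'
            PID   = [int]$_.OwningProcess
        }
    }
)

# 2. Index running processes by PID; -IncludeUserName is what tells you whether
#    SYSTEM or an interactive account started a listener.
$procs = @{}
foreach ($p in Get-Process -IncludeUserName) { $procs[[int]$p.Id] = $p }

# 3. Join endpoints to processes and enrich with path and loaded modules.
$rows = foreach ($e in $endpoints) {
    $p = $procs[$e.PID]
    $modules = $null
    if ($p) {
        try   { $modules = ($p.Modules | ForEach-Object { $_.FileName }) -join ';' }
        catch { $modules = '(access denied)' }   # protected or already-exited process
    }
    [pscustomobject]@{
        Proto   = $e.Proto
        Local   = $e.Local
        Remote  = $e.Remote
        State   = $e.State
        PID     = $e.PID
        Process = if ($p) { $p.ProcessName } else { '(no such process)' }
        User    = if ($p) { $p.UserName }    else { $null }
        Path    = if ($p) { $p.Path }        else { $null }
        Modules = $modules
    }
}

$rows | Sort-Object Proto, Port | Format-Table Proto, Local, Remote, State, PID, Process, User, Path -AutoSize
$rows | Export-Csv -NoTypeInformation -Path "$env:TEMP\endpoints.csv"   # keep the full record, modules included

# 4. Cross-check: a port that answers from outside but is absent from the host's own
#    TCP listener list is exactly what a rootkit hiding a backdoor would produce.
$hostListening = $rows | Where-Object { $_.Proto -eq 'TCP' -and $_.State -eq 'Listen' } |
                 ForEach-Object { $_.Port } | Sort-Object -Unique
$hidden = Compare-Object -ReferenceObject $externalOpenTcpPorts -DifferenceObject @($hostListening) |
          Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject }
if ($hidden) {
    "WARNING: open from outside but not listed by this host: $($hidden -join ', ')"
} else {
    'External scan and local listener list agree.'
}
```

Two things to read with care in the output: a listener whose Path is empty or points into a user-writable directory such as %TEMP%, and an "(access denied)" module list on a process that is not a known protected process. Both deserve a closer look with Process Monitor. On a system older than Windows 8 the same join can be built from the PID column of `netstat -ano` in place of the two Get-Net* cmdlets.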
Forensic tools are often well suited to examining system activity and history. There are a few incident response-focused CDs that carry known-good Windows binaries which can be run from the read-only media on a live, possibly compromised system to collect data without relying on the tools already installed there (they still run on the suspect kernel, so the caveat about trusting the infected operating system applies). The Windows Forensic Toolchest (WFT) is one such CD, but the newest version is no longer free for commercial use. Helix is another live CD but is also no longer free. Guidance Software Inc.'s EnCase and AccessData Corp.'s FTK forensic products have advanced features that will allow you to collect detailed system and memory information, along with a forensic image, provided you have the budget for these tools.
As a tangent, I'd recommend that anyone interested in the defensive techniques used by malware developers read up on the Conficker (Downadup) botnet, malware that uses a variety of techniques to obscure itself and make examination tricky. A Conficker Working Group is dedicated to examining and eradicating it.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.