BOT detection ideas. In each case, upon the launch of a BOT, at least one process was run on the system. Some of these processes were stealthy, in that they did not show up in the Microsoft Windows Task Manager, but we were able to capture all of them with PsList, Process Explorer or Process Monitor. In some cases another aid was needed to capture the process, because the process disappeared after it executed; in cases such as this we employed Flypaper. The processes that did not disappear would begin running again upon reboot. In at least one case an application was added to the system. This application actually presented itself in Microsoft Task Manager, and it also ran each time the system was rebooted. In each case DLLs and registry entries were modified and/or added to the system. In some cases other files were added to the system as well; these files were usually .exe or .txt files.

During some of the BOT analyses the system made attempts to contact other computers or servers. This activity was browser- and/or email (SMTP)-driven. Often there were programs running in the background on the system (for example, Visual Basic or some variant of C). These programs were attempting to 'GET' passwords and logins to pass on to the BOT herder. Within the memory of the executable that contained these programs we also found code to turn off security features that might be present on a system.

In regard to our hypotheses on the matter of BOT detection, we have come up with a couple of different avenues that we feel could be explored. One concerns the programming logic that is being executed: is it running in a linear fashion, or is it sporadic in its movement? Another possibility for determining whether a BOT has invaded a system might be the evidence provided by polling of I/O devices. In other words, does the polling make logical sense given the program(s) that are running, or does it exceed the expected parameters? Finally, the subject of hooks and DLLs brings us to the question of whether detection could be provided by knowing whether a DLL hook is legitimate or from a BOT.
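The observations above (processes that restart at reboot, DLLs and registry entries added, and the open question of whether a DLL hook is legitimate) suggest one concrete detection avenue: snapshot the system's auto-start entries before infection and diff them against a later snapshot, then score every new or changed entry on whether its image is signed, where it lives, and whether the location is a hook-type one that injects a DLL into other processes. The following Python script is an added example written for this page, not code from the original report or from any of the tools it lists. The two CSV snapshots are constructed sample data in a layout modelled on Autoruns' CSV output (only a subset of its columns is assumed here); the trusted-directory list and the treatment of AppInit_DLLs as a hook-type location are this example's own assumptions.

```python
"""Added example: diff two auto-start snapshots and score new persistence."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed baseline snapshot (assumed column subset of an Autoruns CSV export).
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Image Path,Signer,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,c:\windows\system32\securityhealthsystray.exe,(Verified) Microsoft Windows,%windir%\system32\SecurityHealthSystray.exe
HKLM\System\CurrentControlSet\Services,Dhcp,enabled,c:\windows\system32\svchost.exe,(Verified) Microsoft Windows,%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
"""

# Constructed snapshot taken after the sample ran: two entries have appeared.
CURRENT_CSV = r"""Entry Location,Entry,Enabled,Image Path,Signer,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,c:\windows\system32\securityhealthsystray.exe,(Verified) Microsoft Windows,%windir%\system32\SecurityHealthSystray.exe
HKLM\System\CurrentControlSet\Services,Dhcp,enabled,c:\windows\system32\svchost.exe,(Verified) Microsoft Windows,%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winupd,enabled,c:\users\alice\appdata\local\temp\winupd.exe,(Not verified),c:\users\alice\appdata\local\temp\winupd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows,AppInit_DLLs,enabled,c:\windows\temp\hook32.dll,(Not verified),c:\windows\temp\hook32.dll
"""

# Assumption: directories whose contents are normally installed by the OS or an admin.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: entry names whose value is a DLL loaded into other processes (a hook).
HOOK_ENTRY_NAMES = {"appinit_dlls"}


@dataclass(frozen=True)
class Entry:
    location: str
    name: str
    image: str   # lower-cased path of the binary or DLL the entry launches/loads
    signer: str


def parse_snapshot(text: str) -> dict[tuple[str, str], Entry]:
    """Parse a CSV snapshot into a map keyed by (entry location, entry name)."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        entry = Entry(row["Entry Location"], row["Entry"], row["Image Path"].lower(), row["Signer"])
        entries[(entry.location, entry.name)] = entry
    return entries


def score_entry(entry: Entry) -> list[str]:
    """Return the reasons an auto-start entry deserves a closer look (empty = benign-looking)."""
    reasons = []
    if not entry.signer.startswith("(Verified)"):
        reasons.append("unsigned or unverified image")
    if not any(entry.image.startswith(d) for d in TRUSTED_DIRS):
        reasons.append("image outside trusted directories")
    if "\\temp\\" in entry.image:
        reasons.append("image in a temp directory")
    if entry.name.lower() in HOOK_ENTRY_NAMES:
        reasons.append("hook-type location: DLL is injected into other processes")
    return reasons


def find_new_persistence(baseline_csv: str, current_csv: str) -> list[tuple[Entry, list[str]]]:
    """Entries that are new, or whose image changed, since the baseline, with their scores."""
    baseline = parse_snapshot(baseline_csv)
    findings = []
    for key, entry in parse_snapshot(current_csv).items():
        if key in baseline and baseline[key].image == entry.image:
            continue  # unchanged since the clean snapshot
        findings.append((entry, score_entry(entry)))
    return findings


if __name__ == "__main__":
    for entry, reasons in find_new_persistence(BASELINE_CSV, CURRENT_CSV):
        print(f"{entry.location}\\{entry.name} -> {entry.image}")
        for reason in reasons:
            print(f"    - {reason}")
```

The diff is keyed on location plus entry name and compares the image path, so an existing entry silently repointed at a different binary is reported alongside brand-new entries. Scoring is deliberately additive: a single reason (an unsigned image, say) is common on a real machine, but an unsigned DLL living in a temp directory and registered in a hook-type location is exactly the combination the report's observations describe.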
AutoRuns: This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them.
FastDump: The industry's most forensically sound Windows memory dumping utility.
Flypaper: Loads as a device driver and blocks all attempts to exit a process, end a thread, or delete memory. All components used by the malware will remain resident in the process list, and will remain present in physical memory. The entire execution chain is reported so you can follow each step. Then, once you dump physical memory for analysis, you have all the components 'frozen' in memory – nothing gets unloaded.
Handle: A utility that displays information about open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program.
LiveKD: Allows you to run the Kd and Windbg Microsoft kernel debuggers, which are part of the Debugging Tools for Windows package, locally on a live system. Execute all the debugger commands that work on crash dump files to look deep inside the system.
Osiris: A Host Integrity Monitoring System that periodically monitors one or more hosts for change. It maintains detailed logs of changes to the file system, user and group lists, resident kernel modules, and more.
Process Explorer (GUI-based version of Handle): Shows you information about which handles and DLLs processes have opened or loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
Process Monitor: An advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.
SNORT: An open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods.
TCPView: A Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, NT, 2000 and XP, TCPView also reports the name of the process that owns the endpoint.
Wireshark: A network protocol analyzer.
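The report notes that the infected systems' outbound activity was browser- and/or SMTP-driven, and TCPView is listed above because it ties each endpoint to the process that owns it. That pairing gives a second detection heuristic: SMTP connections owned by a process that is not an approved mail client, or one process fanning SMTP out to many distinct hosts. The following Python script is an added example written for this page, not code from the original report or from TCPView itself. The endpoint table is constructed sample data in a simple CSV layout (assumed, not TCPView's export format), and the mail-client allowlist and fan-out threshold are this example's own assumptions.

```python
"""Added example: flag SMTP activity from unexpected processes in an endpoint listing."""
import csv
import io
from collections import defaultdict

# Constructed per-process endpoint listing (columns assumed for this example).
SAMPLE_ENDPOINTS = """process,pid,protocol,local_address,local_port,remote_address,remote_port,state
outlook.exe,1204,TCP,192.168.1.10,51000,203.0.113.5,25,ESTABLISHED
chrome.exe,2210,TCP,192.168.1.10,51001,198.51.100.20,443,ESTABLISHED
svchost.exe,980,UDP,0.0.0.0,123,*,*,
winupd.exe,3344,TCP,192.168.1.10,51010,203.0.113.7,25,ESTABLISHED
winupd.exe,3344,TCP,192.168.1.10,51011,203.0.113.8,25,SYN_SENT
winupd.exe,3344,TCP,192.168.1.10,51012,203.0.113.9,25,SYN_SENT
winupd.exe,3344,TCP,192.168.1.10,51013,203.0.113.10,25,ESTABLISHED
"""

# Assumption: processes that are allowed to speak SMTP on this host.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# SMTP submission ports (25 is the classic port; 587 is the submission port).
SMTP_PORTS = {"25", "587"}
# Assumption: a workstation mail client rarely talks to this many SMTP servers at once.
SPAM_FANOUT_THRESHOLD = 3


def smtp_anomalies(endpoint_csv: str) -> dict[tuple[str, str], list[str]]:
    """Map (process, pid) -> reasons, for every process whose SMTP use looks wrong."""
    smtp_hosts_by_process = defaultdict(set)
    for row in csv.DictReader(io.StringIO(endpoint_csv)):
        if row["protocol"] != "TCP" or row["remote_port"] not in SMTP_PORTS:
            continue  # only outbound TCP to an SMTP port is of interest here
        key = (row["process"].lower(), row["pid"])
        smtp_hosts_by_process[key].add(row["remote_address"])

    findings = {}
    for (process, pid), hosts in smtp_hosts_by_process.items():
        reasons = []
        if process not in MAIL_CLIENTS:
            reasons.append("SMTP traffic from a process that is not an approved mail client")
        if len(hosts) >= SPAM_FANOUT_THRESHOLD:
            reasons.append(f"SMTP fan-out to {len(hosts)} distinct remote hosts")
        if reasons:
            findings[(process, pid)] = reasons
    return findings


if __name__ == "__main__":
    for (process, pid), reasons in smtp_anomalies(SAMPLE_ENDPOINTS).items():
        print(f"{process} (pid {pid}):")
        for reason in reasons:
            print(f"    - {reason}")
```

Either reason on its own is worth a look; the two together (an unfamiliar binary opening SMTP sessions to several servers in quick succession) is the spam-relay pattern, and the process name and PID it reports are what you would then hand to Process Explorer or Handle to see which DLLs and files that process has loaded.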