Malware Infects Baseline Analysis


Page 1 of 46
Name: Allen Galvan
Due: 27 October 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #1: Malware
Last printed 10/26/2005 1:43:00 a10/p10 Page 1
Page 2 of 46
Lab Report Instructions ......... 3
Report Observations and Findings ......... 4
  Baseline ......... 4
  Post-Baseline Firefox ......... 4
  Post-Baseline IE ......... 4
  Conclusions ......... 5
Baseline ......... 8
  B01.AutoRuns Baseline (Startup Programs) ......... 8
  B02.Current Installed Programs Baseline ......... 9
  B03.Processes.Baseline ......... 10
  B04.Hijack This Baseline (Registry, for hacker activity) ......... 11
  B05.TCPView.Baseline (Data Error Capturing Data) ......... 12
  B06.TDIMon.Baseline.txt (Tcp/Udp activity) ......... 13
  B07.Rootkit Revealer Baseline (blank page, no rootkit found) ......... 14
  B09.Process Explorer.Baseline.txt ......... 16
  B10.RegMon.Baseline.txt (Applications accessing Registry) ......... 17
  B11.Add-Remove Programs Baseline ......... 18
Post-Baseline Firefox ......... 19
  C01.TCPView Firefox Google (Data Error Capturing Data) ......... 19
  C02.TCPView Firefox Spyware Sites.txt ......... 20
  C03.Autoruns.Firefox.post-Baseline.txt ......... 21
  C04.Currently Installed Programs Firefox Post-Baseline ......... 22
  C05.Processes Firefox Post-Baseline ......... 23
  C06.Hijack This Firefox Post-Baseline.txt ......... 24
  C07.TCPView Firefox Post-Baseline.txt ......... 25
  C08.TDIMon.Firefox.Post-Baseline.txt ......... 26
  C09.Rootkit Revealer Firefox Post-Baseline.txt (blank page, no rootkit found) ......... 27
  C10.Process.Explorer.Firefox.Post-line.txt ......... 28
Post-Baseline IE ......... 29
  D01.TCPView.IE.Google.txt ......... 29
  D02.TCPView.IE.Spyware.Sites.txt ......... 30
  D03Autoruns.IE.Post-Baseline.txt (Startup Spyware) ......... 31
  D04.Currently Installed Programs IE post-Baseline.bmp (Spyware) ......... 32
  D06.Hijack This IE Post Baseline.txt ......... 35
  D07.TCPView IE Post Baseline.txt (missing screen shot) ......... 36
  D08.TDIMon IE Post Baseline.txt ......... 37
  D09.Rootkit Revealer IE Post-Baseline.txt (blank page, no rootkit found) ......... 39
  D10.Process Explorer IE Post-Baseline.txt ......... 40
  D12.Add-Remove Programs IE Post-Baseline.bmp (Malware) ......... 45
  D13.Spybot IE Post-Baseline.bmp (unresolved Spyware) ......... 46
Page 3 of 46
Lab Report Instructions
This lab has a series of questions that you will answer to demonstrate that you have done the tutorial and understand the main concepts. Each student will hand in a printed copy of the lab report at the next lab class with the answers to each question. The lab report will also be submitted electronically (e-mailed to the instructor, due on the day of the next lab). The main body of the lab report should be no more than 2 pages long (max).
  • What are your observations?
  • What are your findings?
  • How does Firefox compare to IE?
  • How is the Baseline used?
  • What are the differences?
  • Why are there differences?
All of the supporting data and screen shots should be placed in the appendix. This appendix could be very long. Some output files could be very long. In the printed lab report, only include the first few pages. Each output file should be clearly labeled to indicate what it is.

Part II
Verify that the anti-virus software is working. Use the EICAR test file. Download the .TXT and .ZIP files.
  • Any differences in behavior between the 2 file types?
Turn off the anti-virus software. Download the .TXT and .ZIP files.
  • What happened?
  • Any differences in behavior between the 2 file types?
Turn on the anti-virus software.
  • Try opening one of the test files.
  • What happened?
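Part II asks what differs between the EICAR .TXT and .ZIP downloads. The Python below is an added illustration, not part of the lab hand-out or of any anti-virus product: it builds both files in memory and contrasts a scanner that only matches a signature against the bytes it is handed with one that opens ZIP archives and scans their members. The EICAR string is the standard 68-byte test string; `SIGNATURE`, `naive_scan`, `archive_aware_scan` and the size and depth limits are this example's own assumptions.

```python
"""Added example, not from the lab or any anti-virus product: why the EICAR
test file that a scanner catches as plain text can be missed once it is zipped,
and how scanning inside archives closes the gap. Helper names are this
example's own."""
import io
import zipfile

# The standard 68-byte EICAR test string. It is inert by design; a compliant
# scanner reports any file that begins with it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Stand-in for a signature-database entry: the distinctive substring a
# byte-pattern scanner matches on. (Hypothetical; real engines use more.)
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def make_txt() -> bytes:
    """The eicar.com.txt download from Part II of the lab."""
    return EICAR


def zip_bytes(payload: bytes, name: str = "eicar.com.txt") -> bytes:
    """Wrap payload in an in-memory ZIP, the way the .ZIP download is built."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def naive_scan(data: bytes) -> bool:
    """Match the signature against exactly the bytes handed in.

    Deflate replaces the literal bytes with Huffman codes, so the signature is
    no longer present in the archive and this scan misses the zipped copy.
    """
    return SIGNATURE in data


def archive_aware_scan(data: bytes, depth: int = 0, max_depth: int = 4,
                       max_member: int = 8 * 1024 * 1024) -> bool:
    """Scan the raw bytes and, if they form a ZIP, every member inside it.

    Recursion is bounded by max_depth and members by max_member so a nested or
    highly compressible archive cannot turn the scanner into a decompression
    bomb victim.
    """
    if naive_scan(data):
        return True
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member:  # uncompressed size from the header
                continue  # skip rather than inflate; a real scanner would flag this
            if archive_aware_scan(zf.read(info), depth + 1, max_depth, max_member):
                return True
    return False


if __name__ == "__main__":
    txt, zipped = make_txt(), zip_bytes(make_txt())
    print("naive scan, .txt      :", naive_scan(txt))
    print("naive scan, .zip      :", naive_scan(zipped))
    print("archive-aware, .zip   :", archive_aware_scan(zipped))
    print("archive-aware, nested :", archive_aware_scan(zip_bytes(zipped, "inner.zip")))
```

The naive scan finds the signature in the .TXT and not in the .ZIP, which is the behaviour the report describes for an on-access scanner that does not unpack archives; the archive-aware scan finds it in both and in a zip nested inside a zip, while refusing to recurse without limit.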
Page 4 of 46
Report Observations and Findings
The purpose of this exercise was to find out what happens when one surfs the web in a secure manner, and to compare that with surfing the web in an insecure manner.

Baseline
The Baseline is the documentation of the original state of the system, as it was before the surfing tests began. Where the system deviated from the Baseline, the surfing behaviour that preceded the deviation was noted and likely conclusions were inferred.
  • The “B02.Current Installed Programs Baseline” screen (p. 8) and the “B11.Add-Remove Programs Baseline” screen (p. 20) both showed only 4 programs installed.
  • The “B07.Rootkit.Revealer.Baseline” screen on page 15 indicated that no rootkits were installed.
  • The “B08.Spybot.Baseline” screen on page 16 indicated no spyware was detected.

Post-Baseline Firefox
I surfed bad peer-to-peer web sites like www.Kazaa.com using Firefox off (means what?), and the system integrity was maintained. No rootkits were indicated by the “C09.Rootkit Revealer Firefox Post-Baseline.txt” screen on page 31. The “C04.Currently Installed Programs Firefox Post-Baseline” screen (p. 23) showed only 4 programs installed. These results also did not differ from the Baseline observations. There were no changes.

Post-Baseline IE
I surfed bad peer-to-peer web sites like www.Kazaa.com using IE on (means what?), and the system got infected with spyware as indicated on “D13.Spybot-IE Post-Baseline.bmp” (p. 30), “D03.Autoruns.IE.Post-Baseline.txt” (p. 35), “D04.Currently Installed Program IE post-Baseline.bmp” (p. 37), and “D12.Add-Remove Programs IE Post-Baseline.bmp” (p. 49). Also, the computer started misbehaving in an unpredictable manner:
  • Ads just popped up in the IE browser, without any user activity on the computer.
  • When I tried to remove one of the programs that I did not install, the Add-Remove screen froze, and I had to kill the process using Process Explorer to abnormally exit the process. When I brought the Add-Remove screen back up, the program was successfully removed.
Page 5 of 46
  • When I tried to remove another program that I did not install, it prompted me for a code. This behavior was not normal. It never happened before.
Spybot found numerous spyware infections, as indicated on the “D13.Spybot-IE Post-Baseline.bmp” screen on page 30. When I tried to clean or remove the spyware, some of the spyware instances persisted and could not be removed. No rootkits were indicated by “D09.Rootkit Revealer IE Post-Baseline.txt” on page 44.

Conclusions
The control state of the computer is the Baseline state. The experiment compares changes against this control state and assesses their impact on the integrity of the computer system.
The Baseline showed only 4 programs installed, as indicated by the “B02.Current Installed Programs Baseline” screen (p. 8) and the “B11.Add-Remove Programs Baseline” screen (p. 20). When I surfed using Firefox, the same programs were shown to be installed (the same as the Baseline), as indicated by the “C04.Currently Installed Programs Firefox Post-Baseline” screen (p. 23). This indicated that surfing the web using Firefox was secure. However, other unauthorized programs were installed after using IE, as indicated by “D04.Currently Installed Program IE post-Baseline.bmp” (p. 37) and “D12.Add-Remove Programs IE Post-Baseline.bmp” (p. 49). This indicated that surfing with IE was insecure.
The evidence indicates that I was able to surf in a relatively secure manner using the Firefox browser. The “B07.Rootkit.Revealer.Baseline” screen on page 15 indicated that no rootkits were installed. The “B08.Spybot.Baseline” screen on page 16 indicated no spyware was detected. All the unauthorized activity occurred Post-Baseline IE.
  • There was more unauthorized TCP/IP activity, indicated on D02.TCPView.IE.Spyware.Sites.txt.
  • There were more unauthorized processes and higher CPU activity, indicated on D03.Autoruns.IE.Post-Baseline.txt, D04.Currently Installed Programs IE post-Baseline.bmp, D05.Processes IE post-Baseline.bmp and D10.Process Explorer IE Post-Baseline.txt.
  • There were unauthorized programs that Spybot could not remove, as detailed on D13.Spybot IE Post-Baseline.bmp.
Also, the evidence indicates that I was not able to surf the web in a secure manner using Internet Explorer (IE), since Spybot found a number of installed spyware programs. The computer also began to act erratically.

Page 6 of 46
The “C09.Rootkit Revealer Firefox Post-Baseline.txt” screen on page 31 indicated no rootkits. Ultimately, in no case did Rootkit Revealer indicate the existence of any rootkits. It appears that this experiment did not install any rootkits. There is a possibility that a rootkit exists that was hidden from Rootkit Revealer.
Based on the findings of this experiment, I would prefer and recommend surfing the web using Firefox, as a more secure browser than Internet Explorer.
From personal experience, the McAfee anti-virus software found the EICAR test virus, verifying that it was working. McAfee did not find the EICAR test virus when it was zipped. The McAfee anti-virus software scan did not find the spyware that Spybot could not eliminate. Anti-malware programs do not provide adequate protection.
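The conclusions above compare the Baseline against the post-browsing snapshots by reading the screens side by side. The Python below is an added example, not the report's own tooling and not a feature of HijackThis or TCPView, that does the same comparison mechanically: each HijackThis item line and each TCPView row becomes a set member, and the script reports what appeared after the baseline. The sample lines are copied from sections B04/C06 (HijackThis) and C02/C07 (TCPView) of this report, trimmed to the relevant rows; the helper names and the `LOCAL_HOSTS` filter are this example's assumptions. On those samples it reports the R0 start-page entry and the O16 DPF installer that are present in C06 but not in B04, and the new off-box peers of firefox.exe in C07 (cdn.fastclick.net and 208.53.131.181).

```python
"""Added example (not from the report, HijackThis or TCPView): mechanise the
baseline comparison the lab does by eye. Sample lines are copied from sections
B04/C06 and C02/C07 of the report; everything else is hypothetical helper code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis item lines from B04 (baseline) and C06 (after browsing with Firefox).
HJT_BASELINE = r"""
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
"""
HJT_FIREFOX = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.qsrch.com/
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
"""

# HijackThis numbers its findings R0-R3, F0-F3, N1-N4, O1-O24; headers and the
# "Running processes" block do not match this and are ignored.
HJT_ITEM = re.compile(r"^([RFNO]\d{1,2}) - ")


def hjt_items(log: str) -> set[str]:
    """The set of numbered item lines in a HijackThis log."""
    return {ln.strip() for ln in log.splitlines() if HJT_ITEM.match(ln.strip())}


def diff_hjt(baseline: str, post: str) -> tuple[list[str], list[str]]:
    """(added, removed) item lines relative to the baseline, sorted for stable output."""
    before, after = hjt_items(baseline), hjt_items(post)
    return sorted(after - before), sorted(before - after)


# TCPView rows from C02 (Firefox on the spyware sites) and C07 (Firefox, later),
# trimmed to the rows that matter for the comparison.
TCPVIEW_C02 = """
svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENING
firefox.exe:672 TCP vmware-afi1cid5:1028 localhost:1029 ESTABLISHED
firefox.exe:672 TCP vmware-afi1cid5:1065 66.70.68.147:http ESTABLISHED
System:8 TCP vmware-afi1cid5:1080 cdn.fastclick.net:http TIME_WAIT
System:8 TCP vmware-afi1cid5:1093 cdn.fastclick.net:http TIME_WAIT
lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*
"""
TCPVIEW_C07 = """
firefox.exe:672 TCP vmware-afi1cid5:1028 localhost:1029 ESTABLISHED
firefox.exe:672 TCP vmware-afi1cid5:1065 66.70.68.147:http ESTABLISHED
firefox.exe:672 TCP vmware-afi1cid5:1133 cdn.fastclick.net:http ESTABLISHED
firefox.exe:672 TCP vmware-afi1cid5:1148 208.53.131.181:http ESTABLISHED
firefox.exe:672 TCP vmware-afi1cid5:1169 208.53.131.181:http ESTABLISHED
System:8 UDP vmware-afi1cid5:netbios-ns *:*
"""
LOCAL_HOSTS = {"localhost", "127.0.0.1", "vmware-afi1cid5"}  # the lab VM's own names (assumed)

# process:pid  proto  local  remote  [state]  -- UDP rows carry no state column
TCPVIEW_ROW = re.compile(r"^(\S+):(\d+)\s+(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


@dataclass(frozen=True)
class Endpoint:
    process: str  # e.g. "firefox.exe:672"
    proto: str
    local: str
    remote: str
    state: str


def parse_tcpview(text: str) -> list[Endpoint]:
    rows = []
    for ln in text.splitlines():
        m = TCPVIEW_ROW.match(ln.strip())
        if m:
            name, pid, proto, local, remote, state = m.groups()
            rows.append(Endpoint(f"{name}:{pid}", proto, local, remote, state or ""))
    return rows


def remote_peers(text: str) -> set[tuple[str, str]]:
    """(process, remote host) pairs for TCP sockets that talk off-box: no listeners, no loopback."""
    pairs = set()
    for e in parse_tcpview(text):
        if e.proto != "TCP" or e.state == "LISTENING":
            continue
        host = e.remote.rsplit(":", 1)[0]
        if host not in LOCAL_HOSTS:
            pairs.add((e.process, host))
    return pairs


def new_peers(baseline: str, post: str) -> set[tuple[str, str]]:
    return remote_peers(post) - remote_peers(baseline)


if __name__ == "__main__":
    added, removed = diff_hjt(HJT_BASELINE, HJT_FIREFOX)
    print("HijackThis items added since baseline:", *added, sep="\n  ")
    print("HijackThis items removed:", removed)
    for proc, host in sorted(new_peers(TCPVIEW_C02, TCPVIEW_C07)):
        print(f"new remote peer: {proc} -> {host}")
```

Treating each tool's output as a set and diffing it is the whole point of the Baseline: a screen that "looks the same" is easy to misjudge by eye, while a set difference either is or is not empty. The same approach applies to the Autoruns and Process Explorer listings in the appendix once their rows are parsed.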
Page 7 of 46
Appendix
Page 8 of 46
Baseline
B01.AutoRuns Baseline (Startup Programs)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  + VMware Tools  VMwareTray  (Not verified) VMware, Inc.  c:\program files\vmware\vmware tools\vmwaretray.exe
  + VMware User Process  VMwareUser  (Not verified) VMware, Inc.  c:\program files\vmware\vmware tools\vmwareuser.exe
HKLM\System\CurrentControlSet\Services
  + VMTools  Provides support for synchronizing objects between the host and guest operating systems.  (Not verified) VMware, Inc.  c:\program files\vmware\vmware tools\vmwareservice.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  + Display Panning CPL Extension  File not found: deskpan.dll
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  + DllDirectory  c:\winnt\system32
HKCU\Control Panel\Desktop\Scrnsave.exe
  + (NONE)  File not found: (NONE)
Page 9 of 46
B02.Current Installed Programs Baseline
[screenshot not reproduced in this extract]
The above illustrates the programs that were initially installed, before any malicious activity ensued.
Page 10 of 46
B03.Processes.Baseline
[screenshot not reproduced in this extract]
Page 11 of 46
B04.Hijack This Baseline (Registry, for hacker activity)
Logfile of HijackThis v1.99.1
Scan saved at 8:57:33 PM, on 9/6/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINNT\Explorer.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
E:\VMware\Shared\autoruns.exe
C:\WINNT\System32\taskmgr.exe
E:\VMware\Shared\HijackThis.exe

O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
Page 12 of 46
B05.TCPView.Baseline (Data Error Capturing Data)
[capture garbled; no readable TCPView output was recorded for the baseline]
Page 13 of 46
B06.TDIMon.Baseline.txt (Tcp/Udp activity)
1   0.00000000  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
2   0.00031121  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
3   0.00038301  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
4   0.00047688  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
5   0.00051263  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
6   0.00056627  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
7   0.00059505  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
8   0.00062019  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
9   0.00064813  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
10  0.00069310  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
11  0.00071741  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
12  0.00074171  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
13  0.00077496  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
14  0.00115881  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
15  0.00119652  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
16  0.00124792  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
17  0.00130464  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
18  0.00133872  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
19  0.00138928  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
20  0.00141526  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
21  0.00143985  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
22  0.00146443  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
23  0.00149516  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
24  0.00151947  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
25  0.00154377  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
26  0.00157394  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
27  0.00183347  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
28  0.00186979  VMwareService.e:  8144AB28  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
29  0.00195164  VMwareService.e:  81375668  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
Page 14 of 46
B07.Rootkit Revealer Baseline (blank page, no rootkit found)
The Rootkit Revealer output above is blank because no rootkits were found. There remains a possibility that rootkits are installed which Rootkit Revealer did not detect.
Page 15 of 46
B08.Spybot Baseline (Spyware Remover)
[screenshot not reproduced in this extract]
Page 16 of 46
B09.Process Explorer.Baseline.txt
Process              PID   CPU     Description                                      Company Name
System Idle Process  0     100.00
Interrupts           n/a           Hardware Interrupts
DPCs                 n/a           Deferred Procedure Calls
System               8
smss.exe             140           Windows NT Session Manager                       Microsoft Corporation
csrss.exe            164           Client Server Runtime Process                    Microsoft Corporation
winlogon.exe         184           Windows NT Logon Application                     Microsoft Corporation
services.exe         212           Services and Controller app                      Microsoft Corporation
svchost.exe          384           Generic Host Process for Win32 Services          Microsoft Corporation
SPOOLSV.EXE          416           Spooler SubSystem App                            Microsoft Corporation
svchost.exe          460           Generic Host Process for Win32 Services          Microsoft Corporation
regsvc.exe           496           Remote Registry Service                          Microsoft Corporation
mstask.exe           520           Task Scheduler Engine                            Microsoft Corporation
VMwareService.e      580           VMware Tools Service                             VMware, Inc.
lsass.exe            224           LSA Executable and Server DLL (Export Version)   Microsoft Corporation
taskmgr.exe          692           Windows TaskManager                              Microsoft Corporation
explorer.exe         704           Windows Explorer                                 Microsoft Corporation
VMwareTray.exe       760           VMwareTray                                       VMware, Inc.
VMwareUser.exe       780           VMwareUser                                       VMware, Inc.
autoruns.exe         844           Autostart program viewer                         Sysinternals - www.sysinternals.com
HijackThis.exe       852           HijackThis                                       Soeperman Enterprises Ltd.
firefox.exe          672           Firefox                                          Mozilla
procexp.exe          840           Sysinternals Process Explorer                    Sysinternals

Process: Procexp Pid: -2
Type Name
Page 17 of 46
B10.RegMon.Baseline.txt (Applications accessing Registry)
1   1.96351099  Regmon.exe:836  OpenKey     HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  SUCCESS  Access: 0x20019
2   1.96390235  Regmon.exe:836  QueryValue  HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma  NOT FOUND
3   1.96415102  Regmon.exe:836  CloseKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes  SUCCESS
4   2.03640127  Regmon.exe:836  OpenKey     HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  NOT FOUND
5   2.03652668  Regmon.exe:836  OpenKey     HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  SUCCESS  Access: 0x1
6   2.03655314  Regmon.exe:836  QueryValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood  NOT FOUND
7   2.03659463  Regmon.exe:836  CloseKey    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  SUCCESS
8   2.03663611  Regmon.exe:836  OpenKey     HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  NOT FOUND
9   2.03666997  Regmon.exe:836  OpenKey     HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  SUCCESS  Access: 0x1
10  2.03669119  Regmon.exe:836  QueryValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon  NOT FOUND
11  2.03671908  Regmon.exe:836  CloseKey    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  SUCCESS
12  2.03681421  Regmon.exe:836  OpenKey     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Regmon.exe  NOT FOUND
13  2.03692174  Regmon.exe:836  OpenKey     HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  NOT FOUND
14  2.03695560  Regmon.exe:836  OpenKey     HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  SUCCESS  Access: 0x1
15  2.03697419  Regmon.exe:836  QueryValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups  NOT FOUND
16  2.03700423  Regmon.exe:836  CloseKey    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  SUCCESS
17  2.03710175  Regmon.exe:836  OpenKey     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}  NOT FOUND
18  2.03732586  Regmon.exe:836  QueryKey    HKCU\CLSID  SUCCESS  Name: \REGISTRY\USER\S-1-5-21-484763869-1085031214-839522115-500_Classes\CLSID
19  2.03746939  Regmon.exe:836  OpenKey     HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32  NOT FOUND
20  2.03754115  Regmon.exe:836  OpenKey     HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32  SUCCESS  Access: 0x2000000
21  2.03766656  Regmon.exe:836  QueryKey    HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32  SUCCESS  Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32
22  2.03777146  Regmon.exe:836  OpenKey     HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32  NOT FOUND
23  2.03802896  Regmon.exe:836  QueryValue  HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)  SUCCESS  "%SystemRoot%\system32\shell32.dll"
24  2.03806305  Regmon.exe:836  QueryKey    HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32  SUCCESS  Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32
25  2.03811383  Regmon.exe:836  OpenKey     HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32  NOT FOUND
26  2.03813267  Regmon.exe:836  QueryValue  HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\LoadWithoutCOM  NOT FOUND
27  2.03817320  Regmon.exe:836  CloseKey    HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32  SUCCESS
28  2.03824568  Regmon.exe:836  OpenKey     HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  NOT FOUND
29  2.03828311  Regmon.exe:836  OpenKey     HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  SUCCESS  Access: 0x1
30  2.03830242  Regmon.exe:836  QueryValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders  NOT FOUND
31  2.03833055  Regmon.exe:836  CloseKey    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  SUCCESS
Page 18 of 46
B11.Add-Remove Programs Baseline
[screenshot not reproduced in this extract]
Page 19 of 46
Post-Baseline Firefox
C01.TCPView Firefox Google (Data Error Capturing Data)
[capture garbled; no readable TCPView output was recorded for this step]
Page 20 of 46
C02.TCPView Firefox Spyware Sites.txt
svchost.exe:384   TCP  vmware-afi1cid5:epmap         vmware-afi1cid5:0       LISTENING
System:8          TCP  vmware-afi1cid5:microsoft-ds  vmware-afi1cid5:0       LISTENING
mstask.exe:520    TCP  vmware-afi1cid5:1025          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1029          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1065          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1028          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1028          localhost:1029          ESTABLISHED
firefox.exe:672   TCP  vmware-afi1cid5:1029          localhost:1028          ESTABLISHED
System:8          TCP  vmware-afi1cid5:netbios-ssn   vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1065          66.70.68.147:http       ESTABLISHED
System:8          TCP  vmware-afi1cid5:1080          cdn.fastclick.net:http  TIME_WAIT
System:8          TCP  vmware-afi1cid5:1093          cdn.fastclick.net:http  TIME_WAIT
System:8          TCP  vmware-afi1cid5:1099          cdn.fastclick.net:http  TIME_WAIT
System:8          TCP  vmware-afi1cid5:1111          cdn.fastclick.net:http  TIME_WAIT
firefox.exe:672   TCP  vmware-afi1cid5:1123          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1123          66.70.68.147:http       ESTABLISHED
svchost.exe:384   UDP  vmware-afi1cid5:epmap         *:*
System:8          UDP  vmware-afi1cid5:microsoft-ds  *:*
services.exe:212  UDP  vmware-afi1cid5:1026          *:*
System:8          UDP  vmware-afi1cid5:netbios-ns    *:*
System:8          UDP  vmware-afi1cid5:netbios-dgm   *:*
lsass.exe:224     UDP  vmware-afi1cid5:isakmp        *:*
Page 21 of 46
C03.Autoruns.Firefox.post-Baseline.txt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  + VMware Tools  VMwareTray  (Not verified) VMware, Inc.  c:\program files\vmware\vmware tools\vmwaretray.exe
  + VMware User Process  VMwareUser  (Not verified) VMware, Inc.  c:\program files\vmware\vmware tools\vmwareuser.exe
HKLM\System\CurrentControlSet\Services
  + VMTools  Provides support for synchronizing objects between the host and guest operating systems.  (Not verified) VMware, Inc.  c:\program files\vmware\vmware tools\vmwareservice.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  + Display Panning CPL Extension  File not found: deskpan.dll
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  + DllDirectory  c:\winnt\system32
HKCU\Control Panel\Desktop\Scrnsave.exe
  + (NONE)  File not found: (NONE)
Page 22 of 46
C04.Currently Installed Programs Firefox Post-Baseline
[screenshot not reproduced in this extract]
Page 23 of 46
C05.Processes Firefox Post-Baseline
[screenshot not reproduced in this extract]
Page 24 of 46
C06.Hijack This Firefox Post-Baseline.txt
Logfile of HijackThis v1.99.1
Scan saved at 8:12:51 PM, on 9/13/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINNT\Explorer.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\VMware\Shared\Tcpview.exe
E:\VMware\Shared\autoruns.exe
E:\VMware\Shared\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.qsrch.com/
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe

The above illustrates a clean system.
Page 25 of 46
C07.TCPView Firefox Post-Baseline.txt
svchost.exe:384   TCP  vmware-afi1cid5:epmap         vmware-afi1cid5:0       LISTENING
System:8          TCP  vmware-afi1cid5:microsoft-ds  vmware-afi1cid5:0       LISTENING
mstask.exe:520    TCP  vmware-afi1cid5:1025          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1029          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1065          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1123          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1133          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1148          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1028          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1028          localhost:1029          ESTABLISHED
firefox.exe:672   TCP  vmware-afi1cid5:1029          localhost:1028          ESTABLISHED
System:8          TCP  vmware-afi1cid5:netbios-ssn   vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1065          66.70.68.147:http       ESTABLISHED
firefox.exe:672   TCP  vmware-afi1cid5:1123          66.70.68.147:http       ESTABLISHED
firefox.exe:672   TCP  vmware-afi1cid5:1133          cdn.fastclick.net:http  ESTABLISHED
firefox.exe:672   TCP  vmware-afi1cid5:1148          208.53.131.181:http     ESTABLISHED
firefox.exe:672   TCP  vmware-afi1cid5:1169          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1169          208.53.131.181:http     ESTABLISHED
firefox.exe:672   TCP  vmware-afi1cid5:1170          vmware-afi1cid5:0       LISTENING
firefox.exe:672   TCP  vmware-afi1cid5:1170          208.53.131.181:http     ESTABLISHED
svchost.exe:384   UDP  vmware-afi1cid5:epmap         *:*
System:8          UDP  vmware-afi1cid5:microsoft-ds  *:*
services.exe:212  UDP  vmware-afi1cid5:1026          *:*
System:8          UDP  vmware-afi1cid5:netbios-ns    *:*
System:8          UDP  vmware-afi1cid5:netbios-dgm   *:*
lsass.exe:224     UDP  vmware-afi1cid5:isakmp        *:*
Page 26 of 46
C08.TDIMon.Firefox.Post-Baseline.txt
1   0.00000000  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
2   0.00031568  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
3   0.00036429  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
4   0.25002870  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
5   0.25010553  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
6   0.25028069  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
7   0.25033936  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
8   0.25038517  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
9   0.25045306  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
10  0.25049022  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
11  0.25052430  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
12  0.25055782  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
13  0.25061593  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
14  0.25064890  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
15  0.25068186  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
16  0.25072544  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
17  0.25118332  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
18  0.25123221  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
19  0.25129646  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
20  0.25134787  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
21  0.25139201  VMwareService.e:  81481928  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
22  0.25145710  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
23  0.25149118  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
24  0.25152498  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
25  0.25155851  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
26  0.25159762  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
27  0.25163030  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
28  0.25166355  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
29  0.25170378  VMwareService.e:  814065E8  IRP_MJ_DEVICE_CONTROL  TCP:<none>  SUCCESS  IOCTL_TCP_QUERY_INFORMATION_EX
Page 27 of 46

C09.Rootkit Revealer Firefox Post-Baseline.txt (blank page, no rootkit found)

-Intentionally left blank, because no rootkit was found-
Page 28 of 46

C10.Process.Explorer.Firefox.Post-line.txt

Process  PID  CPU  Description  Company Name
System Idle Process  0  96.88
Interrupts  n/a  Hardware Interrupts
DPCs  n/a  Deferred Procedure Calls
System  8
smss.exe  140  Windows NT Session Manager  Microsoft Corporation
csrss.exe  164  Client Server Runtime Process  Microsoft Corporation
winlogon.exe  184  1.56  Windows NT Logon Application  Microsoft Corporation
services.exe  212  Services and Controller app  Microsoft Corporation
svchost.exe  384  Generic Host Process for Win32 Services  Microsoft Corporation
SPOOLSV.EXE  416  Spooler SubSystem App  Microsoft Corporation
svchost.exe  460  Generic Host Process for Win32 Services  Microsoft Corporation
regsvc.exe  496  Remote Registry Service  Microsoft Corporation
mstask.exe  520  Task Scheduler Engine  Microsoft Corporation
VMwareService.e  580  VMware Tools Service  VMware, Inc.
lsass.exe  224  LSA Executable and Server DLL (Export Version)  Microsoft Corporation
explorer.exe  704  Windows Explorer  Microsoft Corporation
VMwareTray.exe  760  VMwareTray  VMware, Inc.
VMwareUser.exe  780  VMwareUser  VMware, Inc.
Tcpview.exe  500  1.56  TCP/UDP endpoint viewer  Sysinternals
firefox.exe  288  Firefox  Mozilla
procexp.exe  572  Sysinternals Process Explorer  Sysinternals

Process: Procexp  Pid: -2
Type  Name
Page 29 of 46

Post-Baseline IE

D01.TCPView.IE.Google.txt

Process  Protocol  Local Address  Remote Address  State
svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENING
System:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENING
mstask.exe:520 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENING
System:8 TCP vmware-afi1cid5:1199 localhost:1198 TIME_WAIT
System:8 TCP vmware-afi1cid5:netbios-ssn vmware-afi1cid5:0 LISTENING
svchost.exe:384 UDP vmware-afi1cid5:epmap *:*
System:8 UDP vmware-afi1cid5:microsoft-ds *:*
services.exe:212 UDP vmware-afi1cid5:1026 *:*
System:8 UDP vmware-afi1cid5:netbios-ns *:*
System:8 UDP vmware-afi1cid5:netbios-dgm *:*
lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*
IEXPLORE.EXE:836 UDP vmware-afi1cid5:1223 *:*
Page 30 of 46

D02.TCPView.IE.Spyware.Sites.txt

Process  Protocol  Local Address  Remote Address  State
svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENING
System:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENING
mstask.exe:504 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENING
istsvc.exe:892 TCP vmware-afi1cid5:1204 vmware-afi1cid5:0 LISTENING
System:8 TCP vmware-afi1cid5:netbios-ssn vmware-afi1cid5:0 LISTENING
istsvc.exe:892 TCP vmware-afi1cid5:1204 216.127.33.119:http CLOSE_WAIT
svchost.exe:384 UDP vmware-afi1cid5:epmap *:*
System:8 UDP vmware-afi1cid5:microsoft-ds *:*
services.exe:212 UDP vmware-afi1cid5:1026 *:*
System:8 UDP vmware-afi1cid5:netbios-ns *:*
System:8 UDP vmware-afi1cid5:netbios-dgm *:*
lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*

The program istsvc.exe is new since the baseline and indicates possible unauthorized activity.
Page 31 of 46

D03Autoruns.IE.Post-Baseline.txt (Startup Spyware)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ BullsEye Network  c:\program files\bullseye network\bin\bargains.exe
+ Internet Optimizer  c:\program files\internet optimizer\optimize.exe
+ IST Service  c:\program files\istsvc\istsvc.exe
+ Power Scan  PowerScan v1.1  c:\program files\power scan\powerscan.exe
+ SurfAccuracy  c:\program files\surfaccuracy\sacc.exe
+ ugclljcm  c:\winnt\system32\ugclljcm.exe
+ VMware Tools  VMwareTray  (Not verified) VMware, Inc.  c:\program files\vmware\vmware tools\vmwaretray.exe
+ VMware User Process  VMwareUser  (Not verified) VMware, Inc.  c:\program files\vmware\vmware tools\vmwareuser.exe
+ Z9GwE  c:\winnt\flswcpje.exe

HKLM\System\CurrentControlSet\Services
+ VMTools  Provides support for synchronizing objects between the host and guest operating systems.  (Not verified) VMware, Inc.  c:\program files\vmware\vmware tools\vmwareservice.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Display Panning CPL Extension  File not found: deskpan.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ ADP UrlCatcher Class  ADP Module  (Not verified) eXact Advertising  c:\winnt\system32\msbe.dll
+ BAHelper Class  BrowserHelperObject Module  c:\program files\sidefind\sfbho.dll
+ BHObj Class  DyFuCA_BH Module  c:\winnt\nem220.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ (entry name unreadable in the captured output)  YourSiteBar  c:\program files\yoursitebar\ysb.dll

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ DllDirectory  c:\winnt\system32

HKCU\Control Panel\Desktop\Scrnsave.exe
+ (NONE)  File not found: (NONE)

At the start of this test the only authorized installed programs were Mozilla Firefox, Spybot, and VMware Tools; all other activity is unauthorized. This means that every other program shown above was installed without the user's authorization.
Page 32 of 46

D04.Currently Installed Programs IE post-Baseline.bmp (Spyware)

At the start of this test the only authorized installed programs were Mozilla Firefox, Spybot, and VMware Tools; all other activity is unauthorized. This means that every other program shown above was installed without the user's authorization. For example, ISTsvc is a new program that indicates possible malicious or unauthorized activity.
Page 34 of 46

D05.Processes IE Post-Baseline.bmp

At the start of this test the only authorized installed programs were Mozilla Firefox, Spybot, and VMware Tools; all other activity is unauthorized. This means that every other program shown above was installed without the user's authorization. Istsvc.exe, flswcpje.exe and SAcc.exe are examples of processes shown above that were installed without the user's authorization.
Page 35 of 46

D06.Hijack This IE Post Baseline.txt

Logfile of HijackThis v1.99.1
Scan saved at 8:50:12 PM, on 9/13/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINNT\Explorer.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\flswcpje.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINNT\System32\ugclljcm.exe
E:\VMwareShared\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.qsrch.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Z9GwE] C:\WINNT\flswcpje.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ugclljcm] C:\WINNT\System32\ugclljcm.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
Page 36 of 46

D07.TCPView IE Post Baseline.txt (missing screen shot)

-Intentionally left blank. Missing screen shot-
Page 37 of 46

D08.TDIMon IE Post Baseline.txt

1 0.00000000 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
2 0.00025841 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
3 0.00030786 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
4 0.51670785 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
5 0.51678412 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
6 0.51692408 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
7 0.51698079 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
8 0.51702688 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
9 0.51709924 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
10 0.51713668 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
11 0.51717132 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
12 0.51720512 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
13 0.51727273 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
14 0.51730653 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
15 0.51734033 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
16 0.51738447 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
17 0.51781134 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
18 0.51786079 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
19 0.51792476 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
20 0.51797561 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
21 0.51802031 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
22 0.51808400 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
23 0.51811864 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
24 0.51815301 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
25 0.51818681 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
26 0.51822732 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX

Page 38 of 46

27 0.51826000 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
28 0.51829381 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
29 0.51833515 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
Page 39 of 46

D09.Rootkit Revealer IE Post-Baseline.txt (blank page, no rootkit found)

-Intentionally left blank. Missing screen shot-
Page 40 of 46

D10.Process Explorer IE Post-Baseline.txt

Process  PID  CPU  Description  Company Name
System Idle Process  0  100.00
Interrupts  n/a  Hardware Interrupts
DPCs  n/a  Deferred Procedure Calls
System  8
smss.exe  140  Windows NT Session Manager  Microsoft Corporation
csrss.exe  164  Client Server Runtime Process  Microsoft Corporation
winlogon.exe  184  Windows NT Logon Application  Microsoft Corporation
services.exe  212  Services and Controller app  Microsoft Corporation
svchost.exe  384  Generic Host Process for Win32 Services  Microsoft Corporation
SPOOLSV.EXE  412  Spooler SubSystem App  Microsoft Corporation
svchost.exe  444  Generic Host Process for Win32 Services  Microsoft Corporation
regsvc.exe  484  Remote Registry Service  Microsoft Corporation
mstask.exe  504  Task Scheduler Engine  Microsoft Corporation
VMwareService.e  572  VMware Tools Service  VMware, Inc.
lsass.exe  224  LSA Executable and Server DLL (Export Version)  Microsoft Corporation
explorer.exe  712  Windows Explorer  Microsoft Corporation
VMwareTray.exe  760  VMwareTray  VMware, Inc.
VMwareUser.exe  780  VMwareUser  VMware, Inc.
procexp.exe  640  Sysinternals Process Explorer  Sysinternals
istsvc.exe  892
flswcpje.exe  908
SAcc.exe  940
optimize.exe  1000
bargains.exe  1096
ugclljcm.exe  972

Process: Procexp  Pid: -2
Type  Name

At the start of this test the only authorized installed programs were Mozilla Firefox, Spybot, and VMware Tools; all other activity is unauthorized. This means that every other program shown above was installed without the user's authorization. The listing above shows the unauthorized processes.
Page 41 of 46

D11.RegMon IE Post-Baseline.txt

1 0.97014344 istsvc.exe:892 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0x2
2 0.97070354 istsvc.exe:892 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IST Service SUCCESS "C:\Program Files\ISTsvc\istsvc.exe"
3 0.97090244 istsvc.exe:892 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
4 0.97159195 istsvc.exe:892 QueryValue HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\EnableAutodial SUCCESS 0x0
5 1.00403678 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
6 1.00424612 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
7 1.00429749 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood NOT FOUND
8 1.00463104 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
9 1.00468636 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
10 1.00473380 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
11 1.00476038 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon NOT FOUND
12 1.00479865 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
13 1.00492191 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Regmon.exe NOT FOUND
14 1.00502610 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND

Page 42 of 46

15 1.00507104 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
16 1.00509703 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups NOT FOUND
17 1.00513446 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
18 1.00523674 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} NOT FOUND
19 1.00554395 Regmon.exe:1100 QueryKey HKCU\CLSID SUCCESS Name: \REGISTRY\USER\S-1-5-21-484763869-1085031214-839522115-500_Classes\CLSID
20 1.00571191 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 NOT FOUND
21 1.00576580 Regmon.exe:1100 OpenKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Access: 0x2000000
22 1.00579965 Regmon.exe:1100 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32
23 1.00587201 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND
24 1.00593376 Regmon.exe:1100 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default) SUCCESS "%SystemRoot%\system32\shell32.dll"
25 1.00597394 Regmon.exe:1100 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32
26 1.00603235 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND
27 1.00605774 Regmon.exe:1100 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\LoadWithoutCOM NOT FOUND
28 1.00609851 Regmon.exe:1100 CloseKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS
29 1.00617003 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND

Page 43 of 46

30 1.00621557 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
31 1.00624526 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders NOT FOUND
32 1.00628102 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
33 1.00632870 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
34 1.00637233 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
35 1.00644696 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel NOT FOUND
36 1.00648320 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
37 1.00692403 Regmon.exe:1100 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x1
38 1.00698912 Regmon.exe:1100 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\AdditionalBaseNamedObjectsProtectionMode NOT FOUND
39 1.00702739 Regmon.exe:1100 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS
40 1.00717628 Regmon.exe:1100 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x20019
41 1.00722098 Regmon.exe:1100 QueryValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout SUCCESS 0x278D00
42 1.00725758 Regmon.exe:1100 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS
43 1.00805521 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOT FOUND
44 1.00809801 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra NOT FOUND

Page 44 of 46

45 1.00841975 Regmon.exe:1100 QueryKey HKCU SUCCESS Name: \REGISTRY\USER\S-1-5-21-484763869-1085031214-839522115-500_Classes
46 1.00846565 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 NOT FOUND
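The two comparisons this appendix rests on, as an added example that is not part of the original lab report: diffing the post-test TCPView capture (D02) against the baseline (D01) to surface istsvc.exe, and scanning the RegMon trace (D11) for the Run-key write that gives it persistence. The sample lines are constructed in the format of the report's own tool output, and the authorized executable names are an assumption drawn from the report's stated initial conditions.

```python
"""Added example (not from the lab report): diff a post-test TCPView listing
against the baseline, flag processes outside the authorized set, and pull
Run-key writes out of a RegMon trace. Sample lines below are constructed in
the format of the report's TCPView/RegMon output; authorized names are assumed."""
import re
# Authorized at the start of the test: Firefox, Spybot, VMware Tools
# (assumed executable names, lower-cased for comparison).
AUTHORIZED = {"firefox.exe", "spybotsd.exe", "vmwareservice.exe",
              "vmwaretray.exe", "vmwareuser.exe"}

TCPVIEW_BASELINE = """\
svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENING
System:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENING
mstask.exe:520 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENING
lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*
"""

TCPVIEW_POST = """\
svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENING
System:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENING
mstask.exe:504 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENING
istsvc.exe:892 TCP vmware-afi1cid5:1204 vmware-afi1cid5:0 LISTENING
istsvc.exe:892 TCP vmware-afi1cid5:1204 216.127.33.119:http CLOSE_WAIT
lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*
"""

REGMON = r"""
1 0.97014344 istsvc.exe:892 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0x2
2 0.97070354 istsvc.exe:892 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IST Service SUCCESS "C:\Program Files\ISTsvc\istsvc.exe"
3 0.97090244 istsvc.exe:892 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
4 0.97159195 istsvc.exe:892 QueryValue HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\EnableAutodial SUCCESS 0x0
"""

def parse_tcpview(text):
    """One dict per TCPView row; UDP rows have no state column, so state is None."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        proc, _, pid = parts[0].rpartition(":")
        rows.append({"process": proc, "pid": int(pid), "proto": parts[1],
                     "local": parts[2], "remote": parts[3],
                     "state": parts[4] if len(parts) > 4 else None})
    return rows

def _endpoint_key(row):
    # PIDs are left out on purpose: a reboot renumbers them (mstask.exe is 520
    # in one capture and 504 in the next), so keying on PID would make every
    # unchanged service look new.
    local_port = row["local"].rpartition(":")[2]
    return (row["process"].lower(), row["proto"], local_port,
            row["remote"], row["state"])

def new_endpoints(baseline_text, post_text):
    """Rows of the post-test capture whose endpoint is absent from the baseline."""
    seen = {_endpoint_key(r) for r in parse_tcpview(baseline_text)}
    return [r for r in parse_tcpview(post_text) if _endpoint_key(r) not in seen]

def unauthorized_processes(baseline_text, post_text):
    """Process names behind the new endpoints that are not in the authorized set."""
    return sorted({r["process"].lower() for r in new_endpoints(baseline_text, post_text)
                   if r["process"].lower() not in AUTHORIZED})

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def run_key_writes(regmon_text):
    """(process, value name, data) for each successful SetValue under Run/RunOnce."""
    hits = []
    for line in regmon_text.splitlines():
        parts = line.split(None, 4)  # seq, time, process:pid, request, rest
        if len(parts) < 5 or parts[3] != "SetValue":
            continue
        path, sep, data = parts[4].partition(" SUCCESS ")
        if not sep or not RUN_KEY.search(path):
            continue
        hits.append((parts[2].rpartition(":")[0],
                     path.rsplit("\\", 1)[1], data.strip().strip('"')))
    return hits

if __name__ == "__main__":
    print("unauthorized:", unauthorized_processes(TCPVIEW_BASELINE, TCPVIEW_POST))
    print("Run-key writes:", run_key_writes(REGMON))
```

Because the endpoint key ignores PIDs, mstask.exe (520 in the baseline, 504 afterwards) is correctly treated as unchanged, while both istsvc.exe endpoints and its "IST Service" Run value are reported.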
Page 45 of 46

D12.Add-Remove Programs IE Post-Baseline.bmp (Malware)
Page 46 of 46

D13.Spybot IE Post-Baseline.bmp (unresolved Spyware)

Spybot couldn't eradicate the above unauthorized activity.
