Find A Windows Infection Quickly Part 2 - With Tools

This post is a follow-up to my previous post on spending the least amount of time finding out whether a Windows computer is infected, using methods that work on many typical viruses.

Process Explorer

This tool is like Ctrl+Alt+Delete on steroids, and the newest version can submit the hashes of running programs to VirusTotal for identification. To turn this on, go to View -> Select Columns and check the VirusTotal box, then go to Options -> VirusTotal.com -> Check VirusTotal.com and agree to the terms. You'll obviously also need an active internet connection. To find the badness, just look for a red rating in the VirusTotal column. Easy.

Autoruns

Autoruns uses the VirusTotal integration the same way Process Explorer does. To turn it on, go to Options -> Scan Options -> Check VirusTotal.com, then click Rescan. Known viruses should show up with a detection ratio higher than 0, and even when they aren't identified, they're often easy to find just from the ridiculous names or the red highlighting, as in the picture below of this sample.

Mandiant ShimCache (AppCompat Cache) Parser

This little tool has saved me TONS of time in investigations: it works easily over a network from the command line and quickly gives me a list of the executables that have been run and when. (Note that this method might not show infections that start with non-.exe files, such as Word document spam, if no new exes are used.) Sometimes the output dates can look a bit odd, but in general it helps to very quickly identify the time of infection, which lets you go back to other logs and put the incident back together.

To export your ShimCache (on Windows 7), open an Admin command prompt and type the following:

reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" shimcache.reg

Then copy that file to where you saved the Mandiant script and parse it with:

python shimcacheparser.py -o output.csv -r shimcache.reg

This produces output.csv, a file you should probably sort by date or folder name and then go through looking for odd executable names. Pay particular attention to the user's temporary, desktop, and download folders; these are generally where I find the infection. Typically someone downloads a spam exe, runs it from their desktop, and that drops something in AppData/Local/Temp. This should be obvious because there will be several entries from the same time with questionable names. Here's an example with ShopAtHome adware.

07/14/09 01:16:17 N/A C:\Program Files\Common Files\System\wab32.dll,N/A,False
07/14/09 01:15:38 N/A C:\Windows\System32\mf.dll,N/A,False
03/21/14 21:13:42 N/A C:\Program Files\Common Files\VMware\Drivers\vss\comreg.exe,N/A,True
03/21/14 20:22:54 N/A C:\Program Files\VMware\VMware Tools\TPVCGateway.exe,N/A,True
03/21/14 20:22:54 N/A C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe,N/A,True
07/14/09 01:14:29 N/A C:\Windows\system32\printui.exe,N/A,True
07/14/09 01:14:23 N/A C:\Windows\System32\mctadmin.exe,N/A,True
07/14/09 01:14:30 N/A C:\Windows\System32\regsvr32.exe,N/A,True
07/14/09 01:14:45 N/A C:\Program Files\Windows Mail\WinMail.exe,N/A,True
07/12/09 07:55:40 N/A c:\a8bae8b25b3310ea7c\install.exe,N/A,True
01/25/15 16:08:10 N/A C:\Users\IEUser\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\Exec.exe,N/A,True
01/25/15 16:08:36 N/A C:\Users\IEUser\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\ShopAtHomeHelperInstaller.exe,N/A,True
01/25/15 16:08:14 N/A C:\Users\IEUser\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\RibbonConfig.exe,N/A,False
08/14/14 13:08:10 N/A C:\Users\IEUser\AppData\Local\Temp\{7EAD7ED1-4F98-47EA-AF3E-1652458B1DFD}~setup\vcredist_x86.exe,N/A,True
08/14/14 13:08:01 N/A C:\Users\IEUser\AppData\Local\Temp\vmware-IEUser\00000265\setup.exe,N/A,True
07/14/09 01:14:28 N/A C:\Windows\System32\powercfg.exe,N/A,True
08/14/14 12:46:50 N/A C:\Users\IEUser\AppData\Local\Temp\upgrader.exe,N/A,True
08/14/14 12:46:50 N/A C:\Users\IEUser\AppData\Local\Temp\storePwd.exe,N/A,True
08/14/14 12:46:50 N/A C:\Users\IEUser\AppData\Local\Temp\unattend.cmd,N/A,False
07/14/09 01:14:23 N/A C:\Windows\system32\mcbuilder.exe,N/A,True
07/14/09 01:14:46 N/A C:\Windows\system32\winsat.exe,N/A,True
07/14/09 01:14:28 N/A C:\Windows\system32\oobe\oobeldr.exe,N/A,True
07/14/09 01:14:25 N/A C:\Windows\system32\oobe\msoobe.exe,N/A,True
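
As an added illustration (this is example code written for this post, not Mandiant's script), here is a small Python triage pass over ShimCacheParser output that does what the paragraph above describes by hand: it sorts the entries by date, flags anything that ran from a user-writable folder (Temp, Roaming AppData, Desktop, Downloads), and groups hits that fall within a short window of each other, since a dropper and its payloads usually show up as a burst of entries with the same timestamp. The column names and the MM/DD/YY timestamp format are assumed to match what the -o option writes; the sample CSV is constructed from the ShopAtHome listing above, with one N/A date added to show that unparseable dates are skipped rather than aborting the run, and the 60-second window is a tunable choice.

```python
import csv
import io
import re
import sys
from datetime import datetime, timedelta

# Timestamp format and column names are assumed to match ShimCacheParser's -o CSV output.
TIME_FMT = "%m/%d/%y %H:%M:%S"

# User-writable folders the post singles out: temp, Roaming AppData, desktop, downloads.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|AppData\\Roaming|Desktop|Downloads)\\",
    re.IGNORECASE,
)

# Constructed sample modeled on the ShopAtHome listing; not real parser output.
SAMPLE_CSV = """Last Modified,Last Update,Path,File Size,Exec Flag
07/14/09 01:14:30,N/A,C:\\Windows\\System32\\regsvr32.exe,N/A,True
07/14/09 01:14:45,N/A,C:\\Program Files\\Windows Mail\\WinMail.exe,N/A,True
03/21/14 20:22:54,N/A,C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe,N/A,True
01/25/15 16:08:10,N/A,C:\\Users\\IEUser\\AppData\\Roaming\\ShopAtHome\\ShopAtHomeHelper\\Exec.exe,N/A,True
01/25/15 16:08:14,N/A,C:\\Users\\IEUser\\AppData\\Roaming\\ShopAtHome\\ShopAtHomeHelper\\RibbonConfig.exe,N/A,False
01/25/15 16:08:36,N/A,C:\\Users\\IEUser\\AppData\\Roaming\\ShopAtHome\\ShopAtHomeToolbar\\ShopAtHomeHelperInstaller.exe,N/A,True
08/14/14 12:46:50,N/A,C:\\Users\\IEUser\\AppData\\Local\\Temp\\upgrader.exe,N/A,True
08/14/14 12:46:50,N/A,C:\\Users\\IEUser\\AppData\\Local\\Temp\\storePwd.exe,N/A,True
08/14/14 12:46:50,N/A,C:\\Users\\IEUser\\AppData\\Local\\Temp\\unattend.cmd,N/A,False
N/A,N/A,C:\\Windows\\System32\\mf.dll,N/A,False
"""


def parse_shimcache_csv(text):
    """Parse the CSV into dicts sorted by Last Modified; rows with odd dates are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            when = datetime.strptime(row["Last Modified"], TIME_FMT)
        except ValueError:
            continue  # the parser sometimes emits odd-looking dates; don't let one stop the run
        rows.append({"when": when, "path": row["Path"], "executed": row["Exec Flag"] == "True"})
    rows.sort(key=lambda r: r["when"])  # stable sort keeps file order for equal timestamps
    return rows


def in_user_writable_dir(path):
    """True if the path sits in one of the folders where user-run droppers usually land."""
    return USER_WRITABLE.search(path) is not None


def cluster_by_time(rows, window_seconds=60):
    """Group already-sorted rows into bursts: each row joins the current burst if it is
    within window_seconds of the previous row, otherwise it starts a new one."""
    clusters = []
    for row in rows:
        if clusters and row["when"] - clusters[-1][-1]["when"] <= timedelta(seconds=window_seconds):
            clusters[-1].append(row)
        else:
            clusters.append([row])
    return clusters


def triage(text, window_seconds=60):
    """Return the bursts worth a look, oldest first, as (first timestamp, [flagged paths])."""
    hits = []
    for group in cluster_by_time(parse_shimcache_csv(text), window_seconds):
        flagged = [r["path"] for r in group if in_user_writable_dir(r["path"])]
        if flagged:
            hits.append((group[0]["when"].strftime(TIME_FMT), flagged))
    return hits


if __name__ == "__main__":
    # Pass the path to output.csv as the first argument; with none, run on the embedded sample.
    text = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for when, paths in triage(text):
        print(when)
        for p in paths:
            print("    " + p)
```

On the embedded sample this prints two bursts, the three Temp files at 12:46:50 and the three ShopAtHome files around 16:08, and stays quiet about the System32 and Program Files entries. Treat the flagged bursts as the place to start reading, not as the whole answer; anything odd-looking outside those folders still deserves a glance.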

UserAssist

This tool queries the Windows registry for a list of executables that have been run through Explorer. It's an easy tool to run, and you can visually inspect the output: see anything odd here? Here's a real infection, with a sample I got from Payload Security.

Process Hacker

Similar to Process Explorer and good for the same things, but it has one feature I like more, which can highlight rogue processes very quickly. Close all your open apps, then in the View menu check "Hide Signed Processes"; doing this often leaves only the malicious executables in the list. (To do the same in Process Explorer, go to Options -> Verify Image Signatures and look at what isn't signed.) Here's an example with this malware.

Process Hacker also has the side benefit of coming with the most determined process killer you can find. To use it, right-click a process and click Miscellaneous -> Terminator. This feature will try increasingly crazy things, including writing garbage into memory, until something kills or crashes the program you pointed it at.

No Chance


Bonus Analysis Tip - Live Process Strings:

In Process Explorer right click a process and open up Properties and go to the strings tab. Or, in Process Hacker, right click the malicious process, select Properties, go to the Memory tab, click the Strings button, and click OK on the defaults. This will give you the strings from the running process in memory which almost always includes command and control addresses, this tells you what to block, as well as the callback contents or type. In the case of the malware above, you can see multiple IP addresses, as well as the fact that it's going to at least attempt an HTTP POST request, or something that looks like one. This gives you an easy network IOC that you can look for to ensure no one else has the same infection.