
Malware Discovery with XP Tools – Part 2

06/11/07

Permalink 09:22:32 am, by James Daugherty, 920 words
Categories: Malware Analysis, Systems Security Management


In my last post, I showed how to use sigverif to identify questionable files. In this post, I will go over identifying potential threats by examining startup items, scheduled tasks, user accounts, and the Windows hosts file. The goal so far has been to give you the ability to monitor the areas of your system where malware tends to "hide". These tools and methods should help you get familiar with what’s normal on your computer and what’s suspicious. Let’s first take a look at the Windows hosts file.

Hosts File

The Windows XP hosts file stores information on where to find a node on a computer network: the entries in the file resolve hostnames to IP addresses. It serves much the same purpose as DNS (Domain Name System), but unlike DNS it can be edited locally, and the resolver consults it before DNS. Malware will often write to the hosts file either to prevent you from resolving certain addresses or to make specific names resolve to a malicious site. In the first case, the malware author wants your antivirus software to stop getting updates, so the malware adds an entry that keeps the antivirus software from reaching the correct update server. In the second case, the malware adds an entry that resolves your bank's address to a fake server elsewhere on the internet. While it's important to know that the hosts file has legitimate uses, there are many ways a bad guy can abuse it.

Viewing the hosts file:

Click Start, then Run, and type:

Notepad.exe %SystemRoot%\system32\drivers\etc\hosts

Click OK.

The image illustrates what a normal hosts file in Windows XP should look like. Every line that begins with “#” is commented out – it is just a comment and is not used by Windows XP for resolution. The loopback address 127.0.0.1 is set for localhost, which is a reserved name meaning this computer.

Now that we have an idea of what a normal hosts file looks like, let’s take a look at a hosts file that has been edited or replaced by malware.


As you can see from the image, malware has changed the hosts file to resolve common antivirus company addresses to the localhost.
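To turn the two abuses described above (update servers blackholed to the loopback address, a bank name pointed at a fake server) into a repeatable check, here is a small hosts file auditor. It is an added example, not code from the original post; the hosts file content, the example-antivirus and example-bank names, and the 203.0.113.45 address are all constructed for the demonstration, and the only assumption about a clean XP hosts file is that localhost is its sole loopback entry.

```python
import ipaddress
import os
from typing import List, Tuple

# Only name that should legitimately map to the loopback address in a clean XP hosts file.
LOOPBACK_NAMES = {"localhost"}

# Constructed hosts file for this example (not taken from a real machine): a comment
# header, the normal localhost line, two update servers blackholed to 127.0.0.1 and
# a bank name pointed at a made-up "fake server" address.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# Comment lines are ignored by the resolver.
127.0.0.1       localhost
127.0.0.1       liveupdate.example-antivirus.com
127.0.0.1       download.example-antivirus.com
203.0.113.45    www.example-bank.com   # constructed hijack of a bank hostname
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()                    # "<ip> <name> [<alias> ...]"
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs

def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (reason, ip, hostname) for every entry a clean XP hosts file would not have."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", ip, name))
            continue
        if addr.is_loopback or addr.is_unspecified:
            if name not in LOOPBACK_NAMES:       # name silently resolves to this machine
                findings.append(("blackholed", ip, name))
        else:                                    # any other static mapping deserves a look
            findings.append(("redirected", ip, name))
    return findings

if __name__ == "__main__":
    # Audit the live file when run on Windows; fall back to the constructed sample elsewhere.
    path = os.path.expandvars(r"%SystemRoot%\system32\drivers\etc\hosts")
    text = open(path, encoding="ascii", errors="replace").read() if os.path.exists(path) else SAMPLE_HOSTS
    for reason, ip, name in audit_hosts(text):
        print(f"{reason:<10} {ip:<16} {name}")
```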

Now that we have seen what normal and malicious hosts files look like, let’s check other areas of the computer that you should be familiar with and that may help identify malware on your computer.


Scheduled Tasks

Microsoft says “With Scheduled Tasks, you can schedule any script, program, or document to run at a time that is most convenient for you.” Unfortunately, certain types of malware also create scheduled tasks once your system is infected. An example would be malware that takes screenshots or logs your keystrokes and then sends the captured data to a remote FTP server on a schedule. This is just another area where malware may hide, so here is where “schtasks” comes in.

Click Start, then Run, and type “cmd.exe”.

At the command prompt, type schtasks /query

As you can see, there is a scheduled task named “omgwt32”, which should look suspicious if you read “Malware Discovery with XP Tools – Part 1”. You can get a more verbose view of the task by typing “schtasks /query /v”. This also shows the path of the application the task is scheduled to run.


User Accounts

It is a good practice to know what user accounts exist on a system. Malware will sometimes add a user account with administrative privileges to the computer. An easy way to check for user accounts on a system is to use WMIC. WMIC is a command-line and scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through WMI. It is a very powerful little program that can provide you with a lot of information about a computer. It is definitely a tool worth exploring if you have not used it. Let’s use WMIC to view user account information.


Click Start, then Run, and type “cmd.exe”.

At the command prompt, type “wmic useraccount list brief” and hit Enter.

You should now see a list of the user accounts on the system. Keep in mind that there will be various accounts used by Windows services on your computer, such as ASPNET or HelpAssistant. A quick Google search for these account names should help you decide whether they are legitimate. If you do find a suspicious account on your computer, you can get even more information on the accounts by typing “wmic useraccount list full” at the command line.

Startup Items

Finally, let’s review the applications and scripts that are started when your computer boots. Malware needs to survive a reboot, and the most common way to do that is to use the locations in Windows that start a program when the operating system loads. To see what startup programs exist on the computer, I am going to use WMIC again.

Click Start, then Run, and type “cmd.exe”.

At the command prompt, type “wmic startup list” and hit Enter.
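The user account and startup item checks above both come down to the same question: what is on this machine now that was not there when it was known to be clean? The following added example (not code from the original post) parses the padded table that “wmic useraccount list brief” prints, using the header line to find the column offsets, and reports every Name not in a baseline recorded earlier. The sample rows, the XPBOX machine name, the SIDs and the baseline set are constructed for the example, and it is assumed that “wmic startup list brief” prints the same table layout so the same parser can be reused with a startup baseline.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the padded-table layout "wmic <alias> list brief" prints;
# the rows are made up for this example, not captured from a real machine.
_ROW = "{:<13}{:<21}{:<8}{:<10}{:<15}{}"
USERACCOUNT_SAMPLE = "\n".join(_ROW.format(*r) for r in [
    ("AccountType", "Caption", "Domain", "FullName", "Name", "SID"),
    ("512", "XPBOX\\Administrator", "XPBOX", "", "Administrator", "S-1-5-21-1-2-3-500"),
    ("512", "XPBOX\\Guest", "XPBOX", "", "Guest", "S-1-5-21-1-2-3-501"),
    ("512", "XPBOX\\HelpAssistant", "XPBOX", "", "HelpAssistant", "S-1-5-21-1-2-3-1000"),
    ("512", "XPBOX\\support", "XPBOX", "", "support", "S-1-5-21-1-2-3-1004"),
])

# Account names recorded from a known-clean install (constructed baseline for the example).
KNOWN_ACCOUNTS: Set[str] = {"Administrator", "Guest", "HelpAssistant", "ASPNET"}

def parse_wmic_table(text: str) -> List[Dict[str, str]]:
    """Split wmic's padded table into dicts, using the header's column offsets."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    starts = [start for _, start in cols] + [None]       # last column runs to end of line
    return [
        {name: row[starts[i]:starts[i + 1]].strip() for i, (name, _) in enumerate(cols)}
        for row in rows
    ]

def new_entries(current_output: str, baseline: Set[str], key: str = "Name") -> List[str]:
    """Return the values of `key` present now but absent from the known-good baseline."""
    return sorted(r[key] for r in parse_wmic_table(current_output) if r[key] not in baseline)

if __name__ == "__main__":
    # On a live XP box, feed the saved output of "wmic useraccount list brief"
    # (or of "wmic startup list brief" with a startup baseline) instead of the sample.
    for name in new_entries(USERACCOUNT_SAMPLE, KNOWN_ACCOUNTS):
        print("account not in baseline:", name)
```

When you redirect wmic output to a file with “>”, the file is written as UTF-16, so open it with that encoding before handing the text to parse_wmic_table.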

Hopefully at this point we have identified some important areas of your computer that you should be familiar with and monitor on a frequent basis. In Part 3 of this series, we will review processes, listeners, and locations.

Priveon, Inc.

Today's complex security and networking solutions require a great deal of knowledge to successfully support and operate. Priveon uses the field experience of its expert staff to develop and maintain a positive reinforcement loop between business practices and to provide the latest information to our customers. The information posted here is supported by Priveon subject-matter experts.
