myNetWatchman   KnowledgeBase
SecCheck, Text Report - Section by Section

General System Info

Tuesday, January 24, 2006 5:38:16 PM UTC / Tuesday, January 24, 2006 12:38:16 PM Eastern ...
Operating System: WinNT Version 5.1.2600 "Service Pack 2", Type 0x01, Suite 0x0100, ...
System Name: "XPPTEST2"
Last shutdown recorded in Registry: 1/24/2006 5:32:53 PM UTC
Install Date recorded in Registry: 5/26/2005 3:27:50 PM

Shows the system time, time zone, computer name, and Windows version as reported by the system. It is important to determine whether the system is Windows NT-based (NT/2000/XP/2003) or Win9x-based (95/98/ME): on the latter group, mapping network connection activity to a program name is NOT possible, so alternate tools may be necessary to identify hostile programs.
The last shutdown time and the install date recorded in the Registry are also shown.

Things to look for:
  • Latest service pack? We are seeing a disproportionately high percentage of infected XP systems that do not have the latest service pack. (And that service pack itself is going on 18 months old as of this writing. Make sure your systems are keeping themselves updated via Windows Update.)

    This is in part because XP Service Pack 2 was the first Microsoft release of their "consumer" version of Windows after their security push began with a well-publicized memo in early 2002. (Windows Server 2003 incorporated many changes that predate XP Service Pack 2 and Service Pack 1 for Windows 2003 was released last year.)

Process Token (NT-only)

Token SIDs: (9)
	S-1-5-21-X-Y-Z-1006 = 0x00000000
	S-1-5-21-X-Y-Z-513 = 0x00000007 = [token SID attributes]
	S-1-1-0 = 0x00000007 = [token SID attributes]
	S-1-5-21-X-Y-Z-1007 = 0x00000007 = [token SID attributes]
	S-1-5-32-545 = 0x00000007 = [token SID attributes]
	S-1-5-4 = 0x00000007 = [token SID attributes]
	S-1-5-11 = 0x00000007 = [token SID attributes]
	S-1-5-5-0-55646 = 0xc0000007 = [token SID attributes]
	S-1-2-0 = 0x00000007 = [token SID attributes]

Token privileges: (4)
	SeChangeNotifyPrivilege = 0x00000003 = [token privilege attributes]
	SeShutdownPrivilege = 0x00000000
	SeUndockPrivilege = 0x00000002 = [token privilege attributes]
	SeCreateGlobalPrivilege = 0x00000003 = [token privilege attributes]

Shows the groups and privileges in the token for the SecCheck process. In the example above, "X-Y-Z" represents subauthorities in the machine security identifier (SID).

Things to look for:
  • Running as Admin? The local Administrators group SID is S-1-5-32-544 (also known as "BUILTIN\Administrators"). The local Users group SID ("BUILTIN\Users") is S-1-5-32-545. (A caveat to this is the next point.) A list of well-known SIDs should be available here.

  • Restricted token? Tools such as DropMyRights and integrated systems such as Software Restriction Policies can start processes with a restricted token. In that case, you might see an entry in the Token SIDs section that looks like this:
    S-1-5-32-544 = 0x00000019 = Mandatory+Owner+Deny Only
    (The DropMyRights article has some background information on deny-only SIDs. This will become even more prevalent as NT 6.0 (a.k.a. "Vista") installs begin to proliferate. Restricted tokens were introduced with NT 5.0/Windows 2000.)

  • Beware of SeTcbPrivilege! The SeTcbPrivilege (seen in Security Policies as "Act as part of the operating system") is rarely, if ever, needed unless a program is running as a service. The SecCheck output shows its own process token; since it is being run interactively, one should NEVER see this privilege included in the token. It is usually an indication of a past or current infection -- this is a mistake that malware often makes during the initial infection of a system. We are also seeing some rootkits that are lying to programs with inconsistent or invalid token privileges.

  • Beware of other non-standard privileges. Similar to the privilege above, there are other privileges that one really should NEVER see included in the token of an interactive SecCheck process. The privileges listed in this MSDN reference are noted as dangerous; SeCreateTokenPrivilege is another one.
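The checks above can be applied mechanically to a "Process Token" section. The following is an added example (not part of SecCheck or this page) in Python: it decodes the SE_GROUP_* and SE_PRIVILEGE_* attribute words, reports whether the Administrators SID is real or Deny Only, and flags privileges that should never appear in an interactive token. SeDebugPrivilege in the suspect list is an assumption added here; the sample dump is constructed.

```python
import re

# SE_GROUP_* (SID) and SE_PRIVILEGE_* attribute bits from the Windows SDK headers.
SID_ATTR_FLAGS = [(0x1, "Mandatory"), (0x2, "EnabledByDefault"), (0x4, "Enabled"),
                  (0x8, "Owner"), (0x10, "DenyOnly"), (0xC0000000, "LogonId")]
PRIV_ATTR_FLAGS = [(0x1, "EnabledByDefault"), (0x2, "Enabled"),
                   (0x4, "Removed"), (0x80000000, "UsedForAccess")]
# SeTcbPrivilege and SeCreateTokenPrivilege come from the text; SeDebugPrivilege is an
# added assumption (it is also among the privileges MSDN describes as dangerous).
SUSPECT_PRIVS = {"SeTcbPrivilege", "SeCreateTokenPrivilege", "SeDebugPrivilege"}
ENTRY_RE = re.compile(r"^\s*(\S+)\s*=\s*0x([0-9A-Fa-f]{8})")

def decode_flags(value, table):
    """Names of every flag in table whose bits are all set in value."""
    return [name for bit, name in table if value & bit == bit]

def parse_token(text):
    """({sid: attrs}, {privilege: attrs}) from a SecCheck 'Process Token' section."""
    sids, privs, target = {}, {}, None
    for line in text.splitlines():
        if line.startswith("Token SIDs"):
            target = sids
        elif line.startswith("Token privileges"):
            target = privs
        elif target is not None and (m := ENTRY_RE.match(line)):
            target[m[1]] = int(m[2], 16)
    return sids, privs

def triage_token(text):
    """Apply the text's checks: Administrators membership, deny-only SID, suspect privileges."""
    sids, privs = parse_token(text)
    findings = []
    if "S-1-5-32-544" in sids:  # BUILTIN\Administrators
        flags = decode_flags(sids["S-1-5-32-544"], SID_ATTR_FLAGS)
        kind = ("restricted token (Administrators Deny Only)" if "DenyOnly" in flags
                else "running as Administrator")
        findings.append(f"{kind}: {'+'.join(flags)}")
    for name, attrs in sorted(privs.items()):
        if name in SUSPECT_PRIVS:
            state = "+".join(decode_flags(attrs, PRIV_ATTR_FLAGS)) or "Disabled"
            findings.append(f"unexpected privilege {name} ({state})")
    return findings

# Constructed sample: a deny-only Administrators SID plus an SeTcbPrivilege entry.
SAMPLE = """Token SIDs: (2)
\tS-1-5-32-545 = 0x00000007 = [token SID attributes]
\tS-1-5-32-544 = 0x00000019 = Mandatory+Owner+Deny Only
Token privileges: (2)
\tSeChangeNotifyPrivilege = 0x00000003 = [token privilege attributes]
\tSeTcbPrivilege = 0x00000000
"""
```

Running `triage_token(SAMPLE)` reports the restricted token and the SeTcbPrivilege entry; a clean interactive token from a member of Users yields no findings.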

TCP and UDP table:

Shows current network connection activity in and out of the system AND shows applications that are acting as servers which are LISTENING for inbound connections. The former will often identify outgoing port scanning, worm propagation activity and/or "call-home" activity to command and control servers. The latter identifies possible backdoors that may be running on the system, as well as identifying other running services that may have acted as the initial infection vector.

Things to look for:
  • High volumes of outbound connection request activity (e.g. SYN_SENT)
  • SYN_SENTs to sequentially incrementing target IP addresses
  • CLOSE_WAITs in a pattern similar to SYN_SENTs, which document recent (but not current) scanning activity
  • ESTABLISHED connections that you don't expect (e.g. to IRC servers in Russia)
  • LISTENING entries indicating an installed service that you did not install

As mentioned before, if you are running Windows NT/2000/XP/2003 you'll be able to see the program name associated with any ESTABLISHED or LISTENING application. This essentially identifies the hostile application for you. If you see evidence of scanning activity (e.g. lots of SYN_SENTs or CLOSE_WAITs) but no ESTABLISHED connections, you may have to run SecCheck several times to "catch" a case where the scanner actually gets an ESTABLISHED connection to one of the systems being scanned.
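The "things to look for" above translate into a small triage script. This is an added Python example, not SecCheck code; the page does not show the exact column layout of the TCP and UDP table, so the netstat-like layout, the program paths and the connection rows below are constructed assumptions. It counts SYN_SENT and CLOSE_WAIT entries per program, detects sequentially incrementing target addresses, lists every ESTABLISHED peer and flags listeners that are not on an expected list.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample in a netstat-like layout (an assumption; SecCheck's real columns differ).
SAMPLE_TABLE = """\
TCP 192.168.1.5:1038 10.1.7.20:445 SYN_SENT 1872 C:\\WINDOWS\\system32\\scvhost.exe
TCP 192.168.1.5:1039 10.1.7.21:445 SYN_SENT 1872 C:\\WINDOWS\\system32\\scvhost.exe
TCP 192.168.1.5:1040 10.1.7.22:445 SYN_SENT 1872 C:\\WINDOWS\\system32\\scvhost.exe
TCP 192.168.1.5:1030 10.1.6.250:445 CLOSE_WAIT 1872 C:\\WINDOWS\\system32\\scvhost.exe
TCP 192.168.1.5:1031 10.1.6.251:445 CLOSE_WAIT 1872 C:\\WINDOWS\\system32\\scvhost.exe
TCP 192.168.1.5:1032 10.1.6.252:445 CLOSE_WAIT 1872 C:\\WINDOWS\\system32\\scvhost.exe
TCP 192.168.1.5:1027 203.0.113.9:6667 ESTABLISHED 1872 C:\\WINDOWS\\system32\\scvhost.exe
TCP 0.0.0.0:139 0.0.0.0:0 LISTENING 4 System
TCP 0.0.0.0:43958 0.0.0.0:0 LISTENING 1904 C:\\RECYCLER\\svchost.exe
"""
ROW_RE = re.compile(r"^(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+)"
                    r":(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s+(?P<program>.+)$")

def parse_table(text):
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]

def sequential_targets(addrs, min_run=3):
    """True if the remote IPs contain min_run consecutive addresses (an address sweep)."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    run = best = 1
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best >= min_run

def triage_connections(text, volume=3, expected_listeners=frozenset()):
    """The text's checks: SYN_SENT/CLOSE_WAIT volume and sweeps, ESTABLISHED peers, listeners."""
    by_state, findings = defaultdict(list), []
    for row in parse_table(text):
        by_state[row["state"]].append(row)
    for state in ("SYN_SENT", "CLOSE_WAIT"):  # current vs. recent scanning activity
        per_program = defaultdict(list)
        for row in by_state[state]:
            per_program[row["program"]].append(row["raddr"])
        for program, remotes in per_program.items():
            sweep = " to sequential targets" if sequential_targets(remotes) else ""
            if len(remotes) >= volume or sweep:
                findings.append(f"{len(remotes)} {state}{sweep} from {program}")
    for row in by_state["ESTABLISHED"]:  # every one of these deserves a look
        findings.append(f"ESTABLISHED to {row['raddr']}:{row['rport']} by {row['program']}")
    for row in by_state["LISTENING"]:
        if row["program"] not in expected_listeners:
            findings.append(f"unexpected listener on port {row['lport']} by {row['program']}")
    return findings
```

With `expected_listeners={"System"}` the sample yields four findings: the SYN_SENT sweep, the matching CLOSE_WAIT sweep, the ESTABLISHED IRC-port connection, and the listener in the Recycler directory.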

Process List:

Shows the list of processes currently running on this system.

Things to look for:
  • Process names which don't correlate to known applications you installed
  • Program names with seemingly random sequences of characters
  • Programs running in unusual directories (e.g. /recycler, /drivers, /Iownu, etc.)
  • Programs named the same as common Windows files BUT located in an improper directory (e.g. svchost.exe, scvhost.exe, etc.)

Services running on local machine:

Other services registered on local machine:

Drivers running on local machine:

Other drivers registered on local machine:

Beginning with SecCheck 2.0.1007, all services and drivers registered on the system at the time of the check are shown. This is an increasingly popular mechanism that malware is using to automatically start on system boot.

Things to look for:
  • Defined services that you have not enabled
  • Program names in weird directories
  • Anything named Serv-U (a common FTP server dropped by crackers)

Startup Entries

Most malware utilizes some way to cause it to automatically restart each time you reboot. This is usually accomplished by adding a startup key in the Registry or making an entry in one of the Startup folders. Once you have identified the malware, search through the startup registry keys to identify where it's being launched. You can sometimes manually remove the malware by deleting values within these Registry keys and rebooting the system. Some of the common startup locations are shown below.

Entries for HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
Entries for HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce:
Entries for HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices:
Entries for HKU\[user SID]\Software\Microsoft\Windows\CurrentVersion\Run:
Entries for HKU\[user SID]\Software\Microsoft\Windows\CurrentVersion\RunOnce:
Entries for HKU\[user SID]\Software\Microsoft\Windows\CurrentVersion\RunServices:
Startup items for folder 'C:\Documents and Settings\%username%\Start Menu\Programs\Startup'
Startup items for folder 'C:\Documents and Settings\All Users\Start Menu\Programs\Startup'
Startup Entries for HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:
Startup Entries for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
Entries for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad:
Entries for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler:

Browser Helper Objects - BHOs

BHOs are used to add extensions or to customize the Internet Explorer browser. Unfortunately, much adware, spyware, and browser-hijacking malware utilizes BHOs to hook their code into the browser. If you see standard BHOs like Acrobat, Norton AV, or Real Audio, that's pretty normal. However, if you see things like 'MySearchBar' and others, it's probably time to run an adware scan and removal. Two free tools that I recommend are Adaware and Spybot Search and Destroy.

Entries for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects:
	{4BB0D2E1-C1CF-4315-827E-F8C084665E93} = '', "C:\WINDOWS\System32\baseslrv.dll"
	{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} = 'REALBAR'(realbar.REALBAR), [DLL path];
	{53707962-6F74-2D53-2644-206D7942484F} = '', "C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
	{AA58ED58-01DD-4d91-8333-CF10577473F7} = 'Google Toolbar Helper', [DLL path];

Winsock2 Registered Service Providers

Winsock LSPs can be used by malware to spy on or manipulate application-level Internet communications. Generally, there will only be a couple of LSPs registered on the system by default. For XP, a "clean" set of entries would be:

	"%SystemRoot%\system32\mswsock.dll": 31 entries in memory, 31 entries in the Registry
	"%SystemRoot%\system32\rsvpsp.dll": 2 entries in memory, 2 entries in the Registry

(The number of "entries" refers to the number of protocols registered to each LSP in memory and in the Registry.)

Full Process/Modules/Threads Dump

The list of modules (EXEs/DLLs) and threads for each process is displayed here. Sometimes, malicious activity can be seen by looking in either or both of these sections. For example, the module list for a spam trojan DLL loaded into the Shell (Explorer) looks in part like this:

Modules loaded into  PID ########: "explorer.exe" / CmdLine: 'C:\WINDOWS\Explorer.EXE' / SecDesc: '[SDDL]'
	BaseAddr 0x00C30000, LastMod 12/14/2004 10:20 AM : "C:\Program Files\Adobe...\PDFShell.dll"
	BaseAddr 0x01000000, LastMod 9/3/2002 4:32 PM    : "C:\WINDOWS\Explorer.EXE"
	BaseAddr 0x01100000, LastMod 9/3/2002 4:44 PM    : "C:\WINDOWS\System32\msi.dll"
	BaseAddr 0x024F0000, LastMod 11/19/2005 3:14 AM  : "C:\WINDOWS\System32\ocmbomap.dll"

The ocmbomap.dll file (the last entry above) is the one doing the spamming; looking at the threads in that process, we also see it there:

Threads in PID ########: "explorer.exe" / CmdLine: 'C:\WINDOWS\Explorer.EXE' / SecDesc: '[SDDL]'
TID = 144 / 0x00000090, StartEIP = 0x77E7D342
TID = 156 / 0x0000009C, StartEIP = 0x77E8149F
	StartAddr = 0x010160CC --> 'explorer.exe+0x000160CC'
TID = 160 / 0x000000A0, StartEIP = 0x77E7D342
	StartAddr = 0x024F57E1 --> 'ocmbomap.dll+0x000057E1'
TID = 172 / 0x000000AC, StartEIP = 0x77E7D342
	StartAddr = 0x024F57E1 --> 'ocmbomap.dll+0x000057E1'
TID = 184 / 0x000000B8, StartEIP = 0x77E7D342
	StartAddr = 0x024F57E1 --> 'ocmbomap.dll+0x000057E1'
TID = 364 / 0x0000016C, StartEIP = 0x77E7D342
	StartAddr = 0x024F57E1 --> 'ocmbomap.dll+0x000057E1'
TID = 396 / 0x0000018C, StartEIP = 0x77E7D342
	StartAddr = 0x024F5886 --> 'ocmbomap.dll+0x00005886'
TID = 424 / 0x000001A8, StartEIP = 0x77E7D342
	StartAddr = 0x024F57E1 --> 'ocmbomap.dll+0x000057E1'
.
.
.

Etcetera, etcetera. The complete list shows a total of 35 threads with start addresses within that DLL.
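Counting threads per module is the check the dump above illustrates. The following is an added Python example, not SecCheck code: it parses the module list and the thread StartAddr lines, attributes each start address to the module whose BaseAddr is the nearest one at or below it (the report carries no module sizes, so that rule is an assumption of this example), and ranks modules by thread count alongside their LastMod timestamps. The sample is constructed from the lines quoted above.

```python
import re
from bisect import bisect_right
from collections import Counter

MODULE_RE = re.compile(r'BaseAddr 0x([0-9A-Fa-f]+), LastMod (\S+ \S+ \S+)\s*: "(.+)"')
THREAD_RE = re.compile(r"StartAddr = 0x([0-9A-Fa-f]+)")

def parse_modules(text):
    """[(base, path, lastmod)] sorted by base address, from a 'Modules loaded into' block."""
    return sorted((int(m[1], 16), m[3], m[2]) for m in MODULE_RE.finditer(text))

def resolve(addr, modules):
    """Module owning addr: the nearest BaseAddr at or below it. The report carries no
    module sizes, so this nearest-lower-base rule is an assumption of this example."""
    i = bisect_right([base for base, _, _ in modules], addr) - 1
    return modules[i] if i >= 0 else None

def threads_per_module(text):
    """[(path, thread_count, lastmod)] with the busiest module first. Threads that show
    only a StartEIP and no StartAddr line are not counted."""
    modules = parse_modules(text)
    counts = Counter()
    for m in THREAD_RE.finditer(text):
        owner = resolve(int(m[1], 16), modules)
        if owner:
            counts[owner[1]] += 1
    lastmod = {path: lm for _, path, lm in modules}
    return [(path, n, lastmod[path]) for path, n in counts.most_common()]

# Constructed sample: the module and thread lines quoted on this page, shortened.
SAMPLE = """\
Modules loaded into  PID ########: "explorer.exe"
\tBaseAddr 0x00C30000, LastMod 12/14/2004 10:20 AM : "C:\\Program Files\\Adobe...\\PDFShell.dll"
\tBaseAddr 0x01000000, LastMod 9/3/2002 4:32 PM    : "C:\\WINDOWS\\Explorer.EXE"
\tBaseAddr 0x01100000, LastMod 9/3/2002 4:44 PM    : "C:\\WINDOWS\\System32\\msi.dll"
\tBaseAddr 0x024F0000, LastMod 11/19/2005 3:14 AM  : "C:\\WINDOWS\\System32\\ocmbomap.dll"
Threads in PID ########: "explorer.exe"
TID = 144 / 0x00000090, StartEIP = 0x77E7D342
TID = 156 / 0x0000009C, StartEIP = 0x77E8149F
\tStartAddr = 0x010160CC --> 'explorer.exe+0x000160CC'
TID = 160 / 0x000000A0, StartEIP = 0x77E7D342
\tStartAddr = 0x024F57E1 --> 'ocmbomap.dll+0x000057E1'
TID = 172 / 0x000000AC, StartEIP = 0x77E7D342
\tStartAddr = 0x024F57E1 --> 'ocmbomap.dll+0x000057E1'
TID = 396 / 0x0000018C, StartEIP = 0x77E7D342
\tStartAddr = 0x024F5886 --> 'ocmbomap.dll+0x00005886'
"""
```

On the sample, `threads_per_module(SAMPLE)` puts ocmbomap.dll first with three threads and a LastMod years newer than the Explorer and msi.dll entries, which is exactly the combination worth a closer look.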

Last 50 files changed in System Directory: "%windir%\system32"

The last 50 files changed in the system directory (shown in reverse chronological order) will sometimes provide an indication of infection. Malware often explicitly copies things like downloaders, configuration files, and log files to that directory.

File SHA1 Dump:

This is the list of files that SecCheck encountered during its scan of the different areas of the system. Each entry includes an abbreviated format of the last write timestamp (in UTC time, as reported by the local system), along with the path (relative to the local system) and SHA1 hash of the file.