Monday, 7 January 2013

How to detect malicious process?


Any process that we execute during our session runs at our own risk and responsibility. There is no security mechanism or barrier that prevents a process from being infected or altered. On the other hand, we have the Bell–LaPadula model and controlled access to specific information within a given security level. There are also AVs and other alerting tools. Leaving the theory aside, let us focus on methods of host inspection and on finding suspicious malware hiding somewhere behind processes.

What problems can we face during host inspection?

We start looking for malicious files and processes when the automated tools and AV have failed. You know the situation: tons of security layers, but our host still got infected. What now? Possibly this is a rootkit trying to hide itself and other malware, or a trojan behaving like a normal, standard process or job. A quick look at a simplified workflow:

1. Try to stop the spreading.
2. Terminate the suspicious process (processes can cooperate).
3. Delete binaries and files, verify auto-run entries.
4. Restart the machine and check what is going on.

A basic, and at the same time very often sufficient, list of helpful tools: procexp.exe, procmon.exe, movefile.exe, msconfig.exe, autoruns.exe. Please follow Sysinternals, the best reference on this subject.

Great knowledge and comprehensive tool descriptions can be found in "Windows Sysinternals Administrator's Reference" written by Mark Russinovich. Please note that the tools can be downloaded directly to the infected host, brought by the investigator, or executed from the web. To run a program from Internet Explorer, just type http://live.sysinternals.com/nameOfTool.exe, or map the share \\live.sysinternals.com with the net use utility. The last thing to mention is that practice makes perfect. So, the more systems you analyze (infected and clean), the better you get. Spend some time with the listed utilities and start training.
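As an added example (not part of the original post), the same first pass that procexp.exe and autoruns.exe give you can be scripted with built-in PowerShell cmdlets: list running processes whose binary is unsigned or lives in a user-writable location, record their SHA-256 hash and parent PID for later correlation, and dump the Run/RunOnce keys that step 3 of the workflow asks you to verify. It assumes an elevated PowerShell session on Windows; the "odd location" patterns are a constructed heuristic, not a definitive indicator.

```powershell
# Added example: quick process and auto-run triage with stock PowerShell cmdlets.
# Assumptions: run as Administrator; the path patterns below are a constructed
# heuristic (common drop locations), so hits still need manual verification.
$oddLocations = @("\\Temp\\", "\\AppData\\Local\\", "\\Users\\Public\\", "\\Downloads\\")

function Get-SuspiciousProcess {
    Get-CimInstance Win32_Process | ForEach-Object {
        $exe = $_.ExecutablePath
        if (-not $exe) { return }   # protected/system processes expose no path
        $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
        $status = if ($sig) { "$($sig.Status)" } else { "Unknown" }
        $inOddPlace = $oddLocations | Where-Object { $exe -match $_ }
        # Flag anything unsigned/invalid, or signed but running from a drop location
        if ($status -ne "Valid" -or $inOddPlace) {
            [pscustomobject]@{
                PID       = $_.ProcessId
                ParentPID = $_.ParentProcessId   # compare with procexp's process tree
                Name      = $_.Name
                Path      = $exe
                Signature = $status
                Sha256    = (Get-FileHash -Path $exe -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
    }
}

function Get-RunKeyEntry {
    # The classic auto-run keys; autoruns.exe covers many more locations
    $keys = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PowerShell's own PS* metadata
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

Get-SuspiciousProcess | Format-Table -AutoSize
Get-RunKeyEntry | Format-Table -AutoSize
```

Save the two tables before you terminate anything (step 2), so the hashes and parent PIDs are available for comparison after the restart in step 4.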

Saturday, 5 January 2013

Hacker Lifestyle

Here I would just like to quickly mention two really great novels about hackers and their lives. First of all, both stories present the history: how it all began and how hacking evolved. At the same time they show the biographies of famous guys, their vision, passion and troubles. A really good piece of entertainment for those who are bored, exhausted or burned out (just for the moment! :) ), to stay focused and see what is on 'the other side'. Enjoy reading.