Security Incidents mailing list archives
Re: strange windows behaviour.
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 10 Oct 2003 06:10:05 -0700 (PDT)
> You've gotten some good advice already. FWIW, I would not first suspect adware in either of the cases below.
I would agree. Too many times, that seems to be a stock answer, particularly from someone who deals with it all the time. I see it a lot, but I prefer to try and narrow down the usual suspects before resorting to running the adware/spyware removal tools.
> Regarding the university report, the fact that winservn.exe does not show up in a Google.com search plus the fact that it is listening for inbound connections does not make me think adware.
I wouldn't be too concerned about Google, though that is a valid point. The fact that it's listening for connections should take priority, in my thinking.
> In both incidents, I would want to save and submit the responsible file to the anti-virus vendor for inspection.
Good call, though some of the work can be done by the person who actually has a copy of that file. Tools like strings.exe and Dependency Walker can give a really good view of what the file may be doing. Also, using a tool to get the file version information may be enlightening.
> Regarding the original poster's incident, knowing the ports and remote IP addresses involved would be helpful. If you haven't already, running one of the previously mentioned port inspecting tools such as Fport from Foundstone.com/knowledge that actually tells you what executable is generating the traffic should be done.
Just a quick comment here...I recommend using fport, but as with any tool, one needs to understand the strengths and weaknesses of the tools used. Fport requires an admin account to work, whereas openports.exe from DiamondCS doesn't. Also, I know that inzider is bandied about quite a bit by SANS but before you use it, take a moment to read the author's web site on the tool (just b/c SANS recommends it doesn't make it a particularly good tool to use).
> Inspecting firewall and IDS logs for traffic from the affected machines or ports and/or running a sniffer such as Ethereal, Windump or Snort could be useful.
True. I would recommend Ethereal, as it can do stream reassembly...that way, you can look at an entire "conversation" at once. However, keep in mind that WinDump and Snort can both capture in formats that can be opened by Ethereal.
> [Windows Netstat utility doesn't give you that information unless you're running XP.]
Netstat won't capture traffic on any Windows platform. Are you referring to the '-o' switch, which will list the PIDs associated with the connections on the far right-hand side of the output?
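The fport suggestion and the '-o' switch discussed above both come down to the same triage step: map each listening port to a PID, then to the image name that owns it. The script below is an added example, not code from this thread or from any of the tools named in it; it correlates saved `netstat -ano` output with `tasklist /fo csv` output offline, which is handy when the two listings were collected from a box during triage. The process names, PIDs and ports in the sample data are constructed, not taken from the incidents being discussed.

```python
"""Correlate `netstat -ano` listeners with `tasklist` to name the owning executable."""
import csv
import io

# Constructed sample in the layout `netstat -ano` prints (PID is the last column;
# UDP rows have no State column, which the parser must account for).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.5:1036       10.0.0.9:80            ESTABLISHED     1488
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the layout `tasklist /fo csv` prints.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","804","Console","0","4,512 K"
"suspect.exe","1488","Console","0","2,140 K"
'''


def parse_tasklist(text):
    """Return {pid: image name} from tasklist's CSV output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def parse_netstat(text):
    """Return (proto, local address, state, pid) tuples from `netstat -ano` output.

    The PID is always the last field, so the missing State column on UDP rows
    does not shift it; header and banner lines are skipped by protocol name.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append((parts[0], parts[1], state, int(parts[-1])))
    return rows


def listeners(netstat_text, tasklist_text):
    """Map every listening socket to its owning image name, sorted by port.

    A PID missing from the tasklist snapshot (process exited between the two
    captures) is reported as unknown rather than silently dropped.
    """
    names = parse_tasklist(tasklist_text)
    out = []
    for proto, local, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # only inbound listeners, per the thread's concern
        port = int(local.rsplit(":", 1)[1])  # works for IPv6 "[::]:port" too
        out.append((proto, port, pid, names.get(pid, "<unknown pid>")))
    return sorted(out, key=lambda r: r[1])


if __name__ == "__main__":
    for proto, port, pid, image in listeners(NETSTAT_OUTPUT, TASKLIST_CSV):
        print(f"{proto:<4} {port:<6} {pid:<6} {image}")
```

On a live host the two inputs are simply `netstat -ano` and `tasklist /fo csv` redirected to files; anything that is listening from an image outside the expected system directories is what you would then pull for strings, file version and AV submission as described above.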