Security Incidents mailing list archives

Re: NKADM rootkit - Something new?


From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 26 May 2004 14:12:44 -0500

--On Wednesday, May 26, 2004 09:32:00 AM -0700 Harlan Carvey <keydet89 () yahoo com> wrote:

This is an excellent example of what happens when you
take the easy route and look at something
(particularly on Windows systems) based on filenames
or open ports...both are configurable in most cases.

I agree, Harlan. In general, here's what I do to examine a Windows box that is suspected of compromise (much of this requires tools which I have accumulated on a CD - Foundstone, Sysinternals, etc.):

1) scan for open ports (from another host)
2) run a full virus scan on the machine (by full I mean heuristics, all files, archived files, Mime encoded files, etc., etc.)
3) search for all files *created* just prior to the suspected compromise date
4) search for all *.ini files and inspect the unusual ones - this usually yields a treasure trove of file names and locations (I once found a text file that had nothing in it except "You're pretty good if you found this!")
5) Look for anything stored in the Recycler folders on each hard drive
6) Inspect all Run keys in the registry
7) Look at all running services
8) Look in %windir%\%system32%\drivers and its subfolders (favorite hiding place)
9) Look in all Temp directories (another favorite hiding place)
10) inspect all logs for evidence of a break-in date

Frankly, I could care less about the filenames. They're seldom useful anyway. I've seen ServU named almost anything from servuftp.exe to svchost.exe to setup.exe.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
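Steps 3 through 9 of the checklist above, collected into one triage script. This is an added example and not part of the original thread; it assumes a modern Windows PowerShell run elevated on the suspect host, and $Since (suspected compromise date) and $Out (output folder, ideally on removable media carried with the tool CD) are placeholders. Following the thread's point, each file is recorded by hash and Authenticode signer rather than judged by its name.

```powershell
param(
    [datetime]$Since = (Get-Date).AddDays(-7),  # assumption: compromise suspected within the last week
    [string]$Out     = 'E:\triage'               # placeholder: output folder on removable media
)
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }).Root

# Judge a file by its hash and signer, never by its name (a file called svchost.exe proves nothing)
function Get-FileFacts {
    param([System.IO.FileInfo]$f)
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Created   = $f.CreationTime
        Size      = $f.Length
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}

# 3) Every file created on or after the suspected compromise date, across all drive letters
Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } | ForEach-Object { Get-FileFacts $_ } |
    Export-Csv "$Out\created-since.csv" -NoTypeInformation

# 4) All *.ini files; the ones outside known vendor folders are reviewed by hand
Get-ChildItem -Path $roots -Recurse -Filter *.ini -File -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length | Export-Csv "$Out\ini-files.csv" -NoTypeInformation

# 5), 8), 9) Recycler folders on each drive, the drivers tree and the Temp directories
$hideouts = @("$env:windir\System32\drivers", $env:TEMP, "$env:windir\Temp") +
            ($roots | ForEach-Object { "$($_)`$Recycle.Bin"; "$($_)RECYCLER" })
Get-ChildItem -Path $hideouts -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FileFacts $_ } | Export-Csv "$Out\hideouts.csv" -NoTypeInformation

# 6) Run / RunOnce keys for the machine, the 32-bit view and the current user
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' |
Where-Object { Test-Path $_ } | ForEach-Object {
    $k = $_; $v = Get-ItemProperty -Path $k
    (Get-Item $k).Property | ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_; Command = $v.$_ } }
} | Export-Csv "$Out\run-keys.csv" -NoTypeInformation

# 7) Services with their image path and account; a familiar display name proves nothing either
Get-CimInstance -ClassName Win32_Service | Select-Object Name, DisplayName, State, StartMode, PathName, StartName |
    Export-Csv "$Out\services.csv" -NoTypeInformation
```

The resulting CSVs are meant to be reviewed offline alongside the port scan and log review (steps 1 and 10), which this script does not cover.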

