12 September 2011

Finding malware infection attempt source machines

It is a very common problem to have.  You have your machines being protected by an antivirus solution and you a number of infection attempts being blocked.  You can however not always determine WHERE the attack is coming from.

Some malware will persistently and very frequently attempt to infect the same machine, through something like a brute force password attempt.  We can use this pattern or behavior to determine the source.

Using netstat
This system utility "Displays protocol statistics and current TCP/IP network connections."

The option are as follows



NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]


  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
                addresses.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

By executing the netstat with the default you can get a very nice output of active connection as they are established   Furthermore you also get the connection ports from both the source and local.  Specifying a refresh interval will continually run and refresh your list of connections.



You can output this to a text file for easier analysis with Excel. To do this use the following command:

netstat 1 >c:\logfile.csv


Using netstat -n 1 >c:\logfile.csv  will you you a faster refreshing log since there is no name look up involved

Working with the results
Open excel and start a new workbook


  • From the Data Tab select From Text
  • Specify the path of the logfile you created earlier
  • Select Delimited as the original data type
  • Start import from row 4
  • Next
  • Select Space as the Delimiter
  • Finish




You will now have a easy to work with table.  As an example - If your machine is a web server you might want to exclude all connection attempts against port 80 as this is probable legitimate traffic.



You can also refresh the table to continually get the latest log import.

TCPview
There is also a free sysinternals tool to do the same thing but with an easier GUI.  There is also a command line version with a few more options, especially useful is to output to a csv file.

http://technet.microsoft.com/en-us/sysinternals/bb897437


Conclusion
If you know what to look for you can determine if a machine is persistently making unsolicited connections to your machine.  This can be indicative of malware trying to get in.  If you have more detailed knowledge of the malware floating around your network you can streamline this process by tailoring your excel filters.  This is a very manual process but it might help you if you are getting hit hard.



No comments:

Post a Comment