Identifying Unexpected Activity using Sysinternals Tools

Introduction

Almost three years ago I wrote a post about using Netmon to identify unexpected traffic. Although Netmon is a great tool and the advice in that post is still valid, there are scenarios where you need to go beyond the traffic itself and determine whether the process generating it is suspicious or not. This post describes how to use TCPView and Process Explorer to identify suspicious activity on the local system.

Symptoms

  • The user complains that his computer randomly slows down, even when he is not running any application.
  • The customer thinks he has malware.
  • He scanned the computer with products from different antivirus vendors and nothing was detected.

Investigation Process

When investigating issues of this nature, especially once you have done the basics (scanning the computer), the next step is to understand whether this computer is sending (or receiving) anything over the network. One great test to perform right at the beginning is to ask, or try: does the performance issue still happen when the network cable is unplugged? A compromised computer will often behave differently once it is cut off from the network. Because this step was not done in this case, we will start the investigation with TCPView to understand the current network footprint of this computer.

[Screenshot: TCPView listing the connections and listening ports on this computer]

TCPView is a great tool because it shows many aspects of a process from the socket perspective, including the TCP state of each connection. You could argue that this is similar to running netstat -naob (which needs an elevated prompt for the -b switch to resolve the executable name), and I am fine with using netstat, but the nice thing about TCPView is that it is live: you do not need to refresh it, and if a connection is closed the UI updates. With netstat you have to keep re-running the command to see whether a state changed, which is the main reason I prefer TCPView for live investigation of issues of this nature.

At first glance there is no suspicious activity; however, there is one process that does not look legitimate, called msupdate.exe. Notice that this process is listening on port 3349, which is not a usual port either. Now it is time to use Process Explorer to better understand what this process is doing:

[Screenshot: Process Explorer process tree showing msupdate.exe]

There are some suspicious signs around this process:

  • It does not have a parent (the process that started it has already exited).
  • It does not have a Company Name.

Note: I call these suspicious signs because they could indicate a malicious process, but at this point we do not have enough information to confirm that.

To investigate this process further, right-click the suspicious process and choose Properties; the window below will appear:

[Screenshot: Process Explorer Properties window for msupdate.exe, Image tab]

As you can see, this process is located in the %windir%\system32 folder and its command line includes some additional parameters. Since I am not sure which program this is, one way to learn more is to look at what the process has loaded in memory on the Strings tab (choose the Memory radio button at the bottom of the window; the Image option only shows strings from the file on disk). In this case the Strings tab shows some interesting information about the process, such as the line I pointed out below:

[Screenshot: Strings tab (Memory) for msupdate.exe with the relevant line highlighted]

This line belongs to the NC (Netcat) tool and matches the parameters we saw on the Image tab for this executable. This means that the executable is actually NC renamed to msupdate.exe: it is listening on port 3349, and once someone connects to that port it will execute a Command Prompt (cmd.exe), handing the remote party a shell on this computer. To confirm the identification, compare the file's hash against a known copy of nc.exe and check whether the image is signed (the Image tab in Process Explorer can verify the signature); a genuine Windows component in system32 would carry a Microsoft signature and a Company Name.
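The same triage can be scripted so it can be repeated on other machines. The PowerShell below is an added example, not part of the original post or of the Sysinternals tools: it lists every listening TCP endpoint, maps it to the owning process, applies the checks used above (missing parent, missing Company Name, unusual port) plus an Authenticode signature check, and then dumps printable strings from the image on disk so a renamed tool can be spotted by its own usage text. The function names Get-ListeningProcessReport and Get-PrintableStrings are my own; the script assumes an elevated prompt on Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example, not from the original post: command-line version of the
# TCPView -> Process Explorer triage. Run from an elevated PowerShell prompt.
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later.

function Get-ListeningProcessReport {
    [CmdletBinding()]
    param(
        # Listening ports at or above this value get a 'high port' flag (analyst's choice;
        # RPC dynamic ports and many legitimate services will show up here too).
        [int]$HighPortThreshold = 1024
    )

    # One WMI query gives PID, parent PID, image path and command line for every process,
    # which is the same data Process Explorer shows on the Image tab.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        $p = $procs[[int]$conn.OwningProcess]
        if (-not $p) { return }   # process exited between the two queries; skip it

        # PID 4 (System) has no image path and will be flagged below; that is expected.
        $path = $p.ExecutablePath
        $company = $null; $signer = 'n/a'; $sigStatus = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            # Company Name comes from the file's version resource, as in Process Explorer.
            $company   = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $sig       = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status
            $signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        }

        $flags = @()
        # "No parent" in Process Explorer means the parent PID no longer exists.
        if (-not $procs.ContainsKey([int]$p.ParentProcessId)) { $flags += 'no parent' }
        if ([string]::IsNullOrWhiteSpace($company))            { $flags += 'no company name' }
        if ("$sigStatus" -ne 'Valid')                           { $flags += "signature: $sigStatus" }
        if ($conn.LocalPort -ge $HighPortThreshold)             { $flags += 'high port' }

        [pscustomobject]@{
            LocalPort   = $conn.LocalPort
            PID         = $conn.OwningProcess
            Name        = $p.Name
            Path        = $path
            CommandLine = $p.CommandLine
            ParentPID   = $p.ParentProcessId
            Company     = $company
            Signer      = $signer
            Flags       = ($flags -join '; ')
        }
    }
}

function Get-PrintableStrings {
    # Equivalent of the Strings tab with the 'Image' option: strings from the file on disk.
    # (The 'Memory' option in Process Explorer reads the live process, which this does not.)
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 6,
        [string]$Pattern = '.'   # regex applied to each string; the default keeps everything
    )
    # ISO-8859-1 maps every byte to exactly one char, so a byte-range regex works on the text.
    $text = [Text.Encoding]::GetEncoding(28591).GetString([IO.File]::ReadAllBytes($Path))
    [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") |
        ForEach-Object { $_.Value } |
        Where-Object { $_ -match $Pattern }
}

# Usage: show only listeners that tripped at least one check, then inspect the suspect's strings.
Get-ListeningProcessReport | Where-Object { $_.Flags } | Format-Table -AutoSize
# Get-PrintableStrings -Path "$env:windir\System32\msupdate.exe" -Pattern 'cmd'
```

A renamed Netcat as in this case would show up with an empty Company column, a missing parent and a non-Microsoft (or absent) signer despite living in system32; any of those alone is only a lead, so treat the Flags column as a worklist for the manual Process Explorer checks above rather than as a verdict.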

Conclusion

The findings show that this workstation was compromised with a renamed copy of NC that could be used as a backdoor. It is a simple implant, but for the purpose of this investigation it was enough to show how we can leverage TCPView and Process Explorer to identify suspicious activity that is sometimes not caught by antivirus.