Complementary security tools

It’s interesting what vision has PC users with not a lot of experience about their antivirus, how they feel about that software. It’s more about a feeling, yes, they perceive the antivirus like a comrade who defend them fighting back against all kind of nasty malware and zombies for their safety and peace, look how people speak about their antivirus :  “my antivirus says this or says that…”

Well, if it’s about a comparison between an antivirus and a bodyguard who must defend me against the Internet threats, the bodyguard is a blind person when it comes about new threats and here you must consider as a fact that daily thousands of viruses, trojans or undetected variants of them are released in the wild. There is no antivirus software that can guarantee a clean PC.

Sounds strange maybe but when it comes about new unknown malware a couple of little applications most of them freeware and the human good sense can perform better than an antivirus, they are really complementary but very effective security solutions. These tools must not replace the antivirus, them are not antivirus alternatives(maybe are but for experienced users) instead come in help complementing the antivirus range of actions and overcoming its limitations.

iDefense Labs has a lot of security tools :

SysAnalyzer is a tiny application that creates a complete report about what actions an executable does on a system, monitoring the most important  elements and by doing system snapshots at time intervals specified by user it’s able to do comparisons revealing the persistent changes found on the system since an application was first run. The application can monitor :

• Running Processes
• Open Ports and associated processes
• Loaded Drivers
• Injected Libraries into explorer.exe and Internet Explorer–the best way trojans unveiling
• Key Registry Changes
• APIs called by a target process
• File Modifications
• HTTP, IRC, and DNS traffic

Also by injecting a dll into a process, api_log.dll all the API calls made by a program are logged.

The program interface allow drag and drop or browse for files :

The use of  ProcAnalyzer module gives a complete overview about running processes –just right click and select analyze :

Now,  interesting enough the API calls made by a trojan–screenshots made on an infected computer of a client of mine:

Here is the way how a trojan operates to be undetectable by an antivirus : It is embedded and encrypted inside of an apparently inoffensive executable without a signature in antivirus database. When  the program(very often a crypter) is running it will suspend(freeze) the host process and inject the trojan code directly into the process adress space(into the RAM without writing anything to hard disk to avoid the detection), using WriteProcessMemory  and CreateRemoteThread functions.

Now, be aware how the trojan looks like in analysis:

Firefox, huh? Tricky!!!

Now the open ports :

In conclusion the trojan open port TCP1635 trying to establish  connections with his “master” . Note that such kind of trojan if it’s new enough will bypass very easily an antivirus but there is several clues for us to suspect a malware:

-Use of WriteProcessMemory, Create process–suspended and CreateRemote Thread;

-Firefox added in the processes when in reality the Firefox browser is not running–the trojan masquerade as Firefox;

-An unusual post open;

By using the system snapshots, can be revealed the location where the trojan is copying itself : system32, temporary and UserData are preferred folders.

Runscanner version 2.0 is windows 64 bits compatible and will scan your system for all running programs, autostart locations, drivers, services and hijack points.

Features :

• 100+ start/hijack locations
• Online malware analysis
• Import and export of .run files
• Powerful process killer
• Save to text log file
• Powerful file filtering
• Host file editor
• History backup / restore
• Explorer jump
• Analysis of file certificates
• Beginner, Expert mode
• Bit9 FileAdvisor MD5 lookup
• Systemlookup.com lookup
• Upload file to VirusTotal
• Analyze loaded modules
• Google lookup
• Runscanner database lookup
• Regedit jump
  

There is possible an online analysis and a report will be generated automatically, also several security forums support is available.

Another powerful processes administrator is MKN TaskExplorer 5.0(Edit: no longer available now !)  it provides detailed reports about running processes, loaded modules, threads,  access token, open ports and many more. It also shows the information about the handles opened by a process.

MKN Software release also a network monitor for both inbound and outbound network connections established by processes running on the system.

However, the most advanced Network Monitor, and analyzer for packets of data sent and received over the network is  Wireshark.

One of the best known system tool is Trend Micro HijackThis, a free utility that generates an in depth report of registry and file settings from your computer. For analysis of the generated report is recommended to consult an expert from one of the multitude of specialized forums:

http://hijackthis.de/

http://forums.maddoktor2.com/index.php?showforum=17

http://www.security-forums.com/viewforum.php?f=48

http://www.bleepingcomputer.com/forums/

http://spywarehammer.com/simplemachinesforum/

http://www.spywareinfoforum.com/

http://forums.spybot.info/index.php

An easy but strong method to unveil a malware dropped in the system is to track the changes made to files and folders and registry entries taking system snapshots.

ESET SysInspector® is a free, state of the art diagnostic tool for Windows systems. It is also an integral part of ESET Smart Security 4 and ESET NOD32 Antivirus 4. It peers into your operating system and captures details such as running processes, registry content, startup items and network connections. Once a snapshot of the system is made, ESET SysInspector applies heuristics to assign a risk level for each object logged.

• Ability to generate and save a detailed log to be used by an IT expert or uploaded to an online forum for diagnosis
• Option to exclude private, personal information from being saved in logs
• Integrated Anti-Stealth technology allows discovering hidden objects (e.g. rootkits) in MBR, registry entries, drivers, services and processes
• Ability to compare two existing logs for differences makes it easy to detect changes over time
• Log entries are assigned a color code risk level for easy filtering
  Intuitive hierarchical navigation of logs
• Fast and compact single file executable, ideal for first responders to run from a USB drive without lengthy installation

SysTracer can scan your system and record information about:

• changed files and folders
• modified registry entries
• system services
• system drivers
• applications that are configured to run at computer startup
• running processes
• loaded dlls

By comparing snapshots from before and after a new program installation or execution, you can determine which files or registry entries were added, changed, or deleted.

MJ Registry Watcher is a simple registry, file and directory hooker/poller, that safeguards the most important startup files, registry keys and values, and other more exotic registry locations commonly attacked by trojans.

Other registry and files compare utilities :

• RegShot Windows Registry Compare Utility–FREE
• InstallWatch – FREErecords changes made to your PC during the installation of software, hardware, or configuration changes.
• Total Uninstall analyze the installed program and create the installation log.With “Monitored Programs” module it helps to monitor any changes made to your system during the installation of a new program.
• Registry Watch monitors changes made in the Windows Registry and the file system. Registry Watch make two file system and Registry snapshots for comparison. It compares the Registry and the file system before the installation of a program to the Registry and file system after the installation is completed. You can elect to just compare the Registry or file system or both.Since it is a full Windows snapshot utility, it can completely uninstall the program. Registry Watch is a 100% complete software uninstaller. It works on 64 bit as well as 32 bit.