

06 December 2011

Comments

There are numerous ways to determine what change was made to the file; in my opinion, that's the easy part. Diff, strings, hash values, sfc, etc. I think the real challenge is not in the identification of the modification, but in the detection of the single file that was modified.

As I pointed out in the post, and what I still think is the real meat of the issue, is how to tell? How can you tell if a legitimate Windows process has become weaponized? Again, I think the best way to even get to the point where you can employ something like SFC is through live analysis and correlation of data points.

Great point! Thanks for bringing that up!

Chris

One way to detect such modifications of processes as demonstrated is to run the System File Checker (sfc.exe).
Since we're talking about the modification of processes, the most reliable way would be to perform this from the Windows Recovery Console/System Recovery Options on the installation media.
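Both comments above turn on the same gap: sfc.exe tells you a protected file deviates from the installation source, but finding the one modified binary among thousands first needs a trusted reference point. The following PowerShell script is an added example, not code from the original post or either commenter, and not a Trustwave tool. It records a SHA-256 and Authenticode baseline of the system binaries under an assumed root (`$env:SystemRoot\System32`) to an assumed path (`$env:ProgramData\sys32-baseline.csv`), and on a later run reports only files that are new, whose hash changed, or whose signature is no longer valid. It assumes PowerShell 4.0 or later (for `Get-FileHash`) and an elevated prompt.

```powershell
# Added example (not from the original post or its comments): build a hash and
# signature baseline of Windows system binaries, then re-check it to surface the
# single file that changed. Assumes PowerShell 4.0+ and an elevated session.
param(
    [string]$Root = "$env:SystemRoot\System32",                      # assumed root
    [string]$BaselinePath = "$env:ProgramData\sys32-baseline.csv",   # assumed location
    [switch]$Compare                                                 # omit to record a baseline
)

function Get-SystemBinaryState {
    param([string]$Path)
    # One record per executable, library or driver: SHA-256 plus Authenticode status.
    Get-ChildItem -Path $Path -Include *.exe, *.dll, *.sys -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status.ToString()
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

if (-not $Compare) {
    # Record the baseline from a state you trust (freshly built or verified offline).
    Get-SystemBinaryState -Path $Root | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath"
    return
}

# Compare mode: index the baseline by path, then emit only the deviations.
$baseline = @{}
Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_ }

Get-SystemBinaryState -Path $Root | ForEach-Object {
    $old = $baseline[$_.Path]
    if (-not $old) {
        [pscustomobject]@{ Path = $_.Path; Finding = 'NEW FILE';     SigStatus = $_.SigStatus }
    } elseif ($old.Sha256 -ne $_.Sha256) {
        [pscustomobject]@{ Path = $_.Path; Finding = 'HASH CHANGED'; SigStatus = $_.SigStatus }
    } elseif ($_.SigStatus -ne 'Valid') {
        [pscustomobject]@{ Path = $_.Path; Finding = "SIGNATURE $($_.SigStatus)"; SigStatus = $_.SigStatus }
    }
}
```

Run it once without `-Compare` on a known-good build to record the baseline, and with `-Compare` afterwards; an unchanged system prints nothing, so a single `HASH CHANGED` line is exactly the "which file" answer the comments ask for. Two caveats apply. Many Windows binaries are catalog-signed rather than carrying an embedded signature, so on older systems `SigStatus` can read `NotSigned` for legitimate files, which is why the hash comparison against a trusted baseline is the stronger of the two checks. And, as the second comment notes, a live system whose kernel or file-system stack has been tampered with can misreport its own files, so the hashes are only as trustworthy as the environment that computed them; running the comparison from recovery media or against a mounted offline image avoids that dependency.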
