

A. Elshafei (aka AbuIbrahim12)
Tips on using Filemon for detecting Malware
If HijackThis fails to display any suspicious entries and you still believe that you are infected, Filemon is the next best tool to use.
Filemon is a powerful tool that displays all file system activity in real time. You can also see the activity of rootkits and hidden files, which is a great advantage. However, because of the increasing number of programs and operating system processes running at once, Filemon will display over a thousand open, write, read, etc. entries within seconds, which makes troubleshooting difficult and time consuming. On the other hand, not all malware that is actively running on the computer will show up immediately in the event log; it may take hours just to see an associated entry, because the malware was not involved in any observed activity at the time the monitoring was done.
If you want to use Filemon to detect a malicious file in less than a minute, here is how:

A) To use Filemon effectively for detecting malicious files, it is preferable to run it when one of the following conditions is satisfied:

1. The malware is triggered by an event or an action performed by the user. For example:
- when you click on something on the desktop or open a program, an advertisement pop-up appears
- as soon as you open IE, your start page is changed
- when you open an application such as MS Word, a Windows-like message appears saying you are infected and to click here to download our super duper antispyware
- you end a suspicious process in Task Manager and it gets recreated again

If the malware behaves in such a way, start Filemon > immediately perform the action that would induce the malware > click on the capture button and scroll through the process and the related path to determine the suspected file.
2. Time-triggered malware. Some adware is known to create an advertisement pop-up after every prescribed time interval. For example, a variant of the W32.Spybot worm will produce a pop-up exactly every 30 minutes even when you are offline. By observing the malware on your PC, check whether it performs a certain action at synchronized intervals. If so, note the PC's clock time whenever the action happens. Start Filemon, say, one minute before the next scheduled event. After the operation is performed, immediately click the capture button and scroll through the files to pinpoint the culprit file.
B) Keep as few processes running as possible. Close all unnecessary processes during the observation. Antivirus, antispyware and firewall programs are known to generate loads of heavy activity. Disconnect from the internet and then shut down these programs before using Filemon.
C) Change the filter settings to log opens only. Before starting the diagnosis, in the menu bar click Options > Filter/Highlight and uncheck 'log write' and 'log read'. If step A is applicable, logging opens is enough to actually determine the malicious file. Then click on the clear button to flush out unnecessary activity.
D) Another way to shorten the log for easier diagnosis is the exclude list. In the log, right-click a legitimate or an unwanted process and select Exclude Process. That process and all of its activity will automatically disappear. The same applies to excluding a particular path. You can undo any changes either by clicking on the filter button or by restarting Filemon. Some legitimate processes are not advisable to exclude, depending on the type of malware or the conditions encountered. Explorer.exe in particular should not be excluded unless you know what you are doing. Lots of malware, such as LOP spyware, run under the explorer.exe process. You can detect hidden LOP infections by observing the paths under the explorer.exe process. The same goes for malware DLL files: they can only be observed through another process such as rundll32.exe or explorer.exe.
E) If you are a tech support agent troubleshooting someone else's computer through a call center or a support forum, you can easily interpret a Filemon log by opening it in Filemon instead of a text editor. Open Filemon > click on the capture button > File > Open and open the log file belonging to the infected computer. This is a lot easier than opening the log file in Notepad or WordPad. In addition, you can exclude or filter any actions within the log. However, in a call center environment, the agent must ask for the file to be uploaded to the web so that he/she can see it.
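As an added example that is not part of this tutorial, the following Python script applies steps C and D to a saved Filemon log offline: it keeps only OPEN requests, drops processes on an exclude list, and lists the remaining paths per process, surfacing anything outside the usual system locations. The log lines are constructed, and the tab-separated column layout (sequence, time, process:pid, request, path, result, other) is an assumption about Filemon's saved-log format.

```python
import re
from collections import defaultdict

# Constructed sample of a saved Filemon log (not a real capture). Assumed
# tab-separated columns: seq, time, process:pid, request, path, result, other.
SAMPLE_LOG = """\
1\t10:30:01 AM\tsvchost.exe:912\tOPEN\tC:\\WINDOWS\\system32\\wbem\\wbemcore.dll\tSUCCESS\tOptions: Open Access: Read
2\t10:30:01 AM\tsvchost.exe:912\tREAD\tC:\\WINDOWS\\system32\\wbem\\wbemcore.dll\tSUCCESS\tOffset: 0 Length: 4096
3\t10:30:02 AM\texplorer.exe:1480\tOPEN\tC:\\WINDOWS\\system32\\shell32.dll\tSUCCESS\tOptions: Open Access: Read
4\t10:30:02 AM\texplorer.exe:1480\tOPEN\tC:\\Documents and Settings\\user\\Application Data\\qvtxz\\qvtxz.dll\tSUCCESS\tOptions: Open Access: All
5\t10:30:02 AM\texplorer.exe:1480\tWRITE\tC:\\Documents and Settings\\user\\Application Data\\qvtxz\\qvtxz.dll\tSUCCESS\tOffset: 0 Length: 512
6\t10:30:03 AM\tavscan.exe:640\tOPEN\tC:\\avscan\\quarantine\\q001.tmp\tSUCCESS\tOptions: Open Access: All
7\t10:30:03 AM\trundll32.exe:2016\tOPEN\tC:\\WINDOWS\\Temp\\~tmp19.dll\tSUCCESS\tOptions: Open Access: All
"""

# Paths under system32 or Program Files are treated as "expected" on a first pass
# so the analyst's eye lands on everything else (profile dirs, Temp, odd roots).
EXPECTED_PATH = re.compile(r"^C:\\(WINDOWS\\system32|Program Files)\\", re.IGNORECASE)


def parse_filemon(text):
    """Turn saved-log lines into dicts; lines with fewer than six columns are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        seq, time, process, request, path, result = fields[:6]
        rows.append({"seq": int(seq), "time": time,
                     "process": process.split(":")[0].lower(),  # drop the :pid suffix
                     "request": request.upper(), "path": path, "result": result})
    return rows


def suspicious_opens(rows, exclude_processes=()):
    """Step C (opens only) plus step D (exclude list): return {process: [paths]}
    for OPEN requests on paths outside the expected system locations."""
    excluded = {p.lower() for p in exclude_processes}
    hits = defaultdict(list)
    for r in rows:
        if r["request"] != "OPEN" or r["process"] in excluded:
            continue
        if EXPECTED_PATH.match(r["path"]):
            continue
        if r["path"] not in hits[r["process"]]:  # one line per path, like Filemon's view
            hits[r["process"]].append(r["path"])
    return dict(hits)


if __name__ == "__main__":  # explorer.exe is deliberately NOT excluded (see step D)
    for proc, paths in suspicious_opens(parse_filemon(SAMPLE_LOG), ["avscan.exe"]).items():
        print(proc, *paths, sep="\n    ")
```

In the sample, the explorer.exe open of a DLL under the user's Application Data and the rundll32.exe open under WINDOWS\Temp are what remain after filtering, which is exactly the kind of entry step D says to look for under those two processes.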
Authored by A. Elshafei (aka Abu Ibrahim)
References:
- Download: http://www.sysinternals.com/utilities/filemon.html
- Finding rootkits using Filemon: http://www.sysinternals.com/blog/2005_10_01_archive.html