By using this
tool, we can see whether our process spawns other processes. In this case, it does not. However,
we do see multiple threads, which are probably used for network access, registry access,
or file access.
Another useful feature of this tool is the process properties dialog, which includes a list of
the network sockets the process has open.
This tool is also useful for finding strings contained in the binary.
TCPView
The TCPView tool can be used to see network activity.
Chapter 20: Collecting Malware and Initial Analysis
As you can see, the malware appears to be scanning our subnet for other
infected machines on TCP port 3127. At this point we can Google "TCP 3127" and find that
this port is used by the MyDoom worm as a backdoor. Keep in mind that a port number by itself
is a lead to confirm, not an identification; the next steps in the analysis should bear it out.
With our limited knowledge at this point, it appears that our malware connects to
existing MyDoom-infected victims and drops a copy of the MyDoom source code on
those machines.
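The pattern TCPView shows here, one process with a burst of connection attempts to consecutive addresses in our subnet on a single port, can be spotted mechanically as well as by eye. The following is an added example, not code from the book or from any of the tools it covers: it parses a constructed netstat -ano style listing (the same columns TCPView displays, not a capture from a real infection) and flags any process that has touched many distinct hosts in one /24 on the same destination port. The PIDs, addresses and threshold are assumptions chosen for the sample.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout of `netstat -ano` on Windows; it is
# not a capture from a real MyDoom infection. PID 1337 is walking the lab /24
# on TCP 3127 (most attempts stuck in SYN_SENT because nothing is listening),
# PID 4321 is an ordinary browser with a few HTTPS sessions to TEST-NET hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.50:49152     192.168.1.2:3127       SYN_SENT        1337
  TCP    192.168.1.50:49153     192.168.1.3:3127       SYN_SENT        1337
  TCP    192.168.1.50:49154     192.168.1.4:3127       SYN_SENT        1337
  TCP    192.168.1.50:49155     192.168.1.5:3127       SYN_SENT        1337
  TCP    192.168.1.50:49156     192.168.1.6:3127       SYN_SENT        1337
  TCP    192.168.1.50:49157     192.168.1.7:3127       SYN_SENT        1337
  TCP    192.168.1.50:49158     192.168.1.8:3127       SYN_SENT        1337
  TCP    192.168.1.50:49159     192.168.1.9:3127       SYN_SENT        1337
  TCP    192.168.1.50:49160     192.168.1.10:3127      SYN_SENT        1337
  TCP    192.168.1.50:49161     192.168.1.11:3127      SYN_SENT        1337
  TCP    192.168.1.50:49162     192.168.1.20:3127      ESTABLISHED     1337
  TCP    192.168.1.50:49170     203.0.113.10:443       ESTABLISHED     4321
  TCP    192.168.1.50:49171     198.51.100.7:443       ESTABLISHED     4321
  TCP    192.168.1.50:49172     203.0.113.22:443       ESTABLISHED     4321
"""

# Proto, local, foreign, state, PID; UDP rows have no state column and are skipped.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn the TCP rows of netstat/TCPView-style output into dicts."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _local, foreign, state, pid = m.groups()
        host, port = foreign.rsplit(":", 1)
        conns.append({"pid": int(pid), "host": host, "port": int(port), "state": state})
    return conns


def find_subnet_scans(conns, min_hosts=8, prefix=24):
    """Flag (pid, dst port) pairs where one process has touched at least
    min_hosts distinct addresses that all fall inside the same /prefix.
    A run of SYN_SENT entries is what a scanner looks like in TCPView: most
    of the probed addresses are not listening, so the handshake never completes."""
    hosts_by_key = defaultdict(set)
    syn_sent = defaultdict(int)
    for c in conns:
        key = (c["pid"], c["port"])
        hosts_by_key[key].add(c["host"])
        if c["state"] == "SYN_SENT":
            syn_sent[key] += 1
    findings = []
    for (pid, port), hosts in sorted(hosts_by_key.items()):
        try:
            nets = {ipaddress.ip_network(f"{h}/{prefix}", strict=False) for h in hosts}
        except ValueError:
            continue  # hostnames or IPv6 literals are not handled here
        if len(hosts) >= min_hosts and len(nets) == 1:
            findings.append({
                "pid": pid, "port": port, "hosts": len(hosts),
                "subnet": str(next(iter(nets))), "syn_sent": syn_sent[(pid, port)],
            })
    return findings


if __name__ == "__main__":
    for f in find_subnet_scans(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {f['pid']} probed {f['hosts']} hosts in {f['subnet']} on TCP {f['port']} "
              f"({f['syn_sent']} still in SYN_SENT)")
```

Feed it the output of netstat -ano taken a few seconds apart while the sample runs; the browser's three HTTPS sessions spread across two different /24s are not flagged even with a low threshold, while the scanner's sweep of one subnet on one port is.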
Malware Analyst Pack (iDefense)
The iDefense labs offer a great set of tools called the Malware Analyst Pack (MAP). The
following tools are contained in the MAP:
ShellExt Four explorer extensions that provide right-click context menus
socketTool Manual TCP client for probing functionality
MailPot Mail server capture pot
fakeDNS Spoofs DNS responses to controlled IPs
sniff_hit HTTP, IRC, and DNS sniffer
sclog Shellcode research and analysis application
IDCDumpFix Aids in quick reverse engineering of packed applications
Shellcode2EXE Embeds multiple shellcode formats in .
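The fakeDNS entry above is worth seeing in code, because answering the sample's lookups with an address you control is what lets the other MAP-style listeners (a mail capture pot, a manual TCP client) receive its traffic in a closed lab. The following is an added example written for this page, not iDefense's fakeDNS or any other MAP tool: a minimal UDP responder that hands back one controlled A record for every query. The bind address, the sinkhole address and the query name are assumed lab values.

```python
import socket
import struct

# Assumed lab values: listen on the analysis VM's interface, answer with the
# box that runs the capture listeners.
BIND_ADDR = ("0.0.0.0", 53)
SINKHOLE_IP = "10.0.0.5"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A query for offline testing: standard header, one question."""
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in name.split("."))
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question(query: bytes):
    """Return (txid, name, qtype, qclass, raw question section) from a DNS query."""
    txid = struct.unpack("!H", query[:2])[0]
    pos, labels = 12, []
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a plain question
            raise ValueError("unexpected label pointer in question")
        labels.append(query[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, query[12:pos + 4]


def fake_answer(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Echo the question back with a single A record pointing at answer_ip.
    Queries for other types get an empty reply (ANCOUNT=0) rather than an error,
    so the sample keeps believing the resolver is healthy."""
    txid, _name, qtype, qclass, question = parse_question(query)
    is_a = qtype == 1 and qclass == 1
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!6H", txid, 0x8180, 1, 1 if is_a else 0, 0, 0)
    answer = b""
    if is_a:
        # 0xC00C is a pointer to the name at offset 12; then TYPE A, CLASS IN, TTL, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def serve(bind=BIND_ADDR, answer_ip=SINKHOLE_IP):
    """Answer every query on the lab interface with answer_ip and log the names,
    so the analyst sees what the sample tries to resolve."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, name, qtype, _, _ = parse_question(data)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or truncated packet; ignore it
        print(f"{peer[0]} asked for {name} (qtype {qtype}) -> {answer_ip}")
        sock.sendto(fake_answer(data, answer_ip), peer)


if __name__ == "__main__":
    serve()
```

Point the victim VM's resolver at the host running this (binding port 53 needs administrative rights), and the sample's callbacks to any hostname arrive at the sinkhole address instead of the Internet; the logged names are themselves a useful indicator to record.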