"What is really happening on my Windows system?"

 

As a Technical Lead on the Microsoft Product Support Services Incident Response team, I talk to customers every day that ask me this question.  Whether you use a single computer in your home or office, or run a business using thousands of systems, at some point you have probably wondered what is really happening on your system(s).  Has your system been compromised?  Is it running processes for someone other than you?

 

Determining if a system has been compromised can be difficult and time consuming.  Even if evidence of an intrusion isn’t found, how confident are you that the system has not been compromised and is running only authorized, legitimate processes?  Auditing system activity can be complex and time consuming.  In my experience most compromised systems typically have at least two things in common: 

 

  1. They were compromised via the network. i.e. attackers did not have physical access to the system so they attacked the system over the wire.  I am not saying that I haven’t seen systems that have been purposely compromised by people sitting in front of the keyboard.  But this type of case seems to be much rarer than cases where the attackers are remote. 
  2. After the system was successfully compromised, the attackers used the system for some purpose.  i.e. they are not satisfied with gaining access to the system, they want to run their own processes on the system to accomplish whatever goal they have in mind.  If you are interested in what attackers use compromised systems for, a co-worker of mine, Robert Hensing,  has done a good job of outlining the different types of hackers that we encounter:  http://blogs.msdn.com/robert_hensing/archive/2004/08/09/211383.aspx

Because most compromised systems have these two things in common (or at least one of them will inevitably be true) if you audit the TCP/IP port usage and the processes running on a system you can get some idea about what your Windows system is really doing.  One caveat I have to make is that this approach is not fool proof.  If the attackers install “rootkit” programs designed to hide port and process usage data (along with files, registry entries, etc) from the operating system itself, a combination of techniques and/or tools may be needed to detect them.

 

Rootkits aside, lots of software has been written to help monitor system integrity and monitor the processes that run on a system.  How much money, time and effort you are willing to spend on software to help in this endeavor is probably related to the level of confidence that you require in your systems’ integrity.

 

I have developed several tools to help customers answer that fundamental question, "what is really happening on my Windows system?"  Two of these tools, Port Reporter and Port Reporter Parser (PR-Parser) are publicly available and are free. 

 

Port Reporter is a logging service that logs port to process activity on Windows 2000, Windows XP and Windows Server 2003 systems.  This service runs in the background and does not require any user intervention.  It generates text log files that contain data that will help determine what your system is doing.  Specifically, these log files contain data on running processes and the TCP and/or UDP ports that processes use.  On Windows Server 2003– and Windows XP–based computers, the Port Reporter service can log the following information:

·         The ports that are used

·         The processes that use the port

·         Whether a process is a service

·         The modules (.dll, etc) that a process loaded

·         The user accounts that start a process

 

This tool can be downloaded from:  http://www.microsoft.com/downloads/details.aspx?familyid=69ba779b-bae9-4243-b9d6-63e62b4bcd2e&displaylang=en

 

Depending on how busy your system is, Port Reporter can generate a lot of data.  This is where the second tool that I mentioned, PR-Parser can help. 

The Port Reporter Parser (PR-Parser) is a tool that parses the logs that the Port Reporter service generates.  I have built some features into this parser to help identify suspicious processes and ports running on Windows systems and to provide some useful statistics on a system’s usage.  Some features of PR-Parser include:

·         PR-Parser has a Windows graphical user interface (GUI), which makes it easier to review logs than trying to use a text editor. The GUI enables you to sort and filter the data in a number of ways.

·         PR-Parser helps you identify and filter data you are interested in. The tool:

o      Identifies ports of interest that are used on the system. 

o      Identifies processes of interest running on the system.

o      Identifies modules of interest, such as .dlls, etc loaded on the system.

o      Helps to determine when user accounts of interest are active on a system.

o      Helps to determine when IP addresses, fully qualified domain names (FQDNs), or computer names of interest are found communicating with the system.

o      Attempts to identify when a process using the name of a legitimate process is run from the wrong directory on the system.  Example: is Svchost.exe running from the wrong directory – if it is the system may be compromised.

·         PR-Parser provides some log analysis data as well. This data can help you understand how the system is used. This data includes:

o      Ranked list of local TCP port usage.  Which TCP ports have been used?  If they include TFTP or FTP and they shouldn’t, then maybe you have an issue to investigate.  If TCP port 4444 is being used a lot on a system, maybe it’s infected with the Blaster worm – you should investigate.

o      Ranked list of local process usage.  Which processes have been running on the system?

o      Ranked list of remote IP address usage.  Which remote IP addresses have connected to your system?

o      Ranked list of user context usage.  Which user accounts are used to launch processes most often on your system?

o      Port usage by hour of the day.  Is someone connecting to the system in the middle of the night when they shouldn’t be?

o      Svchost.exe service enumeration.  What services are hosted by each instances of svchost.exe?  You need to know this to understand what the system is really doing.

o      Internet Explorer usage by user.  Where have users been going with Internet Explorer?  It may be tough to get this information if you don’t have access to firewall or proxy logs.

PR-Parser and a detailed readme file can be downloaded from:

http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe

While these tools and this approach cannot detect all instances of compromise, they can give you some help in identifying compromised systems.  They should be used in combination with other tools and approaches in order to gain some level of confidence in your system’s integrity.  That said, many customers and my team (PSS Security) have had some good results with these tools.  I hope you find them as useful as we have.

 

This posting is provided "AS IS" with no warranties, and confers no rights.