In Finding the DNS Hijacking Victims, Microsoft Systems Management Server (SMS) and a SQL query were used to find unusual DNS settings.
In Hidden Files, one technique mentioned (under the “hide in plain site” tactic) was to “use extended ASCII characters”. When SMS inventories files, it converts the extended ASCII characters to “?”. This makes finding file names that use extended ASCII characters a simple WQL query:
select SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Name, SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonUserName, SMS_G_System_WORKSTATION_STATUS.LastHardwareScan, SMS_G_System_SoftwareFile.FileName, SMS_G_System_SoftwareFile.FilePath, SMS_G_System_SoftwareFile.FileSize, SMS_G_System_LastSoftwareScan.LastScanDate from SMS_R_System inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_LastSoftwareScan on SMS_G_System_LastSoftwareScan.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName like "%?%"
This query uncovered an oddly named w?nlogon.exe file in a “C:\Program Files\Common Files\?racle\” folder. Extended ASCII characters would present what appears to be “C:\Program Files\Common Files\Oracle\winlogon.exe” to the untrained eye. The filename doesn’t sort as you might expect. Bypassing the untrained eye with an SMS query makes finding these cases easy.
VirusTotal confirmed that some vendors (Avast, AVG, CAT-QuickHeal, DrWeb, eSafe, Ikarus, Microsoft, NOD32v2, Panda, Prevx1, Sunbelt) already detect the sample as adware from the PurityScan family.
In a large environment, a more comprehensive approach that would produce many benign conditions (cases to ignore) is to find file names that seldom occur. These files are suspicious only because their names occur infrequently.
There are places where malware is likely to reside. The System32, Downloaded Program Files, and each user’s “\Local Settings\Temp\” folder are common locations. An across-the-organization search for out-of-the-ordinary files in those locations will usually yield undetected malware.
To look for unusual files in System32:
SELECT COUNT(*) AS 'Count', v_GS_SoftwareFile.FileName AS 'File name' FROM v_GS_SoftwareFile WHERE v_GS_SoftwareFile.FilePath IN ('C:\WINNT\System32\', 'C:\Windows\System32\') GROUP BY v_GS_SoftwareFile.FileName ORDER BY COUNT ASC
Now that you have file names that you want to learn more about, use whatever mechanism you are comfortable with to find those files. For example, a VB Script like the following would identify the machines with the specific peculiar file names. (Note that SERVER and CITE CODE must be changed.)
OPTION EXPLICIT
Const ForAppending = 8
Dim winmgmt1
Dim SystemSet
Dim strQuery
Dim strOddFilename
Dim objEnumerator, instance
Dim objFSO_results, objResultsFile
Dim intWriteHeader
Dim strResultsFilename
Dim strHeader
strOddFilename = Wscript.Arguments.Named("Filename")
If strOddFilename = "" Then
WScript.Quit
End If
strResultsFilename = Wscript.Arguments.Named("Result")
If strOddFilename = "" Then
strResultsFilename = "OddFilename.txt"
End If
strHeader = "Resource Domain or Workgroup" & vbTab & "Name" & vbTab &_
"Last Logon User Domain" & vbTab & "Last Logon User Name" & vbTab &_
"FileName" & vbTab & "FilePath" & vbTab & "Last Software Scan Date"
Set objFSO_results = CreateObject("Scripting.FileSystemObject")
If objFSO_results.FileExists(strResultsFilename) Then
intWriteHeader = 0
Else
intWriteHeader = 1
End If
Set objResultsFile = objFSO_results.OpenTextFile(strResultsFilename, ForAppending, True)
' 800A0046 Permission denied when file is in use
If intWriteHeader Then
objResultsFile.WriteLine(strHeader)
End If
'The following line connects to the SMS Server through the WMI layer.
'For SERVER put in your SMS Server name.
'For XXX put in the site code for that server
winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//SERVER\root\sms\site_XXX"
‘The following section echoes the connection then gets the object.
Set SystemSet = GetObject(winmgmt1)
strQuery = "select SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Name, " &_
"SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonUserName, " &_
"SMS_G_System_SoftwareFile.FileName, SMS_G_System_SoftwareFile.FilePath, " &_
"SMS_G_System_LastSoftwareScan.LastScanDate from SMS_R_System " &_
"inner join SMS_G_System_SoftwareFile on " &_
"SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId " &_
"inner join SMS_G_System_LastSoftwareScan on " &_
"SMS_G_System_LastSoftwareScan.ResourceID = SMS_R_System.ResourceId " &_
"where SMS_G_System_SoftwareFile.FileName in ( """ & strOddFilename & """ ) " &_
"and SMS_G_System_SoftwareFile.FilePath in ( ""C:\\WINDOWS\\system32\\"", ""C:\\WINNT\\system32\\"" )"
' "and SMS_G_System_SoftwareFile.FilePath in ( ""C:\\WINDOWS\\Downloaded Program Files\\"", ""C:\\WINNT\\Downloaded Program Files\\"" )"
' "and SMS_G_System_SoftwareFile.FilePath LIKE ""%\\Local Settings\\Temp\\%"""
Set objEnumerator = SystemSet.ExecQuery(strQuery)
for each instance in objEnumerator
' 80041017 - no instances?
objResultsFile.WriteLine(instance.SMS_R_System.ResourceDomainORWorkgroup & vbTab &_
instance.SMS_R_System.Name & vbTab &_
instance.SMS_R_System.LastLogonUserDomain & vbTab &_
instance.SMS_R_System.LastLogonUserName & vbTab &_
instance.SMS_G_System_SoftwareFile.FileName & vbTab &_
instance.SMS_G_System_SoftwareFile.FilePath & vbTab &_
instance.SMS_G_System_LastSoftwareScan.LastScanDate)
Next
objResultsFile.Close
Run the VB script with a batch file such as the following. “FilenameDownloadDir.txt” is a text file of file names to search for.
@ECHO OFF
rem Does not find filenames with a space in the name
FOR /F "DELIMS=" %%F IN (FilenameDownloadDir.txt) DO (
wscript OddFilenameDownloadDir.vbs /filename:%%F /result:OddFilenameDownloadDir.txt
)
To look for unusual files in “Downloaded Program Files”:
SELECT COUNT(*) AS 'Count', v_GS_SoftwareFile.FileName AS 'File name' FROM v_GS_SoftwareFile WHERE v_GS_SoftwareFile.FilePath IN ('C:\WINNT\Downloaded Program Files\', 'C:\Windows\Downloaded Program Files\') GROUP BY v_GS_SoftwareFile.FileName ORDER BY COUNT ASC
To find the machines with the unusual files in “Downloaded Program Files”:
OPTION EXPLICIT
Const ForAppending = 8
Dim winmgmt1
Dim SystemSet
Dim strQuery
Dim strOddFilename
Dim objEnumerator, instance
Dim objFSO_results, objResultsFile
Dim intWriteHeader
Dim strResultsFilename
Dim strHeader
strOddFilename = Wscript.Arguments.Named("Filename")
If strOddFilename = "" Then
WScript.Quit
End If
strResultsFilename = Wscript.Arguments.Named("Result")
If strOddFilename = "" Then
strResultsFilename = "OddFilename.txt"
End If
strHeader = "Resource Domain or Workgroup" & vbTab & "Name" & vbTab &_
"Last Logon User Domain" & vbTab & "Last Logon User Name" & vbTab &_
"FileName" & vbTab & "FilePath" & vbTab & "Last Software Scan Date"
Set objFSO_results = CreateObject("Scripting.FileSystemObject")
If objFSO_results.FileExists(strResultsFilename) Then
intWriteHeader = 0
Else
intWriteHeader = 1
End If
Set objResultsFile = objFSO_results.OpenTextFile(strResultsFilename, ForAppending, True)
' 800A0046 Permission denied when file is in use
If intWriteHeader Then
objResultsFile.WriteLine(strHeader)
End If
'The following line connects to the SMS Server through the WMI layer.
'For SERVER put in your SMS Server name.
'For XXX put in the site code for that server
winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//SERVER\root\sms\site_XXX"
'The following section echoes the connection then gets the object.
Set SystemSet = GetObject(winmgmt1)
strQuery = "select SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Name, " &_
"SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonUserName, " &_
"SMS_G_System_SoftwareFile.FileName, SMS_G_System_SoftwareFile.FilePath, " &_
"SMS_G_System_LastSoftwareScan.LastScanDate from SMS_R_System " &_
"inner join SMS_G_System_SoftwareFile on " &_
"SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId " &_
"inner join SMS_G_System_LastSoftwareScan on " &_
"SMS_G_System_LastSoftwareScan.ResourceID = SMS_R_System.ResourceId " &_
"where SMS_G_System_SoftwareFile.FileName in ( """ & strOddFilename & """ ) " &_
"and SMS_G_System_SoftwareFile.FilePath in ( ""C:\\WINDOWS\\Downloaded Program Files\\"", ""C:\\WINNT\\Downloaded Program Files\\"" )"
' "and SMS_G_System_SoftwareFile.FilePath in ( ""C:\\WINDOWS\\system32\\"", ""C:\\WINNT\\system32\\"" )"
' "and SMS_G_System_SoftwareFile.FilePath LIKE ""%\\Local Settings\\Temp\\%"""
Set objEnumerator = SystemSet.ExecQuery(strQuery)
for each instance in objEnumerator
' 80041017 - no instances?
objResultsFile.WriteLine(instance.SMS_R_System.ResourceDomainORWorkgroup & vbTab &_
instance.SMS_R_System.Name & vbTab &_
instance.SMS_R_System.LastLogonUserDomain & vbTab &_
instance.SMS_R_System.LastLogonUserName & vbTab &_
instance.SMS_G_System_SoftwareFile.FileName & vbTab &_
instance.SMS_G_System_SoftwareFile.FilePath & vbTab &_
instance.SMS_G_System_LastSoftwareScan.LastScanDate)
Next
objResultsFile.Close
A batch file to read a list of file names to search for and report machines with those files would be very similar to the previous example.
To look for unusual files in every user’s “\Local Settings\Temp\”:
SELECT COUNT(*) AS 'Count', v_GS_SoftwareFile.FileName AS 'File name' FROM v_GS_SoftwareFile WHERE v_GS_SoftwareFile.FilePath LIKE '%\Local Settings\Temp\%' GROUP BY v_GS_SoftwareFile.FileName
The VB script changes to make are included in the previous example as remarks. A batch file to read a list of file names to search for and report machines with those files would be very similar to the previous example.
Note that if you do not have a system inventory tool which collects information about files, then a specialized product which searches for specific files is an option. Consider the Sophos Application Discovery Tool.
Aggressive Virus Defense 