Finding Suspicious Services

Regardless of the antivirus product you use, if your organization is sufficiently large with a sufficiently large lenient access policy, you have undetected malware running. How will you find that which is undetected? You need to look.

One fruitful approach is to find the unusual services. With Microsoft System Management Services (SMS), try the following SQL query:

SELECT COUNT(*) AS ‘Count’, v_GS_SERVICE.Name0 AS ‘Service’ FROM v_GS_SERVICE GROUP BY v_GS_SERVICE.Name0

By reviewing the low frequency results, you should find malware. For example, a service with the somewhat plausible name “WINS Client Service” can escape review unless it is exposed through a system comparison measure like this query.
Now that you know there is such a service name, you want to find its instances. You can use whatever method you choose. I normally want to look up quite a few services at once, and to do so I use a VB script. Change line 51 to reflect your server name. Invoke the vbscript with a command like:

wscript OddServiceName.vbs /filename:service.txt /result:OddServiceNameDPF.txt

Where service.txt is a list of services to look up (input), and OddServiceNameDPF.txt is the result (output).

OPTION EXPLICIT
Const ForReading = 1
Const ForAppending = 8
Dim winmgmt1
Dim SystemSet
Dim strQuery
Dim strOddFilename
Dim objEnumerator, instance
Dim objFSO, objTextFile
Dim objFSO_results, objResultsFile
Dim intWriteHeader
Dim strInputFilename
Dim strResultsFilename
Dim strHeader
strInputFilename = Wscript.Arguments.Named(“Filename”)
If strInputFilename = “” Then
WScript.Quit
End If
Set objFSO = CreateObject(“Scripting.FileSystemObject”)
Set objTextFile = objFSO.OpenTextFile(strInputFilename, ForReading)
strResultsFilename = Wscript.Arguments.Named(“Result”)
If strResultsFilename = “” Then
strResultsFilename = “OddFilename.txt”
End If
strHeader = “Resource Domain or Workgroup” & vbTab & “Name” & vbTab &_
“Last Logon User Domain” & vbTab & “Last Logon User Name” & vbTab &_
“DisplayName” & vbTab & “Name” & vbTab & “FilePath” & vbTab & “Last Hardware Scan Date”
Set objFSO_results = CreateObject(“Scripting.FileSystemObject”)
If objFSO_results.FileExists(strResultsFilename) Then
intWriteHeader = 0
Else
intWriteHeader = 1
End If
Set objResultsFile = objFSO_results.OpenTextFile(strResultsFilename, ForAppending, True)
‘ 800A0046 Permission denied when file is in use
If intWriteHeader Then
objResultsFile.WriteLine(strHeader)
End If
‘ — The following line connects to the SMS Server through the WMI layer.
‘ — Use your own server name here
winmgmt1 = “winmgmts:{impersonationLevel=impersonate}!//servername\root\sms\site_C00”
‘The following section echoes the connection then gets the object.
Set SystemSet = GetObject(winmgmt1)
Do Until objTextFile.AtEndOfStream
strOddFilename = objTextFile.Readline
strQuery = “select SMS_R_System.ResourceDomainORWorkgroup, ” &_
“SMS_R_System.Name, ” &_
“SMS_R_System.LastLogonUserDomain, ” &_
“SMS_R_System.LastLogonUserName, ” &_
“SMS_G_System_SERVICE.DisplayName, ” &_
“SMS_G_System_SERVICE.Name, ” &_
“SMS_G_System_SERVICE.PathName, ” &_
“SMS_G_System_WORKSTATION_STATUS.LastHardwareScan ” &_
“from  SMS_R_System ” &_
“inner join SMS_G_System_WORKSTATION_STATUS on ” &_
“SMS_G_System_WORKSTATION_STATUS.ResourceID = SMS_R_System.ResourceId “&_
“inner join SMS_G_System_SERVICE on ” &_
“SMS_G_System_SERVICE.ResourceID = SMS_R_System.ResourceId ” &_
“where SMS_G_System_SERVICE.Name in ( ‘” & strOddFilename & “‘ )”
‘ debug
‘ objResultsFile.WriteLine(strQuery)
Set objEnumerator = SystemSet.ExecQuery(strQuery)
for each instance in objEnumerator
‘ 80041001 – “Call Failed” when ‘Selod0usc’ is searched for
‘ 80041002 – object not found. Do the WriteLine details match the strQuery details?
‘ 80041017 – no instances? syntax error?
objResultsFile.WriteLine(instance.SMS_R_System.ResourceDomainORWorkgroup & vbTab &_
instance.SMS_R_System.Name & vbTab &_
instance.SMS_R_System.LastLogonUserDomain & vbTab &_
instance.SMS_R_System.LastLogonUserName & vbTab &_
instance.SMS_G_System_SERVICE.DisplayName & vbTab &_
instance.SMS_G_System_SERVICE.Name & vbTab &_
instance.SMS_G_System_SERVICE.Pathname & vbTab &_
instance.SMS_G_System_WORKSTATION_STATUS.LastHardwareScan)
Next
Loop
objTextFile.Close
objResultsFile.Close

Advertisements

Comments are closed.