Posted at 4:08 PM. This was 12 years ago. Post ID: 2144


Finding Windows Malware with Linux.


The output below is the result of running strings(1) on my pagefile.sys file left over from running Windows 7. You can see there is a bit of activity going on behind the scenes of Windows that I was not aware of. I thought my system had no bugs in it at all, but I loaded up my Linux installation, ran the strings command and found a lot of stuff in my pagefile that does not belong there. My system seems to be phoning home to send information from my computer to a bunch of Gmail addresses. The Win32/Agent.A Trojan seems to be responsible; Microsoft Security Essentials did not catch this at all. A good time to use Fedora Linux instead of Windows in future, I think. The strings command can be used, together with grep(1), to search through any file for a certain text string. This command is indispensable for finding out what has run in memory when you thought your system was clean. The command strings pagefile.sys | grep HTA brings up the output shown below.

02:51:03-thx@matrix Elements >$ strings pagefile.sys | grep HTA
AHTADropper
AHTADropper.A
Exploit:HTA/Behind.A
Exploit:HTA/Showhelp
Exploit:HTA/Wareme.A
<HTA:Application
Adware:HTA/Htaporn
HTAXB
SCHTASKS.EX
SCHTASKS.EXE
SCHTASKS.EXE
.HTAk
SCHTASKS.EXE
*HTA
HTAf
4HTA
HTAT
HTAJ
HTAtm,?
VT#HTA3
>MHTAKH
SHTA<
HTAj#
UHTAvW
HTA1
HTAq1
HTArH
h[HTA
=HTA
HTAV
HTA$
)HTA
HTA1
HTA|
HTA)
HTAII
'HTA
HTA4
HTAZ
\HTA
#HTA
02-E5LDSHTA
HTA3
unHTAG
HTA;
HTAB>z
HTA k4;
HTAqI
HTATN
TCCHTAKA@K
HTAJ
((.HTA0
HTA"
HTAqI
$HTA
"!HTA
HTAAB=
?kHTAI"
HTA@
?HTA
;HTAM
HTAM
HTAbDHS
HTAIl)@G
QHTA
)HTAH
+0:HTA
BHTA
IIHTA
PHTAB
@DHTA4
mHTA
>AHTAL
>fF/XHTA
yHTA
hHTA(
!HTA

This command shows the output when searching for a particular virus agent. I wrote about this command ages ago in the other Linux pages on my website, but I thought I had better write a proper blog posting to alert users of just about any Linux operating system that you can use it to scan your pagefile.sys and find heaps of stuff that your computer is doing behind your back. This is a good advertisement for Linux over Windows any day, despite the Unity desktop environment wrecking Linux and dumbing it down, but that is nothing compared to what Windows 8 will bring you… Fedora Core 15 with NSA SELinux and all the latest updates will be more secure than a Windows installation any day. This shows you another way to find malware if you have an Ubuntu/Arch/Fedora/Crunchbang system handy and you want to have fun seeing what the latest Windows malware has been up to.

aragorn@fangorn:/media/Elements$ strings pagefile.sys | grep Win32/Agent.A
HSTR:TrojanDropper:Win32/Agent.AT
SIGATTR:TrojanDropper:Win32/Agent.AT
!#PEEMU:Worm:Win32/Agent.A
#TrojanDownloader:Win32/Agent.ABF
@hotmail.comBrowserModifier:Win32/Agent.A
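An added example, not from the original post, that packages the strings-and-grep technique of the two listings above into a small POSIX shell script: it extracts printable runs the way strings(1) does, counts hits per pattern, and prints each hit with the neighbouring strings so you can see what a match actually sits in. The function names, the pattern list and the sample pagefile-like blob are all constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): the strings | grep idea as a
# small script with per-pattern counts and context. Sample data is constructed.
set -eu

# Extract printable runs of at least 4 bytes, as strings(1) -n 4 would.
# tr + grep are used so it works where binutils' strings is not installed.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Print "<pattern> <count>" for one ERE pattern over one file.
count_hits() {
    n=$(extract_strings "$1" | grep -c -E -- "$2" || true)
    printf '%s %s\n' "$2" "$n"
}

# Each hit with one neighbouring string either side: a bare match does not
# tell you whether the text came from a payload or from data a scanner
# paged out, so look at what surrounds it before drawing conclusions.
hits_with_context() {
    extract_strings "$1" | grep -n -B1 -A1 -E -- "$2"
}

# Constructed pagefile-like blob: strings separated by non-printable bytes.
make_sample() {
    {
        printf 'x\001\002\377'
        printf 'HSTR:TrojanDropper:Win32/Agent.AT\001\001\177\200'
        printf '<HTA:Application\003\004'
        printf 'SCHTASKS.EXE\005\006'   # matches "HTA" as a substring
        printf 'HTA\007\010'            # 3 bytes: too short to be a string
        printf 'Exploit:HTA/Behind.A\011'
    } > "$1"
}

sample=$(mktemp)
make_sample "$sample"
for p in 'HTA' 'Win32/Agent\.A' 'SCHTASKS'; do
    count_hits "$sample" "$p"
done
hits_with_context "$sample" 'HTA'
rm -f "$sample"
```

Note that SCHTASKS.EXE is counted as an HTA hit purely because of the substring, which is exactly why the original listing above contains it.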

Another cool command is this one to take a screen-shot of a window on your desktop. This dumps a screen-shot of the window to the disk and then converts it into a *.jpg file that you can upload to the Internet. Just run this command, click on the window with the cross-hairs and a screen-shot of the window will be saved to the desktop.

xwd -out me.out ; convert me.out me.jpg ; rm -f me.out

Running the file(1) command on the X Window Dump file prints this information.

04:41:34-thx@matrix ~ >$ file me.out
me.out: XWD X Window Dump image data, "2.6.40.6-0.fc15.i686.PAE: /home/thx", 914x733x24
