Finding Windows Malware with Linux.

Posted: November 4, 2011. At: 4:08 PM. This was 6 years ago. Post ID: 2144

This output below is the result of running strings(1) on my pagefile.sys file left over from running Windows 7. You can see there is a bit of activity going on behind the scenes of Windows that I was not aware of. I thought my system had no bugs in it at all, but I loaded up my Linux installation and ran the strings command and I found a lot of stuff in my pagefile that does not belong there. My system seems to be phoning home to send information from my computer to a bunch of Gmail addresses. The Win32/Agent.A Trojan seems to be responsible, the Microsoft Security Essentials did not catch this at all, a good time to use Fedora Linux instead of Windows in future I think. The strings command can be used to search through any file for a certain text string with grep(1). This command is indispensable for finding out what has run in memory when you thought your system was clean. The command: strings pagefile.sys | grep HTA brings up this output shown on the right.

02:51:03-thx@matrix Elements >$ strings pagefile.sys | grep HTA
AHTADropper
AHTADropper.A
Exploit:HTA/Behind.A
Exploit:HTA/Showhelp
Exploit:HTA/Wareme.A
%lt;HTA:Application
Adware:HTA/Htaporn
HTAXB
SCHTASKS.EX
SCHTASKS.EXE
SCHTASKS.EXE
.HTAk
SCHTASKS.EXE
*HTA
HTAf
4HTA
HTAT
HTAJ
HTAtm,?
VT#HTA3
>MHTAKH
SHTA<
HTAj#
UHTAvW
HTA1
HTAq1
HTArH
h[HTA
=HTA
HTAV
HTA$
)HTA
HTA1
HTA|
HTA)
HTAII
'HTA
HTA4
HTAZ
\HTA
#HTA
02-E5LDSHTA
HTA3
unHTAG
HTA;
HTAB>z
HTA k4;
HTAqI
HTATN
[email protected]
HTAJ
((.HTA0
HTA"
HTAqI
$HTA
"!HTA
HTAAB=
?kHTAI"
HTA@
?HTA
;HTAM
HTAM
HTAbDHS
HTAIl)@G
QHTA
)HTAH
+0:HTA
BHTA
IIHTA
PHTAB
@DHTA4
mHTA
>AHTAL
>fF/XHTA
yHTA
hHTA(
!HTA

This command shows the output when searching for a particular virus agent. I have written about this command ages ago in my other Linux pages on my website, but I thought I had better write a good blog posting to alert users of just about any Linux operating system that you can use it to scan your pagefile.sys and find heaps of stuff that your computer is doing behind your back. This is a good advertisement for Linux over Windows anyday, despite the Unity desktop environment wrecking Linux and dumbing it down, but that is nothing compared to what Windows 8 will bring you… Fedora Core 15 with the NSA Selinux and all the latest updates will be more secure than a Windows installation anyday, this shows you another way to find Malware if you have a Ubuntu/Arch/Fedora/Chrunchbang system handy and you want to have fun seeing what the latest Windows Malware has been up to.

aragorn@fangorn:/media/Elements$ strings pagefile.sys | grep Win32/Agent.A
HSTR:TrojanDropper:Win32/Agent.AT
SIGATTR:TrojanDropper:Win32/Agent.AT
!#PEEMU:Worm:Win32/Agent.A
#TrojanDownloader:Win32/Agent.ABF
@hotmail.comBrowserModifier:Win32/Agent.A

Another cool command is this one to take a screen-shot of a window on your desktop. This dumps a screen-shot of the window to the disk and then converts it into a *.jpg file that you can upload to the Internet. Just run this command, click on the window with the cross-hairs and a screen-shot of the window will be saved to the desktop.

xwd -out me.out ; convert me.out me.jpg ; rm -f me.out

Running the file(1) command on the X Window Dump file prints this information.

04:41:34-thx@matrix ~ >$ file me.out
me.out: XWD X Window Dump image data, "2.6.40.6-0.fc15.i686.PAE: /home/thx", 914x733x24
1 responses to “Finding Windows Malware with Linux.

Leave a Reply