Malware. PMDump and Holodeck - Essay Example

WEEK 8 INIDIVIDUAL PROJECT Hostile worms and viruses, also known as Malware, are threats to virtually every system in the world that is connected to another system. Microsoft, by virtue of creating the most popular operating systems and application software, is by far the most attacked. So it stands to reason that their WinWord and the Notepad programs would be subject to attacks. For example, Data Rescue, a company that specializes in helping customers recover their vital information after an attack or disaster, analyzed one customer’s computer.

They found that an executable program called MSMSGS.EXE was loaded on the customer network that played havoc with the WinWord application. With diligent research Data Rescue was able to determine the URL that had loaded the malware and noticed that by attaching itself to the Application Data folder the hostile code was actually able to disguise itself as Windows Media Player, a legitimate Windows program that would be otherwise incongruous in a WinWord application (Landuyt 2008). In their favor, Microsoft has been trying to close gaps in its software for many years.

As early as 2001, before the introduction, the computer giant announced a virtual war against those entities intent on introducing hostile code. Yet almost twelve years later, less than two days after the roll out of Windows 8, MS is still fighting the battle and it was a main topic of discussion at the recent RSA conference, sponsored in part by the security firm of the same name. Also, MS developed Sysinternals as early as 1996 to allow developers and users alike the ability to find convenient tools to diagnose problems in their software in one single location.

Further, the website is broken down into various levels for whatever the user needs. For the purpose of this paper we will be using the Security Tools (Russinovich 2012). Using the Security Suite of Sysinternals, one can find very detailed information about a computer, highly useful in determining if hostile invaders have attached themselves to the system. For example, PSFile.exe shows a list of files opened remotely, interesting if there are no remote users. Also there are commands such as PSKill or PSSuspend to do as their name suggests, kill or suspend programs or files that are open, and there is even a command to reboot the computer.

The one tool in this Suite we will need is PSList.exe, which will give us detailed information about the WinWord process and determine whether there are any external resources being utilized by the program. The computer used was an older XP model with the Office 2003 suite and all current MS updates. The PSList, executed through the DOS command prompt, shows various information about the WinWord program and is shown as Enclosure 1, although the image is not very good. The priority is 8, and is using 24,880 KB of virtual memory.

In addition, there is a thread count of 8 and a handle count of 355. These two figures tell you what processes Word is using at a given time. To quote MS, “Monitoring threads is also costly”. It can be done by editing in the system registry but unless one is well schooled in the registry that is an area to steer clear from (Microsoft 2012). A check using other Sysinternals tools and Symantec shows this particular Word program is safe with no external threats. Another software to check for external processes is Holodeck, made by the independent firm Security Innovation.

According to their website, it helps debuggers by “allowing testers to work in a controlled, repeatable environment to analyze and debug Error-handling code”. It also claims that its software is used by such technology giants such as Microsoft and Adobe and is safe for use on the test XP machine (Holodeck 2012). Yet I can’t testify to the security of Holodeck, for my Symantec would not allow the beta program to be downloaded to the computer, calling the software “untrustworthy”. Still another program to be considered is PMDump.

According to James M. Aquilina in his book Malware Forensics: Investigating and Analyzing Malicious Code (2008), basically PMDump is a useful tool for the investigator to determine what processes are used by a program. This is accomplished by “dumping” the memory of a specific program such as Word into another file, so the integrity of the original program is not compromised. The separate file can then be viewed using ASCII strings or binary text. Again it appears that this executable is a useful tool for the professional but one should be very comfortable with computer processes, as well as knowing code strings, in order to attempt to use this program References: Aquilina James M. (2008), Malware Forensics: Investigating and Analyzing Malicious Code, Burlington, MA: Syngress Publishing.

Landuyt, Eric (2008), Real Life Hostile Code Analysis, Available at: http://www.datarescue.com/laboratory/trojan2008/index.html. Microsoft (2012), Monitoring Threads, Available at: http://technet.microsoft.com/en-us/library/cc776966%28v=ws.10%29.aspx. Russinovich, Mark (2012), Windows Sysinternals, Available at: http://technet.microsoft.com/en-US/sysinternals. Security Innovation (2012), Holodeck, Available at: https://www.securityinnovation.com/security-lab/holodeck/.