Detecting Malware

00:00

Hey, everyone, welcome back to the course. So in this video, we're just gonna talk about some of the ways that you could help detect Mauer on systems

00:08

so we could do things like scanning for suspicious ports that are open, suspicious processes that might be running that aren't normal. Process is to be running.

00:16

We could look for registry entries that don't look normal. We could look for device drivers that we are like, Hey, we don't have this device in our machine.

00:24

Why do I have this printer? I don't even have a printer, right. So why do I have the device? The printer driver on my machine? We could look for suspicious started programs or suspicious files and folders,

00:35

abnormal network activities as well as different services that it might be running.

00:40

So let's talk about these a little bit more

00:44

So with suspicious ports were looking for uncommon port supports we normally wouldn't use. And these might be an indicator of compromise that there is some kind of infection or attack going on. For example, let's just say that normally I don't have anything running on Port 5000,

01:00

and so I see they have port 5000 is in use, I might say, Well, wait a minute. There's no services that run on that port for our organization. So why is there traffic on that port?

01:11

And why is most of that traffic outbound traffic

01:15

so we can use a tool, a command like Net Stat Dash ano, which will show us ports that are open on our device. And we could identify those suspicious ports from there

01:25

scanning for suspicious processes. So some Trojans use what's called PES or portable execute a bles

01:32

on that allows him to inject into various processes. So, for example, like Web browser processes or like Explorer Dottie XY,

01:41

and so the process is air actually visible right? They look like

01:45

legitimate processes, but they help the attacker do things like bypassing your host firewall, right? So your Windows firewall, for example,

01:53

and they can inject this through things like using a root kit to try to hide what they're actually doing. And they can use tools like process monitor or what's running toe. Identify suspicious processes,

02:06

suspicious registry entries. So Windows automatically executes instructions that you've got in run run services. Run services once run once,

02:15

and so an example of a suspicious century would be this one depicted here, where you see, after the typical entry of H key classes route we see executed a file open the shell Command. Basically, this is suspicious, right?

02:29

And we can use a tool like red scanner that allows us to scanner registry to find values that match the specific criteria that we specified

02:37

suspicious device drivers. So this is basically where user might install device drivers from an untrusted stores because they say, Well, this is the first one that came up in Google, and I need to update my printer software. And so basically, you can scan for suspicious device drivers that don't look

02:53

like they should be there. Right? So you have a certain printer, for example, and

02:58

this is a totally different type of printing device. Why would you need that driver on your system? So a tool like driver view can help you identify a listing of the device drivers that are currently loaded on your system suspicious Windows services. So, for example, the attacker

03:13

alter some registry keys to hide what they're doing, so they're gonna launch these different services, but there,

03:19

renaming the service or they're using registered Kiki's to try to hide what they're doing. And what these allow the attacker to do is to try to gain remote access to that device. Suspicious startup program. So basically, you want to check the startup program entries in the registry. You want to check the auto loading, uh,

03:36

drivers, So basically, the drivers that are automatically loaded upon boot

03:39

you want to check the boot dot I and I file you want to check the window services? So what services are automatically running once the the system is booting up, checking for suspicious files and folders. So has there been anything altered there? So, using something like sick verify that verifies the integrity of critical files

03:59

that have been digitally signed by Microsoft to say yes, this file has not been altered.

04:02

Using the F. C. I V or the file, check some integrity verifiers, basically a command line utility on that community. Compute MD five hash four files so you could verify that Yes, this is unaltered file or using a tool like trip wire, for example, that will verify the integrity of the files

04:20

and looking for suspicious network activities. So for example, is the attacker

04:25

communicating back to their command and control server from that victim machine and sending confidential information back? Are they stealing credentials? Are they stealing our intellectual property?

04:34

Is it normal for all of this type of

04:38

traffic or data to be leaving our network? Or is this an abnormal things? So looking for those suspicious activities

04:46

and we can use packet sniffers, try and network scanners to identify Mr Traffic going to malicious I P addresses we can use that also use tools like capsules Network analyzer. So just a quick, quick question here for you. This tool could help you check the integrity of critical files that have been signed by Microsoft that services

05:03

ap data sick very for trip wire

05:05

fire,