Before pausing from reading email for a few hours, I'd like to take a moment to redirect your attention to a little advertised and even more infrequently used Incident Response and investigative feature hosted here on the ISC SANS portal. That feature is SecCheck, developed by MyNetWatchman, and offered to the Storm Center to assist in investigating suspicious and potentially malicious activity on hosts running the Windows family of operating systems.

The Storm Center deployment of SecCheck is hosted at http://isc.sans.org/seccheck/ and does require the use of Internet Explorer.  IE is required for this execution as our deployment is implemented in the form of an ActiveX DLL that executes in the context of your browser to analyze and deliver IR run-time reporting for the currently running workstation session.  Execution of the tool will result in the report being displayed on your workstation as well as being posted back to the Storm Center host for our review, and enables the handlers to assist you more directly.

Among the run-time details that are reported include:

• running process list  (why am I running something called caseyvideo.exe?)       
  
• running service enumeration (hmmm, that service executing from c:\winnt\lssass.exe looks interesting)
  
• network connection snapshot (identify both services and established connectivity mapped to processes)
• autostart registry hive dumps (malware has to restart itself somehow, this will show you where)
• Installed BHO listing (Often Spyware and Hijackers jump right out)
• Module dump (You can identify library injection techniques here)

SecCheck reporting does present much information that may take a little getting used to, but we're here to help!  Give it a try, especially if you are experiencing unusual and inexplicable computer activity.

There are additional developments available at http://www.mynetwatchman.com including standalone SecCheck binaries that offer additional features.

William Salusky
Handler on Duty!