What has the end user installed?

If your users are anything like my end users, they violate the Acceptable Use Policy (AUP) with great vigour. They install all kinds of garbage on their notebook that A) has no business purpose B) comes with hidden bonus items such as trojans and backdoors. C) Violates various licensing laws and rules.

My primary method of investigating installed Software is with the SCCM Resource Explorer tool. This leverages the WMI interface and gives me a nice list of installed products. If i start seeing items such as Bit-Torrent clients I automatically know that this is not going to end well. 

Sometimes though for some strange reason the workstation i’m trying to investigate does not have the SCCM client on it. This is when use a great free tool from the folks at Manage Engine. They come out with some free tools that allow you to leverage the RPC interface. One of the tools included in the package is one called Software Inventory. This tools connects to the remote machine and uses your admin credentials to create a list of Software Installed.

Once you know what is installed you can go ahead you often have a good idea what you are dealing with. Often it’s just time to reimage the workstation. However, if you don’t have any evidence to support the reimage. You then need to proceed further the next step is investigating the applications in the ‘Startup’ category.

MSCONFIG

MSConfig is a great place to look for viruses/trojans that start with the workstation. In the last year though, I’ve noticed that the trojans are getting a lot more tricky and do not show up in MSConfig.

Trend Micro – HiJack This

HiJack this used to be an opensource tool until it was bought by Trend Micro. This tool allows you to see what starts when the operating system is powered up. What Browser Helper Objects are integrated into the browser. If you start to see items and DLL’s registered that should not be there. You definitely might want to investigate further. Trend still offers HiJack This for free on their website or at download.com

Run Once

The next place you want to look is the “Run Once” portions of the Windows Registry. This is often where Trojans and Viruses hide themselves.  The Registry Keys that you want to look at are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Services

The services MMC console is another great place to look for Viruses and Trojans. A quick perusal of the running services might indicate an infection and depending on the infection will determine the remediation.

If after investigating these areas you still suspect an infection there are numerous types of free tools that you can use.

1. Sysinternals RootKit Revealer

2. Gmer

3. F-Secure BlackLight

In the organization I currently work for we had a scenario where a certain area of users did not get patched and ended up getting infected with the Conficker Virus. Sophos Software has created a great tool to remove the Conficker Worm/Virus it can be found here.

The information security world is definitely a scary one and there is definitely a lot at stake. You don’t need to know necessarily everything  about every virus that comes out. It is simply a matter of knowing the key parts of the system to investigate and learning to use Google to investigate the methodology your infection uses as well as the impact on the system.

If you have any questions or need a little extra help. I’d be glad to lend a hand chris (at) chrismadge.com