Jim,
ProcMon is a great tool, but if you suspect hardware/firmware attacks:
Google "RootKitUnhooker"
I used RkU3.8.388.590.rar and am really impressed.
Found an infected Dell system that showed BIOS fan-speed errors on POST
until the virus was un-hooked and then cleaned (using Malwarebytes).
It also had multiple ATAPI errors, and other nasties, indicating that
the virus was embedded (hooked) into non-volatile memory. It's funny
that some of these hooks are okay with Microsoft Corp.
Any O.S. internals-type virus running within a Linux VM box may not be of any use.
This is because all your hardware is still exposed.
These new attacks are fun to research. The Doze monitor tools are improving.
Fun, fun, fun.
(-: Chas.M. :-)
Date: Tue, 22 Feb 2011 08:22:05 -0700
Subject: Security-related question
From: 1.jim.march@gmail.com
To: plug-discuss@lists.plug.phoenix.az.us; tfug@tfug.org
Folks,
I'm trying to figure out what a particular Windows piece of malware does.
To that end I built a brand new WinXP virtual machine via Virtualbox (Linux host of course) and then infected the virtual machine :).
In Ubuntu (Gnome) I usually run the System Monitor toolbar widget set to display CPU, memory and network traffic. In the latter I can see network traffic happening that I can't explain as being Linux-related, so it has to be the virtual machine (which has Internet connectivity via a NAT router off of the Linux host...in other words, guest OS traffic will be visible in the host Linux system.
I need to know first how I can prove that it's the Windows XP guest OS that's doing the traffic, or which other processes are doing which traffic, and then if possible log ALL of that traffic (preferably using Linux tools) for a brief time period to a file for analysis.
Any help appreciated :).
Jim March
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss