[disinclined.org.git] / _posts / 2013-03-12-malware-analysis.html
---
layout: note
---

<p>This is my exploration of a trojan horse sent to open@duckduckgo.com. The email, which claimed to hold "My eTicket", contained a malicious call to action and a .zip file.</p>

<p>I began by attempting to locate the origin of the email. The relevant portion of the headers is excerpted below. These headers cannot be relied upon for identification (they are trivially forged). However, the email does not claim to be from delta.com, which leads me to suspect the originating domain is genuine: why pretend to be from an arbitrary domain?</p>

<pre class="brush: bash">
Received: from unknown (HELO ) (89.77.209.23)
by 0 with SMTP; 5 Mar 2013 22:11:01 -0000
From: "DELTA" &lt;PFlFnLybzQlsh@lorusso.com&gt;
To: open@duckduckgo.com
Message-ID: &lt;20130305231057.D5B526351B50D849E929.5F438C@MARTA-F97BA78A4&gt;
Subject: Your eTicket
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_Part_369841052092"
</pre>

<p>Taking a look at lorusso.com, it seems legitimate. Following up with a WHOIS query, it still looks good.</p>

<pre class="brush: bash">
Domain Name: LORUSSO.COM
Registrar: TUCOWS DOMAINS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS10.IXWEBHOSTING.COM
Name Server: NS9.IXWEBHOSTING.COM
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 17-oct-2011
Creation Date: 25-oct-1998
Expiration Date: 24-oct-2017

Administrative Contact:
Lorusso, David dave@lorusso.com
1200 Mahogany Lane
Cedar Park, TX 78613
US
+1.5123319487
Technical Contact:
Lorusso, David dave@lorusso.com
1200 Mahogany Lane
Cedar Park, TX 78613
US
+1.5123319487
</pre>

<p>Because I do not believe the email was sent by the owner of lorusso.com, this leaves two possibilities: a negligently open mail relay, or a compromised system. To determine whether the former is the case, I attempt to send my own email through the domain's mail provider. To locate the server, I first query the domain's mail exchange record and its corresponding address record.</p>

<pre class="brush: bash;">
$ dig mx lorusso.com +short
10 mail909.ixwebhosting.com.

$ dig mail909.ixwebhosting.com +short
76.162.254.111
76.162.254.117
76.162.254.118
76.162.254.109
76.162.254.110

$ telnet 76.162.254.111 25
Trying 76.162.254.117...
Connected to 76.162.254.117.
Escape character is '^]'.
220 ironport4.opentransfer.com ESMTP
helo dylanstestserver.com
250 ironport4.opentransfer.com
mail from: dylansserver.com
250 sender &lt;dylansserver.com&gt; ok
rcpt to: dylan@dylansserver.com
550 #5.1.0 Address rejected dylan@dylansserver.com
quit
221 ironport4.opentransfer.com
Connection closed by foreign host.
</pre>

<p>My request to relay mail through the server is denied, as it should be. Short of running an intrusive network scan of lorusso.com, there is nothing left to do at this point except alert the technical contact for the domain.</p>

<p>Now to the payload. Inside a GNU/Linux VM I identify the file type, log a checksum, and unpack, recursively. I'm lucky: it's packed, but the packer is plain UPX and does not otherwise obfuscate the executable.</p>

<pre class="brush: bash;">
$ file eTicket.zip
eTicket.zip: Zip archive data, at least v2.0 to extract

$ md5sum eTicket.zip
5f3aeef467f263e56b7a53f28497523c eTicket.zip

$ unzip eTicket.zip
Archive: eTicket.zip
inflating: eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe

$ file eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

$ md5sum eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
a98d8bf1d8b68477867ebae47f0d5086 eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe

$ upx -d eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe

$ file eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe: PE32 executable (GUI) Intel 80386, for MS Windows

$ md5sum eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
82c3c81779564d999787a3a15203fb33 eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
</pre>
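<p>The same triage, scripted, as an added example that is not code from the original post: it hashes each archive member, walks the PE section table for UPX's tell-tale section names, and flags the two lure tricks in the file name (a document extension in front of <code>.exe</code>, and a name long enough to push the real extension out of view). The archive is constructed in memory; the stub PE and the lure name are assumptions modelled on the sample above, not the real file.</p>

```python
"""Static triage of a mailed ZIP attachment, mirroring the file/md5sum/unzip/upx steps:
hash each member, detect PE images, read the section table for UPX's section names,
and flag lure-style file names.  Added example, not the post's code; archive is constructed."""
import hashlib
import io
import os
import struct
import zipfile

DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat"}


def pe_section_names(data):
    """Section names of a PE image, or None when the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20;
    # the section table (40-byte entries, 8-byte names) follows the optional header.
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage_member(name, data):
    """One archive member: hashes plus the indicators the post relied on."""
    stem, ext = os.path.splitext(name.lower())
    inner = os.path.splitext(stem)[1]
    sections = pe_section_names(data)
    return {
        "name": name,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": sections is not None,
        # UPX names its sections UPX0/UPX1 (the packer `file` reported above)
        "upx_packed": bool(sections) and any(s.startswith("UPX") for s in sections),
        # "....pdf.exe": a document extension in front of the executable one
        "double_extension": ext in EXEC_EXTENSIONS and inner in DOC_EXTENSIONS,
        # a very long name hides the real extension in a file dialog
        "overlong_name": len(name) > 64,
    }


def triage_zip(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [triage_member(info.filename, zf.read(info)) for info in zf.infolist()]


def build_fake_upx_pe():
    """Constructed stub: DOS header, PE signature, COFF header, two UPX-named sections, no optional header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1"))
    return dos + b"PE\0\0" + coff + table


def build_sample_zip():
    # constructed archive; the lure name is modelled on the post's, not copied from it
    lure = "eTicket and Receipt for ID" + "5376594563" * 8 + ".pdf.exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(lure, build_fake_upx_pe())
    return buf.getvalue()
```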

<p>Seeing the portable executable, I know which honeypot system I need. Before preparing it, I take a quick peek inside the file:</p>

<div style="height:200px;overflow:auto">
<pre class="brush: bash;">
$ strings eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
...
KERNEL32.DLL
gdi32.dll
user32.dll
UnregisterWaitEx
GetEnvironmentStringsA
GetCommandLineW
CreateDirectoryExA
ExitProcess
GetNumberFormatW
GetCommandLineA
EnumTimeFormatsA
GetPrivateProfileStructW
GetTextExtentPoint32W
GetRgnBox
SetColorSpace
DeviceCapabilitiesExW
DeleteDC
PolyTextOutA
GetBkColor
GetFontLanguageInfo
CreateFontW
GetKerningPairsA
GdiDeleteSpoolFileHandle
GetMapMode
GdiArtificialDecrementDriver
CreateFontIndirectExA
StartDocW
SetROP2
UpdateColors
OffsetViewportOrgEx
GetOutlineTextMetricsA
DeviceCapabilitiesExA
CopyEnhMetaFileA
Polyline
SetAbortProc
ExtEscape
SetBrushOrgEx
GetFontResourceInfoW
StartPage
GetDIBColorTable
EudcUnloadLinkW
OffsetWindowOrgEx
IntersectClipRect
SetMapMode
CreateFontIndirectW
GetTextFaceA
GetRelAbs
DescribePixelFormat
GetLogColorSpaceW
BeginPath
GetPath
GetCharacterPlacementW
GdiPlayPrivatePageEMF
SelectPalette
CloseMetaFile
CreateRectRgn
EnumFontsA
SetLayout
EudcLoadLinkW
InvertRgn
EnumFontFamiliesExW
SetRelAbs
EnumFontFamiliesExA
GetStretchBltMode
GetCharacterPlacementA
CreateFontIndirectA
GdiPlayScript
CreateDCA
ExcludeClipRect
SetMetaFileBitsEx
GetDeviceCaps
StartFormPage
GetWorldTransform
CombineTransform
FlattenPath
GdiPlayPageEMF
CreatePolyPolygonRgn
GetBkMode
SelectFontLocal
PolyPolyline
CreateDCW
GetTextExtentPoint32A
SelectObject
EnumFontFamiliesA
RemoveFontResourceExW
SetSystemPaletteUse
GetPaletteEntries
GetCharWidthFloatA
Escape
DeleteObject
UpdateICMRegKeyA
GetFontUnicodeRanges
CreateCompatibleBitmap
ExtCreatePen
GetObjectW
GetTextExtentPointI
GdiComment
GetWindowExtEx
SelectBrushLocal
GetCharWidthFloatW
FloodFill
EndPath
LPtoDP
WidenPath
RemoveFontResourceW
CopyEnhMetaFileW
GetMetaFileA
PolyPolygon
PaintRgn
CreatePalette
GetGlyphIndicesA
GdiGetSpoolFileHandle
GetDIBits
SetTextCharacterExtra
PolylineTo
SetMetaRgn
GetKerningPairsW
ExtCreateRegion
GetCharWidthA
SetColorAdjustment
GetLayout
SetMagicColors
SetICMProfileW
GetSystemPaletteEntries
SetDIBits
DeleteEnhMetaFile
CreatePatternBrush
SetWindowOrgEx
GetTextExtentPointA
UnrealizeObject
PolyTextOutW
ResetDCW
CreateFontIndirectExW
GetTextExtentExPointW
CreateCompatibleDC
GetLogColorSpaceA
GetTextExtentPointW
CreateDIBPatternBrushPt
CreatePolygonRgn
GdiPlayJournal
ColorCorrectPalette
RemoveFontMemResourceEx
GetStockObject
PatBlt
FrameRgn
UpdateICMRegKeyW
GetCharABCWidthsA
CreatePen
CombineRgn
GetEnhMetaFileW
GetDCOrgEx
GetBoundsRect
LineDDA
PlayEnhMetaFile
RemoveFontResourceA
GetSystemPaletteUse
GdiPlayDCScript
CreateColorSpaceW
GetBitmapBits
GetDCPenColor
GetBrushOrgEx
GetCharWidthI
GetBitmapDimensionEx
GetObjectType
RemoveFontResourceExA
SelectClipRgn
TranslateCharsetInfo
CreateEnhMetaFileW
GetObjectA
SetStretchBltMode
GetFontAssocStatus
SetDCBrushColor
SetRectRgn
Polygon
SetMapperFlags
EnumEnhMetaFile
SetDIBColorTable
GetDeviceGammaRamp
StartDocA
CreatePenIndirect
StretchBlt
VkKeyScanExA
InvalidateRect
ToUnicodeEx
GetMenuDefaultItem
AdjustWindowRect
ReleaseCapture
EnumDisplayDevicesW
DdeDisconnect
TranslateMDISysAccel
SetClipboardViewer
DrawTextA
LoadMenuW
CharNextW
GetLastActivePopup
CopyRect
PrivateExtractIconsW
IsWindow
GetTabbedTextExtentA
InvalidateRgn
GetClipboardFormatNameA
IMPQueryIMEW
TranslateMessage
CreateMenu
SetWindowsHookExA
DefWindowProcA
GetDialogBaseUnits
GetWindowRgn
OpenDesktopW
LockWindowUpdate
...
</pre>
</div>

<p>There are some interesting calls made, but I don't know enough about Windows internals to tell much from them. Instead, I'll move on to dynamic analysis. To create a safe, monitored environment, I will use another guest operating system, loaded with the following utilities:</p>

<ul style="margin-top:10px">
<li style="margin-left:60px;list-style:disc;display:list-item;">VirtualBox appliance, Windows XP SP3</li>
<li style="margin-left:60px;list-style:disc;display:list-item;">Internet Explorer 8 (updated)</li>
<li style="margin-left:60px;list-style:disc;display:list-item;">Windows Security Essentials (updated)</li>
<li style="margin-left:60px;list-style:disc;display:list-item;">RegShot (for registry and filesystem snapshots)</li>
<li style="margin-left:60px;list-style:disc;display:list-item;">Windows Process Monitor (for live monitoring of system calls)</li>
</ul>

<p>The host also requires configuration. I create a virtual network device (and an Ethernet bridge) that can be attached to the virtual machine, watched and firewalled.</p>

<pre class="brush: bash;">
# load the VirtualBox bridged-networking filter driver
sudo modprobe vboxnetflt

# build a bridge containing the physical interface
sudo brctl addbr br0
sudo brctl addif br0 eth0
sudo ip link set dev br0 up

# create a tap device for the guest and attach it to the bridge
sudo modprobe tun
sudo ip tuntap add dev tap0 mode tap
sudo ip link set dev tap0 up
sudo brctl addif br0 tap0

# record one minute of baseline traffic from the tap, then review it
mkdir monitor && cd monitor
sudo tcpdump -itap0 -vvvA -s0 -G 60 -W 1 -Uw baseline_
tcpdump -vvvA -r baseline_00
</pre>

<p>With a distinct, tapped interface, I listen for baseline network connections, including the ARP and UDP chatter inside the LAN. This will help me eliminate noise from the network I/O of the infected system. Simultaneously, I create a new virtual machine snapshot to return to later. Meanwhile, inside the guest, I take registry and filesystem snapshots with RegShot and open Process Monitor, filtering out friendly services. With a clean baseline obtained, I start a new listening process:</p>

<pre class="brush: bash;">
sudo tcpdump -itap0 -vvvA -s0 -C 128 -W 10 -Uw capture_
</pre>

<p>With the environment prepared, I download and execute the trojan. The file disappears after triggering, and the process and network monitors flood with calls and packets. After about 3 minutes, I pause the VM and begin the log analysis.</p>

<p>My first step is to peek inside the capture with my editor. There are a lot of HTTP requests, and many of them seem to be passing parameters used for ad tracking.</p>

<pre class="brush: bash;">
$ strings capture_00 | grep http | wc -l
281
$ strings capture_00 | grep http | grep CLICK | wc -l
137
$ strings capture_00 | grep http | grep -v CLICK | grep impression | wc -l
73
$ strings capture_00 | grep Host | sort -u
Host: 113594url.directdisplayad.com
Host:239.255.255.250:1900
Host: 88.198.7.221
Host: ajax.googleapis.com
Host: cache.adfeedstrk.com
Host: cds.q2q3h3t3.hwcdn.net
Host: connect.facebook.net
Host: edge.sharethis.com
Host: fonts.googleapis.com
Host: html5shiv.googlecode.com
Host: j.maxmind.com
Host: redirect.ad-feeds.net
Host: vjlvchretllifcsgynuq.com
Host: wd.sharethis.com
Host: w.sharethis.com
Host: www.directorslive.com
Host: xlotxdxtorwfmvuzfuvtspel.com
</pre>

<p>A bit more searching and it's clear that the malware is using my computer to send out hundreds of forged ad impressions every minute. It's also hitting something else interesting: j.maxmind.com is a geolocation service. It's possible that it's fetching this information to send back to a command and control server. This of course points towards the next concern: that the program has also installed additional hooks, such as a keylogger, which it could use to send keystrokes (including financial information) to its owner.</p>
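<p>The grep pipeline above, generalised into a small script (an added example, not code from the post): it counts CLICK and impression requests, subtracts the hosts already present in the baseline capture, and flags random-looking names like the two long, consonant-heavy domains in the Host list as candidates for command and control rather than ad traffic. The request text is constructed to resemble <code>strings</code> output over the two captures, and the thresholds in the name heuristic are this example's assumptions.</p>

```python
"""Triage of HTTP traffic pulled from a capture, as the grep/sort pipeline above does:
count ad click/impression requests, drop hosts already seen in the baseline capture,
and flag random-looking names.  Added example, not the post's code; text is constructed."""
import re

# Constructed stand-ins for `strings baseline_00` and `strings capture_00`.
BASELINE_TEXT = """\
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
GET /ajax/libs/jquery.js HTTP/1.1
Host: ajax.googleapis.com
"""
CAPTURE_TEXT = """\
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
GET /imp?CLICK=1&cid=42 HTTP/1.1
Host: 113594url.directdisplayad.com
GET /impression?cid=42 HTTP/1.1
Host: cache.adfeedstrk.com
GET /redir?CLICK=1&cid=42 HTTP/1.1
Host: redirect.ad-feeds.net
GET /app/geoip.js HTTP/1.1
Host: j.maxmind.com
GET / HTTP/1.1
Host: vjlvchretllifcsgynuq.com
GET / HTTP/1.1
Host: xlotxdxtorwfmvuzfuvtspel.com
GET /ajax/libs/jquery.js HTTP/1.1
Host: ajax.googleapis.com
"""
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.M)  # tolerates the SSDP line's missing space
REQUEST_RE = re.compile(r"^(?:GET|POST) (\S+) HTTP/1\.[01]$", re.M)


def hosts(text):
    """Unique Host header values with any :port stripped."""
    return {h.split(":")[0] for h in HOST_RE.findall(text)}


def request_counts(text):
    """The totals the post derived with grep: all requests, CLICK ones, impression ones."""
    paths = REQUEST_RE.findall(text)
    return {
        "requests": len(paths),
        "click": sum("CLICK" in p for p in paths),
        "impression": sum("CLICK" not in p and "impression" in p for p in paths),
    }


def looks_generated(hostname):
    """Heuristic for algorithmically generated domains: a long, vowel-poor
    second-level label.  The thresholds are this example's assumption."""
    label = hostname.split(".")[-2] if "." in hostname else hostname
    if len(label) < 12 or not label.isalpha():
        return False
    return sum(c in "aeiou" for c in label) / len(label) < 0.3


def new_hosts(baseline_text, capture_text):
    """Hosts seen only after infection: the baseline's own noise removed."""
    return sorted(hosts(capture_text) - hosts(baseline_text))


def suspicious_hosts(baseline_text, capture_text):
    """New hosts whose names look machine-generated: C2 candidates rather than ad traffic."""
    return [h for h in new_hosts(baseline_text, capture_text) if looks_generated(h)]
```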

<p>None of the outgoing packets look very interesting, but there's no way of predicting when it might try to make contact. Instead, I'll look for evidence of additional tampering locally. To do this, I examine the registry and file system diff alongside the process monitor.</p>

<pre class="brush: bash;">
----------------------------------
Files deleted: 2
----------------------------------
C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
C:\WINDOWS\Tasks\MpIdleTask.job
</pre>

<div style="height:200px;overflow:auto">
<pre class="brush: bash;">
$ egrep -i 'Control.*firewall' registry.changes
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001
</pre>
</div>

<p>No more security scans! Deleting these files ensures that the automatic malware scans will no longer run. Firewall control settings are also modified and removed. There don't seem to be any obvious changes to core system code, such as DLLs, that a keylogger would use, but I could easily be missing something. With the process monitor I see the file and registry modifications in real time, but nothing else jumps out at me.</p>
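<p>A parser for the RegShot diff format shown above, added here as an example that is not part of the post: it checks each section's declared count against the lines actually present and flags the two kinds of change the analysis turned up, deleted Microsoft Antimalware task files and edits under the FirewallPolicy keys. The diff text is constructed from paths listed on this page plus one line of benign noise that the rules should ignore.</p>

```python
"""Parse a RegShot-style diff (the layout shown above) and flag changes that weaken
the host's defences: deleted Antimalware scan tasks and edits under the XP firewall
policy.  Added example, not the post's code; the diff text is constructed."""
import re

SAMPLE_DIFF = r"""
----------------------------------
Keys added: 1
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
----------------------------------
Values modified: 2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache: "C:\Documents and Settings\user\Local Settings\Temporary Internet Files"
----------------------------------
Files deleted: 2
----------------------------------
C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
C:\WINDOWS\Tasks\MpIdleTask.job
"""

# Each section opens with a dashed rule, "<title>: <count>", and another rule.
SECTION_RE = re.compile(r"^-{5,}\n(?P<title>[A-Za-z ]+): (?P<count>\d+)\n-{5,}\n", re.M)

RULES = [
    # (section the rule applies to, or None for any; pattern; why it matters)
    ("Files deleted", re.compile(r"\\Tasks\\.*(Antimalware|MpIdleTask).*\.job$", re.I),
     "scheduled Microsoft Antimalware scan removed"),
    (None, re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I),
     "Windows Firewall policy changed"),
]


def parse_regshot(text):
    """Map each section title to (declared count, list of changed paths)."""
    sections = {}
    headers = list(SECTION_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        lines = [l for l in text[h.end():end].splitlines() if l.strip()]
        sections[h.group("title")] = (int(h.group("count")), lines)
    return sections


def count_mismatches(sections):
    """Titles whose declared count disagrees with the lines actually present."""
    return [t for t, (n, lines) in sections.items() if n != len(lines)]


def flag_changes(sections):
    """(section, line, reason) for every change matched by a rule."""
    findings = []
    for title, (_, lines) in sections.items():
        for line in lines:
            for scope, pattern, reason in RULES:
                if scope in (None, title) and pattern.search(line):
                    findings.append((title, line, reason))
    return findings
```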

<p>Here is the <a href="/share/baseline_00">baseline tcpdump</a>, the <a href="/share/capture_00">capture tcpdump</a> and the full <a href="/share/registry.changes.txt">filesystem and registry diff</a>.</p>