Troubleshooting an infected server, Part 1

by Miha Pihler 16. May 2011 15:05
Recently I was troubleshooting an infected server. Some of the malware had been removed beforehand, but even after that removal RDP was still not working on the server. When I tried to telnet to TCP port 3389 (the RDP port), an unknown service was listening and responding.
Checking this with netstat.exe (netstat -ano | findstr :3389) confirmed it and showed the PID (Process ID) of the process listening on TCP 3389.
Using tasklist.exe (tasklist | findstr 2304) revealed the image that owned that PID: tcpsvcs.exe. This is highly unusual, because the RDP service normally runs inside svchost.exe.
Using Process Explorer and searching for tcpsvcs.exe revealed two processes running with that name. Checking the file signatures showed that one of the two could not be verified. Also note the purple coloration of the process: Process Explorer marks "Packed Images" in purple. Packed images are often used by malware authors (but can also be used by legitimate software).
The suspicious file was located in the folder C:\Windows\System32\wbem

Using sigcheck.exe (sigcheck.exe -u -e c:\windows\system32\wbem) to list all unsigned executables in that folder revealed two such files: the tcpsvcs.exe we had already identified, and an sc.exe.
Both file names exist on a Windows operating system, but not in the "wbem" folder, and the genuine files are digitally signed by Microsoft. You can also note the difference in size.
Looking at the malware files, the authors tried to disguise them by copying the Microsoft company name and other version information from the real files found on the server. The failed digital signature verification quickly gave them away.
In part 2, I will talk about removing this malware from the server.
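The triage steps above (find the PID listening on 3389, map it to an image, check the Authenticode signature, then sweep the folder for unsigned executables as sigcheck -u -e does) can be scripted. This is an added example, not code from the original post; the function names are mine, and it assumes an elevated PowerShell 3.0 or later prompt on the affected server.

```powershell
# Added example (not from the original post). Assumes elevated PowerShell 3+.
# Port 3389 and the System32\wbem folder are the values from the post.

function Get-ListenerPid {
    param([int]$Port = 3389)
    # Parse "netstat -ano" output; columns: Proto LocalAddress ForeignAddress State PID
    $pattern = ':{0}$' -f $Port
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[1] -match $pattern -and $f[3] -eq 'LISTENING') {
            [int]$f[4]
        }
    } | Select-Object -Unique
}

function Test-RdpListener {
    param([int]$Port = 3389)
    # RDP (TermService) normally runs inside svchost.exe from System32
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    foreach ($listenerPid in (Get-ListenerPid -Port $Port)) {
        # Win32_Process gives the image path even for service hosts
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $listenerPid"
        $path = $proc.ExecutablePath
        $sig  = $null
        if ($path) { $sig = Get-AuthenticodeSignature -FilePath $path }
        $status = 'NoPath'
        $signer = $null
        if ($sig) { $status = $sig.Status; if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject } }
        [pscustomobject]@{
            Pid             = $listenerPid
            Image           = $path
            IsExpectedImage = [bool]($path -and ($path -ieq $expected))
            Signature       = $status      # anything other than 'Valid' deserves a closer look
            Signer          = $signer
        }
    }
}

function Get-UnsignedExecutable {
    # Equivalent of "sigcheck -u -e <folder>": executables whose signature is missing or invalid
    param([string]$Folder = (Join-Path $env:SystemRoot 'System32\wbem'))
    Get-ChildItem -Path $Folder -File -Include *.exe, *.dll, *.sys -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ File = $_.FullName; Size = $_.Length; Status = $sig.Status }
        }
    }
}

Test-RdpListener | Format-List
Get-UnsignedExecutable | Format-Table -AutoSize
```

An RDP listener whose image is not System32\svchost.exe, or whose signature status is not Valid, is the condition the post describes; the size column helps spot the mismatch against the genuine files noted above.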



by Miha Pihler 11. May 2011 13:30
In December 2009 I reported a bug in the TMG GUI to Microsoft.
If you wanted to use E-mail Policy in TMG at the time, there were some restrictions in, for example, the "Blocked sender" GUI. More specifically, the GUI did not allow me to enter "" as a blocked address. If you tried, TMG returned an error: "The Sender address in empty or not valid. Please enter a valid e-mail address."

On further investigation I found that TMG would not accept the following characters: ! # $ % & ' * + - / = ? ^ _ ` { | } ~, all of which are legal characters in an e-mail address according to the RFC.
Microsoft acknowledged the bug. A patch was released in January 2010 as part of a hotfix update package for TMG 2010. They also released KB 97925


Miha Pihler

Microsoft Certified Master | Exchange 2010 (MCM)
Microsoft MVP - Enterprise Security
