Troubleshooting an infected server, Part 1

Recently I was troubleshooting an infected server. Some of the malware had already been removed beforehand, but RDP was still not working on this server. When I tried to telnet to TCP port 3389 (the RDP port), an unknown service was listening and responding.
 
Checking this with netstat.exe (netstat -ano | findstr :3389) confirmed it, and also showed the PID (Process ID) of the process that was listening on TCP 3389.
 
 
Using tasklist.exe (tasklist | findstr 2304) revealed that the process listening on TCP 3389 was tcpsvcs.exe. This is highly unusual: the RDP service runs inside svchost.exe.
 
 
Using Process Explorer and searching for tcpsvcs.exe revealed two processes running under that name. Checking the file signatures showed that one of them could not be verified. Also note the purple coloring of the process: Process Explorer marks "Packed Images" in purple. Packed images are often used by malware authors (but can also be used by legitimate software).
The suspicious file was located in the folder C:\Windows\System32\wbem.

 
Using sigcheck.exe (sigcheck.exe -u -e c:\windows\system32\wbem) to list all unsigned executables in that folder revealed two such files: the tcpsvcs.exe we had already identified, and sc.exe.
Both files do exist on a Windows system, but not in the "wbem" folder, and the genuine copies are digitally signed by Microsoft. Note also the difference in file size.
 
 
Looking at the malware files, the authors tried to disguise them by copying the Microsoft company name and other version information from the real files found on the server. Of course, the failed digital-signature verification quickly gave them away.
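The steps above (find the listener's PID, identify the process, verify its signature, compare it with the genuine System32 copy, and sweep the folder for other unsigned binaries) can be scripted with built-in cmdlets so the check is repeatable on other hosts. The following is an added example written for this post, not the author's own script or a Sysinternals tool. It assumes Windows 8 / Server 2012 or newer (for Get-NetTCPConnection) and an elevated prompt so process paths are visible; the port, folder and file names are the ones from the post, and `$Port` and `$Folder` are assumed parameters.

```powershell
# Added example (not from the original post): scripted triage of an unexpected RDP listener.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.
$Port   = 3389                          # RDP port from the post
$Folder = 'C:\Windows\System32\wbem'    # folder where the impostor binaries were found

function Get-ListenerOwner {
    param([int]$LocalPort)
    # Equivalent of "netstat -ano | findstr :<port>" followed by "tasklist | findstr <pid>"
    Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # Services hosted in that PID; genuine RDP is TermService inside svchost.exe
            $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)" |
                   Select-Object -ExpandProperty Name
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Pid          = $_.OwningProcess
                Process      = $p.ProcessName
                Path         = $p.Path            # $null when the session is not elevated
                Services     = ($svc -join ',')
            }
        }
}

function Compare-WithSystem32Copy {
    param([string]$Path)
    # Compares a suspicious binary with the same-named file in System32:
    # Authenticode status, signer, size, SHA256 and the embedded version strings.
    # Copied version strings can look identical on the fake; the signature cannot be copied.
    $name     = Split-Path $Path -Leaf
    $expected = Join-Path $env:SystemRoot "System32\$name"
    foreach ($f in @($Path, $expected)) {
        if (-not (Test-Path $f)) { Write-Warning "Missing: $f"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $f
        $vi  = (Get-Item $f).VersionInfo
        [pscustomobject]@{
            File      = $f
            Bytes     = (Get-Item $f).Length
            SHA256    = (Get-FileHash $f -Algorithm SHA256).Hash
            SigStatus = $sig.Status               # 'Valid' for the genuine Microsoft file
            Signer    = $sig.SignerCertificate.Subject
            Company   = $vi.CompanyName
            Product   = $vi.ProductName
            Version   = $vi.FileVersion
        }
    }
}

function Find-UnsignedExecutables {
    param([string]$Directory)
    # Equivalent of "sigcheck.exe -u -e <dir>": PE files whose signature does not verify.
    # Caveat: many OS binaries are catalog-signed; on older PowerShell versions those can
    # show as NotSigned here, whereas sigcheck resolves catalog signatures.
    Get-ChildItem -Path $Directory -Include *.exe,*.dll,*.sys -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ File = $_.FullName; Status = $sig.Status; Bytes = $_.Length }
            }
        }
}

# Step 1: who owns the TCP 3389 listener?
$owners = Get-ListenerOwner -LocalPort $Port
$owners | Format-Table -AutoSize

# Step 2: anything other than svchost.exe hosting TermService deserves a closer look
foreach ($o in $owners) {
    if ($o.Process -ne 'svchost' -or $o.Services -notmatch 'TermService') {
        Write-Warning "Unexpected listener on $Port : PID $($o.Pid) $($o.Process) ($($o.Path))"
        if ($o.Path) { Compare-WithSystem32Copy -Path $o.Path | Format-List }
    }
}

# Step 3: sweep the folder where the impostor lived for other unsigned binaries
Find-UnsignedExecutables -Directory $Folder | Format-Table -AutoSize
```

Run it from an elevated prompt; without elevation `Get-Process` returns no path for processes running as SYSTEM, which is exactly the case for a service impersonating RDP. The side-by-side output from `Compare-WithSystem32Copy` makes the point of the post visible at a glance: the version strings match, the sizes and hashes do not, and only the System32 copy reports a valid Microsoft signature.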
 
 
 
In part 2, I will talk about removing this malware from the server.
