Above and far below might be the type of topology or map you may want to look at if you had a million or so Conficker machines and you were considering where to store your next payload so that it would remain:
(1) well-hidden
(2) ever-present
The first column (also the X axis above) is the count of the number of times this particular memory size is stored on my machine. The second column (in KB and Y axis above) is the memory size itself. The last print column are those Windows modules at that particular size. This is the type of topology that would help lay out the battlefield for the Botnet Generals. It would help answer questions like:
(1) Where should/could our armies live?
(2) How much space or resources will we have for them?
(3) Who will house them? What dll will be called the most frequently with what access?
Any administrative access to Win 7 or Win2008 would have Powershell/WinRM waiting to be configured. Thus this type of surveillance of Windows desktop could be done on a very large scale quickly and dynamically. And the analysis could be granular: per region, per industry, per subnet, etc.
[Powershell]
$Global:ps = ps
$ps_count = $ps.count
write "Process Count = $ps_count"
$Global:all_modules = 0..$ps_count |%{$ps[$_].Modules} | Select Size,ModuleName,FileName,FileVersion
$Global:all_modules_memory = $all_modules | Select -property ModuleName,Size | Sort -property Size
$all_modules_memory | sort -Descending -property Size | group -property Size
[partial dump]:
....
63 712 {@{ModuleName=ntdll.dll; Size=712}, @{ModuleName=ntdll.dll; Size=712}, @{ModuleName=ntdll.dll; Size=712}, @{ModuleName=ntdll.dll; Size=712}
13 704 {@{ModuleName=SXS.DLL; Size=704}, @{ModuleName=SXS.DLL; Size=704}, @{ModuleName=SXS.DLL; Size=704}, @{ModuleName=SXS.DLL; Size=704}...}
1 680 {@{ModuleName=xpsp3res.dll; Size=680}}
1 676 {@{ModuleName=TzShell.dll; Size=676}}
1 672 {@{ModuleName=swg.dll; Size=672}}
2 656 {@{ModuleName=RASDLG.dll; Size=656}, @{ModuleName=localedata_others.dll; Size=656}}
3 652 {@{ModuleName=MSVCR90.dll; Size=652}, @{ModuleName=MSVCR90.dll; Size=652}, @{ModuleName=MSVCR90.dll; Size=652}}
2 644 {@{ModuleName=chartmodelmi.dll; Size=644}, @{ModuleName=Microsoft.PowerShell.ConsoleHost.ni.dll; Size=644}}
1 636 {@{ModuleName=SavNeutralRes.dll; Size=636}}
1 632 {@{ModuleName=localedata_euro.dll; Size=632}}
1 624 {@{ModuleName=System.Transactions.ni.dll; Size=624}}
67 620 {@{ModuleName=ADVAPI32.dll; Size=620}, @{ModuleName=MSVCR80.dll; Size=620}, @{ModuleName=ADVAPI32.dll; Size=620}, @{ModuleName=ADVAPI32.dll
30 616 {@{ModuleName=comctl32.dll; Size=616}, @{ModuleName=comctl32.dll; Size=616}, @{ModuleName=comctl32.dll; Size=616}, @{ModuleName=comctl32.dl
2 604 {@{ModuleName=stlport_vc7145.dll; Size=604}, @{ModuleName=stlport_vc7145.dll; Size=604}}
21 596 {@{ModuleName=CRYPT32.dll; Size=596}, @{ModuleName=CRYPT32.dll; Size=596}, @{ModuleName=CRYPT32.dll; Size=596}, @{ModuleName=CRYPT32.dll; S
63 584 {@{ModuleName=RPCRT4.dll; Size=584}, @{ModuleName=RPCRT4.dll; Size=584}, @{ModuleName=RPCRT4.dll; Size=584}, @{ModuleName=RPCRT4.dll; Size=
63 580 {@{ModuleName=USER32.dll; Size=580}, @{ModuleName=USER32.dll; Size=580}, @{ModuleName=USER32.dll; Size=580}, @{ModuleName=USER32.dll; Size=
1 576 {@{ModuleName=QuickTimeMPEG4Authoring.qtx; Size=576}}
1 572 {@{ModuleName=QuickTimeEffects.qtx; Size=572}}
1 564 {@{ModuleName=diasymreader.dll; Size=564}}
2 560 {@{ModuleName=wzcsvc.dll; Size=560}, @{ModuleName=printui.dll; Size=560}}
46 556 {@{ModuleName=OLEAUT32.dll; Size=556}, @{ModuleName=OLEAUT32.dll; Size=556}, @{ModuleName=OLEAUT32.dll; Size=556}, @{ModuleName=OLEAUT32.dl
3 544 {@{ModuleName=shdoclc.dll; Size=544}, @{ModuleName=libdb42.dll; Size=544}, @{ModuleName=shdoclc.dll; Size=544}}
1 532 {@{ModuleName=wbemcore.dll; Size=532}}
2 528 {@{ModuleName=xcrmi.dll; Size=528}, @{ModuleName=dopdfui5.dll; Size=528}}
1 520 {@{ModuleName=HPQTOA~1.EXE; Size=520}}
2 516 {@{ModuleName=evtsys.exe; Size=516}, @{ModuleName=winlogon.exe; Size=516}}
4 512 {@{ModuleName=tlmi.dll; Size=512}, @{ModuleName=CRYPTUI.dll; Size=512}, @{ModuleName=CRYPTUI.dll; Size=512}, @{ModuleName=CRYPTUI.dll; Size
31 508 {@{ModuleName=CLBCATQ.DLL; Size=508}, @{ModuleName=CLBCATQ.DLL; Size=508}, @{ModuleName=CLBCATQ.DLL; Size=508}, @{ModuleName=CLBCATQ.DLL; S
....
No comments:
Post a Comment