Quick Tip: Log all references to HTTP in your files and programs.


  1. Posts : 121
    Windows 7
       #1



    This is quick and dirty.

    If you ever get hacked, you might not know it. Your Anti-Virus might miss the infection and the malicious process might run invisible to task manager.

    One quick and dirty way to check for signs of infection is to create a log that contains all the URLs contained within the files and programs on your computer. Because almost all malware is going to try to send and receive files to and from your computer, making a log of every URL contained on your computer can reveal some really interesting information. For instance, you might discover that a PDF file you thought was innocent contains references to a known malware domain hosted in China or Russia.

    To create your log, you will need:

    Strings from Sysinternals: This tool will search through every file and folder on your computer (or just one if you prefer) and print out all the ASCII and Unicode text it finds contained within them. It is faster than FINDSTR in the command line, and its output is cleaner and more organized.

    Please note that to use the script as is, you will need to place the strings executable in your system32 folder. OR, you will need to add the path of the strings.exe executable to your PATH environment variable.

    Next, copy and paste the following command into a command prompt:

    Code:
     cls && cd \ && strings -q -s | find "http://" > "%USERPROFILE%\Desktop\Http_Log.txt" && notepad.exe "%USERPROFILE%\Desktop\Http_Log.txt"
    The code will first clear the screen (cls), then change the current directory to the C: drive (cd \), then it will search strings (or text) in each file and program on your computer (strings -s). It will then pipe, or send ( | ), that data to the find command and find strings that start with http:// (find "http://").

    While doing this it will add every string it finds to a file on your desktop called Http_Log.txt ( > "%USERPROFILE%\Desktop\Http_Log.txt"), and once that finishes, it will then open that log in notepad for you to view it ( notepad.exe "%USERPROFILE%\Desktop\Http_Log.txt" ).

    Once the log has been created, it is up to you to do with as you please. For me, I like to start looking for interesting strings. So I will do an Edit>Find in notepad and look for references to Chinese or Russian websites (.cn or .ru). I'll also look for keywords like "password", ".dll" and other things.

    Some technical notes:

    • Please note that the size of the log file will be bigger than your average text file, usually between 10MB and 35MB. Notepad can handle a file size this large, but give it a little while to open it.
    • Also note that each time you run this command, the size of your log file will be twice as large as before. The reason is that each successive time you run it, it will add all the strings it finds in your http_log.txt file to your new http_log.txt file, so it will be twice as large.
    • Please note that it will take a while for this command to finish. If you have over 1GB of RAM, you can just do something else while it runs. If you have 512MB or less, then you might want to go get some coffee and watch a TV show until it is done.


    Happy Hunting
    Last edited by dranfu; 02 Sep 2010 at 23:27.
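
One way to triage the resulting Http_Log.txt instead of searching it by hand in Notepad, as an added example that is not part of the original post: it counts each host, lists the rarest first, and flags lines matching the .cn/.ru endings and the keywords the post mentions. The function names and sample lines are constructed for illustration, and the sample hosts use reserved test names, so the demo passes `.test` as the ending to watch.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r"""http://[^\s"'<>()]+""")

def hosts_in(line):
    """Return the host of every http:// URL found in one log line."""
    hosts = []
    for url in URL_RE.findall(line):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # binary junk such as "http://[" is not a real URL
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def triage(lines, tlds=(".cn", ".ru"), keywords=("password", ".dll")):
    """Return (hosts sorted rarest first, [(reasons, line), ...])."""
    seen, counts, flagged = set(), Counter(), []
    for raw in lines:
        line = raw.strip()
        if not line or line in seen:  # skip blanks and exact repeats
            continue
        seen.add(line)
        hosts = hosts_in(line)
        counts.update(set(hosts))  # count each host once per line
        reasons = [t for t in tlds if any(h.endswith(t) for h in hosts)]
        reasons += [k for k in keywords if k in line.lower()]
        if reasons:
            flagged.append((reasons, line))
    # A host seen once stands out more than a schema URL seen in many files.
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0])), flagged

# Constructed sample lines (not real tool output); hosts use reserved test names.
SAMPLE = [
    r"C:\Windows\System32\shell.bin: http://schemas.vendor.example/settings",
    r"C:\Program Files\App\app.exe: http://schemas.vendor.example/settings",
    r"C:\Users\me\Documents\invoice.pdf: /URI (http://updates.lab.test/get.php?id=1)",
    r"C:\Users\me\Documents\invoice.pdf: /URI (http://updates.lab.test/get.php?id=1)",
    r"C:\Tools\helper.exe: POST http://collector.lab.example/up password=%s",
]

if __name__ == "__main__":
    rare_first, flagged = triage(SAMPLE, tlds=(".test",))
    for host, n in rare_first:
        print(f"{n:6d}  {host}")
    for reasons, line in flagged:
        print(",".join(reasons), "|", line)
```

To run it on the real log, pass an open file to `triage`, for example `open(path, errors="replace")`, so stray non-text bytes do not stop the read.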


  2. Posts : 234
    Windows 7 Home Premium 64bit
       #2

    Nice thread.
    Looks like it took you a while.


  3. Posts : 1,158
    Win7 HP (x64)/Win7 Ultimate (x64)
       #3

    Thanks for the work done dranfu :)
    Will give this a try


  4. Posts : 121
    Windows 7
    Thread Starter
       #4

    Glad you enjoyed it


 
