IT Trenches

Jan 27 2010   6:26PM GMT

Identify malware infection using Internet Explorer history



Posted by: Troy Tate
Tags: antimalware, antivirus, Internet Explorer, internet explorer history, malicious software, toolkit, troubleshooting

A user on my network recently reported their computer was displaying virus detection warnings. Investigation showed that the virus detection warnings were bogus and looked something like the screen below.

[Screenshot: Bogus Anti-Virus warning]

One thing to note about notifications like this is that the computer displaying the message is already infected by some malware. The next thing that must happen is identifying the infected files and removing them. This process can take several steps. Some of the steps are outlined below.

  • The client antivirus must be updated to see if it can detect and remove the infection.
  • Scan the client using the Microsoft Malicious Software Removal tool. This is free and available for Windows systems running Windows 2000 or newer.
  • If possible, use task manager to see running tasks. Find the names of any strange running processes. Then, see if you can locate the executable name on the hard drive.
  • If you can locate the executable, and the previous virus scans have not detected anything, it is possible that you have a new variant or a new malware sample. To find out, submit the suspicious executable to VirusTotal for analysis by multiple virus scanning engines. This can help you determine what the depth of infection might be on this system.

In the case of this user, we also wanted to identify the particular source of infection and block it using URL filtering. This is where IE History Viewer came into action. I used the Sysinternals Psexec tool to remotely run the IEHV executable and capture the user’s browsing history. The command series I used for this purpose was as follows (this must be run under the security context of a user with administrative rights over the remote computer):

net use * \\machine-name\c$

psexec \\machine-name -w c:\ -c iehv.exe /shtml "userIEdata.html" -user username

Where machine-name can either be the fully qualified domain name of the user's computer or the IP address. The username must also be specified on the command line in the same format as the name used on the user's Documents and Settings folder. In other words, a user may have more than one profile copy on the computer, and the command shown above needs the name of the profile the user actually uses. For example: user JBond may have profiles JBond.UK and JBond.007. If JBond.007 is the normal profile used by this user, then that will be the value used for the username variable above. So, an example for this would be:

psexec \\Goldfinger -w c:\ -c iehv.exe /shtml "JBond007-IEdata.html" -user JBond.007

So, if I mapped drive Y: to the Goldfinger computer, there would be an HTML file on it called JBond007-IEdata.html showing the IE history for the JBond.007 user. Since this file is HTML, it can be opened in a web browser or other HTML editors for review. I typically open the output file in Excel so I can do sorting, searching and string manipulation on the data.

This enabled me to look at the user's internet activity around the time the bogus antivirus detection was reported. One thing you should notice in the history file shown below is the kaka:// string in front of a path to a file under the user's Documents and Settings folder. This kaka string can help you identify where part of the malware has deposited itself. This is the file that needs to be submitted to VirusTotal for analysis.

The IE History Tool can be a very useful tool for fighting malware. I also found a website that I put into the URL filter blocklist called laptopantivirus.net. This is a known malware source and if you have not blocked it in your environment in some way, I recommend you take steps to block this domain.
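The two checks described above (spotting the odd kaka:// entry that points at a dropped file, and pulling the hosts visited just before the bogus warning appeared so they can go into the URL filter) can be scripted instead of done by hand in Excel. The following is an added example, not the author's code and not part of NirSoft's IEHV; the column layout of the sample export is an assumption loosely modelled on an IEHV /shtml table, so compare it with the header row of a real export and adjust the column names before use. The sample HTML, the file name wz3a.exe and the timestamps are constructed for the demonstration.

```python
"""Triage an IE History Viewer HTML export for malware indicators.

Added example, not the blog author's code and not NirSoft's. The table layout
below (URL, Title, Hits, Modified Date, User Name) is an assumption; check the
header row of a real /shtml export and rename the keys if it differs.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
from datetime import datetime, timedelta

# Constructed sample resembling an IEHV /shtml export. The kaka:// row and the
# laptopantivirus.net hit mirror the two indicators discussed in the post.
SAMPLE_HTML = """
<html><body><table>
<tr><th>URL</th><th>Title</th><th>Hits</th><th>Modified Date</th><th>User Name</th></tr>
<tr><td>http://www.example.com/news</td><td>News</td><td>3</td><td>1/26/2010 9:02:11 AM</td><td>JBond.007</td></tr>
<tr><td>http://laptopantivirus.net/scan.php?id=42</td><td>Online Scan</td><td>1</td><td>1/26/2010 9:15:40 AM</td><td>JBond.007</td></tr>
<tr><td>kaka://C:\\Documents and Settings\\JBond.007\\Local Settings\\Temp\\wz3a.exe</td><td></td><td>1</td><td>1/26/2010 9:15:52 AM</td><td>JBond.007</td></tr>
<tr><td>http://www.example.com/mail</td><td>Mail</td><td>7</td><td>1/26/2010 11:40:03 AM</td><td>JBond.007</td></tr>
</table></body></html>
"""

# Schemes IE legitimately records; anything else (kaka://) is worth a look.
KNOWN_SCHEMES = {"http", "https", "ftp", "file", "about", "res", "javascript", "mailto"}
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # assumed to match the export's date column


class _TableParser(HTMLParser):
    """Collect every <tr> of the export as a list of cell strings."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell, self._in_cell = [], None, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._in_cell, self._cell = True, []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._row is not None:
            self._row.append("".join(self._cell).strip())
            self._in_cell = False
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._in_cell:
            self._cell.append(data)


def parse_history(html):
    """Return the history rows as dicts keyed by the header row's column names."""
    p = _TableParser()
    p.feed(html)
    header, *body = p.rows
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]


def find_dropped_files(entries):
    """Local paths recorded under an unknown scheme such as kaka://.

    These are the candidates to pull from the machine and submit to VirusTotal.
    """
    hits = []
    for e in entries:
        scheme, sep, rest = e["URL"].partition("://")
        if sep and scheme.lower() not in KNOWN_SCHEMES and rest[1:3] == ":\\":
            hits.append(rest)
    return hits


def domains_near(entries, reported_at, window_minutes=15):
    """Hosts of http(s) entries visited in the window before the report time.

    reported_at uses the same format as the export's date column. The result is
    ordered by first visit without duplicates: the blocklist candidates.
    """
    end = datetime.strptime(reported_at, DATE_FORMAT)
    start = end - timedelta(minutes=window_minutes)
    timed = []
    for e in entries:
        parts = urlsplit(e["URL"])
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            continue
        try:
            when = datetime.strptime(e["Modified Date"], DATE_FORMAT)
        except ValueError:
            continue          # malformed date cell: skip rather than guess
        if start <= when <= end:
            timed.append((when, parts.hostname))
    seen, out = set(), []
    for _, host in sorted(timed):
        if host not in seen:
            seen.add(host)
            out.append(host)
    return out


if __name__ == "__main__":
    history = parse_history(SAMPLE_HTML)
    print("dropped file candidates:", find_dropped_files(history))
    print("hosts before the report:", domains_near(history, "1/26/2010 9:20:00 AM"))
```

Run it against a real export by reading the file produced by iehv.exe into `parse_history` and passing the time the user reported the warning to `domains_near`; the first list is what goes to VirusTotal, the second is reviewed against known-good sites before anything is added to the URL filter.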

Have you used it for any other useful purposes? Share your experiences with other ITKE readers.

Thanks for reading and let’s continue to be good network citizens!
