Download rrodTRAITS 15.43 KiB application/vnd.openxmlformats

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
Document related concepts

Airborne Networking wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
svchost::svchost
B2 46 This piece of software contains a decompression algorithm used by version 3.03 of the UPX
executable packer.
A9 A2 This program appears to be opening a raw socket. Malware applications often open up raw sockets
for use in ping flooding/DDOS attacks
38 CD Program is determining the layout of the keyboard.
21 B8 Storing URL files.
B4 0B Program appears to be compiled in Delphi.
38 A6 Program appears to communicate over the network.
45 45 Program appears to communicate over the network or over a named pipe.
8E 44 Program appears to communicate over the network or over a named pipe.
iexplore::iexplore
B2 46 This piece of software contains a decompression algorithm used by version 3.03 of the UPX
executable packer.
AC C8 Potential service accessing Internet Explorer settings
5F D9 Program can turn on the audio microphone and record audio.
38 CD Program is determining the layout of the keyboard.
B8 98 Program appears to communicate over the network using TCP/IP.
DF 37 Program uses web or ftp addresses and possibly URL's to access one or more sites on the Internet
for downloading files or posting up data.
1C 0E This module may enable audio recording.
83 69 Program appears to communicate over the network using TCP/IP.
21 B8 Storing URL files.
C1 7C Program appears to communicate over the network using TCP/IP. It appears to use, check, or log
the IP address of the remote connection point.
B4 0B Program appears to be compiled in Delphi.
7E 1E Program appears to communicate over the network using TCP/IP.
E7 9F Program appears to communicate over the network using TCP/IP.
B4 EE Translates network to host byte orders, common to winsock and sockets implementations.
AE DA This trait is an indicator that this program may be writing outgoing data on a socket.
0E DF Program appears to communicate over the network using TCP/IP.
79 D8 Program appears to communicate over the network using TCP/IP.
C6 E4 Program appears to communicate over the network using TCP/IP.
05 81 Program appears to use the UDP protocol and receive packets.
svchost::memorymod-pe-0x00d90000-0x00e82000
80 08 This appears to be a hidden module, possibly injected.
C6 AA Program may have remote process injection capability.
A9 A2 This program appears to be opening a raw socket. Malware applications often open up raw sockets
for use in ping flooding/DDOS attacks
9B E1 Possible scans UNC paths.
68 5A Protected storage COM interface DLL - could indicate scanning for username/passwords
45 3C This module may use an undocumented windows call to load dlls.
EE 51 Program can communicate from usermode to kernelmode using a command channel. This is
common to any program that has a device driver component, or accesses hardware via a device driver.
27 E1 This program understands the SMTP and/or ESMTP mail protocols. These protocols can be used
to send SPAM or to communicate with remote machines.
25 6A Program may be using named pipes. This is a method for two processes to communicate with one
another.
B8 F6 The program may use win.ini
78 9A Program appears to be using mail slots. Mail slots can be used between two different programs so
they can communicate with one another. Some exploits are known to use mail slots.
0E 6F Program may be using named pipes. This is a method for two processes to communicate with one
another.
61 9B Program opens a handle to a running process on the system. This is done before some
manipulation or information query made against the process.
4A 31 Program may be moving files over the network or copying files on the filesystem.
iexplore::flash6.ocx
70 AE This module appears to have a binary embedded resource which is common to malware droppers.
5F D9 Program can turn on the audio microphone and record audio.
1C 0E This module may enable audio recording.
13 A9 This module may capture screen shots.
1B D2 This module may have embedded resources.
5D 09 The program uses the windows shell to access a local file on the system.
4C EC The program is reading the system time and converting it to a file time.
B4 EE Translates network to host byte orders, common to winsock and sockets implementations.
E7 9F Program appears to communicate over the network using TCP/IP.
4C 5D A method for intercepting keystrokes from the data path that relies on an event, callback, or signal
being delivered to the sniffing program. This is not suspicious by itself and is used by many GUI based apps
on windows.
7A A0 Explorer settings
winlogon::msgina.dll
F6 E3 Process may inject or write data into other processes.
1B 2A Program is reading the memory of another process. This is not typical to most programs and is
usually only found in system utilities, debuggers, and hacking utilities.
66 09 This module opens an existing local process object.
4C 5D A method for intercepting keystrokes from the data path that relies on an event, callback, or signal
being delivered to the sniffing program. This is not suspicious by itself and is used by many GUI based apps
on windows.
System::tcpip.sys
DD 33 Driver appears to use the windows internal IP stack. This is common to networking drivers, desktop
firewalls, and security software. However, it is also common to kernel mode rootkits.
0E 3A Driver appears to use the windows internal IP stack. This is common to networking drivers, desktop
firewalls, and security software. However, it is also common to kernel mode rootkits.
64 31 This device driver queries and obtains the EPROCESS block for the current process. This is not by
itself suspicious, but is used some rootkits that remove process entries for stealth.
3C 02 This networking driver is accessing the filesystem, check for a backdoor
93 75 Indicates that this module is opening a registry key.
5F 2B Indicates that this module is sending control code directly to drivers
System::oreans32.sys
73 24 Kernel driver appears to query the system call table. This can potentially mean hooks are being
used.
64 31 This device driver queries and obtains the EPROCESS block for the current process. This is not by
itself suspicious, but is used some rootkits that remove process entries for stealth.
Related documents
TCP/IP Configuration
TCP/IP Configuration
CLIENT SERVER ARCHITECTURE
CLIENT SERVER ARCHITECTURE
Networking - Institute of Mathematics and Informatics
Networking - Institute of Mathematics and Informatics
Reference Models - UT School of Information
Reference Models - UT School of Information
How the Internet Works
How the Internet Works
Project Description
Project Description
Presentation: Operating systems
Presentation: Operating systems
Proposed Differentiated Services on the Internet
Proposed Differentiated Services on the Internet
Interview Questions
Interview Questions
Chapter17 - Website Staff UI
Chapter17 - Website Staff UI