Best method/program for monitoring data exfiltration?



Since Samuel linked to NirSoft and Ron linked to SysInternals, a word of advice and a word of caution.


Caution: Many of Nir Sofer's tools will set off MBAM (and most decent AV products as well) as potential viruses.  You'll need to make sure you have exceptions in your AV software, MBAM, and other software as well.  They are not malicious files.  But the mechanisms that they employ can be used in a malicious manner, so rather than marking them as FPs in the definitions, it is better for individual users to determine whether to allow them or not.  Since you plan on using them, you'll probably want to allow them on an as-installed (as-used) basis.


Advice: If you find that you use more than a few of the tools from Nir Sofer and/or SysInternals, then you could opt to use either site's all-in-one package download.


Or you could opt to use software from KLS Soft called WSCC (Windows System Control Center).  It will allow you to download whichever tools you choose from both sites, optionally allow you to use the online tools at SysInternals, and also comes in a regular portable version as well as one that is compatible with PortableApps.com.


No matter how you do it, though, the word of caution above applies: be prepared for your anti-malware program(s) to kick up a veritable storm of block messages/quarantined files if you do.


I use many tools from both sites, as well as WireShark (when I was in college and working in the IT dept., the NetAdmin of the school showed me how he used it and used a lot of our time together to have me learning the basics of WireShark).  It's truly incredible.


Caution: Many of Nir Sofer's tools will set off MBAM (and most decent AV products as well) as potential viruses.

Let me properly qualify that statement.


No anti-malware application will flag these tools as potential viruses.  Anti-virus and anti-malware utilities may flag various utilities as "Not a virus", "Hacktool", "Potentially Unwanted Program (PUP)" or another detection.


This is not because the tools are malicious but because the tools have the propensity to be used maliciously. 


For example, Nir Sofer (Nirsoft) has Password Recovery Tools.  While these are OK to use on your own PC, malware may package a Nirsoft utility with its payload, capture passwords, and exfiltrate the extracted data.


There are multiple points here that must be addressed.


The first is that Sysinternals' TCPView (and Nirsoft's CPorts) allow one to see, via a GUI, what program is connecting to an Internet/Intranet site via the TCP or UDP (or both) protocol.  One may view this display over time and see a program connect to an Internet site and then disconnect.  The connection may be shown in colour to indicate the activity's state, such as green for connecting and red for disconnecting.


This is fine when a program like FIREFOX.EXE [ c:\Program Files\Mozilla Firefox\firefox.exe ] is the active component, or if some malware does it, such as THVBHY.EXE [ C:\Users\Admin\AppData\Local\Temp\THVBHY.EXE ].  In the case of Firefox one would expect (mostly but not always) connections via http [ TCP port 80 ] and https [ TCP port 443 ].  In the case of a malicious process such as the THVBHY.EXE example above, it may use https or ANY protocol it is programmed to use [ there are 65535 TCP ports and likewise 65535 UDP ports ].  This "unusual activity" is a clue to malicious activity.


Another situation is where the computer "beacons" to an Internet site.  That is, on a periodic, regularly timed schedule, a malicious process may try to communicate with a malicious Internet site, home, 3rd-party or Command and Control (aka C2, CnC or C&C) site.  The duty cycle of this beaconing can be quite short.  That is, the period may be once per hour and the actual communication attempt may take place for less than 1 minute.


This duty cycle may be too short for you to happen to "see" the activity.  If a malicious process such as the THVBHY.EXE example above was the culprit, that would be easy to spot.  However, the process can be injected into the Operating System such that it is tied to a legitimate process such as "SYSTEM" or "svchost.exe".


Wireshark is a protocol decode and analysis program.  It will allow one to "capture" packets of a chosen protocol family or a particular protocol.  You can't run it all day without filtering because the data set captured will be too large and overwhelming.  One would have to filter out "background noise" and concentrate on abnormal OS activity.  This can be done intrusively and non-intrusively.  When I say "intrusively", that is to say Wireshark is installed on the computer in question.  It should be noted that malware examines the programs running on the system it is on and may go "dormant" when it sees a program such as Wireshark running.  When I say "non-intrusively", this is where one uses a second computer with a "promiscuous Network Interface Card (NIC)" and an Ethernet hub.  It should also be noted that such "dormancy" may be triggered by the detection of TCPView, CPorts or any other tool running on the PC.  On another note, a clue to malicious activity could be that TCPView, CPorts or some other tool will not run.  That is, a malicious process running in the background will not allow such utilities to run.  One trick to get around this is to copy the tool to a differently named file, such as taking TCPVIEW.EXE and creating a copy named blackdove83.exe or blackdove83.com.


A promiscuous NIC is one that basically sees all traffic, and not just traffic intended for the MAC address of the monitoring computer, where the monitoring computer is the PC with Wireshark.


The non-intrusive mode is where one sets up this "test bed" and, on the suspect computer, all regular programs are closed (RealAudio, QuickTime, Yahoo IM, email, etc., etc.) and the computer is allowed to run without user intervention.  On the monitoring computer where Wireshark is loaded one would still filter out "background noise" but would allow Wireshark to "sniff" the wire over some period of time.


Finally, one should note it is not the traffic but the traffic behaviour that may be the clue.  If a malicious process such as the THVBHY.EXE example above was the culprit, the data may be "clear text" and a protocol decode will show that personal information is being/has been exfiltrated.  However, new malware often uses the Microsoft Crypto API.  That means a malicious process such as the THVBHY.EXE example above can just as easily encrypt the data stream, and thus a protocol decode will show "garbage" (as far as you are concerned).


It should not be understated that if data is exfiltrated you are already too late.  The system has been compromised, as well as the data, and if one is cognizant of this then one must go into an immediate mitigation mode such as changing passwords, changing Internet account names, etc.



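The two clues described in the post above, a process talking on a port it would not normally use and a connection that recurs on a regular schedule (the hourly beacon with a short duty cycle), can be checked mechanically once the per-process connection view has been exported to a log. The following Python script is an added example, not code from this thread or from TCPView, CPorts or Wireshark; the log lines, the baseline of expected ports per process and the thresholds are all constructed for illustration.

```python
"""Flag unusual ports and beacon-like timing in a per-process connection log.

Input format (constructed, one connection per line):
    <ISO timestamp> <process> <remote address> <remote port> <protocol>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: a browser on the expected ports, one browser
# connection on an odd port, and a "svchost.exe" that calls the same host
# roughly once per hour for a few seconds.  Addresses are documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
2024-01-01T08:00:05 firefox.exe 93.184.216.34 443 TCP
2024-01-01T08:00:07 firefox.exe 93.184.216.34 443 TCP
2024-01-01T08:00:10 svchost.exe 203.0.113.7 8081 TCP
2024-01-01T08:13:20 firefox.exe 198.51.100.20 80 TCP
2024-01-01T09:00:11 svchost.exe 203.0.113.7 8081 TCP
2024-01-01T09:42:00 firefox.exe 93.184.216.34 443 TCP
2024-01-01T10:00:09 svchost.exe 203.0.113.7 8081 TCP
2024-01-01T11:00:12 svchost.exe 203.0.113.7 8081 TCP
2024-01-01T11:30:00 firefox.exe 203.0.113.99 6667 TCP
"""

# Hypothetical baseline an analyst would build from a known-clean period:
# which remote ports each process is expected to use.
BASELINE_PORTS = {"firefox.exe": {80, 443}}


def parse_log(text):
    """Parse log lines into (timestamp, process, address, port, protocol) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, addr, port, proto = line.split()
        events.append((datetime.fromisoformat(ts), proc, addr, int(port), proto))
    return events


def unusual_ports(events, baseline=BASELINE_PORTS):
    """Return (process, address, port) for every connection where a baselined
    process used a port outside its expected set.  Processes without a
    baseline (e.g. svchost.exe) are not judged here; see find_beacons."""
    return [(proc, addr, port)
            for _, proc, addr, port, _ in events
            if proc in baseline and port not in baseline[proc]]


def find_beacons(events, min_events=4, max_cv=0.1):
    """Group connections by (process, address, port) and flag series whose
    gaps between connections are nearly constant.  Regularity is measured as
    the coefficient of variation (stdev / mean) of the gaps; a small value
    means clock-like timing.  Returns {key: mean gap in seconds}."""
    series = defaultdict(list)
    for ts, proc, addr, port, _ in events:
        series[(proc, addr, port)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for proc, addr, port in unusual_ports(evts):
        print(f"unexpected port: {proc} -> {addr}:{port}")
    for (proc, addr, port), period in find_beacons(evts).items():
        print(f"beacon-like: {proc} -> {addr}:{port} every ~{period}s")
```

On the constructed log this reports the browser's port 6667 connection as unexpected and the svchost.exe series as beacon-like with a period of about an hour. The two checks are complementary: the port baseline catches a known process stepping out of character, while the timing check needs no baseline at all, which matters when the clue is a legitimately named process (the injected svchost.exe case the post describes) whose port alone looks unremarkable.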

Thank you for all of the information. I suspected that things were like you've confirmed they are.


I've been reading up on specific types of malware that don't advertise to the user, and are simply there to record or exfiltrate.


So, say my webcam had been activated and was being used to spy on me, Wireshark or TCPView would show a fake svchost or something sending a lot of data for no reason, and that would be likely to show up there? Encrypted or not, it would likely show some suspicious activity?


The reason I ask is that certain programs, like Team Fortress 2 or something, which I know must be sending and receiving a lot of data, don't show up as doing so in TCPView at all.


I'll research more into that promiscuous network interface. Any more information you can think of would be appreciated.


Although it can be malware masquerading as the legitimate SVCHOST.EXE [ such as c:\windows\temp\svchost.exe ], a DLL can be injected into a service, thus the legitimate SVCHOST.EXE [ c:\windows\system32\svchost.exe ] will be seen with the unusual activity.



So, say my webcam had been activated and was being used to spy on me, Wireshark or TCPView would show a fake svchost or something sending a lot of data for no reason, and that would be likely to show up there? Encrypted or not, it would likely show some suspicious activity?


Maybe, maybe not.  One would think that you would see a network connection.  However, it could also record the data and save it until some period where the computer has been at rest for some indeterminate time, and then send the captured data.  However, it would show some suspicious activity at some point in some way.


We are talking about actual malware performance but in generalized terms.  We are not discussing a particular malware or malware family which has shown a specific set or sub-set of activities.


Different malware will have a set payload and modus operandi.  They can be generalized.


For example, when discussing rogues we know that their payload will announce itself in full glory.  That is, their intent is to indicate an issue (hard disk, malware... whatever) and let you know it can be dealt with for a fee.


A spambot will not be "in your face".  Its payload must be stealthed such that it can exist and perform its payload function for as long as possible and without computer owner intervention.  Part of the payload will be exhibiting self preservation techniques.  Often it is finding these self preservation techniques that becomes the clues to a present infection.


Other malware may lie dormant for some indeterminate time period, or be based on a calendar event, only to become active on its coded schedule or in an event-based reaction.


Based upon the number of posts and the queries made, it has become more than evident that you think you may be infected.  This is still a Malwarebytes Anti-Malware product support forum, and the best advice is a choice...


1.  Backup your data, wipe the PC and reinstall the OS of choice


2.  Choose to get 1-on-1 assistive help in the Malware Removal forum after reading: I'm infected - What do I do now?


Microsoft TCP view is the best option.


There is no "best option" and I have elucidated why TCPView and CPorts are limited and fall short of being a "best option" in Post #8.


It takes an arsenal of tools/utilities, and an understanding of how they work and what their limitations are, to get an overarching understanding of the state a computer may be in with reference to a possible malware occurrence.


  • Root Admin

Agree with David.  Research, learning, and building experience is the best option.  Once a rootkit is on the system it can do anything it wants, including telling you the color is ORANGE when it's really GREEN, but you won't know that as everything will say it's ORANGE.
