Trojans and Malware Protection

Part one: Activating a Trojan

Following along with Lab 2. Browsing the file explorer to c:\GTSLABS brought me to a bunch of set up files. Running the file “setup” installed a piece of software, which turned out to be minesweeper, accepting the default settings, the lab asked me to check out if anything else had installed, in this case I’m guessing the Trojan. Scanning through the Task Manager processes which the lab tells you to check, all i could find that was unusual to me was the “nc (32-bit)”.

Further investigation is required.

Event Viewer:

The Lab required us to open up and view the event logs of the system to see if I could see anything unusual inside of the Application and System logs.

As soon as I clicked on the Application logs, I seen an error, the error was Security-SPP, which after a little research learnt that Security-SPP is a service related to windows licensing and activation. In the details it says that the license activation had failed, Unaware as to why, I think it may be due to this being a VM.


Looking further down the Application log list, I found a lot more of the Security-SPP but also a perflib 1008 error, unaware of what it is, I did some research. This event may occur for various applications. When the performance monitor reads all counters for the first time, the extension’s Open Procedure is called. A typical task for the Open procedure is to read what range of object indexes it supports from the registry. These index values are stored in the First Counter, First Help, Last Counter, and Last Help registry values under the application’s performance key. If this Open procedure fails to read the data (i.e. those entries don’t exist or have been deleted) the 1008 event is recorded in the event log.


Moving on to checking out the System logs now, I was first met with a warning that didn’t hold much value as it had already fixed itself. But moving further down the list I came across a Distributedcom 10010 error. Checking it out I found that these errors are just timing issues and are meaningless to the end user, the system is still working fine after all.


I found a critical error that was caused from the system not shutting down properly, I don’t think that is what I’m looking for, then again I’m not entirely sure what I am looking for. Still scanning down the system logs, I came across a Eventlog error that was caused due to an unexpected shutdown of the system and a volsnap error that was caused from a shadow copy of my C: being aborted due to limited storage.

Moving further down, I found a list of warnings with a particular error in between them, which had to do with Group Policy.

Group Policy.PNG

That was all that I could find while moving down the two lists.


The lab required us to open up the windows firewall and navigate to inbound rules to spot anything unusual, as soon as I had opened it, it was full of errors, well not full but their was a lot.

Inbound rules.PNG

Part two: Exploiting the Trojan

This part of the lab was introducing how to exploit the backdoor from the Rogue VM. Following along with the lab, and I get to the point where we need to scan for the port number 4450, to listen for the Trojan currently accessing client at administrator level, but whenever I go to scan the only alive machine that shows up is the ROGUE which is the one I am running the IP scanner off, I have no idea why it won’t work properly with the lab.

So I’m going to have to skip this section and see if I am still able to carry on with this lab.

Part Three: Blocking the Trojan

Part three tells me to go through the firewall and disable any rule that has Firewall Service.

This slideshow requires JavaScript.

Part 4: Deploying Malware Protection

We are using group policy on the server vm to ensure that windows defender is active on each computer, by disabling Turn off windows defender, turn off routine remediation, and turn off real-time protection.

Part 5: Using the AntiVirus Software

This section was all about how to use the anti-virus software to detect and neutralize malware threats. Was really interesting because when I navigated to documents to run the file, it wasn’t even there but the in Windows defender the “DOS/Eicar_Test_File” was there in the history. I was able to follow along with this part of the lab. 

Also I wasn’t able to revert anything back!! I can’t find the revert button!

Coming back..

I came back to this lab after I went through the class forum, and it had solutions to the problem I had earlier in this lab. So I did redo it.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s