CAN YOU REALLY TRUST THE WINDOWS PROCESS VIEWER?
WHAT ABOUT 3RD PARTY SOFTWARE SUCH AS "PROCESS EXPLORER", OR EVEN THE WINDOWS COMMAND LINE? YOU MAY FIND THE INFORMATION HERE INTERESTING!
I thought I'd post on something a bit different.
This post isn't for everyone, although some may find it very interesting, whether you're new to the IT industry or have been working with computers for a while and want to become more familiar with malware, rootkits and testing for nasties from a forensic standpoint.
A rootkit hides itself by hooking the process-enumeration APIs of the system it was written for, and process architectures differ between operating systems, so it's unlikely that one kit will hide itself from multiple operating systems. For the same reason, a process list taken remotely often looks different from the one you see when you view it locally on the compromised machine. This applies just as much to third-party process viewers such as "Process Explorer" for Windows as it does to Task Manager.
When you suspect complex malware or a rootkit, check the victim machine remotely, or watch its traffic from another host with a network intrusion detection system such as Snort (free, and also good for intrusion detection in general): a process hidden from the local APIs still has to put its packets on the wire. What you see may surprise you! If you're looking to get into computer forensics or advanced malware detection, you need to look past searching for stuff locally on the hard drive. Other than completely wiping the hard drive, there is no real way of knowing for sure that a victim's computer is "clean", regardless of how many scanners you run. A true test is "looking outside the box", literally: this way you can see what a hacker may see, rather than what you see locally.
Found this interesting video courtesy of Infosec for those who may be interested in having a look. http://www.youtube.com/watch?v=-tGfXLZSQNI
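A small worked example of the "don't trust one view" idea, added here and not part of the original post: a cross-view check that compares the local process list with a second, independent data source, the PID column of `netstat -ano`, and reports PIDs that own a socket but are missing from the process list. A user-mode rootkit that hooks process enumeration hides itself from Task Manager, Process Explorer and `tasklist` alike, but the socket table is populated separately, so the PID tends to show up there. The same `parse_tasklist` function can be pointed at the output of `tasklist /S <host>` taken from another machine to get the remote view the post recommends. Both command outputs below are constructed by hand in the format the real tools print; the hidden PID 2704 and its port are invented for the example.

```python
"""Cross-view process check (added example, not from the original post).

Compares a `tasklist` process list with the PID column of `netstat -ano`
and reports PIDs that own sockets but are absent from the process list.
The sample outputs are constructed to mimic the real tools' format.
"""
import re

# Constructed sample of `tasklist` output on the suspect host.
TASKLIST_LOCAL = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        272 K
svchost.exe                    912 Services                   0     12,344 K
explorer.exe                  1840 Console                    1     48,212 K
"""

# Constructed sample of `netstat -ano` on the same host.
# PID 2704 (invented for this example) owns a listening port but does not
# appear in the tasklist output above: that is the discrepancy we look for.
NETSTAT_LOCAL = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2704
  TCP    192.168.1.10:49512     93.184.216.34:443      ESTABLISHED     1840
  UDP    0.0.0.0:5355           *:*                                    912
"""

# tasklist data row: image name, PID, session name, session number, memory.
TASKLIST_ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# netstat -ano data row: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` (local or `tasklist /S host`) output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("name").strip()
    return procs


def parse_netstat(text):
    """Return {pid: [(proto, local address, state)]} from `netstat -ano` output."""
    sockets = {}
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            sockets.setdefault(int(m.group("pid")), []).append(
                (m.group("proto"), m.group("local"), m.group("state") or ""))
    return sockets


def hidden_pids(procs, sockets):
    """PIDs that own a socket but are missing from the process list.

    The process list and the socket table are separate data sources, so a
    hook that filters only process enumeration leaves the PID visible here.
    The converse (a listed process with no sockets) is normal and not reported.
    """
    return sorted(pid for pid in sockets if pid not in procs)


def report(procs, sockets):
    """Human-readable lines, one per socket owned by a hidden PID."""
    lines = []
    for pid in hidden_pids(procs, sockets):
        for proto, local, state in sockets[pid]:
            lines.append(
                f"PID {pid} owns {proto} {local} {state}".rstrip()
                + " but is not in the process list")
    return lines


if __name__ == "__main__":
    procs = parse_tasklist(TASKLIST_LOCAL)
    socks = parse_netstat(NETSTAT_LOCAL)
    for line in report(procs, socks) or ["no discrepancies between views"]:
        print(line)
```

The caveat that goes with this: a kernel-mode rootkit can hook the socket table as well as process enumeration, so agreement between two views on the same box proves nothing. That is exactly why the post says to take the second view from outside the machine, whether a remote `tasklist /S`, or the traffic itself as seen by a sensor like Snort on another host.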