10.1 Malware Identification and Monitoring Exercise
Using the Windows Sysinternals suite of diagnostic tools, identify the behaviors
of the Alarm Clock application that make it a software Trojan. Note any filesystem,
memory, registry, or other activity that is unrelated to the program's advertised
functionality. The Alarm Clock application is available at the following location:
Alarm Clock Java Application
Note that even though the Alarm Clock application is written in Java, the bytecode has
been aggressively obfuscated to discourage the use of decompilation as a strategy for
learning the application's behavior.
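One way to work through this exercise once a Process Monitor trace of the application has been captured, as an added example that is not part of the original course material: a small Python triage script over a Procmon CSV export that flags registry and filesystem events an alarm clock has no reason to generate. The sample rows, the process name javaw.exe and the rule set are constructed assumptions, not recorded behaviour of the Alarm Clock application.

```python
import csv
import io
import re
from collections import Counter

# Constructed Process Monitor CSV export (default column layout); not a real
# capture of the Alarm Clock application.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","javaw.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId","SUCCESS","Type: REG_BINARY"
"10:01:02.2","javaw.exe","4120","RegEnumKey","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall","SUCCESS","Index: 0"
"10:01:03.0","javaw.exe","4120","WriteFile","C:\\ac_data\\sysinfo.txt","SUCCESS","Offset: 0, Length: 512"
"10:01:03.5","javaw.exe","4120","CreateFile","C:\\Users\\alice\\Documents\\budget.xlsx","SUCCESS","Desired Access: Read Attributes"
"10:01:04.0","javaw.exe","4120","ReadFile","C:\\Program Files\\Java\\jre8\\lib\\rt.jar","SUCCESS","Offset: 1024, Length: 4096"
"""

DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|od[tsp]|pdf|txt)$", re.IGNORECASE)
ROOT_DIR_WRITE = re.compile(r"^[A-Za-z]:\\[^\\]+\\[^\\]+$")  # <drive>:\<dir>\<file>

# Each rule: (label, predicate over (operation, path)). First match wins.
# The rules are assumptions about what is out of scope for an alarm clock.
RULES = [
    ("registry: Windows license key",
     lambda op, p: op.startswith("Reg") and p.endswith("\\DigitalProductId")),
    ("registry: installed-program inventory",
     lambda op, p: op.startswith("Reg") and "\\CurrentVersion\\Uninstall" in p),
    ("filesystem: file written in a directory off the drive root",
     lambda op, p: op == "WriteFile" and ROOT_DIR_WRITE.match(p) is not None),
    ("filesystem: document discovery outside the program's own files",
     lambda op, p: op in ("CreateFile", "QueryDirectory") and DOC_EXT.search(p) is not None),
]

def triage(procmon_csv, process_name="javaw.exe"):
    """Return (path, label) pairs for events of process_name that a rule flags."""
    findings = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path = row["Operation"], row["Path"]
        for label, pred in RULES:
            if pred(op, path):
                findings.append((path, label))
                break  # one label per event
    return findings

def summarize(findings):
    """Count findings per label so each suspicious behaviour is reported once."""
    return Counter(label for _, label in findings)

if __name__ == "__main__":
    for path, label in triage(SAMPLE_PROCMON_CSV):
        print(f"{label}: {path}")
```

The benign read of rt.jar is deliberately left unflagged; the goal is to separate activity tied to the advertised function from activity that is not.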
10.2 Malware Identification and Monitoring Exercise Solution
The Alarm Clock application is a benign software Trojan that in addition to being
a rudimentary alarm clock, collects information about the Windows® installation, and
randomly scans for computers on the Internet or Intranet that will respond to an ICMP
ping. The application logs all of the information it gathers into several files in a directory
off of the root filesystem, or off of the current directory (if the root filesystem is not
writeable). The specific information gathered by the application is as follows:
➢ Registry data on the Windows® installation including the license key.
➢ Registry data on the currently installed programs.
➢ The locations of Microsoft Office, OpenOffice, PDF, and text documents in the