Phishing & BotNets
Worm Origin Oct 23 2005 08:37AM
Joel A. Folkerts (jfolkert hiwaay net) (3 replies)
RE: Worm Origin Oct 23 2005 08:16PM
Omar A. Herrera (omar herrera oissg org)
Re: Worm Origin Oct 23 2005 04:35PM
crazy frog crazy frog (i m crazy frog gmail com)
Re: Worm Origin Oct 23 2005 02:39PM
Matteo G.P. Flora (lk lastknight com) (1 replies)
2005/10/23, Joel A. Folkerts <jfolkert (at) hiwaay (dot) net [email concealed]>:
> QUESTION
> Is there a definitive method to determine if the user started the local
> infection or was merely another victim in the infection. My theory is that
> she downloaded the virus from a hack website and manually began the
> infection. Any help would be greatly appreciated!

Just my fast 2 cents:

- Look for the URL history in seized machine (just in case... hack
sites are not proper "corporate" related stuff, to begin with...)
- Look for latest downloads
- Try to determine timestamps for 1st and subsequent infections
tracking down virus creation date.

Since Norton AV should have restricted the download itself (or at
least the RUNNING OF virus) that implicitly admit user tampered with
AV.
I don't know (maybe someone more expert than me here) if there is such
a thing as a Norton AV eventlog entry for manual STOP and RESTART of
AV, but I hoper there is one...
If you're able to demonstrate that:

1- user went to a very nasty website for no particular reason
2- user edactivated Norton AV
3- time-based filestamps says the machine was the 1st on netword infected
4- User re-activated Norton AV

you should have some good points to start with....

As always there are only my unworthy italian 2 (euro) cents ;)

MgpF

--
Matteo G.P. Flora // .:.LK.:. // PGP 0xF3B6BC10
www.LastKnight.com // lk(at)lastknight(dot)com

Resp. Prov. MI - Associazione Informatici Professionisti (AIP)
Perito Forense // .NET Architect // Security Consultant

[ reply ]
Re: Worm Origin Oct 26 2005 12:54PM
Marco Monicelli (marco monicelli marcegaglia com)


 

Privacy Statement
Copyright 2010, SecurityFocus