Phishing & BotNets
Worm Origin Oct 23 2005 08:37AM
Joel A. Folkerts (jfolkert hiwaay net) (3 replies)
RE: Worm Origin Oct 23 2005 08:16PM
Omar A. Herrera (omar herrera oissg org)
Hi Joel,

> -----Original Message-----
> From: Joel A. Folkerts [mailto:jfolkert (at) hiwaay (dot) net [email concealed]]
>
> List:
>
> BACKGROUND
> A user admitted to a confidential source she released a virus on her
> small LAN. Before I was able to seize and image the user's machine, a local
> sysadmin scanned the small LAN with NAV and found several machines were
> infected with W32.Korgo.X
> (http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.korgo.x.html).
> We subsequently seized and imaged the machine found where NAV has
> quarantined the virus on the user's machine.
>
> QUESTION
> Is there a definitive method to determine if the user started the local
> infection or was merely another victim in the infection? My theory is that
> she downloaded the virus from a hack website and manually began the
> infection. Any help would be greatly appreciated!
>

This is difficult, and depends a lot on the specific malware. Propagation
algorithms sometimes allow you to trace back the infection to its origin
within the corporation, but as far as I know, this is not a simple task with
Korgo since it includes some random selection of the first 3 octets of the
IP address to attack the next victim.

However, this variant has specific characteristics that might give you some
clue (if NAV didn't erase the evidence while cleaning). The description from
Symantec states that the first action of this worm is to delete the file
ftpupd.exe from the folder where the worm was executed.

I don't have a copy of that particular version to test, but apparently (from
what Symantec and CA say:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39581) this file
is only created after a breach through the LSASS exploit (i.e., machines
infected through the network should have a deleted entry for this file, at
some point in time), whereas machines where the worm was directly executed
wouldn't have this entry.

But you just can't rely on information from third parties. You should verify
in an isolated lab that the variant of the worm you found does behave in
this way. Hopefully someone with experience with this particular variant
might provide more information.

Another thing you might want to check is the places where NAV found the virus
(e.g. NAV reported a copy of the virus in the My Documents folder or somewhere
different from the system folder). If you can be sure that this particular
variant installs itself only in the system folder when the machine is
infected through the net, you have good chances of proving that a copy of
this piece of malware was lying in a place where it couldn't be stored by
means other than manual download (the problem here is that the timestamps for
the files have most probably been modified by NAV during quarantine).

Now, things do not stop here, because even if you can prove that the user
downloaded a copy of the malware and executed it on her machine, you still
have to prove intention (she might just claim that she was tricked by
someone else into doing it). Here is where your confidential source's
testimony might be the key, but check with your lawyers whether this evidence
(assuming you are able to get it) would be enough to demonstrate malicious
intent. It might be enough to demonstrate negligence though, depending on
your corporate policy.

Kind regards,

Omar Herrera
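
Added example, not part of the thread or of any vendor tooling: a small Python triage helper that applies the two artefact checks Omar describes to a list of file-system records recovered from an image. Indicator 1 is a deleted entry for ftpupd.exe (per the Symantec and CA write-ups, created only after an LSASS-exploit breach and then removed by the worm), which is consistent with infection over the network; indicator 2 is a copy of the worm outside the system folder, which is consistent with a manual download. The record field names (`path`, `deleted`, `detection`), the system-folder list and the sample worm file name are assumptions of this example, the host records are constructed, and timestamps are deliberately ignored because NAV's quarantine step alters them.

```python
"""Triage helper for the Korgo.X origin question raised in the thread.

Applies two artefact-based indicators to recovered file-system records:
  1. a deleted entry for ftpupd.exe  -> consistent with network infection
                                        (file only appears after the LSASS exploit)
  2. a worm copy outside system32    -> consistent with manual download/execution
Timestamps are not used: the thread notes NAV modifies them during quarantine.
Field names and sample records below are assumptions/constructed data.
"""
import ntpath

WORM_LABEL = "W32.Korgo.X"        # detection name reported by NAV in the thread
LSASS_DROP_FILE = "ftpupd.exe"    # file the worm deletes from its own folder
# Assumed system folders (worm's expected install location on a network victim).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\winnt\\system32"}


def _dir(path):
    """Lower-cased, backslash-normalised parent directory of a Windows path."""
    return ntpath.normcase(ntpath.dirname(path))


def _name(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.normcase(ntpath.basename(path))


def classify_host(artifacts):
    """Return the indicators found and a verdict for one host.

    artifacts: list of dicts with keys
        path      -- full Windows path of the file-system entry
        deleted   -- True if the entry is a recovered/deleted record
        detection -- AV label for the file, or None
    verdict is one of: "network", "manual", "mixed", "inconclusive".
    """
    worm_copies = [a for a in artifacts if a.get("detection") == WORM_LABEL]

    # Indicator 1: any deleted record named ftpupd.exe, wherever it lived.
    lsass_trace = [
        a["path"] for a in artifacts
        if a["deleted"] and _name(a["path"]) == LSASS_DROP_FILE
    ]
    # Indicator 2: detected worm copies stored outside the system folder.
    outside_system = [
        a["path"] for a in worm_copies if _dir(a["path"]) not in SYSTEM_DIRS
    ]

    if lsass_trace and not outside_system:
        verdict = "network"
    elif outside_system and not lsass_trace:
        verdict = "manual"
    elif outside_system and lsass_trace:
        verdict = "mixed"        # both traces present; needs manual review
    else:
        verdict = "inconclusive"  # evidence may have been removed by AV cleaning
    return {
        "lsass_trace": lsass_trace,
        "outside_system": outside_system,
        "verdict": verdict,
    }


# Constructed sample records for two hosts (not real forensic data).
HOST_NETWORK_VICTIM = [
    {"path": r"C:\WINDOWS\system32\sample_worm.exe", "deleted": False,
     "detection": WORM_LABEL},
    {"path": r"C:\WINDOWS\system32\ftpupd.exe", "deleted": True,
     "detection": None},
]
HOST_SUSPECT = [
    {"path": r"C:\Documents and Settings\user\My Documents\sample_worm.exe",
     "deleted": False, "detection": WORM_LABEL},
    {"path": r"C:\WINDOWS\system32\sample_worm.exe", "deleted": False,
     "detection": WORM_LABEL},
]

if __name__ == "__main__":
    for label, host in (("victim", HOST_NETWORK_VICTIM), ("suspect", HOST_SUSPECT)):
        print(label, classify_host(host))
```

The verdicts are only as good as the behavioural claims behind them, which is exactly Omar's caveat: confirm in an isolated lab that the variant actually drops and deletes ftpupd.exe and installs only into the system folder before treating a "manual" result as evidence.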

Re: Worm Origin Oct 23 2005 04:35PM
crazy frog crazy frog (i m crazy frog gmail com)
Re: Worm Origin Oct 23 2005 02:39PM
Matteo G.P. Flora (lk lastknight com) (1 replies)
Re: Worm Origin Oct 26 2005 12:54PM
Marco Monicelli (marco monicelli marcegaglia com)
Copyright 2010, SecurityFocus