Phishing & BotNets
Worm Origin Oct 23 2005 08:37AM
Joel A. Folkerts (jfolkert hiwaay net) (3 replies)
RE: Worm Origin Oct 23 2005 08:16PM
Omar A. Herrera (omar herrera oissg org)
Re: Worm Origin Oct 23 2005 04:35PM
crazy frog crazy frog (i m crazy frog gmail com)
Re: Worm Origin Oct 23 2005 02:39PM
Matteo G.P. Flora (lk lastknight com) (1 replies)
Re: Worm Origin Oct 26 2005 12:54PM
Marco Monicelli (marco monicelli marcegaglia com)
Here are my 2 cents, added to Matteo's 2:

- Most AV products do have a log file where any manual START or STOP is logged,
but a skilled hacker knows that and can erase it once he becomes
ADMINISTRATOR of that machine (SYSTEM privileges work as well); for
this, just have a look at the help of the DOS commands "find" and "findstr".

- The same objection is valid for Explorer history and any logged Explorer
activity (unless you use 3rd-party software to log events).

- Where would you look to check the latest download? The registry? Which
key?

- Timestamps are good information but actually don't help you so much to
track the hacker down. You'll know when the virus was created
and...

Having said this, I would suggest deeply checking the registry for any
trace/clue, which you will probably find, because cleaning your traces from
the registry is not the most common action of hackers/script kiddies.

I'm open to any comment and suggestion.

My unworthy Italian 2 cents :)

Yog-Sotho

2005/10/23, Joel A. Folkerts <jfolkert (at) hiwaay (dot) net [email concealed]>:
> QUESTION
> Is there a definitive method to determine whether the user started the local
> infection or was merely another victim of the infection? My theory is that
> she downloaded the virus from a hack website and manually began the
> infection. Any help would be greatly appreciated!

Just my quick 2 cents:

- Look for the URL history on the seized machine (just in case... hack
sites are not proper "corporate" related stuff, to begin with...)
- Look for the latest downloads
- Try to determine timestamps for the 1st and subsequent infections,
tracking down the virus creation date.

Since Norton AV should have blocked the download itself (or at
least the RUNNING of the virus), that implicitly means the user tampered with
the AV.
I don't know (maybe someone more expert than me here does) if there is such
a thing as a Norton AV event log entry for a manual STOP and RESTART of the
AV, but I hope there is one...
If you're able to demonstrate that:

1- user went to a very nasty website for no particular reason
2- user deactivated Norton AV
3- time-based file stamps say the machine was the 1st on the network infected
4- user re-activated Norton AV

you should have some good points to start with....

As always, these are only my unworthy Italian 2 (euro) cents ;)

MgpF

--
Matteo G.P. Flora // .:.LK.:. // PGP 0xF3B6BC10
www.LastKnight.com // lk(at)lastknight(dot)com

Resp. Prov. MI - Associazione Informatici Professionisti (AIP)
Perito Forense // .NET Architect // Security Consultant
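The four-point checklist above (nasty site visited, AV deactivated, first infected host by file timestamps, AV re-activated) and Marco's "grep the AV log" suggestion, turned into a small triage script. This is an added example, not code from the thread, from Norton or from any forensic tool: the AV log format, hostnames, paths, URLs and timestamps are all constructed for illustration, and the 15-minute correlation window is an arbitrary assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample evidence (not real Norton AV, IE or worm output).
# The "Auto-Protect STOPPED/STARTED by user" log format is an assumption.
AV_LOG = """\
2005-10-20 08:00:05 WS-BOB Auto-Protect STARTED (service boot)
2005-10-20 09:10:20 WS-ALICE Auto-Protect STOPPED by user ALICE
2005-10-20 09:13:40 WS-ALICE Auto-Protect STARTED by user ALICE
"""

# Constructed: host, path of the worm binary, NTFS creation time.
WORM_FILES = r"""
WS-ALICE C:\Documents and Settings\alice\Local Settings\Temp\crack.exe 2005-10-20 09:11:31
WS-BOB C:\WINDOWS\system32\crack.exe 2005-10-20 09:31:10
WS-CAROL C:\WINDOWS\system32\crack.exe 2005-10-20 09:33:55
"""

# Constructed: browser history export (timestamp, host, URL).
URL_HISTORY = """\
2005-10-20 09:05:12 WS-BOB http://intranet.example/timesheet
2005-10-20 09:10:52 WS-ALICE http://example.invalid/cracks/keygen.html
2005-10-20 09:11:30 WS-ALICE http://example.invalid/cracks/crack.exe
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
AV_LINE = re.compile(r"^(\S+ \S+) (\S+) Auto-Protect (STOPPED|STARTED) (.*)$")


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def parse_av_log(text):
    """AV start/stop events; 'manual' marks an operator-initiated change."""
    events = []
    for line in text.splitlines():
        m = AV_LINE.match(line)
        if m:
            ts, host, state, detail = m.groups()
            events.append({"ts": parse_ts(ts), "host": host, "state": state,
                           "manual": "by user" in detail})
    return events


def parse_worm_files(text):
    """Earliest worm-binary creation time per host (paths may contain spaces)."""
    first = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, rest = line.split(" ", 1)
        path, date, time = rest.rsplit(" ", 2)   # date/time are the last two tokens
        ts = parse_ts(f"{date} {time}")
        if host not in first or ts < first[host]["ts"]:
            first[host] = {"path": path, "ts": ts}
    return first


def parse_url_history(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            date, time, host, url = line.split(" ", 3)
            rows.append({"ts": parse_ts(f"{date} {time}"), "host": host, "url": url})
    return rows


def infection_order(first):
    """Hosts sorted by when the worm binary first appeared on them."""
    return sorted(first, key=lambda h: first[h]["ts"])


def assess_host(host, av_events, first, urls, window=timedelta(minutes=15)):
    """Check the thread's four points against one host's evidence."""
    t0 = first[host]["ts"]
    mine = [e for e in av_events if e["host"] == host]
    stopped = [e for e in mine if e["state"] == "STOPPED" and e["manual"]
               and t0 - window <= e["ts"] <= t0]
    restarted = [e for e in mine if e["state"] == "STARTED" and e["manual"]
                 and t0 <= e["ts"] <= t0 + window]
    downloads = [u["url"] for u in urls if u["host"] == host
                 and t0 - window <= u["ts"] <= t0
                 and u["url"].lower().endswith(".exe")]
    return {
        "host": host,
        "first_seen": t0,
        "av_stopped_before": bool(stopped),
        "av_restarted_after": bool(restarted),
        "downloads_before": downloads,
        # Evidence consistent with a manual start; not proof on its own.
        "consistent_with_manual_start": bool(stopped and restarted and downloads),
    }


def triage(av_text, worm_text, url_text):
    av, first, urls = parse_av_log(av_text), parse_worm_files(worm_text), parse_url_history(url_text)
    return {"order": infection_order(first),
            "hosts": {h: assess_host(h, av, first, urls) for h in first}}


if __name__ == "__main__":
    result = triage(AV_LOG, WORM_FILES, URL_HISTORY)
    print("infection order:", result["order"])
    for h in result["order"]:
        print(result["hosts"][h])
```

Run against the constructed data, the script places WS-ALICE first and flags it as the only host with a manual AV stop, an .exe download and a manual AV restart bracketing the first appearance of the binary; the other hosts show only the later, network-delivered copies. In a real case the AV log, file creation times and browser history would be pulled from the seized disk image and each source can be tampered with, as Marco points out, so the script ranks leads rather than proving intent.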
