PaulDotCom mailing list archives

Re: Forensic Timestamps Question


From: signupjar at gmail.com (signupjar at gmail.com)
Date: Thu, 01 Oct 2009 22:04:42 -0400

Zeusbot drops tmp1.exe which unpacks and creates sdra64.exe, modifying 
its file creation/access time per the below disassembled code-

tmp1 (3rd stage) (Windows XP SP2)

//---   0x4059D1
SHGetSpecialFolderPath(0,&[ebp-0x440],CSIDL_SYSTEM,1);           // [ebp-0x440] = system directory path
PathCombine([ebp-0x440], [ebp-0x440], "ntdll.dll");               // -> ...\system32\ntdll.dll
CreateFile([ebp-0x440],GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0);   // handle returned in esi
if(esi != INVALID_HANDLE_VALUE)
{
        GetFileTime(esi,&[ebp-0x28],&[ebp-0x30],&[ebp-0x20]);     // read ntdll.dll's creation, last-access, last-write times
        SetFileTime([ebp-0x8],[ebp-0x28],[ebp-0x30],[ebp-0x20]);  // stamp them onto the handle in [ebp-0x8] (the dropped file, opened earlier, not shown)
        CloseHandle([ebp-0x8]);                                  // close the dropped file's handle
}
//---   0x405A48

Basically, file creation, last access, and last write times are copied 
from C:\WINDOWS\system32\ntdll.dll

Hope that helps-
Kelson


Date: Wed, 30 Sep 2009 16:46:49 -0400
From: Ben Greenfield <bcg at struxural.com>
Subject: Re: [Pauldotcom] Forensic Timestamps Question
To: PaulDotCom Security Weekly Mailing List <pauldotcom at mail.pauldotcom.com>
Message-ID:
        <83ff70350909301346y7abc83ccrd6ed09ece00b53ec at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Doh, that's supposed to end "people with more experience than me
saying stuff smarter than me".

Thanks,

On Wed, Sep 30, 2009 at 4:45 PM, Ben Greenfield <bcg at struxural.com> wrote:
I'm doing a forensic analysis of a Zeus/Zbot infection for a client.
I came across something kind of interesting that I didn't initially
notice, and I'm hoping that someone can confirm or blow away a thought
I just had.

Here is some backup information:
~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe

~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe

For argument's sake let's assume that the timestamps are accurate and
that the malware isn't modifying its creation timestamp (which I
wonder about because of 2009-02-09 and 2009-09-02 having numbers
swapped). If I'm not mistaken the -0400 and -0500 refer to offset from
Greenwich Mean Time. If that's the case, is it fair for me to assume
that -0500 indicates that the computer which created the malware was
configured with a different timezone than the one which was infected?

Thanks, I look forward to people with more experience than saying
smart stuff now  :)
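Added example, not code from the thread or from the ZeuS sample: two small forensic helpers for the points raised above. The first flags files in a directory whose last-write and last-access times exactly match a reference file such as ntdll.dll, the cloning Kelson describes; the second shows why an `ls --full-time` listing from a US Eastern analysis box prints -0500 for a February date and -0400 for a September date (ls renders times in the analyst's local zone, and those are the zone's standard and daylight offsets). The fixture directory, its file names and the post-2007 US DST rule are constructed/assumed.

```python
# Added example (not code from the thread): timestamp-cloning check plus the
# US Eastern standard/daylight offsets behind the -0500/-0400 in the ls output.
import os
import tempfile
from datetime import date, timedelta

def find_cloned_timestamps(directory, reference, tolerance_ns=0):
    """Regular files in `directory` whose last-write and last-access times both
    equal those of `reference` (e.g. system32/ntdll.dll) within tolerance_ns.
    os.stat exposes no NTFS creation time on Linux; the MFT would add that."""
    ref = os.stat(reference)
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file() or os.path.samefile(entry.path, reference):
            continue
        st = entry.stat()
        if (abs(st.st_mtime_ns - ref.st_mtime_ns) <= tolerance_ns
                and abs(st.st_atime_ns - ref.st_atime_ns) <= tolerance_ns):
            hits.append(entry.name)
    return sorted(hits)

def us_eastern_offset(iso_day):
    """UTC offset ls prints for a US Eastern date 'YYYY-MM-DD' (post-2007 DST rule:
    second Sunday in March to first Sunday in November; transition hours ignored)."""
    def nth_sunday(year, month, n):
        first = date(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))
    d = date.fromisoformat(iso_day)
    in_dst = nth_sunday(d.year, 3, 2) <= d < nth_sunday(d.year, 11, 1)
    return "-0400" if in_dst else "-0500"

def build_fixture():
    """Constructed sample image: stand-in ntdll.dll, a file with times copied
    from it (as the dropper does), and an unrelated file one second older."""
    root = tempfile.mkdtemp()
    for name in ("ntdll.dll", "sdra64.exe", "kernel32.dll"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"x")
    ref = os.path.join(root, "ntdll.dll")
    st = os.stat(ref)
    os.utime(os.path.join(root, "sdra64.exe"), ns=(st.st_atime_ns, st.st_mtime_ns))
    os.utime(os.path.join(root, "kernel32.dll"),
             ns=(st.st_atime_ns - 10**9, st.st_mtime_ns - 10**9))
    return root, ref

if __name__ == "__main__":
    root, ref = build_fixture()
    print(find_cloned_timestamps(root, ref))  # ['sdra64.exe']
    print(us_eastern_offset("2009-02-09"), us_eastern_offset("2009-09-02"))  # -0500 -0400
```

On a real mounted image, point `find_cloned_timestamps` at the mounted system32 directory with its ntdll.dll as the reference; a hit is an indicator to confirm against the MFT, not proof by itself.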

