Security Incidents mailing list archives

Re: They got me!!!


From: "Colin Copley" <colin.75 () btinternet com>
Date: Thu, 6 Apr 2006 20:14:53 +0100

Hi

Trying to run analysis tools on an infected machine can be incredibly
troublesome depending on the trojan.  Some examples of MSN/Peer to peer
trojans/viri(uses) I've seen will go to some lengths to prevent new software
being installed; closing down windows with security related text in the
title bar, altering the hosts file to stop access to anti-virus websites,
restricting user permissions etc.

A quick recon that's helped me decide whether or not it's worth the hassle
in the past is to boot the machine (disconnected from LAN) into safe mode
and try to run regedit, check the HKLM\Software\Microsoft\Windows (or
Windows NT)\CurrentVersion\Run (also RunOnce, + Run As Service) and see what
the executable being loaded at startup is (remember there are also the
autoexec.bat/win.ini/system.ini files).

Google the exe name, it can make for some interesting reading.  This will
help you decide whether it's worth the risk of connecting the box to the LAN
and running analysis tools from another box, or installing them on the
infected machine itself.

My previous experience trying to clean an infected box from the top down so
to speak is it's not worth it, flatten & rebuild is the only way to be
absolutely sure.

If the trojan has a keylogger and/or is reporting back to base, you may be
able to follow the data back to the "my guess: irc server" and have a word
with the culprit himself. (Not a woman surely!)

Once a customer's teenage son was actually given the CD by a schoolfriend,
and installed it thinking it was 'Runequest' if I remember.  Best of Luck


Kind Regards
Colin

----- Original Message -----
From: <pentesticle () yahoo com>
To: <incidents () securityfocus com>
Sent: Wednesday, April 05, 2006 5:23 PM
Subject: They got me!!!


| Hey list!!!
|
| My kids left their puter on while I was away on vacation and some
| loverly person managed to gain access to the puter. Unfortunately I was on
| vacation so had all of my systems off except the one the kids turned
| back on, so my sniffer was off as well.
|
| I don't know much from the forensics side of the house as I mainly
| perform audits and such, so was hoping I could get some insight as where to
| start and tools to use to find everything that was done to the
| computer.
|
| My AV software picked up a trojan, but figure it was after the fact and
| is still resident on the system. It almost appears that they accessed
| hotmail and picked up files from a mailbox. (sure wish my sniffer would
| have been on :( ) The local Symantec firewall is being bypassed and most
| of the services won't start. Term Svcs among others has been set to
| manual but starts up automatically with Windows (I had it disabled before)
| and will not allow me to stop the service. I keep the system up to date
| with patches and AV signatures and use 25 char passwords with
| fingerprint scanners for the kids to use, so am not certain what they used to
| exploit, but given time anything can be broken. My fingerprint scanner
| doesn't show any failed logon attempts while we were gone but the
| security logs show numerous failed attempts by all of the accounts so assuming
| they are trying to remotely access the PC. I'm thinking they gained
| access to the account that was currently logged in as it shows that
| particular account's privileges were escalated in the log files
| several times then shortly after it shows the system account making
| changes to the system.
|
| Anyway, if someone could recommend where to start and what tools I
| should use, I guess this will begin my forensics career and OJT...
|
| Much appreciated :)
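The "quick recon" Colin describes (check the Run/RunOnce keys and the legacy win.ini/system.ini launch points, then look up the executable name) can be scripted so nothing has to be clicked through in regedit. The script below is an added example written for this archive page; it is not code from either poster. It assumes PowerShell 4 or later on the suspect box (Get-FileHash first shipped with PowerShell 4) and that it is run from an elevated prompt, ideally in Safe Mode with the network cable unplugged as the reply suggests. For each autostart entry it resolves the executable, records its SHA-256 hash and Authenticode status, and flags entries whose target file no longer exists, so the names and hashes can be looked up from a separate, clean machine rather than from the infected one.

```powershell
# Added example (not from the thread): enumerate common Windows autostart
# locations and report what they launch. Names, paths and registry keys
# below are the standard ones; the hypothetical part is only the report shape.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',      # Win9x-era, usually absent
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',  # Win9x-era, usually absent
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'        # only Shell / Userinit matter here
)

# Pull the executable out of a command line such as
#   "C:\Program Files\foo\bar.exe" /silent     or     C:\foo\bar.exe -x
# and resolve a bare name (e.g. explorer.exe) through PATH.
function Get-ExePath([string]$CommandLine) {
    $candidate = $null
    if ($CommandLine -match '^\s*"([^"]+)"') { $candidate = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $candidate = $Matches[1] }
    if (-not $candidate) { return $null }
    $candidate = [Environment]::ExpandEnvironmentVariables($candidate.TrimEnd(','))   # Userinit ends in a comma
    if (Test-Path -LiteralPath $candidate) { return $candidate }
    $resolved = Get-Command $candidate -ErrorAction SilentlyContinue
    if ($resolved -and $resolved.Source) { return $resolved.Source }
    return $candidate   # unresolved; reported as missing below
}

function Get-AutostartReport {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # metadata Get-ItemProperty adds
            if ($key -like '*Winlogon' -and $p.Name -notin 'Shell', 'Userinit') { continue }
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Legacy launch points the reply also mentions: load=/run= in win.ini, shell= in system.ini
    $winIni = Join-Path $env:windir 'win.ini'
    if (Test-Path $winIni) {
        foreach ($line in Get-Content $winIni) {
            if ($line -match '^\s*(load|run)\s*=\s*(\S.*)$') {
                $entries += [pscustomobject]@{ Source = $winIni; Name = $Matches[1]; Command = $Matches[2] }
            }
        }
    }
    $sysIni = Join-Path $env:windir 'system.ini'
    if (Test-Path $sysIni) {
        foreach ($line in Get-Content $sysIni) {
            if ($line -match '^\s*shell\s*=\s*(\S.*)$') {
                $entries += [pscustomobject]@{ Source = $sysIni; Name = 'shell'; Command = $Matches[1] }
            }
        }
    }
    foreach ($e in $entries) {
        $exe  = Get-ExePath $e.Command
        $hash = $null
        $sig  = 'n/a'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid / NotSigned / HashMismatch ...
        } elseif ($exe) {
            $sig = 'FILE NOT FOUND'   # a dangling autostart entry is itself worth a closer look
        }
        [pscustomobject]@{
            Source = $e.Source; Name = $e.Name; Command = $e.Command
            Exe = $exe; SHA256 = $hash; Signature = $sig
        }
    }
}

# Write the report to removable media so it can be read on a clean machine.
Get-AutostartReport | Format-Table -AutoSize -Wrap
```

Two things to keep in mind when reading the output: an unsigned or HashMismatch binary in a Run key is a strong lead but not proof, since plenty of legitimate 2006-era software was unsigned; and, as the reply points out, some trojans kill windows with security-related titles or tamper with what a live system reports, so a report taken from the running box is only a first cut, and the flatten-and-rebuild advice still stands once the entries have been recorded for later reference.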

