PaulDotCom mailing list archives
Forensic Timestamps Question
From: carlos_perez at darkoperator.com (Carlos Perez)
Date: Thu, 1 Oct 2009 22:35:39 -0400
I just love that!! I do the same with my winenum script .... Note to self: I should randomize the file selection for MACE copy

Sent from my Mobile Phone

On Oct 1, 2009, at 10:04 PM, signupjar at gmail.com wrote:
Zeusbot drops tmp1.exe, which unpacks and creates sdra64.exe, modifying its file creation/access time per the disassembled code below:

tmp1 (3rd stage) (Windows XP SP2)

    //--- 0x4059D1
    SHGetSpecialFolderPath(0, &[ebp-0x440], CSIDL_SYSTEM, 1);
    PathCombine([ebp-0x440], [ebp-0x440], "ntdll.dll");
    esi = CreateFile([ebp-0x440], GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
    if (esi != INVALID_HANDLE_VALUE) {
        GetFileTime(esi, &[ebp-0x28], &[ebp-0x30], &[ebp-0x20]);      // creation, last access, last write of ntdll.dll
        SetFileTime([ebp-0x8], &[ebp-0x28], &[ebp-0x30], &[ebp-0x20]); // applied to the handle of the dropped file
        CloseHandle([ebp-0x8]);
    }
    //--- 0x405A48

Basically, file creation, last access, and last write times are copied from C:\WINDOWS\system32\ntdll.dll

Hope that helps-
Kelson

Date: Wed, 30 Sep 2009 16:46:49 -0400
From: Ben Greenfield <bcg at struxural.com>
Subject: Re: [Pauldotcom] Forensic Timestamps Question
To: PaulDotCom Security Weekly Mailing List <pauldotcom at mail.pauldotcom.com>
Message-ID: <83ff70350909301346y7abc83ccrd6ed09ece00b53ec at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Doh, that's supposed to end "people with more experience than me saying stuff smarter than me".

Thanks,

On Wed, Sep 30, 2009 at 4:45 PM, Ben Greenfield <bcg at struxural.com> wrote:

I'm doing a forensic analysis of a Zeus/Zbot infection for a client. I came across something kind of interesting that I didn't initially notice, and I'm hoping that someone can confirm or blow away a thought I just had. Here is some backup information:

    ~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
    -rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe
    ~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
    -rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe

For argument's sake, let's assume that the timestamps are accurate and that the malware isn't modifying its creation timestamp (which I wonder about because of 2009-02-09 and 2009-09-02 having numbers swapped).

If I'm not mistaken, the -0400 and -0500 refer to the offset from Greenwich Mean Time. If that's the case, is it fair for me to assume that -0500 indicates that the computer which created the malware was configured with a different timezone than the one which was infected?

Thanks, I look forward to people with more experience than saying smart stuff now :)

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
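As an added example (not code from the thread or from any of its posters), the following Python checks a listing from a mounted image for the trick Kelson's disassembly describes: a dropped file whose created/modified/accessed triple exactly matches another file's, against ntdll.dll specifically and, since a dropper could pick its donor at random as Carlos notes, against every other file too. It also parses `ls --full-time` lines like the ones in Ben's post into UTC: the -0500 and -0400 there are the examiner's local UTC offset on each date (U.S. Eastern standard time in February, daylight time in September), so the two values have to be normalised before they are compared at all. All file records and listing lines are constructed, the ntdll.dll timestamp values are hypothetical, and the $FILE_NAME comparison assumes the analyst has already pulled both MFT attribute sets with a separate tool.

```python
"""Checks for cloned MACE timestamps, as seen in the Zeus sdra64.exe dropper.

Added example, not code from the thread. All file records and the
`ls --full-time` lines below are constructed; the ntdll.dll timestamps
are hypothetical, not taken from any real system image.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed lines in the style of the original post (mtime via -lt, atime via -ltu).
LS_LINES = [
    "-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe",
    "-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe",
]


def parse_ls_full_time(line):
    """Return (name, tz-aware datetime) for one `ls -l --full-time` line.

    The +/-HHMM field is the examiner's local UTC offset on that date, which
    is why a February and a September timestamp can carry different offsets.
    """
    parts = line.split()
    date, clock, offset = parts[5], parts[6], parts[7]
    name = " ".join(parts[8:])
    secs, _, frac = clock.partition(".")
    ts = datetime.strptime(f"{date} {secs} {offset}", "%Y-%m-%d %H:%M:%S %z")
    if frac:
        ts = ts.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return name, ts


def to_utc(ts):
    """Normalise to UTC before comparing timestamps carrying different offsets."""
    return ts.astimezone(timezone.utc)


def utc_offset_hours(ts):
    return ts.utcoffset().total_seconds() / 3600


# Constructed MACE records: name -> (created, modified, accessed) as UTC epoch
# seconds, i.e. the $STANDARD_INFORMATION values that SetFileTime() rewrites.
NTDLL_TIMES = (1218600000, 1218600000, 1251880000)  # hypothetical values
FILES = {
    "ntdll.dll":    NTDLL_TIMES,
    "sdra64.exe":   NTDLL_TIMES,                           # all three cloned
    "kernel32.dll": (1218600000, 1218600000, 1251880005),  # same install batch, different atime
    "tmp1.exe":     (1251879990, 1251879990, 1251879990),
    "notes.txt":    (1251600000, 1251600100, 1251600200),
}


def cloned_from(files, reference):
    """Names whose full (created, modified, accessed) triple equals `reference`'s."""
    ref = files[reference]
    return sorted(n for n, t in files.items() if n != reference and t == ref)


def shared_mace_groups(files):
    """Groups of two or more files with an identical full triple.

    A dropper may copy from a randomly chosen donor rather than ntdll.dll, so
    every file is compared with every other. Files installed in one batch
    often share created/modified times, but an exact match on the access time
    as well is rare enough to be worth an analyst's look.
    """
    groups = defaultdict(list)
    for name, triple in files.items():
        groups[triple].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def backdated_past_filename_attr(si_created, fn_created):
    """True if the $STANDARD_INFORMATION creation time predates $FILE_NAME's.

    SetFileTime() rewrites only $STANDARD_INFORMATION; the $FILE_NAME
    timestamps in the MFT record are left alone, so an SI time older than the
    FN time is a classic sign of timestomping. Both values are epoch seconds.
    """
    return si_created < fn_created


if __name__ == "__main__":
    for line in LS_LINES:
        name, ts = parse_ls_full_time(line)
        print(name, ts.isoformat(), "->", to_utc(ts).isoformat())
    print("cloned from ntdll.dll:", cloned_from(FILES, "ntdll.dll"))
    print("shared MACE triples:", shared_mace_groups(FILES))
```

The triple match is a triage heuristic, not proof: confirm a hit by comparing the $STANDARD_INFORMATION times with the $FILE_NAME times from the MFT, which a user-mode SetFileTime() call does not touch.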
Current thread:
- Forensic Timestamps Question Jake Cunningham (Oct 01)
- <Possible follow-ups>
- Re: Forensic Timestamps Question signupjar at gmail.com (Oct 01)
- Forensic Timestamps Question Carlos Perez (Oct 01)