Forensic Timestamps Question

[carlos_perez at darkoperator.com (Carlos Perez)]

I just love that!! I do the same with my winenum script .... Note to  
self: I should randomize the file selection for MACE copy

Sent from my Mobile Phone

On Oct 1, 2009, at 10:04 PM, signupjar at gmail.com wrote:

> Zeusbot drops tmp1.exe which unpacks and creates sdra64.exe, modifying
> its file creation/access time per the below disassembled code-
>
> tmp1 (3rd stage) (Windows XP SP2)
>
> //---    0x4059D1
> SHGetSpecialFolderPath(0,&[ebp-0x440],CSIDL_SYSTEM,1);
> PathCombine([ebp-0x440], [ebp-0x440], "ntdll.dll");
> CreateFile([ebp-0x440],GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE, 
> 0,OPEN_EXISTING,0,0);
> if(esi != INVALID_HANDLE_VALUE)
> {
>    GetFileTime(esi,&[ebp-0x28],&[ebp-0x30],&[ebp-0x20]);
>    SetFileTime([ebp-0x8],[ebp-0x28],[ebp-0x30],[ebp-0x20]);
>    CloseHandle([ebp-0x8])
> }
> //---    0x405A48
>
> Basically, file creation, last access, and last write times are copied
> from C:\WINDOWS\system32\ntdll.dll
>
> Hope that helps-
> Kelson
>
>
> Date: Wed, 30 Sep 2009 16:46:49 -0400
> From: Ben Greenfield <bcg at struxural.com>
> Subject: Re: [Pauldotcom] Forensic Timestamps Question
> To: PaulDotCom Security Weekly Mailing List <pauldotcom at mail.pauldotcom.com 
> >
> Message-ID:
>    <83ff70350909301346y7abc83ccrd6ed09ece00b53ec at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Doh, that's supposed to end "people with more experience than me
> saying stuff smarter than me".
>
> Thanks,
>
> On Wed, Sep 30, 2009 at 4:45 PM, Ben Greenfield <bcg at struxural.com>  
> wrote:
> > I'm doing a forensic analysis of a Zeus/Zbot infection for a client.
> > I came across something kind of interesting that I didn't initially
> > notice, and I'm hoping that someone can confirm or blow away a  
> > thought
> > I just had.
> >
> > Here is some backup information:
> > ~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
> > -rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500
> sdra64.exe
> > ~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
> > -rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400
> sdra64.exe
> > For arguments sake lets assume that the timestamps are accurate and
> > that the malware isn't modifying its creation timestamp (which I
> > wonder about because of 2009-02-09 and 2009-09-02 having numbers
> > swapped). ?If I'm not mistake the -0400 and -0500 refer to offset  
> > from
> > Greenwich Mean Time. ?If that's the case, is it fair for me to assume
> > that -0500 indicates that the computer which created the malware was
> > configured with a different timezone than the one which was infected?
> >
> > Thanks, I look forward to people with more experience than saying
> > smart stuff now  :)
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com