Computer-Forensics mailing list

RE: Worm Origin

Subject: RE: Worm Origin
Date: Mon, 24 Oct 2005 00:17:20 -0400
 
Joel,

If you know the virus and the filename...look for the filename in the index.dat
file of the Temporary Internet History Files.  It should tell you the time and
date (encoded so just use an unencoder like
http://www.digital-detective.co.uk/freetools/decode.asp).  The times and dates
are located 8 hex digits in from the URL beginning (i.e. 55 52 4C 20 02 00 00 00
= first 8 hex digit header, then first time = 00 C9 F8 6D 53 BA C5 01 and the
second right after = 40 09 DB 74 04 D7 C5 01).  Time and dates will vary.  The
index.dat file will come from a specific user account.

The MSHist index.dat should tell you if the file (by filename) was accessed by
an account on the system.

v/r
Ric



Frederic W. STONESIFER
Special Agent, Computer Crime Investigations Unit
701st MP GRP (CID), USACIDC


~~~ PFC KRISTOFOR T. STONESIFER
~~~ 3/75th Ranger Regiment
~~~ Operation Enduring Freedom
~~~ Aug 20, 1973 - Oct 19, 2001
~~~ http://rstonesifer.com/kris



-----Original Message-----
From: Joel A. Folkerts [mailto:jfolkert@hiwaay.net] 
Sent: Sunday, October 23, 2005 4:37 AM
To: binaryanalysis@securityfocus.com; forensics@securityfocus.com
Subject: Worm Origin

List:

BACKGROUND
 A user admitted to a confidential source she released a virus on her small LAN.
Before I was able to seize and image the user's machine, a local sysadmin
scanned the small LAN with NAV and found several machines were infected with
W32.Korgo.X
(http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.korgo.x.html).
We subsequently seized and imaged the machine found where NAV has quarantined
the virus on the user's machine.

QUESTION
 Is there a definitive method to determine if the user started the local
infection or was merely another victim in the infection? My theory is that she
downloaded the virus from a hack website and manually began the infection. Any
help would be greatly appreciated!

-Joel
 
---
"Illegitimis non carborundum."
Latin translation: "Don't let the bastards grind you down."
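As an added example, not code from this thread or from Digital Detective's tool: a small Python parser for the index.dat "URL " record header Ric describes, decoding the two FILETIME values he quotes into UTC datetimes. The header layout (signature, record length in 128-byte blocks, then two 8-byte FILETIMEs) follows the commonly documented IE 5+ index.dat URL record; the sample bytes are the ones from the message above.

```python
import struct
from datetime import datetime, timedelta, timezone

# index.dat "URL " record header, as documented for IE 5+ history files:
#   bytes 0-3   signature "URL " (55 52 4C 20)
#   bytes 4-7   record length in 128-byte blocks (02 00 00 00 -> 256 bytes)
#   bytes 8-15  first FILETIME (commonly documented as last-modified)
#   bytes 16-23 second FILETIME (commonly documented as last-accessed)
URL_SIG = b"URL "
BLOCK_SIZE = 128
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01) to a UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def parse_url_record(data: bytes, offset: int = 0) -> dict:
    """Parse the header of one 'URL ' record starting at `offset`."""
    if data[offset:offset + 4] != URL_SIG:
        raise ValueError("no 'URL ' signature at offset %d" % offset)
    # Little-endian: one 32-bit block count followed by two 64-bit FILETIMEs.
    nblocks, ft1, ft2 = struct.unpack_from("<IQQ", data, offset + 4)
    return {
        "offset": offset,
        "length": nblocks * BLOCK_SIZE,
        "first_time": filetime_to_datetime(ft1),
        "second_time": filetime_to_datetime(ft2),
    }


def find_url_records(data: bytes) -> list:
    """Walk a buffer and parse every 'URL ' record header found in it."""
    records, pos = [], data.find(URL_SIG)
    while pos != -1:
        rec = parse_url_record(data, pos)
        records.append(rec)
        pos = data.find(URL_SIG, pos + rec["length"])
    return records


# Constructed sample: the 24 header bytes quoted in Ric's message.
SAMPLE_HEADER = bytes.fromhex(
    "55 52 4C 20 02 00 00 00"
    "00 C9 F8 6D 53 BA C5 01"
    "40 09 DB 74 04 D7 C5 01"
)

if __name__ == "__main__":
    for rec in find_url_records(SAMPLE_HEADER):
        print(rec)
```

Keep track of which index.dat the record came from: the daily MSHist history files are documented as storing these timestamps in local time rather than UTC, so apply the machine's time zone accordingly before comparing with other artifacts.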
