
Re: Worm Origin

Subject: Re: Worm Origin
Date: Wed, 26 Oct 2005 14:54:09 +0200
Here are my 2 cents, added to Matteo's 2:

- Most AVs do have a log file where any manual START or STOP is logged,
but a skilled hacker knows that and can erase it once he becomes
ADMINISTRATOR over that machine (SYSTEM privileges work as well); for
this, just have a look at the help of the DOS commands "find" and "findstr".

- The same objection is valid for Explorer History and any Explorer
activity logged (unless you use 3rd-party software to log events).

- Where would you look to check the latest download? The registry? What
key?

- A timestamp is good information but actually doesn't help you so much to
track the hacker down. You'll know when the virus was created and...

Having said this, I would suggest deeply checking the registry for any
trace/clue, which you probably will find, because cleaning the registry of
your traces is not the most common action of hackers/script kiddies.

I'm open to any comment and suggestion.

My unworthy Italian 2 cents :)

Yog-Sotho
2005/10/23, Joel A. Folkerts <jfolkert@hiwaay.net>:
QUESTION
Is there a definitive method to determine if the user started the local
infection or was merely another victim in the infection? My theory is that
she downloaded the virus from a hack website and manually began the
infection. Any help would be greatly appreciated!

Just my fast 2 cents:

- Look for the URL history on the seized machine (just in case... hack
sites are not proper "corporate" related stuff, to begin with...)
- Look for the latest downloads
- Try to determine timestamps for the 1st and subsequent infections,
tracking down the virus creation date.

Since Norton AV should have restricted the download itself (or at
least the RUNNING OF the virus), that implicitly admits the user tampered
with AV.
I don't know (maybe someone more expert than me here) if there is such
a thing as a Norton AV eventlog entry for manual STOP and RESTART of
AV, but I hope there is one...
If you're able to demonstrate that:

1- user went to a very nasty website for no particular reason
2- user deactivated Norton AV
3- time-based file timestamps say the machine was the 1st on the network infected
4- user re-activated Norton AV

you should have some good points to start with....

As always, these are only my unworthy Italian 2 (euro) cents ;)


MgpF

--
Matteo G.P. Flora // .:.LK.:. // PGP 0xF3B6BC10
www.LastKnight.com // lk(at)lastknight(dot)com

Resp. Prov. MI - Associazione Informatici Professionisti (AIP)
Perito Forense // .NET Architect // Security Consultant
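The four-step argument above (AV stopped, file downloaded, first on the network, AV restarted) is a timeline correlation, so here is an added example of how an examiner could script it. This is not code from either poster; the AV log format, host names, file paths and timestamps are all constructed for the example, and the script assumes the AV log was exported to plain text with one event per line.

```python
"""Correlate AV stop/start windows with file creation times across hosts.

Added example; the log format below is invented for illustration and does
not match any real product's log. All sample data is constructed.
"""
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed AV service log (hypothetical format).
AV_LOG = """\
2005-10-20 09:01:12 HOST-A AV service STARTED by SYSTEM
2005-10-21 17:42:05 HOST-A AV service STOPPED by user jdoe
2005-10-21 17:55:31 HOST-A AV service STARTED by user jdoe
2005-10-20 08:58:44 HOST-B AV service STARTED by SYSTEM
"""

# Constructed file-creation records: (host, path, creation timestamp).
FILE_RECORDS = [
    ("HOST-A", r"C:\Documents and Settings\jdoe\Desktop\game_crack.exe", "2005-10-21 17:47:10"),
    ("HOST-B", r"C:\WINDOWS\system32\svch0st.exe", "2005-10-21 18:03:22"),
    ("HOST-C", r"C:\WINDOWS\system32\svch0st.exe", "2005-10-21 18:09:40"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) AV service "
    r"(?P<action>STARTED|STOPPED) by (?P<actor>.+)$"
)


def parse_av_log(text):
    """Return (timestamp, host, action, actor) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the expected shape are skipped
            events.append((datetime.strptime(m["ts"], TS_FMT),
                           m["host"], m["action"], m["actor"]))
    events.sort(key=lambda e: e[0])
    return events


def disabled_windows(events):
    """Map host -> list of (stop_time, start_time_or_None, actor) intervals.

    A STOPPED event opens a window; the next STARTED on the same host closes
    it. A window still open at the end of the log has start_time None.
    """
    windows, open_stop = {}, {}
    for ts, host, action, actor in events:
        if action == "STOPPED":
            open_stop[host] = (ts, actor)
        elif action == "STARTED" and host in open_stop:
            stop, who = open_stop.pop(host)
            windows.setdefault(host, []).append((stop, ts, who))
    for host, (stop, who) in open_stop.items():
        windows.setdefault(host, []).append((stop, None, who))
    return windows


def files_created_while_disabled(windows, records):
    """Return records whose creation time falls inside an AV-disabled window."""
    hits = []
    for host, path, ts_str in records:
        ts = datetime.strptime(ts_str, TS_FMT)
        for stop, start, _ in windows.get(host, []):
            if stop <= ts and (start is None or ts <= start):
                hits.append((host, path, ts_str))
                break
    return hits


def infection_order(records):
    """Hosts ordered by earliest creation timestamp of the suspect file."""
    return [h for h, _, _ in sorted(records,
                                    key=lambda r: datetime.strptime(r[2], TS_FMT))]


if __name__ == "__main__":
    wins = disabled_windows(parse_av_log(AV_LOG))
    print("AV-disabled windows:", wins)
    print("Created while AV was off:", files_created_while_disabled(wins, FILE_RECORDS))
    print("Infection order by timestamp:", infection_order(FILE_RECORDS))
```

The output only orders what the evidence already contains: as the thread notes, an administrator can erase the AV log and file timestamps can be altered, so an empty hit list proves nothing on its own, and a hit is a lead to corroborate against the registry and browser history rather than a conclusion.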

