Computer-Forensics mailing list

Re: Worm Origin

Subject: Re: Worm Origin
Date: Thu, 27 Oct 2005 00:52:11 +0200
You can try looking for:

- AV logs, comparing infection timestamps (are your clocks synchronized? Can
  you trust such logs?) and finding out the first system compromised. Maybe
  this isn't the suspect's workstation...

- Net logs, looking for traffic toward VX-zines...

- Evidence of the binary that contained Korgo and was used as the spread
  initiator. Maybe the suspect didn't wipe that! What are her skills? If
  you're a bit lucky, you can find some of Korgo's stuff in addition to the
  worm's defaults.

My unique €cent.

Please let me know news... I'm interested in your case.

Good luck.. Ciao! :)

--
mk




Joel A. Folkerts wrote:
List:

BACKGROUND
 A user admitted to a confidential source that she released a virus on her small
LAN. Before I was able to seize and image the user's machine, a local
sysadmin scanned the small LAN with NAV and found several machines were
infected with W32.Korgo.X
(http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.korgo.x.html
). We subsequently seized and imaged the user's machine, where NAV had
quarantined the virus.

QUESTION
 Is there a definitive method to determine whether the user started the local
infection or was merely another victim of it? My theory is that
she downloaded the virus from a hack website and manually began the
infection. Any help would be greatly appreciated!

-Joel
 
---
"Illegitimis non carborundum."
Latin translation: "Don't let the bastards grind you down."
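The first suggestion above (correlate AV quarantine timestamps across hosts, but only after checking whether the clocks can be trusted) is the part most likely to go wrong in practice, because the host that logged the earliest detection is not necessarily the first one infected if its clock was off. The following is an added example, not code from either poster, that shows the normalisation step: it parses a constructed, hypothetical comma-separated AV log (the field layout is made up for illustration and is not Symantec's real NAV log format), applies per-host clock offsets measured at seizure time, and reports the earliest trusted detection together with any hosts whose offsets are unknown and whose times therefore cannot be ranked. Host names, timestamps and offsets are all constructed.

```python
"""Normalise per-host AV detection timestamps against a reference clock and
find the earliest ("patient zero") detection of a given threat.

Added example; the log format and all data below are constructed for illustration.
"""
from datetime import datetime, timedelta
import re

# Constructed AV log lines, hypothetical "date,time,host,threat,action" layout.
SAMPLE_AV_LOGS = """\
2005-10-24,09:10:02,WS-ACCT-03,W32.Korgo.X,Quarantined
2005-10-24,09:11:50,WS-ACCT-07,W32.Korgo.X,Quarantined
2005-10-24,09:20:31,SRV-FILE-01,W32.Korgo.X,Quarantined
2005-10-24,09:13:10,WS-ACCT-05,W32.Korgo.X,Quarantined
2005-10-24,09:19:44,WS-ACCT-03,Trojan.Dropper,Quarantined
"""

# Constructed clock offsets measured at seizure: (host clock - reference clock).
# Positive means the host clock ran fast. None means the offset was never measured,
# so that host's timestamps cannot be placed on the reference timeline.
CLOCK_OFFSETS = {
    "WS-ACCT-03": timedelta(seconds=-45),
    "WS-ACCT-07": timedelta(minutes=4, seconds=10),
    "SRV-FILE-01": timedelta(seconds=2),
    "WS-ACCT-05": None,
}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}),(\d{2}:\d{2}:\d{2}),([^,]+),([^,]+),([^,]+)$")


def parse_av_log(text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, clock, host, threat, action = m.groups()
        local_ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append({"host": host, "threat": threat, "action": action, "local_ts": local_ts})
    return events


def normalise(events, offsets):
    """Convert each event's local timestamp to reference time by subtracting the
    host's measured offset. Events from hosts with no measured offset are kept
    but flagged untrusted so they are never used for ordering."""
    out = []
    for ev in events:
        ev = dict(ev)
        off = offsets.get(ev["host"])
        if off is None:
            ev["ref_ts"] = None
            ev["trusted"] = False
        else:
            ev["ref_ts"] = ev["local_ts"] - off
            ev["trusted"] = True
        out.append(ev)
    return out


def raw_first_infection(events, threat):
    """Naive answer: earliest detection by the hosts' own (unsynchronised) clocks."""
    hits = [e for e in events if e["threat"] == threat]
    return min(hits, key=lambda e: e["local_ts"]) if hits else None


def first_infection(events, threat):
    """Earliest trusted detection of `threat` on the reference clock, plus the
    sorted list of hosts whose clocks were never measured and so might in fact
    have been hit earlier than the returned event."""
    hits = [e for e in events if e["threat"] == threat]
    trusted = [e for e in hits if e["trusted"]]
    untrusted = sorted({e["host"] for e in hits if not e["trusted"]})
    earliest = min(trusted, key=lambda e: e["ref_ts"]) if trusted else None
    return earliest, untrusted


if __name__ == "__main__":
    raw_events = parse_av_log(SAMPLE_AV_LOGS)
    naive = raw_first_infection(raw_events, "W32.Korgo.X")
    earliest, unknown = first_infection(normalise(raw_events, CLOCK_OFFSETS), "W32.Korgo.X")
    print(f"by host clocks:   {naive['host']} at {naive['local_ts']:%H:%M:%S}")
    print(f"by reference:     {earliest['host']} at {earliest['ref_ts']:%H:%M:%S}")
    print(f"cannot be ranked: {', '.join(unknown) or 'none'}")
```

With the constructed data, the host clocks alone point at WS-ACCT-03, but once WS-ACCT-07's fast clock is corrected it becomes the earliest detection, and WS-ACCT-05 is reported separately because its offset was never recorded. That is the caveat in the reply above: without a measured offset for every host, the log timeline only bounds the first infection, it does not prove it.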