Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Compromised WinXP box prob

from [Robert S. Slifkin] Network Security [Permanent Link]
Subject: RE: Compromised WinXP box prob
Date: Mon, 17 Mar 2008 16:36:25 -0400 
Of course he needs the client's permission first, and he could possibly
remove sensitive data before imaging.  


____________________________________
Robert S. Slifkin
Email: Rob@slifkin.net
Phone: 203.962.3878

-----Original Message-----
From: Jay [mailto:jay.tomas@infosecguru.com] 
Sent: Monday, March 17, 2008 3:00 PM
To: Robert S. Slifkin; focus-ms@securityfocus.com
Subject: RE: Compromised WinXP box prob

You need to consider the liability of imaging of clients data . If you
are at some point compromised or there is a physical theft you are
placing your business and the client at risk. 

Jay



----- Original Message -----
From: Robert S. Slifkin [mailto:rob@SLIFKIN.NET]
To: focus-ms@securityfocus.com
Sent: Mon, 17 Mar 2008 13:41:41 -0400
Subject: RE: Compromised WinXP box prob

I agree, imaging if possible and a wipe is probably the best option.
Forensic analysis never hurts, but it shouldn't be done at the expense
of the customer (convenience, time to fix, etc).   


________________________________
Robert S. Slifkin
Email:  Rob@slifkin.net
Phone: 203.962.3878

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Devin Ganger
Sent: Monday, March 17, 2008 1:34 PM
To: Mike Moratz-Coppins; focus-ms@securityfocus.com
Subject: RE: Compromised WinXP box prob

With all the problems you've described on this box, you're better off
nuking it and reinstalling from scratch. If you really want to play with
it and learn from it, take an image of the hard drive before you do so
(with, of course, the customer's consent). That way the customer gets
back up and running quickly and you can perform forensic analysis at
your leisure.

Be aware, though, with all of the access to the drive that you've
described, you're going to have a very tough time actually determining
exactly what happened. The fact that it is XP SP1 (not SP2) dramatically
increases the likelihood of malware's role in ruining this installation.

--
Devin L. Ganger, Exchange MVP      Email: deving@3sharp.com
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/



-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of Mike Moratz- 
Coppins
Sent: Saturday, March 15, 2008 8:11 AM
To: focus-ms@securityfocus.com
Subject: Compromised WinXP box prob

I am self-employed; fixing computers for customers for a living.  I 
have a customer's machine at home at the moment because I am stumped 
by a problem on it.

I'll describe the history (AFAIK) up to this point - the customer was 
running WinXP SP1 with Norton Antivirus.  They noticed a problem where



it looked like lots of e-mails were outgoing, Norton detected viruses 
but wasn't able to get rid of them.  The customer rang Symantec 
support, who spent about an hour doing remote assistance on their 
machine, seemingly trying to delete the virus-infected files only to 
have them recreated on reboot.  The Symantec guy gave up after a while



and advised the customer that they should get hold of a WinXP CD (I'm 
not sure what their intention was at this point).  When the customer 
managed to get hold of a WinXP CD, they rang Symantec back only to be 
told that they should get someone local to deal with the problem.
Then the customer called me.

When the computer boots, it seemingly does a normal Windows boot (the 
normal Windows XP progress bar (green as it is Home Edition and pre 
SP2), but then the next screen it shows is saying safe mode (no reboot



in between).  Standard welcome screen, but no accounts can log in 
("your account cannot log in due to an account restriction" - perhaps 
not exactly word-for-word but the message looks like a genuine Windows



message rather than something crafted by a third party).  This goes 
for all accounts on the machine including administrator.

I tried all safe modes and 'last known good' but same result.  Next I 
tried the ntpasswd boot CD and reset all accounts' passwords, though 
none of them said locked out/disabled etc.  Boot again, no difference.

I booted off my WinXP CD into recovery console, and as the customer 
mentioned boot sector viruses, for the sake of being thorough I used 
FIXMBR and FIXBOOT to rewrite the boot sector and MBR.  No difference 
to normal Windows boot.  Again in recovery console, I checked for the 
file names that the customer said that Norton mentioned.  Neither of 
them were familiar, but I think I found one of them and renamed it to 
stop it potentially executing on boot.  No difference to bootup.

I guessed that the 'account restriction' might be the 'log on locally'
right but I haven't found a way of configuring this.  I tried renaming



logonui.exe to cmd.exe but that command prompt won't let me run any 
other executables (not enough quota message) such as ntrights.exe.
One
possibility I can think of is to set up a LAN with DHCP, put my laptop



on it and the machine in question and try to do ntrights over the 
network but I would have thought that the firewall on that machine 
would stop that attempt.  Of course I could be barking up the wrong 
tree with this overall 'account restriction' theory.  I also tried 
having REGEDIT.EXE run in the place of LOGONUI.EXE but it errors 
saying I didn't supply it with an argument.  Eventually it gives up 
trying to run it and goes to the winlogon classic UI, which 
unsurprisingly gives me the same account restriction error.

The other problem I have noticed is that I saw a few iffy-looking 
services in recovery console using LISTSVC but I can't configure the 
service startup type as the command complains that there isn't a 
CurrentControlSet key.

That last problem makes me think that this and the 'account 
restriction'
were inadvertently caused by Symantec support, perhaps one of their 
removal utilities (which I've noticed one or two on C drive) has done 
some damage.  My only other theory is that some over-zealous malware 
writer has designed some sort of self-destruct system but I can think 
of more effective ways of achieving such an end and overall I think 
this theory is rather alarmist.

I've mounted the disk on my machine and virus-scanned it.  It has 
removed a few assorted virus-infected files and cleaned up a couple of



others (such as lsass.exe - not misspelt), but the machine still 
doesn't start.  I've backed up the customer's data and I have got the 
customer's consent to nuke the installation but I would prefer not to 
if it isn't necessary (and learn from this experience), though of 
course I don't want to spend a huge amount of hours on this problem 
only to fall back on the repair-reinstall/clean-install option.

If anyone has any ideas I would much appreciate hearing them!


--
Mike Moratz-Coppins
mike@mikeymike.org.uk
http://www.mikeymike.org.uk/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Compromised WinXP box prob, Robert S. Slifkin
Next by Date:  RE: Compromised WinXP box prob, Jay
Previous by Thread:  RE: Compromised WinXP box prob, Jay
Next by Thread:  RE: Compromised WinXP box prob, Jay
Indexes:  [Date] [Thread] [Top] [All Lists]