I am very new to forensics, and I have never had to do an investigation to track down a piece of mailing software.
The computer is basically acting as a mass mailer sending out thousands of messages per minute.
The messages have the form:

TO: randomletters@randomletters.com
FROM: randomletters@randomletters.com
Subject: 3 random letters
Message: what appears to be a coherent message, but when you highlight it there are actually random letters hidden between the text, which randomizes the message every time.
I have started looking through the internet history, as I found a java.openconnection type virus on the drive and an IE crash from loading a PDF, which made me think it might have been a script in a PDF/mail attachment.
I don't really know how to search for this infection or where to start; has anyone with more experience seen anything like this before?
I should also add that I was not allowed to work on the computer live due to issues with the person who owned it, so I have a hard drive image as well as a very rough "win audit" I took from an unprivileged account.
Is your goal incident response (i.e. identify the issue and resolve it)? Sounds like you've done that. If you need full-on malware analysis and/or damage assessment, then yes, you do need to start analyzing the computer.
But, to 'get the job done' exactly how much malware analysis do you need to do?
Regardless, with your situation and no memory capture, your first priority is to enumerate running processes. This can be done from deadbox analysis: you need to query the 'usual suspects' for startup data, then account for each startup item. That might be hard, since stuff can hide pretty well; you essentially need the offline equivalent of Sysinternals' Autoruns.
Another approach is to image the drive and then boot up the computer on an isolated network; sniffer running, acquire memory and all that to determine what is going on.
Hash sets can be your friend - help in narrowing down the good from the bad.
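Added example, not code from any poster in this thread: an offline (deadbox) pass over the usual Run/RunOnce/Winlogon startup locations by loading the image's own registry hives in PowerShell, with a SHA-256 of each referenced binary so it can be checked against a hash set. It assumes the image is mounted read-only at E: and that the profile of interest is named 'victimuser'; both are placeholders, and the prompt must be elevated for reg load.

```powershell
# Added example; assumptions: image mounted read-only at E:, profile 'victimuser'.
$ImageRoot   = 'E:'            # assumed mount point of the hard drive image
$ProfileName = 'victimuser'    # placeholder for the profile that was logged in

# Load the offline hives under temporary keys so the workstation's own registry
# is never touched; they are unloaded again at the end.
$hives = @{
    'OFF_SOFTWARE' = Join-Path $ImageRoot 'Windows\System32\config\SOFTWARE'
    'OFF_NTUSER'   = Join-Path $ImageRoot "Users\$ProfileName\NTUSER.DAT"
}
foreach ($name in $hives.Keys) { reg load "HKLM\$name" $hives[$name] | Out-Null }

# The 'usual suspects': machine- and user-level Run keys plus Winlogon Shell/Userinit.
$autorunKeys = @(
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\OFF_NTUSER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OFF_NTUSER\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

$findings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ($key -like '*Winlogon' -and $p.Name -notin 'Shell','Userinit') { continue }
        # Heuristic: strip surrounding quotes and trailing " -args" to isolate the binary.
        $exe = ($p.Value -replace '^"([^"]+)".*$', '$1') -split '\s+-' | Select-Object -First 1
        # Remap the image's system drive letter onto the mount point (assumes it was C:).
        $onImage = $exe -replace '^[A-Za-z]:', $ImageRoot
        $hash = if (Test-Path $onImage -PathType Leaf) {
            (Get-FileHash -Path $onImage -Algorithm SHA256).Hash
        } else { 'MISSING' }   # a referenced file that no longer exists is itself a lead
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; SHA256 = $hash }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\autoruns_offline.csv -NoTypeInformation

foreach ($name in $hives.Keys) { reg unload "HKLM\$name" | Out-Null }
```

Services live in the SYSTEM hive under ControlSet001\Services (there is no CurrentControlSet in an offline hive) and can be walked the same way; the SHA256 column is what you compare against a known-good hash set to discard stock binaries quickly.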
Basically, I was told "here is a laptop hard drive, we are not going to fix it, but we need you to image it and analyze it." The computer is gone and I have no way of getting back to it (my company doesn't understand live > "dead").
It was already turned off and "problem solved" by a tech before I got it. My job is to find the attack vector, i.e. how the mailer got on the machine, and what exactly the mailer is. The computer, as I am learning, is an unmaintained version of Windows Vista that basically has a 500GB hard drive full of junk.
I feel it's going to be a long, slow process.
I was given the results of WinAudit run on the machine by the IT tech at a non-admin account level, and not run in the account which was active on the machine, so the "open processes" are likely not the correct "open processes", as the machine was restarted, altered, and then logged in as someone else... It's a good thing we don't have to present our findings legally!!
If the machine isn't maintained, then I guess you'll find that the operating system isn't patched, Flash isn't patched, the browser is old, Adobe Reader is old, Java run time is old, etc..
If this was the case then there would have been 100s of different holes for malware to get onto the machine. Not to mention social engineering.
A lot of malware also comes with a suite of exploits, which they try one after another. In that type of environment you aren't going to be able to identify which particular hole was exploited unless you get very lucky.
You can somewhat get away with this if you are on a corporate network with gateway filters, but I am guessing the laptop was used all over the place.
It's just a nightmare. The computer I was given to be my forensic workstation is now also dying. I have found a reference to the URL given in the mailer in a file in Windows, and I also found a Java file which is a java.openconnection, which I think is likely one of the main exploit points.
Passmark, you are completely right: looking through system logs, I see an IE crash a few days before the incident, which was caused by a PDF, so I checked Adobe, and it's 2 versions out of date, and IE is version 5.
It has been very slow progress thus far!
IE version 5.
They were begging to be owned -)
IMHO it is time to give up on it. You have established probable cause, and already know the technical solution.
The only interesting point worth looking at now is what poor excuse for an IT policy allowed the machine to go for so long without being patched, i.e. who allowed this to happen and how to fix / enforce company policy for the future.