Join Us!

Notifications
Clear all

Netbios traces ?  

  RSS
psycko
(@psycko)
New Member

Hello,
Which are the traces left by a NETBIOS connection ?
How to find traces left by the author of the hacking?
Is there a possibility to find the author ?

Regards

Psy

Quote
Posted : 25/03/2006 5:45 am
keydet89
(@keydet89)
Community Legend

psyko,

It depends. What operating system are your using, or is on the victim system? Depending upon the o/s and the audit configuration, there may be something in the logs to help you…such as logon/logoff events.

For someone to log into a system, there must be a user account on that system. Therefore, if someone connected to the victim system using NetBIOS, then it's likely that they knew or figured out the account and password. If that's the case, it may be possible to find the "author", particularly if they left anything behind.

Otherwise, most Windows systems do not log by IP address…for example, in Windows 2000, logins are recorded based on the NetBIOS name of the remote system.

HTH,

Harlan

ReplyQuote
Posted : 25/03/2006 5:33 pm
psycko
(@psycko)
New Member

Hello Harlan
In fact the system used in the cases are windows 2000 and XP !
Someone wrote a kind of virus and sent it on computers by using the netbios connection (I believe) . The author deleted all the events logs.
Is there a possibility to find the bad guy ! )

Regards

Psy

ReplyQuote
Posted : 27/03/2006 3:25 am
keydet89
(@keydet89)
Community Legend

psycko,

Interesting. Is there any reason you didn't mention any of that before?

It's more likely that what you're seeing isn't a virus, but a worm…which, in turn, would mean that the bad guy/author never actually connected to any of these systems himself. The worm may have cleared the Event Log.

What this means is that the systems involved have easily guessed passwords…if the worm did get in via NetBIOS/NetBEUI networking. In the case of the XP systems, did someone shut down the firewall, or were they in a corporate environment?

Is it possible to find the bad guy? Perhaps. Do you have a copy of the worm/virus? Did you scan it to see which one it is…which family and variant? Did you examine it to see if there are any unique identifying strings embedded in the code? Did you perform any sort of dynamic analysis to see if the worm connects to any other servers?

Harlan

ReplyQuote
Posted : 27/03/2006 6:16 pm
psycko
(@psycko)
New Member

You are right Harlan, it's a kind of worm ! wink
This worm seems to cleared the event log.
On the XP system I examined the firewall was curiously down (Norton) and on the other Win 2000 systems there was no firewall in action.

I scanned the worm but it is a home-made worm so no signature in viruses databases. No strings inside it too, just the IP adresses of the servers to attack for making a DDOS (hard coded in the program).

His spreading rate is very low and it concerns only an Internet Service Provider, so I thought to the netbios fault, because it seems that the author send it one by one.

I think it is going to be difficult to find the source ! lol

Regards
Psy

ReplyQuote
Posted : 27/03/2006 7:38 pm
keydet89
(@keydet89)
Community Legend

What program did you use to get the strings from the code? I ask, b/c sometimes the strings may be Unicode, and if you don't use a tool to find Unicode strings…

Also, did you use any other tools on the executable, such as PEiD or anything to parse the PE headers and do some header analysis?

What did you scan the worm with? Which A/V tool(s)? Just curious…

Finally, is there any chance that you could provide a copy of the worm? Put it in a password-protected zip file and make it accessible?

Harlan

ReplyQuote
Posted : 27/03/2006 9:48 pm
psycko
(@psycko)
New Member

I used strings from sysinternals

I used Peid and it is an Microsoft Visual C++ 6.0 program

Norton and Mcaffee viruscan were the A/v

For a copy I think it is possible, perhaps you will see something I missed
I send you the link by private message

Thanks for your help

Psy

ReplyQuote
Posted : 27/03/2006 10:33 pm
keydet89
(@keydet89)
Community Legend

Hhhhmmm…the link doesn't work.

Harlan

ReplyQuote
Posted : 27/03/2006 10:54 pm
psycko
(@psycko)
New Member

Sorry
I tried the link and for me it is working
I don't understand why

Psy

ReplyQuote
Posted : 28/03/2006 4:27 am
keydet89
(@keydet89)
Community Legend

I get prompted for what looks like a login screen…too bad my French is really rusty.

ReplyQuote
Posted : 28/03/2006 5:57 am
psycko
(@psycko)
New Member

Sorry for the french page, here in France, the link is ok
Have you got an email address where I can send you it ?

psy

ReplyQuote
Posted : 28/03/2006 2:44 pm
keydet89
(@keydet89)
Community Legend

Yes, send it to keydet89 at yahoo dot com

ReplyQuote
Posted : 28/03/2006 6:21 pm
keydet89
(@keydet89)
Community Legend

…and if you would, please…zip, not rar.

Thanks,

H

ReplyQuote
Posted : 28/03/2006 6:21 pm
psycko
(@psycko)
New Member

That's ok

Psy

ReplyQuote
Posted : 28/03/2006 8:41 pm
Share: