Restore Point MAC dates question.

(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

I have been doing some reading about this. I also read

Restore Point Forensics

Forensic Focus forum post on RP's from 2004.

and
Restore Point analysis

In FTK, I am looking at a malware-infected machine's image, where 15 of the last 28 restore points contain infected files.

By digging through the prefetch info, getting the earliest mac dates of 28 infected (non RP) files on the system, browsing history and snort logs showing when the machine appears to have been first infected, I 'think' I know the date of the initial infection.
Darned if the mac dates of the restore point folders don't just confuse me.

The mac dates on the restore point folders all have the access date of the date from the last time the machine was powered on.
Created dates I 'think' show the date that the restore point was actually created. I understand that by default they are created every 24 hours. By 'I think' above, I mean, I have breaks in the time sequence which can possibly be explained by weekends and the user not being present on the machine with it powered off for the other days.

So that leaves me with the modified date which is where I get confused.

The Modified date seems to be 'about' 24, 48 hours and twice, four and five days later than the created date.

What I am interested in, is understanding why the discrepancy? What controls the modified date on the RP ?

As always, I want to take the best guess possible as to the original infection date. All 28 (non RP) infected files are from a 13 minute period of time on a single day.

The RP's which contain infected files are from dates over almost 3 months. It isn't impossible that our IDS network didn't pick it up over that period of time, but it is very unlikely. Our IDS crew has a response time usually measured in hours, not weeks or months. Regardless, I am wondering if maybe the malware is injecting itself into random Restore Points in the hope of maintaining an infection on folks who attempt cleaning via restoring to a previous time…

Also, has anyone ever seen malware that creates an RP as part of its infection/installation process?

Any thoughts are appreciated.

–Bruce
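
One way to check the Created/Modified pattern described above against the whole set of RP folders, instead of eyeballing it: the script below is an added example, not code from the original post. It takes folder timestamps (constructed sample rows here, in the form an examiner might export from FTK) and, for each RP, reports the Modified-minus-Created delta, flags creation gaps longer than the expected 24-hour cadence, and tests one hypothesis the thread invites: that a folder's Modified time reflects the last file written into it while it was the current restore point, so it should land near the next RP's Created time. That hypothesis is an assumption to be verified against the image, not an established fact from the post.

```python
from datetime import datetime, timedelta

# Constructed sample rows: (folder, created, modified, accessed).
# Accessed is identical everywhere, matching the poster's observation that
# it only records the last time the machine was powered on.
SAMPLE_RPS = [
    ("RP101", "2011-04-05 09:02", "2011-04-06 09:10", "2011-06-30 08:00"),
    ("RP102", "2011-04-06 09:10", "2011-04-08 11:30", "2011-06-30 08:00"),
    ("RP103", "2011-04-08 11:30", "2011-04-12 12:00", "2011-06-30 08:00"),
    ("RP104", "2011-04-12 12:00", "2011-04-13 12:05", "2011-06-30 08:00"),
]
FMT = "%Y-%m-%d %H:%M"


def parse(rows):
    """Turn the string timestamps into datetime objects."""
    return [(n, datetime.strptime(c, FMT), datetime.strptime(m, FMT),
             datetime.strptime(a, FMT)) for n, c, m, a in rows]


def analyze(rows, expected_interval=timedelta(hours=24),
            slack=timedelta(hours=6), match_tolerance=timedelta(minutes=5)):
    """Per-RP timeline facts, sorted by Created time.

    gap_flag marks a creation gap beyond the 24h default (plus slack), e.g.
    a weekend with the box powered off.  next_created_matches_modified tests
    the hypothesis that Modified == next RP's Created (None for the last RP).
    """
    rps = sorted(parse(rows), key=lambda r: r[1])
    out = []
    for i, (name, created, modified, accessed) in enumerate(rps):
        rec = {
            "name": name,
            "mod_minus_create_days": round((modified - created).total_seconds() / 86400, 2),
            "next_created_matches_modified": None,
            "gap_since_prev_hours": None,
            "gap_flag": False,
        }
        if i + 1 < len(rps):
            rec["next_created_matches_modified"] = abs(rps[i + 1][1] - modified) <= match_tolerance
        if i > 0:
            gap = created - rps[i - 1][1]
            rec["gap_since_prev_hours"] = round(gap.total_seconds() / 3600, 1)
            rec["gap_flag"] = gap > expected_interval + slack
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in analyze(SAMPLE_RPS):
        print(rec)
```

If the hypothesis holds across the real image, the "24, 48 hours, four and five days" Modified offsets are simply the spacing to the next restore point and say nothing about when the malware arrived.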


   
Quote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Bruce,

…I am wondering if maybe the malware is injecting itself into random Restore Points in the hope of maintaining an infection on folks who attempt cleaning via restoring to a previous time…

Also, has anyone ever seen malware that creates an RP as part of its infection/installation process?

Just some thoughts…

Restore Points are not a reliable persistence mechanism, as there's no way to predict how long one will stick around…it could be there for a month or a week, or it could be completely deleted and gone by the end of the day. I've seen systems where, due to maintenance updates and driver installations, three RPs have been created in an 8hr period, with corresponding deletion of other, older RPs.

As such, I wouldn't think that malware would inject itself into RPs. Nor do I think that malware would create an RP. It's much more likely that the malware file would be included as part of the RP, simply by being there on the system.

Now, this is not to say that it isn't possible…all I'm saying is that this isn't something that I've seen, and it doesn't really make sense. If your hypotheses are based on something that you were told, would it be possible to find out the name of the malware?


   
ReplyQuote
(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

I am just conjecturing the above, trying to make sense of the MAC dates of the (infected) RP folders' contents.
The Modified and Created dates of a few of the infected files in the RP's would indicate that the machine was infected far earlier (like 17 months earlier) than the MAC dates of the infected files outside of the RP folders.
The earliest C and M dates of the RP folders containing malware are 4/5/2011 and 4/6/2011, respectively.

The malware names (these will all be Trend Micro names) are:

Infected files not inside of RP Folders

TROJ_FAKEAV.SM29
TROJ_FAKEAV.SM10
TROJ_FAKEAV.SM8
TROJ_RAMNIT.SM2
JAVA_DLOADER.VI
JAVA_AGENT.TEH
JAVA_EXPLT.EZ
JAVA_EXPLT.O
TROJ_GEN.R01C2DL
TROJ_SMALL.RCL

Infected files inside the RP's.

TROJ_FAKEAV.SM8
TROJ_FAKEAV.SM10
TROJ_FAKEAV_SM29

Thanks for your comments. These dates really force me to dig and dig, trying to understand when this machine 'really' first appears to have been infected. I think digital life would be easier if everyone was forced to operate from read-only media…. -)
