Signs of an Intrusion

(@luc_4246)
Active Member
Joined: 18 years ago
Posts: 15
Topic starter  

Hello All,

I was wondering if people could provide some pointers. I am investigating an intrusion on a particular system. There were no odd IDS logs, but I think the sigs are out of date (need to check on that). The user said that they were just browsing the web when their system began to act odd. I know that I can review index.dat to see all the recently visited websites. Oh, the system is XP Pro SP2.

I checked netstat, and there is nothing odd with regard to outbound networking. There were a few pieces of spyware on the system (found in the list of running processes), so I know that something was on the system; now I need to find out how it got there.

What other areas should I be looking at as possible signs of an intrusion?

Thanks,

Alan


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Can you give us an idea of what "began to act odd" might refer to?


(@luc_4246)
Active Member
Joined: 18 years ago
Posts: 15
Topic starter  

The user complained that while surfing the web (I still need to go through the index.dat file to see where the user was browsing). There were several new icons on the user's desktop (links to rogue antispyware products) and there were some odd processes running. I found the processes and found out that they were malware (named generic trojans). The system also seemed to run slow.

I think that I found all the malware that was dropped, I just now need to know how it got on the system. What is the best way to identify the vector?

I know it was not mail.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The user complained that while surfing the web (I still need to go through the index.dat file to see where the user was browsing). There were several new icons on the user's desktop (links to rogue antispyware products) and there were some odd processes running.

The user complained that while surfing the web…what?? In addition to the system running slowly, what else was there? What did the user complain of?

I think that I found all the malware that was dropped, I just now need to know how it got on the system. What is the best way to identify the vector?

Usually, if you identify the malware, going to the AV vendor's web site and looking up the name of the malware you found will turn up information in the technical description regarding how the malware propagates. From there, you can examine artifacts to confirm this.


(@luc_4246)
Active Member
Joined: 18 years ago
Posts: 15
Topic starter  

Sorry, lack of sleep has made my writing incomplete. There were many ads that appeared immediately after the initial popup, where the user said that they didn't click on anything. As previously mentioned, there were some new icons on the desktop.

I am trying to find some different ways to track down an intrusion if you didn't know what malware or backdoor etc. was on the system. In this case I can follow the suggestions provided (knowing the malware and seeing what the malware vendors suggest), but this got me thinking: what if I didn't know what was on the system but suspected that something was amiss, what could I do to begin searching for clues?

thanks,

Alan.


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

At what point do you suspect this occurrence went from a malware installation to an intrusion?

There is quite a bit of information on malware analysis. Harlan Carvey has written some excellent information on Executable File Analysis in Ch6 of Windows Forensic Analysis. CastleCopsWiki is also a good general reference.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

This doesn't sound like an intrusion at all…if the user complains of ads popping up, it sounds like they got…well…ads.

To answer your question regarding clues, anything that is available on the system…processes, network connections, contents of the Registry, etc. But it doesn't sound as if you have an intrusion to investigate at all…


(@phius)
Eminent Member
Joined: 21 years ago
Posts: 25
 

This sounds like your system has become infected with malware - may possibly be a bot. Try running Helix on the system whilst it is live (i.e. don't boot from Helix, but rather use the autorun feature in Windows). Then run the WFT tool (Windows Forensic Toolchest). When reviewing the results, in particular take a look at FPort - see if there are any unusual open ports (that may have been hidden from the "built-in" netstat). If so, take a closer look at the executable that opened the ports - often they are disguised with "system-sounding" names. It's also worth installing Wireshark to see if you can identify unusual traffic.

At the end of the day though, unless you just want to use this as a learning experience, your best bet is to reinstall with a clean system to get rid of the problem (provided you patch and secure!)
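As an added example, not part of the thread and not code from Helix, WFT or FPort: the port-to-process join that FPort does on the box, done offline in Python over captured `netstat -ano` and `wmic process get ProcessId,ExecutablePath` output (both commands exist on XP SP2 and are the kind of text a live-response toolkit saves). The two captures below are constructed for the example. The heuristics are the editor's own choices, not rules from the post: a system-sounding binary name running from outside System32, an executable under the user profile or Temp, and a PID that owns a socket but is missing from the process list.

```python
"""Cross-reference a live `netstat -ano` capture with the process list so that
every open socket is tied to the executable that owns it.  FPort does this on
the host; here the join is done offline on captured text so the decision
logic is explicit.  Both sample captures below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed `netstat -ano` output (XP SP2 style, PID column present).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1644
  TCP    192.168.1.20:1054      203.0.113.7:6667       ESTABLISHED     1644
  TCP    192.168.1.20:1060      198.51.100.9:80        ESTABLISHED     2208
  TCP    192.168.1.20:1061      203.0.113.7:8080       ESTABLISHED     1777
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1120
"""

# Constructed `wmic process get ProcessId,ExecutablePath` output.  PID 4 (System)
# legitimately has no path; PID 1777 is deliberately absent from the list.
WMIC_SAMPLE = r"""
ExecutablePath                                                      ProcessId
                                                                    4
C:\WINDOWS\system32\svchost.exe                                     900
C:\WINDOWS\system32\svchost.exe                                     1120
C:\Documents and Settings\alan\Local Settings\Temp\svchost.exe      1644
C:\Program Files\Internet Explorer\iexplore.exe                     2208
"""

# Binaries whose names malware likes to borrow, and where the real ones live.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "spoolsv.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\documents and settings\\")

# Proto, local, remote, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass
class Finding:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_netstat(text: str) -> List[Finding]:
    """One Finding per socket line; header and blank lines are skipped."""
    out: List[Finding] = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            out.append(Finding(proto, local, remote, state or "", int(pid), ""))
    return out


def parse_wmic(text: str) -> Dict[int, str]:
    """Map PID -> executable path.  Paths contain spaces, so split the PID off
    the right-hand end instead of splitting on every run of whitespace."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if not parts or not parts[-1].isdigit():
            continue  # header line or blank
        pid = int(parts[-1])
        procs[pid] = parts[0].strip() if len(parts) == 2 else ""
    return procs


def suspicious_sockets(netstat_text: str, wmic_text: str) -> List[Finding]:
    """Join sockets to owning processes and flag the ones worth pulling apart."""
    procs = parse_wmic(wmic_text)
    flagged: List[Finding] = []
    for f in parse_netstat(netstat_text):
        if f.pid in procs:
            f.path = procs[f.pid]
        elif f.pid != 0:
            # A PID that owns a socket yet is missing from the process list is
            # the inconsistency a process-hiding rootkit produces.
            f.reasons.append("socket owner absent from process list")
        low = f.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES and not low.startswith(SYSTEM32):
            f.reasons.append("system-sounding name outside system32")
        if any(marker in low for marker in USER_WRITABLE):
            f.reasons.append("executable in user-writable directory")
        if f.reasons:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in suspicious_sockets(NETSTAT_SAMPLE, WMIC_SAMPLE):
        print(f"{f.proto:<5}{f.local:<24}{f.remote:<24}{f.state:<12}"
              f"PID {f.pid:<6}{f.path or '<no path>'}")
        for r in f.reasons:
            print(f"      - {r}")
```

A socket whose owning PID is absent from the process list is what "hidden from the built-in netstat" looks like in data: when the live process list and the socket table disagree, trust neither and pull the binary from the image instead. Since an on-box netstat can itself be subverted, run the comparison on output from trusted copies of the tools (what Helix and WFT carry) rather than the system's own.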


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

This sounds like your system has become infected with malware - may possibly be a bot.

I'm curious…what led you to this conclusion?


(@luc_4246)
Active Member
Joined: 18 years ago
Posts: 15
Topic starter  

I guess it's a difference in terminology. For my org, any hack, malware, spyware, etc. that occurs on the system is labeled an intrusion. The ads that appeared were adware that was part of a downloader that dropped all kinds of garbage on the system (as mentioned, there was one generic trojan and one rogue antispyware detection tool kit). I need to identify how the dropper/downloader (whatever you want to call it) found its way onto the system.

I have isolated all the processes that I can find and removed them. I have removed the entries in the Run* keys. My thoughts are to find any new or modified files on or around the suspected time when the user first described the odd system behavior. I was reading an article about LastWrite times for Registry keys, specifically HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBStor, to at least rule out any USB device infection. In this key I have located many USB devices as expected, but I don't see any LastWrite times. I am currently reviewing this on my system (Vista) so I don't contaminate the target machine. I want to know what I am looking for first. Should I be expecting to see a LastWrite time for every entry in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBStor for the listed USB devices? Or is there another place to look for MAC times for Registry keys?

Thanks,
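Added example, not from the thread: how to read the LastWrite time asked about above and fold it into the "new or modified around the reported time" check from the same post. Regedit does not display LastWrite times; the value sits in the key header and is returned by RegQueryInfoKey, which Python's standard winreg.QueryInfoKey wraps, so the USBSTOR walk below runs only on Windows and is read-only. The FILETIME conversion, the incident time and the sample events are constructed for the example; the filesystem walk is meant for a mounted copy of the evidence, not the live system disk.

```python
"""Registry LastWrite times and file mtimes around an incident window.

Regedit shows no LastWrite column; the value sits in the key header and is
returned by RegQueryInfoKey, exposed in Python as winreg.QueryInfoKey.  The
sample events and incident time are constructed; the USBSTOR walk is
read-only and needs Windows."""
import os
import sys
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"

Event = Tuple[str, datetime]  # (artifact label, UTC timestamp)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def usbstor_lastwrite() -> List[Event]:
    """LastWrite time of every USBSTOR device-instance key on the live system.

    QueryInfoKey returns (subkey_count, value_count, last_write_filetime);
    the third element is the timestamp regedit never shows."""
    import winreg  # imported here so the rest of the file runs on other platforms
    events: List[Event] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            device = winreg.EnumKey(root, i)              # e.g. Disk&Ven_...&Prod_...
            with winreg.OpenKey(root, device) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    instance = winreg.EnumKey(dev_key, j)  # serial number or &n
                    with winreg.OpenKey(dev_key, instance) as inst_key:
                        last_write = winreg.QueryInfoKey(inst_key)[2]
                        events.append((f"{USBSTOR_PATH}\\{device}\\{instance}",
                                       filetime_to_datetime(last_write)))
    return events


def walk_mtimes(root: str) -> List[Event]:
    """Modification times for every file under root (point it at a mounted
    copy of the evidence, never at the live system disk)."""
    events: List[Event] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable entry; skip it rather than abort the walk
            events.append((path, datetime.fromtimestamp(mtime, tz=timezone.utc)))
    return events


def in_window(events: List[Event], incident: datetime,
              before: timedelta = timedelta(hours=1),
              after: timedelta = timedelta(hours=1)) -> List[Event]:
    """Artifacts timestamped within [incident - before, incident + after],
    oldest first: the 'new or modified around the reported time' filter."""
    lo, hi = incident - before, incident + after
    return sorted((e for e in events if lo <= e[1] <= hi), key=lambda e: e[1])


# Constructed incident time, given as a FILETIME so the conversion is exercised:
# 128496330000000000 ticks == 2008-03-10 14:30:00 UTC.
INCIDENT = filetime_to_datetime(128496330000000000)

# Constructed sample of what the two walks above might return.
SAMPLE_EVENTS: List[Event] = [
    (USBSTOR_PATH + r"\Disk&Ven_Generic&Prod_Flash_Disk\0123&0", INCIDENT - timedelta(days=40)),
    (r"C:\Documents and Settings\alan\Local Settings\Temp\ab12.tmp", INCIDENT - timedelta(minutes=3)),
    (r"C:\WINDOWS\system32\drivers\etc\hosts", INCIDENT + timedelta(minutes=20)),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", INCIDENT + timedelta(minutes=21)),
    (r"C:\WINDOWS\system32\ntoskrnl.exe", INCIDENT - timedelta(days=600)),
]

if __name__ == "__main__":
    events = list(SAMPLE_EVENTS)
    if sys.platform == "win32":
        events += usbstor_lastwrite()  # real LastWrite times when run on the box
    for label, when in in_window(events, INCIDENT):
        print(when.strftime("%Y-%m-%d %H:%M:%S UTC"), label)
```

On XP the LastWrite time of a USBSTOR instance key is commonly read as the last time that device was connected; confirm it against setupapi.log before relying on it. All of these times come from the system's own clock, so record the clock offset when the machine is imaged, and widen the window if the user's recollection of "when it started acting odd" is vague.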


Page 1 / 2