I guess it's a difference in terminology. For my org, any hack, malware, spyware, etc. that occurs on the system is labeled an intrusion.
Wow…you and I are geographically close, but worlds apart with regards to terminology.
I was reading an article about LastWrite times for Registry keys, specifically HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBStor, to at least rule out any USB device infection. In this key I have located many USB devices as expected, but I don't see any LastWrite times.
Do you know where they are located? Perhaps the article you mentioned can describe what you need to look for.
I am currently reviewing this on my system (Vista) so I don't contaminate the target machine. I want to know what I am looking for first. Should I be expecting to see a LastWrite time for every entry in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBStor for the listed USB devices? Or is there another place to look for MAC times for Registry keys?
First, Registry keys do not have MAC times…only a LastWrite time, which is analogous to a last modification or last written time on files.
Second, most tools don't show key LastWrite times…RegEdit doesn't.
Finally, LastWrite times on keys/subkeys beneath the Enum\USBStor key won't show you when the device had last been connected to the system.
All of this is covered in a book titled, Windows Forensic Analysis. I hear that it's a great read and an easy reference.
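Since RegEdit does not display key LastWrite times, here is an added example (not code from any poster or from the book mentioned) of reading them through the Win32 RegQueryInfoKey call via Python's standard winreg module; it assumes a Windows host and the USBStor path named above, and the FILETIME conversion runs anywhere.

```python
import sys
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Path taken from the thread above (relative to HKEY_LOCAL_MACHINE).
USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBStor"


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a raw FILETIME (as returned by winreg.QueryInfoKey) to a UTC datetime."""
    if filetime < 0:
        raise ValueError("FILETIME cannot be negative")
    # Integer-divide by 10 to go from 100 ns units to microseconds.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def usbstor_lastwrite_times(root_path: str = USBSTOR_PATH) -> dict:
    """Return {subkey_name: LastWrite datetime} for every subkey under USBStor.

    A subkey's LastWrite time records when that key itself was last modified
    (created, or had a value or subkey written). As the reply above notes, that
    is not the same thing as the last time the device was connected.
    """
    if sys.platform != "win32":
        raise OSError("Registry access requires Windows")
    import winreg  # standard library, available on Windows only

    results = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root_path) as root:
        subkey_count, _, _ = winreg.QueryInfoKey(root)
        for i in range(subkey_count):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                # QueryInfoKey returns (num_subkeys, num_values, last_write_filetime).
                _, _, last_write = winreg.QueryInfoKey(sub)
                results[name] = filetime_to_datetime(last_write)
    return results


if __name__ == "__main__":
    for name, ts in sorted(usbstor_lastwrite_times().items()):
        print(f"{ts.isoformat()}  {name}")
```

Run it on the examiner's workstation, not the target, as the thread already recommends; when working from an acquired hive file rather than a live system, a hive parser is needed instead of winreg.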
I'm curious…what led you to this conclusion?
It was from studying that "great read" of yours, Keydet.
Seriously though, it's far from being a "conclusion" given the limited info provided. Nonetheless, there are many autoclick bots that will try to install and earn ad-clicking revenue for the herder.
Luc - I'd be surprised if the infection came from a USB… was the system fully patched? AV? Firewall? You were probably right earlier… often this type of infection comes from visiting a malicious website. If you have identified some of the malware, how about mapping the creation times to the browsing history times… using NetAnalysis would be my advice.
Why is this so important to find out? This kind of thing happens all the time… Even if you find the malicious site, what will you be able to do about it?