Doh, that's supposed to end "people with more experience than me saying stuff smarter than me".
Thanks,

On Wed, Sep 30, 2009 at 4:45 PM, Ben Greenfield <[email protected]> wrote:
> I'm doing a forensic analysis of a Zeus/Zbot infection for a client.
> I came across something kind of interesting that I didn't initially
> notice, and I'm hoping that someone can confirm or blow away a thought
> I just had.
>
> Here is some backup information:
> ~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
> -rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe
>
> ~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
> -rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe
>
> For argument's sake, let's assume that the timestamps are accurate and
> that the malware isn't modifying its creation timestamp (which I
> wonder about because of 2009-02-09 and 2009-09-02 having numbers
> swapped). If I'm not mistaken, the -0400 and -0500 refer to offset from
> Greenwich Mean Time. If that's the case, is it fair for me to assume
> that -0500 indicates that the computer which created the malware was
> configured with a different timezone than the one which was infected?
>
> Thanks, I look forward to people with more experience than saying
> smart stuff now :)
>
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
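One way to test the timezone question before drawing a conclusion, as an added example that is not part of the thread: parse the two `ls --full-time` lines quoted above (`-lt` shows the modification time, `-ltu` the last access time), convert each stamp to UTC, and check whether the recorded offset is the one a US zone with a given standard offset would have used at that instant under the post-2007 US daylight-saving rule. The standard offset of -5 hours (US Eastern) is an assumption, and the DST rule is hard-coded so the check runs without a tz database.

```python
import re
from datetime import datetime, timedelta, timezone

# The two lines from the thread, re-typed here as constructed sample input.
SAMPLE = [
    "-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe",  # ls -lt  (mtime)
    "-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe",  # ls -ltu (atime)
]

# perms links owner group size YYYY-MM-DD HH:MM:SS[.frac] +HHMM name
LS_LINE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?\s+"
    r"(?P<offset>[+-]\d{4})\s+(?P<name>.+)$"
)

def parse_ls_full_time(line):
    """Return (file name, timezone-aware datetime) from one `ls --full-time` line."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError("not an ls --full-time line: %r" % line)
    stamp = "%s %s %s" % (m.group("date"), m.group("time"), m.group("offset"))
    return m.group("name"), datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")

def _nth_sunday(year, month, n):
    first = datetime(year, month, 1)                      # Monday == 0, Sunday == 6
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def us_offset_at(instant, std_hours):
    """UTC offset a US zone with standard offset std_hours used at `instant`.
    Post-2007 rule: DST from 02:00 local on the 2nd Sunday of March until
    02:00 local (01:00 standard) on the 1st Sunday of November."""
    std = timedelta(hours=std_hours)
    local_std = instant.astimezone(timezone.utc).replace(tzinfo=None) + std
    start = _nth_sunday(local_std.year, 3, 2) + timedelta(hours=2)
    end = _nth_sunday(local_std.year, 11, 1) + timedelta(hours=1)
    return std + timedelta(hours=1) if start <= local_std < end else std

def consistent_with_zone(entries, std_hours=-5):
    """True when every recorded offset is what the zone would have shown then,
    i.e. the differing offsets are explained by DST, not by a second timezone."""
    return all(ts.utcoffset() == us_offset_at(ts, std_hours) for _, ts in entries)

if __name__ == "__main__":
    entries = [parse_ls_full_time(line) for line in SAMPLE]
    for name, ts in entries:
        print(name, ts.isoformat(), "-> UTC", ts.astimezone(timezone.utc).isoformat())
    print("consistent with one US Eastern clock:", consistent_with_zone(entries, -5))
```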
