Zeusbot drops tmp1.exe which unpacks and creates sdra64.exe, modifying
its file creation/access time per the below disassembled code-
tmp1 (3rd stage) (Windows XP SP2)
//--- 0x4059D1
// build %SystemRoot%\system32\ntdll.dll and open it read-only
SHGetSpecialFolderPath(0,&[ebp-0x440],CSIDL_SYSTEM,1);
PathCombine([ebp-0x440], [ebp-0x440], "ntdll.dll");
esi = CreateFile([ebp-0x440],GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0);
if(esi != INVALID_HANDLE_VALUE)
{
// read ntdll.dll's creation, last-access and last-write times ...
GetFileTime(esi,&[ebp-0x28],&[ebp-0x30],&[ebp-0x20]);
// ... and stamp them onto the dropped file, whose handle is in [ebp-0x8]
SetFileTime([ebp-0x8],[ebp-0x28],[ebp-0x30],[ebp-0x20]);
CloseHandle([ebp-0x8]);
}
//--- 0x405A48
Basically, file creation, last access, and last write times are copied
from C:\WINDOWS\system32\ntdll.dll
Hope that helps-
Kelson
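A defender-side check for the copy-from-ntdll trick Kelson describes, as an added example (it is not code from the thread or from any tool mentioned in it): the script parses GNU `ls --full-time` lines like the ones Ben quoted, normalizes each stamp to UTC, and flags any file whose recorded timestamps all coincide, to the nanosecond, with those of the reference file. The listing is constructed: the two sdra64.exe lines are the quoted ones, while the ntdll.dll and notepad.exe lines, their sizes and the notepad.exe stamps are invented to exercise the check and are not values from the thread. Normalizing to UTC matters because the offset ls prints is the examining machine's local zone, which moves between standard and daylight time for winter and summer dates, not anything stored with the file.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample listing. The two sdra64.exe lines are the ones quoted in
# the thread; the ntdll.dll and notepad.exe lines are invented to exercise the
# check (sizes and the notepad.exe stamps are placeholders, not real XP values).
SAMPLE_LISTING = {
    "sdra64.exe": {
        "modified": "-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe",
        "accessed": "-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe",
    },
    "ntdll.dll": {
        "modified": "-rwxrwxrwx 1 root root 706048 2009-02-09 07:10:48.000000000 -0500 ntdll.dll",
        "accessed": "-rwxrwxrwx 1 root root 706048 2009-09-02 07:26:08.000000000 -0400 ntdll.dll",
    },
    "notepad.exe": {
        "modified": "-rwxrwxrwx 1 root root  69120 2004-08-04 07:00:00.000000000 -0500 notepad.exe",
        "accessed": "-rwxrwxrwx 1 root root  69120 2009-09-02 07:26:08.000000000 -0400 notepad.exe",
    },
}

# "YYYY-MM-DD HH:MM:SS.fffffffff +HHMM", the shape GNU ls --full-time prints
STAMP_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\.(\d{1,9}) ([+-])(\d{2})(\d{2})"
)


def parse_full_time(line: str) -> datetime:
    """Extract the timestamp from an `ls --full-time` line and return it in UTC."""
    m = STAMP_RE.search(line)
    if m is None:
        raise ValueError(f"no --full-time stamp found in {line!r}")
    date, clock, frac, sign, hours, minutes = m.groups()
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    # ls prints nanoseconds; datetime stores microseconds.
    local = local.replace(microsecond=int(frac.ljust(9, "0")[:6]))
    offset = timedelta(hours=int(hours), minutes=int(minutes))
    if sign == "-":
        offset = -offset
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def collect_times(listing: dict) -> dict:
    """Map file name -> {kind: UTC datetime} for every line in the listing."""
    return {
        name: {kind: parse_full_time(line) for kind, line in lines.items()}
        for name, lines in listing.items()
    }


def files_cloning(times: dict, reference: str = "ntdll.dll") -> list:
    """Names of files whose every recorded stamp equals the reference file's.

    An exact match on all kinds is what a GetFileTime -> SetFileTime copy
    produces and is very unlikely for a file genuinely written at another time.
    """
    ref = times[reference]
    return sorted(
        name
        for name, stamps in times.items()
        if name != reference and all(stamps.get(kind) == ref[kind] for kind in ref)
    )


if __name__ == "__main__":
    times = collect_times(SAMPLE_LISTING)
    for name, stamps in times.items():
        print(name, {k: v.isoformat() for k, v in stamps.items()})
    print("timestamps cloned from ntdll.dll:", files_cloning(times))
```

On a mounted image the input is the real output of `ls -lt --full-time` (modification times) and `ls -ltu --full-time` (access times) for the suspect file and for ntdll.dll; ls has no column for the Windows creation time, and the `-c` time Linux reports is the inode change time, so the creation stamp has to come from a tool that reads the NTFS attributes. That is also where the stronger check lives: SetFileTime only rewrites the $STANDARD_INFORMATION times, so a file whose $FILE_NAME timestamps disagree with them is a good timestomping indicator even when the copied values were not taken from a file you can compare against.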
Date: Wed, 30 Sep 2009 16:46:49 -0400
From: Ben Greenfield <[email protected]>
Subject: Re: [Pauldotcom] Forensic Timestamps Question
To: PaulDotCom Security Weekly Mailing List <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1
Doh, that's supposed to end "people with more experience than me
saying stuff smarter than me".
Thanks,
On Wed, Sep 30, 2009 at 4:45 PM, Ben Greenfield <[email protected]> wrote:
> I'm doing a forensic analysis of a Zeus/Zbot infection for a client.
> I came across something kind of interesting that I didn't initially
> notice, and I'm hoping that someone can confirm or blow away a thought
> I just had.
>
> Here is some backup information:
> ~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
> -rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe
>
> ~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
> -rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe
>
> For argument's sake, let's assume that the timestamps are accurate and
> that the malware isn't modifying its creation timestamp (which I
> wonder about because of 2009-02-09 and 2009-09-02 having numbers
> swapped). If I'm not mistaken, the -0400 and -0500 refer to offset from
> Greenwich Mean Time. If that's the case, is it fair for me to assume
> that -0500 indicates that the computer which created the malware was
> configured with a different timezone than the one which was infected?
>
> Thanks, I look forward to people with more experience than saying
> smart stuff now :)
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com