I just love that!! I do the same with my winenum script .... Note to self: I should randomize the file selection for MACE copy
Sent from my Mobile Phone

On Oct 1, 2009, at 10:04 PM, [email protected] wrote:

> Zeusbot drops tmp1.exe which unpacks and creates sdra64.exe, modifying
> its file creation/access time per the below disassembled code-
>
> tmp1 (3rd stage) (Windows XP SP2)
>
> //--- 0x4059D1
> SHGetSpecialFolderPath(0, &[ebp-0x440], CSIDL_SYSTEM, 1);
> PathCombine([ebp-0x440], [ebp-0x440], "ntdll.dll");
> CreateFile([ebp-0x440], GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE,
>            0, OPEN_EXISTING, 0, 0);   // returned handle ends up in esi
> if (esi != INVALID_HANDLE_VALUE)
> {
>     GetFileTime(esi, &[ebp-0x28], &[ebp-0x30], &[ebp-0x20]);
>     SetFileTime([ebp-0x8], [ebp-0x28], [ebp-0x30], [ebp-0x20]);
>     CloseHandle([ebp-0x8]);
> }
> //--- 0x405A48
>
> Basically, file creation, last access, and last write times are copied
> from C:\WINDOWS\system32\ntdll.dll
>
> Hope that helps-
> Kelson
>
>
> Date: Wed, 30 Sep 2009 16:46:49 -0400
> From: Ben Greenfield <[email protected]>
> Subject: Re: [Pauldotcom] Forensic Timestamps Question
> To: PaulDotCom Security Weekly Mailing List <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Doh, that's supposed to end "people with more experience than me
> saying stuff smarter than me".
>
> Thanks,
>
> On Wed, Sep 30, 2009 at 4:45 PM, Ben Greenfield <[email protected]> wrote:
>> I'm doing a forensic analysis of a Zeus/Zbot infection for a client.
>> I came across something kind of interesting that I didn't initially
>> notice, and I'm hoping that someone can confirm or blow away a thought
>> I just had.
>>
>> Here is some backup information:
>> ~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
>> -rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe
>>
>> ~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
>> -rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe
>>
>> For argument's sake let's assume that the timestamps are accurate and
>> that the malware isn't modifying its creation timestamp (which I
>> wonder about because of 2009-02-09 and 2009-09-02 having numbers
>> swapped). If I'm not mistaken the -0400 and -0500 refer to offset from
>> Greenwich Mean Time. If that's the case, is it fair for me to assume
>> that -0500 indicates that the computer which created the malware was
>> configured with a different timezone than the one which was infected?
>>
>> Thanks, I look forward to people with more experience than saying
>> smart stuff now :)
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
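As an added example (not code from the thread or from any of its posters), here is a small Python script covering the two things a defender would want after reading the above: it parses `ls --full-time` lines like Ben's into timezone-aware datetimes and normalizes them to UTC, and it scans a set of file timestamp records for files whose creation, last-write and last-access times all match `ntdll.dll` to the second, which is the residue the disassembled `GetFileTime`/`SetFileTime` sequence leaves behind. The file records are constructed inline (the `sdra64.exe` times are the ones from Ben's listing; `kernel32.dll` and `notepad.exe` entries are made up) so the script runs offline; on a real image the same records would come from `os.stat` or an MFT parser. Two caveats the thread does not spell out: NTFS stores timestamps in UTC and `ls` renders them in the analysis machine's local zone, so the `-0500` and `-0400` offsets describe the examiner's zone (which itself shifts with daylight saving between February and September), not the zone of whatever machine built the file; and an exact three-way match with `ntdll.dll` is a lead to examine, not proof on its own.

```python
"""Timestamp helpers for the sdra64.exe thread (added example, not the list's own code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FileTimes:
    """Creation, last-write and last-access times of one file, all timezone-aware."""
    name: str
    created: datetime
    modified: datetime
    accessed: datetime


def parse_ls_full_time(line: str) -> tuple[str, datetime]:
    """Parse one `ls -l --full-time` line into (file name, timezone-aware datetime).

    GNU ls prints nanoseconds; strptime's %f accepts at most six digits, so the
    fraction is truncated to microseconds before parsing.
    """
    parts = line.split()
    date_s, time_s, tz_s = parts[5], parts[6], parts[7]
    name = " ".join(parts[8:])
    whole, _, frac = time_s.partition(".")
    stamp = f"{date_s} {whole}.{(frac or '0')[:6]} {tz_s}"
    return name, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f %z")


def utc_offset_hours(dt: datetime) -> float:
    """Offset of an aware datetime from UTC, in hours (e.g. -5.0 for -0500)."""
    return dt.utcoffset().total_seconds() / 3600


def to_utc_iso(dt: datetime) -> str:
    """Render an aware datetime in UTC, the form NTFS actually stores on disk."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def find_timestamp_clones(files, reference="ntdll.dll", tolerance_s=0):
    """Names of files whose created/modified/accessed times all match the
    reference file's within tolerance_s seconds (default: exact match)."""
    ref = next(f for f in files if f.name == reference)
    clones = []
    for f in files:
        if f.name == reference:
            continue
        if all(
            abs((getattr(f, field) - getattr(ref, field)).total_seconds()) <= tolerance_s
            for field in ("created", "modified", "accessed")
        ):
            clones.append(f.name)
    return clones


# --- Constructed sample input ----------------------------------------------
# Ben's two `ls --full-time` lines from the thread, quote markers removed.
LS_MTIME_LINE = "-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe"
LS_ATIME_LINE = "-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe"

_utc = timezone.utc
_T_WRITE = datetime(2009, 2, 9, 12, 10, 48, tzinfo=_utc)   # 07:10:48 -0500 expressed in UTC
_T_ACCESS = datetime(2009, 9, 2, 11, 26, 8, tzinfo=_utc)   # 07:26:08 -0400 expressed in UTC

# Invented system32 records: sdra64.exe mirrors ntdll.dll exactly, the others do not.
SAMPLE_FILES = [
    FileTimes("ntdll.dll", _T_WRITE, _T_WRITE, _T_ACCESS),
    FileTimes("sdra64.exe", _T_WRITE, _T_WRITE, _T_ACCESS),
    FileTimes("kernel32.dll", _T_WRITE, _T_WRITE, datetime(2009, 9, 2, 11, 26, 9, tzinfo=_utc)),
    FileTimes("notepad.exe", datetime(2009, 2, 9, 12, 11, 3, tzinfo=_utc),
              datetime(2009, 2, 9, 12, 11, 3, tzinfo=_utc), _T_ACCESS),
]


if __name__ == "__main__":
    for line in (LS_MTIME_LINE, LS_ATIME_LINE):
        name, dt = parse_ls_full_time(line)
        print(f"{name}: {dt.isoformat()} (offset {utc_offset_hours(dt):+.0f}h) -> {to_utc_iso(dt)}")
    print("files whose three timestamps equal ntdll.dll's:", find_timestamp_clones(SAMPLE_FILES))
```

Run with a tolerance of a second or two if the collection method rounds (FAT and some copy tools keep only two-second granularity); on the constructed set that also pulls in `kernel32.dll`, which shows why the hit list is a starting point for inspection rather than a verdict.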
