In-Reply-To: <3BD7A7D1at_private>

A couple of points may be in order, particularly how you're going about this analysis. Did you make a bit-image copy of the drive, or are you sitting at the console of the live system? I'm not asking this to tell you that you're wrong for doing it one way or another, but rather to get a better idea of what you have access to.

> The scripts have a non-destructive payload and
> just add some XXX links to the favorites in IE.

I'd think that these are definitely a dead end w/ respect to the NetBus installation.

The suggestion to check email files is a good one. Look for any .exe files in the email attachments. It's quite simple these days to bind a trojan to some other file. Be sure to look in the Recycle Bin, as the user may have deleted the .exe file.

What shares does the system have available? What do the contents of the autoexec.bat, win.ini, system.ini look like? If you remember Lance Spitzner's "Worms at War" paper, one method used by the attacker was to copy the executable over to the drive, and then update the win.ini file to execute it the next time the system was booted.

Rather than last modification time of the file, perhaps creation time would be of more interest to you. You could correspond this w/ the LastWrite time of any Registry keys created/modified by the installation of NetBus. From there, I'd definitely look for other files on the system that had been created shortly thereafter. Also, check the Temp dir for .exes.

As far as nailing down exactly how the Trojan got on the system, have you considered interviewing the user? If it's possible, an interview might speed up your analysis a bit. I'd suggest not mentioning the rather obvious XXX web surfing the user has done, unless it becomes necessary to 'turn up the heat' a bit.
Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
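The two checks Carv suggests above (what win.ini's load=/run= lines point at, and which files were created shortly after the trojan's executable) can be scripted once the timeline has been exported from the image. The following is an added example, not code from the original post; the win.ini contents, file paths and timestamps are constructed sample data.

```python
"""Correlate win.ini startup entries with a file-creation timeline.
Added example; all sample data below is constructed, not from a real case."""
import configparser
from datetime import datetime, timedelta

# Constructed win.ini: the [windows] section's run= line names a file in TEMP.
SAMPLE_WIN_INI = """
[windows]
load=
run=C:\\WINDOWS\\TEMP\\patch.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed creation-time timeline as exported from a disk image:
# (path, creation time). The first entry stands in for the NetBus executable.
SAMPLE_TIMELINE = [
    ("C:\\WINDOWS\\TEMP\\patch.exe", datetime(2001, 10, 24, 21, 3, 12)),
    ("C:\\WINDOWS\\TEMP\\keyhook.dll", datetime(2001, 10, 24, 21, 3, 40)),
    ("C:\\WINDOWS\\win.ini", datetime(1999, 5, 1, 9, 0, 0)),
    ("C:\\My Documents\\report.doc", datetime(2001, 10, 25, 8, 15, 0)),
]


def startup_entries(win_ini_text):
    """Return every program named by load= or run= in the [windows] section.
    Only '=' is treated as a delimiter so drive letters like C: survive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(win_ini_text)
    found = []
    if cp.has_section("windows"):
        for key in ("load", "run"):
            value = cp.get("windows", key, fallback="").strip()
            # win.ini allows several entries separated by spaces or commas.
            found.extend(value.replace(",", " ").split())
    return found


def created_shortly_after(timeline, anchor_path, window_minutes=30):
    """Paths whose creation time falls within `window_minutes` after the
    creation time of `anchor_path`, oldest first; the anchor itself is excluded."""
    anchor_time = dict(timeline)[anchor_path]
    limit = anchor_time + timedelta(minutes=window_minutes)
    hits = [(t, p) for p, t in timeline if anchor_time < t <= limit]
    return [p for _, p in sorted(hits)]


def suspicious_startup(win_ini_text, timeline, window_minutes=30):
    """For each startup entry present in the timeline, list the files created
    shortly after it. This is the 'look for files created thereafter' step."""
    known = {p for p, _ in timeline}
    return {e: created_shortly_after(timeline, e, window_minutes)
            for e in startup_entries(win_ini_text) if e in known}
```

On a real case the timeline would come from a tool that exports NTFS/FAT creation times from the bit-image copy, and the window can be widened if the installer ran for longer.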
This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 05:52:57 PST