
Need to do some detective work


Tripredacus


I've been researching an XP Pro machine that is infected with Conficker, and the task is to determine how or when it got infected. I have access to the suspect DLL, which was tough. Conficker not only makes itself a hidden system file, but it also changes the permissions on itself so you can't unhide it. Fortunately, it doesn't actively check to make sure its permissions are still the same, so once you change them you have full access forever.

What I had done was use CACLS to give the Administrator account Full Control permissions on the file. This then let me change its attributes so it wouldn't be hidden and could be copied, opened, etc. This file is devious in the fact that it changes its original file attributes (the date/times) to reflect those values in kernel32.dll, which makes it impossible to determine the original date it appeared on the system.

I did some other checks, such as looking in the registry, but was unable to find anything in particular there. I examined the PE headers and related information and was not able to find anything important. Also, because the PE headers are modified, you do not have the ability to open the DLL in ResHack, and it has no resource file entries.

At this point I cannot determine much about the system. I was thinking about looking up other information, but not sure how to go about doing it. Here are some random thoughts, tell me what your ideas might be:

1. Indexing was turned on, and the DLL is also indexed. Is there a way to look at the file index to get the date/time it was first indexed?

2. If this virus was spread via a USB drive, it should have a record of which drives were connected to the machine in the registry. Where does it register installed USB devices there?

Any other ideas you might have may be good also.

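The first post's observation that the DLL had kernel32.dll's timestamps copied onto it suggests a check worth running before giving up on dates: walk the tree and list every other file whose last-write time matches kernel32.dll to the nanosecond. A legitimately installed system has very few such exact matches, so anything that turns up is a candidate for the same timestamp-copying behaviour. This is an added example, not the poster's code; it builds a constructed tree in a temp directory (the names kernel32.dll, suspect.dll and innocent.dll are placeholders, not real system files) and the "copy" is done with os.utime, standing in for SetFileTime:

```python
import os
import stat
import tempfile
from pathlib import Path


def find_timestamp_clones(root, reference):
    """Return (clones, unreadable): files under `root` whose last-write time
    matches `reference` to the nanosecond, plus entries os.stat could not read.
    Only st_mtime_ns is compared: os.utime can set it (so the check can be
    reproduced here), whereas creation time cannot be set from Python and on
    POSIX st_ctime means inode change time, which is not comparable."""
    root = Path(root)
    ref = Path(reference).resolve()
    ref_mtime = os.stat(ref).st_mtime_ns
    clones, unreadable = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            try:
                st = os.stat(p, follow_symlinks=False)
            except OSError:          # the ACL problem from the post: record it, keep walking
                unreadable.append(rel)
                continue
            if not stat.S_ISREG(st.st_mode) or p.resolve() == ref:
                continue
            if st.st_mtime_ns == ref_mtime:
                clones.append(rel)
    return sorted(clones), sorted(unreadable)


def demo():
    """Constructed tree (placeholder names, not real system files): kernel32.dll
    gets an arbitrary fixed timestamp, suspect.dll has that timestamp copied onto
    it the way the post describes, innocent.dll is left alone. Returns the clones."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        kernel32 = sys32 / "kernel32.dll"
        for n in ("kernel32.dll", "suspect.dll", "innocent.dll"):
            (sys32 / n).write_bytes(b"dummy " + n.encode())
        fixed = 1208170800 * 10**9          # 2008-04-14 11:00:00 UTC, arbitrary
        os.utime(kernel32, ns=(fixed, fixed))
        st = kernel32.stat()                # copy the times, as the DLL did with SetFileTime
        os.utime(sys32 / "suspect.dll", ns=(st.st_atime_ns, st.st_mtime_ns))
        clones, _ = find_timestamp_clones(tmp, kernel32)
    return clones


if __name__ == "__main__":
    print(demo())
```

One caveat for the real machine rather than this toy: SetFileTime only rewrites the timestamps in the MFT's $STANDARD_INFORMATION attribute; the second copy NTFS keeps in $FILE_NAME is normally left alone, so a disagreement between the two for the suspect DLL is the stronger evidence, and reading $FILE_NAME needs an MFT parser, which this example does not include.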


These are very tough to nail down. I have not yet seen a box with Conficker, but I can tell you what I might do. To perform this it would be helpful to have both the system and the same flash drive that transmitted it. It also really helps to keep a collection of hard drives sitting around and stick one in, clone the original and play with the copy.

* First I would simulate Conficker on the flash drive by creating the Autorun.inf and \Recycler. Or if I wanted to be exact in my testing, I would load the flash drive with the real virus files, which should be easily found now at the multitude of links discussing this outbreak. Remove the flash drive. Try to get the PC as it likely was at the time of infection: antivirus on if it was running, same services, same startup items, etc.

* Get a full file list of the hard drive. Get a full list of ADS on the hard drive. Export the entire Registry.

* Insert the flash drive. Initiate the autorun if the system does not do it automatically. Safely remove the hardware.

* Get a full file list of the hard drive. Get a full list of ADS on the hard drive. Export the entire Registry.

* Windiff before/after each of the three sets of snapshots.

You will now have clues to every file that is altered under such an action. The directory list within folders will be mostly consecutive. Files normally appear in the order they arrived in a folder. Of course any defrag or the use of any sorting switches with DIR will disturb this. Such clues will hopefully allow you to pinpoint a common file date/time (on the 'before' snapshot naturally) that specifies the problem. This date/time can now be used in the Event Viewer and will help search for other files that may be related (e.g., the user was looking at this webpage just before, and was playing solitaire right after, ... etc). Once you get the hang of it, it will make sense.

You will also have a few dozen registry changes including antivirus activity, USB insertion/removal keys, Windows Events, and Shell housekeeping (including MUI/Roaming/MRU items). These are all useful because now you would be able to search above these new 'markers' for previous entries (which are normally consecutive, and stay in order unless manually deleted). Once you get the hang of it, it will make sense.

As mentioned, there is of course the Event Viewer which might offer insight to the Disk Indexings that have taken place and perhaps Security Audits that look abnormal. IMHO, the Event Viewer, while a fabulous idea in theory, rarely lives up to expectations.

Regarding permissions, these forensics would be very simple if there was a log entry EVERY TIME that an ACL was altered (be it McAfee, Norton, or Conficker)! This has been a pet peeve of mine since Windows NT, when NTFS and ACLs were touted as the 'end all' of system security. Yeah right! They have proven to be a PITA not to the bad guys, but only to the real owner of the computer.

P.S. I know you have seen the links since you are the OP there, but for others who haven't, read this thread.

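The before/after procedure in the reply above (file list, registry export, Windiff) is easy to script, and scripting it also answers the first post's question about where USB drives are recorded: once the flash drive has been inserted, the registry diff shows a new key under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR whose path carries the vendor/product strings and the drive's serial number. The following is an added example, not code from either poster: it uses Python as a portable stand-in for DIR, regedit's export and Windiff, hashes each file so a replaced file with its timestamp put back still shows as changed, and parses the .reg text format. The two .reg exports and the file tree are constructed samples (the vendor, serial and file names are placeholders), not captures from a real machine.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# --- "Get a full file list of the hard drive": snapshot a tree, diff two snapshots ---

def snapshot_tree(root):
    """Map relative path -> (size, mtime_ns, sha256). The hash is what catches a
    file replaced and then given its old timestamp back, the trick in the first post."""
    root, snap = Path(root), {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = p.stat()
                entry = (st.st_size, st.st_mtime_ns, hashlib.sha256(p.read_bytes()).hexdigest())
            except OSError:                      # ACL-locked entry: keep it visible in the diff
                entry = ("unreadable", None, None)
            snap[p.relative_to(root).as_posix()] = entry
    return snap

def diff_snapshots(before, after):
    """Return (added, removed, changed) lists of relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, changed

# --- "Export the entire Registry": parse two .reg exports, diff them, list USBSTOR ---

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def parse_reg_export(text):
    """regedit .reg text -> {key_path: {value_name: raw_data}}; hex data that
    regedit wraps with a trailing backslash is re-joined first."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _KEY.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys

def diff_reg(before, after):
    """Keys only present in 'after', plus values new or different under shared keys."""
    new_keys = sorted(set(after) - set(before))
    changed = {}
    for k in sorted(set(before) & set(after)):
        names = sorted(n for n, v in after[k].items() if before[k].get(n) != v)
        if names:
            changed[k] = names
    return new_keys, changed

_USBSTOR = re.compile(r"\\Enum\\USBSTOR\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)

def usbstor_devices(keys):
    """(device id, instance id) pairs under HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR:
    the device id carries vendor/product strings, the instance id the drive's serial."""
    return sorted(m.groups() for k in keys for m in [_USBSTOR.search(k)] if m)

# Constructed sample exports (placeholder vendor/serial): a flash drive appears between them.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]
"\DosDevices\C:"=hex:31,32,33
"""
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\AA04012700007E&0]
"FriendlyName"="Generic Flash Disk USB Device"
"ParentIdPrefix"="7&1a2b3c4d&0"

[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]
"\DosDevices\C:"=hex:31,32,33
"\DosDevices\E:"=hex:5c,00,3f,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,47,\
  00,45,00
"""

def demo_registry():
    before, after = parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG)
    new_keys, changed = diff_reg(before, after)
    return new_keys, changed, usbstor_devices(after)

def demo_tree():
    """Constructed tree: one file dropped, one replaced with its mtime copied back."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = Path(root) / "system32"
        sys32.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"original kernel32")
        (sys32 / "shell32.dll").write_bytes(b"original shell32")
        before = snapshot_tree(root)
        st = (sys32 / "shell32.dll").stat()
        (sys32 / "shell32.dll").write_bytes(b"replaced shell32")   # same size as before
        os.utime(sys32 / "shell32.dll", ns=(st.st_atime_ns, st.st_mtime_ns))
        (sys32 / "suspect.dll").write_bytes(b"dropped by autorun")
        after = snapshot_tree(root)
    return diff_snapshots(before, after)
```

On a real XP box the registry half works on the output of `reg export HKLM before.reg` / `reg export HKLM after.reg`; the tree half is the slow step, since it hashes everything, and it skips nothing silently: a file the walk cannot read because of its ACL is recorded as "unreadable" so that it still appears in the diff. Note that the diff only tells you which USBSTOR entry is new relative to the earlier export; for a drive that was inserted before any snapshot existed, the key's presence alone gives no date, and the reply's point about ordering within the hive is what you would fall back on.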

This seems like too much work to do for one system. Unfortunately, we do not have a snapshot of this machine prior to delivery to the field. This one didn't use an image like we normally do, it was done with a DSP copy (think Windows OEM copy with CD key) instead of our normal OA copies. A checkdisk and defrag were run on the machine, as well as creating new user accounts, adding to a domain and also it had been sysprepped so the Event Viewer has had some entries removed (among other things).

I agree about the Event Viewer. I am quite happy with how it is in Vista and 2008, being a bit on the heavy side but I never think you can have too much information.

At this point, I am fine with just formatting it and starting over. We already ran full scans on all of our production systems and servers and found no trace of the virus so we can safely presume it didn't come from us.

I had once read about this type of thing in the past, with Windows NT. There was a feature, similar to indexing, that would log file changes so that you could roll-back to older files if necessary. The only problem with that was you had to turn it on!


Cool. I'll keep that in mind for the future.

I've also found a way to search the Indexing Service. It's in Computer Management. I tried it on a machine in Audit mode so it didn't work. I'll have to remember to check on a sysprepped XP also.

