
Finding the Source of the infection.


14 replies to this topic

#1 NicholasIT

NicholasIT

  • Members
  • 7 posts

Posted 07 August 2013 - 03:32 PM

Hello,

I'm in need of a little help. I work at a local IT company in my home town. We are currently servicing a range of about 50-60 small businesses and just under 600 clients.

Recently one of our clients got hit with an infection that was promptly removed; it was using their emails to spam and causing some issues. Now, we use Vipre Anti-Virus on all our clients and it seems to not be doing the trick for some.

What is the best way to trace back an infection to see if it was an email attachment, a drive-by download or whatever it may be, so we can know where to begin concentrating our efforts?

Thanks,

Nick




#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 07 August 2013 - 04:29 PM

Do you know which machine was infected first?

If you don't know which machine, look into the logs of your e-mail server to see which machine sent out the first spam mails.

Then check the same logs to see which e-mails the user of this machine received, and the proxy logs to see which sites were visited.

If you don't find something, ask the user if removable media was connected to that machine prior to the infection.


Edited by Didier Stevens, 07 August 2013 - 04:29 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
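The log review described in the reply above, worked through as an added example (my own code, not the poster's or any BleepingComputer tool): find the first internal client that starts sending a burst of outbound mail, then list the attachment-bearing inbound mail that mailbox received shortly beforehand. The log format is a constructed, simplified one of my own, not real Postfix or Exchange output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-server log (my own simplified format, not Postfix or
# Exchange output): OUT = mail relayed from an internal client,
# IN = mail delivered to a mailbox. All events are on 2013-08-07.
MAIL_LOG = """\
2013-08-07T08:02:11 IN to=bob@corp.example from=news@vendor.example attachment=-
2013-08-07T08:15:40 IN to=bob@corp.example from=billing@unknown.example attachment=invoice.zip
2013-08-07T08:20:05 OUT client=192.168.1.23 from=bob@corp.example
2013-08-07T09:01:00 OUT client=192.168.1.40 from=alice@corp.example
2013-08-07T09:30:02 OUT client=192.168.1.23 from=bob@corp.example
2013-08-07T09:30:03 OUT client=192.168.1.23 from=bob@corp.example
2013-08-07T09:30:04 OUT client=192.168.1.23 from=bob@corp.example
2013-08-07T09:30:05 OUT client=192.168.1.23 from=bob@corp.example
2013-08-07T09:30:06 OUT client=192.168.1.23 from=bob@corp.example
2013-08-07T09:30:07 OUT client=192.168.1.23 from=bob@corp.example
"""

def parse(log):
    """One (timestamp, kind, fields) tuple per log line."""
    events = []
    for line in log.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events

def first_spam_burst(events, window=timedelta(minutes=5), threshold=5):
    """(start_time, client_ip, sender) of the earliest internal client that sends
    `threshold` or more messages inside any `window`: the likely patient zero."""
    per_client = defaultdict(list)
    for ts, kind, f in events:
        if kind == "OUT":
            per_client[f["client"]].append((ts, f["from"]))
    bursts = []
    for client, sends in per_client.items():
        sends.sort()
        for i, (start, sender) in enumerate(sends):
            in_window = [s for s in sends[i:] if s[0] - start <= window]
            if len(in_window) >= threshold:
                bursts.append((start, client, sender))
                break
    return min(bursts) if bursts else None

def suspect_inbound(events, burst, lookback=timedelta(hours=2)):
    """Inbound mail with an attachment delivered to the bursting mailbox shortly
    before the burst began: the candidates to pull for attachment analysis."""
    start, _, mailbox = burst
    return [(ts.isoformat(), f["from"], f["attachment"])
            for ts, kind, f in events
            if kind == "IN" and f["to"] == mailbox and f["attachment"] != "-"
            and start - lookback <= ts < start]
```

The same two passes apply to proxy logs: the burst start time bounds the window of web requests worth reviewing for that client.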


#3 NicholasIT

NicholasIT
  • Topic Starter

  • Members
  • 7 posts

Posted 07 August 2013 - 04:33 PM

I do know which computer was hit first.
Also, this is a new client who has yet to transfer their email server, so no access to the SMTP server, and GoDaddy (their mail host) is no help. Also, there is no, and has been no, removable media in the machines other than my company's.

#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 07 August 2013 - 04:41 PM

So you have no logs.

Then ask the user if you can see the mails that were opened that day, and look into the history and cache of the browser.




#5 MzLindyOne

MzLindyOne

  • Members
  • 83 posts
  • Gender:Female

Posted 07 August 2013 - 06:06 PM

"so we can know where to begin concentrating our efforts?"

There is nothing like education for prevention, Nick. I wouldn't concentrate on where it came from last time -- the next time will assuredly be different. There are just TOO many ways now. Unfortunately, people have to learn to be suspicious.

Try Simple and easy ways to keep your computer safe and secure on the Internet on 'em, for a start.

 

 

-Mz



#6 NicholasIT

NicholasIT
  • Topic Starter

  • Members
  • 7 posts

Posted 08 August 2013 - 10:22 AM

I think a little more background is needed.

Firstly, this is a business client's computer that got infected. They are contracted with us as a fully managed client, using LabTech software to do a lot of that management.

Now, the main reason I want to trace the infection back to the source is to implement the needed security measures past the basics.

In this situation I did, after a bit of work, find that this client had been victim to a drive-by download hosted on a Hollywood gossip website, using the latest version of Chrome and with Vipre anti-virus up to date. What that tells me is that something isn't working.
Again, for this client, content filters are the next step as it's a company with a government contract and infections can't happen, but I came to see the best method to trace the infection for this purpose.

#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 08 August 2013 - 01:14 PM

Maybe it's a Java exploit. I see them regularly in drive-by-downloads.




#8 NicholasIT

NicholasIT
  • Topic Starter

  • Members
  • 7 posts

Posted 08 August 2013 - 01:16 PM

I hate to be rude, but that has nothing to do with any question I've asked. I understand what happened. I'm asking "what are some methods of tracing an infection to the source." Not "please tell me what happened to one computer."

Again, I'm sorry; it's been a long day and no one here seems to read my full posts and answer the question at hand.

#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 08 August 2013 - 01:24 PM

I'm asking if it is a Java exploit, because then there are ways to trace it back, because Java drive-by-downloads leave traces on the machine.

And I DID read and answer your questions. Reviewing the e-mail and proxy logs is a proven way of tracing back an infection.

Don't take it out on me if you don't have these logs.


Edited by Didier Stevens, 08 August 2013 - 01:27 PM.



#10 NicholasIT

NicholasIT
  • Topic Starter

  • Members
  • 7 posts

Posted 08 August 2013 - 01:38 PM

I apologize, I understand where you're coming from.
I'm looking for something scriptable. OTL has been useful in seeing when the file was created, and from there a starting point. But I am looking for something I can deploy when a client gets hit, instead of having to do each PC by hand.

#11 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 08 August 2013 - 01:46 PM

OK, no problem.

"But I am looking for something I can deploy when a client gets hit. Instead of having to do each PC by hand"

Sorry, but now I fail to understand your question. What do you want this tool to achieve? Help you identify the source of the infection? Or clean up the infection once you have identified it? ...

Update: or is it something like OTL but scriptable?


Edited by Didier Stevens, 08 August 2013 - 01:48 PM.



#12 NicholasIT

NicholasIT
  • Topic Starter

  • Members
  • 7 posts

Posted 08 August 2013 - 01:49 PM

Identify. Removal is a non-issue, but as a company we're moving away from the break-fix model.

#13 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 08 August 2013 - 02:17 PM

So you can deploy programs + scripts on a remote computer (the infected machine), execute them and retrieve the reports?




#14 NicholasIT

NicholasIT
  • Topic Starter

  • Members
  • 7 posts

Posted 08 August 2013 - 02:20 PM

Yes, we use a remote management system called LabTech Control Center (labtechsoftware.com).

Of course I understand this only works on machines where the infection at hand does not kill network connections, as in the infection on the computer described in the first post.



#15 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • Gender:Male

Posted 08 August 2013 - 02:47 PM

OK, now I understand what you want.

Are you familiar with Mark Russinovich's tool ListDLLs?

I developed a similar tool: ListModules.

http://blog.didierstevens.com/programs/authenticode-tools/

ListModules takes a snapshot of all processes and then analyses all loaded modules (.exe, .dll, …).

It produces a CSV file with information on all modules like ListDLLs does, but with much more information, for example the MD5 hash.

I use my tool as a first response tool. I review the report it produces to identify unknown executables, and then decide if they are malicious or not, based on the extra information provided for each executable. If I'm not sure, I can use the MD5 hash to compare it with a baseline or search it in VirusTotal, for example.

If this is what you are looking for, I'll give you more details.


Edited by Didier Stevens, 08 August 2013 - 02:49 PM.

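The baseline comparison described in the reply above, as an added example of my own (not ListModules' code, and the CSV header names and module contents hashed here are assumptions, not the tool's real output): read a module-snapshot CSV, drop every module whose MD5 is already in the known-good baseline, and rank what is left by whether it is unsigned and whether it was loaded from a user-writable path. The remaining hashes are the ones to look up in VirusTotal or a hash database.

```python
import csv
import hashlib
import io

def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed baseline: MD5s of the same modules taken from a known-clean
# reference machine (in practice, a snapshot CSV saved before any incident).
BASELINE = {md5_of(b"explorer-6.1"), md5_of(b"ntdll-6.1"), md5_of(b"chrome-28")}

# Constructed snapshot in the spirit of a ListModules report. The header names
# and the module contents hashed here are assumptions, not the tool's real output.
SNAPSHOT_CSV = "\n".join([
    "process,pid,module,md5,signer",
    f"explorer.exe,1234,C:\\Windows\\explorer.exe,{md5_of(b'explorer-6.1')},Microsoft Windows",
    f"explorer.exe,1234,C:\\Windows\\System32\\ntdll.dll,{md5_of(b'ntdll-6.1')},Microsoft Windows",
    f"chrome.exe,2210,C:\\Program Files\\Google\\Chrome\\chrome.exe,{md5_of(b'chrome-28')},Google Inc",
    f"chrome.exe,2210,C:\\Users\\bob\\AppData\\Local\\Temp\\tmp4f.dll,{md5_of(b'dropper-A')},",
    f"svchost.exe,600,C:\\Windows\\System32\\ntdll.dll,{md5_of(b'ntdll-6.1')},Microsoft Windows",
    f"svchost.exe,600,C:\\Users\\bob\\AppData\\Roaming\\sysupd\\sysupd.exe,{md5_of(b'dropper-B')},",
])

# Path fragments a standard user can write to; a module loaded from one of
# these deserves a closer look than one under Windows or Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")

def triage(csv_text, baseline):
    """Modules whose MD5 is not in the baseline, most suspicious first.
    score: +1 if unsigned, +1 if loaded from a user-writable location."""
    unknown = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["md5"] in baseline:
            continue
        path = row["module"].lower()
        score = int(row["signer"] == "") + int(any(p in path for p in USER_WRITABLE))
        unknown.append({"process": row["process"], "pid": int(row["pid"]),
                        "module": row["module"], "md5": row["md5"], "score": score})
    return sorted(unknown, key=lambda r: (-r["score"], r["process"], r["module"]))

def hashes_to_check(rows):
    """Distinct MD5s from the triage list, to compare against a hash database."""
    return sorted({r["md5"] for r in rows})
```

When the snapshot comes from a real report, read the file with `open()` instead of the constructed string, and rebuild the baseline from a clean machine after every patch cycle so updated system modules are not flagged as unknown.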




