jrs_50
asked on
Passive/Active problem. Help requested. XP Pro connected via NITIX
In advance - I apologize for a) the length of the post and b) the fact that I will have only sporadic and minimal opportunity to follow-up on this post. I will, however, do what I can to facilitate any resolution and everyone's assistance IS appreciated.
Short version - I'm dealing with both a passive spy and an active hack. As you know windows does a lot in the background and it is difficult at best to separate the 'file'access of those actions from something more malicious. At the end of this is a partial list of \windows\system32 accesses as an example. Note that the accesses were while in 'Safe Mode' (which isn't!) and AFTER/WHILE I was viewing some gathered info using Notepad (where I've started the list). Note, for example, the tourstart.exe, spider.exe and so forth. Not me. Not ANYTHING that I was doing. The date/times are 'access'. The info is just to provide an 'example' in case someone might be able to view it and say 'oh yeah I know whats going on' and also to provide an 'example'.
Please don't respond with the 'standard' about run this scan or that. This is NOT a new 'problem'. I've been analyzing for several months and have run quite a few scans using various products both mainstream and other for spyware, trojans, rootkits, hijack, and so forth. The bottom line is, essentially, that my own legitimate 'system' is being used against me and none of the scans have found anything significant. I am also aware that I will need to wipe and fully reinstall. Before that, however, I'd like to acquire some better sense of how/what is/was done in order to prevent (as was the case following the previous wipe/reinstall) re-infection. :-(
The platform is Dell Inspiron 4150 TrueMobile, up-to-date (supposedly) XP Pro SP2, and quite a bit of development software, Visual Studio, Macromedia Studio, SQL 2k desktop, Mysql, Apache, etc, etc. I PULLED the dell mini-pci after determining that 'disabling' the wireless connection was not sufficient and that it was being used. It's a workstation connected to a ('bare' at this point) NITIX server which provides the DSL internet connection. I generally, now, have the XP plug to the server disconnected unless I need it. I use Norton, (supposedly) current, for FW/AV.
I have 2 SPECIFIC multi-point questions at this point of things:
1) In safemode, ethernet disconnected, mini-pci removed, no modem cable (It's a Conexant internal), telephony etc disabled, HOW could it possibly be a 'live' connection? There have been (although not this specific instance) indications of that. If NOT 'live' then what is the best tool/approach for isolating the 'process' that is doing the accessing? Someone/Something quite obviously IS.
2) My CD-RW has been turned into a CD-ROM (because I've been using it to offload some of the 'clues' I have discovered for subsequent analysis). Can't use my external USB CD-RW either. In fact; at THIS point any access to CD yields "D:\ is not accessible...illegal function". I can copy stuff to my server (when connected) BUT as the recent loss of a critical file indicated; the info is not safe there. Any ideas as to how to 'quickly' reenable CD burn capability??? Note that neither repair install, uninstall of drivers/device and reinstall of device, nor loading the burn software associated with my external drive (currently uninstalled) resolves the problem.
ANY help/clues appreciated. I hope I can 'paste' this because I'm vulnerable whenever I connect to the net. THANKS in advance.
John
Volume in drive C has no label.
Directory of c:\windows\system32
11/03/2006 02:33 PM 69,120 notepad.exe
11/03/2006 02:36 PM 159,744 scrobj.dll
11/03/2006 02:38 PM 25,065 wmpscheme.xml
11/03/2006 02:38 PM 20,992 wrlzma.dll
11/03/2006 02:38 PM 258,048 wmvds32.ax
11/03/2006 02:38 PM 75 View Channels.scf
11/03/2006 02:38 PM 187,904 main.cpl
11/03/2006 02:39 PM 438,272 shimgvw.dll
11/03/2006 02:39 PM 2,897 mpm.xml
11/03/2006 02:39 PM 86,016 mdmxsdk.dll
11/03/2006 02:39 PM 73,376 mciavi.drv
11/03/2006 02:39 PM 72,704 magnify.exe
11/03/2006 02:39 PM 742,400 ltann11N.dll
11/03/2006 02:39 PM 110,592 ltfil11n.DLL
11/03/2006 02:39 PM 13,312 lsass.exe
11/03/2006 02:39 PM 514,560 logonui.exe
11/03/2006 02:40 PM 607,232 ltocx11n.ocx
11/03/2006 02:40 PM 61,440 MFC71ITA.DLL
11/03/2006 02:41 PM 8,192 staxmem.dll
11/03/2006 02:42 PM 239,104 srrstr.dll
11/03/2006 02:42 PM 737,280 spr32d30.dll
11/03/2006 02:42 PM 31,232 sc.exe
11/03/2006 02:42 PM 397,824 regwizc.dll
11/03/2006 02:42 PM 143,360 rasmontr.dll
11/03/2006 02:42 PM 181,248 rasmans.dll
11/03/2006 02:42 PM 657,920 rasdlg.dll
11/03/2006 02:43 PM 35,840 rcimlby.exe
11/03/2006 02:43 PM 13,824 rdsaddin.exe
11/03/2006 02:43 PM 92,168 rdpdd.dll
11/03/2006 02:44 PM 16,896 winrnr.dll
11/03/2006 02:44 PM 1,309,184 wbdbase.deu
11/03/2006 02:44 PM 163,980 VPCNetS2.dll
11/03/2006 02:44 PM 123,392 umpnpmgr.dll
11/03/2006 02:44 PM 200,704 THREED32.OCX
11/03/2006 02:44 PM 610,304 sspipes.scr
11/03/2006 02:44 PM 17,920 nddeapi.dll
11/03/2006 02:46 PM 53,760 narrator.exe
11/03/2006 02:46 PM 506,368 msxml.dll
11/03/2006 02:46 PM 54,784 msvci70.dll
11/03/2006 02:47 PM 7,168 msr2cenu.dll
11/03/2006 02:47 PM 20,992 msg.exe
11/03/2006 02:47 PM 33,792 msgsvc.dll
11/03/2006 02:48 PM 51,712 wzcsapi.dll
11/03/2006 02:48 PM 6,144 svcpack.dll
11/03/2006 02:49 PM 59,392 streamhlp.dll
11/03/2006 02:49 PM 58,880 resutils.dll
11/03/2006 02:51 PM 50,688 mmcshext.dll
11/03/2006 02:51 PM 41,472 hhsetup.dll
11/03/2006 02:51 PM 413,696 msvcp60.dll
11/03/2006 02:51 PM 60,416 colbact.dll
11/03/2006 02:52 PM 4,096 mtxex.dll
11/03/2006 02:52 PM 66,560 mtxclu.dll
11/03/2006 02:53 PM <DIR> CatRoot
11/03/2006 02:53 PM <DIR> CatRoot2
11/03/2006 02:53 PM <DIR> Com
11/03/2006 02:53 PM <DIR> config
11/03/2006 02:53 PM <DIR> Dell
11/03/2006 02:53 PM <DIR> DirectX
11/03/2006 02:53 PM <DIR> dhcp
11/03/2006 02:53 PM <DIR> dllcache
11/03/2006 02:53 PM <DIR> drivers
11/03/2006 02:53 PM <DIR> export
11/03/2006 02:53 PM <DIR> ias
11/03/2006 02:53 PM <DIR> icsxml
11/03/2006 02:53 PM 53,760 cryptext.dll
11/03/2006 02:54 PM 90,624 trkwks.dll
11/03/2006 02:54 PM 12,288 tracert.exe
11/03/2006 02:54 PM 51 pscript.sep
11/03/2006 02:54 PM 96,768 psbase.dll
11/03/2006 02:56 PM 140,288 sfc_os.dll
11/03/2006 02:56 PM 18,432 secedit.exe
11/03/2006 02:56 PM 144,896 schannel.dll
11/03/2006 03:23 PM <DIR> inetsrv
11/03/2006 03:23 PM <DIR> IME
11/03/2006 03:23 PM <DIR> Logfiles
11/03/2006 03:23 PM <DIR> ..
11/03/2006 03:23 PM <DIR> .
11/03/2006 03:23 PM 39,936 rshx32.dll
11/03/2006 03:23 PM 56,832 authz.dll
11/03/2006 03:23 PM 114,688 aclui.dll
11/03/2006 03:23 PM 46,080 docprop.dll
11/03/2006 03:23 PM 48,128 docprop2.dll
11/03/2006 03:23 PM 44,032 twext.dll
11/03/2006 03:25 PM 1,179,648 d3d8.dll
11/03/2006 03:28 PM 2 desktop.ini
11/03/2006 03:28 PM 68,096 shgina.dll
11/03/2006 03:28 PM 2,370,296 wmvcore.dll
11/03/2006 03:28 PM 224,768 wmasf.dll
11/03/2006 03:28 PM 480,768 Audiodev.dll
11/03/2006 03:28 PM 291,840 winsrv.dll
11/03/2006 03:28 PM 397,824 rpcss.dll
11/03/2006 03:28 PM 640,000 dbghelp.dll
11/03/2006 03:28 PM 498,688 clbcatq.dll
11/03/2006 03:28 PM 792,064 comres.dll
11/03/2006 03:28 PM 658,944 wininet.dll
11/03/2006 03:28 PM 431,616 riched20.dll
11/03/2006 03:28 PM 617,472 comctl32.dll
11/03/2006 03:28 PM 28,672 verclsid.exe
11/03/2006 03:28 PM 8,453,632 shell32.dll
11/03/2006 03:37 PM 110,080 imm32.dll
11/03/2006 03:37 PM 20,634 debug.exe
11/03/2006 03:37 PM 347,136 tourstart.exe
11/03/2006 03:37 PM 538,624 spider.exe
11/03/2006 03:37 PM 407,552 mstsc.exe
11/03/2006 03:37 PM 126,976 mshearts.exe
11/03/2006 03:37 PM 146,432 winspool.drv
11/03/2006 03:37 PM 275,456 ulib.dll
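The listing above is `dir` output ordered by last-access time. On its own it cannot say which process touched a file: Explorer thumbnailing, the indexing service, prefetch, System Restore and an AV scan all update access times, so a cluster of .exe accesses is a lead, not proof. What it is good for is narrowing the time window, which can then be correlated with a file-activity monitor such as Filemon or Process Monitor. The script below is an added example, not code from anyone in this thread; it parses that listing format and reports the minutes in which several files were touched at once. The sample lines are copied from the post above, and the burst threshold of three files per minute is an arbitrary choice for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# A subset of the listing posted above, used here as sample input.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Directory of c:\\windows\\system32
11/03/2006 02:33 PM 69,120 notepad.exe
11/03/2006 02:38 PM 75 View Channels.scf
11/03/2006 02:39 PM 13,312 lsass.exe
11/03/2006 02:53 PM <DIR> CatRoot
11/03/2006 03:28 PM 8,453,632 shell32.dll
11/03/2006 03:37 PM 20,634 debug.exe
11/03/2006 03:37 PM 347,136 tourstart.exe
11/03/2006 03:37 PM 538,624 spider.exe
11/03/2006 03:37 PM 407,552 mstsc.exe
"""

# One `dir` line: date, time, size or <DIR>, then the name (which may contain spaces).
DIR_LINE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Turn `dir` output into (timestamp, size_or_None, name) tuples.
    Header lines ("Volume in drive ...", "Directory of ...") and blanks are skipped;
    directories get size None."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue
        date, time, size, name = m.groups()
        stamp = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M %p")
        size_bytes = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append((stamp, size_bytes, name))
    return entries


def bursts(entries, min_count=3):
    """Group file entries (directories excluded) by minute and return the minutes
    in which at least min_count files were touched, as (timestamp, [names]) in time order.
    `dir` only has minute resolution, so a "burst" is everything within one minute."""
    by_minute = defaultdict(list)
    for stamp, size, name in entries:
        if size is None:
            continue
        by_minute[stamp].append(name)
    return [(stamp, names) for stamp, names in sorted(by_minute.items())
            if len(names) >= min_count]


def executables(entries):
    """Names of .exe files in the listing, in listing order. An access time on an .exe
    usually means it was loaded, read by a scanner, or had its icon extracted; these are
    the entries worth lining up against a process monitor trace for the same minute."""
    return [name for _, size, name in entries
            if size is not None and name.lower().endswith(".exe")]


if __name__ == "__main__":
    found = parse_dir_listing(SAMPLE_LISTING)
    for stamp, names in bursts(found):
        print(stamp.strftime("%Y-%m-%d %H:%M"), len(names), "files:", ", ".join(names))
```

Run against a full `dir /ta /o:d` capture, the burst report gives the minutes to examine; the `executables` list is what to look for in the monitor's process column for those minutes.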
ASKER
Agree...SOME type of scan/use. However; not boot time and not a virus scan. I'm quite familiar with TM and ProcessExplorer, filemon, and so forth but have been unable to isolate beyond some relationship to svchost -netsvcs, ctfmon, ntdll, explorer, msmsgs, rstrui, print spooler, machine debug manager/vs7debug, homesite/frontpage/coldfusion/Jasc paintshop, and a few others. It varies a bit depending upon what I've enabled/disabled. Basically; SOMETHING IS scanning/mining for applicable components for the purpose of rebuilding/repairing itself. It's that SOMETHING I'm attempting to isolate. I'm also attempting to isolate the SOMEONE who has a backdoor into my system and that backdoor.
Regarding 'live connection'. I agree that it seems quite unreasonable for the 'backdoor' to be in use when there is, so far as I am aware, no communication channel available (no ethernet or modem cable, mini-pci/wireless board pulled). Yet; there have been indications of that occurring. I'm basically asking if there is some channel, for example wireless even though I've pulled the mini-pci, that I'm overlooking somehow. As for disabling wireless, alone, providing protection; that's a fallacy (think "Tempest"-like process).
There is no 'recording' tab because the system thinks it's a DVD/CD-ROM device. Although as I indicated, at this point, it's not usable at all. See previous post.
Thanks for the feedback/response. It is appreciated. I'm still looking for answers.
Ok, you mention rstrui, can you try disabling system restore, is it possible it is attempted to create a restore point.
Why don't you run a netstat and post the result, that will show everything that is listening or has connections open.
TEMPEST is technology that reads your monitor by analysing its EM radiation, unless you suspect you are the subject of an NSA, CIA investigation I would generally assume that you are safe.
If a device is disabled in windows...it is disabled, it is not allocated resources and therefore will NOT function.
Can you try another CD-RW device.
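To make the netstat suggestion concrete: the script below is an added example, not something any poster in this thread wrote. It parses `netstat -ano` output (the XP form that includes the owning PID), groups sockets by PID so each can be looked up in Task Manager or Process Explorer, and flags two things a defender wants to see first: established connections whose peer is outside private/loopback space, and services listening on all interfaces (0.0.0.0). The sample output is constructed; the foreign address 240.44.18.242 is the one the asker mentions later in the thread, and it sits in the reserved 240.0.0.0/4 block, which no legitimate peer should occupy, so it is reported as "reserved" rather than merely "external".

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output in the XP layout. PIDs and ports are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:1045      240.44.18.242:80       ESTABLISHED     1560
  TCP    192.168.1.10:1046      192.168.1.1:139        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1100
"""


def split_endpoint(ep):
    """'host:port' -> (host, port); also handles '*:*' and '[::]:135'."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Parse `netstat -ano` lines into dicts. UDP rows have no State column, so the
    PID is taken from the last field rather than a fixed position."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP" and len(parts) == 5:
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[-1]
        conns.append({"proto": proto, "local": split_endpoint(local),
                      "foreign": split_endpoint(foreign), "state": state, "pid": int(pid)})
    return conns


def classify_remote(host):
    """Classify a peer address: local (unspecified/loopback/link-local), private (RFC 1918
    and similar), reserved (240.0.0.0/4 etc.), external, or unparsed. Reserved is checked
    before private because some Python versions fold 240/4 into is_private."""
    if host == "*":
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unparsed"
    if ip.is_unspecified or ip.is_loopback or ip.is_link_local:
        return "local"
    if ip.is_reserved:
        return "reserved"
    if ip.is_private:
        return "private"
    return "external"


def triage(conns):
    """Findings worth checking first, as tuples so they can be tested and sorted."""
    findings = []
    for c in conns:
        kind = classify_remote(c["foreign"][0])
        if c["state"] == "ESTABLISHED" and kind in ("external", "reserved"):
            findings.append(("remote-peer", kind, c["foreign"][0], c["pid"]))
        listening = c["state"] == "LISTENING" or c["proto"] == "UDP"
        if listening and c["local"][0] == "0.0.0.0":
            findings.append(("listener-all-interfaces", c["proto"], c["local"][1], c["pid"]))
    return findings


def connections_by_pid(conns):
    """PID -> [(proto, local port, state)] for cross-referencing with a process list."""
    by_pid = defaultdict(list)
    for c in conns:
        by_pid[c["pid"]].append((c["proto"], c["local"][1], c["state"]))
    return dict(by_pid)


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for finding in triage(parsed):
        print(*finding)
    for pid, socks in sorted(connections_by_pid(parsed).items()):
        print(pid, socks)
```

A caveat that matches the later discussion in this thread: netstat asks the same kernel that a rootkit may have hooked, so an empty netstat on a suspect box is evidence of nothing; the same sockets should be confirmed from the network side (a capture on the server or a hub between the two machines).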
ASKER
Disabled sys restore via system (its not doing me any good anyway as part of the 'problem' is that if I attempt a restore I lose admin access via the admin account) . It made no difference anyway and I've had to deal with 'restores' going on out of my control even with system restore disabled. I believe rstrui is being used for other than the basic "system restore". It has, since, been turned back on (not sure when/how). Similarly; indications of backup/restore.
The netstat no longer reports any activity although I know it is occurring (other tools if I get lucky). Interestingly; within past few weeks if I attempt to netdiag (while noting net activity in progress) the activity stops as soon as I TYPE the command and resumes after it completes. The 'passive' portion of the problem is somehow tied to msmsg, intuit printer, one or more graphics handlers, encryption, and conf.
I think you will find that you can find Tempest related tools if you search the net. Either way, there are symptoms or at least circumstantial indications. As regards investigation. Not that I'm aware of. The 'evidence' I've gathered with respect to my problem will be submitted to the feds anyway. I'm just doing a bit more on my own first.
If a device is disabled in windows... Yes, supposedly. Also safemode with no networking should have no networking. I have indications to the contrary.
As I posted earlier my external (usb) CD-RW manifests the same problems.
Anyway, thanks again. Must disconnect. Will try to check back again in case anyone has any ideas I might have overlooked.
Ok, first things first.
If we're dealing with a rootkited machine, there is absolutely NOTHING you can do with THAT very machine. It's the second rule of computer forensics. Let's suppose a very smart and motivated attacker just coded a little piece of code to allocate hardware resources even when you disable them, enable wireless even when you disable it (via software, obv) and so on. There would be absolutely no way to tell using that very system, that's something you learn doing linux rootkits. Yes, you could check syscalls addresses and such, but that would not be of any use.
First question: are you REALLY sure something is happening due to an attack? Can you test a similar system? Can you clone the system (Ghost 4 Linux) and reproduce this on another machine?
The idea: clone the machine (G4L will do) run it into VmWare (without any network connection) and test it. Even a rootkited machine will be helpless if you run it into a Virtual environment, so you can monitor and see what happens.
Second question: can you check the size of some core system files and see if there's something strange? (Note you'll have to do it from a Live cd or such, not from XP since it could just lie about filesizes).
Third: Check for Alternative Data Streams.
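The second question above (check core file sizes from a Live CD, because a compromised XP can lie about them) is, in practice, a baseline comparison: hash the binaries on the suspect disk from a clean boot environment and diff them against a known-good copy, such as a clean install at the same service-pack level. Size alone misses a same-size patch, which is why the hash is the primary comparison here and a size change is reported only as supporting detail. The script below is an added example, not code posted by anyone in the thread; it assumes the suspect drive is mounted read-only at some path under the live environment, and its demo uses constructed files in a temporary directory rather than real system32 contents. Alternate data streams (the third point) need NTFS-specific APIs and are not covered by it.

```python
import hashlib
import os
import tempfile

# File types worth tracking in a system32 baseline; other files are ignored.
TRACKED = (".exe", ".dll", ".sys", ".drv", ".ocx")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, exts=TRACKED):
    """Walk root (e.g. a read-only mount of the suspect disk, or a known-good install)
    and return {relative/path (lowercased, '/'-separated): (size, sha256)}."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/").lower()
            manifest[rel] = (os.path.getsize(path), sha256_of(path))
    return manifest


def compare_manifests(baseline, suspect):
    """Diff two manifests. 'modified' lists (path, size_changed); a False there is the
    interesting case, since a same-size change is invisible to a size-only check."""
    report = {"modified": [], "missing": [], "added": []}
    for rel, (size, digest) in sorted(baseline.items()):
        if rel not in suspect:
            report["missing"].append(rel)
            continue
        s_size, s_digest = suspect[rel]
        if s_digest != digest:
            report["modified"].append((rel, s_size != size))
    report["added"] = sorted(set(suspect) - set(baseline))
    return report


def demo():
    """Constructed example: two tiny trees standing in for a known-good install and the
    suspect disk. Contents are placeholder bytes, not real Windows binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good", "windows", "system32")
        bad = os.path.join(tmp, "suspect", "windows", "system32")
        os.makedirs(good)
        os.makedirs(bad)
        files = {
            "explorer.exe": (b"MZ-explorer-v1", b"MZ-explorer-v2"),  # same size, different bytes
            "lsass.exe": (b"MZ-lsass", b"MZ-lsass"),                  # unchanged
            "sc.exe": (b"MZ-sc", b"MZ-sc-patched"),                   # size and content differ
            "debug.exe": (b"MZ-debug", None),                         # gone from the suspect disk
            "readme.txt": (b"ignored", b"changed but not tracked"),   # not a tracked type
        }
        for name, (g, b) in files.items():
            with open(os.path.join(good, name), "wb") as f:
                f.write(g)
            if b is not None:
                with open(os.path.join(bad, name), "wb") as f:
                    f.write(b)
        with open(os.path.join(bad, "extra.dll"), "wb") as f:
            f.write(b"MZ-new")  # present only on the suspect disk
        return compare_manifests(build_manifest(os.path.join(tmp, "good")),
                                 build_manifest(os.path.join(tmp, "suspect")))


if __name__ == "__main__":
    for category, items in demo().items():
        print(category, items)
```

In real use, `build_manifest` would be run once on the reference install and its output saved, then run from the live environment on the mounted suspect volume; files that differ are candidates for offline comparison, and the "missing" and "added" lists catch the replaced-and-renamed cases a size check never sees.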
ASKER
Your points are valid, and known, and considered.
Yes; I'm CERTAIN I am (have been) dealing with an attack. Both Symantec and MS recommend notifying the feds and complete reinstall.
No; I can't clone (etc) at this point. I am looking forward to that when I can but not sure when that might be right now.
I'm aware of the 'difficulty' of analyzing on the system that has been "hijacked". You are both correct, and incorrect, regarding the "absolutely no way". I can't go into any details due to the limited time for internet access. There are conf.exe accesses going on as I type. Hopefully (minimal) they are not succeeding but I've been unable to determine that. As for their possibly successfully sending the keyboard input, screen images, and voice input, gathered while offline I can't be certain.
The size of core system files isn't helping. I'm 80% certain explorer (among others) is compromised but can't confirm. I also have 'indications' of core-resident modification but haven't had an opportunity to explore that fully; yet. Should not be able to access JIT debug from the net, but...
Yes; there have been (are?) alternative data streams. I've been working on that as well.
I left the system on yesterday after a reboot and did nothing until this AM. I'm working on trying to determine whether the accesses to the print spooler, and etc, an hour or so before logging in could have, somehow, been "legitimate" and also trying to determine why the firewall wanted access to the internet for spooler.exe to 240.44.18.242 yesterday morning. I thought I'd taken care of that and haven't seen it for more than 2 weeks.
Again; your points are valid and I appreciate the feedback. It's tough trying to deal with this without having anyone for a sounding board. I'm not inexperienced regarding computers/software but I'm also intelligent enough to know that I don't know everything. Feedback from EE may help stimulate the brain cells. Wouldn't be the first time I missed something 'simple' because it failed to come to mind.
Thanks.
ASKER CERTIFIED SOLUTION
ASKER
Well... Your comments didn't hurt anything. It is a tough nut to deal with.
Don't have the facilities to clone at the moment or the $.
You are correct regarding encryption.
Will be replacing the drive and saving it for later analysis along with the other drive and several ASR backups.
Oh well...
Thanks for the sanity check.
Thank you for the accepted ans, anyway you could go for a clone using G4l (freeware) and a dvd (cheap) :D
When you say "live connection" what do you mean? You categorically cannot have a live connection if you have disabled your external devices. To isolate the process, either use built in task manager with i/o read and i/o write columns switched on (in view, select columns) monitoring this should give you a good idea of what is racking up disk activity. Alternatively Process Explorer will show exactly what file is open by what process, it can be downloaded from http://www.sysinternals.com/Utilities/ProcessExplorer.html
Lastly to convert a device detected as CD-ROM back to a CD-RW. In My Computer, right click the non functional device, and choose properties, then open the recording tab, and choose "Enable CD Recording on this Drive"