Re: 1,800 files missing from system32

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 10/14/04

  • Next message: Joe Blatz: "Re: 1,800 files missing from system32"
    Date: Thu, 14 Oct 2004 12:29:15 -0700 (PDT)
    To: incidents@securityfocus.com
    
    

    > Ah, the much anticipated Carvdog reply on the
    > incidents list. I was afraid I'd get one. ;-)

    Well, if that's the case, you should have specified
    that you didn't want to hear from me.

    BTW...that's Carvdawg to you... ;-)
      
    > To the best of my knowledge WFP cannot be disabled
    > post SP2.

    [snip]

    > Based on that, I believe WFP to be functional.

    I would say that based on the messages you were seeing
    in the Event Log, that's enough to show that WFP
    is/was still working. But your understanding is
    correct, as well...except that there is reportedly
    another way to disable WFP by modifying the applicable
    (based on os version) DLL files w/ a hex editor. I've
    referenced this method in my book.

    > If the
    > information above is not true please let me know.
    > Being able to dynamically enable and disable WFP
    > would prove very useful to our developers.

    Yes, you're correct with regards to the information
    you listed...install a debugger, modify the Registry
    entry appropriately, etc.

    > I failed to mention that these events have occurred
    > over about 5 months. I think the odds of Symantec
    > missing a bug that does this kind of damage, but has
    > been around for that long, are low. I think current
    > AV
    > sigs (with file system real time protection) should
    > prevent the system from getting infected and the AV
    > engine from being disabled. I'm not going to bet a
    > month's salary on that, though. Unfortunately the
    > tech
    > on site did not re-scan the host. He attempted to
    > use
    > TrendMicro's HouseCall, but bandwidth was such that
    > he could not get it to work.
    >
    > I'm with you 100% on needing to get time to analyze
    > the systems. On the last one we were able to run
    > diagnostics for MS support and provided them with
    > about 20MB of captured data. They just scratched
    > their
    > heads and said it "looks virus like". I advocated
    > for
    > waiting before rebuilding this one, as it was our
    > best
    > chance to date to get a good analysis done, but that
    > was not approved. I'm trying to get the word out to
    > our techs that if they should run across one of
    > these
    > systems again that it should not get immediately
    > reloaded.
    >
    > Here is our auditing policy on the DCs
    >
    > Audit account logon events :: Success, Failure
    > Audit account management :: Success, Failure
    > Audit directory service access :: Failure
    > Audit logon events :: Success, Failure
    > Audit object access :: Failure
    > Audit policy change :: Success, Failure
    > Audit privilege use :: Failure
    > Audit process tracking :: No Auditing
    > Audit system events :: Success, Failure
    >
    > Except for not auditing directory service access,
    > non-DCs are the same. Do you think this would
    > normally
    > be an adequate policy? Are there any changes you
    > would recommend?

    Well, since in most cases, people/admins aren't
    running programs on the DC (ie, Solitaire, browsers,
    etc), you shouldn't have a problem in setting both
    success and failure auditing on process tracking. You
    may also want to increase the size of the logs, but
    the most important thing would be to regularly review
    the log entries...for that, using a syslog client such
    as NTSyslog to send the entries to a system running
    the Kiwi Syslog Server would be a great idea.

    > All files that WFP logged were exe, tlb, dll or ocx
    > files.

    ...could be a virus...but there's still nothing
    definitive.

    > We have seen problems with Sasser like activity on
    > these networks in the past, and at two locations we
    > applied the patch for MS04-011 and resolved those
    > issues. So, yes, it was a guess but it was also
    > based on past malware activity on these LANs.

    I've been looking around on a couple of AV sites, and
    as yet, haven't found anything that correlates the
    activity you mention to a version of a Sasser-like
    worm. That doesn't mean that it's not the case...just
    that I haven't seen anything like that yet.

    > They have no
    > inbound access allowed from the Internet, but they
    > are
    > large enough that an infected laptop can still make
    > its way onto the LAN and wreak havoc. It's happened
    > before, though incidents on these LAN are relatively
    > rare.

    Yeah, that's an avenue that we see all the time.

    > In the event we manage to get to one of these hosts
    > before it completely dies (when they are like this a
    > reboot kills them) what tools would you recommend we
    > run?

    Get tlist.exe from the Microsoft Debugger Tools (*NOT*
    the resource kit). Run this with the '-c' switch to
    get the command lines of all the processes running on
    the system. Look for anything unusual.

    Get network connection information using a clean
    version of netstat, and include openports.exe from
    DiamondCS (better than fport). If you have access to
    an admin account on the running system, use portqry
    v.2.0 from Microsoft. The combination of these tools
    will give you a pretty complete view of network
    connections and the processes associated with each
    connection. You might also use tcpvcon.exe from
    SysInternals.

    If you prefer a GUI approach, use Process Explorer and
    TCPView from SysInternals.

    In case that doesn't provide you with enough info
    (;-)) check the startup locations using AutoRuns from
    SysInternals, or the Silent Runner .vbs script (from
    silentrunners.org).

    You might also consider running anti-spyware tools,
    and keeping a log of their findings.

    Basically, what you're looking for are any unusual
    processes, network connections, etc., the may at least
    give you a clue as to what's happening.

    Hope that helps,

    =====
    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://groups.yahoo.com/group/windowsir/

    "Meddle not in the affairs of dragons, for
    you are crunchy, and good with ketchup."

    "The simplicity of this game amuses me.
    Bring me your finest meats and cheeses."
    ------------------------------------------


  • Next message: Joe Blatz: "Re: 1,800 files missing from system32"

    Relevant Pages

    • Re: Server missing from network
      ... Yes F&P is enabled and netbios is enabled on the WINS tab, for the local LAN ... Ethernet adapter Network Connection: ... Ethernet adapter Server Local Area Connection: ...
      (microsoft.public.windows.server.sbs)
    • Re: Error Disabling Connection
      ... when I try to disconnect the network connection, ... maybe disable the LAN port in BIOS and add a LAN ... SetLocal EnableDelayedExpansion ... echo Syntax: Device enable / disable ...
      (microsoft.public.windowsxp.general)
    • Re: Server missing from network
      ... Server Local Area Connection: ... Backup LAN: ... >> Windows IP Configuration ... >> Network Connection ...
      (microsoft.public.windows.server.sbs)
    • Re: Lock down Win2K Box on a LAN?
      ... Just unbind 'File and Printer Sharing' for the network connection. ... Microsoft MVP [Windows] ... "Geoff Glave" wrote: ... | I'd like to lock down a Windows 2000 Pro box on a LAN. ...
      (microsoft.public.win2000.security)