Netbios traces ?


psycko
Member
 

Netbios traces ?

Post Posted: Mar 25, 06 05:45

Hello,
What traces are left by a NetBIOS connection?
How do I find the traces left by the author of the hacking?
Is there a possibility to find the author?

Regards

Psy  
 
  

keydet89
Senior Member
 

Re: Netbios traces ?

Post Posted: Mar 25, 06 17:33

psycko,

It depends. What operating system are you using, or is on the victim system? Depending upon the o/s and the audit configuration, there may be something in the logs to help you...such as logon/logoff events.

For someone to log into a system, there must be a user account on that system. Therefore, if someone connected to the victim system using NetBIOS, then it's likely that they knew or figured out the account and password. If that's the case, it may be possible to find the "author", particularly if they left anything behind.

Otherwise, most Windows systems do not log by IP address...for example, in Windows 2000, logins are recorded based on the NetBIOS name of the remote system.

HTH,

Harlan  
 
  

psycko
Member
 

Re: Netbios traces ?

Post Posted: Mar 27, 06 02:25

Hello Harlan
In fact the systems used in the cases are Windows 2000 and XP!
Someone wrote a kind of virus and sent it to computers by using the NetBIOS connection (I believe). The author deleted all the event logs.
Is there a possibility to find the bad guy? :)

Regards

Psy  
 
  

keydet89
Senior Member
 

Re: Netbios traces ?

Post Posted: Mar 27, 06 17:16

psycko,

Interesting. Is there any reason you didn't mention any of that before?

It's more likely that what you're seeing isn't a virus, but a worm...which, in turn, would mean that the bad guy/author never actually connected to any of these systems himself. The worm may have cleared the Event Log.

What this means is that the systems involved have easily guessed passwords...if the worm did get in via NetBIOS/NetBEUI networking. In the case of the XP systems, did someone shut down the firewall, or were they in a corporate environment?

Is it possible to find the bad guy? Perhaps. Do you have a copy of the worm/virus? Did you scan it to see which one it is...which family and variant? Did you examine it to see if there are any unique identifying strings embedded in the code? Did you perform any sort of dynamic analysis to see if the worm connects to any other servers?

Harlan  
 
  

psycko
Member
 

Re: Netbios traces ?

Post Posted: Mar 27, 06 18:38

You are right Harlan, it's a kind of worm! ;)
This worm seems to have cleared the event log.
On the XP system I examined the firewall was curiously down (Norton) and on the other Win 2000 systems there was no firewall in action.

I scanned the worm but it is a home-made worm, so there is no signature in virus databases. No strings inside it either, just the IP addresses of the servers to attack for making a DDoS (hard-coded in the program).

Its spreading rate is very low and it concerns only an Internet Service Provider, so I thought of the NetBIOS fault, because it seems that the author sends it one by one.

I think it is going to be difficult to find the source! :D

Regards
Psy  
 
  

keydet89
Senior Member
 

Re: Netbios traces ?

Post Posted: Mar 27, 06 20:48

What program did you use to get the strings from the code? I ask, b/c sometimes the strings may be Unicode, and if you don't use a tool to find Unicode strings...

Also, did you use any other tools on the executable, such as PEiD or anything to parse the PE headers and do some header analysis?

What did you scan the worm with? Which A/V tool(s)? Just curious...

Finally, is there any chance that you could provide a copy of the worm? Put it in a password-protected zip file and make it accessible?

Harlan  
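
Harlan's point about Unicode strings and psycko's hard-coded target list, illustrated with an added example that is not part of the thread: it scans a binary for both narrow (ASCII) and wide (UTF-16LE) strings and picks out any embedded IPv4 addresses, so an address stored as a wide string is not missed by an ASCII-only pass. The sample bytes are constructed here and the addresses are RFC 5737 documentation placeholders.

```python
# Added example (not from the thread): extract narrow and wide strings from a
# binary and report embedded IPv4 addresses. SAMPLE is constructed data.
import ipaddress
import re
from typing import List, Tuple

Found = Tuple[int, str, str]  # (file offset, encoding, text)

def extract_strings(data: bytes, min_len: int = 4) -> List[Found]:
    """Return printable runs as both ASCII and UTF-16LE, sorted by offset."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # A wide string is printable ASCII bytes, each followed by a NUL byte.
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Found] = [(m.start(), "ascii", m.group().decode("ascii"))
                          for m in narrow.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in wide.finditer(data)]
    return sorted(found)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def find_ipv4(strings: List[Found]) -> List[Found]:
    """Keep only strings that contain a syntactically valid IPv4 address."""
    hits: List[Found] = []
    for offset, enc, text in strings:
        for cand in IPV4_RE.findall(text):
            try:
                ipaddress.IPv4Address(cand)  # rejects e.g. 999.1.1.1
            except ValueError:
                continue
            hits.append((offset, enc, cand))
    return hits

# Constructed stand-in for a worm binary: one narrow and one wide IP string.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12                        # fake DOS header, 16 bytes
    + b"Microsoft Visual C++ Runtime\x00\x00"         # narrow (ASCII) string
    + "192.0.2.10".encode("utf-16le") + b"\x00\x00"    # wide string; ASCII-only scan misses it
    + b"\x01\x02\x00\x00"
    + b"198.51.100.7\x00\x00"                           # narrow IP string
    + "\\\\SERVER\\share".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {enc:8} {text}")
    print("targets:", find_ipv4(extract_strings(SAMPLE)))
```

Run against a real sample, an ASCII-only strings pass would show only the 198.51.100.7 entry; the UTF-16LE pass is what surfaces the second address.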
 
  

psycko
Member
 

Re: Netbios traces ?

Post Posted: Mar 27, 06 21:33

I used Strings from Sysinternals.

I used PEiD and it is a Microsoft Visual C++ 6.0 program.

Norton and McAfee VirusScan were the A/V.

For a copy I think it is possible, perhaps you will see something I missed.
I'll send you the link by private message.

Thanks for your help

Psy  
 

Page 1 of 2