Infected with a virus that's stealing passwords


sid

New Member
Aug 11, 2006
18
0
#1
Okay, well here's my problem. I just received a hard drive that has been infected with a virus/trojan that has stolen passwords, and I need to check it all out and give a report.

So what I'm figuring to do so far is to mount the drive, then conduct several anti-virus scans on it. After that I should have at least the name of the virus/trojan... from there I am going to search online to see what other information I can find out about the virus specifically.

Then I guess I will bookmark all the files and such associated with the virus so I can put them in the report.

So any tips or anything that will guide me in the right direction will be much appreciated.

thank you all.
 

obi-wan

New Member
Sep 3, 2006
27
0
#2
Some hints

Hi,
That could be difficult.
Well, my first step is always to make a duplicate of the hard disk with dcfldd (the dd tool with built-in md5 checksum creator). After it, I make a copy of the dd image to work with.
I commonly use "Get Data Back from Runtime" to mount and analyze the DD image under Windows.
My first look is in the Windows/system32 folder and I check for new files that should not be there.
Note that sometimes no antivirus vendor knows of the trojan/virus, therefore a virus scan with different tools will get no result.

After I found some interesting stuff, I extract it to a recovered folder structure similar to the original (to find it back faster) and analyze it with a hex editor (UltraEdit) or a disassembler like IDA Pro.

Mostly I found what I am searching for. For suspected files your antivirus vendor will help to analyze and update the pattern.


Best regards
 

Prickaerts

Administrator
Jan 2, 2006
765
0
#3
Hi Sid,

Do NOT scan the drive under windows!

If you scan the drive the virus scanner will (at least) change access times and in the worst case remove the virus files. You're stuck with a list/log without being able to research/check those findings. Without access times you are left in the dark as to when the files were introduced onto the filesystem.

Make a forensic copy of the disk using DD or FTK Imager/EnCase. If you used DD you can mount that image under Linux and share it read-only using Samba. Then scan the drive via a network connection or use a local virus scanner.

Good luck.
 
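The two replies above describe the same triage: image the disk, mount the image read-only, then look in system32 for files that should not be there without letting a scanner touch the timestamps. The following added example (not code from any poster here) shows that file-level check in Python against a constructed sample tree; the known-good baseline dictionary and the sample file names and contents are assumptions, not real Windows files.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    # Hash in chunks so large DLLs need not fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def triage(system32, baseline):
    """Files in a read-only mounted system32 that are absent from, or differ from,
    a known-good baseline {filename: sha256}.  stat() runs BEFORE the file is
    opened so the recorded atime is the evidence's, not ours."""
    findings = []
    for p in sorted(Path(system32).iterdir()):
        if not p.is_file():
            continue
        st = p.stat()
        digest = sha256_file(p)
        if p.name not in baseline:
            status = "unknown-file"
        elif baseline[p.name] != digest:
            status = "modified"
        else:
            continue
        findings.append({"path": str(p), "status": status, "sha256": digest,
                         "mtime": iso(st.st_mtime), "atime": iso(st.st_atime)})
    return findings


def demo():
    # Constructed sample: one clean, one altered and one unexpected file, checked
    # against a baseline built from the clean contents (no real Windows files).
    good = {"kernel32.dll": b"clean kernel32", "ntdll.dll": b"clean ntdll"}
    baseline = {n: hashlib.sha256(d).hexdigest() for n, d in good.items()}
    root = Path(tempfile.mkdtemp()) / "Windows" / "system32"
    root.mkdir(parents=True)
    (root / "kernel32.dll").write_bytes(good["kernel32.dll"])
    (root / "ntdll.dll").write_bytes(b"patched ntdll")          # modified in place
    (root / "svchosts.exe").write_bytes(b"not a windows file")  # name not in baseline
    return triage(root, baseline)
```

On a real case, point `triage` at the mounted image (read-only, ideally with noatime) and build the baseline from a clean install of the same Windows build; the hashes in each finding go straight into the report.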

Prickaerts

Administrator
Jan 2, 2006
765
0
#5
Hi Sid,

EnCase has a module named PDE (Physical Disk Emulator). With that module you can mount an EnCase image as a disk (read-only) so you should be able to scan the disk locally (meaning faster).

PDE does cost extra though if you do not already have a license.
 
