6. Copy the user’s data.
7. Reimage the victim’s computer.
To prepare for gathering this information, we prepared 1G USB memory sticks loaded with a set of very useful tools, mostly from the Sysinternals suite at www.microsoft.com/technet/sysinternals/default.mspx. In our tool chest we included Process Explorer, TCPView, Autoruns, RootkitRevealer, and a small application called AntiHookExec (www.security.org.sg/code/antihookexec.html), which its author claims will let you execute an application in a way that is free from stealth application hooks; in other words, it lets you see applications that such hooks hide. Unfortunately, it works only with XP or newer operating systems. We also included a batch file (find.bat, described in Chapter 2), conveniently provided by the botherder and edited by us, that searched through the computer to locate where he had put his files. It seems that when you have thousands of computers to manage, you forget where you put things.
Next we chose a naming scheme for the folders that would be collected. This was an important step because the data was going to be collected by many people: some security staff, but mostly help desk support and business liaison IT staff. Our folder-naming convention consisted of the computer name (the NetBIOS name of the computer), the date (in yymmdd format), and the help desk ticket number. Log files and images we created were named in the format "Computer Name Date Description". So the security event log for a computer called Gotham that was gathered on December 27, 2006, would be called GOTHAM 061227 Security Event.evt. Within the main folder you also want to make a distinction, for example with separate subfolders, between files that actually existed on the computer and analysis files gathered about the computer (such as the files saved by Process Explorer).
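As an added example (not from the book, and not the script the team actually used), the naming convention and the original/analysis split above can be enforced with a small PowerShell collection script so that every collector produces the same layout. The parameter names, the drive letter, and the use of wevtutil and Get-FileHash are assumptions: they require Vista or later and an administrative prompt, whereas the team worked on XP, where the logs would be saved from Event Viewer instead.

```powershell
# Added example, not from the book: enforce the collection layout described above.
#   folder:  <NetBIOS name> <yymmdd> <ticket>             e.g. GOTHAM 061227 4711
#   files:   <NetBIOS name> <yymmdd> <description>.<ext>  e.g. GOTHAM 061227 Security Event.evtx
# Assumptions (none are in the text): run from the USB stick whose drive letter is
# passed as -Root, with the help desk ticket number as -Ticket, on Vista or later
# (wevtutil, Get-FileHash) from an elevated prompt (needed to export the Security log).
param(
    [Parameter(Mandatory = $true)][string]$Ticket,
    [string]$Root = 'E:\collect'
)

$name = $env:COMPUTERNAME.ToUpper()      # NetBIOS name of the computer
$date = Get-Date -Format 'yyMMdd'        # 27 Dec 2006 -> 061227

# Build a file name in the convention "<Computer Name> <Date> <Description>.<ext>"
function New-CollectionName {
    param([string]$Description, [string]$Extension)
    '{0} {1} {2}.{3}' -f $name, $date, $Description, $Extension
}

# One folder per machine; keep what was on the computer apart from what our tools produced
$case     = Join-Path $Root ('{0} {1} {2}' -f $name, $date, $Ticket)
$original = Join-Path $case 'original'   # files that actually existed on the host
$analysis = Join-Path $case 'analysis'   # output of Process Explorer, TCPView, Autoruns, ...
foreach ($dir in $original, $analysis) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# Event logs: the live log files are held open by the Event Log service, so
# export them through the API instead of copying the .evt/.evtx files.
foreach ($log in 'Security', 'System', 'Application') {
    $target = Join-Path $original (New-CollectionName "$log Event" 'evtx')
    wevtutil epl $log $target /ow:true
}

# Volatile state from built-in tools (the bot may lie to these; see the caveat in the text)
tasklist /svc | Out-File -FilePath (Join-Path $analysis (New-CollectionName 'Tasklist' 'txt'))
netstat -ano  | Out-File -FilePath (Join-Path $analysis (New-CollectionName 'Netstat' 'txt'))

# Manifest with hashes, so files gathered by many different people can be cross-checked later.
# Enumerate first so the manifest itself is not hashed while it is being written.
$files = Get-ChildItem -Path $case -Recurse -File
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $case (New-CollectionName 'Manifest' 'csv')) -NoTypeInformation
```

Output of the Sysinternals GUI tools (Process Explorer's saved listing, TCPView, Autoruns) goes into the analysis subfolder under the same New-CollectionName pattern; anything copied off the disk goes into original, so the two never get mixed even when a dozen help desk staff are collecting in parallel.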
Since we are not gathering the information as evidence, we can attempt to use the tools present on the computer, with the caveat that the bot may interfere with the reliability of what we see. If we have external confirmation that a computer is part of the botnet, yet we find nothing during this examination, we perform an external virus scan of the hard drive using another system. In our case, we do a PXE boot of the system on an isolated network using a clean computer that is used only for virus scanning. We only do this if