Virus virus everywhere
May 24, 2010 8:53 AM

I think our network has a virus, but virus scanners say no.

Hi all. I hope someone knows what could be causing this, or at least can point me in a direction that I can investigate further.

Starting about a month ago, I noticed that some custom .exe files on one of our servers (windows 2003) started having their modified dates changed. Where they had previously had dates that were days, months, or even years earlier, they suddenly started having their modified dates updated at random intervals, sometimes being modified with date/times in the middle of the night, sometimes in the middle of the day.

In most cases, the size of the files does not change. However, there were a couple of files that did increase in size by a few hundred K.

We have scanned the files with various different scanners (including everything at virustotal.com), but nothing shows up. While I am convinced there is a virus running around, the network guy says not.

Without a positive hit, what can I do to convince him otherwise? What other options do I have? What other explanations could there be?

Thanks!
posted by eas98 to Computers & Internet (19 answers total)
 
You say these are custom .exe files. They wouldn't by any chance be part of a package that has some kind of auto-updater?
posted by flabdablet at 8:58 AM on May 24, 2010


What is the goal of the attacker? If you sniff your IP traffic, and you have been infected, chances are you'll see unexpected traffic, such as 3 am blasts of spam-to-the-world. Most likely flabdablet is correct, and the .exes are being targeted for auto-update. I am assuming that the custom programs were written on contract? Was the contractor free to sell the programs to subsequent users?

If not, send it to a virus lab (email addresses here). They'll find out if it has a new kind of virus.
posted by TeatimeGrommit at 9:05 AM on May 24, 2010


Response by poster: The .exes are custom programs that I wrote and maintain. They are not being updated by anything.
posted by eas98 at 9:11 AM on May 24, 2010


If a virus were hiding inside of an NTFS alternate data stream (think of it like those old resource fork/data fork deals with Apple, long ago), in most cases, you would not see the file size change. Also, if you tried to move one of these files up to the web, say to virustotal.com, the NTFS alternate data stream would not go along with it, and so no virus would be seen. Alternate data streams can also be added to directories. Heh. That's one avenue to explore.

The other is to boot from a CD and use a virus scanner that way. F-Secure's Blacklight rootkit scanning download is also interesting.
posted by adipocere at 9:14 AM on May 24, 2010 [1 favorite]


Put the originals back, and add Deny Write, Deny Delete, Deny Change Attributes and Deny Change Permissions for Everyone NTFS permissions. Then crank up Sysinternals' ProcMon tool, have it filter on failed write attempts to those files, and you'll see who's doing it.
posted by flabdablet at 9:19 AM on May 24, 2010


Put the originals back, and add Deny Write, Deny Delete, Deny Change Attributes and Deny Change Permissions for Everyone NTFS permissions. Then crank up Sysinternals' ProcMon tool, have it filter on failed write attempts to those files, and you'll see who's doing it.

I'm pretty sure that something running as Local System Authority (and most rootkits do) would be able to bypass those settings.
posted by deadmessenger at 9:26 AM on May 24, 2010


Are the exe files actually changing, or just being touched? Keep a clean copy off the disk and run a binary diff next time the timestamps change.
posted by Dr Dracator at 9:39 AM on May 24, 2010


If you wrote the programs yourself, do you have an original known-good copy? If so, do an md5sum on your original .exe and the one with the newer date. If the md5sums match, they're not modified from the original (barring any NTFS alternate data stream chicanery like adipocere mentions above).
posted by zsazsa at 9:40 AM on May 24, 2010
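The baseline-and-compare check that Dr Dracator and zsazsa describe (keep a clean copy, hash it, diff it when the timestamps move), written out as an added example that is not part of the original thread. It records size, mtime and hashes for every .exe/.dll under a directory, stores them as a JSON manifest you keep off the suspect machine, and on a later run separates files that were merely touched (mtime changed, bytes identical, as the poster's first set turned out to be) from files whose content actually changed. The file names and the two sample files built in demo() are constructed for illustration; SHA-256 is recorded alongside MD5 so the manifest is not tied to the weaker hash.

```python
"""Baseline-and-compare integrity check for a directory of executables.

Records size, mtime and content hashes for each matching file, stores them as
JSON (keep that manifest off the suspect host), and on a later run separates
files that were only touched (mtime changed, bytes identical) from files whose
content really changed.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Hash a file in 1 MiB chunks so large binaries don't have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, patterns=("*.exe", "*.dll")):
    """Return {relative_path: {size, mtime, sha256, md5}} for matching files under root."""
    root = Path(root)
    baseline = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                st = p.stat()
                baseline[p.relative_to(root).as_posix()] = {
                    "size": st.st_size,
                    "mtime": st.st_mtime,
                    "sha256": hash_file(p, "sha256"),
                    "md5": hash_file(p, "md5"),  # only so older md5sum notes can be compared
                }
    return baseline


def compare(baseline, current):
    """Classify every baselined file as ok, touched, modified or missing; list new files."""
    report = {"ok": [], "touched": [], "modified": [], "missing": [], "new": []}
    for rel, old in sorted(baseline.items()):
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            report["modified"].append(rel)   # bytes differ: a real change
        elif new["mtime"] != old["mtime"]:
            report["touched"].append(rel)    # timestamp moved, bytes identical
        else:
            report["ok"].append(rel)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed scenario (not real data): one fake .exe touched, one appended to."""
    d = tempfile.mkdtemp()
    touched, modified = Path(d, "touched.exe"), Path(d, "modified.exe")
    touched.write_bytes(b"MZ" + b"\x90" * 100)
    modified.write_bytes(b"MZ" + b"\xcc" * 100)
    before = build_baseline(d)
    t = touched.stat().st_mtime
    os.utime(touched, (t + 3600, t + 3600))   # mtime bumped, content untouched
    with open(modified, "ab") as f:
        f.write(b"\x00" * 300)                 # "grew by a few hundred bytes"
    return compare(before, build_baseline(d))


if __name__ == "__main__":
    # usage: integrity.py baseline DIR manifest.json   |   integrity.py compare DIR manifest.json
    mode, root, manifest = sys.argv[1:4]
    if mode == "baseline":
        with open(manifest, "w") as out:
            json.dump(build_baseline(root), out, indent=1)
    else:
        with open(manifest) as inp:
            print(json.dumps(compare(json.load(inp), build_baseline(root)), indent=1))
```

A file that lands in "touched" is consistent with a backup job or scanner resetting timestamps; one in "modified" is the case worth taking to a binary diff and a sandbox. Run the compare from a trusted machine against a share, or from a clean boot, rather than from the possibly compromised host.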


Do you have reason to not trust your IT people?

On the NTFS ADS front, you can check for streams with the streams utility from MS.
posted by Cat Pie Hurts at 9:51 AM on May 24, 2010


Response by poster: Ok, md5 checksum is the same on the files that have modified dates but same size, but on the ones that have grown in size, the md5 is different, as expected.
posted by eas98 at 9:53 AM on May 24, 2010


Could a backup job, or other scanner-type utility, be changing the modified date of the file? If it's changing the status of the file (archived or not), that may count as a "modification."
posted by GJSchaller at 10:54 AM on May 24, 2010


Setting the archive bit wouldn't change the file's MD5 or size. Something fishy is going on. I would try picking up a different scanner (Microsoft Security Essentials is free) and having another go. It sounds like you are a developer so you might be qualified to disassemble the original and modified executables and then diff them. You might be dealing with an entirely new infection and so signature based scans won't spot the problem.
posted by chairface at 11:28 AM on May 24, 2010


Try submitting it to CWSandbox. CWSandbox is a fantastic tool for malware analysis. I use it all the time when something I am suspicious of doesn't trip any of the engines that virustotal scans with. As Chairface points out, new infections are far less likely to be detected by signature-based malware detection engines.

So, you should submit your file to CWSandbox. (yes, it's free) You'll get a report back on what the file did in their automated lab when it ran there. As the developer, you should be looking for stuff like "why did it touch that file?! why is it opening that network socket?". I think it would also help to submit a known-good, freshly compiled version, and do an eyeball comparison of the two CWSandbox reports.

Good luck!
posted by deadmessenger at 12:10 PM on May 24, 2010


Which virus scanner do you use? some are better than others.
posted by annsunny at 12:20 PM on May 24, 2010


I'm pretty sure that something running as Local System Authority (and most rootkits do) would be able to bypass those settings.

To do so invisibly, it would need to take ownership of the files for the SYSTEM user, then remove the permissions, then modify the files, then create a session for the original file owner, in which it took ownership of the files and then reapplied the original Deny permissions.

I've never seen a rootkit careful enough to do that at all, let alone do it preemptively. ProcMon would almost certainly show a process experiencing an ACCESS DENIED error before any such sequence occurred.

Also: if all you care about is finding out who is doing it, as opposed to attempting to stop them, it's probably sufficient to have ProcMon filtering on one of those files being opened with Write access.
posted by flabdablet at 7:14 PM on May 24, 2010


You could also try running something like VBinDiff against the original and modified .exe files. Hopefully this would show you exactly what's being added, and a debugger could show you what that does.
posted by flabdablet at 7:33 PM on May 24, 2010
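The diff of original against modified .exe that flabdablet (VBinDiff) and chairface (disassemble and diff) suggest, as an added example that is not part of the original thread. It reports the byte ranges that changed inside the original's length, anything appended past the end, and, by walking the PE section table, how much of the modified file lies beyond the last section's raw data (the overlay), which is where an appended payload would sit when the file "grew by a few hundred K" without the section layout changing. The build_sample_pe() helper constructs a PE-shaped but non-runnable byte string purely as test input; real analysis would read the two files named on the command line.

```python
"""Byte-level comparison of a known-good executable with a modified copy.

Reports the byte ranges that differ inside the original's length, anything
appended past it, and, when the file is a PE image, how much of the file lies
beyond the last section's raw data (the "overlay"), where appended payloads
typically land.
"""
import struct
import sys


def diff_ranges(good, bad):
    """Return [(offset, length)] for runs of differing bytes within the common length."""
    n = min(len(good), len(bad))
    ranges, start = [], None
    for i in range(n):
        if good[i] != bad[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    return ranges


def pe_end_of_sections(data):
    """File offset where the last section's raw data ends, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first 40-byte section header
    end = 0
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def analyze(good, bad):
    """Summarise how `bad` differs from `good` (both bytes objects)."""
    changed = diff_ranges(good, bad)
    appended = bad[len(good):]
    section_end = pe_end_of_sections(bad)
    return {
        "changed_ranges": changed,
        "changed_bytes": sum(length for _, length in changed),
        "appended_bytes": len(appended),
        "truncated_bytes": max(0, len(good) - len(bad)),
        "overlay_bytes": None if section_end is None else max(0, len(bad) - section_end),
        "appended_preview": bytes(appended[:16]).hex(),
    }


def build_sample_pe(code, raw_ptr=0x200):
    """Constructed test input: a PE-shaped byte string with one .text section. Not runnable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + optional + section).ljust(raw_ptr, b"\0") + code


if __name__ == "__main__":
    # usage: bindiff.py original.exe modified.exe
    with open(sys.argv[1], "rb") as g, open(sys.argv[2], "rb") as b:
        report = analyze(g.read(), b.read())
    for key, value in report.items():
        print(f"{key}: {value}")
```

A small changed range inside the original's length together with a large overlay is the classic shape of an appended payload with a patched entry point; the changed offsets are where to point a disassembler. An overlay on its own is not proof of anything, since installers and some signing tools legitimately place data there, so compare against the clean build rather than judging the modified file in isolation.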


Response by poster: Thanks for all the great replies everyone! I really appreciate the input, and now I have something to go on.
posted by eas98 at 6:35 AM on May 25, 2010


Hanging out to know what's going on, now!
posted by flabdablet at 4:59 PM on May 25, 2010


Hanging out to know what's going on, now!

Me too - I would LOVE to hear how this turns out.
posted by deadmessenger at 6:03 PM on May 25, 2010

