Malware that can change system time

Discussion in 'malware problems & news' started by aigle, Oct 9, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I read that there is some malware that can change system time. I would like to see a VirusTotal or Jotti's scanning result of such a virus. Anyone please?

    Thanks
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello aigle,

    This topic came up recently with some friends. So far, we've found that

    1) running as Limited User (Standard User in Vista), the user cannot change the system time. Vista also has an "Administrator Approval Mode":

    http://technet.microsoft.com/en-us/windowsvista/aa940967.aspx

    2) Deep Freeze restricts access to changing the system time. Here using Win2K in Administrative mode:


    [Screenshots: time_1.gif, time_2.gif]

    It would be interesting to try this malware you refer to, to see if it can bypass the above situations.

    We did agree, though, that if a user's system was compromised with such malware, she probably had more serious problems than just this!

    -rich
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Rmus! Agree with you.

    On XP when I run command C:\>time, I don't get system time. I am not at all familiar with command line. How can I run these commands?

    I am trying to get such a virus too, for testing.

    Thanks
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello aigle,

    I just tried the Time command from a command prompt on my Laptop with WinXP SP1 running as Administrator, and I am able to access/change the System Time.

    Are you running as a Limited User?

    -rich
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Running as Admin, I run cmd.exe from start, all programs, accessories
    then CD\
    C:\>time

    This is what I get. I must be wrong somewhere. I don't even know the ABC of command line.
     


    Last edited: Oct 10, 2007
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, aigle,

    At the Prompt: C:/>

    type: time

    You typed: C:/>time

    Hence, the error message

    -rich
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. I knew that I was making some dumb mistake. Tried it.
    EQS intercepted successfully.
    GW seems to have failed but I need to confirm it. I will send them mail about it.
     
    Last edited: Oct 10, 2007
  8. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks.
    I will see how I can find it..
     
  10. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    I have run into at least a dozen websites that downloaded malware and changed the system time which disabled Kaspersky :mad: I don't know the names though because they weren't detected.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can you PM me the links? Thanks
     
  12. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Changing time is useless. What you "need" to use is the DATE command.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I meant this, time/ date/ year anything.
    Tried again and same results, EQS passed. GW failed.
     


    Last edited: Oct 17, 2007
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Luckily I found a few samples of such viruses.

    I tried them against EQS and GW. EQS successfully intercepted it. GW failed.
     