PDA

View Full Version : Can malware change the date in"Properties"?



mark c
19-06-2004, 02:50 PM
Hi,

I've been sleuthing around on this comp ( a friend's, I'm the amateur helper) for malware and I was wondering if the dates under "properties" when checking out a file or .exe can be trusted?

If malware doesn't / can't change the date created/viewed or modified then that would be good indication of something's authenticity, wouldn't it?

TIA :D

Graham L
19-06-2004, 02:59 PM
All the date fields are just parts of the directory entry for a file. It's trivial to change them in DOS FAT file systems and probably "not at all difficult" in NTFS. You need root privileges to do it in *nix and other real operating systems.

You can't trust nuttin'.

mark c
19-06-2004, 03:08 PM
Thanks, Graham L, just as I thought/feared.

If I may follow with another Q. Wouldn't it be possible ( I did COBOL coding myself yonks ago) to infect a comp with a file or .exe or virus or whatever and have no visible trace of it? Just "no display" on everything?

Graham L
19-06-2004, 03:23 PM
"You can do anything with software".

You'd need a thorough knowledge of the OS. :D The simpler the OS the better. Again, DOS come to mind.:D

Adding a file means the directory has been written to, so the directory (which is basically a file itself) will usually have access date/modification date/ creation date ... entries to keep track of and fix.

An OS like *nix will have accounting/security logs which keep records of who is logged on, when, sometimes what they did ... naughty people try to grab those and get rid of the evidence. (Of course the crude way of just deleting the log files is a big fat clue that someone has been up to something. :D)

A secure computer is one in a locked room, with no network connection, turned off, and with floppy disk and CD slots glued shut.

mark c
19-06-2004, 03:51 PM
Great, thanks for that.

Now I know.

I'm not paranoid after all, I can relax now. It's all true! :^O