How can I determine when a rootkit was first installed..

kurt2121
Posts: 9
Joined: Sat Jul 09, 2016 2:46 pm

How can I determine when a rootkit was first installed..

Post by kurt2121 » Mon Sep 04, 2017 4:18 am

So my old HDD had an Alureon rootkit in the last sectors of the drive, and I was wondering how I can determine when it was created. Would there be a timestamp associated with it? Would looking at it with a hex editor yield any results?

EP_X0FF
Global Moderator
Posts: 4790
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: How can I determine when a rootkit was first installed..

Post by EP_X0FF » Tue Sep 05, 2017 9:30 am

Old, unused HDD -> no way. You can determine when it was compiled, however, if you manage to extract the TDL components from the drive. Also, old TDL versions may store the install date in the config file.
Ring0 - the source of inspiration
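One way to get the compile time the reply refers to, as an added example that is not from this thread or from any TDL-specific tooling: it assumes the carved components are Windows PE images (drivers/DLLs), reads the COFF TimeDateStamp the linker writes into the header, and scans a raw sector dump for embedded MZ/PE headers. The sector dump and PE stub below are constructed for the demo.

```python
import struct
from datetime import datetime, timezone

def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime,
    or None if the bytes do not start with a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # "PE\0\0" signature (4 bytes) followed by the 20-byte COFF file header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)

def carve_pe_timestamps(blob: bytes):
    """Scan a raw dump (e.g. the last sectors of a disk) for embedded PE
    images; return {offset_of_MZ_header: compile_time} for each hit."""
    results = {}
    start = 0
    while True:
        off = blob.find(b"MZ", start)
        if off == -1:
            break
        ts = pe_compile_time(blob[off:])
        if ts is not None:
            results[off] = ts
        start = off + 2
    return results

def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header (demo only,
    not a real TDL/Alureon component)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine=I386, 1 section, TimeDateStamp, no symbols, optional hdr size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    # Constructed sector dump: zero padding, one PE stub, trailing junk
    dump = b"\x00" * 512 + build_sample_pe(1262304000) + b"\xff" * 100
    for off, ts in carve_pe_timestamps(dump).items():
        print(f"PE at offset {off:#x}: linker timestamp {ts.isoformat()}")
```

The TimeDateStamp is set by the linker and can be edited after the fact, so it bounds when the component was built, not when it was installed, and should be corroborated against other evidence.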