Network Security Focus-Virus

Re: Shutdown from NT-AUTHORITY\... = virus/attack?

Subject: Re: Shutdown from NT-AUTHORITY\... = virus/attack?
Date: Wed, 15 Sep 2004 14:55:12 -0500
Sadly I think it is you who has overlooked the obvious.  The intent of my
post was not because I did not believe there was spyware on the machine.  I
am well aware of this machine's infection.  What I am concerned with is the
NT authority shutdown error I receive even though there is no known RPC
exploiting virus on the system and it is not attached to a network right now
to receive the exploit of any existing viruses on the network.

To my knowledge no spyware exploits this vulnerability, and no virus that
does is on, or is capable of getting on, this system right now.

With this in mind does anyone have any ideas as to the source of this
shutdown message and/or have experience with such a situation?   Hijackthis
logs will be available soon.

Regards,

Larry
Support Services
www.IVNET.com


----- Original Message ----- 
From: "James E. Bunting" <jimbunting@msn.com>
To: <lists@e-lsd.com>; <focus-virus@securityfocus.com>
Sent: Wednesday, September 15, 2004 1:59 PM
Subject: Re: Shutdown from NT-AUTHORITY\... = virus/attack?


Larry,

I think that you overlooked the obvious, specifically the lack of Spyware
protections (the Ad-Ware issue is certainly a viable clue in this case).

AdWare or Spyware isn't necessarily obtained via the Internet alone, as any
AdWare/Spyware infected platform that communicates even once with this XP
Laptop could be the source of infection.

Previously, I worked in a somewhat similar 'standalone' Windows XP Laptop
environment (I used 'always-on' Broadband in a SOHO environment, but I
routinely disconnected when finished with an Internet session/service due to
LAN/WAN connectivity elsewhere - basically I treated Broadband as a
high-speed Dial-up connection via a SOHO).

Even with technical Anti-Virus experience, I was totally amazed with the
growth ramifications of Spyware when I initially installed these services
several years ago. These Spyware services immediately identified more than
200+ Spyware instances, from various Spyware infections. And that was when
there were only a few thousand Spyware signatures.

Today I am protected from almost 30 thousand Spyware signatures as
identified by the Webroot Spysweeper application. Spyware is a serious
threat to the Internet experience, regardless of the rarity of an Internet
connection - Once infected your platform stays infected unless you take the
appropriate steps to disinfect the software.

Webroot provides a free 'Demo' of their Spysweeper application (with a
limited signature capability), and I sincerely suggest that you use this
opportunity to disinfect your standalone XP Laptop of potential
AdWare/Spyware signatures. Should this software resolve your problems, I
highly recommend that you consider upgrading your existing Anti-Virus
configuration to include Spyware protection, or obtain an additional Spyware
application.

In my honest personal opinion, Symantec and other Anti-virus services would
not have added additional Spyware services in the past year or so, if these
exploding Spyware infections were not negatively impacting their existing
Anti-Virus product lines.

In the recent past we have observed the creation and growth of 'Personal'
Firewall Services, 'Personal' Intrusion Detection Services (HIDS),
'Personal' Intrusion Prevention Services (HIPS), along with URL Screening
and AdWare/Spyware services (not to mention true enterprise level content
filtering). Thus it is no longer sufficient to rely upon an Anti-Virus
application as a sole method of prevention for an infected software
platform.

Regardless of your experience with software infections, there are many
categories of infection that are not revealed by Anti-Virus solutions.

Sincerely,

James E. Bunting

jimbunting@msn.com





From: "Larry Mitchell" <lists@e-lsd.com>
To: <focus-virus@securityfocus.com>
Subject: Re: Shutdown from NT-AUTHORITY\... = virus/attack?
Date: Wed, 15 Sep 2004 10:17:28 -0500

Greetings to All,

I have an interesting twist on this little story here that may interest some
of you. Details of the situation are as follows:

The box is a laptop running XP home with SP1.
The box is known to be infected with spyware.
The box is known to be free of viruses and other malware.
The box receives an NT authority shutdown with a 60 second timer not 30 from
the RPC service.

Seems normal right? Well here comes the twist.

The box is not on a network.
The box is not dialed in to the internet.
The box shows no signs of blaster or sasser.
The issue is reproducible by simply running Ad-Aware SE

Any ideas?

Larry
Support Services
www.IVNET.com

