Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Virus
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Virus or trojan help

from [Ansgar -59cobalt- Wiechers] Network Security [Permanent Link]
Subject: Re: Virus or trojan help
Date: Mon, 16 Oct 2006 01:08:01 +0200 
On 2006-10-13 genome wrote:

I am not entirely sure If its infected explorer.exe as the virus does
not run in safemode and while running explorer.exe.. I have been able
to extract files with winrar and the exe files are not deleted upon
extraction.. I have even been able to install Outpost firewall in
safemode and scan the system with spyware..


You installed a PERSONAL FIREWALL to scan for spyware? o_O


it detected some spyware including bagle and removed it then... when I
restarted the system in normal mode the virus keeps restarting the
system imidiately after the desktop is shown.. This is probably
because the virus cannot delete outpost.exe as it is already running
as a service before the virus loads... so virus simply restarted the
system so I would not be able to fix anything..
I booted again in safemode and disabled outpost.exe service and surely
windows booted ok in nomal mode but looking in outpost installation
directory the virus deleted outpost.exe...
also the standard windows firewall service will not automaticaly start
I had to start it manually all the time..
I could not see any rouge running process in taskmanager and Ive even 
installed WintaskPro and cannot find anything out of the ordinary.. Ive 
disabled all other non microsoft services and microsoft servises I can 
disable.. to no avail..


First of all you should take the machine off the net IMMEDIATELY. Your
system is compromised and a hazard not only to your network, but to any
host it may reach over networks it's connected to. Put it into a lab
that's not connected to other networks so you can analyze it. Usually
you'd image the harddisk before doing anything else, but it's probably a
bit late for that in your case.

Incomplete list of things you can try on the live system:

- Inspect the running processes with Process Explorer [1] (Task Manager
  will NOT suffice).
- Read the eventlog.
- Check the patchlevel.
- Run TCPView [2] (or maybe "netstat -ano" or "netstat -anb") to look
  what ports are opened by which process and which connections to which
  address are (seem to be) established.
- Run rootkit detection tools (e.g. RootkitRevealer [3], Rootkit Hook
  Analyzer [4], or BlackLight [5]).
- Inspect the autoruns with Autoruns [6] or Silent Runners [7].
- Run spyware detection tools (e.g. HijackThis! [8]).
- Tap the network wire and inspect the network traffic with a sniffer
  (e.g. Wireshark [9]).
- Run a port scan (e.g. nmap) against the compromised machine.

Incomplete list of things you can try on the shut-down system:

- Install the harddisk into another computer (as a slave) and run a
  virus scan from the other computer's operating system against the disk
  from the compromised system.
- Inspect Alternate Data Streams using the streams utility [10].
- Running strings [11] against infected files may give you information
  about what the malware does or where it communicates to.
- Analyze registry hives from the infected system (e.g. by loading them
  into regedit).


Its a shame...Evil people are getting smarter and smarter every day....


No offense, but to me the problem seems to be that you have no clue
whatsoever of what you're doing rather than the bad guys getting
smarter.

[...]

Unfortunately I cannot just format and reinstall without knowing what
has gone wrong as this virus probably have infected some in our
network and chances are it will just return again...


Unfortunately you don't seem experienced enough to do anything BUT
format and reinstall. Sorry.

However, if you really want to try the hard route you first need to
identify WHAT hit you, and then HOW it hit you, so you can mitigate the
attack vector. The suggestions I made above may help with this. I also
suggest you ask any further questions about this matter on the forensics
list [12], which is IMHO more appropriate in this case.

[1]  http://www.sysinternals.com/Utilities/ProcessExplorer.html
[2]  http://www.sysinternals.com/Utilities/TcpView.html
[3]  http://www.sysinternals.com/Utilities/RootkitRevealer.html
[4]  http://www.resplendence.com/hookanalyzer
[5]  http://www.f-secure.com/blacklight/
[6]  http://www.sysinternals.com/Utilities/Autoruns.html
[7]  http://www.silentrunners.org/
[8]  http://www.merijn.org/programs.php#hijackthis
[9]  http://www.wireshark.org/
[10] http://www.sysinternals.com/Utilities/Streams.html
[11] http://www.sysinternals.com/Utilities/Strings.html
[12] http://www.securityfocus.com/archive/104/description

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

----------------------------------------------------------------------------
ALERT: "How a Hacker Launches a SQL Injection Attack!" - White Paper
It's as simple as placing additional SQL commands into a Web Form input box 
giving hackers complete access to all your backend systems!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000CZWl
----------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: explorer.exe infected virus, Hector Munoz
Next by Date:  RE: Virus or trojan help, Miguel Valentin
Previous by Thread:  Re: Virus or trojan help, John Mason Jr
Next by Thread:  Re: Virus or trojan help, Genome
Indexes:  [Date] [Thread] [Top] [All Lists]