Darren Kirby wrote:
Hello all,
I am writing this on behalf of my Mom. She was complaining that her computer
was sluggish, and that her HD space was getting used up faster than it
should. So I went over and fired up my trusty Linux live cd and had a look.
Anyway, I found a directory right in C: named 'Downloads', and inside were
about 50 or so files, which were all warez, porn, windows exploits and
cracker 'howto's. Quite obviously this computer is owned, and is being used
as a warez server. I deleted the files, booted win, but they reappeared after
about 10 minutes. The strange thing is that these files are ALL 29k, and all
have filenames like:
Adobe Photoshop crack.exe
Smashing the Stack.txt.exe
Eminem - full album.mp3.exe
Office 2003 full.exe
...
On further inspection I found an identical directory at C:/windows/Downloaded
Program Files/. God only knows how many trojans and other nasties are
sprinkled around...
So I yanked the power cord out of her adsl modem, and told her not to plug it
back in unless she was checking her mail. Bad advice for sure, but try
telling your mom that her computer is rooted by punk kids and it is too
cracked to have safe internet access at all. Seems that a complete OS
reinstall is in order, but it seems to me that if they can own her box once
they can own it again just as easy, which leads me to this list...I would
like to try some investigating, and try to figure out where the backdoor is,
what exactly they are doing...and of course how to prevent it.
Some background on myself...I am a Linux sysadmin, and have a great deal of
experience with UNIX operating systems...however, I have never run a windows
box, and have only used one in the 'point-and-drool' sort of way. So I really
know nothing of how the underlying OS works (or doesn't...).
So I guess I am just asking for some opinions of the situation, and perhaps
some links to docs about this type of attack, and how to prevent it. Also,
any software along the lines of chkrootkit or other forensic tools, but for
windows would be a big help.
TIA
-d
Well, definitely a reinstall... And do have your Mom change all her
passwords afterwards, especially for her e-mail, any online banking or
anything like that. Also, if she has done any online shopping or
ordering keep a close eye on credit card bills for anything unusual and
get in touch immediately with said CC company's fraud division. Backup
the critical docs and e-mail, bookmarks, so the pain factor of all this
is as minimal as possible.
For an ad-hoc amateur forensic audit, try all the tools
www.sysinternals.com has for free. They have quite a selection to
monitor access to the registry, filesystem, network, and Windows
versions of things like strings to check out those binaries. Of course
doing forensics on a broken box from the box in question is not really
as fruitful but should still give some useful info. Another way of
course is to image the windows partition(s) off via network to a linux
box, mount them there and pick away at things, maybe even bring it up
under VMware and use Linux to watch the network. Do it first offline and
see what it trys to connect to, and then plug it in and see what
connects to it. Put together as much information as possible, especially
any IP addresses or identifying information that shows up, and send that
to the ISP's abuse/security folks, and let them know that you've
completely reinstalled the OS and patched it.
Consider making Norton AV, Ad-aware, and a good host firewall program
(Outpost, Zone Alarm, Norton Personal Firewall) part of the install as
well, and perhaps an upgrade from Windows 98 to XP, too. Patches and
turning off unneeded services and installing desired user apps/games
should complete the task. Switch her from IE to Firefox/Mozilla if not
already switched.
For the services, here is a good guide to turning stuff off:
http://www.blackviper.com/Articles/OS/OSguides.htm
HTH,
John
