R
Raffi
David said:
I'll run all the scans you suggested later today and post the results.
Raffi
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
I'll run all the scans you suggested later today and post the results.
Raffi
R
Raffi
Raffi said:I'll run all the scans you suggested later today and post the results.
Raffi
OK, I downloaded and ran all the software. While Ad-Aware was running I
get a warning from AntiVir that it had found a virus called
Run_it_xxx.exe. I deleted it. Other than that, they came up with a few
minor viruses on some files that have been on my PC for ever. I
quarantined them. I also made sure I have all the Windows security
updates, and I do except for a RAID driver. I also upgraded to IE 7
just to be sure. The problem still persists.
I installed a program called Prevx1 which seems to be a nice program.
It tells you when an application starts ends etc. Every time I
disconnect and reconnect the network connection, it tells me that a
program called MOBSYNC.EXE has started. I'm not sure if this is
related.
Also, the network connection seems to be active only at certain times
and inactive otherwise. When it's active it goes like crazy. I'm
suspicious that the PC is being used for DOS attacks or SPAM etc.
I'm still at a loss and any help will be appreciated. The only way I
can fight this is by unplugging the network connection.
Also, I recently configured reverse DNS lookup for my static IP address
through my ISP. Can this be related to the network activity?
Raffi
D
David H. Lipman
From: "Raffi" <[email protected]>
|
| OK, I downloaded and ran all the software. While Ad-Aware was running I
| get a warning from AntiVir that it had found a virus called
| Run_it_xxx.exe. I deleted it. Other than that, they came up with a few
| minor viruses on some files that have been on my PC for ever. I
| quarantined them. I also made sure I have all the Windows security
| updates, and I do except for a RAID driver. I also upgraded to IE 7
| just to be sure. The problem still persists.
|
| I installed a program called Prevx1 which seems to be a nice program.
| It tells you when an application starts ends etc. Every time I
| disconnect and reconnect the network connection, it tells me that a
| program called MOBSYNC.EXE has started. I'm not sure if this is
| related.
|
| Also, the network connection seems to be active only at certain times
| and inactive otherwise. When it's active it goes like crazy. I'm
| suspicious that the PC is being used for DOS attacks or SPAM etc.
|
| I'm still at a loss and any help will be appreciated. The only way I
| can fight this is by unplugging the network connection.
|
| Also, I recently configured reverse DNS lookup for my static IP address
| through my ISP. Can this be related to the network activity?
|
| Raffi
MOBSYNC.EXE is most likely legit and OK.
This may have to do with the RDNS service.
|
| OK, I downloaded and ran all the software. While Ad-Aware was running I
| get a warning from AntiVir that it had found a virus called
| Run_it_xxx.exe. I deleted it. Other than that, they came up with a few
| minor viruses on some files that have been on my PC for ever. I
| quarantined them. I also made sure I have all the Windows security
| updates, and I do except for a RAID driver. I also upgraded to IE 7
| just to be sure. The problem still persists.
|
| I installed a program called Prevx1 which seems to be a nice program.
| It tells you when an application starts ends etc. Every time I
| disconnect and reconnect the network connection, it tells me that a
| program called MOBSYNC.EXE has started. I'm not sure if this is
| related.
|
| Also, the network connection seems to be active only at certain times
| and inactive otherwise. When it's active it goes like crazy. I'm
| suspicious that the PC is being used for DOS attacks or SPAM etc.
|
| I'm still at a loss and any help will be appreciated. The only way I
| can fight this is by unplugging the network connection.
|
| Also, I recently configured reverse DNS lookup for my static IP address
| through my ISP. Can this be related to the network activity?
|
| Raffi
MOBSYNC.EXE is most likely legit and OK.
This may have to do with the RDNS service.
R
Raffi
David said:From: "Raffi" <[email protected]>
|
| OK, I downloaded and ran all the software. While Ad-Aware was running I
| get a warning from AntiVir that it had found a virus called
| Run_it_xxx.exe. I deleted it. Other than that, they came up with a few
| minor viruses on some files that have been on my PC for ever. I
| quarantined them. I also made sure I have all the Windows security
| updates, and I do except for a RAID driver. I also upgraded to IE 7
| just to be sure. The problem still persists.
|
| I installed a program called Prevx1 which seems to be a nice program.
| It tells you when an application starts ends etc. Every time I
| disconnect and reconnect the network connection, it tells me that a
| program called MOBSYNC.EXE has started. I'm not sure if this is
| related.
|
| Also, the network connection seems to be active only at certain times
| and inactive otherwise. When it's active it goes like crazy. I'm
| suspicious that the PC is being used for DOS attacks or SPAM etc.
|
| I'm still at a loss and any help will be appreciated. The only way I
| can fight this is by unplugging the network connection.
|
| Also, I recently configured reverse DNS lookup for my static IP address
| through my ISP. Can this be related to the network activity?
|
| Raffi
MOBSYNC.EXE is most likely legit and OK.
This may have to do with the RDNS service.
I had some time to do packet analysis using Etherial and most of the
conenctions were DNS queries and SMTP connections.
I went ahead and blocked all traffic from the PC to the ISP DNS servers
in my firewall (Comodo). The DNS server for my PC is statically defined
as the gateway router. Since the ISP DNS was no longer accessible it
rerouted the DNS queries (and/or query responses) to the gateway
router. These were a bunch of MX queries for mostly .ru domains.
Next I blocked all inbound and outbound UDP connections for svchost.exe
and services.exe. This stopped most of the traffic. After a while I
started seeing traffic to a couple of specific ip addresses
(208.66.195.78 and 62.189.194.215) which don't resolve to anything with
nslookup. I blocked these IP addresses in the firewall as well. Next
the PC started sending out a bunch of broadcasts (.255). So I blocked
outbound broadcast connections.
Next it started sending broadcast to 0.255 using the ZIP (Zone
Information Protocol) protocol. I don't think I've seen this one
before. I haven't been able to block these yet.
My guess is the PC is somehow being used as a DNS/SMTP relay. Another
guess is my svchost.exe and/or services.exe have been compromized.
As usual, any help in getting to the bottom of this would be welcome.
Raffi
D
David H. Lipman
From: "Raffi" <[email protected]>
| I had some time to do packet analysis using Etherial and most of the
| conenctions were DNS queries and SMTP connections.
| I went ahead and blocked all traffic from the PC to the ISP DNS servers
| in my firewall (Comodo). The DNS server for my PC is statically defined
| as the gateway router. Since the ISP DNS was no longer accessible it
| rerouted the DNS queries (and/or query responses) to the gateway
| router. These were a bunch of MX queries for mostly .ru domains.
| Next I blocked all inbound and outbound UDP connections for svchost.exe
| and services.exe. This stopped most of the traffic. After a while I
| started seeing traffic to a couple of specific ip addresses
| (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
| nslookup. I blocked these IP addresses in the firewall as well. Next
| the PC started sending out a bunch of broadcasts (.255). So I blocked
| outbound broadcast connections.
| Next it started sending broadcast to 0.255 using the ZIP (Zone
| Information Protocol) protocol. I don't think I've seen this one
| before. I haven't been able to block these yet.
| My guess is the PC is somehow being used as a DNS/SMTP relay. Another
| guess is my svchost.exe and/or services.exe have been compromized.
| As usual, any help in getting to the bottom of this would be welcome.
| Raffi
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-208-66-195-64-1&server=whois.arin.net
http://www.dnsstuff.com/tools/whois.ch?ip=62.189.194.215&email=on
This is suspicious.
You may have to backup the PC, wipe it and then reinstall the OS from scratch if all the
csnas have come up negative.
The only other option is to use anti RootKit software such as Gmer and BlackLight to find
the malware. Otherwise, wipe the system.
| I had some time to do packet analysis using Etherial and most of the
| conenctions were DNS queries and SMTP connections.
| I went ahead and blocked all traffic from the PC to the ISP DNS servers
| in my firewall (Comodo). The DNS server for my PC is statically defined
| as the gateway router. Since the ISP DNS was no longer accessible it
| rerouted the DNS queries (and/or query responses) to the gateway
| router. These were a bunch of MX queries for mostly .ru domains.
| Next I blocked all inbound and outbound UDP connections for svchost.exe
| and services.exe. This stopped most of the traffic. After a while I
| started seeing traffic to a couple of specific ip addresses
| (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
| nslookup. I blocked these IP addresses in the firewall as well. Next
| the PC started sending out a bunch of broadcasts (.255). So I blocked
| outbound broadcast connections.
| Next it started sending broadcast to 0.255 using the ZIP (Zone
| Information Protocol) protocol. I don't think I've seen this one
| before. I haven't been able to block these yet.
| My guess is the PC is somehow being used as a DNS/SMTP relay. Another
| guess is my svchost.exe and/or services.exe have been compromized.
| As usual, any help in getting to the bottom of this would be welcome.
| Raffi
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-208-66-195-64-1&server=whois.arin.net
http://www.dnsstuff.com/tools/whois.ch?ip=62.189.194.215&email=on
This is suspicious.
You may have to backup the PC, wipe it and then reinstall the OS from scratch if all the
csnas have come up negative.
The only other option is to use anti RootKit software such as Gmer and BlackLight to find
the malware. Otherwise, wipe the system.
G
Grzegorz Wiktorowski
The only other option is to use anti RootKit software such as Gmer and
BlackLight to find
the malware. Otherwise, wipe the system.
Try Sysinternals RootkitRevealer. Also I suggest to visit Sysinternals -
Malware forum at:
http://forum.sysinternals.com/forum_topics.asp?FID=18
W
William
It could be, but a more thourogh checkup is in orderSince the problem is "fixed" by running under a different user, that really
strongly points the finger at malware. Agrees with you here
However, I would definitely recommend that you not view this as being
"fixed".
It isn't.
Yes, that is the only way to entirely be sure that you're using a cleanYou still have that malware, and the "work" that you do on it is now exposed
to the author of that malware, and anyone he chooses to share it with.
Your most reliable bet would be to "flatten" the machine - take your work
off to a backup device, reinstall the OS and your applications, and restore
your work.
machine. However, that probably isn't necessary. I would recommend
using David Lipman's multi-AV scan either in Safe Mode as administrator
(so that you'll have access to all files) or using BartPE (if these AV
proggies can be incorporated into a BartPE disc).
Depends on which P2P and what its used foreAnd don't be running P2P applications on your work machine.
Not necessarily. If you're just using it to illegally download musicP2P
"file-sharing" is a great way to pick up malware, because you're downloading
and then executing untrusted data and applications from unknown and
untrusted third parties.
and videos (not program executables), and you're careful about how you
play these (I wouldn't rely on Windows to launch them, for example, but
load them in Winamp, and don't let Winamp connect to Internet), than
you're more or less safe. Also, more than likely, the P2P proggie you
used had its own malware (like Navaccel or something like that).
Finally, some P2P proggies (such as Bittorrent) can be used safely (like
for downloading Linux distros), since even though you're downloading
from other computers, the tracker is administered by the Linux
Distribution and, to my knowledge, it's not possible yet to alter a file
or set of files once the tracker has already been posted without posting
a new torrent tracker.
R
Raffi
David said:From: "Raffi" <[email protected]>
| I had some time to do packet analysis using Etherial and most of the
| conenctions were DNS queries and SMTP connections.
| I went ahead and blocked all traffic from the PC to the ISP DNS servers
| in my firewall (Comodo). The DNS server for my PC is statically defined
| as the gateway router. Since the ISP DNS was no longer accessible it
| rerouted the DNS queries (and/or query responses) to the gateway
| router. These were a bunch of MX queries for mostly .ru domains.
| Next I blocked all inbound and outbound UDP connections for svchost.exe
| and services.exe. This stopped most of the traffic. After a while I
| started seeing traffic to a couple of specific ip addresses
| (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
| nslookup. I blocked these IP addresses in the firewall as well. Next
| the PC started sending out a bunch of broadcasts (.255). So I blocked
| outbound broadcast connections.
| Next it started sending broadcast to 0.255 using the ZIP (Zone
| Information Protocol) protocol. I don't think I've seen this one
| before. I haven't been able to block these yet.
| My guess is the PC is somehow being used as a DNS/SMTP relay. Another
| guess is my svchost.exe and/or services.exe have been compromized.
| As usual, any help in getting to the bottom of this would be welcome.
| Raffi
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-208-66-195-64-1&server=whois.arin.net
http://www.dnsstuff.com/tools/whois.ch?ip=62.189.194.215&email=on
This is suspicious.
You may have to backup the PC, wipe it and then reinstall the OS from scratch if all the
csnas have come up negative.
The only other option is to use anti RootKit software such as Gmer and BlackLight to find
the malware. Otherwise, wipe the system.
Update - I had tried a couple of rootkit detection software without
success and had given up. But gmer finally found it. Turns out it is a
rootkit. It's called Backdoor.Rustock.B. It uses the following hidden
data stream c:\windows\system32:lzx32.sys (c:\windows\system32:18467).
This Symantec website has more information:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=3
The syptoms for the rootkit are similar to what I'm experiencing. From
what I've read so far it might be tricky to get rid of. It seems to be
active in safe mode as well. I'll be searching for a way to get rid of
it. If there are any ideas out there, please let me know.
Thanks for all the help.
Raffi
W
William
First, stay of the network with your infected PC. Secondly, GetUpdate - I had tried a couple of rootkit detection software without
success and had given up. But gmer finally found it. Turns out it is a
rootkit. It's called Backdoor.Rustock.B. It uses the following hidden
data stream c:\windows\system32:lzx32.sys (c:\windows\system32:18467).
This Symantec website has more information:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=3
The syptoms for the rootkit are similar to what I'm experiencing. From
what I've read so far it might be tricky to get rid of. It seems to be
active in safe mode as well. I'll be searching for a way to get rid of
it. If there are any ideas out there, please let me know.
Thanks for all the help.
Raffi
PEBuilder and create a BartPE LiveCD. Use this to edit your
registry.hiv file in order to remove the rootkit (I haven't done the
research because my blood sugar is getting low, so you'll need to do the
research to figure out what registry keys in registry.hiv should be
deleted (or maybe someone else here will be nice enough to post those
for you). Good luck.
Cheers,
Will
A
Alun Jones
William said:Not necessarily. If you're just using it to illegally download music and
videos (not program executables), and you're careful about how you play
these (I wouldn't rely on Windows to launch them, for example, but load
them in Winamp, and don't let Winamp connect to Internet), than you're
more or less safe.
Right, because Winamp has never had any vulnerabilities that can be
exploited by badly formatted data.
Oh. No, wait, actually it has. Several times.
This is why the trend lately is to attack applications, rather than
operating systems - the operating system vendors are getting much better at
tracking and fixing problems, but many application vendors still have their
heads in the sand - and so do many users, to judge from the reactions I get
whenever I suggest that data - music, video, etc - might carry trojans.
In the abstract sense, there is no dividing line between code and data -
data tells code where to go, and so acts as pseudo-code, in many cases.
Also, more than likely, the P2P proggie you used had its own malware (like
Navaccel or something like that).
Don't make the mistake of assuming that I'm talking about my own experiences
with P2P - I've simply seen too many machines infected where the source of
infection is traced to an overactive P2P exchanger.
Finally, some P2P proggies (such as Bittorrent) can be used safely (like
for downloading Linux distros), since even though you're downloading from
other computers, the tracker is administered by the Linux Distribution
and, to my knowledge, it's not possible yet to alter a file or set of
files once the tracker has already been posted without posting a new
torrent tracker.
I'm glad you put me at ease there - after all, the main Linux distros have
never been altered maliciously by hackers.
Oh, wait, they have, haven't they.
http://www.linuxinsider.com/story/32240.html
Cleaning a virus or trojan infection is only going to be effective if you
can plug whatever hole they got in through - whether it's a hole in your
behaviour, or in your apps, or in your OS. Even flattening and restoring
just means that the attacker gets another chance to try the same thing at
you, but this time on a system that's less cluttered with the debris of
other previous attacks.
Alun.
~~~~
P
PA Bear
You're a gem, Alun! Your posts are always insightful, and I very much enjoy
your sly, tongue-in-cheek writing.
your sly, tongue-in-cheek writing.
W
William
Right, because Winamp has never had any vulnerabilities that can be
exploited by badly formatted data.
I didn't recommend Winamp because it was invulnerable, but simply
because its not Integrated into the OS, so that if it goes bad, the
whole OS doesn't suffer. Additionally, while exploits may exist in
Winamp when accessing questionable media locally stored, In order for
any real damage to be done (i.e. a trojan downloader), Winamp would need
to access the Internet (or maybe that reched program Internet Explorer).
A good Firewall (like Kerio) should be able to prevent this from
happening.
[snip]Oh. No, wait, actually it has. Several times.
This is why the trend lately is to attack applications, rather than
operating systems - the operating system vendors are getting much better at
tracking and fixing problems, but many application vendors still have their
heads in the sand - and so do many users
I understand your sentiment. Clearly, you support Microsoft, and that's
fine. I don't agree with that sentiment, but everyone is entitled to
their own opinion.
Again, requires Internet access to download the trojan. Media itselfIn the abstract sense, there is no dividing line between code and data -
data tells code where to go, and so acts as pseudo-code, in many cases.
cannot contain the final executable code that infests a system with
malware, all it can do is exploit vulnerabilities that allow the said
malware to be installed.
Which is why if someone is going to use P2P, they should be advised (asDon't make the mistake of assuming that I'm talking about my own experiences
with P2P - I've simply seen too many machines infected where the source of
infection is traced to an overactive P2P exchanger.
I'm trying to do) on how to use it safely. I'm not condoning such
action, but its kind of analogous to making sure your teenager has
protection, you don't want them to have to use it until they've matured,
but they do, than it'll be there for them.
I'm glad you put me at ease there - after all, the main Linux distros have
never been altered maliciously by hackers.
Oh, wait, they have, haven't they.
http://www.linuxinsider.com/story/32240.html
What's this got to do with altering a bittorrent stream. The results
would have been the same rather bittorrent was used to download the
distro or if it was downloaded from the server. In fact, in this case,
the bittorrent tracker probably would have been the safer bet, since it
was the server (and not the torrent) that was hacked.
Cleaning a virus or trojan infection is only going to be effective if you
can plug whatever hole they got in through - whether it's a hole in your
behaviour, or in your apps, or in your OS. Even flattening and restoring
just means that the attacker gets another chance to try the same thing at
you, but this time on a system that's less cluttered with the debris of
other previous attacks.
Agrees with you here. So, with that, I hope that if the OP ultimately
decides to continue P2P, that he/she does so safely.
Regards,
Will
A
Alun Jones
William said:I didn't recommend Winamp because it was invulnerable, but simply because
its not Integrated into the OS, so that if it goes bad, the whole OS
doesn't suffer.
It does if you're running as an administrator account.
Windows (as with all computer systems I'm aware of) cannot distinguish
between the user, and programs run on that user's behalf. If you, the user,
run Winamp, and it loads a data file that causes execution through
exploiting a buffer overflow, the malware inside of that data file can do
absolutely anything to the system that you can do, with the exception of
anything that requires your actual physical presence.
So, if you're running as an administrator, it doesn't matter if you're
loading exploits into a program that's labeled "part of the OS", or one
that's labeled "third party shovelware", the exploit can do what it chooses.
The answer, then, is to run as a restricted user account. I do it all the
time - and when I do, my Internet Explorer runs as a restricted user account
too. Exploits in the apps I use can still do anything I can do, but the
damage is limited to my personal data, not the entire OS.
You can even run as an administrator while forcing IE to run as a restricted
user! [Search for "SAFER" and "SRP" and "Internet Explorer" for some
articles, or see
http://blogs.msdn.com/michael_howard/archive/2005/01/31/363985.aspx]
Note, though, that once you've downloaded and run a piece of malware,
whether it's an EXE or a buffer-overflowing MP3, that malware can do
everything you can do as a user.
Additionally, while exploits may exist in Winamp when accessing
questionable media locally stored, In order for any real damage to be done
(i.e. a trojan downloader), Winamp would need to access the Internet (or
maybe that reched program Internet Explorer).
Uh... no. Remember, Winamp - and any exploit it loads, as far as the
operating system is concerned, _is_ you.
It can start another program, it can inject itself into another program
you're already running, or it can combine the two.
A good Firewall (like Kerio) should be able to prevent this from
happening.
No, no it won't. Again, if you've told Kerio, or whatever, to allow _any_
program to access the outside world, that program can be compromised by code
you've run under any other program. So, your Winamp exploit can infect your
Internet Explorer in memory (not on disk, unless you have rights to that),
and pretend to be Internet Explorer in order to download its exploit - or,
quite honestly, it can simply start up IE to fetch the rest of its code.
But why would it need to do even that?
How big are the media files you're "sharing"? Way bigger than most damaging
code I could imagine. If you're downloading a video, or anything more than a
few seconds of sound, you won't notice the increase in size that you get by
adding some kind of malware.
[snip]Oh. No, wait, actually it has. Several times.
This is why the trend lately is to attack applications, rather than
operating systems - the operating system vendors are getting much better
at tracking and fixing problems, but many application vendors still have
their heads in the sand - and so do many users
I understand your sentiment. Clearly, you support Microsoft, and that's
fine. I don't agree with that sentiment, but everyone is entitled to
their own opinion.
A => Z. Welcome to today's edition of "Jumping to Conclusions".
Again, requires Internet access to download the trojan. Media itself
cannot contain the final executable code that infests a system with
malware, all it can do is exploit vulnerabilities that allow the said
malware to be installed.
If you believe that, you've got a long way to go. There really is no other
way to say it, but to note that you are completely wrong in that assertion.
Media itself can quite comfortably contain the exploit and whatever code is
going to execute after the exploit has taken over control of your system.
Which is why if someone is going to use P2P, they should be advised (as
I'm trying to do) on how to use it safely. I'm not condoning such action,
but its kind of analogous to making sure your teenager has protection, you
don't want them to have to use it until they've matured, but they do, than
it'll be there for them.
Best protection against catching malware from P2P is a membership at
Blockbuster, or a Netflix subscription.
Get your movies, and your tunes, from reputable sources who have a little
skin in the game should you get infected through them.
What's this got to do with altering a bittorrent stream. The results
would have been the same rather bittorrent was used to download the distro
or if it was downloaded from the server. In fact, in this case, the
bittorrent tracker probably would have been the safer bet, since it was
the server (and not the torrent) that was hacked.
The point is that you can only trust checksummed streams as much as you can
trust the person who created the file and the checksum in the first place.
Since most "sharing" of illegally copied material is done by people who
would like to remain anonymous, you're relying on trusting someone whom you
can't identify, and whose reputation (and reason for maintaining that
reputation) is unverifiable.
Agrees with you here. So, with that, I hope that if the OP ultimately
decides to continue P2P, that he/she does so safely.
That requires only loading files with hashes generated by trusted
authorities. ("Authority" here means anyone with the right to say what is,
or isn't, a valid copy of a file.)
Downloading stolen movies and songs is not going to be safe. Not ever.
Alun.
~~~~
R
Raffi
William said:First, stay of the network with your infected PC. Secondly, Get
PEBuilder and create a BartPE LiveCD. Use this to edit your
registry.hiv file in order to remove the rootkit (I haven't done the
research because my blood sugar is getting low, so you'll need to do the
research to figure out what registry keys in registry.hiv should be
deleted (or maybe someone else here will be nice enough to post those
for you). Good luck.
Cheers,
Will
Will,
Thanks for the suggestions. I did manage to clean my system using a
tool called "rustbfix.exe". My guess is this tool disables the root kit
in the registry but doesn't actually delete the stream
(c:\windows\system32:lzx32.sys). After running the tool, I ran gmer.exe
again and had to manually delete the stream. The stream was
inaccessible before but after running the cleaning tool, I was able to
delete it.
Anyway, this little adventure took up alot of my time and hopefully
this message thread will help others get to a fix much quicker/easier.
Thanks for everyone for the help and suggestions.
Raffi
D
David H. Lipman
From: "Raffi" <[email protected]>
| Will,
| Thanks for the suggestions. I did manage to clean my system using a
| tool called "rustbfix.exe". My guess is this tool disables the root kit
| in the registry but doesn't actually delete the stream
| (c:\windows\system32:lzx32.sys). After running the tool, I ran gmer.exe
| again and had to manually delete the stream. The stream was
| inaccessible before but after running the cleaning tool, I was able to
| delete it.
| Anyway, this little adventure took up alot of my time and hopefully
| this message thread will help others get to a fix much quicker/easier.
| Thanks for everyone for the help and suggestions.
| Raffi
That would be the following Rustock RootKit removal toool...
http://www.uploads.ejvindh.net/rustbfix.exe
| Will,
| Thanks for the suggestions. I did manage to clean my system using a
| tool called "rustbfix.exe". My guess is this tool disables the root kit
| in the registry but doesn't actually delete the stream
| (c:\windows\system32:lzx32.sys). After running the tool, I ran gmer.exe
| again and had to manually delete the stream. The stream was
| inaccessible before but after running the cleaning tool, I was able to
| delete it.
| Anyway, this little adventure took up alot of my time and hopefully
| this message thread will help others get to a fix much quicker/easier.
| Thanks for everyone for the help and suggestions.
| Raffi
That would be the following Rustock RootKit removal toool...
http://www.uploads.ejvindh.net/rustbfix.exe
W
William
Will,
Thanks for the suggestions. I did manage to clean my system using a
tool called "rustbfix.exe". My guess is this tool disables the root
kit in the registry but doesn't actually delete the stream
(c:\windows\system32:lzx32.sys). After running the tool, I ran
gmer.exe again and had to manually delete the stream. The stream was
inaccessible before but after running the cleaning tool, I was able to
delete it.
Anyway, this little adventure took up alot of my time and hopefully
this message thread will help others get to a fix much quicker/easier.
Thanks for everyone for the help and suggestions.
Raffi
OK. Surf safely, now, and seriously, be careful with the P2P.
G
Grzegorz Wiktorowski
R
Raffi
Alun said:William said:I didn't recommend Winamp because it was invulnerable, but simply because
its not Integrated into the OS, so that if it goes bad, the whole OS
doesn't suffer.
It does if you're running as an administrator account.
Windows (as with all computer systems I'm aware of) cannot distinguish
between the user, and programs run on that user's behalf. If you, the user,
run Winamp, and it loads a data file that causes execution through
exploiting a buffer overflow, the malware inside of that data file can do
absolutely anything to the system that you can do, with the exception of
anything that requires your actual physical presence.
So, if you're running as an administrator, it doesn't matter if you're
loading exploits into a program that's labeled "part of the OS", or one
that's labeled "third party shovelware", the exploit can do what it chooses.
The answer, then, is to run as a restricted user account. I do it all the
time - and when I do, my Internet Explorer runs as a restricted user account
too. Exploits in the apps I use can still do anything I can do, but the
damage is limited to my personal data, not the entire OS.
You can even run as an administrator while forcing IE to run as a restricted
user! [Search for "SAFER" and "SRP" and "Internet Explorer" for some
articles, or see
http://blogs.msdn.com/michael_howard/archive/2005/01/31/363985.aspx]
Note, though, that once you've downloaded and run a piece of malware,
whether it's an EXE or a buffer-overflowing MP3, that malware can do
everything you can do as a user.
Additionally, while exploits may exist in Winamp when accessing
questionable media locally stored, In order for any real damage to be done
(i.e. a trojan downloader), Winamp would need to access the Internet (or
maybe that reched program Internet Explorer).
Uh... no. Remember, Winamp - and any exploit it loads, as far as the
operating system is concerned, _is_ you.
It can start another program, it can inject itself into another program
you're already running, or it can combine the two.
A good Firewall (like Kerio) should be able to prevent this from
happening.
No, no it won't. Again, if you've told Kerio, or whatever, to allow _any_
program to access the outside world, that program can be compromised by code
you've run under any other program. So, your Winamp exploit can infect your
Internet Explorer in memory (not on disk, unless you have rights to that),
and pretend to be Internet Explorer in order to download its exploit - or,
quite honestly, it can simply start up IE to fetch the rest of its code.
But why would it need to do even that?
How big are the media files you're "sharing"? Way bigger than most damaging
code I could imagine. If you're downloading a video, or anything more than a
few seconds of sound, you won't notice the increase in size that you get by
adding some kind of malware.
[snip]Oh. No, wait, actually it has. Several times.
This is why the trend lately is to attack applications, rather than
operating systems - the operating system vendors are getting much better
at tracking and fixing problems, but many application vendors still have
their heads in the sand - and so do many users
I understand your sentiment. Clearly, you support Microsoft, and that's
fine. I don't agree with that sentiment, but everyone is entitled to
their own opinion.
A => Z. Welcome to today's edition of "Jumping to Conclusions".
Again, requires Internet access to download the trojan. Media itself
cannot contain the final executable code that infests a system with
malware, all it can do is exploit vulnerabilities that allow the said
malware to be installed.
If you believe that, you've got a long way to go. There really is no other
way to say it, but to note that you are completely wrong in that assertion.
Media itself can quite comfortably contain the exploit and whatever code is
going to execute after the exploit has taken over control of your system.
Which is why if someone is going to use P2P, they should be advised (as
I'm trying to do) on how to use it safely. I'm not condoning such action,
but its kind of analogous to making sure your teenager has protection, you
don't want them to have to use it until they've matured, but they do, than
it'll be there for them.
Best protection against catching malware from P2P is a membership at
Blockbuster, or a Netflix subscription.
Get your movies, and your tunes, from reputable sources who have a little
skin in the game should you get infected through them.
What's this got to do with altering a bittorrent stream. The results
would have been the same rather bittorrent was used to download the distro
or if it was downloaded from the server. In fact, in this case, the
bittorrent tracker probably would have been the safer bet, since it was
the server (and not the torrent) that was hacked.
The point is that you can only trust checksummed streams as much as you can
trust the person who created the file and the checksum in the first place.
Since most "sharing" of illegally copied material is done by people who
would like to remain anonymous, you're relying on trusting someone whom you
can't identify, and whose reputation (and reason for maintaining that
reputation) is unverifiable.
Agrees with you here. So, with that, I hope that if the OP ultimately
decides to continue P2P, that he/she does so safely.
That requires only loading files with hashes generated by trusted
authorities. ("Authority" here means anyone with the right to say what is,
or isn't, a valid copy of a file.)
Downloading stolen movies and songs is not going to be safe. Not ever.
Alun.
~~~~
Let's not assume the malware came through P2P. This stuff is all over
the Internet.
Raffi
W
William
Alun said:William said:On 12/28/2006 10:10 AM, something possessed Alun Jones to write:
in message Not necessarily. If you're just using it to illegally download
music and videos (not program executables), and you're careful
about how you play these (I wouldn't rely on Windows to launch
them, for example, but load them in Winamp, and don't let Winamp
connect to Internet), than you're more or less safe.
Right, because Winamp has never had any vulnerabilities that can
be exploited by badly formatted data.
I didn't recommend Winamp because it was invulnerable, but simply
because its not Integrated into the OS, so that if it goes bad, the
whole OS doesn't suffer.
It does if you're running as an administrator account.
Windows (as with all computer systems I'm aware of) cannot
distinguish between the user, and programs run on that user's behalf.
If you, the user, run Winamp, and it loads a data file that causes
execution through exploiting a buffer overflow, the malware inside of
that data file can do absolutely anything to the system that you can
do, with the exception of anything that requires your actual physical
presence.
So, if you're running as an administrator, it doesn't matter if
you're loading exploits into a program that's labeled "part of the
OS", or one that's labeled "third party shovelware", the exploit can
do what it chooses.
The answer, then, is to run as a restricted user account. I do it
all the time - and when I do, my Internet Explorer runs as a
restricted user account too. Exploits in the apps I use can still do
anything I can do, but the damage is limited to my personal data, not
the entire OS.
You can even run as an administrator while forcing IE to run as a
restricted user! [Search for "SAFER" and "SRP" and "Internet
Explorer" for some articles, or see
http://blogs.msdn.com/michael_howard/archive/2005/01/31/363985.aspx]
Note, though, that once you've downloaded and run a piece of malware,
whether it's an EXE or a buffer-overflowing MP3, that malware can do
everything you can do as a user.
Additionally, while exploits may exist in Winamp when accessing
questionable media locally stored, In order for any real damage to
be done (i.e. a trojan downloader), Winamp would need to access the
Internet (or maybe that reched program Internet Explorer).
Uh... no. Remember, Winamp - and any exploit it loads, as far as the
operating system is concerned, _is_ you.
It can start another program, it can inject itself into another
program you're already running, or it can combine the two.
A good Firewall (like Kerio) should be able to prevent this from
happening.
No, no it won't. Again, if you've told Kerio, or whatever, to allow
_any_ program to access the outside world, that program can be
compromised by code you've run under any other program. So, your
Winamp exploit can infect your Internet Explorer in memory (not on
disk, unless you have rights to that), and pretend to be Internet
Explorer in order to download its exploit - or, quite honestly, it
can simply start up IE to fetch the rest of its code.
But why would it need to do even that?
How big are the media files you're "sharing"? Way bigger than most
damaging code I could imagine. If you're downloading a video, or
anything more than a few seconds of sound, you won't notice the
increase in size that you get by adding some kind of malware.
Oh. No, wait, actually it has. Several times.
This is why the trend lately is to attack applications, rather
than operating systems - the operating system vendors are getting
much better at tracking and fixing problems, but many application
vendors still have their heads in the sand - and so do many users
[snip]
I understand your sentiment. Clearly, you support Microsoft, and
that's fine. I don't agree with that sentiment, but everyone is
entitled to their own opinion.
A => Z. Welcome to today's edition of "Jumping to Conclusions".
In the abstract sense, there is no dividing line between code and
data - data tells code where to go, and so acts as pseudo-code, in
many cases.
Again, requires Internet access to download the trojan. Media
itself cannot contain the final executable code that infests a
system with malware, all it can do is exploit vulnerabilities that
allow the said malware to be installed.
If you believe that, you've got a long way to go. There really is no
other way to say it, but to note that you are completely wrong in
that assertion. Media itself can quite comfortably contain the
exploit and whatever code is going to execute after the exploit has
taken over control of your system.
Also, more than likely, the P2P proggie you used had its own
malware (like Navaccel or something like that).
Don't make the mistake of assuming that I'm talking about my own
experiences with P2P - I've simply seen too many machines infected
where the source of infection is traced to an overactive P2P
exchanger.
Which is why if someone is going to use P2P, they should be advised
(as I'm trying to do) on how to use it safely. I'm not condoning
such action, but its kind of analogous to making sure your teenager
has protection, you don't want them to have to use it until they've
matured, but they do, than it'll be there for them.
Best protection against catching malware from P2P is a membership at
Blockbuster, or a Netflix subscription.
Get your movies, and your tunes, from reputable sources who have a
little skin in the game should you get infected through them.
Finally, some P2P proggies (such as Bittorrent) can be used
safely (like for downloading Linux distros), since even though
you're downloading from other computers, the tracker is
administered by the Linux Distribution and, to my knowledge, it's
not possible yet to alter a file or set of files once the tracker
has already been posted without posting a new torrent tracker.
I'm glad you put me at ease there - after all, the main Linux
distros have never been altered maliciously by hackers.
Oh, wait, they have, haven't they.
http://www.linuxinsider.com/story/32240.html
What's this got to do with altering a bittorrent stream. The
results would have been the same rather bittorrent was used to
download the distro or if it was downloaded from the server. In
fact, in this case, the bittorrent tracker probably would have been
the safer bet, since it was the server (and not the torrent) that
was hacked.
The point is that you can only trust checksummed streams as much as
you can trust the person who created the file and the checksum in the
first place. Since most "sharing" of illegally copied material is
done by people who would like to remain anonymous, you're relying on
trusting someone whom you can't identify, and whose reputation (and
reason for maintaining that reputation) is unverifiable.
Cleaning a virus or trojan infection is only going to be effective
if you can plug whatever hole they got in through - whether it's a
hole in your behaviour, or in your apps, or in your OS. Even
flattening and restoring just means that the attacker gets another
chance to try the same thing at you, but this time on a system
that's less cluttered with the debris of other previous attacks.
Agrees with you here. So, with that, I hope that if the OP
ultimately decides to continue P2P, that he/she does so safely.
That requires only loading files with hashes generated by trusted
authorities. ("Authority" here means anyone with the right to say
what is, or isn't, a valid copy of a file.)
Downloading stolen movies and songs is not going to be safe. Not
ever.
Alun.
~~~~
Let's not assume the malware came through P2P. This stuff is all over
the Internet.
Yup. Like, for example, it could have happenned from surfing the
Internet using Internet Exploiter ;-D.
Cheers,
William
A
Alun Jones
Raffi said:Let's not assume the malware came through P2P. This stuff is all over
the Internet.
I don't think I ever did assume that - however, it's a behaviour one should
strongly avoid if one wants to prevent malware infections. It's like surfing
to random locations on the web and running whatever ActiveX controls you
find.
Alun.
~~~~