|
Posted by William on December 27, 2006, 12:49 am
If you were Registered and logged in, you could reply and use other advanced thread options
On 12/21/2006 9:49 AM, something possessed Alun Jones to write:
>> David H. Lipman wrote:
>>>
>>> |
>>> | Thanks for the reply. Removing the P2P software and clearing the
>>> | \etc\hosts file did not correct the issue after all. I just logged in
>>> | with the administrator account and the network activity is no longer
>>> | there. This seems to be happenning only when I log into my personal
>>> | account. During my last login, SERVICES.EXE was making the connections
>>> | rather than SVCHOST.EXE. Is there a way to determine if these files
>>> | have been tampered with?
>>> |
>>> | I'll try to get more information from netstat etc.
>>> |
>>> | Raffi
>>>
>>> Yes. Download and use Process Explorer
>>>
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
>>>
>>> And look at not only the file name SERVICES.EXE but the fully qualified
>>> name and path.
>>>
>>> SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder;
>>> %windir%\system32
>>> If they are executed from any other location it is a sure sign of
>>> malware.
>>>
>>> Also, there are DLLs that can be loaded and use SERVICES.EXE and
>>> SVCHOST.EXE such that the
>>> legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but
>>> are loading
>>> malicuious DLL files.
>>>
>>> You can also run MSCONFIG.EXE and compare what is loaded as administrator
>>> vs. what is loaded
>>> in you everyday account. You indicated the activity stopped when you
>>> logged on as admin.
>>> thus what may be loaded to cause the activity is being loaded by that
>>> personal account.
>>>
>>> --
>>> Dave
>>> http://www.claymania.com/removal-trojan-adware.html
>>> http://www.ik-cs.com/got-a-virus.htm
>> Dave,
>>
>> Thanks for all the help and suggestions. I took the easy way out this
>> time. I created a new user and transferred all important files
>> (documents etc) to the new user. Then I deleted the original account.
>> This fixed the issue.
>>
>> My guess is that this was some sort of malware. I did download process
>> explorer for future use. Sorry I couldn't chase this any longer but
>> this is my main workstation and I have alot of work to do which had
>> been on hold while I was chasing this.
>
> Since the problem is "fixed" by running under a different user, that really
> strongly points the finger at malware.
Agrees with you here
>
> However, I would definitely recommend that you not view this as being
> "fixed".
>
> It isn't.
It could be, but a more thourogh checkup is in order
>
> You still have that malware, and the "work" that you do on it is now exposed
> to the author of that malware, and anyone he chooses to share it with.
>
> Your most reliable bet would be to "flatten" the machine - take your work
> off to a backup device, reinstall the OS and your applications, and restore
> your work.
Yes, that is the only way to entirely be sure that you're using a clean
machine. However, that probably isn't necessary. I would recommend
using David Lipman's multi-AV scan either in Safe Mode as administrator
(so that you'll have access to all files) or using BartPE (if these AV
proggies can be incorporated into a BartPE disc).
>
> And don't be running P2P applications on your work machine.
Depends on which P2P and what its used fore
> P2P
> "file-sharing" is a great way to pick up malware, because you're downloading
> and then executing untrusted data and applications from unknown and
> untrusted third parties.
Not necessarily. If you're just using it to illegally download music
and videos (not program executables), and you're careful about how you
play these (I wouldn't rely on Windows to launch them, for example, but
load them in Winamp, and don't let Winamp connect to Internet), than
you're more or less safe. Also, more than likely, the P2P proggie you
used had its own malware (like Navaccel or something like that).
Finally, some P2P proggies (such as Bittorrent) can be used safely (like
for downloading Linux distros), since even though you're downloading
from other computers, the tracker is administered by the Linux
Distribution and, to my knowledge, it's not possible yet to alter a file
or set of files once the tracker has already been posted without posting
a new torrent tracker.
> Is it any wonder you got infected? Unless you
> remove the infection, and stop doing the things that got you infected,
> you'll stay infected, and you'll get infected again with the next thing that
> comes along. Eventually, your "work" will be spread around the world for
> everyone to enjoy. I don't think you want that.
>
> Alun.
> ~~~~
>
>
|
|
Posted by Alun Jones on December 28, 2006, 1:10 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> Not necessarily. If you're just using it to illegally download music and
> videos (not program executables), and you're careful about how you play
> these (I wouldn't rely on Windows to launch them, for example, but load
> them in Winamp, and don't let Winamp connect to Internet), than you're
> more or less safe.
Right, because Winamp has never had any vulnerabilities that can be
exploited by badly formatted data.
Oh. No, wait, actually it has. Several times.
This is why the trend lately is to attack applications, rather than
operating systems - the operating system vendors are getting much better at
tracking and fixing problems, but many application vendors still have their
heads in the sand - and so do many users, to judge from the reactions I get
whenever I suggest that data - music, video, etc - might carry trojans.
In the abstract sense, there is no dividing line between code and data -
data tells code where to go, and so acts as pseudo-code, in many cases.
> Also, more than likely, the P2P proggie you used had its own malware (like
> Navaccel or something like that).
Don't make the mistake of assuming that I'm talking about my own experiences
with P2P - I've simply seen too many machines infected where the source of
infection is traced to an overactive P2P exchanger.
> Finally, some P2P proggies (such as Bittorrent) can be used safely (like
> for downloading Linux distros), since even though you're downloading from
> other computers, the tracker is administered by the Linux Distribution
> and, to my knowledge, it's not possible yet to alter a file or set of
> files once the tracker has already been posted without posting a new
> torrent tracker.
I'm glad you put me at ease there - after all, the main Linux distros have
never been altered maliciously by hackers.
Oh, wait, they have, haven't they.
http://www.linuxinsider.com/story/32240.html
Cleaning a virus or trojan infection is only going to be effective if you
can plug whatever hole they got in through - whether it's a hole in your
behaviour, or in your apps, or in your OS. Even flattening and restoring
just means that the attacker gets another chance to try the same thing at
you, but this time on a system that's less cluttered with the debris of
other previous attacks.
Alun.
~~~~
|
|
Posted by PA Bear on December 28, 2006, 1:41 pm
If you were Registered and logged in, you could reply and use other advanced thread options
your sly, tongue-in-cheek writing.
--
~PA Bear
Alun Jones wrote:
> message
>> Not necessarily. If you're just using it to illegally download music and
>> videos (not program executables), and you're careful about how you play
>> these (I wouldn't rely on Windows to launch them, for example, but load
>> them in Winamp, and don't let Winamp connect to Internet), than you're
>> more or less safe.
>
> Right, because Winamp has never had any vulnerabilities that can be
> exploited by badly formatted data.
>
> Oh. No, wait, actually it has. Several times.
>
> This is why the trend lately is to attack applications, rather than
> operating systems - the operating system vendors are getting much better
> at
> tracking and fixing problems, but many application vendors still have
> their
> heads in the sand - and so do many users, to judge from the reactions I
> get
> whenever I suggest that data - music, video, etc - might carry trojans.
>
> In the abstract sense, there is no dividing line between code and data -
> data tells code where to go, and so acts as pseudo-code, in many cases.
>
>> Also, more than likely, the P2P proggie you used had its own malware
>> (like
>> Navaccel or something like that).
>
> Don't make the mistake of assuming that I'm talking about my own
> experiences
> with P2P - I've simply seen too many machines infected where the source of
> infection is traced to an overactive P2P exchanger.
>
>> Finally, some P2P proggies (such as Bittorrent) can be used safely (like
>> for downloading Linux distros), since even though you're downloading from
>> other computers, the tracker is administered by the Linux Distribution
>> and, to my knowledge, it's not possible yet to alter a file or set of
>> files once the tracker has already been posted without posting a new
>> torrent tracker.
>
> I'm glad you put me at ease there - after all, the main Linux distros have
> never been altered maliciously by hackers.
>
> Oh, wait, they have, haven't they.
> http://www.linuxinsider.com/story/32240.html
>
> Cleaning a virus or trojan infection is only going to be effective if you
> can plug whatever hole they got in through - whether it's a hole in your
> behaviour, or in your apps, or in your OS. Even flattening and restoring
> just means that the attacker gets another chance to try the same thing at
> you, but this time on a system that's less cluttered with the debris of
> other previous attacks.
>
> Alun.
> ~~~~
|
|
Posted by William on December 28, 2006, 2:35 pm
If you were Registered and logged in, you could reply and use other advanced thread options
>> Not necessarily. If you're just using it to illegally download music and
>> videos (not program executables), and you're careful about how you play
>> these (I wouldn't rely on Windows to launch them, for example, but load
>> them in Winamp, and don't let Winamp connect to Internet), than you're
>> more or less safe.
>
> Right, because Winamp has never had any vulnerabilities that can be
> exploited by badly formatted data.
I didn't recommend Winamp because it was invulnerable, but simply
because its not Integrated into the OS, so that if it goes bad, the
whole OS doesn't suffer. Additionally, while exploits may exist in
Winamp when accessing questionable media locally stored, In order for
any real damage to be done (i.e. a trojan downloader), Winamp would need
to access the Internet (or maybe that reched program Internet Explorer).
A good Firewall (like Kerio) should be able to prevent this from
happening.
>
> Oh. No, wait, actually it has. Several times.
>
> This is why the trend lately is to attack applications, rather than
> operating systems - the operating system vendors are getting much better at
> tracking and fixing problems, but many application vendors still have their
> heads in the sand - and so do many users
[snip]
I understand your sentiment. Clearly, you support Microsoft, and that's
fine. I don't agree with that sentiment, but everyone is entitled to
their own opinion.
>
> In the abstract sense, there is no dividing line between code and data -
> data tells code where to go, and so acts as pseudo-code, in many cases.
Again, requires Internet access to download the trojan. Media itself
cannot contain the final executable code that infests a system with
malware, all it can do is exploit vulnerabilities that allow the said
malware to be installed.
>
>> Also, more than likely, the P2P proggie you used had its own malware (like
>> Navaccel or something like that).
>
> Don't make the mistake of assuming that I'm talking about my own experiences
> with P2P - I've simply seen too many machines infected where the source of
> infection is traced to an overactive P2P exchanger.
Which is why if someone is going to use P2P, they should be advised (as
I'm trying to do) on how to use it safely. I'm not condoning such
action, but its kind of analogous to making sure your teenager has
protection, you don't want them to have to use it until they've matured,
but they do, than it'll be there for them.
>
>> Finally, some P2P proggies (such as Bittorrent) can be used safely (like
>> for downloading Linux distros), since even though you're downloading from
>> other computers, the tracker is administered by the Linux Distribution
>> and, to my knowledge, it's not possible yet to alter a file or set of
>> files once the tracker has already been posted without posting a new
>> torrent tracker.
>
> I'm glad you put me at ease there - after all, the main Linux distros have
> never been altered maliciously by hackers.
>
> Oh, wait, they have, haven't they.
> http://www.linuxinsider.com/story/32240.html
What's this got to do with altering a bittorrent stream. The results
would have been the same rather bittorrent was used to download the
distro or if it was downloaded from the server. In fact, in this case,
the bittorrent tracker probably would have been the safer bet, since it
was the server (and not the torrent) that was hacked.
>
> Cleaning a virus or trojan infection is only going to be effective if you
> can plug whatever hole they got in through - whether it's a hole in your
> behaviour, or in your apps, or in your OS. Even flattening and restoring
> just means that the attacker gets another chance to try the same thing at
> you, but this time on a system that's less cluttered with the debris of
> other previous attacks.
Agrees with you here. So, with that, I hope that if the OP ultimately
decides to continue P2P, that he/she does so safely.
Regards,
Will
|
|
Posted by Alun Jones on December 28, 2006, 7:16 pm
If you were Registered and logged in, you could reply and use other advanced thread options > On 12/28/2006 10:10 AM, something possessed Alun Jones to write:
>>> Not necessarily. If you're just using it to illegally download music
>>> and videos (not program executables), and you're careful about how you
>>> play these (I wouldn't rely on Windows to launch them, for example, but
>>> load them in Winamp, and don't let Winamp connect to Internet), than
>>> you're more or less safe.
>>
>> Right, because Winamp has never had any vulnerabilities that can be
>> exploited by badly formatted data.
>
> I didn't recommend Winamp because it was invulnerable, but simply because
> its not Integrated into the OS, so that if it goes bad, the whole OS
> doesn't suffer.
It does if you're running as an administrator account.
Windows (as with all computer systems I'm aware of) cannot distinguish
between the user, and programs run on that user's behalf. If you, the user,
run Winamp, and it loads a data file that causes execution through
exploiting a buffer overflow, the malware inside of that data file can do
absolutely anything to the system that you can do, with the exception of
anything that requires your actual physical presence.
So, if you're running as an administrator, it doesn't matter if you're
loading exploits into a program that's labeled "part of the OS", or one
that's labeled "third party shovelware", the exploit can do what it chooses.
The answer, then, is to run as a restricted user account. I do it all the
time - and when I do, my Internet Explorer runs as a restricted user account
too. Exploits in the apps I use can still do anything I can do, but the
damage is limited to my personal data, not the entire OS.
You can even run as an administrator while forcing IE to run as a restricted
user! [Search for "SAFER" and "SRP" and "Internet Explorer" for some
articles, or see
http://blogs.msdn.com/michael_howard/archive/2005/01/31/363985.aspx]
Note, though, that once you've downloaded and run a piece of malware,
whether it's an EXE or a buffer-overflowing MP3, that malware can do
everything you can do as a user.
> Additionally, while exploits may exist in Winamp when accessing
> questionable media locally stored, In order for any real damage to be done
> (i.e. a trojan downloader), Winamp would need to access the Internet (or
> maybe that reched program Internet Explorer).
Uh... no. Remember, Winamp - and any exploit it loads, as far as the
operating system is concerned, _is_ you.
It can start another program, it can inject itself into another program
you're already running, or it can combine the two.
> A good Firewall (like Kerio) should be able to prevent this from
> happening.
No, no it won't. Again, if you've told Kerio, or whatever, to allow _any_
program to access the outside world, that program can be compromised by code
you've run under any other program. So, your Winamp exploit can infect your
Internet Explorer in memory (not on disk, unless you have rights to that),
and pretend to be Internet Explorer in order to download its exploit - or,
quite honestly, it can simply start up IE to fetch the rest of its code.
But why would it need to do even that?
How big are the media files you're "sharing"? Way bigger than most damaging
code I could imagine. If you're downloading a video, or anything more than a
few seconds of sound, you won't notice the increase in size that you get by
adding some kind of malware.
>>
>> Oh. No, wait, actually it has. Several times.
>>
>> This is why the trend lately is to attack applications, rather than
>> operating systems - the operating system vendors are getting much better
>> at tracking and fixing problems, but many application vendors still have
>> their heads in the sand - and so do many users
> [snip]
> I understand your sentiment. Clearly, you support Microsoft, and that's
> fine. I don't agree with that sentiment, but everyone is entitled to
> their own opinion.
A => Z. Welcome to today's edition of "Jumping to Conclusions".
>> In the abstract sense, there is no dividing line between code and data -
>> data tells code where to go, and so acts as pseudo-code, in many cases.
> Again, requires Internet access to download the trojan. Media itself
> cannot contain the final executable code that infests a system with
> malware, all it can do is exploit vulnerabilities that allow the said
> malware to be installed.
If you believe that, you've got a long way to go. There really is no other
way to say it, but to note that you are completely wrong in that assertion.
Media itself can quite comfortably contain the exploit and whatever code is
going to execute after the exploit has taken over control of your system.
>>> Also, more than likely, the P2P proggie you used had its own malware
>>> (like Navaccel or something like that).
>>
>> Don't make the mistake of assuming that I'm talking about my own
>> experiences with P2P - I've simply seen too many machines infected where
>> the source of infection is traced to an overactive P2P exchanger.
> Which is why if someone is going to use P2P, they should be advised (as
> I'm trying to do) on how to use it safely. I'm not condoning such action,
> but its kind of analogous to making sure your teenager has protection, you
> don't want them to have to use it until they've matured, but they do, than
> it'll be there for them.
Best protection against catching malware from P2P is a membership at
Blockbuster, or a Netflix subscription.
Get your movies, and your tunes, from reputable sources who have a little
skin in the game should you get infected through them.
>>> Finally, some P2P proggies (such as Bittorrent) can be used safely (like
>>> for downloading Linux distros), since even though you're downloading
>>> from other computers, the tracker is administered by the Linux
>>> Distribution and, to my knowledge, it's not possible yet to alter a file
>>> or set of files once the tracker has already been posted without posting
>>> a new torrent tracker.
>>
>> I'm glad you put me at ease there - after all, the main Linux distros
>> have never been altered maliciously by hackers.
>>
>> Oh, wait, they have, haven't they.
>> http://www.linuxinsider.com/story/32240.html
>
> What's this got to do with altering a bittorrent stream. The results
> would have been the same rather bittorrent was used to download the distro
> or if it was downloaded from the server. In fact, in this case, the
> bittorrent tracker probably would have been the safer bet, since it was
> the server (and not the torrent) that was hacked.
The point is that you can only trust checksummed streams as much as you can
trust the person who created the file and the checksum in the first place.
Since most "sharing" of illegally copied material is done by people who
would like to remain anonymous, you're relying on trusting someone whom you
can't identify, and whose reputation (and reason for maintaining that
reputation) is unverifiable.
>> Cleaning a virus or trojan infection is only going to be effective if you
>> can plug whatever hole they got in through - whether it's a hole in your
>> behaviour, or in your apps, or in your OS. Even flattening and restoring
>> just means that the attacker gets another chance to try the same thing at
>> you, but this time on a system that's less cluttered with the debris of
>> other previous attacks.
>
> Agrees with you here. So, with that, I hope that if the OP ultimately
> decides to continue P2P, that he/she does so safely.
That requires only loading files with hashes generated by trusted
authorities. ("Authority" here means anyone with the right to say what is,
or isn't, a valid copy of a file.)
Downloading stolen movies and songs is not going to be safe. Not ever.
Alun.
~~~~
|
| Similar Threads | Posted | | Unknown download activity in background - how to determine what it is? | July 28, 2007, 3:51 am |
| my network server has a virus and i can not conect to the network. | November 1, 2008, 6:19 pm |
| svchost.exe virus? | January 16, 2007, 5:19 pm |
| Strange svchost.exe | April 23, 2008, 8:54 am |
| Modified svchost.exe | November 9, 2008, 5:46 am |
| C:\WINDOWS\SYSTEM32\SVCHOST.EXE | August 7, 2006, 6:00 pm |
| Help! Fake svchost.exe on my computer | October 6, 2006, 7:27 am |
| What is C:\WINDOWS\system32\svchost.exe | December 8, 2006, 10:03 pm |
| SMTP Trojan uses SVCHOST on W2K Pro | November 4, 2008, 1:23 pm |
| Port log | April 22, 2008, 2:54 am |
|
XML site map