You have read the page that has my preaching about AV. Let me give a real example of what can happen.

On June 11th 2003 I received a work order about a client who was not able to send his email via a specific account. The PC he uses had 2 other email accounts as well. I will not bore you with the account specifics. The other 2 accounts were working just fine. I had the client attempt test emails from all 3 accounts. I received 2 of the 3. The account that was failing to reach my mailbox was an account that my employer hosts. That was my first piece of good luck. That meant I had control of the search for clues.

After performing a grep of the mail logs I found 2 items, 1.) my client was logging in, 2.) our spam filtering was stopping his email. We knew that the actual account was ok and what was stopping the email from getting to the outside world. The email account in question was being stopped cold. There are other email accounts on the same domain and they worked. Next question, why was that specific account being stopped?

We know that there are plenty of viruses that spread themselves around via their own SMTP engines or use the actual email client that is on your PC. NOTE: One of the newer security features in Outlook Express 6.0 (OE) is to alert you when something is trying to send email that did not originate from you.

In this case OE was not alerting the user. I called the client to see if I could use a tool that we have to connect to a PC remotely and see what we had going on. I received his permission and proceeded to connect to his PC. I found 2 things that raised flags, 1.) Norton AV was disabled and 2.) the virus defs were 6 days behind the newest defs. I ran a scan using his AV software after updating the defs. I found 2 viruses, actually TROJANS. I let Norton deal with the 2 trojans but I was not convinced that I had all the evilness. Ask me why in a minute.

The trojans were Backdoor.IRC.Zcrew and Hacktool.flooder. You will notice that the link for Hacktool is troj_katien.a. This is common; different AV vendors often use different names for the same item.

Back to why I did not believe I was finished. After reading up on the 2 trojans I found that they were what I feared, back door exploits. In other words, he had been hacked and, as we in the IT industry like to say, it had been OWNED.

Back to the disabled NAV. I asked the client why the NAV had been disabled. I was expecting to hear that the NAV was causing the system to run slower than the customer liked. I have heard and seen that one before. This time I was close but not for the reason I expected. The AV was disabled because it was claiming that email was almost constantly being sent, and the client said it was happening even though he did not create it. Remember what I said about OE and the security option? This did not raise an immediate red flag and the client disabled real time scanning. Lesson to be learned here for the average user: if you do not manually generate the email and your AV and/or OE says you are sending it, you have a problem. Norton AV will pop up a box to tell you that it is scanning outbound email. You can minimize that box and keep on trucking.

So, we know the system was compromised. When you run into this situation, run your regular software and an online scan. The reason for an online scan or installing another AV is to see if your normal AV has been taken over as well. In this case, my suspicions were confirmed. Trend found an additional 13 trojans. All of them back door exploits that use IRC (Internet Relay Chat).

The particular trojans used mIRC to do the dirty deeds. The software would contact an IRC list and announce that it was available. Think of it this way, the exploited PC was calling a specific location and saying "here I am". At this point, it was reasonable to believe that software to do 2 things was installed, 1.) be an active participant in a DDOS attack, 2.) be a point of origin for spam distribution. That is why the email account was blacklisted and why Norton was saying email was being sent.

More reading determined that the files that Trend had flagged were deletion candidates. I promptly did that and rebooted. A problem arose, mIRC and 2 update sessions were trying to start upon reboot. While I had most of the system cleaned, or thought I did, I clearly did not have everything beat yet. The trojans may not have been able to phone home anymore, but they were clearly only hampered. They could not complete their tasks. I still had to find where and what was being called up.

At this point, things are not for the novice and the faint of heart. I had to go to the core of Windows, the registry.

This is old hat for people familiar with Win95 and up. Programs for Windows variants can be started from multiple places, and the sequence in which things start is important. Autoexec.bat is only one place. The others are the Startup group, these registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

and, on NT4, Win2K and WinXP, the Services applet in the Control Panel.

Those are not the only places but the most likely. If you are not familiar with registry editing, DON'T DO IT. You can take Windows to its knees and fast. It is always a good idea to back up the registry before you start whacking at it. Deleting keys will get you a confirmation prompt, but that is it. There is no recycle bin for registry keys. For changes to take effect, you have to reboot most of the time.
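To show the same walk through the autostart locations listed above, here is an added example of my own (not code from the original post or from any vendor tool). It assumes a modern Windows with PowerShell 5 or later and that reg.exe is on the path; it exports a .reg backup of each key before listing it, which is the registry backup the paragraph above asks for.

```powershell
# Added example, not from the original post: list the autostart locations the
# post names, after exporting a backup of each Run key so a mistaken deletion
# can be reverted. Assumes a modern Windows with PowerShell 5+; the RunServices
# keys only exist on Win9x/ME and are reported as absent on NT-based systems.

$backupDir = Join-Path $env:TEMP ('autorun-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { Write-Host "(absent) $key"; continue }
    # reg.exe wants the HKLM\... form rather than the PowerShell drive form
    $regPath = $key -replace '^HK(LM|CU):\\', 'HK$1\'
    $file = Join-Path $backupDir (($key -replace '[:\\]', '_') + '.reg')
    reg.exe export $regPath $file /y | Out-Null
    Write-Host "`n== $key  (backup: $file)"
    # Every value under the key is a program that runs at boot or logon
    Get-ItemProperty -Path $key |
        Select-Object -Property * -ExcludeProperty PS* |
        ForEach-Object { $_.PSObject.Properties } |
        ForEach-Object { '  {0,-28} {1}' -f $_.Name, $_.Value }
}

# The Startup group: per-user and all-users Startup folders
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    Write-Host "`n== $folder"
    Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}

# Services that start automatically (Control Panel > Services on NT4/2K/XP)
Write-Host "`n== Automatic services"
Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
    Sort-Object Name | Format-Table Name, PathName -AutoSize
```

Read the output the way the post does: any value or service whose PathName points at a batch file, an odd directory, or an IRC client is a candidate for research before it is a candidate for deletion.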

After much time reading and going over registry keys and whacking things I was confident in, I rebooted. I still was not rid of mIRC or the 2 update windows. Back one step and it was the end of day. I called the client and discussed the situation with him. I advised him of his status and requested that he uninstall and reinstall NAV, run LiveUpdate and run another scan on a patched system. I also discussed with him something else I found, KaZaa.

I am not going into my views of music file sharing. KaZaa is now known to be a security risk along with most instant messenger programs. They are all known vectors for viruses. An example of a known IM virus is troj_coced. Examples of known KaZaa viruses are . I suspect the original compromise happened via KaZaa but I do not have the proof and at this point, I am not paid to find out.

I discussed the KaZaa program with the client. He told me he had tried to uninstall it and told me to remove it if I could. I gave the uninstall script a shot and it failed. That was no surprise. I did the searches and registry whacking that I so love to do, yeah right. I did get rid of KaZaa.

Ok, end of the day.

  • I received a call from my client and he told me how the reinstall of Norton went and what was found. Two more trojans. I did my research on the 2 new items and I let it clean them up. I still was not completely sure that I had gotten rid of the infections. I read up on the technical details of the 2 additional infections and did a search for the list of files from the other 15 found trojans. Most of those files were gone. I deleted those items and once again got to the registry. More detailed digging in the keys I mentioned yielded more items to dig at and remove. I located the batch files that the registry keys were pointing to, opened them in Notepad and read what they did. I located the directories the offending files were in, found even more batch files, read those and so forth and so on. I deleted the registry keys, created zipped files and sent myself the zipped directories for further reading. Glad I did.

    One of the directories I found was called god. It was in all lower case letters. I deleted it because it was one of the most offending directories. The other was an images directory nested in the system directory. The images directory should hold just that, images, not exe, bat, dll or any other files. I renamed it and recreated an empty one. I zipped the renamed directory, emailed it to myself and then deleted it.

    At this point, I had gotten rid of the mIRC and update programs starting up and I felt great. I am still proud of this work.

    I have not given the names of the files but you can get them by referring to the links I posted and other research.

    I still do not believe that I got all the junk that was installed out, but I am confident that I stopped the trojans and their tasks. I also shut off some services that are known issues.

    I have stated that I suspect KaZaa, and I still do, but upon further discussions I found out a critical fact. When the client obtained his DSL circuit, the local phone company installed it for him. There are multiple machines on this network. The network connection started at the DSL modem, went to a hub or switch (the client is not sure which) and then to the PCs. I ran ipconfig on the infected machine and found a public IP address, not a private one. This means the PC and the others are fully exposed to the net.

    This is a big deal. Routinely, hackers scan a range of IP addresses looking for exposed ports. Various software opens various ports, but by default Windows is a barn door with known exploits. I have recommended he get a router ASAP. He asked me for a quote and our sales department is on it.

    Now for the dollar amount of damage. My client was fortunate I could do this remotely. Our onsite rate is over $120. Our remote rate is around $90 and our bench rate around $80. I have roughly 5 hours on this problem. We hit around $450 in labor for just the cleanup on one machine. If the others are had, I know more now and can do it a lot quicker.

  • Lessons learned

    1.) Always run a form of a firewall, be it software or hardware.

    2.) Make sure your AV is running and CURRENT.

    3.) If you suspect your system has an issue even though you have AV, go to an online site and run a scan.

    4.) File sharing and IM are cool but also have risks. I run GAIM but restrict my contacts to those I authorize only.

    5.) Disable unused or unneeded services on Windows.

    6.) Cleaning up this kind of mess is not quick or cheap at times. The sooner you catch the compromise, the better your chances of an easier cleanup.

    7.) AV software can be defeated depending on the infection. Sometimes a machine will give you symptoms. Sometimes not.

    8.) Do not hook any workstation to the network directly unless you have a firewall. There are plenty of vendors that offer those solutions.

    9.) I drank a lot of Dr Pepper and found this interesting but frustrating. I am proud to say I took care of my customer and helped stop a source of noise on the internet.

  • Have fun, play safe and I hope you learned something.

    73, Guy Story KC5GOI