Privileges revoked!

obsolete (Member, joined Dec 30, 2003, MN)

Went home at lunch today & decided to run my g/f's antivirus she has installed on her PC (I installed it, AVG Free Grisoft). She never does anything to take care of the PC I built her so it's on me. **sigh**

Anyways, found one virus labeled agent downloader somethin another........GREAT, looked a little more into this & turns out it's some sort of Trojan Horse.....YAY. I have a router with a built in NAT, so I'm not all too concerned about anybody getting in or whatever. However, I am worried about the virus possibly tracking keystrokes & possibly sending information out to someone.........I haven't had time to look into this virus, (will tonight).

Any major concerns anyone can think of right off the bat? Wondering if she should change her bank account ## or password, depending. Just a lot going on today/tonight & if it's nothing really to worry about, then I'll let it sit for another day. I did get rid of the virus, it was running in processes under task manager as an acp.exe or api.exe, can't remember. Grisoft was unable to get rid of it because it was currently running.

Her privileges have been revoked from the internet until she can properly run security with a PC. I yanked the cat5 cable out of the router until further notice.
 
I would get her to change any online banking passwords - it can't hurt. Perhaps see if you can set some sort of reminder for her to run virus scans etc?
 
Guess it would help if I could spell "privileges."

She isn't allowed to use the internet period on any of the computers until she can prove that she can do simple things like run anti-virus. I've procrastinated & let this slide for a while, but.......after today, that just makes me mad.......

I honestly don't know if she has looked online at her bank account lately & I know it just happened so it may not be a huge concern. I'll get her to change everything anyways.

My main thing was I have not been up to date with the viruses out there so I'm not sure what certain viruses may be doing.......The older (back in the day) Trojan Horses just basically allowed some nimrod to run an application that remotely connects to a computer. From there (depending on the Trojan), you may browse My Computer, take screen shots of the person's desktop, make the cd-rom eject, etc.......Are they pretty much the same now?
 
Pretty much anymore, the Trojans are mainly RATs, so it does basically the same thing, but with the newer computers this can get a bit more bothersome, with the fact that now you can lag the crap out of the person who has the infected PC. It's nothing too big to worry about identity theft or anything of that nature unless she keeps her bank account records and such on her computer via Excel or Access, otherwise, it will just be a pain in the arse and she will notice a prevalent amount of spikes.
 
On my girlfriend's computer I set it up to auto run AVG every night at 11pm, and auto update every morning at 2 am....why don't you do the same?
 
I got rid of the virus, so it didn't do anything really. Spoke with my g/f & she said she never does her banking online or whatever so..........I just assumed she did.

And yes, I have the AVG configured to run on its own, but as you pointed out winterhavok, the pc is not running 24/7. I mean it is, but if it's not in use it's in stand by mode which means AVG won't run.

winterhavok said:
Pretty much anymore, the Trojans are mainly RATs, so it does basically the same thing, but with the newer computers this can get a bit more bothersome, with the fact that now you can lag the crap out of the person who has the infected PC. It's nothing too big to worry about identity theft or anything of that nature unless she keeps her bank account records and such on her computer via Excel or Access, otherwise, it will just be a pain in the arse and will notice a prevalent amount of spikes.

Thanks for the input. Nothing is saved on excel, access, or anything alike. I know that someone running a remote access program that accesses viruses needs to scan a certain range of IP's.......So the chances of someone scanning & finding it within a day or two is slim to none. I just didn't know if the backdoor trojans (nowadays) are set to send out information, as opposed to someone having to track the computer down. Even if someone did get a hit, my firewall/nat router would have blocked it. And there were no logs of any such activity in my router's admin area.

I come across viruses myself here & there. But my anti-virus stops anything dead in its tracks. It's been a long time since I've seen a trojan actually running in full tilt on a PC.
 
The only way that the malicious intruder would be able to get in without scanning for exploits, is to be the one who intentionally placed it there, like if someone were to do it at the computer or through a download initiated by them. Otherwise, if the person got it from downloading software off of a less than credible source or just went to a specific site, there would be no way to tell where the trojan was placed. What you might want to do is set up the virus scan to boot up with Windows and at bootup have it update and scan by itself. If you just keep it on standby, you might look into setting a macro to do it when it detects motion after standby.
 
It sounds like you guys are lagging behind in the area of Trojans. (Don't take it personally, technology changes):

The first thing you should do after any virus/worm/trojan attack is to quarantine it. (Good job there).

Next is to figure out exactly what it does. To do this, take the name of it, and go to places like Symantec Security Response, and search for it:
http://securityresponse.symantec.com/avcenter/vinfodb.html

Read through the information on it, and it should tell you how you got infected, exactly what the trojan does, and how to remove it. Generally, "bad stuff" falls into 3 categories:
* Viruses - These are made to destroy data, format hard drives, etc. These are getting more rare
* Worms - These simply replicate. Their whole purpose in life is to infect others. Some do other things, like DDOS a site on a certain date. These are becoming very common.
* Trojans - These allow attackers to control an infected PC, and do anything with it.

Here are some common abilities of a trojan:
How they infect you:
* Can happen via a bug in software you run
* Email Attachment
* Bad file download
* A worm may infect you and as one of its payloads, download and run the trojan
* A legitimate file download may include the trojan
* Etc.

What they can do to your computer:
* In the old days, an attacker had to scan to find the infected host, which held a certain port open, and usually required a password.
* Nowadays, attackers understand that most people have a router or firewall, but this is not the end-all of viruses, worms and trojans. The virus simply makes an outgoing connection to somewhere, like an IRC server or some 3rd party server, where the attacker can log in and take control. A router generally assumes all traffic initiated from the local LAN is legitimate, and allows anything through, which allows your computer to connect out to the attacker, or to their servers (which are generally other compromised machines)
* The trojan may be fully automated, requiring no attacker input. It may grab system information... cd-keys, passwords, email addresses, credit card numbers and other information, and send it, or email it to the attacker.
* If the attacker connects to your system (or, via a 3rd party server that the trojan connects out to), the attacker can do anything. This includes, but is not limited to:
  * Look at, download, or delete any files on your hard drive
  * Log keystrokes
  * Watch what you do on your computer live, or take over control, whether you are there or not
  * Read your email or send email posing as you
  * Listen in on your IM conversations (or interact)
  * Format your computer
  * Attack other machines on your local network (bad in a corporate environment, because this gives you leverage being on an internal, trusted computer as an internal, trusted user)
  * Turn on your microphone or webcam and watch/listen to anyone near the computer
  * Etc.

Trojans are not to be taken lightly. There should be no conjecture on what a trojan did. You can find out exactly what it did, and change passwords where necessary, or as a precaution. Find out how it got in and what it did and learn from it.
 
But then, wouldn't it normally go under a high port number, like Sub7 did, if you have most of your higher ports blocked, how in the world would it get by a firewall? While it's true that a lot of trojan payloads could come from the affected computer, like a virus, it would have been seen if it would have already. I am not saying that one shouldn't be worried about it, but they shouldn't live in paranoia over something that may or may not occur, last time that happened, we had Y2k...
 
winterhavok said:
But then, wouldn't it normally go under a high port number, like Sub7 did, if you have most of your higher ports blocked, how in the world would it get by a firewall? While it's true that a lot of trojan payloads could come from the affected computer, like a virus, it would have been seen if it would have already. I am not saying that one shouldn't be worried about it, but they shouldn't live in paranoia over something that may or may not occur, last time that happened, we had Y2k...
If you block all high-numbered ports, then your network would stop working. When making almost any outbound connection, your computer picks the next sequential port between 1024-65535, opens it, uses it, then closes it when the conversation is done. The trojan would look just like any other outbound connection. The only way to stop it is to have a smart user and a software firewall (that can do per-application allow/deny).

Sub7, IIRC, was an inactive trojan that waited for the attacker to connect to you. Most common trojans are either automatically set to do a list of things (like capturing certain data and sending it out) and/or connect out to a 3rd party server and wait for an attacker to personally attack the computer via the outbound connection.

I used a trojan infection as a worm's payload.. you say you would have discovered the worm? If you take a look at MS Blaster, that was a virus delivered by a worm. The worm would go and attack other computers, exploiting a vulnerability. The vulnerability would allow the worm to run privileged code (the code would download and run blaster). The worm would never really exist on the target machine, it would send only a few lines of compiled code which would be inserted into memory and run. The virus scanners out there would not catch the worm, but they would catch the virus as soon as it's downloaded (hopefully before it's executed).

I'm not saying "be paranoid", I'm actually saying the opposite.. There are lots of resources out there. Find out exactly what it is, what it does, how it got in, what it is capable of, and act accordingly. The capabilities I listed are real, and it's not meant to scare you into paranoia, but you guys seem to be taking this rather lightly, thinking that an attacker could not have connected to it between the time when it was infected and when it was taken off the network, because you have a hardware firewall. A hardware firewall will not save you from a Trojan. Worms? Yeah, as long as they don't get inside through another route like a bad download or a Trojaned machine.
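To put the two points from the posts above into something you can run (the connect-back trojan that "looks just like any other outbound connection", and why a per-application firewall is the only thing that can tell it apart), here is an added example that is not code from anyone in this thread. It parses a constructed netstat-style snapshot; the addresses, PIDs, the allowlist and the watched-port table are all made up for the demo, and acp.exe is borrowed from the process name mentioned earlier in the thread.

```python
"""Spot connect-back traffic in a netstat-style snapshot.

Added example, not code from the thread. It models the two points made above:
a trojan's outbound session uses an ordinary ephemeral local port, so a rule
that "blocks high ports" cannot single it out, whereas a per-application
firewall decides on the process that opened the socket.
"""
from dataclasses import dataclass

# Constructed sample, modelled on `netstat -ano` output with a process-name
# column appended. Addresses, PIDs and the allowlist are made up for the demo;
# acp.exe is the process name mentioned earlier in the thread.
SAMPLE_NETSTAT = """\
TCP  192.168.1.10:1041  209.85.1.5:80       ESTABLISHED  1532  firefox.exe
TCP  192.168.1.10:1042  209.85.1.5:443      ESTABLISHED  1532  firefox.exe
TCP  192.168.1.10:1043  10.9.8.7:6667       ESTABLISHED  2210  acp.exe
TCP  0.0.0.0:445        0.0.0.0:0           LISTENING    4     System
TCP  192.168.1.10:1044  198.51.100.20:25    ESTABLISHED  2210  acp.exe
UDP  192.168.1.10:1045  *:*                 -            3001  avgupd.exe
"""

# Hypothetical per-application allowlist, the kind of rule set a software
# firewall with allow/deny prompts builds up over time.
ALLOWED_PROCESSES = {"firefox.exe", "outlook.exe", "avgupd.exe", "System"}

# Remote ports worth a second look on a home PC: IRC (a classic rendezvous
# point for connect-back trojans) and direct SMTP (data being mailed out).
WATCHED_REMOTE_PORTS = {6667: "irc", 25: "smtp"}

EPHEMERAL_PORTS = range(1024, 65536)


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    process: str


def _endpoint(text):
    """Split 'ip:port' into (ip, port); a wildcard port becomes 0."""
    ip, port = text.rsplit(":", 1)
    return ip, int(port) if port.isdigit() else 0


def parse_netstat(text):
    """Parse the six-column snapshot into Conn records, skipping odd lines."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        proto, local, remote, state, pid, process = fields
        lip, lport = _endpoint(local)
        rip, rport = _endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid), process))
    return conns


def is_outbound(conn):
    """An established TCP session on an ephemeral local port was opened by this host."""
    return (conn.proto == "TCP" and conn.state == "ESTABLISHED"
            and conn.local_port in EPHEMERAL_PORTS)


def find_suspicious(conns, allowed=ALLOWED_PROCESSES):
    """Return (process, pid, remote, reason) for outbound sessions that fail
    the per-application check or talk to a watched remote port."""
    findings = []
    for c in conns:
        if not is_outbound(c):
            continue
        reasons = []
        if c.process not in allowed:
            reasons.append("process not on allowlist")
        if c.remote_port in WATCHED_REMOTE_PORTS:
            reasons.append(f"remote port {c.remote_port} ({WATCHED_REMOTE_PORTS[c.remote_port]})")
        if reasons:
            findings.append((c.process, c.pid, f"{c.remote_ip}:{c.remote_port}", "; ".join(reasons)))
    return findings


def legitimate_high_port_users(conns, allowed=ALLOWED_PROCESSES):
    """Allowed programs whose sessions also sit on 'high' local ports:
    blocking that range would cut these off along with the trojan."""
    return sorted({c.process for c in conns if is_outbound(c) and c.process in allowed})


if __name__ == "__main__":
    snapshot = parse_netstat(SAMPLE_NETSTAT)
    for process, pid, remote, reason in find_suspicious(snapshot):
        print(f"{process} (pid {pid}) -> {remote}: {reason}")
    print("also on ephemeral ports:", ", ".join(legitimate_high_port_users(snapshot)))
```

Run as-is and the browser's sessions on local ports 1041 and 1042 pass while acp.exe is reported twice, once for the IRC-port session and once for the direct SMTP one; the last line shows that the browser sits on exactly the same "high" port range, which is the reason a port-based rule cannot do this job and a process-based one can.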
 
There is zone alarm installed on this PC as well so I know it's gone & no harm was done. Thanks for the information.
 