Fully updated system with up-to-date AV now hacked!



Spent the last 4 hours or so, at a friend's place.  I'd previously
done everything I could to lock down the system, but he managed
to get some sort of malware installed.

Neither avast or superantispyware find any problems.  It's an old,
slow computer, so the scans took hours.

The admin account is no longer accessible from the login screen,
even in safe mode.  Only the limited user account is accessible.
GMER will not run, apparently due to lack of permissions.

The firewall service is not running, and can't be started due
to lack of permission.
The security center service is not running.

This old computer has an lcd tv used as the monitor.  The tv does
not display text mode, so the bios setup screen cannot be seen.

The bios is set to boot from the hard drive first, so booting from
a cd is out.

I'll be going back over to his place on Tuesday.  I expect the next
step will be to pull the hard drive out of his computer, and put it
in mine, as a slave, so I can scan it without whatever rootkits are
running.

Luckily he doesn't use it for online banking, or shopping!

I HATE Microsoft.  I expect this friend will become another linux
convert very soon!

Regards, Dave Hodgins


--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Fully updated system with up-to-date AV now hacked!





In my experience (not a professional) if you use an s-video connection,
the onboard video support requires the OS for the driver. If you use the
RS-232 (VGA) video cable instead of the s-video cable you can see the
messages during boot.



Re: Fully updated system with up-to-date AV now hacked!






| In my experience (not a professional) if you use an s-video connection,
| the onboard video support requires the OS for the driver. If you use the
| RS-232 (VGA) video cable instead of the s-video cable you can see the
| messages during boot.


The RS-232 uses 9 or 25 pin D-Subminiature interface

VGA is a 15 pin D-Subminiature and should not be called RS-232 nor confused with
this old serial connector.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Fully updated system with up-to-date AV now hacked!





Sorry, I knew it wasn't quite right but was too lazy to look up the correct
nomenclature. My hope was to help David W. Hodgins. I Googled "rs-232"
(the only nomenclature I could remember) and "video" and got "confirmed
by google" <cough> enough to make the errant post.

Thanks for correcting me.



Re: Fully updated system with up-to-date AV now hacked!





It might have been a trojan bomb. There is no way for me to tell, but
IIRC the Safe Mode admin account is supposed to be enabled when there is
no other admin account (i.e., when the last existing one is demoted or
otherwise removed). A miscreant with sufficient privileges can however
assign admin rights to the asp.net user account (satisfying the
requirement for not needing to enable the Safe Mode admin account) and
remove/demote all others, resulting in the user being unable to elevate.



Re: Fully updated system with up-to-date AV now hacked!



wrote:


Using the control panel/users currently only shows the one
limited account.  I was surprised that safe mode also only
had that one account available.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Fully updated system with up-to-date AV now hacked!



dwhodgins@nomail.afraid.org says...

And yet, in my 30+ years of using computers, thousands of them with MS
Operating systems, I've had exactly one malware on all of those machines
that I've used.

If the system is that old, that it takes hours to do a scan, which is
normal for many computers, wipe it and reinstall clean, the system will
most likely run faster and it will be easier for you to do the updates
and make sure that everything is applied.

I have never seen a machine where the user was always using a Limited
account that was compromised, but I've seen a lot of machines where the
user had a limited account and wasn't using that one, where they were
using the Admin account after being warned not to, and they were
compromised while using the admin account.


--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.  
Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)

Re: Fully updated system with up-to-date AV now hacked!






| I have never seen a machine where the user was always using a Limited
| account that was compromised, but I've seen a lot of machine where the
| user had a limited account and wasn't using that one, where they were
| using the Admin account after being warned not to, and they were
| compromised while using the admin account.


I have.  They were infected through malware that took advantage of Buffer
Overflow conditions and the subsequent elevation of privileges.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Fully updated system with up-to-date AV now hacked!





Agreed.  Means I'll have to hook up a real monitor, so I can see
the post/bios setup messages, in order to be able to change the
boot order, so I can boot from an install cd.


I'm pretty sure that's what happened here.  I'd like to figure out
exactly what he did, and what malware was involved, but I think
that may just be a waste of time, at this point.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Fully updated system with up-to-date AV now hacked!



On 3/29/2010 5:39 AM, David W. Hodgins wrote:

I've never had a virus and I've used MS for years. I'm not going to get
into a back and forth MS vs Linux and I wouldn't waste much time
defending MS, but I've used both and if your user can't handle MS he
won't get very far with Linux unless all he wants to do is email and
surf the net. It is not a system ready for the non technical user, and
if your friend requires you to set things up for him, I have to assume he
fits that description.

Re: Fully updated system with up-to-date AV now hacked!





He's one of those users who thinks he knows a lot more than he
does.  At least with linux, I can lock down the privileges to
control what he can do.  For example, I can set it up so that
he can install updates from the distributions repositories, but
can't install new programs, or stuff from third parties, without
my involvement.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Fully updated system with up-to-date AV now hacked!





During the bootup, windows switches to vga mode quite early, which does
allow safe mode to be selected/used.  Haven't tried the recovery console yet,
due to the booting issues.  I currently only have one monitor, a 20 inch
Mitsubishi diamond scan (purchased in 92), that weighs more than I do.


That's an interesting idea, although reconnecting the drive after the boot
starts probably won't work, and no access to the hard drive, when booted from
an install cd doesn't accomplish much.


He's using an online backup service for all of his data, but I'll stick in
another hard drive, and backup all of the data, just in case there are some
he hasn't backed up.


Once I get the system able to boot from a cd/dvd, I'll stick with a linux
live cd, such as knoppix, and use rsync to backup the data.  I may make
an image copy of the drive (using dd), for later analysis.

Thanks for the suggestions.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
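The offline handling Dave describes (pulling the drive to scan it outside the suspect OS, and later imaging it with dd and copying data with rsync from a live CD) can be scripted so the image is hashed before any analysis touches it. This is an added example written for this page, not code from the thread; the device and mount paths in the comments are placeholders, and the self-test substitutes a constructed file for the disk.

```sh
#!/bin/sh
# Added example: image a suspect disk from a live CD, record its SHA-256 so
# later analysis can show the image was not altered, and pull user data out
# of a read-only mount with rsync. Device names below are placeholders.

# image_disk SRC OUT: sector-sized dd, so a bad sector becomes one zero-filled
# 512-byte block instead of aborting the copy; dd's record counts go to a log.
image_disk() {
    src="$1"; out="$2"
    dd if="$src" of="$out" bs=512 conv=noerror,sync 2>"$out.dd.log" || return 1
    sha256sum "$out" | cut -d' ' -f1 > "$out.sha256"
    cat "$out.sha256"          # returns the recorded hash on stdout
}

# verify_image OUT: recompute the hash and compare with the recorded one.
# Exit status 0 means the image still matches what was captured.
verify_image() {
    out="$1"
    recorded=$(cat "$out.sha256")
    current=$(sha256sum "$out" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# copy_user_data MOUNTPOINT DEST: rsync from a mount made with -o ro so the
# infected volume is never written to; -a keeps timestamps for a later timeline.
copy_user_data() {
    rsync -a --exclude='pagefile.sys' \
             --exclude='System Volume Information' "$1/" "$2/"
}

# Typical use from a live CD (placeholder paths, not executed here):
#   mount -o ro /dev/sdX1 /mnt/suspect
#   image_disk /dev/sdX /media/external/suspect.img
#   copy_user_data "/mnt/suspect/Documents and Settings" /media/external/userdata
```

Image the whole device (not just a partition) if the boot sector is of interest, and keep the .sha256 file with the image.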
