Wilders Security Forums
Other Security Topics > malware problems & news
#1 | September 9th, 2011, 06:43 AM | nikanthpromod (Very Frequent Poster; Join Date: Oct 2009; Location: India; Posts: 1,368)
Question: Continuous attack

I'm under continuous attack...
Is this normal??
-http://www.4shared.com/file/pov8eLRf/my_test.html-
__________________
Windows 7 Home premium x64
WEBROOT Secure Anywhere Complete

#2 | September 9th, 2011, 09:42 AM | stackz (Frequent Poster; Join Date: Dec 2007; Posts: 537)
Re: Continuous attack

Looks like you're infected with some sort of Backdoor IRCBot/Autorun worm
#3 | September 9th, 2011, 12:38 PM | nikanthpromod (Very Frequent Poster; Join Date: Oct 2009; Location: India; Posts: 1,368)
Re: Continuous attack

No, I'm not infected... but when I turn off my firewall, malware is downloaded..

Just try it yourself by turning off your firewall...
Only do it if you have enough protection..
#4 | September 11th, 2011, 03:45 PM | Spysnake (Regular Poster; Join Date: Apr 2009; Posts: 185)
Re: Continuous attack

You do understand that without proper protection, you can get infected? No user should run without firewall when connected to the internet.

And you are not infected, but malware is downloaded? Can you specify how this is possible?
#5 | September 12th, 2011, 04:40 AM | nikanthpromod (Very Frequent Poster; Join Date: Oct 2009; Location: India; Posts: 1,368)
Re: Continuous attack

Quote:
Originally Posted by Spysnake
And you are not infected, but malware is downloaded? Can you specify how this is possible?

Hi, I tried to find out how this is happening...
I installed Sandboxie first in a clean OS, sandboxed FF, then turned off my Windows firewall and surfed the internet...
I got infected with a virus...

Then I restored with Rollback Rx... I repeated my procedure with AppGuard, BufferZone Pro, GeSWall... All failed...
The result was 2 malware files in my system32 folder, lpdd.exe and smsc.exe..

Finally I installed DefenseWall and repeated my procedure...
Malware was not able to bypass DefenseWall...
I checked the DefenseWall list and Task Manager and found: when I turn off my firewall, net.exe in system32 is activated, then cmd.exe is activated, then two malware files are downloaded.... Only DefenseWall was able to prevent this drive-by malware...
#6 | September 12th, 2011, 05:40 AM | tipo (Frequent Poster; Join Date: Dec 2008; Location: romania; Posts: 403)
Re: Continuous attack

Download and do a scan with Dr.Web CureIt!
Download link:
http://www.softpedia.com/dyn-postdow...=50008&t=0&i=1
__________________
switching from one AV to another very often
Rollback RX
On demand: HitMan Pro
#7 | September 12th, 2011, 08:48 AM | nikanthpromod (Very Frequent Poster; Join Date: Oct 2009; Location: India; Posts: 1,368)
Re: Continuous attack

Quote:
Originally Posted by tipo
download and do a scan with drweb cureit!
download link:
http://www.softpedia.com/dyn-postdow...=50008&t=0&i=1

Hi, I think you didn't read my above post.
#8 | September 12th, 2011, 11:58 AM | nikanthpromod (Very Frequent Poster; Join Date: Oct 2009; Location: India; Posts: 1,368)
Re: Continuous attack

I scanned with Webroot SA, MBAM, Dr.Web CureIt.. all came clean..
Attached Images
 
#9 | September 12th, 2011, 12:03 PM | m00nbl00d (Incredibly Massive Poster; Join Date: Jan 2009; Posts: 6,454)
Re: Continuous attack

What were your Firefox sandbox settings? Just to clarify a doubt... You used Firefox to see if you were going to get infected? Or, did the infection have another entrance? That's what I'm not understanding. If the infection had another entrance, then sandboxing Firefox would result in nothing.

DefenseWall probably protected you because whatever was used to download malicious files to your system was run as untrusted by DefenseWall?
#10 | September 12th, 2011, 12:07 PM | nikanthpromod (Very Frequent Poster; Join Date: Oct 2009; Location: India; Posts: 1,368)
Re: Continuous attack

I used sandboxed FF to check how I'm getting infected... also tried GeSWall, BufferZone and AppGuard.. all were bypassed
because the infection had another entrance...
I found this when I used DefenseWall because DW marks some system exes as untrusted... hence malware couldn't bypass DW...
#11 | September 12th, 2011, 12:13 PM | m00nbl00d (Incredibly Massive Poster; Join Date: Jan 2009; Posts: 6,454)
Re: Continuous attack

I don't know about the others, but it makes sense that Sandboxie didn't protect you. It doesn't automatically sandbox processes.

Did you try sandboxing (with Sandboxie) the processes that DefenseWall ran as untrusted, just for the sake of it?
#12 | September 12th, 2011, 04:24 PM | Spysnake (Regular Poster; Join Date: Apr 2009; Posts: 185)
Re: Continuous attack

I think there is a problem with the method you're using. You turn off your firewall, sandbox your browser and go surfing. Then you get infected. There seems to be no explanation where the infection came from - and I think it doesn't have anything to do with the sandboxed program. You can try verifying the problem by doing all like you did before, but without the surfing. Maybe the infection happens either way.

Only reason I can think of why Defensewall worked but nothing else did - DW has a built-in firewall.

A little possibility would also be that you have a rootkit which doesn't go away with Rollback. I don't remember if Rollback used boot menu for recovery, but there is a small possibility of infection slipping by when the method doesn't include a cold image from external source.
#13 | September 12th, 2011, 05:06 PM | John Bull (Banned; Join Date: Nov 2009; Location: London UK; Posts: 904)
Re: Continuous attack

As a SBxie user plus what you see in my signature, I haven't been infected since I got Chicken Pox as a toddler.

So whilst not being involved and certainly not being able to help, I am very interested in what is going on here and even more so to hear the accurate diagnosis and solution. Unfortunately it all sounds like tangled spaghetti so far.

I would love to see a few posts from our highly respected SBxie and FF experts on this matter, they almost always crack it fast.

John
#14 | September 12th, 2011, 09:34 PM | RJK3 (Frequent Poster; Join Date: Apr 2011; Posts: 469)
Re: Continuous attack

Perhaps you should review the attack vectors for Sdbot worm variants.

Do you use a proper modem router, or are you using a USB modem or even on dialup? Are you using an unpatched version of Windows XP? This will have nothing to do with web browsing so Sandboxie is a non-issue.

Saying "I'm not infected, but my computer is trying to download malware" sounds ridiculous, so most people won't want to touch a thread like this.
#15 | September 12th, 2011, 10:03 PM | RJK3 (Frequent Poster; Join Date: Apr 2011; Posts: 469)
Re: Continuous attack

No mystery here, after a quick review of the OP's other posts. Looks like I was right on both points:

He's running Windows XP SP2:
http://www.wilderssecurity.com/showp...ostcount=18649

and accessing the net using a USB modem:
http://www.wilderssecurity.com/showthread.php?t=290175

Basically disabling the software firewall with this setup is a silly idea.
#16 | September 13th, 2011, 12:59 PM | nikanthpromod (Very Frequent Poster; Join Date: Oct 2009; Location: India; Posts: 1,368)
Re: Continuous attack

Hmmm...

Try disabling your firewall and check whether you have this problem...
#17 | September 13th, 2011, 01:25 PM | John Bull (Banned; Join Date: Nov 2009; Location: London UK; Posts: 904)
Re: Continuous attack

Quote:
Originally Posted by RJK3
No mystery here, after a quick review of the OP's other posts. Looks like I was right on both points:

He's running Windows XP SP2:
http://www.wilderssecurity.com/showp...ostcount=18649

and accessing the net using a USB modem:
http://www.wilderssecurity.com/showthread.php?t=290175

Basically disabling the software firewall with this setup is a silly idea.
I like your general comments, but most reputable firewalls automatically disable Windows firewall. I know mine does.
? Not sure at all what you are saying. SP2 is no more sensitive to the Windows firewall being disabled by a much better firewall than SP3, which I use.

If you use a proprietary firewall, you have no option but to disable Windows Firewall - everybody jumps on you if you even suggest you are using TWO firewalls.

John
#18 | September 13th, 2011, 01:32 PM | RJK3 (Frequent Poster; Join Date: Apr 2011; Posts: 469)
Re: Continuous attack

Quote:
Originally Posted by nikanthpromod
hmmm...

try disabling ur firewall and check whether u have this problem...

I can't see any advantage to disabling my security as you suggest.

You're most likely infected by Sdbot - a network worm, not a 'drive by' download from a webpage. The worm scans open ports looking for vulnerabilities to exploit. Possibly other computers on your LAN are infected also.

You've become infected due to the absence of security basics - using a hardware firewall, a software firewall, and maintaining an up-to-date operating system with the latest security patches. I wouldn't be surprised if you were also using a pirated version of Windows.

I notice from your other posts that you actively seek out malware from 'crack' sites in order to do testing. I would suggest you learn the simple stuff first, as you are in way over your head if you still can't understand what has happened here.
#19 | September 13th, 2011, 01:40 PM | RJK3 (Frequent Poster; Join Date: Apr 2011; Posts: 469)
Re: Continuous attack

Quote:
Originally Posted by John Bull
Not sure at all what you are saying. SP2 is no more sensitive to the Windows firewall being disabled by a much better firewall than SP3, which I use.

I never mentioned Windows firewall specifically. When I say 'software firewall' I just mean any firewall running as an application on the system in question - as opposed to a 'hardware firewall', such as the basic one found in most modem routers. A hardware firewall would make his ports 'stealthed' and so prevent port scanning from internet worms.

SP2 is mentioned because it is full of known security vulnerabilities that were patched years ago in SP3. This makes him vulnerable to all kinds of exploits if a worm is able to scan for them.

Without a hardware firewall or an antivirus, on an unpatched version of Windows XP - the software firewall is literally the only line of defence against internet worms. Disabling that software firewall means that the first network worm that scans for open ports and finds an exploitable vulnerability will infect his system without any resistance.

Last edited by RJK3 : September 13th, 2011 at 02:29 PM.
#20 | September 13th, 2011, 01:45 PM | nikanthpromod (Very Frequent Poster; Join Date: Oct 2009; Location: India; Posts: 1,368)
Re: Continuous attack

Quote:
You're most likely infected by Sdbot - a network worm, not a 'drive by' download from a webpage. The worm scans open ports looking for vulnerabilities to exploit. Possibly other computers on your LAN are infected also.

Must be due to that...
#21 | September 13th, 2011, 02:14 PM | RJK3 (Frequent Poster; Join Date: Apr 2011; Posts: 469)
Re: Continuous attack

Quote:
Originally Posted by nikanthpromod
must be due to that...

You may find it useful to install Avast, even if just for the Network Shield. This does a good job supplementing the software firewall for systems that don't have a hardware firewall (e.g. people using USB modems, 3G dongles, dialup).

Modem router logs are constantly filled with instances of port scanning. With LNS firewall you've literally got just one line of defence against internet worms. Your setup is great for stopping browser based attacks, but you've overlooked where you are most vulnerable (and don't appear to have an antivirus.)

Even if I disabled both my software and hardware firewall, I'd still be far less vulnerable than you given I'm on Windows 7 with the latest service packs and security updates, and have an antivirus.
#22 | September 13th, 2011, 02:33 PM | John Bull (Banned; Join Date: Nov 2009; Location: London UK; Posts: 904)
Re: Continuous attack

Quote:
Originally Posted by RJK3
Perhaps you should review the attack vectors for Sdbot worm variants.
Saying "I'm not infected, but my computer is trying to download malware" sounds ridiculous, so most people won't want to touch a thread like this.

RJK,
Your post comment above says it all.
However, you have made such a positive contribution of help to this abominable mess that you should get a Gold Medal.

Perhaps the OP will take all you have said including the comments of others on board and sort his self inflicted wound out.

But I must compliment every poster for trying to help on what must be the most confusing of all threads raised by an adrenaline rush threat seeker.

"My computer starts downloading Malware !"
I reckon he would be better off seeking the help of some paranormal investigator rather than posting on Wilders. Poltergeist ? Ya got it, hole in one, problem solved.

John
#23 | September 13th, 2011, 05:52 PM | Spysnake (Regular Poster; Join Date: Apr 2009; Posts: 185)
Re: Continuous attack

I don't want to offend OP here, but I must make this clear: when you test things with malware, you need to completely isolate the whole computer. Even better if you can isolate the local network too. When the infection occurs, it must be studied - it is important to understand the possible attack vectors to understand how the malware in question works. If the tester doesn't have skills for that, he should drop testing immediately. Playing with malware only results in further infections. I hope that this computer isn't your daily used one, or that you at least have a cold image stored on a USB drive and are ready to flash your BIOS if necessary.
#24 | September 14th, 2011, 05:12 AM | TOMxEU (Very Frequent Poster; Join Date: Oct 2005; Location: Slovakia; Posts: 1,534)
Re: Continuous attack

Do you have some software with network monitoring (like a firewall, all allowed, but logging on)? I would try to find out where it gets downloaded from (IP, port, process).
__________________
Real-Time: Nothing | On-Demand: Nothing [ Lenovo E525 | Yandex | CCleaner | KC SUMo | WiseCare 365 ] ( BlackViper / DEP / OpenDNS / UAC / WiFiRouter )
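RJK3's point that a network worm scans for open ports, and TOMxEU's suggestion to turn on logging and look at the source IP and port, can be combined into a small check. The following is an added example, not code from the thread: it parses Windows Firewall pfirewall.log lines (the real XP/7 field layout, with constructed sample lines) and flags inbound sources that sweep several ports or reach the Windows service ports worms probe; the WORM_PORTS set and the scan threshold are assumptions for the example.

```python
"""Flag worm-style port sweeps in Windows Firewall (pfirewall.log) lines.
Added example for this thread; sample lines below are constructed."""
from collections import defaultdict

# Ports that Sdbot-style network worms probe for exploitable Windows services
# (RPC/DCOM, NetBIOS, SMB). Assumed port list for this example.
WORM_PORTS = {135, 139, 445}

# Constructed sample: one LAN host sweeping several ports on this machine,
# ordinary outbound web traffic, and one inbound SMB connection that got through.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-09-12 04:40:01 DROP TCP 192.168.1.37 192.168.1.12 3421 135 48 S 1234567 0 65535 - - - RECEIVE
2011-09-12 04:40:01 DROP TCP 192.168.1.37 192.168.1.12 3422 139 48 S 1234568 0 65535 - - - RECEIVE
2011-09-12 04:40:02 DROP TCP 192.168.1.37 192.168.1.12 3423 445 48 S 1234569 0 65535 - - - RECEIVE
2011-09-12 04:40:02 DROP TCP 192.168.1.37 192.168.1.12 3424 1025 48 S 1234570 0 65535 - - - RECEIVE
2011-09-12 04:40:05 ALLOW TCP 192.168.1.12 74.125.224.72 1043 80 0 - 0 0 0 - - - SEND
2011-09-12 04:40:09 ALLOW TCP 192.168.1.37 192.168.1.12 3430 445 0 - 0 0 0 - - - RECEIVE
"""

def parse_log(text):
    """Yield one dict per data line; the #Fields header supplies the keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def analyse(text, scan_threshold=3):
    """Per inbound source IP: distinct ports probed, whether it looks like a
    scanner, worm-port hits, and worm-port connections the firewall ALLOWed."""
    probed = defaultdict(set)
    allowed = defaultdict(list)
    for rec in parse_log(text):
        if rec["path"] != "RECEIVE":
            continue  # only inbound traffic matters for scan detection
        src, port = rec["src-ip"], int(rec["dst-port"])
        probed[src].add(port)
        if rec["action"] == "ALLOW" and port in WORM_PORTS:
            allowed[src].append(port)
    return {
        src: {
            "ports_probed": sorted(ports),
            "scanner": len(ports) >= scan_threshold,
            "worm_ports_hit": sorted(ports & WORM_PORTS),
            "allowed_on_worm_ports": allowed[src],
        }
        for src, ports in probed.items()
    }
```

An ALLOW on a worm port from a host that is also sweeping is the line to chase first: with the software firewall off, nothing is logged at all, which is why the OP only ever saw the resulting downloads.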
#25 | September 14th, 2011, 01:10 PM | nikanthpromod (Very Frequent Poster; Join Date: Oct 2009; Location: India; Posts: 1,368)
Re: Continuous attack

Hi, thanks for the inputs..

Quote:
If the tester doesn't have skills for that, he should drop testing immediately

I started this thread to check whether someone else has this problem...
I forgot that I was in a LAN network and there are infected computers.
I forgot the basics.
Quote:
You may find it useful to install Avast, even if just for the Network Shield. This does a good job supplementing the software firewall for systems that don't have a hardware firewall (e.g. people using USB modems, 3G dongles, dialup).

Thanks.. but no.. I don't want to add anything to my setup...
I have made a lot of infections but no infection was made by malware for years.. & will continue.. One day I tried Outpost FW Pro (giveaway time). During installation it turned off my firewall.. that time my NOD32 alerted malware.. I found it interesting.. I posted here to check whether someone else has this problem... I thought many of you would try because I have seen a lot of posts showing "I'm searching for drive-by malware.. that software failed.. my testing.. like that"

But I found something from my testing.. DefenseWall can provide all-round protection..

Thanks.. This thread is over..
Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums