Busted a trojan!!! Now what?

Discussion in 'Trojan Defence Suite' started by coolartist, Oct 7, 2002.

Thread Status:
Not open for further replies.
  1. coolartist

    coolartist Registered Member

    Joined:
    Oct 6, 2002
    Posts:
    25
    Hey everybody. TDS-3 is awesome! I love it!!!!!

    QUESTIONS:
    Can TDS-3 tell me how long a trojan has been on my system, and if so, what date it was activated, and if so, how do I do that?

    If I find a trojan can TDS-3 tell me who it is or do I have to wait for them to reconnect? If so....how do I get the ip of the intruder?

    If I decide to take action against the attacker does TDS provide a platform for that?

    The reason I'm asking is that I already found a trojan on my system...so I'm wondering what information is available if any on the attacker...thanks everybody!
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    TDS is central on my system, because I love it too! :)
    Not to forget the marvellous support and the TDS family!
    First, tell us what trojan you found.
    By right-clicking on it in the scan alerts window you see the date it came on your system.
    Depending on the trojan it might or might not be worth having it analysed, for which DiamondCS has extra services indeed to snipe out all available info.
    This you find on their website www.diamondcs.com.au > Our services.
    Did you scan with the newest database update, all possible scan options and the worm slider on highest sensitivity?
     
  3. coolartist

    coolartist Registered Member

    Joined:
    Oct 6, 2002
    Posts:
    25
    It was the Remote Anything and I killed it and destroyed the file. Is it too late now to get the info on when it got activated?
    Can you tell me how to do all the above mentioned procedures? I'd really appreciate it.... better yet, can you tell me how to properly set this thing up for a proper, really good thorough scan? Do you have any suggestions as to how I should set up the program?

    Like I said I destroyed the file already, but down at the bottom it has some information left... it says (alarm) "RegVal trace: Rat.Remote Anything.(name) Hkey local machine" and then the file extension or path I guess. If I right click it it says "delete registry entry" and "save as text". What do I do with that? And again... is there any way left for me to get information on how long that thing has been on my machine since I already destroyed the file? Thanks
    Ok update: the above info is coming from a trace scan. Should I delete it or can I still get some info out of it? And I think I've got another one. TDS just detected changes in the registry and a program just tried to open on my screen. Looks suspicious. Can you help tell me how to run a total cleanup with this software? What would you do right now? I'm trying to learn as fast as possible but I think I've got another one going maybe.
     
  4. FanJ

    FanJ Guest

    Hi Coolartist,

    With respect to your question "how long a trojan has been on my system" the following:

    I would like to look at it in a more general way:
    "how long a file has been on my system".
    And that leads to an even better question:
    "can I know whether any file on my system is changed, deleted or new"?

    The answer is more or less: Yes !

    What you need for this is a kind of program that you could name an Integrity Checker.
    There are several of those programs.
    Some are free, some not.
    Some are able to inform you more or less in real time, others must be started by yourself.

    What those programs do is only inform you whether a file is changed/deleted/new since the last time the check was done. And then it is up to the user to decide whether it was a legitimate change (for example you installed an MS Update or Patch) or it was caused by some malware (and that is where good anti-virus and good anti-Trojan programs come into the game to help you).

    You could have a look at those programs (to name some):
    FileChecker from Javacool (see dedicated forum at this board); free.
    NIS File Check (see dedicated forum at this board); free.
    FileChangeAlarm (brother of NISFileCheck); free.
    ADInf32 or ADInf32 Pro from the company that sells the AV DrWeb; not free.
    Inspector integrated in KAV Personal Pro; not free.

    And also the CRC32-checksum feature in TDS-3 gives you some possibilities (I had promised to make a special thread for the CRC32-checksum feature; I have to apologize that until now I haven't done so, although in some other threads I have posted about it; I hope to be able to make that thread somewhere in the near future).


    I hope this helps you a little bit to get a more general view on the topic.
     
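The integrity-checker idea FanJ describes (baseline every file, re-scan, report changed/deleted/new, and leave the verdict to the user) as an added example that is not part of the original thread or of any of the products named above. It uses CRC32 like the TDS-3 feature mentioned, records each file's modification time as the first clue to when a file appeared, and runs against a constructed scratch directory with hypothetical file names.

```python
import os
import tempfile
import zlib
from typing import Dict, List, Tuple

# One baseline record per file: (crc32, size in bytes, mtime as epoch seconds)
Record = Tuple[int, int, float]

def crc32_of_file(path: str) -> int:
    """Stream the file through zlib.crc32 so large files need no extra memory."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def snapshot(root: str) -> Dict[str, Record]:
    """Walk root and record crc32/size/mtime for every regular file found."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = (crc32_of_file(full), st.st_size, st.st_mtime)
    return baseline

def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify files as changed, deleted or new relative to the old baseline.
    Deciding whether a change is legitimate is left to the user, as in the post."""
    return {
        "changed": sorted(k for k in old if k in new and old[k][0] != new[k][0]),
        "deleted": sorted(k for k in old if k not in new),
        "new": sorted(k for k in new if k not in old),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario (hypothetical names): baseline a scratch directory,
    then simulate a dropped file, an altered file and a deleted file before re-scanning."""
    root = tempfile.mkdtemp(prefix="integrity_demo_")
    for name, data in (("COMMAND.COM", b"shell"), ("WIN.INI", b"[boot]\n"), ("OLD.LOG", b"x")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    before = snapshot(root)
    with open(os.path.join(root, "DROPPED.EXE"), "wb") as fh:  # constructed: a new file appears
        fh.write(b"MZ constructed sample")
    with open(os.path.join(root, "WIN.INI"), "ab") as fh:      # constructed: an existing file is altered
        fh.write(b"run=DROPPED.EXE\n")
    os.remove(os.path.join(root, "OLD.LOG"))                   # constructed: a file disappears
    return compare(before, snapshot(root))
```

For real use, persist the baseline (for example as JSON) and compare against a fresh `snapshot()` on each run, since a baseline taken after an infection would simply treat the intruder's files as normal.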
  5. coolartist

    coolartist Registered Member

    Joined:
    Oct 6, 2002
    Posts:
    25
    Hey FanJ.. I just found the log the "remote anything" was using! Can you or anyone explain to me what each of these entries means? This is very interesting...... it is showing me how the trojan ran..... I presume. The path changed 7 days from the start up date and appeared to be going through 8 different listings.... and stayed the same till the end. NOW I'M GETTING SOMEWHERE!!! I'd really appreciate it.. it will really help me... there was something written in behind all the entries but I didn't fill them in...

    example: what is the comspec or what is the classpath etc.

    [Run] Date: 09/30/02 Time: 07:07:12
    Path: C:\WINDOWS\SLAVE.EXE
    Env. variables:
    -COMSPEC=C:\WINDOWS\COMMAND.COM
    -PATH=
    -PROMPT=
    -TEMP=C:\WINDOWS:\TEMP
    -TMP=C:\WINDOWS\TEMP
    - CLASSPATH=
    -QTJAVA=
    -winbootdir=C:\WINDOWS
    -windir=C:\WINDOWS
    *MY ADDRESS WAS HERE*
    Run Service
    Starting
    Enter Accept Loop (what is an accept loop)
    *my name and my whole system setup was listed here*
    HSF Modem(INTERNAL)
    End Session
    Stop Listening
    [Exit] Date: 09/30/02 Time: 07:54:50
    Exit Mag Loop ? (what is a mag loop)
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    This isn't really the job of TDS, but of your file system - from Windows Explorer (explorer.exe), simply right-click on the trojan executable and select Properties, then observe the Created, Modified and Accessed dates - this should clue you in as to when the trojan was created on your system, and when it was last executed.

    Best regards,
    Wayne Langlois / DiamondCS
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If this was the first date in your log it might either have been the date of installation, or it has replaced former logs.

    So this is why I never just delete a possible nasty without looking deeper into it first; at least a date I want to know.
    The essential system files are backed up by TDS and if necessary replaced by the clean copies; I don't remember that I ever saw alerts about infected files being replaced, so it might never have happened or it is done silently (which I doubt).

    As said before, the RA is a commercial tool, so you can, with that date in mind, try to find out who has enough interest in your system to spend money for that, what they think to gain by logging your actions, and what kind of actions have been logged; I might suppose there is also something in those logs telling where the logs are sent to, an email address, whatever.
    You could have sent the nasty to DCS for deeper investigation to know your controller and have some clues and, if necessary, legal actions, as you wrote you make your money via your computer.
    There are some programs with which you can find back deleted files on your system; I still have to dig deeper for that thread in the forums here where it was, as I saw them recently but don't remember where and have no idea where to look as it was under another subject.
    With such a tool you might be able to find back the nasty, put it back a moment, you know now the name was slave.exe, zip the thing and send it to the DCS lab to get all info out for you.
    I suppose in the meantime you don't remember what program started after you removed it, did you?
    At least google for the thing and read about its features, which might give some more clues about it.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Most probably Backdoor.RA - named that way because of the similarities with the innocent real program. Better change all passwords at the spot.

    regards.

    paul
     
  9. coolartist

    coolartist Registered Member

    Joined:
    Oct 6, 2002
    Posts:
    25
    Thanks Paul. I should change all my passwords? I didn't understand what you meant when you said at the spot? Did you mean on the spot? Like now?

    You're right.. it was a RAT, Remote Anything. I went to the site where they sell them and checked it out. With it you can do anything on the slave's computer that they can do. Delete files... download files... open programs... name it.... see the desktop...
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,838
    Location:
    New England
    Yes, you should change all the passwords you've used through that system now. If someone was indeed watching, logging or downloading your files, changing your passwords from your now unmonitored system would be very prudent.

    LowWaterMark
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks, LowWaterMark ;)

    Typo - apologies. As for how you picked it up; either someone did install the server part on purpose on your system in person, or your system has been infected while touring the web. Be careful out there - and keep exec. prot enabled.

    regards.

    paul
     
  12. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hi coolartist!

    You're getting some excellent advice here from people who really do know what they are doing.

    It's tough when you find a nasty on your system. You want to remove it IMMEDIATELY! (Argh! Get it off! Get it OFF!! You get the idea.) It's taken me some time to learn not to do that, so I can learn what it is, where it came from and what else I might need to do about it. It may not be as simple as removing it. Some reinstall themselves under different pathnames as soon as you do so.

    You can get this stuff in a variety of ways. Simply visiting a website can load a trojan on your system. This happened to me at a Hong Kong site. I never clicked on anything but I still got it. I now assiduously avoid Chinese websites (or go "armed" to the teeth!). Trawling the darksides/strangesides of the Web can be dangerous to your PC's health. Be careful out there!

    Another thing I do is keep a file on everything I download off the Web. What it is, where I got it, why I got it, etc. I keep it in an encrypted folder. It's an extra chore but well worth it should I get something "extra" with my downloads.
    I also keep all my passwords in an encrypted folder. You can get freeware encryption programs at ZDNet or Tucows.

    I wish you well and try to be patient with yourself as you learn more. You'll become an experienced User before you know it!

    Best regards from Larry! :cool:
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Beside TDS I'm really very happy having WormGuard running all the time too, which blocks even more and protects against picking up nasties from websites, blocking them from running, and if there is a suspicious file/script/email the warning pops up before you open it and gives the opportunity to check it in the safe mode.
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,838
    Location:
    New England
    Very good advice there Prince. I do the same thing. I create a note file for all kits, downloads, etc. I include there the references (forum notes, page contents, etc) that sent me there in the first place and more.

    Maintaining appropriate amounts of data on changes and installs on your PC can help significantly when researching the appearance of a Trojan or Virus on your system.
     