Did a hacker copy my honeymoon pix?

Like an idiot I downloaded a favorite ep a sunday ago and -like a bigger idiot - I downloaded a codec it said it needed. (I'm buying the DVD just to soothe my conscience)

Turns out the codec was really W32.Kwbot.F.Worm and it dropped Backdoor.Sdbot on my computer.

I didn't catch any of this for seven days, my computer had startup problems which I attributed to a recent reinstallation of WinXP and not a virus. Luckily I ran NAV and I caught it late Sunday night.

Panicking I followed NAVs advice but still was not able to remove all files. So I reformatted, twice (I've never been hacked and I was in panic mode...).

I think I squashed the virus and I bought/installed a shitload of software. Between Norton and Zonealarm I'm vaguely certain that spare electrons do not squeeze out into the internet anymore...

Two worries:
1) My tax return for 2002 was on the drive during the period in which I was infected.

2) So were my honeymoon pictures which would lead to my divorce (Though they are nice Playboy, not hardcore) if they were posted on the internet. Maybe not divorce, but malicious posting would really hurt me and my wife...I don't really know what else to say here...

Needless to say these files are off the computer but my worries are still on my mind.

Is there any way to figure out what the hacker took? Is there any way to know if the virus was even active? Can I figure out who the hacker is?

I feel like such a shitheel.

Thanks,
Entropy

 

Hi entropy123,

Am I correct in understanding that you did not have a firewall during the time you were infected?
Chances are very slim that if anyone was able to access your data, they would choose to steal pictures. Normally they would go after your passwords or other useful information.

Regards,

Pieter

 

Pieter,

No firewall, I'm behind a router but I'm given to understand that would not help....

Does this change the picture?

Thanks,
Entropy

 

Hi entropy123!

Well, looks bad if you formated your harddisk twice to get any information back. Overall you rewrote the harddisk with the new OS, so that there's no hope of getting any information about the old harddisk back!

Like that I'm not able to tell you if the virus was active, if the hacker took something of your computer or even figure out who the hacker was. But don't worry about that. You can't change things now -so you have to accept them as they are.

And don't forget, it doesn't mean that the hacker took the things you wrote about. Perhaps he has done nothing at all. The more important is, what you can do, so that in future this won't happen again. So let's go through this:

a) If there's a further attack: NEVER EVER PANIC! Just plug out the network cable and get help (if you are in need of).

b) Install the latest Updates of your OS

c) Install an Antivirus-Software (as you already do)

d) Install an Antitrojan-Tool (TDS-3 for example)

e) Install a personal firewall (Look'n'Stop for example)

f) Buy a router and put it in front of your computer (as you already do)

g) Use encryption software to hide your private files (PGP for example)

h) Install Spyware-Software (Ad-aware, Spybot,...)

i) Install a registry monitor (like RegProt or Cleaner)

j) ... If you still don't have enough of my suggestions let me know, so that I can give you further informations about how to make your computer more secure!

If you have any further questions let me know!

Best regards!

Patrice

 

Does your router make logs?
If so, they could provide useful information.
If not, there is not much chance of finding out anything about who and what.

This is what the hacker was able to do at your computer:
-Manage the installation of the backdoor
-Control the IRC client on the compromised computer
-Dynamically update the installed Trojan
-Send the Trojan to other IRC channels to attempt to compromise more computers
-Download and execute files
-Deliver system and network information to the hacker
-Perform Denial of Service (DoS) attacks against a target that is defined by the hacker
-Uninstall itself completely by removing the relevant registry entries

Regards,

Pieter

 

Hi Pieter!

In addition to what you mentioned, he was able to delete all the important logs of Windows as well, so that you can't see that he was active... But only if the hacker was a real pro!

Regards,

Patrice

P.S. What router do you have, entropy123?

 

Pieter,

I have a linksys four port router, non-wireless. It apparently has some 'hardwired' firewall.

Right before I ran norton I did something called a Gibson's port scan (found this on the web) which informed me that my computer was 'super stealthy'. I wasn't - like an idiot - running the WinXP firewall so I thought no way am I stealthy.

I ran norton and found the virus.

Another thing, the HD with the material I don't want to see on the internet was on my D drive, which I disconnected (Cable) once I learned I was hacked.

How does the situation look?

entropy

 

Hi entropy123!

Can you check if logging was enabled (In router settings -192.168.1.1)?

Here are logging utility tools:

http://www.sonic.net/wallwatcher/
http://www.wallwatcher.com/GetLog_Readme.html

GetLog is the one, with which you can check what traffic you had on your router. But be aware that with the BEF series of Linksys you only have 70 log entries... With the BEFSX series of Linksys you would have up to 1000 log entries. Can you tell me the exact name of your linksys router?

Would be great if you would have a router of the BEFSX series, because then it would be possible to see what traffic you had!

Regards,

Patrice

P.S. By the way the internall firewall of Windows XP is crap, unfortunately.

 

Relax! Get yourself a brew. Worms like the one you mention is scriptkiddie crap. No pro hacker would mess around with your personal stuff. An no scriptkiddie is going to leave a trail to his front door by placing pics on the internet. You were violated an feel the emotions. Tighten your security and move on with your life. You sure as hell wont get any information off your reformatted harddrive that would help in learning the identity of the orgin of the worm. ToughLove but true.

 

Hi WasNotMe!

I can't completely agree on what you said. For me it doesn't look like scriptkiddie crap. If you wanna have more information about W32.Kwbot.F.Worm and Backdoor.Sdbot, check these sites:

http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.f.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html

Best regards!

Patrice

 

Patrice,

How do I distinguish serious hacking from 'scriptkiddie' activities?

entropy

 

SDBot is an IRC controlled backdoor, and usually you would be part of a botnet. The main thing they want that you had was bandwidth. Controlling a botnet would be easy, but browsing each and every users harddrives (if even a few) would be time consuming

So I doubt many botnet owners would go uploading a trojan to their victims and then connect to them all and snoop around. Considering the timeframe of a week I would guess you are fairly OK !

 

Hi entropy123!

Let's say scriptkiddie crap is someone, who writes malicious codes in a script. If you open and start this script it would for example delete some system files on your harddisk, put a file in the autostart (trojan, etc.) or whatever. Serious hacking is difficult to trace. Perhaps you even don't know that it happened (if the hacker is a pro and you don't have enough security). It means that a hacker breaches your system, gets in, fools around (installing trojan, deleting files, copying files,...) and uses the computer for example to attack other computers. Normally they hardly leave any traces which could compromise them.

But you can trust the reply of Gavin / DiamondCS, they have much more knowledge about trojans than I have. They are dealing daily with such things! Consider to look at TDS-3, it's worth it!

Entropy123, could you please tell us what router you have (exact name)?

Best regards!

Patrice

 

Dispite what some think of the company that makes this program
Hackeriliminator is a good program with tons of features , like back tracing the hacker. The company is her to make money like everyone else and isn't cheap and it sure doesn't hurt to trial it out, right?

 

Hi controler!

I just checked out Hacker Eliminator. I have to say it's a nice registry scanning tool and certainly good for some people but nothing more. If I consider that I would have to pay for it there are other alternatives. You can use RegistryProt from DCS which does almost the same things (especially it's for free and uses very low mem!). The port exploring tool isn't that good, let's say it's a good start for a beginner. I prefer Port Explorer from DCS. And last but not least, against trojans you need something like TDS-3. There's no way around it. Hacker eliminator can't help there!

If you have TDS-3, Port Explorer and RegProt (as I have) you don't need Hacker Eliminator. And last but not least I didn't like their homepage at all. There's no explanation, support or whatsoever. That's a bad sign! The homepage, the service and the support gives very important informations about a software (trustworthy or not).

But nevertheless it's worth to look at.

Best regards!

Patrice

 

Patrice,

I'm running a Linksys BEFSR41 v2.0 4 port router. My wife also has a computer (mac) hooked up.

I don't know if it makes a difference, but about 1 day before NAV found the virus and I freaked I had run 'Gibson's Port Test' which gave me the all clear 'super stealth' rating...For some reason this made me suspicious enough to ask a question on a newsgroup. One of the replies was to run NAV so I did and there was my virus...

Also, this morning my computer acted up at startup again. I searched for the specific error and it turned out to be my memory. I had a 512mb DDR chip which now is reading as 256mb...At random intervals my computer will refuse to start up...

Thanks for all the advice on the various tools. As time allows - gotta keep my job - I'm running these tests and trying to figure out how to assess the security of my computer on a daily basis...I'm running ZApro but I'm not sure how to set ports and the like.

I still can't figure out why 3 copies of SVchost.exe need to access the internet...

Thanks!
entropy

 

Hi entropy123!

I got the same router as you have. Forget it about the old logs of your router, you just have 70 logs stored in it. But nevertheless enable logging in the router settings, install WallWatcher and GetLog, so that in future you are able to check your logs. For futher information see the information which was posted some answers before.

This is normal, so let them be. Svchost is started several times, but with different parameters svchost.exe -h,... As far as I remember it right it has something to do with the network. But it's o.k. I haven't found any good information about this process on the Microshit Knowledge Base or TechNet unfortunately. Perhaps someone else can help you out there.

I'm too tired now, gotta go to bed. It's midnight already where I live!!

Best regards!

Patrice

 

I'm running wallwatcher and red ips account for roughly 30% of my 'hits'? What does this mean and how do I figure out if it is malicious?

Some of the red - which I take to be unrequested - hits are by the same address maybe 5-9 times in a row...

Thanks,
entropy

 

Hi entropy123!

Don't worry about them! It's good that you see the traffic now! If these packets are really unrequested (did they appear when you weren't surfing around and doing nothing?), they were blocked successfully by your router!

Don't forget to install GetLog as well. If you shut down your computer during night, you can view the log of the router with this tool the next morning. That helps to see, if someone tried to attack your system.

And don't forget to install a good firewall as well. I suggest Look'n'Stop, because it's the one who passes all the leak tests at the moment. And because you don't need just outside-inside protection (router) but also inside-outside protection, as you know since a few days... For further information about firewalls, leak tests and online tests of your system go to PC Flank:

http://www.pcflank.com

Best regards!

Patrice