Anchors and Trojans

Hello

My AVG Antispyware software found “Backdoor.Hupigon” in two locations.

C:\$ISR\1\WINDOWS\system32\LegitCheckControl.dll -> Backdoor.Hupigon : Cleaned with backup (quarantined).

C:\WINDOWS\system32\LegitCheckControl.dll -> Backdoor.Hupigon : Cleaned with backup (quarantined).

This is the first “serious” threat I’ve had in a few years.

1) Does this mean the bug was in both Primary and the Secondary snapshot?

I am anchoring only “my desktop” and “my docs”. I recently reset the anchor to make sure only these areas are in the anchor.

I’m ready to follow Pete’s advice from a previous post: “ NO don't anchor the desktop. Just anchor data, and play it safe.”
( https://www.wilderssecurity.com/showthread.php?p=892703#post892703 )
Or even stop anchoring altogether.

2) If a trojan can migrate from "Desktop" couldn't it also migrate through the anchor from "my docs" to another snapshot?

3) Is it really likely that the Trojan migrated from my docs or desktop to the locations listed in the AVG report?

4) Could it have been a new signature in AVG, finding an old infection (the trojan was always in the other snapshot)?

BTW, I Googled and saw it is a well known Trojan- yet a few other spy apps I ran failed to detect the bug. Any chance it is false positive?

Thanks for any insight into this

Ashwin

 

I don't think anyone can answer your questions for sure.
If it is a true infection, it means it bypassed all your security softwares, you can only blame your security setup for this.

My assumption is that an infection in one snapshot, doesn't affect other snapshots, until the opposite is proven. But I don't say it's impossible, because you can expect anything from the bad guys.
Even a direct attack on FDISR itself is possible, that's why you need Image Backup Software to recover from such an attack.

A snapshot depends on its security softwares and a rollback snapshot removes any change in your work snapshot, including infections, unless your rollback snapshot was already infected during its creation.
A frozen snapshot cleans itself after reboot, even when an infection bypassed your security software, because an infection CHANGED your harddisk and a frozen snapshot REMOVES CHANGES, unless you were already infected during the freezing.
A rollback snapshot and a freeze storage have the same purpose and there is no difference in usage.

Just get rid of it like on a normal computer.

 

Thanks Erik

Ashwin

 

Ashwin,
In addition to what happened.
First of all, FDISR is NOT a security software. You have to protect each on-line snapshot with security softwares, just like a computer without FDISR, like a firewall, AV, ... etc.
Even a FROZEN snapshot requires security softwares to protect you against installation/execution of malwares between TWO reboots.

The standard method in FDISR is a WORK snapshot (primary) and a ROLLBACK snapshot (secondary).
Suppose you find a good software, which you like to keep.
So you do a copy/update FROM WORK snapshot TO ROLLBACK snapshot, but what you can forget is that your WORK snapshot can be infected during the day.
In other words your copy/update infects also your ROLLBACK snapshot.

If you are in trouble later with your WORK snapshot and you do a copy/update FROM ROLLBACK snapshot TO WORK snapshot, the infections on your ROLLBACK snapshot will also infect your WORK snapshot.

So it's NOT EASY to keep your WORK snapshot and ROLLBACK snapshot malware-free and it depends on how GOOD your security software are.

Before you copy/update FROM WORK snapshot TO ROLLBACK snapshot, you have to run all your scanners first, not really foolproof, but that is typical for scanners.

You have the same problem, when you use an archive as rollback snapshot,
because a copy/update FROM WORK snapshot TO archived WORK snapshot has the same problem.
The same counts for re-freezing, your snapshot has to be malware-free first.

I hope this helps.

 

I'm pretty much on the same page with you Erik, including backing up to an external drive. There is so much to learn it is always good to go over it again.

Frozen snaps are not feasable for me, as I collect too much data to store.

Any red flags about simply dropping the anchor (no pun intended!), and refreshing the unused snapshot with the fresh data weekly, or monthly?

I can copy new docs to an external drive between those times...

Ashwin

 

Very good topic in a manner of speaking. I also seen anchoring as a "potential" risk, but a risk nonetheless and possibility there for a concern, soooooo, i choose to not anchor anything. Works for me, less to be concerned about just in the event of that possibility.

Security software programs? Absolutely, as Erik so rightly alludes to, like any other program, FD-ISR also needs be covered. I'm really very new to this whole idea the FD-ISR project offers, but i been catching on rather quickly and now make clean snapshots/archives first and storing some copy of those especially to another alternative drive for safekeeping. I think this planning is beneficial anyway.

 

I see you have one external harddisk ?
How many internal harddisks do you have + volume ?
How many partitions per internal harddisk do you have ?
Do you have a decent image backup/restore system ?

 

-one external drive 30 gigs
-Paragon Exact Image (my local tech recommended)w/boot disk
-empty bay for 60 gig 2nd hard drive (investment needed)
-original drive 40 gigs w/ no partition (too small to partition?)

-BartPE boot disk (will it work with FDISR?)

Jetico Firewal
KAV6 (real time)
spy sweeper (real time)
AVG Antispy (on demand)
Spybot S &D (tea timer on)
Adaware (free)
Spywareblaster
Spywareguard

 

Hi ashwin, are u sure it,s not a false positive?
Pls upload it to virus total.

 

Ashwin,
So that's what you have now :
Internal Harddisk #1 (40gb) : WinXP + FDISR + Applications + Data
Internal Harddisk #2 (60gb) : not available yet.
External Harddisk #3 (30gb) : Backup

Your external harddisk is too small, if you ever invest in a second internal harddisk of 60gb (= maximum ?)
40gb + 60gb = 100gb vs. 30gb.

If you ever have a second internal harddisk, you better move your data on that harddisk
Internal Harddisk #1 (40gb) [C:] : WinXP + FDISR + Applications
Internal Harddisk #2 (60gb) [D:] : Data
External Harddisk #3 (30gb) [E:] : Backup
Then you have more room for data, which seems to grow constantly, when I read your post.

Now you have 40gb, so lets stick to that :

1. If you don't anchor and you use a second snapshot as rollback snapshot, it means that your data is stored in both snapshots, that's 2 x data volume.
So this solution requires more space and that's not so good.

2. If you do anchor and you use a second snapshot as rollback snapshot, it means that your data is not included in both snapshots, that's 1 x data volume.
So this solution is the best in case you use a second snapshot as rollback snapshot.
Since you have only ONE internal harddisk, you can use Paragon to backup the whole harddisk and you have a backup of Windows + FDISR + Applications + Data.

So your setup will be like this :
One work snapshot, which contains Windows + Application
One rollback snapshot to save your work snapshot.
You anchor the folder "My Documents" and your data is accessible in both snapshots and always up-to-date.

Your backup is quite simple, it backups the whole harddisk.

So if your WORK snapshot is in trouble, you will be able to save it most of the time with your ROLLBACK snapshot.
In case FDISR doesn't solve the problem, you can restore your IMAGE with Paragon.
If you don't want to lose much data, you have to backup DAILY, because you can only recover your data via an IMAGE.

I wouldn't use archived snapshots, because you have to store them on your external harddisk and that means less space for your Image Backup and your Image Backup is the most important one, certainly in your case.

This solution will work until your harddisk becomes too small and then you will need a second harddisk to store your data and then you will have a problem with your external harddisk, which is too small.

 

Regarding anchoring :
There is nothing wrong with anchoring and it has a purpose, because it reduces the space you need for at least 2 snapshots and certainly in your case and your growing data will increase the size of both snapshots constantly and that will finally end up in anchoring. So you better do it now, because one day you will have to do it anyway.
Anchoring has nothing to do with security either, your security softwares protect your system files and data files, nothing else.

Since your total system is rather small, DVD RW's might be a solution to archive snapshots, but I never recommend them in general, they are not so reliable as harddisks.

 

Hi aigle

This is a new procedure for me (submitting a file for analysis).

The only info I know how to access right now about this critter is in my first post. It is from the "report" section of the AVG:

C:\$ISR\1\WINDOWS\system32\LegitCheckControl.dll -> Backdoor.Hupigon

Do I just cut and paste that same line of info into some kind of secure "zip" file and send it off?

I can open zips but I've never made one...

On the Virus Total site, when I click on "choose", the Windows box opens, with the space in the bottom with "file name"....do I paste the line above into that box...and click on "open"?

Can I reinfect my computer doing this??

I'll do some legwork on it----If you have a link with newbiie instructs I'll follow it. I think KAV has instructs which I can look for tommorrow.

Cheers

Ashwin

 

Hi Erik

I appreciate the strategy you've laid out. I agree with it, given that the anchor process doesn't open any doors for infections to migrate.

Would this work:
Find out from AVG how old the signature is which located the Trojan.
I scanned my Primary snap before making the Secondary (15 days ago) with the AVG (and all the others). All was clean.

If the signature which found the Backdoor trojan is more than 15 days old, and not a false positive, then the infection found its way from one snapshot to the other.

[Notice I'm not saying the anchor is at fault in this case. I anchored "my docs" and "desktop" (against Pete's advice). It may be I'm not doing the anchor correctly or in the most secure way...]

If it is a signature less than 15 days old, there is no way to tell if it found a new or an old infection.

 

Sorry, I can't answer that question. I know FDISR very well, but I don't know how you can find out from AVG how old the signature is.

Your anchoring sounds OK to me.

If the trojan was stored in your folder "My Documents" and the trojan does bad things somewhere in your system files, then it can infect your WORK snapshot if it is the ACTIVE snapshot.
The trojan will also infect your ROLLBACK snapshot, if it is the ACTIVE snapshot.
A copy/update FROM WORK snapshot TO ROLLBACK snapshot and vice versa will also transfer the infection.
But I'm not sure how this trojan works, I know very little about malware and anti-malware.
So I'm just guessing. I try to be honest

Downloading files from an unknown source is always 'dangerous', because they are usually stored under "My Documents".
I'm not saying you did this, but I don't know what you are doing on the internet. I did also alot of dangerous activities on the internet during my newbie-time.

Maybe you can ask this question in the Anti-Virus forums, because these scanner-fans know alot more than me.

 

Hi Ashwin, follow these steps.

Browse to the file location on ur PC via drop down box and select it by double click or single click and open (in dropn down box).

U need java script turned on in FireFox.
If u have problems, use Internet Explorer instead.

 

Press the SEND button. U might need to turn off ur AV to select and upload the file. During this time, can it damage or not I am not sure. But I see it,s a dll so should have no harm but I can,t guarantee u.

 

U can first try to upload a harmless file just to know how it works.

 

OK

I'll have time later today to do Virus Total search.

Just to be sure I understand:

Will I still be able to find the file if it has been "Quarantined" by the AVG software??

Does turning off the AVG release the Quarantine?

Thanks for the screen shots

Ashwin

 

No file will remain qurantined in any case. U can,t upload it deirectly from quarantine. U first need to restore it to a folder of ur choice and then upload.
I will suggest to do it only if u are confident enough or u have a full backup but as far as I know restoring a dll from quarantine should not be a threat to ur OS.

 

I’m sure you’ve all been where I am now: I’d like to devote more time to this, but the world is demanding otherwise.

I have not proceeded with the Virus Total - outside my tech ability at this point.

Since my last post:

- I am still using the same anchor for “my docs” and “desktop”, but something has gone wrong: A series of pdf’s placed on the desktop of my secondary snap never made it to the desktop (OR to my documents) on my primary snap.
Feels like a new post…

- I am realizing I don’t know how to navigate the pathways (manage files) to make sure new data from existing software is added to an area (like my docs) so that it will available on both of my snaps.

Example: my Opera bookmarks AND current websites opened in the browser used to be saved in the anchoring process. Now neither is saved. This occurred after I set my new anchor last month. The bookmarks are not kept in “my docs” so I will have to search them out and try to include them….

My goal is as Erik pointed out- use the anchor to save hard drive space. I may dissolve it for now, until I have more time to sort this out.

Yep it’s the learning curve…and worth it…thanks so much everyone…

Ashwin

 

ashwin,
I admit that anchoring becomes tricky, if you anchor MORE than the folder "My Documents".
Every PDF-file has to be stored in the folder somewhere under "My Documents".

Once you put shortcuts to PDF-files on your desktop and you anchored "Desktop", it might be possible it won't work, because you might have forgotten something that is necessary for Windows.
Windows is complicated and this requires a detailed study.

I don't have that problem, because I separated my data from my system partition.
As an experiment, I will put some shortcuts of PDF-files on my desktop and see what happens.

 

Erik - One detail to pdf's: Another thing that started happening is that when I close one Adobe pdf, any remaining open ones close also. That is new to my machine.

If I download the latest Adobe update (I did last month), and only "my docs" are anchored, will I have in "my docs" the older version of Adobe installer, the newer one also, and the current running version will be the older one until I install the new one? Or should the Adobe installer not even be in "my docs"?

Peter - at the very least I will start again.
Will only anchor "my docs", or none at all.