Anchors and Trojans

Discussion in 'FirstDefense-ISR Forum' started by ashwin, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Hello

    My AVG Antispyware software found “Backdoor.Hupigon” in two locations.

    C:\$ISR\1\WINDOWS\system32\LegitCheckControl.dll -> Backdoor.Hupigon : Cleaned with backup (quarantined).

    C:\WINDOWS\system32\LegitCheckControl.dll -> Backdoor.Hupigon : Cleaned with backup (quarantined).

    This is the first “serious” threat I’ve had in a few years.

    1) Does this mean the bug was in both Primary and the Secondary snapshot?

    I am anchoring only “my desktop” and “my docs”. I recently reset the anchor to make sure only these areas are in the anchor.

    I’m ready to follow Pete’s advice from a previous post: “NO don't anchor the desktop. Just anchor data, and play it safe.”
    ( https://www.wilderssecurity.com/showthread.php?p=892703#post892703 )
    Or even stop anchoring altogether.

    2) If a trojan can migrate from "Desktop" couldn't it also migrate through the anchor from "my docs" to another snapshot?

    3) Is it really likely that the Trojan migrated from my docs or desktop to the locations listed in the AVG report?

    4) Could it have been a new signature in AVG, finding an old infection (the trojan was always in the other snapshot)?

    BTW, I Googled and saw it is a well-known Trojan, yet a few other spy apps I ran failed to detect the bug. Any chance it is a false positive?

    Thanks for any insight into this

    Ashwin
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't think anyone can answer your questions for sure.
    If it is a true infection, it means it bypassed all your security software; you can only blame your security setup for this.

    My assumption is that an infection in one snapshot, doesn't affect other snapshots, until the opposite is proven. But I don't say it's impossible, because you can expect anything from the bad guys.
    Even a direct attack on FDISR itself is possible, that's why you need Image Backup Software to recover from such an attack.

    A snapshot depends on its security software, and a rollback snapshot removes any change in your work snapshot, including infections, unless your rollback snapshot was already infected during its creation.
    A frozen snapshot cleans itself after reboot, even when an infection bypassed your security software, because an infection CHANGED your harddisk and a frozen snapshot REMOVES CHANGES, unless you were already infected during the freezing.
    A rollback snapshot and a freeze storage have the same purpose, and there is no difference in usage.

    Just get rid of it like on a normal computer.
     
    Last edited: Apr 12, 2007
  3. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Thanks Erik

    Ashwin
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Erik's point is well taken. If it is a false positive, it could show up in both snapshots. Also, if your system was infected and you updated the other snapshot, it would be there. Just hard to tell exactly what happened.

    Pete
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Ashwin,
    In addition to what happened.
    First of all, FDISR is NOT security software. You have to protect each on-line snapshot with security software, just like a computer without FDISR: a firewall, AV, etc.
    Even a FROZEN snapshot requires security software to protect you against installation/execution of malware between TWO reboots.

    The standard method in FDISR is a WORK snapshot (primary) and a ROLLBACK snapshot (secondary).
    Suppose you find a good software, which you like to keep.
    So you do a copy/update FROM WORK snapshot TO ROLLBACK snapshot, but what you can forget is that your WORK snapshot can be infected during the day.
    In other words your copy/update infects also your ROLLBACK snapshot.

    If you are in trouble later with your WORK snapshot and you do a copy/update FROM ROLLBACK snapshot TO WORK snapshot, the infections on your ROLLBACK snapshot will also infect your WORK snapshot.

    So it's NOT EASY to keep your WORK snapshot and ROLLBACK snapshot malware-free, and it depends on how GOOD your security software is.

    Before you copy/update FROM WORK snapshot TO ROLLBACK snapshot, you have to run all your scanners first, not really foolproof, but that is typical for scanners.

    You have the same problem when you use an archive as rollback snapshot, because a copy/update FROM WORK snapshot TO archived WORK snapshot has the same problem.
    The same applies to re-freezing: your snapshot has to be malware-free first.

    I hope this helps.
     
    Last edited: Apr 12, 2007
  6. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    I'm pretty much on the same page with you Erik, including backing up to an external drive. There is so much to learn it is always good to go over it again.

    Frozen snaps are not feasible for me, as I collect too much data to store.

    Any red flags about simply dropping the anchor (no pun intended!), and refreshing the unused snapshot with the fresh data weekly, or monthly?

    I can copy new docs to an external drive between those times...

    Ashwin
     
  7. EASTER.2010

    EASTER.2010 Guest

    Very good topic in a manner of speaking. I have also seen anchoring as a "potential" risk, but a risk nonetheless and a possibility there for concern, soooooo, I choose to not anchor anything. Works for me, less to be concerned about just in the event of that possibility.

    Security software programs? Absolutely, as Erik so rightly alludes to, like any other program, FD-ISR also needs to be covered. I'm really very new to this whole idea the FD-ISR project offers, but I've been catching on rather quickly and now make clean snapshots/archives first and store a copy of those, especially on another alternative drive for safekeeping. I think this planning is beneficial anyway.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I see you have one external harddisk?
    How many internal harddisks do you have, and what volume?
    How many partitions per internal harddisk do you have?
    Do you have a decent image backup/restore system?
     
  9. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    -one external drive 30 gigs
    -Paragon Exact Image (my local tech recommended) w/ boot disk
    -empty bay for 60 gig 2nd hard drive (investment needed)
    -original drive 40 gigs w/ no partition (too small to partition?)

    -BartPE boot disk (will it work with FDISR?)

    Jetico Firewall
    KAV6 (real time)
    Spy Sweeper (real time)
    AVG Antispy (on demand)
    Spybot S&D (TeaTimer on)
    Adaware (free)
    Spywareblaster
    Spywareguard
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    BartPE works very well with FDISR. I've used it for quite a while.

    Pete
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi ashwin, are u sure it's not a false positive?
    Pls upload it to VirusTotal.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Ashwin,
    So that's what you have now:
    Internal Harddisk #1 (40gb) : WinXP + FDISR + Applications + Data
    Internal Harddisk #2 (60gb) : not available yet.
    External Harddisk #3 (30gb) : Backup

    Your external harddisk is too small, if you ever invest in a second internal harddisk of 60gb (= maximum ?)
    40gb + 60gb = 100gb vs. 30gb.

    If you ever have a second internal harddisk, you better move your data on that harddisk
    Internal Harddisk #1 (40gb) [C:] : WinXP + FDISR + Applications
    Internal Harddisk #2 (60gb) [D:] : Data
    External Harddisk #3 (30gb) [E:] : Backup
    Then you have more room for data, which seems to grow constantly, when I read your post.

    Now you have 40gb, so let's stick to that:

    1. If you don't anchor and you use a second snapshot as rollback snapshot, it means that your data is stored in both snapshots, that's 2 x data volume.
    So this solution requires more space and that's not so good.

    2. If you do anchor and you use a second snapshot as rollback snapshot, it means that your data is not included in both snapshots, that's 1 x data volume.
    So this solution is the best in case you use a second snapshot as rollback snapshot.
    Since you have only ONE internal harddisk, you can use Paragon to backup the whole harddisk and you have a backup of Windows + FDISR + Applications + Data.

    So your setup will be like this :
    One work snapshot, which contains Windows + Application
    One rollback snapshot to save your work snapshot.
    You anchor the folder "My Documents" and your data is accessible in both snapshots and always up-to-date.

    Your backup is quite simple: it backs up the whole harddisk.

    So if your WORK snapshot is in trouble, you will be able to save it most of the time with your ROLLBACK snapshot.
    In case FDISR doesn't solve the problem, you can restore your IMAGE with Paragon.
    If you don't want to lose much data, you have to backup DAILY, because you can only recover your data via an IMAGE.

    I wouldn't use archived snapshots, because you have to store them on your external harddisk and that means less space for your Image Backup and your Image Backup is the most important one, certainly in your case.

    This solution will work until your harddisk becomes too small and then you will need a second harddisk to store your data and then you will have a problem with your external harddisk, which is too small.
     
    Last edited: Apr 13, 2007
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Regarding anchoring :
    There is nothing wrong with anchoring, and it has a purpose, because it reduces the space you need for at least 2 snapshots, certainly in your case: your growing data will increase the size of both snapshots constantly, and that will finally end up in anchoring. So you better do it now, because one day you will have to do it anyway.
    Anchoring has nothing to do with security either, your security softwares protect your system files and data files, nothing else.

    Since your total system is rather small, DVD RW's might be a solution to archive snapshots, but I never recommend them in general, they are not so reliable as harddisks.
     
    Last edited: Apr 13, 2007
  14. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Hi aigle

    This is a new procedure for me (submitting a file for analysis).

    The only info I know how to access right now about this critter is in my first post. It is from the "report" section of the AVG:

    C:\$ISR\1\WINDOWS\system32\LegitCheckControl.dll -> Backdoor.Hupigon

    Do I just cut and paste that same line of info into some kind of secure "zip" file and send it off?

    I can open zips but I've never made one...

    On the Virus Total site, when I click on "choose", the Windows box opens, with the space in the bottom with "file name"....do I paste the line above into that box...and click on "open"?

    Can I reinfect my computer doing this??

    I'll do some legwork on it. If you have a link with newbie instructions I'll follow it. I think KAV has instructions which I can look for tomorrow.

    Cheers

    Ashwin
     
  15. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Hi Erik

    I appreciate the strategy you've laid out. I agree with it, given that the anchor process doesn't open any doors for infections to migrate.

    Would this work:
    Find out from AVG how old the signature is which located the Trojan.
    I scanned my Primary snap before making the Secondary (15 days ago) with the AVG (and all the others). All was clean.

    If the signature which found the Backdoor trojan is more than 15 days old, and not a false positive, then the infection found its way from one snapshot to the other.

    [Notice I'm not saying the anchor is at fault in this case. I anchored "my docs" and "desktop" (against Pete's advice). It may be I'm not doing the anchor correctly or in the most secure way...]

    If it is a signature less than 15 days old, there is no way to tell if it found a new or an old infection.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Sorry, I can't answer that question. I know FDISR very well, but I don't know how you can find out from AVG how old the signature is.

    Your anchoring sounds OK to me.

    If the trojan was stored in your folder "My Documents" and the trojan does bad things somewhere in your system files, then it can infect your WORK snapshot if it is the ACTIVE snapshot.
    The trojan will also infect your ROLLBACK snapshot, if it is the ACTIVE snapshot.
    A copy/update FROM WORK snapshot TO ROLLBACK snapshot and vice versa will also transfer the infection.
    But I'm not sure how this trojan works, I know very little about malware and anti-malware.
    So I'm just guessing. I try to be honest :D

    Downloading files from an unknown source is always 'dangerous', because they are usually stored under "My Documents".
    I'm not saying you did this, but I don't know what you are doing on the internet. I also did a lot of dangerous activities on the internet during my newbie time.

    Maybe you can ask this question in the Anti-Virus forums, because these scanner fans know a lot more than me. :)
     
    Last edited: Apr 14, 2007
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Ashwin, follow these steps.

    Browse to the file location on ur PC via the drop-down box and select it by double click, or single click and Open (in the drop-down box).

    U need JavaScript turned on in Firefox.
    If u have problems, use Internet Explorer instead.
     

    Attached file: 1.JPG (screenshot, 129.5 KB)
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Press the SEND button. U might need to turn off ur AV to select and upload the file. During this time, whether it can do damage or not I am not sure. But I see it's a dll, so it should do no harm, but I can't guarantee u.
     

    Attached file: 2.jpg (screenshot, 92.3 KB)
    Last edited: Apr 14, 2007
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    U can first try to upload a harmless file just to know how it works.
     
  20. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    OK

    I'll have time later today to do the VirusTotal search.

    Just to be sure I understand:

    Will I still be able to find the file if it has been "Quarantined" by the AVG software??

    Does turning off the AVG release the Quarantine?

    Thanks for the screen shots

    Ashwin
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No file will remain quarantined in any case. U can't upload it directly from quarantine. U first need to restore it to a folder of ur choice and then upload.
    I would suggest doing it only if u are confident enough or u have a full backup, but as far as I know restoring a dll from quarantine should not be a threat to ur OS.
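    Two questions from this thread can be partly answered without executing or uploading anything: ashwin's question 1 (was it the same file in both the Primary snapshot under C:\$ISR\1 and the active WINDOWS\system32?) and the upload discussion just above. Hashing the two reported copies is read-only, so it cannot reinfect the machine, and if the two copies are byte-identical they are one and the same file propagated between snapshots (or the same legitimate file flagged twice, as Pete noted a false positive would be). The SHA-256 can also be searched on VirusTotal by hash, which avoids restoring the file from quarantine just to upload it. The script below is an added example and is not code from any poster or from FDISR; the two Windows paths are the ones AVG reported in the first post and are used only as labels, while the files actually hashed are constructed samples in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Paths reported by AVG in the first post (labels only; replace with real paths on the box).
REPORTED_PATHS = [
    r"C:\$ISR\1\WINDOWS\system32\LegitCheckControl.dll",  # Primary (inactive) snapshot copy
    r"C:\WINDOWS\system32\LegitCheckControl.dll",         # active snapshot copy
]


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks; the file is only read, never run."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(paths):
    """Hash every path and report whether all copies are byte-identical.

    identical=True  -> one and the same file exists in every snapshot location
                       (propagated by copy/update or anchoring, or one legitimate
                       file flagged in both places).
    identical=False -> the copies differ; each hash must be looked up separately.
    """
    hashes = {p: sha256_of(p) for p in paths}
    sizes = {p: os.path.getsize(p) for p in paths}
    identical = len(set(hashes.values())) == 1
    return {"hashes": hashes, "sizes": sizes, "identical": identical}


def demo():
    """Constructed sample: two files standing in for the two reported locations."""
    with tempfile.TemporaryDirectory() as d:
        snapshot_copy = Path(d) / "snapshot1_LegitCheckControl.dll"
        active_copy = Path(d) / "active_LegitCheckControl.dll"
        # Same bytes in both places, as a copy/update from one snapshot to the other would leave.
        snapshot_copy.write_bytes(b"MZ" + b"\x00" * 64 + b"constructed sample")
        active_copy.write_bytes(snapshot_copy.read_bytes())
        same = compare_copies([str(snapshot_copy), str(active_copy)])
        # Now make the active copy differ, as it would if only one location had been altered.
        active_copy.write_bytes(b"MZ" + b"\x00" * 64 + b"different sample")
        different = compare_copies([str(snapshot_copy), str(active_copy)])
        return same["identical"], different["identical"]


if __name__ == "__main__":
    for label, path in zip(("snapshot copy", "active copy"), REPORTED_PATHS):
        print(f"{label}: {path}")
    print("constructed demo (identical, different):", demo())
```

On the real machine you would pass the two reported paths (or the restored-from-quarantine copy) to compare_copies and paste the hex digest into VirusTotal's hash search; only if the hash is unknown there is an upload needed at all.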
     
  22. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    I’m sure you’ve all been where I am now: I’d like to devote more time to this, but the world is demanding otherwise.

    I have not proceeded with the Virus Total - outside my tech ability at this point.

    Since my last post:

    - I am still using the same anchor for “my docs” and “desktop”, but something has gone wrong: A series of pdf’s placed on the desktop of my secondary snap never made it to the desktop (OR to my documents) on my primary snap.
    Feels like a new post…

    - I am realizing I don’t know how to navigate the pathways (manage files) to make sure new data from existing software is added to an area (like my docs) so that it will available on both of my snaps.

    Example: my Opera bookmarks AND current websites opened in the browser used to be saved in the anchoring process. Now neither is saved. This occurred after I set my new anchor last month. The bookmarks are not kept in “my docs” so I will have to search them out and try to include them….

    My goal is as Erik pointed out- use the anchor to save hard drive space. I may dissolve it for now, until I have more time to sort this out.

    Yep it’s the learning curve…and worth it…thanks so much everyone…

    Ashwin
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    ashwin,
    I admit that anchoring becomes tricky, if you anchor MORE than the folder "My Documents".
    Every PDF-file has to be stored in the folder somewhere under "My Documents".

    Once you put shortcuts to PDF-files on your desktop and you anchored "Desktop", it might be possible it won't work, because you might have forgotten something that is necessary for Windows.
    Windows is complicated and this requires a detailed study.

    I don't have that problem, because I separated my data from my system partition.
    As an experiment, I will put some shortcuts of PDF-files on my desktop and see what happens.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    I would stick to only anchoring my doc's for data. Book marks and the like can be copied over on an update. Anchoring other stuff is asking for trouble, and probably not worth the small amount of space saved.
     
  25. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Erik - One detail to pdf's: Another thing that started happening is that when I close one Adobe pdf, any remaining open ones close also. That is new to my machine.

    If I download the latest Adobe update (I did last month), and only "my docs" are anchored, will I have in "my docs" the older version of Adobe installer, the newer one also, and the current running version will be the older one until I install the new one? Or should the Adobe installer not even be in "my docs"?

    Peter - at the very least I will start again.
    Will only anchor "my docs", or none at all.
     