Can a trojan hide in backup files & then re-infect your newly formatted hard drive?

Discussion in 'other security issues & news' started by J. A. Beanstalk, Sep 1, 2004.

Thread Status:
Not open for further replies.
  1. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37
    I was convinced that I had trojans and back doors on my computer that were phoning home all the time, and when the constant network activity finally drove me crazy, I backed up my files to CD and reformatted my hard drive. As no matter what security scanners I tried, nothing was able to detect whatever it was that was phoning home. Now that all is quiet, I want to keep it that way--as well as keep my private files out of the hands of criminals.

    And I’m wondering whether I’ll get re-infected with this undetectable spyware if I install my files back onto my newly formatted hard drive. As my suspicion is that since a trojan/backdoor allows a hacker to do virtually anything, a line of code could have been planted in some of my files, programmed to phone home for the full spy programs the first time I went online after reformatting.

    As it’s logical to assume that clever spies will take precautions to avoid losing you when you reformat. So my theory is that they have an automated process that can easily infect every type of file on your hard drive that’s capable of launching some code.

    My understanding is that a line of code like this would be similar to what an unscrupulous software programmer can plant in a program to set up a backdoor into your computer. And that it can disguise itself as browser activity in order to get past your firewall.

    Am I being overly paranoid? If not, what type of files would be capable of launching the hackers code just by opening them? RTF documents? Pictures? Music files? In other words, I need to know what type of files it’s safe to put back on my computer. And although I’m sure my collection of web pages that I’ve saved in html format can definitely be considered unsafe to open, my biggest concern is my browser’s bookmark file.

    As that’s the one file a hacker is pretty much guaranteed that you’ll have to reinstall and launch. (Since you can copy everything else to a computer that’s never connected to the Internet.) So is it possible to infect that file with a line of code that will phone home the first time I use my bookmarks? If so, is there a way to copy the bookmarks to some other type of file format that will ‘sanitize’ any malicious code that’s present, and then allow me to change it back to the regular bookmark format?

    Whatever spyware I had was sophisticated enough to get past my two anti-trojan programs, my anti-virus program, my firewall, and then avoid detection by numerous other security programs when I tried to track it down. So if some launchable malicious code is in fact secreted in my backup files, I have no doubt that the full spyware programs would be able to quickly set up shop again without being challenged by my security software.

    Thanks in advance,
    Jack
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Well, since you went to the effort of reformatting your system, you'll certainly want to do things securely, right from the start. The safe way to approach a reformat and system rebuild is to start of course from factory supplied Windows CDs. Format the disk and install the base Windows system only. Now you didn't say what version of Windows you were running, but if it's Windows XP, you can enable the built-in firewall then connect to the Internet and use IE to go direct (and only) to Windows Update and get all the necessary patches first thing. If you are on dialup, that will be a long process, I'm afraid. But, if you have broadband then it shouldn't be too bad.

    After patches, you need to install your security products. But, since you are unsure of the state of your old system, you really should not trust any executable files saved from that box. Original purchased CD-ROM install kits or freshly downloaded install kits (directly from the vendors' main sites) are the way to go. Install and configure your AV, FW, AT, anti-whatever products from safe install kits and you should be good. During all of this, go only to trusted source websites and take nothing from the old system or its backups.

    The critical thing after installing key security products, (and their updates!), is making secure system settings... I suggest reading and following the advice from here as a start:

    Why did I get infected in the first place?

    You see, it was most likely that whatever you got installed that caused your problems was allowed in via insecure system settings, or via holes from either unpatched Windows (or third-party applications) based exploits. Secure settings, current patch levels, maintained security products (AV, AT, FW...) and safe computing practices are really all you can do. It's not a 100% certainty of course, but it is the best you can do.

    What you restore from the old system is hard to say. But, nothing "executable" in nature should be transferred if you really think there is something so stealthed in there that no product can detect it. Of course, anything you do load from the old system should be scanned from the now clean system before using it. (It's possible that the scanning you were doing on the compromised system was inaccurate because of the compromise itself. A scan from a clean system is more likely to find some malware.)
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524

    Hi Jack,

    Welcome to Wilders.
    I agree with what LowWaterMark said.

    You may not be compromised though. For example, the constant internet activity on a router activity light may merely be the ISP's "heartbeat" which allows the ISP to maintain the network status etc. The hard drive activity light may occasionally come on all by itself in Windows XP even with no scheduled defrag. I learned here that XP has an internal hidden defrag process that periodically optimizes certain system files on the hard drive. So it may be nothing. But on the other hand, there are some very stealthy malware out there capable of disabling various security programs and remaining hidden to all but the deepest examinations.

    The important point is to prevent the malware from executing. When you insert the CD with your backup data to be scanned on your clean system, do not let the CD "Autoload". Do this by holding down the shift key or previously disabling CD autoload.
    I would also highly recommend ProcessGuard from DiamondCS for your pristinely clean system. When properly configured, it will block the sneakiest of malwares: rootkits from installing. To answer your title question, yes they can hide in backup files and reinfect you. Most likely .rtf is okay because they don't have macro execution capabilities. I would still scan every file in those backups with all my updated scanners before moving them back on. If you have a good layered defense system set up, it will be much harder for anything to slip by.

    Here is a basic overview that I put together from what I have learned here for ensuring a clean system. It may be over the top, but it works for me.
    There is a TON of great info here at Wilders on the subject, but here is a link about Can malware infect/corrupt any file/folder/partition on a hard drive?

    I don't think so, but sometimes I think I am paranoid too! :eek: It is not necessarily a bad thing to be a little paranoid when dealing with security. The more you learn the better it gets. Paranoia gradually becomes knowledge and experience, except in my case. :D
    Beware of double extension files like picture.gif.exe. Pictures are generally okay, so are .wav and .mpg. Some windows media player files and MS office files can contain macro virus scripts. The bookmarks don't contain the actual web page, only a pointer to the web page, so each individual bookmark is probably fine. Regardless, I would scan every file on the backup CD with everything I had before restoring the files on to the clean system and you should be okay.

    Hope this Helps
     
    Last edited: Sep 2, 2004
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey Jack,

    I really can't add much more to what LWM or Devinco added....but one of your concerns has me curious due to an ongoing problem I'm having with a family member's PC.

    What kind of malicious code do you feel could be planted in your favorites links? The only code I'm real concerned about with IE is script....but if you use an alternative browser....do you feel they can still harm us?
     
  5. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37

    Funny you should mention this, because with this recent reformat I did, I had forgotten the firewall was off by default, and that file sharing was on by default. So I promptly reformatted again (just as you described above), much to the dismay of the 100 hackers who were probably already on my computer licking their lips. (I'm using XP Home with DSL, and was using FireFox as my browser when I got the spyware.)

    Good advice. I've got a lot of .exe software installers I wanted to use, but since they could be infected, I'll just have to go through the hassle of downloading them again.

    Great link, thanks.

    I think one of the 'best' ways to get undetectable spyware is via backdoors in shareware and freeware programs. As basically, you're having to trust an individual programmer that you know nothing about personally. I probably installed 100 different shareware programs in the past from download.com, most of which I uninstalled. But obviously, any backdoors would have remained.

    Excellent point. I hadn't thought of that--the malware could have been configured to automatically adjust the security software to ignore it, or a hacker could have done it manually after taking an inventory of my software. Thanks for the input!
     
  6. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37

    Hi Devinco, and thanks for the welcome.
    I was going by the activity of the network icon and my Sygate firewall icon in the system tray. Both icons grew more and more active as time went on--much more so than when I first went online. Now that I have a fresh system, "all is quiet", meaning the icons are showing 'normal' activity. Whereas before, it was almost like my PC was being used as some kind of server.

    So are you saying that when I made the backup of my files, a trojan could have infected the CD itself, without having to infect any specific files? And that allowing the CD to autoload would enable that trojan to 'jump out' into my ram? But that if I open the CD 'manually', then the trojan would be kept within the 'constraints' of the CD? If that's the case, then loading a backup CD in your PC carries the same risk as opening an .exe file!

    Great suggestion, I was just thinking that myself. And the next reformat I do, I'll have TDS-4 and ProcessGuard on CD, along with Sygate Pro, and NOD32. All of which I'll install before downloading the I.E. updates. Then all I have to do is reformat once every two months to zap any undetectable trojans I get from web sites. :)

    I was talking to a friend today about WordPad documents that are saved in RTF format. He said his virus scanner checks them when he opens them, and that it only scans files capable of having malicious code. So I'm kind of leery of them now. As you can paste graphic files from web pages in that format, etc.

    Verrry helpful--appreciate it. Looks like I've got a lot more studying to do. And I know many other 'newbies' to Wilders will benefit from your info. as well.

    In reference to the bookmark situation, see my response to Bubba which I’ll post later tonight.

    Thanks again,
    Jack
     
  7. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37

    By "line of code" I meant the actual instructions for the malware, that's used to program it. (Consisting of possibly as few as 100 characters for a simple phone home code.)

    I'm using Mozilla now, and I just went into the bookmark manager of my current system to "export the bookmarks" (for testing purposes), which subsequently turned all of them into a single HTML file. So html is obviously the format of the bookmark file on my backup CD. Which means if I imported it into the browser of my currently spyware free system, then I could get infected again. Or at least that's my educated guess.

    As my theory is that the html file could be infected with a small amount of code which could utilize the browser's Java or JavaScript to phone home for the full spy program, the first time I go online after it's imported. And under this scenario, it wouldn't matter which browser you were using, as we probably all know what JavaScript and html pages are capable of when it comes to trojan exploits. So this is the perfect way for a hacker to re-infect a freshly formatted hard drive.

    But after talking to a friend today, I learned there's also an easy way to circumvent this exploit. Simply ignore the browser's instructions for backing up your bookmarks via the export method. Instead, just copy the actual folders containing the bookmarks to your backup CD. Then you'll have a non-html copy of them. And when you reformat, simply drop the folders from the CD directly into your browser's open bookmark manager. (For I.E. you'd have to access it through the start menu I believe.)
     
    Last edited: Sep 3, 2004
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524

    AFAIK, the CD file system itself can't be infected. If the CD was a boot disk of some kind, then maybe some of the files required to boot could be infected. What I was referring to was the Autorun feature of CDs. A text file called autorun.inf is placed on the CD. In the .inf is a command to open a file (for example: open = myfavoritetrojan.exe). When you insert the CD, Windows detects the CD insertion and looks for autorun.inf. If it finds it, Windows will run the program listed inside. This could be a very small program that gives no indication that it has been run. Or it could be one of your shareware programs with a trojan attached. The program would run normally, but the trojan would also execute. I do not know if there are other methods to autorun from a CD.

    You can turn off autorun for CDs in Windows. You can also press and hold down the shift key while inserting a CD, but you have to keep holding it down for much longer than you think. I always release the shift key too soon and the autorun starts. If you use the shift key method, you should know that double clicking on the CD icon in My Computer will also launch autorun.inf. You need to right click the CD icon and select Explore if you want to look at the files or move them back. I would disable autorun and scan the CD with everything I had. It may not have happened to you though. They might have simply infected some of your executable shareware so that when you run it you get reinfected.

    That's fine too. I have a hardware firewall so that gives me a little buffer (time wise) to get the Windows updates. I prefer to have a clean updated and tweaked Windows image and then later a second image with my security suite. Make sure you burn the CD on a clean machine. I would also make it a CD-R not a CD-RW. That way your security apps CD could not be modified if put into a compromised machine by accident.

    If you implement a good layered defense strategy, you may not even need to reformat that often or ever. With a backup image that is disconnected from the computer, you can boot up from the CD, restore from the backup, and be up and running without having to reformat.

    .rtf files are not executable and I don't think they are capable of containing any form of macros or scripts or HTML. If they did contain it, it would be treated as plain text and not executed. .rtf can contain pictures and formatting, but that's it. All office files (.doc, .xls, etc.) are able to contain macros which may be malicious. Virus scanners can be set to scan ALL files.
    There was also a recent buffer overflow vulnerability in WinZip that was recently patched that affected zip files.
    Learn which files are executable on their own like .exe, .com, .bat, etc. and those that may contain scripts or macros that may be executed by the opening program.

    I'm glad you liked it. I am very grateful for all of the really nice people here and the practical knowledge that everyone freely shares. I know I would have wanted something like this overview when I first was learning (still learning), so I put together the best that I currently know.

    IE favorites are .URL files which contain pointers to the website not the actual HTML page itself. The .URL file has an association with certain Windows system components which would then launch IE with the address located in the .URL file. I don't know if a .URL file can contain HTML or scripts. In fact I don't know how to even open a .URL file to examine it.

    Can't help you with the nature of the Mozilla bookmarks either. Here is a nice backup utility for Mozilla, Firefox, and Thunderbird. It creates .pcv files.
    They probably wouldn't even need to infect the bookmark (although it may be possible). They could just alter the URL of the bookmarks so they go to a malicious website.
    Any file can be altered whether it is on disk or in memory. It is just a matter of whether the malicious file or the malicious part of a file will be allowed to execute. The other method seems to do with buffer overflow to make the loading program go into error by overflowing it with info. Once the target program is in error mode it can be made to execute arbitrary code. It only works on certain programs (and certain versions) that have this vulnerability. At least that's what I think happens. That is also why it is important to keep current with program patches and updates.
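    The two checks Devinco describes above (an autorun.inf whose open= line names a program to run, and the double-extension files such as picture.gif.exe from his earlier post) can be done on the clean machine before anything is copied off the backup CD. The script below is an added example, not code from the original thread or from any product named in it. The backup CD layout it inspects is constructed in a temporary directory, and the file names in it (setup.exe, picture.gif.exe and so on) are hypothetical; on a real CD you would point inspect_backup() at the drive letter with autorun already disabled.

```python
"""
Inspect a backup CD's contents before restoring anything from it.

Added example, not from the original thread. It checks the two things
Devinco describes: an autorun.inf whose [autorun] section names a program
to run (open=, shellexecute=, or a shell\\verb\\command entry), and
double-extension files such as picture.gif.exe. The sample CD layout is
constructed in a temporary directory; its file names are hypothetical.
"""
import os
import tempfile

# File types Windows runs directly when opened (a partial list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}
# Data types that an executable extension may be hiding behind.
DATA_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".rtf", ".doc",
             ".mp3", ".wav", ".mpg", ".htm", ".html"}
# autorun.inf keys that launch something on insertion or on double-clicking the drive.
AUTORUN_EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return {key: value} for the [autorun] section of an autorun.inf (keys lowercased)."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(entries):
    """Return [(key, command)] for every autorun entry that would run a program."""
    targets = []
    for key, value in entries.items():
        if key in AUTORUN_EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def is_double_extension(filename):
    """True for names like picture.gif.exe: a data extension in front of an executable one."""
    root, last = os.path.splitext(filename.lower())
    _, inner = os.path.splitext(root)
    return last in EXECUTABLE_EXTS and inner in DATA_EXTS


def inspect_backup(root_dir):
    """Walk a backup tree; return sorted (kind, relative_path, detail) findings to review."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root_dir)
            if fn.lower() == "autorun.inf":
                with open(path, encoding="utf-8", errors="replace") as f:
                    for key, cmd in autorun_launch_targets(parse_autorun(f.read())):
                        findings.append(("autorun", rel, "%s=%s" % (key, cmd)))
            elif is_double_extension(fn):
                findings.append(("double-extension", rel, fn))
            elif os.path.splitext(fn)[1].lower() in EXECUTABLE_EXTS:
                findings.append(("executable", rel, fn))
    return sorted(findings)


def build_sample_cd():
    """Create a hypothetical backup CD layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="backupcd_")
    os.makedirs(os.path.join(root, "pictures"))
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nicon=setup.exe,0\nopen=setup.exe /quiet\n"
                "shell\\explore\\command=setup.exe\n")
    for name in ("setup.exe", "notes.rtf", "pictures/holiday.jpg", "pictures/picture.gif.exe"):
        open(os.path.join(root, name), "wb").close()
    return root


if __name__ == "__main__":
    for kind, rel, detail in inspect_backup(build_sample_cd()):
        print("%-17s %-26s %s" % (kind, rel, detail))
```

    The icon= line is deliberately not reported: it only tells Explorer which icon to draw, while open=, shellexecute= and shell\verb\command= are the entries that make Windows start a program when the disc is inserted, double-clicked, or picked from the drive's context menu. The data file notes.rtf and the picture holiday.jpg produce no finding, which matches Devinco's point that plain data is far less of a worry than anything that can run on its own.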
     
  9. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37

    Great tips. I will definitely disable autorun, and also use the imaging method from now on to foil undetectable trojans, instead of reformatting. That's also great for 'uninstalling' new software of course, since it will get rid of any invisible back doors.

    What I meant was that when you "export" the bookmark shortcuts, the browser combines all of the shortcuts into an html file. And that html file could conceivably contain some malicious code that could infect your new browser when you import it.

    And when you have thousands of bookmarks, there would obviously be no practical way of determining if any of the URLs had been altered.

    Thanks again for the info.--will definitely put it to good use.
    Jack
     
    Last edited: Sep 6, 2004
  10. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37

    My conclusion is that regardless of which method you use to backup your bookmarks, they're a clear security risk when copied from a hard drive that's been compromised by undetectable malware. And when you have thousands of bookmarks that you've spent a lot of time organizing into folders, that presents a depressing problem with no apparent solution. :'(
     
  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524

    Hi Jack,

    To every problem, there is a solution!
    I know, when I was attacked by trojans, I felt pretty bad. "They" were out to get me. Then I learned about rootkits and I was convinced that I had one. Then I learned more about how they work and the best ways to defend against the different types of attacks. I now feel pretty safe operating the computer. I am still alert and watch out for the obstacles. It is not unlike learning to drive a car safely. Scary at first (so many things to watch out for), then once you learn to drive safely, nothing to it. The problem is they don't require safe computing courses to operate a computer.

    I don't think your bookmark situation is THAT bad. It is no more a threat than any of the other data that you backed up to CD. In fact, you are better off with the favorites as one html file than say an .exe of an installer of one of your sharewares. Here's why:

    An HTML file is basically a text file that you can view the source for to examine, whereas an .exe you cannot look into. An HTML file can only "execute" within the context of the browser, whereas an .exe executes and potentially has access to the whole computer. With HTML, the threat is mobile code (ActiveX, Java, JavaScript). This is where the malicious code for HTML pages hides. You can totally block them by turning off mobile code in your browser. Then the only manipulation possible will have been changing the URL of your bookmarks so that you would be redirected to visit an evil website that would try to install malware. Installation of the malware through a website visit would require mobile code. Since you blocked mobile code in the browser, the malware will not install. You now have located the altered bookmark and can change it back to the right address. Just scan every file thoroughly with updated signatures and scan them with all your malware scanners.

    If you have a good layered security setup, it will be VERY difficult to get past all your defenses without being detected. The "undetectable trojan" may get past one or two of your defense layers, but will be caught by the others.

    You seem interested in protecting your computer. That is great! You are already ahead of the masses of computer users who wonder why this happened to me, only to repeat the same mistakes over and over.
    Keep learning and you will be up to speed in no time! :)
     
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271

    Speaking of Active script only....if a user exported his/her favorites using IE's Import/Export wizard into a bookmark.htm file....it's simply what Devinco said....an "HTML file is basically a text file". If by chance the file was "compromised by undetectable malware" and was injected with "malicious code that could infect your new browser when you import it"....they would also have to compromise your My Computer Zone default settings....because Active script is set to prompt by default. Of course....anything is possible but for those users that think this deeply....they should really consider not surfing because they will always feel there is "a depressing problem with no apparent solution."
     
  13. Re: Can a trojan hide in backup files & then re-infect your newly formatted hard driv

    But how can someone who isn't familiar with html code spot a short line of 'phone home code' mixed in with the text of thousands of bookmark shortcuts?

    But two seconds after "executing within the context of the browser", a line of 'phone home code' can receive an undetectable trojan that DOES have access to the whole computer.

    But without javascript, how is he going to use the Internet? My favorite web sites won't even load when I have javascript disabled.

    He said that nothing he tried could detect the malware, so if he gets reinfected with the same thing, how is his software supposed to detect it a short while later? And suppose the hacker only has 500 computers infected with his customized malware--it could be years before there's a signature available for it. As most people will think the excess network activity is just normal browser communication.
     
  14. Re: Can a trojan hide in backup files & then re-infect your newly formatted hard driv

    There's nothing difficult about compromising ANY browser. A line of 'phone home code' in an html bookmark file can utilize JavaScript to mimic normal browser activity, and retrieve a trojan from its home base.

    This 'depth' barely scratches the surface, as hackers think at least five levels deeper.

    In other words, they should just cut their head off with a chainsaw "to spite their face"? I've been using the Internet for over a decade, and the security risk Beanstalk describes is the only one I've encountered that couldn't be solved. But your position is that since this problem can't be solved, then I "should really consider not surfing"?
     
  15. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524

    If you don't know what to look for, then it won't make any sense.
    I am not familiar with all the workings of how each browser handles bookmark import and export or of the exploitation of bookmarks. However, the browser is just trying to import the URL and title to recreate the bookmarks. It may ignore all mobile code and just get what it needs. I can only guess there would be 2 ways the bookmark HTML file could exploit the browser:
    1. Cause some kind of buffer overflow in the browser during bookmark import that would then allow some script in the HTML bookmark file to execute. Pure speculation, probably unlikely, and would require a pretty poorly made browser that would be fooled by that. This could be countered by using a less vulnerable browser (like Firefox or Opera) and by disabling mobile code during the import process.
    2. The bookmarks URL addresses were altered to point to malicious websites while leaving the title of each bookmark the same. This would be very possible. You would import the bookmarks, click on a normal looking bookmark, then visit the malicious website that would try to infect you via various exploits. Using an alternate browser and by disabling mobile code at least during the bookmark verification process (visiting each bookmarked site to confirm the URL) should cover you.

    But it depends on how vulnerable the browser is. I have tried many of the browser vulnerability tests and basically Firefox did much better compared to IE. Since the point of contact with mobile code is at the browser, it is dependent on how securely the browser handles it. Some browsers allow you to configure the settings better for security. If the browser is not vulnerable to the exploit, then you won't be compromised.

    I agree. You should be able to visit websites with Javascript enabled without fear of being attacked. The major browsers should either strip all of the dangerous parts out, or allow users more granularity to select what to allow and what to block. Firefox makes a start with more Javascript options, but it is not enough. The alternative browsers go a long way to making surfing safer. Some AV like NOD32 now have a webpage scanner that may help with this. Also web filters like Proxomitron could work to filter the bad mobile code while leaving the good. The problem is, we need to identify WHAT the bad code is, but that is another topic. Some firewalls like Outpost Pro allow you to specify per website whether to allow mobile code. So you could enable it just for your trusted favorite websites.

    Well, if he didn't learn anything from this thread or from Wilders and he does the same thing he has been doing, then of course he will be infected again. Obviously his previous defenses were not good enough. Many times it is just a matter of configuring your security properly to get the most protection out of it. All the security programs in the world won't help if you don't use them or set them up improperly. A good layered defense (with a security savvy operator) will present a formidable barrier to the "undetectable trojan".

    You are referring to custom modified trojans. Yes, they may get past a purely signature based trojan scanner. But what if that scanner uses other behavior based methods? It could detect the trojan by the tell-tale signs it has to make during infection. If the trojan tries to alter the registry, something like SSM or Regrun Gold would prevent it. If it tries to inject itself or hook into the browser, then something like Process Guard would prevent it. That's the whole point of a layered security setup.
     
  16. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524

    I know this was addressed to Bubba, but I am curious.
    How do you compromise ANY browser? Please enlighten us as to how the html bookmark file importation process works and how the browser is compromised specifically.

    Are you a hacker?
     
  17. K0zani

    K0zani Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    9

    Hello everyone,

    As usual, always finding something profound and useful reading these posts, though my brain is slowly functioning today, (ie, lost a bit, snafu!) so excuse a bit of rambling. I still do not know how to use the quotes in reply, but, in reference to this html backup or about the bookmarks. I found this nifty program which is freeware from snapfiles, (formerly webattack). AM DeadLink, from snapfiles: http://www.snapfiles.com/get/amdeadlink.html or the author's site: http://aignes.com/products.htm. What I found interesting is how it checks your favorites and shows if it is ok or dead (the real reason for the download), but, then it showed if the link was ok but it redirects. So, in the case where it was mentioned about having a url redirected, I am thinking AM DeadLink would be a great visual help. Hopefully this helps someone that wishes to back up their bookmarks and see if all are necessary. Also, it works with most versions of different browsers. Now I will go back and re-read this whole post in the hope it will sink in somewhat better. oi.

    Cheers

    K...

    ~ I wish I could think of a profound quote, I wish, I wish, I wi..... ummm need more back up sleep~ o_O
     