Did a hacker copy my honeymoon pix?

Discussion in 'malware problems & news' started by entropy123, Apr 22, 2003.

Thread Status:
Not open for further replies.
  1. entropy123

    entropy123 Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    6
    Like an idiot I downloaded a favorite ep a Sunday ago and - like a bigger idiot - I downloaded a codec it said it needed. (I'm buying the DVD just to soothe my conscience)

    Turns out the codec was really W32.Kwbot.F.Worm and it dropped Backdoor.Sdbot on my computer.

    I didn't catch any of this for seven days, my computer had startup problems which I attributed to a recent reinstallation of WinXP and not a virus. Luckily I ran NAV and I caught it late Sunday night.

    Panicking, I followed NAV's advice but still was not able to remove all files. So I reformatted, twice (I've never been hacked and I was in panic mode...).

    I think I squashed the virus and I bought/installed a shitload of software. Between Norton and Zonealarm I'm vaguely certain that spare electrons do not squeeze out into the internet anymore...

    Two worries:
    1) My tax return for 2002 was on the drive during the period in which I was infected.

    2) So were my honeymoon pictures which would lead to my divorce (Though they are nice Playboy, not hardcore) if they were posted on the internet. Maybe not divorce, but malicious posting would really hurt me and my wife...I don't really know what else to say here...

    Needless to say these files are off the computer but my worries are still on my mind.

    Is there any way to figure out what the hacker took? Is there any way to know if the virus was even active? Can I figure out who the hacker is?

    I feel like such a shitheel.

    Thanks,
    Entropy
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi entropy123,

    Am I correct in understanding that you did not have a firewall during the time you were infected?
    Chances are very slim that if anyone was able to access your data, they would choose to steal pictures. Normally they would go after your passwords or other useful information.

    Regards,

    Pieter
     
  3. entropy123

    entropy123 Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    6
    Pieter,

    No firewall, I'm behind a router but I'm given to understand that would not help....

    Does this change the picture?

    Thanks,
    Entropy
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi entropy123!

    Well, it looks bad if you formatted your hard disk twice to get any information back. Overall you rewrote the hard disk with the new OS, so there's no hope of getting any information about the old hard disk back!

    So I'm not able to tell you if the virus was active, if the hacker took something from your computer or even figure out who the hacker was. But don't worry about that. You can't change things now - so you have to accept them as they are.

    And don't forget, it doesn't mean that the hacker took the things you wrote about. Perhaps he has done nothing at all. More important is what you can do so that in future this won't happen again. So let's go through this:

    a) If there's a further attack: NEVER EVER PANIC! Just unplug the network cable and get help (if you need it).

    b) Install the latest Updates of your OS

    c) Install an Antivirus-Software (as you already do)

    d) Install an Antitrojan-Tool (TDS-3 for example)

    e) Install a personal firewall (Look'n'Stop for example)

    f) Buy a router and put it in front of your computer (as you already do)

    g) Use encryption software to hide your private files (PGP for example)

    h) Install Spyware-Software (Ad-aware, Spybot,...)

    i) Install a registry monitor (like RegProt or Cleaner)

    j) ... If you still don't have enough of my suggestions let me know, so that I can give you further information about how to make your computer more secure!

    If you have any further questions let me know!

    Best regards!

    Patrice
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Does your router make logs?
    If so, they could provide useful information.
    If not, there is not much chance of finding out anything about who and what.

    This is what the hacker was able to do at your computer:
    -Manage the installation of the backdoor
    -Control the IRC client on the compromised computer
    -Dynamically update the installed Trojan
    -Send the Trojan to other IRC channels to attempt to compromise more computers
    -Download and execute files
    -Deliver system and network information to the hacker
    -Perform Denial of Service (DoS) attacks against a target that is defined by the hacker
    -Uninstall itself completely by removing the relevant registry entries

    Regards,

    Pieter
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Pieter!

    In addition to what you mentioned, he was able to delete all the important logs of Windows as well, so that you can't see that he was active... But only if the hacker was a real pro! ;)

    Regards,

    Patrice

    P.S. What router do you have, entropy123?
     
  7. entropy123

    entropy123 Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    6
    Pieter,

    I have a linksys four port router, non-wireless. It apparently has some 'hardwired' firewall.

    Right before I ran norton I did something called a Gibson's port scan (found this on the web) which informed me that my computer was 'super stealthy'. I wasn't - like an idiot - running the WinXP firewall so I thought no way am I stealthy.

    I ran norton and found the virus.

    Another thing, the HD with the material I don't want to see on the internet was on my D drive, which I disconnected (Cable) once I learned I was hacked.

    How does the situation look?

    entropy
     
  8. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi entropy123!

    Can you check if logging was enabled (in router settings - 192.168.1.1)?

    Here are logging utility tools:

    http://www.sonic.net/wallwatcher/
    http://www.wallwatcher.com/GetLog_Readme.html

    GetLog is the one, with which you can check what traffic you had on your router. But be aware that with the BEF series of Linksys you only have 70 log entries... With the BEFSX series of Linksys you would have up to 1000 log entries. Can you tell me the exact name of your linksys router?

    It would be great if you had a router of the BEFSX series, because then it would be possible to see what traffic you had!

    Regards,

    Patrice

    P.S. By the way, the internal firewall of Windows XP is crap, unfortunately.
     
  9. WasNotMe

    WasNotMe Guest

    Relax! Get yourself a brew. Worms like the one you mention are scriptkiddie crap. No pro hacker would mess around with your personal stuff. And no scriptkiddie is going to leave a trail to his front door by placing pics on the internet. You were violated and feel the emotions. Tighten your security and move on with your life. You sure as hell won't get any information off your reformatted hard drive that would help in learning the identity of the origin of the worm. Tough love but true.
     
  10. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
  11. entropy123

    entropy123 Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    6
    Patrice,

    How do I distinguish serious hacking from 'scriptkiddie' activities?

    entropy
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    SDBot is an IRC controlled backdoor, and usually you would be part of a botnet. The main thing they want that you had was bandwidth. Controlling a botnet would be easy, but browsing each and every user's hard drive (even a few) would be time consuming.

    So I doubt many botnet owners would go uploading a trojan to their victims and then connect to them all and snoop around. Considering the timeframe of a week I would guess you are fairly OK ! :D
     
  13. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi entropy123!

    Let's say scriptkiddie crap is someone who writes malicious code in a script. If you open and start this script it would for example delete some system files on your hard disk, put a file in the autostart (trojan, etc.) or whatever. Serious hacking is difficult to trace. Perhaps you don't even know that it happened (if the hacker is a pro and you don't have enough security). It means that a hacker breaches your system, gets in, fools around (installing trojans, deleting files, copying files,...) and uses the computer for example to attack other computers. Normally they hardly leave any traces which could compromise them.

    But you can trust the reply of Gavin / DiamondCS, they have much more knowledge about trojans than I have. They are dealing daily with such things! Consider looking at TDS-3, it's worth it!

    Entropy123, could you please tell us what router you have (exact name)?

    Best regards!

    Patrice
     
  14. controler

    controler Guest

    Despite what some think of the company that makes this program, Hacker Eliminator is a good program with tons of features, like back tracing the hacker. The company is here to make money like everyone else and isn't cheap, and it sure doesn't hurt to trial it out, right?
     
  15. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi controler!
    I just checked out Hacker Eliminator. I have to say it's a nice registry scanning tool and certainly good for some people but nothing more. If I consider that I would have to pay for it there are other alternatives. You can use RegistryProt from DCS which does almost the same things (especially it's for free and uses very low mem!). The port exploring tool isn't that good, let's say it's a good start for a beginner. I prefer Port Explorer from DCS. And last but not least, against trojans you need something like TDS-3. There's no way around it. Hacker eliminator can't help there!

    If you have TDS-3, Port Explorer and RegProt (as I have) you don't need Hacker Eliminator. And last but not least I didn't like their homepage at all. There's no explanation, support or whatsoever. That's a bad sign! The homepage, the service and the support give very important information about a software (trustworthy or not). :(

    But nevertheless it's worth a look. ;)

    Best regards!

    Patrice
     
  16. entropy123

    entropy123 Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    6
    Patrice,

    I'm running a Linksys BEFSR41 v2.0 4 port router. My wife also has a computer (mac) hooked up.

    I don't know if it makes a difference, but about 1 day before NAV found the virus and I freaked I had run 'Gibson's Port Test' which gave me the all clear 'super stealth' rating...For some reason this made me suspicious enough to ask a question on a newsgroup. One of the replies was to run NAV so I did and there was my virus...

    Also, this morning my computer acted up at startup again. I searched for the specific error and it turned out to be my memory. I had a 512mb DDR chip which now is reading as 256mb...At random intervals my computer will refuse to start up...

    Thanks for all the advice on the various tools. As time allows - gotta keep my job - I'm running these tests and trying to figure out how to assess the security of my computer on a daily basis...I'm running ZApro but I'm not sure how to set ports and the like.

    I still can't figure out why 3 copies of SVchost.exe need to access the internet...

    Thanks!
    entropy
     
  17. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Well, that memory chip problem could certainly be the cause for some of the odd behaviors you've seen.

    >> I'm running ZApro but I'm not sure how to set ports and the like.

    The key to ZAP is that it blocks things by default and the advanced configs are more for when you need to allow something that you're having problems with... If you have ZAP's firewall slider set to High for the Internet Zone, and the items under the various custom and advanced tabs all at their defaults, then you are probably good to go.

    The thing to watch out for is what things you allow to "act as server". Unless you want to provide a web server or ftp server (or other type of server) on your system, you shouldn't have anything allowed to act as server in the Programs listing tab.

    ZAP's most valuable feature for you, since you are behind a router, is watching for Programs that want to access out or act as a server. Just be careful what things you say yes to when you get pop-ups asking about program rights.
     
  18. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi entropy123!
    I got the same router as you have. Forget about the old logs of your router, you just have 70 logs stored in it. But nevertheless enable logging in the router settings, install WallWatcher and GetLog, so that in future you are able to check your logs. For further information see the information which was posted some answers before.

    This is normal, so let them be. Svchost is started several times, but with different parameters (svchost.exe -h,...). As far as I remember it has something to do with the network. But it's o.k. I haven't found any good information about this process on the Microshit Knowledge Base or TechNet unfortunately. :mad: Perhaps someone else can help you out there.

    I'm too tired now, gotta go to bed. It's midnight already where I live!!

    Best regards!

    Patrice
     
  19. entropy123

    entropy123 Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    6
    I'm running WallWatcher and red IPs account for roughly 30% of my 'hits'. What does this mean and how do I figure out if it is malicious?

    Some of the red - which I take to be unrequested - hits are by the same address maybe 5-9 times in a row...

    Thanks,
    entropy
     
  20. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi entropy123!

    Don't worry about them! It's good that you see the traffic now! If these packets are really unrequested (did they appear when you weren't surfing around and doing nothing?), they were blocked successfully by your router!

    Don't forget to install GetLog as well. If you shut down your computer during night, you can view the log of the router with this tool the next morning. That helps to see, if someone tried to attack your system. ;)

    And don't forget to install a good firewall as well. I suggest Look'n'Stop, because it's the one that passes all the leak tests at the moment. And because you don't need just outside-inside protection (router) but also inside-outside protection, as you know since a few days... For further information about firewalls, leak tests and online tests of your system go to PC Flank:

    http://www.pcflank.com

    Best regards!

    Patrice
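As an added example (not code from this thread, from WallWatcher/GetLog or from Linksys), here is the check Patrice describes done over a router log: count the blocked inbound hits ("red" entries) per source address so that a source hitting the router repeatedly stands out. The log line format is constructed for the example; a real router export would have to be mapped onto the same fields first.

```python
# Added example: summarise blocked inbound hits from router log lines.
# The line format below is constructed for this example, not a real
# Linksys or WallWatcher format.
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<action>BLOCK|ALLOW) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one source probing several ports in a row, one
# single stray hit, and the user's own outbound web traffic in between.
SAMPLE_LOG = """\
2003-04-22 23:10:05 OUT ALLOW src=192.168.1.100 dst=198.51.100.20 proto=TCP sport=3212 dport=80
2003-04-22 23:10:07 IN BLOCK src=203.0.113.7 dst=192.168.1.100 proto=TCP sport=4012 dport=445
2003-04-22 23:10:08 IN BLOCK src=203.0.113.7 dst=192.168.1.100 proto=TCP sport=4013 dport=139
2003-04-22 23:10:09 IN BLOCK src=203.0.113.7 dst=192.168.1.100 proto=TCP sport=4014 dport=135
2003-04-22 23:10:11 IN BLOCK src=203.0.113.7 dst=192.168.1.100 proto=TCP sport=4015 dport=445
2003-04-22 23:10:12 IN BLOCK src=203.0.113.7 dst=192.168.1.100 proto=TCP sport=4016 dport=445
2003-04-22 23:11:40 IN BLOCK src=198.51.100.9 dst=192.168.1.100 proto=UDP sport=1026 dport=137
2003-04-22 23:12:02 OUT ALLOW src=192.168.1.100 dst=198.51.100.20 proto=TCP sport=3213 dport=80
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarise_blocked_inbound(log_text, repeat_threshold=5):
    """Return (hits per source, dest ports per source, repeated sources).

    Only inbound BLOCK records count: outbound and allowed traffic is the
    user's own. A source at or above repeat_threshold is the "same address
    5-9 times in a row" pattern; it is a probe, but every hit was dropped.
    """
    hits = Counter()
    ports = defaultdict(Counter)
    for rec in parse(log_text):
        if rec["dir"] == "IN" and rec["action"] == "BLOCK":
            hits[rec["src"]] += 1
            ports[rec["src"]][int(rec["dport"])] += 1
    repeated = sorted(s for s, n in hits.items() if n >= repeat_threshold)
    return hits, ports, repeated
```

A long-lived or wide probe across many ports from one source is worth noting, but as Patrice says, a BLOCK record means the router already dropped it; the follow-up is confirming the PC itself makes no unexpected outbound connections.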
     