Got a trojan from Windows Update?

Discussion in 'Trojan Defence Suite' started by Robin Moore, Jun 23, 2003.

Thread Status:
Not open for further replies.
  1. Robin Moore

    Robin Moore Guest

    I am running a trial version of MS Server 2000 and when using the Windows Update feature it started telling me during the install phase that none of the components were signed by MS. I ran TDS-3 and have about 1300 ADS files attached to things, many have executables. I am just learning how to work TDS-3 and Port Explorer. I have been in school and studying Server and UNIX, so no time to really mess with the fun things until now. I am watching what this is doing to our rinky little network and it's like a huge science project. Port Explorer is telling me that some of the established ports are used by Optix Lite and RAT this and that. I called Microsoft to let them know that someone hacked their downloads and they told me it's not possible (hysterical laughter) and that it's because it is a trial version. Having downloaded patches previously, since as a student I regularly blow up the network to do everything all over again, I KNOW that this is something new. Any ideas or help would be appreciated. Eventually when I finish playing with my new creepy pet I will want to clean things out.
    Robin Moore
    triara _AT_ yahoo _dot_ com

    *edited your email for the web harvesters; better register as a member (free! and see the attractive contest!) to receive PM and IMs via the board in a safe way!*
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Robin, welcome to security!
    Which windows version are you using?
    I suppose after installing you also updated TDS with the latest references.
    If for instance you use XP/2000/NT, you might have installed TDS as administrator and run as a user.
    This could cause trojan alarms, while the nasties don't show up if you do another scan from admins account.
    A way is to install TDS on both levels.
    For the scans, configure TDS > System Testing > Scan control with everything checked and worm slider on highest sensitivity and you might like to look at all the NTFS streams in this case, although normally many ignore all under 216 or 512 bytes.

    Few more questions: did you update from the official MS Windows update sites?
    Why do you think the infections came with that update?
    Does TDS alarm on all those rather nasty infections you mention there? And with "positive identification" or "suspicious"?
    If they are suspicious you better submit them (zipped please) to the TDS lab for advice, submit@diamondcs.com.au
    If you run XP you might like to go back to a former restore point and see if all those alarms are gone?
    Hope this helps for the moment, to get your system tiptop again.
    Which other AV/AT do you run? Could it be an update from that is on the loose?

    With PE showing the outside connections it looks really serious and I do hope you get it all in order without formatting... :(
     
  3. triara

    triara Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    3
    Location:
    Seattle, WA
    Hi Robin, welcome to security!
    Which windows version are you using?
    ***
    trial version from a server class of MS Server 2000
    ***
    I suppose after installing you also updated TDS with the latest references.
    ***
    Yep, and have backups so no big if I have to blow the whole hard drive and redo it again, that's what I got this junker computer for. :) I am a student who wants to know how to do everything. This thing gets redone on a regular basis.
    ***
    If for instance you use XP/2000/NT, you might have installed TDS as administrator and run as a user.
    ***
    Only have an administrator account for myself on it in this incarnation.
    ***
    This could cause trojan alarms, while the nasties don't show up if you do another scan from admins account.
    A way is to install TDS on both levels.
    ****
    Now how can you install it on both levels? Do you mean give permissions etc. so a user account can use it? I mean, it's scanning the same stuff, isn't it?
    ***
    For the scans, configure TDS > System Testing > Scan control with everything checked and worm slider on highest sensitivity and you might like to look at all the NTFS streams in this case, although normally many ignore all under 216 or 512 bytes.
    ****
    It is configured for any streams 1 byte or larger. I have everything checked. What I want to know is how to delete the ADS en masse, since there are over 1300 of them. Right clicking is going to get awfully old before I am done. It almost seems a lot easier to just reformat the drive.
    ************
    Few more questions: did you update from the official MS Windows update sites?
    *****
    Yep, used the link in the start menu to get there.
    ****
    Why do you think the infections came with that update?
    ***
    Because during the installation of that update I kept getting error messages that said these drivers etc. are not signed by MS and not tested with Windows yada yada, same thing you get when you set it to warn before installing unsigned drivers. It was an IE update service pack and the initial ADS files first appeared in the IE directory. Also, the path to these things leads to directories that are hidden so I can't get to them through Windows Explorer.
    ***
    Does TDS alarm on all those rather nasty infections you mention there? And with "positive identification" or "suspicious"?
    ****
    That is one of the things that is weird. Port Explorer identified several hidden ports in action and those were the ones it said are used by Optix Lite and RATs of various flavors. However, while TDS-3 found the ADS files, it did not alarm on them as having anything else in them executable, but when I look at the properties, some of them appear to be executable, some are gifs, some are sis files, it varies. I KNOW they were not there before since I have done this scan many times. I update on a regular basis. There are three ADS files that belong there. I expect to see them. I didn't expect to see my printer do over 15 pages of ADS listings in small print when I told it to print. It seemed never ending and I think that TDS-3 was moving behind its infection rate. It ran and ran. All the streams are binaries, no text in them.
    ****
    If they are suspicious you better submit them (zipped please) to the TDS lab for advice, submit@diamondcs.com.au
    *****
    How do I get to them to zip the suckers up and send them when I can't navigate to those directories? It is hidden.
    ****
    If you run XP you might like to go back to a former restore point and see if all those alarms are gone?
    ***
    No XP, I rip out operating systems way too often for their activation scheme to be practical. I also take things off and on the machine and tinker with different parts. With XPKeyViewer I might give it a try. It records the activation key so you can use the same one again and again on a workstation. An article in Tech Republic recommended using it to add this info to every workstation's documentation package so if your network is badly infected and the worst happens, you can just set up again without spending hours on the phone to MS.

    Hope this helps for the moment, to get your system tiptop again.
    Which other AV/AT do you run? Could it be an update from that is on the loose?
    ***
    I use AVG, not my preference since I own Norton AV Professional, but they won't let me use it on a server even though it's for educational purposes only. So freeware is what I am stuck with. Server stuff is way too expensive for a starvin' student.
    *********
    With PE showing the outside connections it looks really serious and i do hope you get it all in order without formatting.......
    **********
    I reinstalled Zone Alarm Pro and put a password from hell in it. AND made my system password a lot harder as well. My usual running gear is Norton, TDS-3, Zone Alarm Pro, Port Explorer, and SPY-BOT.

    Any suggestions on how to package them up for sending would be helpful.

    Robin
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I'd be interested to see a text dump of the console. What sockets are RED? Send one to gavin@diamondcs.com.au. Just hit FILE > SAVE TABLE to do so.

    You can't see hidden files and folders? Change the option in My Computer > Tools > Folder Options > View.

    Show all files, and DON'T hide protected operating system files.

    Even if you can't see a folder because it's hidden, typing the path in the address bar at the top of Windows Explorer and pressing Enter should still take you there. :)
     
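Robin asked how to reach streams sitting under hidden directories and how to list or clear more than a thousand ADS entries without right-clicking each one; Gavin's reply covers the Explorer view settings. The script below is an added example written for this thread, not a TDS-3 or DiamondCS tool, and it uses only built-in PowerShell (3.0 or later; on PowerShell 7 replace `-Encoding Byte` with `-AsByteStream`). It walks a directory tree with `-Force` so hidden and system entries are included, lists every named stream other than the default `:$DATA` stream, flags streams whose first two bytes look like a PE header, and writes a CSV report. The starting directory, the report path and the size threshold are assumptions chosen to match the thread (the IE directory, and the 216/512-byte cutoff Jooske mentioned) and should be adjusted for the machine being examined.

```powershell
# Added example (not from the thread): inventory NTFS alternate data streams under a path,
# including hidden/system directories, and write a CSV report for review or submission.
# Assumptions: Windows PowerShell 3.0+ on an NTFS volume; paths below are placeholders.
param(
    [string]$Root     = 'C:\Program Files\Internet Explorer',  # assumed starting directory
    [string]$Report   = "$env:TEMP\ads-report.csv",            # assumed output location
    [int]   $MinBytes = 0                                      # raise to 216 or 512 to skip tiny streams
)

# -Force includes hidden and system entries; unreadable paths are skipped rather than aborting the run
$files = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue

$findings = foreach ($f in $files) {
    # Every NTFS file carries the unnamed ':$DATA' stream; anything else is an alternate stream
    $streams = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes }

    foreach ($s in $streams) {
        # Read the first two bytes of the stream: 'MZ' (0x4D 0x5A) is the DOS/PE header signature.
        # This is a triage heuristic only; a positive still needs a scanner or lab verdict.
        $head = Get-Content -LiteralPath $f.FullName -Stream $s.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
        $looksPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

        [pscustomobject]@{
            File     = $f.FullName
            Stream   = $s.Stream
            Bytes    = $s.Length
            LooksPE  = $looksPE
            # Zone.Identifier is the normal mark Windows puts on files fetched from the Internet;
            # seeing many of these after an update download is expected, not an infection sign.
            Expected = ($s.Stream -eq 'Zone.Identifier')
        }
    }
}

# Full report sorted largest-first, plus a quick summary of stream names by frequency
$findings | Sort-Object Bytes -Descending | Export-Csv -LiteralPath $Report -NoTypeInformation
$findings | Group-Object Stream | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
"Report written to $Report ($(@($findings).Count) alternate streams found)"

# Extract one stream into a normal file for zipping and submission (paths are placeholders):
#   Get-Content -LiteralPath 'C:\path\file.exe' -Stream 'name' -Encoding Byte |
#       Set-Content -LiteralPath 'C:\evidence\file.exe_name.bin' -Encoding Byte
# Remove one stream after review (the host file itself is left intact):
#   Remove-Item -LiteralPath 'C:\path\file.exe' -Stream 'name'
```

Run it from an elevated prompt so system directories are readable, and review the CSV before deleting anything: the `Expected` column separates the routine Zone.Identifier marks from streams that deserve a closer look, and the `LooksPE` column points at the executable-looking ones Robin described. Bulk removal is then a matter of piping the rows you have reviewed into the `Remove-Item -Stream` line at the end.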
  5. triara

    triara Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    3
    Location:
    Seattle, WA
    I will try and get some of this stuff in. I put Zone Alarm back in action and now the console shows all normal with no reds. It had been showing those up till I put it back on. Right now I am kind of impatient with the whole thing and seriously tempted to just reformat the sucker. I will have time tomorrow to do some snooping with it. I will disable Zone Alarm and see if the red parts come back.
    Robin.
     
  6. triara

    triara Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    3
    Location:
    Seattle, WA
    Thanks for all the advice. Last night my passwords started not working at all on the system so it became "ok turkey, I have a boot disk and a power button." I fdisked and it did NOT want to do it. It would say that there were no logical partitions, and then that the extended partition could not be deleted till I had deleted the non-existent partitions. I swung back and forth between the Server 200 install disk and the boot disk and finally got them all cleared out. I reformatted, repartitioned and then fdisked again and reformatted. If it can resurrect after that, I will just get a new hard drive.

    It is frustrating that I simply do not know enough at this stage to effectively use the tools I have. I am still taking the basics classes. This summer is going to be heavy-duty study for me even though I am not in school. TDS-3 and the Port Explorer help files are going to be read till I have them down.

    Thanks again for the help. :)
    Robin
     