No firewall for 2-3 minutes = spoofing attack?

Discussion in 'malware problems & news' started by new2security, Sep 4, 2010.

Thread Status:
Not open for further replies.
  1. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Hi guys,

    Something has been nagging my mind for couple of days now.
    Here's the somewhat lengthy (and messy) story:

    On a computer with XP SP3, I was experiencing irritating hard disk activity for 40-45 seconds right after booting up into the desktop, and I was trying to figure out why. I fiddled around with Microsoft's Autoruns and had disabled pretty much everything non-vital to the system, and disabled unnecessary Services, but the problem persisted.

    Finally, I found the culprit - upon closer inspection in Autoruns, I found there were two sessions of Comodo running: one Firewall and one Internet Security. I disabled the Internet Security and rebooted to check; the long hard drive chugging immediately stopped!
    To make sure the firewall was still working, I tried enabling the Internet Security and disabling the Firewall. Doing this, I lost pretty much all the rules I had set up, and all applications triggered all the nagging questions from Comodo.

    Now, to the point; during my experiments with this and that in Autoruns, I disabled both instances of Comodo and enabled Windows Firewall, but only after a reboot. It means the computer had no firewall enabled for probably two minutes or so, about the time it takes to open Services.msc, find the Firewall service and start it.
    Moreover, it seems at some point Comodo Firewall got confused: it started up as usual but didn't stealth all my ports (GRC). Changing the rulesets by right-clicking the Comodo icon in the taskbar, I spent a good 30 minutes rebooting, testing the firewall, rebooting, etc.

    At some point after another reboot (I am positive that Comodo Firewall was up this time), the network connection didn't open and a pop-up window showed up asking for my admin credentials. I briefly looked at the window, typed in my credentials and got back my network connection. But the thing is, the pop-up window's "theme" looked slightly different from what I'm used to when I use "Run As..." (when I install software). No other software was running at this point, only the usual startup programs and services.

    Could this be a spoofing attempt? Could malware have gotten in during my experiments with "the Firewall on but not properly configured" and "Firewall off" sessions?

    - I am using LUA, SRP.
    - I'm also using Comodo 3.9 if my memory serves me well.
    - No router.
    - It might also be noteworthy that I use Microsoft's unofficial XP Theme, Royale Noir. But the pop-up window didn't look anything like Royale Noir or the Windows Classic theme either!

    I have scanned my system with Avira Antivir, MBAM, Panda antirootkit, F-secure blacklight, Microsoft rootkit revealer...everything looks good.

    Should I worry or am I being paranoid?
     
    Last edited: Sep 4, 2010
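    The two situations in the post above (two Comodo products both set to autostart, and no host firewall at all once both Comodo entries and the Windows Firewall service are disabled) can be checked mechanically from an Autoruns CSV export before rebooting. This is an added Python example, not from the thread; the column names are assumed from the Autoruns export format and every row is constructed.

```python
import csv
import io

# Constructed sample shaped like an Autoruns CSV export (autorunsc -c).
# Column names are assumed from Autoruns' export header; every row value is
# made up to mirror the thread: two Comodo products both set to start at
# boot, and the Windows Firewall/ICS service (SharedAccess) disabled.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Company,Image Path
HKLM\System\CurrentControlSet\Services,cmdAgent,enabled,Services,COMODO Firewall Pro Helper Service,COMODO,c:\program files\comodo\firewall\cmdagent.exe
HKLM\System\CurrentControlSet\Services,cmdAgentCIS,enabled,Services,COMODO Internet Security Helper,COMODO,c:\program files\comodo\internet security\cmdagent.exe
HKLM\System\CurrentControlSet\Services,SharedAccess,disabled,Services,Windows Firewall/Internet Connection Sharing (ICS),Microsoft Corporation,c:\windows\system32\svchost.exe
HKLM\System\CurrentControlSet\Services,AntiVirService,enabled,Services,Avira AntiVir Guard,Avira GmbH,c:\program files\avira\antivir desktop\avguard.exe
"""


def parse_autoruns_csv(text):
    """Return every autostart row as a dict keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def enabled_rows(rows):
    """Only the entries Autoruns reports as enabled (the ones that will load)."""
    return [r for r in rows if r["Enabled"].strip().lower() == "enabled"]


def competing_vendor_installs(rows, vendor):
    """Distinct enabled image paths from one vendor.

    Two or more paths means two products from the same vendor (here Comodo
    Firewall and Comodo Internet Security) will both load at boot, which is
    what produced the long disk churn and the lost rules in the thread.
    """
    paths = sorted({r["Image Path"].lower() for r in enabled_rows(rows)
                    if vendor.lower() in r["Company"].lower()})
    return paths if len(paths) > 1 else []


def windows_firewall_enabled(rows):
    """True if the Windows Firewall/ICS service (SharedAccess) is set to start."""
    return any(r["Entry"].lower() == "sharedaccess" for r in enabled_rows(rows))


def boot_has_no_firewall(rows, vendor="COMODO"):
    """True when neither the vendor firewall nor Windows Firewall will start.

    This is the unfiltered window the poster describes: both Comodo entries
    disabled in Autoruns and SharedAccess not yet started after the reboot.
    """
    vendor_present = any(vendor.lower() in r["Company"].lower()
                         for r in enabled_rows(rows))
    return not vendor_present and not windows_firewall_enabled(rows)
```

Run `boot_has_no_firewall(parse_autoruns_csv(open("autoruns.csv").read()))` on a real export to get the same check; in the constructed sample, dropping both Comodo rows flips it to True.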
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    I don't think you have anything to worry about as regards computer security on this occasion :)
     
  3. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Probably I'm being paranoid, yeah.
    With SRP in enforced mode (except for admin), and with whitelisting,
    I doubt any malware that managed to get in could execute any code.
    My temp folders are restricted by SRP as well.
     