[TELFORT] Official warning: insecure proxy 82.171.62.187

Discussion in 'malware problems & news' started by GES/POR, Mar 18, 2009.

Thread Status:
Not open for further replies.
  1. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Lol? K I did slip up today, I opened a spam message on a forum n pressed the link; it took me to a blank page, but what the hell kind of a threat is an open proxy?



    ISP email:

    Following complaints, we have had to conclude that an insecure open proxy has arisen on your computer/internet connection. An open proxy is a fairly serious security problem which, as soon as it is present, is also abused on a considerable scale for non-permitted activities. In short, it comes down to other people (malicious parties) being able to reach your computer via the internet and misuse it for, among other things, sending large quantities of unwanted e-mail (spam). We naturally assume that there is no intent on your part, but it is of course necessary to prevent further nuisance for other internet users.

    The most common cause of this problem is a bot that has nested itself in your computer's operating system. This bot will from time to time send enormous quantities of spam. Because the bot has its own mail program on board, you will see nothing of this in the outbox or sent items of your mail program. Because a bot is not a virus, a virus scanner will also find nothing. Because a great deal of knowledge is needed to solve a complicated problem like this, we advise you to format the system, so that you are certain to be rid of the problem. It is then important to ensure that your newly installed operating system is provided with all Windows updates and service packs. We also advise you to install a good virus scanner and anti-spyware programs, and a good rootkit scanner.



    http://www.telfort.nl/klantenservice

    E-mail: abuse@telfort.nl
     
    Last edited: Mar 18, 2009
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    For those of us who don't sprechen sie Dutch.
     
  3. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    K am doin a manual scan with SAS n indeed it has found so far: Rootkit.Dropper/BotNet, 4 Detected Items

    Now how come my active programs didn't detect squat and my ISP did? o_O btw very disappointed!
     
  4. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    I have posted the following on the forum where i received this:

    The following poster (a4SXjoc) sent me yesterday the following message (No a bit of joke, but this rocks) containing a link which will lead to a blank page and will drop a Rootkit.Bot.

    I clicked the link because I figured wth with all my advanced security in place, yet active protection of FW, HIPS n AS didn't pick up any activity whatsoever. I did find the blank page to be suspicious, mainly because it didn't lead me to anywhere, so I did think of the possibility to have received malware without any clicking needed.

    Today my suspicion was confirmed when my ISP contacted me at several of my email accounts with a rather large formal letter warning me about having a proxy open due to a Bot (large spam sent with built-in mail using rootkit evading techniques); according to them AVs do not pick up this kinda threat.

    Ok I can solve my own problem by either cleaning up all threats or a format, but I have made this post because it is highly likely that more members on this forum have received such kind of a message, and if you did then take direct action (either format or cleanup).

    I'm in the middle of a scan with SUPERAntiSpyware right now, I have the Pro version. The active protection didn't do jack but the on-demand scan does pick up malware, so for example you could use that.

    So to the moderators i would like you to keep an eye out on ppl who sign up yet never leave a post like this malware spreader did.
     
  5. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    SAS:

    Detected Item Description and Information

    Listed below is basic information about the detected application/process. This application may not be safe to have on your system.

    Summary : Rootkit.Dropper/BotNet.Process

    Company : Unknown

    Description : Rootkit.Dropper/BotNet.Process

    Threat Level (1-10) : 5

    Processes : *
    BN4.TMP

    CLSID List :
     
  6. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    After quarantining n rebooting, I ran a default Edge scan and it detected 3 additional threats, 2 of em High Risk Cloaked Malware (maybe rootkits?) and 1 medium risk.

    Y have these tools detected these threats during on-demand but didn't protect me in realtime?
     
  7. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    So, Prevx Edge doesn't detect this rootkit?
     
  8. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    SAS n Edge detect these threats on-demand only.

    I have cleaned these items with Edge and followed the Px procedure (disable other security, internet connection) before cleanup, cleaned up - rebooted, Edge does an auto scan then and yet another 3 items but different file names. My guess is they respawned, so this malware is pretty advanced.
     
  9. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Hmmm, wanted to clean up the new items and now they show up as cleaned yet they r detected as threats o_O Also got a message from Windows saying Host Process for Windows Services don't work no mo n is closed.
     
  10. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Ok status infected, review items from tray icon triggers a scan o_O
     
  11. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Jesus picked up another high cloaked malware :'( well im off to another cleanup then
     
  12. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    KK Edge is green now, will send Joe a final scan report. Took me too many cleanups, reboots, etc. though to clean a few items - supposedly this had been fixed long ago?
     
  13. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    So who wants the link that drops this nasty, pm me
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    No security solution protects against 100% of threats. The malware authors have copies of the security products as well as the users, so it's always possible for them to engineer around any defense (even whitelisting/anti-executable approaches, by breaking the hash algorithm behind the protection).

    Edge requiring multiple cleanups was probably the result of infections re-downloading other components during the cleanup process. It sometimes will take a few loops around if infections are extremely persistent, but it does look like your system is secure now :)

    Please let me know if you run into anything else. Your ISP has a unique position as they're able to analyze the real traffic coming from your system, something software physically cannot do. I am surprised that they were able to find this, however, as I've never actually heard of an ISP reporting an infection :D But either way, it does look like it is resolved now :)
     
  15. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    But this doesn't answer y the active protection wasn't as useful as on-demand.

    N yes I'm sticking with this ISP :thumb:

    Just finished a full scan with MBAM which found 2 more additional items :thumbd:
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Not sure why they weren't found tbh, however, what did MBAM find?
     
  17. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Don't know if these are false positives:

    Malwarebytes' Anti-Malware 1.34
    Database versie: 1863
    Windows 6.0.6001 Service Pack 1

    18-3-2009 6:06:54
    mbam-log-2009-03-18 (18-06-32).txt

    Scan type: Volledige Scan (C:\|D:\|E:\|)
    Objecten gescand: 174250
    Verstreken tijd: 13 minute(s), 45 second(s)

    Geheugenprocessen geïnfecteerd: 0
    Geheugenmodulen geïnfecteerd: 0
    Registersleutels geïnfecteerd: 1
    Registerwaarden geïnfecteerd: 0
    Registerdata bestanden geïnfecteerd: 0
    Mappen geïnfecteerd: 0
    Bestanden geïnfecteerd: 1

    Geheugenprocessen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Geheugenmodulen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> No action taken.

    Registerwaarden geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registerdata bestanden geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Mappen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Bestanden geïnfecteerd:
    C:\Windows\System32\icf.exe.exe (Worm.Zhelatin) -> No action taken.
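    The two MBAM hits above (the ICF service key and the file icf.exe.exe) can be pulled out of the log mechanically. The parser below is an added example, not part of the thread or of Malwarebytes; its log excerpt is constructed in the same layout as the one quoted, and its triage flags the double ".exe.exe" extension and links the file to the flagged service key with the same base name.

```python
import re

# Constructed excerpt laid out like the MBAM log quoted in the thread (Dutch section
# headers; "(Geen kwaadaardige items gevonden)" means no malicious items found).
SAMPLE_LOG = r"""Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> No action taken.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\Windows\System32\icf.exe.exe (Worm.Zhelatin) -> No action taken.
"""

# One detection line has the shape "<item> (<threat name>) -> <action>."
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
SERVICE_KEY = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return every detection as a dict with section, item, threat and action."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank line or "(no items found)"
            continue
        if line.endswith(":"):                 # section header such as "Bestanden geïnfecteerd:"
            section = line[:-1]
            continue
        m = ENTRY.match(line)
        if m and section:
            found.append({"section": section, **m.groupdict()})
    return found


def triage(entries):
    """Heuristic notes: double extensions, and files whose base name matches a flagged service key."""
    services = {m.group(1).lower() for e in entries
                for m in [SERVICE_KEY.search(e["item"])] if m}
    notes = []
    for e in entries:
        if e["item"].upper().startswith("HKEY_"):   # registry entries carry no file name
            continue
        name = e["item"].rsplit("\\", 1)[-1].lower()
        parts = name.split(".")
        if len(parts) >= 3 and parts[-1] == "exe":
            notes.append(f"{name}: double extension ({'.'.join(parts[1:])})")
        if parts[0] in services:
            notes.append(f"{name}: base name matches flagged service key '{parts[0]}'")
    return notes


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(*found, *triage(found), sep="\n")
```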
     
  18. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    whats tbh
     
  19. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    How is it supposed to redownload stuff when I've pulled the plug on the net during cleanup, as ordered by Edge's cleanup process?

    Joe, with all due respect, I'm not looking for PR damage control but for real answers n a prob. looking into how this can be prevented.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    "tbh" is "to be honest"

    However, the MBAM reported "infections" look like a FP - that is just the empty registry key which was left over for some reason.

    Edge did actually remove the malicious component of it:

    [BP] c:\windows\syswow64\icf.exe.exe:ext.exe [PX5: 9F8DEC3B00E661F1802600AE539FC2009AF0B46D] Malware Group: Medium Risk Malware
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It could have downloaded it between when the scan finished and when you pulled the plug - it's very hard to say. It could also have dropped further infections from the running infections.

    I'm not sure why it wasn't stopped, but nothing is 100% and we can't possibly hope to be 100%. You were using a multi-layered approach and it still wasn't 100%, which proves that nothing is perfect. Not sure what else I can say about it but simply that we will work on improving protection for similar threats in the future. It is a bit odd that the infections were found on-demand and not on-access, but it may be because of SAS blocking Edge from reading the other files - it's hard to say really.
     
  22. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Is it coming back still?
    Is the cleanup successful?
    Real machine or VM session?

    If real machine, you can use a hex editor from an alternate boot medium to check the drive if you're still having issues. Verify partitions, check the end of the drive, look for multiple MBRs.
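    The offline checks suggested above (verify the partition table, look at the end of the drive, look for more than one MBR) can be scripted against a raw disk image taken from the alternate boot medium. The code below is an added example, not from the thread; it parses sector 0, reports unallocated tail sectors, and applies a heuristic for other sectors that carry an MBR-style partition table, run here on a constructed 64-sector image.

```python
import struct
SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"

def parse_partition_table(sector):
    """Return the non-empty entries of the 4-slot MBR partition table at offset 446."""
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": count})
    return parts

def looks_like_mbr(sector):
    """Heuristic: 55AA signature, status bytes 00/80 only, one or more partitions (a VBR fails the status test)."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIGNATURE:
        return False
    if any(sector[446 + 16 * i] not in (0x00, 0x80) for i in range(4)):
        return False
    return bool(parse_partition_table(sector))

def check_image(image):
    """Parse sector 0; report a missing signature, unallocated tail sectors and other MBR-like sectors."""
    total = len(image) // SECTOR
    parts = parse_partition_table(image[:SECTOR])
    findings = []
    if image[510:512] != BOOT_SIGNATURE:
        findings.append("sector 0 lacks the 55AA boot signature")
    last_end = max((p["lba_start"] + p["sectors"] for p in parts), default=1)
    if last_end < total:
        findings.append(f"{total - last_end} unallocated sectors after last partition")
    extra = [lba for lba in range(1, total) if looks_like_mbr(image[lba * SECTOR:(lba + 1) * SECTOR])]
    if extra:
        findings.append("additional MBR-like sector(s) at LBA " + ", ".join(map(str, extra)))
    return parts, findings

def build_sample_image():
    """Constructed image: one bootable type-0x07 partition (LBA 1, 47 sectors) plus a copy of sector 0 at LBA 60."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 1, 47)
    mbr[510:] = BOOT_SIGNATURE
    image = bytearray(64 * SECTOR)
    image[:SECTOR] = mbr
    image[60 * SECTOR:61 * SECTOR] = mbr   # stand-in for a stashed copy of the original MBR
    return bytes(image)

if __name__ == "__main__":   # replace build_sample_image() with the bytes of a real disk image
    print(*check_image(build_sample_image()), sep="\n")
```

    Unallocated sectors at the end of a real drive are normal (alignment), so that line is a pointer to where to look with the hex editor, not a verdict.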
     
  23. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    No no, real machine and all seems good now - thank you though, I will have to change my security setup for obvious reasons.
     