Trouble in paradise.. :( Apparent botnet activity!

Discussion in 'malware problems & news' started by PunchsucKr, Jul 5, 2010.

Thread Status:
Not open for further replies.
  1. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    124
    I made the mistake of not logging out of my admin account for one freaking day since I was doing a lot of admin-related work, and I ended up with a pirated edition of Office 2007 installed on my system by my brother :mad: only noticed today.
    I was using 2010 beta previously and had just installed OpenOffice for some time till I got a 2010 license.

    When I logged in to my OpenDNS account, I was greeted by the message "Malware/Botnet Activity Detected" from my IP address from the day that the app was installed. It was on the 2nd apparently..
    There is a whole list of domains that opendns blocked (84, thankfully), some of them below;


    Now I have restored the system to before the app was installed, and there has been no such activity, looking at Online Armor Free which I just installed. I have since deleted all those restore points except the one I made after I got the restoration done. And I also removed all MS Office related directories.. I did not check with OA with that app installed, since I was in a hurry to remove it from my system.

    I have scanned with MBAM, Hitman Pro, checked all autorun entries with 'autoruns' (OA apparently checked them upon its installation as well), even checked with HijackThis, and checked with GMER for any signs of rootkits; all have come out negative...

    So should I stop freaking out now? :doubt: I don't want an OS reinstall... neither do I have a system image, yeah my bad..

    Attached ss shows the rules OA made by itself... could not stop it from learning initially.
     

    Attached Files:

    Last edited: Jul 5, 2010
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From the portion of the Firewall Ruleset you show, there are some dangers, where Ports 135, 137-139, 445 are permitted in. Those are the trojan/worm ports and should be closed unless you use file sharing, in which case specific addresses are usually indicated.

    Also, additional protection can be obtained by having separate Browser rules for Ports 80 and 443. For Port 443 you can set up a group of custom addresses for your secure sites. Any other attempt to use Port 443 will bring up an alert.

    ----
    rich
     
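The two weaknesses Rmus points out (inbound allows on 135, 137-139 and 445 open to any address, and a port 443 rule that is not limited to a custom address group) can be checked mechanically against a rule export. The following is an added example, not code from the thread or from Online Armor; the `Rule` shape and the sample rule set are constructed and assumed, and are not OA's real export format.

```python
"""Audit a software-firewall rule set for the weaknesses described above:
inbound allows on the RPC/NetBIOS/SMB ports open to any address, and a
browser rule that lets port 443 go anywhere instead of to a custom group.
Added example: the Rule shape and SAMPLE_RULES are constructed, not a real
Online Armor export."""

from dataclasses import dataclass, field
from ipaddress import ip_network

# The ports Rmus names: RPC endpoint mapper (135), NetBIOS (137-139), SMB (445).
WORM_PORTS = {135, 137, 138, 139, 445}


@dataclass
class Rule:
    name: str
    direction: str   # "in" or "out"
    action: str      # "allow" or "block"
    protocol: str    # "tcp", "udp" or "any"
    ports: set       # local port(s) for "in", remote port(s) for "out"
    remote: list = field(default_factory=list)  # CIDR strings; empty = any address


def is_lan_only(rule):
    """True when every remote network in the rule is a private range."""
    return bool(rule.remote) and all(ip_network(n).is_private for n in rule.remote)


def audit(rules):
    """Return one finding string per rule that matches either weakness."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        hit = sorted(r.ports & WORM_PORTS)
        if r.direction == "in" and hit and not is_lan_only(r):
            findings.append(f"{r.name}: inbound allow on {hit} from any address")
        if r.direction == "out" and 443 in r.ports and not r.remote:
            findings.append(f"{r.name}: port 443 allowed to any address; "
                            "restrict it to a custom address group")
    return findings


# Constructed sample rule set, loosely modelled on what a learning firewall creates.
SAMPLE_RULES = [
    Rule("svchost.exe", "in", "allow", "tcp", {135, 445}),
    Rule("System", "in", "allow", "udp", {137, 138}, ["192.168.1.0/24"]),
    Rule("firefox.exe", "out", "allow", "tcp", {80, 443}),
    Rule("firefox.exe secure", "out", "allow", "tcp", {443}, ["203.0.113.0/24"]),  # TEST-NET-3
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Only the `svchost.exe` and unrestricted `firefox.exe` rules are reported; the `System` rule is accepted because its remote addresses are all private, which is the "specific addresses" case Rmus allows for file sharing.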
  3. wat0114

    wat0114 Guest

    In case you forget again, the screenshot...

    Wonderful free software/recovery disk ;)
     

    Attached Files:

  4. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    124
    Thanks for the tip wat0114. Will do that.

    Rmus, do you mean that those ports were opened by active malware on the system for the specific processes?? And does this mean i don't have a clean system?

    I do have an external router with the FW enabled, with UPnP port forwarding disabled... so I guess these won't be opened over there.

    PS: The ss shows all the rules that OA created.

    EDIT:
    In the network activity, I can see the following; the 192 IP being the system's internal IP. But what's with the listening on so many ports.. :(
     

    Attached Files:

    Last edited: Jul 5, 2010
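The question of what is listening, and whether it is reachable from the network rather than only from the machine itself, can be answered from a `netstat -ano` capture rather than from the firewall's activity view. The following is an added example, not from the thread; the netstat lines are constructed sample output in Windows' column layout, not the poster's actual capture, and the PIDs in it are made up.

```python
"""Triage a `netstat -ano` capture for the ports Rmus named.
Added example: SAMPLE_NETSTAT is constructed sample output, not a real capture."""

# Well-known Windows services on these ports (names only; which process owns
# them on a given box must be checked with the PID, see usage note).
WORM_PORTS = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
              138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB"}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING       1812
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:49160      203.0.113.10:443       ESTABLISHED     2240
  TCP    [::]:135               [::]:0                 LISTENING       772
  UDP    0.0.0.0:137            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1096
"""


def split_addr(addr):
    """'192.168.1.5:139' -> ('192.168.1.5', 139); '[::]:135' -> ('::', 135)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def exposure(host):
    """Who can reach a socket bound to this address."""
    if host in ("127.0.0.1", "::1"):
        return "loopback only"
    if host in ("0.0.0.0", "::"):
        return "all interfaces"
    return "one interface"


def parse_netstat(text):
    """Turn netstat -ano output into a list of socket dicts; skips headers."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        host, port = split_addr(parts[1])
        if proto == "TCP":
            if len(parts) < 5:
                continue
            state, pid = parts[3], int(parts[4])
        else:
            # UDP rows have no State column; a bound UDP socket is always receiving.
            state, pid = "LISTENING", int(parts[3])
        sockets.append({"proto": proto, "host": host, "port": port,
                        "state": state, "pid": pid})
    return sockets


def exposed_worm_ports(text):
    """Listening sockets on the named ports that are reachable beyond loopback.
    Returns (proto, port, service, pid, exposure) tuples in capture order."""
    out = []
    for s in parse_netstat(text):
        if (s["state"] == "LISTENING" and s["port"] in WORM_PORTS
                and exposure(s["host"]) != "loopback only"):
            out.append((s["proto"], s["port"], WORM_PORTS[s["port"]],
                        s["pid"], exposure(s["host"])))
    return out


if __name__ == "__main__":
    for proto, port, service, pid, where in exposed_worm_ports(SAMPLE_NETSTAT):
        print(f"{proto:3} {port:5} {service:22} pid={pid:<6} {where}")
```

Feed it the real output of `netstat -ano` and then map each reported PID to its process and hosted services with `tasklist /svc /fi "PID eq <pid>"`; a listener on these ports owned by an unexpected binary, or one that reappears after the restore, is what deserves attention. Loopback-only listeners are ignored because nothing on the network can reach them.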
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I just commented on what I observed in your Rule Set, and you said that OA created the rules automatically. Nothing more can be determined without someone checking with the expertise to analyze what's going on.

    You didn't indicate that in your first post, so probably everything I wrote isn't relevant.

    ----
    rich
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Is it bad to enable upnp port forwarding in router?
     
  7. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    124
    Well I disabled it because my router began having problems with it, rebooting every now and then... but yea it might offer some protection from malware-related opening of ports but I am no expert.

    Ya I understand what you mean... so far apart from these listening connections/opened ports (on the software FW only) there has been no malicious activity over the internet or otherwise.

    Can you please throw some light on the default opened ports for the files pointed out above on Windows 7 Ultimate? And thanks a lot for your attention :).
     
    Last edited: Jul 6, 2010
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Sorry, I don't use Windows 7.

    You might get good help in the Firewall Forum regarding ports, etc.

    ----
    rich
     
  9. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    124
    Alright thanks Rmus...
     