XeroBank: Hacktool.Rootkit

Discussion in 'privacy technology' started by Pleonasm, Jun 15, 2008.

Thread Status:
Not open for further replies.
  1. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    When running the XeroBank Installer (2.0.0.14b) on Windows Vista (32-bit), Norton Internet Security 2007 detects and blocks a rootkit:
    Risk Name: Hacktool.Rootkit
    Risk Category: Virus
    Risk Level: High
    Action Taken: Blocked

    [1] What is the XeroBank Installer attempting to do?
    [2] Is there a mechanism to install only xB VPN without using the XeroBank Installer?

    Thank you.
     
    Last edited: Jun 15, 2008
  2. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    According to Symantec, a “Rapid Release” virus definition for Hacktool.Rootkit was released two days ago (June 13, 2008; revision 032). However, the “Rapid Release” virus definitions may result in the detection of false positives:

    Is XeroBank in communication with Symantec to resolve this issue?
     
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    This happens all the time with Symantec. Every time the response is the same:

    This is caused by a couple of DLL files it sees. One detects if the user is running a firewall, another is a utility for killing processes.
     
  4. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Steve, thank you for the prompt response.

    [1] Based on your experience, how quickly do you anticipate Symantec releasing an updated set of virus definitions that will allow the XeroBank Installer (2.0.0.14b) to run on Windows Vista (32-bit)?

    [2] Is there an alternative installation process whereby I may install xB VPN only?
     
  5. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Pleonasm,

    We spoke with Symantec today, and they said it isn't in
    their current database. Please tell me what product and
    definition version you are using, and then update and
    try again.
     
  6. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Steve, I am using Norton Internet Security 2007 (version 15.5.0.23 with virus definitions 2008.06.14.016) on Windows Vista SP1 Business (32-bit). Both NIS and Windows are completely up-to-date.

    Symantec LiveUpdate reports that there are no updates available at this time (i.e., no virus definition updates have been issued since I first attempted to install XeroBank this morning and encountered the problem).

    [1] According to the NIS activity log, it appears that the file which triggered the security alert is: “c:\users\<user>\appdata\local\temp\nss9772.tmp\firewall-disabler.dll”. Is this a file created by the XeroBank installation process?

    [2] Can you replicate this problem internally at XeroBank?

    [3] Please let me know if there is any additional diagnostic information needed.

    Thank you for looking into this concern so quickly.
     
  7. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Is this the DLL that is used by XeroBank and is causing the threat alert by Norton Internet Security 2007: Firewall-Disabler plug-in?

    P.S.: By the way, my PC is free of all malware, as reported by running full scans with both Norton Internet Security 2007 and Webroot Spy Sweeper 5.5.7.
     
  8. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Steve, has XeroBank had any additional conversations with Symantec on this issue?

    In addition, is the file which triggered the security alert (“c:\users\<user>\appdata\local\temp\nss9772.tmp\firewall-disabler.dll”) created during the XeroBank installation process?

    P.S.: In prior posts, I mistakenly referred to “Norton Internet Security 2007” – but, am actually running NIS 2008, of course.
     
  9. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    As of 6/16

     
  10. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Thank you, Steve. I will run the XeroBank Installer (2.0.0.14b) again later today after updating Norton Internet Security 2008, and post the results.

    [1] In addition, is the file which triggered the security alert (“c:\users\<user>\appdata\local\temp\nss9772.tmp\firewall-disabler.dll”) created during the XeroBank installation process?

    [2] To clarify, xB VPN does not modify the operation of the firewall on a user’s PC – correct?
     
  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    firewall-disabler is only used to check and see if you are running a local firewall, in case the browser can't connect.
     
  12. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Success! With the updated Symantec virus definitions, the XeroBank Installer (2.0.0.14b) ran without triggering a security alert by Norton Internet Security 2008. Additionally, after installing xB VPN and running a full system scan with NIS, “No viruses, spyware, or other risks were found.”

    However . . .

    [1] Even though the xB Browser was unselected during the installation process, a shortcut to xB Browser was added to the desktop as well as to the “Start | All Programs | XeroBank” folder. You may wish to correct this situation in the next release of the XeroBank Installer.

    [2] A shortcut to “xB Config” is added to “Start | All Programs | XeroBank”, but the target application (“xBConfig.exe”) is not installed (in “C:\Program Files\XeroBank\App”). What does xB Config do, and why is it missing?

    [3] Upon logon, Windows attempts to launch xB VPN – but, this error message appears in the System Tray: “Windows has blocked some startup programs.” If I manually attempt to launch xB VPN (“Start | All Programs | XeroBank | xB VPN”), OpenVPN GUI displays this message: “Error opening logfile for writing. You probably don’t have administrator privileges, which are necessary to run OpenVPN.” I am, however, running Windows Vista SP1 Business (32-bit) in an administrative account. This error can be avoided by right-clicking the shortcut to xB VPN and choosing “Run as administrator” – however, that is an inconvenience and a step that cannot be executed automatically at logon. What is the recommended solution?

    [4] After exiting xB VPN and then later starting it, xB VPN displays the message: "It appears that xB VPN is already running" (even though, as far as I can determine, it is not running). Why?

    [5] My understanding was that XeroBank had nodes on its network in several countries around the globe – yet, only Canada and Netherlands are displayed as connect options when right-clicking the XeroBank icon in the System Tray. Why?

    [6] When attempting to connect to Canada by right-clicking the XeroBank icon in the System Tray and selecting “Canada | Connect”, OpenVPN GUI displays the message: “Connecting to Canada has failed.” Why? Note, however, that if I subsequently navigate to "www.google.com", I am connected to "www.google.ca", which seems to indicate that I was indeed connected to Canada, despite the error message.

    [7a] Based upon reading your prior posts, I was under the impression that the user could optionally select a US entry as well as US exit node on the XeroBank network. However, I do not see these options available. Why?

    [7b] How may the xB VPN configuration be altered (“C:\Program Files\XeroBank\Data\config\*.ovpn”) so that xB VPN always connects to Canada?

    Thank you for your continued assistance. Hopefully, the answers to these questions will assist many other individuals, too.

    P.S.: In examining the xB VPN log, I was pleased to see that LZO compression and AES-256 bit encryption are both used by default.
     
    Last edited: Jun 18, 2008
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I believe I have a solution to this issue:
    • Remove the shortcut to xB VPN in “C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu”
    • Using the Windows Vista Task Scheduler, create a task to run "C:\Program Files\XeroBank\xBVPN.exe" at logon and specify "Run with highest privileges"
     
  14. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I believe I now know the solution:
    • First, it is necessary to disconnect from the currently active connection (e.g., right-click the XeroBank icon in the System Tray and select “Best Effort | Disconnect” or “Netherlands | Disconnect”, as appropriate)
    • Next, right-click the XeroBank icon in the System Tray and select “Canada | Connect”
    (Hey, that was a simple one to solve!)

    As an xB VPN recommended enhancement, when a user selects a connect operation, I recommend that xB VPN automatically disconnect the currently active connection. Such a mode of operation would be, I believe, much more “user friendly.”
     
  15. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Any advice?

    Thank you.
     
  16. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I believe I have found a solution, based upon the observation that the OpenVPN GUI application (i.e., the icon in the System Tray) opens the OVPN configuration files in alphabetical order. Therefore, in the folder “C:\Program Files\XeroBank\Data\config”, rename the *.OVPN files into the desired sequence. For example:
    • Rename “Canada.ovpn” to “1-Canada.ovpn”
    • Rename “Netherlands.ovpn” to “2-Netherlands.ovpn”
    • Rename “Best Effort.ovpn” to “3-Best Effort.ovpn”
    As a result, the OpenVPN GUI application will first attempt to connect to Canada rather than Best Effort at the next logon.

    An alternative approach is based upon the observation that all three OVPN files are identical, except for the local peer's signed certificate that is used. Therefore, if the command “cert best-effort.crt” in “Best Effort.ovpn” is changed to “cert canada.crt”, then “Best Effort” will be displayed by OpenVPN GUI when launched; however, the user will actually be connected to Canada.
     
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Cute. Email me about this stuff instead of just posting it here. Here's a simple answer: The xB VPN software looks for "Best Effort.ovpn" first, and if it doesn't find it, it looks for "XeroBank - Reliable.ovpn" and then if it doesn't find that, it starts looking for the first .ovpn file it can find. Why? Because xB VPN is resilient.
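The profile lookup described in this reply, together with the renaming workaround from the previous post, as an added illustration that is not code from XeroBank or from either poster. It assumes "first .ovpn file" means alphabetical order (the observation the renaming relies on) and uses a constructed config folder with the three profiles named in the thread; the point it makes is that the rename works because "Best Effort.ovpn" no longer exists under that name, so the client falls through to the alphabetical fallback.

```python
import tempfile
from pathlib import Path

# Search order as described in the thread: the client looks for
# "Best Effort.ovpn", then "XeroBank - Reliable.ovpn", then the first
# .ovpn file it finds. Alphabetical order for "first" is an assumption.
PREFERRED = ["Best Effort.ovpn", "XeroBank - Reliable.ovpn"]


def pick_profile(config_dir):
    """Return the name of the .ovpn file the client would open first."""
    config_dir = Path(config_dir)
    for name in PREFERRED:
        if (config_dir / name).is_file():
            return name
    candidates = sorted(p.name for p in config_dir.iterdir()
                        if p.suffix.lower() == ".ovpn")
    return candidates[0] if candidates else None


def cert_in_profile(config_dir, name):
    """Return the 'cert' directive value, i.e. which node the profile really uses."""
    for line in (Path(config_dir) / name).read_text().splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "cert":
            return parts[1]
    return None


def make_demo_dir():
    """Constructed sample layout mirroring the three profiles named in the thread."""
    d = Path(tempfile.mkdtemp())
    for node, cert in [("Canada", "canada.crt"),
                       ("Netherlands", "netherlands.crt"),
                       ("Best Effort", "best-effort.crt")]:
        (d / f"{node}.ovpn").write_text(f"client\ncert {cert}\n")
    return d


def apply_rename(config_dir):
    """The renaming from the earlier post: number the files so Canada sorts first."""
    d = Path(config_dir)
    for old, new in [("Canada.ovpn", "1-Canada.ovpn"),
                     ("Netherlands.ovpn", "2-Netherlands.ovpn"),
                     ("Best Effort.ovpn", "3-Best Effort.ovpn")]:
        (d / old).rename(d / new)
```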
     
  18. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Steve, thank you for the explanation. As a recommendation, please consider an enhancement which would allow the user to specify the default OVPN file to use when first launching xB VPN, perhaps through a command-line parameter (e.g., “--connect Canada.ovpn”).

    Personally, I find that the speed of my Internet connection is noticeably faster when connected to Canada as opposed to the Netherlands and, for this reason, prefer to use the former.

    P.S.: The file “XeroBank - Reliable.ovpn” does not exist on my installation of XeroBank (XeroBank Installer 2.0.0.14b).

    Steve, please check your "private messages" on this forum.
     
    Last edited: Jun 23, 2008