If it were me, I would run every available program to detect any bad stuff (Ad-Aware, Spybot S&D, online virus scans, your own virus program, etc.) and make sure it is clean.
I had some bad stuff on my computer and it took a long time to get rid of it all. Good luck!
__________________
The Weedy Lady at http://www.happydaycards.com Free E Cards for holidays and all occasions, fun pages and great recipes. |
|
||||
|
<quote>
Although Zone Alarm has stated that the files are now safe, do any of you think that there could be a possibility of any infection still being present?
</quote>

1. Some viruses install themselves in the startup folder. You can remove them manually by stopping the process and deleting the virus program. Sometimes you must start the computer in safe mode to delete them.
2. If you use XP, Run + msconfig and unchecking the program is another way. The virus is dead until you start the program.
3. If you know the name, and know regedit, you can search in the registry and manually delete the files / keys related to the program. That does a better job than most cleaners, is important to know how to do and is fast when you have done it a few times. Look at the Trend Micro site. Some very good articles there on how to delete viruses manually.
4. Then you use online trojan, antivirus, adware and spyware cleaners.
5. An antivirus program is only secure when it is updated for that special virus and may give a very very false feeling. Use it, but you should know, it does not guarantee 100 % protection. In a digital world, viruses can be spread over the globe in seconds. It may take hours to update the antivirus pattern file.
6. Use a good firewall.
7. Best of all, use intrusion protection software that protects against future unknown viruses. There are some free ones. Search term: "intrusion protection". The Swedish "Abtrusion Protector" is the best I know of.
8. Use good backup, so you can format your hard disk in a few hours and reinstall the system. There are programs for this purpose. Norton Ghost is one. It is difficult to infect a nonwritable (but burnable) CD. Backup on a CD may be enough, depending on how much you have to reinstall and your configuration.
9. Security in networks is for professionals.

Kjell Gunnar Bleivik
|
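Added example, not part of any post in this thread: a read-only PowerShell inventory of the autostart locations the post above describes checking by hand (the Startup folders and the registry Run keys). It assumes a current Windows system with Windows PowerShell 3.0 or later; the function names are made up for this example.

```powershell
# Added example: read-only inventory of common autostart locations.
# It lists entries only; nothing is stopped, changed or deleted.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Location = $key
                Name     = $name
                Command  = [string]$item.GetValue($name)
            }
        }
    }
}

function Get-StartupFolderEntry {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($id in 'Startup', 'CommonStartup') {
        $folder = [Environment]::GetFolderPath($id)
        if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $folder -File -Force) {
            if ($file.Name -eq 'desktop.ini') { continue }
            $command = $file.FullName
            if ($file.Extension -eq '.lnk') {
                # Resolve the shortcut so the report shows what actually runs.
                $link = $shell.CreateShortcut($file.FullName)
                $command = ('"{0}" {1}' -f $link.TargetPath, $link.Arguments).Trim()
            }
            [pscustomobject]@{ Location = $folder; Name = $file.Name; Command = $command }
        }
    }
}

# Pull the program path out of a command line such as
#   "C:\Program Files\App\app.exe" /minimized   or   C:\Tools\app.exe -s
function Get-CommandTarget([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|com|bat|cmd|scr|pif|vbs|js))(\s|$)') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

$entries = @(Get-RunKeyEntry) + @(Get-StartupFolderEntry)
$report = foreach ($entry in $entries) {
    $target = Get-CommandTarget $entry.Command
    # Bare file names that Windows resolves through PATH show up as Exists = False.
    $exists = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf -ErrorAction SilentlyContinue)
    $signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'n/a' }
    [pscustomobject]@{
        Location  = $entry.Location
        Name      = $entry.Name
        Target    = $target
        Exists    = $exists
        Signature = $signature
    }
}
$report | Sort-Object Location, Name | Format-List
```

Entries whose target is missing, unsigned, or stored under a temp or user-profile directory are the ones to look up before deciding whether to disable them; a valid signature alone does not prove an entry is wanted.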
|||
|
I know the suspicion well. It is very hard to believe wholeheartedly that your system is clean after an infection or especially an attack, even when scans say so. Windows has enough odd behaviors on its own, what with autoupdating (Windows and other software), indexing, checking e-mail, background maintenance, malware running under processes (in Task Manager) with the same names as legit processes.

(I just got through with an infected computer: I just did a computer that had a nasty infection that I could not get with even safe mode scans. The person was getting multiple warnings from his Norton AV that a file, something like 'Rbot_downloader.gen' was found but couldn't be removed/repaired/quarantined at all. Even in safe mode this was untouchable, and I could not change security permissions in the registry or anywhere else.)

I found this at Sophos Removing worms and followed instructions. It found and cleaned the downloader_bot, another Trojan_bot, and a rootkit!

Go in safe mode with networking, and do an online scan at Panda, Housecall, or other. There are lots of great links wenwilder compiled "Free Software and Online Scans" in a sticky topic here.

You can also return your computer's operations and settings back to an earlier time. If you have Windows XP PRO, do a restore point back to where you hadn't turned off your firewall yet.

---------------------------------

*** HAHA!!! I just found this: OK To Trust "No Malware Found?"

F-Secure Blacklight is also recommended at the Langalist newsletter for getting at rootkits.

Finally, I also use 'Port Reporter' from MS to log my internet connections - this webpage Watching Ports with Port Reporter is good help for that.

I also use tools from Sysinternals: they make the best GUI (graphical user interfaces for built-in Windows monitoring and command line applications) software for Windows on the planet. These people are the best, no questions. I have become familiar with Process Explorer, Autoruns, TDIMon and others there. Very easy to use, and becoming more important for monitoring these days, unfortunately.

I hope all this makes sense, the main points are getting a repair tool from Sophos (or another) and the restore point if necessary.

HTH, Dragonsi
|
|||
|
Oops, sorry kgun! I replied without reading yours first.
You have excellent points in your post. Pleased to meet you! I also like to be behind a router, even though I am the only computer here. NAT device is another roadblock. One more important thing I do is to use one partition for the OS, and another for my Documents and irreplaceable work. I move 'My Documents', 'Desktop', and 'Favourites' to another partition (or slave hard drive) in Windows Explorer. |
|
||||
|
<quote>
(I just got through with an infected computer: I just did a computer that had a nasty infection that I could not get with even safe mode scans. The person was getting multiple warnings from his Norton AV that a file, something like 'Rbot_downloader.gen' was found but couldn't be removed/repaired/quarantined at all. Even in safe mode this was untouchable, and I could not change security permissions in the registry or anywhere else.)
</quote>

Could you remove it by starting the PC from (a) startup disks (CD)? You should always have these disks. You can make them in Windows. What about the system recovery CD? Earlier it was possible to delete most things in a DOS subtask (or by starting the PC in DOS mode). Not always possible today.

<quote>
“Finally, I also use 'Port Reporter' from MS to log my internet connections - this webpage Watching Ports with Port Reporter is good help for that”.
</quote>

Is Microsoft compatible with themselves? Is it not possible to do that in Windows XP (Pro)?

Kjell Gunnar Bleivik http://www.multifinanceit.com/ http://www.blognorway.com/
|
||||
|
Replace your Windows machine with a Mac OS X machine.
I did. No more virii. No more spyware. Wonderful. ,dave
__________________
Dave Barnes +1.303.744.9024 http://www.marketingtactics.com sitting in my basement with my iMac |
|
||||
|
Poor Dave ...... you must not have read about the new "line" of viruses that specifically targets MAC computers.
The other slight drawback to having a MAC (besides the high cost) is that if you want to send files to the majority of folks like me with PCs you need Windows for MAC. So, there you are, back to Windows. And then you need all the protective stuff that the rest of us have anyway.

I suppose I've just offended everyone out there with a MAC. I know a few of them, and they are totally devoted to their machines, which is fine, if they don't get to thinking that a really sharp 14 year old can't gain access.
__________________
The Weedy Lady at http://www.happydaycards.com Free E Cards for holidays and all occasions, fun pages and great recipes. |
|
||||
|
If everyone should follow your advice, that should cost some 100 billion USD.

When somebody has a problem with their PC, the simple "solution" is to cry Linux. Even waited for that answer here. Linux is not safer than Windows. Journalists and persons in the media business may prefer a mac, but

1. It is not a general solution.
2. Nor a special solution to this problem.

In the end it depends on the user. If you click on every link on the internet, and let your children use your PC, you get what you ...

Kjell Gunnar Bleivik http://www.multifinanceit.com/ http://www.blognorway.com/
|
||||
|
Registry Guide for Windows:
http://www.winguides.com/registry/display.php/1236/

Linux as a target.

F-08: Internet Address Spoofing and Hijacked Session Attacks: http://www.ciac.org/ciac/bulletins/f-08.shtml

Cisco Glossary: http://www.cisco.com/univercd/cc/td/...g/glossary.htm

Web Spoofing:

<quote>
"Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker.

"Secure" connections don't help

One distressing property of this attack is that it works even when the victim requests a page via a "secure" connection. If the victim does a "secure" Web access (a Web access using the Secure Sockets Layer) in a false Web, everything will appear normal: the page will be delivered, and the secure connection indicator (usually an image of a lock or key) will be turned on.
</quote>

Source: http://bau2.uibk.ac.at/matic/spoofing.htm

Search terms on Google: define:ddos define:redirection etc. etc.

You find a lot of other relevant links in my link collection if you know where to look for information. Explained many times on this forum before.

Kjell Gunnar Bleivik http://www.multifinanceit.com/ http://www.blognorway.com/
|
||||
|
This MAC and LINUX bashing irks me.
Question 1: When was the last MAC or LINUX virus discovered in the wild? Years ago.

Question 2: When was the last WINDOWS virus discovered in the wild? Most likely a few seconds ago.

Today http://www.f-prot.com/currentversions.html lists

DOS/Windows 111427
Unix/Linux 432 (includes Mac)

Check back in a few days and see how much one of those numbers has increased.
__________________
Irony: That for most people the most "trusted" web site on the planet is for a company that has been convicted of criminal activity. Both Security and SuSe start with "S". www.oldslides.com
|
||||
|
Unix versus Windows XP with serverpack II installed.
1. It may depend on your sources: http://isc.sans.org/ http://www.cert.org/ Last time I checked, there were absolutely more attacks on Linux than on Windows XP systems. That may vary over time.

Monday, 1 August 2005, 5:45 PM CET "There seems to be a new important security patch out for Linux every month, lots of "do not use this program" warnings, too many articles and books with too little useful information, high-priced consultants, and plenty of talk about compromised systems. It is almost enough to send someone back to Windows". http://www.net-security.org/

Related: http://www.sans.org/ http://www.governmentsecurity.org/

2. Do not go into the absolute versus relative trap. Many more Windows and PC users than Mac and Linux users.

3. His advice was to buy a mac, and that should solve every problem. If enough people followed that advice
- It would be very expensive
- Would increase the relative share of people using a mac and then increase the attacks.

4. Still mean what I wrote above, in the end it is the user's own responsibility.

My advice: Educate yourself on security. One of the first things you should learn is to restore your own PC. I also recommend formatting your disk and reinstalling everything, every second year. Assumption: You know what you are doing.

Kjell Gunnar Bleivik http://multifinanceit.com/ http://www.blognorway.com/
|
||||
|
WOW - thanks all for your replies, on my original subject, I have scanned the infected files several times and no more infections have been found, so for now - I will continue as normal (but ensuring my firewall is up and in stealth mode).
With regards to the Linux/Mac/Win debate, I would like to add that I have tried Linux and while I find it very good and quick, I haven't the time to learn those ridiculous command lines. When I did try it, it took me 3 days to install Flash player....!

As for Mac - I would really love one, I find them easy to work with and when you do get problems, easy to resolve, but I haven't the money to spend on both hardware and software to get such a system up to the standard of my current Windows based unit.

On a hosting point of view, I will always advise my clients to go with a Unix/Linux server, I guess I just don't trust Windows when it comes to my websites.
|
|||
|
Quote:
Remember...just because a program claims to do something doesn't mean it actually does. Always research anything you want to put on your computer before doing so.

As far as what to do about any possible infection, I would say you should (not will, but should since there's no real way to know) be fine. If you detected it as w32.gael, it probably means you're running McAfee. Assuming your virus definitions are no more than 2 months old, you're good to go (the virus definition and cure were released 7/15/2005).

In the unlikely event that you're not running McAfee, get your hands on a copy of either it or Norton Anti-Virus 2005. I personally prefer NAV2005 because I like the interface better and I have a lot fewer problems with it in terms of software conflicts with other programs, but either will work in your particular instance to remove the virus in question.

It's not actually a major threat, from what I can read about it, but it is the symptom of a deeper problem as mikmik touched on. This is a tech bulletin from Microsoft that explains the vulnerability that the virus exploits and what can happen if you don't patch your operating system (i.e. code execution from someone remotely messing with your stuff).

So...your two steps are as follows:

1) Run your McAfee (after updates) at least 2-3 times in the coming week, just to make sure the nasty little bugger is gone.
2) Do the updates to your operating system (the critical ones at the very least), so that, in the unlikely event that the virus pops up again, it can't execute what it wants to.

mushroom, since we're on the subject of things that irk people, let's talk about something that irks me, shall we? I'm getting more and more "irked" by your complete lack of respect for someone who is in need of help. You can disagree with their choice of operating system, and that's your right to do so. I'm not going to tell you one is better than the other, because that's not really what this thread is supposed to be about.

But, when someone is on here clearly asking for help to solve a problem and you turn around and say "this wouldn't have happened if you were on a Linux system" or "this MAC/Linux bashing really bothers me", what are you really doing to help the other person? Nothing. So if all you're going to do is just spout off at the lip about how great your operating system is, rather than try and contribute toward the solution, can it already. No one wants to hear it.
__________________
Toronto Web Design | Search Engine Friendly, Standards-Compliant Layouts | Walk on my Path (my blog) |
|
||||
|
You're better off running a scan using AVG free, that actually removes viruses unlike the memory hungry Norton Antivirus 2005. And don't even think about buying Norton Internet Security unless you have a completely ultra fast up-to-date machine and you have money to waste.

Better off using the free stuff, the best programs are: Adaware, Spybot Search and Destroy, MS-Antispyware (win2k/xp). And if you have no anti-virus software: AVG Free. Hijack This is an excellent tool also but you have to know what you're doing when using that!

If you want any more help then PM me =)
|
||||
|
I am using Zone Alarm Pro which has been upgraded (so to speak) to Zone Alarm Security Suite. My definitions are updated every day and my system is fully scanned once a week.

With regards to spyware, Zone Alarm now comes with a built in spyware detector but I also run Ad-Aware at least once a week. Since the attack, I have scanned my system (and others on my network) several times and no more traces of the infection have been found. So I am assuming (which I know can be dangerous) that I am now clean of this attack.

However, since my original post, I have had DSL installed and am using the Zoom X4 modem/firewall/router that is going through a LanArt switch. Since then I have had an itching question on my mind. During boot-up, especially at the Windows login screen, I am not sure if Zone Alarm is fully loaded and hence not fully protecting my system. How safe is a system during boot-up and while waiting at a login screen?

I have done the 'Shields Up' test at www.grc.com and while it shows that not all ports are in stealth mode, all ports are closed. Is this acceptable?
|
|||
|
@Weedy
Quote:
Got any more gems like that? I do enjoy a good laugh :) |
|
||||
|
That's not all that funny, Steve. Weedy Lady was right on some counts. The recent attacks on MAC (which I capitalize because it stands for Major Annoying Crap to me) OS X are proof enough of that. Also, people tend to forget that MAC, while it does use a fairly well-designed GUI for Joe Schlub, is still a GUI. GUIs traditionally lend themselves more to vulnerabilities.

The only additional "security" that comes with a MAC is knowing that it's not going to be targeted as much as a Windows-based PC, since the market share is so much smaller. If it ever gained any significant market share, then the attacks would follow.

As far as the price goes, let's take a sample of two similarly built machines, one a MAC, one PC, in the GTA:

IMAC
17-inch widescreen LCD
1.8GHz PowerPC G5
512K L2 cache
600MHz frontside bus
512MB DDR400 SDRAM
ATI Radeon 9600 128MB DDR video memory
160GB Serial ATA hard drive
Slot-load Combo Drive
56K internal modem
Cost: $1,599

PC with the same or greater specs (listed below):
P4 3.0 GHz
XP Pro (I'm not saying this is better than MAC OS X...I just want to stack up the two most current O/Ses).
800 MHz FSB
Cost: $1,178

Let's see...a better system, that I could upgrade relatively inexpensively (to 1 GB RAM for $79, for example), at about $420 less than the iMac. For those who think it's a one-shot deal, try it yourself. Find your local MAC retailer's website, find a system that is priced on it, and then stack it up against a comparable PC. You should find between 30-50% savings on a better machine. This doesn't even take into account the increased costs of software, assuming you're lucky enough to even find it. Oh...and if something breaks, try finding a MAC dealer. Gonna be a lot harder than finding a PC dealer, isn't it?

So...guess that means Weedy Lady is now two out of three, and I haven't really looked at her third point yet. There are cross-platform file standards (PDF and ESP for example) that people can transport files to/from. Buuuuuut...consider a typical user. What might a typical user have? Well...since the majority of people have Windows-based PCs, that would mean they're running the Windows platform. Now...let's also consider what this person might be doing with his/her PC, as in your average non-geeky user. "I want to type out documents, check my email, and use the web." Pretty common request, right?

So...again, like most users, they'll likely have a copy of Word (or if they're really sick bastards, Corel WordPerfect Suite). Email? Likely Outlook or Outlook Express, or possibly a web-based email interface. The web? Odds are, IE.

With this knowledge in mind, if I'm someone who uses my computer for commercial reasons (which I am), I'm going to try and reach as many people as possible. So I'm going to make sure the things I do will reach the average Joe/Jane. And that means I'm going to type my docs out in Word, make sure my pages work in IE first and everything else after, and make sure any emails my sites or I send out are OE, Outlook, and web-based email-friendly.

And therein lies what I think Weedy Lady really meant. It's not necessarily that there are no cross-platform solutions for transporting information...it's that the solutions end up in the hands of a Windows-based user most of the time anyway. So why not start there?

So...Weedy Lady was a lot closer to being right than I think any MAC user would ever give her credit for.
__________________
Toronto Web Design | Search Engine Friendly, Standards-Compliant Layouts | Walk on my Path (my blog) |
|
||||
|
@Dragon
Sorry, don't know anything about Zone Alarm. Maybe the security awareness link I've posted below might lead somewhere for you, not sure?

@Adam
BTW You missed the only reason why someone should buy a PC and that's gaming (though I prefer XBOX / Playstation personally). Sure, it costs a bit more to buy an Apple over a regular PC, but they're worth every penny. Look at the device connectivity and quality. Match those and it's not so different. Plus, Apple uses standard ram these days? Your software comments are out of touch too... iLife (bundled free) or iWork ($99)?

You're right about popularity making an OS a target - I don't claim to be a security expert, so read this security awareness blog if you want an expert's opinion. It's in 10 parts so be warned it's not a 2 minute deal...

If Weedy was correct, I'd have a hell of a problem with my macs and pcs, which have to work together whilst sharing the same printers, faxes, wireless network and internet connection.
|
||||
|
You may not have a problem, but I do have a hell of a problem with trying to receive and open files from the non profit organization that I am very involved in. They were required to purchase MACs for the office due to specifications in a foundation grant. They cannot send me any .dat files -- only word files.
There are also some members who have MACs and the same problem exists that way. Recently one of our members was trying to work with me on designing a fund raising poster. What she sent to me opened, but was so messy I couldn't make any suggestions because I didn't know what it looked like without a printed copy from her MAC. A couple other people on this committee with PCs couldn't even open her file. I just happen to have a lot of programs that most people do not have on their machines.

Since I am on several finance related committees this makes for major problems. They use a program for all their accounting which produces these .dat files. This means that everything has to come to me via the postal service, which can sometimes take 10 days to arrive unless they spend big bucks for overnight delivery.

Of course we can send each other plain e-mail, .jpg and .gif files, and word documents, but this is no help when it comes to the important stuff. And NO I can't get it by fax because of the way my telephone company has the number of rings for call waiting set up and the way my own telephone has limitations on the number of rings before the answering machine picks up. I can send faxes but cannot receive them through my computer. It is a bummer.

I am also active in a second non profit that uses PCs in the office and we have no problem sending each other anything. It is nice that your computers work together across "cultures". Most do not.
__________________
The Weedy Lady at http://www.happydaycards.com Free E Cards for holidays and all occasions, fun pages and great recipes. |
|
|||
|
@Weedy,
Sounds like you're the odd one out if everybody is trying to send you mac format files? ;o) Why isn't the program you use more interoperable regards import? As you rightly pointed out, .gif and .jpg are platform independent, just like .pdf - which is great for sharing digital proofs (including posters). Most data driven software accepts CSV (comma separated variable) files, which are also platform independent. There are a very small number of specialist software packages not available on macs (or any other platform besides windows), sounds like yours is one of them - but is that a reason to discourage the vast majority of people who would benefit from using a mac not to buy one? |
|
||||
|
Ah c'mon.....people are going to buy what they are going to buy, and you and I aren't going to change their minds.
And when an organization has over 2,500 members and only about 1% of them have MACs I don't think I am the odd one out.
__________________
The Weedy Lady at http://www.happydaycards.com Free E Cards for holidays and all occasions, fun pages and great recipes. |
|
|||
|
Actually, I am asked quite a lot what computer/laptop to buy, either by friends, family or clients. My answer depends on what they do (or want to do) and what they use their computer for, and I always encourage them to explore the available options.
I don't try to change their minds, just open their eyes to what's available. Most choose a mac once they have done a bit of research for themselves and gotten out of the 'must buy windows' mindset... we don't all have to be sheep - or should that be lemmings ;o)