All your computers are belong to us now
May. 24th, 2006 07:06 pm
Background: when morgan_dhu's employer set her up with VPN so that she could work from home, the company IT guy was very firm: we could not install a software firewall on the work computer, and we could not put the work computer behind a router. The reasons didn't make much sense to us, but it was their computer, so they got to make the rules (she was also told that due to licensing issues, she could not install Mozilla on her work machine -- no seriously).
So we paid the cable company an extra $20 per month for 2 extra IP addresses so we could connect all our computers to the internet using a hub, instead of a router. And ever since then, the work machine has been naked to the internet, totally unprotected save for the frail figleaves provided by Norton Antivirus and Windows Update.
Since that time, all of the tech support and IT people at the company have been replaced with new people. The new people have a somewhat different philosophy than the old people: for instance, it is now permitted to install Firefox on one's work computer.
For a couple of years, we had one IP for each machine (my computer, morgan_dhu's computer, and her work computer) and they were all connected to the cable modem with a hub. Our personal computers were and still are protected by software firewalls; in addition, a few months ago, I decided I was tired of sending ridiculous amounts of money to the cable company each month, and bought a router. That enabled me to cancel one of the two extra IP addresses. So for the past few months, we had connected our personal computers to the router, and connected the router and the work computer to a hub, which connected to the cable modem. Yes, there was an unholy mess of cables behind the desk; we suspect the cables of developing their own form of intelligence and plotting world domination.
So, anyway, this afternoon, morgan_dhu started experiencing weirdness on her work machine. The mouse started moving around by itself, downloading a file, installing something, clicking past some kind of "are you sure you want to install this thing" warning, and the like. In short, it had been taken over by some kind of remote control software, and someone out there was merrily installing their little rootkit on it. The only question, really, is why it took so freaking long (unless of course it had been suborned years ago and only today the hacker had the bad judgement to start doing stuff when she happened to be using it).
Once we realised what was happening, I pulled the power plug on the computer, unplugged its Ethernet cable, and then we called the tech support at morgan_dhu's company. One of the first things he asked me to do was to plug the work machine into our router, enable VPN on the router, and reboot the work machine so that it would connect to the corporate network through the router.
Then he led me through several rounds of trying to find the freaking rootkit, to no avail. Ad-aware found zilch, msconfig.exe found zilch, and after he said goodbye, I downloaded a "rootkit revealer" from sysinternals.com, and that found zilch. Reviewing running processes also revealed nothing that didn't seem to belong. So Morgan's work computer is probably still suborned. Fortunately it's only turned on about 8 to 12 hours a day, so while it may be part of a zombie farm (although I'd think zombie farmers would really prefer to take over machines that are left on around the clock), it's at least not a very efficient zombie.
On the upside, we can now save ourselves another $10 a month by cancelling all the extra IPs and just going with basic highspeed service. We can also cut back the cable forest behind Morgan's desk, from "enough to stretch to the moon" to merely "enough to stretch around the block."
Advertisement: Anybody who can help me figure out where the rootkit/remote control malware is hiding on morgan_dhu's work machine may claim a lightly used 4 port linksys hub, free.
Re: This was posted by someone else, but it's locked.
Date: 2006-05-25 01:12 am (UTC)
If you are using Windows XP or Windows 2000, it helps to boot into Safe Mode with Networking. You can do this by restarting the computer and hitting 'F8' at bootup, then selecting the mode from the DOS menu that appears.
Special note about Windows XP: all users in XP have their own environments, so you must clean each user individually in case of infection. If you leave one user infected, they may reinfect the others.
When you are ready to clean, close all open programs.
1. Run Ad-aware. Update the program and then start a new scan. Choose 'Custom Scan' and change all the red X marks to green checks. When the scan finishes, right-click on the list of found items, choose 'Select All Objects', then click next to clean the system. Note anything it was unable to clean.
2. Run Spybot. Update the program, then use the Immunize button. Start a new scan. Let Spybot clean whatever it finds, but note anything it was unable to clean.
3. Run, update, and clean with CWShredder and AboutBuster. They will look for specific, problematic spyware programs and remove them if they exist. A clean scan is a happy scan.
4. Go to your Control Panel and open Add/Remove Programs. Go through the list and find suspicious entries and uninstall them. Variations on the word "Search" are often featured. If you are unsure if a program is legitimate, go to www.google.com and enter the name of the program into the search field. If it is spyware, websites in the results will mention it as such.
5. Open HijackThis. This program is NOT the same as the others. It shows more than spyware and you should be VERY CAREFUL when using it or you will break things in your system. Press 'Scan' to see a list of items. Use Google to check to see which items are legitimate and which are spyware. Remove the spyware and scan to see if the items return. Make note of any that do so.
6. Re-run Spybot until it comes up clean or shows a few items that keep coming back. Again, make note of what remains. Some items can only be cleaned while in Safe Mode; if you have an infection like this and are in normal mode, reboot into safe mode (F8 at startup with any version of Windows) and scan/clean to remove, then return to normal mode.
If one item is DSO Exploit, Spybot cannot fix this and repair must be done directly in the registry. To fix the DSO Exploit, you will need Spybot's results and your registry editor (Start/Run/type in 'regedit' and click OK). Look at the information Spybot provides for the DSO Exploit. There will be registry paths listed. In the registry editor, follow the folders until you reach the matching locations. Inside will be an item called '1004'. Delete this item and then right-click in the right pane and create a new DWORD Key. Name it '1004' and give it a value of 3. Repeat this action for each listed folder.
7. Launch Internet Explorer and go to http://housecall.trendmicro.com/ Run a scan on your computer and clean or delete any found infections. Then go to http://www.pandasoftware.com/activescan/ and begin a scan. When you reach the scan settings, check off Heuristic and click on My Computer to scan your entire system. This will clean trojans from your PC that are related to the spyware.
8. Reboot the system.
9. Go to your Control Panel/Internet Options. Clear your temporary files and reset your security and privacy levels to default. Under Advanced reset to defaults, then disable Install On Demand.
10. Run Ad-aware and Spybot again until results show clean for both. You now have a clean PC.* Rejoice!
*There are a few spyware programs that cannot be removed without manual work in the system files. I don't recommend trying to clean these yourself unless you are very knowledgeable. Most internet how-tos are useless with these because of the speed at which spyware mutates. In these cases, either find an expert who will clean it or reformat and reinstall.
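The DSO Exploit repair in step 6 and the per-user note above, as an added PowerShell example that is not from the comment or the post: it checks the '1004' entry under each Internet Settings zone key for the current user and for every user hive loaded under HKEY_USERS, and recreates it as a DWORD of 3 wherever it is missing, the wrong type, or the wrong value. The zone path used here is an assumption (the location Spybot commonly reports); substitute the paths from Spybot's own results if they differ.

```powershell
# Added example, not the commenter's instructions: automate the regedit steps
# for the '1004' setting, covering every user profile (the XP per-user note).
# ASSUMPTION: Spybot's listed paths are the Internet Settings zone keys below.
$Desired = 3   # 3 = the value the comment says to set for '1004'

function Get-ZoneKeys {
    # Current user plus every real user hive mounted under HKEY_USERS
    $roots = @('HKCU:')
    if (-not (Test-Path 'HKU:')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $roots += Get-ChildItem 'HKU:' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)" }
    foreach ($root in $roots) {
        $zones = Join-Path $root 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
        if (Test-Path $zones) {
            # Zone subkeys are named 0..4 (My Computer, Intranet, Trusted, Internet, Restricted)
            Get-ChildItem $zones | Where-Object { $_.PSChildName -match '^\d$' } |
                ForEach-Object { $_.PSPath }
        }
    }
}

function Repair-DsoSetting {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name '1004' -ErrorAction SilentlyContinue
    $kind = if ($item) { (Get-Item $Key).GetValueKind('1004') } else { 'missing' }
    if ($item -and $kind -eq 'DWord' -and $item.'1004' -eq $Desired) {
        return [pscustomobject]@{ Key = $Key; Before = "$kind=$($item.'1004')"; Changed = $false }
    }
    # Absent, wrong type (e.g. REG_SZ) or wrong value: delete and recreate as
    # DWORD = 3, which is exactly what the manual regedit steps do.
    if ($item) { Remove-ItemProperty -Path $Key -Name '1004' }
    New-ItemProperty -Path $Key -Name '1004' -PropertyType DWord -Value $Desired | Out-Null
    [pscustomobject]@{ Key = $Key; Before = "$kind=$($item.'1004')"; Changed = $true }
}

# Report each zone key, what was there before, and whether it was rewritten
Get-ZoneKeys | ForEach-Object { Repair-DsoSetting -Key $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt so the other users' hives under HKEY_USERS are writable; hives of users who are not logged in are not loaded and will not appear in the report.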
Re: This was posted by someone else, but it's locked.
Date: 2006-05-25 01:12 am (UTC)
1. Spybot and SpywareBlaster both install a small amount of protection against reinfection. They're not going to stop everything, but it helps with known spyware. We already put in Spybot's protection. Run SpywareBlaster, update it, and enable all protection.
2. Download and install AVG ( http://free.grisoft.com/freeweb.php/doc/2/ ) a free and rather nice little anti-virus program that doesn't weigh down your system like Norton and McAfee do. KEEP IT UPDATED. Without updates, your software is useless.
3. Download and install ZoneAlarm ( http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp ) a free and rather nice little firewall program. You will have to configure it to allow your computer and software to connect to the internet, but it is worth the extra effort.
4. Do your Windows Updates. Yeah yeah, no excuses. They patch bad security holes, and this is Microsoft so there's a lot of those around.
5. Switch browsers. IE is a huge gaping hole of security flaws that are exploited by spyware programs. ANY other browser will be far more secure. Check out these very nice free/inexpensive browsers:
Opera: http://www.opera.com/download/
Firefox: http://www.mozilla.org/products/firefox/
Netscape: http://channels.netscape.com/ns/browsers/download.jsp
If your new browser software doesn't have it, get a pop-up blocker. If it does have a built-in one, turn that sucker on and leave it on. Pop-ups are not only evil, they often are the way spyware is delivered to your PC. Keep them away.
6. Be careful about installing free software. Weatherbug, Incredimail, Cursor and Smiley programs, filesharing (Kazaa, Limewire, etc) and other programs install spyware on your PC. If you find free software and you're not sure if it's safe, go to www.google.com and enter the name of the program and the word 'spyware'; the results will show if it contains anything malicious. If it does, don't use it and find an alternative.
7. Once a month, update and scan with Ad-aware and Spybot. This will catch any spyware that slips past your defenses. Scan more often if you frequent high-risk areas such as adult websites and filesharing.
Feel free to copy the contents of this entry and pass them around. You do not need to attach any credit.