[trampas]

Apology up front ! This thread really ought to be in a forum called "Malware avoidance" or "Security - General" but I'm having to put it here. If anyone feels strongly that this should go elsewhere, please advise.

After about two months investigation and with the help of 3 separate helpers on G2G (thanks fellas,) it's finally become apparent that my PCs are been infected with malware (some known, some unknown) a) through straightforward hacking and b) through vulnerabilities within automatic software updates.

To overcome the hacking I've installed a hardware firewall but I still had a port-scanning attack today which I suspect must have originated from malware in my PC.

I'm also becoming increasingly aware that my PCs are being infected, straight after they've been rebuilt through vulnerabilities in the automatic software update process.

A piece of software was (wisely?) written to expose this flaw and is dubbed EvilGrade. Here's an article :


http://krebsonsecuri...ets-an-upgrade/
EDIT: scroll down 2 posts for the correct URL.

I can say more on my reasoning but I'm fairly sure that this software, or something like it, is being used against me.

It can't affect MS updates which are digitally signed.

Has anyone else had experience of this malware ?

How are my update requests being intercepted ?

Do I just have to run without updates until the suppliers catch up to MS ?

Do you have anything else to add ?

[Ztruker]

The link you provided is invalid.

[trampas]

Quite right. Not sure how I managed that

Anyway, here it is :
http://krebsonsecuri...ets-an-upgrade/

[trampas]

This thread has been moved from 'Operating System XP' to 'Malware removal' by the site administrators. That's not a problem but I should confirm that no help is requested at this time with removing malware. If my PC becomes infected I have to rebuild it.

So what would be helpful ? Any advice people have on best-practice in dealing with persistent hackers.

Say someone is doing it just for kicks. Illegal, yes but they probably fancy their chances of not getting caught.

So, are there :
- methods of locking them out that are guaranteed
- methods of detecting their activities from your own PC (to confirm the hacking)
- people you can contact to trace hacking within the internet e.g. your ISP

One vulnerability that I overlooked until now (just from ignorance really) was DNS poisoning. It's possible to deploy a software firewall that incorporates a secure DNS function, so I'll be doing that.

It's possible that evilgrade software is being used but I think that would require the hacker to have hacked my ISP. Can anyone confirm that assumption ?

An obvious question : could and would the hacker bother to hack the ISP ? Unfortunately yes he would. I'm uncertain if he *could*.

All help appreciated.

[Gammo]

Hello and welcome to Geekstogo!

We apologize for the delay in responding to your request for help.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

If you haven't done so yet, please go to Malware and Spyware Cleaning Guide and follow the steps instructed there. If you have already done this, we still need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• Check the box that says Scan All Users.
  
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

[trampas]

Hi gammo and thanks for replying.

These are the questions that I raised, not sure how you feel about them :

So, are there :
- methods of locking them out that are guaranteed
- methods of detecting their activities from your own PC (to confirm the hacking)
- people you can contact to trace hacking within the internet e.g. your ISP


What seems to happen:
- I reload a PC back to factory settings
- I connect it to the internet and either update s/w or browse
- within minutes my IP address and an open port no. on my PC is known
- (I assume) this information is then used to send a reply to that port which causes my PC to open a new connection to the hackers IP address. Hey Presto, system compromised. Firewalls make no difference.

If the above is correct I don't think I need help in removing malware. It would seem to be something more fundamental and *not* anything to do with my PC. Have you any thoughts on how the above could be happening ?

How would you suggest I confirm that the above is happening ?

Cheers

trampas

[Gammo]

I really don't think there's a hacker out there who's trying to hack your PC. It's not that simple to hack a (relatively) up-to-date PC. And on top of that, a normal PC user doesn't have anything a hacker wants.

Your PC might be infected by malware, but that's unlikely if you've already formatted and reinstalled Windows.

[trampas]

Hi Gammo

Some good points there but if we're to be precise it would be more accurate to say :
- hackers will attack a common-or-garden PC only rarely
- if a hacker's motivation derives from them being an internet troll then that could be sufficient
- the effort required to do something that takes a lot of effort and lasts several years indicates quite a bit about the mind of the hacker. He's probably enjoying it.

Having said those things, I will just say that when I originally considered what was happening to my two XP PCs I was quite stunned. It was then that I recognised how much effort was being expended by this hacker (or hackers). However, invoking the Conan-Doyle rule, I was forced to accept that though the explanation was quite likely, it was the only one left on the table.

I could reel-off a long list of things that have been done in 3 years. The most serious was when a money-transfer of mine was interfered with. When your email passwords have been changed you really don't have any doubts. Has that ever happened to you ?

All that aside, I logged another mysterious event this morning. Once again it was triggered by the Adobe_Updater.exe program running. I've recently discovered that TCPView from sysinternals is a great way to monitor TCP and UDP connections. Far superior to using netstat.

If you still wish to believe that it's impossible for there to be a hacker then I can't agree. If you choose to remain sceptical, that's okay.

It would be interesting to know if you agree that the method by which I've suggested the hacking is occurring is theoretically possible.

cheers for now

trampas

[trampas]

One more thing. When I joined the G2G forum my PC was already compromised (probably true for the majority of users !). The hacker knows all of the web sites that I go to. He always posts in any forum that I have joined. Once you accept his distorted view of life it's not hard to understand why he does this.

If you're still thinking : 'but it's so rare' just remember that rare things happen to everybody some time in their lives. I just get on with it. I've learnt a tremendous amount in the process.

He will be reading this thread so please feel free to use private messages if that makes sense at any stage. Any really useful advice can be posted in the public thread once the hacker has been dealt with

t

[Gammo]

Like you said yourself:

Quote

If the above is correct I don't think I need help in removing malware. It would seem to be something more fundamental and *not* anything to do with my PC.

This forum is for malware removal. I'm trained to do just that: malware removal. If there really is a hacker who's sole purpose it is to hack your PC (and personally I very much doubt so), then I wouldn't know how to stop him anyway.

[trampas]

Hey Gammo

We're in agreement on this. I shouldn't be taking your time as you're a malware expert. Could I ask you to do one thing please ? Ask the people who run this site if there's a forum where my particular problem should go. I originally placed it in Operating System - XP but it was moved to malware.

Cheers for that

t.

[trampas]

Evidence of some blocked hack attempts. For info PID 2800 is my browser. These netstat commands were issued over a period of about a minute, just about 5 minutes ago. The browser was running but not being used (by me anyway !)

"C:\Users\net_user>netstat -ano -p tcp

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 552
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 1064
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1136
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 632
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 2460
TCP 127.0.0.1:49187 127.0.0.1:49188 ESTABLISHED 2800
TCP 127.0.0.1:49188 127.0.0.1:49187 ESTABLISHED 2800
TCP 127.0.0.1:53709 203.190.124.18:80 SYN_SENT 2800
TCP 192.168.0.7:139 0.0.0.0:0 LISTENING 4

C:\Users\net_user>netstat -ano -p tcp

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 552
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 1064
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1136
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 632
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 2460
TCP 127.0.0.1:49187 127.0.0.1:49188 ESTABLISHED 2800
TCP 127.0.0.1:49188 127.0.0.1:49187 ESTABLISHED 2800
TCP 127.0.0.1:53710 203.190.124.16:80 SYN_SENT 2800
TCP 192.168.0.7:139 0.0.0.0:0 LISTENING 4

C:\Users\net_user>netstat -ano -p tcp

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 552
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 1064
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1136
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 632
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 2460
TCP 127.0.0.1:49187 127.0.0.1:49188 ESTABLISHED 2800
TCP 127.0.0.1:49188 127.0.0.1:49187 ESTABLISHED 2800
TCP 127.0.0.1:53710 203.190.124.16:80 SYN_SENT 2800
TCP 192.168.0.7:139 0.0.0.0:0 LISTENING 4

C:\Users\net_user>netstat -ano -p tcp

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 552
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 1064
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1136
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 632
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 2460
TCP 127.0.0.1:49187 127.0.0.1:49188 ESTABLISHED 2800
TCP 127.0.0.1:49188 127.0.0.1:49187 ESTABLISHED 2800
TCP 127.0.0.1:53711 203.190.124.11:80 SYN_SENT 2800
TCP 192.168.0.7:139 0.0.0.0:0 LISTENING 4

C:\Users\net_user>netstat -ano -p tcp

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 552
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 1064
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1136
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 632
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 2460
TCP 127.0.0.1:49187 127.0.0.1:49188 ESTABLISHED 2800
TCP 127.0.0.1:49188 127.0.0.1:49187 ESTABLISHED 2800
TCP 127.0.0.1:53712 203.190.124.27:80 SYN_SENT 2800
TCP 192.168.0.7:139 0.0.0.0:0 LISTENING 4
"

The Foreign Address field is the one to look at. There are outgoing connect attempts by the browser.

EDIT: The formatting is lost but I think you get the idea.

t.

[Gammo]

If you are indeed being hacked (which I find very hard to accept), we can't help you at Geeks to Go. Nor do I know of any other site that can myself.

Since we're done here, I'm closing this topic.