October 27th, 2003, 12:44 AM
Mass infection of the Trojan.ByteVerifiy
I recently built and configured a new student machine at a local college. The moment it went online to the schools network, NAV and Norton Firewall came up with massive infection and attacks, of which 3 were successful. The one major one was the Trojan.ByteVerifiy trojan. I quickly unpluged the computer and conntacted the schools IT department and informed them of the attacks. I was able to log the IP addreses of the attackers and forwarded them to the IT people. I also did my own research and found out that the IP addresses were the college IP addresses. I conntacted the IT department again and informed them of my discovery. They ASSURED me that the infection was not in the schools network and the attack was launched from outside the school. This was a month ago. I tried the other day and the same attacks and trojans are still present and the schools still says that there is nothing harmfull on the schools network. Now, being a tech. certified in A+, Network+, Security+, I know there is more the school can do, provided they listen. Anyone have any ideas on what to do. The only access I can get is the same access a student gets, so launching virus scans from my secure machine is out of the question. Any help is great.
October 27th, 2003, 12:53 AM
If the IT department is that ignorant, then I think the students there are screwed. You can tell them again, and say that it has to be a problem in their network because it happened the minute you went online. It sounds like many students machines are infected, if not all of them. So, to sum up, they are screwed.
Just my 2 ¢
October 27th, 2003, 12:57 AM
Well, there really isn't much we can tell you other than run a firewall on the local box, keep the OS, the firewall and the AV software updated and secure. If the IT department at the college is in denial about their network and what is going on in it, there really isn't much that can be done by a student, other than taking the risks involved in whistlblowing.
Is this a state school (community college, state college, etc?). How the IT department runs and how secure the network is supposed to be may be defined and mandated by state law, or a state IT authority (as we have here in WA). If so, there may be avenues you can take to report problems above the school's IT.
If not ... maybe you want to look around for another school?
PM me, I can hook you up with our registrar.
October 27th, 2003, 02:24 AM
Funny you should mention that, only last night my Norton Internet Security
Pro 2004 alerted me of this trojan having infected my machine and removed
and deleted it instantly. Needless to say what sites i was surfing lol
A dialler was also installed and removed after a full scan.
This site has detailed info and removal advice, maybe you could print the page and go to
a more senior person explaining that they will have porn diallers on their machines
if removal action is not taken. Hardly suitible material for a school eh. If all else fails,
i would go to the education department (state government) and report your findings.
just some thoughts.......TidaLphasE23........
October 27th, 2003, 02:42 AM
I got curious and checked my firewall logs and notice that there is an unusually high level of incoming attempts from a number of different machines. Even the Nok Nok trojan. Getting a steady Nok Nok attempt. About once every few hours. I haven't examined the log port-by-port, yet, but it does seem to be more than usual.
I think I'm just seeing the results of a lot of clueless users on the internet and in my neighborhood.
October 27th, 2003, 08:46 AM
Are you sure that the IPs are from your College? is the ips from a non-routable source, ie, from 10.*.*.* or is it a class ip like 192.*.*.*? Is this from a range that is given to college as a block of non-routable ips from an isp that uses NAT? it may be that the range is a /20 or /21. what this means is that the downstream ip ranges are aware of other subnets. this is how, from one organisation, to sadly our own, msblast was able to get a foothold. if so, you could in both cases I am sure contact the tech support of the isp and inform them of the infection. this could perhaps help. also, speak with someone of the faculty that could be of assistance. if the bandwidth is dedicated and its highbandwith connections, trojans and the like could lead to zombie-bot and ddos attacks et al. btw there is a way, for your machine to "check" which machines are infected. get "iris" or other packet sniffer (got that info from a previous thread here) from eeye. that could show you trends and identify ports on machines that are being used by trojans. if you read up and find out characteristics of virii (what ports etc.) you can fingerprint suspicious machines.
please excuse if i am not 100% on explanation, i am trying to get my english on better level. if still problem, pm me.
HO$H Pagamisa. Pro Amour Ludi....
October 27th, 2003, 12:45 PM
I am for sure that the IP address is the college. The addresses all start with 141.209.*.*, which is the colleges IP address range. Even a Whois and DNS name translation show it as the schools addresses. As for finding the infected computers, I will try to collect as much information as I can and drop everything I find off to the IT department so they can see that the infectionm is in their network.
October 27th, 2003, 03:04 PM
From your previous experience with the IT department I would simply forget about them. Gather all your evidence, logs etc. and go and stand outside Peter MacPherson's office until he talks to you. Be prepared to explain in depth but in laymen's terms.....
Point out to him that the network is heavily infected and the potential for a dangerous information leak is quite high. That information leak could be of the kind that would leave the university liable and that is probably something he doesn't want. Furthermore, the reputation of this particular, (well known), school would not be improved at all should the fact that the network is so infected that it takes mere seconds for a student to become infected after connection to the network become public. Add the fact that the IT department are in denial and that information would guarantee that parents think twice about sending their hard earned money there when there is a perfectly good school just up the road.
Don't make it sound like a threat to disseminate the information but just that fact that you are a concerned student interested in the well being of the school and it's students and you think that this is something that the IT department should be a little more proactive about.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides