Trojan.webkit - how does it get in.

  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    Hey guys,

    While on my visit to a company outlet, I connected my laptop to their VLAN. No sooner than I connected the laptop to their network, my AV started detecting a trojan. I was trying to access Google and I could see the status bar showing a redirect to qwertyy.cx (don't visit). It tried to access a page on the URL that was being detected as the malware. I have a different AV from the ones on the endpoints at all outlets. Also I have Windows Vista Business fully patched. I have no extra software on my machine that is unpatched. I checked my laptop again with Secunia's scanner. I have a software-based firewall too (although it doesn't come into the picture much here). All unwanted ports and services are blocked. So how does it get in? Is it my laptop or is it affecting traffic of the entire network?


    I checked the logs of the endpoints at the outlet, all filled with the same trojan entry; we use SEP at all endpoints. These are not patched completely and have some software that is *old*. I can understand them being infected.. But my question is how is my laptop getting broken into?

    Here is the trojan getting detected :

    http://www.symantec.com/security_res...100915-0239-99

    ..

    I'm still at the outlet (although on data card now). I've scanned my machine with the installed AV and with 2 online scanners and nothing .. !

    So how does this trojan get in?
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    AO's Filibustier
    Cheap Scotch Ron
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Could be a compromised DNS server. If you tried to go to google and got redirected, perhaps the local DNS server was modified to point google.com to the IP of the suspect website.

    CSR
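One way to test the compromised-resolver hypothesis in this reply, as an added example that is not part of the thread: a minimal DNS A-record client in Python that asks the LAN resolver and a reference resolver for the same name and reports the answers only the LAN resolver gives. The reference resolver address, the hostnames and the reply bytes used for checking are assumptions or constructed values, not anything from the thread.

```python
import ipaddress
import random
import socket
import struct

# Minimal DNS A-record client: build a query, parse the reply, and compare the
# answers the LAN resolver gives with those from a reference resolver.
REFERENCE_RESOLVER = "9.9.9.9"  # assumed known-good resolver; pick one you trust


def build_a_query(name: str, txid: int) -> bytes:
    """Encode a standard recursive query for the A records of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it once
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(msg: bytes, expected_txid: int) -> set:
    """Return the set of IPv4 addresses in the answer section of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    ips = set()
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen  # CNAME and other record types are skipped
    return ips


def resolve_a(name: str, server: str, timeout: float = 3.0) -> set:
    """Query one specific DNS server over UDP and return its A answers."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def compare_answers(lan_ips: set, reference_ips: set) -> dict:
    """Classify the LAN resolver's answers against the reference answers."""
    unexpected = lan_ips - reference_ips
    return {
        # no overlap at all with the reference is the strong signal
        "suspicious": bool(unexpected) and not (lan_ips & reference_ips),
        "unexpected": sorted(unexpected),
        # an RFC 1918 answer for a public name is worth a look on its own
        "private_unexpected": sorted(
            ip for ip in unexpected if ipaddress.ip_address(ip).is_private),
        "shared": sorted(lan_ips & reference_ips),
    }


def check_host(name: str, lan_resolver: str) -> dict:
    return compare_answers(resolve_a(name, lan_resolver),
                           resolve_a(name, REFERENCE_RESOLVER))


if __name__ == "__main__":
    import sys
    # usage: python dnscompare.py www.google.com 10.0.0.10   (file name assumed)
    print(check_host(sys.argv[1], sys.argv[2]))
```

Names served by large CDNs legitimately resolve to different addresses from different resolvers, so a bare mismatch is weak evidence; an answer that points at an internal address, or at the host named in the redirect, is the part worth chasing. Also confirm which resolver the laptop actually received from DHCP on that VLAN before trusting the comparison.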

  3. #3
    Super Moderator: GMT Zone
    nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hey ByTeWrangler,

    But my question is how is my laptop getting broken into ?
    Basically, it isn't... your AV has detected the malware's attempted activity and blocked it.

    The detection is for generic HTML files that attempt to redirect your browser. It exists on the host (server) not on your laptop (client).

    Provided that you have not actually been redirected to a malicious site you should be perfectly OK. It is when you get to these sites that the bad guys try to download other malicious software to your machine.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    No sooner than I connected the laptop to their network, my AV started detecting a trojan.
    You did more than just connect your laptop. Trojans don't propagate by themselves.

    If you look at the "Technical details":

    Trojan.Webkit!html is a generic detection for HTML files containing malicious code to redirect users to malicious Web servers.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Hey guys, thanks a lot for the replies.. I am sorry I couldn't reply sooner.. but I've been busy post the incident..

    We have around 30 servers .. ADs, Web, SQL, AV and so on.. I secured all ADs and I'm sure I'll have to move onto the web now.. I'm sure it's the web server since it houses the sites that are displayed once you log on..

    Anyway.. if there are any pointers please pass them on.. I'm trying to secure Windows 2000 servers here you see :|
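Since the reply above points at the web servers that serve the start pages, here is an added example (not code from the thread) of the defensive check that follows from the earlier replies' point that the detection fires on HTML files carrying redirect code: a Python scanner that walks a web root and reports meta refreshes, script location changes and hidden iframes that point off-site. The web root path, the site hostname and the sample page are constructed for the example.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Patterns for the redirect constructs the scanner looks for.
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
SCRIPT_LOCATION = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"          # location = "..."
    r"|location\.(?:replace|assign)\s*\(\s*['\"]([^'\"]+)['\"]",  # location.replace("...")
    re.I,
)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class RedirectFinder(HTMLParser):
    """Collect redirect targets whose host is not the site's own host."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def _note(self, kind: str, url: str) -> None:
        host = urlparse(url).hostname
        if host is not None and host.lower() != self.site_host:
            self.findings.append({"kind": kind, "url": url})

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content", ""))
            if m:
                self._note("meta-refresh", m.group(1))
        elif tag == "iframe" and "src" in a:
            tiny = any(a.get(dim, "").strip().rstrip("px") in ("0", "1")
                       for dim in ("width", "height"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self._note("hidden-iframe", a["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data
            for m in SCRIPT_LOCATION.finditer(data):
                self._note("script-location", m.group(1) or m.group(2))


def find_redirects(html: str, site_host: str) -> list:
    parser = RedirectFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_webroot(root: str, site_host: str) -> dict:
    """Map each file under `root` that contains off-site redirects to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".html", ".htm", ".php", ".asp", ".aspx")):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_redirects(fh.read(), site_host)
                if hits:
                    report[path] = hits
    return report


# Constructed start page with three injected off-site redirects and one
# hidden but same-site iframe that should not be reported.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://redirect.invalid/landing">
<script>window.location.href = "http://redirect.invalid/js";</script>
</head><body>
<a href="http://intranet.example.local/news">News</a>
<iframe src="http://redirect.invalid/frame" width="0" height="0"></iframe>
<iframe src="/help" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    import sys
    # usage: python redirectscan.py /var/www/html intranet.example.local  (names assumed)
    for path, hits in scan_webroot(sys.argv[1], sys.argv[2]).items():
        for h in hits:
            print(f"{path}: {h['kind']} -> {h['url']}")
```

Run it against a copy of the web root taken from the server, with the hostname users actually browse to, and treat every hit as something to diff against a known-good backup; a legitimate off-site redirect will be rare on an intranet start page and easy to vouch for.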

  6. #6
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Alright,

    I need help here guys. I still can't find the source of the infection.. I was in the same VLAN today (store) and there is a variant of the same Trojan that the browser was redirected to.

    From the last time I've blocked the "drop-off" site and now I've to add one more to the list. I've patched, scanned and secured the AD and web servers. There are yet lots to go though.. I'm the only one securing all this and I still don't have full rights (management issue - don't ask).. I am still not sure how the VLAN gets infected.. Out of so many VLANs only a few are infected with this.. But all of them log onto the same AD(s) and have the same 2 web servers throwing startup pages.. The fact that I have stopped access to these URLs takes a toll on surfing in infected VLANs since the malware redirects them to the infected site and the legitimate (user-entered) site never loads..


    I'm sorry but I'm stressed out fighting this alone with "limited" access.. I would really appreciate help here..

  7. #7
    Dissident 4dm1n
    brokencrow
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    I may be way out of my league here, but have you scanned the 'problem' VLANs for any rogue servers?

    What about running a sniffer like Wireshark on those VLANs? There's got to be some unusual traffic there. Any policy prohibiting sniffing?

    Just a thought or two.
    "Everybody is ignorant, only on different subjects." - Will Rogers
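To act on the sniffing suggestion above, an added example that is not from the thread: a Python script over `tshark` field output that lists hosts answering DNS queries on the VLAN which are not the authorised resolvers, and the names for which those hosts' answers contradict the authorised ones. The resolver addresses and the capture lines are constructed; the tshark field names in the comment are tshark's own.

```python
import sys
from collections import defaultdict

# Input is the tab-separated output of
#   tshark -r vlan.pcap -Y "dns.flags.response == 1" -T fields \
#          -e frame.number -e ip.src -e dns.qry.name -e dns.a
# (dns.a is comma-separated when a reply carries several A records).

AUTHORISED_RESOLVERS = {"10.0.0.10", "10.0.0.11"}  # assumed corporate DNS servers

# Constructed capture: frames 2 and 4 come from a host that should not be
# answering DNS at all, and its answers disagree with the real resolvers.
SAMPLE_TSHARK_OUTPUT = """\
1\t10.0.0.10\twww.google.com\t203.0.113.5,203.0.113.6
2\t10.0.5.77\twww.google.com\t198.51.100.7
3\t10.0.0.11\tintranet.example.local\t10.0.0.20
4\t10.0.5.77\tmail.example.local\t198.51.100.7
5\t10.0.0.10\tmail.example.local\t10.0.0.25
"""


def parse_tshark_lines(text: str) -> list:
    """Turn tshark field lines into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4 or not parts[0].strip().isdigit():
            continue
        frame, src, qname, answers = parts[:4]
        records.append({
            "frame": int(frame),
            "src": src.strip(),
            "qname": qname.strip().lower(),
            "answers": [a for a in answers.strip().split(",") if a],
        })
    return records


def find_rogue_responders(records: list, authorised: set) -> dict:
    """Map each non-authorised source of DNS replies to what it answered."""
    rogue = defaultdict(list)
    for r in records:
        if r["src"] not in authorised:
            rogue[r["src"]].append((r["frame"], r["qname"], r["answers"]))
    return dict(rogue)


def find_contradicted_names(records: list, authorised: set) -> dict:
    """Names where a non-authorised host's answers share nothing with the real ones."""
    good, other = defaultdict(set), defaultdict(set)
    for r in records:
        bucket = good if r["src"] in authorised else other
        bucket[r["qname"]].update(r["answers"])
    return {
        name: {"authorised": sorted(good[name]), "other": sorted(ips)}
        for name, ips in other.items()
        if not (ips & good[name])
    }


def summarise(text: str, authorised: set) -> dict:
    records = parse_tshark_lines(text)
    return {
        "rogue_responders": find_rogue_responders(records, authorised),
        "contradicted_names": find_contradicted_names(records, authorised),
    }


if __name__ == "__main__":
    # usage: tshark ... | python rogue_dns.py      (file name assumed)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSHARK_OUTPUT
    result = summarise(data, AUTHORISED_RESOLVERS)
    for src, replies in result["rogue_responders"].items():
        print(f"unexpected DNS responder {src}: {len(replies)} replies")
    for name, info in result["contradicted_names"].items():
        print(f"{name}: authorised={info['authorised']} other={info['other']}")
```

A host that answers DNS on a VLAN without being one of the configured resolvers is the thing to locate physically and isolate; the contradicted-names list tells you which clients' lookups it was steering, which is also the list of names to flush from affected clients' caches once it is gone.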

  8. #8
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Brokencrow.. Thanks a lot mate.. It was a rogue machine on the network.. SOB!

    Thanks again..
