
Thread: Trojan.webkit - how does it get in.

  1. #1

    Trojan.webkit - how does it get in.

    Hey guys,

    While on my visit to a company outlet, I connected my laptop to their VLAN. No sooner than I connected the laptop to their network, my AV started detecting a trojan. I was trying to access Google and I could see the status bar showing a redirect to qwertyy.cx (don't visit). It tried to access a page on the URL that was being detected as the malware. I have a different AV from the ones on the endpoints at all outlets. Also I have Windows Vista Business, fully patched. I have no extra software on my machine that is not patched. I checked my laptop again with Secunia's scanner. I have a software-based firewall too (although it doesn't come into the picture much here). All unwanted ports and services are blocked. So how does it get in? Is it my laptop, or is it affecting traffic of the entire network?


    I checked logs of the endpoints at the outlet, all filled with the same trojan entry; we use SEP at all endpoints. These are not patched completely and have some software that is *old*. I can understand them being infected.. But my question is how is my laptop getting broken into?

    Here is the trojan getting detected :

    http://www.symantec.com/security_res...100915-0239-99

    ..

    I'm still at the outlet (although on a data card now). I've scanned my machine with the installed AV and with 2 online scanners and nothing..!

    So how does this trojan get in?
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Cheap Scotch Ron (AO's Filibustier), joined Nov 2008, Swamps of Jersey, 378 posts
    Could be a compromised DNS server. If you tried to go to google and got redirected, perhaps the local DNS server was modified to point google.com to the IP of the suspect website.

    CSR

  3. #3
    nihil (Senior Member), joined Jul 2003, United Kingdom: Bridlington, 17,188 posts
    Hey ByTeWrangler,

    But my question is how is my laptop getting broken into?
    Basically, it isn't... your AV has detected the malware's attempted activity and blocked it.

    The detection is for generic HTML files that attempt to redirect your browser. It exists on the host (server) not on your laptop (client).

    Provided that you have not actually been redirected to a malicious site you should be perfectly OK. It is when you get to these sites that the bad guys try to download other malicious software to your machine.

  4. #4
    Just Another Geek, joined Jul 2002, Rotterdam, Netherlands, 3,401 posts
    No sooner than I connected the laptop to their network, my AV started detecting a trojan.
    You did more than just connect your laptop. Trojans don't propagate by themselves.

    If you look at the "Technical details":

    Trojan.Webkit!html is a generic detection for HTML files containing malicious code to redirect users to malicious Web servers.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Hey guys, thanks a lot for the replies.. I am sorry I couldn't reply sooner.. but I've been busy post the incident..

    We have around 30 servers.. ADs, Web, SQL, AV and so on.. I secured all ADs and I'm sure I'll have to move onto the web now.. I'm sure it's the web server since it houses the sites that are displayed once you log on..

    Anyway.. if there are any pointers please pass them on.. I'm trying to secure Windows 2000 servers here, you see :|
    Parth Maniar

  6. #6
    Alright,

    I need help here guys. I still can't find the source of the infection.. I was in the same VLAN today (store) and there is a variant of the same Trojan that the browser was redirected to.

    From the last time I've blocked the "drop-off" site and now I've to add one more to the list. I've patched, scanned and secured the ADs and web servers. There are yet lots to go though.. I'm the only one securing all this and I still don't have full rights (management issue - don't ask).. I am still not sure how the VLAN gets infected.. Out of so many VLANs only a few are infected with this.. But all of them log onto the same AD(s) and have the same 2 web servers throwing startup pages.. The fact that I have stopped access to these URLs takes a toll on surfing in infected VLANs, since the malware redirects them to the infected site and the legitimate (user-entered) site never loads..

    I'm sorry but I'm stressed out fighting this alone with "limited" access.. I would really appreciate help here..
    Parth Maniar

  7. #7
    brokencrow (Dissident 4dm1n), joined Feb 2004, Shawnee country, 1,243 posts
    I may be way out of my league here, but have you scanned the 'problem' VLANs for any rogue servers?

    What about running a sniffer like Wireshark on those VLANs? There's got to be some unusual traffic there. Any policy prohibiting sniffing?

    Just a thought or two.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
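    Both the compromised-resolver theory in #2 and the "sniff the VLAN for a rogue server" suggestion in #7 come down to the same check: who is answering DNS queries on the segment, and with what addresses. The script below is an added example, not code from anyone in this thread. It parses the answer section of raw DNS responses (as you would export the UDP payloads from a Wireshark capture) and flags any answer that did not come from the sanctioned resolver, or an answer from the sanctioned resolver that resolves a watched name outside its expected network. The resolver address 10.0.0.53, the rogue host 10.0.0.99, the 74.125.0.0/16 range and the sample responses are all constructed for the demo.

```python
import struct
import ipaddress

def _read_name(data, off):
    """Decode a DNS name at off, following a compression pointer (RFC 1035 s4.1.4)."""
    labels = []
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    if data[off] == 0:
        return ".".join(labels), off + 1
    ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
    tail, _ = _read_name(data, ptr)
    return ".".join(labels + [tail]), off + 2

def parse_a_records(payload):
    """Return [(name, ip)] for every A record in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", payload[:12])
    off = 12
    for _ in range(qdcount):            # skip question: QNAME + QTYPE + QCLASS
        _, off = _read_name(payload, off)
        off += 4
    records = []
    for _ in range(ancount):
        name, off = _read_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            records.append((name, str(ipaddress.IPv4Address(payload[off:off + 4]))))
        off += rdlen
    return records

def find_rogue_answers(packets, trusted_resolver, expected):
    """packets: [(src_ip, udp_payload)]; flag answers from unsanctioned hosts or bad ranges."""
    alerts = []
    for src, payload in packets:
        for name, ip in parse_a_records(payload):
            if src != trusted_resolver:
                alerts.append((name, ip, f"answer from unsanctioned host {src}"))
            elif name in expected and ipaddress.ip_address(ip) not in expected[name]:
                alerts.append((name, ip, "unexpected address from trusted resolver"))
    return alerts

def build_response(name, ip, txid=0x1234):
    """Constructed sample only: a minimal one-answer DNS A response."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + qname + struct.pack("!HH", 1, 1) + answer

# Constructed capture: the sanctioned resolver answers, then a rogue host on the VLAN answers too.
SAMPLE = [("10.0.0.53", build_response("www.google.com", "74.125.0.10")),
          ("10.0.0.99", build_response("www.google.com", "192.0.2.66"))]
EXPECTED = {"www.google.com": ipaddress.ip_network("74.125.0.0/16")}
```

    On the sample, `find_rogue_answers(SAMPLE, "10.0.0.53", EXPECTED)` returns one alert naming 10.0.0.99, which is the rogue machine this thread eventually turned up; a wrong answer from 10.0.0.53 itself would instead surface as the compromised-resolver case from #2.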

  8. #8
    Brokencrow.. Thanks a lot mate.. It was a rogue machine on the network.. SOB!

    Thanks again..
    Parth Maniar
