-
February 24th, 2004, 10:07 AM
#1
Trojans becoming smarter?
Recently my PC was infected with a Trojan called Beast. I managed to remove its autostart entry and deleted the Trojan files. I searched the web for the Trojan, found the author's website and downloaded the Trojan. Then I tried to see if I could connect to my own computer. I looked at the help section and found something rather disturbing:
----------------------------------------------------------------------------------------------------------
As you might know from the previous versions, an important feature of the server is that it uses injection technology. At the first run the server injects itself into the memory of winlogon.exe (on 9x systems into systray.exe). Afterwards, from winlogon.exe it performs injections into explorer.exe or other hosts, according to the options you chose when building the server. The main benefit of this way of running is that winlogon.exe monitors the other injected applications and, for example, if Internet Explorer is closed, it will be started again from winlogon.exe and injected with the dll. If the server is injected into explorer.exe it won't be visible in any Task Manager, so that could be a good option. When the server is injected into Internet Explorer it will be running under the System account on NT and will be visible in Task Manager, but in this way the firewalls can be more easily bypassed. And it is not a big deal if it is visible in TaskMgr, because if the IE process is closed it will automatically be run again. Of course, the same running procedure is performed when the injection occurred in explorer.exe. The server stability is almost 100% (the server can't be crashed by closing the client during a file transfer or other operations). Usually the server (dll) resides in the windows/system directory. With Beast 2.06, if the victim is a restricted user (guest etc.) the server will still run and will be located under the <Documents and Settings> directory, since the server does not need administrator privileges on NT (2k, XP), but the injection into winlogon.exe cannot take place and a few tasks (Passwords Manager, Services Manager, Erase All etc.) cannot be performed.
Beast is pretty hard to remove, especially when using injection. In this case, a certain way to get rid of Beast is booting into Safe Mode. I implemented in Beast an extra persistence feature on NT systems (with admin privileges), so whenever the injected (host) process is closed, the server will be injected again from winlogon.exe (an unstoppable service...). All the servers (loaders) are locked by winlogon.exe, so they cannot be deleted. The registry settings are also rewritten every few seconds...
----------------------------------------------------------------------------------------------------------
So my question is:
1) Does this mean that a firewall becomes useless against this type of Trojan?
2) How can I detect this "injection"?
-
February 24th, 2004, 11:02 AM
#2
From the description you've provided I'd say your best bet for detection is a good AV program and a trojan detection program, and don't use IE (it sounds like it depends on web access via IE to inject over the Internet, or else on an attachment through Outlook -- and we all know about attachments, right?).
Once any trojan is installed, IMHO, the firewall becomes useless. You've been compromised in a way where someone else can control the firewall (what kind of firewall do you use?). If it's a host-based firewall (ZA, Sygate, etc.) this is a definite. If it's an external firewall, you might have some control, but only if you limit access from the LAN out (usually done in work environments, not home environments).
-
February 24th, 2004, 11:43 AM
#3
No, Trojans are not becoming smarter as such. Their main objective is to give remote access and control (based on common functionality, not a dictionary definition).
What you have there is a "hybrid", and these are becoming more common, presumably as their authors run out of original ideas?
It is a file infector as well as a trojan, so it is using "borrowed" virus technology (hah! I have just thought of two methods that would make it 10 times worse and beat MsMittens' suggestions, but I am CERTAINLY NOT posting them on a public forum).
The best way to stop anything is not to let it in to start with. For example, you went to a site and downloaded a trojan, deliberately. I do hope that you used a stand-alone machine that is not shared, that you own/administer, and that has a separate internet connection (not on a network!). I think you see where I am coming from? What else did you get apart from the trojan?
http://www.runtimeware.com
Look for "Sentinel"
Also check out the Dialogue Science website (DrWeb etc)
You are looking for "checksummers". These are programs that look for changes in files, and a good one will detect embedded (injected) malware even though the file size and date have not changed.
What you need is an integrated, layered security system coupled with good user security practice.
Good luck