Crazy Internet Security

Posted on 2003-03-04
Last Modified: 2013-11-16
Hi, I just installed Norton Internet Security 2002, and after reboot I got non-stop security alerts "default block netspy trojan horse...", and I wasn't using any program! Now, after 1 hour, I have already got about 1500 intrusion attempts (!!!). What's wrong??
PS: I use WinXP
Question by:needmoney
16 Comments
 
LVL 1

Expert Comment

by:slartibartfarst
ID: 8064122
It seems that one (or more) of your system files is infected with the NetSpy trojan horse. Is your antivirus software up to date? If not, then get an update immediately and scan your PC. If this doesn't work, try one of the anti-trojan programs available on the internet. Type a search into Google for 'anti trojan netspy' and view the results.
 
LVL 1

Expert Comment

by:matt_t1
ID: 8064433
The message you saw was Norton blocking an inbound connection attempt to the port that NetSpy uses.  This does not necessarily mean that you are infected, but 1500 attempts an hour is a lot...  You should take slartibartfarst's advice and do a virus scan.

Norton Internet Security 2002 comes with Norton AntiVirus included.  Do a LiveUpdate to make sure you have the latest signatures, then do a full system scan in Norton.
 

Author Comment

by:needmoney
ID: 8069007
Yes, I do have Norton AntiVirus with the latest virus definitions and Swat-It (anti-trojan), ran a full scan with both but found nothing. What should I do? Do I have to format and reinstall everything?
 
LVL 3

Expert Comment

by:ShadowWarrior111
ID: 8069833
Btw, have you tried removing all the spyware from your PC? Get Ad-Aware (http://www.lavasoftusa.com/) and scan your hdd for any spyware program.
 
LVL 1

Expert Comment

by:matt_t1
ID: 8070431
If both Norton and Swat-It say you are clean, then you probably are.

What kind of internet connection do you have?  I know of people with cable connections and static addresses that have a large number of alerts every hour, but not quite as high as you...
 
LVL 1

Expert Comment

by:slartibartfarst
ID: 8070566
Try opening the task manager and shutting down one process at a time (if there are any running apart from explorer and systray) every two minutes and monitor the alerts. If they stop, then you have found the suspect process. Also you may need to make a rescue disk in Norton and boot from that. It will be able to scan files that are locked by the operating system.
 
LVL 1

Expert Comment

by:nisheed
ID: 8071656
 
LVL 1

Expert Comment

by:nisheed
ID: 8071700
I don't think you have the NetSpy trojan, as an up-to-date version of your Norton AntiVirus can detect this virus.

Symantec has a FAQ regarding this problem and you can access this information from the link posted above.

Just a friendly note: remember to always consult the application provider, as they would have had other users with similar experiences and the support department would have a resolution.
 
LVL 24

Expert Comment

by:SunBow
ID: 8074328
Ditto nisheed, RTFM. Before raising issues with strangers like us, try first the product provider for answers and FAQs. Then you can visit strangers for their strange opinions. Mine? Symantec makes a well-known, fairly solid A/V product. I do not like it, but that is another matter. It is generally accepted as solid.

Their package deals of trying to compete with personal firewalls are another matter. That's not their forte, so you are vulnerable to receipt of the confusion of false positives, such as the case with your netspy and other anomaly. Reminds one of their quarantine of files of the MS OS itself. They look for some 'indicator' of one program, and 'assume' that any program with such an indicator is the bad one. Not necessarily so. IMO their responses, such as the link provided by nisheed, leave a lot to be desired. Where they admit their product is defective, their solution is the user implementing some manual patches personally, not fixing the defect of their own product. Rather like MS and their registry hack 'solutions'.

A label of "intrusion attempts" is also too all-encompassing. Very often this can be simply an OpenView type of product that is merely attempting to find and locate other devices on the internet to build a topology. It can also be a survey someone is doing, comparing aspects of internet devices with each other. It can be someone not understanding their product and misconfiguring it. I have that at work these days with the professional support provided for SMS. Then again, it really could be a neighborhood script kiddie who got some download on the internet and is snooping about town to see what can be gotten into (more likely if you have a direct connection such as cable, rather than use of a dial-up modem).

In short, the information provided is not very thorough or complete, comprehensive, or even intelligible enough for you to figure out either what is going on or what to do about it. So, I suggest:

Answer: consider an alternative product that is more understandable to you, that has more of the features and functions you personally desire. There are indeed many. BlackICE, for example, has beneficial forensic capability in identifying the source of some "intrusion", and ZoneAlarm has improved capability to block outgoing traffic.

IMO, if you have to ask us, then you are probably using the wrong product for your level of understanding and needs. Think about it.
 
LVL 24

Expert Comment

by:SunBow
ID: 8074356
> Do a LiveUpdate to make sure you

Btw, I am opposed to any such activity of letting anyone's product be capable of calling out, downloading files, and changing the computer SW transparently. This is, one, an abhorrent security permission beast, but two, it makes it extremely difficult to debug any problems when you do not know what the latest changes have been. MS itself has been notorious for putting up 'bad' files on their servers for users to download.

Better, IMO, to disable any capability of unattended traffic & upgrade. Better to take one's time to D/L the latest A/V signatures, and test to make sure the system still functions as well as it had been.
 

Author Comment

by:needmoney
ID: 8077914
Hi
I use a cable modem, but before I didn't have this kind of problem. I've also tried Ad-Aware, clean too... And I installed ZoneAlarm this morning, but still have the same problem. As for the FAQ, it's a different problem. I'm being "attacked" by different IPs. But the weird thing is, the "attacks" completely stop after 2-3 hours... any clues??
 
LVL 1

Expert Comment

by:nisheed
ID: 8088262
You should be getting a port number as well?

If so, please let me know, as this will give me more insight. Thanks
 
LVL 1

Expert Comment

by:nisheed
ID: 8088269
Sorry forgot to mention that netspy 1.0-2.0 uses port 1024.
 
LVL 1

Accepted Solution

by: nisheed (earned 200 total points)
ID: 8088503
Look out for (TCP) port 31339 (Netspy/Netspy DK).

Do you know how to do some Internet research? By this I mean ping sweeps and traceroute (www.visualware.com/visualroute). What you are looking for is whether those machines are live; you'll want to determine whether the attack is coming from the same network as you.

After you determine this, try to recall all the applications you downloaded and installed in the past. The network information you get from the traceroute may help you pinpoint the application. It may even tell you nothing, but at least you are being reactive and not just accepting it.

Remember, every time you download and install an application from the internet you are exposing yourself to being attacked. It's a bit like bringing a serial killer into your house, letting him/her do as they please and then wondering who is killing members of your family.

I like SunBow's attitude: "I am opposed to any such activity of letting anyone's product be capable of calling out, downloading files, and changing the computer SW transparently."

You never know what's going on.

So please be careful when you download free stuff from the internet.

If all else fails, format your machine and reinstall the operating system. Install your virus software and firewall and be careful what you download.

Sorry for being so frank, but: Trojan horses are dangerous, they scare the s21T out of me!

Look at this stat: "in 1997 there were 7 variations of remote access/password stealing Trojans, 81 in the following year, 178 in 1999 and double that in 2000/2001".
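As an added example, not code from this thread and not part of any Norton/Symantec product: a small Python script that does the bookkeeping nisheed describes above. It groups blocked-connection alerts by source address and by destination port, measures how fast they arrive, and splits the sources into those inside the local subnet and those outside it, which is the "are they on the same network as you" question. The log record layout, the sample lines and the local address 24.5.6.200 are constructed for this example; the thread does not show Norton's real log format, so a practitioner would adapt the regular expression to whatever the product actually writes. One caveat worth keeping in mind while reading the output: a destination port number by itself does not prove a trojan is involved, and the rule name is only the product's label for that port.

```python
"""Group firewall block alerts by source and destination port, and check which
sources share the local subnet. Added example; the record format is constructed."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumed record layout (constructed for this example, not Norton's real format):
#   <date> <time> BLOCK <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <rule>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<rule>\S+)$"
)

# Constructed sample: one busy host on the local /24, a second local host,
# two outside hosts, and one line that is not an alert record at all.
SAMPLE_LOG = """\
2003-03-04 21:00:01 BLOCK TCP 24.5.6.7:3124 -> 24.5.6.200:1024 netspy
2003-03-04 21:00:02 BLOCK TCP 24.5.6.7:3125 -> 24.5.6.200:1024 netspy
2003-03-04 21:00:09 BLOCK TCP 66.1.2.3:4001 -> 24.5.6.200:31339 netspy-dk
2003-03-04 21:00:15 BLOCK TCP 24.5.6.88:1500 -> 24.5.6.200:1024 netspy
2003-03-04 21:01:00 BLOCK UDP 10.9.8.7:53 -> 24.5.6.200:1024 netspy
2003-03-04 21:01:30 BLOCK TCP 24.5.6.7:3126 -> 24.5.6.200:1024 netspy
this line is not an alert record
"""


def parse_alerts(text):
    """Return the parsable block records as dicts, sorted by timestamp.
    Lines that do not match the layout are skipped rather than treated as errors."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        alerts.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"],
            "src": m["src"],
            "dport": int(m["dport"]),
            "rule": m["rule"],
        })
    alerts.sort(key=lambda a: a["ts"])
    return alerts


def summarize(alerts, local_ip, prefix_len=24):
    """Count alerts per source and per destination port, and split the sources
    into those inside local_ip/prefix_len and those outside it."""
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    by_src = Counter(a["src"] for a in alerts)
    by_port = Counter(a["dport"] for a in alerts)
    same_net = sorted(s for s in by_src if ipaddress.ip_address(s) in local_net)
    external = sorted(s for s in by_src if s not in same_net)
    span = (alerts[-1]["ts"] - alerts[0]["ts"]).total_seconds() if alerts else 0.0
    # Arrival rate per hour; if everything landed in one second, report the raw count.
    per_hour = len(alerts) / (span / 3600.0) if span > 0 else float(len(alerts))
    return {
        "total": len(alerts),
        "by_src": dict(by_src),
        "by_port": dict(by_port),
        "same_subnet": same_net,
        "external": external,
        "span_seconds": span,
        "per_hour": per_hour,
    }


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_LOG), "24.5.6.200")
    print(f"{s['total']} alerts over {s['span_seconds']:.0f}s (~{s['per_hour']:.0f}/hour)")
    for src, n in sorted(s["by_src"].items(), key=lambda kv: -kv[1]):
        where = "same /24" if src in s["same_subnet"] else "external"
        print(f"  {src:<12} {n:>3} alert(s)  [{where}]")
    print("destination ports:", s["by_port"])
```

Feed it the product's exported log instead of SAMPLE_LOG, set local_ip to the address the cable modem assigned, and the top of the per-source table is the list of hosts worth a ping or traceroute first; a source that sits in the same /24 is a neighbour on the cable segment, which is a different conversation with the ISP than a handful of unrelated outside addresses.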
 

Author Comment

by:needmoney
ID: 8097469
Yes, it's port 1024. I've checked some IPs, most of them are live... This is becoming very annoying, I guess I'll just back up everything and reformat. Thanks for all the help.
 
LVL 2

Expert Comment

by:bkrahmer
ID: 8117500
SunBow, I would just like to point out a couple of oversights in your post. First of all, there are three classes of firewall software and/or hardware products sold by Symantec. The Enterprise Firewall product has been winning solid awards. The desktop product is also top-notch, including transparent email and IM scanning, spam blocking, ad blocking, and program blocking. I have been using NIS 2003 for about six months, and I have seen a lot of intrusion attempts, but no false positives.
You also called software that can update itself "an abhorrent security permission beast".  First, to block viruses and the like effectively, you need to act fast when an outbreak is happening.  Secondly, I do not recall any issues where Symantec's LiveUpdate process has been compromised.
You also said that it "makes it extremely difficult to debug any problems when you do not know what latest changes have been".  Again, I have used many Symantec products over the last few years, and out of probably over 100 updates, I've never had a problem.  
I also think that to compare MS to other companies is quite unfair.  MS has a pretty poor security record compared to most.  
I don't think this should be the place for propaganda, and wanted to make a balanced viewpoint.
brian