Solved

Passive/Active problem. Help requested. XP Pro connected via NITIX

Posted on 2006-11-03
Last Modified: 2011-10-03
In advance - I apologize for a) the length of the post and b) the fact that I will have only sporadic and minimal opportunity to follow-up on this post. I will, however, do what I can to facilitate any resolution and everyone's assistance IS appreciated.

Short version - I'm dealing with both a passive spy and an active hack. As you know, Windows does a lot in the background and it is difficult at best to separate the 'file' access of those actions from something more malicious. At the end of this is a partial list of \windows\system32 accesses as an example. Note that the accesses were while in 'Safe Mode' (which isn't!) and AFTER/WHILE I was viewing some gathered info using Notepad (where I've started the list). Note, for example, the tourstart.exe, spider.exe and so forth. Not me.  Not ANYTHING that I was doing. The date/times are 'access'. The info is just to provide an 'example' in case someone might be able to view it and say 'oh yeah, I know what's going on' and also to provide an 'example'.

Please don't respond with the 'standard' about run this scan or that. This is NOT a new 'problem'. I've been analyzing for several months and have run quite a few scans using various products both mainstream and other for spyware, trojans, rootkits, hijack, and so forth. The bottom line is, essentially, that my own legitimate 'system' is being used against me and none of the scans have found anything significant.  I am also aware that I will need to wipe and fully reinstall.  Before that, however, I'd like to acquire some better sense of how/what is/was done in order to prevent (as was the case following the previous wipe/reinstall) re-infection. :-(

The platform is Dell Inspiron 4150 TrueMobile, up-to-date (supposedly) XP Pro SP2, and quite a bit of development software: Visual Studio, Macromedia Studio, SQL 2k desktop, MySQL, Apache, etc.  I PULLED the Dell mini-PCI after determining that 'disabling' the wireless connection was not sufficient and that it was being used. It's a workstation connected to a ('bare' at this point) NITIX server which provides the DSL internet connection. I generally, now, have the XP plug to the server disconnected unless I need it. I use Norton, (supposedly) current, for FW/AV.

I have 2 SPECIFIC multi-point questions at this point of things:

1) In safe mode, ethernet disconnected, mini-PCI removed, no modem cable (it's a Conexant internal), telephony etc. disabled, HOW could it possibly be a 'live' connection?  There have been (although not this specific instance) indications of that.  If NOT 'live' then what is the best tool/approach for isolating the 'process' that is doing the accessing?  Someone/Something quite obviously IS.

2) My CD-RW has been turned into a CD-ROM (because I've been using it to offload some of the 'clues' I have discovered for subsequent analysis). Can't use my external USB CD-RW either.  In fact, at THIS point any access to CD yields "D:\ is not accessible...illegal function". I can copy stuff to my server (when connected) BUT, as the recent loss of a critical file indicated, the info is not safe there. Any ideas as to how to 'quickly' re-enable CD burn capability???  Note that neither repair install, uninstall of drivers/device and reinstall of device, nor loading the burn software associated with my external drive (currently uninstalled) resolves the problem.

ANY help/clues appreciated. I hope I can 'paste' this because I'm vulnerable whenever I connect to the net. THANKS in advance.

John

 Volume in drive C has no label.

 Directory of c:\windows\system32

11/03/2006  02:33 PM            69,120 notepad.exe
11/03/2006  02:36 PM           159,744 scrobj.dll
11/03/2006  02:38 PM            25,065 wmpscheme.xml
11/03/2006  02:38 PM            20,992 wrlzma.dll
11/03/2006  02:38 PM           258,048 wmvds32.ax
11/03/2006  02:38 PM                75 View Channels.scf
11/03/2006  02:38 PM           187,904 main.cpl
11/03/2006  02:39 PM           438,272 shimgvw.dll
11/03/2006  02:39 PM             2,897 mpm.xml
11/03/2006  02:39 PM            86,016 mdmxsdk.dll
11/03/2006  02:39 PM            73,376 mciavi.drv
11/03/2006  02:39 PM            72,704 magnify.exe
11/03/2006  02:39 PM           742,400 ltann11N.dll
11/03/2006  02:39 PM           110,592 ltfil11n.DLL
11/03/2006  02:39 PM            13,312 lsass.exe
11/03/2006  02:39 PM           514,560 logonui.exe
11/03/2006  02:40 PM           607,232 ltocx11n.ocx
11/03/2006  02:40 PM            61,440 MFC71ITA.DLL
11/03/2006  02:41 PM             8,192 staxmem.dll
11/03/2006  02:42 PM           239,104 srrstr.dll
11/03/2006  02:42 PM           737,280 spr32d30.dll
11/03/2006  02:42 PM            31,232 sc.exe
11/03/2006  02:42 PM           397,824 regwizc.dll
11/03/2006  02:42 PM           143,360 rasmontr.dll
11/03/2006  02:42 PM           181,248 rasmans.dll
11/03/2006  02:42 PM           657,920 rasdlg.dll
11/03/2006  02:43 PM            35,840 rcimlby.exe
11/03/2006  02:43 PM            13,824 rdsaddin.exe
11/03/2006  02:43 PM            92,168 rdpdd.dll
11/03/2006  02:44 PM            16,896 winrnr.dll
11/03/2006  02:44 PM         1,309,184 wbdbase.deu
11/03/2006  02:44 PM           163,980 VPCNetS2.dll
11/03/2006  02:44 PM           123,392 umpnpmgr.dll
11/03/2006  02:44 PM           200,704 THREED32.OCX
11/03/2006  02:44 PM           610,304 sspipes.scr
11/03/2006  02:44 PM            17,920 nddeapi.dll
11/03/2006  02:46 PM            53,760 narrator.exe
11/03/2006  02:46 PM           506,368 msxml.dll
11/03/2006  02:46 PM            54,784 msvci70.dll
11/03/2006  02:47 PM             7,168 msr2cenu.dll
11/03/2006  02:47 PM            20,992 msg.exe
11/03/2006  02:47 PM            33,792 msgsvc.dll
11/03/2006  02:48 PM            51,712 wzcsapi.dll
11/03/2006  02:48 PM             6,144 svcpack.dll
11/03/2006  02:49 PM            59,392 streamhlp.dll
11/03/2006  02:49 PM            58,880 resutils.dll
11/03/2006  02:51 PM            50,688 mmcshext.dll
11/03/2006  02:51 PM            41,472 hhsetup.dll
11/03/2006  02:51 PM           413,696 msvcp60.dll
11/03/2006  02:51 PM            60,416 colbact.dll
11/03/2006  02:52 PM             4,096 mtxex.dll
11/03/2006  02:52 PM            66,560 mtxclu.dll
11/03/2006  02:53 PM    <DIR>          CatRoot
11/03/2006  02:53 PM    <DIR>          CatRoot2
11/03/2006  02:53 PM    <DIR>          Com
11/03/2006  02:53 PM    <DIR>          config
11/03/2006  02:53 PM    <DIR>          Dell
11/03/2006  02:53 PM    <DIR>          DirectX
11/03/2006  02:53 PM    <DIR>          dhcp
11/03/2006  02:53 PM    <DIR>          dllcache
11/03/2006  02:53 PM    <DIR>          drivers
11/03/2006  02:53 PM    <DIR>          export
11/03/2006  02:53 PM    <DIR>          ias
11/03/2006  02:53 PM    <DIR>          icsxml
11/03/2006  02:53 PM            53,760 cryptext.dll
11/03/2006  02:54 PM            90,624 trkwks.dll
11/03/2006  02:54 PM            12,288 tracert.exe
11/03/2006  02:54 PM                51 pscript.sep
11/03/2006  02:54 PM            96,768 psbase.dll
11/03/2006  02:56 PM           140,288 sfc_os.dll
11/03/2006  02:56 PM            18,432 secedit.exe
11/03/2006  02:56 PM           144,896 schannel.dll
11/03/2006  03:23 PM    <DIR>          inetsrv
11/03/2006  03:23 PM    <DIR>          IME
11/03/2006  03:23 PM    <DIR>          Logfiles
11/03/2006  03:23 PM    <DIR>          ..
11/03/2006  03:23 PM    <DIR>          .
11/03/2006  03:23 PM            39,936 rshx32.dll
11/03/2006  03:23 PM            56,832 authz.dll
11/03/2006  03:23 PM           114,688 aclui.dll
11/03/2006  03:23 PM            46,080 docprop.dll
11/03/2006  03:23 PM            48,128 docprop2.dll
11/03/2006  03:23 PM            44,032 twext.dll
11/03/2006  03:25 PM         1,179,648 d3d8.dll
11/03/2006  03:28 PM                 2 desktop.ini
11/03/2006  03:28 PM            68,096 shgina.dll
11/03/2006  03:28 PM         2,370,296 wmvcore.dll
11/03/2006  03:28 PM           224,768 wmasf.dll
11/03/2006  03:28 PM           480,768 Audiodev.dll
11/03/2006  03:28 PM           291,840 winsrv.dll
11/03/2006  03:28 PM           397,824 rpcss.dll
11/03/2006  03:28 PM           640,000 dbghelp.dll
11/03/2006  03:28 PM           498,688 clbcatq.dll
11/03/2006  03:28 PM           792,064 comres.dll
11/03/2006  03:28 PM           658,944 wininet.dll
11/03/2006  03:28 PM           431,616 riched20.dll
11/03/2006  03:28 PM           617,472 comctl32.dll
11/03/2006  03:28 PM            28,672 verclsid.exe
11/03/2006  03:28 PM         8,453,632 shell32.dll
11/03/2006  03:37 PM           110,080 imm32.dll
11/03/2006  03:37 PM            20,634 debug.exe
11/03/2006  03:37 PM           347,136 tourstart.exe
11/03/2006  03:37 PM           538,624 spider.exe
11/03/2006  03:37 PM           407,552 mstsc.exe
11/03/2006  03:37 PM           126,976 mshearts.exe
11/03/2006  03:37 PM           146,432 winspool.drv
11/03/2006  03:37 PM           275,456 ulib.dll
Question by:jrs_50
9 Comments
 
LVL 1

Expert Comment

by:Yorkie0362
ID: 17876006
Firstly, the accesses look possibly like a boot-time virus scan.

When you say "live connection" what do you mean?  You categorically cannot have a live connection if you have disabled your external devices. To isolate the process, either use the built-in Task Manager with the I/O Read and I/O Write columns switched on (View > Select Columns); monitoring this should give you a good idea of what is racking up disk activity.  Alternatively, Process Explorer will show exactly what file is open by what process; it can be downloaded from http://www.sysinternals.com/Utilities/ProcessExplorer.html

Lastly, to convert a device detected as CD-ROM back to a CD-RW: in My Computer, right-click the non-functional device, choose Properties, then open the Recording tab and choose "Enable CD Recording on this Drive".
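
Task Manager's I/O columns tell you which process is busy but not which files it touched, and Process Explorer shows open handles only at the instant you look; a burst of short attribute reads like the tourstart.exe/spider.exe/mstsc.exe run in the poster's listing is gone before either refreshes. The usual answer is to log with Filemon (or its successor, Process Monitor) and then aggregate the log per process. The script below is an added example, not code from the thread or from Sysinternals; it assumes the CSV column layout Process Monitor produces, and the sample rows are constructed, not the poster's data. A svchost.exe PID found this way can then be opened in Process Explorer, which lists the service DLLs hosted in that instance.

```python
"""Aggregate per-process file accesses from a Process Monitor CSV export.

Added example, not code from the original thread.  It assumes the column
layout that Sysinternals Process Monitor writes with File > Save > CSV:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail".
Filemon's text export has a different layout; only read_rows() would change.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not data from the poster's machine): one process
# reading attributes of several unrelated system32 executables in a burst.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:33:01.0 PM","notepad.exe","1204","CreateFile","C:\\WINDOWS\\system32\\notepad.exe","SUCCESS","Desired Access: Execute/Traverse"
"3:37:10.1 PM","svchost.exe","876","CreateFile","C:\\WINDOWS\\system32\\tourstart.exe","SUCCESS","Desired Access: Read Attributes"
"3:37:10.2 PM","svchost.exe","876","CreateFile","C:\\WINDOWS\\system32\\spider.exe","SUCCESS","Desired Access: Read Attributes"
"3:37:10.3 PM","svchost.exe","876","CreateFile","C:\\WINDOWS\\system32\\mstsc.exe","SUCCESS","Desired Access: Read Attributes"
"3:37:10.4 PM","svchost.exe","876","CreateFile","C:\\WINDOWS\\system32\\mshearts.exe","SUCCESS","Desired Access: Read Attributes"
"3:37:11.0 PM","explorer.exe","1532","ReadFile","C:\\WINDOWS\\system32\\shell32.dll","SUCCESS","Offset: 0, Length: 4,096"
"3:37:12.0 PM","svchost.exe","876","CreateFile","C:\\Documents and Settings\\user\\ntuser.dat","SUCCESS","Desired Access: Generic Read"
'''


def read_rows(csv_text):
    """One dict per logged event, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def accesses_under(rows, prefix=r"c:\windows\system32"):
    """Map (process name, PID) -> sorted distinct paths it touched under prefix."""
    hits = defaultdict(set)
    for row in rows:
        if row["Path"].lower().startswith(prefix.lower()):
            hits[(row["Process Name"], int(row["PID"]))].add(row["Path"])
    return {key: sorted(paths) for key, paths in hits.items()}


def scanners(by_process, min_distinct=3):
    """Processes that touched at least min_distinct different files under the
    prefix: the 'something is walking system32' pattern.  Returned as
    (process, PID, count) so the PID can be looked up in Process Explorer."""
    return sorted((name, pid, len(paths))
                  for (name, pid), paths in by_process.items()
                  if len(paths) >= min_distinct)


if __name__ == "__main__":
    table = accesses_under(read_rows(SAMPLE_CSV))
    for name, pid, count in scanners(table):
        print(f"{name} (PID {pid}) touched {count} system32 files:")
        for path in table[(name, pid)]:
            print("   ", path)
```

The threshold is deliberately low for the sample; on a real log, raise it and add a time window, and remember that a user-mode logger only records what the kernel lets it see, which is why the later advice in this thread to analyse the disk from outside the running system still applies.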
LVL 4

Author Comment

by:jrs_50
ID: 17876295
Agree...SOME type of scan/use.  However; not boot time and not a virus scan.  I'm quite familiar with TM and ProcessExplorer, filemon, and so forth but have been unable to isolate beyond some relationship to svchost -netsvcs, ctfmon, ntdll, explorer, msmsgs, rstrui, print spooler, machine debug manager/vs7debug, homesite/frontpage/coldfusion/Jasc paintshop, and a few others.  It varies a bit depending upon what I've enabled/disabled.  Basically; SOMETHING IS scanning/mining for applicable components for the purpose of rebuilding/repairing itself.  It's that SOMETHING I'm attempting to isolate.  I'm also attempting to isolate the SOMEONE who has a backdoor into my system and that backdoor.

Regarding 'live connection'.  I agree that it seems quite unreasonable for the 'backdoor' to be in use when there is, so far as I am aware, no communication channel available (no ethernet or modem cable, mini-PCI/wireless board pulled).  Yet there have been indications of that occurring.  I'm basically asking if there is some channel, for example wireless even though I've pulled the mini-PCI, that I'm overlooking somehow.  As for disabling wireless, alone, providing protection; that's a fallacy (think "Tempest"-like process).

There is no 'recording' tab because the system thinks its a DVD/CD-ROM device.  Although as I indicated, at this point, its not usable at all.  See previous post.

Thanks for the feedback/response.  It is appreciated.  I'm still looking for answers.

LVL 1

Expert Comment

by:Yorkie0362
ID: 17876355
OK, you mention rstrui; can you try disabling System Restore? Is it possible it is attempting to create a restore point?

Why don't you run a netstat and post the result? That will show everything that is listening or has connections open.

TEMPEST is technology that reads your monitor by analysing its EM radiation; unless you suspect you are the subject of an NSA or CIA investigation I would generally assume that you are safe.

If a device is disabled in windows...it is disabled, it is not allocated resources and therefore will NOT function.

Can you try another CD-RW device?
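
On XP, `netstat -ano` adds the owning PID to each socket, which is what makes the listing worth posting: a listener on 0.0.0.0 is reachable the moment a cable or radio comes back, and an ESTABLISHED session names the peer. The script below is an added example, not code from the thread; it parses a saved listing and separates exposed listeners from outbound sessions, flagging peers in address space that cannot belong to a real host. The sample text is constructed, not the poster's output; the 240.44.18.242 peer in it is the address the poster's firewall later reports for spooler.exe, and it sits in 240.0.0.0/4, which IANA reserves, so nothing legitimate answers there. One caveat the poster's own report already makes: a parser is only as honest as the netstat that produced the text, so on a suspect box the listing is better taken from the gateway side (the NITIX server) or from a sniffer.

```python
"""Triage a saved `netstat -ano` listing: what is listening, what is talking out.

Added example, not code from the original thread.  Replace NETSTAT_TEXT with
real output (or read it from a file); the sample below is constructed.
"""
import ipaddress

# Constructed sample in XP's `netstat -ano` layout; not the poster's data.
NETSTAT_TEXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.10:1044      240.44.18.242:443      ESTABLISHED     1344
  TCP    192.168.1.10:1045      192.168.1.1:139        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1120
"""


def parse_netstat(text):
    """One dict per socket line.  UDP lines carry no State column on XP."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                      # banner, header, blank lines
        proto, local, foreign = fields[:3]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid})
    return rows


def host(addr):
    """'1.2.3.4:80' -> '1.2.3.4'; '*:*' -> '*'."""
    return addr.rsplit(":", 1)[0]


def exposed_listeners(rows):
    """Sockets not bound to loopback: reachable from the network regardless
    of what the personal firewall claims.  Returns (proto, local, pid)."""
    return [(r["proto"], r["local"], r["pid"]) for r in rows
            if (r["proto"] == "UDP" or r["state"] == "LISTENING")
            and host(r["local"]) != "127.0.0.1"]


def outbound(rows):
    """TCP sockets with a real peer, as (pid, peer, state, bogus_peer).
    bogus_peer is True when the peer is in reserved or multicast space,
    i.e. not an address a routable host can have."""
    found = []
    for r in rows:
        if r["proto"] != "TCP" or r["foreign"] == "0.0.0.0:0":
            continue
        peer = ipaddress.ip_address(host(r["foreign"]))
        found.append((r["pid"], str(peer), r["state"],
                      peer.is_reserved or peer.is_multicast))
    return found


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_TEXT)
    print("exposed listeners:", exposed_listeners(rows))
    for pid, peer, state, bogus in outbound(rows):
        print(f"PID {pid} -> {peer} [{state}]" + ("  <-- reserved space" if bogus else ""))
```

The PIDs map to Task Manager (View > Select Columns > PID) or Process Explorer; a bogus peer with a real PID behind it is worth more attention than the peer itself, since a process trying to reach an address that cannot exist is either misconfigured or talking to something that is rewriting traffic on the way out.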
LVL 4

Author Comment

by:jrs_50
ID: 17877044
Disabled System Restore via System (it's not doing me any good anyway, as part of the 'problem' is that if I attempt a restore I lose admin access via the admin account). It made no difference anyway and I've had to deal with 'restores' going on out of my control even with System Restore disabled.  I believe rstrui is being used for other than the basic "system restore".  It has, since, been turned back on (not sure when/how).  Similarly, indications of backup/restore.

The netstat no longer reports any activity although I know it is occurring (other tools, if I get lucky).  Interestingly, within the past few weeks if I attempt to netdiag (while noting net activity in progress) the activity stops as soon as I TYPE the command and resumes after it completes.  The 'passive' portion of the problem is somehow tied to msmsg, Intuit printer, one or more graphics handlers, encryption, and conf.

I think you will find that you can find Tempest related tools if you search the net.  Either way, there are symptoms or at least circumstantial indications.  As regards investigation.  Not that I'm aware of.   The 'evidence' I've gathered with respect to my problem will be submitted to the feds anyway.  I'm just doing a bit more on my own first.

If a device is disabled in windows...   Yes, supposedly.  Also safemode with no networking should have no networking.  I have indications to the contrary.

As I posted earlier my external (usb) CD-RW manifests the same problems.

Anyway, thanks again.  Must disconnect.  Will try to check back again in case anyone has any ideas I might have overlooked.
LVL 9

Expert Comment

by:paradoxengine
ID: 17877576
Ok, first things first.
If we're dealing with a rootkited machine, there is absolutely NOTHING you can do with THAT very machine. It's the second rule of computer forensic. Let's suppose a very smart and motivated attacker just coded a little piece of code to allocate hardware resources even when you disable them, enable wireless even when you disable it (via software, obv) and so on. There would be absolutely no way to tell using that very system, that's something you learn doing linux rootkits. Yes, you could check syscalls addresses and such, but that would not be of any use.
 First question: are you REALLY sure something is happening due to an attack? Can you test a similar system? Can you clone the system (Ghost 4 Linux) and reproduce this on another machine?
The idea: clone the machine (G4L will do) run it into VmWare (without any network connection) and test it. Even a rootkited machine will be helpless if you run it into a Virtual environment, so you can monitor and see what happens.
 Second question: can you check the size of some core system files and see if there's something strange? (Note you'll have to do it from a Live cd or such, not from XP since it could just lie about filesizes).
 Third: Check for Alternative Data Streams.
 
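
The "check sizes from a Live CD" advice works better as a size-and-hash manifest: a replaced binary padded to its original length passes a `dir` comparison but not a SHA-256 comparison, and the poster's own follow-up says sizes alone were not helping. The script below is an added example, not code from the thread or from any forensic tool. The intended use is to run `manifest()` over the suspect system32 with the disk mounted from a Live CD or on a clean machine (so a rootkit cannot misreport anything), and again over a clean install at the same service-pack and patch level to get the trusted side; XP updates change file sizes and hashes legitimately, so a manifest from a differently patched machine produces noise. `demo()` builds two small constructed trees so the comparison can be seen without real disks. Alternate data streams are not visible to this kind of directory walk and need a separate check.

```python
"""Compare a suspect system32 tree against a trusted manifest by size AND hash.

Added example, not code from the original thread.  manifest() should be run
on the suspect disk from outside the running XP (Live CD or another host)
and on a clean install at the same patch level for the trusted side.
"""
import hashlib
import os
import tempfile


def manifest(root):
    """{relative path (lowercase, '/'-separated): (size, sha256)} for every file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            entries[rel] = (os.path.getsize(full), digest.hexdigest())
    return entries


def compare(trusted, suspect):
    """Files that differ, appeared, or vanished.  'changed' holds
    (path, same_size) so same-length replacements, which a dir listing
    cannot show, stand out."""
    changed = [(p, trusted[p][0] == suspect[p][0])
               for p in sorted(trusted)
               if p in suspect and trusted[p] != suspect[p]]
    added = sorted(set(suspect) - set(trusted))
    missing = sorted(set(trusted) - set(suspect))
    return {"changed": changed, "added": added, "missing": missing}


def _write(root, files):
    """Materialise {relative path: bytes} under root (helper for demo())."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed trees, not real binaries: the suspect copy has explorer.exe
    replaced by a same-length file, one new DLL, and sc.exe deleted."""
    good = {"explorer.exe": b"MZ explorer v1", "lsass.exe": b"MZ lsass",
            "sc.exe": b"MZ sc", "drivers/ndis.sys": b"MZ ndis"}
    bad = dict(good)
    bad["explorer.exe"] = b"MZ explorer v2"   # same length, different bytes
    bad["rdpdd.dll"] = b"MZ rdpdd"             # not in the trusted set
    del bad["sc.exe"]                          # gone from the suspect disk
    with tempfile.TemporaryDirectory() as t, tempfile.TemporaryDirectory() as s:
        _write(t, good)
        _write(s, bad)
        return compare(manifest(t), manifest(s))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Store the trusted manifest somewhere the suspect machine has never written to; a manifest kept on the same disk, or on the server the poster already lost a file from, can be edited along with the files it describes.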
LVL 4

Author Comment

by:jrs_50
ID: 17877896
Your points are valid, and known, and considered.

Yes; I'm CERTAIN I am (have been) dealing with an attack.  Both Symantec and MS recommend notifying the feds and complete reinstall.

No; I can't clone (etc) at this point.  I am looking forward to that when I can but not sure when that might be right now.

I'm aware of the 'difficulty' of analyzing on the system that has been "hijacked".  You are both correct, and incorrect, regarding the "absolutely no way".  I can't go into any details due to the limited time for internet access.  There are conf.exe accesses going on as I type.  Hopefully (minimal) they are not succeeding but I've been unable to determine that.  As for their possibly successfully sending the keyboard input, screen images, and voice input gathered while offline, I can't be certain.

The size of core system files isn't helping.  I'm 80% certain explorer (among others) is compromised but can't confirm.  I also have 'indications' of core-resident modification but haven't had an opportunity to explore that fully; yet.  Should not be able to access JIT debug from the net, but...

Yes; there have been (are?) alternative data streams.  I've been working on that as well.

I left the system on yesterday after a reboot and did nothing until this AM.  I'm working on trying to determine whether the accesses to the print spooler, etc., an hour or so before logging in could have, somehow, been "legitimate" and also trying to determine why the firewall wanted access to the internet for spooler.exe to 240.44.18.242 yesterday morning.  I thought I'd taken care of that and haven't seen it for more than 2 weeks.

Again; your points are valid and I appreciate the feedback.  It's tough trying to deal with this without having anyone for a sounding board.  I'm not inexperienced regarding computers/software but I'm also intelligent enough to know that I don't know everything.  Feedback from EE may help stimulate the brain cells.  Wouldn't be the first time I missed something 'simple' because it failed to come to mind.

Thanks.
LVL 9

Accepted Solution

by: paradoxengine (earned 500 total points)
ID: 17877907
:) I hope my comment helped then.
May I ask why you can't clone? I would do that as the first thing.
Can you monitor the network traffic from a "man in the middle" machine with Wireshark or some sniffer? That would help, provided the attacker is not encrypting the traffic (very likely).
LVL 4

Author Comment

by:jrs_50
ID: 17884713
Well...  Your comments didn't hurt anything.  It is a tough nut to deal with.

Don't have the facilities to clone at the moment or the $.  

You are correct regarding encryption.

Will be replacing the drive and saving it for later analysis along with the other drive and several ASR backups.

Oh well...

Thanks for the sanity check.
LVL 9

Expert Comment

by:paradoxengine
ID: 17885302
Thank you for the accepted answer; anyway, you could go for a clone using G4L (freeware) and a DVD (cheap) :D