  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 262

Backdoor Trojan? Calling Russia constantly.

Hi experts,

I am not one to open attachments, and I didn't. I don't hang around in obviously infected websites. But, during a flurry of Google searches and research on carbon monoxide detectors and meters,

I run ESET Business Edition on my computer for Real Time scanning and weekly scans. It also, obviously, detects malware as they occur, although it didn't detect this. I just happened to have MBAM running (not doing any real time scanning or scheduled scanning -- just there).

It started blocking multiple attempts to access the Internet to sites which were in Russia. I disconnected it from the network and ran MBAM, SAS and ESET scans, all of which only found PUPs.

I have not tried any root kit scans. I am not sure what to do next.  This is Win 7 Pro on a domain run by SBS 2008.

Any help would be appreciated.

Bert

[Screenshot: MBAM message]

Asked by Bert2005

4 Solutions

John Hurst (Business Consultant, Owner) commented:
Try the following (because the process may be running). Download, install and run Process Explorer from Microsoft (Sysinternals). Look on the left side for Explorer and see if there are any strange (alphanumeric) processes. If so, kill them, exit Process Explorer and do NOT restart.

Now run MBAM again and see if it can now remove the Trojans. Hopefully it can. Once done you can restart and see if the problem has been resolved.

You can try TDSSKiller for rootkit viruses.

andreas (System Admin) commented:
Could be all or nothing. If a scan from the infected instance of the operating system does not show anything, then try to boot from an AV boot CD and scan with that. Some malware uses rootkit functionality to hide itself from scanners.

You also could remove the HDD, hook it up to another PC and scan it there, but remember that access to some folders may fail due to NTFS ACLs and ownerships that aren't matching. Changing those so that they will give access is possible but might damage your system or make the ACLs less restrictive.

So best is to scan from an anti-virus boot CD. Or boot a live Linux CD, set up a Samba share, export the whole HDD and scan that share from another PC. This is slow as it's running over the LAN, but the scanner might be better than the one on the live CD.

Bert2005 (Author) commented:
Thanks John and andreas,

Appreciate the quick response. As I do these things, may I be informed of some general information? For instance, I would guess that the computer's Trojan or whatever has tried to reach around four different IP addresses. Given they were blocked, I feel safe. On the other hand, I can't know for sure that MBAM would have stopped all.

During any of these suggestions where I need to download something, should I download it from a non-infected PC and transfer it with a flash drive or something? I mean the longer the malware has to try to find the mothership (if that is the correct term), the more likely it will find it.

If a backdoor is opened on some port, can then the perpetrator place a virus that will be triggered down the road that is undetected? I know the phrase "One infected, always suspected." Ironically, I made an image backup that morning.

John Hurst (Business Consultant, Owner) commented:
You should be quite safe downloading Process Explorer to the problem PC. It is a simple program and just runs (no installation of any consequence).

Keep your image handy in case you need it.

Bert2005 (Author) commented:
Thanks. I just meant isn't it safer to keep the "infected PC" isolated from the LAN by disabling the NIC. I guess I am not quite sure what someone in Russia does once they have a backdoor open. Can they take over the computer, then access the server, etc.?

John Hurst (Business Consultant, Owner) commented:
When back doors exist, yes, they can steal information from your computers. So the quicker you act, the better.

Bert2005 (Author) commented:
I have installed the Process Explorer. There are many processes especially when compared to the one that comes with Windows. So, not sure which one I am looking for. They do give descriptions, but my guess is the Russians would have it sound rule.

John Hurst (Business Consultant, Owner) commented:
If the process has a strange name that may be it (alphanumeric). Otherwise look in programs and features for programs you did not install.

John Hurst (Business Consultant, Owner) commented:
Also (less likely) look for an add-in in Internet Explorer.

andreas (System Admin) commented:
Yes, it might be you have a backdoor on your PC.

Any virus or malware scanner can only show the presence of malware, but it can't prove that your system is clean.

So if the scanner found something you are sure you have a problem.
If it shows nothing you can't say your system is clean; you only know the scanner didn't find something.

Recently attackers change malware quite frequently, sometimes up to every 2 hours on web pages, so chances are small that your scanner will detect all instances of the programs. In our company it usually takes 5-7 days until our scanner detects most of them.
(Recently I've downloaded a threat we got in a targeted attack every 2 hours from the link they spammed to us and submitted every sample to several AV companies. The result you see above: after 5 days still no 100% complete coverage of all sent samples.)

Another great tool is http://live.sysinternals.com/Procmon.exe which lists all unhidden file and registry access by the running processes. Attention: the output is huge, even on a healthy Windows.

Gauthier commented:
Are you sure it is still infected? The PUP found (and I assume cleaned successfully) could be the one responsible for the connection to the Russian server.

John Hurst (Business Consultant, Owner) commented:
It might be cleaned up, but then why would the website attacks continue?

Bert2005 (Author) commented:
Thanks for the feedback. I was waiting a bit, because I ran the MBAM rootkit device. It was kind of weird, because it tried to install and said there was a rootkit (why the hell I didn't write down the name -- started with an "a"). I am sure that is very helpful. Suggested I click on No. But, I installed and ran the scanner. I haven't had an attempt for over two hours.

Unfortunately, I checked and block malicious websites wasn't checked anymore on MBAM. But, I set it back an hour ago and nothing. Now the question I have, and I am a rookie at this, is the following. If this malware was sending requests to the Russians (another cold war) but kept getting blocked, would it not continue indefinitely? But, if one got through allowing the hacker to open a port for its use, would the malware know enough to stop trying? In other words, MBAM's not blocking anything is a good thing -- I mean no attempts are occurring, because the malware is gone -- or a bad thing if it isn't trying.

I did use Gibson Research Corporation. Everything looks good except it states that 25, 443 and 987 are open. Those would be SMTP, SSL and SharePoint, correct? I don't know what they would do with this. Are they supposed to appear open? I get very confused with GRC. I mean it is open with https anyway.

Thanks.

John Hurst (Business Consultant, Owner) commented:
Ports 25 and 995 are mail ports. 987 is for SharePoint if you are using it. 443 is for https which we use. So these are normal and you could be fine now.

Bert2005 (Author) commented:
Thanks John. Yes, you are correct about the ports. But, why does Steve get all bent out of shape when his probes find them open. I suppose you would use port 443 to send packets to a site such as CitiBank. Your router would then accept the reply. So, this would have been the case with GRC as it is HTTPS during the entire connection, but who am I to argue with Steve Gibson.

I don't know why SharePoint's port would always be open. Again, this is info provided by GRC. I can connect to SharePoint from outside the network using SSL, but it is mostly used for internal use hence the term company web.

This is where I falter a bit. Port 3389 which used to be used mainly for RDP is now handled by the server's RD Gateway. Port 3389 was probed many, many times daily so I don't quite get the difference between 3389's risk and 25's risk.

John Hurst (Business Consultant, Owner) commented:
You are correct about 3389. 25 is an unsecured SMTP port for POP3 email.

Bert2005 (Author) commented:
It's interesting, because the log files of MBAM show about ten ports that were used as outgoing with either a dllhost.exe process or wextract.exe process. When I specifically probe them to see if they are open, they are stealthed. Again, according to Steve Gibson.

John Hurst (Business Consultant, Owner) commented:
There isn't much more I can do from here. The ports you are naming are normal. GRC just notes these for your information.

If you want to see traffic in and out, you can use something like Wireshark (free) or CommView (paid), which are packet sniffers.

Bert2005 (Author) commented:
Well, I entered and probed every port used by this Trojan. They are all closed. I am assuming that if they were backdoors, they would show as open. I am hoping everything is fine. MBAM (which is not even my main A/V -- I generally use it when I am looking for something) is what stopped everything -- we hope. Of course, maybe it is 5 ms quicker than ESET.

I am going to go with the assumption (I know) that the malicious program is no longer there and not that it worked and no longer needs to do anything.

I am going to keep the question open until at least tomorrow in case something changes.

John Hurst (Business Consultant, Owner) commented:
"I am assuming that if they were backdoors, they would show as open." Probably. Since there are no more web attack notices, I think you are fine. My earlier responses were geared to the web attack notices. Let us see what tomorrow brings.

andreas (System Admin) commented:
Actually there should be no listening ports open. For usage of the web and e-mail we use OUTgoing connections to the servers on those ports. The GRC scan detects running SERVER ports on the IP you are coming from.

But depending on your setup this also can be caused by OTHER users (if you are behind a Carrier Grade NAT, e.g. in Germany on cable networks).

But if you have your OWN public IP then these ports should definitely be CLOSED and not open; they should only be open if you RUN a web server and mail server.

Port 25 isn't for POP, it's for SMTP only.

So please check your system including your router again; maybe those ports are opened by your router as it provides web administration and/or mail services.

Open ports on Windows you can see with the command

netstat -an|more

The ports open are labeled with LISTENING. If port 25 and the other mentioned ports are open, then it's your Windows box.

If the ports aren't shown open they still could be opened by a rootkit, which HIDES the output from netstat.

In this case you should perform a port scan from another device on your network to the machine with the suspected malware.

McKnife commented:
First I did not want to participate, but this has grown into a funny thread!

If you have made out a rootkit infection, restore your computer from your last known good image backup. If no image is at hand, backup your data, reinstall and restore your data after making sure that no file infector has worked on those files. There is no room for arguing. Bert is no expert at malware removal, so he is not in the position to try and clean it, nor will it be sufficient to follow the advice of experts (that themselves sometimes seem to be confusing listening ports with ports that your software uses at the remote server).

If you are interested in what infection that is, you should be able to rescan for that rootkit or look at the log of the previous scan. Also, you should be able to locate the executable that your screenshot shows (there is one with the same name belonging to windows, that won't be it). That executable can be uploaded to https://www.virustotal.com/ so that you get an idea of what it probably is.
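Two of the checks suggested in this thread (John's "strange alphanumeric process names" in Process Explorer, and McKnife's point that the genuine Windows binary with the same name is not the one to upload) can be scripted rather than eyeballed. The following Python is an added example, not code from the thread or from Process Explorer, MBAM or VirusTotal. It takes a list of (PID, image path) pairs, the two columns you would copy from Process Explorer or from `wmic process get processid,executablepath` on the suspect machine (the list below is constructed), flags a Windows binary name running outside the Windows directories and any random-looking image name, and hashes a file so the SHA-256 can be searched on VirusTotal before deciding whether to upload it. The directory list, the binary names and the "random name" threshold are assumptions, not facts from the thread.

```python
"""
Process-list triage for the two signs discussed in this thread: a Windows binary
name (dllhost.exe, wextract.exe, ...) running from outside the Windows system
directories, and an image name that looks like random alphanumerics. Also hashes
a file so its SHA-256 can be searched on VirusTotal before uploading anything.
Added example, not from the thread; SAMPLE_PROCESSES below is constructed.
"""
import hashlib
from pathlib import PureWindowsPath

# Assumption: on a default Win7 install these names live only under these directories.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
SYSTEM_BINARIES = {"dllhost.exe", "wextract.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

# Constructed sample of (PID, image path): the columns you would take from
# Process Explorer or `wmic process get processid,executablepath`.
SAMPLE_PROCESSES = [
    (1204, r"C:\Windows\System32\dllhost.exe"),
    (3380, r"C:\Users\bert\AppData\Local\Temp\dllhost.exe"),
    (3412, r"C:\Users\bert\AppData\Local\Temp\IXP000.TMP\wextract.exe"),
    (2096, r"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"),
    (3520, r"C:\ProgramData\k3jd9f2a\k3jd9f2a.exe"),
]


def _under_system_dir(parent):
    """True if `parent` (lower-cased) is one of SYSTEM_DIRS or a subdirectory of one."""
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def looks_random(stem):
    """Heuristic for names such as 'k3jd9f2a': at least 6 chars, letters and digits
    mixed, and a quarter or more of the characters are digits. A lead, not a verdict."""
    if len(stem) < 6:
        return False
    digits = sum(ch.isdigit() for ch in stem)
    letters = sum(ch.isalpha() for ch in stem)
    return digits > 0 and letters > 0 and digits / len(stem) >= 0.25


def triage(processes):
    """Return (pid, path, reason) for every process worth a closer look."""
    findings = []
    for pid, image_path in processes:
        path = PureWindowsPath(image_path)
        name = path.name.lower()
        parent = str(path.parent).lower()
        if name in SYSTEM_BINARIES and not _under_system_dir(parent):
            findings.append((pid, image_path, "system binary name outside Windows dirs"))
        if looks_random(path.stem):
            findings.append((pid, image_path, "random-looking image name"))
    return findings


def sha256_hex(data):
    """SHA-256 of in-memory bytes; search this on VirusTotal before uploading the file."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(file_path):
    """Same digest for a file on disk, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(file_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for pid, path, reason in triage(SAMPLE_PROCESSES):
        print(f"PID {pid:>5}  {reason:<40}  {path}")
```

A hit from this script is a reason to look closer (parent process, signature, network connections), not proof of infection; the same applies in reverse, since a rootkit can hide a process from every user-mode listing, which is why the thread's advice to scan from a boot CD or restore the image still stands.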

Bert2005 (Author) commented:
Thanks McKnife,

You are correct that I am no expert with malware removal or detection. I, too, am confused with the port discussion. I do have Exchange so I guess that would account for SMTP or 25. 443 is open. There I am confused, because I thought you used either 80 (HTTP) or 443 (SSL). I can't account for SharePoint.

I do have a good image.

McKnife commented:
If you have an image, why bother worrying if something still remains? Use the image.
Since you said this is Win7, no Exchange can be installed on it. So no Exchange ports will be open! Neither is your Win7 a SharePoint server... if those are open, and you have no explanation, then well, it's probably the virus.
We could start and analyze what processes use the ports:
netstat -bano |findstr 443

Tells you what process ID listens on 443. Then you can open Task Manager, have it list the process ID and there you have the process that has opened that port... same for the other ports.

But what's the use? There was a rootkit infection which is serious and you have an image.
All that analysis would be good for is forensics, not for cleaning. Rootkits are able to hide processes, TCP/IP connections, files and so on, you would never be sure that all is gone unless you monitored it constantly for outgoing traffic - not desirable. Image!
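andreas's distinction between ports this machine listens on and outgoing connections to a remote server's port, and McKnife's `netstat -bano | findstr 443` step, are both easier to get right with the netstat columns parsed than with a string match. The following Python is an added example, not code from the thread: it parses `netstat -ano` output in the Windows column layout (the text below is constructed, with 203.0.113.10 standing in for the blocked remote address and the PIDs invented), separates TCP listeners from client connections, maps ports to PIDs, and compares the local listener set against what a port scan from another LAN host found open, which is the check andreas suggests for a rootkit that hides sockets from netstat. The column layout and sample values are assumptions.

```python
"""
Parse `netstat -ano` (Windows column layout) and separate what the thread conflates:
ports this host LISTENS on (server sockets, the thing an external probe such as the
GRC scan can find open) versus outbound client connections to a remote 25/443, which
never show as open from outside. Also diff local listeners against an external scan.
Added example; SAMPLE_NETSTAT is constructed, not taken from the thread.
Usage on the suspect box: `netstat -ano > netstat.txt`, then parse_netstat(open(...).read()).
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1188
  TCP    0.0.0.0:49999          0.0.0.0:0              LISTENING       3380
  TCP    192.168.1.50:49812     203.0.113.10:443       ESTABLISHED     2096
  TCP    192.168.1.50:49813     203.0.113.10:25        SYN_SENT        3380
  TCP    192.168.1.50:49815     192.168.1.5:443        ESTABLISHED     1572
  UDP    0.0.0.0:500            *:*                                    1024
"""


def _split_addr(addr):
    """'192.168.1.50:49812' -> ('192.168.1.50', 49812); '*:*' -> ('*', None).
    rpartition keeps IPv6 forms such as '[::]:135' intact."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return a Conn per TCP/UDP row; banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""  # UDP rows carry no State column
        lip, lport = _split_addr(local)
        rip, rport = _split_addr(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def listening_ports(conns):
    """TCP server sockets, port -> PID. Only these can show as open to an outside scan."""
    return {c.local_port: c.pid for c in conns if c.proto == "TCP" and c.state == "LISTENING"}


def outbound_to_port(conns, port):
    """Client connections whose REMOTE port is `port` (e.g. HTTPS to a web server).
    These are what a plain `findstr 443` also matches, but they are not open ports here."""
    return [c for c in conns if c.proto == "TCP" and c.remote_port == port and c.state != "LISTENING"]


def connections_for_pid(conns, pid):
    """Everything one process has open: the PID -> Task Manager step from the thread."""
    return [c for c in conns if c.pid == pid]


def hidden_listeners(conns, externally_open):
    """Ports an external scan (run from another LAN host) found open that local netstat
    does not report as LISTENING. A non-empty result means netstat's view is not trustworthy."""
    return sorted(set(externally_open) - set(listening_ports(conns)))


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(conns))
    print("outbound to 443:", [(c.remote_ip, c.pid) for c in outbound_to_port(conns, 443)])
    print("PID 3380 owns:", connections_for_pid(conns, 3380))
    print("hidden:", hidden_listeners(conns, {135, 445, 3389, 49999, 4444}))
```

`findstr 443` matches the digits anywhere on the line, so it also returns outbound sessions to a remote 443 and local ephemeral ports such as 49443; that is exactly how an ordinary HTTPS connection gets mistaken for an open port. Run `netstat -bano` from an elevated prompt to get the executable name alongside the PID. For the external check, scan the suspect host from another machine on the LAN (for example `nmap -p- <ip>`) and pass the open ports to hidden_listeners(); a port reachable from the network but missing from local netstat output is the case where only an offline scan or the image restore gives a trustworthy answer.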

Bert2005 (Author) commented:
Thanks for waiting. I am doing the image. My issue is I don't always trust restores. It's not that they don't work; I do like the idea that they have all the files that can be mounted, but it seems so easy to just say image, and I get a bit nervous. I apologize.

Anyway, continuing to work on it. Christmas and all. By the way, Merry Christmas to everyone or Happy Holidays. Can't remember if I said that.

Bert2005 (Author) commented:
It would really be nice if you knew the virus was gone. I do think I removed it which is why I gave Gauthier points, albeit small. Prior to finding a root kit and removing it, I was getting calls to the Internet nearly every minute. After none. But, who's to say that didn't mean a different call to a different server using a different IP wasn't successful. Or maybe once it succeeded, it was programmed to stop trying other IP addresses.

As to the restore, it was fun as usual. I was kind of fortunate as I was planning on cloning my 250 GB Samsung SSD to a 1 TB one. So, I removed the SSD with the possible virus and installed the 1 TB SSD. I then tried to restore the image to the new SSD, and it continued to have errors and stop. So, I thought that maybe it needed to be formatted. I installed a copy of Win 7 Pro to it, then restored to that, and it worked fine. I have a new image of Windows from last Saturday. Given this is a client, there are no major changes. The log files of MBAM show nothing resembling a virus or the attempted connections to the Internet.

So, I guess I am in the clear. Is it not possible to do a bare metal restore of an image to a brand new SSD? I did try a deploy to new hardware, which did not work either.

Thanks.

Bert

John Hurst (Business Consultant, Owner) commented:
Thank you, and I do hope you are clear. I keep myself behind a VPN hardware firewall and also a software firewall, so Russia never calls (thankfully).

Bert2005 (Author) commented:
I am behind a Cisco and Windows firewall, but when what looks like a perfectly good website installs a Trojan, all ports going out are open by default. Personally, I think MBAM stopped all attempts.

John Hurst (Business Consultant, Owner) commented:
"but when what looks like a perfectly good website installs a Trojan, all ports going out are open by default"

That is why we must always keep our guard up. Socially engineered websites snare a lot of victims.
