Solved

Backdoor Trojan? Calling Russia constantly.

Posted on 2014-12-21
230 Views
Last Modified: 2014-12-27
Hi experts,

I am not one to open attachments, and I didn't. I don't hang around in obviously infected websites. But, during a flurry of Google searches and research on carbon monoxide detectors and meters,

I run ESET Business Edition on my computer for Real Time scanning and weekly scans. It also, obviously, detects malware as they occur, although it didn't detect this. I just happened to have MBAM running (not doing any real time scanning or scheduled scanning -- just there).

It started blocking multiple attempts to access the Internet to sites which were in Russia. I disconnected it from the network and ran MBAM, SAS and ESET scans, all of which only found PUPs.

I have not tried any root kit scans. I am not sure what to do next.  This is Win 7 Pro on a domain run by SBS 2008.

Any help would be appreciated.

Bert

MBAM message
Question by:Bert2005
29 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 75 total points
ID: 40512002
Try the following (because the process may be running). Download, install and run Process Explorer from Microsoft (Sysinternals). Look on the left side for Explorer and see if there are any strange (alphanumeric) processes. If so, kill them, exit Process Explorer and do NOT restart.

Now run MBAM again and see if it can now remove the Trojans. Hopefully it can. Once done you can restart and see if the problem has been resolved.

You can try TDSSKiller for rootkit viruses.
0
 
LVL 11

Expert Comment

by:andreas
ID: 40512005
Could be all or nothing. If a scan from the infected instance of the operating system does not show anything, then try to boot from an AV boot CD and scan with that. Some malware uses rootkit functionality to hide itself from scanners.

You could also remove the HDD, hook it up to another PC and scan it there, but remember that access to some folders may fail due to NTFS ACLs and ownerships that aren't matching. Changing those so that they will give access is possible but might damage your system or make the ACLs less restrictive.

So best is to scan from an anti-virus boot CD. Or boot a live Linux CD, set up a Samba share, export the whole HDD and scan that share from another PC. This is slow as it's running over the LAN, but the scanner might be better than the one on the live CD.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40512012
Thanks John and andreas,

Appreciate the quick response. As I do these things, may I be informed of some general information? For instance, I would guess that the computer's Trojan or whatever has tried to reach around four different IP addresses. Given they were blocked, I feel safe. On the other hand, I can't know for sure that MBAM would have stopped all.

During any of these suggestions where I need to download something, should I download it from a non-infected PC and transfer it with a flash drive or something? I mean the longer the malware has to try to find the mothership (if that is the correct term), the more likely it will find it.

If a backdoor is opened on some port, can then the perpetrator place a virus that will be triggered down the road that is undetected? I know the phrase "One infected, always suspected." Ironically, I made an image backup that morning.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40512018
You should be quite safe downloading Process Explorer to the problem PC. It is a simple program and just runs (no installation of any consequence).

Keep your image handy in case you need it.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40512022
Thanks. I just meant isn't it safer to keep the "infected PC" isolated from the LAN by disabling the NIC. I guess I am not quite sure what someone in Russia does once they have a backdoor open. Can they take over the computer, then access the server, etc.?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40512027
When back doors exist, yes, they can steal information from your computers. So the quicker you act, the better.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40512030
I have installed the Process Explorer. There are many processes especially when compared to the one that comes with Windows. So, not sure which one I am looking for. They do give descriptions, but my guess is the Russians would have it sound rule.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40512039
If the process has a strange name that may be it (alphanumeric). Otherwise look in programs and features for programs you did not install.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40512046
Also (less likely) look for an add-in in Internet Explorer.
0
 
LVL 11

Assisted Solution

by:andreas
andreas earned 150 total points
ID: 40512047
Yes it might be you have a backdoor on your PC.

Any Virus or malwarescanner can only show the presence of malware but it cant prove that your system is clean.

So if the scanner found something you are sure you have a problem,
If it shows nothing you cant say your system is clean, you only know the scanner didnt found someting.

Recently attackers change malware quite frequently, sometimes up to every 2 hours on web pages, so chances are small that your scanner will detect all instances of the programs. In our company it usually takes 5-7 days until our scanner detects most of them.
(Recently I've downloaded a threat we got in a targeted attack every 2 hours from the link they spammed to us and submitted every sample to several AV companies. The result you see above: after 5 days still no 100% complete coverage of all sent samples.)

Another great tool is http://live.sysinternals.com/Procmon.exe which lists all unhidden file and registry access by the running processes. Attention the output amount is huge, even on a healthy windows.
0
 
LVL 7

Assisted Solution

by:Gauthier
Gauthier earned 50 total points
ID: 40512124
Are you sure it is still infected? The PUP found (and I assume cleaned successfully) could be the one responsible for the connection to the Russian server.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40512125
It might be cleaned up, but then why would the website attacks continue?
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40512203
Thanks for the feedback. I was waiting a bit, because I ran the MBAM rootkit device. It was kind of weird, because it tried to install and said there was a rootkit (why the hell I didn't write down the name -- started with an "a"). I am sure that is very helpful. Suggested I click on No. But, I installed and ran the scanner. I haven't had an attempt for over two hours.

Unfortunately, I checked and block malicious websites wasn't checked anymore on MBAM. But, I set it back an hour ago and nothing. Now the question I have, and I am a rookie at this, is the following. If this malware was sending requests to the Russians (another cold war) but kept getting blocked, would it not continue indefinitely? But, if one got through allowing the hacker to open a port for its use, would the malware know enough to stop trying? In other words, MBAM's not blocking anything is a good thing -- I mean no attempts are occurring, because the malware is gone -- or a bad thing if it isn't trying.

I did use Gibson's Research Corporation. Everything looks good except it states that 25, 443 and 987 are open. Those would be SMTP, SSL and SharePoint, correct? I don't know what they would do with this. Are they supposed to appear open. I get very confused with GRC. I mean it is open with https anyway.

Thanks.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40512210
Ports 25 and 995 are mail ports. 987 is for SharePoint if you are using it. 443 is for https which we use.  So these are normal and you could be fine now.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40512222
Thanks John. Yes, you are correct about the ports. But, why does Steve get all bent out of shape when his probes find them open. I suppose you would use port 443 to send packets to a site such as CitiBank. Your router would then accept the reply. So, this would have been the case with GRC as it is HTTPS during the entire connection, but who am I to argue with Steve Gibson.

I don't know why SharePoint's port would always be open. Again, this is info provided by GRC. I can connect to SharePoint from outside the network using SSL, but it is mostly used for internal use hence the term company web.

This is where I falter a bit. Port 3389 which used to be used mainly for RDP is now handled by the server's RD Gateway. Port 3389 was probed many, many times daily so I don't quite get the difference between 3389's risk and 25's risk.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40512227
You are correct about 3389. 25 is an unsecured SMTP port for POP3 email.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40512228
It's interesting, because the log files of MBAM show about ten ports that were used as outgoing with either a dllhost.exe process or wextract.exe process. When I specifically probe them to see if they are open, they are stealthed. Again, according to Steve Gibson.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40512233
There isn't much more I can do from here. The ports you are naming are normal. GRC just notes these for your information.

If you want to see traffic in and out, you can use something like Wire Shark (free) or Comm View (paid) which are packet sniffers.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40512238
Well, I entered and probed every port used by this Trojan. They are all closed. I am assuming that if they were backdoors, they would show as open. I am hoping everything is fine. MBAM (which is not even my main A/V -- I generally use it when I am looking for something) is what stopped everything -- we hope. Of course, maybe it is 5 ms quicker than ESET.

I am going to go with the assumption (I know) that the malicious program is no longer there and not that it worked and no longer needs to do anything.

I am going to keep the question open until at least tomorrow in case something changes.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40512244
I am assuming that if they were backdoors, they would show as open. Probably. Since no more web attack notices, I think you are fine. My earlier responses were geared to the web attack notices. Let us see what tomorrow brings.
0
 
LVL 11

Expert Comment

by:andreas
ID: 40512516
Actually there should be no listening ports open. For usage of the web and e-mail we use OUTgoing connections to the servers on those ports. The GRC scan detects running SERVER ports on the IP you are coming from.

But depending on your setup this also can be caused by OTHER users (if you are behind a Carrier Grade NAT, e.g. in Germany on cable networks).

But if you have your OWN public IP then these ports should definitely be CLOSED and not open; they should only be open if you RUN a web server and mail server.

Port 25 isn't for POP, it's for SMTP only.

So please check your system including your router again; maybe those ports are opened by your router as it provides web administration and/or mail services.

Open ports on Windows you can see with the command

netstat -an | more

The ports open are labelled LISTENING. If port 25 and the other mentioned ports are open, then it's your Windows box.

If the ports aren't shown open they still could be opened by a rootkit, which HIDES the output from netstat.

In this case you should perform a port scan from another device on your network to the machine with the suspected malware.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40512821
First I did not want to participate, but this has grown a funny thread!

If you have made out a rootkit infection, restore your computer from your last known good image backup. If no image is at hand, backup your data, reinstall and restore your data after making sure that no file infector has worked on those files. There is no room for arguing. Bert is no expert at malware removal, so he is not in the position to try and clean it, nor will it be sufficient to follow the advice of experts (that themselves sometimes seem to be confusing listening ports with ports that your software uses at the remote server).

If you are interested in what infection that is, you should be able to rescan for that rootkit or look at the log of the previous scan. Also, you should be able to locate the executable that your screenshot shows (there is one with the same name belonging to windows, that won't be it). That executable can be uploaded to https://www.virustotal.com/ so that you get an idea of what it probably is.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40514164
Thanks McKnife,

You are correct that I am no expert with malware removal or detection. I, too, am confused with the port discussion. I do have Exchange so I guess that would account for SMTP or 25. 443 is open. There I am confused, because I thought you used either 80 (HTTP) or 443 (SSL). I can't account for SharePoint.

I do have a good image.
0
 
LVL 53

Accepted Solution

by:McKnife
McKnife earned 225 total points
ID: 40515022
If you have an image, why bother worrying if something still remains? Use the image.
Since you said, this is win7, no exchange can be installed on it. So no exchange ports will be open! Neither your win7 is a sharepoint server...if those are open, and you have no explanation, then well, it's probably the virus.
We could start and analyze what processes use the ports:
netstat -bano | findstr 443

Tells you what process id listens on 443. Then you can open task manager, have it list the process ID and there you have the process that has opened that port...same for the other ports.

But what's the use? There was a rootkit infection which is serious and you have an image.
All that analysis would be good for is forensics, not for cleaning. Rootkits are able to hide processes, TCP/IP connections, files and so on, you would never be sure that all is gone unless you monitored it constantly for outgoing traffic - not desirable. Image!
0
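The two checks above (andreas' netstat listing plus a port scan from another machine, and McKnife's netstat -bano lookup of the owning process) combined into one small script. This is an added example, not code from the thread: the netstat output, the PID-to-image table and the externally scanned port set are constructed stand-ins, and the IP addresses are made up. Note that `findstr 443` matches any line containing 443, including remote ports and 4430, so the script filters on the local port and the LISTENING state instead.

```python
"""Cross-check what Windows says is listening against what another host can reach.

Added example, not from the original thread. NETSTAT_SAMPLE is constructed text
in the shape of `netstat -ano` output, TASKLIST_SAMPLE a constructed PID ->
image-name table (what `tasklist` gives you), and EXTERNAL_OPEN_SAMPLE stands in
for the result of a port scan run from a second machine on the LAN (e.g. nmap).
All addresses are made up.
"""
import re
from collections import defaultdict

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1124
  TCP    192.168.1.20:49731     95.213.0.10:443        SYN_SENT        2380
  TCP    192.168.1.20:49733     5.45.64.20:8080        ESTABLISHED     2380
  UDP    0.0.0.0:5355           *:*                                    1056
"""

# Constructed PID -> image name table.
TASKLIST_SAMPLE = {4: "System", 812: "svchost.exe", 1124: "svchost.exe",
                   2380: "dllhost.exe", 1056: "svchost.exe"}

# Constructed: ports a scan from a second machine reported open on 192.168.1.20.
EXTERNAL_OPEN_SAMPLE = {135, 445, 3389, 4444}

# proto, local addr:port, foreign addr:port, optional state (UDP has none), PID
_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "raddr": raddr, "rport": rport, "state": state or "",
                     "pid": int(pid)})
    return rows


def listening_ports(rows):
    """Map each TCP LISTENING local port to its owning PID (the -o view)."""
    return {r["lport"]: r["pid"] for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def hidden_listeners(rows, external_open):
    """Ports reachable from another host that the local netstat does not show.

    A non-empty result is the discrepancy andreas described: something accepts
    connections but is absent from the local socket table (rootkit), or netstat
    ran without enough privilege. Either way, stop trusting the box's own view.
    """
    return sorted(set(external_open) - set(listening_ports(rows)))


def outbound_by_image(rows, tasklist):
    """Group outbound TCP endpoints (anything not LISTENING) by process image."""
    out = defaultdict(list)
    for r in rows:
        if r["proto"] != "TCP" or r["state"] == "LISTENING":
            continue
        image = tasklist.get(r["pid"], "pid %d" % r["pid"])
        out[image].append((r["raddr"], r["rport"], r["state"]))
    return dict(out)


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("listening:", listening_ports(rows))
    print("open externally but hidden locally:",
          hidden_listeners(rows, EXTERNAL_OPEN_SAMPLE))
    for image, endpoints in outbound_by_image(rows, TASKLIST_SAMPLE).items():
        print(image, "->", endpoints)
```

Run `netstat -ano` from an elevated prompt (so every owner PID is readable) and `tasklist` on the suspect machine, scan it with nmap from a second machine, and feed all three in. A port that the scan reports open but the local LISTENING list lacks is exactly the discrepancy a rootkit produces, and is a reason to restore from the image rather than keep cleaning, which is where McKnife lands anyway.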
 
LVL 1

Author Comment

by:Bert2005
ID: 40519920
Thanks for waiting. I am doing the image. My issue is I don't always trust restores. It's not that they don't work; I do like the idea that they have all the files that can be mounted, but it seems so easy to just say image, and I get a bit nervous. I apologize.

Anyway, continuing to work on it. Christmas and all. By the way, Merry Christmas to everyone or Happy Holidays. Can't remember if I said that.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40520092
It would really be nice if you knew the virus was gone. I do think I removed it which is why I gave Gauthier points, albeit small. Prior to finding a root kit and removing it, I was getting calls to the Internet nearly every minute. After none. But, who's to say that didn't mean a different call to a different server using a different IP wasn't successful. Or maybe once it succeeded, it was programmed to stop trying other IP addresses.

As to the restore, it was fun as usual. I was kind of fortunate as I was planning on cloning my 250 GB Samsung SSD to a 1 TB one. So, I removed the SSD with the possible virus and installed the 1 TB SSD. I then tried to restore the image to the new SSD, and it continued to have errors and stop. So, I thought that maybe it needed to be formatted. I installed a copy of Win 7 Pro to it, then restored to that, and it worked fine. I have a new image of Windows from last Saturday. Given this is a client, there are no major changes. The log files of MBAM show nothing resembling a virus or the attempted connections to the Internet.

So, I guess I am in the clear. Is it not possible to do a bare metal restore of an image to a brand new SSD? I did try a deploy to new hardware, which did not work either.

Thanks.

Bert
0
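Bert's observation (blocked calls from dllhost.exe and wextract.exe nearly every minute, then silence after the rootkit was removed) is the classic beacon pattern, and it can be pulled out of a blocked-connection log mechanically rather than by eyeballing MBAM. This is an added example, not from the thread and not MBAM's log format: the log lines, process names, timestamps and IPs are constructed in a simple "timestamp verdict image dest:port" shape, and the thresholds are assumptions.

```python
"""Find periodic ("beaconing") outbound attempts in a blocked-connection log.

Added example, not from the original thread. BLOCKED_LOG_SAMPLE is constructed
in a simple "timestamp verdict image dest:port" shape; it is not MBAM's real
log format, and the process names, times and IPs are made up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BLOCKED_LOG_SAMPLE = """\
2014-12-21 10:00:03 BLOCKED dllhost.exe 95.213.0.10:443
2014-12-21 10:01:02 BLOCKED dllhost.exe 95.213.0.10:443
2014-12-21 10:02:04 BLOCKED dllhost.exe 95.213.0.10:443
2014-12-21 10:03:01 BLOCKED dllhost.exe 95.213.0.10:443
2014-12-21 10:04:03 BLOCKED dllhost.exe 95.213.0.10:443
2014-12-21 10:05:02 BLOCKED wextract.exe 5.45.64.20:8080
2014-12-21 10:06:03 BLOCKED wextract.exe 5.45.64.20:8080
2014-12-21 10:07:02 BLOCKED wextract.exe 5.45.64.20:8080
2014-12-21 10:07:30 BLOCKED chrome.exe 203.0.113.9:80
2014-12-21 10:12:10 BLOCKED chrome.exe 203.0.113.9:80
2014-12-21 10:40:55 BLOCKED chrome.exe 203.0.113.9:80
"""


def parse_log(text):
    """Return (timestamp, image, ip, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        ip, port = parts[4].rsplit(":", 1)
        events.append((ts, parts[3], ip, int(port)))
    return events


def beacon_candidates(events, min_events=3, max_jitter=0.2):
    """Endpoints contacted on a regular cadence, keyed by (image, ip, port).

    Jitter is pstdev/mean of the gaps between attempts (assumed thresholds):
    near 0 means a timer is firing; a browser, or a retry with backoff, gives
    gaps all over the place and a jitter well above 0.2.
    """
    by_key = defaultdict(list)
    for ts, image, ip, port in events:
        by_key[(image, ip, port)].append(ts)
    found = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            found[key] = {"count": len(stamps), "interval_s": round(avg, 1),
                          "jitter": round(jitter, 3), "last_seen": stamps[-1]}
    return found


def silence(found, now):
    """Seconds since each beacon was last seen.

    A long silence is what you hope for after cleanup, but it is also what a
    beacon that finally reached its server and switched channels looks like,
    so it is evidence, not proof.
    """
    return {key: (now - stats["last_seen"]).total_seconds()
            for key, stats in found.items()}


if __name__ == "__main__":
    found = beacon_candidates(parse_log(BLOCKED_LOG_SAMPLE))
    for key, stats in found.items():
        print(key, stats)
    print(silence(found, datetime(2014, 12, 21, 12, 0, 0)))
```

On the constructed sample the two system-named processes come out with a 60 second interval and almost no jitter, while the browser's three blocked requests do not qualify. The `silence` figure is the number Bert was reasoning about: it tells you the attempts stopped, not why, which is why McKnife's answer (restore the image) is the safe one.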
 
LVL 90

Expert Comment

by:John Hurst
ID: 40520116
Thank you, and I do hope you are clear. I keep myself behind a VPN hardware firewall and also a software firewall, so Russia never calls (thankfully).
0
 
LVL 1

Author Comment

by:Bert2005
ID: 40520119
I am behind a Cisco and Windows firewall, but when what looks like a perfectly good website installs a Trojan, all ports going out are open by default. Personally, I think MBAM stopped all attempts.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40520121
but when what looks like a perfectly good website installs a Trojan, all ports going out are open by default

That is why we must always keep our guard up. Socially engineered websites snare a lot of victims.
0
