Mischel Internet Security Forum > Internet Security > Firewalls
Nov 21st, 2008, 3:43pm
Topic: Trojans, FWs and outbound protection (Read 734 times)

mozar (Highly Honored Mass-Poster, Posts: 1524)
Trojans, FWs and outbound protection
« on: Nov 6th, 2003, 5:11pm »

Hello,

  "Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP43\A0010617.exe (KLog.Perfect)
  Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP54\A0012952.exe (KLog.Perfect)
  Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP61\A0013162.exe (KLog.Perfect)
  Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP65\A0015481.exe (Netbus.170)
  Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP65\A0015483.exe (Netbus.170)
  Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP66\A0015546.exe (Netbus.170)

  6 trojan files found"

Above is the result of the first full scan done by TH the first time it was installed on a friend's machine.

He has XP Home with all patches, NAV2003 fully updated and the latest version of a payware version of a nice FW (well configured, with restricted program rights and with no odd programs listed there accessing the outside). I'll not say the name of the FW because I respect the brand, recommended it and I think that FWs are mainly designed against inbounds.

I do not discard some level of outbound protection for those using a FW with this feature (outbound protection); and the majority of FW users and also the FW brands have the outbound feature today.
But, as the example above shows, with a *real world test*, FW outbound protection is relative, limited - as any software is.

In this case, finally, what did find and terminate the trojans in the machine was an app designed exactly with that objective in its creator's mind - to detect trojans.

Regards,

  mozar

P.S.: Magnus, it's the second time this week that TH worked against real world threats. Again I have to say: Nice job done.

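An added example, not part of mozar's post and not TrojanHunter's own code: a PowerShell function that reads report lines in the "Found trojan file: <path> (<name>)" format quoted above and separates detections that sit inside a System Restore point (a path under System Volume Information\_restore{GUID}\RPnn\) from detections of live files on the system. The six lines from the post are embedded as sample input; the seventh line, a file under a user's Temp folder, is constructed for the example and was not in the scan. The split matters for the rest of the thread: archived copies inside a restore point only come back if that point is restored, so the live list is what needs cleaning first and the RP list is what needs purging.

```powershell
# Added example: classify TrojanHunter "Found trojan file:" lines by location.
# Not from the original post or from TrojanHunter. The report text is the one
# quoted in the thread plus one constructed line for a live (non-restore-point) file.

$Report = @'
Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP43\A0010617.exe (KLog.Perfect)
Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP54\A0012952.exe (KLog.Perfect)
Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP61\A0013162.exe (KLog.Perfect)
Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP65\A0015481.exe (Netbus.170)
Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP65\A0015483.exe (Netbus.170)
Found trojan file: C:\System Volume Information\_restore{2658AA32-5EF6-4DF3-A693-66630AE5C0BC}\RP66\A0015546.exe (Netbus.170)
Found trojan file: C:\Documents and Settings\User\Local Settings\Temp\setup.exe (Netbus.170)
'@
# The last line above is constructed for this example; the first six are from the post.

function Split-TrojanHunterReport {
    param([string]$Text)

    # One report line: "Found trojan file: <path> (<detection name>)"
    $linePattern = '^Found trojan file:\s+(?<path>.+?)\s+\((?<name>[^()]+)\)\s*$'
    # A path inside an XP System Restore point:
    #   <drive>\System Volume Information\_restore{<GUID>}\RP<n>\<file>
    $rpPattern   = '\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?<rp>RP\d+)\\'

    $live     = @()     # detections of files that are actually in use on the system
    $archived = @{}     # restore point name -> detections archived inside it

    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $linePattern) {
            $path = $Matches['path']
            $name = $Matches['name']
            if ($path -match $rpPattern) {
                $rp = $Matches['rp']
                if (-not $archived.ContainsKey($rp)) { $archived[$rp] = @() }
                $archived[$rp] += "$name  $path"
            } else {
                $live += "$name  $path"
            }
        }
    }

    New-Object PSObject -Property @{ Live = $live; Archived = $archived }
}

$result = Split-TrojanHunterReport -Text $Report

"Live files (clean these first):"
foreach ($entry in $result.Live) { "  $entry" }

"Restore points holding archived copies (purge before anyone restores them):"
foreach ($rp in ($result.Archived.Keys | Sort-Object { [int]($_.Substring(2)) })) {
    "  {0}: {1} file(s)" -f $rp, @($result.Archived[$rp]).Count
}
```

On the sample input this reports one live file and four restore points (RP43, RP54, RP61, RP66 with one file each, RP65 with two). Feeding it a real TrojanHunter log instead of the embedded text is a matter of passing the file contents to the -Text parameter.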
acheton (Original Gangster, Posts: 1162)
Re: Trojans, FWs and outbound protection
« Reply #1 on: Nov 6th, 2003, 6:49pm »

It's good to hear that TH is useful in real life situations. It does make me wonder whether there is any way of removing Trojans from restore points; I imagine that it would probably be difficult. However there is still a potential risk if a user restores a restore point with a trojan in it, especially if it has disabled the AV, AT or FW in that restore point. I guess since TH tells you that the restore point is infected the advice would be to delete or rename that restore point to ensure that we don't accidentally restore an infected one.

Ach

mozar (Highly Honored Mass-Poster, Posts: 1524)
Re: Trojans, FWs and outbound protection
« Reply #2 on: Nov 6th, 2003, 7:10pm »

Yes, acheton. I've suggested to him to temporarily disable the System Restore (which deletes all points), enable it again and create a new point now that his machine is clean.

Thanks for remembering anyway,

  mozar

Ian (Stole All the Forum Stars, Posts: 2913)
Re: Trojans, FWs and outbound protection
« Reply #3 on: Nov 6th, 2003, 10:18pm »

Sometimes, that system restore is a real pest, but the time it isn't will be just after someone's decided to disable it and remove the archives.

I wonder if there's any scope in writing a quick tool to indicate if it's active? Maybe it could include a context menu to stop/restart it? Sounds more like a job for Mr 100% Machine Code himself (Steve at GRC), but I can see it being informative as well as perhaps a little bit useful.

ReGen (Veteran, Posts: 685)
Re: Trojans, FWs and outbound protection
« Reply #4 on: Nov 6th, 2003, 10:24pm »

Good reading Mozar.

Another way of clearing the system restore (works in XP) is to firstly create a new restore point. Then go to Disk Cleanup and clean the system restore. This cleans all but the last restore point. Doing it this way means you're never left without the chance to use a restore point should the unexpected happen.

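An added example, not code from any of the posts or from TrojanHunter: PowerShell functions for the operations this part of the thread covers, checking whether System Restore is switched on (the indicator Ian asks about), listing the existing restore points, and mozar's disable, re-enable, new-point sequence. It uses the SystemRestore WMI class in the root\default namespace, which is what XP exposes; Windows 7 and later wrap the same class in Get-ComputerRestorePoint, Checkpoint-Computer, Disable-ComputerRestore and Enable-ComputerRestore. Assumptions: the system drive is C:\, the on/off switch is read from the XP-era DisableSR registry value, and the script runs with administrative rights. The Reset-SystemRestore call at the end is left commented out because it discards every existing restore point.

```powershell
# Added example, not from the thread or from TrojanHunter.
# Targets the SystemRestore WMI class (root\default) as exposed by Windows XP.
# Assumptions: system drive C:\, administrative rights, XP-era DisableSR value.

$SystemDrive = 'C:\'
$SrRegKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

function Test-SystemRestoreEnabled {
    # XP records the switch in DisableSR (1 = off). A missing value means enabled.
    $props = Get-ItemProperty -Path $SrRegKey -Name DisableSR -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $true }
    return ($props.DisableSR -eq 0)
}

function Get-RestorePointList {
    # Each SystemRestore instance is one restore point; on XP its SequenceNumber
    # is the number in the RP<n> folder name under _restore{GUID}.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

function New-CleanRestorePoint {
    param([string]$Description)
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    # Arguments: description, RestorePointType (0 = APPLICATION_INSTALL),
    # EventType (100 = BEGIN_SYSTEM_CHANGE). ReturnValue 0 means success.
    $out = $sr.CreateRestorePoint($Description, 0, 100)
    return ($out.ReturnValue -eq 0)
}

function Reset-SystemRestore {
    param([string]$Description = 'Clean baseline after trojan removal')
    # mozar's procedure: disabling System Restore discards every existing point,
    # including the ones holding archived trojan copies; re-enable it, then take
    # a fresh point so the machine is never left without one.
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    [void]$sr.Disable($SystemDrive)
    [void]$sr.Enable($SystemDrive, $true)
    return (New-CleanRestorePoint -Description $Description)
}

# Report only, nothing is changed:
if (Test-SystemRestoreEnabled) { 'System Restore: ON' } else { 'System Restore: OFF' }
Get-RestorePointList | Format-Table -AutoSize

# Destructive step, to run only once the live infection has been removed:
# Reset-SystemRestore
```

ReGen's variant, which keeps the newest point rather than wiping everything, is the Disk Cleanup dialog on XP (More Options, System Restore) and is not reachable through this class. On Vista and later, where restore points are volume shadow copies, the same result comes from `vssadmin delete shadows /for=C: /oldest`, repeated until only the fresh point remains. Either way, take the new point first and only after the live files have been cleaned; otherwise the point you keep is the infected one.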
mozar (Highly Honored Mass-Poster, Posts: 1524)
Re: Trojans, FWs and outbound protection
« Reply #5 on: Nov 6th, 2003, 10:33pm »

Didn't know about that one, ReGen.
And you know that there are people that use, together with Windows' System Restore, an app called "WinRescue XP" - that's backup, isn't it?

ReGen (Veteran, Posts: 685)
Re: Trojans, FWs and outbound protection
« Reply #6 on: Nov 6th, 2003, 10:48pm »

I hadn't heard of 'WinRescue XP' before. It appears to provide registry backup plus a few other useful odds and ends.

http://www.superwin.com/frescuex.htm

mozar (Highly Honored Mass-Poster, Posts: 1524)
Re: Trojans, FWs and outbound protection
« Reply #7 on: Nov 6th, 2003, 10:54pm »

I haven't used it. But for people testing a lot of apps every time it's safer to have another "restorer". I've read that the vendor created the product to attend to Win98 users.

Ian (Stole All the Forum Stars, Posts: 2913)
Re: Trojans, FWs and outbound protection
« Reply #8 on: Nov 6th, 2003, 10:56pm »

on Nov 6th, 2003, 10:24pm, ReGen wrote:
    Good reading Mozar.

    Another way of clearing the system restore (works in XP) is to firstly create a new restore point. Then go to Disk Cleanup and clean the system restore. This cleans all but the last restore point. Doing it this way means you're never left without the chance to use a restore point should the unexpected happen.

Is that a way around any possible nasty hiding therein? Or would it simply copy itself into the fresh restore point fileset?

This is more than just curiosity since I've got 100 XP Pro laptops to manage these days, and one or two are bound to need some remedial work from time-to-time...

ReGen (Veteran, Posts: 685)
Re: Trojans, FWs and outbound protection
« Reply #9 on: Nov 6th, 2003, 11:08pm »

on Nov 6th, 2003, 10:54pm, mozar wrote:
    I haven't used it. But for people testing a lot of apps every time it's safer to have another "restorer". I've read that the vendor created the product to attend to Win98 users.

I used to use Roxio's GoBack Deluxe in my Win98 / ME days. I found it a great product for restoring the system. But since moving to XP I haven't felt the need for anything in addition to what Windows provides, and Norton Ghost for complete backup.

ReGen (Veteran, Posts: 685)
Re: Trojans, FWs and outbound protection
« Reply #10 on: Nov 6th, 2003, 11:09pm »

on Nov 6th, 2003, 10:56pm, Ian wrote:
    Is that a way around any possible nasty hiding therein? Or would it simply copy itself into the fresh restore point fileset?

    This is more than just curiosity since I've got 100 XP Pro laptops to manage these days, and one or two are bound to need some remedial work from time-to-time...

I'm not sure Ian. I don't know if an active Trojan can hide within the system restore files and still carry out its business. It certainly clears restore points that contain deleted / removed Trojans.

acheton (Original Gangster, Posts: 1162)
Re: Trojans, FWs and outbound protection
« Reply #11 on: Nov 6th, 2003, 11:32pm »

I guess that a trojan in a system restore directory must still be in its original form (either packed or unpacked) because TH can still detect it. I don't have system restore turned on, but I am guessing that you cannot browse the contents of a restore point. So perhaps in theory it could be run; however there must be some process outside of the restore point itself required to kick off the reactivation. Anyone who manages to do this might as well deploy a trojan in the first place, rather than deploying a trojan to reactivate an existing trojan.

It seems to me that the biggest threat is accidentally restoring a restore point with a trojan in it. This is a risk because so far a system restore point cannot, as far as I know, be cleaned.

Ach