Welcome, Guest. Please Login or Register.
Search
Members
Login
Register
   Mischel Internet Security Forum
   Malware
   Trojans (Moderators: Helena, Gavin_Coe, Magnus)
   Trojan Agent.A		 « Previous topic | Next topic »
Pages: 1    Notify of replies Notify of replies   Send Topic Send Topic   Print Print
   Author  Topic: Trojan Agent.A  (Read 7779 times)
lutherjt
Newbie
*




We Are Watching You.  -1984- Never Say Anything.

   


Posts: 28
Trojan Agent.A
« on: Mar 11th, 2009, 9:50am »
This is more or less what I was ranting about in the Ten Forward section (http://www.misec.net/forum/board/TenForward/1236370580) in the following article on DarkReading.com. Basically, a new Trojan called Agent.A has been floating around since November, 2008. And a quick quote from the article states  
 
"...The Trojan also installs a rootkit on the infected system that loads even when the system is started up in safe mode, iDefense researcher Michael Ligh says in the report. 'The scary part is, none of us are really sure how Tigger is even being distributed,' he said. 'I look at a lot at info-stealing malware, and this is the first one I've seen in a while that goes to the trouble of removing other pieces of malware...' "  
 
http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid =KM3UJCYP2PXLEQSNDLPSKH0CJUNN2JVN?articleID=215800583  
 
Why does it take until March 9, 2009, for me to learn about this new security threat? Where are the RootKit detectors that can load before the Rootkit does at the Master Boot Record (MBR) level? See response to my post by Siliconman01 (http://www.misec.net/forum/board/AExp/1236359415)
Quoting Siliconma01, "...Currently, TH does not have an early load feature to scan the MBR.  As to whether Magnus is adding this feature in a later version, I do not know...."  
 
Basically the Trojan, Agent.A, raises it's rights to Admin, loads a RootKit (even in safe mode) at the first MBR level, removes other malware that's not it's own from your computer, disables Windows Defender, Windows Firewall, Outpost, Avira, Kaspersky, AVG, and CA products, injects code into user-mode processes, takes screen shots, hooks COM for spying on browser events, and exports passwords [from] protected storage, network and dial-up, and at least 11 popular chat, email, and remote access applications. It also steals web cookies, steals certificates, and puts the NIC in promiscuous mode to sniff FTP and POP3 passwords, also logs keystrokes, collects system information, and enables a backdoor on compromised computers and may also attempt to initiate communications with command and control servers!
 
IP Logged
President
Brotherhood of Forceful Intelligence
Gavin_Coe
Trojan Analyst
*****





   
WWW  

Gender: male
 Posts: 3904
Re: Trojan Agent.A
« Reply #1 on: Mar 11th, 2009, 12:04pm »
Hi,
 
I am checking that I have the malware and will detect it shortly as Syzor. I suspect the rootkit detectors have no problem with it, tried GMER ?  
 
There are also always ways to scan for malware without it stopping you detecting it. Bootable CD/DVD can be the best method, as well as putting the hard drive in another PC which I personally like Smiley
IP Logged
lutherjt
Newbie
*




We Are Watching You.  -1984- Never Say Anything.

   


Posts: 28
Re: Trojan Agent.A
« Reply #2 on: Mar 13th, 2009, 8:32am »
I have used GMER before as well as Prevx, MBAM, Trend Micro's Rootkit Detector, etc. Syzor, interesting name. Do you recommend any Rootkit detectors that start at the MBR, or would that hard drive have to be inspected by taking it out and adding it to another computer for analysis?
 
The company I work for has not created a $5k - $10k static-free lab enviornment for me to troubleshoot computers safely; like using that dongle piece that comes with EnCase software so nothing can be written to the drive, only read. Nor do we have a bareboned computer with just Anti-everything on it to be able to hook the troubled hard drive up to. And nor do we have the professional grade software, like EnCase, or whatever else the pro's use to scan with. Is there any software you recommend using to find malicious software?  
 
We currently use Symantec Endpoint 2009 (ver. 11.0.4000 series), Trojan Hunter 5.0, Spybot S&D 1.6.2 with Teatimer and IE Tweek/locks, Privacy Mantra 2.05, Rocket Dock 1.3.5 (so no Icons on desktop, heard it was bad idea to do so) and PC Tools Firewall Plus with code injection protection, password protection, stealth mode, application filter, stateful packet inspection, full screen detector...basically expert user mode. We also have disabled all unnecessary services, encrypted our temp folder, delete all internet explorer files on IE7 exit, don't allow Netbios over TCP/IP, disabled LMHOSTS lookup, etc. And of course we have an ISP Firewall which is connected to yet another Firewall. Can you think of any other ideas for us to tighten the securty of our PC's? We run WinXP Pro SP2, cause I heard SP3 was fluff for the Livecare stuff and was advised to stay away from it.
« Last Edit: Mar 13th, 2009, 10:42am by lutherjt » IP Logged
President
Brotherhood of Forceful Intelligence
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: Trojan Agent.A
« Reply #3 on: Mar 13th, 2009, 9:51pm »
Quote:
We currently use Symantec Endpoint 2009 (ver. 11.0.4000 series),

 
Doesn't Symantec Endpoint scan the MBR on each system reboot?  I know that NIS 2009 does if the settings are configured to early load.  Also SONAR advanced protection is good to have turned on.  
 
-  Do you have autorun turned off on external drives such as CDs/DVDs/FlashDrives so that infections cannot be automatically installed from these drives...which is a major source of infections?
 
http://www.misec.net/forum/board/FAQ/1232691642
 
-  Personally, I feel that scanning incoming and outgoing email is essential to prevent infections from being sent to other clients.  
 
-  In an enterprise environment, I feel it is good IT practice to restrict or forbid users to install any non-approved third party software on company computers.  The IT department should maintain total control on what software is running on company computers.  
 
-  A rigid and well established system backup strategy should be part of any total IT procedure.  
 
-  How does your company address the potential of stolen computers or hard drives...desktop and laptops?  Is critical company information/data encrypted and password protected.  
 
-  You should investigate JavaCool's SpywareBlaster as an addition to your security cadre of programs...particularly if your company allows employees to access the full Internet via company computers.  This program blocks thousands of malicious downloads.  
 
http://www.wilderssecurity.com/forumdisplay.php?s=a34d64a677ec3c7918c448 9fa0d3bdeb&f=23
 
Quote:
We also have disabled all unnecessary services, encrypted our temp folder, delete all internet explorer files on IE7 exit,

 
Have you confirmed that the temp files are actually being removed on IE7 exit?  If you are relying on the IE7 option to do this, I suspect that you will find that it is not doing it.  
 
Quote:
We run WinXP Pro SP2, cause I heard SP3 was fluff for the Livecare stuff and was advised to stay away from it.

 
I cannot say that I agree with the above; however, I know that there are varying opinions on this.  
 
A guide book like the one below might be of benefit.
 
http://www.criticalsecurity.com/foreword.php
« Last Edit: Mar 14th, 2009, 12:18am by siliconman01 » IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
lutherjt
Newbie
*




We Are Watching You.  -1984- Never Say Anything.

   


Posts: 28
Re: Trojan Agent.A
« Reply #4 on: Mar 14th, 2009, 8:30am »
I'll have to look into whether or not Endpoint scans at the MBR. And it uses Bloodhound (set to the maximum level), I'm not sure about Sonar:
 
http://community.norton.com/norton/board/message?board.id=nis_feedback&a mp;message.id=24314
 
Autorun is turned off on all drives.
 
I agree that all e-mail should be scanned, and we currently have Endpoint configured to scan "all" files, regardless of what we are doing on the computer; i.e. e-mail, word processing, excel database, surfing the net, etc. Besides disabling user downloads in IE7 or having them use a Sanboxie type enviornment (http://www.sandboxie.com/), how can I restrict/forbid users to install any non-approved third party software? Currently any software is allowed (we are in a more trust-worthy enviornment, seriously) but the catch is that our PC Tools Firewall monitor's anything installed and logs it in a password protected file. So if you install something and then uninstall it, I will be able to read the log file for both. (Currently we are troubleshooting a suspicious "Nsz10.tmp\Ns11.tmp" file; not sure if it's part of the Windows Installer or not - http://n2.nabble.com/Sophos-AV-reports-virus-in-windows-installer-1.5.5- 2-td491657.html)
 
We have four backup methods (3 external HD's, 1 DVD Rom) methods that we rotate every week. However, I am not sure that all the data in the office is sensitive. But I will have to ponder using encryption software like PGP to encrypt/paswword protect the backups and the computer(s) with sensitive data on them. Any other suggestions besides PGP? (http://www.pgp.com/).
 
I'll play around with JavaCool's SpywareBlaster at home before I add it at work, thanks for the tip.
 
Yes, we are able to verify IE7 is clearing out all the temp files/cookies. However, as an added privacy measure, we use Privacy Mantra to scrub a whole bunch of different areas of the computer. (http://www.codeode.com/privacymantra/index.html)
 
I'm so confused about SP3. Sone techs says it's fluff and the others say that although not 100% necessary, it wouldn't hurt to install it. So far, we haven't noticed anything malicious slip into our computers and I am unsure of what additional security comes with SP3.
 
What about the Belarc advisor? When we run that from time to time, it doesn't give us, IMHO, a high enough security rating. We aren't in a networked enviornment, but do share the internet connection at the router level, so I know I can ignore some suggestions, but how close of attention should I pay to what Belarc advises of?
 
Lastly, we also run HiJackThis weekly to scrub anything else out.
 
Thanks sooo much for all your insight and help. I really appreciate it!
IP Logged
President
Brotherhood of Forceful Intelligence
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: Trojan Agent.A
« Reply #5 on: Mar 14th, 2009, 9:25am »
Examine the differences in capability of a limited user account vs administrator account.  This, however, might be too restrictive in your environment.  Perhaps other users in your organization really only need "Limited User Accounts".  
 
http://www.microsoft.com/protect/computer/advanced/useraccount.mspx
 
XP-SP3
 
http://support.microsoft.com/kb/936929
 
XP-SP3 fixes
 
http://support.microsoft.com/kb/946480/
 
From the link above, Microsoft describes the new FIXES that are provided in SP3.
 
Quote:
The following fix list includes only the updates that were added in Windows XP SP3. For more information about the updates that are included in previous Windows XP service packs, click the following article numbers to view the articles in the Microsoft Knowledge Base:

 
From my experience on my XP system, the upgrade was a painless upgrade.  After installing it, I am assured that I have all the latest security fixes and hardware/OS fixes offered by Microsoft on Windows XP up to the point that SP3 was released.  Windows Update provides those hotfixes after SP3's release.  Why would I not want to achieve this position?  
 
Keep in mind that there is intertwined in a lot of "opinions" concerning SP3 an undercurrent of anger and despair that Microsoft is abandoning XP...an OS that millions fell in love with after the Windows ME fiasco...and re-inforced by the Vista debacle thereafter.  The fact that Microsoft failed to add new features into SP3 angered many, many users...which in turn resulted in a ho-hum attitude toward the SP3 upgrade.  
 
Quote:
What about the Belarc advisor? When we run that from time to time, it doesn't give us, IMHO, a high enough security rating. We aren't in a networked enviornment, but do share the internet connection at the router level, so I know I can ignore some suggestions, but how close of attention should I pay to what Belarc advises of?

 
I cannot answer the above without seeing a Belarc profile on your system(s).  Without this, I cannot tell where Belarc is saying your weaknesses are.  In my opinion, the most critical part of Belarc is "Missing Microsoft Security Hotfixes"...which should be NONE.  I am not running XP PRO so no CIS Benchmark score is shown on my system.  I run XP-SP3 Home Addition on that computer...Vista SP1 x64 Business on the other.  
 
Quote:
Any other suggestions besides PGP?

 
PGP is good.  
 
I assume that all your user accounts and your routers are password protected with strong passwords.  And that your router passwords have been changed from the factory default....which every hacker in the world knows.  
« Last Edit: Mar 14th, 2009, 9:28am by siliconman01 » IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
lutherjt
Newbie
*




We Are Watching You.  -1984- Never Say Anything.

   


Posts: 28
Re: Trojan Agent.A
« Reply #6 on: Mar 14th, 2009, 2:26pm »
I'll have to research the contents of SP3 myself and ask; but I have to consider what our backup tech says; she works with/advises the Department of Defense and the Pentagon on a daily basis...!
 
Unfortunately we are not in the enviornment where I can dumb down the access to non-admin. Everyone needs the capibility to read, write and execute.
 
If it's ok with you, on Monday, I will e-mail you the results from a Belarc scan.
 
Yes, all the passwords (user/router/etc.) are a minimum of 14 characters, mix of upper/lower/number/special characters and are changed every month at the latest.
IP Logged
President
Brotherhood of Forceful Intelligence
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: Trojan Agent.A
« Reply #7 on: Mar 14th, 2009, 11:29pm »
Quote:
If it's ok with you, on Monday, I will e-mail you the results from a Belarc scan.

 
Okay  Smiley
 
BTW, the link below describes how you can determine what is necessary to improve your CIS score per Belarc (Figure F.)
 
http://articles.techrepublic.com.com/5100-10878_11-6177700.html
« Last Edit: Mar 15th, 2009, 2:21am by siliconman01 » IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
Pages: 1    Notify of replies Notify of replies   Send Topic Send Topic   Print Print

« Previous topic | Next topic »