How to detect backdoors opened by viruses

Me

The Symantec writeup for GAOBOT.AJE says in part "The worm also spreads
through backdoors that the Beagle and Mydoom worms open."

My question is this:
How would one detect and fix the backdoors that the Beagle and Mydoom worms
open? If a machine were patched and then infected or patched after being
infected, is it not feasible that the worms would still open the backdoor
after the patches were applied? In that case, would we have machines that
appeared to be properly patched but in fact had ports opened?

TIA!!
 
The Prophecy

Me said:
The Symantec writeup for GAOBOT.AJE says in part "The worm also
spreads through backdoors that the Beagle and Mydoom worms open."

My question is this:
How would one detect and fix the backdoors that the Beagle and Mydoom
worms open? If a machine were patched and then infected or patched
after being infected, is it not feasible that the worms would still
open the backdoor after the patches were applied? In that case,
would we have machines that appeared to be properly patched but in
fact had ports opened?

TIA!!

To "detect and fix" the opened backdoors you will need a firewall. If you
are running a firewall at the time you patch the machine, the worm should
not be able to reopen the port as long as the firewall does not get turned
off.
 
Jason Wade

The Symantec writeup for GAOBOT.AJE says in part "The worm also spreads
through backdoors that the Beagle and Mydoom worms open."

My question is this:
How would one detect and fix the backdoors that the Beagle and Mydoom worms
open? If a machine were patched and then infected or patched after being
infected, is it not feasible that the worms would still open the backdoor
after the patches were applied? In that case, would we have machines that
appeared to be properly patched but in fact had ports opened?

TIA!!

A hardware firewall that gives you logging would help with
this problem, or you could have another machine that is
serving as a firewall do it.

Also, on windows, the command "netstat -an" would help you
identify open ports, including listening ports.
 
Ron & Ree

You fix the backdoors by removing the program(s) that are looking for
packets from them.
A port is open if there is a software program running that is actively
trying to make a connection.
If no program is running that is looking at a port, the port is closed.
A firewall can block the communications to or from a port by intercepting it
before it reaches the program waiting for it.
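Ron & Ree's point, that a port is "open" only while some program holds it, is easy to see for yourself. The following is an added example (not code from this thread or from any of the tools mentioned in it): a stand-in listener plays the role of a worm's backdoor, a plain TCP connect is used as the port check, and the check is repeated after the listener is stopped. The listener binds an OS-chosen loopback port, so nothing here touches a real backdoor port; the class name and port choice are assumptions for illustration.

```python
import socket
import threading


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port succeeds, i.e. some process is
    listening there.  This is the same test a port scanner performs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class FakeBackdoor:
    """Illustrative stand-in for a worm's listener (not real malware): binds a
    loopback port and accepts connections until stop() is called."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))        # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)        # lets the accept loop notice stop()
        self.host, self.port = self.sock.getsockname()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue                 # nobody connected; re-check stop flag
            except OSError:
                return                   # socket closed underneath us
            conn.close()                 # a real backdoor would talk to the peer here

    def stop(self) -> None:
        """Stop the listener.  Once the socket is closed the port is closed too;
        no firewall rule or patch is involved."""
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()


def demo() -> tuple[bool, bool]:
    """Check the port while the listener runs, then again after it is stopped."""
    bd = FakeBackdoor()
    while_running = port_is_open(bd.host, bd.port)
    bd.stop()
    after_stop = port_is_open(bd.host, bd.port)
    return while_running, after_stop


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The second check fails with a connection refused as soon as the listening socket is gone, which is the whole of Ron & Ree's point: removing the program closes the port, and, conversely, applying a patch for the vulnerability the worm used to get in does nothing to a listener the worm has already bound.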
 
Duane Arnold

Me said:
The Symantec writeup for GAOBOT.AJE says in part "The worm also
spreads through backdoors that the Beagle and Mydoom worms open."

My question is this:
How would one detect and fix the backdoors that the Beagle and Mydoom
worms open? If a machine were patched and then infected or patched
after being infected, is it not feasible that the worms would still
open the backdoor after the patches were applied? In that case, would
we have machines that appeared to be properly patched but in fact had
ports opened?

TIA!!

Well, you have got to look for yourself from time to time with the tools
mentioned in the link, as malware can circumvent and defeat all of it.

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Duane :)
 
blackfoot

A hardware firewall that gives you logging would help with
this problem, or you could have another machine that is
serving as a firewall do it.

Also, on windows, the command "netstat -an" would help you
identify open ports, including listening ports.

This is what I got to know the hard way as well. What I would like to
know now is how to use "another machine serving as a firewall do it".

Can anyone direct me or let me know how to?

Also, if I do this will this machine stop/catch all the viruses and
trojans?

So I don't have to re-install all the software all over.

OS win98SE

Thanks in advance

Blackfoot
 
null

This is what I got to know the hard way as well. What I would like to
know now is how to use "another machine serving as a firewall do it".

No need for that.
Can anyone direct me or let me know how to?

Also, if I do this will this machine stop/catch all the viruses and
trojans?
No.

So I don't have to re-install all the software all over.

OS win98SE

See my web site.


Art
http://www.epix.net/~artnpeg
 
blackfoot

On Thu, 13 May 2004 09:50:25 GMT, (e-mail address removed) wrote:


Art,

thanks a lot for that good link and advice. However, since I went to
Steve's site at grc I had it like he says (disconnect TCP/IP from
NetBIOS), but as I have to DL a lot of material from the net, sometimes
I get the feeling that my PC is not working right.

I had to re-install completely a month ago; that's my reason for asking
to put up a barricade of sorts if possible.

Thanks once again

Blackfoot
 
null

On Thu, 13 May 2004 09:50:25 GMT, (e-mail address removed) wrote:


Art,

thanks a lot for that good link and advice. However, since I went to
Steve's site at grc I had it like he says (disconnect TCP/IP from
NetBIOS), but as I have to DL a lot of material from the net, sometimes
I get the feeling that my PC is not working right.

I had to re-install completely a month ago; that's my reason for asking
to put up a barricade of sorts if possible.

"Barricades" don't do any good if you run malicious code. You don't
seem to "get it" at all :(


Art
http://www.epix.net/~artnpeg
 
blackfoot

"Barricades" don't do any good if you run malicious code. You don't
seem to "get it" at all :(


Art
http://www.epix.net/~artnpeg

Sorry, I am not a computer expert, would like some help on this
matter, so can you please let me know how to check for it, and
stop it from getting in in the first place?

At moment running
98Se
ZA
AVG

Blackfoot
 
FromTheRafters

Me said:
The Symantec writeup for GAOBOT.AJE says in part "The worm also spreads
through backdoors that the Beagle and Mydoom worms open."

My question is this:
How would one detect and fix the backdoors that the Beagle and Mydoom worms
open? If a machine were patched and then infected or patched after being
infected, is it not feasible that the worms would still open the backdoor
after the patches were applied? In that case, would we have machines that
appeared to be properly patched but in fact had ports opened?

Patches only address the vulnerability that a certain malware
exploits. The AV's detection and removal tools should be up
to the task of removing the backdoor when it detected and
removed the worms.

...but it is always good to check again with a different vendor's
product. It is also good to read the descriptions offered by the
vendors to get an idea of what to look for manually.
 
Duane Arnold

(e-mail address removed) (blackfoot) wrote in @news.btx.dtag.de:
Sorry, I am not a computer expert, would like some help on this
matter, so can you please let me know how to check for it, and
stop it from getting in in the first place?

At moment running
98Se
ZA
AVG

Blackfoot

About the easiest way to put it is to use Active Ports (free; use Google)
and watch for connections to remote IP(s) that you don't know about.
You can put a short-cut in the Start folder and let it start when you
boot the system. If you do that, Active Ports will give you a clear
picture of what is trying to connect out on the machine.

If malware has compromised your machine, it is most likely going to beat
it at system boot and get to the TCP/IP connection first and do its thing
and be done before something like ZA can even get there to stop it.
Active Ports will expose this if it happens.

You should use tools such as Active Ports to look around for yourself
from time to time and not take it as fact that nothing is wrong just
because ZA or AVG are not alerting on something.

A couple of tools I like to use are Ad-Aware and Spybot; both are free. Run
one or both of them on a routine basis.

Another tool you can use is the HOSTS file.

http://www.mvps.org/winhelp2002/hosts.htm
http://www.snapfiles.com/get/hoststoggle.html

The bottom line is on you and what you do, because 9 times out of 10 it's
the user who has done something that leads to the compromise with *happy
fingers* that click on things that should have not been clicked.

I am sure if you search Google you'll find articles on practicing Safe
Hex that should help in the overall prevention measures.

Keep in mind that nothing is 100% hack proof, and you should look around
from time to time for yourself to see what's happening on the machine.

HTH

Duane :)
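Jason's `netstat -an` tip and Duane's advice to watch for connections to remote addresses you don't know about both come down to the same habit: record what the machine normally looks like and flag what differs. The script below is an added example (not code from this thread, from Active Ports, or from any other tool named here) that parses Windows-style `netstat -an` output, reports listening ports that are not in a baseline recorded when the machine was known clean, and reports established connections to addresses outside the networks the machine is expected to talk to. The sample output, the baseline, the trusted network and the "bad" port and address (9999, 203.0.113.7) are all constructed for the example; they are not the real ports or hosts used by Beagle, Mydoom or Gaobot, which are given in the vendor writeups the thread refers to.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample of "netstat -an" output in the Windows format (not captured
# from a real infected host).  Port 9999 and remote 203.0.113.7 are arbitrary
# stand-ins for a backdoor listener and its outbound connection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.10:1043      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.10:1044      192.168.1.1:139        TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline: the listeners recorded from this machine while it was known clean.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}
# Assumed: the only network this machine is expected to hold connections to.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


class Conn(NamedTuple):
    proto: str
    laddr: str
    lport: Optional[int]
    raddr: str
    rport: Optional[int]
    state: str


# One netstat row: protocol, local endpoint, foreign endpoint, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_endpoint(ep: str) -> tuple[str, Optional[int]]:
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port); '*:*' gives ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list[Conn]:
    """Parse netstat -an output, skipping the banner and column headers."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        laddr, lport = _split_endpoint(local)
        raddr, rport = _split_endpoint(foreign)
        conns.append(Conn(proto, laddr, lport, raddr, rport, state or ""))
    return conns


def is_listener(c: Conn) -> bool:
    # TCP listeners say LISTENING; Windows shows bound UDP sockets with no state and '*:*' as peer.
    return c.state == "LISTENING" or (c.proto == "UDP" and c.raddr == "*")


def unexpected_listeners(conns: list[Conn], baseline: set) -> list[Conn]:
    """Listening sockets that were not present in the clean baseline."""
    return [c for c in conns if is_listener(c) and (c.proto, c.lport) not in baseline]


def untrusted_remotes(conns: list[Conn], trusted_nets: list) -> list[Conn]:
    """Established connections whose remote address lies outside every trusted network."""
    out = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        try:
            ip = ipaddress.ip_address(c.raddr)
        except ValueError:
            continue  # e.g. '*' or a hostname; nothing to compare
        if not any(ip in net for net in trusted_nets):
            out.append(c)
    return out


def audit(text: str = SAMPLE_NETSTAT, baseline: set = BASELINE_LISTENERS,
          trusted_nets: list = TRUSTED_NETS) -> dict:
    conns = parse_netstat(text)
    return {
        "new_listeners": [(c.proto, c.lport) for c in unexpected_listeners(conns, baseline)],
        "untrusted_remotes": [(c.raddr, c.rport) for c in untrusted_remotes(conns, trusted_nets)],
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(finding, items)
```

On a real machine, save `netstat -an > now.txt` and pass the file's contents to `audit()` with your own baseline and trusted networks. The same caveat Duane gives about ZA and AVG applies here: netstat only reports what the OS is willing to show it, so a rootkit that hides sockets will hide them from this script too, which is why the thread also recommends checking from a separate firewall or logging machine.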
 
blackfoot

(e-mail address removed) (blackfoot) wrote in @news.btx.dtag.de:


Thanks to Duane and Art for this advice. This is what I have and have done up
to now.
Had installed:
98SE - custom install, no IE or internet connection, disconnected NetBIOS from
TCP/IP
Ad-Aware
AV - NAV
ZA
Browsers were Netscape (old) 4.7 and Opera 7; JavaScript / Java / all cookies
disabled, only enabled when requested by a (trusted) site I visit to DL.

regular checks at grc showed green on all port scans

complete de-install/re-installation of 98 a few months back when I felt the
PC playing up.

New
AV- AVG
browser Mozilla
ZA

I can navigate around my own PC very well, fairly well in winreg, only
I don't "know how" to relate keys to programs (what key is what
program). I need to learn this; thinking of getting Ad-aware reghance to
help me here. Any comments?

Also have saved and copied winreg for safety sake.

Art's Q, confusion on my side, as it says all IE out of 98 (have done
this: IE/AOL/NetMeeting folders all out), then again says if you have
IE, OL. This is mainly as I am also not an expert on PCs; however, I do
get around to it (slowly) to understand all this.

Sorry for this long reply guys, but such help is needed all the time by
people like me.

Blackfoot
 
null

complete de-install/re-installation of 98 a few months back when I felt the
PC playing up.

New
AV- AVG
browser Mozilla
ZA

Did you install all the critical patches for '98? That's very
important. If you didn't use IERadicator, I suggest that you update IE
and keep it patched ... even if you only use it for Windows Update
(which is all it should be used for). I also suggest that if you're a
single PC user that you follow the instructions on my Internet page.
Make sure the netstat -an report is empty. Then you're ok on the wide
internet whether you use a firewall or not. You see, some people get
nailed when their firewall is disabled for just a short time. You want
to be immune to that problem.

I see you're using Free Agent for news. Good. If you use Mozilla email
that's also good. Just delete all unsolicited attackments.

Be very careful what you download. Don't place trust in realtime
antivirus to save your butt. And you should be ok.

However, you've indicated that you're a high risk user ... downloading
whatever stuff and running it. If that's the case, you can cut your
risks quite a bit by using a top notch av such as KAV or F-Secure.
I can navigate around my own pc very well, fairly well in winreg,,only
I dont "know how" to relate key's to programs(what key is what
program) need to learn this, thinking of getting Ad-aware reghance to
help me here, any comments?

I suggest that you become familiar with the normal running processes
on your PC. Record normal running processes in a notebook so that you
can easily identify abnormal ones. The TrojanFinder d/l from my web
site is useful for showing these and also many registry entries ....
plus the contents of other startup axis files such as WIN.INI, etc.
Sorry for this long reply guy's, but such help is need all the time by
people like me.

No problem. Feel free to post whatever questions you might have.


Art
http://www.epix.net/~artnpeg
 
FromTheRafters

FromTheRafters said:
Patches only address the vulnerability that a certain malware
exploits. The AV's detection and removal tools should be up
to the task of removing the backdoor when it detected and
removed the worms.

...but it is always good to check again with a different vendor's
product. It is also good to read the descriptions offered by the
vendors to get an idea of what to look for manually.

Just to clarify the point - the backdoor(s) installed by the worm(s)
should be detectable by the AV software because it is associated
with the worm. Whatever may have been done via the use of said
backdoor is beyond the scope of the AV if said additional things
are unknown to it.
 
