
Backdoor Trojan


Guest Reimar


Interesting reading. Thanks for pointing it out. Looks like I'm safe as I have my firewall locked down to all but the few services I need, but some might not be so paranoid.

To those of you reading, I was right about the fact that your hardware firewall can't be taken down, but as Silvero has pointed out, a trojan buried on your system can tunnel out using this method. If you only websurf you can set your firewall to deny any traffic in or out except port 80 and be pretty safe.

Can't see this getting past an antimalware program with even average heuristics though, as the actions are pretty obvious and not exactly stealthy.



No, not stealthy, and any personal firewall would immediately pick it up, unless of course it is combined with a modern rootkit, and then you really have had it unless you go through your router logs with a fine-tooth comb.

As always the key is to not let malware onto your system in the first place, which gets hard if your ISP hands it out.


Guest Reimar

Thanks to all of you for the answers, suggestions and others!

In the meantime I've disassembled the "container" of that Trojan and I'll send the generated source code to a friend who's an assembler specialist, which I'm not!

Anyway, the timestamp in the header of the container is from Nov. 1, 2005, and I'll check with a friend at the ISP at which time they programmed the software which "needs" this container for running, according to the programmer of that ISP, but really doesn't need it!

As much as I understand from the ASM language, User32.dll is accessed following a send command for name and password, but I'm not quite sure and my knowledge isn't good enough, so I'll contact an expert!

I do believe the danger of this Trojan isn't for private "normal" users but for corporates, because of the possibility of bypassing security settings of servers and the possible change of settings in the server OS! If I think of my own servers, someone getting access without my knowledge or/and control is a terrible danger. Not only the data of my company but the data of my customers as well! Even private "normal" users should try to avoid getting infected by such programs; they are dangerous in any case, and someone may use the infected system as a kind of gateway to get access to other and more systems.


Sorry, cdnvic, what point are you trying to make in the above posts?

Is it the lack of credibility on Reimar's part?

The point is that installed software cannot disable a hardware firewall. Anyone with a properly set up router need not panic.

Not true, says Wikipedia: Port Knocking

"In computing, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s)."


Port Knocking could only apply to a NAT router where the router has the program "listening" for knocks running in firmware. If you have ports forwarded through the router to a host on the LAN and ports are "knocked" and opened on that host, that doesn't forward more ports through the router to give access; and even if someone has full access to a host on the LAN, you would still need the username and password for the router to change its configuration and forward ports through it.

Generally speaking, Port Knocking is a stealth technique applied to an already-compromised machine, or for legitimate security purposes, it isn't a way to open ports on a router.

Edited by silvero
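A defender-side illustration of the port-knocking point discussed above, added here as an example and not code from the thread or from any of its participants: a small Python detector that scans firewall log lines for a burst of connection attempts to several closed ports from one source, followed shortly by an accepted connection from the same source. The iptables-style log lines, IP addresses, port numbers, window and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style LOG lines (not from the original thread).
# Source 203.0.113.7 "knocks" three closed ports, then gets an ACCEPT on 22.
# Source 198.51.100.5 probes two closed ports 15 minutes apart (no burst).
# Source 198.51.100.9 has one DROP then an ACCEPT on 80 (ordinary retry).
SAMPLE_LOG = """\
Jan 11 21:18:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7000 SYN
Jan 11 21:18:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8000 SYN
Jan 11 21:18:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=9000 SYN
Jan 11 21:18:04 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=22 SYN
Jan 11 21:30:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=7000 SYN
Jan 11 21:45:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=8000 SYN
Jan 11 21:50:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=445 SYN
Jan 11 21:50:01 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Turn log lines into (timestamp, action, source IP, destination port) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not TCP firewall decisions
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # no year in syslog; deltas still work
        events.append((ts, m["action"], m["src"], int(m["dpt"])))
    return events


def find_knock_sequences(events, min_knocks=3, window_seconds=30):
    """Flag sources whose DROPs to >= min_knocks distinct ports within
    window_seconds are followed by an ACCEPT from the same source.
    Returns {src: {"knock_ports": [...], "opened_port": int, "at": datetime}}."""
    by_src = defaultdict(list)
    for ts, action, src, dpt in sorted(events):
        by_src[src].append((ts, action, dpt))

    findings = {}
    for src, evs in by_src.items():
        knocks = []  # recent (timestamp, port) DROPs for this source
        for ts, action, dpt in evs:
            # forget knocks that fall outside the sliding window
            knocks = [(t, p) for t, p in knocks if (ts - t).total_seconds() <= window_seconds]
            if action == "DROP":
                knocks.append((ts, dpt))
            elif action == "ACCEPT":
                ports = [p for _, p in knocks]
                if len(set(ports)) >= min_knocks:
                    findings[src] = {"knock_ports": ports, "opened_port": dpt, "at": ts}
                    knocks = []  # sequence consumed; start fresh
    return findings


def analyze(log_text=SAMPLE_LOG):
    return find_knock_sequences(parse(log_text))


if __name__ == "__main__":
    for src, info in analyze().items():
        print(f"{src}: knocked {info['knock_ports']} then accepted on {info['opened_port']} at {info['at']:%H:%M:%S}")
```

On the constructed sample only 203.0.113.7 is reported; the slow probes and the single retry fall below the threshold, which is the usual trade-off between catching a real knock sequence and alerting on ordinary scan noise.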

Guest Reimar

In the meantime I've sent the generated source code to a friend, who just called me to tell me that even his knowledge isn't good enough to analyze the code. It will take some time to get the real result, and I'm especially looking for the statements which show what exactly this Trojan is doing and which data is sent out!

Today I had to take down one server at one of my customers because of this Trojan. The average of the server was down to just max. 39%, while most of the time the internet connection was used to send out data. All other workstations had problems even just receiving e-mails, and even on the normal LAN connection. After I installed a backup server, the LAN was working well, and after connecting the router modem back to the internet, without installing that "special" software, the internet connection was back to normal.

Tomorrow I'll analyze the server!

Forgot to explain that the system of this customer is protected with a hardware firewall: NetScreen 25. But all of the firewalls protect the system from outside to inside and not vice versa!

Edited by Reimar

Guest Reimar
So it's been two days... can you name the ISP so that others can avoid this?

As I have already said several times: I try to be fair and also stand by my word!!

The agreement with the ISP was that I will have one more meeting with them before I make my own decision.

I also accept it if someone gives his word for something, and I do NOT like people who break their own word! So, I do not let myself be pushed into something I never will do!


Just for your info: I sent an SMS to the ISP today with these (cut) contents:

"Dear K. xxxxxx! I'll send the generated source code from RUN.EXE tomorrow to be analyzed. As xxxxxxxx is not interested in informing customers about the Trojan, I'll start publishing the info on the internet on Saturday, because the Trojan is truly attached to the software of xxxxxxx and that is UNACCEPTABLE! Reimar"

If there is no positive reply tomorrow, I'll publish the whole facts on Saturday.


Just for your info: I sent an SMS to the ISP today with these (cut) contents:

"Dear K. xxxxxx! I'll send the generated source code from RUN.EXE tomorrow to be analyzed. As xxxxxxxx is not interested in informing customers about the Trojan, I'll start publishing the info on the internet on Saturday, because the Trojan is truly attached to the software of xxxxxxx and that is UNACCEPTABLE! Reimar"

If there is no positive reply tomorrow, I'll publish the whole facts on Saturday.

Today I received several calls from the ISP with some reply and some questions regarding this case.

Finally, I am now waiting for an e-mail from them with evidence of their own work on this project. If that shows me that the ISP is really working on it, which I will also check with the AV developer, I'll wait with the final publishing.

I know that some of you will not agree with this, but as I wrote before, I try to be fair to the concerned parties. Also, I'm still waiting for the answers from the AV developer and the assembler specialist.

Thanks for your understanding


And it's Saturday already - so details please...

Crushdepth

I'm very sorry, but for your convenience I'll copy my last post from yesterday here again:

QUOTE(Reimar @ 2007-01-11 21:18:40)

Just for your info: I sent an SMS to the ISP today with these (cut) contents:

"Dear K. xxxxxx! I'll send the generated source code from RUN.EXE tomorrow to be analyzed. As xxxxxxxx is not interested in informing customers about the Trojan, I'll start publishing the info on the internet on Saturday, because the Trojan is truly attached to the software of xxxxxxx and that is UNACCEPTABLE! Reimar"

If there is no positive reply tomorrow, I'll publish the whole facts on Saturday.

Today I received several calls from the ISP with some reply and some questions regarding this case.

Finally, I am now waiting for an e-mail from them with evidence of their own work on this project. If that shows me that the ISP is really working on it, which I will also check with the AV developer, I'll wait with the final publishing.

I know that some of you will not agree with this, but as I wrote before, I try to be fair to the concerned parties. Also, I'm still waiting for the answers from the AV developer and the assembler specialist.

Thanks for your understanding

As I got a positive reply yesterday, I delayed the publication. Read my next post.


Dear all,

yesterday I got a positive reply from the ISP and therefore I stopped the publication for today.

In a telephone call just a few minutes ago, I talked with a management member of that ISP and we'll have a final meeting this coming Tuesday morning at 10 am!

In the meantime they will send me the reply from the AV developer and I'll get in touch with them.

I was also talking with a lawyer who works with software developer companies about this case. What he told me may be interesting:

Software which is developed to find suspicious actions from other software, like AV, AD, SPY and so on programs, is specially programmed to look for the statements which force special actions like taking over control (TROJANS), changing file structures (VIRUS), sending data to unknown locations (SPYs), deleting files etc. and other actions which are not "normal"! If the software finds something, it will warn the user (if possible) and/or stop the working process of that program or do other things. But the checking software will look for those kinds of actions which were already detected and classified as DANGER (from LOW to HIGH level) in the past, because otherwise they want to add those statements to their blocking lists.

Now, if a software developer produces software with statements like the above mentioned, what is this software really programmed for? And the writer of that program must have very good knowledge of the structure and of how to program this dangerous software! In case the software developer is an ISP, which has to be at a very high security level and works mainly with customer-related data (much of it very confidential), this ISP needs to control the program development section at a much higher level than any other software developer. To get access to "foreign" data, the easiest way is to do it from an "insider" within an ISP company!

And that is the truth!

Over this weekend the ISP will check the programming section of that company in detail, as they told me!

So, please wait for Tuesday, when I'll get more info!

Thanks and to all of you: have a nice weekend.


Even if you get a reply promising to remove it from any future releases,

it still doesn't change the fact that many users are already infected!

As I said before, many people don't upgrade their software either.

I don't see any reason why you should have to take it onto your own shoulders, cleaning up the act of an ISP.

Do what other people would have done instead.

Let it be known publicly.

I can guarantee you, it's the fastest and smartest way to have this issue resolved.

Make use of the community, it's here for a reason!


I don't see any reason why you should have to take it onto your own shoulders, cleaning up the act of an ISP.

Do what other people would have done instead.

Let it be known publicly.

I can guarantee you, it's the fastest and smartest way to have this issue resolved.

Make use of the community, it's here for a reason!

Reimar- I've been following this thread with interest, and waiting for an explanation.

I agree with all of dobbelina's post, especially the part above.

Whilst it is unquestionably noble for you as one man to take on a corporation and give them a chance to do the right thing, do you really think that they are taking you seriously, or playing you as a patsy and giving you "lip service"?

How many times will you allow them to stall you? I'm willing to bet that they will just go on stalling you and telling you what you want to hear. You gave them a deadline of last Friday, and they came back with some excuses and sweet talk. Hence, you have extended the deadline. Now the precedent has been set, and they will likely keep on with this until you give up. Your threats and deadlines are baseless unless you are prepared to carry them out.

If your claim has merit, share it with other people who have or may have the same situation. As every day goes by, countless customers of this ISP are exposed to the problem.

There is strength in numbers. Whilst it is easy to pay lip service to one person, doing the same to hundreds or thousands would take up so much of their time and resources that they will have little choice but to get to the heart of the matter.

Since you say that the final meeting is on Tuesday morning, I will look forward to reading the resolution on that date.


Yes, this is getting tedious. It should not have been posted until there was a resolution if the full information was not to be given out. These teaser posts add nothing and just cause undue concern without helping anyone.


Yes, this is getting tedious. It should not have been posted until there was a resolution if the full information was not to be given out. These teaser posts add nothing and just cause undue concern without helping anyone.

My main intention in starting this post was to get other internet users not only to be careful with the use of the internet itself but also to be very careful with the software you need to get on the net! Special software which is coming from the ISP company! The AV developer also did not publish where they found the virus etc.; they only inform about its existence!

But maybe a "general" warning isn't what some or many want?!

In normal daily life many do something wrong because nobody is perfect. And I do believe that every one of you does not like to be convicted without the possibility to defend yourself! Or am I wrong?? But if every one of you wants to have the possibility to defend yourself, why shouldn't the ISP (in this case) have the same right?

It is not easy for many humans to accept that others go a different way than themselves, and they try to force others to go their way. But the biggest problem someone faces is exactly this: if others go the same way as themselves without being forced to do so! There is a nice saying in Germany like this: "What's yours is mine, but better you keep your hands off mine!"

Anyway, if some of you don't want to get this kind of warning, you don't need to read about it, just ignore it! I will go exactly as I said, but stand by the word I gave to the concerned parties!

One more thing: I never hide myself or use a pseudonym. Whoever wants to know who is writing this only needs to take a look at my profile. Everything there is true and correct! And whoever wants to know my phone no. etc. can get all of them!


So let the information out and then the ISP can defend itself to its customers. You've done nothing here except build up a big commotion, and it seems that there's always another reason to wait before revealing the alleged problem. When Tuesday comes I'm sure there will be another delay.

You've given them plenty of time to respond, now either reveal the info or stop playing games please.

This is starting to look more and more like a troll topic.

Edited by cdnvic

My main intention in starting this post was to get other internet users not only to be careful with the use of the internet itself but also to be very careful with the software you need to get on the net! Special software which is coming from the ISP company! The AV developer also did not publish where they found the virus etc.; they only inform about its existence!

But maybe a "general" warning isn't what some or many want?!

Sure - general warnings are great, and we have had the general discussion in this thread about antivirus manufacturers, routers, firewalls, port knocking, malware et al.

You started this thread, and made some serious allegations about ISP software that can be affecting many users in Thailand, but don't wish to give even a "general" idea of your discovery.

In normal daily life many do something wrong because nobody is perfect. And I do believe that every one of you does not like to be convicted without the possibility to defend yourself! Or am I wrong?? But if every one of you wants to have the possibility to defend yourself, why shouldn't the ISP (in this case) have the same right?

In this post where another member is having a problem with a "war driver", you have clearly given the advice "If you can, make a photo of that guy with his devices in hand and publish this photo everywhere on the internet."

Isn't the war driver entitled to defend himself according to what you believe? At what point do you practice what you preach?

Anyway, if some of you don't want to get this kind of warning, you don't need to read about it, just ignore it! I will go exactly as I said, but stand by the word I gave to the concerned parties!

What warning? You have created this thread and stirred up the interest in this subject, without providing any factual warning or providing any clue about what we should protect ourselves from, and kept everyone stringing along. Creating alarmist posts without tangible facts is nothing more than trolling.

As I said, there is strength in numbers. There are almost 40,000 people in this forum, and a lot of them are highly savvy about technology / in the industry. You might find that someone here is able to help you clear up what this trojan is actually doing to their computers, and help themselves and everyone else who might be affected.

I'm in agreement with cdnvic in that there probably won't be any further explanation coming on Tuesday, just more lip service and games. I hope that you can prove us wrong.


re: undue concern

cdnvic, it isn't necessary to be pushy. What if it isn't the fault of the ISP?

Pushy? How long are we going to play this little guessing game while a huge number of people are left unprotected from a potential security hole?

Regardless of who's at fault, it's still a security risk for everyone who has it installed on their computers. Some of them no doubt are businesses with important and expensive data on their machines. Is it more important for these paying customers to be protected, or should they all be at risk so some exec at an ISP can save face?

It's hardly being pushy as this info was supposed to be given already but there is just one excuse after another not to.

If it was contaminated food out there would you want to be pushy about it, or polite?

Maybe he should wait until hundreds of networks are seriously damaged. You know... just to be polite to the people who bundled the trojan into their software. :o


What if it isn't the fault of the ISP?

It won't be the fault of the ISP. You can count on that.

Even if there is a problem with the software, they are hardly going to admit it to the single voice of the OP, losing face in the process. They will string him along, make excuses, point fingers, etc. Anyone who has been in Thailand long enough will know how this works.

Furthermore, I really doubt that the ISP is going to contact all of their customers, provide them with a new cd and tell them "Gee- we installed a trojan virus on your computer. Please reinstall this software as soon as possible." losing a huge amount of face because one guy caught them out.

The best thing that the OP could do is to lay out all of the facts as he sees them here, and seek opinions and assistance if he is unsure about this trojan, and it might be something harmless.

However, his starting of this thread combined with the fact that he is taking the ISP to task on this leads me to believe that he is confident in the fact that he has found a genuine problem, which would better serve a lot of people if he could be forthright about it.

Edited by bino

Dear all,

tomorrow morning at 10.00 am I called the meeting (not asked for an m...) with the ISP at their place, and I'll be there no longer than 15 minutes. If they come to the meeting place, fine, and if not, it's fine also.

It doesn't matter what they want to tell me, if anything; I will just inform them that I will publish the facts, which will be provable by all affected users, on the internet the same afternoon.

From my side I've done much more than I ever needed to do, and I'll now carry on with my "normal" work. I don't need anything from them, and what I got I've paid for already!

The way they try to go isn't my way, and I do not like to listen to a lot of b....... while nothing is the truth! Even as they wanted to send me the info they got from the AV developer, it was a "joke" because nothing has come until now.

Here I agree with cdnvic that the time to "play" is over.

If any of you are interested in getting the generated source code of the infected file, I'll give limited access to my server just to download these 2 files if I get a PM with a real e-mail address from the interested person.

By the way, as I tried to simply copy the file, which is an .exe file, to removable media, it wasn't possible, and even writing to CD-RW was impossible. Only after renaming it to .bak was I able to copy this file. I haven't checked with .zip or .rar because the computer I use for decompiling and disassembling has a simple PC-DOS system only and the decompiler and disassembler software, nothing else.


The way they try to go isn't my way, and I do not like to listen to a lot of b....... while nothing is the truth! Even as they wanted to send me the info they got from the AV developer, it was a "joke" because nothing has come until now.

Here I agree with cdnvic that the time to "play" is over.

I'm happy to read that you have finally seen the reality and futility of this situation!

Looking forward to reading your report tomorrow.


The name is out, but that topic is closed.

My Avast gave a couple of warnings about that particular software from that particular ISP, and I use the same model as Reimar, apparently.

That ISP can easily ask all its customers to upgrade their software without telling them it had a "virus" as they run public service announcements automatically as soon as you log in. Just say "new version is available".

I connect to the Internet using the Windows built-in client and don't bother with that ISP's program, btw. It works better anyway.


In the meantime, if you are running a router they can try opening all the ports they want, but it isn't going to do them any good as the firewall will block it.

:o

That doesn't sound right to me. I'm not an expert, but I suspect that a properly configured program would have a built-in password that would let the user in regardless of the firewall, if they have access to the port. Possibly the firewall could block that particular port, but that would also have to block the port to legitimate software.

:D


It is true that the CD distributed by TRUE with the Billion router does contain the Trojan mentioned by Reimar.

I did have a topic in this forum about this some time last year, but sorry I can't find it anymore.

After I installed the Highspeed Navigator (HSN) I observed strange data traffic, ran Spybot S&D which found the Trojan, uninstalled the HSN - had to delete some files and a folder manually - ran Spybot S&D again, which found some remnants of the Trojan and cleaned it. Since then no problem.

Don't know if AVG would have found it, since I only used Spybot to get rid of it.

opalhort

