hidden files

 
 
Jim Watt
04-17-2006
I have a machine running server/2000 which had/has some sort of
malware on it. Running the usual programs does not remove it
however inspecting the processes running with the excellent tool
from Sysinternals shows a process called

ntserv.exe

Which is started by a registry key and hides in a directory
under the system of

controlp.{21EC2020-3AEA-1069-A2DD-08002B30309D}

The program seems to want to set up a connection to an
external IP on port 6667.

Killing the process and removing the key disables it, however
it raises the issue of the way it hides from the anti-malware
software and me.

It's not a recent thing, as it's been on the system for around six
months and was only really a problem when it was re-booted,
which is infrequently. However, time to get to the bottom of it ...

In view of their excellent software being free, I bought the
book.

BUT WAIT ... there's more

Immediately after receiving a confirmation email from
Amazon, I got a phishing email claiming to be them.
Is this magic or coincidence?

It's a wicked world out there.
--
Jim Watt
http://www.gibnet.com
 
 
 
 
 
David H. Lipman
04-17-2006
From: "Jim Watt" <(E-Mail Removed)_way>

| I have a machine running server/2000 which had/has some sort of
| malware on it. Running the usual programs does not remove it
| however inspecting the processes running with the excellent tool
| from Sysinternals shows a process called
|
| ntserv.exe
|
| Which is started by a registry key and hides in a directory
| under the system of
|
| controlp.{21EC2020-3AEA-1069-A2DD-08002B30309D}
|
| The program seems to want to set up a connection to an
| external IP on port 6667.
|
| Killing the process and removing the key disables it, however
| it raises the issue of the way it hides from the anti-malware
| software and me.
|
| It's not a recent thing, as it's been on the system for around six
| months and was only really a problem when it was re-booted,
| which is infrequently. However, time to get to the bottom of it ...
|
| In view of their excellent software being free, I bought the
| book.
|
| BUT WAIT ... there's more
|
| Immediately after receiving a confirmation email from
| Amazon, I got a phishing email claiming to be them.
| Is this magic or coincidence?
|
| It's a wicked world out there.

Sounds like a W32/IRCBot. A multi-library search for "ntserv.exe" found nothing, but any
infector can be called anything.


Please submit a sample of "ntserv.exe" to VirusTotal --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, VirusTotal will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
(E-Mail Removed)?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
 
 
 
 
donnie
04-17-2006
On Mon, 17 Apr 2006 16:09:15 +0200, Jim Watt <(E-Mail Removed)_way>
wrote:

>BUT WAIT ... there's more
>
>Immediately after receiving a confirmation email from
>Amazon, I got a phishing email claiming to be them.
>Is this magic or coincidence?
>
>It's a wicked world out there.
>--

#########################################
That's funny and no, it's probably not a coincidence.
 
 
Jim Watt
04-18-2006
On Mon, 17 Apr 2006 22:44:35 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>Please submit a sample of "ntserv.exe" to Virus Total --


Indeed, there's the problem: I can't access the directory,
although I know it's there.

It no longer runs because the registry key has been
deleted (after making a copy).
--
Jim Watt
http://www.gibnet.com
 
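An added example, not part of the thread, that works through two points Jim raises: the `controlp.{21EC2020-3AEA-1069-A2DD-08002B30309D}` directory in his first post, and his remark above that he cannot access it. The GUID in that name is the CLSID of the Control Panel shell folder. A directory named `anything.{CLSID}` is treated by Explorer as that shell namespace object, so opening it shows the Control Panel instead of the files inside, and Explorer-based tools that enumerate via the shell get the same view. On disk it is still an ordinary directory: `dir /a`, `cd` and `copy` in cmd.exe reach it normally, which is how a copy of the executable can be pulled out for submission. The script below flags the two signs of this infection on a machine: an outbound connection to the IRC port and an autorun entry whose path runs through a CLSID-suffixed folder. The netstat text and Run-key values are constructed samples in the shape of `netstat -an` and `reg query` output; the addresses are documentation ranges, not real hosts.

```python
"""Triage helpers for the symptoms in this thread: an autorun entry whose
path runs through a '.{CLSID}' folder, and an outbound connection to the
IRC port.  Added example; all sample data below is constructed."""
import re
from typing import Dict, List, Tuple

# CLSID of the Control Panel shell folder.  A directory named
# "anything.{CLSID}" is opened by Explorer as that namespace object,
# so its real contents are never shown there.
CONTROL_PANEL_CLSID = "{21EC2020-3AEA-1069-A2DD-08002B30309D}"

# ".{8-4-4-4-12 hex}" immediately before a path separator or end of path.
CLSID_SUFFIX_RE = re.compile(
    r"\.(\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})(?=\\|/|$)",
    re.IGNORECASE,
)

IRC_PORTS = {6667}  # the port the thread's process was reaching out to

# Constructed sample in the shape of `netstat -an` output (not a capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1087      203.0.113.5:6667       SYN_SENT
  TCP    192.168.1.10:445       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1102      198.51.100.20:443      ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""

# Constructed sample of HKLM\...\CurrentVersion\Run values (name, type, data).
SAMPLE_RUN_VALUES = [
    ("ntserv", "REG_SZ",
     r"C:\WINNT\system32\controlp.{21EC2020-3AEA-1069-A2DD-08002B30309D}\ntserv.exe"),
    ("Synchronization Manager", "REG_SZ", r"mobsync.exe /logon"),
]


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'203.0.113.5:6667' -> ('203.0.113.5', 6667); '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else 0


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse netstat-style rows; title and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({
            "proto": parts[0],
            "local": _split_endpoint(parts[1]),
            "foreign": _split_endpoint(parts[2]),
            "state": parts[3] if len(parts) > 3 else "",  # UDP has no state
        })
    return rows


def suspicious_connections(rows, ports=IRC_PORTS):
    """Rows whose foreign port is in `ports`.  SYN_SENT is kept on purpose:
    a bot whose server is down still shows up as repeated SYN_SENT rows."""
    return [r for r in rows
            if r["state"] != "LISTENING" and r["foreign"][1] in ports]


def clsid_folder_entries(run_values):
    """Autorun entries whose path passes through a '.{CLSID}' directory."""
    hits = []
    for name, _type, data in run_values:
        m = CLSID_SUFFIX_RE.search(data)
        if m:
            clsid = m.group(1).upper()
            hits.append({
                "name": name,
                "path": data,
                "clsid": clsid,
                "control_panel": clsid == CONTROL_PANEL_CLSID,
            })
    return hits


def triage(netstat_text, run_values):
    """Combine both checks into one report dict."""
    return {
        "connections": suspicious_connections(parse_netstat(netstat_text)),
        "autoruns": clsid_folder_entries(run_values),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT, SAMPLE_RUN_VALUES)
    for c in report["connections"]:
        print("outbound to IRC port:", c["foreign"], c["state"])
    for a in report["autoruns"]:
        print("autorun via CLSID folder:", a["name"], a["clsid"],
              "(Control Panel)" if a["control_panel"] else "")
```

On the real machine the two inputs would be the output of `netstat -an` and a dump of the Run keys under HKLM and HKCU; the regex is deliberately generic so that any shell-folder CLSID, not just the Control Panel one, trips it.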
 
Jim Watt
04-18-2006
On Mon, 17 Apr 2006 22:50:48 GMT, donnie <(E-Mail Removed)> wrote:

>On Mon, 17 Apr 2006 16:09:15 +0200, Jim Watt <(E-Mail Removed)_way>
>wrote:
>
>>BUT WAIT ... there's more
>>
>>Immediately after receiving a confirmation email from
>>Amazon, I got a phishing email claiming to be them.
>>Is this magic or coincidence?
>>
>>It's a wicked world out there.
>>--

>#########################################
>That's funny and no, it's probably not a coincidence.


That's what I think.

There are three possibilities

1. sheer coincidence
2. I have a problem
3. They have a problem

If one rules out 1 on the basis that it's the first Amazon phishing
attempt I've seen, it raises the question of how an external
process has knowledge that I have just placed an order.

The response from them was prompt, but the usual blurb one
gets on reporting these things.
--
Jim Watt
http://www.gibnet.com
 
 
George Orwell
04-18-2006
Jim Watt wrote:

> There are three possibilities
>
> 1. sheer coincidence
> 2. I have a problem
> 3. They have a problem
>
> If one rules out 1 on the basis that it's the first Amazon phishing attempt
> I've seen, it raises the question of how an external process has knowledge
> that I have just placed an order.


You're assuming too much I think.

First, you can't discard the possibility of this being a coincidence. I've
never seen an Amazon phishing attempt until recently myself, but received
three this last week and a half or so. These things always seem to come in
"waves".

Second, it might be that you were discussing making a purchase, or even the
subject the purchase pertained to, in a public place, and the phisher just
took a wild stab in the dark. I've received phishing attempts that were
posing as specialized, regional banks, for instance, because my real email
address has indications of my physical location.

Third, it makes absolutely no sense at all that a phisher who had this
sort of control over Amazon's shopping cart services would do this. The
whole idea is to get usable credit card info, and they already have
everything they need a LOT easier than trying to con you out of it. I
could see checking the numbers on the card for a bank type and phishing
THAT account, but phishing your Amazon info would out them big time and
ruin everything they already have for little or no gain, and a huge risk.

Nope, makes no sense. These crooks are crooked, not that stupid.

>
> The response from them was prompt, but the usual blurb one gets on
> reporting these things.


They probably get so many of them that's all they can do.

 
 
donnie
04-19-2006

>
>First, you can't discard the possibility of this being a coincidence.

################
I don't think he has discarded it completely, although I have by 99%.
################

>Third, it makes absolutely no sense at all that a phisher who had this
>sort of control over Amazon's shopping cart services would do this. The
>whole idea is to get usable credit card info, and they already have
>everything they need a LOT easier than trying to con you out of it.

####################################
True, but maybe they don't have control over the shopping cart
services. Maybe it's just captured packets from a router. Isn't a
man-in-the-middle attack between two routers? That's the way I understand
it.

 
 
Borked Pseudo Mailed
04-19-2006
donnie wrote:

>>First, you can't discard the possibility of this being a coincidence.

> ################
> I don't think he has discarded it completely, although I have by 99%.


I'd say the evidence points to the contrary conclusion, and you're
"glamorizing" the problem because it's sexier than seeing it as a mere
anomaly.

There's really nothing wrong with that, it's human nature to want to be
intrigued by a mystery. No offense intended.

>>Third, it makes absolutely no sense at all that a phisher who had this
>>sort of control over Amazon's shopping cart services would do this. The
>>whole idea is to get usable credit card info, and they already have
>>everything they need a LOT easier than trying to con you out of it.

> ####################################
> True, but maybe they don't have control over the shopping cart services.
> Maybe it's just captured packets from a router. Isn't a man-in-the-middle
> attack between two routers? That's the way I understand it.


A MITM attack means exactly that. It doesn't have anything to do with any
type of equipment, and can be launched even from an "end" computer. IOW,
the "middle" really means an attack against a connection or protocol
anywhere between the starting point and ending point between which some
data travels. It's not unusual for routers to be the attack vector, but
there's scores of other possibilities.

The biggest thing that suggests MITM isn't the case is the Amazon
shopping cart connection being end to end SSL encrypted. There's no
known attacks against (current version) SSL that don't include the user
accepting invalid or unsigned certificates. So if this were the case it
would be even easier to spot than a compromised machine. One or two people
out of some large number might have their browsers set to automatically
accept untrusted certs without warning, but the raw numbers of people
shopping at Amazon would raise red flags all over the place in a VERY
short period of time.

Also, if someone had launched a successful MITM attack they'd again
already have all the information they needed, and accomplish nothing at
all but outing themselves by trying to phish for it.

The odds are about a billion to one against any sort of en route attack
IMO. It's either coincidental, or one of the two machines is owned. With
those choices the one that's the most "rational" would be coincidence, odd
as it seems.

Second best bet would be the user's machine being compromised, but again,
why would an attacker waste time phishing for information they already
have? It just makes no sense at all.

The only other possibility that makes any sense at all has nothing to do
with computers..... some sort of "mole" somewhere at Amazon. A lesser
customer service weenie type who has access to lists of email addresses
but not much else. Entirely plausible, but even here phishing attempts
made soon after customer activity raises bright red flags. A crook that
attacked current customers in sync with their activities would be
absolutely begging to be caught.

Typically these sorts of things are done in "batches" and those email
lists are collected and sold to "anonymous" parties who hit them all at
once. It almost has to be this way because the accounts and machines
phishers use are extremely transient. One or two emails at a time would be
fruitless because there would be so few responses before the phishing site
was taken down.

No, even with the "mole" theory the time line of the OP's incident makes
me gravitate toward coincidence. And it's almost a sure bet it has nothing
at all to do with any compromised equipment or "hackers" poking into
routers or anything as exciting as that. <grin>

 
 
nuvin.goonmeter@gmail.com
04-19-2006
I'd say that it looks like a rootkit variant....

 
 
Jim Watt
04-19-2006
On 19 Apr 2006 11:49:54 -0700, (E-Mail Removed) wrote:

>I'd say that it looks like a rootkit variant....


I ran RootkitRevealer and it didn't.
--
Jim Watt
http://www.gibnet.com