
Is Free Something Of The Past?

I recently upgraded a client’s laptop hard drive from 40 to 250 GB. The replacement went without issue and Windows XP along with all user data was migrated using Norton Ghost, which took a few hours to complete. Although the user’s request did not go beyond the hard drive upgrade, I decided to run Windows Update to verify the OS, in this case XP, was up to date. I was unable, however, to connect to the internet even though the current IP settings were configured correctly.

I ran some normal checks to verify reliable network connectivity like pinging both the router and a web site address, in this case www.google.com, all of which confirmed that there was an active internet connection, yet I was unable to open a web site directly. This led me to believe there was an issue with Internet Explorer so I decided to further investigate by running the NETSTAT -an command and exporting the results to a text file.

I needed to remove several thousand lines from the initial text file as it appeared that the machine was using its loopback address as both source and destination address and was cycling through source ports 1024 through 4998 trying to connect to a single destination port 8085. If this wasn’t strange enough, it then reversed itself and used a constant source port of 8085 while connecting to destination ports 1024 through 5000.

This is clearly not normal behavior so I decided to examine running processes and perhaps reveal a source for this unusual network traffic. Task Manager is the standard Windows utility used to examine currently running applications and processes so I ran the following command and exported the results to a text file. Although I removed several processes from the final list to save on space, I chose to keep several standard Windows processes and highlighted those I felt were suspicious in red.

```
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     632 N/A
csrss.exe                    680 N/A
winlogon.exe                 704 N/A
services.exe                 748 Eventlog, PlugPlay
lsass.exe                    760 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  928 DcomLaunch, TermService
ld11.exe                   18040 N/A
freddy46.exe                 264 N/A
mstre19.exe                15780 N/A
pp10.exe                   15828 N/A
GoogleToolbarNotifier.exe  18468 N/A
msmsgs.exe                 18512 N/A
wuauclt.exe                19552 N/A
wuauclt.exe                20012 N/A
drwtsn32.exe               20404 N/A
taskmgr.exe                19324 N/A
cmd.exe                    19564 N/A
wmiprvse.exe               20216 N/A
tasklist.exe                1152 N/A
```


After an initial Google search I discovered on the www.virusremovalguru.com and www.bleepingcomputer.com web sites that all 4 files were variants of the Koobface virus. Although the virusremovalguru web site had a removal tool, I wanted to get a final opinion (not that I needed one) by running the http://housecall.trendmicro.com online virus scan. The results from Trend Micro (seen below) confirmed once again that the files were that of the Koobface virus.


I proceeded to use the “Fix Now” option, and then reran the scan to verify that it was removed. It’s quite possible, however, that this one infection could have already led to further infections of which the current analysis tools were insufficient to detect. At this time I have two recommendations:


1. Reinstall the OS and then install Norton 360

2. Install Norton 360 on the current OS and clean for known infections


Either way I would highly recommend installing a premium antivirus\spyware application with as many tools available to detect malicious behavior from several points of attack. There was a time I would have suggested a free antivirus like AVG but given the steady growth in hacker expertise focused solely on financial gain, it seems more prudent today that we require elevated measures of security to protect our greatest asset…our identity. We are now in an age where free is something of the past.
