
Interesting trojan

RichP

NAXJA Forum User
Location
Effort, Pa
Came across an interesting trojan hijacking this afternoon working on a customer's system.
Symptom was not evident *until*, for example, you did not type a full URL in the browser: if you type www.sears.com it goes there, but type sears and you end up at an adult search engine site. Drove me crazy for a couple of hours; finally found it. The trojan was forcing a change in the network setup, leaving DHCP from the DSL modem and firewall alone and leaving DHCP on the workstation's IP alone, but forcing its own DNS servers into the configuration, which would put your browser on their web site. So if anyone has noticed that their search engine has suddenly changed to undesired sites, look there first. Under normal DHCP from your cable modem, firewall or DSL router THEY supply the DNS servers unless you have manually changed it at some point. If you pop your network interface up, right click Properties and then look at TCP/IP > DNS servers and there are entries you did not put there, you've got a hijacker onboard. Oh yeah, it also turned on the remote control for remote assistance.
 
RichP said:
Drove me crazy for a couple of hours; finally found it. The trojan was forcing a change in the network setup, leaving DHCP from the DSL modem and firewall alone and leaving DHCP on the workstation's IP alone, but forcing its own DNS servers into the configuration, which would put your browser on their web site.

Interesting... That's probably a lot less noticeable than changing the hosts file. Never seen one that did this before.

Rich, were you able to identify it by name? If not, were you able to track down the binary and could you submit it to virustotal for analysis? I'm mildly intrigued by this one and would like to look into it a bit further but am not turning up anything matching the description at the usual places.
 
Adaware SE will get rid of any spyware you have. It's the best spyware remover I've found yet and it's free!

Go to download.com and type in adaware. Get the SE version; it's free.
 
Jeep914x4 said:
Adaware SE will get rid of any spyware you have. It's the best spyware remover I've found yet and it's free!

Adaware's pretty good (and should certainly be in any Windows user's arsenal of things that keep the OS hobbling along), but there's stuff that even it can't disentrench. Trojan/malware authors have really raised the bar for themselves in the last couple of years.
 
Wallyman said:
Windows Defender is just as good and made for Windows, by Microsoft themselves. You need a VALID copy of XP with SP2 tho.
Windows Defender is good for prevention; I've found it just about worthless for removal, though. Not to mention that companies have sued to be taken out of its spyware lists.

Anybody having fun with the latest variant of the smitfraud family?
Virusburster took me a little while to remove when I first came across it.
Seems popular here.
 
casm said:
Adaware's pretty good (and should certainly be in any Windows user's arsenal of things that keep the OS hobbling along), but there's stuff that even it can't disentrench. Trojan/malware authors have really raised the bar for themselves in the last couple of years.

Very true. I always back up Adaware with the Stinger antivirus tool from McAfee. The combination of the two has taken care of any problems I've run into lately.

http://vil.nai.com/vil/stinger/
 
casm said:
Interesting... That's probably a lot less noticeable than changing the hosts file. Never seen one that did this before.

Rich, were you able to identify it by name? If not, were you able to track down the binary and could you submit it to virustotal for analysis? I'm mildly intrigued by this one and would like to look into it a bit further but am not turning up anything matching the description at the usual places.

No, I actually cleaned it out before I found the problem. When I dropped it off at the customer last night he showed me what it was doing. When I did an nslookup was when I noticed the non-authoritative name server: it was an 85.x.x.x and I knew epix uses the 72.51.x.x space just from working on epix DSL setups. The weird thing was it still kept the browser's default search engines in the options/preferences but would redirect any non-URL entry, i.e. macys, amway, sears, corvette, to their porn search servers. Very annoying.
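The check RichP describes in the first post (open the interface properties and look for DNS servers you did not put there) and the nslookup observation above (a resolver outside the ISP's address space) both come down to one question: do the configured DNS servers belong to the local router or to a range you expect? The script below is an added example, not something from this thread or from any of the tools mentioned in it. It parses `ipconfig /all` output and flags DNS servers that are neither the LAN gateway/DHCP server nor inside a trusted range. The sample `ipconfig` text is constructed; the 203.0.113.x resolvers are documentation addresses standing in for the 85.x.x.x servers in the thread, and the 72.51.0.0/16 trusted range is taken from RichP's remark about epix, so substitute your own ISP's or resolver's ranges.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output for an XP-era workstation behind a DSL
# router that hands out DHCP. The tell-tale is the last field: the lease came
# from 192.168.1.1, yet the resolvers sit in somebody else's address space.
# 203.0.113.0/24 is a documentation range used in place of the 85.x.x.x
# servers described in the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WORKSTATION1
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.lan
        Description . . . . . . . . . . . : Generic PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.10
                                            203.0.113.11
"""

# Resolver ranges legitimately expected on this network. 72.51.0.0/16 is the
# ISP range RichP mentions (assumed from the thread); replace with your own.
TRUSTED_DNS_NETWORKS = [ipaddress.ip_network("72.51.0.0/16")]

# Matches the "Key . . . . : value" lines inside an adapter section.
KV_RE = re.compile(r"^\s+([A-Za-z][^:.]*?)[\s.]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}} from `ipconfig /all` text."""
    adapters = {"(global)": {}}
    current = adapters["(global)"]
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Adapter headers start in column 0 and end with a colon.
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = adapters.setdefault(raw.strip().rstrip(":"), {})
            last_key = None
            continue
        match = KV_RE.match(raw)
        if match:
            key, value = match.group(1).strip(), match.group(2).strip()
            current.setdefault(key, [])
            if value:
                current[key].append(value)
            last_key = key
        elif raw[0].isspace() and last_key:
            # Indented line with no colon: continuation of a list field,
            # e.g. the second DNS server.
            current[last_key].append(raw.strip())
    return adapters


def audit_dns(adapters, trusted_networks):
    """List (adapter, server) pairs whose DNS server is neither the LAN
    gateway/DHCP server nor inside one of the trusted networks."""
    findings = []
    for name, fields in adapters.items():
        lan_side = set(fields.get("Default Gateway", []) + fields.get("DHCP Server", []))
        for server in fields.get("DNS Servers", []):
            if server in lan_side:
                continue  # router forwarding DNS, the normal home/SOHO case
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((name, server))  # not even a valid address
                continue
            if any(addr in net for net in trusted_networks):
                continue
            findings.append((name, server))
    return findings


def audit_text(text, trusted_networks=TRUSTED_DNS_NETWORKS):
    """Convenience wrapper: parse raw ipconfig output and audit it."""
    return audit_dns(parse_ipconfig(text), trusted_networks)


if __name__ == "__main__":
    for adapter, server in audit_text(SAMPLE_IPCONFIG):
        print(f"{adapter}: unexpected DNS server {server}")
```

On a live machine, pipe the real output in (`ipconfig /all > out.txt`, then read the file) rather than using the sample. Treating the gateway and DHCP server as always acceptable keeps the common case quiet; a compromised router would pass that test, which is why the nslookup-style cross-check against the ISP's range is still worth doing.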
 