
I had some success with the Ewido product.
[link|http://www.ewido.net/en/|Ewido] is not free, per se, but they have a free download that you can use for 2 weeks. Long enough to do the job.

One of my wife's friends relies on me to get her out of PC troubles now and then and so I spent a couple of days trying to fix her system. This was my first attempt to clean out a badly compromised system.

The lady uses a dial-up connection to the Internet on Win-XP Home system. I helped her pick it out years ago. Her symptoms were that after booting up the system, the only thing she could do was move the mouse and watch the cursor move. Nothing else would function.

I will spare you my agonies (with much help gleaned from [link|http://www.majorgeeks.com/downloads29.html|MajorGeeks]) but the machine had 15 variations of Bagle, 3 variations of Backdoor and other stuff as well. Her Zone Alarm was borked and at least at one point AdAware zipped through tests in no time finding nothing. Obviously rigged. After cleaning out some stuff, I got to see 60 instances of IE trying to go to various sites.

At least a couple of the problems were that the system was pre-SP2 (Service Pack 2) which being ~300 MB is not exactly something one downloads on a dial-up connection and the other is she uses OE with the "preview" mode ON. She claimed that she never opened strange attachments, but who knows.

Anyways, while in Safe mode and disconnected from any network, I ran Ewido from a CD and cleaned out about 1100 "objects" i.e. files, registry settings, etc. Some of the files were system files. I was then able to connect the machine to my network (with the other Windows machines OFF) and get System updates from Microsoft, AdAware, and install Search and Destroy. Search and Destroy did find a Registry entry for Bagle that Ewido missed.

The machine seems OK now and is back in service. I wouldn't bet my life on it being clean though.

As far as BIOS attacks are concerned, look [link|http://adventuresinsecurity.com/blog/?p=28|here]. It can be done. When in doubt, get a BIOS update diskette for the motherboard. I suppose even that could be anticipated by the root kit. But, I'm guessing the root kits can't be generic for all motherboards without getting huge. If the BIOS chip is removable, as some are, one can always have a back-up copy.

As a side note, a removable BIOS chip, should be a requirement for motherboards you buy. I once unintentionally "updated" the BIOS on a mobo with a diskette intended for a different mobo. The BIOS chip was soldered in and so the mobo had to be put in the trash. I did save the battery! :)
Alex

When fascism comes to America, it'll be wrapped in a flag and carrying a cross. -- Sinclair Lewis
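The cleanup above hinged on finding autostart entries: one scanner removed most of the Bagle remnants, and a second scanner still turned up a Run-key entry the first had missed. As an added example (not code from this thread or from any of the tools named in it), here is a small Python triage script that parses a regedit export of the Run keys and classifies each entry by where its executable lives. The sample export and every value name in it are constructed for illustration; the file format (`[key]` lines, `"name"="data"` lines, `\\` and `\"` escapes) is the standard `regedit /e` output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `regedit /e` export of two autostart keys.
# All value names and paths here are hypothetical; none refer to a real product
# except ZoneAlarm and ctfmon.exe, which are used as examples of legitimate entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"winupd"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\winupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysmon"="C:\\Documents and Settings\\user\\sysmon.exe -s"
"""

KEY_LINE = re.compile(r'^\[(.+)\]\s*$')
# "name"="data" where both sides may contain \\ and \" escapes
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Directories that ordinary malware cleanup treats as "expected" launch locations.
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\')


def unescape(s: str) -> str:
    """Turn the .reg file escapes (\\\\ and \\") back into literal characters."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command) triples for every string value in the export."""
    entries = []
    current_key = ''
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            entries.append((current_key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def command_path(cmd: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ')[0]


def classify(path: str) -> str:
    """Coarse location heuristic: user-writable dirs are the usual drop points."""
    p = path.lower()
    if '\\temp\\' in p or '\\documents and settings\\' in p or '\\users\\' in p:
        return 'user-writable'
    if p.startswith(TRUSTED_PREFIXES):
        return 'system-or-program-dir'
    return 'other'


def triage(text: str) -> List[Dict[str, str]]:
    """Annotate every autostart entry with its executable path and location class."""
    result = []
    for key, name, cmd in parse_reg(text):
        path = command_path(cmd)
        result.append({'key': key, 'name': name, 'path': path, 'class': classify(path)})
    return result


def suspicious_entries(text: str) -> List[Dict[str, str]]:
    """Entries worth a closer look: anything not launching from a system/program dir."""
    return [e for e in triage(text) if e['class'] != 'system-or-program-dir']


def load_reg(path: str) -> str:
    """Real regedit exports are UTF-16 with a BOM; decode accordingly."""
    with open(path, encoding='utf-16') as fh:
        return fh.read()


if __name__ == '__main__':
    for e in triage(SAMPLE_REG):
        print(f"[{e['class']:<22}] {e['name']:<18} {e['path']}")
```

Location is a weak signal on its own: the post notes that some of the infected files were system files, and an entry under system32 passes this heuristic untouched. Treat the "system-or-program-dir" rows as "still verify" (vendor signature, file hash against a clean install, modification date), not as cleared, and diff the export taken in Safe Mode against one taken after the second scanner has run to see what each tool actually removed.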
Gracias! Alex -
for a quite comparable example. I too have witnessed AdAware and SpyBot zip through a "search" in nanoseconds: so obvious that a Newbie spotted -- as bogus.

Nor is that disablement any longer mysterious to moi: when one contemplates Owning the APIs - such that the display seen from any file manager - elides the name/presence of the Nasty. Apparently after partial cleaning, the above tools then commence being of use, as you found.

I read some of her printed logs, all since erased, of the script being run by this Kiddie; Over a 12 min. period (she wasn't observing machine then), a complex sequence of groups, permissions created - then access to ways of neutralizing same: closed. Clearly there Has to be a template of equal automation, as can be applied to a naked out-of-box version. Still looking . . .

(In present case, an RR is not even an inconvenience, any more; she can do that half-asleep ;^> - fortunately she had no important 'data' to need meticulous recovery, though she lost some pictures. :(

She'd already obtained Ewido, along with AVG and above Necessaries already installed. Obvious that, it takes a whole village to keep any copy of XP limping along til the next 'sploit happens, trashes -- then await next cure announcement.. What a way to poison a planet.

As I mention to Scott, I'm approaching this stuff as Comedy.
(Else it would be a waste of emotions in wrathful Kill-Billy/Bally mode; 'taint worth the waste of endorphins.)

It's a POS. Everybody who knows anything Knows it is.
So I/we two 'here' will just have to suck it up: until she can - in time - arabesque into a dual-boot with Linux, so that her new hP notebook is good for Something.. usable. Too many $ wasted recently, to chuck it.

(Though I expect she'll be happy enough in future -- just using her new Powerbook for all but that ONE ap that needs both Billyware + The Web {sob}. Kinda waste of a new notebook...)

I'm in same boat re her 'old' hP, of course ... {sigh}
I'm forced to learn more bug-lore than I wanted to; 'good' by some perverse interpretation.
Billy, We Hardly Knew Ye afore we had ye drawn and quartered -
~~ JFK book title, for the newcomers to the Play.


Thanks - al punte links. Passed on already.

moi


I deem it a palpable $Crime - that Billyware, a product Marketed to and For! the insouciant, is dropped into their lap with no Install-SWITCH - at least between "full office LAN" and "Home user needing no remote access, no Groups, no Guest, no ___" yada. There's a common denominator of Things to be Turned Off emerging from the countless sites trying to make this POS stumble onwards. Clearly: Bally gives not a Damn about any single User's predicament. May his karma come due.. Oh, just any old avalanche...
     Some Qs + Any suggested lock-down templates for Ex Pee? - (Ashton) - (16)
         Some answers. - (Another Scott) - (4)
             Re: Some answers. - (Ashton) - (3)
                 I understand now. What a nightmare. - (Another Scott) - (2)
                     A good checklist for securing XP. - (Another Scott)
                     Interim report.. - (Ashton)
         I had some success with the Ewido product. - (a6l6e6x) - (1)
             Gracias! Alex - - (Ashton)
         NTFS->FAT32 conversion - (pwhysall) - (6)
             Embedded Devices usually use FAT. -NT - (folkert)
             Was thinking of compatibility, not excellence - (Ashton) - (4)
                 Forget about FAT except for USB thumb drives. -NT - (folkert) - (3)
                     Ouch - so those are useless re HPFS? - (Ashton) - (2)
                         No. The format on the flash drives is FAT. - (Another Scott) - (1)
                             Ah, that makes more sense - (Ashton)
         'Process Guard' - Beastware nanny from Oz - (Ashton) - (1)
             ICLRPD. (new thread) - (Another Scott)