.

Have I been hacked by the chinese?

<<

putosusio

Newbie
Newbie

Posts: 26

Joined: Wed Aug 12, 2009 8:20 pm

Post Thu Oct 28, 2010 1:01 am

Have I been hacked by the chinese?

I have a test network at home. I ran to the ipconfig /displaydns command to troubleshoot and issue and I noticed some .cn domains had been resolved.  What tools can I use to determine what the malware is and what it does?
Its not the fixing that's the hard part, its knowing what needs fixing.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Oct 28, 2010 3:16 am

Re: Have I been hacked by the chinese?

The easiest way in case you want to see everything which is transmitted between
you and the possible chinese domains is to do the following setup on your network:

[computer] => [NIDS] => [Internet Lol Internet]

The NIDS is a Network Intrusion Detection System which is basically another computer (cheapest solution) which can be running Snort which also detects attack patterns in the traffic from the computer through toe NIDS to the Internet. (Most likely via a router of course.

Now on the NIDS you should perhaps run Wireshark or tcpdump and then dump a good amount of traffic when the computer is idle and then just wait for the chinese domains to resolve. When they are resolved you can follow the TCP stream easily in Wireshark on perhaps another computer and even configure the NIDS to alert you whenever a connection is perhaps made to any chinese domain.

This is not easy, but this is the way you will be 100% sure what's going on if there's activity on your computer while it is idle. If there isn't, do the usual thing while the NIDS captures a "small" amount of packets for like 10-15 minutes. Or perhaps more.

Keep in mind the more traffic and the longer time you capture traffic, the less easy it may be to analyze the data.

A must is of course to understand HTTP, DNS, FTP, and other protocols too since you don't know what kind of protocols the malware may use in case  there's any, except that it may be using DNS to resolve the C&C servers.

I hope you have a good hint on how to do this, good luck  ;)
I'm an InterN0T'er
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Oct 28, 2010 8:50 am

Re: Have I been hacked by the chinese?

Keep in mind too....some anti-malware loads blacklists of domains/IPs into your DNS cache. An example is Spybot S&D. If you display your DNS cache with Spybot installed you'd think you are running more malware than legitimate software, but it's only because of the blacklist.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

putosusio

Newbie
Newbie

Posts: 26

Joined: Wed Aug 12, 2009 8:20 pm

Post Thu Oct 28, 2010 12:26 pm

Re: Have I been hacked by the chinese?

MaXe:

I do have wireshark and know how to follow the tcp stream. That's what I was thinking about doing.  I haven't used Snort before, but do know about it.  Learning a new tool is always a good thing anyway. I'm planning on disconnecting my modem and seeing where the malware is trying to call home to.

However, that won't tell me where this thing is on my system.  I make it a habit to delete my temporary internet files and scan any of my pcs regularly.

The good thing about this is that its only a test system.  The bad news is that I only went on "legitimate" websites; to get updates and such.  I didn't even go on social networking websites.

ziggy_567:

I don't have spybot on that server, I do have Malwarebytes though. I don't know if Malwarebytes does the blacklisting thing that Spybot does. A good point nonetheless.
Its not the fixing that's the hard part, its knowing what needs fixing.
<<

kaizen

Newbie
Newbie

Posts: 1

Joined: Thu Oct 28, 2010 12:53 pm

Post Thu Oct 28, 2010 1:13 pm

Re: Have I been hacked by the chinese?

Depends on what you were doing, but I'd say unlikely--they Chinese have bigger targets to hit  :)

I suspect you visited a webpage that had pixels or tracking beacons from those .cn domains.

Did you google those domains to see what they are?


putosusio wrote:I have a test network at home. I ran to the ipconfig /displaydns command to troubleshoot and issue and I noticed some .cn domains had been resolved.  What tools can I use to determine what the malware is and what it does?
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Oct 28, 2010 2:05 pm

Re: Have I been hacked by the chinese?

Believe it or not, the Chinese actually have a legitimate economy with legitimate businesses. Not all Chinese are hackers. I know, shocking, right?
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

putosusio

Newbie
Newbie

Posts: 26

Joined: Wed Aug 12, 2009 8:20 pm

Post Tue Nov 02, 2010 6:12 pm

Re: Have I been hacked by the chinese?

kaizen:

I didn't mean to suggest that the Chinese government are responsible. I mentioned the chinese because most of the domains that were resolved were .cn domains.

The webistes I visited were from well know companies, i.e. Microsoft, VMware, Citrix, etc.  If I was infected by malware it had to have come from such a website. I would just think that they would know it malware was being served from their website.

I have not googled for the domains that were resolved for fear that the links would take me to their websites and load even more malware onto my system.

tturner:

Really? Who would of thought. You sir, are a genius. 

... back to my original topic.  I did some more searching on my system and found a suspicious ini file.  From the little I can read of the code, it appears to be a config file for a fake anti-virus/malware program.  Here is the code in hopes someone here can read it and help me understand more about it:

[Main]
formCaption=Application
MainTB=0=Security status,1=System scan,2=Check for updates,3=Settings,
lStatusHeader=Security status
lStatusL2=Runtime system protection status monitoring. Be sure all the tools marked ON.
lStatusSummary=Security summary:
lStatusL3=Running insecure state, several vulnerabilities are detected
lStatusL4=Last virus scan:
Label7=Last update:
lStatusL5=Last scan results:
lStatusLastUpdate=never
btStatusFirewall=Disable
btStatusAntivirus=Disable
btStatusSpyware=Disable
btStatusAutoUpdate=Enable
btStatusScheduleScan=Enable
btStatusRAM=Enable
labelSSCaption=System scan
labelSS_2=Scan && fix Your computer
labelSS_ScanType=Scan type: 
gbScanStat= Last scan summary 
gbActiveScan= Scan process 
rbQuick=Quick
rbDeep=Deep
rbSelectFolder=Select Folder
rbMemoryScan=Memory Scan
btStart=Start
btStop=Stop
lvFoundItems=0=Threat Name,1=Type,2=Description,3=Threat Level,
btRemoveThreads=Remove Threats
stScanStats1=Objects scanned:
stScanStats3=Threats detected:
stScanStats5=Removed/healed:
stScanStats_eliminate=0
stActiveScan1=Currently scanning:
stActiveScan3=Current object:
stActiveScan2=File System
bSelDir=..
lUpdateInfo0=Please, get {APPNAME} updates from the Internet automatically. To ensure the maximum antivirus protection it is important to keep virus database on your PC up-to-date.
lUpdateHeader=Software update
GroupBox1= Settings   
cbUpdate1=Update upon next system start
cbUpdate2=Update immediately
cbUpdate3=Require confirmation
GroupBox2= Database information   
stUpdate1=Database version:
stUpdate2=Virus signatures:
cbUpdate4=Restart immediately
cbUpdate5=Complete at next system start
bUpdateSave=Save settings
bUpdateCheck=Check for updates
lSettingsHeader=Settings
lSettingsInfo0=You can customize Your preferences here.
LSettingsInfo1=Changes on this settings will take effect after system restart 
GroupBox5= Threats Warning 
cbSettings1=Enable
GroupBox6= Additional 
cbSettings2=Start with Windows startup
cbSettings3=Disable scheduled scans while running on battery power
bSettingsSave=Save settings
GroupBox3= Compatibility 
cbSettings4=Compatibility with self-defense applications 
Button1=start
Button2=stop
Button3=blcat
ShowGui=Show {APPNAME} main window
Activatenow1=Activate now
Update1=Update
Options1=Settings
Help1=Help
Contactcustomsupport1=Contact Customer Support
N2=Close
[BrowserDlg]
formCaption={APPNAME} Activation 
WebBrowser=TWebBrowser
[CancelScan]
formCaption={APPNAME} - System scan not completed
lInfo=You have not completed Your system analysis. {APPNAME} has detected threats in Your system during the scan. You need to complete System scan and eliminate threats it finds. 
bContinue=Continue scan
bRemindLater=Remind Later
[RegistrationWindow]
formCaption={APPNAME} activation
lHeader=Activate {APPNAME} 
lHeader2=Make Your PC free from all kinds of threats
lInfo1=Award-winning scan technology
lInfo2=Free updates without limitations
lInfo3=User-friendly complete GUI
lInfo4=24 h / 7 d full support
lInfo5=Full moneyback guarantee 
lInfo0=Please, click ìActivate nowî button to proceed with secure purchase of the license for {APPNAME}. As soon as you end activation youíll receive:
lHeader3=Activation is highly recommended:
lHeader4=Registration key:
lHeader6=Visit our website if any problems occur
bConfirmActivation=Confirm Activation
bActivateLater=Activate Later
bActivateNow=Activate Now
[AfterScan]
formCaption={APPNAME}
lHeader=Warning!
lHeader2=Infections on your PC can cause:
lInfo1=Applications wonít start
lInfo2=Unwanted advertising displaying
lInfo3=Loss of Internet communication
lInfo4=Lost documents and settings
lInfo5=Important files have disappeared from Your computer
lInfo6=You need registered version of {APPNAME} to remove these infections.%NEWLINE%Click ìRemove threatsî to activate protection and eliminate these security hazards.
lContinueUnprotected=Continue unprotected
lvFoundItems=0=Threat Name,1=Type,2=Level,3=Description,
bRegisterNow=Remove Threats
[RESOURCESTR]
0=Firewall protection
1=Antivirus protection
2=Spyware protection
3=Scheduled scans
4=Automatic updates
5=RAM protection
6={cnt} infected objects found, {cnt_removed} removed
7=Your system is infected! {cnt} dangerous objects have been found during last system scan. It is strongly recommended to remove them immediately.
8=Donít leave! You may have potentially harmful threats%NEWLINE%on Your computer. Please, register Your copy of product%NEWLINE%and get up-to-date protection against latest spyware.
9=This functional is disabled in the unregistered version.%NEWLINE%To use all the features of the product, You must register now.
10=Are you sure? Without activation Your PC will not be protected against intruders.
11=Are you sure? Your PC will not be protected against intruders
12=Congratulation!%NEWLINE%{APPNAME} completed elimination for dangerous objects from Your computer.
13={APPNAME} Update
14=Virus database is up-to-date
15=Memory / Processes
16=Registration key is invalid
17=File system
18=Now Your system under full protection
19=Show Your order details
20=Your computer might be at risk
21=- {APPNAME} is turned off%NEWLINE%Click this baloon to fix this problem.
22={THREAT} threat has been detected. This threat module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click button below to locate and remove this threat now.
23=Start
24=Pause
25=Warning! Removed attack detected!
26={APPNAME} has detected that somebody is trying to stole Your private data remotely via Trojan.Win32.Generic!BT.%NEWLINE%Transfer for Your private data via internet will start in: {SECOND}%NEWLINE%We strongly recommend You to block attack immediately.
27=System Security Pack 2010.78.932 ({APPNAME} Upgrade; KB{KB})
[SecCenter]
formCaption={APPNAME} Protection Center
lRes1=Get latest security information
lRes2=Check for latest updates
lRes3=Get support for security-related issue
lRes4=Get help about security center
lRes5=Change they way Security Center alerts me
Label1=What's new in System to help protect my computer?
Label2=Click "Activate Now" button for suggested actions You can take.
Label3=Internet Options
Label4=Windows Firewall
Label5=Automatic Updates
Label6=Protection Center helps You manage your PC security settings. To help protect Your computer, make sure the all security essentials are marked ON. If the settings are not ON, follow the recommendations.
lVirusProtectionInfo={APPNAME} reports  that it is not activated.%NEWLINE%Antivirus software helps protect your computer against viruses and other security thearts.
lVirusProtectionInfo2=We strongly recommend to activate {APPNAME} and get full protection.
Button1=Activate Now
OpenProtectionCenter1=Open Protection Center
ActivateProtection1=Activate Protection
[StartUp_v2]
formCaption={APPNAME}
lHeader=Warning!
lInfo={APPNAME} has detected {cnt} infected objects on your computer during the last system scan.%NEWLINE%The threats found on your computer are very likely to create further problems if not fixed immediately, such as:
lInfo1=System slowdown, crashes and freeze
lInfo2=Hackers can steal your Credit Card details
lInfo3=Your local and online passwords can be stolen
lInfo4=Slow web pages loading and attacks from outside
lInfo5=Privacy violations during Web surfing
lInfo6=You need registered version of {APPNAME} to remove these infections.%NEWLINE%Click ìRemove Nowî to activate protection and eliminate these security hazards.
lContinueUnprotected=continue unprotected
lInfo7=Infecting other computers on your network
bRegisterNow=Remove Now
[InstallNow]
formCaption=Automatic Updates
Label1=System Security Pack Upgrade
Label2=Update
Label3=Details
Button1=Remind Later
Button2=Install
lvUpdItems=0=,
reUpdDetails=TRichEdit

[ThankYouPage]
formCaption={APPNAME}
lHeader={APPNAME} has been successfully activated!
bContinue=OK
mInfo=Thanks for purchasing and registration {APPNAME}.%NEWLINE%%NEWLINE%All the neccessary information will be send to Your email. %NEWLINE%Please, SAVE them into secure location in case you need to reinstall the software.%NEWLINE%Feel free to contact Customer Support Service if You have any questions.%NEWLINE%%NEWLINE%Useful advices from {APPNAME} Team:%NEWLINE%%NEWLINE%- Scan your computer once ot twice a day and remove all the viruses and security threats.%NEWLINE%- Maximal protection of your computer is enabled ONLY if You turn ON all the Security Status services.%NEWLINE%- Do not use {APPNAME} together with other antivirus softwares.%NEWLINE%  It may result some software conflicts between them.%NEWLINE%- If you have any question, please, contact Customer Support Service.%NEWLINE%%NEWLINE%Please, press "OK" button and wait while {APPNAME} will eliminate threats. Please, be patient.%NEWLINE%


[UpdateReminder]
formCaption={APPNAME} Critical Update Notification
lHeader=Warning!
lInfo1=Use database version: {db_old}
lHeader2=The {APPNAME} database is out of date
lInfo2=New version available database: {db_new}
lInfo3=Automatic {APPNAME} updates are necessary to protect your computer against viruses, spyware and known system vulnerabilities.
lInfo4=Malicious software is detected on your PC!
bUpdateNow=Update Now
bLater=Remind Me Later
[ActivateReminder]
formCaption={APPNAME}
lHeader=Your still haven't activated {APPNAME}
lInfo1=Choose as option:
lInfo6=If you havenít done this yet we advise you to do it as soon as possible.
bRegisterNow=OK
rbActivation=Activate the product
rbLater=Remind me later
[AttackDetected]
formCaption={APPNAME} - Hacker attack detected
lInfo=Your computer is subjected to hacker attack. {APPNAME} has detected that somebody is trying to transfer Your private data via internet. We strongly recommend you to block attack immediately.
bContinue=Register and prevent theft
bRemindLater=No, thanks
[FirewallWarning]
formCaption=Firewall file transfer detected
lHeader=Warning!
lHeader2=Hidden file transfer to remote host was detected
lInfo1={APPNAME}  has detected that somebody is trying to transfer Your private data via internet. We strongly recommend you to block attack immediately.
bUpdateNow=Block attack
bLater=Allow
GroupBox1= Details of the attack
Label1=Remote host transfer IP:
Label2=Remote user computer name:
Label3=User:
Label4=IP-address:
[ThreatDetectWarning]
formCaption=Warning! Threat detected!
lHeader=Warning!
lHeader2=Threat module detected on your PC!
lInfo={THREAT} threat has been detected. This threat module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click button below to locate and remove this threat now.
lContinueUnprotected=You are using a trial version.
lRecomPurchase=It is recommended to purchase a commercial version.
bRemoveThreat=Remove Threat
bLater=Ignore
GroupBox1= Details
Label1=Threat name:
Label2=Infected files:
Label3=Alert level:
Label4=Suggestion:
lSuggestion=It is highly recommended to remove this threat from your PC
lAlertLevel=High
lThreatName=Zlob.Porn.Ad
lInfectedFile=1
[NetworkIntrusion]
formCaption=Network intrusion detected!
lHeader=Warning! Network attack detected!
lInfo=Process is trying to steal your passwords listed below. It is highly recommended to block this threat now.
lInfo1=Your computer is being attacked from a remote PC.
lInfo2=Attack from:
lRemoteIP=145.7.151.43:34630
lContinueUnprotected=continue unprotected
Label1=You are using a trial version.
lRecomPurchase=It is recommended to purchase a commercial version.
lvFoundItems=0=Login,1=Password,2=Website URL,
bRegisterNow=Prevent Identity Theft
[BlockAttack]
formCaption=Protection Center Alert
lHeader=To help protect your computer, {APPNAME} has blocked some features of this program
lInfo={APPNAME} has detected unauthorized activity, but unfortunately trial version cannot remove viruses, keyloggers and other treats. Your personal data under serious risk. It is strongly recommended to register Your copy of {APPNAME} and prevent intrusion for future.
lInfo0=Do You want to block this suspicious software?
Label1=Name:
lThreatName=Trojan.Win32.Autoit.agg
Label3=Alert level:
lAlertLevel=High
Label4=Description:
lDescription=It is highly recommended to remove this threat from your PC
bUnblock=Unblock
bLater=Ignore
bRemoveThreat=Remove Threat
[StartUp_v2_1]
formCaption={APPNAME}
lHeader=Warning!
lInfo={APPNAME} has detected {cnt} infected objects on your computer during the last system scan. The threats found on your computer are very likely to create further problems if not fixed immediately, such as:
lInfo1=System slowdown and crash
lInfo2=Hackers can steal your Credit Card details
lInfo3=Your local and online password stolen
lInfo4=Slow web pages loading and browser crashes
lInfo5=Privacy violations during Web surfing
lInfo6=You need registered version of {APPNAME} to remove these infections. Click ìRegister Nowî to activate protection and eliminate these security hazards.
lContinueUnprotected=continue unprotected
lInfo7=Infecting other computers on your network
bRegisterNow=Remove
Its not the fixing that's the hard part, its knowing what needs fixing.
<<

n1p

Jr. Member
Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Sun Jun 19, 2011 7:33 am

Re: Have I been hacked by the chinese?

Hi,

That just looks like an ini file for the usual fake AVs doing the rounds, as you said. It may be that your AV caught it and failed to remove the ini files if you did not get any notifications saying you are infected..

Was the file called local.ini? Here is a threatexpert report for FakeAV

http://www.threatexpert.com/report.aspx ... 47cb358235
Last edited by n1p on Sun Jun 19, 2011 7:36 am, edited 1 time in total.

Return to Forensics

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software