p-o-r-n pop ups


10 replies to this topic

#1 hdware
  • Members
  • 5 posts

Posted 02 April 2009 - 09:31 AM

Hi All,

I am a forensic investigator and would like to ask for some advice please, and may I stress that I do not need removal instructions :-) The problem is way past that. I am helping with a peer review of a case that involves very unpleasant images. There are many instances of malware present and I have done a keyword search and found results suggesting indecent material in the RP files (XP Home). The results are all in the registry docs and settings\zonemap\domains\underagehost.com. Is this malware and what would be the effects? The system was unprotected with AV and ASW and there are loads of favorites and images in the TIFs. Some found are:

Openstream.nac
Alphabet.naf
exploit.bytverify trojan
agent.a trojan
BnnnnBaa class loader trojan
Adware.agent.NFX
delf.cfz trojan
small.nze trojan
trojan.downloader.Iframe trojan
trojandownloader.agent.NED
downloader.zlob.bmy trojan
obfuscated trojan
trojanclicker.agent.nbs
fakealert.G trojan
Zlob (generic as there are many forms present)
downloader.fakealert.G
adware.vapsup.ad
fakealert.z trojan
rbot trojan
pakes.O trojan
adware.ultimatedefender application

Internet History is weird and seems to point to very obscure host files and search engines I have never heard of. Any help/suggestions other than how to fix it would be welcome.

Thanks
J

#2 burn1337
  • Banned
  • 311 posts

Posted 03 April 2009 - 07:04 AM

...hhmm I am not sure if I follow you correctly... You are saying you do not need removal help... You give a list of trojans/malware that is present... You also ask if something is malware, and what the effects are... You want help/suggestions, but not on how to fix it... So outside the unpleasant images, you know there is malware, etc... and with that you don't need help, but you have already scanned the registry... I am hoping I am correct with that...
If removing the aforementioned list of programs doesn't solve the problem... and scanning the registry doesn't help... I would check the hosts file to see if that is the cause of these... I would also go through with a fine comb, make sure there are no XML scripts present causing the aforementioned problems....
As for it being malware, it is possible... But it could also be an intruder, it could be leftover XML scripts not being picked up or deleted, it could be a joke someone is playing, or it could be a virus/spyware... As for the effects, well that really depends on what you want the effects from... From the problem of unpleasant images, if it is an intruder, well I am pretty sure I wouldn't have to explain that; if it is XML scripts, well it could be a huge variety, including but not limited to: information leaking, unwanted connections to unwanted servers (normally in the hopes of business), a zombie computer, internet leeching, etc... As for just a joke, well it depends on how it got on there and whatnot... Could just be some person setting things in the hosts file...

#3 hdware
  • Topic Starter
  • Members
  • 5 posts

Posted 03 April 2009 - 07:55 AM

Hi Burn,
thanks for the reply

Yes, you are correct, and it is nothing sinister I assure you. It is a computer forensic case and it is puzzling me. I will look for XML scripts as I am sure it is not a joke. The zone map is riddled with indecent terms. Should there be anything in particular I should be looking for with regards to XML scripts? As well as the zone map there are references to indecent sites in the doc and settings\network service\ntuser.dat (and local service, as well as system32\config\default). The registry has so many references to words linked with illegal material. It's a strange one alright and I just thought I would post the results of the NOD32 scan. I'm running the computer in a VM to see what happens.

#4 burn1337
  • Banned
  • 311 posts

Posted 04 April 2009 - 04:39 PM

Hi hdware,
You're welcome...

Well it really depends with the XML scripts; mainly I would be looking for anything that could be opening new pages, or making a connection in the background... I would also look out for any href or src... Though I still am not exactly sure what you are trying to get out of all this: are you just trying to figure out where it is all coming from? Are you trying to figure out who has done this? etc... If I knew exactly what you are trying to do, it could help me help you... If the registry is linked with so much, then there is a good chance this is caused by spyware and whatnot... Or someone who has an internet porn addiction, and due to it, has caused a lot of indecent types of spyware, malware, etc... With you referencing the user, the system, and the registry, I would say that my guess is probably not too far off...

#5 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,610 posts

Posted 05 April 2009 - 01:43 PM

I am also wondering about the circumstances of this investigation and the objectives--just knowing who the peers are would be helpful. Doctors, a church group?

But I believe I can help by focusing in on the area of the registry that you've mentioned.

Zone Map registry keys are a more modern hosts file. They have to do with either the Restricted Zone or the Trusted Zone of Internet Explorer. From the information you've posted I can't tell which since you have not included the value data. But it is easy enough to find out. Open Control Panel/Internet Options/Security tab, click Trusted Zone to select it, then click the Sites button. If the domains that you're seeing in the registry are listed here then it means when the computer was infected these sites were added to the trusted zone, which gives the sites permission to run just about any script they desire. If it is empty and you see that list of domains in the Restricted Zone, then the person has had a program like SpywareBlaster installed that sets the killbit in the registry so that those sites are no longer accessible. From the title of your post and other information you provided, I can predict with some confidence that those domains are in the Trusted zone. Please confirm.

I would, however advise that anyone be very careful about passing judgement on someone because they have gotten infected and now are seeing porn popups. That does not necessarily mean that the person was surfing porn to get them. It just means that they are infected. The entry point could well have been something as innocent as clicking on a link in IM that the person thought was from a friend or just surfing to the wrong website that is normally legit. Malware authors are experts at duping people into initiating infections. They are profoundly proficient at social engineering.

If the person does actually have all those infections you listed and isn't running AV/AS--and it isn't clear to me if that is a list taken from a Nod32 scan or not--then the person is guilty of neglecting the computer's security, no question. But proving where the entry points are can be difficult--I know, as I've been observing malware removal, and at times participating in and teaching it, for around six years now. But you still would get better clues by looking at the properties of files and seeing when they were modified or created. Better yet, just look at Internet Explorer's history to see which sites have been visited. Unless that history has been deleted.

The thing about people

is they change

when they walk away.--Mipso
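Papakid's description of the ZoneMap key can be checked mechanically against a registry export rather than by clicking through Internet Options on a machine that, as the thread notes, may not even open Control Panel. The block below is an added example, not code from this thread or from BleepingComputer: it parses a regedit text export of the ZoneMap\Domains key and reports which hosts sit in which zone. The SID, host names and values in SAMPLE_REG are constructed; the zone identifiers (2 = Trusted Sites, 4 = Restricted Sites) are the standard Internet Explorer URL zone numbers.

```python
"""Classify Internet Explorer ZoneMap entries from a regedit text export.

Added example, not part of the forum thread. Assumes an export in the
"Windows Registry Editor Version 5.00" format of the key
...\Internet Settings\ZoneMap\Domains. The SID, hosts and values below are
constructed for illustration.
"""
import re
from collections import defaultdict

# Internet Explorer URL security zones, as stored in the DWORD value data.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

DOMAINS_MARKER = "\\Internet Settings\\ZoneMap\\Domains\\"

# Constructed sample: one Trusted host, two Restricted hosts (one of them
# on a subdomain subkey), and one host with a value outside the known zones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bleepingcomputer.com]
"*"=dword:00000002

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-example.test]
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads-example.test\www]
"http"=dword:00000004
"https"=dword:00000004

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\odd-example.test]
"*"=dword:00000009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Return {host: {scheme: zone_id}} for every key under ZoneMap\\Domains.

    A subdomain subkey (Domains\\example.com\\www) is folded back into the
    full host name (www.example.com). Keys elsewhere in the export are ignored.
    """
    results = defaultdict(dict)
    current_host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            idx = key.find(DOMAINS_MARKER)
            if idx == -1:
                current_host = None          # not a ZoneMap\Domains key
                continue
            parts = key[idx + len(DOMAINS_MARKER):].split("\\")
            # Registry order is parent domain first, subdomain as subkey;
            # reverse it so the host reads naturally.
            current_host = ".".join(reversed(parts))
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_host is not None:
            scheme, hexval = value_match.groups()
            results[current_host][scheme] = int(hexval, 16)
    return dict(results)


def summarize_zones(zonemap):
    """Group 'host (scheme)' strings by zone name; unknown ids get their own bucket."""
    summary = defaultdict(list)
    for host, schemes in sorted(zonemap.items()):
        for scheme, zone_id in sorted(schemes.items()):
            label = ZONE_NAMES.get(zone_id, "Unknown zone %d" % zone_id)
            summary[label].append("%s (%s)" % (host, scheme))
    return dict(summary)


if __name__ == "__main__":
    for zone, hosts in summarize_zones(parse_zonemap(SAMPLE_REG)).items():
        print(zone)
        for entry in hosts:
            print("   ", entry)
```

Regedit writes .reg files as UTF-16 LE with a byte-order mark, so read a real export with `open(path, encoding="utf-16")` before passing it in. Two caveats for a case review: IP-address based entries live under ZoneMap\Ranges rather than ZoneMap\Domains, so this parser will not see them, and a host can carry different zones for different schemes, which is why the result is keyed by scheme rather than collapsed to one zone per host.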


#6 hdware
  • Topic Starter
  • Members
  • 5 posts

Posted 05 April 2009 - 02:29 PM

Dear Papakid,
Thanks for the reply, at last someone willing to assist without just telling me to download an app. He is guilty of neglecting his security and perhaps more, but I could do with knowing a bit more. Firstly, the list is from a NOD32 scan. All images are in the cache and most of the created and last accessed dates are identical, meaning that they were probably not clicked on. Further investigation has shown that following a normal Google search for "HP Laptop" the next domain that appeared was werdagoniotu.com and not a Google search result. Many of the search engines listed are not your usual and there are favorites created at times that don't add up.

As for the zone information - firstly there is no Control Panel for any account, even admin in safe mode, but I can right click IE and get that info. I can't even install HijackThis in safe mode and it is impossible to run a virus scan or right click on anything to get the properties on the desktop. There is nothing in the trusted zone in IE and I will go through the other zone in the morning to see if it ties in. Thanks again for your time so far.

#7 burn1337
  • Banned
  • 311 posts

Posted 05 April 2009 - 06:59 PM

Papa - Though yes, the registry does control the trusted and untrusted zones like the hosts file does... Though from what hdware has been describing it almost sounds like hosts file directives, or a complete takeover... Also I was not trying to pass judgment, I was simply saying things like this are caused by either malware or those kinds of surfing habits... As I do know how these creators are at social engineering... I myself have studied psychology, sociology, and others pertaining to those types of studies...

hdware - So you cannot get into a Control Panel, and not even safe mode is working properly... I would like to know if Remote Desktop is enabled; you don't need the Control Panel to do so, on the My Computer icon you should be able to get the system properties from right clicking on there... If not, that is fine...
Taking a look at what you're saying, this seems more than just simple malware, or even a virus; this almost seems like a total takeover... Or in other words, a zombie computer... One thing I think would be a good resource to check is the hosts file... It seems to me that either the internal DNS is being screwed with, or the DNS server has been switched to provide a different DNS lookup than it should receive... The hosts file is, or should be, in C:\windows\system32\drivers\etc... the file name is simply "hosts". If it isn't flooded with a bunch of random sites and IPs, or something of the sort, then I would take a look at the network packets, check the DNS IP address, make sure it checks out...
Though I still have to say, I am still not exactly sure what you are trying to get out of this... And honestly I feel like if I could understand exactly what it is that you are trying to get accomplished here, I could probably direct you in a better way...

#8 hdware
  • Topic Starter
  • Members
  • 5 posts

Posted 06 April 2009 - 01:32 AM

Burn,

Thanks for the mail and I will check what you suggest when I get into the office. This case involves the downloading of illegal images into the internet cache and I am trying to establish another way that this could have happened in the absence of relevant search terms and typed URLs; if not, he's in big trouble and perhaps rightly so, I am just not convinced yet. I hope this now clarifies what I am trying to do, but if not I'd be happy to PM you or mail. Thanks again.

#9 burn1337
  • Banned
  • 311 posts

Posted 06 April 2009 - 01:50 AM

hdware,

Yes, that does help clarify, and I could probably help you a little bit with all this... Though I have not gotten very deep into computer forensics, I have had more than enough experience with tracing down tracks, as well as the ways of finding the hidden ones... If you would like to discuss this further outside of the public, my email is burn1337*****. We could probably find some tracks that can prove where the origin is coming from.

Edited by Pandy, 06 April 2009 - 01:35 PM.
E mail address removed to protect the member from spambots


#10 hdware
  • Topic Starter
  • Members
  • 5 posts

Posted 06 April 2009 - 04:36 AM

Hi Burn,

Thanks for that and I will drop you a line this morning. For info, and for Papa to see, here is the hosts info. system32\drivers\etc\hosts shows the following only:
127.0.0.1 serial.alcohol-soft.com
127.0.0.1 www.alcohol-soft.com
127.0.0.1 images.alcohol-soft.com
127.0.0.1 trial.alcohol-soft.com
127.0.0.1 alcohol-sodt.com

There is also a hosts.msn which includes the same. Also, whilst browsing to system32 I noticed icons such as casino.ico in the Windows directory. I will try and establish what the DNS settings were but I suspect they were in the router, which I don't have. I have noticed that the zone map info I referred to earlier does match the restricted zones. For info, I cannot check remote access yet but I will use forensic software to view the registry to see if this was activated. I can find no evidence for VNC.

Thanks
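The hosts file posted above, and burn1337's earlier advice to check whether it is "flooded with a bunch of random sites and ips", point at one triage question a reviewer wants answered quickly: does each entry make a name unreachable (a block, as Papakid reads the alcohol-soft.com lines) or send it somewhere else (a redirect, the hijack pattern)? The following is an added example, not code from the thread; the constructed SAMPLE_HOSTS repeats the style of the posted entries and adds redirect lines and junk lines for contrast. The 203.0.113.x address and the `.example` host names are documentation placeholders.

```python
"""Triage a Windows hosts file into block-style and redirect-style entries.

Added example, not part of the forum thread. SAMPLE_HOSTS is constructed:
its loopback lines mirror the kind of entries posted above, the redirect
lines use documentation addresses and names.
"""
import ipaddress

# Destinations that make a name unreachable rather than sending it elsewhere.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 serial.vendor-example.com
127.0.0.1 www.vendor-example.com   # trailing comment, still a block
127.0.0.1 images.vendor-example.com
# constructed hijack lines: a search engine and an AV vendor pointed at a
# foreign address, which redirects the name instead of blocking it
203.0.113.10 www.search-engine.example  search-engine.example
203.0.113.10 update.antivirus.example
   # indented comment and a malformed line must both be tolerated
not-an-ip something.example
"""


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping; skip comments and junk.

    A single line may map several names to one address, so each name is
    yielded separately. Addresses are normalised through ipaddress so
    '0.0.0.0' and '::1' compare reliably against SINKHOLE_ADDRS.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # malformed address: not a mapping
        for host in fields[1:]:
            yield ip, host.lower(), lineno


def triage_hosts(text):
    """Return {'blocked': [names], 'redirected': {ip: [names]}}.

    Loopback and null-route targets are blocks (the protective pattern
    described in the thread). Any other target redirects the name; many
    names sharing one address is the shape a DNS/hosts hijack usually takes.
    The stock 'localhost' line is ignored.
    """
    blocked, redirected = [], {}
    for ip, host, _ in parse_hosts(text):
        if host == "localhost":
            continue
        if ip in SINKHOLE_ADDRS:
            blocked.append(host)
        else:
            redirected.setdefault(ip, []).append(host)
    return {"blocked": blocked, "redirected": redirected}


if __name__ == "__main__":
    result = triage_hosts(SAMPLE_HOSTS)
    print("blocked:", result["blocked"])
    for ip, names in result["redirected"].items():
        print("redirected to %s: %s" % (ip, ", ".join(names)))
```

One check to add before trusting the file at all: Windows locates the hosts file through the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so confirm that value still points at %SystemRoot%\System32\drivers\etc before concluding that the file you read is the one the resolver used.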

#11 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,610 posts

Posted 06 April 2009 - 11:06 AM

I started a long response to posts #6 & 7 last night--I am extremely slow, so more was posted before I could do so and then I got sleepy. I will still post what I wrote last night (between the lines of asterisks) as I think it needs to be said, though a little outdated.
******************************

Papa - Though yes the registry does control the trusted and untrusted zones like the host file does... Though from what hdware has been describing almost sounds like host file directives, or a complete take over...

Yes, the hosts file could have been written to in whatever way, that's common--again I don't know either if further investigation is to see what the malware has done once it's entered. It seems obvious to me the system has been backdoored. So anything a person sitting at the keyboard of the computer can do, the person in control of the malware can do as well. Including altering the hosts file, adding favorites, changing the desktop, downloading more malware from nefarious websites--anything you can imagine. And yes, the computer is probably a zombie--part of a botnet. Most actions are carried out by bots rather than a human sitting at a remote keyboard. Any information that isn't encrypted and protected with a strong password can be mined. In general all malware nowadays has a purpose--to make money in various ways. And, I might add, to not get caught.

If you want an interesting read on the intricate criminal network behind most of these trojans, see this page--download the PDF for details on the diagram:
http://pandalabs.pandasecurity.com/archive...-uncovered.aspx

As for the Zones, yes I obviously know what they are--the registry key that hdware asked about has nothing to do with the hosts file, so speculating on whether the hosts file is affected is beside the point. I just mentioned that the Zones work much in the same way as a hosts file--it is not exactly the same and doesn't do everything that a hosts file can do, but I have even heard SpywareBlaster called a particular type of host, though I've forgotten the exact term used.

This is a fact: if you add bleepingcomputer to the trusted zone, this registry key will be added (except the profile identifier at the beginning won't be the same for everyone and I've altered mine):

HKU\S-1-5-21-3400000054-0000017607-2000002147-0000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bleepingcomputer.com

Add the value data in there and the script looks like this:

HKU\S-1-5-21-3400000054-0000017607-2000002147-0000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bleepingcomputer.com\*: 0x00000002


There are also some encryption values modified, but this is the main key to focus on.

To add the BC domain to the Restricted Zone, the exact same registry key is used, but the value data is different.

Problem is that hdware has posted that, instead of Internet Settings, one of the registry keys/folders is docs and settings. I'm unaware of a Docs and Settings key in the registry--a quick look at my HKU profile key doesn't show one. I'm familiar with the Documents and Settings folder in Windows Explorer that contains the user specific files--were you writing this from memory and confused the two? If you want to explore this further, please export the key you were looking at so that I can see the exact spelling and syntax.

Also I was not trying to pass judgment, I was simply saying, things like this are caused form either malware, or those kind of surfing habits...

The comments about passing judgement were not directed at you--hdware mentioned a peer review--which is a nice way of saying a jury is being assembled to judge some particular person. What the paradigms, rules and boundaries of the peers are I have no clue; I am just concerned that the person whose computer is infected is not judged unfairly or too harshly. Yes, it is possible the person got infected when surfing to a porn site--but is that a fact or did it happen another way? As much time as I've spent in malware removal forums (many of them private), I am conditioned to consider people who get infected computers as victims. Sure there are a lot of irresponsible people out there who don't use security software and have no intention of changing their bad habits when they know better--and I get overall jaded at times--but there are still people out there that just make a mistake. If they learn from it and try to do better then I feel better about helping them and then putting the experience behind them.
*********************************
When a system has been backdoored, it is extremely difficult to prove what has been done by the computer operator and what by the malware or botmaster.

So now we know you are focusing on some images (illegal to who?--your government or company/peer entity?) in IE's cache. We do know that you or your peers consider them indecent. You're not worried about sensitive information that might have been stolen or that the computer could have been used to send out spam or whatever. You're just trying to determine if the computer user is culpable for those files being there, or, more specifically, did he intentionally download those images and store them in that folder. I don't know why you are worried about search terms and typed urls--clicked on links are much more common and should be documented in the browser History. You just need to analyze the data you have better.

For one thing, I don't know of anyone who would download images and store them in the browser cache. If the person visited a website that displayed those images, then they would get put in cache. You say the last accessed dates for the images are about the same--if it were only the created date, they could have gotten there just by visiting a porn gallery page. But being accessed in cache, and considering the title of this topic is about porn popups, these could be the images used in the porn popups. Have you taken screenshots of the popups and compared their images with the images in cache?

What I suggest you do is look at the earliest creation dates of the malware executable files that Nod32 found and compare it to IE History and you might be able to determine if the infections were a result of visiting a dodgy website or not. If the entry point is other than that of visiting a infectious website (such as opening an email attachment or clicking on a link in IM), then I doubt you are going to be able to prove anything one way or another.

I have noticed that the zone map info I referred to earlier does match the restricted zones.

Then someone on the computer has made an effort to protect it. And though I didn't ask to see it, the hosts file entries you posted show the same--those domains are being blocked. This is why I am cautioning against a rush to judgement, even for getting infected. There is a lot of ignorance out there about security and security programs. You would be surprised at the number of people who think any ol' security program is antivirus protection. I have heard numerous comments from people who say they have run SpywareBlaster in order to attempt to remove a possible infection. And there are many other more common misconceptions. Do your peers have a rule that an antivirus must be installed and do they make any effort at education?

For info cannot chec remote access yet but I will use forensic software to view the registry to see if this was activated.

Why? All the bot needs is access to a browser or instant messaging--most popular is IRC, to communicate with the controlling server. Perhaps burn wants to access the computer remotely? I can tell you that private help is frowned on unless absolutely necessary--and posting email addresses is against the forum rules--a moderator will remove those when seen--both to protect against spam-bots and for other reasons. These forums are for sharing information that can be beneficial to the community of readers as a whole.

In conclusion, burn, you sound surprised that the system is affected by malware that is not "simple". Very little of the serious malware is simple now--especially on an unprotected machine. Delf I know is hard to remove. The Google search results being tampered with is a common tactic--I don't see it on the list but there is a whole class of trojans known as DNSChanger and other names that do that--along with other types of malware as well. That one makes money through search engines--pay per click and other schemes--blended with fraudulent antivirus/antispyware programs that try to fool you into paying to remove malware that isn't there. Doing malware removal does involve some forensics and one gets familiar with malware characteristics. But there is too much of it out there to keep up with all of it. Even so, one should know as much about malware characteristics when conducting such an investigation.

I would like to give a final piece of advice, if possible, then move on, as this whole thing smells of a witch hunt. Get what data is still usable off that infected computer, do what you will with the subject of your investigation, then reformat--move on, educate your peers and don't worry so much about assigning blame.

The thing about people

is they change

when they walk away.--Mipso
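Papakid's concrete suggestion in the post above is a timeline exercise: find the earliest creation date among the malware executables and read it against the browser history immediately before it, and treat the cache images as artefacts of page loads rather than of deliberate downloads. The block below is an added example, not code from the thread or from any tool mentioned in it; it works two heuristics over constructed records (URLs, file names and timestamps are all invented placeholders, and a real case would load them from the forensic tool's export). First, it lists the history entries in the minutes before the first malware drop as candidate entry points. Second, it groups cache images into creation-time bursts, since a dozen images created within a few seconds of each other are consistent with one page or popup rendering, whereas spread-out creation times look more like browsing, and it records whether every file in a burst still has created == last accessed, the observation hdware made in post #6.

```python
"""Timeline triage for the cache-versus-malware question in this thread.

Added example, not part of the forum thread. All records below are
constructed placeholders standing in for what a forensic tool would export
from the MFT and the browser history (timestamps taken as UTC).
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def ts(text):
    """Parse an exported timestamp string into a datetime."""
    return datetime.strptime(text, FMT)


# Constructed browser history: (visit time, URL).
HISTORY = [
    ("2009-03-20 21:01:10", "http://search-engine.example/search?q=laptop"),
    ("2009-03-20 21:01:14", "http://redirect-host.example/"),
    ("2009-03-20 21:01:19", "http://landing-page.example/"),
    ("2009-03-21 08:30:00", "http://news-site.example/"),
]

# Constructed malware executables flagged by the AV scan: (created, path).
MALWARE_FILES = [
    ("2009-03-20 21:03:40", r"C:\WINDOWS\system32\dropper-b.exe"),
    ("2009-03-20 21:01:21", r"C:\WINDOWS\system32\dropper-a.exe"),
]

# Constructed cache images: (created, last accessed, file name).
CACHE_IMAGES = [
    ("2009-03-20 21:01:22", "2009-03-20 21:01:22", "img001.jpg"),
    ("2009-03-20 21:01:22", "2009-03-20 21:01:22", "img002.jpg"),
    ("2009-03-20 21:01:23", "2009-03-20 21:01:23", "img003.jpg"),
    ("2009-03-20 21:01:23", "2009-03-20 21:01:23", "img004.jpg"),
    ("2009-03-21 08:31:05", "2009-03-21 09:10:40", "photo.jpg"),
]


def candidate_entry_points(history, malware_files, window_minutes=5):
    """Return (first_drop_time, first_drop_path, urls_visited_in_window).

    The earliest-created malware file marks the drop; the URLs visited in
    the window before it are the candidate infection vector. A drop with no
    browsing in the window points at a non-browser entry point instead.
    """
    first_time, first_path = min((ts(t), p) for t, p in malware_files)
    start = first_time - timedelta(minutes=window_minutes)
    urls = [u for t, u in history if start <= ts(t) <= first_time]
    return first_time, first_path, urls


def cache_bursts(cache_images, gap_seconds=5):
    """Group cache images whose creation times run within gap_seconds of each other.

    Each burst records its start and end time, the file names in creation
    order, and never_reaccessed, true only when every file in the burst has
    created == last accessed.
    """
    rows = sorted((ts(c), ts(a), name) for c, a, name in cache_images)
    bursts = []
    for created, accessed, name in rows:
        if bursts and (created - bursts[-1]["end"]).total_seconds() <= gap_seconds:
            burst = bursts[-1]
            burst["end"] = created
            burst["files"].append(name)
            burst["never_reaccessed"] = burst["never_reaccessed"] and created == accessed
        else:
            bursts.append({"start": created, "end": created, "files": [name],
                           "never_reaccessed": created == accessed})
    return bursts


if __name__ == "__main__":
    when, path, urls = candidate_entry_points(HISTORY, MALWARE_FILES)
    print("first drop %s at %s" % (path, when.strftime(FMT)))
    for url in urls:
        print("   visited shortly before:", url)
    for burst in cache_bursts(CACHE_IMAGES):
        print("burst at %s: %d file(s), never re-accessed: %s" % (
            burst["start"].strftime(FMT), len(burst["files"]), burst["never_reaccessed"]))
```

Treat the never_reaccessed flag as weak evidence on its own: NTFS defers last-access time updates (by up to an hour) and the update can be switched off entirely through the NtfsDisableLastAccessUpdate registry value, so identical created and accessed times do not by themselves show that a file was never opened. The burst grouping is the more useful signal for the question in this thread, and it is only as good as the timestamps the acquisition preserved.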
