njRAT picked up by Detekt on my machine


7 replies to this topic

#1 magwep


Posted 22 November 2014 - 10:28 AM

I use McAfee, Super Anti Spyware and Malwarebytes on my computer. Recently Amnesty International endorsed Detekt, so I decided almost for fun to install that software and see if it turned up anything.

 

It did.

 

Detekt returned a positive on njRAT, a very nasty keylogging, mic-and-cam accessing, etc. etc. bit of real true spyware.

 

Sooooo... I'm wondering about it though, as I use TeamViewer. Could TV be causing this positive to be returned?

 

I did a few searches with Farbar (available here on Bleeping) and can't find any njRAT on my machine that way or any other way, for that matter. I called my ISP to see if they had any signs of intrusion (and they, Time Warner Cable, hah, said that they would never let that happen to their customers! hee).

 

So... Detekt is basically advising me to throw out my computer (a rather expensive option hahha) so thought to see if this community, that I've lurked on for years and years has any experience or solutions.

 

If you google njRAT all you are returned is ways to surreptitiously use it--YouTube has tons of instructional videos. ;(

 

See very little in the way of advice, which makes me think that either it is not common, or is really such a super-secret bit of stuff that you can't find help to get rid of it.

 

Anyone know anything about njRAT they can share? I'm wondering what extremes to go to to handle this--or if I even need to handle?

 

The message back from Detekt is:

Following is what I discovered:

= Njrat

This is a common trojan which is free to download from the Internet and is available to just about anyone. It should be normally detected and quarantined by major AntiVirus software. Although it is impossible to guess who might be targeting you, you should seek assistance nevertheless.


Edited by magwep, 22 November 2014 - 10:32 AM.



#2 buddy215

  • Moderator

Posted 22 November 2014 - 11:08 AM

Welcome to BC !

One way to find out if it is a false positive due to having a remote access program on your computer is to uninstall the program and rerun the Detekt program.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 magwep


Posted 22 November 2014 - 02:32 PM

Thanks for your response!

 

I did do that and ran a scan... and it returned a finding that not only do I have njRat, I also have Extreme Rat. :)  

Wondering about Detekt's reliability although it seems author is known.

 

A sys admin friend is suggesting I back up data, reload the OS, create new user accounts, including a separate, never-used admin account -- and that I should check my router for a firmware update; reset to factory default; change the password -- and secure wireless with WPA2/AES security.

 

Sounds like no way to get around the effort.

 

Another friend is saying to throw out my hard drive and get a new one.

 

The kinds of things in the Detekt log are not comprehensible to me--here's a small sample....just wondering if they add up to a false positive.

 

2014-11-21 08:14:18,494 - detector - WARNING - Process svchost.exe (pid: 3748) matched: Njrat at address: 0x85E2324, Value:

46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 FromBase64String
00 54 6f 42 61 73 65 36 34 53 74 72 69 6e 67 00 .ToBase64String.
62 61 73 65 36 34 54 61 62 6c 65 00 43 6f 6e 76 base64Table.Conv
65 72 74 54 6f 42 61 73 65 36 34 41 72 72 61 79 ertToBase64Array
00 49 73 4c 69 74 74 6c 65 45 6e 64 69 61 6e 00 .IsLittleEndian.
47 65 74 42 79 74 65 73 00 73 65 74 5f 54 69 74 GetBytes.set_Tit
6c 65 00 57 72 69 74 65 4c 69 6e 65 00 67 65 74 le.WriteLine.get
5f 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 _ForegroundColor
00 73 65 74 5f 46 6f 72 65 67 72 6f 75 6e 64 43 .set_ForegroundC
6f 6c 6f 72 00 54 69 74 6c 65 00 46 6f 72 65 67 olor.Title.Foreg
72 6f 75 6e 64 43 6f 6c 6f 72 00 42 6c 61 63 6b roundColor.Black
00 57 69 6e 33 32 53 00 57 69 6e 33 32 57 69 6e .Win32S.Win32Win
64 6f 77 73 00 57 69 6e 33 32 4e 54 00 57 69 6e dows.Win32NT.Win
43 45 00 55 6e 69 78 00 58 62 6f 78 00 4d 61 63 CE.Unix.Xbox.Mac
4f 53 58 00 5f 42 75 69 6c 64 00 5f 4d 61 6a 6f OSX._Build._Majo
72 00 5f 4d 69 6e 6f 72 00 5f 52 65 76 69 73 69 r._Minor._Revisi

2014-11-21 08:14:18,496 - detector - WARNING - Process svchost.exe (pid: 3748) matched: Njrat at address: 0x85E2328, Value:

42 61 73 65 36 34 53 74 72 69 6e 67 00 54 6f 42 Base64String.ToB
61 73 65 36 34 53 74 72 69 6e 67 00 62 61 73 65 ase64String.base
36 34 54 61 62 6c 65 00 43 6f 6e 76 65 72 74 54 64Table.ConvertT
6f 42 61 73 65 36 34 41 72 72 61 79 00 49 73 4c oBase64Array.IsL
69 74 74 6c 65 45 6e 64 69 61 6e 00 47 65 74 42 ittleEndian.GetB
79 74 65 73 00 73 65 74 5f 54 69 74 6c 65 00 57 ytes.set_Title.W
72 69 74 65 4c 69 6e 65 00 67 65 74 5f 46 6f 72 riteLine.get_For
65 67 72 6f 75 6e 64 43 6f 6c 6f 72 00 73 65 74 egroundColor.set
5f 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 _ForegroundColor
00 54 69 74 6c 65 00 46 6f 72 65 67 72 6f 75 6e .Title.Foregroun
64 43 6f 6c 6f 72 00 42 6c 61 63 6b 00 57 69 6e dColor.Black.Win
33 32 53 00 57 69 6e 33 32 57 69 6e 64 6f 77 73 32S.Win32Windows
00 57 69 6e 33 32 4e 54 00 57 69 6e 43 45 00 55 .Win32NT.WinCE.U
6e 69 78 00 58 62 6f 78 00 4d 61 63 4f 53 58 00 nix.Xbox.MacOSX.
5f 42 75 69 6c 64 00 5f 4d 61 6a 6f 72 00 5f 4d _Build._Major._M
69 6e 6f 72 00 5f 52 65 76 69 73 69 6f 6e 00 67 inor._Revision.g
 


Edited by magwep, 22 November 2014 - 02:34 PM.
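A small triage script for the log excerpt above, added here as an example; it is not part of the thread and not Detekt's own code. It parses the two WARNING entries the post quotes (the first four hex-dump rows of each, embedded as a constructed sample), recovers the dumped bytes, splits them on the NUL separators that delimit names in a .NET metadata string heap, and checks each name against a short list of base-class-library identifiers (System.Convert, Console/BitConverter, the PlatformID enum members Win32S through MacOSX, and the private fields of System.Version). Every string in the quoted dump is on that list, which is what any process that has loaded the .NET runtime or a managed assembly would carry; the script also notices that the second hit (0x85E2328) sits 4 bytes after the first (0x85E2324) inside the same dumped window, so the two entries are one region, not two detections. The name list, the fragment heuristic for names cut off at the edges of the dump, and the verdict wording are assumptions for illustration; the script only answers whether the matched bytes are more than generic .NET metadata, not whether the machine is infected.

```python
"""Triage of a Detekt-style memory-scan hit (added example, not Detekt's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: the two WARNING entries quoted in the post above, first four
# hex-dump rows of each (the post shows more rows; these are enough to demonstrate).
SAMPLE_LOG = """\
2014-11-21 08:14:18,494 - detector - WARNING - Process svchost.exe (pid: 3748) matched: Njrat at address: 0x85E2324, Value:

46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 FromBase64String
00 54 6f 42 61 73 65 36 34 53 74 72 69 6e 67 00 .ToBase64String.
62 61 73 65 36 34 54 61 62 6c 65 00 43 6f 6e 76 base64Table.Conv
65 72 74 54 6f 42 61 73 65 36 34 41 72 72 61 79 ertToBase64Array

2014-11-21 08:14:18,496 - detector - WARNING - Process svchost.exe (pid: 3748) matched: Njrat at address: 0x85E2328, Value:

42 61 73 65 36 34 53 74 72 69 6e 67 00 54 6f 42 Base64String.ToB
61 73 65 36 34 53 74 72 69 6e 67 00 62 61 73 65 ase64String.base
36 34 54 61 62 6c 65 00 43 6f 6e 76 65 72 74 54 64Table.ConvertT
6f 42 61 73 65 36 34 41 72 72 61 79 00 49 73 4c oBase64Array.IsL
"""

# Assumption for this example: identifiers that any managed code referencing
# System.Convert, Console/BitConverter, System.PlatformID or System.Version carries.
GENERIC_DOTNET_NAMES = frozenset({
    "FromBase64String", "ToBase64String", "base64Table", "ConvertToBase64Array",
    "IsLittleEndian", "GetBytes", "set_Title", "WriteLine", "get_ForegroundColor",
    "set_ForegroundColor", "Title", "ForegroundColor", "Black",
    "Win32S", "Win32Windows", "Win32NT", "WinCE", "Unix", "Xbox", "MacOSX",
    "_Build", "_Major", "_Minor", "_Revision",
})

HEADER_RE = re.compile(
    r"^\S+ \S+ - detector - WARNING - Process (?P<proc>\S+) \(pid: (?P<pid>\d+)\)"
    r" matched: (?P<rule>\S+) at address: (?P<addr>0x[0-9A-Fa-f]+), Value:$"
)
ROW_RE = re.compile(r"^((?:[0-9a-fA-F]{2} ){16})")  # 16 byte pairs, then the printable column


@dataclass
class Hit:
    process: str
    pid: int
    rule: str
    address: int
    data: bytes = b""


def parse_detekt_log(text: str) -> list[Hit]:
    """Collect each WARNING header and the raw bytes of the hex-dump rows that follow it."""
    hits: list[Hit] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            hits.append(Hit(m["proc"], int(m["pid"]), m["rule"], int(m["addr"], 16)))
            continue
        r = ROW_RE.match(line)
        if r and hits:
            hits[-1].data += bytes.fromhex(r.group(1))  # fromhex skips the spaces
    return hits


def identifiers(data: bytes) -> list[tuple[str, str]]:
    """Split a NUL-separated string region into (name, position) pairs. The first and
    last pieces may be cut off by the dump window, so they are tagged as fragments."""
    parts = [p.decode("ascii", errors="replace") for p in data.split(b"\x00")]
    if len(parts) == 1:  # no separator at all: one unterminated fragment
        return [(parts[0], "lead")] if parts[0] else []
    out = [(parts[0], "lead")] + [(p, "whole") for p in parts[1:-1]] + [(parts[-1], "trail")]
    return [(n, pos) for n, pos in out if n]


def is_generic(name: str, pos: str) -> bool:
    """A whole name must be on the list; a fragment must end (lead) or start (trail) one."""
    if pos == "whole":
        return name in GENERIC_DOTNET_NAMES
    if pos == "lead":
        return any(g.endswith(name) for g in GENERIC_DOTNET_NAMES)
    return any(g.startswith(name) for g in GENERIC_DOTNET_NAMES)


def merge_overlapping(hits: list[Hit]) -> list[Hit]:
    """Drop a hit whose address lies inside the dumped window of an earlier hit in the same pid."""
    merged: list[Hit] = []
    for h in sorted(hits, key=lambda x: (x.pid, x.address)):
        if merged and merged[-1].pid == h.pid and (
            merged[-1].address <= h.address < merged[-1].address + len(merged[-1].data)
        ):
            continue
        merged.append(h)
    return merged


def assess(hit: Hit) -> dict:
    """Report which matched strings are not explained by the base class library."""
    names = identifiers(hit.data)
    unexplained = [n for n, pos in names if not is_generic(n, pos)]
    verdict = ("generic .NET metadata only; inconclusive, verify the process and its modules"
               if not unexplained else "strings not explained by the base class library; investigate")
    return {"pid": hit.pid, "rule": hit.rule, "identifiers": [n for n, _ in names],
            "unexplained": unexplained, "verdict": verdict}


def triage(text: str) -> list[dict]:
    return [assess(h) for h in merge_overlapping(parse_detekt_log(text))]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result)
```

The follow-up a practitioner would do by hand, outside this script, is to establish what process 3748 actually is and which modules it has loaded: these strings are equally consistent with a legitimate process that hosts managed code and with a process into which a managed payload was injected, and the Detekt excerpt alone does not separate the two.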


#4 buddy215


Posted 22 November 2014 - 02:57 PM

magwep...I've asked a member of the malware response team to take a look. I would not recommend you follow navayda's suggestion. Wait for a response from me or a member of the MRT.



#5 magwep


Posted 22 November 2014 - 09:17 PM

Thanks! I do not see a Navayda suggestion, so assume that's been rescinded. Thanks so much for your assistance.

#6 buddy215


Posted 22 November 2014 - 09:22 PM

It's the weekend....I will still post a response or someone from the MRT will.



#7 magwep


Posted 23 November 2014 - 09:05 AM

Oh sorry, yes! I thought there was a post you were referencing by a Navayda, but don't see any post by Navayda. Thank you again!



#8 buddy215


Posted 23 November 2014 - 10:06 AM

I've been advised to suggest you start a new topic.

 

Start a new topic after creating a DDS log by following instruction #6 found here: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help - Virus, Trojan, Spyware, and Malware Removal Logs

 

Post the DDS log along with a description of the problem in the Virus, Trojan, Spyware, and Malware Removal Logs Forum - BleepingComputer.com

 

Do not bump your topic once it is posted. Wait for a response. It could be a few days.





