Is Not allowing remote assistance enough to keep you safe?


32 replies to this topic

#1 resertedlab

Posted 12 October 2016 - 10:10 PM

If Remote Assistance is not allowed in the system options, is that enough to keep any legal programs like TeamViewer, or illegal malware, from remotely controlling your system? What other measures should you take if you believe your computer was exposed (through physical access) to unfriendly people and you now fear remote access is on its way? Any tips to make sure no such connection happens, and also any way to find out if such a program/malware is currently running?

Thanks :)




#2 Didier Stevens (BC Advisor)

Posted 14 October 2016 - 07:51 AM

That option only disables Microsoft's remote access, not other programs like TeamViewer. But of course, you need to have TeamViewer running on your machine for another TeamViewer client to connect to your machine.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 resertedlab (Topic Starter)

Posted 14 October 2016 - 08:51 AM

I understand. But is there any available option (firewall?) in Windows that disables all possible remote programs/apps, or, as long as the programs are running on the machine, can no option break the access?


Edited by resertedlab, 14 October 2016 - 08:52 AM.


#4 Didier Stevens (BC Advisor)

Posted 14 October 2016 - 09:17 AM

Are you asking about malicious remote access tools running on your machine?




#5 resertedlab (Topic Starter)

Posted 14 October 2016 - 09:24 AM

For all types. I mean, I know programs like Malwarebytes will try to detect the malicious ones, but also if any legal program works invisibly in the background, I need to know if Windows has an option to completely block any remote access?

Thanks for your replies again Didier :)



#6 Didier Stevens (BC Advisor)

Posted 14 October 2016 - 09:31 AM

Yes, you could block this with the firewall, but as such programs often run with administrative rights, they have the permissions to change the firewall rules and not be blocked.




#7 resertedlab (Topic Starter)

Posted 14 October 2016 - 09:37 AM

Yesterday I returned my laptop back to factory settings (I will reinstall Windows, but for now) and I have full track of everything currently installed and running. Is there a way to check which programs are allowed to bypass the firewall?



#8 Didier Stevens (BC Advisor)

Posted 14 October 2016 - 09:41 AM

I guess you are asking about the Windows firewall? Check all Outbound Rules.




#9 resertedlab (Topic Starter)

Posted 14 October 2016 - 09:47 AM

Sorry Didier, in the hurry I failed to clarify my question. In the Windows Firewall, in the section Allowed Apps, if any program is allowed, will it be displayed there?



#10 Didier Stevens (BC Advisor)

Posted 14 October 2016 - 10:11 AM

It should, but it can be bypassed. If your computer is compromised, you can not trust what the firewall settings tell you. The output could be correct, but it can also be tampered with.

 

I understand that you try to find workarounds for a possible compromise of your computer, but this chase will never end.

First you have to get your computer checked for malware, then you can see what to do about it (if it is compromised).

 

You also mentioned reinstalling your computer? Why don't you proceed with that? If you have done this before, it will be easier and cost you less time than chasing malware that may not be there.


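The checks discussed in posts #8 to #10 (the Remote Assistance setting, the "Allowed apps" list and the outbound rules) can be pulled into one readable table from PowerShell. This is an added example, not code from the thread; it assumes Windows 8/10 with the NetSecurity module and an elevated prompt.

```powershell
# Added example, not code from the thread. Assumes Windows 8/10 with the
# NetSecurity module (Get-NetFirewallRule etc.) and an elevated prompt.
# Caveat from the thread: on a possibly compromised machine these readings
# can be tampered with, so treat them as a starting point, not as proof.

# 1. Remote Assistance policy value: fAllowToGetHelp = 1 means "allowed".
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$ra = Get-ItemProperty -Path $raKey -Name fAllowToGetHelp -ErrorAction SilentlyContinue
if ($null -eq $ra) { 'Remote Assistance: value not present (treat as unknown)' }
else { "Remote Assistance allowed: $($ra.fAllowToGetHelp -eq 1)" }

# 2. Profile defaults. Outbound is normally "Allow" by default, so a short
#    list of outbound rules does not mean outbound traffic is restricted.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 3. Enabled Allow rules joined to the program and port they apply to.
#    This is the data behind the "Allowed apps" dialog, as one flat table.
function Get-AllowRules {
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Direction = $rule.Direction
            Name      = $rule.DisplayName
            Program   = $app.Program
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Profile   = $rule.Profile
        }
    }
}

# Only rules tied to a specific executable (skip "Any"), outbound grouped first.
Get-AllowRules |
    Where-Object { $_.Program -and $_.Program -ne 'Any' } |
    Sort-Object Direction, Program |
    Format-Table -AutoSize

# 4. The built-in Remote Assistance rule group, if it exists on this system.
Get-NetFirewallRule -DisplayGroup 'Remote Assistance' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Direction, Enabled, Profile
```

Compare the Program column against the inventory of installed software; a remote-control tool that is installed and running will normally need an entry here, but as the thread notes, an administrator-level program can add or remove such entries itself.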


#11 resertedlab (Topic Starter)

Posted 14 October 2016 - 10:27 AM

Absolutely, I will reinstall in the next few days, but I consider my laptop lost already since it was exposed to physical access. Even reinstalling Windows will still keep me paranoid about BIOS infection; it was my fault for not being prepared back then. In fact I am almost sure nothing is installed on the machine, but paranoia is a lot stronger than any virus out there. So my next machine will be fully encrypted, locked with passwords for both BIOS and Windows, and hopefully I won't share apartments with untrusted people anymore.

But information is always helpful and I want to protect the rest of my devices (which were not accessed physically). :) So thanks for the good info, I will take note of those things ;)


Edited by resertedlab, 14 October 2016 - 10:28 AM.


#12 Didier Stevens (BC Advisor)

Posted 14 October 2016 - 10:37 AM

No problem, you're welcome.

 

BTW, since you are going to reinstall your computer, I suggest you mention this in your thread in the Am I Infected forum. No point in checking a computer that you reinstall.

 

I always make a full system backup after I (re)install a computer. This way I can easily restore my computer when something goes wrong. Or if I just suspect something went wrong.

 

A BIOS infection is less likely because of the diversity of BIOS manufacturers and versions.

But don't you have a recent laptop with UEFI instead of BIOS? If you bought a laptop with Windows 8 or 10 pre-installed, it's very likely using UEFI.




#13 resertedlab (Topic Starter)

Posted 14 October 2016 - 11:18 AM

Didier, since I don't know if it's UEFI or BIOS, I checked in System Information and I found that next to BIOS mode it says UEFI? If I am not wrong that would mean I am using UEFI, but these things are a complete mystery for me. From what I remember (since my parents bought that laptop back in late 2013) the Windows is preinstalled (I never installed anything) and I remember the guy told me I need to make a Dell Recovery Disk or something since everything I store is in C:, but back then I didn't listen at all (I thought I would be using this laptop only for fun, but things turned out differently over the years). I think my CD keys are stored in the motherboard, but still I am not sure.. But UEFI can be infected just as well, right?



#14 Didier Stevens (BC Advisor)

Posted 14 October 2016 - 02:07 PM

Yes, if you can set your BIOS mode to UEFI or BIOS, then you have a UEFI firmware.

 

UEFI has better protection against tampering, and UEFI-persistent malware is even less prevalent than BIOS-persistent malware.

 

Personally, I do not worry about UEFI malware for the moment.




#15 resertedlab (Topic Starter)

Posted 14 October 2016 - 02:35 PM

So basically, the chances that this guy was able to create his own malicious program for this new type of system (UEFI), specifically for my ultrabook, and to manage to pull it off in the limited amount of time he had on a Windows-locked machine are really low. Do I need to boot into the UEFI options and check for something suspicious, for something installed there or anything else, or will reinstalling Windows take care of that alone? :)


