June 09, 2004 12:00 AM

My Trojan War Becomes a Quagmire

Windows IT Pro
InstantDoc ID #42944

For the past 2 weeks, I've been discussing my first major electronic Trojan horse attack, which appears to have lodged some sort of self-replicating code in a Windows XP Service Pack 2 (SP2)-based laptop. After describing the attack in detail last week ( http://www.winnetmag.com/article/articleid/42845/42845.html ), I received an astonishing 200+ email messages from readers, all chock-full of advice about how I might combat the Trojan. Words can't begin to express my thanks for the level and quality of these responses. I've said it before, and it's still as true as ever: Windows & .NET Magazine UPDATE readers are an incredible lot, and thanks so much for all the help.

So I spent the better part of last week going through the tips and advice one email message at a time, trying to figure out how to wipe out the Trojan without wiping out the system, a tactic I refer to sarcastically as "nuking it from space," an allusion to the 1986 sci-fi movie classic "Aliens." And frankly, I'd have wiped the partition out a week ago and started over, but I feel a certain obligation to see whether I can't fix the machine--for two reasons: Solving the problem might help others (and it's clear from all the email I've received that this sort of attack is a big concern); and Microsoft has gotten involved because it's readying the security-centric XP SP2 release, which doesn't offer a complete solution for this new type of threat (though, frankly, Windows Firewall could have prevented it from happening in the first place). I'm willing to help the company with a solution, I suppose, but it's difficult to remotely fix this sort of problem, and I'm not excited to pack up the machine and ship it to Redmond if it comes to that.

But sadly, I can't claim to have made much progress in the past week, although I've certainly tried just about everything. It's hard to explain how frustrating this problem has been, though I get the feeling many of you have experienced this same frustration, based on your email messages. What's interesting is that, though many people appear to have had similar attacks, none involved the same files, registry settings, or other attributes, suggesting that this attack is a bit more sophisticated than your standard Trojan attack.

There have been a few glimmers of hope. Eugene Curran recommended an excellent product--Tiny Software's Tiny Personal Firewall (TPF--http://www.tinysoftware.com)--that mitigates the problems the malicious software (malware) causes but doesn't remove the offending code: While TPF is running, the registry doesn't automatically spawn references to TV Media (tvm.exe) after I manually delete the references, and Microsoft Internet Explorer's (IE's) home page isn't hijacked by http://www.allaboutsearching.com, which are the two remaining symptoms at this time. But when I turn off or disable TPF, these symptoms return. TPF has given me a somewhat acceptable way to use the machine while I wait for a fix, but the offending launch code is still hiding somewhere on my machine, and it's wearing on me. (Tvm.exe doesn't exist, however, so the hidden launch code can't actually do anything.)

Here's why I think TPF works: The latest version of the firewall, TPF 5.5 build 1332, includes a unique new feature that, according to the company, "adds robust protection against all unknown spyware which based their existence on injecting malicious code into applications you normally trust." Also, TPF is a two-way firewall, compared with XP SP2's inbound-only Windows Firewall, so it prevents installed Trojans from doing any damage after the fact. This is a feature SP2's Windows Firewall sorely lacks.

Through various means, I've managed to eliminate parts of the attack's effects. The references to POLL EACH in the registry are gone and haven't returned. The inscrutable blehdefyreal toolbar in IE is also gone, although I wish that Microsoft had provided an automated way to remove such add-ons in XP SP2's new Manage Add-ons tool for IE 6.0, which can only enable or disable (but not remove) IE add-ons. But the TV Media references (but not the tvm.exe application) and the IE home-page hijacking, as previously mentioned, remain.

I don't understand why it's impossible to find the hidden process that's making changes to this system. With all the registry and process watchers I've tried and all the antispyware utilities I've run, it should be a fairly straightforward process to find the thing and rip it out. But I've had no luck at all.

Therefore, I'll need to postpone the conclusion to this sad little epic to yet another week: Some experts at Microsoft are investigating the problem, and I hope to have a more definitive conclusion and perhaps a step-by-step guide to fixing this sort of problem sometime soon. Again, thanks to everyone who wrote me: Your help is very much appreciated. I wish I had better news.

Users and Administrators
On a related note, several readers mentioned that they hoped I hadn't been running the laptop with an Administrator-level account. Sadly, on a nonmanaged XP machine today, it isn't realistic to run without Administrator privileges. Unlike UNIX and UNIX-like systems such as Linux and Apple Computer's Mac OS X, Windows isn't very usable with a non-Administrator account, largely because so many applications are ignorant of rights and were written to work only with Administrator-level accounts. This is particularly problematic in a home environment, in which XP Home Edition's crippled Limited Account type, designed for children and less-technical users, is virtually useless. The machines I use are all running XP Professional Edition, of course, but the net effect is the same: Unless and until Microsoft changes the way local user accounts work and gets application and driver writers to sign on board, it's not possible to take this obvious step toward securing an unmanaged Windows system unless you're willing to give up a lot of functionality.

By comparison, consider how simple tasks in Mac OS X work. Even if you log on with an Administrator account, some tasks, such as running Software Update Services (SUS) or installing applications, require you to provide your password again, interactively, when you run them. This approach is a simple yet effective way to ensure that you intend to perform an activity that will change configuration settings or potentially damage the system. In Windows, the lame Run As option, virtually hidden under a right-click menu that typical users will never know about, is a poor substitute. As with the lack of spyware tools and a true two-way firewall in XP SP2, this is an area in which Microsoft needs to invest in the future.

Comments
  • Anonymous User
    Apr 20, 2005

    WHAT DOES THIS HAVE TO DO WITH THE TROJAN WAR????????????????????

  • Wade Hoffarth
    Jun 15, 2004

    The Trojan Wars - I have run into the same scenario as you have mentioned regarding your trojan horse which is certainly no longer a routine "run of the mill" attack. Fortunately, for me I browse for trouble on purpose on a non-linked machine on my network - but, like you, I use admin level user accounts as is typical so I can determine how destructive new attacks can be and how they affect higher level functioning machines. I've previously encountered other similar attacks to yours and had been able to isolate a few of the running processes and had been madly figuring up new workarounds to permanent solutions but have also found that there have been obvious hidden processes running code under different names than the original offending code that was spotted using the various spyware and TH programs available. The problem sometimes is these trojans are often mutating names and properties of themselves prior to discovery or upon a scan initiation, and since such properties are discovered based on search, find and discovery methods I began to look at the triggers of such scans and how they can be manipulated to re-name and hide the original offending processes and files while allowing discovery of the old processes to lull the user into a sense of false security. The discovery process of getting to the files that are causing havoc often triggers an event that then changes the filename to another so it will allow for a recognition of the file by the scanner, and lull the user into the sense of having apparently eliminated the offender, only to have them find it re-loads again after windows re-launches. The first trojan I ever personally saw that did this was coreflood, which changed its name and identity signature upon discovery to a nonsense 8 letter and digit name that then used multiple random extensions and it re-loaded itself on startup in a different folder using standard names of files no one would normally look at as being anything but harmless.

    Until the next scan it sat idle and it would also insert arbitrary code into the machine allowing for RAS loading and use by a separate system user who could hide their account using superuser style method, and then destroyed its own tracks. It wasn't reported as doing this on most sites such as McAfee or Norton's sites, but it was documented as a mutating trojan and they offered inferior methods of discovery through scan methods which of course triggered the trojan to rename and re-hide itself back into the system. The cure: reformat or hard find the files in the registry yourself and eliminate them. Since many of these types of trojans place themselves into the windows\system and system32 folders as well as other folders and does so apparently at random it is extremely difficult to comprehend the time this took to truly rid the system of this? My experience showed this particular strand one of my users had contracted would also often create a readme.txt file which sat resident as a type of logic bomb awaiting another discovery and eventual re-mutation from where it would read the code from this seemingly innocuous file (readme.txt) as needed and continuously reload itself into the system files. Your trojan appears to be similar - though it is doing something slightly different - and I too have spotted the method in several new trojans that I've encountered in my googling and spidering. New strains seem to be able to detect and mutate itself as many trojans do when it is discovered, but they also seem to be doing so whenever a scan, search or find command gets run and in special note it happens whenever the file is tagged for deletion by a spybot or ad-aware type program.

    The fact that these files hide their existence and processes is an obvious step up for the trojan developers who are getting more tactical about their injection methods and the multiple step sequence levels of mutations is getting a lot smarter about how to handle exceptions in discovery and re-coding methods. I have recently also noted that several new trojans are using system and even hidden superuser accounts that are being created for the purpose of allowing for remote manipulation. These surreptitiously create new accounts allowing for remote files to inject themselves into browsers at times, and I've seen new forms of coding attacks that will modify the offending filenames when the search command or scan methods used by Spybot, Ad-Aware and others is used. If the find command is used in regedit it also appears to be creating new problems elsewhere allowing for the re-load to occur on re-boot even though the original file has been located and destroyed. The only combative measures I've found to be truly effective are carefully noting the sequence of changes as noted in the registry backups I create when I make mods or by following the notes I get whenever I snapshot off new images or apps files for mock distribution. Recently I set up an environment to document these forms of attack by creating clean base images of my systems using Ghost, and then I began creating separate apps packages which are Zen'd and from which I Snapshot all program installs separately. The changes made to the registry document feeds line by line changes that are being made to the registry as well as all the program mods made and it does so in detail in the Zen process. Every app I load gets a snapshot file, and if a machine corrupts I can re-ghost it and then load out the apps on a server push which gives me a clean machine in a matter of minutes instead of days.

    But there have been some recent issues even with this as I have encountered which have shown that the new forms of trojans can actually transcend the imaging and snapshot installs. Until reading your column I thought I had been alone in my problem. I too searched Google and spidered many sites to try and find answers to these issues, to no avail. I began to realize that there was a mix of logic bombs and trojans that were being triggered by certain applications (namely IE being used as a specific trigger and the introduction of any spyware program to the system has had serious side effects) as well as the use of any registry find issued or use of windows search strings... among others. One particularly insidious program was loaded from a warez site which was supposedly Zone Alarm 5 and it actually infected the boot sector of my drive and modified the startup file to allow for the infection to keep recurring while allowing for apparent clean re-ghosting and snapshotting. Since the image was being loaded off a server share, it wasn't as apparent but since I moved to an absolute clean image I realize now the ghosted image was coming from a logic bomb infected machine that triggered on the search command use. It was indeed perplexing me how an apparent clean image, which had been loaded successfully 100's of times before could be dirty even after re-format. It was hidden all along though and there is no telling how long it would have taken to discover this had it not been for my obvious lack of concern or respect over the recent warez scandals of using internet based software copies without licensing? I have also now started seeing imaged machines re-create the problems realizing there has been a boot sector infection that has been propagating itself into the new images all along.

    Since it is part of my job (I consider) as a consultant to discover these processes and create fixes that I can apply to my clients' machines I've been allowing myself to be infected by these attacks for some time now. I recently hit one that almost exactly emulated your situation when loading a game hack for my own son. It also loaded a hidden copy of Lycos sidesearch components, 1800search tool as well as programs named bridge, bargain buddy, abbeterinternet and a few others, one of which was tvm.exe. I was having major trouble ridding my machines of these. It eventually blocked all downloads of any spyware program at all and it nearly beat me out of my own box for a hard re-format and base software hand-loading session. But, I have managed to rid these infections by doing a hard look through the registry without scanning and noting all instances of changes as previously noted using the zen snapshotting process and then reading all code lines added without using any seek or find methods which I believe were being used as triggers. Next up I imagine is a coding that will make mods whenever a regedit is performed but I am not hopeful of seeing this anytime soon as this latest one almost put me down for the count. In combination with using safe mode re-boots - killing processes and undoing these changes by hand rather than doing searches or finds for the keywords it appears I have won out, but with consequences. Nearly all of these processes I've discovered were using system account privileges which could not be easily stopped and all were mutating and migrating across folder structures to create seemingly harmless filenames such as the readme.txt scenario. I have also encountered hidden .dll files and a few others aptly named services.exe, optimize.exe, sbb.exe and a few others that had rooted themselves pretty firmly into my file structure.

    It has only been through sheer determination to beat these bastards and quite possibly through dumb luck too, but the files have finally stopped popping up ads and the processes have not returned in over a month now which is completely new and hopefully a good sign. Still, I have doubts? The only thing remaining is my inability to load any spyware programs post-fix. But to me this seems to be better than hard formatting my drive and losing all potential data prior to the logic bomb insertion which is only slightly documented since it is way after the fact... but I think this is a small price to pay given the fact I have my data which I can finally feel safe to load to backup and re-load on a clean new image. Since this latest fix has blocked 100% of the adware loads due to hard mods these files made to my basic setup and startup files I have found that a compromise is better than full on defeat, but maybe I'll be able to figure this out soon enough? After all, I still read your column and am hoping you will be the one to get the solve in from a reader or through your own sheer determination. Kudos on not giving up, it goes to show that the bad guys will never win out simply over sheer determination and numbers alone.

  • Jeremy Priest
    Jun 11, 2004

    I quite agree. If you think back all the way to MSDOSShell, yes, I said, MSDOSShell, the basic look and overall functionality of Programs really has not changed. In fact if what I've been told about is right, Microsoft code is so large for Windows that anybody trying to clean it or wanting to optimize it are at a loss for fear of breaking something.. :-| Of course that is a normal concern for any programmer but the base sourcecode for Windows needs to be rewritten not merged. Merging only can add more problems. But "that's life" (I don't know what the correct French spelling for it is so just think it's french :p) Yet so much is riding on Windows nowadays that I think they are afraid of changing too much to break everything. Sure the opensource community is a great help for good, reliable working (for the most part) applications, but for the most part each OS has its own problems. So take your pick and shod your armor. It's a war out here and there's no going back. (Sad as it may be)

  • Max Horkiins
    Jun 11, 2004

    Two things I would definitely try: 1) Download SpyBot Search and Destroy. This is probably the most powerful spyware nuker out there. Do a Google on SpyBot and it will take you to the site. 2) I would download and run a program like "active ports" or some port monitoring software. You can see which ports are being used by every service, application, or trojan on your PC. Some programs like active ports also give you the name of the file being used to access certain ports. Very handy indeed if trying to find the culprit.
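The port-to-process mapping this reader describes can be reproduced without a third-party tool by joining the output of two commands that ship with XP, `netstat -ano` (which prints the owning PID per socket) and `tasklist` (which maps PIDs to image names). The script below is an added example, not code from the column or from the reader; the two output samples are constructed in the format those commands print, and the process names, PIDs and addresses in them are invented. The "expected images" list is the caller's own allowlist, something a practitioner would build from the machine's known services, not a fixed rule.

```python
"""Join `netstat -ano` with `tasklist` to name the process behind each socket.

Added example. Parses constructed output in the column format the two XP
commands use; the process names, PIDs and addresses below are invented.
"""
import re

# Constructed `netstat -ano` output: proto, local, foreign, state (TCP only), PID.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1054       198.51.100.23:80       ESTABLISHED     2332
  TCP    0.0.0.0:5050           0.0.0.0:0              LISTENING       2332
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` output (image name is the first column, PID the second).
TASKLIST_OUTPUT = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        212 K
svchost.exe                  876 Console                 0      4,288 K
suspect.exe                 2332 Console                 0      1,024 K
"""

# UDP rows carry no State column, so the state group is optional.
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Header and "=====" rows contain no PID/session digits and therefore don't match.
_TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return one dict per socket line; non-socket lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: image_name} from tasklist's fixed-width table."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def connections_by_process(netstat_text, tasklist_text):
    """Attach an image name to every socket. A PID netstat reports but
    tasklist does not list is shown as '<unknown>' (a process that has
    already exited, or one that is hiding itself from the process list)."""
    procs = parse_tasklist(tasklist_text)
    return [{**row, "image": procs.get(row["pid"], "<unknown>")}
            for row in parse_netstat(netstat_text)]


def unexpected_sockets(netstat_text, tasklist_text, expected_images):
    """Sockets owned by any process not on the caller's expected-image list.
    This is the list to compare against the Run keys and firewall exceptions."""
    expected = {name.lower() for name in expected_images}
    return [c for c in connections_by_process(netstat_text, tasklist_text)
            if c["image"].lower() not in expected]


if __name__ == "__main__":
    for c in unexpected_sockets(NETSTAT_OUTPUT, TASKLIST_OUTPUT, ["System", "svchost.exe"]):
        print(f"{c['proto']:4} {c['local']:22} {c['remote']:22} {c['state']:12} "
              f"pid={c['pid']} {c['image']}")
```

Run on real output, the interesting rows are the ones whose image is `<unknown>` or is not a service you can account for; a LISTENING socket owned by a process you did not install is exactly the kind of lead the reader's "active ports" tip is meant to surface. Note that PID reuse after a process exits can mislabel a socket briefly, so capture both outputs at the same moment.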

  • kjelle
    Jun 10, 2004

    I have had similar problems with a couple of PCs but I've given up trying... its pretty darn scary close to the "Borg" creatures of StarTrek... "resistance is futile..."

    Anyhow, I have an idea, I guess U already tried it but here it goes...

    On NT4 there was a practical utility to make snapshots of the registry... there has to be a similar tool around for XP. My guess is that this piece of spyware has added a string, somewhere in the registry, probably on the same line as an IE command... I don't know how it manages to place strings in the registry but its still my best guess, that when U start IE, it starts with a command to go to that hijacked url for starters...

    By comparing a "healthy" working installation (IE values & strings) with your infected comp, you should be able to make a "diff" and compare the differences. Hope it helps.
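The snapshot-and-diff approach this reader proposes, applied to the two symptoms the column still has (a Run entry for TV Media that keeps coming back and an IE Start Page pointed at the hijack URL), can be done with nothing more than two `regedit` exports and a parser for the .reg text format. The script below is an added example, not code from the column or from any reader: it parses two constructed .reg snapshots, diffs every value, and keeps only the changes under keys that control startup and IE settings. The Run and Internet Explorer\Main key paths and the "Start Page" value name are real XP locations; the TV Media file path and the unrelated SomeApp key are assumptions made up for the sample.

```python
"""Diff two regedit exports and flag changes under autostart / IE keys.

Added example. Both snapshots are constructed; the TV Media entry and the
Start Page URL mirror the column's symptoms, the path under Program Files
and the SomeApp key are invented.
"""
from __future__ import annotations
import re

# Key-path fragments (lower-case) where startup items and IE settings live.
# "\...\run" also matches RunOnce and RunServices, which is intended.
PERSISTENCE_FRAGMENTS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\internet explorer\main",
    r"\software\microsoft\windows\currentversion\explorer\browser helper objects",
)

# Constructed "known good" export taken before the symptoms appeared.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed export taken after the Run entry and home page came back.
SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.allaboutsearching.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TV Media"="C:\\Program Files\\TV Media\\tvm.exe"

[HKEY_CURRENT_USER\Software\SomeApp\Settings]
"LastRun"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# A value line is @=data (the key's default) or "name"=data; the name may
# contain escaped quotes, so the class allows backslash-escaped characters.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse the subset of .reg syntax regedit writes: header line, [key]
    sections, "name"=data lines. Data is kept exactly as exported (escapes
    are not decoded); a diff only needs equality. Returns
    {key_path: {value_name: data}} with "" as the default value's name."""
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or \
                line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def diff_reg(before, after):
    """(kind, key, name, old, new) for each value added, removed or changed."""
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in b:
                changes.append(("added", key, name, None, a[name]))
            elif name not in a:
                changes.append(("removed", key, name, b[name], None))
            elif b[name] != a[name]:
                changes.append(("changed", key, name, b[name], a[name]))
    return changes


def is_persistence_key(key_path: str) -> bool:
    """True if the key sits under one of the autostart / IE locations,
    whichever hive it was exported from."""
    lowered = "\\" + key_path.lower()
    return any(frag in lowered for frag in PERSISTENCE_FRAGMENTS)


def find_persistence_changes(before_text: str, after_text: str):
    """Diff two .reg exports and keep only changes under persistence keys."""
    changes = diff_reg(parse_reg(before_text), parse_reg(after_text))
    return [c for c in changes if is_persistence_key(c[1])]


if __name__ == "__main__":
    for kind, key, name, old, new in find_persistence_changes(BASELINE_REG, SUSPECT_REG):
        print(f"{kind:8} [{key}] {name or '@'}: {old!r} -> {new!r}")
```

Exporting the two snapshots while the suspect process is dormant (for instance from Safe Mode, or with the two-way firewall the column uses left enabled) avoids the "scan triggers a rename" behaviour the other reader describes, because reading exported text files touches nothing on the infected machine. The SomeApp change is reported by `diff_reg` but filtered out by `find_persistence_changes`, which is the point: a full-registry diff is noisy, and the filter narrows it to the keys that explain a respawning Run entry or a hijacked home page.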
