dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
5037
share rss forum feed


QuantumPimp

join:2012-02-19
Reviews:
·voip.ms

Bonehead move turns my computer into Tor exit node

So I downloaded and ran a program that I found on the internet. Normally I am super paranoid about doing this but today I must have suffered a slight brain malfunction and installed a program from an untrusted source without first testing it in a virtual machine.

Of course it installed a virus. Of course Windows 7 Security Essentials reported absolutely nothing wrong. As part of my normal practice, after installing new software, I did a quick netstat to peruse any open TCP connections. Internet explorer reported about a dozen connections. I wasn't running internet explorer. One program had Tor exit node as part of its command line parameters. Yikes!!!!!! I could see some sort of "phone home" taking place: lots of connections to servers all over the place. Maybe all this was just Tor. I dunno.

A quick rule added to Windows Firewall shut down all internet connections. Fortunately the "virus" appears to only have installed itself as a startup program from within the Roaming directory. Not sure why a virus scanner wouldn't flag this situation right away. Very odd.

A moment of indiscretion made my network connection an open Tor exit point for whatever the virus author intended. This can happen to anyone. Hopefully I shut this down before anything bad could take place however it took about two hours to diagnose and then regain control of my computer.

An IP address is not a person.


Samgee

join:2010-08-02
canada
kudos:2

Provided you can prove that, if law enforcement needs to find out why an illegal act was performed using your IP, you should be just fine (or not). Your IP may not be a person, but it's assigned to you so you'll be who they'll want to talk to.

»www.techdirt.com/articles/201105···de.shtml



Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7

1 edit
reply to QuantumPimp

said by QuantumPimp:

....A quick rule added to Windows Firewall shut down all internet connections.

Fortunately the "virus" appears to only have installed itself as a startup program from within the Roaming directory.

Not sure why a virus scanner wouldn't flag this situation right away. Very odd....

 
Most interesting - MSE misses something !

In the past, Windoze Defender would have immediately queried on any added startup tasks, and M$ provided THAT free security app for us too.

I actually LIKED WD, and avoided antivirus apps which wanted to disable it.

Talk about reverse progress !

--

We have only 2 things about which to worry :
(1) That things may never get back to normal
(2) That they already HAVE !


d4m1r

join:2011-08-25
Reviews:
·Start Communicat..
reply to QuantumPimp

1) Very weird that a virus would open up a Tor exit node....Are you use it's what it did? Tor session maybe, to transfer stuff between it self and the master computer....

2) Glad to see you have such a systematic (and efficient I'd say) PC security regiment in place. If all Windows users applied similar strategies, viruses would be a thing of the past...
--
www.613websites.com Budget Canadian Web Design and Hosting


Samgee

join:2010-08-02
canada
kudos:2

I suspect the scenario outlined above is fantastical in nature. Windows security essentials and defender (if not user access control) most certainly would have alerted the user to what was happening.



QuantumPimp

join:2012-02-19
Reviews:
·voip.ms
reply to d4m1r

How to be certain? Some facts:
1. Software launched something that had the words "tor exit node" on the command line (I used a program called CurrPorts v2.05 to monitor what was happening).
2. Found a temporary directory called "tor" in Local.
3. The software in Roaming was stored in a sub-directory called "Ogalxy" and the executable was signed by a German company.
4. A couple of dozen connections were created. Some to servers in Germany and the Netherlands.

I don't know much about Tor. For example are all exit nodes public or is it possible to create private nodes? I have no clue. I also don't know what protocols were used as that would require sniffing and analysing the traffic. I was not in a state of mind to dissect the software ... instead I was trying to figure out how to disable and then remove it.

The thing is d4m1r, I have very deep knowledge of computing and networking. During those couple of hours I was frantic and scrambling to preserve and protect the valuable information on my computer and network (including tax, banking, and credit info). I didn't even think about network security until I later understood what was happening. Lots of things that should have worked did not including virus detection, and restore from backup. Most people would not have the training to detect and fix this situation and to overcome the operational failures.

The reason for this post is twofold: Firstly, Virus detection is *not* as reliable as I had wrongfully assumed. It certainly wasn't in this case. Secondly, my network was briefly compromised. I believe I was fast enough to protect the security of my network but given recent happenings related to IP addresses vs identity I thought my experience with this virus presented a sobering lesson.



QuantumPimp

join:2012-02-19
Reviews:
·voip.ms
reply to Samgee

said by Samgee:

I suspect the scenario outlined above is fantastical in nature. Windows security essentials and defender (if not user access control) most certainly would have alerted the user to what was happening.

LOL. No. I have better things to do with my time than make things up for your amusement. Being skeptical of any information on the internet is healthy so I don't condemn you. You can have a copy of the virus if you wish.

I intend to re-download the virus into an XP virtual machine and study why Security Essentials failed. It seems to have at least two behaviours that should be easily detectable: modify startup from roaming. When is that ever a good thing? Opens a pile of connections as internet explorer and yet internet explorer was not launched as an application.

No. UAC won't protect Roaming. I am still puzzled by the startup changes not being reported.

Samgee

join:2010-08-02
canada
kudos:2

I don't want it, but if it's done what you suggest it has, Microsoft certainly would.



random

@teksavvy.com
reply to QuantumPimp

I also use »www.virustotal.com/, a free online virus scanner for scanning small (32MB or less) files and URL. It uses a pool of 40 or so virus scanners, so it would offer more coverage where an individual scanner would have missed.

Based on my experience, MSE misses a lot of the files that are caught by visustotal.



hm

@videotron.ca
reply to QuantumPimp

I bet half the people who thinking UAC or windows defender is your savior are very much unaware they are on some Russian proxy list as being good to use.


jerrycan

join:2010-11-05
Waterloo, ON
reply to QuantumPimp

I adore my 64.



sbrook
Premium,Mod
join:2001-12-14
Ottawa
kudos:13
Reviews:
·WIND Mobile
·TekSavvy Cable
reply to QuantumPimp

said by QuantumPimp:

During those couple of hours I was frantic and scrambling to preserve and protect the valuable information on my computer and network (including tax, banking, and credit info). I didn't even think about network security until I later understood what was happening. Lots of things that should have worked did not including virus detection, and restore from backup. Most people would not have the training to detect and fix this situation and to overcome the operational failures.

The FIRST thing I do if I suspect any kind of virus infection *at all* is to pull the machine OFF the network. Just pull the plug. Then I start protection steps. Then identification. Then removal.

If I need tools, I get them on another machine, put them on a CD or key and bring them manually to the infected machine.

Jaxom

join:2012-03-10
East York, ON
reply to QuantumPimp

Has absolutely nothing to do with Teksavvy.



TypeS

join:2012-12-17
London, ON
kudos:1
Reviews:
·TekSavvy Cable

said by Jaxom:

Has absolutely nothing to do with Teksavvy.

I think he's trying to make a subtle attack on the whole Voltage v TekSavvy drama going on with the "IP is not a person" statement he's mentioned twice now.

And that's a whole other can of worms being discussed in other threads.

As for antivirus protection, MSE is great for a free alternative but shouldn't be relied on if you want to be serious about protecting against malicious programs.

And as sbrook already said, the first thing you ever do when you suspect infection, is immediately disconnect the machine from network physically (or disable the wireless adapter via hardware switch on the notebook). Then you go about finding, negating, removing and restoring.

shepd

join:2004-01-17
Kitchener, ON
kudos:1
reply to sbrook

said by sbrook:

The FIRST thing I do if I suspect any kind of virus infection *at all* is to pull the machine OFF the network. Just pull the plug. Then I start protection steps. Then identification. Then removal.

If I need tools, I get them on another machine, put them on a CD or key and bring them manually to the infected machine.

Virus writer writes in his list of devious notes:

"Have virus hold the HDD data hostage until the PC is plugged back into the network. Give them 10 minutes and then delete it. "


sbrook
Premium,Mod
join:2001-12-14
Ottawa
kudos:13

At which point, I put another disk in place as "system" disk and the infected disk as data disk.



ptrowski
Got Helix?
Premium
join:2005-03-14
Putnam, CT
kudos:4
reply to QuantumPimp

First off, what was this mystery software you downloaded and installed?
Second, have you ever heard of the Tor Project? You should google it, it's not a virus.



QuantumPimp

join:2012-02-19
Reviews:
·voip.ms
reply to TypeS

said by TypeS:

said by Jaxom:

Has absolutely nothing to do with Teksavvy.

I think he's trying to make a subtle attack on the whole Voltage v TekSavvy drama going on with the "IP is not a person" statement he's mentioned twice now.

Not subtle and not an attack. Just relaying an experience that caused me to consider how easy it is to become a victim. You've correctly identified why I thought it important to post here (or at all). Anyone thinking this has nothing to do with TekSavvy is not paying attention.

As both you and hm suggest my reliance on UAC and MSE demonstrates poor judgement and is not enough. Never would have thought so. With all of the exploits being identified lately I am left to wonder, given the complexity of the systems and software we use every day, how much is enough?


ptrowski
Got Helix?
Premium
join:2005-03-14
Putnam, CT
kudos:4

So what was the software?



Tx
bronx cheers from cheap seats
Premium
join:2008-11-19
Mississauga, ON
kudos:12
Reviews:
·TekSavvy DSL
·FreePhoneLine
·Rogers Hi-Speed
reply to Jaxom

said by Jaxom:

Has absolutely nothing to do with Teksavvy.

Wow, you need a job dude. 80+ posts and 1\4 of them must be "What does this have to do with Teksavvy".

May i suggest you start your own forums and police them? Let people create threads how/where/when they want and if mods feel it's not topic enough they'll move it.

Oh wow, i forgot, that's what moderators around here are for.

said by QuantumPimp:

An IP address is not a person.

Maybe you've been too busy telling people what topics go where but maybe read his entire post and how it possibly relates to Teksavvy's recent events.