x404.co.uk http://www.x404.co.uk/forum/

Tracking down a trojan http://www.x404.co.uk/forum/viewtopic.php?f=4&t=17770
Page 1 of 1
Author: cloaked_wolf [ Sat Dec 01, 2012 3:24 pm ]
Post subject: Tracking down a trojan

All of the computers in the workplace are supplied by the primary care trust. They've provided AV software through Sophos. The problem is that one computer was being worked on and had a warning come up about a virus on the system and how it needs to scan the computer. The manager was savvy enough to contact me rather than press anything and I immediately knew a trojan had gotten in and was trying to pass off as security software. My first action was to yank the LAN cable to stop potential spread; I then forced the computer off and ripped out the hard drive. Plan is to run it through my own antivirus and anti-trojan software. Important files are always backed up.

Things I need to know:
- How can I detect the route it came through? The manager had been looking at bank accounts at the time before using Sage software. She denies any other usage at the time and I trust her word implicitly.
- How can I detect the spread? Given that Sophos never picked it up or did anything, it is quite conceivable that it may have spread undetected elsewhere. I honestly feel like ripping out all of the HDDs and scanning them manually as an external drive.
- How can I check to ensure the backed up files on the servers, and the servers themselves, aren't affected?
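The last question above, whether the backed-up files on the servers have been altered, is only answerable against a known-good baseline: a manifest of file hashes taken before the incident (or from a copy you trust) that the current backup is compared with. The following is an added example of that comparison, not code from any poster in this thread; the directory layout, file names and the `setup_update.exe` file in `demo()` are constructed sample data, and the manifest format (JSON of relative path to SHA-256) is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def save_manifest(manifest: Dict[str, str], dest) -> None:
    """Persist the baseline; keep this copy somewhere the backup host cannot write to."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src) -> Dict[str, str]:
    return json.loads(Path(src).read_text())


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed content since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a baseline of a constructed backup tree, tamper with it, and diff.

    Everything written here is constructed sample data for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "accounts").mkdir(parents=True)
        (backup / "accounts" / "ledger.dat").write_bytes(b"constructed sample ledger")
        (backup / "readme.txt").write_text("constructed sample readme")

        manifest_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(backup), manifest_file)

        # Simulate what a compromise of the backup share might look like:
        # one data file modified, one unexpected executable dropped in.
        (backup / "accounts" / "ledger.dat").write_bytes(b"constructed sample ledger, altered")
        (backup / "setup_update.exe").write_bytes(b"constructed: unexpected new file")

        return compare_manifests(load_manifest(manifest_file), build_manifest(backup))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A file that is unchanged against the baseline is only as trustworthy as the baseline itself, which is why the manifest should be stored off the backup host and built while the files were known to be good; "added" executables and "changed" data files that no one edited are the entries worth a closer look.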
Author: MrStevenRogers [ Sat Dec 01, 2012 11:00 pm ]
Post subject: Re: Tracking down a trojan

Find out which trojan it is first and then work from there. Chances are (if nothing was executed) that it is on the one system only ...
Author: saspro [ Sun Dec 02, 2012 10:35 am ]
Post subject: Re: Tracking down a trojan

Sounds more like scareware than a trojan, which would explain why Sophos didn't find it. Malwarebytes should clear it and will tell you where it was; from there you can work out from their history which site caused it.
Author: JJW009 [ Sun Dec 02, 2012 11:43 am ]
Post subject: Re: Tracking down a trojan

It would be safest to erase the disk and re-image the machine, after saving any important data. If it really does have something nasty in it, they often have registry keys which reload the malware as soon as there's an internet connection. This will happen even though every file on the disk is "clean". I think some software can scan off-line registry files, but I can't recommend any. As to "where did it come from", unless something obvious shows up in Internet Explorer's browse history then that kind of detective work is certainly beyond my skills and may actually be impossible.
Author: cloaked_wolf [ Mon Dec 03, 2012 9:02 am ]
Post subject: Re: Tracking down a trojan

Unfortunately, we don't have the images - the PCT has them, which would mean reporting this. I've run both Sophos and Malwarebytes on the HDD. They picked up infected files in the Temporary Internet Files, Application Data and System Volume Information folders. This is with the HDD as an external USB drive. Plan now is to see if the computer will boot up and see what happens.
Author: JJW009 [ Mon Dec 03, 2012 10:40 am ]
Post subject: Re: Tracking down a trojan

Boot it up with no network connection. Then plug the network in and run a netstat to see if it connects to anything. There's a chance it'll just re-download the files.
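The netstat check suggested above is easier to read if the raw `netstat -ano` output is filtered down to active connections leaving the local network, so that normal LAN traffic (file server, loopback, listeners) does not bury the one line that matters. The following is an added example of that filtering, not code from the poster: the netstat text is a constructed sample in the Windows `netstat -ano` layout, `TRUSTED_NETWORKS` is an assumed LAN range to be adjusted to the site, and `203.0.113.77` is a documentation address standing in for an unknown external host.

```python
import ipaddress
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of Windows "netstat -ano" output (not captured from the
# machine in the thread). PID 2140 is the process worth following up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       732
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     3096
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49801     203.0.113.77:8080      ESTABLISHED     2140
  TCP    192.168.1.20:49805     203.0.113.77:443       SYN_SENT        2140
  UDP    192.168.1.20:137       *:*                                    4
"""

# Networks the isolated machine is expected to talk to while under observation.
# Assumed value for the example; set it to the site's own LAN range(s).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# TCP states that mean traffic is actually leaving (or trying to leave) the box.
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT", "CLOSE_WAIT"}


def _split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'host:port' into (host, port); handles '[::1]:80' and the '*:*' wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn 'netstat -ano' output into one dict per socket line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto = fields[0]
        local_ip, local_port = _split_endpoint(fields[1])
        foreign_ip, foreign_port = _split_endpoint(fields[2])
        if proto == "TCP" and len(fields) >= 5:
            state, pid = fields[3], fields[4]
        else:
            state, pid = "", fields[3]  # UDP lines carry no State column
        rows.append({
            "proto": proto, "local_ip": local_ip, "local_port": local_port,
            "foreign_ip": foreign_ip, "foreign_port": foreign_port,
            "state": state, "pid": pid,
        })
    return rows


def _is_external(host: str) -> bool:
    """True for routable addresses outside TRUSTED_NETWORKS; wildcards and loopback are not."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or an unparseable token
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_multicast:
        return False
    return not any(addr in net for net in TRUSTED_NETWORKS)


def unexpected_connections(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Active TCP connections whose far end is outside the trusted networks."""
    return [r for r in rows if r["state"] in ACTIVE_STATES and _is_external(r["foreign_ip"])]


def live_snapshot() -> str:
    """Run netstat -ano on the local (Windows) host; falls back to the sample elsewhere."""
    try:
        return subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_NETSTAT


if __name__ == "__main__":
    for row in unexpected_connections(parse_netstat(live_snapshot())):
        print(f"PID {row['pid']}: {row['local_ip']}:{row['local_port']} -> "
              f"{row['foreign_ip']}:{row['foreign_port']} ({row['state']})")
```

Run it a few times over the first minutes after the cable goes back in, since a beacon may be brief; the PID column is what ties a flagged connection back to a process (on Windows `netstat -b`, run as administrator, prints the executable name alongside). A clean result only says nothing connected during the window watched, which is why the re-image advice earlier in the thread still stands.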
Author: MrStevenRogers [ Mon Dec 03, 2012 12:14 pm ]
Post subject: Re: Tracking down a trojan

Disable system restore before doing this!!! ...
Author: cloaked_wolf [ Mon Dec 03, 2012 7:27 pm ]
Post subject: Re: Tracking down a trojan

Deleted system restore points. Netstat didn't show anything abnormal. Computer has been running fine all day.
All times are UTC