I would really like to know, from someone who knows about these things, what is a good system to use to keep my computer free from viruses/trojans/worms etc (as far as it is possible).
I'm asking because I have what seems to be a particularly nasty Trojan and the usual anti-virus software seems pretty crap at dealing with trojans. (the trojan is called Hacker Defender or Backdoor.hackdefender or is some variant of it - more info at end)
I'm running XP and have norton anti-virus (the 2002 version but it's updated weekly) however this clever little bastard trojan seems to beat it at every turn. If I log on in XP as me, i.e. with the most XP powers, then norton won't even run. It tries to, stutters a bit, then shuts down.
If I log on as a guest or as another user then norton runs and it identifies the trojan but it can't repair it or quarantine it or delete it (this trojan has also managed to disable the "always on" aspect of norton as well as the ability to update its virus list). I've tried norton in safe mode too and I have deleted it, but it's back there again next time I log on.
One of the other clever things this trojan does is to selectively close down Internet Explorer if you try to view certain sites that might help you get rid of it, so for certain anti-virus sites IE just disappears. There are even certain threads on tw forums that cause IE to shut down, threads about ad-aware for example, while all others work as normal.
I'm not really asking about this particular problem (I'll ask later if I really can't fix it) but it amazes me that norton anti-virus, i.e. one of the biggies, can be so easily disabled like this. I've also run the online scan "HouseCall" from trend micro which found nothing and the online scan "FreeScan" from mcafee which found a different, easy to get rid of trojan, but couldn't find this nasty one. I've done ad-aware too - no luck.
So what are these anti-virus people playing at??? In trying to get rid of this thing, I've been to lots of websites with people trying to sell their software along the lines of "end your sasser worm worries for only $29.99", so these guys seem to just love a new outbreak of something or other whilst they continue to peddle their shitty programs.
I'd just like to know a good way of stopping this stuff. Do I need two or maybe three anti-virus programs? I have a firewall (MS XP) but is there a better one? Is it better to also have a program specific to trojans? Ad-aware vs. spybot?
What is a good, and preferably free, system to use?
Trojan info from mcafee for Backdoor.hackdefender
*****************************
This detection covers several versions of a rootkit for WindowsNT/2000/XP. The purpose of this rootkit is to give an attacker remote access to the compromised system by creating a remote shell. This rootkit hooks the operating system at a very low level, allowing it to conceal its presence very effectively. Once installed, the rootkit is capable of hiding files, processes, services, and registry information. This kit uses an INI file, allowing the attacker to customize various aspects of the trojan. Such as:
Specify files, directories, processes, services, and registry keys to hide
Backdoor password
Service name, display name, and description
Program to execute after the rootkit has run
The rootkit monitors all incoming TCP port traffic. If the traffic is identified as being sent by the rootkit client component, it is verified as having the correct password, and then passed to the remote shell. For example, if an IIS web server is running on a compromised system, an attacker can connect to the backdoor on port 80. Since the trojan is intercepting the traffic before the IIS server has access to it, IIS never sees the packets. This enables the trojan to bypass the firewall.
The trojan has a port redirector component, which works under WindowsNT.
Indications of Infection
There are no obvious signs of infection.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal Instructions
Submit a copy of the detected file to AVERT for further instructions.
**********************************
Helpful eh..