Security Basics
mailing list archives
Re: Windows 98 box is 'owned'
From: "John R. Morris" <jrmorris () nerdality com>
Date: Thu, 30 Sep 2004 17:59:56 -0400
Darren Kirby wrote:
Hello all,
I am writing this on behalf of my Mom. She was complaining that her computer
was sluggish, and that her HD space was getting used up faster than it
should. So I went over and fired up my trusty Linux live cd and had a look.
Anyway, I found a directory right in C: named 'Downloads', and inside were
about 50 or so files, which were all warez, porn, windows exploits and
cracker 'howto's. Quite obviously this computer is owned, and is being used
as a warez server. I deleted the files, booted win, but they reappeared after
about 10 minutes. The strange thing is that these files are ALL 29k, and all
have filenames like:
Adobe Photoshop crack.exe
Smashing the Stack.txt.exe
Eminem - full album.mp3.exe
Office 2003 full.exe
...
On further inspection I found an identical directory at C:/windows/Downloaded
Program Files/. God only knows how many trojans and other nasties are
sprinkled around...
So I yanked the power cord out of her adsl modem, and told her not to plug it
back in unless she was checking her mail. Bad advice for sure, but try
telling your mom that her computer is rooted by punk kids and it is too
cracked to have safe internet access at all. Seems that a complete OS
reinstall is in order, but it seems to me that if they can own her box once
they can own it again just as easy, which leads me to this list...I would
like to try some investigating, and try to figure out where the backdoor is,
what exactly they are doing...and of course how to prevent it.
Some background on myself...I am a Linux sysadmin, and have a great deal of
experience with UNIX operating systems...however, I have never run a windows
box, and have only used one in the 'point-and-drool' sort of way. So I really
know nothing of how the underlying OS works (or doesn't...).
So I guess I am just asking for some opinions of the situation, and perhaps
some links to docs about this type of attack, and how to prevent it. Also,
any software along the lines of chkrootkit or other forensic tools, but for
windows would be a big help.
TIA
-d
Well, definitely a reinstall... And do have your Mom change all her
passwords afterwards, especially for her e-mail, any online banking or
anything like that. Also, if she has done any online shopping or
ordering keep a close eye on credit card bills for anything unusual and
get in touch immediately with said CC company's fraud division. Back up
the critical docs and e-mail, bookmarks, so the pain factor of all this
is as minimal as possible.
For an ad-hoc amateur forensic audit, try all the tools
www.sysinternals.com has for free. They have quite a selection to
monitor access to the registry, filesystem, network, and Windows
versions of things like strings to check out those binaries. Of course
doing forensics on a broken box from the box in question is not really
as fruitful but should still give some useful info. Another way of
course is to image the windows partition(s) off via network to a linux
box, mount them there and pick away at things, maybe even bring it up
under VMware and use Linux to watch the network. Do it first offline and
see what it tries to connect to, and then plug it in and see what
connects to it. Put together as much information as possible, especially
any IP addresses or identifying information that shows up, and send that
to the ISP's abuse/security folks, and let them know that you've
completely reinstalled the OS and patched it.
Consider making Norton AV, Ad-aware, and a good host firewall program
(Outpost, Zone Alarm, Norton Personal Firewall) part of the install as
well, and perhaps an upgrade from Windows 98 to XP, too. Patches and
turning off unneeded services and installing desired user apps/games
should complete the task. Switch her from IE to Firefox/Mozilla if not
already switched.
For the services, here is a good guide to turning stuff off:
http://www.blackviper.com/Articles/OS/OSguides.htm
HTH,
John
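As an added example (not part of John's reply or anything from the thread), here is a small Python triage script for the offline step John describes: walk a mounted, read-only image of the Windows partition and flag the two indicators Darren reported, clusters of .exe files that all share one size and disguised double-extension names like .mp3.exe. The decoy-extension list and the constructed sample tree are assumptions for the demo.

```python
import os
import tempfile
from collections import defaultdict

# Inner extensions commonly used to disguise an executable as a media or
# document file (assumed list; the post itself shows .txt.exe and .mp3.exe).
DECOY_INNER_EXTS = {".txt", ".mp3", ".jpg", ".zip", ".doc", ".avi"}

def is_disguised_exe(name):
    """True for names like 'song.mp3.exe' or 'notes.txt.exe'."""
    root, ext = os.path.splitext(name)
    if ext.lower() != ".exe":
        return False
    inner = os.path.splitext(root)[1].lower()
    return inner in DECOY_INNER_EXTS

def scan_tree(root):
    """Walk a mounted image; return ({size: [paths]}, [disguised paths])."""
    by_size = defaultdict(list)
    disguised = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".exe"):
                continue
            p = os.path.join(dirpath, f)
            by_size[os.path.getsize(p)].append(p)
            if is_disguised_exe(f):
                disguised.append(p)
    return by_size, disguised

def suspicious_size_groups(by_size, min_count=3):
    """Sizes shared by several .exe files, like the 29k lures in the post."""
    return {s: sorted(ps) for s, ps in by_size.items() if len(ps) >= min_count}

def build_sample_tree():
    """Constructed sample data mimicking the Downloads folder in the post."""
    root = tempfile.mkdtemp()
    dl = os.path.join(root, "Downloads")
    os.makedirs(dl)
    for name in ["Adobe Photoshop crack.exe", "Smashing the Stack.txt.exe",
                 "Eminem - full album.mp3.exe", "Office 2003 full.exe"]:
        with open(os.path.join(dl, name), "wb") as fh:
            fh.write(b"\x00" * 29 * 1024)   # every lure is the same 29k
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"\x00" * 4096)            # a lone, ordinary-sized binary
    return root

if __name__ == "__main__":
    by_size, disguised = scan_tree(build_sample_tree())
    for size, paths in suspicious_size_groups(by_size).items():
        print(f"{len(paths)} .exe files share size {size} bytes")
    for p in disguised:
        print("double extension:", p)
```

Point `scan_tree` at the mount point of the imaged partition instead of the sample tree to run it against a real box; pairing the flagged paths with the file timestamps gives a starting point for the sysinternals and strings work John mentions.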