Monday, November 03, 2003

Trust No One!

That was the mantra of an old favorite Role Playing Game of mine, "Paranoia". (Before they ruined it with the 2nd edition)

So, back to the point.

I'm working on a client's computer this weekend. It has two problems: CPU utilization in Windows XP is a constant 100%, and Microsoft Word would not open any files. So I start poking around with the obvious things: spyware and viruses.

The computer already has Norton Internet Security on it (up to date), and the user ran Adaware multiple times. With the CPU being at 100%, I didn't want to try to run anything on it. Besides, if it was compromised, it wouldn't have done any good. So off comes the cover, out comes the hard drive, and in it goes to my forensics workstation, which has several versions of different scanners of different types.

So I run Command Antivirus, Norton Antivirus, Trend Micro's Housecall Web-based Free Scanner, Spybot Search and Destroy, Adaware (again), McAfee's AntiVirus, Grisoft's AVG. Basically, the kitchen sink of scanners.

Nothing.

Didn't find a thing, and CPU was still at 100% when the Hard Drive was replaced.

OK - System process was using 80-90% of CPU time. That usually indicates a device driver of the wrong version (say, one for Windows ME, which this machine originally had installed).

Check all the drivers by hand. All are the Digitally Signed XP versions. Shoot. No dice.

Check the registry (where I should have started). Found buried in an obscure section a reference to 'server.exe' (Sub7 trojan program) and 'systray.exe' where it shouldn't have been (another Trojan). Removed those two files, reboot.
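The registry check above, done by hand in the post, is the kind of thing worth scripting. Here is an added example (not the author's, and written for a current Windows system rather than the XP box in the story) that walks the common autostart keys and flags entries whose target executable is missing, fails Authenticode verification, or lives somewhere a startup program normally should not, such as a drive root; the key list and the "odd location" rule are my assumptions.

```powershell
# Added example (not from the original post): enumerate common registry
# autostart locations and flag entries whose target is missing, unsigned,
# or sits somewhere a startup program normally would not (e.g. a drive root).
# Assumes Windows PowerShell 5.1 or later; key names are the standard ones.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Winlogon carries fixed value names; only these two launch programs.
$winlogonValues = @('Shell', 'Userinit')

function Get-TargetPath([string]$command) {
    # Strip quotes and trailing arguments to recover the executable path.
    $c = $command.Trim()
    if ($c.StartsWith('"')) { return ($c -split '"')[1] }
    if ($c -match '^(.+?\.exe)') { return $matches[1] }
    return ($c -split '\s+')[0]
}

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
    if ($key -like '*Winlogon') { $names = $names | Where-Object { $winlogonValues -contains $_ } }
    foreach ($name in $names) {
        # Userinit is a comma-separated list, so check each item separately.
        foreach ($cmd in ([string]$props.$name -split ',' | Where-Object { $_.Trim() })) {
            $path = [Environment]::ExpandEnvironmentVariables((Get-TargetPath $cmd))
            if (-not [IO.Path]::IsPathRooted($path)) {
                # A bare name (e.g. explorer.exe) resolves through the search path.
                $resolved = Get-Command $path -ErrorAction SilentlyContinue
                if ($resolved) { $path = $resolved.Source }
            }
            $flags = @()
            if (-not (Test-Path -LiteralPath $path)) { $flags += 'missing' }
            else {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
                if ($path -match '^[A-Za-z]:\\[^\\]+$' -or $path -like "$env:USERPROFILE*") {
                    $flags += 'odd-location'
                }
            }
            $status = if ($flags) { $flags -join ',' } else { 'ok' }
            '{0,-22} {1,-12} {2}' -f $status, $name, $path
        }
    }
}
```

An unsigned binary at a drive root or under a user profile is not proof of anything on its own, but it is exactly the sort of entry to look at first before trusting a clean scanner report.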

System works fine now.

The date on the Trojans was October 24th, 2003. I took the hard drive out of a system and scanned it in another, yet the scanners never found those two programs (one in C:\ and the other in C:\Windows\System32) even though they were in non-hidden directories. The drive was even formatted FAT32, so it had nothing to do with file permissions or ownership. The Anti-Virus program on the system had been there for 8 months and was kept up to date.

Still feel protected by your Anti-virus programs?

Think again.

Just be careful using your system.