Tag Archives: malware

TCPView & AutoRuns vs Undetectable Backdoor

Filed under Downloads, Misc, Personal, Security News

We’re going to use TCPView to check active network connections and AutoRuns to see what loads with Windows.

The user is complaining of system slowness. Upon looking at the workstation I noticed AVG Free Edition and Spybot Search and Destroy installed, with Windows Firewall enabled. A pretty standard novice-user protection plan, and almost a given that this system is infected.

I close Firefox and all open applications. I open TCPView and right off the bat I see outbound traffic to a *.CO.UK host, with Firefox as the process making the remote connection. Backdoors commonly use a reverse connection: once you execute the backdoor, it injects itself into a trusted process (Internet Explorer, Firefox) and connects out from that process to the attacker. The reason for hiding inside a common process such as Internet Explorer or Firefox is that most novice users, when creating rules for their software firewall, select “always allow” for common processes so they aren’t bothered every time they open Firefox with “Do you want to allow firefox.exe access…”. This is perfect for the backdoor: you’ve allowed it unrestricted outbound access through firefox.exe, and a firewall that filters by process name cannot tell the two apart. Strike 1 for this novice user.


Port 95? A browser normally talks to port 80 and 443 (HTTP / HTTPS); other ports are possible (a proxy, a site on 8080), but an established connection to port 95 on a host the user has never heard of is worth a closer look. Now that I know the user is infected, I need to find out what the file is called, where it lives, and why AVG’s detection is showing a clean system. I load AutoRuns and check the Logon entries for anything suspicious. Bingo Bango! I see scchost.exe (not to be confused with svchost.exe, which is legitimate in most cases) loading at boot, stored safely away from novice users in the system32 folder. Now, 100% sure that is the backdoor, I would like AVG to agree, so I update AVG and scan the file. No! AVG insists the file is clean. OK, to the USB drive for MalwareBytes. Sure enough, it flags the file as a password stealer. Strike 2 for trusting AVG (signature-based detection).
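The two checks in the walk-through above (a browser holding a connection to a port it has no business using, and a look-alike filename sitting in an autostart location) are mechanical enough to script. The block below is an added example, not code from the original post or from the Sysinternals tools. The connection and autorun records in it are constructed to mirror the case described, not exports from TCPView or Autoruns, and the expected-port and system-binary tables are assumptions for a default Windows install; it also goes one step beyond the post by catching a genuine system-binary name in the wrong directory, the other common disguise.

```python
"""Triage heuristics for TCPView-style connection records and Autoruns-style
autostart entries.  Added example; sample data below is constructed."""
from dataclasses import dataclass
import ntpath

# Assumption: ports a browser is expected to talk to.  Anything else gets flagged
# for a look, which is a prompt for the analyst rather than a verdict.
BROWSER_PROCESSES = {"firefox.exe", "iexplore.exe", "chrome.exe"}
EXPECTED_BROWSER_PORTS = {80, 443}

# Assumption: Windows binaries whose names malware likes to imitate, and the
# directory the genuine copy lives in on a default install (lower-case).
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass(frozen=True)
class Connection:
    """One row as TCPView would show it: owning process, PID, remote endpoint, state."""
    process: str
    pid: int
    remote_host: str
    remote_port: int
    state: str


@dataclass(frozen=True)
class AutorunEntry:
    """One autostart entry: where it is registered and the image it launches."""
    location: str
    image_path: str


def suspicious_connections(conns):
    """Browser processes with established connections to ports a browser should not need."""
    return [
        c for c in conns
        if c.process.lower() in BROWSER_PROCESSES
        and c.state == "ESTABLISHED"
        and c.remote_port not in EXPECTED_BROWSER_PORTS
    ]


def edit_distance(a, b):
    """Levenshtein distance between two strings (one-character substitutions,
    insertions and deletions each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_autoruns(entries, max_distance=2):
    """Flag (entry, reason) pairs: a genuine system-binary name outside its home
    directory, or a filename within max_distance edits of a system-binary name
    (scchost.exe vs svchost.exe).  Genuine names are never compared against each
    other, so lsass.exe is not reported as a look-alike of csrss.exe."""
    findings = []
    for e in entries:
        directory, name = ntpath.split(e.image_path.lower())
        if name in SYSTEM_BINARIES:
            if directory != SYSTEM_BINARIES[name]:
                findings.append((e, f"{name} outside {SYSTEM_BINARIES[name]}"))
            continue
        for legit in SYSTEM_BINARIES:
            if edit_distance(name, legit) <= max_distance:
                findings.append((e, f"look-alike of {legit}"))
    return findings


# Constructed sample data (RFC 5737 test addresses, not the host from the post).
SAMPLE_CONNECTIONS = [
    Connection("firefox.exe", 1844, "203.0.113.7", 443, "ESTABLISHED"),
    Connection("firefox.exe", 1844, "203.0.113.42", 95, "ESTABLISHED"),
    Connection("svchost.exe", 1012, "0.0.0.0", 0, "LISTENING"),
]
SAMPLE_AUTORUNS = [
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                 r"C:\Windows\system32\scchost.exe"),
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                 r"C:\Program Files\AVG\avgtray.exe"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                 r"C:\Users\Public\svchost.exe"),
]

if __name__ == "__main__":
    for c in suspicious_connections(SAMPLE_CONNECTIONS):
        print(f"[net] {c.process} (pid {c.pid}) -> {c.remote_host}:{c.remote_port}")
    for entry, reason in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"[autorun] {entry.image_path}: {reason}  ({entry.location})")
```

The edit-distance threshold of 2 catches a swapped, dropped or substituted letter (scchost, svchosts, svch0st) while staying short of matching unrelated short names; raise it only if you also widen the list of names it is compared against, or the false positives climb quickly.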


MalwareBytes detected and removed the password stealer. I then booted the KAV rescue disk to scan the system, and everything came back clean. In the end I convinced the user to let me perform a clean install, and even taught this user how to use Firefox properly (with NoScript), reminding them that the software firewall is only as good as the user and that the antivirus program is only as good as its definitions.

TCPView provided the information needed to see that something on this machine had an unauthorized connection to a server in the UK. AutoRuns showed us the malicious file loading with Windows. The actual detection and removal is up to you and your utilities, but TCPView and AutoRuns gave you the heads-up. On the flip side, the backdoor had successfully executed and called home from the system. Being a password stealer, whatever information it was programmed to gather, it had already gathered.

I call this one a DRAW. Why? Because a backdoor is designed to go unnoticed and AVG let it do just that, but with a few basic programs you can see that your system is not performing normally. Also, after detecting the backdoor I installed it on a virtual machine, and after about 18 hours of leaving it alone it downloaded a new executable and maintained a connection to the remote host. This shows that we caught it early enough on the user’s computer to detect and remove it before it phoned home for the latest instructions.

Malwarebytes – Bites Malware Back!

Filed under Downloads, Security Programs

Let’s face it! The same tools you used to remove malware/spyware/adware in 2006 are out of date and completely ineffective in battling malware/spyware/adware that actually has a purpose. That’s right, I said it: Ad-Aware and Spybot Search and Destroy are no more than basic registry and cache cleaners. These days that can be accomplished with a simple application called CCleaner.

So you ask, “Oh sweet nectar! What can I do to protect myself?” Well, rather than going on and on with a list of tools longer than your to-do list around the house, I’ll simply list one new one for you to add to your collection.

Malwarebytes’ Anti-Malware. This bad boy you should have already been using for some time now, so if that’s not the case, START NOW! It’s free, or for $24.95 you get scheduled scanning, automatic updates and real-time protection. If you keep a tidy system, stay on top of your computer cleansing and play nice around the web, the free version will do just fine. However, if you’re a click-happy user who clicks on any link sent to you, please do yourself and anyone else who uses your high-risk computer a favor and purchase the full version.

Malwarebytes Free Version:

Malwarebytes Full Version:

Note: I’ll be adding this program to my future post, “Your Computer: A Fresh Start”. This will be a complete guide from a clean install through securing your Windows desktop as completely as you can.