
Thread: Possible hacking of Spybot's 21320 Port

  1. #11
    Junior Member (Join Date: Feb 2014, Posts: 11)

    Source of SpyBot Hack?

    A brief expansion/clarification. Previously the Event Log was showing entries where Symantec was preventing ransom malware pages from running. Symantec was reporting that the program these came from was SpyBot, and at the time I misinterpreted this as just a relay via SpyBot, but I now believe it was hijacked to open a proxy. Unfortunately, in the process of cleaning, the old Event Log was deleted.

    I have a backup with the relevant AppData (and other) directories including much/most of the Windows directory. If someone can provide me with information about where to look I can send the information; perhaps better not on this forum but offline. I would prefer to be able to use SpyBot but currently I no longer trust it to be safe.

    Quote Originally Posted by LDMarks:
    ESET Online reports no threats, which is what I expected and I believe I previously removed everything.


    The main point of my post in the first place was to inform whoever runs SpyBot that they have a vulnerability, and in fact SpyBot can be a source of malware and/or hide an open proxy.

  2. #12
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    I will try to contact administrators to see what we can do with this.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #13
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    After waiting days and no reply to a personal message, I did have a little feedback from a colleague:

    Since it appears to be a university or private LAN, they may be configured to use a proxy. As for the port, it is probably in a listening state, not connected out.
    If it's a private LAN at a college, then its IT people can tell the poster if a proxy setting is required.

    As for SpyBot
    The main point of my post in the first place was to inform whoever runs SpyBot that they have a vulnerability, and in fact SpyBot can be a source of malware and/or hide an open proxy.
    I have no information I can add to this.

  4. #14
    Junior Member (Join Date: Feb 2014, Posts: 11)

    I was away on travel, so did not see this comment.

    Good try, but no, there was nothing related to the university or private LAN. It was a hack of SpyBot's proxy setup, exploiting it for other purposes; I am 99.99% confident. As I said before, the fact that the port had been reconfigured to act as an open HTTP proxy only showed up when SpyBot was uninstalled; otherwise it was hidden.

    I would bet that there are a decent (large?) number of machines out there running SpyBot which have also been hijacked in the same way.


  5. #15
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    the fact that the port had been reconfigured to act as an open http proxy only showed up when SpyBot was uninstalled, otherwise it was hidden.
    Reset the proxy settings and clear this out.

    1. Go to Control Panel > Internet Options > Connections > LAN Settings.
    2. Uncheck "Use a Proxy server for your LAN", and click the "OK" button.
    3. Restart Internet Explorer.

    3. Reset the IP/DNS settings of your internet connection:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under the General tab:
    • Select "Obtain an IP address automatically".
    • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot if you had to change any setting.

    4. Flush the DNS cache:
    • Click the Start logo in the bottom left corner of the screen
    • Click on Run or press Windows Logo+R
    • In the command window copy/paste the following (one at a time):

      Code:
      ipconfig /flushdns
      
      netsh winsock reset
    • Then hit enter.
    • Exit the command window.

    5. Reconnect: Once you have followed all the above steps, you can reconnect your computer to the internet.
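
A way to verify the state of the port and the proxy settings before and after the steps above, written here as an added example (it is not the poster's, Juliet's or Spybot's own code). It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated PowerShell prompt; port 21320 is the one named in this thread.

```powershell
# Added example (not from the thread): inspect Spybot's port 21320 and the
# proxy configuration that Internet Options > LAN Settings edits.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an
# elevated PowerShell prompt so that process paths resolve for every process.
$Port = 21320

# 1. Is anything listening on the port, and which process owns it?
#    A listener bound to 0.0.0.0 or :: is reachable from the network;
#    127.0.0.1 / ::1 is reachable only from this machine.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($conn in $listeners) {
        $proc  = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $scope = if ($conn.LocalAddress -in '0.0.0.0', '::') { 'NETWORK-REACHABLE' } else { 'local only' }
        '{0}:{1} LISTEN ({2}) pid={3} name={4} path={5}' -f $conn.LocalAddress, $conn.LocalPort,
            $scope, $conn.OwningProcess, $proc.ProcessName, $proc.Path
    }
} else {
    "Nothing is listening on TCP port $Port"
}

# 2. Live connections on the port: traffic being relayed through a proxy shows up here.
Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

# 3. Per-user WinINET values behind the "Use a proxy server for your LAN" checkbox.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable      # 1 = checkbox ticked
    ProxyServer   = $inet.ProxyServer      # host:port in use when enabled
    AutoConfigURL = $inet.AutoConfigURL    # PAC script URL, if any
    ProxyOverride = $inet.ProxyOverride    # bypass list
}

# 4. Machine-wide WinHTTP proxy and the Winsock catalog, neither of which
#    Internet Options shows; the thread's "netsh winsock reset" rebuilds the latter.
netsh winhttp show proxy
netsh winsock show catalog
```

Run it once before the steps and once after; a listener that survives the proxy reset, or a ProxyEnable of 1 that reappears, is what to record and report.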

  6. #16
    Junior Member (Join Date: Feb 2014, Posts: 11)

    The proxy is gone, removed some time ago. Sorry, but you are missing the point.

    When Spybot was hacked, none of what you suggested in your latest post had any effect on the proxy; it was hidden, and changing the LAN settings did nothing, at least with what I tried then (a month or so ago). It was only after I uninstalled Spybot that the presence of the HTTP proxy showed up.

    At the time, Symantec was reporting/blocking ransom attacks (in the Windows Event log) as coming from Spybot, which I misinterpreted at that time. In hindsight Symantec was correct: the port Spybot uses had been hacked. My conclusion is that there is an intrinsic vulnerability in Spybot which someone needs to pay some attention to. As I said before, I have a backup where I can look to see whether the vulnerability occurs via the Spybot configuration files or somewhere else, if someone can suggest where to look.

  7. #17
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    I believe I was missing the point, and I do understand now a little bit better.
    When it sank in, my first thought was 'wowssa!', that's the first I've heard of anything like this.

    I did find through researching that a few other tools/scanners and programs at times did use that same port but, not many.

    I am glad you found this and I have sent a message, a while back, to one of the administrators here at SaferNetworking explaining there did appear to be a vulnerability in a port Spybot created and uses.

    It appears I took you for a ride in malware removal trying to find an answer. I apologize, but this is what I've trained and schooled for, so that was where my mindset was and the reason for my responses.

    Let me ask you a question:
    When you uninstalled SpyBot, is it possible it left some benign entries behind, such as ones that might have had an influence in updating the program? I have a feeling you're going to say no, but I felt compelled and curious and just thought I'd ask.

    I know I don't have the right answer. I wish I did, because I do know the students I have under training right now, who follow me and the logs I work, will probably be surprised I admitted to not having a solution here.

    Be assured, if I receive any notification back for the message I've sent I will be happy to pass them to you.

    May we now proceed to remove tools/quarantine folders and view my preventive tips?

  8. #18
    Junior Member (Join Date: Feb 2014, Posts: 11)

    No problem. I did the checks that you suggested before, and I am OK that I did, to make sure. It was also a good learning experience for me, and I now have my students using some of the tools to double-check my group's computers/LAN. (I know some of my PhD students have more malware on their computers; it can be almost unavoidable in a university setting with shared data, which is another issue.)

    Concerning any benign entries left behind when I uninstalled Spybot, no idea. It did leave a protected hosts file, but some of the other tools decided to remove it.

    With reservations, let's go ahead with your other suggestions. I might not do everything; for instance, I need to add back a few aliases into the hosts file for my Linux nodes, and UAC drives me nuts.

  9. #19
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    students have more malware on their computers, it can be almost unavoidable in a University setting with shared data -- another issue.)
    This is not surprising. We do a lot of work on college computers.

    If you feel you might have malware issues we'll continue with tools to find it, but I have a gut feeling your machine is probably clean.

    Let's take steps to remove what we've already done and I'll post preventive tips you can share later with your students.

    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

    Run FRST/FRST64 and press the Fix button just once and wait.
    No need to post the log this time.

    start
    DeleteQuarantine:
    end
    ~~~~~~~~~~~~~~

    Please take the time to read over a few of my preventive tips.

    Computer Security
    http://malwareremoval.com/forum/view...557960#p557960
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Be prepared for CryptoLocker:

    Cryptolocker Ransomware: What You Need To Know

    CryptoLocker Ransomware Information Guide and FAQ

    To help protect your computer in the future, I recommend that you get the following free programmes:

    CryptoPrevent: install this programme to lock down and prevent crypto ransomware.



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

    AdblockPlus
    • AdblockPlus, Surf the web without annoying ads!
    • Blocks banners, pop-ups and video ads - even on Facebook and YouTube
    • Protects your online privacy
    • Two-click installation, It's free!
    • Click the icon that corresponds to your browser and download.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    WOT (Web of Trust) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites: green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an add-on available for both Firefox and IE.

    Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  10. #20
    Junior Member (Join Date: Feb 2014, Posts: 11)

    Thanks, done.

    N.B., in the context of scientific data sharing there are some potential horrors looming, beyond college computers, where the issues (with undergraduates) are obvious.
