Where can I go to purposely infect a machine for testing? 1

[jbrackett]

I am setting up a test box for an eval of the network version of Pest Patrol and am looking to REALLY test the software. I have a test box that I want to load up with adware & spyware, but only by going to websites that our surf control box will allow. That excludes porn, mp3, and casino sites.

Am looking for suggestions of where I can visit to really load up on spyware/adware/hijackers.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[diogenes10]

I don't know but I think one thing I might try if I wanted to do that would be to go over the coolwebsearch domainname list and try going to 2 or 3 of the search sites and doing some clicking and setting up.

Another possibility:
Somebody maintains a rogue spyware listing. Try installing some of the "cleaners" and toolbars on that list.

I have no idea how kazaa works and whether it would get you in trouble with corporate policies, but doing something with kazaa might be another possibility.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[dyarwood]

Search for HOtBar. Nasty little thing as it puts itself in so many places on the machine.

 

[jbrackett]

Here's what I've done so far. Machine is actually an old rebuilt test server - 863 MHz processor, 512 MB RAM, running Server 2003. It has McAfee VScan Enterprise 7.0 managed through an ePO 3.0 agent. Up to date on Critical Updates, as well. Machine is freshly rebuilt from a newly formatted drive to eliminate any chance of old contamination.

Disabled ActiveX security settings in IE. Checked on Spybot S&D's restricted site list for some relatively innocuous sounding site names. Visited Gator.com & downloaded their free "software". Visited "0008k.com" (Boy was THAT one a mistake! Turned out to be an adult site. I'm sure I got red flagged in surf control on that one .) Visited "igetnet.com", 1800search.com", "accessthefuture.net", "ace-webmaster.com", "acemedic.com", and "hotbar.com". Clicked several search links on each site while watching my processes in taskmanager. Processor on the machine fluctuated between 2% and 100% during those visits.

Went to Pest Patrol test server & opened PPManagement Console, ran scan on the test machine & found 9 "pests", two of which were actually detections of UltraVNC, which I installed to run the test box remotely. The rest were nothing more than tracking cookies. Decided to leave the machine online overnight and checked it again this morning. Opened IE again & surfed to some of the same sites, clicking various links and bouncing around. Checked PP console and found several more cookies, of course, but nothing else.

Why is it our users have NO trouble completely hosing a pc accidentally, and I can't do it when I'm TRYING to?

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[vop]

A malware HOSTS file reads like a 'do not go to list - you will be sorry block list'. See link for resource tools and discussion:

http://www.bleepingcomputer.com/forums/tutorial51.html

Look through a malware HOSTS file for URL terms that appear in multiple variations (scumco[highlight].ad2.[/highlight]com, scumco[highlight].ad3.[/highlight]com, etc). These multiple variations (many times in the hundreds) most often all redirect to the same scumware site. Try surfing some of those sites. You just haven't managaed to pick any real bad sites yet. A malware HOSTS file may prove to be the rogues gallery that you are looking for.

Here's hoping that you achieve the bad luck that you are looking for!!

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

 

[jbrackett]

Thanks for the lead vop.

I've decided to start timestamping my posts here, to see how quickly/slowly an infection moves.

9:00 a.m.
Got a ticket re: a user who thought he had a virus. Kept receiving messages referencing "about four files, something about TVMedia."

Voila! I have a test subject for Pest Patrol.

Accessed user machine via Pest Patrol Management Console & scanned. Came back with 91 hits, including CWS, CleverIEHooker, Clearsearch, ISTBar, Clearsearch, Huntbar, and several other fun hijackers.

Scanned again using the "Delete" option, then ran another report. Every single item came back with either "Delete: Reboot Needed" or "Deletion Failed". Even Gator requires a reboot. <sigh> Called & left user a message to reboot, then call me. Will run new scan at that point.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[bankboysb]

Interesting. We are trying same thing. I have always been very wary of WAREZ sites. Might give them a try.

 

[amen1973]

If you want spyware, WAREZ sites are the place to be hehe. Most of them, on page load, try to download "software" onto your computer.

 

[jrbarnett]

I'd also try the EICAR antivirus test file (

http://www.eicar.org/anti_virus_test_file.htm).

Its not a real virus, but all good scanners will throw up an alert message if they detect it, just as if a real virus had been found.

John

 

[jbrackett]

Results so far . . . rewritten <sigh>
_______________________________________

Crap! Lost all my notes! Working on three projects, in addition to regular tickets and reports, and I guess this one got lost in the shuffle. Aarrgghhh!!!

All right, going by memory and printed reports, here’s as much as I can recall. Will list time stamps generated by Pest Patrol reports I ran.

Test 1 (BR1-DC-0001) – the machine I built out intending to intentionally infest with spyware and hijackers. As stated above, I’ve had trouble finding a site with which I can “catch” anything other than basic adware or tracking cookies.

Test 2 (HO-DT-0039) –
2004/09/17-08:53:29 - Shifted testing emphasis to the user machine that was mentioned in posting above. Once he called with confirmation that he had rebooted I ran another scan.
2004/09/17-10:34:25 - Went from 91 instances to approximately 50 and requested another reboot. Idiot that I am, I neglected to set an exception for our VNC program, so PP “cleaned” it from the machine.
2004/09/17-11:08:36 - Next scan brought the results down to approximately 20 “pests”.
2004/09/17-11:25:05 - Another reboot & clean brought it down to 2 pests.
2004/09/17-11:43:36 - Repeated further attempts did no good. The final 2 instances appear to be too tenacious for Pest Patrol. Still, I’d much rather clean 2 than 91.

Test 3 (HO-DT-0023) - Tried to run a remote scan on my own pc, but the remote agent will not load. Have not yet checked to see what it is that is keeping the agent from loading. I am running SBS&D Tea Timer, McAfee 7.0 Enterprise w/ ePO agent, and MS XP sp2, any one of which, or any combination of which could conceivably be blocking Pest Patrol’s remote agent.

Test 4 (HO-GMZ) – 2004/09/17-13:19:32 - Received call from another user that sounded like it might be spyware related. Ran PP Remote scan (without delete option set) on his machine. Detected 54 pests, mostly tracking cookies, but there was one instance of Virtual Bouncer, and the “PeopleOnPage” hijacker. Set exclusion for his version of VNC & ran again with the delete option set. Pest Patrol cleaned all without a reboot.

Test 5 (BR2-DT-0001) – 2004/09/17-14:10:57 - Called our IT guy at one of our branch locations & explained what I was doing. Asked if he had a machine that he wouldn’t mind my “experimenting” on. He laughed and suggested several. Ran remote scan on the first one he suggested & found 50 pests. Mostly tracking cookies, and nothing worse that “Virtual Bouncer” adware. Pest Patrol cleaned the machine without hesitation. No reboot needed.

Test 6 (BR2-DT-0002) –
2004/09/17-14:38:14 - Next machine he suggested was a bit more of a challenge. Initial scan detected 26 pests, including “TrojanDownloader.Win32.Agent.f” (a CWS agent).
2004/09/17-15:06:41 - Set proper exclusions and ran again with delete option. Report indicated that it successfully deleted all but three pests, and that it required a reboot for the last three.
2004/09/17-15:57:38 - Rebooted & ran another scan, which came back clean. I thought that was another successful test until the Branch IT staff called back & indicated that they still had an issue resetting the test user’s home page. Said it kept resetting to “about:blank” suggesting that CWS was still resident. Another PP Scan indicated that, as far as Pest Patrol is concerned, the machine is completely clean. To me, this is more serious than if it showed that there was still an infestation that it was unable to remove.

Test 7 (HO-DT-0036) – 2004/09/17-15:23:39 – Decided to show my boss what Pest Patrol was capable of doing. Ran a remote scan on his machine & found 62 pests including the “DataNotary” variant of CWS. Then ran the scan again with proper exclusions (after all, it IS my boss’s computer), and deleted all but 2 pests (reboot required for those two). Ran a report and took it to him. Reboot cleaned CWS.

Now of course, the question is whether or not it really DID clean CWS. Report shows it clean, but until I can actually hit the machine with HJT or a registry scan, there is going to be a question in my mind.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[jbrackett]

Whew! You guys weren't kidding about the WAREZ sites. Third one I tried wanted to load a special "downloader" tool. I ran it and my processes shot through the roof. Continued running for a few minutes and the machine prompted me to reboot. Rebooted and checked the system and there were my old buddies Wintools, DyFuCa, BlazeFind, and several others.

Let me point out that Pest Patrol's Active Protection was already enabled on the machine. This seems to indicate that a user's actions can override the Active Protection agent. Anyone else had any experience with this?

Went to the Management Console and forced a scan with the delete option selected. This cleaned all but one of the hijackers (ISTBar).

Repeated scans yield the same results. ISTBar is buried in the registry & Pest Patrol evidently cannot clean it. I don’t really understand this, as it tells me exactly where it is in the report. Anyone have any insight into this?

Ran HJT.

Logfile of HijackThis v1.97.7
Scan saved at 1:47:49 PM, on 9/20/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\ppRemoteService.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =

http://google/

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [rodarab] C:\WINDOWS\rodarab.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://public.windupdates.com/get_f...4424f05e9add:133fa6db93b1a3bc33dac6d5a5648475

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38190.3988425926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = edited.com
O17 - HKLM\Software\..\Telephony: DomainName = edited.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = edited.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = edited.com



As you can see there are still a few problems, especially the line:
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://public.windupdates.com/get_f...4424f05e9add:133fa6db93b1a3bc33dac6d5a5648475

From what I can see, this appears to be an actual Downloader Trojan. Am going to force VScan next. Will let you know what happens.

ITMT, anyone know what "rodarab.exe" or "syncroad.exe" are? I find business references to a company called SyncroAd, but that's about it. Any help there would be greatly appreciated.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[2ffat]

Gut feeling, SyncroAd == Adware!

We are also evalutating Pest-Patrol. I'm very suprised that it let you install all that junk with active protection enabled. That is one thing we haven't gotten to checking yet.

James P. Cottingham
-----------------------------------------
[sup]To determine how long it will take to write and debug a program, take your best estimate, multiply that by two, add one, and convert to the next higher units.[/sup]

 

[jbrackett]

2ffat,

It surprised me as well. I will give it props for getting rid of the majority of what I loaded, but it seems to me that the active protection should have stopped the installation in the first place. At the very least, I would have expected a warning dialog box.

As for SyncroAd, I had the same instinct. However, the ONLY references I can find to this name are legit. I find no negative hits at all.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[amen1973]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm

that is probably your downloader trojan
get reglite (registrar lite) and check
hklm\software\microsoft\windows NT\windows\appinit_Dll value
see if you see a DLL in its value and then see if that DLL is visible in the path where it says it is. Alot of the new hijackers like using ADS(Alternate Data Streams) and most of them add the value in this reg key. If it shows a DLL as the value .. run the Recovery Console and go to the directory it is pointing to. Attrib -r dll_name and then rename it to something else. Reboot your system and then delete the renamed file (it should not be invisible anymore). Run reglite and remove the value from the appinit_DLL key. Then run Hijack this and remove the R# entries.

 

[jbrackett]

amen1973,

At first I was also suspicious of that line. However, while I have been able to find several references to the line in various HJT logs, I have only found one instance where it was recommended that the line be removed, and even then it was with a comment something like, "not sure what this one is, but let's get rid of it anyway".

I am much more cautious in my approach and try to research each line until I have a good idea as to what it does. In this case, the only references that have any firm relevance are from Microsoft (

http://support.microsoft.com/default.aspx?kbid=323916)

which actually only refers to the "shdoclc.dll" part of the line. They say

Shdoclc.dll (the Shell Document Object and Control library) is a resource-only library that is used by Internet Explorer to store localized items such as menus, dialog boxes, and strings.

I realize that this isn't conclusive, and that even legitimate dll's can be misused, but at this time I have more evidence indicating that it is legit than not. Based on this information, I'm inclined to leave the line for now.

Don't get me wrong, I'm not trying to be a know it all (because I know I don't), but like I said before, I'm pretty cautious with this stuff. If anyone can tell me what this line is, and where they got the information, I would greatly appreciate it.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[jbrackett]

Regarding the final two pests (amazing how quickly I fall into Pest Patrol's terminology ) on Test 2 (HO-DT-0039):

I ran McAfee's VScan Enterprise (All Fixed Disks, All Running Processes, Scan within Zip, Full Heuristics, No Non-Virus Detection, Clean/Delete) in an attempt to detect the Downloader that was still resident. No luck.

On a hunch, I enabled the Non-Virus Detection and ran again with a Clean/Quarantine option. This time McAfee detected and quarantined three instances of "Downloader-KL", two instances of "Adware-180Solutions", and two instances of "Adware-DFC". After determining that there were no legitimate programs quarantined, I reran with the Clean/Delete option. McAfee deleted all infected files. Machine now shows 100% clean with Pest Patrol, McAfee, and HJT.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[2ffat]

BTW, have you tried their Tech Support? During your evaluation, it's free. I got a good response from them for XP SP2. I'f be interested to hear what they say about not removing the problem adware and the active protection not working.


James P. Cottingham
-----------------------------------------
[sup]To determine how long it will take to write and debug a program, take your best estimate, multiply that by two, add one, and convert to the next higher units.[/sup]

 

[jbrackett]

2ffat,

I was unaware that support was free during eval. I will definitely try that, since the sales rep at Computer Associates doesn't know anything about the product. Thanks for the heads up.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[Silmarillion]

jbrackett,

I have also been evaluating PestPatrol. I have used your approach and have been doing testing on machines internally that have already amanged to get infected with malware. A few questions:

Have you managed to figure out why the agent won't install on your PC? I also have this problem, but I am still going back and forth with tech support. They are a bit slow, generally two or three days for a response (which is frustrating on an ongoing issue, especially when you only have a 30 day eval. I know File and Print Sharing needs to be enabled, which is not as clearly stated in the manual as it could be. I am still trying to figure out how to enable this through group policy or SMS, if anyone has any ideas. Tech Support sent me an article on how to remove the client agent that wasn't on their knowledgebase (which seems a bit skimpy - about three page listings of articles in total), but it hasn't resolved the problem.

The first machine I tried it on had a home page hijacker called "iwantsearch" that PestPatrol didn't pick up. I e-mailed tech support about it, and they suggested submitting a report using their Digital Detective tool. When I tried that, their web site was GONE. I was a bit worried at this point, as it wasn't just down, but a Verisign page came up saying "Under Construction". I e-mailed them back, and apparently it was just part of the move to CA. CA still doesn't have the product listed as eTrust PestPatrol, but the pest research centre now resides on their site. I don't know if they have updated it to pick up that particular pest yet, as I had to clean it off manually. I also wound up with an "about:blank" redirect after I had cleaned the machine, and had to fix that manually. We force the home page internally to our intranet via group policy and then lock that setting down, so I am still not clear on whether PestPatrol can override that to remove a home page hijacker.

If anyone is interested, I can post my dialogue with their tech support. It is pretty long, but I asked some pretty pointed questions, so their responses were interesting.

BTW, CWShredder is a great point product for cleaning CoolWebSearch. It is built specifically for that purpose, and it small, quick, effective and free. I haven't had a chance to run it on a CWS infection after PestPatrol, but it would probably be worthwhile if you think there are still bits of CWS hanging around.

I also noticed that PestScan (their free on-line scanning tool) picked up a couple of things that the Corporate Edition did not, so that is probably another test worth doing when evaluating the product. It is also worth running after Spybot S&D or AdAware, even if you are not considering PestPatrol - I was amazed at how much stuff Spybot missed (not just cookies, but executables, etc.). It gives you all the file and registry locations, so you can at least go and clean the leftovers manually.

This is a great thread! I really appreciate the information from testing, etc. Will be interested to see if anyone chooses to use PestPatrol. Have also seen a few posts about McAfee v8.0i - I will probably look at that as well.

 

[jbrackett]

Silmarillion,

I honestly was thinking that I might be taking too much room on this thread, or that there might not be anyone else interested in the results, so I haven't posted for a while.

Re: removing the agent - I was able to reinstall the next day. Simply removed the agent by highlighting my computer name in the management console, and clicked the "Remove" button. It took it right out. Gave it a little time, and went back to run another scan. Worked fine. Actually, it shook me up a bit, since I found that my pc was one that had a keylogger on it, and I run SBSD regularly. Also found keyloggers on several machines at one of my branch locations. That's what prompted me to post "Pest Patrol question re: Keylogger detections" (thread760-921779).

I have continued to take notes, but as they are pretty lengthy, I've refrained from posting any more here. Is anyone interested in seeing them? If so, I can post them Monday when I get back in. If not, I'll let the thread die with no hurt feelings.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]