Sign in with
Sign up | Sign in
Your question

Urgently! "Backdoor.PoisonIvy" How bad is it?

Last response: in Applications
Share
December 13, 2009 9:55:38 AM

Hello Everybody:

My "Malwarebytes' Anti Malware" Just finished doing it's scan and found two Trojans; "Trojan.Agent" and "Backdoor.PoisonIvy".

I read that the second one ("Backdoor.PoisonIvy") can cause real damage to the user by stealing his passwords (functioning like a key logger) and to even record the user's activities in the computer.

Is it really that bad? Do I have to format my whole system because of it? Can I know how inserted this Trojan to the computer or via which program it got in?

Is the first one that I mentioned "Trojan.Agent" is also that dangerous?

I appreciate will help.

Thank you.
a b 8 Security
December 15, 2009 7:58:24 PM

don't reformat .if malwarebytes removed it you'll be fine!
m
0
l
December 16, 2009 7:11:01 PM

Are you sure? I read that once this malware got inside the computer, even if deleted, the system is not safe any more.

I wanted to check if it's true and any one has any thing else to say about it.

About the other malware "Trojan.Agent", what about it?

Thank you.
m
0
l
Related resources
December 17, 2009 6:58:18 PM

As Area51 said, i wouldnt worry that much if your Antivirus already deleted those malwares. But to be sure run a full scan again and try with a free online scanner also such as kaspersky http://www.kaspersky.com/kos/eng/partner/default/pages/... - dont worry, it's a completely safe and reliable virus scanner.

If kaspersky or whatever you are gonna use finds those malware again then i would definitely consider reformat if nothing worked..
m
0
l
December 17, 2009 8:13:27 PM

Alright, I'll try it.

Thank you.
m
0
l
a b 8 Security
December 18, 2009 12:35:15 AM

I personally use and recommend a combination of Malwarebytes and Avira. Malwarebytes is very good at removing malware, and Avira is a high quality live updating AV. Both programs are completely free.

If they've removed your infections, and both programs show your system clean, you're fine.
m
0
l
December 18, 2009 1:31:03 PM

I've never trusted backdoor infections.

Their primary function is to basically allow untethered access to a PC by an unwelcome entity.

While they are present it is their purpose that is the worry. Most are designed as a gateway to the host PC via the web for automated malicious downloads / activity and / or to include it in a botnet.

For antimalware applications this is fine, they will detect these changes / configurations and remedy.

The worrying part is that while a backdoor infection is present, this allows the attacker to change any or all security settings. They don't have to be OS specific, they can also target third party applications too. Changes to security settings aren't flagged by security apps as they appear to be user specific settings, e.g. allowing trusted zones (malicious or otherwise), reconfiguring DNS settings, installing custom rootkits. The list goes on.

By the time they are discovered there is no telling how much damage / reconfiguring is done.

While antimalware apps may remove all suspicious files (this is what they look at), they will often overlook security weaknesses.

The attacker has logged the IP address, and likely left holes in the system to recover control.

The delivery method of backdoor malware (most malware) is mostly automated, meaning they target weak or unpatched systems. Very rarely is it specific to one PC (as a hacker would do), which means that unless directly targeted removal of the malware will be enough. The problem is knowing the difference.

I always recommend an operating reinstall in the case of backdoor infections... actually I would be paranoid enough to request an external / public ip address change from my ISP too.
m
0
l
December 26, 2009 8:27:42 PM

btk1w1 Thank you for your detailed reply, and I'm sorry for replying only now.

I want to ask you to be, if you can, more specific about a few thing that you mentioned in your reply:

1) What does it mean reconfiguring DNS settings?

2) How can I Trace the attacker if left his IP, and made holes? (Of course, if possible).

3) On one hand, you say, that by removing the malware it's alright. On the other hand, you say that you would reformat the whole system.

4) How can I know (If possible) if the backdoor delivery system was automated, or by a specific person?

5) What does an external / Public Ip address mean?

(Sorry if some of the questions are stupid, but please try answering them all).

Thank you.
m
0
l
December 27, 2009 10:36:23 AM

Hi l_r_c_t

None of your questions are stupid, all quite valid actually, I will be happy to clarify as much as I can.

Quote:
1) What does it mean reconfiguring DNS settings?


When discussing malware, reconfiguring DNS settings occur by a DNS hijack. If you Google "DNS hijack" you will see many threads that will enlighten you. I will give you my take on it, but it will be put to you in laymens terms, I hope you don't mind.

DNS is an acronym for "Domain Name Server". The domain name is what you type into the browser address bar... e.g. www.google.com. This is translated into an IP address which is a set of numbers... e.g. 209.85.229.99

So basically DNS resolving is like translating from one language to another. Words to numbers.

A hijack occurs when you type into the address bar the site you would like to visit, and your DNS resolver has been told to send you to a different IP address, another site. (Google "phishing")

Quote:
2) How can I Trace the attacker if left his IP, and made holes? (Of course, if possible).


I'm afraid that to track an attack of this kind would be near impossible. If they were easy to find law enforcement would be knocking on their door. They employ methods to disguise and hide themselves from detection.

To discover what weaknesses they may have left is equally difficult to tell. You see, security updates and patches are usually responsive to their already compromised operating systems. If you can imagine a dog chasing it's tail, well thats what it is like. Programmers find or create holes, they patch them.

You can run online security tests such as GRC's online security check (which is very good in my opinion), but there are so many vulnerabilities that can be exploited that it would be near impossible to detect them all.

Quote:
3) On one hand, you say, that by removing the malware it's alright. On the other hand, you say that you would reformat the whole system.


By this I meant there's no way of telling how you became infected.

If you were a target, specifically to your external IP address (unique to you) by an individual, your PC would be at very great risk, even if you remove all of the malicious programming. Even with a complete OS reinstall you are still at risk because your IP address would be known. An attacker with this capability would easily be able to exploit your system again simply by knowing your external IP address. This is why I said a requested IP address change is good. Mine isn't static (which means it should change often) but it hasn't changed in 2 years.

On the other hand if you are a victim of a drive-by backdoor install, you are probably safe with just the OS reinstall as all your security settings are re-applied with the new OS and providing all patching (updating) is done you should be safe.

Quote:
4) How can I know (If possible) if the backdoor delivery system was automated, or by a specific person?


There's really no way of knowing. The only real way is if you noticed a sudden change after a specific action. Bad website you were wary of, chatting to a stranger. If your PC become sluggish or non-responsive after doing something different (like letting somone use it or visiting a site out of the norm). If you have monitoring utilities such as WinPatrol you might get a few clues. But it is the nature of the beast to attempt to remain hidden and beyond suspicion.

Quote:
5) What does an external / Public Ip address mean?


Basically an external / public IP address is how the world contacts you. It is like a road map to your front door the world has access to. It is unique to your internet connection. No one else has the same address.


I hope this makes sense for you.
The other is an internal IP address. This is the IP address that defines your PC inside your home or intranet environment. It is only unique to your device from within the home network.

It is like you are in a suburb in a city. There is only one Smith St. In the world there are countless Smith Streets. Your internal / private IP address is easily resolved as you are the only one on your internal network. But to define your public IP address you are give one unique to you so no one else gets your mail.
m
0
l
December 30, 2009 6:04:46 PM

Hello btk1w1 again, and thank you for answering.

Quote:
There's really no way of knowing. The only real way is if you noticed a sudden change after a specific action. Bad website you were wary of, chatting to a stranger. If your PC become sluggish or non-responsive after doing something different (like letting somone use it or visiting a site out of the norm). If you have monitoring utilities such as WinPatrol you might get a few clues. But it is the nature of the beast to attempt to remain hidden and beyond suspicion.


I really didn't notice any sudden change, and I can't remember any specific action / program execution / website visit that may had caused it.

As a continuation to your explanation, I've got some more questions, (hopefully won't bother you):

Quote:
A hijack occurs when you type into the address bar the site you would like to visit, and your DNS resolver has been told to send you to a different IP address, another site. (Google "phishing" )


1) What did you mean when you wrote "Google "phishing""? Is it possible, that I got to websites, which their URL was correct (after checking) and it wasn't them for real?

Quote:
If you were a target, specifically to your external IP address (unique to you) by an individual, your PC would be at very great risk, even if you remove all of the malicious programming. Even with a complete OS reinstall you are still at risk because your IP address would be known. An attacker with this capability would easily be able to exploit your system again simply by knowing your external IP address. This is why I said a requested IP address change is good. Mine isn't static (which means it should change often) but it hasn't changed in 2 years.


2) Would changing the external IP address be enough? (Done by the ISP, right?)

3) Can another computer within the domestic network (connected via a wireless network card) can be hijacked now? in result of my computer's hijack.

4) The wireless network card (connected to another computer in the domestic network) blinks without anything being done in the computer; can it be something that I should be worried about?

Thank you again, and I hope that you are not tired of it already.
m
0
l
!