Locking Down Windows 7 Home Premium

Status
Not open for further replies.

junction51

Distinguished
Jan 3, 2012
I am on a large LAN that I absolutely cannot disconnect from. I am using Windows 7 Home Premium with the latest updates. I use Comodo Internet Security (AV and firewall). Here is the problem: I am being hacked from the LAN level. What can I do to lock down my OS and minimize my attack surface?

My Macbook doesn't succumb to this, but my fully updated Windows 7 PC gets hacked relatively easily from other users on the same LAN. I am experiencing remote code execution (IE9), unattended installs and system wide changes.

What can I do to minimize my attack surface?
 

-scarlet-

Distinguished
Jan 12, 2012


I have been experiencing something very similar. I haven't solved it yet, but I've narrowed it down with a lot of research. Most likely scenarios are a netbot or something screwy in Microsoft's registration files.

Most frustrating is that it is recurring and survived two clean installs. I even bought a new computer (another Win7 Home Premium). I plugged it in and connected to the internet and eventually the configuration and behavior started again -- but before I entered any personal info. That was a big clue. It seems somehow tied to my internet access/ISP/IP address? (My other computer was turned off to ensure it wasn't "talking" to the new computer).

It's helped to get insight into its activity, and separate out what's normal Win7 and what's malicious. Definitely malicious are the code injections. It injected all of my common apps, including Office and my virus protection. On my last computer I had Norton 360, and the next computer had Comodo. Both were taken over, but you wouldn't know unless you knew what to look for. As they were running, they were ultimately acting as agents while pretending to protect my computer.

Here are some of the best tools I've found, and would love suggestions if you know any:

The Sysinternals suite of tools are excellent (free on Microsoft's website), and they released a manual/book that I highly recommend (I got the Kindle version at Amazon). The book tells how to use the tools to track down malware, and it's in a quick-reference format.

So many great tools among them, but the bread and butter for me are Process Explorer and Process Monitor. One brief example: Run Process Monitor, then download an app such as HijackThis (from a reputable site) and install it. Then go back through Process Monitor's log and look at what happened to the file. Then launch Process Explorer and the app you just installed. Give it a little time to get active. Then double-click the app in Process Explorer and look through all the dialogs to see what attached itself and what the app is really doing. Launch TCPView to monitor the network traffic. I was disturbed to find that my *system* files were all set up to open ports and initiate connections.

Another excellent free utility (available on cnet.com) is SIW.exe. It showed I was running "Terminal Services with remote admin mode." I later found by launching Computer Management (a Win7 admin tool) and going to Shared Folders > Shares that it designates Remote Admin and Remote IPC. It's so frustrating... I'm a basic home user... why is my computer set up with this complicated configuration???

I found a lot of debris in logs and temp files and such. Set your indexing rules to index everything, including content, in all files including system files, etc. Then search on things like "terminal" (which catches terminal server and terminal services) and "manifest" (which catches many altered files and apps). Put spaces between letters to catch entries embedded in code (e.g. "p r i v a t e" catches some private builds). Search "log" and "active setup" for installation roots. And so on. In the c:\Windows\Installers (or something like that) folder were a bunch of .tmp files that were suspicious. If you have that directory check out the files and see what you think.

One other item of note is how limited (and vulnerable) Home Premium is. There isn't access to viewing and administering Group Policy and that's how a lot of this is controlled. I upgraded one computer to Win7Pro. It didn't solve the problem, but it gave me a lot more access to see what was happening. It was also curious that I had features activated in Home Premium that aren't even supposed to be available with that edition (enterprise services, "terminal services," etc.).

The last thing I'll mention is the Active Setup. I think it was in the registry that I found the list of components that were managed like the unattended installs you mentioned. I traced a lot of this back to Windows updates configured with Windows Live. That's what makes me think it's a MS registration thing -- this configuration seems to be originating at MS. It's like their registration db thinks I have a different version so it's installing the wrong files. However, talking with MS tech support, they said that what gets installed is determined from my computer. The jury is still out on that one.

I could go on and on, but I'm not even sure if we are dealing with the same thing. I hope this helped. If you have any feedback or suggestions for me, I'd be all ears.
 
Solution
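The shares, Terminal Services mode, Active Setup components and listening ports that -scarlet- checked by hand can be listed from one read-only script. This is an added example, not code from the thread; it assumes the PowerShell 2.0 that ships with Windows 7 (so it uses WMI and netstat rather than the newer Get-SmbShare / Get-NetTCPConnection cmdlets) and an elevated prompt.

```powershell
# Added example, not from the thread: read-only audit of the items discussed above.
# Tested shape for Windows 7 / PowerShell 2.0; run elevated, it changes nothing.

# 1. Shares. ADMIN$, IPC$ and C$ are the "Remote Admin" / "Remote IPC" entries shown in
#    Computer Management; Win32_Share.Type has bit 0x80000000 set for administrative shares.
#    They are recreated at boot unless AutoShareWks (DWORD 0) is set under
#    HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
Write-Host "== Shares =="
Get-WmiObject Win32_Share | ForEach-Object {
    $kind = if ($_.Type -band 0x80000000) { "ADMIN" } else { "user" }
    "{0,-12} {1,-6} {2}" -f $_.Name, $kind, $_.Path
}

# 2. Terminal Services / Remote Desktop and Remote Assistance.
#    fDenyTSConnections = 1 means inbound RDP is refused; fAllowToGetHelp = 0 turns
#    Remote Assistance off. Home Premium cannot accept RDP, so a listening TermService
#    with fDenyTSConnections = 0 is worth a closer look.
Write-Host "== Terminal Services =="
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"fDenyTSConnections = $($ts.fDenyTSConnections)  (1 = remote connections denied)"
"TermService state  = $((Get-Service TermService).Status)"
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
"fAllowToGetHelp    = $($ra.fAllowToGetHelp)  (0 = Remote Assistance off)"

# 3. Active Setup. Each component's StubPath runs once per user at logon, which is the
#    unattended-install mechanism the thread mentions; review any StubPath you do not recognise.
Write-Host "== Active Setup components with a StubPath =="
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.StubPath } |
    ForEach-Object { "{0,-40} {1}" -f $_.PSChildName, $_.StubPath }

# 4. Listening TCP ports mapped to the owning process (the same view TCPView gives).
#    netstat columns after trimming: Proto, Local, Foreign, State, PID.
Write-Host "== Listening TCP ports =="
netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
    $f = ($_.ToString() -replace '^\s+', '') -split '\s+'
    $p = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
    "{0,-24} PID {1,-6} {2}" -f $f[1], $f[4], $p.Name
}
```

Run it once on a known-clean install and again later; diffing the two outputs shows exactly which shares, listeners or Active Setup entries appeared in between.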

A Bad Day

Distinguished
Nov 25, 2011


Where is the LAN at? At a university?
 