every internet connection downloads a trojan

cubby1223

Lifer
May 24, 2004
Working on someone else's computer, every time any program connects to the internet, something tries to download a trojan, named "HTML/framer" by AVG, called other things by others. I've scanned with AVG, Kaspersky, Superantispyware, HijackThis, Combofix; none of them find anything unusual. Windows Firewall blocks nothing, nor does Zone Alarm tell what's trying to download the file. Removing all BHOs, toolbars, plug-ins, etc. from Internet Explorer does not help. Resetting IP & Winsock configurations does not help.

Best I can tell, it's downloading the trojan from some random poor soul also with an infected machine. So Google searches are worthless to focus on what's being downloaded.

Heck, even from the start menu selecting "search" will cause the machine to go out and download the trojan (which AVG then blocks). It's not just Internet Explorer, but pretty much every software that connects out to the internet.

The only other symptom I've found is that the Linksys router was reprogrammed with static DNS entries (the standard 85.xxx.xxx.xxx). When I cleared that out, at least a few more things started working with the internet, but does not solve the big problem.



My best guess right now is to backup the drive, run a repair install of Windows. Who knows what will happen, but so far all software utilities have failed.
 

MustISO

Lifer
Oct 9, 1999
Have you checked the HOSTS file to see what's in there? Have you done these scans in safe mode?
 

cubby1223

Lifer
May 24, 2004
Yes and yes. Redoing a virus scan right now with the drive connected as slave to a clean computer. I know all the general procedures to find infections, I gotta find something specific.
 

cubby1223

Lifer
May 24, 2004
Well, computer hooked up to a different network, doesn't download trojans anymore. I guess on Monday I'm resetting the router, or replacing it? Then search all computers trying to find out what happened? And why no other computer exhibits the same behavior, they all have the same anti-virus software. Doesn't sound like fun.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: cubby1223
Well, computer hooked up to a different network, doesn't download trojans anymore. I guess on Monday I'm resetting the router, or replacing it? Then search all computers trying to find out what happened? And why no other computer exhibits the same behavior, they all have the same anti-virus software. Doesn't sound like fun.

I wonder if another computer on the network is infected with malware that injects malicious code into network packets on-the-fly. To give a couple concrete examples as described by Symantec:

Trojan.Arposon

Trojan.Arpiframe


Couple more reasons to use a non-Admin account for daily-driver stuff, I guess. If there's a wireless access point, make sure it's secure so outsiders can't sneak onto the network with their infected computers.
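The on-the-fly packet injection mechBgon describes works by poisoning the ARP caches of the other hosts on the LAN so that their traffic to the gateway passes through the infected machine. The quickest check for that from any Windows box in the office is the `arp -a` table: a single unicast MAC claiming several IPs (typically the gateway's IP plus the attacker's own), or the gateway's IP suddenly resolving to a different MAC than it did on a known-clean day. The script below is an added example, not code from the thread or from Symantec; the `arp -a` text it parses is constructed, and the "expected gateway MAC" it compares against is a hypothetical baseline you would have recorded earlier.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real
# machine). The gateway (192.168.1.1) and another host (192.168.1.23) answer
# with the same MAC, which is what an ARP-poisoning box on the LAN produces.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-14-bf-aa-bb-cc     dynamic
  192.168.1.23          00-14-bf-aa-bb-cc     dynamic
  192.168.1.42          00-1b-2c-3d-4e-5f     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP table row: dotted-quad IP, MAC with '-' or ':' separators, type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Parse `arp -a` text into a list of (ip, mac, type). MACs are normalised
    to lowercase with '-' separators so output from different tools compares."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            mac = m.group(2).lower().replace(":", "-")
            rows.append((m.group(1), mac, m.group(3).lower()))
    return rows


def is_group_address(ip, mac):
    """Broadcast and multicast entries legitimately map many IPs to one MAC."""
    return mac == "ff-ff-ff-ff-ff-ff" or ipaddress.ip_address(ip).is_multicast


def find_arp_anomalies(rows, gateway_ip, expected_gateway_mac=None):
    """Return a list of (kind, mac, ips) findings.

    "duplicate_mac": one unicast MAC claims several IPs (the attacker is
    answering ARP for the gateway as well as for itself).
    "gateway_mac_changed": the gateway IP resolves to a MAC other than the
    one recorded from a known-clean baseline (hypothetical value supplied
    by the caller).
    """
    findings = []
    by_mac = defaultdict(list)
    for ip, mac, _ in rows:
        if not is_group_address(ip, mac):
            by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, sorted(ips)))
    if expected_gateway_mac:
        want = expected_gateway_mac.lower().replace(":", "-")
        for ip, mac, _ in rows:
            if ip == gateway_ip and mac != want:
                findings.append(("gateway_mac_changed", mac, [ip]))
    return findings


if __name__ == "__main__":
    rows = parse_arp(SAMPLE_ARP)
    # Baseline MAC below is made up; record the real one from a clean day.
    for kind, mac, ips in find_arp_anomalies(rows, "192.168.1.1", "00-14-bf-11-22-33"):
        print(f"{kind}: {mac} -> {', '.join(ips)}")
```

Run it against real output with `arp -a > arp.txt` on a couple of machines while the symptom is happening; the MAC that shows up under more than one IP is the box to pull off the network first. A duplicate on its own is not proof (some NAT and failover setups are legitimate), but combined with the "every connection fetches the same trojan" symptom it is the first thing to look at.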

 

Medea

Golden Member
Dec 5, 2000
Originally posted by: cubby1223
The only other symptom I've found is that the Linksys router was reprogrammed with static DNS entries (the standard 85.xxx.xxx.xxx). When I cleared that out, at least a few more things started working with the internet, but does not solve the big problem.

Edited

Just read about this, so forget my earlier post.

You've got a brand new nasty there. AFAIK, you get infected with this if you have a Linksys router with upnp turned on and get hit by an exploit.

Two ways to fix it are to hard reset the router (use the magic button on the back), or to log into it and remove the DNS servers from the list. Apparently, all you have to do to prevent this is to turn upnp off because it appears that the exploit will pass right through passwords and other router security since all it needs is upnp turned on to gain direct access.
 

cubby1223

Lifer
May 24, 2004
Originally posted by: Medea
Apparently, all you have to do to prevent this is to turn upnp off because it appears that the exploit will pass right through passwords and other router security since all it needs is upnp turned on to gain direct access.

Do you know if Linksys routers can be exploited from the outside? In other words, should I be scrambling around turning off UPnP on every Linksys router I've given to someone?
 

Medea

Golden Member
Dec 5, 2000
Originally posted by: cubby1223
In other words, should I be scrambling around turning off UPnP on every Linksys router I've given to someone?

As it stands now, on Linksys routers, to avoid the exploit, set UPnP to 'DISABLED'.

Even though you only posted '85' as part of the DNS entry that you cleared out, I'd bet money that the second set of numbers was 255, i.e., '85.255.xxx.xxx', which are InHoster servers. Wareout, which is a DNS hacker/changer infection, uses these servers. They will show in an HJT log if there's a Wareout infection. This exploit of the Linksys routers, however, will NOT show in an HJT log because of the way Windows works with DNS servers from the routers.

As a side note, it's my understanding that, if you hook an XBox up to a Linksys router, you have to shut it off anyway, so that's a chunk that's taken care of.
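Medea's point about why HijackThis stays clean is worth making concrete: on a DHCP client, the resolvers come from the router's lease, not from anything in the registry that HJT inspects, so the only place they are visible on the client is `ipconfig /all`. The script below is an added example, not part of the thread; it parses constructed `ipconfig /all` output, flags any resolver inside 85.255.0.0/16 (an assumption here: the thread only names the '85.255.' prefix, so the whole /16 is treated as suspect), and optionally flags anything that is not on a short allowlist of resolvers you actually expect the router to hand out.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from a DHCP client (not a real
# capture). The DNS servers arrive in the DHCP lease from the router, so
# nothing in the Windows registry or a HijackThis log would show them.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : OFFICE-PC

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.1
                                       85.255.112.2
   Lease Obtained. . . . . . . . . . : Monday, March 03, 2008 8:02:11 AM
"""

# Range the thread associates with the rogue resolvers. Assumption: treat the
# whole 85.255.0.0/16 as suspect rather than only the two hosts in the sample.
SUSPECT_NETS = [ipaddress.ip_network("85.255.0.0/16")]

# "DNS Servers . . . : <first address>"; continuation lines carry one
# address each, deeply indented, with nothing else on the line.
DNS_HEADER = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S*)\s*$")
CONTINUATION = re.compile(r"^\s{8,}(\S+)\s*$")


def parse_dns_servers(text):
    """Return every DNS server address listed under every adapter, in order."""
    servers = []
    collecting = False
    for line in text.splitlines():
        m = DNS_HEADER.match(line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if collecting:
            c = CONTINUATION.match(line)
            if c:
                servers.append(c.group(1))
                continue
            collecting = False
    return servers


def flag_dns_servers(servers, suspect_nets=SUSPECT_NETS, expected=None):
    """Return (server, reason) for each resolver that falls in a suspect range
    or, when an allowlist of expected resolvers is given, is not on it."""
    flagged = []
    allow = {ipaddress.ip_address(a) for a in (expected or [])}
    for s in servers:
        try:
            addr = ipaddress.ip_address(s.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            flagged.append((s, "unparseable"))
            continue
        if any(addr in net for net in suspect_nets):
            flagged.append((s, "in known-rogue range"))
        elif allow and addr not in allow:
            flagged.append((s, "not an expected resolver"))
    return flagged


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print("resolvers from lease:", found)
    for server, reason in flag_dns_servers(found, expected=["192.168.1.1"]):
        print(f"FLAG {server}: {reason}")
```

Feed it `ipconfig /all > ipconfig.txt` from each machine. If a client is flagged, the fix is on the router, not the PC, exactly as the thread says: clear the static DNS entries or hard-reset the router, then `ipconfig /renew` on the clients and re-run the check to confirm the lease now carries the resolvers you expect.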

 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Originally posted by: cubby1223
Originally posted by: Medea
Apparently, all you have to do to prevent this is to turn upnp off because it appears that the exploit will pass right through passwords and other router security since all it needs is upnp turned on to gain direct access.

Do you know if Linksys routers can be exploited from the outside? In other words, should I be scrambling around turning off UPnP on every Linksys router I've given to someone?

There are a bunch of non-UPnP attacks that rely on the fact that most users do not change the admin name/password. These attacks reprogram (usually) the DNS on the router or open ports, but not via UPnP.
 

Medea

Golden Member
Dec 5, 2000
Well, since hardware is not my forte, I can only pass on what I just recently read from a very reputable source. This exploit is different from not having changed the pw. cubby1223's symptoms, especially the 'hacked to' DNS beginning with '85.', are signs of the newest exploit. I did some googling, and it looks like it may be another twist on a prior flaw.

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: bsobel
Originally posted by: cubby1223
Originally posted by: Medea
Apparently, all you have to do to prevent this is to turn upnp off because it appears that the exploit will pass right through passwords and other router security since all it needs is upnp turned on to gain direct access.

Do you know if Linksys routers can be exploited from the outside? In other words, should I be scrambling around turning off UPnP on every Linksys router I've given to someone?

There are a bunch of non-UPnP attacks that rely on the fact that most users do not change the admin name/password. These attacks reprogram (usually) the DNS on the router or open ports, but not via UPnP.


And from what I read, one method used is exploits built into maliciously-constructed banner advertisements slipped into rotation on popular websites, so it would be a good idea to check all computers to see if they need updates for stuff like Adobe Reader, Flash Player, etc. The goal here would be to eliminate as many known vulnerabilities as practical. A couple easy methods:

Secunia Personal Software Inspector, free for home users

Secunia's online checkup, which AFAIK is free for home & commercial users

F-Secure's Health Check online checkup, which uses ActiveX so run it using Internet Explorer


Obviously, secure the router too. And if you are using non-Admin user accounts, and if your Windows version supports Software Restriction Policy, then using SRP should also arbitrarily stop the payload of even a successful exploit that's running with the user's privilege level.
 

cubby1223

Lifer
May 24, 2004
I really didn't find anything much today back at the office. I did a hard reset of the router. UPnP is disabled by default. Password is changed. Nothing anymore is pushing trojans onto the original computer in question. Ran quick scans & updated anti-virus software, Java, Flash on the 12 other computers. One computer had a dozen .dll files deleted out of the system32 directory. Combofix didn't identify why it was deleting them. I should have written down the names, but didn't; they were something along the lines of tmp_001.dll, tmp_002.dll...

I don't think I'll ever really know what happened. Router could have been reprogrammed a month ago for all I know. Or 6 months ago. New anti-virus definition updates could have caught the problem files along the way. Or the problem could have been from one of the laptops they no longer have in the office. Just have to wait and see if there are more symptoms or not.