Re: Spyware going thru firewall

From: qqqqqqqqqq (sfdASF@dfgagf)
Date: 06/30/02


From: "qqqqqqqqqq" <sfdASF@dfgagf>
Date: Sat, 29 Jun 2002 16:58:14 -0700


"John Roth" <johnroth@ameritech.net> wrote in message
news:uhsepl5f6bn0c7@news.supernews.com...
|
| "qqqqqqqqqq" <sfdASF@dfgagf> wrote in message
| news:uhrqa3ape3egb9@corp.supernews.com...
| > I worked in a high tech company and network guys sent me to my home
| > address an email with a link to a trap web page which I opened (as I was
| > kind of naive, it said you have a postcard..). That thing installed
| > something on my PC, it seems some kind of virus or spyware that was
| > logging my internet profile (web sites + newsgroups visited) and
| > emailing it to them. That was claimed to be done "for security
| > reasons"....
| >
| > I was regularly using antiviral (Norton corporate version) and had a
| > firewall (Zone Alarm). I thought that is sufficient, but it seems it
| > was not.
| >
| > From conversations I figured out that they cooked something on their
| > own, like ActiveX or VBS, but I do not know what exactly. I could not
| > find it.
|
| If they cooked it up on their own, you're not going to find it with a
| commercial product (or even a free product.)
===yes, I know. Different digital signature.
|
| > What is puzzling me is that that thing was going thru the firewall - that
| > suggests that thing was not an independent process, but inside some other
| > process (?).
|
| Check your firewall's definitions. They may have added a process
| to the permitted processes. I'm not going to discuss the approaches
| I would take for this - there is no good reason to give people ideas.
====I haven't seen anything unusual in Zone Alarm. I haven't seen an extra
process in Task Manager that would look suspicious.

| > Could someone give me advice:
| >
| > 1.. where to look for virus?
|
| Everywhere. Specifically, look at all of the standard run keys in the
| registry, autoexec.bat, your StartUp folder, and your scheduled task
| manager.
=====I made a good effort (although this is the first time I've dealt with such
a problem; I had no clue before about all these registry keys for autorun ..). I
just can't find it.
|
| > 2.. how it works?
|
| You'll find out when you find it.
|
| > 3.. how is it going thru firewall?
|
| You'll find out when you find it.
|
| The next things you need to do are:
|
| 1. start monitoring your internet activity with a packet sniffer. I
| use Ethereal, but there are other products that will do what you
| need. That will find the e-mail, and you can go from there.
===Yes, I was logging with BlackIce, and tried to analyze traffic with
Ethereal and Fluke. I lack expertise. And I'm not sure if this thing is activated
periodically - every few hours or when the log becomes bigger - got big logs,
hard to analyze.

| 2. Discuss this with an attorney that specializes in employment law.
| Bring your employment contract, and any personnel manual pages
| that are relevant. If you didn't agree to monitoring of your home
| activity as part of your employment contract, you may have redress,
| and the people who did this may be in deep doo-doo.
======That is not part of my contract. The lawyer was reluctant: it's a difficult
thing to prove, the company denies it, and even if I find the virus, it is sending
to public mail, so how to prove who is reading it.
| Make certain your activities are clean, though. Either these people
| are on their own, or they're doing it as part of a corporate project
| of some kind. In the second case, either they are doing it generically,
| to all their employees, or you are under suspicion for something.
=========My activities are (I think) mostly clean. They thought that I was
hacking in the company, and needed some intelligence to see what kind of web
sites I was visiting. Some were security articles, but I was not hacking the
company or anyone else. It was done by my manager and network manager (I
know, how to prove it?), with participation of members of the network team. I am
not the first one (I know, they were talking, but how to prove it..). I am the
first one that "sensed" something and complained. It lasted 3-5 months
before I realized what was going on. The whole management team was getting these
reports, all of HR, and a number of older employees.
| 3. Back up your data, and reload your system and applications
| from the original manufacturer's disks. That should remove it. Then
| apply all of the Microsoft security patches, and take care to lock
| down as much of the system as possible to prevent it from happening
| again.
========yes, I created clean partition.
| >
| > Thanks,
|
| You're welcome.
|
| John Roth
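John Roth's advice above is to check the standard run keys, the StartUp folder and scheduled tasks. As an added example (not from the thread, and written for a current Windows with PowerShell 5 or later rather than the 2002-era system discussed), the script below enumerates exactly those autorun locations and reports the Authenticode signature status of each entry's executable, so an unsigned, home-built binary stands out from vendor software; the quoted-path parsing in Get-ImagePath is a best-effort heuristic.

```powershell
# Added example, not the poster's or John Roth's code. Lists every autorun entry
# from the Run/RunOnce keys, Startup folders and scheduled tasks, with the
# Authenticode status of its image. Assumes PowerShell 5+ on Windows.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Best-effort extraction of the executable path from a command line (heuristic):
# a quoted path yields the text inside the quotes, otherwise the first token.
function Get-ImagePath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-AutorunEntries {
    $entries = New-Object System.Collections.Generic.List[object]
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }   # registry provider metadata
            $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value })
        }
    }
    foreach ($dir in 'Startup', 'CommonStartup') {            # per-user and all-users StartUp folders
        $path = [Environment]::GetFolderPath($dir)
        if ($path -and (Test-Path $path)) {
            Get-ChildItem -Path $path -File | ForEach-Object {
                $entries.Add([pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName })
            }
        }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {                           # only Exec actions carry Execute
            if ($a.Execute) {
                $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
                $entries.Add([pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName; Command = $cmd })
            }
        }
    }
    return $entries
}

# 'NotSigned' or 'FileNotFound' rows are the ones to examine first.
Get-AutorunEntries | ForEach-Object {
    $img = Get-ImagePath $_.Command
    $status = if (Test-Path -LiteralPath $img -PathType Leaf) { (Get-AuthenticodeSignature -FilePath $img).Status } else { 'FileNotFound' }
    [pscustomobject]@{ Source = $_.Source; Name = $_.Name; Image = $img; Signature = $status }
} | Sort-Object Signature | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and all scheduled tasks are readable; compare the output against a known-clean machine rather than relying on signature status alone.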