Is someone watching my computer?

Hello,

I am quite new to firewalls, therefore I am hoping for some general advice on what I can do to learn about all this.

I am using Windows XP. I have installed Norton Internet Security 2006 and Ad-Aware SE, but still wonder how others can infiltrate my computer. I assume there are VNC type applications and keyboard loggers that have ways of getting around both Norton and Ad-Aware.

Are there ways to detect the use of programs like VNC and key loggers sending data out by looking at firewall logs? Is Norton a good tool for doing this with? Other suggestions for analyzing my network traffic?

As an experiment I made a copy of winvnc and renamed it as systemfile.exe. After launching it, Norton came up with the regular message asking if it was ok to give this application to the Internet. It certainly didn't say that this looked like WinVNC given a different name... Couldn't one of these monitor programs be given an official looking name and launched along with everything else?

Therefore...I have been wondering about reviewing network traffic...Any advice?

Thanks!

Reply to
greyteabox
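The renaming experiment in the post above (winvnc copied to systemfile.exe) shows why a filename is a poor identifier. The following is an added example, not code from the original thread: it identifies a binary by the SHA-256 hash of its contents, so a byte-identical copy is recognised under any name. The tool names, directories and file contents are constructed stand-ins; in real use the reference hashes would come from trusted copies of the programs you care about.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file's contents in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_known(paths_by_name):
    """Map content hash -> canonical tool name, from trusted reference copies."""
    return {sha256_file(p): name for name, p in paths_by_name.items()}


def find_renamed(directory, known):
    """Return (path, tool) for every file whose content matches a known tool
    but whose filename is not the tool's canonical name."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            path = os.path.join(root, fn)
            tool = known.get(sha256_file(path))
            if tool and fn.lower() != tool.lower():
                hits.append((path, tool))
    return sorted(hits)


def demo():
    # Constructed scenario: a reference copy of "winvnc.exe" (fake content),
    # then a scan directory holding a byte-identical copy renamed
    # "systemfile.exe" plus an unrelated file. No real binaries are involved.
    fake_vnc = b"MZ\x90\x00 constructed stand-in for the winvnc binary\n"
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as scan:
        ref_vnc = os.path.join(ref, "winvnc.exe")
        with open(ref_vnc, "wb") as f:
            f.write(fake_vnc)
        known = build_known({"winvnc.exe": ref_vnc})

        with open(os.path.join(scan, "systemfile.exe"), "wb") as f:
            f.write(fake_vnc)
        with open(os.path.join(scan, "notepad.exe"), "wb") as f:
            f.write(b"MZ\x90\x00 some other program\n")

        return [(os.path.basename(p), tool) for p, tool in find_renamed(scan, known)]


if __name__ == "__main__":
    for name, tool in demo():
        print(f"{name} is a renamed copy of {tool}")
```

A packed or recompiled copy has a different hash, so this catches only exact copies; it is still a stronger check than the filename a personal firewall shows in its prompt.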

snipped-for-privacy@yahoo.com wrote in news:1168667967.088345.174880@11g2000cwr.googlegroups.com:

There are so many ways for your computer to be compromised. The VNC service and keyloggers don't even make a drop in the bucket. winvnc is a service. You can monitor that through your services in Administrative Tools. Set it to disabled, not manual and definitely not auto. Most readily available VNC remote viewers use a standard default port setting, 5800 (web GUI) and 5900, so check for activity on these ports if you are concerned. Keyloggers are a different animal altogether. There is no sure-fire way to tell, though. If you are really concerned, I don't know if I would leave my fate in the hands of anything Symantec.. that is just personal experience. PFWs are easily circumvented from the inside out, so the application control is merely there as a "hope you feel better now" function. It does work on a basic level, but I wouldn't trust it with anything critical. An example of this would be a trojan that made its rounds a while back (name slips my mind - sorry) that would rename itself as notepad.exe, wmplayer.exe, or something like that and rename the original file as .exe.bak in the hopes of slipping past. A lot don't work, but just as many do, I suspect.

Any odd outbound traffic could be an indication of infection of some sort, but it is hard to tell you exactly what to look for. For the most part, if the VNC service is being compromised, you will likely know in short order, or you can monitor its status as mentioned above, or likely see it running in the process list. VNC attacks are not very common though, as the attacker has to physically sit there and concentrate on an individual machine. Keyloggers are harder. There are lots of ways to catch these unless they are hardware based. Do you have reason to believe that someone has planted a keylogger, or is it just paranoia from the media frenzy as of late?

In short, yes. Good experiment. You now see that whatever you name it, the function still stays the same unless you change the extension so Windows does not know what to do with it, although it is just harder to find by would-be bad guys who are expecting the default filename.

Advice- hmm.. kind of. If you are that worried, then I would suggest running an actual external firewall with logging functions that is not at the mercy of the system it resides on. Since Norton is resident on your system, it also makes sense that it is going to be susceptible to any compromises or flaws in that system. An external device running under its own steam would not be influenced by any gremlins that may reside on your system. What kind of firewall, or NAT device, or whatever you want to run depends entirely on your experience and budget. The simple NAT routers include the SNMP function that, when combined with an SNMP logging agent such as Kiwi Syslog or WallWatcher, can capture a fair amount of traffic stats. You will see a huge amount of information there though, so don't be alarmed by every address that does not appear the same as yours. I would watch for a certain port (or port range) communicating out to a specified address at fairly regular intervals. Then google the port it is using to see if it comes up as a fairly commonly used trojan port. Then determine if this is a known application to you (such as a P2P app or whatever). This will give you an idea. Keep in mind that some legitimate services will use the same ports as trojans, so you may need to dig deeper. The best defense that you can apply is to know what you are doing, and what the consequences are, and if you don't- just ask, like you have done. Run a good AV app (opinions are as varied as the programs- use your judgement) and spyware removal tools. No promises you will catch it all, but do what you can with what you've got, because it often is more than most do. While PFWs are at least *some* measure of protection, they are not perfect, as I am sure nothing really is. They are better than the alternative- being nothing. Lastly, if you have reason to wonder if someone has installed a keylogger, I guess I would ask myself "Did they have reason to?"

Welcome, hope this helps.

Reply to
AwPhuch
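The reply above suggests two concrete things to look for in an external device's logs: traffic on the default VNC ports (5800/5900) and a port talking to one address at fairly regular intervals. The script below is an added example, not from the original thread, that does both over a handful of constructed router log lines (TEST-NET addresses, a made-up but typical "direction proto src -> dst" syslog format; the regex would need adjusting for a real device's format). The beacon test flags a flow whose inter-connection gaps are nearly constant; the "jitter" threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines; not the output of any real router.
SAMPLE_LOG = """\
Jan 13 10:00:00 router OUT TCP 192.168.1.10:1032 -> 203.0.113.5:443
Jan 13 10:00:30 router OUT TCP 192.168.1.10:1033 -> 198.51.100.7:8080
Jan 13 10:00:45 router OUT TCP 192.168.1.10:1040 -> 203.0.113.5:443
Jan 13 10:01:00 router OUT TCP 192.168.1.10:1034 -> 198.51.100.7:8080
Jan 13 10:01:30 router OUT TCP 192.168.1.10:1035 -> 198.51.100.7:8080
Jan 13 10:02:00 router OUT TCP 192.168.1.10:1036 -> 198.51.100.7:8080
Jan 13 10:02:30 router OUT TCP 192.168.1.10:1037 -> 198.51.100.7:8080
Jan 13 10:05:12 router OUT TCP 192.168.1.10:1041 -> 203.0.113.5:443
Jan 13 10:05:13 router OUT TCP 192.168.1.10:1042 -> 203.0.113.5:443
Jan 13 10:07:02 router IN TCP 198.51.100.9:4321 -> 192.168.1.10:5900
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<dir>OUT|IN) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

VNC_PORTS = {5800, 5900}  # default WinVNC web GUI and viewer ports


def parse(lines, year=2007):
    """Turn log lines into (time, direction, proto, src, dst, dport) tuples.
    Syslog lines carry no year, so one is supplied."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["dir"], m["proto"], m["src"], m["dst"], int(m["dport"])))
    return events


def find_beacons(events, min_count=4, max_jitter=0.2):
    """Flag outbound flows to one host:port that recur at regular intervals
    (standard deviation of the gaps divided by their mean <= max_jitter)."""
    flows = defaultdict(list)
    for ts, direction, _proto, src, dst, dport in events:
        if direction == "OUT":
            flows[(src, dst, dport)].append(ts)
    beacons = []
    for key, times in flows.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((key, round(avg), len(times)))
    return sorted(beacons)


def vnc_flows(events):
    """Any traffic, inbound or outbound, to the default VNC ports."""
    return sorted({(src, dst, dport) for _t, _d, _p, src, dst, dport in events
                   if dport in VNC_PORTS})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    for (src, dst, dport), period, n in find_beacons(ev):
        print(f"beacon: {src} -> {dst}:{dport} every ~{period}s ({n} hits)")
    for src, dst, dport in vnc_flows(ev):
        print(f"vnc port: {src} -> {dst}:{dport}")
```

As the reply warns, a regular flow is only a lead: software update checks and instant messengers also poll on a schedule, so the next step is matching the destination and port against what you know is installed.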

snipped-for-privacy@yahoo.com wrote: ...

And other security software as well.

Hm... No. Well, in fact, the answer is sometimes (Norton logs all kinds of things). But you should have advanced knowledge to interpret logs in a proper way (Norton does not always interpret them correctly).

It has extremely high hardware demands, it is very unstable, and tends to fight with your OS. So IMHO it is not; there is other software.

Sniff it, but that demands advanced knowledge.

There is a technique called process infection that does that. You are not defending yourself from malware by employing some software, but by not running malware. A Limited account on Windows helps. AV is only a helper; everyone can make a mistake, or malware is using some exploit and it doesn't need to interact with the user to download, install and run itself.

Well, since you are asking you probably can't do it, sorry but that is usually a fact. Anyway, for example

formatting link
This is a sniffer, can you use it? Or
formatting link
Now how to use this to find malware, and test your firewall?

If you know how, good for you, do it. If you don't, yes I know that is advanced, I'm a home user like you (i.e. familiar with your troubles). So I would advise you something else. Simpler to do, well, it is simpler than sniffing.

  1. If you have a router with NAT and firewall built in, use it.
  2. Use a Limited account for daily usage.
  3. Think about using something lighter than Norton; check reviews on the internet and pick something.
  4. Keep your OS up to date, and use some alternative browser (Opera, Firefox).
  5. Think while you are working; many malware authors rely on the fact that users don't think while they work. They run everything served to them.
  6. Run away from warez, crackz, XXX content.
  7. Shut down services you don't need, and configure software in a way that it doesn't connect to the internet if you don't need it to.
  8. Use NTFS on your partitions.
  9. Backup

I believe that you don't need to be a 1337 g33k to do this; a little bit of googling and reading manuals and you can do all of that.

Take a look at these utilities, you might find them useful:

formatting link
Many things these utilities do, you can do from your OS, but I found this simpler to use. Well, they have a GUI.

Note this. Despite any software or firewall solution you are using, _you_ are the ultimate protection, and the ultimate vulnerability at the same time. Try to be the protection most of the time.

Reply to
alf

Trivially: You're using an old version of Firefox with known exploits. Surfing to a website is sufficient.

Counterquestion: Why do you think infiltrating your computer would get any harder by running the above-mentioned crap? Actually it just makes your computer even more vulnerable.

Trivial, because it's the default assumption.

Generally: no.

Norton is no such tool at all.

Wireshark? Anyway, that won't solve your problem either.

As an experiment, you should write your own code.

Exactly because it should implement something to circumvent such crap. I'd say WinVNC itself doesn't.

Yes: Rethink from the beginning. If you're getting to the point "I've already run the malicious software, what can I do?", then you're already on the wrong path.

Reply to
Sebastian Gottschalk

Visit grc.com and run ShieldsUP. It'll probe your computer/router for any open ports that you may have. Remember, an attacker needs an open port to gain access via a compromised internet service. If you don't host internet services then none should be enabled. I would highly, highly recommend that you NOT rely on any of the available software firewalls, even the one built into Windows, and opt for one in hardware...

That said, you could always run linux.

Reply to
Jerry McBride

According to the analysis from grcsucks.com, it will do anything random and report such.

Um... where exactly is the difference wrt. not exposing services?

Reply to
Sebastian Gottschalk

You asked two questions (I think) of me... would you be so kind to rephrase your English? I simply don't understand what you wrote.

Reply to
Jerry McBride

I'm not Sebastian, but if I may:

a) Steve Gibson (the person behind grc.com) does not have the best reputation in the security community, so you may want to take anything coming from him with a grain of salt. The page Sebastian mentioned [1] does some explanation as to why that is.

b) There's no such thing as a "hardware firewall". What you probably mean with this term is a firewall appliance or a firewalling router, but their operating system and firewall code is implemented in software as well. The advantage such devices have over so-called software firewalls is that they can protect an entire subnet, and that they cannot be easily modified by arbitrary software running on a host in said subnet. However, when it comes to filtering unsolicited inbound traffic, there's not much of a difference between software firewalls and firewall appliances.

c) If you remove the services you don't need to be accessible from external networks (be it by disabling them, or by unbinding them from the external interface), you don't even need a firewall in the first place, since the TCP/IP stack will reject incoming connection attempts all by itself.

HTH.

[1]
formatting link
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

I've been to that site and while it makes good sense, there's nothing wrong with referring a person to grc.com. It's probably the easiest port sniffer for new users or the curious to access and understand.

What do you suggest to regular users?

Again, for new firewall users or those interested in firewalling... there's nothing wrong with referring to standalone routers as "hardware firewalls". Indeed, there's no easily accessible software inside them, unless you like hacking such devices for fun. In any piece of complex internet appliance there's going to be software... but it's buried in such good hardware that it's totally invisible to normal users.

So, what's the harm with the term "hardware firewall"?

That's the first step for securing any desktop or server and that's why I mentioned it.

As a side note, it amazes me how people are so quick to correct and re-define something as simple as offering help to someone.

You're totally correct of course, but is it really necessary to split hairs and possibly confuse the original poster with all the gritty details?

Cheers.

Reply to
Jerry McBride

Don't ask me. I was merely trying to explain what Sebastian probably meant to tell you.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Did you even read the article about ShieldsUP on grcsucks.com? It is not easy, because it's technically dysfunctional to no end. And it's not good for new users, because it tells a lot of nonsense.

AFAIK the online port scan at speedguide.net seems to work well without telling nonsense. There are some other well-known port scan services based on Nmap, but sadly most of them mangle the output at the backend. I'd prefer the pure output like the Nmap at linux-sec.net, and I don't think that the text output is really that hard to understand.

After all, why should someone without a clue about networking hassle with a port scan? They should shut down their services and verify that with 'netstat'. And please just that. No bullshitting around with pseudo firewalls.

Nothing. But you were suggesting that a dedicated firewall would be any better wrt filtering inbound traffic because it's running on dedicated hardware.

Now if just the users would get that instead of installing a pseudo firewall...

This is Usenet - a medium for discussion, not a support medium. Finding answers to your questions when starting a discussion about it is mere correlation, no goal.

Reply to
Sebastian Gottschalk
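The reply above says the check for someone without a networking background is simply to shut down services and verify with `netstat`. The script below is an added example, not from the original thread, that reads `netstat -ano` output as Windows XP prints it and lists the listeners reachable from the network (bound to 0.0.0.0 or a real interface, not 127.0.0.1), then compares them with an allowlist of ports you expect. The sample output is constructed; the 5900 listener with PID 1880 is a planted VNC-style service for the demo, and the allowlist is an assumption for a typical XP box with file sharing on.

```python
# Constructed `netstat -ano` output in Windows XP's format; not a real capture.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1020
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1880
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1512
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      203.0.113.5:443        ESTABLISHED     2236
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Assumed allowlist: RPC endpoint mapper, NetBIOS and SMB for a LAN with
# file sharing. A stand-alone PC serving nothing could use an empty set.
EXPECTED = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 445)}


def parse_netstat(text):
    """Parse the table rows; TCP rows carry a state column, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        addr, port = local.rsplit(":", 1)
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def network_reachable(rows):
    """Sockets another host could reach: listening TCP or any bound UDP,
    excluding loopback-only bindings."""
    out = []
    for r in rows:
        listening = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if listening and not r["addr"].startswith("127."):
            out.append((r["proto"], r["addr"], r["port"], r["pid"]))
    return sorted(out)


def unexpected(reachable, allowed=EXPECTED):
    """Reachable listeners whose (proto, port) is not on the allowlist;
    the PID is what you look up in Task Manager or tasklist."""
    return [e for e in reachable if (e[0], e[2]) not in allowed]


if __name__ == "__main__":
    reachable = network_reachable(parse_netstat(SAMPLE))
    for proto, addr, port, pid in unexpected(reachable):
        print(f"unexpected listener: {proto} {addr}:{port} (PID {pid})")
```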

And don't forget to visit

formatting link
Yours, VB.

Reply to
Volker Birk

First, thank you everyone for your replies to my questions.

Since reading your replies I have investigated sniffing and tried out Cain & Abel with two of my computers. I set up an "ARP attack"... or whatever you want to call it. I was shocked, and still am, at how easy it was to steal passwords from another computer on the network via this sniffing program. On the computer I was using to run Cain & Abel, Norton threw MANY dialogs my way... as it should. But the computer I was sniffing noticed nothing. I was able to steal passwords from Hotmail and Yahoo accounts. Unsecured and secure connections both. On the victim's computer I did have to accept a bogus certificate. But after this certificate has been accepted everything appears to be ok from the user's point of view. After shutting down Cain & Abel on the attacking computer, the victim's internet browser now realized that the certificates for Hotmail and Yahoo were bogus and threw up dialogs about invalid certificates. I had to go to the certificates section of the browser and delete an extra, "odd" looking certificate. That fixed the problem.

I have downloaded Promqry, a program that detects sniffing, and it did identify the computer I was attacking with.

I have read that a different way to steal passwords is to create a fake hotmail page, for example. After checking into this I have noticed that some of the web pages for e-mail login are different at my work place than they are at home. They don't give us company e-mail, but have us use our personal e-mail for work communication. The fact that the login pages look slightly different causes me to wonder about this. The address in the address bar is exactly the same as at home...

Is it possible, on a local network, to set up a phishing site that will go undetected by users? Make the address in the address bar look legitimate, deal with all certificate issues?

Thanks!

Reply to
teabox
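The ARP attack described in the post above works because the attacker answers ARP for the gateway's IP (and the victim's) with its own MAC, so the victim's traffic is routed through the attacking machine. Promqry looks for the attacker's card in promiscuous mode; a complementary check is to watch the ARP replies themselves. The script below is an added example, not from the original thread, over a constructed list of observed ARP "is-at" replies (time, sender IP, sender MAC); the addresses are made up. It flags an IP answered by more than one MAC, a MAC claiming several IPs, and any MAC contradicting a trusted table recorded when the network was known to be clean.

```python
from collections import defaultdict

# Constructed observations of ARP replies on the LAN: (seconds, sender IP, sender MAC).
# .01 is the genuine gateway, .10 the victim, .20 the machine running the sniffer.
OBSERVED = [
    (0, "192.168.1.1", "00:11:22:33:44:01"),    # real gateway answers
    (1, "192.168.1.10", "00:11:22:33:44:10"),   # victim answers for itself
    (2, "192.168.1.20", "00:11:22:33:44:20"),   # attacker's own binding
    (5, "192.168.1.1", "00:11:22:33:44:20"),    # attacker claims the gateway
    (6, "192.168.1.10", "00:11:22:33:44:20"),   # attacker claims the victim
    (15, "192.168.1.1", "00:11:22:33:44:20"),   # poison is re-sent to keep caches stale
    (25, "192.168.1.1", "00:11:22:33:44:20"),
]

# Trusted table as it would be recorded on a clean network (assumed values).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}


def ip_to_macs(obs):
    table = defaultdict(set)
    for _t, ip, mac in obs:
        table[ip].add(mac)
    return table


def mac_to_ips(obs):
    table = defaultdict(set)
    for _t, ip, mac in obs:
        table[mac].add(ip)
    return table


def conflicting_ips(obs):
    """IPs answered by more than one MAC: the classic sign of ARP poisoning."""
    return {ip: sorted(macs) for ip, macs in ip_to_macs(obs).items() if len(macs) > 1}


def greedy_macs(obs):
    """MACs that claim more than one IP, e.g. an attacker posing as both
    gateway and victim to sit in the middle of the conversation."""
    return {mac: sorted(ips) for mac, ips in mac_to_ips(obs).items() if len(ips) > 1}


def impersonators(obs, trusted=TRUSTED):
    """MACs that answered for a trusted IP with an address other than the recorded one."""
    return sorted({mac for _t, ip, mac in obs if ip in trusted and trusted[ip] != mac})


if __name__ == "__main__":
    for ip, macs in conflicting_ips(OBSERVED).items():
        print(f"{ip} answered by several MACs: {', '.join(macs)}")
    for mac, ips in greedy_macs(OBSERVED).items():
        print(f"{mac} claims several IPs: {', '.join(ips)}")
    for mac in impersonators(OBSERVED):
        print(f"{mac} contradicts the trusted table")
```

Seeing the replies requires capturing ARP on the segment (a sniffer on the monitoring host, as the replies above discuss); the attacker's own ARP cache looks perfectly normal, so the checks only make sense run from a machine other than the suspect one.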

formatting link
bloody good for Linux users.

Anybody know of a site for Win XP Pro Sp2 (home) users, stand-alone pc ?

| > You're totally correct of course, but is it really necessary to split hairs
| > and possibly confuse the original poster with all the gritty details?
|
| This is Usenet - a medium for discussion, not a support medium. Finding
| answers to your questions when starting a discussion about it is mere
| correlation, no goal.

Reply to
Mel Bourne

formatting link
Yours, VB.

Reply to
Volker Birk

To set it up? Easy. To attack successfully? Depends on whether users are checking certificates with care.

Yours, VB.

Reply to
Volker Birk

Lets say that someone else uses the computer and accepts bogus certificates. How can subsequent users double check these certificates?

Thanks!

TB

Reply to
teabox

Who accepts bogus certificates, loses.

By not trusting in other users.

Yours, VB.

Reply to
Volker Birk

Great, thanks a bunch!!! :)

Reply to
Mel Bourne
