I apologize in advance for the long-winded post. I posted it all because I believe it's informative and may be useful. Also, I posted my question at the end.
Moments ago I was RDC to a file server in my home (from inside my home). I had opened Firefox and Googled for a manufacturer's website. Immediately after clicking the link, Firefox abruptly closed. This seemed odd to me, so I checked the running processes and discovered d.exe, e.exe, and f.exe running.
I Googled these processes on a different machine and found them belonging to a key-logger/screen-capturer/trojan called defender.exe, which according to Prevx lives in c:\documents and settings\user\local settings\temp. (Prevx link http://www.prevx.com/filenames/147352809685142526-X1/DEFENDER32.EXE.html)
Simultaneously, an obviously-spoofed Windows Firewall popup appeared on the server asking me to click ‘yes’ to update Windows Firewall.
At this time I ended all rogue processes, emptied the temp folder, removed defender.exe from startup, and checked my registry and a few other locations. Before deleting Defender.exe I noted that it was created moments ago, just before Firefox crashed. I believe that I was 'almost' infected with this malware. I believe that it needed me to click the phony popup in order to complete infection because it wasn't allowed to execute processes from the temp folder. After cleaning the machine, I restarted it and have been monitoring it for over an hour. I am debating whether or not to restore the Windows partition (a separate physical drive from the data) or to just watch it for a while.
I should mention that, because of the specs on this machine, I do not run antivirus software, but I know it well and inspect it regularly. It is a very old Compaq with a 400 MHz processor and 512 MB of RAM. I have a static IP and the server is in the DMZ running an FTP client and some HTTP server software. All files transferred to and stored on this machine are scanned for malware before transferring. Usually the machine only runs 19 processes and performs pretty well for its intended purpose.
I posted the story so that you could be aware of a possible new piece of malware and how it acts, but I also have a question or two. First, over the last few months I have noticed that PREVX is listed at the top of most of my Google searches when researching malware, especially for new or obscure malware…and they always want you to purchase something. I don’t think they are one of the top AV companies, so it seems odd that they are always the top Google result. Does anyone have any experience with any of their products?
Also, what sites do you rely on for malware research? Recently, I have found it difficult to find good info because of HijackThis logs and other dead-end info cluttering up my searches.
And lastly, besides antivirus, third-party firewall, etc, what settings would you use to lock down a machine to make it more secure in instances where a stubborn admin like myself refuses to run AV?
Thanks.
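The manual check the poster describes (look for processes running out of the temp folder, note their creation time, look at the startup entries) can be scripted so it is repeatable. The following is an added, defender-side example written for this thread; it is not the poster's code nor anything from Prevx. It assumes a Windows host with PowerShell 3 or later (which the poster's old Compaq would not have had by default) and only reports; it terminates nothing and deletes nothing, so the findings can be reviewed before any cleanup or reimaging decision.

```powershell
# Added example: audit processes whose image lives under a Temp directory,
# list recently created executables in Temp, and dump the usual autostart
# registry keys. Nothing here kills processes or deletes files.
# Assumption: PowerShell 3+ on Windows; run as an administrator to see all processes.

# Directories that legitimate long-running services rarely execute from.
$tempRoots = @($env:TEMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-TempProcesses {
    # Win32_Process gives the on-disk image path, creation time and parent PID.
    Get-CimInstance Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { return }                     # kernel/system processes have no path
        $lower = $path.ToLowerInvariant()
        $inTemp = $false
        foreach ($root in $tempRoots) {
            if ($lower.StartsWith($root + '\')) { $inTemp = $true }
        }
        if ($inTemp) {
            # Unsigned images are not proof of malice, but a Temp-resident,
            # unsigned, freshly created process is exactly the pattern described above.
            $sig = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
            [pscustomobject]@{
                Pid       = $_.ProcessId
                Name      = $_.Name
                Path      = $path
                Started   = $_.CreationDate
                ParentPid = $_.ParentProcessId
                Signature = $sig
            }
        }
    }
}

function Get-RecentTempExecutables([int]$Minutes = 60) {
    # Executable-type files dropped into the user's Temp folder in the last N minutes.
    $cutoff = (Get-Date).AddMinutes(-$Minutes)
    Get-ChildItem -Path $env:TEMP -Recurse -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        Select-Object FullName, CreationTime, Length
}

function Get-AutostartEntries {
    # The Run/RunOnce keys are where the poster found defender.exe registered.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Startup folders are a second common persistence location.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Key = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

"== Processes running from Temp =="
Get-TempProcesses | Format-Table -AutoSize
"== Executables created in Temp during the last 60 minutes =="
Get-RecentTempExecutables -Minutes 60 | Format-Table -AutoSize
"== Autostart entries =="
Get-AutostartEntries | Format-Table -AutoSize
```

Running this from a scheduled task and diffing the output against a known-good baseline turns the poster's occasional manual inspection into a routine check; an entry that appears in all three sections at once, as the d.exe/e.exe/f.exe trio would have, is the signal to take the box offline and restore it rather than keep watching it.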
Once it's created a process on your server I would consider it as good as hacked. Time to reload or restore. Make sure updates are all setup and lock it down.
You say that the box is in a DMZ and only runs an FTP client and a HTTP server. You also say that files being transferred, presumably transferred using the FTP client, are scanned. So, you're not averse to AV entirely. So, I guess the ultimate answer is, don't use a web browser on this machine. This is the quickest path to ensuring security and adheres to a number of common security principles. prevx.com is a terrible resource for malware research. I'd simply avoid it unless you're morbidly curious, working in a virtual machine and like drive-by downloads.
Run an antivirus, please. Even if only once a week or once a month with no "always on" activity scanner.
Hmm. While I personally would now refuse to have anything to do with Prevx due to ethical concerns about their behaviour, they are a legitimate a/v and security research company as far as that goes.
Malware news: I subscribe to Websense's blog, and also Kaspersky and F-Secure are both pretty good, I find.
As for antivirus on that box, have you considered something like Clam AV? This can be an "on demand" scanner that isn't running all the time, and you can just set it to check every now and again to keep your machine clean. If you're putting a Windows machine up on the web as a server you really do need to have some kind of scanning going on. And don't use it as a client too - this server can't get rooted via the browser if you don't use the browser on it.
Prevx is most definitely legit. They are probably some of the most passionate security professionals out there. It is no surprise that they are often the first, and frequently the only, security vendor to know something about new infections. It is simply down to their use of cloud-based technology leveraging their now quite considerable client base to help them spot new infections first. And it works brilliantly. In April/May PC Magazine praised these guys and made their Prevx 3.0 Editor's Choice for anti-malware, coming top or joint top in nearly every category. Their cleanup is very good too and the scan speed is amazing.
If you're still not convinced, nosey on down to the Wilders Security forum http://www.wilderssecurity.com where the official Prevx forum gathers.
I hope this helps you on the question you raise.
Ever heard of possible malware rascrypt64.dll? PREVX is the only site that knows anything about this.. Strange I say.. SO I wandered down to wilderssecurity.com, who seem to be one of the few people who say PREVX is legit, and checked for rascrypt64.dll down there and guess what..NOTHING
I think PREVX and WILDERSECURITY are a crock of ????
I am PrevxHelp from WildersSecurity, one of the Prevx support technicians who helps out over there. We are definitely legitimate and if anyone has any questions, please feel free to write into our customer support inbox or onto our forum, hosted by WildersSecurity. We have reverified that none of our website contains any malware so it is likely that it came in through another vector. If the OP is still infected, please contact us and reference this thread and we will have one of our engineers help you out personally to ensure that your PC is fully cleaned, although the issue was not caused by the Prevx website.
Thank you for your time!
(Also, regarding rascrypt64.dll posted earlier, the Prevx database has known about it since December 2009 and it is most commonly a component of a Vundo infection. WildersSecurity is a product support forum and we don't try to post information on every threat (as we see more than 250,000 new files every day) so that is why it is not referenced there.)