Is someone watching my computer?

on 13.01.2007 06:59:27 by greyteabox

Hello,

I am quite new to firewalls, therefore I am hoping for some general
advice on what I can do to learn about all this.

I am using Windows XP. I have installed Norton Internet Security 2006
and Ad-Aware SE, but still wonder how others can infiltrate my
computer. I assume there are VNC type applications and keyboard
loggers that have ways of getting around both Norton and Ad-Aware.

Are there ways to detect the use of programs like VNC and key loggers
sending data out by looking at firewall logs? Is Norton a good tool
for doing this with? Other suggestions for analyzing my network
traffic?

As an experiment I made a copy of winvnc and renamed it as
systemfile.exe. After launching it, Norton came up with the regular
message asking if it was ok to give this application to the Internet.
It certainly didn't say that this looked like WinVNC given a different
name... Couldn't one of these monitor programs be given an official
looking name and launched along with everything else?

Therefore...I have been wondering about reviewing network traffic...Any
advice?

Thanks!

Re: Is someone watching my computer?

on 13.01.2007 11:24:59 by AwPhuch

greyteabox@yahoo.com wrote in news:1168667967.088345.174880@11g2000cwr.googlegroups.com:

> Hello,
>
> I am quite new to firewalls, therefore I am hoping for some general
> advice on what I can do to learn about all this.
>
> I am using Windows XP. I have installed Norton Internet Security 2006
> and Ad-Aware SE, but still wonder how others can infiltrate my
> computer. I assume there are VNC type applications and keyboard
> loggers that have ways of getting around both Norton and Ad-Aware.

There are so many ways for your computer to be compromised. The vnc service
and keyloggers don't even make a drop in the bucket. winvnc is a service.
You can monitor that through your services in administrative tools. Set it
to disabled, not manual and definitely not auto. Most readily available vnc
remote viewers use a standard default port setting, 5800 (webGUI) and 5900,
so check for activity on these ports if you are concerned. Keyloggers are a
different animal altogether. There is no sure-fire way to tell, though. If
you are really concerned, I don't know if I would leave my fate in the
hands of anything Symantec... that is just personal experience. PFWs are
easily circumvented from the inside out, so the application control is
merely there as a "hope you feel better now" function. It does work on a
basic level, but I wouldn't trust it with anything critical. An example of
this would be a trojan that made its rounds a while back (name slips my
mind, sorry) that would rename itself as notepad.exe, wmplayer.exe, or
something like that and rename the original file as .exe.bak in the
hopes of slipping past. A lot don't work, but just as many do, I suspect.

> Are there ways to detect the use of programs like VNC and key loggers
> sending data out by looking at firewall logs? Is Norton a good tool
> for doing this with? Other suggestions for analyzing my network
> traffic?

Any odd outbound traffic could be an indication of infection of some sort,
but it is hard to tell you exactly what to look for. For the most part, if
the vnc service is being compromised, you will likely know in short order,
or you can monitor its status as mentioned above, or likely see it running
in the process list. VNC attacks are not very common though, as the
attacker has to physically sit there and concentrate on an individual
machine. Keyloggers are harder. There are lots of ways to catch these
unless they are hardware based. Do you have reason to believe that someone
has planted a keylogger, or is it just paranoia from the media frenzy as of
late?


> As an experiment I made a copy of winvnc and renamed it as
> systemfile.exe. After launching it, Norton came up with the regular
> message asking if it was ok to give this application to the Internet.
> It certainly didn't say that this looked like WinVNC given a different
> name... Couldn't one of these monitor programs be given an official
> looking name and launched along with everything else?

In short, yes. Good experiment. You now see that whatever you name it, the
function still stays the same unless you change the extension so Windows
does not know what to do with it, although it is just harder to find by
would-be bad guys who are expecting the default filename.

> Therefore...I have been wondering about reviewing network traffic...Any
> advice?

Advice? Hmm... kind of. If you are that worried, then I would suggest
running an actual external firewall with logging functions that is not at
the mercy of the system it resides on. Since Norton is resident on your
system, it also makes sense that it is going to be susceptible to any
compromises or flaws in that system. An external device running under its
own steam would not be influenced by any gremlins that may reside on your
system.
What kind of firewall, or NAT device, or whatever you want to run depends
entirely on your experience and budget. The simple NAT routers include the
SNMP function that, when combined with an SNMP logging agent such as Kiwi
Syslog or WallWatcher, can capture a fair amount of traffic stats. You will
see a huge amount of information there though, so don't be alarmed by every
address that does not appear the same as yours. I would watch for a certain
port (or port range) communicating out to a specified address at fairly
regular intervals. Then google the port it is using to see if it comes up
as a fairly commonly used trojan port. Then determine if this is a known
application to you (such as a P2P or whatever). This will give you an idea.
Keep in mind that some legitimate services will use the same ports as
trojans, so you may need to dig deeper.
The best defense that you can apply is to know what you are doing, and what
the consequences are, and if you don't, just ask, like you have done. Run a
good AV app (opinions are as varied as the programs; use your judgement)
and spyware removal tools. No promises you will catch it all, but do what
you can with what you've got, because it often is more than most do. While
PFWs are at least *some* measure of protection, they are not perfect, as I
am sure nothing really is. They are better than the alternative: being
nothing.
Lastly, if you have reason to wonder if someone has installed a keylogger,
I guess I would ask myself "Did they have reason to?"

>
> Thanks!
>

Welcome, hope this helps.

--

Back to your bridge Troll! You have no powers here!
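
The "same port, same address, regular intervals" pattern described in the post above can be checked mechanically rather than by eye. This is an added example, not code from the thread: it parses constructed router syslog lines (the line format is invented for illustration; real NAT routers each have their own, so adapt `parse_line()`) and flags outbound flows whose connection gaps are nearly constant, annotating the VNC ports the thread mentions.

```python
"""Spot regular-interval outbound connections ("beaconing") in router syslog.

Added example, not from the thread. The log format below is constructed for
illustration; real NAT routers each log differently, so adapt parse_line().
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Ports the thread mentions for stock VNC installs (5800 web GUI, 5900 viewer).
PORTS_OF_INTEREST = {5800: "VNC web GUI", 5900: "VNC viewer"}

# Constructed sample: one host talking to 203.0.113.5:5900 every 60 s,
# plus ordinary browsing noise that should not be flagged.
SAMPLE_LOG = """\
Jan 13 06:00:00 router: OUT TCP 192.168.1.10:1045 -> 203.0.113.5:5900
Jan 13 06:00:07 router: OUT TCP 192.168.1.10:1046 -> 198.51.100.20:80
Jan 13 06:01:00 router: OUT TCP 192.168.1.10:1047 -> 203.0.113.5:5900
Jan 13 06:01:31 router: OUT TCP 192.168.1.11:1050 -> 198.51.100.21:443
Jan 13 06:02:00 router: OUT TCP 192.168.1.10:1048 -> 203.0.113.5:5900
Jan 13 06:02:45 router: OUT TCP 192.168.1.10:1049 -> 198.51.100.20:80
Jan 13 06:03:00 router: OUT TCP 192.168.1.10:1050 -> 203.0.113.5:5900
Jan 13 06:04:00 router: OUT TCP 192.168.1.10:1051 -> 203.0.113.5:5900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ OUT (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line, year=2007):
    """Return (timestamp, src, dst, dport) or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return flows (src, dst, dport) whose connection intervals are regular.

    max_jitter is the allowed stdev/mean of the gaps between connections;
    a human browsing produces ragged gaps, a polling implant does not.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport = rec
            flows[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "hits": len(times), "period_s": round(mean),
                             "note": PORTS_OF_INTEREST.get(dport, "")})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

As the post says, a regular flow is a lead, not a verdict: look up the port and the application behind it before drawing conclusions.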

Re: Is someone watching my computer?

on 13.01.2007 13:06:25 by alf

greyteabox@yahoo.com wrote:
....
> I am using Windows XP. I have installed Norton Internet Security 2006
> and Ad-Aware SE, but still wonder how others can infiltrate my
> computer. I assume there are VNC type applications and keyboard
> loggers that have ways of getting around both Norton and Ad-Aware.

And other security software as well.

> Are there ways to detect the use of programs like VNC and key loggers
> sending data out by looking at firewall logs?

Hm... No.
Well, in fact, the answer is sometimes (Norton logs all kinds of
things). But you need advanced knowledge to interpret logs in a
proper way (Norton does not always interpret them correctly).

> Is Norton a good tool
> for doing this with?

It has extremely high hardware demands, it is very unstable, and tends to
fight with your OS. So IMHO it is not; there is other software.

> Other suggestions for analyzing my network
> traffic?

Sniff it, but that demands advanced knowledge.

> As an experiment I made a copy of winvnc and renamed it as
> systemfile.exe. After launching it, Norton came up with the regular
> message asking if it was ok to give this application to the Internet.
> It certainly didn't say that this looked like WinVNC given a different
> name... Couldn't one of these monitor programs be given an official
> looking name and launched along with everything else?

There is a technique called process infection that does that. You are not
defending yourself from malware by employing some software, but by not
running malware. A Limited account on Windows helps. AV is only a helper;
everyone can make a mistake, or malware may use some exploit and not
need to interact with the user to download, install and run itself.

> Therefore...I have been wondering about reviewing network traffic...Any
> advice?

Well, since you are asking you probably can't do it; sorry, but that is
usually a fact.
Anyway, for example http://www.wireshark.org/ This is a sniffer; can you
use it?
Or http://insecure.org/nmap/ Now, how to use this to find malware and
test your firewall?

If you know how, good for you, do it. If you don't, yes I know that is
advanced; I'm a home user like you (i.e. familiar with your troubles). So
I would advise you something else. Simpler to do, well, it is simpler
than sniffing.

1. If you have a router with NAT and a built-in firewall, use it.
2. Use a Limited account for daily usage.
3. Think about using something lighter than Norton; check reviews on the
internet and pick something.
4. Keep your OS up to date, and use some alternative browser (Opera,
Firefox).
5. Think while you work; many malware authors rely on the fact that
users don't think while they work. They run everything served to them.
6. Run away from warez, crackz, XXX content.
7. Shut down services you don't need, and configure software in a way
that it doesn't connect to the internet if you don't need it to.
8. Use NTFS on your partitions.
9. Backup.

I believe that you don't need to be a 1337 g33k to do this; a little bit of
googling and reading manuals and you can do all of that.

Take a look at these utilities, you might find them useful:

http://www.microsoft.com/technet/sysinternals/Security/ProcessExplorer.mspx
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
http://www.microsoft.com/technet/sysinternals/Security/Autoruns.mspx
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Many things these utilities do, you can do from your OS, but I found
these simpler to use. Well, they have a GUI.

Note this. Despite any software or firewall solution you are using,
_You_ are the ultimate protection, and the vulnerability at the same time.
Try to be the protection most of the time.

Re: Is someone watching my computer?

on 13.01.2007 20:50:11 by unknown

Post removed (X-No-Archive: yes)

Re: Is someone watching my computer?

on 14.01.2007 06:15:47 by Jerry McBride

greyteabox@yahoo.com wrote:

> Hello,
>
> I am quite new to firewalls, therefore I am hoping for some general
> advice on what I can do to learn about all this.
>
> I am using Windows XP. I have installed Norton Internet Security 2006
> and Ad-Aware SE, but still wonder how others can infiltrate my
> computer. I assume there are VNC type applications and keyboard
> loggers that have ways of getting around both Norton and Ad-Aware.
>
> Are there ways to detect the use of programs like VNC and key loggers
> sending data out by looking at firewall logs? Is Norton a good tool
> for doing this with? Other suggestions for analyzing my network
> traffic?
>
> As an experiment I made a copy of winvnc and renamed it as
> systemfile.exe. After launching it, Norton came up with the regular
> message asking if it was ok to give this application to the Internet.
> It certainly didn't say that this looked like WinVNC given a different
> name... Couldn't one of these monitor programs be given an official
> looking name and launched along with everything else?
>
> Therefore...I have been wondering about reviewing network traffic...Any
> advice?
>
> Thanks!

Visit grc.com and run shieldsup. It'll probe your computer/router for any
open ports that you may have. Remember, an attacker needs an open port to
gain access via a compromised internet service. If you don't host internet
services then none should be enabled. I would highly, highly recommend that
you NOT rely on any of the available software firewalls, even the one built
into Windows, and opt for one in hardware...

That said, you could always run linux.

--

Jerry McBride

Re: Is someone watching my computer?

on 14.01.2007 11:45:52 by unknown

Post removed (X-No-Archive: yes)

Re: Is someone watching my computer?

on 14.01.2007 17:19:46 by Jerry McBride

Sebastian Gottschalk wrote:

> Jerry McBride wrote:
>
>> Visit grc.com and run shieldsup. It'll probe your computer/router for any
>> open ports that you may have.
>
> According to the analysis from grcsucks.com, it will do anything random
> and report such.
>
>> I would highly, highly recommend that
>> you NOT rely on any of the available software firewalls, even the one
>> built into windows and opt for one in hardware...
>
> Um... where exactly is the difference wrt. not exposing services?

You asked two questions (I think) of me... would you be so kind to rephrase
your English? I simply don't understand what you wrote.
--

Jerry McBride

Re: Is someone watching my computer?

on 14.01.2007 18:40:33 by Ansgar -59cobalt- Wiechers

Jerry McBride wrote:
> Sebastian Gottschalk wrote:
>> Jerry McBride wrote:
>>> Visit grc.com and run shieldsup. It'll probe your computer/router
>>> for any open ports that you may have.
>>
>> According to the analysis from grcsucks.com, it will do anything
>> random and report such.
>>
>>> I would highly, highly recommend that you NOT rely on any of the
>>> available software firewalls, even the one built into windows and
>>> opt for one in hardware...
>>
>> Um... where exactly is the difference wrt. not exposing services?
>
> You asked two questions (I think) of me... would you be so kind to
> rephrase your English? I simply don't understand what you wrote.

I'm not Sebastian, but if I may:

a) Steve Gibson (the person behind grc.com) does not have the best
reputation in the security community, so you may want to take
anything coming from him with a grain of salt. The page Sebastian
mentioned [1] offers some explanation as to why that is.

b) There's no such thing as a "hardware firewall". What you probably
mean with this term is a firewall application or a firewalling
router, but their operating system and firewall code is implemented
in software as well. The advantage such devices have over so-called
software firewalls is that they can protect an entire subnet, and
that they cannot be easily modified by arbitrary software running on
a host in said subnet.
However, when it comes to filtering unsolicited inbound traffic,
there's not much of a difference between software firewalls and
firewall applications.

c) If you remove the services you don't need to be accessible from
external networks (be it by disabling them, or by unbinding them from
the external interface), you don't even need a firewall in the first
place, since the TCP/IP stack will reject incoming connection
attempts all by itself.

HTH.

[1] http://grcsucks.com/

cu
59cobalt
--
"Personal Firewalls are crap. Throw away any personal firewall. Personal
Firewalls are bad[tm]."
--Malte von dem Hagen on security-basics

Re: Is someone watching my computer?

on 14.01.2007 20:02:01 by Jerry McBride

Ansgar -59cobalt- Wiechers wrote:

> Jerry McBride wrote:
>> Sebastian Gottschalk wrote:
>>> Jerry McBride wrote:
>>>> Visit grc.com and run shieldsup. It'll probe your computer/router
>>>> for any open ports that you may have.
>>>
>>> According to the analysis from grcsucks.com, it will do anything
>>> random and report such.
>>>
>>>> I would highly, highly recommend that you NOT rely on any of the
>>>> available software firewalls, even the one built into windows and
>>>> opt for one in hardware...
>>>
>>> Um... where exactly is the difference wrt. not exposing services?
>>
>> You asked two questions (I think) of me... would you be so kind to
>> rephrase your English? I simply don't understand what you wrote.
>
> I'm not Sebastian, but if I may:
>
> a) Steve Gibson (the person behind grc.com) does not have the best
> reputation in the security community, so you may want to take
> anything coming from him with a grain of salt. The page Sebastian
> mentioned [1] offers some explanation as to why that is.
>

I've been to that site and while it makes good sense, there's nothing wrong
with referring a person to grc.com. It's probably the easiest port sniffer
for new users or the curious to access and understand.

What do you suggest to regular users?

> b) There's no such thing as a "hardware firewall". What you probably
> mean with this term is a firewall application or a firewalling
> router, but their operating system and firewall code is implemented
> in software as well. The advantage such devices have over so-called
> software firewalls is, that they can protect an entire subnet, and
> that they cannot be easily modified by arbitrary software running on
> a host in said subnet.
> However, when it comes to filtering unsolicited inbound traffic,
> there's not much of a difference between software firewalls and
> firewall applications.
>

Again, for new firewall users or those interested in firewalling... there's
nothing wrong with referring to standalone routers as "hardware firewalls".
Indeed, there's no easily accessible software inside them, unless you like
hacking such devices for fun. In any piece of complex internet appliances
there's going to be software... but it's buried in such good hardware that
it's totally invisible to normal users.

So, what's the harm with the term "hardware firewall"?

> c) If you remove the services you don't need to be accessible from
> external networks (be it by disabling them, or by unbinding them from
> the external interface), you don't even need a firewall in the first
> place, since the TCP/IP stack will reject incoming connection
> attempts all by itself.
>

That's the first step for securing any desktop or server and that's why I
mentioned it.

As a side note, it amazes me how people are so quick to correct and
re-define something as simple as offering help to someone.

You're totally correct of course, but is it really necessary to split hairs
and possibly confuse the original poster with all the gritty details?

Cheers.

--

Jerry McBride

Re: Is someone watching my computer?

on 15.01.2007 01:31:16 by Ansgar -59cobalt- Wiechers

Jerry McBride wrote:
> You're totally correct of course, but is it really necessary to split
> hairs and possibly confuse the original poster with all the gritty
> details?

Don't ask me. I was merely trying to explain what Sebastian probably
meant to tell you.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Is someone watching my computer?

on 15.01.2007 03:36:00 by unknown

Post removed (X-No-Archive: yes)

Re: Is someone watching my computer?

on 15.01.2007 07:48:56 by Volker Birk

Jerry McBride wrote:
> Visit grc.com

And don't forget to visit http://grcsucks.com

Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz

Cain & Abel and phishing sites

on 20.01.2007 05:31:48 by greyteabox

First, thank you everyone for your replies to my questions.

Since reading your replies I have investigated sniffing and tried out
Cain & Abel with two of my computers. I set up an "ARP Attack"...or
whatever you want to call it. I was shocked, and still am, at how easy
it was to steal passwords from another computer on the network via this
sniffing program. On the computer I was using to run Cain & Abel,
Norton threw MANY dialogs my way...as it should. But the computer I
was sniffing noticed nothing. I was able to steal passwords from
hotmail and yahoo accounts. Unsecured and secure connections both. On
the victim's computer I did have to accept a bogus certificate. But
after this certificate has been accepted everything appears to be ok
from the user's point of view. After shutting down Cain & Abel on the
attacking computer, the victim's internet browser realized that the
certificates for hotmail and yahoo were bogus and threw up dialogs
about invalid certificates. I had to go to the certificates section of
the browser and delete an extra, "odd" looking certificate. That fixed
the problem.

I have downloaded Promqry, a program that detects sniffing, and it did
identify the computer I was attacking with.

I have read that a different way to steal passwords is to create a fake
hotmail page, for example. After checking into this I have noticed
that some of the web pages for e-mail login are different at my work
place than they are at home. They don't give us company e-mail, but
have us use our personal e-mail for work communication. The fact that
the login pages look slightly different causes me to wonder about this.
The address in the address bar is exactly the same as at home...

Is it possible, on a local network, to set up a phishing site that will
go undetected by users? Make the address in the address bar look
legitimate, deal with all certificate issues?

Thanks!
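
The ARP attack described in this post leaves a footprint on the victim that a defender can look for without a sniffer detector: the gateway's IP suddenly resolves to a different hardware address, and one MAC answers for two IPs. This is an added example, not code from the thread; the two `arp -a` snapshots are constructed to resemble Windows XP output (only the IP and MAC columns are relied on).

```python
"""Detect ARP cache poisoning (the "ARP attack" Cain & Abel performs) from
two `arp -a` snapshots. Added example, not part of the thread. The
snapshots below are constructed to mimic Windows XP output.
"""
import re
from collections import defaultdict

# Constructed "before" snapshot: gateway .1 and a neighbour .20.
ARP_BEFORE = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
"""

# Constructed "after" snapshot: the gateway's IP now resolves to the
# neighbour's MAC, so traffic meant for the gateway is delivered to .20.
ARP_AFTER = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-ee     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
"""

# Matches an IPv4 address followed by a MAC in Windows (-) or Unix (:) style.
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b", re.IGNORECASE
)


def parse_arp_table(text):
    """Map IP -> normalised MAC for every entry in an `arp -a` dump."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m["ip"]] = m["mac"].lower().replace(":", "-")
    return table


def find_duplicate_macs(table):
    """One MAC answering for several IPs is the classic poisoning footprint:
    an attacker claims the gateway's IP with its own hardware address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def diff_snapshots(before, after):
    """Report (ip, old_mac, new_mac) for IPs whose MAC changed.
    Legitimate changes happen (DHCP churn, a replaced NIC), but the
    gateway's MAC changing is worth a look every time."""
    changes = []
    for ip, old in before.items():
        new = after.get(ip)
        if new is not None and new != old:
            changes.append((ip, old, new))
    return changes


def analyse(before_text, after_text):
    """Run both checks across two raw `arp -a` dumps."""
    before = parse_arp_table(before_text)
    after = parse_arp_table(after_text)
    return {"changed": diff_snapshots(before, after),
            "duplicates": find_duplicate_macs(after)}


if __name__ == "__main__":
    print(analyse(ARP_BEFORE, ARP_AFTER))
```

Taking a snapshot on a known-clean network and comparing against it later is the cheap version of what dedicated ARP watchers do.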

Re: Is someone watching my computer?

on 20.01.2007 06:24:08 by Mel Bourne

http://www.linux-sec.net/Harden/harden.gwif.html bloody good for Linux
users.

Anybody know of a site for Win XP Pro Sp2 (home) users, stand-alone pc ?

"Sebastian Gottschalk" wrote in message
news:5107m1F1i3ganU1@mid.dfncis.de...
| Jerry McBride wrote:
|
| > I've been to that site and while it makes good sense, there's nothing wrong
| > with referring a person to grc.com. It's probably the easiest port sniffer
| > for new users or the curious to access and understand.
|
| Did you even read the article about ShieldsUp on grcsucks.com? It is not
| easy, because it's technically dysfunctional to no end. And it's not good
| for new users, because it tells a lot of nonsense.
|
| > What do you suggest to regular users?
|
| AFAIK the online portscan at speedguide.net seems to work well without
| telling nonsense. There are some other well-known port scan services based
| on Nmap, but sadly most of them mangle the output at the backend. I'd
| prefer the pure output like the Nmap at linux-sec.net, and I don't think
| that the text output is really that hard to understand.
|
| After all, why should someone without a clue about networking hassle with a
| port scan? They should shut down their services and verify that with
| 'netstat'. And please just that. No bullshitting around with pseudo
| firewalls.
|
| > So, what's the harm with the term "hardware firewall"?
|
| Nothing. But you were suggesting that a dedicated firewall would be any
| better wrt filtering inbound traffic because they're running on dedicated
| hardware.
|
| > That's the first step for securing any desktop or server and that's why I
| > mentioned it.
|
| Now if just the users would get that instead of installing a pseudo
| firewall...
|
| > As a side note, it amazes me how people are so quick to correct and
| > re-define something as simple as offering help to someone.
| >
| > You're totally correct of course, but is it really necessary to split hairs
| > and possibly confuse the original poster with all the gritty details?
|
| This is Usenet - a medium for discussion, not a support medium. Finding
| answers to your questions when starting a discussion about it is mere
| correlation, no goal.
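
Sebastian's "shut down your services and verify that with 'netstat'" and Ansgar's point (c) about unbinding services from the external interface come down to one check: which sockets are listening, and on which address. This is an added example, not code from the thread; the `netstat -an` sample is constructed to resemble Windows XP output, and the parser relies only on the Proto, Local Address and State columns.

```python
"""Audit `netstat -an` output for services reachable from the network.
Added example, not from the thread. The sample output is constructed to
look like Windows XP's; only the Proto/Local Address/State columns matter.
"""
import re

# Ports the thread calls out for stock VNC installs.
KNOWN_PORTS = {5800: "VNC web GUI", 5900: "VNC viewer"}

# Constructed sample: two Windows services, one VNC listener, one
# loopback-only listener, and an outbound browser connection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:123          *:*
"""

ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>[\d.]+):(?P<port>\d+)\s+\S+"
    r"(?:\s+(?P<state>\w+))?\s*$"
)


def parse_listeners(text):
    """Return (proto, bind_addr, port) for every socket that accepts input:
    TCP rows in LISTENING state and every UDP row (UDP rows carry no state)."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if m["proto"] == "TCP" and m["state"] != "LISTENING":
            continue
        out.append((m["proto"], m["addr"], int(m["port"])))
    return out


def is_exposed(bind_addr):
    """Loopback binds cannot be reached from the LAN; anything else can."""
    return not bind_addr.startswith("127.")


def audit(text):
    """List the network-reachable listeners, annotating ports the thread names."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if is_exposed(addr):
            findings.append({"proto": proto, "bind": addr, "port": port,
                             "note": KNOWN_PORTS.get(port, "")})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print(finding)
```

Every entry the audit returns is a service to either disable or rebind to 127.0.0.1 unless you know why it must be reachable.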

Re: Is someone watching my computer?

on 20.01.2007 09:33:19 by Volker Birk

Mel Bourne wrote:
> Anybody know of a site for Win XP Pro Sp2 (home) users, stand-alone pc ?

http://ntsvcfg.de/ntsvcfg_eng.html

Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz

Re: Cain & Abel and phishing sites

on 20.01.2007 09:35:13 by Volker Birk

teabox wrote:
> Is it possible, on a local network, to set up a phishing site that will
> go undetected by users? Make the address in the address bar look
> legitimate, deal with all certificate issues?

To set it up? Easy. To attack successfully? Depends on whether users are
checking certificates with care.

Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz

Re: Cain & Abel and phishing sites

on 20.01.2007 14:13:18 by greyteabox

> To set it up? Easy. To attack successfully? Depends on whether users are
> checking certificates with care.

Let's say that someone else uses the computer and accepts bogus
certificates. How can subsequent users double check these
certificates?

Thanks!

TB

>
> Yours,
> VB.
> --
> "Pornography is an abstract phenomenon. It cannot exist without a medium
> to propagate it, and it has very little (if anything at all) to do with sex."
> Tina Lorenz
>

Re: Cain & Abel and phishing sites

on 20.01.2007 15:30:23 by Volker Birk

teabox wrote:
> Let's say that someone else uses the computer and accepts bogus
> certificates.

Who accepts bogus certificates, loses.

> How can subsequent users double check these
> certificates?

By not trusting in other users.

Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz

Re: Is someone watching my computer?

on 21.01.2007 01:54:05 by Mel Bourne

"Volker Birk" wrote in message
news:45b1e1df@news.uni-ulm.de...
| Mel Bourne wrote:
| > Anybody know of a site for Win XP Pro Sp2 (home) users, stand-alone pc ?
|
| http://ntsvcfg.de/ntsvcfg_eng.html
|
| Yours,
| VB.
| --
| "Pornography is an abstract phenomenon. It cannot exist without a medium
| to propagate it, and it has very little (if anything at all) to do with sex."
| Tina Lorenz
|

Great, thanks a bunch!!! :)