Trojan causes problems with authentication in DEFCON!

Johnis
level2
Posts: 196
Joined: Sat Jun 16, 2007 12:26 pm
Location: GREECE

Postby Johnis » Wed Dec 19, 2007 6:43 pm

Today I had a serious problem with DEFCON authentication: an UNKNOWN instead of REGISTERED appeared.
After many, many, many hours of searching I found that I had a Trojan. Everything was working fine except DEFCON.
So..
if you have the same problem, search for "core.sys"
c:\windows\system32\drivers\Core.sys
c:\windows\backup_core.sys <-- or a similar name
go into safe mode (because the files are loaded as drivers in memory and cannot be deleted)
delete these 2 ugly files
regedit
delete a reg folder named CORE
REBOOT
the problem is over
jelco
level5
Posts: 6018
Joined: Sat Feb 18, 2006 7:45 am
Location: Cygnus X-1

Postby jelco » Thu Dec 20, 2007 12:42 pm

I think it'd be a good idea to post this in the DEFCON Windows Troubleshooting forum instead of the Lounge. Apart from that, it seems highly unlikely to me that a trojan would infect purely DEFCON, so you might want to check for other stuff running on your PC as well.

I must say that filenames like 'core.sys' would occur to me as crucial components of the system. I couldn't find enough info about it in a quick search, so I will not say that you're talking nonsense, but I'm a little uncertain as to whether this is true or not.

Jelco
"The ships hung in the sky much the same way that bricks don't."
- Douglas Adams
KingAl
level5
Posts: 4138
Joined: Sun Sep 10, 2006 7:42 am

Postby KingAl » Thu Dec 20, 2007 12:49 pm

jelco the galactaboy wrote:I think it'd be a good idea to post this in the DEFCON Windows Troubleshooting forum instead of the Lounge. Apart from that, it seems highly unlikely to me that a trojan would infect purely DEFCON, so you might want to check for other stuff running on your PC as well.

I must say that filenames like 'core.sys' would occur to me as crucial components of the system. I couldn't find enough info about it in a quick search, so I will not say that you're talking nonsense, but I'm a little uncertain as to whether this is true or not.

Jelco
core.sys isn't a system critical file; it's a common technique for trojans to use names that sound like system files - or even are exact matches of the names of system files - in order to divert suspicion, or lead people to err on the side of caution and assume it's safe.
Gentlemen, you can't fight in here: this is the War Room!
Ultimate Uplink Guide
Latest Patch
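KingAl's point, that malware borrows the names of system components so that a glance at a file list looks harmless, is something a defender can check for mechanically rather than by eye. The script below is an added example, not code from this thread or from Introversion. It takes an inventory of file paths (a constructed list modelled on the core.sys, backup_core.sys and svchost.exe paths mentioned in this thread, not data from any real machine), compares each name against a small illustrative baseline of where genuine Windows components and drivers belong (an assumption for illustration; a real check would use a trusted inventory for the installed Windows version), and reports files that use a system name in the wrong directory, kernel drivers sitting outside the drivers directory, drivers the baseline does not know, and any basename that turns up in more than one place.

```python
"""Flag files whose names imitate Windows system components.

Added example for this thread. The baseline below is a constructed,
deliberately tiny stand-in for a trusted inventory of the installed
Windows version; none of the sample paths come from a real machine.
"""
import ntpath
from collections import defaultdict

# Constructed baseline: canonical directory of a few genuine Windows binaries.
KNOWN_SYSTEM_FILES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# Constructed baseline: drivers the inventory is expected to contain.
KNOWN_DRIVERS = {"ntfs.sys", "tcpip.sys"}

# Where kernel drivers are expected to live.
DRIVER_DIR = r"c:\windows\system32\drivers"


def classify(path):
    """Classify one file path against the baseline.

    expected        - a known file in its canonical directory
    lookalike       - a known system-file name in some other directory
    stray_sys       - a kernel driver (.sys) outside the drivers directory
    unlisted_driver - a .sys in the drivers directory the baseline lacks
    unlisted        - anything else the baseline says nothing about
    """
    directory, name = ntpath.split(path.lower())
    directory = directory.rstrip("\\")
    canonical = KNOWN_SYSTEM_FILES.get(name)
    if canonical is not None:
        return "expected" if directory == canonical else "lookalike"
    if name.endswith(".sys"):
        if directory != DRIVER_DIR:
            return "stray_sys"
        if name not in KNOWN_DRIVERS:
            return "unlisted_driver"
        return "expected"
    return "unlisted"


def find_suspicious(paths):
    """Return {path: reason} for every entry that deserves a closer look.

    Besides the per-file verdict, any basename that appears in more than
    one directory is reported: a second copy of a system binary is exactly
    how the svchost.exe-style disguises described in this thread show up,
    and the genuine copy is reported too so both can be compared.
    """
    findings = {}
    dirs_by_name = defaultdict(set)
    for p in paths:
        directory, name = ntpath.split(p.lower())
        dirs_by_name[name].add(directory.rstrip("\\"))
        verdict = classify(p)
        if verdict in ("lookalike", "stray_sys", "unlisted_driver"):
            findings[p] = verdict
    for p in paths:
        name = ntpath.basename(p.lower())
        if len(dirs_by_name[name]) > 1 and p not in findings:
            findings[p] = "duplicate_name"
    return findings


# Constructed inventory modelled on the paths mentioned in the thread.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\drivers\Core.sys",
    r"C:\Windows\backup_core.sys",
    r"C:\Users\Public\svchost.exe",
    r"C:\Windows\System32\drivers\ntfs.sys",
]

if __name__ == "__main__":
    for path, reason in sorted(find_suspicious(SAMPLE_INVENTORY).items()):
        print(f"{reason:16} {path}")
```

Run against the sample inventory, the genuine ntfs.sys is the only entry that passes; Core.sys is reported because no baseline knows it, backup_core.sys because a driver has no business sitting in c:\windows, and both svchost.exe copies because the name exists in two directories, with the one outside System32 additionally marked as a lookalike. The check is a naming heuristic only: a correctly named, correctly placed but replaced file needs signature or hash verification, which is outside what this script does.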
jelco
level5
Posts: 6018
Joined: Sat Feb 18, 2006 7:45 am
Location: Cygnus X-1

Postby jelco » Thu Dec 20, 2007 1:02 pm

I kind of expected that, but I just couldn't find enough information about it on the net. Anyway, I'd still advise Johnis to run a scan on his PC because trojans keep getting more difficult to remove.

Jelco
"The ships hung in the sky much the same way that bricks don't."
- Douglas Adams
coolsi
level5
Posts: 3990
Joined: Wed Apr 10, 2002 6:46 pm

Postby coolsi » Thu Dec 20, 2007 1:46 pm

jelco the galactaboy wrote:I must say that filenames like 'core.sys' would occur to me as crucial components of the system. I couldn't find enough info about it in a quick search, so I will not say that you're talking nonsense, but I'm a little uncertain as to whether this is true or not.
Then you've been fooled, exactly as the trojan wanted.

Exactly how quick was your search? A Google search for "core.sys" tells you that it is a rootkit. Look for yourself...
Nakatomi is coming
shinygerbil
level5
Posts: 4667
Joined: Wed Dec 22, 2004 10:14 pm
Location: Out, finding my own food. Also, doing the shinyBonsai Manoeuvre(tm)

Postby shinygerbil » Thu Dec 20, 2007 2:21 pm

I had some kind of keylogger called svchost.exe on my old computer for weeks. Didn't even notice. Damn always-on connections.
Here is my signature. Make of it what you will.
jelco
level5
Posts: 6018
Joined: Sat Feb 18, 2006 7:45 am
Location: Cygnus X-1

Postby jelco » Thu Dec 20, 2007 5:24 pm

coolsi wrote:Then you've been fooled, exactly as the trojan wanted.

Exactly how quick was your search? A Google search for "core.sys" tells you that it is a rootkit. Look for yourself...
Well, the Dutch Google didn't really return any useful results. As for the fooling part, that was a possibility I thought about (as mentioned above). I experimented with an advanced keylogger/screencapture app once which disguised itself as svchost.exe (believe it was called SpyAnytime). That didn't work on Windows 98 though. :D

Jelco
"The ships hung in the sky much the same way that bricks don't."
- Douglas Adams
LordSturm
level4
Posts: 562
Joined: Mon Oct 02, 2006 5:13 am
Location: Australia - No Nukes :(

Postby LordSturm » Fri Dec 21, 2007 9:23 am

However, I doubt this 'trojan' has any relevance to DEFCON.

There could be many reasons for the "UNKNOWN" showing up.

Your key is not "AUTHENTICATED" permanently when you first enter it; it checks the internet constantly, and without the "access" it needs to connect it resorts to "unknown", which means, "I've authenticated this key, but I can't do it again right now." (Which is the approach the first DEFCON 'crack's took... [Just an FYI])

The trojan was probably obscuring your DNS, and therefore probably preventing DEFCON from checking the key... something like that.
"Surely you didn't mean to press that button just then did you?"
"No, nor will i disarm the nukes."
"Oh well, I will have my Fighters shoot them down."
"Sure you will."
"Oh NOES, ITS BEEN PATCHED!!!"
Johnis
level2
Posts: 196
Joined: Sat Jun 16, 2007 12:26 pm
Location: GREECE

THAT'S IT!!

Postby Johnis » Fri Dec 21, 2007 10:51 am

It's called Smitfraud-C.CoreService

This trojan horse gets installed as a driver, constantly runs in the background and connects to malicious servers without any user consent. Removal may require manually closing the file handles of core.cahce.dsk and core.sys residing in the folder \windows\system32\drivers\.

I found the answer on a forum.
