Trojan causes problems with authentification in DEFCON!

Johnis · Postby **Johnis** » Wed Dec 19, 2007 6:43 pm

Today i had serious problem with DEFCON authentification.an UKNOWN istead of REGISTERED apeared.
After many many many hours of searching i have found that i had a Trojan. Everything was working fine exept DEFCON
So..
if you have same problem like that search for "core.sys"
c:\windows\system32\drivers\Core.sys
c:\windows\backup_core.sys <----------------------------or similar name
go in safe mode (because the files are loaded as drivers in memory and cannot be deleted)
delete these 2 ugly files
regedit
delete a reg folder named CORE
REBOOT
the problem is over

KingAl · Postby **KingAl** » Thu Dec 20, 2007 12:49 pm

jelco the galactaboy wrote:I think it'd be a good idea to post this in the DEFCON Windows Troubleshooting forum instead of the Lounge. Apart from that, it seems highly unlikely to me that a trojan would infect purely DEFCON, so you might want to check for other stuff running on your PC as well.

I must say that filenames like 'core.sys' would occur to me as crucial components of the system. I couldn't find enough info about it in a quick search, so I will not say that you're talking nonsense, but I'm a little uncertain as to whether this is true or not.

Jelco

core.sys isn't a system critical file; it's a common technique for trojans to use names that sound like system files - or even are exact matches of the names of system files - in order to divert suspicion, or lead people to err on the side of caution and assume it's safe.

coolsi · Postby **coolsi** » Thu Dec 20, 2007 1:46 pm

jelco the galactaboy wrote:I must say that filenames like 'core.sys' would occur to me as crucial components of the system. I couldn't find enough info about it in a quick search, so I will not say that you're talking nonsense, but I'm a little uncertain as to whether this is true or not.

Then you've been fooled, exactly as the trojan wanted.

Exactly how quick was your search? A Google search for "core.sys" tells you that it is a rootkit. Look for yourself...

shinygerbil · Postby **shinygerbil** » Thu Dec 20, 2007 2:21 pm

I had some kind of keylogger called svchost.exe on my old computer for weeks. Didn't even notice. Damn always-on connections.

LordSturm · Postby **LordSturm** » Fri Dec 21, 2007 9:23 am

However i doubt this 'trojan' has any relevance to DEFCON.

There could be many reasons for the "UNKNOWN" showing up.

Your key is not "AUTHENTICATED" permanently when you enter it first, it will check the internet constantly, without the "access" it needs to connect it resorts to "unknown" which means, "I've authenticated this key, but I can't do it again right now." ( Which is the approach the first defcon 'crack's took... [Just a FYI] )

The trojan was probably obscuring your dns, and therefore probably disallowing defcon to check the key... something like that.

Johnis · Postby **Johnis** » Fri Dec 21, 2007 10:51 am

Its called Smitfraud-C.CoreService

This trojan horse gets installed as a driver and constantly runs in background and connects to malicious servers without any user consent. Removal may require to manually close the file handles of the core.cahce.dsk and core.sys residing in the folder \windows\system32\drivers\.

i found the answer at a forum.

Trojan causes problems with authentification in DEFCON!

Trojan causes problems with authentification in DEFCON!

THATS IT !!

Who is online