[Dshield] Consensus Question

Internet Security Surfer issc at pfunkjr.dissimulo.com
Wed Dec 3 15:38:01 GMT 2003

After reading this from Panda Software's Web Site Description of

"It also sometimes acts as a backdoor type Trojan, allowing a hacker to
carry out the following actions on affected computers:
- List, start and end processes.
- List, copy and delete files.
- Send out files containing the keystrokes captured by the keylogger.
- Send information from the affected computer.
- List the network resources and characteristics.
- Open an HTTP server to interact remotely through a web interface.
It looks for a series of processes related to antivirus and security
programs. If they are enabled, it ends them. By doing this these
programs will stop running. For a list of these processes, click here.
It opens port 1080, which allows hackers to gain remote access to the
affected computer.
It logs the keystrokes in a file. By doing this, hackers that accessed
this file would be able to obtain confidential data such as passwords
for accessing certain Internet services, bank accounts, etc. The
keylogger information is sent when the data saved exceeds 25,000 bytes
or every two hours."

So, how long was this machine infected before you were notified? I have
to go with a worst case and assume days.

I would inform the customer that ALL of his/her passwords and accounts
are potentially compromised. If possible, I would have them view one of the
A-V web sites that has an explanation like the above and discuss what it
means. It is then the customer's responsibility to believe it or not.

You would be well advised to consult an attorney so that your service
agreements contain a "hold-harmless" and "limitation of liability."
Whether the customer believes that their bank accounts and credit cards
are compromised or not, I would have the customer sign a hold-harmless
and limitation of liability agreement(s) which reads that you have
discovered a malicious program that has the potential to cause serious
injury to the customer's financial and physical well-being (Someone,
using this information could show up at their address to rob them - who
knows what could happen) and that you will accept no liability for those
potential damages. I mention this because this is a litigious society
and people do not understand our business. As a result, you could wind
up being sued.

Now, having said all that, I think that a customer would then be
motivated to change their account information after being presented with
a "hold-harmless" and "limitation of liability" contract by you.

If you are loath to contact an attorney, then pick up one of those "be
your own lawyer" kits and copy the information into an agreement that
you could use.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Paul Marsh
Sent: Wednesday, December 03, 2003 9:11 AM
To: list at dshield.org
Subject: [Dshield] Consensus Question

Morning All:

  This has been on my mind for awhile now and even more last night while
I was working on a customer's box that was infected with Bugbear along
with a few other nasty little bugs.  With all the Viri and Trojans
running around these days, for the most part an average user is unknowing
and unprotected, which inevitably ends up with them being infected and
compromised.  What do you tell them when you return the box?  I don't
know if it's overkill telling them that they should really think about
changing credit card numbers and passwords and take a good hard look at what
personal information is/was on the box.  What is the general consensus
of the list?
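Two of the behaviours in the quoted Panda write-up (a backdoor listener on TCP 1080 and terminated AV processes) can be checked on a returned box before deciding what to tell the customer. The script below is an added example, not part of the original thread or of any vendor tool; the netstat text, the process list and the names in EXPECTED_SECURITY_PROCESSES are constructed for illustration (the real list of processes the worm terminates is only linked from the Panda page, not reproduced here).

```python
"""Triage check for two Bugbear indicators from the quoted Panda write-up:
a TCP listener on port 1080 and missing antivirus/firewall processes.
Added example; all sample data below is constructed, not captured."""
import re

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1062       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed names for illustration only; substitute the products actually
# installed on the machine being examined.
EXPECTED_SECURITY_PROCESSES = {"avguard.exe", "zonealarm.exe"}

# Constructed process list for a box where the AV scanner was killed.
SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "zonealarm.exe"]

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.I)


def suspect_listeners(netstat_text, ports=frozenset({1080})):
    """Return (address, port) for TCP listeners on the given ports.
    Port 1080 is also the usual SOCKS proxy port, so a hit is a lead to
    verify against the machine's known configuration, not proof."""
    hits = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) in ports:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def missing_security_processes(running, expected=EXPECTED_SECURITY_PROCESSES):
    """Expected security processes not seen running (case-insensitive).
    The write-up says the worm ends such processes, so absence of a
    product that should be running is a second indicator worth noting."""
    seen = {p.lower() for p in running}
    return sorted(p for p in expected if p.lower() not in seen)


if __name__ == "__main__":
    print("suspect listeners:", suspect_listeners(SAMPLE_NETSTAT))
    print("missing security processes:",
          missing_security_processes(SAMPLE_PROCESSES))
```

Neither check is conclusive on its own; treat hits as reasons to keep the box offline and to repeat the conversation about changing passwords and account details described above.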
