
Virus running through Celcom’s Broadband service

paan, 7 March 2008, Monster Servant

If you are using Celcom's Broadband service then this is something you have to know. First some background. Celcom's way of connecting you to the internet is, roughly, to put everybody on the same big LAN and then route all users to the internet through their proxy. To anyone else on the internet, we all look like one person/computer. That is why, if you are using Celcom, you are sometimes blocked by services like http://www.spamhaus.org or http://cbl.abuseat.org/ or any other service that does IP-based filtering and/or banning. If some jerk on Celcom is being a jerk on your favorite message board and gets banned, chances are you'll be banned too.

Spamhaus Banning

Another caveat of this is that everyone using Celcom is essentially on the same LAN as you. So if someone has a virus, it spreads much more easily. And now apparently someone got infected by a Fujacks worm; the technical name, as ESET detects it, is Win32/Fujacks.S.

The virus spreads by trying to infect any shared folder it can reach on the network. At work I swapped files a lot with my fellow co-workers, so I had a shared folder with write access enabled so that anyone could just copy a file over when they wanted me to take a look at it. This is a BIG risk. But sometimes convenience trumps security, even if all the guys at the office are very, very tech and security savvy. We work on an identity management system; security is our job, after all.

Nod32 Detecting Win32/Fujacks.S

Windows shared folders have a hard time with computers across different domains/workgroups, so usually anything spreading through Windows shared folders only happened on local networks and not on the open internet. And the guys here all have PCs as clean as a whistle. But with Celcom broadband connected, suddenly I am on a big network with all kinds of (infected) PCs.

So the two factors above combined to cause an infection. The virus does a lot of things, like disabling services it thinks will stop its spread, such as commonly used virus scanners (AVG, McAfee, etc.). One nasty thing it does is delete any .GHO files it finds. .GHO files are Norton Ghost files, usually used to image a hard disk for backup. That's why you always hear people telling you to keep an offsite physical backup. It also infects popular web files: all files with the extension ASP, PHP, HTML or JSP are modified so that they show a certain website when they are run. So if you are running a web server it's also a very nasty thing to have.
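A baseline-and-diff check for the two file effects described above (web files being rewritten, .GHO images disappearing), as an added example that is not part of the original post; the directory layout, file contents and the simulated changes are all constructed here, and the baseline format is an assumption.

```python
"""Hash a web root once, hash it again later, and report what changed.
Added example; the files and the simulated changes are constructed."""
import hashlib
import os
import tempfile

# Extensions the post says the worm touches: web files it modifies,
# Norton Ghost images it deletes.
WATCHED = {".asp", ".php", ".html", ".jsp", ".gho"}

def snapshot(root):
    """Map relative path (forward slashes) -> SHA-256 of every watched file."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in WATCHED:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest
    return baseline

def diff(old, new):
    """Return (modified, deleted, added) relative paths, each sorted."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    deleted = sorted(p for p in old if p not in new)
    added = sorted(p for p in new if p not in old)
    return modified, deleted, added

def demo():
    """Constructed scenario: one page gets appended to, one .GHO is removed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "www"))
        for rel, body in [("www/index.html", b"<html>ok</html>"),
                          ("www/login.php", b"<?php echo 1; ?>"),
                          ("backup.gho", b"ghost-image-bytes"),
                          ("notes.txt", b"not a watched type, ignored")]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        before = snapshot(root)
        # Simulate the two effects the post describes (no worm involved).
        with open(os.path.join(root, "www", "index.html"), "ab") as fh:
            fh.write(b"<!-- appended content -->")
        os.remove(os.path.join(root, "backup.gho"))
        return diff(before, snapshot(root))

if __name__ == "__main__":
    print(demo())  # (['www/index.html'], ['backup.gho'], [])
```

In practice the baseline would be written out from a known-good state and compared on a schedule; a new entry in the modified or deleted lists is the signal to investigate.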

So after that little incident I have disabled all the shares on my PC. If you are like me and still want a way to share files on your network, I suggest an SFTP server. coreftp.com, the makers of the CoreFTP client, also have a simple, stripped-down SFTP server. Core FTP/SFTP Server is a very simple SFTP server: no fancy configuration, no multi-level ACL, just a plain SFTP server. You fire it up, it asks for the username and password you want people to use to connect, you put in the root path of the directory you wish to share and click "Start". That's all, you have it running. No messing around with SSH keys, no config, nothing. Just a simple SFTP server, good enough to use on the office LAN.

Core FTP/SFTP Server

This is just one of the ways to secure your PC; I'm sure there are many others. You can tell me how you secure your PC in the comments.
