Solved Possible Network Intrusion.

Status
Not open for further replies.

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Although my other posts may seem like I’m paranoid, I think this is a cause for concern.

I’ve noticed a file from WireGuard VPN on my computer. I don’t use WireGuard, nor have it installed. I also have noticed weird registry changes, leading me to believe it’s a malware infection which I’ll deal with.

However: WireGuard has the ability to connect to a home network and view things within it externally. I’m concerned about them possibly enabling network settings on my devices or there being an intrusion on the network.

1: Is this a legitimate cause for concern?
2: What should I do here considering I do not have access to everything in my network as my parents manage the Wi-Fi.

Bot

AI-powered Bot
Apr 21, 2016
3,562
1: Yes, this is a legitimate cause for concern as unauthorized files and registry changes can indicate a security breach.
2: Firstly, run a thorough malware scan on your system. Secondly, inform your parents about the potential security threat and ask them to change the Wi-Fi password. Finally, consider contacting a professional to inspect your network for any vulnerabilities.
 

Azazel

Level 6
Jun 15, 2023
267
Two possibilities to protect yourself:
1. Harden your Computer firewall
2. Assume your Network is insecure and use vpn
3. Ask your parents to check the router is up to date and the firewall is on with closed ports.
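Added example, not from Azazel's post or anyone else's in the thread: the "harden your computer firewall" and "closed ports" points, as actually audited and applied on the Windows PC from an elevated PowerShell prompt. It assumes the built-in Windows Defender Firewall (NetSecurity module) and English display-group names; the Get- lines only read, the Set-/Disable- lines change state.

```powershell
# Added example, not from the thread: audit the Windows Defender Firewall, then tighten it.
# Run in an elevated PowerShell. Assumes the built-in firewall (NetSecurity module) and
# English display-group names.

'== Profile state: all three should be Enabled with DefaultInboundAction = Block =='
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction | Format-Table -AutoSize

'== Active inbound allow rules: every one is a hole in the default inbound block =='
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Group     = $_.DisplayGroup
        Profile   = $_.Profile
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
    }
} | Sort-Object Group, Rule | Format-Table -AutoSize

# Hardening. Turn every profile on and block unsolicited inbound traffic by default; on the
# Public profile (hotspots, untrusted Wi-Fi) ignore per-app allow rules entirely.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Public -AllowInboundRules False

# Close the inbound surfaces a home PC rarely needs. If this machine does serve files to the
# home LAN, leave 'File and Printer Sharing' enabled on the Private profile instead.
'Remote Desktop', 'File and Printer Sharing', 'Windows Remote Management' | ForEach-Object {
    Disable-NetFirewallRule -DisplayGroup $_ -ErrorAction SilentlyContinue
}

# Re-check: the count of active inbound allow rules should have dropped.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Measure-Object | Select-Object Count
```

The router side of point 3 cannot be scripted from the PC: "closed ports" there means no port-forwarding entries and UPnP switched off in the router's admin page, which is something the parents who manage the Wi-Fi have to check.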

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
> Two possibilities to protect yourself:
> 1. Harden your Computer firewall
> 2. Assume your Network is insecure and use vpn
> 3. Ask your parents to check the router is up to date and the firewall is on with closed ports.
So always use a VPN? Is there any way to get to a point where I don’t have to use a VPN?

Do I need to mess with passwords again on my phone or will 2FA cover that?
 
Last edited:

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Hello @Xeno1234

I would highly suggest the following.

To be safe, boot Windows into "Safe Mode without Network".

Reason is the following:
- Identify what has been done!
- Some things do not need Malware to be found as to be an intrusion. (Zero Days exist too...)
- The other part is to see what changes have been made? (Mega Share / Dropbox / Windows File Share / OneDrive and so on...) could be used to exfiltrate Data.
- Checking Windows Services (ZeroTier, TeamViewer, AnyDesk and so on...) could be used to Remote to devices
- SSH Ports / Remote PowerShell / RDP can be hijacked too.

What to do next?
- Best Practice would be to Reinstall Windows if you want to be super safe.
- In terms of reinstall - prepare a USB-Boot Windows Image on a safe system.
- Wipe the SSD / HDD and Reinstall Windows

Why so harsh?
- As long as there is no XDR / EDR to truly identify what has been done. This is the safest way!!!

What next?
- Install Windows and Drivers as usual.
- Harden your Windows Settings
- Use an AV or Windows Defender with an active O365 Subscription (As a Private Person)

Why do standard AVs not find the intrusion?
- It truly depends on the budget and expertise of the user.
- 1st line of defence is the User.
- 2nd a secure Network Infrastructure (Router with Firewall enabled and NO Port Forwardings or UPnP)
- 3rd solid Secure configuration Windows (Disable Network Sharing is just an example...)
- 4th if Wireless is in use this can be hijacked if the SSID is not secure with WPA3 plus a strong Password
- 5th if Bluetooth is in use check to see that only known devices are connected
- 6th Browse the WWW with care and always use a proper Blocker (uBlock Origin in Expert Mode but needs some getting used to...)

What can I recommend? (As a Sophos Architect on Endpoint Security I am biased and am not a friend of AV-Products for Consumers) Reason for that is unneeded bloat...
- Business Class Security Products need expertise to use.
- Consumer Class Security Products are made for ease of use. Please refer to the community here for recommendations. There are Users that have great experiences.
- There are AV Products that can Prevent Infection before it creates files on the system others can revert changes made and so on... (As a minimum I would suggest: Zero-Day Protection / Application Control / Ransomware Protection / Web Control / SSL-Inspection (WARNING: SSL-Inspection can cause issues also with games))

If you have any questions, I am happy to help

Sincerely
Val.
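Added example, not part of valvaris's post: a read-only PowerShell sweep of the things the post says to check, namely remote-access services (ZeroTier, TeamViewer, AnyDesk and the like), the built-in RDP / WinRM / SSH surfaces, SMB shares, listening ports and autostart entries living in user-writable paths. The list of product names is my own assumption and is meant to be extended. Installed services, shares and autostarts can be read in Safe Mode; the listening-port section only reflects the current boot, so for that part boot normally with the network cable unplugged and Wi-Fi off.

```powershell
# Added example, not from the thread. Inventory of remote-access and exfil surfaces on a
# Windows PC. Read-only: it lists, it changes nothing. Run from an elevated PowerShell.

# Remote-access / tunnelling products to look for (assumed list; add your own).
$remoteTools = 'TeamViewer','AnyDesk','ZeroTier','Tailscale','RustDesk','Splashtop',
               'LogMeIn','ngrok','WireGuard','OpenVPN','Wintun'
$pattern = ($remoteTools | ForEach-Object { [regex]::Escape($_) }) -join '|'

'== Installed services that look like remote-access or tunnelling software =='
Get-CimInstance Win32_Service |
    Where-Object { ($_.Name + ' ' + $_.DisplayName + ' ' + $_.PathName) -match $pattern } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap

'== Built-in remote-management surfaces =='
[pscustomobject]@{
    RDP_Enabled  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 0
    WinRM        = (Get-Service WinRM).Status
    OpenSSH_sshd = (Get-Service sshd -ErrorAction SilentlyContinue).Status   # empty = OpenSSH Server not installed
} | Format-List

'== Listening TCP ports and their owning processes (current boot only) =='
Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Format-Table -AutoSize

'== SMB shares (one exfil path; sync clients like OneDrive/Dropbox are separate apps) =='
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize

'== Autostart entries and scheduled tasks that run from user-writable locations =='
$userWritable = 'AppData|ProgramData|\\Temp\\|\\Public\\|Downloads'
Get-CimInstance Win32_StartupCommand | Where-Object Command -match $userWritable |
    Select-Object Name, Command, Location, User | Format-Table -AutoSize -Wrap
Get-ScheduledTask | Where-Object {
        ($_.Actions.Execute -match $userWritable) -or ($_.Actions.Arguments -match $userWritable)
    } | Select-Object TaskName, TaskPath, State,
        @{n='Execute'; e={ $_.Actions.Execute -join '; ' }} | Format-Table -AutoSize -Wrap
```

Anything this turns up is a lead, not a verdict: a TeamViewer service you installed yourself is fine, an unknown service whose PathName points into AppData or Temp is not, and either way the post's advice to wipe and reinstall still stands if you cannot explain what you find.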

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
What would I check to see if these services could remote to devices?

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
> What would I check to see if these services could remote to devices?
It depends on your network:
- IoT devices could create persistence
- Other Computers can be Beacons for intrusion on a shared network
- Insecure Router or other Network devices Firmware can be used as an intrusion point

Why check for Windows Services?
- This can help on when things happen (Example: Teamviewer Service) Check file path to see when files have been created and check what has been changed on that day.

Now what?
- Even if all that can be found out on the current infiltrated system a reinstall is recommended!

If you have local Password Managers installed like KeePass / KeePassXC and such... It could be that those Passwords are insecure now... You can never know if stuff lands in the darkweb for analytics.

So, it is safe to change Passwords last used on all important accounts ASAP!

Best regards
Val.

Azazel

Level 6
Jun 15, 2023
267
> So always use a VPN? Is there any way to get to a point where I don’t have to use a VPN?
>
> Do I need to mess with passwords again on my phone or will 2FA cover that?
I don't use VPN at Home, I trust my Network.
If you trust your Home Network, don't use VPN.
If you don't trust it, use a VPN.

Use this on your Kaspersky.
 

Attachment: image.png
Mar 10, 2024
474
So let me get this straight, you found traces of the WireGuard protocol on your system, and claim you have never had a VPN on the system. Not one that may have been included in a security suite or anything, correct, that could have left traces upon uninstalling?

Also I'm pretty sure the answer to your OP above is not to smother your system in more applications and security.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
> So let me get this straight, you found traces of the WireGuard protocol on your system, and claim you have never had a VPN on the system. Not one that may have been included in a security suite or anything, correct, that could have left traces upon uninstalling?
>
> Also I'm pretty sure the answer to your OP above is not to smother your system in more applications and security.
Only Kaspersky VPN. The WireGuard file appeared one day after no uninstallations or anything.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Kaspersky VPN uses the WireGuard protocol.
I don’t see why that file appeared randomly on a specific day when I’ve had Kaspersky VPN installed before.

The file was called setupapihost.dll

It was run from system temp multiple times, each time from a different folder with random numbers.
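Added example, not from Xeno1234's or valvaris's posts: the investigation both of them are circling, done in PowerShell on the affected PC. For a DLL that shows up in random-numbered temp folders it records, per copy, the Authenticode signer, SHA-256, version info and creation time, and then pulls the service/installer events and the driver-install log entries for each day a copy appeared (valvaris's "check file path to see when files have been created and check what has been changed on that day"). The file name is the one reported in the thread; the temp locations and event IDs are standard Windows ones; the thread itself does not establish what the file is, and neither does this script, it only tells you who signed it and what else happened that day.

```powershell
# Added example, not from the thread. Pin down a DLL that appears in random temp folders:
# provenance of each copy (signer, hash, version info, creation time), then what else the
# system recorded on those days. Read-only; run elevated so the System temp folder is readable.
$FileName  = 'setupapihost.dll'   # name as reported in the thread; swap in whatever you are chasing
$tempRoots = @("$env:SystemRoot\Temp", "$env:SystemRoot\SystemTemp", $env:TEMP) |
    Where-Object { Test-Path $_ }

$copies = @(Get-ChildItem -Path $tempRoots -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue)
if ($copies.Count -eq 0) { "No $FileName under $($tempRoots -join ', ')"; return }

# 1. Who built each copy, and are all copies the same binary?
$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path     = $f.FullName
        Created  = $f.CreationTime
        Bytes    = $f.Length
        SHA256   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SigState = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer   = $sig.SignerCertificate.Subject   # publisher that signed it, if any
        Company  = $f.VersionInfo.CompanyName
        Product  = $f.VersionInfo.ProductName
    }
}
$report | Format-List
# One hash across every folder = the same binary re-extracted each time (typical of an installer
# or updater helper). Different hashes, NotSigned, or a signer that is not the product you
# expect are the cases worth escalating.
$report | Group-Object SHA256 | Select-Object Count, Name | Format-Table -AutoSize

# 2. What else changed on the day(s) the copies were created: new services, MSI installs,
#    and driver installs (a VPN tunnel driver install is logged in setupapi.dev.log).
foreach ($day in ($report.Created.Date | Sort-Object -Unique)) {
    "== $($day.ToString('yyyy-MM-dd')): service / installer events =="
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        Id        = 7045, 7040, 1033, 11707   # service installed, start type changed, MSI install, install completed
        StartTime = $day
        EndTime   = $day.AddDays(1)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{n='Message'; e={ $m = $_.Message -replace '\s+', ' '
                               if ($m.Length -gt 160) { $m.Substring(0, 160) + '...' } else { $m } }} |
        Format-Table -AutoSize -Wrap

    "== $($day.ToString('yyyy-MM-dd')): driver-install log entries =="
    Select-String -Path "$env:SystemRoot\INF\setupapi.dev.log" -Pattern $day.ToString('yyyy/MM/dd') `
        -Context 0, 3 -ErrorAction SilentlyContinue | Select-Object -First 20
}
```

The Kaspersky intrusion-prevention report that flagged the file should give the full path of each run; if the random-numbered folders have already been cleaned up, that report is the only place the exact paths and timestamps survive, so save it before reinstalling.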

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
> You probably just used another VPN service.... (and since you use VPNs quite often from reading your old messages)
It was all Kaspersky VPN. I’ve never installed another VPN.

I should also mention that this file wasn’t dropped, it was being run and logged by K intrusion prevention. It was an active file.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
> How did you already see this Wireguard file?
> Is it an information file? A driver?
> I'd need more information to understand too :/
I saw setupapihost.dll being run in the intrusion prevention reports. I’m not sure what it does but I’m pretty sure it’s part of WireGuard.
 
Mar 10, 2024
474
> I saw setupapihost.dll being run in the intrusion prevention reports. I’m not sure what it does but I’m pretty sure it’s part of WireGuard.
setupapi.dll file is a system file that is used by various Windows components and applications to install, configure, and manage.

If it appeared a day after like you stated above, that's probably when you first accessed and tried to use the VPN.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
> setupapi.dll file is a system file that is used by various Windows components and applications to install, configure, and manage.
>
> If it appeared a day after like you stated above, that's probably when you first accessed and tried to use the VPN.
I’ve used K VPN earlier and I also used K VPN and the file wasn’t run when I was using it, only delayed and after.

It was just run one day multiple times from a different system temp folder each time and I wasn’t interacting with a VPN at that time.

It was also setupapihost.dll, not setupapi.dll
 