Solved Possible Network Intrusion.

[Xeno1234]

Although my other posts may seem like I’m paranoid, I think this is a cause for concern.

I’ve noticed a file from wire guard VPN on my computer. I dont use wireguard, nor have it installed. I also have noticed weird registry changes, leading me to believe it’s a malware infection which I’ll deal with.

However: Wireguard has the ability to connect to a home network and view things within it externally. I’m concerned about them possibly enabling network settings on my devices or there being a intrusion on the network.

1: Is this a legitimate cause for concern?
2: What should I do here considering I do not have access to everything in my network as my parents manage the Wi-Fi.

 

[Bot]

1: Yes, this is a legitimate cause for concern as unauthorized files and registry changes can indicate a security breach.
2: Firstly, run a thorough malware scan on your system. Secondly, inform your parents about the potential security threat and ask them to change the Wi-Fi password. Finally, consider contacting a professional to inspect your network for any vulnerabilities.

 

[Azazel]

Two possibilities to protect yourself:
1. Harden your Computer firewall
2. Assume your Network is insecure and use vpn
3. Ask your parents to check the router is up to date and the firewall is on with closed ports.

 

[Xeno1234]

Two possibilities to protect yourself:
1. Harden your Computer firewall
2. Assume your Network is insecure and use vpn
3. Ask your parents to check the router is up to date and the firewall is on with closed ports.

So always use a VPN? Is there any way to get to a point where I don’t have to use a VPN?

Do I need to mess with passwords again on my phone or will 2FA cover that?

 

[valvaris]

Hello @Xeno1234

I would highly suggest the following.

To be safe boot Windows in to "Safe Mode without Network".

Reason is the following:
- Identify what has been done!
- Some things do not need Malware to be found as to be an intrusion. (Zero Days exist too...)
- The other part is to see what changes have been made? (Mega Share / Dropbox / Windows File Share / One Drive and so on...) could be used to exfiltrate Data.
- Checking Windows Services (Zero Tier, TeamViewer, AnyDesk and so on...) could be used to Remote to devices
- SSH Ports / Remote PowerShell / RDP can be hijacked too.

What to do next?
- Best Practice would be to Reinstall Windows if you want to be super safe.
- In terms of reinstall - prepare a USB-Boot Windows Image on a safe system.
- Wipe the SSD / HHD and Reinstall Windows

Why so harsh?
- As long as there is no XDR / EDR to truly identify what has been done. This is the safest way!!!

What next?
- Install Windows and Drivers as usual.
- Harden your Windows Settings
- Use an AV or Windows Defender with an active O365 Subscription (As a Private Person)

Why do standard AVs not find the intrusion?
- It truly depends on the budget and expertise of the user.
- 1st line of defence is the User.
- 2nd a secure Network Infrastructure (Router with Firewall enabled and NO Port Forwardings or Upnp)
- 3rd solid Secure configuration Windows (Disable Network Sharing is just an example...)
- 4th if Wireless is in use this can be hijacked if the SSID is not secure with WPA3 plus a strong Password
- 5th if Bluetooth is in use check to see that only known devices are connected
- 6th Browse the WWW with care and always use a Propper Blocker (Ublock Origin in Expert Mode but needs some getting use too...)

What can I recommend? (As a Sophos Architect on Endpoint Security I am biased and am not a friend of AV-Products for Consumers) Reason for that is unneeded bloat...
- Business Class Security Products need expertise to use.
- Consumer Class Security Products are made for ease of use. Please refer to the community here for recommendations. There are Users that have great experiences.
- There are AV Products that can Prevent Infection before it creates files on the system others can revert changes made and so on... (As a minimum I would suggest: Zero-Day Protection / Application Control / Ransomware Protection / Web Control / SSL-Inspection (WARNING: SSL-Inspection can cause issues also with games))

If you have any questions, I am happy to help

Sincerely
Val.

 

[Xeno1234]

Hello @Xeno1234

I would highly suggest the following.

To be safe boot Windows in to "Safe Mode without Network".

Reason is the following:
- Identify what has been done!
- Some things do not need Malware to be found as to be an intrusion. (Zero Days exist too...)
- The other part is to see what changes have been made? (Mega Share / Dropbox / Windows File Share / One Drive and so on...) could be used to exfiltrate Data.
- Checking Windows Services (Zero Tier, TeamViewer, AnyDesk and so on...) could be used to Remote to devices
- SSH Ports / Remote PowerShell / RDP can be hijacked too.

What to do next?
- Best Practice would be to Reinstall Windows if you want to be super safe.
- In terms of reinstall - prepare a USB-Boot Windows Image on a safe system.
- Wipe the SSD / HHD and Reinstall Windows

Why so harsh?
- As long as there is no XDR / EDR to truly identify what has been done. This is the safest way!!!

What next?
- Install Windows and Drivers as usual.
- Harden your Windows Settings
- Use an AV or Windows Defender with an active O365 Subscription (As a Private Person)

Why do standard AVs not find the intrusion?
- It truly depends on the budget and expertise of the user.
- 1st line of defence is the User.
- 2nd a secure Network Infrastructure (Router with Firewall enabled and NO Port Forwardings or Upnp)
- 3rd solid Secure configuration Windows (Disable Network Sharing is just an example...)
- 4th if Wireless is in use this can be hijacked if the SSID is not secure with WPA3 plus a strong Password
- 5th if Bluetooth is in use check to see that only known devices are connected
- 6th Browse the WWW with care and always use a Propper Blocker (Ublock Origin in Expert Mode but needs some getting use too...)

What can I recommend? (As a Sophos Architect on Endpoint Security I am biased and am not a friend of AV-Products for Consumers) Reason for that is unneeded bloat...
- Business Class Security Products need expertise to use.
- Consumer Class Security Products are made for ease of use. Please refer to the community here for recommendations. There are Users that have great experiences.
- There are AV Products that can Prevent Infection before it creates files on the system others can revert changes made and so on... (As a minimum I would suggest: Zero-Day Protection / Application Control / Ransomware Protection / Web Control / SSL-Inspection (WARNING: SSL-Inspection can cause issues also with games))

If you have any questions, I am happy to help

Sincerely
Val.

What would I check to see if these services could remote to devices?

 

[valvaris]

What would I check to see if these services could remote to devices?

It depends on your network:
- IoT devices could create persistence
- Other Computers can be Beacons for intrusion on a shared network
- Insecure Router or other Network devices Firmware can be used as an intrusion point

Why check for Windows Services?
- This can help on when things happen (Example: Teamviewer Service) Check file path to see when files have been created and check what has been changed on that day.

Now what?
- Even if all that can be found out on the current infiltrated system a reinstall is recommended!

If you have local Password Managers installed like Keepass / Keepass XC and such... It could be that those Passwords are insecure now... You can never know if stuff lands in the darkweb for analytics.

So, it is safe to change Passwords last used on all important accounts ASAP!

Best regards
Val.

 

[Azazel]

So always use a VPN? Is there any way to get to a point where I don’t have to use a VPN?

Do I need to mess with passwords again on my phone or will 2FA cover that?

I don't use VPN at Home, I trust my Network.
If you trust your Home Network, don't use VPN.
If you don't trust it, use a VPN.

Use this on your Kaspersky.

 

[Practical Response]

So let me get this straight, you found traces of wire guard protocol on your system, and claim you have not ever had a VPN on the system. Not one that may have been included in a security suite or anything correct, that could have left traces upon uninstalling?

Also I'm pretty sure the answer to your OP above is not to smother your system in more applications and security.

 

[Xeno1234]

So let me get this straight, you found traces of wire guard protocol on your system, and claim you have not ever had a VPN on the system. Not one that may have been included in a security suite or anything correct, that could have left traces upon uninstalling?

Also I'm pretty sure the answer to your OP above is not to smother your system in more applications and security.

Only Kaspersky VPN. Wireguard file appeared one day after no uninstillations or anything.

 

[Practical Response]

Only Kaspersky VPN. Wireguard file appeared one day after no uninstillations or anything.

Kaspersky VPN uses the wire guard protocol.

 

[Xeno1234]

Kaspersky VPN uses the wire guard protocol.

I don’t see why that file appeared randomly on a specific day when I’ve had Kaspersky VPN installed before.

The file was called setupapihost.dll

It was ran from system temp multiple times each from a different like folder with random numbers.

 

[Shadowra]

You probably just used another VPN service.... (and since you use VPNs quite often from reading your old messages)

 

[Xeno1234]

You probably just used another VPN service.... (and since you use VPNs quite often from reading your old messages)

It was all Kaspersky VPN. I’ve never installed another VPN.

I should also mention that this file wasn’t dropped, it was being ran and logged by K intrusion prevention. It was a active file.

 

[Shadowra]

It was all Kaspersky VPN. I’ve never installed another VPN.

How did you already see this Wireguard file?
Is it an information file? A driver?
I'd need more information to understand too :/

 

[Xeno1234]

How did you already see this Wireguard file?
Is it an information file? A driver?
I'd need more information to understand too :/

I saw setupapihost.dll being ran in the intrusion prevention reports. I’m not sure what it does but I’m pretty sure it’s part of wireguard.

 

[Shadowra]

I saw setupapihost.dll being ran in the intrusion prevention reports. I’m not sure what it does but I’m pretty sure it’s part of wireguard.

After checking, yes it is a file used by WireGuard

 

[vtqhtr413]

I don’t see why that file appeared randomly on a specific day when I’ve had Kaspersky VPN installed before.

The file was called setupapihost.dll

It was ran from system temp multiple times each from a different like folder with random numbers.

All a hammer sees are nails.

 

[Practical Response]

I saw setupapihost.dll being ran in the intrusion prevention reports. I’m not sure what it does but I’m pretty sure it’s part of wireguard.

setupapi.dll file is a system file that is used by various Windows components and applications to install, configure, and manage.

If it appeared a day after like you stated above, that's probably when you first accessed and tried to use the VPN.

 

[Xeno1234]

setupapi.dll file is a system file that is used by various Windows components and applications to install, configure, and manage.

If it appeared a day after like you stated above, that's probably when you first accessed and tried to use the VPN.

I’ve used K VPN earlier and I also used K VPN and the file wasn’t ran when I was using it, only delayed and after.

It just was ran one day multiple times from a different system temp folder each time and I wasn’t interacting with a VPN at that time.

It was also setupapihost.dll, not setupapi.dll