
Can this backdoor.bot rootkit spread to my tablet from my router?



I love this forum. I got one heck of a backdoor.bot / rootkit of a trojan. These are the names I remember seeing on my Loaris Trojan Remover before it disabled it about a week ago. I realized I had the trojan with all the familiar things happening to my computer. I unplugged it from the internet and did a Windows image restore. I couldn't find the Windows disk to do a totally new install and I hoped this did the same thing. I know there was no getting this bugger out without just starting over, so I went for it. I didn't back anything up, and even if I did I surely wouldn't take a chance by putting it back on my computer. These hackers are good. I followed the steps in the booklet that came with my computer: F8 several times during startup and then went to the one where it wiped everything clean. Then I had to put in my computer name, choose language etc. and choose a password. I thought this would take the trojan out. So no problems with the image recovery, and I quickly followed the steps found on this forum, updating Windows etc., running scans, setting up the firewall etc. The computer worked great for two hours, like it was brand new. Nothing on it. I decided not to go to any sites except the 2 or 3 for updates. I did no web surfing or anything. That bugger of a trojan must have survived the start-over thing; within about 2 hours it began doing the same things. Internet connection struggling, several icons not registering, rebooting itself, then I tried to open file manager and it won't even let me do that. Now none of this would have bothered me too much except that I swear my Toshiba Thrive tablet that is hooked up to the same Comcast wireless modem/router began having problems as soon as I turned off my desk computer for the final time =) I think I was even directed away from this site while on my tablet and it didn't even show in the history. My cellphone is also using the wireless internet but has not shown any symptoms.

My question is: is it remotely possible that the trojan is able to go through other devices through my router? You know, like see my keystrokes, passwords as I type them in? My favorites on my tablet and phone? I had changed all my passwords and online account info immediately when I saw the descriptor backdoor.bot but have been using my phone and tablet to access these accounts using my wireless internet, thinking they were not infectable because I never actually hook them up to each other with wires or wireless. I have already changed all my online passwords again, using a computer not tied into my router, and I feel pretty good with my new passwords. I will only access my bank account and a few other sensitive accounts from my work computer for now. That router from Comcast has phone stuff built in and looks like other things too. If I clean my tablet will the modem reinfect my device? Is the hacker sitting in my router waiting to gather more information? One other thing that I should mention. When I got this backdoor.bot a week ago, I was using Qwest DSL. I switched to Comcast and yesterday was the first day with my new Comcast wireless account and modem. We just set up the tablet first to get Comcast up and running, and later in the day, after I did the Windows image restore, I then started brand new and my computer recognized the new wireless signal and I entered the long password Comcast gave me for the modem. So the hacker now has that password because I typed it on the desk computer when I set it up yesterday. I think this is some super advanced trojan I got. I noticed when my newly cleaned computer started acting up yesterday it was telling me it couldn't connect to the internet successfully, but I saw the internet icon in the on position and the Comcast modem receiving it. I know I need to find the Windows disk that probably came with my computer and try that. I am fine just not worrying about my desk computer for now. Heck, I would probably just go buy a new one after all this crazy stuff. My worries now are with my modem and tablet, and do I need to switch routers with Comcast just to be sure he isn't lurking in there? I really think he got into my Thrive last night. I have never had it just leave a webpage while I am reading it.

On top of that, when I hit back the page was nowhere in my history. It was this forum, as I was gathering information on what to do next. I don't dare type all these details at home on my tablet; he would know my next step for sure. I am using a computer 30 miles away and unrelated to me. I need this guy out of my life for good. I realize he isn't giving up easy. Just how far can he take this gathering of my information?


That's a lot of information that's dizzying.

Can you please boil it down to just the simple facts and your question.

Sorry, here are my questions: Can a backdoor.bot go from a desktop computer into a wireless modem and then access other devices that are using the router? Can they do this after the main computer with the problem is turned off permanently? Once the hacker has your ip address and router name/password are they going to continue attacking through your router to get to other devices? Thanks, hope that is more to the point.


Sorry, here are my questions: Can a backdoor.bot go from a desktop computer into a wireless modem and then access other devices that are using the router? Can they do this after the main computer with the problem is turned off permanently? Once the hacker has your ip address and router name/password are they going to continue attacking through your router to get to other devices? Thanks, hope that is more to the point.

The declaration "backdoor.bot" is a generic name and as a non-specified malware, the answer can't be completely specific.

However...

Backdoor.Bot usually refers to an externally controlled sub-system that exists on your system and has entered through your computer as if through a backdoor. It is not a virus, so it doesn't self-replicate. You say "Once the hacker has your ip address..." What hacker? How did we go from a Backdoor.Bot to a hacker, a specific person who has gained full or partial access to your system? The Bot may be on your system, but that doesn't mean there is a person behind it who has full access to the system it's installed on, and how did we get to an unknown entity now in control of a SOHO Router?

Too many suppositions based upon a "backdoor.bot" declaration. It is good to be paranoid. To me paranoia is a heightened sense of situational awareness. However, it has to be grounded in fact.

If a system had a Backdoor.Bot on it you can be sure that a Command & Control (C&C) system had your computer doing something malicious. What? No clue.

As for the Router, you would have to show that the Router was indeed compromised.

Has it been reprogrammed?

Has the password changed?

Did YOU change the default password from something like "admin" to your own personal Strong Password?

Let's assume it is a case of one of the very, very rare pieces of malware that can affect/infect a Router. It will not attack other computers on the LAN side or infect computers on the LAN side.

Malware that infects, modifies, or roots SOHO Routers is very rare, and much of it requires the Router to be a specific make and model and firmware revision.

The most common was the DNSChanger trojan. What it did was compromise the Router via the weak default router password and then change the Router's DNS table to malicious DNS servers thus redirecting Domain Name resolutions to sites the malicious actor wants you to access instead of the site you want to access.

In short, what you are worried about has an extremely low probability. The probability that you will win a .25 billion dollar lottery tomorrow is even higher. Before you can presume such activities, you would need more evidence than just a "Backdoor.Bot" declaration.

How can you mitigate that?

Make sure your Router has a Strong Password

Make sure if you have WiFi you are using WPA2, don't announce the SSID, and again use a Strong Password

Make sure ALL computers on the LAN side are FULLY and COMPLETELY patched and up-to-date on all software

Make sure your users on the LAN practice Safe Hex

Make sure all anti-virus/anti-malware is enabled and up-to-date.

Make sure you monitor your LAN nodes to make sure there is no abnormal activity.
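One concrete way to do the router check described above (the DNSChanger case: has the router's DNS table been pointed at servers you never configured?) is to compare the resolvers your devices are actually handed against an allow-list. This is an added example, not code from the thread; the allow-list, LAN ranges and the sample resolv.conf are constructed, and the A-record comparison takes pre-captured answers rather than querying the network.

```python
"""Detect DNSChanger-style router tampering from the client side.

Two checks: (1) are the resolvers handed out by the router ones we expect
(the router itself or private LAN addresses)?  (2) do the A records the
router-fed resolver returns share anything with a trusted reference answer?
Added example for the forum thread above; all values below are constructed.
"""
import ipaddress
import re

# Constructed allow-list: the router's LAN address and the ISP resolvers
# printed on the router's status page.  Replace with your own values.
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.1"}

# RFC 1918 ranges: a resolver inside these is at least on our own LAN.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of /etc/resolv.conf as a DHCP client would see it.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.53
search home.lan
"""


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    return [m.group(1)
            for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def classify_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return resolvers that are neither on the allow-list nor on the LAN.

    A public address you never configured is the classic DNSChanger symptom.
    Unparseable entries are reported too, since they should not be there."""
    suspicious = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            suspicious.append(s)
            continue
        on_lan = any(ip in net for net in LAN_NETWORKS)
        if s not in expected and not on_lan:
            suspicious.append(s)
    return suspicious


def answers_disagree(router_answers, reference_answers):
    """True when the router-served A records share no address with the
    reference resolver's answer.  CDNs can legitimately differ, so treat a
    True result as a prompt to investigate, not as proof of tampering."""
    return not (set(router_answers) & set(reference_answers))
```

Run `classify_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF))` against the contents of your own resolv.conf (or the DNS servers `ipconfig /all` lists on Windows) to see whether any resolver falls outside the allow-list.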


David, thank you for your reply. I left out a few details: The final symptoms in the end were: Blue screen - system preparing for dump, reboots, desktop changes afterward, unable to access my antivirus, several programs tell me the shortcut is no longer available.

These are the steps:

1. One week ago my desktop computer was found to have backdoor.bot (followed by a bunch of numbers) diagnosed by my anti-malware.

It then disabled my antivirus program so I couldn't get the full name. I think I also saw rootkit on a different line.

2. My computer had been acting strangely for several weeks.

3. I was unsuccessful in removing the trojan.

4. I did a system image restore, wiping off everything on my Windows 7 Home Premium edition.

5. Started over like it was brand new and set it up: scanning, Windows update, firewall, etc. I did not re-download any saved stuff.

6. Set up comcast wireless router using this desktop.

7. Worked beautifully for less than 2 hours.

8. Original symptoms came back.

9. I turned off desktop computer and realized my tablet was having trouble getting online using the same wireless router.

I thought the system image restore would rid me of trojan. When I set up my comcast modem/router right after system restore I had to put in the 18 digit or so password for router using the infected computer. At the time I thought the trojan was not in my computer. If it was recording my keystrokes, wouldn't it now have my comcast router setup password? Wouldn't it just leave the password the same if changing other information on the router?


David, thank you for your reply. I left out a few details: The final symptoms in the end were: Blue screen - system preparing for dump, reboots, desktop changes afterward, unable to access my antivirus, several programs tell me the shortcut is no longer available.

These are the steps:

1. One week ago my desktop computer was found to have backdoor.bot (followed by a bunch of numbers) diagnosed by my anti-malware.

It then disabled my antivirus program so I couldn't get the full name. I think I also saw rootkit on a different line.

2. My computer had been acting strangely for several weeks.

3. I was unsuccessful in removing the trojan.

4. I did a system image restore, wiping off everything on my Windows 7 Home Premium edition.

5. Started over like it was brand new and set it up: scanning, Windows update, firewall, etc. I did not re-download any saved stuff.

6. Set up comcast wireless router using this desktop.

7. Worked beautifully for less than 2 hours.

8. Original symptoms came back.

9. I turned off desktop computer and realized my tablet was having trouble getting online using the same wireless router.

I thought the system image restore would rid me of trojan. When I set up my comcast modem/router right after system restore I had to put in the 18 digit or so password for router using the infected computer. At the time I thought the trojan was not in my computer. If it was recording my keystrokes, wouldn't it now have my comcast router setup password? Wouldn't it just leave the password the same if changing other information on the router?

You asked...

"Wouldn't it just leave the password the same if changing other information on the router?"

Not necessarily. It would likely change the password to lock you out such that you can't easily note there had been changes made as well as making it more difficult for you to correct those changes.

As for...

"I did a system image restore, wiping off everything on my Windows 7 Home Premium edition."

That would depend completely on how it was done. For example, if you booted off a CD/DVD and restored a factory image from external media. If it was software on a partition, then whatever was on the computer has a possibility of survival.
