firedaemon.exe: System Cleanup After Trojan/Worm Compromise

Introduction

FireDaemon is a legitimate product that has been included, illegally, as part of the payload in a series of Worms and Trojans that exploit various security holes in Microsoft's Operating System products. It should be noted that FireDaemon on its own is incapable of compromising a vulnerable Windows-based PC.

FireDaemon contains no malware, parasites, viruses, trojans and so forth. FireDaemon has been fully vetted by Symantec Security Response in Australia and the US and is certified malware/parasite/virus free. McAfee also gives FireDaemon a clean bill of health.

Symptoms Of Compromise

If you have found that FireDaemon has mysteriously appeared on your machine then it is highly likely that your machine has been compromised and a derivative of the BackGate kit (BackDoor.NTHack Trojan) has been installed on it. The symptoms of this style of compromise include seeing Windows Error Reporting complain of a software failure in firedaemon.exe (FireDaemon.EXE version 0.0.0.0 crashing on unknown ver. 0.0.0.0) and your machine running multiple instances of the firedaemon.exe process.

The Backgate kit exploited a known flaw in Microsoft's Web Server: IIS, that allowed the remote installation and execution of executables and batch files. Most of the derivatives of Backgate follow a similar pattern: exploit a known flaw in the operating system (eg. DCOM vulnerability) then remotely install and execute a payload that invariably uses FireDaemon to set up and run various network-related services (eg. Serv-U FTP, IRC, SUD, Cygwin etc.).

Cleaning Up

It is possible to stop and clean up the services installed on your machine but it is probably impossible to determine what other file or operating system modifications or damage could have taken place.

However, given the vagaries of the compromise specific techniques might be required to restore your system to its original state. We recommend you visit Symantec's website for the complete list of Viruses and Trojans that include FireDaemon (search on the word FireDaemon).

Cleanup in a nutshell:

1. Go to the Control Panel Applet, Administrative Tools, Services

2. Look for any services prefixed as follows:

FireDaemon Service: ...

Ensure that you stop and disable each service you encounter.

3. Find the firedaemon.exe or fd.exe file in your filesystem

4. Start / Run / cmd

5. Change directory to the location of firedaemon.exe in your filesystem. For example: cd \some\path

6. For each FireDaemon service you encountered in Step 2, you now need to uninstall it by typing:

firedaemon -u "..."

Replace the ... with the remainder of the name of the service in Step 2. For example if the service is called "FireDaemon Service: MyService", to uninstall it at the command prompt you would type:

firedaemon -u "MyService"

You should see a message saying that the service has been successfully uninstalled.

7. You can then delete firedaemon.exe and other related files. It is also worthwhile looking for very large files on your machine as often your machine might have been used to distribute video and other large file types.

8. Now you are going to need to look into your system security. The primary reason your machine was hacked was that a weak or non-existent administrative password was set.

Security Notes

When you install Win2K or XP the default security settings are generally very relaxed:

Generally no or trivial administrator / guest passwords
Remote registry service is running
Default shares can be easily enumerated and mapped
Code can be easily remotely executed

Consequently, if your Win2K/XP machine is directly connected to the Internet breaking into it is generally a snap. Once your machine has been broken into FireDaemon is used, as previously mentioned, to start various 3rd party applications for sharing Warez and so forth. These "kits" are pretty much all derivatives of the BackGate kit that turned up a few years ago and the problem is just about any script kiddie can put together.

There isn't much we can do to stop this except advise the following:

Never directly connect any Windows machine to the Internet or other public network
Firewall your machines or minimally place a simple router that performs NAT between it and the public network (NetGear, DLink and similar manufacturers supply simple, inexpensive devices such as this)
Ensure all local user accounts have strong passwords set - and reset them regularly
If you have to be connected directly make sure you disable the Remote Registry Service and preferably the Workstation and Server Services
Then purchase, run and configure a good quality software firewall such as BlackICE or ZoneAlarm which _MAY_ prevent intrusion. Antivirus software will generally not help you (that said Symantec Antivirus now provides worm-blocking capabilities). Windows XP has a simple built-in firewall (Internet Connection Firewall) that can be enabled on any PPP or Ethernet interface. Windows XP Service Pack 2 provides a much more comprehensive firewall solution.

Trojan Worm List

We are aware of FireDaemon being included in the following list of Worm/Trojans. In each and every Worm/Trojan listed below, Symantec has noted that FireDaemon is a legitimate program.

W32.Tkbot.Worm is a worm that installs a backdoor on compromised systems and allows a hacker to gain access to your computer without your knowledge, controlling it via IRC. W32.Tkbot.Worm consists of several parts, including an FTP server and an IRC client.

Backdoor.Hale is a package of programs that provide backdoor access to an infected computer. This threat includes a Backdoor Trojan detected as Backdoor.Padmin, an FTP server, and various system utilities.

BAT.Boohoo.Worm is a collection of batch files and utilities that copies itself across network shares that have weak administrator passwords. The worm establishes backdoor access to a compromised system using IRC on the IRC server port 6666 or 7000.

Backdoor.NTHack is a backdoor Trojan that steals passwords.

Backdoor.Vmz is a Trojan that installs an IRC client on the computer; this allows a hacker to control the computer through IRC. The client allows the uploading and downloading of pirated movies.

Backdoor.IRC.Flood.G is a Backdoor Trojan Horse that will attempt to connect to an IRC server on port 6667. Once the Trojan is connected to the IRC server, it waits for commands from its creator.

Backdoor.IRC.Zcrew.B is a Backdoor Trojan Horse that may allow remote control of an infected system through IRC and FTP.

W32.Dinfor.Worm is a worm that spreads across network shares. It exploits weak passwords and uses the DCOM RPC vulnerability.

Backdoor.IRC.Aladinz.R is a backdoor server that allows a remote attacker to obtain access to your computer. The backdoor server uses an mIRC client.

How can we help you today?