Citrix Reciever installed ?

[coffee]

Just finishing up a compromised win 7 pro computer and was looking at how they were accessing the computer (according to the customer) and found a plugin called "Citrix Reciever" installed in firefox. I know this is not a normal plugin as doing a search for it in the 'add plugins' comes up with nothing. I am familiar with citrix for remote work and figured they used this to get in. RDP is off on the computer and this is a residential computer. Its not in a business environment.

To be sure, Does anyone know if any apps install this program to run? Something like itunes maybe or something? Or do you expressly have to install it and basically know what you are doing? I figure this is how they were getting in.

All scans for malware and viruses / rootkits came back clean.

 

[oldtech]

It's dropped by gotomeeting as well as other citrix apps. Shouldn't be malicious.

 

[Markverhyden]

It's dropped by gotomeeting as well as other citrix apps. Shouldn't be malicious.

Yep, I see them all of the time. Both OS X and Windoze. People that do a lot of webinars might have as many as 30-40 copies in their downloads/apps folder.

 

[coffee]

Yep. This customer said she called facebook and they got on her computer and took a look and told her horror stories. I personally find it hard to believe that it was facebook and just possible a scam. I dont know for sure.

Thank you,

Happy 4th everyone

 

[Markverhyden]

I just shake my head sometimes when I hear some of these "I've been hacked" claims. A recent customer says that happened because she got "bad links" via Twitter and Facebook. They wanted to me do some kind of forensic examination to see if I can find out who, what, when and where. The problem is all the evidence is gone. All Social Media accounts deleted, old devices replaced with new ones, old ones reset, etc. The one thing I found was a couple of browser history entries on her iPad which had recently been reset. So I check it and iCloud syncing is on so if browser history and bookmarks had been shared they will replicate across all devices linked to that account.

 

[coffee]

I just shake my head sometimes when I hear some of these "I've been hacked" claims. A recent customer says that happened because she got "bad links" via Twitter and Facebook. They wanted to me do some kind of forensic examination to see if I can find out who, what, when and where. The problem is all the evidence is gone. All Social Media accounts deleted, old devices replaced with new ones, old ones reset, etc. The one thing I found was a couple of browser history entries on her iPad which had recently been reset. So I check it and iCloud syncing is on so if browser history and bookmarks had been shared they will replicate across all devices linked to that account.

I agree with you. In reality, I didnt find anything really suspicious on her computer. there was a normal amount of PUPS but nothing else really. Firewall was fine, No wierd settings in the networking and RDP not even setup. I did hook it into my shop network and looked at it from another system and nothing.

I just updated everything and had run virus / rootkit scans - just the basics.

The inside was quite a bit dusty and I cleaned out the processor heatsink / fan and everything else.

After working on computers for a very long time you develop an instinct for things not running right. I am sure you know what I mean

Her computer was just fine. However, I really have doubts that she was actually talking to someone at Facebook.

Thanks for your replies

 

[YeOldeStonecat]

Very common to find the Citrix Receiver in business computers, they use it quite often for services they use. Healthcare....for training webinars, last week I had to fix a botched Citrix Receiver install on an insurance client of mine, they use it to access a portal that she gets certain insurance related info from.

 

[jzukerman]

Very common to find the Citrix Receiver in business computers, they use it quite often for services they use. Healthcare....for training webinars, last week I had to fix a botched Citrix Receiver install on an insurance client of mine, they use it to access a portal that she gets certain insurance related info from.

Same. And since my insurance client has no admin rights, they're always calling saying "we need this or that Citrix plugin updated or installed on this user profile". A pain.