  • Locked thread
ymgve
Jan 2, 2004


:dukedog:
Offensive Clock

Honey Im Homme posted:

http://sites.google.com/site/koironauthree/pe-builder-bartpe-plugins/sophos-anti-virus-plugin

With UBCD or hirens or whatever I guess!

But this is just a standard AV scanner, isn't it? I want something that locates any discrepancies between the file system as seen from outside the OS and the file system as seen from inside the OS.

Kelson's idea is closer, but I haven't really done much shell scripting.
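The cross-view comparison asked for above, as an added example of my own (not the thread's or Kelson's script): one manifest is built from inside the running OS, a second from a clean boot that mounts the same volume, and the two are diffed. It assumes both manifests are produced by this same tool and that the offline boot mounts the whole volume.

```python
"""Cross-view file system diff: compare a manifest of a volume built from inside
the running OS with one built from a clean boot environment that mounts the same
disk, and report what each view shows that the other does not."""
import hashlib
import json
import os
import sys
import tempfile

CHUNK = 1 << 20

def build_manifest(root, case_insensitive=True):
    """Map relative path -> [size, sha256] for every regular file under root.
    Windows volumes are case-insensitive, so paths are lower-cased by default so
    that the inside and offline views compare equal however each OS reports them."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if case_insensitive:
                rel = rel.lower()
            try:
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for block in iter(lambda: fh.read(CHUNK), b""):
                        digest.update(block)
                manifest[rel] = [os.path.getsize(path), digest.hexdigest()]
            except OSError:
                # A file the running OS refuses to open is itself worth a look.
                manifest[rel] = [None, "unreadable"]
    return manifest

def cross_view_diff(inside, outside):
    """inside: manifest from the running OS; outside: manifest from the offline boot."""
    return {
        # On disk but invisible to the running OS: the classic rootkit symptom.
        "hidden": sorted(p for p in outside if p not in inside),
        # Visible inside only: overlays, virtualised paths, or an incomplete offline mount.
        "phantom": sorted(p for p in inside if p not in outside),
        # Same path, different bytes: the running OS is being served tampered content.
        "modified": sorted(p for p in inside if p in outside and inside[p] != outside[p]),
    }

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed data: the offline view sees a driver the inside view does not."""
    with tempfile.TemporaryDirectory() as d:
        _write(os.path.join(d, "Windows", "System32", "ntdll.dll"), b"legit")
        inside = build_manifest(d)          # what the running OS reports
        _write(os.path.join(d, "Windows", "System32", "drivers", "hidden.sys"), b"rootkit")
        outside = build_manifest(d)         # what the clean boot sees on the same disk
    return cross_view_diff(inside, outside)

if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "manifest":
        json.dump(build_manifest(sys.argv[2]), sys.stdout)  # run once inside, once offline
    elif len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            print(json.dumps(cross_view_diff(json.load(a), json.load(b)), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run `manifest C:\` from the live system and again from the boot CD against the mounted disk, then feed both JSON files to the script; anything under "hidden" is what the running OS is not showing you.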


URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!

Honey Im Homme posted:

http://sites.google.com/site/koironauthree/pe-builder-bartpe-plugins/sophos-anti-virus-plugin

With UBCD or hirens or whatever I guess!
http://drop.io/new_savpkg

Grab sbav_10_sfx.exe

Follow this KB
http://www.sophos.com/support/knowledgebase/article/52011.html

Creates a Slax bootable disc with SAV for Linux and the newest IDEs

If it works, switch to Sophos or something

Trisk
Feb 12, 2005

So my father has some kind of virus on his computer that was sending out spam emails to people in his address book. I told him to install MSE and scan; he said it found some stuff and took care of it, yet today I checked my email and I've got four more spams from him. Any of you guys know what this is so I can point him in the right direction, or are these emails too generic to make an identification from?

FCKGW
May 21, 2006

Trisk posted:

So my father has some kind of virus on his computer that was sending out spam emails to people in his address book. I told him to install MSE and scan; he said it found some stuff and took care of it, yet today I checked my email and I've got four more spams from him. Any of you guys know what this is so I can point him in the right direction, or are these emails too generic to make an identification from?

Honestly that's too generic. Hit his system with ComboFix and MalwareBytes and see what comes up.

Grand Fromage
Jan 30, 2006

L-l-look at you bar-bartender, a-a pa-pathetic creature of meat and bone, un-underestimating my l-l-liver's ability to metab-meTABolize t-toxins. How can you p-poison a perfect, immortal alcohOLIC?


All right, I've just started seeing this everywhere the last couple days:



Anyone know if this is on my end or something going around? None of my scans have found anything on my system.

Scott808
Jul 11, 2001
http://deletemalware.blogspot.com/2010/03/how-to-remove-online-protection-tool.html

Grand Fromage
Jan 30, 2006



Well that sucks. I've already run Malware, Super, and Spybot without any of them finding it. Guess I'll try this google one.

Edit: Awesome, nothing. And I can't boot into safe mode, bluescreens and reboots immediately. gently caress I wish I had Win 7 so I could just reinstall.

Grand Fromage fucked around with this message at 16:51 on Mar 26, 2010

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
This isn't really a virus, but I doubt there's enough material out there for a "generic exploit" thread.

http://www.theregister.co.uk/2010/03/26/open_source_wireless_sniffer/

quote:

Keykeriki not only allows researchers or attackers to capture the entire layer 2 frames, it also allows them to send their own unauthorized payloads. That means devices that don't encrypt communications - or don't encrypt them properly - can be forced to cough up sensitive communications or be forced to execute rogue commands.

At the CanSecWest conference in Vancouver, Dreamlab Senior Security Expert Thorsten Schroder demonstrated how Keykeriki could be used to attack wireless keyboards sold by Microsoft. The exploit worked because communications in the devices are protected by a weak form of encryption known as xor, which is trivial to break. As a result, he was able to intercept keyboard strokes as they were typed and to remotely send input that executed commands on the attached computer.

Sounds pretty cool, but seems like unlike most other ways of screwing with a computer you'd need an actual visual on the screen to be able to tell what was going on with your spoofed commands.

Next up in specs for secure data handling: Faraday cages.

bebaloorpabopalo
Nov 23, 2005

I'm not interested in constructive criticism, believe me.

Midelne posted:

Sounds pretty cool, but seems like unlike most other ways of screwing with a computer you'd need an actual visual on the screen to be able to tell what was going on with your spoofed commands.

If you can remotely send keystrokes, it's trivial to install software that would allow for a full takeover.

Frabba
May 30, 2008

Investing in chewy toy futures

Doody the Clown posted:

If you can remotely send keystrokes, it's trivial to install software that would allow for a full takeover.

Assuming the victim is still running on an admin account, sure, that could be considered trivial. If they're running in Vista/Win7 on a standard user account, they would need to remotely capture the keystrokes for an admin's password as well to bypass UAC.

Midelne
Jun 19, 2002


frabba posted:

Assuming the victim is still running on an admin account, sure, that could be considered trivial. If they're running in Vista/Win7 on a standard user account, they would need to remotely capture the keystrokes for an admin's password as well to bypass UAC.

Yeah, that was my thought as well. Besides that, you would also need -- ideally -- a computer that has not locked from inactivity but that has no one watching it, since your spoofed input is going to be exactly as visible as normal input from the keyboard.

Epikhigh
Apr 4, 2009
Well...got XP Antivirus 2010 from thepiratebay :/

mAlfunkti0n
May 19, 2004
Fallen Rib

Grand Fromage posted:

Well that sucks. I've already run Malware, Super, and Spybot without any of them finding it. Guess I'll try this google one.

Edit: Awesome, nothing. And I can't boot into safe mode, bluescreens and reboots immediately. gently caress I wish I had Win 7 so I could just reinstall.

This is why you need a copy of UBCD4Win. It is my primary tool of choice for cleaning up nasty stuff that refuses to allow you to function in safe mode.

Edit : http://www.bleepingcomputer.com/forums/topic296821.html

mAlfunkti0n fucked around with this message at 21:51 on Mar 27, 2010

Capnbigboobies
Dec 2, 2004

Epikhigh posted:

Well...got XP Antivirus 2010 from thepiratebay :/

You should run Firefox or Chrome with an adblock filter/plugin. I find this dramatically cuts down on XP Antivirus infections. A friend of mine kept infecting his machine with that crap from some bullshit "scene release" website. I installed Adblock Plus and that stopped. (I hope)

Also, of course, an AV should be run.

NOTinuyasha
Oct 17, 2006

 
The Great Twist

Epikhigh posted:

Well...got XP Antivirus 2010 from thepiratebay :/

I recently fixed up a laptop that got XP Antivirus even with Firefox. I have no idea if the idiot was even using it, but all the links to IE had been deleted and Firefox was set as default. I don't care about ads, but this sort of poo poo is reason enough to run noscript and adblock. Advertising money is basically blood money at this point, all the real profit comes somewhere down the line from malicious, unattended installs of XP antivirus.

Jetsetlemming
Dec 31, 2007

i'Am also a buetifule redd panda

NOTinuyasha posted:

I recently fixed up a laptop that got XP Antivirus even with Firefox. I have no idea if the idiot was even using it, but all the links to IE had been deleted and Firefox was set as default. I don't care about ads, but this sort of poo poo is reason enough to run noscript and adblock. Advertising money is basically blood money at this point, all the real profit comes somewhere down the line from malicious, unattended installs of XP antivirus.
I don't know what ads could do without flash, plugins, and js, which are what noscript blocks. I'll turn adblock off on sites that rely on ad revenue that I like (Ars Technica recently had a bitchfest about people blocking ads), but I won't ever turn off Noscript.

Epikhigh
Apr 4, 2009

Capnbigboobies posted:

You should run Firefox or Chrome with an adblock filter/plugin. I find this dramatically cuts down on XP Antivirus infections. A friend of mine kept infecting his machine with that crap from some bullshit "scene release" website. I installed Adblock Plus and that stopped. (I hope)

Also, of course, an AV should be run.

I was running the most updated Firefox along with Adblock Plus + Noscript. I also was using MSE.

NOTinuyasha
Oct 17, 2006

 

Jetsetlemming posted:

I don't know what ads could do without flash, plugins, and js, which are what noscript blocks. I'll turn adblock off on sites that rely on ad revenue that I like (Ars Technica recently had a bitchfest about people blocking ads), but I won't ever turn off Noscript.

It could have more to do with other lovely plugins like Java or Adobe Reader - as far as I know NoScript deals with that too. Either way I keep it on primarily because there are some really lovely sites that assault you with lots of worthless ad-driven scripts that slow my browser down. As for the ads themselves, I don't care at all. NoScript by itself seems to kill ads for 90% of all sites because they don't bother having fallbacks to plain images, including the SA ads, which are by the way notorious for having all sorts of malicious poo poo. Lowtax or whoever does it now can manually block whatever they want, but if that actually got to the root of the issue then the ads wouldn't make money. They're basically getting paid to let someone try and load malware on your system.

Tommy 2.0
Apr 26, 2008

My fabulous CoX shall live forever!
I've got a laptop running XP and SP3. I just ran Malwarebytes and it snagged quite a bit (90 items) and I'm now able to view all the sites I wasn't before. I suspected it was XP anti-virus or some variant. Now, whenever I try to run a DOS boot disk or the XP install disk, my system shuts off immediately, not allowing me any options to format. What is going on?

Yakse
May 19, 2006
If I may take off my actor pants for a moment and pull my Analrapist stocking over my head.....

Grand Fromage posted:

Well that sucks. I've already run Malware, Super, and Spybot without any of them finding it. Guess I'll try this google one.

Edit: Awesome, nothing. And I can't boot into safe mode, bluescreens and reboots immediately. gently caress I wish I had Win 7 so I could just reinstall.

Probably a bit late in your case but the "repair safeboot key" option in sdfix sometimes fixes this problem. In cases where it doesn't malwarebytes, spybot and combofix usually do.

The process I usually use for cleaning a system is Malwarebytes and Spybot at the same time in safe mode, checking for anything suspicious in Autoruns while they run their scans (deleting the files for poo poo like XP Antivirus as well as removing their entries); once MWB has finished/restarted, go back into safe mode and run ComboFix, choosing safe mode if it has to restart in the middle of the scan. Then normal mode and run a scan with an antivirus (MSE if it has none, whatever it has otherwise).

Since having problems with Virut I also only use CDs for the tools I use, burning a new one whenever ComboFix needs updating (like every three days). I would use lockable USBs if I trusted my coworkers/boss.

Tommy 2.0
Apr 26, 2008

Update: Was able to START formatting with an XP disk, and 1/4th of the way through the system shut down. This ONLY happens when I try to do anything permanent to the hard drive, and mostly when I am at the command prompts to do it. WTF? Are some viruses so bad they don't need the OS to load to do it, or am I missing something? I'm about one click away from just ordering a new hard drive but am starting to get worried, due to lack of knowledge, that this thing has somehow hosed the firmware on something?

ymgve
Jan 2, 2004


You got a problem, but the problem is physical errors on either the hard drive or in RAM. It's not because of a virus. Run memtest, try with a new drive if you don't find any errors.

Hipster_Doofus
Dec 20, 2003

Lovin' every minute of it.
That's really drat weird. When you say shutdown, I assume you mean it just powers off instantly? AFAIK no hard disk problem could cause that behavior, and I kinda doubt bad RAM could either. Maybe the power supply? (Still weird though because you say it's only when working with the disk and/or at a cmd prompt.)

Midelne
Jun 19, 2002

You could also get that behavior if you live in a dusty environment with cats or some other similarly shed-happy fine-haired animal and never clean out the heatsink attached to your processor. High activity pushes the system into higher temperatures, system begins to overheat and shuts down.

Like they said, though, there's no realistic virus infection that can affect a reinstallation and format of Windows, because the code being run is coming directly from the (read-only) CD/DVD that you're using. You're looking at a physical problem that is almost certainly incidental to the virus infestation.

Tommy 2.0
Apr 26, 2008

Thank you guys for the input. I suspected as much, that this was the issue, but wanted more informed input on the matter since it was coincidental with a virus infection. Would it most likely be a hard drive failure? Because the system was able to handle higher end games no problem for long periods of time.

And yes, it would power off completely. Totally, utterly, no power instantly.

Tommy 2.0 fucked around with this message at 00:42 on Jun 20, 2010

pooface
May 20, 2004
HMMM!!!
I just went to download combofix from here

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

As soon as I clicked the bleeping computer link under

"Next you should download ComboFix from one of the following URLs:"

NOD immediately said it blocked "win32/kryptik yi trojan". Anyone think this can be a false positive?

Yesterday it blocked html/scrinject.b gen virus. I haven't had a virus prompt in a very long time. Anyone know where else to find ComboFix, or should I be good since NOD apparently blocked it right away? I ran a full scan earlier today and it found nothing.

Ted Stevens
Jun 2, 2007

by T. Finn
When I worked on a computer that had McCrappy on it, it flagged my combofix file as some kind of trojan, too. Speaking of that, I need to download a new combofix file.

Midelne
Jun 19, 2002


pooface posted:

"Next you should download ComboFix from one of the following URLs:"

McAfee Enterprise routinely detects ComboFix as a trojan as well, though I don't recall right off-hand which one. When in doubt, upload to VirusTotal.com and wait a couple minutes for the results.

KillHour
Oct 28, 2007


I had an awesome idea for a virus the other day, and was wondering if anyone had seen something like it, or knew if it was even possible. It would search for known router firmwares and replace them with a modified version that has the virus embedded in it. It would then proceed to reinfect any computers you cleaned and hooked back up to the network. If done right, it would be hell on earth to discover what was really happening.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

KillHour posted:

I had an awesome idea for a virus the other day, and was wondering if anyone had seen something like it, or knew if it was even possible. It would search for known router firmwares and replace them with a modified version that has the virus embedded in it. It would then proceed to reinfect any computers you cleaned and hooked back up to the network. If done right, it would be hell on earth to discover what was really happening.

Unless it is an unsecured network or unsecured setup page, I doubt this would be plausible. What I have seen, though, is where a virus sets up an ad hoc network in a computer's wireless control panel that broadcasts when no other network is present. What then happens is that people around the machine connect to the ad hoc network and get infected, or worse, the ad hoc SSID is the same as ones that are legitimately used by businesses, so machines that have connected to the legitimate SSID automatically connect to the malicious ad hoc network in the absence of a real network.

Midelne
Jun 19, 2002


KillHour posted:

I had an awesome idea for a virus the other day, and was wondering if anyone had seen something like it, or knew if it was even possible. It would search for known router firmwares and replace them with a modified version that has the virus embedded in it. It would then proceed to reinfect any computers you cleaned and hooked back up to the network. If done right, it would be hell on earth to discover what was really happening.

You'd either have to have a modified version of every firmware version out there -- which is not plausible -- or pack around at least a subset of a Metasploit library to selectively break through the security surrounding the router's internals without triggering a denial of service condition. Any router worth its salt is going to at least make a token effort to prevent firmware or configuration changes without authentication, and it's unlikely that there's going to be a vulnerability affecting multiple vendors' router authentication mechanisms over the substantial number of firmware revisions you're likely to find in the wild even for a single given model number.

Something else you might like the sound of, though, is a virus I recall reading about a few years ago that appeared to be specialized for enterprise-level networks. Infected a host, retained that host's IP settings for reference, then sent out DHCP broadcasts indicating that the new default gateway was the infected host. Relayed the traffic to the original default gateway (iirc) and theoretically nobody was the wiser, but all enterprise traffic for that subnet now went through a compromised host.

Caveats for this story are that I wasn't aware DHCP supported partial updates of information like that, that I don't recall the details clearly, and that I haven't tried to find the article I read a few years ago.
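The rogue-gateway story above boils down to one detectable symptom: a DHCP reply whose router option (3) points somewhere other than the real gateway, or whose server identifier (54) is not one of your DHCP servers. The following is an added example of mine, not code from the thread, that parses DHCP replies and flags both conditions; the messages it checks are constructed in the block, the addresses are made up, and the expected gateway and server list are assumptions you would replace with your own.

```python
"""Audit DHCP server replies for a rogue default gateway (option 3) or an
unauthorized server identifier (option 54), the symptom of the subnet hijack
described above. Messages here are constructed, not captured."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_options(payload):
    """Return {code: raw value} from the option area after the 236-byte BOOTP header."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (short payload or bad magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ip_list(raw):
    """Decode a run of 4-byte addresses (option 3 may carry several routers)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def audit_dhcp(payload, expected_gateway, authorized_servers):
    """Return human-readable findings; an empty list means the reply looks legitimate."""
    opts = parse_options(payload)
    mtype = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "?")
    findings = []
    if mtype not in ("OFFER", "ACK"):
        return findings  # only server -> client replies carry lease parameters
    server = ip_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    if server not in authorized_servers:
        findings.append(f"{mtype} from unauthorized DHCP server {server}")
    for router in ip_list(opts.get(OPT_ROUTER, b"")):
        if router != expected_gateway:
            findings.append(f"{mtype} from {server} sets default gateway {router}, "
                            f"expected {expected_gateway}")
    return findings

def build_message(mtype_code, server_id, routers, xid=0x1234ABCD):
    """Constructed message for testing: BOOTP header, magic cookie, options 53/54/3."""
    op = 2 if mtype_code in (2, 5, 6) else 1  # BOOTREPLY for server messages
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ipaddress.IPv4Address("10.0.0.50").packed,
                         b"\0" * 4, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    router_raw = b"".join(ipaddress.IPv4Address(r).packed for r in routers)
    opts = (bytes([OPT_MSG_TYPE, 1, mtype_code])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([OPT_ROUTER, len(router_raw)]) + router_raw + bytes([OPT_END]))
    return header + DHCP_MAGIC + opts

if __name__ == "__main__":
    legit = build_message(2, "10.0.0.1", ["10.0.0.1"])
    rogue = build_message(2, "10.0.0.1", ["10.0.0.77"])  # gateway pointed at an infected host
    for msg in (legit, rogue):
        print(audit_dhcp(msg, "10.0.0.1", {"10.0.0.1"}) or ["ok"])
```

On a real network you would feed `audit_dhcp` the UDP payloads of port 67/68 traffic from a span port or a DHCP snooping log; a hit on either condition is worth an immediate look at the host behind the offending address.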

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Had a new (to me) one today, Security Tool. Looks like someone aping Antivirus 2009/XP using div windows instead of Windows forms. The usual "you're infected with <xx> files, give us $$$ to remove", however it's really egregiously in your face. The popup won't go away no matter how often you click "continue unprotected/cancel". It's got a nasty thing it'll do: close any program you open a fraction of a second after you open it. This includes cmd, anything launched from the Run menu, any exe run through Explorer, .msi, etc. I was able to get around it by running cmd as local admin; safe mode will probably work too. Once you've done that it's pretty easy, just kill the randomly named .exe file out of processes (it was always a series of numbers for me), HijackThis out the startup entries, and then delete its \documents and settings\ home temp folder. Procexp will tell you where its home folder is if you check before you kill it. Pretty sure it got in through a Java exploit on the latest batch of Dells.

I was surprised it went down so easy after I killed the initial process, usually these things have a backup watcher process that will automatically re-launch the program if someone closes it. I installed Kaspersky on the machine and it stopped it when I tried to reinfect so hooray for enterprise software I guess.

EDIT-oh yeah and it hides your desktop icons and changes your background to default blue. People were freakin'. Where's my icons??? I CAN'T READ EMAILS

Scaramouche fucked around with this message at 01:41 on Jul 14, 2010

BillWh0re
Aug 6, 2001


There's a new worm going around called Stuxnet that's exploiting a Windows vulnerability that isn't yet publicly disclosed.

The worm autoruns from USB sticks even if you have autorun disabled fully. It does this by exploiting a vulnerability in the way Windows parses .lnk shortcut files. Once run, it installs a rootkit that hides the files on the USB disk so you can't tell you (or it) are infected. From looking at the vulnerability today, it isn't specific to USB drives -- all that's needed to execute the worm is that you browse to the shortcut files from explorer.

The good news is it's relatively easy for anti-virus products to detect the .lnk files in a way that (should) stop them running if you have an on-access scanner.

Midelne
Jun 19, 2002


BillWh0re posted:

The worm autoruns from USB sticks even if you have autorun disabled fully. It does this by exploiting a vulnerability in the way Windows parses .lnk shortcut files. Once run, it installs a rootkit that hides the files on the USB disk so you can't tell you (or it) are infected. From looking at the vulnerability today, it isn't specific to USB drives -- all that's needed to execute the worm is that you browse to the shortcut files from explorer.

When you say "browse to", do you mean open a folder containing the malicious .lnk, or does there actually need to be some selection or clicking of the file in question?

Either way, goddamn, that's slick.

BillWh0re
Aug 6, 2001


Midelne posted:

When you say "browse to", do you mean open a folder containing the malicious .lnk, or does there actually need to be some selection or clicking of the file in question?

Either way, goddamn, that's slick.

Just open a folder. The critical thing is that explorer loads the icon.

There's a thread on Wilders here: http://www.wilderssecurity.com/showthread.php?t=276994

Midelne
Jun 19, 2002


BillWh0re posted:

There's a thread on Wilders here: http://www.wilderssecurity.com/showthread.php?t=276994

That was a fun read, thanks. Any opinion on the later posts suggesting that it was custom-made for targeted industrial espionage?

BillWh0re
Aug 6, 2001


Midelne posted:

That was a fun read, thanks. Any opinion on the later posts suggesting that it was custom-made for targeted industrial espionage?

I haven't looked at the usermode part of the payload yet but I might get a chance tomorrow. Frank Boldewin is a fairly well-respected reverse engineer though it looks like he's just seen a string rip from the executable and I think it'll probably be a day or two before anyone says for sure.

I'm more interested in how they managed to sign their rootkit drivers as Realtek. Gotta be some sweet drama there. Also there's no obfuscation at all on any of the kernel modules so I'd guess this is a completely different group to those that release most of the major malware families.

Midelne
Jun 19, 2002


BillWh0re posted:

I'm more interested in how they managed to sign their rootkit drivers as Realtek. Gotta be some sweet drama there.

Didn't seem to be any significant consensus at this point as to whether it was a valid signature or not, but yeah, I'd certainly be interested in knowing whether Realtek's CA had been subverted somehow. If so, that's, uh, substantial.

BillWh0re
Aug 6, 2001


Midelne posted:

Didn't seem to be any significant consensus at this point as to whether it was a valid signature or not, but yeah, I'd certainly be interested in knowing whether Realtek's CA had been subverted somehow. If so, that's, uh, substantial.

Windows tells you the signature is OK if you right-click the file and check Properties. But the timestamp on it is expired and I'm not sure if it's since been revoked.


Midelne
Jun 19, 2002


BillWh0re posted:

Windows tells you the signature is OK if you right-click the file and check Properties. But the timestamp on it is expired and I'm not sure if it's since been revoked.

That's actually pretty interesting in and of itself. Seems like if you were just going to copy over a monkeyed signature that you'd take the time to spruce up the timestamp.

My completely unfounded guess is that something was thrown away that didn't get wiped.
