Why wouldn't you run MBAM in safe mode?
May 17, 2011 03:11

coinstarpatrick posted: Some MWB staff member: "This goes into areas where I can't say much without giving away the internal workings but MBAM is stronger from regular mode. This is by design as the majority of new malware runs from safemode so you gain nothing anyway."
Well, other than being able to run MBAM at all since most competent malware authors refuse to let you run programs other than the malware in regular mode.
May 17, 2011 06:03

I guess the implication is that MBAM relies to some extent on services that run in normal mode but not safe mode. Are there any likely suspects? I wonder if it's related to their unwillingness to support running MBAM in a PE.
May 17, 2011 06:15

I think the biggest lesson to take from MBAM vs. SAS is to run SAS in safe mode, do more cleaning, then run MBAM in normal mode to double-check you're clean just before the computer heads out the door. I've caught a few computers with nasty reinstalls, like one that I swear was timed to wait out four or five reboots before reinstalling. Hell, that's how I'd make a virus. It would also overclock your CRT and make it explode.
May 17, 2011 22:48

It actually used to be possible, back before sanity checking, to damage hardware given highly specific instructions, didn't it?
May 17, 2011 23:03

bbcisdabomb posted: I think the biggest lesson to take from MBAM vs. SAS is to run SAS in safe mode, do more cleaning, then run MBAM in normal mode to double-check you're clean just before the computer heads out the door. I've caught a few computers with nasty reinstalls, like one that I swear was timed to wait out four or five reboots before reinstalling.
This is a good policy, we do that here too. It's also gotten to the point on XP machines where we will rebuild the MBR and do a fixboot as part of policy just for the sake of ensuring there's no rootkit hiding out there.
May 17, 2011 23:04

Pope Guilty posted: Well, other than being able to run MBAM at all since most competent malware authors refuse to let you run programs other than the malware in regular mode.
If you run Rkill first you will almost always be able to run MBAM right then and there from regular mode.
May 18, 2011 02:11

Pope Guilty posted: It actually used to be possible, back before sanity checking, to damage hardware given highly specific instructions, didn't it?
It still is; just ask Iran.
May 18, 2011 03:24

It's fairly trivial to write malware for old old IBM PCs that would tell the hard drive head to repeatedly seek between certain invalid sectors until the arm was stuck and the drive rendered useless.
May 18, 2011 03:52

Pope Guilty posted: It actually used to be possible, back before sanity checking, to damage hardware given highly specific instructions, didn't it?
CRT monitors could be damaged by forcing them to refresh too fast, and a ...Motorola (I think?) CPU had an instruction that would trigger an infinite loop or something and actually overheat the CPU. Here we go, some afternoon reading: http://en.wikipedia.org/wiki/Killer_poke
May 18, 2011 04:05

Pope Guilty posted: Well, other than being able to run MBAM at all since most competent malware authors refuse to let you run programs other than the malware in regular mode.
This is why rkill has a version that reports as iexplore.exe.
May 19, 2011 00:27

I have Snow Leopard running in a VM and I'd like to infect it with this new MAC Defender malware...anyone know of a site that will cause this?
May 21, 2011 15:28

Mr. Clark2 posted: I have Snow Leopard running in a VM and I'd like to infect it with this new MAC Defender malware...anyone know of a site that will cause this?
I can't find a specific url, but it seems to all be coming through Google Images at this point. It's a pretty boring piece of malware actually. EDIT: This thread has a few URLs and search terms.
FCKGW fucked around with this message at 21:31 on May 21, 2011
May 21, 2011 21:29

Really long and detailed PDF on the end-to-end analysis of how a spam network operates and generates income. The purpose of the study was to identify weaknesses and determine the best way to shut down a spam network. I found this part pretty interesting: quote:Without an effective mechanism to transfer
May 24, 2011 01:34

Has anyone had Windows 7 Recovery delete all the shortcuts in c:\program data\all users\Microsoft\Windows\Start Menu? I helped a lady with her infection, and I was able to use the single-line attrib command from around page 50 to show the hidden files. Her Start Menu remained empty, and she had been backing up her profile and system only, not program data. Is it likely they were deleted, or simply moved somewhere?
Oddhair fucked around with this message at 14:16 on May 25, 2011
May 25, 2011 14:09

Oddhair posted: Has anyone had Windows 7 Recovery delete all the shortcuts in c:\program data\all users\Microsoft\Windows\Start Menu? I helped a lady with her infection, and I was able to use the single-line attrib command from around page 50 to show the hidden files. Her Start Menu remained empty, and she had been backing up her profile and system only, not program data. Is it likely they were deleted, or simply moved somewhere?
It moves the shortcuts to a random temp location, so if you've run any sort of temp file cleaner you probably deleted them by accident.
May 25, 2011 15:31

Is Windows Security Essentials worth installing, or should I use Avast/AVGfree? I just reinstalled windows, and always used Avast, but if WSE is actually decent now I'll use that. Also - regarding MBR/rootkits, is just deleting the partitions and reformatting not good enough?
Alctel fucked around with this message at 17:30 on May 25, 2011
May 25, 2011 17:08

Alctel posted: Is Windows Security Essentials worth installing, or should I use Avast/AVGfree.
Microsoft Security Essentials. Any other name is likely fake/spyware. Also yes, it's very good, and since it's more integrated into Windows, program updates come in more reliably than other free antiviruses. Avast gets glitches where it sucks up all the system resources for a while for no apparent reason, and AVG has been crap for several major versions now.
May 25, 2011 17:56

Oddhair posted: Has anyone had Windows 7 Recovery delete all the shortcuts in c:\program data\all users\Microsoft\Windows\Start Menu? I helped a lady with her infection, and I was able to use the single-line attrib command from around page 50 to show the hidden files. Her Start Menu remained empty, and she had been backing up her profile and system only, not program data. Is it likely they were deleted, or simply moved somewhere?
Dealt with this today, I just remade the missing shortcuts. Edit, check %temp%
warning fucked around with this message at 18:51 on May 25, 2011
May 25, 2011 18:36

warning posted: Dealt with this today, I just remade the missing shortcuts.
Found mine in c:\users\username\appdata\local\temp\smtmp\1\ It was well worth it due to how much stuff the boss has installed, and how busy he is. Now I have to call back the first person I helped with this, hopefully her stuff is still there.
May 25, 2011 18:56

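One way to put those shortcuts back without remaking them by hand, as an added PowerShell example that is not from this thread; it assumes the rogue only moved the All Users Start Menu into smtmp\1 (the path named above) and that you run it from an elevated prompt on the cleaned machine:

```powershell
# Added example, not from the thread: put back the Start Menu shortcuts that the
# "Windows 7 Recovery" rogue moved into %TEMP%\smtmp\1, and clear the Hidden and
# System attributes it sets. Assumption: smtmp\1 holds the All Users Start Menu
# tree (the only mapping the thread gives); other smtmp folders are not handled.
param(
    [string]$Source      = (Join-Path $env:TEMP 'smtmp\1'),
    [string]$Destination = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    [switch]$DryRun      # list what would be restored without touching anything
)

if (-not (Test-Path -LiteralPath $Source)) {
    Write-Warning "'$Source' not found; a temp-file cleaner may already have deleted the shortcuts."
    exit 1
}
# Normalise so child FullName values share this exact prefix (needed for the relative path below)
$Source = (Get-Item -LiteralPath $Source -Force).FullName
$hiddenSystem = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$restored = 0

# -Force is required: the moved shortcuts are normally flagged Hidden
Get-ChildItem -LiteralPath $Source -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        # Keep the sub-folder layout (Programs\Accessories\...) when copying back
        $relative  = $_.FullName.Substring($Source.Length).TrimStart('\')
        $target    = Join-Path $Destination $relative
        $targetDir = Split-Path -Parent $target

        if ($DryRun) { Write-Host "Would restore: $relative"; return }

        if (-not (Test-Path -LiteralPath $targetDir)) {
            New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
        }
        # Copy rather than move, so the smtmp copy survives as evidence until you are done
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force
        (Get-Item -LiteralPath $target -Force).Attributes = [IO.FileAttributes]::Normal
        $restored++
    }

# The rogue hides the Start Menu folders themselves too, so un-hide the whole tree
if (-not $DryRun) {
    Get-ChildItem -LiteralPath $Destination -Recurse -Force |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $hiddenSystem))
        }
}
Write-Host "Restored $restored item(s) from '$Source' to '$Destination'."
```

Run it with -DryRun first to list what would be restored before anything is copied.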
Oddhair posted: Found mine in c:\users\username\appdata\local\temp\smtmp\1\
Great find you guys, just saved me a shitload of work too
May 25, 2011 19:52

My sister is saying she just got an infection from simply clicking on an image from google image search using Chrome as her browser. She says she didn't install anything; it installed without any prompts. She's using Microsoft Security Essentials as her anti-virus. I haven't been keeping up with the current state of malware. Is it really this bad these days or is she not telling me the whole truth? Either way, I had her boot into safe mode and she's scanning with SuperAntiSpyware now. I'm going to have her follow it up with Malwarebytes in both safe and normal mode. Anything else I should have her do?
May 25, 2011 20:18

Yeah, one of the most popular attacks right now is seeding GIS results with SEO bullshit that leads to sites hosting malware (which gets in through a plug-in like Flash, most likely) or XSS attacks.
May 25, 2011 20:54

New version of that Mac trojan is out, this time installation does not require an administrator password.
MacRumors.com posted: Unlike the previous variants of this fake antivirus, no administrator's password is required to install this program. Since any user with an administrator's account (the default if there is just one user on a Mac) can install software in the Applications folder, a password is not needed. This package installs an application, the downloader, named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original installer are left behind.
Now, to be fair the malware still requires the user to go through the setup process; it does not automatically drop any files on the system. The frightening thing is that the original Mac Defender trojan is built from a malware kit selling for around $1k so we're bound to see plenty of variants popping up soon, building on the strengths of the previous version.
May 25, 2011 22:27

Crossbar posted: I haven't been keeping up the current state of malware. Is it really this bad these days or is she not telling me the whole truth?
It really is that bad, and a lot of nasty poo poo has been getting into legit ad networks. Besides cleaning out that infection impress upon her how imperative it is to keep Flash, Java, and Adobe Reader up to date because those are the major infection vectors of the moment.
May 25, 2011 22:42

Am I protected from the new MacDefender crap if I'm using Firefox or Chrome rather than Safari? (because they don't open dmg files automatically, which I guess I should disable in Safari as soon as possible :-S)
May 25, 2011 22:50

Malware distributors are going to take any major news item and use SEO bullshit both in GIS, and normal search results, to bump up their infected sites on the list. Googling for a major news story is risky business nowadays, it really is that bad. Combine that with malware distributors finding ways to compromise or trick legitimate ad networks(this includes ad networks owned by both microsoft and google, for gently caress's sake) into serving up infected ads, and lots of people are going to get poo poo on their computer without doing anything all that unreasonable.
May 25, 2011 22:54

pienipple posted: It really is that bad, and a lot of nasty poo poo has been getting into legit ad networks. Besides cleaning out that infection impress upon her how imperative it is to keep Flash, Java, and Adobe Reader up to date because those are the major infection vectors of the moment.
I just installed Windows 7 on their computer about 2 weeks ago and did my best to make sure everything would auto-update. I specifically installed Chrome so that Flash would always be up to date and didn't install Java since they didn't need it. I think I installed Sumatra PDF so they didn't have to worry about updating Reader. My sister asked what she can do to avoid this in the future and I didn't know what to tell her.
May 25, 2011 22:55

I'm pretty impressed with how big a pain these programs can make themselves even on a system with all the proper UAC enabled in 7.
May 25, 2011 22:59

J posted: Malware distributors are going to take any major news item and use SEO bullshit both in GIS, and normal search results, to bump up their infected sites on the list. Googling for a major news story is risky business nowadays, it really is that bad. Combine that with malware distributors finding ways to compromise or trick legitimate ad networks(this includes ad networks owned by both microsoft and google, for gently caress's sake) into serving up infected ads, and lots of people are going to get poo poo on their computer without doing anything all that unreasonable.
May 25, 2011 23:01

FCKGW posted: The frightening thing is that the original Mac Defender trojan is built from a malware kit selling for around $1k so we're bound to see plenty of variants popping up soon, building on the strengths of the previous version.
"Malware kit"? Really? I mean, there's being a jerk and then there's being a goddamn rear end in a top hat.
May 25, 2011 23:15

m2pt5 posted: "Malware kit"? Really? I mean, there's being a jerk and then there's being a goddamn rear end in a top hat.
Ever notice how all the malware that hits Windows machines is always "Win Security 2011"? And then a week later it's "Microsoft Security 2011"? Congratulations, it's a malware kit! Change a few words on a template, change the randomization scheme and you just made a new rogue that can't be detected (one big reason why signature detection doesn't work).
co199 fucked around with this message at 00:36 on May 26, 2011
May 25, 2011 23:23

co199 posted: Ever notice how all the malware that hits Windows machines is always "Win Security 2011"? And then a week later it's "Microsoft Security 2011"? Congratulations, it's a malware kit! Change a few words on a template, change the randomization scheme and you just made a new rogue that can't be detected (one big reason why heuristic detection doesn't work).
Don't you mean signature detection?
May 25, 2011 23:41

Scaramouche posted: Don't you mean signature detection?
Yeah, sorry. I get my terms mixed up sometimes.
co199 fucked around with this message at 00:41 on May 26, 2011
May 26, 2011 00:36

m2pt5 posted: "Malware kit"? Really? I mean, there's being a jerk and then there's being a goddamn rear end in a top hat.
Yeah, malware kits have been around on the Windows side for a while, but this new Mac Defender is from the first kit written for OSX.
May 26, 2011 00:48

FCKGW posted: Yeah, malware kits have been around on the Windows side for a while, but this new Mac Defender is from the first kit written for OSX.
I think you probably mean the first publicly available kit. The first Windows kits were kept private and unknown before the first publicly known ones came out.
May 26, 2011 03:07

Early this morning one of my secondary gmail accounts e-mailed my primary account and several other addresses (all addresses I had previously sent to, I think) with spam. MSE and MBAM turn up clean on both of my computers (the only ones I can recall entering the compromised account's password on), and I've changed the password on both of my gmail accounts. It's unlikely I'll discover how the account was compromised, but are there any other actions I should take to prevent continued access to my accounts?
May 26, 2011 04:33

co199 posted: Ever notice how all the malware that hits Windows machines is always "Win Security 2011"? And then a week later it's "Microsoft Security 2011"? Congratulations, it's a malware kit! Change a few words on a template, change the randomization scheme and you just made a new rogue that can't be detected (one big reason why signature detection doesn't work).
Detection is hard because the authors are manually updating the obfuscation they use on the code. It doesn't have too much to do with the name or branding of the fake AV program itself, and the creation kits can't usually make changes that break detection signatures (except straight checksums) -- it takes a human author to do that.
May 26, 2011 09:49

Just got a call from a tech who is very technically sound who claims a new variant of Windows Recovery deleted the users documents. He did also mention that the user may have tried some things on his own before he gave the laptop to IT. Looks like this one is getting some nasty variants real quick.
May 26, 2011 15:27

BillWh0re posted: Detection is hard because the authors are manually updating the obfuscation they use on the code. It doesn't have too much to do with the name or branding of the fake AV program itself, and the creation kits can't usually make changes that break detection signatures (except straight checksums) -- it takes a human author to do that.
That's true, and I was oversimplifying the process. I've been out of the research game for a couple years now so I don't have the details I used to. That being said, it's really hard to find an explanation for a customer when they ask "well why didn't xxx program detect this?" The "malware kit", while not 100% correct, works when you're dealing with someone who doesn't give a poo poo about the technical details and just wants an answer. Hell, it's a better answer than a bunch of other shops around here give, which is "because that one is a bad AV program, buy this one". Neither answer solves the problem, but one doesn't cost the customer unnecessary money.
May 26, 2011 16:26