  • Locked thread
angrytech
Jun 26, 2009

Hex Darkstar posted:

Yeah, I'm not sure if they ran into complications with the rootkit component of it, but for at least the past 3+ weeks it has changed its distribution method to include only the user mode infection, even on admin privileged accounts.

Not sure if that is because they're overhauling the component to be more compatible within x64 environments. It had support, but it was super easy to get rid of since it almost always relied on the same named DLL each time (C:\Windows\System32\Consrv.dll), so that was almost a universal sign that the machine had been bad touched by ZeroAccess. I don't think it is for that reason, mostly because the 32-bit version is also only releasing the user mode component rather than the full-blown rootkit, so I guess we'll just wait and see.

loving virus writers write better code than Symantec/McAfee


Hex Darkstar
May 28, 2004

I think I need another liver transplant.
http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/

Article that details some of the Zero Access changes, pretty decent write-up on it, their speculation on the change actually seems very probable too:

quote:

It's clear that the malware's authors have decided on a more unified approach to supported platforms and to change the footprint of ZeroAccess both on infected machines and on infected networks.

This is most likely due to the increased attention that this malware family has been receiving from security companies, but also as more and more people are using 64-bit machines it makes sense for malware authors to focus on that platform, so maintaining a complicated kernel-mode component that only works on 32-bit systems seems less and less cost effective.

Technogeek
Sep 9, 2002

by FactsAreUseless

Hex Darkstar posted:

http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/

Article that details some of the Zero Access changes, pretty decent write-up on it, their speculation on the change actually seems very probable too:

My favorite part of that article (emphasis mine):

Sophos posted:

The goal of ZeroAccess remains the same: to download further malware onto the infected machine. The types of malware we are seeing downloaded are broadly the same: click fraud and spam bots, although a BitCoin miner has now been added to the mix.

Vax
Dec 29, 2011

delicious!
gently caress me I think I got some unknown trojan/virus on my system. Just did a full scan with Kaspersky/Avira and nothing.

Here are the symptoms: Every 5 minutes my Kaspersky tells me it blocked an attempt by IEXPLORE.EXE to access a suspicious url.

Full Report:
Internet Explorer u.php Denied: http://cloudice.net/was/u.php (analysis using the database of suspicious URLs) 11.06.2012 09:30:27

That sounds like a trojan that wants to update its modules, right!? gently caress!

Ah well, time for a system wipe then I guess...
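The symptom above (the same URL blocked on a fixed five-minute cycle) is the classic shape of a command-and-control beacon, and the check a responder wants is to pull the AV log and test whether the hits are periodic rather than eyeballing them. The following is an added example, not code from the thread: it parses lines in the shape of the single Kaspersky line quoted above (the regex is an assumption about that format) and reports any process/URL pair whose inter-arrival times cluster around one interval. The sample log is constructed for the example.

```python
"""Flag periodic outbound requests (beaconing) in AV web-filter log lines.

Added example, not from the thread. The log lines are constructed to mimic the
single Kaspersky line quoted above; the line format regex is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Shape of the quoted line: "<process> <file> Denied: <url> (<reason>) DD.MM.YYYY HH:MM:SS"
LINE_RE = re.compile(
    r"^(?P<process>.+?) \S+ Denied: (?P<url>\S+) \(.*?\) "
    r"(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})$"
)


def parse(lines):
    """Return (process, url, datetime) for every line matching LINE_RE."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["process"], m["url"],
                           datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S")))
    return events


def find_beacons(lines, min_hits=3, jitter=0.2):
    """Group hits by (process, url) and report groups whose gaps cluster around
    one interval. jitter is the allowed relative deviation from the median gap;
    real implants add jitter on purpose, so keep this loose rather than exact."""
    by_key = defaultdict(list)
    for proc, url, ts in parse(lines):
        by_key[(proc, url)].append(ts)
    beacons = []
    for (proc, url), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        regular = sum(abs(g - med) <= jitter * med for g in gaps)
        if regular == len(gaps):
            beacons.append({"process": proc, "url": url,
                            "hits": len(stamps), "interval_s": med})
    return beacons


# Constructed sample: the quoted URL hit every ~5 minutes, plus one unrelated block.
SAMPLE_LOG = [
    "Internet Explorer u.php Denied: http://cloudice.net/was/u.php (analysis using the database of suspicious URLs) 11.06.2012 09:30:27",
    "Internet Explorer u.php Denied: http://cloudice.net/was/u.php (analysis using the database of suspicious URLs) 11.06.2012 09:35:28",
    "Internet Explorer u.php Denied: http://cloudice.net/was/u.php (analysis using the database of suspicious URLs) 11.06.2012 09:40:26",
    "Internet Explorer u.php Denied: http://cloudice.net/was/u.php (analysis using the database of suspicious URLs) 11.06.2012 09:45:27",
    "Internet Explorer ad.js Denied: http://ads.example.test/ad.js (analysis using the database of suspicious URLs) 11.06.2012 09:41:03",
]

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['process']} -> {b['url']}: {b['hits']} hits every ~{b['interval_s']:.0f}s")
```

A blocked beacon only tells you the implant is still running; the fix is to find what is injecting into or spawning IEXPLORE.EXE, not to keep relying on the URL filter.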

Zadda
Jan 27, 2007


Young Urchin
Recently came across a demonstration of Spy Eye:

http://tweakers.net/video/5455/demonstratie-hoe-gaan-cybercriminelen-te-werk.html

The intro is in Dutch but the rest is in English (starts at 0:30).

RadicalR
Jan 20, 2008

"Businessmen are the symbol of a free society
---
the symbol of America."
Came across another one of those drat Google redirect viruses.
Forefront doesn't pick it up. Goddamnit. User isn't an admin, so it couldn't write to the machine registry, but it can to the local profile.

Any ideas?

Phobophilia
Apr 26, 2008

by Hand Knit
I'm pretty late to the thread. I've been using AVGfree and MBAM together, is that okay?

Also, I've been hearing a lot of criticism of AVG, should I switch that for MSE?

Agreed
Dec 30, 2003

The price of meat has just gone up, and your old lady has just gone down

AVG pretty much fell off a few years back. People have anecdotally reported letting real viruses through and blocking false positives; perhaps more significantly, it performs really poorly in general multi-product scanner tests, especially against more sophisticated threats.

Gweenz
Jan 27, 2011

Phobophilia posted:

I'm pretty late to the thread. I've been using AVGfree and MBAM together, is that okay?

Also, I've been hearing a lot of criticism of AVG, should I switch that for MSE?

AVG is also extremely resource intensive compared to others, especially MSE. It will bring an older machine to its knees. From my experience it doesn't protect any better.

quote:

Came across another one of those drat Google redirect viruses.
Forefront doesn't pick it up. Goddamnit. User isn't an admin, so it couldn't write to the machine registry, but it can to the local profile.

Is it redirecting you to NewsFudge? I've had 2 machines on the bench this week with this virus. Your hosts file is most likely modified. Try ComboFix.
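Checking the hosts file by hand is error-prone on a machine with a long ad-block list, so here is an added example (not code from the thread) that audits it: it separates entries that merely block a name (127.0.0.1 / 0.0.0.0, common and usually harmless) from entries that point a name at some other address, which is what produces the search-redirect symptom described above. The watchlist of domains and the sample hosts file are constructed for the example.

```python
"""Audit a Windows hosts file for redirect-style entries.

Added example, not from the thread. A hosts line that maps a well-known domain
to a non-local address redirects traffic; lines mapping to 127.0.0.1 or 0.0.0.0
only block and are reported separately so ad-block lists do not drown the signal.
"""
import ipaddress

# Names worth flagging on any mapping at all. Extend for your environment (assumed list).
WATCHLIST = {"google.com", "www.google.com", "bing.com", "www.bing.com",
             "microsoft.com", "update.microsoft.com", "windowsupdate.com",
             "malwarebytes.org", "avast.com", "kaspersky.com"}

LOCAL_IPS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0"),
             ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each active mapping, ignoring comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping line
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), no


def audit_hosts(text):
    """Return {'redirects': [(line, host, ip, watchlisted)], 'blocks': [(line, host, ip)]}.
    Redirects are the dangerous ones; blocks of watchlisted names (e.g. an AV
    vendor) are listed because malware uses them to stop updates and downloads."""
    findings = {"redirects": [], "blocks": []}
    for ip, host, no in parse_hosts(text):
        is_local = ip in LOCAL_IPS or ip.is_loopback
        on_list = host in WATCHLIST or any(host.endswith("." + d) for d in WATCHLIST)
        if not is_local:
            findings["redirects"].append((no, host, str(ip), on_list))
        elif on_list:
            findings["blocks"].append((no, host, str(ip)))
    return findings


# Constructed sample: the stock Microsoft lines, one ad-block line, two redirects
# of the kind described above, and a blocked AV vendor. 203.0.113.0/24 is
# documentation address space, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test        # ad-block entry, harmless
203.0.113.7     www.google.com google.com
203.0.113.7     www.bing.com
127.0.0.1       malwarebytes.org        # blocks the AV vendor: also suspicious
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for no, host, ip, listed in result["redirects"]:
        print(f"line {no}: {host} -> {ip}{'  [watchlisted]' if listed else ''}")
    for no, host, ip in result["blocks"]:
        print(f"line {no}: {host} blocked via {ip} (watchlisted name)")
```

Read the file from the path the resolver actually uses: the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters normally points at %SystemRoot%\System32\drivers\etc, and malware can point it elsewhere so that the file you open in Notepad is not the one being consulted.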

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Read this on TheReg:
http://www.theregister.co.uk/2012/06/19/schneier_flame_malware_antivirus/

It's about Bruce Schneier chiding AV companies for not being on top of Flame/Stux.

I'm kind of wondering if we're nearing the end of life for traditional anti-virus methods. If you have (x) number of guys working on anti-virus I can almost guarantee that there are (y) (let's say (x)*50) guys out there writing viruses and trying to exploit new security holes. Combine that with the fact that the (x) guys are split up among various AV companies, and the (y) guys can theoretically use each other's work, and it gets kind of untenable. Now you throw nation-state players into the mix, can signature-based AV even work anymore in this kind of scenario?

BillWh0re
Aug 6, 2001


Scaramouche posted:

Read this on TheReg:
http://www.theregister.co.uk/2012/06/19/schneier_flame_malware_antivirus/

It's about Bruce Schneier chiding AV companies for not being on top of Flame/Stux.

I'm kind of wondering if we're nearing the end of life for traditional anti-virus methods. If you have (x) number of guys working on anti-virus I can almost guarantee that there are (y) (let's say (x)*50) guys out there writing viruses and trying to exploit new security holes. Combine that with the fact that the (x) guys are split up among various AV companies, and the (y) guys can theoretically use each other's work, and it gets kind of untenable. Now you throw nation-state players into the mix, can signature-based AV even work anymore in this kind of scenario?

Schneier has misunderstood the malware industry. Flame and Stuxnet go undetected because they are so narrowly targeted that no one sees a sample for years (even though backend AV systems have collected them). Their authors are only interested in some very specific information from a few targets. Commercial malware can't do that because the return per infection is so low that they need to infect a whole load of machines to make any real money.

Of course there will be financially motivated, targeted threats out there but they're rare. They aren't as well engineered as Stuxnet and Flame so they're much more likely to be picked up by AV heuristics even though they've not been seen before (although most likely they were created with a kit that has been seen a lot).

Ceros_X
Aug 6, 2006

U.S. Marine

Scaramouche posted:

Read this on TheReg:
http://www.theregister.co.uk/2012/06/19/schneier_flame_malware_antivirus/

It's about Bruce Schneier chiding AV companies for not being on top of Flame/Stux.

I'm kind of wondering if we're nearing the end of life for traditional anti-virus methods. If you have (x) number of guys working on anti-virus I can almost guarantee that there are (y) (let's say (x)*50) guys out there writing viruses and trying to exploit new security holes. Combine that with the fact that the (x) guys are split up among various AV companies, and the (y) guys can theoretically use each other's work, and it gets kind of untenable. Now you throw nation-state players into the mix, can signature-based AV even work anymore in this kind of scenario?

Eh, from my understanding, AVs aren't made (for the most part) to stop 0-day threats, they're made to stop already identified malware that still roams wild. Heuristics is good at spotting suspicious activity, but really modern day AV + keeping your programs patched should keep you relatively safe.

If there's some crazy 0-day super virus then everyone is hosed until the vector gets identified and patched and new definitions are released.

tjl
Aug 6, 2005
Zero-days are one thing, but I have to agree with Scaramouche. Traditional methods have fallen way behind. I routinely upload suspicious .exe files I come across to Virustotal. Drive by downloads, e-mail attachments, etc. More and more often nothing detects them as being malicious.

Testing them in a VM confirms they are the same popular Trojans, and they misbehave in the same ways. The only real difference is the dropper's file name, and the possibility that it's freshly compiled code. It seems like these programs are changing their signatures every few hours in the more extreme cases.

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
He's about 3 years late in telling AV companies that they are largely useless.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

I think too that the nation state players are going to discover methods that are a bit more invasive than the normal 'low hanging fruit' that for profit malware makers are going to go for, and that we'll see those technologies 'trickle down'. Basically the state of the art of malware might be getting a big shot in the arm.

BillWh0re
Aug 6, 2001


tjl posted:

Zero-days are one thing, but I have to agree with Scaramouche. Traditional methods have fallen way behind. I routinely upload suspicious .exe files I come across to Virustotal. Drive by downloads, e-mail attachments, etc. More and more often nothing detects them as being malicious.

Testing them in a VM confirms they are the same popular Trojans, and they misbehave in the same ways. The only real difference is the dropper's file name, and the possibility that it's freshly compiled code. It seems like these programs are changing their signatures every few hours in the more extreme cases.

Virustotal only tests static file detection, which is something AV companies have been moving away from for the last 7+ years. It's not a representative test of what would happen if you actually ran the file on a machine with a particular AV product.

The reason for this is exactly what you posted -- the files themselves are tweaked by hand several times a day to make sure they evade detection on Virustotal-style scanners. That's why AV companies now care less about just detecting the files (except they still have to detect them retroactively to pander to independent testers and people who judge effectiveness with Virustotal) and more about blocking or reversing what they do to a system.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Another example of state sponsored malware, though apparently this was off the shelf:
http://www.theregister.co.uk/2012/06/20/syrian_skype_trojan/

lunar detritus
May 6, 2009


I got infected again, now with "F a lot of random digits.exe". The only thing I have done lately was to install (and uninstall minutes later) Bluestacks (android emulator-ish).

MSE even told me "Hey, I don't recognize F******.exe, want to send it to us?" and I said no. :smithicide:

Maybe formatting would be for the best.

EDIT: Malwarebytes found it.

quote:

Files Detected: 2
C:\ProgramData\F4D562C8000078720003C0BAB4EB238B\F4D562C8000078720003C0BAB4EB238B.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\gmq\Local Settings\Temporary Internet Files\Content.IE5\NBTS5L8E\soft4[1].exe (Trojan.Lameshield) -> Quarantined and deleted successfully.

The weird thing is that I started getting these things only after switching to Firefox. I used Chrome for years without any problem.

lunar detritus fucked around with this message at 04:30 on Jun 21, 2012

angrytech
Jun 26, 2009

gmq posted:

I got infected again, now with "F a lot of random digits.exe". The only thing I have done lately was to install (and uninstall minutes later) Bluestacks (android emulator-ish).

MSE even told me "Hey, I don't recognize F******.exe, want to send it to us?" and I said no. :smithicide:

Maybe formatting would be for the best.

EDIT: Malwarebytes found it.


The weird thing is that I started getting these things only after switching to Firefox. I used Chrome for years without any problem.

Sounds like you got hit with something that pulled in a second piece of malware, which MSE caught. But the original didn't get removed and so it keeps installing more poo poo.
Flatten/Reinstall.

Wanted By Weed
Aug 14, 2005

Toilet Rascal
I've been lurking this thread since yesterday when I got hit by Sirefef. It disabled MSE and ruined my firewall, which I can't turn back on. I installed Malwarebytes to no avail, then tried Avast. I've managed to stop the ads, redirects and remove the bitcoin miner (yes, I had a bitcoin miner :smith: ) but now I keep getting warnings about something called "Atraps" and my computer seems to be running a bit slower.

How can I reactivate my firewall, if that's possible?

ChesterKitty
Oct 2, 2001

Wanted By Weed posted:

I've been lurking this thread since yesterday when I got hit by Sirefef. It disabled MSE and ruined my firewall, which I can't turn back on. I installed Malwarebytes to no avail, then tried Avast. I've managed to stop the ads, redirects and remove the bitcoin miner (yes, I had a bitcoin miner :smith: ) but now I keep getting warnings about something called "Atraps" and my computer seems to be running a bit slower.

How can I reactivate my firewall, if that's possible?

I worked on a computer that was affected by this and lost the firewall. Are you seeing a missing firewall service as well? I googled one of the error messages that I received when I tried to reactivate the service and it led to a microsoft KB article that had one of those FixIt things that worked, amazingly enough. Unfortunately, I don't have that computer here anymore to look it up to reference it, but I was able to find it quickly enough.

Wanted By Weed
Aug 14, 2005

Toilet Rascal
Well, I ran ComboFix after seeing it being praised in this thread, and it seems to have restored the firewall. I was even able to reinstall Microsoft Security Essentials and get it to run again.

angrytech
Jun 26, 2009

Wanted By Weed posted:

Well, I ran ComboFix after seeing it being praised in this thread, and it seems to have restored the firewall. I was even able to reinstall Microsoft Security Essentials and get it to run again.

Lemme guess, you don't run backups and that's why you aren't just flattening and reinstalling that fucker?

Wanted By Weed
Aug 14, 2005

Toilet Rascal
Well, I'd rather not flatten and reinstall unless I absolutely had to, especially when it seems like everything's working now. I do run backups, I was just hoping I wouldn't have to do it.

tjl
Aug 6, 2005
Yet another victory for ComboFix. It's getting really good at removing the fake AV programs. (Or maybe the malware authors are getting their summer vacations in.)

lunar detritus
May 6, 2009


Wanted By Weed posted:

Well, I ran ComboFix after seeing it being praised in this thread, and it seems to have restored the firewall. I was even able to reinstall Microsoft Security Essentials and get it to run again.

Check if the firewall still has its default rules.

I had the same problem and the virus took with it the firewall and MSE. I was able to restore both but my home network mysteriously stopped working, refusing to even allow file sharing. In the end I figured out that the virus also deleted all the default firewall rules. I had to copy the registry key from my netbook.

mindphlux
Jan 8, 2004

by R. Guyovich
I don't really know the history of combofix - but why is it so good at what it does, while anti-malware and AV programs completely suck?

A Real Happy Camper
Dec 11, 2007

These children have taught me how to believe.
I seem to have picked up something pretty nasty on my desktop, but I'm not entirely sure how to get it off. MSE picks it up, but it crashes windows before it can remove it. What are my options when it comes to boot CDs? I'd use a USB stick but my laptop's USB ports are all fried.

E: I couldn't get much info out of Microsoft Security Essentials before it shut down on me but I do know it's flagged as a trojan of some sort, and it's running as services.exe.

E2: got it! Trojan/Sirefef.M, Trojan/Sirefef.W and Phdet.E, hopefully I should be able to find something on google now.

A Real Happy Camper fucked around with this message at 22:57 on Jul 7, 2012

-Dethstryk-
Oct 20, 2000

Captain Novolin posted:

I seem to have picked up something pretty nasty on my desktop, but I'm not entirely sure how to get it off. MSE picks it up, but it crashes windows before it can remove it. What are my options when it comes to boot CDs? I'd use a USB stick but my laptop's USB ports are all fried.

E: I couldn't get much info out of Microsoft Security Essentials before it shut down on me but I do know it's flagged as a trojan of some sort, and it's running as services.exe.

E2: got it! Trojan/Sirefef.M, Trojan/Sirefef.W and Phdet.E, hopefully I should be able to find something on google now.

To be safe, you'll want some sort of offline scanner that will work outside of Windows. You can just use Microsoft's Windows Defender Offline to make a boot CD. Best if you can make it on a clean PC.

A Real Happy Camper
Dec 11, 2007

These children have taught me how to believe.

-Dethstryk- posted:

To be safe, you'll want some sort of offline scanner that will work outside of Windows. You can just use Microsoft's Windows Defender Offline to make a boot CD. Best if you can make it on a clean PC.

Thanks! I knew there was a microsoft one but I couldn't remember what it was called. After it finishes I'll probably give Malwarebytes and stuff a go to make sure I got it all. Ironically when I booted up my computer my first thought was that I should run a scan because I hadn't done one in a while :doh:

univbee
Jun 3, 2004




mindphlux posted:

I don't really know the history of combofix - but why is it so good at what it does, while anti-malware and AV programs completely suck?

One of the main things ComboFix does that no other tool seems to, is kill a lot of "unstoppable" Windows processes so that they can actually be scanned correctly. "Rootkit" viruses hide themselves in this way by making themselves invisible while the system is running normally, and you pretty much have to scan the system in some type of offline mode to be able to find them. My guess is that doing this requires interrupting the system and making it unusable during the scan, which is seen as a no-no for most AV programs.

mindphlux
Jan 8, 2004

by R. Guyovich
speaking of which - there are so many times when I need to use ComboFix via remote access - but ComboFix kills the LogMeIn service, and will sit there waiting for prompts from the user.

has anyone had any luck using some other remote access program to run combofix? or does combofix have an unattended mode? I hate that they try to hide information about the program on the basis that only their dumb trained 'malware gurus' can handle using the tool properly.

chizad
Jul 9, 2001

'Cus we find ourselves in the same old mess
Singin' drunken lullabies

mindphlux posted:

speaking of which - there are so many times when I need to use ComboFix via remote access - but ComboFix kills the LogMeIn service, and will sit there waiting for prompts from the user.

has anyone had any luck using some other remote access program to run combofix? or does combofix have an unattended mode? I hate that they try to hide information about the program on the basis that only their dumb trained 'malware gurus' can handle using the tool properly.

Same thing happens with GoToAssist. :(

mindphlux
Jan 8, 2004

by R. Guyovich
goddamnit there's gotta be a way

Dante
Feb 8, 2003

so after spending a day getting rid of smarthdd in may I got my msn account disabled twice the last 30 days by microsoft. Are MSN accounts frequently just hacked or do I basically have a keylogger/trojan installed?

angrytech
Jun 26, 2009

Dante posted:

so after spending a day getting rid of smarthdd in may I got my msn account disabled twice the last 30 days by microsoft. Are MSN accounts frequently just hacked or do I basically have a keylogger/trojan installed?

Assuming that your password is sufficiently complex, and you aren't reusing it anywhere, you've got a rootkit.

univbee
Jun 3, 2004




mindphlux posted:

speaking of which - there are so many times when I need to use ComboFix via remote access - but ComboFix kills the LogMeIn service, and will sit there waiting for prompts from the user.

has anyone had any luck using some other remote access program to run combofix? or does combofix have an unattended mode? I hate that they try to hide information about the program on the basis that only their dumb trained 'malware gurus' can handle using the tool properly.

ComboFix specifically kills all network connectivity while running, so no remote login program is going to work, short of something like a KVM switch you can remote into. Even connecting to another computer local to it, the network is flat-out not there. This is mainly due to a lot of malware infecting the network stack in Windows for redirection purposes.

As for an unattended, sadly they decided to make the tool without one; there's no way to fully automate it, and no command-line switches programmed into it either.

Khablam
Mar 29, 2012

univbee posted:

ComboFix specifically kills all network connectivity while running, so no remote login program is going to work, short of something like a KVM switch you can remote into. Even connecting to another computer local to it, the network is flat-out not there. This is mainly due to a lot of malware infecting the network stack in Windows for redirection purposes.

As for an unattended, sadly they decided to make the tool without one; there's no way to fully automate it, and no command-line switches programmed into it either.
Provided the machine has the Windows recovery tool installed and isn't prompted for it, you could use AutoHotkey to hit the buttons for you (assume infection and the relevant prompts). Assuming you can tab into all the yes/no boxes it wouldn't be too awkward.

You should be able to RDP into the machine after the reboot to log in.

It's not ideal, but if it's absolutely necessary to be remote this might work. Or, find a lackey.

floatman
Mar 17, 2009
Hello guys, I've got something that befuddles me.
The operating system is Windows Server 2008 R2. Recently it was hit by a cocktail of backdoors/ trojans.
It seems that somehow a trojan has done something to hook itself to the spacebar keypress(?). Here's what's happening:
When I RDP into the server and press space, I don't get a space character. Instead, the system tries to run a file in %windir%\system32\bootsysten.exe. Now, this bootsysten.exe was a trojan detected by Forefront as "Zegost.AF" and removed, so I get a cannot find file error.
The funny thing is this:
Let's say I start a command prompt. I press space. I do not get a space character sent to the command prompt, but instead the keypress is hijacked to try to run the removed file.
If I start a command prompt as administrator, I can press space and get spaces.

How do you hijack keypresses, and where do I go to remove it?


Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Depends on how it's doing it. The easy way is through a registry entry, check out your HKEY_LOCAL\System\CurrentControlSet\Control\Keyboard Layout and see if there's anything wacky in there. There's other ways but I don't remember off hand. What you're experiencing is called a keyboard hook.

Maybe check out the registry keys referenced here:
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1011218

I'd suggest doing a full/better removal though, especially for a server.
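The value to look at under that key is "Scancode Map" (REG_BINARY); it is the mechanism the registry offers for remapping keys, and Windows' own layout is documented: a zero version DWORD, a zero flags DWORD, a count DWORD (entries including the null terminator), then one little-endian DWORD per remap with the original scan code in the high word and the replacement in the low word (0 disables the key), ending in a zero DWORD. Two caveats before reading too much into it: the map is machine-wide and only takes effect after a reboot, and it can only swap or disable keys, so it cannot by itself make the space bar launch a file; a per-user symptom like the one described points at a hook DLL loaded into the non-elevated session instead. The decoder below is an added example, not code from the thread; the scan-code name table and the sample blob are constructed for it.

```python
"""Decode the Windows "Scancode Map" value (REG_BINARY) found under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layout.

Added example, not from the thread. Layout:
  DWORD version (0), DWORD flags (0), DWORD count (entries incl. terminator),
  then count-1 DWORDs of (original_scancode << 16) | new_scancode,
  all little-endian, followed by a zero DWORD. new_scancode 0 disables the key.
"""
import struct

# A few PS/2 set-1 scan codes so reports are readable; anything else prints as hex.
SCANCODE_NAMES = {
    0x0001: "Esc", 0x000F: "Tab", 0x001C: "Enter", 0x001D: "LCtrl",
    0x0038: "LAlt", 0x0039: "Space", 0x003A: "CapsLock",
    0xE01D: "RCtrl", 0xE038: "RAlt", 0xE05B: "LWin", 0xE05C: "RWin",
}


def name(code):
    return SCANCODE_NAMES.get(code, f"0x{code:04X}")


def decode_scancode_map(blob):
    """Return a list of (original, new) scan-code pairs, validating the layout.
    Raises ValueError on anything malformed rather than guessing."""
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("Scancode Map too short or not DWORD-aligned")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0:
        raise ValueError(f"unexpected header version={version} flags={flags}")
    if len(blob) != 12 + 4 * count:
        raise ValueError(f"count={count} does not match blob length {len(blob)}")
    entries = struct.unpack_from(f"<{count}I", blob, 12)
    if entries[-1] != 0:
        raise ValueError("missing null terminator")
    return [(e >> 16, e & 0xFFFF) for e in entries[:-1]]


def describe(blob):
    """Human-readable 'Original -> New' lines for each remap."""
    return [f"{name(o)} -> {'disabled' if n == 0 else name(n)}"
            for o, n in decode_scancode_map(blob)]


def read_live_scancode_map():
    """Read the value from the live registry (Windows only); None if absent."""
    import winreg  # ImportError on non-Windows hosts
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Keyboard Layout")
    try:
        value, kind = winreg.QueryValueEx(key, "Scancode Map")
    except FileNotFoundError:
        return None
    finally:
        winreg.CloseKey(key)
    return bytes(value) if kind == winreg.REG_BINARY else None


# Constructed sample: the common benign "Caps Lock acts as Left Ctrl" remap,
# plus a second entry that disables the space bar.
SAMPLE_MAP = bytes.fromhex(
    "00000000" "00000000"   # version, flags
    "03000000"              # count = 2 entries + terminator
    "1D003A00"              # CapsLock (0x3A) -> LCtrl (0x1D)
    "00003900"              # Space (0x39) -> nothing (disabled)
    "00000000"              # terminator
)

if __name__ == "__main__":
    for line in describe(SAMPLE_MAP):
        print(line)
```

On the affected server, run read_live_scancode_map() and pass the result to describe(); an absent value means the registry remap is not in play and the hunt moves to what is loaded into the user's session (AppInit_DLLs and the per-user Run keys are the usual next stops).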
