  • Locked thread
bobua
Mar 23, 2003
I'd trade it all for just a little more.

Walter_Sobchak posted:

I've had someone get hit by 2 variants of the "FBI found kiddie porn!" virus in one week. As it's the same person, I'm inclined to think that there was something I didn't get the first go round that let the PC get reinfected. Besides MBAM and ComboFix, what else am I forgetting to do here?

Sometimes it's just too new and you aren't going to get the whole thing.

Other times you miss that it added a legitimate windows task to the windows\tasks folder and that's just old school sneaky:(

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
Tools are just the first stage of cleaning and giving you an idea of what you're up against. If you aren't searching for the rest of it yourself then welp

Khablam
Mar 29, 2012

Walter_Sobchak posted:

I've had someone get hit by 2 variants of the "FBI found kiddie porn!" virus in one week. As it's the same person, I'm inclined to think that there was something I didn't get the first go round that let the PC get reinfected. Besides MBAM and ComboFix, what else am I forgetting to do here?

It's also somewhat likely he's just visited the same site which has done a drive-by for the second time.
You probably want to look at how you manage java on the machines.

Dice Dice Baby
Aug 30, 2004
I like "faggots"

Khablam posted:

It's also somewhat likely he's just visited the same site which has done a drive-by for the second time.
You probably want to look at how you manage java on the machines.

Basic protocol I have is asking: Do you need java?

No? Then don't install it

Yes? Install it but always keep it up to date, your a/v definitions up to date and anything else you might have that can prevent or block malware, like other software, firewall or NAT, etc.

BOOTY-ADE
Aug 30, 2006

BIG KOOL TELLIN' Y'ALL TO KEEP IT TIGHT

Dice Dice Baby posted:

Basic protocol I have is asking: Do you need java?

No? Then don't install it

Yes? Install it but always keep it up to date, your a/v definitions up to date and anything else you might have that can prevent or block malware, like other software, firewall or NAT, etc.

The only problem I've seen with Java at a lot of places is that developers aren't keeping their applications or programs up to date, so they end up using some old, outdated, more vulnerable version of Java rather than being compatible with the newest. Two of my last employers had that issue where they required specific versions of Java in order for certain apps to work, and if you loaded anything other than those versions, it broke the app and caused all sorts of problems. :(

And the antivirus stuff is great, but there are a few that completely suck rear end and don't get new updates often enough, some not until after the fact. Forefront Endpoint Protection and pretty much anything Symantec or McAfee all suck rear end, I can't count how many times they've showed "up to date" and some virus/malware that's been known about for weeks or months ends up sneaking through and has to be killed by a third party app like Malwarebytes. Not to mention some of these AV suites are serious resource hogs and slow the system nearly to a halt just running a goddamn virus scan.

Dice Dice Baby
Aug 30, 2004
I like "faggots"

Ozz81 posted:

The only problem I've seen with Java at a lot of places is that developers aren't keeping their applications or programs up to date, so they end up using some old, outdated, more vulnerable version of Java rather than being compatible with the newest. Two of my last employers had that issue where they required specific versions of Java in order for certain apps to work, and if you loaded anything other than those versions, it broke the app and caused all sorts of problems. :(

And the antivirus stuff is great, but there are a few that completely suck rear end and don't get new updates often enough, some not until after the fact. Forefront Endpoint Protection and pretty much anything Symantec or McAfee all suck rear end, I can't count how many times they've showed "up to date" and some virus/malware that's been known about for weeks or months ends up sneaking through and has to be killed by a third party app like Malwarebytes. Not to mention some of these AV suites are serious resource hogs and slow the system nearly to a halt just running a goddamn virus scan.

Unfortunately, anti-virus software with heuristics will have that effect... slowing things down while offering a possible shield against unknown threats :(

A tip I forgot for Java: if you need an older version of java, have the newest version installed AND the old version, but disable the old version in the Control Panel. Make a shortcut by hand to the software that needs the old version of java.

I have appended an example of a shortcut that runs jperf on JRE 5.
Notice the "Start in" entry is the file location of the software I'm running.
The Target location will usually be like
code:
%ProgramFiles(x86)%\Java\jre5\bin\javaw.exe -jar -Xms1024m -Xmx1024m jperf.jar
Though in this case it has to load libraries, so it's actually
code:
%ProgramFiles(x86)%\Java\jre5\bin\javaw.exe
-classpath jperf.jar;lib\forms-1.1.0.jar;lib\jcommon-1.0.10.jar;lib\jfreechart-1.0.6.jar;lib\swingx-0.9.6.jar
net.nlanr.jperf.JPerf
Easiest way to do this is to go to %ProgramFiles(x86)%\Java\jre[version]\bin\, find javaw, right click and Send to Desktop (create shortcut) then edit it to what you need

Dice Dice Baby fucked around with this message at 05:22 on May 22, 2013
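As an added example, not from the post above: a PowerShell script that builds the same kind of shortcut the post describes, but checks that the legacy runtime and every jar on the classpath actually exist before writing it, and sets "Start in" so the relative classpath resolves. The application folder C:\Tools\jperf is an assumption; the JRE 5 location, jar list and main class are the ones given in the post.

```powershell
# Added example (not code from the post): pin one legacy application to an old
# JRE via a shortcut while the current JRE stays the default for everything else.
# Assumed paths: the app lives in C:\Tools\jperf; the legacy runtime is the
# %ProgramFiles(x86)%\Java\jre5 folder named in the post.
$pf32 = ${env:ProgramFiles(x86)}
if (-not $pf32) { $pf32 = $env:ProgramFiles }   # 32-bit Windows has no (x86) folder
$LegacyJava = Join-Path $pf32 'Java\jre5\bin\javaw.exe'
$AppDir     = 'C:\Tools\jperf'
$MainClass  = 'net.nlanr.jperf.JPerf'
$Jars       = @('jperf.jar', 'lib\forms-1.1.0.jar', 'lib\jcommon-1.0.10.jar',
                'lib\jfreechart-1.0.6.jar', 'lib\swingx-0.9.6.jar')

# Refuse to write a shortcut whose target is missing: a dangling javaw path is
# the usual reason the app silently ends up on whichever Java is first on PATH.
if (-not (Test-Path -LiteralPath $LegacyJava)) {
    throw "Legacy runtime not found: $LegacyJava"
}
foreach ($jar in $Jars) {
    if (-not (Test-Path -LiteralPath (Join-Path $AppDir $jar))) {
        throw "Missing jar: $jar (relative to $AppDir)"
    }
}

$lnkPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'jperf (JRE 5).lnk'
$shell   = New-Object -ComObject WScript.Shell
$lnk     = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $LegacyJava
# The classpath entries are relative, so "Start in" (WorkingDirectory) must be the app folder.
$lnk.Arguments        = "-classpath `"$($Jars -join ';')`" $MainClass"
$lnk.WorkingDirectory = $AppDir
$lnk.IconLocation     = "$LegacyJava,0"
$lnk.Description      = 'jperf pinned to JRE 5; newer Java remains the default elsewhere'
$lnk.Save()

Write-Host "Shortcut written: $lnkPath"
# Sanity check: everything else should still resolve javaw to the newest JRE.
$default = Get-Command javaw.exe -ErrorAction SilentlyContinue
if ($default) { Write-Host "Default javaw on PATH: $($default.Path)" }
else          { Write-Host 'No javaw.exe on PATH (no current JRE installed?)' }
```

The old runtime stays on disk only for this shortcut; disabling it in the Java Control Panel, as the post says, is still needed so the browser plugin cannot pick it up.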

Zogo
Jul 29, 2003

Walter_Sobchak posted:

I've had someone get hit by 2 variants of the "FBI found kiddie porn!" virus in one week. As it's the same person, I'm inclined to think that there was something I didn't get the first go round that let the PC get reinfected. Besides MBAM and ComboFix, what else am I forgetting to do here?

If you want to be more thorough run rkill and TDSSKiller before MBAM and ComboFix. Windows Defender Offline is a good idea too http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline

fart simpson
Jul 2, 2005

DEATH TO AMERICA
:xickos:

If you go to my company's IT department asking for help getting our expense report software running, they will actually uninstall any versions of java newer than Java 6 Update 21 from your computer.

Dice Dice Baby
Aug 30, 2004
I like "faggots"

MeramJert posted:

If you go to my company's IT department asking for help getting our expense report software running, they will actually uninstall any versions of java newer than Java 6 Update 21 from your computer.

Now that's just lazy and retarded :(

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
There's a lot of places like that :( One of them that I worked for actually had Java 6 Update 22 in their image and it was the *only* thing they distributed (This was as of like 6-7 months ago too). Apparently it was needed for some legacy web applications and it was far more cost effective to run the risk of utilizing that horribly buggy and vulnerability ridden mess rather than updating their applications.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.
I wanted to mention that W32.Changeup is indeed a bitch to get rid of, but as far as worms go it's not hugely destructive. The main factors that cause it to be a pain are its network replication abilities, pseudo-"polymorphism" (differing MD5s downloaded from C&C servers) and the other malware it can download (Zeus/Zbot, etc.) I've been dealing with major corporate clients infected with the worm since December of last year, although the worm itself has been in the wild since roughly 2009.

Symantec has a very good writeup here:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2

and here:

http://www.symantec.com/connect/blog-tags/w32changeup

In almost every instance, the customers' AV implementation was able to remove the infection, but it took anywhere from two-three days to a week to get the network entirely clean due to endpoints coming online without updated virus definitions and the like. It also involved sample submission to the major AV vendors for expedited definition sets.

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Dice Dice Baby posted:

Now that's just lazy and retarded :(

Nope, that's just how huge enterprise works.

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
I've come across a website (non e-commerce site for a shop) that appears to be serving malware (it was blocked by the firewalls at work, and I didn't note the malware name). There's some rather suspicious obfuscated javascript that inserts iframes from a second website (which serves up a clone of a respectable website).

I've sent an email to the proprietor of the hijacked website, and used google's report malware page to flag up the dodgy looking url. Is there anywhere else it's worth reporting to?

mindphlux
Jan 8, 2004

by R. Guyovich

Pablo Bluth posted:

I've come across a website (non e-commerce site for a shop) that appears to be serving malware (it was blocked by the firewalls at work, and I didn't note the malware name). There's some rather suspicious obfuscated javascript that inserts iframes from a second website (which serves up a clone of a respectable website).

I've sent an email to the proprietor of the hijacked website, and used google's report malware page to flag up the dodgy looking url. Is there anywhere else it's worth reporting to?

you have done your job, good citizen

Avalanche
Feb 2, 2007
What are the recommended ad-blockers and spyware removal programs nowadays?

Zogo
Jul 29, 2003

Avalanche posted:

What are the recommended ad-blockers and spyware removal programs nowadays?

To block ads:
https://adblockplus.org/en/firefox
http://mywot.com/

This thread has a lot more information:
http://forums.somethingawful.com/showthread.php?threadid=3448981

Randler
Jan 3, 2013

ACER ET VEHEMENS BONAVIS
Is it okay to ask a general question about how something works in this thread? Didn't seem to fit into any other thread.

A friend and I ("Hey you spend lots of time on a PC, you can fix my stuff, right?" guys for relatives) were talking about handling infections. He liked trying to clean systems, while I preferred reinstallations. Topic comes to MBR infections and we couldn't agree on whether a new installation of a newer Windows (Vista, 7, 8) on a disc without any partitions would automatically clean up any MBR infections as well. My understanding was that Windows would write a clean MBR on install overwriting everything that was in place before. Google does not seem to find a reliable and clear-cut answer to this either.

Khablam
Mar 29, 2012

FDisk doesn't re-write the MBR on installing Windows to an existing partition or re-partitioning under most conditions. If you want to be safe and the drive is blank, there's really no reason why you wouldn't simply use the 'fdisk /mbr' command to write a new one.
If your MBR is compromised and you want to preserve the current installation, then under newer versions of Windows you can boot into the recovery mode and go troubleshoot > advanced > command prompt then use the 'bootrec.exe /fixmbr' command.
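Added example, not from the thread: before deciding whether the MBR needs rewriting, it helps to look at what is actually in it. This PowerShell script reads the first sector of the first physical disk, checks the 0x55AA boot signature, hashes the bootstrap code area and decodes the partition table. The comparison baseline is an assumption you supply yourself (a SHA-256 of the same 440 bytes taken from a clean install of the same Windows version); nothing is built in. It must run elevated.

```powershell
# Added example (not from the thread): dump and decode the MBR so a
# "is this the boot code Windows wrote?" question can be answered by hash
# comparison against a known-clean baseline you captured elsewhere.
function Get-MbrReport {
    param([string]$Device = '\\.\PhysicalDrive0')

    $fs = New-Object System.IO.FileStream -ArgumentList $Device,
            ([System.IO.FileMode]::Open), ([System.IO.FileAccess]::Read),
            ([System.IO.FileShare]::ReadWrite)
    try {
        # Read 4096 bytes so the request is sector-aligned on 4Kn disks too;
        # the MBR is the first 512 of them.
        $buf = New-Object byte[] 4096
        $n = $fs.Read($buf, 0, $buf.Length)
        if ($n -lt 512) { throw "Short read ($n bytes) from $Device" }
    } finally { $fs.Close() }
    $sector = [byte[]]$buf[0..511]

    # Layout: 0-439 bootstrap code, 440-443 disk signature, 446-509 four
    # 16-byte partition entries, 510-511 boot signature 0x55 0xAA.
    $sigOk = ($sector[510] -eq 0x55) -and ($sector[511] -eq 0xAA)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $hash  = ($sha.ComputeHash($sector, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''

    $parts = @(0..3 | ForEach-Object {
        $o = 446 + 16 * $_
        New-Object PSObject -Property @{
            Index    = $_
            Bootable = ($sector[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $sector[$o + 4])   # 0xEE = GPT protective entry
            StartLBA = [BitConverter]::ToUInt32($sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($sector, $o + 12)
        }
    })

    New-Object PSObject -Property @{
        Device         = $Device
        SignatureOk    = $sigOk
        DiskSignature  = ('0x{0:X8}' -f [BitConverter]::ToUInt32($sector, 440))
        BootCodeSha256 = $hash
        Partitions     = @($parts | Where-Object { $_.Type -ne '0x00' })
    }
}

$report = Get-MbrReport
$report | Format-List Device, SignatureOk, DiskSignature, BootCodeSha256
$report.Partitions | Format-Table Index, Bootable, Type, StartLBA, Sectors -AutoSize

# A bootstrap hash that differs from your clean baseline (same Windows version,
# same boot manager) is what bootrec /fixmbr addresses. Check the partition
# table as well: a modified entry or an unexplained gap before StartLBA of the
# first partition is where bootkits tend to keep the original sector.
```

If the first entry's Type is 0xEE the disk is GPT and the real partition table lives beyond this sector, but the bootstrap-code hash is still meaningful on BIOS-booted systems.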

Bokito
Jul 25, 2007
Going Ape
Microsoft has released version 4 of the Enhanced Mitigation Experience Toolkit (EMET)

http://blogs.technet.com/b/security/archive/2013/06/17/now-available-enhanced-mitigation-experience-toolkit-emet-version-4-0.aspx

quote:

EMET is a free mitigation tool designed to help IT Professionals and developers prevent vulnerabilities in software from being successfully exploited. The tool works by protecting applications via the latest security mitigation technologies built into Windows, even in cases where the developer of the application didn’t opt to do this themselves. By doing so, it enables a wide variety of software to be made significantly more resistant to exploitation – even against zero day vulnerabilities and vulnerabilities for which an update has not yet been applied.

Fortuitous Bumble
Jan 5, 2007

Does turning on DEP in Windows 7 actually make things more secure? I remember seeing an article about it a while back and switched the option to on for everything but sometimes it causes old programs to crash with no explanation until I add an exception and I wanted to make sure it actually works properly in Windows to begin with.

Armourking
Dec 16, 2004

Step off!
Step off!


It's an added layer of security for free. I've had it on for everything for a few years, and only two programs have poo poo the bed - CMud and an old version of Unity. You'll know if they'll crash with DEP because they'll do it straight off the bat.

tjl
Aug 6, 2005

Fortuitous Bumble posted:

Does turning on DEP in Windows 7 actually make things more secure? I remember seeing an article about it a while back and switched the option to on for everything but sometimes it causes old programs to crash with no explanation until I add an exception and I wanted to make sure it actually works properly in Windows to begin with.
Yes it is something that should always be enabled when possible. Exploiting buffer overflows due to errors in programming is still a top threat in the wild; DEP provides a semi-effective countermeasure to these types of attacks. Even more so if you have Windows Vista (or newer) due to another built in memory countermeasure: ASLR.

tjl fucked around with this message at 01:07 on Jul 11, 2013
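Added example, not from the thread: a PowerShell audit of the DEP configuration being discussed above. It reads the system-wide policy from Win32_OperatingSystem (the 0-3 codes are Microsoft's documented values) and lists the per-program exceptions that the System Properties DEP dialog stores under AppCompatFlags\Layers, which is where "add an exception" puts a crashing program. It reports whatever the machine has; no sample data is assumed.

```powershell
# Added example (not from the thread): show the effective DEP policy and every
# program that has been exempted from it, so "DEP on for everything" can be
# checked rather than assumed.
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled)'
    1 = 'AlwaysOn (no exceptions honoured)'
    2 = 'OptIn (Windows programs and services only; the client default)'
    3 = 'OptOut (everything except listed exceptions)'
}

function Get-DepPolicy {
    $os   = Get-WmiObject -Class Win32_OperatingSystem
    $code = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        PolicyCode  = $code
        Policy      = $policyNames[$code]
        HardwareDEP = [bool]$os.DataExecutionPrevention_Available          # CPU NX/XD support present
        Apps32bit   = [bool]$os.DataExecutionPrevention_32BitApplications  # DEP applied to 32-bit apps
    }
}

# Exceptions added through System Properties > Performance > DEP are stored as
# "<full path to exe>" = "DisableNXShowUI" (possibly alongside other compat layers).
function Get-DepExceptions {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $layers = [string]$item.GetValue($name)
            if ($layers -match 'DisableNX') {
                New-Object PSObject -Property @{
                    Hive    = $key.Split(':')[0]
                    Program = $name
                    Layers  = $layers
                    # A stale entry for a program that is gone is harmless, but an
                    # entry for a path a user can write to is an invitation.
                    Exists  = Test-Path -LiteralPath $name
                }
            }
        }
    }
}

Get-DepPolicy | Format-List PolicyCode, Policy, HardwareDEP, Apps32bit
$ex = @(Get-DepExceptions)
if ($ex.Count -eq 0) { Write-Host 'No per-program DEP exceptions found.' }
else { $ex | Format-Table Hive, Program, Exists, Layers -AutoSize }

# Switching the whole system from OptIn to OptOut (elevated; effective after reboot):
#   bcdedit /set {current} nx OptOut
```

Exceptions only matter under OptOut (code 3); under AlwaysOn they are ignored, and under OptIn most third-party programs are not covered in the first place.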

el_caballo
Feb 26, 2001
I got hit with the iehighutil bit coin miner :rolleyes: virus. Even though I don't have java installed (although I did run Chrome in the wilderness without a No Script extension and I had Python installed (??)) and had a really great false sense of security from DEP/Win7-64/MSE/myself. I'm wondering how hard I should nuke my Windows install. Is the old format and reinstall still the only way to go or are these rootkit tools good enough?

Before I deleted it, I ran Malwarebytes on it and it only detected one of the exes. (MSE didn't see poo poo.) Then I deleted the c:\temporary dir it was in and removed the reference to iehighutil from the registry/msconfig.

I read about the miner virus frequently getting placed through ZeroAccess so I ran TDSS Killer in default mode (clean), then Malwarebytes Anti-Rootkit (clean), then ComboFix.

ComboFix found some weird java Standard Widget Toolkit DLLs in the App Data\Temp folder: .cpswt\swt-gdip-win32-4234.dll and swt-win32-4234.dll, a Frapsvid.dll in SysWow64 (legit I'd think) and finally a c:\windows\TEMP\jna6351097746654618341.dll that I think is a legit part of my CrashPlan backup service (same timestamp as a bunch of other java-type files created at the same time as my backup started).

Anyways, I had ComboFix delete all of them. Then I ran TDSS Killer again with all the boxes checked and it was clean again. I ran RogueKiller 64 and it found a few registry entries that I can't judge:

[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


Just for fun, I ran Adwcleaner and it found some registry refs to what just seemed like Ask.com garbage ("APN PIP") that Foxit PDF Reader installed despite me checking no to that toolbar poo poo.

I even ran Universal Virus Sniffer but immediately closed it because it seemed to be above my paygrade. It did only seem to find "suspicious" entries though and I assume that it's maybe a little paranoid?

So does this seem like a ZeroAccess/rootkit thing or just a simple virus? Or does the lack of detection mean it's a newer ZeroAccess variant or some other rootkit?

el_caballo fucked around with this message at 19:58 on Jul 15, 2013

FCKGW
May 21, 2006

Here's a cool new one, specifically targeting Safari on Mac. Takes advantage of a neat feature of Safari to use a bit of social engineering to get someone to download their "system cleaner"

http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/

quote:

FBI Ransomware Now Targeting Apple’s Mac OS X Users

Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.

...

Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.”

A quick look at the address bar shows an interesting URL: fbi.gov.id657546456-3999456674.k8381 . com, the bad guys are clearly trying to fool users.

If you choose to ignore the message (which you should), you cannot get rid of the page:

Repeated attempts to close the page will only lead to frustration as even the “Leave Page” browser trick does not work:

If you “force quit” the application, the same ransomware page will come back the next time you restart Safari because of the “restore from crash” feature which loads back the last URL visited before the browser was quit unexpectedly. Talk about a vicious circle.

This is how it is done, by using some JavaScript code:

The “infinite loop” (which really isn’t) is made possible by 150 iframes created dynamically by this JavaScript snippet:

...

The bad guys know how to use social engineering to entice victims as, for example, I was led to this locked page by doing a search for Taylor Swift on Bing images. The victim will feel they may have actually been doing something wrong and got caught and, ashamed, will pay the “fine.”


tl;dr: Make 150 iframes on a page pop up a prompt, user ain't got time for that so they force quit the app. Safari will reload all the old pages, including iframes if you force quit the app. Either click 150 times or pay $300 if you can't figure out how to ctrl-click to reopen the app next time.

Tapedump
Aug 31, 2007
College Slice
Little bit of thread necromancy, but this was unusual...

I came across a system infected with Sirefef / ZeroAccess that had created a directory in %temp% whose path was:

%temp%\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{‬

I'd never seen quite that odd of a naming convention. Random alphanumeric crap, yeah, but never gibberish.
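Added example, not from the post above: a PowerShell hunt for the naming trick in that path. Besides the visible symbols, the quoted name appears to contain U+202E (RIGHT-TO-LEFT OVERRIDE) and U+202C (POP DIRECTIONAL FORMATTING), which make Explorer and the console display the name differently from how it is stored. The code points flagged are the Unicode bidirectional controls; the 50% symbol threshold and the set of folders scanned are my own choices, not anything published.

```powershell
# Added example (not from the post): find files and folders whose names use
# Unicode bidi-control characters or are mostly non-ASCII symbols, and print
# each hit with its code points escaped so the override cannot hide in output.
$bidiControls = @(0x200E, 0x200F,                       # LRM, RLM
                  0x202A, 0x202B, 0x202C, 0x202D, 0x202E, # LRE, RLE, PDF, LRO, RLO
                  0x2066, 0x2067, 0x2068, 0x2069)         # LRI, RLI, FSI, PDI

function Test-SuspiciousName {
    param([string]$Name, [double]$SymbolRatio = 0.5)
    $reasons = @()
    $odd = 0
    foreach ($c in $Name.ToCharArray()) {
        $cp = [int]$c
        if ($bidiControls -contains $cp) { $reasons += ('bidi control U+{0:X4}' -f $cp) }
        # Non-ASCII characters that are not letters or digits (hearts, skulls, math operators...)
        if ($cp -ge 0x80 -and -not [char]::IsLetterOrDigit($c)) { $odd++ }
    }
    if ($Name.Length -gt 0 -and ($odd / $Name.Length) -ge $SymbolRatio) {
        $reasons += ('{0} of {1} chars are non-ASCII symbols' -f $odd, $Name.Length)
    }
    return $reasons
}

function Find-SuspiciousPaths {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $why  = @(Test-SuspiciousName -Name $item.Name)
            if ($why.Count -gt 0) {
                New-Object PSObject -Property @{
                    Path    = $item.FullName
                    Escaped = ($item.Name.ToCharArray() | ForEach-Object { '\u{0:X4}' -f [int]$_ }) -join ''
                    Reason  = ($why -join '; ')
                    Created = $item.CreationTime
                }
            }
        }
}

# Where this family tends to live: the user's AppData\Local (which contains
# %TEMP%) and the shared Windows temp. Add other roots as needed.
@($env:LOCALAPPDATA, (Join-Path $env:windir 'Temp')) |
    ForEach-Object { Find-SuspiciousPaths -Root $_ } |
    Format-List Path, Escaped, Reason, Created
```

Treat hits as leads to look at, not proof of infection: some legitimate localized software uses non-Latin names, which is why the escaped form and creation time are printed alongside.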

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

I have no idea if this will ever happen since it sounds like a lot of bullshit and rainbows, but apparently the era of antivirus is over:
http://techcrunch.com/2013/09/09/shine-security-is-reinventing-the-antivirus-company-for-the-age-of-zero-day-attacks/

Some choice quotes from the CEO:

quote:

PG: It looks like you’re capturing signatures? Are you finding new attacks on the fly? Do you have false positives?
A: Protection is not based on signatures, it’s based on machine learning and AI. Our protection rate is 96% and traditional antivirus is 50%.

MP: Running an AI engine on the phone burns the CPU, which burns battery life. How much battery life hit are you taking?
A: We’ve changed the laws of physics. (MP incredulous). You can download it and see. We take less than 1 percent battery life…We determine what’s bad or good back in the lab, just the brain is installed on device. It just runs when we have to inspect something

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
I have a bridge to sell you.

AV in the long-term is dead, but that's some pretty tripe stuff there.

Orcs and Ostriches
Aug 26, 2010


The Great Twist

Tapedump posted:

Little bit of thread necromancy, but this was unusual...

I came across a system infected with Sirefef / ZeroAccess that had created a directory in %temp% whose path was:

%temp%\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{‬

I'd never seen quite that odd of a naming convention. Random alphanumeric crap, yeah, but never gibberish.

I especially like the skull and crossbones in there. More viruses need to use that.

Khablam
Mar 29, 2012

Scaramouche posted:

I have no idea if this will ever happen since it sounds like a lot of bullshit and rainbows, but apparently the era of antivirus is over:
http://techcrunch.com/2013/09/09/shine-security-is-reinventing-the-antivirus-company-for-the-age-of-zero-day-attacks/

Some choice quotes from the CEO:

It's going to do a just grand job of "self healing" after it lets the machine get a rootkit installed, since it needs to let it install to tell what it is.
It needs to let code do its thing to know what it does ... and why is letting it do it to the machine better than doing it in a sandbox again? Not to mention its USP (self healing) is a paid feature of a freemium model, which is pretty much akin to the whole thing being hostageware you pay for.

Also traditional A/V detection rates are up to 99%, and 25% of appstore purchases don't contain malware, you lying sack of poo poo.

In the Q&A he states the CPU use is so low because it doesn't get analysed on the device but in the cloud, and later states security isn't a concern because it's all done on the device. THEN says they do all the analysis "back in the lab", and THEN says nothing gets transmitted to them. Which is it?

Then of course the kicker - techcrunch is on the payroll of the company they're writing a glowing review of :v:

:cripes:

Khablam fucked around with this message at 19:59 on Sep 12, 2013

tjl
Aug 6, 2005
Interesting antivirus idea. I could see this detection AI working quite well on a honeypot system, which can then be used to generate real-time signatures on the network. I would not trust "self repair" of any sort on a production system based on what this guy said though; that sounds like utter bullshit until proven otherwise. How can their magic AV be immune to system changes itself? To me it would only be a matter of time before the bad guys figure that little trick out.

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
"We'll protect you from rootkits! Install our rootkit and it will kick all the bad ones out!"

Diva Cupcake
Aug 15, 2005

Khablam posted:

Also traditional A/V detection rates are up to 99%, and 25% of appstore purchases don't contain malware, you lying sack of poo poo.
99% of known infections maybe. AV used in conjunction with EMET, you're probably doing pretty well.

This product is still horseshit though.

Khablam
Mar 29, 2012

Ozu posted:

99% of known infections maybe. AV used in conjunction with EMET, you're probably doing pretty well.

This product is still horseshit though.

Yeah, true, though heuristics on new samples is still like 90%+ and doesn't work on fairy magic.

reading
Jul 27, 2013
Avira Free Antivirus sure is on my poo poo list since their last major update, that caused it to give those annoying pop-up ads. $34.99 for some online tech support for my free antivirus? Sounds great! Glad that popped up twice today!

Time to move on. It was a good few years, Avira. :sigh:

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.
Anyone encountered Cryptolocker yet? Apparently they make good on their threat to encrypt your files. Have one on my bench that I didn't take seriously and now it looks like I might be forced to pay the ransom.

Info:
http://community.spiceworks.com/topic/381787-crypto-locker-making-the-rounds-beware
http://www.geek.com/apps/disk-encryptiing-cryptolocker-malware-demands-300-to-decrypt-your-files-1570402/

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

abominable fricke posted:

Anyone encountered Cryptolocker yet? Apparently they make good on their threat to encrypt your files. Have one on my bench that I didn't take seriously and now it looks like I might be forced to pay the ransom.

Info:
http://community.spiceworks.com/topic/381787-crypto-locker-making-the-rounds-beware
http://www.geek.com/apps/disk-encryptiing-cryptolocker-malware-demands-300-to-decrypt-your-files-1570402/

We've discussed it a little in the 'A ticket came in...' thread and I've been following it extensively. It's going to be a real issue. So far payments made have resulted in the files being decrypted. Once time is up the program removes itself and most importantly removes the registry entries containing the public key and list of encrypted files.

Long story short, if you don't have backups/system restore, pay the ransom. I don't think anyone is holding out much hope on the encryption being broken.

Welcome to the future, guys.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

go3 posted:

We've discussed it a little in the 'A ticket came in...' thread and I've been following it extensively. It's going to be a real issue. So far payments made have resulted in the files being decrypted. Once time is up the program removes itself and most importantly removes the registry entries containing the public key and list of encrypted files.

Long story short, if you don't have backups/system restore, pay the ransom. I don't think anyone is holding out much hope on the encryption being broken.

Welcome to the future, guys.

I've read a little bit about it, and I guess my understanding is unclear. Does the software encrypt the data when it is installed? Or, does it encrypt when the timer reaches 0? Another thing that I am wondering about, does it run from a system context or a user context? I ask because I have a machine that sat on my bench (off), while the timer was still running and I booted it after the timer expired (but didn't log in). So I am wondering if I set the clock on the computer to a time shortly after the machine was brought in, can the ransom be paid and the machine restored to back up the data and then flatten it?

THF13
Sep 26, 2007

Keep an adversary in the dark about what you're capable of, and he has to assume the worst.

abominable fricke posted:

I've read a little bit about it, and I guess my understanding is unclear. Does the software encrypt the data when it is installed? Or, does it encrypt when the timer reaches 0? Another thing that I am wondering about, does it run from a system context or a user context? I ask because I have a machine that sat on my bench (off), while the timer was still running and I booted it after the timer expired (but didn't log in). So I am wondering if I set the clock on the computer to a time shortly after the machine was brought in, can the ransom be paid and the machine restored to back up the data and then flatten it?

I haven't run into it personally, but I believe the software starts encrypting everything as soon as it gets on the machine, and only pops up the ransomware notice once it's done.

I don't know about the second part of your question, but I wouldn't count on it working.

Khablam
Mar 29, 2012

I was going to suggest using undelete tools to restore as much of the non-encrypted content as possible, but this software goes ahead and securely overwrites what it encrypts. It's actually better at locking down your files than most off-the-shelf encryption software.

I'm morbidly impressed and will likely deliberately infect a virtual machine tonight to see it go :v:

stevewm
May 10, 2005

abominable fricke posted:

I've read a little bit about it, and I guess my understanding is unclear. Does the software encrypt the data when it is installed? Or, does it encrypt when the timer reaches 0? Another thing that I am wondering about, does it run from a system context or a user context?......

It starts silently encrypting the second it gets installed. It does not pop up the ransom notice until after it has finished encrypting. And it runs from the user context out of that user's AppData directory.

Putting a software restriction policy in place that prevents app execution in the AppData directory does stop it currently. Such a policy actually stops several forms of spyware from working. It also blocks some legitimate software such as Google Chrome and Dropbox, but those can be fixed by not installing them to the AppData directory.

My company is lucky so far.. We use Google Apps and so far their spam/virus filter seems to be catching it.
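Added example, not from the post above: the AppData software restriction policy stevewm describes, written as the registry entries secpol.msc produces so it can be scripted or pushed by other means. It uses the %AppData%\*.exe and %AppData%\*\*.exe patterns rather than whole-folder rules, because the designated file types include LNK and a folder rule on %AppData% would block every Start Menu shortcut stored there. The whitelisted Chrome path is an assumption used to show how a per-user installer is exempted; the file-type list is the default one Windows 7 writes. Run elevated and try it on one machine first.

```powershell
# Added example (not from the post): local SRP that disallows executables under
# the user's roaming and local AppData trees, with one exact-path exception.
# Level values: 0 = Disallowed, 0x40000 (262144) = Unrestricted.
$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 0x40000

function New-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    $key = Join-Path $safer ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $key -Force | Out-Null
    # ItemData must be REG_EXPAND_SZ so %AppData% resolves per user at check time.
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0     -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $key
}

# Policy-wide settings: default level, enforcement scope and designated file types.
New-Item -Path $safer -Force | Out-Null
New-ItemProperty -Path $safer -Name DefaultLevel        -PropertyType DWord -Value $Unrestricted -Force | Out-Null
New-ItemProperty -Path $safer -Name TransparentEnabled  -PropertyType DWord -Value 1 -Force | Out-Null  # 1 = executables, 2 = DLLs too
New-ItemProperty -Path $safer -Name PolicyScope         -PropertyType DWord -Value 0 -Force | Out-Null  # 0 = applies to admins as well
New-ItemProperty -Path $safer -Name AuthenticodeEnabled -PropertyType DWord -Value 0 -Force | Out-Null
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
         'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
New-ItemProperty -Path $safer -Name ExecutableTypes -PropertyType MultiString -Value $types -Force | Out-Null

$rules = @(
    New-SrpPathRule -Level $Disallowed -Path '%AppData%\*.exe'        -Description 'Block exe directly in roaming AppData'
    New-SrpPathRule -Level $Disallowed -Path '%AppData%\*\*.exe'      -Description 'Block exe in roaming AppData subfolders'
    New-SrpPathRule -Level $Disallowed -Path '%LocalAppData%\*.exe'   -Description 'Block exe directly in local AppData'
    New-SrpPathRule -Level $Disallowed -Path '%LocalAppData%\*\*.exe' -Description 'Block exe in local AppData subfolders (incl. Temp)'
    # Assumed per-user Chrome install; an exact file path is more specific than the
    # wildcard rules above, so it wins and Chrome keeps running.
    New-SrpPathRule -Level $Unrestricted -Path '%LocalAppData%\Google\Chrome\Application\chrome.exe' `
        -Description 'Allow Chrome per-user install'
)
$rules

# New processes are checked against the policy once it is refreshed; a log-off
# or gpupdate is the simplest way. Then copy any harmless exe into %TEMP% and
# run it: it should be refused with "This program is blocked by group policy".
gpupdate /force
```

On a domain member, put the same rules in a GPO instead of the local keys, because a policy refresh from the domain overwrites what was written here; and remember that this only covers the designated file types, so add SCR, PIF and COM patterns if the ransomware you are seeing arrives as something other than .exe.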
