Three-Phase
Aug 5, 2006

A long time ago I remember hearing Steve Gibson say he will only browse the world wide web in a virtual machine inside his computer. I am starting to think that's not a bad idea, and I also heard suggestions of only doing online banking via something like a Live CD on your computer.

As far as Java goes, I do have a few apps on my computer that rely on Java (unfortunately, like Art of Illusion), so I need it, but I've disabled it in my browsers.


Khablam
Mar 29, 2012

It's a bit paranoid; any proper sandboxing does the same effective thing without being an enormous piece of poo poo to work with. As soon as you try to make working with a VM more convenient, you bridge any supposed 'gap' in a much more real and exploitable way than sandboxed processes.

The LiveCD thing is all about having a "known clean" system to use, but outside of some very narrow scenarios you can be sure to within reasonable doubt in ways that are wholly more convenient.

bull3964
Nov 18, 2000

Ceros_X posted:

Someone posted instructions (earlier this thread, I think) on how to make multiple installs of Java and set up the shortcut for legacy app so that it calls on only that version. I had a screen shot but it is gone now :/

Edit - found it: http://forums.somethingawful.com/showthread.php?threadid=3031934&pagenumber=80&perpage=40#post415690600

Does this help you?

I've done something similar in the past with some stuff, but other stuff needs to launch from the browser and gets a bit finicky. It's easy to target different versions of Java if you have a self-contained applet (like, for example, the Cisco ASDM). Things get a little wiggy when you have an interface that's primarily HTML, but then launches applets for sub-portions of the interface. Netscaler VPX is an example of this. Most of the nav is HTML, but if you want to drill down into the settings of any item, it launches an applet. In the latter example, the last time I updated Java, all browsers gave a "java not installed" error when I tried to get into any of the Java portions of the interface, despite the fact that it was in the middle of launching Java when it gave the error.

I do most of the stuff from the command line anyways so it's not a huge deal. It's just sometimes you don't feel like looking up the syntax for a particular command when you could just log in and do it in two clicks.

bull3964 fucked around with this message at 04:45 on Jan 7, 2014

omeg
Sep 3, 2012

Khablam posted:

It's a bit paranoid, any proper sandboxing does the same effective thing without being an enormous piece of poo poo to work with. As soon as you try to make working with a VM more convenient, you bridge any supposed 'gap' in a much more real and exploitable way than sandboxed processes.

There are no application sandboxes that provide true process isolation, at least on Windows x64.

Khablam
Mar 29, 2012

omeg posted:

There are no application sandboxes that provide true process isolation, at least on Windows x64.
Sure, but the attack surface is smaller and all the less common than "my guest and host are networked together because actually using files I downloaded is tedious as all holy gently caress otherwise".
In theory you can be much safer, sure, but in practice people get lazy, and you're more likely to find common-garden malware that exploits network shares than an attack against a specific sandbox technique.

omeg
Sep 3, 2012

I wonder when we'll see first malware that exploits protected processes on Windows 8 to protect itself.

Tapedump
Aug 31, 2007
What are your guys' thoughts on CryptoPrevent (by the Author of d7)?

http://www.foolishit.com/vb6-projects/cryptoprevent/

jre
Sep 2, 2011

To the cloud ?

Just had a machine owned by the Zeus trojan. :argh: Worryingly both trend WFBS and the Kaspersky rescue boot disc I normally use failed to fully detect all the components it installed. What do people use for ensuring machines are clean? We're going to nuke the affected machine but I wanted to scan other machines on the same lan segment to make sure it's not managed to spread.

Ideally something that runs off a boot disc.

Khablam
Mar 29, 2012

Tapedump posted:

What are your guys' thoughts on CryptoPrevent (by the Author of d7)?

http://www.foolishit.com/vb6-projects/cryptoprevent/

Seems like an over-engineered way of blocking executables from the appdata folders, which will work fine until
- A genuine program needs to execute from there (Google Chrome, ironically some malware/AV update programs)
- The virus author wises up and goes for system32 or something.
Cryptolocker doesn't do anything 'clever'; any antivirus with up-to-date definitions should block it effortlessly. There's probably little harm in these fixes, though.

jre posted:

Just had a machine owned by the Zeus trojan. :argh: Worryingly both trend WFBS and the Kaspersky rescue boot disc I normally use failed to fully detect all the components it installed. What do people use for ensuring machines are clean? We're going to nuke the affected machine but I wanted to scan other machines on the same lan segment to make sure it's not managed to spread.

Ideally something that runs off a boot disc.
If you have two pre-boot scans showing as clean, by AV companies that test at 95% detection or more, then you have something like a 0.25% chance of them both having missed the thing. You're likely just seeing non-active residual things left behind.

If you want to verify a machine is clean (and have some doubt) then, like above, a full scan repeated with a different AV engine can give you a very high confidence it's fine.

Tapedump
Aug 31, 2007
Thank you for your reply, Khablam. I appreciate the insight.

Three-Phase
Aug 5, 2006


omeg posted:

There are no application sandboxes that provide true process isolation, at least on Windows x64.

What would you recommend as far as browsers/utilities go to at least make it harder to target?


One other question (I hope this is OK to ask here since this is a discussion of viruses) - I've been hearing about Neverquest, and my understanding is that it utilizes VNC (virtual network computing) to hijack computers and even perform banking transactions as the target computer. So to a bank, the user's normal computer connects and asks to transfer funds, not some oddball computer at a different IP address. That would make it difficult to prove what is going on.

One of the things I noticed is that Neverquest utilizes VNC ports 5800-5900 to allow the malicious computer to hijack the target computer.

Would blocking those ports (preferably at a router, not in Windows itself) effectively stop Neverquest from operating correctly? I occasionally use Remote Assistance, and I'm not sure if Microsoft uses VNC ports to do that or not.

Factory Factory
Mar 19, 2010

RDP/Remote Assistance/Terminal Services all rely on port 3389. You can safely block all of the VNC ports at the router to stop all remote VNC access without any effect on Remote Assistance. Even if RA were blocked, you can still initiate the connection yourself by sending a request using Windows Messenger.

Sane routers will already have a basic no-replies firewall setup and Network Address Translation setup, which is sufficient to block remote RDP, remote VNC, etc. on any locally-attached computer without further configuration. However, this only applies to incoming requests. If the malware affirmatively reaches out to create a connection, rather than just waiting for an incoming connection, there might still be a connection made.

In this case, you have to hope to get lucky: if you set your firewall to block VNC affirmatively for all IP addresses, then the malware attempt will fail to complete a connection, but only if it tries to use the default VNC ports. If the malware is smart enough to try an alternate set of ports, then you're boned unless you block literally all traffic into or out of your network at the router level. And if you do that, may as well pull the plug and cancel your internet service.

Your first and best line of defense is going to be avoiding the malware infection in the first place. This means good browsing habits and up-to-date security software.
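As an added illustration of the inbound-versus-outbound point made above (example code, not from the poster): a small Python check over constructed router-style connection log lines that flags VNC traffic on the thread's 5800-5900 range, rating a LAN host dialling out to an Internet VNC endpoint as the serious case, while leaving RDP on 3389 and LAN-to-LAN VNC alone. The log format is an assumption; port-based logic like this only sees malware that sticks to the default ports.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports named in the thread: VNC's default range and the RDP/Remote Assistance port.
VNC_PORTS = range(5800, 5901)
RDP_PORT = 3389

# RFC 1918 ranges spelled out explicitly: ipaddress.is_private also treats the
# documentation ranges used as stand-in "Internet" hosts below as private.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format (an assumption, loosely modelled on a home router's
# connection log): "<time> <IN|OUT> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>IN|OUT)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    direction: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a VNC-related connection, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dport = int(m["dport"])
    if dport not in VNC_PORTS:
        # RDP on 3389 and ordinary web traffic are deliberately left alone.
        return None
    common = dict(ts=m["ts"], direction=m["dir"], src=m["src"], dst=m["dst"], dport=dport)
    if m["dir"] == "OUT" and not is_lan(m["dst"]):
        # The case the thread worries about: a LAN host reaching out to an
        # Internet VNC endpoint. Default inbound NAT/firewall rules do nothing here.
        return Finding(**common, severity="high",
                       reason="outbound VNC to an Internet host (NAT does not block this)")
    if m["dir"] == "IN":
        # Unsolicited inbound VNC is what the router's default deny already stops.
        return Finding(**common, severity="info",
                       reason="inbound VNC attempt (dropped by default NAT/firewall)")
    return None  # LAN-to-LAN VNC, e.g. an admin's own viewer


def scan(log_text: str) -> List[Finding]:
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample log, not captured traffic. 192.168.1.0/24 is the LAN;
# 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet hosts.
SAMPLE_LOG = """\
2014-01-08T21:03:11 OUT TCP 192.168.1.20:49212 -> 203.0.113.44:5900
2014-01-08T21:03:12 OUT TCP 192.168.1.20:49213 -> 192.168.1.30:5900
2014-01-08T21:04:01 IN  TCP 198.51.100.7:43310 -> 192.168.1.20:5800
2014-01-08T21:05:30 OUT TCP 192.168.1.20:49220 -> 203.0.113.9:3389
2014-01-08T21:06:00 OUT TCP 192.168.1.20:49221 -> 203.0.113.10:443
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.direction} {f.src} -> {f.dst}:{f.dport}: {f.reason}")
```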

Khablam
Mar 29, 2012

There exist several different highly robust ways of stopping those types of attack (IPS). Unfortunately they require incredible amounts of user input to work effectively. There's a catch-22 wherein anything comprehensive enough to give you near-100% network shielding from things making connections out is an incredible pain in the rear end to use. Even very anal people will eventually get into a habit of mashing "accept" on the 50+ notifications they get every day, and tada, one of them wasn't legit.

Not operating on a local-admin is probably the 'sane' way to stop malware doing a whole lot of bad stuff if it gets missed by your AV scanner. A hardware firewall (effectively, any router) is a fully effective shield against all the threats that were in the wild between 2000-2005 or so, that leapt through XP SP1 and did all manner of lovely things. The advice that connecting to the internet without a software firewall is an awful idea is a bit of an anachronism now.

If you're online in coffee shops or large scale networks, then you probably want to have something making the computer treat LAN as WAN; usually Vista/Win7's network options are sufficient. You might want to pop the Windows firewall on (you can set it to only work when connected to 'public' networks).

syscall girl
Nov 7, 2009


Khablam posted:

Not operating on a local-admin is probably the 'sane' way to stop malware doing a whole lot of bad stuff if it gets missed by your AV scanner.

This cannot be emphasized enough. I don't work on other people's computers professionally but I taught both my parents to do this and voila no malware problems. Although my dad went full Apple for some reason so he's pretty much safe with his MBP, mac mini and iPad.

Holidays free from "why is this doing this" are always a plus.

Double Punctuation
Dec 30, 2009

Apparently Oracle has finally decided browsers running any arbitrary code is a bad thing. Starting with the latest version of Java, all applets must be digitally signed by default. That probably makes it about as secure as ActiveX (which isn't saying much, but hey, it's something).

m2pt5
May 18, 2005


dpbjinc posted:

Apparently Oracle has finally decided browsers running any arbitrary code is a bad thing. Starting with the latest version of Java, all applets must be digitally signed by default. That probably makes it about as secure as ActiveX (which isn't saying much, but hey, it's something).

Not like that will matter much because there are loads of computers running on outdated versions of Java, either because they don't know how to update, can't update, or need an old version for some program that won't run on a newer version.

hackbunny
Jul 22, 2007

So they have pretty much given up on making Java secure. Or relevant at all

dpbjinc posted:

That probably makes it about as secure as ActiveX (which isn't saying much, but hey, it's something).

ActiveX controls have more restrictions because they are native code components. Applets are supposed to be sandboxed; they shouldn't have a signature requirement: Flash doesn't, Silverlight doesn't either, and they don't have half of the security holes Java applets have.

Khablam
Mar 29, 2012

Leave the Java plugin disabled. The one day, six weeks later, that you decide you need it, turn it on.
More likely, you'll realise it's a Java applet that saves you 5 clicks on an update page and therefore never need to enable it.

sfwarlock
Aug 11, 2007
I have a Windows 8 laptop on my desk that I swear I must be missing something on. Ads are being injected into pages, downloads are being intercepted and modified in-transit, but Malwarebytes, SuperAntiSpyware, everything I can think of is coming back clean.

what. the. gently caress.

edit: I checked proxies too. Also, ComboFix is now running.

Double Punctuation
Dec 30, 2009


sfwarlock posted:

Ads are being injected into pages, downloads are being intercepted and modified in-transit,

Disable all your extensions/plugins and see if it keeps happening. If so, back up, format, and reinstall.

KuNova
Oct 12, 2005

sfwarlock posted:

I have a Windows 8 laptop on my desk that I swear I must be missing something on. Ads are being injected into pages, downloads are being intercepted and modified in-transit, but Malwarebytes, SuperAntiSpyware, everything I can think of is coming back clean.

what. the. gently caress.

edit: I checked proxies too. Also, ComboFix is now running.

I'd be interested to know how this turns out. May I ask what browser? Considering the amount of problems you're having, I'd consider a root compromise and just wipe it all and update the firmware.

Zamujasa
Oct 27, 2010

sfwarlock posted:

I have a Windows 8 laptop on my desk that I swear I must be missing something on. Ads are being injected into pages, downloads are being intercepted and modified in-transit, but Malwarebytes, SuperAntiSpyware, everything I can think of is coming back clean.

what. the. gently caress.

edit: I checked proxies too. Also, ComboFix is now running.

If it's happening outside of that box check the router, too, just in case it's somehow gotten stuffed with some malware (you never know).

But it honestly sounds like a lost cause. Back it up, nuke it, and reinstall.

Toast Museum
Dec 3, 2005

Based on the computers I've seen lately, a big thing with Windows 8 is garbage software like Scorpion Saver that does nothing but serve ads, but that seems to actually go away if you uninstall it from add/remove programs, which may be why malware scanners seem reluctant to target them.

sfwarlock
Aug 11, 2007

KuNova posted:

I'd be interested to know how this turns out. May I ask what browser? Considering the amount of problems you're having, I'd consider a root compromise and just wipe it all and update the firmware.

dpbjinc posted:

Disable all your extensions/plugins and see if it keeps happening. If so, back up, format, and reinstall.

Chrome, no extensions/anything active, and it all started when user had a webpage tell her she needed to update Java, just click here to download the installer.

Zamujasa posted:

If it's happening outside of that box check the router, too, just in case it's somehow gotten stuffed with some malware (you never know).

But it honestly sounds like a lost cause. Back it up, nuke it, and reinstall.

It's definitely OS-level. I had to boot to a Linux live CD (and I've bitched elsethread about the total shitstorm that is) to download the installers I want, since I don't want to plug a thumb drive in.

I just didn't want to reinstall because I need to dig up install media and drivers and and and. At least I could use Belarc to grab the Win8 key.

sfwarlock
Aug 11, 2007

Toast Museum posted:

Based on the computers I've seen lately, a big thing with Windows 8 is garbage software like Scorpion Saver that does nothing but serve ads, but that seems to actually go away if you uninstall it from add/remove programs, which may be why malware scanners seem reluctant to target them.

It was this right here. Something called "Filterbull" or somesuch.

H1KE
May 7, 2007

sfwarlock posted:

Chrome, no extensions/anything active, and it all started when user had a webpage tell her she needed to update Java, just click here to download the installer.

Possibly this bastard from the bad ads thread in forum Q&A?


It can also show up as a Flash updater, Firefox updater, and I've seen a Safari updater as well. S&D picked it up on the ones I had to remove, ADW did the rest. Now any machine that comes in with a possible infection gets an initial Norton scan via cradle, followed by local install Spybot, SuperAnti, MBAM, ADW and finished with CCleaner, then reset all browsers to default settings. If after all that it's still compromised, we wipe and reinstall. So far I've only had to flatten one machine, and that one was so messed up it took 13 minutes to be usable, MBAM hit 350-something objects detected and NIS reported object after object for 12 minutes nonstop as soon as it was installed.

bucketmouse
Aug 16, 2004

Just posting this because holy poo poo it took 4 hours to get rid of this loving thing:

If anyone runs into a Chrome extension by the name of 'Instant Savings App' that shows up as managed and blocks you from uninstalling it...

1. Kill the process it keeps active and kill the scheduled task to respawn the process
2. Wipe out the registry entries for it in software/policy
3. Delete the chrome extension folder for it
4. Uninstall Chrome entirely since it messes with some of its internals
5. Edit the hosts file so you don't get silently redirected to a compromised Chrome installer when you redownload it.
6. Reinstall Chrome

I had to transplant the drat thing into a virtual machine with a file/registry monitor active to finally figure out how to get rid of it. Submitted it to a bunch of the antivirus sites too, gently caress this stupid thing.
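Step 5 above is worth checking before you redownload anything, so here is an added Python check (example code, not the poster's) that parses hosts-file text and flags hostnames pinned to a non-loopback address, which is how a silent redirect of a download host works. The sample hosts content is constructed; 203.0.113.57 is a documentation address standing in for an attacker's server, and the Windows path is the standard default location.

```python
import ipaddress
import os
from dataclasses import dataclass
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 1918 ranges listed explicitly so the check does not depend on
# ipaddress.is_private (which also treats documentation ranges as private).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default location of the hosts file on Windows.
WINDOWS_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "System32", "drivers", "etc", "hosts")


@dataclass
class HostsFinding:
    lineno: int
    address: str
    name: str
    severity: str
    reason: str


def parse_hosts(text: str) -> List[Tuple[int, IPAddr, str]]:
    """Return (line number, address, hostname) for every mapping in hosts-file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line; not this check's concern
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(text: str) -> List[HostsFinding]:
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost" or name.endswith((".localdomain", ".local")):
            continue
        if addr.is_loopback or addr.is_unspecified:
            # 127.0.0.1 / 0.0.0.0 sinkholes are the benign use (ad blocking lists).
            continue
        if any(addr in net for net in LAN_NETS):
            sev, why = "review", "hostname pinned to a LAN address (NAS, printer...); confirm it is yours"
        else:
            sev, why = "high", "hostname pinned to an Internet address: DNS for this name is overridden"
        findings.append(HostsFinding(lineno, str(addr), name, sev, why))
    return findings


# Constructed sample, not from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid      # ad-blocker style sinkhole, fine
192.168.1.5     nas                      # local device, worth a look but usually legit
203.0.113.57    dl.google.com            # a download host redirected elsewhere: bad
203.0.113.57    www.google.com
"""

if __name__ == "__main__":
    text = SAMPLE_HOSTS
    if os.path.exists(WINDOWS_HOSTS):        # on Windows, check the real file instead
        with open(WINDOWS_HOSTS, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for f in suspicious_entries(text):
        print(f"line {f.lineno} [{f.severity}] {f.address} {f.name}: {f.reason}")
```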

Khablam
Mar 29, 2012

If it helps anyone else, Adwcleaner does a good job of cleaning up after those extension-based malware threats.

Lasernuts
Feb 17, 2014
The most annoying virus to me would be the "FBI Virus". The variant I ran into prevented access to safe mode and required me to use a BlacX on a separate machine and had to use TDSSKiller to just get into safe mode, then had to ComboFix and TDSSKiller again to get into normal Windows, and redid the whole process with a standard virus scan at the end to fully remove it.

Biggest pain in the rear end I have ever had to deal with :rolleyes:

Siochain
May 24, 2005



Lasernuts posted:

The most annoying virus to me would be the "FBI Virus". The variant I ran into prevented access to safe mode and required me to use a BlacX on a separate machine and had to use TDSSKiller to just get into safe mode, then had to ComboFix and TDSSKiller again to get into normal Windows, and redid the whole process with a standard virus scan at the end to fully remove it.

Biggest pain in the rear end I have ever had to deal with :rolleyes:

Those ones are "backup crucial data, flatten with extreme prejudice" ones for me. Some of that poo poo is just so persistent, I'm never comfortable that I've fully removed it.

asciidic
Aug 19, 2005

I just boot from a WinPE disk and use Autoruns to remove it from startup, then manually delete the files. Virus scan afterwards for good measure. I haven't seen a variation yet that I couldn't remove this way.

Khablam
Mar 29, 2012

Yeah, they're about the easiest to remove. Rarely if ever are they stronger than a startup entry.

The one that's actually got the minimum fix time of "Hope your backup is recent and restore everything" is Cryptolocker and its variants.

hackbunny
Jul 22, 2007

So an old friend of mine (among others) uncovered a surveillance network of dubious ethics created (among others) by old friends of mine. Future hack meets in Italy will be even more awkward than Christmas dinner

e: Here's the analysis

hackbunny fucked around with this message at 11:15 on Feb 18, 2014

Ignoarints
Nov 26, 2010
I agreed to help remove some kind of what sounds like malware from a coworker's computer tonight; he is clueless about what it could be or where he got it from. I used to do that pretty often, like 6 years ago, but I can't remember the freeware I was happy with anymore and I'm sure things have changed. All I remember is rkill was very useful back then.

Is there a kind of catch-all list of stuff to try on this? I'm assuming it's not the only thing on there.

KuNova
Oct 12, 2005

Ignoarints posted:

I agreed to help remove some kind of what sounds like malware from a coworker's computer tonight; he is clueless about what it could be or where he got it from. I used to do that pretty often, like 6 years ago, but I can't remember the freeware I was happy with anymore and I'm sure things have changed. All I remember is rkill was very useful back then.

Is there a kind of catch-all list of stuff to try on this? I'm assuming it's not the only thing on there.

I'd be interested in such a list.

H1KE
May 7, 2007

I'm sure there will be other opinions, but after dealing with this on a day to day basis, my super list consists of:

Spybot S&D - http://www.safer-networking.org/mirrors16/
SuperAntiSpyware - http://www.superantispyware.com/
MalwareBytes - https://www.malwarebytes.org/
RKill - http://www.bleepingcomputer.com/download/rkill/
TDSS - http://www.bleepingcomputer.com/download/tdsskiller/
ADW Cleaner - http://www.bleepingcomputer.com/download/adwcleaner/
Hitman Pro - http://www.surfright.nl/en

Spybot 2 is a little confusing to use, I've found, since they hosed with the UI and made a mess of it. 1.6 still works fine, and is quicker / easier to use, so I've linked to that. Just install and run one after the other, check and disable any weird browser addons / search engines, and that should get rid of 99.9% of infections. :)

E: While I'm here, someone mentioned the FBI lockout [U.Kash] earlier. We had a rash of mutations coming in, but all with the same U.Kash base code. If you don't have access to a USB dock / second machine to stick the infected drive in, try putting MBAM / Spybot on a thumb drive, enter safe mode with command prompt, and run either from the command window off the thumb drive. Some variants will lock you out before you can get the prompt up, but I've had good success doing it this way when I didn't have any other option handy.

H1KE fucked around with this message at 02:16 on Feb 19, 2014

tadashi
Feb 20, 2006

I'm trying to find a solid enterprise malware solution, but it doesn't have to include anti-virus, as we are still having success with Symantec corporate AV as far as finding viruses and notifying us when it does. Does anybody have any recommendations? It looks like Malwarebytes and Webroot enterprise are the two big names, but I was curious if anybody is using something else?

dox
Mar 4, 2006
Combofix and DelProf2 (to delete unused profiles) should be added to the list above, as well. CCleaner and Eusing Registry Cleaner will also help out. Your list and those four basically round out my "clean everything aside from a format" routine.

E4C85D38
Feb 7, 2010


dox posted:

Combofix and DelProf2 (to delete unused profiles) should be added to the list above, as well. CCleaner and Eusing Registry Cleaner will also help out. Your list and those four basically round out my "clean everything aside from a format" routine.

What does ComboFix even do? It appears to be nearly completely undocumented, and everything says "only use at the direction of a properly trained helper" or something.

fakeedit: oh, it's undocumented to prevent malware authors fighting whatever it does. That seems... dicey.


Alkanos
Jul 20, 2009


dox posted:

Combofix and DelProf2 (to delete unused profiles) should be added to the list above, as well. CCleaner and Eusing Registry Cleaner will also help out. Your list and those four basically round out my "clean everything aside from a format" routine.

ComboFix I treat as a last resort option, something to try before wiping the system. 90% of the time it fixes things without issue, but the other 10% of the time it does stuff that makes things quite annoying. For example, completely uninstalling a browser along with all of its bookmarks, cookies, and saved logins. While that stuff's pretty easy to recover from if you know what you're doing, if I'm fixing a computer for someone else they can get pretty pissed off when you explain that it's all gone. (Even if it's their own fault for not keeping track of their passwords.)
