co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.
Wow, Windows Recovery Tool loving sucks. We started seeing it last week and this morning we've already got multiple machines in with it on there. Easy to get cleaned up and unhidden, but I'm about ready to be done talking people down from the edge when they think all their data's gone.

co199

PopeOnARope posted:

Don't forget to zero that fucker on the way out.

Quoting this for good measure, had a bunch of customers get frustrated after they reinstalled Windows and were still infected. Pointed out that just doing an over-the-top reinstall isn't gonna fix poo poo with an MBR rootkit on the system. A lot of people haven't dealt with something like this in a long time, MBR and boot rootkits are all the domain of the 80s and 90s.

co199

gruvmeister posted:

Some of the newer poo poo I've been seeing has an MBR rootkit component that prevents TDSSKiller from running (gets to 80% of the initialization process and then crashes, sound familiar?) along with the usual signs (redirected search results, prevention of any connection to a site with 'windowsupdate' anywhere in the URL including searches, svchost process that runs out of control). After nearly giving up, I discovered a simple 'FIXMBR' from the Windows Recovery Console does the job on this one. You'll get a warning that it appears you have a non-standard MBR or some poo poo and that your partitions might be lost, but I haven't seen that happen yet.

Yup, that's a great fix, we do the same thing in my shop, good to know that more people are seeing this bullshit. My roster of tools is up to rKill, ComboFix, TDSS Killer, GMER, Malwarebytes, Super AS, Hitman Pro and Stinger. Stinger's a little lacking since it's a virus removal tool, but it seems to catch some stuff.

As an aside, it's loving hilarious that McAfee removes rKill as malware, talk about loving ineffective. I'm not surprised, though. I used to work in the AV industry and the amount of incompetence among the big companies is astounding. It's hard enough to keep up with all the new variants and bugs that come out without having lovely researchers to complicate the issue.

co199 fucked around with this message at 07:30 on May 5, 2011

co199

RichieWolk posted:

I guess this is the best place to ask: Is there a version of hitman pro for computer janitors to just cart around and use as a one-time "loving fix it right now" solution? I searched and it looks like there's just the 1-3 pc home license, or the 25-250 enterprise version. I'd really like something that just works on 1 pc at a time, but can be used on like a hundred machines through the year for like $200.

If not, I guess I'll just use the free trial versions and feel like a moderately bad person.

If you find an answer to this, I'd sure like to be pointed in that direction. We've limited our reliance on Hitman for just that reason.

BTW, looks like a new version of TDSSKiller got released on the 20th of April, seems to be working well so far.

co199
Hey look, now even Mac users have to deal with rogueware bullshit:

http://blog.intego.com/2011/05/02/intego-security-memo-macdefender-fake-antivirus/

Intego's Blog posted:

Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results). When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open.

co199

tsbicca posted:

Just had a user turn in a Mac with this installed. First time I've ever seen Mac malware in the wild.

Everything I'd seen before this has been proof of concept. If you don't mind, can you explain how you got rid of it after you've done your cleanup? I think it'd be helpful for us computer janitors in the thread.

co199

PopeOnARope posted:

Somehow I'm not surprised that there's still infections with this being the case.

See every fake "Adobe Update, click here!!!" infection in the last 5 years.

co199

tsbicca posted:

I didn't actually do the cleanup, another tech did, but he did something similar to this: http://www.bleepingcomputer.com/virus-removal/remove-mac-defender. It worked pretty well as far as we could tell.

OK, yeah, I'd seen that article. Between what you and FCKGW posted, it looks like it's pretty standard. Still haven't seen one in our shop, but we do almost 0 Apple support so that's not surprising. Thanks!

co199

bbcisdabomb posted:

I think the biggest lesson to take from MBAM vs. SAS is to run SAS in safe mode, do more cleaning, then run MBAM in normal mode to double-check you're clean just before the computer heads out the door. I've caught a few computers with nasty reinstalls, like one that I swear was timed to wait out four or five reboots before reinstalling.

This is a good policy, we do that here too. It's also gotten to the point on XP machines where we will rebuild the MBR and do a fixboot as part of policy just for the sake of ensuring there's no rootkit hiding out there.
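The two posts above (the over-the-top reinstall that leaves an MBR rootkit in place, and rebuilding the MBR as a matter of policy) both come down to one check a tech can actually run: is the boot code still what a clean install wrote? This is an added example, not code from the thread; it parses a 512-byte MBR image, validates the 0x55AA signature and partition table, and compares the 440-byte boot-code region against a known-good SHA-256. The MBR bytes and the "clean" boot code here are constructed in memory; on a real machine you would read sector 0 of the disk and take the reference hash from a clean install of the same OS version.

```python
"""Sanity-check a 512-byte MBR after a rootkit cleanup (added example)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440         # bytes 0..439; the disk signature starts at 440
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"     # bytes 510..511 of every valid MBR


def parse_partitions(mbr: bytes) -> list:
    """Decode the partition table; entries with type 0 are empty."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack(
            "<B3xB3xII", mbr[off:off + PART_ENTRY_LEN])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start,
                          "sectors": sectors})
    return parts


def check_mbr(mbr: bytes, known_good_sha256: str) -> dict:
    """Return findings; an empty list means the MBR looks untouched."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("wrong size")
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA signature")
    boot_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if boot_hash != known_good_sha256:
        # This is the case an in-place reinstall does not fix.
        findings.append("boot code differs from known-good image")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one active partition")
    return {"ok": not findings, "findings": findings,
            "partitions": parts, "boot_code_sha256": boot_hash}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code plus one active NTFS partition."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


# Constructed placeholder boot code, NOT real Windows boot code.
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT)
# Reference hash taken from the constructed clean image.
KNOWN_GOOD = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Same partition table, first two boot-code bytes changed.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOT[2:])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(img, KNOWN_GOOD))
```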

co199

m2pt5 posted:

"Malware kit"? Really? I mean, there's being a jerk and then there's being a goddamn rear end in a top hat. :wtc:

Ever notice how all the malware that hits Windows machines is always "Win Security 2011"? And then a week later it's "Microsoft Security 2011"? Congratulations, it's a malware kit! Change a few words on a template, change the randomization scheme and you just made a new rogue that can't be detected (one big reason why signature detection doesn't work).

co199 fucked around with this message at 00:36 on May 26, 2011

co199

Scaramouche posted:

Don't you mean signature detection?

Yeah, sorry. I get my terms mixed up sometimes.

co199 fucked around with this message at 00:41 on May 26, 2011

co199

BillWh0re posted:

Detection is hard because the authors are manually updating the obfuscation they use on the code. It doesn't have too much to do with the name or branding of the fake AV program itself, and the creation kits can't usually make changes that break detection signatures (except straight checksums) -- it takes a human author to do that.

That's true, and I was oversimplifying the process. I've been out of the research game for a couple of years now so I don't have the details I used to. That being said, it's really hard to find an explanation for a customer when they ask "well why didn't xxx program detect this?" The "malware kit", while not 100% correct, works when you're dealing with someone who doesn't give a poo poo about the technical details and just wants an answer. Hell, it's a better answer than a bunch of other shops around here give, which is "because that one is a bad AV program, buy this one". Neither answer solves the problem, but one doesn't cost the customer unnecessary money.

co199
Same as Webroot bundling Ask Toolbar, imo.

co199

Nam Taf posted:

Well I guess I'll be moving myself and my family away from them. Pity, they've served us well ever since the free-av days.

edit: By the looks of it, AVG has fallen off the wagon so I guess MSE is the best bet now?

MSE is the best free offering, NOD32 or Kaspersky if someone insists on a paid AV.

co199

any colour you like posted:

Has anyone encountered Windows AV Component?

Actually just got one in today with this on it, but this customer is known for his porn and piracy habits so it's no surprise he got it. Standard tools worked fine in this case (Combofix, Hitman Pro, MBAM, SAS Portable).

co199

Hex Darkstar posted:

Not that anyone should use CNet to download files to begin with, but it looks like they're packaging legit software with toolbars and changing the default search engine and home page to Bing/MSN.

http://seclists.org/nmap-hackers/2011/5

Someone unpacked the CNet installer and uploaded it to VirusTotal; the heuristic scans all recognized that what it tries to do mimics what malware generally tends to try to do. Funny stuff.

Webroot used to bundle Ask toolbar with Spy Sweeper. Yeah.

co199

Maniaman posted:

I don't know what is sitting out there without a patch yet, but my computer shop has been going crazy with computers coming in for virus removal with the Vista 7 Antivirus Platinum Pro 2012 XP antivirus crap, generally bundled with TDSS or ZeroAccess. Went from a slow period to every bench spot is full and the shelf is getting full, and 90% of them are virus removals.

We're in the same boat at our shop - XP, Vista, 7 - everyone is getting hit. I've had systems with KAV, Avira, McAfee, Norton and MSE (respectively, not all at the same time) get infected. It's pretty bonkers right now.

co199

Hex Darkstar posted:

C:\Documents and Settings\[Removed]\Local Settings\Temporary Internet Files\Content.IE5\U6VNK9EL\Ticket_American_Airlines_pdf[1]\Ticket_American_Airlines_pdf.exe

We've seen a bunch of infections like this in our shop - airline tickets, missed package notifications from FEDEX and UPS, etc. etc. It's a pretty good social engineering technique. Fucks a system right up, though.

co199
March has been quiet for us as well. We started off on a huge run of dead or dying hard drives, then a spattering of ZA and TDS rootkits.

co199

Tardcore posted:

So going into Firefox's content menu in options and unchecking Enable Javascript is going to protect me from this right?

No. Java and JavaScript are two separate things. You need to update (but preferably uninstall) Java to be completely safe.

co199
Less of a traditional virus, but this came out of the Pwn2Own contest today:

http://www.networkworld.com/news/2012/091912-galaxy-s3-hacked-via-nfc-262590.html?source=nww_rss

NFC exploit on an S3 allows root access on the phone with no user interaction.

co199
I wanted to mention that W32.Changeup is indeed a bitch to get rid of, but as far as worms go it's not hugely destructive. The main factors that cause it to be a pain are its network replication abilities, pseudo-"polymorphism" (differing MD5s downloaded from C&C servers) and the other malware it can download (Zeus/Zbot, etc.) I've been dealing with major corporate clients infected with the worm since December of last year, although the worm itself has been in the wild since roughly 2009.

Symantec has a very good writeup here:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2

and here:

http://www.symantec.com/connect/blog-tags/w32changeup

In almost every instance, the customers' AV implementation was able to remove the infection, but it took anywhere from two-three days to a week to get the network entirely clean due to endpoints coming online without updated virus definitions and the like. It also involved sample submission to the major AV vendors for expedited definition sets.

co199
It's not that MSE is a bad AV, it's simply that Microsoft has indicated that MSE should be supplemented by another AV, should the user wish. For a regular user, MSE is fine. I'd argue that a secured browser is more important (say, Firefox with AdBlock, FlashBlock and if you're feeling saucy, noScript), but Firefox / Chrome + Adblock is fine for users that don't want to tinker.

co199
Kafeine has a good write-up on it (they paid him to test it) here: http://malware.dontneedcoffee.com/2014/06/mbae.html. It should block exploit kits like Angler and Nuclear which deliver ransomware among other things.

co199
The thing with AV and all of the tools mentioned is that by their very nature, they are reactive. Today your standard user (and by a larger measure corporations) have to be proactive against malware / other attacks. Non-IE based browser with adblock (within the scope of environment requirements), limited Java and Flash installs, GPO policies preventing executables from running out of %APPDATA%, limited user accounts, etc, etc. Even this won't prevent Joe Randomuser in accounting from plugging in the USB drive he found in the parking lot, but with the goal being prevention rather than reaction, it will be possible for IT / IS to get a grasp on his machine before it can allow an attacker to pivot into the core network and steal all the data.

Ultimately it's a losing battle and it's a matter of when, not if. The best thing companies can do is be prepared. I worked in a screwdriver shop and for run-of-the-mill stuff the tools mentioned in this thread serve a purpose, but there's never a 100% guarantee without completely rebuilding the drive and reinstalling the OS.

As a consultant I often do full write-ups on malware with remediation steps and the like, but at the end of the day our recommendation to customers if they're going to put an infected box (and god forbid a compromised server) back into rotation is to restore from a verified gold image.

co199

OSI bean dip posted:

One thing I don't miss about being an infosec consultant (other than having to fly somewhere on a moment's notice) is how you'll spend half of the allocated hours writing a report and then have it outright ignored.

Yup.

Had a client get hit with Cryptowall 2, flew out, did the imaging and post-mortem, wrote a whole report with site-specific recommendations for prevention. Due to internal battles (IS/Risk vs IT pissing match) none of it ever got implemented.

They came back three months later with the same goddamn thing. It was too bad I really couldn't send them the same report with a giant 72pt font header that said I TOLD YOU SO.

co199

Khablam posted:

The problem is that Beandip is right, it's just that getting people to follow correct advice when there's a way of being almost-certain you're fine with 1/50th the effort is a hard sell. It was almost impossible to firewalls pre-Sasser, and still hugely painful to get people into the habit of regular backups before the encrypting viruses started freaking people out.

You're right here, but the trick is to let them know that it's going to cost them more money in the long run if they don't deal with the root of the problem. Some of this has been a circular argument but in the modern security industry people are slowly starting to realize that they are super hosed if they don't take a proactive stance against malware. Proactive stances include changing the mindset of dealing with malware - it's no longer a tool-based fix. I've used an argument that AV is no longer the first line of defense, it's the last line of defense. If your AV solution is detecting something, chances are it's the tip of the iceberg in how hosed your environment is. Using Cryptowall as an example, AV tools very rarely detect new variants of Cryptowall until the binary is in the wild, because that team actively develops their malware. They have VTI accounts just like researchers do and as soon as a binary is submitted, they change their code. IP blocking the C2 servers helps as well, but ultimately there needs to be a mindset shift within organizations to a proactive stance rather than reactive.

Yes, it costs money. Yes, they'll argue that it's just easier to remove the sample, and yes, you'll want to kill yourself.

I think anyone that's been in this industry for any amount of time knows that you construct arguments in terms of cost, not in terms of capability. When you can reasonably make the argument that formatting this machine and spending that two hours now will save you another engagement cost down the road ($24,000-$100,000+++ depending on severity), it's a lot easier to fight that fight.
