 
  • Locked thread
pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

Ynglaur posted:

Lenovo is obviously in damage control mode, though. More companies need to learn from BP. Don't cover things up: just come out, tell the truth, and fix the problem. The long-term damage to stock price is generally less the sooner and more honest companies are when it comes to problems. See also: politicians. Americans in particular love comeback stories, but hate snakes.

Wait... are you comparing the Lenovo fiasco with the BP Deepwater Horizon oil spill?


pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

Subjunctive posted:

The Superfish stuff is comically, implausibly broken. I don't think any of us realized how deep the pit of stupidity would go while it was playing out.

At this point we're lucky that it doesn't execute base64'd x86 machine code stored in some extended attribute.

Please don't give them any ideas.

pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

Khablam posted:

You might all be overthinking this. It is RSA, which is asymmetric. It's essentially like using PGP, HTTPS etc where you can give someone your public key with no expectation of secrecy. It can only be used to encrypt the data. You on the other hand have the private key (generated as a pair), which is what you use to decrypt it.

The server just makes a pair, ships the public key, and the exe just runs it against your files until it's done. The speed is about "as fast as your HDD can read+write" whilst maintaining a relatively low CPU footprint.

There's no computational way to recover the private key which doesn't leave "heat death of the universe" as more likely to occur first.

e:

If it's AES over RSA then it probably works like SSL encryption, where it's the actual symmetrical key itself that is exchanged/protected via RSA and the actual file-level encoding is done via AES. Either way, no part of your computer, drive, RAM or CPU actually sees (or needs to see) the private key to encrypt the data. This is completely essential for asymmetric encryption to work at all (and for HTTPS to exist) as you would simply be able to sniff it being exchanged otherwise. MITM attacks are necessary for this reason.

You do not understand how RSA works and should probably stop posting as if you do.

pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

Khablam posted:

Eh my post is the victim of editing in 3 different answers. Everything I've seen about these ransomware viruses suggests it's RSA encryption at 2048. With RSA encryption on encrypt though, it doesn't suffer the crippling performance issues you get with decryption - I assume they only care about the encrypt time?
You're right, I assume if AES were actually involved someone would have written a program for reading memory dumps for the key. RSA/AES hybrids assume the host machines are trusted. With previous generations (cryptolocker) a tool to decrypt was only made possible after the servers were raided, and private keys recovered.

You do not understand how RSA works and should probably stop posting as if you do.

pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

BaseballPCHiker posted:

Has anyone tried using this Tron script yet:
https://github.com/bmrf/tron/
Seems like it could be good for those start it and forget it situations where you can just let it run all day and check back on it later. Was curious to see if anyone has found it to be useful at all, or if it's basically a glorified batch script that just runs a bunch of AV scans in a row.

Speaking of, what is the go-to free AV to recommend to people these days? I have friends and relatives ask me all the time and I don't know what to tell them now except for watch what you click on and install ublock or something on your browser.

Please do not use something that installs flash, adobe reader, and java automatically.


pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

Khablam posted:

Do you (for the 5th .. 6th?) time of asking, actually know of one that will defeat this

I seriously don't understand why you keep asking this. No one can point to something that can defeat all automated malware detection methods because the minute something is discovered through other means the automated methods are updated with the necessary process for finding it. There have been plenty of examples of malware that has gone through this process, namely 99% of the discrete types that are currently detectable. Assuming this means "no currently undetectable malware exists" is just nonsensical though.

This fact is the entire problem with signature (or behavioral) anti-virus as a protection method. It is unable to adapt to a constantly changing attack surface without being continuously updated with new information.
