[Shields Up] Computer Security Thread
Tetra, since we just had that little TDSS discussion a week or so ago, figured I'd share this image I captured today while working on a client's computer, disinfecting it. Note the two different versions infecting the same computer, in different locations. The clean was successful btw.
Damn, thanks for sharing. It makes me wonder if the second infection occurred as a result of the first one opening a backdoor, or if it was a separate compromise. Nevertheless, the TDL3 infection on the boot service VolSnap is scary enough, but the TDL4 in the HDD (I presume the MBR?) is just double bad.
Did you catch this in safemode without networking, running TDSSkiller from there? Or did you boot to another partition/removable media? I'm impressed TDSSkiller can catch/clean something from the MBR! Sadly, it looks like there's no x64 version of the software. Considering how x64 rootkits are alive, well, and growing, I hope some decent anti-rootkit solutions emerge for x64 systems soon.
Unrelated update: Hey everyone! It's Tuesday! Do you know what that means? It's time for another round of In-The-Wild Flash Exploit Theater! Basically, there's a new nasty already striking at the last version of Flash I posted about a few days ago. So, grab the new version (10.3.181.26). Get Ye Flash.
Dude is now running Ubuntu 10.4 for the time being, though he was clueless enough with Windows as it is.
At least he can't break that... I hope.
Don't ever say that. Even if he can't infect himself he can still allow his system to be used as a host to infect others. Make sure he still has a Linux AV running, I don't mean Clamshell either. Both Avast! & AVG have Linux versions. I'm going to try them out when I get around to setting up a new Puppy Linux boot flash drive. Also never discount the user's ability to FUBAR a system; no matter if it's Linux or AppleOS they will find a way to mess things up.
http://www.avast.com/linux-home-edition
http://free.avg.com/us-en/download
Curious that it's just Firefox, apparently? I imagine that won't stay the case for long. Thanks for the heads up, even though I no longer use Firefox.
I did this one from safe mode, no networking, booting off the infected drive itself. TDSSKiller cannot currently scan a target drive, it has literally no options. However, it can manage to clean the MBR of the very drive it boots off of (requiring a reboot to rewrite the MBR of course).
No clue if the infections were linked or separate and coincidental...but both are purged. Computer's been fine since.
I've also noticed that Malwarebytes AntiMalware has *some* TDSS recognition in its current engine, as does SuperAntiSpyware and of course Microsoft Security Essentials. However, TDSSkiller is still the go-to tool for actually removing them... MSE seems to detect it but fail to remove it (it shows up as Alureon in MSE).
I read the synopsis you linked to earlier in the thread: Nasty, nasty little thing, that. Any infection that corrupts and nests inside your files in a self-propagating way is a double-pain to deal with, since it makes backing up extremely difficult... And cleaning even moreso. I think the nuke from orbit was the right choice.
I was curious about that too, but it seems to be a recent trend. There was a report not too long ago about impersonating the Firefox security warnings specifically. Gone are the days of Firefox being the bulletproof browser. Indeed, I don't think any browser is safe these days, if used inappropriately.
Thanks! I'll be keeping this in mind. I'm still a bit irked that no x64 version of TDSSKiller (or any good Anti-Rootkit) exists, but nevertheless this is good information. I think HitMan Pro might also know how to target TDL3/4, but I'm not sure if it's been keeping up with the nasty's evolution.
In other news: Lulzsec has been busy again this morning. I don't have a direct link to a story, but after encouraging their followers to flood /b/ on 4chan, they 'rewarded' them by releasing a grab-bag of about 62,000 email credentials. Apparently Facebook and WoW accounts have been compromised as a result.
Yesterday they targeted CIA.gov for a DDoS, which has apparently garnered some ire from another hacker, who claims to be targeting them now.
Wait, you mean people actually use real email addresses on 4chan?
Sorry, I phrased that poorly. What happened was that Lulzsec prompted their followers on Twitter to mob /b/ this morning. They encouraged everyone to visit and post, mostly for the purpose of irritating the regulars there (They said "Ask how to Triforce" and "Post about Boxxy", both things designed to piss off /b/, I believe). When the flooding of /b/ reached their satisfaction, they released a list of ~62,000 email account logins and passwords from an unrelated hack, harvested from a variety of different servers. It was sort of a 'reward' from them to those they egged on to flood /b/, rather than a breach of 4chan itself.
Also, given their boasting in the past, it sounds like they've got some mechanism set up to drive-by infect people browsing 4chan and /b/, so I'm guessing the flood was something that worked in their favor to recruit new bots to their network. That's just speculation on my part, though.
Changing topics slightly, to the subject of Anti-Rootkit technology. There's a new build of Hitman Pro that went live this morning. Among the new features included is a bit of tech they call Cloud Assisted Miniport Hook Bypass, which is essentially a method of scanning the MBR for infections from within the afflicted system.
If this works in practice, then it will be a nice tool indeed for the x64 platforms. Particularly since, I believe, Hitman will remove rootkits for free. As always, your mileage may vary. I'll be testing the new build tonight to see what it comes up with.
I just finished two and a half days of work at a site infected by the Worm:Win32.Rorpian.B. Woop woop.
Ended up reimaging every single desktop.
Culprit? Everything you read in that article. A user somehow stumbled into it and opted to Update their browser (despite the glaring 'download<dot>phpnuke<dot>org' at the top of the page) which I believe is what brought it in. Microsoft Security Essentials can actually detect and remove the worm part of it, malwarebytes doesn't see it, ComboFix can see the loadpoints but can't do anything about it, and the latest version of TDSSKiller comes up blank.
I followed instructions from here --> http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7473 which was excellent. Particularly, this little rogue DHCP finder here --> http://www.softpedia.com/get/Network-Tools/Network-IP-Scanner/DHCP-Find.shtml
More info --> http://blog.mxlab.eu/2011/03/27/%E2%80%9Cunited-parcel-service-notification-48161%E2%80%9D-from-ups-contains-trojan/
More info --> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRorpian&ThreatID=160608
It also managed to bring in a ton of other stuff, namely kufgal.B --> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FKufgal.B and Lightroom, which I don't have any info on, but coupled with everything else I found onsite I just decided to nuke everything from orbit. I brought down the internet, spent some time on the server making sure everything was ok, went around to the clean desktops and installed the relevant XP patches and got everything up to date, disconnected the infected DTs from the network, then blew them all away, patched, and got everything back up and running cleanly this afternoon. Awful experience.
The killer... I'd been hounding the client for months to renew their IPS/firewall subscription (expired in April, Sonicwall TZ210) which I'm sure would have intercepted the bad packets, or at least put a stop to the rogue DHCP.
Anyway. Yeah. Nasty bugger!
Quote for lolz (though this was an entirely different client)
From that, and your experiences uean, TDL3/4's new DHCP capabilities sound like a nightmare and a half. Good gravy, but in a corporate environment that's going to raise hell.
Thanks for all the information and links, uean. I think in the end doing a nuke from orbit was the best way to handle things, even if it was a headache. If it's at all possible, I would strongly recommend restricting the privileges of your users, either by reverting them to limited accounts, or else by making sure their browsers and email applications are all running under reduced rights (with tools like DropMyRights). Hopefully if you can do one of those two things, then your users won't be able to contaminate your network, because they won't have the ability to install new software.
A Software Restriction Policy is ideal in these situations, but often times after implementing it the complaints of the users are more annoying than the infections they would otherwise cause.
I had not noticed that at all. If I could furrow my brow disapprovingly over the internet, I would.
That's a weird place for the program to run from regardless of personal directory structure. I wonder if it's just the default download location.
Turning on Safe Mode allowed me to install SD. Then leaving Safe Mode, I figured out the virus was named vas.exe or something and was repeatedly turning off the process while trying to update Spyware Doctor. It finally cured her machine and she is now saving her pennies for Windows 7.
I have Windows Essentials but I don't really know how to use it. But that's because it's not as intrusive as SD. Can anyone compare the two?
Spybot is largely considered outdated these days. Malwarebytes Antimalware has supplanted it for removal of malware, for the most part. I know a new version is in the works and is soon to be released, but I'm not sure about the specifics.
I still use Spybot myself, but largely for the immunization feature. TeaTimer is (and always has been) more trouble than it's worth. For the same functionality something like WinPatrol is much, much better.
Spyware Doctor is a malware scanner that operates on demand, I believe. Microsoft Security Essentials is a resident on-access antivirus scanner that's always running. They're different solutions, mostly because MSE is an always-on preventative measure in addition to being a removal tool. Also, it's usually safe to run one antivirus and any on-demand antimalware together - I've been using MBAM with ESET for years now.
If you've downloaded and installed MSE, just make sure you keep it up to date and allow it to run a scan at least once a week, and you should be good (at least on the antivirus end of things).
When combating nasties like the horrid one you just faced, it tends to get tricky to remove them when they're fully in control of the system. As always, a complete reformat and reinstall is a good idea if you can manage it (it's the safest, fastest way). The next option is to boot from some other media (LiveCD/RescueCD/bootable USB) and scan the afflicted drive from a different operating system - Then the infection can't launch and make your life hell. A third option is to combat resident malware with RKill to terminate it before scanning.
Regarding my roommate, it's annoying because he works 12 hours a day most of the week and we tend to have very different schedules. What's more worrisome is that he has not complained at all about being unable to use the internet, so I'm thinking he probably clicked the "Update Browser" button.
Ah, the virus came back regardless of Spyware Doctor finding a lot of crap and killing it all. When it came back, Spyware Doctor quarantined it....and I lost explorer.exe.
So now we're backing up everything because her usb port started working again, and we're putting Windows 7 on it. It will at least buy her 30 days of a working computer while she saves up.
Interesting. Perhaps I'll switch to that instead.
In any event, for adequate security, would I have to install one of each program in the OP, or just stick to a specific handful?
Sorry to hear that the cleaning didn't kill the bastard. For what it's worth, though, reinstalling is the best way to ensure the system is clean. Plus, Windows 7 is super nice. Just make sure when you're done reinstalling that you get all the patches. Service Pack 1 is pretty essential at this point.
It's also the perfect time to set up a limited user account for added security, if you're comfortable with that.
Definitely keep Spybot around if you like it (it's not terrible, and like I said, the Immunize function is nice), but MBAM won't hurt anything if you install it.
Also, most of the software in the OP are tools for specific purposes, so don't pull your hair out trying to install one of each of them, by any means! You're not likely to need a rootkit scanner on a regular basis, for instance. I've been meaning to write up a 'layered security guide', for the purpose of explaining what's what, but I've been struggling with a proper way to visualize it.
Each person is going to be comfortable with a different setup, so it's really quite difficult to give a configuration that pleases everyone. For a quick rundown of what I'd consider effective but minimal (and noting that these suggestions contain my bias):
So, tl;dr: Have an up to date antivirus, up to date antimalware scanner, and a securely configured browser with script, flash, and ad blocking. If you can, run from a limited user account, and use sandboxing.
Amusingly enough, it's actually getting to be faster for me to clean fake antivirus infections MANUALLY than for cleanup utilities to do it for me...but that's because they're all variants of the same core that operate mostly the same way (with a very few variants in apparent-destructive behavior).
First off, of course, boot into safe mode (no networking). Run TDSSKiller to clear up any potential tdss rootkit infections.
Then, usually executables will be hijacked. Browse to \Windows\System32\ copy regedit.exe and paste it immediately, rename the copy to regedit.com (bypassing the exe hijack). Run regedit.com, browse to hkey_classes_root\.exe and hkey_classes_root\exefile -> and under BOTH of these, go to shell\open\command, and change the default to: "%1" %* (if your keys have been hijacked, there will be a path to an executable here before that string. This tells you where the infection resides).
After purging it from both keys, browse to the location of the infection (usually in <user>\appdata\local\ or <user>\local\temp\ or sometimes in \programdata\).
The file will almost always be hidden AND system-flagged, so just set the folder view to show hidden files AND show protected system files. Purge the infection files, which will usually be a 3-letter random string + extension, like uhh.exe AND another longer-named exe with a random string like 8g8fhsd3sf.exe which should also be accompanied by an identical-named .dll, .sys, or .tmp file. Look at last modified or creation dates in the folder you found the infection, just to make sure you get rid of any other suspicious files.
Once purged, you'll also need to run msconfig, go to the startup tab, and remove the autorun item that launches the trojan.
Depending on apparent-damage caused by the hijacks, taskmgr, desktop, and even icons and shortcuts may all be disabled.
taskmgr and desktop are generally disabled via Policy settings, so in regedit (you still need to use the .com version until you reboot so that the classes hive can be properly reloaded), you need to browse to both hkey_current_user AND hkey_local_machine as follows: \software\microsoft\windows\currentversion\policies\ (same path in both hives), and look for any policies that disable things you need, such as disabletaskmgr set to 1 (to enable it again, set this to 0) or disableDesktop 1 (set to 0 of course). If the keys aren't in either of those policies, then you don't have to worry about them.
Hidden shortcuts and files can be taken care of at a command prompt, by navigating to the drive root (usually with "cd \"), and running the following command: attrib -h /s /d *
This unhides any file that's set to hidden OTHER than system files, anywhere in the system, so only do it if your infection actually SET all files to hidden. (it isn't harmful, it just makes hidden things show up).
If this doesn't restore desktop icons, right click the desktop and make sure "show desktop icons" is enabled.
Also, in your start menu, if your folders are there, but the shortcuts inside them aren't hidden but gone ENTIRELY, some infections actually move them to a temp structure buried in <user>\appdata\local\temp\<infection folder>\1 \2 \4 and other such named folders. If you can't find them, just do a search for *.lnk within the user profile directory itself (not the entire drive).
After all is said and done, a reboot, back into safe mode, and then run a scan with malwarebytes antimalware (or your cleaner of choice), should pick off any remnants.
Sad that I could write this entirely from memory, having done it so many times...
If your infection manages to respawn itself after THIS, then you've got something ELSE respawning it. microsoft security essentials should be able to pick up what that might be (there is a virus going around lately that infects explorer.exe, winlogon.exe, and wininit.exe that acts as a dropper for other malware).
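The registry and file-system checks from the walkthrough above, as a read-only PowerShell audit (an added example, not the poster's own script). It assumes an elevated PowerShell prompt on the affected machine (Safe Mode is fine) and only reports what it finds; the hijacked handler, the lockout policies and the drop directories are the ones the post names.

```powershell
# Read-only audit for the fake-AV damage described above (added example, not
# from the original post). Assumes an elevated PowerShell prompt; nothing is changed.

# 1. The .exe file-association handler. A clean system carries exactly "%1" %*.
#    Anything in front of that string is the interposed launcher, i.e. the infection.
$expected  = '"%1" %*'
$assocKeys = @(
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
)
foreach ($key in $assocKeys) {
    if (-not (Test-Path $key)) { Write-Warning "$key is missing"; continue }
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    if ($cmd -eq $expected) {
        Write-Host "[OK]     $key = $cmd"
    } else {
        Write-Host "[HIJACK] $key = $cmd"
        $launcher = ($cmd -replace [regex]::Escape($expected), '').Trim()
        Write-Host "         suspect launcher path: $launcher"
    }
}

# 2. Lockout policies (e.g. Policies\System\DisableTaskMgr = 1). Walk the whole
#    Policies tree in both hives and report every non-zero DWORD so siblings of
#    the values the post lists are not missed.
foreach ($hive in 'HKCU', 'HKLM') {
    $root = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies"
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $k = $_
        foreach ($name in $k.GetValueNames()) {
            $v = $k.GetValue($name)
            if ($v -is [int] -and $v -ne 0) {
                Write-Host "[POLICY] $($k.Name)\$name = $v"
            }
        }
    }
}

# 3. Drop locations from the post: list files flagged both Hidden and System,
#    newest first, so a random-named .exe and its same-named .dll/.sys/.tmp
#    companion stand out by timestamp.
$mask     = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$dropDirs = @("$env:LOCALAPPDATA", "$env:LOCALAPPDATA\Temp", "$env:ProgramData")
Get-ChildItem -Path $dropDirs -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { (($_.Attributes -band $mask) -eq $mask) -and
                   ($_.Extension -match '^\.(exe|dll|sys|tmp)$') } |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, Length, FullName -AutoSize
```

Run it before and after the manual cleanup; a second pass that prints only [OK] lines and an empty file list is the sign that the handler, the policies and the drop directories are clean.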
In other news: Today Lulzsec has launched what they term Operation Anti-Sec, though its connection to the Antisec Movement feels tenuous at best. They've begun DDoSing government servers, and are calling publicly for attacks on banks, and other government installations.
Meanwhile, Gabe and Tycho discuss the recent rash of hacking exploits on the web! (Tangentially related, but hey, how often do we get to post comics in this thread?)
Amusingly enough, it isn't a special kind of hell. It's my job. I'm a tech at a computer repair center, so this is the standard problem about 80% of our clients bring in for us to fix. If I had the time, I'd script the entire repair, but just haven't yet.
Hope it helps anyone who has to face the slew of fake antivirus trojans out there...seems to be almost epidemic-level lately. ^_^
Also: For those of you who use Sandboxie, I thought it was worth mentioning that Tzuk released version 3.56 recently. The noteworthy aspect of this release is that it contains Experimental x64 Kernel Protection. When activated, these measures make the x64 version of Sandboxie as secure as the x86 version. When x64 Windows was still relatively new, some of you might remember that Patch Guard made it difficult for security software of all stripes to defend against rootkits and the like - Tzuk apparently found a way around this.
It's a nice feature, and one that drastically improves the security of the x64 version of Sandboxie... But it should be approached with some mote of caution. If Tzuk has tweaked the kernel in any way, it stands to reason that the next time Microsoft releases a kernel update for Patch Guard, this experimental protection could cause BSoD crashes without warning (That's what Patch Guard does - crash the system when the kernel is modified).
I'm running with it for now, though, so I'll update this thread for sure if it ever happens.
No kidding - one of my co-workers just got nailed by one (Security Shield 2011 - bunch of fucking wankers), and now I can't even get his computer to boot up properly. It just gets stuck on black screen with a blinking cursor on the top left.
Looks like I'll probably have to pick up a new hard drive and start over, because if I can't even boot to safe mode, then I think his comp is SOL.
What you need to do is make a rescue flash drive or cd to boot from. Then either go to a site with a hosted virus scanner or use Avast! & AVG's linux versions. Do not waste your time with ClamAV.
I recommend Puppy Linux as it was designed for booting from portable media.
It decided to block Malware Bytes when I attempted to scan it this evening. I think I'm going to just uninstall it and get microsoft security essentials if that's the best thing right now.
Color me completely surprised. Apparently there are a number of posts and stories around the net that Trend Micro is incompatible with MalwareBytes. If this is in fact the case, and hasn't been resolved, I would highly recommend moving away from Trend. Blocking MalwareBytes seems ridiculous. While there's really not a 'best' antivirus, with other protective measures in place (script blocking, adblocking) MSE is going to do a fine job.
On the lighter side of security (relatively speaking), it's always a good idea to treat IT professionals with respect. Otherwise, something like this might happen.
I'm gonna go with my gut on this one. Boot into a rescue environment (miniXP is great), run a nice lil program called BootICE, and use it to rebuild the MBR. I'm gonna further bet that TDSS hosed it when it tried to write to the boot sector. After you revive windows, just safe mode and run a scan for it per instructions above.
The drive probably isn't dead, it's just got its boot information hosed up. It's repairable in the best case, and at worst, a repair/reinstall of the OS should do the trick.
Other news outlets are misrepresenting the advice as Microsoft saying you need to reformat/reinstall, but it seems that MBR repair and system restore will do the trick.
Personally, though I know it's possible to restore a system without reformatting, I'd still recommend a complete disk wipe and reinstall in a situation like this. However, I did find it quite interesting that the Microsoft System Recovery Console has a 'fixmbr' command. That could be quite useful in a pinch!