
[Shields Up] Computer Security Thread


  • khalathaskhalathas Registered User
    edited June 2011
    249659_10150198257586572_667286571_7444829_3277265_n.jpg

    Tetra, since we just had that little tdss discussion a week or so ago, figured I'd share this image I captured today while working on a client's computer, disinfecting it. Note the two different versions infecting the same computer, in different locations. The clean was successful btw.

  • TetraNitroCubaneTetraNitroCubane Registered User regular
    edited June 2011
    khalathas wrote: »
    ~Snip~

    Tetra, since we just had that little tdss discussion a week or so ago, figured I'd share this image I captured today while working on a client's computer, disinfecting it. Note the two different versions infecting the same computer, in different locations. The clean was successful btw.

    Damn, thanks for sharing. It makes me wonder if the second infection occurred as a result of the first one opening a backdoor, or if it was a separate compromise. Nevertheless, the TDL3 infection on the boot service VolSnap is scary enough, but the TDL4 in the HDD (I presume the MBR?) is just double bad.

    Did you catch this in safemode without networking, running TDSSkiller from there? Or did you boot to another partition/removable media? I'm impressed TDSSkiller can catch/clean something from the MBR! Sadly, it looks like there's no x64 version of the software. Considering how x64 rootkits are alive, well, and growing, I hope some decent anti-rootkit solutions emerge for x64 systems soon.

    Unrelated update: Hey everyone! It's Tuesday! Do you know what that means? It's time for another round of In-The-Wild Flash Exploit Theater! Basically, there's a new nasty already striking at the last version of Flash I posted about a few days ago. So, grab the new version (10.3.181.26). Get Ye Flash.

  • Zilla360Zilla360 Spaaaace! In Space.Registered User regular
    edited June 2011
    Unrelated update: Hey everyone! It's Tuesday! Do you know what that means? It's time for another round of In-The-Wild Flash Exploit Theater! Basically, there's a new nasty already striking at the last version of Flash I posted about a few days ago. So, grab the new version (10.3.181.26). Get Ye Flash.
    Holy crap. Blackhats never sleep. :x

  • Zilla360Zilla360 Spaaaace! In Space.Registered User regular
    edited June 2011
    Ended up nuking W32.Ramnit from orbit. I even tried the programmer's own back-door registry setting that was supposed to disable its propagation, and failed.

    Dude is now running Ubuntu 10.4 for the time being, though he was clueless enough with Windows as it is.

    At least he can't break that... I hope.

  • Dark ShroudDark Shroud Registered User regular
    edited June 2011
    Zilla360 wrote: »
    At least he can't break that... I hope.

    Don't ever say that. Even if he can't infect himself he can still allow his system to be used as a host to infect others. Make sure he still has a Linux AV running, I don't mean Clamshell either. Both Avast! & AVG have Linux versions. I'm going to try them out when I get around to setting up a new Puppy Linux boot flash drive. Also never discount the user's ability to FUBAR a system; no matter if it's Linux or AppleOS, they will find a way to mess things up.

    http://www.avast.com/linux-home-edition

    http://free.avg.com/us-en/download

  • SynthesisSynthesis Honda Today! Registered User regular
    edited June 2011
    Sorry for the lack of input, advice, or updates recently. I've been traveling, and out of the loop because of that.

    Anyhow, here's a little tidbit I've been expecting for some time now. Malware that disguises itself as Microsoft Update in order to launch its social engineering attack. Nothing particularly shocking about the payload, but again, the targets are shifting here in terms of fooling the end user.

    This particular nasty is set to look like the Windows XP update protocol. I wouldn't bet against our seeing Windows 7 and OS X variants popping up soon. These might not be enough to fool savvy users, but I can see their being very confusing for laymen.

    Curious that it's just Firefox, apparently? I imagine that won't stay the case for long. Thanks for the heads up, even though I no longer use Firefox.

  • khalathaskhalathas Registered User
    edited June 2011

    Damn, thanks for sharing. It makes me wonder if the second infection occurred as a result of the first one opening a backdoor, or if it was a separate compromise. Nevertheless, the TDL3 infection on the boot service VolSnap is scary enough, but the TDL4 in the HDD (I presume the MBR?) is just double bad.

    Did you catch this in safemode without networking, running TDSSkiller from there? Or did you boot to another partition/removable media? I'm impressed TDSSkiller can catch/clean something from the MBR! Sadly, it looks like there's no x64 version of the software. Considering how x64 rootkits are alive, well, and growing, I hope some decent anti-rootkit solutions emerge for x64 systems soon.

    I did this one from safe mode, no networking, booting off the infected drive itself. TDSSKiller cannot currently scan a target drive, it has literally no options. However, it can manage to clean the MBR of the very drive it boots off of (requiring a reboot to rewrite the MBR of course).

    No clue if the infections were linked or separate and coincidental...but both are purged. Computer's been fine since.

    I've also noticed that Malwarebytes AntiMalware has *some* TDSS recognition in its current engine, as does SuperAntiSpyware and of course Microsoft Security Essentials. However, TDSSkiller is still the go-to tool for actually removing them... MSE seems to detect it but fail to remove it (it shows up as Alureon in MSE).

  • TetraNitroCubaneTetraNitroCubane Registered User regular
    edited June 2011
    Zilla360 wrote: »
    Ended up nuking W32.Ramnit from orbit. I even tried the programmer's own back-door registry setting that was supposed to disable its propagation, and failed.

    I read the synopsis you linked to earlier in the thread: Nasty, nasty little thing, that. Any infection that corrupts and nests inside your files in a self-propagating way is a double-pain to deal with, since it makes backing up extremely difficult... And cleaning even moreso. I think the nuke from orbit was the right choice.
    Synthesis wrote: »
    Curious that it's just Firefox, apparently? I imagine that won't stay the case for long. Thanks for the heads up, even though I no longer use Firefox.

    I was curious about that too, but it seems to be a recent trend. There was a report not too long ago about impersonating the Firefox security warnings specifically. Gone are the days of Firefox being the bulletproof browser. Indeed, I don't think any browser is safe these days, if used inappropriately.
    khalathas wrote: »
    I did this one from safe mode, no networking, booting off the infected drive itself. TDSSKiller cannot currently scan a target drive, it has literally no options. However, it can manage to clean the MBR of the very drive it boots off of (requiring a reboot to rewrite the MBR of course).

    No clue if the infections were linked or separate and coincidental...but both are purged. Computer's been fine since.

    I've also noticed that Malwarebytes AntiMalware has *some* TDSS recognition in its current engine, as does SuperAntiSpyware and of course Microsoft Security Essentials. However, TDSSkiller is still the go-to tool for actually removing them... MSE seems to detect it but fail to remove it (it shows up as Alureon in MSE).

    Thanks! I'll be keeping this in mind. I'm still a bit irked that no x64 version of TDSSKiller (or any good Anti-Rootkit) exists, but nevertheless this is good information. I think HitMan Pro might also know how to target TDL3/4, but I'm not sure if it's been keeping up with the nasty's evolution.

    In other news: Lulzsec has been busy again this morning. I don't have a direct link to a story, but after encouraging their followers to flood /b/ on 4chan, they 'rewarded' them by releasing a grab-bag of about 62,000 email credentials. Apparently Facebook and WoW accounts have been compromised as a result.

    Yesterday they targeted CIA.gov for a DDoS, which has apparently garnered some ire from another hacker, who claims to be targeting them now.

  • acidlacedpenguinacidlacedpenguin Registered User regular
    edited June 2011
    Zilla360 wrote: »
    Ended up nuking W32.Ramnit from orbit. I even tried the programmer's own back-door registry setting that was supposed to disable its propagation, and failed.

    I read the synopsis you linked to earlier in the thread: Nasty, nasty little thing, that. Any infection that corrupts and nests inside your files in a self-propagating way is a double-pain to deal with, since it makes backing up extremely difficult... And cleaning even moreso. I think the nuke from orbit was the right choice.
    Synthesis wrote: »
    Curious that it's just Firefox, apparently? I imagine that won't stay the case for long. Thanks for the heads up, even though I no longer use Firefox.

    I was curious about that too, but it seems to be a recent trend. There was a report not too long ago about impersonating the Firefox security warnings specifically. Gone are the days of Firefox being the bulletproof browser. Indeed, I don't think any browser is safe these days, if used inappropriately.
    khalathas wrote: »
    I did this one from safe mode, no networking, booting off the infected drive itself. TDSSKiller cannot currently scan a target drive, it has literally no options. However, it can manage to clean the MBR of the very drive it boots off of (requiring a reboot to rewrite the MBR of course).

    No clue if the infections were linked or separate and coincidental...but both are purged. Computer's been fine since.

    I've also noticed that Malwarebytes AntiMalware has *some* TDSS recognition in its current engine, as does SuperAntiSpyware and of course Microsoft Security Essentials. However, TDSSkiller is still the go-to tool for actually removing them... MSE seems to detect it but fail to remove it (it shows up as Alureon in MSE).

    Thanks! I'll be keeping this in mind. I'm still a bit irked that no x64 version of TDSSKiller (or any good Anti-Rootkit) exists, but nevertheless this is good information. I think HitMan Pro might also know how to target TDL3/4, but I'm not sure if it's been keeping up with the nasty's evolution.

    In other news: Lulzsec has been busy again this morning. I don't have a direct link to a story, but after encouraging their followers to flood /b/ on 4chan, they 'rewarded' them by releasing a grab-bag of about 62,000 email credentials. Apparently Facebook and WoW accounts have been compromised as a result.

    Yesterday they targeted CIA.gov for a DDoS, which has apparently garnered some ire from another hacker, who claims to be targeting them now.

    wait, you mean people actually use real email addresses on 4chan?

  • TetraNitroCubaneTetraNitroCubane Registered User regular
    edited June 2011
    wait, you mean people actually use real email addresses on 4chan?

    Sorry, I phrased that poorly. What happened was that Lulzsec prompted their followers on Twitter to mob /b/ this morning. They encouraged everyone to visit and post, mostly for the purpose of irritating the regulars there (They said "Ask how to Triforce" and "Post about Boxxy", both things designed to piss off /b/, I believe). When the flooding of /b/ reached their satisfaction, they released a list of ~62,000 email account logins and passwords from an unrelated hack, harvested from a variety of different servers. It was sort of a 'reward' from them to those they egged on to flood /b/, rather than a breach of 4chan itself.

    Also, given their boasting in the past, it sounds like they've got some mechanism set up to drive-by infect people browsing 4chan and /b/, so I'm guessing the flood was something that worked in their favor to recruit new bots to their network. That's just speculation on my part, though.

    Changing topics slightly, to the subject of Anti-Rootkit technology. There's a new build of Hitman Pro that went live this morning. Among the new features included is a bit of tech they call Cloud Assisted Miniport Hook Bypass, which is essentially a method of scanning the MBR for infections from within the afflicted system.
    Now in order to read the actual infected MBR you need to get around the rootkit's filtering mechanism.

    For this you need to know two things:

    1.) The hard disk miniport driver that is hooked (e.g. atapi.sys, iaStor.sys, nvstor32.sys, amdsata.sys, etc.)

    2.) How the rootkit is hooking into it

    When you know the exact hard disk driver that is in use, you are able to communicate directly with it, reading around the hooks of the rootkit.

    The problem is that there are literally thousands of different brands, types and versions of hard disk drivers and they all need to be addressed differently. This is where Cloud Assisted Miniport Hook Bypass comes in.

    Cloud Assisted Miniport Hook Bypass collects hard disk miniport driver information from clean computers and stores a representation of this information (a fingerprint of a few bytes) in the Cloud. When Hitman Pro detects a hook on the hard disk driver, it consults the Cloud on how to work around it. This allows Hitman Pro to read around the rootkit's filtering and effectively read the actual infected sectors. This works for ANY hard disk driver and not just the common ones.

    If this works in practice, then it will be a nice tool indeed for the x64 platforms. Particularly since, I believe, Hitman will remove rootkits for free. As always, your mileage may vary. I'll be testing the new build tonight to see what it comes up with.

  • Bobkins FlymoBobkins Flymo FF69B4 Registered User, Moderator mod
    edited June 2011
    Okay, so I have that stupid DHCP bullshit. I have run so many various scanners that I've lost track, including TDSS Killer and Rkill. My only assumption is that my roommate's PC is infected, which is going to be fun because he's even more computer illiterate than I am. But I am way more active on the internet, so I assumed it'd be me if anyone. But man, I am coming empty except for a tiny bit of malware MBAM and Avast found.

  • ueanuean Registered User regular
    edited June 2011
    khalathas wrote: »
    Needed to give everyone a heads up. TDSS has evolved again.
    http://www.securelist.com/en/blog/208188095/TDSS_loader_now_got_legs

    It now includes a DHCP server and a self-propagating worm component.

    I just finished two and a half days of work at a site infected by the Worm:Win32.Rorpian.B. Woop woop.

    Ended up reimaging every single desktop.

    Culprit? Everything you read in that article. A user somehow stumbled into it and opted to Update their browser (despite the glaring 'download<dot>phpnuke<dot>org' at the top of the page) which I believe is what brought it in. Microsoft Security Essentials can actually detect and remove the worm part of it, malwarebytes doesn't see it, ComboFix can see the loadpoints but can't do anything about it, and the latest version of TDSSKiller comes up blank.

    I followed instructions from here --> http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7473 which was excellent. Particularly, this little rogue DHCP finder here --> http://www.softpedia.com/get/Network-Tools/Network-IP-Scanner/DHCP-Find.shtml

    More info --> http://blog.mxlab.eu/2011/03/27/%E2%80%9Cunited-parcel-service-notification-48161%E2%80%9D-from-ups-contains-trojan/

    More info --> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRorpian&ThreatID=160608

    It also managed to bring in a ton of other stuff, namely kufgal.B --> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FKufgal.B and Lightroom, which I don't have any info on, but coupled with everything else I found onsite I just decided to nuke everything from orbit. I brought down the internet, spent some time on the server making sure everything was ok, went around to the clean desktops and installed the relevant XP patches and got everything up to date, disconnected the infected DTs from the network, then blew them all away, patched, and got everything back up and running cleanly this afternoon. Awful experience.

    The killer... I'd been hounding the client for months to renew their IPS/firewall subscription (expired in April, Sonicwall TZ210) which I'm sure would have intercepted the bad packets, or at least put a stop to the rogue DHCP.

    Anyway. Yeah. Nasty bugger!

  • ueanuean Registered User regular
    edited June 2011
    uean wrote: »
    So now TDSS will basically try to infect any machine on the local network. That thing is getting more and more vicious by the day. I'm dreading the day it starts targeting intermediaries like routers, or the like. Fortunately, it still looks like it's exploiting social engineering to spread from one machine to another, by rerouting to malicious pages and trying to convince the user to install the payload... But still, that rootkit is the stuff of nightmares.

    Unrelated: Hey hey, everyone! I can't think of anything witty to preface this today, so I'll just lay it on out there. In a downright shocking turn of events, a vulnerability has been discovered in Flash! So fire up those downloads and patch yourself up.

    Urk!!! I ran TDSSKiller yesterday and found a rootkit on a system. I've always been curious, so I'll ask here - find a nasty bugger like this, is imaging the machine safe, or a full ntfs format and reinstall necessary?

    Quote for lolz (though this was an entirely different client)

  • TetraNitroCubaneTetraNitroCubane Registered User regular
    edited June 2011
    Rorus, if you can, I'd advise or assist your roommate with using a LiveCD or a RescueCD to scan the computer in question. Hopefully by booting to one of those disks, you'll be able to circumvent the bootkit behavior of TDL3/4, and you'll be able to uncover the infection much more effectively. Alternatively, you can wait for build 124 of Hitman Pro to go live, which should presumably be able to detect those bootkit infections. Sorry you're still fighting this thing.

    From that, and your experiences uean, TDL3/4's new DHCP capabilities sound like a nightmare and a half. Good gravy, but in a corporate environment that's going to raise hell.

    Thanks for all the information and links, uean. I think in the end doing a nuke from orbit was the best way to handle things, even if it was a headache. If it's at all possible, I would strongly recommend restricting the privileges of your users, either by reverting them to limited accounts, or else by making sure their browsers and email applications are all running under reduced rights (with tools like DropMyRights). Hopefully if you can do one of those two things, then your users won't be able to contaminate your network, because they won't have the ability to install new software.

    A Software Restriction Policy is ideal in these situations, but often times after implementing it the complaints of the users are more annoying than the infections they would otherwise cause.

  • OrcaOrca Registered User regular
    edited June 2011
    On the MSDN DropMyRights page O_o

    IC60006.gif

  • TetraNitroCubaneTetraNitroCubane Registered User regular
    edited June 2011
    Orca wrote: »
    On the MSDN DropMyRights page O_o

    IC60006.gif

    I had not noticed that at all. If I could furrow my brow disapprovingly over the internet, I would.

    That's a weird place for the program to run from regardless of personal directory structure. I wonder if it's just the default download location.

  • Dark ShroudDark Shroud Registered User regular
    edited June 2011
    It might sound silly but I would recommend you guys switching your DNS servers. I had a laptop with over 3000 infections in it. Many items were spamming the desktop as well. These things tend to load their own DNS if they're able to. OpenDNS helped me on that one; my preference is DynDNS since they block known malicious sites via the Barracuda hardware their network uses.

  • ueanuean Registered User regular
    edited June 2011
    Lol. Client paid for their firewall subscription quite promptly :) Back up and running like it should; now all I'm getting is complaints that facebook is down and there is another virus that redirects facebook to some weird Sonicwall page *snicker*

  • Professor SnugglesworthProfessor Snugglesworth Are You Satisfied?Registered User regular
    edited June 2011
    No recommendations for Spybot? Been using it for years.

  • CantidoCantido Registered User regular
    edited June 2011
    Jeez, it just took me two hours to get the fake Vista Antivirus 2012 spyware off her machine. I couldn't go to the internet and look for help, and I couldn't install Spyware Doctor via a Flash Drive.

    Turning on Safe Mode allowed me to install SD. Then leaving Safe Mode, I figured out the virus was named vas.exe or something and was repeatedly turning off the process while trying to update Spyware Doctor. It finally cured her machine and she is now saving her pennies for Windows 7.

    I have Windows Essentials but I don't really know how to use it. But that's because it's not as intrusive as SD. Can anyone compare the two?

  • TetraNitroCubaneTetraNitroCubane Registered User regular
    edited June 2011
    No recommendations for Spybot? Been using it for years.

    Spybot is largely considered outdated these days. Malwarebytes Antimalware has supplanted it for removal of malware, for the most part. I know a new version is in the works and is soon to be released, but I'm not sure about the specifics.

    I still use Spybot myself, but largely for the immunization feature. TeaTimer is (and always has been) more trouble than it's worth. For the same functionality something like WinPatrol is much, much better.
    Cantido wrote: »
    Jeez, it just took me two hours to get the fake Vista Antivirus 2012 spyware off her machine. I couldn't go to the internet and look for help, and I couldn't install Spyware Doctor via a Flash Drive.

    Turning on Safe Mode allowed me to install SD. Then leaving Safe Mode, I figured out the virus was named vas.exe or something and was repeatedly turning off the process while trying to update Spyware Doctor. It finally cured her machine and she is now saving her pennies for Windows 7.

    I have Windows Essentials but I don't really know how to use it. But that's because it's not as intrusive as SD. Can anyone compare the two?

    Spyware Doctor is a malware scanner that operates on demand, I believe. Microsoft Security Essentials is a resident on-access antivirus scanner that's always running. They're different solutions, mostly because MSE is an always-on preventative measure in addition to being a removal tool. Also, it's usually safe to run one antivirus and any on-demand antimalware together - I've been using MBAM with ESET for years now.

    If you've downloaded and installed MSE, just make sure you keep it up to date and allow it to run a scan at least once a week, and you should be good (at least on the antivirus end of things).

    When combating nasties like the horrid one you just faced, it tends to get tricky to remove them when they're fully in control of the system. As always, a complete reformat and reinstall is a good idea if you can manage it (it's the safest, fastest way). The next option is to boot from some other media (LiveCD/RescueCD/bootable USB) and scan the afflicted drive from a different operating system - Then the infection can't launch and make your life hell. A third option is to combat resident malware with RKill to terminate it before scanning.

  • Bobkins FlymoBobkins Flymo FF69B4 Registered User, Moderator mod
    edited June 2011
    I keep getting errors when trying to install MSE. Various fixes I've read up on have not solved the problem.

    Regarding my roommate, it's annoying because he works 12 hours a day most of the week and we tend to have very different schedules. What's more worrisome is that he has not complained at all about being unable to use the internet, so I'm thinking he probably clicked the "Update Browser" button.

  • CantidoCantido Registered User regular
    edited June 2011
    No recommendations for Spybot? Been using it for years.

    Spybot is largely considered outdated these days. Malwarebytes Antimalware has supplanted it for removal of malware, for the most part. I know a new version is in the works and is soon to be released, but I'm not sure about the specifics.

    I still use Spybot myself, but largely for the immunization feature. TeaTimer is (and always has been) more trouble than it's worth. For the same functionality something like WinPatrol is much, much better.
    Cantido wrote: »
    Jeez, it just took me two hours to get the fake Vista Antivirus 2012 spyware off her machine. I couldn't go to the internet and look for help, and I couldn't install Spyware Doctor via a Flash Drive.

    Turning on Safe Mode allowed me to install SD. Then leaving Safe Mode, I figured out the virus was named vas.exe or something and was repeatedly turning off the process while trying to update Spyware Doctor. It finally cured her machine and she is now saving her pennies for Windows 7.

    I have Windows Essentials but I don't really know how to use it. But that's because it's not as intrusive as SD. Can anyone compare the two?

    Spyware Doctor is a malware scanner that operates on demand, I believe. Microsoft Security Essentials is a resident on-access antivirus scanner that's always running. They're different solutions, mostly because MSE is an always-on preventative measure in addition to being a removal tool. Also, it's usually safe to run one antivirus and any on-demand antimalware together - I've been using MBAM with ESET for years now.

    If you've downloaded and installed MSE, just make sure you keep it up to date and allow it to run a scan at least once a week, and you should be good (at least on the antivirus end of things).

    When combating nasties like the horrid one you just faced, it tends to get tricky to remove them when they're fully in control of the system. As always, a complete reformat and reinstall is a good idea if you can manage it (it's the safest, fastest way). The next option is to boot from some other media (LiveCD/RescueCD/bootable USB) and scan the afflicted drive from a different operating system - Then the infection can't launch and make your life hell. A third option is to combat resident malware with RKill to terminate it before scanning.

    Ah, the virus came back regardless of Spyware Doctor finding a lot of crap and killing it all. When it came back, Spyware Doctor quarantined it....and I lost explorer.exe.

    So now we're backing up everything because her usb port started working again, and we're putting Windows 7 on it. It will at least buy her 30 days of a working computer while she saves up.

  • Professor SnugglesworthProfessor Snugglesworth Are You Satisfied?Registered User regular
    edited June 2011
    No recommendations for Spybot? Been using it for years.

    Spybot is largely considered outdated these days. Malwarebytes Antimalware has supplanted it for removal of malware, for the most part. I know a new version is in the works and is soon to be released, but I'm not sure about the specifics.

    I still use Spybot myself, but largely for the immunization feature. TeaTimer is (and always has been) more trouble than it's worth. For the same functionality something like WinPatrol is much, much better.

    Interesting. Perhaps I'll switch to that instead.

    In any event, for adequate security, would I have to install one of each program in the OP, or just stick to a specific handful?

  • TetraNitroCubaneTetraNitroCubane Registered User regular
    edited June 2011
    Cantido wrote: »
    Ah, the virus came back regardless of Spyware Doctor finding a lot of crap and killing it all. When it came back, Spyware Doctor quarantined it....and I lost explorer.exe.

    So now we're backing up everything because her usb port started working again, and we're putting Windows 7 on it. It will at least buy her 30 days of a working computer while she saves up.

    Sorry to hear that the cleaning didn't kill the bastard. For what it's worth, though, reinstalling is the best way to ensure the system is clean. Plus, Windows 7 is super nice. Just make sure when you're done reinstalling that you get all the patches. Service Pack 1 is pretty essential at this point.

    It's also the perfect time to set up a limited user account for added security, if you're comfortable with that.
    Interesting. Perhaps I'll switch to that instead.

    In any event, for adequate security, would I have to install one of each program in the OP, or just stick to a specific handful?

    Definitely keep Spybot around if you like it (it's not terrible, and like I said, the Immunize function is nice), but MBAM won't hurt anything if you install it.

    Also, most of the software in the OP are tools for specific purposes, so don't pull your hair out trying to install one of each of them, by any means! You're not likely to need a rootkit scanner on a regular basis, for instance. I've been meaning to write up a 'layered security guide', for the purpose of explaining what's what, but I've been struggling with a proper way to visualize it.

    Each person is going to be comfortable with a different setup, so it's really quite difficult to give a configuration that pleases everyone. For a quick rundown of what I'd consider effective but minimal (and noting that these suggestions contain my bias):
    • (Essential) - Have at least one regularly updated antivirus suite running at all times. Do not have more than one active-scanning (i.e. always running) antivirus running simultaneously.

    • (Essential) - Run a weekly scan with MalwareBytes Antimalware. Installing a copy of this is something everyone should do. It's free, effective, and lightweight. As an on-demand scanner, it won't run unless you tell it to.

    • (Essential) - Configure your browser to block or whitelist javascript and plugins. Also, use an ad-blocker of some sort. How you do this depends on what browser you're using, but all of the major browsers should have a method.

    • (Essential) - Configure your browser NOT to auto-open downloaded files. Especially PDFs.

    • (Essential) - Always update your browser, and operating system, as soon as possible. Ditto Flash.

    • (Optional but recommended) - If you can stomach it (and it's really quite easy) look into a method of sandboxing your web-facing applications, particularly your browser. It's also recommended to run as a limited user instead of an administrator.

    So, tl;dr: Have an up to date antivirus, up to date antimalware scanner, and a securely configured browser with script, flash, and ad blocking. If you can, run from a limited user account, and use sandboxing.

  • khalathas Registered User
    edited June 2011
    Needless to say, you always need your security definitions up to date, as they pick up the most with recent databases and engines...

    Amusingly enough, it's actually getting to be faster for me to clean fake antivirus infections MANUALLY than for cleanup utilities to do it for me... but that's because they're all variants of the same core that operate mostly the same way (with a very few variants in apparent destructive behavior).

    First off, of course, boot into safe mode (no networking). Run TDSSKiller to clear up any potential tdss rootkit infections.

    Then, usually executables will be hijacked. Browse to \Windows\System32\, copy regedit.exe and paste it immediately, then rename the copy to regedit.com (bypassing the .exe hijack). Run regedit.com, browse to hkey_classes_root\.exe and hkey_classes_root\exefile, and under BOTH of these, go to shell\open\command and change the default to: "%1" %* (if your keys have been hijacked, there will be a path to an executable here before that string. This tells you where the infection resides).

    After purging it from both keys, browse to the location of the infection (usually in <user>\appdata\local\ or <user>\local\temp\, or sometimes in \programdata\).

    The file will almost always be hidden AND system-flagged, so just set the folder view to show hidden files AND show protected system files. Purge the infection files, which will usually be a 3-letter random string + extension, like uhh.exe AND another longer-named exe with a random string like 8g8fhsd3sf.exe which should also be accompanied by an identical-named .dll, .sys, or .tmp file. Look at last modified or creation dates in the folder you found the infection, just to make sure you get rid of any other suspicious files.

    Once purged, you'll also need to run msconfig, go to the startup tab, and remove the autorun item that launches the trojan.

    Depending on the apparent damage caused by the hijacks, taskmgr, the desktop, and even icons and shortcuts may all be disabled.

    taskmgr and desktop are generally disabled via Policy settings, so in regedit (you still need to use the .com version until you reboot so that the classes hive can be properly reloaded), you need to browse to both hkey_current_user AND hkey_local_machine as follows: \software\microsoft\windows\currentversion\policies\ (same path in both hives), and look for any policies that disable things you need, such as disabletaskmgr set to 1 (to enable it again, set this to 0) or disableDesktop 1 (set to 0 of course). If the keys aren't in either of those policies, then you don't have to worry about them.

    Hidden shortcuts and files can be taken care of at a command prompt, by navigating to the drive root (usually with "cd \"), and running the following command: attrib -h /s /d *
    This unhides any file that's set to hidden OTHER than system files, anywhere in the system, so only do it if your infection actually SET all files to hidden. (it isn't harmful, it just makes hidden things show up).

    If this doesn't restore desktop icons, right click the desktop and make sure "show desktop icons" is enabled.

    Also, in your start menu, if your folders are there, but the shortcuts inside them aren't hidden but gone ENTIRELY, some infections actually move them to a temp structure buried in <user>\appdata\local\temp\<infection folder>\1 \2 \4 and other such named folders. If you can't find them, just do a search for *.lnk within the user profile directory itself (not the entire drive).

    After all is said and done, a reboot, back into safe mode, and then run a scan with malwarebytes antimalware (or your cleaner of choice), should pick off any remnants.

    Sad that I could write this entirely from memory, having done it so many times...

    If your infection manages to respawn itself after THIS, then you've got something ELSE respawning it. microsoft security essentials should be able to pick up what that might be (there is a virus going around lately that infects explorer.exe, winlogon.exe, and wininit.exe that acts as a dropper for other malware).
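    An added example (not khalathas's or the thread's code) of scripting the registry half of the check above: it parses a `reg export`-style .reg dump, reports any executable wedged in front of the `"%1" %*` default on the .exe/exefile open commands, and lists non-zero DWORDs under the Policies keys such as DisableTaskMgr. The sample .reg text and every path in it are constructed; using it on a real box assumes you export those keys with `reg export` first.

```python
import re

# Constructed sample of what `reg export` produces for the keys walked through
# above, on a machine whose .exe association has been hijacked (paths made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\victim\\AppData\\Local\\uhh.exe\" -a \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

CLEAN_COMMAND = '"%1" %*'          # what both keys carry on a clean system
ASSOC_KEYS = (r'hkey_classes_root\.exe\shell\open\command',
              r'hkey_classes_root\exefile\shell\open\command')

def decode_value(raw):
    """Turn one .reg value literal into a Python int (dword) or str."""
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        # .reg escapes backslash and double quote with a backslash
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw

def parse_reg(text):
    """Parse .reg text into {key_path_lowercased: {value_name: value}}; '@' is (Default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else m.group(2)
            keys[current][name] = decode_value(m.group(3))
    return keys

def find_exe_hijacks(keys):
    """Map each hijacked association key to the executable wedged in front of "%1" %*."""
    hijacks = {}
    for key in ASSOC_KEYS:
        cmd = keys.get(key, {}).get('@')
        if cmd is None or cmd == CLEAN_COMMAND:
            continue                      # key absent or already clean
        m = re.match(r'^"?(.+?\.exe)"?', cmd, re.IGNORECASE)
        hijacks[key] = m.group(1) if m else cmd
    return hijacks

def find_restrictive_policies(keys):
    """List (key, name, value) for every non-zero DWORD under a CurrentVersion Policies key."""
    return [(key, name, value)
            for key, values in keys.items() if r'\currentversion\policies' in key
            for name, value in values.items() if isinstance(value, int) and value]
```

    On the sample, find_exe_hijacks points at the constructed uhh.exe path and find_restrictive_policies flags DisableTaskMgr=1; a clean `"%1" %*` value returns nothing.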

  • TetraNitroCubane Registered User regular
    edited June 2011
    Thanks for the rundown, khalathas. The fact that you have such an in-depth technique committed to memory does indeed speak to the special kind of hell you must endure daily. My condolences for that, but again my thanks for sharing your knowledge!

    In other news: Today Lulzsec has launched what they term Operation Anti-Sec, though its connection to the Antisec Movement feels tenuous at best. They've begun DDoSing government servers, and are calling publicly for attacks on banks, and other government installations.

    Meanwhile, Gabe and Tycho discuss the recent rash of hacking exploits on the web! (Tangentially related, but hey, how often do we get to post comics in this thread?)

  • khalathas Registered User
    edited June 2011
    Thanks for the rundown, khalathas. The fact that you have such an in-depth technique committed to memory does indeed speak to the special kind of hell you must endure daily. My condolences for that, but again my thanks for sharing your knowledge!

    Amusingly enough, it isn't a special kind of hell. It's my job. I'm a tech at a computer repair center, so this is the standard problem about 80% of our clients bring in for us to fix. If I had the time, I'd script the entire repair, but just haven't yet.

    Hope it helps anyone who has to face the slew of fake antivirus trojans out there...seems to be almost epidemic-level lately. ^_^

  • TetraNitroCubane Registered User regular
    edited June 2011
    Getting paid certainly makes that a more bearable burden, to be sure. And yeah, as in the past, the malware authors seem more adept at changing their payloads and exploits than the security firms are at detecting them.

    Also: For those of you who use Sandboxie, I thought it was worth mentioning that Tzuk released version 3.56 recently. The noteworthy aspect of this release is that it contains Experimental x64 Kernel Protection. When activated, these measures make the x64 version of Sandboxie as secure as the x86 version. When x64 Windows was still relatively new, some of you might remember that Patch Guard made it difficult for security software of all stripes to defend against rootkits and the like - Tzuk apparently found a way around this.

    It's a nice feature, and one that drastically improves the security of the x64 version of Sandboxie... But it should be approached with some mote of caution. If Tzuk has tweaked the kernel in any way, it stands to reason that the next time Microsoft releases a kernel update for Patch Guard, this experimental protection could cause BSoD crashes without warning (That's what Patch Guard does - crash the system when the kernel is modified).

    I'm running with it for now, though, so I'll update this thread for sure if it ever happens.

  • The Raging Platypus Registered User regular
    edited June 2011
    khalathas wrote: »
    Thanks for the rundown, khalathas. The fact that you have such an in-depth technique committed to memory does indeed speak to the special kind of hell you must endure daily. My condolences for that, but again my thanks for sharing your knowledge!

    Amusingly enough, it isn't a special kind of hell. It's my job. I'm a tech at a computer repair center, so this is the standard problem about 80% of our clients bring in for us to fix. If I had the time, I'd script the entire repair, but just haven't yet.

    Hope it helps anyone who has to face the slew of fake antivirus trojans out there...seems to be almost epidemic-level lately. ^_^

    No kidding - one of my co-workers just got nailed by one (Security Shield 2011 - bunch of fucking wankers), and now I can't even get his computer to boot up properly. It just gets stuck on black screen with a blinking cursor on the top left.

    Looks like I'll probably have to pick up a new hard drive and start over, because if I can't even boot to safe mode, then I think his comp is SOL.

  • Orca Registered User regular
    edited June 2011
    Nah, that means it's time to boot from clean media: e.g. a CD. There aren't many viruses or trojans that will take over your BIOS, and even if it does, usually there's a backup copy you can reflash if you short the right jumpers.

  • Dark Shroud Registered User regular
    edited June 2011
    khalathas wrote: »
    Thanks for the rundown, khalathas. The fact that you have such an in-depth technique committed to memory does indeed speak to the special kind of hell you must endure daily. My condolences for that, but again my thanks for sharing your knowledge!

    Amusingly enough, it isn't a special kind of hell. It's my job. I'm a tech at a computer repair center, so this is the standard problem about 80% of our clients bring in for us to fix. If I had the time, I'd script the entire repair, but just haven't yet.

    Hope it helps anyone who has to face the slew of fake antivirus trojans out there...seems to be almost epidemic-level lately. ^_^

    No kidding - one of my co-workers just got nailed by one (Security Shield 2011 - bunch of fucking wankers), and now I can't even get his computer to boot up properly. It just gets stuck on black screen with a blinking cursor on the top left.

    Looks like I'll probably have to pick up a new hard drive and start over, because if I can't even boot to safe mode, then I think his comp is SOL.

    What you need to do is make a rescue flash drive or cd to boot from. Then either go to a site with a hosted virus scanner or use Avast! & AVG's linux versions. Do not waste your time with ClamAV.

    I recommend Puppy Linux as it was designed for booting from portable media.

  • Oghulk Registered User regular
    edited June 2011
    So out of curiosity what do you guys think of Trend Micro?

    It decided to block Malware Bytes when I attempted to scan it this evening. I think I'm going to just uninstall it and get microsoft security essentials if that's the best thing right now.

  • TetraNitroCubane Registered User regular
    edited June 2011
    Yeah, as others have said, Platypus, you should be able to boot from a disk or USB stick in order to proceed. I'd suggest doing so from the Windows installation CD, formatting, and reinstalling - but Live and RescueCD options should also be available for cleaning should you so wish. Take Shroud's advice and avoid ClamAV - it's useless.
    Oghulk wrote: »
    So out of curiosity what do you guys think of Trend Micro?

    It decided to block Malware Bytes when I attempted to scan it this evening. I think I'm going to just uninstall it and get microsoft security essentials if that's the best thing right now.

    Color me completely surprised. Apparently there are a number of posts and stories around the net that Trend Micro is incompatible with MalwareBytes. If this is in fact the case, and hasn't been resolved, I would highly recommend moving away from Trend. Blocking MalwareBytes seems ridiculous. While there's really not a 'best' antivirus, with other protective measures in place (script blocking, adblocking) MSE is going to do a fine job.

    On the lighter side of security (relatively speaking), it's always a good idea to treat IT professionals with respect. Otherwise, something like this might happen.
    52-year-old Walter Powell used to be an IT manager at Baltimore Substance Abuse System Inc, until he was fired in 2009. Clearly someone who believed that revenge should be served red hot, Powell used his computer knowledge to hack into his former employer's systems from his home and install keylogging software to steal passwords.

    On one occasion, Powell took remote control of his former CEO's PowerPoint presentation to the board of directors, and projected pornographic images on the 64 inch TV.

  • Xeddicus Registered User regular
    edited June 2011
    That is awesome assuming a) He wasn't fired for a reason b)He didn't end up in jail/fined into oblivion.

  • Dark Shroud Registered User regular
    edited June 2011
    He got 3 years probation, 2 years commuted, and 100 hours of community service.

  • khalathas Registered User
    edited June 2011
    No kidding - one of my co-workers just got nailed by one (Security Shield 2011 - bunch of fucking wankers), and now I can't even get his computer to boot up properly. It just gets stuck on black screen with a blinking cursor on the top left.

    Looks like I'll probably have to pick up a new hard drive and start over, because if I can't even boot to safe mode, then I think his comp is SOL.

    I'm gonna go with my gut on this one. Boot into a rescue environment (miniXP is great), run a nice lil program called BootICE, and use it to rebuild the MBR. I'm gonna further bet that TDSS hosed it when it tried to write to the boot sector. After you revive windows, just safe mode and run a scan for it per instructions above.

    The drive probably isn't dead, it's just got its boot information hosed up. It's repairable in the best case, and at worst, a repair/reinstall of the OS should do the trick.

  • TetraNitroCubane Registered User regular
    edited June 2011
    There's a new Boot/Rootkit making the rounds that some security firms are calling "Popureb". The latest variant, labeled as Trojan:Win32/Popureb.E by Microsoft, is apparently a royal pain in the MBR. Microsoft's official word on the subject is:
    MS Technet wrote:
    If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".

    Other news outlets are misrepresenting the advice as Microsoft saying you need to reformat/reinstall, but it seems that MBR repair and system restore will do the trick.

    Personally, though I know it's possible to restore a system without reformatting, I'd still recommend a complete disk wipe and reinstall in a situation like this. However, I did find it quite interesting that the Microsoft System Recovery Console has a 'fixmbr' command. That could be quite useful in a pinch!

  • autono-wally, erotibot300 love machine Registered User regular
    edited June 2011
    my sister got tdss on her computer, malwarebytes found and removed it.. how good should I sleep without reinstalling everything? :P
