[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


  • Zilla360, 21st Century. |She/Her| Trans* Woman In Aviators Firing A Bazooka. ⚛️, Registered User regular
    edited June 2011
    Hah, show how few people actually bother with MSRC these days I guess.

  • TychoCelchuuu, PIGEON, Registered User regular
    edited June 2011
    There's a new Boot/Rootkit making the rounds that some security firms are calling "Popureb". The latest variant, labeled as Trojan:Win32/Popureb.E by Microsoft, is apparently a royal pain in the MBR.

    Read that first as "poperub." Pictured someone rubbing the Pope. This has already been a very damaging virus for me.

  • uean, Registered User regular
    edited June 2011
    There's a new Boot/Rootkit making the rounds that some security firms are calling "Popureb". The latest variant, labeled as Trojan:Win32/Popureb.E by Microsoft, is apparently a royal pain in the MBR. Microsoft's official word on the subject is:
    MS Technet wrote:
    If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".

    Other news outlets are misrepresenting the advice as Microsoft saying you need to reformat/reinstall, but it seems that MBR repair and system restore will do the trick.

    Personally, though I know it's possible to restore a system without reformatting, I'd still recommend a complete disk wipe and reinstall in a situation like this. However, I did find it quite interesting that the Microsoft System Recovery Console has a 'fixmbr' command. That could be quite useful in a pinch!

    Sweet. I just used fixmbr today to repair a hosed image gone bad.

  • TL DR, Not at all confident in his reflexive opinions of things, Registered User regular
    edited June 2011
    my sister got tdss on her computer, malwarebytes found and removed it.. how good should I sleep without reinstalling everything? :P

    Kaspersky offers a free download 'TDSSKiller'. Works great.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited June 2011
    TL DR wrote: »
    my sister got tdss on her computer, malwarebytes found and removed it.. how good should I sleep without reinstalling everything? :P

    Kaspersky offers a free download 'TDSSKiller'. Works great.

    TDSSKiller is an excellent suggestion (though I believe it only works on x86 systems - could be wrong, but I'm not sure). Another measure you can take would be to boot from a LiveCD or USB stick and use a scanner from outside the OS, where the rootkit can't hide as easily.

    On the topic of TDSS/TDL, recently Kaspersky did an interesting write-up of the threat's evolution here. Some interesting tidbits include an examination of the affiliate program (i.e. people get paid to infect machines, to the tune of $20 - $200 per 1,000 infections, depending on region), and an analysis of the bootkit component of TDL, which includes its own antivirus to remove rival infections. The botnet is also controlled via a public P2P system, where newly infected machines automatically connect, and are then given specific instructions to connect to other TDSS infected machines - effectively creating a private P2P network which the malware authors control. Not only does control of such a network decentralize their command and control (meaning the network is harder to take out), but they've started to monetize the P2P network. By installing proxy-server type software on infected machines, TDL controllers are offering anonymous internet browsing for all who want to pay $100 a month. Essentially, if you pay for this service you connect to a proxy server that is (in actuality) someone else's infected computer. So activity from your end looks to be originating from the victim's IP.

    And perhaps the most notable element of the article? Kaspersky managed to penetrate the TDL botnet's command and control databases, where they found some interesting data:
    According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

    Good God Damn.

  • Orca, Also known as Espressosaurus Wrex, Registered User regular
    edited June 2011
    Holy fucking shit.

    Given those numbers, how would I go about ensuring I haven't in fact been infected? Running Malware Bytes and MSE right now and haven't seen any weird behaviors...but goddamn if that doesn't make me paranoid.

  • Samir Duran Duran, Registered User regular
    edited June 2011
    That is very interesting. Part of me admires the developers' resourcefulness.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited June 2011
    I know exactly how you feel, Orca. I'd say that there are a number of tools you can use, depending on your operating system, to check and see if anything suspicious is occurring. The first would be the lauded TDSSKiller, which Kaspersky recently confirmed DOES work on x64 systems. You can also try a scan with Hitman Pro, which has a good track record against TDL3/4. There are other solutions for rootkit scanning as well, including Sophos Antirootkit and GMER. I'd be wary, though, as GMER tends to be much more of a professional tool that can be hard to parse, and apparently Sophos tends to yield many false positives. Hitman is pretty straightforward, and people sing the praises of TDSSKiller constantly.

    Actually, to those of you who use TDSSKiller frequently, is it a pretty safe tool to employ on a system? Or are we talking about something like Combofix here, where you don't want to run it at all unless positively necessary? Combofix can mess your computer up proper if you run it when you don't need to.
    Samir Duran Duran wrote: »
    That is very interesting. Part of me admires the developers' resourcefulness.

    I have to agree. For as scary as the malware is, it's genius level amazing stuff. Evil genius, of course, but still impressive. TDL4 truly is a magnificent bastard.

  • khalathas, Computer Repair Technician, Sarasota, FL, Registered User regular
    edited July 2011
    tdsskiller is safe to run repeatedly if you so desire.

  • uean, Registered User regular
    edited July 2011
    TetraNitroCubane wrote: »
    I know exactly how you feel, Orca. I'd say that there are a number of tools you can use, depending on your operating system, to check and see if anything suspicious is occurring. The first would be the lauded TDSSKiller, which Kaspersky recently confirmed DOES work on x64 systems. You can also try a scan with Hitman Pro, which has a good track record against TDL3/4. There are other solutions for rootkit scanning as well, including Sophos Antirootkit and GMER. I'd be wary, though, as GMER tends to be much more of a professional tool that can be hard to parse, and apparently Sophos tends to yield many false positives. Hitman is pretty straightforward, and people sing the praises of TDSSKiller constantly.

    Actually, to those of you who use TDSSKiller frequently, is it a pretty safe tool to employ on a system? Or are we talking about something like Combofix here, where you don't want to run it at all unless positively necessary? Combofix can mess your computer up proper if you run it when you don't need to.
    That is very interesting. Part of me admires the developers' resourcefulness.

    I have to agree. For as scary as the malware is, it's genius level amazing stuff. Evil genius, of course, but still impressive. TDL4 truly is a magnificent bastard.

    TDSSKiller hardly ever finds anything. When it does, it gets rid of it. Never seen anything go wrong with it yet.

  • Zilla360, 21st Century. |She/Her| Trans* Woman In Aviators Firing A Bazooka. ⚛️, Registered User regular
    edited July 2011
    Whoa, Anon/AntiSec is really stepping up its game, they just completely owned the entirety of Arizona P.D.:
    [screenshot: anonvsarizonapd.png]
    That was up for a while, looks like they've gone and scrubbed the server now.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited July 2011
    Regarding TDSSKiller: Thanks for the input, guys. I'm certainly adding this one to the toolbox. I'm also thinking about trying to cobble together a good BootCD for emergencies. TDSSKiller would be a good thing to have around, I think, in those instances.
    Zilla360 wrote: »
    Whoa, Anon/AntiSec is really stepping up its game, they just completely owned the entirety of Arizona P.D.:
    [screenshot: anonvsarizonapd.png]
    That was up for a while, looks like they've gone and scrubbed the server now.

    Damn, they're still hitting the AZ PD? I had no idea that they were still targeting them after Lulzsec disbanded (and arguably diffused into Anon). That's... a pretty huge leak right there. I wonder if the media will cover the actual documents leaked, or just focus on the fact that the hack occurred. Either way, I imagine the AZPD and the associated entities involved are squirming in the wake of this breach. They really dug deep this time, and I'd imagine this leak will hurt quite a bit in the long run. To say nothing of the morality of the hack itself, some of the things that Anon/Lulzsec have uncovered and disclosed about these guys is patently shocking, and frankly disturbing.

    On the topic of Anon/Lulzsec claiming to be Antisec: I brought this up in the G&T Lulzsec thread, but it seems that they're completely missing the point of Antisec. Antisec isn't a 'Fuck the Power! Wooo Anarchy!' movement. It was a movement started in the late 1990s in order to censor the disclosure of vulnerabilities and exploits. Specifically for the purpose of preventing script kiddies from using that information. Considering that Lulzsec/Anon have been vocally anti-censorship, and considering that their tools during the Lulzsec storm were largely SQL injection and Remote File Inclusion attacks (i.e. attacks automated and enabled via methods AntiSec is about censoring), I have to wonder what the hell they actually have to do with AntiSec besides hijacking the term for their own purposes.

    The AntiSec 'manifesto' from Wikipedia is under the spoiler.
    The purpose of this movement is to encourage a new policy of anti-disclosure among the computer and network security communities. The goal is not to ultimately discourage the publication of all security-related news and developments, but rather, to stop the disclosure of all unknown or non-public exploits and vulnerabilities. In essence, this would put a stop to the publication of all private materials that could allow script kiddies from compromising systems via unknown methods.

    The open-source movement has been an invaluable tool in the computer world, and we are all indebted to it. Open-source is a wonderful concept which should and will exist forever, as educational, scientific, and end-user software should be free and available to everybody.

    Exploits, on the other hand, do not fall into this broad category. Just like munitions, which span from cryptographic algorithms to hand guns to missiles, and may not be spread without the control of export restrictions, exploits should not be released to a mass public of millions of Internet users. A digital holocaust occurs each time an exploit appears on Bugtraq, and kids across the world download it and target unprepared system administrators. Quite frankly, the integrity of systems world wide will be ensured to a much greater extent when exploits are kept private, and not published.

    A common misconception is that if groups or individuals keep exploits and security secrets to themselves, they will become the dominators of the "illegal scene", as countless insecure systems will be solely at their mercy. This is far from the truth. Forums for information trade, such as Bugtraq, Packetstorm, www.hack.co.za, and vuln-dev have done much more to harm the underground and net than they have done to help them.

    What casual browsers of these sites and mailing lists fail to realize is that some of the more prominent groups do not publish their findings immediately, but only as a last resort in the case that their code is leaked or has become obsolete. This is why production dates in header files often precede release dates by a matter of months or even years.

    Another false conclusion by the same manner is that if these groups haven't released anything in a matter of months, it must be because they haven't found anything new. The regular reader must be made aware of these things.

    We are not trying to discourage exploit development or source auditing. We are merely trying to stop the results of these efforts from seeing the light. Please join us if you would like to see a stop to the commercialization, media, and general abuse of infosec.

    Thank you.

  • Xeddicus, Registered User regular
    edited July 2011
    Even assuming they believe their 'manifesto' what the hell does that have to do with that article up there? Jack shit, is what. They're just upset with Arizona and that's that. Defacing their websites etc will sure strike a blow for...uh...whatever, I'm sure.

  • autono-wally, erotibot300, love machine, Registered User regular
    edited July 2011
    Defacing won't do shit, but releasing those mails?

  • khalathas, Computer Repair Technician, Sarasota, FL, Registered User regular
    edited July 2011
    For a nice premade bootcd with tons of utilities, give http://www.hirensbootcd.org/download/ a shot. You can edit the ISO and add any other tools (or updated versions) you want as well.

  • uean, Registered User regular
    edited July 2011
    khalathas wrote: »
    For a nice premade bootcd with tons of utilities, give http://www.hirensbootcd.org/download/ a shot. You can edit the ISO and add any other tools (or updated versions) you want as well.

    I've got that. Much prefer Ultimate Boot CD. I use it all the time to blank out the admin password and get into a system mainly, but use pretty much all of the rest of it as well from time to time.

  • Samir Duran Duran, Registered User regular
    edited July 2011
    So I guess Anon finally did something worthwhile, had to happen sometime I guess.

    I'm sure even they don't believe their manufactured anarchist bullshit though.


    I'd be interested to know about the techniques they used to steal this information and break into these servers though.

  • Zilla360, 21st Century. |She/Her| Trans* Woman In Aviators Firing A Bazooka. ⚛️, Registered User regular
    edited July 2011
    Samir Duran Duran wrote: »
    I'd be interested to know about the techniques they used to steal this information and break into these servers though.
    It was running an oooold version of IIS, not even Apache. Even a monkey throwing poop at a keyboard, randomly, could probably have broken in.

    The anarchism stuff is just 'Fight Club' inspired spiel, from people who don't know better.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited July 2011
    Speaking of hackers causing chaos with a "political agenda", last night someone hacked Fox News' Twitter account. The responsible party then began tweeting multiple false reports of the President's assassination.

    As of this posting, the offending tweets were made twelve hours ago, and are still up and visible on the afflicted Twitter page.

    A minor bump in the hacking news, by itself. I have heard some grumblings around various other message boards, though, that Twitter accounts are getting compromised with higher frequency recently. There's some speculation that hashed password tables may have been stolen, so people with weak/dictionary passwords might be getting picked off as a result. That's just rumor and conjecture at this point, though it might explain the story above.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited July 2011
    News seems rather slow lately (perhaps that's a good thing!), so forgive me for a lack of updates.

    One interesting story I read recently has dealt with the growing trend of imported hardware/pre-built computer systems being loaded with malware before being purchased by the end consumer.
    MSNBC wrote:
    Confirming years of warnings from government and private security experts, a top Homeland Security official has acknowledged that computer hardware and software is already being imported to the United States preloaded with spyware and security-sabotaging components.

    ...

    Schaffer began his answer by stating how important the issue is to President Barack Obama. But Chaffetz cut him off and, at Schaffer's request, broadly restated the question to extend it beyond government infrastructure:

    "Are you aware of any component software (or) hardware coming to the United States of America that already have security risks embedded into those components?"

    Schaffer paused for about 10 seconds before replying:

    "I am aware that there have been instances where that has happened."

    We knew this was happening with thumbdrives, but pre-infected off-the-shelf systems is a new one on me.

  • autono-wally, erotibot300, love machine, Registered User regular
    edited July 2011
    I never buy off-the shelf anyways

  • TychoCelchuuu, PIGEON, Registered User regular
    edited July 2011
    I wipe everything I buy once I get it, but wow. That's pretty nuts.

  • Dark Shroud, Registered User regular
    edited July 2011
    I'd like to take a moment for anyone using Hotmail and Outlook. The new Office Outlook Connector is out and it uses HTTPS now. So you can enable the HTTPS security in your Hotmail/Live Accounts now and use the new connector to sync everything up.

  • grouch993, Both a man and a number, Registered User regular
    edited July 2011
    If they are embedding the malware into the hardware, then buying components and cleaning storage will be of no avail.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited July 2011
    grouch993 wrote: »
    If they are embedding the malware into the hardware, then buying components and cleaning storage will be of no avail.

    True enough. This reminds me of a writeup I saw via Reddit's NetSec feed recently. The security firm (and I use the term loosely) Netragard was charged with compromising a specific machine within a corporation, but their customer laid down some requirements that "excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas."

    Because the dangers of USB stick malware are becoming better understood, what Netragard wound up doing was making a mouse with an embedded piece of hardware to infect the machine as soon as it was plugged in. The reasoning here being that someone's more likely to plug in a mouse thoughtlessly than a USB stick. They called the device Prion (Note that the images are broken on the blog entry as of writing this, for some reason. But the text is the interesting part).
    A prion is an infectious agent composed of a protein in a misfolded form. In our case the prion isn’t composed of proteins but instead is composed of electronics which include a teensy microcontroller, a micro USB hub (small one from RadioShack), a mini USB cable (we needed the ends) a micro flash drive (made from one of our Netragard USB Streamers), some home-grown malware (certainly not designed to be destructive), and a USB device like a mouse, missile turret, dancing stripper, chameleon, or whatever else someone might be tempted to plug in. When they do plug it in, they will be infected by our custom malware and we will use that point of infection to compromise the rest of the network.

  • Sentret, Registered User regular
    edited July 2011
    That's fascinating. If a device like that were subtle and well constructed it could go on reinfecting the network forever.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    So apparently Lulzsec dusted off their sail and set a course for more mischief. They never really went anywhere, I don't think, but they had disbanded under the Lulzsec name for a while there. Today they came out swinging at the Sun, taking control of the paper's website in supposed retaliation against Rupert Murdoch. They initially defaced the website to publish a false news story about Murdoch's suicide, involving the ingestion of large amounts of palladium. Eventually they just redirected traffic from the site to their own Twitter feed.

    ZDNet has a story here, though it's a scant one.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited July 2011
    Here's an interesting development out of Google recently: Apparently Google have become aware of a specific type of malware, which causes the afflicted machine to send information to Google via proxies. If Google sees your machine trying to send data via one of these proxies, it will now alert you that you're infected.
    As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or “malware.” As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results.

    Running a Google search for any term will display the notification if you're infected. Otherwise, this particular strain of nasty probably hasn't touched you.

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular

    Internet Explorer 9 really has stepped up the security game in a number of ways. To be fair, this test was about URL blocking, less than it was about browser flaws/exploits, but prevention can be extremely effective in situations where social engineering is the primary vector. It's just a shame that IE still carries a heavy stigma with it. The most blanket advice I see about security on various sites and message boards is still "Use Firefox instead of IE". I maintain that any browser is going to be as secure or vulnerable as you make it, and that IE can be a good, solid choice if configured and updated correctly.

    Here's another interesting, if old, discussion. A while ago there was an article published about how the password "This is fun" would be more secure than "J4fS<2". I'm not going to link to this article, because it is incredibly wrong and misleading. Instead, I'll link to Troy Hunt's evisceration of that article, wherein he discusses that entropy is still king when it comes to (relative) password security.
    The thing about the word “secure” is that it tends to get thrown around in a very binary fashion; you’re either secure or you’re not. The reality is there are a whole bunch of shades of grey. Security is all about mitigating risk, nothing more. Certainly being as emphatic as saying “secure forever” is a misguided statement at best.

    It’s a little bit like saying a Volvo is “safe”. Sure, you get lots of airbags and intrusion bars and stability controls and whatnot but I’ll tell you what; if you hit that semi-trailer head on at 100kph it’s all over red rover. Of course comparatively the Volvo is very safe compared to, say, a Chery, but it’s certainly not an absolute.

    When it comes to password security, the accepted measure of strength is entropy. To achieve greater entropy we need passwords consisting of more possible symbols and of greater length with more randomness. When you limit yourself to one character set – lowercase letters in this case – you create very low entropy passwords.

    It's an excellent read, and goes into detail about brute-forcing techniques, rainbow tables, and dictionary attacks. His ultimate conclusion, though, is "The only secure password is the one you can’t remember". Nevertheless, I recommend reading it, if just to dispel the myths about how brute-force attacks work (Hint: No one sits at the GMail login page and attempts to crack passwords remotely).
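    As an added worked example of the entropy argument above (my code, not Troy Hunt's or the original article's), the Python below computes the search space of the two passwords from that debate under two attacker models: exhaustive search over the character pool, and guessing a phrase word by word from a dictionary. The word list and the 2,000-word dictionary size are constructed assumptions.

```python
import math
import string

# Constructed stand-in for an attacker's word list; a real list is far larger,
# and dictionary_size below models that size rather than len(COMMON_WORDS).
COMMON_WORDS = {"this", "is", "fun", "the", "a", "and", "password", "correct",
                "horse", "battery", "staple", "love", "you", "my", "dog"}


def character_pool(password: str) -> int:
    """Size of the smallest standard character pool covering every character."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable symbols
        (" ", 1),
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Entropy in bits if the attacker tries every string over the pool:
    log2(pool ** length)."""
    return len(password) * math.log2(character_pool(password))


def dictionary_bits(password: str, dictionary_size: int = 2000):
    """Entropy in bits if the attacker guesses a phrase word by word from a
    dictionary of dictionary_size words, each tried capitalised or not.
    Returns None when the password is not a phrase of dictionary words,
    i.e. when this attack model does not apply."""
    words = password.lower().split()
    if not words or any(w not in COMMON_WORDS for w in words):
        return None
    per_word = math.log2(dictionary_size) + 1  # +1 bit: capitalised or not
    return len(words) * per_word


def effective_bits(password: str, dictionary_size: int = 2000) -> float:
    """The attacker uses the cheapest model that applies, so the effective
    entropy is the minimum over the applicable models."""
    candidates = [brute_force_bits(password)]
    dict_bits = dictionary_bits(password, dictionary_size)
    if dict_bits is not None:
        candidates.append(dict_bits)
    return min(candidates)


if __name__ == "__main__":
    for pw in ("This is fun", "J4fS<2"):
        print(f"{pw!r}: brute force {brute_force_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits")
```

    With the 2,000-word dictionary the phrase comes out weaker than the six-character password; a larger modelled dictionary would change that, which is the point: what the attacker must enumerate, not the character count, decides.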

  • Captain Marcus, now arrives the hour of action, Registered User regular
    Ok I have a question and I'm not sure if this is the right place for it, but here goes-

    My computer is not obeying me when I click on a Google result. Instead of going to "delicious beef jerky recipes" on the website I want, it loads up "vice-presidentliquid.com or verseinequality.com" or some other ridiculous result. I've run Microsoft Security Essentials, Windows Defender, and Malwarebytes but none of those have picked up anything.

    Any suggestions?

  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    edited July 2011
    Captain Marcus wrote: »
    Ok I have a question and I'm not sure if this is the right place for it, but here goes-

    My computer is not obeying me when I click on a Google result. Instead of going to "delicious beef jerky recipes" on the website I want, it loads up "vice-presidentliquid.com or verseinequality.com" or some other ridiculous result. I've run Microsoft Security Essentials, Windows Defender, and Malwarebytes but none of those have picked up anything.

    Any suggestions?

    Certainly the right place to ask! Sounds like a Google redirect infection, which is sometimes caused by TDL3, a rather nasty rootkit/bootkit. If you are infected with TDL3, then none of the antivirus/antimalware solutions you listed would be able to see it.

    As a recommendation to begin with, I'd start with running a scan with TDSSKiller. Run it once in normal operation, which will ensure you've got the latest version. Then try running the same tool in safe mode - but ensure you've started safe mode without networking. As another measure, you can try running Hitman Pro, which is also pretty good at sniffing out rootkits.

    If either of these tools find a TDL3 infection (or any rootkit), they will offer to remove it for you. You can do that if you want, but my advice in any situation where a computer has been infected with a rootkit is to back up and reformat the machine (complete reformat - NOT just a reinstall of the OS) as soon as is convenient for you. Rootkit compromised machines just can't be trusted after the fact, owing to the level of access the infection's been provided with. Opinions on this matter vary widely, so obviously take the course that you feel best with. If you opt not to reformat, be sure to run MSE and Malwarebytes after the rootkit's been removed. Rootkits tend to open the door for a number of other nasties, ones that TDSSKiller won't find or remove.

    If the tools turn up with nothing, or you still see a redirect after rootkit removal, you might try looking at your HOSTS file (See Wikipedia for explanation and file location, depending on OS), and see if anything nasty has pointed www.google.com to some look-alike domain. Essentially, you shouldn't see anything in your HOSTS file for www.google.com at all.

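    A scripted version of the HOSTS file check described above, added here as an example and not code from the thread: it parses a HOSTS file, flags any entry for www.google.com or similar search domains (a clean file has none), and flags mappings that point off-host so they can be reviewed. The sample file, the watchlist and the 192.0.2.x/10.x addresses are constructed.

```python
import ipaddress
from pathlib import Path

# Domains a search-redirect infection typically hijacks; constructed list.
WATCHLIST = {"www.google.com", "google.com", "www.bing.com", "www.yahoo.com"}

# Constructed sample HOSTS file: Windows default entries plus injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the lines below are constructed to look like a redirector's additions
192.0.2.10      www.google.com google.com
192.0.2.10      WWW.BING.COM
0.0.0.0         ads.example.net   # benign sinkhole-style entry
10.0.0.5        fileserver.corp.example
"""


def parse_hosts(text: str):
    """Yield (line_number, ip_address, hostname) for every mapping in a HOSTS
    file, skipping comments and blank lines. One line may map several names."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def suspicious_entries(text: str, watchlist=WATCHLIST):
    """Return findings as (line_number, address, hostname, reason).

    Check 1: any entry for a watchlisted domain (there should be none at all).
    Check 2: any hostname sent somewhere other than loopback or the unspecified
    address (0.0.0.0, used for sinkholing); LAN entries are legitimate but
    deserve a look, so they are reported as 'verify' rather than ignored."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in watchlist:
            findings.append((lineno, str(addr), name, "watchlisted domain"))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append((lineno, str(addr), name, "non-local address, verify"))
    return findings


def scan_file(path) -> list:
    """Scan a real HOSTS file. On Windows it lives at
    %SystemRoot%\\System32\\drivers\\etc\\hosts; on Unix-likes at /etc/hosts."""
    return suspicious_entries(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for lineno, addr, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} ({reason})")
```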
  • TetraNitroCubane, The Djinnerator, At the bottom of a bottle, Registered User regular
    Sorry for the double post, but I thought this was really interesting: Threatpost have compiled an interesting Infographic of malware distribution and hosting networks. I'll rehost under the spoiler, for those who don't want to click offsite.
    [infographic image: jSXXn.jpg]

    The most interesting fact on there is by far how much search engines are used to spread malware. Google Image Search in particular seems to be the big culprit these days for spreading around the nasties. Perhaps they're not too far off when they say "Image searches are the most dangerous activity users can engage in on the web."

  • Draygo, Registered User regular
    edited July 2011

    TetraNitroCubane wrote: »
    Internet Explorer 9 really has stepped up the security game in a number of ways. To be fair, this test was about URL blocking, less than it was about browser flaws/exploits, but prevention can be extremely effective in situations where social engineering is the primary vector. It's just a shame that IE still carries a heavy stigma with it. The most blanket advice I see about security on various sites and message boards is still "Use Firefox instead of IE". I maintain that any browser is going to be as secure or vulnerable as you make it, and that IE can be a good, solid choice if configured and updated correctly.

    Most malware/viruses attack third party plug-ins now; the browsers themselves are all pretty secure. And because several plugins are written for multiple browsers, and the exploits work in each of the browsers equally, virus/malware makers are finding it a better vector of attack.

    Why attack IE when you can attack Adobe Flash, which is installed on 96% of computers connected to the internet? Far greater than IE's share. In a way the stigma IE has is a good thing, simply because it helps expand the alternatives, which means a virus that does target a specific exploit in a specific browser is going to cause less overall damage.


    The interesting part of that article to me is the introduction of Application Reputation in IE9, and according to that study 100% of (social engineering) malware was blocked between SmartScreen and AR.

    wow.

  • Dark Shroud, Registered User regular
    Captain Marcus wrote: »
    Ok I have a question and I'm not sure if this is the right place for it, but here goes-

    My computer is not obeying me when I click on a Google result. Instead of going to "delicious beef jerky recipes" on the website I want, it loads up "vice-presidentliquid.com or verseinequality.com" or some other ridiculous result. I've run Microsoft Security Essentials, Windows Defender, and Malwarebytes but none of those have picked up anything.

    Any suggestions?

    Certainly the right place to ask! Sounds like a Google redirect infection, which is sometimes caused by TDL3, a rather nasty rootkit/bootkit. If you are infected with TDL3, then none of the antivirus/antimalware solutions you listed would be able to see it.

    As a recommendation to begin with, I'd start with running a scan with TDSSKiller. Run it once in normal operation, which will ensure you've got the latest version. Then try running the same tool in safe mode - but ensure you've started safe mode without networking. As another measure, you can try running Hitman Pro, which is also pretty good at sniffing out rootkits.

    If either of these tools finds a TDL3 infection (or any rootkit), they will offer to remove it for you. You can do that if you want, but my advice in any situation where a computer has been infected with a rootkit is to back up and reformat the machine (complete reformat - NOT just a reinstall of the OS) as soon as is convenient for you. Rootkit compromised machines just can't be trusted after the fact, owing to the level of access the infection's been provided with. Opinions on this matter vary widely, so obviously take the course that you feel best with. If you opt not to reformat, be sure to run MSE and Malwarebytes after the rootkit's been removed. Rootkits tend to open the door for a number of other nasties, ones that TDSSKiller won't find or remove.

    If the tools turn up with nothing, or you still see a redirect after rootkit removal, you might try looking at your HOSTS file (See Wikipedia for explanation and file location, depending on OS), and see if anything nasty has pointed www.google.com to some look-alike domain. Essentially, you shouldn't see anything in your HOSTS file for www.google.com at all.

    This is one of the reasons I'm still using Spybot SD. It's the only malware cleaner I've seen that checks the HOSTS file and locks it.

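The HOSTS check described above, as an added example that is not part of any poster's text: a small Python script that parses a HOSTS file and flags entries that remap a major site such as www.google.com, or that point any name at a non-local address. The sample file contents and the list of watched domains are constructed for illustration.

```python
# Added example (not from the thread): parse a HOSTS file and flag entries
# that hijack a major site the way a redirect infection does.
import ipaddress

# Domains that a clean HOSTS file should never remap (constructed list).
WATCHED_DOMAINS = {"www.google.com", "google.com", "www.bing.com"}

# Names that legitimately map to loopback in a stock HOSTS file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return a list of (ip, hostname, line_number) for every mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an "IP host..." mapping
        for host in fields[1:]:
            entries.append((str(ip), host.lower(), lineno))
    return entries

def suspicious_entries(text):
    """Return (reason, ip, hostname, line_number) for entries worth a look."""
    findings = []
    for ip, host, lineno in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if host in LOOPBACK_NAMES and addr.is_loopback:
            continue                             # stock localhost lines
        if host in WATCHED_DOMAINS:
            findings.append(("watched domain remapped", ip, host, lineno))
        elif not (addr.is_loopback or addr.is_unspecified):
            # Blocklists point names at 127.0.0.1/0.0.0.0; anything else
            # silently sends traffic somewhere real.
            findings.append(("redirect to non-local address", ip, host, lineno))
    return findings

# Constructed sample resembling a hijacked Windows HOSTS file.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # ad-block style sinkhole, harmless
203.0.113.7     www.google.com google.com
"""
```

Running `suspicious_entries(SAMPLE_HOSTS)` reports only the two www.google.com/google.com mappings on the last line; the ad-block sinkhole and the localhost lines are left alone.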
    AnteCantelopeAnteCantelope Registered User regular
    If MSE pops up to tell me it's found and removed a threat, is there anything else I should do? Given that they say proactive virus scanners are only around 70% effective, I'm a little paranoid that something else might have slipped through. I ran a full scan with MSE, MBAM, TDSSKiller, and Hitman. If they all turned up nothing can I assume that means I'm OK? I really can't be bothered to reformat right now.

    DraygoDraygo Registered User regular
    We cannot tell you unless you tell us what threat it removed.

    But generally no, you can never be certain it's 100% gone without a reformat. But in a general sense you are probably safe right now, especially if several other scanners didn't pick up anything.

    AnteCantelopeAnteCantelope Registered User regular
    It said it was adware that 'displays pop-up advertisements'. So it wasn't anything like a rootkit.
    I've just started an internet security subject, so I'm in the awkward phase where I know a lot of terrible things that can go wrong, but I don't know much of anything else, so when MSE warns me about stuff I get super-paranoid.

    Captain MarcusCaptain Marcus now arrives the hour of actionRegistered User regular
    OK thanks! I'll check that stuff out later today; I ran TDSSKiller earlier but it didn't come up with anything. I didn't try running it in safe mode, however.

    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    Up in the sky! It's a bird! It's a plane! It's... a...

    It's a Wi-Fi hacking, Password cracking, Cell phone jacking UAV?
    Last year at the Black Hat and Defcon security conferences in Las Vegas, a former Air Force cyber security contractor and a former Air Force engineering systems consultant displayed their 14-pound, six-foot-long unmanned aerial vehicle, WASP (Wireless Aerial Surveillance Platform). Last year it was a work in progress, but next week when they unveil an updated WASP they’ll be showing off a functioning homemade spy drone that can sniff out Wi-Fi networks, autonomously crack passwords, and even eavesdrop on your cell phone calls by posing as a cell tower.
