[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."

Posts

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited May 2011
    The latest TDL4 variant is a beast you don't want to meet, ever.

    In the event that any scans ever reveal the presence of TDL3, TDL4, TDSS or any other rootkit, the recommended course of action is always to reformat the drive completely, reinstall the operating system, and then install security software. Afterward, a full scan of the backups, and finally restoration of data.

    A reformat is required for exactly the reason khalathas mentions: If the MBR gets compromised, the machine can't be cleaned with any confidence.

  • khalathas (Computer Repair Technician, Sarasota, FL) Registered User regular
    edited May 2011
    TetraNitroCubane wrote: »
    The latest TDL4 variant is a beast you don't want to meet, ever.

    In the event that any scans ever reveal the presence of TDL3, TDL4, TDSS or any other rootkit, the recommended course of action is always to reformat the drive completely, reinstall the operating system, and then install security software. Afterward, a full scan of the backups, and finally restoration of data.

    A reformat is required for exactly the reason khalathas mentions: If the MBR gets compromised, the machine can't be cleaned with any confidence.

    Tetra, ironically, a safe mode (no networking) scan with the latest version of TDSSKiller actually does find and repair the MBR infection, but requires a reboot, which I always do immediately back into safe mode again and immediately scan again, because I've had an MBR infection of tdss actually mask a kernel driver infection of another tdss (different version numbers too...). I do this for a living mind you, so I get to see a *LOT* of computers and infection scenarios. TDSS isn't really as bad as they make it sound. What I'm worried about is the hypothetical rootkit we DON'T have detections for yet... like a theoretical TDL5. I have zero evidence of such a thing existing, mind you... I just know the nature of tdss in general, and how stealthy it is, and how, unlike most trojans, it does NOT announce itself with any real noticeable issues.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited May 2011
    That's good to know, khalathas! I didn't know the efficacy of TDSSKiller in this context. As a personal note, though, my policy with rootkits (particularly ones of this variety) is certainly to reformat. Mainly because, well, precedent speaks volumes - And these rootkits are constantly getting nudged to evade detections. Like you said, they're made to be invisible... But, that's just my personal opinion.

    Unrelated: Apple have finally released official word about the rash of malware targeting OS X!
    Apple wrote:
    A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender "anti-virus" software to solve the issue.

    This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user's credit card information which may be used for fraudulent purposes.

    The most common names for this malware are MacDefender, MacProtector and MacSecurity.

    In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.

    In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.

    The relatively simple removal instructions are posted on that same page. Good to know they'll be releasing a system update to shore up this, but the fact remains that the attack was largely a social vector rather than a technical one.

  • khalathas (Computer Repair Technician, Sarasota, FL) Registered User regular
    edited May 2011
    The mac infection was inevitable. The rise of macs among the general populace (mostly thanks to "hipsters" in recent years), has made them more of a target. I guarantee this is simply the start, as mac users generally consider themselves immune and still won't bother with an anti-malware tool of some sort. The thing I'm waiting to see is the first outbreak of mac rootkits.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited May 2011
    khalathas wrote: »
    The mac infection was inevitable. The rise of macs among the general populace (mostly thanks to "hipsters" in recent years), has made them more of a target. I guarantee this is simply the start, as mac users generally consider themselves immune and still won't bother with an anti-malware tool of some sort. The thing I'm waiting to see is the first outbreak of mac rootkits.

    Without wanting to heap on flames, I'll say that I completely agree with you. Any increase in market share makes them a more appealing target, and there's nothing about OS X that makes it bulletproof.

    Also, more news on this front: It's already mutating. New variants of the MacDefender malware no longer require the user to input their admin passwords to install.
    If the default setting of “Open “Safe” Files After Downloading” is enabled in your browser, the software will download, the installer will launch, and you will be prompted to enter your password to complete installation of software, which is actually the malware payload. A new variant called MacGuard is also live and will install without credentials.

    Not using Safari, or disabling the automatic file opening option, should provide simple protection for now.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited May 2011
    ESET recently posted a write up about the social engineering approach toward malware distribution, specifically in regard to its indifference to operating system. As you might expect, it deals with the recent OS X malware. However, it goes a bit deeper than just the latest threat, and I found it to be a good read. You can find the whole article on this page, if you're curious.

    Some choice bits follow:
    ESET wrote:
    • Most systems can be configured in ways that make them more, or less, secure. And, since security can be usually reduced or overridden by user action – malware authors often rely on tricking the user into accepting/installing malicious software, as it’s much easier than trying to attack vulnerabilities in the system or applications (which can often be quickly patched when discovered). For instance, fake anti-virus scam attacks are entirely predicated on such social engineering. It’s not really about what OS you use – some of the threats will be common across all platforms, (there is also, in fact, a steady trickle of application-specific malware that doesn’t care much about hardware) while others are unique to the ‘platform’.

    • Viruses are now a tiny subset of the sorts of malware we see in the 21st century, and the idea that viruses (that is, self-replicating pieces of code) are the ‘main problem’ relating to system compromise by malicious software is very much “last century” thinking. In principle, any system that can run computer software can run self-replicating computer software – there’s no magic to a virus. However, most modern malware does not replicate by itself – it has a different purpose: malware designed to disrupt or destroy systems has largely been replaced by malware intended to commit financial or identity theft related crimes.

    • It doesn’t matter how silly you think it is, but people are very frequently manipulated into entering their admin credentials to install malware and bypass security, and this is totally independent of the system. People do it because they are used to the requirement to enter an admin password to install a legitimate piece of software (or even to change the time on the system). Malware authors know that if they trick you into believing you need to install software, you will do the very thing required to bypass system security. If you feel secure in your status as an advanced user with superior knowledge of every file on your system, you are not the majority, and you, lucky you, are not the target of the social engineer. Your immunity is probably due to years of expertise on a system and maybe a technical background, and is not a general rule for the wider population.

    • "I’ve never been infected so I don’t have a problem." How do you know? This assumption is related to the 20th century thinking about viruses being nasty programs that delete things, pop up funny messages on your screen and blow smoke out of your monitor. In an era where much well designed malware is designed to be invisible to the user, this is no longer valid logic.

  • khalathas (Computer Repair Technician, Sarasota, FL) Registered User regular
    edited May 2011
    wow, that was quite a good article Tetra, thank you! Gonna pass that around the office to our other techs as well. :)

    The bits about social engineering, virus vs other malware, and people being USED to everything asking for permission/credentials giving way to easier infections are particularly relevant. The social engineering has been around as long as computers...but I have on more than one occasion lamented the decline of the virus and the rise of these "dumb scripts" as I like to call 'em. I've always admired the engineering that went into the true infection process. That is, being able to patch existing code without breaking it, knowing what it is, and being able to load when the executable runs, and self-replicate.

    The new crap we see mostly just runs itself, hooks a DLL, maybe plays havoc in the registry (setting restrictive policies and hijacking HKEY_Classes_Root/.exe and HKEY_Classes_Root/exefile to pass all exe requests through itself first...).

    But nothing truly as elegant as a virus anymore. If malware were star wars weapons, in Obi Wan's own terms, the fake antivirus is a blaster, and a real virus is a lightsaber. An elegant weapon for a more civilized time.

  • MichaelLC (In what furnace was thy brain?, Chicago) Registered User regular
    edited May 2011
    Windows risk mitigation question.

    I've been put "in charge" of 5 WinXP (SP3) desktops. All have IE8, MSE, and are kept scanned and up-to-date. They're running wired through a rack to Comcast cable internet. Anything else I can do? Any major holes I can plug?
    Upgrading to Win7 is not an option at this point, and wouldn't run on these things anyway. Thanks!

  • Aeyther Registered User regular
    edited May 2011
    MichaelLC wrote: »
    Windows risk mitigation question.

    I've been put "in charge" of 5 WinXP (SP3) desktops. All have IE8, MSE, and are kept scanned and up-to-date. They're running wired through a rack to Comcast cable internet. Anything else I can do? Any major holes I can plug?
    Upgrading to Win7 is not an option at this point, and wouldn't run on these things anyway. Thanks!

    The only things I can really think of are installing Firefox with my favorite three addons: Adblock Plus, Flashblock, and NoScript. Also maybe get a decent external firewall if you have the monies.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited May 2011
    How much control will you have over the systems and how they operate? If you're given free rein to operate the systems in any manner you see fit, I would strongly recommend setting them up to run with standard/limited user accounts instead of administrator accounts. Doing this alone is a huge mitigating factor on XP machines. If you're going to have total control, I would also set up a Software Restriction Policy to accompany your reduced privilege users. Running LUA + SRP like this will make your life one hell of a lot easier, and also will prevent users from installing or running things they shouldn't be in the first place.

    In situations where your users are simply unable to run in a Limited Account Environment, I would look into some method of dropping Administrator rights for your internet-facing applications at the very least. If you employ something like Drop My Rights to launch browsers/IM/Mail clients, then your users can still run their programs as administrator while having reduced risk on the net-connected side of things.

    You can also look into sandboxing your internet facing applications. It's one of the better methods of protecting a system, but it does come at a cost if you're imposing it on users who have never dealt with it before. I've had many users I've helped complain about sandboxing I've set up to help them, because they feel it 'breaks' their computer. Sometimes the sacrifice in convenience causes more tech requests than it prevents.

    Regardless of what approach you take, definitely follow Aeyther's suggestions about browser security. You don't have to go Firefox: Just make sure you're blocking javascript and flash on a whitelist basis, and most browsers will be equally secure.

  • Xeddicus Registered User regular
    edited May 2011
    Spybot or some other malware scanner wouldn't hurt.

  • MichaelLC (In what furnace was thy brain?, Chicago) Registered User regular
    edited May 2011
    Xeddicus wrote: »
    Spybot or some other malware scanner wouldn't hurt.

    I've got Microsoft Security Essentials. Would you say that's sufficient, or would another be better? I know more is always better, but these boxes (old Shuttles) are nearly groaning as it is. Most of the desktops won't see a lot of use, but the machine in the owner's office is a concern. Admin account with no password. :x .

    TetraNitroCubane - thanks for the suggestions and that Drop program; that looks excellent. Particularly since I won't always be available if the user has an issue. Yeah, I've been working with PCs since DOS, so still have old mindset of Windows = completely insecure, but know it's gotten a little better with IE8 and included tools.

    Aeyther - I'd like to, but users are pretty IE-only.

  • Xeddicus Registered User regular
    edited May 2011
    Spybot has 'immunization' for instance and is a bit more targeted than MSE. Running both can't hurt. Spybot can just be run occasionally when you update the immunization database while MSE is on guard in real time. Spybot can help lock down the system too with its 'tea timer', though that may be overkill depending on your level of paranoia/justified worry.

    Malwarebytes' Anti-Malware also seems to pick up on malware MSE may not.

  • Ayulin Registered User regular
    edited May 2011
    From what I remember of it, Spybot's Tea Timer is UAC on tons of steroids. Not a bad thing, though I got tired of dealing with it after a while.

    I think the immunisation thing just adds entries for sites that are known malware distributors into your HOSTS file, but I might be mistaken on that.

    Definitely no downside to running it alongside MSE.

  • Dark Shroud Registered User regular
    edited May 2011
    Immunisation can use the HOSTS file but that is not the main or bulk of the entries. In IE the bulk is added to the restricted sites list.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited May 2011
    Not content to target antivirus products alone, scareware authors have now upped the ante by targeting web browsers specifically. In this case, after identifying the user agent string from your browser and verifying that Firefox is in use, a new social engineering attack closely resembling the Firefox security warnings will be displayed.

    There's nothing amazing or even groundbreaking in the actual payload delivery. This attack still relies upon the end user to install the software manually (provided we're talking about a fully patched system). What's more notable is that these scareware authors are taking great pains in their counterfeiting measures, and are starting to move their social engineering targets around.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited June 2011
    Recently Apple released a security update for OS X, as they had announced they would last week. In addition to blocking and removing the new MacDefender variants in the wild, it also provided some additional tweaks to the OS X platform, through which the operating system can be automatically updated with a signature based download blacklist. According to ISC, the new option is available in the System preferences pane, under Security, in the General heading ("Automatically update safe downloads list").

    Let's hope Apple intend to update that list frequently, because their latest security update was defeated 8 hours after release. The great, unending race seems to have begun for the OS X platform.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    edited June 2011
    Welcome, Apple platforms, to the mainstream.

    I hope they enjoyed the security through obscurity while it lasted...and at least none of these are remote exploits, or I'd actually have to worry too. :p

  • rational vash Registered User regular
    edited June 2011
    Alright, so i have a bit of a problem here.

    My laptop has some sort of malware that masquerades as a windows message that does a scan, states i have a virus, and demands i purchase something to fix it.

    It prevents me from opening basically every program on my computer. So, i put it into safe mode and ran spybot from my external hard drive, didn't do anything. I've been mulling over how to fix it when i realized i could do system restore. So, i went into safe mode hoping to do that, now the fucking thing has gotten into my safe mode somehow.

    Any ideas?

  • harvest (By birthright, a stupendous badass.) Registered User regular
    edited June 2011
    Frequently these buggers get into your restore points to keep themselves installed in case you do exactly what you did.

    I'd start with Hijackthis in safe mode. If it's not immediately obvious which bit is the malware post a log here or at the Hijackthis support forum and you can get it sorted out in short order.

    EDIT: In case it prevents you from loading the Trendmicro site (which is probable) I've mirrored it for you here: https://rapidshare.com/files/3961615962/HijackThis.msi

  • uean Registered User regular
    edited June 2011
    Download MBAM (malwarebytes anti malware) and the latest MBAM definitions from another computer, and ComboFix (from bleepingcomputer.com, not combofix.org) and put them on a USB stick. Boot the infected desktop into safemode with networking, install MBAM and the new definitions and run a full scan on all drives including recovery partitions. Remove any infections and reboot. Disable any anti-virus software, copy combofix to the desktop and run it, and just leave your PC to sit until it is finished. Reboot when finished. Take note of everything deleted and detected during these scans. To be thorough, open task manager and do some google-fu on any running process you're not sure about (especially gibberish ones, or seemingly legit ones that are duplicated as both a user process and a system process) then do a search through your registry to see where they are called. If you're not familiar with the registry, leave the scanners to deal with the issues... probably safest to not even bother with regedit.

    If you are unable to run either of the programs I mentioned, try renaming them. Go to folder options and show hidden files and show extensions for known file types, then rename the programs from (e.g.) MBAM.exe to something.com. The .com is important, most of the current viruses that are destroying file associations target .exe files so renaming .com is working. You can also access a microsoft technet article with a registry fixit for file associations... here's a fixit for Windows Vista (http://support.microsoft.com/kb/950505), but search out your operating system for a specific fix.

    Make sure you have admin rights on your desktop when doing these steps and let us know how it goes.

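A check for the .exe file-association hijack that khalathas and uean describe (HKEY_CLASSES_ROOT\.exe and exefile rerouted through the malware while .com is left alone), as an added example that is not code from the thread: it parses a constructed .reg export and compares the launch chain with the Windows defaults. The rogue binary path in the sample is a placeholder, not a real indicator.

```python
"""Spot a hijacked .exe file association in a Windows .reg export.

Added example, not code from the thread: parses a constructed .reg export
(the format the Windows reg export command writes; real exports are UTF-16
with a BOM, so open them with encoding="utf-16") and compares the .exe
launch chain with the Windows defaults.
"""
import re

# Clean defaults. .com is checked too because the malware described in
# the thread leaves it alone, which is why renaming a scanner to
# something.com lets it start.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\.com": {"@": "comfile"},
}

# Constructed export from a hijacked machine: the open command now runs a
# rogue binary (placeholder path) before the real program gets "%1".
# .reg syntax escapes backslashes and double quotes with a backslash.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\placeholder.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"
'''

# Constructed export of the same keys from a clean machine.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"
'''

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<raw>.*)$')


def _unescape(s):
    # A backslash before a quote or another backslash is a .reg escape.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}.

    Quoted REG_SZ values are decoded; other types (dword:, hex:) are kept
    as raw text so nothing is silently dropped.
    """
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group("key")
            reg.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if current is None or not value:
            continue  # file header, or a hex continuation line
        name = value.group("name")
        if name != "@":
            name = _unescape(name[1:-1])
        raw = value.group("raw")
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = _unescape(raw[1:-1])
        reg[current][name] = raw
    return reg


def check_exe_association(reg):
    """Return (key, value_name, expected, actual) for each mismatch.

    An empty list means the launch chain is untouched; actual is None
    when the key or value is absent from the export.
    """
    findings = []
    for key, values in EXPECTED.items():
        present = reg.get(key, {})
        for name, expected in values.items():
            actual = present.get(name)
            if actual != expected:
                findings.append((key, name, expected, actual))
    return findings
```

Any mismatch on exefile\shell\open\command is the tell-tale for the "every .exe runs through me first" trick; a missing key just means the export did not include it, so export all three keys before drawing conclusions.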
  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited June 2011
    In a situation like this, I'd recommend backing up, reformatting and reinstalling your operating system, then scanning your backups before data restoration. These infections are hard to remove completely, and a reformat is the surest way to know you've removed it. It's also less of a pain in the ass than trying to remove the infection and repair the damage.

    I understand that such an option is not always viable. In that case, I'd recommend using a LiveCD or Bootable USB stick to load an OS off of the infected machine, and then scan from there onto your afflicted drive. If you're booting into Windows, use MBAM as uean suggested. Then I'd follow it up with another few scanners. Check the OP under the software list in the LiveCD and RescueCD sections. Many of those packages come with their own scanners, or are just dedicated scanners themselves.

    Uean offers good advice, and do follow it if you're up to the task and can't bring yourself to reformat. However, two caveats: First, Combofix is not to be fucked with. If you're not getting guidance on how to use it, follow the directions from bleeping computer exactly. Otherwise you could cause damage to your machine. Second, MBAM actually works better in normal mode, rather than safemode. The developers have said as much.

    Since you're having problems getting anything to run in normal mode, I'd recommend the following: Download one of the RKill files from this link. I'd recommend going with the .com or the .scr file. They're all the same, but the naming conventions will allow them to circumvent the infection blocking them. Run the downloaded RKill, and then run MBAM in normal mode. If you still can't run MBAM, download a different RKill, and try again. After running MBAM successfully, run another scanner to shore up the leftovers. As a last pass, I'd recommend using HitMan Pro as a second opinion scanner. Don't buy Hitman - just use it as a way to check your system. The scan is free, and can find rootkits other scanners sometimes overlook. If it finds stuff, you don't have to purchase it. You can just use it as an indication that there's still work to be done.

    Good luck, and sorry you're dealing with this crap.

  • KillerBeeGees Registered User regular
    edited June 2011
    I know nothing about computer security. My friend has a relatively new laptop running Windows 7 and Kaspersky Anti-Virus, and has just now had 'threats' show up for the first time. There are three listed, which are all labeled as "Trojan-Downloader.JS.Agent.fxe". Any of the buttons that claim to be able to rectify the problem seem to have no effect. I've tried a little googling with no luck, just throwing this up in the hopes that someone might be familiar with the issue.

    Thanks in advance for any help.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    edited June 2011
    Disclaimer: I know enough to be dangerous to myself and others.

    But a quick googling turned this up, which makes it sound relatively benign as of the time of writing. Follow the instructions and figure out where/how the trojan got on and it looks like you can just delete the files without a problem, if it is the trojan listed there.

  • Bigity (Lubbock, TX) Registered User regular
    edited June 2011
    I hate Kaspersky, or at least the version we have been using here at work. We've recently switched to FEP 2010 which is a lot less intrusive and annoying from a management standpoint. It seems to be catching more problems before they actually become problems as well (real time protection).

  • MagicPrime (FiresideWizard) Registered User regular
    edited June 2011
    Still running Avast.

    It seems to do its job and I just keep it on 'gaming mode' so i don't have to deal with popups.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited June 2011
    KillerBeeGees wrote: »
    I know nothing about computer security. My friend has a relatively new laptop running Windows 7 and Kaspersky Anti-Virus, and has just now had 'threats' show up for the first time. There are three listed, which are all labeled as "Trojan-Downloader.JS.Agent.fxe". Any of the buttons that claim to be able to rectify the problem seem to have no effect. I've tried a little googling with no luck, just throwing this up in the hopes that someone might be familiar with the issue.

    Thanks in advance for any help.

    If I remember correctly, most of the trojans labeled as *.JS.Agent are threats embedded in the javascript themselves. In other words, if you were redirected to a page that hosted a malicious javascript, or visited one where such a javascript file was embedded, your antivirus would flag the JS file before it has the chance to do something nasty. The real payload is delivered later, via use of the JS file to redirect you, or automatically download/install something malicious.

    If Kaspersky caught it in action, you should be safe. If it's only catching it on a system scan after the fact, then there's a possibility it's examining your browser cache after the attack already happened.

    Regardless, and due to the fact that you can't seem to impact the result, I'd recommend doing a full system scan with MalwareBytes Antimalware, after fully updating it. See what MBAM says, and then take it from there, if further action is required.

  • khalathas (Computer Repair Technician, Sarasota, FL) Registered User regular
    edited June 2011
    Needed to give everyone a heads up. TDSS has evolved again.
    http://www.securelist.com/en/blog/208188095/TDSS_loader_now_got_legs

    It now includes a DHCP server and a self-propagating worm component.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited June 2011
    So now TDSS will basically try to infect any machine on the local network. That thing is getting more and more vicious by the day. I'm dreading the day it starts targeting intermediaries like routers, or the like. Fortunately, it still looks like it's exploiting social engineering to spread from one machine to another, by rerouting to malicious pages and trying to convince the user to install the payload... But still, that rootkit is the stuff of nightmares.

    Unrelated: Hey hey, everyone! I can't think of anything witty to preface this today, so I'll just lay it on out there. In a downright shocking turn of events, a vulnerability has been discovered in Flash! So fire up those downloads and patch yourself up.

  • uean Registered User regular
    edited June 2011
    TetraNitroCubane wrote: »
    So now TDSS will basically try to infect any machine on the local network. That thing is getting more and more vicious by the day. I'm dreading the day it starts targeting intermediaries like routers, or the like. Fortunately, it still looks like it's exploiting social engineering to spread from one machine to another, by rerouting to malicious pages and trying to convince the user to install the payload... But still, that rootkit is the stuff of nightmares.

    Unrelated: Hey hey, everyone! I can't think of anything witty to preface this today, so I'll just lay it on out there. In a downright shocking turn of events, a vulnerability has been discovered in Flash! So fire up those downloads and patch yourself up.

    Urk!!! I ran TDSSKiller yesterday and found a rootkit on a system. I've always been curious, so I'll ask here - find a nasty bugger like this, is imaging the machine safe, or a full ntfs format and reinstall necessary?

  • Bendery It Like Beckham (Hopeless) Registered User regular
    edited June 2011
    uean wrote: »
    So now TDSS will basically try to infect any machine on the local network. That thing is getting more and more vicious by the day. I'm dreading the day it starts targeting intermediaries like routers, or the like. Fortunately, it still looks like it's exploiting social engineering to spread from one machine to another, by rerouting to malicious pages and trying to convince the user to install the payload... But still, that rootkit is the stuff of nightmares.

    Unrelated: Hey hey, everyone! I can't think of anything witty to preface this today, so I'll just lay it on out there. In a downright shocking turn of events, a vulnerability has been discovered in Flash! So fire up those downloads and patch yourself up.

    Urk!!! I ran TDSSKiller yesterday and found a rootkit on a system. I've always been curious, so I'll ask here - find a nasty bugger like this, is imaging the machine safe, or a full ntfs format and reinstall necessary?

    Well, what did you find? I'd imagine imaging a hard drive will also image the bootkit/rootkit with it. If we know what you are dealing with we could give you more accurate information.

  • uean Registered User regular
    edited June 2011
    Well I ran TDSSKiller, and found one rootkit. Which one? not sure, but some variant of TDSS. Reimaged with a known good image using clonezilla and rescanned, no problem.

    I've just heard of some types of malware/virus/rootkits persisting and loading themselves into scary places, eg, reimaging a desktop doesn't bring the version of the BIOS with it AFAIK

  • Bendery It Like Beckham (Hopeless) Registered User regular
    edited June 2011
    uean wrote: »
    Well I ran TDSSKiller, and found one rootkit. Which one? not sure, but some variant of TDSS. Reimaged with a known good image using clonezilla and rescanned, no problem.

    I've just heard of some types of malware/virus/rootkits persisting and loading themselves into scary places, eg, reimaging a desktop doesn't bring the version of the BIOS with it AFAIK

    Well, TDSS is MBR resident, so your current, and possibly future, installations of Windows without a proper format (maybe even with a proper format... I'd suggest a zero-fill) could possibly be compromised. But if you imaged your HDD with a clean image you're probably fine, as long as it overwrote the entire thing.

    khalathas Computer Repair Technician, Sarasota, FL, Registered User regular
    edited June 2011
    It's sometimes MBR resident. Sometimes it infects drivers instead. I've found it in the MBR, cdrom.sys, the network driver, and a variety of other places. TDSSKiller does a pretty good job of cleaning it, as long as you do the scan in safe mode (without networking, to be sure it isn't in the network driver). Also, the MBR can be cleanly rewritten with BootICE. Having done all of that, you can probably feel comfortable in knowing the drive is OK.

    Edit: forgot to mention, live demonstrations of rootkits infecting hardware firmware (flashable ones), such as the actual firmware on the network controller (most popular since it's the first place to intercept traffic), have already been done... so your hard drive is not the only hiding place anymore.

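    The two posts above turn on the same question: whether the boot code in the first sector has been replaced, and whether a rewrite or a clean image actually put it back. The script below is an added example, not code from the thread or from TDSSKiller/BootICE. It parses a 512-byte MBR, decodes the partition table, and compares a SHA-256 of the 440-byte boot-code region (the part a bootkit replaces; the disk signature and partition table legitimately differ per machine, so they are excluded from the hash) against a known-good hash the operator recorded earlier. The sample MBRs, the "tampered" bytes and the known-good hash are all constructed here and do not correspond to any real disk or any real TDSS variant.

```python
"""Inspect a 512-byte MBR and compare its boot code to a known-good hash.

Added example, not code from the thread. It assumes the operator already
recorded a hash of the boot-code region from a machine known to be clean
(KNOWN_GOOD_BOOT_HASH below is computed from a constructed sample). Reading a
live sector, e.g. open("/dev/sda", "rb").read(512) as root on Linux, is left
out so the module runs offline.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: loader code, the region a bootkit replaces
DISK_SIG_OFF = 440       # 4-byte disk signature, then 2 bytes usually zero
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA


def parse_mbr(data: bytes) -> dict:
    """Split a raw sector into boot code, disk signature and partition entries."""
    if len(data) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": data[:BOOT_CODE_LEN],
        "disk_sig": struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "partitions": entries,
        "boot_sig_ok": data[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def check_mbr(data: bytes, known_good_boot_hash: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    mbr = parse_mbr(data)
    findings = []
    if not mbr["boot_sig_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    actual = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if actual != known_good_boot_hash:
        findings.append("boot code differs from known-good hash (%s...)" % actual[:12])
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one active partition")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (i, p["status"]))
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append("entry %d has type 0 but a non-zero extent" % i)
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: one active NTFS partition at LBA 2048. Not a real disk image."""
    assert len(boot_code) == BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = part0 + b"\x00" * 48          # three empty entries
    return boot_code + disk_sig + table + b"\x55\xaa"


CLEAN_BOOT_CODE = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (BOOT_CODE_LEN - 3)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
KNOWN_GOOD_BOOT_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

# Constructed "tampered" copy: the first bytes of the loader are changed while the
# partition table is untouched, the general shape of an MBR bootkit that chains to
# its own code. These bytes are illustrative, not a real sample.
TAMPERED_BOOT_CODE = bytes([0xEB, 0x3C, 0x90, 0xFA, 0x33, 0xC0]) + CLEAN_BOOT_CODE[6:]
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE)


if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, KNOWN_GOOD_BOOT_HASH) or ["no findings"])
```

    Two practical caveats. Run this from rescue media, not from the suspect OS: a rootkit that hooks disk I/O can hand a clean-looking sector back to anything reading the device while it is loaded, which is the same reason the posts above scan from safe mode and trust a full overwrite more than an in-place scan. And the known-good hash has to come from the same loader the machine is supposed to have (the Windows version's own MBR, or the one BootICE wrote), so record it right after a clean install rather than guessing.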
    Orca Also known as Espressosaurus Wrex, Registered User regular
    edited June 2011
    Rootkits infecting firmware is my special nightmare. D:

    Zilla360 21st Century. |She/Her| Trans* Woman In Aviators Firing A Bazooka. ⚛️ Registered User regular
    edited June 2011
    Argh, trying to fix a friend's PC today (a trojan/rootkit called W32.Raminc) and even ComboFix hasn't worked.

    Moving on to ClamAV from a Linux rescue CD at the moment, and then if that doesn't work it'll have to be a full nuke from orbit.

    Oghulk Tinychat Janitor, Tinychat, Registered User regular
    edited June 2011
    Got myself MBAM and was doing a quick scan when a pop-up about a 16-bit MS-DOS thing showed up that I Alt-F4'd out of.

    Just finished, and it found two Trojan-labeled files, but they didn't infect anything apparently and MBAM successfully deleted them, so... yay.

    Zilla360 21st Century. |She/Her| Trans* Woman In Aviators Firing A Bazooka. ⚛️ Registered User regular
    edited June 2011
    Actually I got the name wrong, it's this: http://www.spywareremove.com/removeW32Ramnit.html

    Nasty little thing. Won't even let Avast contact its registration/update server.

    TetraNitroCubane The Djinnerator, At the bottom of a bottle, Registered User regular
    edited June 2011
    Sorry for the lack of input, advice, or updates recently. I've been traveling, and out of the loop because of that.

    Anyhow, here's a little tidbit I've been expecting for some time now. Malware that disguises itself as Microsoft Update in order to launch its social engineering attack. Nothing particularly shocking about the payload, but again, the targets are shifting here in terms of fooling the end user.

    This particular nasty is set to look like the Windows XP update prompt. I wouldn't bet against our seeing Windows 7 and OS X variants popping up soon. These might not be enough to fool savvy users, but I can see them being very confusing for laymen.

    TetraNitroCubane The Djinnerator, At the bottom of a bottle, Registered User regular
    edited June 2011
    An interesting development with Avira Antivirus has surfaced in the past few days. I'm not entirely sure what to make of it, but here's a brief rundown (from what I can gather).

    Recently, Avira has made two changes to the free version of their software that haven't sat well with the security community and their users. First, it seems that Avira is displaying ads. Normally these ads in the free version are just upgrade incentives, encouraging the user to purchase the full version of Avira. However, lately, these ads have been replaced with Uniblue product ads. This has raised some hackles over on the Avira forums, as Uniblue's ad techniques are rumored to border on scareware tactics, and their products are of dubious quality and safety.

    Secondly, apparently the next revision of Avira's free software will require the Ask toolbar to be installed for web protection. This is according to the DSLreports security forum:
    As for the Ask toolbar, when Service Pack 2 for Avira 10 is released (very soon now), free users will be able to install the WebGuard module free IF they also install the Ask toolbar and make Ask.com their default search engine. Until now, Avira has always detected the Ask toolbar as malware, as they have also detected Uniblue products until now. Enough pressure has been brought on Avira last week that an Avira employee finally posted and stated that if we didn't like Uniblue products we could uninstall them (forget that the registry cleaner has probably hosed your computer and is extremely difficult to uninstall) and that Uniblue has a 30-day money-back guarantee.

    There are a lot of tempers flaring about this issue currently, as well as a lot of names being thrown around. That makes it a bit difficult to separate the valid concerns from the inflated threats, at least for me. Hopefully things will cool off soon, and I'm sure the folks at Avira are taking notice.


    Unrelated Edit: In the wake of their recent breaches of the PBS, Bethesda, and US Senate webpages, (in)famous hacking group LulzSec are continuing their "work" today with what they've been calling Titanic Takeover Tuesday. They've already hit Epic Megagames, Codemasters, EVE Online, the Escapist Magazine and Minecraft. Apparently, some of these are just DDoS attacks, rather than intrusion and data theft. Their Twitter is abuzz, and more updated information can be found in the G&T thread here. Post-Edit Edit: After tagging the League of Legends login servers, they claim to be done for today.
