TwoKnives
Dec 25, 2004

Horrible, horrible shoes!
Did you ever want to know what a botnet looks like from space?

http://www.f-secure.com/weblog/archives/00002428.html


pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


TwoKnives posted:

Did you ever want to know what a botnet looks like from space?

http://www.f-secure.com/weblog/archives/00002428.html

While this image is great, it looks like it was taken in Google Earth; do you happen to have the file? I'd love to zoom around and check the population of local towns infected (I know this is just one of many botnets, but it would still be fun).

TwoKnives
Dec 25, 2004

Horrible, horrible shoes!
Unfortunately, I don't. It may be added later in an update. I found an interactive map of the ZeuS trojan, but it's not as interesting since it was nowhere near as prolific.

http://www.f-secure.com/weblog/archives/00002424.html

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
https://www.damballa.com/press/2012_09_17bPR.php
http://threatpost.com/en_us/blogs/new-iteration-tdsstdl-4-botnet-uses-domain-fluxing-avoid-detection-091712

TDL back from the dead with new toys?

IE Zero Day is out in the wild being exploited at the moment too! Should make for some interesting times ahead.

Farecoal
Oct 15, 2011

There he go
I disabled my Java v6 in Chrome; am I protected from this zero-day thing?

mindphlux
Jan 8, 2004

by R. Guyovich

Revitalized posted:

I am indeed using Firefox, and I tried the GooRedFix. It was done in a second but I still seem to get redirected on first click. I just decided to google "What exactly does Combofix do?" and the first link was to a forum post. Clicking on it redirected me to a Norton Security advertisement page, but I went back and clicked the link again and it took me through to the forum post.

I have combofix from when I was dealing with the Siefer previously, but it sounds a bit extreme, and also takes forever without moving, so I have no idea if my combofix died in the process or something. I guess I can just combofix before I go to sleep or something.

So, I've been having this happen on my personal machine, which is embarrassing considering I fix computers for a living. Can't seem to get the bugger. Done GooredFix, ComboFix, TDSS, a GMER scan, checked stuff with HijackThis, and no dice.

Did you ever end up figuring this one out?

Independence
Jul 12, 2006

The Wriggler

mindphlux posted:

So, I've been having this happen on my personal machine, which is embarrassing considering I fix computers for a living. Can't seem to get the bugger. Done GooredFix, ComboFix, TDSS, a GMER scan, checked stuff with HijackThis, and no dice.

Did you ever end up figuring this one out?

Windows offline defender fixed it for me. Had to do a full scan but it worked.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Worth a shot, but give RogueKiller a run and see if it detects anything on your machine: http://www.sur-la-toile.com/RogueKiller/ The site is all in French, but the application will run in English. It has been useful in the past for diagnosing various crapware that other applications couldn't find.

e: if it is SST or a bootkit based on Alureon, I used Windows Offline Defender against it and it rendered the machine I was fixing unbootable. I had to use bootrec to fix things.

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


mindphlux posted:

So, I've been having this happen on my personal machine, which is embarrassing considering I fix computers for a living. Can't seem to get the bugger. Done GooredFix, ComboFix, TDSS, a GMER scan, checked stuff with HijackThis, and no dice.

Did you ever end up figuring this one out?

Do these redirects happen on other machines on the network? It could be the DNS given by your router. Some viruses will attempt to attack the router and change the DNS to a hacker's, and they could hijack whatever links they want with it.

Basically it might not be you, but someone else on your network and you are chasing the wrong target. Virus makers are clever bastards.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.
Less of a traditional virus, but this came out of the Pwn2Own contest today:

http://www.networkworld.com/news/2012/091912-galaxy-s3-hacked-via-nfc-262590.html?source=nww_rss

NFC exploit on an S3 allows root access on the phone with no user interaction.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

All you Oracle admins might want to check this one out:
http://techcrunch.com/2012/09/20/authentication-flaw-allows-hackers-to-easily-crack-oracle-database/

It is a Big Deal.

Boing!
May 23, 2012
Weird... my machine was working fine for a while (TDSSKiller found nothing, MSE seemed to agree), but just now I went to watch a video and not only did the video driver crash, but it then told me no boot object was found and to install an operating system. So I turned it off and turned it back on, and it seems okay now. Anyone ever encounter this or know what exactly was the gently caress?

omeg
Sep 3, 2012

When it comes to manual removal of Bad Stuff I didn't see one useful technique mentioned in this thread (or just missed it). Let's say you browse through processes with Process Explorer and you identify some rogue ones (or just injected threads). You kill one only to see it being resurrected by another one.

What you can do is to suspend bad threads one by one. You're not killing them so most "safeguards" will not raise alarm, but the malware will be effectively non-functioning. After everything suspicious is sent to bed you can safely kill/remove it most of the time.

Khablam
Mar 29, 2012

omeg posted:

When it comes to manual removal of Bad Stuff I didn't see one useful technique mentioned in this thread (or just missed it). Let's say you browse through processes with Process Explorer and you identify some rogue ones (or just injected threads). You kill one only to see it being resurrected by another one.

What you can do is to suspend bad threads one by one. You're not killing them so most "safeguards" will not raise alarm, but the malware will be effectively non-functioning. After everything suspicious is sent to bed you can safely kill/remove it most of the time.
This is made redundant by safemode, though. Anything that still loads up in safemode is going to take more than ending processes and threads to remove.

Glans Dillzig
Nov 23, 2011

:justpost::justpost::justpost::justpost::justpost::justpost::justpost::justpost:

knickerbocker expert
Huh, wonder what's going on. We've gotten no less than 4 separate detections this morning for "LooksLike.HTML.Blacole.a (v)". Anyone else been seeing this pop up recently?

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Guessing that would be the IE zero day that was going around that Microsoft patched. Blackhole probably incorporated it into their attack platform.

Khablam
Mar 29, 2012

Walter_Sobchak posted:

Huh, wonder what's going on. We've gotten no less than 4 separate detections this morning for "LooksLike.HTML.Blacole.a (v)". Anyone else been seeing this pop up recently?
This seems to be a heuristic hit from VIPRE which is pretty false-positive happy. VirusTotal a sample and get a wider picture.

slightpirate
Dec 26, 2006
i am the dance commander
weeeeeeee User sent in a machine loaded with the 'FBI ransomware' variant that accuses them of downloading child porn and music and whatnot and demands they go to Walmart/CVS/Walgreens/K-Mart to get a MoneyPak worth $200 to get the FBI to release the machine, or you can put in your credit card information right from that interface! How convenient! I admire the thought put into this one, though.

I've got it running the MS Defender-Offline boot disc, we'll see how well that works.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
If it doesn't remove/detect it, boot into Safe Mode and go to Start Button => All Programs => Startup and look for "ctfmon" (not related to the real ctfmon); right-click the shortcut and check the properties, which will point you to the exe or dll file it is running.

For all the work he put into making the window look presentable, the actual malware itself is lazy. Although that could just be the author realizing that if someone doesn't pony up the cash they're probably taking the machine to a shop/relative/friend to have it fixed, so it isn't worth trying to protect their malware with elaborate setups or all that other junk. Just some quick cash.

Khablam
Mar 29, 2012

slightpirate posted:

weeeeeeee User sent in a machine loaded with the 'FBI ransomware' variant that accuses them of downloading child porn and music and whatnot and demands they go to Walmart/CVS/Walgreens/K-Mart to get a MoneyPak worth $200 to get the FBI to release the machine, or you can put in your credit card information right from that interface! How convenient! I admire the thought put into this one, though.

I've got it running the MS Defender-Offline boot disc, we'll see how well that works.

The variants I have seen of this in the UK (looks different, same thing) simply disappear after a reboot, leaving behind a couple of files that don't seem to be properly linked to run at startup. If you get major issues, there's probably something else alongside it.

Farecoal
Oct 15, 2011

There he go
Is a MalwareByte/Essentials combination good enough for anti-virus protection?

tjl
Aug 6, 2005

Farecoal posted:

Is a MalwareByte/Essentials combination good enough for anti-virus protection?
About as good as it gets for $0.00, and arguably better than paid alternatives too. I would add staying current with updates to the combination as well.

NecessaryEvil
Aug 10, 2006
Professional Slacker
Throw in a sprinkle of SuperAntiSpyware and maybe a dash of SpywareBlaster.

SAS and MBAM are reactionary programs.

SB basically just blocks known bad sites in the hosts file... I don't know if I still use it out of habit, or if it's doing me much good ever since I switched to browsers that have proper ad blockers... but it doesn't hurt.

Khablam
Mar 29, 2012

NecessaryEvil posted:

Throw in a sprinkle of SuperAntiSpyware and maybe a dash of SpywareBlaster.

SAS and MBAM are reactionary programs.

SB basically just blocks known bad sites in the hosts file... I don't know if I still use it out of habit, or if it's doing me much good ever since I switched to browsers that have proper ad blockers... but it doesn't hurt.

At which point your machine will be at 75% of its actual performance or so. Multiple programs with an active resident is just not good. MSE is already an anti-virus/spyware/malware program, so just stacking that isn't helpful.

NoScript will keep you safe from 99% of web-based threats, and sandboxing your browser will take that to 99.999999% (there is no known attack vector yet); neither of which impacts system performance.

Neither is a good choice for a computer novice, but if you know what you're doing (to some level) simply preventing the intrusion / preventing it from leaving the browser is the best way to go.

Sit behind a NAT-router, install MSE and consider it an on-demand scanner for things you're not sure about (USB sticks, etc) and sandbox your browser. You'll never encounter anything that will affect your system.

You'll also enjoy much better performance as you won't have multiple residents bogging you down, and multiple services updating their engines every few minutes.

E:
vvvvvv I slightly misread and thought you were suggesting the non-free versions.

Khablam fucked around with this message at 15:43 on Oct 14, 2012

NecessaryEvil
Aug 10, 2006
Professional Slacker

Khablam posted:

At which point your machine will be at 75% of its actual performance or so. Multiple programs with an active resident is just not good... You'll also enjoy much better performance as you won't have multiple residents bogging you down, and multiple services updating their engines every few minutes.

Which is good advice, other than the fact that the free versions of MalwareBytes AntiMalware, SuperAntiSpyware, and SpywareBlaster aren't active residents. They're normally run manually. You tell it when to update, you tell it when to scan. And when you're closed out of them, they're not doing anything to bog the computer down. If they were automated like MSE, I'd agree.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

slightpirate posted:

weeeeeeee User sent in a machine loaded with the 'FBI ransomware' variant that accuses them of downloading child porn and music and whatnot and demands they go to Walmart/CVS/Walgreens/K-Mart to get a MoneyPak worth $200 to get the FBI to release the machine, or you can put in your credit card information right from that interface! How convenient! I admire the thought put into this one, though.

I've got it running the MS Defender-Offline boot disc, we'll see how well that works.

Ugh, a guy just showed up with one of these, and he actually sent them 200 bucks.

Khablam
Mar 29, 2012

skipdogg posted:

Ugh, a guy just showed up with one of these, and he actually sent them 200 bucks.
In fairness, some variants do actually encrypt your documents - if said user had no backup for some reason*, there's data that's worth $200 for a slim chance of recovery, to some people. This is why this particular threat model is being repeated.

*the reason isn't always retardation

NecessaryEvil
Aug 10, 2006
Professional Slacker
Virus:Win32/Xpaj.gen!F can kiss my rear end.

It got past MSE, Combofix, TDSSkiller, Windows Defender Offline, MBAM, SuperAntiSpyware.

Hours put into scanning this, and now hours into backing stuff up and rebuilding the machines that are infected. It's been a long long time since I've run into anything this malicious.

Tapedump
Aug 31, 2007
College Slice
Isn't that like a year old, or am I off-base here?

What kind of system, AV, and environment? All your scans were done against the hard drive slaved to another system, right (with the exception of those that cannot do so, i.e. ComboFix)?

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Tried out Kaspersky's utility "XpajKiller"? (I'm not sure if it'll work but they have a killer devoted to it so I would hope it does since their Zbot one is a miracle worker.)

mindphlux
Jan 8, 2004

by R. Guyovich
This dumb google redirect thing on my laptop has gotten past every scanner I've thrown at it, and I can't track it down with like hijackthis or anything, though I see symptoms of it in my registry.

Anyone run into a really hard-to-find redirect recently?

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
If possible, can you provide examples/screenshots of what you're seeing in the registry? Also, if you haven't already, try giving that RogueKiller application I recommended above a run.

NecessaryEvil
Aug 10, 2006
Professional Slacker

Tapedump posted:

Isn't that like a year old, or am I off-base here?

What kind of system, AV, and environment? All your scans were done against the hard drive slaved to another system, right (with the exception of those that cannot do so, i.e. ComboFix)?


That's kind of what I thought as well... but I've also never run into that one before.

Yes. Scans were done both on the system and outside of the Windows environment. The only thing that I didn't do was the slaving, simply because at that point they'd been unable to work for almost a day due to the scans running, and it was decided to just blow it away, especially since it took out 1/3 of the company during their crunch time.


Hex Darkstar posted:

Tried out Kaspersky's utility "XpajKiller"? (I'm not sure if it'll work but they have a killer devoted to it so I would hope it does since their Zbot one is a miracle worker.)

Downloaded. Hopefully if it pops up again that will do something.

NecessaryEvil fucked around with this message at 01:55 on Oct 18, 2012

Tapedump
Aug 31, 2007
College Slice

mindphlux posted:

This dumb google redirect thing on my laptop has gotten past every scanner I've thrown at it, and I can't track it down with like hijackthis or anything, though I see symptoms of it in my registry.

anyone run into a really hard to find redirect recently?
Don't suppose Disk Management shows an extra 10MB or so partition hanging off the end of your hard drive? Even if not, check using GParted/a Linux live CD. Try TDSSKiller, too.

Khablam
Mar 29, 2012

NecessaryEvil posted:

That's kind of what I thought as well... but I've also never run into that one before.

Yes. Scans were done both on the system and outside of the Windows environment. The only thing that I didn't do was the slaving, simply because at that point they'd been unable to work for almost a day due to the scans running, and it was decided to just blow it away, especially since it took out 1/3 of the company during their crunch time.

Your company's IT structure needs a heavy-handed professional look. A year-old virus should not take out 1/3 of one system, let alone your entire workstation count. Especially when any combination of machine firewalls, an enterprise-level AV or even just security updates would have prevented this.

Unless you were just using weird plurals and superlatives to describe a single computer :confused:

What's confusing me is that removal of this particular virus is not at all complicated; when you say it is malicious, are you meaning it is reappearing or you are simply failing to find anything and think you're still infected?

It sounds more likely you have contracted a much newer rootkit which has pulled down the virus you're discussing as an additional payload.

mindphlux
Jan 8, 2004

by R. Guyovich

Hex Darkstar posted:

If possible, can you provide examples/screenshots of what you're seeing in the registry? Also, if you haven't already, try giving that RogueKiller application I recommended above a run.

So, when I run HijackThis, there are tons of references to files that no longer exist; basically anything that says "file missing". And yeah, I did give that RogueKiller app a run too. No dice.

O23 - Service: Bluetooth OBEX Service - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
O23 - Service: Intel(R) Centrino(R) Wireless Bluetooth(R) + High Speed Security Service (BTHSSecurityMgr) - Intel(R) Corporation - C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: Intel(R) Dynamic Platform & Thermal Framework Processor Participant Service Application (DptfParticipantProcessorService) - Unknown owner - C:\Windows\SysWOW64\DptfParticipantProcessorService.exe
O23 - Service: Intel(R) Dynamic Platform & Thermal Framework Config TDP Service Application (DptfPolicyConfigTDPService) - Unknown owner - C:\Windows\SysWOW64\DptfPolicyConfigTDPService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Zero Configuration Service (ZeroConfigService) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
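To make sense of a log like the one above, here is an added triage script (not from the thread, and not part of HijackThis) that parses O23 service lines and separates the "file missing" entries a 32-bit HijackThis build reports for native 64-bit system services (it reads C:\Windows\System32 through WoW64 file-system redirection, so lsass.exe, spoolsv.exe and friends all show as missing) from services whose binary really is gone or whose publisher is unknown. The sample log is constructed from lines in the post plus one made-up "ExampleUpd" service.

```python
"""Triage HijackThis O23 (service) lines: separate WoW64 reporting artefacts
from service entries that actually deserve a closer look."""
import re

# O23 line layout: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# Short service name is the last parenthesised token of the display name.
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")

# Constructed sample: six O23 lines taken from the post above plus one
# made-up orphaned third-party service ("ExampleUpd") for illustration.
SAMPLE_LOG = r"""
O23 - Service: Bluetooth OBEX Service - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Example Updater (ExampleUpd) - Unknown owner - C:\Program Files (x86)\Example\upd.exe (file missing)
"""


def parse_o23(log_text):
    """Return one dict per O23 line; anything that is not an O23 line is ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = O23_RE.match(raw.strip())
        if not m:
            continue
        name = m.group("name")
        short = SHORT_NAME_RE.search(name)
        entries.append({
            "service": short.group("short") if short else name,
            "owner": m.group("owner"),
            "path": m.group("path"),
            "missing": m.group("missing") is not None,
        })
    return entries


def is_windows_path(path):
    return path.lower().startswith("c:\\windows\\")


def looks_like_64bit(entries):
    """64-bit installs show SysWOW64 or 'Program Files (x86)' somewhere in the log."""
    return any("syswow64" in e["path"].lower() or "program files (x86)" in e["path"].lower()
               for e in entries)


def triage(log_text):
    """Bucket services by what the 'file missing' / 'Unknown owner' markers really mean."""
    entries = parse_o23(log_text)
    wow64 = looks_like_64bit(entries)
    buckets = {"wow64_artifact": [], "orphaned": [], "check_signature": [], "normal": []}
    for e in entries:
        if e["missing"] and is_windows_path(e["path"]) and wow64:
            # 32-bit HijackThis on 64-bit Windows reads System32 through WoW64
            # redirection, so every native 64-bit system service looks missing.
            # This is a reporting artefact, not evidence of tampering.
            buckets["wow64_artifact"].append(e["service"])
        elif e["missing"]:
            # Registered service whose binary really is gone: leftover from an
            # uninstall, or a removal tool deleted the file but not the key.
            # On a 32-bit log a missing Windows binary lands here too, which
            # would be a real problem worth confirming with sfc.
            buckets["orphaned"].append(e["service"])
        elif e["owner"] == "Unknown owner" and not is_windows_path(e["path"]):
            # Binary is present but carries no company string: verify its
            # Authenticode signature and hash before trusting it.
            buckets["check_signature"].append(e["service"])
        else:
            buckets["normal"].append(e["service"])
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_LOG).items():
        print(f"{bucket:16s} {', '.join(names) or '-'}")
```

Paste a full HijackThis log in place of SAMPLE_LOG; the "orphaned" and "check_signature" buckets are the ones worth chasing, while a long "wow64_artifact" list on a 64-bit machine is expected noise.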

mindphlux
Jan 8, 2004

by R. Guyovich

Tapedump posted:

Don't suppose Disk Management shows an extra 10MB or so partition hanging off the end of your hard drive? Even if not, check using GParted/a Linux live CD. Try TDSSKiller, too.

Nope, and I'm 1000% sure of this too, because I just made an image of my Win7 partition, wiped my disk clean, installed BackTrack Linux and GRUB, then restored my Win7 backup to a different partition. I basically just got done making sweet love to my entire partition table; I know it like, uhhh, the back of my hand or something.

Now that I think about it, I don't know why I didn't just reinstall Windows while I was going to all that trouble, but I guess I want to get to the bottom of this since it's my job and all. It's been like 4 years since there was a virus/malware I couldn't track down.

Matlock
Sep 12, 2004

Childs Play Charity 2011 Total: $1755
I've been seeing a lot of infections hanging out in the recovery partition lately. Not that it's all that unique historically, but there seems to be a pattern.

Khablam
Mar 29, 2012

mindphlux posted:

So, when I run HijackThis, there are tons of references to files that no longer exist; basically anything that says "file missing". And yeah, I did give that RogueKiller app a run too. No dice.


You could very well have a system file that has been replaced with a modified version. Open a command prompt and hit "sfc /scannow" and let it verify your Windows files. You may need your installation media.

If this doesn't work, back up and do a clean install, as there's no option available to you that would take less time, so you may as well invest that time in a guaranteed fix.

I assume both your hosts file and DNS addresses are standard? If so, it looks like the DNS DLL has been modified, which is something a few rootkits do.
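pixaal's earlier point about the router's DNS being swapped and the hosts-file question just above are both quick checks to script. The following is an added example, not from the thread: it scans a hosts file for entries that redirect search or update domains anywhere other than a loopback sinkhole, and pulls the DNS servers out of "ipconfig /all" output to compare against the resolvers you expect. The expected resolver set, the watched domain list and both sample inputs are constructed for this example.

```python
"""Two checks for the 'google redirect' symptom discussed in the thread:
hosts-file entries that hijack well-known names, and DNS servers that are
not the ones you configured (the router-DNS swap described earlier)."""
import ipaddress
import re

# Constructed: the resolvers this network is supposed to use (router + one
# known public resolver). Replace with your own.
EXPECTED_DNS = {"192.168.1.1", "8.8.8.8"}

# Constructed watch list: domains a redirect infection typically targets
# (search engines) or blocks (update/AV sites). Matches the domain and any
# subdomain.
WATCHED_SUFFIXES = ("google.com", "bing.com", "microsoft.com", "windowsupdate.com")

# Constructed hosts file: two sinkhole entries, two hijacks, one legitimate
# internal mapping. 198.51.100.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net         # blocklist-style sinkhole entry
198.51.100.23   www.google.com          # constructed hijack entry
198.51.100.23   update.microsoft.com    # constructed hijack entry
10.0.0.5        intranet.corp.example   # legitimate internal mapping
"""

# Constructed excerpt of "ipconfig /all": a second DNS server has appeared
# that is not in EXPECTED_DNS. 203.0.113.0/24 is a documentation range.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       192.168.1.1
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            yield parts[0], host.lower()


def _watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def hosts_findings(text):
    """Return (severity, ip, host) triples for hosts entries worth a look."""
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", ip, host))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue                                # sinkhole entry, normal
        if _watched(host):
            findings.append(("high", ip, host))     # search/update domain hijacked
        elif addr.is_global:
            findings.append(("medium", ip, host))   # hostname pinned to a public IP
    return findings


def parse_ipconfig_dns(text):
    """Collect DNS server addresses from 'ipconfig /all' output. Extra servers
    appear on continuation lines that carry only an indented address."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        cont = re.match(r"\s{8,}(\S+)\s*$", line)
        if collecting and cont:
            servers.append(cont.group(1))
        else:
            collecting = False
    return servers


def unexpected_dns(text, expected=EXPECTED_DNS):
    """Resolvers in use that are not on the expected list."""
    return [s for s in parse_ipconfig_dns(text) if s not in expected]


if __name__ == "__main__":
    for sev, ip, host in hosts_findings(SAMPLE_HOSTS):
        print(f"hosts  [{sev}] {host} -> {ip}")
    for server in unexpected_dns(SAMPLE_IPCONFIG):
        print(f"dns    unexpected resolver {server}")
```

On the affected machine, feed it the contents of C:\Windows\System32\drivers\etc\hosts and the output of "ipconfig /all"; if the only resolver listed is the router's own LAN address, check the router's upstream DNS settings as well, since a clean PC behind a tampered router will still be redirected.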


NecessaryEvil
Aug 10, 2006
Professional Slacker

Khablam posted:

Your company's IT structure needs a heavy-handed professional look. A year-old virus should not take out 1/3 of one system, let alone your entire workstation count. Especially when any combination of machine firewalls, an enterprise-level AV or even just security updates would have prevented this.

Unless you were just using weird plurals and superlatives to describe a single computer :confused:

What's confusing me is that removal of this particular virus is not at all complicated; when you say it is malicious, are you meaning it is reappearing or you are simply failing to find anything and think you're still infected?

It sounds more likely you have contracted a much newer rootkit which has pulled down the virus you're discussing as an additional payload.

I certainly don't disagree that there need to be some changes, especially after actually being there for the past few days. Some more details:
2 computers (maybe a third), out of a company of 7 architects (and 4 administrative people) are confirmed.

They are being kept up to date on Windows updates, their AV updates are up to date, their firewalls are on, and they're not running local admin.

The xpajkiller program sees nothing while MSE goes crazy detecting items every minute or so. Apparently the Trend version they're using is incompatible with Windows 7 64bit, which is why these machines are running MSE.

After reformatting the machines (DBAN included in case of a screwed up boot record), it got reinfected upon putting it back on their network. I think it's got to be something on their network, as those machines were clean. I'm going to have to go back there today and look into it.

2 XP machines had no AV. Installed MSE, and set it to scan last night.
2 XP/MSE machines detect nothing.
2 XP/Trend machines detect nothing.
2 7/MSE machines (put in 2 years ago) show clean.
2 7/MSE machines (the originally infected) are reinfected
1 7/MSE machine had MSE installed, but it wouldn't run. After trying to uninstall and reinstall, I found it wouldn't reinstall. Neither would Forefront. Neither would Avast Free. Rootkit scans haven't found anything. I've got it running a slaved scan overnight, and will check on it this morning. I'm thinking this might be the culprit.

But, if it was something on the network, it should be hitting more systems...especially the ones where there is local admin, or where there's no AV whatsoever. And a rootkit shouldn't get past a rebuilt boot record, should it?



**Update**

On site now. Everything but Trend machines say they're infected. Network rebuild from the ground up time? I imagine so, at this point. Unless I can find some single computer that's screwing everything else up...

**Update2**
1 Trend PC says it has a bad drive. That happened before this malware... so I get to definitely rebuild that one.

The other just started doing this.

NecessaryEvil fucked around with this message at 15:59 on Oct 19, 2012
