Ozu posted: I've been reading 'Practical Malware Analysis' out of general curiosity/interest and building out a segregated VMware test lab. I'm not interested in having it compromise other systems so a 30 minute test VM lifecycle while I log Wireshark and procmon activity is really all I want to do.

http://www.kernelmode.info/forum/viewforum.php?f=16
http://contagiodump.blogspot.ca/

These are two places where you can get some malware to try out.

# Mar 28, 2013 18:33

A batch script it is not, but try to use this tool: http://support.microsoft.com/mats/program_install_and_uninstall/ It might be automatable but I do know it works for force-removals of most applications.

# Apr 5, 2013 21:12

Khablam posted: Back in the year 2000 I crippled my school's IT room by running a dumb EXE/trojan and infecting all the machines on that network.

This is generally overlooked by most systems administrators, whose first reaction is to blame the anti-virus vendor as opposed to actually investigating what made it get into their systems in the first place. If one user has the ability to compromise network shares and create headaches for your 1,000+ machine network all through one false move, you have a problem with an infection as well as with your IT policy. Anti-virus solves the layer 8 problem only so much. It isn't bullet-proof and, considering the type of infection previously indicated, it's the type that the AV vendors struggle with a lot.

Lain Iwakura fucked around with this message at 06:44 on May 8, 2013

# May 8, 2013 06:42

I have a bridge to sell you. AV in the long-term is dead, but that's some pretty tripe stuff there.

# Sep 12, 2013 16:11

bull3964 posted: I just wish every piece of networking equipment in existence didn't require Java to use the interface. Hell, flash would be preferable at this point.

You should be sandboxing Java then.

# Jan 6, 2014 19:17

Scaramouche posted: So new 'exploit of the week': Shellshock affecting Mac OS X and most flavours of Linux. Have you guys noticed any changes in remediation strategies now that vulns seem to have PR campaigns and dedicated web pages?

I think you should check out this thread since stuff is getting posted there about it once in a while. But to answer your question: the solution is to just update your Bash installation on any system that may be running Bash and to consult with any vendors. The biggest pain you might have may be any systems that have the console locked out. There are no sensible remediation steps other than that, sadly.

# Sep 25, 2014 21:23

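The "update your Bash installation" advice above leaves the practical question of how to tell whether a given host has actually been patched. What follows is an added example written for this page, not code from the thread or from any vendor: it wraps the widely circulated CVE-2014-6271 probe (`env x='() { :;}; echo vulnerable' bash -c "echo test"`) in Python so it can be run from an inventory script. The environment variable name `probe`, the marker string and the function names are arbitrary choices made here. It tests only the original bug; the follow-up Bash CVEs (CVE-2014-7169 among them) needed their own probes, so a False here means the first patch is present, not that the host is fully current.

```python
import shutil
import subprocess
from typing import Optional

# The function body "() { :; }" is harmless. The command after the closing
# brace is what an unpatched bash wrongly executes while importing the
# function definition from the environment.
SHELLSHOCK_PROBE = "() { :; }; echo SHELLSHOCK_VULNERABLE"
MARKER = "SHELLSHOCK_VULNERABLE"


def output_shows_vulnerable(stdout: str) -> bool:
    """Classify captured output: the marker only appears as its own line if
    bash ran the trailing command while parsing the environment variable."""
    return MARKER in stdout.splitlines()


def bash_is_vulnerable(bash_path: Optional[str] = None) -> Optional[bool]:
    """Run the probe against one bash binary.

    Returns True if the trailing command executed (unpatched for
    CVE-2014-6271), False if it did not, and None if no usable bash binary
    could be found or run (so an inventory script can tell "patched" apart
    from "not tested").
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    # Minimal environment: the probe variable plus a PATH, nothing inherited.
    env = {"PATH": "/usr/bin:/bin", "probe": SHELLSHOCK_PROBE}
    try:
        completed = subprocess.run(
            [bash, "-c", "echo probe-done"],
            env=env,
            capture_output=True,
            text=True,
            timeout=10,
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return output_shows_vulnerable(completed.stdout)


if __name__ == "__main__":
    verdict = bash_is_vulnerable()
    print({
        True: "bash executed a command smuggled in an environment variable: VULNERABLE",
        False: "bash ignored the trailing command: patched for CVE-2014-6271",
        None: "no usable bash binary found",
    }[verdict])
```

Run it as-is to test the bash on PATH, or pass an explicit path to check an alternate build. Because the probe only asserts on the marker line, a bash that prints a warning about the ignored function body (as the patched versions do) still classifies correctly as not vulnerable.
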
I don't think many of you have ever worked in a high-security environment either.

# Nov 25, 2014 18:27

Khablam posted: Eh, my post is the victim of editing in 3 different answers. Everything I've seen about these ransomware viruses suggests it's RSA encryption at 2048. With RSA encryption on encrypt though, it doesn't suffer the crippling performance issues you get with decryption - I assume they only care about the encrypt time?

You sound like you've been reading up on Wikipedia. Of course the malware is going to use an asymmetrical cipher. Most of these file-encrypting malware work silently and only alert you once it has completed its task. There is no need to necessarily worry about performance, but if you must then yes, the process to encrypt using an asymmetrical cipher like RSA is substantially faster than the decryption process due to the need to compute large numbers in order to initiate the process. I won't elaborate further, but if you had spent enough time on Wikipedia like you did earlier, you'd already know this and wouldn't need to spout this off.

The idea that it would store an AES key somewhere in memory to encrypt files "like SSL" means that not only do you know absolutely nothing about malware (as evident in another thread), but also about how encryption can be properly implemented safely and adequately. I don't care to admit that I am a crypto expert (I am not), but what I will tell you is that it is people like you that make my job a pain in the rear end. I kindly suggest that you help people set up Microsoft Outlook or give tips on how to succeed at League of Legends instead of mouthing off opinions about security as if you have any clue.

Lain Iwakura fucked around with this message at 02:33 on Jun 23, 2015

# Jun 23, 2015 02:27

Mustache Ride posted: Yeah, the payload is delivered by an exploit kit (the most popular one I've seen is called Neutrino), and once the payload has been deployed it calls back to a command and control server to request a unique AES-256 public key for that machine. There have been different encryption methods in the past, but the more recent actors have been using AES. Then that public key is used by the payload to search out specific file extensions and encrypt them with the unique AES key.

An "AES-256 public key"? AES is a symmetrical cipher. You're being just as bad as Khablam and shouldn't talk about encryption either.

# Jun 23, 2015 15:12

tentative8e8op posted: So what I'm getting is, if AES is used for their encryption, there's no real reason I shouldn't be able to restore my files? I don't know much about encryption but most articles I read online mentioned using RSA as their encrypter, and I feel like using AES to encrypt, instead of a public key, is like a thankfully weird flaw if true.

If AES were being used to encrypt your files then you'd be able to pull the details for the key out of memory if you were to catch it in time. The reason why you'd use an asymmetrical cipher is that you'd keep one of the key pair remotely, so even if the public key were to be found (which isn't hard), it would be useless to your victim because it cannot be used to decrypt the contents. Your odds are in the realm of possibility if they were being loving stupid and used AES to encrypt everything (assuming you got the key out of memory, not bruteforced it), but your odds are near-infinity before you'd decrypt it without knowing the private key pair. This is why CryptoWall and its ilk are so effective: without a backup you're beholden to the malware writers for that paired key.

Lain Iwakura fucked around with this message at 15:25 on Jun 23, 2015

# Jun 23, 2015 15:22

Mustache Ride posted: Sorry, not enough coffee yet. Yes. https://kc.mcafee.com/resources/sit..._Cryptowall.pdf

quote: The malware uses an AES algorithm to encrypt the files. The malware first generates a 256-bit AES key which will be used

# Jun 23, 2015 15:42

Khablam posted: Have you even noticed that you've contradicted yourself in your never-ending urge to be a pedantic shitler every time I make a post? At first I'm a complete idiot for thinking it was probably using RSA for key exchanges and running AES locally, but then here you are posting a tear-down where it's doing exactly that. Good stuff all around.

If you clued into what I wrote you'd notice I didn't contradict myself. But that's okay, I am not going to argue with someone who thinks it works "like SSL".

# Jun 24, 2015 00:44

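The posts above argue over whether the files are encrypted with RSA or with AES; the McAfee excerpt describes the usual hybrid construction, and the point made in the thread is that the victim's host only ever holds the attacker's public key plus a wrapped content key. The following is an added illustration written for this page, not code from CryptoWall, from McAfee, or from anyone in the thread. Because the Python standard library has no AES, it uses two deliberate stand-ins: textbook RSA with a toy 384-bit modulus and no padding in place of 2048-bit RSA with proper padding, and a SHA-256 counter-mode keystream in place of AES-256-CTR. The function names, the 32-byte content key, the 16-byte nonce and the sample file contents are all assumptions made here. It demonstrates both recovery paths the thread describes: the attacker's private key unwraps the content key, and a content key pulled from memory while the process was alive decrypts the files, but the public key alone does neither.

```python
import hashlib
import secrets
from typing import Dict, Tuple

RsaKey = Tuple[int, int]  # (modulus n, exponent e or d)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test; sufficient for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 384) -> Tuple[RsaKey, RsaKey]:
    """Return (public, private) as (n, e), (n, d). 384 bits is a toy size chosen
    only so that a 32-byte content key fits under the modulus; real keys are 2048+."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(public: RsaKey, key: bytes) -> int:
    """Textbook RSA (no padding) of the content key; real code uses OAEP."""
    n, e = public
    m = int.from_bytes(key, "big")
    if m >= n:
        raise ValueError("content key does not fit under the modulus")
    return pow(m, e, n)


def rsa_unwrap(private: RsaKey, wrapped: int, key_len: int) -> bytes:
    n, d = private
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256-CTR: XOR data with SHA-256(key || nonce || counter)
    blocks. Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt_on_victim(public: RsaKey, files: Dict[str, bytes]):
    """What runs on the infected host: one fresh 256-bit content key encrypts
    every file, the key is wrapped with the attacker's public key, and the
    plaintext key exists only in memory for the duration of the run. It is
    returned here purely to model a defender dumping it from memory in time."""
    content_key = secrets.token_bytes(32)
    encrypted = {}
    for name, data in files.items():
        nonce = secrets.token_bytes(16)
        encrypted[name] = nonce + keystream_xor(content_key, nonce, data)
    return encrypted, rsa_wrap(public, content_key), content_key


def decrypt_files(content_key: bytes, encrypted: Dict[str, bytes]) -> Dict[str, bytes]:
    return {name: keystream_xor(content_key, blob[:16], blob[16:])
            for name, blob in encrypted.items()}


if __name__ == "__main__":
    # Constructed sample "files"; nothing here touches the real filesystem.
    sample = {"report.docx": b"quarterly numbers", "photo.jpg": secrets.token_bytes(100)}
    pub, priv = rsa_keygen()
    enc, wrapped_key, captured_key = encrypt_on_victim(pub, sample)
    # Attacker path: the private key, never present on the victim, unwraps the content key.
    assert rsa_unwrap(priv, wrapped_key, 32) == captured_key
    # Defender path: only a key pulled from memory while it was alive decrypts.
    assert decrypt_files(captured_key, enc) == sample
    assert decrypt_files(secrets.token_bytes(32), enc) != sample
    print("files recoverable only via the private key or a captured content key")
```

The design point to notice is that nothing on the victim side is wrong with the symmetric cipher: the "AES key in memory" objection only matters if you can capture it before the process exits, after which the wrapped copy is the only one left and the public key is useless for unwrapping it.
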
mindphlux posted: I've encountered a large number of machines over the last 6 months with corrupted .NET 4.0 or 3.5 files, which I'm pretty sure are virus related. My team wastes an inordinate amount of time on fixing these issues, and it usually boils down to copying known good mscoree.dll or mscorwks.dll files over on top of a hosed up install.

That sounds unusual and doesn't really seem to exhibit common malware traits--I wouldn't rule it out, however. Here's a question though: have you checked the MD5/SHA/whatever sums of what you consider broken against what you know is working? If you can at least narrow down what files are actually getting broken, it might help you determine a cause. I wouldn't just look at the two aforementioned files and assume that is the whole story.

# Jun 27, 2015 17:52

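The hash comparison suggested above, as an added example that is not part of the original post: it snapshots the SHA-256 of every DLL and EXE under a directory, then diffs a suspect snapshot against one taken from a known-good install, so the list of changed files is the complete set rather than the two DLLs you happened to notice. The directory-walking helper is for real use; the sample contents at the bottom are constructed byte strings standing in for file contents, and the file names and the verdict labels are placeholders chosen here.

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterable


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path, suffixes: Iterable[str] = (".dll", ".exe")) -> Dict[str, str]:
    """Snapshot of a directory: relative path -> sha256 for every matching file.
    Run once on a known-good install for the baseline and again on the suspect."""
    wanted = tuple(s.lower() for s in suffixes)
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in wanted
    }


def compare_snapshots(baseline: Dict[str, str], suspect: Dict[str, str]) -> Dict[str, str]:
    """Per-file verdict. 'mismatch' is a file present in both whose bytes differ;
    'missing' and 'unexpected' catch deleted and newly dropped files, which a
    check limited to two known names would never surface."""
    verdicts: Dict[str, str] = {}
    for name, expected in baseline.items():
        actual = suspect.get(name)
        if actual is None:
            verdicts[name] = "missing"
        elif actual == expected:
            verdicts[name] = "match"
        else:
            verdicts[name] = "mismatch"
    for name in suspect:
        if name not in baseline:
            verdicts[name] = "unexpected"
    return verdicts


# Constructed sample contents standing in for real file bytes; nothing here
# reads a real .NET installation. The names are placeholders.
KNOWN_GOOD = {
    "mscoree.dll": b"known-good mscoree bytes",
    "mscorwks.dll": b"known-good mscorwks bytes",
}
SUSPECT = {
    "mscoree.dll": b"known-good mscoree bytes",
    "mscorwks.dll": b"tampered mscorwks bytes",
    "extra.dll": b"file that was not in the baseline",
}


def demo_verdicts() -> Dict[str, str]:
    baseline = {name: sha256_of_bytes(data) for name, data in KNOWN_GOOD.items()}
    suspect = {name: sha256_of_bytes(data) for name, data in SUSPECT.items()}
    return compare_snapshots(baseline, suspect)


if __name__ == "__main__":
    for name, verdict in sorted(demo_verdicts().items()):
        print(f"{verdict:10s} {name}")
```

For real directories, `hash_tree(Path(r"C:\Windows\Microsoft.NET\Framework"))` on a clean machine and on the suspect one gives the two snapshots to feed `compare_snapshots`. On Windows the stronger check for a Microsoft binary is that its Authenticode signature still verifies (Sysinternals sigcheck does this); the hash diff tells you which files changed, the signature tells you whether what is there is Microsoft's.
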
BaseballPCHiker posted: Has anyone tried using this Tron script yet: http://forums.somethingawful.com/showthread.php?threadid=3723583

Read this thread to determine what AV to use.

# Jul 31, 2015 15:22

BaseballPCHiker posted: Cool so pretty much watch what you click on and install ublock. That's what I thought, but I know grandma is going to ask me about Norton protecting her eWallet from the hackerz she saw on the news and oh lordy now I got a recipe toolbar.

Did you read the part about picking and choosing an AV? It's pretty clear there on how to choose. If you pay for Norton, it's going to be no more effective than if you decide to get McAfee. If you want to save some money, any of the free AVs will do. All AV is the same and effectively useless. Get your grandma a Chromebook if you don't want to spend too much time fixing her stuff.

# Jul 31, 2015 15:59

BaseballPCHiker posted:I think we're agreeing? They all use the same amount of resources give or take. Just get a free one and be done with it. Here, I made a choice at random for you: Microsoft has an AV so use that.

# Jul 31, 2015 16:30

Professor Shark posted: I posted this in Hardware but maybe this is a better spot to ask: I just got my computer back from the shop after getting infected with Malware. I've changed all my important passwords and requested a new credit card, but I'm worried about plugging in my External Hard Drive. Is it possible for it to be infected? What can I run to put my mind at ease?

Two things:

1) Just boot off of an Ubuntu disk and see what's on there. If you see anything malicious on there, remove it or somehow neuter it.
2) Make sure AutoRun is completely turned off. If AutoRun does not pick up on your drive, you should not have an issue plugging it in even if it is infected.

I guess the third thing could be don't have it plugged in at bootup too.

# Aug 26, 2015 18:51

-Troika- posted: An old router I plugged in to test for something became infected with Linux.Wifatch within minutes, which... hardens the router against further attacks?

Throw it out. While sure, this malware may have protected you from something, the fact that this happened and the fact that foreign software was installed on your device without your consent does mean that you cannot trust it. Just buy a new D-Link or something router and don't plug it into the Internet until you're certain that nothing can access the device from the outside.

# Oct 4, 2015 16:13

OWLS! posted: To be fair, it infects devices via insecure telnet passwords and removes itself upon reboot.

To be fair, you're assuming that you know exactly what the third-party code did and assuming that it removed itself at reboot. You are also assuming that the flashing mechanism hasn't been touched either. Please don't take offence, but don't give lovely advice like this. It's what makes my job much harder. Thanks.

# Oct 5, 2015 20:58

Prosthetic_Mind posted: Once a system like that gets infected, you're relying on the malware to allow you to flash the firmware. There's nothing you can do to verify that it isn't installing hooks into it when you upgrade and even reporting an MD5 that indicates that the image is clean.

This is exactly the thing I am bantering about. For the majority of you in this thread, you're all likely going to try and flash the device via the web interface. You have no assurances that the flashing tools included with the software haven't been compromised and you definitely cannot tell me that the settings stored within the router's NVRAM will not persist after a flash and restart. Even trying to fix it using TFTP and whatnot does not provide you a guarantee that the problem has been mitigated. The purpose of such software is to remove the problem from the public Internet. It's a bandaid and an improper one at best. If you find out your device is affected, the best course of action is to outright remove it from your network and pick up another one. Someone has gone and modified your device without your consent and even if you think it was for the best you cannot be certain of that.

Lain Iwakura fucked around with this message at 21:27 on Oct 5, 2015

# Oct 5, 2015 21:23

Toast Museum posted: Didn't it come out that intelligence agencies were intercepting shipments of hardware and reflashing them with compromised firmware before they hit the market?

Yes. But for devices that typically cost thousands as opposed to $60 for a home network device.

# Oct 5, 2015 23:50

Subjunctive posted: The cheaper ones they can probably compromise during manufacturing.

If it's a TP-Link, you're right.

# Oct 6, 2015 05:06

pixaal posted: What should we be using instead for passwords that don't realistically work with keepass such as windows login and the keepass password itself? It takes forever to crack a 30+ character password even if you knew it was only letters, which you obviously shouldn't do. Or are you bashing keepass? You shouldn't leave a note about the password at all unless you are using it as your sole system because you find keepass too much of a pain somehow.

Uh. So you're making too many assumptions here. First of all, where you cannot use a password manager, you should be using passwords that you can actually remember. There is nothing wrong with this mindset, as there are solutions around this but they're not really practical for most people's day-to-day use. The kicker is that you are supposed to not reuse the password anywhere else. If you are using the same password at home as you are at work, you're being stupid about it. If you have the same password across your desktop and your laptop, for example, that is not really dumb because they're your machines and you reduce the risk of both your home life and work life getting compromised. However, when it comes to using services that you have zero control over or beyond your own computer's login, you should be using randomly-generated passwords stored within a password manager. Starting off, your password manager should have a password that is not reused elsewhere, and if you can help it, introduce some sort of two-factor authentication (be it a key file or some sort of token-based device). It's very easy to keep a few passwords memorized as long as they're limited to things like your password manager or computer login, but these passwords should not be reused elsewhere at all and should be unique to the service or system they are for.

For a nice convenience factor, you can use your password manager in conjunction with a cloud-based file sharing service like Dropbox or OneDrive so you can have access to the password file from your work computer, home computer, mobile phone, or whatever. In the password manager, you should be taking an inventory of all of the services and systems you have access to and want to manage within it. When you start to use one, you should immediately use this as an excuse to do two things: the first being to change the passwords on all of the services and the second being to enable any sort of two-factor authentication scheme that the service provides. When you reset the passwords, you should make note of the password length requirements and use them to their maximum. Save the passwords and make sure your accounts are up to date with regards to e-mail address and phone numbers in case you run into problems getting into them later on. There is absolutely no excuse for not using a password manager if you're resorting to silly ideas like songs or mnemonics. Please don't suggest this openly, and if you wish to continue using this idea then keep it to yourself as you're putting others at risk. I do also suggest reading this thread and asking questions there.

# Oct 16, 2015 15:52

myron cope posted: I also don't understand why them being hacked should be a factor. To me, their response should carry more weight than just the fact that they were hacked. We have a security guy at work and it seems like his only consideration is if something was hacked or not.

Because it comes down to how they were breached and the consistency of them being so. Here are articles from the past four years of LastPass being breached:

https://blog.lastpass.com/2015/06/lastpass-security-notice.html/ - PII details stolen
http://arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse/ - exploit to steal credentials for other websites
https://blog.lastpass.com/2011/05/lastpass-security-notification.html/ - likely a database breach

So we have one vulnerability in the software allowing attackers to potentially steal credentials, and then the other is where information was compromised. Even if LastPass is using sane software development techniques, they're still a target and I don't think that the worst to happen to them has happened. Personally I'd avoid them simply because you have zero control over how your passwords are stored and there are far more reasonable methods to go about this. If you or your security person (which I think and hope you're giving a gross simplification of their statement here) have this idea that a website should be "hacked" before you'll consider it secure, then that's woefully ignorant. Breaches do happen and can be forgivable, but you should not trust a site after the fact without a decent understanding of how they got breached in the first place. In the case of LastPass we've had stolen information and a vulnerability that could have led to users having their credentials stolen. None of this would have happened if you had a password manager like KeePass, or it would have been quite limited with something like 1Password.

# Oct 18, 2015 17:54

Read this thread if you have malware on your workstation.

# Oct 22, 2015 03:58

mindphlux posted: someone should just add this to the OP tbqh

No. Stop giving terrible advice. Just read the thread I linked to and consider your options.

# Oct 22, 2015 04:02

mindphlux posted: you have given some decent advice in this thread, but.......... really? your linked thread doesn't address malware removal at all, and the advice given is.... errr.... ??? "unplug your machine from the internet and run an (undefined) scan"? or reformat? dunno what you're on about dude...

Yes. This is sane advice. Is it hard to understand?

mindphlux posted: it has been effective in practice for me for the past 5 years, I can think of only 2 machines out of several hundred where I wasn't able to identify/remove the malware, and had to reflatten. I mean, I do this for a living.

Great. I am glad that something that has "worked" for you over the past five years has been effective in giving you the illusion that you've "fixed" the problem. How about understanding the problem at hand or, as you put it, "GTFO"?

mindphlux posted: rkill

If you're so certain about this advice, please explain to me in detail why you feel justified in suggesting each of these tools and methods. If your experience is as good as you think, you should be able to tell me with confidence why your advice is sound and why I am completely wrong. I am waiting with eagerness here.

# Oct 22, 2015 15:49

mindphlux posted: almost every one of the tools I listed gives you logs that are very useful in tracking down whatever the gently caress has gone wrong, and if you're competent, you can identify and remove the most lovely portions of the malware on a system and rehabilitate it in 30-45 minutes. that's 30-45 minutes too long, but again, give me a more time effective solution and I'm all about it. flatten and reinstall? lol yeah, totally going to bill a client for 5 hours of time while I do the needless and support them while they try and track down all their software installs and licenses and reconfigure all their poo poo. should I have prefaced this by saying my company is a MSP for small to midsize clients, with very disparate budgets and operating environments?

And of course right off the bat you go to the example of your clients and not to the fact that you cited a list of applications that you yourself had claimed as sure-fire by stating "someone should just add this to the OP tbqh". I don't give a gently caress if your attitude is because your clients are cash-strapped and/or insignificantly sized, or if that leads you to believe that your advice is sound by your accounts, because it is not. You're free to go and milk your clients for your work by underselling them, but you're not free to give poo poo advice with the expectation that said poo poo advice won't be called out. Again, can you explain to me what each of those tools does and why you think that they're good enough for you to come into this thread and cite them as a solution? Or are you unwilling to do this because you feel it is better to boast about owning some insignificant service provider and that you've managed to save your clients money by not being truthful about what these tools actually do? Of course you cannot prove a negative: that is exactly my point. So again, instead of citing "experience" or "saving my client money", why not tell me why you think those tools are good enough for the OP?

Lain Iwakura fucked around with this message at 17:26 on Oct 22, 2015

# Oct 22, 2015 17:21

mindphlux posted: Yes, I'm completely willing to do this, and have already several times. They are diagnostic tools that help identify malware, provide their user with logs, and allow you to rehabilitate otherwise unusable systems. And yes, of course scanning offline.

As expected, you're incapable of responding seriously about why those ten items are good enough for you to suggest that they go into the OP and would rather instead back-pedal, resorting to telling me that "I am trolling you" and as a result you "shouldn't continue seriousposting". I'll gladly say this: you're fleecing your customers and I can easily tell you this because you cited ComboFix, which is generally the go-to tool for those who wish to come off as "superhero IT person". I've provided more than enough information on why your advice is dangerous, wrong, and bullshit in the thread I posted. So I'll change my request to the following questions:

- Why do you believe that ComboFix is the best tool for the job?
- Why do you suggest those two malware solutions over something else?
- What belief do you have that the logs have not been tainted post-infection?

I am not "trolling you", I am calling you out on your feckless ability to actually tell me what you're attempting to accomplish. Why are you too chicken-poo poo to reply to me with an answer? In the eyes of others reading the thread, you're contributing sweet gently caress all, as the link to the thread I created has more than enough information for a person to decide what the best course of action is. If you have even bothered to read it, it doesn't immediately tell you to "flatten the machine" as you erroneously claim; it suggests considering the ramifications of not doing so, which means I am asking for people to assess the risk. In your case, you do zero risk assessment and falsely assume that your fixes will be fine, which is outright dangerous considering you must have clients who work with sensitive information.

To add to this, at no point have I cited my credentials, work experience, or the fact that I have been doing this for n years. This is irrelevant to the conversation when I am asking you questions about why you are reluctant to come out and explain why your advice is sound. Answer my questions and stop giving loving idiotic advice.

# Oct 22, 2015 17:50

Khablam posted: Beandip and Wiggly aren't wrong, they're just approaching the problem as though every piece of malware is custom written for their machine and they're a middle-eastern state starting a nuclear program. So you're just arguing a POV, and they won't ever budge. Just give up.

You, just like the other person, don't understand the concept of "risk assessment", which is something that glorified help desk technicians fail to grasp. Have you even read the thread I posted after your idiotic one was closed? I know that you have sour grapes for having been called out in the past for giving bad advice, but it does say that you need to consider how bad the situation is before you decide on what to do next. Post-infection, do you trust that machine to handle sensitive tasks? For the average user in this thread, are you willing to log into your various accounts (like online banking) given the past history of your current OS install? Considering consumer protection laws in the United States, do you really want to continue to access details on your finances on a machine that may still be compromised? This is part of why I rail against you and the other person for these things, because neither of you has the concept of "risk assessment". I think it's telling that you have no clue about things when you go on about a "0.001% threat chance", but unlike mindphlux, I don't think you're fleecing clients; you are just generally unaware of what is going on. You and mindphlux are being called out because you give bad advice and have no concept of other terms used in information security. I get that you believe you're doing the right thing, but you do not demonstrate an understanding of fundamental concepts and have never given consideration to the ramifications of outright "fixing" an infected machine.

Lain Iwakura fucked around with this message at 19:00 on Oct 22, 2015

# Oct 22, 2015 18:56

Geemer posted: How do you trust your computer not to be infected already? Maybe it's such a good malware that you can't even find it.

Why I bring this up is that banks want to limit liability as much as possible, and it shouldn't surprise anyone that if they get wind of your computer being the sole reason, or even just a contributing factor, for your account getting breached, they gain the ability to tell you to deal with the matter yourself since they're not at fault. I was trying to dig up a news piece on this very thing happening, but in my cursory search I couldn't find the article I knew about where this did happen. So yes. My statement about consumer protection laws is more than apt here.

Khablam posted: How have you concluded the threat chance of a machine that shows clean to the list of things he mentioned?

Of course there is a chance. I have never disputed that. What I am saying, and what you're failing to understand here, is that you cannot prove that the infection has been resolved. Again, does the concept of "risk assessment" elude you? Read my above post for why any person should be paranoid. It's not without justification and I think you're arguing with me because I've proven time and time again that you're wrong.

# Oct 22, 2015 19:50

Wiggly Wayne DDS posted: Analogy, but when we're talking about infections and how poor solutions make a situation worse the line really becomes blurred.

Oh. But it's okay because I'll just state that it's not worth my client's time to go and do things the right way and then go on about someone being a "loony" when they call me out on my inability to comprehend the problem at hand. And that is why we have things in the state they are: because people don't want to take the time to understand things.

# Oct 23, 2015 21:21

Khablam posted: Usually people only get as mad-angry as you do over this when they feel like their USP is being infringed upon. I get it, 10 years ago you were a ~genius~ if you could stop mom's PC from having that weird popup, but now that people have largely worked this out for themselves you need to constantly yell that they're doing it wrong to convince people you have value.

Sure. How about a rootkit where the OS is compromised before the bootloader is even engaged? I am sure your help desk experience will give me an enlightened response.

# Oct 24, 2015 22:30

Khablam posted: Which one in particular does this whilst not appearing to an offline scan or the other rootkit tools mindplux mentioned?

You're failing to provide answers with examples where I am supposedly wrong other than theoreticals. So far you've demonstrated that you can only think of what a tool outputs and have provided no notion of experience of working with real malware. Tell me, what experience do you have with malware? Is it just from the help desk that you work at? Once again, tell me how you address a rootkit where the OS has been compromised before its bootloader has been engaged. Cite the exact process and why you think that this methodology is foolproof. Don't go on about some other thing where all you're doing is trying to belittle me while failing to adequately answer my question.

Also, to your "risk assessment" point: you're being completely obtuse and because of this I reserve the right to belittle you here. I've spelt out a perfect example where a typical user is at risk of having issues with their financial institution due to an infected machine, leading to a potential for real financial loss--was my post too complicated for you? If so, I'll gladly simplify it. To add: a "risk assessment" is not about "analysing hostile elements". A "risk assessment" involves researching the situation and determining the outcomes and consequences, leading to a result that'll let you determine if the risk is acceptable or not. Here's something from the US government if you need to learn a bit more, because I think you probably do.

Also, at no point have I brought up any "half-insane researchers" so I am not sure why you're choosing to say this. Hate to break it to you, but I have met the "half-insane researcher" you're alluding to and you don't even know half the truth of his nuttiness. So again, instead of trying to go on a feckless tirade about how I am supposedly wrong here, why not answer my question? Surely your confidence in your response can be turned into a technical answer, right?

Lain Iwakura fucked around with this message at 18:23 on Oct 25, 2015

# Oct 25, 2015 18:17

mindphlux posted: no, I actually have asked about 5 times for examples of how you guys propose to handle malware/virus problems in a reasonable amount of time. I outlined my SOP line by line, please outline yours line by line.

But your suggestion from earlier is good enough to tell people that your method should go into the OP? Do you tell your customers that they're putting themselves at risk by just having things "cleaned up" instead of addressed properly? This is why you're getting shitted all over here. You come into the thread, list off a bunch of tools without explaining anything about what each does (and I suspect that you don't know anyway), and then cry foul when you're called out over it. If you had at least disclaimed, "this is a way that you could address your malware infection but you should think about the risk you have by not reformatting", then I wouldn't have given a drat, because that is the way you should approach it. However, you instead didn't like the criticism I gave of your post and then went on some dumb tirade about how I am "trolling you" when in reality I was pointing out that you have no clue. Most people who go about suggesting ComboFix tend to be the type that think that it's an IT worker's wet dream. You just wanted to come in here and act like an "IT superhero", like most of your type believe you are, with a suggestion without warning. You don't even point out the problems that someone will have with the tools you suggest either. How did you know the person who requested help could use at least a third of them, knowing what they do? That's loving dumb and in some ways dangerous and negligent.

Lain Iwakura fucked around with this message at 15:07 on Oct 27, 2015

# Oct 27, 2015 15:05

Since Khablam has yet to answer my question about how to deal with rootkits, I'll ask mindphlux here:

mindphlux posted: rkill

Which of these tools will address a rootkit where the malware is loaded before the bootloader? Explain to me why you'd think that, if you really do believe you understand how the tools work.
|
# ¿ Oct 27, 2015 15:33 |
|
Toast Museum posted:While we wait, can you talk a bit about your process? What tips you off that such an infection is present? Do you attempt to identify the malware, and if so, how? What additional steps do you take before/after formatting and reinstalling? These are good trick questions and something I did cover in the thread I made that tells one how to properly address malware. What tips me off when an infection occurs is really no different than most: something obviously malign has happened. The problem we have though is that that isn't always the way that something will get detected because if the malware is designed to hide itself, you may just not know. In a controlled environment (like a sandbox), it's quite apparent what changes were made by the malware, but on your day-to-day machine? Good luck. For those of you who want to refute this, even anti-virus vendors themselves cannot detect some malware that's sitting right under their nose. Detections are easy to avoid if you understand how anti-virus engines work. I know of cases where the AV vendor gets desperate enough to just detect malicious software by its icon resource and nothing more because the file is packed in such a way that makes it difficult to write an effective signature. Suspicious behaviour creates far too many false positives for what it is worth--it's bad to the point where rolling it out on a corporate network would probably generate far too much noise. More often than not I do not attempt to detect the type of malware except if I am of the belief that it is a targeted attack. In that case, I do go and retrieve the malicious files and then run it in a sandbox. If it looks dire, I'll go and do some simple reverse engineering to see what it may be. At the extreme end, I have in the process taken over a botnet in order to get an idea of the problem at hand. It's a lot to go over but I am always happy to share stuff with people who are interested in this sort of thing. 
For your last question: it's pretty simple as all I suggest is nuking the bootloader as that is for now the best course of action. My biggest fear is that with SSDs becoming more mainstream and the fact that there is little care put into how these drives are designed (I legitimately have no faith), it may get to the point where malware remediation may become nigh-impossible. SSDs do happen to run their own software stack to manage everything and we already have proof of concepts with old fashioned platter disks. Of course this is "looney talk" as Khablam puts it. redeyes posted:Roguekiller would check the boot stuff. You didn't list it. So the malware is loaded before the boot loader? How about imaging the hard drive and then zeroing it out and restoring only the MBR and main partition? Re-read what I posted: I didn't create this list. And yes. Destroying the bootloader is the only way to fix it. Of course, mindphlux's list of idiot tools would have not done this and therefore his client's machines run the risk of getting reinfected. Also this infection vector does exist and was a way that fake anti-virus kept leverage on machines. But hey! They're not my clients! Lain Iwakura fucked around with this message at 17:22 on Oct 27, 2015 |
# ¿ Oct 27, 2015 16:55 |
|
Toast Museum posted:I want to be clear that I did not intend for them to be trick questions. I guess I'm admitting to some ignorance here, but I'm not even sure what the trick would've been. Thanks for replying; I'll check out the other thread. Nah. I know you didn't. But they're trick questions nonetheless.
|
# ¿ Oct 27, 2015 17:17 |
|
mindphlux posted:so finally, after all this, your argument is 'you didn't check the bootloader'. why didn't you say this ages ago? I do when I think it's warranted, but it doesn't matter at this point - what matters is having an educational thread for the forum. not e-pointscoring or swinging your dick. PS, I've read your thread, it doesn't really have any helpful information beyond a paranoid 'you guys are hosed, reformat!!'. stop pointing people at it. Sorry. So far what you've opened up with is, "you've caught me not knowing what I am talking about but I've opted to continue on about how you're wrong because my ego cannot take a hit". You went and suggested a list of tools, said it belonged in the OP, failed to demonstrate what you know about those tools, and then got upset when I demonstrated that you're talking out of your rear end. Here's what I said in the thread I made: quote:Secondly, you'll want to evaluate what action you'll want to take. If you believe that the infection is something minor like fake anti-virus or something that is creating popups, perhaps you should just do an offline scan of the machine. However, if the machine is severely infected where you are not sure what is going on, are you going to continue to trust that machine with details like your online banking, e-mails, and perhaps your SA forum account? If no, consider a wipe and restore here. Because I think you have poor reading comprehension skills, I'll simplify this for you further:
At no point do I suggest "format first; don't ask questions" because all I am asking for the individual is to make a personal risk assessment of the continued use of that machine. If the risk is acceptable, then continue to use the machine; if you believe otherwise, then loving don't. This concept goes over your head because you appear to have a lack of critical thinking skills, but it's easier for you to go back on telling me I am wrong I am sure. quote:w/rt clients : some have spare machines, some have budgets where the concept of 'a spare machine' is laughed at. 'we'll buy it when we need it!!' or 'why are you asking me to spend $1000 and hours of billable time on something that I'm not going to use'. I'm good at persuading and justifying a responsible approach to IT, but unless you've worked for a MSP, I don't think you'd understand what you're up against. You're making assumptions about me and my job history; it's really cute. I have a very, very good understanding of the MSP world--a lot of providers tend to undercut their competition and do so by offering shoddy services like you do. I like how you keep falling back to "well in my experience" statements instead of actually taking the time to understand what I am saying. I don't give a gently caress about your MSP experience because all you're telling me is that it's better to do the job quickly than to do it correctly. It's as if you don't really give a gently caress about what happens to the clients as long as you get your money. quote:ask me about how I've desperately tried (in writing), to change the password policy of a financial services company from 'a standard variation on your last name' to 'literally anything remotely sensible'. as in, everyone's password is the same variation on their last name. noting their entire network is open to even recently departed employees. you can VPN in with full access by just guessing the managing partner's user/pass. 4mm company. Great! 
I have horror stories too like that. I am sure you have a great idea for password policies. quote:you can either help and inform as many people as you can, and nudge them in the right direction as often as possible - or you can get all aspergery and throw your hands up and go 'you're an idiot' and walk away. I choose the former. Let me rewrite this as: "you can keep telling me I am wrong, but I'll go tell other people that I am right and then demonstrate I have no skill in arguing my supposedly solid points". Since you're in the Atlanta area and run your own business, I suggest merging your company with this local to you moron.
|
# ¿ Oct 27, 2015 18:24 |
|
mindphlux posted:wow, we're agreeing on something! this is exactly what I do and recommend in practice! my list you're hung up so much about is my 'how to perform a scan' 101 checklist. I've just actually detailed what I do to run a scan, whereas you wave your arms and say 'run a scan', which is not helpful for the less savvy readers of this thread. How are we agreeing on something? Let me remind you of the post that started it all: shyduck posted:
Then you chime in: mindphlux posted:rkill Then added: mindphlux posted:someone should just add this to the OP tbqh At no point did I see anything relating to what I said being said in your post. quote:yes. I'm telling you sometimes it is better to do the job quickly than to do it correctly. Just let this sink in: you have no clue about what you're talking about and would rather keep defending your original posts because I have somehow maligned your ego. It's one thing to make mistakes but it's another to keep going on and beating a dead horse even though you are without a doubt wrong.
|
# ¿ Oct 27, 2015 18:36 |