  • Locked thread
Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

brc64 posted:

McAfee

Speaking of viruses, I hate EPO so much. It doesn't help the dislike that every time I fire up Nessus it paints any system that has EPO installed -- nearly everything in my domain -- bright red for what is purportedly a high-level unpatched vulnerability featuring potential denial of service on the scanner, potential denial of service for the system it's installed on, arbitrary code execution with SYSTEM-level privileges, the whole nine yards.

I guess it's just me, but I figure if you're going to make a crappy product it should at least be easy to work with, and if you're going to make one that's hard to work with it should at least be highly configurable and ultimately function as an unstoppable behemoth for the purpose you have in mind. McAfee/Groupshield/EPO works a lot of the time, but goddamn if there aren't a lot of times it doesn't. I can't imagine working with as many copies of the thing as it's intended to have used at once. I'd spend my entire day dealing with EPO not synchronizing, not updating, not starting up on system startup, not sending props to the main server, not responding to commands from the main server -- something.


brc64
Mar 21, 2008

I wear my sunglasses at night.

brc64 posted:

58 minutes...
Malwarebytes finally finished scanning, found a bunch of vundo but no winantivirus which is what I was expecting based on the descriptions. Should be a fun reboot. I hate computers.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
I've had a few in the past few months where after I finish scans in UBCD4Win, explorer won't start up anymore. I can deal with explorer just needing to be run from task manager and then editing a registry key, but this one is different. Explorer is there, the shell key is set to Explorer.exe, but it won't start. Gives an error message saying that explorer.exe cannot be found.

I've tried repair installs, sfc, chkdsks, flat out replacing explorer.exe but nothing has worked so far. Anybody know of anything besides reinstalling? Recently had to give a machine back because the guy thought it was "unacceptable" to do a fresh install because he would have to reinstall all his programs.

Independence
Jul 12, 2006

The Wriggler

Cojawfee posted:

Recently had to give a machine back because the guy thought it was "unacceptable" to do a fresh install because he would have to reinstall all his programs.

I loving hate people like this. If the customer knows so much about computers, they shouldn't be in this predicament let alone think it's unacceptable that he have to reinstall his pirated copy of Photoshop 7 and softcore porn collection.

brc64
Mar 21, 2008

I wear my sunglasses at night.

Independence posted:

and softcore porn collection.
I don't think I've ever seen a computer like that before. It's either nasty homegrown crap, crazy fetish poo poo or nothing at all.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius

brc64 posted:

I don't think I've ever seen a computer like that before. It's either nasty homegrown crap, crazy fetish poo poo or nothing at all.

I've seen regular porn, weird porn, and creepy homegrown, but never softcore. Though, I don't always go through the fonts directory, so who knows what people download.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
For the edification of other enterprise admins and frontliners, I have a workstation right now that appears (haven't scanned it yet) to have a cheerful little XP Antivirus 2009 infection. Infection vector was a buffer overflow exploit on a fully patched copy of IE7.

I know how it got infected because McAfee wasn't allowing IE to run on the user's computer -- kept popping up a buffer overflow notice. I disabled buffer overflow protection to get IE temporarily working thinking, "Well, I'm fully patched and I haven't seen any IE exploits reported in the wild on SANS, should be okay for a little while". Start up IE and hello popups. :sweatdrop: McAfee catches the exploit but not the file causing it.

Will update with any details I find, but I really hope we don't have a new IE7 exploit in the wild.

edit: It's not XP Antivirus 2009, just some generic Trojan.BHO that looked a lot like it. Still concerned about that buffer exploit though, wish I had more details on the mechanics of what I watched.

Midelne fucked around with this message at 20:39 on Mar 2, 2009

Kelson
Jan 23, 2005

Midelne posted:

edit: It's not XP Antivirus 2009, just some generic Trojan.BHO that looked a lot like it. Still concerned about that buffer exploit though, wish I had more details on the mechanics of what I watched.

Any chance you've got a browsing history or 'suspicious' cache items?

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
It looks like ESET has officially released NOD32 v4 to the public. I just installed it so I don't really know how well it works. What's neat so far is its SysInspector utility and RescueCD creator. It feels like v3 but it seems to do a little bit more. Maybe someone can try it out in the field and see if it's any better at picking up on the latest infections.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Kelson posted:

Any chance you've got a browsing history or 'suspicious' cache items?

User browses primarily news sites, with a couple very regular dieting sites that are (one of my top 15 bandwidth users, shows up on the logs almost daily) and almost no variation in what they do, how much, or where. Very, very consistent and I'm inclined to believe them when they say that they didn't go anywhere unusual.

MalwareBytes pulled out five registry entries tagged with Trojan.BHO and four files that were tagged with something even less specific that escapes me. I don't think any of the files were in Temporary Internet Files.

Either way, I deleted everything in every temp directory everywhere and all the system restore points just as a matter of common courtesy, so I don't think there's much left to work with. If the infection persists, I'll take a deeper look.

Elected by Dogs
Apr 20, 2006

Midelne posted:

Start up IE and hello popups. :sweatdrop:

Does IE autorestore tabs on re-execution?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Elected by Dogs posted:

Does IE autorestore tabs on re-execution?

Depends on what you tell it to do when closing it in a situation involving tabs for the first time, I believe. In this case, no.

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.
I really want to stress what a great piece of software Secunia PSI is.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

People Talking about Virut posted:

Virut

There is a free stand alone AV called Dr.Web that will clean .exe files that are infected with Virut.

Mr. Bung
Mar 24, 2005

Get out the pink press threat file
and Um-brrrptzzap the subject.
I used DrWeb as a last ditch attempt, and sure enough it found a couple of extra infected/introduced exes that the other progs didn't. I still had to format the disk and reinstall everything; I think it's safest with Virut.

I am waiting for my new HD today, and I am going to clone it. I don't want to piss around if this happens again.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
Adobe PDF Vulnerability - No Click Necessary

Proof-of-concept code is out demonstrating that it is possible to utilize the recent Adobe exploit in such a way that it can be triggered by hovering your mouse over the PDF.

If you've ignored PDFs, now is a freakin' excellent time to stop.

m2pt5
May 18, 2005

THAT GOD DAMN MOSQUITO JUST KEEPS COMING BACK

loving poo poo, another "you don't need to open it" vulnerability? I was hoping the WMF thing was the last we'd see of that.

Edit: Oh, you actually have to have Adobe's PDF reader installed to get hit by it. Good thing I only have Foxit reader.

m2pt5 fucked around with this message at 18:43 on Mar 6, 2009

Suspicious
Apr 30, 2005
You know he's the villain, because he's got shifty eyes.
I tried to like Foxit but it drove me insane with how it would hang on scrolling until it completely renders a page instead of rendering as much as it can and allowing free scrolling like Adobe Reader does.

FronzelNeekburm
Jun 1, 2001

STOP, MORTTIME
On the other hand, it doesn't take its sweet, sweet time starting up. Have you tried Sumatra?

Mantrid
May 8, 2007

by angerbot
Sumatra is good, and is what I currently use, but I've noticed it doesn't resize things for printing properly.

Halo14
Sep 11, 2001

abominable fricke posted:

There is a free stand alone AV called Dr.Web that will clean .exe files that are infected with Virut.

You're a legend. Thanks for the recommendation. This program was able to run and do its job in place of MalwareBytes which was being blocked by the virus/spyware.

brc64
Mar 21, 2008

I wear my sunglasses at night.
I've got an XP Virtual Machine running right now with a VIPRE Enterprise agent installed. I've been clicking on things from malwaredomainlist and following banner ads and honestly, I'm pretty amazed at the results so far. So far the only thing I've been able to successfully install is The Weather Channel Desktop, which, while a bit annoying, isn't really malware. Everything else that I've tried to install has either crashed or mysteriously vanished.

If somebody can provide me with a working link to some vundo, antivirus 2009 or other common nasty poo poo, I'd really like to test that out in my VM.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

m2pt5 posted:

Edit: Oh, you actually have to have Adobe's PDF reader installed to get hit by it. Good thing I only have Foxit reader.

Yeah, good thing.

By the way, go patch your buffer overflow and glaring security oversights. My favorite:

quote:

SUMMARY
If an action (Open/Execute a file, Open a web link, etc.) is defined in the PDF files and the trigger condition is satisfied, Foxit Reader will do the action defined by the creator of the PDF file without popping up a dialog box to confirm.
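As an added example (my own, not code from the thread, Adobe or Foxit), here is a Python triage check for the two problems quoted above: PDF keys that fire without a click (/OpenAction, and /AA, which is where the mouse-enter action behind the hover-to-trigger proof of concept lives) combined with action types that reach outside the document (/Launch, /URI and friends), which Foxit ran without a confirmation dialog. The sample PDFs are constructed, and the scan is a raw-byte scan only.

```python
import re

# Dictionary keys that make a reader act on a PDF with no further click from the user.
AUTO_TRIGGERS = {
    "/OpenAction": "action run when the document is opened",
    "/AA": "additional actions (page open/close, mouse enter/exit on annotations)",
}
# Action types that reach outside the document; these are what a confirmation dialog should guard.
RISKY_ACTIONS = {
    "/Launch": "launch an external application or file",
    "/URI": "open a web link",
    "/JavaScript": "run embedded JavaScript",
    "/SubmitForm": "send form data to a URL",
    "/GoToR": "open another file",
}


def count_pdf_keys(data):
    """Count occurrences of each watched key in raw PDF bytes (compressed streams are not decoded)."""
    counts = {}
    for key in list(AUTO_TRIGGERS) + list(RISKY_ACTIONS):
        # A name token ends at whitespace or a delimiter, so the lookahead keeps /AA from matching /AAx.
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, data))
        if n:
            counts[key] = n
    return counts


def needs_review(data):
    """True when an automatic trigger and an external action both appear: a no-click document."""
    counts = count_pdf_keys(data)
    has_trigger = any(k in counts for k in AUTO_TRIGGERS)
    has_action = any(k in counts for k in RISKY_ACTIONS)
    return has_trigger and has_action


def compressed_objects(data):
    """Number of FlateDecode streams; keys inside them are invisible to a plain byte scan."""
    return len(re.findall(rb"/FlateDecode\b", data))


# Constructed sample: the catalog launches a file on open, and an annotation's
# mouse-enter (/E) action opens a link. A placeholder, not a real exploit document.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R] >> endobj\n"
    b"4 0 obj << /S /Launch /F (example.exe) >> endobj\n"
    b"5 0 obj << /S /URI /URI (http://example.invalid/) >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /AA << /E 5 0 R >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

A non-zero `compressed_objects` count means the verdict is incomplete: real documents put the catalog and annotations inside FlateDecode object streams, which must be inflated before these keys become visible.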

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
And because I'm impressed, this is the result of what the new FakeXPA variants do to your HOSTS file, courtesy of Microsoft's Malware Blog:



Misspell "antivirus"? Well, no worries, Microsoft apparently guessed what you were looking for and gave you relevant results anyway! Let's click on one of those links, since we've been getting annoying popups lately asking us to get an antivirus software and these look like reputable sites. I've heard of CNet, let's try them.



Well, here we are at .. Cnet? Wow, high reviews, I better click this.

For reference, the original review:


These guys continue to be smart as hell about how they present the social engineering portion of their product. Public service reminder to the people around you that aren't technologically inclined -- you can't trust something just because it came from a trusted source, not anymore. I expect to see this all over the place in the near future.
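An added example, not from the post or from Microsoft's writeup: a small Python audit of a Windows HOSTS file that groups every public hostname by the address it has been pinned to. Many unrelated big-name hosts all pointing at one non-loopback address is the signature of the hijack described above; the sample file and its addresses are constructed placeholders, not the real FakeXPA entries.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a tampered HOSTS file; the hostnames and the 203.0.113.10
# address are placeholders, not the entries the malware actually wrote.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid      # ad-blocking sinkhole, legitimate
203.0.113.10    download.cnet.com
203.0.113.10    www.cnet.com
203.0.113.10    search.live.com          # search results for "antivirus"
203.0.113.10    www.google.com
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a HOSTS file."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                         # malformed line, not a mapping
            continue
        for name in fields[1:]:                    # one address may carry several names
            yield lineno, ip, name.lower()


def hijacked_hosts(text):
    """Group non-local hostnames by the address they are forced to, most targets first.

    Loopback and unspecified (0.0.0.0) targets are the normal, benign cases; anything
    else pins a public name to one host and bypasses DNS entirely.
    """
    by_ip = defaultdict(list)
    for _, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        by_ip[str(ip)].append(name)
    return sorted(by_ip.items(), key=lambda kv: -len(kv[1]))
```

On a live machine the text would come from %SystemRoot%\System32\drivers\etc\hosts; a hidden or read-only attribute on that file is itself worth noting during cleanup.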

brc64
Mar 21, 2008

I wear my sunglasses at night.

Midelne posted:

AV2010 stuff
Funny enough, I'm having trouble actually finding this thing to install in my VM. av2010.net just redirects me to Live Search results for removal instructions. I need to think like a user. I wonder if I can use my antivirus testing as an excuse to get paid to search for porn.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
WHAT THE gently caress! My posts keep disappearing from all these threads I am posting in.

Anyway, earlier I had said I was wondering how people get infected so easily. I was browsing on my virtual install for half an hour trying to get something, but nothing ever popped up. Yet some lady keeps getting the same thing over and over again at work.

Ok, finally got one by searching for antivirus on malwaredomainlist. I got "Internet Antivirus Pro". Seems kind of lazy, the viruses aren't even selectable.




What do you mean I'm not protected?

Cojawfee fucked around with this message at 18:55 on Mar 9, 2009

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Cojawfee posted:

Anyway, earlier I had said I was wondering how people get infected so easily. I was browsing on my virtual install for half an hour trying to get something, but nothing ever popped up. Yet some lady keeps getting the same thing over and over again at work.

Pull her browsing history. If the infection vector is consistent, it's either a website she shouldn't need to go to, a website she does need to go to that needs to be notified that it's serving up malware, or the real infection is being missed when it's cleaned.

Elected by Dogs
Apr 20, 2006

Cojawfee posted:

What do you mean I'm not protected?

Does that application try to force a fake XP-styled window or are your display settings for the titlebar actually bold Verdana 10(?)?

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
It's a fake XP style title bar.

Drighton
Nov 30, 2005

On Friday computers started losing connections to the network and the only way I could find to get them going again was to assign a static ip address. I noticed the DHCP Server on the computers was different from what we use, and my boss just happened to make some changes to our subnet and DHCP settings that week, so I forwarded the problem to him.

He got back to me yesterday and updated me today with what he found:
-Guy has Bittorrent/P2P/whatever on his computer, most likely source of the virus
-Virus spoofs itself as the default gateway
-Virus listens for DHCP requests on the network, constructs a packet, tells the computer to keep its current address and changes the DNS servers.
-DNS servers resolve to Russia and redirect every major Bank's webpage to a duplicate

Not very conspicuous on a business network, but for a home network that is one very sneaky virus. I'm hoping to get a better look at it before I wipe his computer, but my boss may have already tried removing it.
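Added example (my own, not from the thread): a small Python detector for the rogue-DHCP behaviour described above. It constructs a DHCP OFFER, parses the option field after the RFC 2131 magic cookie, and flags any OFFER or ACK whose server identifier (option 54) or DNS list (option 6) is not on an allowlist. The allowlist addresses, the client MAC and the 203.0.113.x "foreign" resolvers are assumptions for a made-up 10.0.0.0/24 office network.

```python
import struct
import ipaddress

# Constructed allowlist for the example office network (not from the thread):
# the one legitimate DHCP server and the internal DNS resolvers it should hand out.
KNOWN_DHCP_SERVERS = {"10.0.0.2"}
KNOWN_DNS_SERVERS = {"10.0.0.2", "10.0.0.3"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker at offset 236, options follow it
OFFER, ACK = b"\x02", b"\x05"       # DHCP message type values (option 53)


def build_dhcp_offer(server_ip, client_ip, router, dns_servers):
    """Construct a minimal BOOTP/DHCP OFFER so the detector can be exercised offline."""
    p = lambda ip: ipaddress.IPv4Address(ip).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                 # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0,           # xid, secs, flags
        b"\0" * 4,                  # ciaddr
        p(client_ip),               # yiaddr: the lease being offered
        p(server_ip),               # siaddr
        b"\0" * 4,                  # giaddr
        bytes.fromhex("001122334455") + b"\0" * 10,  # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,    # sname, file
    )
    dns = b"".join(p(d) for d in dns_servers)
    options = (MAGIC_COOKIE
               + bytes([53, 1]) + OFFER          # message type
               + bytes([54, 4]) + p(server_ip)   # server identifier
               + bytes([3, 4]) + p(router)       # default gateway
               + bytes([6, len(dns)]) + dns      # DNS servers
               + bytes([255]))                   # end of options
    return header + options


def parse_dhcp_options(packet):
    """Return {option_code: raw_value} for a DHCP packet, or None if it is not one."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:            # end marker
            break
        if code == 0:              # pad byte, has no length field
            i += 1
            continue
        if i + 1 >= len(packet):   # truncated option, stop rather than read past the end
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def ip_list(raw):
    """Decode a concatenated list of IPv4 addresses (options 3, 6 and 54 use this form)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]


def audit_offer(packet):
    """Return findings for an OFFER/ACK that names a server or resolver outside the allowlist."""
    options = parse_dhcp_options(packet)
    if options is None or options.get(53) not in (OFFER, ACK):
        return []
    findings = []
    for s in ip_list(options.get(54, b"")):
        if s not in KNOWN_DHCP_SERVERS:
            findings.append(f"rogue DHCP server identifier {s}")
    for d in ip_list(options.get(6, b"")):
        if d not in KNOWN_DNS_SERVERS:
            findings.append(f"unexpected DNS server {d}")
    return findings
```

In practice the packet bytes come from a capture of UDP port 68 replies on the affected segment; because the rogue answers from a workstation rather than the real server, its server identifier is the first thing this check catches, and DHCP snooping on the switches is the corresponding preventive control.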

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Drighton posted:

-Virus listens for DHCP requests on the network, constructs a packet, tells the computer to keep its current address and changes the DNS servers.

I remember reading a writeup of a virus that did this and being fascinated by how it worked. Out of all the protocols you're likely to be using in a business environment, it seems like DHCP is probably the one sitting widest open. After all, if it has an address in the right subnet and the request eventually gets to the right server you're not even going to see NACKs in the logs.

BillWh0re
Aug 6, 2001


Here's an excellent quote from The Register about some infected hospitals.

quote:

A senior Gartnavel staff member told The Herald: "They are calling it a worm and when they identify it it burrows deeper into the system and duplicates itself, and it is getting through some very strong firewalls."

Yup, straight out of Hackers. And apparently appointments for cancer patients were rescheduled because these guys are idiots.

darkforce898
Sep 11, 2007

Drighton posted:

On Friday computers started losing connections to the network and the only way I could find to get them going again was to assign a static ip address. I noticed the DHCP Server on the computers was different from what we use, and my boss just happened to make some changes to our subnet and DHCP settings that week, so I forwarded the problem to him.

He got back to me yesterday and updated me today with what he found:
-Guy has Bittorrent/P2P/whatever on his computer, most likely source of the virus
-Virus spoofs itself as the default gateway
-Virus listens for DHCP requests on the network, constructs a packet, tells the computer to keep its current address and changes the DNS servers.
-DNS servers resolve to Russia and redirect every major Bank's webpage to a duplicate

Not very conspicuous on a business network, but for a home network that is one very sneaky virus. I'm hoping to get a better look at it before I wipe his computer, but my boss may have already tried removing it.

Do you have any more information about this? Someone at my school seems to have gotten this and it messed stuff up.

EDIT: Looks like that there is some documentation about it around. BKDR_AGENT.CAHZ or TROJ_AGENT.NDT are both identified as being rogue DHCP worms.

http://itw.trendmicro.com/pdfs/121508-networks_nulnerable_to_rogue_dhcp_attack.pdf

darkforce898 fucked around with this message at 21:55 on Mar 9, 2009

Drighton
Nov 30, 2005

Midelne posted:

Out of all the protocols you're likely to be using in a business environment, it seems like DHCP is probably the one sitting widest open. After all, if it has an address in the right subnet and the request eventually gets to the right server you're not even going to see NACKs in the logs.

I just love the idea of how it works. Most home users wouldn't even know the difference since their gateway usually IS the DHCP server, if they even knew what it was. Go to BoA, type in account information, get identity stolen, go visit crochetinggrannies.com.

Unless it can detect other services on the network and keep the user connected to them, the help desk will start getting whiffs of it almost immediately.

darkforce898 posted:

Do you have any more information about this? Someone at my school seems to have gotten this and it messed stuff up.

EDIT: Looks like that there is some documentation about it around. BKDR_AGENT.CAHZ or TROJ_AGENT.NDT are both identified as being rogue DHCP worms.

http://itw.trendmicro.com/pdfs/121508-networks_nulnerable_to_rogue_dhcp_attack.pdf

Still haven't looked at it yet. It's Monday, so it's all Help Desk today. Thanks for this though.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Drighton posted:

Unless it can detect other services on the network and keep the user connected to them, the help desk will start getting whiffs of it almost immediately.

Yeah. I guess it wouldn't be hard to snap up cached DNS information and serve it back, but if you're using a single outside DNS server as your rogue and you tried to serve internal DNS information to cloak your presence -- man that's a lot of data.

If it were smart enough to set up its own DNS mini-server and ensure that it was on a workstation rather than a server, though, I could see it having a bit larger time-to-detect on an enterprise network. Still though, that'd produce intermittent lookup failures and intermittent failures mean one of the first things to come out is nslookup.

Still a fascinating idea, though, and a good reminder of how things fit together vulnerability-wise.

Elected by Dogs
Apr 20, 2006
Wait, why is an office network using DHCP and getting DNS servers dynamically?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Elected by Dogs posted:

Wait, why is an office network using DHCP and getting DNS servers dynamically?

Do you seriously expect me to configure a hundred and fifty workstations by hand? Because I'm not gonna do it.

Zwabu
Aug 7, 2006

LordKain posted:

My wife works in a Jewish family's house every Friday and recently they had been having PC (WinXP) issues. So I head over about a week or so ago and check it out. Well, my wife had said that Norton was up and a few other windows, but I said I'd just have to take a look to be sure. So I look and Norton is up along with a few other windows. After a minute I realize that the others don't say Norton 360 they say Antivirus 360. God damnit, another variant. So all the sudden the screen blanks and restores, except it's blown up and in some insanely small res that only shows about a quarter of the screen. After about 30 seconds it BSoDs (and I haven't done anything yet). Well I read the BSoD and towards the bottom it stops looking legit. It said something about checking your antivirus/antispyware or something. Then it says that it's restarting so I let it.

The BSoD goes away and the Windows loading screen pops up. So I'm thinking that was way too quick, especially considering the BIOS poo poo didn't popup and all that jazz. So I look at the screen again and under the little XP loading bar there was some text that went to the tune of:
Microsoft Security Center has detected that your antivirus program is out unregistered. Please register Antivirus 360 blah blah blah.
And then it loads back into the exact layout and windows as when I first saw it. So I fire up Malwarebytes and about an hour later I'm done.

Nothing major, I just thought it was interesting the type of tactics they used, including the mostly legit looking BSoD and Windows 'Security Center' warning. Man I wish I got screens of that stuff

It looks like this:



Very clever how they cop the "360" from Norton and the shield logo from the Windows Firewall so it looks pretty legit, and how they claim your system is filled with Trojans that are doing what Antivirus 360 itself is aiming to do, which is to cop your credit card info and steal your money.

My wife just got hit up with this "Antivirus 360" poo poo this weekend on her laptop. I was out of town, she told me she had a virus issue/warning, I suggested, without much more info, that she get malwarebytes and run it. She tried to go to the site (malwarbytes.com or .org both go there) but sounds like she was redirected to Antivirus 360's lovely site by the Trojan (Vundo or Zlob I believe), and fell for the "pay to register" phishing scam, and had already sent in her credit card info by the time I got there. So she wound up having to cancel her credit card.

The program shows, as per the sample window, that you have all these viruses/Trojans, but it will only find them and will not eradicate them unless you register/send them money! (That's the part where I knew something was up even before I googled about this poo poo.)

But what was even more interesting was the fact that this was actively suppressing the installation and running of malwarebytes. I was able, in between browser redirects, to actually download the malwarebytes installation file, but it wouldn't run for some reason or other. After reading a bit about this malware on the web, I changed the name of the malwarebytes installation program by one character (added a "1") and voila, program installs.

Same issue with the installed program... program would not run, I added a "1" to the .exe filename, and voila, working malwarebytes. Once I'd removed all the crap with malwarebytes, I was able to change the filenames back to their original names and they now worked.

So, I don't know how common it is for malware to specifically try to suppress antivirus programs. If the intent is just to cause havoc, I wouldn't think it worth their while to research how to shut down the security software, but since the aim of this program is to actually make money, they have a little more skin in the game.

What's also interesting is that when you send them your credit card info and "register", they do send you email with a code and all that. Apparently they will even send a few followup tech support emails to people who reply and complain that they are unable to get the program to work despite registering and getting the emailed code, heh.

I'm still thinking perhaps we should nuke her system from orbit, but I will have to figure out how to reinstall Windows, I'm not sure if her laptop shipped with a Win XP disk.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Yeah, pretty standard TDSserv operating procedure.


Shredder
Sep 14, 2000

Is there a standalone virus scanner I can throw on a USB stick? Doesn't have to be free, but that would be nice. :)
