  • Locked thread
netw1z
Oct 19, 2008
. . .
We saw a variant of DNSChanger/Flush.m which acts as a rogue DHCP server handing out leases with false DNS info recently on one of our more open networks (different to the 85.255.* addresses being handed out in December time). SANS picked up on it today and it looks like at least McAfee have updated their DAT files to cover it. Running dhcploc off the XP CD helped us quickly find infected machines and deal with them accordingly.

Didn't have my hands on an infected machine long enough to have a proper look, but Combofix found something before the user decided they'd just reinstall.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
SPTH is Back - Sort Of

Someone feel free to disagree with me on this, but I don't think the tone of the article is going to be conducive to convincing SPTH that he should stop writing viruses anytime soon. Seems almost like goading him to do something big.

Wombot
Sep 11, 2001

I went and looked in my junk mail folder at work, there's a "Bomb explosion" email with "oh poo poo!!! maue dot breakingnewsltd dot com slash main dot php" (written out 'cause NO CLICK ZONE but in case someone wants to investigate it)

Wacky. I agree with the previous poster: If a little more thought was put into the subject/body, I might be tempted to open the link (if it came from a familiar sounding name).

E: Looking in the junk folder, I found my two favorite spams so far "Get SMASHING love power" and "We have everything to cure your masculinity"

I don't think that word means what you think that word means.

Doc Faustus
Sep 6, 2005

Philippe is such an angry eater
My office is now engaged in the great debate on how to keep users from getting malware, as it's up to 4-6 infections a week. It's impossibly frustrating, as we can't even just recommend safe browsing habits, as the local newspaper recently displayed a banner ad that installed AV2009. My only recommendations have been setting everyone up with the Cisco software (or similar) that mandates a fully patched and updated system (this will never happen) or disabling Flash and Java on webpages unless specifically activated. While annoying, it seems like it would eliminate most of the infection vectors.

Anyone have experience implementing a policy like that? I mean, NOBODY in my org is going to go for it, but it's nice to dream...

Doc Faustus fucked around with this message at 01:52 on Mar 19, 2009

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Tell them that corporations have been banned from using the internet by the liberal congress and they have to do research at the library now.

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug

Doc Faustus posted:

My office is now engaged in the great debate on how to keep users from getting malware, as it's up to 4-6 infections a week. It's impossibly frustrating, as we can't even just recommend safe browsing habits, as the local newspaper recently displayed a banner ad that installed AV2009. My only recommendations have been setting everyone up with the Cisco software (or similar) that mandates a fully patched and updated system (this will never happen) or disabling Flash and Java on webpages unless specifically activated. While annoying, it seems like it would eliminate most of the infection vectors.

Anyone have experience implementing a policy like that? I mean, NOBODY in my org is going to go for it, but it's nice to dream...
Is Windows update turned off or something? Fully patched machines shouldn't be infected so often.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Ensign Expendable posted:

Is Windows update turned off or something? Fully patched machines shouldn't be infected so often.

My systems are fully patched and I had a single user get infected twice in two weeks from what was probably a similar situation since the only significant browsing she did was at local news and other similarly bland sites. Most likely vector was as described, a Java or Flash vulnerability exploited in an ad run in good faith by a careless website.

On the other hand, I'd be curious to see why special software is needed to force Windows Updates -- unless you're not in a domain. If you're in one, force down a Group Policy locking automatic updates on, optional updates on, autodownload, automatic install for 3AM on Thursday. This presupposes that you don't use any funky proprietary programs that are going to break from a patch and that no one is working at 3AM. Also it's generally considered bad form to patch without testing, but I'm a maverick and I don't mind fixing things before anyone else gets there.

If you want more granular control but don't really want to dedicate much in the way of resources to it (and are in a domain, since it'd be aggravating to do otherwise), download WSUS for free from Microsoft, set it up, and then use Group Policy to lock all your systems into downloading patches directly from the WSUS server. If you don't want to take up extra hard drive space on the WSUS machine, set it to leave downloading to the clients and to basically just function as an approval/mandate server. You point, patches install themselves.

This doesn't take care of third-party software like Java, Flash, and Adobe Reader (wouldn't it be great if Adobe bought the rights to Java? We could have my three favorite infection vectors under one brand!), but Java and Reader at least will nag you update if there's a new version available and you haven't turned off the feature.
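
An added configuration example for the update policy described in the post above; this is not code from the thread or from Microsoft, just the registry values that the corresponding Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The WSUS server name (wsus01.corp.example) is a placeholder assumption. Run it as an administrator on one test machine to see the values take effect, then set the same options in a domain GPO rather than scripting them host by host.

```batch
@echo off
REM Added example, not from the thread: Automatic Updates + WSUS policy values.
REM These are the registry values the Windows Update Group Policy settings write;
REM a domain GPO is the right way to apply them, this script is for a test box.
REM wsus01.corp.example is an assumed placeholder for your WSUS server.

set WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
set AU=%WU%\AU

REM Turn Automatic Updates on (NoAutoUpdate=0) and pick mode 4: auto-download and
REM schedule the install (2 = notify only, 3 = download then notify, 5 = user chooses).
reg add %AU% /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add %AU% /v AUOptions    /t REG_DWORD /d 4 /f

REM Install day/time: 5 = Thursday (0 = every day, 1 = Sunday ... 7 = Saturday), hour 3 = 03:00.
reg add %AU% /v ScheduledInstallDay  /t REG_DWORD /d 5 /f
reg add %AU% /v ScheduledInstallTime /t REG_DWORD /d 3 /f

REM Point clients at the WSUS server instead of Microsoft Update. Both the update
REM source and the status/reporting server are set; UseWUServer=1 makes the client
REM honour them. Whether WSUS or the client does the downloading is chosen on the
REM WSUS server side, not here.
reg add %WU% /v WUServer       /t REG_SZ    /d http://wsus01.corp.example /f
reg add %WU% /v WUStatusServer /t REG_SZ    /d http://wsus01.corp.example /f
reg add %AU% /v UseWUServer    /t REG_DWORD /d 1 /f

REM The forced-logoff caveat from the post: with this set to 1 the client does not
REM reboot while someone is logged on. Set it to 0 (or delete it) only if you accept
REM kicking night-time users off their sessions.
reg add %AU% /v NoAutoRebootWithLoggedOnUsers /t REG_DWORD /d 1 /f

REM Refresh policy and make the client re-register with WSUS and check in now.
gpupdate /force
wuauclt /resetauthorization /detectnow

REM Verify what actually got applied.
reg query %WU% /s
```

The same settings live in a GPO under Computer Configuration, Administrative Templates, Windows Components, Windows Update; once the GPO is linked, `reg query` on a client (or RSoP) will show these values, which is a quick way to confirm the policy actually reached the machine.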

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
I thought Java only had vulnerabilities in the early JVMs. You could always get them to run Firefox with NoScript or similar, unless your corporate policy prohibits it for some reason.

Kelson
Jan 23, 2005

Ensign Expendable posted:

I thought Java only had vulnerabilities in the early JVMs.

The new exploits primarily target javascript as executed by other applications (for example, J2BIG is a javascript exploit for adobe reader). There are exploits periodically found against the VMs however, so even it isn't a cover all.

Ensign Expendable posted:

You could always get them to run Firefox with NoScript or similar, unless your corporate policy prohibits it for some reason.

Yea, first try getting an enterprise to run Firefox. Second try getting them to intentionally use any software which blocks 90% of stuff out there... without either disabling all its capabilities or allowing globally each session. Good luck!

Elected by Dogs
Apr 20, 2006

Ensign Expendable posted:

I thought Java only had vulnerabilities in the early JVMs. You could always get them to run Firefox with NoScript or similar, unless your corporate policy prohibits it for some reason.

why isnt my facebook working its not popping up that cute little window with the gradiented gray borders in the page OH I SEE ALLOW SCRIPTS GLOBALLY

Doc Faustus
Sep 6, 2005

Philippe is such an angry eater

Kelson posted:

Yea, first try getting an enterprise to run Firefox. Second try getting them to intentionally use any software which blocks 90% of stuff out there... without either disabling all its capabilities or allowing globally each session. Good luck!

We're a university, so people run whatever software they want. Based on just what I've seen people use, I'd say we're split about evenly between IE and Firefox. Firefox is a part of all our images.

Almost every machine is on the domain (some older machines still connect to an old system). Yes, auto-updates are enabled. And yet, somehow, there are *still* people I find who have the little gold shield sitting there day after day, waiting for them to install SP3. :psyduck:

I'll have to look into NoScript. Even if it never ever gets implemented as policy, I can still recommend it to users as a preventative measure.

Chunky Monkey
Jun 12, 2005
Kill the Gnome!
I'm pretty sure you can set it to autoinstall and autoreboot. I know because at least once a month I come home from work to find my computer logged out at the ctrl-alt-del prompt waiting for me, after I clicked "restart later" about 500 times (this was before I found net stop wuauserv).

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Doc Faustus posted:

Almost every machine is on the domain (some older machines still connect to an old system). Yes, auto-updates are enabled. And yet, somehow, there are *still* people I find who have the little gold shield sitting there day after day, waiting for them to install SP3. :psyduck:

This can be symptomatic of a couple of things.

First, service packs for the OS come with a flag that says "must be installed exclusively". This means that -- at least using automatic updates, not sure about manually -- you need to install the service pack by itself and that automatic updates won't install it in the same batch as other updates. I couldn't say how it's prioritized, but judging from the results it seems like it probably gets pushed back if there's anything else that needs installation.

Second, your users might not be logging off and your update settings might not be set to force users off following updates. This can be changed with group policy, but should be done carefully since particularly at a university there are probably people leaving work open all night long in their offices, working into the night, or doing something else legitimate that's going to cause problems from a forced logoff.

Third, if update policies are in place they might not be applied correctly. RSoP can help you check that out.

There are also a lot of more exotic reasons why updates might not install automatically, but I like to assume that it's going to be simple.

usualhandle
Dec 29, 2007
Nothing special about this handle.

Doc Faustus posted:

My office is now engaged in the great debate on how to keep users from getting malware, as it's up to 4-6 infections a week. It's impossibly frustrating, as we can't even just recommend safe browsing habits, as the local newspaper recently displayed a banner ad that installed AV2009. My only recommendations have been setting everyone up with the Cisco software (or similar) that mandates a fully patched and updated system (this will never happen) or disabling Flash and Java on webpages unless specifically activated. While annoying, it seems like it would eliminate most of the infection vectors.

Anyone have experience implementing a policy like that? I mean, NOBODY in my org is going to go for it, but it's nice to dream...

Just force users to work off of network shares and wipe and reimage each computer every night. I know that sounds like a huge headache, but at least it's automated.

taiyoko
Jan 10, 2008


Well, I've never had a serious infection....until now.

I'm not even sure how I got it, since I keep AVG, SuperAntiSpyware, and MalwareBytes updated and run at least once a week. On top of that, I haven't even been able to get at that computer because my roommate has been home and watching TV in the living room.

Whatever it is, I can't get into Firefox, msconfig, Task Manager, SuperAntiSpyware (even after renaming it), or MalwareBytes. All of them say I don't have permission to run them.

Working on getting a UBCD4Win CD ready now. And here I was, expecting to have an easy night tonight...

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
You can't really prevent a lot of these infections. You just get them, and then try to remove them. Have you tried combofix yet? Saved me from a fresh install today.

taiyoko
Jan 10, 2008


Cojawfee posted:

Have you tried combofix yet? Saved me from a fresh install today.

No, I haven't. Mainly because I can't get into Firefox, and I don't want to risk infecting my thumbdrive. Still, the CD's coming along, the image just finished getting ready to burn.

Otacon
Aug 13, 2002


Gonna have to give Dial-a-Fix a shout-out this week, it's helped me twice with great success this week. It can fix issues with Windows Updates, permissions issues, and file-corruption issues. Two viruses, both different strains, both corrupted the registry hardcore. Dial-a-Fix saved me a great deal of time.

Hint: Hit Check-All, then hit Go. If it runs through the entire list without an error box, then all is well. If you get an error box, it will instruct you what to do. Pro-Tip: the "Tools" menu is the tiny hammer in the lower right-hand corner.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Otacon posted:

Gonna have to give Dial-a-Fix a shout-out this week, it's helped me twice with great success this week. It can fix issues with Windows Updates, permissions issues, and file-corruption issues. Two viruses, both different strains, both corrupted the registry hardcore. Dial-a-Fix saved me a great deal of time.

This really can be a life-saver with a lot of the common infections, since it's getting more common to disable the Task Manager and other common tools that we use. Dial-a-Fix really does fix a surprising number of things and enables you to fix a lot of things that were trying hard not to be.

Delpino
May 12, 2001
Forum Veteran

devmd01 posted:

Just got off the phone with my Dad...their computer exhibits the exact same issues as my coworker's laptop last week, can't even get into safe mode.
If it helps, similar issue cropped up this week for me on a user machine. Turned out whatever it was corrupted the userinit.exe. Replacing that from a known good system let me log in via safe mode and normally.

Stanley Pain
Jun 16, 2001

by Fluffdaddy

taiyoko posted:

Well, I've never had a serious infection....until now.

I'm not even sure how I got it, since I keep AVG, SuperAntiSpyware, and MalwareBytes updated and run at least once a week. On top of that, I haven't even been able to get at that computer because my roommate has been home and watching TV in the living room.

Whatever it is, I can't get into Firefox, msconfig, Task Manager, SuperAntiSpyware (even after renaming it), or MalwareBytes. All of them say I don't have permission to run them.

Working on getting a UBCD4Win CD ready now. And here I was, expecting to have an easy night tonight...


Stop using AVG, it's a bad A/V. Switch over to Avira Free or something.

URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!
If you want to manually re-enable Task Manager:

Start -> Run ->

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

regedit:

Start -> Run ->

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Make a .bat file that just loops that poo poo to keep them enabled if the virus sets them back, or use ProcessExplorer. (Remember to rename the .exe first, works in some cases)

edit -

Copy, paste, save as blahblah.bat and double click.

@echo off
:FUCKYOU
REM Re-enable Task Manager and regedit for the current user; /f overwrites whatever the malware set.
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f >nul
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul
REM Short pause so the loop doesn't peg a CPU core (XP has no timeout command; one extra ping is about 1 second).
ping -n 2 127.0.0.1 >nul
GOTO FUCKYOU

URL grey tea fucked around with this message at 23:42 on Mar 20, 2009

Idran
Jan 13, 2005
Grimey Drawer

Stanley Pain posted:

Stop using AVG, it's a bad A/V. Switch over to Avira Free or something.

Seriously? I always heard AVG and Avira were about equal. Has AVG gone really downhill recently or something?

Capnbigboobies
Dec 2, 2004
Has anybody upgraded to Antivir 9? I am wondering if you can still disable the "buy me" popup.

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Idran posted:

Seriously? I always heard AVG and Avira were about equal. Has AVG gone really downhill recently or something?

Yes, check the A/V comparatives. AVG has been pretty lovely at finding things as well as having quite a number of false positives. Avira is very solid for a free A/V, and NOD32 is still pretty much the king of the pay ones.

I switched over from NOD32 to Avira paid for a year just to check out the Premium suite.

edit: I should clarify. AVGs heuristic scanning has gone down hill in recent times. It's signature based scanning is still good.

Robzilla
Jul 28, 2003

READ IT AND WEEP JEWBOY!
Fun Shoe
AVG blows, didn't pick any of the viruses I had. Reinstalled NOD32 after a long while, picked up 5 viruses I did have. (One of which infected 3000+ files, gently caress that poo poo)

Also, to add to the discussion on how to prevent malware and viruses. You could always do what my company did, outright deny browsing outside of the company's intranet. It's a pain in the rear end, but it works.

Luigi Thirty
Apr 30, 2006

Emergency confection port.

Neat, Conficker.C has some super secret payload nobody can figure out scheduled to go off April 1. Will it blow up the internet like Slammer? Will it spawn 5 million "BUY ANTIVIRUS XP 2010!" windows on everyone's computer? Will it turn my toaster's dial to 7?

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Probably just some dumb joke.

Elected by Dogs
Apr 20, 2006
Cute, there's a worm/virus with mipsel shellcode and bruteforcing dd-wrt/etc routers.

River Raid
Apr 2, 2004

GODDAMN I AM A HUGE MORON! WITH A JETPLANE OF STUPID!

Cojawfee posted:

Probably just some dumb joke.

Viral advertising finally just stops giving a gently caress

BillWh0re
Aug 6, 2001


Luigi Thirty posted:

Neat, Conficker.C has some super secret payload nobody can figure out scheduled to go off April 1. Will it blow up the internet like Slammer? Will it spawn 5 million "BUY ANTIVIRUS XP 2010!" windows on everyone's computer? Will it turn my toaster's dial to 7?

It's not really that nobody can figure it out. It's more that it's not there yet. It will only download the payload on 1st April so no one can analyse it until then and anything in the press (the most ridiculous I've seen so far was "dark google") is just wild speculation. In fact, I'm surprised they aren't laying on the G20 hacktivism argument more thickly. The rest of Conficker as it exists right now really isn't that hard to analyse, it's just time consuming, which is why some companies are still trying to work out the complete operation of the peer to peer networking code (which is under further obfuscation, but it's fairly easy to work around in IDA).

Kelson
Jan 23, 2005

This is sort of an odd request, but does anyone have an image w/ Zlob or know some drive-bys that toss it?

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

Elected by Dogs posted:

Cute, theres a worm/virus with mipsel shellcode and bruteforcing ddwrt/etc routers.

For those who don't know what that's about see this link. Anyone who set up a home router with these firmwares and configured it in this lovely way should be aware. They should also learn how to secure their poo poo.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
So basically you just have to disable WAN access and not have a lovely password.

Smoke
Mar 12, 2005

I am NOT a red Bumblebee for god's sake!

Gun Saliva

Otacon posted:

Gonna have to give Dial-a-Fix a shout-out this week, it's helped me twice with great success this week. It can fix issues with Windows Updates, permissions issues, and file-corruption issues. Two viruses, both different strains, both corrupted the registry hardcore. Dial-a-Fix saved me a great deal of time.

Dial-a-Fix is pretty awesome. I found out it also fixed a weird networking issue with one PC I was dealing with (couldn't change the manually-set IP address, XP spit useless error messages at me the moment I tried, reinstalling the NIC didn't fix it), and it's one of the first things I run after MB/SAS to get rid of any remaining issues with inaccessible settings.

Elected by Dogs
Apr 20, 2006

GREAT BOOK OF DICK posted:

For those who don't know what that's about see this link. Anyone who set up a home router with these firmwares and configured it in this lovely way should be aware. They should also learn how to secure their poo poo.

Anyone smart enough to set ddwrt up shouldn't be that retarded.

Though.. don't some small ISPs hand out like, custom gw/switch/routers for DSL or something that run ddw?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
Antivirus 2009 has a new feature. Hope you like talking to people who paid $50 to recover a "corrupted" (encrypted) file from their My Documents folder, because ransomware is back.

Important item of note to take away from this article is that a free service exists to decrypt those files, they're not gone forever and they aren't protected by strong encryption.

According to the writeup here, VirusTotal currently has a 0/39 detection rate for the binaries involved in "fixing" your computer. Could be a benign file, but I can't imagine the authors of Antivirus 2009 missing a chance to stick something else on a user's hard drive.

Biggus Dickus
May 18, 2005

Roadies know where to focus the spotlight.
Does anyone have a link to an unbiased, up-to-date A/V comparison that includes AVG and Avira? All the ones I've seen are a couple of versions old, or don't include both of the above.

Dreading the start of the calls regarding Conficker, here.

Edit: Thanks \/\/

Biggus Dickus fucked around with this message at 20:19 on Mar 26, 2009

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Biggus Dickus posted:

Does anyone have a link to an unbiased, up-to-date A/V comparison that includes AVG and Avira? All the ones I've seen are a couple of versions old, or don't include both of the above.

Dreading the start of the calls regarding Conficker, here.

http://www.av-comparatives.org/ is all you need. Always up to date, and they provide results for signature and heuristic based testing.

Luigi Thirty
Apr 30, 2006

Emergency confection port.

Midelne posted:

Antivirus 2009 has a new feature. Hope you like talking to people who paid $50 to recover a "corrupted" (encrypted) file from their My Documents folder, because ransomware is back.


According to the writeup a few pages ago, Conficker and Antivirus XP are probably made by the same group. At least they both call home to the same city in Latvia or something. Test run? :gonk:
