Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Luigi Thirty posted:

According to the writeup a few pages ago, Conficker and Antivirus XP are probably made by the same group. At least they both call home to the same city in Latvia or something. Test run? :gonk:

I guess it's not so much of a stretch to assume that two of the most wildly prevalent and successful pieces of malware out there have related dev families. On the other hand, it's at least a little comforting to think that there's no real way that anyone using anything less than Google-level infrastructure could handle the traffic that would be generated by attempting to install malware on six million computers simultaneously.


BillWh0re
Aug 6, 2001


Midelne posted:

I guess it's not so much of a stretch to assume that two of the most wildly prevalent and successful pieces of malware out there have related dev families. On the other hand, it's at least a little comforting to think that there's no real way that anyone using anything less than Google-level infrastructure could handle the traffic that would be generated by attempting to install malware on six million computers simultaneously.

Actually, they've solved that bandwidth problem.

Only a few Conficker infected computers will succeed in contacting their website to grab an update (each one only contacts a randomly chosen set of 500 domains a day out of a possible 50,000). Once those few succeed, they'll distribute it to the rest via a peer-to-peer network that Conficker has set up between infected machines.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

BillWh0re posted:

Actually, they've solved that bandwidth problem.

Only a few Conficker infected computers will succeed in contacting their website to grab an update (each one only contacts a randomly chosen set of 500 domains a day out of a possible 50,000). Once those few succeed, they'll distribute it to the rest via a peer-to-peer network that Conficker has set up between infected machines.

I noticed that doing further reading after I'd posted, but it didn't register that it would mitigate the bandwidth problem in addition to making it harder to track. That's a pretty bright move.

univbee
Jun 3, 2004




Is there a specific time Conficker is meant to go off on April 1st? I'm in the Pacific Time Zone and am a single Home/SOHO level IT support person and would like to know at what time poo poo is meant to hit the fan (like if New Zealanders will start receiving/distributing the infection early on the morning of the 31st my time and stuff like that). Can the "timebomb" part of the Conficker.C virus be removed pre-emptively to avoid April Fool's mega-infection (assuming that's what they're going for)? I want to be as ready as possible in case I end up with my service phone ringing off the hook on that day.

BillWh0re
Aug 6, 2001


univbee posted:

Is there a specific time Conficker is meant to go off on April 1st? I'm in the Pacific Time Zone and am a single Home/SOHO level IT support person and would like to know at what time poo poo is meant to hit the fan (like if New Zealanders will start receiving/distributing the infection early on the morning of the 31st my time and stuff like that). Can the "timebomb" part of the Conficker.C virus be removed pre-emptively to avoid April Fool's mega-infection (assuming that's what they're going for)? I want to be as ready as possible in case I end up with my service phone ringing off the hook on that day.

It's not really such a precise "timebomb" as no one knows when Conficker will actually succeed in downloading an update -- it depends when the authors choose to register one of the domains it's going to contact, and they can do this any time on or after April 1st. So there's a fair chance you won't see anything at all happen on that date (aside from the traffic to those randomly named domains), but perhaps some time afterwards. This was the case with the previous version too which started calling home from January 1st and was eventually updated in February and March.

The HTTP headers and user agents it uses are either completely normal (uses IE settings from the infected machine) or massively randomised so it'd be hard to write a signature for them. If you want to block the domains it contacts you can do that but it's 50,000 unique domains each day which might be tricky depending on your firewall or whatever you're using.

BillWh0re fucked around with this message at 20:44 on Mar 26, 2009
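The two posts above describe the same mechanism from opposite sides: each infected host queries only 500 of 50,000 candidate domains a day and relays whatever it fetches over the botnet's peer-to-peer channel, and anyone trying to block or monitor those domains faces a 50,000-name daily list. The model below is an added example, not code from the thread or from any Conficker analysis tool; it uses the thread's two figures and assumes nothing else. It gives a defender the two numbers that matter when deciding how many of the day's domains to pre-register, sinkhole or block: the share of bots that will touch at least one covered domain, and the number of domains needed to reach a target share. The `simulate_day` check and its domain numbering are constructed for illustration.

```python
"""Model of the domain-rendezvous scheme described in this thread.

Added example, not code from the thread or from any Conficker analysis
tool: each infected host queries 500 domains per day drawn at random from
a pool of 50,000 (figures from the posts above). Defenders who pre-register,
sinkhole or block some of those domains want two numbers: what share of
bots will touch at least one of k covered domains on a given day, and how
many domains must be covered to reach a target share.
"""
import random

POOL = 50_000     # candidate domains per day (figure from the thread)
PER_BOT = 500     # domains each bot actually queries per day (figure from the thread)


def fraction_reached(k, pool=POOL, per_bot=PER_BOT):
    """Probability that one bot queries at least one of k covered domains.

    The bot's picks are a sample without replacement, so the miss
    probability is hypergeometric: C(pool-k, per_bot) / C(pool, per_bot),
    computed here as a running product to avoid enormous binomials.
    """
    if k <= 0:
        return 0.0
    if k > pool - per_bot:
        return 1.0          # too few uncovered domains left for a bot to miss them all
    miss = 1.0
    for i in range(k):
        miss *= (pool - per_bot - i) / (pool - i)
    return 1.0 - miss


def domains_needed(target, pool=POOL, per_bot=PER_BOT):
    """Smallest number of covered domains such that fraction_reached >= target."""
    if not 0.0 <= target <= 1.0:
        raise ValueError("target must be a fraction between 0 and 1")
    k = 0
    while fraction_reached(k, pool, per_bot) < target:
        k += 1
    return k


def simulate_day(n_bots, covered, seed=1, pool=POOL, per_bot=PER_BOT):
    """Monte Carlo check: how many of n_bots hit any covered domain today.

    Domains are modelled as integers 0..pool-1 (constructed numbering);
    `covered` is the set a defender controls. Returns the number of bots
    that made direct contact. As the thread notes, those few then relay
    what they fetched over the peer-to-peer channel, so the direct-contact
    count, not server bandwidth, is the figure that matters.
    """
    rng = random.Random(seed)
    covered = set(covered)
    hits = 0
    for _ in range(n_bots):
        picks = rng.sample(range(pool), per_bot)
        if not covered.isdisjoint(picks):
            hits += 1
    return hits


if __name__ == "__main__":
    for k in (1, 10, 69):
        print(f"{k:4d} covered domains -> {fraction_reached(k):.1%} of bots reached per day")
    print("domains needed to reach half the bots in a day:", domains_needed(0.5))
    print("bots (of 2000) hitting one registered domain:", simulate_day(2000, {12345}))
```

A single registered domain is touched by about 1% of bots per day, which is exactly why the P2P relay makes the scheme work for the operator; covering roughly 69 of the day's domains reaches half the bots, and the full 50,000 only matter if the goal is to block every possible contact rather than to observe or capture it.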

Customer Service
Jun 20, 2004

I'm not wearing any pants
Hrm. That article mentioned that if your computer has had a Windows Update sometime in March, it's probably okay. But how can I find out if mine has? (It may have but I honestly wouldn't remember.)

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock
I still wonder why they picked such a "late" date for their update. It would seem like the less time the monitoring companies have to respond, the more successful the update will be. Or they could just have made it check for updates every other day, so nobody knew when it would hit.

LRADIKAL
Jun 10, 2001

Fun Shoe

Customer Service posted:

Hrm. That article mentioned that if your computer has had a Windows Update sometime in March, it's probably okay. But how can I find out if mine has? (It may have but I honestly wouldn't remember.)

Internet Explorer->Tools->Windows Update

Biggus Dickus
May 18, 2005

Roadies know where to focus the spotlight.
The actual update you need is 958644 (MS08-067).

http://support.microsoft.com/kb/962007

Delicious Sci Fi
Jul 17, 2006

You cannot lose if you do not play.
One of my users got a trojan I have never seen before. SuperAntiSpyWare picks it up as:

Trojan.Agent/Gen.RedDragon

I can't find anything on it. Google returns a whole bunch of reggae and D&D matches. Anyone know anything about it?

Also what is a good trusted site to look up info on trojans/ viruses?

darkforce898
Sep 11, 2007

Delicious Sci Fi posted:

One of my users got a trojan I have never seen before. SuperAntiSpyWare picks it up as:

Trojan.Agent/Gen.RedDragon

I can't find anything on it. Google returns a whole bunch of reggae and D&D matches. Anyone know anything about it?

Also what is a good trusted site to look up info on trojans/ viruses?

I would take the file and upload it to a site to see if you can get a different name for it.

http://www.virustotal.com/
works well. I looked around but didn't really see anything. Symantec and Trend Micro have nothing by that name.

http://www.symantec.com/norton/security_response/threatexplorer/index.jsp
http://www.trendmicro.com/vinfo/

Doc Faustus
Sep 6, 2005

Philippe is such an angry eater
Posting this from a user's infected machine. They picked up a nasty piece that randomly redirects from Google results (to Playboy, among other places), crashes regedit and cmd. Crashes browsers if you attempt to find ways to remove it. I was able to get to the link below before, but now it just crashes.

A Malwarebytes scan found some stuff but didn't resolve the issue; SUPERAntiSpyware has found some things but the scan is still ongoing.

Anyone else seen this before? Based on the link, I'm inclined to think it's a fairly new variant of something.

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t211718.html

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
That does seem new, his antivirus didn't pick it up either. It doesn't appear to do anything drastically different than old hijackers, it will probably be added to the definitions soon enough.

cnrkb
Sep 29, 2008

The internet is
serious business
I've run into some malware on Vista 64, which is characterized by deleting my system restore points and preventing me from logging in now and then. When the latter happens, my log-in upon entering the password either loads the Loading log-in infinitely, or keeps at only displaying the log-in background. If I hold the shutdown button for a short while, the screen goes black, but with the mouse becoming active.

No other issues seem to exist currently. I've run about every free and online scanner available, along with Avira Free, Malwarebytes, CCleaner, the ESET Smart Security and removal tools, along with the bulk of Conficker removal tools.

I always keep my computer updated, but there were a couple of days where ESET SS wasn't installed due to some software snags with it, after deleting some malware on an external hard drive. It may or may not be the culprit.

Finding an all-round tool seems improbable, but if anyone recognizes the above symptoms as characteristic of a specific piece or breed of malware, let me know. According to ESET telephone support, it's a type of malware that would gently caress up my computer if I tried to reformat, so I seem to be somewhat stuck. They didn't report back to me this Friday, and they haven't told me what type of malware they believe me to be infected with.

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
That sounds like either winlogon.exe or userinit.exe is not initializing properly. Get a setup disk and manually copy the files over.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
If the author(s) of Conficker are truly insane (like The Joker kind of crazy), they could simply use April Fool's day as a parting gift to the world. Force all infected clients to format C: on April 1st and delete everything, including Conficker.

I'd have to give a round of applause to that.

Otacon
Aug 13, 2002


Ensign Expendable posted:

That sounds like either winlogon.exe or userinit.exe is not initializing properly. Get a setup disk and manually copy the files over.

SFC /scannow - use it, brother.

cnrkb
Sep 29, 2008

The internet is
serious business

Otacon posted:

SFC /scannow - use it, brother.

After running said command and rebooting to accommodate the script's request so it could perform its thing (two Windows updates, which I did not see downloading or installing, were installed upon shutting down), Windows now runs in a so-called test mode. At the first scan, it seemed to find a plethora of files to fix, but when running it again in Safe Mode (as no fixing process or prompt seemed to initialize after the reboot), it finds nothing.

Can't log in by the looks of it either, but this is probably the same sporadic thing which has plagued me for a while.

cnrkb fucked around with this message at 00:23 on Mar 30, 2009

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug

Otacon posted:

SFC /scannow - use it, brother.

Right, that's the command I was thinking of. I knew there was something that does that, but couldn't remember what it was.

devmd01
Mar 7, 2006

Elektronik
Supersonik

GREAT BOOK OF DICK posted:

If the author(s) of Conficker are truly insane (like The Joker kind of crazy), they could simply use April Fool's day as a parting gift to the world. Force all infected clients to format C: on April 1st and delete everything, including Conficker.

I'd have to give a round of applause to that.

It would be a refreshing change from running a botnet for sending out penis pill emails. Quick, someone buy stock in OnTrack!

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
Conficker Network Signature Discovered

For those of you freaking out about Conficker, now you can use nmap to do large-scale infection-checks. There's officially no longer an excuse for not knowing whether you're infected or not, and not knowing whether your enterprise is infected or not.

brc64
Mar 21, 2008

I wear my sunglasses at night.

Midelne posted:

Conficker Network Signature Discovered

For those of you freaking out about Conficker, now you can use nmap to do large-scale infection-checks. There's officially no longer an excuse for not knowing whether you're infected or not, and not knowing whether your enterprise is infected or not.

I don't know much about nmap, so if anybody can clue me in on how exactly I'm supposed to use it to scan for Conficker, that would be nice. The article isn't very specific on that.

Drighton
Nov 30, 2005

Put in your IP address range in the Target field. I'm not sure which scan to do though, and I'm not sure what you will see if you are infected. Big red CONFICKER label on the IP address or maybe you're looking for a specific port, I don't know.

brc64
Mar 21, 2008

I wear my sunglasses at night.

Drighton posted:

Put in your IP address range in the Target field. I'm not sure which scan to do though, and I'm not sure what you will see if you are infected. Big red CONFICKER label on the IP address or maybe you're looking for a specific port, I don't know.

That's sort of why I was asking. The article talked about updated "definitions" being available mid-Monday, so maybe the nmap folks are going to release an update or something. I don't know.

Drighton
Nov 30, 2005

There's some instructions for running the Python script in the comments section. I'm putting that together now to give it a try.

Interestingly, I did a scan of another subnet with nmap and a few returned with a red "6129/tcp closed unknown".

edit:
So you need to download Python 2.6 for Windows and Impacket. I had to extract the files directly to the python directory in order for the install to run. Extract the SCS zip anywhere. Open the command prompt, navigate to the python directory, execute "python setup.py install". When finished you can run "python [directory]\scs.py [IP 1] [IP 2]". I had to run it on a computer without SEP, though.

Drighton fucked around with this message at 17:02 on Mar 30, 2009

Biggus Dickus
May 18, 2005

Roadies know where to focus the spotlight.
PoC (inc Download tool) for Conficker detection:
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Welp, I don't have conficker B or C on any of the machines in my house.

Customer Service
Jun 20, 2004

I'm not wearing any pants
I'm confused: do you absolutely have to use a special program just to detect Conficker, or just to remove it? NOD32 and Superantispyware didn't find anything on mine but I want to be sure.

BillWh0re
Aug 6, 2001


Customer Service posted:

I'm confused: do you absolutely have to use a special program just to detect Conficker, or just to remove it? NOD32 and Superantispyware didn't find anything on mine but I want to be sure.

No, the network scanning method is for checking remote computers that may or may not have working anti-virus installed. Your anti-virus product should detect it just fine on the local machine assuming it has the necessary updates (which it might not have if you're infected, since Conficker blocks that).

darkforce898
Sep 11, 2007

The university I work for is having a problem with DNS changer viruses and they are not fun at all. They seem to all be Trojan.Flush.M but they aren't at all. None of the files are the same, but they have the exact same symptoms.

http://arstechnica.com/security/news/2009/03/new-version-of-dns-server-trojan-flushm-spotted-in-the-pipe.ars

Seems to be exactly what they have but I can't get any removal information. The only thing that has been found has been through GMER and is a rootkit called 'gaopdxserv.sys'. Unfortunately this can only be deleted through a recovery console or through another operating system. This isn't really a good solution and doesn't have anything to do with Flush.M.

The only thing I can think of is that the rootkit is hiding the files of the Flush.M virus and we need to remove the rootkit first. Another cool thing is that Malwarebytes will not run at all. It installed fine but it crashed on load, even when changing the name of the process.

Tsercele
Sep 27, 2008

I've got a TDSServ infection on my 32-bit Vista machine, and it's dug in. The catch is, everything mentioned in the thread thus far seems ineffective. I've checked the Non-Plug and Play Drivers list, but there are no TDS variations. Spyware Doctor can detect it, but refuses to remove it unless I buy a full version. MalwareBytes always crashes before completing its scan. SUPERAntiSpyware didn't detect anything. GMER bluescreened the computer, even when renamed. ComboFix ran, had an adverse reaction to avast! (maybe?), and almost lobotomized my computer when it bluescreened on restart. Avira detected a couple of trojans, but not TDSServ, and then it crashed my computer. I'm starting to wonder if the trojan's creating fake bluescreens. Any help would be appreciated.

Edit: I'm also running Spyware Terminator, and - looking for more data online - it's suggested that it's a rogue program. God dammit.

Also, I double-checked the Device Manager, and it's running a driver called "catchme". Cheeky bastards.

Tsercele fucked around with this message at 03:18 on Mar 31, 2009

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
Use the Ultimate Boot CD to scan the system from outside Windows. That should get rid of it if it keeps killing off your tools.

taiyoko
Jan 10, 2008


Trying to remotely fix a friend's computer right now. No idea what he's managed to get on his system offhand. He says IE and Firefox won't load any pages, but his instant messaging still works, so it's not a problem with the connection. We've tried MalwareBytes and SUPERAntiSpyware to no effect, though they can't access updates. Combofix does nothing. AVG didn't pick up anything. I'm unable to physically go over there and do anything, as I'm at college and don't have a car on campus.

Aside from sending him over AIM the installer for LogMeIn and me attempting to see if I can fiddle with stuff that way to fix it from here, I'm pretty much stumped.

Otacon
Aug 13, 2002


The Man with a Hat posted:

I've got a TDSServ infection on my 32-bit Vista machine, and it's dug in. The catch is, everything mentioned in the thread thus far seems ineffective. I've checked the Non-Plug and Play Drivers list, but there are no TDS variations. Spyware Doctor can detect it, but refuses to remove it unless I buy a full version. MalwareBytes always crashes before completing its scan. SUPERAntiSpyware didn't detect anything. GMER bluescreened the computer, even when renamed. ComboFix ran, had an adverse reaction to avast! (maybe?), and almost lobotomized my computer when it bluescreened on restart. Avira detected a couple of trojans, but not TDSServ, and then it crashed my computer. I'm starting to wonder if the trojan's creating fake bluescreens. Any help would be appreciated.

Edit: I'm also running Spyware Terminator, and - looking for more data online - it's suggested that it's a rogue program. God dammit.

Also, I double-checked the Device Manager, and it's running a driver called "catchme". Cheeky bastards.

Catchme is from GMER, and is harmless. Give this a shot: Boot into Safe Mode, download ComboFix, drop it in C: and rename it to 'cf.exe' - run this as administrator, and let it go through. If it reboots your machine and it blue screens, there should be a combofix.txt file in your root drive - paste the text and we'll get some more info. However, popping the drive into a computer and running an external virus scan will help - just be prepared for blue screens as Windows tries to load device drivers that don't exist anymore.

taiyoko posted:

Trying to remotely fix a friend's computer right now. No idea what he's managed to get on his system offhand. He says IE and Firefox won't load any pages, but his instant messaging still works, so it's not a problem with the connection. We've tried MalwareBytes and SUPERAntiSpyware to no effect, though they can't access updates. Combofix does nothing. AVG didn't pick up anything. I'm unable to physically go over there and do anything, as I'm at college and don't have a car on campus.

Aside from sending him over AIM the installer for LogMeIn and me attempting to see if I can fiddle with stuff that way to fix it from here, I'm pretty much stumped.

Open up Notepad and look for the HOSTS file: c:\windows\system32\drivers\etc\ - it's not a text file, it's just called HOSTS. See if there is anything else other than 127.0.0.1 listed - if not, tell him to download Dial-A-Fix and to have that give a run through.

Otacon fucked around with this message at 03:47 on Mar 31, 2009

taiyoko
Jan 10, 2008


Otacon posted:

Open up Notepad and look for the HOSTS file: c:\windows\system32\drivers\etc\ - it's not a text file, it's just called HOSTS. See if there is anything else other than 127.0.0.1 listed - if not, tell him to download Dial-A-Fix and to have that give a run through.


Nothing out of the ordinary with the hosts file. Sending him Dial-A-Fix now to try that out.

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
Check hosts and also look at proxy server settings for each browser. If hosts wasn't modified it's possible those were.

taiyoko
Jan 10, 2008


Ensign Expendable posted:

Check hosts and also look at proxy server settings for each browser. If hosts wasn't modified it's possible those were.

No proxy settings on IE or FF. Nothing suspicious listed in running processes, but this is rather strange to me...

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
You didn't check to see what was using all that?

darkforce898
Sep 11, 2007

taiyoko posted:

No proxy settings on IE or FF. Nothing suspicious listed in running processes, but this is rather strange to me...



Might be a seismograph in an earthquake. Check his DNS settings to see if they point to something like 85.* or 64/63.*. If so he has Trojan.Flush.M

Run a scan in GMER and see if anything comes up as a rootkit.
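Otacon's suggestion above (open the HOSTS file and look for anything other than the loopback entries) and darkforce898's (check whether the configured DNS resolvers have been swapped for addresses in the ranges he names) are both easy to turn into a repeatable triage check. The script below is an added example, not code from the thread: it parses a hosts file and reports every non-loopback mapping, and compares a machine's configured resolvers against the ones it should have, noting the thread's suspect ranges as the rough heuristic they are. The sample hosts text and resolver lists are constructed; 192.0.2.x is RFC 5737 documentation space and 85.0.0.1 is a made-up sample value, not an indicator.

```python
"""Triage helpers for the two checks suggested in this thread.

Added example, not code from the thread: (1) read a Windows hosts file
and flag any mapping that is not a loopback entry, as Otacon suggests;
(2) compare the resolvers a machine is actually using against the ones
it should have, additionally flagging the address ranges darkforce898
names as a rough Trojan.Flush.M indicator. Sample inputs below are
constructed; the 192.0.2.x addresses are RFC 5737 documentation space.
"""
import ipaddress
import sys

# Ranges called out in the thread as a coarse DNS-changer heuristic.
# This is the poster's rule of thumb, not an authoritative indicator list.
SUSPECT_RESOLVER_RANGES = [
    ipaddress.ip_network(net) for net in ("85.0.0.0/8", "63.0.0.0/8", "64.0.0.0/8")
]


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each effective line of a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # malformed line, nothing mapped
        yield line_no, fields[0], fields[1:]


def suspicious_hosts_entries(text):
    """Return entries that map a name to anything other than a loopback address.

    Legitimate ad-blocking hosts lists also use 0.0.0.0 or 127.0.0.1 for
    thousands of names; 0.0.0.0 is not loopback and will be reported, so
    treat the output as a review list rather than a verdict.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, names, "address does not parse"))
            continue
        if not ip.is_loopback:
            findings.append((line_no, addr, names, "non-loopback mapping"))
    return findings


def check_resolvers(configured, expected):
    """Flag resolvers not in `expected`, noting the thread's suspect ranges."""
    expected_ips = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for addr in configured:
        ip = ipaddress.ip_address(addr)
        if ip in expected_ips:
            continue
        reasons = ["not an expected resolver"]
        if any(ip in net for net in SUSPECT_RESOLVER_RANGES):
            reasons.append("in a range the thread associates with Trojan.Flush.M")
        findings.append((addr, reasons))
    return findings


# Constructed sample hosts file: two normal loopback lines, one redirect of an
# update host to a documentation address, one ad-block style 0.0.0.0 entry.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      update.example.com     # constructed redirect
0.0.0.0         ads.example.net
"""

# Constructed resolver lists: what the machine is using vs. what it should use.
SAMPLE_CONFIGURED = ["192.0.2.53", "85.0.0.1"]   # 85.0.0.1 is a made-up sample value
SAMPLE_EXPECTED = ["192.0.2.53", "192.0.2.54"]


def main(argv):
    # Pass a path to read a real file, e.g. C:\Windows\System32\drivers\etc\hosts
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, addr, names, why in suspicious_hosts_entries(text):
        print(f"hosts line {line_no}: {addr} -> {' '.join(names)} ({why})")
    for addr, reasons in check_resolvers(SAMPLE_CONFIGURED, SAMPLE_EXPECTED):
        print(f"resolver {addr}: {'; '.join(reasons)}")


if __name__ == "__main__":
    main(sys.argv)
```

On a real machine, feed the script the hosts path and replace `SAMPLE_CONFIGURED` with the resolver addresses shown by `ipconfig /all`; an empty hosts finding plus resolvers that match what DHCP or IT hands out is what you want to see before moving on to the rootkit scan.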


taiyoko
Jan 10, 2008


Cojawfee posted:

You didn't check to see what was using all that?



As I said, nothing seemed particularly out of place at first glance.

darkforce898 posted:

Check his DNS settings to see if they point to something like 85.* or 64/63.*. If so he has Trojan.Flush.M

Run a scan in GMER and see if anything comes up as a rootkit.

I'll try that when he logs back on. It's a bit frustrating having to do everything via AIM.
