Tevruden
Aug 12, 2004

KillHour posted:

I had an awesome idea for a virus the other day, and was wondering if anyone had seen something like it, or knew if it was even possible. It would search for known router firmwares and replace them with a modified version that has the virus embedded in it. It would then proceed to reinfect any computers you cleaned and hooked back up to the network. If done right, it would be hell on earth to discover what was really happening.

I haven't seen anything like that, but I have seen trojans that will attempt to bruteforce SOHO routers and then change the DNS settings on them to redirect the traffic to name servers controlled by the author of the trojan.


abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.
Anyone come across one that redirects webpages to websiteblockonline.com? I've thrown just about everything I've got against this machine and it turns up nothing. The only real useful Google result on it is dated July 11, 2010 and it says to run Malwarebytes (which I have). There is nothing except for localhost in the hosts file; SUPERAntiSpyware, Spybot, a2 Free, ESET Online Scanner, and BitDefender Online Scanner find nothing. I have no proxy settings to remove. Basically I cannot find any good reason for this to be going on and really don't want to have to flatten and reload this machine.

Maniaman
Mar 3, 2006
I don't see anywhere you've mentioned ComboFix. I would give that a shot. It seems to find and remove lots of nasty things most other tools won't find or touch.

Also check the network settings and make sure it didn't change the DNS servers. I've seen lots of them change the DNS servers to an infected IP address that takes care of the redirecting.

Ted Stevens
Jun 2, 2007

by T. Finn

abominable fricke posted:

Anyone come across one that redirects webpages to websiteblockonline.com? I've thrown just about everything I've got against this machine and it turns up nothing. The only real useful Google result on it is dated July 11, 2010 and it says to run Malwarebytes (which I have). There is nothing except for localhost in the hosts file; SUPERAntiSpyware, Spybot, a2 Free, ESET Online Scanner, and BitDefender Online Scanner find nothing. I have no proxy settings to remove. Basically I cannot find any good reason for this to be going on and really don't want to have to flatten and reload this machine.

Have you tried running HijackThis? That can usually show me a lot of redirects and other interesting things.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Maniaman posted:

Also check the network settings and make sure it didn't change the DNS servers. I've seen lots of them change the DNS servers to an infected IP address that takes care of the redirecting.

This is the most likely cause if you've already checked proxy settings. Perhaps you're even lucky enough to be sending DNS traffic to servers in Russia!

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.
Forgot to mention that I've run ComboFix (it keeps detecting rootkit activity but doesn't resolve anything). Also ran HijackThis; it found nothing out of the ordinary, and the DNS is set to be automatically assigned from the gateway.

I'm stumped here. I think I might give the Dr. Web live CD a try.


edit: Dr. Web found nothing

abominable fricke fucked around with this message at 14:57 on Jul 16, 2010

Ted Stevens
Jun 2, 2007

by T. Finn
It could be a really deep rooted rootkit. At this point, it would probably just be better to reinstall Windows. After all, how much time have you already sunk in this?

Here's my last resort threat removal. Generally, at this point, if there's something there, I'd just reformat anyway.

GMER- Rootkit detector http://www.gmer.net/

Hitman Pro- It detected a rootkit that nothing else found. I think it's only a 10-day trial or something http://www.surfright.nl/en

BlackLight- Rootkit remover. It's found things other programs didn't. http://www.f-secure.com/en_EMEA/products/technologies/blacklight/

univbee
Jun 3, 2004




Try the Conficker removal tool at http://www.bdtools.net/. Also, if this is a Vista or 7 machine and you have access to the Microsoft Desktop Optimization Pack (through MSDN or whatever), you can set up an official Microsoft Emergency Rescue Disc (6.0 if it's Vista, 6.5 if it's Windows 7), which has an offline spyware scanner that actually works well on rootkits, I've found.

Oddhair
Mar 21, 2004

univbee posted:

Try the Conficker removal tool at http://www.bdtools.net/. Also, if this is a Vista or 7 machine and you have access to the Microsoft Desktop Optimization Pack (through MSDN or whatever), you can set up an official Microsoft Emergency Rescue Disc (6.0 if it's Vista, 6.5 if it's Windows 7), which has an offline spyware scanner that actually works well on rootkits, I've found.

Do you know where it would reside on MSDN?

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

abominable fricke posted:

Anyone come across one that redirects webpages to websiteblockonline.com? I've thrown just about everything I've got against this machine and it turns up nothing. The only real useful Google result on it is dated July 11, 2010 and it says to run Malwarebytes (which I have). There is nothing except for localhost in the hosts file; SUPERAntiSpyware, Spybot, a2 Free, ESET Online Scanner, and BitDefender Online Scanner find nothing. I have no proxy settings to remove. Basically I cannot find any good reason for this to be going on and really don't want to have to flatten and reload this machine.

This stuff usually happens for a couple of reasons:
- hosts file (scanner probably would have got this)
- DNS poisoning (you say you've checked)
- LSP hijack (not as popular as it used to be)

Maybe just to be safe take a look in the HOSTS file, and if you're at wit's end and don't care, maybe try LSPFix.
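The first two checks in that list (hosts file and DNS servers) are easy to script for triage. This is an added example, not code from anyone in the thread: it parses hosts-file text and flags any name mapped to a non-loopback address, and compares configured DNS servers against a trusted set. The sample hosts content and all addresses are constructed for illustration.

```python
import ipaddress
import os

# Constructed sample hosts file: the normal localhost lines plus one injected
# redirect of the kind a DNS/redirect trojan adds (hypothetical, not a real IoC).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.test   # hypothetical injected mapping
"""


def parse_hosts(text):
    """Return (address, [hostnames]) tuples, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_hosts_entries(text):
    """Flag entries that point a hostname anywhere other than a loopback address.

    On a machine with 'nothing except localhost' in the hosts file this returns [].
    """
    flagged = []
    for addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            flagged.append((addr_text, names, "unparseable address"))
            continue
        if not addr.is_loopback:
            flagged.append((addr_text, names, "non-loopback mapping"))
    return flagged


def untrusted_dns_servers(configured, trusted_networks):
    """Return configured DNS servers that fall outside the trusted networks
    (gateway/LAN, ISP or corporate resolvers)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [s for s in configured
            if not any(ipaddress.ip_address(s) in n for n in nets)]


if __name__ == "__main__":
    # Read the live Windows hosts file when run on Windows; otherwise use the sample.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    text = open(path).read() if os.path.exists(path) else SAMPLE_HOSTS
    for entry in suspicious_hosts_entries(text):
        print("hosts:", entry)
    # Constructed DNS settings: the gateway plus an unexpected external resolver.
    for s in untrusted_dns_servers(["192.168.1.1", "198.51.100.7"], ["192.168.1.0/24"]):
        print("untrusted DNS server:", s)
```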

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.
Ted Stevens, Hitman Pro found it. Thank you so much. Let's talk about me having your e-love child.

Ted Stevens
Jun 2, 2007

by T. Finn
Glad to hear it worked. I did a ton of research doing AV solutions and hitman did a great job finding poo poo others didn't.

So, that redirect problem is gone and everything?

And abominable, I'd love to be your e-child donor. At least I'd be getting some kinda sex :)

Ted Stevens fucked around with this message at 03:07 on Jul 17, 2010

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Ted Stevens posted:

Glad to hear it worked. I did a ton of research doing AV solutions and hitman did a great job finding poo poo others didn't.

So, that redirect problem is gone and everything?

And abominable, I'd love to be your e-child donor. At least I'd be getting some kinda sex :)

The redirect problem is gone, as it turns out the machine was infected with a variant of TDSS that had infected the keyboard driver. Sneaky fuckers.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
SANS ISC went to Yellow Alert for the second time in the roughly three years I've been watching, to call attention to the .LNK vulnerability discussed a bit earlier in this thread. There are a few mitigation options mentioned, but honestly most of them are non-starters in a real-world enterprise environment. Disabling icons on shortcuts domain-wide, for instance, would go over just peachy.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
Somewhat reasonable mitigation for the .LNK vulnerability:

http://blog.didierstevens.com/2010/07/20/mitigating-lnk-exploitation-with-srp/

Basic idea is using software restriction policies to prevent everything from running, then excluding your C: and any other hard drives that happen to be present in your environment. This runs into issues when you're in a situation with dissimilar numbers of hard drives -- about half of the ones in my environment have recovery partitions and half don't, for instance -- and where CD/DVD-ROMs may or may not be present depending on the situation, but it's a start.

FCKGW
May 21, 2006

KillHour posted:

I had an awesome idea for a virus the other day, and was wondering if anyone had seen something like it, or knew if it was even possible. It would search for known router firmwares and replace them with a modified version that has the virus embedded in it. It would then proceed to reinfect any computers you cleaned and hooked back up to the network. If done right, it would be hell on earth to discover what was really happening.

Funny you mention that ...
http://arstechnica.com/security/news/2010/07/millions-of-soho-routers-vulnerable-to-new-version-of-old-attack.ars

Xenomorph
Jun 13, 2001
The whole "just listing directory contents / viewing icons" is a great argument as to why people should have the on-access antivirus installed.

Lots of people make claims like "I don't run antivirus and my system is fine! I don't open unknown files."

Well, with this LNK issue, it really may not be fine.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Xenomorph posted:

Well, with this LNK issue, it really may not be fine.

This reminds me, Safari's been vulnerable to an exploit that forces it to drop arbitrary files onto the desktop for well over a year, last I checked. Good thing they have jack poo poo for a share in the PC browsing market.

edit: iirc Apple wasn't fixing it because the vulnerability didn't actually run the file, just dumped it on the user's desktop.

m2pt5
May 18, 2005

THAT GOD DAMN MOSQUITO JUST KEEPS COMING BACK

Xenomorph posted:

Well, with this LNK issue, it really may not be fine.

There was an exploit a couple years ago that involved WMF files (I think) where all you had to do to invoke the code was for Windows to access the file. (Or run into it embedded in a web page.)

BillWh0re
Aug 6, 2001


the LNK file exploit also works from a webpage, at least if the victim is using IE

Drighton
Nov 30, 2005

I had a fake antivirus try to shut down the computer right toward the end of a Malwarebytes scan. It included a custom message in the prompt about the computer being compromised, but left the default 30 second delay - about enough time to run shutdown -a. Only reason I mention it is because it's a very clever and evil last effort (aka "gently caress You") by the virus and made me smile. If I had walked away and let the scan run like I normally do, the removal could have taken twice as long.

Drighton fucked around with this message at 23:15 on Jul 22, 2010

Ted Stevens
Jun 2, 2007

by T. Finn
This might sound a little lame, but what does the -a switch do? I tried doing a shutdown /? in cmd, but it did not show what it did.

Drighton
Nov 30, 2005

It's in there. It aborts the command.

Ted Stevens
Jun 2, 2007

by T. Finn
Thanks. Oh. I see it now. It would have been nice if they showed the switches in alphabetical order, though.

warning
Feb 4, 2004

ZZ Pops is all about hugs and high fives.
I ran across a variant of the TDSS rootkit that would let MalwareBytes run and scan but then it would close it when you clicked the show results button (so nothing would get cleaned). I give props to the guy who coded that, it pissed me off good and made me waste an extra hour.

sfwarlock
Aug 11, 2007

warning posted:

I ran across a variant of the TDSS rootkit that would let MalwareBytes run and scan but then it would close it when you clicked the show results button (so nothing would get cleaned). I give props to the guy who coded that, it pissed me off good and made me waste an extra hour.

So how did you defang it?

Ted Stevens
Jun 2, 2007

by T. Finn
Try Hitman Pro. I haven't seen any virus/trojan stop it, yet.

http://www.surfright.nl/en

Tapedump
Aug 31, 2007
College Slice
What's this horseshit?!

GIS "Starcraft 2" and the first result takes me here:


Click here for the full 1024x712 image.


Fantastic.

click click
Aug 9, 2006

The Eleonore exploit pack is pretty nasty. It keeps getting updated with new exploits for security holes in browsers, Adobe Reader, Flash Player, Java, and other programs, and will probe the victim's computer for security holes in all the places it knows of. Petr M Ivanko (its creator and seller), I'm coming for you, you fucker.

Ted Stevens
Jun 2, 2007

by T. Finn
I just had some weird dream/nightmare that my Windows 7 desktop computer somehow got completely hosed by some sort of Conficker worm/virus/rootkit something or other.

In this dream, I started up my computer, was just browsing the internet, and suddenly got a pop-up ad saying "Your computer is infected!" like they always do. I ignored it because it was a stupid pop-up, then I clicked on the start menu and everything was changed. My "All Programs" pointed to a bunch of fake programs, my bookmarks were replaced by various "Windows 7 AV" links and porn advertisements, and same with My Documents. I kept trying to close them, I scanned with MSE and MWB, but neither of them found ANYTHING. I restarted my computer, only to have my computer bombard me with all sorts of fake Windows errors saying there were tons of infections and registry errors. Again, I ran multiple virus scans and nothing came up. IE and FF kept popping up with very audible porno movies and clips playing and I couldn't close them. I was embarrassed because a bunch of people were watching me while this was happening. In desperation, I went to restore my computer from a backup, but none of my backups worked due to the virus. I freaked out and for the first time in my life felt as hopeless as your typical user. I couldn't do anything, nothing worked, and all my backups were gone.

Then I woke up in a cold sweat to my alarm clock going off.


I think I need a vacation.

KillHour
Oct 28, 2007


Ted Stevens posted:

I just had some weird dream/nightmare that my Windows 7 desktop computer somehow got completely hosed by some sort of Conficker worm/virus/rootkit something or other.

In this dream, I started up my computer, was just browsing the internet, and suddenly got a pop-up ad saying "Your computer is infected!" like they always do. I ignored it because it was a stupid pop-up, then I clicked on the start menu and everything was changed. My "All Programs" pointed to a bunch of fake programs, my bookmarks were replaced by various "Windows 7 AV" links and porn advertisements, and same with My Documents. I kept trying to close them, I scanned with MSE and MWB, but neither of them found ANYTHING. I restarted my computer, only to have my computer bombard me with all sorts of fake Windows errors saying there were tons of infections and registry errors. Again, I ran multiple virus scans and nothing came up. IE and FF kept popping up with very audible porno movies and clips playing and I couldn't close them. I was embarrassed because a bunch of people were watching me while this was happening. In desperation, I went to restore my computer from a backup, but none of my backups worked due to the virus. I freaked out and for the first time in my life felt as hopeless as your typical user. I couldn't do anything, nothing worked, and all my backups were gone.

Then I woke up in a cold sweat to my alarm clock going off.


I think I need a vacation.

It's funny that to us this is a serious nightmare scenario.

univbee
Jun 3, 2004




Oddhair posted:

Do you know where it would reside on MSDN?

Strangely enough, it's under "Servers" for some reason. It's just called "Desktop Optimization Pack" and there's no point in downloading the older ones, I think you can just download 2010 Refresh and you're good.

Oddhair
Mar 21, 2004

That's great, thanks, I see it now.

Moderator
Jul 8, 2010
;)

(USER WAS PUT ON PROBATION FOR THIS POST)

Mr. Fahrenheit
Feb 9, 2007

by T. Finn
Edit: Never mind, I guess I loving spoke too soon, I'm still getting redirected. I've run Malwarebytes, Ad-Aware, AVG, Avast, ComboFix and now Hitman Pro. Does anyone have any suggestions?

I had a virus that hosed with my proxy setting. Should it be set to "auto-detect proxy settings for this network" for Firefox? Because I just changed it to that and it didn't redirect me on the link that I had just been redirected on before I changed it. E: No, it wasn't that either. gently caress, this is frustrating. Should I post my HijackThis log here or something?

Mr. Fahrenheit fucked around with this message at 07:46 on Jul 30, 2010

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Mr. Fahrenheit posted:

Edit: Never mind, I guess I loving spoke too soon, I'm still getting redirected. I've run Malwarebytes, Ad-Aware, AVG, Avast, ComboFix and now Hitman Pro. Does anyone have any suggestions?

I had a virus that hosed with my proxy setting. Should it be set to "auto-detect proxy settings for this network" for Firefox? Because I just changed it to that and it didn't redirect me on the link that I had just been redirected on before I changed it. E: No, it wasn't that either. gently caress, this is frustrating. Should I post my HijackThis log here or something?

Best bet is for a quick re-install.

warning
Feb 4, 2004

ZZ Pops is all about hugs and high fives.
If it gets past ComboFix, it gets reimaged.

That is my motto.

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
Pull the drive and run it through another machine's AV.

Posts Only Secrets
Jan 22, 2005
Breaking the NDA...
If it showed signs of TDSS in the past, run TDSSKiller on it. Looks like it was just updated too.

http://support.kaspersky.com/viruses/solutions?qid=208280684

It's a quick scan that usually takes less than a minute and picks up infected drivers that some AVs don't always detect as TDSS.


FCKGW
May 21, 2006

Zeus Botnet v3 has reared its ugly head and emptied out about $1 million from UK bank accounts in a currently undetected botnet scheme.

The Register posted:

The Zeus Trojan associated with the account ran a "man in the browser" attack. While earlier versions simply recorded banking login credentials and forwarded them back to hackers, the latest version of Zeus also performs illegal online banking transactions. The malware is sophisticated enough to wait for the entry of secondary authorisation data needed to make transfers - such as a date of birth - by victims onto compromised machines.

Account balances on compromised machines were manipulated to disguise transfers from compromised accounts to phishing mules, located in the UK. These transfers were only carried out when the account balance was over £800, a tactic possibly designed to avoid the early detection of fund transfers from compromised accounts by making sure marks still had enough money to obtain cash from ATMs.

The Register had a great article on it, but this part stuck out for me.

The Register posted:

It also found that the exploit pack used to seed the attack had claimed a much larger number of victims - as many as 300,000 machines. The vast majority were Windows boxes, but 4,000 Mac machines were also hit.

This attack works through a browser plug-in, making secondary authentication methods useless, and creates false bank statements on the fly, hiding any transfers from the victim's accounts.

I'm sure we're bound to see more of these attacks crop up in the future. Social Engineering still works on any platform.
