BillWh0re
Aug 6, 2001


AceSnyp3r posted:

I have a question kind of related to this thread. Are there/have there been any known ways for a virus to spread via e-mail without the use of an attachment or embedded image/audio/video/java/etc.?

I can't remember any offhand but there have been a few that have sent emails with attachments then used a MIME vulnerability in Outlook to open the attachment without user intervention. Also if the mail reader is vulnerable to running HTML it shouldn't in the message body then the payload can come from a remote website rather than an attachment.

quote:

That's interesting, is there another new image vulnerability in Windows or something? I'm kind of interested in how exactly a hacked JPG like you're talking about works.

Most infected JPEGs, GIFs and PNGs these days are just legitimate image files with iframes or script tags appended. I think there's some way to get a browser to render them as HTML so the tags work but I forget how it happens.


BillWh0re
Aug 6, 2001


hyperborean posted:

How does GMER compare to Process Explorer? Looking at the screenshots it seems similar, although it's hard to tell because I can't read Polish or whatever that is.

Different tools for different jobs mainly. Process Explorer is great for seeing what's happening with loaded modules and handles. GMER is more of a rootkit-revealer type tool and extracts a lot of information about the internal state of the Windows kernel (and even the DOS IVTs and boot sectors). I haven't used Process Explorer for a year or so though so it might have changed since then.

BillWh0re
Aug 6, 2001


Hillridge posted:

Goddammit I am still getting redirected now and then when clinking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now.

Are there other computers on your local network? The latest batch of Zlobs perform DNS poisoning so they end up redirecting DNS requests from clean computers that are networked to an infected one.

BillWh0re
Aug 6, 2001


Car posted:

This is a cool little feature.

Actually my post wasn't totally accurate as I seem to remember it poisons dhcp rather than dns directly, so you should be able to see it based on the dns server configured by dhcp. Still a nightmare to track down though.

BillWh0re
Aug 6, 2001


Cojawfee posted:

Are some of you guys forced into paying for these programs? I will never understand why people would pay for antivirus or antispyware. I hate when people come in and say "I just bought this Norton can you put it on?"

...and scan with antivir...

I dunno man kinda sounds like the reason you don't feel the need to buy antivirus is because you are illegally using the free personal editions for commercial use. :filez:

BillWh0re
Aug 6, 2001


Drighton posted:

I did. I pulled the flash key back to my computer to put some files on it and Symantec started deleting all the executables on the disk all as W32.Wowinzi.A
The flash disk looks like this now.

Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself which is what causes explorer to show that menu.

Instead of running tools from flash drives run them from CDs so this can't happen. Especially if the computer has a file infecting virus. Also, never use explorer to open or browse drives on an infected computer because the open and explore actions usually execute the worm.

BillWh0re fucked around with this message at 21:16 on Dec 30, 2008

BillWh0re
Aug 6, 2001


Elected by Dogs posted:

CDs can autorun too.

They're read only which means they don't get infected the moment you stick them in an infected computer, which is what happens with USB sticks unless there happen to be some fancy ones that make themselves read only.

BillWh0re
Aug 6, 2001


Elected by Dogs posted:

CDRW? If it was burned along with the files (dunno if any malware does this kind of insertion) - it would still infect anyways.

I've not used Windows CD burning in some time but I don't think it kicks in automatically on file copies and no malware initiates the burn process. Probably just stays queued up in explorer forever or something.

Drighton posted:

Just grabbed the user's profile folder and started a format. gently caress this.

Better confiscate all their USB sticks and scan them too if you don't want to get called out again in an hour's time. :(

BillWh0re
Aug 6, 2001


There are no known attacks to spoof existing executable digital signatures so either the signature doesn't work or this is a false positive from Panda. Since no one else detects it I would assume the latter.

BillWh0re
Aug 6, 2001


SecretFire posted:

So we recently had Trojan.Linkoptimizer spread around the office where I work, and one of the infected systems was mine. Seeing as I didn't browse any non-company sites in IE, or run anything new, and the system had the patch (or should have, I believe it was pushed out) for the new remote vulnerability, I have no idea how I got infected.

Is that malware known for using autorun on external drives or something? Or was an internal company page or something compromised with a drive-by for IE?

I think Symantec sometimes refer to the Conficker worm as Trojan.Linkoptimizer, perhaps because they have very similar obfuscation of the main DLL code.

If it's a Conficker variant it'll probably spread by all three of these:

- MS08-067 exploit (server service vulnerability that you say is patched)
- Writable shares with weak passwords, or unpassworded shares, onto which it copies the DLL file and sets up a scheduled task to run it
- USB drives where it creates an autorun.inf file full of random crap that still works because it has the proper autorun text in it, the actual DLL is in the RECYCLER folder on the drive

BillWh0re
Aug 6, 2001


SecretFire posted:

Wait...you can "share" the ability to schedule tasks? I had no idea.

They're stored as .job files so with access to the C$ or ADMIN$ share you can just drop them I believe.

BillWh0re
Aug 6, 2001


RivensBitch posted:

After fighting vundo for hours I finally managed to remove it, but now windows wont let me configure my wireless network adapter. Has anyone encountered this after a vundo removal, and is there a utility to rebuild the networking? A non-flatten windows reinstall doesn't work.

Sounds like it could be a problem with the LSP (Layered Service Provider) chain. Often removing malware improperly can leave the chain broken. I'm sure there are lots of free tools around to fix it but I don't know of any offhand.

BillWh0re
Aug 6, 2001


Midelne posted:

And you thought Storm was bad. At least this time around Microsoft is on top of it and the January MSRT will take out most versions of Conficker. The lesson today, as loving always? Update update update.

The way Conficker works now it seems the actual exploit it uses is pretty much interchangeable with any other. The group could keep updating it to use whatever the newest big Windows exploit is. The way it's really nasty is in how it does everything else.

The autorun.inf file is better obfuscated than anything seen before; usually you see a worm start using pretty simple autorun.inf files and gradually add more obfuscation over time as they become detected by AV software. Conficker starts off with something that's probably impossible for a lot of products to viably detect (not that they can't, but that they would have to look so deep into the file it would slow scans of clean files down too much).

The way it names its files means that the worm DLL on any one computer will always use the same pseudorandom name. Doesn't seem important (and could just have been implemented to prevent multiple infections of the same machine) until you realise that means that any registry keys or scheduled tasks left lying around after the file is deleted will cause it to run again as soon as the file reappears... which happens all the loving time since other infected computers are copying the file back over Windows file sharing. Oh and it removes all permissions on its service registry keys which breaks most registry tools, forcing the user to add permissions back again just in order to see the worm's service entries.

The deterministically generated domain name poo poo has been done before but it's still pretty smart.

BillWh0re fucked around with this message at 01:16 on Jan 16, 2009

BillWh0re
Aug 6, 2001


fygar posted:

All right, I think I may have messed up. I had a large PDF document to print for my job today, so I put it on my USB flash drive and took it to a local print shop. I scanned the drive the day before with AVG to make sure that it was clean. I plugged the flash drive into my computer at work after coming from the print shop, and OfficeScan quarantines an autorun.inf virus (some variant of Otorun). When I get home, I scan the drive again with AVG, and AVG quarantines two more virii (AutoRun.EQ and Heur). I'm pretty sure that these virii came from the print shop. OfficeScan picked up the one virus, but there was no notice about the other two. I'm not in the company's IT department, and I don't have the privileges on the machine at work to run a scan on my own.

There's a few scenarios racing through my mind right now:
  1. The drive was infected by the print shop with all three virii, and OfficeScan only caught the one.
  2. The drive was infected with one virus by the print shop computer, then the drive was infected with the two virii by my work computer.
  3. Maybe I'm remembering the order of things wrong, and I ran the scan before copying the PDF file to the flash drive (meaning I contracted three virii at home between yesterday and today).
If it's the last case, then I can't fathom how two separate machines would fail at detecting all three virii (assuming the print shop runs some sort of realtime antivirus detection). I'm probably going to get bitched-out by the IT department, but I'm going to have to give them a call in the morning about this.

Are virii exploiting the Windows Autorun feature only malicious if the file is allowed to run? Do these virii still execute if "Take No Action" is selected?

There are probably only two malicious files here, but AVG and Trend use different names for one of the components. Generally Otorun and Autorun refer to the same kinds of malware though that could be either the autorun.inf file itself or the executable it references.

There may be another reason Officescan only picked up one of the files -- did it perform a full scan of the disk, or just a quick on-access scan when you plugged it in? A likely explanation is that Windows tried to load the autorun.inf when you plugged the drive in, causing Officescan to scan and report (and block) it, and the second file was never scanned since you don't have permission to scan the whole drive and Windows never tried to load it since the autorun.inf that points to it was blocked. Then when you got home you scanned the whole drive with AVG and got both of them.
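Several posts in this thread come back to the autorun.inf file: the one left on a flash drive after the executable is deleted, the Conficker version padded with random junk that still works because the real keys are in there, and the question of whether a detection name refers to the .inf or to the executable it points at. The script below is an added example (not code from this thread) that parses an autorun.inf the lenient way Windows does, pulls out the programs it would launch, and flags the usual red flags. The sample file is constructed here for illustration; the RECYCLER path and DLL name in it are made up.

```python
import re

# Keys whose values Explorer will run (or offer to run) when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample in the style described in the thread: junk lines around a
# working [autorun] section, an action= that imitates the normal folder prompt,
# and a launch command pointing into a RECYCLER folder. Paths are invented.
SAMPLE_AUTORUN = """\
ljkS%$d junk line that is not key=value
[AutoRun]
;;;;;;;;
noise=1
aCtIoN=Open folder to view files
oPeN=rundll32.exe .\\RECYCLER\\S-1-5-21-EXAMPLE\\payload_example.dll,run
shell\\open\\command=rundll32.exe .\\RECYCLER\\S-1-5-21-EXAMPLE\\payload_example.dll,run
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, tolerating junk lines.

    Windows' INI parser ignores lines that are not key=value and matches section
    and key names case-insensitively, so padding the file with noise does not
    stop it working. This parser mirrors that leniency on purpose.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # junk outside key=value shape is ignored, as Windows does
        key, _, value = line.partition("=")
        entries.setdefault(key.strip().lower(), value.strip())
    return entries


def referenced_programs(entries):
    """Command lines the file would execute: open=, shellexecute=, shell\\x\\command=."""
    progs = set()
    for key, value in entries.items():
        if value and (key in LAUNCH_KEYS or COMMAND_KEY_RE.match(key)):
            progs.add(value)
    return sorted(progs)


def triage(text):
    """Parse one autorun.inf and list the findings a responder would want to see."""
    entries = parse_autorun(text)
    progs = referenced_programs(entries)
    findings = []
    for p in progs:
        if re.search(r"(^|\\)(recycler|recycled|\$recycle\.bin)(\\|$)", p, re.IGNORECASE):
            findings.append(f"{p}: runs a program from a recycle-bin folder")
        if p.lower().endswith(".dll") or "rundll32" in p.lower():
            findings.append(f"{p}: loads a DLL rather than a normal setup/menu program")
    action = entries.get("action", "")
    if progs and re.search(r"open folder|view files", action, re.IGNORECASE):
        findings.append(f"action={action!r} imitates the built-in folder prompt but runs {progs}")
    return {"programs": progs, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_AUTORUN)["findings"]:
        print(line)
```

Point it at the root of each drive letter (and each mapped share) rather than only the C: drive, since the posts above note the .inf turns up on every writable root; and read the file from a clean machine or a live CD, because browsing the drive in Explorer on the infected box is exactly what triggers the worm.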

BillWh0re
Aug 6, 2001


Sanctum posted:

So I finally installed WinXP SP3 only 2 days ago and just today, browsing the internet, I notice my HD running too much, check processes and see acrord32.exe using 1.2 gigs of memory. I haven't been viewing any .pdf's since I booted. 5 minutes later my window is greyed out and I have a fake anti-virus program pretending to scan my system.

There have been lots of exploited PDF files around lately and it looks like that's what happened here. That acrord32.exe was using 1.2gb suggests that the PDF probably contained some Javascript that was spraying the heap in preparation for triggering a vulnerability. You don't say what AV you're using but detection of these PDFs varies greatly between antivirus vendors and is generally pretty poor across the board so it could easily have slipped through embedded in a webpage somewhere.

The sad thing is most people don't care as much about updating Acrobat reader as other software but the reality is it is just as much in the line of fire as a web browser or email client. I imagine it also doesn't help that a lot of the time if someone pirates Photoshop or other Adobe software they'll redirect the update domain to 127.0.0.1 in the hosts file to stop it phoning home -- I'm not totally sure but I imagine this also stops updates to Acrobat reader.

Sanctum posted:

:haw: prunnet.exe among other things in my processes now. I kill and delete everything, but I still have some randomly generated .dll's in system32 created at the same time which have hooked themselves into my winlogon.exe so I can't kill them or delete them. They generate new registry values every time I reboot so the same processes keep popping up no matter how many times I remove them from my registry and delete the files I can delete.

Is there any way to use an image of a CD-ROM/floppy boot disk and load it from the HD using boot.ini? I have no floppy drive, my DVD drive isn't recognized in my BIOS menu and I got nothing but my HD to boot to. Which is SATA, and every other HD in this house is IDE so I can't even put it in a different computer to just delete the goddamn files hooked into my winlogon.exe. :bang:

Whatever happened to being able to boot to a DOS prompt anyways. gently caress you safe mode with command prompt.

How did you install Windows without any way to boot from CD? Can you boot from a USB memory stick? If so, you can probably get an install of Knoppix or an Ubuntu LiveCD going and mount the Windows drive from there.

BillWh0re
Aug 6, 2001


averagebloke posted:

This is a good point.

Once I've cleaned a system, removed the old system restore points, updated to the latest security patches and installed an anti virus product I always update the trifecta of Adobe Flash, Java and Adobe Reader to try and prevent reinfection. Is there anything else that I should be doing?

That's pretty much all I can think of although if Office is on there you'd want to update that as well, basically anything that can open embedded in a browser, or that embeds a browser itself, needs to be kept up to date.

BillWh0re
Aug 6, 2001


Hank Killinger posted:

Doesn't automatic lockout of accounts on several authentication failures make it impossible/difficult to brute force an admin user password like the way conficker does? Is there any way for a malicious program to avoid the lockout?

These account lockouts happen and they loving kill a windows network so quickly when it gets Conficker. Though they're a good way to find out which computer is infected since all the requests come from it.

Even if it can't crack the account password it can still spread if someone logs on to the computer as a domain administrator as it will run with their account.
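The post above makes the practical point that the lockouts themselves tell you which machine is infected, because all the failed logon attempts come from it. As an added example (not from this thread), here is a small Python script that ranks the sources of failed logons in an exported Security log and separates the one machine hammering several admin accounts from a user who just mistyped a password. The log rows, host names and addresses are constructed for the example; the field names (event 4625 for a failed logon, 4740 for a lockout, TargetUserName, WorkstationName, IpAddress) are the standard ones.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows in the shape of a Security log export. The first row
# is an ordinary typo from a sales PC; the rest are rapid failures against
# several privileged accounts, all from one source, ending in a lockout.
SAMPLE_EVENTS = """\
2009-01-16T09:58:01,4625,TargetUserName=jsmith,WorkstationName=WS-SALES-03,IpAddress=10.0.7.41
2009-01-16T10:00:01,4625,TargetUserName=administrator,WorkstationName=WS-ACCT-07,IpAddress=10.0.5.17
2009-01-16T10:00:01,4625,TargetUserName=backup,WorkstationName=WS-ACCT-07,IpAddress=10.0.5.17
2009-01-16T10:00:02,4625,TargetUserName=Administrator,WorkstationName=WS-ACCT-07,IpAddress=10.0.5.17
2009-01-16T10:00:02,4625,TargetUserName=helpdesk,WorkstationName=WS-ACCT-07,IpAddress=10.0.5.17
2009-01-16T10:00:03,4625,TargetUserName=svc_print,WorkstationName=WS-ACCT-07,IpAddress=10.0.5.17
2009-01-16T10:00:04,4740,TargetUserName=administrator,WorkstationName=WS-ACCT-07,IpAddress=10.0.5.17
"""

FIELD_RE = re.compile(r"(\w+)=([^,]*)")


def parse_events(text):
    """Turn 'timestamp,event_id,key=value,...' rows into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, rest = line.split(",", 2)
        fields = dict(FIELD_RE.findall(rest))
        fields.update(timestamp=ts, event_id=int(event_id))
        events.append(fields)
    return events


def rank_failure_sources(events):
    """Per source: how many 4625 failures and how many distinct accounts it tried."""
    counts = Counter()
    accounts = defaultdict(set)
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        src = ev.get("IpAddress") or ev.get("WorkstationName", "?")
        counts[src] += 1
        accounts[src].add(ev.get("TargetUserName", "").lower())
    rows = [{"source": s, "failures": n, "accounts": len(accounts[s])} for s, n in counts.items()]
    return sorted(rows, key=lambda r: (r["failures"], r["accounts"]), reverse=True)


def suspected_spreaders(events, min_failures=5, min_accounts=3):
    """Sources that fail often AND against several different accounts.

    One user fat-fingering their own password produces many failures against
    one account; a worm running a password dictionary produces failures
    against a list of accounts from a single machine.
    """
    return [r["source"] for r in rank_failure_sources(events)
            if r["failures"] >= min_failures and r["accounts"] >= min_accounts]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for row in rank_failure_sources(evs):
        print(row)
    print("check these machines first:", suspected_spreaders(evs))
```

The thresholds are starting points, not signatures; tune them to how noisy your own domain is, and remember the post's other warning: a clean source machine with a Domain Admin logged on can still spread the worm without producing a single failed logon.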

BillWh0re
Aug 6, 2001


univbee posted:

Man, these are fun. Had a user with THREE major viruses, each one only "activating" when I killed one. It was a Russian nesting doll made of failure. After close to six hours, I got the system to a point where everything appears clean and running fine, but Windows XP does stall for 2 minutes while loading the desktop. I couldn't for the life of me find out why.

Since I'm a new hire and am running the Home/SOHO division of my troubleshooting company, I get to propose software for us to license for use. What's good and legal without being crazy-expensive, considering at this stage it's only a few cases a week if that? I've mostly been running with freeware tools sans "personal use only" clauses thus far.

That pause can mean something that was supposed to load in winlogon.exe wasn't accessible. Often this is because the anti-virus software on that machine is blocking it. You might want to check winlogon-related registry keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and friends) for any suspicious DLLs that are trying to load.

BillWh0re
Aug 6, 2001


Here's an excellent quote from The Register about some infected hospitals.

quote:

A senior Gartnavel staff member told The Herald: "They are calling it a worm and when they identify it it burrows deeper into the system and duplicates itself, and it is getting through some very strong firewalls."

Yup straight out of Hackers. And apparently appointments for cancer patients were rescheduled because these guys are idiots.

BillWh0re
Aug 6, 2001


Luigi Thirty posted:

Neat, Conficker.C has some super secret payload nobody can figure out scheduled to go off April 1. Will it blow up the internet like Slammer? Will it spawn 5 million "BUY ANTIVIRUS XP 2010!" windows on everyone's computer? Will it turn my toaster's dial to 7?

It's not really that nobody can figure it out. It's more that it's not there yet. It will only download the payload on 1st April so no one can analyse it until then and anything in the press (the most ridiculous I've seen so far was "dark google") is just wild speculation. In fact, I'm surprised they aren't laying on the G20 hacktivism argument more thickly. The rest of Conficker as it exists right now really isn't that hard to analyse, it's just time consuming, which is why some companies are still trying to work out the complete operation of the peer to peer networking code (which is under further obfuscation, but it's fairly easy to work around in IDA).

BillWh0re
Aug 6, 2001


Midelne posted:

I guess it's not so much of a stretch to assume that two of the most wildly prevalent and successful pieces of malware out there have related dev families. On the other hand, it's at least a little comforting to think that there's no real way that anyone using anything less than Google-level infrastructure could handle the traffic that would be generated by attempting to install malware on six million computers simultaneously.

Actually, they've solved that bandwidth problem.

Only a few Conficker infected computers will succeed in contacting their website to grab an update (each one only contacts a randomly chosen set of 500 domains a day out of a possible 50,000). Once those few succeed, they'll distribute it to the rest via a peer-to-peer network that Conficker has set up between infected machines.
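The numbers in the post above (500 domains tried per machine per day, out of 50,000 generated) are enough to work out why the bandwidth problem goes away and why a domain blocklist struggles. The Python below is an added worked calculation, not something from this thread: it uses only the two figures quoted, plus the six-million-machine estimate from the post being replied to, and assumes each machine picks its 500 domains uniformly at random.

```python
from fractions import Fraction
from math import comb

DOMAINS_PER_DAY = 50_000   # candidate domains generated per day (figure from the post)
QUERIES_PER_BOT = 500      # domains each infected machine tries per day (figure from the post)


def per_bot_hit_probability(queries=QUERIES_PER_BOT, domains=DOMAINS_PER_DAY):
    """Chance that one machine's daily pick of `queries` domains includes one given domain."""
    return queries / domains


def miss_probability(registered, queries=QUERIES_PER_BOT, domains=DOMAINS_PER_DAY):
    """Exact P(one machine picks none of `registered` attacker domains), sampling without replacement."""
    return Fraction(comb(domains - registered, queries), comb(domains, queries))


def expected_contacting_bots(botnet_size, registered=1):
    """Expected number of machines that reach at least one registered domain in a day.

    This is the number of direct downloads the attacker's server must serve;
    everything else arrives over the peer-to-peer network between bots.
    """
    return float(botnet_size * (1 - miss_probability(registered)))


def probability_any_bot_contacts(botnet_size, registered=1):
    """P(at least one machine in the botnet reaches a registered domain that day)."""
    return 1 - float(miss_probability(registered)) ** botnet_size


def blocklist_entries(days):
    """How many domains a defender's blocklist must carry to cover `days` days of the generator."""
    return DOMAINS_PER_DAY * days


if __name__ == "__main__":
    print("per-bot hit chance:", per_bot_hit_probability())
    print("direct downloads/day for 6M bots:", expected_contacting_bots(6_000_000))
    print("P(any of 1000 bots checks in):", probability_any_bot_contacts(1000))
    print("blocklist size for one week:", blocklist_entries(7))
```

With one registered domain, each machine has a 1% chance per day of reaching it, so a six-million-machine botnet sends about 60,000 machines to the server rather than six million, and even a thousand-machine botnet almost certainly checks in on the first day. The flip side for defenders is that blocking by name means adding 50,000 entries every day.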

BillWh0re
Aug 6, 2001


univbee posted:

Is there a specific time Conficker is meant to go off on April 1st? I'm in the Pacific Time Zone and am a single Home/SOHO level IT support person and would like to know at what time poo poo is meant to hit the fan (like if New Zealanders will start receiving/distributing the infection early on the morning of the 31st my time and stuff like that). Can the "timebomb" part of the Conficker.C virus be removed pre-emptively to avoid April Fool's mega-infection (assuming that's what they're going for)? I want to be as ready as possible in case I end up with my service phone ringing off the hook on that day.

It's not really such a precise "timebomb" as no one knows when Conficker will actually succeed in downloading an update -- it depends when the authors choose to register one of the domains it's going to contact, and they can do this any time on or after April 1st. So there's a fair chance you won't see anything at all happen on that date (aside from the traffic to those randomly named domains), but perhaps some time afterwards. This was the case with the previous version too which started calling home from January 1st and was eventually updated in February and March.

The HTTP headers and user agents it uses are either completely normal (uses IE settings from the infected machine) or massively randomised so it'd be hard to write a signature for them. If you want to block the domains it contacts you can do that but it's 50,000 unique domains each day which might be tricky depending on your firewall or whatever you're using.

BillWh0re fucked around with this message at 20:44 on Mar 26, 2009

BillWh0re
Aug 6, 2001


Customer Service posted:

I'm confused: do you absolutely have to use a special program just to detect Conficker, or just to remove it? NOD32 and Superantispyware didn't find anything on mine but I want to be sure.

No, the network scanning method is for checking remote computers that may or may not have working anti-virus installed. Your anti-virus product should detect it just fine on the local machine assuming it has the necessary updates (which it might not do if you're infected, since Conficker blocks that).

BillWh0re
Aug 6, 2001


GREAT BOOK OF DICK posted:

Looks like I'm dealing with Win32/Virut.NBM on my aunt's PC. She said she was searching Craigslist for things to buy and she opened a link on there that probably infected her. At least she came forward and admitted that she's been using McAfee and it's since been expired for 2+ years.

This thing is a real bastard once you're infected because the infection routine has a significant chance to just trash each file it infects so it can't be recovered.

BillWh0re
Aug 6, 2001


Otacon posted:

Virut is NASTY.

Every .EXE, every .HTML file - all are probably infected by now. Any removable media that's been connected? USB drives? The cameras SD cards? All infected using an autorun.ini file.

Here's your game plan - remove the drive, install it in your own computer. Use Knoppix, or another CD-based Linux OS. Recover ONLY *.jpg, *.doc, and if she uses Outlook, any *.pst or *.wab files. After you get those files, format the drive. Don't keep the Dell partitions, don't keep anything. It's infected. After you format, mount her USB sticks and SD cards. Format those, too. Reboot, remove the drives, and install the hard drive back into the Dell. Pop in a Dell Recovery CD, and return the computer to factory settings.

All in all you're looking at about 1-2 hours - possibly longer depending on how much searching you have to do for your aunt's files. But don't even try to resurrect the drive - it's too late.

Virut is NASTY.

To be honest nine out of ten times I've been able to disinfect it fine booting into safe mode and using a command line scanner. Occasionally it will trash an executable beyond repair and that'll have to be restored from backup. The key is to realise it's a fast infector, so once Virut is loaded in memory any file you open will become infected (or all the files in any folder you browse in explorer), and using some anti-virus scanners will result in everything they scan becoming infected (which might not be a problem if they get immediately disinfected). Booting into safe mode and stopping all the non-essential services allows almost everything to be scanned and disinfected, aside from maybe cmd.exe if you're using a command line scanner since it'll be running.

BillWh0re
Aug 6, 2001


Ensign Expendable posted:

drat, that does sound nasty. What's the point of it? Is it somehow profitable to its creators or did some jackass write it for kicks?

The Virut family are all IRC backdoors.

BillWh0re
Aug 6, 2001


brc64 posted:

Maybe I don't understand what you're saying here. Isn't the point of a backdoor to give yourself covert access to a system? If that's the case, why start breaking other stuff and increase your chances of getting noticed?

The breaking stuff is accidental, as a result of the infection code being so randomized. It's probably a price worth paying for the authors as sometimes the infection code fucks up in a way that allows the file to run but is still weird enough that anti-virus programs can't properly disinfect it. In fact the infection code in Virut is so stupid that it actually tries to infect AMD64 executables with 32-bit code since it doesn't check the platform of the PE file it's infecting -- this misinfected file actually runs briefly until it hits a stack operation where having an (unexpected) 8-byte stack causes it to crash.
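The platform check the post says Virut skips is a two-byte field in the PE header. As an added example (not from this thread), the Python below reads that field and the matching optional-header Magic from an executable, which is what a triage script uses to sort recovered files by architecture and to spot headers whose two fields disagree. The test images are built in the script itself from the documented header layout; no real binaries are involved, and the constants are the standard IMAGE_FILE_MACHINE values.

```python
import struct

MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0x01C0: "ARM", 0xAA64: "ARM64"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # optional header Magic for 32-bit and 64-bit images


def pe_headers(data):
    """Return (Machine, optional-header Magic) from a PE image, or None if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # DOS header: offset of "PE\0\0"
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)    # COFF header: Machine
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)     # optional header: Magic
    return machine, magic


def architecture(data):
    """Human-readable architecture, or None for a non-PE file."""
    hdr = pe_headers(data)
    if hdr is None:
        return None
    return MACHINE_NAMES.get(hdr[0], f"unknown(0x{hdr[0]:04x})")


def is_32bit_x86(data):
    """The check an infector must make before writing 32-bit x86 code into a file."""
    hdr = pe_headers(data)
    return hdr is not None and hdr[0] == 0x014C


def headers_consistent(data):
    """Machine and Magic must agree (AMD64/ARM64 => PE32+, else PE32); a mismatch is a red flag."""
    hdr = pe_headers(data)
    if hdr is None:
        return False
    machine, magic = hdr
    if machine in (0x8664, 0xAA64):
        return magic == PE32PLUS_MAGIC
    return magic == PE32_MAGIC


def build_minimal_pe(machine, magic):
    """Constructed test image: DOS header, PE signature, COFF header and the Magic word only."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 2, 0)    # Machine ... SizeOfOptionalHeader=2
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    for m, g in ((0x014C, PE32_MAGIC), (0x8664, PE32PLUS_MAGIC), (0x8664, PE32_MAGIC)):
        img = build_minimal_pe(m, g)
        print(architecture(img), "32-bit x86:", is_32bit_x86(img), "consistent:", headers_consistent(img))
```

Run it over a directory of recovered executables and the AMD64 bucket is the one where a 32-bit infector's patch can only ever crash, as the post describes; files that fail `headers_consistent` deserve a closer look regardless of which scanner calls them clean.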

BillWh0re
Aug 6, 2001


Midelne posted:

SANS reports the spread of an actual payload to Conficker-infected machines using the P2P mechanism. Purported to be a keylogger/data-miner.

edit:

The Register has more details. Appears to be talking to W32.Waledac sites, speculation is that Conficker would be used to compound infections with W32.Waledac. For those of you following along at home, this would mean a lot more spam.

Important to note that the Waledac link is just from a Conficker-infected machine being seen to contact a site that was known to host Waledac and be used as a link in spam emails. No one has statically analysed the new Conficker yet to determine a definite link. It might well be that the download occurred as a result not of the Conficker update but one of the "mini updates" that can be pushed out over the Conficker P2P botnet -- small chunks of essentially shellcode that just runs and exits and is erased from the computer after 10 minutes, making it really hard to capture and analyse.

From static analysis I haven't seen anything yet to suggest keylogger though the use of MS08-067 to spread has returned as well as a significant amount of HTTP client and server code that may or may not be related (the original use of MS08-067 in Conficker used an HTTP server running on the attacker to download the payload to the victim).

Aside from that the main thing it drops is an update to the Conficker DLL, which is Conficker.C with some changes (process and domain block list updated, domain call-home code apparently completely removed or effectively obfuscated from quick analysis, NetpwCanonicalizePath hook updated to avoid network scanning from the likes of nmap). Also has an embedded sys file that it drops and loads as a driver, but this is exactly the same as the one from Conficker.B -- it just patches tcpip.sys to increase max connections then exits, no rootkit functionality at all.

Also releasing this at the last minute before Easter is really smart. All the virus analysts are going to be at home, most places will be running with a skeleton crew.

BillWh0re fucked around with this message at 21:53 on Apr 9, 2009

BillWh0re
Aug 6, 2001


Patchfoot posted:

I noticed some talk about PDF exploits earlier in the thread, I've run into sudden GPFs from acroread32 from web sites seemingly without any pdf content. Is that connected to the pdf exploits?

Yes and it generally means the exploit was successful though it might not have managed to download any malware. Websites can embed PDFs (I think they just open them in an iframe or something) and this can even happen on legitimate sites if they get owned via SQL injection or somesuch.

BillWh0re
Aug 6, 2001


LifeSizePotato posted:

Somehow a virus got into the webserver my site's on.

What it seems to do is go through all my files, and on any of the index .php/.html/.htm files, outside the </html> it adds a bit of Javascript.

Avast alerted me to the issue when I visited the site, saying it's a IFrame-EE trojan. The webhost has done a couple virus scans, but they say it comes up clean.

The code it adds looks like:

<?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,106,61,52,50,52,52,52,51, .......

and so on, with a bunch of other random numbers.

The only way I've found to "disable" it is to CHMOD every index.* file to 444/read only, after removing the Javascript. I've kept one blank index file in an empty hidden folder set to owner-writeable, and I can see by the modified dates that it gets hit just about every day, so I'm pretty sure it's an automatic thing.

Has anyone seen this?

Is it a Windows server, or do Windows machines have write access to those files over a network share?

If so, it could be a recent variant of Virut/Scribble which is a PE file infecting virus that also adds iframes to webpage files.

Send one of the infected HTML or PHP files to www.virustotal.com to see what people other than Avast call it.

BillWh0re fucked around with this message at 22:16 on May 15, 2009
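The script tag LifeSizePotato quotes is the usual eval(String.fromCharCode(...)) wrapper, which is just a list of character codes and can be read without running anything. As an added example (not code from this thread), the Python below decodes every such list it finds in a page, splits off whatever was appended after the closing html tag so it can be reviewed before removal, and lists which files in a set have that appended script. The sample page is constructed here; the numbers in its fromCharCode call are the ones quoted in the post, the rest of the file is made up.

```python
import re

CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")

# Constructed sample page: a normal document with the injected block appended
# after </html>, as the post describes. The character codes are the ones
# quoted in the thread; everything else is invented for the example.
SAMPLE_PAGE = """<html><body>Hello</body></html>
<?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,106,61,52,50,52,52,52,51));</script>'; ?>
"""


def decode_charcode_calls(text):
    """Statically decode each String.fromCharCode(n, n, ...) list found in text.

    Nothing is executed. A real payload often nests another eval layer inside
    the decoded text; that inner layer is returned as-is for the analyst to
    decode in turn.
    """
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        numbers = [int(n) for n in match.group(1).split(",") if n.strip()]
        decoded.append("".join(chr(n) for n in numbers))
    return decoded


def split_trailing_injection(text):
    """Return (page up to and including </html>, everything appended after it)."""
    marker = "</html>"
    idx = text.lower().rfind(marker)
    if idx < 0:
        return text, ""
    cut = idx + len(marker)
    return text[:cut], text[cut:]


def injected_files(pages):
    """Given {path: content}, list the paths whose appended tail carries a script tag."""
    return [path for path, content in pages.items()
            if "<script" in split_trailing_injection(content)[1].lower()]


if __name__ == "__main__":
    print("decoded:", decode_charcode_calls(SAMPLE_PAGE))
    clean, tail = split_trailing_injection(SAMPLE_PAGE)
    print("appended tail:", tail.strip())
    print("files to clean:", injected_files({"index.html": SAMPLE_PAGE, "about.html": "<html></html>\n"}))
```

The quoted numbers decode to a harmless-looking variable assignment, which is typical of the first layer; the part that matters is whatever follows in the full list, so decode the whole tag from a copy of the file rather than the fragment a browser alert shows you. Stripping the tail fixes the symptom only: if the files are being rewritten daily, something still has write access, which is the question the reply above asks about Windows hosts and network shares.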

BillWh0re
Aug 6, 2001


Ensign Expendable posted:

Who gives viruses names? I can't imagine that a lot of them have their name inside the infected files or that the creator(s) actually give it one. Is there some kind of virus analysis consortium that does this sort of thing?

The virus researcher that discovers it generally names it; often they pick a string or something about how it works and play around with the word, other times if it's just not very interesting it gets a generic name like "Downloader" or "Agent".

When it's first discovered at a company's lab, they will scan it with the scanners from every other AV company to see if any of them detect it already -- if so, they'll usually copy the existing name if another company already detects and named it. When new stuff spreads quickly it'll often be the case that several AV companies discover it around the same time and don't know each other's name for it, so you end up with something having several different names such as Conficker/Kido/Downadup and Storm/Zhelatin/Dorf/Peacomm.

BillWh0re
Aug 6, 2001


BangersInMyKnickers posted:

If you hit a program that doesn't like DEP, you will see an error like this:



From there you can add an exception if the program crashes every time you try to run it. If you are just surfing around on the web and all of a sudden your browser session crashes with a DEP error, odds are something bad just tried to execute code out of a location it shouldn't have and DEP just saved your rear end.

The really lovely thing about plugin-based browsers (all of them at this point) is that a single plugin installed that wasn't compiled with the DEP flag will cause the browser processes to not use it. This corrects that at the somewhat higher risk of compatibility issues.

DEP is great and it's worth noting that some AV products do also include buffer overflow protection, though they achieve it with a different method than using the NX bit. If you're running AV with such a feature make sure it's enabled as some of them really can stop almost all of these PDF javascript exploits despite not being "perfect" protection in the way that DEP is.

Adobe really need to start shipping Reader (and probably Acrobat) with Javascript turned off by default anyway. Almost nothing uses it legitimately.

BillWh0re
Aug 6, 2001


Scaramouche posted:

Or is the patch only useful for stopping cross-internet attacks, but once it's in your network it's not going to help (e.g. over file/print sharing)?

As for the source, I'm pretty sure it was a Windows 2000 laptop a rep brought in since it all started happening 10 minutes after he plugged it in.

Pretty much this. If the laptop brought in was infected, it might have brute forced some Administrator accounts on the network if they had weak passwords.

Also Conficker spreads by removable drive autorun files so someone might have plugged an infected USB stick into a computer on your network, at which point it might have begun spreading from that computer. Particularly if the USB stick was plugged into a computer where a Domain Administrator was logged on, which allows Conficker to spread without having to brute force any passwords.

BillWh0re
Aug 6, 2001


Scaramouche posted:

Hmm, I've got a GP that prevents USB-auto boot (though obviously that's not perfect), and the rep that plugged his laptop in wasn't actually a domain member. The only interaction he would have had is with DHCP to get his IP since he wouldn't have credentials to do anything else. Admin passwords are >10 chars with at least 4 non-alpha so I hope that's strong enough...

How do I stop it inside, if anyone knows? Shut down file and print sharing completely, clean?

It uses a dictionary to crack the passwords so if they're random or unusual at all it probably wasn't that.

I'd put Wireshark on one of your test machines to see what's reinfecting it after you clean it off. You should be able to see the network copy if you filter for SMB traffic, then check the source machine to see if it's patched or has a Domain Admin logged on, and clean it if it's infected.

BillWh0re
Aug 6, 2001


Oddhair posted:

I had posted earlier in the thread about finding a computer which had files infected with Virut, but not many. I scanned offline on a different, plain-Jane XP machine I keep off my network just for that kind of thing, and cleaned it up pretty well, and then did a repair install. It seems fine, even now months later. I keep thinking there's some glaring hole in my knowledge that I'm overlooking, like the blind spot in each eye. I should be good, though right?

Virut is easy to remove as long as it's not active while you're doing it, and as long as you don't care about system files being slightly different compared to the original versions when it's all done.

BillWh0re
Aug 6, 2001


CraigK posted:

I'm just waiting for viruses that can survive a format c:\ *.* /y.

Mebroot/Sinowal already does. It loads its driver through an infected MBR and the driver itself is stored beyond the end of the last partition on the drive. Some versions also have a nasty bug in their stealthing code that will crash a lot of raw disk reading applications (such as hex editors) if they try to read the first few sectors of the disk.

BillWh0re
Aug 6, 2001


Jetsetlemming posted:

Would this survive a format of the entire hard drive? When I installed Ubuntu last week I had it remove the ntfs partition and create a new ext4 one over it, that wouldn't leave anything at all on the hard drive, right?

Assuming you were infected before (which I assume you aren't but hypothetically...): If you installed Ubuntu then the Ubuntu installer would have overwritten the MBR with Grub. However, if you set up Grub to dual-boot Windows it might have created a copy of the infected Windows MBR somewhere (not sure if the Ubuntu installer supports this or not). Also, assuming your partitions were the same size, the virus code at the end of the disk is probably untouched as it's not actually inside the NTFS partition -- it's just after it. But it doesn't load on anything except Windows anyway so you don't really need to care.

BillWh0re
Aug 6, 2001


Tapedump posted:

How effective would fixmbr be on Sinowal?

If you can get into the recovery console it works, but in a lot of cases it seems that the recovery console hangs while loading, even if you boot from the Windows install CD.

Bootable linux and dd is the easiest solution, as the original MBR is saved just past the end of the last partition (directly before the Sinowal driver module) and if you copy it back everything should be fine.

BillWh0re
Aug 6, 2001


On the subject of rootkits, the new TDL3 (which is itself the new TDSS) has a really annoying method that it uses to stealth raw disk reads and writes at the sector level.

All you see from WinDbg when looking at the disk drivers is this:

code:
kd> !drvobj atapi 3
Driver object (82391338) is for:
 \Driver\atapi
Driver Extension List: (id , addr)
(f848dcd8 823e1720)  
Device Object list:
8239ab00  82360030  82390030  

DriverEntry:   f848e9f7	atapi!GsDriverEntry
DriverStartIo: 81c3e701	
DriverUnload:  f848a3d6	atapi!IdePortUnload
AddDevice:     f848847c	atapi!ChannelAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      f84836f2	atapi!IdePortAlwaysStatusSuccessIrp
[01] IRP_MJ_CREATE_NAMED_PIPE           804fa87e	nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       f84836f2	atapi!IdePortAlwaysStatusSuccessIrp
[03] IRP_MJ_READ                        804fa87e	nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       804fa87e	nt!IopInvalidDeviceRequest
So the miniport driver looks completely normal, not hooked at all, same with the Disk driver and all the other usual suspects. So inspect the device stack...

code:
kd> !devstack Harddisk0\DR0
  !DevObj   !DrvObj            !DevExt   ObjectName
  823cc958  \Driver\PartMgr    823cca10  
> 823d8ab8  \Driver\Disk       823d8b70  DR0
Invalid type for DeviceObject 0x8235fd98
kd> !devobj Harddisk0\DR0
Device object (823d8ab8) is for:
 DR0 \Driver\Disk DriverObject 823e3a08
Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000050
Vpb 823e5128 Dacl e1012374 DevExt 823d8b70 DevObjExt 823d8fd0 Dope 823e1548 
ExtensionFlags (0000000000)  
AttachedDevice (Upper) 823cc958 \Driver\PartMgr
AttachedTo (Lower) 8235fd988235fd98: is not a device object

Device queue is not busy.
Welp, seems WinDbg poo poo itself for some reason.

If you manually inspect the DEVICE_OBJECT and DRIVER_OBJECT structures for those "invalid" devices it's clear that only the Type field has been zeroed. Apparently Windows gives no gently caress about this field despite it being the main way to tell what kind of kernel object you're looking at. WinDbg isn't so carefree, unfortunately.

code:
kd> dt _DEVICE_OBJECT 0x8235fd98
nt!_DEVICE_OBJECT
   +0x000 Type             : 0
   +0x002 Size             : 0x234
   +0x004 ReferenceCount   : 0
   +0x008 DriverObject     : 0x822df880 _DRIVER_OBJECT
   +0x00c NextDevice       : 0x82360030 _DEVICE_OBJECT
   +0x010 AttachedDevice   : 0x823d8ab8 _DEVICE_OBJECT
Manually restoring the object Type fields to 3 for device and 4 for driver lets you see the modified device stack and the dodgy driver functions:
code:
kd> !devstack Harddisk0\DR0
  !DevObj   !DrvObj            !DevExt   ObjectName
  823cc958  \Driver\PartMgr    823cca10  
> 823d8ab8  \Driver\Disk       823d8b70  DR0
  8235fd98                     8235fe50  
!DevNode 82360e68 :
  DeviceInst is "IDE\DiskWDC_WD400BB-75FJA1______________________14.03G14\4457572d4143414a303131393237203320202020"
  ServiceName is "disk"
kd> !drvobj 822df880 3
Driver object (822df880) is for:
 
Driver Extension List: (id , addr)
(f848dcd8 823e1720)  
Device Object list:
81e10030  

DriverEntry:   81c404e8	
DriverStartIo: f8480864	atapi!IdePortStartIo
DriverUnload:  00000000	
AddDevice:     f848847c	atapi!ChannelAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE                      81c3e856	+0x81c3e856
[01] IRP_MJ_CREATE_NAMED_PIPE           81c3e856	+0x81c3e856
[02] IRP_MJ_CLOSE                       81c3e856	+0x81c3e856
[03] IRP_MJ_READ                        81c3e856	+0x81c3e856
[04] IRP_MJ_WRITE                       81c3e856	+0x81c3e856

81c3e856 is the address of the rootkit code in some arbitrary nonpaged memory region.

There's a nice writeup of TDL3 here but at the time I write this, it hasn't been updated for this new hooking technique. Still a really interesting read, particularly as the rootkit maintains its own filesystem at the end of the disk -- so it doesn't have to store any component in any "real" files (much like the MBR rootkit).
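The post above shows the trick from the debugger's side: WinDbg stops walking the device stack as soon as it meets an object whose Type field is not 3 (device) or 4 (driver), so the injected object hides behind an "is not a device object" error. The following is an added example, not code from the post or from any real tool, that models a simplified DEVICE_OBJECT / DRIVER_OBJECT chain in plain C and contrasts a strict walker (which behaves like WinDbg and gives up at the zeroed Type) with a tolerant audit that follows the pointer chain anyway and reports the inconsistency, plus the manual Type repair the post describes. The structure layouts, the sample stack (PartMgr, Disk DR0, a hidden unnamed filter, atapi) and the Size value 0x234 are constructed for illustration; the real kernel keeps the lower (AttachedTo) pointer in the device object extension rather than in DEVICE_OBJECT itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Object type tags as used by the Windows I/O manager (constructed subset). */
#define IO_TYPE_DEVICE 3
#define IO_TYPE_DRIVER 4

typedef struct DRIVER_OBJECT {
    int16_t     Type;        /* expected IO_TYPE_DRIVER */
    uint16_t    Size;
    const char *DriverName;  /* "" for the unnamed rootkit driver object */
} DRIVER_OBJECT;

typedef struct DEVICE_OBJECT {
    int16_t               Type;           /* expected IO_TYPE_DEVICE */
    uint16_t              Size;
    DRIVER_OBJECT        *DriverObject;
    struct DEVICE_OBJECT *NextDevice;     /* next device of the same driver */
    struct DEVICE_OBJECT *AttachedDevice; /* upper device in the stack */
    struct DEVICE_OBJECT *AttachedTo;     /* lower device (simplified: really in DevObjExt) */
} DEVICE_OBJECT;

/* Strict walk, like WinDbg's !devstack: refuse to continue past an object
 * whose Type tag is wrong. Returns the number of objects accepted. */
int strict_walk_down(const DEVICE_OBJECT *top, int *hit_invalid) {
    int n = 0;
    *hit_invalid = 0;
    for (const DEVICE_OBJECT *d = top; d != NULL; d = d->AttachedTo) {
        if (d->Type != IO_TYPE_DEVICE) { *hit_invalid = 1; break; }
        n++;
    }
    return n;
}

typedef struct { const DEVICE_OBJECT *dev; const char *reason; } FINDING;

/* Tolerant audit: trust the AttachedTo chain (the kernel itself does not
 * check Type when dispatching IRPs) and report each object whose tags or
 * driver look wrong. Returns the number of findings written to out[]. */
int audit_walk_down(const DEVICE_OBJECT *top, FINDING *out, int max) {
    int n = 0;
    for (const DEVICE_OBJECT *d = top; d != NULL && n < max; d = d->AttachedTo) {
        const char *reason = NULL;
        if (d->Size < sizeof(DEVICE_OBJECT))        reason = "implausible Size";
        else if (d->Type != IO_TYPE_DEVICE)         reason = "device Type field zeroed";
        else if (d->DriverObject == NULL)           reason = "no driver object";
        else if (d->DriverObject->Type != IO_TYPE_DRIVER) reason = "driver Type field zeroed";
        else if (d->DriverObject->DriverName[0] == '\0') reason = "unnamed driver object";
        if (reason != NULL) { out[n].dev = d; out[n].reason = reason; n++; }
    }
    return n;
}

/* The manual fix from the post: put Type back to 3 for devices and 4 for
 * drivers along the chain. Returns how many fields were restored. */
int repair_type_fields(DEVICE_OBJECT *top) {
    int fixed = 0;
    for (DEVICE_OBJECT *d = top; d != NULL; d = d->AttachedTo) {
        if (d->Type != IO_TYPE_DEVICE) { d->Type = IO_TYPE_DEVICE; fixed++; }
        if (d->DriverObject && d->DriverObject->Type != IO_TYPE_DRIVER) {
            d->DriverObject->Type = IO_TYPE_DRIVER; fixed++;
        }
    }
    return fixed;
}

/* Constructed sample stack modelled on the post: PartMgr over Disk DR0 over
 * an injected, unnamed filter whose device and driver Type tags are zeroed,
 * over the atapi port device. */
static DRIVER_OBJECT drv_partmgr = { IO_TYPE_DRIVER, sizeof(DRIVER_OBJECT), "\\Driver\\PartMgr" };
static DRIVER_OBJECT drv_disk    = { IO_TYPE_DRIVER, sizeof(DRIVER_OBJECT), "\\Driver\\Disk" };
static DRIVER_OBJECT drv_hidden  = { 0,              sizeof(DRIVER_OBJECT), "" };
static DRIVER_OBJECT drv_atapi   = { IO_TYPE_DRIVER, sizeof(DRIVER_OBJECT), "\\Driver\\atapi" };
static DEVICE_OBJECT dev_partmgr, dev_disk, dev_hidden, dev_atapi;

DEVICE_OBJECT *build_sample_stack(void) {
    dev_partmgr = (DEVICE_OBJECT){ IO_TYPE_DEVICE, 0x234, &drv_partmgr, NULL, NULL,         &dev_disk };
    dev_disk    = (DEVICE_OBJECT){ IO_TYPE_DEVICE, 0x234, &drv_disk,    NULL, &dev_partmgr, &dev_hidden };
    dev_hidden  = (DEVICE_OBJECT){ 0,              0x234, &drv_hidden,  NULL, &dev_disk,    &dev_atapi };
    dev_atapi   = (DEVICE_OBJECT){ IO_TYPE_DEVICE, 0x234, &drv_atapi,   NULL, &dev_hidden,  NULL };
    return &dev_partmgr;
}

int main(void) {
    DEVICE_OBJECT *top = build_sample_stack();
    FINDING findings[8];
    int invalid = 0;
    int seen = strict_walk_down(top, &invalid);
    printf("strict walk: %d objects%s\n", seen, invalid ? ", stopped at invalid Type" : "");
    int n = audit_walk_down(top, findings, 8);
    for (int i = 0; i < n; i++)
        printf("suspect device %p: %s\n", (const void *)findings[i].dev, findings[i].reason);
    printf("repaired %d Type fields\n", repair_type_fields(top));
    seen = strict_walk_down(top, &invalid);
    printf("strict walk after repair: %d objects\n", seen);
    return 0;
}
```

The strict walker sees only PartMgr and Disk before bailing out, exactly where the post's `!devstack` printed "Invalid type for DeviceObject"; the audit keeps going and names the hidden object, and after the repair the full four-object stack is visible again.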


BillWh0re
Aug 6, 2001


bobua posted:

I've seen this a lot over the years, almost always the userinit entry messed up\replaced in winlogon

hklm\software\microsoft\windows nt\current version\winlogon\ somewhere in there is a userinit entry

Try then and if you get nothing try Autoruns. This is almost certainly something that's set to run when you log in as any local user.
