Casao posted: You might've been running SP3, but unless these Chinese gold farmers know of some jpg exploit that nobody else in the universe does, you didn't get it via a jpg, you got it from doing something else. Probably something stupid, too.

It exploits the Server service vulnerability (MS08-067) and dumps x.exe / x.dll / x into C:\Windows\system32, which then pulls down other poo poo into .jpg files (which are actually .exe and .dlls) within your IE Temporary Internet Files folder. It's nasty as poo poo, get the MS patch, install, unplug, reboot and full system scan the poo poo out of it
Dec 18, 2008 00:44
FYI Conficker clean up guide from here at Sophos:

Cleanup Procedures

- Prevent re-infection by downloading and installing the Windows security update for this vulnerability from http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
- When looking to see if the patch is installed, go into Add\Remove Programs and look for KB958644 (ensure that the 'show updates' box at the top is ticked)

The Exploit Edition

In most cases, this is how the virus gets on the network in the first place. The virus takes advantage of the MS exploit. It creates a file within the Windows\System32 folder. Key things to note:
- A dll file is created within the System32 folder - e.g. C:\Windows\System32\amcophji.dll
- A service is created to run the dll file
- It runs as a handle within one of the svchost.exe processes - normally the same one running Netsvcs
- A JPG or PNG is dropped on the machine within the Temp Internet Files.
- This can be easily stopped from spreading by applying the patch and cleaning the machine

The File and Print Sharing Edition

Once on the network the virus can spread using the exploit (above) or by accessing the file and admin shares on the network. When it infects a machine it will create a file with a random name and a random extension within the System32 folder. A scheduled task (running as SYSTEM) will execute this file using rundll32.exe. You can prevent the creation of new scheduled tasks via a group policy using the following article: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/92819.mspx?mfr=true Key things to note:
- A dll file is created with a random extension and name within the System32 folder - e.g. C:\Windows\System32\zdtnx.g
- A scheduled task(s) is created to run the above randomly named file using rundll32.exe
- The task(s) is called AT*.job where * is a sequential number
- It will be running within a rundll32.exe process
- There will be one rundll32.exe process running for every scheduled task that has been created
- To stop this from spreading, file and print sharing will need to be disabled until all machines have been fully cleaned

This virus will also spread via USB drives and other removable devices; please ensure that they are scanned and cleaned before using them again.
Jan 13, 2009 19:22
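The indicators in the Sophos cleanup guide above (random-extension files in System32, DLLs outside a clean baseline, AT*.job tasks with a rundll32.exe per job, the missing KB958644 patch, and image-named cache files that are really executables, which the first post also mentions) are simple enough to check mechanically. The script below is an added example, not from the thread or from Sophos; it runs on constructed in-memory data, and the file, task and process names are hypothetical stand-ins. On a real host you would feed it the actual System32 listing, scheduled task list, process list, installed-update list and Temporary Internet Files folder.

```python
"""Added example (not from the thread or Sophos): check for the Conficker
artifacts listed in the cleanup guide, using constructed sample data."""
import os
import re
from collections import Counter

# Constructed sample data; every name here is a hypothetical stand-in.
SYSTEM32_FILES = ["kernel32.dll", "amcophji.dll", "zdtnx.g", "rundll32.exe", "user32.dll"]
SCHEDULED_TASKS = ["AT1.job", "AT2.job", "Backup.job"]
PROCESSES = ["svchost.exe", "svchost.exe", "rundll32.exe", "rundll32.exe", "explorer.exe"]
INSTALLED_UPDATES = ["KB951376", "KB956572"]
TEMP_INTERNET_FILES = {
    "logo[1].jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG magic bytes
    "pic[1].jpg": b"MZ\x90\x00" + b"\x00" * 16,         # PE executable magic under an image name
}

# Stand-in for a baseline taken from a known-clean build of the same OS.
KNOWN_GOOD_SYSTEM32 = {"kernel32.dll", "rundll32.exe", "user32.dll"}
NORMAL_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl"}
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG"}
CONFICKER_PATCH = "KB958644"  # the MS08-067 update named in the guide


def odd_system32_files(files, baseline=KNOWN_GOOD_SYSTEM32):
    """Flag random-extension files (the zdtnx.g pattern) and DLL/EXE files
    that are not in the clean baseline (the amcophji.dll pattern)."""
    findings = []
    for name in files:
        ext = os.path.splitext(name)[1].lower()
        if ext not in NORMAL_EXTENSIONS:
            findings.append((name, "non-standard extension in System32"))
        elif name.lower() not in baseline:
            findings.append((name, "executable not in clean baseline"))
    return findings


def at_jobs(tasks):
    """AT*.job tasks: the sequentially numbered jobs the worm creates."""
    return [t for t in tasks if re.fullmatch(r"AT\d+\.job", t, re.IGNORECASE)]


def rundll32_count(processes):
    """The guide says one rundll32.exe process per AT*.job, so count them."""
    return Counter(p.lower() for p in processes)["rundll32.exe"]


def patch_missing(updates, kb=CONFICKER_PATCH):
    """True when the MS08-067 update is absent from the installed-update list."""
    return kb.upper() not in {u.upper() for u in updates}


def disguised_executables(cache):
    """Image-named cache entries whose bytes start with a PE 'MZ' header."""
    bad = []
    for name, data in cache.items():
        expected = IMAGE_MAGIC.get(os.path.splitext(name)[1].lower())
        if expected and not data.startswith(expected) and data.startswith(b"MZ"):
            bad.append(name)
    return bad


def report(files=SYSTEM32_FILES, tasks=SCHEDULED_TASKS, processes=PROCESSES,
           updates=INSTALLED_UPDATES, cache=TEMP_INTERNET_FILES):
    """Collect every indicator into a list of human-readable lines."""
    lines = [f"{n}: {why}" for n, why in odd_system32_files(files)]
    jobs = at_jobs(tasks)
    if jobs:
        lines.append(f"AT jobs present: {', '.join(jobs)} "
                     f"({rundll32_count(processes)} rundll32.exe processes running)")
    if patch_missing(updates):
        lines.append(f"{CONFICKER_PATCH} (MS08-067) is not installed")
    lines += [f"{n}: PE executable disguised as an image" for n in disguised_executables(cache)]
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

The baseline set is the part that does the real work: a random-extension file is easy to spot, but a plausibly named DLL such as amcophji.dll only stands out against a listing from a clean machine of the same build.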
http://www.sophos.com/blogs/gc/g/2009/01/16/passwords-conficker-worm/ List of default passwords that Conficker attempts to use on ADMIN$ shares Hope your domain controller isn't set up with any of these :<
Feb 13, 2009 19:18
There is a really good breakdown of Conficker up @ http://mtc.sri.com/Conficker
Feb 26, 2009 23:33
Elected by Dogs posted: Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

Roll that .dll out via a login script and disable the BHO via Group Policy? GPO / (Local or Global) Policy / (Computer or User Configuration) / Administrative Templates / Windows Components / Internet Explorer / Security Features / Add-on Management {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

grey tea fucked around with this message at 04:50 on Feb 27, 2009

Feb 27, 2009 04:46
If you want to manually re-enable Task Manager:

Start -> Run -> REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

regedit:

Start -> Run -> REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Make a .bat file that just loops that poo poo to keep them enabled if the virus sets them back, or use ProcessExplorer. (Remember to rename the .exe first, works in some cases)

edit - Copy, paste, save as blahblah.bat and double click.

:FUCKYOU
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
GOTO FUCKYOU

grey tea fucked around with this message at 23:42 on Mar 20, 2009

Mar 20, 2009 23:38
LifeSizePotato posted: <?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,106,61,52,50,52,52,52,51,

http://malzilla.sourceforge.net/downloads.html

May 17, 2009 17:45
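The quoted snippet is the classic String.fromCharCode layer that Malzilla decodes interactively. The script below is an added example, not from the thread or from Malzilla: it decodes that layer statically (no JavaScript is executed) and lists the keywords and URLs in the result, which is what an analyst wants before deciding whether a page is hostile. SAMPLE_1 is the post's snippet completed with a constructed tail; SAMPLE_2 is a constructed second sample pointing at a placeholder host.

```python
"""Added example (not from the thread): statically decode
String.fromCharCode(...) obfuscation and report indicators."""
import re

# The post's snippet, continued with a constructed tail so the call is complete.
SAMPLE_1 = ('<script type="text/javascript">eval(String.fromCharCode('
            '118,97,114,32,106,104,106,61,52,50,52,52,52,51,59))</script>')


def encode_fromcharcode(text):
    """Build a String.fromCharCode(...) call; used only to construct SAMPLE_2."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + ")"


# Constructed second layer: a zero-size iframe to a placeholder (.invalid) host.
SAMPLE_2 = "eval(" + encode_fromcharcode(
    'document.write("<iframe src=\\"http://example.invalid/ad.php\\" width=0 height=0>")') + ")"

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
URL = re.compile(r"https?://[^\s\"'<>\\]+")
SUSPICIOUS = ("eval", "document.write", "iframe", "unescape", ".pdf", "width=0", "height=0")


def decode_fromcharcode(script):
    """Return one decoded string per String.fromCharCode(...) call found."""
    decoded = []
    for m in FROMCHARCODE.finditer(script):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def analyse(script):
    """Decode, then report keywords and URLs seen in the decoded layer."""
    layer = "\n".join(decode_fromcharcode(script))
    return {
        "decoded": layer,
        "keywords": [k for k in SUSPICIOUS if k in layer.lower()],
        "urls": URL.findall(layer),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print(analyse(sample))
```

Real samples stack several layers (fromCharCode inside unescape inside eval), so in practice you run analyse() again on the decoded output until nothing new appears; doing it statically keeps the browser out of the loop.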
Malicious PDF files are the most common attack vector lately. Open up a legit site with a malicious banner ad, or a hacked site with a hidden iFrame that autoloads a PDF -> attacks Adobe Acrobat -> hello dropper, pulls down more poo poo, oh gently caress I've got Virut and TDSS rootkit poo poo everywhere. Update to Acrobat 9.10, use Group Policy to turn off the Adobe Browser Helper object, or just remove the piece of poo poo. I've heard musings of globally disabling Javascript in all PDFs also stops these kinds of buffer overflows but I wouldn't bet the house on it.

Jun 29, 2009 00:12
Midelne posted: Last time there was an extensive discussion about PDF exploits, someone got all snooty about not using Adobe Reader and it being an exploit-infested piece of trash.

I am pushing for everyone to disable Acrobat's ability to automatically load / execute via the IE Browser Helper Object or Firefox Extension, and disable all JavaScript functionality. Unless you specifically need it, don't turn it on. It's not that hard to download and open a PDF manually and if you get a random pop-up for a PDF download when you didn't request one, you dodged a bullet. Cancel and leave the site you are viewing ASAP

Jul 6, 2009 23:42
Ran into a new variant of XP Police that linked the default .exe class extension to a helper .dll that would check to see if the process you are launching is on an internal whitelist. If you were trying to open something that wasn't on the list, it would auto-close the program and report it supposedly "infected", cascade with pop-ups to buy protection, etc. Easily fixed by renaming taskmgr.exe to explorer.exe and closing the processes responsible, renaming the .dll, then fixing HKEY_CLASSES_ROOT\exefile\shell\open\command, but gently caress do they keep getting more persistent. This is almost impossible to walk someone through over the phone.

Sep 24, 2009 04:45
The Pro posted: You should also only allow authorized programs with hash checking.

Software Restriction Policies and Hash rules via Group Policy are very easily defeated. Open executable in hex editor, go to the end of the file, smash keyboard, save executable. Now I can play Solitaire in peace, you fuckers.

Whitelisting all known, good, desired software and denying anything else is the way to go in a business environment, but good luck with that. I can barely get IT admins to stop sharing out the entire C:\ drive on 1,000 workstations with Read/Write permissions or turning off any useful security feature the minute it becomes more than 5 seconds of additional work, or causes a slight performance increase. MY MEGAHURTZZZ.

The security problem right now isn't with anti-virus: it's with the people managing it. Every single virus outbreak scenario I walk into, there is something absolutely boneheaded configured somewhere, 100%, guaranteed. What's up, exclude remote files turned on. Why? Better performance! My users complained! Well, are the users complaining now that their machines are blissfully running autorun.inf from their network drives and infecting them with Virut or Conficker, spreading to any USB key they plug in, so they can take it home with them too? loving idiots.

Eight step guide to nearly perfect security in Windows:
1) Install the KB patch and disable Autoruns via Group Policy.
2) AV and Anti-spam scanning at the gateway.
3) AV and Anti-spam scanning at the Exchange store / SMTP server.
4) Disable the ability to send any archive or executable attachments via e-mail.
5) Whitelist known applications, block all others (HIPS or similar systems).
6) Least privileged access for all service accounts and network shares, if possible. Ask vendors for documentation on this.
7) Use a regular user account for day to day activity, RunAs your administrator account only on a CLEAN and TRUSTED machine, and only to perform quick tasks.
8) USB keys / iPods / iPhones are banned from being plugged into company equipment. Kill anyone who violates this, get software to enforce it if needed.

grey tea fucked around with this message at 12:51 on Oct 17, 2009

Oct 17, 2009 12:01
Also, I had an interesting case at work today where a new variant of Scribble (you guys call it Virut here) had infected a bunch of other malware on 9 or so computers in this guy's network. The call was started by the fact the AV software was failing to clean these up, for seemingly no reason, and was throwing suspicious packer detections as well. After the customer sent us some of the files for testing, we found it was a new variant of Virut. Barf. Cleanup was (amusingly) failing on the other malware because they had been infected by the new virut routine, changing the file contents / positions, which broke cleanup. To remove those, we had to disinfect everything via a bootable CD scan, which removed the virut infections, and then had to re-run the scan again to remove the original malware that Virut had hosed with. Double virus.

grey tea fucked around with this message at 12:55 on Oct 17, 2009

Oct 17, 2009 12:53
Coffee Quack posted: Here's how good trojans/viruses work:

If you stop looking at the hash of files and start looking at suspicious behavior in general, such as modification of other files, using cheap / free commercial packers, changing one or more of a list of particular registry keys, creating a new service, creating a new driver, etc, you can catch everything. Of course, this catches legit things as well, which have to be investigated manually and authorized if clean and desired.

Oct 17, 2009 12:57
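The two posts above make a pair: hash rules break as soon as a byte is appended to the file, while the behaviours listed here (modifying other executables, packers, watched registry keys, new services or drivers) survive that. The script below is an added example, not from the thread: a small scoring engine that runs over a constructed event log, sums points per process, and separates high scorers into "flagged" and "approved" (the investigated-and-authorised case the post mentions). The event format, the weights, the threshold and every process name are assumptions made for the example.

```python
"""Added example (not from the thread): score processes by behaviour from a
constructed event log instead of by file hash."""
from collections import defaultdict

# Constructed events: (process, event type, detail). Not the output of any real tool.
EVENTS = [
    ("installer.exe", "service_create", "VendorSvc"),
    ("installer.exe", "file_write", r"C:\Windows\System32\vendor.dll"),
    ("installer.exe", "registry_set", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor"),
    ("update.exe", "packer", "UPX"),
    ("update.exe", "service_create", "netsvc2"),
    ("update.exe", "file_write", r"C:\Windows\System32\zdtnx.g"),
    ("update.exe", "file_modify", r"C:\Windows\System32\calc.exe"),
    ("update.exe", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"),
    ("notepad.exe", "file_write", r"C:\Users\bob\notes.txt"),
]

# Assumed weights: flat points for some event types, conditional points for others.
FLAT_WEIGHTS = {"service_create": 3, "driver_create": 4, "packer": 2}
WATCHED_KEYS = (r"\CurrentVersion\Run", r"\Policies\System\DisableTaskMgr",
                r"\Policies\System\DisableRegistryTools", r"\exefile\shell\open\command")
EXECUTABLE = (".exe", ".dll", ".sys")


def score_event(etype, detail):
    """Return (points, reason) for one event; (0, None) when it is uninteresting."""
    d = detail.lower()
    if etype in FLAT_WEIGHTS:
        return FLAT_WEIGHTS[etype], etype.replace("_", " ")
    if etype == "file_modify" and d.endswith(EXECUTABLE):
        return 5, "modified another executable"       # the Virut pattern
    if etype == "file_write" and "\\windows\\system32\\" in d:
        return 3, "wrote a file into System32"        # the Conficker pattern
    if etype == "registry_set" and any(k.lower() in d for k in WATCHED_KEYS):
        return 3, "changed a watched registry key"
    return 0, None


def score_processes(events):
    """Sum the points per process and keep the reasons for the analyst."""
    scores = defaultdict(lambda: [0, []])
    for proc, etype, detail in events:
        points, reason = score_event(etype, detail)
        if points:
            scores[proc][0] += points
            scores[proc][1].append(reason)
    return {p: (s, r) for p, (s, r) in scores.items()}


def triage(events, approved=frozenset(), threshold=6):
    """Split high scorers into flagged processes and approved ones
    (already investigated manually and authorised)."""
    flagged, suppressed = [], []
    for proc, (score, _) in score_processes(events).items():
        if score < threshold:
            continue
        (suppressed if proc.lower() in approved else flagged).append(proc)
    return flagged, suppressed


if __name__ == "__main__":
    for proc, (score, reasons) in score_processes(EVENTS).items():
        print(f"{proc}: {score} ({'; '.join(reasons)})")
    print(triage(EVENTS, approved={"installer.exe"}))
```

Note that installer.exe scores high too: a legitimate installer creates a service, drops a DLL and adds a Run key, which is exactly the "catches legit things as well" case. The approved set, not a lower threshold, is how you handle it, so that the rule keeps firing on the next thing that behaves the same way.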
dazjw posted: InternetOpenUrl/InternetReadFile calls (that a lot of malware do use) do go through the IE cache.
Nov 10, 2009 01:52
Honey Im Homme posted: http://sites.google.com/site/koironauthree/pe-builder-bartpe-plugins/sophos-anti-virus-plugin

Grab sbav_10_sfx.exe

Follow this KB http://www.sophos.com/support/knowledgebase/article/52011.html

Creates a Slax bootable disc with SAV for Linux and the newest IDEs

If it works, switch to Sophos or something

Mar 11, 2010 23:34