The Official Internet/Computer Security News Discussion Thread
#42
Drifting
I've followed everything said in this thread. Great advice, please keep this up to date. I hate Google Chrome though but Firefox lost all of my info anyways so I'll try and make the switch.
#43
Sanest Florida Man
Thread Starter
Adobe announced Adobe Reader X a few days ago. It is the next version of the PDF reader and it runs in a protected sandboxed mode, much like Google Chrome and Internet Explorer on Vista/7. If implemented properly this should do a lot to limit attacks via PDFs. It will be available next month and can't come soon enough. Now Java and Firefox need to join the club.
http://blogs.adobe.com/adobereader/2...-reader-x.html
#44
Sanest Florida Man
Thread Starter
Here's a cool browser extension for Chrome, Firefox and Safari. Do you hate seeing Facebook "like" infesting all the pages you visit, telling you what people liked, recommended and shared? Do you really not give a shit about who did what with Facebook? Do you NOT like the Facebook "like" button on AZ? Then this extension is for you! It's called Facebook Blocker. It blocks third-party sites' communications with Facebook servers. Likes still work on the actual Facebook; it doesn't affect the Facebook site at all, just other sites that have embedded Facebook shit on their pages.
To install, click on the link below and choose your browser of choice. If you use Chrome you can just install the extension and carry on and the browser starts working right away, but if you use Firefox or Safari you actually have to restart the browser to take advantage of this extension, how primitive!
http://webgraph.com/resources/facebookblocker/
Before Facebook blocker
After Facebook Blocker
Last edited by #1 STUNNA; 10-23-2010 at 01:23 AM.
#45
Needs more Lemon Pledge
I am not generally a fan of your witch craft, but this one makes my Azine pages load faster, so I am cool with it.
#46
Senior Moderator
#47
Sanest Florida Man
Thread Starter
Yes, I should've mentioned that. I thought of it but didn't bother to add that.
#48
Needs more Lemon Pledge
#50
About to :surrender to a virus
I think it's some kind of Java exploit with what the PC's owner was telling me. Says it came from a link on Google Video.
Combofix cleared it, but says it detects rootkit activity every time it is run. Malwarebytes cleared 8 files on the first run and doesn't detect anything again, but it's still there.
I've cleared everything bad out of:
HKEY LOCAL MACHINE --> Software --> Microsoft --> Windows --> Current Version --> Run and Run Once
HKEY LOCAL USER--> Software --> Microsoft --> Windows --> Current Version --> Run and Run Once
I've tried a couple of other tricks I've learned in the past but nothing has worked. I can't tell if it is clearing out and then coming back after a restart or not clearing at all. I believe it's infected and/or corrupted explorer.exe from what I can tell.
I have all the files backed up so wiping won't be a big deal, but I was trying to figure it out for a moral victory. Very few I've ever not been able to fix
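The Run and RunOnce keys the post above cleaned by hand can be audited in one pass instead of by eye. The script below is an added example, not something posted in this thread: it lists every autostart entry under those four keys, resolves each command line to its executable, and reports whether the file exists and carries a valid Authenticode signature, so missing or unsigned targets float to the top. It assumes Windows PowerShell 2.0 or later, which is what XP SP3 and 7 ship with or can install.

```powershell
<#
  Added example, not from this thread: list the Run/RunOnce autostart
  entries under HKLM and HKCU, resolve each command line to its
  executable, and show whether that file exists and is Authenticode-signed.
  Assumes Windows PowerShell 2.0 or later (XP SP3 / 7).
#>
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$command) {
    # Extract the executable from a command line such as
    #   "C:\Program Files\x\a.exe" /arg   or   C:\x\a.exe /arg   or   rundll32.exe foo.dll,Entry
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { $exe = $cmd.Substring(1, $end - 1) } else { $exe = $cmd.Trim('"') }
    } else {
        $m = [regex]::Match($cmd, '^(.+?\.(exe|com|scr|bat|cmd|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $exe = $m.Groups[1].Value } else { $exe = ($cmd -split '\s+')[0] }
    }
    # A bare name like rundll32.exe is resolved through PATH, the same way the loader would
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found) { $exe = $found.Definition }
    }
    return $exe
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            # Skip the registry provider's own PSPath/PSParentPath/... properties
            if ($prop.Name -like 'PS*') { continue }
            $exe = Get-ExePath ([string]$prop.Value)
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'MISSING' }
            New-Object PSObject -Property @{
                Key = $key; Name = $prop.Name; Command = $prop.Value; Exe = $exe; Signature = $sig
            }
        }
    }
}

# MISSING and NotSigned sort ahead of Valid, so the suspicious entries print first
Get-AutostartReport | Sort-Object Signature | Format-Table Signature, Name, Exe, Key -AutoSize
```

A valid signature only tells you the file is what its publisher shipped; an unsigned entry is where to start looking, not proof of infection, since plenty of legitimate software is unsigned.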
#52
It doesn't act normal when it runs. Runs way longer than normal, and when the message about rootkit activity comes up it says it needs to restart. After restart it finishes and displays the log like normal (again taking forever), saying it's clearing different things each time. Doesn't matter if it's safe mode or not.
And the virus doesn't try to block combofix or task manager or anything like that. I thought it was gonna be a walk in the park before I started...
#53
Sanest Florida Man
Thread Starter
Run TDSS killer and also turn off system restore
Oh and clear your java cache in the control panel
#54
intelligentsia
Damnit, my stupid university requires me to run Cisco NAC Agent but the program doesn't work on my system at all anymore. They uninstalled my AVG Pro too, since I have to download McAfee. Do you guys know of any way around this, and should I just install Microsoft Security Essentials instead of AVG again? I refuse to use McAfee and if I have to download it I will uninstall it.
#55
S E L L
#57
Anyways I'll have to try the TDSS killer another time. Something you use often?
#58
#59
Hmm, I've actually wondered that but my boss says don't worry about it so I never did. Do you do it every time? What happens if you click yes for recovery console?
#61
Symantec. Like I said, it's not too bad now that they've fixed the severe performance draining problems that were affecting every PC, but I still don't see it protecting much of anything. We have Websense and the Symantec and these things still come in with viruses. Yes I know it can't prevent/detect them all but it still seems a little high IMO.
Most of the time, when they come back infected and you do a full scan, the Symantec won't detect a thing. Yet you can throw a freeware anti-virus on there and that program will go nuts.
#62
Sanest Florida Man
Thread Starter
I never felt I got good results from McAfee or Norton, and those AV-Comparatives, virusvault AV efficiency tests are garbage; every AV catches at least 95% of the malware in those tests but IRL the results aren't anywhere near that high.
Yes I use TDSS killer cause it's effective and a very fast scan usually between 15-30 seconds and it can remove Alureon rootkits better than anything else.
http://support.kaspersky.com/viruses...?qid=208280684
I had been fighting Alureon on a few machines and I had some success with MSE and others I didn't (probably due to different strains of the TDSS rootkit). Then I tried TDSS Killer and it found it and removed it in less than a minute, saving me hours of time. Now I've seen a rootkit get past TDSS Killer too (might not've been a TDSS rootkit to begin with) and I had to wipe and reinstall, but still it's good to run it first cause it's so effective and fast.
Last edited by #1 STUNNA; 10-27-2010 at 04:03 PM.
#63
Drifting
iTrader: (1)
After looking into though, all it does is install the recovery console and adds the option to the boot.ini file so when you startup, you have the option to boot to your OS or the console. I can't find anything about combofix using the console to remove something. It appears to me the console would have to be invoked manually and you'd have to delete file(s) manually. With that being said, I don't think the console will help in this case unless you knew exactly what you needed to remove.
If someone knows more about it then please correct me if I'm wrong.
#64
Sanest Florida Man
Thread Starter
So you can't run the combofix exe from the recovery console? That would seem to make sense. You boot into recovery console and the main system isn't running but you can scan for malicious files and actually remove them since the system isn't running.
#66
intelligentsia
I've used MSE before but uninstalled it because it was conflicting with AVG. I hate McAfee so much it always crashes my system and IT is not willing to allow me to surf the internet without McAfee. Such bullshit and Cisco Nac Agent has to be the worst piece of software I have ever seen.
#67
Sanest Florida Man
Thread Starter
You're not supposed to run AVG and MSE at the same time. You're not supposed to run two realtime AVs at the same time.
If you want to run MSE then you must uninstall AVG, restart your PC and then install MSE.
#68
Sanest Florida Man
Thread Starter
Good article on Lifehacker about how to break into a Windows Machine and also how to prevent it from happening to you. It covers how to access files on a Windows NTFS hard drive using a linux LiveCD and how to prevent it (encrypt the drive), also how to use Linux to reset the password and how to prevent it (again encrypt the drive) and finally using bruteforce like ophcrack to guess the user password and how to prevent ophcrack from guessing the password (secure password).
I tried to use Ophcrack on my boss's PC (with his permission) because we couldn't log in to it, and Ophcrack couldn't figure out his password cause it was too complex, which gave me a hint as to what his password was and I was right.
But I've used Ophcrack a few times and it works on simple passwords pretty quickly.
http://lifehacker.com/5674972/how-to...ppening-to-you
#69
Needs more Lemon Pledge
I am glad you are not freezing RAM to recover TrueCrypt passwords in volatile memory.
#70
Sanest Florida Man
Thread Starter
#71
Needs more Lemon Pledge
#72
Sanest Florida Man
Thread Starter
Hey check it there's a new trojan for OS X floating around in the WILD!
It appears as a video link on social networking sites or via email and it uses a Java exploit (surprise, surprise!) and then modifies system files so that it doesn't need to prompt for a password to run. Then it hijacks your user account and sends out spam messages to spread the infection.
Hope you Mac users have updated your Java!
If you want to remove this trojan.osx.boonana.a infection you can run the software from this link
http://macscan.securemac.com/files/BTRT.dmg
#73
Sanest Florida Man
Thread Starter
In related news, Apple has released a deprecated version of Java. To use their words:
As of the release of Java for Mac OS X 10.6 Update 3, the Java runtime ported by Apple and that ships with Mac OS X is deprecated. Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X.
The Java runtime shipping in Mac OS X 10.6 Snow Leopard, and Mac OS X 10.5 Leopard, will continue to be supported and maintained through the standard support cycles of those products.
Apple used to port the Java VM to work with OS X and would release updates for it, and now, after announcing the Mac App Store that won't allow Java apps, Apple won't be supporting it much longer and it may not be available at all in 10.7. Currently no one has stepped up to fill in the void. Apparently, besides Windows, Java has been maintained by the OS developer: HP, IBM, etc. maintain Java for their OS's, as did Apple until now.
It'll be interesting to see who picks up Apple's slack and if this will have an impact on OS X for more exploits like the one listed above.
Last edited by #1 STUNNA; 10-28-2010 at 02:18 AM.
#76
Sanest Florida Man
Thread Starter
I bet you could if you booted to safe mode with command line. I've used that a few times to launch system restore on a system that refused to launch .exe files.
Speaking of which here's another tip I figured out for you guys that fight malware. Do you know how to get around when malware won't let you run any exe files?
One trick is to turn on hidden common file extensions in Folder Options, then go to c:\windows\ and change regedit.exe to regedit.com. Then try and open it, and if it opens then go to HKEY_CLASSES_ROOT\.exe. On an infected system you should see the folders "default icon" and "shell". Delete those! They aren't supposed to be there. Keep the "PersistentHandler" folder. Then click on the .exe folder and for the (Default) reg key it will probably say "secfile"; edit that so that it says "exefile" (no quotes).
Secfile is added by the malware and shouldn't be in the registry, now if you scroll further down the HKEY_CLASSES_ROOT folder you should see a folder called "secfile", that folder is added by the malware and within that folder it will tell you the malware's file location. Make note of that location so you can delete the malware and then go ahead and delete the secfile folder cause it doesn't exist normally in the registry.
If you get worried you're going to fuck it up then find a known clean machine and compare the HKCR\.exe to the infected one and make the infected one match the clean one. There's a slight difference between HKCR\.exe in XP and 7 so be aware of that.
After modifying the registry with the steps above you should be able to run programs, just go and delete the malware whose file location was noted in the secfile folder and start with your normal cleanup routine.
You can also change mbam.exe to mbam.com to make malwarebytes run, I've had success doing that before too.
But remember I talk out of my ass 90% so I could be making this all up......
Last edited by #1 STUNNA; 10-28-2010 at 08:07 PM.
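The HKCR\.exe comparison against a known clean machine that the post above suggests can be scripted, since on a stock XP or 7 box the key has a predictable shape. The script below is an added example, not code from this thread: it reports any deviation from the expected layout, prints the command line the rogue handler class (e.g. "secfile") points at so you can note the malware's location before anything is deleted, and with -Repair restores the association the way the post describes. It assumes a clean layout of (Default) = "exefile" plus a single PersistentHandler subkey, and leaves the "Content Type" value alone. Run it from an elevated PowerShell prompt (rename powershell.exe to .com first if the malware blocks .exe, same trick as regedit).

```powershell
<#
  Added example, not from this thread: audit the HKCR\.exe association and
  optionally restore the stock values. Assumes a clean XP/7 layout where
  HKCR\.exe has (Default) = "exefile" and only a PersistentHandler subkey.
  Run from an elevated prompt; use -Repair to apply the fix.
#>
param([switch]$Repair)

$ExpectedDefault = 'exefile'               # stock handler class for .exe
$AllowedSubkeys  = @('PersistentHandler')  # DefaultIcon/shell directly under .exe are not stock

# HKEY_CLASSES_ROOT is not mapped as a PowerShell drive by default
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-HijackCommand([string]$class) {
    # The rogue handler class (e.g. "secfile") points shell\open\command at the malware
    $path = "HKCR:\$class\shell\open\command"
    if ($class -and (Test-Path $path)) { return (Get-Item $path).GetValue('') }
    return $null
}

function Test-ExeAssociation {
    $findings = @()
    $key = Get-Item 'HKCR:\.exe'
    $default = [string]$key.GetValue('')
    if ($default -ne $ExpectedDefault) {
        $findings += "HKCR\.exe (Default) is '$default', expected '$ExpectedDefault'"
        $cmd = Get-HijackCommand $default
        if ($cmd) { $findings += "Handler '$default' runs: $cmd  <- note this path, it is the malware's location" }
    }
    foreach ($sub in $key.GetSubKeyNames()) {
        if ($AllowedSubkeys -notcontains $sub) { $findings += "Unexpected subkey HKCR\.exe\$sub" }
    }
    return $findings
}

function Repair-ExeAssociation {
    $key = Get-Item 'HKCR:\.exe'
    $hijacker = [string]$key.GetValue('')
    foreach ($sub in $key.GetSubKeyNames()) {
        if ($AllowedSubkeys -notcontains $sub) { Remove-Item "HKCR:\.exe\$sub" -Recurse -Force }
    }
    Set-ItemProperty -Path 'HKCR:\.exe' -Name '(default)' -Value $ExpectedDefault
    # Drop the rogue class itself; its command line was already reported by Test-ExeAssociation
    if ($hijacker -and $hijacker -ne $ExpectedDefault -and (Test-Path "HKCR:\$hijacker")) {
        Remove-Item "HKCR:\$hijacker" -Recurse -Force
    }
}

$findings = @(Test-ExeAssociation)
if ($findings.Count -eq 0) {
    'HKCR\.exe matches a clean machine.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    if ($Repair) {
        Repair-ExeAssociation
        'Association restored. Delete the file noted above, then start your normal cleanup routine.'
    }
}
```

Run it once without -Repair, write down the path it reports, and only then run it again with -Repair; the rogue class is the only place that path is recorded.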
#77
Senior Moderator
I just ran across " backdoor:Win32/Cycbot.B " It's my dads computer that's infected but man is it a bitch so far. I assume because it's so new and the scans aren't picking it up completely yet.
#78
Go Giants
Look here: http://www.bleepingcomputer.com/forums/topic354181.html
Don't know about that Russian software though...
#79
Senior Moderator
Yea, I tried Dr.Web CureIt but no luck. It's better but something is still fucked up.
#80
Sanest Florida Man
Thread Starter
Another tip: if you can ping but can't load websites, check Internet Options to see if a fake proxy has been set up. Go to Internet Options > Connections > LAN and if Proxy server is checked then uncheck it. If you click the Advanced button it'll probably have 127.0.0.1 as your proxy server.
Also check your DNS server settings; I know the Alureon rootkit sometimes puts in its own DNS servers that won't work.
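Both checks in the post above come straight out of the registry, so they can be run as a script on a box that pings but won't browse. The script below is an added example, not code from this thread: it reads the current user's WinINET proxy settings and the per-interface TCP/IP DNS values (which is how XP and 7 store them; the newer DnsClient cmdlets are not needed), flags a proxy that points at the local machine, and flags a static NameServer set on an interface that is otherwise on DHCP, which is the shape a DNS hijack takes.

```powershell
<#
  Added example, not from this thread: report the WinINET proxy setting and
  any static DNS overrides, reading them from the registry so it works on
  XP and 7. Run as the affected user (proxy settings are per user); DNS
  values under HKLM are readable without elevation.
#>
$InetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$TcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$IfaceRoot = "$TcpipKey\Interfaces"

function Test-ProxySettings {
    $findings = @()
    $inet = Get-ItemProperty -Path $InetKey
    if ($inet.ProxyEnable -eq 1) {
        $findings += "INFO: proxy enabled, ProxyServer = '$($inet.ProxyServer)'"
        # A proxy on 127.0.0.1/localhost with no real proxy process behind it is the hijack described above
        if ($inet.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost)(:|$)') {
            $findings += 'FINDING: proxy points at this machine; clear it under Internet Options > Connections > LAN settings'
        }
    }
    return $findings
}

function Test-DnsSettings {
    $findings = @()
    # NameServer is a manually set list; DhcpNameServer is what the DHCP server handed out
    $global = Get-ItemProperty -Path $TcpipKey
    if ($global.NameServer) {
        $findings += "FINDING: global static DNS '$($global.NameServer)' set in Tcpip\Parameters"
    }
    foreach ($iface in Get-ChildItem -Path $IfaceRoot) {
        $p = Get-ItemProperty -Path $iface.PSPath
        if (-not $p.NameServer) { continue }
        $msg = "interface $($iface.PSChildName): static DNS '$($p.NameServer)'"
        if ($p.EnableDHCP -eq 1) {
            $findings += "FINDING: $msg overrides DHCP-offered '$($p.DhcpNameServer)'"
        } else {
            $findings += "INFO: $msg (static IP interface; confirm this is the server you expect)"
        }
    }
    return $findings
}

$report = @(Test-ProxySettings) + @(Test-DnsSettings)
if ($report.Count -eq 0) { 'No proxy or DNS overrides found.' } else { $report }
```

A FINDING on a DHCP interface means someone typed a DNS server into the adapter settings; on a home machine that is almost never the user. The INFO lines on static-IP interfaces are there so you can compare the server against what the network actually uses.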