Interesting malware that had me scratching my head

Discussion in 'Windows - Virus and spyware problems' started by Mez, Jun 22, 2014.

  1. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    I was rebuilding my office computer before putting it into stasis (Reboot Restore RX, a free VM utility used in many public computers). Anyway, I imaged my C:, then went to the internet to download clean new install files. When I re-imaged C: I discovered the imaging had failed and I was locked out of making changes to the BIOS at boot time. I think the malware overwrote the keyboard driver and turned off the keyboard during the boot process. This prevented any corrective actions during the boot process. By formatting C: and then re-imaging on a different computer the problem was fixed.

    The worrisome part is I had all my security up and I was infected in about 6 minutes. I assume my security is better than most.
     
  2. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,167
    Likes Received:
    136
    Trophy Points:
    143
    what clean new install files did you download?
     
  3. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Please Mez, I never "assume" anything.. That only makes an "ASS" out of "U AND ME".. lol

    I cannot believe that you were infected in 6 mins. if you had proper security installed. I have asked you, on several occasions, to tell me what security you were using and post a log for me to evaluate and help you beef it up so as not to become infected, but you have never returned my request.. Put your pride in your hip pocket and allow me to help you, as you are about the only one I know that has to Plow and Pave their drive every time they sneeze...

    List your security setup for me and I will look it over and give you some recommendations....

    Until then, your friend,
    2oG
     
  4. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    Avast, Comodo firewall and Sandboxie. I wasn't trying to be elusive; I may not have read your requests or something.

    I am in the process of using Reboot Restore RX, which is a virtual machine utility. You go back to a saved configuration after a reboot. That obviously was not in place. I move slowly.

    Thanks! 2old
     
  5. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    IE, sandboxie, teracopy and wsusoffline for Win7 and Reboot Restore RX.
     
    Last edited: Jun 26, 2014
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Sorry I haven't gotten back to you, Mez. Been busy and haven't been able to work up anything just yet.
    Reboot Restore RX is a very good start for securing your computer.. I use Deep Freeze Enterprise but that is only because I used it where I worked for years and I have a lifetime license..

    I'll get back to you as soon as I can so try to keep your paranoia at a low level and don't piddle on unknown fences. LOL
     
  7. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    I reviewed a lot of these reboot VMs but can't remember anything about this one. I'm sure you will be happy with being "Bulletproof" while on the web. Once you have rebooted to the real machine, anything picked up in the VM is GONE!
    As I said, I use DeepFreeze and can pass files and data between my real machine and the VM when needed. Don't know about RR RX... you can let me know..
    About all I can add is use K9 Web Protection and set your Avast to the Hardened Mode: Aggressive.
    Also, about the only hole in these reboot VMs is if you get a keylogger installed and running in the VM it can send out keystrokes. Unless you click on and install the keylogger it can't hurt you; they have to be installed and run for it to work.
    A good, paranoid idea is to install KeyScrambler.exe to screw up any keylogger that sends keystrokes out to the internet (just in case lol).....
     
  8. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    Thanks for the advice!

    Deepfreeze is the high end, while what I am using is a free utility that does not have many bells and whistles. Actually, I haven't installed it yet but plan to do that today. I am in the process of restoring a 'clean' version as I write this. This is one that has never seen the network. I will install a few more applications, back that up, and then apply the VM. If the cheaper version becomes a pain I can fork over some money.

    I am using K9 on this computer (family computer) but I believe Sandboxie is catching what it needs to. I don't trust the kids/kids to use Sandboxie when they ought to. It also keeps my youngest out of porn sites. My wife does not mind getting blocked occasionally to keep her son out of those places. I have every reason to believe the effective attacks are not coming through the browser but are attacks directed at my IP address. Why? My last known attack occurred when I only went to a few 'safe' web sites. I also have seen a prompt for a password as I connect to my network. I only connect to the network when surfing. I suspect my router is infected (why shouldn't it be). I am locked into that modem/router for my ISP service. They never came out with a patch to block all the router botnets like Cisco and Netgear have. I clean it out every month with backed up configuration and firmware. I figure it gets reinfected that day, but I am locked into the f***ing router. The password is only 6 characters long and the name is fixed. Verizon calls this a 'high security' router. I NEVER bought a router that was less secure than this one. I almost refused to take the package for security concerns. She also figures I am nuts, so I was overruled. We save $45/month by using FIOS.

    Sandboxie blocks attempts to attach a key logger to browsers. When I see the error message that I can't update a browser while it is in a sandbox, I know my security has been breached. I suspect if the keylogger is integrated into the browser the key scrambler will be circumvented. The browser can't send gibberish. I don't type passwords, CC#s etc. I cut and paste sensitive info. I used to use a key scrambler; it was smart enough to know when you are typing in a browser and that is when it would scramble the text. I am guessing key loggers only log browser key strokes, so typing a CC# into notepad first defeats the keylogger. I usually shop by internet but use the phone to order if I can. I don't use internet banking etc.
     
    Last edited: Jun 30, 2014
  9. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    2old, note that I was using Avast hardened-aggressive when attacked. This is why I am so paranoid. The black hats are way ahead of the white hats. The white listing should have at least given me a warning as the malware was installed. I do get a warning when I install unusual software. That malware must have a way around the white listing protection. Maybe only scripts are used, to use existing software in a malicious way. I remember seeing an error when I was mass moving files: I got an error from an MS remote access utility I never used, and the error details blamed the error on a nonexistent file. That prompted me to up the ante for my security.
     
  10. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    In my humble opinion, the router from your ISP is the biggest problem. I never use a router/modem from an ISP after all they were the ones that said we didn't need a firewall cause they had one. LMAO
     
  11. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    Yes, I concur. As I said before, I am sure it is infected. This is a modem+router, and the modem is the only modem that can handle the fiber signal and convert to phone and internet. Even if I bought my own, which I can't, there is only one option. I asked for a modem-only option but got this piece of crap instead. I purge it routinely but it has no protection against reinfection. That is an uphill battle. All the computers in my house will be using VM shortly. I thought they would be done yesterday but didn't get around to it.

    Why shouldn't it be infected; it doesn't have a patch. I read an article that stated you can assume all unpatched routers to be infected. I doubt that a patch makes the router invincible, but merely high hanging fruit while the rest are low hanging. I suspect the router signals something smarter and more powerful than what can exist in a router that it is time to attack me since I am on line. I start getting attacked just after I connect. BTW, after a successful attack that is the end of the attacks till I rid myself of the infection. I am now using VM on this computer. Good thing too: something installed itself, as I can see from the bubble message over the start button, but it should be flushed away the next time I boot up. That would be when the installed app would be on line? I think that is what that message means.
     
  12. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Mez, I have never seen a combo modem/router that was worth a dime.. I too have a fiber TV, phone, internet line and have an Arris modem, provided by Suddenlink, that has No router, I use my own Cisco router.
    But, even if your modem does have a router you should be able to turn it off and use your own router between it and your computers. That's what I would do..
    Also, are you using MBAM? and if you are is it the Premium, realtime version or the Free?
     
  13. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    Of course!

    Who is your ISP? I am wondering if I can change my modem if I raise enough stink. There are not many carriers using fiber.

    No, no MBAM. I stopped using it after the free version couldn't find the infection, along with a dozen other utilities. I bought a new C: and kept the old as D:. 2 years later the problem was found. An Adobe updater had been forced into the dark side. Who knows what the actual malware was, but I know what installed it and I know for sure that was not paranoia. That is when I lost faith in AV scanners.
     
  14. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    My ISP carrier is Suddenlink. HD TV, Phone and internet @ 15 Mbps - I usually download at about 2.2 MBs.

    LOL MBAM, like all security products, is not 100%, especially the free version. I use the Premium version with real time scanning; it blocks bad IP addresses but not URLs, has great heuristics and teams up real good with Avast.

    Sounds like you had an exploit get into your Adobe, it's a magnet for that. I don't use Adobe Reader, Acrobat or Java. You might think about installing MBAE (anti-exploit) it's free and works very good.
     
  15. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    Agreed with the Adobe malware magnet. I have stopped using their products and java. I may be forced back if I ever build any more web sites.

    The airupdater was updated with a malware version that installed malware instead of updating Air. This is a well-known tactic; Apple discovered it had the same problem this year across all platforms, another malware magnet. I remember posting that info here and a few persons claimed the hit must be a false positive. You were not one of those. Things are much clearer now than they were then.
     
  16. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Malware producers are becoming more expert at it.. They now compromise web sites to have their wares come through the same IP address as the site. When you click on a site the router's NAT and SPI Firewall thinks that you have requested anything from that IP address and shoves it down your throat... That is why you need layered URL protection and a good whitelist behind your router..
     
  17. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    There are at least two classes of botnets that propagate without using a web page. The attacks are done on a range of IP addresses. Each zombie is given a range of IP addresses to attack. When the range is completed they are assigned a new one. I am sure they start with the low hanging fruit then start moving up the tree. By the time all the low hanging fruit has been acquired, the botnet could be at least tens of millions strong and probably hundreds of millions strong. With that kind of horse power they can afford to launch serious attacks on a stealthed computer, hoping there is a computer at the address and hoping to hit pay dirt. One attacks routers, the other goes right to the computer. Stealthing your ports used to protect you against that type of attack, but the botnets have gotten smarter.
     
  18. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    I think that is what I said.. lol
     
  19. electron286

    electron286 Newbie

    Joined:
    Oct 4, 2013
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    ok, I do not usually post... so I may not even see a reply to this for quite some time, if ever... But hopefully this may add to the discussion and help someone along the way...

    I never trust just ONE layer of router protection for that matter! I always use AT LEAST one router behind the first router exposed to the internet. It adds a level of magnitude of complexity from a standard internet sequential address/port attack. Even if a bot were to get past the first router, it would then also need to get through the second one. I also NEVER use two of the same types of routers in the same multi-tiered network. That way the same attack will not work on the next level(s) either.

    The more important the computer/data, the more levels of router protection and isolation are added... (such as archives and backups at the top; I place actual WORK computers with needed data just below that...) Any computer on this level has access to lower levels but not the other way around unless ports are opened, which would again lower security... Which in my example dictates that back-ups are controlled and made by computers AT the highest level router tier, NOT by the computers that are being backed up.

    Of course, any level of paranoia also then dictates that all copied and backed-up data be scanned first, and verified afterwards... that is where scripting comes in to make it easy and automatic...

    Sorry, perhaps too much information here... but that was where my mind went with this discussion. Just wanted to also add a little about how such a multi-tiered router network ends up differing in actual use also. Some extra thought needs to go in if multiple computers are actually used at different levels. If all computers were to be used at a third level for example, and no computers were anywhere else, then the network would work like normal, just have a series of routers to propagate through for internet access.

    Note: I DO NOT count an integrated modem/router as a router in this type of a set-up either. If it does add any protection, I count it as an added but not counted on bonus.
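As an added example (not code from this thread, nor from Reboot Restore RX, Deep Freeze or any other product named in it), here is the "verified afterwards" half of the scripted scan-and-verify step electron286 describes: a SHA-256 manifest is taken at the source before the copy, and the backup tree is compared against it afterwards, so that any file in the backup that was altered, lost, or added after the copy is reported. The scan step is left to whatever scanner the reader already runs. The directory layout, file names and the `demo` function are all constructed for the illustration; the script builds its own temporary tree and runs offline.

```python
"""Hash-manifest verification of a backup copy (constructed example, not the thread's code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare a backup tree against the manifest taken at the source before copying.

    Returns relative paths that are missing from the backup, whose content changed,
    or that exist in the backup without a counterpart in the manifest."""
    copied = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(copied)),
        "changed": sorted(p for p in manifest if p in copied and copied[p] != manifest[p]),
        "extra": sorted(set(copied) - set(manifest)),
    }


def is_clean(report: dict) -> bool:
    """A backup passes only when every category of discrepancy is empty."""
    return not any(report.values())


def demo() -> dict:
    """Build a constructed source tree, back it up, verify, then tamper with the backup and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "work"      # hypothetical work computer's data
        dst = Path(tmp) / "backup"    # hypothetical backup location
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("quarterly figures\n")
        (src / "config.ini").write_bytes(b"[main]\nlevel=3\n")

        manifest = build_manifest(src)   # taken at the source, before the copy
        shutil.copytree(src, dst)
        first = verify_copy(manifest, dst)

        # Simulate corruption or tampering of the backup after the copy completed
        (dst / "docs" / "notes.txt").write_text("quarterly figures (altered)\n")
        (dst / "stray.exe").write_bytes(b"MZ")
        (dst / "config.ini").unlink()
        second = verify_copy(manifest, dst)

        return {"clean_first": is_clean(first), "first": first, "second": second}


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately taken on the source side before the copy starts, which matches the post's point that the higher-tier machine controls the backup: the lower-tier machine being backed up never gets to supply the hashes its own copy is judged against.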
     
  20. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    I have not had much success with routers providing much protection in the last few years. Maybe that is because they were infected. That was years before we knew about router malware which is pervasive today but usually the white hats are years behind the black hats. I understand why this would be so since they must react and may not be proactive. At least this year there are security patches for the top brands of routers.

    The most paranoid persons I know were hackers. They were full orders of magnitude more careful than I. The reason they are so careful is they know what is possible. So you suggest resurrecting an old router and applying a security patch to the older, more secure router?

    I am not as happy with my VM as I had hoped. It is secure but probably can't be used on a general purpose working computer. I can't usually write to any device except maybe the documents folders. I tried burning a music CD yesterday and thought maybe the burner was on the fritz. I know now it creates empty files that are never closed, so they are not real. You 'think' you are writing a file, but when you look for it, it is not there. That ploy is great for stopping malware from getting a hold. You are also prevented from 'stealing data' from the computer. The software was developed for public and institutional labs. I have downloaded and copied files to a device, so I know some folders such as downloads will permit writing and moving to another location. I will set up dedicated internet computers. I am quite pleased with the level of security and that it is pervasive. I will need to learn some of the nuances of Reboot Restore RX. It looks very secure.
     
    Last edited: Jul 12, 2014