
Interesting malware that had me scratching my head

Discussion in 'Windows - Virus and spyware problems' started by Mez, Jun 22, 2014.

  1. 2oldGeek (Active member)

    Hi electron286, welcome to AD. With only 2 posts after 9 months, I guess you've been lurking in the shadows.. lol
    Sounds like you may have some IT experience and know the value of a good backup system. After working in IT for 25 years, now retired, my first three rules for computing are 1. backup 2. backup and 3. backup. LMAO

    @Mez, I thought you might be a little put off with RR RX. It's great for public machines that need to clear any malware they encounter but have no need to retain any data. That's why I use DeepFreeze, it's basically bulletproof to malware but can transfer data to the real machine or server through a thawed partition and program called Igloo..

  2. electron286 (Newbie)

    Hello 2oldGeek, thanks for the welcome! Yes, I am a long-time lurker. I have used the AD forums during many quests for knowledge and software suggestions over the years... Computers have been a VERY big hobby of mine since the old Atari 8-bit days, I even set up a network of those... and used Iomega Bernoulli boxes with them... later upgraded to an IBM PC/XT (yes, both PCs with the cassette ports, and XTs) network with ARCnet cards and hubs, using a retired 286-based Novell server running NetWare 2.xx... Many upgrades of technology later finds me where I am today: still a computer hobbyist, keeping current with hardware and software... that has never really worked in IT, but often helps those that do. :) Free demos of various paid-for software have helped greatly over the years too, to help me keep up with new versions and releases to be able to help others with questions when needed.

    @Mez, I also have liked DeepFreeze when I have tried it, it does a great job! I have also had many people suggest another program to me, though I have not personally tried it yet. System Safe from Returnil has also gotten decent reviews, and may do what you need. There is a FREE license option for HOME USE, or a rather inexpensive seat licensing option. It also is supposed to be more compatible with older hardware/OSes than Sandboxie is, but since I have not tried it, I cannot guarantee that is true.

    Last edited: Jul 11, 2014

  3. 2oldGeek (Active member)

    I hate to say this... no I don't, he he.. Returnil went defunct in about 2011.. I thought it was a great little VM for surfing but it never caught on and died...
    In '72 or '73 I built a mainframe micro with an Intel CPU that ran at less than 1 MHz.. whoooo haaaa! In '77 I got my first PC, a TRS-80 Model I, 4 KB RAM, Level 1 B.A.S.I.C., ran at 1.44 MHz, cassette and all............. Wheeeee, them were the days...
  4. electron286 (Newbie)

    It seems that Returnil is still around, but has been rather quiet since 2011. It looks like they may tend to release a product, do some bug/feature updates, then move on to the next product, rather than keep releasing newer versions of the old product. It does seem to make things a bit confusing, at least to me, when looking at the various products list. Their newest offering, called Quietzone, looks to be a somewhat odd item I think, but may actually prove to be very useful in practice. (Initial release seems to have been 2013, still getting features added now in 2014...) Quietzone seems to add to a virtualized system the ability to virtualize ALL user drives (needs additional disc space...), seems to allow READ ONLY access to all "original" drives during a Quietzone session, uses the Tor browser for its capabilities, defaults to Startpage for a browser home page, then... and this is the part I am really thinking is interesting... when you are finished it will restart your system, and "forensically" clean the virtualized discs to remove all traces of the session's use...

    Since the so-called virtualized discs seem to grow as the session is in use, the more that disc space is used during a session, the more free disc space that would be needed. It also seems from looking at details of operation that this is even more efficient than the previous offerings from Returnil, and requires fewer system resources to be usable. It is listed as being usable with XP (SP2) up through Windows 8. The price has also dropped on this product compared to the previous offerings they still have available.

    I do not have time now, but I have just downloaded the installs for SystemSafe and Quietzone. I will play with them later and post back what I see. I will start at XP, since I still use XP the most. If I am not happy with them on XP, I will drop testing.
  5. 2oldGeek (Active member)

    I haven't checked on Returnil in years. The last time I checked, all the links were dead so I just forgot about it.

    Have been building computers for years and have a long list of customers that I stay in touch with. Most of the "Die Hard" XPers are using DeepFreeze although a few of them have applied the patch to continue getting MS updates and, so far, haven't had any problems with it.

    Let me know what you find out about SystemSafe and Quietzone and I may look into them also.
  6. Mez (Active member)

    2old, you may be right about me liking Deepfreeze. I do like the simplicity of what I am using now and the fact I can't modify the computer. I will probably give it a shot just to see what I am missing.
  7. 2oldGeek (Active member)

    Mez, I don't have the time right now but I will work up a way you can use Deepfreeze and PM it to you as soon as I can gather up some things. Hang in there, I know you will like it... after all, you are my paranoia buddy. lol
  8. Mez (Active member)

    2old, thanks, I may have a use for Deepfreeze. My daughter requires software that must be installed online. That is not possible with what I have. What I have read about Deepfreeze suggests that would not be a problem, so I will download it now and prepare a computer for her.
  9. 2oldGeek (Active member)

    Mez, you cannot install programs while in Deepfreeze, you must boot back to the real computer, install it and then go back to deepfreeze.
  10. 2oldGeek (Active member)

    Here's the manual for Deepfreeze, look it over.... I thought I had a copy that I didn't use, I used to install them on machines I built for customers, but I haven't located it.

  11. Mez (Active member)

    I did read the manual before I installed it. It was pretty short. Yes, I was well aware that you can't update a VM. That is why they prevent even the most clever malware. I am convinced most malware does not install software. I had to go through 20 questions when I started installing software with the same security I have been using. It is very tight, except it wasn't catching anything! I usually load security last, just before I connect with the network. I even got warnings when a registry value was changed. I can't imagine how I was being infected except by an update. I don't have anything with automatic updates, so it is getting around that as well.

    The difference between what I am using on 2 computers and Deepfreeze is that reboot-restore can't be unfrozen. Deepfreeze can. Unfrozen means booting up in real mode instead of VM. That makes it less secure but far more useful when you must update something from the internet.

    An update on my attacks... They have gotten far less frequent now that all computers on the network are all virtual computers. There is no reason for a robot to give up so I am a bit suspicious. I doubt that I was getting cross infections from the other computers since they are all set to hibernate after 5 minutes of inactivity. It would be rare that 2 computers were active at the same time. I am in real mode on that 'new' computer setting it up the way she wants. When I reboot the shields will be restored.

    Thanks!
  12. 2oldGeek (Active member)

    Here's a little trick.. when installing Deepfreeze, you can keep a partition unfrozen and it can be used to pass files back and forth between VM and Real. I created a small (25 GB) partition and set it up unfrozen. That way I can download a program while in VM, scan it for malware, then pass it to my real machine to install it.
    Also, you can install a program while in VM, IF it doesn't have to boot to finish the install. As long as you are in VM the program works, but when you boot -- it's gone!
    Also, with an unfrozen partition you can keep data there that you want to keep, and if you have to reboot to get rid of something, the data in the unfrozen partition is still there..... You can reboot back to frozen state or to the real world. lol

    I love it, been using it for years and really like being "Bulletproof".....................
  13. Mez (Active member)

    This computer has several drives but the rest of my computers do not. They all have 32 GB flash drives to store whatever someone wants to keep. I bought a few on sale for $8.
  14. 2oldGeek (Active member)

    An unfrozen partition doesn't necessarily have to be on a second drive, and a USB flash drive should work like a charm..
  15. Mez (Active member)

    2old, I would like to point out that if you have been using Deepfreeze for years you must be as paranoid as I, as well as wiser.
  16. 2oldGeek (Active member)

    Mez, good judgement is the result of experience, and experience is the result of a lot of poor judgement. Also, paranoia is just good thinking...... o_O

    I learned years ago that it is better to block malware than to remove it. Just like it's better to block termites from getting into your house rather than try to evict them and repair all the damage they've done...:eek:

    I think you will like Deepfreeze after you see what all it can do. :)
  17. Mez (Active member)

    I couldn't agree more. VMs protect against anything that requires a re-boot to work. I am convinced the malware attacks are mostly updates or something else that can slip under the radar. Any of that should require a reboot. I still keep my browser sandboxed. Adding malware to an active browser is effective immediately and not protected by a VM. I figure it will be a while before someone can circumvent a VM.

    Being paranoid also comes about by paying attention to inconsistencies then digging in until you figure out what happened. Too often for me the error logs lead to non-existent files. The only conclusion is that the OS has been bamboozled. Years back I used a huge amount of utilities to look for the malware. After a few no finds I lost all faith in malware scanners. I researched to discover there are stealth viruses and most are at least fairly stealthy these days.

    As the LinkedIn Information Technology Specialist Group recommends, format & reimage. Do you subscribe to that group?
  18. 2oldGeek (Active member)

    Actually, some programs do not need a boot in order to run, you just need to install them. Malware can tag along and run with it, or the malware you get from a drive-by can set up a RunOnce registry entry to run a temp file that will set it up to autorun after a boot...

    If you get malware in your VM or if you delete something you need you can reboot back into the VM and all changes and malware will be gone and anything deleted that is supposed to be there will be restored.

    I use Acronis True Image for image backups of my operating system and all programs. An image is created each day so that I can always go back a day or so if I am infected. No need for a reformat.. Also, all my data files and the desktop are kept on a second drive, and a running backup of the data files is kept.. That way if I need to reimage my boot drive, I don't lose any data or anything that is on my desktop.. It takes about 6 minutes to reimage my boot drive...
  19. Mez (Active member)

    Thanks for that info.
    I think this is similar to what was happening, but my registry can't be read or written to without me knowing, unless the malware can put my security to sleep.

    Being very careful (paranoid), I only recover images that were taken of a drive that had never been attached to the network. I know there have been periods where I have been infected for over a year before I figured it out. AV scanners are near worthless, so I assume the computer is compromised the second I attach it to my network.
  20. 2oldGeek (Active member)

    You know, that is one of the few things that HijackThis is still good for.... On a clean machine run HJT and add everything to the ignore list then have HJT run an auto scan on boot and it will show you anything added that is not on the list.
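The ignore-list trick above is a baseline-and-diff of autostart entries: snapshot a clean machine, then at each boot report only what is not in the snapshot. Below is an added example of that idea written for this thread, not HijackThis code and not from either poster; it assumes a hypothetical selection of just the Run and RunOnce registry keys (HJT covers many more locations), reads the live registry only on Windows, and ships with constructed sample snapshots so the diff logic can be exercised anywhere.

```python
import json
import sys

# Autostart locations to snapshot.  Hypothetical selection: the Run and RunOnce
# keys under HKLM and HKCU; HijackThis covers many more locations than this.
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

def collect_autoruns():
    """Read the live registry (Windows only): {"HIVE\\key\\valuename": command}."""
    import winreg  # imported here so the diff logic still runs on other platforms
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = {}
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key absent on this machine
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                name, data, _ = winreg.EnumValue(key, i)
                found[f"{hive}\\{path}\\{name}"] = str(data)
    return found

def diff_autoruns(baseline, current):
    """Entries not on the 'ignore list': new names, or known names whose command changed."""
    return {k: v for k, v in current.items() if baseline.get(k) != v}

# Constructed sample data standing in for two snapshots: a clean baseline, and a
# later scan where a RunOnce value pointing at a temp file has appeared.
SAMPLE_BASELINE = {
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth":
        "C:\\Windows\\system32\\SecurityHealthSystray.exe",
}
SAMPLE_CURRENT = dict(SAMPLE_BASELINE, **{
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\updater":
        "C:\\Users\\mez\\AppData\\Local\\Temp\\upd.tmp",
})

if __name__ == "__main__":  # usage: autoruns.py baseline|check <snapshot.json>
    mode, path = sys.argv[1], sys.argv[2]
    if mode == "baseline":  # run once on the known-clean machine
        json.dump(collect_autoruns(), open(path, "w"), indent=2)
    else:  # run at each boot, e.g. from a scheduled task
        for k, v in sorted(diff_autoruns(json.load(open(path)), collect_autoruns()).items()):
            print(f"NEW OR CHANGED: {k} = {v}")
```

RunOnce values are deleted once Windows has consumed them, so a scan at boot will usually see the persistent Run entry a RunOnce stager leaves behind rather than the RunOnce value itself; a scan at logoff or on demand catches the RunOnce value while it is still queued.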