
Interesting malware that had me scratching my head

Discussion in 'Windows - Virus and spyware problems' started by Mez, Jun 22, 2014.

  1. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    What I was trying to say with this post is that the attack that prevented me from using my keyboard during the boot process occurred while my registry was protected. You can't even read my registry without me blessing it. As I stated in the initial post, my security is tighter than the average reader's and still things are getting through. I was trying to reach readers that have an open mind. Most users I know personally feel Avast or Norton is all the security they need to keep their computer impregnable and don't feel the need to do anything, not even upgrade their firewall for free. I can't fathom their reasoning since most of them are pretty smart. I guess they choose to believe there is no danger. If there was real danger it would be in the news. From what I see the so-called experts the media use are years out of touch and give advice that is only mildly useful.

    2old, maybe you know what is going on. I am using wsusoffline on the computers that use the free VM which does not have the thaw ability. I prefer that to Deepfreeze because the computer never sees the internet without being in VM mode. From my experience, I am convinced my current security can't block everything and only the VM keeps the computers secure. The Deepfreeze computer is the 'kid computer'.

    I use wsusoffline to download updates for the other computers and save them on an external drive. I re-image to a B4 VM image, apply the updates, image C: to the current B4 VM image, then install the VM. My plan was to update this way monthly. I am getting 84 updates each time I turn off the computer. I checked off everything for wsusoffline I could for the OS (Win7) but didn't update Office because I am sure I specified no automatic updates for Office. I plan to update those as well today or at least this week to see if that alters the number of updates. It would be like M$ to ignore user preferences. Can you think of anything else that might be updating?

    Thanks in advance!
     
    Last edited: Jul 24, 2014
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Oh, Mez, I think you are being just a little overly cautious; more is sometimes less! I believe you are re-imaging and losing the updates you have installed, then they must be re-installed… Why are you re-imaging every time you do something??

    No, having a thawed partition does NOT give access to the real computer when you’re in the VM.. That hole was plugged in 2002 and hasn’t been defeated since…

    What you need to do is set up each of your machines with Deepfreeze so that it will only boot back to the frozen state, and apply an Admin Password that only you can get into in order to apply updates or install programs….

    I keep the M$ updates set at Auto install and use Secunia PSI to keep all of my programs updated automatically. That will work in VM mode but will have to be redone when switching to the Real mode in order to make it permanent.
     
  3. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    This is what I stated in my original post.
    I was infected in 6 minutes being protected with about the same security that you have when you boot thawed. In this case the malware was obvious but many are stealthy and just spy on you. Server Side Polymorphic Malware is over 5 years old now. None of that can be detected by any product on the market. There are so many different new malware signatures most new strains are ignored because AV scanners don't have the resources to add them to the signatures scanned. I had white list security protection when I was infected so that doesn't work 100% either.

    I hope it doesn't surprise you to know that I feel you are overly cavalier. How can you feel secure that you aren't infected when you thaw your computer and connect to the internet? You just feel lucky? I guess you figure I am just too stupid to install and set up security software correctly and that was how I was infected, or maybe I am delusional and I made up that attack? That is your right.
     
  4. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    Another possibility is hackers just have it in for me. I don't think that is the case but I can't rule that out. My kids used to go to all sorts of sites. I suspect many bot nets keep records of their zombies and will try to re-acquire them ASAP as part of the routine. My computer is on the same network. I know I have been infected in the past.

    On the other hand...
    3.5 years ago a study was published where they tested 80 'caught in the wild' 'military grade malware'. All 80 defeated the leading security packages without detection. That was a long time ago. I suspect there has been an explosion of the military grade malware. I suspect even 3.5 years ago only a small percentage of this grade of malware were found. It is logical there are many more invincible malware out there that have probably infected a vast number of computers. That is why I go to the extra effort to never expose my clean backup to the internet except with the kids' computer. We don't do anything sensitive with that one.
     
  5. xboxdvl2

    xboxdvl2 Regular member

    Joined:
    Dec 21, 2005
    Messages:
    1,174
    Likes Received:
    7
    Trophy Points:
    48
    Mez, you are paranoid, but personally if I was a hacker (I'm not a hacker) after reading all your paranoid posts I'd be trying to attack your system, not to do any real damage, just to make you more paranoid for a bit of fun.

    I generally don't let others use my computer; if I break it I fix it and it's my problem, if others break it then I doubt they are gonna take responsibility and fix it.
     
  6. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    xbox,

    I am sorry to say that was a foolish thing to post. 1) When I refer to hackers I mean automated attacks made by zombies. No hackers do any attacks personally. That is too risky. 2) Why would a hacker stoop so low as to read this forum? Hackers are responsible for 8 million dollars loss in the US alone last year.

    I see more than one attack per hour connected to the web that has been foiled. I have no idea how many got by. I guess you figure I am not smart enough to recognize an attack. Things are trying to uninstall various security software, things are trying to add addins to my browser both on the fly and trying to use an installation process. I have all these processes monitored so I see the foiled attack attempts. I am seeing way more attacks since I started using VM. The bigger question is why are you not being attacked. Maybe your security is tighter than mine. The more likely reason is your computer is infected with stealth malware. The first thing they do is compromise your security system. This is usually done during shutdown or during the boot process when the security software is not active.

    I am taken much more seriously in more serious groups. I know you must think you are better educated than security managers for 1K+ networks.

    Try reading this
    Introducing Stealth Malware Taxonomy by Joanna Rutkowska, 2006
    http://www.net-security.org/dl/articles/malware-taxonomy.pdf
    As of right now, 8 years later, we only have defenses for type I. How are you repelling these attacks that no security professional can stop? Maybe the hackers are just afraid of you since you are so smart!
     
  7. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Mez, I have no doubt that you are getting warnings that say you have been attacked. I have been scratching my head over this for two days now and have gone back through all the posts we have made and a very small light in my old brain just lit up.... I may have found your problem and if so will explain all later. First, I want you to run a little test to see if I can drive a nail in the problem..

    Do this:
    Disable your Comodo Firewall. Then turn on your Windows Firewall..
    Run that setting on the internet for a while and come back and tell me how many attacks you have received..

    Your paranoid buddy,
    2oG
     
  8. xboxdvl2

    xboxdvl2 Regular member

    Joined:
    Dec 21, 2005
    Messages:
    1,174
    Likes Received:
    7
    Trophy Points:
    48
    Mez, this might come across as stupid or naive or ignorant.
    All my programs function normally, none of my accounts on various sites have been accessed illegally, my card hasn't got any transactions showing up that I haven't made, as far as I know my computer hasn't been used in attacks or ddosing. My internet speed is normal, my download speed is normal, browser redirect attempts are blocked, I even posted logs on here a few months ago and nothing abnormal showed up.
    If I have malware or pc issues (look hard enough you might actually find some) they are not causing me issues. If they do start causing issues I will be investigating, I do run scans & I would notice if the computer starts acting oddly.

    I actually like your 2) but I gotta ask how much money is lost due to businesses making mistakes and banks making mistakes or medical mistakes or scams; I am guessing it's a lot more than 8 million.

    I never claimed to be better educated, I just claimed to be less paranoid; maybe 'cause I'm on antipsychotics I am less paranoid, maybe one day I will stop taking them and go crazy with paranoia.
     
  9. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @xbox, Mez has a combo modem/router from his ISP and evidently it is NOT a NAT router, that is, it has no firewall. Every computer on the internet is being scanned every few minutes by hackers, malware and ad distributors. A computer with a personal firewall like Comodo that's just directly on the internet with no NAT router will start getting pop-up messages saying, oh no, you're being attacked, I'm blocking this, I'm blocking that, bla bla. Comodo is about the worst one for trying to sell you on all the benefit they are delivering. They're saying, look at all the good I'm doing for you. This horrible stuff would have actually reached into your computer if I, the software firewall, hadn't blocked it.

    As soon as Mez turns off Comodo and turns Win Firewall on, I am almost sure that his problem will subside. It can be enough to drive you over a cliff.......
     
  10. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    xbox you are not stupid, naive or ignorant but a bit arrogant to think I am a fool. You need to do some reading. There are stealthy modes of malware attacks identified 10 years ago that still remain unstoppable today. I will post a link to a very interesting old article about these attacks. I haven't seen any -
    - either.

    I have seen lots of attacks since I started using a VM. Before the VM there wasn't anything over except that something wanted to modify my browser, but it is in a sandbox that tells you when something is amiss. I believe I may be seeing more attacks because my software is more functional, or maybe as you contend the whole hacker world is on my case because of this thread. (Just kidding, you all think I am barking mad anyway)

    The textbook stealthy malware attack first takes out your security software. They appear to function normally but are broken. Have you picked up any viruses in the last year or so? Remember they are catching approximately 200,000 new strains per day. It would be very odd if you haven't caught anything in a year or so. Maybe your security is perfect, maybe not; I would have no way of knowing.

    My router is a NAT router with a firewall. I looked at the specs before I signed up for FIOS triple play that requires a certain router/modem. I was reluctant because they did not have a firmware update this year. All the good routers came out with security patches this year making it harder for them to become infected. My router is low hanging fruit. xbox, if you haven't updated the firmware on your router yours is also low hanging fruit. 2old, I am plenty smart enough to discern a concrete threat, a possible threat and chatter. I attached a screen shot of the most common error message which is a simple and easy to understand error from a foiled attack. I feel like a school boy bringing in my homework. What do you two think, seeing is believing? Do you think this is normal? Something is trying to uninstall a browser security package about every hour or two while connected to the web. Maybe you guys would laugh this off but I don't like things installing or uninstalling themselves. I get at least 1 failed attempt per hour of something either being installed. This bot isn't very smart at all; I don't think it would ever work on a Win 7 machine. Good bots ought to check the OS first and should be keeping notes. Maybe each attack is from a different bot; in that case there are plenty of stupid ones.

    2old, I got another malware even with VM. It infected the BIOS then the BIOS infected the MBRs for all the bootable drives during the boot process. I am trying password protecting the BIOS since this article claimed that stopped the re-infection. The malware was similar to this one.
    https://community.mcafee.com/thread/39954

    2Old, what do you have against Comodo firewall? I have used it for years and have seen you recommend it a few times this year. What is a better one? Do you recommend not using any??

    This is an interesting article from 2006. From what I can find, there is still no protection from type II or type III attacks. http://www.net-security.org/dl/articles/malware-taxonomy.pdf
    It also details how malware gets around the download-then-install all-in-one you need to use for most software. The malware is smart enough to make the switch after the file is verified to be OK. I checked out the new Firefox and they tried to make downloading more secure, but it is still vulnerable to the switcheroo.
     

    Attached Files:
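The post above describes a "switcheroo": a download is verified, then something replaces the file before the install step reads it again. The example below is added here to illustrate that gap and is not from the post, the taxonomy paper, or any installer's code; the file names and payloads are constructed sample data. The flawed function verifies a path and then re-reads that path, so a swap during the window gets installed; the corrected function hashes the bytes it actually installs, so the same swap has no effect, and a swap that lands before the check is refused by both.

```python
"""Verify-then-install (TOCTOU) gap beside a version that closes it.
Added example; file names and payloads are constructed, not taken from any real installer."""
import hashlib
import tempfile
from pathlib import Path

GOOD_PAYLOAD = b"constructed: genuine installer bytes"
SWAPPED_PAYLOAD = b"constructed: replacement written after verification"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def install_by_path(download: Path, expected: str, target: Path, between=None) -> bytes:
    """Flawed pattern: verify the file at a path, then re-open the same path to install.
    Whatever is at the path after the check is what gets installed."""
    if sha256_hex(download.read_bytes()) != expected:
        raise ValueError("hash mismatch, refusing to install")
    if between is not None:
        between()  # the window between the check and the use
    target.write_bytes(download.read_bytes())  # re-read: trusts the path, not the bytes
    return target.read_bytes()


def install_verified_bytes(download: Path, expected: str, target: Path, between=None) -> bytes:
    """Closed pattern: read once, hash those bytes, install exactly those bytes."""
    data = download.read_bytes()
    if sha256_hex(data) != expected:
        raise ValueError("hash mismatch, refusing to install")
    if between is not None:
        between()  # same window, but nothing is re-read from the path afterwards
    target.write_bytes(data)
    return target.read_bytes()


def run_demo() -> dict:
    """Stage a download directory, simulate a swap during the window, report what landed."""
    expected = sha256_hex(GOOD_PAYLOAD)
    results = {}
    for name, installer in (("by_path", install_by_path),
                            ("verified_bytes", install_verified_bytes)):
        with tempfile.TemporaryDirectory() as tmp:
            download = Path(tmp) / "setup.exe"      # constructed file name
            target = Path(tmp) / "installed.exe"    # constructed file name
            download.write_bytes(GOOD_PAYLOAD)

            def swap(d=download):
                # stands in for whatever rewrites the download inside the window
                d.write_bytes(SWAPPED_PAYLOAD)

            results[name] = installer(download, expected, target, between=swap)

    # A swap that lands before the check is caught by either version.
    with tempfile.TemporaryDirectory() as tmp:
        download = Path(tmp) / "setup.exe"
        download.write_bytes(SWAPPED_PAYLOAD)
        try:
            install_verified_bytes(download, expected, Path(tmp) / "installed.exe")
            results["tampered_before_check"] = "installed"
        except ValueError:
            results["tampered_before_check"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

For a real installer that must be executed from disk rather than copied as bytes, the equivalent defence is to move the verified file into a directory that only the installing account can write and run it from there, or to verify the signature on an open handle immediately before launching that same handle; verifying one path and launching another copy of it is the gap the post describes.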

  11. aldan

    aldan Active member

    Joined:
    Mar 24, 2007
    Messages:
    1,725
    Likes Received:
    46
    Trophy Points:
    78
    Funny you should mention the Comodo firewall, 2old. I used it for a time and it near drove me crazy with imaginary attacks. Sort of like the bugs an alcoholic sees during the DTs. lol.
     
  12. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    I know, I was trying to help Mez but the paranoia and reading all those blogs from wannabe experts has got him pushed over the edge... he really needs some professional help.. sorry, My PHD is in basket weaving...
     
  13. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    2old, so that something other than the user tried to uninstall Privdog is something you would ignore? Because I am worried that someone other than the user is trying to uninstall security systems or installing other software I should seek professional help. I don't know why I bother, you are all fools if you ignore outright attacks. I don't care if you have 10 PHDs, you can't have any common sense.

    If you are so smart, tell me what really happened so I can ease my mind. If you can come up with a credible explanation why it wasn't an attack, I will grovel at your genius! I always fess up when I wrongly malign someone. I will not hold my breath. I would bet that you never looked at the attached error message since I really have never taken you for a fool.

    Did you read and understand the articles I posted links to? Without a PHD I was able to understand most of the technical one and all of the non-tech one. A stealth attack can change the pointers, we'll say in Word, from the document being edited to a dat file which contains malicious code. When Word tries to access the file, the malicious code is executed, then the real file is opened. The malicious code 'updates' an update utility you have with malware or a dll at that time or overwrites the file during a shutdown or start up. Neither the infected updater nor the dll will be found by hijack.

    By the way here is another warning of what I call an attack. Now something was trying to install a new version of Privdog just before I posted this reply. I blocked the attempt. What has me worried is how did it get the rights to make that installation? The bot is getting smarter.

    file.net rates Trustedadssvc.exe as
    so it is possible this is legit but since bot(s) have been trying to uninstall Privdog more than a dozen times over the last week I will pass. This time you can say I am paranoid but Comodo updates in a downloaded package through the Comodo app, not like this. I would say there is less than a 1% chance this was legit. newattack.JPG
     
  14. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    I am by no means going to pass judgment, I am not going to claim that I know it all, and neither am I going to portray myself as the ultimate expert. Please try to keep an open mind to what I have to say because it comes from nearly 50 years experience with computers.

    I have never, nor will I ever recommend Comodo….. The screen shot of Comodo HIPS is typical because Comodo does not have a full whitelist of all the programs that are legal and ok to run. Any time a program or application runs, Comodo will catch it with its HIPS and, if not on the whitelist, will pop up and ask the user what to do with it.

    The screenshot you have is of Comodo catching the PrivDog service, trustedads.svc, that is attempting to set up PrivDog to monitor and block ads on the ie browser. Since PrivDog is not on Comodo’s whitelist it halts the service and asks you what you want to do with it. You can Block it if you know it’s a bad program or service, or you can click the Treat as and define it as a whitelist item, then Comodo will not ask you the next time it runs.

    It takes quite awhile to get everything added to the Comodo Whitelist and I do not really think that Comodo is worth the effort…. IMHO

    Mez, I will attempt to help you anytime I can but, you must get the chip off your shoulder and keep an open mind for it to happen…

    2oG ;)
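The post above explains the behaviour of an allowlist-based HIPS: a program not on the whitelist is stopped and the user is asked what to do. The example below is added here to show that decision logic in working code; it is not Comodo's code and the image hashes, file names and events are constructed. Keying the allowlist by the hash of the image on disk, rather than by its file name, is the design point: a known name with unfamiliar bytes (the "update out of the blue" the thread argues over) produces a prompt instead of a silent allow, and a contrasting name-only check shows why that weaker approach waves such a binary through.

```python
"""Toy allowlist-style HIPS decision logic. Added example, not any product's code;
hashes are stand-ins computed from constructed labels."""
from dataclasses import dataclass
from enum import Enum
import hashlib


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"  # unknown program: ask the user, the situation the thread describes


@dataclass(frozen=True)
class LaunchEvent:
    """A process-start event as a HIPS would see it (constructed fields)."""
    image_name: str  # file name the process claims to be
    sha256: str      # hash of the image on disk
    action: str      # what it is attempting, e.g. "run", "install", "uninstall"


@dataclass
class Policy:
    allow_hashes: set  # known-good images, keyed by hash, never by name
    block_hashes: set  # known-bad images


def fake_hash(label: str) -> str:
    """Stand-in for hashing a real binary; labels are constructed sample data."""
    return hashlib.sha256(label.encode()).hexdigest()


def decide(event: LaunchEvent, policy: Policy) -> tuple:
    """Hash-keyed decision: block list first, then allow list, else prompt."""
    if event.sha256 in policy.block_hashes:
        return Verdict.BLOCK, "image hash is on the block list"
    if event.sha256 in policy.allow_hashes:
        return Verdict.ALLOW, "image hash is allowlisted"
    # Not known either way. The name alone proves nothing, because a replaced
    # binary keeps its file name, so a hash-keyed list prompts here.
    return Verdict.PROMPT, f"unknown image {event.image_name!r} attempting {event.action!r}"


def name_only_decide(event: LaunchEvent, allowed_names: set) -> Verdict:
    """Weaker check for contrast: trusting the file name lets a swapped binary through."""
    return Verdict.ALLOW if event.image_name in allowed_names else Verdict.PROMPT


def triage(events, policy: Policy):
    """Apply the hash-keyed policy to a batch of events."""
    return [(e.image_name, e.action, decide(e, policy)[0]) for e in events]


def demo():
    """Constructed events: a known build, the same name with different bytes,
    a known-bad image, and a never-seen installer."""
    good = fake_hash("trustedadssvc.exe known build (constructed)")
    swapped = fake_hash("trustedadssvc.exe unknown build (constructed)")
    bad = fake_hash("known bad dropper (constructed)")
    policy = Policy(allow_hashes={good}, block_hashes={bad})
    events = [
        LaunchEvent("trustedadssvc.exe", good, "run"),
        LaunchEvent("trustedadssvc.exe", swapped, "install"),  # same name, different bytes
        LaunchEvent("dropper.exe", bad, "install"),
        LaunchEvent("setup.exe", fake_hash("never seen before (constructed)"), "install"),
    ]
    by_hash = triage(events, policy)
    by_name = [name_only_decide(e, {"trustedadssvc.exe"}) for e in events]
    return by_hash, by_name


if __name__ == "__main__":
    hashed, named = demo()
    for (name, action, verdict), weak in zip(hashed, named):
        print(f"{name:20} {action:10} hash-keyed={verdict.value:7} name-only={weak.value}")
```

The second event is the one worth reading twice: under the hash-keyed policy it prompts, which is the alert the thread is arguing about, and under the name-only policy it is allowed outright. A prompt on a changed binary is the tool doing its job; what the user does with it (allow after checking the file's origin, or block) is the judgement the post describes.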
     
  15. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    BTW - I don't think you are foolish and you are doing the world a service by helping out. When you misread what I say and then figure I am foolish, I do get pissed. You were in IT; do you ever remember a lead developer that was wrapped too tight? They could do the impossible but they were high strung. I am more mellow now than I was 30 years ago but I am still wrapped a bit tight.

    You figured the last error message out incorrectly. The first screen shot is something trying to uninstall Privdog. Please check it out. I realized I should have forced the full screen so it is hard to miss. I will not make that mistake again.
    That has been the most persistent attack @ 1/hr of time connected to the internet. That gets old since it was happening to all our computers for over a week. It ought to be on Comodo's white list because it is either their product or their partner's. It was part of Comodo security package. I assure you Privdog was running when something tried to overwrite it. Since whatever(s) have not been able to uninstall the package something wants to update it. Comodo updates come through the package not 'out of the blue' like this so some bot wants to replace what is running with malware.

    If they can get around that issue they will run into this issue (see post). Obviously someone clicked OK for the family computer and PrivDog got blown away with malware. I will need to reboot that computer tonight and flush away all the progress the bad guys made today and talk to my family about OKing these calls. firefox.JPG Well, it all happened as I was writing this. First the old uninstall attack was thwarted, then Privdog was taken down, then I blocked the install with Comodo but Comodo can't block the install. The last error looks like something is protecting that folder. Maybe I am in a pissing war with a hacker or maybe this is how a botnet learns. I am very impressed. It has been taking down my security right and left. When I reboot the changes will all go away but the hacker is becoming very proficient at an alarming rate. The same old message saying 'You need administrative rights to uninstall Privdog' is hidden under the other Windows message.
     
  16. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    You are not paying attention.... Comodo is THE problem.... I did not mis-read.. Your first screen shot is Comodo blocking PrivDog from doing what it is intended to do and your second screen shot is Comodo blocking FireFox from updating to the latest version.... I say again COMODO IS THE PROBLEM!!!!! Uninstall Comodo and use the Win 7 Firewall. It is as good or better than ANY 3rd party Firewall, especially COMODO! TRY IT and see, you can always re-install comodo.... But give it a try and then make that choice...

    You have NO BOTS! it's all COMODO!
     
    Last edited: Aug 4, 2014
  17. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    OK, you have my undivided attention now! I am glad you didn't misread the error message. I will need to get some questions asked before I believe you are correct. At this point I am incredulous but would welcome not believing I have angered the bot gods. Before I start, I know you didn't write either Comodo or Privdog. Be sure I have not updated any software that I am aware of in a week. Comodo has a specific routine for updates. Privdog was in the last Comodo update. The Comodo installation package info warned of Privdog and let you know you could opt out of installing it. Why should I believe Comodo was trying to uninstall Privdog about 20 times over the last week? See PrivDg.jpg

    My 4 Questions you need to answer clearly not evasively.
    1) My computer usually stays on all day but is only connected to the web for about 2 hrs each day. In a week there are 168 hrs. I have been connected to the web 14 hrs last week. Why did all the attacks only occur in that 14 hrs and not 1 attack in the other 154 hrs? Why does Comodo happen to go rogue only then? BTW - from my perspective, Comodo was acting normally except when I stop a process it usually stops.

    2) Why would Comodo attack Privdog which was part of the Comodo installation package?

    3) Why would Comodo attack Privdog not using the normal Comodo user interface which displays what it is going to do. Instead this was done stealthily.

    4) Without updates, how did Comodo learn to kill PrivDog after about 20-30 failures? Programs are 100% repetitive. That is their strength. They only change when the code changes. A new subroutine was added to the kill PrivDog program. How did that happen?

    5) Paranoid me gets worried when something takes down Privdog after a week of something trying to take it down. Then a new PrivDog is installed in a non-standard method and I can't stop the installation as I should, then a second later Firefox autoinstalls a new Firefox not using the normal interface and I couldn't prevent that installation either.

    I am not from Missouri but you will need to 'show me' before I can believe you.


    If that was Comodo trying to uninstall PrivDog, why would it want to do so? Then why would Comodo try to overwrite the old version that was released last month? Why should I believe Comodo is attacking its own software? Why do you think this is not a malicious force? One other clue. Why does this ONLY happen when I am connected to the internet? I usually connect for about 2 hrs a day. Why would these incidents I call attacks, and you figure that Comodo has just gone berserk, happen only when I am connected to the web? Any fool like myself could blame hackers as the likely culprit. Why can't the privdg message be a result of a hacker trying to shut it down and not Comodo going rogue and doing it stealthily?
    Trustedadssvc.exe is part of the PrivDog suite but file.net rated it 50% secure because it is vulnerable to infection. It is supposed to launch PrivDog, NOT update it. Paranoid me is figuring the simplest solution is often correct. A hacker tried to replace a working PrivDog with malware.
     
  18. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Mez,
    If you want me to help with this problem that you can't figure out you must follow my instructions..
    If you can't trust me, then there is not a chance in hell that I could help you.
    You can either do the things I ask, or not. Your choice. Your computer. Helping you is my choice.
    Just let me know what you choose to do or not do.
     
  19. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    Aldan, I am not bothered by warnings unless they warn of something that shouldn’t be happening. It is like the news. I think I know what you are complaining about. Comodo was probably warning you about incoming connections. Believe it or not you shouldn’t have incoming connections any more than you should have bullets flying through your kitchen. I had Comodo cut them off years ago during my initial installation since I know I don’t have any need to have unknown entities putting files wherever they like on my computer without my notice. I really can’t figure why you would want this to happen? Comodo automatically recognizes browsers and software that checks for updates as exempt. What special software did you have that needs constant updates from the internet? If you don’t know, the most likely culprit would be malware that is getting instructions from the master. So because the alarm kept going off you got rid of it. I guess you don’t have any smoke detectors. They make such a racket!

    Maybe you were complaining about the alerts. You can shut them down. I set the alert level and I am satisfied with it. At no time does Comodo make a judgment. When software tries to do something it shouldn’t be able to do... Trustedadssvc.exe was designed to launch PrivDog. It does not have update capabilities. The only reasonable possibility is the Trustedadssvc.exe trying to update (overwrite) Privdog is the Trustedadssvc.exe is malware or some malware fooled the OS into believing it was Trustedadssvc.exe. File.net says Trustedadssvc.exe is vulnerable to attacks (like Adobe update programs). Why wouldn’t I think this was an attack?

    2old wants me to turn off Comodo because it is a problem and to trust him. My daddy told me don’t jump off a cliff just because someone tells you to.

    I would like help, not to turn off my security that looks to be functioning properly. I may look at Zonealarm not because Comodo is acting up but because the enemy can compromise it.

    With a legit Firefox upgrade you get a notice and the notice asks you if you want to install the latest version before updating. I got no notice, so that wasn’t a FireFox update that was malware being installed. Maybe if it happened on your computer you might have gotten suspicious. I hope so. With a legit upgrade I can block the install with Comodo. I couldn’t so the hacker can prevent Comodo from doing its job. There was a string of very suspicious events and your only advice is to shut my eyes. What you don’t know can hurt you.

    What you say makes no sense! If you were typing in Word and Word asked you to type out your SSN you wouldn’t blink and just type it in and not give it a second thought. You wouldn’t wonder why Word would ask you such a thing. Comodo was warning me about an installation. I want to be alerted about any installation. I don’t mind getting the alert when I initiate an install. I figure if I see something about to be installed and I didn’t start the process who did? Nothing you have said makes me believe those were not attacks.

    I gave you 5 questions I would need to know before you would have credibility with me. You couldn’t answer ANY of them. I can only assume you have no clue, you are just a talking head. If you were an expert, you would have been able to answer all the questions because they are important.

    All of you have the best intentions but can’t think for yourselves. None of you ought to be giving security advice. I am not a security expert but I can put 2 + 2 together, which is a lot more than any of you! If you are all this gullible you shouldn’t be using the internet. You all better lock your credit scores.
     
  20. aldan

    aldan Active member

    Joined:
    Mar 24, 2007
    Messages:
    1,725
    Likes Received:
    46
    Trophy Points:
    78
    Mez, here's the deal. I don't give a shit whether or not I have any credibility with you. You have been given good advice and choose to ignore it. When it comes to audio you are the man, but your paranoia when it comes to malware is just overwhelming. And your comments about intelligence and common sense, please, they are not synonymous. You say we lack intelligence (or common sense) according to your mood? I stopped defending my points of view about 30 years ago. Common sense, as you put it, dictates that you seek help for what is an obvious mental illness. Whether or not you do is up to you. I just not only stopped caring, but also stopped responding.
     
