Author | Message | Time |
---|---|---|
BreW | Allright, so I'm just looking at some forums and apparently an ad from "adxgate.net" loaded, which uses some kind of exploit for IE6 that apparently downloads and installs "yazzlebundle.exe" and lots of other nasty stuff..... NOD32 just popped up showing I had an infection, but it was too late. It had installed, and infected winlogon.exe, and somehow "mljhfgf.dll" is involved.... this is very nasty and I still can't find a way to get rid of it. Anyone have an idea??? | April 19, 2007, 12:03 AM |
Grok | For starters, http://housecall.trendmicro.com/ Removing a trojan can be complicated, but isn't necessarily so. If you're not very familiar with how Windows is built, and how trojans bury themselves, you'll have a hard time with any instructions given. Best thing you can do is protect the backups you made, make an additional backup of any and all data you need to save, and reformat your drive(s). This time, reinstall your OS, turn on Automatic Updates for Windows, allow it to download, install, and reboot automatically at say 3:00 a.m. This way you will at least be protected from forgetting to patch known vulnerabilities. After you've patched your machine, create a non-privileged user which doesn't have install permissions. Always browse the internet from this low privilege account. No matter what page you visit, it'll never have permission to install anything locally. Live and learn. | April 19, 2007, 12:45 AM |
BreW | [quote author=Grok link=topic=16626.msg168110#msg168110 date=1176943530] For starters, http://housecall.trendmicro.com/ Removing a trojan can be complicated, but isn't necessarily so. If you're not very familiar with how Windows is built, and how trojans bury themselves, you'll have a hard time with any instructions given. Best thing you can do is protect the backups you made, make an additional backup of any and all data you need to save, and reformat your drive(s). This time, reinstall your OS, turn on Automatic Updates for Windows, allow it to download, install, and reboot automatically at say 3:00 a.m. This way you will at least be protected from forgetting to patch known vulnerabilities. After you've patched your machine, create a non-privileged user which doesn't have install permissions. Always browse the internet from this low privilege account. No matter what page you visit, it'll never have permission to install anything locally. Live and learn. [/quote] Switching to a low permission account every time one needs to browse the internet seems like a hassle. Also, low privliaged accounts are still able to run executable files, and it would just replace and restart an essential windows process being run as a system task, then would have system privilages (correct me if I'm wrong about that at all). What I should (really) do is just update my insecure Internet Explorer 6. However I am quite concerned about just how it was able to force my browser to download then run it, before my three (NOD32, AVG, Kaspersky) anti virus programs were able to do anything? By the way, I don't really think what I got was a "trojan", but instead just adware. And I was able to just log into safe mode and delete those two dlls. Nothing seems to be happening now, and I haven't seen any foriegn addresses/programs when I netstat -abn to check. | April 19, 2007, 1:09 AM |
Invert | I found this funny. Can we move it to the Fun forum? | April 19, 2007, 2:08 AM |
Barabajagal | [quote author=Invert link=topic=16626.msg168118#msg168118 date=1176948529] I found this funny. Can we move it to the Fun forum? [/quote] I second that... Use something other than IE. Firefox, Opera, etc. If you can, use Lynx! Text-based browsing is the most secure there is. | April 19, 2007, 4:40 AM |
Disco | [quote author=Invert link=topic=16626.msg168118#msg168118 date=1176948529] I found this funny. Can we move it to the Fun forum? [/quote] And I found THAT funny. Please do! | April 19, 2007, 5:04 AM |
Newby | [quote author=Invert link=topic=16626.msg168118#msg168118 date=1176948529] I found this funny. Can we move it to the Fun forum? [/quote] lol I love you. | April 19, 2007, 5:24 AM |
rabbit | [quote author=Invert link=topic=16626.msg168118#msg168118 date=1176948529] I found this funny. Can we move it to the Fun forum? [/quote]<3 | April 19, 2007, 11:41 AM |
LordNevar | http://usa.kaspersky.com/products_services/internet-security.php | April 19, 2007, 3:02 PM |
BreW | [quote author=Invert link=topic=16626.msg168118#msg168118 date=1176948529] I found this funny. Can we move it to the Fun forum? [/quote] You're so cute. Hey, why don't you go BROWSE a random internet site and all of a sudden have 30 notifications of an infected file being installed on your computer. Back on topic: Does anyone know how to Un-pack a PE32 file with UPX packers? I would love to reverse engineer this, and see if I missed cleaning up anything... | April 19, 2007, 7:27 PM |
rabbit | [quote author=brew link=topic=16626.msg168109#msg168109 date=1176941036] Allright, so I'm just looking at some forums and apparently an ad from "adxgate.net" loaded, which uses some kind of exploit for IE6 that apparently downloads and installs "yazzlebundle.exe" and lots of other nasty stuff..... NOD32 just popped up showing I had an infection, but it was too late. It had installed, and infected winlogon.exe, and somehow "mljhfgf.dll" is involved.... this is very nasty and I still can't find a way to get rid of it. Anyone have an idea??? [/quote] [quote author=brew link=topic=16626.msg168134#msg168134 date=1177010836] Back on topic: Does anyone know how to Un-pack a PE32 file with UPX packers? [/quote] On topic? [quote author=brew link=topic=16626.msg168134#msg168134 date=1177010836] You're so cute. Hey, why don't you go BROWSE a random internet site and all of a sudden have 30 notifications of an infected file being installed on your computer. [/quote]Actually, I'm pretty sure he's happy NOT going to some random site and getting spyware. | April 19, 2007, 9:21 PM |
UserLoser | [quote author=Invert link=topic=16626.msg168118#msg168118 date=1176948529] I found this funny. Can we move it to the Fun forum? [/quote] Same, I think he's probably trojanned too | April 20, 2007, 1:37 AM |
Myndfyr | In general the way that I remove virii from people's computers is to set the Execute - Deny permission on the file, then restart. Then you go about your business of fixing all the shit it's done to your computer. | April 20, 2007, 5:43 PM |
BreW | Do you think something like "Yazzle" is advanced enough to replace essential system files? (i.e. winlogon, explorer, smss) It injected some dll into winlogon, and attempted to create two registry keys every 1.5 seconds. Stopped when I killed that thread though... and if anything else is infected I always keep backups of them on my external hard drive (I use my own hexed version of explorer.exe & winlogon.exe) If it was serious, it would have prevented me from going into safe mode (right?) I guess I can call this silly attempt "owned" even though it did exploit IE6, and execute. | April 20, 2007, 7:07 PM |
Skywing | No way to know for sure without reverse engineering the particular piece of malware in question. The standard assumption is to assume that everything the malware had access to has been compromised and cannot be trusted. Making assumptions about benign-ness of any given malware is dangerous; if something compromised a process with admin/system privileges, you need to blow away the box and start from scratch (or backups, if you can with certainty trace the starting point of the compromise, though this is typically difficult to be entirely certain about as well). | April 20, 2007, 7:54 PM |
Newby | The funniest part is it happened to brew. heh heh heh. | April 20, 2007, 11:03 PM |
BreW | [quote author=Skywing link=topic=16626.msg168176#msg168176 date=1177098873] No way to know for sure without reverse engineering the particular piece of malware in question. [/quote] Exactly why I am interested in reverse engineering this malware. 7 posts ago... [quote] Does anyone know how to Un-pack a PE32 file with UPX packers? I would love to reverse engineer this, and see if I missed cleaning up anything... [/quote] Unpacking the "quarentined" files is what I should focus on first-- Then I would be able to disassemble and reverse engineer it. | April 21, 2007, 1:01 AM |
Newby | First you should make sure UPX was the original packer. :P | April 21, 2007, 1:11 AM |
BreW | I'm 100% confident it was UPX packed. | April 21, 2007, 1:23 AM |
Newby | Then get UPX (upx.sf.net) and unpack it? | April 21, 2007, 1:54 AM |
rabbit | [quote author=Newby link=topic=16626.msg168188#msg168188 date=1177120492] Then get UPX (upx.sf.net) and unpack it? [/quote]That's too logical. | April 21, 2007, 3:44 AM |
Newby | [quote author=rabbit link=topic=16626.msg168192#msg168192 date=1177127072] [quote author=Newby link=topic=16626.msg168188#msg168188 date=1177120492] Then get UPX (upx.sf.net) and unpack it? [/quote]That's too logical. [/quote] Shit, I forgot we were dealing with brew. | April 21, 2007, 4:03 AM |
iago | [quote author=MyndFyre[vL] link=topic=16626.msg168174#msg168174 date=1177091038] ...virii... [/quote] Sorry to throw this even more off-topic, but....... the proper pluralization of virus is viruses, not virii: http://en.wikipedia.org/wiki/Plural_of_virus#Use_of_the_form_virii | April 21, 2007, 4:06 PM |
BreW | That article is somewhat inaccurate: [quote] The form viri might also be incorrect in Latin. The ending -i is normally used for masculine nouns, not neuter ones such as virus, although there are exceptions such as humus -"soil" which is feminine and vulgus -"crowd" which is neuter; moreover, viri (albeit with a short i in the first syllable) is the plural of vir, and means "men." [/quote] Uh... if virus was neuter, wouldn't it have the ending -um? Therefore it'd be virum. And the plural form of 2nd declention nom neuter nouns is "o", therefore the correct plural of "virum" would be "viro". Although the romans apparently screwed up the ending of "virus", which is acually neuter, one may still note the nom. singular ending is "i", making the entire word "viri", which is translated as "toxins". "viri", as the article claims, would be the plural of "man", however this isn't so. "vir" is a word which does not exist in the latin language. Instead, the correct word for "man" is "vīr" (note the macron over the i) and thus, the plural of "man" is "vīri". (It is also notable that the gen. singular form ending of m/f second declention nouns is also -ī) | April 21, 2007, 6:12 PM |
rabbit | You're retarded. Stop trying to play smart. | April 21, 2007, 7:29 PM |
Kp | [quote author=brew link=topic=16626.msg168112#msg168112 date=1176944946] [quote author=Grok link=topic=16626.msg168110#msg168110 date=1176943530] After you've patched your machine, create a non-privileged user which doesn't have install permissions. Always browse the internet from this low privilege account. No matter what page you visit, it'll never have permission to install anything locally. [/quote] Switching to a low permission account every time one needs to browse the internet seems like a hassle. Also, low privliaged accounts are still able to run executable files, and it would just replace and restart an essential windows process being run as a system task, then would have system privilages (correct me if I'm wrong about that at all).[/quote] So do not switch when you want to browse. Instead, run as an unprivileged user except in those rare cases where you need privilege (for example, installing a software update). This is better anyway, since then you are running unprivileged when interacting with your e-mail program, chat servers, etc. Low privileged accounts can run executables, but if you are using XPPro, you could use a Software Restriction Policy to deny the ability to execute anything in the most likely places malware will land. You could also set a Deny Execute as Myndfyre suggested, but that would be part of a DACL that sufficiently advanced malware could change before it tries to execute a helper process. An invader can only replace a system process if that process runs one or more files that are modifiable by the invader. If you are running as an unprivileged user, there should not be any such processes that you can modify. Since the invader will be running as you (barring use of a privilege escalation exploit), it should be similarly curbed. | April 21, 2007, 8:01 PM |
BreW | Could low privlaged accounts inject dlls into system processes? I'm using XP Home Edition 2600. And by the way, thank you for the intelligent post. [quote] You're retarded. Stop trying to play smart. [/quote] Immature. Please quit trolling. | April 21, 2007, 8:20 PM |
rabbit | That wasn't a troll, it was a direct response to your "I know Latin" rant (which you're wrong about, there was no macron in the Latin lingual system). | April 21, 2007, 8:55 PM |
Barabajagal | Rabbit, I took a few years of latin in high school,and it is vīr, not vir. | April 21, 2007, 9:09 PM |
rabbit | I also took 4 years of Latin. The macron is used in teaching Latin because it helps forming sounds, but ancient Latin didn't have a macron, or even a lower case, actually. Anyway, my point is, it's vir, a regular 3rd declension masculine noun, and virus, a regular 2nd declension masculine noun. | April 21, 2007, 9:20 PM |
Quarantine | There is no macron in latin, it's a little thing added to help with the sounds (long vs short letters) | April 21, 2007, 9:25 PM |
BreW | [quote author=rabbit link=topic=16626.msg168207#msg168207 date=1177190436] I also took 4 years of Latin. The macron is used in teaching Latin because it helps forming sounds, but ancient Latin didn't have a macron, or even a lower case, actually. Anyway, my point is, it's vir, a regular 3rd declension masculine noun, and virus, a regular 2nd declension masculine noun. [/quote] Rabbit, you're an idiot. We call it a macron-- they didn't call it anything. It's just a "long vowel". And if you look at ancient roman ruins you would see, they DO use macrons in their text. One more thing-- vir is NOT a 3rd declention noun, it's 2nd. Go look anywhere, puh-lease. Stop trying to outsmart me, especially in Latin. I am a three time ACL/NJCL National Latin Exam Summa cum laude winner (gold metal). So really, sum possum dicere Latinum perfectum. Et tu? EDIT*** Also, you're wrong. Virus is neuter. | April 21, 2007, 9:27 PM |
Newby | [quote author=brew link=topic=16626.msg168204#msg168204 date=1177186815] Could low privlaged accounts inject dlls into system processes? I'm using XP Home Edition 2600. [/quote] 2600? That's pretty far off into the future. Internal leak? | April 21, 2007, 9:30 PM |
BreW | [quote author=Newby link=topic=16626.msg168210#msg168210 date=1177191027] [quote author=brew link=topic=16626.msg168204#msg168204 date=1177186815] Could low privlaged accounts inject dlls into system processes? I'm using XP Home Edition 2600. [/quote] 2600? That's pretty far off into the future. Internal leak? [/quote] ...5.1.2600. | April 21, 2007, 9:31 PM |
Quarantine | ... Did you seriously call Windows XP by its build number? Moron. | April 22, 2007, 12:45 AM |
Barabajagal | You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it. | April 22, 2007, 12:56 AM |
Kp | [quote author=brew link=topic=16626.msg168204#msg168204 date=1177186815] Could low privlaged accounts inject dlls into system processes? I'm using XP Home Edition 2600. [/quote] There would not be much point in having the concept of privilege if low privileged users could tamper with highly privileged processes. That said, I have read that XPHome skips security checks, so it might allow the behavior you are worried about. I know that XPPro does not allow it. Hopefully, someone will report whether XPHome enforces the relevant checks. [quote author=RεalityRipplε link=topic=16626.msg168214#msg168214 date=1177203385] You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it. [/quote] A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights. It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK. | April 22, 2007, 1:10 AM |
Barabajagal | [quote author=Kp link=topic=16626.msg168215#msg168215 date=1177204203] [quote author=RεalityRipplε link=topic=16626.msg168214#msg168214 date=1177203385] You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it. [/quote] A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights. It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK. [/quote] In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL :) . | April 22, 2007, 2:10 AM |
JoeTheOdd | [quote author=Warrior link=topic=16626.msg168213#msg168213 date=1177202751] ... Did you seriously call Windows XP by its build number? Moron. [/quote] Why wouldn't he, if he's discussing a trojan for a specific build of Windows? By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being whitty but it ultimately failed. | April 22, 2007, 5:34 PM |
Newby | [quote author=Joe[x86] link=topic=16626.msg168251#msg168251 date=1177263258] [quote author=Warrior link=topic=16626.msg168213#msg168213 date=1177202751] ... Did you seriously call Windows XP by its build number? Moron. [/quote] Why wouldn't he, if he's discussing a trojan for a specific build of Windows? By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being whitty but it ultimately failed. [/quote] The trojan was specific to his build of Windows? This is incredible. Now they're writing trojans for specific operating systems written hundreds of years in the future. What will malware writers do next? Write trojans for people's clothing? I also don't get the "try at being witty" comment. | April 22, 2007, 6:08 PM |
Quarantine | [quote author=Joe[x86] link=topic=16626.msg168251#msg168251 date=1177263258] [quote author=Warrior link=topic=16626.msg168213#msg168213 date=1177202751] ... Did you seriously call Windows XP by its build number? Moron. [/quote] Why wouldn't he, if he's discussing a trojan for a specific build of Windows? By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being whitty but it ultimately failed. [/quote] Because unless you're using a Beta version of XP, the RTM build number is 2600. It can be assumed that 99.9% of the Computers running XP are running build 2600. It's really retarded to call it anything else. It's Windows XP and nothing fundementally changes build to build if (and only if) there so happens to be a build revision in the near future. | April 22, 2007, 7:06 PM |
Kp | [quote author=RεalityRipplε link=topic=16626.msg168217#msg168217 date=1177207849][quote author=Kp link=topic=16626.msg168215#msg168215 date=1177204203][quote author=RεalityRipplε link=topic=16626.msg168214#msg168214 date=1177203385]You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.[/quote]A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights. It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.[/quote]In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL :) .[/quote] Doing that would require an insecure DACL on the files and/or directories used by the target process. Although possible, it would be rather silly to see a process where someone managed to get the process DACL right, but left the file DACLs insecure. | April 22, 2007, 7:32 PM |
Barabajagal | [quote author=Kp link=topic=16626.msg168263#msg168263 date=1177270375] [quote author=RεalityRipplε link=topic=16626.msg168217#msg168217 date=1177207849][quote author=Kp link=topic=16626.msg168215#msg168215 date=1177204203][quote author=RεalityRipplε link=topic=16626.msg168214#msg168214 date=1177203385]You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.[/quote]A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights. It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.[/quote]In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL :) .[/quote] Doing that would require an insecure DACL on the files and/or directories used by the target process. Although possible, it would be rather silly to see a process where someone managed to get the process DACL right, but left the file DACLs insecure. [/quote] I've never found a program I can't make a copy of and edit. | April 22, 2007, 8:00 PM |
Skywing | [quote author=brew link=topic=16626.msg168183#msg168183 date=1177117278] [quote author=Skywing link=topic=16626.msg168176#msg168176 date=1177098873] No way to know for sure without reverse engineering the particular piece of malware in question. [/quote] Exactly why I am interested in reverse engineering this malware. [/quote] You're probably not interested in reverse engineering it. If you don't, and nobody else has (with verification that the code on your box is identical), then you should wipe the system clean. | April 23, 2007, 2:05 AM |
Skywing | [quote author=RεalityRipplε link=topic=16626.msg168264#msg168264 date=1177272025] I've never found a program I can't make a copy of and edit. [/quote] That doesn't really get you anything. You'll have no way to place the modified version of the binary where it will be run, assuming file ACLs are set properly and the lack of a security hole allowing an unprivileged user to convince a privileged process to load a binary from an untrusted location. If you run the modified version of the binary yourself, it will be executing with the privileges of your (unprivileged) account and thus will not be able to perform things outside the sandbox of that user account. | April 23, 2007, 2:15 AM |
Barabajagal | I use the following method for my media player's self-update system. It renames itself from LLMP.exe to LLMP.old. It then downloads the new LLMP.exe to the same location. It runs the new EXE and closes itself. The new copy deletes the old one now that it's no longer running. Doesn't the same ability apply to any program you can make? | April 23, 2007, 2:25 AM |
Skywing | Only if the user account with which you are doing that operation from has write access to the file/directory. If you placed your program in a location under, say, %ProgramFiles% (with the default ACL) and attempted the process running it as a limited user, it will fail. * Note: If you are using filesystem virtualization for Vista, the virtualization minifilter may make a shadow copy under your %userprofile% tree, with redirection in place to make it appear as the operation succeeded, despite the fact that the original in %ProgramFiles% is unchanged. If you accessed the program from a different user account, it would see the original in %ProgramFiles% and not the "modified" one. | April 23, 2007, 2:29 AM |
JoeTheOdd | @Newby, Warrior: Quit trying to be asses. Simple as that. EDIT - BreW, if you upload it I'll take a swing at reverse engineering it and seeing what's up. | April 23, 2007, 3:22 AM |
BreW | I deleted it. (lost interest) But thanks anyways. | April 23, 2007, 7:16 PM |