
Main Area and Open Discussion > General Software Discussion

Massive malvertising campaign on Yahoo, AOL and other sites delivers ransomware


bit:
What I would do if hit with something like this, is;
-Shut down.
...
-bit (October 24, 2014, 09:06 AM)
--- End quote ---

Fail ... That is what they want you to do. Any rootkit's ability to burrow in and completely take over a machine is contingent on panicking the user into performing that ever critical first reboot. After which, with system level permissions it can do massive damage to mapped drives.

Now disconnecting any external backup drives you have would be a good idea in the hopeful assumption that the attack focused first on drive C: ... But nothing is guaranteed with these people.
-crabby3 (October 24, 2014, 09:27 AM)
--- End quote ---
I think I see what you mean; a rootkit can get into the mobo.
Actually, before shutdown, I ran Malwarebytes.

But one time, when I ran Malwarebytes before shutdown, then Malwarebytes itself wanted to reboot, and on reboot my vid card died.
But then I installed a friend's old vid card (that was actually newer than mine), and all problems disappeared.
I never could figure out if there was a virus-rootkit or not, or if the vid card just happened to pick a very odd moment to die.

So, do you think Norton 360 or Malwarebytes would stop the ransomware, or do I also need something like Hitman Pro?
I do also run CryptoPrevent (paid version).
I don't have Hitman right now, b/c of cost, and it wants to run a scan on every boot-up.

Stoic Joker:
What I would do if hit with something like this, is;
-Shut down.
...
-bit (October 24, 2014, 09:06 AM)
--- End quote ---

Fail ... That is what they want you to do.-Stoic Joker (October 24, 2014, 11:50 AM)
--- End quote ---

I think if you take it in the context it was given, i.e. prelude to wiping all HDDs from read-only media, then the methodology is fine.-4wd (October 24, 2014, 09:36 PM)
--- End quote ---

I was speaking about rootkits in general as they need that first reboot to get under (or replace) the shell.


However, if you were to power on the system after the shutdown in the hopes that it would come up on the original OS OK ... then you may have a problem.-4wd (October 24, 2014, 09:36 PM)
--- End quote ---

A big one yes. :) I have saved machines from the above discussed malady...but it always depended on when the user thought to call for help.

As most frequently is the case, panicking = death.


@crabby3 - Chances are the Vcard was just a freak coincidence, but you're on the right track otherwise.

bit:
^this -to me- is what donationcoder is all about; this is where 'the rubber meets the road';
I give a thoroughly thought-out, beautiful response of my tried-and-proven methodological approach to virus control, and Stoic Joker gives a straight-to-the-point no-frills wake-up call with one word: fail...
I like that.
Of course, my next question is, what's the best approach if you think you've already been infected (besides calling a shop)?
"Don't reboot." Okay, but what next?

Stoic Joker:
While the below does assume the user has a bit of skill in these matters, it's a skill that everyone should strive to learn...because these days you really have to drive defensively on the information highway. I'm also really not a fan of flattening a machine every time the lights blink funny as it's far too easy to lose something that was recently created/acquired/signed up for, especially if it happens to involve some sort of encryption key/certificate (mind you I deal mostly with business machines).

There is also the issue that burning or imaging a drive is a lot of I/O that can only serve to prematurely age the drive when all you really need to do was rewrite the boot sector to either make a rootkit visible, or prevent it from re-infecting a new install (I've seen that one happen a few times - it sucks).

Of course, my next question is, what's the best approach if you think you've already been infected
-bit (October 24, 2014, 11:13 PM)
--- End quote ---

That is the key point. First thing you need to do is know if you've been infected...and with what. Because chances are when you do actually get that 'something be awry' funny feeling, it's generally because something odd just popped up on the screen...and at that point one of two scenarios will be true:
1. The bugg is taunting you with a cleverly cloaked may I please eat your computer prompt.
2. The game is already over...and you lost.

In the first case the resolution is a simple matter of saying no forcefully (e.g. TaskMan, right click, End Process Tree).

In the second case, you need to find out what the extent of the damage is without making it worse. So to avoid those fringe crossover cases, always take a screenshot of the offending message and jot down the filename of the process you have to kill to make it go away. Then from a known clean machine do a little quick research to see if it is a known bugg...or something completely new.

For the known bugs look at the type of software used for cleanup. If it's first level Malware Bytes, Super AntiSpyware, etc. then you can use your preferred utility. If it is an advanced tool like ComboFix...then more care should be taken to see what is being fixed and how. Because many of these utilities - while effective - take the scorched earth approach, and can be as destructive as a registry cleaner if care isn't being taken to monitor what is being "cleaned".

So in a nutshell, the only procedure you use...is to never use a rigid procedure. Always know the enemy and react accordingly. Because if/when the hardware variety bugs become common in the wild it will quickly become crucial to know exactly what you're dealing with to have any chance of recovering. As there aren't any really user friendly methods available for wiping the other hardware components.


Like the USB controller chips that are in every USB device: This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”

Two separate Security Research groups have confirmed the viability of this attack. One of them released the source code for it during the last Black Hat conference to the public at large (it's available on GitHub). It's an equal opportunity infector that can bidirectionally hop from computer to any USB device (or device to computer) and is currently completely undetectable because - infecting the low level hardware controller chip - the OS never sees it.
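
The "find out the extent without making it worse" step Stoic Joker describes (note the process name, gather the facts, then research it from a known-clean machine before killing it), as an added PowerShell example that is not from this thread or anyone posting in it. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and that the process name was read off the screenshot; it is read-only and stops, deletes and reboots nothing.

```powershell
# Added example, not from the thread: record what you would otherwise have to
# "jot down" about a suspicious process, so the lookup can be done from a clean
# machine. Read-only by design: no Stop-Process, no file deletion, no reboot.
# Assumes Windows 8 / Server 2012+ and a process name taken from the screenshot.
param(
    [Parameter(Mandatory = $true)][string]$ProcessName,   # name seen in Task Manager
    [string]$OutFile = "$env:USERPROFILE\Desktop\triage-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
)

$report = @()
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -ieq $ProcessName -or $_.Name -ieq "$ProcessName.exe" }
if (-not $procs) { Write-Warning "No running process named $ProcessName"; return }

foreach ($p in $procs) {
    $report += "=== PID $($p.ProcessId)  $($p.Name) ==="
    $report += "Path        : $($p.ExecutablePath)"
    $report += "CommandLine : $($p.CommandLine)"
    # The parent tells you what launched it (browser plugin, Office, a service...).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $report += "Parent      : $($p.ParentProcessId) $($parent.Name)"
    if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
        # Hash and signature status are what you look up from the clean box;
        # a known-good vendor signature usually rules the file out quickly.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $p.ExecutablePath).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        $report += "SHA256      : $hash"
        $report += "Signature   : $($sig.Status) $($sig.SignerCertificate.Subject)"
    }
    # Open connections show whether the prompt on screen is already talking to someone.
    Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        ForEach-Object { $report += "Conn        : $($_.RemoteAddress):$($_.RemotePort) $($_.State)" }
}
$report | Set-Content -Path $OutFile
Write-Host "Wrote $OutFile - copy it to a clean machine before ending the process tree."
```

Run it as the logged-on user (elevate only if the process belongs to another account), then do the research and the End Process Tree step the post describes.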

bit:
Like the USB controller chips that are in every USB device: This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”

Two separate Security Research groups have confirmed the viability of this attack. One of them released the source code for it during the last Black Hat conference to the public at large (it's available on GitHub). It's an equal opportunity infector that can bidirectionally hop from computer to any USB device (or device to computer) and is currently completely undetectable because - infecting the low level hardware controller chip - the OS never sees it.
-Stoic Joker (October 25, 2014, 01:20 PM)
--- End quote ---
Awesome.
I'm a home user, no one else ever uses my machine, and I don't use a microphone.
I see Halloween is coming up; if anyone is planning on scaring the kiddies with spook stories, save your breath and just read this thread to the grownups instead.
What I just read in your link royally scared the crap out of me.
