
New Virus or ??


cyberdiva:
The Malwarebytes blog focused on Rombertik a few days ago: https://blog.malwarebytes.org/security-threat/2015/05/whats-important-about-rombertik/.  Interestingly, the blog claims "Malwarebytes Anti-Malware detects Rombertik as Trojan.Ransom.ED."  It might be useful to post something about the user's experience described here (i.e., in the DC thread) on the Malwarebytes forum and try to get them involved.  The company tends to take very seriously any report of MBAM's failure to detect/deal with malware.

Curt:
"So, I am not sure why any of you suspect this Rombertik is what is infecting the machine."
-- app103 (May 10, 2015, 07:55 AM)
--- End quote ---

I think April is right. The infection described by questorfla cannot be Rombertik.

Target:
I'm surely no expert, but this sounds more like a very old virus (if that's what it is).

To me the operation sounds very clumsy, more like something a script kiddie might produce.

Virus writers have become far more sophisticated in what they're delivering, and uninstalling/deleting a random somebody's files like this seems like a poor return on their effort.

questorfla:
Lots of good posts.  I plan to look at each, as we are still in the dark other than we know it was something and that whatever it was, it was as close to having some kind of AI running the show as I have ever seen.
Depending on too many variables, it seemed to do different things.  It also seemed to be tied in with multiple other "bad guys" such that even when whatever the main threat was gone, there were many little things left lying around. If it was not Rombertik, it had all the earmarks.  The weird background was probably part of the "trash" that is loaded into Rombertik in an attempt to obscure the malware.
I can tie a few odd events that occurred to each of the people affected, but there were people who also had those same odd events who did NOT get the "Full Monty" treatment.
For the time being, it is now using up more of my time trying to be sure it is GONE and not just HIDING.  Once you go through an experience like this, it leaves you feeling almost like there is no point in trying if there is no way to win :(  I know the AV software companies probably have this one under control by now. At least we have not had any further issues, so I hope so.
I even understand their reasoning behind each one giving the same virus a different name.  But that same reasoning makes it nearly impossible to know if a threat removed by the AV program now is the same threat I was dealing with a few days ago.  It is hard when they ask for a "sample" yet I don't even have a vector at this point, much less a way to contain a sample.
By the time I THOUGHT I knew what to look for, it appeared to have morphed into so many varied forms and types of damage that it honestly was easier to just reformat.
And:
Even then, I can't be sure.  Reformat to factory?...   Maybe.  As long as it hasn't infected that sector too.
With Windows 8.1 having no external media that I can be 100% sure about, and with the license codes embedded in the BIOS, there is only so far you can go.  When all seems well a week later, it could be just because the AV companies had finally gathered enough evidence to add a specific marker to their signature files so they catch it before the damage is done.
Thanks for all the comments, and if the discussion itself got even one person to be more aware of their vulnerabilities, it was worth it.  Those who got hit lost every file they had.... One way or the other.  If the virus did not get it, I had no choice but to scrub anyway because I could not risk that it might be hiding there.  Anyone displaying almost any of the symptoms was a suspected carrier.
If nothing else, I learned a lesson in humility.  It is easy to play Monday Morning Quarterback, but when you are in the game while the ball is in play, things look a lot different.
And I hope the employees learned to make backups.  NONE of them, not a single one, has made any attempt to keep anything now for years.  Worst of all, they use their desktops like a filing cabinet, and no amount of pushing on my part has made even a dent in that practice.
It doesn't help that Windows has made it nearly impossible to "restore to 3 days ago", instead opting for a more useful (but far more complex) method of "version per file" which requires an additional drive and by default is set to OFF.
Because NO ONE here has made the final jump in user interface, all of them preferring to keep their old Windows 7 layout through various utilities, it left most with not even a chance of recovery if affected.

Stoic Joker:
It might not hurt to point out to the brass that the Blast-Effective-Zone could have been a lot smaller if they would have let you put in a proper domain back when you originally asked for it.

Because I'm guessing - from the descriptions you've given in other threads - that most folks are romping around with Admin rights. And the only truly proven method of ducking the 0-day stuff is by using reduced (e.g. user-level) permissions ... Everything else has time and time again proven itself to be nothing more than a feeble attempt to water seal a screen door.

P.S. Feel free to quote me on that.. ;) :D
