Cyber Attack on Poor Old Harry

Proud Mary
Mon Aug 10 2009, 03:32AM
Proud Mary Registered Member #543 Joined: Tue Feb 20 2007, 04:26PM
Location: UK
Posts: 4992
I was just thinking of making myself a ham sandwich with a nice bit of French mustard in it, when a message suddenly appeared on the screen saying that I had five trojans and heaven knows what else, and that I must click on a link to have it put right.

I immediately recognised this for what it was, and tried to close the window. Then a bogus Microsoft Security Centre message announced that I must take action at once by clicking on the link, as my PC was now a nest of viruses (it all happened too fast to remember all that was said - an attempt to stampede me).

I then tried to close that window, and another opened trying to force me to click on the link of doom.

I decided to disconnect at once, which failed, nor could I switch the computer off. It was paralysed except for the link of doom. I swiftly unplugged the modem, and physically disconnected the power to the computer.

I then re-booted in Safe Mode, and spent the whole rotten evening and half the night running anti-rootkit, anti-virus and anti-trojan and malware programmes, the which, as I largely anticipated, discovered nothing at all.

Now it's four in the morning, and I still haven't had my sandwich.

There's no trusting trust, as Ken Thompson famously reflected.

Now I shall have to put over putting up the first of my Iron Man experimental series in the Project section until tomorrow because of all the time and frustration of fending off these criminals. I was looking forward to getting this done today, and the 'flu made me feel hot and tearful.

All this on top of an attack of Swine 'Flu, so if Bird 'Flu should get me as well, it'll be either Boot Hill for Old Harry, or pigs will fly! smile

Has anyone else had a similar attack? Did I react in the best manner? I know very little about computing.
Nicko
Mon Aug 10 2009, 05:29AM
Nicko Registered Member #1334 Joined: Tue Feb 19 2008, 04:37PM
Location: Nr. London, UK
Posts: 615
In my day job, I run the IT, Infrastructure & Security for a largish financial company in the city of London.

This is an absolutely standard ploy by some of the more unscrupulous vendors of anti-viral snake-oil. Assuming you are running Windows XP or Vista...

Most of these types of applications install a GINA/winlogon extension DLL into winlogon.exe - this is supremely cunning as you can't kill winlogon (it's a key part of Windows), but you can delete the DLL on disk (most decent anti-viral apps will do this). Unfortunately, as the DLL is held open by winlogon, it still exists in memory - the DLL will regularly check if it's still on disk, and if not, it recreates itself called something else and so on... so you think you are OK, reboot, and there it is again... These DLLs are a legitimate way of extending Windows security, but are really open to abuse by malware. You may find annoying "nag screens" coming up that you just can't get rid of.

A few strategies for when you see stuff like you did:

Do NOT try to close the windows normally (by clicking in the top right on the "X" etc.). Bring up task manager (menu bar, right-click, select task manager), select the "Applications" tab, select the app displaying the problem and then press "End Task". Or, in the Processes tab, sort by Image Name (click on that section of the title bar), find IEXPLORE.EXE (or chrome.exe), select each instance in turn, right click on the item and select End Process. In each case, if a confirmation box pops up, answer Yes to kill the task.

Firstly, get rid of rubbish on your system - this will radically speed up the following steps - do this by running CCleaner - this wonderful tool will clean out an enormous amount of complete rubbish from your system. Browsing, virus scanning etc. will be so much faster. It's great. Should be run every month or so to keep systems sane. We've seen 6Gb or more of rubbish removed from systems - in particular the internet caches for the various browsers fill up with a gadzillion tiny files that really really (really!) slow system scanning, which you are just about going to be doing a lot of...

The best single tool (IMHO) for cleaning out the rubbish left by these apps is Malwarebytes - this is free and will remove just about anything - personally, I (and my security team) feel it's better (finds and removes more rubbish) than Adaware and Spybot Search & Destroy. Adaware and SS&D are also free.

Make absolutely sure that you update the definition files for each app before you run them. Note these apps are complementary to each other - never rely on one - always use all three when dealing with something like this.

Personally, I would run Malwarebytes, then the other two. Then a full anti-virus scan using AVG Free or McAfee. Then go back to the start and run Malwarebytes etc. Continue this loop until no more positives. Reboot if/when requested as this may be needed to remove DLLs embedded in some apps.

Do the above weekly or monthly thereafter to be safe.

As an aside, it is sometimes helpful to normally run under an account without Administrator privileges - I do this for all my kids - what it means is that they can't install new s/w or cripple their PCs so easily - it also means that malicious web-based rubbish has a harder time getting inside your system.

This is a very brief tutorial - there are other tools, not for the inexperienced or faint of heart, like HijackThis etc. but unless you are certain you know what you are doing, you can wreck your system.

Some malware also seeks out anti-malware and attempts to disable it (self defense). In these cases, you might have to resort to extreme actions such as removing the disk, mounting it on another system on which the above tools are installed, and running the tools on the new system to scan the old disk (never, ever, run anything from the disk under test else you may spread the infection to the new system). Other options include booting a read-only Windows system from CD, such as BartPE, and running the tools from there. Again, really only for people who know exactly what they are doing.

HTH
Proud Mary
Mon Aug 10 2009, 06:13AM
Proud Mary Registered Member #543 Joined: Tue Feb 20 2007, 04:26PM
Location: UK
Posts: 4992
Thanks for making the effort to explain things to me, Nicko. I am using XP Service Pack 2.

It wasn't possible to bring up task manager or anything else, as the screen had frozen into a cycle so that whatever I did would bring back messages about the viruses to give me the impression that my only option was now to click the link of doom - which I assumed would immediately install malware of some kind on the computer, or even subvert the compiler so it would be impossible to detect.

When I found the computer locked up in such a way that it no longer responded to software commands to disconnect, or shut down, and even the shutdown switches on the plastic box would not switch it off, I felt that the only way I could definitely arrest the spawning hazard was to unplug the machine and disconnect the telephone line.

I did as you suggest immediately scan with AVG Free using Safe Mode to reduce possible hiding places (or so I hoped) and it found nothing amiss, and had been updated only hours earlier.

Is it possible that I still have this mutating DLL trap on board that may come to life and cause further mischief? Would it be helpful to revert to an earlier restore point?

I know from Ken Thompson that the only way to neutralize compiler attacks is by making a laborious point by point comparison with a previous state, which is really beyond the simple means and abilities of the rank novice.

Against the day of viral doom, I always have one last strategy, which is keeping all my science files in .pdf on drive E. I don't see how the dll hack could get into them, so my final stand is to copy them safely onto storage plugs, and then perform the FDISK banishing ritual, reformat and begin all over again.

There is nothing else on the computer that could not be replaced in a couple of tedious hours - XP, MS Office, Nikon Camera Control, Irfanview, Adobe Reader, AVG, Easy Capture, Helicon Focus, - all the usual stuff which can be easily replaced on a rainy evening.

I don't keep any kind of financial or private information on the PC, even if I had any, and nothing that can't be replaced once FDISK has cleansed the disk, followed by a very thorough over-writing of every sector to mash up any malignant code before reformatting, and re-loading the OS.

I'm sure this isn't the best way of dealing with it, but I am very much a computer novice, and this strategy is easy to implement and recover from.





Nicko
Mon Aug 10 2009, 08:24AM
Nicko Registered Member #1334 Joined: Tue Feb 19 2008, 04:37PM
Location: Nr. London, UK
Posts: 615
Regardless of the current state of your system, I'd run CCleaner, then Malwarebytes, then Adaware & SS&D anyway. It's just good practice... Oh, and make sure your firewall (you are using a firewall?) is also fully up to date. We advise most home users to use an external router, such as a Netgear DG834 or similar. This keeps most "probe" type attacks away from your PCs and home network, so dramatically reducing external attacks. You may think that no-one is interested in your little-old-home-setup... but gangs building botnets are continually scanning for vulnerable machines and exposed home users are a favourite - we use "honey pots", deliberately exposed, useless but heavily monitored, hosts, to trap hackers that may be probing our networks.

Make sure you have Auto Update enabled - we always set it to update EVERY NIGHT at about 01:00 in the morning...

Note that AVG is anti-virus, Malwarebytes & the others are anti-malware, which is not quite the same thing...

If you follow the above plan, you should be ok. In 25 years of doing systems security stuff, we've only had to rebuild machines in a handful of cases. Normally, by being careful, you can recover systems 95% of the time as described. Of the remaining 5%, maybe 4.9% can be recovered by BartPE/HijackThis and other more low-level tools. If that fails, then, and only then, do we do a rebuild... Maybe 1 in 1000 is a bit on the low side, but the number we've rebuilt is in the low 10s, whereas the number we have recovered safely with most of their data is in the high 100s...
Steve Conner
Mon Aug 10 2009, 09:58AM
Steve Conner Registered Member #30 Joined: Fri Feb 03 2006, 10:52AM
Location: Glasgow, Scotland
Posts: 6706
What Nick said. Firewalls, routers, Automatic Updates, and for goodness' sake don't still be running an old version of Internet Explorer! Firefox is better because it's not written by Microsoft, and hence not integrated with the OS. But if you must use IE make sure it's version 7. The old IEs had vulnerabilities that let malicious websites install software on your machine. Try to avoid Outlook Express, too.

We've covered Winlogon trojans and how to get rid of them on the forum before. I favour a method using Process Explorer and a command window: with Process Explorer you can see which processes the malicious DLL is hooked into, and kill them, which releases the DLL to be deleted manually using the command window. Of course the system won't do a great deal once you've killed Explorer, Winlogon, Services.exe and so on, but the command prompt still works.

You do this once you've checked for autorun registry entries that will respawn the damn thing at the next boot. Regmon can help with this, by catching the trojan in the act of installing them (the ones I've seen rewrite the entries every few seconds to stop you deleting them) or you can just run all the cleaners Nick suggested and use this manual method as a last resort.

If all else fails, Windows benefits from a boot and nuke now and again, if you have all your data backed up properly (which you do of course smile ). But beware that a backup strategy that includes the Windows installation can back up the virus too, and reinstall it when you restore the system.

Or do what I did, buy a Mac. I have no idea how MacOS works, but that's the beauty of it, I don't need to know smile
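An added example, not code from this thread or from any 4hv member, that turns the two explanations above into one triage script: Nicko's point that the rogue installs a GINA/winlogon extension DLL that stays mapped in winlogon.exe even after it is deleted from disk, and Steve's Process Explorer method of finding which process the DLL is hooked into and checking the autorun registry entries that respawn it. It assumes an elevated PowerShell prompt on the suspect Windows machine. The registry locations are the documented XP/2003 Winlogon hook points (the GinaDLL value and Winlogon\Notify\<package>\DLLName) plus the standard Run/RunOnce keys; the function names Resolve-ImagePath and New-Finding and the "Suspicious" heuristic (file missing, no valid Authenticode signature, or outside %SystemRoot%) are this example's own.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on the
# suspect Windows machine. Key and value names are the documented Winlogon hook points;
# the function names and the "Suspicious" heuristic are this example's own.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RunKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-ImagePath {
    # Turn a registry value ("C:\dir\x.exe" /arg, x.exe /arg, or a bare DLL name)
    # into the file path that will actually be loaded.
    param([string]$Value)
    $v = $Value.Trim()
    if (-not $v) { return $Value }
    $end = $v.IndexOf('"', 1)
    if ($v.StartsWith('"') -and $end -gt 1) { $v = $v.Substring(1, $end - 1) }
    else { $v = ($v -split '\s+')[0] }
    $v = [Environment]::ExpandEnvironmentVariables($v)
    if (-not (Split-Path -Path $v -IsAbsolute)) {
        # winlogon.exe resolves a bare DLL name against the system directory.
        $v = Join-Path -Path $env:SystemRoot -ChildPath ('system32\' + $v)
    }
    return $v
}

function New-Finding {
    # One row per hook: where it was found, what it points at, and whether it deserves
    # a closer look (file missing, no valid signature, or outside %SystemRoot%).
    param([string]$Source, [string]$Name, [string]$Path)
    $exists = Test-Path -LiteralPath $Path -PathType Leaf
    $signed = $false
    if ($exists) {
        $signed = (Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid'
    }
    $inSystemRoot = $Path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{
        Source       = $Source
        Name         = $Name
        Path         = $Path
        Exists       = $exists
        Signed       = $signed
        InSystemRoot = $inSystemRoot
        Suspicious   = (-not $exists) -or (-not $signed) -or (-not $inSystemRoot)
    }
}

$findings = @()

# 1. GinaDLL: if the value exists at all, msgina.dll has been replaced. Legitimate with
#    some third-party logon products, otherwise exactly the hook Nicko describes.
$gina = (Get-ItemProperty -Path $Winlogon -Name GinaDLL -ErrorAction SilentlyContinue).GinaDLL
if ($gina) { $findings += New-Finding 'Winlogon\GinaDLL' 'GinaDLL' (Resolve-ImagePath $gina) }

# 2. Winlogon\Notify: every subkey names a DLL that winlogon.exe loads at logon
#    (XP/2003; Vista and later dropped notification packages, so this is usually empty there).
foreach ($sub in (Get-ChildItem -Path "$Winlogon\Notify" -ErrorAction SilentlyContinue)) {
    $dll = (Get-ItemProperty -Path $sub.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
    if ($dll) { $findings += New-Finding 'Winlogon\Notify' $sub.PSChildName (Resolve-ImagePath $dll) }
}

# 3. Run / RunOnce values: the autorun entries Steve describes being rewritten every few
#    seconds. Run the script twice a minute apart and diff the output to catch that.
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $label = ($key -split ':')[0] + '\' + (Split-Path -Path $key -Leaf)
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $findings += New-Finding $label $p.Name (Resolve-ImagePath ([string]$p.Value))
    }
}

# 4. What winlogon.exe has mapped right now. A DLL deleted from disk but still loaded
#    (Nicko's "held open by winlogon" case) shows up here with Exists = False.
try {
    foreach ($m in (Get-Process -Name winlogon -ErrorAction Stop).Modules) {
        $findings += New-Finding 'winlogon.exe (loaded)' $m.ModuleName $m.FileName
    }
} catch {
    Write-Warning "Could not list winlogon.exe modules (is this prompt elevated?): $_"
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Read the "Suspicious" column as "look closer", not as proof: on older Windows many genuine system files are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report them as NotSigned. The useful signal is the combination: a Notify or Run entry pointing at a randomly named DLL outside system32, or a module in section 4 that section 2 no longer lists, is the respawning hook both posters describe. To check a disk mounted on a clean machine, as Nicko suggests, load its hive with `reg.exe load HKLM\Suspect D:\Windows\System32\config\SOFTWARE`, point the two key variables at HKLM:\Suspect\..., and ignore the InSystemRoot column, since it compares against the clean machine's %SystemRoot%.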
Proud Mary
Mon Aug 10 2009, 10:42AM
Proud Mary Registered Member #543 Joined: Tue Feb 20 2007, 04:26PM
Location: UK
Posts: 4992
I have the free version of ZoneAlarm, Nick, but hadn't heard of the other programmes you mention except AdAware. Still, there's no time like the present for finding out. I'll report back later Nick, as I am determined to get the first of my Iron Man X-ray experimental series in the project section today.

I have my AVG auto updates daily in my elongated lunch hour, which puts me in the mood for a spot of technical writing talking up the products of the Capacitor Manufacturer's Association. You can sex up glass capacitors by rabbiting on about space probes, you can link large can capacitors to ideas of male prowess ("I like the man who likes me enough to buy me Evox Rifa") but you try it with some dreary little chip cap that no one can see without a magnifying glass and all you can do is link them to is the dreamy silvery wash of flow soldering, gently caressing a PCB board, while the aromatic fragrance of flux suffuses the air like an exotic incense in the harems of - erm - uh - or do I mean wearying economic arguments for using them, such as the goal of making the total component cost of a consumer "hi-fi" less than 1% of the retail price and such dull stuff you look forward to not merely a more extended lunch hour but a more extensive one than the day before. Night comes on like a coma and you are stuck on the writing of a blurb on the unique combination of lead pitch, hole pitch and component pitch of a slapper capacitor to be handed out by bikini bimbos at a trade fair, and suddenly you see it in exactly the terms the manufacturer wants to sex up his one-time single-use product. You think what 'slapper' means in English slang, and the words "Fever Pitch" come back at you like an echo from an empty concrete bunker, the carmine finger nails of some veiled Arabian beauty lingering on the tumescent titanium case of the capacitor etc etc etc....
Nicko
Mon Aug 10 2009, 11:01AM
Nicko Registered Member #1334 Joined: Tue Feb 19 2008, 04:37PM
Location: Nr. London, UK
Posts: 615
ProcessExplorer, and indeed anything from Mark Russinovich, falls into the same bracket of tools as HijackThis & RegEdit etc. i.e. pretty low level, and for the vast majority of users, a second or third line of attack. They are complex, and you really need to know what you are looking at. Having said that, a lot of SysInternals tools form part of our standard recovery CD wink

Steve McConner wrote ...

Or do what I did, buy a Mac. I have no idea how MacOS works, but that's the beauty of it, I don't need to know smile

Cheap shot smile We have Macs too - let's not pretend for an instant that they & other Unix variants are somehow invulnerable to such attacks - Apple regularly issue updates to address security issues as well. It's just that Macs reflect a tiny proportion of the total computer population and are therefore less attractive to the hackers - simple cost/benefit analysis shows that limited resources are best directed to the cheapest win...

Personally, I'm completely agnostic wrt operating systems and hardware - they are simply tools of my trade - FWIW, at home I don't have a Mac, but I have a bunch of WinTel boxes, some Unix systems, an Alpha/AXP running OpenVMS, a Solaris box and a huge bunch of embedded systems (mostly Atmel-based). Probably other stuff too, that I can't remember - I think the SAN in the loft is Unix-based, but not sure which version. I know my Netgear router is Unix for sure, as they publish the source code (you can download it from the Netgear web site). My fridge & heat pump are both web-enabled, and running embedded Unix, as is the phone on my desk (Avaya VoIP).
Proud Mary
Mon Aug 10 2009, 11:13AM
Proud Mary Registered Member #543 Joined: Tue Feb 20 2007, 04:26PM
Location: UK
Posts: 4992
Thanks for your interesting insights, Steve.

WINDOWS ISN'T FEELING VERY WELL

I do in fact use Mozilla Firefox already as you have suggested, and find it very good and stable.

I've had reason to do FDISK quite a few times over the years, and have always had the subjective impression that Windows runs noticeably faster and better in a totally clean install on a blank disc, and then over time it seems to grow weary and sluggish, as if tired out, but I've never understood how this can be possible. Cleaning rubbish out of the registry seems to make no difference to this slow decay, nor regular defragmentation and other routine data hygiene actions.

I do only have an elderly computer with a 1200MHz Athlon processor and 512Mb RAM, but as this is a constant, I don't understand the slow decay of Windows which you seem to have noticed too.

My knowledge of computing is pretty much 'special needs - remedial' muddling through rather than having any real understanding of what changing one programme element will have upon the whole.

I don't like the whole MS monopoly, its premature marketing of faulty products, and its mendacity to normal, healthy market competition, so I'd change to Linux were it not for the difficulties I had some years ago in getting all the peripherals to work with it - something no doubt due to my very slight knowledge of the subject, but a very real hurdle nonetheless.

Anyway, I'm fed up with it all today, and must go and eat my lunch alone in the park because I have Pig 'Flu, and so must avoid others to the best of my ability until I am no longer infectious.

_____________________________________ __________________________

Nicko, I did in fact try HijackThis some time last year, but am afraid to say I found it too difficult for me - information somehow incompatible with the saurian brain.

One of the great things about 4HV is the enthusiasm many members have for paleo-electronics, the techno-fossils of the great Thermionic Age which can be brought roaring back to life like dinosaurs resurrected from a speck of DNA in Jurassic Park. So there is a cosy niche for me here, Pig Flu and all, which would be denied me on the more IT-centric electronics forums. I think in an analogue way, Nick, and fear the day when people can relate to other hominids only in the context of the Windows environment.
Steve Conner
Mon Aug 10 2009, 11:26AM
Steve Conner Registered Member #30 Joined: Fri Feb 03 2006, 10:52AM
Location: Glasgow, Scotland
Posts: 6706
Nicko wrote ...

It's just that Macs reflect a tiny proportion of the total computer population and are therefore less attractive to the hackers
I know that this is why Macs and Linux don't get viruses, but it's still a fact that they don't. Well almost. I once saw a Linux box that I maintained get hacked and used to host phishing sites. The culprit was a weak ssh password: I accidentally misconfigured samba so that when you changed the SMB password, it changed the Unix one, too.

Windows slowly decays because it's based on the silly concept of having the OS and all programs store their configuration in a single database, the registry. As time goes on, the registry bloats, slowing down every program that has to access it, which is to say, every program on the system. Our IT technicians had serious problems with this, because thousands of students could use a single computer over the course of a semester, and the registry would end up containing a user profile for every one of them. They ended up using DeepFreeze to trash everything whenever the machine was rebooted.

And again, this is why you need to nuke the whole system from orbit and reinstall all the programs to cure it. The registry gets deleted and rebuilt from scratch. All other system restore methods go to great lengths to protect the registry, because that's where everything is!

*nix traditionally kept configuration in hundreds of .rc files hidden in dozens of places around the system, so it solved this problem, at the expense of never being able to find the setting you wanted to change. The cyber equivalent of Douglas Adams' "Beware Of the Leopard" filing cabinet.

Anyway, Windows for business, Mac for pleasure smile
Proud Mary
Mon Aug 10 2009, 11:45AM
Proud Mary Registered Member #543 Joined: Tue Feb 20 2007, 04:26PM
Location: UK
Posts: 4992
Whilst Steve was writing his last, I realized I had not responded to Nicko, so added an appendix addressed to him to avoid double posting.