Discussion:
From Russia Without Love
(too old to reply)
David Kaye
2014-11-17 00:37:41 UTC
Permalink
Raw Message
My first zombie! I have a customer who downloads everything she can find,
especially programs that claim to fix everything that is not wrong with her
computer.

Anyhow, I'm dealing with a for-real zombie that continues to write about 1
MB/s of data to temp directories. I can only stop it in safe mode. What's
curious about this is that when running in regular mode MalwareBytes keeps
blocking its attempt to connect to 95.215.1.57. Guess where that lands --
RUSSIA. The poor thing it trying to phone home for further instructions and
just can't get through to the mother ship.

By the way, the processes involved include powershell, dplaysvr, and of
course our fave, svchost. Even looking at tools that attempt to show entry
points I can't get a handle on exactly what is launching this stuff.

So, this is so full of intrigue. Are the javascripts trying to infiltrate
the Pentagon and using this poor computer as part of its attack network?

All in all, I can get most stuff to work on the computer, so this zombie
likely would have gone undetected if it had been written better. I'm
assuming that it keeps writing more temp files because it's being denied
access to the internet. Looking them over, I'm seeing scripts that attempt
to link to sites with randomized names or names that sound legit but aren't
quite (such as "mirosoft.com", etc.

This infection has apparently come to the fore only in the last few days,
and somebody has written some tools which may or may not fix the problem. I
have no idea who the author is, so I'm going to have to do lots of research
before I use them.

Or wipe the partition and start over....

International intrigue!




---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com
David Kaye
2014-11-17 00:38:44 UTC
Permalink
Raw Message
Windows 7, by the way. Win 7 seems to attract a much more sophisticated
kind of malware than XP did.




---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com
Jeff Liebermann
2014-11-17 03:10:57 UTC
Permalink
Raw Message
On Sun, 16 Nov 2014 16:38:44 -0800, "David Kaye"
Post by David Kaye
Windows 7, by the way. Win 7 seems to attract a much more sophisticated
kind of malware than XP did.
That's because Win 7 is the biggest target. From Oct 2014:
<http://en.wikipedia.org/wiki/Usage_share_of_operating_systems>
Win 7 53%
XP 17%
Win 8/8.1 17%
OS/X 7%
Vista 3%
Other 1.7%
Linux 1.4%
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
David Kaye
2014-11-17 04:40:57 UTC
Permalink
Raw Message
Post by Jeff Liebermann
<http://en.wikipedia.org/wiki/Usage_share_of_operating_systems>
Yeah, I see that on the hits to the SF Games website. XP is shrinking fast.
One interesting thing is browsers. Opera now has twice the users as Mozilla
(1.2% to 0.5% based on hits to my site).

It's just that with all the bells and whistles one would think Win 7 would
be near bulletproof, but when it gets an infection it's a bear to deal with.
Had one come into a POS system a few weeks ago and it was murder.




---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com
Bhairitu
2014-11-17 19:45:06 UTC
Permalink
Raw Message
Post by David Kaye
My first zombie! I have a customer who downloads everything she can find,
especially programs that claim to fix everything that is not wrong with her
computer.
Anyhow, I'm dealing with a for-real zombie that continues to write about 1
MB/s of data to temp directories. I can only stop it in safe mode. What's
curious about this is that when running in regular mode MalwareBytes keeps
blocking its attempt to connect to 95.215.1.57. Guess where that lands --
RUSSIA. The poor thing it trying to phone home for further instructions and
just can't get through to the mother ship.
By the way, the processes involved include powershell, dplaysvr, and of
course our fave, svchost. Even looking at tools that attempt to show entry
points I can't get a handle on exactly what is launching this stuff.
So, this is so full of intrigue. Are the javascripts trying to infiltrate
the Pentagon and using this poor computer as part of its attack network?
All in all, I can get most stuff to work on the computer, so this zombie
likely would have gone undetected if it had been written better. I'm
assuming that it keeps writing more temp files because it's being denied
access to the internet. Looking them over, I'm seeing scripts that attempt
to link to sites with randomized names or names that sound legit but aren't
quite (such as "mirosoft.com", etc.
This infection has apparently come to the fore only in the last few days,
and somebody has written some tools which may or may not fix the problem. I
have no idea who the author is, so I'm going to have to do lots of research
before I use them.
Or wipe the partition and start over....
International intrigue!
I see all kinds of hits from foreign countries on my gateway firewall. I
wonder if US hackers are into RF'ing these by sending them off to places
like the NSA or maybe angry oligarchs in their own country. Wouldn't
that be hoot!

Loading...