Discussion:
Trojan:Win32/Tesch.B Entry Point?
David Kaye
2014-08-13 20:58:52 UTC
Does anybody know how the Trojan:Win32/Tesch.B malware would get into a
computer? This is appearing (and being quarantined) on a point of sale
computer in a business. There are security cameras on the registers and
nobody was doing anything but ringing up sales for the entire day prior to
the appearance (and removal) of this threat.

Given that Trojan:Win32/Tesch.B is one of the more malicious infections, I'm
really curious to know how it's getting in. Wireless is turned off.

Ideas anyone?
Thad Floryan
2014-08-13 21:43:08 UTC
Post by David Kaye
Does anybody know how the Trojan:Win32/Tesch.B malware would get into a
computer? This is appearing (and being quarantined) on a point of sale
computer in a business. There are security cameras on the registers and
nobody was doing anything but ringing up sales for the entire day prior to
the appearance (and removal) of this threat.
Given that Trojan:Win32/Tesch.B is one of the more malicious infections, I'm
really curious to know how it's getting in. Wireless is turned off.
Ideas anyone?
Hi David,

Microsoft has some ideas here:

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%25253aWin32%25252fTesch.B&ThreatID=-2147283565

and here:

http://www.microsoft.com/security/portal/mmpc/help/infection.aspx

Want a wild-ass guess? "Something new" using a deliberately
manipulated and infected credit or debit card in the POS' card
reader that's obviously connected to the POS' computer. This has
already happened as can be seen by Googling:

how can a point-of-sale terminal be infected with malware

with these as the first several hits:

https://www.us-cert.gov/ncas/alerts/TA14-002A

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-system-breaches.pdf

http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-attacks

http://www.secureworks.com/cyber-threat-intelligence/threats/point-of-sale-malware-threats/

http://www.techradar.com/us/news/world-of-tech/target-s-point-of-sale-terminals-infected-with-malware-1215021

and 1000s more.

Thad
Jeff Liebermann
2014-08-13 22:33:09 UTC
On Wed, 13 Aug 2014 13:58:52 -0700, "David Kaye"
Post by David Kaye
Ideas anyone?
Some of my customers got clobbered by this one earlier this year:
<http://www.pcworld.com/article/2084160/malware-delivered-to-thousands-via-ads-on-yahoocom.html>
I had to remove all the Yahoo toolbars and add-ons in order to get rid
of it. It's probably fixed by now, but someone may have cloned the
idea.

According to this article "90% of unknown malware is delivered via the
web" and not via email. I believe it:
<http://www.infosecurity-magazine.com/news/90-of-unknown-malware-is-delivered-via-the-web/>
The various auntie-virus programs seem to do well at catching malware,
but not browser based attacks.

In March(?), I had several weather stations, with no human operators,
get infected within a few days of each other. It had to be something
in the installed software. I would delete the malware, but it would
come back after a few hours or days. It turned out to be a local
small footprint web server, which was checking for updates from a
server, with no authentication. Someone had hijacked the domain,
redirected the update checks, and replaced the updates with malware
and spyware.

Reverse engineering the successful malware infections on my customers'
machines yielded an odd pattern. Most were the result of clicking on
fake updates and popups. A few were from bogus email. However, the
largest number were from web exploits that attacked via Adobe Acrobat
and Adobe Flash, both of which have a built in Javascript engine with
little security. Both seem to be getting better with updates, but
rather than become part of a damage control exercise, I've removed
Flash from most machines, and replaced Acrobat with PDF-Xchange. If
Flash is needed, they use the built in Flash player in Google Chrome.
I'm not tracking all my customers' machines, but the ones that
previously gave me the most problems have not had any malware infections
for about 6 months.

Assuming nobody is web browsing or checking email on the POS
terminals, I would check what programs are doing automagic updates and
temporarily kill those updates to see if that's the culprit. Also,
look (again) for a root kit, which can be difficult to find. Also use
Gparted or other partition editor to see if there are any mysterious
partitions that don't belong.
--
Jeff Liebermann ***@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
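The weather-station incident above is the classic unauthenticated-update failure: the client trusts whatever the update domain returns, so whoever controls the domain controls the software. The following is an added illustration, not code from the post or from any vendor's updater, of the minimal checks that would have rejected the swapped updates. It uses HMAC-SHA256 with a key pinned in the client as a stand-in for the asymmetric signature a real updater should use; the key, version numbers, payloads and "server responses" are all constructed sample data.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data (hypothetical): the key the client ships with,
# and the version currently installed on the weather station.
PINNED_KEY = b"example-shared-key-do-not-reuse"
INSTALLED_VERSION = 3


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side (simulated): HMAC-SHA256 over the canonical JSON manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_response(payload: bytes, version: int, key: bytes) -> dict:
    """Build what an update server would return: manifest + tag + payload."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    return {"manifest": manifest, "tag": sign_manifest(manifest, key), "payload": payload}


def unauthenticated_update(response: dict) -> Optional[bytes]:
    """The pattern from the post: install anything newer that the server sends."""
    if response["manifest"]["version"] > INSTALLED_VERSION:
        return response["payload"]
    return None


def authenticated_update(response: dict, key: bytes = PINNED_KEY) -> Optional[bytes]:
    """Hardened check: authenticated manifest, no rollback, payload hash matches."""
    manifest = response["manifest"]
    # 1. The manifest must carry a valid tag under the pinned key; a hijacked
    #    domain cannot produce one without the key.
    if not hmac.compare_digest(sign_manifest(manifest, key), response.get("tag", "")):
        return None
    # 2. Anti-rollback: never install an older (possibly vulnerable) version.
    if manifest["version"] <= INSTALLED_VERSION:
        return None
    # 3. The payload must hash to the value the authenticated manifest names,
    #    so a swapped payload behind a replayed manifest is also rejected.
    payload_hash = hashlib.sha256(response["payload"]).hexdigest()
    if not hmac.compare_digest(payload_hash, manifest["sha256"]):
        return None
    return response["payload"]


# Constructed scenarios: a genuine v4 update, a hijacked server that swaps the
# payload but replays the genuine manifest, a hijacked server that forges its
# own manifest with the wrong key, and a replayed old (v2) genuine update.
GOOD = make_response(b"weather-station-v4.bin (constructed)", 4, PINNED_KEY)
HIJACKED_SWAP = dict(GOOD, payload=b"swapped payload (constructed)")
HIJACKED_FORGED = make_response(b"swapped payload (constructed)", 5, b"not-the-pinned-key")
ROLLBACK = make_response(b"weather-station-v2.bin (constructed)", 2, PINNED_KEY)

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("swap", HIJACKED_SWAP),
                       ("forged", HIJACKED_FORGED), ("rollback", ROLLBACK)]:
        print(f"{name:9s} unauthenticated={unauthenticated_update(resp) is not None}"
              f"  authenticated={authenticated_update(resp) is not None}")
```

The unauthenticated path installs both hijacked responses because they merely claim a higher version; the authenticated path accepts only the genuine v4 update. In production the tag would be a signature verified with a public key baked into the client, so that compromising the update server does not yield the signing capability.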
Steve Pope
2014-08-13 22:44:53 UTC
Post by Jeff Liebermann
However, the
largest number were from web exploits that attacked via Adobe Acrobat
and Adobe Flash, both of which have a built in Javascript engine with
little security.
So even if I've de-installed Javascript from my machine, Adobe is
still using it?
Steve
Jeff Liebermann
2014-08-14 15:36:14 UTC
Post by Steve Pope
Post by Jeff Liebermann
However, the
largest number were from web exploits that attacked via Adobe Acrobat
and Adobe Flash, both of which have a built in Javascript engine with
little security.
So even if I've de-installed Javascript from my machine, Adobe is
still using it?
Steve
Ummm... I think you might be mixing up Java and Javascript. They're
totally different. Javascript is a scripting language that is usually
built into an application or browser. You can easily have a dozen
programs on your Windoze machine with built in Javascript engines.
Javascript is NOT a stand alone program like Java which can be
uninstalled. You can turn Javascript off in various browsers, but you
can't uninstall it.
<http://www.alanwood.net/demos/enabling-javascript.html>
You'll probably find that disabling Javascript in a browser will also
break most complex web sites.
Steve Pope
2014-08-14 16:15:31 UTC
Post by Jeff Liebermann
Post by Steve Pope
So even if I've de-installed Javascript from my machine, Adobe is
still using it?
Steve
Ummm... I think you might be mixing up Java and Javascript. They're
totally different. Javascript is a scripting language that is usually
built into an application or browser. You can easily have a dozen
programs on your Windoze machine with built in Javascript engines.
Javascript is NOT a stand alone program like Java which can be
uninstalled. You can turn Javascript off in various browsers, but you
can't uninstall it.
Right. I am thinking of Javascript, not Java, because it's been
widely recommended that you turn Javascript off. But what I did not
realize is that by turning it off in the browser(s), it still might get
activated elsewhere.

So, I guess I'd like to figure out how to get Adobe reader / Adobe
flash to stop using it.

Steve
Jeff Liebermann
2014-08-14 18:25:46 UTC
Post by Steve Pope
So, I guess I'd like to figure out how to get Adobe reader / Adobe
flash to stop using it.
As I suggested, replace Adobe Reader with PDF-Xchange-viewer (free):
<http://www.tracker-software.com/product/pdf-xchange-viewer>
I've been using it for about 9 months. No problems and greatly
improved stability over Adobe Acrobat Reader. Also includes an OCR
"reader" feature, where you can make a scanned PDF searchable.

No clue what to do about Flash except to uninstall it. That hasn't
worked for me because there is just so much Flash content out there.
Jeff Liebermann
2014-08-14 18:40:49 UTC
Post by Jeff Liebermann
<http://www.tracker-software.com/product/pdf-xchange-viewer>
I've been using it for about 9 months. No problems and greatly
improved stability over Adobe Acrobat Reader. Also includes an OCR
"reader" feature, where you can make a scanned PDF searchable.
I just checked the preferences. Both Adobe Acrobat Reader and
PDF-Xchange viewer have a Javascript engine built in, but both can be
disabled.
Steve Pope
2014-08-14 20:54:21 UTC
Post by Jeff Liebermann
I just checked the preferences. Both Adobe Acrobat Reader and
PDF-Xchange viewer have a Javascript engine built in, but both can be
disabled.
Jeff -- thanks. So that takes care of Reader.

When Flash is invoked from IE, is it possible the "Active Scripting
Disabled" setting in IE will override Flash's attempts to run
Javascript?
Steve