Thread Author: RattleandSmoke Replies: 32

 Rootkit warnings - RattleandSmoke
Been seeing a lot of rootkits lately, so much so that I haven't had a day off for a few weeks. What is quite worrying is that both MSE and Malwarebytes often don't detect them and say the system is clean.

I am now worried about how far I am supposed to go to detect them on clients' machines when the job wasn't virus related. I am also staggered that so many of these so-called security programs miss simple things like modified hosts files, proxy redirects and DNS hijacks.

In the past the rootkit was always obvious even if it was missed because they would often cause redirects, porn links to randomly clear or your email accounts to be hacked into, but the new ones seem to be a lot quieter. So if your PC is behaving oddly it might be worthwhile checking for rootkits.

GMER is one of the best tools, but you need to understand how the OS works in order to use it properly.

TDSSKiller is another good tool.

I am just worried how this will pan out and how it will affect my job; I am not sure clients will be willing to pay £70+ for virus removal. Also formatting in many cases doesn't work either unless you clear the RAM, replace the MBR etc.

For those that don't understand a word of this, I have seen a lot of computers infected in the past few weeks when the virus scanners make the client think their machine is secure. It's only when the internet stops working that they phone me and I discover it.

I think I am going to have to write something up to give my clients regarding rootkits to explain the dangers.

Edit: so far all the machines I've seen with these problems are Windows XP 32-bit, but Vista and Windows 7 can also be infected, it's just rarer. 64-bit operating systems are now being infected with rootkits too, but I have not seen this myself yet.

Last edited by: RattleandSmoke on Mon 30 Aug 10 at 16:28
 Rootkit warnings - Zero
Well, if you have to resort to a format to get rid of an infection, it makes sense to erase the MBR as well.
 Rootkit warnings - RattleandSmoke
I do it out of practice now, but many people don't and just reinstall windows causing the rootkit to linger. It is a hidden danger. No techs like having to reformat as it is an admission of failure but sometimes it is the only commercial thing to do which makes sense.
 Rootkit warnings - Zero
Let's be honest Ratts, it's the easiest, quickest, and for the user the cheapest fix.

30 quid for an hour and a half's format and reinstall, or 120 quid for 4 hours fiddling about.
 Rootkit warnings - RattleandSmoke
I just don't charge for the fiddling about, but it is wasted time. The problem is anybody can nuke and pave and charge for it. Removing a rootkit is a completely different skill.

At least in my dead time, even if I am not making any money, I learn more about how the rootkits work; if I did N&P it would not be a learning curve. That said, I admit only last week I had to do it after spending hours trying to sort out rootkits with not much success.

Think in future I need to give clients a choice: either £60 for a full backup or reinstall and disinfection of any viruses in their data, or £xxx an hour if they didn't want it reformatted (which is quite common).

 Rootkit warnings - The Nut
Reinstalling got a lot quicker with Windows 7 (possibly Vista, but I've never done it), but reinstalling all the extra programs takes a while: Firefox, Flash, Avast, and all the other things.

Anyway I found this a few weeks ago, have not had any reason to use it yet though.

ninite.com/

Has anyone here heard of this or, even better, used it?
 Rootkit warnings - smokie
Nice idea, that ninite. Will bookmark that...
 Rootkit warnings - Tooslow
I just keep the install exes in a folder on a data partition, which would have to be reinstalled anyway if everything went belly up. Who is ninite? How do you know their versions aren't bug ridden? They're probably ok but how do you know?

JH
 Rootkit warnings - smokie
Obviously I wouldn't just use ninite without testing it a bit, or looking at reviews, but it's a neat idea, as a lot of products in their list are ones that I use. The problem with keeping the original install files is that they get out of date, unless you specifically need that version for a reason.
 Rootkit warnings - Iffy
...Will bookmark that...

I've done the same, although the bookmark might be blitzed when I come to need it.

 Rootkit warnings - smokie
Dat's what backups are for... :-)
 Rootkit warnings - Zero
If you get to the stage where you need to do a reload, I wouldn't want all my "old" progs back.

If you are rebuilding, rebuild it all with the latest versions.
 Rootkit warnings - Stuartli
Ninite looks interesting, but I think I would still rather download from the original websites.
Last edited by: Stuartli on Mon 30 Aug 10 at 23:33
 Rootkit warnings - DP
>> If you get to the stage where you need to do a reload, I wouldn't
>> want all my "old" progs back
>>
>> If you are rebuilding, rebuild it all with the latest versions.

I agree, and it's a great chance to get rid of all the crap that you no longer use.

I love the lightning speed of a freshly installed machine. There's something quite satisfying about it.
 Rootkit warnings - Victorbox

>> Also formatting in many cases doesn't work either unless you clear the RAM, replace the
>> MBR etc.

How does information get hard stored in RAM when the power supply is completely off?
 Rootkit warnings - rtj70
I assume Rattle meant memory, and static memory linked to the BIOS at that.
 Rootkit warnings - smokie
I propose it's the same as the CMOS info is stored - date and time etc - powered by the little battery. That wouldn't power your RAM though.
 Rootkit warnings - RattleandSmoke
No, but 'DIYers' often reformat their PCs to get rid of a virus; they tend to do a soft restart, thus the RAM is still powered up.

The only way to properly clear the RAM is to drain it of power, e.g. take the cord out.

It is also possible for viruses to infect the BIOS but I have never seen an example of it. I would imagine modern operating systems make that very difficult to do.

 Rootkit warnings - am I infected? - Felix
Hi,
Picking up on a rather old thread, I've got a nasty feeling our laptop might be infected. SWMBO's Hotmail account has been hacked; everyone in her address book has received an email with a link to www.healthfoodmedsguide.net which seems to be some dodgy Turkish site. A full system scan using Avast and Malwarebytes revealed nothing. I'll admit I'm no expert in this area. I want to be sensible but don't want to do anything too drastic if it's really unnecessary. I don't want to go running this TDSSKiller unless I really have to; a quick Google search suggested it might cause lots of problems. And I don't want to spend a fortune plus all the hassle of the options suggested here if they're not necessary. After all, I don't know for sure this computer's infected; she sometimes (though not often) accesses it on her phone and at work.
This is a fairly nice new laptop so really don't want to ruin it on a wild goose chase.... would appreciate any advice.
Thanks
Last edited by: Pugugly on Wed 3 Nov 10 at 22:26
 Rootkit warnings - am I infected? - Zero
It's a Hotmail password hack; there is no virus on your PC.
 Rootkit warnings - am I infected? - Felix
But surely only some kind of malware could have done that? SWMBO swears blind she's never left it logged on on a public computer. But if you're really sure then, besides changing her password (and the bank password just in case), is there anything else you'd suggest?
 Rootkit warnings - am I infected? - RattleandSmoke
I have had similar things from customers, and without inspecting every system file, which would take forever, all the tests I did do confirmed there were no viruses or rootkits on the system.

Every one of the hackings did have a fairly weak password which used a real word rather than random combinations of letters or numbers.

I believe the hackers create a separate API which connects to Hotmail and Yahoo; this means they can try loads of different passwords without it triggering the usual attempt limit.

I personally believe that Hotmail and Yahoo are not doing enough to stop these hackings.

Of course, if you're using the same email address and password for other sites' logins, if that site gets hacked then it could steal your passwords and usernames. This is a common way this is happening.

The first thing which needs to be done is to make sure she uses a very secure password. Something like:-

sxsd9343kdcfsd

It is still possible that there is a rootkit on the system, but usually you get more obvious viruses first. Has there been any recent infections? If not I would be surprised if there was a rootkit.
 Rootkit warnings - am I infected? - Felix
No, I've never had an infection, at least not one that Avast's spotted. However she does use a weak password, so I guess she needs to tighten that up. Thanks for the reassurance; I think I'll just keep a close eye on it for now. I was breaking out into a bit of a cold sweat...
 Rootkit warnings - am I infected? - AnotherJohnH
Speaking as one of the many who has had their Hotmail account password cracked (because it was a weak password), it's worth going through the settings to see if there is any residual mischief, and also a look in the "sent mail" folder.

Mine had been set to forward all incoming mail to (yet another) hacked hotmail account.

(options/email forwarding).

The biggest problem I had was getting the account back, as the password had been changed.

 Rootkit warnings - am I infected? - RattleandSmoke
Yep, in my customers' cases too the sent folder was full of all the spam. I do really believe Hotmail are not doing enough to stop this.
 Rootkit warnings - am I infected? - Roger.
On the subject of security.............................
I have just bought (!) Avast Internet Security, with firewall, web scanning, anti-virus, anti-spam, anti-rootkit etc.
It is running very well and lightly on both our laptops - one XP Home & the other Windows 7, 64 bit.
The licence covers up to THREE computers.
There is currently a deal available to members of Wilder's Security Forums :-

www.wilderssecurity.com/showthread.php?t=285920

Use the coupon code on check-out (55WILDERS2010) for a BIG discount.
I paid just 29,97 € for 12 month licence which works out at a pretty good deal for two PCs, let alone three.
 Rootkit warnings - am I infected? - John H
>> On the subject of security.............................
>> I have just bought (!) Avast Internet Security, with firewall, web scanning, anti-virus, anti-spam, anti-rootkit


www.cio.com/article/626813/Tests_Show_Consumer_Antivirus_Programs_Falling_Behind?source=rss_news
NSS Labs is an independent security software company that does not accept vendor money for performing comparative evaluations. Although it normally sells its reports, the company released the consumer anti-malware test results to the public for free.

Last edited by: John H on Fri 5 Nov 10 at 14:55
 Rootkit warnings - am I infected? - Roger.
Yes - read it here!
www.wilderssecurity.com/showthread.php?t=284754
 Rootkit warnings - am I infected? - bathtub tom
My hotmail was hijacked. I believe it was because I used the same password for an account I opened with a supplier and communicated with them via my hotmail account.
 Rootkit warnings - am I infected? - J Bonington Jagworth
Surely the solution is to ditch Hotmail? It gets a mention every time security or spam comes up...
 Rootkit warnings - am I infected? - John H
>> Surely the solution is to ditch Hotmail? It gets a mention every time security or
>> spam comes up...
>>

That does not solve PEBKAC.

The reason hotmail, gmail etc. get attacked is that they are popular with the public, and a large majority of them cannot be bothered to select secure passwords.
It does not help when someone can enter that email address at login and ask for a password reminder, and the screen pops up with a security question that the dumbo had set up, which can be answered by most of dumbo's contacts or by strangers who look up dumbo's Facebook pages.

 Rootkit warnings - am I infected? - J Bonington Jagworth
"hotmail, gmail etc"

Maybe I've been lucky, but my Gmail account is fine. It gets minimal spam, and what there is is intercepted and shoved in the appropriate folder automatically. No false positives yet!
 Rootkit warnings - am I infected? - Roger.
Gmail has been good for me, too.
99.99% of spam doesn't hit my PC.
As I have said before (yawn for those who have seen that!) I use their pop & smtp servers to send and receive mail by Mozilla Thunderbird, thus not only bypassing my ISP's mail servers, but also transmitting by SSL.
Avast! can scan SSL email by the neat trick of scanning the message in non-SSL (you have to set Thunderbird to use the ports associated with non-secure mail and tell Avast! the name of your mail servers and the SSL ports they use) and then converting it to SSL to either send or receive it.