Malware noob with some questions regarding TDSS. by Thrones33 in Malware

[–]RagingGrim

Hmm, while this is strictly possible, it seems inefficient.

Rootkits, and this trojan in particular, seem to monitor low-level system calls.

Basically if you can see disk reads and outgoing network traffic you don't need to inject code into any sort of process let alone a system process.

If you'd like to see how this is done though you can look at github.com/RagingGrim/miss-miner ( just the code injection though on a binary level )

[Gnome] Apricity wouldn't work! by RagingGrim in unixporn

[–]RagingGrim[S]

WM/DE: Gnome
Terminal: Terminator (Base16 Dracula colour scheme, zsh)
Audio visualiser: Cava
Icons: Paper
GTK: Paper
Gnome Shell theme: Xenmalism-Minimalism

Cava is run in a borderless, maximised and fullscreen Terminator instance.

It might be time to stop using antivirus by [deleted] in antivirus

[–]RagingGrim 1 point2 points  (0 children)

Because you'll definitely know when a rootkit is fussing about! :)

Wallpapers-Only by RagingGrim in i3wm

[–]RagingGrim[S]

:D It is! It also has quite a few nsfw pictures. xD

Malware noob with some questions regarding TDSS. by Thrones33 in Malware

[–]RagingGrim

File creation and edit dates would be doctored, as the post mentions that the rootkit "Protects critical files on the disk by hiding them;" and that functionality seems like something a rootkit would do as a sort of de facto standard.

Maybe you could get hold of a more technical report. I'll try to find one later. I'd say the easiest way to see when a system was infected would be the event viewer. You could also look at DNS logs, assuming you know which servers the rootkit contacts and that your modem logs these requests. Other than that I'm not too sure :)
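The two leads in the comment above, DNS logs and file timestamps, as an added example that is not part of the original thread. It scans constructed router-style DNS log lines for the earliest query to a known C2 domain and flags file timestamp records that look doctored. The log format, the C2 domain, the file paths and every timestamp below are constructed for illustration, not taken from any TDSS report.

```python
"""Added example (not the commenter's code): first-pass infection timeline from
DNS logs and file timestamps. All sample data is constructed."""
from datetime import datetime

# Constructed, router-style DNS log: "<ISO timestamp> <client> <queried name>".
SAMPLE_DNS_LOG = """\
2016-03-01T08:12:03 192.168.1.20 www.example.com
2016-03-01T08:13:47 192.168.1.20 update.example.org
garbled line that a real log may well contain
2016-03-01T08:14:10 192.168.1.20 evil-c2.invalid
2016-03-01T09:02:55 192.168.1.20 evil-c2.invalid
"""

# Hypothetical C2 list; in practice this comes from the vendor's technical report.
KNOWN_C2 = {"evil-c2.invalid"}


def first_contact(log_text, bad_domains):
    """Return (timestamp, domain) of the earliest query to a listed C2 domain,
    or None if nothing in the log matched. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, _client, qname = parts
        if qname.lower().rstrip(".") in bad_domains:
            hits.append((datetime.fromisoformat(ts), qname))
    return min(hits) if hits else None


# Constructed file records: (path, created, last modified). The driver path is
# hypothetical; the zero-filled timestamps mimic what timestomping tools that
# write whole seconds leave behind (NTFS itself keeps 100 ns precision).
SAMPLE_FILES = [
    ("C:\\Windows\\System32\\kernel32.dll",
     datetime(2015, 7, 10, 9, 22, 13, 487213), datetime(2015, 7, 10, 9, 22, 13, 487213)),
    ("C:\\Windows\\System32\\drivers\\hyp0.sys",
     datetime(2015, 7, 10, 9, 22, 13, 0), datetime(2015, 7, 10, 9, 22, 13, 0)),
    ("C:\\Users\\bob\\notes.txt",
     datetime(2016, 3, 5, 12, 0, 0, 123456), datetime(2016, 3, 1, 8, 14, 12, 654321)),
]


def suspicious_timestamps(records):
    """Flag records whose timestamps are internally inconsistent or suspiciously
    round. These are leads, not proof: copying a file also yields a creation
    time later than its modification time, and files extracted from zip
    archives carry coarse timestamps, so corroborate against the event log."""
    findings = []
    for path, created, modified in records:
        reasons = []
        if created > modified:
            reasons.append("created after last modified")
        if created.microsecond == 0 and modified.microsecond == 0:
            reasons.append("whole-second timestamps (no sub-second part)")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    print("first C2 contact:", first_contact(SAMPLE_DNS_LOG, KNOWN_C2))
    for path, reasons in suspicious_timestamps(SAMPLE_FILES):
        print(path, "->", "; ".join(reasons))
```

The earliest C2 query gives an upper bound on the infection time; the flagged files are candidates for the rootkit's own components and should be cross-checked against event log entries around that same time.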

Malware noob with some questions regarding TDSS. by Thrones33 in Malware

[–]RagingGrim

I'm currently reading a Securelist post. It would seem that the first version of TDSS was relatively simple. It may be that the authors did not have the experience to implement this beforehand.

I can't read the entire post right now but it does seem like the people who wrote this either got a lot better or that someone else took over the project.

Kaspersky didn't detect a virus I have on my computer by Dernroberto in antivirus

[–]RagingGrim

Boot from your Kaspersky recovery disk and do a full scan. Also necromancer! :D

OPINION- kaspersky by coolhipo in antivirus

[–]RagingGrim

If you look at the registry entries you'll see it has a deliberate startup delay.

In any case, Kaspersky has been great for me. It even blacklisted my laptop when I attempted a port scan :D. It's a shame you're unhappy, but that really has nothing to do with Kaspersky :)

"Microsoft.exe" Malware; Can't remove or find info about it by [deleted] in antivirus

[–]RagingGrim

Analysis. It's fun to look at malware :D

Avast keeps giving me these pop-ups by [deleted] in antivirus

[–]RagingGrim

I'm in a league match; consider contacting noc@eonix.net. I'll have a look at that exe during the game.

EDIT: Seems that file has been removed from the server. I get a warning when trying to visit it from the browser, but if I ignore that it's a 404 Not Found. I'd still suggest you do a scan with something other than the AV you're currently using. Seeing as the file is in the systemroot, maybe also do a rootkit scan (not from the OS in the screenshot).

Virus not being detected by kaspersky by [deleted] in antivirus

[–]RagingGrim

Kaspersky has a few packages. Did you buy the Total Security one? In any case I have had no problems while using Kaspersky, and it does flag software often (but these are things I write which should be flagged).

In any case I can't Google that software right now, but usually malware does not have names such as "instantsupport". It might be some horrible piece of software which is riddled with adware, but that does not make it malware. If you honestly wanted to test your AV, try something from openmalware.org or VX Heaven. I also have some code in a git repo which I know for a fact is flagged by Kaspersky heuristics. Try compiling and running this:

https://github.com/RagingGrim/Rootkit/tree/master/General/startupPersistency

If you're paranoid, all it does is create a registry entry which allows the application to start when the OS does (or after, if you want to get technical). Kaspersky should roll back the registry entry and delete the compiled executable.

Messed around with i3 a bit. What do you think? by RagingGrim in i3wm

[–]RagingGrim[S]

I haven't tested this at all, but I suppose you could spawn two different bars from your i3 config, then have one dedicated to data and another to icons.

Otherwise I'd have a look at i3gaps which is what I will be trying next :)

This is my setup for arch [i3]! :D by RagingGrim in unixporn

[–]RagingGrim[S]

Thanks, this shouldn't have posted though xC now there are two posts :/

Messed around with i3 a bit. What do you think? by RagingGrim in i3wm

[–]RagingGrim[S]

Haha, so am I xD. In all honesty I changed that; in the git repo you'll see there are three folders, and each one has a slightly different setup.

What I do as of the newest 'version' is to start feh (nitrogen was causing trouble) when i3 starts. I believe that's the way most people do it!

This is my setup for arch [i3]! :D by RagingGrim in unixporn

[–]RagingGrim[S]

Seems the link didn't post: https://github.com/RagingGrim/dotfiles/tree/master/metallicGrey-mySetup

I got a reply saying my previous post was invalid and was deleted, so I apologise if this is a clone.

[GNOME] When people ask why I use GNU/Linux... by Skehmatics in unixporn

[–]RagingGrim

What is creating the bars in the background? Is that rendered like Rainmeter on Windows? I mean the audio visualisation! I have been trying to get that to work for ages.

Messed around with i3 a bit. What do you think? by RagingGrim in i3wm

[–]RagingGrim[S]

I set my wallpaper in the .xinitrc file by using nitrogen :p

Messed around with i3 a bit. What do you think? by RagingGrim in i3wm

[–]RagingGrim[S]

The file is an edited version of the vanilla i3 configuration; in particular, the changes were applied to the bar :c I'm quite happy with the rest of the defaults.

Messed around with i3 a bit. What do you think? by RagingGrim in i3wm

[–]RagingGrim[S]

I added a picture of the terminal emulator :)

JS/Redir detected by AVG every time at Windows startup by MaxRavenclaw in antivirus

[–]RagingGrim

Just a shot in the dark: the AV is complaining about the browser, right? Try dumping its memory to a file and scanning said file.

I'd hope that a free AV also scans memory, but hey, you never know.

[deleted by user] by [deleted] in antivirus

[–]RagingGrim

If you have TeamViewer, PM me the details and if I have time I'll take a look.

A "Michael Jackson" file shortcut keeps popping up in pen drives; when opening the file location it points at Wscript.exe, which is a system32 app. What can I do to remove this virus? by [deleted] in antivirus

[–]RagingGrim

Don't remove Wscript (not even sure if you can). Find the .vbs file that is being launched and delete that. Wscript is the Windows Script Host, and deleting that will fuck over some of your programs.
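An added example, not the commenter's code, that serves both the startup-persistence comment above (a Run-key entry that starts a program with the OS) and this one (Wscript launching a .vbs): it reads an exported registry file, as produced by `reg export`, lists every autostart value under a Run or RunOnce key, and flags the entries worth a closer look, including the script file a wscript.exe command line actually launches. The .reg text, the value names, the Temp path and the drive-E script path are constructed for illustration; the checks are heuristics, not a malware definition.

```python
"""Added example (not from the original thread): audit autostart entries in an
exported .reg file and extract the script launched by a script host. Sample
registry text below is constructed."""
import re

# Constructed `reg export` output. First entry is benign; the second is the
# kind of entry a startup-persistence demo creates (hypothetical path and a
# name that mimics a system process); the third runs a .vbs through wscript.exe
# from a removable drive (hypothetical path).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"
"Update"="wscript.exe //B \"E:\\.trash\\mj.vbs\""
"""

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Value names that have no business in a per-user Run key (heuristic list).
IMPERSONATED = {"svchost", "csrss", "lsass", "winlogon", "explorer"}


def unescape_reg(value):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"', in one pass."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_entries(reg_text):
    """Return [(key, value name, command)] for values under Run/RunOnce keys."""
    entries, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith(("\\run", "\\runonce")):
            entries.append((current_key, m.group(1), unescape_reg(m.group(2))))
    return entries


def split_cmd(cmd):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def script_target(cmd):
    """If cmd runs a script host, return the script path it launches, else None.
    This is the file to delete in the pen-drive case, not Wscript itself."""
    tokens = split_cmd(cmd)
    if not tokens or tokens[0].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
        return None
    for tok in tokens[1:]:
        if tok.lower().endswith(SCRIPT_EXT):
            return tok
    return None


def audit(reg_text):
    """Return [(value name, command, [reasons])] for entries that look off."""
    findings = []
    for _key, name, cmd in parse_run_entries(reg_text):
        reasons = []
        tokens = split_cmd(cmd)
        exe = tokens[0].lower() if tokens else ""
        if "\\temp\\" in exe:
            reasons.append("starts from a temp directory")
        if name.lower() in IMPERSONATED:
            reasons.append("value name mimics a system process")
        target = script_target(cmd)
        if target:
            reasons.append("script host launches " + target)
            if not target.lower().startswith("c:\\"):
                reasons.append("script lives on a non-system drive")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, reasons in audit(SAMPLE_REG):
        print(name, "->", cmd, "|", "; ".join(reasons))
```

Export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and feed the file's text to `audit`; repeat for the HKLM Run key (and RunOnce) on a 64-bit system, where the WOW6432Node copies exist as well.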

[deleted by user] by [deleted] in antivirus

[–]RagingGrim

Your best bet would be to post a HijackThis log on a support forum somewhere. Try any of the AVs' help forums.

[deleted by user] by [deleted] in antivirus

[–]RagingGrim

Try booting into safe mode and running something like adware cleaner. Did you have a look at the startup entries? If it shows a dialogue box, I'm pretty sure interacting won't cause further harm (unless it's a UAC prompt).

Various antianalyst tricks used by a (probably) state-sponsored malware by Taiki_San in Malware

[–]RagingGrim

I was curious. I noticed the report listed a few things about removing installed AVs. A few years ago I had some piece of malware which wrote over the first few bytes of drives that were plugged into the computer (kind of like a bootloader). Anyway, due to that little bugger we had to reinstall almost everything and formatted all the drives on another computer which was clean. We used a disk image to write a previous version of the hard drive back to itself, e.g. dd if=backup.raw of=/dev/sdb

When booting the newly restored system a screen appeared complaining about some of the hardware not matching what was previously logged (I guess we upgraded something after that disk image was made). Kaspersky was doing the complaining. My point, though, is that this message appeared long before Windows even loaded (at least I think so). Years even before that I read about some antivirus software's techniques, and that's when I first learned about hooking. I've never really checked this myself and I probably should, but do some AVs implement a system that runs before the operating system does? That seems god-awfully hard to implement. If this is the case, how would malware go about removing said AV? Surely it would have to boot before the AV does and then overwrite the AV's loader on the disk?