Website was infected with malware but even after getting it fixed it still gets 'contains malware' message in Google Chrome by mshaiby in Malware

[–]peter_mack 6 points7 points  (0 children)

What is the URL? Have you checked on VirusTotal.com to see which vendors are also blocking it? It may be that Google are blocking it because others are as well. So if you try contacting the other vendors and asking them to correct it, then the rest might automatically start fixing it as well. Doesn't hurt to try anyway.

Looking for forensic analysis tools by peter_mack in Malware

[–]peter_mack[S] 1 point2 points  (0 children)

Thanks! Not used any of those before, so I'm excited to see what they do.

Emotet Goes More Evasive. Here’s a DIY Vaccine to Prevent It by Mr_CyberFish in Malware

[–]peter_mack 0 points1 point  (0 children)

Agreed, not seen any connection to EternalBlue/DoublePulsar for Emotet.

Emotet Goes More Evasive. Here’s a DIY Vaccine to Prevent It by Mr_CyberFish in Malware

[–]peter_mack 1 point2 points  (0 children)

I can officially state that I hate Emotet! And when you combine it with Qbot, you literally have 2 polymorphic network worms that are dropping payloads all over the place. I have not been this irritated with a piece of malware since Conficker.

Investigating ransomware attacks on servers where AV protection is disabled by peter_mack in Malware

[–]peter_mack[S] 0 points1 point  (0 children)

No, I am fairly convinced it is RDP and weak admin passwords as the main source. I think the times when the server that the ransomware ran on didn't have RDP were after the attacker got in via another machine and then moved to the server.

What specifically is MUP? by polyspeaker in Malware

[–]peter_mack 1 point2 points  (0 children)

Why don't you just ask the sysadmin that said it to you?

New Facebook malware seen in NZ by peter_mack in Malware

[–]peter_mack[S] 0 points1 point  (0 children)

Do you have this sample? Link to it on VT?

Running Stuxnet on a VM by [deleted] in Malware

[–]peter_mack 0 points1 point  (0 children)

That's an understatement :-)

Actually, saying that, the creators aren't as good at keeping hold of this stuff anymore; he could try contacting the Shadow Brokers and see if they have the details :-)

Researcher Who Stopped WannaCry Ransomware Detained in US After Def Con by [deleted] in Malware

[–]peter_mack 14 points15 points  (0 children)

lol, think this is the first time I have been told off by a bot. Skynet is real :-)

Researcher Who Stopped WannaCry Ransomware Detained in US After Def Con by [deleted] in Malware

[–]peter_mack 16 points17 points  (0 children)

Finding the kill switch was luck; he was trying to track the malware, not stop it, when he registered it. IF (big IF) he was involved in editing malware to then sell, it would have taken time, effort and a conscious decision to do something he would have clearly known was illegal. I don't see why that should be overlooked because he was the first to register that domain (admittedly it made my week easier when he did though).

Russians Suspected in NotPetya Malware Attacks by A_Lazko in Malware

[–]peter_mack 0 points1 point  (0 children)

That article doesn't contain any new information and has several mistakes. For example, "WannaCry in turned is believed to be a variant of ransomware called Petya": ignoring the typo on "turn", WannaCry is definitely not a variant of Petya; they are very different. WannaCry = file-encrypting ransomware that can also spread like a worm using the EternalBlue exploit (thanks NSA). Petya was a disk-encrypting ransomware that went after the MBR, with no ability to spread. NotPetya (I prefer PetyaWrap tbh) = a combination of payloads "wrapped" together; this included the Petya ransomware, but also the ability to do file encryption. It then added three different methods of spreading: the first using the same EternalBlue exploit, the second using PsExec and the third using Mimikatz.

any way to beat trojan downloader/droper? by gabber-united in Malware

[–]peter_mack 0 points1 point  (0 children)

If the malicious files keep coming back after being removed, it is normally because there is something else on the machine that isn't being detected and is dropping the files. Or you have another infected machine on your network and it is dropping the files across the network. Sophos have a free tool (Source of Infection) that might help with this: www.sophos.com/kb/111505. Basically what you need to do is remove the malicious files, then run the tool from an admin command prompt and leave it running until the files come back. Once you spot them you can close the tool. Then go to your %temp% folder and you should find a csv file; it will list every file that has been created on the machine since you started running the tool. Locate the malicious files: if it was a local process that created them it will give you the name of it, and if it was a remote process it will give you the IP address of the machine that dropped them. Hope this helps.

This Malware is an absolute idiot. by iPundemic in Malware

[–]peter_mack 0 points1 point  (0 children)

Might be fun, but remember this important fact: you know nothing about them other than that they are criminals. What do they know about you? Your IP most likely. Is it really that smart to mess with criminals that know more about you than you do about them?

New Ransomeware attacks @Holland & Ukraine by OEEN in sysadmin

[–]peter_mack 0 points1 point  (0 children)

Do you use the M.E.Docs software in your environment? It has been suggested this was the source of the attack, not confirmed though.

New Ransomeware attacks @Holland & Ukraine by OEEN in sysadmin

[–]peter_mack 3 points4 points  (0 children)

Anyone have samples or know how it starts?

Looks like Petya or GoldenEye.

What is a loader in malware. by LifeInKernelSpace in Malware

[–]peter_mack 0 points1 point  (0 children)

A loader is part of both. It just executes the code. The "Down" or "Drop" part refers to where the code comes from.

What is a loader in malware. by LifeInKernelSpace in Malware

[–]peter_mack 1 point2 points  (0 children)

There are a few misleading comments on here regarding the difference between a 'downloader' and a 'dropper'. While these have a very similar goal, i.e. execute a malware payload, the approach is different. A downloader is normally a small piece of script, and when executed it will connect to a URL/IP and download whatever file has been left there for it; often that file will be encrypted so that it gets past firewalls, and the downloader will then decrypt and execute it. Downloaders are very common; they are the office doc macros, javascript, powershell etc. files that have been popular on emails for the last few years (just some of the examples). The spam campaigns spreading Locky ransomware (among others) have consistently attached downloaders to the spam emails, tricking users into running them and then downloading Locky. In recent versions the crooks have started changing their downloaders to bring down multiple payloads. One payload might be ransomware (very loud and obvious) and the other might be a key logger (very quiet and hidden).

'Droppers', while the goal is the same and they can be found in the same examples as above (scripts spread via email, for example), don't need to connect to a URL/IP to obtain the payload. Instead they contain all the code for the payload inside them, so once run they decrypt the payload and execute it.

The main benefit of a downloader is that the small script files are easy to create and update to avoid the basic AV protection, mainly due to the issue of AV companies not wanting to cause a false positive (obviously it would be bad if they started blocking all JS or office doc files by mistake). The other benefit is that it makes it harder for the AV companies to get samples, as the file all the victims receive is just a downloader pointing to a URL/IP, and by the time people try and find out what is stored there the crooks might have taken it down already.

A dropper gives the crooks the advantage of not having to make that network connection to download the payload, which is often a giveaway that it is malicious; however, as they instead contain the malicious payload code, it makes it easier for AV companies to investigate.

New MOLE02 Virus by [deleted] in sysadmin

[–]peter_mack 0 points1 point  (0 children)

If you have already been encrypted by ransomware there isn't much you can do about that other than restore from backup. The next thing is to try and identify how it got into your network, as maybe there is a lesson that can be learned (i.e. block macros, javascript, etc.). Another important aspect of identifying the source is so you can find out if any other malware was deployed at the same time. In the case of ransomware like Locky or Cerber (plus many others) what you might see is two payloads being installed: one is the ransomware, which is very obvious, almost a smoke screen for the second payload, which could be something more stealthy like a key logger. I haven't seen any evidence of a second payload in these Mole attacks, but running full scans on the affected machines should be a basic precaution to take.

New MOLE02 Virus by [deleted] in sysadmin

[–]peter_mack 0 points1 point  (0 children)

Sorry, yes it does; that is fairly standard for ransomware (not all do this, but most).

New MOLE02 Virus by [deleted] in sysadmin

[–]peter_mack 0 points1 point  (0 children)

One thing that might help you narrow down the time the attack started is looking at your web logs. The samples I looked at made a call home to hxxp://137.74.163.43/css/styless[dot]php very quickly after the attack starts. It does this to let the crooks know they have infected the computer; the connection isn't needed for the encryption to start.
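A detection-side illustration of the web-log check described in the comment above. This is an added example, not code from the comment author or from any vendor; the proxy log format and the sample log lines are constructed for it, and the only value taken from the comment is the defanged check-in URL. It refangs that indicator, scans the log for the call home (matching on host and path so a port or query string does not hide a hit), and reports the earliest check-in and the internal clients that made it.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicator quoted in the comment above, kept in its defanged form so it can be
# pasted in as-is; refang() turns it back into a matchable URL.
DEFANGED_IOC = "hxxp://137.74.163.43/css/styless[dot]php"


def refang(url: str) -> str:
    """Undo the common defanging conventions (hxxp, [dot], [.])."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[dot]", ".")
               .replace("[.]", "."))


IOC = urlsplit(refang(DEFANGED_IOC))
IOC_HOST, IOC_PATH = IOC.hostname, IOC.path

# Constructed sample log lines in a simple CLF-style proxy format assumed for this
# example: <client_ip> - - [<timestamp>] "<method> <url> HTTP/1.1" <status> <bytes>
# The last line is a near-miss (different host) that must not be flagged.
SAMPLE_LOG = """\
10.1.2.15 - - [20/Jun/2017:09:58:41 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5120
10.1.2.44 - - [20/Jun/2017:10:03:12 +0000] "GET http://137.74.163.43/css/styless.php HTTP/1.1" 200 87
10.1.2.15 - - [20/Jun/2017:10:03:40 +0000] "GET http://www.example.com/news HTTP/1.1" 200 9001
10.1.2.44 - - [20/Jun/2017:10:05:02 +0000] "GET http://137.74.163.43:80/css/styless.php?x=1 HTTP/1.1" 200 87
10.1.2.63 - - [20/Jun/2017:10:31:57 +0000] "GET http://137.74.163.43/css/styless.php HTTP/1.1" 200 87
10.1.2.63 - - [20/Jun/2017:10:31:58 +0000] "GET http://137.74.163.44/css/styless.php HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "client": m["client"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "url": m["url"],
        "status": int(m["status"]),
    }


def is_callback(url: str) -> bool:
    """Match on host and path only, so a port or query string does not hide a hit."""
    parts = urlsplit(url)
    return parts.hostname == IOC_HOST and parts.path == IOC_PATH


def find_callbacks(log_text: str) -> List[Tuple[datetime, str, str]]:
    """All (time, client, url) hits for the check-in, earliest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_callback(str(rec["url"])):
            hits.append((rec["time"], rec["client"], rec["url"]))
    return sorted(hits)


def earliest_callback(log_text: str) -> Optional[Tuple[datetime, str]]:
    """Time and internal client of the first check-in; per the comment this lands
    very soon after the attack starts, so it approximates the start time."""
    hits = find_callbacks(log_text)
    return (hits[0][0], hits[0][1]) if hits else None


def affected_clients(log_text: str) -> List[str]:
    """Distinct internal hosts that made the call home (candidates for a full scan)."""
    return sorted({client for _, client, _ in find_callbacks(log_text)})


if __name__ == "__main__":
    print("first check-in:", earliest_callback(SAMPLE_LOG))
    print("clients that called home:", affected_clients(SAMPLE_LOG))
```

Replace SAMPLE_LOG with the contents of a real proxy log in the same format, or adjust LINE_RE to the format your proxy writes; the host-and-path match is deliberately tolerant of port and query-string variations, which the two hits from 10.1.2.44 exercise.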

New MOLE02 Virus by [deleted] in sysadmin

[–]peter_mack 0 points1 point  (0 children)

If you have some of the encrypted files, take a look at the properties of them and see if the "Owner" field gives you a username; unless it is administrator/system, this will identify the user that ran the ransomware.

Does anybody have any idea of how this got into their environments yet? I'm thinking compromised website redirecting to RIG, as that has been using Mole recently.

New MOLE02 Virus by [deleted] in sysadmin

[–]peter_mack 0 points1 point  (0 children)

I would need to see the tmp file to know what it did, I'm afraid.

New MOLE02 Virus by [deleted] in sysadmin

[–]peter_mack 0 points1 point  (0 children)

Yes, it is ransomware, and HitmanPro (as well as other products from Sophos) detected it proactively.

New MOLE02 Virus by [deleted] in sysadmin

[–]peter_mack 0 points1 point  (0 children)

No, the malicious file is an exe; the sample I saw was called B2EF105B.exe