Author Topic: Catched a 0 day malware just while browsing  (Read 11282 times)


Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« on: Sat, 21 May 2011, 18:15:58 »
I was looking for an image on Google Images to put some colors in a post, then WAM!
This window pops up


Then this one


Must be a new variation of XP Home Security, since the name itself is pretty common.
I found the culprit and submitted it to a Meta Virus Search Engine.



Only one anti-malware out of 37 was able to detect something "Generic".

This little bastard breaks EXE associations and LNK associations. So Windows can't run any applications and keeps asking which application to use for the .EXE and .LNK extensions.

I thought the latest and greatest browsers were a little more robust against arbitrary code execution exploits.

In case you get hit... Here's the registry fix file
http://filext.com/WinXP_EXE_Fix.reg
In memory of smallfry 1996-2013
Boards I own, click ->
More
Ducky x2 (9008G2 Pro PBT/MX Green and Mini MX Red), Matias x2 (QP and Mini QP Dampened ALPS), Topre RealForce x4 (87U 55g/Digilog case, 103U-UW & 104UG High-Profile x2), Filco Majestouch x2 (TKL MX Blue & V2 AI 104 MX Blue), IBM-M x2 (BS & RD), Unicomp-M x5 (BS black on black x2, BS Ivory x2, QT Ultra-Classic), Deck x4 (Legend MX Black & MX Clear, Hassium & Francium w/ MX Brown), DAS III (MX Blue), KBT Pure Pro 60% (MX Red), NMB-RT8256CW+ x2 (black space invader), XArmor U9BL-S (MX Brown) given for free to someone I hate, CM X2 (Trigger/MX Green + Storm TKL/NovaTouch), TVS GOLD (MX Blue) and a many many more (NMB, DELL, MS, ATT, KeyTronic, Etc...)
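A check for the association hijack described in the post above, added here as an example and not part of the original post or the linked fix file. It assumes PowerShell 3 or later and compares the live registry against the stock Windows defaults; the per-user HKCU\Software\Classes paths are an assumption about where this kind of fake-AV typically writes its override, since that location needs no admin rights.

```powershell
# Added example: detect hijacked .exe / .lnk associations before applying a fix.
# Expected values are the stock Windows defaults for these keys.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\.lnk'                       = 'lnkfile'
}

# Per-user overrides win over the machine-wide HKLM\Software\Classes values
# when the shell resolves an association; on a clean machine these keys are
# normally absent (assumption: this is where such malware inserts itself).
$suspiciousOverrides = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile',
    'HKCU:\Software\Classes\.lnk',
    'HKCU:\Software\Classes\lnkfile'
)

function Get-DefaultValue {
    param([string]$Path)
    # GetValue('') returns the key's "(Default)" value, or $null if unset.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-FileAssociations {
    $findings = @()
    foreach ($path in $expected.Keys) {
        $actual = Get-DefaultValue -Path $path
        if ($actual -ne $expected[$path]) {
            $findings += [pscustomobject]@{
                Check    = 'DefaultValueMismatch'
                Path     = $path
                Expected = $expected[$path]
                Actual   = $actual
            }
        }
    }
    foreach ($path in $suspiciousOverrides) {
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Check    = 'UserOverridePresent'
                Path     = $path
                Expected = '<absent>'
                Actual   = (Get-DefaultValue -Path $path)
            }
        }
    }
    return $findings
}

$findings = @(Test-FileAssociations)
if ($findings.Count -eq 0) {
    'EXE/LNK associations match the stock Windows defaults.'
} else {
    'Association anomalies found (compare with a known-good .reg export before fixing):'
    $findings | Format-Table -AutoSize
}
```

Run it from a PowerShell prompt on the suspect machine; it only reads the registry, so it is safe to run before and after applying a fix to confirm the fix took effect.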

Offline bionicroach

  • Posts: 121
Catched a 0 day malware just while browsing
« Reply #1 on: Sat, 21 May 2011, 18:33:23 »
That sucks, man.  What browser were you using when it happened?

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #2 on: Sat, 21 May 2011, 19:26:13 »
Quote from: bionicroach;349613
That sucks, man.  What browser were you using when it happened?

Opera 11.11, released a couple of days ago, supposedly to fix arbitrary code execution.

I'm glad it was an "obvious" intrusion. Although I always keep an eye on the running processes and services, something more subtle could have fooled me long enough to cause more damage.

Offline bionicroach

  • Posts: 121
Catched a 0 day malware just while browsing
« Reply #3 on: Sat, 21 May 2011, 19:35:06 »
Wow.  Yeah, that's what scares me: the malware that is NOT an obvious scam like this to fool grandmas into giving their credit card numbers out to "clean" their computer.  I'm worried about rootkits that sit there silently listening in the background and phoning home.

If you have a router with logging capabilities, it's not a bad idea to review them once in a while and see if there is traffic happening that you don't expect to see.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #4 on: Sat, 21 May 2011, 20:28:15 »
I tried to relocate the page where I got hit... Couldn't :-(

Oh well.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #5 on: Sat, 21 May 2011, 20:31:48 »
My Java JRE was 6u13... Just updated to 6u25, might have been a java exploit... Who knows.

Offline keyb_gr

  • Posts: 1384
  • Location: Germany
  • Cherrified user
    • My keyboard page (German)
Catched a 0 day malware just while browsing
« Reply #6 on: Sun, 22 May 2011, 16:12:32 »
Any popular kind of plugin = larger target area, hence why my main browser is pretty "naked" in that regard (Java and Flash are only on by default in the secondary browser, which does all the "multimedia" stuff). Besides, you must have missed that GH got infected with some malware using a combination of Java and Windows Help Center vulnerabilities not too long ago.
Hardware in signatures clutters Google search results. There should be a field in the profile for that (again).

This message was probably typed on a vintage G80-3000 with blues. Double-shots, baby. :D

Offline bionicroach

  • Posts: 121
Catched a 0 day malware just while browsing
« Reply #7 on: Sun, 22 May 2011, 17:19:59 »
If you are a Google Chrome user, this tweak works pretty well to help stop plugins from running without your consent.

Offline DaemonRaccoon

  • Posts: 333
Catched a 0 day malware just while browsing
« Reply #8 on: Sun, 22 May 2011, 17:26:10 »
Windows XP? Well there's your problem.
122-Key Model F 6110345 1985-03-01 | Model M SSK 1391472 1991-01-22 | Rosewill RK-9000 v1 | KBC Poker X | Filco FKBN87M/PWE2

Offline Zamorph

  • Posts: 211
Catched a 0 day malware just while browsing
« Reply #9 on: Sun, 22 May 2011, 18:31:50 »
Quote from: DaemonRaccoon;349998
Windows XP? Well there's your problem.

XP is the best OS

Offline bionicroach

  • Posts: 121
Catched a 0 day malware just while browsing
« Reply #10 on: Sun, 22 May 2011, 18:50:23 »

Offline ricercar

  • * Elevated Elder
  • Posts: 1697
  • Location: Silicon Valley
  • mostly abides
Catched a 0 day malware just while browsing
« Reply #11 on: Sun, 22 May 2011, 19:16:45 »
I got that same-ish security center intrusion the other week on Windows7 and Firefox, calling itself Win7 Home Security. Since I use Windows 7 Enterprise, not Home, it was pretty easy to recognize as bogus.

It's a browser exploit, not an OS exploit. I got it surfing on Google images; no binaries were downloaded or executed by me. Made me really mad even when I realized it was relatively easy to clean up (assuming one has another machine to research and download the fixes, since it disables the target machine pretty thoroughly).

Beware: The legit Windows Security Essentials did NOTHING to protect from this intrusion.
« Last Edit: Sun, 22 May 2011, 19:19:05 by ricercar »
I trolled Geekhack and all I got was an eponymous SPOS.

Offline keyboardlover

  • Posts: 4022
  • Hey Paul Walker, Click It or Ticket!
    • http://www.keyboardlover.com
Catched a 0 day malware just while browsing
« Reply #12 on: Sun, 22 May 2011, 19:55:31 »
The latest stuff I'm seeing is all the same - JavaScript browser exploits which download Java executables to your local machine. Since most OSes have a JVM running, this is pretty scary. Means it doesn't matter what OS you use.

Make sure you use virus protection and it's up to date!

Offline bionicroach

  • Posts: 121
Catched a 0 day malware just while browsing
« Reply #13 on: Sun, 22 May 2011, 20:02:33 »
Quote from: ricercar;350028
Beware: The legit Windows Security Essentials did NOTHING to protect from this intrusion.

I'm seeing that more and more at work.  It's scary -- albeit kind of funny -- that our IT security guy tortures our poor end users with all manner of hellish Windows group policy lockdowns, performance destroying anti-virus utilities, etc, and we *still* get constant malware infestations.

The best defense is a solid backup strategy, including system image restore-from-bare-metal type of backups.  I rarely bother with trying to remove malware anymore, unless it's for fun / challenge reasons.  It's so much faster to just roll back to the most recent known-good system image.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #14 on: Sun, 22 May 2011, 20:08:08 »
Quote from: DaemonRaccoon;349998
Windows XP? Well there's your problem.

What are you using smart arse?

I bet I can get a load of CVEs for it as well.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #15 on: Sun, 22 May 2011, 20:15:35 »
Quote from: ricercar;350028
It's a browser exploit, not an OS exploit. I got it surfing on Google images; no binaries were downloaded or executed by me. Made me really mad even when I realized it was relatively easy to clean up


Quote from: keyboardlover;350035
The latest stuff I'm seeing is all the same - JavaScript browser exploits which download Java executables to your local machine. Since most OSes have a JVM running, this is pretty scary. Means it doesn't matter what OS you use.

Make sure you use virus protection and it's up to date!


You guys nailed it. NOT AN OS PROBLEM - But a BROWSER PROBLEM. As I wrote in the OP, that 0day sh!t didn't have any problems bypassing the AV line. 36 of the 37 up-to-date mainstream AVs didn't catch it. The only one that did is well known for its false positives and didn't have much credibility.
 
Quote from: bionicroach;350036
I'm seeing that more and more at work.  It's scary -- albeit kind of funny -- that our IT security guy tortures our poor end users with all manner of hellish Windows group policy lockdowns, performance destroying anti-virus utilities, etc, and we *still* get constant malware infestations.

The best defense is a solid backup strategy, including system image restore-from-bare-metal type of backups.  I rarely bother with trying to remove malware anymore, unless it's for fun / challenge reasons.  It's so much faster to just roll back to the most recent known-good system image.


That's Yoda-grade advice :-) I feel master-level Force ;-)

Offline bhtooefr

  • Posts: 1624
  • Location: Newark, OH, USA
  • this switch can tick sound of music
    • bhtooefr.org
Catched a 0 day malware just while browsing
« Reply #16 on: Tue, 24 May 2011, 16:05:47 »
Myself, I find that the best way to stay safe is to require all plugins to have user intervention to start. Opera can do it pretty easily, and Firefox can at least do Flashblock.

I've gotten owned by a bad Flash ad on a legit site, FFS.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #17 on: Tue, 24 May 2011, 16:29:43 »
Quote from: ripster;350868
Methinks Scott Adams also likes Amy Pond.

Do you own this trackball as well? ;-)

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #18 on: Tue, 24 May 2011, 21:32:14 »
Quote from: ripster;350883
You're doing something wrong if you aren't staring at her legs.

You got a virus?


I like legs with a little more meat on them.

Figure Skaters ... Best to my taste.

Offline Zamorph

  • Posts: 211
Catched a 0 day malware just while browsing
« Reply #19 on: Wed, 25 May 2011, 09:49:11 »
Can anyone recommend a program to back up files?

Offline bionicroach

  • Posts: 121
Catched a 0 day malware just while browsing
« Reply #20 on: Wed, 25 May 2011, 10:07:58 »
Quote from: Zamorph;351257
Can anyone recommend a program to back up files?


For file-based backup, my current favorite tool is CrashPlan.

http://www.crashplan.com/

Works on Windows, Mac, and Linux and is free for local or peer-to-peer backup.  Online subscription is pretty reasonable for unlimited data.

For smaller amounts of data, Dropbox is a decent backup solution as well, but it's really more suited for file sync than backup, IMHO.

For whole-system image-based backup, I use Acronis True Image.  My only complaint about it is that their new releases tend to be somewhat buggy.  Best to wait a while before upgrading each version.  Other than that, I haven't had any problems with it and it has saved my bacon a number of times.

A similar product that is also good is Macrium Reflect.  Not quite as full-featured as Acronis, but seems to work fine in my testing.

For a super lightweight solution, another nice imaging tool is Drive Snapshot.  The cool thing about it is that it is only like a 500k executable that requires no install.  (Unless you want the Windows file associations to browse its backup archives in Windows Explorer.)  The only real drawback is that it doesn't have any built-in scheduling capabilities for automatic backup, but if you're handy with batch files / powershell / etc, that's pretty trivial to do on your own.

And of course if you're using Windows 7 (Professional or greater, I think...?) full system image backup capability is included in the OS.

Offline bionicroach

  • Posts: 121
Catched a 0 day malware just while browsing
« Reply #21 on: Wed, 25 May 2011, 10:16:49 »
Quote from: ripster;351262
I use Acronis but am about to give SyncBack a whirl after seeing a writeup in Maximum PC.


SyncBack is a very nice tool.  I can only recommend the paid version of their product, though.  My quibble with the freeware one is that I noticed that it did not support Unicode characters in filenames when some of my backups were failing with bizarre error messages that made me think my hard drive was failing.  I emailed their tech support and got a snarky reply about how their product page for the freeware version *clearly* stated Unicode support wasn't included in the freeware version and that they couldn't add it because the third party library the product was based on didn't support it.  I argued that they could still put a decent error message in so as not to confuse the user, but they didn't agree and said they shouldn't even reply to my email since they don't offer support for their freeware.  This miffed me because I have been a paying customer of their flagship SyncBack Pro product for YEARS, and I mentioned this in my initial email...I also recommended that maybe they should just get rid of the third party codebase and release a crippled version of the Pro product to replace the old freeware (easier maintenance, I would think). But no go.

Offline keyb_gr

  • Posts: 1384
  • Location: Germany
  • Cherrified user
    • My keyboard page (German)
Catched a 0 day malware just while browsing
« Reply #22 on: Wed, 25 May 2011, 11:10:14 »
Something I just remembered: If your browser does any sort of "smart" prefetching, it may not be the worst idea to turn that off.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #23 on: Wed, 25 May 2011, 17:05:14 »
Quote from: ripster;351262
I use Acronis but am about to give SyncBack a whirl after seeing a writeup in Maximum PC.


Backup - I'm with Acronis too... I've heard a few horror stories about it, but so far it's been good to me.

For file sync, I have been using SuperFlexible for many years. Very, very happy with it.
http://www.superflexible.com/

Offline iMav

  • geekhack creator/founder
  • Location: Valley City, ND
  • "Τα εργαλεία σας είναι σημαντικά."
Catched a 0 day malware just while browsing
« Reply #24 on: Thu, 26 May 2011, 05:56:09 »

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #25 on: Thu, 26 May 2011, 08:48:14 »
Quote from: iMav;351572
McAfee Online Backup of course!


Sigh, yet another product converted into a service... At that pace, we will rent word processor services and pay as we type...

I don't like to send all my data I don't know where, managed and accessed by I don't know who.

It takes less time to bring an external drive with TBs of data to a friend than to do the same over the wire.
 
But of course, offsite storage is a good $$$solution$$$... Corporations do it all the time (Iron Mountain, SunGard, etc.)

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #26 on: Thu, 26 May 2011, 09:00:15 »
No longer 0 day... The good old reactive AV solution has reacted.
The culprit now has a name:

...\Local Settings\Temp\jar_cache105771765234917354.tmp - a variant of Win32/Kryptik.NZU trojan
...\SANDBOX\Virus\tjb.exe - a variant of Win32/Kryptik.NZU trojan

Given the JAR crap (Java ARchive), we can also conclude it was a Sun Java exploit. Thank you, Mr Unix.
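An added triage example for the jar_cache artefact named in the detection above; it is not from the thread or from any AV vendor. It assumes PowerShell 4 or later (for Get-FileHash), lists jar_cache*.tmp files in the current user's temp directory, and flags any that start with the PE "MZ" signature rather than the ZIP "PK" signature a genuine Java archive would carry, which is the case the Win32 detection on a jar_cache file implies.

```powershell
# Added example: triage Java plug-in cache files left in %TEMP%.
# A real JAR is a ZIP container (first bytes "PK"); a Windows executable
# starts with "MZ". A jar_cache file that is really a PE image is a
# dropped payload, not a downloaded applet, and is worth submitting to a
# multi-engine scanner.

function Get-FileKind {
    param([string]$Path)
    # Read only the first four bytes so large or locked files are cheap to inspect.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] 4
        $n = $fs.Read($head, 0, 4)
    } finally {
        $fs.Close()
    }
    if ($n -lt 2) { return 'empty' }
    if ($head[0] -eq 0x4D -and $head[1] -eq 0x5A) { return 'PE (MZ)' }
    if ($head[0] -eq 0x50 -and $head[1] -eq 0x4B) { return 'ZIP/JAR (PK)' }
    return 'unknown'
}

function Get-JarCacheArtifacts {
    param([string]$TempDir = $env:TEMP)
    # jar_cache<digits>.tmp is the naming scheme the Java plug-in uses for
    # downloaded archives; the timestamp helps correlate with the browsing session.
    Get-ChildItem -LiteralPath $TempDir -Filter 'jar_cache*.tmp' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                SizeBytes = $_.Length
                Written   = $_.LastWriteTime
                Kind      = Get-FileKind -Path $_.FullName
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$artifacts = @(Get-JarCacheArtifacts)
$artifacts | Sort-Object Written -Descending | Format-Table -AutoSize
$artifacts | Where-Object { $_.Kind -eq 'PE (MZ)' } | ForEach-Object {
    "Suspicious: $($_.Name) is a Windows executable, not a JAR (SHA256 $($_.SHA256))"
}
```

The SHA256 column is what you would paste into a multi-engine lookup; hashing rather than uploading avoids executing or re-transmitting the sample from the infected machine.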

Offline DarthBaiter

  • Posts: 13
Catched a 0 day malware just while browsing
« Reply #27 on: Thu, 26 May 2011, 20:39:54 »
My son's system just got hit with that "Windows Security Center" crap.
Good thing I warned him about suspicious windows, not to click on anything and just to shut the page down. He ran restore... not sure if that's gonna solve anything.
Anyway, he tried to search for "windows security center" on Google on the infected system and it kept returning a fake Google page... forgot to take a snapshot of it.
"GERONIMO E.K.I.A."
"Fluke...I'm yo faddah....come join me on the Dockside...."

Offline ricercar

  • * Elevated Elder
  • Posts: 1697
  • Location: Silicon Valley
  • mostly abides
Catched a 0 day malware just while browsing
« Reply #28 on: Fri, 27 May 2011, 09:41:16 »
Yes, this trojan disables your browser's trustworthiness: it doesn't give valid results. I found that a second, uninfected computer was needed to research and download the fixes.

Offline Crypt

  • Posts: 65
Catched a 0 day malware just while browsing
« Reply #29 on: Fri, 27 May 2011, 14:39:30 »
How does malware work on Win7?  Would UAC disallow this exe from running without permission?

Offline DaemonRaccoon

  • Posts: 333
Catched a 0 day malware just while browsing
« Reply #30 on: Fri, 27 May 2011, 15:00:10 »

Offline DesktopJinx

  • Posts: 98
Catched a 0 day malware just while browsing
« Reply #31 on: Fri, 27 May 2011, 15:16:34 »
Surfing Google Image search results is not exactly low-risk behavior. Sure, malware could be anywhere, but like mugging, there are places where it's much more likely, and behaviors that make you much more likely to get hit.

BTW, if you want a pretty safe browser for running in less-safe neighborhoods, run Internet Explorer 64-bit. Classic safe-by-incompatibility. Almost no plug-ins support it.
M15 for life

Offline cromartie

  • Posts: 12
Catched a 0 day malware just while browsing
« Reply #32 on: Fri, 27 May 2011, 18:58:19 »
You can always run your browser inside Sandboxie to protect against drive-by malware or vulnerabilities. What happens inside the sandboxed environment will stay inside the sandbox until the sandbox is closed, after which the changes made are deleted and everything reverts to its original state. Also good for testing some random programs.

Linky http://www.sandboxie.com

Offline Hydroid

  • Posts: 158
    • http://justin.tv/hydr0id
Catched a 0 day malware just while browsing
« Reply #33 on: Sat, 28 May 2011, 07:39:04 »
I don't run any live AV software; I prefer to keep a few discrete scanners, and I use them more to try to find hidden files when I discover a virus myself. I'm the only one who uses my computer, so I'm fairly well acquainted with what usually runs. I'm not really an expert, but I'm learning, and when it's only my computer at risk I don't see any reason not to. I do have backups of anything I wouldn't want to lose, although my life wouldn't end if I lost it all anyway. I don't keep that much important stuff only on my computer.

To keep yourself clean you could always run a minimal OS in a virtual machine for browsing. I've got a couple of virtual machines set up, although I don't use them for that. I'm going to try that Sandboxie thing out though. It looks interesting.
« Last Edit: Sat, 28 May 2011, 07:41:50 by Hydroid »
Intel Core i7 870 @ 2.93GHz | Corsair H50 | 16GB G.Skill DDR3 | Asus P7P55D-E Pro | Galaxy nVidia GeForce GTX 460 SLI
OCZ 60GB SSD | 2x 1TB Seagate Barracuda RAID-0 | Samsung Blu-Ray Burner | Corsair HX-850W | 2x BenQ G2420HD 24"


Leopold FC200R Tenkeyless Blue | Ducky DK9008(B) Blue | Qsenn DT-35 Black PS/2 Rubber Dome |2x Razer Lycosa USB | Microsoft 500 PS/2

Help me support and grow e-sports below!!!
What Happens in Starcraft -- Vlogs -- Twitter

Offline drsauced

  • Posts: 107
Catched a 0 day malware just while browsing
« Reply #34 on: Sat, 28 May 2011, 12:13:40 »
I used to not run AV either, for a long time.  The last couple of years I have, though, because teh nasties have really gone through the roof.  One workstation at work also got this Fake AV thing last week and it was left running for a day.  It called friends, a few of which were quite resistant to MalwareBytes (and Symantec SEP did nothing at all), so the nucular option was exercised.
Filco Ninja 104 Tactile w/Imsto PBT caps | Deck Legend Ice Linear | FC200RT Clear w/Danger Zone | Topre 87U 45g EK | '89 & '93 1391401 | Ping is Life

Offline DesktopJinx

  • Posts: 98
Catched a 0 day malware just while browsing
« Reply #35 on: Sat, 28 May 2011, 14:13:53 »
Also, don't be Admin.

Offline BucklingSpring

  • Thread Starter
  • Posts: 1613
Catched a 0 day malware just while browsing
« Reply #36 on: Sun, 29 May 2011, 18:54:47 »
Quote from: cromartie;352223
You can always run your browser inside Sandboxie to protect against drive-by malware or vulnerabilities. What happens inside the sandboxed environment will stay inside the sandbox until the sandbox is closed, after which the changes made are deleted and everything reverts to its original state. Also good for testing some random programs.

Linky http://www.sandboxie.com


Good advice... I do use a similar product when I look for trouble. Bufferzone from Trustware... http://www.trustware.com/download/
I even paid for it before it became totally free for home use. Pretty happy with it.

You can run pretty much anything, including browsers. When the sh!t hits the fan, you click "empty" BufferZone and all your troubles go away.