
backdoor.rustock virus (trojan)


rugerla1


If ya get unlucky and innocently click the wrong place that happens to have been just hacked by a newish malware, yer gonna get infected no matter how careful you are.

 

A virtual machine or "disposable laptop" that you don't mind wiping and re-installing, which contains NO security sensitive information on the system, dedicated to recreational web surfing, does seem the safest alternative.

 

I've used several antivirus programs. I don't like McAfee or Norton, though many moons ago they were decent enough products. The MS Security Essentials ain't too bad really. Currently using Kaspersky included from EPB fiber account, seems to work OK. For many years I used AVG small business site license because it was only about $100 for three years, whereas Norton was about $100 per machine per year.

 

I have the puters set up to do full scans nightly, and consider myself fairly careful and paranoid about security, and run browser "near crippled" with most of the convenience features disabled. In spite of that, about a year ago I got a massive infection that almost required a wipe and reinstall on my main programming machine. I suspect I picked it up clicking on theulstermanreport.com when that site had been hacked. I don't know if that site ever got hacked, but I got the infection a few minutes after hitting that web page, and within a few days my personal web page got hacked, and I had to take down the web page and disinfect it and put it all back up. My theory is when the PC got infected, in short order they downloaded my FileZilla settings file and got the access info for my web page. Later I discovered that FileZilla doesn't encrypt passwords saved to file, and even if FileZilla DID encrypt passwords, it wouldn't help because if you get silently hacked they will just get your password next time you sign onto the site with an FTP program.

 

So I set FileZilla to never save passwords, and changed to using SFTP, and removed ALL fancy features from my website. Just dumb basic HTML, and all file permissions locked down as best I can figure out on the web site. Which has avoided re-infection of the web site so far. And I don't surf the web on work computers any more. Don't surf the web on computers that have Quicken or TurboTax files on them, or online banking or whatever. Do the financial stuff on a puter that is rarely connected to the interwebz. Do online orders on a secured puter, but ONLY online orders. Find out what you wanna buy on the disposable computer, then sign on from a secured computer just long enough to make your order, then sign off again. But even those precautions are not 100 percent secure.

 

There are very few things that can intercept and decrypt SSL traffic, so if you're careful where you put your information in, you could skip 95% of what you're doing.

Link to comment
Guest Lester Weevils

There are very few things that can intercept and decrypt SSL traffic, so if you're careful where you put your information in, you could skip 95% of what you're doing.

 

Guess you are speaking of file security against hacks, but if your computer gets hacked by a "first day virus" hacked into some "usually rock solid trusted" website that gets hacked, you can figure one of the first things a hacker will put on your now-zombiefied puter is a keyboard monitor, so if he is smart enough to hide the contagion for a while, he will get all your typed-in passwords and account numbers. Once the hacker is in, then if he is smart he is in all the way.

Link to comment

Sorry guys, I've been slammed at work and haven't been able to get back on here to respond. I'd heard complaints about Norton before, but it's what my wife had put on her laptop. I have Malwarebytes put on my desktop because our IT guy recommended it to me. I'm going to let my wife read this thread and decide on which one to go with, because I'm sure she's going to want to change now after this happening. I'm glad it happened 2 weeks before her online classes start instead of a day before they start though. Thanks everyone for all of the feedback.

Link to comment

Have you tried booting in safe mode and running the scan?

Yes, that's when it got stuck scanning the backdoor.rustock file. I just, for craps and grins, Googled it and that's when I found out that it was a Trojan. It never let me finish the scan; it would freeze up on that file every time.

Link to comment

A router and the free AVG version has worked fine for me for many years now.

 

I go way back with Norton; the best thing they ever did was the Norton Utilities for DOS days and early Windows versions. Their anti-virus stuff was always an unacceptable hit to the system, and had so many hard-to-get-rid-of fingers into the operating system it trashed as many puters as it saved. Gave up on it sometime during the first version of Windows 98, and never tried it again.

 

- OS

I used Norton on 98, also. Machine would barely crawl. Those were the good old days, weren't they? Took forever to get rid of all those fingers you mention. Put it on my wife's machine and got rid of it, too. The Avast tells me to do a boot scan when it comes upon a problem. So far, so good, but I think my wife's machine will get to try that ESET.

Link to comment

I used Norton on 98, also. Machine would barely crawl. Those were the good old days, weren't they? Took forever to get rid of all those fingers you mention. Put it on my wife's machine and got rid of it, too. The Avast tells me to do a boot scan when it comes upon a problem. So far, so good, but I think my wife's machine will get to try that ESET.

 

I can't seem to find a 5-1/4 inch floppy for my machine anymore for my modern DOS machine :ugh:

 

I can't think of any other product I've purchased where it's either outdated and obsolete, or about to be when bought brand new.

Link to comment
I use Trend Micro, have never ever had a virus on any of my comps since I have used their software, best anti-virus and security software out there. You can even go to their web site and get a free scan, and if you have their software on your comp it will let you click on a link and it will fix any of your problems right then with a click of a button, problem solved, and your comp up and running with no problems. It will also keep itself up to date automatically. Hope this helps
Link to comment

I use Trend Micro, have never ever had a virus on any of my comps since I have used their software, best anti-virus and security software out there. You can even go to their web site and get a free scan, and if you have their software on your comp it will let you click on a link and it will fix any of your problems right then with a click of a button, problem solved, and your comp up and running with no problems. It will also keep itself up to date automatically. Hope this helps

I've used Trend Micro for 10+ years. Never a single issue. I don't buy into the free stuff.

Edited by TripleDigitRide
Link to comment

I can't seem to find a 5-1/4 inch floppy for my machine anymore for my modern DOS machine :ugh:

 

I can't think of any other product I've purchased where it's either outdated and obsolete, or about to be when bought brand new.

 

I realized that over time I had accumulated so many boxes of computer parts that I was keeping "just in case someone needed something". I went through it a few months ago and found video cards with 1992 copyrights on the circuit boards. I think I did have some 5-1/4 drives in there too, along with some old modems, original Pentium motherboards, and tons of cables. I boxed it all up, and took it and a few old cases down to the local recycle center, where I cashed it all in for about $100. It probably would have been worth $1000s back in the day brand new, but it was so old now and obsolete they were worthless. I was glad to get what I got, and freed up some space in the basement.

Link to comment

Guess you are speaking of file security against hacks, but if your computer gets hacked by a "first day virus" hacked into some "usually rock solid trusted" website that gets hacked, you can figure one of the first things a hacker will put on your now-zombiefied puter is a keyboard monitor, so if he is smart enough to hide the contagion for a while, he will get all your typed-in passwords and account numbers. Once the hacker is in, then if he is smart he is in all the way.

 

Again, that's a really long way to say that you have malware on the system, which can be avoided with extremely simple steps, but it is getting off track of my prior statement concerning SSL communications.

 

If you are talking about having a trojan on the system before using the https sites, multiple systems have to fail miserably before that could even begin to be a concern.

Link to comment

If you're still trying to disinfect it, I would start with these two tools:

 

BitDefender Rescue Disk: Burn the ISO and boot from the CD. If you can, have it connected to a cabled (not wireless, if you can manage it) internet connection so it can grab new definitions and run a scan.

 

http://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html

 

For more general-purpose rescue disk work (it does antivirus too, but it's not dedicated to it like the BitDefender) I use Hiren's BootCD.

 

http://www.hirensbootcd.org/download/

Edited by BryanP
Link to comment
Guest Lester Weevils

Again, that's a really long way to say that you have malware on the system, which can be avoided with extremely simple steps, but it is getting off track of my prior statement concerning SSL communications.

 

If you are talking about having a trojan on the system before using the https sites, multiple systems have to fail miserably before that could even begin to be a concern.

 

I'm not claiming that SSL/HTTPS is completely ineffective.

 

Was just saying that it is possible to be protected to the hilt, very careful, and still get infected merely by innocently clicking on some random website that was completely secure until it got hacked the day before, with new malware that hasn't been detected by the AV community yet.

 

Once that happens, if you were recreational browsing on a mission critical work computer, then once you notice the infection you will have to stop work until the system is either disinfected or reinstalled from backup or reinstalled from scratch.

 

Once that happens, if the hack is at all competent and criminal, if you have financial data on the computer you were using for recreational browsing, some mobster from Eastern Europe will have all your financial data. If you order stuff or sign onto important websites before you notice you have been hacked, the criminal has your credit card info and/or sign-in info for business-critical sites you may have signed onto.

 

Ergo, it is at least a SLIGHT risk of avoidable troubles, by recreational browsing on work computers or computers holding sensitive data.

Edited by Lester Weevils
Link to comment

Yes, I understand how it all works; I've been working in the field for a few days. To squish the entire argument, it is fairly easy to perform virtualization hacks and take control of the host system through a guest application. NIST even goes so far as to say that any system containing protected data (classified/sensitive) that uses VM software still falls under the same regulatory controls as if the guest and host are restricted the same. VMs weren't designed for security; they were designed to utilize hardware resources more efficiently.

 

That's not where I was going with the discussion though; I was simply saying that someone can spend 6 hours a day trying to avoid an issue that will more than likely never exist.

Link to comment
Guest Keal G Seo

Just thought I would give an update on the named virus. Norton now has a live update that includes the fix for rustock...both a and b.

Just goes to show you that they are just as good as everything else out there but get caught just like everyone else by new stuff.

Edited by Keal G Seo
Link to comment

Just goes to show you that they are just as good as everything else out there but get caught just like everyone else by new stuff.

 

Maybe just shows that their heuristics aren't as good or too slow to respond as a company.

 

Quick search sees news about Norton finding (but not preventing) and failing to remove backdoor.rustock a and b from July of this year. And references to it as far back as 2008.

 

- OS

Link to comment
Guest Lester Weevils
I get the impression that all the AV companies, and many interested third parties share discoveries, so that when a threat is detected, within a short time all the AV products will have updates, though perhaps some products work better than others in preventing or repairing.

There are also false positives which are annoying, sometimes caused by too-crude detection methods. The software company I work with has had products identified as malware several times, and we have to complain to the AV companies and a few days later they remove us from the lists. Each time this happens it is real bad for customer trust.

The typical way this happens for us: some lowlife will make malware and use the same open source installer which we use to package his product. And then the antivirus company starts looking for code patterns that are part of the installer program rather than the payload inside the installer program, and starts alerting on every legitimate program in the world that happens to use the same exact version of that installer product.

Edited by Lester Weevils
Link to comment

I get the impression that all the AV companies, and many interested third parties share discoveries, so that when a threat is detected, within a short time all the AV products will have updates, though perhaps some products work better than others in preventing or repairing.

There are also false positives which are annoying, sometimes caused by too-crude detection methods. The software company I work with has had products identified as malware several times, and we have to complain to the AV companies and a few days later they remove us from the lists. Each time this happens it is real bad for customer trust.

The typical way this happens for us: some lowlife will make malware and use the same open source installer which we use to package his product. And then the antivirus company starts looking for code patterns that are part of the installer program rather than the payload inside the installer program, and starts alerting on every legitimate program in the world that happens to use the same exact version of that installer product.

 

Yep. For this reason I still "install" programs the old-fashioned way whenever possible: dump the files on the disk, give 'em a shortcut to the executable, done. Registry? Bah! Installers? Bah! It's not always possible to do that, but more often than not, these toys are unnecessary. You can always do a splash screen with a progress bar if your customers require an "installer". Thankfully Windows will tell you where it thinks the Program Files folder is, so you don't even have to look for it. I do get the occasional "how you uninstall this" but they accept the shift+delete answer.

Link to comment

I'd recommend downloading Malware Bytes http://www.malwarebytes.org/ to clean up your PC. You may need to download it from a different PC and put it on a thumbdrive to transfer it over to the infected PC.
 
For Antivirus, I use Microsoft's free Security Essentials. I've seen reports that it is not the absolute best antivirus, but I've been quite happy with it. You can't argue with the price. Plus, it is not bloated with all the crap that comes with Norton. It's just an Antivirus and does not use a ton of system resources.
 
Another trick of mine is to use virtual machines. I have a Win7 VM running on my desktop. I've configured it so that the virtual hard drive is non-persistent. In other words, when the VM is powered down, any changes that were made to the VM while it was powered up are forgotten. It goes back to exactly the way the VM was when I powered it on. That way, if I get a virus, just rebooting the VM cleans it all up. Once a month I set the disks to persistent and install patches, then set the disk back to non-persistent. I use VMware's free VM Player application to run my VMs. You can even download free, already installed and configured VMs in OSes like Linux. Just download and run the VM. If it gets crapped up, delete it and download a fresh copy.


Please explain this
Link to comment

If you can, ditch windows entirely and go to Linux.

 

I've been using computers since 1981 and the Tandy TRS-80. After leaving the TRS-80, I moved to DOS and then eventually to Windows. (I owned a couple of Macs in the past 10 years but didn't like them.) But after upgrading to Windows 8 in Oct 2012, it made everything harder to do. I put up with it for 2 months and then replaced Windows with Linux Mint 14.

 

I've since loaded Linux on four computers. It's faster, fewer hassles, and virus free. No more annoying slow-downs while the virus software checks a website or download.

 

It's been 10 months and I've had no problems with any of the four computers... three with Linux Mint 14 and one with Linux Mint 15. I'm typing this on a Linux OS laptop right now.

 

EDITED: Oh, and it's blazing fast on my old Dell that's... guessing... 8 years old.

Edited by jgradyc
Link to comment

Please explain this

 

I use the free VMware Player application and I use it to host several VMs on my desktop machine. Of course the desktop (physical) machine is subject to malware, and I do use MS Security Essentials on it, but I never go anywhere on the web, or install anything even slightly fishy on my physical machine, and I've never gotten a virus on it. I always install shareware or go randomly surfing on one of the virtual machines. If they get hosed up, no big deal, my physical desktop is safe.

 

With VMware Player, when you create a new VM, there is a .VMX file that goes along with it that is full of all kinds of settings for the VM. This is a text file that you can open in Notepad. It's not there by default, so you have to add a new line:

         scsi0:0.mode = "independent-nonpersistent"

to the file, somewhere near the top. When the VM starts up it reads this file to see how it should configure itself. It reads the line I mentioned and that tells the VM to not keep any changes made to the virtual hard drive once it is powered off. I think the Player creates another file that it uses to store any changes made to the disk while the VM is powered on. It's all done under the covers and you'll never see anything different within the VM while it is running. So, if you install anything, be it shareware, malware, patches, or anything, it is all added to this temporary disk. When the VM is powered off, it erases the temporary disk, and all that is left is the original disk, completely unchanged. So all those programs, patches, malware, etc. that were installed are just wiped away. If you boot the VM up again, it is exactly the way it was the last time you booted it up.

 

Once a month or so, I power off the VM, put a # in front of that line I mentioned above, save the file and boot the VM up. The "#" acts as a comment indicator in the file, so that line is ignored at VM bootup. Now the VM is going to remember any changes to the drive. This is when I install patches, or if there is a piece of software that I really trust that I want to install. Get everything installed, reboot once or twice for good measure, power the VM off and remove the "#" from the file. Now it's ready to be booted up again and set to forget any new changes.

 

Keep in mind that it erases all changes using this method, so it's not a good option for creating important files you want to save forever, or setting up Outlook to download emails that you want to keep. They will all be lost the next time you power off the VM. I do use the VM to download files and check them out. If they are legit, you can simply drag the files from the VM to a folder on the physical machine, where you can keep them forever.

 

If you have the extra space on your PC, you can also just create a nice clean VM and get it all set up just the way you want it, and then make a copy of it. Leave the original powered down and only use the copy. If the copy gets hosed up, just delete it and make a new copy from the original.

Link to comment
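The two posts above (the non-persistent VM setup and the monthly "put a # in front of the line" patch window) describe a manual edit of the .vmx file. The script below is an added example, not code from the thread or from VMware, that automates that toggle; it assumes the .vmx is a plain text file of `key = "value"` lines where `#` starts a comment, and uses the same `scsi0:0.mode` key the post mentions (the device name is a parameter, since other VMs may use a different disk controller).

```python
"""Toggle the VMware Player non-persistent disk line in a .vmx file (added example)."""
import re
from pathlib import Path

MODE_KEY_DEFAULT = "scsi0:0.mode"          # disk device used in the forum post
NONPERSISTENT = "independent-nonpersistent"


def _mode_line_re(key):
    # Matches '<key> = "<value>"', optionally commented out with a leading '#'.
    return re.compile(r'^\s*(?P<hash>#\s*)?' + re.escape(key)
                      + r'\s*=\s*"(?P<val>[^"]*)"\s*$')


def set_disk_persistence(vmx_text, persistent, key=MODE_KEY_DEFAULT):
    """Return the rewritten .vmx text.

    persistent=False: make sure one active line sets the disk to
        independent-nonpersistent (uncommenting a '#'-ed line or inserting
        one near the top, as the post describes) -> throwaway browsing mode.
    persistent=True: comment out any active line for the key so VMware keeps
        changes again -> the post's monthly patch window.
    """
    pattern = _mode_line_re(key)
    out, found_active = [], False
    for line in vmx_text.splitlines():
        m = pattern.match(line)
        if not m:
            out.append(line)
        elif persistent:
            # Comment out an active line; already-commented lines stay as they are.
            out.append(line if m.group("hash") else "#" + line)
        elif not found_active:
            out.append(f'{key} = "{NONPERSISTENT}"')   # normalise / uncomment
            found_active = True
        # else: a duplicate active line, dropped so only one setting remains
    if not persistent and not found_active:
        # Insert after the .encoding header if present, otherwise at the top.
        idx = 1 if out and out[0].startswith(".encoding") else 0
        out.insert(idx, f'{key} = "{NONPERSISTENT}"')
    return "\n".join(out) + "\n"


def disk_is_nonpersistent(vmx_text, key=MODE_KEY_DEFAULT):
    """True only if an active (uncommented) line sets the non-persistent mode."""
    pattern = _mode_line_re(key)
    return any(m and not m.group("hash") and m.group("val") == NONPERSISTENT
               for m in map(pattern.match, vmx_text.splitlines()))


def update_vmx_file(path, persistent):
    """Rewrite a .vmx on disk; run only while the VM is powered off."""
    p = Path(path)
    p.write_text(set_disk_persistence(p.read_text(), persistent))


# Constructed sample of the relevant .vmx lines (not taken from a real VM).
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "10"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "throwaway.vmdk"
displayName = "throwaway"
'''

if __name__ == "__main__":
    locked = set_disk_persistence(SAMPLE_VMX, persistent=False)
    print(locked)
    print("non-persistent:", disk_is_nonpersistent(locked))
    patching = set_disk_persistence(locked, persistent=True)
    print("non-persistent during patch window:", disk_is_nonpersistent(patching))
```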
