Win32/RAMNIT.A Anyone? - Page 2



Re: Win32/RAMNIT.A Anyone?




Wow. I had no idea.. /sarcasm.

What software do you use for the backup? Are you storing the backup on
read only media or a hard drive that could fail for any reason?
 
I've encountered a few of those in my time as well.... I enjoy the work
they provide me tho. Tell me something, John, as a PROFESSIONAL, have
you written any of the tools you use for cleanup; or do you use the
work others have written, such as myself, David Lipman and many others?



--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ."  - author unknown.

Re: Win32/RAMNIT.A Anyone?

On 7/31/2010 4:21 PM, Dustin wrote:
      I will either use Acronis' or Paragon's backup software
depending on the situation.

     You mean WORM (Write Once/Read Many) media don't you? That
media can fail also. No media is perfect. I store the backup on
business or enterprise grade HDs and will transfer to other
media if the customer wants that backup. If it's a large backup
they will have to pay me for it. Tell me what software and
hardware would you use to backup your customer's HD before you
start removing malware?

      Me too. I especially get a kick out of the ones who don't
do backups and leave various screws out.

      For the record, I'm not trying to get into some pissing
contest. I was just making a suggestion as to how to fix the
problem laid out in the OP.

       I use software others have written. I'm not a software
engineer. I'm a professional computer repair person. I find that
competence in one profession such as software engineering
doesn't translate into something else like tech support. I've
been repairing computers for close to 25 years and have learned
a lot. One thing I've learned is a backup saves a lot of trouble
and allows for different approaches to be tried.

       So tell me what products have you and David Lipman
written and where can I check them out?


John





Re: Win32/RAMNIT.A Anyone?


I haven't heard the acronym WORM in years... Damn, you have been around
a long time. :) I was thinking of CD-R or perhaps DVD-R material.

It depends. When I was working at a computer shop, I'd either use
Norton Ghost Corporate Edition or the hardware drive cloning device we had
at the time. I really didn't see much point in cloning a malware drive
for malware removal; I wasn't stupid enough to trash my backups of the
registry or important files. Besides, I wrote several utilities to
assist me in verifying various Windows DLL/EXE files were still intact
and okay for reuse.

We would typically reserve cloning drives for hardware failure signs.
Although, a customer could have us clone a drive for a malware issue if
they so desired. By default, we always copied docs, favorites, emails
etc before doing anything... But, you know, different places have
different policies.

Why do you spend the additional time to clone an entire drive for a
malware removal job?

Or, use the wrong screws and strip one of the drives :)
 
I understand. It just seemed as if you were being a wiseass towards
David, from my POV. I didn't personally see any need in doing that. We
can all be professional and civil here.

Well, a backup is a good way of having an escape route should something
go wrong. :) From a software aspect tho, I haven't really encountered
much malware that would justify the time I spent on imaging the drive
first. I wasn't in charge of billing tho, so that may have played a
part in that.
 
I've written all kinds of old utility style apps; as you've been around
so long you might know a few of them.. Cmoscon, encode, delock, and
various others. If you're into crypto/security, you might even know the
old DOS file/freespace wiping app called NuKE and/or possibly CryptX.

In more recent times, I developed an antimalware scanner (that's why I
found your description on how they worked amusing. hehehe) called
BugHunter. I did a stint as a malware researcher for an app called
Malwarebytes antimalware..

Like yourself, I've been repairing pcs professionally for over 15 years
now; you have ten years on me, but I have programming skills on you.
*g*.

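The poster above mentions having written utilities to verify that Windows DLL/EXE files are still intact before reusing them. The script below is an added example of that job, not the poster's own utility (which is not on the page) and not code from any product named in the thread. It records a manifest of size and SHA-256 for every file under a root, then re-walks the tree and reports what changed. The directory layout, file names and contents in `demo()` are constructed for the example; on a real machine you would build the baseline from known-good media (or a backup taken before the infection) and run `verify()` against the suspect drive mounted offline.

```python
"""Baseline-hash integrity check for a tree of binaries (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, tuple[int, str]]:
    """Map relative path -> (size, sha256) for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return manifest


def verify(root: Path, baseline: dict[str, tuple[int, str]]) -> dict[str, list[str]]:
    """Classify every baseline entry as unchanged / modified / missing and
    list files present now that the baseline never saw."""
    current = build_manifest(root)
    report: dict[str, list[str]] = {"unchanged": [], "modified": [], "missing": [], "new": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] == (size, digest):
            report["unchanged"].append(rel)
        else:
            # Record how the size moved. A file infector that prepends or appends
            # its code grows the host; a same-size change points at an overwrite.
            # The size delta is a hint for triage, not proof of what happened.
            report["modified"].append(f"{rel} (size {size} -> {current[rel][0]})")
    report["new"].extend(rel for rel in current if rel not in baseline)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        # Toy "binaries": an MZ stamp plus filler. Not real PE files.
        (root / "system32" / "kernel.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"clean dll body")
        (root / "system32" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"clean exe body")
        (root / "notes.txt").write_bytes(b"hello")
        baseline = build_manifest(root)

        # Tamper: append bytes to one binary, delete a file, drop a new one in.
        with (root / "system32" / "tool.exe").open("ab") as f:
            f.write(b"APPENDED-SEGMENT")
        (root / "notes.txt").unlink()
        (root / "system32" / "dropped.dll").write_bytes(b"MZ new")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:9s} {items}")
```

The manifest must come from a trusted source. Hashing the suspect drive and comparing it with itself proves nothing, which is the practical reason the backup-before-cleanup discussion in this thread matters: a pre-infection image is the baseline.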

Re: Win32/RAMNIT.A Anyone?

On 8/1/2010 8:24 AM, Dustin wrote:
       It would be OK for DVD-R if the backup is small. But
swapping 20 or more DVDs is a pain.

       I rarely use Ghost these days, it used to be the only
thing I ever used.


      Yea that's good for you, but when you're working for
someone else and they have important data they want to save, I
will backup. Most of the time the customer doesn't have a
backup. A lot of times the customer has a HD that's five or six
years old and they really need a backup done. Then there are the
times when I'm working for a young person and they don't want a
backup they just want the drive wiped and they want the OS
installed.

     I work mostly with home users and small businesses and a
lot of times they have personal stuff they want to save. So I'll
do a quick backup of that data and then I'll do the full backup.
Sometimes they just want a reinstall. There are times when they
tell me not to backup because the data isn't important. In
David's response he seems worried about saving data so I
wondered why he wouldn't backup.

     It doesn't take that long most of the time and it's a lot
safer for the user's data. In most cases it actually takes
longer to install, upgrade and reinstall software for the
customer. Most of the time I backup less than 150GB.

     David was being a wiseass himself and I can understand why
he didn't respond. He seemed worried about losing data by simply
removing the system restore points so I naturally wondered why,
a backup can solve this problem. I guess he realized it was a
good idea so then he got snippy.

     I don't work for any company I work freelance. Like I said
most backups are small and usually take from 20 minutes to a
couple of hours. I don't charge by the hour I charge by the job.

     I've heard of some of those.

          I don't know why you would find it funny because a
virus writer will use anything to hide a virus. What smarter way
is there than to hide them in each and every folder in "System Volume
Information"? I do believe that what the system had was a
variant of the Virtumonde trojan. If you did research on malware
then you know virus writers will take existing malware and
modify it. I found one thing to be true in the world of malware:
NOBODY knows everything about every malware variant out there.
You can believe me or not, it doesn't matter.

John

Re: Win32/RAMNIT.A Anyone?

John Slade wrote:
You do appreciate that Dustin Cook was once a virus writer himself,
don't you, John?

There is a school of thought that suggests that once a computer has been
compromised, one can never be *certain* that it is clean - and that it
is always best to re-install the operating system... on a formatted
hard disk, wiping out all partitions first.

I'm just a user - but that's how I think too! ;-)

--
Dave - I've enjoyed reviewing John's posts!

Re: Win32/RAMNIT.A Anyone?



~BD~ forgot to add the link showing support for his view!

http://technet.microsoft.com/en-us/library/cc512587.aspx

Re: Win32/RAMNIT.A Anyone?





~BD~ wrote:
Finally, you clipped all the crap!!!  Yippee!!!
Buffalo



Re: Win32/RAMNIT.A Anyone?



On 8/1/2010 3:21 PM, Buffalo wrote:
      I was thinking the same exact thing.

John


Re: Win32/RAMNIT.A Anyone?



He added a qualifier here:

"If you have a system that has been completely compromised, the only thing
you can do is to flatten the system (reformat the system disk) and rebuild
it from scratch (reinstall Windows and your applications)."

I can agree with that. The thing is, what do you consider to be a compromise
and what do you consider to be a complete compromise?

If I discover a downloader downloaded some adware, I might just remove the
adware. If it downloaded some various and sundry other malware then the
"unknown" factor becomes prevalent - and flatten and rebuild becomes the
best route. A known trojan application for fake-AV scareware probably
doesn't require such drastic measures. If I figure the ingress vector was a
since-patched vulnerability-exploiting worm, I wouldn't just automatically
assume that hackers have also used that exploit's zero-day window to increase
the "unknown" factor - I would just address the worm.

Not that he's wrong, a healthy paranoia is a good security asset. The value
of the protected resource figures in heavily as well.



Re: Win32/RAMNIT.A Anyone?


Does it matter that much, BD? Do you feel I haven't been honest with
the fellow and so you need to remind persons of that aspect?
 
That school of thought does exist, yes. I don't subscribe to it tho.
 



Re: Win32/RAMNIT.A Anyone?



On 8/1/2010 2:46 PM, ~BD~ wrote:
     I didn't know Dustin Cook existed until he responded for
you. But I've been reading some in alt.comp.viruses and I find
it well...interesting... If he wrote viruses then he more than
anyone should know that what I said happened is indeed possible.

         That school of thought is pretty common but I've found
that the vast majority of infected systems can be saved without
reformatting and installing. It all depends on what the malware
is and how much damage has been done. If you formatted every
infected HD at the first sign of malware, very little data would be
saved unless you backed up important data.

      I'm a user and I find that backups save me a lot of
trouble. I know my HD will fail. As a repair tech, I know my
customer's HD will fail so I backup. Some of my customers want
to save the data so I backup before I remove malware. Some don't
care and ask me to format and install.

      I've been reading some in alt.comp.virus and it's pretty
amusing.... I'm starting to understand more and more why I'm
getting the responses I'm getting... ;)

John


Re: Win32/RAMNIT.A Anyone?




[...]

Because he understands true viruses, he knows that they don't need to hide
themselves in folders.

I don't think he would have said what he said if you had said worms, or
malware, instead of viruses.

Some malware sorta infests the "System Volume Information" folder - what
actually happens is that when the AV requests deletion of a detected malware
file, the OS makes a copy and stores it there just in case you didn't
*really* want it deleted.



Re: Win32/RAMNIT.A Anyone?





| [...]

| Because he understands true viruses, he knows that they don't need to hide
| themselves in folders.

| I don't think he would have said what he said if you had said worms, or
| malware, instead of viruses.

| Some malware sorta infests the "System Volume Information" folder - what
| actually happens is that when the AV requests deletion of a detected malware
| file, the OS makes a copy and stores it there just in case you didn't
| *really* want it deleted.


It doesn't really have to do with an anti-malware application deleting a file.
That's the Recycle Bin, and only the OS shell (explorer) will place files in the
Recycle Bin.

In this case the OS will take executable binaries and other OS related files and
place copies in the System Restore cache. All I have to do is download an EXE or
DLL and it will be in the cache and reference the location of where it was in the
OS. And it doesn't really infest the "System Volume Information\_restore" folder.
It lies dormant in there until the user decides to restore a break point. Then it
will take the executable binary and other OS related files and place them back in
the original location, thus reviving them from dormancy. However, malware is not
known to "hide" itself in "System Volume Information" while operating within the
OS.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?



On 8/1/2010 7:13 PM, David H. Lipman wrote:
      As far as you know, no malware writer used that method.
Nobody knows everything.

John


Re: Win32/RAMNIT.A Anyone?



Now, you're just being silly.



Re: Win32/RAMNIT.A Anyone?



On 8/1/2010 6:57 PM, FromTheRafters wrote:
      Well "virus" is a generic term these days. I was talking
about worms and/or trojans, I was using "virus" as a generic
term. I guess that clears it up.

John


Re: Win32/RAMNIT.A Anyone?




"Virus" isn't a generic term, then or now. As a professional, I think it
unwise of you to generalize what might be ailing the patient.


Re: Win32/RAMNIT.A Anyone?



On 8/2/2010 11:27 AM, Dustin wrote:
    "Virus" is both a generic term and a specific term. Why do
you think they call the software used to clean trojans and
worms, "Anti-Virus" software? I'm sure you don't think that they
only clean viruses and leave trojans and worms alone. It's all a
matter of semantics. Just about all of the major anti-malware
vendors have products that they call Anti-Virus. This is because
it just stuck. You're a professional and you don't know this?

John


Re: Win32/RAMNIT.A Anyone?




[...]

Generally, they call it antimalware unless it is also effective against
viruses and worms (which are self-replicators). If it is effective
against viruses, they call it an antivirus. Antivirus programs can also
detect some non-replicating malware.

Of course it is, but semantics shouldn't be a dismissive word. The
meanings of words are *important* to effective communications.

We all know this, and we don't like it one bit. The fact remains that
viruses are a special case requiring more than what many antimalware
applications are equipped to handle.




Re: Win32/RAMNIT.A Anyone?





| [...]

| Generally, they call it antimalware unless it is also effective against
| viruses and worms (which are self-replicators). If it is effective
| against viruses, they call it an antivirus. Antivirus programs can also
| detect some non-replicating malware.

| Of course it is, but semantics shouldn't be a dismissive word. The
| meanings of words are *important* to effective communications.

| We all know this, and we don't like it one bit. The fact remains that
| viruses are a special case requiring more than what many antimalware
| applications are equipped to handle.



Exactly, and that is why Malwarebytes' Anti-Malware (MBAM) is not an "anti-virus"
product. MBAM can NOT remove viral code such as Virut and (in this thread) Ramnit
from a file that has had that code prepended, inserted or appended to its binary.

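The post above draws the line between deleting a dropped file and removing viral code that has been prepended, inserted or appended to a host binary. The script below is an added example, not code from the thread, from MBAM, or from any other product named here, and it makes no claim about how Ramnit or Virut actually infect files. It builds a toy 32-bit PE in memory (constructed, not a real executable), walks its section table, and measures the overlay: bytes that sit past the end of the last section. A naive appender that glues its code onto the end of the file shows up as an overlay; an appender that registers its code as an extra section (the section name `.vir` is invented for the example) leaves the overlay at zero and is only caught by comparing the file against a clean baseline. Nothing here disinfects anything: the point is that a scanner can prove a file carries extra code without being able to say which bytes the original host consisted of, which is why the choice is restore-from-backup or a virus-specific cleaner, not a generic quarantine.

```python
"""PE overlay check versus a section-adding appender (added example, toy PE)."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGN = 0x200
OPT_HDR_SIZE = 224             # PE32 optional header size


def _align(n: int, a: int = FILE_ALIGN) -> int:
    return (n + a - 1) // a * a


def build_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal PE: DOS header, COFF header, zeroed PE32 optional
    header (Magic only), section table, then raw section data on FILE_ALIGN
    boundaries. Headers are padded to FILE_ALIGN so one more header can fit."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPT_HDR_SIZE - 2)
    headers_end = e_lfanew + 4 + 20 + OPT_HDR_SIZE + 40 * len(sections)
    raw_ptr = _align(headers_end)
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        size = _align(len(data))
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(size, b"\0")
        raw_ptr += size
    header = dos + b"PE\0\0" + coff + opt + table
    return header.ljust(_align(headers_end), b"\0") + body


def _section_table_offset(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    return e_lfanew + 24 + opt_size


def walk_sections(pe: bytes) -> list[tuple[bytes, int, int]]:
    """Return (name, PointerToRawData, SizeOfRawData) for each section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    table = _section_table_offset(pe)
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    out = []
    for i in range(nsec):
        name, _vs, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        out.append((name.rstrip(b"\0"), raw_ptr, raw_size))
    return out


def overlay_size(pe: bytes) -> int:
    """Bytes past the end of the last section's raw data (0 for a clean toy build).
    Real linkers may leave legitimate overlays (installers, signatures), so a
    non-zero result is a lead, not a verdict."""
    end = max(ptr + size for _, ptr, size in walk_sections(pe))
    return len(pe) - end


def append_as_overlay(pe: bytes, code: bytes) -> bytes:
    """Naive appender: glue code after the last section, section table untouched."""
    return pe + code


def append_as_section(pe: bytes, code: bytes) -> bytes:
    """Appender that declares its code as a new section (name '.vir' is invented):
    bumps NumberOfSections and writes a header into the header padding."""
    secs = walk_sections(pe)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    new_hdr = _section_table_offset(pe) + 40 * len(secs)
    raw_ptr = secs[-1][1] + secs[-1][2]
    size = _align(len(code))
    hdr = struct.pack(SECTION_FMT, b".vir", len(code), 0x1000 * (len(secs) + 1),
                      size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    out = bytearray(pe)
    out[new_hdr:new_hdr + 40] = hdr
    struct.pack_into("<H", out, e_lfanew + 6, len(secs) + 1)
    return bytes(out) + code.ljust(size, b"\0")


def demo() -> dict:
    """Constructed host plus 100 bytes of placeholder 'viral' code, attached both ways."""
    host = build_pe([(b".text", b"\x55\x8b\xec" * 10), (b".data", b"host data")])
    code = b"X" * 100
    by_overlay = append_as_overlay(host, code)
    by_section = append_as_section(host, code)
    return {
        "clean_overlay": overlay_size(host),
        "overlay_after_naive_append": overlay_size(by_overlay),
        "overlay_after_section_append": overlay_size(by_section),
        "sections_after_section_append": [s[0] for s in walk_sections(by_section)],
        "size_delta_naive": len(by_overlay) - len(host),
        "size_delta_section": len(by_section) - len(host),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both infected variants differ from the host in length and hash, so a size/hash baseline catches either; only the naive one is visible to the overlay walk. Neither check tells you where the host's original bytes end, which is the gap a generic anti-malware tool cannot close and a virus-specific disinfector or a clean backup must.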


