Win32/RAMNIT.A Anyone? - Page 7


Re: Win32/RAMNIT.A Anyone?




In addition to being an auto-distribution method for other code, being
self-replicating affords them the opportunity to change their appearance
with every iteration (self-polymorphism). In this way one beast can
result in a large number of cryptographic hashes. In addition to that,
the code is often inserted inside the program files of other programs
thus making detection (and hash matching) even more difficult. They are
not unique in being polymorphic as polymorphism in other distribution
methods such as hosting malware on a server can be achieved by
server-side code that changes their appearance with each download.

So, they are not unique in having the ability to change their
appearance, and they are not unique in their ability to self-replicate
because computer worms, bacteria, and rabbits are also self-replicating
code examples.

So, I felt that *rather unique* was the best choice of wording IMO.
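The point above, that one self-changing family ends up with a large number of hashes while a hash-based blocklist only ever knows the samples it has seen, can be shown in code. The following Python is an added example, not code from this thread or from any poster: it constructs toy "variants" that share an invariant core but differ in the bytes around and inside it, then compares a SHA-256 denylist built from one sample against a wildcard byte signature over the invariant core. The core bytes, the variant generator and the signature syntax are constructed assumptions for the demonstration.

```python
import hashlib
import random

# Constructed stand-in for the invariant core of a family: two fragments that
# every variant carries, with variant-specific bytes between them.
CORE_HEAD = bytes.fromhex("5589e583ec10")   # constructed: push ebp / mov ebp,esp / sub esp,0x10
CORE_TAIL = bytes.fromhex("c9c3")           # constructed: leave / ret


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_variant(rng: random.Random) -> bytes:
    """Constructed 'polymorphic' variant: same core, different junk around it."""
    prefix = rand_bytes(rng, rng.randint(8, 64))
    gap = rand_bytes(rng, 4)                 # variant-specific bytes inside the core
    suffix = rand_bytes(rng, rng.randint(8, 64))
    return prefix + CORE_HEAD + gap + CORE_TAIL + suffix


def parse_signature(sig: str) -> list:
    """Parse a hex string such as '55 89 e5 ?? ?? c3'; '??' is a one-byte wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def signature_matches(data: bytes, pattern: list) -> bool:
    """Return True if the wildcard pattern occurs anywhere in data."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return True
    return False


def compare_detection(n_variants: int = 20, seed: int = 1) -> dict:
    """Count how many constructed variants each detection method catches."""
    rng = random.Random(seed)
    variants = [make_variant(rng) for _ in range(n_variants)]
    benign = rand_bytes(rng, 200)            # constructed clean file with no core

    # Hash denylist built from the single sample an analyst happened to receive.
    known_hashes = {hashlib.sha256(variants[0]).hexdigest()}
    # Content signature: invariant bytes with wildcards over the changing gap.
    sig = parse_signature("55 89 e5 83 ec 10 ?? ?? ?? ?? c9 c3")

    return {
        "hash_hits": sum(hashlib.sha256(v).hexdigest() in known_hashes for v in variants),
        "signature_hits": sum(signature_matches(v, sig) for v in variants),
        "signature_false_positive": signature_matches(benign, sig),
    }


if __name__ == "__main__":
    print(compare_detection())
```

With the default seed the hash denylist catches exactly the one sample it was built from, while the content signature catches all twenty variants and does not fire on the constructed clean file. The same logic applies to a host program the code has been inserted into: the host's hash changes, the invariant bytes do not.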



Re: Win32/RAMNIT.A Anyone?



FromTheRafters wrote:

Not a point to argue about - I accept your choice, FTR :)

Re: Win32/RAMNIT.A Anyone?



On 8/4/2010 4:29 PM, RJK wrote:


       LOL. The same thing happens to me. Do you think every
time a customer does that I tell them, "It's not a virus! It's a
trojan!" I'll tell them eventually what the malware was that
caused the problem but I'll never be condescending to them like
some other "professionals" out there.

John


Re: Win32/RAMNIT.A Anyone?




It's not worth it. They don't care, and might not even be capable of
understanding the difference.


That's a good idea, it doesn't pay to alienate customers.



Re: Win32/RAMNIT.A Anyone?





There's your odd attitude again. What makes you think I wasn't working
for someone else when I did those things? Obviously since I didn't own
the shop, I was working for someone else.

Btw, What certifications do you presently hold? I'm just lowly
A+/network+ (back when that stupid thing was still considered worth the
paper it's printed on). Are you MCSE?

I completely understand the backup scenarios..



I see. It's the corp customers who can be.. a bit, on the anal side at
times. At the end of the day tho, you do whatever customer wants.
 

I'm just wondering what you mean by safer for the user's data then I
guess. If it's a malware issue, the user's data itself shouldn't be
affected much if at all; it's the applications and little.. extras that
may be of concern.
 

Well, along with potentially good dlls you might want to use to avoid
having to reinstall; comes several stages of the system's registry
hives. All valuable if you're into recovering the system, as opposed to
wiping and starting over. I see no reason to obliterate the restore
points right away; they still contain potentially useful data to me.

What separates some professionals from others is the ability to restore
the system without resorting to wiping and reloading as really, anybody
could do that. In many cases, not all, but many, you don't have to wipe
and reload the entire system to get rid of the malware.

Could you imagine, reloading the system to get rid of antivirusxp2010?
You'd agree, that would be an incompetent action to take?

Ahh, well.. I worked for one shop for just over a decade.. had some
prior real world experience from other shops voc and what I did as a
kiddo... I'll do the freelance thing when it's necessary, but I don't
halfass the job. Like I said, I've been doing this ten years or so less
than you and have yet to lose anyone's data; providing they called me in
time...

Well, I found it funny from the point of view of a former virus writer
turned whitehat. Does that make any sense to you?

Why would I spend the time to hide a virus in a folder, when I could
choose files? You could just delete me if I stored myself in a folder
in a binary format alone. If I reside in your files instead, I'm a lot
harder to deal with.

I know some virus writers have used existing code and modified that
yes. However, the majority of the crap I've seen passing for malware
these days typically isn't actually viral in nature. A virus is no
accident, ya see.

It's entirely possible the individual does have a virut variant, I
haven't seen the sample to confirm or deny that. Based only on what Ant
has written up about it tho, doesn't seem to indicate virut; but
something possibly forked from the same original codebase.

How as a virus would I be able to hide if you examined the drive from a
system that didn't start off of it? It's a rhetorical question... :)


--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ."  - author unknown.

Re: Win32/RAMNIT.A Anyone?




< snip >


| Well, I found it funny from the point of view of a former virus writer
| turned whitehat. Does that make any sense to you?

| Why would I spend the time to hide a virus in a folder, when I could
| choose files? You could just delete me if I stored myself in a folder
| in a binary format alone. If I reside in your files instead, I'm a lot
| harder to deal with.

| I know some virus writers have used existing code and modified that
| yes. However, the majority of the crap I've seen passing for malware
| these days typically isn't actually viral in nature. A virus is no
| accident, ya see.

| It's entirely possible the individual does have a virut variant, I
| haven't seen the sample to confirm or deny that. Based only on what Ant
| has written up about it tho, doesn't seem to indicate virut; but
| something possibly forked from the same original codebase.

| How as a virus would I be able to hide if you examined the drive from a
| system that didn't start off of it? It's a rhetorical question... :)


The important aspect is one of NTFS permissions.  More than just the average
malware can't access "system volume information" and certainly NOT the Vundo
family (including Virtumone adware).


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?



On 8/1/2010 4:09 PM, David H. Lipman wrote:

      As far as you know...

John



Re: Win32/RAMNIT.A Anyone?




| On 8/1/2010 4:09 PM, David H. Lipman wrote:

|       As far as you know...

And I *know* a lot.  It is known for hooking into IE through BHO and Winlogon
via Winlogon\Notify and more recently via the Local Security Authority
Subsystem Service.  And I know its initial infection vector was through Java
Exploits.  I remember when they first hit and I have seen the tools that were
used to eradicate up to and including MBAM.  You read where Dustin was an
employee of Malwarebytes.  Dustin and I were both employee Malware Researchers
for Malwarebytes  :-)

{ BTW: I also know I spelled Virtumonde wrong :-) }


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?



On 8/1/2010 6:54 PM, David H. Lipman wrote:

     That's all well and good but as you know there are strains
of trojans and worms that are unknown. It may or may not have
been Virtumonde or a version of it, it very well may have been
some other malware that dropped Virtumonde. I'm sure you know
there is malware out there that will drop multiple trojans and
worms on a system. But whatever it was, I was never afraid to do
what it took to get rid of it. That's why I make a backup before
I clean badly infected systems.

      I can tell you this, after I got rid of all the system
restore points, some malware looked for files in the restore
folders and couldn't find them. I got the popup saying the files
were not found in that directory. I did a final scan and when I
removed the malware this time it stayed gone. The system ran
with no problems until the teenager put something else on it
months later.

John

Re: Win32/RAMNIT.A Anyone?





|      That's all well and good but as you know there are strains
| of trojans and worms that are unknown. It may or may not have
| been Virtumonde or a version of it, it very well may have been
| some other malware that dropped Virtumonde. I'm sure you know
| there is malware out there that will drop multiple trojans and
| worms on a system. But whatever it was, I was never afraid to do
| what it took to get rid of it. That's why I make a backup before
| I clean badly infected systems.

|       I can tell you this, after I got rid of all the system
| restore points, some malware looked for files in the restore
| folders and couldn't find them. I got the popup saying the files
| were not found in that directory. I did a final scan and when I
| removed the malware this time it stayed gone. The system ran
| with no problems until the teenager put something else on it
| months later.

I agree, there are "...strains of trojans and worms that are unknown."
However there is a relatively finite capability that they employ.  Usually one
repeats the success of another and builds upon that success.  What becomes new
is not what they do within the file system, it is what they do in the Registry
or employing different programming techniques and Kernel constructs.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?



On 8/1/2010 3:04 PM, Dustin wrote:

       Well you made it sound like you were doing it for yourself.


       I took courses and wound up teaching an A+ class. A+ is a
good place to start for someone looking to get certified for
work at some company that requires that cert. I view the MCSE
certification as pretty much a money making scam. I look at MCSE
certifications as a joke in many cases because some courses just
teach people how to pass the certification test. I took a long
MCSE certification course but I never needed to be certified as
I went into business for myself. I found most of the things
covered were knowledge I already had. I also found that many MCSE
"certified" people don't know a lot. Well they do know how to
pass that test!

      I don't need any of those certifications, it's a waste of
money.



       It's not JUST the malware issue, I already explained that
often HDs I work on are pretty old. Also when you start cleaning
files the system may not boot, data may be destroyed. There are
lots of reasons to backup and that's what I learned over the years.


       You may or may not have to delete restore points. It
depends on the particular malware.


     Yea that's why I find making a backup allows me to make a
mistake if removing the malware causes the installation to be
trashed and it does happen.


     I've removed that particular infection before and didn't
need to reinstall anything.




       Well you could choose particular files in the restore
point folders, you could tell it to create a restore point and
infect the system files. The advantage is the malware scanner
will not clean it because it's a read only folder by default.


       All I remember is that the many restore points were all
infected with the same malware. Restore points that were there
before the malware was installed by the user. The malware was in
some pirated software that was installed a couple of days before
I was called.

John



Re: Win32/RAMNIT.A Anyone?





My boss paid for the tests, it just cost me some driving time. As I've
been doing the computer thing since the TRS-80 series was actually new
and hot stuff to some, I didn't really need to study for the exam.
While Tandy's computers were proprietary in nature, they had some
things in common with CP/M and later DOS machines. Besides, it beat
tracing a grounding problem on an AT mainboard keyboard port. <G>

The shop I worked at actually fixed problems, we didn't ship to
manufacturer or sell you a new mainboard if components could be
replaced cheaper and still bring the system back to its original self.
None of us were afraid of soldering pencils or precision electronics,
everyone at the shop had a background in it.

So, as a professional with years on me, do you replace boards or
actually get down and dirty with them?


I would tend to agree with that statement, based on the future
technicians who will eventually be replacing me. :)
 

It looks nice on paper, tho. :) I like you didn't bother to fork out
the 2grand for the MCSE certs, I watched a friend of mine who knew next
to nothing about computers; get MCSE inside of 3 months time. So, yea,
I'm in complete agreement with you about them. Lots of reading, a very
small amount of practice in the LAN I configured for him, and voilà;
MCSE certified; but doesn't know his ass from a hole in the ground.
 

True, plenty of reasons to backup and I certainly don't disagree with
one who is strict with a decent backup policy; I just don't really see
the need to do it for a malware removal job alone.
 

I know of no malware which would force me to toss an entire restore
point. I can just go into the folder from another system and do what
needs to be done; without endangering said system.
 

Be careful and take your time. Safety first and all that. :)
 

Hmm. I'm guessing you don't know how the restore functions in windows
actually work. I'll clue you in.. If I so much as edit a
sys/dll/com/exe file in the windows folders, a restore point is
automatically created so long as system restore is turned on. That
restore point will backup the file before my changes are finalized on
disk. Unless, I override system restore and do it directly.

The folder itself isn't exactly read-only by permissions alone, again,
the resident system restore dlls keep you out; but you can still scan
inside with it running if you do low level calls.


I don't suppose you kept a sample for analysis?
--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ."  - author unknown.

Re: Win32/RAMNIT.A Anyone?



On 8/2/2010 11:41 AM, Dustin wrote:

      I got my start in electronics and have a background in
that too. I took college courses in electronics and am no
stranger to repairing circuit boards. I'm no stranger to
soldering irons. Well that's what we called them. I used to
repair TVs, radios and such years ago.


    When I need to repair a blown component like a bad sound
card, video card or controller card, I replace it. I haven't
needed to repair an actual circuit board for at least 15 years.
The last component level repairs I did for a computer was
replacing burned out components on my old Amiga computer's
motherboard. But I gave up on all that stuff, just not worth the
hassle any more especially with these newer multilayer boards
with tiny components and surface mounted chips. It can be done
but it's usually not worth it.


       MCSE is pretty useless in my current repair field.
However it's good to learn if you take a proper course such as a
computer science course at a college. I took a three-month MCSE
course and found I had already learned most of the stuff on my own.



     I used Bitdefender's bootable CD to remove malware from the
restore point files and it did not solve the problem. I rebooted
and the malware was written there again. Only when I turned off
system restore and when I rebooted, I got a popup stating that
it couldn't find a file in the system restore folders that were
deleted. Then I did a final scan and the malware was gone,
system fixed.


       I know how system restore works and I'm 100% sure it can
be exploited by malware writers.


      No. I just clean them I don't study them. I do this sort
of thing a lot and don't really keep track of each piece of
malware I remove. I remove scores and hundreds of trojans and
worms from systems. I probably still have the scan log though if
I find it I'll post it here. This was more than a year ago when
I removed it.

John

Re: Win32/RAMNIT.A Anyone?





Odd. I'm familiar with soldering irons as well as pencils, and we
typically use the pencils for detail work that the iron generates too
much heat for. Irons aren't good for changing out small transistors,
IC's or caps due to the risk of damage, and especially these days with
a pile of components nearby the one that has to be replaced; a pencil
is the only way to safely do it. Lower wattage, less heat.

I got my start outside of my house repairing neighborhood tvs, vcrs,
etc; but I was something like 9 or 10 years old doing that stuff. I
enjoyed it, and I didn't burn anything up that wasn't mine.


So you haven't seen the leaking capacitor issue in your time
professionally repairing PCs? If you have, did you upsell your client
instead of replacing the caps? You can find them pretty cheap, in 50-
100 packs; enough to do several boards...


You don't work with laptops much eh? They're bad about breaking the
power connector on the mainboard. In those cases, what do you do?
 

I see no reason to take a college course for material I already know
likely better than the instructor. Nothing beats hands on real world
experience.
 

If the malware was written back when you rebooted, you missed something
that was being given a chance to run when windows was booted normally.


Again, that's on you for missing the file in the first place... Nobody
said you couldn't store a file in the system restore folder, in fact
you can. Seriously, professional to professional, you should have done
a more thorough check when you booted from a clean disc; and I don't
mean a bootable scanner disc, I mean a clean disc work environment: In
the future, I suggest you give a BartPE disc a try. It's like being in
windows, on cd. You can use console functions if you're comfortable (I'm
home in console myself) or windows explorer style. Either way, it gives
you a full view of the contents of the hard disk; and you can come/go
to the system restore folder as you please, no protections preventing
you access will you find.

A file sitting in the root of system restore should NOT ever be
overlooked by a professional. You should notice something like that,
you should be looking for something like that just as you would random
named dlls present in the windows\system32 folder.

I'm not trying to talk down to you or anything like that, so don't
misunderstand me. Alright? I'm just stating some tips for you for
future work with malware.


Lemme rephrase myself, I understand how system restore works from the
end user point of view; which would include yourself as you're not a
programmer... and that of the programmer point of view. The way I
explained system restore is how it works behind the screen. What you
don't see as you don't read code, ok?

And what I described is indeed one way to exploit system restore to
your own advantage, by forcing it to do exactly what it's designed to
do. However, you can't claim the system restore folder itself is
infected if a binary file is placed there with a hidden/system
attribute set and you miss it when you boot clean.  The folder itself
still isn't infected. It's no different than leaving the binary in the
\windows folder and setting the runkey to it, vs the system restore
folder. The only advantage the malware has by residing in system
restore instead is that windows by default will protect it somewhat
from users trying to mess with that folder contents under normal
conditions. That is the ONLY advantage you get as a malware executable
choosing that location over another; The OS will make some effort to
protect you as a side effect of keeping users from getting themselves
in trouble.

System restore has been well documented and all exploit avenues have
been fully covered in all kinds of various worms, viruses and trojans
at some point or another. Again, the only advantage you have from the
virus point of view is os protection from the user touching you via
normal methods. That doesn't mean you've infected system restore,
you're just abusing windows a little bit.
 

I see..


--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ."  - author unknown.
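Dustin's advice in the post above (boot from a clean disc, look at what sits in the root of the System Restore folder, look for random-named DLLs in windows\system32) can be turned into a triage script that runs against an offline-mounted volume. The following Python is an added example, not code from this thread or from any tool the posters mention: it walks the volume root, flags executables directly in "System Volume Information", flags files inside a restore point that do not follow the restore-copy naming scheme, and flags DLLs in system32 whose names look random and are not in a baseline. It runs here against a constructed directory tree. The restore-copy naming rule (A plus seven digits plus the original extension), the vowel-fraction heuristic, and the name baseline are assumptions and stand-ins; a real triage would compare against hashes taken from clean media.

```python
import re
import tempfile
from pathlib import Path

# File types worth a second look wherever they turn up on an offline volume.
EXEC_EXT = {".exe", ".dll", ".com", ".scr", ".sys", ".pif"}
# Constructed stand-in for a baseline of a known-good install; real triage
# would compare against hashes from clean media, not a name list. Vowel-less
# legitimate names such as ntdll and msvcrt are why a baseline is needed.
KNOWN_SYSTEM32 = {"kernel32.dll", "ntdll.dll", "user32.dll", "shell32.dll", "msvcrt.dll"}
# Assumption: XP-era restore points store copied files as A + seven digits + extension.
RP_COPY_RE = re.compile(r"^A\d{7}\.[A-Za-z0-9]+$")
RP_HOUSEKEEPING = {"rp.log", "drivetable.txt", "snapshot"}


def vowel_fraction(stem: str) -> float:
    """Share of letters that are vowels; random-looking names tend to score low."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiouy" for c in letters) / len(letters)


def triage_volume(root: Path) -> list:
    """Walk a mounted (offline) volume and return (relative path, reason) findings."""
    findings = []
    svi = root / "System Volume Information"
    if svi.is_dir():
        # 1. Executables sitting directly in the restore root: never expected there.
        for entry in svi.iterdir():
            if entry.is_file() and entry.suffix.lower() in EXEC_EXT:
                findings.append((entry.relative_to(root).as_posix(),
                                 "executable in System Volume Information root"))
        # 2. Files inside a restore point that do not follow the copy naming scheme.
        for rp in svi.glob("_restore*/RP*"):
            if not rp.is_dir():
                continue
            for entry in rp.iterdir():
                name = entry.name.lower()
                expected = (RP_COPY_RE.match(entry.name) or name in RP_HOUSEKEEPING
                            or name.startswith("change.log"))
                if entry.is_file() and not expected:
                    findings.append((entry.relative_to(root).as_posix(),
                                     "unexpected file inside restore point"))
    # 3. Random-named DLLs in system32 that the baseline does not know.
    sys32 = root / "WINDOWS" / "system32"
    if sys32.is_dir():
        for entry in sys32.iterdir():
            if (entry.is_file() and entry.suffix.lower() == ".dll"
                    and entry.name.lower() not in KNOWN_SYSTEM32
                    and vowel_fraction(entry.stem) < 0.25):
                findings.append((entry.relative_to(root).as_posix(),
                                 "random-looking DLL name not in baseline"))
    return sorted(findings)


def build_sample_volume(root: Path) -> None:
    """Constructed directory tree standing in for a mounted infected XP volume."""
    svi = root / "System Volume Information"
    rp = svi / "_restore{00000000-0000-0000-0000-000000000000}" / "RP1"  # placeholder GUID
    rp.mkdir(parents=True)
    (rp / "A0000001.dll").write_bytes(b"legit restore copy")
    (rp / "change.log").write_bytes(b"")
    (rp / "svchost.exe").write_bytes(b"planted binary")         # does not match copy naming
    (svi / "tracking.log").write_bytes(b"")                      # normal Windows file
    (svi / "winlogon32.exe").write_bytes(b"planted binary")      # executable in the root
    sys32 = root / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    for name in ("kernel32.dll", "ntdll.dll", "msvcrt.dll"):     # baseline names
        (sys32 / name).write_bytes(b"legit")
    (sys32 / "xkqzlwpt.dll").write_bytes(b"planted dll")         # random-looking, not in baseline


def demo() -> list:
    """Build the constructed volume in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_volume(root)
        return triage_volume(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

On the constructed tree this reports three findings: the planted executable in the restore root, the planted binary inside RP1, and the random-named DLL in system32, while the vowel-less but baselined ntdll.dll and msvcrt.dll are left alone. The script does not see the hidden/system attributes mentioned in the post, so on a real volume pair it with a listing that shows them, and treat the name heuristic as a prompt to check hashes, not as a verdict.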

Re: Win32/RAMNIT.A Anyone?






It might be a regionalism, or a Britishism/Americanism. In over 20 years
I've never used, or heard used, "soldering pencil" in a lab in the U.S.,
although I am familiar with the term. It's always been "soldering iron",
whether a giant thing to solder heavy cables, or a tool suited to tiny
ICs and SMT parts. Metcals are generally the best I've seen for small
devices; they put a high temperature (typically 600 to 700F) into a very
very small area very quickly (80W output).

Steve

--
steve <at> w0x0f <dot> com
"Life should not be a journey to the grave with the intention of
arriving safely in an attractive and well preserved body, but rather to
skid in sideways, chocolate in one hand, sidecar in the other, body thoroughly
used up, totally worn out and screaming "WOO HOO what a ride!"

Re: Win32/RAMNIT.A Anyone?



On 8/3/2010 9:57 AM, Steve Fenwick wrote:

      Yea I've always used "soldering iron" as well no matter
the size.

John

Re: Win32/RAMNIT.A Anyone?





Steve Fenwick wrote:

C'mon, you never heard of a soldering pen?
Buffalo



Re: Win32/RAMNIT.A Anyone?





I've heard the term, but never used by me or techs in a lab.

Steve

--
steve <at> w0x0f <dot> com
"Life should not be a journey to the grave with the intention of
arriving safely in an attractive and well preserved body, but rather to
skid in sideways, chocolate in one hand, sidecar in the other, body thoroughly
used up, totally worn out and screaming "WOO HOO what a ride!"

Re: Win32/RAMNIT.A Anyone?





80 watts output would burn an IC up on a wave soldered board...

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ."  - author unknown.

Re: Win32/RAMNIT.A Anyone?





Nope. Use it all the time that way. Melts the solder super-fast, keeps
the leads from getting hot. Try one if you get a chance.

Steve

--
steve <at> w0x0f <dot> com
"Life should not be a journey to the grave with the intention of
arriving safely in an attractive and well preserved body, but rather to
skid in sideways, chocolate in one hand, sidecar in the other, body thoroughly
used up, totally worn out and screaming "WOO HOO what a ride!"
