
Google Warns Users About Active Malware Infection

CmdrTaco posted more than 2 years ago | from the hooray-i'm-clean dept.


dinscott writes "Google has begun notifying its users that a particular piece of malware is installed on their computers by showing a big yellow notification above their search results. The warning began popping up yesterday, and does so only for users whose computers have been infected by a particular strain of malware that hijacks search results in order to drive users towards websites that use pay-per-click schemes."


80 comments


Good for Google! (1)

For a Free Internet (1594621) | more than 2 years ago | (#36822180)

I was once the victim of an Italian virus attack and it was a bejeezus of a chore to clean up after that one!

The campaign for a Free Internet says: block Italy and its nefarious agents off our Internet! The Internet belongs to the American People, our President, our Constitution and our God! Not Italian islamocommunist hackers!

Re:Good for Google! (1, Offtopic)

PopeRatzo (965947) | more than 2 years ago | (#36822598)

I was once the victim of an Italian virus attack and it was a bejeezus of a chore to clean up after that one!

I got a virus when I was in France and it took three shots of penicillin to clean one that up.

Now that I think about it, the girl who gave me the virus had hairier than average legs, so she might have been Italian... I'm not saying she had hairy legs, but she had dandruff on her shoes.

Re:Good for Google! (1)

operagost (62405) | more than 2 years ago | (#36822928)

You think viruses can be eradicated with antibiotics. That explains a lot about the quality of your posts.

Re:Good for Google! (1)

PopeRatzo (965947) | more than 2 years ago | (#36823570)

You think viruses can be eradicated with antibiotics. That explains a lot about the quality of your posts.

I knew there had to be some explanation.

So, does that mean that gonorrhea is not caused by a virus? Or is it syphilis? Gee, the things you learn on Slashdot. Amazing the level of sexual knowledge among a segment of the population that has only had sex with plush wookie dolls.

 

Re:Good for Google! (0)

Anonymous Coward | more than 2 years ago | (#36824784)

Both gonorrhea and syphilis are bacterial infections. He was merely pointing out that you originally mentioned using antibiotics with a virus. (Yes, the poster was a bit snarky about it.)

Re:Good for Google! (1)

operagost (62405) | more than 2 years ago | (#36825574)

When you find yourself in a hole, first you must stop digging. BTW... I'm married.

Re:Good for Google! (0)

Anonymous Coward | more than 2 years ago | (#36826878)

That wasn't dandruff on her shoes. That was the blizzard of a drying yeast infection. You should've built a snowman.

Proxy (5, Insightful)

mwvdlee (775178) | more than 2 years ago | (#36822222)

The malware works by redirecting search queries through a proxy. It should be easy for the proxy to just remove the warning or reroute it so Google can't identify the malware.

Re:Proxy (1)

Intron (870560) | more than 2 years ago | (#36822230)

I'm sure this will start an arms race with the malware writers, but I still wouldn't bet against Google.

Re:Proxy (1)

alex67500 (1609333) | more than 2 years ago | (#36822502)

Same here. As much as they don't want to "Do no evil", they're also pretty fond of their advertising revenue, which this malware is cutting them from. Somehow, I believe Googl-iath wins this one and David goes home with a sore head.

Re:Proxy (0)

Anonymous Coward | more than 2 years ago | (#36823064)

David has far more slings and stones than even Googl-iath can ever hope to effectively crush.

Re:Proxy (1)

macshit (157376) | more than 2 years ago | (#36823852)

I'm sure this will start an arms race with the malware writers, but I still wouldn't bet against Google.

Indeed. Spam filtering of course started a similar arms race, but gmail spam filtering has become so good that spam long ago ceased to be an issue for me -- it's been months since I've seen a false negative or false positive (yes I do still check the spam folder sometimes, out of lingering habit), and my email address is all over the place.

Malware is probably a stickier issue of course, but as you say, it's always risky to bet against Google...

Re:Proxy (0)

Anonymous Coward | more than 2 years ago | (#36826014)

This "arms race" has been going on for years. We (not just google) take every opportunity we get to deal any blow we can to malicious software and it's authors, whether that's writing an IDS signature, submitting samples to VT and AV vendors, taking down a C&C server, removing co.cc from search results, or just writing a blog about a threat to raise awareness.

Thanks

Re:Proxy (1)

jamesh (87723) | more than 2 years ago | (#36822302)

The malware works by redirecting search queries through a proxy. It should be easy for the proxy to just remove the warning or reroute it so Google can't identify the malware.

It's just another leap in the perpetual game of leapfrog...

I do like the idea though.

Re:Proxy (0)

Anonymous Coward | more than 2 years ago | (#36822562)

Unless it adds it via complex JavaScript, rooted in the basic function so as to be a mess to remove without damaging the page.

Re:Proxy (1)

KiloByte (825081) | more than 2 years ago | (#36823322)

It's trivial to remove javascript, and losing Instant is hardly noticeable. For Google, I'd try randomizing the page and the warning, so the proxy has a hard time parsing it. Change the randomization algorithm once in a while, too.

Re:Proxy (1)

gnick (1211984) | more than 2 years ago | (#36823752)

If it's being routed through a proxy, they don't even have to identify the warning. They just have to glean the results, adjust them to their liking, and recreate a reasonably google-like results page. I'm surprised the warnings ever got through in the first place.

Re:Proxy (1)

KiloByte (825081) | more than 2 years ago | (#36825066)

No matter if you blacklist or whitelist parts to pass to the client, you still need to parse the page well enough. Randomizing the page might make it hard enough for the fuckhats to implement the parsing, and when they do, Google can make a small change to throw them off again.
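An added example to make this subthread's argument concrete (it is not code from the page, from Google or from any malware, and the markup, element ids and URLs are invented): a toy results page, a blacklist filter of the kind a proxy operator would write against one known warning element, a randomized rendering of the same warning along the lines KiloByte proposes, and a whitelist re-render that does what gnick describes, parsing out only the result links and rebuilding the page so nothing else survives.

```python
import re
import secrets
from html.parser import HTMLParser

WARNING_TEXT = "Your computer appears to be infected."


# Constructed toy results page; the markup is invented and is not Google's.
def results_page(warning_html):
    return (
        "<html><body>" + warning_html +
        '<ol class="results">'
        '<li><a href="http://example.com/a">Result A</a></li>'
        '<li><a href="http://example.org/b">Result B</a></li>'
        "</ol></body></html>"
    )


# Server side, version 1: one fixed element the proxy can learn once.
FIXED_WARNING = f'<div id="malware-warning">{WARNING_TEXT}</div>'


# Server side, version 2: same message, but tag name, id, class names and
# the way the text is split change on every render.
def randomized_warning():
    tag = "div" if secrets.randbelow(2) else "p"
    spans = "".join(
        f'<span class="{secrets.token_hex(3)}">{word} </span>'
        for word in WARNING_TEXT.split()
    )
    return f'<{tag} id="{secrets.token_hex(6)}">{spans}</{tag}>'


# Proxy side, approach 1: blacklist the one element seen before.
WARNING_RE = re.compile(r'<div id="malware-warning">.*?</div>', re.S)


def blacklist_strip(html):
    return WARNING_RE.sub("", html)


# Proxy side, approach 2: whitelist. Collect only the result links and
# rebuild a fresh page; nothing the proxy did not ask for gets through.
class _ResultLinks(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []          # (href, text) pairs found under ol.results
        self._in_results = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "ol" and a.get("class") == "results":
            self._in_results = True
        elif tag == "a" and self._in_results:
            self._href, self._text = a.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None
        elif tag == "ol":
            self._in_results = False


def whitelist_rerender(html):
    parser = _ResultLinks()
    parser.feed(html)
    items = "".join(f'<li><a href="{h}">{t}</a></li>' for h, t in parser.links)
    return f'<html><body><ol class="results">{items}</ol></body></html>'


def warning_survives(html):
    # The user-visible question: does the word "infected" still reach the page?
    return "infected" in html


if __name__ == "__main__":
    print("blacklist vs fixed:     ", warning_survives(blacklist_strip(results_page(FIXED_WARNING))))
    print("blacklist vs randomized:", warning_survives(blacklist_strip(results_page(randomized_warning()))))
    print("whitelist vs randomized:", warning_survives(whitelist_rerender(results_page(randomized_warning()))))
```

The blacklist filter stops working the moment the markup changes, which is KiloByte's point; the whitelist re-render keeps working no matter how the warning is encoded, which is gnick's. Randomizing the results markup itself (not just the warning) raises the cost of the whitelist parser, but only until it is rewritten.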

Re:Proxy (1)

madhatter256 (443326) | more than 2 years ago | (#36822310)

Well, it's not that easy; there is usually a virus/trojan that changes the proxy service back on you once you disable it. So you'll have to run some good antimalware scans.

You also want to check your lmhosts file, too, and do a full DNS flush on the infected PC.

Re:Proxy (1)

nedlohs (1335013) | more than 2 years ago | (#36822510)

Which is completely irrelevant to the guys running the malware itself updating their proxy to filter the warning message out.

Re:Proxy (1)

maxume (22995) | more than 2 years ago | (#36822556)

You really expect him to read your comment with comprehension turned on?

Re:Proxy (0)

Anonymous Coward | more than 2 years ago | (#36822924)

Wow. People don't know what they're talking about here....

Easy enough to solve (1)

davidwr (791652) | more than 2 years ago | (#36823276)

Simply don't return any valid URLs in the results if Google detects a poison proxy.

Even better, have all the URLs be http://www.microsoft.com/security/default.aspx [microsoft.com] or even better http://en.wikipedia.org/wiki/Linux [wikipedia.org] or to be slightly evil^H^H^H^H self-serving http://www.google.com/chromebook/ [google.com] .

Facepalm (1)

Bratmon (1649855) | more than 2 years ago | (#36824176)

The whole point is that the proxy removes Google's results entirely.

A friend of mine had this last week (1)

Nursie (632944) | more than 2 years ago | (#36822268)

Nothing seemed to detect it or get rid of it, so she ended up reinstalling the whole OS. It doesn't sound like a particularly new idea, redirecting search, but the proxy aspect might be I suppose.

Re:A friend of mine had this last week (1)

elfprince13 (1521333) | more than 2 years ago | (#36822322)

I haven't run into an infection yet that can't be gotten rid of with the Sysinternals suite. Usually takes me less than a half hour of work.

Re:A friend of mine had this last week (1)

Nursie (632944) | more than 2 years ago | (#36822388)

While that's useful information to me, that wouldn't have helped her, as she's not a geek and was receiving remote advice from people via facebook...

Re:A friend of mine had this last week (1)

Bing Tsher E (943915) | more than 2 years ago | (#36822542)

Was she a victim of the malware, then, or a victim of her own design?

Re:A friend of mine had this last week (0)

Anonymous Coward | more than 2 years ago | (#36822566)

Yes to the latter, which leads to yes to the former.

Re:A friend of mine had this last week (0)

Anonymous Coward | more than 2 years ago | (#36822394)

I haven't run into an infection yet that can't be gotten rid of with the Sysinternals suite. Usually takes me less than a half hour of work.

You trust a machine that's been compromised?

Re:A friend of mine had this last week (1)

Servaas (1050156) | more than 2 years ago | (#36822546)

Indeed, I torch them every time a worm or virus pops up.

Re:A friend of mine had this last week (1)

JamesTRexx (675890) | more than 2 years ago | (#36824518)

We do the same thing here at our shop. Well... not so much torch, but reinstall. :-)
It's not so much that we couldn't get rid of a virus, but it's an insurance against claims that the machine wasn't clean when the customer gets it back.
It also takes away any worry from the customer about infected files left behind on the drive.

Re:A friend of mine had this last week (1)

kaizendojo (956951) | more than 2 years ago | (#36822584)

I've run into this type of malware/scareware with clients and friends, and I've had a lot of success with the program "Unhackme" by Greatis Software link [greatis.com] . It's been pretty effective on malware and root kits and is reasonably priced, not to mention quick. It also works to prevent further infections by protecting the boot sector area.

Full disclosure - while I am a fan and recommend the program to others, I have no connection with the company or devs. Just trying to help.

Re:A friend of mine had this last week (1)

i kan reed (749298) | more than 2 years ago | (#36822734)

1. Boot to safe mode
2. Purge all autoruns.
3. Reboot to normal mode.

Cleaning a windows PC without malware tools is usually really easy, except in the case of rootkits. This approach has the side effect of removing crap-ware installed by manufacturers.

Re:A friend of mine had this last week (1)

Riceballsan (816702) | more than 2 years ago | (#36823068)

That works on 80% of non-rootkit-assisted viruses; you still have to factor in the 20% that can A. launch in safe mode, or B. attach themselves to other programs you are inevitably going to open, rather than relying entirely on startup, and that isn't even factoring in the very much increased rate of rootkit-based infections as of late.

Re:A friend of mine had this last week (1)

GIL_Dude (850471) | more than 2 years ago | (#36824012)

True, for the rest you simply boot to Windows PE from a USB key or DVD and mount the host machine's registry and remove the offending entries (typically in services or the typical "run" keys). You can also delete the executables from the file system. Obviously the more experience you have doing this the easier it is to identify what to remove. If the machine is running BitLocker you will need the recovery key to use this method, but as long as you have the key it works fine.

Re:A friend of mine had this last week (1)

Qzukk (229616) | more than 2 years ago | (#36825252)

Seems like I'm running across more and more stuff that hides in the Task Scheduler's "At log on" task list. Not many people seem to think to look there, and it doesn't appear to show up in a registry search (unless it's one of those {21232f5a1-0b51-521... keys, instead of "task scheduler").

Re:A friend of mine had this last week (1)

_0xd0ad (1974778) | more than 2 years ago | (#36825500)

Task Scheduler tasks are files with a .job extension saved in C:\WINDOWS\TASKS.
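The registry side of the procedure in this subthread (Run/RunOnce keys and service ImagePath values), as an added example that is not from any of the posters: a parser for regedit's text export format, which is what `reg export` produces once the offline hive has been loaded from WinPE, and a triage pass that flags autostarts whose executable lives in a user-writable directory such as AppData, Temp or ProgramData. The .reg content, the service name winupdsvc and the directory list are constructed for the example; the .job files in the Task Scheduler folder are a binary format and are not covered here.

```python
import re

# Persistence locations named in the thread (compared case-insensitively).
RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)}
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
# Directories a legitimate autostart almost never lives in (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed regedit 5.00 export, not from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Update Svc"="C:\\Users\\bob\\AppData\\Local\\Temp\\svchosts.exe -p 8080"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,73,00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupdsvc]
"ImagePath"="C:\\ProgramData\\winupdsvc.sys"
"Start"=dword:00000001
"""


def decode_value(raw):
    """REG_SZ ("..."), REG_DWORD (dword:) and REG_EXPAND_SZ (hex(2):, UTF-16LE)
    are decoded; any other type is returned as the raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes.fromhex(raw[7:].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a regedit export."""
    # Hex values wrap with a trailing backslash; join those lines first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line and line.startswith(('"', "@")):
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = decode_value(raw)
    return keys


def executable_path(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def triage(text):
    """Return [(key, value_name, path, reason)] for autostarts worth a look."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k in RUN_KEYS:
            candidates = values.items()
        elif k.startswith(SERVICES_PREFIX) and "ImagePath" in values:
            candidates = [("ImagePath", values["ImagePath"])]
        else:
            continue
        for name, data in candidates:
            if not isinstance(data, str):
                continue
            path = executable_path(data).lower()
            if any(d in path for d in USER_WRITABLE):
                findings.append((key, name, path, "image in user-writable directory"))
    return findings


if __name__ == "__main__":
    for key, name, path, reason in triage(SAMPLE_REG):
        print(f"{reason}: [{key}] {name} -> {path}")
```

Anything flagged is a lead, not a verdict: confirm the file on disk, its signature and its timestamp before deleting the value, and remember that the Task Scheduler folder and browser extensions mentioned elsewhere in the thread are outside what this pass sees.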

Re:A friend of mine had this last week (1)

asdf7890 (1518587) | more than 2 years ago | (#36824656)

Some of my family manage to get infections regularly. I've stopped doing even this three-step process as I'm tired of trying to educate them to be careful. First I'll try the built-in "system restore" feature, and if that doesn't work (either because the restore points don't go back far enough, or we'd need to go too far back to be useful anyway, because the malware has managed to infect the restore point data too, or because it is rootkit-aided (or similar) and gets around system restore that way) it is a boot sector wipe and full OS reinstall. I make them explicitly state that they've got a backup of their important data before they hand me the machine, of course.

It is amazing how much more careful people become when they know the only fix is likely to be a refresh which means reinstalling all their games and crap afterwards.

Re:A friend of mine had this last week (1)

Anonymous Coward | more than 2 years ago | (#36823054)

The malware adds entries into your HOSTS file.
(C:\windows\system32\drivers\etc\hosts)
You'll have to take ownership of the file.
(properties / security / advanced / owner)
Then edit it in notepad to remove the offending redirects.

The hosts file works like a static DNS look up table.
[hostname] [ip]
google.com 133.7.3.57
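The hosts file check above, as an added example that is not from the original comment: a parser for the hosts file (whose format is address first, then one or more hostnames, with # comments), a filter that flags watched search and update domains mapped to anything other than a loopback or 0.0.0.0 blocking address, a grouping by destination so that one proxy address fronting many domains stands out, and a cleaner that drops the flagged lines. The file contents, the watched domain list and the 203.0.113.7 address are constructed for the example.

```python
import ipaddress

# Domains whose redirection is a classic search/AV hijack sign (assumed list).
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
)

# Constructed sample hosts file, not taken from a real infected machine.
SAMPLE_HOSTS = """# constructed sample, not a real infected file
127.0.0.1       localhost
::1             localhost
# legitimate local alias
192.168.1.10    fileserver.lan
# suspicious: search engines pointed at a single external address
203.0.113.7     www.google.com
203.0.113.7     google.com
203.0.113.7     www.bing.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Return [(line_number, address, hostname)] for every hostname in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address; hosts lines always start with one
        for host in parts[1:]:
            entries.append((lineno, addr, host.lower()))
    return entries


def _watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """[(line_number, hostname, address)] for watched domains mapped somewhere
    other than a loopback or unspecified address."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries block a name, they do not hijack it
        if _watched(host):
            findings.append((lineno, host, str(addr)))
    return findings


def hijack_targets(text):
    """Group flagged hostnames by destination address: one address fronting
    many domains is the proxy/sinkhole to look for in network logs."""
    by_addr = {}
    for _, host, addr in suspicious_entries(text):
        by_addr.setdefault(addr, []).append(host)
    return by_addr


def clean_hosts(text):
    """The file with every flagged line removed; a hijack line rarely carries
    a legitimate alias alongside, so whole lines go."""
    bad = {lineno for lineno, _, _ in suspicious_entries(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, host, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr}")
    print(hijack_targets(SAMPLE_HOSTS))
```

On a live Windows box the file is the one at C:\Windows\System32\drivers\etc\hosts noted above, and as the comment says you may need to take ownership before writing it back; do the check from a clean boot environment if the malware keeps restoring its entries.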

Re:A friend of mine had this last week (1)

stephathome (1862868) | more than 2 years ago | (#36823126)

My husband's computer had a virus along these lines a year or two ago, hijacking Google results, and that thing was tough to get rid of. Not a single malware scanner found it. I simply noticed because he complained his computer wasn't working right, and the usual scanner wasn't fixing it for him. Neither was any other scanner I tried, and I tried a bunch. Not one so much as detected it, but the changed search results showed that something was going on. I had to do a reinstall on his computer too.

Found out his computer probably got infected because he kept going back to a site his scanner warned him was infected, and he'd ignored the warning. *headdesk* I think he knows better than to make that mistake again, but there are reasons why I don't like him using my computer. You'd think the previous discussions we'd had about malware would be enough... I hope he finally has that lesson down.

Going to have to keep that Sysinternals suite mentioned elsewhere in mind. He's not the only problem child in the family, although I have most relatives pretty well trained now.

Re:A friend of mine had this last week (1)

Abstrackt (609015) | more than 2 years ago | (#36823580)

Found out his computer probably got infected because he kept going back to a site his scanner warned him was infected, and he'd ignored the warning. *headdesk*

Hey, if it wasn't for people like that half of us wouldn't have jobs! ;)

(I'm a strong advocate for user education and attempt to do so every time I fix someone's system but I also have no qualms about taking their money when they ignore my advice time and time again)

Re:A friend of mine had this last week (1)

stephathome (1862868) | more than 2 years ago | (#36829272)

Too true. Especially if you don't learn after an infection or so, paying someone to fix it is just what you deserve. Malware's out there. Be ready to deal with it.

Awesome! (4, Insightful)

abigsmurf (919188) | more than 2 years ago | (#36822288)

I bet Malware authors are already copying these messages in order to trick people into installing scareware.

Re:Awesome! (0)

Anonymous Coward | more than 2 years ago | (#36823010)

Yeah, I was hesitant to even open this page. It just *sounds* like a scam.

Re:Awesome! (1)

locallyunscene (1000523) | more than 2 years ago | (#36826048)

I wish they had picked different wording. It's exactly the same as the pop ups you shouldn't click on.

Scour (0)

Anonymous Coward | more than 2 years ago | (#36822344)

This typically was referred to as the "Scour" virus. The current definitions of Malwarebytes will nuke it pretty well.

Same as before. (4, Informative)

poofmeisterp (650750) | more than 2 years ago | (#36822382)

Flashback, man.

This is almost 100% the same as the last piece of malware I was asked to remove from three people's machines over the course of a couple of months.

It was such a pain in the butt because I spent an hour manually cleaning the registry while using a live CD, looking for the newest modified-time files on the machine, looking for installed "Oh-I'm-so-cool" applications, browser extensions, system libs, etc etc etc.....

In the end, I find out that it was cleaned off after my first registry run key deletion session, but the damn proxy was set in both Mozilla and IE to a remote IP. Now, proxy is one of the first things I check when there's ad-based or redirectional malware reported.

What's next?
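The proxy check the post above describes, as an added example (not from the page or from any tool named in the thread): a Python audit of the two places this class of malware sets a proxy. Firefox keeps its settings in prefs.js as user_pref("network.proxy.*", ...) lines (these are the real preference names; type 1 is a manual proxy, type 2 a PAC URL). IE reads HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, values ProxyEnable, ProxyServer and AutoConfigURL; the example takes those three values as arguments rather than reading the registry, so it runs anywhere. The prefs.js content and the 203.0.113.7 address are constructed; the known_good list is whatever your corporate proxy actually is.

```python
import re

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')

# Constructed sample prefs.js, not from a real machine.
SAMPLE_PREFS_JS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.7");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "203.0.113.7");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
"""


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict with str/int/bool values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def firefox_proxy_findings(prefs, known_good=()):
    """network.proxy.type: 0 none, 1 manual, 2 PAC, 4 WPAD, 5 system (default)."""
    findings = []
    ptype = prefs.get("network.proxy.type", 5)
    if ptype == 1:
        for scheme in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            port = prefs.get(f"network.proxy.{scheme}_port")
            if host and f"{host}:{port}" not in known_good:
                findings.append(f"firefox: manual {scheme} proxy {host}:{port}")
    elif ptype == 2:
        url = prefs.get("network.proxy.autoconfig_url", "")
        if url not in known_good:
            findings.append(f"firefox: PAC script {url}")
    return findings


def ie_proxy_findings(proxy_enable, proxy_server, autoconfig_url="", known_good=()):
    """Values from HKCU\\...\\Internet Settings: ProxyEnable (DWORD),
    ProxyServer ("host:port" or "http=host:port;https=host:port;..."),
    AutoConfigURL (string, often absent)."""
    findings = []
    if autoconfig_url and autoconfig_url not in known_good:
        findings.append(f"ie: AutoConfigURL {autoconfig_url}")
    if proxy_enable and proxy_server:
        for item in filter(None, proxy_server.split(";")):
            scheme, sep, hostport = item.partition("=")
            if not sep:
                scheme, hostport = "all", item
            if hostport not in known_good:
                findings.append(f"ie: {scheme} proxy {hostport}")
    return findings


def audit(prefs_js_text, proxy_enable, proxy_server, autoconfig_url="", known_good=()):
    prefs = parse_prefs(prefs_js_text)
    return (firefox_proxy_findings(prefs, known_good)
            + ie_proxy_findings(proxy_enable, proxy_server, autoconfig_url, known_good))


if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS_JS, 1, "203.0.113.7:8080"):
        print(finding)
```

A proxy on 127.0.0.1 is reported too, deliberately: a later comment in this thread notes the proxy can be a local process, so "localhost" is not a reason to trust the setting. Reading the IE values live is a winreg call on Windows or a look at the NTUSER.DAT hive from a boot CD; the parsing is the same either way.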

Re:Same as before. (1)

Anonymous Coward | more than 2 years ago | (#36822658)

I've cleaned the same proxy off machines myself.

Then one of those machines got hit again, I figured it was the same thing - but all my fixes were still setup. Turned out it was a bogus firefox extension with a real-looking name that was doing all the redirection.

Somewhere in there there is a human proxy/redirect joke ...

Re:Same as before. (1)

andytrevino (943397) | more than 2 years ago | (#36823968)

The proxy setting will show up - and can be removed with 2 clicks - in a HijackThis [antivirus.com] report. While Trend Micro bought it and supposedly has changed something (not sure what...) HJT remains a useful tool for anyone combating malware and ransomware.

The Firefox extension AC replied about will show up in a log from ComboFix [bleepingcomputer.com] though CFX won't remove the proxy by itself at this point -- perusing a ComboFix log features loads of information about a system and its infections.

Re:Same as before. (1)

TheEnigmaticToad (2011680) | more than 2 years ago | (#36824390)

Manually? UMAD?!?! HiJackThis is woefully out of date, don't bother with it. Use one of these: 1. http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/ [geekstogo.com] 2. ComboFix - You'll have to enroll in a school to get the in-depth guide 3. AVZ - Includes a really powerful scripting ability. Each of the

Like those fake warnings we tell people to close? (0, Troll)

wadeal (884828) | more than 2 years ago | (#36822426)

You mean exactly what creators of Malware do today to scare users into installing malicious software??? We've tried to train users for YEARS to instantly close anything saying they have a virus (any infection is reported silently back to us by the AV). This is beyond a joke by Google. Yet another thing no one asked for, they didn't ask the community if they wanted it. After having to install software restrictions to block Chrome, Google Toolbar, Google Sidebar (wtf), Google Desktop Search as well as locking down IE to stop Google changing preferences I have to say this may be the arrogant fuck up that makes us look at blocking Google completely.

Re:Like those fake warnings we tell people to clos (0)

nedlohs (1335013) | more than 2 years ago | (#36822544)

I'm sure Google is terrified of you blocking them and will now pass all their interface changes and feature changes to you for approval.

Re:Like those fake warnings we tell people to clos (1)

Bing Tsher E (943915) | more than 2 years ago | (#36822564)

I have to say this may be the arrogant fuck up that makes us look at blocking Google completely.

No, you're wrong. You will be the arrogant fuck up that blocks Google from your 'users.'

Just sayin'.

Re:Like those fake warnings we tell people to clos (1)

poofmeisterp (650750) | more than 2 years ago | (#36822602)

What in the heck does this complaint you have about Google have to do with the issue at hand?

Google opted to notify people when requests to them are coming from a malware-based proxy server as a nice tip to let people know when they should check their machine out.

They're not selling anything, they're not pushing you toward anything. They're just notifying you that something known-to-be-bad is happening.

Re:Like those fake warnings we tell people to clos (1)

wadeal (884828) | more than 2 years ago | (#36822720)

What in the heck does this complaint you have about Google have to do with the issue at hand?

That currently the Malware creators use very similar tactics to infect users (Popups advising the user is infected, Pages that look exactly like a Windows desktop with an infection popup etc). Users are told to close anything saying they have an infection for this reason.

That they didn't ask anyone if they even wanted this new "feature", like all the features they force down people's throats (Preview, iGoogle Sidebar etc).

Re:Like those fake warnings we tell people to clos (1)

poofmeisterp (650750) | more than 2 years ago | (#36823078)

Ahhhh... Poor notification. Gotcha.

First thing that hits me is:

1. If you don't tell the proxy malware asses about it, people will get a nifty notification and it will open the eyes of a few not-so-smart ones.
2. If you DO tell people you're doing it, the proxy malware idiots will craft new malware and work around it using new IPs -or- just come up with a new method.

In the end, it's better that Google do nothing and let nature run its course on this. It will anyway. :)

Re:Like those fake warnings we tell people to clos (1)

Anonymous Coward | more than 2 years ago | (#36822644)

Clicking on the message to close it (clicking at all) is usually going to deliver the same payload as clicking "OK" --- them being simple image links to sites that will install something via an exploit, hell even seeing the fake warning could mean you're already infected (this stuff gets injected into pages via compromised ad providers, they can just as well embed a pdf/flash zero day and skip the 'clicking' step entirely).

Re:Like those fake warnings we tell people to clos (2)

wadeal (884828) | more than 2 years ago | (#36822810)

The message we try to give to users is close it, if you're not comfortable then call us (we do helpdesk support) and we'll jump on remotely and check for any infection.

Yes, you're right, there are plenty of times an infection can't be avoided, but there are times when it can be, simply by hitting the X in the top right corner.

Re:Like those fake warnings we tell people to clos (0)

Anonymous Coward | more than 2 years ago | (#36822708)

After having to install software restrictions to block Chrome,

Why would you block this or any browser?

Remind me not to come work for your company

Re:Like those fake warnings we tell people to clos (2)

wadeal (884828) | more than 2 years ago | (#36822882)

Shared PCs used by nurses (we support primarily aged care computer systems) to enter data into whatever software or browser-based solution the customers use. There's definitely a need for control of what software is installed. But due to other users that require more access (Lifestyle, Managers) and a few lazy customers that refuse to move to individual accounts, we have to basically allow most content through and block installation of any software (yes, we should be using a solution like SteadyState or DeepFreeze but that hasn't happened for various reasons) using policy.

Re:Like those fake warnings we tell people to clos (0)

Anonymous Coward | more than 2 years ago | (#36822724)

Google doesn't run banner ads on its pages, so yes, any banner ad on their site should be an immediate warning that either you're infected with something, or Google got hacked. Guess which is more likely.

Re:Like those fake warnings we tell people to clos (1)

Riceballsan (816702) | more than 2 years ago | (#36823200)

Well playing devil's advocate here, you could be infected by a lesser payload. Say a virus is in 2 parts, 1. weak part that installs at user level, with user access rights, installs itself simply by loading an infected page etc... but lacks the ability to take admin rights on a system, Part 2. Master rootkit, requires user to grant admin rights for it to get in and dig deep. even with no admin rights, part 1 still has the power to run your browser through a proxy, and inject itself onto webpages as well as block filter and control what pages you go to. In other words part 1 could inject an advertisement onto the version of google you see, give you a link to a "trusted" provider, even make that "trusted" provider show up as norton, microsoft, google or whatever they feel like in the address bar for you, and 95% of users would give whatever program they are getting admin rights to install.

Re:Like those fake warnings we tell people to clos (0)

Anonymous Coward | more than 2 years ago | (#36822828)

You're talking about IE and Google is the fuck up? bwahaha. You slay me, sir.

Re:Like those fake warnings we tell people to clos (1)

wadeal (884828) | more than 2 years ago | (#36822942)

What I'm not talking about is what's the better browser. I use Chrome half the time, I love it. But for a corporate environment with many users sharing PCs, where you require management of hundreds of PCs, you use IE.

Re:Like those fake warnings we tell people to clos (1)

MadMaverick9 (1470565) | more than 2 years ago | (#36824776)

http://www.google.com/apps/intl/en/business/chromebrowser.html [google.com]

Easy administration

Deploy Chrome across your organization using the MSI installer. Control updates and customize your Chrome deployment with support for managed group policy and authentication protocols.

Re:Like those fake warnings we tell people to clos (0)

Anonymous Coward | more than 2 years ago | (#36823698)

must...block...most..secure..browser...

You use IE6?

"Yet another thing no one asked for, they didn't ask the community if they wanted it" Wanted what? You mean to know your computer is infected? You're right, I should never ask for someone to help. Screw open source. /sarcasm

Maybe you want Google to call people instead of notifying them via their browser? But really, what is your "better" way to notify the user that they have an infection? Don't say "don't", because not every home user has an IT office that manages their computer for them.

Strange brew that's also good for you (-1)

Anonymous Coward | more than 2 years ago | (#36822664)

That would be home made Kombucha.

The search results (except yahoo) were mauled by paid placement schemes long ago, before the terroristic malware was even unannounced.

Friday Night Virus Fight (3, Informative)

Matt.Battey (1741550) | more than 2 years ago | (#36822962)

I picked up that strain on my desktop PC Friday night. Weirdest thing. It started out by popping up a window (that I thought was Windows Defender) indicating I had a trojan. Might even have been from Defender; it would close right away... Anyway, I started with safe-mode boot, Ad-Aware and Spybot, no dice. I ended up installing Norton Network Security, and it couldn't find it. I had to run Norton Power Eraser. Crazy. A commercial virus scanner that can't find viruses.

It installs itself in the MBR as a root kit, the proxy may even be local on the pc, downloaded on start-up.

Re:Friday Night Virus Fight (0)

Anonymous Coward | more than 2 years ago | (#36828642)

It's no great surprise that Ad-Aware and SSD failed you; time has passed them by. Of course, Norton AV products have been total trashware for over a decade now, ditto Symantec and McAfee; they are so bad that they qualify as malware in and of themselves.

Next time try Malwarebytes, then remove whatever AV software you have and install Avast. Find the well-hidden "boot time scan" tool in Avast, activate it, and boot the system. Malwarebytes is the "default" malware scanner du jour for repair techs, and Avast has displaced AVG as the antivirus tool of choice.

Blow it out using Recovery Console (0)

Anonymous Coward | more than 2 years ago | (#36829398)

Fixmbr command to reset your MBR$ to a valid one that's not infected/infested!

So - boot up via CD/DVD of the Windows install media, which is read-only, & refresh the bootsector...

NOW, if this thing's like "the indestructible rootkit/botnet" was?

You MAY wish to:

1.) Patrol the list of installed drivers &/or services via the Recovery Console's listsvc command (using GOOGLE or BING if need be for ones you don't know "offhand" (bogus ones usually don't have a descriptive field though in the listsvc outputs (some valid ones are that way too though, so... be aware of that much also))).

2.) Then, once you find the bogus driver, IF there is one (such as hello_tt.sys)? Shut it down via the disable command (which shuts down services AND DRIVERS from loading).

3.) Reboot to RC again on DVD/CD Windows install media (read only inviolate is why)

4.) Refresh the bootsector then (once the rootkit MBR$ & protective driver are gone) & use fixmbr for a new bootsector (and then, all SHOULD be "ok").

* Provided that the driver itself does NOT protect the registry area that disable affects (because it does NOT take effect until next bootup & if a driver for a rootkit's designed to not only protect the bootsector, but also the registry load area for said bogus driver too).

APK

P.S.=> Again, to stress the proper order for this:

In the case of an MBR$ originated rootkit protected by a driver, you have to do this order for it to work:

---

1.) Bootup via Windows install media from DVD/CD (read only inviolate environs, so you have a valid bootsector)

2.) Do the listsvc "patrolling/scanning"

3.) Execute disable vs. any bogus drivers once verified thus (or, if you don't get a VALID KNOWN RESULT).

4.) Reboot to Recovery Console again

5.) Use the fixmbr command to refresh the HDD's bootsector with a valid one

---

* DONE!

... apk

Also, IF this thing uses a "patched .sys" (0)

Anonymous Coward | more than 3 years ago | (#36833228)

"Trojan-Driver" file, & you can determine WHICH ONE it is first of course?

(Usually that'd be atapi.sys or disk.sys because of the nature of what they do, disk or CD/DVD oriented I/O)

You can then use the COPY command from Recovery Console to OVERWRITE replace the bogus one either from drivers from the OEM install Windows media on CD/DVD, or, from a copy of an updated real driver from MS on a CD copy you made... per instructions below!

(Don't worry - Drivers do NOT PAGE THEMSELVES once in memory, like ordinary executables do (which is WHY folks see Windows paging still, even IF no pagefile.sys is present when monitoring for paging activities))

Thus, it should not be "locked vs. access" @ that point - that is, unless it has been programmed to PROTECT ITSELF vs. overwrite, or protecting not only say, the bogus MBR$, but also its registry driver init. areas... this will make them pretty much, TRULY, "indestructible", imo!

Anyhow/anyways - You can copy clean drivers, from 2 places:

---

1.) The Windows Installation media itself (again, which is read only inviolate), because it has the ORIGINAL OEM versions of these files

or

2.) Better still, extracting the newest models out of Service Pack patch files that have the updated ones placing them onto another CD for overwrite replacement of bogus patched trojan drivers - yes, you CAN do this, because the RC allows for default access to the CD/DVD, %SystemRoot%/%WinDir% by default - & you can set that to be more folders via secpol.msc/gpedit.msc also

---

* And, "there ya go"... as far as even defeating bogusly trojan driver file patch based rootkits too!

Between THIS here, and my last post here before this one:

http://it.slashdot.org/comments.pl?sid=2338764&cid=36829398 [slashdot.org]

You SHOULD be "all set" vs. rootkits & how to combat them, & with tools you already own too (bonus)!

(Again - The ONLY fear(s) I have are trojan rootkit drivers that protect registry driver loads/initializations areas, &/or protect themselves from overwrite)

However - I haven't seen that, not YET @ least, but... if it happens? "HOUSTON WE HAVE A PROBLEM!" (& it's "nuke it from orbit" @ that point quite possibly!)

APK

P.S.=> Yes - The Service Pack updates files can be opened with WinRar for example, OR, they often have "switches" that allow for in-place extraction - then, copy/burn them to 2nd extra CD for the task @ hand here!

(This IS the "preferred route", again, as it is read only inviolate)

So - @ that point, you can use the Recovery Console COPY command to replace any "bogusly patched" trojan driver files!

... apk
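As an added example (not from the thread's author), a Python check that does the "which driver is patched" identification offline: it hashes the suspect volume's atapi.sys and disk.sys against copies taken from the read-only install media or extracted service pack and flags any mismatch. Directory names and the sample driver bytes are constructed; in a real run `reference_dir` points at the extracted media drivers and `suspect_dir` at the mounted infected volume, from a clean boot environment rather than the suspect OS.

```python
"""Offline integrity check for Windows boot-path driver files.

Added example, not code from the thread. Compares driver files on a
mounted, offline Windows volume against reference copies from read-only
install media using SHA-256. The reference copies must be the same
version (service pack level) the system actually runs, or a legitimate
update also shows up as a mismatch. Paths and bytes here are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Drivers the thread singles out as typical targets for in-place patching.
BOOT_PATH_DRIVERS = ("atapi.sys", "disk.sys")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(suspect_dir: Path, reference_dir: Path,
                    names=BOOT_PATH_DRIVERS) -> dict:
    """Return {name: 'ok' | 'MISMATCH' | 'missing'} for each driver name."""
    results = {}
    for name in names:
        s, r = suspect_dir / name, reference_dir / name
        if not s.exists() or not r.exists():
            results[name] = "missing"
        elif sha256_file(s) == sha256_file(r):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict:
    """Constructed sample trees: atapi.sys intact, disk.sys altered."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "media" / "drivers"            # constructed path
        sus = Path(tmp) / "mnt" / "System32" / "drivers"  # constructed path
        ref.mkdir(parents=True)
        sus.mkdir(parents=True)
        (ref / "atapi.sys").write_bytes(b"MZ clean atapi")
        (sus / "atapi.sys").write_bytes(b"MZ clean atapi")
        (ref / "disk.sys").write_bytes(b"MZ clean disk")
        (sus / "disk.sys").write_bytes(b"MZ clean disk" + b" patched")
        return compare_drivers(sus, ref)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A mismatch only says the file differs from the reference; it identifies which driver to overwrite from the media, as the post describes, and does not by itself prove what the difference is.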

Re:Friday Night Virus Fight (0)

Anonymous Coward | more than 3 years ago | (#36833436)

Crazy. A commercial virus scanner that can't find viruses.

Not crazy, very normal. The problem is that good AV products get noticed by malware authors. So when they get root over your system, they'll look for McAfee, Norton, Panda, AVG, etc. and either disable them or use some type of partial-sandboxing to escape detection.

And just FYI, the best way to go about removal is to boot to a Live Linux CD. That way you're running a known clean OS, and can do all your scans on the infected HDD or fix what you want without worrying about the malware just reverting everything you fixed.

Note: I would recommend a windows CD for people who don't use linux or can't find the right tools, but I don't know of any such flavor of windows and don't care to see if one exists. What you're looking for is an OS that can be burned onto a write-once CD or DVD, and does not require an install.

Windows Recovery Console tools do it (0)

Anonymous Coward | more than 3 years ago | (#36833704)

From the Windows installation media (a read-only environs):

---

RC Bootup & fixmbr to refresh MBR$ (master boot record & bootsector):

http://it.slashdot.org/comments.pl?sid=2338764&cid=36829398 [slashdot.org]

&/or

Method for patching "bogus trojan driver files" as well (IF this method is employed as well in combination with the above):

http://it.slashdot.org/comments.pl?sid=2338764&cid=36833228 [slashdot.org]

---

That's in response to your reply here:

"Note: I would recommend a windows CD for people who don't use linux or can't find the right tools, but I don't know of any such flavor of windows and don't care to see if one exists. What you're looking for is an OS that can be burned onto a write-once CD or DVD, and does not require an install." - by Anonymous Coward on Thursday July 21, @08:37AM (#36833436)

The ONLY problem w/ using Linux?

Is IF you have to redo the bootsector &/or MBR$ for Windows, especially Windows VISTA/7/Server 2008, + if needed, driver replacement AFTER identifying the "bogus trojan possible culprit"...

I.E.-> I am NOT 100% sure Linux will work on the new bootsector & boot format (no boot.ini) on the newer Windows types is all... correct me here IF necessary, I can always learn a new thing too!

---

ANYHOW/ANYWAYS:

In fact, I used the 1st URL's tactics vs. "the indestructible rootkit" a few weeks ago, & it works!

http://it.slashdot.org/comments.pl?sid=2282088&cid=36621818 [slashdot.org]

---

So - Would your suggestion, using a Linux distro, work?

Possibly... just a bit more hassles due to identification of possible culprit/suspects, IF it is an "MBR$ protecting rootkit" variant that uses drivers to do so

AND

Not sure here IF Linux's tools will work as bcdedit does for the most modern Windows types, VISTA onwards is all!

---

* "Blended-Threat" rootkits/botnets, running in both Ring 0/RPL 0/KernelMode + Ring 3/RPL 3/Usermode, suck...

(Imo @ least? Well - They're the WORST TYPE to get rid of, especially if you have to non-destructively... but, it IS doable! You just have to understand HOW they work is all, like any problem, in order to manage, control, OR DESTROY it?? You have to understand its mechanics, first!)

APK

P.S.=> Those methods will work, & yes, I've used them myself, for non-destructive removal of rootkits!

Now - To "mop up" ANY ring3/rpl3/usermode malware they may "haul in" also, which the "indestructible rootkit/botnet" did for example?

Well... ProcessExplorer works!

(With DLL view mode pane enabled, to see if any running processes or services are bogus, as well as being "hooked" via bogus lib/dll injections)

See - because once you "knock-the-chocolate" out of the rootkit running in Ring 0/RPL 0/kernelmode?? Nothing can deceive ProcessExplorer (via API call intercepts), & IT CAN SEE INTO ANYTHING IN USERMODE!

Yes, even a program loaded into memory - an almost "in-memory disassembly/dump" is possible too...

Yes - it's a "never fail" tool vs. signatures-based antivirus programs when their ID & remove methods fail or don't exist... (& their heuristics too, which do get "false positives" also @ times + are NOT set "on by default" or "to-the-max" by default usually either)

... apk

Strange brew that's also good for you (0)

Anonymous Coward | more than 2 years ago | (#36823166)

That would be home made Kombucha.

The search results (except Yahoo) were mauled by paid placement schemes long ago, before the terroristic redirecting malware was even thought of. Thanks for the 'warning' anyway?

I seem to be infected with something like this (1)

scharkalvin (72228) | more than 2 years ago | (#36824008)

When I click on a Google search result I usually don't get there anymore, and my antivirus software (Malwarebytes) reports that it blocked an outgoing request to a website and gives the IP address. Sometimes I'm redirected without Malwarebytes blocking the request and end up in another search engine. Once it was Bing!
Malwarebytes can't seem to remove WTF is going on. Oh, and I don't get a Google popup either.

Re:I seem to be infected with something like this (0)

Anonymous Coward | more than 2 years ago | (#36826602)

lol, windows users.

So, basically, you're saying something like "Oh... I seem to have a similar type of gangrene on my leg: it even seems to display the same type of rainbow-colored pus and everything", while not realizing that you should probably fix the problem, rather than talk about it on slashdot.

You do know that malware often steals passwords and stuff, right?

Even more helpful would be... (1)

s31523 (926314) | more than 2 years ago | (#36824242)

A link to a tool or instructions on how to remove the darn thing! I have been hit by some form of Google redirect twice, and the last time I just gave up and re-formatted the hard drive (it was due for a clean Windowz install anyway).

I have this! (0)

Anonymous Coward | more than 2 years ago | (#36826704)

I HAVE THIS! I have been using the secure one, encrypted.google.com, because every time I searched for something, it took me to another website, something completely unrelated to my search.

I tried going to Google, but I didn't see the warning. Does anyone know where they send you if you click on the link?

TDSS rootkit (0)

Anonymous Coward | more than 2 years ago | (#36828388)

Kaspersky has a nice cleaner for the Google redirect - variant of the TDSS rootkit... it's in the MBR and causes a LOT of headaches
