From: Dustin on
~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote in
news:toGdnU4lcMazdsjRnZ2dnUVZ8hidnZ2d(a)bt.com:

> John Slade wrote:
>> On 8/1/2010 8:24 AM, Dustin wrote:
>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>> news:i32s10$653$1(a)news.eternal-september.org:
>>>
>>>> On 7/31/2010 4:21 PM, Dustin wrote:
>>>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>>>
>>>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>>>
>>>>
>>>>>
>>>>>> You should know there is malware out there that will
>>>>>> trash the registry and its backup. It will require some sort
>>>>>> of reinstall to get the system back working. I found it very
>>>>>> rare that I need to do a full reformat and reinstall because of
>>>>>> malware. Some malware will also corrupt system files and when
>>>>>> you remove them with scanners, it will make the installation
>>>>>> unbootable. This is yet another reason professionals will make
>>>>>> a backup if possible before removing infections.
>>>>>
>>>>> What software do you use for the backup?
>>>>
>>>> I will either use Acronis' or Paragon's backup software
>>>> depending on the situation.
>>>>
>>>>> Are you storing the backup on
>>>>> read only media or a hard drive that could fail for any reason?
>>>>
>>>> You mean WORM (Write Once/Read Many) media, don't you? That
>>>> media can fail also. No media is perfect. I store the backup on
>>>> business or enterprise grade HDs and will transfer to other
>>>> media if the customer wants that backup. If it's a large backup
>>>> they will have to pay me for it. Tell me what software and
>>>> hardware would you use to back up your customer's HD before you
>>>> start removing malware?
>>>
>>> I haven't heard the acronym WORM in years... Damn, you have been
>>> around a long time. :) I was thinking of CD-R or perhaps DVD-R
>>> material.
>>
>> It would be OK for DVD-R if the backup is small. But swapping 20 or
>> more DVDs is a pain.
>>
>>>
>>> It depends. When I was working at a computer shop, I'd either use
>>> Norton Ghost Corp edition or the hardware drive cloning device we
>>> had at the time.
>>
>> I rarely use Ghost these days; it used to be the only thing I ever
>> used.
>>
>>
>>> I really didn't see much point in cloning a malware drive
>>> for malware removal; I wasn't stupid enough to trash my backups of
>>> the registry or important files. Besides, I wrote several
>>> utilities to assist me in verifying various Windows DLL/EXE files
>>> were still intact and okay for reuse.
>>>
>>
>> Yeah, that's good for you, but when you're working for someone else
>> and they have important data they want to save, I will back up. Most
>> of the time the customer doesn't have a backup. A lot of times the
>> customer has a HD that's five or six years old and they really need
>> a backup done. Then there are the times when I'm working for a
>> young person and they don't want a backup they just want the drive
>> wiped and they want the OS installed.
>>
>>> We would typically reserve cloning drives for hardware failure
>>> signs. Although, a customer could have us clone a drive for a
>>> malware issue if they so desired. By default, we always copied
>>> docs, favorites, emails etc before doing anything... But, you
>>> know, different places have different policies.
>>
>> I work mostly with home users and small businesses and a lot of
>> times they have personal stuff they want to save. So I'll do a
>> quick backup of that data and then I'll do the full backup.
>> Sometimes they just want a reinstall. There are times when they
>> tell me not to back up because the data isn't important. In David's
>> response he seems worried about saving data so I wondered why he
>> wouldn't back up.
>>
>>>
>>> Why do you spend the additional time to clone an entire drive for
>>> a malware removal job?
>>
>> It doesn't take that long most of the time and it's a lot safer for
>> the user's data. In most cases it actually takes longer to install,
>> upgrade and reinstall software for the customer. Most of the time I
>> back up less than 150 GB.
>>
>>>
>>>>>
>>>>>> I know there are a lot of fly-by-night computer repair
>>>>>> people who are just there to do a quick fix and get paid, I
>>>>>> find myself cleaning up after a lot of them.
>>>>>
>>>>> I've encountered a few of those in my time as well.... I enjoy
>>>>> the work they provide me tho.
>>>>
>>>> Me too. I especially get a kick out of the ones who don't
>>>> do backups and leave various screws out.
>>>
>>> Or, use the wrong screws and strip one of the drives :)
>>>
>>>>> Tell me something, John, as a PROFESSIONAL, have
>>>>> you written any of the tools you use for cleanup; or do you use
>>>>> the work others have written, such as myself, David lipman and
>>>>> many others?
>>>>>
>>>>
>>>> For the record, I'm not trying to get into some pissing
>>>> contest. I was just making a suggestion as to how to fix the
>>>> problem laid out in the OP.
>>>
>>> I understand. It just seemed as if you were being a wiseass
>>> towards David, from my POV. I didn't personally see any need in
>>> doing that. We can all be professional and civil here.
>>
>> David was being a wiseass himself and I can understand why he
>> didn't respond. He seemed worried about losing data by simply
>> removing the system restore points so I naturally wondered why; a
>> backup can solve this problem. I guess he realized it was a good
>> idea so then he got snippy.
>>
>>>
>>>> I use software others have written. I'm not a software
>>>> engineer. I'm a professional computer repair person. I find that
>>>> competence in one profession such as software engineering
>>>> doesn't translate into something else like tech support. I've
>>>> been repairing computers for close to 25 years and have learned
>>>> a lot. One thing I've learned is a backup saves a lot of trouble
>>>> and allows for different approaches to be tried.
>>>
>>> Well, a backup is a good way of having an escape route should
>>> something go wrong. :) From a software aspect tho, I haven't
>>> really encountered much malware that would justify the time I
>>> spent on imaging the drive first. I wasn't in charge of billing
>>> tho, so that may have played a part in that.
>>
>> I don't work for any company; I work freelance. Like I said, most
>> backups are small and usually take from 20 minutes to a couple of
>> hours. I don't charge by the hour; I charge by the job.
>>
>>>
>>>> So tell me what products have you and David Lipman
>>>> written and where can I check them out?
>>>
>>> I've written all kinds of old utility style apps, as you've been
>>> around so long you might know a few of them.. Cmoscon, encode,
>>> delock, and various others. If you're into crypto/security, you
>>> might even know the old dos file/freespace wiping app called NuKE
>>> and/or possibly CryptX.
>>>
>>
>> I've heard of some of those.
>>
>>> In more recent times, I developed an antimalware scanner (that's
>>> why I found your description on how they worked amusing. hehehe)
>>> called BugHunter. I did a stint as a malware researcher for an app
>>> called Malwarebytes antimalware..
>>>
>>
>> I don't know why you would find it funny because a virus writer
>> will use anything to hide a virus. What smarter way is there than to
>> hide them in each and every folder in "system volume information"? I do
>> believe that what the system had was a variant of the Virtumonde
>> trojan. If you did research on malware then you know virus writers
>> will take existing malware and modify it. I found one thing to be
>> true in the world of malware: NOBODY knows everything about every
>> malware variant out there. You can believe me or not, it doesn't
>> matter.
>>
>> John
>
> You do appreciate that Dustin Cook was once a virus writer himself,
> don't you, John?

Does it matter that much, BD? Do you feel I haven't been honest with
the fellow and so you need to remind persons of that aspect?

> There is a school of thought that suggests that once a computer has
> been compromised, one can never be *certain* that it is clean - and
> that it is always best to re-install the operating system ... on
> a formatted hard disk, wiping out all partitions first.

That school of thought does exist, yes. I don't subscribe to it tho.



--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
From: Dustin on
ASCII <me2(a)privacy.net> wrote in news:4c56ecb9.3069546(a)EDCBIC:

> ~BD~ wrote:
>>
>>You do appreciate that Dustin Cook was once a virus writer himself,
>>don't you, John?
>
> Your use of the word "was" suggests that he indeed did once fall
> into that category, and further that he no longer does.

Can you prove otherwise?

> Is that assumption based upon acceptance of his statements offered
> in a forum in which he himself has admitted to lying?

You don't have to accept my statements, just find one virus after the
year 2000 that you can link to me and you win. Or, option B, accept the
fact you won't be able to do that because I haven't written anything
virus related since Irok. Your choice. Either way, I still win.

From: David H. Lipman on
From: "Dustin" <bughunter.dustin(a)gmail.com>



| That school of thought does exist, yes. I don't subscribe to it tho.


It does exist. However, first you perform a Cost-Benefit Analysis (CBA).


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: "FromTheRafters" erratic on
"~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
news:toGdnUklcMbUccjRnZ2dnUVZ8hgAAAAA(a)bt.com...
> ~BD~ forgot to add the link showing support for his view!
>
> http://technet.microsoft.com/en-us/library/cc512587.aspx

He added a qualifier here:

"If you have a system that has been completely compromised, the only thing
you can do is to flatten the system (reformat the system disk) and rebuild
it from scratch (reinstall Windows and your applications)."

I can agree with that. The thing is, what do you consider to be a compromise
and what do you consider to be a complete compromise?

If I discover a downloader downloaded some adware, I might just remove the
adware. If it downloaded some various and sundry other malware then the
"unknown" factor becomes prevalent - and flatten and rebuild becomes the
best route. A known trojan application for fake-AV scareware probably
doesn't require such drastic measures. If I figure the ingress vector was a
since-patched vulnerability exploit worm, I wouldn't just automatically
assume that hackers have also used that exploit's zero-day window to increase
the "unknown" factor - I would just address the worm.

Not that he's wrong; a healthy paranoia is a good security asset. The value
of the protected resource figures in heavily as well.


From: John Slade on
On 8/1/2010 2:46 PM, ~BD~ wrote:
> John Slade wrote:
>> On 8/1/2010 8:24 AM, Dustin wrote:
>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>> news:i32s10$653$1(a)news.eternal-september.org:
>>>
>>>> On 7/31/2010 4:21 PM, Dustin wrote:
>>>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>>>
>>>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>>
>>>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>>>
>>>>
>>>>>
>
>>> In more recent times, I developed an antimalware scanner (that's why I
>>> found your description on how they worked amusing. hehehe) called
>>> BugHunter. I did a stint as a malware researcher for an app called
>>> Malwarebytes antimalware..
>>>
>>
>> I don't know why you would find it funny because a virus writer will use
>> anything to hide a virus. What smarter way is there than to hide them in
>> each and every folder in "system volume information"? I do believe that what the
>> system had was a variant of the Virtumonde trojan. If you did research
>> on malware then you know virus writers will take existing malware and
>> modify it. I found one thing to be true in the world of malware: NOBODY
>> knows everything about every malware variant out there. You can believe
>> me or not, it doesn't matter.
>>
>> John
>
> You do appreciate that Dustin Cook was once a virus writer himself,
> don't you, John?
>

I didn't know Dustin Cook existed until he responded for
you. But I've been reading some in alt.comp.viruses and I find
it well...interesting... If he wrote viruses then he more than
anyone should know that what I said happened is indeed possible.

> There is a school of thought that suggests that once a computer has been
> compromised, one can never be *certain* that it is clean - and that it
> is always best to re-install the operating system ... on a formatted
> hard disk, wiping out all partitions first.

That school of thought is pretty common but I've found
that the vast majority of infected systems can be saved without
reformatting and installing. It all depends on what the malware
is and how much damage has been done. If every infected HD were
formatted at the sign of malware, very little data would be
saved unless you back up important data.

>
> I'm just a user - but that's how I think too! ;-)
>

I'm a user and I find that backups save me a lot of
trouble. I know my HD will fail. As a repair tech, I know my
customer's HD will fail so I back up. Some of my customers want
to save the data so I back up before I remove malware. Some don't
care and ask me to format and install.

I've been reading some in alt.comp.virus and it's pretty
amusing.... I'm starting to understand more and more why I'm
getting the responses I'm getting... ;)

John