Windows XP hijack

Started by Hans Manhave, October 05, 2011, 03:53:16 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Robin Deatherage

Quote from: Mark on October 11, 2011, 04:34:40 PM
Quote from: Robin Deatherage on October 11, 2011, 04:32:01 PM
I saw a new variation of a fake anti-virus infection last week.  It took some time but I finally got rid of it by running combofix and malwarebytes in safe mode then ran them both again in normal boot up.

How are people getting this stuff these days?  I must just be lucky here.
Well the user who got this infection claimed she was trying to go to a grocery store website to get the phone number of the bakery and then "all of a sudden" strange things started happening.  My guess is she typed it incorrectly and then clicked on something she shouldn't have.  You probably have things locked down tighter than I do or your users are more careful than mine. 
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Quote from: Robin Deatherage on October 12, 2011, 08:44:30 AM
You probably have things locked down tighter than I do or your users are more careful than mine.

I do use a layered approach -- meaning I'm not just using one thing to protect me.  Do you at least use the free version of OpenDNS as your DNS forwarders?  I think that helps a little.  the paid version woudl probably help a lot, lol.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Billy Welsh

Quote from: Jeff Zylstra on October 07, 2011, 03:34:22 PM
Quote from: Billy Welsh on October 07, 2011, 02:53:53 PM
You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Haven't these guys heard of drive imaging?  If these are closed loop systems that don't do anything but operate the drones, I would think that they could re-image these drives since all of them should be the same.

SCARY - Apparently they did not do a very good job of physically securing this network.  While they say it did not affect operations, it sure could have.  And some of these puppies are carrying missiles!

http://www.myfoxny.com/dpp/news/military-computer-virus-wasnt-directed-at-drones-20111012-apx
Billy Welsh
Director of Accounting
LCMC Health

Jeff Zylstra

Quote from: Billy Welsh on October 13, 2011, 09:47:46 AM
Quote from: Jeff Zylstra on October 07, 2011, 03:34:22 PM
Quote from: Billy Welsh on October 07, 2011, 02:53:53 PM
You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Haven't these guys heard of drive imaging?  If these are closed loop systems that don't do anything but operate the drones, I would think that they could re-image these drives since all of them should be the same.

SCARY - Apparently they did not do a very good job of physically securing this network.  While they say it did not affect operations, it sure could have.  And some of these puppies are carrying missiles!

http://www.myfoxny.com/dpp/news/military-computer-virus-wasnt-directed-at-drones-20111012-apx

I'm guessing that some dude plugged his memory stick into an unhealthy playstation and infected the whole network.   I hope they keep investigating this. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

Quote from: Jeff Zylstra on October 13, 2011, 10:10:51 AM
I'm guessing that some dude plugged his memory stick into an unhealthy playstation and infected the whole network.   I hope they keep investigating this.

They were operating against policy and using removable drives to transport video and other data between machines.  They probably did use imaging once they finally decided to rebuild everything.  In fact, I bet that they WERE using imaging but the image they were using was infected, so they had to break down and build a new one.

Base images are awesome to have.  Creating them though, is at the bottom of my fun list.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Agreed, Mark.  I never go through the hassle of automating the new image.  I've found it much easier to just go through all of the Windows new installation questions than to program everything to automatically fill in domain names, etc....

I thought that I read somewhere that this was the proscribed method of transporting and sharing surveillance and reconnaissance videos.  If that were the case, you'd think that something like an Iron Stick would be used, and that the auto run features would be disabled along with registry hacks to block auto runs.  If I know about that stuff, you'd think that they would know about it too!
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

I was actually picturing removable drive bays.  Not sure why, but that's just what I pictured.  Basically, where the whole hard drive slides out and the user essentially takes their computer with them.

It's almost like virtual desktops, the sneaker net way. lol  But who knows, maybe it was just a WD Passport.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: Mark on October 13, 2011, 12:20:28 PM
I was actually picturing removable drive bays.  Not sure why, but that's just what I pictured.  Basically, where the whole hard drive slides out and the user essentially takes their computer with them.

It's almost like virtual desktops, the sneaker net way. lol  But who knows, maybe it was just a WD Passport.

I'm sure that we will never know since how they do things going forward will probably be more classified, if it isn't already.  Hopefully this will bring about change.  I'd hate to see a Predator missile fly over my house headed for Wisconsin.  ;)
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Lance Bateman

The "fun" part - apparently the video from the drones is not secured, can be captured with a $23 piece of equipment!  Ah me, the joys of not having experts set this up.  When they worked on setting up the Navy/Marine Corp Intranet - of course it was lowest bid, and even then Congress delayed funding so long most of the initially hired staff (I was one) found other work.

Per Marines I've talked to (many), it still doesn't work well.

Bob

That was 2 years ago Lance.  Since then it's been encrypted after being embarrassed by militants picking up the video feed.  :)

Jim Jensen

Quote from: Bob Connor on October 14, 2011, 11:13:12 AM
That was 2 years ago Lance.  Since then it's been encrypted after being embarrassed by militants picking up the video feed.  :)

I just heard the other day that they are still getting the new equipment spread all around and that there are still unsecured signals until they replace every transmitter and receiver. I have no corroborating info to validate, but have no reason to question it, either.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Lance Bateman

Jim's got the current status - still in the process of updating things, and they still haven't removed the malware fully - in fact they are trying to work around it right now.

The NMCI project - well, I think it's basically 9 years behind so far???

Bob

Talking two different issues..  Malware that got on drones (which had no impact other than embarrassment) recent news and militants using simple child monitors and catching video stream which is old news.

I get my military news email almost daily..  Full of stories before they hit the press.  Next one I get I'll share the link.  Interesting stories from around the world and video clips that will keep you visiting.  :)

That said I do believe in what Jim said that not completely done yet but I suspect the ones in use today sure are.  :)

Donna Syroid

So friends back to one of the questions.  How are these virsus getting into our systems.  One thing mentioned is that someone accidently typed the wrong url.  What are some other ways?  What about a marketing rep putting their USB disk in our machine to open something.  The same one that he just took from another agency office.  Is there a list of things to avoid that we can give to our users?

Lance Bateman

1. Don't allow anything that has been used outside (pc, drives, etc.) to be hooked in to the system without first being scanned by AV.

2. Be sure you have something blocking suspect sites you don't want.

3. Caution all that if they get a site that doesn't look like what they want, back out and make sure they put in the address correctly.  For instance, Denny's has one for a customer survey they are doing at www.dennyslistens.com, but if you put in www.dennylistens.com instead you get a whole different site.