#1
The new rogue application that's been going around. I was infected by it a few seconds ago, while virtualizing. Anywho, I ran the app sandboxed with Sandboxie, and it still managed to get across, perhaps a mistake on my behalf. But yeah, keep an eye out.
#2
I have 5 different installers for MS AntiSpyware 2009 and all of them will only partly install sandboxed before the below error shows up.
Dregs do remain in the sandbox but a simple delete contents gets rid of everything with no breaches at all.
__________________
Bestest Freebies - Lean, Mean and Clean! Sandboxie, Buster Sandbox Analyser, Returnil, MS Virtual PC 2007, Ghost Images
#3
Is that the full name of it? MS 2009?
__________________
DefenseWall HIPS developer. www.softsphere.com
#4
Looks so; http://www.spywareremove.com/removeM...yware2009.html
__________________
Mac OS X
#5
There's a whole mess of crap (rogues) out there...
http://malwaredatabase.net/blog/
http://www.malwarebytes.org/roguenet.php
http://www.malwarebytes.org/forums/i...p?showforum=30
__________________
"What a long, strange trip it's been"
#6
We have been tracking it since earlier this week; it is being imported by a fake codec install (tubeviewer.exe) but is also travelling with a Z-bot on those installs. http://threatexpert.com/report.aspx?...eb375ab0d3b34e If you would like source URLs then drop me a PM.
__________________
Ade Gill Malwarebytes Researcher
#7
On Vista SP1, I let MAS 2009 install virtualized with Sandboxie and get the same results as Franklin. On XP SP3, the virtualized install will complete normally. I see, however, zero file system and registry leakage (verified by Malware Defender and other means). When I terminate the virtualized session (IE + the virtualized child processes the install spawned), MAS 2009 is gone. My Sandboxie settings are out-of-the-box default.
Nick
Last edited by nick s : February 1st, 2009 at 02:43 AM.
#8
Just tick the damn checkbox to drop rights and nothing will ever be installed...
Not that hard; my nephew could understand it over the phone. Not exactly rocket science.
__________________
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe"
#9
OK, so it's rogue, but is it as good as CyberDefender Ad/Spyware-Sponsored Internet Security with the picture of a naked woman for the Immunize PC icon? Has to have some good points! We are so critical of malware; were it not for that, why would we be here?
Dave
#10
Hmm, not that I have had a chance to play with Sandboxie, but I have one question for those more informed on its operations.
Does it prevent the Z-bot component from actively harvesting passwords/logins etc. and phoning home the data to the mothership? Bear in mind Z-bot clears caches locally and subsequently all logins/passwords re-entered are then collected by it. The collected data is then transmitted back home to the bad guys.
__________________
Ade Gill Malwarebytes Researcher
#11
If your sandbox is configured to only launch certain apps, it shouldn't run in the first place. IMHO, that is the best way of preventing crap from leaking outside the sandbox.
__________________
Windows 7 Ultimate 32-bit - UAC: Enabled - AppLocker: Disabled - Hardware-DEP: Enabled
Realtime: Prevx 3.0 - On-demand: Hitman Pro + Malwarebytes' Anti-Malware + Sandboxie - Backup: Windows Backup
#12
Not an answer, but a question. Would Z-bot hijack a process for transmitting the stolen data, or use its own created process for that chore? Would a decent firewall prevent the transmission, or at least flag it?
Mike
#13
Yes, it injects itself into winlogon.exe and from there into many core system processes. From there it can utilize those processes to do its dirty work. A good firewall will catch the outbound traffic if it's not preconfigured to allow M$ processes by default, but then again, even if a new alert is generated, that would be for the M$ executable name and not the trojan file by its name. HTH
__________________
Ade Gill Malwarebytes Researcher
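The firewall caveat in the post above (an alert names the Microsoft executable, not the trojan that injected into it) is a detection problem as much as a prevention one. As an added example that is not from this thread, the Python below audits constructed personal-firewall log lines: it flags outbound connections from core Windows processes that never need them, whatever a name-based allow rule said, and a single remote host contacted from several different images; the log format, the process baseline and the addresses are all constructed for the example.

```python
import re

# Constructed personal-firewall log lines (not from the thread or any real product).
# Each line records one outbound connection attempt and the image that made it.
SAMPLE_LOG = """\
2009-02-01 02:41:07 ALLOW out iexplore.exe pid=1844 dst=203.0.113.10:80
2009-02-01 02:41:09 ALLOW out winlogon.exe pid=612 dst=198.51.100.7:80
2009-02-01 02:41:12 ALLOW out svchost.exe pid=900 dst=203.0.113.40:443
2009-02-01 02:41:15 ALLOW out services.exe pid=580 dst=198.51.100.7:8080
2009-02-01 02:41:20 BLOCK out tubeviewer.exe pid=2210 dst=198.51.100.7:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<verdict>ALLOW|BLOCK) out (?P<image>\S+) "
    r"pid=(?P<pid>\d+) dst=(?P<host>[\d.]+):(?P<port>\d+)$"
)

# Constructed baseline: core Windows processes that have no business opening
# their own Internet connections. A trusted image name does not make the
# connection trusted once something has injected into that process.
NO_OUTBOUND = {"winlogon.exe", "services.exe", "lsass.exe", "csrss.exe", "smss.exe"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(log_text, fan_in=3):
    """Two checks: (1) an ALLOW for an image in NO_OUTBOUND, which a name-based
    rule waved through; (2) one remote host contacted by >= fan_in different
    images, the trace an injected payload leaves when it phones home from
    whichever host process it landed in. Returns (reason, detail) tuples."""
    findings = []
    images_per_host = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not connection records
        image = rec["image"].lower()
        if rec["verdict"] == "ALLOW" and image in NO_OUTBOUND:
            findings.append(("core-process-outbound",
                             f"{rec['ts']} {image} pid={rec['pid']} -> {rec['host']}:{rec['port']}"))
        images_per_host.setdefault(rec["host"], set()).add(image)
    for host, images in sorted(images_per_host.items()):
        if len(images) >= fan_in:
            findings.append(("shared-destination",
                             f"{host} contacted by {len(images)} images: {', '.join(sorted(images))}"))
    return findings
```

Run `audit(SAMPLE_LOG)` to see the two winlogon.exe/services.exe findings and the shared 198.51.100.7 destination that the blocked tubeviewer.exe line ties together.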
#14
Under: Restrictions -> Internet access, only programs listed by file name are allowed Internet access, so for example: iexplore.exe and/or firefox.exe are listed. These programs could also be forced to run in the sandbox, so based on this info, would the trojan be prevented from transmitting out? fcukdat, you mention it injects itself into core processes; could those files be affected?
#15
Yes, it has been seen to inject itself into the iexplore.exe process, so yes, it could manipulate it under normal circumstances.
My original question was how it would behave in a sandboxed environment.
__________________
Ade Gill Malwarebytes Researcher
#16
Would an Anti Executable stop this from installing / running rather than trying to stop it with a sandbox?
#17
No, since none of the attacks seem to have been the result of a drive-by download. However, some victims don't give many details, and would seem to imply that the infection happened without doing anything:
http://removal-tool.blogspot.com/200...emoval-as.html
Two ways of becoming victimized have been reported by security analysts as: http://www.xp-vista.com/spyware-remo...ntispyware2009
The same with the second method, where the user is redirected to a malicious website which generates popups with dire warnings that your computer is infected with worse than rats. Again, if the user agrees to install, the user will turn off Anti-execution security protection in order to permit the installation. These fake animated scans depend on javascript being enabled. Once the deceptive scan starts, it can be difficult to back out. Here is one from an earlier Antivirus 2009 exploit: http://www.urs2.net/rsj/computing/tests/winantivir2009/
Prevention from these rogue products is simply to have a firm policy in place never to install anything that you didn't go looking for (Brian Krebs tip). Also, not to pay any attention to popup results from a scanner other than your own while online. If in doubt, disconnect from the internet and scan with your own Antivirus product.
---- rich
Last edited by Rmus : February 1st, 2009 at 04:38 PM.
#18
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine. Transition to Ubuntu with NO SECURITY SOFTWARE; however, VirtualBox is great fun. I am waiting for a pop up HIPS for Ubuntu!
#19
Yes it does, and thanks. Prevx Edge knocked 'em on their a$$.
Mike
#20
__________________
MalwareDefender / CFP, GesWall, KeyScrambler - all under the umbrella of Comodo Time Machine. Transition to Ubuntu with NO SECURITY SOFTWARE; however, VirtualBox is great fun. I am waiting for a pop up HIPS for Ubuntu!
#21
Good strategy; however, in my case with this infection, Antivir bugged the butter out of me with block/quarantine pop-ups as I was attempting to install this malcode. The second infection I had access to, Avira didn't 'know' a thing about it. Prevx Edge pulled the rug out from both.
Mike
#22
I was referring to disregarding any popup warnings from any but your own scanner while on line.
---- rich
Last edited by Rmus : February 1st, 2009 at 06:44 PM.
#23
Mike, out of interest, what heuristic settings were you using on Edge?
#24
Edge did not initially flag on its executable (the first one I downloaded), so I wanted to see if Edge's behavioural analysis capabilities would kick in. Also I was told that if left to "fester" this infection would download rootkits and other malcode. Again I wanted to see first hand how Edge responded to this. All this btw done sandboxed, with DefenseWall rights restrictions, under the blanket of Shadow Defender, with a newly created image waiting in the wings... just in case.
Mike
#25
http://www.postimage.org/image.php?v=Pq10Xc0J
Well, not what I hoped to accomplish, but there is the answer. I felt (according to the Edge help file) that I met the criteria of an infrequent software installer (of course that is an arbitrary standard), so this setting is a good balance for me between protection and FPs. Hope this helps.
Mike