Win7 Ultimate x64, Free NOD32 business x64. I visited a website today using IE9 (ESET staff can PM me for a link) and got delivered a payload somehow - I didn't bother to analyse how. The trojan disabled NOD32 and installed its user mode exe c:\program files (x86)\lp\1cc.exe. NOD32 detected the trojan trying to access the web and blocked those attempts. It also detected the trojan exe itself (after it had executed), but not before the trojan had broken NOD32. NOD32 still appeared to "work", but I received the "application protocols will not function" error; I believe the software had tampered with the ESET driver at this stage. I managed to remove the user mode portion of the trojan by suspending the process in procexp, then deleting it, but I couldn't be sure at that stage that a kernel mode payload hadn't been delivered, so I took it off the web, flashed the BIOS, reformatted, and that was that. I think it's worth someone from ESET taking a look at the virus; I haven't had this happen in a long time.
If you still have a sample of this payload (or better yet, the URL itself should be sufficient), it would be really helpful for our virus lab to get a look at this and work on getting the issue resolved. http://kb.eset.com/esetkb/index?page=content&id=SOLN141&ref=wsf
It's not a vulnerability. Once malware is run with admin rights, it can do virtually anything, no matter what security solution is installed. If the malware is still undetected (otherwise ESET wouldn't have allowed it to execute unless you had the signature db outdated or protection disabled), submit it to ESET for perusal.
I've got to disagree, Marcos. NOD32 was up to date, I'm sure of that. I didn't click any links or run any malware myself; the exe managed to download itself and run itself without any user intervention other than opening the web page. It also managed to manipulate/break the ESET driver - either directly (I'm assuming your IRPs are encrypted or protected in some form), so I'm guessing it was through the registry or direct file manipulation rather than an IRP to stop the driver. It had to do something fairly nifty to break the filter driver - that's what I found a bit hard to swallow. If I'd run an exe and it had done that, I would have deserved everything I'd gotten. Thanks dwomack - I've sent them/you the URL.
Ok, but even having security software up to date does not guarantee 100% protection against threats. What level of UAC do you use to minimize the risk of infection?
I'm actually more interested to know if the URL in question exploited a bug in IE9? Also, to be able to disable Nod32, it had to execute itself as an administrator. This also begs questions like: Was it an exploit making use of privilege escalation? Also, were you running as an administrator (UAC disabled)? If you were, and you only use an antimalware application, then you're asking for trouble.
Sorry to hear that. Is your OS up to date with its patches? Also, what about your browser plug-ins, Java & Flash?
Great questions. It's very important to keep track of outdated applications. Using something like Secunia PSI is a great way to keep up.
Yes, everything is up to date, all patched etc. etc. The killer is probably that UAC was off, but having said that, I'd also be interested to know the exploit that allowed a page visit with no clicks to silently download, extract, install, and run a payload. It's all been reformatted and sorted now, and I took the machine off the web as soon as the popups started flying, so I'm not too worried; there must be a buffer overrun exploit in IE9 or something.
Hello, blin, do you use the HIPS of NOD32? The best protection is obtained with the setting "Interactive mode" (to use after "Learning mode"). Warning: the setting "Learning mode" can only be used with a PC without infection. A HIPS is only a tool to protect your computer, not to find infections. You should also know, after the learning period, what you need to block or allow. See for yourself if you can do that.