VIRUS-DTV-UPDATE (READ ME)

Initiate
Posts: 905
Joined: Thu Feb 04, 2010 11:15 am


PostFri Dec 09, 2011 4:48 pm » by Chronicnerd


Posting this so users can have a direct link and not have to dig for this information:
Actually,

I was hit both at work and home...

Unfortunately, there are a few issues here:

1.) It is a ZBOT Trojan... this one comes up as ZBOT!GENY or ZBOTGENY~ or any offshoot from that likeness.
2.) It is *brand new*, as in the binary image of this trojan infection is not known by almost all repositories regarding "digital infections"... well until yesterday it wasn't.
3.) It is a *SMART* trojan virus...and when I mean *SMART*... this was *NOT* some kid or backwoods hacker...this is *VERY* well done...as in the person who implanted this specifically targeted this website and its clients...visitors. (will go into some of the things I have been tracking since yesterday around 7ish in the morning)
4.) It dumps user information to some IP addresses that end up in various places located in EUROPE. When I mean user information...not this site folks...and I will get into this in a bit.
5.) It spreads to *known* system executables as well as looks over network drives and tries to identify *known* common executables as well as things like MSI (installer) files and will wrap a *spoof* launch header onto it...so...as an example...you decide to be *smart* and/or were *smart* and had backups of your data and common install files located...oh say on a NAS drive...yeah...clean install...you start to install your applications... *pow*...you get it again.

The Nasty Part:
This is a *VERY* sophisticated piece of work. It has several proxy servers that dish up templates for specific types of logins...such as banks...trading accounts (i.e. fidelity, etrade, etc)... and the like.
When I say *VERY* sophisticated...as an example...if you login to say...your online banking (Chase, Bank of America, etc). It will wait for you to fully login and then use an IFRAME window (main site goes a little dim) and a window *FORMATTED SPECIFICALLY FOR THE THEME OF THE SITE* will pop up and ask for a BUNCH of information claiming they are the bank and just "tightening up their security".

DO NOT FILL OUT OR GIVE OUT ANY INFORMATION TO ANY POPUP AND/OR OVERLAY WHEN YOU LOGIN TO A SITE THAT FALLS INTO THE ABOVE CATEGORY WITHOUT *FIRST* CALLING THE SERVICE AND READING EXACTLY WHAT IT SAYS TO A REPRESENTATIVE OF SAID SERVICE!!!!

How I caught the binary and the headaches it has caused me in the past 24 hours:
At work I helped design our server architecture (although it isn't what I do specifically) and decided to virtualize everything for many purposes. The primary reason being that it allows for easy backup of the entire OS as a full disk image and you can fully utilize a server by running multiple "virtual servers" on one box. The ancillary but now I am thinking *primary* reason in my book as I move forward...is that in the event some major viral infection took place I could simply restore our images from a day or two prior to the estimated time of infection to be 100% sure.

What I ended up seeing was that the virus had made its way into a good number of one of our file servers that hosted "installation files" for various tools and utilities common to my work place. My workstation was always running in a virtualized instance with remoteFX through one of the Hyper-V servers that hosted some virtual workstations...not all people at my workplace had this setup...but luckily the majority of them did not get *hit* as they don't *FREQUENT THIS SITE*... and yes... it came directly from this site.

The virus is more than likely not the owners' fault...per se... as it actually embedded itself inside their ADVERTISING...which belongs to a different group who evidently has *NO CLUE* what they are doing regarding security. Their advertisements *CRAWL* with malware evidently.

So, long story short this "trojan virus" will install itself via several different mechanisms, some through exposed codecs...some through the "click here" to continue...some through those annoying "invisible" popups that were offscreen and would start playing some form of "movie"...I think you guys know what I am talking about...you would click a couple of posts in new tabs...and then start hearing a movie playing...like an advertisement...but see no advertisement. I had noticed this awhile back and just thought :"what a crappy advertisement group"...and figured it was a bug.

Well, it wasn't... it was evidently a group of hackers (which I will tell you who I think they are in a second) that were "testing the waters"... seeing if anyone at the advertisement group would notice...and obviously they didn't...and why I am saying they are *CLUELESS* or just don't care (again...not the site owners' but the advertisement group this site was using...which...if you notice...isn't it odd the advertisements have just "stopped"?).

So...what I did was create a "virtual environment" that was closed off from all resources and reloaded an image prior to the day I got infected... which was Wednesday of this week (the 7th). Sure enough the little binary went to work and was busy infecting all sorts of things... I managed to get several samples of the binary and have submitted them to Microsoft's viral infection group (MS Security Essentials and/or MS End Point Security division) who are updating their tables as well as moving this infection up to the proper groups/authorities that are looking into the sources of where this thing came from.

Anyway, I have the convenience of having multiple pipes coming into my work place...so...I decided to play "follow the white rabbit"... and traced their packets through a packet sniffer and Microsoft Forefront Threat Management Gateway to figure out who I was going to have to kill for trying to screw with not only my personal account information... but my company's information (we deal with specific types of data that require relatively high levels of security)...

I am sure you want IPs... but as I said I have moved this whole thing to the "proper groups" who are now looking into the folks responsible for doing this shit. What I will say is that it looks like the "dumps" of information as well as the "pulls" have come from several locations which appear to be forms of "proxy" servers that then hop to another server which hosts the "fake info popup pages". The cute part was that I managed to enter information that *wasn't* correct for one of the services that I use for financial purposes (not saying which because some of the folks who did this actually have accounts here on this very site). The data was dumped...yet again...to a EUROPE location...but this was more "direct"...although I am sure it is a panzy/temp server that was compromised by this group as they seem to love to piggy back on other people's shit.

Either case, this looks to be the work of... you ready for this?

Anonymous

Yeah... evidently there were some people who didn't like what was being said on this site... and they decided to "deep six" it... as in sic a bunch of hardcore hackers on it to not just "hack" the site... but screw with everyone on it...as in...make everyone's life miserable...empty bank accounts...pull funds from IRAs or the like... and put an end to not only this site....but most everyone on the site...as in leave a bad taste in everyone's mouth enough to make them "think twice" before being part of a community of this "type"...

Either case, this was something that looks to be started back around June of this year. The images/binaries were actually compiled using a specific compiler that, unknown to many people, actually logs a hash key into the image in order to track things just like this. So, someone somewhere will be getting a nice visit by some friendly men to talk to them about their "SkillZ0rZ"... and then putting them in a very small room for a decade or two to think about what they have done. Information logged was their originating IP, provider IP, machine ID, as well as other information that will make it pretty simple to figure out who the person was who actually hit the "compile" button while constructing this shit.

Either case, I would recommend backing up only your DATA... completely erasing your hard drive... better yet...buy a new hard drive... re-install your OS... re-download any software you might use (i.e. don't even think about using those "backups" of things like Firefox install or the like... more than likely if it was on a NAS and you are in a small network environment...and you have the NAS drive mapped and it was on between the 6th and today....and you hit this site....both it and your computer are infected).

If you think you got "tight security"...then I would highly recommend downloading MICROSOFT SECURITY ESSENTIALS. I will not post a link here, because it just doesn't make sense...google it...verify you are downloading DIRECTLY FROM MICROSOFT...and do a FULL system scan....which will take awhile.

So... this would be the steps:
1.) Download Microsoft Security Essentials FROM MICROSOFT...no CNET...no other location!
2.) Install it and let it update... you should get a relatively new update (like yesterday or it will be out today or tomorrow) which will be able to fully identify this virus/trojan.
3.) Once MS Security Essentials has updated...unplug your computer from the network.
4.) Run a full scan on your computer...depending upon how many files...this could take upwards of 10-15 hours...again...depends upon how many files... if you got less than 1TB then shouldn't take more than a few hours.
5.) If you see something like : ZBOT GEN Y (with any number of characters in between) then you got hit... and it would be *highly* recommended that you pretty much clean out both your computer and NAS.

I am not saying just go delete everything.
I am not saying that everyone got infected.
If you are not sure what to do and you are infected... turn your computer off... and either find a friend or family member who knows more about this stuff and can help you only extract DATA...from the drive...
I only *suggest* getting a new drive because it does appear to have the footprint of a "rootkit" trojan and does look like it can open ports typical for both sending and receiving information.

First step... Security Essentials... most other virus detection software will not see this for awhile...and this might very well be a "targeted" virus/trojan (as I suspect)... so it might not be a "wide spread" and not on many other virus protection group's list as having to be "immediately updated"... MS is very aware of this specific event and ~should~ be updating their MSE virus/malware definitions.

Either case, I cannot say what the owners of the site will be doing regarding their advertisements as this looks to be a directly focused attack on the site using the advertisement groups *POOR* security and evidently *CLUELESS* IT folks...who up until yesterday evening had no idea they had been compromised.

Finally, if you are part of the "scout" group for the Anonymous Tards...you evidently don't realize how many SOFTWARE GIANTS you have pissed off in the past six months...who have already made many adjustments to their compilers...OSs... as well as how information is tagged...

After all... the majority of you guys (Anonymous Tards) are young...don't know that hacking existed before you were born...and there are *some* of us "old guys" who actually helped write the book on hacking.

I hear jail isn't so bad...well... here in America that is... not sure how some of those European countries handle jails...but hey... once you are in jail... you truly will just be some "anonymous" person caught up in a political game...which is the difference between yourselves and say...some of us "older" folks...who have the wisdom to know the difference between right and wrong.

Cheers!

-CN




Looks like they are on it (man I like Microsoft...they really are cool peeps):
Definitions Created on: 12/9/2011 at 4:51 AM
Virus definition version: 1.117.718.0
Spyware definition version: 1.117.718.0

So, Microsoft Security Essentials looks to have the updated definitions already available....

It's free... Microsoft owns the OS...and they have what I would say are the best if not the very top of the best Tech guys on this planet... IT to Programming... and they work 24 hours a day (rotate between offices around the globe)...

Again...not posting a link here just for security purposes... download directly from Microsoft...

Cheers,

-CN
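The post's warning about installers on a mapped NAS drive being rewritten (point 5 above) is the kind of thing a hash manifest catches. The following is an added example, not code from the original post: it records SHA-256 hashes of .exe and .msi files on a share while it is known clean and later reports anything modified, added or missing. The share layout and file names in demo() are constructed for illustration.

```python
# Added example, not code from the original forum post: check installer files
# on a network share against a SHA-256 manifest recorded while the share was
# known clean. The post warns the trojan rewrites known .exe and .msi files on
# mapped drives, so reinstalling from such a share can re-infect a wiped machine.
import hashlib
import os
import tempfile

# File types the post says the trojan goes after on network drives.
WATCHED_EXTENSIONS = (".exe", ".msi")


def sha256_of(path):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each watched file's path (relative to root, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WATCHED_EXTENSIONS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def verify_share(root, manifest):
    """Report files whose hash changed, files that appeared, and files that vanished.

    A changed or new executable on a share that should be static is exactly the
    signal the post describes: do not run it, re-download it from the vendor.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "new": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed share: take a manifest, then tamper with one installer and drop a file."""
    with tempfile.TemporaryDirectory() as share:
        _write(os.path.join(share, "tools", "editor-setup.exe"), b"MZ original installer bytes")
        _write(os.path.join(share, "office.msi"), b"\xd0\xcf\x11\xe0 original msi bytes")
        manifest = build_manifest(share)
        # Simulate the trojan wrapping its own launch header around the .exe
        # and dropping an extra executable onto the share.
        _write(os.path.join(share, "tools", "editor-setup.exe"), b"MZ spoof header MZ original installer bytes")
        _write(os.path.join(share, "update.exe"), b"MZ dropped file")
        return verify_share(share, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is taken from a share that predates the infection window and stored off the share, so the trojan cannot rewrite it along with the installers.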

Conspirator
Posts: 2200
Joined: Wed May 12, 2010 2:54 pm

PostFri Dec 09, 2011 4:57 pm » by Thruster


Thanks for that, Chronicnerd.

:cheers:

Conspirator
Posts: 2820
Joined: Thu Nov 05, 2009 6:11 am
Location: I am MEME

PostFri Dec 09, 2011 5:06 pm » by Shaggietrip


Thank you CN.

I will get it now and see what happens. I have been hacked before when I used to run a server on hotline. Also been hit by other things in the past. So wiping HDD and getting new ones is nothing new to me. The biggest pain in the arse is getting all the sofwarz installed and getting back to where I was. Frikkin days of work. Guess I will run the MS Essentials and see what happens.

Thank you for the post.


:cheers:

Conspirator
Posts: 7955
Joined: Thu Jul 22, 2010 4:20 am
Location: FEMA region 1

PostFri Dec 09, 2011 5:37 pm » by The57ironman


:pray: :pray: chronicnerd :pray: :pray:

so....

just because we didn't pick up anything with a virus scan doesn't mean we don't have an infection..?

i never click links from someone i don't have trust in ...and never click the ads...

i hit the ''back 'to page' button'' and got past the big ad....

i might have clicked on that ad where it said ''click here to continue to the site'' once though ...

would this infect people ''we'' send sh*t to..?



i know a little bit about hardware...and nothing about programming or software

i may be old, but not very stupid :mrgreen:

.......f*ck it..........dilligaf..?

Super Moderator
Posts: 12260
Joined: Fri Jul 18, 2008 7:12 pm

PostFri Dec 09, 2011 5:40 pm » by Spock


ATHEISM:
The belief there was once absolutely nothing. Nothing happened to the nothing until the nothing exploded into everything. Then all of the exploded everything rearranged itself, into self-replicating bits which turned into dinosaurs.

Conspirator
Posts: 2820
Joined: Thu Nov 05, 2009 6:11 am
Location: I am MEME

PostFri Dec 09, 2011 5:50 pm » by Shaggietrip


the57ironman wrote: :pray: :pray: chronicnerd :pray: :pray:

so....

just because we didn't pick up anything with a virus scan doesn't mean we don't have an infection..?

i never click links from someone i don't have trust in ...and never click the ads...

i hit the ''back 'to page' button'' and got past the big ad....

i might have clicked on that ad where it said ''click here to continue to the site'' once though ...

would this infect people ''we'' send sh*t to..?



i know a little bit about hardware...and nothing about programming or software

i may be old, but not very stupid :mrgreen:


I did the same thing. I am unable to install the MS essentials for reasons of my own. If you do install MS Essentials Iron let me know what you come up with. I did run several scans with other softwarz but came up clean.

:cheers:

Conspirator
Posts: 7955
Joined: Thu Jul 22, 2010 4:20 am
Location: FEMA region 1

PostFri Dec 09, 2011 6:02 pm » by The57ironman


shaggietrip wrote:
the57ironman wrote: :pray: :pray: chronicnerd :pray: :pray:

so....

just because we didn't pick up anything with a virus scan doesn't mean we don't have an infection..?

i never click links from someone i don't have trust in ...and never click the ads...

i hit the ''back 'to page' button'' and got past the big ad....

i might have clicked on that ad where it said ''click here to continue to the site'' once though ...

would this infect people ''we'' send sh*t to..?



i know a little bit about hardware...and nothing about programming or software

i may be old, but not very stupid :mrgreen:


I did the same thing. I am unable to install the MS essentials for reasons of my own. If you do install MS Essentials Iron let me know what you come up with. I did run several scans with other softwarz but came up clean.

:cheers:



i'm waiting :roll: for my ''tech'' guy to get back to me... :sleep: :sleep: :sleep:

.......f*ck it..........dilligaf..?

Super Moderator
Posts: 6420
Joined: Fri May 14, 2010 7:03 pm
Location: YOU ALL FLOAT DOWN HERE

PostFri Dec 09, 2011 6:18 pm » by Troll2rocks


As I said in a previous post, remove system backups and... oh screw it, only so many times I can write the same thing lol.


PS, I knew one of my posts ruffled a few feathers a month back. I even received threats.

Here it is again...


Yes anonymous contains some really talented and angry hackers, also more cautious and guided voices, it is also by the nature of the mechanism with which it operates, prone to anyone who wants to wield a computer in any way good or bad.

The vast majority of the Anonymous (Legion) are nothing more than students and children, who are not smart enough to cover their tracks or even realise the lengths to which the kind of actions they take, will affect them personally. Mexico and the whole Zetas kidnapping fiasco should be a lesson to those who are not capable enough to achieve the goals set out and in the process actually keep themselves "Anonymous".

(Note to any online fire child, if you have information, that is of political or high significance, leak it before those who gain to lose know you have it)


Nothing so far has achieved any good whatsoever, nothing valuable or significant has been released unless used as a threat against those who catch the incompetent members.

Anonymous actually started I believe, as a split off from Wikileaks, along with a few other information leaking sites branching off from Wikileaks, the core members were more radical than were wanted for a public perception, or so the story goes.


The idea being bring together the masses and connect all hackers who want to use their talents as part of a collective assault against high profile targets, which in the process would gain notoriety for the (Legion) however, the results as of yet have not been great, however the brand has grown and more and more bedroom keyjockeys are joining in from around the world, they even set up sectors in all major societies such as Mexico, Spain, UK, etc etc, each part of a collective but with perhaps different goals, and different morals.

The random concoction of skill sets that anonymous has, varies greatly. Those with intelligence and a greater and better understanding of social climates and the do's and do not's of information technology, do not post YouTube videos threatening Israel and they do not issue statements threatening Sony.

The people that get things done, you never see, or hear about, they do not mingle on the Dark net and organise hits, they are the hit.


The vast amount of the Anonymous Legion may have no idea what is actually happening, I believe there are a very few core members, from very impressive backgrounds, who may be wielding the collective in ways that are yet to be realised. They do not mingle with them and they do not talk about intent or even promote their work (which is understandable). However they founded it, and work in conjunction with its effects.

So bear that in mind, I would look at Anonymous as an inspirational platform from which one day, something impressive will grow, but for the time being, it may be good intentions and the will and determination of a core few who are keeping it alive. By actually doing things that are not reported or even widely known about except by the core few. Yet, anyway.

Just imagine what you can do with an army to distract and focus attention ?


Shhhhhhhhhhh


concerning-the-anonymous-cyber-legion-t62380.html?hilit=Anonymous


Now also I would like to state that Anonymous are not a legion, they are not even heavily connected, they are simply a collection of sub groups of cyber warriors and bedroom key jockeys, all with different goals, morals and ethics. Anonymous could be a name given to the whole collection of hackers/crackers/scripters/infiltrators/fillers/etc etc


This kind of nonsense comes from the juvenile drunkard collection that like to cause problems "to people" rather than the apparent goal of principles set out when Anonymous was first announced, which was "corporate corruption". These actions are usually the work of either a group trying to gain profit, or a lone sad case that finds joy in causing people heartache and misery.

These tactics fall into the, " I'm a prick " category.


PPS, Anonymous also has some seriously good hackers and think tanks that are trying to achieve good things, you never hear of those though.

Super Moderator
Posts: 9826
Joined: Mon Jul 21, 2008 12:57 pm

PostFri Dec 09, 2011 6:28 pm » by Marduk2012


never had these problems ure talkin aboot!

:think:

im wondering if this is an american only event?
________________________
"I don't know which me that I love.
Got no reflection."

Conspirator
Posts: 4804
Joined: Sun Jun 07, 2009 3:38 am
Location: On God's green earth

PostFri Dec 09, 2011 8:27 pm » by Newearthman


So worst case scenario is what?

1. All my info stored on my computer or used on other websites is known by the hackers and I could end up losing money from my bank account.

2. My computer will slowly become un-useable and I will have to throw it away.

3. I will infect other computers by sending info like an email.
"Man in the world of technocracy has never yet invented anything that is not already present in nature"
