Welcome to Valhalla Legends Archive.

Help please, I think I'm trojanned!

Started by brew, April 18, 2007, 07:03 PM


Newby

The funniest part is it happened to brew. heh heh heh.
- Newby

[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

<TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.

brew

Quote from: Skywing on April 20, 2007, 02:54 PM
No way to know for sure without reverse engineering the particular piece of malware in question.
Exactly why I am interested in reverse engineering this malware.
7 posts ago...
Quote
Does anyone know how to unpack a PE32 file with UPX packers? I would love to reverse engineer this, and see if I missed cleaning up anything...
Unpacking the "quarantined" files is what I should focus on first. Then I would be able to disassemble and reverse engineer it.
<3 Zorm
[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Newby

First you should make sure UPX was the original packer. :P

brew

I'm 100% confident it was UPX packed.

Newby

Then get UPX (upx.sf.net) and unpack it?
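Newby's two replies together describe the procedure: confirm the sample really was packed with UPX, then run `upx -d` on it. The script below is an added example of that check (written for this page, not code from the thread or from the UPX project). It parses the PE header by hand, lists the section names, and looks for the two cheap UPX signals, the UPX0/UPX1/UPX2 section names and the "UPX!" info-header magic, before handing the file to the real tool. The header-only PE fixtures at the bottom are constructed for the example and are not runnable binaries; `unpack_with_upx` assumes `upx` is on PATH.

```python
"""Confirm a PE file looks UPX-packed before handing it to `upx -d`.

Raw-byte parsing: follow e_lfanew from the DOS header, check the PE\0\0
signature, read NumberOfSections and SizeOfOptionalHeader from the COFF
header, then walk the 40-byte section headers and read their names.
"""
import struct
import subprocess
from pathlib import Path

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"  # magic at the start of UPX's info header


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, in section-table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_header_size,) = struct.unpack_from("<H", data, coff + 16)
    section_table = coff + 20 + opt_header_size
    names = []
    for i in range(num_sections):
        off = section_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Report both UPX signals; a stock UPX-packed file shows both."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n in UPX_SECTION_NAMES]
    has_magic = UPX_MAGIC in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "has_upx_magic": has_magic,
        "likely_upx": bool(upx_sections) and has_magic,
        # one signal without the other: renamed sections or a modified stub,
        # either way stock `upx -d` is unlikely to work unmodified
        "suspicious": bool(upx_sections) != has_magic,
    }


def unpack_with_upx(packed: Path, out: Path) -> bool:
    """Run the real UPX tool (assumed on PATH) on a file that passed the checks."""
    proc = subprocess.run(["upx", "-d", "-o", str(out), str(packed)],
                          capture_output=True, text=True)
    return proc.returncode == 0


def build_header_only_pe(section_names, overlay: bytes = b"") -> bytes:
    """Constructed fixture: DOS stub, PE signature, COFF header and section
    table only. Not a runnable binary; it exists to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH",
                       0x14C,               # Machine: i386
                       len(section_names),  # NumberOfSections
                       0, 0, 0,             # timestamp, symtab ptr, symbol count
                       0,                   # SizeOfOptionalHeader: none, for brevity
                       0x102)               # EXECUTABLE_IMAGE | 32BIT_MACHINE
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + overlay


if __name__ == "__main__":
    packed = build_header_only_pe([b"UPX0", b"UPX1", b".rsrc"], overlay=UPX_MAGIC + b"\x0d")
    plain = build_header_only_pe([b".text", b".data", b".rsrc"])
    print("packed fixture:", upx_indicators(packed))
    print("plain fixture: ", upx_indicators(plain))
```

On a real sample, check `upx_indicators(Path(sample).read_bytes())` first; if `suspicious` is set, the file has been touched after packing (or by a different packer), and a generic unpacker or a manual dump at the original entry point is the next step rather than `upx -d`.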

rabbit

Grif: Yeah, and the people in the red states are mad because the people in the blue states are mean to them and want them to pay money for roads and schools instead of cool things like NASCAR and shotguns.  Also, there's something about ketchup in there.

Newby

Quote from: rabbit on April 20, 2007, 10:44 PM
Quote from: Newby on April 20, 2007, 08:54 PM
Then get UPX (upx.sf.net) and unpack it?
That's too logical.

Shit, I forgot we were dealing with brew.

iago

Quote from: MyndFyre[vL] on April 20, 2007, 12:43 PM
...virii...
Sorry to throw this even more off-topic, but....... the proper pluralization of virus is viruses, not virii: http://en.wikipedia.org/wiki/Plural_of_virus#Use_of_the_form_virii
This'll make an interesting test for broken AV:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
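The EICAR string above is only guaranteed to be detected when the file it sits in follows the published rules, so a fair test of a scanner needs a conforming file. The script below is an added example (mine, not from the thread or from EICAR) that writes one and checks the rules: the 68-byte string must be at the very start, anything after it may only be whitespace (space, tab, LF, CR, CTRL-Z), and the whole file must be at most 128 bytes. The looser `contains_eicar_string` check shows what a naive signature match does by comparison.

```python
"""Generate and validate an EICAR anti-virus test file."""
from pathlib import Path

# The real string has a single backslash; it is doubled only for the Python literal.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = frozenset(b" \t\r\n\x1a")  # space, tab, LF, CR, CTRL-Z
MAX_LEN = 128


def is_conforming_eicar_file(data: bytes) -> bool:
    """True if data meets the placement, trailer and length rules."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILING for b in data[len(EICAR):])


def contains_eicar_string(data: bytes) -> bool:
    """Looser check: the string occurs anywhere in the buffer."""
    return EICAR in data


def write_eicar(path: Path, trailer: bytes = b"\n") -> Path:
    """Write a conforming test file; refuse to write a non-conforming one."""
    content = EICAR + trailer
    if not is_conforming_eicar_file(content):
        raise ValueError("requested trailer breaks the EICAR rules")
    path.write_bytes(content)
    return path


if __name__ == "__main__":
    # Sanity checks on the constant itself: 68 printable ASCII bytes.
    assert len(EICAR) == 68 and all(32 <= b < 127 for b in EICAR)
    out = write_eicar(Path("eicar.com"))
    print("wrote", out, "conforming:", is_conforming_eicar_file(out.read_bytes()))
```

A file that only passes `contains_eicar_string` (the string buried in a larger file, or preceded by other bytes) is not one the scanner is obliged to flag, so a miss there says nothing; a miss on a file that passes `is_conforming_eicar_file` is the broken case.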


brew

That article is somewhat inaccurate:
Quote
The form viri might also be incorrect in Latin. The ending -i is normally used for masculine nouns, not neuter ones such as virus, although there are exceptions such as humus -"soil" which is feminine and vulgus -"crowd" which is neuter; moreover, viri (albeit with a short i in the first syllable) is the plural of vir, and means "men."
Uh... if virus was neuter, wouldn't it have the ending -um? Therefore it'd be virum. And the plural form of 2nd declension nom neuter nouns is "o", therefore the correct plural of "virum" would be "viro".
Although the romans apparently screwed up the ending of "virus", which is actually neuter, one may still note the nom. singular ending is "i", making the entire word "viri", which is translated as "toxins". "viri", as the article claims, would be the plural of "man", however this isn't so. "vir" is a word which does not exist in the latin language. Instead, the correct word for "man" is "vīr" (note the macron over the i) and thus, the plural of "man" is "vīri". (It is also notable that the gen. singular form ending of m/f second declension nouns is also -ī)

rabbit

You're retarded.  Stop trying to play smart.

Kp

Quote from: brew on April 18, 2007, 08:09 PM
Quote from: Grok on April 18, 2007, 07:45 PM
After you've patched your machine, create a non-privileged user which doesn't have install permissions.  Always browse the internet from this low privilege account.  No matter what page you visit, it'll never have permission to install anything locally.

Switching to a low permission account every time one needs to browse the internet seems like a hassle. Also, low privileged accounts are still able to run executable files, and it would just replace and restart an essential windows process being run as a system task, then would have system privileges (correct me if I'm wrong about that at all).

So do not switch when you want to browse.  Instead, run as an unprivileged user except in those rare cases where you need privilege (for example, installing a software update).  This is better anyway, since then you are running unprivileged when interacting with your e-mail program, chat servers, etc.

Low privileged accounts can run executables, but if you are using XPPro, you could use a Software Restriction Policy to deny the ability to execute anything in the most likely places malware will land.  You could also set a Deny Execute as Myndfyre suggested, but that would be part of a DACL that sufficiently advanced malware could change before it tries to execute a helper process.

An invader can only replace a system process if that process runs one or more files that are modifiable by the invader.  If you are running as an unprivileged user, there should not be any such processes that you can modify.  Since the invader will be running as you (barring use of a privilege escalation exploit), it should be similarly curbed.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

brew

Could low privileged accounts inject dlls into system processes? I'm using XP Home Edition 2600.
And by the way, thank you for the intelligent post.

Quote
You're retarded.  Stop trying to play smart.
Immature. Please quit trolling.

rabbit

That wasn't a troll, it was a direct response to your "I know Latin" rant (which you're wrong about, there was no macron in the Latin lingual system).

Barabajagal

Rabbit, I took a few years of Latin in high school, and it is vīr, not vir.

rabbit

I also took 4 years of Latin.  The macron is used in teaching Latin because it helps forming sounds, but ancient Latin didn't have a macron, or even a lower case, actually.  Anyway, my point is, it's vir, a regular 3rd declension masculine noun, and virus, a regular 2nd declension masculine noun.
