
Thread: Malware advice

  1. Sith Lord SephStorm's Avatar
    Join Date
    Dec 2009
    Location
    Atlanta, GA
    Posts
    1,707

    Certifications
    GPEN, GCIH, SFCP, CPT, CEH, QND
    #1

    Malware advice

    Non-cert but security related. Got hit with Exploit:JS/Blacole today. Completely unexpected, wasn't even using the computer most of the day but w/e. Long story short, I got hit, did full scans with MSE and MBAM. MSE detected the code in my internet files folders (ie and ff) and when I attempted to launch IE. I removed the files and reviewed my services file, and addons for both browsers, disabled what I found (for some reason ie doesn't include a remove option for toolbars and extensions, just a disable...) anyway. I thought I was good to go but shortly after launching ie got the flag again.

    So my first instinct is to format and reinstall. I may do that but I am interested in a few things maybe you guys can help with. First, based on what I saw on the MS database it looks like this is an exploit kit. Is that correct? How are these kits usually delivered? Being that this doesn't appear to be outside of the browser, is it reasonably safe to backup changed files since my last backup? And finally, is anyone aware of any software that will remove this kit? MSE obviously does not remove the complete infection.

  3. Senior Member ipchain's Avatar
    Join Date
    Nov 2006
    Posts
    290

    Certifications
    <- do not define you.
    #2
    I would start by looking at this post: ISC Diary | Problem with Microsoft Antivirus regarding malware from google website

    If you are indeed infected with Malware, check this other post out: Found Exploit:JS/Blacole now computer virtually unusable - Page 2.

    When analyzing Malware I would normally look at how the computer is behaving, but I would do it in a controlled environment without access to the internet. I would then give the piece of malware what it desires and see how it behaves. For example, if it is attempting to contact wyz dot net I would modify my hosts file and point it to my own machine. I would then start apache and look at its behavior again... this is called 'behavioral analysis', but you can also try to reverse engineer the executable if you have it.

    Process Explorer and Process Monitor are very useful tools when analyzing Malware. Let us know how it goes...
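The hosts-file redirect plus local web server that ipchain describes can be scripted so the lab box records exactly what the sample asks for. The following is an added example, not code from this thread or from any of its posters: it builds the hosts entry that pins a callback domain to the analysis machine and runs a small HTTP "sinkhole" in place of apache that answers every request and logs method, Host header, path, User-Agent and body. The callback domain, the request path and the User-Agent are constructed placeholders, not real indicators; the script assumes an isolated VM with no route to the internet.

```python
"""HTTP sinkhole for behavioural analysis in an isolated lab (added example)."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed placeholder for the domain the sample tries to reach; not a real IoC.
CALLBACK_DOMAIN = "malware-callback.example"


def hosts_entry(domain: str, ip: str = "127.0.0.1") -> str:
    """Return the hosts-file line that pins `domain` to the analysis host."""
    return f"{ip}\t{domain}"


def add_to_hosts(hosts_text: str, domain: str, ip: str = "127.0.0.1") -> str:
    """Return `hosts_text` with any existing mapping for `domain` replaced by `ip`."""
    kept = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # ignore comments
        if len(fields) >= 2 and domain in fields[1:]:
            continue  # drop a stale mapping for this domain
        kept.append(line)
    kept.append(hosts_entry(domain, ip))
    return "\n".join(kept) + "\n"


class Sinkhole(BaseHTTPRequestHandler):
    """Answer every request with 200 so the sample keeps talking; record what it asked for."""

    requests: list = []  # shared log of captured requests

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        Sinkhole.requests.append({
            "method": self.command,
            "host": self.headers.get("Host", ""),
            "path": self.path,
            "user_agent": self.headers.get("User-Agent", ""),
            "body": body,
        })
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html></html>")

    do_GET = _record
    do_POST = _record

    def log_message(self, *_):
        """Silence the stdlib access log; the structured log above is what we review."""


def start_sinkhole(port: int = 0) -> HTTPServer:
    """Start the sinkhole on a background thread; the bound port is server.server_address[1]."""
    server = HTTPServer(("127.0.0.1", port), Sinkhole)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo() -> list:
    """Simulate the sample's beacon against the sinkhole and return the captured requests.

    In the lab the hosts-file entry makes the sample's own DNS lookup land on this
    machine; here we hit loopback directly but send the Host header the sample would.
    """
    Sinkhole.requests.clear()
    server = start_sinkhole()
    port = server.server_address[1]
    req = Request(
        f"http://127.0.0.1:{port}/check-in?id=1",  # constructed beacon path
        headers={"Host": CALLBACK_DOMAIN, "User-Agent": "lab-sample/1.0"},
    )
    urlopen(req, timeout=5).read()
    server.shutdown()
    return list(Sinkhole.requests)


if __name__ == "__main__":
    print(add_to_hosts("127.0.0.1 localhost\n", CALLBACK_DOMAIN), end="")
    for entry in demo():
        print(entry)
```

The value of the sinkhole is the log: the path, query string and User-Agent the sample sends are what you compare against the vendor write-up, and each new domain it asks for next gets its own hosts entry so the run can continue without ever touching the real infrastructure.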


  5. Sith Lord SephStorm's Avatar
    Join Date
    Dec 2009
    Location
    Atlanta, GA
    Posts
    1,707

    Certifications
    GPEN, GCIH, SFCP, CPT, CEH, QND
    #4
    Quote Originally Posted by ipchain View Post
    I would start by looking at this post: ISC Diary | Problem with Microsoft Antivirus regarding malware from google website

    If you are indeed infected with Malware, check this other post out: Found Exploit:JS/Blacole now computer virtually unusable - Page 2.

    When analyzing Malware I would normally look at how the computer is behaving, but I would do it in a controlled environment without access to the internet. I would then give the piece of malware what it desires and see how it behaves. For example, if it is attempting to contact wyz dot net I would modify my hosts file and point it to my own machine. I would then start apache and look at its behavior again... this is called 'behavioral analysis', but you can also try to reverse engineer the executable if you have it.

    Process Explorer and Process Monitor are very useful tools when analyzing Malware. Let us know how it goes...
    Thank you for the ISC link. I indeed was getting the popup when I went to the google website. I updated MSE and do not seem to be having any issues. I suppose the real test will be whenever I restart my system, as the real blacole is supposed to be rough. In any case, after the original removal I looked at my traffic in WS while not connected, and connected to the internet. Didn't see anything that immediately stuck out. I think I will check out PE and PM though, just because I haven't used them before.

  6. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #5
    Malware in your browser cache folder came from a site you visited with the browser. Browsers do not share cache folders, so you know which browser pulled it in. Most Malware requires Javascript, so a plug-in like NoScript for FF, and ScriptNo in Chrome, go a long way to preventing Malware deliveries.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray