One Site + 3 Minutes = System Destruction

This forum is for testing I do with various security settings and tools. Infection infiltration, security lock down among other things. Currently XP Home-w\SP 2 installed


TeMerc
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ

One Site + 3 Minutes = System Destruction

Postby TeMerc » Tue Oct 31, 2006 12:41 am

Well late last week I was off on a malware mission. The objective:
Get me some new nasties.

Nothing too odd or unusual there. I have been doing it most weekends for a while now. Always fun and interesting to see infections pop up and fester, new processes springing to life, firewall alerts from some of those new files, no doubt calling for 're-enforcements'.

Had everything in place:
  • all removal tools and scanning apps all updated
  • resident anti-virus off as well as any 'active' monitors, save WinPatrol. It gives me a good idea of what's happening and makes it easy for me to record some events, time wise.
  • InCtrl5 recorded my 'start point' for the install
  • all non-essential applications disabled from starting, pop up blockers disabled as well along with all firewall and Net settings at their lowest levels
Had a nice fresh list of sites, provided by everyone's fav malware historian, Webhelper.

Off I went. Selected a url, copied and pasted it into the address bar and was brought to a page which said the site was being developed and would be ready soon. Well aware that this is a ploy by many of the scumbags who host these sites to trick users, I just sat and stared at the screen, waiting. Mind you, the site's url was not any sort of malware 'looking' site. Its name was generic, for the Halloween season.

It didn't take long, first a redirect(page never did display), then some file downloads, Scotty starts to bark. ZA starts with alerts about files wanting to get out to the Net. Scotty barks a few more times....ZA pops up a few more alerts. I'm on a roll now. Scotty is barking every 5 seconds or so, and ZA is about matching that with its own alerts for files wanting out.

OOpps.....no more task manager......opppss.....there goes Process Explorer.......Scotty still barking......ZA needs a pop up blocker!!

Uh oh, Scotty is quiet......are we done? No, wait...........Scotty is gone, disabled and not shown in the task bar............wait, what taskbar? That's gone.

Screen is frozen, but oddly enough, the mouse pointer can be moved about. Partial windows from Scotty and ZA are viewable, but not really active. All this taking place in about 2-3 minutes.

Ok, I wait about another 2 minutes, once it has quieted down. I figure, ok time to reboot and see what we have collected. Many of the files were well known. BraveSentry was the rogue du jour that day.

I push in the power button, hold for approx. 5-7 seconds, reboot process starts. Box gets to the 'Windows is starting' screen......"click'.......reboots......hmmmm. Ok, let's see what happens now. Box gets to the 'Windows is starting' screen......"click'.......reboots......Box gets to the 'Windows is starting' screen......"click'.......reboots......Box gets to the 'Windows is starting' screen......"click'.......reboots.......

((O grgr =+\

What's going on, I think. Ok, let's power off and give 'safe mode' a shot. Reboot, press F8, get safe mode selection screen, select safe mode, box gets to the 'Windows is starting' screen......"click'.......reboots.....Box gets to the 'Windows is starting' screen......"click'.......reboots....... <?>

Ok, let's get back and try safe mode w\command prompt......Box gets to the 'Windows is starting' screen......"click'.......reboots......Box gets to the 'Windows is starting' screen......"click'.......reboots...... ?>!

Safe mode with Networking, last known good configuration, nada, nuttin, zilch.

Only does this:
Box gets to the 'Windows is starting' screen......"click'.......reboots......Box gets to the 'Windows is starting' screen......"click'.......reboots......Box gets to the 'Windows is starting' screen......"click'.......reboots......

grgr <?> ((O :twisted:

Ok, so after consulting with Blender, we figure let's try the XP recovery console. We get there, try some commands to try and figure out what's gone wrong. Check list of services, nothing odd there. Noticed that in the sys32 folder, where usually many system files reside, the back up folder i386 is gone. Nowhere to be found. So, after poking around some more, we conclude the best thing is a repair of XP.

This essentially replaces many if not all of the system files leaving most of your data intact.

Go thru the process, takes a little while, I get no errors of any type, proceed to boot up after I'm told the repair has been completed and:
Box gets to the 'Windows is starting' screen......"click'.......reboots......Box gets to the 'Windows is starting' screen......"click'.......reboots......Box gets to the 'Windows is starting' screen......"click'.......reboots......

Then I even got an odd error, odd only in that it happened once:
ntoskrnl.exe file is corrupt or missing

I proceed with what appears to be the most likely fix, and that does not work, or does it? It errors out, saying that the floppy\disk is not inserted. Well, we know that can't be it, because we just repaired XP.

So, I then began to poke around the sys 32 folder to see what was there. Ohhh boyyyy....what a mess. At least 25-30 files were all known nasties and that's excluding the multiple of a couple.

Another oddity, while the search in RC found all of the files below, a renaming of said files, in an attempt to perhaps reboot the OS generated a 'file not found or does not exist' error.

Here is a list, along with some links, makes a fun read.
Well, so needless to say a reformat was in order.

The lesson learned from all this kids:
  • Never go onto the Net without being fully patched up. Most of the severe damage was run thru known exploits in the OS.
  • Always have a good firewall or be behind the extra precaution of hiding behind a router.
  • Always run updated anti-virus. I'm quite certain, seeing as most of these were relatively known malwares, a decent av would have prevented most of the installs.
  • And the biggest lesson learned: Never run testing on anything short of a 'throw away system'
rofl

Well I'm ready for another go round. Let's see what happens next weekend. Hopefully nothing as bad as this, but you never know, and that's why it's always good to have a layered approach to Net surfing.

Blender
MS-MVP
Posts: 61
Joined: Sat Jan 29, 2005 2:01 am
Location: Ontario, Canada

Postby Blender » Tue Oct 31, 2006 11:39 pm

Well TeMerc;

If you really wanted to take care of it easy like...
If you could get the box booted up..(keep trying) all ya gotta do is right click the C:\ drive in "my computer" and choose "Format"! :lol:

The option is right there all this time!

heh!..and here we are going through all that mumbo-jumbo with the xp cd....

Go figure!

Ummmm...wait a minute....darn thing don't work. :(
Windows gives some silly error about the drive being in use or something like that...

<<SIGH>>...lol

disclaimer:just kidding, inside joke
Never Give Up!


Postby TeMerc » Tue Oct 31, 2006 11:40 pm

Blender wrote:Well TeMerc;

If you really wanted to take care of it easy like...
If you could get the box booted up..(keep trying) all ya gotta do is right click the C:\ drive in "my computer" and choose "Format"! :lol:

The option is right there all this time!

heh!..and here we are going through all that mumbo-jumbo with the xp cd....

Go figure!

Ummmm...wait a minute....darn thing don't work. :(
Windows gives some silly error about the drive being in use or something like that...

<<SIGH>>...lol

Wow, live and learn.......I'll have to go back to that site and see if the box gets trashed again, and try that method.

You're a genius!!

Postby Blender » Tue Oct 31, 2006 11:49 pm

Really TeMerc...

You should "Practice what you preach" and watch where you are surfing!! :|

It is not nice running around those XXX sites and looking for cracked software! Shame on ya! :twisted:
Never Give Up!

MysteryFCM
Site Admin
Posts: 3721
Joined: Sun May 15, 2005 12:42 pm
Location: Newcastle, UK

Postby MysteryFCM » Wed Nov 01, 2006 8:02 am

hehe :twisted:
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!


Postby TeMerc » Fri Feb 02, 2007 8:24 pm

How Long Does It Take To Catch A Computer Virus?
Would you believe only 8 seconds?

By Clive Maxfield
Feb 1, 2007

I just read an incredibly scary article on the British Broadcasting Corporation (BBC) website in the UK on Computer Viruses.

As described in this article, reformed ex-hacker, Jacques Erasmus, demonstrated just how dangerous things have gotten these days. Basically they took a Windows XP computer and connected the poor little scamp to the Internet without providing it with a firewall or any anti-virus software.

This brings to mind an image of staking a goat in the middle of a field and waiting for the wolves to come (or the dinosaurs in the case of the movie Jurassic Park). So how long did it take for the wolves (viruses) to attack? Days? Hours? Minutes?

In fact, after only 8 seconds, the unsuspecting little rascal was undergoing the machine equivalent of being turned into a "Pod person from the planet Mars!" First, it was hit by Sasser, one of the fastest spreading worms on the Internet. Then it started downloading strange programs from mysterious internet addresses. Then it started looking for other machines to infect.

Within five minutes, the little rapscallion was running so many malicious programs that it was running totally choked up and its CPU was 100% occupied performing virus-related tasks.

Information Week
Tom wrote:HA! I say, my system was crushed in far quicker time.

hewee
COU Update Specialist
Posts: 124
Joined: Sat Feb 18, 2006 7:38 pm

Postby hewee » Wed Feb 07, 2007 3:32 pm

Wow after only 8 seconds.

That is why I say get your downloads like your firewall, AV, anti-spyware etc. downloaded and burned to a CD before doing a reinstall of Windows.

Then make sure you can not get online and then install windows.
Then install your Anti this and Anti that programs and your firewall.

Then get online and update these programs first because it takes less time.

Now go to MS update and get the ton of updates.

Even better do it with a router and hosts file too from the start.


Postby TeMerc » Wed Feb 07, 2007 4:08 pm

You have to realize tho, they did this on a system with weak defenses so who knows if they were running any firewall or anything.

At least when I did my run I gave some specifics, which really makes a difference IMHO.

And also for my run, once I pasted the URL I got hit faster than seconds, it was immediate, and then a slow crawl for 3 minutes before the thing just gave up the ghost.


Postby hewee » Thu Feb 08, 2007 4:13 pm

It said no firewall or AV was used in the test.

I know of techs that know better who have installed a new OS and goofed up by going to MS Update first and got into trouble because they were not protected right to get online.
