I saw this one last week
One of my co-workers got this crap on his PC last week. The rogue DHCP server drove me nuts until I figured out what was happening and shut down the infected PC. Bastards!
One of the most notorious rootkits has just acquired a self-propagating mechanism that could allow it to spread to new victims, a security researcher has warned. A new version of the TDSS rootkit, which also goes by the names Alureon and TDL4, is able to infect new machines using two separate methods, Kaspersky Lab researcher …
"The second method is to spread over local area networks by creating a rogue DHCP server and waiting for attached machines to request an IP address. When the malware finds a request, it responds with a valid address on the LAN and an address to a malicious DNS server under the control of the rootkit authors. The DNS server then redirects the targeted machine to malicious webpages." ...... That is the covert, back door, underground approach to executing renegade regal rogue code. For the boldly going, brash, gate-crashing version with full post modern transparency, there is the zerodaily front door bell ring suite of options with many a simpler and more complicated and sophisticated hammer to break open the nut, as was earlier shared and Registered ..... "Just out of a matter of professional and personal interest, who is the prime contractor/supplier of virtual and/or virtuous armaments to the UK? And what is their email address? Any idea, or is that something they have to make up yet and then hide away lest anyone contact them and send them a carefully crafted little package/bit packet which renders their services and systems exposed and fully compromised and practically useless/virtually incompetent?
It is hard not to think of anything which may be presently stood up and drawing any funding at all, being nothing other than another model of yore gravy train trying to protect old establishments and systems rather than ensuring that new ones are failsafe created and future proofed against SMART IP Promotions/Programs/Pogroms/Pirates/Privateers." .... which has no reply, ergo is not false, and is UKGBNI open to/for Virtual Attack and/or Provision of Future Lead Business with Real SMART Shenanigans?
Round Table Great Games stuff, with definitely no nonsense? Imagine it's true, ..... what a to do, eh?
Either you're very prepared or this thing can't be killed with 1 program alone, but several instead.
We just had something at home that destroyed my moms bootmngr - oblitterating their pc and tried to infect my laptop through the network.
Suffice to say that winpatrol stopped it.
Luckily im paranoid and have combined winpatrol, avg, spybot and malwarebytes.
The same PrevX who deliberately and covertly infected 22,000 PCs with malware... helped by the BBC's Spencer Kelly... and a bunch of Ukrainian criminals... using TV licence payer's cash to grease their palms?
The same PrevX who can't explain how they managed to 'uninstall' the same infection from all of the machines they infected, or compensated those they couldn't recover?
So does this mean there's new 'rootkit/worms' exposé episode of BBC Click in production?
Im sending BBC (and whatever hack reporter it was) a huge bill for the 6 and a half hours of time lost in the middle of the day I had to spend cleaning this thing off my laptop two weeks ago.
And if they dont feel like paying out, the reporter in question had better hope they don't set foot in the US or a country that will extradite to the US. Im dead serious about this, I was logged onto the NIPRnet (Army Knowledge Online specifically) when my computer went down. When you're connected to the NIPRnet, SIPRnet, or JWICS, you're a US Government information system. And last time I checked, the Army, Department of Defense, and FBI tend to frown upon bovine feces like this.
Anyway, if anyone else has to deal with this, it really really sucks. The rootkit itsself had to be cleaned with 4 programs, it installed a Trojan that was difficult to detect as well, and required a fifth program to detect and remove. Of the commercial or publicly available tools out there, only Kaspersky managed to detect it, and they're the only ones who had a removal tool that worked.
It made the mistake of corrupting a driver that I could override driver signature enforcement on, so fixing it was relatively simple when I isolated what it was, but it was a real pain. I'd be more than happy to inflict some back if it indeed is some sort of stupid "documentary".
"And if they dont feel like paying out, the reporter in question had better hope they don't set foot in the US or a country that will extradite to the US. Im dead serious about this, I was logged onto the NIPRnet (Army Knowledge Online specifically) when my computer went down. When you're connected to the NIPRnet, SIPRnet, or JWICS, you're a US Government information system. And last time I checked, the Army, Department of Defense, and FBI tend to frown upon bovine feces like this." .... FrankAlphaXII Posted Sunday 5th June 2011 07:58 GMT
There's the problem child identified, FrankAlphaXII, by your very goodself. A Dynamic Network Application with Sub-Prime Plugins/Input Values. Whatever else can you expect whenever you facilitate such low level feeder intelligence access to high level gathering seed information systems ...... "When you're connected to the NIPRnet, SIPRnet, or JWICS, you're a US Government information system."
And quite why the Army, Department of Defense, and FBI would provide such a crapper of a system whenever they, last time I checked, tend to frown upon bovine feces like this, tells you that their Base Algorithm for Security and Defense with an Advanced Intelligence Network Infrastructure, is shot to pieces/crack hacked/as watertight as a sieve and would need to be completely remodelled .... a new system built from the ground up, for presently is the no defense against the zeroday attack parameter.
Without such a radical move, which in other words would be a shutting down and dismantling of Internal Bullshit Management systems, is more and more deeply pervasive catastrophic grief, inevitable and unstoppable.
Ps. That information and intelligence is free. And you are heartily encouraged to share it widely for there is no cost involved/no fee charged. But the info and intel needed to build ... Requisite Desirable FailSafe Secured Dynamic Systems .... is MkUltraSensitive Proprietary Private Pirate Intellectual Property which is not for Sale and Transfer but can easily be Bought on a License as Expensive or as Cheap as would be Relative to One's Needs, with All Due Regard and Consideration of Universal Supply to Meet Global Demand in ITs Future Feeds and Source Seeds.
And very conveniently, is St Moritz hosting a party this week, and you will surely find out a lot more about everything associated with such Novel Development Applications, and which is not classified and known only on a strictly need to know basis.
And the reason for that strictly need to know secrecy thing is beautifully summed up by Jack Nicholson, who said it best in reply whenever he was asked for the truth in the movie "A Few Good Men" ...... "You can't handle the truth." ...... for it is the destroyer of all evil and a fearsome weapon to behold and wield in hearts and minds and hands which are unprepared for its Awesome Invisible Might.
1) RKill to shut down malicious processes (as best it can).
RogueKiller is another good process-stopper (note: the web page is in French).
2) Malwarebytes' Anti-Malware to remove the crud from the PC.
3) TDSSKiller to remove the rootkit.
I just set my DNS to 220.127.116.11. That way it doesn't matter if there's a rogue DHCP server talking to my machines.
And oh, did I mention I'm probably not vulnerable to these exploits, worms or this rootkit anyways? Why? Because I'm running Windows 98 (second edition), fortified with KernelEx win-NT API enhancements.
Connecting any NT-based OS to the internet = fail. Lookup Internet Survival Time.
Kaspersky doesn't mention if TDSS is making the rogue outbound DNS connection on port 53.
If so then firewall rules whitelisting DNS servers will interrupt the dropper mechanism.
Though I wouldn't be surprised if this has been anticipated and they are using 80 like everything else that doesn't want to be filtered.
Biting the hand that feeds IT © 1998–2021