Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 31

Thread: Dyre spambot ???

  1. #21
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    I think this is going to be hit and miss trying to find and remove this infection

    https://support.microsoft.com/en-us/kb/972034
    follow the above link to clean host files.

    ~~

    let's set browsers back to default

    Instructions on how to backup your Favourites/Bookmarks and other data can be found below.


    ~~
    Proceed with the reset once done.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  2. #22
    Junior Member Midge's Avatar
    Join Date
    Nov 2016
    Location
    Gold Coast Australia
    Posts
    16

    Default

    Hi Juliet, sorry I had some minor surgery so been out of action for a couple of days, back now and bit stunned, I went to do the daily delist this morning and I got a different message about the infection, It has always said I had a dyre bot but today I got this......


    IP Address 101.184.209.254 is not listed in the CBL.

    It was previously listed, but was removed at 2016-12-02 20:55 GMT (5 minutes ago)

    At the time of removal, this was the explanation for this listing:

    The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.

    Ebury is a SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries (such as ssh or sshd) or a shared library (such as libkeyutils.so) used by SSH.

    Ebury infected hosts are used for criminal activities, such as sending out spam emails or hosting exploit kits.

    How are these detected? Login credentials harvested by Ebury from SSH connections from/to your system were seen being sent to a dropzone server for the malware.

    Further information can be found in CERT-Bund: Ebury SSH Rootkit. We recommend that you follow all of their instructions very carefully.

    One of our correspondant's noted that (on CentOS) an infected libkeyutils.so was around 35K bytes in size, where as the correct one is around 1K. So, one quick check is to find the file (under /lib) and examine the size. If it's much over 1-2K, reinstall it (eg: "yum reinstall keyutils-libs" on CentOS) and see if it changes.

    This has far more detail. Note that it demonstrates that the rootkit even changes RPM checksums, so a RPM verify will not work.

    EVEN IF you cannot find libkeyutils.so, or it is the right size, ebury is probably still present in a substituted ssh, sshd or some other related file.





    What do I do from here???? have you had any experience with this problem.... Midge

  3. #23
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    What do I do from here???? have you had any experience with this problem.... Midge
    I have not had any experience with this and I'm afraid that from what I am reading now, we're in trouble.

    When we first started I read that most have to reformat from this infection but, I had high hopes we could find it and wipe it out but now, I see now we're at the end of the road of what we can do.
    We did remove tid bits here and there but it's not enough and again from what I'm reading....you can't trust this computer now.


    https://www.cert-bund.de/ebury-faq
    If your system is infected with Ebury, it has been root-level compromised and can no longer be trusted. The attackers have probably changed security-related system settings or installed additional malware. Therefore we highly recommend re-installing the operating system instead of trying to clean it up.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  4. #24
    Junior Member Midge's Avatar
    Join Date
    Nov 2016
    Location
    Gold Coast Australia
    Posts
    16

    Default

    Totally agree Juliet, I am on the phone to my provider but suspect complete wipe is the only answer I will let you know how i get on as a courtesy many thanks mate

  5. #25
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Your welcome
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  6. #26
    Junior Member Midge's Avatar
    Join Date
    Nov 2016
    Location
    Gold Coast Australia
    Posts
    16

    Default

    Juliet just for your info... the more I read the info about the virus it appeared to me that my provider had the problem not me... I am with Telstra which is by far the biggest internet provider in Australia they have about 80 percent of the market and 100 percent of the wires... They told me they are having a nightmare with 558 error messages and cant figure out why... I mentioned the info I had and it was like the penny dropped... they have their experts checking it out but I think we might have stumbled onto why they and some of their customers are in this insidious position.. I am supposed to ring them back on Monday evening our time... Could be an interesting call... I will let you know...

  7. #27
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Oh yes please do

    The write up states that it came in from an infected server/host so it could very well be their problem but, I sure do hope they did backups from their end and had them stored offset the servers they use for their customers.
    Could be a nightmare they never dreamed of.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  8. #28
    Junior Member Midge's Avatar
    Join Date
    Nov 2016
    Location
    Gold Coast Australia
    Posts
    16

    Default

    Juliet I am waiting to hear back from my provider tonight, however I am getting different reasons for being listed every time I check, this is the last one from this morning does it shed any more light on the drama..
    Attached Images Attached Images

  9. #29
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    I read it's possible it locates itself in the Master boot record or in the Volume boot record of a computer. This is the worse place imaginable to have an infection if this is indeed where and whats happening.

    Trying to find the most recent version of the infection...(If I did) was it locates in your router from your IP?, this is a big guess.

    Let's try a couple of things.

    Reset your router again...
    turn it off, and turn the computer off.

    Turn the router back on and turn the computer back on.
    ~~~~~
    Then, I found a couple things that might help then again might not.

    http://support.eset.com/kb3471/?viewlocale=en_US
    The above link claims to have a tool (ESET Rovnix Cleaner tool) that will remove this infection or an older version,,can't tell exactly

    The below link is where an infection of this type was removed(3 years ago) with a tool used called TDSSKiller that I have used in the past but not on Windows 10
    https://www.bleepingcomputer.com/for...ovnixgena-but/

    If you would like to try this tool we can but, Since I'm not sure how compatible it is with Windows 10, I want you to create a restore point first in case something doesn't go quite right.
    https://support.microsoft.com/en-us/...-restore-point

    ~~

    Download the latest version of TDSSKiller from here and save it to your Desktop.


    or from the below link

    http://www.bleepingcomputer.com/down...sskiller/dl/4/



    • Doubleclick on TDSSKiller.exe to run the application

    • Then click on Change parameters.


    • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
    • Click the Start Scan button.

    • If a suspicious object is detected, the default action will be Skip, click on Continue.


    • If malicious objects are found, they will show in the Scan results and offer three (3) options.
    • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    • Get the report by selecting Reports


    • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    Please copy and paste its contents on your next reply.



    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  10. #30
    Junior Member Midge's Avatar
    Join Date
    Nov 2016
    Location
    Gold Coast Australia
    Posts
    16

    Default

    Hi Juliet I created the restore point and ran the ESET rovnix detector without success here is the report the other one wouldn't let me copy the report but it also found nothing... it gets stranger by the day


    [2016.12.07 17:22:38.013] - Begin
    [2016.12.07 17:22:38.013] -
    [2016.12.07 17:22:38.013] - ....................................
    [2016.12.07 17:22:38.013] - ..::::::::::::::::::....................
    [2016.12.07 17:22:38.013] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Rovnix
    [2016.12.07 17:22:38.013] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.1.0.2
    [2016.12.07 17:22:38.013] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Nov 24 2014
    [2016.12.07 17:22:38.013] - .::EE:::::::::::::SS:.EE..........TT......
    [2016.12.07 17:22:38.013] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright (c) ESET, spol. s r.o.
    [2016.12.07 17:22:38.028] - ..::::::::::::::::::.................... 1992-2013. All rights reserved.
    [2016.12.07 17:22:38.028] - ....................................
    [2016.12.07 17:22:38.028] -
    [2016.12.07 17:22:38.028] - --------------------------------------------------------------------------------
    [2016.12.07 17:22:38.028] -
    [2016.12.07 17:22:38.028] - INFO: OS: 6.2.9200 SP0
    [2016.12.07 17:22:38.028] - INFO: Product Type: Workstation
    [2016.12.07 17:22:38.028] - INFO: WoW64: True
    [2016.12.07 17:22:38.028] - INFO: Machine guid: 93D0CB18-CF8A-40B5-8495-33309A7E98C7
    [2016.12.07 17:22:38.028] -
    [2016.12.07 17:22:38.044] - INFO: Scanning for system infection...
    [2016.12.07 17:22:38.044] - --------------------------------------------------------------------------------
    [2016.12.07 17:22:38.044] -
    [2016.12.07 17:22:38.044] - INFO: INF_PASI3 - 0x00000000...
    [2016.12.07 17:22:38.044] - INFO: ESET Cleaner Service initialized successfully.
    [2016.12.07 17:22:38.044] -
    [2016.12.07 17:22:38.044] - --------------------------------------------------------------------------------
    [2016.12.07 17:22:38.044] - INFO: Checking active infection...
    [2016.12.07 17:22:38.044] -
    [2016.12.07 17:22:38.044] - INFO: INF_PASGSH2 - 0x00000000...
    [2016.12.07 17:22:38.044] - INFO: INF_PASGSH3 - 0x00000000...
    [2016.12.07 17:22:38.044] - --------------------------------------------------------------------------------
    [2016.12.07 17:22:38.044] - INFO: Checking inactive infection...
    [2016.12.07 17:22:38.044] -
    [2016.12.07 17:22:38.060] - INFO: CHECKING DISK NO - 0 | TYPE - 7 | SIZE - 0x575466EF(698GB)
    [2016.12.07 17:22:38.075] - INFO: EFI detected...
    [2016.12.07 17:22:38.075] - INFO: -> PARTITION NO - 0 | TYPE - 0xEE | BOOTABLE - False | STARTING LBA - 0x00000001 | SIZE - 0xFFFFFFFF (2047GB)
    [2016.12.07 17:22:38.075] -
    [2016.12.07 17:22:38.107] - INFO: 00000001: passed...
    [2016.12.07 17:22:38.107] -
    [2016.12.07 17:22:38.107] - INFO: INF_DIDBD02...
    [2016.12.07 17:22:38.122] - INFO: CHECKING DISK NO - 1 | TYPE - 7 | SIZE - 0x74706DAF(931GB)
    [2016.12.07 17:22:38.497] - INFO: -> PARTITION NO - 0 | TYPE - 0x07 | BOOTABLE - False | STARTING LBA - 0x00000800 | SIZE - 0x74705800 (931GB)
    [2016.12.07 17:22:38.497] -
    [2016.12.07 17:22:38.513] - INFO: 00000001: passed...
    [2016.12.07 17:22:38.513] -
    [2016.12.07 17:22:38.513] - INFO: INF_DIDBD02...
    [2016.12.07 17:22:38.513] - --------------------------------------------------------------------------------
    [2016.12.07 17:22:38.513] - INFO: Win32/Rovnix not found

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •