Re: Ex-Brother-in-Laws infected PC and possible trouble

they will most likely be using aproxy - probably some haxored pc running windows.

Re: Ex-Brother-in-Laws infected PC and possible trouble

It's your baby now, hope you like trips to hell. If all his files have been encrypted by the malware, you can't even copy them elsewhere! Well, you can, but w/o the decrypt keys, they may as well be empty.

They're gonna be all set up and hardened long before they start scamming/pushing, so even if you think you've found an "in," the IP could be spoofed/proxied for all you know.

Here's the deal: That shit got on there thru some third party script/banner/whatever, that merely used the system as whitespace to "advertise" their numbah. As typical with social engineering, they prey on the stimulus-response. He called the number, probably gave them a code that tied the event back to them; a means for them to "customize" the crap he was "convinced" to download. Sheepishly, he took it; what is this, discount week at jiffy lube?

Now, by his own actions, he's in over his head.


I hope this sinks in for anyone else reading: Use a hosts file!

Coming up on 2016, it's just plain STUPID not to!

For anyone foolish enough not to run a hosts file, you kill the power at the first sign of the time-delayed droppers! Then, wipe cache/temp/etc. Like any of that needs repeating...


Wouldn't be surprised. That thing downloaded could be just that! Sort of how microshit does P2P on any computer to help "update" (infect) others, and "spread the love."

Re: Ex-Brother-in-Laws infected PC and possible trouble

I agree, they probably will be running some sort of proxy. However, perhaps they own the proxy or if I could get into the proxy, I could look through the logs and find their real IP addresses...

Re: Ex-Brother-in-Laws infected PC and possible trouble

I believe I'm familiar with the scam he fell victim too. I've seen it on maybe three or four customers PCs and I know a couple computer suave people who had friends / acquaintances who also fell victim. Typically, there's two variants, perhaps ran by the same scam artists. The first one, they call you saying you have a virus and need you to go to a website to remove it. Generally, they claim to be Microsoft.

The second one, the one that my ex-Brother-in-Law fell for, you go to a website, a pop-up appears, it looks like a blue-screen of death. It doesn't look like a pop-up, although it is. If you simply close the browser using CTRL-ALT-DEL or maybe ALT-F4 or just shut it down and restart, you're fine. The window gives you a number to call, claiming it's a Microsoft number and they'll fix it for free. When you call, they get your e-mail address, phone number and address. Then they instruct you on how to go to a website. You go there, download some trojan, and when you run it, they connect to your PC. They lock you out of everything, including the registry. At this point, they say in order to fix it, they need something like 200$. I knew a person who gave them credit card number, social security number, address, banking info, etc. Everything they asked for to "prove" his identity.

My ex-Brother-in-Law was smart enough to shut it down when they connected to his PC. I told him to bring it in. I doubt any files are encrypted. Albeit there are viruses that can and do encrypt your file system, the few variants that I've dealt with, with this virus, weren't that sophisticated.

Generally, when ever I come across any infected PC, I simply hook the hard drive up to my Linux box, copy the data off, saved passwords, bookmarks, etc and just format, reinstall. I've found once your PC is infected, even if you have an AV or program like Anti-Malware Bytes, there's really no way to be certain there isn't something lurking behind. Rootkits seem to be extremely hard to remove. I've tried, just for fun, to remove one. Got one removed once but could never get internet back on the machine. No matter what I did, the IP stack was gone. Had to format and reinstall.

One last thing, I believe once he downloaded what they told him too and when he installed it, they actually go through your PC. Probably using some sort of script, to grab saved passwords, etc. I really hate people like that, that take advantage of other people. Thought it'd be fun to just try and mess with them a little.

Re: Ex-Brother-in-Laws infected PC and possible trouble

Wouldn't they still need a real IP address in order to receive any information from the infected PC back to their servers? When I say real IP address, I mean to include proxy addresses as well. I know you can spoof your IP address, inject custom packets into the network, etc, but without a real IP address, data could never be returned to the sender, correct? It'd be kinda pointless, being one-way-only. Less you where just trying to get in and then had a dropper or something install software that connects back to a real IP, IRC server, etc. Right?

Re: Ex-Brother-in-Laws infected PC and possible trouble

you or them can get a real or more-real i.p. just by using a UDP ping.
dont underestimate the number of ways you can both manipulate and work around the routing.

Re: Ex-Brother-in-Laws infected PC and possible trouble

With hundreds if not thousands of domains registered daily for nefarious purposes using a host file is pretty much a waste of time, sure it will stop some bit definately not all. Far better to follow the advice of security professionals and secure your browser and stay fully patched and updated.

Mayware tends to communicates with a server somewhere, means the criminals behind it can push other software out to "their" computers. Whilst you might be able to find that maybe but I doubt you'll be able to find who is controlling it.

It will be interesting to see if its real or fake crypto malware.

Re: Ex-Brother-in-Laws infected PC and possible trouble

disable flash
disable java bytecode

if your using windows and they still have it after the IE5 incidents - disable active-x etc.

Re: Ex-Brother-in-Laws infected PC and possible trouble

No script, Ghostery, an ad blocker and click to run flash. And i wouldn't use IE.
And don't be an admin, be a user.

Re: Ex-Brother-in-Laws infected PC and possible trouble

Yeah, hostfiles don't really provide the security that they used to. In Linux, there's distros you can use to setup a PC as a firewall and I've seen software that inspects in the packets for known attacks. Perhaps the software also searches the incoming packets for known malware / viruses. You know, block the shit before it hits the local client rather than at the actually client. I'm sure Windows has a similar feature.

Re: Ex-Brother-in-Laws infected PC and possible trouble

I want to say I got a white letter from Java saying that they actually recommend not installing it on PCs unless absolutely necessary and then only enabling it when it needs to be used, then disabling it right after. Seems with every security fix they where coming out with, they'd find or it'd create a bunch more vulnerabilities. So many devices use Java, just not PCs. A good example is Blu-Ray players. I believe a lot of them are rootable because of some Java exploit. I don't know if they just reverse the byte code to source and find a vulnerability in the code or if they are actually exploiting Java itself.

Re: Ex-Brother-in-Laws infected PC and possible trouble

There was some Malware that a person was exploring. He ran it in a virtual machine and watched the traffic from the virtual machine's NIC to the main PC (having the main PC disconnected from the network). He noticed it was trying to connect to an IRC server and then post an IP address and some other info, maybe usernames or something to a channel. Using a sniffer, he was able to grab the username and password to the channel. He logged in and said something to the one user there. I don't remember what it was. Something like this is the FBI, we're tracking your IP address, do not disconnect (or maybe something totally different). Anyway, the kid thought it was one of his friends messing around with him and when he realized it wasn't, the channel and the guy was gone! I thought that was kinda cool.

Re: Ex-Brother-in-Laws infected PC and possible trouble

ive gone after the scammers before. Amazon AWS as a proxy, or googles cloud hosting thing.

Re: Ex-Brother-in-Laws infected PC and possible trouble

Smoothwall, monowall or pfsense are all good Linux firewalls.
Software to do packet inspection is not cheap and certainly not a Windows feature.
Even so with the thousands of differing types of malware released daily it would still need the signatures to compare against.

Re: Ex-Brother-in-Laws infected PC and possible trouble

Are you saying you've used Amazon AWS or Google's Cloud Hosting thing to hide your IP or they used it? I'm afraid if I try using something like that, if the Amazon servers are in my country, my government could get it and prosecute (if they cared). When I was 14 or 15, I was exploring a Unix type of machine. I didn't mean any harm or anything, but the owner detected my exploration and thought I was a hacker from Cornell (we live maybe 50 miles away or so). Needless to say, she reported me to C.E.R.T. (Computer Emergency Response Team). I believe they were part of the FBI. I got in a lot of trouble but when she found out my age and everything, she dropped all the charges. My parents wouldn't let me use a PC for a full year after that. It really sucked. She was real nice and said next time I want to explore, I might want to contact the owner first and let them know so my actions weren't considered malicious.

Re: Ex-Brother-in-Laws infected PC and possible trouble

I thought for sure, with all the money Microsoft was making, they'd have a stateful packet inspection firewall that they provided with the OS. Just about every Linux distro comes with one for free, iptables. And yeah, maybe a combination of stuff could be used, a signature database that everyone has access too (ie, McAfee, Norton, open-source programs, etc) and then some sort of heuristic type detection. I know Norton for Windows has been working on some heuristic type detection stuff. A lot of false positives though I guess.

Re: Ex-Brother-in-Laws infected PC and possible trouble

Deep packet inspection is expensive enterprise stuff, and the antivirus companies all have their own databases. That way they can claim they are better that their competitors.

Far better to follow basic common security practices. And certainly don't hand your PC to the bad guys.

Re: Ex-Brother-in-Laws infected PC and possible trouble

a number of ISP's run deep-packet inspection on all traffic.
unfortunatly they are only interested in gathering data for the government about everybody.
Virgin runs atleast 2 NARUS units in the fucked-up u.k.

that's the joke here, the governments are the real terrorists or they could use all the shit we pay for to fix things.
for example the ISP's could pinpoint and stop most viruses and port attacks.
they could also provide the courts with a copy of hillary's emails in and out of her server(s)

Re: Ex-Brother-in-Laws infected PC and possible trouble

When I was stationed at Camp Geiger, when I was in the USMC, we had two networks. A secure network for sensitive data and the regular network. I didn't have access to the secure network but I did to the main one. My friend and I ran a portscan on the IPs connected to that network and what we found was astonishing! So many of the PCs where infected with backdoors. Back Orifice was a popular one back then I believe. I just wish I had a chance to run it on the secure network. I reported it to my Sergeant and he didn't do anything. Said he was afraid my friend and I would get in trouble for running the scan in the first place.