Gizmos Freeware Reviews  

#31, 23. Sep 2017, 12:32 PM
satrow (Senior Member, Join Date: Mar 2012, Posts: 104)

From what I can tell, the current estimate of those infected by the targeted secondary payload is likely to be some 2-300 machines, all belonging to (or connecting from the networks of) the 20(?) companies listed. Total connections to the infected server were likely to have been in the region of 3,000,000 machines (though I'm unsure whether these include any running x64 Windows = total connections vs. x86 only = susceptible to the initial infection).

The secondary infection also seems to include some 'file-less' elements - would these even survive a shutdown/restart if the infected files/remnants have been removed?

So, those secondary infected machines, even all machines from those listed companies that connected to that server during the latter part of August through the 16th(?) of September, would need to be flattened and rebuilt - but I'm yet to be convinced that a wipe/reinstall is needed for those non-company x86 machines that only had the initial infection.

The certificate used was valid but stolen to patch into the modified .exe and wasn't itself infected; it was used as camouflage to bypass security software because most (maybe all) A/Vs don't check an executable with a valid signature...
#32, 23. Sep 2017, 02:16 PM
Burn-IT (Senior Member, Join Date: May 2010, Posts: 502)

Quote:
because most (maybe all) A/Vs don't check an executable with a valid signature...
Really??
Are you sure you are not confusing this with the flag that the AV puts there to say it has already been checked (in the current environment)?
Most AVs do use a flag to save rechecking if nothing has changed, but if you "touch" the file in any way it will be rechecked.
Posted by Burn-IT
#33, 23. Sep 2017, 02:49 PM
deya (Senior Member, Join Date: Oct 2009, Location: UK, Posts: 1,286)

To be sure, if you still have CCleaner installed, and even if you're running the 64-bit version, and you've done over-the-top installs of CCleaner, it may be an idea to check the 'Previous Versions'.

Program Files - CCleaner; right-click on the top one of the two listed .exe's - select Properties - then the Previous Versions tab. If there's something in there, scan it.

If there is a previous version in there, it could be infected with Backdoor:Win32/Floxif.

Still not 100% convinced that 64-bit versions are totally free of this.
#34, 23. Sep 2017, 06:42 PM
satrow (Senior Member, Join Date: Mar 2012, Posts: 104)

Quote:
Originally Posted by Burn-IT View Post
Really??
Are you sure you are not confusing this with the flag that the AV puts there to say it has already been checked (in the current environment).
Most AVs do use a flag to save rechecking if nothing has changed, but if you "touch" the file in any way it will be rechecked.
I may be, but doesn't security software check for the existence of a verified digital signature/security certificate as part of the initial check on Run/Execute of an installer or new or updated file?

An infected exe remained undetected by anything for four weeks with all the attention of modern AVs, Security and Cloud suites, firewalls, HIPS/anti-exploit software, heuristics and associated telemetry uploads. It's not like it was a rare software with just a handful of downloads.

Does Talos have something new and radical in their latest Beta, or have they gone back to scratch and are checking everything instead of trying to tune their current software for speed and low-impact?

Whatever the reasons, it must be excellent publicity for them and something of a wake-up call for the other security software devs, eh?
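The two posts above argue about whether a valid signature should count as an "all clear" and whether older copies of the CCleaner .exe deserve a scan. The PowerShell below is an added example, not something posted in this thread: it reports signature status, signer, file version and SHA-256 for the installed CCleaner binaries side by side, so a validly signed file can still be matched against a known-bad hash list. The install path, file names and the hash list are assumptions; the placeholder hash must be replaced with values from a vendor advisory, since this page gives none.

```powershell
# Added example (not from the thread). Lists trust-relevant facts for each
# CCleaner binary in one record. A valid Authenticode signature alone is not
# proof that a build is clean; the hash comparison is the decisive check.

# Placeholder: fill from a vendor advisory. No hash is taken from this page.
$KnownBadSha256 = @(
    'PLACEHOLDER_SHA256_FROM_VENDOR_ADVISORY'
)

# Assumed default install location and file names; adjust as needed.
$Targets = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "$env:ProgramFiles\CCleaner\CCleaner64.exe"
)

function Get-BinaryTrustReport {
    param([string[]]$Paths, [string[]]$BadHashes)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $ver  = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Path       = $p
            Version    = $ver
            SigStatus  = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer     = if ($cert) { $cert.Subject } else { '' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            Sha256     = $hash
            # True when the file, signed or not, matches a known-bad build.
            KnownBad   = ($BadHashes -contains $hash)
        }
    }
}

Get-BinaryTrustReport -Paths $Targets -BadHashes $KnownBadSha256 | Format-List
```

This only inspects the files currently on disk; the 'Previous Versions' copies mentioned earlier live in Volume Shadow Copies and still need the manual check described above.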
#35, 24. Sep 2017, 02:13 PM
Burn-IT (Senior Member, Join Date: May 2010, Posts: 502)

They may well have just flagged everything as new until it has been checked by the latest release.
I would really expect ALL updated versions of security software to do this as a matter of course, but many may skip it "because it takes too long and the user might get upset".

Last edited by Burn-IT; 24. Sep 2017 at 02:41 PM.
#36, 25. Sep 2017, 05:33 PM
deya (Senior Member, Join Date: Oct 2009, Location: UK, Posts: 1,286)

New analysis from the Avast Threat Labs:

https://blog.avast.com/additional-in...urity-incident
#37, 25. Sep 2017, 07:11 PM
Sope (Senior Member, Join Date: Feb 2009, Location: Wales, UK, Posts: 1,174)

Quote:
Originally Posted by deya View Post
New analysis from the Avast Threat Labs;

https://blog.avast.com/additional-in...urity-incident
Thanks... an interesting read!
Posted by Sope