Dealing with the ransomware trojan


Waddler, resident SF expert, can you please help?

I'm a bit slow to the party, L00b, seeing as it's sorted, but - forum search? (Post #5)

http://www.sheffieldforum.co.uk/showthread.php?p=9427494#post9427494 ;)

 

no clue where from
Exploit? Check Java, Adobe Reader & Flash.

 

http://blog.malwarebytes.org/intelligence/2013/01/cta-unpatched-java-exploit-in-the-wild/

I'm a bit slow to the party, L00b, seeing as it's sorted, but - forum search? (Post #5)

http://www.sheffieldforum.co.uk/showthread.php?p=9427494#post9427494 ;)

egg mask duly plastered ;)

Possible, though Java not installed, Reader up to date & Flash not installed either, with all IE ActiveX etc. plug-ins disabled or set to request permission first - and no browsing or PC activity for any of these tonight (just Outlook, MS Word & IE, 3 sites mentioned, that's it). Will have a check, still.


They're the most targeted ones but there could be other possibilities. Other plug-ins are less targeted but still have vulnerabilities from time to time. Think media players & others - QuickTime, VLC etc.

 

---------- Post added 12-03-2013 at 00:29 ----------

 

...flash not installed either...

 

...and no browsing or PC activity for any of these tonight (just Outlook, MS Word & IE, 3 sites mentioned, that's it). Will have a check, still.

 

Do, & check there's definitely no Flash, because there have been Flash exploits using Word docs very recently.

 

http://xforce.iss.net/xforce/xfdb/81866


Don't use QT/not installed. Last used VLC yesterday, though :suspect: but that was a local file, not streaming.

 

iTunes seemed to get its knickers in a twist yesterday after I plugged my iPad in, which I found odd - never had so much as a hiccup since day one. Had to kill it from Task Manager and restart it. But that was a one-off and mid-afternoon; no 'weirdies' since, until tonight... :confused:

 

Re. Word, good suggestion. I received a newer-Word-version doc tonight from a client; Word (2003) imported it fine and there are some (non-Flash) graphics embedded in it. Though that was a good 2 hrs before the trojan kicked in...

 

It would be a bit rich if that was the source, though: it's from a professional "anti-malware for mobiles" developing outfit!:hihi:

Edited by L00b

Last used VLC yesterday, though :suspect: but that was a local file, not streaming.

 

It wouldn't matter so long as the plugin is enabled in your browser (although you note they're not).

 

If you visit a compromised site (even one displaying a rogue banner ad), you'd be silently redirected to a domain hosting an exploit pack where various exploit code would run - chances are you'd not even know this was happening at all until it was too late, depending on configuration.

 

Sophos noted a lot of otherwise legit sites being compromised just the other day. http://nakedsecurity.sophos.com/2013/03/05/rogue-apache-modules-iframe-blackhole-exploit-kit/

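The silent redirect waddler8 describes (a compromised page, or a rogue banner, carrying an invisible iframe that pulls in an exploit-kit landing page, as in the Sophos write-up on rogue Apache modules) leaves a trace in the page's own HTML. Below is an added example, not code from this thread or from Sophos: a small Python audit that flags iframes hidden by inline style, nested inside a hidden ancestor, or sized 1x1, and rates those pointing off-site highest, since a visible off-site iframe is usually just an ad. The sample page and every domain in it are constructed.

```python
"""Audit an HTML page for hidden or zero-size iframes of the kind an injected
exploit-kit redirect uses.  Added example; not code from the forum thread or
from Sophos.  All markup and domains below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never take a closing tag, so they must not sit on the nesting stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}

# Inline styles that make an element (and everything inside it) invisible,
# including the "park it far off-screen" trick.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)


def _px(value):
    """'1', '1px', ' 0 ' -> int; missing or non-pixel values ('100%') -> None."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def _zero_size(attrs):
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


class IframeAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = (page_host or "").lower()
        self._stack = []          # (tag, hidden_flag) for every open element
        self._hidden_depth = 0    # number of hidden ancestors currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            src = a.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            reasons = []
            if hidden_here or self._hidden_depth:
                reasons.append("hidden")
            if _zero_size(a):
                reasons.append("zero-size")
            if host and host != self.page_host:
                reasons.append("off-site")
            # A visible off-site iframe is normal (ads); only invisible ones are suspicious.
            if "hidden" in reasons or "zero-size" in reasons:
                self.findings.append({
                    "src": src,
                    "reasons": reasons,
                    "severity": "high" if "off-site" in reasons else "medium",
                })
        if tag not in VOID:
            self._stack.append((tag, hidden_here))
            if hidden_here:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed elements in between.
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break


def audit_page(html, page_url):
    """Return the suspicious iframes in html, which was served from page_url."""
    parser = IframeAudit(urlparse(page_url).hostname)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a news page into which the server injects a 1x1 hidden
# iframe pointing at an exploit-kit landing page (hypothetical domain).
SAMPLE_HTML = """
<html><head><title>Local news</title></head><body>
<iframe src="https://ads.example-publisher.test/banner?id=42" width="728" height="90"></iframe>
<p>Story text.</p>
<iframe src="http://landing.example-kit.test/index.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="/stats/pixel.html"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "https://www.example-news.test/story/1"):
        print(f["severity"], f["src"], ",".join(f["reasons"]))
```

Run against a page you fetched with your own tooling (the audit is offline on purpose; fetching a suspect page in a browser is what you are trying to avoid). The same-site hidden iframe is reported at medium severity rather than dropped, because a server that has had a rogue module installed can just as well serve the landing page from its own hostname.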

Not VLC, as it's not enabled as a plug-in (I never allow apps to load plug-ins or toolbars during installs, & such other bloatware)... you could say my browsing is very, erm, 'austere' or, well, 'minimalist' :D

 

Would the trojan 'start' right away on loading the page/banner? As, if that's the case, and much as it pains me to post it, it can only have been an SF banner - that is all I'd had open (1 tab only in the browser, as well) for a good 10 to 20 mins before the hijack kicked off. I mean, exactly per the OP, I was literally mid-typing a reply on SF when the thing kicked off :huh:

Edited by L00b


Well it's just conjecture at the moment anyway. It'd be hard to pinpoint the exact source.

 

But possibly not straight away, no. Banner ads can be rotated too, so you may not see the rogue one straight away anyway - until you refresh the page or open another.

 

Then the redirect has to take place... the exploit code has to run... the dropper has to download & then execute the main payload... It can take just seconds but could take longer.

 

EDIT: If it was on here though, I'd expect others to be complaining too.

 

---------- Post added 12-03-2013 at 01:21 ----------

 

eBay looks a more promising contender.

 

http://www.google.com/safebrowsing/diagnostic?site=eBay.co.uk

Edited by waddler8


A good reason to start using Firefox with NoScript installed!

Downloading 'new' stuff to get rid of malware always makes me nervous, Marx. Generally I will avoid, and only use as a very last/extreme resort.

 

I did find the links melthebell was on about in the first reply with my iPad, but they just looked like the usual fake help 'fakeware' and a potential source for compounding the problem rather than solve it.

 

Still swear by MBAM and HijackThis, besides not venturing into unsalubrious areas of the Web.

That's what I thought. I've not tried the program, but the links looked OK, and Marx independently said he's used it and it worked, exactly as they said... on a USB pen.


HitmanPro is legit - it's really good - very similar to MBAM.

 

If you download it, don't activate the trial until you need it to remove something - you can use the scanner for free, then activate if you need it to get rid of anything with the trial.

 

http://download.cnet.com/HitmanPro-3-32-bit/3000-2239_4-10895604.html

