Forensics: “Unknown Flash Movie Virus”

(((FORENSICS~BUILD)))

Forensics: “Unknown Flash Movie Virus”

For a friend….

ESTIMATE: Embedded Flash Movie Malware Payload
NOTE: Possible Network Attack Associated – Botnet/Botmaster
SEE: Common Types of Network Attacks – TechNet – Microsoft
http://technet.microsoft.com/en-us/library/cc959354.aspx
(According to payload that executed, spoofed PC Identity apparent, unsuccessful)

DEVICE: Windows Vista HP (Home Premium) SP2 (Service Pack 2, Fully Patched) / IE9 (Internet Explorer Version 9) – on Home Network / Microsoft Security Essentials installed/running.

SYMPTOMOLOGY:
Viewing Flash Movie in embedded webpage player. Best description from user was sudden turbulence of browser and disconnection and system crashings and then the WGA (Windows Genuine Advantage) panel pop up on restart identifying PC as an illegitimate copy of Windows was running. Connectivity was not further possible.

SUSPENDED FORENSICS:
A full payload forensics was suspended citing any in-the-wild attack or proof-of-concept – and is not being posted publicly. Operating System was reinstalled to Factory Fresh – wiping the disk – now fully patched to current operation.
HISTORY: New virus first to infect Macromedia Flash (January 8, 2002)
http://news.cnet.com/New-virus-first-to-infect-Macromedia-Flash/2100-1023_3-803829.html

SYNOPSIS:
Apparently malware payload (not just a virus) executed on Windows Vista HP SP2 / IE9 while viewing flash movie in an embedded player at website. This was the only affected computer on a Home Network with other computers unaffected. Other peripherals and router were not affected. This may constitute as specific targeting of the IP via Network Attack. It seems possible a botnet infection was unsuccessful as connectivity was destroyed, yet the operating system was spoofed and identified as now a pirated copy of Windows via WGA technologies apparently. There were no ransomware activities observed http://en.wikipedia.org/wiki/Ransomware_(malware) …thus the spoofing of the Windows OS (operating system) itself as now a pirate copy indicates the WGA notification window/panel was valid and not a fake shell as some ransomware scam. Note it is possible it was simply a targeted payload to simply destroy the system from further use as the intended malware malicious intent.

DIAGNOSIS:
Apparent multi-malware payload executed through infected flash movie possibly originating from Apple/Mac computer as possibly an iFrame Movie.

iFrame (video format)
http://en.wikipedia.org/wiki/IFrame_(video_format)

Universally and historically Apple/Mac users are in ‘caveman’ days as not using antimalware. Recently things have changed, as infections have increased dramatically in infancy for this operating system. Linux even more so, their users are now told it is “polite” to use antivirus to protect uploading or exchanging any Windows infecting files from a Linux computer that do not affect Linux – but will infect Windows PCs. Newer Community guidelines. Years ago…..

Microsoft JPEG Vulnerability and the Six New Content Security Requirements
http://whitepapers.silicon.com/0,39024759,60129423p-39000575q,00.htm
In November 2004, a critical Microsoft security vulnerability (MS04-028) was discovered which could allow attackers to embed malicious code inside JPEG image files. Until that time, JPEG image files were considered immune to attack. To effectively deal with this vulnerability, security and IT professionals need to incorporate six new and critical content security requirements into their networks.

…..so that this is the idea with an infected flash movie. Simply visiting a website with the infected picture (JPEG) would infect the unprotected PC. Same with infected flash files is apparent here as source of infection.

NOTE…. Was a novice user and is believed there were possible additional clicks not mentioned possible that caused the malware payload execution.

REMEDY:
With a multi-malware payload as opposed to just a virus, the operating system was reinstalled / restored to Factory Fresh condition – wiping the disk first of all data. A much higher quality paid subscription antimalware product was installed and absolutely recommended! Note that Microsoft Security Essentials was the installed and active protection on the PC…. HOWEVER:

Is Microsoft Security Essentials adequate protection?
http://bluecollarpc.us/2013/04/21/is-microsoft-security-essentials-adequate-protection/
Review: Microsoft Security Essentials
http://www.expertreviews.co.uk/software/1295698/microsoft-security-essentials
Microsoft Security Essentials bombs AV-TEST, loses certification
http://www.geek.com/articles/geek-pick/microsoft-security-essentials-bombs-av-test-loses-certification-20121129/
Microsoft Security Essentials Fails Tests, Loses Antivirus Certificate
http://www.bit-tech.net/news/bits/2013/01/17/ms-security-av-test/1
Microsoft Security Essentials fails AV-TEST again
http://www.bit-tech.net/news/bits/2013/01/17/ms-security-av-test/1
Microsoft fights back on antivirus certification fail, claims malware tests …
http://www.zdnet.com/microsoft-fights-back-on-antivirus-certification-fail-claims-malware-tests-arent-realistic-7000009998/

PLEASE REVIEW THE FOLLOWING INFORMATION AND RECOMMENDATIONS….

How to Fix a Flash Virus | eHow.com
http://www.ehow.com/how_5998536_fix-flash-virus.html

Adobe Flash
http://en.wikipedia.org/wiki/Adobe_Flash

SWF (ShockWave Flash)
http://en.wikipedia.org/wiki/SWF

What Is a Flash Cookie?
http://www.ehow.com/info_10020896_flash-cookie.html

Can Flash Extensions Be Harmful?
http://www.ehow.com/info_12229878_can-flash-extensions-harmful.html

How to Check & Uninstall Flash Cookies
http://www.ehow.com/how_5943906_check-uninstall-flash-cookies.html

How to Clear Macromedia Flash Shared Objects
http://www.ehow.com/how_6182429_clear-macromedia-flash-shared-objects.html

Website Storage Settings panel
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

Visit the Adobe Flash Player Settings Manager http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html

It is recommended to be aggressive here and deny all actually, especially noting that nefarious hackers break into microphones and webcams to spy. If having trouble after choosing to block all from being stored on computer go back and make adjustments. Any ‘faster’ use of allowing storage is antiquated and ancient as pertaining to 56K Dial Up years and years ago – as the vast majority have switched to broadband/dsl where available – not quite everywhere though (rural etc).

WEBMASTER BLUECOLLARPC.US
http://bluecollarpc.us/

The BlueCollarPC.US (and former domain extensions) has always been a free Community Help Site and here is a mock severe billing if able to work from an official PC Repair Shop…… LOL

————

JOB BILL / TICKET #001

# Bench Charge………………….$75.00

# Forensics Basic / Suspended…….$25.00
(Normally $150.00 with full reporting)
Discounted!

# Reinstall Factory Fresh Windows…$50.00
…Discounted !

# Fully Patched and Reinstalled
softwares, 18 hours (Vista SP2)….$100.00

TOTAL ……..$250.00

Advertisements

DNSCHanger Malware Removal – Notes Show All (Internet goes dark March 8)

DNSCHanger Malware Removal – Notes Show All (Internet goes dark March 8)

BELOW IS MOST OF WHAT THE AVIRA TOOL IS DOING WITH A CLICK ….

Tool available for those affected by the DNS-Changer
http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

The Truth About the March 8 Internet Doomsday
http://www.pcworld.com/article/250296/the_truth_about_the_march_8_internet_doomsday.html#tk.nl_spx_t_cbintro

US-CERT Current Activity – DNSChanger Malware
http://www.us-cert.gov/current/index.html
http://www.us-cert.gov/current/index.html#operation_ghost_click_malware

Hi all….. one area that is common with this area of malware changes is malware getting into the PC and changing “Hosts Files” for a redirect usually to more malicious websites for nefarious reasons. There are more key words for search such as “IP Spoofing” and “DNS Cache Poisoning” ….

http://www.webopedia.com/TERM/I/IP_spoofing.html
http://en.wikipedia.org/wiki/DNS_cache_poisoning

This is off the cuff but from years of experience with the “badware” as it is sometimes called for a universal term covering all and all they do. I am throwing an educated guess at the payload involved and may even involve some variants or residuals on individual basis per handfuls here and there of hundreds to thousands of personal computers. A Botherder or Botmaster is a Command and Control console type arrangement the culprit (s ) runs and attempts clandestine contact to infected computers that can go into the millions – but to partially set some aside to test out how their malware payload is holding up against detection. They may have purposely infected the handfuls with variants of the payload in an attempt to resurrect the whole episode all over again. They (cyber criminals) have become very, very sophisticated anymore. Any phrase like “doomsday” today can actually be no exaggeration anymore.

The measures taken here by the FBI et al are unprecedented and on the scale of “State Sanctioned”. It has been obviously a measure not only to attempt correction and for protection of all infected computers and their users private data – but to keep internet commerce itself alive, as the loss of millions would obviously have a large effect.

I admittedly only perform some amateur forensics and would need probably days upon days upon days to do a write up for full manual removal and correction of an affected system. I most likely could find the actual payload, as there are handfuls of company online search engines for just that. But, if one has a little savvy and wants to attempt further manual removal of the malware to avoid cost at a PC Repair Shop – here are some tips. Mind you, in this case a Shop will obviously advise to reinstall Windows after completely wiping (erasing) the disk first – a common automatic procedure with a Windows CD/DVD or if you have made an Emergency CD Repair CD/DVD. (I would advise do NOT hit “Repair” but go ahead and back up all files first you wish to save and the completely reinstall Windows and THEN also scan the backed up files for malware before reinstalling to the PC now in Factory Fresh condition. )

REVIEW THIS FOR HOSTS FILES….
Blocking Unwanted Parasites with a Hosts File
http://winhelp2002.mvps.org/hosts.htm
(In other words in this area you are looking for how to Restore your Hosts
Files before infection that changed them.)

How can I reset the Hosts file back to the default?
http://support.microsoft.com/kb/972034
MICROSOFT FIX IT TOOL ***** HOSTS FILES

ALSO….
How to reset Internet Protocol (TCP/IP)
http://support.microsoft.com/kb/299357

A Point of Entry and Attack is the firewall that may even have been circumvented.
Tunneling to circumvent firewall policy
http://en.wikipedia.org/wiki/Tunneling_protocol#Tunneling_to_circumvent_firewall_policy
You may want to uninstall it and clean up left over files and registry
entries (Registry Cleaner) … Here is about the best and indeed they have finally released a free home version ….
PowerTools Lite 2011 [Genuine Freeware]
– The Freeware Registry and System Cleaner
http://www.macecraft.com/powertoolslite2011/
(Which is of course by the famous jv16 PowerTools – by far the top recommended for a decade, about. )

YUCK… one more area to review….

TCP reset attack
From Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/TCP_reset_attack

Bottom line….Above was posted for review, and hastily, if there are still problems and if need be to mention in the event of a necessary trip to the PC Repair Shop. Attempt recommended Avira Tool in these emails as advised. Check out the US CERT links if needed or as double check after Avira clean up – there is a link for detection at the FBI sight for anyone fearing infection I believe. (Avira has consistently had one of the best detection/blocking/removal ratings for years – visit VirusTotal).

AS I SUSPECTED THERE ARE MANY VARIANTS …… LIST (omg There are 23 variants presently ! ! ! – (Absolutely a Shop will advise to reinstall Windows without batting an eye)

*COMPUTER ASSOCIATES*
SOURCE / ONLINE SEARCH ENGINE AND TYPE IN “DNSChanger” as malware payload
look up…
CA Spyware Information Center (Search Engine)
http://www3.ca.com/securityadvisor/pest/
CA Spyware Information Center search engine (ComputerAssociates, makers of
PestPatrol and many security wares)
(*Malware search engine look up is top right)

SEARCH RESULTS: (hot links at results link for each below)
http://www.ca.com/us/search/default.aspx?q=dnschanger&sk=findthreat&backUrl=http%3A%2F%2Fwww.ca.com%2Fus%2Fspyware.aspx
1 DNSChanger B – CA Technologies Quick View
Description: DNSChanger B
Size: 36 KBDate: 01/09/20072 DNSChanger P – CA Technologies Quick View

Description: DNSChanger P
Size: 36 KBDate: 02/22/20123 DNSChanger P – CA Quick View

Description: DNSChanger P
Size: 50 KBDate: 11/20/20094 DNSChanger G – CA Technologies Quick View

Description: DNSChanger G
Size: 37 KBDate: 02/19/20125 DNSChanger C – CA Technologies Quick View

Description: DNSChanger C
Size: 36 KBDate: 04/19/20076 DNSChanger S – CA Technologies Quick View

Description: DNSChanger S
Size: 36 KBDate: 02/22/20127 DNSChanger U – CA Technologies Quick View

Description: DNSChanger U
Size: 36 KBDate: 01/29/20108 DNSChanger T – CA Technologies Quick View

Description: DNSChanger T
Size: 36 KBDate: 01/29/20109 DNSChanger M – CA Technologies Quick View

Description: DNSChanger M
Size: 36 KBDate: 02/21/201210 DNSChanger L – CA Technologies Quick View

Description: DNSChanger L
Size: 36 KBDate: 07/17/200911 DNSChanger – CA Technologies Quick View

Description: DNSChanger
Size: 36 KBDate: 06/14/200612 DNSChanger r – CA Technologies Quick View

Description: DNSChanger r
Size: 36 KBDate: 02/21/201213 DNSChanger I – CA Technologies Quick View

Description: DNSChanger I
Size: 36 KBDate: 02/20/201214 DNSChanger azf – CA Technologies Quick View

Description: DNSChanger azf
Size: 36 KBDate: 02/20/201215 DNSChanger H – CA Technologies Quick View

Description: DNSChanger H
Size: 36 KBDate: 02/19/201216 DNSChanger E – CA Technologies Quick View

Description: DNSChanger E
Size: 37 KBDate: 11/26/200717 DNSChanger D – CA Technologies Quick View

Description: DNSChanger D
Size: 37 KBDate: 02/19/201218 DNSChanger k – CA Technologies Quick View

Description: DNSChanger k
Size: 36 KBDate: 08/04/200819 DNSChanger A – CA Technologies Quick View

Description: DNSChanger A
Size: 36 KBDate: 07/29/200820 DNSChanger ayy – CA Technologies Quick View

Description: DNSChanger ayy
Size: 36 KBDate: 02/05/201221 DNSChanger arn – CA Technologies Quick View

Description: DNSChanger arn
Size: 36 KBDate: 03/11/200822 DNSChanger aum – CA Technologies Quick View

Description: DNSChanger aum
Size: 36 KBDate: 03/11/200823 DNSChanger F – CA Technologies Quick View

Description: DNSChanger F
Size: 37 KBDate: 02/19/2012
——–>

BASIC PAYLOAD…..
DNSChanger
Date Published:
Wednesday, June 14, 2006
Alias
W32/Backdoor.KGE [F-Prot Antivirus]
Overall Risk : HIGH
Category
Trojan: Any program with a hidden intent. Trojans are one of the leading
causes of breaking into machines. If you pull down a program from a chat
room, new group, or even from unsolicited e-mail, then the program is likely
trojaned with some subversive purpose. The word Trojan can be used as a
verb: To trojan a program is to add subversive functionality to an existing
program. For example, a trojaned login program might be programmed to accept
a certain password for any user’s account that the hacker can use to log
back into the system at any time. Rootkits often contain a suite of such
trojaned programs.
Date of Origin
date of origin: Variants from September, 2009 to September, 2009
Operation
DNSChanger: at least DNSChangerKB
Files:
[tn]dnschanger.exe
2701526
hgqhp.exe
kdrgh.exe
virtue_7884154
kdrgh.exe
hgqhp.exe
[tn]dnschanger.exe

WEBMASTER / http://www.bluecollarpc.us/

PS – a quality real time protection antimalware installed no doubt would have blocked this infection and variants to date. Cyber Crime Units have about the rest of all information needed no doubt by now with professional forensics performed.

 

%d bloggers like this: