It is currently Thu Mar 28, 2024 3:08 pm

All times are UTC - 8 hours [ DST ]




Post new topic Reply to topic  [ 7 posts ] 
Author Message
PostPosted: Wed Aug 17, 2016 8:32 am 
Offline

Joined: Wed Aug 17, 2016 7:31 am
Posts: 4
Hello,

I got the retro virus, too. But not via a ClassicShell-Download on fosshub, but via a SMplayer download on the same day at fosshub, too. I should have seen that there was something wrong with the file: It had just 35 kB (compared to about 35 MB as normal).

The restore process of my computer was much, much harder than the usual ways which are currently known because I run a laptop with a special SSD/HDD combination which is seen as one drive (from Lenovo, called RapidDrive). I finally restored the disk combination successfully (yesterday) after several days of research by using a very special Windows Rescue Environment which "knew" about this SSD/HDD by means of an already injected driver.

But that's not the point. What I am still thinking about is: How could I prevent such a damage in future? Of course, I could check the file sizes, or I could check the correct certificates. But that's not enough. On 8/3/2016 I was tired and still sitting in front of my laptop trying to find a good video player which have no problems to play a special video format. Of course I had not in my mind that I could get some malicious malware when I downloaded the well known player SMplayer. Of course I installed it ASAP without even noticing the elevation window. This is mainly an automatic process when it is near midnight and I know the software before.

So, there is some other mechanism needed. Some guard in the background, some piece of software which checks that there is something wrong with a malware program like this. It's not normal for a program to modify a MBR... Normally, one thinks of antivirus software at this point. Surely it would be interesting if those antivirus tools would have been prevented the infection of the MBR. Did anybody of the victims had such a tool? (I had no antivirus tool in the background running.)

And beside the antivirus tools like Kasperski etc. exist some other tools which claim to detect malware with the help of heuristic means. (I like this concept). I found one of those tools some months ago (Anti-Exploit from malwarebytes.com), but I didn't have time yet to test it.

Nevertheless it's difficult to prepare a test environment for these tools because normally one's lacking the right piece of malware (should be very young and dangerous!). If I had a copy of the infected smplayer left on my computer I would have taken it and test it with these tools in a virtual machine. But unfortunately I deleted the malware immediately after installing (because it had no function at all...) with Shift-Delete and installed some other video players immediately afterwards. There is nothing left on my harddisk from this retro virus, I checked double with some rescue software like Recuva. No chance.

So, if anybody still owns a copy of this malware it would be nice if he could test those tools in a virtual machine wether they prevent the destroying of the MBR. Of course I would be a voluntary, too.

Thorsten


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 17, 2016 8:56 am 
Offline
Site Admin
User avatar

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5333
You can find an infected copy of Classic Shell here: http://www.mediafire.com/download/n7gti ... fected.exe

Notice to everybody: Do not download this file unless you know exactly what you are doing! This file contains malware, not Classic Shell. It is here only so you can find ways to defeat such malware in the future by experimenting in safe isolated environment like a virtual machine.


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 17, 2016 9:32 am 
Offline

Joined: Wed Aug 17, 2016 7:31 am
Posts: 4
This link is not valid anymore. (Probably it's better...)

Any suggestions concerning my question on how to prevent against such attacks?


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 17, 2016 9:39 am 
Offline
Site Admin
User avatar

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5333
The link is valid, but probably your browser rejects it because it is infected. When I have time I'll try to zip the file or find other way to work around the blocks.

The only advice I can give you is to always check the digital signature and don't accept UAC prompts with unknown publisher. That's what UAC is for. If you accept, then the program runs as admin and owns your machine. Even if AV software can detect tinkering with the MBR, there is no way to know if it is legitimate or not.


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 17, 2016 10:21 am 
Offline

Joined: Wed Aug 17, 2016 7:31 am
Posts: 4
Ivo wrote:
The link is valid, but probably your browser rejects it because it is infected.

I think I would notice if Chrome blocks something. But Mediafire says:
"File Blocked for Violation. The file you requested has been blocked for a violation of ourTerms of Service."

Ok, I will observe the elevation window with more concentration. But many (good) software tools have not certificates at all. E.g. SMplayer... So this method would not have been helped.

Thorsten


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 17, 2016 10:56 am 
Offline
User avatar

Joined: Thu Jan 03, 2013 12:38 am
Posts: 5374
You can open Local Security Policy (secpol.msc) -> Local Policy -> Security Options. Enable the setting: "User Account Control: Only elevate executables that are signed and validated". Once enabled, only signed EXEs are allowed by Windows to elevate. Others will fail with the error message: "A referral was returned from the server."

This will provide you with pretty good security as no app besides the ones that are either digitally signed will be able to run on your PC. Without admin privileges, the damage that malware can cause is limited.

This method is not without its flaws. Many useful apps are not signed so you will be unable to run those which require admin permissions. Some programs like file copy utilities or shell extensions need to self-elevate and cannot be run manually or from the command line. You will not be able to run such rare programs but the tradeoff is that your Windows system will be highly secure.

You can run such unsigned apps that require admin permissions using Windows Task Scheduler: http://winaero.com/blog/open-any-progra ... ac-prompt/

_________________
Links to some general topics:

Compare Start Menus

Read the Search box usage guide.

I am a Windows enthusiast and helped a little with Classic Shell's testing and usability/UX feedback.


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 17, 2016 11:39 am 
Offline

Joined: Wed Aug 17, 2016 7:31 am
Posts: 4
Gaurav wrote:
You can open Local Security Policy (secpol.msc) -> Local Policy -> Security Options. Enable the setting: "User Account Control: Only elevate executables that are signed and validated". Once enabled, only signed EXEs are allowed by Windows to elevate. Others will fail with the error message: "A referral was returned from the server."

This will provide you with pretty good security as no app besides the ones that are either digitally signed will be able to run on your PC. Without admin privileges, the damage that malware can cause is limited.

This method is not without its flaws. Many useful apps are not signed so you will be unable to run those which require admin permissions. Some programs like file copy utilities or shell extensions need to self-elevate and cannot be run manually or from the command line. You will not be able to run such rare programs but the tradeoff is that your Windows system will be highly secure.

You can run such unsigned apps that require admin permissions using Windows Task Scheduler: http://winaero.com/blog/open-any-progra ... ac-prompt/

Thanks for the hint. I could imagine to enable this setting on my productive systems. The drawbacks are perhaps fewer than the advantage of being relative safe.

Thorsten


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC - 8 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 14 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group, Almsamim WYSIWYG Classic Shell © 2010-2016, Ivo Beltchev.
All right reserved.