blackdove83

Honorary Members
  • Posts: 155
Everything posted by blackdove83

  1. True, but what I'm thinking is this. These guys try to trick people into downloading and paying for the rogue. I'm not worried about that because it relies on user interaction to fall for it. I am worried about anything else that whatever opened the window to the rogue's landing page might have installed, like a banking trojan for example. Fake antiviruses don't scare me. The browser opening despite browser Java being disabled scares me. Invincea and the other researchers don't mention if anything comes down with the rogue and opens a back door. For those who avoid the fake antivirus, maybe they have a different payload? That's why I'm still concerned.
  2. http://blog.0x3a.com/post/75474731248/analysis-of-the-tritax-fakeav-family-their-active Sorry, when I paste links from my phone it goes to the top of the post. What you just stated is why I'm here asking experts. I do all of what you just said and have Java disabled in the browser. I also don't trust anything I can't verify or think that software gives me 100% protection. My mistake was using Skype, which is supposedly safe. I wouldn't expect to get infected from hotmail.com any more than Skype, but it seems like Skype isn't very safe because of its ads. I'm just trying to find out if the attack can or did install anything despite the rogue needing user interaction to infect.
  3. https://forums.malwarebytes.org/index.php?showtopic=141588 Can an expert tell me if the things detected in step 6 are a result of the fake antivirus popup or something separate?
  4. I got mine through a Skype ad. Considering Invincea's capabilities, I think they'd know if the code that opens the window dropped something else. Still scared me badly. A bunch of forums are serving the malicious ad too.
  5. Does Malwarebytes detect the fake antivirus and remove it? Can MBAM or MBAE block browsers from opening a window without user interaction?
  6. No other things rang any bells. I've come across a lot of other information about this particular attack since then, including a code analysis. http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/ I don't know programming or coding at all really, so maybe someone who does can take a look at that and tell me what it means. However, it appears that the attack depends on a user installing the fake antivirus, so people who didn't hopefully aren't infected with anything. I'm pretty paranoid about security, and I have Malwarebytes Pro and MBAE (although I was using version 0.09.5.0250 at the time), and the icon wasn't showing, but MBAE was running in Task Manager.
  7. Some other people have been as well. I finally found some detailed information on this. https://www.youtube.com/watch?v=MDSn_PezapU http://arstechnica.com/security/2014/02/what-a-fake-antivirus-attack-on-a-trusted-website-looks-like/ http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/ This is the same popup as the one that we've gotten through Skype, and there is an analysis of some of the code in that last link. However, I'm not entirely sure that it's exactly the same as the Skype ad, since this came from a website. It looks like social engineering, but I'm still concerned that something may be in our computers.
  8. http://www.av-test.org/en/home/ is a good place to start. I think most people on here will agree that a multi-layered approach is best: anti-exploit for browsers, good heuristic antivirus, and MBAM for 0-day malware. I occasionally run Malwarebytes Anti-Rootkit and AdwCleaner by Xplode as well. I love MBAM Pro, so I bought it. Avira Free is decent and doesn't slow things down. F-Secure, as well as Mikko Hyppönen's policy of not whitelisting 'special' malware like some other antiviruses have been known to, sets it apart. Keep in mind the country of origin and their policies when choosing a program that has access to your system like an antivirus does. I'm sure I'll get some hate for saying that, but whatever.
  9. Well, it seems like an ad provider that's not just affiliated with Skype is affected. What do you mean about googling the dllhosts? It doesn't give me any info about it. Any experts know if more than one dllhost at startup or in EMET is normal? If anyone can get the code and analyze it, please let us know. I posted links to the attacker's IP and info about the fake popup, including a screenshot of it.
  10. OK, I hate posting after myself, but I just noticed something else that's rather interesting. I set up EMET and had to reboot to apply the changes. When I booted, there were a couple of "dllhost" processes running in Task Manager that then disappeared as Windows completed booting. I opened EMET to see all the listed applications, and there are three dllhosts listed upon opening EMET, and the bottom two give an error saying "is not a valid executable" when you right-click and attempt to configure them in EMET. They then disappear from the list without clicking refresh. Maybe this is something advanced?
  11. Believe me, I've been building computers for a long time; I know how hard it is to infect a BIOS and where and what it is. I doubt this is that kind of advanced issue, but this is still freaking me out. We've got a bunch of people getting directed to a webpage with NO user interaction. Here's another with the DDS, which hasn't been addressed yet. I'm going to wait and see what happens with the other people who've got the same issue, and check around to see if anyone has managed to capture and analyze the code being executed here. This could be something worth serious scrutiny, and we have all the links that should be necessary to figure out what this is. https://forums.malwarebytes.org/index.php?showtopic=141588
  12. Yeah, there's stuff that can get into the BIOS and into HDD controllers, but I doubt this is that sophisticated. People with this same issue have posted their DDS log. I suspect that we'll be seeing a lot more of this popping up since it seems to be delivered through Skype, although a lot of googling led me to some people on "Smoked Meat Forum" (a BBQ forum, lol) discussing how their ads have been compromised as well. https://forums.malwarebytes.org/index.php?showtopic=141567
  13. I wonder if one of the experts could go to the links on one of their virtual machines and figure out which ad causes the window to open, and exactly what code is executed by it? I'm no malware hunter myself. If it's something really terrible disguised to look like a rather harmless social engineering attack, I'll probably trash the HDD and install a new one, even if it's cleanable. I just installed EMET as someone recommended on here. I haven't quite figured out how to use it yet, but I'm working on it.
  14. http://ip-address-lookup-v4.com/ip/212.83.155.47 Not sure, but these attacks seem to also have links to this IP in France as well as the Netherlands.
  15. We also have several people on this forum, the Skype forums and Reddit discussing how a browser window gets opened with no user interaction and goes to that page screenshotted in the link. What worries me is not that some random server in the Netherlands is hosting malware with some link to France, but what may have been deployed by it, since it seems to have made it past heuristic scanners like MBAM and behavioral analysis like MBAE. ALL of the users have said that they have clean scans. Are any experts able to identify the code that would have executed to open the window, or test to see if there was a payload in the webpage?
  16. https://forums.malwarebytes.org/index.php?showtopic=141588 https://forums.malwarebytes.org/index.php?showtopic=141567 Sorry to post twice in a row, but I don't see an edit feature and I'm currently on my phone. Here are two more users with apparently the same issue and apparently clean scans.
  17. http://urlquery.net/report.php?id=9200380 Here is a link with more info on the attack the OP and I experienced. With regard to Skype, I was referring to how it opens links from within Microsoft and apparently makes it really easy to get user communications after they changed their infrastructure. I know that's true of all big tech companies that aren't voluntarily shutting down, but that's a different topic.
  18. http://arstechnica.com/security/2013/05/think-your-skype-messages-get-end-to-end-encryption-think-again/ Sorry David, it's not FUD. Skype apparently serves up malware in ads, but it also opens links you send to supposedly check them for malware. They open your HTTPS links since they already have all the plaintext, but I guess they're too busy checking what users say to actually check their own ads for malware. It's certain that Skype is pretty insecure, and since it goes through supernodes it's no longer really P2P. I don't communicate with anyone in China or Moldova, and MBAM blocks tons of incoming attempts from IP addresses in both places. Supernodes in Moldova or China? Sure, lol.
  19. Skype basically became malware when Microsoft bought it. If you look through your MBAM logs, you'll see how many malicious incoming attempts it blocks from Skype. The only thing I use it for is screen sharing, as it's free and works reasonably well. I guess I can't even do that anymore. My Nvidia display drivers just crashed and recovered a few minutes ago, so I'm getting more and more suspicious of my computer now (although it could have been Planetside 2 being a piece of junk). Just about ready to smash the hard drive and install a new one, though.
  20. What does that mean about the Java unpacker? I have MBAM Pro with heuristics and filesystem integrity checking enabled, as well as MBAE installed, Java disabled in browsers, and I got no warnings from any of them. I am still worried that there was some sophisticated payload in there that was designed to look like a standard rogue antivirus. Hopefully I'm just being paranoid. Has someone done an in-depth analysis of the code?
  21. Thanks for the reply. Hopefully it was just social engineering and I don't need to throw my hard drive away. My reason for wondering if it involved an exploit is that the window opened itself up without me clicking anything. I picked up a Skype call (to screen share and help him fix an issue on his PC, ironically), and somehow it managed to open a window. I'm really not into coding or software much, so I don't know what it takes for a program to open up a window like that. People have been reporting that they were AFK and came back to find the same window open, so it must be happening automatically when a specific ad loads.
  22. I read the FAQ, and I know that the tray icon sometimes doesn't show up. It still shows up in Task Manager, but when I try to end the task, it says "access denied" and won't allow me to close it and re-open it. My question is: when this happens, am I still protected? Have I been protected? I'm concerned, because I didn't have the tray icon, but I had this happen to me last night: https://forums.malwarebytes.org/index.php?showtopic=141539 (not my thread). Skype had an infected ad, and it managed to open an Internet Explorer tab, but before I clicked any of the obvious rogue fake antivirus, I went into Task Manager and ended iexplore.exe. Then I followed the procedure I always read on here: MBAM, MBAR and AdwCleaner by Xplode. Everything comes back clean. 0 blocked exploit attempts in MBAE, but I know that I was directed to a malicious site.
  23. I saw the ad, which is why I'm still worried. I hope someone can analyze the ad and the site and figure out what was in it, so it can be detected if it did indeed deploy. I need to know if I can still trust my PC.
  24. Yes, this is definitely related to Skype, and I had the same thing. Did MBAM and MBAR scans, had MBAE running, and everything comes up clean. I closed Internet Explorer without clicking anything. I am curious if this delivered an undetectable payload to our PCs or if it's an unsophisticated attack that depends on clicking it. Any chance someone can analyze that site?