
malware targeting malwarebytes


afrin


To start with the bad news: I use Rollback Rx, so I recovered before taking an infected snapshot, but I'm pretty sure I'll get the infection again very soon.

Usually I wouldn't do this, but I needed the PC for work and I couldn't keep the infection, as it's the host OS and not on a VM, and I also did not have the time to make a dd image.

 

The unidentified (for now) malware is using the Mozilla Firefox update to infect. The DEP mitigation was triggered and 'stopped' by HitmanPro.Alert yesterday.

It was something like: 1. Firefox 2. Update 3. Userinit ... So that was the exploit attempt. No websites visited, nothing, so I guess a MITM attack is pushing fake updates (FinFisher, anyone?).

I thought the attack was a misfire, but I guess it was successful. So my guess is that the BOF is just part of the exploit method and it falls back on others if not successful.

When infected, the malware KILLS (the application gives an error and closes):

Malwarebytes Home Premium ( 2.1.8.1057 )

Malwarebytes Anti-exploit Premium ( 1.07.1.1015 )

Hitmanpro.alert 3.0.48 build 196 ( Trial )

 

The part with killing such nasty anti-malware products is what I don't get. The attack vector and exploitation are very interesting and elegant, and then something so loud and clear ... I'm not a malware researcher and I need some help if I can get the infection again so we can study it. I am a developer and I can follow instructions, and if someone out there is interested and I can get it again, I will provide all the info available.

 

BTW, Bitdefender Total Security 2015 was still running but not detecting the attack or infection.

 

Just now a notification that Firefox update 40.2 is available popped up (I turned off the auto update after recovery). I will update and see if this is the attack vector and if I get infected again, and post more information.

 

Please moderate this post to a proper section, Thanks.


Staff

Hi afrin, welcome to the forum.

 

It's quite normal for malware to disable security software. They typically target the most effective security software before attempting to download further malware or perform certain actions that might be detected by the security software.

 

BTW, moving your post to the Questions sub-forum.


This is the Firefox update that is downloaded.

I've checked the updates in the Mozilla repo: the partial is 4,324 KB and the complete is 48,493 KB, but it's possible that the update is customized. Can someone unpack the MAR and check the files to see if something funny is coming from there? Thanks.


No MAR file uploads here, I guess, and it's a packed file already ...

Unpacked mirror: s000.tinyupload.com/index.php?file_id=20856962177473140273

 

7z-packed file attached.

Edited by pbust
No attachment of suspicious files here please
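For anyone who wants to look at a suspicious MAR before handing it to the updater, here is an added example (not from the thread or from Mozilla's own tooling) that lists the index of a Mozilla ARchive without extracting anything, and bounds-checks every entry so a crafted index cannot point outside the file. It relies on the documented MAR layout (a "MAR1" magic, a big-endian offset to the index, and index entries of offset, size, flags and a NUL-terminated name); the sample archive it builds is constructed here for the demonstration, and real signed Firefox updates carry a signature block between the header and the file data that this parser simply skips by jumping straight to the index.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass


@dataclass
class MarEntry:
    name: str
    offset: int
    size: int
    flags: int


def parse_mar_index(data: bytes) -> list[MarEntry]:
    """Return the index of a MAR file, refusing anything that does not fit inside it."""
    if len(data) < 8 or data[:4] != b"MAR1":
        raise ValueError("not a MAR file (bad magic)")
    (index_off,) = struct.unpack(">I", data[4:8])          # big-endian offset to index
    if index_off + 4 > len(data):
        raise ValueError("index offset beyond end of file")
    (index_len,) = struct.unpack(">I", data[index_off:index_off + 4])
    pos, end = index_off + 4, index_off + 4 + index_len
    if end > len(data):
        raise ValueError("index length beyond end of file")
    entries: list[MarEntry] = []
    while pos < end:
        if pos + 12 > end:
            raise ValueError("truncated index entry")
        off, size, flags = struct.unpack(">III", data[pos:pos + 12])
        nul = data.find(b"\x00", pos + 12, end)
        if nul == -1:
            raise ValueError("unterminated entry name")
        name = data[pos + 12:nul].decode("utf-8", errors="replace")
        if off + size > index_off:                          # payload must sit before the index
            raise ValueError(f"entry {name!r} points outside the archive")
        if name.startswith("/") or ".." in name.split("/"):  # would escape the target directory
            raise ValueError(f"entry {name!r} has a path-traversal name")
        entries.append(MarEntry(name, off, size, flags))
        pos = nul + 1
    return entries


def build_sample_mar(files: dict[str, bytes]) -> bytes:
    """Constructed fixture: an unsigned MAR (8-byte header, payloads, then the index)."""
    body = index = b""
    for name, content in files.items():
        index += struct.pack(">III", 8 + len(body), len(content), 0o644) + name.encode() + b"\x00"
        body += content
    return b"MAR1" + struct.pack(">I", 8 + len(body)) + body + struct.pack(">I", len(index)) + index


# Constructed sample resembling a partial update: a manifest plus one binary.
SAMPLE = build_sample_mar({"updatev3.manifest": b'type "partial"\n', "firefox.exe": b"MZ" * 8})
```

Comparing the listed names and sizes against a MAR fetched directly from Mozilla's update server is the quickest way to see whether the copy on disk was tampered with.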

