
Hey, I've been wondering: is it possible for me to learn how to read ComboFix and rootkit logs? I mean I'm not going to be an expert overnight, but if I do learn I could try to help out, couldn't I? Or if not, just give some assistance?

Anyways, it all looks really interesting. So where can I learn to read and understand logs?


Greetings :)

This info should be helpful, it's taken from our own Groups authorized to help with HJT logs topic:

If you're interested in helping others with removal of Malware please visit one of the sites below to sign up for a training school.

The following are websites that host training facilities: United Network of Instructors and Trained Eliminators

They teach you how to use ComboFix, GMER and all the other more advanced tools (and a whole lot more) to research and remove malware.


They're actually pretty well known within the online security community, as for why they look like Malwarebytes, I'm guessing it's because many of them also use IPB, the software we use for our forum (which is also quite popular with many forums).


Depending on the school, it generally takes at least 6 months, if not more, to graduate.

The volunteers who work in the malware removal forum have gone through training at one of those schools.


Hey, sometimes on Google I like to use the "I'm Feeling Lucky" button, but I realised lately it's not so good, as it leads to bad-reputation websites that have a red or orange circle on my WOT (Web of Trust) add-on for Firefox.

So I was reading this

http://forums.malwarebytes.org/index.php?showtopic=9365

and it says here:

Most of these drive-by attempts will be thwarted if you keep your Windows updated and your internet browser secured (see below). Nevertheless, it is very important only to visit web sites that are trustworthy and reputable.

But how do we block viruses from the drive-by thingy? I mean I have an antivirus (Microsoft Security Essentials) and a firewall (Comodo free) and have SpywareBlaster updated etc... but what about these types of websites? Is it possible to block these?


But how do we block viruses from the drive-by thingy? I mean I have an antivirus (Microsoft Security Essentials) and a firewall (Comodo free) and have SpywareBlaster updated etc... but what about these types of websites? Is it possible to block these?

Malwarebytes' paid version blocks a lot of dodgy websites.


Malwarebytes' Anti-Malware PRO also has Malicious Website Blocking, which prevents connections to or from your computer to known malicious IP addresses. That means no program on your system, browser included, would be able to connect to a malicious website serving up drive-by downloads, as long as it is in our block list.


All of those types of programs should only be used as a guideline, including WOT. There's no such thing as perfect, but using a good AV, MBAM Pro, an updated browser, and perhaps a hosts file, along with common sense, is the best defense.


@otherguyx - another suggestion would be to use an anti-malware DNS server like http://clearclouddns.com/ or http://www.comodo.com/secure-dns/

These are free services with easy to follow instructions to get set up. At Minotaur, we check every sample we process against several of these services and graph out the comparisons of each: http://minotauranalysis.com/stats/dnscheck.aspx - right now, clearcloud has the overall highest detection rate, or at least the highest denial rate. If you want to check out a domain manually against all services at once, you can use this page: http://minotauranalysis.com/tools/dnscheck.aspx

If you want to do the same for site reputation services, http://www.urlvoid.com/ will let you check against a bunch of services all at once including site advisor, safeweb, google, and a ton more.


Oh OK, but they were all completely different: one about joining a school, one about how to avoid viruses from drive-bys. Also, I don't think of these questions all at once, I just come across them from research etc... For example, I thought of the school thing a day before I learned about drive-by websites.


OK, I have a question now, actually 2:

1) That URLVoid thing doesn't work. For example, a very malicious website such as www.uninstall-spyware.com (DON'T GO ON IT) is full of viruses; it's rated deep red on my WOT scale, however it's rated clean by nearly everything in that URLVoid thing.

2) Which should I use, OpenDNS, ClearCloud, Comodo? I've been on OpenDNS for ages.

Right now for OpenDNS I'm on this. I have checked:

Malware/Botnet Protection

When certain Internet-scale botnets are discovered or particularly malicious malware hits, we offer protection to all our users so that as many people as possible can be protected from the threat. At this time, this feature blocks the Conficker virus and the Internet Explorer Zero Day Exploit, and is continually expanded to include other types of malicious sites.

and

Phishing Protection

By enabling phishing protection, you’ll protect everyone on your network from known phishing sites using the best data available.

but not

Suspicious Responses

Block internal IP addresses

When enabled, DNS responses containing IP addresses listed in RFC1918 will be filtered out. This helps to prevent DNS Rebinding attacks. For example, if badstuff.attacker.com points to 192.168.1.1, this option would filter out that response.

The three blocks of IP addresses filtered in responses are:

10.0.0.0 - 10.255.255.255 (10/8)

172.16.0.0 - 172.31.255.255 (172.16/12)

192.168.0.0 - 192.168.255.255 (192.168/16)

Should I check the last one and enable it?

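To make the "Block internal IP addresses" option quoted above concrete, here is an added example (not OpenDNS code, and not part of the thread) that applies the same rule to a constructed DNS answer section: any A record whose address falls in one of the three RFC 1918 blocks is dropped before the response reaches the client, which is what defeats the badstuff.attacker.com -> 192.168.1.1 rebinding case. The record tuples and names are constructed for the example.

```python
"""Filter RFC 1918 (private-range) answers out of a DNS response.

Added example modelled on the OpenDNS "Block internal IP addresses" option
described in the thread; not OpenDNS's own code. All records are constructed.
"""
import ipaddress
from typing import List, Tuple

# The three blocks the quoted OpenDNS text says are filtered in responses.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# A resolved A record: (queried name, TTL in seconds, dotted-quad address).
ARecord = Tuple[str, int, str]


def is_rfc1918(address: str) -> bool:
    """True if the IPv4 address lies inside one of the three private blocks."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def filter_response(records: List[ARecord]) -> Tuple[List[ARecord], List[ARecord]]:
    """Split an answer section into (kept, dropped).

    A public hostname resolving to a private address is the DNS-rebinding
    pattern the option guards against: the browser would otherwise treat a
    host on the local network as the same origin as the attacker's site.
    """
    kept, dropped = [], []
    for rec in records:
        (dropped if is_rfc1918(rec[2]) else kept).append(rec)
    return kept, dropped


# Constructed answer section: the post's own example plus boundary cases just
# inside and just outside the 172.16/12 block. 203.0.113.0/24 is a
# documentation range, used here as an ordinary public address.
SAMPLE_ANSWERS: List[ARecord] = [
    ("badstuff.attacker.com", 60, "192.168.1.1"),    # the example from the post
    ("badstuff.attacker.com", 60, "10.0.0.5"),       # 10/8
    ("badstuff.attacker.com", 60, "172.31.255.254"), # last address in 172.16/12
    ("www.example.com", 300, "172.32.0.1"),          # just outside 172.16/12: kept
    ("www.example.com", 300, "203.0.113.10"),        # public address: kept
]

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_ANSWERS)
    for rec in dropped:
        print("filtered:", *rec)
    for rec in kept:
        print("returned:", *rec)
```

Because the quoted text lists only the three RFC 1918 blocks, this filter, like the option as described, still passes loopback (127.0.0.0/8) and link-local (169.254.0.0/16) answers; a stricter local resolver policy could add those ranges.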

Dude, why is Minotaur's website rated yellow/orange on my WOT scale? Is this a drive-by website? I already had someone do the same on my HijackThis thread; he put a link to a bad-reputation website!

Edited by AdvancedSetup
removed inappropriate language

@otherguyx - the yellow rating is probably due to the fact that we have full URLs to malware in the list pages. I had to have Symantec re-review the site for that reason a while back. It is a security research site, not a drive-by site.

As for urlvoid, their purpose is to aggregate all those services for a consensus opinion as to whether a site is bad or not. No single service can know every bad URL out there, and most are based on just what they've seen. One way to use urlvoid would be to take a warning about a site if any single service calls it bad, but it could also be a false positive. Again, that's why they use so many.

As for which DNS service, I know a lot of people happy with clearcloud, and not very many false positive blocks. Again, it is not a magic bullet. There is no magic bullet to protect you from every possible form of malicious code.
