[olug] Fwd: [10.17.2016 34620193] Compromised Computer Notification from Cox Communications
Rob Townley
rob.townley at gmail.com
Mon Oct 17 22:47:06 CDT 2016
This type of malware is a good reason to regularly verify your account
balance on the web with a telephone call to the bank or a paper statement.
Yes Kevin, could have been as simple as an infected USB stick that was
plugged-in during a power reset. Infect the PC and then keep booting
"normally".
Otherwise, the malware running on Win7 x64 systems bypassed signed drivers
via the print spooler service and then manipulated atapi.sys.
On Oct 17, 2016 8:02 PM, "Kevin" <sharpestmarble at gmail.com> wrote:
> Interesting wordplay on the term rootkit, but accurately describes what
> goes on. Not a bad idea, to have it go after the MBR. Then virtualize the
> entire desired OS, so if anything comes in on a specified port, it can act
> on it. Also means the bootkit can watch for the normal OS trying to open
> that port, and re-program its own port, such as allowing it to happen, but
> at the same time sending its own "I'm no longer at this port, but at this
> other port instead" message to whatever command-and-control server it wants.
>
> On Mon, Oct 17, 2016 at 6:56 PM, Rob Townley <rob.townley at gmail.com>
> wrote:
>
>> Kaspersky describes a bootkit:
>>
>> "A *bootkit* is a type of malware that infects the Master Boot Record
>> (MBR). This infection method allows the malicious program to be executed
>> before the operating system boots". Aug 28, 2013
>>
>> On Oct 17, 2016 6:52 PM, "Rob Townley" <rob.townley at gmail.com> wrote:
>>
>> Any virtual windows machines?
>> Guest WiFi users running Windows?
>> Laptop borrowed from work?
>>
>> On Oct 17, 2016 4:10 PM, "Justin Reiners" <justin at hotlinesinc.com> wrote:
>>
>> Joesph,
>>
>>
>> FYI, when I was hacked years ago, they created a hidden user, make sure
>> you
>> check /etc/passwd, and do a netstat -tulpn to see if there are any
>> unrecognized services running. What services does your infected box run?
>> are they running OK?
>>
>> feel free to contact me directly if you need any help with it.
>>
>> On Mon, Oct 17, 2016 at 4:05 PM, Joseph Gulizia <joseph.gulizia at gmail.com
>> >
>> wrote:
>>
>> > Thanks. I'll give it a shot.
>> >
>> > Joe
>> >
>> > On Mon, Oct 17, 2016 at 4:04 PM, Justin Reiners <justin at hotlinesinc.com
>> >
>> > wrote:
>> >
>> > > Joseph,
>> > >
>> > > rkhunter works well. its in the ubuntu repo
>> > >
>> > >
>> > > On Mon, Oct 17, 2016 at 4:02 PM, Joseph Gulizia <
>> > joseph.gulizia at gmail.com>
>> > > wrote:
>> > >
>> > > > Lou,
>> > > >
>> > > > These all appear to be Windows only fixes. I AM not running
>> Windows.
>> > I
>> > > > have heard that rootkits can get on Linux systems, I want to know
>> how
>> > to
>> > > > remove from them if need be.
>> > > >
>> > > > On Mon, Oct 17, 2016 at 1:34 PM, Lou Duchez <lou at paprikash.com>
>> wrote:
>> > > >
>> > > > > The good news about malware these days is, their goal isn't to
>> break
>> > > your
>> > > > > computer, just to hijack it. That means it may be fixable.
>> > > > >
>> > > > > I recommend:
>> > > > >
>> > > > > 1) Disconnect the offending (Windows, presumably) computer from
>> the
>> > > > > Internet.
>> > > > >
>> > > > > 2) Download VIPRE Rescue onto a flash drive on another computer:
>> > > > >
>> > > > > https://www.vipreantivirus.com/support.aspx#vp-Rescue
>> > > > >
>> > > > > 3) Take the flash drive to the compromised computer and try to
>> > > disinfect
>> > > > > it.
>> > > > >
>> > > > > I haven't done battle with rootkits in a few years, but let VIPRE
>> > > Rescue
>> > > > > take a crack at it. If it can do its thing, and then a second
>> scan
>> > > comes
>> > > > > back clean, you may well be fixed.
>> > > > >
>> > > > >
>> > > > > Also, a good utility to have is HiJackThis, a utility to let you
>> see
>> > > what
>> > > > > Windows is loading up, and more importantly you can tell Windows
>> what
>> > > to
>> > > > > stop loading:
>> > > > >
>> > > > > https://sourceforge.net/projects/hjt/
>> > > > >
>> > > > >
>> > > > >
>> > > > > Got one of these emails today. First one ever.
>> > > > >>
>> > > > >> Called Cox they said it's not spam.
>> > > > >>
>> > > > >> Interesting.
>> > > > >>
>> > > > >> Joe
>> > > > >>
>> > > > >> ---------- Forwarded message ----------
>> > > > >> From: Cox Customer Safety <abuse at cox.net>
>> > > > >> Date: Mon, Oct 17, 2016 at 8:52 AM
>> > > > >> Subject: [10.17.2016 34620193] Compromised Computer Notification
>> > from
>> > > > Cox
>> > > > >> Communications
>> > > > >> To: Me
>> > > > >>
>> > > > >>
>> > > > >> Dear Subscriber,
>> > > > >>
>> > > > >> Cox has identified that one or more of the computers in your home
>> > may
>> > > be
>> > > > >> infected with the Alureon / TDSS Virus.
>> > > > >>
>> > > > >> Viruses can take control of your PC and gather your personal
>> > > information
>> > > > >> such as passwords and credit card numbers, putting your data at
>> risk
>> > > > >>
>> > > > >> The following FREE security tools could help you detect and
>> remove
>> > > > >> infections from your systems:
>> > > > >> The Microsoft Safety Scanner
>> > > > >> http://www.microsoft.com/security/scanner/
>> > > > >>
>> > > > >> Norton Power Eraser
>> > > > >> http://security.symantec.com/nbrt/npe.aspx
>> > > > >>
>> > > > >> Cox Security Suite Plus powered by McAfee is included FREE with
>> your
>> > > Cox
>> > > > >> High Speed Internet service. This software can be used to help
>> > > protect
>> > > > >> up-to 5 devices in your home, including Windows and Mac OS
>> > computers,
>> > > > and
>> > > > >> Android and Apple tablets and smartphones.
>> > > > >> To get started, simply browse to www.cox.com/securitysuite and
>> > login
>> > > > with
>> > > > >> your Cox primary User ID and Password.
>> > > > >> If you already have an Anti-virus solution installed, you should
>> > refer
>> > > > to
>> > > > >> your software manual before installing the Cox Security Suite.
>> > > > >>
>> > > > >> If you need additional support, Cox offers premium technical
>> support
>> > > at
>> > > > >> reasonable rates.
>> > > > >> Visit Cox Tech Solutions at https://secure.coxtechsolutions.com/
>> or
>> > > > call
>> > > > >> 877.TEC.SOLV (832.7658) to get started.
>> > > > >>
>> > > > >> If you would like additional information on the Alureon / TDSS
>> > Virus:
>> > > > >> http://www.microsoft.com/security/portal/threat/
>> > > > >> encyclopedia/Entry.aspx?Name=Virus%3aWin32%2fAlureon.H
>> > > > >>
>> > > > >> If you have any questions regarding this matter, you may call Cox
>> > > > Customer
>> > > > >> Safety at 800-753-6085.
>> > > > >>
>> > > > >> Regards,
>> > > > >>
>> > > > >> Cox Customer Safety
>> > > > >> _______________________________________________
>> > > > >> OLUG mailing list
>> > > > >> OLUG at olug.org
>> > > > >> https://lists.olug.org/mailman/listinfo/olug
>> > > > >>
>> > > > >
>> > > > >
>> > > > > _______________________________________________
>> > > > > OLUG mailing list
>> > > > > OLUG at olug.org
>> > > > > https://lists.olug.org/mailman/listinfo/olug
>> > > > >
>> > > > _______________________________________________
>> > > > OLUG mailing list
>> > > > OLUG at olug.org
>> > > > https://lists.olug.org/mailman/listinfo/olug
>> > > >
>> > > _______________________________________________
>> > > OLUG mailing list
>> > > OLUG at olug.org
>> > > https://lists.olug.org/mailman/listinfo/olug
>> > >
>> > _______________________________________________
>> > OLUG mailing list
>> > OLUG at olug.org
>> > https://lists.olug.org/mailman/listinfo/olug
>> >
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/mailman/listinfo/olug
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/mailman/listinfo/olug
>>
>
>
More information about the OLUG
mailing list