Welcome To The Home Of The Visual FoxPro Experts  
home. signup. forum. archives. search. google. articles. downloads. faq. members. weblogs. file info. rss.
 From: Pete Sass
  Where is Pete Sass?
 Marathon, Ontario
 Canada
 Pete Sass
 Tags
Subject: Virus/Trojans
Thread ID: 365285 Message ID: 365285 # Views: 95 # Ratings: 0
Version: Not Applicable Category: Off-topic
Date: Sunday, December 23, 2012 10:12:46 PM         
   


Hi Foxitians,

Just a wondering you some of you system folks are dealing with the on-slot of
RootKit and RansomWare infections?

Some of the RootKits I have recently been involved with are:
Rootkit.Boot.Pihar.c and the . . .
Trojan0Access.
and the . . .
RansomWare "Ukash".

Also, in the past 2 weeks got around 15 computers into my shop with the Trojan0Acess RootKit.

In the worst case scenario a couple of these have gotten into the MBR of the client's hard drive.

Even after deleting the partition and reformatting, the Virus/Trojan rootkit still comes back
after a couple of re-boots.

Even after restoring the MBR on the hard drive some of these still come back. I have tested
this with Acronis and performed a full MBR restore and still after 2-3 reboots the RootKit
infection manifests itself again.

So in a couple of cases thus far I have had to replace the physical hard drive and reinstall
the OS clean. I was not able to eliminate these kinds of Trojan/Virus' in a couple of cases.

This is getting rather "scarry" for a computer service company like mine.

I am starting to think back in the old days where we were able to go into debug and perform a
low level format of a hard drive. With the new SATA drives this is not an option, so we are
really facing a big issue here my friends.

I am not sure where all of this is going, but in the past 2 weeks I have dealt with 15 computers
infected with very hard to remove "RootKit" infections.

Today I am dealing with a client's Exchange server totally down AND infected with:
Rootkit.Boot.Pihar.c
Trojan0Access
and the Ukash ransom Trojan.
In this case there were over 1,000 infections detected.

After 3 hours of trying do get rid of these infection, I have decided to rebuild this
Exchange server from scatch after 3 hours of tring to eraticate the infections!

I removing all the partitions and reformatting the hard drives did not fix the issue.
I had to replace the OS boot hard drive completely!

I would sure like to meet up with one of the folks that created these infections to see
what in fact they did to add code right into the hard drive Master Boot Record.

This is being done at a very low level indeed and these folks know what they are doing
probably in 100% low-level assembly to target the Intel processor detected.

These infections are getting past MacAfee Entereprise, Norton Enterprise and AVG Server
Enterprise Editions.

Needless to say the cost of something like this is a lot for any client to swallow!

The omly thing I can offer in defence to this kind of infection is my main file server
and web server back at my shop are running under Unix.

Hard to get a client to move off to a linux/unix OS for sure and the main issue is interal
IT departmental training!

Jikes ... what a day!

Pete "the IceMan", from the Great White North of Canada.
www.marathongriffincomputers.com
Home of the Canadian and US download for Chen's VFP C++ Compiler
http://www.marathongriffincomputers.com/VFP-C++-Compiler.html

ENTIRE THREAD

Virus/Trojans Posted by Pete Sass @ 12/23/2012 10:12:46 PM
RE: Virus/Trojans Posted by Jun Tangunan @ 12/24/2012 1:53:12 AM
RE: Virus/Trojans Posted by Pete Sass @ 12/24/2012 4:29:41 PM
RE: Virus/Trojans Posted by Rick Hodgin @ 12/24/2012 8:49:38 PM
RE: Virus/Trojans Posted by tushar @ 12/25/2012 5:46:46 AM
RE: Virus/Trojans Posted by Pete Sass @ 12/25/2012 8:29:55 PM