Posts posted by itman
-
A good example of sc.exe malicious use is the "Honeybee" malware that has attacked S.E. Asia humanitarian aid organizations in the past. Honeybee is delivered via malicious macro in a Word document.
Note: if you open the referenced McAfee article, Eset's HTTPS filter will throw an alert. Appears it is detecting some example code on the web page as malware -EDIT- the below .bat scripts are what Eset is detecting. I had to repost them as a .png attachment:
Quote:
The batch files involved in the attack modify the system service COMSysApp to load the malicious ipnet.dll. The contents of the batch files vary depending on the OS (x64 vs x86):
The batch files perform these tasks:
• Stop the service COMSysApp
• Configure the service to autostart (to set up persistence on the system)
• Modify registry keys to launch the DLL using svchost.exe
• Specify the malicious DLL path to be loaded into the svchost process.
• Immediately restart the service
• Remove the batch files to reduce the fingerprint on the system
IPNet.dll runs as a service under svchost.exe.
The malicious DLL is also responsible for terminating the cliconfg.exe process and deleting the malicious NTWDBLIB.dll using:
cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL
All the following capabilities described are implemented by the malicious service DLL implant unless specified.
-
Another way the attacker could have created the service is using reg.exe, which allows direct modification of the registry. It can also be run remotely if the Remote Registry service is running on the target device. Ref.: https://attack.mitre.org/techniques/T1112/
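A defender-side check for the persistence technique described above (a service re-pointed at svchost.exe with its Parameters\ServiceDll set to an attacker DLL, whether that was done with sc.exe or reg.exe). This is an added PowerShell example, not code from the forum post or the McAfee write-up; it assumes an elevated session on Windows 8 or later, where Get-AuthenticodeSignature also recognizes catalog-signed system DLLs, so treat its output as a triage list rather than a verdict.

```powershell
# Added example (defender side), not from the forum post or McAfee write-up.
# Walks HKLM\SYSTEM\CurrentControlSet\Services, keeps services hosted by
# svchost.exe, and reads the DLL each one loads from Parameters\ServiceDll.
# Flags a ServiceDll outside %SystemRoot%, a missing DLL file, a DLL without a
# valid Authenticode signature, and COMSysApp if it has been re-pointed at
# svchost.exe (it normally runs under dllhost.exe). Run elevated.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$windir      = $env:SystemRoot
$findings    = @()

foreach ($svc in Get-ChildItem -Path $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath -or $props.ImagePath -notmatch 'svchost\.exe') { continue }

    # ServiceDll lives in the Parameters subkey; skip services that have none.
    $paramsPath = "$($svc.PSPath)\Parameters"
    $dll = (Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    $dllExpanded = [Environment]::ExpandEnvironmentVariables($dll)
    $reasons = @()
    if ($dllExpanded -notlike "$windir\*") { $reasons += 'ServiceDll outside %SystemRoot%' }
    if (-not (Test-Path -LiteralPath $dllExpanded)) {
        $reasons += 'ServiceDll file missing'
    } else {
        # A DLL dropped into System32 passes the path check, so also verify the signature.
        $sig = Get-AuthenticodeSignature -FilePath $dllExpanded
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    }
    if ($svc.PSChildName -ieq 'COMSysApp') {
        $reasons += 'COMSysApp hosted by svchost.exe (expected dllhost.exe)'
    }

    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{
            Service    = $svc.PSChildName
            Start      = $props.Start          # 2 = automatic start (persistence)
            ImagePath  = $props.ImagePath
            ServiceDll = $dllExpanded
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Compare any flagged ServiceDll against a known-good system before removing anything, since the same registry values are also the ones an sc.exe- or reg.exe-based cleanup would need to restore.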
-
3 minutes ago, kamiran.asia said:
A Service with a Dll injector "FunctionRPCHelper.dll" that injects svchost.exe
Looks like I was right in my assumption.
I would still perform forensics in the hope of discovering what was able to create the Win service. Look for traces of script execution; most likely PowerShell, using sc.exe. Ref.: https://support.microsoft.com/en-us/help/251192/how-to-create-a-windows-service-by-using-sc-exe
-
4 hours ago, kamiran.asia said:
Also the ESET Log Collector for "Threat Detection" is uploaded here:
FYI - advise you delete that log from the web sharing site you uploaded it to. Or, alternatively, password protect it or secure it by some other means.
For future reference, post all future log requests to the forum; only Eset mods have access to these. Or, PM them to the requestor as an attachment.
-
Appears to me, the clients got nailed by a true 0-day malware. Also, it appears Eset created a new signature for this bugger, Win64/Vools.P.
It is encouraging that Eset was still able to detect it via AMS using a prior variant DNA signature.
BTW - what was the source of the svchost.exe injection?
-
I am not sure SysRescue will scan the UEFI. According to this: https://support.eset.com/kb3509/?locale=en_US&viewlocale=en_US , it only scans boot sectors. Appears to me you will have to use an Eset installed product to scan UEFI.
-EDIT- You can give Eset's Online Scanner (installed version) a shot and see if it has a setting to scan the UEFI: https://support.eset.com/kb2921/?locale=en_US&viewlocale=en_US
-
1 hour ago, tommy456 said:
but the latest version is now causing a cosmetic bug in WIN7, fortunately it's only cosmetic as such as far as I'm able to tell
Your screen shot shows you have no Internet connectivity. Reboot your PC and see if Internet connectivity now exists.
-
Since the malware is being detected in svchost.exe, my best guess is the malware has created a service in the registry and set it to start at boot time. If you can find the service, it most likely has an .exe associated with it. When you find the malicious service, besides deleting it, the .exe should also be removed.
Another possibility is the malware is injecting one of the running svchost.exe processes since Eset is detecting the malware via AMS. The older OS versions are vulnerable to svchost.exe injection methods. This type of attack would require another .exe or script running at boot time to perform the activity. So registry autorun keys and Win program startup directories will need to be reviewed for any suspicious entries.
-
1 hour ago, AGH1965 said:
Unfortunately Microsoft's definition of system activity has nothing to do with CPU load or HDD activity. Windows looks at mouse and keyboard activity. Unless you move the mouse or press keys every now and then, Windows will put the system to sleep. See the feature requests from @zeromido and myself here: link
Yeah, forgot about that.
There are a few third party software utilities that basically "fake out" Windows activity monitoring and employ their own timers to control sleep activity. Can't vouch for any since I never used them.
Appears the best solution for evening scanning, as the OP is doing, is to just disable sleep mode prior to running the on-demand scan since the PC will shut down after scan completion. Then re-enable sleep mode at boot time.
-
1 hour ago, Karly said:
I'm assuming that the computer goes to sleep before the scan finishes.
Your device should only be entering sleep mode when there has been no system activity for a specified period of time. The default Windows setting is one hour. As such, the device should not be entering sleep mode until the Eset scan is completed. Since you have specified that Eset shut down the device after the scan has been completed, sleep mode activation is not applicable.
To verify if your Win sleep mode is properly functioning, temporarily set the Win sleep mode time interval to 5 mins. Then start your on-demand scan w/shutdown option. After 5 to 10 mins. or so, if the scan is still running, we can rule out sleep mode being a factor. You can cancel the on-demand scan and reset the Win sleep mode time back to its initial setting.
-
If none of the network devices have been patched against the SMBv1 vulnerability, the first mitigation step must be to apply the appropriate patch to all devices.
It appears the source of the attack is unknown at this point. Without the source being identified, the attacker will in all likelihood perform a subsequent attack against the network, nullifying all previous virus infection removal efforts.
-
3 hours ago, TomasP said:
The landing page you're seeing is hosted on the server, so everybody has the new design on it already.
Thanks for the feedback. Would suggest Eset post an announcement when a change to GUI related components is made. Especially in regards to B&PP, since many are sensitive to any changes in that area, possibly due to the malware.
-
Are you referring to MS17-010: https://support.microsoft.com/en-us/help/4012598/title which was the patch for SMBv1 on the Win Server 2008 OS?
-
Will Eset scan if the limited admin user is signed out but the computer is still powered up?
-
On 3/17/2019 at 1:17 PM, sootsnoot said:
Apparently the myfiosgateway.com site is specially recognized by the router itself and doesn't cause internet access, it just gets mapped to https://192.168.1.1. But of course the browser complains about the lack of connection security because of the self-signed certificate. So I follow the browser-specific steps to go to the site anyway. But when I do that, I just get back to the page saying the connection is not secure.
I did a little experiment and connected to my router via https and experienced the same behavior. As far as I am aware, all connections to the router's admin GUI have to be made via http, except in your case it appears.
Try this. Refer to the below screen shot and add the IP address for your router, 192.168.1.1, to the excluded addresses for Eset's Protocol Filtering. This should eliminate any interference by Eset in your connection to the router.
-
Screen shot of what you are observing please.
-
22 minutes ago, TomasP said:
Thanks, will check with the development team.
Appears to me that perhaps the beta update ended up in a production pico update. So I guess we need another pico update to restore things back to the way they were previously?
-
11 minutes ago, TomasP said:
Can you please send me an output of ESET Log Collector via a private message?
Log sent.
-
3 minutes ago, AGH1965 said:
You reported that your scheduler started a scan one hour too early. Are you sure it started the scan one hour too early or could it also be that the scheduler started the scan 23 hours after the previous scan?
In that posting I was referring to the default Log Maintenance scan. And it is running correctly now at its scheduled scan time. Note that the missed scan option for this event is ASAP.
Try this. Set your missed scan time to 1 hour. See if the scan runs at boot time if your PC is powered off at the scheduled scan time.
-
9 minutes ago, TomasP said:
Can you please reboot the PC, then check the module version and the design of the respective screens?
Rebooted. Everything remains as I previously described including the release version.
BTW - I am not an Eset insider unless someone enrolled me as such w/o my consent.
-
2 hours ago, timse201 said:
Hello,
This is an insider post. Yes, the design was changed today (module version 1147).
To clarify, this was a production update and not a pre-release update? I don't have pre-release updates enabled.
Also my BP&P module is 1146 dated 3/1/2019.
-
9 minutes ago, Marcos said:
Announced by TomasP here:
The content isn't showing.
-
Error Message Protocol filtering problem (in ESET NOD32 Antivirus)
Post a screen shot of the actual Eset alert please.
The first thing that needs to be determined is what application is trying to import a root CA certificate. From the message posted, it appears something is trying to update Eset's root CA certificate in the Windows root CA certificate store.