Everything posted by itman

  1. If this is the port 8880 block rule I recommended, did you move it to the top of the firewall rule set? If this activity stops after doing so, it's safe to assume it must be related to a previous firewall rule you created.
  2. Also it appears the poster in the other thread fixed the issue by installing Internet Security. So you might want to take a look at your existing user created firewall rules as a possible source for this activity.
  3. If the blocks are occurring when your browser is open, check for like entries in Eset's Filtered websites log. Otherwise, check for entries in the Detections log.
  4. Until this is resolved, I recommend creating an Eset firewall rule to block any outbound TCP traffic to remote port 8880. It appears that is the port the backdoor is using. Also set Logging severity to "Warning" for a while. The log events created will point to the process attempting the outbound connection. Post a few of those event log entries for forum review.
  5. The only ones I am aware of are eamsi.dll errors showing up in the Code Integrity log. Also, Eset per se does not create entries in the Win Event logs.
  6. If Eset protection has been fully disabled, it therefore can't be the reason you can't access your router GUI settings via browser interface.
  7. Open the Eset GUI. Then open Setup -> Internet Protection -> E-mail client protection. Change the Action setting to one of the other available options per the below screenshot:
  8. Run the Eset uninstaller again in Win safe mode. This time append the /force parameter; e.g. ESETUninstaller.exe /force. Ensure a space exists prior to the /force parameter. https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool
  9. Based on what I am reading here about IPMI: https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface , the real question is if Eset is compatible with this system configuration? I have my doubts it is.
  10. As I see it, there's a security issue here regardless of the Eset factor: https://techspirited.com/what-is-jnlp-file-how-to-open-it
  11. It should also be noted that Python scripts can be run from PowerShell. In the PyLocky incident linked above, it used a legit installer to install Python. Ref.: https://ridicurious.com/2018/03/30/powershell-scripting-guide-to-python-part1/
  12. I guess it's also time to talk a bit about why conventional AV products have problems detecting Python based malware other than by signature methods. Python is an interpretive language. That is, it uses an interpreter process to run its code. Windows facilitates this by loading the Python engine into a virtualized container. The problem is that only the OS has access to this container. This also in effect nullifies AV sandbox heuristic analysis of Python based executables since they in effect won't run in a conventional sandbox environment. Ditto for any other post-execution methods such as memory scanning and the like. Appears to me AVs have to come up with a way to extract the associated Python script from the executable while sandboxed. Then come up with a way to unmask packed, encrypted, or obfuscated scripts outside of current AMSI script examination methods to detect suspicious/malicious code usage. Until this can be accomplished, the Python .exe should be de facto deemed suspicious, given an obfuscated code alert message, and quarantined. I for one have long held to the assumption that an unknown process containing like masked script code is in the majority of cases malicious.
  13. I use AT&T - POP3S and AOL - IMAPS in my Thunderbird e-mail client with Eset e-mail scanning enabled w/o any issues. Ensure that the "Enable email protection by client plugins" setting remains enabled as shown in the below screenshot. Although your e-mail client is not one listed as supported, Eset will still scan IMAPS and POP3S traffic upon download from your e-mail servers. Disabling the Enable email protection setting in effect stops Eset from scanning SSL/TLS encrypted e-mail. Additionally, you might have to add Eset's root certificate to your e-mail client's equivalent root CA certificate store if it is not present there. I suspect this might be the case since your e-mail client, Claws, is one I have never heard of.
  14. Here's a book, 'Creating a Ransomware With Python', in .pdf format for those wanting to get into the "nitty gritty": https://hakin9.org/product/creating-a-ransomware-with-python/
  15. Looks like someone just made things a lot easier for Python based ransomware: https://github.com/sithis993/Crypter#builder
  16. It also should be noted that this technique is not new. PyLocky ransomware employed similar methods: https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/
  17. Also, before anyone gets real excited about this, it was pointed out in the comments section of the original linked malwaretips.com reference that Win 10 native SmartScreen will trigger on attempted execution since the process is unknown, unsigned, and definitely not a Win Store download.
  18. The prototype for this POC comes out of a posting on malwaretips.com: https://malwaretips.com/threads/macdefender-test-2-trojan-ransomware.98294/#post-857972 . Someone discovered that 7-zip's main process, 7z.exe, can be used to perform nasty stuff. It also slips by a lot of AVs because it is a trusted process.
  19. https://github.com/jabbalaci/PythonEXE https://realpython.com/pyinstaller-python/ The bottom line here is that the Python engine components are not malicious; the embedded script most certainly can be. And "bet your booties" that the script will be packed, encrypted, or obfuscated in such a way that it won't fully decode until executed. Win AMSI also is basically worthless against stand-alone Python scripts since it doesn't by default analyze them.
  20. Actually, I have brought up this issue previously. That is, the Python runtime can be bundled with a malicious script into an .exe. My statement at the time was that a Python runtime bundled in such a way should at least be flagged as suspicious activity. I didn't get any Eset response at that time and doubt you will get one now.
  21. Do you have Chrome Sync enabled? If so, read this: https://forums.malwarebytes.com/topic/258886-chrome-secure-preferences-detection-always-returns/
  22. Verify that Chrome is set as your default browser per this posting: https://forum.eset.com/topic/23480-about-eset-banking-payment-protection/?do=findComment&comment=113593