Jump to content

Ransomware using ESET graphics (was: Government backdoor in NOD32?)


Guest DustWolf
 Share

Recommended Posts

Guest DustWolf

Hello,

 

Is it true that NOD32 contains a backdoor for the government to install rootkits on the computer?

 

I have a computer in for repair that displays a government webpage on bootup (full screen), which has a NOD32 logo and "supported and enabled by"  written next to it. As I check the computer, it clearly has a rootkit installed. NOD32 was functioning normally and detected nothing the whole time.

 

Say what?

Edited by Aryeh Goretsky
adjusted topic to match thread
Link to comment
Share on other sites

  • Administrators

Of course the official installers signed by ESET do not contain any malware. If you've come across a suspicious installer or application purporting to have been made by ESET, please submit it to us as per the instructions here for further analysis.

Link to comment
Share on other sites

The installer was downloaded off of your website and has been working fine for years (as well as on all the other computers we have).

Link to comment
Share on other sites

Good day DustWolf,

 

As a long time loyal customer; i just wanted to drop in and add an extra bit of encouragement to submit pictures and samples please.

Let ESET take down and trace who ever is purporting to be them, and also attaching their logo to malware.

This could have grave consequences on stocks and business.

 

It makes me grind my teeth someone has possibly created what you speak of.

 

Thank you Dustwolf, and a big thanks to reporting and sharing.

 

 

*** Also if that is a FBI / Moneypak virus. updated VSD of ESET will remove. Sit at desktop for 10 minutes with internet LAN cable connected, so ESET can obtain any new updates, then try restarting the machine.

Edited by Arakasi
Link to comment
Share on other sites

Hello,

 

Not sure how to post an image here, so here's a link:

hxxp://pritisni.ctrl-alt-del.si/slikce/nod32%20malware.jpg

 

I have masked out the personally identifiable information, but sufficive to say the page contains everything down to a shot of the user trough the webcam.

 

 

Good day DustWolf,

 

As a long time loyal customer; i just wanted to drop in and add an extra bit of encouragement to submit pictures and samples please.

Let ESET take down and trace who ever is purporting to be them, and also attaching their logo to malware.

This could have grave consequences on stocks and business.

 

It makes me grind my teeth someone has possibly created what you speak of.

 

Thank you Dustwolf, and a big thanks to reporting and sharing.

 

 

*** Also if that is a FBI / Moneypak virus. updated VSD of ESET will remove. Sit at desktop for 10 minutes with internet LAN cable connected, so ESET can obtain any new updates, then try restarting the machine.

 

Link to comment
Share on other sites

Am currently runnin the good ol russian rootkit-unhooker. When I gather more information about what exactly the rootkit is made of, I'll let you know.

Link to comment
Share on other sites

That is definitely a modified or fake virus / picture / or similar; as you can see " NO ESET LOGO "

as i have attached the " real " genuine picture of what that virus looks like.

 

Its a very simple virus to clean.

 

Boot to safemode, show hidden files and folders, and you will find the executables and javascript files on C:\ - C:\programdata - and even in %userprofile%\ appdata\local & roaming

etc.

Should be able to reboot after manual deletion.

 

Some variants will block safemode, at that point pull the drive.

 

See attached:

post-1101-0-38725000-1378287231_thumb.png

Edited by Arakasi
Link to comment
Share on other sites

Hello,

 

Where is that image from? I will try this cleanup procedure, but rather than deleting I will try to use the ESET quarantine so that I can upload the files. It is also possible the rootkit is obscuring them. Will see. Worst case scenario I will try to move the files and note their original locations.

 

This computer uses windows XP.

 

 

That is definitely a modified or fake virus / picture / or similar; as you can see " NO ESET LOGO "

as i have attached the " real " genuine picture of what that virus looks like.

 

Its a very simple virus to clean.

 

Boot to safemode, show hidden files and folders, and you will find the executables and javascript files on C:\ - C:\programdata - and even in %userprofile%\ appdata\local & roaming

etc.

Should be able to reboot after manual deletion.

 

Some variants will block safemode, at that point pull the drive.

 

See attached:

 

Link to comment
Share on other sites

  • ESET Moderators

Hello,

 

That is a screenshot from a computer infected by some kind of "lock screen" malware (also known as ransomware). 

 

From the screenshot you provided, it could be Win32/TrojanDownloader.Nymain, which uses the same web page template.  Or, at least, it was using it when ESET's researchers wrote this blog article on it last week. 

 

If you scroll down to the bottom, you will see a screenshot with a similar message, except it is in English and referencing the FBI since it was done on a computer in the US, instead of wherever the one from that screenshot is (Slovenia, maybe?).  At the bottom, you will notice over a dozen images from anti-malware companies, including a few that are no longer in business.

 

So, to sum up.  No ESET rootkit, just a piece of ransomware that appears to have stolen some of ESET's graphics.

 

Regards,

 

Aryeh Goretsky

Link to comment
Share on other sites

Okay, however it still seems to be a new variant. I haven't found anything useful in any existing resources, but will keep this thread updated.

Link to comment
Share on other sites

I feel this thread title should be changed to something less scary/misleading for both old and new members coming here.  :blink:

Edited by SweX
Link to comment
Share on other sites

  • Administrators

It is apparently ransomware displaying a fake warning to scare the user and to get him or her to pay money to remove the screen lock. If ESET was updating properly before you encountered this infection, the following procedure should clean it out completely:

- restart the computer

- wait at least 5 minutes after the system starts up and the screen locks

- restart the computer

The ransomware should be cleaned then. I'd also recommend installing the latest v7 beta which turned out to be very stable and provides superior protection against new born malware especially thanks to the advanced memory scanner and exploit blocker.

Link to comment
Share on other sites

 

Hello,

Done.

Regards,

Aryeh Goretsky

 

I feel this thread title should be changed to something less scary/misleading for both old and new members coming here.  :blink:

 

Great, Thanks Aryeh :)

Link to comment
Share on other sites

  • 2 weeks later...

Hello,

 

Is it true that NOD32 contains a backdoor for the government to install rootkits on the computer?

 

Can we get an official reply from ESET that ESET products do not contain governmental backdoors (for any government)? While I can see several moderator responses, nobody actually answered the question and said that there was definitely not a backdoor for governmental use. Saying that it does not contain malware is great and expected, but if a backdoor existed, it would not be considered "malware" by the people who wrote it.

 

With all the "governmental spying" issues in the news these days. It would be good to have some peace of mind with ESET products.  

Edited by rockshox
Link to comment
Share on other sites

  • Administrators

Of course, no prestigious antivirus vendor includes malicious files in their products. Doing so would badly damage their reputation and it would be the end of business for such a company.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...