infections which can survive a reinstall of Windows

Haydon said:

Let's discuss, I like to know more about Frankenstein viruses

Click to expand...

They look like this....

A welcome relief from malware paranoia is the Wood Nymph. Sometimes, the snow covers only part of her most feminine feature

(I want some of whatever these guys are smokin!!!)

Wikipedia's 'Timeline of computer viruses and worms' (that was mentioned earlier) only goes to 2017 with only 1 listing in 2018, 1 listing in 2019 and zero listings in the years thereafter. Are we in for good times?

SlicEnDicE said:

Not even this is enough. Low level format of the full disk is needed to ensure that also all the nastiest bugs are gone.

Rootkits are very nasty too, only way to get rid of those is to either replace the chip or re-flash it. Some rootkits does so much damage that it is best to replace your whole computer. Luckily those are very rare.

Click to expand...

Why would one need to replace the whole computer? Isn't replacing the drives all that is necessary? Is there someplace else rootkits can hide?

@MisterEd Read the whole thread including links > get the goosebumps

Haydon said:

Wikipedia's 'Timeline of computer viruses and worms' (that was mentioned earlier) only goes to 2017 with only 1 listing in 2018, 1 listing in 2019 and zero listings in the years thereafter. Are we in for good times?

Timeline of computer viruses and worms - Wikipedia

en.wikipedia.org

Click to expand...

Naw... just lazy Wikipedia editors.



We all have things we like to keep,
Pictures, files and old receipts.
Remember, lest you get in deep,
The bad guys never sleep.
Yeah. The bad guys never sleep.

Ghot said:

Naw... just lazy Wikipedia editors.

We all have things we like to keep,
Pictures, files and old receipts.
Remember, lest you get in deep,
The bad guys never sleep.
Yeah. The bad guys never sleep.

Click to expand...

That would be out of character for Wikipedia's culture, the editor groups are a bunch of enthusiastic experts.

IMHO the technical hurdles are getting more and more difficult for malware authors > bad actors rely more and more on social engineering tricks with logos taken from official sites, better English, etc.

The topic of this thread is about (technical) malware of a different kind, though.

Haydon said:

the technical hurdles are getting more and more difficult

Click to expand...

Yep. For Wikipedia gnomes as well.

Ghot said:

Yep. For Wikipedia gnomes as well.

View attachment 48569

Click to expand...

Well, not nearly so, don't you think?

Writing about novel malware is not nearly as difficult as writing novel malware.

MisterEd said:

Is there someplace else rootkits can hide?

Click to expand...

GPU-firmware, soundcard-firmware, BIOS and any other chip in your computer that is writable.

Back when I was young and crazy-er, I got one in an optical drive. Took me a while to figure that one out.
My bootable backup software was on a CD at the time. So every time I restored from a backup... it came back.

No, I don't scan backups. I'm not as paranoid as a lot of people. I do regularly use a password manager, use scanning tools, use double realtime protection, and practice safe web habits, but not all the other stuff that seems to be of so much concern to others here. I store absolutely nothing on my systems that would be of much use to any hacker. At some point, one has to accept that in today's world no one is 100% safe if one chooses to use a computer at all. If a user doesn't accept it, it will drive them crazy.

Hi Folks

Found this site by searching for solutions to a nasty hack as THIS is a great discussion !! A club i belong to someone clicked and sent it all over the network and by then it was too late ! i had vpn'ed in and now from 1 pc , 4 more were infected and God only knows how many others . Trying to isolate , built a firewall over the past few months as I scanned/searched malware from every company and they all said you are clean ! My pc has become somewhat of a honeypot with no info on it !
Using remote connections that I somehow have not completely figured out how but the tools were terminal server and PowerShell ( Always concerned about key stroke stuff as well )as they destroyed 4 rebuilds . Each attack I saw how they got in , chased evidence of so many false positives like process after process to no avail. Since September I must have built over 200 entries in the firewall until I found they broke in after every online suggestion, registry change , SAM takeover , changing the registry settings locking the pc accounts and rendering it useless as i had to rebuild etc. Hardened pretty good right now with PowerShell remote disabled and term svc remote the same way ( blocked some ports as well )! So what i found was they somehow downloaded a worm and are real stealthy ! Replaced all my tv boxes ( FIOS) and was hoping to use cr 1000 FIOS router in bridger mode but too many problems setting it up ! Using rdp/IPV6 UDP methods they start some sort of a session on my pc ands call home. Cannot find how this is started Saturday mornings on my pc ! I took the ethernet cable out and they used the wifi adapter ! When you restart/shutdown - someone is using your pc remotely ! Came back in and found changes to the pc ... So now hopefully , and I say that loosely , having them blocked in or out with MS Defender Norton and Malwarebytes running , Tried Sophos but no help , and installed firewall ,I turned my attention to my pc again and am done using the recovery partition or windows clean restore as I found that it does NOT remove ALL files (clean drive completely ). I will be trying a Windows 11 Pro disk restore via dvd and will wipe the drive first and perform a clean install , I also tried resetting the bios twice and no good ! Every company out there tells you how to protect but it blew right thru all of my previous hardening ... If it is in memory then this should at least tell me to look at the hardware !

Thx

Regards

Merlin02131

@merlin02131 i am at a loss for words ...............................

@merlin02131 Have you been able to identify the malware?

Good Morning Guys

No as that is the mission and it is pretty stealthy as well ! searched processors / event viewer for hits after turning on certain audit functions ! I have reached out to some wrong sources and now am concentrating more on a Windows 11 pro path of eradication after blocking outbound and inbound ports protocols etc. . I will be trying different methods of hoping this is contained on the PC/hard drive/SSD somewhere as I saw traffic from my tv set top boxes but could not prove it was a root or infected somehow unfortunately ! HP Pavillion Desktop TP01-2XXX with an AMD Ryzen 7 5700G processor . My guess is it may be in the recovery drive partition or the UEFI partition. If not in the memory - ugh brand new pc as well !

@merlin02131 Seek help at BleepingComputer

Any piece of software that can get into the CMOS chips can potentially wreak havoc. Places are for example the CMOS that stores TOD clock as that's by definition "writeable", HDD / SSD I/O cache or controller areas, graphic cards etc.

However these are comparatively rare these days. The safest way (for 99% of domestic users) is simply to run any program (stand alone program - don't run from within the OS ) which either writes x'00' to every writeable area on the drive or even random hex digits --note needs to be written to every physical cluster on the device. This will get rid of "typical viruses and malware" - not root kits etc though.

I think domestic users should be more worried about being scammed rather than having to deal with nasty viruses these days. WD is perfectly good enough to keep typical malware away.

A piece of malware only needs enough space to be able to load another program -- e.g a typical boot loader loads a simple command probably from hardware which then branches to the address it's loaded from the hardware command - and then that loads and executes the "malware". - Called "Bootstrapping" - which is what any boot loader does too. So there's enough writeable space in the TOD chip to write a tiny boot strap loader !!!! -- I can't do it but 'Im sure there's plenty who can.



Cheers
jimbo

Yea been reaching out to a few orgs as first step is to retrieve more evidence like logs and traces using wireshark the autoruns program , processor chasing pids etc. and see if I can id anything except the obvious connections etc. I tried Sophos and was not happy with their tools as most could not give me some basic info ! I have used bleeping but will get more involved as I chase the operating system now ! Thx for the tips Haydon and Jimbo - I ran all sorts of malware with no luck , Avast, Norton , Malwarebytes, and had no luck ! My guess is its a fileless malware but will search on ! This Saturday I am setting up to capture the entry as it seems that this tries to call home Saturday around 10 and 11 am. Hopefully I'll be able to see it in action using rdp and trying to call home !