Wednesday, May 29, 2013

RUBY IN A BOX, CALLED A SERVER


Not quite as catchy as "Ruby in the sky with diamonds", but I only spent about 10 seconds coming up with it. "Ruby on Rails" is a popular framework for building web applications and is used quite a bit. A critical hole was found, and a patch went out in January, but apparently an unknown percentage of server administrators failed to apply it. These un-patched servers have been attacked and are now part of a larger botnet, which could distribute malware to your computer at home. The full article about it is HERE.

US WEAPONS DESIGNS VIEWED BY CHINESE HACKERS

If you watch the nightly world news then you've probably already heard about this. If you haven't, you can read about it HERE.

HOW DID I FIX THE FBI VIRUS?

I've received more than a few emails about this, and while it worked for me it may not work for you, due to the number of variations out "In the Wild". Briefly: you have to be prepared BEFORE you get infected. Use one of your USB sticks (or go buy one) and put some popular utilities on it, updating them occasionally (once a week, download the updated versions).

Scenario: You wake up and turn on the computer (or, if it's always "ON", you go to your usual website or two) when BAM!!! up comes the FBI warning screen and you can't do much after that.

In my scenario Safe Mode, Safe Mode w/Networking and Last Known Good Configuration did not work. The PC would go through its processes and come up to the logon screen. I'd type the password and, as soon as it looked like I was going to get into it, the screen reverted back to the logon screen and shut down the computer. Some variations will let you in if you don't have the network cable plugged into the computer, so I tried that and found out I didn't have one of those variations.

Last SAFE MODE chance was "Safe Mode Command Prompt". This, once you log in, brings you to an all-black DOS-looking screen and usually puts you in c:\windows\system32 [ed. - yes Matilda, brush up on your MS-DOS commands].


*NOTE - Before doing any of these I had already inserted my utility USB stick

Not knowing this person's computer, I had no idea what drive letter it would assign the stick. With HP computers it's even worse, because all of those convenient media reader slots are assigned drive letters, so I began at "E". It wasn't too long until I found my USB stick on "J" and made sure I could read it. Briefly, here are the steps:
  • At c:\windows\system32 type cd\j
  • J:\ is now on the screen
  • I typed DIR (to view directory) and saw that all my files were still there. I have a folder called DOS with some of the utilities on the USB stick, so they are in one easy place to get to them.
  • At J:\ I typed "cd dos" and now it was J:\DOS
  • Another DIR to verify what I had in there and chose MBAR (a beta utility from the makers of Malwarebytes), so I typed "mbar" and the program opened up, I was able to update it via the Internet and started a scan.
  • Next, I typed "cleantempfiles" and the temporary file remover went into action (many types of malware hide in temp files). The computer I was working on was fairly new, fast and had a lot of memory so I knew I could run another program.
  • At the DOS-like prompt I typed "Hitmanpro64" and Hitman opened and I updated it and started a scan.
  • Next I typed "autoruns". This program/utility is pretty good for giving you access to some of the registry in a GUI format. If you see something suspicious, I'd advise just un-checking the box - don't delete it.
  • MBAR and Hitmanpro64 both found a variety of things, including a rootkit. MBAR found what I believe to be the FBI virus, because the file was called trojan.ransomware.
  • In autoruns I saw a file that was set to load each time the computer booted. It had no description or publisher and the name of the file was something like 88872854444777299.exe [I un-checked this one].
  • With the others finished and ready to reboot in order to finalize the removal, I clicked reboot on one of them and let them do their thing.
  • On reboot I still went into safe mode, only not command prompt but safe mode w/networking. I was able to log in, didn't get the FBI screen and was able to get to the Internet via Internet Explorer.
  • Next: Shutdown/Restart (into normal mode)
  • Everything was like it should be, but I ran MBAR one more time (it came up clean), then ran Malwarebytes (Full scan) which also came up clean.
  • Last, but never least I deleted all of the previous restore points because they were infected as well, and created a new one labeled "After FBI virus removal 052513".
So, now you know what I did. Will it work the next time I come across it? Dunno. There are so many variants of this that I stand a good chance of it not working - but it's worth a shot.
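One way to script the drive hunt from the steps above, so you don't have to guess which letter the stick (or the card-reader slots) got. This is an added example and not part of the original post or any of the tools it mentions. It assumes the stick has a \DOS folder holding the utilities and that the executable names are as shown (change them to match yours). Note that in cmd.exe you switch drives by typing the drive letter and a colon (J:); "cd" on its own only changes the folder on the drive you're already on, which is why the script uses "cd /d".

```batch
@echo off
rem findusb.cmd - hypothetical helper, not from the original post.
rem Run it from the Safe Mode Command Prompt. It scans drive letters D:
rem through Z: for a \DOS folder (the layout described above) and moves
rem into the first one it finds.
setlocal
set "USBDRIVE="
for %%D in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if not defined USBDRIVE if exist "%%D:\DOS\" set "USBDRIVE=%%D:"
)
if not defined USBDRIVE (
    echo Utility stick not found: no drive has a \DOS folder.
    exit /b 1
)
echo Utility stick found on %USBDRIVE%
rem "cd /d" changes both the drive and the directory in one go.
cd /d "%USBDRIVE%\DOS"
dir
rem The scanners are GUI programs; "start /wait" waits for each one to
rem close before launching the next, so they run one after another.
rem (File names below are assumptions; match them to your own stick.)
if exist mbar.exe start /wait mbar.exe
if exist HitmanPro64.exe start /wait HitmanPro64.exe
if exist autoruns.exe start /wait autoruns.exe
endlocal
```

Save it as findusb.cmd in the root of the stick; once you've found the stick by hand the first time you can just type its full path (for example J:\findusb.cmd) from the c:\windows\system32 prompt. On machines with empty card-reader slots Windows may pop up a "There is no disk in the drive" error while the loop probes those letters; choosing Continue lets the scan carry on to the next letter.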

Thanks for your emails -

Regards,
Brian
E-mail: ME
