27,394 Infected Files

TigerRaptor
DBB Fleet Admiral
Posts: 2694
Joined: Tue Feb 01, 2000 6:00 am

27,394 Infected Files

Post by TigerRaptor »

Scary isn't it!

http://remove-malware.com/client-notes/ ... cted-files

This guy had the right idea and reformatted that machine. I don't think anyone in their right mind would tackle an infection that large.

Krom
DBB Database Master
Posts: 16138
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?
Contact:

Re: 27,394 Infected Files

Post by Krom »

Giving up without a fight? I bet I could have removed them all without having to format the system.
Ferno
DBB Commie Anarchist Thug
Posts: 15163
Joined: Fri Nov 20, 1998 3:01 am

Re: 27,394 Infected Files

Post by Ferno »

well, it's either spend more than half the day removing them, or do a system restore.
Isaac
DBB Artist
Posts: 7737
Joined: Mon Aug 01, 2005 8:47 am
Location: 🍕

Re: 27,394 Infected Files

Post by Isaac »

I won't judge. My approach:
[insert windows problem here]? Reformat!

TigerRaptor
DBB Fleet Admiral
Posts: 2694
Joined: Tue Feb 01, 2000 6:00 am

Re: 27,394 Infected Files

Post by TigerRaptor »

I guess Krom lost his mind. :P

I'll skip details since you are familiar with things like that. But why put the effort into something that large?
Isaac
DBB Artist
Posts: 7737
Joined: Mon Aug 01, 2005 8:47 am
Location: 🍕

Re: 27,394 Infected Files

Post by Isaac »

New service pack available? Reformat!

Krom
DBB Database Master
Posts: 16138
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?
Contact:

Re: 27,394 Infected Files

Post by Krom »

TigerRaptorFX wrote: I guess Krom lost his mind. :P

I'll skip details since you are familiar with things like that. But why put the effort into something that large?

Why do people climb mountains? :P

fliptw
DBB DemiGod
Posts: 6459
Joined: Sat Oct 24, 1998 2:01 am
Location: Calgary Alberta Canada

Re: 27,394 Infected Files

Post by fliptw »

Those are the 27K that were detectable; I wouldn't be surprised if, in the process of removing all the infections, you'd need to do an OS re-install.

Krom
DBB Database Master
Posts: 16138
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?
Contact:

Re: 27,394 Infected Files

Post by Krom »

No doubt even after removal there would be enough residual damage to the registry/system that you would have to format anyway. It'd just be entertaining to see how many infections you could clean and how effectively you could clean the system first. Just showing 27,000 infected files doesn't really say how many unique infections there are; it could be only a few dozen unique infections and the rest all duplicates.

I love a good challenge, and it isn't the number of infections that matters, it's the quality; 27,000 normal infections could easily require less effort to remove than just one well-crafted infection.

Jeff250
DBB Master
Posts: 6539
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: 27,394 Infected Files

Post by Jeff250 »

I hope you aren't being paid by the hour. ;)
Duper
DBB Master
Posts: 9214
Joined: Thu Nov 22, 2001 3:01 am
Location: Beaverton, Oregon USA

Re: 27,394 Infected Files

Post by Duper »

I'm with Krom on this one. The thing is, 90% of that can be nuked immediately (most likely). It's that last 10% that will be a challenge. There are probably only one or two bugs in there that will be difficult to near impossible to get rid of... depending on how thoroughly it re-propagates itself. But it would be interesting to see how far you could get.

I actually helped clean up a mess like this a couple of years back at a LAN. The guy's system was so infected, it was a wonder that it even started up. It took a little over 2 hours and several reboots. After the initial (successful) sweep, things moved along fairly well. He had over 12K infections. :?

Isaac
DBB Artist
Posts: 7737
Joined: Mon Aug 01, 2005 8:47 am
Location: 🍕

Re: 27,394 Infected Files

Post by Isaac »

How effective would it be to boot into a Linux live disk and use clamav to clear out viruses and back up data? I'd still reformat, but I'd try to clean and rescue some stuff before doing that.

I have clamav, though the only virus it ever found was the test virus I downloaded.
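A triage helper for the two points raised above: the offline scan Isaac describes (Windows volume mounted from a Linux live disk, scanned with clamscan) and Krom's observation that a huge infected-file count may hide only a few dozen distinct infections. This is an added example, not code from the thread or from the ClamAV project; it parses the `path: Signature FOUND` lines clamscan prints, counts distinct signatures behind the raw total, breaks the hits down by top-level directory of the mounted volume, and cross-checks the report's own "Infected files" summary. The log text, signature names and the /mnt/win mount point are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `clamscan -r --infected /mnt/win` output (Windows volume
# mounted read-only from a live disk); paths and signature names are placeholders.
SAMPLE_LOG = """\
/mnt/win/Windows/System32/helper.dll: Win.Trojan.Placeholder-1 FOUND
/mnt/win/Program Files/Game/game.exe: Win.Virus.Placeholder-2 FOUND
/mnt/win/Program Files/Game/launcher.exe: Win.Virus.Placeholder-2 FOUND
/mnt/win/Users/bob/AppData/Local/Temp/x.tmp: Win.Virus.Placeholder-2 FOUND
/mnt/win/Users/bob/Downloads/setup.exe: Win.Adware.Placeholder-3 FOUND
/mnt/win/Users/bob/Downloads/odd: name.exe: Win.Virus.Placeholder-2 FOUND
/mnt/win/Users/bob/Documents/report.docx: OK
Infected files: 6
"""

# Greedy path group, so a ': ' inside a file name does not split the line early.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^Infected files: (\d+)$")

def parse_report(text):
    """Return (list of (path, signature) hits, 'Infected files' count or None)."""
    hits, summary = [], None
    for line in text.splitlines():
        if m := FOUND_RE.match(line):
            hits.append((m.group("path"), m.group("sig")))
        elif m := SUMMARY_RE.match(line):
            summary = int(m.group(1))
    return hits, summary

def top_dir(path, mount):
    # Top-level directory of the mounted volume (Users, Windows, Program Files...).
    rel = path[len(mount):] if path.startswith(mount) else path
    return rel.strip("/").split("/", 1)[0]

def triage(text, mount="/mnt/win"):
    """Group hits by signature and by top-level directory; flag a mangled report."""
    hits, summary = parse_report(text)
    by_sig = Counter(sig for _, sig in hits)
    per_dir = defaultdict(Counter)
    for path, sig in hits:
        per_dir[top_dir(path, mount)][sig] += 1
    return {
        "infected_files": len(hits),
        "unique_signatures": len(by_sig),
        "top_signatures": by_sig.most_common(),
        "per_top_dir": {d: dict(c) for d, c in per_dir.items()},
        # False means the report was truncated or lines were mangled in transit.
        "summary_matches": summary is not None and summary == len(hits),
    }
```

On a real scan, pipe the clamscan output into `triage()`; the per-directory breakdown shows whether hits are confined to one user profile (salvageable) or spread across system directories.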
TigerRaptor
DBB Fleet Admiral
Posts: 2694
Joined: Tue Feb 01, 2000 6:00 am

Re: 27,394 Infected Files

Post by TigerRaptor »

Krom wrote: Why do people climb mountains? :P

To hug the mountain, to envelop that mountain, and to make love to the mountain.

Isaac wrote: How effective would it be to boot into a Linux live disk and use clamav to clear out viruses and back up data? I'd still reformat, but I'd try to clean and rescue some stuff before doing that.

I have clamav, though the only virus it ever found was the test virus I downloaded.

Clam blows. I almost want to say it is obsolete with its poor detection rate. There are far better choices that can be downloaded for free.

fliptw
DBB DemiGod
Posts: 6459
Joined: Sat Oct 24, 1998 2:01 am
Location: Calgary Alberta Canada

Re: 27,394 Infected Files

Post by fliptw »

yeah, clamav is piss-poor.
Ferno
DBB Commie Anarchist Thug
Posts: 15163
Joined: Fri Nov 20, 1998 3:01 am

Re: 27,394 Infected Files

Post by Ferno »

Duper wrote: I actually helped clean up a mess like this a couple of years back at a LAN. The guy's system was so infected, it was a wonder that it even started up. It took a little over 2 hours and several reboots. After the initial (successful) sweep, things moved along fairly well. He had over 12K infections. :?

Nowadays it's much easier to clean out an infected machine. My key to doing this fast is: if a recent image isn't available, use a rescue CD on a USB thumbstick. Since they work by seeing the drive as an attached unit instead of an OS drive, it takes about an hour tops and no reboots are involved.

Isaac
DBB Artist
Posts: 7737
Joined: Mon Aug 01, 2005 8:47 am
Location: 🍕

Re: 27,394 Infected Files

Post by Isaac »

TigerRaptorFX wrote:
Krom wrote: Why do people climb mountains? :P

To hug the mountain, to envelop that mountain, and to make love to the mountain.

Isaac wrote: How effective would it be to boot into a Linux live disk and use clamav to clear out viruses and back up data? I'd still reformat, but I'd try to clean and rescue some stuff before doing that.

I have clamav, though the only virus it ever found was the test virus I downloaded.

Clam blows. I almost want to say it is obsolete with its poor detection rate. There are far better choices that can be downloaded for free.

I'm trying to find proof of this. The only article I found was saying Clamav outperforms Norton and McAfee for detection. Regardless, clamav seems to be the only good option for Linux users wanting to scan Windows computers through the command line. I haven't tried AVG's Linux version yet.

snoopy
DBB Benefactor
Posts: 4435
Joined: Thu Sep 02, 1999 2:01 am

Re: 27,394 Infected Files

Post by snoopy »

I'm curious about this, too. All I know is clam found some infections from about 5 years ago that were missed back then by my windows antivirus. I don't remember what I had back then.
Arch Linux x86-64, Openbox
"We'll just set a new course for that empty region over there, near that blackish, holeish thing. " Zapp Brannigan
Isaac
DBB Artist
Posts: 7737
Joined: Mon Aug 01, 2005 8:47 am
Location: 🍕

Re: 27,394 Infected Files

Post by Isaac »

Clamav doesn't have the whole "scan every thing you do while you do it" feature. It might be the same for Windows. And this might be the reason Windows users don't like it. Linux users don't need this feature; "scan on demand" is more appropriate for us.

TigerRaptor
DBB Fleet Admiral
Posts: 2694
Joined: Tue Feb 01, 2000 6:00 am

Re: 27,394 Infected Files

Post by TigerRaptor »

Here are 60 zero-day threats I just downloaded and scanned with the scanners listed below: Clam against the popular on-demand scanners used today. Sorry to say Spybot didn't detect anything. Since Clam does a crap job on Windows, do you think Clam will do any better on a Linux system? Even McAfee and Norton will put it to shame.

Clamav (screenshot of scan results)

SUPERAntiSpyware (screenshot of scan results)

Malwarebytes (screenshot of scan results)

Emsisoft Emergency Kit, aka A Squared (screenshot of scan results)

Hitman Pro (screenshot of scan results)

If you want to see it up front for yourself, PM me and I'll tell you where to find live malware samples. Just remember to test it in a virtual machine.

Jeff250
DBB Master
Posts: 6539
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: 27,394 Infected Files

Post by Jeff250 »

How can they be zero-day threats if antivirus programs are detecting them? :P
snoopy
DBB Benefactor
Posts: 4435
Joined: Thu Sep 02, 1999 2:01 am

Re: 27,394 Infected Files

Post by snoopy »

Clam won't be any better in Linux.

Of course, in Linux you aren't executing Windows code, so Clam's scanning for Windows infections isn't directly protecting your computer.

I believe you now that Clam isn't very good.

TigerRaptor
DBB Fleet Admiral
Posts: 2694
Joined: Tue Feb 01, 2000 6:00 am

Re: 27,394 Infected Files

Post by TigerRaptor »

Jeff250 wrote: How can they be zero-day threats if antivirus programs are detecting them? :P

Ok, threats released in the last 24 hours. :P It is very common for it to be called that among the malware community.

Jeff250
DBB Master
Posts: 6539
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: 27,394 Infected Files

Post by Jeff250 »

Is that a practical threat model? Are most viruses that people encounter only 24 hours old?
Sirius
DBB Master
Posts: 5616
Joined: Fri May 28, 1999 2:01 am
Location: Bellevue, WA
Contact:

Re: 27,394 Infected Files

Post by Sirius »

"Zero-day" can refer to two different things: something that exploits an unpatched vulnerability, or a previously unknown virus... though I'm guessing this is the latter category. Regardless, it is possible for AV programs to detect unknown viruses in various ways... I would guess similarity to existing known viruses and risky behaviours might be warning flags.

Most infections don't come from new viruses though, no. The majority of people who get hit are using unpatched software and/or outdated virus definitions for that reason.