Malware advice
SephStorm
Member Posts: 1,731 ■■■■■■■□□□
Non cert but security related. Got hit with Exploit:JS/Blacole today. Completely unexpected, wasn't even using the computer most of the day but w/e. Long story short, I got hit, did full scans with MSE and MBAM. MSE detected the code in my internet files folders (IE and FF) and when I attempted to launch IE. I removed the files and reviewed my services file, and addons for both browsers, disabled what I found (for some reason IE doesn't include a remove option for toolbars and extensions, just a disable...) anyway. I thought I was good to go but shortly after launching IE got the flag again.
So my first instinct is to format and reinstall. I may do that but I am interested in a few things maybe you guys can help with. First, based on what I saw on the MS database it looks like this is an exploit kit. Is that correct? How are these kits usually delivered? Being that this doesn't appear to be outside of the browser, is it reasonably safe to backup changed files since my last backup? And finally, is anyone aware of any software that will remove this kit? MSE does not obviously remove the complete infection.
Comments
-
ipchain Member Posts: 297
I would start by looking at this post: ISC Diary | Problem with Microsoft Antivirus regarding malware from google website
If you are indeed infected with Malware, check this other post out: Found Exploit:JS/Blacole now computer virtually unusable - Page 2.
When analyzing Malware I would normally look at how the computer is behaving, but I would do it in a controlled environment without access to the internet. I would then give the piece of malware what it desires and see how it behaves. For example, if it is attempting to contact wyz dot net I would modify my hosts file and point it to my own machine. I would then start apache and look at its behavior again... this is called 'behavioral analysis', but you can also try to reverse engineer the executable if you have it.
Process Explorer and Process Monitor are very useful tools when analyzing Malware. Let us know how it goes...
Every day hurts, the last one kills.
-
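The hosts-file redirect plus local web server that ipchain describes can be scripted so the analysis box records exactly what the sample asks for. The following is an added example, not ipchain's or the thread's code: `wyz.net` is the thread's own placeholder hostname, the sink listens on 127.0.0.1 on an ephemeral port (an assumption), and `probe()` is a constructed stand-in for the sample's request, used only so the whole flow can be exercised offline.

```python
"""Minimal 'sinkhole' for the offline behavioural-analysis workflow: rewrite the
hosts file so the hostname the sample contacts resolves to the analysis machine,
then run a local HTTP server that logs every request it receives.
Added example; wyz.net and the paths below are constructed placeholders."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

SINK_IP = "127.0.0.1"  # assumption: the sink server runs on the analysis box itself


def hosts_entry(hostname: str, ip: str = SINK_IP) -> str:
    """Return the hosts-file line that points `hostname` at the analysis box."""
    return f"{ip} {hostname}"


def add_sinkhole(hosts_text: str, hostname: str, ip: str = SINK_IP) -> str:
    """Return hosts-file content with `hostname` redirected to `ip`.

    Existing entries for the same hostname are replaced so a second run does not
    leave a stale mapping; all other lines (comments included) are kept verbatim."""
    kept = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            continue  # drop a previous mapping for this hostname
        kept.append(line)
    kept.append(hosts_entry(hostname, ip))
    return "\n".join(kept) + "\n"


class SinkLog:
    """Thread-safe list of (host, method, path) tuples seen by the sink server."""
    def __init__(self):
        self.entries = []
        self._lock = threading.Lock()

    def add(self, host, method, path):
        with self._lock:
            self.entries.append((host, method, path))


class SinkHandler(BaseHTTPRequestHandler):
    """Answer every request with an empty 200 and log what was asked for.

    The sample sees 'something' at the sinkholed host, which is often enough for it
    to take its next step; the log is the artefact the analyst reads afterwards."""
    log = SinkLog()

    def _record(self):
        self.log.add(self.headers.get("Host", ""), self.command, self.path)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = _record

    def log_message(self, *args):  # keep stdout quiet; SinkLog holds the data
        pass


def start_sink(ip: str = SINK_IP, port: int = 0) -> HTTPServer:
    """Start the sink HTTP server in a daemon thread; port 0 picks a free port."""
    server = HTTPServer((ip, port), SinkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server: HTTPServer, host: str, path: str) -> list:
    """Constructed stand-in for the sample's beacon: one GET to the sink carrying the
    sinkholed hostname in the Host header. Returns a copy of the log afterwards."""
    url = f"http://{server.server_address[0]}:{server.server_address[1]}{path}"
    req = Request(url, headers={"Host": host})
    with urlopen(req, timeout=5) as resp:
        resp.read()
    return list(SinkHandler.log.entries)


if __name__ == "__main__":
    hosts = "127.0.0.1 localhost\n# analysis box\n"  # constructed hosts file content
    print(add_sinkhole(hosts, "wyz.net"))
    srv = start_sink()
    print(probe(srv, "wyz.net", "/beacon?id=1"))  # constructed request path
    srv.shutdown()
```

On a real analysis box the output of `add_sinkhole()` is written back over the hosts file (requires administrator rights) and the sink is left running while the sample executes; the `(host, method, path)` tuples it collects are the same information Process Monitor or Wireshark would show, but already reduced to what the sample tried to fetch.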
afcyung Member Posts: 212
This thread might have your answers. Encyclopedia entry: Exploit:JS/Blacole.BW - Learn more about malware - Microsoft Malware Protection Center
-
SephStorm Member Posts: 1,731 ■■■■■■■□□□
I would start by looking at this post: ISC Diary | Problem with Microsoft Antivirus regarding malware from google website
If you are indeed infected with Malware, check this other post out: Found Exploit:JS/Blacole now computer virtually unusable - Page 2.
When analyzing Malware I would normally look at how the computer is behaving, but I would do it in a controlled environment without access to the internet. I would then give the piece of malware what it desires and see how it behaves. For example, if it is attempting to contact wyz dot net I would modify my hosts file and point it to my own machine. I would then start apache and look at its behavior again... this is called 'behavioral analysis', but you can also try to reverse engineer the executable if you have it.
Process Explorer and Process Monitor are very useful tools when analyzing Malware. Let us know how it goes...
Thank you for the ISC link. I indeed was getting the popup when I went to the google website. I updated MSE and do not seem to be having any issues. I suppose the real test will be whenever I restart my system, as the real Blacole is supposed to be rough. In any case, after the original removal I looked at my traffic in WS while not connected, and connected to the internet. Didn't see anything that immediately stuck out. I think I will check out PE and PM though, just because I haven't used them before.
-
JDMurray Admin Posts: 13,091 Admin
Malware in your browser cache folder came from a site you visited with the browser. Browsers do not share cache folders, so you know which browser pulled it in. Most Malware requires JavaScript, so a plug-in like NoScript for FF, and ScriptNo in Chrome, go a long way to preventing Malware deliveries.
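Since the detections in this thread sat in the browser cache folders, a quick way to find which cached page pulled the script in (and which browser) is to walk each cache directory and flag files that look like obfuscated script. The following is an added example, not code from the thread or from any of the tools mentioned; the indicator list is a heuristic starting point for triage rather than a signature set, and the BENIGN/SUSPECT strings are constructed samples standing in for cached pages.

```python
"""Triage helper: walk a browser cache directory and report files whose content
carries several markers of obfuscated script (eval/unescape chains, hidden
iframes, long escape runs).  Added example with constructed sample content."""
import os
import re
from pathlib import Path

# Each indicator occurs in benign code on its own; several together in one small
# cached file is what makes a hit worth opening in a safe viewer.
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("unescape", re.compile(r"\bunescape\s*\(")),
    ("fromCharCode", re.compile(r"String\.fromCharCode")),
    ("document.write", re.compile(r"document\.write\s*\(")),
    ("hidden_iframe", re.compile(r"<iframe[^>]*(width|height)\s*=\s*[\"']?0", re.I)),
    ("long_escape_run", re.compile(r"(?:%[0-9a-fA-F]{2}){40,}|(?:\\x[0-9a-fA-F]{2}){40,}")),
    ("long_numeric_array", re.compile(r"(?:\d{1,3}\s*,\s*){60,}")),
]
SCRIPT_MARKER = re.compile(r"<script|\bfunction\b|\bvar\b", re.I)


def score_script(text: str) -> list:
    """Return the names of indicators present in `text`; [] for non-script content."""
    if not SCRIPT_MARKER.search(text):
        return []
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_cache(root: str, min_hits: int = 2, max_size: int = 2_000_000) -> list:
    """Walk `root` and return [(path, [indicators])] for files with >= min_hits.

    Files are decoded as latin-1 so arbitrary cache bytes never raise; anything
    above max_size (images, video) is skipped on size alone."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.stat().st_size > max_size:
                    continue
                found = score_script(p.read_text(encoding="latin-1"))
            except OSError:
                continue
            if len(found) >= min_hits:
                hits.append((str(p), found))
    return sorted(hits)


# Constructed samples standing in for cached pages; not real exploit-kit content.
BENIGN = "<html><script>var x = 1; function f(){ return x + 1; }</script></html>"
SUSPECT = ("<script>var s = unescape('" + "%61" * 50 + "');"
           "eval(s); document.write('<iframe width=0 height=0 src=\"/\"></iframe>');</script>")

if __name__ == "__main__":
    print(score_script(BENIGN))   # []
    print(score_script(SUSPECT))  # several indicators
    # point this at a copy of the IE or FF cache directory taken from the affected box
    # for path, found in scan_cache(r"C:\analysis\ff_cache_copy"): print(path, found)
```

Run it against a copy of the cache rather than the live directory, and raise `min_hits` if a site you use legitimately ships packed JavaScript; the point is to narrow which cached file, and therefore which browser and visit, delivered the script, not to replace the AV verdict.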