Domain: jayloden.com
Stories and comments across the archive that link to jayloden.com.
Comments · 20
-
and it will only get worse
I've been dealing with AIM viruses since 2003 (I run AIMFix, an IM-specific virus removal tool), and I've watched them grow exponentially. On top of that, the attack methods have become infinitely more sophisticated. Where it used to be a userland executable, usually an exe, it moved to .pif and .scr files. It started with the usual "Run" entry in the registry, then started to mess around with the shell settings, winlogon settings, services, and legacy win.ini items. The latest variants are actually including code from various rootkits (mostly the FU rootkit) to hide themselves from memory and the registry.
My prediction is that these will only grow worse as time goes on. It's far too easy to include even more sophisticated rootkit technology in with the worm code, IM is getting ever more popular, and it's effective, plain and simple. Something about the IM format makes it both easy to mimic real "conversation" ("hey, check out these pics of me drunk at New Years!"), and somehow less suspicious than similar messages sent via email.
As far as I'm concerned, rootkits are going to become the norm for Windows worms/viruses within a year or two. Why bother with a simple executable that's easy to find and kill when you could make your code invisible to the running system? Frankly, I have no idea what the next step becomes for those of us writing anti-virus tools and cleaning programs. Bootable CDs that can verify the system? I don't pretend to have the answer just yet, but I can say with confidence that we'll be seeing more of this as time goes on, and I sincerely hope that the AV companies can step up to the plate in time. -
Fix for this AIM virus
If you're an AIM user and went and got this virus, AIMFix from jayloden.com should take care of it for you.
While you're at it, try reporting the link you downloaded the virus from so it can stop being distributed. Remember, e-mail viruses include infected attachments, while IM viruses just link off to a website creating a single point of failure. -
Re:AIMFix removes these
Dammit slashdot...that link was supposed to be http://jayloden.com/aimfix.htm
If you want the binary only: http://jayloden.com/AIMFix.exe -
AIMFix removes these
I wrote and maintain a free AIM / IM specific antivirus tool called AIMFix that removes these two worms in several variations. I've been working with this stuff since 2003 (AIMFix is used by dozens of Universities as part of official cleaning procedure and recommendations, see the users page for details). In particular, these two worms have been eating all of my free time for the last three or four days with several variants and some new behavior (installing as services only, rather than registry keys all over the place, etc). They're also hiding as Windows filenames, but in different directories, like C:\Windows\svchost.exe (instead of system32), C:\Windows\taskmgr.exe, etc.
It is so incredibly weird seeing these stories in the media. I've been so deep into researching them and writing updates to AIMFix to keep abreast of everything that it comes as a total surprise to see a media outlet cover them. I've gotten countless emails from people who got hit by these two worms, and I've become quite familiar with the symptoms over the past few days, yet at the same time I'm uniquely ignorant of the rest of the story (the AI aspect, etc) because I only end up dealing with the nitty gritty that happens on the symptoms and removal level. Go figure.
-Jay -
Re:chkconfig vs update-rc.d
Glad to see I'm not the only one interested in this. I actually looked at writing a clone tool for Debian based systems for both chkconfig and the "service" command from RedHat. I got as far as creating the service clone: http://jayloden.com/service_clone.htm but I didn't get to the chkconfig yet. Now that you've reminded me I may have to mess around with this again.
I haven't played with the tools the other replies mentioned (though I plan to now), so I can't comment on them, but it's definitely not a bad idea to clone the RedHat toolset, since it allows familiar ground for a lot of people used to RH environments, and I think chkconfig is reasonably intuitive and easy to use, to boot.
-Jay -
Re:IM worms go undetected
Thanks for the plug :)
I've been somewhat disappointed with how badly the mainstream antivirus companies have handled most of the IM outbreaks. There are vulnerable clients out there, mass spreading worms that install rootkits, disable AV programs and Internet Explorer, and through it all I feel like the AV companies are barely even there.
I'm not an antivirus expert, and I'm not a programming genius by any means. The guys at Symantec and McAfee and F-Prot et al are trained to deal with this stuff. They have the best tools and the best brains to throw at removing this malware. I'm just zis guy, you know? I've learned a hell of a lot in the past couple years by maintaining AIMFix, and I'll keep doing it as long as there's a need for it, but it never hurts to have some help!
I'm more than glad to keep doing what I do as long as it's helping people out there, but at the rate things are going these worms are simply going to get too hard for me to remove, much like CoolWebSearch was for Merijn and CWShredder. I welcome the opportunity to learn new things and become a better programmer, certainly, but I'd also love to see the major AV companies get in the game and start laying out the smackdown on these malware authors, since they have the resources to do it, and I just have a few spare hours a week to throw at them.
On a related topic, to all Slashdot readers:
If you run into any new virus variants, have information you'd like to share, or if you're a Win32 programming guru (C++) interested in helping out, feel free to shoot me a note through the contact form on my site.
-Jay -
IM worms go undetected
I think a bigger part of the problem, and hopefully this will open their eyes, is that thus far, the big anti-virus companies (Symantec and McAfee) will not include IM worms in their definitions. This means that even if you have the most up-to-date Windows security patches, and the most up-to-date anti-virus software, you can still be infected by the IM worm. I don't understand why they won't include them as they are, in my opinion, just as dangerous and propagate on their own just like normal email viruses. I deal with the "AIM virus" on a near-daily basis. I keep sending people to download AIMFix. This guy is getting some serious hits to his site, and he's not getting paid for it... These are real viruses, since the definition of a virus is that it gets onto your computer and propagates on its own. This just doesn't use traditional means (email, network ports). Even if you uninstall instant messenger, it's still there waiting to send itself to everyone on your buddy list.
-
Re:Incredibly easy to detect and remove...
No problem, glad to help :) You're more than welcome. By the way, if you run into a new variant that AIMFix misses, contact me through my contact form and send me a HijackThis log from the infected machine and I'll be happy to try and get some updates out for you. -Jay -
Re:Incredibly easy to detect and remove...
This story has had me rather bemused for some time now...I've had lockx.exe in the AIMFix removal definitions for quite a while. I haven't looked in my cvs log for AIMFix to check, but I'd guesstimate somewhere around a month. Maybe I need to start doing press releases :)
I wrote a journal post recently about some of the experiences I had with other AIM-based rootkit infections, as well. The nastiest one I've seen so far has been pokapoka/elitebar, which is an enormous pain in the rear to remove (also closely related to lockx). As far as I know, the only way (without using a boot disk) to remove this crap is to boot into Safe Mode, run AIMFix - or manually remove any known virus/worm files - and then delete the entire C:\Windows\etb directory, which is where PokaPoka and Elitebar stick their infector files. I maintain a Safe Mode instructions page for helping end users get into Safe Mode as well, which is often helpful.
I've been working to remove AIM viruses since 2003, and my software, AIMFix, is used by Universities and individuals all over the country. See the users page if you're interested in who uses AIMFix (that I know of, at least). I've seen this stuff progress from simple exe files that run at startup to rootkits that are almost impossible to remove for most normal users. I switched to Linux for all my computer needs in 2004, but I've continued to maintain AIMFix. It's now cross-compiled with mingw for Win32 platforms on my Linux box, and I use VMWare for testing and analysis. I keep doing it simply because it helps so many people. I'd rather not have to take my free time and spend it hunting down virus variants, and answering email, but it's worth it to help people out here and there.
-Jay -
How to remove it. The answer.
http://www.jayloden.com/VirusClean.htm
This tool is updated almost daily. 100% effective, I can vouch for it. You can become infected if you click the link on non-AIM clients, but it won't spread to everyone else on your buddylist. -
Aurorafix
Maybe this will help you in the future, or somebody else here.
A buddy of mine runs a virus removal site, and has a tool to remove Aurora specifically: Aurorafix.
-
Have to agree, as a virus/worm removal writer
I spend my spare time making a virus/worm removal tool for viruses and worms that affect AOL Instant Messenger, and I definitely agree, they've gotten a LOT more sophisticated. I'm no antivirus expert, I've just been working with this particular area of viruses since 2003, so I've seen them progress over time. It used to be a simple executable in the root of the drive, or in the system directory, and a "Run" entry in the registry.
Now these things screw with the shell setting for Windows, add themselves to the win.ini and system.ini registry entries and run themselves as services, drivers, etc. Even more annoying, they're copying the names of real windows files now, but dropping into different directories - like find.exe but in the Windows directory instead of System32. They create multiple copies of executables that run from every autorun entry they can find, and recreate each other. They communicate with IRC, they steal passwords and usernames to AIM accounts, and in at least a few cases I've found WinPCap and other sniffing or trojan tools installed as well.
For many months, updating the AIM virus removal tool I maintain was a matter of a few seconds of updates. Then one weekend it turned into several hours of creating new functions and sections of code to handle all these new variants.
The best I can figure, it's script kiddies or zombie botnet operators just running canned and packaged code, because after the first variant appears, a hundred more follow within a few weeks, using the same techniques or filenames. Generally, the purpose of these worms tends to be to download and install spyware - bringing in income through referral programs - and then leave the system open as part of a botnet.
Lately, these techniques are being combined with common exploits on vulnerable websites, especially ones with some of the recent PHP vulnerabilities. Again, it's like botnet-in-a-can, grab some scripts and some code, change a few filenames or urls, and let 'er rip. It's certainly not getting any easier to put in the time to update the removal tool, that's for sure.
-Jay
http://jayloden.com/aimfix.htm -
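The comment above describes worm droppers borrowing real Windows binary names (svchost.exe, taskmgr.exe, find.exe) but placing the copy in C:\Windows instead of System32, and an earlier comment names C:\Windows\etb as the PokaPoka/Elitebar drop directory. The following is an added detection check written for this page, not AIMFix code: it flags any path whose filename matches a known system binary but whose directory is not that binary's home, and any file under the named drop directory. The sample paths and the `example_dropper.exe` name are constructed, and the System32 home directories are an assumption for the Windows 2000/XP era discussed.

```python
"""Flag executables masquerading as Windows system binaries outside their
expected directory, plus anything inside a known dropper directory.
Added example for this page; the binary list and paths are assumptions."""
from pathlib import PureWindowsPath

# Assumption: on Windows 2000/XP these binaries belong in System32.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"C:\Windows\System32",
    "taskmgr.exe": r"C:\Windows\System32",
    "find.exe": r"C:\Windows\System32",
}

# Directory the comments above name as the PokaPoka/Elitebar drop location.
SUSPECT_DIRS = [r"C:\Windows\etb"]


def _norm(path):
    # Windows paths compare case-insensitively, so normalise before matching.
    return str(PureWindowsPath(path)).lower()


def classify(path):
    """Return a reason string if the path looks suspicious, otherwise None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = _norm(p.parent)

    home = KNOWN_SYSTEM_BINARIES.get(name)
    if home is not None and parent != _norm(home):
        return f"system binary name {name} found outside {home}"

    for d in SUSPECT_DIRS:
        base = _norm(d)
        # Match the directory itself and any subdirectory beneath it.
        if parent == base or parent.startswith(base + "\\"):
            return f"file located inside suspect directory {d}"
    return None


def scan(paths):
    """Map each suspicious path to its reason; clean paths are omitted."""
    results = {}
    for path in paths:
        reason = classify(path)
        if reason is not None:
            results[path] = reason
    return results


# Constructed sample listing, standing in for a walk of the system drive.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",   # legitimate location
    r"C:\Windows\svchost.exe",            # copy in the wrong directory
    r"C:\WINDOWS\TASKMGR.EXE",            # same trick, different case
    r"C:\Windows\etb\example_dropper.exe",  # constructed name in drop dir
    r"C:\Windows\notepad.exe",            # unknown name, not flagged
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_PATHS).items():
        print(f"{path}: {reason}")
```

On a live machine the same `scan` can be fed the output of a directory walk; the check is a triage aid, since a legitimate name in the wrong place is suspicious but not proof of infection.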
Re:Screenshot?
On a more serious note, the site does have some problems when viewed by links/lynx - the navigation is totally invisible to a text based browser, or a screen reader used by a disabled person.
see http://jayloden.com/scottleonard.png for a screenshot of what you'd get in a text based browser.
This is the problem with jscript DHTML menus, they're no good if you intend compatibility with accessibility standards or text browsing.
-Jay -
Re:Disable Greasemonkey
I must agree...I've got 1920x1200 resolution right now, which is normally ridiculous for me - I prefer something like 1280x1024 - but with my current video card and monitor, that's the only non-weird setting I can use.
Subsequently, the site looks very odd and appears to have rendering problems (missing navigation links, etc).
I can sympathize totally with the desire for the site to look the way you designed it...I've spent hours and hours and hours doing this on the sites I work on, trying to make sure they look the way I intended them to, even if the person uses really big fonts, etc.
I once tried to force font sizes, etc. But eventually I came to the conclusion that people are determined to do bizarre things, like view the site on an 800x600 resolution with font size set on LARGEST for IE (maybe some new glasses are in order?), etc. So now I take the approach of designing the site to look pretty much the same no matter how absurd (from a designers point of view) your font choices or screen size. I have http://philambdaupsilon.org/ and http://jayloden.com/ both set up to work this way at the moment (at least I hope so, I can't test everything!).
I still cringe to think that someone would be viewing my site so bizarrely, but I've given up on trying to prevent it. I just try to make sure the site degrades gracefully if viewed with text browsers, huge resolution, tiny fonts, huge fonts, etc.
-Jay -
Re:20 minutes??
Though it won't necessarily help with Sasser, if you get a Blaster or similar type of RPC attack, you can bring up the Run box and type in "shutdown -a" and it will prevent the machine from being rebooted by Blaster or Welchia or the like.
I used this at work all the time to get the patch installed so we could clean and patch the PCs.
Another suggestion, albeit an obvious one, is to put the most essential stuff on a USB drive or mini CD, and just slap on those before you do plug in the network. I made a "SasserAssassin" tool (in C++) that just killed and deleted any running Sasser copies and then applied the patch from MS. (only limitation is it won't delete system restore copies of it)
Anyone is welcome to download a copy of it at http://jayloden.com/SasserAssasinXP.exe or http://jayloden.com/SasserAssassin2000.exe (pick your OS version, obviously) if it helps you out.
This is how I always worked with computers at my university. There's no need to go through the hassle of downloading all the updates to CD, since all you really need are the major ones. In addition, there is http://autopatcher.com which handles that for you pretty nicely, including some extra goodies. Hope some of this info helps.
-Jay
note: just in case, I've got a backup copy of SasserAssassin located at http://elon.edu/student/jaleman/SasserAssassinXP.exe and http://elon.edu/student/jaleman/SasserAssassin2000.exe -