
Brand Spanking New BlackHat Virus ... Own Up!

Discussion in 'BlackHat Lounge' started by jammie, Jul 24, 2009.

  1. jammie (Jr. VIP, Premium Member)

    Right,

    Well, some of you may have noticed iexplore.exe opening up in the background, playing TV/radio sounds etc., or random results on Google/Yahoo/Bing etc. being redirected to random sites.

    You've got a brand new blackhat virus!

    Someone, and someone pretty smart (so I'm guessing someone here), is using an exploit to open a link pointing to an affiliate link on fulldotfind (affiliate id 139, using subid "test" for tracking).

    Basically, it's using an exploit through Java. You'll have to uninstall all old versions of the JRE (Java Runtime Environment) and make sure only the latest is installed.

    It's rootkitted, so it's a pain in the arse to remove. It won't let you run AVs/Spybot/HijackThis/anti-malware etc., but you can simply rename them to anything like "hi.exe" to run them.

    Easiest way to remove is to read through these threads online:

    Code:
    hxxp://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/361996-malware-disables-spyware-redirects-fulldotfind.html#post2055459
    
    hxxp://www.d-a-l.com/help/spyware-adware-viruses-hijackthis-logs/60115-resolved-many-problems-cant-open.html
    
    hxxp://forum.sysinternals.com/forum_posts.asp?TID=17629&PN=1
    
    You'll need ComboFix, Anti-Malware + updates and maybe some others.

    Usually I'd applaud the developer for their ingenuity and actually infecting me, but in this case I won't, as I do Java development and I'm required to have a lot of different REs on my machine for compliance testing.

    Hope this helps a few people out! I know it threw me, as I had no initial way of finding out what it was (had to set up my own proxy so I could see requests being passed from IE - pain in the ass).

    Laters!
     
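The post's way of spotting the infection was to put a logging proxy in front of IE and look for the affiliate request (affiliate id 139, subid "test", landing on fulldotfind). The script below is an added example, not code from the original post or from any tool it names: it triages proxy log lines for that traffic and reports which local process issued them. The log format ("timestamp client process method url"), the query-parameter names (`aff`/`affid`/`aid`, `subid`/`sid`), the `.example` domains and the sample lines are all constructed assumptions; the post only gives the affiliate id, the subid value and the site name. The parameter-name list is deliberately broader than one URL so the check still fires when the same id/subid pair shows up on a different tracker host.

```python
"""Triage proxy-log lines for the hidden-IE affiliate redirect described in the post.
Added example; log format, parameter names and hosts are assumptions, not from the post."""
from urllib.parse import urlsplit, parse_qs

# Values the post gives: affiliate id 139 and tracking subid "test".
AFFILIATE_ID = "139"
SUBID = "test"
# The post only names the site as "fulldotfind"; any domain suffix is assumed.
SUSPECT_HOST_FRAGMENT = "fulldotfind"
# Query-parameter names are assumptions: the post names the values, not the keys.
AFF_PARAM_NAMES = ("aff", "affid", "aid", "affiliate")
SUBID_PARAM_NAMES = ("subid", "sid", "sub")

# Constructed sample log in an assumed "<timestamp> <client> <process> <method> <url>"
# format for a home-grown logging proxy (the post does not specify a format).
SAMPLE_LOG = """\
2009-07-24T10:15:02 192.168.1.20 firefox.exe GET http://www.google.com/search?q=java+runtime
2009-07-24T10:15:09 192.168.1.20 iexplore.exe GET http://fulldotfind.example/?aff=139&subid=test
2009-07-24T10:15:11 192.168.1.20 iexplore.exe GET http://tracker.example/click?aid=139&sid=test&r=http%3A%2F%2Fvideo.example%2F
2009-07-24T10:16:30 192.168.1.20 firefox.exe GET http://java.example/update/jre6u14.exe
2009-07-24T10:17:00 192.168.1.20 iexplore.exe GET http://www.example.org/
"""


def parse_line(line):
    """Split one log line into fields; return None for blank or malformed lines."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    ts, client, process, method, url = parts
    split = urlsplit(url)
    # parse_qs returns lists; keep the first value per key and lower-case the keys.
    params = {k.lower(): v[0] for k, v in parse_qs(split.query).items()}
    return {
        "ts": ts, "client": client, "process": process.lower(),
        "method": method, "url": url,
        "host": split.hostname or "", "params": params,
    }


def suspect_reason(entry):
    """Return why a parsed request looks like the affiliate redirect, or None."""
    reasons = []
    if SUSPECT_HOST_FRAGMENT in entry["host"]:
        reasons.append("host matches %s" % SUSPECT_HOST_FRAGMENT)
    params = entry["params"]
    aff = next((params[k] for k in AFF_PARAM_NAMES if k in params), None)
    sub = next((params[k] for k in SUBID_PARAM_NAMES if k in params), None)
    # Match the id/subid pair regardless of host: the same tracking values on a
    # different tracker domain are still the same affiliate traffic.
    if aff == AFFILIATE_ID and sub == SUBID:
        reasons.append("affiliate id %s with subid %s" % (AFFILIATE_ID, SUBID))
    return "; ".join(reasons) or None


def triage(log_text):
    """Return [(line_number, process, reason)] for every suspect request in the log."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        reason = suspect_reason(entry)
        if reason:
            hits.append((number, entry["process"], reason))
    return hits


def suspect_processes(log_text):
    """Which local processes issued the suspect requests (the post saw iexplore.exe)."""
    return {process for _, process, _ in triage(log_text)}


if __name__ == "__main__":
    for number, process, reason in triage(SAMPLE_LOG):
        print("line %d %s: %s" % (number, process, reason))
    print("processes:", sorted(suspect_processes(SAMPLE_LOG)))
```

Run against the constructed log it flags lines 2 and 3 (the fulldotfind landing page and a second tracker carrying the same id/subid pair) and attributes both to iexplore.exe, which is the "IE opening in the background" symptom the post starts from. Pointing it at a real proxy log only needs `parse_line` adjusted to that log's column layout.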