[27073] in resnet


Re: Trojan DNS Changer Virus

daemon@ATHENA.MIT.EDU (Doughty, Marc)
Fri Dec 2 13:56:27 2011

Message-ID:  <CAEPWjzt3zVtw2XP5zaxd-tVuLWAUFWBDi==ogrsEE-px+ECVew@mail.gmail.com>
Date:         Fri, 2 Dec 2011 13:50:23 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Doughty, Marc" <marc_doughty@brown.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <CACGRg4eR1hwfx2eGEuPEDZkG2NW2D0V2Z-HXF=Q-c9FBX9=aSg@mail.gmail.com>

Greetings,
     Isn't it just a lot easier and less labor-intensive to have boot disks
rather than running anti-virus, then anti-spyware, then anti-rootkit sweeps?

If anyone wants to try it, I posted a script to this list on Nov 22nd that
pulls the latest Security Sweep from Microsoft and executes it in 'search
and destroy' mode. You'll need a BartPE or WinPE disk with 512MB of
'scratch' space.

- Marc Doughty
"If you aren't sure who is the give-way vessel, you are the give-way
vessel."


On Fri, Dec 2, 2011 at 1:36 PM, Rachel Boutilier <rboutili@macalester.edu> wrote:

> We run TDSSKiller <http://support.kaspersky.com/faq/?qid=208283363> on
> any machine that comes in with an infection nowadays.  It seems like it
> does a pretty good job of detecting rootkits.
>
> Rachel
>
> Rachel Boutilier
> Client Services Consultant
> Macalester College ITS
> (651)696-6507
> rboutili@macalester.edu
>
>
>
>
> On Fri, Dec 2, 2011 at 12:25 PM, Jeff Kell <jeff-kell@utc.edu> wrote:
>
>>  On 12/2/2011 12:59 PM, Doughty, Marc wrote:
>>
>> I've personally seen two machines with 'undetectable' malware in the last
>> few weeks. Undetectable inside the booted system (even running Forefront
>> and Symantec), but clearly visible from a boot disk.
>>
>>
>> The DNS Changer was often included in TDSS payload packages.  TDSS is
>> very prolific at hiding and restoring itself.
>>
>> Jeff

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________

