Website may have bit me; now scans are too fast
I have multiple PCs running W-7 with F-Secure, Malwarebytes Pro and Malwarebytes Anti-Exploit free.
Everything was running fine on PC1, but then I looked for statistical information and looked at one website. At the bottom was a link which read "stats.bls.gov" which appeared to be safe. I could have sworn I cut-and-pasted it rather than clicking on it, but maybe my OpSec was lax. The webpage which popped up was "stats.bls.gov.com" which immediately alerted me that I had been hijacked. I did not click on any links on that page. I killed the browser (IE11) and started MBAM. The color of the GUI was not green, telling me that something was wrong. I looked through the settings and noticed that Malicious Website Protection was OFF. I turned MWP back on.
I checked "stats.bls.gov.com" with VirusTotal and it indicated no problems.
F-Secure gave no visual warnings. I ran a full system scan with it. It said nothing was found but it only ran for about 10 seconds. Normally a full system scan takes maybe five minutes (this is an SSD).
Then I started a full custom scan with MBAM including rootkits. It ran for 22 seconds and then stopped with the Nothing Found message. I rebooted and tried to scan again. Same result.
I rebooted into Safe Mode and ran a full custom MBAM scan including rootkits. It ran for 15 minutes which is as expected. Nothing was found. I rebooted in normal mode and ran another full custom scan: 22 seconds. Then I ran a threat scan which took two and a half minutes. Full custom scans will not complete.
I scanned the system using Microsoft Windows Defender Offline, but it found nothing on a full custom scan.
It would have been nice if I could have scanned using F-Secure in Safe Mode, hint, hint.
On another, identical system, F-Secure and MBAM scans take the usual time. Something has happened. The fact that F-Secure and MBAM scanners are quick is bothersome.
Any comments before I wipe the disk and start again?
Comments
-
Hello,
Just some suggestions.... which close to be "just random" (because - it's can be anything):
-> If you indeed met trouble-page, where was... for example... exploit-pack for any browser.
So... potentially it can be already with result on your system.
-> Scan can be start more speedy.... potentially... if malicious things able to "kill" /system/-rights for protection-service processes.
You can to check - if F-Secure Scan-process during launch have System rights or something like that.
If not -> Scanner not able to scan most part of system -> will be speedy.
Some kind of block or "re-check" rights, which have protection-software.
-> If you want to check it more.... and you want to use F-Secure, for example, as safe-mode.
You able to get F-Secure Rescue CD -> if it still active and work (probably yes). Will be scan with F-Secure bases under Knoppix (Linux / Debian-based).
-> Also you able to check something, which certainly can to detect other things.... like example -> Nod32 Online Scanner -> it's can be helpful time to time.
-> MBAM, which installed on system - previously.. was potentially risk - just because too vulnerable.
Not sure.. how it with new versions , but maybe without changes
You can to try - reinstall it. For example.
-> Less steps for check by "common online scanners' - which potentially can to detect something (but it will be just "double-work") -> HitmanPro scanner like trial-time scan (for understand... need your system help or not).
-> Disable network connection your system (where trouble) and check some common places for potentially troubles (maybe you able to get something suspicious by your steps). Any folders, settings for DNS/Firewall/Network, hosts, other.
-
Simon wrote: "Would it be worth trying F-Secure's Online Scanner?"
Great suggestion. I just did. The scan took less than one minutes which does not seem possible for a complete W-7 installation, even on an SSD. No malware was found. But the most interesting part came after the scan completed where Online Scanner told me "No security application installed."
Then I opened the regular F-Secure GUI and confirmed that Deepguard and everything else is set to "ON."
So the malware has disabled my regular F-Secure protection, but does not allow it to blink in orange, screaming pink, or whatever color Finns use to indicate a problem.
-
"F-Secure Scan-process during launch have System rights or something like that"
Online Scanner required UAC permission. I saw nothing strange in Task Manager. But I understand your point that the malware probably changed permissions of the scanners.
"You able to get F-Secure Rescue CD"
That's not quite as convenient as Safe Mode, but it just costs a cdrom. Good suggestion.
"MBAM, which installed on system - previously.. was potentially risk - just because too vulnerable"
I'm not sure what you mean here. This was a relatively new (install one month ago) PC, built by me. I had F-Secure, MBAM, and MBAE installed before I saw the bad website. Given what happened, I do not think much of MBAE. I think I will switch to EMET.
Unless F-Secure wants to see some files for research, I'm going to wipe this system soon. It just gets stranger with time.
-
I guess it's possible that something may have screwed with Windows Security Centre. What's it's reporting in Action Centre under Security?
Next steps I would suggest are (not necessarily in this order):
- Reinstall F-Secure
- Try another online scanner, such as Kaspersky. There's a few handy tools here:
http://support.kaspersky.co.uk/viruses/utility -
Simon, I forgot to mention before that sometime when I was trying to determine what was wrong, I saw an error message regarding Windows Security Center. I cannot remember if it was MBAM or F-Secure, but probably the former. Right now, Control Panel says that everything is okay.
Kaspersky ran a full system scan, but found no malware. It did, however, inform me that I have no anti-virus protection. The scan only took a minute or two, so I think the malware short-circuited it as well.
I think I got hit by a zero-day. I feel so special.
As I said before, unless F-Secure support contacts me, I will wipe the disk soon. I tried to send an email to support, but the webpage to do so is broken.
-
Hello,
"Online Scanner required UAC permission. I saw nothing strange in Task Manager. But I understand your point that the malware probably changed permissions of the scanners."
F-Secure Online Scanner probably can be ignored by malicious items, which just use "list" for block known security-applications.
Any Online Scanners good with that points - that they not so often can be "filtered" by malicious software.
But... here I mean just common regular scan-process by F-Secure IS during "Full Scan", for example.
And current point can be related not always with malicious things.
It's can be by Malware Anti-exploit, for example (?!) or other "default"-settings and etc.
Potentially if it malicious break system -> here should be blocked any connection with known "security" websites too. But maybe not always and here any other tricks around "default system"-changes, which not prevented by F-Secure (or MBAM) -> because here all valid and "design"-actions, but created not safe situation. Also it can be just changed around "folder-access-settings" or other...
------------------------------------------------------------------------------------------------------
"You able to get F-Secure Rescue CD"
Yes, it not Safe Mode - but I created current one.. because as you noted.. F-Secure not able to work by Safe Mode (and good.. because if your system goes to crash by security-software... you not able to launch Safe Mode).
But same realization with "databases/signatures" by F-Secure -> can be F-Secure Rescue CD - which can be some kind of good check too.
If it something like most trouble rootkits... probably here just need tool for rootkits and any other steps around checking. Which anyway can be not always helpful by Safe Mode too.
------------------------------------------------------------------------------------------------------
"I'm not sure what you mean here. This was a relatively new (install one month ago) PC, built by me. I had F-Secure, MBAM, and MBAE installed before I saw the bad website. Given what happened, I do not think much of MBAE. I think I will switch to EMET"
I mean... that previous version of MBAM (not new Two-version, which I not sure.. same or not) have one of troubles:
Any malicious/viruses can to create "broken" status for MBAM and it will be like all other "viruses" too
OR simply.. break MBAM without any addition steps for "block/prevent" -> simply it will be already not work.
And just for normal work - requried reinstall it.
It's mean -> you meet something malicious and previously... MBAM can be vulnerable for that malicious actions.
And after that - MBAM already without any helpful-features. All of them - broken.
And yes... Here I ignored potentially troubles around MBAM/MBAE and F-Secure/Other security software / System (which can be... for my opinion).... and "quality" of new version.
------------
I also created private-letter for you.... with addition words around.
-
Ukko pointed out that MBAE may be the problem. I was already leaning toward removing it on all of my PCs, but now I have done so. EMET causes strange results sometimes, so it is not impossible that MBAE also does so.
I am wiping the disk and reinstalling Windows. Thanks to Ukko and Simon for their help.
-
Some notes after reading this thread:
- OnlineScanner does not do full scans. It's more like a "Threat scan" in MBAM, but quicker.
- You could check Event Viewer in Windows for any new strange errors.
- You could try System Restore (as a last option if you decide to wipe the disk)
Your browser problems could perhaps be caused by the "infection". Have you tried from another PC to try and submit a support request for example?
If it was me I would wipe the disk. I recently saw a video from a guy trying to get clean from an infection. He had to use more than 10 products to get clean. Basically when one product missed to detect something, some of the others picked it up etc. So only the combination of all products could clean it.
Some other thoughts:
Do you have UAC set to maximum?
Do you have Protected Mode or Enhanced Protected Mode(64-bit) on in IE?
Enabled ActiveX filtering in IE?
Why use IE on sites you do not know when I know you have set up extra protection in FF with NoScript etc?
You have a better layered protection than most others but if you raise it even more I suggest you think of adding an additional layer like http://sandboxie.com/
-
About wipe/reinstall-things - it's most powerful step, because each other steps... can to fix some part of troubles, but not always able to fix all of them. Here also can be not enough using various software/tools.
Just because it's can be so "low-level" tricks by malicious actions... that able to fix just "not common steps".
Like if "malicious alternative data streams" previously able to fix by "recovery mode" with "just trying to copy-suspicious-file" - after which will be "mistake" and nothing happened, but trouble fixed.
And other things, when enough just "fix MBR" by default steps.
But for all of them - need to understand and be known - which trouble have system and where. Or potentially know it.
-------------------------------------
here strange if payload-website (or hack/vulnerability by valid website - if it valid) was with active exploits for Internet Explorer 11 (if it was with enough-basic level of security)....
probably just for addons/plugins or other part of them like flash.
And here also able to get exploit for Firefox
-
I am posting a follow-up in case anyone reads this thread.
The system I complained about was wiped and reinstalled. Everything is back to normal, naturally. But I had another system similar to the first: W-7, MBAE, MBAM, and F-Secure. I did not want to wipe it and reinstall, so I merely uninstalled MBAE. Afterward, I started to notice similar problems, i.e. scans finishing far too quickly. Ukko suggested that I also uninstall MBAM and reinstall it. I did that on my second system. F-Secure and MBAM are working normally now. My conclusion is that MBAE is flaky and somehow affects MBAM, forcing a reinstall of it too. I am not sorry I wiped and reinstalled the first system, as I was able to clean everything off, but I wonder if it was overkill for my problem.
Somehow I missed the comment by NikK before. I will answer his questions because he is always helpful. Normally I use Firefox with NoScript to surf the Internet, but somehow I used IE; I will not make that mistake again. I have ActiveX filtering activated, but I turn it off my regular ID when I want to watch video (which is what I was doing before). I use Enhanced Protected Mode set all the time, which sometimes cause problems with websites. UAC is set to default, which appears to be the maximum. I will look at Sandboxie now (I think maybe NikK suggested that to me before, but I forgot).
-
-
Thanks for the follow-up. Overkill or not, why take a chance?! I would've wiped it too just to be safe
The default UAC setting is not the maximum setting. Maximum = Always notify. Default = Notify me only when apps try to make changes to my computer.
And IE's Active-X filtering (just to explain it to others) is a per website setting. On sites you trust you can turn it off to use Flash Player to watch videos, install/run programs etc. On any other sites Active-X objects will be automatically blocked, unless you turn it off for that specific website. (a circle in the top right of the IE address field)
Perhaps MBAE was part of the reason for the problems. Anyway, regarding IE there were a lot of vulnerabilities patched on last patch tuesday, only a few days before you got hit. And as often described with such vulnerabilities: "An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user"
BTW, Microsoft's recommendation for unpatched zero-days is (besides EMET) to set the security level for the Internet Zone to High which will disable javascript, active-x etc. Much like how NoScript works for FF.
I have the Internet Zone set to High all the time + Block All Cookies, because I use the concept of Trusted Sites which is set to Medium-High. It's a great protection but can be difficult to set up for some websites. For example to get this community to work with all required javascript I have to allow *.f-secure.com + fsecured.i.lithium.com I use F12 Developer Tools in IE to get help on this but I would only recommend it to advanced users.
If I need to enable javascript or plugins on other sites I launch a browser through Sandboxie.
-
NikK, wiping and reinstalling Windows is easy for me because I have done it many times for myself and others. The only difficult part is having to activate Windows via Microsoft's telephone service. Usually I am sent to the automated system, but sometimes it requires speaking with people who do not speak English very well. I cannot imagine being a non-native English speaker and doing that.
I must admit, I am too lazy to save Active-X filtering settings for individual websites. Maybe some day. Right now I keep it on and only turn it off when certain websites need it. For example, Radio Swisss Classic, a classical music website, requires it to start Windows Media Player. But after I start it, I turn it back on. In my opinion, Microsoft should turn it on by default for admin logons.
I have never manually set UAC, yet it remains at the maximum setting. It must be some other setting which forces that.
I really think MBAE was the problem. I was only using the free version so I lost nothing except my time, but I would be annoyed if I had paid money and it broke. As you might know, EMET also can be difficult. Many people refuse to use it because it refuses to allow certain programs to start. I think it really shows just how complicated and convoluted Microsoft software is.
-
Regarding the wiping/reinstalling/activation you could give Windows Backup & Restore a try. No problem with the activation as long as you restore from a System Image created after the activation. When a new system is up and configured I do 2 things:
1. Create a System Repair Disc
2. Create a System Image (preferably to an external USB hard drive - NTFS formatted)
These options are available from the Windows Control Panel - Backup and Restore. And the Restore System Image process has an option to format and repartition disks, so you don't have to worry about wiping it.
Besides taking regular backups of documents etc I create a new System Image a few times per year so in case of a disaster I still have a fairly recent image.
Note: Backups to a USB3 drive requires the drive to be connected to a USB2 port to work when booting from a System Repair Disc, making a restore process slow.
Screenshots:
http://www.howtogeek.com/howto/7702/restoring-windows-7-from-an-image-backup/
@Blackcat has recommended some alternatives to Windows Backup here, that he says are faster and more stable:
http://community.f-secure.com/t5/Security/Security-products-that/m-p/36449/highlight/true#M6679