Rick's b.log - 2010/07/04
You are 3.142.53.68, pleased to meet you!
|
Rick's b.log - 2010/07/04 |
| It is the 29th of April 2024 You are 3.142.53.68, pleased to meet you! |
|
mailto: blog -at- heyrick -dot- eu
Anybody come across something like this?
I know it is notoriously difficult to detect a rootkit from within the infected machine, and I still cannot be 100% certain; however it seems odd that such a message would pop up. What kind of stealthy crim advertises their presence?!?
So my current thinking is it is most likely that somebody, somehow, managed to get a message to pop up. But I only have 50% confidence in that. Nothing seems amiss, but that could well be the point... Or... Maybe it was a genuine attack designed to kill the MBR and destroy the partitioning information, only my computer uses the EFI system, not MBR... Who can say? It's been through a power cycle so I know that much is alright.
Virus? Rootkit? Or bad joke?
I was idly looking at stuff on YouTube when a little alert box popped up saying:
Your computer is f***ed. You can thank <name> for this devastation.
Only, without the profanity-edit. At least, that's how I remembered it. Zero-day attack? Avast didn't notice anything. SuperAntiSpyware only picked up a few tracking cookies that were probably BeefTACO fakes. HitManPro gave a clean bill of health, and ComboFix only deleted my old Notepad (called "notepadx.exe" as the real Notepad.exe is actually MetaPad).
It also seems odd that such a thing might use YouTube as a vector. Videos are reencoded, possibly because of the issues surrounding Flash. In addition, the website layout is fairly minimal and well controlled. Hiding something there, I'd have thought, would be difficult. And it would need to reside within YouTube itself, else NoScript would have blocked it.
Rob O'Donnell, 5th July 2010, 16:04
Oh, and you really should read El Reg before you panic :-)
http://www.theregister.co.uk/2010/07/05/youtube_xss_chaos/Rick, 5th July 2010, 16:21
So it was just some dopey scripting message? Phew!
I do run with NoScript, but YouTube has permission - kinda doesn't work well without! Luckily if the payload (if any?) was off-site, it will have been blocked.
I *did* read El Reg, but note the article referred was posted at 9am, about three hours after my scans were completed, and some 16-odd hours after this b.log posting.
Useful, anyway, to prompt me to give my system the once over. Not what I planned to do on a Sunday, but never mind.
Thanks, Rob, for the quick response.Rob, 5th July 2010, 17:53 Rick, 5th July 2010, 18:43
This is actually a generic virus warning, with AlDelay scoring in the heuristics. I wiped the file (just in case), but AlDelay is actually a program that waits for 15 seconds before running Alarm proper - this being an attempt to get Alarm to show up correctly on the system tray [this is a known bug in XP - see http://winhlp.com/node/16]. Avast thought it was trojan-like. Fair dues. ☺
Other than that, all checked out okay. Phew!
| © 2010 Rick Murray |
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted. RIPA notice: No consent is given for interception of page transmission. |