This is why your weekly scan should be of all files, not just executables. Sure, it takes a long time (6hrs on my laptop), but it would find crap like this.
Security researchers have spied malware that stashes a copy of itself in a Windows help file to ensure victim computers remain infected. The trojan, dubbed Muster.e by anti-virus provider McAfee, infects a Windows file called imepaden.hlp so it stores the main components of the malware in encrypted form. In the event the …
"In the event the installed malware is removed, the secret payload is decrypted into an executable file called upgraderUI.exe and run by a companion installation file that automatically runs as a Windows service."
Taking that quote at face value, we have *two* executable files in the chain. One is (presumably) permanently running and was presumably missed by the scanner both when it most recently loaded and when it was originally written to your disk. The second is called UpgraderUI.exe and is presumably also missed by the scanner.
Asking *this* scanner to peruse the help file really isn't going to improve matters.
McAfee seems surprised. Where the hell has McAfee been all these years?
"This is hiding in plain sight," said Craig Schmugar, a threat researcher at McAfee Labs. "The help file trick is pretty new to us. Usually on the client, we don't see this very often."
Am I reading this right? Is McAfee really saying that they are not used to viruses being stored in non-executable files?
Are you going to tell me that the method this virus is using is somewhat neat and a new trick to McAfee? Viruses have been obfuscating themselves for years in all sorts of files, big deal.
What he's really saying is that anti-virus software cheats. When scans are done, they are normally only done on executable files, exe, scr etc. to speed up the scan.
Well, it's about time ALL AV software defaulted to scanning ALL files, including those without an extension.
Anyone who does not scan every file--executable or not--is a damn fool. No wonder I've not used McAfee for years.
Me old Mum has been running Slackware exclusively for well over a year. My Great Aunt, for over 6 months. My Wife can't remember the last time she booted into the XP side of her machine. My primary desktop has been Slackware for almost 15 years, with (mainly) BSD on the servers. Our businesses are running just fine, TYVM.
Please tell me more about lack of useful applications; clearly I must be doing something wrong ...
"The help file trick is pretty new to us. Usually on the client, we don't see this very often."
if it's NEW, then you have NEVER seen it.... !!!!
if you don't see it very often, you have admitted to seeing it in the past, so it can't be new, you muppet.
or maybe he meant he usually sees it on the cloud & servers, not the client !!! LOL
"No doubt it's also perplexed its share of users who for the life of them can't figure out how their PCs keep getting reinfected."
Given Windows has 99.9% of all known malware, the answer to that is so obvious to any reader of El Reg. The penguin, or a Mac, is a good start, and learning how to use the damned thing without admin privileges and without saying "yes" to every dumb web-borne suggestion that oozes its way into view...
Yes, I know a lot of folk have no option but Windows, but then you can have a VM and if it gets stuffed, simply wipe and copy from a backup. Few minutes down (not hours or days of re-install, license, patch, configure, etc) and a fresh bit of Redmond meat for the viruses to start over again with.
Correct figure is around 99.9% from here:
(OK Apple fanbois have a smug snigger)
Can you name 10 such applications that are Windows-only? I guess a few CAD programs are, but for most users you can get most tasks done on Mac or LINUX just fine (thinks: web browsing, email, IM, photo editing, word processing). Have I missed some 'killer app' here?
I don't see where the news is. The machine has a compromised service running, and the antivirus doesn't remove it. Of freakin' course the virus will get reinstalled. I think viruses doing this have been around forever. Why would it make a difference if the executable is encrypted somewhere on the HDD? A malicious service could get it from anywhere it wants, up to and including from the 'net.
Oh, and please can the pointless "Windows vs. any-OS-with-an-X" crap.
> In the event the installed malware is removed, the secret payload is decrypted into an executable file called upgraderUI.exe and run by a companion installation file that automatically runs as a Windows service ..
What other process does the decrypting and runs the executable and why doesn't the AV software pick it up.
The service executable just decrypts the virus from within the help file if the original virus is deleted. That is all it does, thus nothing would get flagged by a heuristics-type scan. A virus definition scan may pick it up if they thought of checking if a helper service was installed in addition to the actual virus, but it looks like an oversight.
As for the hidden virus, no virus scanner can remove it because it is encrypted (presumably with a key generated upon infection), and thus not something that can be described by a "virus definition." The best they could do would be to check the .hlp file for any non-standard info (hashes of all versions of the file perhaps?) and simply quarantine it if it fails. Granted, now they know, they should check for the service exe and quarantine the .hlp if this virus is found. But that's just sensical, and what would an antivirus be (especially McAfee) if they did something that made sense?
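The "hash every known version of the file" idea above, and the earlier point that a scan should cover every file rather than only executables, can be combined into one integrity check. The script below is an added example, not code from the article or from any AV vendor: it walks a directory tree with no extension filter, and flags any file whose name has a known-good hash set but whose current SHA-256 is not in that set. The baseline values and the sample imepaden.hlp contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed baseline: file name -> set of SHA-256 digests of known-good copies.
# A real baseline would be built from trusted installation media or a clean host.
BASELINE = {
    "imepaden.hlp": {hashlib.sha256(b"GOOD HELP FILE CONTENTS").hexdigest()},
}


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: Path, baseline=BASELINE) -> dict:
    """Walk every file under root, ignoring extension, and return those whose
    name is covered by the baseline but whose hash is not a known-good one.
    The result maps file path -> observed digest (quarantine candidates)."""
    suspect = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            known = baseline.get(name.lower())
            if known is None:
                continue  # no reference hashes for this file; nothing to compare
            digest = sha256_of(path)
            if digest not in known:
                suspect[str(path)] = digest
    return suspect


def demo() -> list:
    """Build a throwaway tree with a tampered help file and a file outside the
    baseline, run the scan, and return the names that were flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed: a known-good help file with extra data appended after it.
        (root / "imepaden.hlp").write_bytes(b"GOOD HELP FILE CONTENTS" + b"\x00APPENDED DATA")
        (root / "other.hlp").write_bytes(b"not tracked by the baseline")
        return sorted(Path(p).name for p in scan_tree(root))


if __name__ == "__main__":
    print(demo())
```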
....is a waste of time. Just reimage it. Takes about 20 mins. Problem solved. Doesn't matter how `clever` they are then.
Well - unless they manage to write the code to some NVRAM chip or BIOS or something. Then you're fucked. But TBH if anyone of that calibre is specifically after you you're fucked anyway ;)