I had an infected device on the network, so I took all the machines besides the router offline, reinstalled the operating system from a clean copy, and then scanned each one after bringing them back online without internet. Once I thought they were all clean, I brought them back on the network, applied updates, downloaded and configured my firewall, set up the DNS servers, applied full disk encryption once again, created new limited user accounts, set up new passwords and emails, and set up my antivirus software. I also configured automatic updates for both the operating system and the antivirus, and I am also starting to monitor network requests. Is there any way my network can get reinfected? Could the router serve malware? If so, how could I detect whether the router is serving malware and remove it? One more question related to Android security: let’s say I have an Android phone, I click on a malicious website and download malware, and then I boot the phone into recovery and reset the phone. Could the phone still be infected somehow? If so, how do I detect the infection and remove it? Also, how can I better secure my computers/phones and the network in general?
I have a question,
Is there a difference between dynamic malware detection using automata and family behavior graphs?
I think that they both rely on API function calls, but I don’t understand whether there is any major difference between them.
Please help me,
if you’re not sure what I’m talking about:
automata – https://www.researchgate.net/publication/309710040_Detecting_Malicious_Behaviors_of_Software_through_Analysis_of_API_Sequence_k-grams
family behavior – graph – https://drive.google.com/open?id=1dOZ80FcaBiDHRDW4kusdxXGZw2C9aXfK
Of course, they are free.
For the first one, just click on Request full-text and it will download the pdf file. The second one is a Google Drive link.
So, just a single Windows host attached to the router, and a virtual machine running on it. No shared folders or clipboard. Just testing your average malware.
Note that this question talks about just a single PC connected to a router, without any fancy file sharing enabled via the network (it can have stuff like torrents and download managers, but not anything like a shared folder on the network).
I go to conferences and a number of the stalls have free bluetooth earbuds and headsets.
If I pair them with an Android device, is it possible for them to infect the phone with a virus?
I have read some other posts which talked about the security of the Bluetooth connection to the device. However, I am worried more about the possibility of malware on the headphones and the malware being transmitted to the Android phone (Android 9.0).
Would appreciate any thoughts on whether this would be easy for someone to do or is fairly difficult.
I was searching this site for questions on Emotet and I was kind of baffled when nothing was on here. So the title is kind of self-explanatory. See this question as an attempt to “complete” the content of this page.
How does the current iteration of Emotet work?
Bonus question: How can I disinfect a Windows machine of it?
(Windows 8.1 user)
A few months ago I downloaded binaries from: https://github.com/noahp/srlua-mingw
They had 2 exe files in the folder: srlua.exe and glue.exe. I had been unable to compile srlua from the original GitHub posting for srlua, so I used the srlua.exe from the binary and the glue.exe which I compiled on my own. I was able to use the tools successfully. The only issue was I received a few positives (1-2) when scanning the various files via VirusTotal, but that was expected given they are programs that compile Lua code into .exe (i.e. C compilers get flagged a lot on VirusTotal).
Skip ahead to today, I needed to use the program again. But because srlua.exe deletes itself (glues itself) to the created .exe, I needed another copy. I found the old zip for the binary in my recycle bin so I restored. I then proceeded to try and get the code to work again, but couldn’t get it to work. I then proceeded to use “just” the files in the binary’s zip srlua.exe and glue.exe (the ones in link above), and was able to create the .exe but not get them to run either. When opening the created .exe it said they were unrecognized filetypes. So again: 2 months ago, I didn’t use both files from the zip, but I did this time.
I then received a notification from my antivirus that “malware detected on pc”. It linked specifically to srlua.exe. I deleted the srlua.exe, and then followed the ‘disinfection’ protocols Kaspersky presented to me. I had never seen this prompt before and I couldn’t tell if it had detected anything real or was just presenting safety options. The only thing of worry it presented to me was that it detected an unknown program/code running at PC start.
I followed all their suggestions, and restarted the computer as they told me to. I then scanned the .zip file that had the binaries in it on VirusTotal. The database version showed it’s fine; I rescanned though, and it turned over 50% positive. I then downloaded Malwarebytes and ran that, and it picked up a registry key in an old DivX player folder (I’m guessing that’s unrelated), and it picked up the zip folder from my downloads and the ones in my trash bin. I quarantined the zip in my downloads folder (I’ll delete it later if necessary) and deleted the others.
I then went to the GitHub page. I’m really bad at understanding GitHub, but it says the last commit was 4 years ago…and as stated I downloaded this zip 2 months ago originally. I then went to grab the zip file again, but was blocked by Kaspersky citing: Access denied Object URL: https://codeload.github.com/noahp/srlua-mingw/zip/master Reason: the object is infected by P2P-Worm.Win32.Palevo.ikpc
This was not there when I downloaded 2 months ago. This is all new. I messaged GitHub, and am waiting for a reply; however, I am unsure of how GitHub works and whether I’m messaging the right place (they only had an abuse and harassment section). This raises questions like: Was the file infected while on the GitHub servers? Why is it still there on the site if everything is now flagged by all the antivirus as malware? etc.
My main concern though is: Was I likely infected? And how can I tell if I’m still infected? How would I even know? The antiviruses, when I look at the reports from Kaspersky and Malwarebytes, don’t tell me anything other than that srlua.exe and the .zip it came from are positive. Wouldn’t there be more to report if it was actually malware?
The last backup I have is from months ago, and the backup was made after my use of the program back then. So the backup technically is of a PC that used the supposedly infected srlua.exe with the non-infected glue.exe I compiled myself. It’s undesirable to go back to that point, and there’s the potential that even that could be infected. I’d assume it’s unlikely that a perpetrator designed it so you needed to use both the srlua.exe and glue.exe from the zip to infect the PC.
I have not experienced any odd behaviour on my PC. But I have no idea what a PC with malware does or doesn’t do, or what else can be checked outside of scans.
The process for using srlua.exe and glue.exe, from the link, is in the cmd prompt (Windows user) to run:
glue srlua.exe prong.lua prong.exe
where prong is the code file’s name. I’m assuming running this command is the same as opening the .exe and anything could happen if it is actually infected.
Dear Security Experts,
I am starting out in Malware Research / Malware Analysis. I am reading the book Practical Guide to Malware Analysis, which touches on this in the 2nd chapter, before approaching Dynamic Analysis (malware detonation). However, it mentions 2 options for the virtualization approach.
One is to set the Network Adapter to Host-Only. That way it should isolate the VM from the network, but still have access to it via the Host; not sure though how that works.
They mention a multi-VM setup where one VM is set up for Services and the other for Analysis, and both are joined to the same Custom VMNet.
My problem is that there are no step-by-step instructions on how to do this, so I am hoping to get answers here. My most curious question is: Is setting the Network Adapter to Host-Only the only thing to do to isolate the VM for Malware Analysis? Because many sites I googled mention just this (and also taking snapshots etc.).
Has your WordPress website been hacked, and has your hosting provider suspended your hosting account due to a malware attack?
1. WordPress site clean backup
2. Cleaning for virus or malware
3. Fix hacked WordPress websites
4. Scan and remove all malware or malicious code
5. Remove the “This site may be hacked.” message from Google search
6. Backdoor, phishing script and SEO spam removal; blacklist removal
7. Installation and configuration of anti-malware software
8. Restore defaced WP site
9. Installation of WP security plugin
10. Virus and malware scanning, which includes suspicious code injections in PHP files; disable the WordPress theme and plugin editor
11. Redirecting pages to unwanted sites
I know that traditionally a malware signature is a pattern of bytes in a program. While reading Joxean Koret and Elias Bachaalany’s “Antivirus Hacker’s Handbook”, I saw that the authors categorized the use of call graphs and flow graphs in malware detection as forms of signature-based detection.
Is it accepted that call graphs and flow graphs could be considered signatures? If so, what is the general definition of a malware signature?
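The two questions above (API k-gram/automaton detection versus behavior-graph detection, and whether a graph can be a "signature") share one underlying distinction: a sequence signature matches the *order* of API calls, while a graph signature matches the *relationships* between them, for example calls that operate on the same handle. The following is an added illustration, not the algorithm of either cited paper or book; the sandbox trace, the known-bad k-gram set and the known-bad edge set are all constructed, and the handle-linking rule is an assumed simplification of how a behavior graph is built.

```python
# Constructed sandbox-style trace: (api, handle_in, handle_out); None = no handle.
# Handles link calls that act on the same object (a file, a registry key).
TRACE = [
    ("CreateFileW", None, "h1"),
    ("WriteFile", "h1", None),
    ("CloseHandle", "h1", None),
    ("RegOpenKeyExW", None, "k1"),
    ("RegSetValueExW", "k1", None),
    ("RegCloseKey", "k1", None),
]
# Same behaviour with a no-op call inserted after every step (constructed variant
# of the kind of padding that defeats order-based matching).
PADDED = [c for step in TRACE for c in (step, ("Sleep", None, None))]

# Constructed "known bad" patterns; a real detector would learn these from a family.
BAD_KGRAMS = {("CreateFileW", "WriteFile", "CloseHandle"),
              ("RegOpenKeyExW", "RegSetValueExW", "RegCloseKey")}
BAD_EDGES = {("CreateFileW", "WriteFile"), ("WriteFile", "CloseHandle"),
             ("RegOpenKeyExW", "RegSetValueExW"), ("RegSetValueExW", "RegCloseKey")}


def kgrams(trace, k=3):
    """All length-k windows of API names, in call order (the sequence/automaton view)."""
    names = [api for api, _, _ in trace]
    return {tuple(names[i:i + k]) for i in range(len(names) - k + 1)}


def kgram_score(trace, bad=BAD_KGRAMS, k=3):
    """Fraction of the known-bad k-grams that occur in the trace."""
    return len(kgrams(trace, k) & bad) / len(bad)


def behavior_edges(trace):
    """Directed edges A->B where B uses a handle that A produced or last touched."""
    last_user = {}  # handle -> API that most recently touched it
    edges = set()
    for api, h_in, h_out in trace:
        if h_in in last_user:
            edges.add((last_user[h_in], api))
        for h in (h_in, h_out):
            if h is not None:
                last_user[h] = api
    return edges


def graph_score(trace, bad=BAD_EDGES):
    """Fraction of the known-bad dependency edges that occur in the trace's graph."""
    return len(behavior_edges(trace) & bad) / len(bad)
```

On the constructed input, the k-gram score drops from 1.0 to 0.0 once a harmless call is interleaved, while the graph score stays at 1.0 because the handle dependencies are unchanged; that sensitivity difference, not the byte pattern, is what makes both of them "signatures" in the broader behavioral sense.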