
Meet 'Rakshasa,' The Malware Infection Designed To Be Undetectable And Incurable


posted on Jul, 27 2012 @ 05:07 PM

Originally posted by visualmiscreant
reply to post by The X


Wow. Seems like it would have been better not to echo the progress bar when they designed this. Unless perhaps they needed this to "diagnose" newly infected machinery....


It is odd that there is a visual indicator of its progress, but if they have designed it to bind to the code of the ramdisk as it is being made, then maybe it is something the OS would do automatically as it shows its progress.
I don't know, this is just what I have learnt after having to deal with nearly two years of intruder hassles, and never being able to properly secure my box.
I was ready to tear my hair out.




posted on Jul, 27 2012 @ 05:08 PM
I think I have this on my PC at home. Hell, probably all my machines. That's why I keep spare parts lying around. I can whip a PC up in a few hours and be back online should this thing prove to be more than malware. I don't bank online and don't use credit cards or debit cards. I would never make a purchase online with my own PC.

Regardless I can live with it if all it does is spy on me. I am used to that. I just don't want it to fry my hardware. Like burning out my power supply or something.

If it does exist, with time it will spread to every PC.
edit on 27-7-2012 by BIHOTZ because: (no reason given)



posted on Jul, 27 2012 @ 05:10 PM
Well, I do appreciate all the replies to my questions. I also appreciate the original post. I agree that questionable habits are to be avoided as well. I was just trying to figure out what to do when they stop supporting XP. Seriously, it looks as though the MacPup distro is my favorite, mostly because of the Enlightenment desktop. Hopefully I'll be able to get some more memory between now and then to have more options...



posted on Jul, 27 2012 @ 05:13 PM
reply to post by VoidHawk



I suggest you read the paper the researcher is submitting... he seems to be saying that this technique would involve using non-volatile RAM dedicated to peripherals and such. Me not being any kind of expert hampers my ability to make the case as I am sure the author of the paper could.



posted on Jul, 27 2012 @ 05:18 PM

Originally posted by grey580
I'm skeptical.

And in any case, nothing is undetectable.
The malware would be sending out network traffic to communicate with a C&C server.
And that would mean there's a way to detect the traffic and nullify communication with that C&C server.



This was the strangest thing: it bound itself to the internal IPv6 loopback that the main program uses to initiate all the various Windows services on boot.
Incredibly clever, and, using PeerBlock, it is possible to see a constant multicast session in progress. I tried disabling IPv6 using a Microsoft "Fixit", everything except the loopback, which the PC needs to boot, thus making disabling IPv6 absolutely useless, because you can't start your computer if you disable ALL IPv6, which is necessary to shut it up.

It is almost as though this virus was being thought about before Win 7 was released; some incredibly talented coder must have had a brainwave and got his game together.

There are a whole host of things I don't understand about this virus, but something very akin to the OP's virus is in the wild, and thriving due to people willingly allowing a patch to be written to their BIOS.
edit on 27-7-2012 by The X because: (no reason given)
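grey580's point above, that a C&C channel has to show up on the wire somewhere, is the basis of beacon detection. The following is an added example, not code from this thread or from the Rakshasa paper: it runs over a few constructed connection-log lines (the addresses, timestamps and the `src=... dst=...` log format are made up for the example) and flags a source/destination/port triple whose connection intervals are suspiciously regular. `find_beacons` and `SAMPLE_LOG` are names chosen for the example.

```python
"""Beacon detection over constructed connection-log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not real traffic and not any standard log format:
# 192.168.1.10 contacts 203.0.113.5:443 exactly every 60 s (a beacon) and
# 198.51.100.7:80 at irregular intervals (ordinary browsing).
SAMPLE_LOG = """\
2012-07-27T17:00:00 src=192.168.1.10 dst=203.0.113.5 dport=443 bytes=312
2012-07-27T17:00:07 src=192.168.1.10 dst=198.51.100.7 dport=80 bytes=1422
2012-07-27T17:01:00 src=192.168.1.10 dst=203.0.113.5 dport=443 bytes=310
2012-07-27T17:01:31 src=192.168.1.10 dst=198.51.100.7 dport=80 bytes=9801
2012-07-27T17:01:33 src=192.168.1.10 dst=198.51.100.7 dport=80 bytes=655
2012-07-27T17:02:00 src=192.168.1.10 dst=203.0.113.5 dport=443 bytes=315
2012-07-27T17:03:00 src=192.168.1.10 dst=203.0.113.5 dport=443 bytes=311
2012-07-27T17:04:00 src=192.168.1.10 dst=203.0.113.5 dport=443 bytes=309
2012-07-27T17:04:50 src=192.168.1.10 dst=198.51.100.7 dport=80 bytes=2210
2012-07-27T17:05:00 src=192.168.1.10 dst=203.0.113.5 dport=443 bytes=313
2012-07-27T17:05:12 src=192.168.1.10 dst=198.51.100.7 dport=80 bytes=408
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["src"], fields["dst"], int(fields["dport"])


def find_beacons(log_text, min_events=5, max_cv=0.15):
    """Return {(src, dst, dport): stats} for flows whose gaps between
    connections are nearly constant (coefficient of variation <= max_cv)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport = parse_line(line)
            times[(src, dst, dport)].append(ts)

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue                     # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue                     # duplicate timestamps, not a beacon
        cv = pstdev(gaps) / period       # 0.0 means perfectly regular
        if cv <= max_cv:
            hits[key] = {"events": len(stamps), "period_s": period, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst, dport), stats in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate {src} -> {dst}:{dport} every {stats['period_s']:.0f}s "
              f"({stats['events']} events, cv={stats['cv']:.2f})")
```

Real implants add jitter to their sleep timer, so in practice `max_cv` is raised and the window lengthened to hours or days. Two caveats follow directly from the posts above: a channel bound to loopback or to a link-local multicast group, as The X describes, never crosses a perimeter sensor, so the capture has to be taken on the host or on the LAN segment; and an implant that sits in firmware and never talks until triggered produces nothing for this logic to see.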



posted on Jul, 27 2012 @ 05:33 PM

Originally posted by Maxmars
reply to post by VoidHawk



I suggest you read the paper the researcher is submitting... he seems to be saying that this technique would involve using non-volatile RAM dedicated to peripherals and such. Me not being any kind of expert hampers my ability to make the case as I am sure the author of the paper could.



Peripherals these days do come with more NVRAM, so yes, I'll agree there is a theoretical possibility, but it's so easy for antivirus to check it out.
I confess I hadn't read the paper. I will do so now.



posted on Jul, 27 2012 @ 05:45 PM
Hmmm, another one of those..... and I see people just complaining about Windows....

Do you know, any computer with a FireWire connector can be infected without even knowing??? (And that applies especially to YOU, the APPLE guys!!!!) I am not going to go into any details, but if you google it, especially a site from NZ, you will get more details.

OK, changed my mind, here is the info... You can take it from there.
Firewire hack

Bottom line is, if you have a computer, it is vulnerable. (If you have an internet-enabled TV, router, PS3, XBOX, iPhone, iPad, Android phone, etc., it can be infected too.) You have to take your chances, and think about what the chances are that you will be infected.

Furthermore, what makes you sure there is not some backdoor in the firmware of all of your devices?????

The only way you can be totally free from infection is to disconnect everything you have from the internet, disconnect your phone from the GSM network, heck, disconnect yourself from contact with everybody else.

edit on 27/7/2012 by Hellhound604 because: (no reason given)



posted on Jul, 27 2012 @ 05:51 PM
One other thing I forgot to mention was that a load of registry settings were being adjusted, always back to the same settings; it looked like Remote Differential Compression was being used to reconfigure your box to the previous state it was in before the clean install.
I'm not kidding, it is very hard to kill. I think the payload was around 50 KB (this was the size of the file written on the first sector of the hard drive after a format, and it appeared on reboot), and active from the BIOS upwards.



posted on Jul, 27 2012 @ 06:45 PM
reply to post by The X



So if I'm understanding you correctly, no one else is saying that the Windows patch you are talking about (I assume the DAZ loader) is infecting machines except you?

I'm not saying you are wrong; it's just that if there is other information out there about the DAZ loader or similar Windows loader programs containing an advanced BIOS-resident virus installed through patching SLIC tables, then I would very much like to read it.



posted on Jul, 27 2012 @ 07:25 PM

Originally posted by The X
One other thing I forgot to mention was that a load of registry settings were being adjusted, always back to the same settings; it looked like Remote Differential Compression was being used to reconfigure your box to the previous state it was in before the clean install.
I'm not kidding, it is very hard to kill. I think the payload was around 50 KB (this was the size of the file written on the first sector of the hard drive after a format, and it appeared on reboot), and active from the BIOS upwards.


Seems a way to offset the virus would be to design an anti-virus that forces the registry to remain as you set it, overriding the virus changes. There has to be a way to force the registry to remain set.



posted on Jul, 27 2012 @ 07:32 PM
As long as you keep your computer secure with a firewall and anti-virus and do not visit questionable websites or run questionable programs, then you should be fine. The Intel spokesman was correct in that your computer needs to be compromised in the first place for it to install, or you need to install hardware that's infected. So don't.

Also, this has nothing to do with the DAZ loader.

Also, new motherboards use UEFI instead of BIOS. UEFI has cryptography and new systems will shortly ship with Secure Boot. Apparently it is more secure but I don't know the details.
edit on 27/7/12 by C0bzz because: (no reason given)



posted on Jul, 27 2012 @ 07:45 PM
reply to post by BIHOTZ



Credit card fraud online is less common than in real life.....



posted on Jul, 27 2012 @ 07:45 PM

Originally posted by C0bzz
As long as you keep your computer secure with a firewall and anti-virus and do not visit questionable websites or run questionable programs, then you should be fine. The Intel spokesman was correct in that your computer needs to be compromised in the first place for it to install, or you need to install hardware that's infected. So don't.

Also, this has nothing to do with the DAZ loader.

Also, new motherboards use UEFI instead of BIOS. Apparently it is more secure but I don't know the details.
edit on 27/7/12 by C0bzz because: (no reason given)


Well, the DAZ loader writes SLIC tables.

From MyDigitalLife:

The application itself injects a SLIC (System Licensed Internal Code) into your system before Windows boots; this is what fools Windows into thinking it's genuine.


That works with the old BIOS and UEFI.
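The SLIC that the quoted MyDigitalLife text describes is an ordinary ACPI table, so it can be dumped and inspected like any other (on Linux it appears as /sys/firmware/acpi/tables/SLIC next to RSDT). The following is an added example, not code from this thread, from any loader, or from Microsoft: it parses the standard 36-byte ACPI table header, verifies the table checksum, and compares the SLIC's OEM ID and OEM Table ID with those of the RSDT, which Microsoft's OEM activation requires to match. The table bytes are constructed here (the vendor strings are placeholders, not any real OEM's values), and `build_table` and `audit_slic` are names chosen for the example.

```python
"""Parse ACPI table headers and audit a SLIC against the RSDT (added example)."""
import struct

# Standard ACPI System Description Table header: signature, length, revision,
# checksum, OEM ID, OEM Table ID, OEM revision, creator ID, creator revision.
ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")      # 36 bytes
CHECKSUM_OFFSET = 9


def acpi_checksum(data):
    """Byte value that makes every byte of the table sum to zero modulo 256."""
    return (-sum(data)) & 0xFF


def build_table(signature, oemid, oem_table_id, body, revision=1,
                oem_rev=1, creator=b"EXMP", creator_rev=1):
    """Assemble a table with a correct checksum (constructed data, not a real table)."""
    length = ACPI_HDR.size + len(body)
    header = ACPI_HDR.pack(signature, length, revision, 0, oemid.ljust(6),
                           oem_table_id.ljust(8), oem_rev, creator, creator_rev)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = acpi_checksum(table)
    return bytes(table)


def parse_header(table):
    """Decode the header and verify the checksum over the declared length."""
    if len(table) < ACPI_HDR.size:
        raise ValueError("shorter than an ACPI table header")
    sig, length, rev, _csum, oemid, oem_tid, _oem_rev, creator, _creator_rev = \
        ACPI_HDR.unpack_from(table)
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "oemid": oemid.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_tid.rstrip(b"\x00 ").decode("ascii", "replace"),
        "creator_id": creator.decode("ascii", "replace"),
        "checksum_ok": len(table) >= length and sum(table[:length]) % 256 == 0,
    }


def audit_slic(slic_bytes, rsdt_bytes):
    """Return a list of findings; an empty list means the SLIC looks native to this firmware."""
    slic, rsdt = parse_header(slic_bytes), parse_header(rsdt_bytes)
    findings = []
    if slic["signature"] != "SLIC":
        findings.append(f"unexpected signature {slic['signature']!r}")
    if not slic["checksum_ok"]:
        findings.append("SLIC checksum does not verify")
    if slic["oemid"] != rsdt["oemid"]:
        findings.append(f"OEM ID {slic['oemid']!r} differs from RSDT {rsdt['oemid']!r}")
    if slic["oem_table_id"] != rsdt["oem_table_id"]:
        findings.append(f"OEM Table ID {slic['oem_table_id']!r} differs from RSDT "
                        f"{rsdt['oem_table_id']!r}")
    return findings


# Constructed tables. A real SLIC body (public key + marker) is 338 bytes; zeros stand in here.
RSDT = build_table(b"RSDT", b"VENDOR", b"BOARD1", b"\x00" * 16)
NATIVE_SLIC = build_table(b"SLIC", b"VENDOR", b"BOARD1", b"\x00" * 338)
INJECTED_SLIC = build_table(b"SLIC", b"OTHER", b"EMU-SLIC", b"\x00" * 338)

if __name__ == "__main__":
    # On Linux: open("/sys/firmware/acpi/tables/SLIC", "rb").read() and likewise RSDT.
    for label, slic in (("native", NATIVE_SLIC), ("injected", INJECTED_SLIC)):
        print(label, parse_header(slic), audit_slic(slic, RSDT) or "no findings")
```

A mismatch is only a heuristic: a loader that rewrites the RSDT/XSDT headers in memory to match its emulated SLIC passes this check, which is why the comparison is more useful against a dump of the flash image or the OEM's published tables than against the live ACPI tables the loader itself has shaped.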



posted on Jul, 27 2012 @ 07:58 PM
reply to post by PhoenixOD



I just thought of something. Couldn't Microsoft introduce something similar to Steam verification to its SLIC? As in, it checks itself against the official Microsoft site and, if it's different, notifies you and/or forces a new BIOS that overrides admin-rights protection?



posted on Jul, 27 2012 @ 08:08 PM
reply to post by PhoenixOD



Yes, but it doesn't permanently modify the BIOS; rather, it runs every time the system is booted. So once you format, it should be gone. IIRC, some early Vista cracks did require you to flash the actual BIOS.
edit on 27/7/12 by C0bzz because: (no reason given)
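Both The X's report of a file reappearing on the first sector of the drive after a format and C0bzz's point that a SLIC loader lives in the boot path and runs on every boot, rather than in flash, come down to what is in sector 0. The following is an added example, not code from this thread or from any loader: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares the hash of the boot code against an allow-list of known-good hashes. The sector bytes, the baseline hash and the tampered copy are constructed here; `CLEAN_BOOT_CODE`, `build_mbr` and `check_boot_code` are names chosen for the example.

```python
"""Parse a 512-byte MBR and check its boot code against a baseline (added example)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
# status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")

# Constructed boot code: a few plausible opening bytes (cli; xor ax,ax; mov ss,ax;
# mov sp,0x7c00) padded with zeros. Not any real vendor's MBR.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 8)

# One bootable NTFS-type (0x07) partition at LBA 2048, 204800 sectors long.
PARTITIONS = [(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)]


def build_mbr(boot_code, partitions):
    """Assemble a sector: 446 bytes of boot code, 4 x 16-byte entries, 0x55AA."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 446 bytes")
    table = b"".join(PART_ENTRY.pack(*p) for p in partitions).ljust(64, b"\x00")
    return boot_code + table + b"\x55\xaa"


def parse_mbr(sector):
    """Return signature validity, a hash of the boot code and the partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(sector, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:                         # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_boot_code(sector, known_good_hashes):
    """Flag a sector whose boot code is not on the allow-list (or lacks the signature)."""
    info = parse_mbr(sector)
    info["boot_code_known"] = info["signature_ok"] and info["boot_code_sha256"] in known_good_hashes
    return info


# Constructed baseline, and a copy whose boot code has a 3-byte jump patched in at offset 8.
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_mbr(CLEAN_BOOT_CODE[:8] + b"\xe9\x00\x01" + CLEAN_BOOT_CODE[11:], PARTITIONS)

if __name__ == "__main__":
    # On a live system read sector 0 as root with open("/dev/sda", "rb").read(512)
    # (Windows: r"\\.\PhysicalDrive0") and compare against a hash taken from a clean install.
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = check_boot_code(sector, {BASELINE_HASH})
        print(name, "known-good boot code:", info["boot_code_known"], info["partitions"])
```

Three caveats a practitioner would attach to this check. A quick format rewrites the filesystem, not sector 0, so a bootkit in the MBR survives it (zeroing the sector or repartitioning does remove it), which is consistent with the post above saying the file was back after a format. GPT disks carry only a protective MBR and boot from the EFI system partition, so there the files to hash are the boot loaders in that partition. And an implant held in flash, which is where the Rakshasa paper places its code, never has to touch the disk, so a clean sector 0 says nothing about the firmware.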



posted on Jul, 27 2012 @ 08:09 PM
OK, I've been researching this for the last hour as it's not anything I've ever really come across before.

Now I'm not 100% on this just yet, but from what I can tell so far the danger comes from not having a BIOS (in whatever flavor) with a pre-installed SLIC 2.1. If you do have a pre-installed SLIC 2.1 then the loader program just installs a certificate and serial; otherwise it creates a SLIC emulation, and this is where the trojan can hide out.

It also seems that people have been dissecting the 'official' Windows boot loaders and they are saying they are safe while some pirated ones are not.

There's a couple of us looking into this right now lol

edit on 27-7-2012 by PhoenixOD because: (no reason given)



posted on Jul, 27 2012 @ 08:14 PM
reply to post by yuppa



That's a good question.

Maybe that's just too invasive. If they are not already doing it then there has to be a reason why.



posted on Jul, 27 2012 @ 08:18 PM
reply to post by Maxmars



Dear X, MM, ATS Readers, Writers,

Like one of our posters stated, WHY in the world would one try to "invent" this type of "bug"?? Keeping the techy psychopaths busy, are we now??? lol

Well, IF and when Big Brother decides to kill the net, you can bet yer bippy it will be something along the lines of this hellish "invention"... LOVELY!!

Well, thanks for the info X, S&F for the heads-up alone.. sigh... I guess something like this was bound to show up as they keep getting more and more devious with these viruses and etc..

Pravdaseeker
edit on 27-7-2012 by pravdaseeker because: typos



posted on Jul, 27 2012 @ 08:20 PM
reply to post by fnpmitchreturns



He's better off doing a low-level format to wipe the boot sector on his hard drive.



posted on Jul, 27 2012 @ 08:21 PM
reply to post by Maxmars


Does this support or hurt Micro$'s insistence that the switch to Secure Boot with Win8 is more secure?
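On the Secure Boot question: UEFI Secure Boot authenticates the boot loaders and drivers the firmware hands off to, not the firmware image doing the checking, so it raises the bar for disk-resident loaders of the kind discussed above but does nothing against code already in flash, which is where the Rakshasa paper places its implant. The first thing to establish on a given machine is whether Secure Boot is actually enforcing. The following is an added example, not code from this thread or from any vendor tool: it decodes the `SecureBoot` and `SetupMode` EFI variables in the layout Linux's efivarfs exposes (four bytes of attributes followed by the variable data) and classifies the machine. The variable blobs are constructed here; `secure_boot_status` and `read_live_variables` are names chosen for the example.

```python
"""Decode UEFI Secure Boot state from efivarfs-style variable blobs (added example)."""
import os
import struct

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Constructed blobs in efivarfs layout: little-endian uint32 attributes, then the data.
# 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, the attributes these two variables carry.
ENFORCING = {"SecureBoot": b"\x06\x00\x00\x00\x01", "SetupMode": b"\x06\x00\x00\x00\x00"}
DISABLED = {"SecureBoot": b"\x06\x00\x00\x00\x00", "SetupMode": b"\x06\x00\x00\x00\x00"}
SETUP_MODE = {"SecureBoot": b"\x06\x00\x00\x00\x00", "SetupMode": b"\x06\x00\x00\x00\x01"}


def decode_efivar(blob):
    """Split an efivarfs blob into (attributes, data); data is what the firmware stores."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob needs a 4-byte attribute prefix")
    (attrs,) = struct.unpack_from("<I", blob)
    return attrs, blob[4:]


def secure_boot_status(variables):
    """Classify a machine from its SecureBoot/SetupMode variables (None = no UEFI variables)."""
    if variables is None:
        return "legacy-bios"
    secure_boot = decode_efivar(variables["SecureBoot"])[1]
    setup_mode = decode_efivar(variables["SetupMode"])[1]
    if setup_mode[:1] == b"\x01":
        return "setup-mode"      # no Platform Key enrolled: nothing is being verified
    return "enforcing" if secure_boot[:1] == b"\x01" else "disabled"


def read_live_variables():
    """Read both variables from efivarfs; None when the system did not boot via UEFI."""
    if not os.path.isdir(EFIVARS_DIR):
        return None
    out = {}
    for name in ("SecureBoot", "SetupMode"):
        path = os.path.join(EFIVARS_DIR, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
        if not os.path.exists(path):
            return None
        with open(path, "rb") as fh:
            out[name] = fh.read()
    return out


if __name__ == "__main__":
    print("this machine:", secure_boot_status(read_live_variables()))
    for label, blobs in (("enforcing", ENFORCING), ("disabled", DISABLED), ("setup", SETUP_MODE)):
        print(label, "->", secure_boot_status(blobs))
```

`mokutil --sb-state` on Linux and `Confirm-SecureBootUEFI` in PowerShell give the same answer in one line; the value of spelling it out is the third state: a board left in setup mode reports Secure Boot as off even when the option looks enabled in the setup menu, because no Platform Key was ever enrolled. Even "enforcing" only means the loader chain is checked against the firmware's signature database, and an implant that owns the firmware also owns that database.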




