
Malware protection 360


3 replies to this topic

#1 davidsec

davidsec

  • Members
  • 1 posts

Posted 07 November 2014 - 06:08 PM

I came across this malware today at work and I think what it does is create a Fiddler proxy to intercept the SSL certificates.

 

I noticed the work Citrix SSL certificate had DO_NOT_TRUST in the issuer field. On further investigation it looks like it was intercepting the SSL certificate and replacing it with a remote Fiddler proxy, essentially saving all the logins and passwords during SSL sessions. I gathered this from the status messages that were seen during the login process.


Edited by Chris Cosgrove, 07 November 2014 - 06:53 PM.
Moved to General Security



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,588 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 November 2014 - 09:46 PM

MalwareProtection360 Analysis = Potentially Unwanted Program (PUP)
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 BSI

BSI

  • Members
  • 7 posts

Posted 06 February 2015 - 12:04 PM

Well I was going to start a new topic but I see you have already started one on malware infections and Fiddler Web Debugging software. In the past month I have run across this on two computers I have worked on that were infected heavily with adware. Both times the adware was mainly affecting users when they were using the Google Chrome web browser. In one of those cases the malware had installed the dev version of the Chrome browser. The other thing I noticed was that in both cases adware tasks had been added to the systems, and in one case they had hidden the adware with the related database in a folder called Microsoft that looked legit but was in a location where there is not a Microsoft folder. The tasks and folder had to be removed manually because tools did not find them. To get started on the adware removal process I found it was best to remove the personal certificates that were usually related to adware sites and then remove the Fiddler root certificates. In neither of the cases was Fiddler installed where you could find it under Programs and Features or anywhere else. I had to go into the registry and remove the Fiddler Core key and subkey. Also, one of the systems was a Windows 7 system and the other was Windows 8.1.

 

Usually adware is not that hard to remove, but these two systems seem to show that that is changing. My reason for posting is: has anyone else run into this type of adware/malware setup, and do you have any further insight? I have searched the internet and not found a lot regarding this issue. I am interested in learning more about this method of adware.

 

Thanks,
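The first post (DO_NOT_TRUST in the issuer field of the Citrix login certificate) and the post above (Fiddler root and adware-related personal certificates, a FiddlerCore registry key with no visible Fiddler install, and scheduled tasks that removal tools missed) describe the same set of traces. The PowerShell triage script below is an added example written for this thread; it is not from any poster, from BleepingComputer, or from Fiddler's vendor. It assumes that the DO_NOT_TRUST string in a certificate's issuer or subject identifies a Fiddler-generated certificate, it searches the registry by key name because the thread does not give the key's exact path, and its scheduled-task check is a review heuristic (executables outside Program Files and Windows), not a verdict. The script name is made up. It only lists what it finds unless -Remove is passed, and even then it confirms each deletion.

```powershell
<#
  Find-FiddlerTraces.ps1 (hypothetical name; added example, not from the thread).
  Lists certificates, registry keys and scheduled tasks matching the traces described
  in this thread. Read-only unless -Remove is given. Run elevated to see the
  LocalMachine certificate store and HKLM.
#>
[CmdletBinding()]
param([switch]$Remove)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param($Kind, $Location, $Name, $Detail, $PSPath)
    $findings.Add([pscustomobject]@{
        Kind = $Kind; Location = $Location; Name = $Name; Detail = $Detail; PSPath = $PSPath
    })
}

# 1. Certificate stores: anything issued by, or named with, DO_NOT_TRUST.
#    Root/CA stores catch the injected root; My (personal) catches leaf certs it signed.
$stores = 'CurrentUser\Root', 'LocalMachine\Root', 'CurrentUser\CA',
          'LocalMachine\CA', 'CurrentUser\My', 'LocalMachine\My'
foreach ($store in $stores) {
    $path = "Cert:\$store"
    if (-not (Test-Path $path)) { continue }
    foreach ($cert in Get-ChildItem -Path $path) {
        if ($cert.Issuer -match 'DO_NOT_TRUST' -or $cert.Subject -match 'DO_NOT_TRUST') {
            Add-Finding 'Certificate' $path $cert.Subject `
                "Issuer=$($cert.Issuer); Thumbprint=$($cert.Thumbprint)" $cert.PSPath
        }
    }
}

# 2. Registry: keys whose name contains "Fiddler" under the common software hives.
#    Searched by name (assumption) because the thread does not give the exact path.
foreach ($hive in 'HKCU:\Software', 'HKLM:\Software') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match 'Fiddler' } |
        ForEach-Object {
            Add-Finding 'RegistryKey' $hive $_.Name `
                "$($_.SubKeyCount) subkeys, $($_.ValueCount) values" $_.PSPath
        }
}

# 3. Scheduled tasks whose executable is outside Program Files / Windows. Heuristic
#    review list only (never deleted here). Get-ScheduledTask needs Windows 8 or
#    Server 2012 and later; on Windows 7 use "schtasks /query /v /fo list" instead.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
            if ($exe -and $exe -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') {
                Add-Finding 'ScheduledTask' $task.TaskPath $task.TaskName `
                    "$exe $($action.Arguments)" $null
            }
        }
    }
}

$findings | Format-Table Kind, Location, Name, Detail -AutoSize -Wrap

if ($Remove) {
    foreach ($f in $findings) {
        # Tasks carry no PSPath and are left for manual review.
        if (-not $f.PSPath -or -not (Test-Path $f.PSPath)) { continue }
        if ($f.Kind -eq 'RegistryKey') {
            Remove-Item -Path $f.PSPath -Recurse -Force -Confirm
        } else {
            Remove-Item -Path $f.PSPath -Confirm
        }
    }
}
```

Run it once without -Remove from an elevated prompt (`.\Find-FiddlerTraces.ps1`), check that every certificate listed really carries the DO_NOT_TRUST marker and that the registry hits are the Fiddler keys and not an unrelated product, then run with `-Remove`. The scheduled-task list will include legitimate updaters that live under a user profile, so it is a starting point for the manual task review the post above describes, not something to delete wholesale.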



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,588 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 February 2015 - 12:14 PM


One characteristic of PUPs and other junkware is that they insert themselves (components) into various areas throughout a computer's operating system, including browsers, hidden folders and the Windows registry, making it more difficult to remove. As such, it is not uncommon for security scanners to detect numerous files, folders and registry settings after repeated scans are performed.



