Fallout 4 is quickly recorded using a holographic recording. What should you do if you are infected with a computer virus? Give holographic recordings to Sturges

After the quest I'll wake up passage Installation of a closed type Fallout 4. You'll get to the Institute first. If you are working for any faction, you will need to vacate their position. For the Minutemen and the Brotherhood, a virus began to appear at the terminal. For the Underground - send a message to Patriot.

Father

Having stopped in the middle, you will hear a voice that introduces itself as Father. He tells you to look around. Take the elevator. Having lost a little something similar, you will find a room with a boy named Sean. After marriage, we will understand that this is not your son, but a synth. The head of the institute will come here: the older Sean. The years have not been kind to him, as 60 years have passed since the moment of his abduction!

The decals are getting tighter, there is a bug in the quest Installation of a closed type - the conversation with the slammer does not start. Once you have resolved the problem, enter the tcl console command. So you can go through the glass wall, talk and leave. Make sure to pass through the crossing using the command itself.

Scientists

Sean encourages you to get to know and talk to members of the Institute:

  1. engineer Ellie Fillmore;
  2. head of biosciences Clayton Holdren;
  3. head of robot control Justin Ayo;
  4. Dr. Madison Lee.

We are modifying your Pip-Boy in such a way that you can now completely remove the deposit from the closed type of Fallout 4 and return here for additional quick relocation. A new marker will be available on the map.

Turn back to Old Man and talk again. He requests to apply to the Institute and give a quest Zatrimannya.

Completing quests for ministries ClaraOswald 6916
26 September 2016 19:39

Locations for tracking:

  • Institute

No one before you has ever figured out a way to penetrate the Institute, so every faction, including the Minutemen, cannot pass up the chance to learn about the greatest mystery of the Commonwealth. Tom Sturges, a Minutemen technician who helps you overcome the signal as part of the story quest “Molecular Rhubarb,” gives you a holo-recording of a virus that will scan the Institute’s network and extract information about it.

Insert a holographic recording containing a virus into the Institute terminal

Your task is to insert the holo-recording with the virus into any terminal of the Institute and start scanning the network. It is best to do this immediately upon arrival, while there is not a soul around you and you have a dedicated terminal with secure access. Don't forget to retrieve the holo-recording with the virus after scanning.

Give holographic recordings to Sturges

Now you need to hand over the holographic recording back to Sturges so that he can analyze the collected data. At some point you will have to go through the story quest “Closed Type Installation”, in which you will become familiar with the Institute, and only after that you will be able to move from the former Institute.

Information

Why can’t everyone sleep peacefully? Unfortunately, the post-apocalyptic wasteland has limited resources, and the survival instinct usually leads to mistrust. So, choose which faction you want to join and remember, you can later make a holo-recording of one faction or another faction if you want to change the background.

If your computer is infected with a virus (or you suspect it is), it is important to follow 4 rules:

First of all, there is no need to rush and make rash decisions. As the saying goes, “measure twice, cut once”: ill-considered actions can lead not only to the loss of some files that could have been recovered, but also to re-infection of the computer.

Nevertheless, one action must be performed immediately: turn off the computer so that the virus does not continue its work. All actions to identify the type of infection and to disinfect the computer should be performed only after restarting the computer from a write-protected diskette containing the operating system. In doing so, use only the executable files stored on write-protected “emergency” floppy disks. Failure to comply with this rule can lead to very serious consequences, because booting the OS or launching programs from an infected disk can activate the virus, and while the virus is running, cleaning the computer is pointless, since it will be accompanied by further infection of disks and programs.

If you do not have sufficient information and knowledge to clean your computer, ask more knowledgeable colleagues for help or contact specialists.

Prevention against virus infection

1). Copying information and sharing access:

It is a good idea to keep, and update as needed, archive and master copies of the program packages and data that you use. Before archiving data, you should thoroughly check whether it is infected with a virus. It is also worth copying the service information of your disk, such as the non-volatile memory of the computer, onto a floppy disk.

Copying and restoring such information can be done with the Rescue program of Norton Utilities.

2). Set write protection on the archive floppy disks. Do not use unlicensed or illegal copies of software from other computers. They may contain a virus.

3). All data that you receive must be checked for viruses, especially files “obtained” from the Internet.

4). Prepare a recovery package in advance on write-protected floppy disks.

5). During normal work not related to recovering the computer, disable booting from the floppy disk. This will prevent infection by a boot virus.

6). Use filter programs for early detection of viruses.

7). Periodically check the disk with programs such as AVP and Dr. Web to identify possible gaps in your defense.

8). Update the database of anti-virus programs (AVP costs 8-10 dollars).

And most importantly: do not allow dubious hackers to access the computer.

If a text message appears on your computer stating that the files are encrypted, do not rush to panic. What are the signs of file encryption? The original extension is changed to *.vault, *.xtbl, * [email protected] _XO101 etc. It is not possible to open the files: a key is required, which can be obtained by sending an email to the specified address.

Are your files encrypted?

The computer has picked up a virus that has blocked access to information. Antivirus programs often miss such viruses, because the program is based on a harmless, free encryption utility. Removing the virus itself is not very difficult, but serious problems may arise with decrypting the information.

Technical support at Kaspersky Lab, Dr.Web and other leading companies that develop anti-virus software, in response to users' requests to decrypt the data, reports that this cannot be done in a reasonable time. There are a number of programs that can pick up the code, but they only work with previously studied viruses. If you have encountered a new modification, then the chances of restoring your access to the information are extremely low.

How does an encryption virus get onto a computer?

In 90% of cases, users activate the virus on the computer themselves by opening unknown emails. A message with a provocative subject arrives by e-mail: “Daily order before the trial”, “Procurement for a loan”, “Information about the tax inspectorate” etc. Inside the fake email there is an attachment; after it is downloaded, the encryptor lands on the computer and begins to gradually block access to the files.

Encryption does not happen instantly, so users have time to remove the virus before all information is encrypted. You can remove the malicious script using the cleaning utilities Dr.Web CureIt, Kaspersky Internet Security and Malwarebytes Antimalware.

Methods for restoring files

If system protection was enabled on the computer, then after the encrypting virus there is a chance to return the files to normal by using shadow copies of the files. Encryptors always try to remove them, but they are not able to do so without administrator rights.

Restoring a previous version:

To keep previous versions, you need to turn on system protection.

Important: system protection must be turned on before the encryptor appears; after that it will no longer help.

  1. Open the properties of "Computer".
  2. From the menu, select “System protection”.
  3. Go to drive C and click “Adjust”.
  4. Select restoring settings and previous file versions. Apply your changes by pressing the “Ok” button.

If you took these steps before the virus that encrypts files appeared, then after cleaning your computer of the malicious code, you will have a good chance of restoring the information.

Using special utilities

Kaspersky Lab has prepared a number of utilities that help to open encrypted files after a virus has been removed. The first decryptor I tried and tested was Kaspersky RectorDecryptor.

  1. Download the program from the official Kaspersky Lab website.
  2. After launching the utility, click “Start verification”. Enter the path to any encrypted file.

If the malicious program has not changed the file extension, then to decrypt the files you need to collect them in a separate folder. As with the RectorDecryptor utility, download two more programs from the official Kaspersky website: XoristDecryptor and RakhniDecryptor.

The remaining utility from Kaspersky Lab is called Ransomware Decryptor. It helps to decrypt files after the CoinVault virus, which is not yet very widespread on the Runet, but may soon replace other Trojans.

As a rule, most pentests are carried out using a fairly simple scheme. First, with the help of social engineering, access to the target environment or to one of its parts is obtained, and then it is infected using technical means. Variations of the attack can differ, but a classic pentest is usually a fusion of a technical part and social engineering in different proportions. The drawback of a classic pentest is that you have to “probe” for that very employee and only then move on to the next stage. If it were possible to automate the process of searching for the weak link and further exploiting it, this could speed up the pentesting process and significantly increase the final chances of success.

WARNING!

All information is provided for informational purposes only. Neither the author nor the editors bear responsibility for any possible harm resulting from the materials of this article.

Based on the statistics provided by antivirus companies, about 30% of computer users do not use antiviruses, simply turn them off, or do not update the databases. Based on this, we can state that even the average company will have a group of people who are very careless about information security, and these people are, in turn, the weak link for carrying out an attack. In addition, any functioning system can be affected by a whole series of random factors that can also temporarily paralyze the security system:

  • the settings of the proxy server were lost, so the anti-virus database was not updated;
  • the antivirus license term has expired, and management has not yet taken care of renewing it;
  • a network failure made it impossible to print files remotely, so all the employees were forced to copy documents to a flash drive and print them in another department.

All you have to do is turn on your imagination, and you can add a dozen more scenarios. In summary, it can be stated that even the average organization has potentially unreliable employees, and sometimes situations arise that can disrupt normal work and paralyze the defense. Therefore, if you hit the right place at the right time, the attack will be successful.

In reality, the task comes down to the following: determine that one of the random events that leads to a decrease in security has occurred at the moment, then use this situation as camouflage and carry out the attack unnoticed.

In fact, the task comes down to finding the person who neglects security, and why not use flash drives for this?

Many virus writers have fallen in love with flash drives, because they make it easy and quick to infect computers, and even the simplest USB virus has a decent chance of success. The boom of autorun viruses that hit in 2008 has not lost its momentum five years later; moreover, USB viruses have become even more brazen and sometimes do not even hide their presence. At the same time, an infected flash drive is a universal indicator of its owner's literacy in elementary information security (IS). For example, if you take ten flash drives from different people, then, predictably, three or four of them will have viruses on their flash drives. If you take the flash drives from these people again in a week, then two or three will still have the virus. Based on this, you can state that the computers this flash drive is used with either lack even the simplest protection, or it is turned off for some reason or does not work at all. In this way, even if you spread the most ordinary virus, which is successfully detected by all antiviruses, only among this group of people, it will be able to infect a large number of computers before it is detected. And since these computers have no protection, it may remain operational on them for a long time.


Implementation

A special program that runs the following algorithm is installed on a computer to which flash drives are periodically connected. When a flash drive is connected, the program tries to determine whether it is infected. Since it is not possible to cover all the diversity of USB viruses, it is sensible to use a heuristic approach to identify infections based on the following criteria:

  • presence of the autorun.inf file;
  • RHS file attributes;
  • small size of a suspect file;
  • file system is not NTFS;
  • existence of the folder containing autorun.inf;
  • presence of shortcut files.

If the flash drive is infected, the program writes it to the database together with the serial number and the hash of the suspect file. If, after a few days, the flash drive is reconnected to this computer (which almost always happens) and the suspicious files are still on it, then it is infected with our “virus”; if the suspect file is no longer there, the program removes the serial number of the flash drive from the database. When a new computer is infected, the virus remembers the serial number of the parent flash drive and never infects or analyzes it, so as not to give itself away later if the owner of the flash drive “wises up.”

To retrieve the serial number, we will write a function based on the GetVolumeInformation API:

    // Returns the volume serial number of the drive as a hex string.
    String GetFlashSerial(AnsiString DriveLetter)
    {
        DWORD NotUsed;
        DWORD VolumeFlags;
        char VolumeInfo[MAX_PATH + 1];
        DWORD VolumeSerialNumber = 0;
        GetVolumeInformation(AnsiString(DriveLetter + ":\\").c_str(), VolumeInfo, sizeof(VolumeInfo), &VolumeSerialNumber, &NotUsed, &VolumeFlags, NULL, 0);
        String S;
        return S.sprintf("%X", VolumeSerialNumber);
    }

Please note that the GetFlashSerial function does not retrieve a static unique device identifier, but only the volume serial number. This number is set to a random value and, as a rule, changes every time the device is formatted. For our purposes the volume serial number of the flash drive is sufficient, since there is no need for a hard binding, and formatting implies the complete destruction of the information, in effect making the formatted flash drive equivalent to a new one.

Now let's move on to the implementation of the heuristics themselves.

    bool IsItABadFlash(AnsiString DriveLetter)
    {
        DWORD NotUsed;
        char drive_fat[MAX_PATH + 1] = "";
        DWORD VolumeFlags;
        char VolumeInfo[MAX_PATH + 1];
        DWORD VolumeSerialNumber;
        GetVolumeInformation(AnsiString(DriveLetter + ":\\").c_str(), VolumeInfo, sizeof(VolumeInfo), &VolumeSerialNumber, &NotUsed, &VolumeFlags, drive_fat, sizeof(drive_fat));
        bool badflash = false;
        // Skip NTFS volumes; flag an autorun.inf that is hidden and system.
        if (AnsiString(drive_fat) != "NTFS")
        {
            DWORD dwAttrs = GetFileAttributes(AnsiString(DriveLetter + ":\\autorun.inf").c_str());
            if (dwAttrs != INVALID_FILE_ATTRIBUTES && (dwAttrs & FILE_ATTRIBUTE_SYSTEM) && (dwAttrs & FILE_ATTRIBUTE_HIDDEN)) { badflash = true; }
        }
        if (!badflash)
        {
            // A shortcut plus a hidden system folder of the same name in the root.
            TSearchRec sr;
            if (FindFirst(DriveLetter + ":\\*.lnk", faAnyFile, sr) == 0)
            {
                int filep = sr.Name.LastDelimiter(".");
                AnsiString filebez = sr.Name.SubString(1, filep - 1);
                if (DirectoryExists(DriveLetter + ":\\" + filebez))
                {
                    DWORD dwAttrs = GetFileAttributes(AnsiString(DriveLetter + ":\\" + filebez).c_str());
                    if ((dwAttrs & FILE_ATTRIBUTE_SYSTEM) && (dwAttrs & FILE_ATTRIBUTE_HIDDEN)) { badflash = true; }
                }
                FindClose(sr);
            }
        }
        return badflash;
    }

The algorithm for the heuristic function is quite simple. First we filter out all devices with the NTFS file system and those that do not contain the autorun.inf file. As a rule, all flash drives come with the FAT32 file system by default (less often FAT and even less often exFAT), but some system administrators or other IT specialists format them with the NTFS system for their own needs. We don’t need such “smart people”, so we exclude them immediately. The next step is to check the autorun.inf file for the “hidden” and “system” attributes. The autorun.inf file may belong to a legitimate program, but if these attributes are present, it can be said with high probability that the flash drive is infected with a virus.

Nowadays, many virus writers use the autorun.inf file to infect machines less often. There are several reasons: first, almost all antiviruses and users disable the autorun option; second, there may be several viruses on the computer that use the same propagation method, and each of them rewrites the file in its own way. Therefore, the method of infection through the creation of shortcuts and the hiding of the original folders is becoming increasingly common. In order not to leave these flash drives without attention, we check for the presence of a shortcut file and of a folder with the same name in the root of the volume. If the folder also has the attributes “hidden” and “system”, then this flash drive is marked as infected.

Of course, heuristics have their own errors and nuances, so it makes sense to tune them carefully to a specific task, but in our case it is possible to confirm their correctness with 100% certainty.
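The two checks described above, restated as an added example that is not code from the original article: they are written as a pure function over a listing of the volume root, so the detection logic can be exercised without a Windows volume. The `Entry` and `Volume` types and the sample listings are constructed for illustration; unlike the function above, this version examines every shortcut rather than only the first and compares names case-insensitively.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Same numeric values as the Win32 FILE_ATTRIBUTE_* constants.
constexpr std::uint32_t ATTR_HIDDEN = 0x02, ATTR_SYSTEM = 0x04, ATTR_DIRECTORY = 0x10;
struct Entry  { std::string name; std::uint32_t attrs; };           // hypothetical: one root item
struct Volume { std::string filesystem; std::vector<Entry> root; }; // hypothetical: scanner input

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool hiddenAndSystem(std::uint32_t a) {
    return (a & ATTR_HIDDEN) != 0 && (a & ATTR_SYSTEM) != 0;
}

// Case-insensitive lookup in the root, restricted to files or to directories.
static const Entry* findEntry(const Volume& v, const std::string& name, bool wantDir) {
    for (const Entry& e : v.root)
        if (toLower(e.name) == toLower(name) && ((e.attrs & ATTR_DIRECTORY) != 0) == wantDir)
            return &e;
    return nullptr;
}

// Returns one reason per triggered heuristic; an empty result means no finding.
std::vector<std::string> suspicionReasons(const Volume& v) {
    std::vector<std::string> reasons;
    // Rule 1: non-NTFS volume whose autorun.inf file is both hidden and system.
    if (toLower(v.filesystem) != "ntfs") {
        const Entry* ar = findEntry(v, "autorun.inf", false);
        if (ar && hiddenAndSystem(ar->attrs)) reasons.push_back("autorun.inf is hidden+system");
    }
    // Rule 2: NAME.lnk beside a hidden+system folder NAME; all shortcuts are checked.
    for (const Entry& e : v.root) {
        const std::string n = toLower(e.name);
        if ((e.attrs & ATTR_DIRECTORY) != 0 || n.size() <= 4) continue;
        if (n.compare(n.size() - 4, 4, ".lnk") != 0) continue;
        const Entry* dir = findEntry(v, e.name.substr(0, e.name.size() - 4), true);
        if (dir && hiddenAndSystem(dir->attrs))
            reasons.push_back("shortcut replaces hidden folder: " + dir->name);
    }
    return reasons;
}

// Constructed sample listings (not taken from any real drive).
Volume sampleShortcutInfected() {
    return {"FAT32", {{"Readme.txt", 0}, {"Photos.lnk", 0},
                      {"Photos", ATTR_DIRECTORY | ATTR_HIDDEN | ATTR_SYSTEM},
                      {"Docs.LNK", 0}, {"docs", ATTR_DIRECTORY | ATTR_HIDDEN | ATTR_SYSTEM}}};
}
Volume sampleAutorunInfected() {
    return {"FAT32", {{"AUTORUN.INF", ATTR_HIDDEN | ATTR_SYSTEM}, {"setup.exe", 0}}};
}
Volume sampleLegitimate() {  // visible autorun.inf, shortcut to a visible folder
    return {"exFAT", {{"autorun.inf", 0}, {"Tools.lnk", 0}, {"Tools", ATTR_DIRECTORY}}};
}

int main() {
    for (const Volume& v : {sampleShortcutInfected(), sampleAutorunInfected(), sampleLegitimate()}) {
        std::cout << v.filesystem << ": " << suspicionReasons(v).size() << " finding(s)\n";
        for (const std::string& r : suspicionReasons(v)) std::cout << "  " << r << "\n";
    }
}
```

Returning the reasons instead of a single flag lets a monitoring deployment record why a drive was marked, which helps when tuning the heuristics against false positives.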

If everything is clear with the heuristic analysis of the flash drive, then with the “infection” there are possible nuances. For example, you can simply overwrite the old virus with ours without any amendments to the autorun.inf file, files, shortcuts, etc. Thus, our “virus” gains control on a new computer, but it is better to create an old copy of the virus and save it in the same catalogue, so that it will grow a little. If for any reason there is an antivirus on another computer, then it may detect the old virus and notify the user about the successful removal of the threat, thereby ensuring the user's peace of mind, while our virus remains unnoticed.

In addition, in the latest issue of “Hacker” we also wrote about the problems of DLL hijacking in various software and about its effective use. Since it is assumed that flash drives may hold programs such as password managers or portable versions of different software, it makes sense to use this and thereby expand the range of affected machines and the value of the extracted data for pentesting.

By the way, it does not always make sense to resort to infecting flash drives. For example, if the IS department is tasked with simply periodically monitoring the employees for the presence of “untrustworthy people,” then it makes more sense to install this program on a number of machines and simply write down the serial numbers of the flash drives and the creation time of the malicious file for collecting statistics. This way there is no need to literally search all the employees, the confidentiality of the data on the flash drives is preserved, and based on the collected data one can also judge the possible infection of users' home computers and the state of IS in general. Indeed, as we have already written before, any system is susceptible to random factors, and the risk of threats appearing cannot be excluded.


Testing

Having deployed the program on a network of fairly medium scale, over the years we obtained rather telling data. More than 20% of all connected flash drives were infected with some kind of virus or Trojan, and more than 15% became uninfected when reconnected after a couple of days. It should be noted that many computers had anti-virus protection that periodically did its job. However, the habitual indifference to the antivirus warning that pops up when a flash drive is connected, to which users have long been accustomed, did not let them suspect that they were dealing with an entirely different threat. A false sense of security allowed users to connect the flash drive to different computers without hesitation, and allowed our program to do its job successfully.


Briefly about the algorithm

  • We install our program on the company’s computers.
  • We scan the flash drives that are connected to look for signs of infection.
  • We “infect” the users' flash drives with our test “virus” and record their numbers for statistics.
  • We report to management, punish the careless users, hold them back, do not let them in and ban them.

Conclusion

To sum up, one can say that the main shortcoming of this method is its uncertainty. No one knows when that very “suitable” flash drive will be connected to the computer, since this depends heavily on the environment in which the program is running. However, this shortcoming does not diminish the main advantage of the method. You can remain unnoticed for a long time and, blending in among other threats, hit new machines again and again in fully automatic mode. It is easy to see that this technique has a distinct effect of scale. The more employees work in an organization and the more varied its internal communications, the greater the result. At the same time, this approach will work well in a structure of absolutely any scale, because its main objective is not mass damage to the system but a targeted blow to the weakest link: people.