  1. #1
    Just Joined!
    Join Date
    Oct 2013
    Posts
    0

    Linux Malware WARNING UBCD!!! Public Service Announcement


    UBCD Malware Partition Magic

    ultimatebootcd dot c0m/download.html


    the repository of the modules causing malware
    ####****s://partedmagic dot c0m/beefdrapes/modules/non-free/

    pccmoscleaner-2.0-i586-pm1.txz
    pcdiskeraser-5.0-i586-pm1.txz
    pcloginnow-2.0-i586-pm1.txz
    pcregedit-2.0-i586-pm1.txz

    I have been Rootkit'd

    OK, so I did an md5sum check on the final burned UBCD CD-ROM (ubcd.5.2.6.iso); it came out good. However, this rootkit hijacks your crypto keys.

    Attached is a screenshot of Parted Magic booting and loading the virulent modules...

    These modules will spread onto other rewritable discs.

    As the files are loading, it gives a yellow message for each one:

    WARNING: Package has not been created with 'makepkg'

    for each:
    clamav-definitions.txz
    fprot-6.2.3.txz
    fprot-definitions.txz
    pccmoscleaner-2.0.txz
    pcdiskeraser-5.0.txz
    pcregedit-2.0.txz
    xprot-2.4exp16.txz I may be missing one...

    Go into the directory /var/log/packages.

    There is a listing of all packages.
    All of the "free" packages end with _pmagic.

    The non-free packages (not ending in _pmagic):
    clamav-definitions
    fprot-6.2.3
    fprot-definitions
    pccmoscleaner-2.0
    pcdiskeraser-5.0
    pcregedit-2.0
    qt4
    xfprot-2.4expl6



    This leads to a BIOS/firmware rootkit that infects all media and firmware (CD-ROM drives and graphics cards), hijacks your networks and Bluetooth, and hackers add additional packages/spyware. It affects both Windows and Linux and subverts anti-virus programs.

  2. #2
    Linux User Steven_G's Avatar
    Join Date
    Jun 2012
    Location
    Western US
    Posts
    324


    OK, and I thought my tinfoil hat got a little tight at times! Dude, you do realize that UBCD is one of the most respected names there is, with tons of cred and more skin in the game than you or I will ever have?

    All those little messages you're reading on your screen are not signs of cooties.

    BTW, yes, BIOS can be infected. But it ain't easy. You have to flash the EPROM. Could it be done? Sure. But I very, very seriously doubt that *IF* you have those kinds of cooties that you picked them up from UBCD; much more likely you had them and didn't notice until after you tried to fix it.

    Much more likely scenario is that you need to take a deep breath.

    Tell ya what, if you're all that slick, how's about you post the infected code here with the cooties highlighted?
    nihili likes this.

  3. #3
    Administrator MikeTbob's Avatar
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,864
    Thread moved here.
    I do not respond to private messages asking for Linux help, Please keep it on the forums only.
    All new users please read this.** Forum FAQS. ** Adopt an unanswered post.

    I'd rather be lost at the lake than found at home.

  4. #4
    Just Joined!
    Join Date
    Oct 2013
    Posts
    0

    Parted_Magic UBCD Malware Rootkit

    Quote Originally Posted by Steven_G View Post


    OK, and I thought my tinfoil hat got a little tight at times! Dude, you do realize that UBCD is one of the most respected names there is, with tons of cred and more skin in the game than you or I will ever have?

    All those little messages you're reading on your screen are not signs of cooties.

    BTW, yes, BIOS can be infected. But it ain't easy. You have to flash the EPROM. Could it be done? Sure. But I very, very seriously doubt that *IF* you have those kinds of cooties that you picked them up from UBCD; much more likely you had them and didn't notice until after you tried to fix it.

    Much more likely scenario is that you need to take a deep breath.

    Tell ya what, if you're all that slick, how's about you post the infected code here with the cooties highlighted?

    OK, so I know I have had a residual infection for a year.

    I have been looking into how this works.

    The attached images are of a live CD boot into Parted Magic... after device mapper it starts to load the malware packages, with warnings in yellow.

    The second image is of the openSUSE firmware test.

    This could be a variant of the Rakshasa or SucKIT rootkit.

    I have log files of it running live, and I also have some from a hard drive install.

    Symptoms:

    Bad CMOS checksum; the virus resets the time every day.

    openSUSE firmware test returns (FAIL MTRR validation).

    OS/2 memory test comes up as "the memory map has a hole at 15-16 MB".

    Network services load, then unload, then reload at KDE startup. I believe the same in GNOME as well.

    No /sbin in $PATH on hard drive installs.

    Almost all log files missing.

    The packages listed in yellow will be added to other live DVDs automatically (virulently).

    The hackers turned my monitor to 93 kHz (out of frequency range) during startup in Ubuntu so I couldn't see what was loading.

    Hijacked SSH and crypto keys: you can search up the packages and fake Google results come up with no actual keywords in the article or forum.
    Hidden partitions ~1 GB.

    Bluetooth firmware updates automatically without user permission.

    CD-ROM drive errors when using unwritable optical media (multisession allows the virus to write even on DVD-R); it adds itself to other live distros.

    After a test install of Windows XP, the first thing I download/install is AVG antivirus. The antivirus identifies the downloaded file from AVG as infected.


    -So this thing loads fake web pages too...

    For example, one of the events in my X.org log was:

    evdev: Dell Dell USB Keyboard: Device: "/dev/input/event4"

    When I googled it, it does produce some results, but no real information.
    When search hits are opened, click the page and use "Edit-Find" to search the page for your term "/dev/input/event4". Nothing comes up... "phrase not found".

    I did have a positive with the SucKIT rootkit with one of the scanners (from a different hardware setup time).
    Last edited by bartsimpson; 10-19-2013 at 06:53 AM. Reason: only 5 attachments? my messages log is 200k

  5. #5
    Just Joined!
    Join Date
    Oct 2013
    Posts
    0

    Log Files on Google Drive -Link-

    I have a google drive I am setting up with some logfiles.

    drive.google.com/folderview?id=0B7Mx1oILAt8WRnpqa1l1bU1tMWc&usp=sharing

  6. #6
    Just Joined!
    Join Date
    Oct 2013
    Posts
    0
    The Windows password cracker is known to come up as a virus. In my readings, most forum respondents dismiss it because it is a password cracker. It drops a payload, sets up SSH, and changes virus definitions in both Windows and Linux anti-virus programs.

  7. #7
    Linux Enthusiast TNFrank's Avatar
    Join Date
    Jul 2013
    Location
    Crossville, TN. USA
    Posts
    705
    OK, so can someone explain in plain English what's going on here? What do I need to look for, since I had a download of the UBCD and made a Live USB of it to check out? So if it's corrupt then I might be infected as well, or not, depending on what we're talking about. Thanks.

  8. #8
    Linux User Steven_G's Avatar
    Join Date
    Jun 2012
    Location
    Western US
    Posts
    324
    Frank, don't sweat it.

    Bart, you still haven't shown me anything that leads me to believe that you don't know what you're talking about.

    You're talking about unencrypted open source code here. I want screenshots of the actual infected code with inappropriate / malicious system calls or calls to some butthead's server in eeka-booka-zhika-staan.

    If you really think you've picked up an infection of the type you describe, then this is the short version of what you need to do to fix it:

    1) Get on a clean system and build a doze PXE disk.
    2) Slap that puppy into the infected machine and re-flash the EPROM with the latest BIOS version from the manufacturer.
    3) Use the *clean machine* to DL and burn a new copy of UBCD.
    4) Nuke the drive (DBAN). But you don't really need to waste many hours nuking the whole drive. You can let DBAN run for ~3 minutes and be done; just long enough so it will zero the MBR.
    5) After you nuke the drive (and the MBR is empty), do a hard off / pull the power cord / pull the CMOS battery / and/or pull the system battery (if this is a laptop), then go get a cup of coffee (like you need more caffeine) or smoke some of that good stuff and give the system ~15 minutes to blow the static off of the RAM. Hell, if you wanna get *really* paranoid then just pull the damn RAM!
    6) Put it all back together.
    7) Install *nix, tighten it up and take a breath, dude!

    If what you're seeing is not paranoid delusions, then there are several possible explanations, in descending order of probability:

    1) You don't know what you're looking at.
    2) You have an MBR infection.
    3) You have a memory-resident infection.
    4) You have multiple infected machines and one or more of them is writing crap into UBCD files when you burn it.
    (Either 3 or 4 would allow crap to be written to disks as you burn them.)

    5) You have an as yet undetected (zero-day) cross-platform infection.
    6) Somebody hacked the UBCD DL and you're the first one to catch it.

    In case of either 5 or 6, please let me be the first to congratulate you, and let me get your e-mail addy so I can start paying you for tutoring services.
    rokytnji likes this.

  9. #9
    Linux Guru Jonathan183's Avatar
    Join Date
    Oct 2007
    Posts
    3,042
    The last copy of UBCD I downloaded was 4.11 but I thought I'd take a quick look anyway ...

    Quote Originally Posted by bartsimpson View Post
    UBCD Malware Partition Magic
    the repository of the modules causing malware
    ####****s://partedmagic dot c0m/beefdrapes/modules/non-free/
    pccmoscleaner-2.0-i586-pm1.txz
    pcdiskeraser-5.0-i586-pm1.txz
    pcloginnow-2.0-i586-pm1.txz
    pcregedit-2.0-i586-pm1.txz
    I have tried downloading these, clamscan reports no issues. Can you advise how you know this repository is actually causing this issue?
    Have you reported this issue through ubcd forums etc for investigation?

    Quote Originally Posted by Steven_G View Post
    You're talking about unencryted open source code here. I want screen shots of the actual infected code with inappropriate / malicious system calls
    If it's a non-free repository doesn't that mean we don't have all the source code?
    rokytnji likes this.

  10. #10
    Linux User Steven_G's Avatar
    Join Date
    Jun 2012
    Location
    Western US
    Posts
    324
    For giggles I went and DLed the latest UBCD iso from three different locations and ran all three copies against a dozen online and offline AV scanners. Every scan came back clean on every copy. You're either getting it from a non-reputable source that has tampered with it, or the infection is on your machine and is being written into the disks by your infected machine when you burn them.
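    The check that runs through this thread (post #1's md5sum of the burned disc, step 3 of post #8, and post #10's comparison of copies from three download locations) is an integrity check of an ISO against a published checksum plus a cross-check that independently obtained copies agree. The script below is an added example, not UBCD, Parted Magic or forum code: it streams a file through hashlib, parses a coreutils-style checksum list (`md5sum`/`sha256sum` output), compares in constant time, and reports whether several "mirror" copies are identical. The sample "ISO" bytes, the mirror directories and the checksum list are constructed in-script so it runs offline; the filename `ubcd.iso` is a placeholder.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream a (possibly multi-GB) image through hashlib; returns lowercase hex."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_list(text: str) -> Dict[str, str]:
    """Parse coreutils-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '  ' marks text mode, ' *' binary mode in coreutils
        if digest and name:
            entries[name] = digest.lower()
    return entries


def verify(path: str, expected_hex: str, algo: str = "sha256") -> bool:
    """Compare the file's digest against the published one (constant-time compare)."""
    return hmac.compare_digest(hash_file(path, algo), expected_hex.strip().lower())


def cross_check(paths: List[str], algo: str = "sha256") -> Tuple[bool, Dict[str, str]]:
    """Hash the same image obtained from several sources; True only if all agree."""
    digests = {p: hash_file(p, algo) for p in paths}
    return len(set(digests.values())) == 1, digests


def demo() -> Dict[str, object]:
    """Constructed scenario: three 'mirror' copies of a fake ISO, plus one tampered copy."""
    iso_bytes = b"UBCD-FAKE-ISO-CONTENT\x00" * 4096  # constructed placeholder, not a real image
    with tempfile.TemporaryDirectory() as d:
        mirrors = []
        for i in range(3):
            p = os.path.join(d, f"mirror{i}", "ubcd.iso")
            os.makedirs(os.path.dirname(p))
            with open(p, "wb") as f:
                f.write(iso_bytes)
            mirrors.append(p)
        tampered = os.path.join(d, "tampered.iso")
        with open(tampered, "wb") as f:
            f.write(iso_bytes[:-1] + b"\x01")  # a single changed byte is enough to detect
        empty = os.path.join(d, "empty.bin")
        open(empty, "wb").close()

        # A checksum list as a project would publish it (constructed here from mirror0).
        published = f"{hash_file(mirrors[0])}  ubcd.iso\n# comment line\n"
        expected = parse_checksum_list(published)["ubcd.iso"]
        agree, _ = cross_check(mirrors)
        agree_with_tampered, _ = cross_check(mirrors + [tampered])
        return {
            "checksum_ok": verify(mirrors[0], expected),
            "mirrors_agree": agree,
            "tampered_detected": not agree_with_tampered,
            "tampered_fails_verify": not verify(tampered, expected),
            "empty_md5": hash_file(empty, "md5"),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    Two caveats the thread itself raises: a checksum only proves the download matches what the publisher posted, so the checksum list has to come from the project over a trusted channel (ideally with a detached signature) rather than from the same mirror; and, as posts #8 and #10 point out, hashing on a machine you already believe is compromised proves little, since the tool doing the hashing is part of what is in question. Burn and verify from a known-clean machine, then compare the burned disc's image against the same digest.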
