- 10-19-2013 #1
Linux Malware WARNING UBCD!!! Public Service Announcement
ultimatebootcd dot c0m/download.html
the repository of the modules causing malware
####****s://partedmagic dot c0m/beefdrapes/modules/non-free/
I have been Rootkit'd
OK, so I did an md5sum check on the final burned UBCD CD-ROM (ubcd.5.2.6.iso); it came out good. However, this rootkit hijacks your crypto keys.
Attached is a screenshot of Parted Magic booting and loading the virulent modules...
These modules will spread onto other
As the files are loading, it gives a yellow message for each one.
WARNING: Package has not been created with 'makepkg'
xprot-2.4exp16.txz I may be missing one...
Go into the directory /var/log/packages;
there is a listing of all packages.
All of the "free" packages end with _pmagic.
The non-free packages (not ending in _pmagic)
This leads to a BIOS/firmware rootkit: it infects all media and firmware (CD-ROM drives and graphics cards) and hijacks your networks and Bluetooth, and hackers add additional packages/spyware. It affects both Windows and Linux and subverts anti-virus programs.
- 10-19-2013 #2
OK, and I thought my tinfoil hat got a little tight at times! Dude, you do realize that UBCD is one of the most respected names there is, with tons of cred and more skin in the game than you or I will ever have?
All those little messages you're reading on your screen are not signs of cooties.
BTW, yes, BIOS can be infected. But it ain't easy. You have to flash the EPROM. Could it be done? Sure. But I very, very seriously doubt that *IF* you have those kinds of cooties you picked them up from UBCD; much more likely you had them and didn't notice until after you tried to fix it.
Much more likely scenario is that you need to take a deep breath.
Tell ya what, if you're all that slick, how's about you post the infected code here with the cooties highlighted?
- 10-19-2013 #3
- 10-19-2013 #4
Parted_Magic UBCD Malware Rootkit
OK, so I know I have had a residual infection for a year.
I have been looking into how this works.
The attached images are of a live CD boot into Parted Magic... after device mapper it starts to load the malware packages, with warnings in yellow.
The second image is of the openSUSE firmware test.
This could be a variant of the Rakshasa or SucKIT rootkit.
I have log files of it running live, and I also have some from a hard drive install.
Bad CMOS checksum; the virus resets the time every day.
openSUSE firmware test returns (FAIL MTRR validation).
OS/2 memory test comes up as "the memory map has a hole at 15-16 MB".
Network services load, then unload, then reload at KDE startup. I believe the same happens in GNOME as well.
No /sbin in $PATH on hard drive installs.
Almost all log files missing.
The packages listed in yellow will be added to other live DVDs automatically (virulently).
The hackers turned my monitor to 93 kHz (out of frequency range) during startup in Ubuntu so I couldn't see what was loading.
Hijacked SSH and crypto keys: you can search up the packages and fake Google results come up with no actual keywords in the article or forum.
Hidden partitions ~1 GB.
Bluetooth firmware updates automatically without user permission.
CD-ROM drive errors when using unwritable optical media (multisession allows the virus to write even on DVD-R). It adds itself to other live distros.
After a test install of Windows XP, the first thing I download/install is AVG antivirus. The antivirus identifies the downloaded file from AVG as infected.
- So this thing loads fake web pages too...
For example, one of the events in my X.org log was:
evdev: Dell Dell USB Keyboard: Device: "/dev/input/event4"
When I googled it, it does produce some results, but no real information.
When search hits are opened, click the page and use Edit > Find to search the page for your term "/dev/input/event4". Nothing comes up... "phrase not found".
I did have a positive for the SucKIT rootkit with one of the scanners (from a different hardware setup time).
Last edited by bartsimpson; 10-19-2013 at 06:53 AM. Reason: only 5 attachments? My messages log is 200k
- 10-19-2013 #5
Log Files on Google Drive -Link-
I have a Google Drive I am setting up with some log files.
- 10-19-2013 #6
The Windows password cracker is known to come up as a virus. In my readings, most forum respondents dismiss it because it is a password cracker. It drops a payload, sets up SSH, and changes virus definitions in both Windows and Linux anti-virus programs.
- 10-20-2013 #7
OK, so can someone explain in plain English what's going on here? What do I need to look for, since I had a download of the UBCD and made a live USB of it to check out, so if it's corrupt then I might be infected as well, or not, depending on what we're talking about. Thanks.
- 10-20-2013 #8
Frank, don't sweat it.
Bart, you still haven't shown me anything that leads me to believe that you don't know what you're talking about.
You're talking about unencrypted open source code here. I want screenshots of the actual infected code with inappropriate / malicious system calls or calls to some butthead's server in eeka-booka-zhika-staan.
If you really think you've picked up an infection of the type you describe then this is the short version of what you need to do to fix it:
1) Get on a clean system and build a Doze PXE disk
2) Slap that puppy in to the infected machine and re-flash the EPROM with the latest BIOS version from the manufacturer.
3) Use the *clean machine* to DL and burn a new copy of UBCD.
4) Nuke the drive (DBAN). But, you don't really need to waste many hours nuking the whole drive. You can let DBAN run for ~3 minutes and be done; just long enough so it will zero the MBR.
5) After you nuke the drive (and the MBR is empty) do a hard off / pull the power cord / pull the CMOS battery / and + or pull the system battery (if this is a laptop), then go get a cup of coffee (like you need more caffeine) or smoke some of that good stuff and give the system ~15 minutes to blow the static off of the RAM. Hell, if you wanna get *really* paranoid then just pull the damn RAM!
6) Put it all back together
7) Install *nix, tighten it up and take a breath dude!
If what you're seeing is not paranoid delusions then there are several possible explanations, in descending order of probability:
1) You don't know what you're looking at.
2) You have a MBR infection.
3) You have a memory resident infection.
4) You have multiple infected machines and one or more of them is writing crap into UBCD files when you burn it.
(Either 3 or 4 would allow crap to be written to disks as you burn them.)
5) You have an as yet undetected (zero-day) cross-platform infection.
6) Somebody hacked the UBCD DL and you're the first one to catch it.
In case of either 5 or 6, please let me be the first to congratulate you, and let me get your e-mail addy so I can start paying you for tutoring services.
- 10-20-2013 #9
The last copy of UBCD I downloaded was 4.11 but I thought I'd take a quick look anyway ...
Have you reported this issue through ubcd forums etc for investigation?
- 10-21-2013 #10
For giggles I went and DLed the latest UBCD ISO from three different locations and ran all three copies against a dozen online and offline AV scanners. Every scan came back clean on every copy. You're either getting it from a non-reputable source that has tampered with it, or the infection is on your machine and is being written into the disks by your infected machine when you burn them.
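The check the previous post did by hand (several copies of the ISO from different mirrors, all compared against one published hash) can be scripted. The script below is an added example for this thread, not code from UBCD, Parted Magic or any poster; the file names and the "published" hash are assumptions. It uses SHA-256 rather than the md5sum the first post used, since MD5 is no longer fit for tamper detection. One caveat a practitioner should keep in mind: a matching hash only proves the download is byte-identical to the file the publisher hashed. If the hash was fetched from the same (possibly compromised) web server as the ISO, it says nothing about whether that server was tampered with; fetch the hash, or better a detached GPG signature where the project publishes one, over a separate channel and from a clean machine.

```shell
#!/bin/sh
# Added example: verify several downloaded copies of an ISO against one
# published SHA-256. File names and the reference hash are assumptions.

# sha256_of FILE -> prints the lowercase hex digest only.
# Falls back to shasum where GNU coreutils' sha256sum is absent (e.g. macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_copies REFERENCE_HASH FILE...
# Prints OK / MISMATCH / MISSING per file; returns 0 only if every file
# exists and hashes to REFERENCE_HASH (case of the hex digits is ignored,
# since published hashes are often upper-case).
verify_copies() {
    ref=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    shift
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            printf 'MISSING   %s\n' "$f"
            rc=1
            continue
        fi
        got=$(sha256_of "$f")
        if [ "$got" = "$ref" ]; then
            printf 'OK        %s\n' "$f"
        else
            printf 'MISMATCH  %s (got %s)\n' "$f" "$got"
            rc=1
        fi
    done
    return $rc
}

# demo: constructed stand-ins for three downloads of the same ISO, one of
# them tampered with. The "published" hash is assumed to be that of a good
# copy. Returns non-zero because the third copy does not match.
demo() {
    d=$(mktemp -d)
    printf 'pretend ISO contents\n' > "$d/mirror1.iso"
    printf 'pretend ISO contents\n' > "$d/mirror2.iso"
    printf 'pretend ISO contents, one line altered\n' > "$d/mirror3.iso"
    published=$(sha256_of "$d/mirror1.iso")   # assumption: the vendor's hash
    verify_copies "$published" "$d/mirror1.iso" "$d/mirror2.iso" "$d/mirror3.iso" \
        && status=0 || status=$?
    rm -rf "$d"
    return $status
}
```

For a real download, paste the vendor's hash as the first argument and the downloaded copies after it, e.g. `verify_copies <published-sha256> ubcd-a.iso ubcd-b.iso`; a non-zero exit means at least one copy is not the file the vendor hashed, which is exactly the "tampered at the source or tampered on your machine" distinction the post draws.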