 siljalineI'm lovin' that double widePremium join:2002-10-12 Montreal, QC kudos:17 | reply to Smokey Bear
Re: Beware of Combofix - contains infected file That would be a fair assumption that other A/V vendors do. Since I lend a hand with ESET support, the link I provided was an example. Additionally, some here run ESET A/V. |
|
siljalineI'm lovin' that double widePremium join:2002-10-12 Montreal, QC kudos:17 | reply to Smokey Bear
Noted: A query of MS MMPC yields: »www.microsoft.com/security/porta···y=Sality |
|
 therube join:2004-11-11 Randallstown, MD | reply to therube
quote: SHA256 Hashes of known affected versions are:
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333 e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333 e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8
quote: Added hashes of the known affected version to first post. Hashes can be found below as well:
SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333 MD5: c71b0515ef1200755ae61a5c4c9e8a86
» www.bleepingcomputer.com/forums/···431.html (Now we need a SHA256 to MD5 converter.) So presumably what I had gotten earlier, 1 day prior, is OK. (It came from Softpedia, though I notified them of this issue so I don't know if they're still hosting it or not?) |
|
Jrb2Premium join:2001-08-31 kudos:3 |
The file, which I scanned earlier at VT, was the one with checksums: SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333 MD5: c71b0515ef1200755ae61a5c4c9e8a86
I did post those checksums in my previous post in this thread, along with the results at VT at that moment, and with the alert by NOD32. I wasn't at that moment the first one who had scanned it there. |
|
Jrb2Premium join:2001-08-31 kudos:3 | reply to Jrb2
Postings by Grinler at BleepingComputer: »www.bleepingcomputer.com/forums/···431.html
quote: ComboFix is now live, clean, and available to download from its normal links.
On a question whether Combofix would deal with the Sality infection:
quote: I would avoid ComboFix until you have confirmed your computer is not infected with Sality. Ironically, CF will quarantine Sality infected files, other than OS files, if they are found.
About the version I downloaded from BleepingComputer about a half hour ago:
ComboFix.exe
Version 13.1.30.4
SHA256: a1ed6bc74db51c219c08d6126d7de5c60570b2f76c60ce602bf602096d2f85a1 MD5: 4f973e9d3fdaeb5347243e8e169714e7
VT: 2/45
AntiVir TR/Crypt.XPACK.Gen Jiangmin Trojan/JmGenGeneric.boe |
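The thread compares downloaded copies of ComboFix against published SHA256/MD5 values. The following is an added example (not code from the thread or from any of the posters) that hashes a local file and classifies it against the digests quoted above: the known-affected hashes from the first quote and the clean 13.1.30.4 build posted by Jrb2. The verdict labels and the "mismatch" case (only one of the two digests agrees) are this example's own convention.

```python
import hashlib
import sys

# Digests quoted in this thread, lower-case hex.
# Known-affected (Sality-infected) ComboFix builds:
INFECTED_SHA256 = {
    "4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333",
    "e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d",
    "e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8",
}
INFECTED_MD5 = {"c71b0515ef1200755ae61a5c4c9e8a86"}
# Clean re-released build 13.1.30.4, as posted by Jrb2:
CLEAN_SHA256 = {"a1ed6bc74db51c219c08d6126d7de5c60570b2f76c60ce602bf602096d2f85a1"}
CLEAN_MD5 = {"4f973e9d3fdaeb5347243e8e169714e7"}


def hash_file(path):
    """Return (sha256, md5) hex digests of a file, read in 1 MiB chunks."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def classify(sha256, md5):
    """Map a (sha256, md5) pair to a verdict; labels are this example's own."""
    sha256, md5 = sha256.lower(), md5.lower()
    if sha256 in INFECTED_SHA256 or md5 in INFECTED_MD5:
        return "known-infected"
    if sha256 in CLEAN_SHA256 and md5 in CLEAN_MD5:
        return "known-clean"
    if sha256 in CLEAN_SHA256 or md5 in CLEAN_MD5:
        return "mismatch"  # only one digest agrees: treat as suspicious
    return "unknown"


def check_download(path):
    """Hash a downloaded file and return its verdict."""
    return classify(*hash_file(path))


if __name__ == "__main__":
    for p in sys.argv[1:]:
        s, m = hash_file(p)
        print(f"{p}\n  SHA256: {s}\n  MD5:    {m}\n  verdict: {classify(s, m)}")
```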
|
 trparkyApple... YUMPremium,MVM join:2000-05-24 Cleveland, OH kudos:2 Reviews:
·Time Warner Cable
| I downloaded the same file you did, the signatures (MD5 and SHA256) match. I scanned the file with both Webroot and MalwareBytes AntiMalware using the latest definitions, no infection found.
»www.virustotal.com/file/a1ed6bc7···9592743/ -- Tom Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project) |
|
 TheJokerPremium,VIP,MVM join:2001-04-26 Charlottesville, VA kudos:5 | From Grinler:
quote: ComboFix is now live, clean, and available to download from its normal links.
»www.bleepingcomputer.com/forums/···_2962394 -- Proud ASAP member since 2005 Microsoft MVP/Consumer Security 2009-2010 |
|
siljalineI'm lovin' that double widePremium join:2002-10-12 Montreal, QC kudos:17 | reply to Jrb2
Combofix: a cocktail of infective factors • »blog.eset.com/2013/02/01/combofi···-factors |
|
 Mele20Premium join:2001-06-05 Hilo, HI kudos:4 | That was a good blog. It can never be said enough that users should NOT use sites like download.com to get applications but should always go to the vendor's site as that is where it is least likely one will get infected from a tainted download. Plus, as the blog points out, the official host site/vendor's site will react very rapidly if made aware of a problem, whereas, mirror sites may not...especially those that mirror without permission. If users would stop using sites like download.com maybe sites like it would disappear which would be good. -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
 siljalineI'm lovin' that double widePremium join:2002-10-12 Montreal, QC kudos:17 Reviews:
·Bell Sympatico
| You're welcome for the ESET Blog entry; it was well thought-out and well penned. Also see from Bill P of Win Patrol: »billpstudios.blogspot.ca/2012/10···are.html |
|
siljalineI'm lovin' that double widePremium join:2002-10-12 Montreal, QC kudos:17 | reply to Jrb2
A new ESET Blog entry on Combofix. »blog.eset.com/2013/02/05/combofi···e-to-use |
|
 therube join:2004-11-11 Randallstown, MD 1 edit | Very well written & said. Here, here, Goretsky! |
|
 Mele20Premium join:2001-06-05 Hilo, HI kudos:4 | I think you mean "hear, hear".  |
|
EGeezerGo CatsPremium join:2002-08-04 Midwest kudos:8 | said by Mele20: I think you mean "hear, hear". Unless he's inviting Goretsky over for a congratulatory beer -- Buckle Up. It makes it harder for the aliens to suck you out of your car.
|
 | reply to Jrb2 ESET's blog said:
BleepingComputers, upon notification, immediately pulled the infected executables and shortly after that, sUBs issued an apology and an explanation. In short, the combination of being overly busy working for a good cause and a faulty mouse issuing a double-click rather than a single click while looking at malware in an infected archive triggered the infection of his system. It is true but unhelpful to state that malware should never be looked at and handled on a production system as it only takes a minor mistake as this one to cause an infection on production software. Production systems are indeed not the best place to mess around with malware samples. -- Limited User Accounts. Software Restriction Policies. |
|