Topic 'Beware of Combofix - contains infected file' in forum 'Security' - dslreports.com

Re: Beware of Combofix - contains infected file

Thu, 07 Feb 2013 15:01:38 EDT

Tuulilapsi posted : ESET's blog said:

BleepingComputers, upon notification, immediately pulled the infected executables and shortly after that, “sUBs” issued an apology and an explanation. In short, the combination of being overly busy working for a good cause and a faulty mouse issuing a double-click rather than a single click while looking at malware in an infected archive triggered the infection of his system. It is true but unhelpful to state that malware should never be looked at and handled on a production system as it only takes a minor mistake as this one to cause an infection on production software..

Production systems are indeed not the best place to mess around with malware samples.
--
Limited User Accounts.
Software Restriction Policies.

Re: Beware of Combofix - contains infected file

Tue, 05 Feb 2013 21:39:29 EDT

EGeezer posted :

said by Mele20:

I think you mean "hear, hear". :D

Unless he's inviting Goretsky over for a congratulatory beer :D
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.

Re: Beware of Combofix - contains infected file

Tue, 05 Feb 2013 20:16:34 EDT

Mele20 posted : I think you mean "hear, hear". :D

Re: Beware of Combofix - contains infected file

Tue, 05 Feb 2013 19:00:21 EDT

therube posted : Very well written & said.
Here, here, Goretsky!

Re: Beware of Combofix - contains infected file

Tue, 05 Feb 2013 17:31:42 EDT

siljaline posted : A new ESET Blog blog entry on combofix.
»blog.eset.com/2013/02/05/combofi···e-to-use

Re: Beware of Combofix - contains infected file

Fri, 01 Feb 2013 21:10:42 EDT

siljaline posted : Your welcome for the ESET Blog entry, it was well thought-out and well penned.
Also see from Bill P of Win Patrol:
»billpstudios.blogspot.ca/2012/10···are.html

Re: Beware of Combofix - contains infected file

Fri, 01 Feb 2013 21:00:01 EDT

Mele20 posted : That was a good blog. It can never be said enough that users should NOT use sites like download.com to get applications but should always go to the vendor's site as that is where it is least likely one will get infected from a tainted download. Plus, as the blog points out, the official host site/vendor's site will react very rapidly if made aware of a problem, whereas, mirror sites may not...especially those that mirror without permission. If users would stop using sites like download.com maybe sites like it would disappear which would be good.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Re: Beware of Combofix - contains infected file

Fri, 01 Feb 2013 20:43:00 EDT

siljaline posted : Combofix: a cocktail of infective factors
• »blog.eset.com/2013/02/01/combofi···-factors

Re: Beware of Combofix - contains infected file

Wed, 30 Jan 2013 21:50:16 EDT

TheJoker posted : From Grinler:

quote:
ComboFix is now live, clean, and available to download from its normal links.

»www.bleepingcomputer.com/forums/···_2962394
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010

Re: Beware of Combofix - contains infected file

Wed, 30 Jan 2013 19:43:28 EDT

trparky posted : I downloaded the same file you did, the signatures (MD5 and SHA256) match. I scanned the file with both Webroot and MalwareBytes AntiMalware using the latest definitions, no infection found.

»www.virustotal.com/file/a1ed6bc7···9592743/
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)

Re: Beware of Combofix - contains infected file

Wed, 30 Jan 2013 16:27:54 EDT

Jrb2 posted : Postings by Grinler at BleepingComputer:
»www.bleepingcomputer.com/forums/···431.html

quote:
ComboFix is now live, clean, and available to download from its normal links.

On a question whether Combofix would deal with the Sality infection:

quote:
I would avoid ComboFix until you have confirmed your computer is not infected with Sality. Ironically, CF will quarantine Sality infected files, other than OS files, if they are found.

About the version I downloaded from BleepingComputer about an half hour ago:

ComboFix.exe

Version 13.1.30.4

SHA256: a1ed6bc74db51c219c08d6126d7de5c60570b2f76c60ce602bf602096d2f85a1
MD5: 4f973e9d3fdaeb5347243e8e169714e7

VT:
2/45

AntiVir TR/Crypt.XPACK.Gen
Jiangmin Trojan/JmGenGeneric.boe

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 20:03:03 EDT

Jrb2 posted : The file, which I scanned earlier at VT, was the one with checksums:
SHA256:
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
MD5: c71b0515ef1200755ae61a5c4c9e8a86

I did post those checksums in my previous post in this thread, along with the results at VT at that moment, and with the alert by NOD32.
I wasn't at that moment the first one who had scanned it there.

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 19:40:05 EDT

therube posted :

quote:
SHA256 Hashes of known affected versions are:

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8

quote:
Added hashes of the known affected version to first post. Hashes can be found below as well:

SHA256:
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
MD5: c71b0515ef1200755ae61a5c4c9e8a86

»www.bleepingcomputer.com/forums/···431.html

(Now we need an SHA256 to MD5 converter ;-).)

So presumably what I had gotten earlier, 1 day prior, is OK.
(It came from Softpedia, though I notified them of this issue so don't know if they're still hosting or not?)

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 18:10:31 EDT

siljaline posted : Noted: A Query of MS MMPC yields:
»www.microsoft.com/security/porta···y=Sality

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 16:37:27 EDT

siljaline posted : That would be a fair assumtion that other A/V vendors do.
Since I loan a hand with ESET support, the link I provided was an example. Additionally, some here run ESET A/V.

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 16:23:23 EDT

Smokey Bear posted :

said by siljaline:
ESET users have some level of protection from Sality

Most other vendors offer protection too, it's not just ESET.
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone�s going to think you�re a moron.
»bit.ly/V5mACB - How-To: Destroying a faulty keyboard

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 14:32:25 EDT

siljaline posted : fwiw, Jrb2 :D

ESET users have some level of protection from Sality

I hope that an uninfected version of combofix is made available soon.

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 12:46:45 EDT

Grinler posted : Waiting on this information from the developer. At the same time, if you scan your current version and it shows clean in virustotal then you are good to go.

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 12:45:24 EDT

therube posted : Sure would be nice if they posted a hash of the infected version.
And better yet if they also posted hashes for their prior, known good versions.

(So like is my 1-28 version good or bad, or have I lucked out by a few hours?)

If mine is good, then maybe I could use Combofix to fix Combofix ;-).

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 12:44:03 EDT

Grinler posted : The affected file was not nircmd. It was a different file unfortunately.

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 12:39:48 EDT

therube posted : What version & size of nircmd.exe ?

In what I have (Combofix.exe), both firefox.exe.VIR & iexplore.exe.VIR (both lower case, the .VIR added by me) are 256,000 bytes (& are exactly the same, chameleons if you will) but neither compare in any way to any nircmd.exe that I have?

VirusTotal (1 / 46) iexplore.exe.

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 11:59:47 EDT

therube posted : A 28th Jan version gives this md5 hash:

0f6d28a70471051c4c7785335acba626

And oddly, VirusTotal only shows 1 / 46 for it: ComboFix_13-01-28.01.exe

Edit to include SHA265 hash (that's like 256+9 for good luck):

SHA256: 361548f74415a41f00d5345b3e3c489b3282b302c0c51266880eda586db01a12

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 11:56:25 EDT

Jrb2 posted : Two posts at BleepingComputer:

1.
»www.bleepingcomputer.com/forums/···407.html

By Grinler:

quote:
The download has been pulled since earlier this morning as sUBs investigates the reports. At this time, I unfortunately do not have any other information for anyone.

Stay tuned.

2.
»www.bleepingcomputer.com/forums/···431.html

By Grinler
Information about ComboFix being infected and what you should do

quote:
Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix downloaded after 2am EST, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 11:17:29 EDT

alien8 posted : I downloaded Combofix on the 23rd Jan, from the mirror and
it's got this md5 hash:

2D928456F2238FBB9C06F173691B0B83

So, look like the new version got put there since 23rd??
--
»sanesecurity.blogspot.com/

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 10:52:26 EDT

therube posted :

quote:
IExplorer.exe file is Nircmd.exe(renamed)

Why would they do that, unless to act like a chameleon?

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 10:41:00 EDT

TheJoker posted : And I notified sUBs this morning just in case.

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 10:23:57 EDT

trog posted : From wilders:

said by Blade Z :
Hello,

Just letting you know that the mirror at Bleeping Computer has been deactivated until this gets sorted out. So that should go a ways towards minimizing the exposure.

A big thanks to Marcos as it was this thread that first alerted our staff to the issue.

~Blade
Bleeping Computer Forum Administrator

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 08:55:34 EDT

dandelion posted : This is almost unheard of. Did this happen just on that site or to the entire program?

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 08:51:51 EDT

Robotics posted : All I can say is wow!

How the hell did this happen? Is anyone saying yet?

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 08:45:22 EDT

Jrb2 posted : Thread at BleepingComputer forum:
»www.bleepingcomputer.com/forums/···407.html

No official responce yet there.

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 08:00:15 EDT

Jrb2 posted : Scanned at VirusTotal:
30/45

Agnitum Win32.Sality.BL 20130128
AhnLab-V3 - 20130129
AntiVir W32/Sality.AT 20130129
Antiy-AVL - 20130129
Avast Win32:Sality 20130129
AVG Win32/Sality 20130129
BitDefender Win32.Sality.3 20130129
ByteHero - 20130123
CAT-QuickHeal W32.Sality.U 20130129
ClamAV - 20130129
Commtouch W32/Sality.gen2 20130129
Comodo Virus.Win32.Sality.Gen 20130129
DrWeb Win32.Sector.22 20130129
Emsisoft Win32.Sality.3 (B) 20130129
eSafe - 20130127
ESET-NOD32 Win32/Sality.NBA 20130129
F-Prot W32/Sality.gen2 20130129
Fortinet - 20130129
GData Win32.Sality.3 20130129
Ikarus Virus.Win32.Sality 20130129
Jiangmin Trojan/JmGenGeneric.boe 20121221
K7AntiVirus Virus 20130128
Kaspersky Virus.Win32.Sality.gen 20130129
Kingsoft - 20130121
Malwarebytes - 20130129
McAfee W32/Sality.gen.z 20130129
McAfee-GW-Edition - 20130129
Microsoft Virus:Win32/Sality.AT 20130129
MicroWorld-eScan Win32.Sality.3 20130129
NANO-Antivirus Virus.Win32.Sality.beygb 20130129
Norman Sality.ZGZ 20130129
nProtect Win32.Sality.3 20130129
Panda W32/Sality.AA 20130128
PCTools - 20130129
Rising Win32.KUKU.ky 20130129
Sophos Mal/Sality-D 20130129
SUPERAntiSpyware - 20130129
Symantec - 20130129
TheHacker - 20130128
TotalDefense - 20130129
TrendMicro PE_SALITY.RL-O 20130129
TrendMicro-HouseCall PE_SALITY.RL-O 20130129
VBA32 Virus.Win32.Sality.bakc 20130129
VIPRE Virus.Win32.Sality.at (v) 20130129
ViRobot - 20130129

SHA256: 4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333

MD5: c71b0515ef1200755ae61a5c4c9e8a86

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 07:56:47 EDT

Jrb2 posted : Downloaded from BleepingComputer.
Eset (NOD32) warning: see screenshot

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 07:46:29 EDT

anon posted : Unsure where Eset got their installer from but the official Combofix download link is at Bleepingcomputer.

The IExplorer.exe file is Nircmd.exe(renamed) with MD5 753BC16326FEE4A421ACB636CCD602F4

VT report would not say Sality for that file as its 3 year old legitimate tool.
»www.virustotal.com/file/24ca5ceb···nalysis/

Re: Beware of Combofix - contains infected file

Tue, 29 Jan 2013 07:17:22 EDT

norwegian posted : April 1st isn't here yet? :)

Wow, no one is bulletproof then?

Beware of Combofix - contains infected file

Tue, 29 Jan 2013 06:55:00 EDT

Jrb2 posted : Warning by Marcos at the ESET forum:
»www.wilderssecurity.com/showthre···t=340693

Quote:
We have discovered that the current installer of Combofix contains iexplore.exe infected with the Sality virus. It's pretty well detected by other vendors as well.
We do not recommend downloading and using it until the author remedies the issue.