Dirk works at an Iranian nuclear lab?
IT guy checks to see if PC is virus-free, with virus-ridden USB stick
Welcome again to On-Call, our weekly therapy session for readers who need to share terrible memories of jobs gone horribly, horribly, wrong. This week, meet “Dirk” who we imagine is carrying quite an emotional load because he's witnessed some horrors created by truly dull-witted users. Take, for example, the crew his IT team …
COMMENTS
Friday 10th February 2017 08:15 GMT Anonymous South African Coward
Ahh, cryptolocker.
Had a user once whose son managed to infect her laptop. Then tried to clean it up, and only made it worse.
Over a weekend.
Come Monday, said user arrived at work, and despite the clear warning on her laptop's monitor (encrypted files, ransom etc etc) she plugged her laptop into the LAN.
Luckily I enforced some rigorous security practices (such as segregation of data between departments) so her department was the only one affected.
A quick delete and restore, and her department's data was restored. Not so her laptop. I tried to uninstall/remove cryptolocker, then decided to toss the whole hard drive, get a new one and install Windows from scratch instead.
Friday 10th February 2017 10:57 GMT Anonymous Coward
Punishment? Yeah, right!
What happens in some places if
(1) A manager is stupid enough to get themselves deliberately infected with malware, or
(2) A manager demands admin rights on his laptop, turns off all security (including passwords) and promptly loses it?
If you said "They get fired", I'd like to know what drugs you're on.
If you said "They get a bollocking", I'd like to know how many units of alcohol you consume per day.
If you said "They just get a shiny new laptop", I'll sympathise with you.
Friday 10th February 2017 13:36 GMT Anonymous Coward
Re: Punishment? Yeah, right!
"If you said "They get a bollocking", I'd like to know how many units of alcohol you consume per day."
At that point 1 unit, however I found this to be a very career-limiting manoeuvre (even though said user took company data home on a USB stick, worked on company data on a machine with no AV, and demanded the USB stick be unblocked after the AV had a panic and spammed us).
Anon for obvious reasons
Saturday 11th February 2017 09:58 GMT Kiwi
Re: seriously??
If the malware in question hid itself in the boot sector somehow and you couldn't tell for absolute certain that you got rid of it, it's not necessarily a bad option. Hard drives cost peanuts compared to the time spent by people.
Must be great to work in a massive corporate with a ton of spare IT cash.
For many SMBs, HDs are quite expensive still - at least here in NZ (where you're looking at $NZ80-100 for a cheap 1TB laptop drive, maybe under $150 for a 2TB desktop; I don't have the spare funds for drive space atm so not looking at prices).
Is there any way a virus could survive creating a new partition table on the drive? (assuming of course you're using a *nix machine or suitable boot disk). Takes seconds to create a new partition layout.
Sunday 12th February 2017 00:54 GMT the hatter
Re: seriously??
And how does that NZ$80-120 compare to your hourly rate, given that trying to disinfect and verify it's gone is something you can spend a long time on? Even in a small company, if you can show the person with the chequebook that it's clearly saving money, they should either scare up the cash, or you should look to find somewhere that will be able to pay the next payroll.
Also, yes, the possibility of the drive firmware being tampered with by a virus is now non-zero, so nothing you do through the SATA interface can be trusted absolutely, including reflashing the drive's firmware.
Tuesday 14th February 2017 05:08 GMT Kiwi
Re: seriously??
"And how does that NZ$80-120 compare to your hourly rate, given that trying to disinfect and verify it's gone is something you can spend a long time on?"
Since you're going to be re-imaging the machine anyway, the time is actually nil. It takes moments to re-write the partition table, and unless you wish to go to the effort of running recovery tools, creating a new table effectively wipes all data on the drive.
"Even in a small company if you can show the person with the chequebook that it's clearly saving money, they should either scare up the cash, or you should look to find somewhere who will be able to pay the next payroll."
Seems you picked an appropriate name, since you seem to be quite mad. Do you know what "SMB" is? Well, most commonly they're SMALL businesses of 1-5 people, though I'm not sure what qualifies as "medium". As such, they often have only one person involved anyway. How is that person going to complain to whoever handles the payroll, stand in front of a mirror?
As to quitting a perfectly good job because they won't buy a new HDD when the old is perfectly OK, do you not know what the job markets are like for most of the world especially IT these days?
You might need to spend some time elsewhere - like in the real world for example - before you speak too much on such subjects.
"Also, yes, the possibility of the drive firmware being tampered with by a virus is now non-zero, so nothing you do through the SATA interface can be trusted absolutely, including reflashing the drive's firmware."
Given that, and your statement that the drive should be replaced because you cannot trust it once it's had an infection, how often do you think we should replace the drives? Hourly? Every 10 minutes? As soon as they're flashed they're untrustworthy? Because there's no way of knowing if a drive is OK after all. Maybe the manufacturer has an as-yet undiscovered issue. Maybe there's something somewhere else on my network that I haven't yet spotted (I don't have the time to be hunting it and as you say I cannot be sure even when I really am sure)? Maybe someone infected a HDD at MS and their updates are now malware [no comments on the obvious redundancy!]? Maybe some new (or old) driveby in a popular website that is yet undetected - perhaps just reading this comment you've stumbled on a drive-by infecting El Reg that has now infected your drive's firmware. Better replace it just in case.
Or is my over-stressed coffee-lacking day taking its toll on me today?
Monday 3rd April 2017 21:35 GMT Dajve_Bloke
Re: seriously??
If you're looking at putting terabyte drives in laptops or desktops I would respectfully say you're doing it wrong. The amount of storage in a local machine should be big enough for the OS, and a few spare gig for when the user can't be connected to the mothership and needs to bugger about on some word docs and administrivia.
Give the users multi tera locally and they'll fill it with stuff, that isn't properly backed up and you're only storing up problems for yourself.
Have yourself a netBeer anyway, it's a long fucking way until POETS day.
Friday 10th February 2017 09:44 GMT Baldy50
True!
A cleanup job on a PC can take way longer than a re-install; it's the gazillions of updates you know the useless user ain't going to do after sorting the machine out that P's me right off.
Noticed updates are far more frequent than ever now! Ubuntu base and pretty much anything installed, even progs not even on the approved repository.
OK, it might slow your machine down for a bit but, you guys/gals know the score, do the updates as soon as possible, they just keep on clicking 'Later'.
DBAN it? Toss the drive! Only if it was a needed upgrade, size/speed etc. A friend couldn't believe it when I just snapped the drive platter in front of him; he thought they were metal.
Friday 10th February 2017 14:11 GMT big_D
Re: True! @Baldy50
We use standard images. A new PC is up and running (with all standard software installed) and fully patched in an hour or so. The images are re-done every few months, so that only a handful of patches need to be applied, once the image has been copied onto the PC.
The old HD goes in the cupboard and waits to see if a decrypter tool becomes available at some point.
Friday 10th February 2017 14:15 GMT Anonymous Coward
At one IT company, the directors had their own NAS, IT wasn't allowed any access and it wasn't allowed in the backup process, because the admins might be able to see what data was on the NAS through the backups.
Paranoia? You bet!
So, one director accidentally clicks on a cryptolocker email... Luckily all of the production drives were intact, but it gobbled his hard drive and the directors-only NAS...
Friday 10th February 2017 08:32 GMT GlenP
Not work but...
I acquired a less than year old decent Dell laptop from a friend. He'd managed to acquire malware, then the people he took it to managed to add plenty more. He gave up, bought a new one and I got the old one. It still took me nearly a day to actually get to the point where I could wipe and low level format the HD (prices as they are now I'd just trash it, they weren't so cheap then). Fortunately no networks were involved but if he'd talked to me first I could have saved him a lot of money. The laptop did a couple of years service for me then a few more for another friend!
Friday 10th February 2017 09:24 GMT rhydian
Re: Not work but...
Back in my younger days I'd always try and "rescue" a near-dead Windows install rather than nuke from orbit, but these days, unless there's some vital software where the user doesn't have the install media or licence keys any more, it's a case of erase and rebuild. The only off-putting issue is the number of Windows updates a new PC needs...
Friday 10th February 2017 10:26 GMT jason 7
Re: Not work but...
Yeah, rebuild from scratch is the best option but, as you say, so many customers have that "special" edition of Adobe Creative Suite or some work software where the licence key is nowhere to be found and that isn't an option.
Not to mention the idiots that don't connect to an Exchange server but for some reason have an over-complex and huge Outlook setup with 90GB of mail across 9 accounts, of which half haven't got the password to hand anymore.
I have almost screamed in some users faces when they pull the old "well why should I know all this stuff?" -
"YOU HAVE TO TAKE RESPONSIBILITY FOR SOME OF THIS FFS!"
Saturday 11th February 2017 00:33 GMT soaklord
Re: Not work but...
I disagree. I ran the North American customer support team for a top 5 antivirus company for years and we got to the point where we could extract the malware 100% of the time. This then meant we had a sample for analysis to improve the product. If you just format and move on, you haven't done anything to increase your overall security, you have removed a symptom not a problem. Users will be users. If you instead get the AV company you trust to protect the computer involved and get them a sample of the infection, you are likely to increase the security of all your users by default. Of course, the company I worked for offered free support for customers and we worked hard to get a sample on every infected computer we worked on.
Saturday 11th February 2017 14:13 GMT Anonymous Coward
Re: Not work but... (@soaklord)
Sorry, you lost me at "the AV company you trust".
Tolerate, maybe. Consider a marginally-acceptable compromise between a. just installing several pieces of malware to save time and b. underclocking the CPU to about 2Hz to simulate the performance still available while running AV, sure. Monitor closely to ensure the latest update didn't go straight to "b", insist on an Adobe or JRE install as a drive-by during updates, or open a massive attack surface in the AV suite itself, absolutely.
Granted, a few of these don't apply to a centrally-managed corporate AV platform, but if that's all you have to deal with, congratulations.
Trust is earned. I think the term you're looking for is "disgust". Very close pronunciation, I can see the confusion.
Tuesday 14th February 2017 05:12 GMT Kiwi
Re: Not work but...
True, but I've never come across a laptop that takes more than an hour to completely disassemble...
Even faster with a decent axe. Much more satisfying too.
Though, a functional re-assembly may be a bit harder and take a hell of a lot longer. Then again, the person who can re-assemble a laptop after axe-based disassembly will have a hugely satisfying result. And something bordering on God-like powers. Or at least patience.
Friday 10th February 2017 18:49 GMT jelabarre59
Re: Not work but...
"Not all laptops have easily accessible hard drives, even these days. :/"
Exactly. The in-laws gave my wife their old laptop, and I would have just pulled their HDD and put in a fresh one to do a clean install, except Dell decided to insert it into a wormhole somewhere in the bowels of the machine. Decided it was quicker to rsync the entire drive to a USB external (even at USB 2.0 speed) than to try to dismantle the sucker.
Friday 10th February 2017 18:33 GMT The IT Ghost
Re: Not work but...
In fairness, poster did say that the startup options had been disabled. So booting from a CD/USB may have required some...persuasion.
Haven't run across the "disable startup options" trick yet, only seen the Gen I and II ransomwares thus far. And one scareware that merely claimed the files were encrypted and hoped for panic payment.
Friday 10th February 2017 21:37 GMT Anonymous Coward
Re: Not work but...
"Which part of that took the most time?"
* Boot from linux bootable CD/USB
There are so many brain-dead UEFI systems out there that will boot and boot and boot into Windows before you can finally get them to go into setup to change the boot option; a couple I've only been able to change by going through the Windows recovery options. I am seeing less of this these days (ya!)
Monday 13th February 2017 00:51 GMT Anonymous Coward
Re: Not work but...
In the OP's defense I would like to cite the Toshiba Satellite Pro, which tends to throw a major league hissy fit and prevent access to the BIOS menu when it sees something it doesn't like. I know this because I just spent a few hours trying to get to the BIOS to reinstall Windows on a new HDD. No more Toshibas are now permitted in the Ajob household.
Friday 10th February 2017 09:02 GMT mr_souter_Working
a certain Scottish Council
A few months ago, 3 times in the space of 2 weeks, same sets of users each time, despite organisation-wide emails advising them not to open the attachments, not to make the PDF that suddenly opened in Word a trusted file, and not to enable the macros in that file... cryptolocker variant emailed in (the mail filter was seemingly unable to block it, and the proxy was unable to stop the download of the malware payload). After the second time, they listened to me and we imposed file-level filtering to prevent the creation of the encrypted files. The third time, all that happened was a single computer was infected, which was promptly rebuilt. I've since left to join a different company, where the internal IT and the project management explains oh so many things...
Friday 10th February 2017 12:16 GMT phuzz
Re: a certain Scottish Council
You can use Group Policy to disable all macros in Office.
Sure, Bob in accounts will be upset because the single Excel 97 spreadsheet that he uses for his custom reports uses all manner of ill advised macros in order to produce a report that nobody even looks at any more, but fuck Bob.
Friday 10th February 2017 09:06 GMT Anonymous Coward
I used to work as a tech in the education department
I was once sent to a primary school because the Headteacher had critical documents on her laptop and she could no longer access them - obviously no backup on the server because *sigh* "she wanted to ensure the documents were kept confidential", anyway that's a side point. A little background - she's one of the better headteachers to deal with, relaxed, an easy smile and frankly she's easy on the eye. Now before anyone throws around "sexist pigdog" at me, the females in the department used to play rock/paper/scissors when deciding who got the jobs with some of our computing teachers (yes seriously!) so everyone had their favourites.
At 9am on Monday morning I'm sat in her office whilst she goes to cover one of the classes, I fire the laptop up with a linux live CD, start browsing the user folders and within moments realise it's riddled with adware, there are shortcuts for porn sites all over the place, basically it's a complete state. I grab her documents off the desktop and onto a portable usb drive, check the contents of folders - yup more porn links and the occasional clip (that I'll probably keep and look at later - come on guys we all do it)
When she comes back in I've already re-imaged the PC and am in the process of scanning the documents with an updated AV product etc. Nothing else found. Then I ask the obvious - Did she let anyone else use her PC at the weekend?
No
Are you sure?
Yes, I live alone, why?
and that's me sweating, how to explain to a very attractive woman in her mid-40s that her porn browsing habits got her machine riddled with viruses, adware and PUPs?
I quickly explain the AV was out of date and scarper, like a true IT professional.
Friday 10th February 2017 10:43 GMT Anonymous Coward
Re: I used to work as a tech in the education department
"and that's me sweating, how to explain to a very attractive woman in her mid-40s that her porn browsing habits got her machine riddled with viruses, adware and PUPs?"
If my home connection is ever put under detailed scrutiny I am going to have a hard time explaining some of the material that gets accessed. Some things just aren't going to be believed when you say "It wasn't me, it was my wife"...and I'm not easily shocked.
Friday 10th February 2017 11:11 GMT Anonymous Coward
Re: I used to work as a tech in the education department
Alternatives? Linux - in many cases people are confused by which one to go for and not aware of the plethora of reviews etc online.
Mac - Some people love it, others hate it. Personally I'm a bit of both as someone who spent years fixing them.
Whether we like it or not Windows is the most commonly supported OS; in my time in IT (I work in IT security now) Linux simply wasn't used by most IT staff. Even these days I know 80%+ of my own IT department have probably never so much as booted off a Linux live CD.
End users typically are dictated to, either by the "must procure via IT" route or simply by the virtue of getting no support at all if they don't toe the line.
Friday 10th February 2017 12:32 GMT Alan Brown
Re: I used to work as a tech in the education department
"and that's me sweating, how to explain to a very attractive woman in her mid-40s that her porn browsing habits got her machine riddled with viruses, adware and PUPs?"
If she's browsing porn sites then you don't need to be sweating it.
Been there, done that, had a chat about how lots of them are trojan horses and if you're going to spend time trawling these sites you need to use scriptblockers etc etc.
People are people. As long as you don't play "prude" it's relatively easy.
I get more flak for my lectures to people who've been told not to open XYZ attachments and do it anyway, or disable the antivirus that's warning the file is infected "because it might contain something important" (in one case, twice). Such people go to the end of the queue. Once it's clear that they don't listen, the lesson usually only sinks in if they get a large bill or maximum inconvenience.
Some people really don't like being told they're the reason that 30 other staff can't do any work at an effective cost of £1000 per person per day.
As for C-level staff or other manglement: Form a good relationship with the company accountant and/or finances dept. When this kind of thing happens, have a chat and explain the costs/inconvenience/losses. You'd be amazed how fast they can school the most stubborn lusers.
Friday 10th February 2017 12:57 GMT JimboSmith
Re: I used to work as a tech in the education department
I worked for a company where we ended up infected by one of those Outlook-loving viruses that spread by just opening the email. So after someone had opened an infected email sent by someone they knew and trusted (who had also been infected) it spread like wildfire through the office, because everyone opening one was then emailing everyone else with it. It got sent to everyone at the parent company as well, which made us popular. The only good news on that front was they were using Novell GroupWise at the time and that meant it didn't affect them. So IT support basically said everyone down tools please and leave your computers on. Some people used the time to have meetings, some went out for an early lunch, some went to the pub (my team), some went to sleep etc.
By the end of the day the IT support staff had worked from one end of the office to the other cleaning the infected machines and removing all traces of this thing. Fast forward a few months and we've got a summer intern in the building doing some work. We'd set up an account years ago for the use of the interns whilst they were there so that they didn't have to have one with their names attached. They were also told no personal email (less chance of smut or viruses) on that as it will be used by other people after they've left. So first day of new intern and there's a small induction session including fire procedures, evacuation routes and general health & safety stuff etc. That ended at 11am and it wasn't five minutes later, after they'd opened their email, that the familiar messages start popping into people's mailboxes. They'd cleaned all the machines but not all the mailboxes. Someone who'd worked out what would happen next made a break for the pub at the sight of the first mail appearing. He was very disappointed when he was called back before he could order the first pint. No one was now dumb enough (oh alright, someone else had, but it had only got their machine) to open the emails and it was dealt with swiftly.
Friday 10th February 2017 13:09 GMT Anonymous Coward
Re: I used to work as a tech in the education department
I know someone who visits such sites because 'Er Indoors actually travels a lot for business, so he has free time on his hands so to speak and no sweet loving for many days at a time. I suggested that he buy himself a second-hand Android tablet cheaply and consume that way to safeguard the home computer. If the tablet is infected there's no major problem as it wasn't very expensive and is easily replaceable. He's disabled the cameras (again at my suggestion) with some black electrical tape so no chance of being snapped by a malicious download. He also doesn't tell his wife about the existence of that tablet!
Friday 10th February 2017 21:12 GMT Anonymous Coward
Re: I used to work as a tech in the education department
Brilliantly, a family member suggested I go round and have a look at a computer belonging to a friend of a friend, back in the days of dial-up. The lady I met told me she was concerned that her son (10-11 years old from memory) was viewing porn on the family computer. She'd discounted her daughter so it had to be her son. She told me that she'd clicked on Internet Explorer one morning and found it was still open and there was a topless woman on the website offering a tour of the site.
She wanted proof it was him so she could confront and scold her male offspring. Well, whoever was doing this smutty surfing was deleting the browser history and there was only IE on the machine. So digging a bit deeper I looked at the .dat file and was surprised to find that there was only one smutty site surfed before 9pm and only one page. After nine however there were tons of them covering a "broad range" of interests.
I asked when the son went to bed and he was never up past 8pm so wasn't him. The daughter stayed up later but not past 9pm so I told her that she could discount the kids. Her daughter came in to use the computer and admitted that she'd clicked on an altavista link days earlier that had looked innocuous but wasn't. I said she would need to talk to whoever used the computer after the children had gone to bed. She said "Oh I wish you could be here when my husband gets home he's going to get such a bollocking." I then had to explain how she could present this discovery to her nearest and dearest so that he couldn't get out of it. We also did a virus scan and thankfully it was clean.
Friday 10th February 2017 09:12 GMT Anonymous Coward
First days of a new job
This was 1998, new job. So far, I had never worked on a Windows PC, only various Unix workstations ... I of course hated (still do today) Windows.
3rd day of this new job, my Win98 PC got infected by a virus, which knocked out the AV. One day lost due to that. Feck you, Windows.
Friday 10th February 2017 09:20 GMT EddieD
Petards.
Back in the 80s I shared a flat with a guy doing a PhD on computer viruses. He took a floppy down to the Atari lab to copy some software for our own machine, and managed to infect the entire lab with a virus.
The lab manager was very unimpressed.
Ah well, at least we got given some good anti-virus software and he got material for his thesis.
Friday 10th February 2017 19:55 GMT The IT Ghost
Re: Petards.
Not a virus, but an IT fellow at a place where I was contracting had come up with a plan...insert a DVD that had just enough on it to boot the machine, format the C: drive, link up to the network and pull down a disc image (this was the mid 90s, this was pretty clever by the standards of the time). Infected desktop? Pop the disc in, reboot, and watch the magic.
He gets everyone gathered for his big demo. Hooks his laptop to a projector, adjusts the image just so, pops the desktop imaging disc in, reboots...and at about 2% of the format, goes into a blind panic realizing the desktop image disc didn't have the network drivers for his laptop.
Oops.
Unfortunately, he hadn't gotten around to working on the laptop imaging project yet, so was stuck doing his recovery the hard way.
Friday 10th February 2017 10:24 GMT POKE 649,0
Re: Nimda and Klez
aaah Nimda... getting all nostalgic here.
Also remember Blaster/Welchia virus when I worked at a large UK based PC Retailer in their "PC Clinic"... As soon as you switched a new XP PC on and put it on the internet straight out of the box it would pick up Blaster.
Couple of cases of Crypto here recently which we managed to defeat... But the biggest outbreak I've witnessed here was Pinkslip back in 2011 I think. That was caused by a USB stick being plugged into a laptop Down Under and it managed to screw up lots of stuff globally. That went on for weeks.
Going back to my retail days though, I did love a good virus infection tbh, and used to enjoy manual removals. Used to set our AV...F-Prot back then...to detect only, and it was a great learning experience rifling through the OS.
Aaah the good old days!!!
Friday 10th February 2017 17:42 GMT Sandtitz
Re: Nimda and Klez @d3vy
"Yeah, Similar story - phone support - trying to talk users through downloading the hotfix whilst having a command prompt open ready to type "SHUTDOWN -A" repeatedly was hilarious."
That would have been the extra hard way of doing things.
I just instructed users to turn on the built-in firewall in XP.
Tuesday 18th July 2017 14:28 GMT onceuponatime
Re: Nimda and Klez
I got bored and reloaded my desktop back in the blaster days. Decided to see how long it would take it to get infected (since at that point I knew how to remove it manually) and it took approximately 23 seconds on a 56k dial up connection. I was impressed and at the time amused. Took 5 minutes to clean but still. :)
Friday 10th February 2017 10:51 GMT Anonymous Coward
Been there, done that!
Was given a floppy disk to install a remote monitoring client on company PCs and part way through someone complained of a non-bootable machine. Continued with the task and then several more were in that position. Retraced steps and yup, all had the monitoring client installed. Didn't take long to realise the disk had previously been infected and not formatted before use (though formatting may not have made a difference).
Friday 10th February 2017 11:08 GMT Chris King
Some men just want to watch the world burn...
I once had to deal with an infected laptop, where the user knew a download was likely to be infected (cracked software), but he still wanted to see what happened if he clicked on it anyway.
He'd also turned off the AV because (his words) "it got in my way".
Icon says it all.
Friday 10th February 2017 14:57 GMT DropBear
Re: Some men just want to watch the world burn...
To be fair, they totally DO get in one's way; to the point where I didn't even bother installing any of them on my current system - the mere thought of the incessant HDD thrashing every time I move the mouse was driving me insane. I'm still looking for anything that's strictly ___on demand only___ and isn't Malwarebytes or ClamAV but there just isn't anything else that will actually refrain from "shielding" my system in 127 different ways worming their way into everything from unskippable boot scans to network filtering to host files to proxying mail, active 24/7 even when everything is nominally off. Ad blocking (and not clicking on stupid stuff) worked so far, but I'm looking to sidestep to Mint soon anyway and I do have working long-term backups.
Tuesday 14th February 2017 17:24 GMT imaginarynumber
Re: Some men just want to watch the world burn...
"The vast majority of cracks flag false positives on anti-virus softwares. I've never had a single issue with cracks, and each one triggered the anti virus."
Agreed.
I suspect that Adobe/MS/whoever pay the AV firms to flag crack and serial number generators as being malware.
Much like they refused to flag and remove the porn/gambling related Micro Bill System hi-jackware. In the early days, the AV vendors were worried that flagging it would result in them being sued by MBS (AKA Platte Media).
From memory, the only off the shelf AV package that would remove MBS was the paid for version of Prevx.
Friday 10th February 2017 12:15 GMT Anonymous Coward
Just yesterday..
Just yesterday.. user sends in a suspect email to the help desk. Bright spark n00b IT helpdesk employee decides to download the ZIP attachment, expand it, then double-click on the attached HTML file. Boom.
As it happens, it had some difficulty working out the payload. Helpdesk guy nicely side-stepped a whole load of analysis by just opening the damned file.
Friday 10th February 2017 12:54 GMT DNTP
It's going to be a bad day...
...when the first email you see Monday morning is an innocuous little thing from the director, asking "I have a file I can't open on my personal laptop, the extension is .osiris."
Hey, if they want to pay me for a couple of easy hours to do a nuke, reinstall, and backup restore, instead of my more difficult actual job... they're the management.
Friday 10th February 2017 14:10 GMT Anonymous Coward
No problems here
I worked in the Philippines when the ILOVEYOU "virus" hit. It originated there and was more of a cunning mindhack than the originators could have imagined. SOOO many single women HOPING the boss secretly had the hots for them. And then it went global. At least it was just a nuisance and not something deadly. Days of innocence!
We had strict policies against password sharing, and one CXO who thought, rightly, as it turned out, that he could do whatever he liked. Network scans found file-sharing software installed by his son on his laptop TWICE (Limewire etc.) He got away with it both times, despite fairly serious penalties for more junior people for policy breaches, because the CEO couldn't understand it and didn't want to deal with it. If you're a big enough jerk you can get away with things because others don't want to pick a fight. It applies on the boards of banks too (see: RBS).
-
Friday 10th February 2017 14:46 GMT tiggity
Re: No problems here
Ah, ILY
I remember a place I worked and a programmer being stupid enough to open that.
Caused great amusement as he was a rabid Christian.
Rest of us could not decide on most likely reason he had opened it:
a) That's the sort of happy clappy type messages evangelical god botherers send each other
b) He secretly wanted a bit on the side
c) He was just stupid
d) Roll your own combinations of the above
-
-
Friday 10th February 2017 16:36 GMT 2Fat2Bald
I've worked in a place (several years back) where they had a strictly enforced security policy. If IT reported someone for doing something against the rules, they got fired. No ifs, buts, maybes or excuses. The rules were sensible things like not using personal email on work computers, no USB devices and so on. When there was a virus infection we had to write a report, apportioning blame where necessary. The company realised that the information was their lifeblood and if some daft git brought their personal computer into the office, plugged it in and it infected the network the loss of time, confidence, and money could be far worse than stuff for which you'd expect to be fired (like torching the building). Everyone watched a video on this on the first day, and signed a piece of paper agreeing to the policy. IT were given some discretion on whether to offer advice or report stuff - depending on how egregious and intentional the transgression was.
You know how often we did this? Virtually never. Because people knew it wasn't worth the risk. Seeing one or two colleagues a year (of several thousand) marched out of the building by security made sure people didn't take the mick. If IT came down and said "Look, you can't plug that into your computer", they listened. Breaking the rules wasn't a "silly computer thing", it was your job. And a friendly warning from IT was sure to be listened to, as the next one would be from Security and rather less friendly.
Even quite senior managers respected security protocols and used to come to IT to ask advice and permission before doing things that might impact network security. Sometimes the answer was no, but more often it was "Yes" or "Yes, but you need to do it like this..." or "Oh, we know a much better way of doing this, let me show you".
-
Saturday 11th February 2017 00:47 GMT Anonymous Coward
Not a new problem
I remember, back in the day, I was working for a company known usually by a 3-letter acronym, when our department received (from a client usually known by a 4-letter acronym) a CD-ROM whose contents consisted almost entirely of malware. Despite the proper and prominent labelling on the CD, my boss had put it into his machine and I spotted him reading from a file with the name READ-THIS-OR-DIE.doc. I had to ask him whether he had browsed any other file on the CD-ROM, and then I had to suggest that doing so would be a very bad idea...
-
Saturday 11th February 2017 04:51 GMT Anonymous Coward
SCADA infecting the office LAN
I had the opposite problem to the OP with SCADA. I was doing some fault finding on a substation control system and had to collect logs of the servers (running a mutilated version of XP). When I put the USB stick into my work laptop back in the office the AV software had a panic attack (no virus actually ran). Shortly followed by an incoming call from the IT security people.
On closer investigation it turned out all the substation control PCs had viruses and a few even had keygens and cracks that were used in the commissioning/construction process by the OEM. And these were supplied from a VERY well-known vendor that did the construction in a first-world country. Linux-based AV boot-CDs and HDD imaging tools saved the day.
And to add insult to injury, the OEM specifically said there would be no warranty if AV was installed on the server because it tended to break the unorthodox mangled version of XP they used (they somehow trapped Ctrl-Alt-Del, and it would only work if logged into SCADA with admin rights).
[Anon since the substations are still up and running ... goodness knows how]
-
Sunday 12th February 2017 04:40 GMT Conundrum1885
Re. Nuke and Pave
I have resorted to such extreme measures before, because there really *are* horrors which are some unholy hybrid of such magnitude that they can survive even a zerofill (tried it from DOS boot disk even) and manifest as consistent patterns of slow (50msec) sectors when doing a diagnostic read.
Conclusion: this has to be the nastiest malware EVER because just putting it in my previously working test machine hosed the BIOS and eventually caused vertical lines and a total memory failure (tm) that didn't work even when RAM, CPU and every other removable part was changed :-( :-(
I've also had a variant of this eat pendrives, possibly the same malware because the affected units blink and flicker their status LED almost in an organic pattern.
All of them use the same chipset (PL23xx) and possibly this happened at the factory because they never worked right.
Removing the Flash chips made no difference so it's clearly in the controller; if anyone wants them please PM me. (darnstadium)