New Multi-OS/CPU aware virus broke through VirtualBox. For a reason. FYI

FYI (all)
Dear sir (RMS @ GNU),
My apologies. That e-mail concerned the (secret) embedding of personal information during the make process of certain GNU software, but there's a new development and I'm extremely mad: I have been looking for ways to de-obscurify certain (GNU) Make processes. During my search I found a certain GitHub repo that provided a way to do that. It was not "AO" but another... In reality it was a virus and/or a magic trigger that broke and destroyed all my systems in a matter of 2 hours or so.
It's a special case; the methods used are not mentioned anywhere on the internet. This one is multi-OS aware and broke through a running VirtualBox installation (I suppose via I/O hook exploits yet unknown). Both host and guest get destroyed, independent of OS!
From what I have seen:
- the maker has somehow trojaned the Freedesktop.org desktop-daemon input dbus helper software to gain and maintain root via init. Virtually every Debian-based system is thereby vulnerable.
- the maker has found a new way (unknown to every antivirus software) to gain admin access to Windows systems via low-level I/O and/or abused "signed drivers", and mmaps itself there to propagate.
- the virus broke through running VirtualBox installations (latest installation, new installations, old VDIs) and they all got destroyed: first the guest and hours or days later both host and guest installations... also new ones.
- the virus injects itself on every network interface / download and propagates on installation (triggered) within the VirtualBox installation. This happens on the host too, but hours later.
- it eventually kills every document on every OS by spawning hundreds of processes to kill documents (overwrite, move, symlink).
The strange thing about this is that GNU sources / software like the source code for glibc and GCC was left alone! Because of that and the mention of GNU on that repo I contacted GNU. On my Windows system there was even a special message "Thanks to Freedesktop and embedded Ruby".
The virus was obviously not meant for worldwide propagation but to target a certain audience (I suppose people like me); it's been engineered beyond belief and I triggered it somehow. In order to clean my system I tried an ISO/USB boot from AVG (Linux based). I booted from that USB and it got infected upon scanning... amazing!!
Anyhow.. sorry to have bothered you.
Regards,
To Microsoft: Windows is trojaned via VirtualBox USB I/O and/or other low-level I/O trickery. Obviously new methods are used, hard to reproduce, and I can only mention a few details: VirtualBox breakage like this is not yet mentioned anywhere and no admin privileges are needed to reproduce. This "virus" has no signature known to ClamAV/Kaspersky/MSSC/AVG/McAfee. New exploits are obviously used, unknown and/or used in a similar manner. Microsoft should investigate this on their own.
To the FreeDesktop DBUS daemon: it has been abused (and this darn thing is used in many Debian-based init scripts etc.) in order to gain and maintain root (or worse). There was a note left on my system "thanks to freedesktop and embedded...": every Linux instance, new or old (2.6 to 3.2xxx), was infected immediately. FreeDesktop: I *** your** because similar trickery has been mentioned since 2009.
To certain people at Debian: thanks for not taking me seriously or even understanding what you are doing. Clueless.
To Oracle: every host that mounts an infected VDI gets infected immediately upon boot. Or the other way around: upon scanning the filesystem. The scanning OS itself gets trojaned (reproduced via multiple USB installations / Gpart ISO / AVG ISO) and gets destroyed. Even within VirtualBox..... the ISO grows to hundreds of gigs. Virtually. I suppose it's hooked via USB transport to gain access over keyboard and mouse. In fact it doesn't matter what OS is used; the killing process is "universal" because it happens within the hooked kernel space.
To reproduce: I cannot give many details and it's hard to trace back or reconstruct the order of events, but I wanted to look for a way to de-obscurify a certain gnu-make process (in particular a piece of GNU software (for ..keys) which I suspected of embedding privacy information about the user; this software is used on virtually every OS and in many software packages as a building block). And I certainly found one. I guess some magic 0xUL that passed my system, or an action I did, triggered this OS-independent chain reaction or "OS killer" process. I should have suspected this.. well. Even GitHub trickery was (ab)used; ~/.git / git processes are used for some reason because every new download got the "make" process treatment instantly. Tricks to use parts of SHA1 signatures (actually the gitters' identification). Some people are aware of these methods and are abusing this system, not to "watermark" but to pull off this kind of work?
The result: all my virtual Linux / FreeBSD VDI/VMDK installations were completely destroyed within a matter of minutes and later the host (Windows 7, regular update cycle, well maintained and secured) too. It was hard to trace back and/or try forensics because the host got infected too -- obviously no way to sandbox (maybe I'm not clever enough). Mounting from another OS kills that OS too. Amazing. The reason I wanted to trace back or mount a certain partition was because it contained my work on my research. I had backups (even incremental) of some instances and they all got destroyed too (unaware of the system hooks that were lurking for the magic).
Reproducible? Yes. But hard to pull off, and therefore I suppose this "virus" is not meant to propagate worldwide but is targeted at a certain audience. The maker(s) has/have deep, profound knowledge of Windows internals, VirtualBox exploits, Linux exploits, methods not seen by any anti-virus software I had running. It means there's a whole bunch of multi-OS exploits, application exploits, not used or mentioned anywhere, bundled in a well-prepared trap for anyone who gets the magic. I still have the infected VDIs. I cannot tell if they are completely destroyed because I dare not mount them in ANY way (I tried virtually every way possible!!!!!). Forensics could do some work on the raw material.
Here's a brief list of software that must have already been trojaned to kill the running OSes (on host/guest) of a target:
- "nonfree" linux-firmware. Certain I/O/dev (dbus?) userspace layers (Linux)
- Linux or Windows VirtualBox guest addition(s): CERTAIN Debian updates (* triggers the killing process). Especially the re-make of I/O kernel mods caused a chain reaction in one case. The maker(s) did some magic there because one should assume that KERNEL code is well maintained (like Theo d.R. does :-) )
- (GNU) remake processes of kernel mods (RT/pre-empt) -> guest additions. I could only reproduce this a few times because my host got killed.
- GitHub trickery....
- techniques: callbacks via I/O hooks on both HID and available network devices; injects itself via sockets (because every download was infected)
- I suppose no known shellcode was used, or it was not recognised. Every virus scanner that I had running got killed and infected upon scan, both Windows and Linux based: ClamAV and AVG, MSSC, McAfee, Kaspersky etc. etc. Even a simple mount gets a host killed. Amazing.
And all of this must have been "packaged" for a special occasion? It's profoundly layered, multi-disciplined and networked (I guess there are more related triggers to this network) and this OS killer must have been ready or "waiting" for months; none of the exploits I've witnessed are mentioned on the internet or have been used on separate occasions (except for the dbus trickery: there have been rumors but no real actions by Ubuntu or Debian etc. etc.). All these multi-CPU/OS/software exploit (meaning transport) events that happened on my systems, both metal and virtual, are not mentioned anywhere or separately used on other occasions, or else someone would have mentioned it? Even the slightest kernel breakage or trojaned kernel in this respect should have gained prestige for certain w/b hat hackers. This is beyond belief. The guest/host breakage is amazing, multi-OS, and the killer does its work profoundly.
- so Oracle can deal with this VirtualBox breakage from host to guest and vice versa
- Linus gets his multi-OS I/O / kernel-space breakage, kills off every mount or gets triggered by even mmapping.
- Microsoft: no idea.... no blame; this should have been recognised within the security framework, but there's obviously not yet a signature known.
I don't know if I should call this a virus. It uses virus-like techniques but on so many levels happening at once. I don't think Oracle or Microsoft or Linux / FreeBSD / Solaris is targeted. It looks like a well-contained (only propagating on the host/guest; even socks are targeted only at localhost) trap; the killing process is very persistent and for a reason. If this were used in a network-propagating carrier virus it should raise a major worldwide alert. I think this unknown network of suddenly revealed exploits is a means to immediately shut down / completely kill the running system(s) of a certain audience (like me). It's like a network and eventually a kill switch, a "destroyer" which I happened to trigger while I was investigating some things concerning privacy issues (in fact building blocks for signing of public keys). This message should raise some questions.
And about that github repo. It's not AO.
That's all folks.
0X

We would really like to debug your problem but the provided information is not sufficient and very hard to parse. A few questions:
- Which version of VirtualBox are you using?
- What host systems did you use to test, only Windows 7 or also other systems?
- Did you try to use an infected .vdi disk with a fresh installation of VirtualBox on a fresh host?
- Which guest is affected (exact version please)?
- You report that even your host will be infected (breaking through from a VirtualBox guest to a host). Did you scan your host for viruses before you started your guest, so you can be 100% sure that your host was clean before it was infected by the guest?
- When scanning the infected system with a Linux-based virus scanner: did the scan report any problems? If so, which? And did you consider using a virus scanner on a read-only boot medium? In the latter case it is impossible for the virus scanner to get infected.
I would appreciate it if you could answer these questions; there could be more questions once I have the answers to these. But please, try to be precise and short when answering the questions.
