Fear And Loathing in Social Engineering

[Image: FBI-goblinbyte.jpg]

As you can probably tell by now, I love social engineering.  Social engineering is the first, easiest, and one of the most popular ways of gaining access to anyone's personal belongings.  Simple trust and conversation can create a comfortable enough situation for someone to offer up their house, without actually thinking about it.


Now if you look at the image above you can see one of the more recent malicious attacks that has taken hold around the world; it's not as active as it was a year or two ago, but it still exists.  This was the FBI "MoneyPak" virus.  A virus so sinister that it... did nothing to your personal information.  It bricked your computer, but didn't actually ruin your life.  You didn't lose files, you didn't lose programs, you didn't lose your pretty pictures, you just lost access to your computer.  Obviously the latter sounds far worse than not losing access to your computer.

As with any zero-day exploit, there was nothing from Symantec, Webroot, ESET, or any other major brand in the antivirus world to remove it, or even protect against it.  It would simply get on your system, and it happened thousands, if not millions, of times.  Out of nowhere this lovely thing took up your whole screen and... you were out of a computer.  In recent iterations, this virus even reboots the machine before safe mode can finish loading, rendering the usual disinfection tactics useless.  This is easily beatable, and I'll get back to that in a minute; instead let's focus on the bigger picture: what it's supposed to do.

This thing pops up on your screen and tells you that you've been caught with pornographic content of a nefarious variety, plus terrorist activities, and that you must pay a $200 fine OR go to jail for YEARS!  It preys on those who, out of fear, think they've been hacked and that their computer has been used as a centralized hub for malevolent humans all around the world: you'd better go get your money and give them $200 or it's YOUR LIFE!

Many people are going to look at this and freak out: what is this and why is it happening to me?  Look at it, that's legit, it even has a seal from the FBI with an FBI email address.  Sadly though, there are so many telltale signs this is just a farce.  First off, the FBI isn't going to infect your computer with a virus, or lock it down because they suspect you of a crime; that's unconstitutional and unethical.  If the FBI wants to arrest you for something, guess what, you're going to be arrested.  Secondly, a Green Dot card?  Seriously, the US government is going to fine you using an untraceable credit card number?  That's without a doubt fishy, and hell, it's stupid as well; they'd request payment via a check addressed to a US agency, or via a real credit card number.  Finally, it's $200?  Would anyone really believe they can get away with associating with terrorist organizations for only $200?  That punishment sure as hell doesn't match the crime.

I bring all this up because this bug hit a workstation in my office recently (yes, despite my grammatical travesties I am actually an IT professional.)  It was in my remote office, and the associate who worked down in that office was familiar with this bug and tried to remove it through means that have worked for him in the past.  He booted to safe mode: nothing, it would reboot.  He booted to safe mode with command prompt: nothing, it would reboot.  He unplugged from the network, called me up, and I had to make a day trip to fix the issues.  This thing seemed unbeatable, and yes, I know restoring to an image would have been my best solution, but due to time I couldn't exactly do that.  Our network speeds result in over 6 hours of install time to get it back to a usable state, and we had no backup units.

What was there to do?  I might have to take the machine, reformat it at my primary office, and bring it back down.  It seemed like such a waste of time.  Until I hit our ever-famous Ctrl + Alt + Delete: it blocked access to the task manager, but it did allow me to do one special trick that just kind of happened by mistake.  It had deleted all restore points, so I was going to try booting to some install media to attempt a repair; in the Ctrl + Alt + Delete screen I hit reboot, it began to kill everything and showed the "killing program now, force close, cancel" dialog.  Um... it closed the MoneyPak virus during the initial stage of rebooting.  I clicked cancel.

The computer was in a functional working state; it had a pretty notorious bug on it, but it was working.  Time to pull out my flash drive of curing, plug it in, and start loading up software in a rush, but MoneyPak was still doing its thing, blocking every damn thing I tried.  What else can I do?  The computer works, but the virus blocks installing new programs, and I can't reboot into safe mode.

A new command for those of you new to IT: msconfig, the Microsoft System Configuration tool.  Start ► Run ► msconfig ► Enter.  And you gain access to this pretty little bugger.


Diagnostic mode.  This pretty little son of a gun will boot Windows normally BUT turn off ALL unnecessary start-up programs.  Symantec won't load, Adobe Updater won't load, Java won't load, NOTHING will load other than the operating system.  By using diagnostic mode, you're not going through safe mode, which is going to give you a boot loop, and you're not going into full-fledged Windows, which is going to block any access.  Instead you get full-fledged Windows running with a no-frills-added approach, and the virus doesn't do ANYTHING: it doesn't detect safe mode in the system files, and it's not running since the start-up has blocked it.
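As an added example (not part of the original post), here is a read-only PowerShell script to run once you are booted into Diagnostic startup: it lists the autostart locations a normal boot would have executed and flags entries that point into user-writable folders or hijack the Winlogon shell, which is where a screen-locker like this one has to hook itself to take over the desktop. The "suspicious path" pattern is my own heuristic, not something the post states.

```powershell
# Added example, not from the original post. Read-only: it only lists
# autostart entries, it does not delete anything. Run as Administrator.
$suspiciousPath = '\\(AppData|Local Settings|Temp|ProgramData|Users\\Public)\\'

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Run/RunOnce keys: these are exactly the entries Diagnostic startup skips.
$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        [pscustomobject]@{
            Location   = $key
            Name       = $p.Name
            Command    = $p.Value
            Suspicious = ([string]$p.Value -match $suspiciousPath)
        }
    }
})

# Winlogon Shell / Userinit are the classic hijack points for a lock screen:
# anything other than explorer.exe / userinit.exe here deserves a close look.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings += [pscustomobject]@{
    Location = 'Winlogon'; Name = 'Shell'; Command = $wl.Shell
    Suspicious = ($wl.Shell -notmatch '^explorer\.exe$')
}
$findings += [pscustomobject]@{
    Location = 'Winlogon'; Name = 'Userinit'; Command = $wl.Userinit
    Suspicious = ($wl.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$')
}

# Startup folders (current user and all users): anything here is worth reviewing.
foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                   [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Location = $dir; Name = $_.Name; Command = $_.FullName; Suspicious = $true
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Flagged entries are a starting point for the cleanup tools the post goes on to use, not proof of infection on their own: plenty of legitimate software installs itself under AppData.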

Let me tell you, diagnostic mode is one of the best tools when trying to find problematic programs, and this time it saved my butt so bad.  After booting to diagnostic mode, I loaded ComboFix, RogueKiller, TDSSKiller, ADWCleaner, MalwareBytes and Junkware Removal Tool.  I ran all five over a half-hour period and fully demolished this virus and its spread across the system.

After one final firm reboot, the system health was back to flawless.  Sure, I know I can't be 100% certain I took care of everything, due to the fact that I didn't do a complete reformat of the OS, but hell, I'm pretty damn certain I nuked the son of a gun.

MoneyPak is a tricky bug.  Reformatting is and always will be the best solution to guarantee your system is clean and sound, but if you want to gain access to your files at home first, save those pictures from your beach vacation and such, this is your best option.  Furthermore, if something seems way too fishy, something seems off, just the slightest bit of "wtf", don't trust it.  I hope this tutorial and tale will help someone out there with ridding this devious bug from their system.

Until next time, be safe my goblins.
