It took a long time but after going back and forth with name.com support, I am happy to report that MainRepo is down for now due to them spreading malware. They will likely be back under a different (or the same?) domain soon, but good news is that the existing malware will stop working for now as it relies on the domain to receive commands to execute on your device as part of the botnet.
Essentially they need to find a new domain host that is fine with them hosting malware, I'm not sure if there are any.
Now is a good time to scan your device with iSecureOS (repo: https://isecureos.idevicecentral.com/repo).
EDIT: unfortunately they're online again (as expected), this time using reg.ru as their domain host
I don't plan on actually destroying a computer, I'm just curious as to how it can be achieved through software instead of straight up smashing it.
As some of you know, I am the creator of iSecureOS, an iOS Security application with a basic anti-malware component for iOS devices that are jailbroken.
iSecureOS is successfully able to detect the malware and remove it, but this wasn't exactly a happy day for the pirate repo.
They've now updated their malware to tweak iSecureOS so that their malware isn't scanned anymore. This is the danger of installing tweaks from pirate sources and sources you don't trust. They can do anything with your device.
So what's next?
iSecureOS has already been updated to detect their tweaking in memory and to prevent it anyways. But this is a cat and mouse game so consider yourselves warned.
I will release the update later today which will defeat their malicious tweak, but I am 100% sure they won't stop here so for those of you who do pirate (you know who you are, I am not here to judge) do the following:
And stop using the pirate repo in the cause. Their malware is evolving and so should our defenses.
As of the next update, iSecureOS gets a new module called HADES whose sole purpose is to assess integrity and block any sort of tweak injection / dylib injection into iSecureOS, for obvious reasons.
UPDATE: Aaron has clarified to me that I am allowed to mention the repo in this context. It's MainRepo, a pirate repo that nowadays also spreads malware.
~ GeoSn0w (@FCE365)
I really hated these apps also getting rid of eclipse since I don’t need it for classes now.
Before I explain I want to say that I have already tried all the methods provided in the stickied thread about removing malware trojans. Rkill, adwcleaner, hitmanpro and malwarebytes - all to no avail. Every time I restart the pc and scan it again, boom the malware is back. I move it to quarantine, restart, scan, and boom it's back. The quarantine vault is just the same 5 file names being duplicated. I've done this 5 times and now have 25 files in quarantine, all the same name. I've tried deleting them with malwarebytes and restarting, all without luck. It just keeps coming back.
I've noticed random searches open up in my tabs. Randomly my edge will also come out with an error when I don't even open it or use it ever and says: "Windows cannot access this path. You may not have permission to access file"
I have no idea what to do, I even downloaded processexplorer to find the name of this process running in the background that keeps redownloading these trojans and can't find it. It's even causing games to freeze within minutes of booting them up.
EDIT: Sometimes even chrome won’t open and I’ll get an error “failed to load extension” and the specified manifest file path is the Trojan
EDIT 2: Issue is FIXED! Thank you guys all for your wonderful and helpful responses. You guys are the best!!
With transaction going live in a few days and exchanges showing a real price for the coin, we should also expect a wave of scammers, malware, dubious exchanges and so on.
Chia looks like it has a lot of momentum right now and you can be sure that with success will also come a lot of shady business. It is inevitable that there are going to be scammy people hopping on the bandwagon. So hold on to your hat, don't trust people blindly and – most importantly – keep your keys secure.
Hello, I'm not sure if this is the right place to ask about this, but I don't know what to do anymore.
Recently the IMVU client got a new update after a long time and after that, my antivirus has been corrupting the file since it's flagged as potential malware. I scanned with different antivirus, also malware scanners and they all came to the same conclusion flagging it as potentially malicious.
So I contacted the official support for the game (twice now) and they were rather rude and incompetent, telling me they couldn't give me any reason as of why it is happening because the antivirus was the one to blame, so they asked me to turn off my antivirus and windows firewall to install the software. I insisted it was completely crazy to expose my computer that way to something flagged as malicious and their only answer was telling me to trust them because the antivirus was just starting a chain of lies on them (they literally just said this)
My mother has been a user for nearly 8 years and it never happened, it's really saddening that the official support of a software gives this sort of "solutions" for their users.
Now my question is... Why could this be happening? Could a company send a virus or keylogger through an official update?
I'm interested in mining Monero, but when I tried to download XMRig, chrome blocked the download saying it was unsafe. I eventually downloaded it through Vivaldi, but it makes me wonder, what is it that makes Chrome see XMRig as a threat?
You might think nobody gets fooled by him, but I see comments from people who ran it in the comment section.
Just got the following email from QNAP...
Release date: May 13, 2021
Security ID: QSA-21-16
CVE identifier: CVE-2020-36198
Affected products: QNAP NAS running Malware Remover 4.x
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.
We have already fixed the issue in the following versions:
QNAP NAS running Malware Remover 3.x are not affected.
Now I must be worried about your black box security tool that has lousy logging and poor notifications? How about this... CLASS ACTION LAWSUIT..... This is getting insane and it's time for a wallet check.
It seems the invention of this first of its kind tool has triggered a back and forth war between malware developers and the single anti virus developer.
While it was great for pirates to have this tool at first, I feel it’ll lead to people engineering more and more advanced and stealthy malware.
Previously, malware devs would make something sloppy and if you were smart, you could clean up your phone and move on. It would affect the masses of pirates that were novices, but could never go under the radar for everyone.
This move has pushed for innovation in malware and more complex trickery than just installing a secondary deb.
What are people’s thoughts on this and am I wrong? If so, how?
This is not intended as an attack on the iSecure devs, it’s a great piece of work. Just an interesting turn of events
We have received a small number of reports of malware targeting SABnzbd instances that are exposed to the internet without username/password protection.
A script will be downloaded by the attacker and then added as a post-processing script, which will run a coin miner.
The NZB's used for these attacks are listed here.
The script also seems valid as a NZBGet post-processing script, so maybe it is also trying to target those.
Note that we show orange warnings in the SABnzbd-interface if users expose their system to the network (and thus potentially the internet) without username/password.... Maybe I should make those warnings red. 🙃
I don't know that this is guaranteed but like many I woke up this morning to read the news. I don't have ports forwarded and to my knowledge I wasn't using HBS 3 but sure enough, it was running and I got hit. Lesson Learned there I guess.
Anyway... I read over on Bleeping Computer an article on this and in the comments were some very helpful hints I thought I would spread wider : Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices (bleepingcomputer.com)
Basically it says to SSH into your box and run a command that shows you the log of 7Zip because in that log is the password they used to encrypt your stuff.
Valianthor's method which worked for many (but not me):
Try this command: cd /usr/local/sbin; printf '#!/bin/sh \necho "$@"\necho "$@">>/mnt/HDA_ROOT/7z.log\nsleep 60000' > 7z.sh; chmod +x 7z.sh; mv 7z 7z.bak; mv 7z.sh 7z; the encryption key would be stored in /mnt/HDA_ROOT/7z.log which you can then use to decrypt
I had updated all apps, QTS and rebooted before I read this and it didn't work for me but reading down there's a comment from keg415 that did work for me:
rebooting the QNAP should restore the original /usr/local/sbin/7z executable, which Malware Remover will then rename to 7z.orig and install the 7z wrapper script. The command: more "`getcfg MalwareRemover Install_Path -f /etc/config/qpkg.conf`/7z.log"
Massive props to those in the community helping those of us naïve enough to trust QNAP.
Now I guess I'm spending my weekend writing a script to trawl through the directory structure unencrypting this stuff!
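As an added example (not code from the post, the Bleeping Computer thread or QNAP), a small Python parser for the log that the 7z wrapper script above produces. It assumes each line of /mnt/HDA_ROOT/7z.log is the raw 7z argument list the wrapper echoed, and it pulls out the -p password together with the archive it was used on; the log lines, paths and password are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of what the wrapper script would append to /mnt/HDA_ROOT/7z.log:
# one line per 7z invocation holding its arguments. Paths and password are made up.
SAMPLE_LOG = """\
a -mx=0 -sdel -pEXAMPLEpassw0rd /share/Multimedia/photos.7z /share/Multimedia/photos
l /share/Multimedia/photos.7z
a -mx=0 -sdel -pEXAMPLEpassw0rd /share/Public/docs.7z /share/Public/docs
t -p
"""

# 7z takes the password glued to the switch: -p<password>. A bare "-p" means
# "prompt for it", so it carries no recoverable value and must not match.
PASSWORD_SWITCH = re.compile(r"^-p(.+)$")


def archives_and_keys(log_text: str) -> List[Tuple[str, str]]:
    """Return (archive, password) pairs for every archive-creating 7z run in the log."""
    result: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        tokens = line.split()
        # Only 'a' (add) and 'u' (update) runs can have created an encrypted archive;
        # listing ('l') or testing ('t') runs never wrote anything.
        if len(tokens) < 2 or tokens[0] not in ("a", "u"):
            continue
        password: Optional[str] = None
        archive: Optional[str] = None
        for tok in tokens[1:]:
            if tok.startswith("-"):
                m = PASSWORD_SWITCH.match(tok)
                if m:
                    password = m.group(1)
            elif archive is None:
                archive = tok  # first positional argument is the archive name
        if archive and password:
            result.append((archive, password))
    return result


def extract_7z_passwords(log_text: str) -> List[str]:
    """Return the distinct -p passwords seen in the log, in order of first appearance."""
    seen: List[str] = []
    for _, password in archives_and_keys(log_text):
        if password not in seen:
            seen.append(password)
    return seen


if __name__ == "__main__":
    for archive, key in archives_and_keys(SAMPLE_LOG):
        print(f"{archive}: -p{key}")
```

Feed it the real log with `archives_and_keys(open("/mnt/HDA_ROOT/7z.log").read())`; each pair is the archive path and the password to pass back to 7z for extraction.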
Hello, I'm still pretty new to the Cybersec-field, but already fascinated by viruses, spyware, worms etc. I'm trying to get a better understanding of the topic, and because I couldn't find much on Youtube/Google, I'd appreciate if someone could point me in the right direction to some resources/infos. Thanks
Edit: Okay, this has been quite the haul. I'm left with a lot of ends to pick up on. Thanks again to everyone who left a response and helped me along! Take care
I just received this notice from Malware Remover on two QNAP devices in different parts of the country.
Malware Remover: Removed the detected malware: MR2102
Both devices have outside port forwarding disabled, admin username disabled, with 2FA enabled. Myqnapcloud was enabled.
Anyone else receive this notice or find any information on MR2102? Google has failed me.
Update 4/26/21 - Looks like they sent the warning out again to everyone this morning as part of a malware remover update. It's not an indication of actually having the qlocker malware. Which is good! But frustrating and panic-inducing for sure.
Really curious if there ever has been a linux distro that was made for something like that. I can't really find much info on the subject either. Mainly just posts asking "is linux secure" or "can linux get malware" which is not what I'm looking for.
Edit: To be more specific; Malicious to the end user in a sense that the creators of that distro purposely included a keylogger or a rootkit or something of the like.
Every time I opened the Hotmail or Mercado Livre login (yes, specifically on those sites) a pop-up (obviously fake) appeared for me to enter my details. I, sly as I am (read this in Boça's voice), immediately suspected what it was. I spammed fake data into the credentials, and then I get the following message:
"Dados Incorreto , Digite Novamente" (Incorrect Data, Type Again). Yes, written in that wonderful way that doesn't give away its fake nature at all.
That's when I was fully certain it was a scam, because I couldn't move the mouse out of the window, couldn't close it, alt-F4 or anything like that.
I ran every kind of scan, HitmanPRO, Malwarebytes, RKill, adwcleaner, and had no success. I was forced to format the computer; fortunately my important documents were on OneDrive and I didn't lose much.
If it were a less savvy kind of user, my dad for example, he would have entered the details easily without even suspecting a scam. The question is, how did I catch this crap? I have no idea how I got it or how it survived so many processes. Consider this a warning for anyone who runs into this plague.