
Trojan Strathclyde Police


  • My son's computer was infected with this yesterday. Aside from the fact he'd done nothing wrong, it was easy to spot that it was fake (spelling mistakes etc.). So, using my own PC, I downloaded Malwarebytes Anti-Malware (free) onto a memory stick, then booted his computer into safe mode (by repeatedly pressing F8 during startup), installed Malwarebytes from the memory stick and ran the program. I did a full scan and it quickly found the offending files and removed them. The PC, which is brand new and supposedly protected by McAfee Security (fully updated), is fine now thankfully. Having looked online, I see this is becoming a big problem. I did come across the below article from the BBC, in which Strathclyde Police say that anyone experiencing this problem should report it to their local police.
    http://www.bbc.co.uk/news/uk-scotland-glasgow-west-15910819
  • g7mjv
    I'm getting quite a few computers in that are infected with this. Wiltshire Police even put this on Twitter the other day.

    I know of a couple of people who have been so worried that they've taken their laptops to the police station.
    Andy - Salisbury, Wiltshire.
  • QuackQuack wrote: »

    Currently attacks aimed at the core of domestic gateway routers running Busybox (A Linux-esque executable) have increased and I've seen units with malware (and backdoors) dropped into them that spoof DNS and intercept web traffic.

    ...and how on earth are we all meant to find/protect against this sort of thing (other than changing the password of the router) - or how did you find it?

    I have always wondered about router software security tbh, seeing as it is seemingly unchecked by the AV programs and the PC user has very little access into the router and its software. The fact that firmware upgrades are possible indicates to me that malicious code could be inserted, whereas if it was in read-only, non-changeable fixed memory it would be impossible.
  • ...and how on earth are we all meant to find/protect against this sort of thing (other than changing the password of the router) - or how did you find it?

    I have always wondered about router software security tbh, seeing as it is seemingly unchecked by the AV programs and the PC user has very little access into the router and its software. The fact that firmware upgrades are possible indicates to me that malicious code could be inserted, whereas if it was in read-only, non-changeable fixed memory it would be impossible.

    It's right to be bothered about it. I've seen a number of attacks ranging in sophistication. I won't go into too much technical detail as I'll bore people, but a few points and a few examples:

    1: Configuration changes such as altered DNS servers and static routes added. These are lame and simple attacks to carry out and the results can be devastating.

    It may come as no major surprise that the majority of attacks occur because attackers go looking for low-hanging fruit. This starts with routers where administration is possible remotely from the WAN side of the router. Naturally, leaving the default username and password in place for the device is suicidal in combination with having any WAN-side access open - it does not matter if it is WEB/HTTP, TELNET, SSH or FTP. Always change passwords and make them as long and complex as possible. Tools like Hydra can rapidly perform brute-force attacks against any services open to the outside world, and if you happen to have anything open to the outside world, password complexity is all that is holding them back.

    Mitigation: make sure all administration services are LAN-side only and make passwords long and complex. On some devices this is not easy, as the service provider leaves certain ports or services open/running for their own convenience. Replacement of such devices may be the best option.

    2: CSRF - this is nasty and increasingly common, and many devices are vulnerable to differing levels. Here is the scenario: you've blocked remote access so an attacker can't get at your router web interface, right? A simple, harmless demo. For many users, if you click on this link: http://192.168.1.1 it will pop up a login page for your router (there are variations, but it's the most common). Where it gets nasty is if that router fails to log you out in a reasonable time. An attacker can craft more onto that URL to start changing things. This type of attack does not necessarily need you to click a link - JavaScript on a page can fire it off automatically in the background on load. This can even be crafted to auto-login using 'admin/admin' or other combinations - hence even if you've blocked external access, leaving default passwords is never a good plan.

    Mitigation: Always physically log out of your router. Make sure your home router logs you out quickly if you forget. Don't save logins for routers in your browser's password keeper. Basically, if you are able to log into your router, shut your browser, come back to it an hour later and be taken straight into a menu without being challenged for a password, you've potentially got a nasty problem.
    [uhum, hello older Drayteks and Linksys]

    3: Guest and Service accounts - very helpfully some manufacturers have devices out there with guest accounts that, believe it or not, allow you to change settings and upload new firmwares! I've physically seen a number of Zoom devices seriously compromised beyond repair where a hacker has got in using the guest/guest account and made changes to the underlying Busybox Linux. The changes are typically targeting DNS hijacking and web traffic interception.

    Mitigation: Check for and disable guest/service accounts. If you can't disable them, make the passwords long and complex. Typically these features are not well documented.

    4: LOGGING IS YOUR FRIEND!
    Make sure you check the logs on your router and look for login attempts or changes. If you can, setting up a syslog server and having your router log to it is useful (if it has the facility); that way, if someone does get into your router and clears the log to cover their tracks, it won't clear the remote syslog and you'll be able to see what has happened to some extent. The usefulness depends on the quality of the logging the router gives.

    5: Wireless & DSL settings can be used against you!
    A router that can be accessed read-only, with no changes possible, is still useful to the hacker. Your ISP login may contain your phone number or default ISP account details, which may enable an attacker to log in to your ISP's customer portal and impersonate you, possibly stealing personal and financial data. Your wireless station name may be able to nail you thanks to war drivers and sites like wiggle.com. Your wireless passphrase may be a common password you use.

    Mitigation: There is not much you can do about the format your ISP gives you for your login name, but if you get to choose the password, make sure it is nothing like any other password you use. With your wireless, make sure your PSK is long and nothing like anything else you use. Change your station name often to thwart war drivers. Adding '_nomap' to your station name is supposed to make Google opt you out of their (B)SSID database when they next drive round your neighbourhood scanning and photographing.

    These basic points can help, but it's not an exhaustive list - just the basics.

    I don't like to name names, but I would urge TalkTalk customers to be extra vigilant. Despite their spin on being 'secure', a cursory scan of any of their ranges will quickly find loads of Huawei devices with default logins, customer phone numbers as logins and rapidly changeable routes and DNS servers. You'll often hear that TalkTalk users have had problems with DNS and had to change the servers allocated in their router because they have stopped working. What you won't hear so loudly is that this can often be POST ATTACK, that is, months after an attacker got into a router and changed the settings to point to their own dodgy, poisoned DNS servers. The plug gets pulled on these and all name resolution stops for the unwitting TalkTalk customer. I would add it does happen to other providers, but TalkTalk did have an amazing amount of 'low-hanging fruit' hanging off their IP ranges - it was something else.

    I'd like to add a bit regarding IP CCTV cameras and home NAS boxes - many of which are open to the Internet unwittingly - but I'll save that for another topic on another day.

    In the meantime you can scan what is open in a number of ways. Either using the basic scan at Shields Up: https://www.grc.com
    This tends to miss quite a bit, so you can also find out your public IP using something like What's My IP: http://www.whatsmyip.org/
    Then do a remote stealth NMAP check on it with this tool: http://nmap-online.com/ Use the custom option -sS -PN -T4 1.2.3.4 [where 1.2.3.4 is your public IP address]

    Hope this rambling, long, boring post is useful to someone. Apologies for any grammar or spelling gremlins that may have crept in.
  • I meant to also add, consider setting your clients' networking needs up statically (IP, subnet mask, gateway and DNS) - rather than letting your router's DHCP server do the job.

    I'm sure everyone knows, but Google's public DNS servers are currently secure, fast and free:
    8.8.8.8
    8.8.4.4
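The logging advice in QuackQuack's post (point 4) is only useful if someone actually reads the logs, so here is an added example, not code from any poster in this thread, of a small checker run over constructed router syslog lines. It flags the patterns the post describes: WAN-side logins, guest/service account use, brute-force bursts, and a DNS server changed to something other than the ISP's resolver or the public ones named in this thread. The log line format, the 203.0.113.7 and 198.51.100.66 addresses and the 192.0.2.53 ISP resolver are all assumptions; real routers log differently, so the regexes will need adapting.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic syslog style (assumption: real routers differ,
# so adapt LOGIN_RE / DNS_RE below to your own device's log format).
SAMPLE_LOG = """\
Nov 28 21:01:02 router auth: login failed for user admin from 203.0.113.7 via telnet
Nov 28 21:01:03 router auth: login failed for user admin from 203.0.113.7 via telnet
Nov 28 21:01:03 router auth: login failed for user root from 203.0.113.7 via telnet
Nov 28 21:01:04 router auth: login failed for user admin from 203.0.113.7 via telnet
Nov 28 21:01:05 router auth: login failed for user admin from 203.0.113.7 via telnet
Nov 28 21:02:10 router auth: login succeeded for user guest from 203.0.113.7 via http
Nov 28 21:02:45 router config: dns server changed from 192.0.2.53 to 198.51.100.66
Nov 29 08:15:00 router auth: login succeeded for user admin from 192.168.1.20 via http
"""

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Resolvers you expect to see: your ISP's (192.0.2.53 is a constructed stand-in) plus the public ones from the thread
TRUSTED_DNS = {"192.0.2.53", "8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}
FAIL_THRESHOLD = 5  # failed logins from one source/service before we call it brute force

LOGIN_RE = re.compile(r"login (failed|succeeded) for user (\S+) from (\S+) via (\S+)")
DNS_RE = re.compile(r"dns server changed from (\S+) to (\S+)")


def is_lan(addr):
    return any(ip_address(addr) in net for net in PRIVATE)


def analyse(log_text):
    """Return (severity, message) findings for the attack patterns described in the post."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        if m := LOGIN_RE.search(line):
            result, user, src, svc = m.groups()
            if result == "failed":
                failures[(src, svc)] += 1          # counted here, reported after the loop
            elif not is_lan(src):                  # point 1: admin access from the WAN side
                findings.append(("HIGH", f"WAN-side login as '{user}' from {src} via {svc}"))
            elif user in ("guest", "service"):     # point 3: guest/service accounts in use
                findings.append(("MEDIUM", f"'{user}' account used from {src} via {svc}"))
        elif (m := DNS_RE.search(line)) and m.group(2) not in TRUSTED_DNS:
            findings.append(("HIGH", f"DNS server changed to untrusted {m.group(2)}"))  # DNS hijack
    for (src, svc), n in failures.items():
        if n >= FAIL_THRESHOLD:                    # point 1: brute force (Hydra-style)
            side = "LAN" if is_lan(src) else "WAN"
            findings.append(("HIGH", f"{n} failed logins from {src} ({side}) via {svc}"))
    return findings
```

Point the script at the text file your syslog server writes (or a log export from the router's web interface) instead of SAMPLE_LOG; the whole value of remote syslog is that the attacker clearing the router's own log does not remove these lines.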
  • A very interesting and informative 2 posts from 'QuackQuack'.
    Thank you indeed for taking the time to write it all down for us.
  • For those that don't like Google for any reason, there is also OpenDNS.
    https://www.opendns.com

    There are some additional features like parental controls that you can optionally enable at the DNS level.

    Their servers are:
    • 208.67.222.222
    • 208.67.220.220
  • can anyone help - this has popped up on my laptop.

    I have restarted in safe mode and followed the instructions given at start of thread - RUN MSCONFIG - startup. But I do not know what item I need to delete.

    I have also tried turning on Windows security but it won't let me.
  • If you experience the problem with this horrible virus (also known as Metropolitan Police virus) the good solution for you has been recently developed. It is totally free and does not require any download of anti-virus software. The instructions given here are quite simple and should help you get rid of this ransomware.

    deletevirus.net/metropolitan-police-service-and-strathclyde-police-virus
  • aliEnRIK
    can anyone help - this has popped up on my laptop.

    I have restarted in safe mode and followed the instructions given at start of thread - RUN MSCONFIG - startup. But I do not know what item I need to delete.

    I have also tried turning on Windows security but it won't let me.

    If you've managed to get into SAFE MODE WITH NETWORKING and you're unsure what to remove, then try skipping the process

    Go into SMWN
    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_malwarebytes_anti_malware/
    Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated, go to SCANNER and click PERFORM QUICK SCAN, then click SCAN
    Remove everything that's found (needs to be ticked)
    Post the COMPLETE log here AFTER you've deleted everything it finds
    Then do the exact same but run a FULL scan

    Download CCLEANER
    http://www.filehippo.com/download_ccleaner
    Go to TOOLS and START UP and select SAVE TO TEXT FILE (bottom right). Post that text file here
This discussion has been closed.