- Dec 12, 2016
- 1,143
How I got infected last time thread
- Thread starter Soulbound
- Start date
Stenographers
Level 2
- Nov 11, 2022
- 49
Lets be honest - this kind of thing happens to everyone. Even the most security conscious of us have fallen prey. I accidentally ransomware'd my home computer. I had a sample of the malware and was going to rename it from a .exe to something else so I couldn't accidentally double click it, well yeah I went and double clicked it when trying to do that and then had to do a wipe / restore. This was 2015 when I was still learning basic good habits when it comes to security research like "use a sandboxed system for handling samples" lol.
- Jun 24, 2016
- 2,391
Hi everybody, funny how you see a new thread of mine after some time and it's a story of how I suffered what I thought I'd never suffer again, since I've been malware free for more than a decade. I'm sharing this with you to let you know, and specially let novice users how careful we must be, since it's not even hard to get infected.
Today I commited a mistake. One single mistake, that costed me an infection, even when I thought I was truly protected. May this be a lesson for everybody, that if you, the user, are not careful enough, there will not be enough software to protect you.
HOW IT STARTED
I had to download a specific software today. Since the version I needed to install wasn't on the official site anymore, I headed to a Youtube video that would let me download it via Mediafire or MEGA.
I clicked the video, made a quick check of it, checked comments to see what users said about this download, and since everything was positive, I downloaded the file.
I launched the executable file, and after some seconds, nothing happened. That's when I knew something was wrong. I immediately opened Process Explorer and Task Manager to see any possible suspicious process, and before these two even open, my theory became a reality.
Norton detected suspicious activity too. But here's the catch. Norton didn't detect the malware process. What we're seeing up there is Norton Intrusion Prevention System, which is basically like a firewall. It scans network traffic for attack signatures, such as social threats and outbound attacks, that identify attempts to exploit vulnerabilities in your operating system or in a program that you use.
And here's the other catch. The malware was still active in my system. and we had a loop. The malware process was a type of trojan that steals all the system's stored passwords. It was when this malware tried to contact home that Norton realised this was supicious activity and realised what was going on. But here are three problems:
RESOLUTION AND CONCLUSSION
Yup, probably guessed right.
Long story short; malware neutralized, no information stolen and day saved.
Once this was over, I headed to the Youtube video where I downloaded the file, and realised the mistake I had made: everything was fake.
Hopefully this is a lesson for everybody, most specially for me, that mistakes can be made and can cost us a lot. Luckily, I was spared to live some years more.
Also, after the semi-failure I saw today in Norton's protection, I might be re-thinking my comeback to Kaspersky.
Today I commited a mistake. One single mistake, that costed me an infection, even when I thought I was truly protected. May this be a lesson for everybody, that if you, the user, are not careful enough, there will not be enough software to protect you.
HOW IT STARTED
I had to download a specific software today. Since the version I needed to install wasn't on the official site anymore, I headed to a Youtube video that would let me download it via Mediafire or MEGA.
I clicked the video, made a quick check of it, checked comments to see what users said about this download, and since everything was positive, I downloaded the file.
- Norton Antivirus didn't pop when downloaded, so the first test was done.
- A right click context scan didn't show malware, so second test was done.
- I decided not to upload the file to VirusTotal, since Norton came clean and Youtube comments were positive.
I launched the executable file, and after some seconds, nothing happened. That's when I knew something was wrong. I immediately opened Process Explorer and Task Manager to see any possible suspicious process, and before these two even open, my theory became a reality.
Norton detected suspicious activity too. But here's the catch. Norton didn't detect the malware process. What we're seeing up there is Norton Intrusion Prevention System, which is basically like a firewall. It scans network traffic for attack signatures, such as social threats and outbound attacks, that identify attempts to exploit vulnerabilities in your operating system or in a program that you use.
And here's the other catch. The malware was still active in my system. and we had a loop. The malware process was a type of trojan that steals all the system's stored passwords. It was when this malware tried to contact home that Norton realised this was supicious activity and realised what was going on. But here are three problems:
- Norton wasn't smart enough to quarantine the file calling constantly home
- Each network connection malware tried to do was blocked, but malware was still active
- Neither Norton's "smart" or full scan were able to detect the malware, even when it was triggering Norton's IPS
RESOLUTION AND CONCLUSSION
Yup, probably guessed right.
Long story short; malware neutralized, no information stolen and day saved.
Once this was over, I headed to the Youtube video where I downloaded the file, and realised the mistake I had made: everything was fake.
- Unknown author
- Literally posted 6 hours ago and already had 47 comments
- Video title was in spanish and all coments in english
- All comments were positive and posted at literally the same time
Hopefully this is a lesson for everybody, most specially for me, that mistakes can be made and can cost us a lot. Luckily, I was spared to live some years more.
Also, after the semi-failure I saw today in Norton's protection, I might be re-thinking my comeback to Kaspersky.
- May 26, 2014
- 1,339
A pity, I hope that no important data of yours was leaked, I believe that Norton's firewall was able to block at least this part of the attack.
Unfortunately even the most experienced members, enthusiasts and security professionals can be victims of attacks, as happened for example with Jim Browning, a legend in exposing scam tactics who ended up falling for one.
About Norton, I'm using it at the moment because it's incredibly light, practically zero impact on PC activities and especially on browsing, but I confess that I don't feel as protected as when I use Kaspersky, Bitdefender or even ESET.
Unfortunately even the most experienced members, enthusiasts and security professionals can be victims of attacks, as happened for example with Jim Browning, a legend in exposing scam tactics who ended up falling for one.
About Norton, I'm using it at the moment because it's incredibly light, practically zero impact on PC activities and especially on browsing, but I confess that I don't feel as protected as when I use Kaspersky, Bitdefender or even ESET.
- Jun 24, 2016
- 2,391
That's literally me. I've been using it (Norton) for probably less than a year now, and I've fallen in love with how light and efficient it is. But I do not feel as protected as with Kaspersky, basically because it lacks an Application Control module. And after today, I am even more worried. This is literally the only time the Behaviour Blocker should've popped up (since I never commited a mistake like this) and it didn't... at all. Yes, maybe it 1/100 and the other 99 attacks would've been blocked, but the very first opportunity it had, it failed. Sad....
- Mar 29, 2018
- 6,756
I'm guessing VS wouldn't have stopped it, since your operating assumption was that the file was safe, you would have allowed it? Or would it have ?
- Jan 8, 2011
- 22,293
Any more details about the malware strain you contracted?
System Infected: Redline Stealer Activity 2
Pretty self explanatory, Redline or some other kind of info-stealer, like VIDAR or Racoon/Recordbreaker.
- Mar 16, 2019
- 3,555
A silly mistake, but it happens to the best of us.
I very often test products against this type of malware targeted to home users that can be found on Google search, YouTube Search and torrent sites.
From what I have seen,
ESET detects 9/10 of these files by signature/heuristic and on some rare occasions by the local ML/Augur detection prior to execution. The others after execution.
Avast detects 7/10 by signatures prior to execution. Some after execution and saw it missing two last month but not recently. Maybe it has improved.
Norton 2/10 by signatures prior to execution. Sometimes detects payloads which stops the attack or via IPS via like yours with Redline stealer activity or backdoor activity in case of backdoor samples. So I think the data remains safe.
Microsoft Defender detects 0/10 by signatures prior to execution even a week later but after execution detects payloads and end up protecting the system 9/10 times.
Bitdefender and Kaspersky on average 0/10 by signatures prior to execution when the sample is new. Bitdefender detects all I tested pretty quickly after execution by behavior. Sometimes it doesn't delete the main sample file, sometimes it does.
Kaspersky detects by behavior at a slightly later stage but prior to any data getting stolen and always perform a perfect cleanup.
These malware are changed almost every day with new C2C servers to communicate. But the behavior remains similar mostly. Norton should have found something by now to detect the activity by their BB aka SONAR.
I very often test products against this type of malware targeted to home users that can be found on Google search, YouTube Search and torrent sites.
From what I have seen,
ESET detects 9/10 of these files by signature/heuristic and on some rare occasions by the local ML/Augur detection prior to execution. The others after execution.
Avast detects 7/10 by signatures prior to execution. Some after execution and saw it missing two last month but not recently. Maybe it has improved.
Norton 2/10 by signatures prior to execution. Sometimes detects payloads which stops the attack or via IPS via like yours with Redline stealer activity or backdoor activity in case of backdoor samples. So I think the data remains safe.
Microsoft Defender detects 0/10 by signatures prior to execution even a week later but after execution detects payloads and end up protecting the system 9/10 times.
Bitdefender and Kaspersky on average 0/10 by signatures prior to execution when the sample is new. Bitdefender detects all I tested pretty quickly after execution by behavior. Sometimes it doesn't delete the main sample file, sometimes it does.
Kaspersky detects by behavior at a slightly later stage but prior to any data getting stolen and always perform a perfect cleanup.
These malware are changed almost every day with new C2C servers to communicate. But the behavior remains similar mostly. Norton should have found something by now to detect the activity by their BB aka SONAR.
- May 26, 2014
- 1,339
Interesting, which of these products in your tests do you like more? ESET seems to be the one with the best signatures/heuristics as expected ...
- Oct 6, 2021
- 155
How ironic, last week I got infected with Kaspersky Free installed on my system, no alert, only after a few hours I found out that I was infected, unfortunately there is no 100% antivirus 
- Feb 25, 2017
- 2,412
Glad that in the end everything worked out well. Still, Youtube is the worst option to download software from. I'm sure you have learned from that mistake tho.
- Jan 8, 2011
- 22,293
I am unfamiliar with this stain, can you go more in-depth? Are they common with modified versions of official apps? Who is most likely to be targeted?
- Feb 25, 2017
- 2,412
Redline stealer or other stealer malware are probably one of the most common malware families these days. They steal your stored cookies and other browser data like passwords (If saved in the browser). Best way to mitigate the risk is to store passwords in a password manager and also delete cookies on browser exit.
One more link:
RedLine: self-spreading stealer targets gamers on YouTube
Thanks to @RoboMan I was able to take a quick look at the malicious installer. And as many times before their approach is to enlarge the file size by adding data without any function. The file size is above 600mb so it's not possible to upload the file to VirusTotal or other malware analysis platforms anyway. At least not if you don't reduce the file size with an HexEditor for example. Here a little bit more detailed explanation:
Poisoned CCleaner search results spread information-stealing malware
Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report...
malwaretips.com
Last edited:
Youtube downloads ? Noooooooo... 
Mistakes happen all the time, we humans are not robots.
? Noooooooo... Mistakes happen all the time, we humans are not robots.
- Apr 17, 2021
- 440
A typical Redline Stealer malware. Fake crack. It is distributed via YouTube. This type of malware is usually 700 mb in size to evade detection.
In my opinion, I find Norton won’t do a deeper analysis on this kind of malware. Instead, it simply blocks by hash, which is quite ineffective.
Kaspersky, F-Secure and ESET can protect you from this kind of “over-compressed” malware.
In conclusion, I won’t recommend Norton to anyone, since its technology is outdated.
In my opinion, I find Norton won’t do a deeper analysis on this kind of malware. Instead, it simply blocks by hash, which is quite ineffective.
Kaspersky, F-Secure and ESET can protect you from this kind of “over-compressed” malware.
In conclusion, I won’t recommend Norton to anyone, since its technology is outdated.
Andrezj
Level 6
- Nov 21, 2022
- 249
redline stealer is malware as a service on dark web, the platform can produce a redline stealer executables of various types
it is a highly successful and profitable malware: RedLine Stealer (Malware Family)
redline stealer has been disquised as fake cracks, warez, gaming modules, even fake ccleaner crack and microsoft updates
the main method of distribution is social engineering through various web, youtube, email, and malicious office doc campaigns
users that want to use stuff, as is the case in this incident
covid emails with links that downloaded redline
redline stealer has been distributed thgrough facebook
it has been distributed through onedrive, google drive, and other cloud hosted links
the youtube campaign has targeted gamers and it has been a very effective campaign
the email campaign was a spray attack, so unknowledgeable or not security conscious are most susceptible
there was a malicious office document campaign where unsuspecting users opened the document and the macro downloaded and ran the initial redline stealer
redline stealer has been around for 2 years, it has evolved technically, that various campaigns used every method possible to get users to infect their systems
I told everybody countless times that Norton was trash. It made my PC infected last time.
Norton can be good in tests but in reality, it can miss simple malwares that ever other AV can detect and Norton had signature for them (but still missed). It's very inconsistent
Norton can be good in tests but in reality, it can miss simple malwares that ever other AV can detect and Norton had signature for them (but still missed). It's very inconsistent
- Dec 29, 2014
- 1,712
Hello everyone.
I don't know of an event I know was malware, but I did have an episode recently when I installed Windscribe. I have a 50 GB data account, but I had stopped using the account. Got an e-mail from Windscribe, so decided to try it again. Less than a week later someone hacked my main e-mail account. Windscribe was the only thing that had been changed on the system recently, so I changed the password for the e-mail and uninstalled Windscribe. That was a couple of weeks ago, and no further issue so far
Interestingly, recently I got hit by a large amount of spam in the inbox of the same e-mail account. It was ads and unrelated to the password change, but I consider these type of e-mails phishing (using trademarks etc.). I sent a message to Microsoft explaining how the e-mail addresses were different for dozens of e-mails from the same sender. Because of the different e-mail addresses issue I couldn't just create a rule and auto reroute them. So I found the option and asked Microsoft if they could please reroute these e-mails on their end to junk or deleted messages. To my surprise, within three days the e-mails completely ceased. I guess the plea I made to MS worked. I was surprised, especially since I am not paying for Outlook.
I don't know of an event I know was malware, but I did have an episode recently when I installed Windscribe. I have a 50 GB data account, but I had stopped using the account. Got an e-mail from Windscribe, so decided to try it again. Less than a week later someone hacked my main e-mail account. Windscribe was the only thing that had been changed on the system recently, so I changed the password for the e-mail and uninstalled Windscribe. That was a couple of weeks ago, and no further issue so far
Interestingly, recently I got hit by a large amount of spam in the inbox of the same e-mail account. It was ads and unrelated to the password change, but I consider these type of e-mails phishing (using trademarks etc.). I sent a message to Microsoft explaining how the e-mail addresses were different for dozens of e-mails from the same sender. Because of the different e-mail addresses issue I couldn't just create a rule and auto reroute them. So I found the option and asked Microsoft if they could please reroute these e-mails on their end to junk or deleted messages. To my surprise, within three days the e-mails completely ceased. I guess the plea I made to MS worked. I was surprised, especially since I am not paying for Outlook.
- Mar 29, 2018
- 6,756
Similar threads
- Locked
