Solved Persistent malware in Edge
-
@gjacobse said in Persistent malware in Edge:
@scottalanmiller said in Persistent malware in Edge:
The obvious business decision is... re-image and move on. It's likely infected and at risk. For learning, that's a different story. Although the best lesson is normally to just re-image and move on
Sadly I agree with @scottalanmiller - Edge is just garbage,.. IMO - Firefox and Chrome are better with uBlock.
I completely agree. I talked with the client and they are going back to Chrome (I prefer Firefox, but to each their own). So the client isn't so worried about Edge working, now it's just a learning point with Edge since they don't need their computer for the rest of the day.
-
Probably one of the biggest reasons I want to learn why, is I've had to argue with a lot of bosses about why I reimage rather than just fix the application.
My reasons are always the same:
*There is a clear infection. Fixing the application doesn't resolve how deep it could go, scans may not reveal everything. It's questionable.
*Reimaging with MDT/WDS, SCCM, FOG, etc... takes about 30 minutes (faster if you have it really well configured). Why would I spend even a second figuring it out, when I could hit 3 buttons and walk away for 30 mins?
But, that aside. Still a learning opportunity of why the application acts the way it does and how I can resolve such a small issue. My guess is that it's something that has actually been written to the registry. But it should still be something in AppData/ProgramData that then goes out and references a registry entry. Because if there was nothing in AppData, then the registry entry would be a stale item that does nothing, and even gets removed by CCleaner.
-
@BBigford said in Persistent malware in Edge:
Probably one of the biggest reasons I want to learn why, is I've had to argue with a lot of bosses about why I reimage rather than just fix the application.
How does learning that help with the bosses not understand business basics of cost and risk?
-
@BBigford said in Persistent malware in Edge:
*Reimaging with MDT/WDS, SCCM, FOG, etc... takes about 30 minutes (faster if you have it really well configured). Why would I spend even a second figuring it out, when I could hit 3 buttons and walk away for 30 mins?
Don't leave it there.... restate it like this.
"Why would I spend even a second figuring it out, when I could hit 3 buttons and walk away for 30 mins and save the company loads of money for sure, while also being certain to have solved the problem rather than taking an unnecessary risk and put the company in danger of having it's data stolen for no reason?"
You can also add "basic best practice for both IT and business."
-
@BBigford said in Persistent malware in Edge:
But, that aside. Still a learning opportunity of why the application acts the way it does and how I can resolve such a small issue.
No infection is "such a small issue." Sure, it might be small, but unless you know everything about it (and if you did, it would be fixed already) you don't know if the issue is small, or just the symptom.
-
What is the FULL path of the URL that it is going to?
-
@scottalanmiller said in Persistent malware in Edge:
@BBigford said in Persistent malware in Edge:
Probably one of the biggest reasons I want to learn why, is I've had to argue with a lot of bosses about why I reimage rather than just fix the application.
How does learning that help with the bosses not understand business basics of cost and risk?
It could help me understand what is getting changed, so that could give me more insight as to the severity of the infection. But, as you've already pointed out, that is pointless to the argument.
The biggest reason I want to learn this, is if I don't understand something, the not knowing drives me crazy.
-
@scottalanmiller said in Persistent malware in Edge:
What is the FULL path of the URL that it is going to?
-
@BBigford said in Persistent malware in Edge:
It could help me understand what is getting changed, so that could give me more insight as to the severity of the infection.
If you know this is just for learning, then yes. If you are doing this in a business, no. You can never be totally certain that you know the depth of an infection, only the depth of one part. A deep infection might masquerade as a shallow one to trick you into thinking you were able to fix it, for example. Or a multi-part infection might have you feel confident in having found one part and not another.
There is no certain fix to a compromised system. This is a fundamental rule of IT security. You can never be sure without rolling back or re-imaging. Any perceived security or fix is smoke and mirrors, you can never be certain enough to put back into production. The advantages of figuring out what happened are myths. What you know is that you no longer know the system and there is only one path back to a know state.
-
@BBigford said in Persistent malware in Edge:
Look in the command line in the quicklaunch shortcut for Edge. Possible that it is hidden in there. Try launching Edge from the command line directly, I bet it works. It's the shortcut that is the issue.
-
@scottalanmiller said in Persistent malware in Edge:
@BBigford said in Persistent malware in Edge:
Look in the command line in the quicklaunch shortcut for Edge. Possible that it is hidden in there. Try launching Edge from the command line directly, I bet it works. It's the shortcut that is the issue.
Genius!
-
@BBigford it worked?
-
In a situation like this, while I still recommend re-imaging, things like the full URL are important because these attacks are not random (for all intents and purposes) but very targeted. So the URL is the most important part of determining what attack it is.
-
@scottalanmiller said in Persistent malware in Edge:
@BBigford it worked?
Sure did. So there is something infected about the link in the taskbar specifically. That's pretty interesting.
-
@scottalanmiller said in Persistent malware in Edge:
In a situation like this, while I still recommend re-imaging, things like the full URL are important because these attacks are not random (for all intents and purposes) but very targeted. So the URL is the most important part of determining what attack it is.
I agree. Re-imaging would be best. Can you expand on what you mean with specific URLs? Do you mean determining its intent, like if it is redirecting you to a "Microsoft Support" site, vs. just hijacking your search session, etc?
-
@BBigford said in Persistent malware in Edge:
Can you expand on what you mean with specific URLs? Do you mean determining its intent, like if it is redirecting you to a "Microsoft Support" site, vs. just hijacking your search session, etc?
Yes, in your original post you were looking for generic Edge hijacks and intentionally blocking including the URL information of where it was going. But it was always going to the same URL. That there was an issue with Windows, Edge, hijacking or anything else was trivial compared to the importance of the URL. Why did you mention the URL but never just copy and paste it completely?
The reason that you didn't find the fix was that you were looking for very generic information about infections, rather than the one specific piece of info that you had - the URL. The URL was very unique to the infection. Knowing the URL took us straight to the answer.
-
It's hard to say in a generic situation which pieces of information will matter, but including more info rather than less is good. But in this situation, I was able to guess that the URL was the needed piece of the puzzle.
We see this in WordPress infections regularly. Any given infection or attack will have a fingerprint - often it's behaviour. In this case, the behaviour was to go to a specific link (that probably generates revenue, that's the reason for the attack). By knowing who is making the money, you can tell how they likely did it.
-
@scottalanmiller said in Persistent malware in Edge:
@BBigford said in Persistent malware in Edge:
Can you expand on what you mean with specific URLs? Do you mean determining its intent, like if it is redirecting you to a "Microsoft Support" site, vs. just hijacking your search session, etc?
Yes, in your original post you were looking for generic Edge hijacks and intentionally blocking including the URL information of where it was going. But it was always going to the same URL. That there was an issue with Windows, Edge, hijacking or anything else was trivial compared to the importance of the URL. Why did you mention the URL but never just copy and paste it completely?
The reason that you didn't find the fix was that you were looking for very generic information about infections, rather than the one specific piece of info that you had - the URL. The URL was very unique to the infection. Knowing the URL took us straight to the answer.
What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?
-
@BBigford said in Persistent malware in Edge:
What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?
It was a hint in one of your posts (maybe the OP), you included the word "spigot" which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure, was a specific money making link of some sort.
-
@scottalanmiller said in Persistent malware in Edge:
@BBigford said in Persistent malware in Edge:
What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?
It was a hint in one of your posts (maybe the OP), you included the word "spigot" which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure, was a specific money making link of some sort.
Ah, ok.