This is probably not the right community but I haven’t found a better one.
So I watched a video from Seytonic where he mentiond that some malware creates a windows link with the name of the usb on a usb. So I checked my usb because I remembered that I had to click 2 times on my usb to opened it. I found a link that contained cmd.exe and a name of a file next to it. Upload to the virustotal showed Raspberry Roblin worm.
I use Linux but my familly uses windows so I will have to go through all familly computers and remove the worm. Where can I find info how to remove this specific worm - Raspberry Roblin? On google I found a description about how the worm works but not specific files it creates and how to remove it.
The first page that shows up is microsoft.com and it says that windows defender detects the worm, but clearly it doesnt.
Edit: The worm was on one computer and it did not have windows defender installed. Seems like malware removed it and also disabled automatic updates. I installed MalwareBytes and sucessfully removed the worm :)
Same thing happened to RFK Jr
This was funny, but ugh - I hate when U.S. politics creeps into my tech discussions.
we’ve found the early bird.
Would you love your USB if it was a worm?
Yes.
What if it didn’t exist? Would you still love your USB then?
Try to clean your USB stick. Remove the worm and maybe use a cloth to remove the dirt.
In other words, wipe the USB stick.
I would use a microwave to kill any worms / eggs still remaining, just in case.
Rubbing alcohol should work in a pinch.
Better use a biologic solution. Put the usb outside with some seeds nearby to attract birds that should eat it
Better use a biologic solution. Put the usb outside with some seeds nearby to attract birds that should eat it
Try C-band UV Lamp instead.
At the end of the day, if nothing help’s, kill it with fire.
Do you want to see something cool? See: https://www.youtube.com/watch?v=Uf4Ux4SlyT4
Here is an alternative Piped link(s):
https://www.piped.video/watch?v=Uf4Ux4SlyT4
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
My bad. I was almost injecting another worm.
I’ll clean all USB sticks the house, just to be sure.
yea microwave all your sticks in your house at full power for 15 minutes.
Then mix bleach with ammonia
(Don’t actually do this as it generates chorine gas which is quiet deadly and unpleasant)
(what did you say? I can’t read or ty.e mani 93
Lisan al ghaieb!!!
I’ll also toss this hat into the ring - sysmon this is essentially a logging tool thats a bit better/nicer than the windows default, and categorizes all logs into very neat buckets that will make watching out for strange shit much much easier.
Sysmon is part of the sysinternals suite (vetted by the community + microsoft, which is sayin somethin lol) and you can make use this as the config file to use (Uses industry-standard MITRE Att&ck framework) which you can then use to correlate to more threats/malware authors/malware artifacts if you really wanna get your hands dirty/have some fun
To level set, Microsoft owns SysInternals, and has since 2006. None of it is “community vetted”, to me that implies FOSS or something.
Why would “community vetted” imply FOSS?
Microsoft has a massive community of users and sysinternals is highly regarded amongst amateur and professional users alike. The term “community vetted” makes perfect sense in this context.
Yeah, I use SysInternals stuff every day. Neither myself nor the community has vetted SysInternals tools any more than they have vetted outlook, teams, or word. Unless I’m misunderstanding the meaning of vetted.
Vetting in a program/application context as I understand it is that the code has been vetted, which can only be done by the community at large if the source code is provided. Just like with a person, vetting is doing an actual background check, where as vouching for someone is just one person telling a second person that a third person is chill or something.
Removed by mod
You could just do a Windows defender offline scan.
Removed by mod
Yeah I didn’t say it was perfect but does happen to be baked it
Edit: turns out there are brainwormed redditors out here. Ignore their downvotes and you will be fine following advice.
https://en.wikipedia.org/wiki/Eugene_Kaspersky
Yeah… No. Pick any other reputable company.
Kaspersky is one of many Russian “oligarchs”
Removed by mod
Any serious security expert is not a Russophobe
Categorically wrong. One of the core focuses many security experts care about IS government overreach/interference. Governments are one of the leading pressures for software vulnerabilities/backdoors. Doesn’t matter that it’s Russian, because this isn’t a “Russophobe” stance. However, Russian and Chinese interference is usually on a much larger scale than other countries and typically has a much higher amount of scrutiny than other countries because of this fact. Due to those countries policies it’s hard to trust code that comes out of either country.
https://www.cnet.com/news/privacy/kaspersky-lab-russian-hacking-us-government-national-security-faq/
“The case against Kaspersky Lab is overwhelming,” Sen. Jeanne Shaheen, a Democrat from New Hampshire, said in a statement. “The strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented.”
Isn’t it funny that many other Anti-viruses don’t seem to have these issues?
Case and point from other countries on the government pressure argument.
https://www.wired.com/story/australia-encryption-law-global-impact/
https://www.atlasobscura.com/articles/a-brief-history-of-the-nsa-attempting-to-insert-backdoors-into-encrypted-data
https://www.bloomberg.com/features/2021-supermicro/Many countries have these issues documented when interference happen. You know which ones don’t? The ones that you lemmy.ml shills usually defend. That’s not because they’re not doing it by the way.
Damn… And you’re a mod here? Anyone know of another community that is privacy focused and isn’t on lemmy.ml? A mod that doesn’t understand that closed source software with known ties to government entities is a problem.
Hell this isn’t even a “Dumb American” stance either (forget that I hold an eastern EU citizenship). https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations_of_Russian_government_ties has a whole section of “Concerns raised by other governments”. Virtually all of the EU also has this concern with Kaspersky. Additional countries included… It’s at the very least ODD that a company has such ties to a government. And the sheer PARANOIA that all “serious security experts” hold would immediately bar most of them from using the software due to that fact alone.
Hell it’s even typical for a security professional to outright block ALL Russian and Chinese internet traffic for their platform. Just because it’s not worth the effort to deal with those countries and all the risks that come with them. But right! This must be “Russophobe” and no “serious security expert” has a problem. You’re full of it dude(tte).
You are not one of those serious security people.
News to me… I guess I should turn in my CISO position. Who’s going to tell the R1 college that I taught at for years? All those thousands of students, many of which still reach out to me regularly and have made it quite far in industry?.. Hmm… Oh and it’s not an “appeal to fallacy” or any other logical fallacy when it’s me defending my own status from a bullshit claim.
Edit: for any non-admin 3rd parties wondering who downvoted me… 100% of those votes at the moment is lemmy.ml or lemmygrad.ml. Take with that what you will. To me that screams “How dare you talk facts about the motherland” vibes.
Edit2: Oh they also edited their post to seem more normal… Their original post said
Any serious security expert is not a Russophobe and regards Kaspersky as the best commercial tool provider for malware analysis, based on merit and not on nationality. You are not one of them. I do not trust Bitdefender, Norton, McAfee and other western companies with CIA backdooring, and since CIA does use metadata to kill people (just like Yemen or Palestine), it is a clear cut choice.
So basically ANY software not Russian, you seem to not trust. Claim it’s on merit… But only point out nationality. Don’t you find that odd that Russia can’t do no harm either? Even though other companies do not have as clear cut ties to their governments?
Activitypub is open by nature, kbin users can see everything that I’ve published.
Yes, we know how Activitypub and kbin/mbin work.
There’s no abuse happening here.
Others seem to disagree.
Nor is my instance just one person/user.
My sincerest apologies: three user instance 🙄
Others seem to disagree.
That’s fine. You/them can disagree all you want. Just realize that they’re using it too. I just disagree with the default Lemmy stance that users can’t see something that everyone else on the fediverse(including moderators and admin on any federated instance) can. And if they want to defederate me for that. I’m not sure I care. I’ve been defederated from one instance so far… it’s not been a major loss and definitely doesn’t weigh on my conscience at all.
My sincerest apologies: three user instance 🙄
I have no interest in disclosing how many users are using my instance. They can post things if they want. That’s up to them. Many are just lurkers though.
Removed by mod
This nonsense is largely invented by Democrats and people at Washington
Didn’t know my own analytics is Democrat/Washington run. I guess I should go yell at the people OPNsense (Suricata), WAZUH, and Crowdsec. They must be injecting false notifications about my networks being targetted by shit from Russia and Chinese owned IP space!
Yes I edited the post, but you also seem to abuse powers as an admin of your one man instance to see unedited content.
It’s an abuse of power to read the post that’s sent to my email? Well shit! Even for a moderator you seem to not even understand how lemmy works. Let me enlighten you. I got an email with your post in it because you responded to me. What an abuse of Administrative power! Forget that 100% of activitypub network is openly published and thus viewable by anyone… Ooops.
Lmfao… you reported my post… and likely blocked/“moderated” it on your instance. Don’t really care. To the point though, when 100% of downvotes on a comment is strictly from lemmy.ml or lemmygrad.ml instances. Yes, you’re shills, not a single opposing opinion between you. No discourse. No actual thought process occurring. Just “Russia/China good, rest world bad”. No nuance at all.
You also failed to address your stance that you published. Why is it that every other platform you originally listed was a problem where Kaspersky isn’t?
Removed by mod
And that includes a lot of the netsec people who see this stuff.
Wait a second! I though NO serious security people are Russophobe? Are you changing your story now?
Your own little vote charter shows one dbzer0 user upvoting as well
You have the evaluation backwards… Outside people are coming to different consensuses based on opinions and experiences that’s normal… It’s lemmy.ml and lemmygrad.ml that don’t. I would EXPECT that results were mixed, but for your instance it never is. You seem to have missed the point.
What if China and Russia started treating .us or .ca or such domains like this and demonise countries?
They literally do. Have you not heard of the great firewall? The vast majority of the internet is unusable to China… and requires a VPN to access anything. Hell, I’d say the lemmy.ml and lemmygrad.ml instances acting as hiveminds downvoting anything critical of Russia/China is also evidence of this. It’s OKAY to be critical of a government.
It is you people who project the hate you possess onto others, and you even manage to be proud of it like an absolute idiot with no merit based judgement capabilities.
Not even close. I evaluate everything as I see it. You seem to be making a lot of assumptions here. Kaspersky has strong ties to the Russian government that is sufficient to warrant any “serious security” person to evaluate a different solution.
I did not fail. It is too clear to me how you are parroting US propaganda, even quoting a Democrat (Russia hater party) about it.
Yet bitdefender is a problem… And you can’t address why Kaspersky would be any different… Talk about parroting.
What room is there for reasoning with a crow like you, shitting everywhere happily?
Crows (Corvid family) are the smart birds… You mean pigeon.
Edit: Actually come to think of it? Why the ravenous defense of Kaspersky at all? It’s just an anti-virus software no? Why does me disagreeing with the use of Kaspersky in this instance warrant “makes you look like the worst slurs I could summon for an incompetent clown.” Don’t you see how unreasonable you look? How you look like a frothing lunatic?
So we now who is on Lemmy.ml, got it
I think this is poor form, and I won’t be surprised or sad if your one-person instance gets defederated by other instances for this kind of behavior.
Activitypub information is public by design. Kbin users for instance can see this information openly. There’s nothing poor form here. My instance also isn’t 1 user. But whatever floats your boat.
Edit: It’s also well known…
https://kbin.social/m/lemmy@lemmy.ml/t/77983/Interesting-difference-from-Reddit-Upvotes-Downvotes-are-not-anonymous
https://old.reddit.com/r/RedditAlternatives/comments/14s1qki/psa_your_lemmy_activities_including_votes_are/
https://a.lemmy.world/lemmy.world/post/142436As I said, we know all of this. You’re just repeating yourself.
I’m sorry, where did I repeat anything?
This would be the first time in this thread I’ve said anything about it.
If “we all know this” then why state “I think this is poor form”?
Who’s de-federating kbin then? Nobody? Well then…
RFKJr can take it in, he’s got a free slot
Doesn’t virus total display a list of the AV software it triggered?
I generally use Malware Bytes on windows but I don’t know if it’s effective against that particular virus.
Yes it does but I haven’t checked whichones do end whichones don’t. But half of them do, thats important.
Have you run a full scan using Windows Defender?
Can you confirm that the worm is actually running?
AV software may remove the installed worm from the system, but not from the drive.
Probably a good idea to reformat the USB drive
PS. if all else fails, nuke and pave (reinstall the computers in your household, including your linux machine)
You should do this offline, as in, quarantine the situation.
Windows defender also has an offline scan mode which may be of use here - hard to say, dunno if they ever dropped a rootkit or any other av-dodging/persistence mechanisms
Time to switch to Linux (joking)
And here I was under the impression that using USB storage for anything else than installing operating systems was a thing of the past.
NVMe in a USB enclosure makes a pretty rad backup target a couple of times a week. The whole job is over and done in <2 minutes.
Yes, that’s true but I’m no longer doing that. Everything sync to the NAS using Syncthing that in turn is set with file versioning and weekly snapshots.
Ventoy is very useful for diagnostics too
And rEFInd, GParted Live… SystemRescueCd.
Out of curiosity, what do you use to transfer files between computers?
sftp.
SCP or a share on a NAS, personally.
Not everyone can afford a NAS
You can pick up old PCs for free-$50 that’ll suffice for a nas.
Maybe you can, but most people don’t have the money or the time. Check your privilege.
You dont need a Nas to transfer files over your local network
But where do you store them? My computer isn’t big enough for videos. Thats where cheap USB drives come-in
HDDs are cheap.
Not as cheap as USB drives
Personally, most stuff is in cloud storage. For local stuff I use syncthing.
But for the average person, I’d expect using iCloud, Google Drive, Onedrive, or Dropbox and then creating a shareable link for the other person.
I also can’t remember the last time I used a USB drive for anything other than installing an OS.
If I want to quickly share something from my phone, I use NGINX in Termux with autoindex enabled.
No need for anything else than browser on client-side.
Actually, on Play store there’s also a simple GUI app called “Simple HTTP server”, but NGINX feels fancier.Just a tip if you want to try this:
By default, error logs are kept. One source of errors is interface suddenly disappearing (i.e. your phone got disconnected from network). This error will be logged as quickly as it can be.
What happened (when this occurred)? I found my phone stuck in bootloop. The error log filled internal storage to the last byte causing Android system to crash and unable to reboot, which it tried again, again, again,… Bootloop. I just found my pocket suddenly feeling unreasonably hot.
In my case, forcing it into recovery, turning it off from there and retrying boot up freed 17MB from somewhere, allowing the phone to boot up.
Alternative to that would be a hard reset.Sounds crazy, but any app could fill the internal storage like that.
SMB (NAS), Syncthing, FileBrowser, snapdrop.net, email and sometimes public cloud services…
Syncthing is used if it is not a one time transfer. LocalSend is mainly for one time transfer. LocalSend needs things to be in the same network. The same WiFi router is enough. Syncthing can send files over the internet also.
There are browser based alternatives like ShareDrop . These tools are not as reliable as Syncthing and LocalSend, especially when it comes to single large files (more than a few GBs), like ISOs.
For one time transfer over the internet, another handy tool is Croc . This one also suffers from the large file related issues.
If I want to quickly share something from my phone, I use NGINX in Termux with autoindex enabled.
No need for anything else than browser on client-side.
Actually, on Play store there’s also a simple GUI app called “Simple HTTP server”, but NGINX feels fancier.Just a tip if you want to try this:
By default, error logs are kept. One source of errors is interface suddenly disappearing (i.e. your phone got disconnected from network). This error will be logged as quickly as it can be.
What happened (when this occurred)? I found my phone stuck in bootloop. The error log filled internal storage to the last byte causing Android system to crash and unable to reboot, which it tried again, again, again,… Bootloop. I just found my pocket suddenly feeling unreasonably hot.
In my case, forcing it into recovery, turning it off from there and retrying boot up freed 17MB from somewhere, allowing the phone to boot up.
Alternative to that would be a hard reset.Sounds crazy, but any app could fill the internal storage like that.
Localsend
Wut. Its where I store photos and videos
That’s not a good practice as USBs aren’t designed for long term storage. Maybe build some sort of NAS.
Lol any kind of flash storage suffers from degradation over time, it doesn’t matter whether you attach a computer to it or not
All the time, right now copying 400 MB onto one as an eBook Calibre library backup.
Here’s probably all the info you could ever need:
https://redcanary.com/blog/threat-intelligence/raspberry-robin/
Next, you need to get your systems scanned and cleaned. Malware bytes is likely enough, but I always recommend BitDefender. Their efficacy rates are always fantastic, and they have been leading the industry for several years now. Download the AV on a clean system, put on clean flash drive, and install that way.
Last, you’re gonna need to reset your passwords. Yes, I know that’s toxic af. But this is the reality and why we always need to be veeeery careful with what we do. This worm communicates with a c2 server which means it can update itself which makes detection hard, and it also means that, at one point it may have been spying on your activity (and it likely was if not continues to)
This stuff happens, don’t beat yourself up too much. Live and learn
Thank you for the link, it will help for sure!
I (not me but my family) always used just default Windows Defender but I heard good things about Malware bytes and BitDefender, I’ll checked them out.
Windows defender along with a system hardener (like hard_configurator) can actually be quite insanely strong, especially since windows defender starts working and blocking stuff long before non-system apps, which can be a big boon. This approach is also free (if you have windows) which seems to fit your needs!
I’d start with a offline scan.
If possible wipe the drive from Linux and reinstall Windows. Be mindful of any files as documents and other files can sometimes hide things. Make sure you reset all passwords as well. Start with email passwords and then go up from there.
Bitdefender usually goes on sale too - check for coupon codes, don’t pay full price. Plus you get like 5 devices with your license IIRC. Worth a shot
Oh it’s paid… I would rather install Linux, I don’t pay even for Windows.
And you got what you paid for, no?
I believe there is a free version as well but don’t think just because you’re installing Linux that you’re somehow safer.
There was just a package that was essentially socially engineered into by a hacker, who then had full access to everyone’s shit.
All because a GitHub author was pressured into letting them contribute to code. Mac/Apple are no different and starting to be more and more vulnerable as the “security by obscurity” wears off.
Free tools are fine and well, but that stuff is done for free. Including maintainence and everything else. In times like these, ain’t nobody got time for that anymore. People need to make a living and you will see degradation in the products thusly
I didn’t downvote you, but I think you’re assuming waaaay too much about OP’s life circumstances. For al we know, he’s an Argentinian teenage girl with an allowance, or a Vietnamese retired fisherman with no life savings.
Could be. However, the point stands, you’re gonna get what you pay for in the end. Not trying to be a dick ofc, but that’s the reality.
There are some well performing options that are free, but they are limited, and not too common imo
If anyone does have some good options, feel free to share as I may be unaware of them and think learning about them would be neat
if you’re changing all your passwords and switching to Linux anyway consider using a free software local password manager like KeepassXC, I use it along with syncthing and it’s great
The malware probably turned of defender. Try an offline scan
Actualy the malware somehow deleted windows defender and disabled automatic updates. I install MalwareBytes and run full scan and removed it.