Combofix has been infected with Sality! Do Not use!


14 replies to this topic

#1 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 30 January 2013 - 00:13

Combofix has been infected with Sality! Do Not use!!!!

Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

SHA256 Hashes of known affected versions are:

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8


In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.

The steps we suggest you take to make sure your computer is not infected are:

http://www.bleepingc...opic483431.html
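A quick way to act on the hash list above: hash every copy of ComboFix in a download folder and flag the ones on the published list before anything is run. This is an added example, not a tool from the post or from BleepingComputer; the three SHA256 values are the ones quoted above, and the `ComboFix*.exe` filename pattern is an assumption.

```python
import hashlib
from pathlib import Path

# SHA256 hashes of the affected ComboFix builds, exactly as published in the post above.
AFFECTED_SHA256 = frozenset({
    "4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333",
    "e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d",
    "e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8",
})


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA256 of an in-memory blob (used for constructed test input)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so a large executable never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str) -> str:
    """'affected' if the digest is on the published list, otherwise 'not_listed'.

    'not_listed' is not a clean bill of health: the list covers known affected
    versions and the timeframe may change, so a copy fetched after 2am EST on
    29 January should still be scanned.
    """
    return "affected" if digest.strip().lower() in AFFECTED_SHA256 else "not_listed"


def scan_downloads(root, pattern: str = "ComboFix*.exe") -> list:
    """Hash every ComboFix copy under root (assumed filename pattern) and return
    (path, sha256, verdict) tuples with affected copies first."""
    findings = []
    for p in Path(root).rglob(pattern):
        if p.is_file():
            digest = sha256_of_file(p)
            findings.append((str(p), digest, classify(digest)))
    findings.sort(key=lambda f: f[2] != "affected")
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else str(Path.home() / "Downloads")
    for path, digest, verdict in scan_downloads(root):
        print(f"{verdict:10} {digest}  {path}")
```

Run it with a folder path as the first argument; a copy reported as affected should be deleted and the machine scanned per the linked BleepingComputer topic.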


#2 Colin McGregor

Colin McGregor

    Neowinian Senior

  • Joined: 02-September 11
  • Location: Ontario, Canada
  • OS: Windows 8 x64, Gentoo x64 Sometimes
  • Phone: Samsung Ativ S WP8

Posted 30 January 2013 - 00:15

Isn't combofix a virus remover? LOL

#3 +Brando212

Brando212

    Causer of disasters

  • Tech Issues Solved: 10
  • Joined: 15-April 10
  • Location: right behind you
  • OS: OS X Mavricks, Windows 7/8.1 Pro
  • Phone: Sony Xperia ZL

Posted 30 January 2013 - 00:16

well ****.

at least he was fairly quick to react and take it down as soon as he found out. i wonder how that could have happened though

#4 +fusi0n

fusi0n

    The Crazy One

  • Tech Issues Solved: 1
  • Joined: 08-July 04
  • OS: OSX 10.9
  • Phone: iPhone 5S 64GB

Posted 30 January 2013 - 00:19

Thanks for the heads up!

#5 Roxkis

Roxkis

    Neowinian

  • Joined: 10-May 08

Posted 30 January 2013 - 00:25

Just downloaded and used combo fix yesterday. Also scanned with MSE, Malwarebytes, and Spybot afterwards. None of the scans picked up anything but i'm scanning with ESET's Online Scanner now just in case.

Thanks for the heads up warwagon.

#6 farmeunit

farmeunit

    The other white meat.

  • Tech Issues Solved: 2
  • Joined: 05-May 03
  • Location: Branson, MO USA

Posted 30 January 2013 - 00:42

> Just downloaded and used combo fix yesterday. Also scanned with MSE, Malwarebytes, and Spybot afterwards. None of the scans picked up anything but i'm scanning with ESET's Online Scanner now just in case.
>
> Thanks for the heads up warwagon.

Luckily, you got it before the infection if you downloaded yesterday.

#7 Raa

Raa

    Resident something-or-rather

  • Tech Issues Solved: 2
  • Joined: 03-April 02
  • Location: NSW, Australia

Posted 30 January 2013 - 00:52

I can't remember when I last used this. Seemed to cause more problems than it fixed.
Well, at least someone's onto the problem^

#8 Charisma

Charisma

    e-1337-ist

  • Joined: 02-May 10
  • Location: Galactic Sector ZZ9 Plural Z Alpha

Posted 30 January 2013 - 00:59

Wow, that's crazy. Thanks for the heads-up, warwagon.

#9 Roxkis

Roxkis

    Neowinian

  • Joined: 10-May 08

Posted 30 January 2013 - 01:42

> Luckily, you got it before the infection if you downloaded yesterday.

Yeah but it seems I'm infected anyhow.

How all these scanners I've used and they all missed all at...smh I guess it's been a few years since I formatted anyway.

#10 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 30 January 2013 - 01:49

> Yeah but it seems I'm infected anyhow.
>
> How all these scanners I've used and they all missed all at...smh I guess it's been a few years since I formatted anyway.

Those might not be infections per se, just the exploit files left over in your Java cache folder. What are the locations of those files?

#11 soldier1st

soldier1st

    Software Tester/Tech/Linux Lover

  • Tech Issues Solved: 1
  • Joined: 21-December 03
  • Location: Guess Where
  • OS: Windows 7,Android,Linux Mint
  • Phone: HTC Incredible S

Posted 01 February 2013 - 03:16

> Those might not be infections per se, just the exploit files left over in your Java cache folder. What are the locations of those files?

He should turn off Java's temp file option. I used to see those exploit names on users' PCs, but since I turned off the temp file option, I haven't seen those appear.

#12 Marshall

Marshall

    ▇ ▂ ▃ ▁ ▁ ▅

  • Tech Issues Solved: 4
  • Joined: 22-June 03
  • Location: USA
  • OS: Windows 7

Posted 01 February 2013 - 03:28

> Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.
>
> The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

Quote from BleepingComputer Admin:

> ComboFix is now live, clean, and available to download from its normal links.

They have it sorted apparently, the executable is now live again at BleepingComputer.

Read More Here

#13 +Audien

Audien

    Software Eng.

  • Joined: 30-December 03
  • Location: Seattle, WA
  • OS: Windows 8.1/Mac OSX
  • Phone: iPhone 5S

Posted 01 February 2013 - 03:47

I'm guessing this was an unsigned executable? Time to get a code signing certificate.

#14 +goretsky

goretsky

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 12-March 04
  • Location: Southern California

Posted 01 February 2013 - 07:06

Hello,

I am unsure of how that might have helped in this particular situation. From what I understand of the issue, it was the build machine that was infected.

Regards,

Aryeh Goretsky

#15 HawkMan

HawkMan

    Badass Viking

  • Tech Issues Solved: 3
  • Joined: 31-August 04
  • Location: Norway

Posted 01 February 2013 - 07:44

> Yeah but it seems I'm infected anyhow.
>
> How all these scanners I've used and they all missed all at...smh I guess it's been a few years since I formatted anyway.

That's not Sality, trust me :) I cleaned a few computers of it, and it specifically says W32 something Sality. It'll also start writing stuff to any USB stick you put in it.

The only tool that managed to get rid of it was the Kaspersky Sality killer, followed by the Sality remover which I believe is from AVG based on the logo.

> I'm guessing this was an unsigned executable? Time to get a code signing certificate.

Thing is, if you had an infected ComboFix, it didn't actually run, it'd just give an error that it was invalid, but Sality would still infect since it had taken over the exe, but ComboFix itself wouldn't run with the infected file.

Good thing they got it fixed anyway, since it's the absolute best tool to clean computers.

The computer I cleaned with Sality got it from somewhere else though, since that person wouldn't know a virus cleaner if it slapped her in the face. Over 600 infected files, a lot of them Sality, but also a whole bunch of other stuff.

Be warned that Sality does appear to somehow get through even with autoplay off, if you're cleaning. Her computer will need a full recovery though, hopefully it doesn't infect the recovery partition.
