this post was submitted on 13 May 2024
182 points (96.0% liked)

Privacy

31981 readers
256 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
182
submitted 6 months ago* (last edited 6 months ago) by [email protected] to c/[email protected]
 

This is probably not the right community but I haven't found a better one.

So I watched a video from Seytonic where he mentiond that some malware creates a windows link with the name of the usb on a usb. So I checked my usb because I remembered that I had to click 2 times on my usb to opened it. I found a link that contained cmd.exe and a name of a file next to it. Upload to the virustotal showed Raspberry Roblin worm.

I use Linux but my familly uses windows so I will have to go through all familly computers and remove the worm. Where can I find info how to remove this specific worm - Raspberry Roblin? On google I found a description about how the worm works but not specific files it creates and how to remove it.

The first page that shows up is microsoft.com and it says that windows defender detects the worm, but clearly it doesnt.

Edit: The worm was on one computer and it did not have windows defender installed. Seems like malware removed it and also disabled automatic updates. I installed MalwareBytes and sucessfully removed the worm :)

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 109 points 6 months ago (1 children)

Here’s probably all the info you could ever need:

https://redcanary.com/blog/threat-intelligence/raspberry-robin/

Next, you need to get your systems scanned and cleaned. Malware bytes is likely enough, but I always recommend BitDefender. Their efficacy rates are always fantastic, and they have been leading the industry for several years now. Download the AV on a clean system, put on clean flash drive, and install that way.

Last, you’re gonna need to reset your passwords. Yes, I know that’s toxic af. But this is the reality and why we always need to be veeeery careful with what we do. This worm communicates with a c2 server which means it can update itself which makes detection hard, and it also means that, at one point it may have been spying on your activity (and it likely was if not continues to)

This stuff happens, don’t beat yourself up too much. Live and learn

[–] [email protected] 14 points 6 months ago (2 children)

Thank you for the link, it will help for sure!

I (not me but my family) always used just default Windows Defender but I heard good things about Malware bytes and BitDefender, I'll checked them out.

[–] [email protected] 9 points 6 months ago (1 children)

Bitdefender usually goes on sale too - check for coupon codes, don't pay full price. Plus you get like 5 devices with your license IIRC. Worth a shot

[–] [email protected] 6 points 6 months ago (4 children)

Oh it's paid... I would rather install Linux, I don't pay even for Windows.

[–] [email protected] 3 points 6 months ago

if you're changing all your passwords and switching to Linux anyway consider using a free software local password manager like KeepassXC, I use it along with syncthing and it's great

load more comments (3 replies)
load more comments (1 replies)
[–] [email protected] 104 points 6 months ago (3 children)

Try to clean your USB stick. Remove the worm and maybe use a cloth to remove the dirt.

[–] [email protected] 45 points 6 months ago (4 children)

I would use a microwave to kill any worms / eggs still remaining, just in case.

[–] [email protected] 17 points 6 months ago (2 children)

Rubbing alcohol should work in a pinch.

[–] [email protected] 9 points 6 months ago

Better use a biologic solution. Put the usb outside with some seeds nearby to attract birds that should eat it

load more comments (1 replies)
[–] [email protected] 6 points 6 months ago (1 children)

Try C-band UV Lamp instead.

[–] [email protected] 3 points 6 months ago (4 children)

At the end of the day, if nothing help's, kill it with fire.

load more comments (4 replies)
load more comments (2 replies)
[–] [email protected] 11 points 6 months ago (1 children)

I'll clean all USB sticks the house, just to be sure.

[–] [email protected] 8 points 6 months ago (1 children)

yea microwave all your sticks in your house at full power for 15 minutes.

[–] [email protected] 4 points 6 months ago* (last edited 6 months ago) (1 children)

Then mix bleach with ammonia

(Don't actually do this as it generates chorine gas which is quiet deadly and unpleasant)

load more comments (1 replies)
[–] [email protected] 4 points 6 months ago (1 children)

In other words, wipe the USB stick.

load more comments (1 replies)
[–] [email protected] 52 points 6 months ago (1 children)

Same thing happened to RFK Jr

load more comments (1 replies)
[–] [email protected] 47 points 6 months ago (3 children)

Would you love your USB if it was a worm?

[–] [email protected] 7 points 6 months ago

What if it didn't exist? Would you still love your USB then?

load more comments (2 replies)
[–] ohwhatfollyisman 38 points 6 months ago

we've found the early bird.

[–] [email protected] 12 points 6 months ago

Lisan al ghaieb!!!

[–] techognito 11 points 6 months ago (2 children)

Have you run a full scan using Windows Defender?

Can you confirm that the worm is actually running?

AV software may remove the installed worm from the system, but not from the drive.

Probably a good idea to reformat the USB drive

PS. if all else fails, nuke and pave (reinstall the computers in your household, including your linux machine)

You should do this offline, as in, quarantine the situation.

[–] [email protected] 5 points 6 months ago

Windows defender also has an offline scan mode which may be of use here - hard to say, dunno if they ever dropped a rootkit or any other av-dodging/persistence mechanisms

[–] [email protected] 3 points 6 months ago (1 children)

Time to switch to Linux (joking)

load more comments (1 replies)
[–] [email protected] 8 points 6 months ago (1 children)

I'll also toss this hat into the ring - sysmon this is essentially a logging tool thats a bit better/nicer than the windows default, and categorizes all logs into very neat buckets that will make watching out for strange shit much much easier.

Sysmon is part of the sysinternals suite (vetted by the community + microsoft, which is sayin somethin lol) and you can make use this as the config file to use (Uses industry-standard MITRE Att&ck framework) which you can then use to correlate to more threats/malware authors/malware artifacts if you really wanna get your hands dirty/have some fun

[–] [email protected] 5 points 6 months ago (1 children)

To level set, Microsoft owns SysInternals, and has since 2006. None of it is “community vetted”, to me that implies FOSS or something.

[–] [email protected] 7 points 6 months ago* (last edited 6 months ago) (1 children)

Why would "community vetted" imply FOSS?

Microsoft has a massive community of users and sysinternals is highly regarded amongst amateur and professional users alike. The term "community vetted" makes perfect sense in this context.

[–] [email protected] 5 points 6 months ago

Yeah, I use SysInternals stuff every day. Neither myself nor the community has vetted SysInternals tools any more than they have vetted outlook, teams, or word. Unless I’m misunderstanding the meaning of vetted.

Vetting in a program/application context as I understand it is that the code has been vetted, which can only be done by the community at large if the source code is provided. Just like with a person, vetting is doing an actual background check, where as vouching for someone is just one person telling a second person that a third person is chill or something.

[–] [email protected] 6 points 6 months ago (1 children)

The malware probably turned of defender. Try an offline scan

[–] [email protected] 5 points 6 months ago

Actualy the malware somehow deleted windows defender and disabled automatic updates. I install MalwareBytes and run full scan and removed it.

[–] sramder 6 points 6 months ago (1 children)

Doesn’t virus total display a list of the AV software it triggered?

I generally use Malware Bytes on windows but I don’t know if it’s effective against that particular virus.

[–] [email protected] 3 points 6 months ago (1 children)

Yes it does but I haven't checked whichones do end whichones don't. But half of them do, thats important.

load more comments (1 replies)
[–] TCB13 5 points 6 months ago (5 children)

And here I was under the impression that using USB storage for anything else than installing operating systems was a thing of the past.

[–] DharkStare 13 points 6 months ago (7 children)

Out of curiosity, what do you use to transfer files between computers?

[–] [email protected] 12 points 6 months ago (1 children)

SCP or a share on a NAS, personally.

[–] [email protected] 3 points 6 months ago (5 children)

Not everyone can afford a NAS

[–] [email protected] 4 points 6 months ago (3 children)

You dont need a Nas to transfer files over your local network

load more comments (3 replies)
load more comments (4 replies)
[–] [email protected] 11 points 6 months ago (1 children)

Personally, most stuff is in cloud storage. For local stuff I use syncthing.

But for the average person, I'd expect using iCloud, Google Drive, Onedrive, or Dropbox and then creating a shareable link for the other person.

I also can't remember the last time I used a USB drive for anything other than installing an OS.

[–] [email protected] 4 points 6 months ago* (last edited 6 months ago)

Deleted: Replied to wrong comment

[–] TCB13 5 points 6 months ago* (last edited 6 months ago)

SMB (NAS), Syncthing, FileBrowser, snapdrop.net, email and sometimes public cloud services...

[–] [email protected] 5 points 6 months ago

Syncthing and LocalSend.

Syncthing is used if it is not a one time transfer. LocalSend is mainly for one time transfer. LocalSend needs things to be in the same network. The same WiFi router is enough. Syncthing can send files over the internet also.

There are browser based alternatives like ShareDrop . These tools are not as reliable as Syncthing and LocalSend, especially when it comes to single large files (more than a few GBs), like ISOs.

For one time transfer over the internet, another handy tool is Croc . This one also suffers from the large file related issues.

[–] [email protected] 3 points 6 months ago
load more comments (2 replies)
[–] [email protected] 5 points 6 months ago (1 children)

Ventoy is very useful for diagnostics too

load more comments (1 replies)
[–] seaQueue 5 points 6 months ago (1 children)

NVMe in a USB enclosure makes a pretty rad backup target a couple of times a week. The whole job is over and done in <2 minutes.

[–] TCB13 3 points 6 months ago

Yes, that's true but I'm no longer doing that. Everything sync to the NAS using Syncthing that in turn is set with file versioning and weekly snapshots.

[–] [email protected] 4 points 6 months ago

All the time, right now copying 400 MB onto one as an eBook Calibre library backup.

[–] [email protected] 3 points 6 months ago (3 children)

Wut. Its where I store photos and videos

load more comments (3 replies)
[–] BeatTakeshi 3 points 6 months ago

RFKJr can take it in, he's got a free slot

load more comments
view more: next ›