• Acer revo r1600 from newegg came with a keylogger!
    21 replies, posted
My friend bought an Acer Revo for $200 off Newegg. When we first booted it up it had the usual bloatware like any brand-name computer. I connected my flash drive, which had some programs like CCleaner and MSE on it. When I got home I connected it to my computer, which was running Ubuntu, and I noticed a folder with random characters set as hidden. I looked in it and found an autorun.ini file and a .exe file. I ran it on VirusTotal and it found nothing, then I ran it in a sandbox and found out it was sending packets to an IRC channel. I deleted it, connected my blank flash drive to the Acer and it did it again. We didn't do anything to the Acer when I first booted it up, and my flash drive was clean before I connected it to the Acer. I reported the files to ESET to take a look at them. I reinstalled Windows 7 on the Acer.
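As an added illustration (not anything posted in the thread), here is the check a defender could run from a Linux box over a mounted stick to find what the original poster found by hand: a folder holding an autorun file plus the executable it points at. The folder and file names below are constructed stand-ins, and because the post says autorun.ini while Windows only acts on autorun.inf, both spellings are matched.

```python
import os
import re
import tempfile
from pathlib import Path

# Windows honours "autorun.inf"; the post says "autorun.ini", so both are checked.
AUTORUN_NAMES = ("autorun.inf", "autorun.ini")
# Directives inside the file that make Windows launch a program.
LAUNCH_RE = re.compile(r"^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+?)\s*$", re.I)
EXE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".vbs")


def scan_drive(root):
    """Report every directory under root that holds an autorun file, with the
    launch targets it names and whether a matching executable sits beside it."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        lower = {f.lower(): f for f in filenames}
        autoruns = [lower[n] for n in AUTORUN_NAMES if n in lower]
        if not autoruns:
            continue
        targets = []
        for name in autoruns:
            with open(d / name, encoding="utf-8", errors="replace") as fh:
                targets += [m.group(2) for m in map(LAUNCH_RE.match, fh) if m]
        exes = sorted(f for f in filenames if f.lower().endswith(EXE_SUFFIXES))
        # The thread's pattern: an autorun file whose launch target is an .exe in the same folder.
        dropper = [t for t in targets if Path(t).name.lower() in lower]
        findings.append({"dir": str(d.relative_to(root)) or ".", "autorun": autoruns,
                         "targets": targets, "executables": exes, "suspicious": bool(dropper)})
    return findings


def build_sample_drive():
    """Construct a throwaway directory laid out like the stick described in the post."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "ccleaner-setup.exe").write_bytes(b"MZ placeholder")  # constructed, benign
    hidden = root / ".x7q2kd"                                      # constructed random name
    hidden.mkdir()
    (hidden / "autorun.inf").write_text("[autorun]\nopen=svch0st.exe\nicon=shell32.dll,4\n")
    (hidden / "svch0st.exe").write_bytes(b"MZ placeholder")        # constructed, inert
    return root


if __name__ == "__main__":
    for f in scan_drive(build_sample_drive()):
        print("SUSPICIOUS" if f["suspicious"] else "review", f["dir"], f["targets"], f["executables"])
```

Point `scan_drive()` at the mount point of a real stick (for example `/media/<user>/<label>`) to run it over actual media; the sample drive exists only so the script runs offline.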
What was the IRC Channel called?
There is a program called Viper that is very good at rooting out spyware and malware. Get the free trial and run a deep scan.
damn you acer!
If you'd like to PM me a copy of the files you find, I can take a look and figure out what it's doing (and maybe indulge in a spot of what may end up being botnet hunting).
Use Malwarebytes Anti-Malware. Also, the virus could hide in one of those hidden boot partitions (all the laptops with bloatware (Acer/Asus etc.) have such a partition; it's used to restore the laptop if it fails). Anyway, it's pretty hard to make those drives "normal", so you could consider buying a new HDD. Or try to scan those partitions.
[QUOTE=Cornelisjuh;25787322]Use Malwarebytes Anti-Malware. Also, the virus could hide in one of those hidden boot partitions (all the laptops with bloatware (Acer/Asus etc.) have such a partition; it's used to restore the laptop if it fails). Anyway, it's pretty hard to make those drives "normal", so you could consider buying a new HDD. Or try to scan those partitions.[/QUOTE]It's hard to make the drive "normal"? How about: delete all partitions. Problem solved.
[QUOTE=Hexxeh;25787313]If you'd like to PM me a copy of the files you find, I can take a look and figure out what it's doing (and maybe indulge in a spot of what may end up being botnet hunting).[/QUOTE] I reformatted it to Windows 7. It still has the restore partition, and I can see if I can get the files out of that.
Complain to the manufacturer and Newegg.
And it seems more likely that you used that flash drive on a previous computer that had a keylogger, and then you plugged it into the Acer, infecting that.
:iiam:
[QUOTE=TehWhale;25792003]And it seems more likely that you used that flash drive on a previous computer that had a keylogger, and then you plugged it into the Acer, infecting that.[/QUOTE] That is a possibility, but having rogue software packaged with consumer products has happened quite a few times in the past. IIRC there was a McDonald's USB stick that came with malware/spyware of some kind, and I know there are other examples of it too. [url]http://crave.cnet.co.uk/digitalmusic/mcdonalds-free-trojan-would-you-like-malware-with-that-49284415/[/url]
Don't forget Sony's bout with rootkits... it's entirely possible that Acer did that to "improve customer experience." Or, as stated previously, you had an infected USB stick and just noticed it after infecting your Acer.
If it was sending to an Acer server, I would believe it was from Acer. To a random IRC channel? 90% likely it was already on there.
[QUOTE={ABK}AbbySciuto;25797039]Don't forget Sony's bout with rootkits... it's entirely possible that Acer did that to "improve customer experience."[/QUOTE] If Acer did it, they'd probably use HTTP POST or a custom protocol rather than IRC.
[QUOTE=gparent;25805634]If Acer did it, they'd probably use HTTP POST or a custom protocol rather than IRC.[/QUOTE] That's kinda what I said there.
My old Packard Bell PC came pre-installed with something similar, I believe. Whenever I reinstalled it with the repair disks it came with (I had no OS disk back then) it would install a keylogger/Trojan-type malware, according to Avast! Kind of strange, really. It might have just been something to report the PC as active to them, but why they would need that I do not know.
[QUOTE={ABK}AbbySciuto;25797039]Don't forget Sony's bout with rootkits... it's entirely possible that Acer did that to "improve customer experience." Or, as stated previously, you had an infected USB stick and just noticed it after infecting your Acer.[/QUOTE] I was reformatting a Dell laptop belonging to a client of mine, and I downloaded a driver for it from the Dell website which turned out to be one of the nastiest rootkits I've ever seen. The second it ran, it opened a backdoor and started downloading and installing a version of that fake AV "Windows Antivirus 20xx" and several other viruses, keyloggers, etc. I managed to shut it down before it started trying to propagate through my network. I'd suspect a disgruntled employee or something, but having a rootkit or virus of some sort on a new OEM machine wouldn't surprise me, which is why I always nuke new machines I get and reinstall everything from known-good sources.
[QUOTE=nekosune;25806650]That's kinda what I said there.[/QUOTE] Good job, I guess?
[QUOTE=Hexxeh;25787313]and maybe indulge in a spot of what may end up being botnet hunting[/QUOTE] Haha, I've done that a few times after trapping unencrypted (and usually horribly coded) botnet servers. It's always fun to dump the strings for the IRC channel and logins, join the IRC channel, and say hi to the owner.
You can never be too careful these days. And still some people think they are OK without any protection.
[QUOTE=LiquiD;25831080]You can never be too careful these days. And still some people think they are OK without any protection.[/QUOTE] These people also get unwanted pregnancies.