
After the preceding quest, the walkthrough of Closed Institution in Fallout 4 begins. This is your first visit to the Institute. If you work for a faction, you also need to complete its task along the way: for the Minutemen and the Brotherhood of Steel, upload a virus to the terminal; for the Railroad, deliver a message to the Patriot.

Father

Once inside the building, you will hear a voice that will introduce itself as Father. He will invite you to look around. Take the elevator. After leaving it and walking around a bit, you will find a room with a boy named Sean. After the conversation, it will become clear that this is not your son, but a synth. The head of the institute, the real Sean, will also come here. The years have not been kind to him, because 60 years have passed since the abduction!

Sometimes the quest Closed Institution has a bug: the conversation with the boy does not start. If you run into it, enter the console command tcl. This lets you walk through the glass wall, talk to him and walk out again. Turn collision back on with the same command.

Scientists

Sean will invite you to meet and talk with Institute scientists:

  1. engineer Ellie Fillmore;
  2. head of the Biosciences department Clayton Holdren;
  3. head of the robot control department Justin Ayo;
  4. Dr. Madison Lee.

Lee modifies your Pip-Boy so that you can now freely leave the Fallout 4 closed facility and return here using fast travel. A new marker will become available on the map.

Return to Father and talk to him again. He will offer you work for the Institute and give you the quest Detention.

When your computer is infected with a virus (or you suspect it), it is important to follow 4 rules:

First of all, there is no need to rush and make rash decisions. As they say, “measure twice, cut once” - ill-considered actions can lead not only to the loss of some files that could be recovered, but also to re-infection of the computer.

However, one action that must be taken immediately is to turn off the computer to prevent the virus from continuing its work. All actions to detect the type of infection and treat the computer should be performed only after rebooting the computer from a write-protected “emergency” floppy disk with the operating system. In this case, you should use executable files located only on write-protected “emergency” floppy disks. Failure to comply with this rule can lead to very serious consequences, since when loading the OS or running a program from an infected disk, a virus may be activated in the computer, and if the virus is running, treating the computer will be pointless, since it will be accompanied by further infection of disks and programs.

If you do not have sufficient experience and knowledge to treat your computer, ask more experienced colleagues or even specialists for help.

Prevention against virus infection

1). Copying information and access control:

It would be a good idea to keep, and update when necessary, archival and reference copies of the software packages and data you use. Before archiving data, it is advisable to check it for viruses. It is also advisable to copy the disk's service information and the contents of the computer's non-volatile memory onto floppy disks.

Such information can be copied and restored using the Rescue program from the Norton Utilities package.

2). Write protection should be installed on archival floppy disks. You should not engage in unlicensed or illegal copying of software from other computers. They may have a virus.

3). All data coming from outside should be checked for viruses, especially files “downloaded” from the Internet.

4). It is necessary to prepare a recovery package on write-protected floppy disks in advance.

5). For normal work not related to restoring your computer, you should disable booting from a floppy disk. This will prevent boot virus infection.

6). Use filter programs for early detection of viruses.

7). Periodically check the disk with programs such as AVP or Dr. Web to catch anything that slipped past your defenses.

8). Update your antivirus program database (AVP does this in 8-10 minutes).

And most importantly, do not allow dubious users to access your computer.


As a rule, most pentests follow a fairly simple scheme. First, social engineering is used to gain access to the target environment or one of its links, and then that link is compromised by technical means. The attack can vary, but a classic pentest is usually a fusion of technical work and social engineering in various proportions. The disadvantage of a classic pentest is that you first need to "grope" for that one suitable employee before moving on to the next stage. If finding the weak link and then exploiting it could be automated, the pentest would go faster and the final chances of success would rise significantly.

WARNING!

All information is provided for informational purposes only. Neither the author nor the editors are responsible for any possible harm caused by the materials of this article.

According to well-known statistics published by antivirus companies, about 30% of users do not use an antivirus, simply disable it, or do not update its database. From this one can argue that any average company has a group of people who are very dismissive of information security, and it is precisely these people an attack would be aimed at. In addition, any functioning system is subject to a number of random factors that can also temporarily paralyze its security:

  • the proxy server settings were lost, so the anti-virus databases were not updated;
  • the antivirus license expired, and management did not take care of renewing it in time;
  • a network failure made remote printing impossible, so every employee was forced to copy documents onto a flash drive and print them in another department.

You only need to turn on your imagination to add a dozen more ways events can develop. Summing up, in any average organization there are potentially unreliable employees, and circumstances sometimes arise that disrupt normal work and paralyze protection. So if you strike the right place at the right time, the attack will succeed.

In fact, the task boils down to the following: to determine that one of the random events has occurred at the moment, which led to a decrease in security, and then use this situation as a disguise and carry out an attack unnoticed.

Put simply, the task comes down to finding a person who neglects security, and why not use flash drives for that?

Many virus writers are very fond of flash media, since it makes infecting computers quick and easy, and even the most basic USB virus has a good chance of success. The boom of autorun viruses that occurred in 2008 has not slowed down five years later; moreover, USB viruses have become even bolder and sometimes do not even hide their presence. At the same time, an infected flash drive is a universal indicator of its owner's literacy in basic information security. For example, if you collect ten flash drives from different people, probably three or four of them will be infected. If a week later you take the flash drives from the same people again, two or three will still be infected. From this one can argue that the computers these flash drives are used on lack even the most basic protection, or for some reason it is disabled or does not work at all. Thus, even if you distribute the most ordinary virus, one successfully detected by every antivirus, only among this group of people, it will manage to infect a large number of computers before it is detected. And since those computers have no protection, it will also be able to remain operational for a long time.


Implementation

On a specific computer to which flash drives are periodically connected, install a special program that works according to the following algorithm. When another flash drive is connected, the program tries to determine whether it is infected. Since it is impossible to account for the entire variety of USB viruses, it makes sense to use a heuristic approach to detecting infection based on the following criteria:

  • presence of an autorun.inf file;
  • RHS (read-only, hidden, system) file attributes;
  • a small suspicious file;
  • a file system other than NTFS;
  • absence of a folder named autorun.inf;
  • presence of shortcut files.

If the flash drive is infected, the program writes it to a database, recording the serial number and the hash of the suspicious file. If after a few days the flash drive is reconnected to this computer (and this almost always happens) and the suspicious files are still on it, then it is infected with our "virus"; if no suspicious file is left, the program deletes the serial number of this flash drive from the database. When it infects a new computer, the virus remembers the serial number of its parent flash drive and never infects or analyzes it, so as not to give itself away later if the drive's owner "gets wiser."

To obtain the serial number, we will write the following function based on the GetVolumeInformation API:

    String GetFlashSerial(AnsiString DriveLetter)
    {
        DWORD NotUsed;
        DWORD VolumeFlags;
        char  VolumeInfo[MAX_PATH + 1];   // volume label buffer; contents are not used
        DWORD VolumeSerialNumber;
        // Query the root of the drive, e.g. "E:\"; only the serial number is needed
        if (!GetVolumeInformation(AnsiString(DriveLetter + ":\\").c_str(), VolumeInfo, sizeof(VolumeInfo),
                                  &VolumeSerialNumber, &NotUsed, &VolumeFlags, NULL, 0))
            return "";                    // not a readable volume
        String S;
        return S.sprintf("%X", VolumeSerialNumber);   // serial number as upper-case hex
    }

It should be noted that the GetFlashSerial function does not obtain a static unique device identifier, only the volume serial number. This number is a random value assigned when the volume is formatted, and as a rule it changes every time the device is formatted. For our purposes the volume serial number is sufficient, since strict binding to the hardware is not required, and formatting means the complete destruction of information, which in effect makes a formatted flash drive a new one.

Now let's move on to implementing the heuristic itself.

    bool IsItABadFlash(AnsiString DriveLetter)
    {
        DWORD NotUsed;
        char  drive_fat[MAX_PATH + 1];    // file system name, e.g. "FAT32" or "NTFS"
        DWORD VolumeFlags;
        char  VolumeInfo[MAX_PATH + 1];
        DWORD VolumeSerialNumber;
        AnsiString Root = DriveLetter + ":\\";
        if (!GetVolumeInformation(Root.c_str(), VolumeInfo, sizeof(VolumeInfo), &VolumeSerialNumber,
                                  &NotUsed, &VolumeFlags, drive_fat, sizeof(drive_fat)))
            return false;                 // unreadable volume: nothing to judge
        bool badflash = false;
        // Criterion 1: non-NTFS volume whose autorun.inf carries the read-only, hidden and system attributes
        if ((String(drive_fat) != "NTFS") && FileExists(Root + "autorun.inf"))
        {
            DWORD dwAttrs = GetFileAttributes(AnsiString(Root + "autorun.inf").c_str());
            if ((dwAttrs & FILE_ATTRIBUTE_SYSTEM) && (dwAttrs & FILE_ATTRIBUTE_HIDDEN) && (dwAttrs & FILE_ATTRIBUTE_READONLY))
                badflash = true;
        }
        // Criterion 2: a shortcut X.lnk in the root next to a hidden+system folder X (first shortcut only)
        if (!badflash)
        {
            TSearchRec sr;
            if (FindFirst(Root + "*.lnk", faAnyFile, sr) == 0)   // a shortcut was found
            {
                int filep = sr.Name.LastDelimiter(".");
                AnsiString filebez = sr.Name.SubString(1, filep - 1);   // shortcut name without ".lnk"
                if (DirectoryExists(Root + filebez))
                {
                    DWORD dwAttrs = GetFileAttributes(AnsiString(Root + filebez).c_str());
                    if ((dwAttrs & FILE_ATTRIBUTE_SYSTEM) && (dwAttrs & FILE_ATTRIBUTE_HIDDEN))
                        badflash = true;
                }
                FindClose(sr);
            }
        }
        return badflash;
    }

The heuristic is quite simple. First we filter out all devices with the NTFS file system and those that do not contain an autorun.inf file. As a rule, all flash drives ship with FAT32 by default (less often FAT, and even less often exFAT), but sometimes system administrators or other IT staff format them as NTFS for their own needs. We have no use for such "clever people", so they are excluded immediately. The next step is to check the autorun.inf file for the "hidden" and "system" attributes. An autorun.inf file may belong to a completely legitimate program, but if it carries these attributes, the flash drive is very likely infected with a virus.

Nowadays, virus writers use the autorun.inf file to infect machines less and less. There are several reasons: first, almost all antiviruses, or the users themselves, disable autorun; second, several viruses using the same distribution method may coexist on one computer, each overwriting the file in its own way. So infection through creating shortcuts and hiding the original folders began to be used more and more often. In order not to leave such flash drives unattended, we check for a shortcut file and for a folder with the same name in the root of the volume. If that folder also has the "hidden" and "system" attributes, we mark the flash drive as infected.

Of course, heuristics have their own errors and nuances, so it makes sense to carefully work them out for a specific task, but in our case we can confirm with 100% probability that they are correct.

If the heuristic analysis of a flash drive is generally clear, the "infection" step has its nuances. For example, you can simply overwrite the old virus with ours without any changes to the autorun.inf file, the files, the shortcuts, and so on. Our "virus" will then gain control on the new computer, but it is better to first make a copy of the old virus and save it in the same directory under a slightly different name. If for some reason an antivirus is running on the other computer, it will detect the old virus, remove it, and tell the user that the threat has been successfully destroyed, thereby giving the user a false sense of security, while our "virus" goes unnoticed.

In addition, in the December issue of Hacker we also wrote about DLL hijacking vulnerabilities in various software and their effective exploitation. So if flash drives are expected to contain programs such as password managers or portable versions of various software, it makes sense to exploit this vulnerability and thereby expand the range of affected machines and the value of the data obtained for the pentest.

By the way, it does not always make sense to resort to infecting flash drives. For example, if the information security department simply needs to periodically monitor employees for "unreliable people," it would be wiser to deploy this program on several machines and just record the flash drives' serial numbers and the creation time of the malicious file to collect statistics. There is then no need to literally search every employee, the confidentiality of the data on the flash drives is preserved, and from the data obtained one can also judge the likely infection of users' home computers and the state of information security in general. After all, as we wrote earlier, any system is subject to random factors and the risk of threats cannot be excluded.
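The heuristic above and the statistics-only monitoring variant just described, as an added example that is not the article's code: it reimplements the checks over an in-memory model of a volume's root directory (the Entry, Volume and FlashMonitor types and the sample volumes are all constructed here), so it compiles and runs without the Win32 API; on Windows the same data would come from GetVolumeInformation and FindFirstFile/GetFileAttributes. It also checks every .lnk in the root rather than only the first one, which is what the article's IsItABadFlash does.

```cpp
// Added example, not the article's code: the flash-drive heuristic and the
// statistics-only monitor from the text, run over an in-memory model of a volume's
// root directory so it builds anywhere (no Win32 API needed).
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Same bit values as FILE_ATTRIBUTE_* in <windows.h>.
enum : uint32_t { ATTR_READONLY = 0x01, ATTR_HIDDEN = 0x02, ATTR_SYSTEM = 0x04, ATTR_DIRECTORY = 0x10 };

struct Entry { std::string name; uint32_t attrs; };   // one root-directory entry

struct Volume {
    std::string serial;        // volume serial number as hex, like GetFlashSerial returns
    std::string fsName;        // "FAT32", "NTFS", ...
    std::vector<Entry> root;   // root-directory listing
};

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static const Entry* findEntry(const Volume& v, const std::string& name) {
    for (const Entry& e : v.root) if (lower(e.name) == lower(name)) return &e;
    return nullptr;
}

static bool hasAll(uint32_t attrs, uint32_t mask) { return (attrs & mask) == mask; }

// Returns the name of the object that tripped the heuristic, or "" if the volume looks
// clean. Every *.lnk in the root is checked, not just the first as in IsItABadFlash.
std::string suspiciousObject(const Volume& v) {
    if (lower(v.fsName) == "ntfs") return "";   // NTFS volumes are excluded outright
    // Criterion 1: a *file* autorun.inf carrying Read-only + Hidden + System. A folder
    // named autorun.inf is the classic user-side defence and does not count.
    if (const Entry* a = findEntry(v, "autorun.inf"))
        if (!(a->attrs & ATTR_DIRECTORY) && hasAll(a->attrs, ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM))
            return a->name;
    // Criterion 2: a shortcut "X.lnk" sitting next to a Hidden + System folder "X".
    for (const Entry& e : v.root) {
        const std::string n = lower(e.name);
        if ((e.attrs & ATTR_DIRECTORY) || n.size() < 5 || n.compare(n.size() - 4, 4, ".lnk") != 0) continue;
        const Entry* d = findEntry(v, e.name.substr(0, e.name.size() - 4));
        if (d && hasAll(d->attrs, ATTR_DIRECTORY | ATTR_HIDDEN | ATTR_SYSTEM)) return e.name;
    }
    return "";
}

// The statistics-only variant: remember infected serials, forget a serial once the drive
// comes back clean, and flag drives that return still carrying a suspicious object.
struct Sighting { std::string object; int firstSeen; int lastSeen; int times; };

class FlashMonitor {
    std::map<std::string, Sighting> db_;   // keyed by volume serial
public:
    // Call on every connect; `now` is any monotonic timestamp. Returns true only when a
    // drive already on record is reconnected and still looks infected.
    bool onConnect(const Volume& v, int now) {
        const std::string obj = suspiciousObject(v);
        auto it = db_.find(v.serial);
        if (obj.empty()) {                       // clean, or cleaned since last time
            if (it != db_.end()) db_.erase(it);
            return false;
        }
        if (it == db_.end()) {                   // first sighting: record it
            db_[v.serial] = Sighting{obj, now, now, 1};
            return false;
        }
        it->second.object = obj; it->second.lastSeen = now; ++it->second.times;
        return true;
    }
    std::size_t tracked() const { return db_.size(); }
};

// Constructed sample volumes (not real captures). kCleaned reuses kAutorun's serial.
const Volume kAutorun{"1A2B3C4D", "FAT32", {{"autorun.inf", ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM},
                                           {"photo.exe", ATTR_HIDDEN | ATTR_SYSTEM}, {"report.docx", 0}}};
const Volume kShortcut{"5E6F7081", "FAT32", {{"Documents", ATTR_DIRECTORY | ATTR_HIDDEN | ATTR_SYSTEM},
                                            {"Documents.lnk", 0}, {"notes.txt", 0}}};
const Volume kDefended{"9A0B1C2D", "FAT32", {{"autorun.inf", ATTR_DIRECTORY | ATTR_HIDDEN}, {"cv.pdf", 0}}};
const Volume kNtfs{"DEADBEEF", "NTFS", {{"autorun.inf", ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM}}};
const Volume kCleaned{"1A2B3C4D", "FAT32", {{"report.docx", 0}}};

int main() {
    FlashMonitor m;
    const Volume* seq[] = {&kAutorun, &kShortcut, &kDefended, &kNtfs, &kAutorun, &kCleaned};
    for (int day = 0; day < 6; ++day)   // one connect per "day"
        std::cout << seq[day]->serial << " repeat=" << m.onConnect(*seq[day], day) << " tracked=" << m.tracked() << '\n';
}
```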


Testing

Having deployed the program in a medium-sized network, within a week we received quite eloquent data. More than 20% of all connected flash drives were infected with some kind of virus or Trojan, and more than 15% were still infected when reconnected a couple of days later. It should also be noted that many computers had antivirus protection that periodically did its job. However, the habitual indifference to the pop-up antivirus warning that users have long been used to seeing when connecting a flash drive did not let them suspect they were dealing with a completely different threat. A false sense of security let users connect a flash drive to various computers, and our program could successfully do its job.


Briefly about the algorithm

  • We install our program on computers in the company.
  • We scan connected flash drives for signs of infection.
  • We “infect” users’ flash drives with our test “virus” or rewrite their numbers for statistics.
  • We report to the authorities, punish rogue users, keep them, don’t let them in, and ban them.

Conclusion

To sum up, the main disadvantage of this method is its uncertainty. No one knows exactly when the "suitable" flash drive will be connected to the computer, since that depends heavily on the environment in which the program is deployed. However, this drawback does not detract from the method's main advantage. You can go unnoticed for a very long time and, dissolving among other threats, hit more and more new machines fully automatically. It is easy to see that this technique has a certain economy of scale: the more employees an organization has and the more diverse its internal communications, the greater the result. That said, the approach works in a structure of any scale, because its main task is not a mass defeat of the system but a targeted blow at the weakest link: the person. ][

How to complete the quest “Closed Institution.” This is the last quest from the main plot, after which you will have to make a choice on which side to take.

Step into the signal interceptor that we assembled in the previous quest and wait for the device to teleport you to the Institute. Companions cannot enter the Institute; they remain outside and rejoin you when you come back out.

You got to the “Institute”, and it seems the search for your son is almost complete. As soon as you teleport and look around the unusual surroundings of new shiny things, a voice will address you over the speakerphone. He will say that he has been waiting for you for a long time and will offer to use the elevator at the end of the room. At this moment the quest “Closed Institution” will begin.

The elevator is in front of you. Take it. As you move, a voice will tell you about the "Institute". When the elevator doors open, walk forward along the corridor to the next elevator and use it. Finally, you will come to a room with a glass-walled section in which a boy is sitting with his back to you. Start a conversation with him. When you ask about "Father", the dialogue will end and the head of the "Institute" will appear and switch off the boy, who turns out to be a synth. Talk to "Father", as he calls himself.

"Father" will tell you that he is your son and that he grieves over the death of his mother, though he does not remember the moment itself, since he was a baby. You can say that this is nonsense and demand an explanation of what is going on. Listen to your son; it really is him. You will learn everything about the synths, the research being carried out, the history of the Institute and the reasons for everything that happened to you. At the end of the conversation, "Father" will invite you to join the Institute. Accept his offer to explore the entire complex.

"Father" will invite you to talk to the four main scientists of the Institute, who are in charge of its different areas of research. First, go into the room behind him and go up the stairs. There you will find a bathtub containing bobby pins and RadAway. In general, the Institute is full of all sorts of goodies, from brand new items that can be broken down into junk for crafting to first aid kits with stimpaks and RadAway.

Return to the room where you saw the boy. Go through the door opposite "Father's" room and go down the stairs. On the bottom floor you will find Dr. Ellie Fillmore (she has yellow clothes), talk to her. After this, look around and you will see a synth behind the counter selling armor, weapons and other useful items.

Purchase the necessary supplies and go to the heart of the Institute, from where you can easily get to any wing of the complex. Have you seen green trees in Fallout 4? Here they are.

Now head to the Bioscience department and look for Dr. Holdren, who wears green clothes. Talk to him, and when you have heard everything you wanted, end the conversation. In this department, pay attention to the high-security terminal leading to Virgil's old laboratory. You can also find a regular terminal here with interesting records on it.

After that, go to the Advanced Systems department. To avoid getting lost, follow the marker and find Dr. Lee, who wears blue clothes. The doctor will install a special chip in your Pip-Boy that lets you teleport to the Institute freely. Remember this doctor if you play on the side of the Brotherhood of Steel.

After meeting all the managers, return to “Father” and the quest “Closed Institution” will be completed. Now you can easily navigate to the Institute through the Pip-Boy. You will also receive the first task from the “Institute” called “Detention”.

Now you need to complete the task of scanning the Institute's network, if you have not done so previously. The task was given to you by the technician of the faction to whom you gave the drawings for building the teleport in the previous chapter of the walkthrough. Find the nearest terminal, download the holotape into it and start scanning. Once the process is complete, collect the data. It doesn’t matter to whom you give this data - at any time you can transfer it to .

Now you can go to one more place, but this is not necessary. Remember when we completed , Virgil asked us to get the FEV virus serum from his old laboratory? To do this, you need to get into the closed part of the Institute, which is located in the bioscience department. The laboratory can be accessed either through a terminal with a very high level of hacking, or through an easier door in the adjacent storage rooms. There is nothing particularly interesting inside the laboratory: there are many turrets and dead cats, there is an assault gun, and there are modifications for weapons in the warehouse.

When you pick up the serum in the laboratory, take it to Virgil so that he can become human again. After giving the medicine, check back in a few days. After Virgil recovers, you can take whatever you want from his cave-laboratory. Although there is nothing special to take there, we promised to help him...

Viruses can be of two types:

1. Fake - the name and icon of some well-known application are used, but inside there is only malicious code. Most viruses are of this type.

2. Trojan horse - malicious code is added to a normal application and works alongside it.

What viruses can do

1. Steal money from a SIM card: call or send SMS to paid numbers until the SIM card runs out of money.

2. Steal information: send passwords for online banking, bank card data or personal files to scammers, or send messages with virus links to numbers from your address book on your behalf.

3. Block the normal operation of the device: display a ransomware banner that prevents you from using the device.

4. Use the power of your device: show hidden ads or mine cryptocurrencies.

How viruses get onto a smartphone or tablet

Fraudsters disguise viruses as harmless applications and files: browsers, players, games, navigators, books, antiviruses. Then they distribute them:

1. On sites for adults, sites with hacked applications and pirated films, torrent trackers, etc.

For example, you are looking for some game or program on the Internet, and you end up on a forum. Someone left the necessary link, and everyone unanimously thanks him.

In fact, the forum and commentators are not real.

Or go to a site with pirated films and TV series, a message appears. It says that the smartphone/tablet is infected with viruses or that some program is very outdated. It even happens that the device begins to vibrate or make strange sounds.

In fact, this is not the case and everything is fine with the device.

2. By SMS, MMS and email

As a rule, these are SMS from “girls from dating sites”, from free classifieds sites, letters from “notaries from Germany”, messages about winning the lottery.

Be careful, there are no miracles. In most cases these are scammers.

All such messages have a common goal - to get you to click on a link so that the virus will download to your device.

How viruses infect a smartphone or tablet

For the virus to start working, it is not enough to download it; it also has to be installed. Viruses are usually downloaded to the Download folder and look like application installer files with the .apk extension.

If you click on a virus, a list of permissions will appear. Permissions are the actions that an application will be able to perform after installation.

If you click “Install”, the virus will install and start working.

How to distinguish a virus from a normal application

Most viruses are written by non-professionals who want to get money quickly and easily without particular trouble with the law. So the standard signs of such viruses are permissions to send messages or make calls. Once such a virus is installed, it quietly begins sending SMS or calling paid numbers.

Let's compare real applications and viruses. Dr.Web Antivirus:

Permissions of the original antivirus from Play Store

Permissions of a virus that pretends to be an antivirus

Yandex Navigator:

Permissions of the original navigator from the Play Store

Permissions of a virus that pretends to be a navigator

The game Talking Tom 2:

Permissions of the original Talking Tom 2 game from the Play Store

Permissions of a virus that pretends to be the Talking Tom 2 game

Of course, not all applications that request access to calls and messages are viruses. And not all viruses request access to paid features.

If scammers want to film with your camera, you will need access to the camera and the Internet.
If your files are needed, they will ask for access to memory and the Internet.
If they want to block the screen with a banner, they will ask for administrator rights.
And some viruses even know how to hide permissions during installation.

A well-made virus is difficult to identify: you either need to look at the application's source code, or install the virus on a device, collect its logs (the event log) and make sense of them. Fortunately, such viruses are rare. More often, two guidelines will serve you:

If an application was downloaded from an unknown site and requests access to paid functions, it is a virus in 99% of cases.

How to protect your smartphone or tablet from viruses

1. Install applications only from the Play Store and choose them seriously

It is very difficult for an untrained person to distinguish a virus from a normal application. To protect users, Google has created a special catalog with applications - Play Market.

Before adding an application to the Play Store, Google checks whether it contains malicious code. Users who download apps from the Play Store are more protected than those who download apps from different sites and forums. But remember that nothing is completely safe, so choose apps seriously: read permissions carefully and look at ratings.

2. Do not click on unknown links in SMS, MMS or mail

Fraudsters have even learned to spoof phone numbers and email addresses, so messages with virus links may also appear to come from your friends.

3. Do not root your device or install unofficial firmware

If the device is rooted, the virus will be able to register itself in system applications and then only a complete flashing of the device can remove it.

4. Disable auto-receive MMS on your device

Fraudsters can automatically download viruses to your device via MMS. This is due to vulnerabilities in the Stagefright library.

To disable MMS auto-download, select: Messages → Options → Settings → (Advanced) → MMS → Auto-receive (Auto-download) → Disable.

5. Do not activate the “Autopayment” banking service (automatic replenishment of the balance of a telephone number when it drops to a certain amount)

If your device suddenly gets infected with a virus that sends SMS to paid numbers, the SIM card balance will be replenished until the money on the card runs out. Messages from the bank are usually blocked.

Tip: to receive messages from banks and other important senders, buy a separate number that nobody else knows and a simple phone for it.

How to understand that a virus has appeared on your smartphone or tablet

There are no clear signs; it all depends on the virus. Some are noticeable immediately after installation (a banner appears and access to the device is blocked), while others may not reveal themselves for a long time. In most cases, the signs are:

  • Large bills for SMS or calls appear;
  • A banner appears demanding that you pay the scammers, which prevents you from using the device;
  • Unfamiliar programs appear;
  • The battery starts to drain very quickly;
  • Internet traffic is quickly consumed by incomprehensible applications;
  • The device starts to slow down a lot.

How to remove a virus if the menu opens

How to remove a virus if the menu does not open (banner ransomware)

If a ransomware banner appears on the screen and prevents you from using the device:

    Do not transfer money to scammers - they still won’t unlock your device.

    Remove the SIM card to prevent money from being debited from your account.

    Boot your device into safe mode.

    If the banner in safe mode disappears, disable administrator rights for all applications.

    If the banner does not disappear, go to step No. 11.

    View all installed applications and remove those unknown to you.

    Reboot your device. The device will boot in normal mode, there should be no banner.

    If the banner appears after a reboot, go to step No. 11.

    Download an antivirus you trust over Wi-Fi from the Play Store.

    The design of viruses and the operating mechanisms of antiviruses change daily, so it is impossible to recommend any specific antivirus. Focus on other users' ratings and reviews. According to the author, good antiviruses are: Eset, Kaspersky and Dr. Web.

    Scan your device with an antivirus and remove any viruses found.

    Uninstall the antivirus that you installed.

    Download another antivirus and check your device again.

    If the previous options do not help, reset your device.

    If you cannot cope with the virus yourself, contact a Samsung service centre.

Do you need an antivirus on Android?

If you are a novice user and are not confident in your abilities, you need it. But only one.

If you use your device carefully and follow safety rules, you don’t have to install an antivirus.
