Malware Post Mortem

It seems that my infected PC was nobbled by something new. To me this is a particularly worrying event because I’m quite careful about what I do online, and I don’t rely on hardware and software to keep my PCs safe; I also use my noggin.

After scanning the other PCs on my network it seems that it was just the one that had the problem.  It became infected while I was away from the PC at about 1.10 am on Friday according to the timestamps on the approx 20 items it left on my PC.  And that’s what’s worrying me.
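The cluster of timestamps at about 1.10 am is the kind of evidence worth looking for systematically: a burst of many files written within a couple of minutes, at a time nobody was using the machine, usually marks the moment a dropper ran. The following script is an added example, not code from the original post. It collects file modification times from a directory tree and groups them into bursts using a simple gap rule (a new group starts whenever the gap to the previous file exceeds `max_gap`); groups with at least `min_files` entries are reported. The file list used below is constructed for the example (the paths, times and the year are arbitrary).

```python
"""Find bursts of file writes in a directory tree (added example, not from the post).

A burst is a run of files whose modification times are each within `max_gap`
of the previous one; runs shorter than `min_files` are ignored. This is the
timestamp clue from the post turned into a repeatable check.
"""
import os
from datetime import datetime, timedelta


def collect_mtimes(root):
    """Walk `root` and return a list of (path, modification datetime) pairs."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, datetime.fromtimestamp(os.stat(path).st_mtime)))
            except OSError:
                continue  # unreadable or vanished file; skip it
    return entries


def find_bursts(entries, max_gap=timedelta(minutes=2), min_files=5):
    """Group (path, time) pairs into bursts; return the groups of size >= min_files."""
    ordered = sorted(entries, key=lambda e: e[1])
    bursts, current = [], []
    for path, when in ordered:
        if current and when - current[-1][1] > max_gap:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append((path, when))
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


def summarize(bursts):
    """Return (first time, last time, file count) for each burst."""
    return [(b[0][1], b[-1][1], len(b)) for b in bursts]


# Constructed sample: a few normal daytime writes, then eight files dropped
# in under four minutes at ~1:10 am while the machine was idle. Year and
# paths are arbitrary.
SAMPLE_FILES = [
    (r"C:\Documents and Settings\frank\My Documents\notes.txt", datetime(2008, 10, 23, 10, 15, 0)),
    (r"C:\Documents and Settings\frank\My Documents\report.doc", datetime(2008, 10, 23, 14, 30, 0)),
    (r"C:\Documents and Settings\frank\Local Settings\Temp\~cache.tmp", datetime(2008, 10, 23, 22, 5, 0)),
    (r"C:\WINDOWS\Temp\dropped-1.exe", datetime(2008, 10, 24, 1, 8, 12)),
    (r"C:\WINDOWS\Temp\dropped-2.dll", datetime(2008, 10, 24, 1, 8, 40)),
    (r"C:\WINDOWS\system32\dropped-3.dll", datetime(2008, 10, 24, 1, 9, 5)),
    (r"C:\WINDOWS\system32\dropped-4.sys", datetime(2008, 10, 24, 1, 9, 30)),
    (r"C:\WINDOWS\system32\dropped-5.exe", datetime(2008, 10, 24, 1, 10, 1)),
    (r"C:\Documents and Settings\frank\Local Settings\Temp\dropped-6.exe", datetime(2008, 10, 24, 1, 10, 15)),
    (r"C:\WINDOWS\dropped-7.dat", datetime(2008, 10, 24, 1, 11, 2)),
    (r"C:\WINDOWS\system32\dropped-8.dll", datetime(2008, 10, 24, 1, 11, 50)),
    (r"C:\Documents and Settings\frank\My Documents\morning.txt", datetime(2008, 10, 24, 9, 30, 0)),
]

if __name__ == "__main__":
    # For a live machine use collect_mtimes(r"C:\WINDOWS") instead of the sample.
    for start, end, count in summarize(find_bursts(SAMPLE_FILES)):
        print(f"{count} files written between {start} and {end}")
```

On a real machine, run it against `C:\WINDOWS` and the user profile and expect a few legitimate bursts (installs, Windows Update); the interesting ones are those at times you know you were not at the keyboard.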

I wasn’t doing anything with that PC, and according to my browser history, I hadn’t visited any sites I’d consider insecure.

But the following morning, I turned on the PC’s monitor, and it was at the login screen. That immediately set my alarm bells going, as I leave that PC logged in and running jobs when I walk away from it – I reboot every so often when it gets a bit sluggish, but I never leave it logged out.

It’s also behind a hardware firewall.

When I realised what had happened and saw the pop-up in the system tray inviting me to download some additional software to infect my machine under the guise of protecting it, I started to take a closer look.  I’ve already mentioned the typos in the balloon pop-up – here’s the full text for you.

Your computer is infected!

Window has detected spyware infection!

It is recomended to use special antispyware tools to pervent data loss.Windows will now download and install the most up-to-date antispyware for you.

Click here to protect your computer from spyware!

There are actually THREE typos – “Window” instead of “Windows”, “recomended” instead of “recommended” and “pervent” instead of “prevent”.

At first I couldn’t do a thing about it.  AVG had been disabled by the malware, and I couldn’t browse to anywhere with that PC initially, but after a reboot I could get to any site apart from the sites where I could check up on what was going on and download software to remove it.

If I pinged any of the unreachable domains, they were all showing as 127.0.0.1, i.e., loopback to my local PC.

I couldn’t see any unusual processes running in Task Manager, but I know that there are lots of tasks that you can’t see in Task Manager as Windows hides them. Bad idea, Microsoft.

I went to another PC, plugged a USB memory stick into it, did a search and downloaded some software.  I first grabbed the latest version of AVG, then Malwarebytes Anti-Malware, then SpyBot Search and Destroy 1.60 and finally a trial version of something called Security Task Manager.  I might buy this as I was quite impressed with it.

(I couldn’t get Malwarebytes Anti-Malware from their site and it still remains unreachable to me, but I grabbed it from Download.com here – http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html.  The same applies to Security Task Manager which I got from here – http://www.download.com/Security-Task-Manager/3000-2094_4-10246545.html)

This is what I did.

#1 – I used the trial version of Security Task Manager to find and terminate the hidden processes that Windows Task Manager doesn’t display to get my PC back into a usable state.  This allowed me access to all the security related websites.

#2 – Next I used regedit (Start-Run-regedit) and searched through my registry to look for the names of the two processes and deleted them so they wouldn’t start up again if I had to reboot my PC.  (Afterwards I realised I could have just used msconfig but you don’t always think of the easiest methods sometimes.)

#3 – Then I installed the new version of Spybot Search and Destroy as it appeared I didn’t have it installed (although I thought I did), and ran a scan with that which cleaned a couple of things up.  I also let the “teatimer” resident process install itself which monitors registry entries, but I’ll likely disable that once I’m certain I’m clean.

#4 – Next I used Malwarebytes Anti-Malware for the first stab at cleaning up, and that found about 17 or so bits of code, all installed at about 1.10 am on Friday.  I wasn’t even at my PC at that time, so that’s a bit worrying unless I was already infected and a task was waiting for the PC to stop being used to install all the other bad stuff.

#5 – Finally I grabbed the latest version of AVG 8 after uninstalling AVG 7.5 which had been completely broken by whatever bits of software were now on this PC.  That scan has so far found 2 bits of js in the Opera cache and an adware trojan in the IE cache.  I’m not convinced that this is where it all started though – there was nothing unusual in my browsing on Thursday, and I don’t believe I even used Opera or IE that day.

It’s all a bit annoying as I’m so bloody careful.  All my other PCs are clean, as I’ve checked them all thoroughly.

Only the one PC that I mainly use has had this problem.  If you get this kind of issue, hopefully you can use this info to clean your PC up rather than have to reformat it.  I was actually expecting to have to do a reformat and re-install, but I was pleasantly surprised to find it wasn’t necessary.

From knowing I was infected to having researched and cleaned everything up took me approximately 3 hours.  Then another 4 hours to do a complete system scan with AVG which checked every file and has continued to find “threats” for another 36 hours as my system has tried to access system restore points to put back files which AVG had removed…

As each one has appeared, I’ve told AVG to delete them.  It’s now been 12 hours without finding any more of these “threat” files, so that could be the end of it.  I hope…

I won’t mention the names of the two new items of malware that have only appeared since about the 20th October, as I’m worried it will bring attention to my own site here.  The reason is I find it suspicious that two of the key sites that have software that has been instrumental in me fixing this are still currently unreachable.

It’s not just from this PC or network either – I’ve tried accessing both sites using the free version of Megaproxy – and that can’t connect either. It could be that both sites are currently sustaining a DDoS attack to prevent people from finding out about and downloading the software they need to fix their PCs during these crucial “early days” of being spread and taking a grip worldwide.

Call me a chicken, but the last thing I want is to attract the attention of individuals who will DDoS this site too. Maybe in a couple of weeks or so I’ll update this entry with the name of the malware and its helper file.

-Frank Haywood

Posted by Frank Haywood

2 comments

Tom Brownsword

Frank,

Check the contents of your lmhosts and hosts file (should be in c:\windows\system32\drivers\etc). There may be some entries in it that are preventing you from connecting to some of those security sites.

Your system will check this file first before trying to use DNS to resolve a host name to an IP address. You mentioned 127.0.0.1 in your blog post, which is known as the loopback address (on your local computer); it’s a common trick to put entries in these files for web sites you don’t really want to visit. In fact, some protection systems take advantage of this fact to prevent you from visiting suspected malicious sites.

For example, if I didn’t ever want to visit abcxyz123456.com, I’d add this to that file:

abcxyz123456.com 127.0.0.1

And any traffic for that web site would simply get sent back to my own computer’s loopback address, where it would die (unless I was running a web server at that address).

So it’s possible that there are entries in one of those files that is re-routing the traffic for those security sites.

Feel free to shoot me an email if this doesn’t make sense or if you want to know more (and my professional curiosity would love to know the names of the malware!).

HTH,
Tom
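The hosts-file mechanism Tom describes is easy to check mechanically, and doing so either confirms the cause or rules it out (in Frank’s case the file was clean and the redirection happened elsewhere). The script below is an added example, not code from the comment or the post. It parses a hosts file in the format Windows and Unix both use (an address first, then one or more host names, `#` starting a comment) and reports every name, other than `localhost`, that has been pointed at a loopback or unspecified address. The hosts text embedded below is constructed for the example; the domain names in it are made up.

```python
"""Flag host names sinkholed to loopback in a hosts file (added example).

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; on
Unix-like systems at /etc/hosts. Each data line is "<address> <name> [<name>...]".
"""
import ipaddress

# Names that legitimately map to loopback and should not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return {hostname: [addresses...]} in file order, skipping malformed lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                                # address with no name, or junk
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # not an address; ignore the line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(str(addr))
    return mapping


def sinkholed_names(text):
    """Names (not localhost) mapped to a loopback or 0.0.0.0/:: address."""
    findings = []
    for name, addrs in parse_hosts(text).items():
        if name in LOCAL_NAMES:
            continue
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip.is_loopback or ip.is_unspecified:
                findings.append({"name": name, "address": a})
    return findings


def check_hosts_file(path):
    """Convenience wrapper for a real file; returns the same list as sinkholed_names."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sinkholed_names(fh.read())


# Constructed sample: the normal loopback lines, a LAN entry, two names
# sinkholed the way Tom describes, and one malformed line.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver
127.0.0.1       www.example-security-vendor.test   # would break downloads from here
0.0.0.0         update.example-av.test
not-an-address  ignored.test
"""

if __name__ == "__main__":
    # For a live Windows box: check_hosts_file(r"C:\WINDOWS\system32\drivers\etc\hosts")
    for f in sinkholed_names(SAMPLE_HOSTS):
        print(f"{f['name']} -> {f['address']}")
```

If this reports nothing but a name still resolves to 127.0.0.1, the hosts file is not the culprit and the answer lies in the resolver path itself, which is what Frank found once the hidden processes were terminated.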

Frank Haywood

Hi Tom,

Thanks for explaining that so clearly.

It was actually the first place I looked. 😉

But it was clean. It turns out that one of the malicious processes was intercepting all DNS requests and modifying them directly. When I terminated all the bad stuff I was able to access all the sites that were set to loopback to me previously.

I used the bit of software in #1 above to find the hidden processes and terminate them.

-Frank