72 tweets, 11 min read
OK, folks, I promised to update you on the situation of the guys who get hit with something (MyKings, Sodinokibi, etc.) every
couple of months.

So, gather 'round the fire, kids, it's story time.

The story has a happy ending this time but is not without some funny moments...
We had an agreement with their boss to drive with his car to my home address at 10:30 on Saturday and to drive me to their premises, because it's quite far away (one-hour commute for me) and I don't have a car.
At 10:00 he calls me and tells me with a happy voice that their sysadmin has solved the problem and there is no need for me to come.

Joy! "What was the problem?", imprudently ask I out of idle curiosity.

"Oh, it was some kind of attack but he stopped it."
Ahem. Having had four run-ins with the said sysadmin, in at least two of which his own machine was infected, I hope you'll forgive me for being a tad skeptical about his attack-stopping superpowers.
I enjoy having a nice weekend just like the next person, but my sense of duty prevails and I politely suggest that maybe, just maybe, it might be a good idea for me to take a look-see. Just in case, you know. He might have slipped and omitted some unimportant detail or something.
Fine. The boss agrees to come and to pick me up. Despite having my address, a smartphone, and Google Maps, he manages not only not to find my home but also to get lost, so he calls me again.
Fortunately, he tells me that he's at some kind of kindergarten and I know exactly where this is (it's two blocks away from where I live), so I tell him to stay put; I'll come and find him. I do and off we go.
We meet a gruff sysadmin who isn't terribly happy for having been dragged to work on a Saturday (I can relate!) instead of being left to fix some problem that his car has. He has solved the computer problem, so what's all this fuss about?!
Being unhealthily curious, I ask him what the problem was. Oh, some computer was infected with a Trojan and was DDoS-ing the Internet connection.
Not everybody is a computer virus expert, and having the bad luck of being the only one on the scene, I try to explain to him that "Trojan" is just a type of malware, so could he please tell me which particular Trojan it was?
Because, I am ashamed to admit, I can't remember off the top of my head one that DDoSes one's Internet connection.

"I don't remember", says the sysadmin. No problem, it's understandable - malware names are weird and sometimes hard to remember. Perhaps we could check the logs?
Logs? What logs? Apparently he hasn't thought that the AV program might be logging stuff. I assure him that every AV program can do that, and many do it by default. Which AV program is it, BTW?
It's AVG Free. Just about everyone is using that here, mostly because it's free and they don't have money. It's certainly not the worst AV program around (I'm looking at you, ClamAV), but the better ones cost money. Also, I'm pretty confident that it can log stuff.
Oh, and while we're on the way, how did you manage to solve the problem? Did the AV program remove the malware or something?
Uhm, he just kept disconnecting computers until the attacks stopped.

I stop in my tracks, too. So, you didn't remove the malware? Some PCs are still off-line? Incidentally, those that some people urgently need for some kind of end-of-year report. Including the one the boss uses.
Apparently, the sysadmin has studied the Art of Attack Stopping at the fine School of Internet Memes.
So, ah, forgive me for being so bold to ask, but what were you planning to do with these machines?

Well, when people come to work on Monday, they should clean them up.

I guess disinfecting machines is beneath the stuff that sysadmins do. At least this sysadmin.
OK, since I'm here anyway, and since I just happen to be a malware expert (woe is me), perhaps I could save some time of their owners by examining and cleaning them myself today, right?

Guess so.
We go to machine #1. It is, of course, off-line - but is turned on. Apparently, it's turned off so rarely that its user doesn't remember the password. Thankfully, the user appears, because she needs to do some urgent work on that late end-of-year report.
We tell her the "good" news and she assures us that she has the password written down somewhere.

Wait a sec, says I, don't you need to enter this password every time you log in from home via Remote Desktop?
Oh, she isn't using Remote Desktop. She's using TeamViewer. It's much more secure, quips the sysadmin, because the connection goes through the servers of the producing company and the password is alphanumeric.

Whatever.
I whip out my flash drive full of malware fighting tools and start examining the machine. Malware usually wants to be persistent, so I start with Sysinternals' Autoruns. After five minutes of careful examination of the report I don't see anything suspicious.
A few missing files, a few unsigned executables, but nothing obviously bad. WTF?
Maybe it's something exceptionally clever that runs only from memory, or stealths the persistence hooks in the Registry? I try Kaspersky's TDSSKiller - it's pretty good at finding stealth rootkits. It finds nothing.

WTF?!
OK, but the AV found something, right? OK, let's initiate a full scan. While we're waiting for it to finish (it takes quite a while), the sysadmin happily informs me that he saw the AV report on some other machine, not here.

Oookay...
But since we're scanning anyway, let's wait for it to finish.

The scanning ends. Nothing found, except that it complains about not having been updated for a while (which we can't do, because the PC's Internet connection is off) and a few nags about buying the full version. WTF?
OK, I'm always reluctant to pronounce a machine as being 100% malware-free, but I am ready to admit that if there is malware on it, it's smarter than me and that's quite something.

So, I ask the sysadmin to re-connect it to the Internet to see what happens.
This is a slow process - he has to find a ladder and dig into some connections in the hallway. After a while, the tray icon shows that the machine now has Internet connection.
However, both ping and the browser take exception to the tray icon's opinion, because neither of them can reach anything - not even Google. In fact, ping can't even resolve Google's IP address. A DNS problem, perhaps?
What is worse, all the other machines in the building (that were never disconnected) again experience connectivity problems.
The network is being flooded, claims the sysadmin. OK, how about some more specific information? Could you please check the traffic logs and tell me which machine (internal IP) floods the network and over what port?

No can do.
Why not?!

We don't have a network, says the sysadmin. Every PC connects to a router, which is connected to the Internet.

Ah, right, I should have remembered that from the last time; besides our Lab has the same setup.
Wait a sec, then if you can't see the traffic, how do you know that the network is flooded?

Well, he apparently runs Speedtest from his own machine and if it shows an exceptionally low speed, it must be because the network is flooded.

The network that they don't have.
OK, somebody must be seeing the traffic, no? Let's call the ISP.

We already did that yesterday, says the sysadmin.

And? (The suspense is killing me.)

There is no traffic, said the ISP. You must be having some cable problem somewhere.
Well, if we disconnect the machine I've been examining, the Internet connection of everybody else works just fine, so it can't be a cable problem between the building and the ISP.
A hardware problem, perhaps? A DNS problem? A noisy (faulty) network card? Two machines were given the same IP address?

No to the latter, says the sysadmin, I'm assigning static internal IPs to each machine.
"Maybe it's the other machine?", helpfully suggests the machine owner.

I look at her dumbfounded. What other machine?

Oh, there is another machine somewhere here, buried under some paperwork. She almost never uses it but it's turned on.
The two machines connect to a switch, which then connects to the router.

OK, let's do an experiment. Disconnect that machine from the switch and re-enable the Internet connection. Same problem - everything stops working. OK, so it's not the other machine.
Just a wild thought - let's check the switch as well? Disconnect the main machine from it and connect it directly to the router, then re-enable the Internet connection.
We do and - hooray! - everything works. The machine has Internet connection and so does everybody else.

It was the fucking switch!!!
OK, OK, problem #1 solved.

But, remember, the machines in 3 other rooms are still disconnected, because the sysadmin couldn't figure out which one of the 4 was causing the problem and he said the AV program reported something on one of them.

Let's move to problem #2.
Problem #2 is in Accounting.

Wait a sec, you have an infected machine in Accounting?! Do you *want* your salaries ransomwared?

Oh, not a problem, they regularly back up to the cloud.

Ooookay...

We'll burn that bridge when we come to it. Let's see problem #2.
At this point the sysadmin proudly informs me that he has written a script that runs at boot time on each of the machines in Accounting (there are 4 of them). The script uses the scanner to run a full scan on the whole machine.
It takes about an hour, so when people come to work, they turn on their machine and go for a coffee and a chat for an hour, 'coz no work can be done on their machines until the scanning finishes, so Windows can start.
I kindly inform him that scheduled on-demand scans are usually a waste of time and money and have been obsolete since the early '90s. If the AV can detect the malware, the on-access scanner will stop it. If it can't, the on-demand scan won't find it, either.
The only times when on-demand scanning makes sense are:

1) When installing the AV on a new machine, to make sure it's clean.

2) When you have reasons to suspect that the machine is infected, but the AV which originally missed the malware has been updated and can now detect it.
3) When the on-access scanner's scanning engine is inferior to the scanning engine of the on-demand scanner.

(Spoiler: the times when this was the case died with MS-DOS.)
Better safe than sorry, stubbornly insists the sysadmin. Well, it's not my time wasted, so I let it be.

Actually, it *is* my time wasted, 'coz we find all the 4 machines off and have to wait until they boot and run the stupid scan. But at least I get to see the detection report.
Machine #1 is pronounced malware-free. However, as Windows loads, we get a small message box, informing us that some startup program could not be found.

"What is this?", ask I.

Oh, it's just some cadaver of a program that's not been uninstalled properly, says the sysadmin.
Since I hate messy shit, I fire up Autoruns, find the key trying to run the missing program, and disable it. I also inspect the report for other signs of malware persistence but find nothing suspicious.

Still, I have a nagging feeling...
You see, how often do you have a legitimate WMI script started from a Run key, with the script residing in

C:\Users\<user>\Temp\temp\XXXX\Video.3gp

?

Still, since the file is not there, I can't inspect it and keep my suspicions for myself.
Machines #2 and #3 finish the stupid boot scan, start Windows, I inspect them for malware persistence, and pronounce them malware-free.
Machine #4 - not so much.

The stupid boot-time scan finds malware in 4 files there. They all reside in directories

C:\Users\<user>\Temp\temp\<four_uppercase_characters>

and all have names that suggest video or image files, with a second extension like LNK.
My nagging feelings rarely deceive me.
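An added example (not the author's tooling) of the kind of triage described above for the startup entries Autoruns showed: a script-host entry pointing into a user Temp directory with a dangling target, and files with media-looking names carrying a second extension like LNK. The entries, the user name "alice" and the heuristics are constructed assumptions, not an Autoruns or AVG feature.

```python
import re

# Added example, not the author's code. Heuristics are assumptions distilled
# from the thread's observations, applied to a constructed Autoruns-style sample.

MEDIA_EXT = {"3gp", "mp4", "avi", "jpg", "jpeg", "png", "gif"}
RUNNABLE_EXT = {"lnk", "vbs", "vbe", "js", "jse", "wsf", "hta", "bat", "cmd", "exe", "scr", "ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "powershell.exe"}
# Matches C:\Users\<user>\Temp\ as well as the AppData\Local\Temp variant.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata\\local\\)?temp\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1]

def triage_entry(entry):
    """Return the reasons one startup entry deserves a closer look ([] = unremarkable).
    entry: dict with 'image' (program launched), 'argument' (file handed to it,
    may be empty) and 'present' (whether the target still exists on disk)."""
    target = entry["argument"] or entry["image"]
    name = basename(target).lower()
    exts = name.split(".")[1:]
    reasons = []
    if USER_TEMP.match(target):
        reasons.append("runs from a user Temp directory")
    if len(exts) >= 2 and exts[0] in MEDIA_EXT and exts[-1] in RUNNABLE_EXT:
        reasons.append("media-looking name with a runnable second extension")
    host = basename(entry["image"]).lower()
    if host in SCRIPT_HOSTS and entry["argument"]:
        if exts and exts[-1] not in RUNNABLE_EXT:
            reasons.append(f"{host} asked to run a .{exts[-1]} file")
        else:
            reasons.append(f"script host {host} launches the target")
    if not entry["present"]:
        reasons.append("target missing: dangling entry, disable it and keep the path as evidence")
    return reasons

# Constructed sample modelled on the thread; 'alice' and the 4-letter dirs are placeholders.
SAMPLE_ENTRIES = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "argument": r"C:\Users\alice\Temp\temp\ABCD\Video.3gp", "present": False},
    {"image": r"C:\Users\alice\Temp\temp\QRST\Image.jpg.lnk", "argument": "", "present": True},
    {"image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "argument": "", "present": True},
]

def triage_all(entries):
    """Map each entry's target path to its list of reasons."""
    return {(e["argument"] or e["image"]): triage_entry(e) for e in entries}

if __name__ == "__main__":
    for target, reasons in triage_all(SAMPLE_ENTRIES).items():
        print(target, "->", "; ".join(reasons) or "nothing remarkable")
```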
According to AVG, the malware is "VBS:Agent-Q [Trj]" which means literally nothing besides the fact that this is the small downloader stage of some malware.
"Yeah, that's the thing", says the sysadmin.

(Thank you, Captain Obvious.)

"I remove it but it keeps re-appearing."

This is bad. It suggests that there is undetected malware somewhere on the machine that re-creates these files.
So, I start digging. Autoruns - nothing. TDSSKiller - nothing. Process Hacker - nothing. I can't find anything on the machine that shows the machine as being infected, besides the presence of these 4 files.
Then I remember that just because somebody tells you something doesn't necessarily mean that it is true.

He's been removing these things regularly but they keep re-appearing? Evidence, please.

So, I look at the directory timestamps.
You see, on Windows, it's easy to fake the timestamp of a file. Of a directory - not so much.

There is an API that lets you set any of the 3 file timestamps (creation, modification, access) to anything you want. But it requires a handle of an opened file.
Unlike Unix-like OSes, on Windows you can't open a directory as you would open a file, so this API doesn't work on directories. You can patch the disk at a sector level, which in the case of NTFS is horrendously difficult.
Or you could change the system time before modifying the directory contents - but this requires admin access.
Not impossible, but most malware doesn't bother, so a directory timestamp is a pretty good indication of when some file (e.g., malware) was last put in (or removed from) this directory.

In our case the timestamp is from April 20, 2018. So much for "regularly removing them".
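An added example (not the author's code) of the timestamp check described above: a file's own stamps are forged back to 2018 while the directory's stamp stays put, and a real removal is what actually moves the directory stamp. It runs on any OS; note that on Unix-like systems os.utime can rewrite a directory's stamps too, so this shows the relation between file and directory stamps, not the Windows API limitation. File names and the 2018 date are constructed.

```python
import os
import tempfile
import time
from datetime import datetime

# Added example, not the author's code. Demonstrates why the directory stamp is
# the one to read: forging a file's stamps leaves it alone, adding or removing an
# entry moves it. (On Unix-like systems a directory's stamps can be rewritten with
# os.utime as well; the thread's point is about the Windows API.)

BACKDATED = datetime(2018, 4, 20, 12, 0).timestamp()  # constructed stand-in for "April 20, 2018"

def entry_change_time(directory):
    """Last time an entry was created, deleted or renamed in `directory`.
    Rewriting a file's stamps or editing a file in place does not move it."""
    return os.stat(directory).st_mtime

def listing_report(directory):
    """(directory mtime, {file name: file mtime}) so the untrusted file stamps
    can be compared with the directory stamp at a glance."""
    files = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            files[name] = os.stat(path).st_mtime
    return entry_change_time(directory), files

def demo():
    """Constructed scenario: two empty files with media-looking names, the first
    one's stamps forged back to 2018, then one file removed the way the sysadmin
    said he 'regularly' did. Returns the measured timestamps."""
    with tempfile.TemporaryDirectory() as d:
        dropper = os.path.join(d, "Video.3gp.lnk")   # constructed name, empty file
        decoy = os.path.join(d, "Image.jpg.lnk")
        for p in (dropper, decoy):
            open(p, "w").close()
        dir_before = entry_change_time(d)
        os.utime(dropper, (BACKDATED, BACKDATED))   # forge the file's own stamps
        dir_after_forge = entry_change_time(d)
        time.sleep(1.1)   # outlast coarse (1 s) timestamp granularity
        os.remove(decoy)  # a real removal: this does move the directory stamp
        dir_after_remove, files = listing_report(d)
        return {
            "file_mtime": files["Video.3gp.lnk"],
            "dir_before": dir_before,
            "dir_after_forge": dir_after_forge,
            "dir_after_remove": dir_after_remove,
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>16}: {time.ctime(value)}")
```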
Basically, two years ago at least two of the four machines were infected with something and then improperly disinfected - with different levels of impropriety. But they aren't infected now, which I guess is good news.
BTW, as AVG is performing the stupid boot scan, it prominently displays at the top of the screen the path to the file where it logs the results. You just need a competent observer to notice it - but AVG does not deliver those as part of their product; you have to hire them yourself.
I spend another half an hour inspecting cases #3 and #4 in two other rooms (the boss' and the scientific secretary's) and pronounce them malware-free. The Internet is working and there are no infected machines, yay!

We're calling this one a success.
On the way back I have a chat with the boss and stress the importance of having competent system administration to prevent malware attacks. I tell him that the machines should be connected together, so that they can be administered from a central point.
Make sure they are updated, AV is running, monitor the logs for suspicious behavior - that sort of thing.
I also make sure to stress that if this is done but not properly (and left unmonitored) the result can easily be *worse* than it is now, because it means that an attacker who gets a foothold on one machine can pwn the whole network.
No, I can't sell you an AV that will do the protection for you. No, you can't pay somebody to set this up and then abandon it, hoping that it will keep working. You need a competent sysadmin who can build AND maintain this setup.
The current sysadmin wants to buy some 2 Gb router that costs 3,000 euros (which they can't afford) and route all the traffic through it (where it can be monitored), instead of the current situation where everybody connects to the Internet individually.
I explain to the boss that such a setup will be better than the current Wild West situation, but not as good as the scenario I have described and that I can't decide for him whether it will be "more than 3,000 euros better".
At this point he delivers me to my home and we bid each other goodbye.

I'm sure we'll see each other again in a couple of months. I wonder what would be the problem then and whether I'd be able to help...

THE END?
Keep Current with Vess