Our first big infection

By John Viega
November 24, 2008 | Comments: 4

At 7:30 eastern this morning, one of my brothers called to tell me that he is "being attacked by hackers. My computer has hackers on it, and over 100 viruses, spywares and password stealing Trojans, and I don't even know what all those things are. It says click here to scan now, I guess I should do it?"

Ugh, no!!! He was about to fall prey to a common scam. He did have some bad stuff on his computer (his existing anti-virus had indeed failed him), but it was trying to get him to pay to remove itself and a bunch of phantom viruses that didn't really exist.

This is typical "rogue anti-virus" software. Another family member called me with a similar problem maybe 6 months ago. All I could tell him at the time was to try other vendors' products in hopes that one would work, or to re-install his whole system if nothing worked out. Figuring out what was infecting him and removing it was just going to be too much time lost, not just because of lack of tools, but also because he lives hundreds of miles from me, and it would be too much work even just to talk him through setting up remote desktop so I could log in and figure stuff out for him.

But this time, it was different. At the end of last week, my company went into private beta for a new kind of anti-virus technology. We basically collect data about programs automatically from our user base and analyze it centrally to mark what is good and bad. Before my brother, we'd had a few dozen people actively testing the product for us to see how robust the software itself is. With this extremely limited user base, we have only seen right around 30K unique executable files so far (we expect to get into the millions once we have a large user base).

Prior to this morning, our automation had found only 19 different pieces of malware on our customers' systems (all instances subsequently removed). They were all easy things to pick out, mainly adware and spyware from the company that goes under many names, like Zango, Hotbar and 180solutions. Those guys are in a murky grey area... they can make a legal argument for what they're doing, even if that argument may have some holes. But at the end of the day, their business practices are highly deceptive, and people never want their software. But, they are insanely widespread.

My brother's problem probably wasn't trying to steal his financial data, but it sure was making his machine unusable, mainly because of the flashing alerts and windows that try to stay on top.

The first thing I did was point him at our software. He installed it, then I asked him to run a full file scan, which looks in detail at every bit of executable content on his system. We found several pieces of malware on his machine, such as:

  • \Program Files\avirtrssoftware\AVIRTR.EXE
  • \Program Files\webmediaviewer\QTTASK.EXE
  • \Program Files\webmediaviewer\HPMON.EXE
  • \Program Files\webmediaviewer\HPMUN.DLL
  • \Windows\system32\UMHZWL.DLL

The first executable had a product name and vendor associated with it, "AntivirusTrigger Software" and "AntivirusTrigger Company". Of course, their software wasn't digitally signed (though stuff from companies like Zango usually is).

These three exes (and the associated DLLs) are all from a single infection. From the path information above, it seems he probably installed the malware himself in the guise of downloading a media viewer to look at something on the Internet. This is a common way for systems to get infected.

It was satisfying to catch the infection, but very often traditional anti-virus only catches part of an infection, not the whole thing, and you basically still have the same bad stuff running. As our software was cleaning up his infection, I wanted to make sure there was nothing bad left.

So, I asked him for his license key. He gave it to me, then I queried our database, and asked it to show me every executable on his machine that our database didn't know for sure was good, and didn't know for sure was bad. Since he'd just scanned his entire drive, and we hadn't yet pruned the logs for all those queries, I could recover that info, given his license key.

I was shocked that there wasn't much we hadn't seen:

  • \Program Files\SafeNet ProtectDrive\STORAGEENCRYPTIONSERVICE.EXE
  • \Program Files\SafeNet ProtectDrive\PDENCODER.EXE
  • \Program Files\SafeNet ProtectDrive\PDTRAYICON.EXE
  • \Program Files\SafeNet ProtectDrive\CLIENTDM.EXE
  • \Program Files\SafeNet ProtectDrive\CHKCRYP.EXE
  • \%AppData%\SMILEBOXTRAY.EXE
  • \Windows\temp\G7RQMM7S.DLL

Note that the %AppData% path up there is a generic path representation: we remove anything user specific from path data.

For those few things we hadn't seen before, it took us a minute on the phone to resolve. I know the SafeNet ProtectDrive hard disk encryption product well, and he confirmed that his company had put it on the machine. And he told me that the other program was a scrapbooking utility that he used. It took me a minute on Google to get enough data to convince myself the vendor is legitimate.

I was pretty certain the final item was part of the malware and just hadn't shown any bad behavior in the short time it was executing. I manually tagged it as bad.

So, everything looked pretty good. We also scanned for rootkits that could be hiding in the kernel, but found nothing. If there was any residual infection, that's where it would be hiding.

Tonight, I'll inventory whether any executables ran on his machine that aren't on our good list, and I'll look to see if there are any new executables created that aren't on our good list. If that goes well, I'll give him a clean bill of health.
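The response loop described above (pull the scan inventory, pick out what the reputation database can't classify either way, review those few by hand, tag one as bad, then re-check later execution and file-creation events against the good list) as an added example in Python. This is not the author's product code or backend; the path-normalization rules, the review cues, and every hash and file below are constructed for the example, and the reviewer's verdicts are passed in explicitly rather than decided by the code.

```python
"""Reputation-based triage of a file-scan inventory (added example, not the post's code)."""
import re
from dataclasses import dataclass

# Assumed normalization rules: the post only says user-specific parts are removed,
# so these patterns are this example's guess at a generic path representation.
_USER_DIR_RULES = [
    (re.compile(r"^\\Documents and Settings\\[^\\]+\\Application Data\\", re.I), "\\%AppData%\\"),
    (re.compile(r"^\\Users\\[^\\]+\\AppData\\Roaming\\", re.I), "\\%AppData%\\"),
    (re.compile(r"^\\Documents and Settings\\[^\\]+\\", re.I), "\\%UserProfile%\\"),
    (re.compile(r"^\\Users\\[^\\]+\\", re.I), "\\%UserProfile%\\"),
]


def normalize_path(path: str) -> str:
    """Drop the drive letter and replace per-user profile directories with placeholders."""
    p = re.sub(r"^[A-Za-z]:", "", path.replace("/", "\\"))
    if not p.startswith("\\"):
        p = "\\" + p
    for pattern, generic in _USER_DIR_RULES:
        p, count = pattern.subn(lambda _m, g=generic: g, p)
        if count:
            break
    return p


@dataclass(frozen=True)
class ScannedFile:
    path: str
    sha256: str          # constructed placeholder string, not a real digest
    vendor: str = ""
    signed: bool = False


def triage(inventory, known_good, known_bad):
    """Split scan results by hash reputation; anything in neither list needs a human."""
    buckets = {"bad": [], "good": [], "unknown": []}
    for f in inventory:
        key = "bad" if f.sha256 in known_bad else "good" if f.sha256 in known_good else "unknown"
        buckets[key].append(f)
    return buckets


def review_cues(f):
    """Cheap cues for a reviewer looking at an unknown file (this example's picks)."""
    cues = []
    if not f.signed:
        cues.append("unsigned")
    if not f.vendor:
        cues.append("no vendor metadata")
    if normalize_path(f.path).lower().startswith(("\\windows\\temp\\", "\\%appdata%\\")):
        cues.append("runs from a user-writable location")
    return cues


def residual_check(events, known_good):
    """After cleanup: executables that ran or were created and are still not on the good list."""
    return [e for e in events if e.sha256 not in known_good]


def run_response(scan, known_good, known_bad, decisions, events):
    """Walk the whole loop once. `decisions` maps an unknown file's hash to the
    reviewer's verdict ("good" or "bad"); unreviewed unknowns stay unknown."""
    good, bad = set(known_good), set(known_bad)
    buckets = triage(scan, good, bad)
    for f in buckets["unknown"]:
        verdict = decisions.get(f.sha256)
        if verdict == "bad":
            bad.add(f.sha256)
        elif verdict == "good":
            good.add(f.sha256)
    return {
        "removed": [normalize_path(f.path) for f in buckets["bad"]],
        "reviewed": [normalize_path(f.path) for f in buckets["unknown"]],
        "residual": [normalize_path(e.path) for e in residual_check(events, good)],
    }


# Constructed sample data: paths echo the post, hashes are placeholders.
KNOWN_BAD = {"h-avirtr", "h-qttask"}
KNOWN_GOOD = {"h-pdtray", "h-explorer"}
SCAN = [
    ScannedFile(r"C:\Program Files\avirtrssoftware\AVIRTR.EXE", "h-avirtr", "AntivirusTrigger Company"),
    ScannedFile(r"C:\Program Files\webmediaviewer\QTTASK.EXE", "h-qttask"),
    ScannedFile(r"C:\Program Files\SafeNet ProtectDrive\PDTRAYICON.EXE", "h-pdtray", "SafeNet", True),
    ScannedFile(r"C:\Documents and Settings\bob\Application Data\SMILEBOXTRAY.EXE", "h-smilebox", "SmileBox", True),
    ScannedFile(r"C:\Windows\temp\G7RQMM7S.DLL", "h-g7rq"),
]
DECISIONS = {"h-smilebox": "good", "h-g7rq": "bad"}   # the human's calls after review
EVENTS = [  # constructed later activity: one known program ran, one new file appeared
    ScannedFile(r"C:\Windows\explorer.exe", "h-explorer", "Microsoft", True),
    ScannedFile(r"C:\Windows\system32\UMHZWL.DLL", "h-umhzwl"),
]

if __name__ == "__main__":
    for f in triage(SCAN, KNOWN_GOOD, KNOWN_BAD)["unknown"]:
        print(normalize_path(f.path), review_cues(f))
    print(run_response(SCAN, KNOWN_GOOD, KNOWN_BAD, DECISIONS, EVENTS))
```

The point of `residual_check` being keyed on the good list rather than the bad list is the one the post makes: a scanner that only reports what it knows is bad cannot tell you the machine is clean, whereas "everything that ran is on the good list" can.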

But, the amazing thing to me is how dirt simple the response process has been. It took less than 15 minutes of my time spread over a few hours. In that time, I helped him find and download the product, I reviewed information about a few programs our system hadn't seen before and did a bit of research using Google. At the end of it all, I was pretty confident that nothing on his machine was going to cause problems. Anybody with access to our backend could have done what I did in about the same amount of time.

That's an amazing thing. I've seen plenty of people pay the big Nerd Herd-style help desk companies $100+ for malware removal services, which seem to involve primarily just running a big-name AV scan. Several times, I've seen the machine come back, and there's still malware on it. The people working at help desk companies typically don't have any way to know for sure if all the malware is gone, because the products they use just tell them what's bad.

Even if our software had caught nothing, it wouldn't have taken me long to inventory the "unknown" software on his machine and lock it down or delete it. And, I didn't need to be there in person.

If only everybody's AV experience were like this (though, it was still quite scary and traumatic for my poor brother). With better program reputation data through widespread (and automatic) data sharing, maybe we'll be able to make that the case. It's a much better way than just cataloging the bad stuff, the way traditional antivirus does.

4 Comments

Would have been nice to finish reading your article but O'Reilly has ads pasted over the text.

@L.A. Weber,

What browser are you using? In Firefox and Safari this looks fine. I'm only seeing the book ads at the bottom of the article and some other recommendations in the sidebar.

Cut your brother some slack. You should know that viruses create folders named in ways that are unrelated to how they were acquired.

The assumption always seems to be that the user clicked on something to cause the infection. A remote code execution exploit is more likely by far.

CK,

Fair point, though I do believe from conversations with him that he probably did download a codec to see some internet meme.

Thanks,

John