It was a Friday evening in December last year. I’d just got in from work, fed the cat, made myself a nice cup of coffee and settled down in front of the PC to catch up on the usual Friday evening internet entertainments: Bob the Angry Flower and the B3ta newsletter.
Chuckles all round, until I clicked one of the B3ta links to an apparently hilarious site, which loaded normally at first, but then appeared to kick Adobe Reader into action. A few seconds later I found that my browser was completely unresponsive. Strange.
Not that strange, though. I use Mozilla SeaMonkey as my main browser at home out of sheer dogged contrariness and I’m used to it occasionally going into a flat spin, especially when it encounters too many Flash ads on a single page. However, the unbidden appearance of Reader seemed a little suspicious and the sudden wild thrashing of the hard drive was a bit worrying as well.
I hit [CTRL]+[ALT]+[DEL], waited what seemed like an age for the Task Manager to appear, then finally gave up, held the power button down for five seconds and restarted.
Damn and Blaster
Like, I imagine, most of us, I take the security of my PC reasonably seriously but I don’t obsess over it. I’ve had this PC since 2003 and before last year it had been compromised approximately once, in the days before SP2 happened and the firewall didn’t start by default on a new connection.
My broadband got switched on at my new house, I set it up and within five minutes I had the Blaster worm spewing pop-ups at me and trying to shut my PC down. Annoying, but easily fixed.
Since then I’ve taken sensible precautions, but nothing over the top. I ran ZoneAlarm for a while until I got SP2 and switched to the Windows Firewall, I use AVG antivirus and my PC sits behind a firewalled router rather than the nasty USB modem that originally came with my broadband package. Nothing spectacular, but it does the trick.
Evil twin
Or at least it did until that fateful evening in December. The PC restarted happily enough, but paranoia had started to creep in, so I figured it wouldn’t hurt to have a little peek under the bonnet to check that everything was in order.
I hit [CTRL]+ [ALT]+[DEL] again to bring up the Task Manager and had a scan through what was running. Everything looked normal enough until I spotted something called JimMcCauley.exe, which I was reasonably sure I’d never noticed before.
I ran a search for it and found it nestled in my Windows/System32 folder, where I discovered that it had been created only five minutes previously. Not a good sign. I tried to stop the process, but the process refused to be stopped.
Uh-oh
Next, I launched a command line window and ran Netstat. I love Netstat – it gives you a list of all the internet connections you have open and is very handy for telling you if something’s talking to somewhere it shouldn’t be.
I was expecting to find maybe one or two slightly suspicious connections. What I got was about a billion connections to Russian mailservers. Oh, shit. I yanked the network cable and panicked for a bit.
Action stations
The problem with this sort of infection is that, even if you’re reasonably careful about what you run and where you go online, there’s still a strong likelihood that sooner or later you’re going to get hit by something really unpleasant and that, when it happens, you’re going to be completely unprepared for it.
You can have all the antivirus you want; the AV people are still fighting a running battle against endlessly inventive dickheads who’ll regularly get the upper hand in their ongoing quest to steal control of your PC.
One day you’ll get unlucky and a shiny new piece of malware will sail through your antivirus without so much as a second thought – and I can guarantee that you absolutely won’t have the tools you need to deal with it at hand.
So, I restarted in Safe Mode and ran a full AVG scan. It took over an hour and pulled up a few files for removal – files that it hadn’t prevented from landing on my system in the first place, I might add. Once that was done I ran Microsoft’s Malicious Software Removal tool, which had some good news and some bad news for me.
The good news was that it identified the culprit in reasonably short order. The bad news was that it couldn’t actually do anything about it. Malicious Software Removal Tool? Malicious Software Identification and Removal If You’re Lucky Tool, more like.
Then I had a brilliant idea – why not just run System Restore and roll the PC back to its blissful, uninfected state of a few days ago? A truly awesome idea, I’m sure you’ll agree – or it was until I discovered that where there should have been a smorgasbord of restore points to choose from, there was nothing. This evil little bit of code had trashed them all.
Bigger guns
By now it was about two hours down the line and I was getting a bit cross. Everything in my limited antiviral arsenal had failed me and I still had a PC that was quarantined off from the rest of the world.
So, to my number one tip for dealing with viral armageddon: always make sure that you have a spare PC handy, because you’re going to need it. And, with at least a name to pin on my special new malware chum, I got out the laptop and started researching.
I quickly discovered that the generally recommended course of action in this situation is to format your hard disk and then burn your PC just to be on the safe side. This seemed a little extreme, but thankfully there were other options on offer, the most promising of which was Malwarebytes Anti-Malware.
I downloaded it, copied it onto a flash drive and over to the PC, where I ran it – only to discover that it insisted on downloading an update. To hell with it; I was getting tired and seriously annoyed by now, so I plugged the network cable back in and let it get on with updating itself.
Only it couldn’t connect. It turns out that whoever coded my infestation had anticipated this particular move and was blocking access to the Malwarebytes site. You have to respect that kind of sheer malevolent ingenuity, don’t you? I mean, I’d still happily waterboard the culprits, but I’d respect them at the same time.
However, what they didn’t anticipate was me finding Google’s cached version of the page, where the latest update lived, nabbing it from there and then applying it manually, so perhaps a little less respect is due. Patch applied, I pulled the network cable out again, set Malwarebytes to work and had some dinner.
By the time I returned to my desk, Malwarebytes had done a lot of cleaning and appeared to have caught and cleaned everything. Everything, that is, except for our old friend, the indestructible JimMcCauley.exe.
Deleting locked files
But Malwarebytes had another trick up its sleeve; alongside its standard Sweep and Clear mode, tucked away in its More Tools section was the impressive-sounding FileASSASSIN. FileASSASSIN, I was told, can delete locked files on your system, so I gave it a shot. I pointed it at my evil digital namesake and with a couple of clicks it was assassinated.
Job done? Nearly. Just to be on the safe side, I ran HijackThis and had a quick comb through the registry to check for anything untoward, before restarting and then, to be on the extra safe side, I downloaded Sophos’s Anti-Rootkit app and let it give my PC a good once-over.
Clean as a whistle, as demonstrated when I opened a new command line window, ran Netstat again and found that all those Russian mailserver connections were gone forever. After five hours I finally relaxed and poured myself a very large glass of wine.
Live and don’t learn
So then, what have we learned? Most importantly, don’t ever believe that you’re fully protected. The only truly secure system is one that’s not connected to anything; beyond that you’re taking your chances. And to be honest I’d rather not submit to layer upon layer of unnecessary security, so despite what happened, my settings remain unchanged.
I do, however, have Malwarebytes ready and waiting on my desktop, so I can sleep soundly in the knowledge that should I get hit again sometime in the future… Well, I’ll probably have a new PC by then and I’ll have forgotten to reinstall the software, so I expect I’ll be just as boned. So it goes.
Read the original:
In Depth: How to survive a drive-by malware attack
