I feel like an idiot when I do stuff like this...
I managed to get my work laptop trojan'ed and rootkit'ed yesterday. What I did to cause this was stupid on many levels....
I was looking for the utility software for an old CompUSA 16MB USB thumb drive (yes, that's 16 megabytes). It had some utility software that could set up a separate partition with password protection. The software came on a CD-ROM (which I've since mislaid), and used to be available on CompUSA's web site (which it is no longer, since CompUSA is mostly out of business at this point). Really, I should just take this thumb drive and throw it away, particularly seeing as how I just got four 2 gigabyte thumb drives for free (by redeeming Pepsi Stuff points), and over the last few months I've acquired two 8 gigabyte Sandisk U3 thumb drives, as well as one of the 4 gigabyte model. And I have a one gigabyte Verbatim thumb drive in front of me right now, that already supports password protection (and which I already have the software for). So it's not like I really need a 16 megabyte thumb drive. But it was sort of a matter of principle - as long as I had the thing, I wanted to have the utility software for it too. I'm told that this particular thumb drive, while badged with CompUSA's name, is actually manufactured by a company called FMI (as were many of the items that CompUSA sold that were branded with the CompUSA name). I would go looking on their site for the software, but I can't seem to find the company or any web site associated with them. So I went Googling around looking to see if anyone had this software cached.
I thought I found it, and downloaded it. And I even thought, just before I opened it, "I wonder if I should open this on a test machine?" But my two Windows test machines (that have the Faronics "Deep Freeze" software installed - which is a freakin' amazing product, no matter what happens to those machines, all I have to do is reboot, and poof!, they're back to normal...) are currently disassembled in a heap in my lab due to some ongoing renovations. So I figured, "What could happen? I mean, this is utility software for an obsolete and obscure USB thumb drive, if someone wanted to put some evil software out there, they'd surely not represent it as this."
So I opened it. I knew I had a problem when the thing said "Installing Coolplay" (Coolplay? This is supposed to be USB drive utility software, not a media player...), and I cancelled out of it. But then I started getting pop-ups from Symantec Desktop Firewall, telling me that "Windows Subsystem" was trying to open a network connection to some machine in Latvia (the fact that it was reported as being "Windows Subsystem" means that the thing had inserted itself into the operating system itself, probably via some kind of device driver). And my machine was suddenly using some random DNS servers (also in Latvia...) to look up hosthames, though no such DNS servers were configured into my network settings. And anytime I would search for anything in Google, when I clicked on a search result, it would take me to a random advertising page instead of where I was supposed to go.
I pulled my network connection, went off to another machine, and downloaded my two favorite tools for dealing with such things on Windows - Malwarebytes' Anti-Malware (don't forget to download the updated malware database, too), and ComboFix. Which I stored, yes, on yet another USB thumb drive I happened to have lying around. I've gotten very familiar with the tools that are needed to remove viruses, trojans, and other assorted malware from Windows machines, because it seems that at least once every couple of months, either one of my friends or one of cajdb's friends comes to me with "My computer is acting wierd, can you take a look at it?" - and it almost always turns out that they have some kind of malware infestation on their system....
Running these two tools in turn (and removing a couple of things by hand, which I'd found by Googling around for info about this malware from my phone) disinfected my machine. But it cost me about 2 hours of my time (most of which was spent waiting for the Malwarebytes scanner to run - it takes quite a while). Oh, yeah - and I run Symantec Antivirus Corporate on my system, and it gets updated from a central update server at least once a day, and I always have real-time protection turned on. So you'd think it would have caught this before it even had a chance to install itself. But no, of course not - that would make too much sense. (Even though, for instance, some of the network analysis tools that I need in order to do my actual job, are "quarantined" by Symantec Antivirus any time I try to use them, with no option to un-quarantine - all you can do is delete - because SAV considers them to be "Hacking Tools"...)
All because of trying to locate the software for an obsolete piece of hardware that I should simply throw away.
Of course, now it's even more a matter of principle than before - I'm unlikely to throw it away now, since I've gone through so much trouble now because of it - wouldn't want to waste that investment of time... And I will still try to find this software later - once my test machines are put back together... :-)
I was looking for the utility software for an old CompUSA 16MB USB thumb drive (yes, that's 16 megabytes). It had some utility software that could set up a separate partition with password protection. The software came on a CD-ROM (which I've since mislaid), and used to be available on CompUSA's web site (which it is no longer, since CompUSA is mostly out of business at this point). Really, I should just take this thumb drive and throw it away, particularly seeing as how I just got four 2 gigabyte thumb drives for free (by redeeming Pepsi Stuff points), and over the last few months I've acquired two 8 gigabyte Sandisk U3 thumb drives, as well as one of the 4 gigabyte model. And I have a one gigabyte Verbatim thumb drive in front of me right now, that already supports password protection (and which I already have the software for). So it's not like I really need a 16 megabyte thumb drive. But it was sort of a matter of principle - as long as I had the thing, I wanted to have the utility software for it too. I'm told that this particular thumb drive, while badged with CompUSA's name, is actually manufactured by a company called FMI (as were many of the items that CompUSA sold that were branded with the CompUSA name). I would go looking on their site for the software, but I can't seem to find the company or any web site associated with them. So I went Googling around looking to see if anyone had this software cached.
I thought I found it, and downloaded it. And I even thought, just before I opened it, "I wonder if I should open this on a test machine?" But my two Windows test machines (that have the Faronics "Deep Freeze" software installed - which is a freakin' amazing product, no matter what happens to those machines, all I have to do is reboot, and poof!, they're back to normal...) are currently disassembled in a heap in my lab due to some ongoing renovations. So I figured, "What could happen? I mean, this is utility software for an obsolete and obscure USB thumb drive, if someone wanted to put some evil software out there, they'd surely not represent it as this."
So I opened it. I knew I had a problem when the thing said "Installing Coolplay" (Coolplay? This is supposed to be USB drive utility software, not a media player...), and I cancelled out of it. But then I started getting pop-ups from Symantec Desktop Firewall, telling me that "Windows Subsystem" was trying to open a network connection to some machine in Latvia (the fact that it was reported as being "Windows Subsystem" means that the thing had inserted itself into the operating system itself, probably via some kind of device driver). And my machine was suddenly using some random DNS servers (also in Latvia...) to look up hosthames, though no such DNS servers were configured into my network settings. And anytime I would search for anything in Google, when I clicked on a search result, it would take me to a random advertising page instead of where I was supposed to go.
I pulled my network connection, went off to another machine, and downloaded my two favorite tools for dealing with such things on Windows - Malwarebytes' Anti-Malware (don't forget to download the updated malware database, too), and ComboFix. Which I stored, yes, on yet another USB thumb drive I happened to have lying around. I've gotten very familiar with the tools that are needed to remove viruses, trojans, and other assorted malware from Windows machines, because it seems that at least once every couple of months, either one of my friends or one of cajdb's friends comes to me with "My computer is acting wierd, can you take a look at it?" - and it almost always turns out that they have some kind of malware infestation on their system....
Running these two tools in turn (and removing a couple of things by hand, which I'd found by Googling around for info about this malware from my phone) disinfected my machine. But it cost me about 2 hours of my time (most of which was spent waiting for the Malwarebytes scanner to run - it takes quite a while). Oh, yeah - and I run Symantec Antivirus Corporate on my system, and it gets updated from a central update server at least once a day, and I always have real-time protection turned on. So you'd think it would have caught this before it even had a chance to install itself. But no, of course not - that would make too much sense. (Even though, for instance, some of the network analysis tools that I need in order to do my actual job, are "quarantined" by Symantec Antivirus any time I try to use them, with no option to un-quarantine - all you can do is delete - because SAV considers them to be "Hacking Tools"...)
All because of trying to locate the software for an obsolete piece of hardware that I should simply throw away.
Of course, now it's even more a matter of principle than before - I'm unlikely to throw it away now, since I've gone through so much trouble now because of it - wouldn't want to waste that investment of time... And I will still try to find this software later - once my test machines are put back together... :-)