Drive-By Virus

Well, it was bound to happen one day – I got a drive-by virus.

A friend of mine was moving an older program from one PC to another, didn’t have the disk any longer, and asked me if I still had a copy. No luck there – so I figured I’d search the net to see if you could buy old copies of the program on the cheap. A few Google searches later, I was browsing a couple of link-trawler sites that didn’t provide much useful information.

One site – I believe it was oldapps.com, I really can’t be certain – left me with a little present that I won’t soon forget: a brand spanking new copy of Virtumonde (aka Trojan.Vundo.H).

Unfortunately, that present was left with nary a blip on my screen. Minding my own business, I suddenly got an authentic Windows message stating that my Windows Firewall was no longer active. You know that sinking feeling you get in your gut when something horrible has just happened and you start to slowly comprehend the far-reaching ramifications of what you have just witnessed? Yeah… I wish I could say that I felt that way and immediately disconnected my PC from the net, but no luck. I was a real Noob, and actually thought, “Dang Microsoft, when are you going to straighten out your crapware once and for all?”

Seriously, I thought Windows Update had pooped the bed or something… I simply re-enabled the firewall, and everything was fine. No harm done, right? Ahem…

I kept browsing around, and then got another Windows Security Center message saying that my Virus protection was no longer active…

WTF?

NOW you can cue the sinking feeling…

I dashed under my desk and pulled my Ethernet cord and sat back with a stunned look on my face. I had just been infected.

No emails with attachments that I executed in noobish haste; no foolishly downloaded software that I simply had to test out; not even a pop-up stupidly clicked by a mouse-o.

Nada.

All I did was visit the web page for a bit, saw that there was no good information there and then I closed the tab.

30 seconds tops.

INFECTED.

What is the world coming to? I’m a highly trained technical professional, yet my precious system and all its fancy protection was forcibly raped and pillaged in under 30 seconds with a simple web page visit – a page that was visited DIRECTLY from a Google search result…

How is Joe Public’s Grandmother supposed to deal with these bastards? Good question!

The cleanup wasn’t pretty, but fortunately there IS a happy ending (as far as I can tell…)

First off, AVG Free didn’t mind the ass pounding my machine was being forcibly subjected to – it seemed to just pour itself a neat single-malt and pull up a chair to watch the fun. Normally AVG is a very good virus scanner. I trusted it.

Secondly, Lavasoft’s Ad-Aware did find the problem, but “fixing” the issue was a different matter. Reboot, rescan – same results. The bugger was still there. At least it put a name to my foe – Virtumonde.

Supposedly the removal tool for Virtumonde has been built into Ad-Aware, but it did nothing at all to resolve the issue. Rather, it erroneously reported that the threat was safely removed, when in fact it really wasn’t. Very helpful.

Thirdly, my hardware firewall and the Windows firewall both did absolutely nothing to stop the attack.

Fourthly, Hijack-This reported nothing out of the ordinary, as Virtumonde apparently uses Explorer hooks – meaning Explorer itself is the bad guy. You just sit there watching Explorer crap all over itself, helpless…

Nothing in the Registry Run section, nothing in Services, no batch files. Nada to grab on to… This bugger even randomly crashes things like Ad-Aware and AVG when you try to scan your machine with them in an attempt to fix the problem. It even pops up a DCOM error message and then gives you 30 seconds before it reboots the machine. Apparently, it really likes its new home. Nice touch.

Oh, did I mention the 4 or 5 “Virus Scanners” that Virtumonde tries to install over and over again? Yeah, I don’t think I mentioned those yet…

So, exactly how are you supposed to fix something like this? Virtumonde actually blocks access to sites like Trend-Micro and Symantec, so your options are fairly limited. Even booting into Safe Mode didn’t stop the system from getting screwed with. In fact, it was in safe mode that all of the Gay Fetish Porn links started showing up on my desktop. GREAT – that was clearly a step in the right direction.
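The post lists the places that came up empty (the Run keys, Services) and the place the infection apparently lived (Explorer hooks that HijackThis did not surface), plus the blocking of vendor sites. As an added example that is not part of the original post, the PowerShell below walks those same load points on a Windows box, resolves each COM hook CLSID to the DLL behind it, and flags anything that is unsigned or points at a missing file. It also dumps hosts-file lines naming security vendors; that check assumes hosts-file redirection, which is one common way to block vendor sites but is not something the post establishes, and the vendor-name list is constructed for illustration.

```powershell
# Added example, not from the original post. Enumerates the classic autostart
# keys plus the Explorer/Winlogon load points where a Vundo-class infection
# typically hides, resolves each CLSID to its in-process DLL, and reports the
# Authenticode status of every file found. Run from an elevated PowerShell.
# ASSUMPTION: the hosts-file check presumes hosts-based blocking of vendor
# sites; the post does not say which mechanism Virtumonde actually used.

function Get-ClsidsFromKey {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $guid = '^\{[0-9A-Fa-f-]{36}\}$'
    $found = @()
    # Some keys list CLSIDs as subkeys (Browser Helper Objects),
    # others as value names (ShellExecuteHooks, Approved extensions).
    Get-ChildItem $Path -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSChildName -match $guid) { $found += $_.PSChildName }
    }
    $props = Get-ItemProperty $Path -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | ForEach-Object {
            if ($_.Name -match $guid) { $found += $_.Name }
        }
    }
    return $found
}

function Resolve-ClsidDll {
    param([string]$Clsid)
    # The DLL behind a COM object is the default value of its InprocServer32 key.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $p = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $p) {
            $dll = (Get-ItemProperty $p).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Test-LoadPoint {
    param([string]$Source, [string]$Name, [string]$File)
    $exists = $File -and (Test-Path $File)
    $sig = if ($exists) { (Get-AuthenticodeSignature $File).Status } else { 'MissingFile' }
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; File = $File; Signature = $sig }
}

$results = @()

# 1. The Run keys: the place the post found empty.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $run) {
        (Get-ItemProperty $run).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                # Strip surrounding quotes and trailing arguments to isolate the executable.
                $exe = ($_.Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
                $results += Test-LoadPoint $run $_.Name ([Environment]::ExpandEnvironmentVariables($exe))
            }
    }
}

# 2. COM-based Explorer hooks: loaded into explorer.exe itself, so Explorer "is the bad guy".
$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
)
foreach ($key in $hookKeys) {
    foreach ($clsid in Get-ClsidsFromKey $key) {
        $results += Test-LoadPoint $key $clsid (Resolve-ClsidDll $clsid)
    }
}

# 3. Winlogon Notify packages and AppInit_DLLs: loaded early, including in Safe Mode.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).DllName
    if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
    $results += Test-LoadPoint 'Winlogon\Notify' $_.PSChildName $dll
}
$appInit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
if ($appInit) {
    foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
        $results += Test-LoadPoint 'AppInit_DLLs' $dll ([Environment]::ExpandEnvironmentVariables($dll))
    }
}

# Anything unsigned, or pointing at a file that is not there, deserves a closer look.
$results | Where-Object { $_.Signature -ne 'Valid' } | Format-Table Source, Name, File, Signature -AutoSize

# 4. Hosts-file entries naming security vendors (ASSUMPTION: hosts-based blocking;
#    the vendor list is constructed for this example).
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'symantec|trendmicro|malwarebytes|avg|lavasoft' }
```

A signature status other than Valid is not proof of infection (plenty of legitimate shell extensions are unsigned), but on a machine that is disabling its own firewall and antivirus it narrows the search to a handful of DLLs rather than the whole system. Run it from a clean boot medium or a second PC mounting the disk if the infection is killing scanners the moment they start, as the post describes.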

The ultimate cure? I used a separate PC and a USB Key to download Malwarebytes Anti-Malware installer from Malwarebytes.org. This program really IS like bringing an HK-UMP to a stick fight.

Yet, even this awesome tool took several tries to remove Virtumonde completely. Malwarebytes did keep reporting different infection issues after each reboot. Oddly enough this was strangely comforting, for at least I knew that I was getting somewhere. Hopefully the light at the end of the tunnel wasn’t an oncoming train. :)

Four scans with Malwarebytes later, everything was being reported as clean by several different malware scanners.

Oh, speaking of oddly enough – AVG finally DID decide to register a threat and throw up a flag. What did it catch? The Malwarebytes executable!! No, I’m not kidding. Very helpful AVG. After at least 5 separate Trojans were maliciously installed on my machine one after another with nary a peep from you, suddenly you decide to flag the tool that is actually doing the job that you should have been doing all along!  WTF?

Wow, time to look for a new Virus Scanner… Hey, don’t get me wrong: AVG Free has been great. Powerful stuff, and the price is right. But this last escapade sure has left a bad taste in my mouth. Maybe the Pay-For version would have detected the original infection, but I’m guessing probably not.

The moral of the story? Apparently, drive-by digital system rape is a “GO”. Be careful out there, OK?

2 Responses to “Drive-By Virus”

  1. Mike Milo says:

    Wow. I know the feeling and I have been there too many times. And THAT, my dearest brother, is exactly why I switched over to the Mac again. I’m sick of viruses and at least they don’t seem to have much trouble with them as of yet.

    Will I ever go back to the PC? Sure! I still boot into it occasionally and I use my Tablet PC all the time… but I just do not have the time to reinstall my system every month just because some needle d**ked bug f**ker feels the need to create these stupid ass waste-of-time viruses.

    For what it’s worth, I get that “Firewall is disabled” on every PC I have since installing that new wireless router when each PC starts up. But after a minute or so it comes back on.

  2. Andrew Milo says:

    I know that God loves all of His children equally and that His Grace is available to all, but in my current, petty, flesh-laden existence, I often imagine that there is a special place in Hell for the script kiddies, spammers, virus devs and hackers. They all stand chained in an unbroken circle of woe, forced to scoop up and eat the constant flow of shit that is pouring out of the poor bastard standing in front of them who of course is forced to do the same… Day and night it goes on, never ending for all eternity!!! MUHAHAHA!

    Ahem. But, anyway, I digress.

    :)