Imagine this. I am supposed to be some sort of computer genius myself telling people what they should and shouldn't do. Be vigilant for phishing. Don't click on the links in suspicious emails. Make sure you run some sort of anti-virus software. What do I do? Mr. Multi-tasking Know-it-all doesn't pay close attention and clicks on Yes. Yep, just one simple click on Yes and I said yes to Trojan.ZeroAccess, Trojan.Gen.2 and God knows what else. I have found a rootkit in compromised system files. This is where I lean forward, put one elbow on my desk and support my sunken head with the palm on my forehead. Oh boy, I feel a Tylenol moment coming on.
For those of you not quite in the know, phishing is where a malefactor creates a web page which is an exact duplicate of a legitimate web page. This could be for eBay, Amazon or your bank. The idea is to fool you into entering personal data like credit cards or even passwords and then use such information for nefarious purposes. Nefarious? Is that word strong enough to accurately describe the lump you feel in the pit of your stomach when you find out somebody has fraudulently used your credit card or withdrawn funds from your savings account?
This particular act of phishing was something new for me. About a week ago, I got a pop-up asking me to install an update to Adobe Flash. Having seen updates for Adobe Reader, I didn't have the slightest suspicion this could be fraudulent. As with phishing web pages, everything was done perfectly to mimic the Adobe pop-up dialogue box: the logo, the size, the shape, the language, etc. It was quite an impressive reproduction of the real thing. Without thinking, I said yes, well, I clicked on yes. My Windows 7 security settings mean that I am always presented with a popup asking me whether I want to run an executable. (S**t! I didn't check the digital signature! *slaps forehead* Idiot!!!) Annoyed by having to do an Adobe update, I said no. However, the popup came back. Do I want to run this executable? I said no again. It came back again. Curious. I kept hitting no but the Run Executable dialogue refused to go away. Odd. Something was wrong but what exactly, I didn't know. I rebooted.
When I came back in, everything seemed to be normal. I shrugged my shoulders and went about my business. Flash forward a week to two days ago. I get the same Adobe Flash Update dialogue but this time I say yes. Okay, I stupidly say yes.
Immediately, my Symantec anti-virus, doing a live scan, kicked in with its pop-up alerting me to a virus. Oh oh. Holy crap. I looked at the quarantined file, then realised something had just happened, something really, really bad. Remembering what had taken place a week ago, I had this horrible feeling I had just unleashed the hounds of hell on my laptop.
Sure enough, further investigation showed I now had infected files on my machine. After spending an entire evening using various tools to try and eradicate the infection, I knew I had to step it up a notch.
When I first read a technical paper on this, I was stunned. I didn't know this was possible but now that I know the details, I stand here dumbfounded by the level of technical mastery necessary to put this together.
A rootkit modifies core elements of the Windows operating system. When you start your computer, these core elements load before any anti-virus software, so a rootkit that has attached itself to them is already running before your anti-virus software starts. From there, the rootkit can control access to your hard drive. Your anti-virus software asks the O.S. for the files it wants to scan, but the rootkit now sits in between and controls that access. It can choose not to return certain files or folders to the anti-virus software. As a consequence, the anti-virus software never learns about the files and folders that contain the rootkit, so it may tell you that everything is okay when in fact you're infected.
For example, let's say that you have File#1, File#2, and infected File#3. Your anti-virus software asks Windows for a list of all files. The rootkit, controlling access to the hard drive, returns a list consisting of only File#1 and File#2: it deliberately leaves the third file out. Your anti-virus software has no idea that infected File#3 even exists, and neither do you!
How do I put this delicately? Okay, I can't. You're f**ked. I suppose it's like gangrene: you have to amputate the limb to save the body. Or in this case, you have to amputate your entire computer system by wiping the hard drive. You do have a backup. Right? Right!?!
I myself had recourse to another method. AVG, makers of anti-virus software, offer a bootable CD for finding and removing rootkits. By booting from the CD, you do not start the operating system on the hard drive at all. This means AVG runs separately, with no interference from the rootkit, and has complete, unfettered access to the hard drive. In my example above, I said the rootkit could hide infected File#3. AVG, running freely with no rootkit active, can find that nasty File#3 and get rid of it.
In my case, AVG found that the rootkit had embedded itself in the file "services.exe" which is a core element of the Windows operating system. While AVG does attempt to "clean" infected files, I opted to not take any chances and I erased the file then replaced it with a copy from another computer I knew was not infected. Now I could rest easy that the file was not infected with the rootkit. This may seem extreme but as with my gangrene reference, sometimes a doctor says that it is impossible to remove all of the gangrene and the better thing to do is to amputate the limb. If not, there is always the possibility a little of the infection remains and could once again grow and spread throughout the body.
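The two checks this story turns on, the digital signature I skipped on the fake "Flash update" and the comparison of services.exe against a copy from a clean machine, can be done from a PowerShell prompt. This is an added example, not something from the original post or from AVG; the file paths, the signer names and the reference hash are placeholders I assume for illustration.

```powershell
# Added example. Checks a file two ways: is its Authenticode signature valid and
# from the signer you expect, and does its SHA-256 hash match a copy of the same
# file taken from a machine known to be clean? Paths and hashes are placeholders.

function Test-FileTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner  = 'Microsoft',   # substring expected in the signer's subject
        [string] $KnownGoodSha256 = $null          # hash of the same file from a clean machine
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Verdict = 'MISSING' }
    }

    # Authenticode: 'Valid' means the certificate chain checks out and the file
    # has not been changed since it was signed. Note that many Windows system
    # binaries are catalog-signed rather than embedded-signed; older PowerShell
    # reports those as NotSigned, so for system files the hash check is decisive.
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $signerOk = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")

    # Hash comparison against the reference copy (what the post did by hand).
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = if ($KnownGoodSha256) { $hash -eq $KnownGoodSha256.ToUpper() } else { $null }

    $verdict = if ($signerOk -and ($hashOk -ne $false)) { 'TRUSTED' } else { 'DO NOT TRUST' }

    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        SigStatus = $sig.Status
        Signer    = $signer
        Sha256    = $hash
        HashMatch = $hashOk
        Verdict   = $verdict
    }
}

# 1) A downloaded "Flash update" before it is ever run (placeholder path).
Test-FileTrust -Path "$env:USERPROFILE\Downloads\flash_update.exe" -ExpectedSigner 'Adobe'

# 2) The file the post found modified. When a rootkit is suspected, run this from
#    offline boot media and point -Path at the infected disk: a live rootkit can
#    misrepresent the file to anything running on top of it.
Test-FileTrust -Path "$env:SystemRoot\System32\services.exe" -KnownGoodSha256 '<SHA256-FROM-CLEAN-MACHINE>'
```

Replace the placeholder hash with the SHA-256 of services.exe from a machine you trust (Get-FileHash there) before reading the second verdict; with the placeholder left in, the hash comparison fails by design.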
Me off on another tangent
I told a colleague the other day that a lot of time and effort goes into doing all this. There are years of learning how to program computers, delving into the inner workings of the Windows operating system, and mastering the intricacies of viruses, worms and rootkits. For all the time and effort that goes into this, I would think somebody would be able to go to university, get an MBA, then head to Wall Street to become a trader and really make a killing. Write a virus? Heck, that's peanuts in comparison to the money which can be made legitimately. Ha ha. Hear that? I said legitimately. I'm going to be laughing about that one for years to come. After everything that happened in the 2008 financial crisis, here I am talking about traders on Wall Street using the word legitimately. Sad to say, it was all legitimate. The system which was in place allowed people to get away with doing what they were doing. And oddly enough, if I stretch my comparison, the current state of computers with all their security holes allows nefarious individuals to create viruses, worms, and Trojan horses which exploit the vulnerabilities of said computer systems. It's not a question that stealing my money is bad; it's a question of a system which is imperfect and not one hundred percent secure. Why did you steal my money? Because you can. Some of us, I guess, have that dishonesty gene which suppresses such emotions as goodwill, kindness, and generosity.
Here's a video of me when I found out I had stupidly infected my computer
I'm an idiot. I am a naive, gullible idiot. Now you may say I'm being too hard on myself but if my credit card gets maxed out or my bank account gets cleaned out, I'm going to think I'm not being hard enough on myself. Oh, that reminds me. To be on the safe side, I'm going to change my password for my Internet banking. Some viruses record your keystrokes and can pass off all sorts of personal information from your computer, including anything you type: your credit card number, your PIN, your password, you name it. If you type it, that virus can record it.
Be vigilant, my friends. You can never be too careful. Heck, I've already decided that when I change my Internet banking password, I'm going to wear a condom. Yep, you can't be too careful.
YouTube video: Uploaded by samuelleofisher on Apr 7, 2007
Psinergy Technology Services – Sep 26/2011
Virus Warning: New Adobe Flash Player upgrade — is a virus!
A new virus that is affecting Firefox and Internet Explorer users is running rampant around the internet and the reason why is that it comes across, or masks itself, as being a *new* Adobe Flash Player upgrade and/or plugin.
The Telegraph – Jun 26/2012
Apple drops virus immunity claim for Macs
Apple has dropped claims on its website that Mac computers do not get viruses, after hundreds of thousands of machines were hijacked by a Trojan.
Wikipedia: Rootkit
A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
Wikipedia: Service Control Manager
Service Control Manager (SCM) is a special system process under Windows NT family of operating systems, which starts, stops and interacts with Windows service processes. It is located in %SystemRoot%\System32\services.exe executable. Service processes interact with SCM through a well-defined API, and the same API interface is used internally by the interactive Windows service management tools such as the MMC snap-in Services.msc and the command-line Service Control utility sc.exe.