I learned a nasty lesson yesterday about the dangers of not having the very latest versions of browser plug-ins installed. The irony is that I work for the company that developed the plug-in. I had installed the Sun (Oracle) JDK / JRE Standard Edition 6 Update 22, which was released only in October 2010. This includes a Java Plug-in that allows applets to be invoked from the browser.
Running the current latest version of Firefox (3.6.15) on Windows XP, I opened the top few sites returned from a Google search for “UFC 128 title fight video” in separate tabs. I was immediately called away to tend to my son, and returned to find my wife in front of the laptop with a multitude of Internet Explorer windows popped up. I proceeded to chastise her and give her the ‘WTF are you doing’ / ‘What have you done’ spiel – only to be told she hadn’t pressed a key or button.
I immediately ripped the network cable from the back of the computer, and proceeded to start Task Manager along with a program called TaskInfo (by Iarsn) – and kill any and all processes that didn’t look right. Unfortunately I had recently got a bit lazy/blasé about what runs on my laptop and hadn’t taken too much notice of any new drivers/services that had been installed (e.g. HP Universal Print Driver, Canon scanner, OpenVPN network adapter, etc.). So I was struggling to work out what was legit and what was not.
In the few short minutes I was gone from the computer, the Malware well and truly set its hooks in installing crap such as Offerbox and various browser plug-ins/extensions. My AVG Anti-Virus Free Edition version 2011 unfortunately caught very little of this malware that was being installed.
Fortunately I also had two additional free programs installed on my machine. The first was CCleaner (http://www.piriform.com/ccleaner), and the second a very old version of Unlocker, developed by Cedrick Collomb. Unlocker is an extremely useful tool that is capable of releasing locks on files that are being held by system and application processes. Using CCleaner, I was able to see *some* of the additional startup programs that had been added. Using Unlocker, I was able to delete a lot of the running malware, and also delete the “C:\Program Files\Java” directory as well. After removing some of the malware, I ran CCleaner’s Registry Cleaner tool, which gave me some locations in the registry that were invalid (pointing to missing shared DLLs, broken application paths, etc.). Those entries identified by CCleaner which corresponded to malware gave me a starting point for my manual registry “cleaning”.
I also stumbled into the Windows “Prefetch” directory, which gave me a basic timeline of the crap that got installed on my machine while I was away, and also some other programs to try to identify and delete.
I cleaned and deleted as much as I could, and performed my first reboot (keeping the network cable disconnected). Firing up TaskInfo after the machine started, I could see some rundll32.exe processes that had spawned and were pointing to some weird DLL files in existing legitimate directories. I could see a file named “lusrmgrk.dll” that was being invoked from both the “C:\Windows” and the “C:\Program Files\Pidgin” directory. I opened those directories, set the folder view to Details and enabled display of both the “Date Modified” and “Date Created” columns. Sure enough, those files had been created/modified at exactly the time of this malware travesty. I deleted these files with Unlocker’s assistance. There were other strange files in the Windows directory with similar dates/times that were listed in the Prefetch folder at around the time of the malware installation, so those got deleted as well. I initially set about running some MD5 checksums on the files to see if anyone had a similar virus and had reported the checksum, but didn’t get any hits. For example, the MD5 of “Lfeboa.exe”, which was 137216 bytes, was “014303FB5CF4F2F8A2EADD5EDD82427B”.
Up until this stage, I had not reconnected the network cable on the infected laptop. The Apple iPad was being used to search Google for MD5 checksums and read various malware removal articles. It was at this point that I really hated Apple and what it stood for. Steve Jobs and/or the marketing geniuses at Apple decided the iPad would not need any external storage support (micro SD etc.). I can only speculate that this is purely self-motivated, so that they can get the Apple fanboys to continually upgrade to a newer device with more capacity. What this meant, though, is that I had no way of getting a file from the iPad to my infected computer without establishing a network connection (or jail-breaking the device and buying a camera kit). Thank you, Apple.
So the network connection on the PC had to be turned on (very very briefly). I downloaded two apps:
TDSSKiller (an anti-rootkit utility from Kaspersky Lab: http://support.kaspersky.com/faq/?qid=208283363)
Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php )
Malwarebytes needed to be briefly connected to the internet so that it could update its database, but there is a workaround for this in future: see issue #4 at http://forums.malwarebytes.org/index.php?showtopic=10138
Having downloaded and installed these, the network connection was yanked and I let the programs do their jobs. Both apps found remaining malware on disk and were able to remove most traces. I initially did the quick scan with Malwarebytes, but eventually did the full scan, which detected an additional malware file.
Upon reboot, I fired up the TaskInfo application, but could still see two rundll32.exe processes. However, the processes were attempting to load DLLs that were not present on disk. I decided to run the Windows Malicious Software Removal Tool, but it did not detect anything.
My concern was that there was still some malware on disk that was causing the processes to be initiated.
TaskInfo also provides an option to view the parent process ID of a task. The parent process IDs for the rundll32 processes were pointing to a svchost process, and in particular to “C:\WINDOWS\System32\svchost.exe -k netsvcs”.
See the following article for a description of svchost: http://support.microsoft.com/kb/314056
Basically, svchost is responsible for starting services at startup. If you were to view Task Manager, you would see there are a number of svchost processes, each of which is starting services from a particular service group. The “netsvcs” group encompasses some 20 or so services.
One of the services in the group was ultimately triggering the rundll32 processes. I just wasn’t sure how. It could be that a malware service had been added; or maybe an existing legitimate service had been compromised; or maybe an existing service had a dependency on some other service that was compromised etc.
Unfortunately I could not find an easy way to work out which service was triggering the rundll32 processes. So I decided to stop them in blocks, restart the computer each time, and try to isolate which service was somehow responsible.
Bingo: Task Scheduler was somehow a part of this! I had read up about malware creating and scheduling tasks to spawn their evil crap. I had looked in the C:\Windows\Tasks directory, but it was empty. This was from Windows Explorer with all options set to show hidden files. So I was concerned that the Task Scheduler process itself may be compromised, or a dependent service (Remote Procedure Call).
I decided to do one final check from the command prompt, supplying the “/ah” option to the “dir” command. Wow: there were some .job files in the directory.
Using the “Xcacls.vbs” tool (http://support.microsoft.com/kb/825751/en-us), I was able to give my local administrator user “full control” on the two .job files. Having done this, I was able to clear the file attributes so they were no longer hidden, etc.
At this point, the tasks became visible from Windows Explorer, and they could be deleted.
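The checks above, gathered into one script I have added here (it is not from the original post). It assumes an elevated cmd.exe on Windows XP, that Xcacls.vbs from KB 825751 sits in the current directory, and that the PLACEHOLDER.job name and the account name are replaced with your own values.

```batch
@echo off
REM Added triage script (not from the original post). It walks the same checks
REM the post describes: which services share the "netsvcs" svchost instance,
REM what the Task Scheduler has queued, and which hidden .job files sit in
REM C:\Windows\Tasks. PLACEHOLDER.job and ADMINUSER are values to replace.
setlocal
set TASKDIR=%SystemRoot%\Tasks
set JOBFILE=%TASKDIR%\PLACEHOLDER.job
set ADMINUSER=Administrator

echo === Services hosted by each svchost.exe (the parent of the rundll32 processes) ===
tasklist /svc /fi "IMAGENAME eq svchost.exe"

echo.
echo === Members of the "netsvcs" service group, as defined in the registry ===
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs

echo.
echo === Scheduled tasks as the Task Scheduler service itself reports them ===
schtasks /query /fo LIST /v

echo.
echo === Hidden files in %TASKDIR% with their creation times ===
REM Explorer's "Show hidden files" still hides files that also carry the System
REM attribute unless "Hide protected operating system files" is cleared too,
REM which is why the folder looked empty while "dir /ah" listed the .job files.
dir /ah /t:c "%TASKDIR%"

if not exist "%JOBFILE%" goto :done

echo.
echo === Taking control of %JOBFILE% ===
REM Xcacls.vbs (KB 825751, the tool used in the post): /E edits the existing
REM ACL instead of replacing it, /G grants the named user Full control (F).
cscript //nologo Xcacls.vbs "%JOBFILE%" /E /G %ADMINUSER%:F

REM Clear the Read-only, Hidden and System attributes so that Explorer shows
REM the file and it can be deleted; the second call prints what remains.
attrib -r -h -s "%JOBFILE%"
attrib "%JOBFILE%"

echo Inspect the task above (schtasks output) before removing it, then run:
echo     del "%JOBFILE%"

:done
endlocal
```

Save it as a .cmd file and run it once per .job file you found; the deletion itself is left as a manual step so each task can be reviewed first.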
A quick reboot, and the processes were no more.
I’ll never know if I’ve removed all the malware, but one thing is for sure: I’m going to be much more anal when it comes to browser plug-ins.
And … if you are currently running JDK 1.6.0_23 or older, make sure you upgrade!