Saturday, April 27, 2013

Getting back on track...

It's been a few weeks since my last update. Since then, there are finally signs that I can now be cautiously optimistic that the situation has stabilised at last, with the machine in question now under heavily-supervised probation for "non-critical activities".


At the time of the last update, one lingering doubt was whether there were likely to be any obvious rootkits lurking around. After a few days had passed, multiple scans with the existing security checkers were not turning up any new findings - even after a few short windows of intentional (i.e. allowing these checkers to update their signature databases) and unplanned (*ahem*, damned muscle memory!) internet access being enabled. It was time to call in some heavier artillery...

First up was Kaspersky's tdsskiller, which is apparently quite good at picking up common rootkits. Initially I was a bit apprehensive about whether it would pick up anything: I kindof hoped it would - that would mean that at least one (more) culprit had been eliminated, instead of being left wondering if there really wasn't anything or whether there was some something really stealthy - but on the other hand, there's a certain level of reassurance that comes from nothing coming up. The scan was quick. It was much quicker than I had expected, given that many tools so far would often end up going for hours on end, and overall quite a smooth process. It came up clean.

Next up was a second dose of ComboFix. The first time I'd tried to run the thing, it had aborted just a few minutes in (just after unpacking some things and creating leaving a few temp folders lying around), claiming compatability problems. After further investigations, I later found that I had probably been trying to run it the wrong way (TIP: make sure to place in on the desktop instead of running from downloads folder), not to mention that perhaps one of the nasties lurking around was actually stopping it from running. I also found that I'd need a new copy, since the first would be expired as some 2 weeks had passed since I'd downloaded that copy.

Some words of warning about ComboFix:
  1) They do not recommended most computer users to run this themselves. As an automated process that goes from point a to b with barely any need for user input, there's not that much room for selecting the wrong config options and stuffing things up that way. However, the part that does need care is making sure that it didn't clobber any essential settings or quarantined legitimate things, thus breaking the setup. (More on this in a minute)
  2) It is not intended as an "everyday" malware tool. That is, something you'd run regularly on a schedule, like common antivirus scanners. Having run it, I can definitely see why...
  3) If it runs anything like it did on this machine (this second time round), it can genuinely look quite freaky to watch it at work.

Shortly into it's multi-stage scanning processing, it has a step which basically amounts to killing all open processes. One of the things it killed here was explorer.exe, which AFAIK hosts things such as the taskbar and all desktop icons, among other things. Since this particular aspect had never been mentioned anywhere, I could only wonder if explorer.exe had in fact been detected as a compromised/replaced component, automatically deleted, and perhaps unable to be successfully restored afterwards. It hung around these few steps for ages, before finally breezing through everything else, finally dumping a log and displaying a log, and restarting explorer.exe.

Curious to see what had just gone on (and to check out what nasties it had managed to pick up on), I looked through the logs. Beforehand (and during this process), I spent time going through some of the logs I'd seen online for reference for just how bad the situation looked.

After checking on each and every one of the things it'd mentioned, from the looks of things, there were no suspect drivers, executables, or other typically suspicious things in action. However, it did find a few surprising items - namely, two folders in the system32 directory containing a bunch of html files and image assets (with names supposedly suggesting they were used for displaying some navigation controls for tree/toolbar/calendar components) - which it had tagged as viruses. I don't know about you, but these certainly looked suspicious to me too given their location (WTF were these doing there? At worst, the help component of some badly-constructed crap was going to now be broken if I removed them... hehe).

As far as registry stuff goes, it picked up on a host of TortoiseSVN overlay stuff (I'll give it the benefit of the doubt - any further troubles and it'll need a reinstall/cleanout for good measure), removed a few orphaned entries (probably stuff I missed when manually deleting a bunch of stuff to remove unwanted/suspicious crap earlier - there were only 4 of 'em, and 2 related to packages I'd deleted by hand).

Apart from that, it seemed clear.

---

Finally, things were starting to look clear, though disk usage was fluctuating wildly. At the lowest point, things were down to 1.5 gb, where it had been close to 10gb earlier in the week. For the next few days, I watched disk usage religiously as it would creep down towards 2gb, then after a cleanout of temp stuff, it would just back to 4-5gb, before losing a good chunk upon restarting. At one stage, it briefly shot up to 7gb, before plunging back down to 3gb minutes later. Through a bunch of various measures though, it seems for now that I've got it stabilised now around 4.3 gb, with normal steady changes of about .1/.2 gb changes.

Hopefully all this will hold through the coming week and beyond!


---

Assorted Notes:
- The updaters for Google software sure are plentiful and aggressive. While auto-updating software can be both cool, magical, and helpful, it can also be quite alarming to watch the updater services in action - circling around and jumping into action like vultures.

- It's both a blessing and a curse to have had to deal with this infestation. On one hand, it was a good wake up call to review the security of my systems, and also paradoxically help me concentrate on a few current projects while reining in some bad sleep habits. On the other hand, it may in the long run turn out to be bad news for the crackers, given that they've now motivated a computer scientist of certain skill (if I shall say so myself), faced with a block of free time, employed in a teaching position, and dedicated to seeing problems through to thorough conclusions to be annoyed enough about these issues to take a good thorough look into their techniques and start trying to develop long term countermeasures. If this had been a few years earlier, things might have been a bit different...

- "Fun-seeking" script-kiddy crackers should really be redirecting their time and energy towards meaningful pursuits, such as finding cures for cancer, or finding some more efficient + effective algorithms to solve the travelling salesman problem, instead of wasting time and efforts on creating exploits. Not that that is likely to happen... if only they could taste the thrills they desire by engaging in these alternative pursuits ;)

- Being forced to restrict most communications/browsing to a separate device to the main workstation I use for developing/writing stuff has turned out to be quite good productivity wise. While getting around the web on a tablet can still be a bit clumsy (I liken it to trying to get across a football field checkerboard while trying to land only on squares of a particular colour while partially blindfolded, and stuck on a pogo stick with an unreliable spring), it certainly is doable once you nail down a good keyboard app (Hackers' Keyboard) and browser (unlike on desktops, I'd have to go with Chrome here, as FF was just far too buggy/crashy on Android; However, the latest version of Chrome which I updated to a week or 2 ago, has turned out to be far less stable than the previous version I had, as it tends to visually glitch more - unwanted zooming, pixelated blocks of the page appearing in the wrong places and/or flickering, and constantly trying to jump back to the top of page after all content has loaded - as well as hanging while trying to scroll, and needing frequent restarts or else long-press to show tab opening options won't work anymore), and have these configured appropriately (I.e. disable auto-caps on HK, or else it will drive you absolutely mental as it introduces a delay of 1sec after pressing space while in a long form textbox where all keys become capitalised temporarily, which totally messes with you trying to quickly type by forcing you to go back and fix typos).

- On a tablet, the Blogger app is absolute crap. It totally munges any and all line breaks you may insert, leaving everything as a wall of text. Plus, you can't easily insert a jump break (though I've found that manually specifying the relevant HTML comment seems to work). Instead, using the standard web interface works better, though you'll want to put the tablet into vertical mode - even if that means that the keys are smaller and closer together - as otherwise the header crap takes up all vertical space leaving just 2 lines of the textbox visible above the keyboard (and refuses to scroll away, so you can't see enough to see what you are doing). Even then, you'll want to zoom out a bit, otherwise that bloody "Send Feedback" bubble ends up blocking what you are typing on the current/last line, with no way of scrolling up more. Also, last time I checked, img inserting was buggered (album images wouldn't load or refused to be interacted with).

No comments:

Post a Comment