Interesting bit of malware

AlphaTrinity, North Wales, PA
edited April 2009 in Spyware & Virus Removal
So today at work an end user comes to me saying that when they use Google search, any website that they click on takes them to a different site than what it says. I checked it out and confirmed what they were saying. What was interesting is that I was almost never taken to the same website twice from the same link. If you manually typed the URL into the address bar, you could get to the desired website without a problem.

I instantly thought malware, so I wanted to start with an antivirus scan to see if anything came up. I immediately saw that antivirus was never installed on this particular machine (OOPS), so I went ahead and installed it. It installed without any problems, but when I tried to update it to the latest version using the manufacturer's website (we have an internal antivirus server), the software would try several servers before saying that it could not find an update server. I tried pinging the antivirus website and got replies... but they were replies from localhost! If I tried to ping google.com or yahoo.com I would get a valid IP back, but if I tried kaspersky.com or nod32.com it was coming back as localhost. I could ping microsoft.com but not update.microsoft.com. Things were beginning to get interesting.

So I checked the hosts file, figuring maybe this malware might have changed it, but everything was normal. So then I changed the configuration of the antivirus to update through our server, and the update went fine. I ran a full-blown scan, and the scan did not come back with anything. At this point I thought this computer might have the Conficker worm on it, even though we are using WSUS and the update that Conficker exploits was approved on every machine. I whipped out the disc one of my co-workers made with a bunch of Conficker tests on it, and ran all of them. The only test that came back with something was the Kaspersky test, which fixed a few DNS-related items... I think they called them splices.

Next I booted into safe mode and tried another full test with the antivirus and the Conficker tests, with the same results. At wits' end, we decided to install Spybot S&D (we don't put Spybot on our machines because it has gotten bloated over the years). I manually updated Spybot with the definition download from the site (April 8th update). I ran Spybot, but the program would not launch. Every time I tried to run it another instance would pop up in Task Manager, but the software would never actually run. I began to think that whatever worm this machine has was keeping Spybot from running. A quick ping to safer-networking.org (Spybot's website) came back as localhost, telling me that this worm is aware of Spybot as a solution. I thought maybe Spybot would not launch in Safe Mode, so I booted back to normal, but the results were the same.

By the time I did all of this it was the end of the day and the user wanted their machine back. They would just continue using it without Google search and watch what usernames, passwords, and customer information they would be using.

Unless somebody has some miracle cure for this malware, I am going to wipe the machine on Friday, as I am at wits' end. This is by far the nastiest malware I have encountered. Conficker was supposed to be like this, but you would think that at least one of the four to five tests I ran would have caught something. I did the Conficker eye chart thing (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html) and the top-left and top-right pictures were missing.

I know you folks typically ask for a HijackThis log, but I won't have the machine until Friday, when I will be wiping it anyway. If you can think of anything, let me know; it will be very much appreciated.
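The symptom described in the post (vendor domains answering from localhost while the hosts file looks clean) can be separated into "hosts-file pin" versus "something in the resolver path" with a small check like the following. This is an added example, not code from the original post: the WATCHLIST, the injectable `resolve` argument and the sample values in the usage are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Dict

# Constructed watchlist of domains the post reports as blocked; extend as needed.
WATCHLIST = ["kaspersky.com", "nod32.com", "update.microsoft.com",
             "safer-networking.org", "microsoft.com"]


def parse_hosts(text: str) -> Dict[str, str]:
    """Map hostname -> IP from hosts-file text, ignoring comments and blank lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            mapping[name.lower()] = parts[0]
    return mapping


def is_sinkhole(ip: str) -> bool:
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0) answers."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def classify(hosts_text: str,
             resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Verdict per watched domain:
    'hosts-file'  the hosts file itself pins the name to a sinkhole address
    'resolver'    hosts file is clean but the live lookup still returns one
    'unresolved'  the lookup failed outright
    'ok'          a routable address came back"""
    pinned = parse_hosts(hosts_text)
    verdicts = {}
    for name in WATCHLIST:
        if is_sinkhole(pinned.get(name.lower(), "")):
            verdicts[name] = "hosts-file"
            continue
        try:
            ip = resolve(name)
        except OSError:          # socket.gaierror is a subclass of OSError
            verdicts[name] = "unresolved"
            continue
        verdicts[name] = "resolver" if is_sinkhole(ip) else "ok"
    return verdicts
```

On a live Windows box, feed `classify` the contents of `C:\Windows\System32\drivers\etc\hosts`; a run of `resolver` verdicts with a clean file points at the DNS client or Winsock path rather than the file.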