Conficker-like symptoms without detectable infection


The Dark
Emperor's Hand
Posts: 7378
Joined: 2002-10-31 10:28pm
Location: Promoting ornithological awareness

Conficker-like symptoms without detectable infection

Post by The Dark »

So, just recently my desktop computer decided to start acting wonky - I originally noticed that I couldn't defragment my drives, and then started spotting other problems. SpyBot S&D won't open. Safer-networking.org won't open. When I get a copy of SpyBot onto a USB, I can't install it. Some Google searches randomly redirect. Yet, I've run the Conficker removers from Symantec, Sunbelt Security, Sophos, and BitDefender Labs, and none of them detected a thing. The Conficker Eye Chart comes up normally - all six pictures load. Maybe it's because it's 2:30 AM here, but I'm not sure how to proceed. Has anyone else observed something similar and been able to fix it?
Stanley Hauerwas wrote:[W]hy is it that no one is angry at the inequality of income in this country? I mean, the inequality of income is unbelievable. Unbelievable. Why isn’t that ever an issue of politics? Because you don’t live in a democracy. You live in a plutocracy. Money rules.
BattleTech for SilCore
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Re: Conficker-like symptoms without detectable infection

Post by Darth Wong »

There seems to be something out there that virus scanners can't pick up at all. My computer is fine, but my son Matthew seemed to get an unidentified virus on his computer. The virus scanner suddenly stopped working, and many competing virus scanners would not install (the installer program would not even start). I tried installing Kaspersky and it installed OK, but it refused to actually run. All software except for virus scanners seemed to start OK, but virus scanners were all inoperative. That pretty much screams "virus infection".

However, here's where it gets strange. I rebooted to Linux (all of the machines in the house are dual-boot) and scanned the Windows partition with ClamAV. Nothing showed up. I tried other scanners as well, and then I even shared the Windows partition via SMB and scanned it from a different Windows machine. Still nothing. This was not a matter of a virus interfering with the scanner; since the results did not change even when booting to an entirely different OS, the virus is simply not known to any of the virus scanners I tried.

I was in no particular mood to figure out how Matthew managed to infect his machine and I'm a "play it safe" kind of guy, so I just nuked Windows and reinstalled it. But there's something running around out there which is invisible to virus scanners. Time to fall back on the "surf the web and answer E-mail from Linux, and use Windows just to play games" computer security policy.
"It's not evil for God to do it. Or for someone to do it at God's command."- Jonathan Boyd on baby-killing

"you guys are fascinated with the use of those "rules of logic" to the extent that you don't really want to discussus anything."- GC

"I do not believe Russian Roulette is a stupid act" - Embracer of Darkness

"Viagra commercials appear to save lives" - tharkûn on US health care.

http://www.stardestroyer.net/Mike/RantMode/Blurbs.html
Resinence
Jedi Knight
Posts: 847
Joined: 2006-05-06 08:00am
Location: Australia

Re: Conficker-like symptoms without detectable infection

Post by Resinence »

Likely a new Conficker update or variant (probably .E); this thing is becoming a serious thorn in the side of the security vendors, since it's a freaking huge botnet now and yet they push new variants extremely quickly, even for malware developers. The new E variant reintroduces the spreading code (using MS08-067), but if you already had the C variant then it doesn't matter if you're patched. They even used their botnet to DDoS the Conficker eye chart down. Imo, they are seriously exposing the flaw in people's reliance on AV software instead of following proper damn security practices. There is even a 250,000 dollar bounty reward from Microsoft for anyone who manages to discover who the assholes who created it are (and of course it's now been found it's probably from China - it's similar to an older worm from 2001, big surprise there huh?).

If you must run windows (or well, any OS really) things like this evil piece of shit are a good reason to consider a router with a built in firewall (firewall software is generally shit - don't bother). Then again, even people with them seem to always turn on the DMZ because they are too lazy to set up port forwarding for precious bittorrent.
“Most people are other people. Their thoughts are someone else's opinions, their lives a mimicry, their passions a quotation.” - Oscar Wilde.
Ariphaos
Jedi Council Member
Posts: 1739
Joined: 2005-10-21 02:48am
Location: Twin Cities, MN, USA

Re: Conficker-like symptoms without detectable infection

Post by Ariphaos »

The Dark wrote:So, just recently my desktop computer decided to start acting wonky - I originally noticed that I couldn't defragment my drives, and then starting spotting other problems. SpyBot S&D won't open. Safer-networking.org won't open. When I get a copy of SpyBot onto a USB, I can't install it. Some Google searches randomly redirect. Yet, I've run the Conficker removers from Symantec, Sunbelt Security, Sophos, and BitDefender Labs, and none of them detected a thing. The Conficker Eye Chart comes up normally - all six pictures load. Maybe it's because it's 2:30 AM here, but I'm not sure how to proceed. Has anyone else observed something similar and been able to fix it?
Yes. Wasn't Conficker, though the recent variant may have such capabilities.

Try renaming the spybot executable before running it and see if that works. You will want to use something more effective like Malwarebytes + Roguefix, however:
http://www.internetinspiration.co.uk/roguefix.htm
http://www.malwarebytes.org/
Give fire to a man, and he will be warm for a day.
Set him on fire, and he will be warm for life.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Conficker-like symptoms without detectable infection

Post by phongn »

These viruses often hide in places like NTFS Alternate Data Streams, which are not always readable, and signature-based systems can fail to detect them even normally. There's a lot of money in viruses, probably more than is available to the defenders.
Steve
Emperor's Hand
Posts: 9774
Joined: 2002-07-03 01:09pm
Location: Florida USA

Re: Conficker-like symptoms without detectable infection

Post by Steve »

Why so much money available to virus-makers compared to anti-virus groups?
”A Radical is a man with both feet planted firmly in the air.” – Franklin Delano Roosevelt

"No folly is more costly than the folly of intolerant idealism." - Sir Winston L. S. Churchill, Princips Britannia

American Conservatism is about the exercise of personal responsibility without state interference in the lives of the citizenry..... unless, of course, it involves using the bludgeon of state power to suppress things Conservatives do not like.

DONALD J. TRUMP IS A SEDITIOUS TRAITOR AND MUST BE IMPEACHED
Ghost Rider
Spirit of Vengeance
Posts: 27779
Joined: 2002-09-24 01:48pm
Location: DC...looking up from the gutters to the stars

Re: Conficker-like symptoms without detectable infection

Post by Ghost Rider »

Steve wrote:Why so much money available to virus-makers compared to anti-virus groups?
Mostly because of what you can do with personal information. You can sell or use CC numbers and whatever else you grab for far more than selling anti-virus software.
MM /CF/WG/BOTM/JL/Original Warsie/ACPATHNTDWATGODW FOREVER!!

Sometimes we can choose the path we follow. Sometimes our choices are made for us. And sometimes we have no choice at all

Saying and doing are chocolate and concrete
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Conficker-like symptoms without detectable infection

Post by phongn »

Steve wrote:Why so much money available to virus-makers compared to anti-virus groups?
Once a computer is infected it can be used as a node in a network to deliver spam, denial-of-service attacks or any number of things. Credit card numbers, social security numbers, bank accounts - all stolen and used.

In short: crime pays.
Ryan Thunder
Village Idiot
Posts: 4139
Joined: 2007-09-16 07:53pm
Location: Canada

Re: Conficker-like symptoms without detectable infection

Post by Ryan Thunder »

phongn wrote:In short: crime pays.
Well, fuck that.

So it came from China, right? Any way to, uh, cut them out of the picture without killing millions of people?

And I'm referring to things like severing their ability to actually use the Internet, through whatever means are available, by the way.
Last edited by Ryan Thunder on 2009-04-11 03:20pm, edited 1 time in total.
SDN Worlds 5: Sanctum
Alyeska
Federation Ambassador
Posts: 17496
Joined: 2002-08-11 07:28pm
Location: Montana, USA

Re: Conficker-like symptoms without detectable infection

Post by Alyeska »

Ryan Thunder wrote:
phongn wrote:In short: crime pays.
Well, fuck that.

So it came from China, right? Any way to, uh, cut them out of the picture without killing millions of people?
Don't act like a moron. You clearly don't know your history on virus and malware programs. Then you go about labeling a country and talking about the only effective means to stop it is murder.

Malware comes from a variety of locations, although Eastern Europe is the largest hotbed of activity. We are talking a dozen countries.
"If the facts are on your side, pound on the facts. If the law is on your side, pound on the law. If neither is on your side, pound on the table."

"The captain claimed our people violated a 4,000 year old treaty forbidding us to develop hyperspace technology. Extermination of our planet was the consequence. The subject did not survive interrogation."
Ryan Thunder
Village Idiot
Posts: 4139
Joined: 2007-09-16 07:53pm
Location: Canada

Re: Conficker-like symptoms without detectable infection

Post by Ryan Thunder »

Alyeska wrote:
Ryan Thunder wrote:
phongn wrote:In short: crime pays.
Well, fuck that.

So it came from China, right? Any way to, uh, cut them out of the picture without killing millions of people?
Don't act like a moron. You clearly don't know your history on virus and malware programs. Then you go about labeling a country and talking about the only effective means to stop it is murder.
Uh, no. I was specifying otherwise because I realize that often enough my solution is to advocate invasion and/or wide-scale suppression of the offending parties. But this time I'm not, because it would be a horrific bloodbath of unprecedented scale.
Malware comes from a variety of locations, although Eastern Europe is the largest hotbed of activity. We are talking a dozen countries.
What about them, then?
The Dark
Emperor's Hand
Posts: 7378
Joined: 2002-10-31 10:28pm
Location: Promoting ornithological awareness

Re: Conficker-like symptoms without detectable infection

Post by The Dark »

Darth Wong wrote:There seems to be something out there that virus scanners can't pick up at all. My computer is fine, but my son Matthew seemed to get an unidentified virus on his computer. The virus scanner suddenly stopped working, and many competing virus scanners would not install (the installer program would not even start). I tried installing Kaspersky and it installed OK, but it refused to actually run. All software except for virus scanners seemed to start OK, but virus scanners were all inoperative. That pretty much screams "virus infection".
That's the same thing I was thinking, but given how the behavior mirrored the description of Conficker, and that machine hadn't been on since Conficker.E was disseminated, I was confused as hell at why nothing was finding it. Luckily, I've got three clean computers in the house (and the one infected), so it's isolated from the network and (if all else fails) will be nuked prior to being reconnected to the network.
Xeriar wrote:Yes. Wasn't Conficker, though the recent variant may have such capabilities.

Try renaming the spybot executable before running it and see if that works. You will want to use something more effective like Malwarebytes + Roguefix, however:
http://www.internetinspiration.co.uk/roguefix.htm
http://www.malwarebytes.org/
MBAM's FileAssassin was what I needed. When I plugged in my flash drive, I noticed a folder called RECYCLER kept getting automatically loaded onto it. There was a copy of it on the computer as a hidden, write-protected folder on the C drive (not in Program Files). The symbol for it was the recycling bin instead of a folder, and when I axed the file in the folder with FileAssassin, it fixed the Google issue and let SpyBot run again.
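A defender-side triage script for the RECYCLER disguise The Dark describes, added here as an example and not code from the thread or from any of the tools it names: it walks a volume and flags RECYCLER-named folders that either carry a desktop.ini borrowing the Recycle Bin's shell class ID outside the volume root, or hold executables not stored the way a real XP-era bin stores deleted items. The sample volume it builds is constructed; the legitimate bin layout (per-SID subfolder, INFO2 index, `Dc<N>.<ext>` names) and the CLSID are facts about Windows XP, and `payload.exe` is a placeholder name.

```python
import os
import re
import tempfile
from pathlib import Path

# Shell class ID of the Recycle Bin. A desktop.ini naming it makes Explorer draw an
# ordinary folder with the Recycle Bin icon, which is the disguise the post describes.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
SUSPECT_NAMES = {"recycler", "recycled", "$recycle.bin"}
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif", ".cmd", ".bat", ".vbs"}
# A real XP-era bin stores each deleted item renamed to D<drive><N>.<ext> beside an INFO2 index.
DELETED_ITEM = re.compile(r"^d[a-z]\d+(\..*)?$", re.I)


def desktop_ini_clsid(folder):
    """Return the CLSID declared in folder/desktop.ini, or None if absent."""
    ini = Path(folder) / "desktop.ini"
    if not ini.is_file():
        return None
    m = re.search(r"^\s*CLSID\s*=\s*(\{[0-9A-Fa-f-]+\})",
                  ini.read_text(errors="ignore"), re.M | re.I)
    return m.group(1).upper() if m else None


def loose_executables(folder) -> list:
    """Executables anywhere under the folder that were not renamed as deleted items."""
    folder = Path(folder)
    hits = []
    for dirpath, _, files in os.walk(folder):
        for f in files:
            if Path(f).suffix.lower() in EXEC_SUFFIXES and not DELETED_ITEM.match(f):
                hits.append(Path(dirpath, f).relative_to(folder).as_posix())
    return hits


def find_suspect_recyclers(root) -> list:
    """Walk a volume or mount point; return [(folder relative to root, [reasons]), ...]."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.lower() not in SUSPECT_NAMES:
                continue
            folder = Path(dirpath) / name
            reasons = []
            if folder.parent != root and desktop_ini_clsid(folder) == RECYCLE_BIN_CLSID:
                reasons.append("desktop.ini disguises a folder outside the volume root as the Recycle Bin")
            for exe in loose_executables(folder):
                reasons.append(f"executable not stored as a deleted item: {exe}")
            if reasons:
                findings.append((folder.relative_to(root).as_posix(), reasons))
    return findings


def build_sample_volume() -> str:
    """Constructed sample: a clean XP-style bin at the root plus a disguised drop folder."""
    root = Path(tempfile.mkdtemp())
    legit = root / "RECYCLER" / "S-1-5-21-1234-5678-9012-1000"
    legit.mkdir(parents=True)
    (legit / "INFO2").write_bytes(b"\x05\x00\x00\x00")
    (legit / "Dc1.exe").write_bytes(b"MZ")  # a deleted program, renamed the way a real bin does
    drop = root / "Documents" / "RECYCLER"
    drop.mkdir(parents=True)
    (drop / "desktop.ini").write_text(f"[.ShellClassInfo]\r\nCLSID={RECYCLE_BIN_CLSID}\r\n")
    (drop / "payload.exe").write_bytes(b"MZ")  # constructed stand-in, not a real sample
    return str(root)


if __name__ == "__main__":
    for folder, reasons in find_suspect_recyclers(build_sample_volume()):
        print(folder)
        for reason in reasons:
            print("   -", reason)
```

Run it against a mounted flash drive or a volume root to list only the folders that fail these checks; the legitimate bin at the root of an NTFS volume is left alone.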
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Conficker-like symptoms without detectable infection

Post by phongn »

Ryan Thunder wrote:So it came from China, right? Any way to, uh, cut them out of the picture without killing millions of people?

And I'm referring to things like severing their ability to actually use the Internet, through whatever means are available, by the way.
I'm feeling generous right now, so, let's say that your proposal to cut off the PRC, Eastern Europe and Russia from the Internet is somehow implemented. What happens then?
The Dark wrote:FileAssassin was what I needed. When I plugged in my flash drive, I noticed a folder called RECYCLER kept getting automatically loaded onto it. There was a copy of it on the computer as a hidden, write-protected folder on the C drive (not in Program Files). The symbol for it was the recycling bin instead of a folder, and when I axed the file in the folder with FileAssassin, it fixed the Google issue and let SpyBot run again.
Recycler is the recycle bin for that particular volume.
Ryan Thunder
Village Idiot
Posts: 4139
Joined: 2007-09-16 07:53pm
Location: Canada

Re: Conficker-like symptoms without detectable infection

Post by Ryan Thunder »

phongn wrote:
Ryan Thunder wrote:So it came from China, right? Any way to, uh, cut them out of the picture without killing millions of people?

And I'm referring to things like severing their ability to actually use the Internet, through whatever means are available, by the way.
I'm feeling generous right now, so, let's say that your proposal to cut off the PRC, Eastern Europe and Russia from the Internet is somehow implemented. What happens then?
Well, they'd have to rebuild their botnets from elsewhere. They'd have to run their operation entirely on foreign soil. That makes it a bit easier to catch them, doesn't it?
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Conficker-like symptoms without detectable infection

Post by phongn »

Ryan Thunder wrote:Well, they'd have to rebuild their botnets from elsewhere. They'd have to run their operation entirely on foreign soil. That makes it a bit easier to catch them, doesn't it?
1. Where are the botnet nodes running? Why would they have to be rebuilt, and even if they did, how difficult would it be?
2. How does it make them easier to catch?
Ryan Thunder
Village Idiot
Posts: 4139
Joined: 2007-09-16 07:53pm
Location: Canada

Re: Conficker-like symptoms without detectable infection

Post by Ryan Thunder »

phongn wrote:
Ryan Thunder wrote:Well, they'd have to rebuild their botnets from elsewhere. They'd have to run their operation entirely on foreign soil. That makes it a bit easier to catch them, doesn't it?
1. Where are the botnet nodes running? Why would they have to be rebuilt, and even if they did, how difficult would it be?
Right, right, I guess not.
2. How does it make them easier to catch?
We don't have to ask the PRC/Russians/etc. to please kindly let us go investigate their networks to figure out where the bastards running the show are. Also, if it does turn out to be the PRC/Russians/etc. running the show we can still arrest their agents because we're not looking for them on their territory.

That's what I figured, anyways.
Chardok
GET THE FUCK OFF MY OBSTACLE!
Posts: 8488
Joined: 2003-08-12 09:49am
Location: San Antonio

Re: Conficker-like symptoms without detectable infection

Post by Chardok »

This is getting scary, man - I mean, people on SDN are generally savvy and stingy dudes when it comes to surfing and security. Granted, the only ones we know of are Matthew and Schuyler for right now - but those users' proximity to extraordinarily savvy, aware, and safe websurfers makes all this hit a little close to home - and I must wonder... should I scan my HDD yet again?


On another note - has anyone tried ie8 yet or does anyone know if it addresses security vulnerabilities/other stupid ie-related nonsense from ie7?
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Conficker-like symptoms without detectable infection

Post by phongn »

Ryan Thunder wrote:We don't have to ask the PRC/Russians/etc. to please kindly let us go investigate their networks to figure out where the bastards running the show are. Also, if it does turn out to be the PRC/Russians/etc. running the show we can still arrest their agents because we're not looking for them on their territory.
You are making a leap that we would even be able to find the persons or organizations running these networks.
Chardok wrote:This is getting scary, man - I mean, people on SDN are generally savvy and stingy dudes when it comes to surfing and security. Granted, the only ones we know of are Matthew and Schuyler for right now - but those users' proximity to extraordinarily savvy, aware, and safe websurfers makes all this hit a little close to home - and I must wonder... should I scan my HDD yet again?
Many pieces of malware are not detectable by current suites of anti-malware software. You should be running regular scans at any rate or using the online scanner.
On another note - has anyone tried ie8 yet or does anyone know if it addresses security vulnerabilities/other stupid ie-related nonsense from ie7?
Yes, it does. It is more secure than IE7, which was more secure than IE6. However, it's not perfectly secure.
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Re: Conficker-like symptoms without detectable infection

Post by Darth Wong »

Chardok wrote:This is getting scary, man - I mean, people on SDN are generally savvy and stingy dudes when it comes to surfing and security. Granted, the only ones we know of are Matthew and Schuyler for right now - but those users' proximity to extraordinarily savvy, aware, and safe websurfers makes all this hit a little close to home - and I must wonder... should I scan my HDD yet again?
"Proximity" doesn't mean a whole lot. I give Matthew a fair bit of leeway when using his computer, and I'm pretty sure the culprit was a computer game trainer. A lot of those trainer and "No CD" programs are actually delivery vehicles for trojans and viruses.

It's no big deal. It's actually a blessing in disguise because I had an excuse to reinstall Windows on his computer, and he learned an important lesson in security. Now it's all clean, fast, and has the latest versions of everything.
Terralthra
Requiescat in Pace
Posts: 4741
Joined: 2007-10-05 09:55pm
Location: San Francisco, California, United States

Re: Conficker-like symptoms without detectable infection

Post by Terralthra »

Have you considered simply running Cedega/Wine or VirtualBox as a replacement for dual-booting?
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Conficker-like symptoms without detectable infection

Post by phongn »

Terralthra wrote:Have you considered simply running Cedega/Wine or VirtualBox as a replacement for dual-booting?
For games?
Terralthra
Requiescat in Pace
Posts: 4741
Joined: 2007-10-05 09:55pm
Location: San Francisco, California, United States

Re: Conficker-like symptoms without detectable infection

Post by Terralthra »

phongn wrote:
Terralthra wrote:Have you considered simply running Cedega/Wine or VirtualBox as a replacement for dual-booting?
For games?
Yes. The only game I've been unable to get to work under Wine or VirtualBox is Allegiance, a game from ten years ago that no one has heard of, and which has measures specifically built into its security system to prevent being played in a virtualized environment. Everything else I've tried has worked with a modicum of effort.
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Re: Conficker-like symptoms without detectable infection

Post by Darth Wong »

Terralthra wrote:
phongn wrote:
Terralthra wrote:Have you considered simply running Cedega/Wine or VirtualBox as a replacement for dual-booting?
For games?
Yes. The only game I've been unable to get to work under Wine or VirtualBox is Allegiance, a game from ten years ago that no one has heard of, and which has measures specifically built into its security system to prevent being played in a virtualized environment. Everything else I've tried has worked with a modicum of effort.
I don't have a bleeding-edge computer. I don't see why I would want to spare the extra CPU cycles to run games in an emulator from a different OS.
Solauren
Emperor's Hand
Posts: 10387
Joined: 2003-05-11 09:41pm

Re: Conficker-like symptoms without detectable infection

Post by Solauren »

Ah, the results of a new, GOOD (as in well developed) virus being let loose in the wild.

Reminds me of watching the Dark Avenger + variant (okay, Jerusalem + variants if you want to get picky) outbreaks in the late 80s and early 90s.

Unfortunately, it's gone from 'creating headaches for the man' to big business.

Which is dangerous.

Almost makes me want to dig out a certain CD I have squirreled away and do some reading....
I've been asked why I still follow a few of the people I know on Facebook with 'interesting political habits and view points'.

It's so when they comment on or approve of something, I know what pages to block/what not to vote for.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Conficker-like symptoms without detectable infection

Post by phongn »

Terralthra wrote:Yes. The only game I've been unable to get to work under Wine or VirtualBox is Allegiance, a game from ten years ago that no one has heard of, and which has measures specifically built into its security system to prevent being played in a virtualized environment. Everything else I've tried has worked with a modicum of effort.
As Mike mentions, there would be a fairly noticeable performance penalty for trying to run games in a virtualized environment, especially when 3D comes into play (never mind the headaches of 3D under Linux). It's bad enough under host operating systems with decent support and virtualization solutions with real Shader Model passthrough (VMWare).