How I got infected last time thread

Discussion in 'General Security Discussions' started by Soulweave, Mar 25, 2016.

  1. Soulweave

    Soulweave Moderator
    Staff Member Content Creator

    Jan 14, 2015
    Windows 10
    #1 Soulweave, Mar 25, 2016
    Last edited: Mar 25, 2016
    The purpose of this thread is twofold: to share one's experience and to raise user awareness among both members of MT and guests.

    A few days ago, after being in contact with WinPatrol, I decided to test out their WinAntiRansom program against some nasties. I followed their guide for configuration, just to ensure I did not miss anything.

    So I fired up the VM using VirtualBox and, because I was moving stuff around, I had a partition from my host mapped to the VM. Once I was done moving everything, I unmapped the connection to the D drive in this case and rebooted the VM twice, just to ensure it was fully isolated from the host.

    I then fired up a variant of Tesla. The VM was infected, and I was taking screenshots when I noticed that the folder that was previously mapped and unmapped was still mapped. I immediately disconnected the VM and halted the test. Sadly, nearly 70% of the D drive was infected. Sadly, the Tesla variant I was testing cannot be decrypted.

    This would be the first time in over 10 years an infection was present in my Host system, albeit partially.

    The damage at first glance wasn't serious since the D drive is actually backed up twice on my eHDDs; however, a further inspection revealed that I did not back up work material (docx/xlsx files). Those files were gone. Other files were just random wallpapers and archive files.

    The system itself was isolated from the Internet for 48 hours after the incident, so that I could be sure nothing was present/remaining.

    Updated backups have been done, backup settings are set up, and the system is fully back online.

    Moral of the story: due to a possible bug/glitch with VirtualBox + human error on my part, the infection spread to the host because a drive from the host was mapped on the test VM. So, ensure that the VM is fully isolated from the host prior to doing any testing, and always ensure you have up-to-date backups.

    I am not ashamed to tell what happened and I do encourage other users to share their stories on their last infection(s).

    Since then I have also retired from doing malware testing. I still test security products, but not their prevention/detection features anymore.

    On a side note: I have documented the issue to WinPatrol via email accordingly.

    Thank you in advance for reading and sharing your stories.

    daljeet, Anubis, Golden King and 46 others like this.
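    A pre-flight check in the spirit of the moral above, written as an added example (it is not the poster's or VirtualBox's own code): it parses the output of `VBoxManage showvminfo <vm> --machinereadable` and reports any host folder still mapped into the VM, permanent or transient, plus any enabled network adapter, before a test is started. It assumes the `SharedFolder*Mapping` and `nicN` key names of that output; the sample output embedded below is constructed.

```python
import re
import subprocess

# Constructed sample of `VBoxManage showvminfo --machinereadable` output for a
# VM that still has the host's D drive mapped, i.e. the situation in the post.
SAMPLE_INFO = r'''name="malware-test"
nic1="none"
SharedFolderNameMachineMapping1="D_DRIVE"
SharedFolderPathMachineMapping1="D:\"
SharedFolderNameTransientMapping1="scratch"
SharedFolderPathTransientMapping1="C:\Users\me\scratch"
'''

# Permanent (Machine) and per-session (Transient) shared-folder entries.
_SF_RE = re.compile(r'^SharedFolder(Name|Path)(Machine|Transient)Mapping(\d+)="(.*)"$')
_NIC_RE = re.compile(r'^nic\d+="(.*)"$')

def parse_shared_folders(info):
    """Return one dict per shared folder with its name, path and kind."""
    found = {}
    for line in info.splitlines():
        m = _SF_RE.match(line.strip())
        if m:
            field, kind, idx, value = m.groups()
            entry = found.setdefault((kind, idx), {"kind": kind.lower()})
            entry[field.lower()] = value
    return list(found.values())

def enabled_nics(info):
    """Return the attachment mode of every adapter that is not disabled."""
    matches = (_NIC_RE.match(l.strip()) for l in info.splitlines())
    return [m.group(1) for m in matches if m and m.group(1) != "none"]

def preflight(info):
    """List everything still linking the VM to the host; empty means isolated."""
    findings = ["shared folder %r -> %s (%s) is still mapped"
                % (sf.get("name"), sf.get("path"), sf["kind"])
                for sf in parse_shared_folders(info)]
    findings += ["network adapter enabled (%s)" % mode for mode in enabled_nics(info)]
    return findings

def vm_info(vm_name):
    """Query the real VirtualBox installation (not used by the sample run)."""
    cmd = ["VBoxManage", "showvminfo", vm_name, "--machinereadable"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for finding in preflight(SAMPLE_INFO) or ["no host links found"]:
        print(finding)
```

    Against a real VM, pass `vm_info("<vm name>")` to `preflight()` and refuse to start the guest while the list is non-empty.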
  2. BoraMurdar

    BoraMurdar Super Moderator
    Staff Member

    Aug 30, 2012
    Doctor of medicine
    Windows 10
    Education is the most important part of prevention and mistakes can happen to anyone. Thanks for sharing this :cool:
  3. Yash Khan

    Yash Khan Level 51

    Oct 22, 2012
    Shared system here. No infection yet in app 13 years. Sometimes PUP like Ask toolbar that can be easily uninstalled but nothing malicious yet.
  4. jamescv7

    jamescv7 Level 61

    Mar 15, 2011
    Web and FileMaker Developer
    Windows 10
    Human error is one of those very casual situations, even though you prepare for it, since we forget some important things.

    I myself also nearly made a mistake, but luckily those threats did not jump to my C drive (Downloads), since I had also connected the shared folder to my system to transfer important files.

    So always be careful in the preparation, as long as it's not too much OCD (Obsessive Compulsive Disorder). :)
  5. Exterminator

    Exterminator Super Moderator
    Staff Member

    Oct 23, 2012
    Windows 10
    This story is one that all should read!!!!

    This shows that no matter what the user's experience level (in this case @Inkurax is very experienced), bad things can happen.
    More importantly, it goes to show you that playing with malware is no joke and testing malware is never without risk.

    How ironic that we have a couple of moderators of the Malware Hub preaching this same scenario until they are blue in the face.
    Their new rules are in place to protect members from exactly something like this happening, and even then nothing is 100% safe.
    Imagine if this happened on your home PC or your parents' PC, with years and years of memories gone in an instant.

    I consider @Inkurax an expert user and if it can happen to him then it can happen to you.

    Before complaining about the new Malware Hub rules, please read this story. Then you will realize that @illumination & @Klipsh have implemented these rules with all members' (and your families') security in mind.

    Thanks to @Inkurax for sharing this with all the members here at MT!
  6. artifice22

    artifice22 New Member

    Apr 11, 2015
    Thank you so much for sharing this, a good lesson to everyone here in this community.
    And as for you admitting to being infected, hats off to you! :D
  7. Der.Reisende

    Der.Reisende Level 32
    Trusted AV Tester

    Dec 27, 2014
    Tax Officer
    Windows 10
    I can share a similar story here, although I do not plan to retire from malware testing any time soon.
    My last (and probably only for years) infection took place on a ShadowDefender-equipped environment; at that time I was still using the 30-day trial to see if it's worth it (that was the time the Hub changed from live testing - better said live scanning and SUDing - to real malware tests as they are now, and only with virtualization as an additional layer of protection).
    I wanted to try out whether HMP.A (the paid version) and the Premium version of ZAM would be able to protect the system against being infected [my main AV, QTS360, was turned off so it would not be able to block the infection; Windows UAC and/or SmartScreen was ignored to open the file].
    Unfortunately, they were not.
    I ran a harmless-looking file (!) out of one of those MalwarePacks shared in the Hub, mentioned a strange process running, but even after 5 minutes nothing happened; the file was obviously "broken". A context scan of the file revealed no sign of a threat.
    So I decided to fire off both 2nd-opinion scanners and leave to do something else in the meantime.
    Luckily I had my system protected by ShadowDefender, as the "broken" file turned out to be a TeslaCrypt variant (the one adding nice .mp3 non-music extensions), not broken in any way, but doing a great job of encrypting everything. I have to say that those 2nd-opinion scanners did detect something malicious then, but it was too late.
    Of course, at that time I had everything backed up and ShadowDefender did a great job "turning back time", so no sign of the file nor the infection could be found after a restart, but that made me even more conscious of why playing with malware should be done a) at no time unobserved and b) with all possible protection measures.

    With that, you'll have a great time at the Hub and bring joy to those Mods.

    EDIT: No offense against HMP(.A) (SurfRight) and Zemana (ZAM), I still use your products with joy and you're doing a great job :)

    EDIT 2: Thanks @Inkurax for sharing your story :)
  8. LabZero

    LabZero Guest

    Sorry @Inkurax for what happened.

    About the dangers of dynamic testing we have always expressed the concept that "testing must not damage the users."

    In dynamic testing, samples of malicious code are introduced into the system with the express purpose of being executed. Ideally the samples are executed in the correct way, as required by the code of the malware. In this way we can have a deeper knowledge of the behavior of the malware/antivirus, but an excessive amount of "information" means becoming aware of this danger, and the first goal of all of us is the protection of users.
  9. AlphaBeta

    AlphaBeta Level 3

    Oct 24, 2015
    The last time I clearly remember, I had just tried Avast 5, which had been released the previous day. That was years ago. I liked the new GUI, but back then it was worse in terms of detection rate. It detected a lot of false positives and barely detected the actual malware.
    I wound up corrupting my OS because of a worm on a thumb drive, because Avast didn't do its job. That was the last time I ever used Avast.
  10. jamescv7

    jamescv7 Level 61

    Mar 15, 2011
    Web and FileMaker Developer
    Windows 10
    Unfortunately many AVs nowadays fail to detect the common vector of worms on flash drives, which is why McShield and a few other products manage to focus on this.

    For some reason, the code is literally obvious as malicious behavior, but it is likely obfuscated for AVs.
  11. Andytay70

    Andytay70 Level 13

    Jul 6, 2015
    Electrical engineer
    Windows 10
    In this day and age it's better to be careful than sorry!
    I made the mistake once of downloading what I thought was a legit piece of software and it cost me dearly.
    Every hard drive was infected!
    But as I get older I'm less inclined to download stuff unless it's well known or it's an update or upgrade!

    Think twice before clicking that download button!
  12. Cohen

    Cohen Level 7

    May 22, 2016
    The last time I was infected was when I was about 11 and had my Aunty's laptop.
    I was really getting into Minecraft mods and found a mod I had been looking for on a random site and downloaded it.
    I ran it (it was a .exe file; the site said it was an installer), then the computer restarted and got a screen like this:
    I saw the laptop's webcam on and freaked out, shut the laptop and called my mum. She ended up taking it to a local computer shop that fixed computers and other electronics and had the laptop wiped.
    For a few years after that, my family didn't trust me with downloading things. But now I'm basically the go-to guy in my family and social circle when it comes to fixing electronics, removing viruses, keeping computers clean or helping with basically anything online.
  13. DardiM

    DardiM Level 26
    Trusted AV Tester

    May 14, 2016
    Windows 10
    #13 DardiM, Jul 7, 2016
    Last edited: Jan 5, 2017
    My last PC infection (that I remember) was several years ago: a screen locker that looked like @Cohen's one, pretending to be from the French Police Department.
    => My criminal CV grew in a few seconds :cool:

    This was the beginning of this type of malware, so a simple reboot in safe mode and registry modifications removed it.
  14. LASER_oneXM

    LASER_oneXM Level 18
    Content Creator

    Feb 4, 2016
    Germany / Poland
    Windows 8.1
    ... I never was "seriously" infected (in the last 20 years or so). My last infection (about 8 months ago) was only a PUP infection/browser adware. I installed a program (I think it was a file that contained unwanted programs: I don't know how I/who downloaded this file from what I knew is a "dangerous" platform... so I don't know exactly how it could happen... Maybe my girlfriend or my friends downloaded it, or I was just drunk again..... :D). I had to "reset" the profiles of both browsers (Firefox and Chrome); since then everything is fine again.....
  15. Darlene

    Darlene Level 3

    Aug 14, 2015
    New York
    Got infected several times when sharing USB sticks and SD cards for transferring school files and photos. Most of the time my antivirus caught it, but not always... I really am more careful with lending my external devices now.
  16. simbelmayne

    simbelmayne Level 3

    Jul 4, 2016
    It happens even to the best of us, and it's a very instructive story =)
  17. NZRADAR

    NZRADAR Level 3

    Aug 8, 2013
    Security Investigations
    New Zealand
    Windows 10
    The last time a PC of mine got infected was in the slow, unreliable dial-up days. I think I was using XP and there was a vulnerability in XP that a worm called Blaster was infecting PCs with. I remember starting the PC on that day and within 30 seconds of the dial-up connection being established a message popped up saying I was going to be logged off, and from then on it just kept restarting. You never had enough time to get the patch from Microsoft to fix it. I can't remember exactly how I got a fix for that, but I think I got the necessary update patch from a friend. I had no understanding in those days of malware and its capabilities.

    There was also a time long before that, in the DOS 6.22 and DR-DOS, Windows 3.11 era, when just because I could read the DOS and Windows manual I thought I was some sort of optimization guru who knew how to get every last bit of speed out of a PC. Of course it wasn't my PC, little mischievous me he he :rolleyes:, it was my brother-in-law's PC that I was kindly optimizing while he was hard at work, and little did he know of the new Autoexec.bat and config.sys, win.ini, system.ini changes. Well, on that machine I was sure later on that I had infected it with a most probably fake Windows update file I found that super-optimized everything, but that's a long time back so I'm a bit fuzzy on the details :oops:.

    In recent history my most sweaty, clammy-hands moment was when I was very tired late at night and was just doing some scanning of a malware pack and could just not believe that the antivirus product used at the time was not detecting the malware. I was getting frustrated and kept rescanning just in case a cloud detection came through. Well, in my tired, wrung-out state I ended up double-clicking a somevirus.exe instead of right-click manual scan (on my main PC) :D Yes, you heard me right, I was not using a virtual machine, shame on me o_O, but you know what... I think I had Malwarebytes real-time protection on or "quickly turned it on" and that's what saved my night from becoming a disaster, as Malwarebytes sprung into action and dealt a death blow to the virus :)

    The lessons for me: never let yourself get too proud about your security manners; test these dangerous malware packs in a virtual machine with great concentration and care; don't forget to turn on Shadow Defender; and if you are tired or under the weather :( and on some meds for whatever reason, just leave the malware testing for another day, go play a game or go to bed. :):)
  18. Trickster

    Trickster Level 14

    Jul 28, 2016
    Loving / caring Husband :)
    Windows 10
    Nothing shocking in the last couple of years, some adware here and there. But the XP "spyware" days were different. At that time I was using Norton AV 2001 and downloaded a program from Kazaa. Installed it, and after reboot my PC went berserk; cockroaches were going at it Kamasutra style, redirections to porn sites, browser changes and so on. The irony was that I downloaded a cracked version of Spyware Doctor :) All it took was the very first version of HitmanPro and Spybot Search & Destroy to get rid of the nasties :D
  19. ElectricSheep

    ElectricSheep Level 12

    Aug 31, 2014
    Professional Woolly Jumper
    Planet Earth
    Drunk downloading... A big no-no, as I learned the hard way :eek:
    Had browser hijackers, adware galore, and plenty of other stuff, most memorably Astromenda, because that was a nightmare to shift (had to use Revo to boot that one out in the end).

    Lesson learned: Don't download when drunk!!:p:p:cool:
  20. JHomes

    JHomes Level 6

    Jul 7, 2016
    Windows 10
    I was downloading a copy of Space Jam.

    F*** you Bugs Bunny.