How I got infected last time thread

[Soulbound]

The purpose of this thread is two fold: To share one's experience and to raise user awareness to both members of MT and guests.

A few days ago, after being in contact with WinPatrol, I decided to test out their WinAntiRansom program against some nasties. I followed their guide for configuration, just to ensure I did not miss anything.

So I fired up the VM using VirtualBox and because I was moving stuff around, I had a partition from my host mapped to the VM. Once I done moving everything, I unmapped the connection to the D drive in this case and rebooted the VM twice, just to ensure it was fully isolated from Host.

I then fired up a variant of Tesla. VM was infected, and I was takings screenshots when I noticed that the folder that was previously mapped and unmapped was still mapped. I immediately disconnected the VM and halted the test. Sadly, nearly 70% of the D drive was infected. Sadly, the tesla variant I was testing cannot be decrypted.

This would be the first time in over 10 years an infection was present in my Host system, albeit partially.

The damage at first glance wasnt serious since D drive is actually backed up twice on my eHDDs, however a further inspection revealed that I did not backup work material (docx/xlsx files). Those files were gone. Other files were just random wallpapers and archive files.

The system itself has been isolated from Internet after the incident for 48 hours, so that I could be sure nothing was present/remaining.

Updated backups have been done, backup setup settings also done and system fully back online.

Moral of the story: due to a possible bug/glitch with VirtualBox + Human Error on my part, infection spread out to Host, due to a drive from host being mapped on the test VM. So, ensure that VM is fully isolated from Host prior to do any testing and always ensure you have up to date backups.

I am not ashamed to tell what happened and I do encourage other users to share their stories on their last infection(s).

Since then I have also retired from doing Malware Testing. I do test security products still but not their prevention/detection features anymore.

On a side note: I have documented the issue to WinPatrol via email accordingly.

Thank you in advance for reading and sharing your stories.

Inkurax

 

[BoraMurdar]

Education is the most important part of prevention and mistakes can happen to anyone. Thanks for sharing this

 

[Deleted member 2913]

Shared system here. No infection yet in app 13 years. Sometimes PUP like Ask toolbar that can be easily uninstalled but nothing malicious yet.

 

[jamescv7]

Human error is one of the very casual situation even though you prepare it since we forget some important things.

Myself also nearly engage to a mistake but luckily those threats did not jump on my C Drive (Downloads) since I also engage to connect the shared folder to my system to transfer important files.

So always be careful on the preparation, as long not too much OCD. (Obsessive Compulsive Disorder)

 

[Exterminator]

This story is one that all should read!!!!

This shows that no matter what the users experience level ( in this case @Inkurax is very experienced ) bad things can happen.
More importantly it goes to show you that playing with malware is no joke and testing malware is never without risk.

How ironic that we have a couple moderators of the Malware Hub preaching this same scenario until they are blue in the face.
Their new rules in place to protect members from exactly something like this happening and even then nothing is 100% safe.
Imagine if this happened on your home PC or your Parents PC with years and years of memories gone in an instant.

I consider @Inkurax an expert user and if it can happen to him then it can happen to you.

Before complaining about the new Malware Hub rules please read this story.Then you will realize that @illumination & @Klipsh have implemented these rules with all members (and your families) security in mind.

Thanks to @Inkurax for sharing this with all the members here at MT!

 

[artifice22]

Thank you so much for sharing this, a good lesson to everyone here in this community.
And as for you admitting to being infected, hats off to you!

 

[Der.Reisende]

I can share a similiar story here, although I do not plan to retire from Malware testing any time soon.
My last (and probably only for years) infection took place on an ShadowDefender equipped environment, at that time I was still using the 30-days trial to see if it's worth it (that was the time the Hub changed from live testing - better said live scanning and SUDing to real malware tests as they are now - and only with a virtualization as additional layer of protection).
I wanted to try out whether HMP.A (the paid version) and the Premium version of ZAM will be able to protect the system against being infected [my main AV, QTS360 was turned off so not being able to block the infection, Windows UAC and or SmartScreen was ignored to open the file].
Unfortunately, they were not.
I ran a harmless looking file (!) out of one of those MalwarePacks shared in the Hub, mentioned a strange process running, but even after 5 minutes, nothing happened, file obviously "broken". Context scan of the file revealed no sign of threat.
So I decided to fire off both 2nd opinion scanners and leave to do something else while that.
Luckily I had my system protected by ShadowDefender, as the "broken" file turned out to be a TeslaCrypt variant (the one adding nice .mp3 non-music extensions), not being broken in any way, but doing a great job in encrypting anything. I have to say that those 2nd opinion scanners did detect something malicious then, but it was too late.
Of course, at that time I had everything backupped and ShadowDefender did a great job "turning back time" so no sign of the file nor the infection could be found after a restart, but that made me even more concious why playing with malware should be done a) at no time unobserved and b) with all possible protection measures.

With that, you'll have great time at the Hub and bring joice to those Mods.

EDIT: No offense against HMP(.A) (SurfRight) and Zemana (ZAM), I still use your products with joice and you're doing a great job

EDIT 2: Thanks @Inkurax for sharing your story

 

[LabZero]

Sorry @Inkurax for what happened.

About the dangers of dynamic testing we have always expressed the concept that "testing must not damage the users."

In dynamic testing, samples of malicious code, are introduced into the system with the express purpose of being executed. Ideally the samples are executed in the correct way, as required by the code of the malware. In this way we can have a deeper knowledge of the behavior of the malware/antivirus, but an excessive "information" means to become aware of this danger and the first goal of all of us is the protection of users.

 

[AlphaBeta]

The last time I clearly remember, I had just tried avast 5 that was released the previous day. That was years ago. I liked the new GUI but it was worse back then with the detection rate. It detected a lot of false positives and barely detected the actual malware.
I wound up corrupting my OS because of a worm on a thumb drive because avast didn't do its job. That was the last time I ever used avast.

 

[jamescv7]

I wound up corrupting my OS because of a worm on a thumb drive because avast didn't do its job. That was the last time I ever used avast.

Unfortunately many AV's nowadays failed to detect common vector of worms in the Flash drive, which why Mcshield and other few products manage to focus on this.

For some reason, the code is literally obvious as part of malicious behavior but likely obfuscated for AV's.

 

[Andytay70]

In this day and age its better to becareful than sorry!
I made the mistake once of downloading what i thought was a legit piece of software and it cost me dearly.
Every hard drive was infected!
But as i get older i'm less inclined to download stuff unless its well known or its an update or upgrade!

Think twice before clicking that download button!

 

[Cohen]

The last time I was infected was when I was about 11 and had my Aunty's laptop.
I was really getting into Minecraft mods and found a mod I had been looking for on a random site and downloaded it.
I ran it (it was a .exe file; the site said it was an installer), then the computer restarted and got a screen like this:

Spoiler: picture

I saw the laptop's webcam on and freaked out, shut the laptop and called my mum. She ended up taking it to a local computer shop that fixed computers and other electronics and had the laptop wiped.
For a few years after that, my family didn't trust me with downloading things. But now I'm basically the go-to guy in my family and social circle when it comes to fixing electronics, removing viruses, keeping computers clean or helping with basically anything online.

 

[DardiM]

My last PC infection (that I remember) was several years ago : a Screen locker that look like the @Cohen's one, pretending to be from French Police Department.
=> My criminal CV grew up in few seconds

This was the beginning of this type of malware, so a simple reboot in safe mode and registry modifications removed it.

 

[LASER_oneXM]

... i never was "seriously" infected (in the last about 20 years). My last infection (about 8 months ago) was only a PUP-infection/browser Ad-ware. I installed a program (i think it was a file from softtonic.com) that contained unwanted programs: i dont know how i/who downloaded this file from softtonic.com: i knew softtonic.com is a "dangerous" platform... so i don't know exactly how it could happen... Maybe my girlfriend or my friends downloaded it or i was just drunk again ..... I had to "reset" the profiles of both browsers (Firefox and Chrome): since then everything is fine again.....

 

[Darlene]

Got Infected several times when sharing USB's and SD cards for transferring school files and photo's. Most of the time my antivirus caught it but not always ... I really am more careful with borrowing my external devices.

 

[simbelmayne]

@Inkurax

it happens even to the best of us, and it's the very instructive story =)

 

[NZRADAR]

The last time a pc of mine got infected was in the slow unreliable dial up days. I think I was using xp and there was a vulnerability in xp that a worm called blaster was infecting pc's with. I remember starting the pc on that day and within 30 seconds of dial up connection being established a message popped up saying I was going to be logged off and from then on it just kept restarting. You never had enough time to get the patch from Microsoft to fix it. I can't remember exactly how I got a fix for that but I think I got the necessary update patch from a friend. I had no understanding in those days of Malware and its capabilities.

There was also a time long before that in the DOS 6.22 and DR-DOS, Windows 3.11 era when just cause I could read the DOS and Windows manual I thought I was some sort of optimization guru who knew how to get every last bit of speed out a PC, of cause it wasn't my PC little mischievous me he he it was my Brother in laws pc that I was kindly optimizing while he hard at work and little did he know of the new Autoexec.bat and config.sys win.ini system.ini changes. Well on that machine I was sure later on I had infected it with a most probably fake windows update file I found that super optimized everything, but that's along time back so I'm a bit fuzzy on the detail .

In recent history my most sweaty sweaty clammy hands moment was when I was very tired late at night and was just doing some scanning of a malware pack and could just not believe that the antivirus product used at the time was not detecting the malware and I was getting frustrated and kept re scanning just in case a cloud detection came through. Well in my tired rung out state I ended up double clicking a somevirus.exe instead of right click manual scan (On My Main PC) yes you heard me right I was not using a virtual machine shame on me , but you know what... I think I had Malwarebytes Realtime Protection on or "Quickly turned it on" and that's what saved my night from becoming a disaster, as Malwarebytes sprung into action and dealt a death blow to the virus

The lessons for me , never let yourself get to proud about your security manners, Test these dangerous malwarepacks in a virtual machine with great concentration and care , don't forget to turn on Shadow Defender , and If you are tired or under the weather and on some meds for what ever reason, just leave the Malware testing for another day, go play a game or go to bed.

 

[FrFc1908]

Nothing shocking the last couple of years , Some adware here and there. But the xp " spyware " days where different. At that time i was using norton av 2001 and dowloaded a program from Kazaa. Installed it and after reboot my pc went bezerk ; coackroaces where going at it kamasutra style , rederections to porn sites , browser changes and so on. The irony was that i downloaded a cracked version of spyware doctor all it took was the very first version of hitmam pro and Spybot Search n destroy to get rid of the naties

 

[ElectricSheep]

Drunk downloading... A big no no as I learned the hard way
Had browser hijackers, adwares galore, and plenty of other stuff, most memorably Astromenda cos that was a nightmare to shift (had to use Revo to boot that one out in the end)

Lesson learned: Don't download when drunk!!

 

[JHomes]

I was downloading a copy of Space Jam.

F*** you Bugs Bunny.