How I got infected last time thread

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
Last time was couple years ago my uncle without my permission installed pirated games ,one was bundled with malware into my PC while we celebrated a holiday.
Unfortunately had to reflash /reinstall windows after what happened just in case .
 
  • Like
Reactions: Nevi

Stenographers

Level 2
Nov 11, 2022
48
Lets be honest - this kind of thing happens to everyone. Even the most security conscious of us have fallen prey. I accidentally ransomware'd my home computer. I had a sample of the malware and was going to rename it from a .exe to something else so I couldn't accidentally double click it, well yeah I went and double clicked it when trying to do that and then had to do a wipe / restore. This was 2015 when I was still learning basic good habits when it comes to security research like "use a sandboxed system for handling samples" lol.
 

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
Hi everybody, funny how you see a new thread of mine after some time and it's a story of how I suffered what I thought I'd never suffer again, since I've been malware free for more than a decade. I'm sharing this with you to let you know, and specially let novice users how careful we must be, since it's not even hard to get infected.

Today I commited a mistake. One single mistake, that costed me an infection, even when I thought I was truly protected. May this be a lesson for everybody, that if you, the user, are not careful enough, there will not be enough software to protect you.

HOW IT STARTED

I had to download a specific software today. Since the version I needed to install wasn't on the official site anymore, I headed to a Youtube video that would let me download it via Mediafire or MEGA.
I clicked the video, made a quick check of it, checked comments to see what users said about this download, and since everything was positive, I downloaded the file.
  • Norton Antivirus didn't pop when downloaded, so the first test was done.
  • A right click context scan didn't show malware, so second test was done.
  • I decided not to upload the file to VirusTotal, since Norton came clean and Youtube comments were positive.
THE INFECTION

I launched the executable file, and after some seconds, nothing happened. That's when I knew something was wrong. I immediately opened Process Explorer and Task Manager to see any possible suspicious process, and before these two even open, my theory became a reality.

1671569741156.png


Norton detected suspicious activity too. But here's the catch. Norton didn't detect the malware process. What we're seeing up there is Norton Intrusion Prevention System, which is basically like a firewall. It scans network traffic for attack signatures, such as social threats and outbound attacks, that identify attempts to exploit vulnerabilities in your operating system or in a program that you use.

And here's the other catch. The malware was still active in my system. and we had a loop. The malware process was a type of trojan that steals all the system's stored passwords. It was when this malware tried to contact home that Norton realised this was supicious activity and realised what was going on. But here are three problems:
  1. Norton wasn't smart enough to quarantine the file calling constantly home
  2. Each network connection malware tried to do was blocked, but malware was still active
  3. Neither Norton's "smart" or full scan were able to detect the malware, even when it was triggering Norton's IPS
Wanna guess who did detect it?

RESOLUTION AND CONCLUSSION

Yup, probably guessed right.

1671570252010.png
1671570278820.png


Long story short; malware neutralized, no information stolen and day saved.

Once this was over, I headed to the Youtube video where I downloaded the file, and realised the mistake I had made: everything was fake.
  1. Unknown author
  2. Literally posted 6 hours ago and already had 47 comments
  3. Video title was in spanish and all coments in english
  4. All comments were positive and posted at literally the same time
Yes, the cybercriminal had uploaded a fake video, paid for almost 50 bot comments and I slipped right in. I wasn't careful enough. I might be getting old.

Hopefully this is a lesson for everybody, most specially for me, that mistakes can be made and can cost us a lot. Luckily, I was spared to live some years more.

Also, after the semi-failure I saw today in Norton's protection, I might be re-thinking my comeback to Kaspersky.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
A pity, I hope that no important data of yours was leaked, I believe that Norton's firewall was able to block at least this part of the attack.

Unfortunately even the most experienced members, enthusiasts and security professionals can be victims of attacks, as happened for example with Jim Browning, a legend in exposing scam tactics who ended up falling for one.

About Norton, I'm using it at the moment because it's incredibly light, practically zero impact on PC activities and especially on browsing, but I confess that I don't feel as protected as when I use Kaspersky, Bitdefender or even ESET.
 

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
About Norton, I'm using it at the moment because it's incredibly light, practically zero impact on PC activities and especially on browsing, but I confess that I don't feel as protected as when I use Kaspersky, Bitdefender or even ESET.
That's literally me. I've been using it (Norton) for probably less than a year now, and I've fallen in love with how light and efficient it is. But I do not feel as protected as with Kaspersky, basically because it lacks an Application Control module. And after today, I am even more worried. This is literally the only time the Behaviour Blocker should've popped up (since I never commited a mistake like this) and it didn't... at all. Yes, maybe it 1/100 and the other 99 attacks would've been blocked, but the very first opportunity it had, it failed. Sad....
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
A silly mistake, but it happens to the best of us.
I very often test products against this type of malware targeted to home users that can be found on Google search, YouTube Search and torrent sites.
From what I have seen,
ESET detects 9/10 of these files by signature/heuristic and on some rare occasions by the local ML/Augur detection prior to execution. The others after execution.
Avast detects 7/10 by signatures prior to execution. Some after execution and saw it missing two last month but not recently. Maybe it has improved.
Norton 2/10 by signatures prior to execution. Sometimes detects payloads which stops the attack or via IPS via like yours with Redline stealer activity or backdoor activity in case of backdoor samples. So I think the data remains safe.
Microsoft Defender detects 0/10 by signatures prior to execution even a week later but after execution detects payloads and end up protecting the system 9/10 times.
Bitdefender and Kaspersky on average 0/10 by signatures prior to execution when the sample is new. Bitdefender detects all I tested pretty quickly after execution by behavior. Sometimes it doesn't delete the main sample file, sometimes it does.
Kaspersky detects by behavior at a slightly later stage but prior to any data getting stolen and always perform a perfect cleanup.
These malware are changed almost every day with new C2C servers to communicate. But the behavior remains similar mostly. Norton should have found something by now to detect the activity by their BB aka SONAR.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
A silly mistake, but it happens to the best of us.
I very often test products against this type of malware targeted to home users that can be found on Google search, YouTube Search and torrent sites.
From what I have seen,
ESET detects 9/10 of these files by signature/heuristic and on some rare occasions by the local ML/Augur detection prior to execution. The others after execution.
Avast detects 7/10 by signatures prior to execution. Some after execution and saw it missing two last month but not recently. Maybe it has improved.
Norton 2/10 by signatures prior to execution. Sometimes detects payloads which stops the attack or via IPS via like yours with Redline stealer activity or backdoor activity in case of backdoor samples. So I think the data remains safe.
Microsoft Defender detects 0/10 by signatures prior to execution even a week later but after execution detects payloads and end up protecting the system 9/10 times.
Bitdefender and Kaspersky on average 0/10 by signatures prior to execution when the sample is new. Bitdefender detects all I tested pretty quickly after execution by behavior. Sometimes it doesn't delete the main sample file, sometimes it does.
Kaspersky detects by behavior at a slightly later stage but prior to any data getting stolen and always perform a perfect cleanup.
These malware are changed almost every day with new C2C servers to communicate. But the behavior remains similar mostly. Norton should have found something by now to detect the activity by their BB aka SONAR.
Interesting, which of these products in your tests do you like more? ESET seems to be the one with the best signatures/heuristics as expected ...
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,479
Hi everybody, funny how you see a new thread of mine after some time and it's a story of how I suffered what I thought I'd never suffer again, since I've been malware free for more than a decade. I'm sharing this with you to let you know, and specially let novice users how careful we must be, since it's not even hard to get infected.

Today I commited a mistake. One single mistake, that costed me an infection, even when I thought I was truly protected. May this be a lesson for everybody, that if you, the user, are not careful enough, there will not be enough software to protect you.

HOW IT STARTED

I had to download a specific software today. Since the version I needed to install wasn't on the official site anymore, I headed to a Youtube video that would let me download it via Mediafire or MEGA.
I clicked the video, made a quick check of it, checked comments to see what users said about this download, and since everything was positive, I downloaded the file.
  • Norton Antivirus didn't pop when downloaded, so the first test was done.
  • A right click context scan didn't show malware, so second test was done.
  • I decided not to upload the file to VirusTotal, since Norton came clean and Youtube comments were positive.
THE INFECTION

I launched the executable file, and after some seconds, nothing happened. That's when I knew something was wrong. I immediately opened Process Explorer and Task Manager to see any possible suspicious process, and before these two even open, my theory became a reality.

View attachment 271441

Norton detected suspicious activity too. But here's the catch. Norton didn't detect the malware process. What we're seeing up there is Norton Intrusion Prevention System, which is basically like a firewall. It scans network traffic for attack signatures, such as social threats and outbound attacks, that identify attempts to exploit vulnerabilities in your operating system or in a program that you use.

And here's the other catch. The malware was still active in my system. and we had a loop. The malware process was a type of trojan that steals all the system's stored passwords. It was when this malware tried to contact home that Norton realised this was supicious activity and realised what was going on. But here are three problems:
  1. Norton wasn't smart enough to quarantine the file calling constantly home
  2. Each network connection malware tried to do was blocked, but malware was still active
  3. Neither Norton's "smart" or full scan were able to detect the malware, even when it was triggering Norton's IPS
Wanna guess who did detect it?

RESOLUTION AND CONCLUSSION

Yup, probably guessed right.

View attachment 271442View attachment 271443

Long story short; malware neutralized, no information stolen and day saved.

Once this was over, I headed to the Youtube video where I downloaded the file, and realised the mistake I had made: everything was fake.
  1. Unknown author
  2. Literally posted 6 hours ago and already had 47 comments
  3. Video title was in spanish and all coments in english
  4. All comments were positive and posted at literally the same time
Yes, the cybercriminal had uploaded a fake video, paid for almost 50 bot comments and I slipped right in. I wasn't careful enough. I might be getting old.

Hopefully this is a lesson for everybody, most specially for me, that mistakes can be made and can cost us a lot. Luckily, I was spared to live some years more.

Also, after the semi-failure I saw today in Norton's protection, I might be re-thinking my comeback to Kaspersky.
Glad that in the end everything worked out well. Still, Youtube is the worst option to download software from. I'm sure you have learned from that mistake tho. :)
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,479
I am unfamiliar with this stain, can you go more in-depth? Are they common with modified versions of official apps? Who is most likely to be targeted?
Redline stealer or other stealer malware are probably one of the most common malware families these days. They steal your stored cookies and other browser data like passwords (If saved in the browser). Best way to mitigate the risk is to store passwords in a password manager and also delete cookies on browser exit.

One more link:

RedLine: self-spreading stealer targets gamers on YouTube

Thanks to @RoboMan I was able to take a quick look at the malicious installer. And as many times before their approach is to enlarge the file size by adding data without any function. The file size is above 600mb so it's not possible to upload the file to VirusTotal or other malware analysis platforms anyway. At least not if you don't reduce the file size with an HexEditor for example. Here a little bit more detailed explanation:

 
Last edited:

Anthony Qian

Level 9
Verified
Well-known
Apr 17, 2021
448
A typical Redline Stealer malware. Fake crack. It is distributed via YouTube. This type of malware is usually 700 mb in size to evade detection.

In my opinion, I find Norton won’t do a deeper analysis on this kind of malware. Instead, it simply blocks by hash, which is quite ineffective.

Kaspersky, F-Secure and ESET can protect you from this kind of “over-compressed” malware.

In conclusion, I won’t recommend Norton to anyone, since its technology is outdated.
 

Andrezj

Level 6
Nov 21, 2022
248
I am unfamiliar with this stain, can you go more in-depth?
redline stealer is malware as a service on dark web, the platform can produce a redline stealer executables of various types
it is a highly successful and profitable malware: RedLine Stealer (Malware Family)
Are they common with modified versions of official apps?
redline stealer has been disquised as fake cracks, warez, gaming modules, even fake ccleaner crack and microsoft updates
the main method of distribution is social engineering through various web, youtube, email, and malicious office doc campaigns
Who is most likely to be targeted?
users that want to use stuff, as is the case in this incident
covid emails with links that downloaded redline
redline stealer has been distributed thgrough facebook
it has been distributed through onedrive, google drive, and other cloud hosted links
the youtube campaign has targeted gamers and it has been a very effective campaign
the email campaign was a spray attack, so unknowledgeable or not security conscious are most susceptible
there was a malicious office document campaign where unsuspecting users opened the document and the macro downloaded and ran the initial redline stealer
redline stealer has been around for 2 years, it has evolved technically, that various campaigns used every method possible to get users to infect their systems
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I told everybody countless times that Norton was trash. It made my PC infected last time.
Norton can be good in tests but in reality, it can miss simple malwares that ever other AV can detect and Norton had signature for them (but still missed). It's very inconsistent
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Hello everyone.

I don't know of an event I know was malware, but I did have an episode recently when I installed Windscribe. I have a 50 GB data account, but I had stopped using the account. Got an e-mail from Windscribe, so decided to try it again. Less than a week later someone hacked my main e-mail account. Windscribe was the only thing that had been changed on the system recently, so I changed the password for the e-mail and uninstalled Windscribe. That was a couple of weeks ago, and no further issue so far 🤞

Interestingly, recently I got hit by a large amount of spam in the inbox of the same e-mail account. It was ads and unrelated to the password change, but I consider these type of e-mails phishing (using trademarks etc.). I sent a message to Microsoft explaining how the e-mail addresses were different for dozens of e-mails from the same sender. Because of the different e-mail addresses issue I couldn't just create a rule and auto reroute them. So I found the option and asked Microsoft if they could please reroute these e-mails on their end to junk or deleted messages. To my surprise, within three days the e-mails completely ceased. I guess the plea I made to MS worked. I was surprised, especially since I am not paying for Outlook.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top