- Dec 19, 2013
A little over a year ago, I found that my computers had been infected with an advanced type of malware that seemed to be able to jump from PC to PC simply by sitting next to each other. I realize how this sounds and have read many threads across various forums where people have been called all sorts of names and shamed for even raising such matters. Being regarded as paranoid and crazy is the main reason I have so far battled this on my own. I could write a whole lot on what I've documented as supporting evidence from my experience so far, and can provide some interesting reading for those who are unfamiliar with advanced persistent threats, and proofs of concept of how amazingly possible it is for some malware to be transported, where it can reside, and what it is capable of.
After exhausting dozens of security tools trying to identify and possibly remove the bug, I have so far been unsuccessful in identifying it and am unsure of whether I have removed it. I am uncertain if this is something that drills down to firmware level (as unlikely as it may be; it seemed to have transferred via use of hardware in a machine from an infected machine), BIOS level, or MBR level (working much like a BIOS infection, a small amount of space is lost as it sections off part of the drive and becomes inaccessible to anything else). After researching and working tirelessly for many months, a new router, many PCs and 2 Macs later, I pretty much gave up short of a breakdown and physical exhaustion. I pretty much accepted the idea that I am going to have to get used to living with it.
A few months back I found out I had been the victim of identity theft, and about 20 thousand dollars had been issued as credit under my name. This is still under investigation by Interpol as it crosses national borders, and is unlikely to be solved. There is no other way for the relevant personal information to have been compromised other than being extracted from my secure (so I thought) saved data.
The infection can remain dormant and a machine can appear totally clean for varying periods of time after a fresh install with a low level format and cleared CMOS. I am unsure of what triggers it. However, when a PC starts to show signs of infection and virus removal methods are introduced, it seems almost provoked to act responsively by producing blue screens, freezing and locking down the system through policy changes and access control settings. The signs that the infection is present vary between machines and the particular build/install/config. The main indicators are the excessive network activity, continuous ARP requests and logs showing connections between nodes on the network, PC RAM and CPU utilization and overall lag in the system, all consistent with botnet activity. Then there are all the random issues such as encrypted files, alternate data streams being created, browser problems like pages failing to load and timing out, and losing functionality such as the paste function freezing. I have had one PC which 'ate itself alive' (as a good description). After a clean install it began filling itself by installing random drivers; it continued until it filled a 40GB hard drive. I watched it in amazement. I have a lot of what has happened recorded on video, simply to prove my story.
For all those whose response is "sure it's possible, but highly unlikely to happen to a home user": yes, I know this... but I work within an IT department at a university, where these types of attacks are most often directed, and I have likely transferred it from there. I also have a suspicion that I may have been the intentional recipient of this attack by a colleague I have a grievance with, who works in the 'Desktop Security' team for the university and has access to some of the most widely unavailable, unknown malicious code that the university has been the target recipient of. So it is very possible for me to have come in contact with the unlikely.
I do not write all this to receive criticisms and for the non-believers to spray their negative opinions and thoughts at me. To them, my response is "do some research on Advanced Persistent Threat malware". To the Apple worshippers and those who preach the use of alternative platforms such as Unix based/Linux solutions, "you have no idea, research platform independent malware". I do encourage others who have similar experiences to make it known; there is a reason these sophisticated threats are highly neglected, and people should know of their existence and the serious reality of them.
I write this merely to explain myself and provide the background on my situation while I ask for support/advice from those more knowledgeable than myself, so they can take into consideration that there could be more to scan results that may show nothing further to investigate.
Specifically, I have done a clean install on a Toshiba Satellite and this is the focus of my request. After clearing CMOS and a low level format of the HDD, I purposely installed a 32-bit version of Windows 7 (as many tools will not run on 64-bit); all updates have been completed and only Office 2010 along with a few other applications such as 7zip, Defraggler and a few choice security tools are installed, which are... NoVirusThanks' EXE Radar, PE Dropper Monitor and File Extension Monitor, Zemana's AntiLogger, and Comodo Internet Security. After the install I have shared no files that have in any way come from/been in contact with any other machines on my network. The laptop has had a wireless-only connection to the router, where I have set a rule for wireless devices to be isolated, so there should be no communication between wired and wireless devices.
If anybody has made it this far through my post, I am requesting assistance/advice to thoroughly assess the PC in order to determine whether there is any sign indicating that this machine is anything other than clean.