
Have I been RAT'd..?

4 replies to this topic

#1 Teh_Saccade


  • Members
  • 4 posts
  • Local time:06:46 AM

Posted 14 November 2017 - 08:10 AM


The past few days - perhaps a week - a win10 laptop that is used only for internet, some research collation, hangouts/drive/project management, entertainment (music/video) simple photoshop / illustrator or after effects tasks, VM / kali, occasional offsite for projection, some casual games (standalone or through Steam platform) and comic / epub reader... it has been displaying some strange behaviour.

Due to some .exes being quarantined, I often do not use live protection on this device. Instead I choose to run, if needed, MWB / FSRT / GMER (which notices rootkit-like behaviour in sector 0 of the HDD at startup, appears normal, but BSODs with a "driver IRQL not less than or equal" issue during any scan).

The behaviour mostly extends to Firefox (default), in which I will return to the machine to discover a search has been made (or two; often the first has a typo and the second is corrected, with safesearch off) and that it grinds to a halt if it uses more than one or two tabs, but there have also been instances where a character or string of characters has appeared while typing and I know I didn't make that typo.

Chrome and Edge appear fine.

Cursor has moved, windows (esp of images - inside win10 photo display - I am using as study for painting) have suddenly closed without warning.

More alarmingly, over the past few days, there has been some download (does not appear in any browser's download list) of easily available, script-kiddie destructive virus or bloatware / trojan installers.

Luckily, defender has caught these (eg, ..\Downloads\win32.EvilClusterbleep.exe - which is strange, as my browser's default download location is the desktop...) and/or I have spotted the download in progress and disconnected from 'net.


Additionally, the default for MS Paint (to save a screenshot to show) is usually the desktop - just now, it was the system32 directory.

Several scans with various software have detected no virus or spyware active on the machine.
There are no unrecognised processes nor start-ups listed.

I am unsure what to do - I have not been in this situation before.

Any advice or suggestions would be greatly appreciated.

/* additionally, I have been at war with a guy from a BBS or USENET (I forget where, even why...) since the 1990s - attacks trailed off over the past several years, but still every year at least one around Christmas time (like a greetings card). We are both alone, no family or reliable friends or partners - I understand perhaps it is difficult for some people at this time of year. Maybe it is a tradition for us now..? But... To use a "brickurPC" virus - especially one that is not hand-made - it is not his MO. Therefore, I do not believe it is him. But I do make a lot of "friends" like this online... even more so now the internet is more than bad poetry, messageboards, warez and ascii pron */


#2 Teh_Saccade

  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:46 AM

Posted 14 November 2017 - 08:18 AM


I forgot, the other day, 3 CMD windows opened and ran something that I didn't see after a restart of the laptop.

It feels like it was since this restart that the issues have occurred.


// also - sometimes I leave my door unlocked... but it seems unlikely that anyone would install something manually, considering the local area.

Edited by Teh_Saccade, 14 November 2017 - 08:22 AM.

#3 Teh_Saccade

  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:46 AM

Posted 15 November 2017 - 04:40 AM

Figured it out.

TL;DR - Hola Better Internet VPN extension can be used as attack tool or carrier for payload.

Last night I set a small trap and left the machine running.

Turns out it was a browser proxy extension called Hola Better Internet causing these issues.

Appears to only affect Firefox, as all browsers have this extension - the file exe has a modify date much later than the installation date (there have been no upgrades that I can think of).

The exe did try to open connections to a bunch of sites, including GoToAssist (guessing this is how the "RAT" worked) an hour or so before I woke, before trying several times to open a connection to a domain name atracking-auto.appflood, on ports 7763 / 7760.

I use Hola often on vk.com to circumvent country restrictions on my music collection (that I upload from my vinyl or CDs and make into a playlist, to be told I am not allowed to listen to it in my country... yet they are fine to collect into a youtube playlist in my country... or listen to from CD rips).

So - whatever Holasrv is up to - it is only using the default browser to launch (again) script-kiddie attacks and irritations.

Considering Hola creates a VPN to use for proxy through another user's machine - it might be that the machine that made alterations was not even aware it was infected or that anyone connecting would be delivered the payload.

Looking at who has used my machine as a proxy at the times of these events - it is a static, home IP, according to the maps.

Can confirm that - without the browser connecting to a bunch of sites and then sitting on the appflood - machine operation appears normal.

Will disable the extension and still see if it tries to open up the default browser to make these connections (as the same hola service is active in Chrome), or if it requires removal and reinstall.

Since I'm not spotting anything in the exe that would do this, even though it has been modified - wondering if it is a case of it having connected to a machine that has exploited the VPN to hide irritation-ware inside Hola, or if it is simply a function of Hola Better Internet...

Either way - anyone using this extension might want to be wary - it is simple to collect the addresses of any machine that connects using the Hola service and - while the proxy is in use - it might be possible to exploit this to deliver something nasty.

Perhaps it is not the Hola exe itself, and there is another thing that simply makes use of Hola's permission to do stuff to visit the script-kiddie sites.

If it's the same incoming connection address attempting this three days running - I'll show them how to remotely install ransomware and brick a machine, the proper way.

Still - never considered the vulnerabilities of Hola Better Internet before - it's a script-kiddie's dream. That must've been what I saw once.
Teach me to be lazy and use an extension instead of a real proxy.



Thanks for the assist, guys.
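The symptom that pinned this down was a browser helper process repeatedly trying to reach one unexpected domain (`atracking-auto.appflood`) on two unusual ports (7763 / 7760) while the machine was unattended. Below is an added example, not code from the thread or from Hola, that shows how a defender can triage a connection log for exactly that pattern: parse each line, flag anything whose remote port or host label is on a small watchlist, and group the hits by process so the originating program stands out. It assumes a simplified, netstat-like line format (`PROTO LOCAL:PORT REMOTE:PORT STATE PROCESS`); the log lines, the `.invalid` TLD and the `holasrv.exe` process name are constructed sample data, not captured output.

```python
"""Triage connection-log lines for the pattern described in the thread:
a process opening connections to an unexpected domain on odd ports.
Added example; the line format and sample data are assumptions."""
import re
from collections import defaultdict

# Watchlist taken from the thread: unusual destination ports and a
# domain label seen in the remote hostname.
WATCH_PORTS = {7763, 7760}
WATCH_SUFFIXES = ("appflood",)

# Constructed, simplified netstat-like lines (assumed format):
# PROTO LOCAL_ADDR:PORT REMOTE_HOST:PORT STATE PROCESS
SAMPLE_LOG = """\
TCP 192.168.0.10:50100 www.example.com:443 ESTABLISHED firefox.exe
TCP 192.168.0.10:50112 atracking-auto.appflood.invalid:7763 SYN_SENT firefox.exe
TCP 192.168.0.10:50113 atracking-auto.appflood.invalid:7760 SYN_SENT firefox.exe
TCP 192.168.0.10:50120 updates.example.net:443 ESTABLISHED chrome.exe
TCP 192.168.0.10:50130 atracking-auto.appflood.invalid:7763 SYN_SENT holasrv.exe
this line is not a connection record
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<rhost>\S+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<process>\S+)\s*$"
)


def parse_line(line):
    """Return a dict for one connection record, or None if the line
    does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["lport"] = int(entry["lport"])
    entry["rport"] = int(entry["rport"])
    return entry


def host_matches(host, suffixes):
    """True if any DNS label of the remote host is on the watchlist."""
    labels = host.lower().split(".")
    return any(s in labels for s in suffixes)


def triage(log_text, watch_ports=WATCH_PORTS, watch_suffixes=WATCH_SUFFIXES):
    """Return the records that hit the watchlist, each annotated with
    the reasons it was flagged."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["rport"] in watch_ports:
            reasons.append(f"remote port {entry['rport']} on watchlist")
        if host_matches(entry["rhost"], watch_suffixes):
            reasons.append(f"host label on watchlist: {entry['rhost']}")
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


def summarize(flagged):
    """Group flagged remote endpoints by the local process that opened them,
    so the program responsible for the traffic is visible at a glance."""
    by_process = defaultdict(set)
    for e in flagged:
        by_process[e["process"]].add(f"{e['rhost']}:{e['rport']}")
    return dict(by_process)


if __name__ == "__main__":
    for proc, endpoints in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(proc, sorted(endpoints))
```

Feeding this the sample log lists `firefox.exe` and `holasrv.exe` as the only processes contacting the watchlisted endpoints, which mirrors the poster's finding that the default browser was being driven to make the connections. In practice the watchlist would be built from whatever stood out in the first capture (here, the ports and domain label), and the summary is what you compare against the process list before and after disabling the suspect extension.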

#4 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:01:46 AM

Posted 15 November 2017 - 12:49 PM

Thanks for posting!!


#5 Teh_Saccade

  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:46 AM

Posted 16 November 2017 - 08:43 AM

Just to confirm - disabling the extension in the default browser (firefox) meant there were no intrusions or strange behaviours today. The machine is operating as it usually would.

I am still able to use Hola in non-default browsers, such as chrome, as normal - which is where I'd access social media and forums, anyway...

However this method works - it appears to require Hola function enabled in default browser, although I'm not gonna test this:)

Why the person decided to simply do stupid searches and attempt to run virus exes downloaded off the internet, rather than steal my password list or be patient and wait for an unattended login to online banking or a paypal transaction, etc... idk - they must have been young and/or unimaginative.
