
Infected by a VM Virus/Hack with proof


This topic is locked
11 replies to this topic

#1 Resonce
  • Members
  • 15 posts
  • Gender:Male

Posted 13 December 2017 - 09:15 AM

As the title says, I've discovered that my PC has been exploited through the VM technique, or the so-called Blue Pill if I am right with that. Thankfully, however, the attack was totally dependent on virtualization, so disabling it on the motherboard also mitigates the VM attack, which allowed me to get into my real system. I can no longer remember if it was me who stupidly turned that feature on or if it was enabled through an attack exploiting the faulty Intel vulnerability that was discovered just recently; my processor happens to be affected by that, and sadly there are still no updates released for my mobo to have the vulnerability fixed.

Regardless, that won't stop me from wanting to know the nature of this attack with great curiosity and thirst for knowledge. With that said, time for me to discuss my discovery.

https://imgur.com/tmEIu0I

As you can see here, I have a bunch of services with unknown sources, and a lot of them impersonate legitimate Windows services of the same name but without the hex code.

https://imgur.com/Pr3orKo

https://imgur.com/eym0wYW

I've tried tinkering with these services through the registry and apparently what's inside my PC is capable of reproducing them. Even if I delete just enough registry entries to prevent the service from functioning, the virus is capable of detecting the status of the service and creating a new registry entry for it if need be. Deleting them is no good so long as the root source exists.

https://imgur.com/dOm9s5o

Above is everything inside the registry entry of one of the services; I noticed that it deliberately copies the description of its legitimate counterpart. Now have a look at the properties of these services: they're all exactly the same and only vary in startup type, and not all are on automatic.

https://imgur.com/9rqcMD5

https://imgur.com/Db8FHIt

https://imgur.com/cSudxKn

https://imgur.com/tUy6oNq

Runs on a blank user/account, Recovery settings set to persistent service restart, No dependencies, Installs back like magic...

Now if I am told that I am just being paranoid yet again and that I may be over-thinking things, then IDK anymore. That was how I was treated the last time I was here, and now I am back to prove that I was right about the fact that my PC was infected, upon seeing subtle executions of JavaScript while I ain't even doing anything. Credit card info was already compromised and used before this discovery, and I am confident that the culprit is this virus.

In the meantime I have kept it disconnected from the internet in order to prevent the possibility of this infection getting worse, as I believe my attacker is now alerted due to me breaking out of the virtual environment.

I have attached FRST logs. I gave them a check and, surprisingly, the suspicious services don't get listed if the whitelist is active for them.

Very sneaky and subtle

Because of that, I've made another FRST log with the services whitelist disabled.

I can do more FRST scans and provide files for analysis if need be but not for long...

Attached Files
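A defender-side way to triage the services described in the post above, added here by the editor and not part of the thread or of FRST: the script reads every key under the Services hive, decodes the Type bitmask (flag values as defined in winsvc.h) and checks the Authenticode signature of the binary named in ImagePath. It assumes Windows 10 version 1703 or later, where per-user services are stored as a template key plus per-user instances named <template>_<hex>; the hex-suffix matching and the ImagePath parsing are heuristics of my own.

```powershell
# Constructed triage script (added here, not from the thread). Reads every
# service key, decodes the Type bitmask (flag values from winsvc.h) and checks
# whether the binary named in ImagePath carries a valid Authenticode signature.
# Per-user services (Windows 10 1703+) are stored as a template key plus one
# instance per logged-on user named "<template>_<hex>"; the script links them.
$typeFlags = @(
    @(0x001, 'KernelDriver'),        @(0x002, 'FileSystemDriver'),
    @(0x010, 'Win32OwnProcess'),     @(0x020, 'Win32ShareProcess'),
    @(0x040, 'UserServiceTemplate'), @(0x080, 'UserServiceInstance'),
    @(0x100, 'InteractiveProcess')
)

function Resolve-ServiceBinary([string]$imagePath) {
    # Strip the \??\ and \SystemRoot\ prefixes, expand %SystemRoot%, drop quotes
    # and arguments, and root relative paths (drivers often use system32\...).
    $raw = [Environment]::ExpandEnvironmentVariables($imagePath)
    $raw = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] }
           elseif ($raw -match '^(\S+?\.(exe|sys|dll))') { $Matches[1] }
           else { ($raw -split ' ')[0] }
    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Get-ServiceTriage {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($null -eq $p.Type) { continue }    # helper subkey, not a service
        $names = foreach ($f in $typeFlags) { if ($p.Type -band $f[0]) { $f[1] } }
        $template = if ($key.PSChildName -match '^(.+)_[0-9a-fA-F]+$') { $Matches[1] }
        $exe = $null; $sig = 'NoImagePath'
        if ($p.ImagePath) {
            $exe = Resolve-ServiceBinary $p.ImagePath
            $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature $exe).Status }
                   else { 'MissingFile' }
        }
        [pscustomobject]@{
            Name      = $key.PSChildName
            Template  = $template        # set only for "<name>_<hex>" instances
            Type      = ($names -join '|')
            Start     = $p.Start         # 2 = Automatic, 3 = Manual, 4 = Disabled
            Account   = $p.ObjectName    # empty for kernel drivers
            Binary    = $exe
            Signature = $sig
        }
    }
}

# Review order: unsigned, missing or path-less binaries first. A template whose
# Type contains UserServiceTemplate plus "<name>_<hex>" instances sharing the
# same signed binary is the normal Windows layout, not a cloned service.
Get-ServiceTriage |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Signature, Name |
    Format-Table Name, Type, Start, Account, Signature, Binary -AutoSize
```

Run it from an elevated PowerShell on the suspect machine and compare the output against a known-clean install of the same Windows build; a service whose binary is signed by Microsoft and lives under System32 is rarely the problem, whatever its name looks like in Services.msc.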



#2 Resonce
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 17 December 2017 - 02:44 AM

I can't seem to find any edit button, so I'm going ahead and telling my additional findings here.

 

I asked a friend of mine who also has Windows 10 to compare our services through System Information, and I found out that he too has those services with hex; however, there is one difference spotted.

His services with hex codes are all running on service type Kernel S... (I wasn't able to see the whole text) while mine are on service type unknown. Because of this I installed my copy of Windows 10 in VMware Workstation running on Linux and found out that it's pretty much the same. I'm running Windows 10 Pro and I want to know if this could possibly mean that the Windows 10 ISO file that I got was compromised before I was able to burn it. Is that even possible in the first place?

 

The second thing I found out was that NETBIOS requests are being sent to me by my work colleague's laptop despite the fact that he isn't even here presently. We live under the same roof for work, so yeah, we share the same Wi-Fi.

I'm starting to think that my attacker/infector is getting a connection to me through a virus inside his laptop, and I am not surprised if he does have a virus like that; he's a bloody perv who likes to, ye know, go through all sorts of R+18 websites. *sigh*

 

UPDATE:

 

IDK what this is but this ain't no good: some odd device became part of the Wi-Fi network and it came from Amazon through me. I noticed my browser was suspiciously having 4 connections directly to me/myself/localhost, and then all of a sudden this showed up through ESET detecting it:

https://imgur.com/WEotyhM

On a side note, I found out my colleague's MSI laptop was connecting to me, all thanks to ESET as well.

Now I guess this calls for some extra network security since I don't think I could stop this bloody pain of a colleague from doing all sorts of annoyingness.

 

UPDATE2:

 

I've got some solid tracks on my hacker and what he is doing to my PC from the Event Viewer.

 

So with that said, can someone help me analyze these logs?

https://ufile.io/vesyi

Logs up till 8:07:28 are from when my computer was still connected to the Wi-Fi device and the internet, before the computer went through a restart and a long absence of my usage as part of my attempt to discern the activity on my computer.
The following logs, up till the end after that, are from when my computer was disconnected from the Wi-Fi device and the internet.
 
From the looks of it, this attacker of mine prepares the environment, then installs a malware that helps him automate things upon startup to make his spying on me much easier.

 

All of this happened quite some time after this weird activity involving the network:

https://i.imgur.com/6SsBPXX.png

The MSI computer of my colleague, who happened to be absent around that time, had been left on and connected to the Wi-Fi. Eventually it made a direct connection to my PC, then my browser started to have some weird connections, like 4 connections to localhost and some connection to AWS that brought forth this:

https://i.imgur.com/WEotyhM.png

At this point, I would really appreciate it if someone could help me secure my connection to the shared Wi-Fi and keep myself safe from the infection.


Edited by Resonce, 17 December 2017 - 09:45 AM.


#3 HelpBot
    Bleepin' Binary Bot
  • Bots
  • 12,761 posts
  • Gender:Male

Posted 18 December 2017 - 09:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/665482 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Resonce
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 19 December 2017 - 08:00 AM

I don't think I can describe with words what is happening to my PC, but there were more connections to me than usual hogging my internet after the events in post 2.
Sorry, I'm posting this from my phone, so the logs are here:
https://pastebin.com/MNZfpmHN
https://pastebin.com/vV1FMjT7

I'll follow up with logs from my infected colleague's laptop shortly.

Also, the Windows CD is present so a reformat is possible; my files are safe elsewhere so I can do anything to it.

EDIT:
Additional logs
pastebin.com/BXhy4JQB
pastebin.com/z4Kr2d6S

Edited by Resonce, 19 December 2017 - 08:16 AM.


#5 King_Yoshi
  • Malware Study Hall Senior
  • 1,361 posts

Posted 22 December 2017 - 11:46 AM

Hello Resonce,

My name is King_Yoshi and I will be helping you today.

If at any point you have any comments, questions or concerns, please do not hesitate to post them.

Allow me some time to review your post.

In the meantime please review the following rules.

Basic Rules:

1. First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts.
Please try to match our commitment to you with your patience toward us.
I try to reply as soon as possible. (Typically every 24-48 hours.)

2. Please do not run any tools or take any steps other than those I provide for you.
I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take.
If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

3. Please perform all steps in the order they are listed, in each set of instructions. Some steps may be a bit complicated.
If things are not clear, be sure to stop and let me know.

4. Please copy and paste all logs into your post, unless directed otherwise.
Please do not re-run any programs I suggest.
If you encounter problems simply stop and tell me.

5. When you post your reply, use the Reply button.

6. In the upper right hand corner of the topic you will see the Follow This Topic button.
Please click on this then choose "Immediate E-Mail notification" and then "Proceed" and you will be sent an email once I have posted a response.

7. If you do not reply to your topic after 3 days I will bump the post. After 5 days of no reply we will assume it has been abandoned and I will close it.

8. When your computer is clean I will alert you of such.
I will also provide for you detailed information about how you can prevent and combat future infections.



#6 King_Yoshi
  • Malware Study Hall Senior
  • 1,361 posts

Posted 22 December 2017 - 12:01 PM

Let's get some fresh FRST logs.

Since it has been a few days since you last scanned your computer with FRST, would you be so kind as to re-run FRST and put the logs into your next post?
(Kindly do not put them on Pastebin but instead copy and paste them directly into your reply.)

 

Thank you.

 



#7 Resonce
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 24 December 2017 - 09:59 AM

Can I ask for some time for the new logs? I've been busy building up a new defense setup since Thursday. Give me three days; I should be done by then to post new logs in order to confirm that I'm already safe, since this bloody thing comes back after every reformat I've done in the past.



#8 King_Yoshi
  • Malware Study Hall Senior
  • 1,361 posts

Posted 24 December 2017 - 02:03 PM

Hello Resonce,

Quote from Resonce: Can I ask for some time for the new logs? I've been busy building up a new defense setup since Thursday. Give me three days; I should be done by then to post new logs in order to confirm that I'm already safe, since this bloody thing comes back after every reformat I've done in the past.

Kindly do not make any major changes to the computer since the initial "infection".
This makes detecting and diagnosing the problems more difficult.

 

Please post the logs as soon as you can.

Just keep in mind that once I start working with you, do not take any steps on your own and follow all directions as I post them.



#9 Resonce
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 27 December 2017 - 10:15 AM

Alright, I will do just that after I have reinstalled my Windows 10.

I'm lacking time as of late, but I'll keep you posted on my status as much as I can.

Sorry for this delay.



#10 King_Yoshi
  • Malware Study Hall Senior
  • 1,361 posts

Posted 30 December 2017 - 06:16 PM

Hello Resonce,

Since you are reinstalling the operating system, there is no need to scan the system for infections.
Reinstalling the OS will remove any present infection.

Please keep the following in mind after you finish reinstalling.

 

Step 1: Keep Your Operating System and Software Up to Date

After you reinstall be sure to download the newest updates for both the Operating system and any applications you are reinstalling.
This way you stop known exploits, reducing the chances of reinfection.

Microsoft has a great Frequently Asked Questions page, regarding this topic.

Step 2: Judging by your last few posts I believe you already know this, but... Use Antivirus Software

 

Antivirus (or anti-virus) software is used to safeguard a computer from malware, including viruses, computer worms, and Trojan horses. Antivirus software may also remove or prevent spyware and adware, along with other forms of malicious programs.

 

Additionally do not install multiple anti-virus programs, only use one.
It may seem counterintuitive, but by installing multiple they may interfere with one another causing problems.

Here are two good articles on this topic:
Emsisoft: Why it isn’t a good idea to run multiple full antivirus products at the same time
Kaspersky: Why Using Multiple Antivirus Programs is a Bad Idea

Additionally, don't get an anti-virus confused with an anti-malware. You can have both installed simultaneously.
Malwarebytes has a good article explaining this.

 

What’s the difference between antivirus and anti-malware?

Just remember, Antivirus software is not 100% foolproof.

 

Step 3: And most importantly... Think Before You Click!
A.) Avoid websites that provide pirated material.
B.) Do not open an email attachment or click on a link, from somebody or a company that you do not know.
C.) Always hover over a link (especially one with a URL shortener) before you click to see where the link is really taking you. If you have to download a file from the Internet, scan it before you run it.



#11 King_Yoshi
  • Malware Study Hall Senior
  • 1,361 posts

Posted 03 January 2018 - 11:17 AM

Hello Resonce,

Are you still with us?
It has been 3 days since I last posted, and I have not had a response from you.
Kindly respond to this topic in two days.
Otherwise I will have to consider it abandoned, at which point it will be locked.



#12 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,428 posts
  • Gender:Female
  • Location:Romania

Posted 07 January 2018 - 02:44 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise
