As the title says, I've discovered that my PC has been exploited through the VM technique, or the so-called Blue Pill, if I am right about that. Thankfully, however, the attack was totally dependent on virtualization, so disabling it on the motherboard also mitigates the VM attack, which allowed me to get into my real system. I can no longer remember if it was me who stupidly turned that feature on, or whether it was enabled through an attack exploiting a faulty Intel vulnerability that was discovered just recently (my processor happens to be affected by that); sadly, there are still no updates released for my mobo to have the vulnerability fixed.
Regardless, that won't stop me from wanting to know the nature of this attack with great curiosity and thirst for knowledge. With that said, time for me to discuss my discovery.
As you can see here, I have a bunch of services with unknown sources, and a lot of them impersonate legitimate Windows services of the same name but without the hex code.
I've tried tinkering with these services through the registry, and apparently what's inside my PC is capable of reproducing them. Even if I delete just enough registry entries to prevent the service from functioning, the virus is capable of detecting the status of the service and creating a new registry entry for it if need be. Deleting them is no good so long as the root source exists.
Above is everything inside the registry entry of one of the services; I noticed that it deliberately copies the description of its legitimate counterpart. Now have a look at the properties of these services: they're all exactly the same and only vary in startup type; not all are on Automatic.
Runs on a blank user/account, recovery settings set to persistent service restart, no dependencies, installs back like magic...
In the meantime I have kept it disconnected from the internet in order to prevent the possibility of this infection getting worse, as I believe my attacker is now alerted due to me breaking out of the virtual environment.
I have attached FRST logs. I gave them a check and, surprisingly, the suspicious services don't get listed if the whitelist is active for them.
Very sneaky and subtle.
Because of that, I've made another FRST log that has the services whitelist disabled.
I can do more FRST scans and provide files for analysis if need be but not for long...
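The symptoms described in the post (services that reuse the display name or description of a legitimate service, run under a blank account, and are configured to restart on failure) can be triaged without touching the registry by hand. The following PowerShell script is an added example, not part of the original post and not from FRST; it assumes a Windows host where the analyst can query the Service Control Manager, and it only reads and reports, never deletes. The helper name `Get-ImagePath` and the indicator columns are this example's own choices.

```powershell
# Added triage script (not from the original post). Assumes Windows PowerShell 5.1+
# and rights to query the Service Control Manager. It reads, it does not modify.
# Indicators reported, matching the post's observations:
#  - two services sharing a DisplayName or a Description (look-alike services)
#  - image binary outside %SystemRoot% or without a valid Authenticode signature
#  - recovery actions that restart the service on failure
#  - the account the service runs as (LocalSystem is normal for many services,
#    but compare the whole row against a known-good machine of the same build)

function Get-ImagePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments
    # (e.g. C:\Windows\system32\svchost.exe -k netsvcs); keep only the executable.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

$services = Get-CimInstance -ClassName Win32_Service

# Group on DisplayName and on Description to find services impersonating another one.
$dupDisplay = $services | Group-Object DisplayName | Where-Object { $_.Count -gt 1 }
$dupDesc    = $services | Where-Object { $_.Description } |
              Group-Object Description | Where-Object { $_.Count -gt 1 }

$report = foreach ($svc in $services) {
    $exe = Get-ImagePath $svc.PathName
    $sig = 'n/a'
    $inSystemRoot = $false
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
        $inSystemRoot = $exe.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    }
    # sc.exe qfailure prints the configured recovery actions (e.g. "RESTART -- Delay = ...").
    $failure = (& sc.exe qfailure $svc.Name 2>$null) -join ' '

    [pscustomobject]@{
        Name              = $svc.Name
        DisplayName       = $svc.DisplayName
        StartMode         = $svc.StartMode
        RunAs             = $svc.StartName
        ImagePath         = $exe
        Signature         = $sig
        OutsideSystemRoot = -not $inSystemRoot
        RestartsOnFailure = [bool]($failure -match 'RESTART')
        DuplicateDisplay  = [bool]($dupDisplay.Name -contains $svc.DisplayName)
        DuplicateDesc     = [bool]($svc.Description -and ($dupDesc.Name -contains $svc.Description))
    }
}

# Show only rows with at least one indicator; a duplicate name or description is the
# strongest signal here, so sort those to the top.
$report | Where-Object {
    $_.DuplicateDisplay -or $_.DuplicateDesc -or $_.OutsideSystemRoot -or $_.Signature -ne 'Valid'
} | Sort-Object DuplicateDisplay, DuplicateDesc -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the affected machine and once on a clean machine of the same Windows build; a service that appears in the first report but has no counterpart in the second, or that shares its display name or description with another service, is the one to pull out of the FRST log for closer inspection. Because the post notes that deleting registry keys is undone by whatever recreates the services, this script deliberately makes no changes: identifying the parent process and image behind the recreated services is the next step, not deleting keys again.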