With all the talk in the press about Stuxnet doing the rounds I got a timely reminder last month that good ol’ fashioned nasty rootkit viruses are still around.

UPDATE: 19/10/10 Massive spike in Java attacks according to Microsoft.

It took me over three days but I got rid of ‘Backdoor.Tidserv’ from a Dell Latitude laptop that had been plaguing my XP system for weeks. Symptoms included slow system, churning disk, redirected search results and random ad sites popping up all over my browsing sessions and perhaps most importantly, it prevented my Microsoft update process from running. Indeed, even pointing a browser at windowsupdate.com would result in a message saying server not found . . . To quote Muldoon from Jurassic Park just prior to getting eaten by a Raptor: “Clever girl!”

But the reason I decided to write about this is that if you’ve read up on Stux you’ll know that it only infects a very specific type of target and hey, this might just be the future of viruses so as long as I don’t be writin’ or running no command-control systems for Siemens equipment then I’ve nothing to worry about. Not so. Backdoor.Tidserv is plain nasty and when you spend a lot of time cleaning up your system you are usually left wondering just how and where you got infected. This time it was different ‘cos for once I know exactly how and when it happened.

It was what is called a drive-by download. I was perusing through some Google search results (I think it was Iron Maiden videos) and was on about page #3 or maybe #4 — and here Dear Reader is where the alarm bells shoulda been clanging. I mean, lets face it, who ever goes past page #1 of the Google search results? Never has the law of diminishing returns been so ably demonstrated as by Google’s nether regions . . . once you’re past page #3 you know you’re clicking through sheer idleness and after page #4 you are well and truly into the internet equivalent of ‘Here Be Monsters’. Anyway, like a fool I clicked a link and hit the site.

I knew it was garbage instantly. Popups everywhere, content totally unrelated to what I was after and more naked lassies than Cap d’Ail in August. I hit the back button toot sweet. Alas — I was too late. Dunno how late I was, I would be interested to know if anything could’ve stopped this once I was on the page but as I hit the back button, out of the corner of my eye, down at the bottom left of my XP’s screen I saw something I hadn’t seen since forever:

[Image: Sun Microsystems Java logo]

Yes, good old Sun Microsystem’s (now part of Oracle) Java logo.

Back in the days when coding was my business I had the JDK/JRE installed on my system. When I moved out of IT I kept the laptop and everything that was on it — more fool me because this version of the JDK from around mid-2005 was seriously out of date and had vulnerabilities galore.

Well done to the Ukrainian script kiddie who coded Tidserv — you got me. Naturally I have now updated the JRE but first I had to go through a torturous process of booting up into safe mode and running every kind of malware program there is. Of course I have an anti-virus product — Symantec AV Corp edition — but it found nothing at all, which is a testament to this virus’s stealth capability. Eventually a product called ComboFix found that my pciide.sys file was infected and cleaned it. Interestingly ComboFix (freeware) moved the infected file into a quarantine directory whereupon my Symantec (paid-for product) software immediately detected it . . . this raised a wry smile.

Anyway, the lesson here is stay up-to-date with software and if you do get infected stop using the infected PC immediately for any sites which require authentication like your bank or online shopping . . . the thing harvests passwords and IDs.
