Tuesday, June 22, 2010

Infected

I am pretty rigorous when it comes to safe computing as I travel the internet. I keep special-purpose sandboxes in which I can safely visit unfamiliar web sites and inspect downloaded files. Never do I click on strange links, even going so far as to ensure that a link really points to where it says it points, avoiding URL shorteners and using a JavaScript-disabled browser for peculiar links that I absolutely need to open. Downloads and attachments are at first handled like toxic waste until their contents can be reasonably assured to be exploit-free. Where possible I also avoid software that is most frequently targeted by hackers and malware.

Imagine my surprise when, recently, several bits of malware, including a backdoor/trojan, infected one of my Windows machines. It was entirely my own fault since, in a rush to get a job done, I opened an unfamiliar site without taking any precautions.

I knew immediately that something had gone terribly wrong, although I wasn't quite certain what had actually occurred. It involved Adobe software, and I had gotten complacent about compatibility errors because I was not current with the latest version of Acrobat Reader. It was about an hour later that I knew what had happened and that my day was about to be ruined. Afterward, when I reverse engineered the sequence of events that led to the infection, I was able to discern just how the exploit worked. It's interesting in a way, so let me take you on a brief tour of the steps.
  1. The server with the news story I wanted to read had been compromised to serve files that contained the malware.
  2. The infected file was given a .pdf extension so that it called up the Acrobat Reader browser plug-in to process it.
  3. The old version of Acrobat Reader has a security hole that allows remote execution of unvetted code.
  4. Several pieces of malware were installed using this security hole, including at least one that was subsequently downloaded from a server hosting malware.
  5. The malware started running and phoning home, doing who knows what. I stopped this immediately by stopping the processes and disconnecting from the internet. Unfortunately, the malware kept starting up again. This is pretty typical.
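Step 2 is where a check before the file ever reaches the reader plug-in would have helped. As an added example (not tooling from this post), the following Python script does the cheap static triage a sandbox should run on any downloaded .pdf: it confirms the file really is a PDF, counts the name objects that turn a document into a program (/JavaScript, /JS, /Launch, and the auto-trigger dictionaries /OpenAction and /AA), and undoes the #xx name escaping that exploit kits use to hide those keywords. The two sample files are constructed inline; the keyword list follows the well-known pdfid approach.

```python
"""
Static pre-open triage of a PDF: header check, suspicious-name counts,
and detection of #xx-escaped names. Added example, not the post's own code.
"""
import re
from collections import Counter

# Name objects worth a look in a file served by an untrusted site.
SUSPICIOUS = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/ObjStm"}
AUTO_TRIGGER = {"/OpenAction", "/AA"}          # run something when the file opens
PAYLOAD = {"/JavaScript", "/JS", "/Launch", "/RichMedia"}   # the something

_NAME = re.compile(rb"/[A-Za-z0-9#._-]+")      # one PDF name token, e.g. /OpenAction
_HEXESC = re.compile(rb"#([0-9A-Fa-f]{2})")    # #xx escape inside a name


def _unescape(raw: bytes) -> str:
    """/J#61vaScript is a legal spelling of /JavaScript; normalise it."""
    return _HEXESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Return a dict with header check, keyword counts, escape count and a verdict."""
    # Readers accept the header anywhere in the first 1024 bytes, so look there.
    is_pdf = b"%PDF-" in data[:1024]
    counts = Counter()
    escaped = 0
    for m in _NAME.finditer(data):
        raw = m.group(0)
        if b"#" in raw:
            escaped += 1              # legitimate files almost never escape names
        name = _unescape(raw)
        if name in SUSPICIOUS:
            counts[name] += 1
    objects = len(re.findall(rb"\d+\s+\d+\s+obj\b", data))
    if not is_pdf:
        verdict = "not-a-pdf"         # .pdf extension on something else entirely
    elif (counts.keys() & AUTO_TRIGGER and counts.keys() & PAYLOAD) or escaped:
        verdict = "suspicious"        # auto-triggered active content, or hidden names
    elif counts:
        verdict = "review"            # active content, but not wired to open automatically
    else:
        verdict = "clean"
    return {"is_pdf": is_pdf, "objects": objects, "counts": dict(counts),
            "escaped_names": escaped, "verdict": verdict}


# Constructed samples: a minimal document that runs JavaScript on open, with the
# /JavaScript name hex-escaped, and a harmless empty document.
MALICIOUS_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_pdf(sample))
```

The scan only sees names stored in the clear; anything tucked inside a FlateDecode stream or an /ObjStm object stream is invisible to it, which is why /ObjStm itself is on the list. A file that rates "suspicious" or "review" gets opened, if at all, in the throwaway sandbox, never in the browser plug-in.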
The malware was clumsily built, which made it easier to deal with using only manual techniques. First, it corrupted Acrobat Reader to the extent that it would not run at all, except to restart two malware processes. I would have expected it to not call such blatant attention to itself. Second, one bit of malware attempted to run as System but did not have a digital signature that would pass Microsoft's most basic security checks. This is really, really amateurish.

It took a bit of digging, but it was possible to find and excise most of the malware components using nothing other than file searches. Where I hit a wall was inside that pit of obscurity, the Windows registry. I knew the malware was still hiding in there, able to reactivate itself, but I could do little with the regedit tool without special knowledge. This step required one of those freeware tools for finding and surgically removing malware from the registry.
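The "special knowledge" is mostly a short list of autostart locations. As an added example (not the post's own procedure, and not the freeware tool it mentions), the following Python script works offline on a registry export rather than poking at a live hive: dump a hive with `reg export HKLM\SOFTWARE out.reg` on the infected machine, then scan the text for the autostart extensibility points malware uses to come back after its processes are killed. It flags Run/RunOnce entries that launch from user-writable directories, Winlogon Shell/Userinit values that differ from the stock ones, and Image File Execution Options "Debugger" hijacks. The sample export, the user name, and the svch0st.exe indicators are all constructed for the example.

```python
"""
Scan a .reg export for persistence in autostart locations.
Added example, not the post's own code. reg export writes UTF-16, so a real
file is read with open(path, encoding="utf-16").
"""
import re

# Autostart extensibility points (ASEPs) most often abused for persistence (lower-case).
ASEP_KEYS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows nt\currentversion\winlogon",
    r"\microsoft\windows nt\currentversion\image file execution options",
)
# Directories a user, or a drive-by exploit running as that user, can write to.
SHADY_PATH = re.compile(
    r"\\temp\\|\\appdata\\|%temp%|%appdata%|\\programdata\\|\\users\\public\\", re.I)
# Stock values of the Winlogon entries that malware likes to prepend itself to.
WINLOGON_DEFAULTS = {"userinit": r"c:\windows\system32\userinit.exe,", "shell": "explorer.exe"}


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: string}}; only REG_SZ values are kept."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current and line.endswith('"'):        # dword:/hex: values never end in a quote
            name, sep, value = line.partition("=")
            if sep and value.startswith('"'):
                name = "(Default)" if name == "@" else name.strip('"')
                # .reg escapes quotes and backslashes inside string values
                result[current][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return result


def find_persistence(text):
    """Return (key, value_name, value, reason) tuples for entries that look like persistence."""
    findings = []
    for key, values in parse_reg_export(text).items():
        lk = key.lower()
        for name, value in values.items():
            reason = None
            if lk.endswith(r"\currentversion\winlogon") and name.lower() in WINLOGON_DEFAULTS:
                if value.strip().lower() != WINLOGON_DEFAULTS[name.lower()]:
                    reason = "Winlogon %s differs from the stock value" % name
            elif "\\image file execution options\\" in lk and name.lower() == "debugger":
                reason = "IFEO Debugger hijack of " + key.rsplit("\\", 1)[-1]
            elif any(k in lk for k in ASEP_KEYS) and SHADY_PATH.search(value):
                reason = "autostart from a user-writable directory"
            if reason:
                findings.append((key, name, value, reason))
    return findings


# Constructed sample export; the AcroUpd entry and svch0st.exe are invented indicators.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"AcroUpd"="C:\\Users\\bob\\AppData\\Local\\Temp\\acrord32.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\svch0st.exe,"
"AutoRestartShell"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe]
"Debugger"="C:\\ProgramData\\svch0st.exe"
"""

if __name__ == "__main__":
    for key, name, value, reason in find_persistence(SAMPLE_REG_EXPORT):
        print("%s\n  %s = %s\n  -> %s" % (key, name, value, reason))
```

The path heuristic will also flag legitimate per-user installs that live under AppData, so each hit still needs a look at the file itself (its Authenticode signature, for a start) before the value is deleted. Note that this covers only the Run keys, Winlogon and IFEO; services, scheduled tasks and browser helper objects are further autostart points that the same parse-and-match approach extends to.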

One tool that is absolutely useless in this regard is Microsoft's own MSRT software (Malicious Software Removal Tool). Never in my experience has MSRT found malware on my computers; it can identify only a small number of malware variants, and seemingly never those that are actually circulating.

In any event, the malware tool I selected had no trouble finding and repairing every infected registry entry, and even located an infected file that my own efforts had missed. That PC once again has a clean bill of health and is humming along ever so quietly, undisturbed by uninvited software.

It just goes to show that even someone with software expertise and safe computing practices can fall victim to malware. The many benefits of the internet are not enjoyed without continued vigilance against its bad actors.
