When it comes to viruses and malware in general, not much surprises me anymore. That should put things in perspective when I say that what I saw recently impressed me. A lot.
A client contacted me because a computer had gone through a virus infection and, AFTER it was seemingly removed, the computer was very slow. I looked into it, and looked into it. There was something off, but all my usual scanners were not detecting anything major. And THEN, almost by accident, a major outness came into view.
Several programs, legit programs, were behaving oddly. Very oddly. When I finally got to the bottom of it, my jaw dropped. Somebody had subverted the computer and turned it into a “bot”, meaning it was being used by other people, a lot of people, without the consent of the owner. That in itself was not surprising – it happens every day.
But what was surprising was the method used to infect the computer and carry out its subversion. It was so covert, so devilishly brilliant, that it fooled all the current scanners I threw at it. And it almost escaped me even while I was using advanced manual detection tools. Almost, fortunately, but that was a first. Never seen anything like it, ever.
It was so bad that it was one of the few occasions where I recommended re-installing the computer’s operating system from scratch. It was the only way to make absolutely sure no part of the infection remained.
I created a copy of the original hard drive to play with the infection afterwards in a controlled environment, and learn from it.
As part of the handling I put in place a better security system based on my model, and hopefully that will close the door to the possibility of it ever happening again.