
Ok. Hang on to your hats! This is going to sound crazy, but I have been attacked by some crazy hacker malware. I believe it started out as a file-less attack on my Windoze 10 Home partition and spread from there. The crazy thing is that it seemed to anticipate, or predict, my moves and to be always one step ahead of me. I noticed that I was infected when the system time changed, then file dates and events in the event viewer were set to future or past dates, not like yesterday or last week, but 2125 and the 1960's. I scheduled a task to open a cmd window when certain things happened and that kept getting triggered by Windows PowerShell opening and running devious scripts as background processes. NOT my scripts! Then temp files started being written and accessed by mystery processes that did not show up in the Task Manager.

So, what does all this have to do with Ubuntu, you ask? Let me tell you. Feeling like "I got this," I immediately made antivirus rescue boot USBs and Ubuntu Live USBs on what was thought to be a clean PC. I scanned with 4-5 different antivirus programs (yes, I tried ClamAV too), no help - both PCs came up clean time after time, but the malware's presence and effects were obvious. The thing that killed me is that after booting into the Live Ubuntu a couple of times, things on the "read only" USB stick were being changed. One boot would be fine, then on the next boot from that Live USB the keyboard would not send any input to the terminal on screen. I booted immediately again using a different Live USB - problem gone. I checked the suspect USB with ClamAV and it showed "OK" on all files. Then I booted from the suspect "clean" USB and it was ok again.

I am way out of my league here. This is some serious malware that seems to be file-less, and infects BIOS/UEFI, Windows, Linux, boot records, and other dark partitions and spaces of /dev/sdx's.

The Questions - I have never experienced any program that could/would attack a Linux Live boot system USB. How does this happen, and is there any way I can recover from this and make a "safe" Live USB boot device so it never happens again? Also, can I clean and use the current "suspect" live system USB to install Ubuntu on my /dev/sdx without fear that I am installing a corrupted and infected system? Unfortunately, ClamAV has been no help, and the virus blocks its updates when the system is running. One time it simply deleted the sources file and chmod'ed all the permissions in /var/lib/clamav related to the clam. Right now I have two dead, infected computers, two "suspect" infected Live USBs, and one infected Windows ISO install USB. Is there any way I can install any OS at this point, and if so, how? I have no other computers, and if I did, how do I cure BIOS, MBR/UEFI, partitions, and Live USBs as my only installation media? Can I boot with infected media and install cleanly from an online source? --help! Thanks for reading my nightmare, and thanks in advance for any suggestions or advice you may offer!

  • If what you think happened did, the only response is a full nuke of hardware. ClamAV is nice, but not anywhere near the best; need better. Would check hardware health and power surges/drops. – crip659 Feb 04 '21 at 22:29
  • Can see this link and have a friend with a clean computer make a USB, but don't touch his/her computer again once you get the USB. https://askubuntu.com/questions/855491/is-there-an-ubuntu-sanity-check-for-malware?rq=1 – crip659 Feb 04 '21 at 23:16
  • That makes sense. I'm afraid that the new USB will just get infected as soon as it is mounted. Ubuntu Live automounts on USB insertion and I think stays mounted when Live runs. Is there any way to make the new Live write-proof? Like there is no way to write to it, not one byte? I feel like I almost need the Live OS encrypted and only let files run that match a key of some sort. – Christopher Feb 05 '21 at 00:41
  • Not quite sure, the Live version is for people to try without installing the OS. As long as you do not add persistence to the USB, then anything done to it gets removed by the next booting (the idea anyway). If you have malware attacking the Live USB and still there after a reboot, then your only choice is a full nuke option to your hardware. Have a wood chipper handy? Would think a hardware/electrical defect more believable. Try a few anti-malware sticks for Win 10 first; very, very few malware will infect Windows and Linux (maybe one ransomware?), unless the NSA is after you. – crip659 Feb 05 '21 at 00:57
  • Lol. Wood chipper :) don't tempt me. You may be on to something with the NSA comment though. I don't think I am of interest to the NSA, but the way this attack moved and its sophistication makes me think that I was deliberately targeted. Every counter move I made, the malware was right on top of me blocking and disrupting my attempts to stop it. I've never seen anything like it except from the Hydra hacker group and, like you said, maybe the FBI or NSA. I have a few more forensic tactics I can try to ID the attacker, but they seem to be in my network and have a solid command and control tool. – Christopher Feb 05 '21 at 03:01
  • The router itself could be infected and passing on malware, if multiple computers are becoming infected. Just an idea; still think it is more a hardware/power defect. Power surges can do strange things to electronics. – crip659 Feb 05 '21 at 14:09
  • Is this a wind-up? – hatterman Feb 10 '21 at 20:41
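The question and the comment thread turn on one checkable point: whether the bytes on a Live USB are still exactly the bytes of the ISO it was written from. A non-persistent Live USB is normally never written after `dd`, so any change to the image area is evidence of tampering (or of a failing stick), and it can be checked from a known-good machine without booting the stick at all. The script below is an added example, not part of the original post or of Ubuntu's tooling; it verifies a downloaded ISO against the distribution's published `SHA256SUMS` file, then compares the leading bytes of the written device (or an image of it) with the ISO. The device path `/dev/sdX` and the file names in the usage line are placeholders.

```shell
#!/bin/sh
# verify_live_media.sh (added example, not from the original post)
# 1. Check that a downloaded ISO matches its entry in the published SHA256SUMS.
# 2. Check that a USB stick written with dd still matches that ISO byte for byte
#    (only the first ISO-size bytes are compared; the rest of the stick is unused).

# SHA-256 of a file, using sha256sum (coreutils) or shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_iso_checksum ISO SUMSFILE
# SHA256SUMS lines look like "<hex digest> *<file name>"; the leading '*' marks
# binary mode and is stripped before comparing names. Returns 0 on a match.
verify_iso_checksum() {
    iso="$1"
    sums="$2"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    actual=$(file_sha256 "$iso")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_usb_matches_iso ISO DEVICE
# Reads exactly as many bytes from DEVICE as the ISO contains and compares them
# with the ISO. A changed byte anywhere in the image area fails the check.
# Run it against the whole device (e.g. /dev/sdX), not a partition.
verify_usb_matches_iso() {
    iso="$1"
    dev="$2"
    size=$(wc -c < "$iso" | tr -d ' ')
    head -c "$size" "$dev" | cmp -s - "$iso"
}

# Usage: sh verify_live_media.sh ubuntu.iso SHA256SUMS /dev/sdX
# (reading a raw block device usually needs root)
if [ "$#" -eq 3 ]; then
    if verify_iso_checksum "$1" "$2"; then
        echo "ISO matches published checksum"
    else
        echo "ISO does NOT match published checksum; re-download it" >&2
        exit 1
    fi
    if verify_usb_matches_iso "$1" "$3"; then
        echo "USB image area is identical to the ISO"
    else
        echo "USB image area differs from the ISO: rewrite it from a clean machine" >&2
        exit 2
    fi
fi
```

Two caveats a practitioner should keep in mind. First, this only detects changes; it does not prevent them. Nothing in software makes a stick "write-proof" against code that is already running as root on the host, so the prevention side is a stick with a physical write-protect switch, or a DVD, written on a machine you trust. Second, the check must be run from that trusted machine: a comparison done on a suspect host, or from the suspect stick itself, is worth nothing, because the same code that could have altered the stick could also alter what the check reports.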

1 Answer


Finally had to contact and hire a security specialist to secure my network and to find and eradicate the problems. Here's what we found. The router was indeed infected and needed to be re-flashed and reset to defaults, and then with max security options set (firewall, port closures, etc.). Also, 2 of the 4 laptops had BIOS-level viruses for both Windows and Linux, 4 of 5 Androids were infected and needed factory resets, and one Android seems to be deeply infected even after multiple factory resets - it will be going the way of the garbage. One work laptop was infected and got re-flashed, wiped, and reinstalled. The coauth.exe virus was found in a place related to that laptop. So, in short, someone screwed me badly. I admit that I joked with my specialist about whether we could "hack them back" and start screwing with their hardware and software. That would be a fun time . . . "Oh no, my PowerShell script isn't working," the hacker might say.

So, for the record, here's what happened. I was infected by several trojans (one was Brave_Updater.exe, and another coauth.exe), and these delivered scripts for a file-less attack in Windows that disabled Windows Defender during a Windows 10 install and went on to use hidden runs of "PowerShell" and "Command Prompt" to spread the infection. On reboot it would write code to the BIOS that would infect the next OS or USB that loaded Windows or Linux. Finally, it would phone home frequently to get C&C instructions from the hacker. What a pain in the ass. I tend to believe in karma, and hacker, you've got a screwing coming - enjoy prison, don't drop the soap . . . on second thought, go ahead and drop it, you've earned it. Fin.