Mal-War: The Smell of VMondo

Posted by Ace on April 28th, 2009 filed in letters from Ace

“It took Louis and Chmeee pulling together to open Teela’s jaws where they were locked in Chmeee’s throat.  ‘She let her instincts fight for her,’ Chmeee gasped.  ‘Not her mind.  You were right, she fought to lose.  Kdapt help me if she had fought to win.’”

–  Larry Niven, The Ringworld Engineers

Speaking of viruses…

My primary computer got its sorry ass temporarily pwned by Virtumonde, aka Virtumondo, aka VMondo, aka Vundo, aka the Trojan-downloading, DLL-propagating, pop-up spewing, Internet search-redirecting malware from Hell.  If you’ve never heard of this beast or locked horns with it, count yourself fortunate.  If you have, my condolences.  I licked it, thanks to some timely assistance from a variety of friends, most notably Pigbristles, who blew an entire night plus riding shotgun through G-Mail chat on a laptop I had set up as an auxiliary.  But it was a haul, to be sure.  To nail it we had to (over a couple of days):

  1. Boot the system into Safe Mode, and sweep with Spybot Search and Destroy for an initial identification of infected files.
  2. Have SpyBot S&D fix the files it could.
  3. Open up the registry manually with regedit, drill down and delete the .dll files that Spybot couldn’t.
  4. Search the C:\WINDOWS\SYSTEM32 folder via the Command Prompt with wildcard strings, to identify hidden instances of infected .dlls, such as .dll_old.
  5. Boot to System Recovery mode off the original Windows XP installation CD to delete those instances.
  6. Reopen the registry with regedit and delete commands to run infected .dlls at boot that had been inserted by the virus into the Run folders.
  7. Virus check the whole system with AVG 8.0 Free, and have it expunge what it found (infected Temporary Internet Files and System Restore checkpoints).
  8. Use the SysInternals Process Explorer to check the various running processes and make sure than none of them were infection-related.
  9. Scan the system with Trend Micro’s Hijack This to pick up all the leftover fragments and orphaned pieces and sweep them into the dustbin.

We did not have to use combofix.exe, which is widely discussed in the various forums associated with Virtumonde infections as one of the biggest guns in the anti-Vundo arsenal.  But then, we also apparently got off easy:  the particular strain of VM we were dealing with did not prevent me from booting my system into Safe Mode, or prevent me from using regedit, or hide in the rootkits, all of which other strains of VM have been known to do.  (There was some circumstantial evidence that it was jacking the Windows Task Manager to hide its tracks, but we couldn’t confirm that.  We also never got to see any instances of it diverting my Google searches for info on how to kill it, which it has also been known to do, as all of my research was conducted on other, non-infected computers.)

If you want to know where the infection came from, our best guess is that it came from my visiting a hijacked or hacked forum on the Internet;  there was only one instance of Temporary Internet File infection, and it was a .php file modded to serve as a Trojan horse downloader.   If you want to know how it managed to get past my system’s defenses in the first place, well that’s easy:  I let it.  When the problems began, AVG was the first program to ping;  it IDed the file in play as infected.  I told it to heal the file and continued working.  Only a few seconds later, Spybot pinged, telling me that something was trying to change the registry.  Since I had just told AVG to heal the infected file, I idiotically assumed that it was AVG trying to make the change and OKed it.  I now know that it wasn’t AVG;  it was the malware, starting the assault.  Live and learn…

I do not endorse the creation of viruses and malware or their distribution in any way (go use all that energy to cure cancer or something, instead of being Shiva the Destructor!)  That having been said though, I have to concede that the damn thing has a certain perverse beauty to it.  It’s very good at what it does, in some very clever ways, the same sorts of ways that I might come up with were I to decide that bending other people’s computers to my whim was a profitable enterprise.  And the fight to get rid of it was intellectually involving:  an earnest detective game with very pragmatic stakes, where I never felt so far ahead that I could rest on my laurels, nor so far behind that it wasn’t possible for me to catch up and win.  There was very much a sense of learning the foe as we went along-  starting to understand what it did and how, beginning to recognize its conventions (the sub-title of this entry was typed by me during the chat, in reference to the fact that Virtumonde names all of its created .dlls with 8-character randomized strings:  junomode.dll, vitukanj.dll, etc.)  It was satisfying to win, and to learn something that might be of use in the future.

Given the choice, though, of course, I’d prefer not to have to.

My fervent (if belated) thanks to Allgood, Church99, Opsimath and Orchidwile, all of whom took time out of their schedules to offer the aforementioned assistance.


3 Responses to “Mal-War: The Smell of VMondo”

  1. Yoko Says:

    Egads.

    I’m liking your ever-changing subtitle, by the way.

  2. Ace Says:

    Cool. (I assume you mean the one on the site banner and not the subtitles under each entry.)

  3. Church Says:

    Well fought!

    Not sure that I helped much at all!
    (especially as compared with our brave companion PB!)

    Glad that you are back with us amonst the land of the digital.