The story...

As a group of rookie security researchers who deal with malware, viruses etc., my team-mates and I sometimes make mistakes in handling the binaries. And so, I ended up infecting my own pen drive with one of the malware binaries I was dealing with: Sality.

Without realizing that my pen drive was infected, I used it in my own system. Fortunately enough, my anti-virus could catch the infection, and I thought I was safe. But this morning I saw my AV, Avast, crying loudly about Sality infections... that too, oddly enough, in my Dropbox's .dropbox.cache folder.

For those who do not know about the .dropbox.cache folder, please have a look here.

What I tried...

I have tried a lot of things to get rid of the infection or to get rid of the files themselves. First, I scanned the infected folder with my AV and got rid of the files. But they came back when Dropbox re-synced.

Next, I did a full system scan with Kaspersky's Sality killer and removed the infected files. But they were again back when Dropbox re-synced, and again my AV started crying.

Shift+DELing the files doesn't help either, since they still come back when I re-sync. I know this should not be happening as per the link I gave above, but it does happen!

An important point to note here is that our entire group uses Dropbox to share stuff amongst each other. So there is a possibility that someone else amongst us also got their system infected, and that is why cleaning my system is not helping me. But the fact that the cache folder has the infection makes me feel that the infection is from my own system (not very sure here though...)

A snapshot of Avast's logs, for your convenience: (screenshot not available)

The simple question...

What on earth should I do now?? The whole purpose of keeping all my work in Dropbox was to keep it safe from system failures etc. If that itself has caught an infection, I am doooooomed :(

p.s: I cannot possibly nuke it from orbit...else my Supervisor will nuke me!!!

pnp

1 Answer

You're not doomed, everything is gonna be okay.

  1. Pause Dropbox sync on all of the devices associated with this account.

  2. Turn off all of the devices that have Dropbox installed and associated with that account, and any other device that you know or suspect is infected.

  3. Now that you know your files are okay on Dropbox, nuke all of the systems you've just turned off.

  4. On a machine whose integrity you trust 99.9%, install an anti-virus product capable of detecting/cleaning Sality out of executable files.

  5. On that machine, install Dropbox and associate it with your account. Watch as your anti-virus detects/cleans the virus from the files.

  6. If there were no infections, you're done. If there were infections and the anti-virus wasn't able to clean them, wait until all the files are synced and then reboot in safe mode and use Win32/Sality Remover (from AVG) and SalityKiller (from Kaspersky) to do a final sweep.

A couple of notes:

  • Infected files on your Dropbox will not magically infect your new clean system unless you run them somehow.

  • If you have the option, it's better to restore all your files to a previous version using Dropbox website instead of syncing and cleaning. (it all depends on the age of your infection and whether you have Dropbox Packrat activated)

Adi
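A defender's check to go with step 5 and the asker's complaint that cleaned files keep coming back after a re-sync, added here as an example and not part of the original answer: on the trusted machine, record the SHA-256 of every executable in the synced folder once it is clean, then re-run the manifest after each sync. Sality is a file infector that rewrites PE files, so any executable whose hash changes between syncs, or that newly appears, is a candidate for having been synced back from an infected peer. The extension list, directory layout and sample files are assumptions constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Sality infects Windows PE files, so only these are baselined; the suffix
# list is an assumption for this example, extend it to match your share.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".pif", ".cpl"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each executable under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Executables that changed, appeared or vanished since the clean baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: clean baseline, then a re-sync that alters one .exe."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "pe_viewer.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "tools" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "notes.txt").write_bytes(b"not an executable, ignored by the manifest")
        baseline = build_manifest(root)
        # Simulate an infected peer's copy being synced back: the .exe grows
        # by appended bytes, the .dll stays intact, and a new .scr appears.
        with (root / "tools" / "pe_viewer.exe").open("ab") as f:
            f.write(b"\x90" * 32)
        (root / "tools" / "x.scr").write_bytes(b"MZ" + b"\x02" * 16)
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice run build_manifest against the real Dropbox folder right after the clean-machine sync finishes, save the JSON, and diff against it after every later sync; a non-empty "modified" list points at the peer whose machine still needs nuking.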