SwiftlyTilting: usability, reusability

Friday, June 30, 2006

I got owned by BraveSentry

I wrote this up a few months ago when my machine was infected with BraveSentry. Since then I’ve been able to get my machine back to normal without having to reinstall Windows, but it did require me to reinstall SP2 to get my network settings completely back to normal and restore NAT. I intended to document everything needed to restore my machine but unfortunately I didn’t write everything down, so I present this incomplete post as-is in case it is useful to someone. :)

Last night while I was out of the house, my server machine was infected with BraveSentry and a host of trojans. I returned home and noticed my internet was down, so I checked the server. It was sending out hundreds of spam emails, saturating the connection to the point that nothing else could be used.

Since the machine was practically unusable, I rebooted. On loading, my background had gone black and a malware warning appeared in the lower right. A program I had never heard of, let alone installed, BraveSentry, was scanning my computer, telling me I had tons of viruses and I needed to buy the product to get rid of them. Yeah right.

Immediately I open the taskbar to kill BraveSentry and check to see if any other programs are running. “The Task Manager has been disabled by your administrator.” WTF. I go online to try to look up help on how to clean my computer, and as soon as I log on my computer becomes a zombie spammer again. Reboot.

I was eventually able to clean out my system by checking all of the various places used to start programs on loading, such as HKCU\System\Software\Microsoft\Windows\CurrentVersion\Run and all similar paths. There was also malware in my system.ini file.

One piece of malware actually seemed to add itself back the instant I removed it. For that one I ended up removing it and then quickly turning off the computer. Probably not the best idea in the world, but it worked.

Once I deleted all the malware, somehow my internet connection was also removed. I set up a new connection and went online. My first stop was one of those online virus scan sites. But every time I tried to go to one, I was redirected to my local server’s 404 page, meaning the sites had been redirected through my hosts file. Checking the hosts file, it had been completely replaced with a new file. All anti-virus sites were blocked, and certain bank sites were redirected.

Editing the hosts file, I was finally able to run a virus scan, where a number of trojans and other malware were found. I also ran an extensive scan from ewido in safe mode, finding even more problems.
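The hosts-file hijack described above (security-vendor sites pointed at a local address, bank sites redirected) is something that can be checked mechanically before trusting a browser to reach a scanner. The following is an added example, not code from the original post: a small Python audit that parses a hosts file and flags three things, hostnames on a defender-chosen watchlist (security vendors, banks; the domains here are constructed placeholders), external hostnames pinned to loopback (blocked), and many unrelated hostnames clustered on one non-loopback address (a redirect to a local server). The sample hosts file is constructed for the demonstration.

```python
"""Audit a Windows hosts file for entries that block or redirect external sites.

Added example, not from the original post. WATCHLIST and SAMPLE_HOSTS are
constructed placeholders, not real vendor or bank domains.
"""
import ipaddress
from collections import defaultdict

# Domains a defender expects never to appear in a hosts file (constructed placeholders).
WATCHLIST = ("avvendor.example", "onlinescan.example", "mybank.example")

# Names that legitimately map to loopback and should not be flagged.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) tuples; comments and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; ignore the line
        for name in parts[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def on_watchlist(name):
    """True if name is a watchlist domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text, sinkhole_threshold=3):
    """Return findings as (kind, line_no, hostname(s), ip) tuples.

    kind is one of:
      watchlist        - a watched domain appears at all (any mapping is suspicious)
      blocked          - an external hostname is pinned to loopback/unspecified
      redirect-cluster - >= sinkhole_threshold external names share one non-loopback address
    """
    findings = []
    by_ip = defaultdict(list)
    for ip, name, line_no in parse_hosts(text):
        by_ip[ip].append(name)
        is_external = name not in LOOPBACK_NAMES and "." in name
        if on_watchlist(name):
            findings.append(("watchlist", line_no, name, ip))
        elif is_external:
            ipobj = ipaddress.ip_address(ip)
            if ipobj.is_loopback or ipobj.is_unspecified:
                findings.append(("blocked", line_no, name, ip))
    # Many distinct external names on a single non-loopback address looks like a redirect
    # to a local web server, as in the 404-page symptom above.
    for ip, names in by_ip.items():
        if ipaddress.ip_address(ip).is_loopback:
            continue
        external = sorted({n for n in names if n not in LOOPBACK_NAMES and "." in n})
        if len(external) >= sinkhole_threshold:
            findings.append(("redirect-cluster", 0, ",".join(external), ip))
    return findings


# Constructed sample hosts file, not a captured one.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avvendor.example
127.0.0.1       update.avvendor.example
192.168.1.10    www.mybank.example
192.168.1.10    secure.mybank.example
192.168.1.10    scan.onlinescan.example
192.168.1.10    dev.intranet.example
"""

if __name__ == "__main__":
    for kind, line_no, host, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:16} line {line_no:>3}  {host} -> {ip}")
```

On a live Windows machine the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; the watchlist and the cluster threshold are the knobs to tune, since a developer box may legitimately pin a few internal names to one address.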

Intellectual Plunger

OK, well, it was actually “intellectually plunger”, but hey, you can’t ask for perfection from spam bots and their random subject line generators all the time ;)

Tuesday, June 27, 2006

My Darpa Protozoa

A few months ago, I started receiving a good deal of spam with randomly generated subject lines. Most of them aren’t really all that interesting and just sound like random words strung together. But sometimes I do get a bit of spam with a funny or interesting title. Today I received a bit of mail with the headline: Slushy Siphon. Sounds like a good band name or something.

I recall the first randomly generated spam title that really stuck in my mind: “My Darpa Protozoa”. Darpa is of course the Defense Advanced Research Projects Agency, and it is within this agency that the Internet, originally called DarpaNet, was born. A protozoa is of course a basic form of life. I imagine that the spam was generated via an Internet virus that has commandeered a machine and turned it into a zombie spammer. In other words, it has been infected with a Darpa Protozoa :D Perhaps the email was a cry for help.
