Thursday, June 20, 2013

Possible Malware Infection on Home System

So, I've a potential malware infection on a host within my home LAN.  It is a Windows 7 system.  Before anyone ridicules the choice of Windows, let it be known that it is rather easy to secure a Windows system from a lot of malware.  Really.  And in my line of work, I've seen many non-Windows systems compromised, so my view is entirely different than the typical *nix zealots out there.  If you aren't already aware, I tend to be highly objective when it comes to OS ideology.  I'm not going to be open to discuss things if the first shared thought is, "why are you using Windows?"  I'm not for the "down with the man" mentality.

Now, about this issue.  Here are the current symptoms:

McAfee AV is installed.  It was found to not be running when I first began to investigate.  I reactivated it last night, did a quick scan (no issues detected) and then did a full scan (no issues detected).

I also ran MalwareBytes.  It didn't find anything other than some cookies that it suggested to be removed (I removed them).

I also ran both AdAware and Spybot: Search and Destroy.  Both found some spyware-related things that I removed.  They didn't find anything with high severity.

I also ran the MS malicious software removal tool (it didn't detect any issues).

I did all this yesterday evening and finished around 8PM.

I also have Snort sniffing traffic on the LAN.  It is detecting some rather weird traffic.  It is seeing the Win7 system trying to communicate with a Linux host on port 137 (the Linux host is refusing the attempts).  Also, if I do a tcpdump to see any traffic coming from the Win7 machine, I see the Win7 machine connecting to each Linux server on the LAN on port 80.  What's odd about that is that it seems to have focused purely on the Linux machines, and each and every machine it connects to actually has Apache running.  I've seen no service scans (or any other scans).

This morning, I decided to check the Snort logs and saw that the activity stopped occurring after my "fix" last night, but that it started up again at 2:44AM this morning.  When I checked the Win7 host, McAfee wasn't running.  I couldn't restart it (it was unresponsive).  I did another MWB scan, which didn't detect anything.  I checked the system logs and didn't see anything other than a lot of DNS errors (that may be indicative of anti-antivirus activity).  I then went to the McAfee AV home page to get a status of my system and saw that the status was, "This device needs to be online to get the latest protection updates."  Weird, especially since I've no indication that the system isn't online.

I decided to search the McAfee pages to see what solutions they offer (free solutions).  Right off the bat, I saw that the only thing they offer is a $90 removal service...WTH.  Their product let the machine get compromised, then they want to charge an additional $90 for removal (and no other free offerings).  That seems hokey.  I never had this problem with Norton/Symantec.

At this point, I'm probably going to reinstall the system with it's factory image.  This is the first time in a very long time (I'm talking 10+ years) that I've had to reimage due to malware on a Window system.  I've other systems in the house running Windows, and some have NO 3rd-party AV (my Alienware system is running Win8 and it's using Windows Defender without issue).

I'll keep this post updated with any other information I discover over the next few days.

UPDATE - I've found some free tools --

UPDATE 2 - I've conducted some scans using the free tools and I'm still not able to find anything.  I'm wondering if the activity I've observed is actually part of their host discovery toolset...that sorta makes sense.  If only I could get some type of verification on this from a McAfee rep, or maybe find some document that describes how the host discovery system works and how it would look from a network security perspective.  But all that still wouldn't explain why the AV keeps disabling in the middle of the night...

FINAL UPDATE - Issue resolved.  After investigating further, I found that there was no infection.  Two things were occurring:  1) I've found that the AV services appear to be polling for services (network discovery - Symantec/Norton has this feature as well), 2) the self-update process had hung, which was causing the AV shutdowns.  Once I removed the existing version and got the latest, I found that there was a drastic difference between the two versions.  As well, the account portal had changed.  The fact that there was a major client upgrade may've broken communication with the account portal (that began working once I upgraded manually).  When this subscription is up, I'll either use Windows Defender or use one of my existing Symantec licenses to install that AV onto the system...not liking the McAfee AV experience.  :/