The Lair

Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup

injected with a poison

Much to my shock and horror, I got infected with a virus (more properly, a trojan) last week. Before you ask: no, I was being lame and didn’t have my antivirus enabled at the time. I deserved the punishment I had to endure. In my defence, this sort of thing doesn’t happen very often to me… I usually know better than to click dodgy attachments and so on. In fact, I never click on attachments from chain mail and rarely click on attachments otherwise unless I know I’m due to get one (from the author). Yes, I was running Windows on my notebook at the time. Now that I’ve established my credentials (bwahahaha) and told everyone (unconvincingly) about how rare this occurrence really is - let me break out the sackcloth and ashes etc. Ok, I’m done repenting, let’s move on.

It’s been a while since I dug into the dark and seedy alleyways of viruses and spyware. For the past few years, my interest in such malware has been merely from an end-user’s point of view - figuring out how to fight off Sasser, CodeRed and other beasties. However, in my misspent and misguided youth, I did tinker around with viruses and other nasties out of curiosity (and admittedly, a misplaced sense that this was “omg-so-much-cooler-than-skool”. It really wasn’t, but that’s another story). Back in the times when I had enough motivation to actually write a “virus”, the in-thing was the macro virus - written in a dodgy little language called VBA. VBA, of course, was the standard macro language for MS Office (most notably Word). Not that I really wanted to write viruses anyway; my motivations for getting into the “scene” (as it were) were entirely different. I grew up reading underground texts on clever little pieces of code written in assembly or C, I knew most of the DOS interrupt tables by heart, and other system programming tricks described by people with cool sounding monikers had inspired me to become better at this whole programming thing. In that sense, virus writers back in the day were decent (or even good) programmers. A virus (written specifically for a platform) was incredibly compact, incredibly functional (they could hook themselves into memory, spread themselves by appending themselves onto executable files, deliver a payload of varying degrees of nastiness, all in a few kilobytes at most) and was (sometimes) remarkably well written. That’s what I wanted to do. Unfortunately, I joined the “scene” at a time when more and more kids like myself were being drawn away from the rather arcane arts of good systems programming (assembly and C weren’t exactly the easiest languages to get into) and into the far easier, higher level languages like VBA.

So, that long and rambling digression into my life history merely serves to put one thing in context. I have at least a rough idea about what viruses can do. I don’t get infected too often (mostly because I’m paranoid) but I deal in enough dodgy keygens, cracks and other pieces of the underworld to make the occasional infection almost inevitable. So when I downloaded this particular executable, suffice to say that I was expecting something entirely different. Clicked on it. Immediately, I noticed that my hard disk started churning. Gah. Before I could react and kill the keygen-which-wasn’t, I got something which looked suspiciously like a Windows system tray notification. “Your machine has been infected with spyware! Please click to fix”. Um. Ok. I have to admit, they got most of the details on the balloon tooltip right. The next thing that happened is that my (obscure but very very configurable) firewall started to go nuts. Why does a process named rpcc.exe want to connect to port 25 of some address in the US? At this point, it might also be worth noting that my firewall does not whitelist anything by default. Whenever I need to access the web, I read and manually approve every single connection attempt. Yes, really. People have noticed and been amused by this habit of mine before; but it probably saved me from a lot of grief on this occasion. When the trojan activated and tried to download more nasties onto my machine, my firewall blocked it. W00t.

Ok, so I think (but can never be quite sure) that I have this thing contained. Now to find out what’s causing that balloon tooltip (and the periodic requests to port 25 of a remote machine). Look at task manager and there is nothing unusual. Alarming and rather scary. I know most of the services which should be running on the machine and there is nothing unusual in the names that I saw. Ok. If I can’t see it in the task manager, I cannot kill it. I have a problem. So, I open up Windows Explorer (working with the standard tools available in Windows, for now) and try to look for this rpcc.exe which is supposedly making all the remote requests. Guess what? Windows Explorer does not see this file either. Ouchie.

Panic? Almost. But I checked for the existence of the offending rpcc.exe from the command line first. And guess what? It was there. Ok, so this nasty little bug had hooked into Explorer and somehow masked the file from view. Hrrm. Ok, so punch in “del rpcc.exe”? Not so fast. The file is still in use (because it’s loaded into memory). So no delete allowed. Gah.

Over to Sysinternals. Fire up their Process Explorer and rpcc.exe is visible. Kill. Next, fire up Autoruns, do away with the Explorer hook and a few other nasties which were set to start the next time Windows was launched. Go around deleting rpcc.exe and stonedrv.exe from the Windows system32 directory. rpcc.exe was no longer in memory, so it could be deleted from a DOS prompt. Use my copy of Bart’s PE to reboot into a safe environment and launch an antivirus scan. Sorted.

The thing that was most curious about the entire episode was how rpcc.exe managed to stay invisible from the Task Manager. A couple of options are discussed here - setting the application title to an empty string is particularly evil. A bit more digging around and I discovered another possibility: the scary feature in NTFS known as ADS (Alternate Data Streams). The most informative page on ADS I found is here. Maybe that wasn’t the technique used at all, but ADS sounds extremely interesting for any number of reasons.
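As an added example (not part of the original post, and not one of the Sysinternals tools mentioned above), here is a PowerShell script that walks a directory and reports every NTFS alternate data stream attached to a file, since a plain `dir` or Explorer listing only ever shows the default stream. The default path, the minimum-size filter and treating `Zone.Identifier` as the usual benign stream are my assumptions; it needs PowerShell 3.0 or later for `Get-Item -Stream`.

```powershell
# Added example: enumerate NTFS alternate data streams (ADS) under a directory.
# Every file has a default unnamed stream (reported as ':$DATA'); anything else
# is data that neither Explorer nor a plain 'dir' will show you.
param(
    [string]$Path = "$env:SystemRoot\System32",  # assumed default; point it anywhere
    [int]$MinBytes = 0                            # ignore tiny streams if you want less noise
)

function Get-AlternateStreams {
    param([string]$Root, [int]$MinBytes)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # '-Stream *' returns one object per stream, including the default one
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes } |
        Select-Object FileName, Stream, Length
}

$streams = @(Get-AlternateStreams -Root $Path -MinBytes $MinBytes)
if ($streams.Count -eq 0) {
    Write-Output "No alternate data streams found under $Path"
} else {
    foreach ($s in $streams) {
        # Zone.Identifier is the browser 'downloaded from the Internet' marker and is
        # expected on downloaded files; anything else deserves a manual look.
        $tag = if ($s.Stream -eq 'Zone.Identifier') { 'expected' } else { 'REVIEW' }
        '{0,-8} {1}:{2} ({3} bytes)' -f $tag, $s.FileName, $s.Stream, $s.Length
    }
}
```

On a clean system the only hits are usually `Zone.Identifier` markers on downloaded files; an executable carrying a large named stream in system32 is the kind of thing worth opening in a hex editor before deciding it is harmless.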

Yeah, and I “punished” myself by forcing a reinstall of Windows on the notebook. Once any sort of trojan has gotten into the works; that’s always the safest option. That’ll teach me to let my antivirus shields down.

“injected with a poison” has 2 comments

  1. rastiadu karaya wrote:

    I for one am shocked. But not appalled. Ah, it happens to the best of us mate.

  2. drac wrote:

    well, in the best tradition of making crapade from poo (hmm, did I get that quote right?) I did learn about the intriguing ADS so it’s not all bad.

    Frickin’ trojans. Thanks for the support though :)
