Original Post for context: https://programming.dev/post/45440011
I want to start off by saying I make a lot of assumptions here. I know virtually nothing about cybersecurity, less about viruses and I just threw names of viruses that popped on ClamAV into a search engine and fell down a rabbit hole. So, take absolutely everything with like six teaspoons of salt. I got into linux and FOSS stuff about 2 years ago and spent the first year mainly breaking and reinstalling Mint and Ubuntu and learning about all the different ways Apple does not want you to use linux on old hardware. Make of this what you will.
Okay, update. I got busy yesterday and today, first thing I did was pull the syslogs from the 28th to the 4th of February. As you can imagine, this was a metric shit tonne of information, like over 250,000 entries. After some specific grepping, I managed to get down to some usable data.
Fig.1 https://ibb.co/nq0gVVGt
There’s this repeated pattern of:
Jan 13 07:59:50 xerces systemd[1]: Finished schroot.service - Recover schroot sessions.
Jan 17 09:20:28 xerces systemd[1]: Starting schroot.service - Recover schroot sessions...
Jan 17 09:20:30 xerces schroot-init[1056]: * Recovering schroot sessions
Jan 17 09:20:31 xerces schroot-init[1056]: ...done.
Jan 17 09:20:31 xerces systemd[1]: Finished schroot.service - Recover schroot sessions.
Jan 18 05:40:14 xerces systemd[1]: Starting schroot.service - Recover schroot sessions...
Jan 18 05:40:17 xerces schroot-init[1066]: * Recovering schroot sessions
This corresponded with me working on my computer. This is a normal service, but I have never had to perform a secure change of root on this machine. I did just a plain change of root from a live install once, just to fix some display drivers. There’s also a huge gap around the 19th where it doesn’t start at all for several days. From the 29th of January this service would start, along with a secure change of root session, every time I opened my laptop. Which makes me think potentially some of this shit has been on my machine since early this year and maybe, since I only use WINE when I’m writing music, it just didn’t get enough uptime to run to completion. I am leaning heavily on the .DLL as being the seed for all the poison I’ve since found on this machine. I think because it installs as a .DLL it writes to the registry, and WINE is only ever in use when I’m using Ardour. I have mastering software, DAWs, other VSTs from back in the day and I like to use them still. I run 64x WINE in a Bottles container. This, plus a fantastic little program called yabridge, lets you run Windows VSTs on Linux with pretty good latency. (Read the manual; it’s not as difficult to configure. You’ll beat your head off the table trying to get it to work without it.) Anyway, that bottle needed access to the network to ping a server with my license whenever I use some of this stuff. Coupled with the fact I kept my samples in my Desktop, that’s what gave them access to the network and my filesystem. Then on the 29th you can see where they start executing an attempt to exfiltrate my data.
Fig2. https://ibb.co/ynfNtBmz
Jan 29 21:35:13 xerces systemd[1]: Finished schroot.service - Recover schroot sessions.
Feb 01 00:43:06 xerces systemd[1]: Starting privoxy.service - Privacy enhancing HTTP Proxy...
Feb 01 00:43:07 xerces systemd[1]: Started privoxy.service - Privacy enhancing HTTP Proxy.
Feb 04 20:39:01 xerces systemd[1]: Starting schroot.service - Recover schroot sessions...
Feb 04 20:39:03 xerces schroot-init[1273]: * Recovering schroot sessions
Feb 04 20:39:03 xerces schroot-init[1523]: E: 20copyfiles: realpath: /run/schroot/mount/ubuntu_i386-09dc1b7f-395b-4c0b-af5c-d071bb580c18/etc/resolv.conf: No such file or directory
Feb 04 20:39:03 xerces schroot-init[1523]: E: 20copyfiles: dirname: missing operand
Feb 04 20:39:03 xerces schroot-init[1523]: E: 20copyfiles: Try 'dirname --help' for more information.
First the program re-establishes itself as root, then it starts privoxy.service. Privoxy is the default proxy for the Tor Network. Which is why the ports read 0.0.0.0 and they were proxied to 127.0.0.0, because that’s localhost. I’m just guessing, but I’d say, because it’s Tor, we were the exit node. Ergo, any connection from it would appear as if it was local. After that you can see the 20copyfiles: realpath: /run/schroot/mount/ubuntu_i386-09dc1b7f-395b-4c0b-af5c-d071bb580c18/etc/resolv.conf. This is where they attempt to start copying from my SSD, just after schroot-init; it’s a service that was loaded at startup and this attempt fails. I think that 20copyfiles is probably a call for a script and the missing operand is like a missing flag, or an object that hasn’t been defined correctly. I am not familiar with the Windows terminal at all. I initially entertained the idea that 20copyfiles was maybe referring to a numbered directory on Windows, like the home folder could be numbered 20 or something. I also speculated maybe it’s saying to copy 20 directories deep recursively. I am of the mindset that a big part of this is crime for hire, so pre-written scripts stapled together. This first part seems to be dynamically changing.
They rooted me with 32x Linux and the housemate was connected to a windows 10 server. There’s a shit tonne of trojans in here, but everything is windows. It proliferated and a lot of files have been infected, but I don’t think they can execute much of them because of the OS mismatch. Since this was loaded by a malicious .DLL file in WINE, it would make sense for the instructions to be CMD and not executable in Linux. Smart enough to use a virtual machine to backend me with a 32x ubuntu server, but not smart enough to have:
if [ "$os" = "linux" ]; then sudo cp -r ~/home/ <destination>; fi
Again, guessing, but crime to buy shit. Probably targeting Windows because of Market Share. I just happened to have a program that can accept .DLL’s and has a registry to write to. Fuck me, right?
Fig. 3 https://ibb.co/dwT0CGCn
As you can see here the program repeatedly attempts to mount their filesystem to /run/. But they can’t get into it until they turn off Network Monitoring which is the line that reads:
“Initializing Network Drop Monitor.Service.”
So, they forced a Kernel level drop for Network Monitoring. Then we have “reached target remote-fs.target.” So, they have achieved access to my filesystem and then immediately after that, it looks to me like that’s when they got access to my network connection through systemd. They created an anacron service to redo these commands every hour. In case the connection drops, in case they get kicked from the Network. Every hour this cron job will execute to re-establish that connection to the filesystem and the Network. Again, every single person on this Network was admin, so just absolutely asking for it. You can see at the bottom there running at reboot under Cron Info.
Fig. 4 https://ibb.co/1tJQPgjM
Here you can see they umount /home/ /proc/ /sys/ /tmp/ /dev/ as they schroot into these directories. It’s interesting because they clearly have a way of matching the OS, probably a script that runs a virtual machine for them; that seems to be the most flexible part about this whole thing. So far, with the exception of being able to get access, I don’t think they’ve been able to actually do much, because it’s all pre-made for Windows. They loaded SSH keys as well and got root, but so far straight copy commands appear to have all failed. Which checks out for a mish-mash of scripts someone has cobbled together off of GitHub and a small server farm. I don’t believe for a second these people wrote these programs. This is totally like an office-sized operation. I would guess Russia, but I haven’t figured that out. I also believe, in addition to capturing data, that this is supposed to be about creating a botnet to harvest compute. Probably for a DDOS attack; I’ll get into that when I get to ClamAV, but first we have to talk about more persistence I discovered today.
Fig. 5 https://ibb.co/KzWkSsC5
So, I grepped for chroot and I found this service called avahi-chroot helper. The avahi-daemon is another user on this machine. This service has never appeared before, I could be wrong but I don’t think avahi ships with it. I killed it, disabled it and deleted it and didn’t actually look to see what it was doing which I regret now. I wonder if that service was related to dropping Network Manager to allow access to the remote filesystem. It ran at startup, it doesn’t run anywhere now.
Fig. 6 https://ibb.co/j9FT73Gy
Here in the logs you can see they didn’t just start Privoxy as a service and load a cron job to restart it. They added it to the users group and gave it permissions. Luckily, from what I can tell, I can’t see if it was able to connect from my machine. Maybe I’m wrong and I’ll uncover that they managed to connect, they certainly appeared as localhost on the ports they opened, so anything’s possible at this stage. I hope I can find the uncovered IP somewhere in the logs, but I haven’t decided how I want to search them for that yet. If anyone has any ideas, let me know.
Fig. 7 https://ibb.co/206CZ6mB
Privoxy was on here as a user. Again, they were (at least through my system) attempting to capture network traffic, input data and files on the SSD. I believe, since they had full remote access to my desktop they probably manually copied my data using the GUI. I don’t think they’d just say “the scripts didn’t execute properly we’re not having it.” So, if that’s true, anyone know if I might be able to find an IP somewhere that’ll point me to the right country? If they’re connected and they couldn’t get their proxy started, maybe they’d show up unmasked somewhere. Maybe, also in the viruses themselves once I get some of them open. Anyway, I removed privoxy as a user and I purged it from the system. This corresponds to the cron jobs which ran scripts to re-establish chroot and privoxy at boot.
Fig. 8 https://ibb.co/V05WVj1m
I used photorec to mine my data back. It’s a great bit of software that’s free. It’s a simplified file carver that parses a disk and extracts data by the segment of the disk it was written to. This is great for recovering documents, photos, files. But, pretty much useless for anything else. They did a quick wipe of all of my user data, but they didn’t overwrite anything with 0s. So, everything still exists on disk, but you can’t do much with a bunch of contextless ELF files, Java containers and .sqlite extensions. They fucked my whole audio stack, removed my MIDI configurations (really angry about that one actually). It’s not the personal info I’m sore about the most, it’s the hours of tuning. They removed the config files, the display preferences. I run old Apple hardware, like over a decade old. Which takes a lot of additional tuning to get decent performance out of it. You need extra services for the fan, need to spoof an OS from Apple in rEFInd in order to boot the iGPU. You need to tune applications like MPV and anything that requires graphics acceleration to get the hardware to work properly for video decoding and low-latency audio. They destroyed my audio stack; I lost my stored sample folders for projects I was working on. They’re just a big error now. You have to build the deprecated nVidia driver yourself against the headers and patch it in, because the kernel no longer supports it. Why did I not encrypt my drive? Bluntly, I’m an idiot. I didn’t think anyone would bother me on my home network. Back on track.
Fig. 9 https://ibb.co/jZhg4PcF
Since there’s over four and a half thousand directories of files, organised by the segment they were found on, the next thing I did was run this:
sudo find /media/nemo/c9133831-7bbb-4230-a339-8f441c9ffe50/ -type d -name "*Directories*" -print0 | while IFS= read -r -d '' dir; do find "$dir" -type f -print0 | while IFS= read -r -d '' file; do ext="${file##*.}"; if [[ "$file" == "$ext" ]]; then ext=".noext"; fi; mkdir -p "/media/nemo/c9133831-7bbb-4230-a339-8f441c9ffe50/$ext"; mv "$file" "/media/nemo/c9133831-7bbb-4230-a339-8f441c9ffe50/$ext/"; done; done
This is just telling the computer to find every single directory with "*Directories*" in its name that exists on the removable drive, sort through their contents recursively and order them by file extension. I wanted to carve out .DLLs and .exe files. In the process of doing this I found a tonne of files whose file extensions were unreadable, a lot of _DLL and _exe going on. Which forced how I decided to run ClamAV. ClamAV is a free antivirus for Linux. It is available with a GUI (I think). I’ve only ever used it from the command line and it’s great. It combs through your system by file, line by line of the hash, in order to find viruses. I got worms, trojans, downloaders, RATs, all of them. I am going to assume you know all this, but since I read the Wikipedia page for computer viruses after running a few of these names through startpage.com, please enjoy this tangent.
There are viruses which attach to a file and are executed when that program/file is executed, run, or selected. A virus inserts a malicious piece of code into a file, copies itself and spreads to other files from there. Trojans are programs that look like one thing, but are actually another: keyloggers, microphone recorders, information stealers, remote access trojans. Sometimes they send out calls to download more viruses. Worms are self-replicating; they copy themselves without needing a host file. I’m beginning to warm to the hypothesis that the worms are the delivery method for the trojans.
Fig. 10 https://ibb.co/21VZKJgG
After I sorted through all the "Directories" directories, I just opened a terminal in the folder of the external drive and did:
sudo rm -d *Directories*
from the directory they were in on the drive.
This just deletes everything containing the term "Directories"; the '*' on either side just means anything that may come before or after. So, as long as they have "Directories" in their name, they’re gone.
Fig. 11 https://ibb.co/MDKtYxMb
This is ClamAV currently scanning and quarantining all files contained on the external drive to a folder contained on that drive as well. My plan is to boot into Tails OS from a live install USB and open them up with a text editor, image viewer and less to find out what they actually do and where they’re set to connect to. If any of you have any software recommendations to view these guys, let me know; I’m just fumbling through this blind. I did this using the command below, which just tells clamscan to search recursively, flag infected files and move them to the quarantine folder I created. You have to create the directory beforehand; ClamAV can’t make the directory in the path.
clamscan -r --infected --move="/media/nemo/c9133831-7bbb-4230-a339-8f441c9ffe50/scan results" /media/nemo/c9133831-7bbb-4230-a339-8f441c9ffe50/
Fig. 12 https://ibb.co/JwSzQJXF
These are files that ClamAV flagged as infected, and they are infected. From what you can see in the screen grab of ClamAV my external storage is RIDDLED with trojans, all based on Windows. There’s (what I’m assuming are) keyloggers like Word.Digger-1. There’s remote access trojans. Take a look at this guy.
Fig. 13 https://ibb.co/GQcwSN31
Mydoom was everywhere in the early 2000s. One of the original famous botnets. It’s a worm; network worms can copy through your network to other devices on it. They’ll copy themselves to torrent clients and spread that way, they’ll read your email contacts and send themselves as emails to everyone in the list. MyDoom happened in 2004. It came from Russia and it did two big things. First, it spread and propagated, creating backdoors into people’s systems that were then exploited further by later viruses that followed: MyDoom.b and DoomJuice. They embedded remote access trojans to create a botnet and DDOS the SCO Group and Microsoft. Within a week MyDoom infected more than 500,000 computers in the US. It spread itself through an email and when you clicked on the link it would install itself as a phony .DLL and write itself to the registry.
Fig. 14 https://ibb.co/fwFjRVM
Ding Ding Ding! Hmmmm, interesting. I should point out this was not the thing that popped as a remote access trojan the first time I discovered this on February 4th. That virus in the .DLL read something along the lines of WinExpiro. But, this is actually just a tonne of shit. I don’t know how many files exactly, but I had over 5.5G of infected files quarantined before I posted this. If you look at the ClamAV screen, I believe they all propagated outwards from a worm like this. I also noticed some interesting interrupts.
Fig. 15 https://ibb.co/5hVD6LCW
An interrupt request is sent to the Programmable Interrupt Card to cause a drop out in one function and be taken over by an interrupt handler (learned this yesterday). Useful for, “Hey, this has disconnected, so we’re closing the directory you’re in” or “This thing isn’t working right, so we restarted it.” All guesswork, obligatory “I am not a sysadmin”, but that might be how it brought down Network Manager with that .service. Anyway, interrupt 37 is for the xhci_hcd, my USB 3.0. I have over 1,000,000 and they climb by the thousands every second something is plugged into the USB port. That ain’t normal. I looked it up and the first suggestion was failing hardware. Well, it’s not just my 2TB SSD, it’s my 1TB HD, my 500GB, my flip phone and every flash disk 32 gigs and under that I have in the house. Or, something else. Out of everything so far, I think it’s this guy:
Fig. 16 https://ibb.co/h1ZQzFkf
I have the suspicion, once this is finally done and I load these from the quarantine folder into Tails and actually get a look at them, this guy is gonna be the one that spreads this shit from device to device. I bet you it’s gonna have a trigger, for when a new device is connected, mount it as a Windows rw filesystem and then copy yourself and propagate there. I think this because of this image.
Fig. 17 https://ibb.co/W4kVxDvB
This is a newer external drive I have, formatted for ext4, but here it’s mounted as exFAT. The scaling is still all fucked up on my machine, so you’ll have to zoom in. I 100% think that’s the cause of IRQ 37. I think a worm mounts it as exFAT, tries to copy itself and then can’t because it’s ext4, and so it disconnects and tries again. That’s what’s spiking the CPU. For anyone who remembers WannaCry: it took over the entire NHS in the UK. Then it took over the HSE in Ireland. They hadn’t had security updates in 3 years. Nobody cared, because it was a closed network with no access to the Internet from the outside. It got on a flash drive, or on someone’s phone, and they plugged it in to a computer at work. Something entirely innocuous. Took over ventilators, MRI machines, employee records, patient records. Anything that was connected became completely unusable. Then ransomed them for Bitcoin. Even if the worm can’t root onto your machine, if you’re running an old version of iOS or Android that could be a problem. They could get root access to Linux. Is Android 11 really unthinkable? I’m guessing the worm backdoors into the system and then the dynamic part of this stuff detects the operating system and launches a matching virtual machine that it then allows remote access through. It had services for networkd as well as Network Manager. So, it’s a lot of try and see what sticks. Then just load up trojans directly from your /schroot/; also loaded fake SSH keys and tunnel in that way. Nasty shit, really. There’s dozens of worms. What really tripped me out: I keep Bluetooth disabled, generally. So, if I am connecting to something for sound, it’s through HDMI, or the audio jack. I connected a little speaker to my machine, audio jack. Speaker started to die, so I plugged it into my computer and this was the sound it made.
Fig. 18 https://jumpshare.com/s/lWPFdR9Mbii26Oh6zfgk (This link will expire in 24 hours Do NOT listen to this with headphones on, you will hurt yourself.)
Below is the spectrograph of the exported .wav. You can see the point I plug this in and there’s all this noise. That’s the IRQ interrupts. I think the worm is trying to mount the speaker and copy itself to it. It’s just a power port and it’s old, micro USB, but the cable is a data and power cord. The next thing I gotta do, after everything on this drive is quarantined, is re-run ClamAV from / with my drives connected and add a flag to delete as soon as it’s found. I’m gonna have to do a few passes because I have big files here, so I upped the file size and scan size to 2GB and the max files to 30000 from 10000 and the recursive directories from 15 to 50. That is what is taking so long. The results so far though, just from the one external drive that held the data dump: there’s almost 3GB of infected files quarantined on that drive so far. Since I have removed the schroot, the backdoors meant to re-establish it, and the services that were loaded for Network Manager and networkd, I don’t think this thing can access my network, because they can’t drop the network manager. Again, just guessing.
Fig. 19 https://ibb.co/m5RkFZgj
I do Linux for fun, this is a hobby, I just really hate people fucking with my stuff. Thanks for reading, most of you guys seem all right. I’ll keep you updated as this progresses and if anyone has a recommendation for a tool to view these things, let me know.
Update: Right, I wrote this two days ago and was ready to post it. But, I got to about 5.5GB of viruses quarantined on that drive and decided that was a bit much. So, I did:
sudo rm -f /path/to/quarantine
Immediately kicked me from the drive, locked it too so only root could open it up. My guess is that that was just one avenue for locking the user out. I think because they did a secure change root, it would have locked me out completely had I not gotten all their persistence, ssh keys and gotten root back for myself. I should add, my user is still listed as owner, however the directory now says it uses advanced permissions and those are blank. Escalating to root allows me access again. I think the idea is that if this happened on my main hard drive it would lock me out of the system completely and if they were still root it would mean they could still have access to everything and buy them some time to finish copying whatever data they wanted. I think if they had control of root still I wouldn’t have been able to escalate privileges and get entry again. Also, that command removed the new password manager file I created for the first account I made here a couple days ago. Near as I can tell, it deleted everything in my recents folder. That’s why I got a new account for this followup. So, now I’m starting a full system wide pass of ClamAV again. This time using clamdscan to see if I can speed it up a little. I used:
sudo clamdscan --fdpass --infected --move=/media/nemo/3d8c1d75-73cd-4d6a-9c5f-daf4fd8d825a/Poison/ /
--fdpass is to ignore ownership of the file so clam doesn’t get locked out by permissions. --infected tells it to flag only infected files and not do a verbose output. Then the --move= directory is an external flash drive I have. This scan is gonna take a couple days probably, because I am doing everything from root: all mounted media, everything from the home folder and below. I have the recursive set to 30 directories, which should reach just about everything on the machine currently. Max file size I have at 2G. Then for my other SSD, I’m gonna do a separate pass and up it to 12GB. I have a lot of 4K video files, session project files and just generally big stuff. I am also going to take a break from this for a couple days to rest and do real life shit. I have the tendency to hyperfixate on shit like this. If any of you nerds can suggest me some tools I can use to look at all this malware on Tails, let me know; I want to Scooby Doo this shit as much as possible. I will update again when I’ve gotten to Tails.
-ushiftye
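The sort-by-extension loop in the post above, rewritten here as an added example (editor's code, not the poster's command and not part of the original thread). It takes the carver output root and a destination directory as arguments, assumes, as in the post, that the carver's directory names contain "Directories", lowercases the extension so .DLL and .dll land in one bucket, puts files with no extension (or only a leading dot) under noext, and gives same-named files a numeric suffix instead of letting mv overwrite the first one recovered.

```bash
#!/usr/bin/env bash
# Added example: sort files recovered by a file carver into one directory per
# extension. Assumed layout: <src>/<...Directories...>/<files>, output under
# <dest>/<ext>/. Run stand-alone with: ./sort_carved.sh --run <src> <dest>
set -euo pipefail

# Print the bucket name for a path: the lowercased extension, or "noext" when
# the basename has no dot or only a leading dot (".bashrc" has no extension).
ext_bucket() {
    local base="${1##*/}"
    local stem="${base%.*}"
    local ext
    if [ "$stem" = "$base" ] || [ -z "$stem" ]; then
        echo noext
        return
    fi
    # carvers emit odd suffixes (the post mentions _DLL and _exe); keep only
    # characters that are safe as a directory name
    ext="$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9_')"
    if [ -n "$ext" ]; then echo "$ext"; else echo noext; fi
}

# Move every regular file found under the carver directories into
# <dest>/<bucket>/. NUL-separated find output survives spaces and newlines in
# names; a file whose basename already exists in the bucket gets ".1", ".2", ...
sort_carved() {
    local src="$1" dest="$2"
    find "$src" -type d -name '*Directories*' -print0 |
    while IFS= read -r -d '' dir; do
        find "$dir" -type f -print0 |
        while IFS= read -r -d '' file; do
            local bucket target n
            bucket="$(ext_bucket "$file")"
            mkdir -p "$dest/$bucket"
            target="$dest/$bucket/${file##*/}"
            n=1
            while [ -e "$target" ]; do
                target="$dest/$bucket/${file##*/}.$n"
                n=$((n + 1))
            done
            mv -- "$file" "$target"
        done
    done
}

if [ "${1:-}" = "--run" ] && [ "$#" -eq 3 ]; then
    sort_carved "$2" "$3"
fi
```

Collisions matter more than they look: a carver names files by disk offset, but once you sort by basename two unrelated files can share one, and the post's one-liner would have silently replaced the first with the second.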
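For the syslog sifting at the start of the post (250,000 entries grepped down to the schroot and privoxy lines) and the later question of how to search the logs for a connecting address, an added example that is not the poster's own: a few bash/awk functions that turn systemd "Starting/Started/Finished" lines into a unit timeline, list the units that first appear on or after a chosen date, and pull out every IPv4 address mentioned. The log lines are a constructed sample in the same format as the post's excerpts; the sshd line and the address 192.0.2.45 (documentation range) are invented for the example.

```bash
#!/usr/bin/env bash
# Added example: small log-triage helpers for syslog-format lines. Run
# stand-alone with: ./log_triage.sh --demo
set -eu

# Write a constructed sample log (same layout as the post's excerpts) to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 17 09:20:28 xerces systemd[1]: Starting schroot.service - Recover schroot sessions...
Jan 17 09:20:30 xerces schroot-init[1056]: * Recovering schroot sessions
Jan 17 09:20:31 xerces systemd[1]: Finished schroot.service - Recover schroot sessions.
Jan 18 05:40:14 xerces systemd[1]: Starting schroot.service - Recover schroot sessions...
Jan 18 05:40:17 xerces systemd[1]: Finished schroot.service - Recover schroot sessions.
Feb 01 00:43:06 xerces systemd[1]: Starting privoxy.service - Privacy enhancing HTTP Proxy...
Feb 01 00:43:07 xerces systemd[1]: Started privoxy.service - Privacy enhancing HTTP Proxy.
Feb 02 03:11:09 xerces sshd[2211]: Accepted publickey for nemo from 192.0.2.45 port 51022 ssh2
Feb 04 20:39:01 xerces systemd[1]: Starting schroot.service - Recover schroot sessions...
Feb 04 20:39:03 xerces schroot-init[1523]: E: 20copyfiles: realpath: /run/schroot/mount/example/etc/resolv.conf: No such file or directory
EOF
}

# Print "Mon DD HH:MM:SS verb unit" for every systemd unit state change.
# Fields: $1 month, $2 day, $3 time, $4 host, $5 "systemd[1]:", $6 verb, $7 unit.
unit_events() {
    awk '$5 == "systemd[1]:" && $6 ~ /^(Starting|Started|Finished|Stopping|Stopped)$/ {
        print $1, $2, $3, $6, $7 }' "$1"
}

# Timestamp of the first state change of unit $2 in log $1.
first_seen() {
    unit_events "$1" | awk -v u="$2" '$5 == u && !seen { print $1, $2, $3; seen = 1 }'
}

# Number of times unit $2 logged verb $3 (e.g. how often schroot.service was started).
count_events() {
    unit_events "$1" | awk -v u="$2" -v v="$3" '$5 == u && $4 == v { n++ } END { print n + 0 }'
}

# Units whose first state change falls on or after cutoff $2 ("Jan 28").
# Month names are mapped to numbers so the comparison crosses the month boundary.
new_units_after() {
    unit_events "$1" | awk -v cutoff="$2" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
            split(cutoff, c, " "); cut = mon[c[1]] * 100 + c[2]
        }
        {
            d = mon[$1] * 100 + $2
            if (!($5 in first) || d < first[$5]) first[$5] = d
        }
        END { for (u in first) if (first[u] >= cut) print u }' | sort
}

# Every dotted-quad IPv4 address in log $1, once each.
extract_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u
}

demo() {
    local f
    f="$(mktemp)"
    write_sample_log "$f"
    echo "== unit state changes =="; unit_events "$f"
    echo "== units first seen on or after Jan 28 =="; new_units_after "$f" "Jan 28"
    echo "== addresses mentioned =="; extract_ips "$f"
    rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real box the input would be the concatenated /var/log/syslog* files for the window in question; the "units first seen after a date" list is the quickest way to separate a service that has always been there from one that turned up in the suspicious window, which is the distinction the post is trying to draw for privoxy.service.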


What symptoms have you seen to imply there’s any malware to start with? Cause, like the other guy said, this sounds like an extremely unlikely attack vector.
Remember, effective malware will not be engineered to target you. Malware is about maximizing return from minimal effort. So it is engineered for the most common installations. Second, it’s simple. The smaller, the harder to detect. In other words, it’ll target a specific vulnerability of a specific OS. It will not be written to discover what OS it is on, and then adjust what code is executed accordingly. Doing something like that leads to a higher chance of the code being discovered and disabled. Not to mention the higher the complexity, the higher the chance it will simply fail to execute properly. So instead you create a tiny simple piece of code that will either succeed or fail and just be done. Last, but not least, it is autonomous; if you have to actively take over, you have completely defeated the whole point of using malware in the first place. Besides, if somebody’s going to target you, they’re just going to actively hack into your network and you’re not going to know anything about it because they’ll wipe the logs on their way out.
By the way, if what you’ve noticed is some change in what’s showing up in your log files? That’s very unlikely to indicate malware in the first place. Far more likely some low-level part of the code that runs your system is corrupted.
As I explained, I am not who this is for; this is fuck tonnes of viruses delivered at once. My first post is linked at the top. It goes into detail about what happened, how I found it and what I did immediately afterwards. Oh completely, it is about maximising return. That’s why everything is for Windows; I was just unlucky enough to have a program with both network access and filesystem access that runs Windows software. That’s also why I believe this is a series of programs that were stitched together and why I believe they fail so much in the logs, because of course it’s gonna fail if the payload is syntaxed for Windows and executed on Linux. They loaded ssh keys, that I know for sure. But again, as I explained in my very detailed follow up, I believe there’s automation in creating a virtual machine that will connect to the computer’s filesystem. That’s why I was rooted with 32x Ubuntu and my housemate was connected to a Windows 10 machine. I think all of their payload for delivery is based on Windows. Which would make sense; one part is written to pair the machines up. So if it’s Windows 10, Windows 11, Windows 8 etc., that’s what you’ll be rooted with. That’s what you get. I believe that worked for me, like it created a 32x Ubuntu server, but then the following procedures failed.
I do go over stuff quite extensively between these two posts here; apologies if I’m curt. I lost all my information. Immigration documents, family photos, my entire hard drive. Music collection, every single one of my config files, applications I built from source, specifically tailored to my hardware. I have been back and forth replying to cops for days and I HATE cops. Well, to the other gentlemen, I would again love to have a counter theory as to how I have over 10GB of Windows viruses and counting that wound up in the data dump of the image I took of my SSD, if it did not proliferate through WINE? WINE is the ONLY way for these programs to run on my machine. You can load ssh keys; OS doesn’t matter then. OpenSSH supports Windows, Linux, FreeBSD, Android. I didn’t download double digit gigabytes of Windows malware and make up a story. I don’t think the WINE repositories are compromised, that is not what I am saying at all. But WINE is the only program with a Windows registry to edit, the only one that can run Windows software and the only thing capable of loading DLL files, and the initial detection was for a remote access trojan in a fake DLL loaded into WINE (see my first post). So, I believe that the DLL that popped initially loaded ssh keys into my machine, giving them remote access as you can see in the logs. It’s frustrating because I have actually spent days digging into this, grepped log files, provided images and explanations of what I believe happened, timestamps and everything, and someone else can say, I don’t think that’s likely because the package for remote filesystem access already exists on your distro.
It is just so disingenuous and I really don’t like the insinuation that I have to convince someone that this happened to me when I was there; I inspected the root myself and watched everything on my machine get wiped and I am dealing with the ongoing consequences of that. I would urge you to actually read that first post and this post, rather than dismiss what I am saying as some “low level bug” because of a single comment someone else made, when I found the root 128.7TB, I saw the ports, I closed them down, and I go over all the persistence I had to remove in the first post. I would have to do hours of research anyway to be able to construct a story like that. I’m not gonna do that. I created an account here just for this, because it wasn’t gonna be fuckin reddit I run to to document this.
And if you think I’m lying, help prove me wrong. Give me a suggestion for a program to view these files. I can use less but there’s a lot that isn’t human readable. I was thinking of Cuckoo to do dynamic analysis, but I fully intend to dig through all the human readable shit I can find in them, because I am not making this up. Also, you know all the images of Windows malware being detected by ClamAV that I included? That would be the most overt evidence of malware, I would have thought. You know, malware that can’t actually run on Linux without the use of the compatibility layer WINE. That is the crux of the issue here for me.