What the hell was THAT?!?
- by Massimo
My system is Windows XP SP3, updated with the latest patches.
The PC is connected to a Cisco 877 ADSL router, which does NAT from the internal network to its single static public IP address. There are no forwarded ports, and the router's management console can only be accessed from the inside.
I was doing two things: working on a remote office machine via VPN and browsing some web pages on the Cisco web site.
The remote network is absolutely safe (it's a lab network, four virtual servers, no publicly accessible services and no users at all; also, none of what I'm going to describe ever happened there).
The Cisco web site... well, I suppose is quite safe, too.
Suddenly, something happened.
Strange popups appears anywhere; programs claiming they're "antimalware", "antispyware" et so on begins autoinstalling; fake Windows Update and Security Center icons pop up in the system tray. svchost.exe began crashing repeatedly. Then, finally, after some minutes of this... BSOD.
And, upon rebooting, BSOD again. Even in safe mode.
Ok, that was obviously some virus/trojan/whatever. I had to install a new copy of Windows on another partition to clean things up. I found strange executables, services and DLLs almost anywhere. Amongst the other things, user32.dll and ndis.sys had been replaced. A fake software called "Antimalware Doctor" had been installed. There were services with completely random names or even GUIDs (!), and also ones called "IpSect" and "Darkness". There were executable files without an .exe extension. There were even two boot-class drivers, which I'm quite sure are the ones that finally caused the system to crash.
A true massacre.
Ok, now the questions:
What the hell was that?!? It was something more than a simple virus!
How did it manage to attack my computer, as I am behind a firewall and was not doing anything even only potentially harmful on the web at the time?
