Unclean

Why the fuck do PC guys think that they can "clean" infected PCs? I'm old-school unix -- if there's even a hint of compromise, you can't trust the box any more and it should be paved and rebuilt from scratch and carefully checked backups.

So I'm the linux/network guy at my current MSP gig, and I get a call-out to a company that's having internet troubles -- the internet is slow, when it works at all, for them. It's on the other side of the city, so getting there involves sitting in the car for a bit. No worries on that, I find traffic relaxing, especially when it's on the clock.

I arrive and plug my laptop into the network just to get a taste of what's going on. Sure enough, the internet is slow when it works at all -- lots of unresolvable names and slow load times. I decide to passively wireshark the cable, as sometimes you can get a hint as to who's doing what by listening to the broadcast traffic. The only thing that stands out from there is one PC that is doing a lot of broadcast name lookups for things like yahoo.br and somemail.com and the like... uh oh.

So OK, the next step is to look at their firewall. And surprise surprise, it is a four year old SOHO Asus wifi/router with some ancient Tomato firmware on it. And oh, it only supports 4K simultaneous connections. And oh, one PC is using like 3800 of them. And oh, that PC is the same one which is banging away making broadcast name queries.
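The two signals that pointed at the box above (one host holding most of the router's connection table, and the same host broadcasting NetBIOS lookups for internet-style names because DNS is failing under it) can be scored mechanically. This is an added example, not anything from the original post; the connection-table entries, the broadcast query lines, the 4096-entry table size and the 192.168.1.0/24 addresses are all constructed.

```python
"""Triage helper: find the LAN host that is both exhausting a SOHO
router's connection table and spamming broadcast name lookups for
dotted (internet) names.  All input data below is constructed."""
from collections import Counter, defaultdict
import re

# Constructed connection-table dump, "proto src:sport dst:dport".
# One host holds 3800 entries, a couple of others look normal.
CONNTRACK = (
    ["tcp 192.168.1.50:%d 203.0.113.%d:25" % (1025 + i, i % 200 + 1)
     for i in range(3800)]
    + ["tcp 192.168.1.20:%d 198.51.100.10:443" % (1100 + i) for i in range(12)]
    + ["udp 192.168.1.21:%d 192.168.1.1:53" % (5000 + i) for i in range(4)]
)

# Constructed broadcast name-service queries as seen by a passive sniffer.
BROADCASTS = [
    "192.168.1.50 -> 192.168.1.255 NBNS query yahoo.br",
    "192.168.1.50 -> 192.168.1.255 NBNS query somemail.com",
    "192.168.1.50 -> 192.168.1.255 NBNS query mail.example.net",
    "192.168.1.20 -> 192.168.1.255 NBNS query FILESRV01",
    "192.168.1.21 -> 192.168.1.255 NBNS query WORKGROUP",
]

TABLE_SIZE = 4096  # assumed size of the router's connection table


def connections_per_host(entries):
    """Count connection-table entries per internal source address."""
    counts = Counter()
    for line in entries:
        _proto, src, _dst = line.split()
        counts[src.rsplit(":", 1)[0]] += 1
    return counts


def table_hogs(entries, table_size=TABLE_SIZE, share=0.5):
    """Hosts holding more than `share` of the router's connection table."""
    return {h: n for h, n in connections_per_host(entries).items()
            if n > share * table_size}


def dotted_name_broadcasters(lines):
    """Hosts asking the LAN broadcast for dotted names.  Windows falls back
    to NetBIOS/LLMNR when DNS fails, so broadcast lookups for names like
    yahoo.br mean that host is trying to resolve many internet hosts and
    failing: not normal desktop behaviour."""
    pat = re.compile(r"^(\S+) -> \S+ \S+ query (\S+)$")
    hits = defaultdict(set)
    for line in lines:
        m = pat.match(line)
        if m and "." in m.group(2):
            hits[m.group(1)].add(m.group(2))
    return dict(hits)


def suspects(entries, lines):
    """Hosts flagged by both signals, the ones to go and trace cables for."""
    return sorted(set(table_hogs(entries)) & set(dotted_name_broadcasters(lines)))
```

Either signal alone can have an innocent explanation (a backup job, a misconfigured WINS client); a host that trips both is the one to pull off the wire first.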

So, yeah, that explains everything. Now to find the computer that's doing the offending. This involves some digging around in DNS and tracing cables, and we eventually arrive at a computer that's sitting on the customer company's president's desk.

Yeah.

Just like every other computer in the world, when I arrive at this computer I find it A) unattended, B) unlocked, with C) the Quickbooks showing the company financials open on the screen.

Yeah.

I have his assistant close and save the Quickbooks -- my number one rule is don't fuck with the money supply -- and start poking around. I am a linux/networking guy, so I'm just doing a paper-bag examination and I'm pretty sure that unless I can find something stupid like a batch file running I'm going to have to escalate this to the PC guys to get it fixed. I bring up the task manager, and lo and behold there are a bunch of processes called MailCracker32.exe running.

Jolly decent of them to not rename their cracker to something less obvious like mouse_drv.exe.

The cracker is running under two user ids, one is Administrator, and the other one is Admin. This isn't a good start, but I kill the processes, find the running directories on the affected users' desktops (again, jolly decent of these folks to not go out of their way to hide this), and start talking to Mr. President about what I've found.

I have to respect him, because when I told him what was going on, he asked me: is this something that could happen by surfing porn sites? And I said yes, it's possible, and he just nodded, totally chill. Well OK if you're going to own it, I can respect that, even if you are an idiot about how you go about it.

While we're having this conversation, MailCracker32.exe starts up again.

Well fantastic, this means we have some kind of trojan or root-kit running which is dropping the MailCracker and starting it up if it doesn't find it running. Maybe I screwed up the cleanup, so I kill and delete it -- again -- and we watch it for another five minutes. Nope, comes back.

Right, this computer isn't trustworthy, it'll have to be paved. Mr. President isn't keen on that, but I emphasize that there's no way to know what else is on the computer -- keyloggers, screen capturing software, remote control, back doors, DoS-participation software, you name it. Besides, he deals with the company's money on this computer. That's very much now at risk.

After coordinating with the head PC guy back at the office, it is decided I will take the computer back to the office where one of the guys will fix it.

When I get there, I speak to the guy and give him the lowdown, telling him what I think needs to be done. "Well I'm not sure about that", says the PC guy, "I'll copy the files and data off and then poke around with these cleaners I have."

I express some skepticism that this will be sufficient, but leave him to his job -- he is, after all, the relevant professional.

Fast forward two days of trying to get a Cisco RV042 to speak NAT-T to an ASA 5505, and my phone rings. It's Mr. President, and I've already given the punch line away because he tells me that the internet is slow, and they poked around in the task manager and those MailCracker32 processes are back.

And he wants to know why it wasn't fixed properly.

Well great. Not only did PC guy fail to "clean" this computer, but he made the company look bad, and me bad in particular. PC guy is lucky he was out having a colonoscopy done because frankly he would have otherwise found my foot in his ass.

So I apologise to the customer and say I'll chase it down and make it right. I settle for yelling at PC guy's boss, and at that point it becomes his problem instead of mine... and unfortunately for the sake of stories getting happy endings (or even an ending), since it is both a PC problem and not my problem, I lose interest in it.

I know PC guys all have a suite of tools -- unique to each PC guy -- which they trust, but seriously, when did it become acceptable to just "clean" a compromised computer instead of building it back up to a trustworthy state?

And yes, I understand that this is the more attractive solution than a rebuild is because A) Windows systems are Jenga constructions of instability and B) backups are hard so no users ever do them, but seriously, I would have thought that, putting all that together, users would take more care to protect their fragile edifices?

And yes, I'm mostly mad because I ended up looking bad. If a PC guy makes himself look bad I'm concerned about the company image, but for the most part that's between him, his boss, and the customer.