
When malware saved the day

December 5th, 2010

Back up your files, kids.  Not tomorrow, not after breakfast — now.  If you don’t already have a good system, there are plenty of easy options like Backblaze.

I bet you can guess where this is heading.  But first, some backstory.

About a week ago, I was idly surfing the web.  Surf, surf, surf.  Just wasting time after moving Stopping in Every State off of Posterous and onto my own server.  I clicked a link on a search result, and while the page was loading, I noticed a Java applet fire up in the browser window.  That was immediately alarming for two reasons.  First, this is not 1999, so there are pretty much no legitimate reasons to use Java applets on web pages.  Second, I had read about a Java virus that hit Reddit a few weeks back.

I closed the browser as quickly as possible, but it quickly became apparent that I was too late.  First, a rogue security tool popped up.  Then I noticed a large amount of disk activity.  Pop-up windows for questionable sites.  The works.

In a bit of a panic, I first shut off my network card (which has a physical switch on my laptop).  I fired up task manager and started killing suspicious processes.  Then out came Process Explorer, and with that I began shutting down unusual DLLs.  Still under attack, I went in with Hijack This (which I keep on my USB thumb drive) and started undoing damage.  At the same time, I fired up a borrowed computer and got the latest versions of a host of legitimate anti-malware tools, including Malwarebytes Anti-malware, Windows Defender, and Ad-Aware.  I transferred them with my thumb drive, ran them, and let them do their things.  They found a bit of malware and claimed to have removed it.

The situation seemed much improved on my laptop, so I turned the network card back on.  I cautiously fired up the browser and tested a few sites.  Things looked normal, so I smugly declared victory and continued wasting time on the ’net.

All was fine for about 30 minutes until I decided to check Google Analytics for Keacher.com.  I was a bit surprised by one of the popular search keywords, so I went to Google to check it out myself.  Sure enough, my blog popped up high on the results list, so I clicked it.

Then I freaked out.

Instead of displaying my friendly familiar blog, I was sent to some sort of ad-filled page on a different server.  I tried a few more searches and a few direct links, and the behavior was exactly the same as a compromised WordPress installation.  I cursed the misfortune of getting hit by spyware and a hacker on the same night and fired up a few shells into my server.

I went into damage control mode.  I shut down keacher.com, grabbed the latest from WordPress.org, and installed that in a new directory.  After scrubbing the database, I brought the site back up with the new installation (which did not have the old theme, since at the time I had to consider it potentially compromised).

After a bit of this, it dawned on me that keacher.com was not the only site behaving oddly.  Many sites started having strange ad-related redirections from Google’s search results.  Suspicious, I did a search for Apple.  When I clicked on the result for www.apple.com and saw an ad page, I knew I still had a local malware problem.

That set off about 10 hours of searching, scanning, registry analyzing, and deleting.  No matter what I did, I couldn’t figure out what pest still infected my computer, let alone remove it.  Eventually, I decided that it must be some type of particularly elusive rootkit and threw in the towel.  I went to a local computer store and bought a new hard drive, which I promptly installed in my laptop.

Many hours of software installation ensued.  Eventually, I was ready to transfer my documents from the old drive to the new drive.  I popped the old drive in my external USB to SATA adapter, mounted the drive, and casually began the copy.

“Access denied.”

What?  That couldn’t be right.  I knew that I was using Encrypting File System (EFS) on my old Windows installation, but I had taken pains to back up and import the certificate and key.  I thought it might have been some sort of file ownership or NTFS permissions problem, but no amount of fiddling made any difference.  I could access encrypted files modified before August 20, 2007, but nothing newer.  The reported certificate thumbprints for both the new and old files were the same, but for whatever reason, the newer files refused to be decrypted.

That was a huge problem for me.  While I have several independent backups, most of them use NTFS and would retain the original encryption.  Since I appeared to have saved the wrong encryption key, I would be unable to access any of the post-2007 files on any of those backups.  (I pulled out a couple of backup drives and confirmed that to be the case.)

The good news is that I had anticipated this possibility — out of fear that I would forget the passphrase for the encryption key — and had made a totally separate backup using a completely different encryption scheme.  I retrieved that drive from its off-site storage spot and confirmed that it was good, if a bit out of date.  The last update to it was over 6 months ago.

Unfortunately, that separate backup did not contain one of my prize data sets due to size constraints: my comprehensive photo archive, 550 GB in size, containing every frame I’ve shot since late 2003.  I have multiple copies of the so-called “selects” (the best shots from each shoot), but I had only one copy of the entire archive.  And it was encrypted with the mystery EFS key.

Even though I could not access any of the newer EFS data using the key I had previously exported, I could still access all of the data — new and old — from the old, infected Windows installation.  That realization set in motion intense efforts to successfully export the EFS key from the old installation in a way that would be usable on the new installation.  Each attempt required popping the cover on my laptop and switching the system drives, which was a huge pain.

I tried everything I could think of.  New exports, different methods of export, experiments with the command-line “cipher” tool, adding users to the new and old Windows installations, creating new EFS certificates, creating new EFS keys, re-keying the encrypted files… I knew the key was in there somewhere, since clearly I could access the files in the old installation, but no matter what I did, the post-2007 files remained stubbornly unreadable in the new installation.

After over a day of screwing around with the encryption, I declared defeat on that too.  I put the old drive back in the laptop one last time, fired up the old Windows installation, hooked up the comprehensive-photo-archive backup drive to the USB to SATA bridge, and told the computer to start decrypting.  Including other files, 650 GB needed to be decrypted, and due to the nature of the setup, the system could manage only 3 MB per second (net).

For the next 60 hours, my computer did nothing but decrypt files.  Since I didn’t want to put the computer back on the net in a compromised state (remember, I had to be running the hacked installation in order to decrypt the files), I couldn’t really do much else with it.

I was sweating bullets the entire time.  Would the still-present rootkit kill my old copy of Windows?  Would the backup drive survive several days of continuous, heavy use?

Fortunately, the decryption proved both uneventful and successful.  When it had completed, I swapped boot drives on my laptop again and found that I was able to successfully read the newly decrypted data in the new Windows installation.

All told, the malware infection was a blessing in disguise.  It prompted me to discover that my backup solution was flawed.  Who would have thought that a “System Repair” type malware would actually be useful, albeit indirectly?

Had I suffered a catastrophic drive failure on my laptop that left my system unbootable, I would have found out too late that my encryption keys were bad, and my data would have been permanently lost.  Instead, I was able to correct my backup strategy without losing any data.

It’s important to make backups.  It’s even more important to make sure that the backups are usable.
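The lesson above, and the EFS troubles described earlier, come down to one check: on the machine you would restore to, with the exported certificate imported, try to actually read every encrypted file on the backup before you need it.  The script below is an added example written for this post, not the author’s own code or a Microsoft tool.  It assumes a Windows machine with EFS, the restoring user’s EFS certificate in Cert:\CurrentUser\My, and a backup tree at a path you supply (E:\backup is a placeholder).  It walks the tree, opens each file carrying the NTFS Encrypted attribute, and reports the ones that fail, sorted by modification date, so a cutoff like the August 20, 2007 boundary in the post stands out immediately.

```powershell
# Added example, not code from the original post. Assumes: Windows with EFS,
# the current user's EFS certificate imported into Cert:\CurrentUser\My, and a
# backup directory passed as -Root (E:\backup below is a placeholder).

function Get-EfsCertificateThumbprints {
    # EFS certificates carry the Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
        ForEach-Object { $_.Thumbprint }
}

function Test-EfsBackupReadable {
    param([Parameter(Mandatory = $true)][string]$Root)

    $results = foreach ($file in Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue) {
        # Only files with the NTFS Encrypted attribute need a key to be read.
        if (($file.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0) { continue }

        $readable = $true
        $reason   = ''
        try {
            # Opening for read makes EFS unwrap the file's encryption key with our
            # private key; a missing or wrong key surfaces here as "Access is denied".
            $fs = [System.IO.File]::Open($file.FullName,
                                         [System.IO.FileMode]::Open,
                                         [System.IO.FileAccess]::Read,
                                         [System.IO.FileShare]::ReadWrite)
            try {
                $buf = New-Object byte[] 1
                [void]$fs.Read($buf, 0, 1)
            } finally {
                $fs.Dispose()
            }
        } catch {
            $readable = $false
            $reason   = $_.Exception.Message
        }

        [pscustomobject]@{
            Path          = $file.FullName
            LastWriteTime = $file.LastWriteTime
            Readable      = $readable
            Reason        = $reason
        }
    }
    return $results
}

# Usage: run on the machine you would restore to, after importing the exported
# certificate and key, and before trusting the backup.
$report = Test-EfsBackupReadable -Root 'E:\backup'
$bad    = $report | Where-Object { -not $_.Readable } | Sort-Object LastWriteTime

"Encrypted files checked: $($report.Count); unreadable: $($bad.Count)"
"Local EFS certificate thumbprints: $((Get-EfsCertificateThumbprints) -join ', ')"

if ($bad) {
    # A sharp cutoff in LastWriteTime points at a key rollover (a second EFS key
    # that was never exported) rather than an ownership or permissions problem.
    "Oldest unreadable file: $($bad[0].LastWriteTime)  $($bad[0].Path)"
    # cipher /c lists the certificate thumbprints able to decrypt a given file,
    # which can be compared with the thumbprints the new machine actually holds.
    cipher /c $bad[0].Path
}
```

If the thumbprint that cipher /c reports for an unreadable file is absent from the local list, the restore machine is missing a key, and the only copy of it lives on the original installation; that is the situation the post describes, and the time to learn it is during a test restore, not after the source disk is gone.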

  1. Brian
    December 5th, 2010 at 07:46 | #1

    Glad to hear everything worked out well, save the time spent. Regarding photos, subscribe to SmugMug. Unlimited storage space (including storing RAW files) and it also is a photo gallery. I love it.

  2. December 5th, 2010 at 17:24 | #2

    I’m going for the shallow observation that I wondered about the theme change. Now I have my explanation. Glad it all worked out!

  3. January 18th, 2011 at 21:51 | #3

    Submit this to some geeky site as a short non-fiction piece. I got a kick out of this and as such, geeks would like this as much as me X 3.
