I recently ran a BitDefender AV scan which picked up and cleaned the GenericKDZ trojan – a very nasty infection which includes a keystroke logger. I am adamant about security – always changing default passwords, strong passwords, verifying links, turning off unnecessary services, firewalls, NoScript, patching, air gapping, etc. I even have Deep Freeze installed in an attempt to keep the computer in a steady state (with the D data drive unfrozen, but encrypted)!
To get this infection was shocking (IT professional with 15+ years experience and 3x cert). Though, I am NOT a security professional. Personally, I think this very well could be a targeted attack – and based on current firewall logs, it "appears" that I am still under attack – with attacks coming from cloud based hosting platforms operated by Amazon, MS, etc. These attacks appear to be coming from the same group of networks, consistently. They are scanning across different ports and IPs.
Initially, there appeared to be small, "minor" damage to some Word documents – curiously, these were locked with a password (I know). The damage was the same across dozens of documents – it appears a script may have ran to first unlock these documents and then damage them in the exact same manner. Curiously, another very odd problem cropped up with a few of my Excel workbooks – when moving the cursor to a different cell, the cursor blinks a total of 11 times. Everytime. This happens across all Excel spreadsheets new and old. It doesn’t matter if I’m updating a cell with a big formula, entering the number "2", or simply moving the cursor to a new, blank cell. It doesn’t matter how much memory is currently being used during operations. It blinks 11 times, EVERY single time. K, is the 11th letter of the alphabet. What do you have when you put a series of "K’s" together? Try lining up 3 side by side. Very, very odd. There were also several other odd things happening such as Windows Defender stopping, failed updates, offline scanning not completing, etc.
I ordered replacement hardware and VERY oddly there is image retention on the laptop screen of a waving flag (CLEARLY visible when booting the laptop). I can’t make this up.
The laptop with the virus did have Computrace enabled in the BIOS – I won’t jump to conclusions but it IS permanently enabled. The only way to rid THAT problem was to completely replace the hardware.
I am now doing a build out of the replacement laptop – new hardware, NO Computrace (disabled), fresh install of OS, firewall, AV, updates, patches, etc. I am not convinced this problem has gone away and am worried that I may be a victim of a possible DNS poisoning, or MIM attack. In a nutshell, here are a few reasons:
- When I do NSLOOKUP for domains i use, i get a response that ALWAYS states "non-authoritative answer" This is extremely concerning. Among other reasons, I don’t recall this happening previously.
- When I do tracert or pings to a domain such as Fidelity.com, I see different IP addresses. (18.104.22.168) (22.214.171.124). Sometimes, a site like Shutterstock.com will give me 3 different addresses between tracert, ping and nslookup. I realize alot of sites use CDNS but i’m not sure how that impacts load balancing, IP addresses, etc.
- When I look at the site certificates I’m also seeing surprising things. I am seeing a "domain validated" site certificate for a local bank website I use. I’d expect to see at least a "organization validated" certificate.
- When I run a "route print" command, I am getting a response that states "on-link" for most of the routing table. From my understanding this is creating a direct, "dial up" link to the IP in question and bypasses the gateway. If true, this seems to be truly shocking.
- When i run a tracert, I am seeing 5 ip addresses before the packets even reach my ISP’s router! At glance, these absolutely look like computer IP addresses (such as 126.96.36.199) instead of a normal router name. When I trace these IP’s it "appears" that they are on the ISP’s network-doing what is the question.
- I recently stated using BitDefender VPN to further security. However, it now appears that I am being forced onto a VPN server based out of Chicago when previously I was able to disconnect and then automatically reconnect to a different US server – such as Miami, or New York. This is brand new software that’s only been installed for a few days. The only US server I can now connect to is out of Chicago by a company called "24 Shells".
- My computer was constantly disconnecting from WIFI throughout the day – some days, it was worse than other. But, oddly enough, the disconnect happened 85% of the time at a Comcast router in Chicago. I called support and they always wanted to point to my equipment and my laptop. But, the fact remains is that the route was good 85% of the time and just dropped in Chicago. A disconnect and reconnect to wifi seemed to solve the problem. It was almost as those i was being manually dropped from that device in Chicago.
- I am doing NOTHING nefarious from this box (or from any device for that matter). I simply have business assets and data I need to protect. I run a legitimate business from my home office.
Any help or direction would be greatly appreciated.
Source: Windows Questions