We post a lot of blogs here about all kinds of threats, including pervasive botnets, rootkits, rogue apps, the latest flavor of spam doing the rounds, and so on and so forth. So, for a change I thought I’d talk about something a bit more personal that happened closer to home—something that happened to a good friend of mine. Not a gruesome tale by any means, but one that will hopefully be of interest to some of our less technical readers who may be able to identify with my friend’s plight. I’ve split the story into three parts and will post them here a few days apart, each linking back to the previous part so anyone who missed one can easily catch up.
Part I – Discovery
A call for help
A friend of mine, Derek, recently asked me if I could help him figure out why his Internet connection had been running so slowly for the past week or so. Like many people, Derek used his computer mainly for emailing, surfing the Web, social networking, and updating his personal blog. He didn't know too much about what went on behind the scenes but he did have antivirus software installed and he had Windows Update set to automatically download and install system updates as they were released. All in all, he is probably a fairly typical computer user. He said he couldn't remember any particular event that would be responsible for his slow Internet speed and his antivirus software wasn't reporting any infections on his computer.
A picture paints a thousand bits
When I first looked at Derek’s computer, it had just been started up and there weren’t any windows or applications open; at least none that we could see. He had, however, recently installed a shareware network monitor that gave a graphical representation of his Internet usage over time:
[Graph from the network monitor: its length represents several minutes. Green is for downloading, red is for uploading.]
Derek told me his Internet connection was rated at 128 kbps and according to the graph it was obvious something was using a fairly big chunk of that. At first glance, it appeared that an application running in the background was consuming the majority of his bandwidth.
If I can’t see it, how could it be there?
By “background” I mean that it had no icon in the system tray, so it wasn't obvious to Derek that it was running at all. A quick look at the running processes in Windows Task Manager gave us a couple of immediate suspects. If one of them did turn out to be responsible, the fact that it was plainly visible in Task Manager would suggest it wasn’t trying particularly hard to conceal itself (a rootkit, by contrast, would hide its process from tools like this). However, the average computer user is unlikely to know how to check running processes, and probably wouldn’t know what to look for even if they did. Even fewer people are likely to know how to check their active network connections, which is what we did next.
Not just one, but many
Running netstat via the command prompt (its -b option lists the executable responsible for each connection; I’ll come back to both this and Task Manager later) showed us exactly which executable file had open network connections. It was, in fact, one of the suspect processes we had seen in Task Manager, and it had dozens of established connections to a variety of different hosts and IP addresses. Note that the following output has been reformatted for clarity:
(“suspect_process.exe” is not the real name of the file; that will be revealed later.)
Let’s shoot first and ask questions later
Now that we had established which program was causing the problem (not only using a large chunk of his relatively thin Internet pipe, both downloading and uploading data, but also consuming other system resources such as CPU cycles and RAM), we ended the process via Task Manager. As we’d hoped, that immediately put a stop to the data being transferred to and from his computer. Using Regedit* we then navigated to the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and removed the offending startup entry, which had been set to launch the program whenever Derek started or restarted his computer. Bear in mind that removing a Run entry only stops the program from starting automatically; it does not remove the file itself. We then spent an hour or so checking other things on his computer, but suffice to say the two actions above were the most important in stopping the bandwidth thief in its tracks. (*To run Regedit, click Start > Run…, type regedit in the box that appears, and click OK.)
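As an added example (not code from the original post), here is the same triage and cleanup done from an elevated PowerShell prompt instead of by hand in Task Manager, the command prompt and Regedit. It assumes a Windows machine with netstat available, uses the post’s placeholder name suspect_process.exe, and only ends a process or removes a registry value when you pass -Clean. The -Suspect parameter, the script name triage.ps1 and the check of the per-user Run key are my additions; the post only looked at the HKEY_LOCAL_MACHINE key.

```powershell
# Added example for this post (not code from the original article). It repeats
# Derek's triage from an elevated PowerShell prompt: which process owns the most
# established connections, what executable that is, then (with -Clean) end it
# and strip its autostart entry. "suspect_process.exe" is the post's placeholder.

param(
    [string]$Suspect = 'suspect_process.exe',   # placeholder name from the post
    [switch]$Clean                               # list only unless -Clean is given
)

# --- Step 1: netstat -ano, established TCP connections grouped by owning PID ---
# (-ano gives the PID on every system; -b, which names the executable, needs an
#  elevated prompt, so the name is resolved through Get-Process in step 2 instead)
$pattern = '^\s*TCP\s+(?<local>\S+)\s+(?<remote>\S+)\s+ESTABLISHED\s+(?<pid>\d+)\s*$'
$conns = netstat -ano | ForEach-Object {
    if ($_ -match $pattern) {
        [pscustomobject]@{
            Pid        = [int]$Matches['pid']
            RemoteHost = $Matches['remote'] -replace ':\d+$', ''   # drop the port, keep the host
        }
    }
}

# --- Step 2: name the executable behind each PID (what Task Manager showed us) ---
# A process talking to dozens of distinct hosts at once is the pattern to look for.
"{0,6} {1,6} {2,6}  {3}" -f 'PID', 'Conns', 'Hosts', 'Executable'
$conns | Group-Object Pid | Sort-Object Count -Descending | ForEach-Object {
    $proc  = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
    $hosts = @($_.Group.RemoteHost | Sort-Object -Unique).Count
    $exe   = if ($proc -and $proc.Path) { $proc.Path }
             elseif ($proc)             { $proc.ProcessName }
             else                       { '<exited>' }
    "{0,6} {1,6} {2,6}  {3}" -f $_.Name, $_.Count, $hosts, $exe
}

# --- Step 3: end the process (Task Manager's "End Process"), only with -Clean ---
$name = [IO.Path]::GetFileNameWithoutExtension($Suspect)
if ($Clean) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
}

# --- Step 4: find (and with -Clean, remove) the autostart entry. The per-user
#     HKCU Run key is checked too: it needs no admin rights to write, so it is
#     just as common a hiding place as the HKLM key the post looked at. ---
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $command = $item.GetValue($valueName)
        if ($command -like "*$Suspect*") {
            "Autostart entry: $key\$valueName = $command"
            if ($Clean) { Remove-ItemProperty -Path $key -Name $valueName }
        }
    }
}
```

Run `.\triage.ps1` first to get the connection table and any matching Run entries without touching anything; once the real executable name is known, `.\triage.ps1 -Suspect realname.exe -Clean` ends the process and removes the entry. Re-run the listing afterwards: if the connections come back, something else is restarting the program and the Run key was not its only foothold.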
So, just what was this mysterious application that had invaded my friend's computer, which neither he nor his (free) antivirus software knew anything about? How did it get there? What was it transferring?
Be sure to check back for the next chapter of Derek’s story, when, in order to answer those questions, we'll need to take a short step back in time to approximately one week before he contacted me.