Virus ex machine
Thursday, June 18, 2020
Let's be honest: we rarely work on non-computer machinery. We usually deal with ordinary PCs and mobile devices. But sometimes there are exceptions. For example, a recent malware research incident involved a machine. Or, to be more precise, its software.
A Chinese laser cutting machine powered by Windows 7 arrived at our laboratory.
We plugged a malware-free flash drive into the device to copy its software, then connected the drive to a PC and received a malware alert:
Worm.Siggen.12242 (infected). All files on the flash drive were gone and a hidden partition appeared. The machine's software was also shipped on a USB stick. When we attempted to copy the distribution files from the media, multiple malware alerts popped up (attachment below).
The good news is our corporate anti-virus solution was already deployed on the computers: it was the anti-virus that identified the problem.
Dr.Web discovered quite a collection and Worm.Siggen.12242 was not the only item it contained. By the way, since we’re talking about a worm, it's safe to assume attackers probably intended to infect the customer's entire network. Or perhaps it was mere negligence.
Our support engineers immediately requested a log file from the host as well as malware samples to analyse:
We need to check the host's log files to determine which files were deleted and why. Unfortunately, without the log files and a malicious sample there is nothing else we can tell you.
You can run this utility to collect log files and upload the resulting report to this ticket.
The file had been moved to quarantine—which was also a good thing because the sample could then be extracted from storage and examined. The user was afraid, but our support engineer was able to reassure him:
“Whatever you copy from quarantine won't be deleted immediately. Just extract the file and instantly compress it with an archiver application. Set a password if you like. Forward the archive to us. After that you can immediately delete the file.
Of course, you need to exercise caution and only copy the file on a host where it can't be launched.”
The subsequent analysis revealed a wondrous thing—yet another “ancient” malicious program.
It doesn't seem like a false positive. Rather, we are dealing with an old malicious program that replaces folders with shortcuts and hides files. That doesn't happen very often nowadays. Apparently, all files on the flash drive are now simply hidden.
Enable the option to show hidden and system files in the Windows Explorer. Or open the command prompt and run the instruction as an administrator:
attrib -s -h -a -r E:\* /s /d
This should change the file attributes back to normal.
If you are certain that no malware was previously present on the flash drive, then obviously the malware was written to the drive while files were being copied from the laser-cutting machine and that, in turn, means the machine itself is infected. It was probably compromised during manufacturing.
First, if possible, scan the machine with Dr.Web CureIt and neutralise all discovered threats.
The user was then provided with download links for special Dr.Web utilities that would detect and cure the infection.
By the way, at the same time the user got in touch with the Chinese machine supplier.
The Chinese support service was on point: "There is no malware involved. Just disable your anti-virus and keep working. Don't worry."
What can we say… 😊
Dr.Web did discover a virus on the machine.
The machine's system is definitely infected with BackDoor.Andromeda.178.
Deleting the file will have no adverse impact on the system's operation. In fact, the system will benefit from its deletion. Though to be perfectly safe, back up the file before you remove it.
If a flash drive is plugged in and gets exposed to the malware, it will write Worm.Siggen.12242 to it and create a directory with a non-breaking space as its name. All files on the media will be moved to this directory.
As a result, the data is not destroyed and remains intact.
You can find all the files in that special directory.
You may even be able to use Total Commander to find and open the folder if the option to show hidden and system directories and files is enabled.
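The hiding pattern described here (a directory whose name is a non-breaking space, the user's files moved into it, hidden/system attributes set, folders replaced by shortcuts) can be triaged without touching the drive's contents. The script below is an added example, not part of the original article or of Dr.Web's tools: it scans a mounted drive for blank-named directories and decoy .lnk files, and builds the same attrib command the article gives (the drive path and the sample layout in the test are assumptions).

```python
import subprocess
import sys
import unicodedata
from pathlib import Path


def is_blank_name(name: str) -> bool:
    """True if every code point is a separator, control or format character.

    U+00A0 NO-BREAK SPACE (Unicode category Zs) is the case the worm uses; such a
    directory shows an empty name in Explorer and is easy to overlook.
    """
    blank = ("Zs", "Zl", "Zp", "Cc", "Cf")
    return bool(name) and all(unicodedata.category(ch) in blank for ch in name)


def triage_drive(root: str) -> dict:
    """Report folder-hiding indicators on a mounted drive; reads only, changes nothing."""
    top = Path(root)
    blank_dirs = [p for p in top.iterdir() if p.is_dir() and is_blank_name(p.name)]
    # Items moved into the blank-named directory: this is the user's real data.
    moved_items = [p for d in blank_dirs for p in d.iterdir()]
    moved_files = [f for d in blank_dirs for f in d.rglob("*") if f.is_file()]
    # "Folder replaced by a shortcut": a .lnk at the root whose stem mirrors a moved item.
    moved_names = {p.name for p in moved_items}
    decoy_shortcuts = [p for p in top.iterdir()
                       if p.is_file() and p.suffix.lower() == ".lnk" and p.stem in moved_names]
    return {
        "blank_dirs": sorted(str(p) for p in blank_dirs),
        "moved_files": sorted(str(p) for p in moved_files),
        "decoy_shortcuts": sorted(str(p) for p in decoy_shortcuts),
        "suspicious": bool(blank_dirs) or bool(decoy_shortcuts),
    }


def attrib_reset_command(drive: str) -> list:
    """The attrib invocation from the article, as an argv list for e.g. drive 'E:'."""
    return ["attrib", "-s", "-h", "-a", "-r", drive.rstrip("\\") + "\\*", "/s", "/d"]


def reset_attributes(drive: str) -> bool:
    """Clear system/hidden/archive/read-only attributes; attrib exists only on Windows."""
    if sys.platform != "win32":
        return False
    return subprocess.run(attrib_reset_command(drive), check=False).returncode == 0


if __name__ == "__main__":
    print(triage_drive(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against the drive's mount point first; reset attributes only after the triage confirms the files are still present in the blank-named directory and the worm's own files have been quarantined.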
Further examination of the machine revealed the malware didn't just reside in the system, but also infected a program required to operate the device.
Dr.Web CureIt! identifies the main application's executable as infected (the location on the D drive is highlighted on the screenshot). If the anti-virus deletes the file, we will be left with a pile of metal instead of the laser-cutting machine.
Fortunately it was a virus, not a trojan. Because of that, it was possible to delete the malicious code (recall that unlike trojans, virus code can be removed from a file).
The Anti-virus Times recommends
- Old viruses do not die. The systems on which they run are more likely to disappear. But that's not going to happen any time soon.
- A corporate anti-virus must be up and running on computers within your infrastructure. And someone should monitor infection statistics, too. There is always a chance that someone will plug a compromised flash drive into the wrong computer.
- Just bought a computer? Run an anti-virus scan.
- Hardware is cheap these days, and an operating system under which trojans can run may be found in all sorts of devices ranging from printers to smart toilets.
- Quarantining suspicious files should be set as a default action. Otherwise, security researchers will have no way to analyse the file.
- Back up your data before treating systems essential to your organisation.
- Unfortunately, one can't take manufacturers at their word.
- If you experience problems like the one we've just described, contact us.