My neighbor called me the other day and asked if I could look at his computer. (Something you might well experience yourself :-) ).
The ISP problem turned out to be the ISP’s problem, and resolved itself the next day.
The laptop, however, turned out to be a different story. When I was done with it, my neighbor asked, “Well, is that an Ask Leo! story?”
Why, yes. Yes it is.
As with any well-used system, the symptoms were somewhat obscured by what could also be normal behavior.
My neighbor’s description boiled down to this: “I can’t get to most sites. Oh, and I think I saw the word ‘redirect’ flash by at one point, could that be related?”
Well, yes, it could be, but that alone is certainly not a symptom of a problem. Redirects are common – when you use a URL-shortening service like bit.ly or tinyurl.com, then you’re using a redirect. An example might be one of my own: https://go.askleo.com/ms redirects you to microsoft.com.
But as you can imagine, redirects can be used for evil as well. So with “I can’t get to most sites” being the major symptom, it was certainly a consideration.
The contributing factor
One thing that may have contributed to the problem was that the security suite – Norton 360 – had expired.
Now, it’s unclear just how much or how little Norton does in the expired state, but it certainly didn’t make me feel good about the machine. Ultimately, my guess was that it was extremely vulnerable until Norton was renewed, or until an alternative was installed.
And, indeed, attempting to download an alternative is what clued my neighbor into the problem: none of the sites he was trying to reach would respond.
The evidence of a redirect virus
Whenever I hear about unexpected redirects, one of my go-to places to look is the “hosts” file. Hosts is a shortcut for DNS lookups – the mapping of domain names, like “askleo.com”, to their IP addresses (220.127.116.11, currently). Windows, and indeed all popular operating systems, look in the hosts file for a domain-to-IP address mapping before asking DNS servers for the answer.
As you might expect, what some malware likes to do is change what’s present in hosts. If it can change the IP address associated with, say, askleo.com, then it can cause your visit to askleo.com to actually go to its malicious server instead. Fortunately, this is one of the things that most security software can prevent, and an https connection will warn you if it’s detected. The security software wasn’t running in this case, of course not all sites are https, and https warnings are, unfortunately, common enough that we often ignore them anyway.
Sure enough, in the hosts file (c:\windows\system32\drivers\etc\hosts) were some absolutely suspicious entries.
What was interesting is that these entries were preceded by dozens of blank lines – almost as if the malicious software was hoping that we might not scroll down if looking at the file, and thus miss these entries.
Coincidentally, I’d just heard of this specific variant a week before.1
Those two sites – google-analytics.com and connect.facebook.net – are two services websites often use to compile usage statistics. For example, all the Ask Leo! sites use Google Analytics, so I can see how many people visit, where from, what pages are the most popular, and more. The Facebook reference, as I understand it, is common when sites use Facebook “Like”, “Share”, or comment services.
By modifying the hosts file, malware inserts its own servers into the stream instead of the official ones. For example, instead of downloading the code from Google to collect analytics for a website, who-knows-what was downloaded from the malicious servers and run. (In my neighbor’s case, I believe the malicious servers had already been taken down, and it was the failure to get anything at all that was causing his browsing attempts to fail completely. But I could be wrong.)
If you know me at all, you can guess my first step.
I booted from a Macrium Reflect rescue disk, and used it to make a backup image of the laptop. Even though we call them “rescue” disks, many backup tools will allow you to use those disks to make backup images.
This is important for two reasons:
- No matter what I did next, I couldn’t make matters worse. :-) If I did, I could just restore the backup image and start again.
- It would allow me to examine the machine in more detail after it had been fixed. In fact, the screen shots accompanying this article are taken from the backup image, restored to run in a virtual machine.
This sure sounds like my article: How do I remove a virus if it prevents me from downloading or installing anything? Indeed, that’s right where I started: by running Windows Defender Offline. I downloaded it on another machine, burned it to CD, booted the laptop from it, and ran a scan.
It detected malware, but failed to fix it.
In fact, I ran it twice, because the first time I didn’t notice that the fix had failed.
Next, I downloaded and tried another stand-alone repair disk from another security software vendor, which also failed (more explicitly this time).
This didn’t bode well.
Fortunately, that last repair disk also included a command-line interface.
I figured it was time to take matters into my own hands.
All I did was edit the hosts file with a text editor to remove the malicious redirections that resulted from the redirect virus. I have no idea why neither tool I tried was able to do that.
I’d been reluctant to start there, since I expected the hosts-file modification to be a symptom of a larger problem, and I wanted the security software to scan for and correct those issues as well. Apparently not.
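The hosts-file check and the manual cleanup above are simple enough to script. What follows is an added example, not code from the article: it parses hosts-file text the way the resolver does (ignoring comments and blank lines), flags the two hijacked names the article mentions when they point anywhere other than loopback or 0.0.0.0, flags the dozens-of-blank-lines padding trick, and writes out a cleaned copy that keeps every other line. The sample hosts content is constructed, and 203.0.113.10 (a documentation-only address) stands in for the attacker’s server; the list of watched hostnames is an assumption you would extend for your own environment.

```python
"""Audit and clean a hosts file for the kind of hijack described above.

Added example, not code from the Ask Leo! article. The sample hosts text
and the 203.0.113.10 address (documentation-only range) are constructed.
On Windows the real file is c:\\windows\\system32\\drivers\\etc\\hosts.
"""
import ipaddress
import sys

# Hostnames the article says were redirected. Assumption: a practitioner
# would extend this with other script hosts their sites depend on.
WATCHED_HOSTNAMES = {
    "google-analytics.com",
    "www.google-analytics.com",
    "connect.facebook.net",
}

# A run of blank lines this long or longer is treated as padding meant to
# push entries below the bottom of an editor window (the article saw dozens).
PADDING_THRESHOLD = 20


def parse_hosts(text):
    """Return (line_number, ip, [hostnames]) for every mapping line.

    Everything after '#' and every blank line is ignored, which is how the
    resolver reads the file too.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; the resolver ignores it as well
        entries.append((lineno, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_sinkhole(ip_text):
    """Loopback or 0.0.0.0 targets are the ad-blocking pattern, not a hijack."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def longest_blank_run(text):
    """Length of the longest run of consecutive blank lines."""
    longest = run = 0
    for raw in text.splitlines():
        run = run + 1 if raw.strip() == "" else 0
        longest = max(longest, run)
    return longest


def audit_hosts(text):
    """Return findings as (severity, line_number, message) tuples."""
    findings = []
    run = longest_blank_run(text)
    if run >= PADDING_THRESHOLD:
        findings.append(("warn", 0, f"{run} consecutive blank lines (possible padding)"))
    for lineno, ip, names in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        hijacked = sorted(set(names) & WATCHED_HOSTNAMES)
        if hijacked:
            findings.append(("hijack", lineno, f"{', '.join(hijacked)} -> {ip}"))
        else:
            # Any other real address deserves a look; a NAS on the LAN is
            # legitimate, an unknown public address is not.
            findings.append(("review", lineno, f"{', '.join(names)} -> {ip}"))
    return findings


def clean_hosts(text):
    """Drop 'hijack' lines and collapse blank-line padding; keep everything else."""
    drop = {lineno for sev, lineno, _ in audit_hosts(text) if sev == "hijack"}
    out, blanks = [], 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if lineno in drop:
            continue
        blanks = blanks + 1 if raw.strip() == "" else 0
        if blanks > 1:
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample mirroring the article: default comments, a legitimate
# local mapping, a blocklist-style entry, forty blank lines, then the redirects.
SAMPLE_HOSTS = "\n".join(
    [
        "# Copyright (c) 1993-2009 Microsoft Corp.",
        "#",
        "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.",
        "#\t127.0.0.1       localhost",
        "192.168.1.20    nas.home.arpa",
        "0.0.0.0         ads.example.com",
    ]
    + [""] * 40
    + [
        "203.0.113.10    google-analytics.com www.google-analytics.com",
        "203.0.113.10    connect.facebook.net",
    ]
) + "\n"

if __name__ == "__main__":
    # Pass a path to audit a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if sys.argv[1:] else SAMPLE_HOSTS
    for severity, lineno, message in audit_hosts(text):
        print(f"[{severity}] line {lineno}: {message}")
    print("--- cleaned ---")
    print(clean_hosts(text), end="")
```

Run without arguments to see the sample flagged and cleaned; run it against a copy of the real hosts file to audit a machine. It only prints the cleaned text rather than writing it back, so you can compare before replacing the file (which needs administrator rights on Windows), and it deliberately leaves loopback and 0.0.0.0 entries alone because those are how ad-blocking hosts lists work.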
Windows Defender Offline then reported the system as clean, as did the other repair disk.
Then I downloaded and installed a copy of MalwareBytes Free on the system, and ran that. It also reported several items – mostly PUPs – which it quickly cleaned out.
Next I rebooted, connected to the internet, successfully downloaded Microsoft Security Essentials, and let it run a complete update and scan. Similarly, I re-ran MalwareBytes, allowing it to update its database first, and it came up clean as well.
To be honest, I have no clue as to exactly how the machine became infected. There are many possibilities.
Similarly, the PUPs that MalwareBytes found could have been the result of random previous installations, completely unrelated to the major infection, or they could have been additional downloads facilitated by the infection.
Or it could have all been something else completely.
We’ll never know.
The machine was left with Microsoft Security Essentials as its security software, Windows Firewall enabled, and MalwareBytes Free for on-demand scans as needed.
The reason I share this story with you, beyond it just being an interesting case study in malware detection and removal, is that there are several important take-aways:
- Have a recent image backup to restore to. There wasn’t one in this case, but had there been, the story would have been much more boring: restore from backup prior to infection and get on with life.
- Renew or replace your security suite before it expires.
- Not all anti-malware tools catch, or repair, all malware. While the specific failure I encountered was unexpected2, that something wasn’t fixed is common. Having alternate tools or techniques (or resources, like people to call on) ready can be important.
- And, of course, learn how to Stay Safe on the Internet.
Do at least the first and the last, and you may never need to have a story like this of your own to tell.