Windows 10 - Bad RAT & how I "defeated" it

Discussion in 'Windows 10' started by Space_Janitor_Man, Mar 7, 2019.

  1. Space_Janitor_Man

    Space_Janitor_Man MDL Novice

    Jun 20, 2018
    5
    0
    0
    #1 Space_Janitor_Man, Mar 7, 2019
    Last edited: Mar 7, 2019
    I've learned quite a lot from this community, so I thought I would give back by sharing an experience I had recently with Windows 10. I'm on a private network and this still managed to defeat me for months, so I'm guessing there was some nearby activity involved as well. The biggest signs that confirmed it was an attack were:
    • LOUD fan / high fan RPM when idle on the machine.
    • Warning from Windows DEP that svchost.exe was trying to be maliciously modified
    • Mouse lagging / video+audio lag when streaming
    • Services with suspicious permissions when investigated in regedit
    • Services that just wouldn't die that are needed for the RAT to work (RemoteAccess / VirtualWifi / Distributed Link Coordinator, Bluetooth networking, OneSync/Setting Sync, ConnectedDevicesPlatform...)
    • Devices installing on their own even with Windows Update, Update Orchestrator Service, Windows Update Medic service disabled
    • Websites redirecting to phishing versions of the site - Gmail was the most obvious
    There's a longer list I can go through but that was the gist of it. Luckily, a month or so in I found this site confirming my suspicions (I can't post a link due to post limit - google "Harden Windows 10 - A Security Guide"). Lo and behold, after following his very detailed instructions, it slowed down the attack to the point where I could actually make some progress. Best $10 I ever spent (not affiliated with that site's author - just super happy with results after wanting to bash my head with frustration. He also posts all the instructions WITHOUT having to pay; the donation just provides you with GPO Baselines and Batch Scripts to take care of the work quickly if needed).

    After documenting the services that would turn themselves on automatically, I was able to determine the madness behind the attack.
    • Bluetooth confirming it was a local attack in addition to internet based
    • VirtualWifi being killed in Wlansvc regedit increased internet responsiveness in addition to using SimpleDNSCrypt to obfuscate traffic entries.
    • Blocking Internet Explorer/Edge/Microsoft.Photos/MobSync with secpol.msc using control+f10 on language selection after install completes on first setup screen increased responsiveness
    • Blocking DHCP service/Workstation/Server/Distributed Transaction/TabletTouch using services.msc during installation in the "Installing Services" screen helped responsiveness
    Again, this was such an insane attack... I have no idea how Windows is so vulnerable out-of-box. I'm still working on fixes because the occasional service still auto-spawns. Digging into service permissions in HKLM\SYSTEM\CurrentControlSet\Services\ and disabling inheritance, setting myself as the Owner / removing all other users and adding the group "Everyone" set to Deny All is the only way I've found to kill them.

    I used to use ESET HIPS to monitor when registry values would change, but ESET ended up causing more problems since it relies on DCOM, which I've learned to disable after reading the instructions I linked above.

    I'm not going to try and re-explain how the instructions helped, please check out the site if curious. Lots of best practice advice for Windows 10 I was NOT familiar with. Lesson learned.

    TL;DR: Windows Security GPO baselines + Software Policy Active ftw.

    Bad Services list that would constantly respawn:
    • AssignedAccessManager
    • Bcast
    • BITS
    • CDPUserSvc
    • CBDHsvc
    • DevicesFlow
    • DevicePicker
    • DeviceAssociation
    • DiagTrack
    • UnistoreSvc_XXXX
    • UsrDataSvc_XXXX
    • Microsoft_Bluetooth_AVC
    • NetBios
    • SecLogon
    • SharedRealitySvc
    • SharedAccess
    • Ras_ALL
    • RDP_all
    • RemoteAccess
    • OneSyncSvc
    • PlugNPlay
    • PushToInstall
    • PIMIndexMaintenence
    • PhoneSvc
    • PeerDistSvc
    • TabletInputService
    • SSH
    • SSDP
    • Ike and AuthIP IPsec Keying
    • wuausvc

    I can finally move on with my life... for now. Cheers and hopefully this never happens to you.
     
  2. ch4os

    ch4os MDL Junior Member

    Jan 9, 2010
    84
    92
    0
    To me this sounds like you are only fighting the outcome/activity of some malware you obviously have on your computer instead of getting rid of the actual malware itself.

    For me personally I would've never tried to fix that Windows. Try to figure out what process caused the infection in the first place (might be impossible though) and reinstall completely. There's almost no way of knowing for sure you got rid of everything.

    Just my 2 cent ;)
     
  3. Space_Janitor_Man

    Space_Janitor_Man MDL Novice

    Jun 20, 2018
    5
    0
    0
    #3 Space_Janitor_Man, Mar 7, 2019
    Last edited: Mar 7, 2019
    (OP)
    Trust me, I definitely considered that. This is all happening on a clean install with signatures verified on any 3rd party software added afterwards. At the moment the only software I have installed are internet browsers, sandboxie to protect browsing activity, Software Policy Active, WFC, and my VPN software (which I purchased a dedicated IP with).

    In addition, I've been using software repository services such as Chocolatey to add an additional layer of verification and security.

    Also, malware wouldn't install Bluetooth networking devices... right?
     
  4. ch4os

    ch4os MDL Junior Member

    Jan 9, 2010
    84
    92
    0
    Well. It's hard to give any more helpful advice without having the full picture here. I don't say it's impossible, but I'm still a bit unsure about how the initial attack started.

    Devices/drivers being added could all be the result of something else that was run before somehow. Hard to tell what happened exactly.

    It’s just that I wouldn’t expect lags or high CPU usage when someone was that clever to actually find a way to your PC offline wise. You normally would try to act in a more sneaky manner. And finding its way to your PC without using the internet seems highly unlikely imho. Yes, there might be ways and proof of concepts, but what are the odds here.

    I might be wrong though, maybe you're actually a high value target for someone. It does happen, so... definitely possible, but it's not your everyday hack, I guess.
     
  5. WindowsGeek

    WindowsGeek MDL Addicted

    Jun 30, 2015
    619
    124
    30
    Malware could have been introduced via a thumb drive, some kind of social engineering.
     
  6. s1ave77

    s1ave77 Has left at his own request

    Aug 15, 2012
    16,136
    24,058
    340
    Fresh Windows 10 install ... tons of scheduled maintenance tasks, preferably triggered when the system idles for a certain time.

    Unaware user notices the fact ... consults the net ... net implies it might be a virus disguised as system process ... user panics ... starts recommended mitigations ... system is screwed ... format :c ... cycle starts over ....


    Reminds me of a friend whose system I stopped maintaining due to such 'nonsense' :cool2:.
     
  7. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    6,384
    14,075
    210
    He uses Sandboxie and still gets infected?
    Properly configured/hardened sbie could have prevented any infection...
     
  8. macnavarra

    macnavarra MDL Member

    Nov 13, 2017
    224
    52
    10
    What you described there is comparable to total car damage by the insurance company. :biggrin5:
     
  9. ememex

    ememex MDL Novice

    Oct 26, 2016
    1
    0
    0
    Any experienced sysadmin will simply nuke the install and start fresh. How can you still trust your system after experiencing such a massive infection? If "nearby" devices were also infected, a private network is useless. Chances are you were using the same login credentials on more than one machine (or PCs were domain-joined, who knows) for the attack to be persistent.

    Where did you download your Windows installation images from?

    You basically used a rooted OS for months... did you not consider that your activity was being recorded as well? Every single keystroke was probably used against you. I hope you changed your passwords on a clean machine!
     
  10. LiteOS

    LiteOS MDL Expert

    Mar 7, 2014
    1,636
    700
    60
    Go to regedit in this location [ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost ].
    If you empty the subkey UnistackSvcGroup of values,
    the related services like UnistoreSvc will stop working.
    It's always good to make a backup.
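    Added example, not from this thread or any poster: a read-only PowerShell audit that backs up the Svchost key first (as the post advises), then lists which services the named svchost group hosts, their Start type, and which principals can write to each service's registry key (the permissions the first post was inspecting by hand). The group name and backup path are assumed defaults.

    ```powershell
    # Added example: audit one svchost group and the registry ACLs of its member services.
    param(
        [string]$Group = 'UnistackSvcGroup',                 # group name from the post
        [string]$BackupPath = "$env:TEMP\Svchost-backup.reg"  # assumed backup location
    )

    $svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Export the whole Svchost key before anyone edits it.
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' $BackupPath /y | Out-Null
    Write-Host "Backup written to $BackupPath"

    # Each svchost group is a REG_MULTI_SZ value: one hosted service name per entry.
    $members = (Get-ItemProperty -Path $svchostKey -Name $Group -ErrorAction Stop).$Group

    $startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $writeRights = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [int][System.Security.AccessControl.RegistryRights]::WriteKey

    foreach ($name in $members) {
        $path = Join-Path $servicesKey $name
        if (-not (Test-Path $path)) { Write-Host "$name : no registry key"; continue }

        $start     = (Get-ItemProperty -Path $path -Name Start -ErrorAction SilentlyContinue).Start
        $startText = if ($null -ne $start) { $startNames[[int]$start] } else { 'unknown' }

        # Principals allowed to change values or create subkeys under this service key.
        $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
        $writers = @()
        if ($acl) {
            $writers = $acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               (([int]$_.RegistryRights -band $writeRights) -ne 0) } |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        }

        [pscustomobject]@{
            Service  = $name
            Start    = $startText
            Owner    = if ($acl) { $acl.Owner } else { 'access denied' }
            CanWrite = ($writers -join ', ')
        }
    }
    ```

    Run it from an elevated prompt to see every key's ACL; a service whose key is writable by a broad group such as Users or Everyone is worth a closer look.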
     
  11. MS_User

    MS_User MDL Guru

    Nov 30, 2014
    3,202
    609
    120
    Wiping your HD is the only way to be 100% sure.
     
  12. Space_Janitor_Man

    Space_Janitor_Man MDL Novice

    Jun 20, 2018
    5
    0
    0
    Thanks for all of the replies! I took your advice and used an OEM Windows USB vs an image I verified + rufus, considering they could've infected the non-firmware-write-protected USB at some point during the process. I also ran Windows Repair Tool (tweaking.com) after the fresh install to ensure all registry permissions + service permissions were reset to default.

    @s1ave77 - I understand the double-edged sword of being overly aware without the amount of patience and expertise needed to actually remove the virus. I guess the illusion of a network being private isn't truly private if it's still making its way through.

    I'll wait until I've completely nuked the drive (or actually swap it with a new one) + fresh Windows DVD + recommended security steps + connecting to any in-home wifi behind a router via access point using OpenWRT/LuCI before I report any additional diagnostics.

    I don't think I'm high value, but I've worked for some large consulting companies / an artist, so who knows. The troublesome part of anonymous hackers is they remain anonymous. I'll do some reading on collecting networking packets / logs / identifying my attackers if I ever want an answer on the who :( I just figured those who want to do so will use the same methods or even more advanced as those who access certain areas of the internet.

    Edit: Also, I'll do some further research on hardening Sandboxie to help mitigate browser based attacks. I'll escalate the importance of using keystroke encryption to prevent further monitoring.

    Edit 2: Seeing the thread recently of someone bypassing the Firmware protection on USB makes me realize a DVD is truly the only safe way if someone wants to mess with my clean install...
     
  13. macnavarra

    macnavarra MDL Member

    Nov 13, 2017
    224
    52
    10
    #13 macnavarra, Mar 11, 2019
    Last edited: Mar 14, 2019
    I don't think someone can bypass these USB flash drive easily or at all : Kingston Datatraveler DT100G3/16GB
     
  14. Space_Janitor_Man

    Space_Janitor_Man MDL Novice

    Jun 20, 2018
    5
    0
    0
  15. macnavarra

    macnavarra MDL Member

    Nov 13, 2017
    224
    52
    10
    #15 macnavarra, Mar 12, 2019
    Last edited: Mar 12, 2019
  16. eemuler

    eemuler MDL Member

    Jul 31, 2015
    222
    63
    10
    You have infected computer(s) on your network. Been there - I'd get re-infected even before I'd finished installing Windows. Best way forward is to do a clean install while disconnected from the network, do all the hardening, firewall, anti-virus etc. and only then connect to the network. If you can get another internet connection (e.g. tether your phone or use a dongle), use that for setting up everything and only connect to your 'private' network when all shields are up.
     
  17. Herman Munster

    Herman Munster MDL Novice

    Aug 18, 2011
    16
    1
    0

    Ya, not just a format but something like Darik's Boot and Nuke.
     
  18. Herman Munster

    Herman Munster MDL Novice

    Aug 18, 2011
    16
    1
    0

    I use lockable sticks for service
     
  19. Space_Janitor_Man

    Space_Janitor_Man MDL Novice

    Jun 20, 2018
    5
    0
    0
    #19 Space_Janitor_Man, Mar 21, 2019
    Last edited: Mar 21, 2019
    (OP)
    Update: I zero-wiped my HD 4 times using the low level format tool on Hiren's Boot CD PE (which is pretty cool, definitely looking at what tools they use). I also detected ARP spoofing on the network beyond 239.255.255.0. I ordered a Windows 10 Recovery DVD on amazon for $10 and also a 2019 Driver DVD for $10. $20 + some patience and, with your help, some logical thinking helped me remove the malware. Now, hopefully I can prevent it from returning to my machine and will take this experience as a lesson. I insisted on using DVD vs USB because of the suspect network issues / not being an admin of the other machines within my household to force them to clean. If I can't trust the network, I can't trust the image. Even with the hash-verified ISOs on USB, it didn't fix the problem.

    Now, I just need to get up to date on networking best practices and have been reading...
    • "Network Analysis using Wireshark 2 Cookbook" - Nagendra Kumar Nainar, Yogesh Ramdoss, Yoram Orzach
    • "CompTIA Security+ Certification Guide" - Ian Neil
    • "Learning Malware Analysis" - Monnappa KA
    • "Hands on Penetration Testing on Windows" - Phil Bramwell
    • "Nmap Network Exploration and Security Auditing Cookbook" - Paulino Calderon
    I'm sure it will return until I leave this household but at least I have a clean image to fall back on so I don't have to start from scratch every time. I know I mentioned I wouldn't post until I'm in a truly private network, but for now, this solved the Windows half of this issue.

    Malware, how I hate you so. Just to be double safe I'm going to re-flash my BIOS chip (yes, I know of the bricking potential) using a serial programmer in case of other hidden backdoors just waiting to be opened.

    Thanks for your calm advice - it helped me realize the path in front of me. I'll ensure to VERY thoroughly read "Hands on Penetration Testing on Windows" to help identify further warning signs.

    <3
     
  20. eemuler

    eemuler MDL Member

    Jul 31, 2015
    222
    63
    10
    #20 eemuler, Mar 21, 2019
    Last edited: Mar 21, 2019
    Just read my post above - #16. I've used the kind of 'private network' you are talking about. What I used to do worked for me 100%.

    If you're connected via LAN (ethernet cable) and your motherboard supports network booting, you should probably be turning that off in the BIOS.