My blog has very low activity, so if you’re reading this post, it means you’ve searched for a solution to your problem but haven’t yet found one.
About 3 weeks ago I was hit by the ‘System Check’ malware. A script on a website (I can’t recall offhand which, but it was one of the WordPress sites), likely through a poisoned theme file or some upload. My anti-virus (ESET) picked it up, a few times at that. I was curious, and looked into my temp folder to see what was up. A few moments later I had forgotten about the intrusion (I have a bad memory), and I turned off the ESET Firewall to open a port range (don’t ask why). Then bang!!! I was hit by the malware.
So this is what basically happened (I think):
- An intruder plants a malicious script in a WordPress site (or comments field)
- User goes to site
- Script runs with the rest of the blog
- Script downloads executable file to the internet temp folder
- File runs silently, connecting to wherever to install the ‘System Check’ malware, and doing other things like hiding folders and the like.
- Your DNS cache is poisoned and your computer hijacked
- You lose hope
I won’t go into the details of how to uninstall/remove the thing. There’s plenty of tutorials out there. The most interesting thing for me is what is left after you clean your system.
For example, I have a redirect issue whenever I go to Google. At first it was random, but now it happens every time. Whenever I click on a search result I am taken to something like http://***.com/?c=eaa2e3099b054bf5ecb0888b2a3428e1&uid=***.
The page appears and disappears as fast as your internet connection allows; sometimes I’m directed to the page I was looking for, but on other occasions I’m sent to http://yellw.info/*. Now that was what was concerning me, because I can’t find anything on a ‘yellw.info’ malware or the like, so I effectively can’t clean the thing.
Wondering how the process works, I decided to catch the MITM thing, and here’s the script that’s executed during the whole process. It’s a form submission that might seem harmless, but we won’t know:
I don’t know if the data in the form variables means anything specific, I tried running the MD5 hash on the net, but didn’t find anything definite. I didn’t try to catch other urls to see whether they’re consistent with the one I posted here. One thing I noticed was that when I just go to the page with blank parameters, I end up at yellw.info with missing GET parameters.
I know I’m not offering a solution to the problem, as I have no time to find out what’s wrong, but I’ve tried many things:
Each contributed valuably, but didn’t solve the problem. I even checked my registry for changes to DNS details (where router data is stored), but I haven’t tried flushing that bit yet. ComboFix found a copy of the original files that were installed when I went to that dodgy website, but nothing’s changed. As far as I have checked, all the domains are registered through DirectNIC. Refer to the pic below.
A few things I would suggest, however, are to:
- block yellw.info with your firewall
- try to exhaustively block the domains that you keep redirecting to (obviously I mean IP addresses, assuming this thing is hosted on a private server somewhere)
- remain alert; there might be more tricks, as your PC is essentially a bot
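One defender-side check for the poisoned-cache symptom described above, added here as an example and not code from the original post: it parses the output of `ipconfig /displaydns` on Windows and lists cached names that resolve to the same address as a known redirect domain such as yellw.info. The sample output and the addresses in it are constructed (RFC 5737 documentation ranges), and the domain list you pass in is your own assumption about what is bad.

```python
import re
from collections import defaultdict

# Constructed sample of `ipconfig /displaydns` output (not captured from the
# post); addresses come from the RFC 5737 documentation ranges.
SAMPLE_DISPLAYDNS = """
    www.google.com
    ----------------------------------------
    Record Name . . . . . : www.google.com
    A (Host) Record . . . : 203.0.113.10

    yellw.info
    ----------------------------------------
    Record Name . . . . . : yellw.info
    A (Host) Record . . . : 203.0.113.10

    www.example.org
    ----------------------------------------
    Record Name . . . . . : www.example.org
    A (Host) Record . . . : 198.51.100.7
"""

# Only the two fields we need; the dotted padding before the colon varies.
FIELD = re.compile(r"^\s*(Record Name|A \(Host\) Record)[ .]*:\s*(\S+)\s*$")


def parse_displaydns(text):
    """Map each cached record name (lower-cased) to its A-record addresses."""
    records = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        field, value = m.groups()
        if field == "Record Name":
            current = value.lower()
        elif current is not None:
            records[current].append(value)
    return dict(records)


def domains_sharing_bad_ips(records, bad_domains):
    """Names not on the bad list that resolve to an address a known redirect
    domain also uses: a cheap indicator that the cache has been poisoned."""
    bad = {d.lower() for d in bad_domains}
    bad_ips = {ip for d in bad for ip in records.get(d, [])}
    return sorted(n for n, ips in records.items()
                  if n not in bad and bad_ips.intersection(ips))
```

On a live machine, feed the real `ipconfig /displaydns` output into `parse_displaydns` and pass the domains you keep being redirected to; any well-known name that comes back is a candidate for `ipconfig /flushdns` and a closer look at the resolver settings.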
I’m quite curious as to how the bot manages to be resilient to whatever I try; I’ll definitely post another article if I find the solution to the problem.
Stay safe 🙂