Attacked While Using VPN

I've noticed in the past few weeks problems emerging from using my paid-VPN.
I know...I know "don't use Windows". But some of the tools I need to use for my profession are only available on windows, and the alternatives are insufficient.
After a few minutes of usage, my anti-virus/internet security program will crash. The event log specifies it "terminated unexpectedly". The program restarts 1 second later. Then the link to my VPN will be severed.
Moments later, I get a "Failed to connect to server" event from MSIInstaller because the firewall component of the service forbids any non-VPN connections (I do this by specifying the MAC address of the TAP adapter in access rules).
After running Combofix each time this happens, I find an infected Version.dll in C:\Windows\SysWOW64 which has a valid digital signature but isn't the correct version of the dll. My ntuser file will also be infected.
These infections appear to operate as shells to grant backdoor access. Whoever is doing this is very good at what they're doing.
It's either an infection on the VPN server or it's an attack being carried out in between my computer and the server. They're not only exploiting an issue in OpenVPN, but also using a 0day which targets my specific security program.
I recall hearing about Rule 41 becoming law and am beginning to wonder if it's possible for the government to be doing this sort of thing so soon?
I doubt it is the government but I wanted to ask if any of you have experienced connection issues or issues with your security programs within the past month while using TOR or a VPN.
Worst case scenario I'll be reformatting and only running my VPN from within a VMware virtual machine...but if they already have a 0day to kill my AV program I wonder if they can attack a hypervisor too.
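An added check for the Version.dll finding above (this is editor-supplied example code, not something OP or anyone in the thread posted). It compares the live version.dll in System32 and SysWOW64 with every build of that DLL the WinSxS component store holds, and reports the Authenticode status, file version and whether a byte-identical store copy exists. The `-WinDir` parameter is there so it can be run from a clean boot environment against the suspect disk mounted elsewhere (e.g. `D:\Windows`), since a compromised system cannot be trusted to audit itself. PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Checks a system DLL against the
# WinSxS component store and shows its Authenticode status.
function Get-FileFacts {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        FileVersion = $item.VersionInfo.FileVersion
        LastWrite   = $item.LastWriteTimeUtc
        Sha256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
        SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Compare-SystemDll {
    param(
        [string]$Name   = 'version.dll',
        [string]$WinDir = $env:SystemRoot   # point at D:\Windows when auditing an offline disk
    )
    # Every build of the DLL that servicing left in the component store. The live
    # file is normally a hard link to one of these, so its hash should match one.
    $store = Get-ChildItem -LiteralPath (Join-Path $WinDir 'WinSxS') -Recurse -File -Filter $Name -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FileFacts $_.FullName }

    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $WinDir "$dir\$Name"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $live = Get-FileFacts $path
        $twin = $store | Where-Object { $_.Sha256 -eq $live.Sha256 } | Select-Object -First 1
        [pscustomobject]@{
            Path          = $path
            FileVersion   = $live.FileVersion
            LastWrite     = $live.LastWrite
            SigStatus     = $live.SigStatus
            Signer        = $live.Signer
            InStore       = [bool]$twin        # $false: no byte-identical copy anywhere in WinSxS
            StoreVersions = (($store.FileVersion | Sort-Object -Unique) -join ', ')
        }
    }
}

Compare-SystemDll -Name 'version.dll' | Format-List
```

Two caveats when reading the output. First, `SigStatus = Valid` with a genuine Microsoft signer only proves Microsoft signed *some* build of the file; an older, legitimately signed build dropped into the wrong place passes this test, so a valid signature on the wrong version is consistent with a downgrade or planted file and does not by itself imply Microsoft's signing keys were compromised. `InStore = $false` is the stronger signal, and `sfc /verifyonly` performs the same kind of store comparison for all protected files. Second, most Microsoft system files are catalog-signed rather than embedded-signed; `Get-AuthenticodeSignature` consults catalogs on Windows 8 and later, but on Windows 7 it can report `NotSigned` for untouched Microsoft files, so corroborate with Sysinternals `sigcheck -i` there.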

Oh well, guess this is going straight to archives. I hope none of you have to deal with this bullshit

Honestly most people on Sup Forums don't understand anything of what you just said
If you just posted bullshit pseudo-tech gibberish it's unlikely anyone would call you on it.

You should try to use EMET and see how the system fares.

I have never encountered an attacker of that sophistication. How exciting!

What is your specific security program?

You should probably go ahead and install gentoo m8.

Besides that, if you think a government would want to target you, yes they can.

>valid digital signature
Doesn't that mean they have MS's keys

Why don't you install Wireshark and monitor traffic? See if anyone is actually remotely accessing your computer?

Better to do this on a separate box

Why?

Honestly, just nuke the system. Find any files you absolutely need, absolutely no exe, MSI, standalone programs, etc. Dban the disk. Reinstall windows. The only thing that happens when a computer is like this is more shit comes in through the gaping vulnerabilities. It blows to have to do but better safe than sorry.

A compromised system can't be trusted to audit itself, presumably.

Fair enough. But if it did show up then we have an answer, don't we? If it doesn't well then... What you said.

u wut

Distracted. I'm trying to say that he should give it a shot, and if he sees anything fishy well then there it is, he can move from there. Otherwise, no harm done.

This.

Oh, I'm a dumbass. You mean a separate box on the same network, so you can monitor the same traffic.

U rite, user.

Yes indeed, same network. Should've been clearer.

Hmmm. Have you tried running Wireshark on your device and seeing what connections are being made? Maybe Wireshark on another device through a hub? Should be fairly easy to stop with an application level firewall. Also, you need to set up an admin account and run as guest. That should help with the dlls being fucked with. If not, try another VPN and see what happens. Would be interesting if this was existent through many VPNs. It may be true that you are simply being individually targeted as well. Depending on your employment situation you may want to let them know what's going on. You may be able to check a larger sample size of machines if your place of employment knows there may be an issue. This may be only 1 part of an attempt to exfiltrate data from your employer.

It's an older version. It's possible that it was weak and cracked or leaked a while back.

If all of the traffic is going through the VPN it would just be encrypted.

He already knows that the attacker tried to escalate and his firewall blocked a non-VPN connection. I doubt that he wants to let that connection proceed anyhow.

What would he gain from running wireshark?

After removing whatever malware was installed, it apparently reinstalls itself upon using the VPN. Running wireshark would possibly give some indication of where it's coming from

Maybe MITM to OpenVPN server using 0 day against OpenVPN client....Maybe server is compromised. Exciting!

OP, set up a linux machine and share its network connection with the infected machine. Use HOSTAPD, most distros have it and the Arch Wiki explains how to set it up. Monitor everything from the comfort of Linux. Netstat and Tcpdump are great tools for monitoring.

Relax, it's just skynet flirting with you.

Wow.
OP here, sorry guys I thought no one was going to reply my thread so I had given up on it.
This infection is worse than I originally thought.
There are entries for malicious driver files in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
My mbr is also compromised.
Who the fuck knows what else is infected.
And for the record, I have never run any cracked applications on this computer. It's all 100% legit stuff.

I'm kind of freaking out.
I have never seen malware trying to stick its tendrils into such...varied places. It doesn't make sense - they already had infected two really important system files. And doing this sort of thing is supposed to make it easier for heuristic scanners to detect malicious applications.
Another thing that worries me is that this malware doesn't seem to be doing anything destructive at all, it's just extremely subtle.
If the government really did do this, does that mean I'm already fucked?

I need to chill out a bit and when I do I will try your suggestions, starting with using a VM to see if this can be replicated there so I can do some static malware analysis. But I know, as some of you may also, that there are plenty of pay-to-use FUD (fully undetectable) crypters out there that can detect when the application is being run in a VM.

I really hope I'm just being silly but oh boy do I have a bad feeling about all this.
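An added audit for the SafeBoot registry entries OP describes above (editor-supplied example, not code from the thread). It walks `SafeBoot\Minimal` and `SafeBoot\Network`, resolves each entry to the driver file or service binary that would be loaded in Safe Mode, and flags entries that have no backing service, no binary on disk, or a binary whose Authenticode status is anything other than Valid. Device-class GUID keys and "Driver Group" entries are skipped because they do not name a loadable file. The ImagePath resolver handles the forms Windows actually uses (`\SystemRoot\...`, `\??\C:\...`, `system32\drivers\...`, quoted paths with arguments). PowerShell 3.0 or later on the live system is assumed; the same caveat as before applies, so run it from a clean boot if you can.

```powershell
# Added example, not from the thread. Audits SafeBoot entries against the
# Services key and the signatures of the binaries they point at.
function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())   # %SystemRoot%\...
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)                                        # "C:\Program Files\x\y.exe" /arg
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } elseif ($p -match '^(?<exe>.+?\.(sys|exe|dll))(\s|$)') {           # C:\x\svchost.exe -k netsvcs
        $p = $Matches.exe
    }
    $p = $p -replace '^\\\?\?\\', ''                                     # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                    # \SystemRoot\System32\drivers\x.sys
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p } # system32\DRIVERS\x.sys
    return $p
}

function Get-SafeBootAudit {
    foreach ($set in 'Minimal', 'Network') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$set"
        foreach ($key in (Get-ChildItem -Path $base)) {
            $entry = $key.PSChildName
            $kind  = [string]$key.GetValue('')      # default value: Driver, Service, Driver Group, or a class name
            if ($entry -match '^\{[0-9A-Fa-f-]{36}\}$' -or $kind -eq 'Driver Group') { continue }

            $svc = $null; $bin = $null
            if ($entry -like '*.sys') {
                # Entries such as vga.sys name a file under System32\drivers directly
                $bin = Join-Path $env:SystemRoot "System32\drivers\$entry"
            } else {
                $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$entry" -ErrorAction SilentlyContinue
                if ($svc) { $bin = Resolve-ImagePath $svc.ImagePath }
            }
            $exists = [bool]($bin -and (Test-Path -LiteralPath $bin))
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $bin).Status } else { $null }

            $flag = if ($entry -notlike '*.sys' -and -not $svc) { 'NO-SERVICE' }
                    elseif (-not $bin)                          { 'NO-IMAGEPATH' }
                    elseif (-not $exists)                       { 'FILE-MISSING' }
                    elseif ("$sig" -ne 'Valid')                 { "SIG-$sig" }
                    else                                        { '' }

            [pscustomobject]@{ Set = $set; Entry = $entry; Kind = $kind; Image = $bin; Flag = $flag }
        }
    }
}

Get-SafeBootAudit | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Anything flagged `NO-SERVICE` or `FILE-MISSING` is worth a look, since a SafeBoot entry that points at nothing on a clean system is unusual; a `SIG-` flag on a file outside `System32\drivers` is the one to pull for analysis. As with the DLL check, Windows 7 may report `SIG-NotSigned` for catalog-signed Microsoft drivers, so confirm with `sigcheck -i` before treating those as hostile. To audit an offline hive instead, `reg load HKLM\Offline D:\Windows\System32\config\SYSTEM` and replace `CurrentControlSet` with the control set named by `HKLM:\Offline\Select` (usually `ControlSet001`).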

>And for the record, I have never run any cracked applications on this computer. It's all 100% legit stuff.

Maybe you are an interesting or valuable target?


>malware doesn't seem to be doing anything destructive at all, it's just extremely subtle.

Who knows what kind of freaky shit it may be doing.

I would personally ditch all my hardware, close the VPN account, and change all my passwords....

What VPN are you using?

That was my thought. Maybe his VPN provider has proprietary software that is actually a trojan of some sort.

>I really hope I'm just being silly but oh boy do I have a bad feeling about all this.
It sounds pretty bad desu. But why would a govt target you though? They usually don't target random individuals.

Also, what country are you in? What you are describing doesn't fit the definition of run of the mill malware. It sort of describes something a nation state would use, but you say the "versions" do not match, so I would tend to think this doesn't involve the government. It's unlikely, but possible, you have picked up the Stuxnet virus. ; )

Seconding, I'm definitely interested to know what VPN and whether he's using a proprietary client software or not

You mean which provider?
One not based in the US or the "Five Eyes" nations. I don't really want to specify which company atm.
I use OpenVPN.
openvpn.net/index.php/open-source/downloads.html
The VPN provider offers proprietary software but I do not use it and they do not require it.

I don't know. I'm still hoping it was something other than that.

I'm in the US. And before you ask, I'm not an immigrant and my family has been in this country for several generations.

What VPN are you using?

I've heard of VPNs being malicious before.

Are you sure that your applications won't run in Wine?

What applications do you have to use Windows for, anyway?

>I don't really want to specify which company atm.

agreed, tell us which vpn OP

>Maybe you are an interesting or valuable target?
No. I'm a software developer. I don't even work in the cyber security industry. I used to be pretty well versed in pen testing but have not used those skills in years.

Now I'll reply to other posters.

I wasn't.

Will try

Kaspersky Total Security. They rank pretty high up on the yearly rankings and I've been using them for years without issue. I don't use most of the "Total Security" features, I depend on it mostly for anti-virus and firewalling.

I'm considering dual booting. I need a non-VM'd windows to use certain programs. Wine won't cut it.
The government should not target me. I am not interesting at all.

This is one of the things worrying me. Stuxnet was deployed by using valid digitally signed files.

I will.

Yep

I'm going to try doing this.

I believe you are correct but I can't be sure. It's not like I keep track of every single windows file when it changes. I wouldn't have known something was wrong if combofix didn't pick up on it. No other security program I ran found it.

I would find it exciting if it wasn't being done to me.

Will do.

Ha.

>Kaspersky

You know that's Russian Security Software, right?

Call me a shill, but I'm just saying.

Yes of course I know. If I were living in Russia I wouldn't be using it.

>No. I'm a software developer.

Maybe you develop something valuable?

>Will try

Use EMET on the OpenVPN client process see if that stops the attack.

>I would find it exciting if it wasn't being done to me.

Neither would I desu.

I wouldn't use it period man.

Keep us updated OP, this is interesting

1. Be sure to let the VPN company know what you found. If you don't, and they see a thread like this AND they are being paid to compromise devices, you may get v8 and such.

2. Dump the hardware, backup data and get a new VPN.

You haven't mentioned which VPN service or which AntiVirus.
Calling BS

Saying either is just another way to seal the discovery quicker by the attacking party.

Please keep us updated when/if you fix it OP.
Also since you mentioned doing pen testing in the past I suggest you report this in a nice wrap-up article on some blog platform or whatever so you can get a lot of normie internet (you)s and maybe expose the existence of a 0day on openvpn, the fact that your provider is russian mafia or whichever epic plot twist you'll encounter along your way