Okay, here’s a shit story. I was doing a routine scan with ClamAV feb 4th. Out of nowhere it popped for a trojan. Thought it was a bit weird, probably a false positive. Nope. I discovered a weird .DLL in WINE, not in their repos, not something I installed. listed as .BRM for windows 6. I hashed it and ran it against everything I’d pulled from my .DLL files. No match. I went digging and found the schroot under /run/ I took a look at the properties and the env showed 128.7TB of storage. The program I use with WINE requires network access to authenticate and because it was for audio production, it had access to my filesystem for samples.
Broke out wireshark and confirmed they were exfiltrating data. I always have the camera covered and the Mic disabled, but only through a blacklist. As soon as they saw me, they wiped everything from my home folder, everything that wasn’t a base part of kde was gone. They got my passport, resumes, had just downloaded all my data from google and deleted my accounts. Wedding photos, contact lists, phone numbers, Everything. Immediately unplugged the router, disconnected the modem.
Found the roommate, he uses windows 10. No security updates, no antivirus. Rooted into his machine as well. 7 foreign IPs routing traffic over privoxy, shut down all the ports, airplane mode, took his important data and burned a windows 10 iso. He’s okay now. I’m currently running photorec, foremost and autopsy on an image of my drive trying to get what I can. Reopened a bank account, changed the phone number now I’m paranoid. Network password was stupid easy (not my connection, I don’t own it) and he had it set up so everyone with the password was admin. Every machine in the house is potentially compromised. He had a whole host of web 3.0 bullshit, chinese wifi camera,(probably watching through that) old google home assistant, ps4, xbox, light controls.
We ditched the router, the people I share this place with have no idea what a computer even is and I am trying to explain to them why this is a problem. My synthesiser’s OS is based on montevista linux, I connect it to the laptop all the time. There’s a server farm out there trying to get into insecure connections. I was rooted with 32x linux using a fake .DLL in WINE, he was rooted into by a Windows 10 machine. Of course he uses an admin account for everything. I pulled a shit tonne of persistence off my computer. Cron jobs, Startup scripts for privoxy and schroot, services, grub configuration, SSH keys, User Logins, Key loggers. This is sophisticated enough that they could tailor something on a per machine basis and I never would have found it if I hadn’t been actively looking because since they schroot, none of those processes were available to me to view. I just had a funny feeling the last time I used WINE because the configuration kept updating and it normally only does that if you add a library, or make a change to the program and I hadn’t done that in a month.
I need some help, fellas because I went to the cops and the cybercrime unit stops at “He posted my nudes on Facebook.” This was not intended for me, this is meant to spread across as many machines as possible. ISP in our area recently put in fibre in a bunch of different houses and I’m worried they may be piggy backing our connection off our neighbours. How many people out there are using older versions of android with no security updates? What if they get someone who works in power generation, law enforcement, a nurse on the way to the hospital. It is so bad and I cannot get any one to listen to me. They think I’m a lunatic. Last thing, can you give me some advice on containerising applications in docker, command line docker. I’m not giving a company my personal information to use their stupid GUI and I want to cut this off at the head. No more free access to the file system, every application and all the files I use with them on their own container. How do I build something from source in a leak proof Docker environment? how do I install a web browser with no access to geoclue, date and time or files? Resources, if you can, would be incredibly helpful. I am only doing linux for 2 years as a hobby, this is out of my wheelhouse. Just a blank container with one program, so I can inspect files coming in and out of and decide if something gets access to my home directory or not. stay frosty out there.
Edit: finally figured out how to add pictures to this. You’ll notice the tree from home folder that it’s basically fucking empty. You’ll also see ventoy which I had to have to get my housemate’s stupid ASUS laptop to let me burn Microsoft’s spyware onto it. You’ll also see photorec which is currently digging through all the data left on the disk.img, you’ll also see the output of my first attempt using foremost, which failed because the disk was mounted and live. Here is the audit.txt https://files.catbox.moe/picf4y.txt If you scroll down just a little bit, you will see the poisoned .DLL and the .exe that was hidden in it. Listed as created year 2000 and 1998. I don’t use social media, like at ALL because it’s all poison. Don’t you call me a fucking liar. You have ABSOLUTELY no idea what I have been through in the last 3 days. I have talked to local police, state police, had to img my entire drive and send it to them. I have lost copies of all my personal identification documents, immigration documents, I have had law enforcement visit me repeatedly. THIS IS NOT a fucking joke.
Edit: Christ the way this website handles image hosting, I can’t. 3 days of chainsmoking, talking to cops, reinstalling OSes and explaining to a 45 year old man that your router password cannot be 1love[name of his cat that he posts about on instagram]
Here all the images in one place. Sorry, incredibly stressful period right now, I use GNUicecat and since all of my user settings are gone I don’t know what’s working and what isn’t because I haven’t had 3 hours to sit down and configure it yet:
I need a fucking smoke
Something about this post is weird as fuck and some part of this story is missing for sure.
First of all, routine scans with ClamAV. Why are you routinely scanning your system, and what’s your expectation here? In most cases system compromise happens by executing something malicious or by exploiting something on your system, For the former, an active background scanner would help, but not a routine scan, and it’s easier to just not execute suspicious stuff. For the latter, your routine scanning is worthless.
Then the compromise over a WINE DLL seems something between borderline impossible on one hand, and like a very targeted and handcrafted attack on the other hand. Sure, wine is not a sandbox, but seeing this as the point of entry for a full blown persistent RAT is weirding me out massively.
Lastly, “them” setting up seemingly good persistence on your system, yet not hiding any indicators of compromise, and then nuking everything when they are seen. Why that effort? Either set yourself up for the long run and hide, or when detected just say “eh, whatever”. This also seems weird, since on one hand there’s indication for a professional, targeted attack, and other points sound more like rookie script kiddies.
Lastly, you. You seem like a pretty confident user while getting hit like that. It just feels off.
I’m not claiming you’re lying, and I couldn’t blame you for leaving information out because of opsec. But everything about this story feels off. I kinda assume that you’ve been actively targeted, and you should ask yourself why. What information or access do you have? How have you been pwned that “easily” and where did that DLL come from? How was it placed and executed?
This also seems weird, since on one hand there’s indication for a professional, targeted attack, and other points sound more like rookie script kiddies.
After watching a handful of videos about scam and hack houses in India, this isn’t far off. A hodge podge of knowledge they’ve garnered over the years, cobbled together with scripts they’ve picked up.
yeah, I’m not saying its fake but it does read just like a linux-horror creepypasta
Lastly, “them” setting up seemingly good persistence on your system, yet not hiding any indicators of compromise, and then nuking everything when they are seen.
That seems sort of plausible to me. It was hidden, but it’s not perfectly hidden.
My interpretation was OP isn’t necessarily the target here, but a victim of some Windows hack spreading around their shared network. It’s possible the whole network was “worth” such attention.
My interpretation was OP isn’t necessarily the target here, but a victim of some Windows hack spreading around their shared network. It’s possible the whole network was “worth” such attention.
Yeah, it might be that another system in the network was the initially compromised system, but I’m questioning whether Windows malware would be able to spread over wine to a unix machine to actually cause damage there. But that’s an attack vector I literally have zero idea about, just kinda seems suspicious.
And yeah, everything in OPs story is absolutely plausible, but it’s more of a gut feeling given the provided information that it just feels off. I might be fully in the wrong here, and they’re the unluckiest random person to ever have touched a unix machine, I don’t know. Definitely curious how this will develop though.
Sounds stressful asf, you should try take a break and relax (e.g. turn off all computers in the house for a few days). The rushed decisions you make now might not be the best
In terms of suggestions, I’d recommend:
- Isolating untrustworthy network devices (e.g. web3 shit and your roommate’s pc) in VLANs
- Running untrustworthy code in containers or vms
- Getting a proper router (openwrt one maybe?) and managing it yourself, don’t let your roommate touch it
- Setting up firewalls on your pc (restrict ports to the ones you actually need)
This would involve learning more about networking, Wikipedia and the arch wiki has pretty good information on it.
Setting up firewalls on your pc
opensnitch is a nice GUI firewall that has a bit of an annoying learning curve if you are not used to networking, but is otherwise very good.
This seems like something you should post in infosec communities rather than here.
Docker wouldn’t save you from this.
Yep, wine is a translation layer, not a sandbox.
Guess i have to plan in a periodic nmap cronjob with alerts against a whitelist now.
Post the hashes of the compromised files
Hey man, sorry you’re going through this.
Realistically I don’t think there’s much more you can do than what you’re already doing.
You wiped your machines, wiped the router, wiped the “smart home” devices, that’s it.
Now what you gotta do is:- Change the password to your important services and ensure 2FA is on for everything (Do you have a Android phone? I recommend the Aegis app)
- Did you have IDs or Documents on the files they got their hands on? If so, stay vigilant to ensure they won’t try to get loans or a credit line in your name.
- Separate the “Smart home” stuff into its own VLAN (Assuming you can’t just get rid of it altogether)
- Consider where this Malware came from. It originated via Wine, but how?
Were you running pirated software on there? If so, the source you got it from isn’t to be trusted.
this is meant to spread across as many machines as possible […] How many people out there […] What if they get someone who works in […] It is so bad and I cannot get any one to listen to me. They think I’m a lunatic.
Most viruses are meant to spread as wide as possible, what’s important above all is that you must calm down.
Saving the world is not your responsibility, if your local Cybersecurity division doesn’t want to help, oh well. Focus on Securing your stuff.
If you truly want to help, consider sending the infected .DLL to a service like VirusTotal. If it’s a new malware they haven’t seen before, the virus’ signature gets shared.
Also consider filling a complaint to IC3. While I don’t think they’ll reach out back to you, if this is a new Botnet or new Crime network they’re not already aware of, your report will bring it to their attention.In relation to isolating your apps from each other, maybe take a look into QubeOS. It’s built from the ground up for this purpose, though it might prove rather overkill for most users.
deleted by creator
And here are the images of the Audit from Foremost because fucking Catbox won’t fucking work https://ibb.co/Y7p1SxJK
Can you post the PCAP?
Lmao yeah dox yourself on public forum
Get a better job so you can afford better drugs. This is “Minimum Wage Methy”, and you want to be “Salaried Methy”.
Btw, far too much connectivity services still want to run as root nowadays. Was a bit of digging, to figure out how to run openssh rootless as unprivileged user. Instead of privilege escalation that has holes now and then, Linux does that already in clean, do
suif you want root.That happened ™
Who are you helping with this naive reply?
Others so they don’t fall for the troll. If you can’t see it you either didn’t read the post, or don’t have enough knowledge to call out bullshit on this topic.
Explain to me what the troll is here. I read the entire post. Seems like someone got access to one thing and then tried their hand at others. Easy to do when your first point of access (the router) is setup poorly.
I saw this happen years ago with a collocated Apache web server that the company failed to update Plesk on. Find one doorway and things fall like dominoes. We found hacks that weaved all the way into individual websites.
Assuming it’s a fake post: what for?
Yes, it absolutely FUCKING did. Dumbass
That’s absolutely NOT the way to get help. Dumbass.
account created 2 hours ago
not tying this to their main account?
Which can also mean that they are reaching out on multiple platforms.
Maybe if it didn’t read like the rant I hear from 10 different people a mont about how they used Wireshark to prove they were compromised without providing any real evidence.
Though there are more and more professional cyber-“mafia” groups now. And some of them do target small business/private too.
That happened ™
It happens every day. Hundreds if not thousands of times.
