Hi all,
I’ve recently had a malware experience I need some help with - firstly in terms of dealing with the ‘cleanup’ but also in terms of possible wider security concerns, as I’m quite alarmed at what it was able to exploit without any superuser privilege.
Background:
Recently, in an attempt to get an uncooperative printer running in our home Linux environments, I admittedly took a bit of a risk and purchased some firmware. This was provided as a link to what appeared to be a file hosting service, and what appeared to be a downloadable .rar file (I can provide this link, if appropriate).
Upon attempting to extract it with PeaZip, it asked for a password, but the one provided by the seller was rejected as incorrect. I subsequently reported the sale as fraudulent and had my money refunded.
Symptoms:
When booting this machine 3 days later, it was observed to hang mid-boot, shortly after showing the GDM service. When I pressed the power button for less than 2 seconds, it shut down, but seemed to output different progress messages than usual - it had a different font compared to normal.
I subsequently tried rebooting with the router off, and it booted up as normal, allowing me to immediately back up and delete anything I considered important.
I then reconnected the wifi, at which point I noticed a 13.7MB/s outgoing data transfer. Even more alarming, upon opening Terminal I was greeted with an admittedly inventive rendition (in the Terminal window itself) of “Never gonna give you up” culminating in a purple love heart <3 . I disconnected it from wifi again - clearly aware now the machine had been compromised, and when I opened Terminal it was normal again (only with no wifi).
Response:
It’s a given, obviously, that this .rar was malware, and in hindsight it’s a risk I should have been more cautious with - although having exhausted every other trick I knew to get this printer working, and spent my $60, the sunk cost made it seem worth being optimistic…
But, in an effort to turn this into at least a learning experience - not to mention damage control - I’m trying to figure out exactly what’s happened here, specifically:
- Is there any way to figure out just what this attack was, how it worked, and what data has been compromised or uploaded to the attacker?
- Should I be concerned about the backups of personal data I copied off? Could other seemingly innocuous files (eg PDFs) now be edited to contain malicious code? Is there any way to check?
- Has it possibly propagated through the rest of my home network? How would I check/mitigate if other PCs or potentially even routers/IoT devices have had malware served to them?
- How did a supposed .rar file even make such wide changes through the system as to change even the boot process? This particularly is quite alarming, that one malicious file can seemingly have such free rein if it tricks the user into opening it. I don’t remember having to enter my own user password at any point, so I wouldn’t think any executable would even have permissions to make such changes to the boot process.
I haven’t formatted and reinstalled the operating system onto the laptop as yet, because I’m curious to work out what went wrong, but I wonder if this is possibly a wider vulnerability that needs investigation.
Thanks