Okay, here’s a shit story. I was doing a routine scan with ClamAV feb 4th. Out of nowhere it popped for a trojan. Thought it was a bit weird, probably a false positive. Nope. I discovered a weird .DLL in WINE, not in their repos, not something I installed. listed as .BRM for windows 6. I hashed it and ran it against everything I’d pulled from my .DLL files. I went digging and found the schroot under /run/ I took a look at the properties and the env showed 128.7TB of storage. The program I use with WINE requires network access to authenticate and because it was for audio production, it had access to my filesystem for samples.
Broke out wireshark and confirmed they were exfiltrating data. I always have the camera covered and the Mic disabled, but only through a blacklist. As soon as they saw me, they wiped everything from my home folder, everything that wasn’t a base part of kde was gone. They got my passport, resumes, had just downloaded all my data from google and deleted my accounts. Wedding photos, contact lists, phone numbers, Everything. Immediately unplugged the router, disconnected the modem.
Found the roommate, he uses windows 10. No security updates, no antivirus. Rooted into his machine as well. 7 foreign IPs routing traffic over privoxy, shut down all the ports, airplane mode, took his important data and burned a windows 10 iso. He’s okay now. I’m currently running photorec, foremost and autopsy on an image of my drive trying to get what I can. Reopened a bank account, changed the phone number now I’m paranoid. Network password was stupid easy (not my connection, I don’t own it) and he had it set up so everyone with the password was admin. Every machine in the house is potentially compromised. He had a whole host of web 3.0 bullshit, chinese wifi camera,(probably watching through that) old google home assistant, ps4, xbox, light controls.
We ditched the router, the people I share this place with have no idea what a computer even is and I am trying to explain to them why this is a problem. My synthesiser’s OS is based on montevista linux, I connect it to the laptop all the time. There’s a server farm out there trying to get into insecure connections. I was rooted with 32x linux using a fake .DLL in WINE, he was rooted into by a Windows 10 machine. Of course he uses an admin account for everything. I pulled a shit tonne of persistence off my computer. Cron jobs, Startup scripts for privoxy and schroot, services, grub configuration, SSH keys, User Logins. This is sophisticated enough that they could tailor something on a per machine basis and I never would have found it if I hadn’t been actively looking because since they schroot, none of those processes were available to me to view. I just had a funny feeling the last time I used WINE because the configuration kept updating and it normally only does that if you add a library, or make a change to the program and I hadn’t done that in a month.
I need some help, fellas because I went to the cops and the cybercrime unit stops at “He posted my nudes on Facebook.” This was not intended for me, this is meant to spread across as many machines as possible. ISP in our area recently put in fibre in a bunch of different houses and I’m worried they may be piggy backing our connection off our neighbours. How many people out there are using older versions of android with no security updates? What if they get someone who works in power generation, law enforcement, a nurse on the way to the hospital. It is so bad and I cannot get any one to listen to me. They think I’m a lunatic. Last thing, can you give me some advice on containerising applications in docker, command line docker. I’m not giving a company my personal information to use their stupid GUI and I want to cut this off at the head. No more free access to the file system, every application and all the files I use with them on their own container. How do I build something from source in a leak proof Docker environment? how do I install a web browser with no access to geoclue, date and time or files? Resources, if you can, would be incredibly helpful. I am only doing linux for 2 years as a hobby, this is out of my wheelhouse. Just a blank container with one program, so I can inspect files coming in and out of and decide if something gets access to my home directory or not. stay frosty out there.
Hey man, sorry you’re going through this.
Realistically I don’t think there’s much more you can do than what you’re already doing.
You wiped your machines, wiped the router, wiped the “smart home” devices, that’s it.
Now what you gotta do is:
Were you running pirated software on there? If so, the source you got it from isn’t to be trusted.
Most viruses are meant to spread as wide as possible, what’s important above all is that you must calm down.
Saving the world is not your responsibility, if your local Cybersecurity division doesn’t want to help, oh well. Focus on Securing your stuff.
If you truly want to help, consider sending the infected .DLL to a service like VirusTotal. If it’s a new malware they haven’t seen before, the virus’ signature gets shared.
Also consider filling a complaint to IC3. While I don’t think they’ll reach out back to you, if this is a new Botnet or new Crime network they’re not already aware of, your report will bring it to their attention.
In relation to isolating your apps from each other, maybe take a look into QubeOS. It’s built from the ground up for this purpose, though it might prove rather overkill for most users.