How to survive a drive-by malware attack

Malwarebytes offers a file assassin feature that can kill locked files in an emergency

It was a Friday evening in December last year. I'd just got in from work, fed the cat, made myself a nice cup of coffee and settled down in front of the PC to catch up on the usual Friday evening internet entertainments: Bob the Angry Flower and the B3ta newsletter.

Chuckles all round, until I clicked one of the B3ta links to an apparently hilarious site, which loaded normally at first, but then appeared to kick Adobe Reader into action. A few seconds later I found that my browser was completely unresponsive. Strange.

Not that strange, though. I use Mozilla SeaMonkey as my main browser at home out of sheer dogged contrariness and I'm used to it occasionally going into a flat spin, especially when it encounters too many Flash ads on a single page. However, the unbidden appearance of Reader seemed a little suspicious and the sudden wild thrashing of the hard drive was a bit worrying as well.

I hit [CTRL]+[ALT]+[DEL], waited what seemed like an age for the Task Manager to appear, then finally gave up, held the power button down for five seconds and restarted.

Damn and Blaster

Like, I imagine, most of us, I take the security of my PC reasonably seriously but I don't obsess over it. I've had this PC since 2003 and before last year it had been compromised approximately once, in the days before SP2 happened and the firewall didn't start by default on a new connection.

My broadband got switched on at my new house, I set it up and within five minutes I had the Blaster worm spewing pop-ups at me and trying to shut my PC down. Annoying, but easily fixed.

Since then I've taken sensible precautions, but nothing over the top. I ran ZoneAlarm for a while until I got SP2 and switched to the Windows Firewall, I use AVG antivirus and my PC sits behind a firewalled router rather than the nasty USB modem that originally came with my broadband package. Nothing spectacular, but it does the trick.

Evil twin

Or at least it did until that fateful evening in December. The PC restarted happily enough, but paranoia had started to creep in, so I figured it wouldn't hurt to have a little peek under the bonnet to check that everything was in order.

I hit [CTRL]+[ALT]+[DEL] again to bring up the Task Manager and had a scan through what was running. Everything looked normal enough until I spotted something called JimMcCauley.exe, which I was reasonably sure I'd never noticed before.

I ran a search for it and found it nestled in my Windows/System32 folder, where I discovered that it had been created only five minutes previously. Not a good sign. I tried to stop the process, but the process refused to be stopped.

Uh-oh

Next, I launched a command line window and ran Netstat. I love Netstat – it gives you a list of all the internet connections you have open and is very handy for telling you if something's talking to somewhere it shouldn't be.

I was expecting to find maybe one or two slightly suspicious connections. What I got was about a billion connections to Russian mailservers. Oh, shit. I yanked the network cable and panicked for a bit.
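The Netstat check described above can be turned into a repeatable triage step. The following is an added example, not part of the original article: it parses `netstat -ano` output and reports any process holding live connections to several distinct mail servers, which a home PC that is not itself a mail server should never do. The sample output, the addresses (documentation ranges), the PID and the threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}  # SMTP, SMTPS, mail submission

# Constructed sample of `netstat -ano` output; not captured from a real machine.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.20:1034      198.51.100.7:80        ESTABLISHED     1520
  TCP    192.168.1.20:1101      203.0.113.10:25        ESTABLISHED     3316
  TCP    192.168.1.20:1102      203.0.113.11:25        SYN_SENT        3316
  TCP    192.168.1.20:1103      203.0.113.12:25        ESTABLISHED     3316
  TCP    192.168.1.20:1104      198.51.100.25:25       TIME_WAIT       0
  TCP    192.168.1.20:1105      203.0.113.10:25        ESTABLISHED     3316
  TCP    [fe80::1%4]:1106       [2001:db8::25]:25      ESTABLISHED     3316
  UDP    0.0.0.0:500            *:*                                    700
"""

# TCP rows only: local endpoint, foreign endpoint, state, owning PID.
LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def smtp_fanout(netstat_text, min_hosts=3):
    """Return {pid: sorted remote hosts} for PIDs talking to many mail servers."""
    hosts_by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # headers, blank lines, UDP rows
        _local, foreign, state, pid = match.groups()
        if state not in ("ESTABLISHED", "SYN_SENT"):
            continue  # ignore listeners and already-closed sockets
        host, port = split_endpoint(foreign)
        if port in SMTP_PORTS:
            hosts_by_pid[int(pid)].add(host)
    return {pid: sorted(hosts) for pid, hosts in hosts_by_pid.items()
            if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for pid, hosts in smtp_fanout(SAMPLE).items():
        print(f"PID {pid}: {len(hosts)} distinct mail servers: {', '.join(hosts)}")
```

A flagged PID can then be matched against the process list in Task Manager to find the executable responsible.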

Jim McCauley
