The infection started with a link sent via a major social network from a friend’s account, which had been compromised, accompanied by a comment designed to provoke curiosity in the recipient. It read, “Haha, you’re famous now, lol!” The link led to a webpage designed to resemble YouTube. On arrival, a notification popped up saying that Flash Player was out of date and offering to install the update. Accepting the update installed not Flash but a trojan horse program. Trojans give attackers an entry point into their victims’ computers. They work much like a burglar who, having gained entry by some means, switches off the alarm and unlocks the front door so their accomplices can get in. They are generally the start of a much larger infection, as they can be used to download further malware onto the victim’s computer. As part of its installation routine, this trojan also installed an innocuous-sounding file in an innocuous-sounding folder. Take note of this file; it will be important later.
This particular trojan was a variant of Gen.Siggen and installed itself as LSSASR.exe in the \Windows\SysWOW64\ folder, which is home to the 32-bit system programs that run on 64-bit systems. Once it had turned off the firewall, it proceeded to download various other malware, which I successfully removed using a combination of standard removal tools. With these secondary infections taken care of, I used an invaluable program called rkill to identify and kill malicious processes; it duly identified LSSASR.exe and stopped it running. I deleted the LSSASR.exe file and rebooted, fully expecting the virus scanner to return a clean bill of health. And indeed, when the desktop was back up and I ran rkill again, it returned “no malicious processes found”. A few minutes into a malware scan with no warning notices, I was reassured, thinking that the enemy was bested and it was time to put the kettle on. Then MSSE popped up with a notification that it had found an infection and was trying to clean it. It was LSSASR.exe again.
When I tried to remove it, I got a notice that LSSASR.exe couldn’t be deleted because it was in use by the Java binary, the legitimate program for running Java programs. My initial thought was that the Java executable might have been infected, so I stopped the process, deleted LSSASR.exe and uninstalled Java completely before reinstalling it from a trusted source. Upon rebooting, the same sequence of events occurred:
- A few minutes after reaching the desktop, the firewall was switched off.
- A fresh copy of LSSASR.exe appeared in SysWOW64.
- MSSE found LSSASR.exe and tried to clean the infection, but failed.
In a moment of clarity I realised that LSSASR.exe was itself a symptom, not the cause. I still needed to find out what was starting it all. Something was waking up after start-up and, when it found that LSSASR.exe was missing, copied a new one over and set it running. I opened the list of programs set to start automatically and checked through them, but missed it at first because it seemed so innocuous. It eventually caught my eye: javaw.exe, set to run the file I mentioned earlier, which went by the name 16a09g1, located in
This file’s sole purpose, as far as I can tell, was to check that the machine it ran on was infected and, if not, to re-infect it. The original infection process created the folder structure and placed 16a09g1 in it. It then added a start-up entry so that javaw.exe (which runs without opening a console window, so nothing is visible to the user) would execute 16a09g1 every time the computer started. 16a09g1 then checks whether LSSASR.exe exists in SysWOW64 and, if not, copies it over and starts it running. Once LSSASR.exe is running, it can open connections to remote servers, download other malware, or simply sit and listen for commands from the person who installed it.
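The give-away in this chain is the start-up entry itself: a Java launcher pointed at a file that is not a normal .jar or .class and that sits in a user-writable folder. The following is an added example of that check, not code from the original post; the autorun entries are constructed samples, the folder holding 16a09g1 is a placeholder (the post does not give it), and the `-jar` form of the command is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample autorun entries (value name -> command line); not from any real host.
# The folder holding 16a09g1 is a PLACEHOLDER: the original post does not name it.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r'%windir%\system32\SecurityHealthSystray.exe',
    "SunJavaUpdateSched": r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"',
    "jupdate": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar '
               r'"C:\Users\alice\AppData\Roaming\PLACEHOLDER\16a09g1"',
}

JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
JAVA_PAYLOAD_EXTS = {".jar", ".class"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
TOKEN = re.compile(r'"[^"]*"|\S+')


def split_command(cmd):
    """Tokenise a Windows command line, dropping the surrounding double quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmd)]


def check_entry(cmd):
    """Return the reasons an autorun command line matches the re-infection pattern:
    a Java launcher handed a payload that is not a .jar/.class, or that lives in a
    user-writable folder. Launcher switches (-jar, -Xmx...) are skipped."""
    tokens = split_command(cmd)
    if not tokens or PureWindowsPath(tokens[0]).name.lower() not in JAVA_LAUNCHERS:
        return []
    launcher = PureWindowsPath(tokens[0]).name.lower()
    reasons = []
    for payload in (t for t in tokens[1:] if not t.startswith("-")):
        if PureWindowsPath(payload).suffix.lower() not in JAVA_PAYLOAD_EXTS:
            reasons.append(f"{launcher} runs a payload without .jar/.class extension: {payload}")
        if any(marker in payload.lower() for marker in USER_WRITABLE):
            reasons.append(f"payload lives in a user-writable location: {payload}")
    return reasons


def flag_autoruns(entries):
    """Map each suspicious entry name to its reasons; clean entries are omitted."""
    return {name: r for name, cmd in entries.items() if (r := check_entry(cmd))}


if __name__ == "__main__":
    for name, reasons in flag_autoruns(SAMPLE_RUN_ENTRIES).items():
        print(name, *("  - " + r for r in reasons), sep="\n")
```

On a live machine the same check can be fed the values of the HKLM and HKCU `...\CurrentVersion\Run` keys and the contents of the Startup folders.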
The malware evaded detection through a simple mechanism. The file that started the process, 16a09g1, didn’t have a known signature, so it wasn’t flagged by any of the multiple scanners I used, though they caught the secondary infections. The key to the cure was simply that the command in the list of start-up items which set the re-infection process going was suspicious enough to catch my attention. Unfortunately, I securely deleted both the original infection file (the Flash updater) and 16a09g1 before realising that I should have disassembled them to see exactly how they worked. By the time I got around to asking for the original link, the webpage that had hosted it had been taken down, presumably by the social network itself once it was found to be serving malware.