Shame and Regret… but would I do it again??

ML
7 min read · May 12, 2021

When I got virus-pwned, thanks to impatience

Ugreen is a brand of simple consumer electronics that I like. I buy LAN cables, adapters, and all sorts of connectors from Ugreen because unlike other pieces of cheap electronics from the Far East, Ugreen products actually work pretty well, at a reasonable price point.

That is, until today.

[Image] Ugreen USB Bluetooth dongle. So cute and innocent.

I recently bought a USB Bluetooth dongle for my desktop from Ugreen. I considered TP-Link, a better brand, but I thought I’d give Ugreen a shot. It would be the first product I’ve purchased from Ugreen that needs a driver. Maybe after this I’d be comfortable buying more than connectors from Ugreen.

Bad, bad, bad.

What happened?

After unboxing the dongle, I take a look at the instructions manual. The manual implies that I need to install a driver. The box does not indicate that it’s plug-and-play.

So, I obediently truck along to Ugreen’s driver website, https://www.ugreen[com]/pages/download (note: in this article, I’m messing up the links in obvious ways so no one accidentally clicks onto potentially malicious sites). I search for the dongle, and I find it.

When I hover over the word Driver, I see that the URL points to something that has a different domain name, www.mediafire[.com]/file/3y3g…….rar/file.

It looks weird, so I check if the items on the page also point to mediafire. If they also point to mediafire, it would be less suspicious — they do. What would that do for you if the entire ugreen.com site is compromised, you ask me, incredulously? :shrug: Sometimes you’ve got to live a little? In this case I was impatient to get the little dongle working and move on to some work.

Nonetheless, I also look up mediafire on Google, and it seems to be a legit cloud file sharing website? I figured Ugreen is just being a bit unconventional, saving costs here and there and preferring not to host their own files. (Does that even make any sense??? *slaps herself*) Also I recalled that if you want to download the popular disk analysis tool CrystalDiskInfo, you download it from some random-looking mirroring site, so perhaps this is the same.

I click on the driver URL and am led to the mediafire site. There is a big Download button, which I am NOT going to show here because that would require me re-visiting the site to capture the screen. I click the big button.

This is when things get legitimately weird.

A window pops up and says “Bitdefender… something something…” It looks strange but Bitdefender has been overprotective recently, so I ignore it (and I really wanted to get this over and done with).

The rar file that I download seems to be structured in a really weird way. I download 7-Zip to un-rar the file, and it takes a few steps of navigation before I get to an .exe file that makes sense (I’m probably above average in terms of the average computer user, so I don’t think I was being dense? But I don’t blame you for disagreeing with me on that point given the current situation).

After I click on the .exe file, I get served a pop up saying the file’s authors are Silicon Graphics. I’m like, er, that is a famous (though downtrodden) Silicon Valley computer hardware and software company… what is going on? I thought, well, maybe these low margin (read: cheap) manufacturers are just re-using their code. What could go wrong? *slaps herself again*

Again, I’m not going to paste the screenshots here because it would require me retracing my steps… which I am *extremely not* going to do, no thank you ma’am.

After I click through the installation process, I see this error:

Before I get the chance to restart like the zombie that I am, I notice… hey, Bitdefender is freaking out with a pop up in my task bar. Ok, let’s click on that…

OH SHIT!

It looks like Bitdefender saved me from JS:Trojan.Cryxos[.]4309, a nasty trojan that accounts for 1.4% of all malware reports, and made it to Bitdefender’s list of top 10 malware in 2017. This was the pop up with “Bitdefender… something something…” I saw earlier. (Note to self: when your antivirus program tries to tell you something, shut up and listen.)

I realize the (blocked) pop up is still lurking in the background, so I manage to take some screenshots of what’s going on:

Nothing about this looks good.

My heart stops. A shiver runs down my spine. I experience an urge to bathe in a tub of peroxide.

But first things first.

WHAT HAPPENED???

Let’s think about this. So… Bitdefender seems to be saying it prevented that nasty thing from loading. But how the heck did that nasty thing almost get loaded? Is mediafire compromised… or are they in cahoots?? Did anything else get loaded (escaping Bitdefender’s defenses)???

I start a total system scan with my Bitdefender antivirus. Since it’s going to take forever, in the meantime, I try to do some forensics on what happened.

1. I look up the domain name hagynovu[dot]pro, where the nasty trojan was hiding

Google sends me to ipinfo.io, which provides some details. The domain name is tied to a US-based IP address. My heart sinks when I see that other super spammy-looking domain names are attributed to this IP address.

I try a bit of denial: well, deep linking and ad services use strange names like this too (fbclid, wth is that? Oh, a Facebook thing. Legit enough for me, even if creepy). This could be benign like those, right? Denial is a wonderful drug.

2. Ok… now that I narrowly avoided the Cryxos trojan, I’m curious about what it does

It seems like it just pops up windows on compromised sites asking for your credentials to services like Microsoft, so they can steal your password. I relax because even if the trojan got loaded, I think I wouldn’t fall prey… I think??

Example from Google Images:

What the Cryxos trojan does for you, that sweet thing

3. I wonder if there were other redirects that I missed, so I check out the history on my Firefox browser

Oh, crap. I see this:

Otnolat… what?

DAMMIT. A Google search tells me it is undeniably a piece of malware. Did it get loaded??????????? I suppose I will have to wait until Bitdefender completes the system scan. I’m not sure I would feel safe even then.
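Step 3 above, reconstructing the redirect chain from Firefox history, can be done against the browser’s places.sqlite rather than by scrolling the history view. This is an added example, not code from the post; it runs on constructed rows in the shape of Firefox’s moz_places and moz_historyvisits tables, and the Otnolat host is a labelled placeholder because the post does not give the full domain.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample rows in the shape of Firefox's moz_places / moz_historyvisits
# tables (not taken from the author's machine). from_visit points back at the visit
# that led to this one; visit_date is microseconds since the Unix epoch.
SAMPLE_PLACES = [
    (1, "https://www.ugreen.com/pages/download"),
    (2, "https://www.mediafire.com/file/PLACEHOLDER.rar/file"),
    (3, "https://hagynovu.pro/"),                 # the page Bitdefender flagged in the post
    (4, "https://otnolat-placeholder.example/"),  # constructed stand-in for the Otnolat redirect
]
SAMPLE_VISITS = [  # (id, from_visit, place_id, visit_date, visit_type)
    (10, 0, 1, 1620800000_000000, 1),   # 1 = followed a link
    (11, 10, 2, 1620800030_000000, 1),
    (12, 11, 3, 1620800031_000000, 6),  # 6 = temporary HTTP redirect
    (13, 12, 4, 1620800032_000000, 5),  # 5 = permanent HTTP redirect
]
VISIT_SQL = ("SELECT v.id, p.url, v.visit_type, v.visit_date FROM moz_historyvisits v"
             " JOIN moz_places p ON p.id = v.place_id WHERE {} ORDER BY v.visit_date LIMIT 1")

def build_sample_db():
    """In-memory stand-in for places.sqlite; use sqlite3.connect(path) on a *copy* of the real file."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,"
        " place_id INTEGER, visit_date INTEGER, visit_type INTEGER);")
    con.executemany("INSERT INTO moz_places VALUES (?,?)", SAMPLE_PLACES)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", SAMPLE_VISITS)
    return con

def navigation_chain(con, start_host):
    """Walk forward from the first visit on start_host, following from_visit back-links,
    and return [(host, visit_type, utc_time), ...] in the order the browser saw them."""
    row = con.execute(VISIT_SQL.format("p.url LIKE ?"), (f"%://{start_host}/%",)).fetchone()
    chain = []
    while row:
        vid, url, vtype, vdate = row
        chain.append((urlparse(url).hostname, vtype,
                      datetime.fromtimestamp(vdate / 1e6, tz=timezone.utc)))
        row = con.execute(VISIT_SQL.format("v.from_visit = ?"), (vid,)).fetchone()
    return chain

def redirect_hosts(chain):
    """Hosts reached through an HTTP redirect (visit_type 5 or 6) rather than a click."""
    return [host for host, vtype, _ in chain if vtype in (5, 6)]
```

Hosts that appear only via redirect visit types are the ones the user never chose to visit, which is exactly the "did I miss a redirect" question; Firefox keeps places.sqlite locked while running, so copy it first.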

When life gives you lemons…

I’m not entirely sure what I need to do now.

This particular computer doesn’t have anything valuable loaded on it, so it’s a bit of a relief. But it does have access to certain cloud services. And it is on the same network as the other computers. I’m still nervous.

What else *can* we do? Let’s stay positive and action-oriented.

I realize that my Firefox browser doesn’t have pop ups blocked. I suspect this would have prevented the shady hagynovu site from loading in the first place, before being blocked by Bitdefender. I slap myself, Very Hard. I immediately install the uBlock and Privacy Badger plug-ins. (But would they have protected me from the Otnolat redirect? I’m not sure.)

(Update: I checked my Firefox settings and apparently I already have pop ups blocked… what gives? Why did the hagynovu window pop up, albeit overlaid with Bitdefender text?)

I consider re-installing the entire machine from a backup. But that would be inconvenient as the backup isn’t recent enough. If I knew for a fact that my system is compromised, I’d do it. But I’m in that middle space of being unsure. How does one decide?!

Importantly, I tell myself never again to buy anything that requires me to install a driver from the website of anything but a highly trusted brand that does security right (Apple? Google?).

A final kicker

You want to know the best part? I go on to the product’s Amazon.com page (from where I purchased it), and it says…

Wait for it…

Wait…

“Plug and Play for Windows 10.”

SLAPS HERSELF.

(Also: wtf, Ugreen?)


Written by ML

I do business things and nerd things. Also crypto things. Twitter: @michlai007
