25 May, 2018

I'll Do You One Better: Why Gamarue

Some weird things happened. I put my USB drive in another computer - it looked normal, except there was a shortcut to Removable Disk. I thought it was from vaccinating/inoculating the drive against autorun.

Put it in my computer. Files missing. The shortcut turned out to be an actual shortcut to rundll32.exe, with a weird string after it.

Scanned with antivirus. Found Gamarue A.

To unhide files, use
attrib -h -r -s /s /d *.*
from https://www.easeus.com/file-recovery/virus-file-recovery.html. Files will be in a folder without a name (space? special space? undisplayable character?)
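As an added example (not from the original post), here is a PowerShell triage script that does the two things described above on a plugged-in drive: it lists every shortcut whose target is rundll32.exe, showing the argument string, flags folders whose name is only whitespace, and then clears the hidden/system/read-only attributes the same way the attrib command does. The drive letter E: is an assumption; change it to the letter Windows gave your drive.

```powershell
# Added example, not from the original post. Triage a removable drive for the
# pattern described above: a .lnk launching rundll32.exe with a payload string,
# next to files/folders the worm set hidden+system. Drive letter is an assumption.
param([string]$Drive = 'E:\')

# 1. Detection: report every shortcut on the drive that targets rundll32.exe.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $Drive -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.TargetPath -match 'rundll32(\.exe)?$') {
      [pscustomobject]@{
        Shortcut  = $_.FullName
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments   # the "weird string" behind the shortcut
      }
    }
  } | Format-List

# 2. Folders whose name is only whitespace (the "folder without a name").
Get-ChildItem -Path $Drive -Directory -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.Name.Trim() -eq '' } |
  ForEach-Object { "Whitespace-named folder: '$($_.FullName)'" }

# 3. Recovery: equivalent of `attrib -h -r -s /s /d *.*`, scoped to this drive.
$mask = [IO.FileAttributes]'Hidden, System, ReadOnly'
Get-ChildItem -Path $Drive -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object { ($_.Attributes -band $mask) -ne 0 } |
  ForEach-Object {
    # Strip the three attributes, leaving everything else (e.g. Archive) intact.
    $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot [int]$mask))
    "Unhid: $($_.FullName)"
  }
```

Run step 1 first and keep a copy of the shortcut and its arguments for the antivirus report; the script deliberately does not delete anything.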

Ok, search for new computers on Google. Click on an ad link to a Lenovo ThinkCentre. Can't display page, says pixel.everesttech.net is unreachable. What? Where does this server come in? Did my browser get hijacked?

Firstly, everyone should check the real URL when mousing over a link. But did you know it's easy to spoof this URL? Display one URL but actually send you to another? Google does it for ALL search results, not just ads. You only notice when a page doesn't load properly, though.

But can ads on Google also do this? Display a safe URL but actually redirect you to a malware site? Technically not... https://security.stackexchange.com/q/161071
They actually can, but only to "certain" "vetted" sites. So the only thing stopping them is Google's "vetting".

So what about everesttech.net? Is it a virus site? It looks like a common ad tracking site, like googleadservices. Look at the stackexchange discussion above. So why doesn't the link in Google ads work? Because everesttech.net is down.
It's a coincidence: this huge site that Google ads depend on is down.

  • USB drive got virus
  • Found way to unhide files hidden by virus
  • Google ad links not working
  • Thought browser was hijacked
  • Turns out a major site was down just as this was happening to me

But wait, something is weird. Google ads work normally on Linux. Check my hosts file. I blocked pixel.everesttech.net!
  • everesttech.net isn't down, it just doesn't respond if you visit it directly. Suspicious.
  • everesttech.net also isn't malware; it's sort of necessary. Don't block it.

