
Question: Is there a type of malware out there that "goes stealth" when in a different environment from its usual one (i.e., when the computer is brought into the shop), and then reactivates when back in the usual environment? If so, how do I detect it, and what do I do about it?

If not, what did I experience? (See background)


Background: I'm a fairly new computer tech working for a small, locally owned shop. I just started working on customer computers a couple months ago, but I've been noticing a seemingly new trend that bugs me.

It started when a customer brought a laptop in, and complained of malware. They'd visit some websites and get advertisements and popups that weren't originally on those sites. I took the computer in and ran various scans on it: MalwareBytes, Spybot Search and Destroy, and AVG. None of the scans turned up anything. I even booted into Mini XP using a USB drive and ran scans from there. Still nothing.

Finally I called the customer and had them direct me to the sites in question. They were pretty standard sites, even ones I'd visited myself at home (MSN, Google, and a site where homes for sale are listed that I can't recall off the top of my head). Everything looked normal.

So we did a quick "tune up" of the laptop and sent it back to the customer. Or more accurately, my boss took it out. The moment they powered on the computer, the malware symptoms popped up: Sound ads, popups, etc. The customer was pretty angry. I would have chalked it up to my inexperience. Thing is, I've seen similar situations since, and not just for computers I worked on.

Thanks in advance for your time.

Kered
  • How would the computer have any idea who is currently using the computer or where it is physically located? I have yet to see any malware that would react in such a way. If you scanned the computer and found nothing, you did your job. I am thinking that this customer is seeing something that is not really malware (popups are not malware btw). Is the customer using IE? I would kindly suggest using Chrome or Firefox, and then install the browser addon AdBlocker from the Mozilla or Chrome extension site. Great little addon that eliminates 99% of all annoying internet ads. – Richie086 Mar 03 '14 at 21:37
  • I suspect such malware would look at the network settings, and adjust its behavior if, say, the subnet changes, but that's a complete guess. Also, it was my boss who observed the malware symptoms when it was returned to the customer. He's been at this much longer than I have, so I doubt he was mistaken. – Kered Mar 03 '14 at 21:42
  • Is your internet connection in work filtered in some way that would block what the customer is seeing at home? – Andrew Morton Mar 03 '14 at 21:54
  • Your work DNS may be preventing access to sites the user's home DNS is allowing? Still you'd expect some sort of trace... – Ecnerwal Mar 03 '14 at 22:01
  • We do have a dedicated firewall device filtering our network traffic, but I don't have one at home. Like I said, I've been to all the sites the customer had me visit on my home PC, so I know whatever they were seeing isn't part of those sites. – Kered Mar 03 '14 at 22:01
  • Maybe you could check the DNS settings on the user's router: Team Cymru spots 300,000 compromised SOHO gateways. – Andrew Morton Mar 04 '14 at 09:37
  • Now that's very interesting, Andrew. I admit my network-fu is not strong. I'll bring that up to our lead tech and see what he thinks. Thanks. – Kered Mar 04 '14 at 17:21
  • Kered, for your information, if you precede your comment with @AndrewMorton then I will be notified if you respond. It is only because I looked back at my comments that I saw your responses. As you're the OP, you should be notified automatically. – Andrew Morton Mar 04 '14 at 19:04
  • @AndrewMorton : Thanks again. New to this site, of course. Been meaning to give you kudos, or rep, or whatever, but I can find a button. – Kered Mar 04 '14 at 21:55
  • Re: rep etc. - don't worry about it :) If someone's comment turns out to be the answer, you can always ask them to make an answer saying the same thing, then you can mark their answer as helpful, or accept it as the answer by clicking the hollow green tick symbol. – Andrew Morton Mar 04 '14 at 22:48
