Thanks to Glasswire I became aware of a Trojan!

Hi GlassWire & community,

Figure I would take a moment to register here and share my morning’s story. I woke up today to find two foreign notifications waiting for me within Glasswire! Gasp! How rare! Just to get it out of the way: Windows 10 AU (v1607) is up to date, Windows Defender is up to date.

Pictures help tell a story. This is what I woke up to:


Well this isnt good. I recognize svchost.exe’s name, but looking at the address it’s sending data to doesnt make sense, and it’s not in the right directory (good feature Glasswire!). The other entry (attrib.exe) is obviously bad – and it’s clear to me almost immediately after one Google search that I’ve been infected with some sort of gpu cryptominer.

Windows Defender (even with this morning’s update) failed to find anything wrong, even when I pointed the scan directly at the directory Glasswire indicated where the SVCHOST.exe file is located (which I know should NOT be in appdata\roaming). So I fire up my trusty MalwareBytes (free) app, update it and run a full scan, and sure enough, it finds the culprit!

MB Scan Results:


the other two results are perennial false “risk” positives

Phew! Caught that svchost process and it’s reg keys!

As a precaution I took a look at the attrib.exe to see if it was modified. The timestamp points to the exact date and time when I updated windows to the anniversary update, that’s a good sign.

Modification timestamp:

Still, I send it up to virustotal anyways and force it to reanalyze the file (since it recognized the SHA256 of the exe)…
VT-Scan:

Things are looking good now :slight_smile:

I practice good security habits on the regular, including full scans with MalwareBytes and Windows Defender two times a month (which takes some time to complete when checking ~8TB of data). I run a VM to sandbox anything that could be potentially “risky”. Needless to say, I’m somewhat surprised and impressed that this malware somehow got on my machine, and it’s the first time in almost a decade something like this has happened (the last event many years ago being a nasty bit of malware called “virtumonde”), thus I figure, why not post about it!

This malware potentially would have been active for some time if it was not for Glasswire alerting me to the connection attempt. I’ve been using Glasswire (free) for about 1/2 a year now; after this morning I quickly found a deal and purchased Glasswire!

Now the hunt begins to figure out how this got on my system in the first place. As a side note, it also shows that Windows Defender is still not very good overall, and definitely needs support for other security products.

Please allow new users to add more than one image! A bit annoying to create my post, then go back and put things into imgur, THEN find out I also cant put links in posts…seriously now…that needs to be fixed .:angry:

3 Likes

@X_Naquada

Thanks for posting this, it’s a cool story! I upgraded your account to “member” so I think now you can post more images? Please check.

I think Discourse puts the limits on new accounts so spammers won’t post bad images, etc… sorry.

Thanks so much for upgrading to a paid version of GlassWire.

That did it, thank you! I updated the OP with images inline.