Angelus88
Posts: 442
Joined: Mon May 13, 2013 9:25 am
Location: Ivrea, TO (Italy)

Weird virus problem...

Sat Jan 24, 2015 1:34 am

Hello everyone! I'm sorry if I'm using this title but the problem is really weird.

I have a Raspberry Pi running 24/7 with an external USB hard drive connected, where I download torrents.
This hard disk is also shared through Samba so it's accessible from Windows.

It happens very often that I find an exe file in the root of the external hard drive.
This file has a random name every time, and when I tried to upload it to the VirusTotal website, it showed me this.

It looks like the Autorun virus, the one you often find inside usb sticks.

Why is this happening? I read that this virus spreads through Windows shares, so it could be that it's my computer that's infected, but last month I wasn't at home for almost 20 days and there was no computer on but the Raspberry Pi. When I came back home, I found the virus again, as if it was coming from the Raspberry Pi itself.

What can I do? It doesn't bother me much but it's just that I can't understand HOW this virus creates itself.

ktb
Posts: 1447
Joined: Fri Dec 26, 2014 7:53 pm

Re: Weird virus problem...

Sat Jan 24, 2015 1:53 am

I don't have any good explanations for what is generating those executables on your external hard drive. However, it seems to me that the detection of "AutoIt" often turns out to be a false positive. What type of external hard drive is it? The model? Did the drive come with some sort of backup software solution pre-installed on it (maybe even installed on a separate [possibly hidden] partition)?

Angelus88
Posts: 442
Joined: Mon May 13, 2013 9:25 am
Location: Ivrea, TO (Italy)

Re: Weird virus problem...

Sat Jan 24, 2015 2:39 am

ktb wrote:I don't have any good explanations for what is generating those executables on your external hard drive. However, it seems to me that the detection of "AutoIt" often turns out to be a false positive. What type of external hard drive is it? The model? Did the drive come with some sort of backup software solution pre-installed on it (maybe even installed on a separate [possibly hidden] partition)?
First of all, thank you for the answer. No, the hard drive was a normal notebook hard disk that I put inside an external USB case.
This drive has just one primary partition and I formatted it before using it, so it was completely empty at the beginning.

I really doubt it's a false positive because the name is always random and VirusTotal shows a detection ratio of 39/57, which is really high!

ktb
Posts: 1447
Joined: Fri Dec 26, 2014 7:53 pm

Re: Weird virus problem...

Sat Jan 24, 2015 2:46 am

Angelus88 wrote:
ktb wrote:I don't have any good explanations for what is generating those executables on your external hard drive. However, it seems to me that the detection of "AutoIt" often turns out to be a false positive. What type of external hard drive is it? The model? Did the drive come with some sort of backup software solution pre-installed on it (maybe even installed on a separate [possibly hidden] partition)?
First of all, thank you for the answer. No, the hard drive was a normal notebook hard disk that I put inside an external USB case.
This drive has just one primary partition and I formatted it before using it, so it was completely empty at the beginning.

I really doubt it's a false positive because the name is always random and VirusTotal shows a detection ratio of 39/57, which is really high!
Interesting. You could try something like this http://www.avg.com/submit-sample or maybe http://kaspersky.antivirus.lv/eng/service/report/

pluggy
Posts: 3635
Joined: Thu May 31, 2012 3:52 pm
Location: Barnoldswick, Lancashire,UK
Contact: Website

Re: Weird virus problem...

Sat Jan 24, 2015 10:48 am

Drive-by using Java?
Don't judge Linux by the Pi.......
I must not tread on too many sacred cows......

Burngate
Posts: 6284
Joined: Thu Sep 29, 2011 4:34 pm
Location: Berkshire UK Tralfamadore
Contact: Website

Re: Weird virus problem...

Sat Jan 24, 2015 12:14 pm

Angelus88 wrote:It's happening very often ...
How often is very often?

If you disconnect the network, does it still reappear?
If you disable the torrent software, does it still reappear?
What else is the Pi doing, and can you disable that?

Angelus88
Posts: 442
Joined: Mon May 13, 2013 9:25 am
Location: Ivrea, TO (Italy)

Re: Weird virus problem...

Sat Jan 24, 2015 1:48 pm

ktb wrote:Interesting. You could try something like this http://www.avg.com/submit-sample or maybe http://kaspersky.antivirus.lv/eng/service/report/
VirusTotal analyses the file you upload with every existing Anti-Virus Scanner using updated virus definitions so I think it's the same thing.

pluggy wrote:Drive-by using Java?
What do you mean?
burngate wrote:How often is very often?

If you disconnect the network, does it still reappear?
If you disable the torrent software, does it still reappear?
What else is the Pi doing, and can you disable that?
I can try to disable the Samba service, or simply remove the Samba share of that hard drive so it won't be accessible from Windows anymore. Let's see what happens... Maybe it's really one of my computers that generates that file.

DougieLawson
Posts: 38804
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Weird virus problem...

Sat Jan 24, 2015 5:08 pm

What machines can write to your samba share? Run a full anti-virus scan on every Windows machine that has write access, one of them may be compromised.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

Angelus88
Posts: 442
Joined: Mon May 13, 2013 9:25 am
Location: Ivrea, TO (Italy)

Re: Weird virus problem...

Sat Jan 24, 2015 9:42 pm

DougieLawson wrote:What machines can write to your samba share? Run a full anti-virus scan on every Windows machine that has write access, one of them may be compromised.
Instead of completely disabling the Samba service, I managed to make the share read-only for every Windows machine, so they can just read and copy files from the share to Windows but not vice versa.

I did a full anti-virus scan on all the machines already but with no luck.

Let's see what happens now... Thank you so much guys ;)

ktb
Posts: 1447
Joined: Fri Dec 26, 2014 7:53 pm

Re: Weird virus problem...

Sat Jan 24, 2015 10:27 pm

Angelus88 wrote:
ktb wrote:Interesting. You could try something like this http://www.avg.com/submit-sample or maybe http://kaspersky.antivirus.lv/eng/service/report/
VirusTotal analyses the file you upload with every existing Anti-Virus Scanner using updated virus definitions so I think it's the same thing.
If that's what you think, then you do not understand the purpose of the links I provided.

False positives are a common issue with every scanner and VirusTotal is not perfect. I still believe that a false positive or misunderstanding is likely what you're dealing with. Who knows? We're only guessing based on very limited information. You can try to prove that it is not a false positive by manually submitting the file for analysis to someone with the skills and tools to make that determination.

Angelus88
Posts: 442
Joined: Mon May 13, 2013 9:25 am
Location: Ivrea, TO (Italy)

Re: Weird virus problem...

Wed Jan 28, 2015 10:10 pm

ktb wrote:
Angelus88 wrote:
ktb wrote:Interesting. You could try something like this http://www.avg.com/submit-sample or maybe http://kaspersky.antivirus.lv/eng/service/report/
VirusTotal analyses the file you upload with every existing Anti-Virus Scanner using updated virus definitions so I think it's the same thing.
If that's what you think, then you do not understand the purpose of the links I provided.

False positives are a common issue with every scanner and VirusTotal is not perfect. I still believe that a false positive or misunderstanding is likely what you're dealing with. Who knows? We're only guessing based on very limited information. You can try to prove that it is not a false positive by manually submitting the file for analysis to someone with the skills and tools to make that determination.
Ok, you're right. I did what you said, but an automatic email response the day after told me that it is not a false positive. It's definitely a virus: the Autorun virus, or AutoIt, the one that installs itself through the Autorun.inf file you often find on USB sticks.

Anyway, I turned the Samba share read-only from Windows and nothing has happened since :) So it's definitely one of my Windows machines. I'll take a look. Thank you so much to all of you ;)
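As an added example (not code from any poster in this thread), here is the kind of check that could have been run on the Pi side while the share was still writable: a POSIX shell script that scans the root of the share for Windows executables by their "MZ" header rather than by extension (the dropped files could be renamed), and prints a hash, size and modification time for each one so the timestamps can be matched against Samba's connection log or smbstatus to find which client wrote them. The mount point /mnt/usbdrive and the RUN_SCAN switch are assumptions for this example.

```shell
#!/bin/sh
# Scan the root of a mounted share for PE executables and record them.
# SHARE_ROOT is an assumed mount point for this example; override it via env.
SHARE_ROOT="${SHARE_ROOT:-/mnt/usbdrive}"

# is_pe FILE -> exit 0 if the file starts with the "MZ" DOS/PE signature.
# Checked by content, not by name, so a renamed or extension-less dropper
# is still caught.
is_pe() {
    [ -f "$1" ] || return 1
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# scan_share DIR -> one line per PE file in DIR's root (dotfiles included):
#   <sha256> <size-bytes> <mtime-epoch> <path>
# The epoch mtime is what you line up against Samba's log timestamps.
scan_share() {
    dir="$1"
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue          # skips '.', '..' and unmatched globs
        is_pe "$f" || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(stat -c %s "$f")          # GNU stat, as on Raspbian
        mtime=$(stat -c %Y "$f")
        printf '%s %s %s %s\n' "$sum" "$size" "$mtime" "$f"
    done
}

# count_pe DIR -> number of PE files found in DIR's root
count_pe() {
    scan_share "$1" | wc -l | tr -d ' '
}

# Run from cron with RUN_SCAN=1 and redirect stdout to a log; the hashes let
# you tell a recurring dropper from a new one without re-uploading it.
if [ -n "${RUN_SCAN:-}" ]; then
    scan_share "$SHARE_ROOT"
fi
```

Because the share is read-only now, the same scan is also a cheap way to confirm that nothing new appears after the change.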
