All your computers are belong to us now
May. 24th, 2006 07:06 pm

Background: when morgan_dhu's employer set her up with VPN so that she could work from home, the company IT guy was very firm: we could not install a software firewall on the work computer, and we could not put the work computer behind a router. The reasons didn't make much sense to us, but it was their computer, so they got to make the rules (she was also told that due to licensing issues, she could not install Mozilla on her work machine -- no, seriously).
So we paid the cable company an extra $20 per month for 2 extra IP addresses so we could connect all our computers to the internet using a hub, instead of a router. And ever since then, the work machine has been naked to the internet, totally unprotected save for the frail figleaves provided by Norton Antivirus and Windows Update.
Since that time, all of the tech support and IT people at the company have been replaced with new people. The new people have a somewhat different philosophy than the old people: for instance, it is now permitted to install Firefox on one's work computer.
For a couple of years, we had one IP for each machine (my computer, morgan_dhu's computer, and her work computer) and they were all connected to the cable modem with a hub. Our personal computers were and still are protected by software firewalls; in addition, a few months ago, I decided I was tired of sending ridiculous amounts of money to the cable company each month, and bought a router. That enabled me to cancel one of the two extra IP addresses. So for the past few months, we had connected our personal computers to the router, and connected the router and the work computer to a hub, which connected to the cable modem. Yes, there was an unholy mess of cables behind the desk; we suspect the cables of developing their own form of intelligence and plotting world domination.
So, anyway, this afternoon, morgan_dhu started experiencing weirdness on her work machine. The mouse started moving around by itself, downloading a file, installing something, clicking past some kind of "are you sure you want to install this thing" warning, and the like. In short, it had been taken over by some kind of remote control software, and someone out there was merrily installing their little rootkit on it. The only question, really, is why it took so freaking long (unless of course it had been suborned years ago and only today the hacker had the bad judgement to start doing stuff when she happened to be using it).
Once we realised what was happening, I pulled the power plug on the computer, unplugged its Ethernet cable, and then we called the tech support at morgan_dhu's company. One of the first things he asked me to do was to plug the work machine into our router, enable VPN on the router, and reboot the work machine so that it would connect to the corporate network through the router.
Then he led me through several rounds of trying to find the freaking rootkit, to no avail. Ad-aware found zilch, msconfig.exe found zilch, and after he said goodbye, I downloaded a "rootkit revealer" from sysinternals.com, and that found zilch. Reviewing running processes also revealed nothing that didn't seem to belong. So Morgan's work computer is probably still suborned. Fortunately it's only turned on about 8 to 12 hours a day, so while it may be part of a zombie farm (although I'd think zombie farmers would really prefer to take over machines that are left on around the clock), it's at least not a very efficient zombie.
On the upside, we can now save ourselves another $10 a month by cancelling all the extra IPs and just going with basic high-speed service. We can also cut back the cable forest behind Morgan's desk, from "enough to stretch to the moon" to merely "enough to stretch around the block."
Advertisement: Anybody who can help me figure out where the rootkit/remote control malware is hiding on morgan_dhu's work machine may claim a lightly used 4-port Linksys hub, free.