I updated Cygwin at work this morning. Like I had anything better to do… You see, the company runs (“lives” is a better description) on a Microsoft Exchange server. All of our email is kept in there. All of our meeting appointments are kept in there. When it goes down, lots of people are looking for stuff to do: there are no meetings so you have to do work, but you cannot do work because all of the important information you need to perform your duties was emailed to you last week and is still sitting in your inbox. So, to kill a little time I decided to check that I had the latest version of Cygwin. For those not in the know, Cygwin is a nifty little package you can install on your Windows machine to make it more like a Unix machine: all the standard command line programs with a funky little abstraction layer that makes your hard drives look more like a Unix file system. There were huge amounts of updates.
After the work day was over (I sure hope Exchange is back up tomorrow, for the sake of the IT guys’ jobs), I decided to upgrade my version of Cygwin at home. After all, it was older than the version at work. A few minor updates, blah, blah, blah. While I was on the upgrade spree, I decided to also upgrade the virus definitions in Norton AntiVirus. According to the readout, it had only been a few days since the last automatic update, but who cares? I’m upgrade happy! Norton gets its update, everything is cool, nothing out of the ordinary. I pop open a Cygwin terminal window to copy a few files between computers and *WHAM*! “Hello, this is Norton AntiVirus telling you you’re a stupid dumbfuck user who has contracted a virus. I really can’t figure out how to repair the infected file because I’m just a dumb program and this virus, which is supposed to be simple to repair, just doesn’t really conform to my repair recipe.”
Oh, crap. I have a virus? HOW?! I don’t even really DO anything on that machine but hotsync my organizer, plus it’s behind a pretty darn secure firewall and probably isn’t about to be HaX0r3D. Okay, scan the whole hard drive. What’s infected? Check the white paper describing Backdoor.EggHead.
A few minutes later, I finished reading as the virus scanner approached completion. So, it is a trojan that is attached to an IRC bot. It doesn’t so much infect files as plant bad ones on your system. And somehow this IRC bot infected my system. I don’t even have a client program for chatting on IRC, much less a bot! Well, let’s see what it infected… Wow, this simpleton backdoor trojan that simply enables telnet and a few other things somehow managed to not only infect cygwin.dll and cygz.dll, but also managed to extract two Unix archive files (similar in concept to *.zip files, only these are *.tar.gz, a format that is very rare on Windows machines), infect two DLLs (not EXE files, like every other virus does, but DLLs!!!), and rearchive the *.tar.gz files back where they were. Norton found 4 copies of the virus, two on the hard drive and two in these Unix archive files. No tell-tale registry keys. None of the other files it plants. Just two copies of two files that have no possibility of being touched, according to the white paper. For some reason, I have this feeling that Norton is full of spit and has a virus checker that can’t tell Schlitz from shinola. Now I can’t seem to use Cygwin because every time it tries to access that DLL, Norton comes along and bitch-slaps the process. “Sorry, had to shut this bad boy down. The virus was starting to get uppity.”