How the AI made me suffer


I was having lunch with my wife at a restaurant when I got a call from someone from work. A technician dealing with network security told me my office computer was infected with some nasty virus/worm/trojan. There was not much I could do, and being a Friday afternoon, the person who called told me they would do nothing else till Monday morning. The purpose of the call was to make me aware my computer was now isolated in a different VLAN where I would have almost no network services.

I immediately felt uncomfortable and worried. What could I have done wrong for this to happen? I tried to avoid all the common pitfalls of not seeing myself in this situation, but I was not doing well enough. Thankfully, the meal was delicious, and I could park the problem for a while.

I woke up early Saturday morning to shop and could not resist stopping by my office and checking my computer. As I had been told, only a few services were working: I was getting a different IP address and had no access to any server on our intranet. I ran the corporate antivirus for a full scan, which, strangely, rendered zero warnings. I read the email I had been sent, in which I was informed that the suspicious activity on my computer had been detected as being part of the Mozi botnet. I was unfamiliar with that, so I checked with ChatGPT and learned it is a botnet for IoT devices... hold on, not for PCs? That was weird. Gathering more info on the Internet, I learned that it was a botnet that was disabled by an unknown actor (perhaps a state or a security service) on September 27th, 2023; that was odd, too.

I used the netstat command to see all the programs running and the socket numbers they were using, and I got a match: transmission-daemon.exe. The incident report mentioned a single UDP datagram exchanged with a Chinese server whose IP was flagged as dangerous by the ******* corporate network monitoring software powered by AI. Well, that Chinese server was definitely not known to me, but the executable was part of the Transmission BitTorrent client I had installed in the past from its project's website. Could this program be a problem? I did not know, but what I knew was the way it operated. It can chat with a bunch of peers I have no control or knowledge of (trackers and peers). 

Time to go home; the idea that all this might be a false positive started to pop up in my mind, but perhaps more info will be revealed on Monday. After all, I did not know any more details about what my computer might have been doing. 

The person handling my case on Monday differed from the one who called me on Friday. In our phone conversation, she needed to be more familiar with the situation and the additional info I submitted on Saturday morning. So I suggested she call me later once she was up to speed. Meanwhile, I performed a further test: verifying the executable responsible for the incident's traffic was in the Transmission software folder in Program Files. Sometimes malicious software disguises itself with a common executable name, but in my case, the program was in the correct folder (besides, it caused the antivirus to have no warnings). I notified the issue tracking system of all that info.
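The two checks described above (netstat to find which process owns a socket, then confirming that the executable really lives in its install folder rather than merely sharing a well-known name) can be scripted so they are repeatable during triage. The following Python is an added example, not code from the original post. The `netstat -ano` lines, the PID-to-path listing (as `Get-Process | Select-Object Id, Path` would produce) and the IP addresses and paths are all constructed sample data, and `EXPECTED_PATHS` is a hypothetical allow-list of where each executable is expected to run from.

```python
"""Socket-to-process triage with an executable-location check (added example).

Reproduces offline the manual steps from the post: parse `netstat -ano`, map
each socket's PID to its image path, and flag executables that carry an
expected name but run from an unexpected folder. All sample data is constructed.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample of `netstat -ano` output on Windows (header lines included).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:9091           0.0.0.0:0              LISTENING       4120
  TCP    192.0.2.10:51234       198.51.100.7:443       ESTABLISHED     2210
  UDP    0.0.0.0:51413          *:*                                    4120
  UDP    192.0.2.10:60001       *:*                                    7788
"""

# Constructed PID -> image path listing, e.g. from
# `Get-Process | Select-Object Id, Path` or `wmic process get ProcessId,ExecutablePath`.
PROCESS_SAMPLE = {
    4120: r"C:\Program Files\Transmission\transmission-daemon.exe",
    2210: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    7788: r"C:\Users\Public\transmission-daemon.exe",  # same name, wrong folder
}

# Hypothetical allow-list: executable name (lower case) -> expected install folder.
EXPECTED_PATHS = {
    "transmission-daemon.exe": r"C:\Program Files\Transmission",
    "firefox.exe": r"C:\Program Files\Mozilla Firefox",
}

# TCP lines carry a State column; UDP lines do not, so the state group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line of `netstat -ano` output; headers are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        sockets.append({"proto": proto, "local": local, "remote": remote,
                        "state": state or "", "pid": int(pid)})
    return sockets


def classify_path(path, expected_paths):
    """Compare the folder of an image path with the allow-listed folder for that name."""
    p = PureWindowsPath(path)
    expected = expected_paths.get(p.name.lower())
    if expected is None:
        return "unknown-executable"
    if str(p.parent).lower() == str(PureWindowsPath(expected)).lower():
        return "expected-location"
    return "unexpected-location"


def triage(netstat_text, process_map, expected_paths):
    """Join sockets to their owning process and attach a location verdict to each."""
    findings = []
    for sock in parse_netstat(netstat_text):
        path = process_map.get(sock["pid"])
        if path is None:
            # The PID was gone by the time the process list was taken; worth a second look.
            verdict = "no-process"
        else:
            verdict = classify_path(path, expected_paths)
        findings.append({**sock, "path": path, "verdict": verdict})
    return findings


def suspicious(findings):
    """Keep only sockets whose owning executable could not be tied to an expected folder."""
    flagged = ("unexpected-location", "unknown-executable", "no-process")
    return [f for f in findings if f["verdict"] in flagged]


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE, EXPECTED_PATHS):
        print(f"{f['proto']:<4} {f['local']:<22} {f['remote']:<22} "
              f"pid={f['pid']:<6} {f['verdict']:<20} {f['path']}")
```

On the constructed sample the script reports PID 7788 as `unexpected-location`: the image shares the name of the BitTorrent daemon but runs from a user-writable folder, which is exactly the masquerading case the post mentions. A name-and-folder match is only a first filter; comparing the file's hash against a known-good copy, as the post later does with VirusTotal, is the stronger check.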

In my mind, it was becoming quite clear there was no issue other than the transmission-daemon.exe being run, which I later verified could be explained as it was installed as a service on my computer.

I was told that because the Transmission software caused the traffic that initiated the issue, it would be better if I removed it, which I did. However, my computer was still in the "thinking corner" and I was yet unable to operate any of the services of our intranet. Incidentally, one of these services was the issue tracking system :-)

I thought I could use a wifi interface to connect my desktop computer wirelessly to avoid the restrictions imposed on my wired network, but that was not enough. My computer could access servers on the Internet but not on the intranet. So I was only 50% more useful than before but useless in communicating with the very people who could fix my connectivity issues. Eventually, it occurred to me that I could use the Opera browser (with its built-in VPN service) to access our intranet servers as if I were outside of our network; this way, I could finally send information to the issue-tracking server. That approach worked ok, but the irony was not lost on me.

Once it became evident that there was a simple non-threat explanation of the traffic, I guess it was time to review any other sign my computer might have given to any of the security systems. They came up with a potential risk report about the program AdAppMgrSvc.exe that might have caused some credential leaks in the past. That was part of the Autodesk software I installed from our own repository. I sent them the executable, but I tested it with VirusTotal, and the report returned 100% safe.

After that checked out, I was told my computer would be reinstated to the network, and the incident closed. It only ate a good portion of my Monday morning. 

I am glad to know my computer is safe. Now I have a new password for my company account, and I am able to access our intranet so I can work. 

