How the AI made me suffer

-


 I was having lunch with my wife at a restaurant when I got a call from someone from work. A technician dealing with network security told me my office computer was infected with some nasty virus/worm/trojan. There was not much I could do, and being a Friday afternoon, the person who called told me they would do nothing else till Monday morning. The purpose of the call was to make me aware my computer was now isolated in a different VLAN where I would have almost no network services.

I immediately felt uncomfortable and worried. What could I have done wrong for this to happen? I tried to avoid all the common pitfalls of not seeing myself in this situation, but I was not doing well enough. Thankfully, the meal was delicious, and I could park the problem for a while.

I woke up early Saturday morning to shop and could not resist stopping by my office and checking my computer. As I was told, only a few services were working, I was getting a different IP address and had no access to any server on our intranet. I ran the corporate antivirus for a full scan, which rendered zero warnings, which was strange. I read the email I was sent, in which I was informed that the suspicious activity on my computer was detected as being part of Mozi botnet. I was unfamiliar with that, so I checked with ChatGPT and learned it is a botnet for IoT devices ... hold on, not for PCs? That was weird. Gathering more info on the Internet, I learned that it was a botnet that was disabled by an unknown actor (perhaps a state or a security service) on September 27th, 2023; that was odd, too.

I used the netstat command to see all the programs running and the socket numbers they were using, and I got a match: transmission-daemon.exe. The incident report mentioned a single UDP datagram exchanged with a Chinese server whose IP was flagged as dangerous by the ******* corporate network monitoring software powered by AI. Well, that Chinese server was definitely not known to me, but the executable was part of the Transmission BitTorrent client I had installed in the past from its project's website. Could this program be a problem? I did not know, but what I knew was the way it operated. It can chat with a bunch of peers I have no control or knowledge of (trackers and peers). 

Time to go home; the idea that all this might be a false positive started to pop up in my mind, but perhaps more info will be revealed on Monday. After all, I did not know any more details about what my computer might have been doing. 

The person handling my case on Monday differed from the one who called me on Friday. In our phone conversation, she needed to be more familiar with the situation and the additional info I submitted on Saturday morning. So I suggested she call me later once she was up to speed. Meanwhile, I performed a further test: verifying the executable responsible for the incident's traffic was in the Transmission software folder in Program Files. Sometimes malicious software disguises itself with a common executable name, but in my case, the program was in the correct folder (besides, it caused the antivirus to have no warnings). I notified the issue tracking system of all that info.

In my mind, it was becoming quite clear there was no other issue other than the transmission-daemon.exe being run, which I later verified could be explained as it was installed as a service on my computer. 

I was told that because the Transmission software caused the traffic that initiated the issue, it would be better if I removed it, which I did. However, my computer was still in the "thinking corner" and I was yet unable to operate any of the services of our intranet. Incidentally, one of these services was the issue tracking system :-)

I thought I could use a wifi interface to connect my desktop computer wirelessly to avoid the restrictions imposed on my wired network, but that was not enough. My computer could access servers on the Internet but not on the intranet. So I was only 50% more useful than before but useless in communicating with the very people who could fix my connectivity issues. Eventually, it occurred to me that I could use the Opera browser (with its built-in VPN service) to access our intranet servers as if I were outside of our network; this way, I could finally send information to the issue-tracking server. That approach worked ok, but the irony was not lost on me.

Once it became evident that there was a simple non-threat explanation of the traffic, I guess it was to review any other sign my computer might have given to any of the security systems. They came up with a potential risk report about the program AdAppMgrSvc.exe that might have caused some credential leaks in the past. That was part of the Autodesk software I installed from our own repository. I sent them the executable, but I tested it with VirusTotal, and the report returned 100% safe. 

After that checked out, I was told my computer would be reinstated to the network, and the incident closed. It only ate a good portion of my Monday morning. 

I am glad to know my computer is safe. Now I have a new password for my company account, and I am able to access our intranet so I can work. 


Comments

Post a Comment

Popular posts from this blog

VFD control with Arduino using RS485 link

-
Image
Variable Frequency Drives ( VFD ) allow the control of spindles so speed can accurately be controlled and a detailed acceleration profile for the spindle and reverse rotation can all be handled. In essence a VFD is an three phase inverter for three-phase AC motor. I am using a popular (I mean cheap) Chinese VFD and though the reference manual is not great, I could see there is a built-in RS-485 port. I usually control the start, stop and speed selection using the keyboard on the unit but I thought it will be more useful if I could control everything from the same Arduino is doing our CNC table control. Some cheap RS-485 off eBay and some lines of code later, I can start, stop and change the speed from an Arduino. What a cool thing to have! Some configuration of your VFD are needed before you can use it like that.  You need to set PD163=1 (I am using address 1 in the code). PD=164=1 (for setting serial to 9600bps) and PD165=0 (for using ASCII and 8N1 character format)
Read more

How to get sinusoidal s-curve for a stepper motor

-
Image
After some experimentation, and delving a bit into the math of motion, I realized there can be a significant difference on the motion of a machine by just making small changes. A common and popular approach to smooth one axis of motion is to use a trapezoidal speed pattern, where acceleration and deceleration are uniformly accelerated movements (aka constant acceleration motion) separated by a portion happening at cruising speed. The problem comes with the fact that, while that approach is simple to understand and to code, it does contain sudden changes in the acceleration, that show as spikes on the acceleration derivative, called jerk. These sudden changes in the acceleration translate into undesired vibration in our machines. Most of that can be eliminated by selecting a motion pattern that does not contain sudden changes of acceleration. If we chose a mathematical function for our speed whose second derivative is continuous, then we reduce system vibration quite a lot. One ma
Read more

Stepper motor step signal timing calculation

-
Image
While we use stepper motors in many devices, the timing of the step signals is not always well understood. Most of us can see how a fixed speed is a bad idea unless the speed of motion is really slow, but it is fixed speed what is really to generate with simple code. You just can use the Arduino Blink example to send a fixed frequency of pulses to a stepper motor driver. If too slow, just reduce the delay value. But for most real-life applications variable speed controls will perform better. These systems will speed up the motor to a given maximum speed and it will slow it down to stop at the desired step count. But understanding the math behind this process is sometimes not obvious. Let us start with the simple case of the so-called trapezoidal speed motion profile. Here motion takes place in three phases: acceleration, constant speed (cruising) and deceleration. But the point is how can our code create such a behavior. Stepper motor drivers usually accept two signals to control
Read more