dokan-dev / dokany

User mode file system library for windows with FUSE Wrapper
http://dokan-dev.github.io
5.2k stars 661 forks

Hackers abusing dokan for low-level malware #1108

Closed MillenniumWare closed 1 year ago

MillenniumWare commented 1 year ago

As mentioned in the title, it appears that hackers are abusing your software (specifically the version of dokan1 from 06/01/2020) to create malware. Both of my main computers were infected. On my laptop, the variant of the dokan-based malware had some fishy stuff in the metadata and was identifying itself as published by Microsoft Windows. There was huge background mounting activity in Event Viewer, even though I have nothing that uses standalone dokan (I used to have a program that had its own forked version, but that's unrelated). I had to delete the files (the ones stuck in system folders had to be removed from an external live environment) to get rid of this tainted version of dokan. Upon removal, the laptop began to run much better and stopped crashing all the time. On my desktop, however, the situation was a bit different. The files showed no signs of tampering, so likely the malware was hidden in the slack space (that empty space between the actual file data and the end of the allocated area, responsible for the slightly larger "size on disk"). This particular machine never even had the previously mentioned software that used its own dokan fork, and event logs showing the suspicious activity went as far back as the days when I had a stalking problem and the stalker was behaving like it knew what I was writing on my private social media. Upon deleting the files, something interesting happened that basically proved for certain that this was indeed some cleverly hidden malware. I'd been having an issue where I had to use the admin command prompt to access MMC applets because an "administrator" locked me out of the normal access methods. Needless to say, removing the dokan files got rid of this issue. So yeah, TL;DR there are people out there abusing your tool, likely for kernel-level access of some kind (likely for spyware in my case, given my circumstances).
I wish I'd saved the tainted files from the laptop as evidence, but I was in too much of a panic when I found this stuff and I was only concerned with quickly eliminating the problem, because it began to crash the system while I was doing school work.

Liryna commented 1 year ago

Hi @MillenniumWare ,

Thanks for sharing your experience. Malware and normal software are free to use any open-source libraries. I would be really curious to know how Dokan could help them. Do you have any idea how / where your computers got infected? If you still have them, could you share the system mount event logs?

MillenniumWare commented 1 year ago

Here's an example of one of the event logs. I do not see anything that could indicate who or what was abusing this. As for infection, unless it's got something to do with a program that, after months of registering as clean on my extremely sensitive anti-virus, showed up as a trojan dropper right when I was dealing with a series of cyber attacks on my systems, I don't know for certain where this came from. I think that was an unrelated issue. I talked to some sysadmins at my university who specialize in incident response, and they claim something that would abuse a driver like dokan could have tampered with my UEFI firmware, and advised me to reflash the affected machines. And yeah, I know hackers can abuse whatever they want. I'm just concerned there could be something preventable, version specific or not, that allows dokan to be abused, and as a cybersecurity enthusiast I'm a bit concerned that, on the off chance this isn't the source of my past cyberstalking issues, it could be something that's being used for widespread malicious activity. I only know a little Python and some beginner ethical hacking stuff, so I sadly can't look into the C code myself to see if there's some odd flaw you may have overlooked. Honestly, it would not surprise me if dokan was used as a way into low-level access (given that an older version was abused, maybe some weird vulnerability is present) and/or as a way to exfiltrate collected data in a spyware/stalkerware scenario. What's beyond strange is that I didn't see any virtual drives mounting. I have plenty of software that can create virtual drives (Macrium Reflect, etc.), but they all seem to function after deleting this suspicious copy of dokan.

```
- -
1 0 4 0 0 0x80000000000000 107930 System DESKTOP-MPKD5D5
-
Mounting disk device. 0D000000020028000000000001000640000000000000000000000000000000000000000000000000
</Event
```
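The two things a responder would want to pin down from the comment above are (a) which provider is writing those "Mounting disk device." events and how often, and (b) whether the installed Dokan driver is actually signed by the vendor it claims in its metadata, rather than merely carrying a CompanyName string that says "Microsoft". The PowerShell below is an added example for this thread, not code from the Dokan project. The driver path `C:\Windows\System32\drivers\dokan1.sys` and the expected signer substring `Dokan` are assumptions; the log excerpt in the comment does not name the provider, so the query filters on the event text and reports the provider it finds.

```powershell
# Added example (not from the Dokan project). Triage for a Windows machine
# showing unexpected Dokan mount activity:
#  1. List the "Mounting disk device." events in the System log with the
#     provider that wrote them, so the source can be cross-checked.
#  2. Check the Authenticode signature and file metadata of the installed
#     Dokan driver and flag a signer that does not match the expected vendor.
# $DriverPath and $ExpectedSigner are assumptions; adjust for the machine.

$DriverPath     = 'C:\Windows\System32\drivers\dokan1.sys'   # assumed install location
$ExpectedSigner = 'Dokan'                                   # assumed substring of the signer CN

# 1. Mount events. The excerpt in the report shows EventID 1 in the System log
#    with the message "Mounting disk device." but no provider name, so filter
#    on the text and let ProviderName come back in the result.
$mountEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like 'Mounting disk device*' } |
    Select-Object TimeCreated, ProviderName, RecordId, Message

"{0} mount events found" -f @($mountEvents).Count
# Which providers wrote them, and how many each: a provider you do not
# recognise, or a count far above what your own software explains, is the lead.
$mountEvents | Group-Object ProviderName | Select-Object Count, Name | Format-Table -AutoSize
# Earliest events give the "how far back does this go" answer from the report.
$mountEvents | Sort-Object TimeCreated | Select-Object -First 5 | Format-Table -AutoSize

# 2. Driver signature and metadata. The "published by Microsoft Windows" string
#    seen in file properties comes from the PE version resource (CompanyName),
#    which anyone can set; the Authenticode signer is what actually matters.
if (Test-Path $DriverPath) {
    $sig      = Get-AuthenticodeSignature -FilePath $DriverPath
    $signerCN = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $item     = Get-Item $DriverPath

    [pscustomobject]@{
        Path          = $DriverPath
        SignatureOK   = ($sig.Status -eq 'Valid')
        Signer        = $signerCN
        CompanyName   = $item.VersionInfo.CompanyName      # claimed publisher, untrusted
        FileVersion   = $item.VersionInfo.FileVersion
        LastWriteTime = $item.LastWriteTime
        SHA256        = (Get-FileHash $DriverPath -Algorithm SHA256).Hash
        # Suspicious if the signature is not valid, or the signer is not the
        # vendor we expect for this driver.
        Suspicious    = ($sig.Status -ne 'Valid') -or ($signerCN -notlike "*$ExpectedSigner*")
    } | Format-List
} else {
    "Driver not found at $DriverPath"
}
```

Run it from an elevated PowerShell session so the System log and the drivers directory are readable. Keep the SHA256 and a copy of the file before deleting anything, since the hash is what lets a vendor or an analyst say whether the binary is a genuine release; the comment above notes that the original sample was lost by cleaning up first.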

Liryna commented 1 year ago

I am not saying it is impossible, but Dokan driver code was in the past reviewed multiple times by security teams because specific companies use it. They reported issues which are now fixed, even before the release you are referring to. Those issues were not even that close to what you have experienced. Without more information or a way to reproduce, I don't think we can do much here, and I doubt Dokan is an open door (even old releases) for malware.

Thanks again for sharing, and please do not hesitate if you have additional data that can help determine whether Dokan was involved and how.