ComboFix is a popular anti-malware tool used by many computer technicians. Unlike most scanner applications that check files for particular signatures, ComboFix is more of a script that runs through its different stages completing various tasks to counter specific malware infections. It also stops all services while running which gives it a fighting chance against rootkits that few other tools can clean up.
ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.
Unfortunately, for roughly nine hours yesterday, a compromised version of the anti-malware tool was served up that would actually infect a computer with the Sality virus. As a self-replicating virus, Sality infects a computer and is also found to copy itself to USB drives and network drives.
The information about ComboFix’s compromise was shared in a thread over at BleepingComputer, the primary mirror for ComboFix.
Known impacted versions have a SHA256 hash:
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8
The download link on BleepingComputer was removed yesterday after learning of the compromise. Earlier this afternoon, a clean version of ComboFix was again made available: http://www.bleepingcomputer.com/download/combofix/
In case you downloaded and ran ComboFix yesterday, BleepingComputer Admin Grinler recommends taking the following steps:
- Scan your computer with ESET’s Online Scanner.
- Download and scan your computer with the Kaspersky Rescue Disk
- Use SalityKiller if you are unable to use the above tools for some reason. When using this tool, you should disconnect from your network first.
It is not currently known or released how the download came to be compromised, so users may be cautious in using ComboFix and any others until an investigation can be completed to ensure that any open doors have been closed. Fortunately, given the age of the Sality virus, most antivirus products catch and block the infection but that is assuming the client PC has an antivirus on it.