ComboFix is a popular anti-malware tool used by many computer technicians. Unlike most scanner applications that check files for particular signatures, ComboFix is more of a script that runs through its different stages completing various tasks to counter specific malware infections. It also stops all services while running which gives it a fighting chance against rootkits that few other tools can clean up.
ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.
Unfortunately, for roughly nine hours yesterday, a compromised version of the anti-malware tool was served up that would actually infect a computer with the Sality virus. Sality is a self-replicating file infector: once it infects a computer, it also copies itself to USB drives and network drives.
The information about ComboFix’s compromise was shared in a thread over at BleepingComputer, the primary mirror for ComboFix.
Known impacted versions have a SHA256 hash:
The download link on BleepingComputer was removed yesterday once the compromise was discovered. Earlier this afternoon, a clean version of ComboFix was again made available: http://www.bleepingcomputer.com/download/combofix/
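Because the compromised builds are identified by SHA256 hash, the practical check for anyone who downloaded ComboFix during that window is to hash the file they have and compare it against the published digests. The script below is an added example, not code from BleepingComputer or the ComboFix project; the `KNOWN_BAD_SHA256` entry is an obvious placeholder standing in for the hashes the article refers to but does not reproduce, and the `expected_good` parameter assumes the operator has obtained the clean build's hash from the mirror.

```python
import hashlib
import sys
from typing import Iterable, Optional

# PLACEHOLDER: the article refers to SHA256 hashes of the compromised ComboFix
# builds but the digests are not reproduced here. Replace this set with the
# published values before relying on the "known-bad" verdict.
KNOWN_BAD_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def sha256_bytes(data: bytes) -> str:
    """Return the lowercase hex SHA256 digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so large downloads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str, known_bad: Iterable[str], expected_good: Optional[str] = None) -> str:
    """Classify a digest against a deny-list and, optionally, a single expected-good value.

    Returns one of:
      "known-bad"  - digest matches a published compromised build
      "verified"   - digest matches the expected clean build
      "mismatch"   - an expected-good hash was supplied and it does not match
      "unknown"    - not on the deny-list and no expected-good hash to compare with
    Comparison is case-insensitive and ignores surrounding whitespace, since
    hashes are frequently copied from forum posts with inconsistent casing.
    """
    d = digest.strip().lower()
    bad = {b.strip().lower() for b in known_bad}
    if d in bad:
        return "known-bad"
    if expected_good is not None:
        return "verified" if d == expected_good.strip().lower() else "mismatch"
    return "unknown"


def main(argv: list) -> int:
    """Usage: python check_combofix.py <path-to-download> [expected-good-sha256]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    path = argv[1]
    expected = argv[2] if len(argv) > 2 else None
    digest = sha256_file(path)
    verdict = classify(digest, KNOWN_BAD_SHA256, expected)
    print(f"{digest}  {path}  -> {verdict}")
    # Non-zero exit for anything other than a verified-clean file, so the
    # script can gate an installation step.
    return 0 if verdict == "verified" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A deny-list match is conclusive, but an "unknown" verdict is not a clean bill of health: a file that is merely absent from the list of known-bad hashes should still be compared against the hash published for the clean release before it is run.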
In case you downloaded and ran ComboFix yesterday, BleepingComputer Admin Grinler recommends taking the following steps:
- Scan your computer with ESET’s Online Scanner.
- Download and scan your computer with the Kaspersky Rescue Disk.
- Use SalityKiller if you are unable to use the above tools for some reason. When using this tool, you should disconnect from your network first.
It has not yet been determined, or at least not disclosed, how the download came to be compromised, so users may want to be cautious about using ComboFix and other tools from the same source until an investigation is complete and any open doors have been closed. Fortunately, given the age of the Sality virus, most antivirus products catch and block the infection, but that assumes the client PC has an antivirus installed.