Okay, here's a shit story. I was doing a routine scan with ClamAV feb 4th. Out of nowhere it popped for a trojan. Thought it was a bit weird, probably a false positive. Nope. I discovered a weird .DLL in WINE, not in their repos, not something I installed. listed as .BRM for windows 6. I hashed it and ran it against everything I'd pulled from my .DLL files. No match. I went digging and found the schroot under /run/ I took a look at the properties and the env showed 128.7TB of storage. The program I use with WINE requires network access to authenticate and because it was for audio production, it had access to my filesystem for samples.
Broke out wireshark and confirmed they were exfiltrating data. I always have the camera covered and the Mic disabled, but only through a blacklist. As soon as they saw me, they wiped everything from my home folder, everything that wasn't a base part of kde was gone. They got my passport, resumes, had just downloaded all my data from google and deleted my accounts. Wedding photos, contact lists, phone numbers, Everything. Immediately unplugged the router, disconnected the modem.
Found the roommate, he uses windows 10. No security updates, no antivirus. Rooted into his machine as well. 7 foreign IPs routing traffic over privoxy, shut down all the ports, airplane mode, took his important data and burned a windows 10 iso. He's okay now. I'm currently running photorec, foremost and autopsy on an image of my drive trying to get what I can. Reopened a bank account, changed the phone number now I'm paranoid. Network password was stupid easy (not my connection, I don't own it) and he had it set up so everyone with the password was admin. Every machine in the house is potentially compromised. He had a whole host of web 3.0 bullshit, chinese wifi camera,(probably watching through that) old google home assistant, ps4, xbox, light controls.
We ditched the router, the people I share this place with have no idea what a computer even is and I am trying to explain to them why this is a problem. My synthesiser's OS is based on montevista linux, I connect it to the laptop all the time. There's a server farm out there trying to get into insecure connections. I was rooted with 32x linux using a fake .DLL in WINE, he was rooted into by a Windows 10 machine. Of course he uses an admin account for everything. I pulled a shit tonne of persistence off my computer. Cron jobs, Startup scripts for privoxy and schroot, services, grub configuration, SSH keys, User Logins, Key loggers. This is sophisticated enough that they could tailor something on a per machine basis and I never would have found it if I hadn't been actively looking because since they schroot, none of those processes were available to me to view. I just had a funny feeling the last time I used WINE because the configuration kept updating and it normally only does that if you add a library, or make a change to the program and I hadn't done that in a month.
I need some help, fellas because I went to the cops and the cybercrime unit stops at "He posted my nudes on Facebook." This was not intended for me, this is meant to spread across as many machines as possible. ISP in our area recently put in fibre in a bunch of different houses and I'm worried they may be piggy backing our connection off our neighbours. How many people out there are using older versions of android with no security updates? What if they get someone who works in power generation, law enforcement, a nurse on the way to the hospital. It is so bad and I cannot get any one to listen to me. They think I'm a lunatic. Last thing, can you give me some advice on containerising applications in docker, command line docker. I'm not giving a company my personal information to use their stupid GUI and I want to cut this off at the head. No more free access to the file system, every application and all the files I use with them on their own container. How do I build something from source in a leak proof Docker environment? how do I install a web browser with no access to geoclue, date and time or files? Resources, if you can, would be incredibly helpful. I am only doing linux for 2 years as a hobby, this is out of my wheelhouse. Just a blank container with one program, so I can inspect files coming in and out of and decide if something gets access to my home directory or not. stay frosty out there.
Edit: finally figured out how to add pictures to this. You'll notice the tree from home folder that it's basically fucking empty. You'll also see ventoy which I had to have to get my housemate's stupid ASUS laptop to let me burn Microsoft's spyware onto it. You'll also see photorec which is currently digging through all the data left on the disk.img, you'll also see the output of my first attempt using foremost, which failed because the disk was mounted and live. Here is the audit.txt https://files.catbox.moe/picf4y.txt If you scroll down just a little bit, you will see the poisoned .DLL and the .exe that was hidden in it. Listed as created year 2000 and 1998. I don't use social media, like at ALL because it's all poison. Don't you call me a fucking liar. You have ABSOLUTELY no idea what I have been through in the last 3 days. I have talked to local police, state police, had to img my entire drive and send it to them. I have lost copies of all my personal identification documents, immigration documents, I have had law enforcement visit me repeatedly. THIS IS NOT a fucking joke.
Edit: Christ the way this website handles image hosting, I can't. 3 days of chainsmoking, talking to cops, reinstalling OSes and explaining to a 45 year old man that your router password cannot be 1love[name of his cat that he posts about on instagram]
Here all the images in one place. Sorry, incredibly stressful period right now, I use GNUicecat and since all of my user settings are gone I don't know what's working and what isn't because I haven't had 3 hours to sit down and configure it yet:
I need a fucking smoke
Hey man, sorry you're going through this.
Realistically I don't think there's much more you can do than what you're already doing.
You wiped your machines, wiped the router, wiped the "smart home" devices, that's it.
Now what you gotta do is:
Were you running pirated software on there? If so, the source you got it from isn't to be trusted.
Most viruses are meant to spread as wide as possible, what's important above all is that you must calm down.
Saving the world is not your responsibility, if your local Cybersecurity division doesn't want to help, oh well. Focus on Securing your stuff.
If you truly want to help, consider sending the infected .DLL to a service like VirusTotal. If it's a new malware they haven't seen before, the virus' signature gets shared.
Also consider filling a complaint to IC3. While I don't think they'll reach out back to you, if this is a new Botnet or new Crime network they're not already aware of, your report will bring it to their attention.
In relation to isolating your apps from each other, maybe take a look into QubeOS. It's built from the ground up for this purpose, though it might prove rather overkill for most users.