(This story was first published on 12 February 2021 and is being republished in light of the new report by a US-based forensic company, finding 22 additional files that show the computer of Bhima-Koregaon case accused Rona Wilson was compromised by a malware attack.)
Can a cyber attacker infect your laptop/desktop computer with malware, in a completely remote manner? Can your computer be compromised without your knowledge?
Yes, it can be.
A shocking report by a US-based digital forensic consulting company, Arsenal Consulting, which revealed that the personal computer of one of the accused in the Bhima Koregaon violence case, Rona Jacob Wilson, was compromised for over 22 months, has unnerved many of us.
Wilson’s computer was seized by the National Investigation Agency (NIA) on 17 April 2018, while it was reportedly infected with malware on 13 June 2016.
Arsenal Consulting’s report, accessed by The Quint, was submitted in the NIA special court, as well as the Bombay High Court. The report claims that ‘incriminating documents’ cited by the investigating authorities were allegedly planted on Wilson’s computer using NetWire malware.
The digital forensics firm noted that this appeared to be corroborated by how documents supposedly authored on Wilson’s computer had been created using Microsoft Word 2010 or 2013, while the version of Word installed on his computer was Word 2007.
Their report also states that the incriminating documents were never opened on his computer.
The Quint spoke to Sandeep Shukla, professor of Computer Science and Engineering at IIT Kanpur, who has read the forensic report available in the public domain. He speaks about the remote access malware used in this case, and how we can protect our laptops/computers from getting similarly compromised.
What do you have to say about the forensic report on Rona Wilson’s computer?
I think these activists were not very computer savvy. Secondly, this email came from one of his friends/correspondents, i.e., Varavara Rao’s email account. It could be that Rao’s computer was already compromised or the attacker made a Gmail address which looked very similar to Rao’s Gmail ID. Rona Wilson obviously trusted the email and opened the attachment file.
Many people in India use pirated versions of Windows and Microsoft Office etc. In that case, they often don’t get a notification to update the software, which makes their computers vulnerable to malware.
Can a malware infect a computer which is running an updated, paid version of an Operating System (OS) or software like MS Office?
Neither Microsoft nor Adobe or any other software knows all its vulnerabilities. One might update software in a timely manner but still there could be some security vulnerabilities known to the hackers but not the software manufacturers.
Eventually, the software manufacturers do come to know about the vulnerabilities but it gives enough of a window to these hackers to infect computers with malware.
Did Rona Wilson have an antivirus installed on his computer? And is an antivirus software enough to protect computers from malware?
The forensic report says that Wilson was using Quick Heal antivirus which is made in India. Five different versions of malware were found on his laptop, two were detected by Quick Heal and quarantined but three were not detected. Which means that the antivirus also failed.
Antivirus can fail in many different ways:
One is, the code of the malware, in this case NetWire, has been changed in an obfuscated way because of which the antivirus fails to detect it.
Second, people often do not configure their antivirus correctly which has to be done properly so that if at all a file is downloaded, it automatically invokes an antivirus check. That is why it is always advisable to carry out a deep scan of the computer system rather than quick scan.
Why couldn’t the Indian forensic team detect the malware on Wilson’s computer? Is it very hard to detect?
The kind of capabilities that this US-based forensic company, Arsenal Consulting, seems to have is not present with most Indian forensic teams. But still the Indian forensic team should have been able to find the malware. I don’t think they did due diligence.
How can a person protect her/his computer from malware?
You should have updated versions of an antivirus and must perform a deep scan of the computer regularly, update your software etc – these are all part of good cyber hygiene. But, even the latest versions of Microsoft or Adobe software will have some vulnerabilities.
As we understand, cyber attackers are always working on finding vulnerabilities. That’s why they often succeed in discovering vulnerabilities before the manufacturers of the software and use it for their benefit. Even the latest version of a software may not have all the protections.
One has to be extremely vigilant about what emails one clicks on, what files we click or download. Even if one is getting an unexpected email from a known source, one should call up that person to check whether he or she has sent an email and then click on it.
One has to be very careful with emails and attachments. That’s the only thing I can say to protect computers.
Can the attacker gain control over the computer through malware like NetWire?
As per Arsenal’s forensic report, the attacker had full control and access of Wilson’s computer for 22 months.
NetWire malware not only installs itself in the system but also communicates with the command and control server which is controlled by the attacker. The report shows which command and control server it was communicating with. This server can send more customised malware of various kinds to the computer. The attacker had 22 months to deliver incriminating PDF files to Wilson’s computer.
Reports show that Wilson’s computer was communicating with at least 7-8 different servers. These servers might not be in India and they could be cloud-based servers.
The attacker will never use their own server because it would be easy to locate them through their IP address.
They will take the service of some other server, over the cloud perhaps, and use that to attack computers.
Can the cyber attacker be tracked?
There is a group of people called ‘Citizen Lab’ in Canada. They have the capability of correlating many other attacks to find out who could be behind the attack. But in general, tracking an attacker is very difficult without having a huge data bank of past attacks used by various attackers.
I doubt whether Indian law agencies have all the required resources, data and capabilities to trace the attacker.
How can I find out if my computer has been infected with malware?
There are not exactly any customer-friendly products that can help an individual detect malware.
Paid versions of McAfee or Kaspersky antivirus have enhanced capacities which are beyond regular or free antivirus software. For example, they have blacklisted a few websites and sound an alarm if at all such websites are opening or working on the computer.
But again, nothing will give you 100 percent guarantee... that your computer is not attacked or infected. A forensic test is the only way to be 100 percent sure about whether your computer has ever been infected with malware or not.
How advanced is the NetWire malware?
If I have to rank this malware between 1 being the best and 10 being the worst, I would rank NetWire between 7-8. NetWire is a very customisable malware. It is a ‘remote access trojan’ (RAT) which establishes persistent communication between the victim and the server or the attacker.
Please note that the attacker can access the victim’s computer only when it is connected to the internet.