Webroot missed Trojan:O97M/Sonbokli.A!cl - which then infected client computers

Show first post

27 replies

Userlevel 1
Hi Muddy7,

My questions at the time were:

  1. Did those emails come from your computer or was your email address spoofed?
  2. Did the offender get access to your recent email communications with your customers by compromising your machine or did something get compromised somewhere between those communications leaving your machine and their arriving at the recipients' machines?

I don't know if Webroot was to blame for not detecting the initial infection.  My point in switching software was because WSA was unable to detect exactly the type of malware used to spread the spam my account had sent out, whereas many other software packages do.   Support said they were working on it, but it was too late for me and my clients.
Anyhoo, to answer your questions:
1. They were sent with my credentials, but my machine was off.  It wasn't spoofing, because the sender address wasn't forged.  They were legitimately sent from my account.  I know this because I was emailed immediately by my host provider that it suspected mass spam emailing between 6:00 and 6:30AM that morning.  They stopped further transmissions.
2. Not sure when/where/how the data got intercepted, or if simply my credentials were hacked by malware.
Malware is getting more and more clever.  It used to be quite obvious, but in this case:
- was delivered from a legitimate (not spoofed) email address
- was a reply to a previous email in a chain
- contained a file called [mylastname].doc, which is certainly less conspicuous than "shipping_details.pdf"
- signed with my sig file
- sent to recent clients, many of whom I send reports or other .doc, .xls or .pdf files frequently
- contained no spelling or grammar mistakes
If I had been at the other end of that email, I'm 90% sure I would have counted it as legitimate and opened it.  I don't blame my clients for opening it either.  In the end, I would rather use more advanced detection algorithms to find this stuff ahead of time, not only for the security of my local machine but for that of my clients.  
I switched to Bit Defender for all devices and purged all my old emails in the Outlook trash.  Found a bunch of stuff, and I did a couple manual deletes.  So far so good.
Userlevel 7
Thanks for the reply!

@HollowMan wrote:
They were sent with my credentials, but my machine was off

OK, so that establishes pretty conclusively that the emails were not sent from your machine.

@HollowMan wrote:WSA was unable to detect exactly the type of malware used to spread the spam my account had sent out

 Not quite sure how Webroot could detect the type of malware that was used to send out mails that apparently did not come from your machine?
Maybe there's something that I've missed here in your explanation (I'm not always the brightest of sparks when it comes to IT stuff :@). And anyway, we seem to be in danger of starting going round in circles. One thing is completely understandable: you've had a terrible experience, as a result you don't feel comfortable with Webroot, and indeed I imagine if I were in your boots (in more than one respect I am not!) I would probably feel the same. So as I say, completely understand and I wish you the best with your new protection 😃


    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept or continue browsing you agree to our cookie policy. Learn more about our cookies.

    Accept cookies Cookie settings