Attacked While Using VPN

I’ve noticed in the past few weeks problems emerging from using my paid-VPN.
I know…I know “don’t use Windows”. But some of the tools I need to use for my profession are only available on windows, and the alternatives are insufficient.
After a few minutes of usage, my anti-virus/internet security program will crash. The event log specifies it “terminated unexpectedly”. The program restarts 1 second later. Then the link to my VPN will be severed.
Moments later, I get a “Failed to connect to server” event from MSIInstaller because the firewall component of the service forbids any non-VPN connecitons (I do this by specifying the MAC address of the TAP adapter in access rules).
After running Combofix each time this happens, I find an infected Version.dll in C:WindowsSysWOW64 which has a valid digital signature but isn’t the correct version of the dll. My ntuser file will also be infected.
These infections appear to operate as shells to grant backdoor access. Whoever is doing this is very good at what they’re doing.
It’s either an infection on the VPN server or it’s an attack being carried out inbetween my computer and the server. They’re not only exploiting an issue in OpenVPN, but also using a 0day which targets my specific security program.
I recall hearing about Rule 41 becoming law and am beginning to wonder if it’s possible for the government to be doing this sort of thing so soon?
I doubt it is the government but I wanted to ask if any of you have experienced connection issues or issues with your security programs within the past month while using TOR or a VPN.
Worst case scenario I’ll be reformatting and only running my VPN from within a VMware virtual machine…but if they already have a 0day to kill my AV program I wonder if they can attack a hypervisor too.

Leave a Reply