Are you having COMPUTER PROBLEMS?
As I mentioned on Mastodon and Bluesky, my gaming PC got infected by malware/ransomware, particularly Azov and Expiro. I’m not sure how my computer got infected but this was the push I needed to switch it over to Linux, now that VRChat and SteamVR run pretty well on Linux anyway.
I got super lucky that I noticed something was going weird when I did; basically my computer was left idle for a while, and then out of the blue I saw a “preparing to delete files…” dialog box, which appeared to be preparing to delete everything on my system. I pressed “cancel” and then immediately a flurry of random Windows system dialogs popped up, so I forcibly disconnected the computer from the network so I could investigate. Several core system services were in a “paused” state, and it looked to me like someone had taken remote control of the system and was likely hunting around for a bitcoin wallet or other sensitive data and then attempting a (very clumsy) scorched-Earth afterwards. When they (or their script) realized they’d been caught, they probably ran a very quick thing to destroy all traces of their intrusion.
In hindsight I should have disconnected the network before pressing cancel on the deletion dialog, but oh well.
Anyway, after that I rebooted onto a Knoppix live USB and then ran ClamAV to see what sorts of malware were lurking, and all it found were the aforementioned viruses that had been installed into some MSVC runtime things. Which is a pretty good place to install a virus, if you want it to affect as much as possible!
I have a few theories about how my computer got infected to begin with. I only ever use it to play VRChat and the occasional indie game, and in particular I serve on the SIX jury panel, which involves installing untrusted binaries from who-knows-where, and usually having to defeat Windows Defender because “this app is untrusted,” yadda yadda. I don’t think any of the submissions were malicious, but one of them was probably from someone who’d been infected, and this was just lying in wait for who knows how long.
The other likely possibility is that my machine got exploited when I had a vulnerable VRCX installed. Given that I often perform in VRChat to large, crowded instances, that gives me plenty of attack surface for a drive-by infection. I do remember at one concert a few weeks ago there was a group of people raiding from a hacking group and running hacked clients, and at one point during all this I got disconnected with a “Strange client behavior” error, and I think this was before the most recent VRCX patch.
Either way, I should have been running a real virus scanner (such as ClamAV) to detect things earlier, but oh well.
Fortunately I didn’t lose any data, and in the immediate aftermath of recognizing the issue I immediately killed every auth token for everything I could think of that’s connected to that system and also changed my passwords on all connected services (Discord, Microsoft Account, Twitch, Steam, etc.). This computer also doesn’t have anything sensitive on it, aside from one synced folder that does contain a few software license keys and a few other things, but nothing there was tampered with, at least. My main concern was potentially losing my Steam, VRChat, and Discord accounts, and as far as I can tell that’s been averted.
Since VRChat now runs pretty well on Linux (via GE-Proton), I finally took Kookie’s advice and am switching to Linux for my VR rig. As far as I know the only major problem I’ll run into is not being able to run the Bigscreen Beyond configuration tool natively, but supposedly it works fine from a VM, and it’s not like I ever need to change the settings on it anyway. It’ll be a good experiment; hopefully I can get everything running reliably by next Friday.
This computer was the last one I had in active use that ran Windows as its main OS, and given how craptacular Windows has gotten in the last few years and how much developers are realizing that Windows is not so great anymore, I’ll be happy to try Linux as my main gaming OS.
But, anyway, let this be a reminder that even if you’re “good at computers” and generally practice good hygiene, you really should run a virus scanner. ClamAV is free and Really Good, and also finds malware that targets Linux and macOS. I am now running it on my NAS (as a weekly scan) and will soon be running it on all my Macs and Linux machines as well.
For the Linux install I’m going to first try EndeavourOS, since it’s what Kookie uses and apparently is reasonably easy to get VRChat working in. If I find that I can’t stand Arch after all I’ll just go with mainline Debian instead. Either way I’ll probably use Wayland-Gnome as my desktop environment, although apparently Plasma works a bit better with VRChat. I don’t actually care one way or the other about Gnome vs KDE since both of them are just shitty Windows clones as far as I’m concerned, but since this is a gaming PC that lives in my living room I want DPI scaling and compositing to work right, and I only have so much care in me about the specifics of a UI I’m only going to use as a shell for launching Steam and OBS anyway.
UPDATE: Unfortunately, it turns out that the Bigscreen Beyond only works with AMD GPUs on Linux at this time. ☹️ Guess I’m going to have to grin and bear it with Windows 11. Hopefully I can at least decrapify the install.