
Someone gained remote access to my machine


This topic is locked. 7 replies to this topic.

#1 exgmano
Posted 29 March 2013 - 12:31 AM

As someone who is working towards a bachelor's degree in computer networking, I have a half-decent understanding (or so I thought) of how the internet works. But today... today my mind was blown. I knowingly downloaded something for a game that was a bit sketchy, fully aware that there was a 90% chance a keylogger came packaged with it; it didn't concern me that much. I tend to be a bit reckless with my machine because just about every virus I've ever come across I can take care of with relative ease (and heck, virus removal offers a weird thrill). Throw in a Hiren's Boot CD, run trusty old MBAM, TDSSKiller etc. and smash malware with an iron fist. Not to mention I tend to reinstall my OS every two months because I make such a mess of my file system I figure it's best I start anew, and continue to dump everything to the desktop.

 

So here's the story of what happened today. I'm playing my game and having a blast when all of a sudden it closes. I figure "Hey, the game just crashed, that's pretty lame". Upon attempting to run the game again and log in I was confronted with a "Password is incorrect" message; at this point I knew what was going on: I got keylogged and someone was in the process of trying to cause havoc with the account. I giggled a bit, then proceeded to go to the website and push a password reset request through my email; since the email had a different password I wasn't too concerned. Upon logging into my email to confirm the password reset, I saw another email sent to confirm the change of email on the account, which I did not request. A fraction of a second later, my display did a brief reset and returned to normal, except for the fact that I was no longer in control of my mouse and keyboard; someone else had taken that liberty. It took me a second to realize what was happening and I reached over and smashed the power button on my tower down. But it was too late: they swiftly used a ctrl+c and ctrl+v combo to paste the link to change the account email into the URL bar. I was flabbergasted and stared at my powered-down computer for a minute. I was shocked... and impressed.

 

Upon power on I booted into safe mode, checked msconfig to find an svchost.exe located in the startup folder and knew that it was the culprit. Proceeded to update MBAM and run a full scan. Checked processes in Task Manager and checked the location of all the svchost.exe processes and found the baddie in c:\users\username\AppData\Roaming, and killed the process. I let MBAM finish scanning and sure enough it detected that file and a couple of others in the same directory; deleted those, then checked the folder myself and deleted some other files that shouldn't have been there. The system option to enable Remote Assistance was also enabled in Control Panel, so I disabled that nonsense. Looked to be some Visual Basic files. Ran TDSSKiller and RKill with nothing to report.

 

So that's about it. Ran netstat and TCPView to check active connections and didn't see anything foreign, just stuff coming from the loopback address etc. As for my account, it's long gone, but I didn't really care about it.

 

So I'm baffled. How is it so easy to exploit Remote Assistance? Not to mention I'm on my college network, which has a pretty giant network topology to crawl through, with what I would assume contains a multitude of security devices. I'm just trying to make sense of this all. In addition, if you have any suggestions to make sure I'm back to where I want to be security-wise, I'm all ears.


Sorry for the long read!
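A defender-side triage script, added here as an example and not part of the thread, that automates the checks exgmano describes: svchost.exe instances running outside the Windows system directory, a copy under AppData\Roaming, Run-key and Startup-folder persistence, and whether Remote Assistance is enabled. It assumes an elevated PowerShell session on Windows; the registry paths and value names are the standard Windows ones.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.

# 1. A genuine svchost.exe only ever runs from System32 (or SysWOW64 on 64-bit).
$systemDir = [Environment]::GetFolderPath('System')          # e.g. C:\Windows\System32
$wowDir    = Join-Path $env:windir 'SysWOW64'
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and
                   ($_.Path -notlike "$systemDir\*") -and
                   ($_.Path -notlike "$wowDir\*") } |
    ForEach-Object {
        Write-Warning "svchost.exe outside the system directory: PID $($_.Id) at $($_.Path)"
    }

# 2. Any file named svchost.exe under the roaming profile is suspect
#    (the thread's sample lived in AppData\Roaming).
Get-ChildItem -Path $env:APPDATA -Filter 'svchost.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Warning "Suspicious file: $($_.FullName) (modified $($_.LastWriteTime))"
    }

# 3. Persistence: per-user and machine Run keys plus both Startup folders
#    (the same places msconfig's Startup tab reads from).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # drop PowerShell's own metadata props
            ForEach-Object { "RUN     $($_.Name) = $($_.Value)" }
    }
}
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
        ForEach-Object { "STARTUP $($_.FullName)" }
}

# 4. Remote Assistance: fAllowToGetHelp = 1 means the feature is enabled.
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$ra = Get-ItemProperty -Path $raKey -Name fAllowToGetHelp -ErrorAction SilentlyContinue
if ($ra -and $ra.fAllowToGetHelp -eq 1) {
    Write-Warning "Remote Assistance is enabled. To disable: Set-ItemProperty -Path '$raKey' -Name fAllowToGetHelp -Value 0"
}
```

Review every RUN and STARTUP line by hand rather than deleting on sight: legitimate software uses the same locations, and a process path is the discriminator, not the name.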


#2 aSILENTfire
Posted 29 March 2013 - 12:49 AM

Haha, you sound like me, but I haven't seen active on-screen activity for almost 2 months now!

So I really shouldn't give you advice haha!

 

Some simple exploit protection that I know of is EMET and Secunia PSI; if that fails, I usually just end up using a boot CD lol



#3 exgmano
Posted 29 March 2013 - 12:56 AM

I was pretty impressed at the sophistication of all of this. I expected the keylogger, but the remote access made me giggle.



#4 aSILENTfire
Posted 29 March 2013 - 01:33 AM

Yes, I'm sure both of you were having a great time.. but in seriousness it does bring the experience to a different level when it's live-action combat like you described.. I've actually caught my computer browsing GPS tracking websites in the history as I was taking a shower; a couple of days later Linux terminal battles were the rage, but they were having some trouble spelling commands right, and actually had to man a command... ahh the good ol' days when things were simpler..




#5 exgmano
Posted 29 March 2013 - 01:39 AM

man sudo, amidoingitrite?



#6 bloopie

  • Malware Response Team

Posted 29 March 2013 - 03:03 PM

Hello exgmano, and welcome to Bleeping Computer! :thumbsup:
 

exgmano asked: How is it so easy to exploit Remote Assistance?

Unfortunately, there are several ways a hacker can use Remote Assistance to take control of your computer. As you mention, you knew the download you chose looked dodgy... there could easily have been an executable file that would enable Remote Assistance embedded in your download package. There are different ways this could happen as well. Malware gets around pretty easily these days.
 
==========
 
If you would like to check your machine for further malware, I'd be happy to assist you. I'm going to move this topic to the Malware Removal Forum where it will stay.
 
First, please post the MBAM log from when you removed the keylogger, then we'll get a log from another tool:

Please download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.pif
  • Double click on the DDS icon, allow it to run.
  • Mark the option attach.txt.
  • Click on Start.
  • After the scan has finished, confirm the message with Ok.
  • DDS will automatically open both logfiles.
  • You can find them on your desktop as well.
  • Please post the content of those logfiles with your next answer.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

==========

In your next reply, please copy and paste the following:
  • The MBAM log
  • The DDS log
  • The attach.txt
bloopie

#7 bloopie

  • Malware Response Team

Posted 02 April 2013 - 06:11 PM

Hello again,

Are you still with us?

This is a Topic Bump! If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, I will be forced to close this topic!

bloopie

#8 bloopie

  • Malware Response Team

Posted 05 April 2013 - 05:48 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
