
Sneaky is creepy


10 replies to this topic

#1 bmrbogtrotter

bmrbogtrotter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 AM

Posted 10 April 2016 - 01:01 PM

This is my first post, so I hope I don't violate any rules or post in the wrong place. I have someone I used to call a friend, but after his odd behavior while on my computer to locate VHS to download from a website he said was real "cool"... He said he needed to stop Malwarebytes from running because it would not allow the download. This hackers' site does not show any activity as far as downloading. Just click a file and sooner or later it is in your files. After he returned my PC to me I checked around to see what it is he might have done and noticed in my downloads three particular files. Following up on them, it seems as if one is a router hack, another a silent installer and the last, a password stealer.

Can't seem to find how to paste something simple, so I will rewrite:

Nirsoft.&.Sysinternals.Utilities.Suite_2016    SetupS.SendTo Sil...    20,992 KB
SetupS,SendTo.Suite_v16.120.0_ssApp            Application             21,140 KB
SetupS.SendTo.Suite_v16 120.0_ssApp            SetupS.SendTo Sil...    17,576 KB

Am I wrong in thinking the purpose of having these downloaded on my PC is something nefarious, or are they just random benign files with which he was illustrating the ease of that hackers' website?

Any insight would be very appreciated. I can't remain in limbo.


Edited by hamluis, 10 April 2016 - 02:28 PM.
Moved from Gen Sec to Am I Infected - Hamluis.



#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:20 AM

Posted 10 April 2016 - 02:41 PM

"Following up on them, seems as if one is a router hack, another a silent installer and the last, a password stealer."

From where did you get that information?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 JohnnyJammer

JohnnyJammer

  • Members
  • 1,120 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:11:20 AM

Posted 10 April 2016 - 08:13 PM

Well, NirSoft is and can be used to steal passwords, so whatever he did has nothing to do with VHS, mate. He is simply trying to access your PC by the sounds of it and appears to be no friend but someone with small man's syndrome.

I would say he used NirSoft to access wifi passwords and Windows credentials, even passwords from Internet Explorer, Firefox and Chrome.



#4 bmrbogtrotter

bmrbogtrotter
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 AM

Posted 10 April 2016 - 09:38 PM

Hello Didier, thank you for responding. I presume you understood they came from my download library and therefore are referring to each as to where I found the information that allowed me to characterize each as I had.

With respect to this file I located on my PC, file:C:\ppApps\NirSoft-Sysinternals\NirSoft\mailpv.exe, I believe I found the following in a link associated with Bleeping Computer. I recall thinking I could trust that info:

Threat behavior

HackTool:Win32/Mailpassview is a freeware tool that is used to display passwords for a number of email applications. It has a graphical user interface (GUI), but can be run without being displayed to the affected user by utilizing command line switches to save the captured password information to various formats. It can show passwords for the following email applications: Microsoft Outlook Express, Microsoft Outlook, Windows Mail, Windows Live Mail, IncrediMail, Eudora, Netscape 6.x/7.x, Mozilla Thunderbird, Yahoo! Mail, Hotmail/MSN mail, Gmail. A configuration file named <filename>.cfg is dropped in the folder the program runs from; for example, Mailpv.exe would drop Mailpv.cfg.

An image of the tool is shown below:

and;

Threat behavior

Hacktool:Win32/Netpass is a detection for the network password recovery tool. It may have the file name "netpass.exe" and is capable of recovering locally stored passwords for network computers.

and as source: (screenshots attached in the original post)

I hope that addresses that which you were referring to. All seems sinister to me. That and about 400 new items Malwarebytes located immediately thereafter.
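The quoted threat description gives a defender one concrete check: Mail PassView writes a `<filename>.cfg` beside itself in the folder it runs from, so a `.cfg` next to the executable is evidence the tool was actually executed rather than merely downloaded. The script below is an added triage example written for this thread; it is not code from the original post, from NirSoft or from Bleeping Computer. It walks a folder, flags the two tool names quoted above (`mailpv.exe`, `netpass.exe`), records the SHA-256 for submission to an antivirus or threat-intelligence lookup, and reports whether the companion `.cfg` is present. The folder layout and file contents it builds are constructed placeholders modelled on the path in the post, and matching by file name alone is an assumption of this example, not a substitute for a scanner.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed set of the NirSoft password-recovery utilities named in the thread.
# mailpv.exe = Mail PassView, netpass.exe = Network Password Recovery.
# Assumption: matching is by file name only; a real triage would also compare
# the SHA-256 against antivirus or threat-intelligence data.
KNOWN_HACKTOOL_NAMES = {"mailpv.exe", "netpass.exe"}

# Constructed placeholder bytes standing in for a downloaded executable.
SAMPLE_CONTENT = b"constructed placeholder, not a real binary\n"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Hash a file in chunks so large downloads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_directory(root) -> list:
    """Walk `root` and report every known password-recovery tool found.

    Per the quoted threat description, the tool drops <name>.cfg in the folder
    it runs from, so a matching .cfg is recorded as evidence of execution.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.lower() not in KNOWN_HACKTOOL_NAMES:
            continue
        cfg = path.with_suffix(".cfg")  # mailpv.exe -> mailpv.cfg
        findings.append({
            "path": str(path),
            "size": path.stat().st_size,
            "sha256": sha256_of_file(path),
            "config_dropped": cfg.exists(),
        })
    return findings


def build_sample_tree() -> Path:
    """Create a constructed folder modelled on the post's path
    (C:\\ppApps\\NirSoft-Sysinternals\\NirSoft): mailpv.exe with a dropped
    .cfg beside it, netpass.exe with none, and one unrelated file.
    Returns the temporary root directory.
    """
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    tool_dir = root / "ppApps" / "NirSoft-Sysinternals" / "NirSoft"
    tool_dir.mkdir(parents=True)
    (tool_dir / "mailpv.exe").write_bytes(SAMPLE_CONTENT)
    (tool_dir / "mailpv.cfg").write_text("[General]\n")  # evidence it was run
    (tool_dir / "netpass.exe").write_bytes(SAMPLE_CONTENT)
    (tool_dir / "README.txt").write_text("unrelated file\n")
    return root


if __name__ == "__main__":
    for finding in triage_directory(build_sample_tree()):
        state = "executed (.cfg present)" if finding["config_dropped"] else "downloaded only"
        print(f"{finding['path']}  sha256={finding['sha256'][:16]}...  {state}")
```

On a real machine you would point `triage_directory` at the Downloads folder or the `C:\ppApps` tree instead of the constructed sample; the printed hashes are what Didier's later reply asks for, since a scanner or reputation lookup keyed on the SHA-256 tells you far more than the file name does.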

 

 

#5 bmrbogtrotter

bmrbogtrotter
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 AM

Posted 10 April 2016 - 09:51 PM

Thank you, JohnnyJammer. I just felt as if I had been punched in the gut from reading your comment. Not from or as by you, of course. You seem to confirm my exact same suspicions. It's not as if I have any great secrets. I don't think that is what individuals have in mind when they secretly try to gain access or install keyloggers. It may be correct to say that the vast majority would not know how, what or why anyone had invaded their privacy, and that the attacker uses his experience over someone else's lack of experience and accepts that as a challenge when a challenge was not made. Pity there are people in this world like that. "Just because they can."

#6 JohnnyJammer

JohnnyJammer

  • Members
  • 1,120 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:11:20 AM

Posted 10 April 2016 - 10:16 PM

Well, a lot of script kiddies like to take control of machines to use as DDoS zombies or for calculating bitcoins.

Some people just think they are awesome because they watched a YouTube video and learnt how to do something but never actually created their own exploit and/or method of attack/access.

It's only when you say "Ohh, so if I did this would you be able to access it" that they generally change the subject, because they actually have no clue.

I have had many convos with people in online games threatening this and that, blah blah; start getting info from their devices or ask some technical questions and they either leave, change subject or call you a Chinese hacker, LOL.

If you don't know something then there is nothing wrong with admitting it. You look better being honest than a fool claiming to be a Ub3r L337 Hax0r using tools you never know how they work or write your own.

 

Go watch some of Didier's videos mate, he knows what he is talking about.



#7 bmrbogtrotter

bmrbogtrotter
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 AM

Posted 10 April 2016 - 10:22 PM

My internet usage meter indicates usage of just over 9 GB for the past 4 days. 1900 items in 19 folders in my Pictures library is .5.5 GB and 1074 files in 74 folders is not quite 2 GB, which make up the bulk of my usage in the two months I have had this machine. No vids downloaded. Just watched a few on YouTube and surfed FB a few hours since then. An IT friend said last night that the property details of my network indicated another server other than the three identical listings I had, and with an addition of... IPv4... but a blank address. It appeared to him that someone other than myself had accessed my PC.

Do I need to call out my former friend, or does he already know?



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:20 AM

Posted 11 April 2016 - 12:18 PM

I was asking because I wondered if you used a kind of AV scanner on these files; then it would be useful to have the output of that scanner.

I suppose you cannot get (reliable) information from the person who did this, to determine if said person did something nefarious?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


#9 bmrbogtrotter

bmrbogtrotter
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 AM

Posted 11 April 2016 - 12:44 PM

Thank you again, Didier. I'm not familiar with an AV scanner. Does it indicate activity they have caused or responded to? In your opinion, are those randomly selected downloads from a list, or do they seem to have a deliberate connection for a future attempt to access data remotely?

*Edit: Anti Virus, not Audio Video... my bad


Edited by bmrbogtrotter, 11 April 2016 - 01:15 PM.


#10 bmrbogtrotter

bmrbogtrotter
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 AM

Posted 11 April 2016 - 01:09 PM

After telling me that I would love the site from which the aforementioned downloads came (and they show no indication whatsoever as they download in stealth), and upon simply being shown, with no accusations as to what I had found, he offered the following as a sidestepped denial, which I find to be totally conflicting with his initial praises:

http://www.nirsoft.net/false_positive_report.html

and

https://www.foolishit.com/2009/10/nirsoft-utility-launcher-beta-with-sysinternals-functionality/

 

 



#11 bmrbogtrotter

bmrbogtrotter
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:20 AM

Posted 11 April 2016 - 01:37 PM

Johnny Jammer... After re-reading your above comment, it seems as if that response was directed at me trying to bluff someone here into telling me how to do what I said was done to me. Talk about adding insult to injury. I was wanting to know if someone whom I had once trusted breached that... period. Not the steps or methods to destroy that. Trust does not work that way, Mate.





