Hi all, new to the forum. Thought I would join and share an interesting story with you all (posted this on another anti malware site last night, as I have been a member of this site for a while without posting, I thought now would be the time - considering I have something interesting to post :-).
My brother in law doesn't have internet access and only uses his laptop to record music he plays on his guitar. He tells me that his alleged friend is an "l33t h4x0r" (my words) who apparently told him that he could get onto anyone's computer via a VPN connection (My brother in laws words, not mine).
My brother in law who doesn't really know the first thing about computers has been complaining to me for weeks that his so called mate (l33t h4x0r) has infected his laptop with something, I always fobbed him off. To humour him, one time I ran an Avast virus scan, a malwarebytes scan, analysed the running processes, startup locations etc. and determined that there was nothing out of the ordinary (I mean, he doesn't even have an internet connection for crying out loud - so how could he be infected with anything?).
The brother in law has been round to the house a few times, complaining that airplane mode keeps switching itself off (he is paranoid and switches it on and also covers his webcam with a duster!!). I try to explain that as he does not have an internet connection in the first place that he is just paranoid etc..
My brother in law came round to my house again last night with his laptop and said to me that he was at his friends ("l33t H4x0r") house with his laptop the other day and that he noticed that his friends ("l33t H4x0r") laptop screen "looked like his (my brother in laws) windows 10 laptop screen" and that his "friend" didn't even have windows 10. This piqued my interest ever so slightly, so to put his mind at ease (and mine) I dug a little deeper.....
.....I ran various scans, Avast, Malware bytes, TDSS killer and a few other anti rootkit tools, nothing, I then fired up GMER and low and behold "rootkit behaviour detected", I found a hidden service teamviewer_service.exe and trusted installer hidden service. I did a little bit of research in the background (on another machine) and came across the following site :-
GMER crashed a couple of times and the screen on the laptop flickered briefly once (I knew the "L33t H4x0r" was now watching the screen - I was, after all connected to the internet)
The GMER scan finished and I tried to right click and disable the service (GMER crashed again). (He remotely removed RAT) Consequent scans showed no hidden files!!. GMER still showed an unknown MBR though.....
.....I rebooted and did a "bootrec /fixmbr" and "bootrec /fixboot", then did another GMER scan when Windows loaded and nothing found.
My brother in law informed me that at one point (prior to the above) he had gone to the toilet whilst at his "friends" house and heard a USB insertion /removal noise. (The start of the RAT installation, perhaps?).
My brother in laws "friend" it would seem, did the following (whilst my brother in law was relieving himself):-
Inserted a USB pen containing Teamviewer.exe (version 5), the pre populated.ini, and an injector tool with a dropper that had been repacked and checked against virus total and the likes to ensure virus and anti malware avoidance, he then ran this executable which installed the service and hid the executable. Obviously this used a stolen certificate, as installation on X64 should not be that trivial.
My brother in laws friend has BT broadband (I deduced from looking at saved SSID's).
I also believe that his "friend" saved his own credentials with BTFON to allow the automatic connection to BTFON SSIDs (free connection to the internet to BT broadband users routers via UN and PW of existing BT customers). This would allow my brother in laws laptop to get an internet connection without my brother in law having an internet connection of his own - (assuming someone in the vicinity of my brother in law has a BT broadband connection (highly likely)). Thus allowing the H4x0r 24/7 access to the laptop to spy on webcam/mic etc. to what avail though, I do not know?
TLDR. don't trust anyone.
Edited by daveg1, 04 November 2016 - 12:45 PM.