
Hi all


3 replies to this topic

#1 daveg1 (Members, 2 posts)

Posted 04 November 2016 - 12:35 PM

Hi all, new to the forum. Thought I would join and share an interesting story with you all (posted this on another anti-malware site last night; as I have been a member of this site for a while without posting, I thought now would be the time, considering I have something interesting to post :-).

Background

My brother-in-law doesn't have internet access and only uses his laptop to record music he plays on his guitar. He tells me that his alleged friend is an "l33t h4x0r" (my words) who apparently told him that he could get onto anyone's computer via a VPN connection (my brother-in-law's words, not mine).

My brother-in-law, who doesn't really know the first thing about computers, has been complaining to me for weeks that his so-called mate (l33t h4x0r) has infected his laptop with something. I always fobbed him off. To humour him, one time I ran an Avast virus scan and a Malwarebytes scan, analysed the running processes, startup locations etc. and determined that there was nothing out of the ordinary (I mean, he doesn't even have an internet connection, for crying out loud, so how could he be infected with anything?).

The brother-in-law has been round to the house a few times, complaining that airplane mode keeps switching itself off (he is paranoid and switches it on, and also covers his webcam with a duster!!). I try to explain that, as he does not have an internet connection in the first place, he is just paranoid etc.

My brother-in-law came round to my house again last night with his laptop and said to me that he was at his friend's ("l33t H4x0r") house with his laptop the other day and that he noticed that his friend's ("l33t H4x0r") laptop screen "looked like his (my brother-in-law's) Windows 10 laptop screen" and that his "friend" didn't even have Windows 10. This piqued my interest ever so slightly, so to put his mind at ease (and mine) I dug a little deeper.....

.....I ran various scans: Avast, Malwarebytes, TDSSKiller and a few other anti-rootkit tools. Nothing. I then fired up GMER and, lo and behold, "rootkit behaviour detected". I found a hidden service teamviewer_service.exe and a hidden trusted installer service. I did a little bit of research in the background (on another machine) and came across the following site:

 

https://www.digitalshadows.com/blog-and-research/hidden-teamviewer-service-advertised-on-criminal-forum/

GMER crashed a couple of times and the screen on the laptop flickered briefly once (I knew the "L33t H4x0r" was now watching the screen; I was, after all, connected to the internet).

The GMER scan finished and I tried to right-click and disable the service (GMER crashed again). (He remotely removed the RAT.) Subsequent scans showed no hidden files!! GMER still showed an unknown MBR though.....

.....I rebooted and did a "bootrec /fixmbr" and "bootrec /fixboot", then did another GMER scan when Windows loaded, and nothing was found.

Deduction

My brother-in-law informed me that at one point (prior to the above) he had gone to the toilet whilst at his "friend's" house and heard a USB insertion/removal noise. (The start of the RAT installation, perhaps?)

My brother-in-law's "friend", it would seem, did the following (whilst my brother-in-law was relieving himself):

Inserted a USB pen containing TeamViewer.exe (version 5), the pre-populated .ini, and an injector tool with a dropper that had been repacked and checked against VirusTotal and the like to ensure virus and anti-malware avoidance. He then ran this executable, which installed the service and hid the executable. Obviously this used a stolen certificate, as installation on x64 should not be that trivial.

My brother-in-law's friend has BT broadband (I deduced this from looking at saved SSIDs).
I also believe that his "friend" saved his own credentials with BTFON to allow the automatic connection to BTFON SSIDs (free connection to the internet via BT broadband users' routers using the username and password of existing BT customers). This would allow my brother-in-law's laptop to get an internet connection without my brother-in-law having an internet connection of his own (assuming someone in the vicinity of my brother-in-law has a BT broadband connection, which is highly likely). Thus allowing the H4x0r 24/7 access to the laptop to spy on webcam/mic etc. To what avail, though, I do not know.

TL;DR: don't trust anyone.


Edited by daveg1, 04 November 2016 - 12:45 PM.
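Added example, not part of daveg1's post or of any tool mentioned in it: a PowerShell check a defender can run to surface a service that is registered in the registry but missing from the Service Control Manager's enumeration, which is the kind of "hidden service" GMER flagged above. It assumes the hiding technique denies enumeration to the SCM rather than removing the registry key.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt on
# the suspect machine. Every installed service has a key under the Services
# registry path, whether or not it is visible to Get-Service / services.msc.
# A service whose security descriptor denies enumeration (assumption: this is
# how the hidden TeamViewer service was concealed) appears in the registry
# but not in the SCM list, so the difference between the two is the lead.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Win32 services only (Type 0x10 = own process, 0x20 = shared process);
# kernel and filesystem drivers are excluded to keep the output readable.
$regServices = Get-ChildItem $servicesKey |
    Where-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        $p.Type -in 16, 32
    } |
    Select-Object -ExpandProperty PSChildName

# What the SCM is willing to enumerate for us.
$scmServices = Get-Service | Select-Object -ExpandProperty Name

# Names present in the registry but absent from the SCM enumeration.
$hidden = Compare-Object -ReferenceObject $regServices -DifferenceObject $scmServices |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

foreach ($name in $hidden) {
    $props = Get-ItemProperty "$servicesKey\$name"
    [PSCustomObject]@{
        Service   = $name
        ImagePath = $props.ImagePath   # binary to inspect, hash and check signer on
        Start     = $props.Start       # 2 = automatic start, i.e. survives reboot
    }
}
```

Any name this prints deserves a look at its security descriptor (`sc sdshow <name>`) and at the signer of the binary in ImagePath before the machine is trusted again; an empty result does not prove the machine is clean.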



#2 NickAu, Bleepin' Fish Doctor (Moderator, 13,095 posts)

Posted 04 November 2016 - 06:22 PM

Hi, welcome to Bleeping Computer.

As a new member, be sure to read the Welcome to Bleeping Computer! Guide and the following...

For Linux users.

Regards.
NickAu


Edited by NickAu, 04 November 2016 - 07:03 PM.



#3 NickAu, Bleepin' Fish Doctor (Moderator, 13,095 posts)

Posted 04 November 2016 - 08:03 PM

My Opinion

First thing your brother needs to realize is that this l33t h4x0r is not his friend and he needs to sever all ties with him. Friends do not hack friends' PCs. Friends do not plug USB sticks into friends' PCs without permission.

Once your brother has severed all ties with this l33t h4x0r, he will need to disable the WiFi on the PC. This may mean removing the WiFi card.

Then he may need to reinstall the operating system if he ever wants to get online with that PC. I would never trust an OS that has been hacked.


Edited by NickAu, 04 November 2016 - 08:10 PM.



#4 daveg1, Topic Starter (Members, 2 posts)

Posted 05 November 2016 - 11:17 AM

Totally agree. I am going to re-image the laptop, as no matter how good I think I am, I could never be 100% sure that the laptop was malware-free. Friends do not do that; this takes a special kind of low.
