Archive for June, 2006
And so it continued…
So… the hacker struck again. This time we were more prepared for observation. I had asked my work to phone me if anything unusual happened, so when the mouse started moving on one of our machines, we were ready. It was found that the hacker was connecting through the running VNC server on the computers, which led me to believe that my VNC password had been compromised. Although this is always a possibility, I found after a quick web search that there had been a security alert put out for a “VNC 4.1.0 – 4.1.1 (VNC Null Authentication) Auth Bypass Exploit”. So, that was what had let the hacker in, our own remote admin software. I have since then had it removed from all the computers, as I never trusted it 100% but this proved it all the more.
When the hacker connected, he opened up a command window and ftp’d down a rar executable file. He ran it, then I made the decision to pull the network cord before he got too far. The executable was self-installing, so its payload was being delivered from an installable batch file. After searching for a few of the files through Google, I came across this link as the one most closely resembling the files that had been downloaded: http://www.sophos.com/virusinfo/analyses/trojmultidrds.html.
Basically, what it looks like it does is install a Serv-U server daemon (with its configuration file), then install a crippling program which destroys defences on computers, doing things such as hiding processes/services and registry entries. It then follows up by installing a remote installation program, a service-starting tool, and a command-line registry editing program. This is what this one self-executing executable file would do, and has done. From then on, the hacker basically ‘owns’ the machine: he can FTP files onto it, the machine’s IP settings are locked down, and remote installation tools are in place so he can remotely execute any program he wishes with the process being completely hidden.
Scary stuff eh? So, basically the only way to reverse the process suitably at this point is to give the computer a nice clean install, and not to install too much third-party software such as VNC for now, or at least to do so with much more rigorous security exploit monitoring on my side.