Archive for the 'Hacker Encounters' Category
And so it continued…
So… the hacker struck again. This time we were more prepared for observation. I had asked my work to phone me if anything unusual happened, so when the mouse started moving on one of our machines, we were ready. It was found that the hacker was connecting through the running VNC server on the computers, which led me to believe that my VNC password had been compromised. Although this is always a possibility, I found after a quick web search that there had been a security alert put out for a “VNC 4.1.0 – 4.1.1 (VNC Null Authentication) Auth Bypass Exploit”. So, that was what had let the hacker in: our own remote admin software. I have since had it removed from all the computers, as I never trusted it 100%, and this proved it all the more.
When the hacker connected, he opened up a command window and ftp’d down a rar executable file. He ran it, then I made the decision to pull the network cord before he got too far. The executable was self-installing, so its payload was being delivered from an installable batch file. After searching for a few of the files through Google, I came across this link as the one most closely resembling the files that had been downloaded: http://www.sophos.com/virusinfo/analyses/trojmultidrds.html
Basically, what it looks like it does is install a Serv-U server daemon (with its configuration file), then install a crippling program which destroys defences on computers, such as hiding processes/services and registry entries. It then follows up by installing a remote installation program, a service-starting tool, and a command-line registry editing program. This is what this one self-executing file would do and has done. From then on, the hacker basically ‘owns’ the machine: he can ftp files onto it, the machine’s IP settings are locked down, and remote installation tools are in place so they can remotely execute any program they wish with the process completely hidden.
Scary stuff, eh? So, basically the only way to reverse the process suitably at this point is to give the computer a nice clean install, and not to install too much third-party software such as VNC for now, or at least with much more rigorous security exploit monitoring on my side.
Along came a hacker…
Yesterday was a stressful day… I got a call from work asking if I was remotely controlling a computer, as I sometimes do, for maintenance when I am not nearby. I was not.
Dread set in as I quickly started asking exactly what they saw. The computer was opening web browsers and a command window was open with lots of typing. My guess? Most likely they were downloading scripts to set up shop and make the computer theirs.
Why did this happen? How did this happen? I have no definite answer to that. It could possibly be an unforced Windows update, or a lack of user security consciousness, that led to this. Not to mention I found it had a copy of RealVNC (which I sometimes use for remote connections) with ‘No Authentication Required’ selected; therefore, if anyone did a scan for machines with a VNC server on our network and tried to connect, there would be no password or anything to stop them from connecting. My setting for it is by default a fairly long password, but either a virus strain (assuming that is possible) or the user had reset it to nothing.
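Both posts come down to the same exposure: a VNC server reachable on the LAN that lets a client in without a password. The ‘No Authentication Required’ setting is visible on the wire before any session opens, because the RFB protocol makes the server list the security types it offers right after the version exchange, and type 1 is “None”. The following is an added example, not code from these posts or from RealVNC; it parses that handshake so an administrator can inventory their own workstations for the misconfiguration. The sample server messages at the bottom are constructed for offline use, and the `audit_host` helper (hostname, port and timeout are assumptions) is what you would point at a machine you administer.

```python
"""Inventory check for VNC servers that offer 'None' as a security type.

Added example, not code from the original posts: it performs the first two
steps of the RFB handshake (version exchange, security-type offer) and flags a
server that offers type 1 ("None"), i.e. RealVNC's 'No Authentication Required'
setting, without ever authenticating or opening a session.
"""
import socket
import struct

# Security-type numbers from the RFB protocol specification.
SECURITY_TYPE_NAMES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_version(banner: bytes):
    """Parse the 12-byte 'RFB xxx.yyy\\n' ProtocolVersion message into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def negotiate_version(server_version):
    """Pick the version to answer with: 3.3, 3.7 or 3.8 (the only forms parsed here)."""
    if server_version < (3, 7):
        return (3, 3)
    if server_version < (3, 8):
        return (3, 7)
    return (3, 8)


def parse_security_types(version, payload: bytes):
    """Return the security types a server offers, given the negotiated version.

    RFB 3.3: one 4-byte big-endian security type (0 = connection failed).
    RFB 3.7 and later: a 1-byte count followed by that many 1-byte types;
    a count of 0 means failure, and a length-prefixed reason string follows.
    """
    if version < (3, 7):
        if len(payload) < 4:
            raise ValueError("truncated RFB 3.3 security message")
        (sec_type,) = struct.unpack(">I", payload[:4])
        return [] if sec_type == 0 else [sec_type]
    if not payload:
        raise ValueError("truncated security-types message")
    count = payload[0]
    if count == 0:
        reason_len = struct.unpack(">I", payload[1:5])[0] if len(payload) >= 5 else 0
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError("server refused the connection: %s" % reason)
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types list")
    return types


def assess(version, sec_types):
    """Turn the raw offer into the finding an inventory report would record."""
    names = [SECURITY_TYPE_NAMES.get(t, "type %d" % t) for t in sec_types]
    return {
        "version": "%d.%d" % version,
        "offered": names,
        "no_auth_offered": 1 in sec_types,
    }


def audit_host(host: str, port: int = 5900, timeout: float = 3.0):
    """Check one server you administer: read its offer, then disconnect (assumed parameters)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = negotiate_version(parse_version(sock.recv(12)))
        sock.sendall(b"RFB %03d.%03d\n" % version)
        return assess(version, parse_security_types(version, sock.recv(256)))


# Constructed server messages for offline use; not captured from the incident.
SAMPLE_38_VNC_AUTH_ONLY = b"\x01\x02"        # one offer: VNC Authentication
SAMPLE_38_NO_AUTH = b"\x02\x01\x02"          # offers None and VNC Authentication
SAMPLE_33_NO_AUTH = b"\x00\x00\x00\x01"      # RFB 3.3 form: single type 1 (None)


def run_samples():
    """Assess the constructed samples as if they had been read off the wire."""
    return [
        assess((3, 8), parse_security_types((3, 8), SAMPLE_38_VNC_AUTH_ONLY)),
        assess((3, 8), parse_security_types((3, 8), SAMPLE_38_NO_AUTH)),
        assess((3, 3), parse_security_types((3, 3), SAMPLE_33_NO_AUTH)),
    ]


if __name__ == "__main__":
    for finding in run_samples():
        print(finding)
```

A server whose offer list contains only “VNC Authentication” is not thereby safe: the auth-bypass advisory the first post names concerned a client that could get in despite a sane-looking offer, so this check finds the ‘No Authentication Required’ misconfiguration, while the vulnerable server version is handled by removing or updating the software, as the author did.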
I went in and ran some Spybot and Ad-Aware utilities, and they found some things, most of them the more harmless spyware that comes from general surfing on the Internet. The computer was also loaded with Yahoo games and other ‘contraband’ under the IT policy. This is what happens when you give users more privileges than you should. The user who had viewed this ‘attack’ gave me some quick notes on what the hacker was doing before I instructed them to pull the network cord. This hacker/script-kiddie had been downloading his whole tool-kit from a free web hosting site. It had a lot of stuff, including server daemons, batch files, and lots of very damaging types of files.
I decided to download a few of them to check what they were, being very careful not to actually execute any of them. It was just as I had expected: the scripts this guy had were highly refined to scan internal networks to try and spread, while also subduing the current machine and opening ways for them to connect more easily and hide their presence. I then submitted a ‘report abuse’ form to the web hosting company. I know it is a temporary fix, but hey, it causes a few minutes of annoyance for the hacker. I am surprised the web hosting companies do not shut them down faster; four of the twenty-ish files were caught by my Corporate Symantec right away, and it would not let me download them. Shouldn’t web hosting companies be running these too?
I installed a very exclusive firewall on the workstation, and removed all the unnecessary programs (e.g. ones especially breaking the IT policy). I Spy-botted, removed things, and it should be fine for now. Next step, when I find some time: seeing if this hacker got a functional rootkit successfully installed, or if it was just the VNC server. *sigh*