View Full Version : Trojans And Spyware


Stuartbe
17-02-2004, 22:52
Just been called to a customer's house.......

She was worried about strange activity on her PC. (600k narrowband :D )

As she made me a welcome cup of tea I was watching the PC monitor. As I watched, the mouse cursor started to move and went into Iexplore and then History. The customer had apparently been running her internet banking on the site earlier that day and the link was in History. The cursor then selected the online bank and, to my horror, clicked on the password box. The user had password save in IE switched on and sure enough - up popped her password on the screen in ******. The cursor then clicked onto her current account. I then dived behind the PC and pulled out the USB cable (snapping off the connector in the process). The user came in wondering what was going on.

After I pulled out the half USB connector from the back of the machine I cleared all the passwords and then connected the cable modem to a hub via ethernet and linked from the hub to my laptop. I ran Ethereal in prom. mode and renewed the lease on the cable modem....

After about 10 mins the mouse started to move again. There were bucket loads of packets going in and out on port 1243 (Sub7). There were also crap loads on port 3389 (Terminal Services) - remote desktop assistance. I watched this for a while and then net messaged the PC from my laptop with " THIS IS THE FBI - YOUR CONNECTION HAS BEEN DETECTED AND WE ARE TRACKING YOU NOW "....

The mouse stopped moving and then a Windows box appeared -- " sorry !! we were only having a bit of fun " :rofl: :rofl: :rofl:

Nothing after that.........I think I scared them off. IP was from a US university and I have already e-mailed the listed administrator.....

Ran eTrust on the computer and found 27 diff. trojans and 14 diff. viruses :eek:

Then ran Ad-Aware: 14532 components detected :eek: :eek: :eek:

Cleaned the computer for her, installed KPF on the computer, re-installed her out-of-date Norton and installed SpywareBlaster. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

What a night - just goes to show - some users think they are secure and it's the internet banks that get hacked - WRONG....

Having a well deserved beer now with the extra £30.00 she gave me for sorting her out :)
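The capture described in the post (a sniffer on a hub between the cable modem and the PC, showing traffic on ports 1243 and 3389) reduces to a simple flow check. The script below is an added example, not code from anyone in this thread: it parses a constructed connection log in a made-up one-line-per-packet format and flags packets between the home PC and any peer outside the local network where either side uses one of the two ports the post names; the IP addresses, the log format and the port labels are assumptions.

```python
import ipaddress
from collections import Counter

# Ports the post describes: 1243 (SubSeven's default) and 3389 (Terminal
# Services). The labels are assumptions used only for the report.
WATCHED_PORTS = {1243: "SubSeven default port", 3389: "Terminal Services / RDP"}

# Constructed sample log (not a real capture), one packet per line:
# "HH:MM:SS src_ip:src_port -> dst_ip:dst_port proto". 192.168.1.10 stands
# in for the customer's PC, 203.0.113.45 for the remote controller.
SAMPLE_LOG = """\
22:41:07 203.0.113.45:4021 -> 192.168.1.10:1243 tcp
22:41:07 192.168.1.10:1243 -> 203.0.113.45:4021 tcp
22:41:09 203.0.113.45:4022 -> 192.168.1.10:3389 tcp
22:41:12 192.168.1.10:1034 -> 192.168.1.1:53 udp
22:41:15 192.168.1.10:1035 -> 203.0.113.80:80 tcp
22:41:20 192.168.1.20:3389 -> 192.168.1.10:3389 tcp
"""

def parse_flow(line):
    """Split one log line into its fields; ports become ints."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto}

def suspicious_flows(lines, home_ip, local_net):
    """Return (time, peer, port, label) for each packet between home_ip and
    a peer outside local_net where either side uses a watched port."""
    local = ipaddress.ip_network(local_net)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if home_ip not in (f["src_ip"], f["dst_ip"]):
            continue
        peer = f["dst_ip"] if f["src_ip"] == home_ip else f["src_ip"]
        if ipaddress.ip_address(peer) in local:
            continue  # LAN traffic on 3389 is expected; only external peers count
        for port in (f["dst_port"], f["src_port"]):
            if port in WATCHED_PORTS:
                hits.append((f["ts"], peer, port, WATCHED_PORTS[port]))
                break
    return hits

def summarize(hits):
    """Packets per (peer, port): the figures worth sending to the peer's admin."""
    return Counter((peer, port) for _ts, peer, port, _label in hits)
```

Running `summarize(suspicious_flows(SAMPLE_LOG.splitlines(), "192.168.1.10", "192.168.1.0/24"))` on the constructed log reports two packets on 1243 and one on 3389 from 203.0.113.45, and nothing for the DNS, web or LAN-side RDP lines.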

Ramrod
17-02-2004, 22:58
Just been called to a customer's house.......

£30??! I reckon you should have been paid more than that! :eek: Good work!

Stuartbe
17-02-2004, 22:59
£30??! I reckon you should have been paid more than that! :eek: Good work!

That was the extra :) The bill was £90 ....

Oh, and I put an ethernet card in too - got rid of Gearbox from her old dial-up (still asking her to register) and left the system defragging.

I think she is a happy bunny.....

Ramrod
17-02-2004, 23:00
That was the extra :) The bill was £90 ....
Phew! ...still repped you anyway :D
...how many bits of spyware :eek: :rofl:

Stuartbe
17-02-2004, 23:02
Phew! ...still repped you anyway :D
...how many bits of spyware :eek: :rofl:

14532 :eeek:

Florence
17-02-2004, 23:03

Nice one, but I never keep my passwords for the bank on the PC.
Never seen anyone with so much spyware; it's a wonder the PC worked at any decent speed. :eek:

paulyoung666
17-02-2004, 23:04
Scary story central. I have seen it done at work, legitimately I might add. It is scary enough seeing it done like that, never mind being done that way. Kudos to you for sorting it out :)

Stuartbe
17-02-2004, 23:06
Scary story central. I have seen it done at work, legitimately I might add. It is scary enough seeing it done like that, never mind being done that way. Kudos to you for sorting it out :)

Thanks m8.....

Maybe it's time that ntl recommended a firewall, antivirus and anti-spyware apps to all its users. Let's face it - if you have all three installed it makes life far more difficult for the script kiddies!

swoop101
17-02-2004, 23:09
Why do people not learn the basics of security even when you spell it out to them?
It is no wonder that there are so many nasties out there, when the loonies and script kiddies know that a huge number of open systems are out there waiting to be found.
It should be a requirement that some form of instruction be given to these people that just buy a computer from the nearest outlet and plug it in with no thought for the necessary precautions.
Well done for your professional expertise Stuart :tu: (should have signed them up for an instruction course)

Stuartbe
17-02-2004, 23:13
Why do people not learn the basics of security even when you spell it out to them?
It is no wonder that there are so many nasties out there, when the loonies and script kiddies know that a huge number of open systems are out there waiting to be found.
It should be a requirement that some form of instruction be given to these people that just buy a computer from the nearest outlet and plug it in with no thought for the necessary precautions.
Well done for your professional expertise Stuart :tu: (should have signed them up for an instruction course)

I think that forcing the OEMs to at least install a firewall and antivirus would be a good step.... !

homealone
17-02-2004, 23:29
I think that forcing the OEMs to at least install a firewall and antivirus would be a good step.... !

That's a good point - most mobo CDs usually have at least an AV, but installation is often optional. Having a NAT function in the connecting device would be good, too :)

Stuartbe
18-02-2004, 10:49
That's a good point - most mobo CDs usually have at least an AV, but installation is often optional. Having a NAT function in the connecting device would be good, too :)

Just received an email from the admin at the US uni.... He has investigated and is going to take action :eek: ! I have emailed him the full details...

Looks like some admins take this seriously !!!!!!

Bifta
18-02-2004, 10:58
Heh, along the same lines, we used to NetBus colleagues' PCs at work, wait for them to stick a CD in the drive and, as soon as they closed it, reopen it remotely ... after 4 or 5 times it was getting difficult to contain ourselves.

Stuartbe
18-02-2004, 11:04
Heh, along the same lines, we used to NetBus colleagues' PCs at work, wait for them to stick a CD in the drive and, as soon as they closed it, reopen it remotely ... after 4 or 5 times it was getting difficult to contain ourselves.

Ahhh. Old times - I miss the old Win98 boxes on our LAN. I used to WinNuke them if someone upset me :D

It's great fun when they ring the helpdesk and you ask them what they have done to cause the BSOD :rofl: