Programming Reality

Life in C#
Why Windows Updates should be mandatory except on a dial-up connection

The Task

Today I was given the wonderful job of security analyst for a friend of the family. Basically, to put it simply, I had to go fix their computer or else I would have been crapped on by the powers that be (my father). The computer would restart every time it got on the internet, so I had to burn a CD of programs I would take and/or use. Not thinking clearly, I didn't make a multi-session disc, and that would come back to bite me later, as I'll explain.

I go over to their house and have one look at the computer. At first I could open regedit, but some process was actually closing it every so often, so I couldn't look at the normal keys I check first (Run, RunOnce, RunServices). I proceeded to use Task Manager to close out everything I could think of, which then gave me access to regedit (finally!). I then checked the normal places and it turned out there were roughly 6 entries in Run and a couple in RunServices which were very suspicious and obvious viruses. I use the term obvious because I know how to look for certain patterns and I can notice when something doesn't fit the normal pattern.

I then did the normal clean routine I do. I installed Ad-aware and ran it with the latest definitions. I deleted the registry entries and zipped up the files into a folder. I don't know why I decided to keep the virus (not knowing there were about 6 different ones), but sometimes I like to look over stuff, especially since I thought this was something new. This particular one I was looking at was something semi-new in the spyware world. Here's the description:

W32/Rbot-AA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorized remote access to the infected computer via IRC channels while running in the background as a service process.

I cleaned this virus and what I thought was everything, then rebooted. I tried the internet and they showed me the error they were getting. Turns out I didn't get every virus and there was one left: lsasss.exe. It's so close to lsass.exe that I thought it would be okay, but it was a quick fix. I deleted the registry entry, restarted, and all seemed well.
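The two checks above, the autorun registry keys and the near-miss name lsasss.exe, are easy to automate. The script below is an added example, not the author's tooling (PowerShell did not exist on a 2004 machine): it walks the Run, RunOnce and RunServices keys in both hive roots, pulls the executable name out of each command line, and flags names within edit distance 1 or 2 of a legitimate system binary, as well as entries that borrow a system binary's exact name. The list of known binaries and the distance threshold are illustrative assumptions, not a canonical list.

```powershell
# Added example: audit autorun keys for lookalike and borrowed system process names.
# Read-only; run from an elevated prompt so HKLM is fully readable.

# Illustrative (not exhaustive) list of legitimate Windows process names.
$knownSystemBinaries = @('lsass.exe','svchost.exe','csrss.exe','winlogon.exe',
                         'services.exe','explorer.exe','smss.exe','spoolsv.exe')

# Autorun locations under both hive roots. RunServices/RunServicesOnce are only
# honoured on Windows 9x/Me, but the post checks them, so they are included.
$autorunKeys = foreach ($root in 'HKLM','HKCU') {
    foreach ($sub in 'Run','RunOnce','RunServices','RunServicesOnce') {
        "${root}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
    }
}

function Get-Levenshtein {
    # Dynamic-programming edit distance, case-insensitive (lsasss.exe vs lsass.exe = 1).
    param([string]$a, [string]$b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $curr = @(0) * ($b.Length + 1)
        $curr[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i-1] -eq $b[$j-1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($curr[$j-1] + 1, $prev[$j] + 1),
                                    $prev[$j-1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$b.Length]
}

function Get-ExecutableName {
    # Extract the program path from an autorun command line ("C:\x\y.exe" /arg or y.exe /arg)
    # and return just the file name.
    param([string]$commandLine)
    $cmd = $commandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    return [IO.Path]::GetFileName($path)
}

$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$findings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
        $exe = Get-ExecutableName ([string]$p.Value)
        if (-not $exe) { continue }
        $flags = @()
        foreach ($known in $knownSystemBinaries) {
            $d = Get-Levenshtein $exe $known
            if ($d -ge 1 -and $d -le 2) { $flags += "lookalike of $known (edit distance $d)" }
        }
        # Real system binaries are started by the OS, not from Run; malware borrows the name.
        if ($knownSystemBinaries -contains $exe) { $flags += 'uses a system binary name' }
        if ($flags) {
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Executable = $exe
                Why        = $flags -join '; '
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Anything the script lists still needs a human look (check the file's path, signature and timestamp before deleting a key), and a clean result here says nothing about services, scheduled tasks or other persistence locations it does not enumerate.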

Wrong.

While I was sitting on the computer looking at Task Manager for any lingering viruses, I noticed scrgrd.exe would pop up. I closed it and within seconds it popped up again. I thought, “Okay, maybe there's some virus I left or some backdoor that is hidden in the system that's causing the virus to keep running itself.” After closing it a couple of times I noticed other random exes running, like cmd.exe (no command shell was visible), tftp.exe, and ftp.exe. It then started to make sense. The computer was being infected while I was sitting there by some “hacker”.

I laughed and said to myself, “Okay, Mr. Cool Guy. If you think you know what you're doing, you really haven't met me, have you?” I then proceeded to run netstat -a -n to get the network connections and try to see where the person was coming from. I also used Task Manager to close the cmd.exe and other programs as they opened. The tug-of-war then ensued, and this went on for a good couple of minutes before I started to grow some intelligence.

I enabled Internet Connection Firewall, turned on logging, and restarted the dial-up connection. I checked Task Manager to see if any other programs were being run and I didn't see anything new pop up. I knew I had fixed the problem, but only temporarily. I then went to the Windows Update website to see if there was any old problem that was causing this. Sure enough, this computer had never run Windows Updates. No Service Pack 1, no ject fix, no RPC fix, no nothing. This computer was as open as a Waffle House and some “hacker” was exploiting its weakness.

Rather than take the day and a half to download SP1 and all of the Windows Updates, I decided I should make a CD with all of them on it just to be safe. This is where multi-session would have helped out, because the CD I made with AVG and Ad-aware on it was less than 10 megs, which is a huge waste. I could have kept the same CD and just added the necessary updates, but I was dumb, so now I get to waste two CDs on this project instead of one. Luckily, though, I don't have to go back because Internet Connection Firewall is keeping the “hacker” at bay.

Enter the Hacker

I consider myself a true hacker. I like to disassemble practically everything I can to figure out everything possible. I've broken into my fair share of systems, but they were never Windows boxes. I was a script kiddie for most of what I did, but unlike the “hackers” of today I fully understood how each tool worked and how to protect myself in the unlikely event that I'd be noticed. My exploit of choice was the old wu-ftpd 2.6.0 exploit which was present on a certain default Red Hat installation. I even tweaked a backdoored wu-ftpd to replace it, which made it look exactly like the old version. By default, when you compiled the backdoored wu-ftpd it would take your timestamp and version number, but if you changed a couple of files it could look exactly like the default. I thought I was cool, but I almost got caught, which is why I stopped doing that kind of stuff altogether.

The extent of my “damage” was literally a recompile of wu-ftpd. Some admins took the extra time to redo the entire OS, which was overkill. These are the same people that say you cost thousands or millions of dollars when in actuality they could have fixed it in all of 10 minutes by downloading an rpm and installing it.

Fall from the Dark Side

The dark side was tempting, but the light is so much better. I know what most hackers are capable of now because I was one. I also like the challenge of protecting a network and doing forensics to find out who's trying to invade our systems. I've yet to have a real hack attempt on any of my Linux boxes, even though lots of people have tried over the years. I reinstall Slackware every time a new update comes out, so there's really no room for any stale backdoors or anything. I also have a very good firewall script which keeps everyone out of the default ports but allows traffic between my home and work networks.

The Hilarity

The funny thing about this whole ordeal is they were exploiting a dial-up account. How stupid do you have to be to want to gain access to dial-up accounts? The only good they do is provide a bounce to attack other hosts, but even then a broadband connection makes way more sense. Why be limited by 56k when you can control a cable or DSL connection at 3 Mb/s? It only makes slight sense if you're on dial-up, but I remember in my dial-up days I begged for a fast connection to exploit because they were infinitely better and I could use them to download programs or backdoors way faster than a dial-up ever could.

Conclusion

Most viruses now aren't malicious in nature. They are mainly “proof of concept” exploits that simply prove that there's a hole in the OS. Without viruses, Microsoft would have a tough time finding all of the holes in their OS. I'm sure Apple and Linux have holes, but they don't have people actively looking for them, nor do they have the numbers Microsoft has.

I'm not condoning hacking or viruses at all. Without them, there would be a group of hackers that exploited operating systems from the shadows. There would be almost no news on the subject, and this group of people would get away with it for years before they got caught (if they ever did). Viruses tend to bring the holes out in the open for everyone to see, not just those select few that can profit the most. Frankly, I'm glad people have nothing better to do than to find holes in operating systems, because eventually there'll be no more holes left to plug. I just hate having to be the one to clean up the messes they leave behind.

Print | posted on Thursday, July 29, 2004 8:38 PM | Filed Under [ Information Technology Software ]
