Ex-Brother-in-Laws infected PC and possible trouble

    My ex-Brother-in-Law got infected with some sort of ransomware. He's freaking out. Said his PC was beeping and had him call some number, everything was locked up. He called the number, installed the software they told him to install, and then when someone connected to the PC, asking for personal info, he shut down the PC. When he restarts, he can't do anything. I'm familiar with the ransomware.

    I had some questions though. Instead of just removing the malware / formatting the PC / reinstalling, whatever, if I could monitor the network traffic, using something like Wireshark, and grab an IP address, and then trace that IP address to a country, assuming they're not connecting via a proxy or something, how much trouble could I get into if I tried hacking into their network?

    There are scanning tools like Nessus that make scanning for vulnerabilities fairly simple, and then there are tools, like Metasploit, that make exploiting those vulnerabilities fairly simple. If they're in a country where we don't have diplomatic relations, could I still get in trouble? Or if I were to go through a proxy in a country that we didn't have diplomatic relations with, to hide my real IP, and then tried getting into their network, could I get in trouble?

    Thanks.
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

    #2
    Re: Ex-Brother-in-Laws infected PC and possible trouble

    they will most likely be using a proxy - probably some haxored pc running windows.

      #3
      Re: Ex-Brother-in-Laws infected PC and possible trouble

      Originally posted by Spork Schivago
      My ex-Brother-in-Law got infected with some sort of ransomware. He's freaking out. Said his PC was beeping and had him call some number, everything was locked up. He called the number, installed the software they told him to install, and then when someone connected to the PC, asking for personal info, he shut down the PC. When he restarts, he can't do anything. I'm familiar with the ransomware.

      I had some questions though. Instead of just removing the malware / formatting the PC / reinstalling, whatever, if I could monitor the network traffic, using something like Wireshark, and grab an IP address, and then trace that IP address to a country, assuming they're not connecting via a proxy or something, how much trouble could I get into if I tried hacking into their network?

      There are scanning tools like Nessus that make scanning for vulnerabilities fairly simple, and then there are tools, like Metasploit, that make exploiting those vulnerabilities fairly simple. If they're in a country where we don't have diplomatic relations, could I still get in trouble? Or if I were to go through a proxy in a country that we didn't have diplomatic relations with, to hide my real IP, and then tried getting into their network, could I get in trouble?

      Thanks.

      It's your baby now, hope you like trips to hell. If all his files have been encrypted by the malware, you can't even copy them elsewhere! Well, you can, but w/o the decrypt keys, they may as well be empty.

      They're gonna be all set up and hardened long before they start scamming/pushing, so even if you think you've found an "in," the IP could be spoofed/proxied for all you know.

      Here's the deal: That shit got on there thru some third party script/banner/whatever, that merely used the system as whitespace to "advertise" their numbah. As typical with social engineering, they prey on the stimulus-response. He called the number, probably gave them a code that tied the event back to them; a means for them to "customize" the crap he was "convinced" to download. Sheepishly, he took it; what is this, discount week at jiffy lube?

      Now, by his own actions, he's in over his head.


      I hope this sinks in for anyone else reading: Use a hosts file!

      Coming up on 2016, it's just plain STUPID not to!

      For anyone foolish enough not to run a hosts file, you kill the power at the first sign of the time-delayed droppers! Then, wipe cache/temp/etc. Like any of that needs repeating...


      Originally posted by stj
      they will most likely be using a proxy - probably some haxored pc running windows.

      Wouldn't be surprised. That thing downloaded could be just that! Sort of how microshit does P2P on any computer to help "update" (infect) others, and "spread the love."
      Last edited by kaboom; 10-16-2015, 03:36 PM.
      "pokemon go... to hell!"

      EOL it...
      Originally posted by shango066
      All style and no substance.
      Originally posted by smashstuff30
      guilty,guilty,guilty,guilty!
      guilty of being cheap-made!

        #4
        Re: Ex-Brother-in-Laws infected PC and possible trouble

        Originally posted by stj
        they will most likely be using a proxy - probably some haxored pc running windows.

        I agree, they probably will be running some sort of proxy. However, perhaps they own the proxy, or if I could get into the proxy, I could look through the logs and find their real IP addresses...
        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

          #5
          Re: Ex-Brother-in-Laws infected PC and possible trouble

          Originally posted by kaboom
          It's your baby now, hope you like trips to hell. If all his files have been encrypted by the malware, you can't even copy them elsewhere! Well, you can, but w/o the decrypt keys, they may as well be empty.

          They're gonna be all set up and hardened long before they start scamming/pushing, so even if you think you've found an "in," the IP could be spoofed/proxied for all you know.

          Here's the deal: That shit got on there thru some third party script/banner/whatever, that merely used the system as whitespace to "advertise" their numbah. As typical with social engineering, they prey on the stimulus-response. He called the number, probably gave them a code that tied the event back to them; a means for them to "customize" the crap he was "convinced" to download. Sheepishly, he took it; what is this, discount week at jiffy lube?

          Now, by his own actions, he's in over his head.

          I hope this sinks in for anyone else reading: Use a hosts file!

          Coming up on 2016, it's just plain STUPID not to!

          For anyone foolish enough not to run a hosts file, you kill the power at the first sign of the time-delayed droppers! Then, wipe cache/temp/etc. Like any of that needs repeating...

          Wouldn't be surprised. That thing downloaded could be just that! Sort of how microshit does P2P on any computer to help "update" (infect) others, and "spread the love."

          I believe I'm familiar with the scam he fell victim to. I've seen it on maybe three or four customers' PCs and I know a couple of computer-savvy people who had friends / acquaintances who also fell victim. Typically, there are two variants, perhaps run by the same scam artists. The first one, they call you saying you have a virus and need you to go to a website to remove it. Generally, they claim to be Microsoft.

          The second one, the one that my ex-Brother-in-Law fell for, you go to a website, a pop-up appears, it looks like a blue-screen of death. It doesn't look like a pop-up, although it is. If you simply close the browser using CTRL-ALT-DEL or maybe ALT-F4 or just shut it down and restart, you're fine. The window gives you a number to call, claiming it's a Microsoft number and they'll fix it for free. When you call, they get your e-mail address, phone number and address. Then they instruct you on how to go to a website. You go there, download some trojan, and when you run it, they connect to your PC. They lock you out of everything, including the registry. At this point, they say in order to fix it, they need something like $200. I knew a person who gave them his credit card number, social security number, address, banking info, etc. Everything they asked for to "prove" his identity.

          My ex-Brother-in-Law was smart enough to shut it down when they connected to his PC. I told him to bring it in. I doubt any files are encrypted. Although there are viruses that can and do encrypt your file system, the few variants of this one that I've dealt with weren't that sophisticated.

          Generally, whenever I come across any infected PC, I simply hook the hard drive up to my Linux box, copy the data off, saved passwords, bookmarks, etc. and just format and reinstall. I've found once your PC is infected, even if you have an AV or a program like Malwarebytes, there's really no way to be certain there isn't something lurking behind. Rootkits seem to be extremely hard to remove. I've tried, just for fun, to remove one. Got one removed once but could never get internet back on the machine. No matter what I did, the IP stack was gone. Had to format and reinstall.

          One last thing, I believe once he downloaded what they told him to and when he installed it, they actually go through your PC. Probably using some sort of script, to grab saved passwords, etc. I really hate people like that, that take advantage of other people. Thought it'd be fun to just try and mess with them a little.
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

            #6
            Re: Ex-Brother-in-Laws infected PC and possible trouble

            Wouldn't they still need a real IP address in order to receive any information from the infected PC back to their servers? When I say real IP address, I mean to include proxy addresses as well. I know you can spoof your IP address, inject custom packets into the network, etc., but without a real IP address, data could never be returned to the sender, correct? It'd be kinda pointless, being one-way-only. Unless you were just trying to get in and then had a dropper or something install software that connects back to a real IP, IRC server, etc. Right?
            Last edited by Spork Schivago; 10-16-2015, 04:40 PM.
            -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

              #7
              Re: Ex-Brother-in-Laws infected PC and possible trouble

              you or them can get a real or more-real IP just by using a UDP ping.
              don't underestimate the number of ways you can both manipulate and work around the routing.

                #8
                Re: Ex-Brother-in-Laws infected PC and possible trouble

                With hundreds if not thousands of domains registered daily for nefarious purposes, using a hosts file is pretty much a waste of time; sure, it will stop some, but definitely not all. Far better to follow the advice of security professionals and secure your browser and stay fully patched and updated.

                Malware tends to communicate with a server somewhere, which means the criminals behind it can push other software out to "their" computers. Whilst you might be able to find that, I doubt you'll be able to find who is controlling it.

                It will be interesting to see if it's real or fake crypto malware.

                  #9
                  Re: Ex-Brother-in-Laws infected PC and possible trouble

                  disable flash
                  disable java bytecode

                  if you're using Windows and they still have it after the IE5 incidents - disable ActiveX etc.

                    #10
                    Re: Ex-Brother-in-Laws infected PC and possible trouble

                    NoScript, Ghostery, an ad blocker and click-to-run Flash. And I wouldn't use IE.
                    And don't be an admin, be a user.
                    Last edited by diif; 10-16-2015, 05:32 PM.

                      #11
                      Re: Ex-Brother-in-Laws infected PC and possible trouble

                      Originally posted by diif
                      With hundreds if not thousands of domains registered daily for nefarious purposes, using a hosts file is pretty much a waste of time; sure, it will stop some, but definitely not all. Far better to follow the advice of security professionals and secure your browser and stay fully patched and updated.

                      Malware tends to communicate with a server somewhere, which means the criminals behind it can push other software out to "their" computers. Whilst you might be able to find that, I doubt you'll be able to find who is controlling it.

                      It will be interesting to see if it's real or fake crypto malware.

                      Yeah, hosts files don't really provide the security that they used to. In Linux, there are distros you can use to set up a PC as a firewall, and I've seen software that inspects the packets for known attacks. Perhaps the software also searches the incoming packets for known malware / viruses. You know, block the shit before it hits the local client rather than at the actual client. I'm sure Windows has a similar feature.
                      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                        #12
                        Re: Ex-Brother-in-Laws infected PC and possible trouble

                        Originally posted by stj
                        disable flash
                        disable java bytecode

                        if you're using Windows and they still have it after the IE5 incidents - disable ActiveX etc.

                        I want to say I got a white letter from Java saying that they actually recommend not installing it on PCs unless absolutely necessary, and then only enabling it when it needs to be used, then disabling it right after. Seems with every security fix they were coming out with, they'd find or it'd create a bunch more vulnerabilities. So many devices use Java, just not PCs. A good example is Blu-Ray players. I believe a lot of them are rootable because of some Java exploit. I don't know if they just reverse the byte code to source and find a vulnerability in the code or if they are actually exploiting Java itself.
                        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                          #13
                          Re: Ex-Brother-in-Laws infected PC and possible trouble

                          Originally posted by diif
                          With hundreds if not thousands of domains registered daily for nefarious purposes, using a hosts file is pretty much a waste of time; sure, it will stop some, but definitely not all. Far better to follow the advice of security professionals and secure your browser and stay fully patched and updated.

                          Malware tends to communicate with a server somewhere, which means the criminals behind it can push other software out to "their" computers. Whilst you might be able to find that, I doubt you'll be able to find who is controlling it.

                          It will be interesting to see if it's real or fake crypto malware.

                          There was some malware that a person was exploring. He ran it in a virtual machine and watched the traffic from the virtual machine's NIC to the main PC (having the main PC disconnected from the network). He noticed it was trying to connect to an IRC server and then post an IP address and some other info, maybe usernames or something, to a channel. Using a sniffer, he was able to grab the username and password to the channel. He logged in and said something to the one user there. I don't remember what it was. Something like "this is the FBI, we're tracking your IP address, do not disconnect" (or maybe something totally different). Anyway, the kid thought it was one of his friends messing around with him, and when he realized it wasn't, the channel and the guy were gone! I thought that was kinda cool.
                          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

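The VM-and-sniffer analysis described in the post above, as an added example (not code from this thread or its posters): a short Python script that looks through client-to-server payloads captured from an isolated VM for the IRC registration handshake, then pulls out the channel, any channel key, and what the bot posts about the victim. The flows, addresses, nicks and channel names are constructed for the example.

```python
"""Spot an IRC-style beacon in traffic captured from an isolated malware VM.

Constructed flows: each entry is (src, dst, dst_port, client_to_server_text)
as you might reassemble them from a capture on the host side of the VM's NIC.
Addresses come from documentation ranges; nothing here is a real sample.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Registration and channel commands an IRC client sends; a bot that "posts"
# into a channel uses PRIVMSG, which is where leaked victim data shows up.
IRC_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PRIVMSG"}
# Conventional IRC ports; a beacon on any other port deserves a second look.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

SAMPLE_FLOWS: List[Tuple[str, str, int, str]] = [
    ("10.0.2.15", "203.0.113.7", 6667,
     "PASS s3cret\r\nNICK bot-0f1a\r\nUSER w x y :w\r\nJOIN #drop key123\r\n"
     "PRIVMSG #drop :ip=198.51.100.23 user=victim os=win7\r\n"),
    ("10.0.2.15", "203.0.113.9", 443,
     "GET /update.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("10.0.2.15", "203.0.113.11", 8080,
     "NICK drone77\r\nUSER a b c :d\r\nJOIN #c2\r\n"),
]


@dataclass
class IrcBeacon:
    dst: str
    dport: int
    nonstandard_port: bool
    nick: Optional[str] = None
    server_pass: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    channel_keys: Dict[str, str] = field(default_factory=dict)
    leaked: List[str] = field(default_factory=list)  # PRIVMSG bodies


def analyse_flow(dst: str, dport: int, payload: str) -> Optional[IrcBeacon]:
    """Return an IrcBeacon if the client side of this flow registers with IRC."""
    beacon = IrcBeacon(dst=dst, dport=dport, nonstandard_port=dport not in IRC_PORTS)
    seen = set()
    for raw in payload.splitlines():
        parts = raw.split(" ", 2)          # e.g. ["JOIN", "#drop", "key123"]
        cmd = parts[0].upper()
        if cmd not in IRC_COMMANDS:
            continue
        seen.add(cmd)
        if cmd == "PASS" and len(parts) > 1:
            beacon.server_pass = parts[1]
        elif cmd == "NICK" and len(parts) > 1:
            beacon.nick = parts[1]
        elif cmd == "JOIN" and len(parts) > 1:
            beacon.channels.append(parts[1])
            if len(parts) > 2:             # JOIN <channel> <key>
                beacon.channel_keys[parts[1]] = parts[2]
        elif cmd == "PRIVMSG" and " :" in raw:
            beacon.leaked.append(raw.split(" :", 1)[1])
    # NICK plus USER is the registration every IRC client performs; requiring
    # both avoids flagging a stray "JOIN" that some other protocol might carry.
    return beacon if {"NICK", "USER"} <= seen else None


def find_irc_beacons(flows) -> List[IrcBeacon]:
    found = [analyse_flow(dst, dport, data) for _src, dst, dport, data in flows]
    return [b for b in found if b is not None]


def report(beacon: IrcBeacon) -> str:
    """One-line summary suitable for a triage note."""
    port_note = " (non-standard port)" if beacon.nonstandard_port else ""
    return (f"IRC beacon to {beacon.dst}:{beacon.dport}{port_note} nick={beacon.nick} "
            f"channels={beacon.channels} keys={beacon.channel_keys} "
            f"server_pass={'yes' if beacon.server_pass else 'no'} "
            f"leaked_messages={len(beacon.leaked)}")


if __name__ == "__main__":
    for b in find_irc_beacons(SAMPLE_FLOWS):
        print(report(b))
        for msg in b.leaked:
            print("  victim data posted to channel:", msg)
```

The destination, channel and key in the report are what you would hand to the host's ISP or an abuse contact; the PRIVMSG bodies tell you what about the victim has already left the machine.
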
                            #14
                            Re: Ex-Brother-in-Laws infected PC and possible trouble

                            Originally posted by Spork Schivago
                            My ex-Brother-in-Law got infected with some sort of ransomware. He's freaking out. Said his PC was beeping and had him call some number, everything was locked up. He called the number, installed the software they told him to install, and then when someone connected to the PC, asking for personal info, he shut down the PC. When he restarts, he can't do anything. I'm familiar with the ransomware.

                            I had some questions though. Instead of just removing the malware / formatting the PC / reinstalling, whatever, if I could monitor the network traffic, using something like Wireshark, and grab an IP address, and then trace that IP address to a country, assuming they're not connecting via a proxy or something, how much trouble could I get into if I tried hacking into their network?

                            There are scanning tools like Nessus that make scanning for vulnerabilities fairly simple, and then there are tools, like Metasploit, that make exploiting those vulnerabilities fairly simple. If they're in a country where we don't have diplomatic relations, could I still get in trouble? Or if I were to go through a proxy in a country that we didn't have diplomatic relations with, to hide my real IP, and then tried getting into their network, could I get in trouble?

                            Thanks.

                            I've gone after the scammers before. Amazon AWS as a proxy, or Google's cloud hosting thing.
                            Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....

                            "Dude, this is Wyoming, i hopped on and sent 'er. No fucking around." -- Me

                            Excuse me while i do something dangerous


                            You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.

                            Sometimes you need to break shit to fix it.... Thats why my lawnmower doesn't have a deadman switch or engine brake anymore

                            Follow the white rabbit.

                              #15
                              Re: Ex-Brother-in-Laws infected PC and possible trouble

                              Originally posted by Spork Schivago
                              Yeah, hosts files don't really provide the security that they used to. In Linux, there are distros you can use to set up a PC as a firewall, and I've seen software that inspects the packets for known attacks. Perhaps the software also searches the incoming packets for known malware / viruses. You know, block the shit before it hits the local client rather than at the actual client. I'm sure Windows has a similar feature.

                              Smoothwall, m0n0wall or pfSense are all good Linux firewalls.
                              Software to do packet inspection is not cheap and certainly not a Windows feature.
                              Even so with the thousands of differing types of malware released daily it would still need the signatures to compare against.

                                #16
                                Re: Ex-Brother-in-Laws infected PC and possible trouble

                                Originally posted by goontron
                                I've gone after the scammers before. Amazon AWS as a proxy, or Google's cloud hosting thing.

                                Are you saying you've used Amazon AWS or Google's cloud hosting thing to hide your IP, or they used it? I'm afraid if I try using something like that, if the Amazon servers are in my country, my government could get it and prosecute (if they cared). When I was 14 or 15, I was exploring a Unix type of machine. I didn't mean any harm or anything, but the owner detected my exploration and thought I was a hacker from Cornell (we live maybe 50 miles away or so). Needless to say, she reported me to C.E.R.T. (Computer Emergency Response Team). I believe they were part of the FBI. I got in a lot of trouble, but when she found out my age and everything, she dropped all the charges. My parents wouldn't let me use a PC for a full year after that. It really sucked. She was real nice and said next time I want to explore, I might want to contact the owner first and let them know so my actions weren't considered malicious.
                                -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                                  #17
                                  Re: Ex-Brother-in-Laws infected PC and possible trouble

                                  Originally posted by diif
                                  Smoothwall, m0n0wall or pfSense are all good Linux firewalls.
                                  Software to do packet inspection is not cheap and certainly not a Windows feature.
                                  Even so, with the thousands of differing types of malware released daily, it would still need the signatures to compare against.

                                  I thought for sure, with all the money Microsoft was making, they'd have a stateful packet inspection firewall that they provided with the OS. Just about every Linux distro comes with one for free, iptables. And yeah, maybe a combination of stuff could be used, a signature database that everyone has access to (i.e., McAfee, Norton, open-source programs, etc.) and then some sort of heuristic type detection. I know Norton for Windows has been working on some heuristic type detection stuff. A lot of false positives though, I guess.
                                  -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                                    #18
                                    Re: Ex-Brother-in-Laws infected PC and possible trouble

                                    Originally posted by Spork Schivago
                                    I thought for sure, with all the money Microsoft was making, they'd have a stateful packet inspection firewall that they provided with the OS. Just about every Linux distro comes with one for free, iptables. And yeah, maybe a combination of stuff could be used, a signature database that everyone has access to (i.e., McAfee, Norton, open-source programs, etc.) and then some sort of heuristic type detection. I know Norton for Windows has been working on some heuristic type detection stuff. A lot of false positives though, I guess.

                                    Deep packet inspection is expensive enterprise stuff, and the antivirus companies all have their own databases. That way they can claim they are better than their competitors.

                                    Far better to follow basic common security practices. And certainly don't hand your PC to the bad guys.

                                      #19
                                      Re: Ex-Brother-in-Laws infected PC and possible trouble

                                      a number of ISPs run deep-packet inspection on all traffic.
                                      unfortunately they are only interested in gathering data for the government about everybody.
                                      Virgin runs at least 2 NARUS units in the fucked-up u.k.

                                      that's the joke here, the governments are the real terrorists, or they could use all the shit we pay for to fix things.
                                      for example the ISPs could pinpoint and stop most viruses and port attacks.
                                      they could also provide the courts with a copy of hillary's emails in and out of her server(s)

                                        #20
                                        Re: Ex-Brother-in-Laws infected PC and possible trouble

                                        Originally posted by stj
                                        a number of ISPs run deep-packet inspection on all traffic.
                                        unfortunately they are only interested in gathering data for the government about everybody.
                                        Virgin runs at least 2 NARUS units in the fucked-up u.k.

                                        that's the joke here, the governments are the real terrorists, or they could use all the shit we pay for to fix things.
                                        for example the ISPs could pinpoint and stop most viruses and port attacks.
                                        they could also provide the courts with a copy of hillary's emails in and out of her server(s)

                                        When I was stationed at Camp Geiger, when I was in the USMC, we had two networks. A secure network for sensitive data and the regular network. I didn't have access to the secure network, but I did to the main one. My friend and I ran a port scan on the IPs connected to that network, and what we found was astonishing! So many of the PCs were infected with backdoors. Back Orifice was a popular one back then, I believe. I just wish I had a chance to run it on the secure network. I reported it to my Sergeant and he didn't do anything. Said he was afraid my friend and I would get in trouble for running the scan in the first place.
                                        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
