How a friends computer got hacked and hijacked
your PC by Microsoft
Hacking the hacker: How a consultant shut down a malicious user on a client's
A friend's system got hijacked by two different hacker groups who were using
the system to distribute files. Also the hackers had complete access
to all my friends files including financial information such as credit cards. I have a grudging
admiration for how these groups are so clearly organized. <sigh>
I got a phone call which mentioned some problems. After a bit of
diagnosing I asked them to reboot. They said they got a message stating
that a particular program iroffer.exe needed to be cancelled. I was a bit suspicious
so I did a web search on that name.
Turns out they got hacked due to four causes:
- The hardware firewall hadn't been installed on their high speed
connection. They had just moved a month previously and hadn't yet unpacked
it.. This would've stopped the
recent worms from getting close to their system. (If you're on a dialup
connection this option won't work. In which case you really want to have
the software firewall in place.)
- They hadn't run the Windows Update for the last month for various reasons.
This would've stopped the recent worms from getting on to their system.
(In Windows XP Start >> Control Panel >> System >> Automatic Updates. At the
very least I'd suggest checking "Keep my computer up to date" and "Notify me
before downloading any updates and ...". If you're on a high
speed connection you may want "Download the updates automatically and ..."
- The antivirus software update hadn't been run either for the last month various reasons.
Also their subscription had expired which they didn't realize. Again
this might've stopped the worms from getting on to the system. (I say
might've because the worm might've snuck on before the updates had been
available for downloading. However once the updates had been
downloaded McAfee likely would've halted the system from being hijacked.)
- They didn't have a software firewall in place such as
Zone Alarm. I take responsibility for this one as I didn't
think it was required due to all of the above being in place. If the
viruses/worms had gotten on
to their system this would've blocked their access to the Internet. Unless
one of the users authorized a programs access to the Internet use without
realizing the significance of the program name.
Any one of these being in place would've stopped the worms and the hijacking
of their system.
However all of these solutions should be in place to ensure redundancy in
security. For example it may take several days after a virus
comes out before the antivirus signatures have been updated and thus your system
may be already be compromised. Then the software firewall could help.
McAfee found the following twelve viruses on the system:
- W32/sdbot.worm.gen & .b
- generic dropper
Then when searching the hard drive I came across the following folders
Notice how organized the hackers are when it comes to their directories.
They are using batch files to create the directories in a logical fashion.
They have a directory for speed tests and requests.
Part of why I created this page was because the friend stated "You hear about
this happening but when you try to track down exactly who had
the problem you can never find out who it was. It's always "Oh I heard it from
so and so." Who in turn heard it from so and so and so forth." Well, now
you heard it from me.
[ Tony's Main Page ]