Author Topic: Whack attack!  (Read 14501 times)

Treval

    Topic Starter


    Hopeful

    Thanked: 14
    Whack attack!
    « on: April 08, 2010, 05:17:30 AM »
    So,

    is it possible for an attacker to abuse/use your connection/inject into your PC even if it's off but the router is on and the cable is plugged into your NIC, working and transferring data from the internet?
    More specifically, inject into your PC and take control of it? I would think not, since it's off.
    What about abusing the connection itself?

    tip: no I'm not looking for *ware-scanning solutions. It's just out of curiosity. =P

    tsarles



      Rookie
    • Thanked: 1
      Re: Whack attack!
      « Reply #1 on: April 08, 2010, 10:48:30 AM »
      The fact that you have a router means nobody can initiate a connection from outside to in. When you go to a web site, you can receive that traffic because you requested it, and it is a response to an open socket. However, if someone from outside initiates an incoming transmission unsolicited, the firewall will drop it. This is unless you have a port forward setup.... but if you did have that, you would know about it.

      There is such a thing as Wake on LAN to turn on a computer that is off over the network, although I have never seen anyone actually implement it.

      In short, no
      A+, Net+, Security+, AS Degree
      Property of TeamLogic IT
      http://www.teamlogicit.com/businesses/monroevillepa801

      Treval

        Re: Whack attack!
        « Reply #2 on: April 08, 2010, 12:52:15 PM »
        Well.

        1) I have implemented Wake-on-LAN and it's *censored* handy, especially when I'm in bed with my laptop and I forgot to turn the PC on and need resources from it (there is a neat little WOL-GUI front end app; I even posted a blog about it).

        2) Yes I have ports forwarded. Can't someone portscan me and then just exploit those ports?

        3) Is my Kaspersky firewall going to warn me when someone is trying to inject into a process/enter my computers?

        BC_Programmer


          Mastermind
        • Typing is no substitute for thinking.
        • Thanked: 1140
          • Yes
          • Yes
          • BC-Programming.com
        • Certifications: List
        • Computer: Specs
        • Experience: Beginner
        • OS: Windows 11
        Re: Whack attack!
        « Reply #3 on: April 08, 2010, 01:05:43 PM »
        Why are people so bloody paranoid? No offense intended, of course.


        Quote
        2) Yes I have ports forwarded. Can't someone portscan me and then just exploit those ports?

        I have a <LOT> of ports forwarded myself.

        When I port scan my IP (from another off-site PC, of course), or perform one of the many online port scans it comes back with no response on every single port.

        A connection with these ports can only be established if the PC that it was being forwarded to is listening to that port. <AND> it has to accept the connection. Otherwise the router's default behaviour, which is usually to completely ignore the attempt, kicks in.

        Quote
        3) Is my Kaspersky firewall going to warn me when someone is trying to inject into a process/enter my computers?
        If it doesn't it's not as good as everybody seems to think  :P (short answer: yes)
        I was trying to dereference Null Pointers before it was cool.
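
Added example, not part of the original thread: one way to check the listening point above on a Windows PC is to compare the router's port-forward list with the listeners shown by `netstat -ano`. The netstat text, the forward list and the LAN address `192.168.1.10` are constructed sample values, and the result says nothing about what the host firewall then accepts.

```python
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, str, int]   # (protocol, local address, port)
Forward = Tuple[str, int]         # (protocol, port) as configured on the router

# Constructed sample of Windows `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     198.51.100.23:443      ESTABLISHED     3312
  TCP    [::]:3389              [::]:0                 LISTENING       1120
  UDP    0.0.0.0:5004           *:*                                    1500
"""

# Constructed list of forwards, as one would read it off the router's admin page.
FORWARDS: List[Forward] = [("TCP", 3389), ("TCP", 5000), ("TCP", 8080), ("UDP", 5004)]
LAN_IP = "192.168.1.10"   # assumed address the router forwards to


def parse_listeners(netstat_text: str) -> Set[Listener]:
    """Extract listening TCP sockets and bound UDP sockets from netstat output."""
    listeners: Set[Listener] = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # header or unrelated line
        if fields[0] == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue                      # established/closing connections
        host, _, port = fields[1].rpartition(":")
        if port.isdigit():
            listeners.add((fields[0], host, int(port)))
    return listeners


def classify_forwards(forwards: List[Forward], listeners: Set[Listener],
                      lan_ip: str) -> Dict[Forward, str]:
    """Label each forward by whether forwarded IPv4 traffic can reach a listener.

    exposed       - bound to 0.0.0.0 or the LAN address, so the forward is live
    not reachable - something listens on that port, but only on another address
                    (for example loopback), so forwarded traffic cannot reach it
    no listener   - nothing is bound; the forward is dead and can be removed
    """
    reachable = {"0.0.0.0", lan_ip}
    report: Dict[Forward, str] = {}
    for proto, port in forwards:
        hosts = {h for p, h, n in listeners if p == proto and n == port}
        if hosts & reachable:
            report[(proto, port)] = "exposed"
        elif hosts:
            report[(proto, port)] = "not reachable"
        else:
            report[(proto, port)] = "no listener"
    return report


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for (proto, port), status in classify_forwards(FORWARDS, found, LAN_IP).items():
        print(f"{proto}/{port}: {status}")
```

Every forward reported as exposed is a service that has to be patched and authenticated as if it sat directly on the internet; forwards with no listener are candidates for removal from the router.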

        Treval

          Re: Whack attack!
          « Reply #4 on: April 08, 2010, 01:10:12 PM »
          Well Mr. BC-programmer, I'm the target of two hacker groups. No, they are not noobs. One Dutch, one from the UK.
          They already compromised my e-mail accounts in the past, not to mention my PC.

          So yes, naturally I am paranoid.
          Not to mention there are a group of kiddies following me everywhere on the internet googling my name and what I do and if I take a dump or what not and post it on a forum laughing about me.
          Yeah. You wouldn't want that to happen to you.

          If you haven't been hacked, sure, don't be paranoid.
          But once you are, then it's alarm time.

          How do I get in these situations?
          Let's just say I don't like society and make most people my enemy.

          BC_Programmer


          Re: Whack attack!
          « Reply #5 on: April 08, 2010, 01:22:12 PM »
          Quote
          Well Mr. BC-programmer, I'm the target of two hacker groups. No, they are not noobs. One Dutch, one from the UK.
          They already compromised my e-mail accounts in the past, not to mention my PC.

          So yes, naturally I am paranoid.
          Not to mention there are a group of kiddies following me everywhere on the internet googling my name and what I do and if I take a dump or what not and post it on a forum laughing about me.
          Yeah. You wouldn't want that to happen to you.

          If you haven't been hacked, sure, don't be paranoid.
          But once you are, then it's alarm time.

          How do I get in these situations?
          Let's just say I don't like society and make most people my enemy.


          Well, I guess that makes more sense. I have a bunch of "hackers" who claim they are going to "grep" me, but given their complete misuse of the term grep I'm pretty certain they really have no idea what they're doing, hahaha. They did demonstrate their ability to grep a text file, which was somehow supposed to scare me. Needless to say it provided me a source of amusement, not paranoia, heh.

          I was trying to dereference Null Pointers before it was cool.

          EEVIAC

          • Guest
          Re: Whack attack!
          « Reply #6 on: April 08, 2010, 03:42:11 PM »
          Quote
          They did demonstrate their ability to grep a text file, which was somehow supposed to scare me.

          I had to chuckle at that   ;)

          Treval

            Re: Whack attack!
            « Reply #7 on: April 08, 2010, 03:46:32 PM »
            Compare that to people who actually know how to write Byte hashes to exploit certain vulnerable open services and know more than a dozen different languages in mastery including:

            PHP, SQL, JavaScript, PERL, blablablabla ... server/client side whatever, you name it.
            They're just freaks.

            BC_Programmer


            Re: Whack attack!
            « Reply #8 on: April 08, 2010, 03:49:55 PM »
            You're supposed to call it "Perl" even though it's an acronym. Otherwise Larry Wall will slap you. At least that's the legend.
            I was trying to dereference Null Pointers before it was cool.

            EEVIAC

            • Guest
            Re: Whack attack!
            « Reply #9 on: April 08, 2010, 03:51:07 PM »
            Quote
            Compare that to people who actually know how to write Byte hashes to exploit certain vulnerable open services and know more than a dozen different languages in mastery including:

            PHP, SQL, JavaScript, PERL, blablablabla ... server/client side whatever, you name it.
            They're just freaks.

            Yah, I am aware of the general expertise in this game, although I haven't attempted "hacking to learn", yet.  Will get there, however.  Maybe after another year of programming.


            Quote
            Otherwise Larry Wall will slap you. At least that's the legend.

            hee hee

            Treval

              Re: Whack attack!
              « Reply #10 on: April 08, 2010, 03:58:34 PM »
              Programming annoys the bananas out of me. I've been on it for 5,5 years now for 3 languages.
              It makes me go like this:

              Konane CS

              BC_Programmer


              Re: Whack attack!
              « Reply #11 on: April 08, 2010, 04:43:59 PM »
              Quote
              It makes me go like this:

              Konane CS

              LOL, that was hilarious
              I was trying to dereference Null Pointers before it was cool.

              Treval

                Re: Whack attack!
                « Reply #12 on: April 08, 2010, 07:50:04 PM »
                Omg, I loved the map de_dust. I can pwn so many noobs on it. Maybe today I can pwn enough noobs, that I raise my rank in the server, from 3 to 1, héé héé.

                lol..
                That video is really, really old. Like, 6 years or something.

                BC_Programmer


                Re: Whack attack!
                « Reply #13 on: April 08, 2010, 08:00:22 PM »
                Quote
                Omg, I loved the map de_dust. I can pwn so many noobs on it. Maybe today I can pwn enough noobs, that I raise my rank in the server, from 3 to 1, héé héé.

                lol..
                That video is really, really old. Like, 6 years or something.

                Well... only games I play online are Quake 2 and Zdaemon. Only played CounterStrike once. Needless to say rocket jumping doesn't work any better on that than it does on Crysis. At least the game is merciful and doesn't have quads.
                I was trying to dereference Null Pointers before it was cool.

                Azzaboi



                  Apprentice
                • Aaron's Game Zone
                • Thanked: 37
                  • Aaron's Game Zone
                • Experience: Experienced
                • OS: Windows 7
                Re: Whack attack!
                « Reply #14 on: April 08, 2010, 10:45:19 PM »
                First of all maybe you shouldn't piss off the hackers so much?

                Second, don't be paranoid? Yes be paranoid! It's only the foolish who think they are safe. Where there's a will there's a way. So long as you have an active connection, there's a way in. You can pretty much just slow them down or make it hard enough they give up.

                Third, where there's Microsoft there's a hole of exploits. It's the most targeted and the easiest to find holes in. Keep your software, security and OS up-to-date as much as possible.

                Kaspersky Internet Security 2010 is quite good at Proactive Defense and will attempt to block network scans and attacks if setup correctly. Black Ice Anti-hacker is great to go on the revenge if you or your server is being attacked or DDOSed by reflecting it back, but only good for intrusion detection, fails as a complete firewall.

                Pro Hackers will go stealth and inject a keylogger, grabbing your passwords and personal details over and over. They don't do damage, they just watch and gather, use, hand out to others as dumps (these are the worst as then any idiot then can screw with you) or ignore. Kaspersky can detect most keyloggers, however they use a stuffer over the file to make it invisible to most anti-virus scanners.

                If they can't attack the computer, emails and other things are a lot easier, depending on your password and details. The stupid secret word is the biggest security hole for email, leaving an easy backdoor. Instant Messengers like Yahoo and MSN are also major exploit holes.
                « Last Edit: April 08, 2010, 10:59:03 PM by Azzaboi »
                Aaron's Game Zone
                The best free online flash games: http://azzaboi.weebly.com

                Play Games - Play free games at Play Games Arcade

                BC_Programmer


                Re: Whack attack!
                « Reply #15 on: April 08, 2010, 11:31:06 PM »
                Quote
                Black Ice Anti-hacker is great to go on the revenge if you or your server is being attacked or DDOSed by reflecting it back

                That doesn't make sense. You can't "reflect" a DDOS and actually do anything. You'll just reflect the ping or SYN or ACK or whatever floods right back to the respective machines, most of which will probably just be zombie PCs in a bot-net. Also, this is worse because it adds more processing to each received packet during the attack, making the DDOS actually succeed.

                Quote
                Second, don't be paranoid? Yes be paranoid! It's only the foolish who think they are safe. Where there's a will there's a way. So long as you have an active connection, there's a way in. You can pretty much just slow them down or make it hard enough they give up.
                Yawn. You bore me. I've seen the "work" these hackers do when they make their tools, i.e., the source code. They make bloody awful programmers for the most part, and I highly doubt the ones that actually know what they're doing are "out in the wild" so to speak.

                I'm going to assume "Pro hacker" means Proficient hacker, since there is no such thing as a "professional" hacker any more than there is such a thing as a professional Janitor.

                Quote
                Kaspersky can detect most keyloggers, however they use a stuffer over the file to make it invisible to most anti-virus scanners.

                This sentence doesn't really make any sense. *censored* is a "stuffer"?

                Anyways, one "detection" method was to simply see if the file contained the text "Software\Microsoft\Windows\CurrentVersion\Run" anywhere in it, and if it found it, it was flagged a keylogger. Yep, that's state of the art detection right there. That was McAfee several years ago IIRC.


                Quote

                Third, where there's Microsoft there's a hole of exploits. It's the most targeted and the easiest to find holes in. Keep your software, security and OS up-to-date as much as possible.


                Yes, I'm quoting forwards and then backwards. Oh well.

                It's the most targeted but it's not easy to find holes in it, simply because it is targeted more and all the "good ones" were pretty much sealed around XP SP2.

                At least Microsoft never by default had IIS set up to accept a backdoor password. Way to go Red Hat! And <That> was actually easy to find, they just had to look at the source code, it was right there, pretty much two if() statements.
                I was trying to dereference Null Pointers before it was cool.

                kpac

                • Web moderator


                • Hacker

                • kpac®
                • Thanked: 184
                  • Yes
                  • Yes
                  • Yes
                • Certifications: List
                • Computer: Specs
                • Experience: Expert
                • OS: Windows 7
                Re: Whack attack!
                « Reply #16 on: April 09, 2010, 03:40:33 AM »
                Quote
                Compare that to people who actually know how to write Byte hashes to exploit certain vulnerable open services and know more than a dozen different languages in mastery including:

                PHP, SQL, JavaScript, PERL, blablablabla ... server/client side whatever, you name it.
                They're just freaks.
                Oh yeah, it takes a lot for them to use milw0rm to find exploits. Most of them wouldn't hack their way out of a paper bag.

                Treval

                  Re: Whack attack!
                  « Reply #17 on: April 09, 2010, 05:05:57 AM »
                  Quote
                  "If it doesn't it's not as good as everybody seems to think (short answer: yes)"
                  I don't agree with that because a good attacker will first shut off both your av and firewall and let your OS believe they are still running while they aren't. Then, they go intrude.

                  In my networking class, my prof said "the fact you are typing your password is a vulnerability. Somebody can come and see over your shoulder. This happened at a few work places". Also physical keyloggers etc. =P

                  When I first scanned my system with Kaspersky, even my FIREWALL was fully exploitable (it was from 2005 the version I had). Next to that, I had 47 exploitable holes.. I believe if you take any noob's machine and you scan it for vulnerabilities, it will come up full of holes. Most people's JRE is also not up to date. =)

                  Yes, milw0rm is .. ****. A paradise for hackers. Or noobs, to say. Anyway.

                  Sometimes now and then when I launch MSN I get the message "behavior similar to PDM.Keylogger detected". So what am I supposed to think if it only happens sometimes?

                  EEVIAC

                  • Guest
                  Re: Whack attack!
                  « Reply #18 on: April 09, 2010, 06:07:52 AM »
                  You know, every time I scroll by the networking forum and see "Whack attack", it reminds me of the game I used to play in Show Biz Pizza (which is now Chuck E. Cheese), called "Whack-A-Mole". It's the game where you stand with a club and hammer down the moles when they pop up out of the machine...  ;D
                  Not relevant, just had to say it.

                  Treval

                    Re: Whack attack!
                    « Reply #19 on: April 09, 2010, 06:27:10 AM »
                    Lmao. I'll try it. =P

                    EEVIAC

                    • Guest
                    Re: Whack attack!
                    « Reply #20 on: April 09, 2010, 06:44:05 AM »
                    Quote
                    Lmao


                    I had to google this...  I'm not the most familiar with chat acronyms   ::)

                    Treval

                      Re: Whack attack!
                      « Reply #21 on: April 09, 2010, 06:44:53 AM »
                      Poor EEVIAC. I guess I'm just 26. =P

                      Azzaboi



                      Re: Whack attack!
                      « Reply #22 on: April 09, 2010, 11:55:34 AM »
                      For your questions BC_Programmer

                      About Black Ice, I actually agree with you. It was designed with a good idea for servers mostly and had optional features to reflect attacks, basically it was meant to crash the attacking computers but mostly bring down zombies (DDOS probably just be zombie PCs as you said - innocent infected computers) which will just can be setup more. Adding more to the network load for a short time. Like I said fails as a complete firewall.

                      While most hackers might be kids playing around making crappy code (kiddy scripts) and making destruction/jokes, you haven't counted everyone in the world. What I meant by "Pro Hacker" or whatever you would like to call them, they spend their time on bigger targets, looking for faults and holes, then just address those either by exploiting them to their advantage, leaking the details out to others to mess with, or notifying the owner in their own way about the problem to be fixed. Basically no damage done (by themselves but maybe by others), tracks cleaned up after themselves, and sometimes they are helpful. For example, the ex-hacker guy now working for World of Warcraft finding security holes, hacks and cheats - he doesn't write crappy code.

                      An "EXE stuffer" is a program which pads over the top of a virus or trojan to make it more hidden from anti-virus scanners. It adds extra dummy code around and in between, also increases the filesize a bit. Anti-virus scanners have to then rely on different heuristic methods for detection which aren't as effective and slower.

                      ps. They don't need to hide in the run, they could be injected into a service which windows runs in background or an application which the user starts up himself. Much smarter ways.

                      I mentioned Microsoft because yes, it's the most targeted, most used and has the most information about, it is also the most hated. As soon as a hole is found, it's available for everyone to find (information over the net), by the time they have patched it, another is found and it cycles around. Microsoft has a good history of digging holes to fill the others as well. Any OS or software will have its issues, some are just more of a target. Millions of people finding the holes compared to a few programmers trying to fix them up, work out the math.

                      Treval - Behavior similar to PDM.Keylogger detected by Kaspersky, you get in some games, virtual keyboards, security software like BestCrypt, etc, with this issue because that's what it's doing! If it reads your keyboard input in a virtual or direct bypassing way it will be detected. It's up to you to trust it or not. MSN can be accessed and with it's feature to it's basically file sharing all your computer can be exploited easily to take control of your computer files and send and receive data. I've never had the issue of Kaspersky detecting MSN as behavior similar to PDM.Keylogger, you might want to look into that or update to another version. It might be you just have the save msn chat turned on and it's recording what you type. If you tell Kaspersky to allow it, it will ignore it for a while then ask again, you have to tell it to trust, adding it to the Application Control > Threats and exclusions list for it not to check.
                      Aaron's Game Zone
                      The best free online flash games: http://azzaboi.weebly.com

                      Play Games - Play free games at Play Games Arcade

                      Treval

                        Re: Whack attack!
                        « Reply #23 on: April 09, 2010, 12:03:59 PM »
                        Yes indeed pro hackers are often contracted as top security staff that work for the Pentagon etc.

                        I know a pro hacker (security guy) who is really really really paranoid about things. His computer doesn't have a hard disk, it's wired to another server, if intrusion is detected, in the first few milliseconds the computer auto-shuts off, the connection is killed, etc etc... then he has another computer for the sole purpose of generating 2.000.000 (2 million!) different passwords per hour so that it's harder to break in. He has blast proof doors and walls and has cameras EVERYWHERE. Every door every corner everything. He has like 8 NICs working together as firewalls/distribution systems... it's just madness.

                        Well at least he's safe. =P

                        EEVIAC

                        • Guest
                        Re: Whack attack!
                        « Reply #24 on: April 10, 2010, 02:20:39 AM »
                        That's interesting.  Being a security specialist, you may become too well-known in the hacker world and may become a target, at risk for who-knows-what...  :P

                        If I were a security specialist, I would prefer to stay anonymous, if possible.

                        BC_Programmer


                        Re: Whack attack!
                        « Reply #25 on: April 10, 2010, 08:32:15 AM »
                        Quote
                        Well at least he's safe. =P

                        You should let him know that if he is ever under the influence of a mind control device all of his work will be for naught!

                        I'd try to get him to wear a tin-foil hat or something like that, he seems like an edgy fellow that just needs a nudge in that direction.

                        Of course if you <like> him you might nudge him towards a therapist. That sounds more like that mental illness (I forget the name) where you think everybody is out to get you.
                        I was trying to dereference Null Pointers before it was cool.

                        Treval

                          Re: Whack attack!
                          « Reply #26 on: April 10, 2010, 09:02:18 AM »
                          BC_Programmer, do you live in fairytaleland? It's not an offense but you seem to act like it.
                          If your job is to work from home and log into/transfer top secret FBI/government data, then yes, your house is best to be like that and your computer setup.

                          BC_Programmer


                          Re: Whack attack!
                          « Reply #27 on: April 10, 2010, 09:04:24 AM »
                          Quote
                          If your job is to work from home and log into/transfer top secret FBI/government data, then yes, your house is best to be like that and your computer setup.
                          You never said where he worked or what he did. You just said "Pro Hacker Security guy" which is rather vague.
                          I was trying to dereference Null Pointers before it was cool.

                          mroilfield



                            Mentor
                          • Thanked: 42
                            • Yes
                            • Yes
                          • Computer: Specs
                          • Experience: Experienced
                          • OS: Windows 11
                          Re: Whack attack!
                          « Reply #28 on: April 10, 2010, 09:17:22 AM »
                          Quote
                          BC_Programmer, do you live in fairytaleland? It's not an offense but you seem to act like it.
                          If your job is to work from home and log into/transfer top secret FBI/government data, then yes, your house is best to be like that and your computer setup.

                          I highly doubt that he will be working from home sending "Top Secret" government data from his home PC. I also highly doubt that he would be talking to you about it. It sounds to me like this guy is feeding you a bunch of crap.
                          You can't fix Stupid!!!

                          kpac

                          Re: Whack attack!
                          « Reply #29 on: April 10, 2010, 11:23:26 AM »
                          Quote
                          It sounds to me like this guy is feeding you a bunch of crap.
                          Or maybe Treval is making up the bunch of crap. :D

                          Treval

                            Re: Whack attack!
                            « Reply #30 on: April 10, 2010, 12:02:49 PM »
                            Believe what you want. Such inexperienced people..
                            Both of you go back under your bridge. ;O

                            mroilfield



                            Re: Whack attack!
                            « Reply #31 on: April 11, 2010, 02:50:20 AM »
                            Quote
                            Or maybe Treval is making up the bunch of crap. :D

                            Yeah I had that thought as well.
                            You can't fix Stupid!!!

                            Treval

                              Re: Whack attack!
                              « Reply #32 on: April 11, 2010, 04:33:36 AM »
                              I bet you won't be saying this when you get hacked as well.

                              kpac

                              Re: Whack attack!
                              « Reply #33 on: April 11, 2010, 06:27:51 AM »
                              I bet you won't be saying this when you get hacked as well.
                              Haha, yeah right.

                              Treval

                                Topic Starter


                                Hopeful

                                Thanked: 14
                                Re: Whack attack!
                                « Reply #34 on: April 11, 2010, 06:51:01 AM »
                                No, I'm not threatening. I'm saying, when you do get hacked sometime, you won't be laughing or saying those things.

                                kpac

                                • Web moderator


                                • Hacker

                                • kpac®
                                • Thanked: 184
                                • Experience: Expert
                                • OS: Windows 7
                                Re: Whack attack!
                                « Reply #35 on: April 11, 2010, 06:58:38 AM »
                                No, I'm not threatening. I'm saying, when you do get hacked sometime, you won't be laughing or saying those things.
                                Yes, I know....
                                Haha, yeah right.

                                 ;)

                                BC_Programmer


                                  Mastermind
                                • Typing is no substitute for thinking.
                                • Thanked: 1140
                                  • BC-Programming.com
                                • Experience: Beginner
                                • OS: Windows 11
                                Re: Whack attack!
                                « Reply #36 on: April 11, 2010, 08:33:10 AM »
                                My point was we were speaking in the context of a home user; as somebody else said (I think it was Azzaboi) the <good> hackers are also smart enough not to go after big targets. There is a lot more to gain for leaking source code, as well as revealing trade secrets or future plans of the company. A case could be made that "identity theft" can be done through hacking, but the reality is that a lot of the information needed for identity theft is not persistent; also, the main way to get such information has been through phishing, and no amount of protection can really stop somebody from filling out that form (you can detect it as a phishing attempt, you can notify the user, but if they decide to fill out the form anyway, game over for them).

                                Consider for a moment, a keylogger. Let's say one got installed on my PC this instant; for whatever reason, who knows. It could take months before they get a single password from me, simply because Firefox has them all saved. (Being that it's installed the malware could also acquire this information too, but I'm assuming just a "pure" keylogger.)

                                "Black hat" hackers are almost summarily less skilled than security specialists; since, as Treval hinted, many of them are former black-hat hackers, or just hackers, period. Therefore it's safe to say that they have gained more experience in the meantime.

                                This is also attested by the fact that most of the "major" company hacks have been done simply because that company has an obvious open hole, the Half-Life 2 leak, for example, and not because of some innate skill by the hacker themselves. For the most part they are just jabbing at a barn door looking for a knothole, pardon the implication... heh, when they find it, it's usually luck. Perhaps they can, through experience, know where most knotholes lie. But their poking still makes sound on the other side of the door in the form of access logs, which will only be deleted if the hacker can gain access before they are read. Considering that many companies actually print hard copy of the network traffic between critical points in their network and/or make backups immediately it can be difficult to eliminate them all. Additionally, the fact that a log is gone at all often puts these companies into "red alert" state. The hacker would need to properly remove those relevant entries to mask their intrusion, as well as change any other data to remove any "hints"... for example, "total number of entries" and total size and other such data. The additional problem is that some of that data is often sent to a database which uses another different password, so the hacker's job has gone from poking for knotholes in a barn door to trying to get into a horse's stable using the same method. Of course database logins are <additionally> logged elsewhere, possibly even in the original logfile.

                                It is when a company has <flaws> in its security that hackers get in, not because said hackers are leet or skilled. For the most part they pretty much just use something like nmap to determine that a server is using, say, an outdated version of Apache. They can then look for the documentation on that version and its bugs and security "patches" to see what was patched afterwards and then take advantage of the fact that the version they need to access is not patched for it.

                                I was trying to dereference Null Pointers before it was cool.
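The log checks mentioned in the post above (a separately kept "total number of entries" and total size), as an added Python example that is not part of the original post. The `LogWitness` class, the sample log lines and the addresses are constructed for illustration, and the hash chain is an addition beyond the count and size the post names; it shows why those two values alone miss a same-length rewrite.

```python
import hashlib

class LogWitness:
    """Count, byte size and hash chain of a log, kept away from the log host."""

    def __init__(self):
        self.count = 0
        self.size = 0
        self.head = hashlib.sha256(b"start").hexdigest()

    def record(self, line):
        data = line.encode("utf-8")
        self.count += 1
        self.size += len(data) + 1  # +1 for the newline on disk
        # Each link covers the previous head, so order and content both matter.
        self.head = hashlib.sha256(self.head.encode() + data).hexdigest()

def build_witness(lines):
    witness = LogWitness()
    for line in lines:
        witness.record(line)
    return witness

def audit(lines_on_disk, witness):
    """Replay the log found on disk and list every value that disagrees."""
    replay = build_witness(lines_on_disk)
    findings = []
    if replay.count != witness.count:
        findings.append("entry count")
    if replay.size != witness.size:
        findings.append("total size")
    if replay.head != witness.head:
        findings.append("hash chain")
    return findings

# Constructed sample access log (documentation address ranges only).
LOG = [
    '198.51.100.4 - - [10/Apr/2010:09:00:01] "GET /index.html" 200',
    '203.0.113.7 - - [10/Apr/2010:09:00:02] "GET /admin/" 403',
    '203.0.113.7 - - [10/Apr/2010:09:00:03] "GET /backup/" 404',
    '198.51.100.9 - - [10/Apr/2010:09:00:09] "GET /about.html" 200',
]
WITNESS = build_witness(LOG)  # what the separate host recorded as entries arrived

# Case 1: the entries from one address were removed from the file.
DELETED = [l for l in LOG if not l.startswith("203.0.113.7 ")]
# Case 2: same number of entries and same byte length, different content.
REWRITTEN = [l.replace("203.0.113.7", "192.0.2.200") for l in LOG]

if __name__ == "__main__":
    for name, lines in (("intact", LOG), ("deleted", DELETED), ("rewritten", REWRITTEN)):
        print(name, audit(lines, WITNESS) or "consistent")
```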

                                Azzaboi



                                  Apprentice
                                • Aaron's Game Zone
                                • Thanked: 37
                                • Experience: Experienced
                                • OS: Windows 7
                                Re: Whack attack!
                                « Reply #37 on: April 11, 2010, 11:36:17 PM »
                                Quote
                                Treval - generating 2.000.000 (2 million!) different passwords per hour

                                Yes, this is known as a rolling password and has been quite secure, they even use it as an extra security option for the game World of Warcraft. You have a small device you take with you, press a button and tap in the code by hand on the computer as the secondary password. Every minute, a new code is generated, so the device gets you the latest encrypted.

                                Someone able to brute your password as well as hack that code and gain access to your account within a minute or less before the next random code swaps over is highly unlikely. It's a very good device.

                                Friend has one for his crazy World of Warcraft playing due to also using the account on public computers like the netcafe. Those netcafe computers are the worst at stealing all your details with keyloggers and trojans. Even if the password is stolen, it's useless after being used once or timed and rolled over to another.

                                BC_Programmer - I've seen hundreds of keylogger reports and even found a server dump through using advanced Google indexing search. Honestly it was 335 txt files, each with about 20 to 80 username/passwords and various details stripped from all the typed junk. They are smart enough to scan the username and password areas of most sites. Also those Autocomplete passwords can be leeched within seconds. There were some ways around detecting this, if the user types garbage in between the password, selects and deletes, rather than backspacing, or has a key scrambler, etc.

                                Format from memory, looked like:

                                ==================================================
                                Entry Name        : http://www.myspace.com/
                                Type              : AutoComplete
                                Stored In         : Registry
                                User Name         : xxxxxxxxxxx
                                Password          : xxxxxxxxxxx
                                ==================================================

                                or

                                serv : https://ssl.rapidshare.com
                                login       : xxxxxxxxxxx  
                                password    : xxxxxxxxxxx

                                serv : http://www.youtube.com
                                username    : xxxxxxxxxxxxx
                                password    : xxxxxxxxxxx

                                Targeting popular sites, but as well as randoms.
                                And yes, they were almost all valid including credit card details, etc, it was scary what was collected. It's also amazing how many people don't take care of their computer and simply ignore that it would ever happen. My friend's brother is like that, passed me a memory stick with old practice exams as well as an autorun virus which was detected instantly by Kaspersky (I've got autorun disabled anyways), but he's had it on his computer for a month or so and infected a number of others including some of the school's computers, pissed me off telling them all how to remove it!

                                Just to note, this keylogger dump site may/may not still be up and running!
                                I still have record of the site url, the site has been reported, the log links are down, de-indexed from google but the main domain is back after just checking now says 'Bye :)' and kicks you back to google.
                                I guess I'll pm the url if requested.
                                « Last Edit: April 12, 2010, 12:11:47 AM by Azzaboi »
                                Aaron's Game Zone
                                The best free online flash games: http://azzaboi.weebly.com

                                Play Games - Play free games at Play Games Arcade
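The rolling code described at the start of the post above, as an added Python example that is not part of the original post. The post does not say which algorithm the device uses, so this assumes the standard time-based one-time password construction (RFC 6238, HMAC-SHA1) with the one-minute step the post mentions; `rolling_code`, `Verifier` and the secret are constructed names and values.

```python
import hashlib
import hmac
import struct

def rolling_code(secret, unix_time, step=60, digits=6):
    """RFC 6238 code for the time window that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: accepts each window's code once and never an older one."""

    def __init__(self, secret, step=60):
        self.secret = secret
        self.step = step
        self.last_counter = -1  # highest window already accepted

    def check(self, code, now):
        counter = now // self.step
        if counter <= self.last_counter:
            return False  # code for this window was already used
        expected = rolling_code(self.secret, now, self.step)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False  # wrong code, or one from an earlier window
        self.last_counter = counter
        return True

# Constructed shared secret (the RFC 6238 test key), provisioned on the
# device and on the server.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = Verifier(SECRET)
    t = 1271030400                                  # constructed login time
    code = rolling_code(SECRET, t)                  # typed by the user, seen by a keylogger
    print("user login      :", server.check(code, t))
    print("replay, same min:", server.check(code, t + 5))
    print("replay, next min:", server.check(code, t + 60))
```

A production verifier usually also tolerates one window of clock drift; this one is strict to keep the replay behaviour easy to see.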

                                Treval

                                  Topic Starter


                                  Hopeful

                                  Thanked: 14
                                  Re: Whack attack!
                                  « Reply #38 on: April 12, 2010, 03:23:56 AM »
                                  Very nice. =)

                                  BC_Programmer


                                    Mastermind
                                  • Typing is no substitute for thinking.
                                  • Thanked: 1140
                                    • BC-Programming.com
                                  • Experience: Beginner
                                  • OS: Windows 11
                                  Re: Whack attack!
                                  « Reply #39 on: April 12, 2010, 11:25:34 AM »
                                  Quote
                                  They are smart enough to scan the username and password areas of most sites

                                  A keylogger logs keys. It does not see where these items are being typed.



                                  This is all rather trivial anyway; in order to infect a PC, malware of any sort needs a visible "vector"... For example, one common vector is to install a winlogon_notify hook. They can "hide" this key, but if they do that, winlogon won't see it either and therefore won't load it. Autoruns can help find such things. They could, theoretically, install a function hook globally after winlogon loads them, in which case Autoruns will not detect them. RootkitRevealer will detect the inconsistency, though.

                                  Additionally, there are a number of other vectors in which a dll may "force" itself to be loaded into other processes. These dlls are almost always easy to identify; random base names is a common attribute. Such dlls can be found using Process Explorer's "dll" view in the lower pane. For self-repairing malware (which usually installs itself in "groups"... for example, a keylogger might also run and continuously make sure the trojan downloader "buddy" process is running, and if not, start it again, and vice versa). These are easily stopped by suspending one or both processes with Process Explorer and then ending them both. The tricky part is sometimes such buddy triads involve dlls loaded in other processes.

                                  For me, when I have an infection (although it has been over a year and a half since my last one, since which time I've changed OSes twice) I simply use Process Explorer to try to determine the actual file names, and then boot to a separate OS; maybe my Linux Mint install, for example, and delete those files. Booting usually results in a few "missing DLL" type errors, but I can safely delete such entries via regedit.
                                  I was trying to dereference Null Pointers before it was cool.

                                  Azzaboi



                                    Apprentice
                                  • Aaron's Game Zone
                                  • Thanked: 37
                                  • Experience: Experienced
                                  • OS: Windows 7
                                  Re: Whack attack!
                                  « Reply #40 on: April 12, 2010, 04:17:01 PM »
                                  Quote
                                  Quote
                                  They are smart enough to scan the username and password areas of most sites

                                  A keylogger logs keys. It does not see where these items are being typed.

                                  You missed the sentence before that one.

                                  Quote
                                  ...stripped from all the typed junk.

                                  It looked like it logged all keys into one huge dump named adminlogs####.txt per unique ip address, with the website urls and even click locations (or some weird data), and created scans from that file into various other txt files with the format I've shown above. It also had separate files which seem to be all the saved passwords stripped from the victim's computer registry.
