The Attack from Hell!

Please post here any content related to fighting viruses on the internet. (ie. Internet e-mail headers to help track down virus infected computers in the MX-3 community.)
h3xt0r
Regular Member
Posts: 111
Joined: May 6th, 2008, 4:30 pm
Location: Union City CA, USA.

The Attack from Hell!

Post by h3xt0r »

What could I possibly be talking about? An attack from Hell? What? Well let me explain what happened and how I plan on preventing it in the future, as well as what the Hell is going on! It will all make much, -much-, more sense when I explain.

It all started about four or so months back when I began to notice an exponentially large increase in network activity on my local area network. At the time I quickly realized I was getting DDoS’d! Obviously I couldn’t really do much and when looking through my logs I realized whoever was doing it wasn’t playing around either! There were well over 10,000 unique IP addresses pounding away at my one 25MB/10MB connection. I couldn’t do anything against such odds! So I simply unplugged my cable modem for an hour and played some Soul Caliber whilst I waited. After reconnecting the modem and receiving a new IP I was back up with no problem.

However, the comfort of high speed internet was short lived. Only an hour after reconnecting my modem I was under attack again! I repeated what I had done before with the modem and began pondering how they managed to find me so quickly. I reconnected the modem as I had done before, and BAM! Within minutes this time I was back under attack. I will not lie; I was a bit frustrated at this point for obvious reasons. I decided that it would be in my best interest to contact my ISP and inform them of the problem. After roughly an hour on the phone I managed to get a tier 3 Network Security Engineer, which was rather pleasing, and after another hour or so on the phone we managed to block all those IPs from attacking my network. (I should also note that this is the point at which I was given the log of the attacks.)

After a few days I began to ponder again: how were they able to find my machine? Normally when a DDoS is performed on a website you attack the DNS (Domain Name System) server. Essentially a DNS translates a binary identifier (the IP) into something more meaningful to the user, i.e. google.com is actually 74.125.224.16. You can read more about DNS in the reference page at the end of the document. Anyhow, I digress.

So how did they get my information, and so quickly, without me going out and making connections? I began the hunt on my local machine looking for anything suspicious. I couldn’t find squat! I was absolutely puzzled! I pondered this for a good week before I literally slapped myself because the answer was right at my feet! And I mean, really, it was at my feet: my laptop! It had been on, running Folding@home! I began looking around on my machine and quickly found a few Trojans alongside a slew of other malware.

And so began the hunt! After isolating the laptop from the network and containing the malware threats I began to dissect them one after another looking for the code that sent my IP address back to the attackers. After almost a week of reviewing code I was still without the answer. So I began digging deeper into the laptop looking for an answer. And after almost a full month I finally found the answer! There was a bit of custom code added onto a .dll file which would execute another, and another, and another, till finally it got to a little function that would occasionally ping a system.

I decided to find out whom that IP belonged to, and tracked it back down to Hell, Michigan USA. I found this incredibly amusing and almost instantly checked to see if that computer was indeed the master machine of this devilish plot or in fact another infected machine. Doing a port scan I found a plethora of open ports that are typical of an infected machine. However one particular port of interest seemed to be open; Port 666. This particular port was being used for IRC. Cool! A botnet that still runs on IRC!

After a few more hours of hounding away I managed to call and get a hold of the owner of that machine! “Sweet” I said to myself, maybe I can get a hold of the actual bot on the machine and start doing some damage of my own, i.e. seize control of the attacker’s bots. Needless to say the owner of the machine was a bit skeptical of sending me anything, and after about 15 minutes of talking with them I finally gave up and simply instructed them that they should look into an antivirus or something. A few days later that machine stopped replying on port 666, so at least something good came out of the conversation.

However, I was still without an answer; who the bloody hell attacked me and why? I began asking around to some of my friends in the Security business and no one seemed to have any information. I posted here and there giving some friends a heads up of the situation etc. Nothing more happened and I simply waited which resulted in nothing and so I more or less thought the threat had been eliminated. They had their fun and were now over it. That was the case until three weeks ago.

Three weeks ago I was chugging along fine when something interesting happened to my desktop. It died, but not your normal death. It was running, then crashed and refused to boot. After further inspection I noticed that two drives were missing from my RAID array: 1 & 2 were missing. Further inspection led me to believe that their BIOS had been flashed. Two drives, two new drives, just stop working? Interesting, I said; however there are very few people that I know that have the technical knowledge and ability to pull something like that off. I ignored it as coincidence until just recently.

About a week ago I woke up and promptly had the glorious college student breakfast: leftover pizza and a soda! I booted up my laptop (my desktop is still down). When it started up I quickly noticed my CPU was being maxed out well longer than it should be for a boot. I looked at what was running and was shocked to see well over 50 Trojans and assorted malware! Quickly I pulled my network cable out and began the long process of cleansing the system. I was able to remove most pretty easily, however some were a little less than willing to be removed. I decided to just roll my system back a week or so and see what happens from there.

After the rollback completed I booted the laptop back up to find myself back where I had started. Buggers, I thought, my saved rollbacks had been compromised! Which wasn’t that surprising at all, seeing as how I have seen plenty of Trojans that have abused known security issues with the Windows rollback system. I began the long process of removing them by hand! After a few days I had removed them all, or so I had thought. It wasn’t until later on Wednesday of last week that I noticed something wasn’t right with my system. My Google/Bing searches were being hijacked. Neato, I said! I looked into my hosts file and found a whole slew of stuff I really didn’t want there. With ease I just found the defaults for the hosts file and restored them. Problem solved!

However, who was doing this? Was it the same people from the Hell incident a few months ago? I can only assume so, seeing as how I have been laying pretty damned low. However, again, how did they find my machine? There is nothing to give me away, or so I had thought. I began looking into the connections being made by my machine and was horrified by the amount of network activity directed towards my machine. What the deuce was happening here, I thought to myself. What was different?

I ran a little program of mine that checks hash marks from a saved point against my current to see if any system critical components had been modified. Nothing! So I began searching by hand looking for anything to give their device away. With no luck I was beginning to get rather frustrated when a friend of mine mentioned looking into the TCP/IP stacks on my machine. I did, and was surprised to find I had a metric buttload of crap in there that was far from normal. My only conclusion is that it had been something I had missed from the first attack alongside a few rootkits. Upon removal my network activity returned to normal and all was good!

What was the network activity, you ask? Everything! My machine was working as a proxy doing stuff from DDoS to torrents. I am actually surprised I missed something this BIG on my machine. However I am happy that it’s all over now. After doing some research I found some known security issues with the firewall revision, both hardware on my router and software on my laptop, and have fixed both. Since then, I have been clean of all infection.

I am still stumped as to whom I pissed off so horrifically bad that they are going through such lengths to attack my machines, and have requested the assistance of a whole slew of security specialists that I am on good terms with. Hopefully I can get to the bottom of this before any more damage to my machines or annoyances.
-H3xT0r
kateCapshaw wrote:The moment somebody says to me, "This is very risky," is the moment it becomes attractive to me.
Daninski
Supporting Member
Posts: 7055
Joined: June 18th, 2007, 10:51 am
Location: Trenton ON.

Re: The Attack from Hell!

Post by Daninski »

Gee, and I thought my buddy's modem getting hijacked was a big deal. He ended up with a $2500+ phone bill for calls to Taiwan. I simply replaced his modem after I did a low level format of his hard drive. Your problem was well beyond anything I could handle. I use Zone Alarm security suite. It really slows down Torrent downloads but so far after like 6 years it has served me well. Good Luck
2004 Subaru WRX Silver, stage 2, minty interior.
2002 Subaru WRX Blue, SOLD (best E test numbers I've ever seen)
94 MX-6. Sold
92 GS KLZE 5 Speed
96 GS 5 speed, KLZE, Sold
95 GS Minty Shape Sold
92 GS Sold
92 GS Parts Car scrapped.
Feedback viewtopic.php?f=37&t=66348
7477th member.

I know you believe that you understand what you think I said but I'm sure you realize that what you heard is not what I meant.
_-Night-Shade-_
Senior Member
Posts: 2664
Joined: January 15th, 2009, 8:00 pm
Location: Toronto, Ontario, Canada

Re: The Attack from Hell!

Post by _-Night-Shade-_ »

Wow, dude you're one of those nerdy tech guys aren't you! :P
--------------------------------------------
[WORKLOG] [FOR SALE] [Wishlist] [Feedback]
Evo_Spec
Senior Member
Posts: 2504
Joined: December 30th, 2008, 3:41 am
Location: Calgary, Alberta, Canada

Re: The Attack from Hell!

Post by Evo_Spec »

That's.... pretty intense. I'm freaking horrible with networking; if restarting the modem/router doesn't work, then I'm screwed XD
h3xt0r
Regular Member
Posts: 111
Joined: May 6th, 2008, 4:30 pm
Location: Union City CA, USA.

Re: The Attack from Hell!

Post by h3xt0r »

Daninski wrote:Gee, and I thought my buddy's modem getting hijacked was a big deal. He ended up with a $2500+ phone bill for calls to Taiwan. I simply replaced his modem after I did a low level format of his hard drive. Your problem was well beyond anything I could handle. I use Zone Alarm security suite. It really slows down Torrent downloads but so far after like 6 years it has served me well. Good Luck
Oh man, I used to love Zone Alarm! Right up until I got a 64-bit OS and ZoneAlarm didn't support any at the time... Now I am using Kaspersky. As far as torrent speeds, I lose maybe 50kb/s, not enough to really care, but then again I also run a monster machine... Most of the time.

Evo, I used to be the same way. Just have to do a lot of tweaking/testing and a s--- ton of reading and you can learn just about anything. It also helps if you like to solve puzzles... I love puzzles. :-P

And no, Nightshade, I'm not one of those tech guys.... I'm one of 'those' tech guys. xD

On another note. Perusing through some files on my laptop I'm still picking up parts of trojans that I didn't catch. Still have a gnarly little bot on here that I am having the hardest time getting rid of. *rageface*
Inodoro Pereyra
Senior Member
Posts: 2067
Joined: March 11th, 2009, 3:44 pm
Location: Back in Buenos Aires, Argentina

Re: The Attack from Hell!

Post by Inodoro Pereyra »

h3xt0r wrote:
On another note. Perusing through some files on my laptop I'm still picking up parts of trojans that I didn't catch. Still have a gnarly little bot on here that I am having the hardest time getting rid of. *rageface*
I'd recommend you use Spybot. It's really very effective at finding and getting rid of trojans.
U28sIG5vdyB5b3UgYWxzbyBrbm93IGJhc2UgNjQuLi5odWg/DQpTSE9XIE9GRiEhIQ==

"The more I know man, the more I love my dog."

Diogenes of Sinope.
h3xt0r
Regular Member
Posts: 111
Joined: May 6th, 2008, 4:30 pm
Location: Union City CA, USA.

Re: The Attack from Hell!

Post by h3xt0r »

Inodoro Pereyra wrote:
h3xt0r wrote:
On another note. Perusing through some files on my laptop I'm still picking up parts of trojans that I didn't catch. Still have a gnarly little bot on here that I am having the hardest time getting rid of. *rageface*
I'd recommend you use Spybot. It's really very effective at finding and getting rid of trojans.
I use a whole slew of antivirus and malware removal tools. They have a harder time picking up custom written code, hence why I am doing most of this by hand. That and I want to keep most of the malware so I can go through and see if there is anything of interest. Another really good malware removal tool is Malwarebytes. ;)
Inodoro Pereyra
Senior Member
Posts: 2067
Joined: March 11th, 2009, 3:44 pm
Location: Back in Buenos Aires, Argentina

Re: The Attack from Hell!

Post by Inodoro Pereyra »

Well, I admire your energy...
I used to be just like you, back in the day (that is, almost 20 years ago), collecting viruses for study...
Then, 2 years ago I had to disinfect 115 viruses by hand, and it took me a week to finish... :shrug:

And now, all I can say is: the more I know Windows, the more I love Ubuntu. :mrgreen: I can't believe I haven't had to use an antivirus in more than 8 months now...
_-Night-Shade-_
Senior Member
Posts: 2664
Joined: January 15th, 2009, 8:00 pm
Location: Toronto, Ontario, Canada

Re: The Attack from Hell!

Post by _-Night-Shade-_ »

Inodoro Pereyra wrote:
h3xt0r wrote:
On another note. Perusing through some files on my laptop I'm still picking up parts of trojans that I didn't catch. Still have a gnarly little bot on here that I am having the hardest time getting rid of. *rageface*
I'd recommend you use Spybot. It's really very effective at finding and getting rid of trojans.
No offense, but I highly doubt he needs our advice about how to protect his sh*t :roll:
Flyer
Regular Member
Posts: 815
Joined: November 7th, 2007, 6:17 am

Re: The Attack from Hell!

Post by Flyer »

Protip: Don't annoy /b/...
MrMazda92 wrote:I find Honduh forums more helpful, typically more pleasant too.
Daninski
Supporting Member
Posts: 7055
Joined: June 18th, 2007, 10:51 am
Location: Trenton ON.

Re: The Attack from Hell!

Post by Daninski »

Ya I really like Malwarebytes, it's saved me in the past when other spyware programs were ineffective. Everyone, download Malwarebytes right now, update it and run the program. See for yourself.
Inodoro Pereyra
Senior Member
Posts: 2067
Joined: March 11th, 2009, 3:44 pm
Location: Back in Buenos Aires, Argentina

Re: The Attack from Hell!

Post by Inodoro Pereyra »

_-Night-Shade-_ wrote:
Inodoro Pereyra wrote:
h3xt0r wrote:
On another note. Perusing through some files on my laptop I'm still picking up parts of trojans that I didn't catch. Still have a gnarly little bot on here that I am having the hardest time getting rid of. *rageface*
I'd recommend you use Spybot. It's really very effective at finding and getting rid of trojans.
No offense, but I highly doubt he needs our advice about how to protect his sh*t :roll:
None taken. But, in my experience, there are 2 things that make advice (from anybody) great:

1. It's FREE.
2. YOU decide if you'll take it or not. Not the person who gives it to you, nor anybody else.

Based on that, I gave my advice freely. I'm sure he's qualified enough to decide for himself if he needs it or not.
h3xt0r
Regular Member
Posts: 111
Joined: May 6th, 2008, 4:30 pm
Location: Union City CA, USA.

Re: The Attack from Hell!

Post by h3xt0r »

Flyer wrote:Protip: Don't annoy /b/...

Anyway, I highly doubt it was them... I've done no white knighting or killing kittens to invoke their wrath. I believe I may have found out who it is...
On the update side of things I found a cool little file: "gatherNetworkInf0.vbs". Now "gatherNetworkInfo.vbs" is a part of the network discovery from Microsoft for Windows 7, however notice the 0? Not the right one. This one does just what the name implies and is relaying network info back to another system. I am looking into that system now.

Nightshade: Advice is always welcome! I mean even stupid stuff can help me out sometimes, i.e. "Hey, go look at a toilet for 5 min" and I'll do it and then BAM! "Holy crap, I know the answer!" (Wasn't a toilet though, was a tree... True story.)

[Admin: watch it..]
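The hash check described in the first post (comparing system files against a saved point) and the "0"-for-"o" lookalike file name found in this update both lend themselves to one small script. The following is an added example, not the poster's own tool; the file names and contents in the demo are constructed stand-ins, and the directory layout under System32 is assumed for illustration only.

```python
import hashlib
import os
import tempfile

# Digit-for-letter swaps used to disguise a rogue file as a system one (0/o, 1/l).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l"})


def canonical(name: str) -> str:
    """Fold a path so that lookalike names compare equal (case and 0/o, 1/l)."""
    return name.lower().translate(_CONFUSABLES)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> SHA-256 for every file under root (the 'saved point')."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify files as modified, missing, added, or a lookalike of a baseline file."""
    report = {"modified": [], "missing": [], "added": [], "lookalike": []}
    by_canonical = {canonical(p): p for p in baseline}
    for rel, digest in sorted(current.items()):
        if rel in baseline:
            if baseline[rel] != digest:
                report["modified"].append(rel)
            continue
        report["added"].append(rel)
        twin = by_canonical.get(canonical(rel))
        if twin is not None:  # new file whose name folds onto a known one
            report["lookalike"].append((rel, twin))
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)

        put("System32/gatherNetworkInfo.vbs", "' constructed stand-in for the genuine script\n")
        put("System32/drivers/etc/hosts", "127.0.0.1 localhost\n")
        put("System32/ws2_32.dll", "constructed stand-in for a system DLL\n")
        before = build_baseline(root)
        # Tampering as seen in the thread: hosts hijacked, a 0-for-o lookalike dropped
        # next to the real script, and a system file removed. 203.0.113.7 is TEST-NET.
        put("System32/drivers/etc/hosts", "127.0.0.1 localhost\n203.0.113.7 www.google.com\n")
        put("System32/gatherNetworkInf0.vbs", "' constructed rogue script\n")
        os.remove(os.path.join(root, "System32/ws2_32.dll"))
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

A plain hash baseline alone would list the rogue script only as "added"; the name folding is what singles it out as a lookalike of a file that already exists.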
h3xt0r
Regular Member
Posts: 111
Joined: May 6th, 2008, 4:30 pm
Location: Union City CA, USA.

Re: The Attack from Hell!

Post by h3xt0r »

Hate to double post but there is an update to be had!

So after further scanning of the system I found a particularly interesting bit inside my Winsock2 registry entries. Winsock2 is essentially the middle man between a program (think of this web browser or an FTP client, etc.) and the TCP/IP stack. (Refer to this Wiki link for more information on Winsock2.) Inside the registry there were several entries calling a file called kwadg.dll alongside a series of commands. Does that file name look funny? Switch the letters around and it spells KDawg, a user on a private security forum that I browse who also likes to go by kwadg. So after -A LOT- of time hunting I have finally found the culprit, though I highly doubt he wrote this one out himself. After reviewing the DLL file I also found calls to several other files and I am in the process of reviewing them. However, all threats have now been successfully removed and the system is again secure.

So what did I do to upset him so? On the forums we find security issues, test them, then find ways to prevent them. A group of individuals on the forums occasionally find security issues, however, there has been a growing issue with their members abusing them for their own gain and it was under my suggestion that they all be removed from the forums. This obviously doesn't sit well with them seeing as how this is their cash cow. Hence the intense assault on my machines.

I've informed the community of the issue and needless to say they will no longer be an issue. So now that that's all done... I can finally get to work on my car... As soon as I sell my truck.. Anyone want a Ford F350 Turbo Diesel? Hahaha!
MrMazda92
Supporting Member
Posts: 5201
Joined: October 8th, 2009, 5:35 pm
Location: Midwest

Re: The Attack from Hell!

Post by MrMazda92 »

You are incredibly patient... I would have just reformatted the computer. I keep slipstreamed discs of XP and Vista (with all the programs I can't live without included on the install) for just such a scenario.

If I have massive problems, I shut down the PC... boot up Knoppix, rip/clip/quarantine anything I need to remove from the HDD, and then reformat.

At the very worst, it takes me about 4 hours to have a fully functional, speed-demon laptop again.

I used to be a computer guy, now I'm a computer AND car guy. XD

I'm thinking I might try and control my Megasquirt (when I get it) from my iPhone as well, until I can get a fancy touchscreen + computer for the console.

Anyways, if you re-format like I do... you won't even NEED antivirus. It literally doesn't matter. Starting over is faster, easier, and less stressful if you're used to it!

Unless you do online banking... in which case, buy a Mac. I do my banking on my iPhone, I have yet to meet somebody who's had their iPhone "hacked". That's about the only time I would suggest a Mac either.
Daily:
'12 Challenger R/T + STP - 3.92 w/ LSD, JG Cam, headers, SkipShift delete, Clutch Delay Valve delete, Hurst STS, RAM Clutch Adjuster, StopTech 6 Piston Brakes, Sticky Nittos, 435 WHP

Kid Hauler:
'08 Suburban LT 4WD - TVS 1900 Blower, LF SC Cam, headers, AFM delete, true 5" lift, 33x12s, 523 WHP

First Love:
'92 GS 5 spd - Straightneck KL/67mm TB, MegaSquirt/Coilpacks, 5 lugs/Speed6 brakes/FD wheels, wiretuck, coilovers, headers, AEM WB, Borla
Deleted: VAF/Power Steering/Air Conditioning/EGR/ABS/Auto Seatbelts/etc