Hacking at VSNL

* Introduction: Guidelines which will safeguard your system
* Cracker/Hacker controls a user's system by sending a file through ICQ
* Social Hacking
* Hacking the computer system by the use of cookies
* Chat with a VSNL Cracker

VSNL Alert!: Hacking at VSNL
Cracker/Hacker controls a user's system by sending a file through ICQ

by Raj Mehta, Bruce Gingery and Peter Doshi

From: Name <elided>
To: "Dr. Raj Mehta" <rajm@alumni.stanford.org>
Subject: Urgent
Date: Fri, 4 Oct 1996 12:00:51 +0530

Dear Dr. Mehta,
I have corresponded with u before. I need your help urgently this time. A certain obnoxious character transferred a file into my computer thru ICQ, saying it was the latest version of winamp, but it was a virus.


The file was an exe file, 307kb. I have not executed the file, but that character says the file is a system file---his exact words were "system file...u delete it thru add/delete prog...u try to remove it...i am already in control". I did not believe him, and I thought that since I have not executed the file (I have deleted the file now) my system will not be harmed.

But moments later a midi file started playing on its own, and my start menu started opening and closing on its own. I immediately pressed the reset button, and although my system is working fine right now, his last words have scared me. He said my hard-disk will get formatted 48 hours from the time I took the file from him.

Sir, please tell me what to do. I have a lot of work stored on my hard-disk, and if something happens to it, it would be disastrous for me. I don't know what to do. Is it technically possible? I mean, I haven't executed that file, and yet my system went haywire at that time. Will I lose my data? He said, like I mentioned before, "system file". Please do respond as soon as u get this message, as I am in a quandary. Please do help me. I have used McAfee VirusScan, but it shows no infection.

Yours sincerely,

elided

PS. According to his threat, I have 48 hours left. I have changed my system date and time. Will it help if I keep changing it, to confuse the virus, if one does exist in my system?


Bruce's reply to this email:

On 25 Oct, elided wrote:
> Bruce,
>
> Can you please help. It seems like BO or something like that.

We can hope so.

> Can you respond directly and cc to me?

Will do.

> [munch]
> Dear Dr. Mehta,
>
> I have corresponded with u before. I need your help urgently this time. A certain obnoxious character transferred a file into my computer thru ICQ, saying it was the latest version of winamp, but it was a virus. The file was an exe file, 307kb. I have not executed the file, but that character says the file is a system file---his exact words were "system file...u delete it thru add/delete prog...u try to remove it...i am already in control".

That's entirely possible, unfortunately. Depending upon the other provisions taken by your attacker, he may be ``in control'' even while you are not connected to the net, may be able to cause your computer to dial into the net at any time, probably already has your dial-up password, and could pretend to be you, as he attacks VSNL, as well - making it look like it is YOU doing the attacking.

Deleting the file may be as simple as (from DOS) typing...

         attrib -s winamp.exe
         del winamp.exe

but it is a bit unlikely that those operations will fully clean your system.

> I did not believe him, and I thought that since I have not executed the file (I have deleted the file now) my system will not be harmed.

Not necessarily true. If the file was executed without your intervention, by exploitation of a security hole already present in Windows, it may have installed something which you have not yet deleted, nor even found.

All of this is completely logical. Anxiety will work against you, so please attempt to become calmer. An intrusion like this is usually a shock to anyone. The attacker cannot adapt his attack during times that you are not connected to the net. He COULD, however, have copies of both your message to Dr. Mehta, and to this reply.

> But moments later a midi file started playing on its own, and my start menu started opening and closing on its own.

These sound like typical Back Orifice tricks performed by an attacker while you are connected to the net. In a way, it is fortunate that the attacker so exposed himself. It would be just as easy for him to snoop on you, without letting you know about it. If you have a microphone plugged into your soundcard, he could listen to your room while you are connected to the net; if you have a camera installed, he could also watch, all without your knowledge. If this is indeed Back Orifice, everything on your Hard Drive has already been exposed to him. He could have copied or modified anything.

> I immediately pressed the reset button, and although my system is working fine right now, his last words have scared me. He said my hard-disk will get formatted 48 hours from the time I took the file from him.

That is possible. Especially with it already the 26th of the month, CIH virus, and variations on it, already prevalent. If you have a soft-upgradeable BIOS, it could also destroy the mother-board of your machine (or all usability of the machine, if it is a laptop). Other software, besides that virus could have also added this capacity - e.g. a Back Orifice ``Buttplug'' plugin.

I do not mean to scare you unduly here. It is necessary that you understand the possible risks, so that you can identify what has happened, whatever happens, and be ready to consider alternatives and extra precautions to prevent this from happening again.

> Sir, please tell me what to do. I have a lot of work stored on my hard-disk, and if something happens to it, it would be disastrous for me. I don't know what to do. Is it technically possible?

Yes.

> I mean, I haven't executed that file,

What you actually mean is that you have not DELIBERATELY executed that file. Unless your version has all of the latest security patches, AND those patches are fully effective, and the attacker has not found a previously unknown bug to exploit, you cannot be sure that you did not inadvertently execute that file. Remember the file you question might not be the file that is causing the emergency. It could be a decoy.

Back Orifice, for example, could be installed on your system, without your cooperation, through a signed Active-X control, through exploitation of a buffer-overflow bug in a Microsoft E-Mail program, or an older (before v4.06) version of Netscape, through an HTML attachment to a message received with Eudora, with any but the latest version of Eudora, and IE set as an ``opener'' for HTML messages.

These are just a few of the ways that you could ``cooperate'' with an attacker, without your deliberate act, to give him a foot-hold on your system. The ``signed Active-X control'' attack has been demonstrated on a security site in Israel, and is one for which the only considered solution is to not allow Active-X to run. With Windows-Java, some security may also be compromised, as it is only certain that the original specifications have not been followed. Perhaps the Sun Microsystems court case against Microsoft will expose more information.

If Back Orifice is installed on your system, you need to remove it, remove anything which would cause it to be re-installed, and remove its invocation from the Registry. It will NOT show in the Control-Alt-Delete task-list. If it does, it is probably a false entry, and killing that program would not close the real thing.

In addition, If it _is_ Back Orifice, it could send an ICQ or IRC or E-Mail or Usenet message every time you log onto the net, to notify the attacker of your new connection address. These can happen without your cooperation, and without normal IRC or ICQ or E-Mail or Usenet software installed on the system. If this is the case, any time you spend on-line at the moment potentially increases your danger.

> and yet my system went haywire at that time. Will I lose my data? He said, like I mentioned before,

If your system went ``haywire'' - without your cooperation, SOMETHING is there that does not belong. You MAY lose or already have lost your data, or you MAY be able to rescue it. The threat could be false, or some oddity of _your_ system might prevent it being successfully carried out, even if you do nothing. I would not rely upon that last item, though, if I were you.

> "system file".

The term ``System File'' as applied to Windows95/98/NT and even earlier versions of Windows, has a rather indistinct meaning. It could mean that the ``system'' attribute has been set, which was also available in DOS. If that is the case, that attribute must be turned off before a truly successful deletion can be done. (as above)

It could mean that it has been added to your StartUp group, in the Start Button menus, and/or Registry. It could also mean that some kind of modification has been attached to a normal file, or that a normally executed file has been replaced with a trojan substitute. It could mean that the file actually causing problems is a .vxd or .dll. It could mean MANY things.

This is one of the problems with cryptic configuration files like the Windows95/98/NT Registry, and to a slightly lesser extent, .ini file on previous versions of Windows. It is quite likely that you do not know what SHOULD be starting up automatically, hence even if you look the right place, you will be unable to determine something which has been added by any somewhat skilled attacker. The default name for Back Orifice, for example is ".exe" (noname executable), but that name can be altered at install time to any other name. The file does not even have to be in your windows directory.

> Please do respond as soon as u get this message, as I am in a quandary. Please do help me. I have used McAfee VirusScan, but it shows no infection.

VirusScan _must_ have the latest signature files, and even then, is like any anti-virus software, always playing ``catch-up''. The problem is not with the virus protection software manufacturers. They produce a valuable bandage for a severely under-designed and insecure operating system.
   http://guide.vsnl.net.in/tcpip/columns/alt_os/
   http://guide.vsnl.net.in/tcpip/columns/security_internet/
DO NOT take the time on-line NOW to look at these web pages. This is for your later consideration.
> Yours sincerely,
> elided
>
> PS. According to his threat, I have 48 hours left. I have changed my system date and time. Will it help if I keep changing it, to confuse the virus, if one does exist in my system?

Changing the system date is probably a good precaution, not sure to be effective. If indeed, a trojan such as Back Orifice, or virus has been installed on your system, it can maintain a time-lapse without your permission, and not directly using the exact system date. It is possible, but slightly less likely, that setting-back the date will trigger the very damages you are attempting to prevent.

I would STRONGLY suggest that you collect diskettes and shut down. Stay off line, and when you start up again, use the function key to reboot to DOS only (which will disallow Windows programs from running). Use the old DOS copy command to copy files that you MUST NOT LOSE to diskettes. If they are too big, and you have previously installed file splitting or compression tools (like pkzip), use them. Unfortunately, unlike many alternatives to Windows, there are no compression and splitting utilities which are part of the ``standard'' installation for commandline use.

Mark those diskettes as suspicious backups. You cannot be sure that they will not themselves become infected with a virus. You cannot be sure that the files you place on them have not been already modified. You will not wish to place them in the diskette drive again, until you are sure you have a fresh system with the latest signatures for VirusScan, or have chosen a more secure alternative operating system, and begun to learn to use it.

After saving the datafiles, and beginning again to breathe, I would suggest that you reboot in Windows, open the files containing crucial data, and save them in an ``interchange format'' (usually an ``Export'' option on the ``File'' menu), placing your essential data on diskette in a format that is not dependent upon the program which created them. For example, from MS-Word, you may save in RichText. From Excel, perhaps comma-delimited or tab-delimited files. Ideally these are files that you could view the contents of using only DOS Edit with or without Windows running. Each of these will depend upon the veracity of the program to truly save the information contained, and not discard essential information. Excel, for example, may preserve actual data values, but discard formulas. You may wish to print a copy of information in these files while you do this.

Ideally, what you would do now, is boot from the clean DOS system diskette which is write protected, and has been write protected since you first got your latest system installed. But it is unlikely that you have created such a diskette. That would have quite exceeded the normal precautions taken by people, and if you had done this, you would be unlikely to still be so disturbed about this attack. That diskette would have a copy of (e.g.) pkzip for MS-DOS installed on it, in addition to copy, DOS edit, and likely format and fdisk. But it is too late now to prepare that way for the current emergency, using only your own machine.

There is no guarantee that this will be fully effective. It is possible that pointers have been altered to already corrupt files.

If you are unable to positively identify what has been installed, you really need to go back and re-install everything from the copies you made of original installation software. Then upgrade it with the various patches and service releases you have since added. But do this AFTER rescuing data you must rescue.

If you have access to another system, known to be ``clean'' (not just THOUGHT to be clean), create a diskette as described above on that system, and use fdisk and format from booting _that_ diskette to completely clear the hard drive, before re-installing everything. That diskette should be write-protected before it is ever inserted into your diskette drive.

I do not have a good understanding of your experience, at this point. It may be that you will need to find a local expert to assist you.

Bruce Gingery
Advanced Integrators, LC  <URL: http://gtcs.com/ai/>
Cheyenne, Wyoming, USA
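Bruce's point that you cannot tell an added autorun entry from a legitimate one unless you know what SHOULD be starting up suggests the obvious defensive check: keep an export of the Registry Run key taken from a known-clean install and diff later exports against it. The Python script below is an added example, not part of the original correspondence; the .reg snippets, entry names and paths are constructed, and the "nameless executable" heuristic is taken from the ".exe" default name mentioned in the reply above.

```python
import ntpath
import re

# Constructed sample: the Run key exported (regedit .reg text format) from a
# known-clean install, kept on a write-protected diskette as the baseline.
BASELINE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''
# Constructed sample taken after the incident: the normal SystemTray entry now
# points at a substitute binary, and a new entry starts a nameless ".exe".
CURRENT_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="C:\\TEMP\\SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"winamp"="C:\\WINDOWS\\SYSTEM\\.exe"
'''
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Map (key, value_name) -> string data for every REG_SZ line in a .reg export."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and (m := VALUE_LINE.match(line)):
            # .reg escapes backslash and quote with a leading backslash; drop it.
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            entries[(key, name)] = data
    return entries

def nameless_exe(command):
    """True when the program has an extension but no name, e.g. '.exe'."""
    path = command[1:].split('"', 1)[0] if command.startswith('"') else (command.split() or [""])[0]
    exe = ntpath.basename(path)
    stem = exe.rsplit(".", 1)[0] if "." in exe else exe
    return stem.strip() == ""

def audit(baseline_text, current_text):
    """Diff current autorun entries against the baseline; flag nameless programs."""
    base, cur = parse_reg(baseline_text), parse_reg(current_text)
    report = {"added": {}, "changed": {}, "removed": sorted(base.keys() - cur.keys())}
    for entry, data in cur.items():
        if entry not in base:
            report["added"][entry] = (data, nameless_exe(data))
        elif base[entry] != data:
            report["changed"][entry] = (base[entry], data)
    return report
```

The same diff applies to the other autorun locations named in the reply (the StartUp group, win.ini load= and run= lines), as long as the baseline was taken before the machine was ever exposed.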

The Second Incident

Dear Sir,
On the 27th of October I received small messages on my screen saying you are being hacked by Dr_amer (or something of that kind)...Then my computer restarted...I connected and proceeded to change my password..in telnet.. I logged into it..went to option 6 but it said insufficient privileges...password not changed: cannot access protected password entry...

When I went to check my usage time (option 9) it said 05:00:01. I don't know if this was the time left...but I consider that impossible as my account was renewed about two weeks ago for a 500 hrs account... I would like to ask your help in this matter and also if there is any other way in which we can change the password.

I think you are aware of the urgency of this matter and I will be highly obliged if you could reply as soon as possible. Yours sincerely, vsnl user - name elided
for vsnl user - name elided



Copyright © 1996, 1997, 1998 Dr. Raj Mehta. All rights reserved.