
STORY: USB hacksawer gets pwned


kz26


Well, this is a long story. I'll start at the beginning:

In my AP Psych class recently, people were giving Powerpoint presentations. The teacher and one group complain that the computer is running really slow. So I go over and take a look at it, thinking it's just a bull**** subjective complaint. I notice that the computer is almost unresponsive - they weren't kidding. Opening up task manager, I try to figure out what's going on. Didn't really expect to find much there, but suddenly a few weirdo processes catch my eye: RAR.EXE, BLAT.EXE, sbs.exe, and stunnel.EXE. Obviously, these are all classic components of the USB Hacksaw. I reboot the comp into safe mode, take a look at the startup entries, and find a link to "sbs" in C:\Windows\$NtUninstall931337$. Bingo.

Navigating to this folder I find all the incriminating evidence - programs, file dumps, etc. Of course no Hacksaw is complete without the send.bat. As expected the attacker's username and password are here. I was kind of wary, half-expecting the Gmail credentials to be a fake/throwaway account, but when I saw the inbox and the name on it I realized this was a very real account :blink:

People confirmed that this was a real student - a senior, in fact. I told the teacher immediately, who called the IT guys. They were swarming over the computer and were shocked by the fact that all the teacher's files were copied.

Fortunately, our school blocks outbound SMTP on port 465 (which Gmail uses) so this lo$er's plan wouldn't have worked anyway. I guess he's facing suspension (expulsion?). All this from a computer that was running slow :lol:

Odd, though - does the Hacksaw really slow down the computer? Perhaps if this kid had written his own code it would have worked out a lot better for him...but now he's gonna be cooling his heels for a while. PWNED.
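A defender-side triage check for the indicators named in this post, as an added example and not code from the original thread: the process names and the $NtUninstall931337$ folder are taken from the post above; the Run keys and Startup folders are standard Windows autostart locations, and the regex patterns are my assumption about what the link to "sbs" would look like.

```powershell
# Added example: flag the Hacksaw indicators described in this thread.
# Process names and the $NtUninstall931337$ folder come from the post;
# everything else is a standard Windows autostart location.
$suspectProcesses = @('rar', 'blat', 'sbs', 'stunnel')
$suspectPath      = Join-Path $env:SystemRoot '$NtUninstall931337$'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

$findings = @()

# 1. Running processes: the names the OP spotted in Task Manager.
Get-Process | Where-Object { $suspectProcesses -contains $_.Name.ToLower() } |
    ForEach-Object { $findings += "process $($_.Name) (PID $($_.Id)) path=$($_.Path)" }

# 2. The drop folder itself: a $NtUninstall...$ name mimics hotfix uninstall directories.
if (Test-Path -LiteralPath $suspectPath) {
    $findings += "folder present: $suspectPath"
    Get-ChildItem -LiteralPath $suspectPath -Force |
        ForEach-Object { $findings += "  contains $($_.Name)" }
}

# 3. Autostart entries (Run keys and Startup folders) pointing at any
#    $NtUninstall...$ directory or at sbs / sbs.exe.
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match '\$NtUninstall|\\sbs(\.exe)?') {
                $findings += "autostart ${key}\$($p.Name) = $($p.Value)"
            }
        }
    }
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'sbs' } |
        ForEach-Object { $findings += "startup item $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No Hacksaw indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM key and the hidden folder are readable; a hit in section 2 or 3 on a machine that shows nothing in section 1 still means the persistence is in place and the box needs to be rebuilt rather than just cleaned.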


Odd, though - does the Hacksaw really slow down the computer? Perhaps if this kid had written his own code it would have worked out a lot better for him...but now he's gonna be cooling his heels for a while. PWNED.

It shouldn't do, but seeing as it had been compromised once, the computer could well have been well and truly owned by anything other than the hacksaw.


If the hacksaw was on there, it must have been pretty vulnerable to just about any attack. My anti-virus picks up just about every part of the hacksaw, making it very easily detected. I doubt that just the hacksaw did that. It was more likely a mixture of various attacks.


Hmm, while I don't admire turning others over to the authorities, maybe deleting all the files and talking to the guy would have been a better approach. It's never good, and you should never be proud to get someone else into trouble (unless it's something realllllly bad).

It seems to me that if you both watch hak5, you'd probably get along. It just sounds to me like an opportunity to make a friend, rather than completely fuck up some other kid's life.

I have a couple of questions for those 'IT People'

1. Why are students or teachers for that matter able to access task mgr?

2. Why were you (a student) able to access regedit and find the sbs.exe start up key?

3. Why do students have access to the C:\ drive (and 'folder options') ?

4. Why are the students using the teacher's account in the first place?

5. Blat.exe is found by just about every AV program, wtf are you using?

And these are just the problems I can find coming from your story, god knows what else they're doing!

Opening up task manager, I try to figure out what's going on. Didn't really expect to find much there, but suddenly a few weirdo processes catch my eye: RAR.EXE, BLAT.EXE, sbs.exe...

take a look at the startup entries, and find a link to "sbs" in C:\Windows\$NtUninstall931337$...

Navigating to this folder I find all the incriminating evidence - programs, file dumps, etc.


Hmm, while I don't admire turning others over to the authorities, maybe deleting all the files and talking to the guy would have been a better approach. It's never good, and you should never be proud to get someone else into trouble (unless it's something realllllly bad).

It seems to me that if you both watch hak5, you'd probably get along. It just sounds to me like an opportunity to make a friend, rather than completely fuck up some other kid's life.

I have a couple of questions for those 'IT People'

1. Why are students or teachers for that matter able to access task mgr?

2. Why were you (a student) able to access regedit and find the sbs.exe start up key?

3. Why do students have access to the C:\ drive (and 'folder options') ?

4. Why are the students using the teacher's account in the first place?

5. Blat.exe is found by just about every AV program, wtf are you using?

And these are just the problems I can find coming from your story, god knows what else they're doing!

are you high? you would give someone you never met access to your personal info?


Hmm, while I don't admire turning others over to the authorities, maybe deleting all the files and talking to the guy would have been a better approach. It's never good, and you should never be proud to get someone else into trouble (unless it's something realllllly bad).

It seems to me that if you both watch hak5, you'd probably get along. It just sounds to me like an opportunity to make a friend, rather than completely fuck up some other kid's life.

I have a couple of questions for those 'IT People'

1. Why are students or teachers for that matter able to access task mgr?

2. Why were you (a student) able to access regedit and find the sbs.exe start up key?

3. Why do students have access to the C:\ drive (and 'folder options') ?

4. Why are the students using the teacher's account in the first place?

5. Blat.exe is found by just about every AV program, wtf are you using?

And these are just the problems I can find coming from your story, god knows what else they're doing!

In my school, there's basically two groups, the smart, cultured people and the dumba$$es. I (and my friends) belong to the former, while this kid was just some piece of trash (screws around with everything, no respect for rules, bad grades, etc). I happen to particularly respect this teacher, plus I later found out that he had copied MY files from MY USB. So why should I have any respect for him? All of this happened during class, with an overhead projector showing the screen, with his username and password in public view :lol:

Answers to questions:

1. usually they aren't, vast majority of teacher+student accounts have no local admin privileges but this particular teacher's account has admin status for some reason

2. I'm kinda the tech guy around my school, and actually I used msconfig

3. see #1 - result of having admin access. If the teacher's account had been properly locked down this never would have happened

4. what kind of teacher is going to go thru the hassle of logging out and logging in just to get a presentation? and the student kinda has the element of surprise on their side

5. dunno, school is using Symantec Corporate AV w/ really old 2007 definitions


are you high? you would give someone you never met access to your personal info?

to the former, yes

In my school, there's basically two groups, the smart, cultured people and the dumba$$es. I (and my friends) belong to the former,

No offense, but you kinda sound like a dick there... also this is not the 'Disney Fan Club Forums'; using $ doesn't really do anything but make you look dumb (my apologies if your keyboard is broken).

while this kid was just some piece of trash

I thought you didn't know him... I am reminded of an Orwell quote, "All animals are equal, but some animals are more equal than others."

(screws around with everything, no respect for rules, bad grades, etc).

Sounds a hell of a lot like me, and probably a lot of the other people around here...

I happen to particularly respect this teacher, plus I later found out that he had copied MY files from MY USB. So why should I have any respect for him? All of this happened during class, with an overhead projector showing the screen, with his username and password in public view :lol:

Answers to questions:

1. usually they aren't, vast majority of teacher+student accounts have no local admin privileges but this particular teacher's account has admin status for some reason

2. I'm kinda the tech guy around my school, and actually I used msconfig /* its all gravy */

3. see #1 - result of having admin access. If the teacher's account had been properly locked down this never would have happened

4. what kind of teacher is going to go thru the hassle of logging out and logging in just to get a presentation? and the student kinda has the element of surprise on their side

5. dunno, school is using Symantec Corporate AV w/ really old 2007 definitions

That's legit, and I totally agree this kid is a dumbass if he used his own email account.

PS:

I'm not the guy you busted (in case you were wondering)


Hmm, while I don't admire turning others over to the authorities, maybe deleting all the files and talking to the guy would have been a better approach. It's never good, and you should never be proud to get someone else into trouble (unless it's something realllllly bad).

It seems to me that if you both watch hak5, you'd probably get along. It just sounds to me like an opportunity to make a friend, rather than completely fuck up some other kid's life.

I agree! Very well put.


The security there sounds a bit like my school......

and seriously what kind of idiot uses his own email? I may not be the best but even I know better than that!


The security there sounds a bit like my school......

and seriously what kind of idiot uses his own email? I may not be the best but even I know better than that!

Just a thought:

He could have set up a fake e-mail, and used another gmail account to get the email from it, but he didn't. Instead of following the number one rule of not disclosing real info, he took the easy way to skiddie hell.


People like YOU get people kicked out of school for not provin' a fucking thing... I got kicked out of school, but at least they pulled the stupid-ass insecure program out so people's SSNs did not get owned.

Because I'd just sit there and continue to work on clearly compromised computers without piping up, obviously.

Just so happened that the guy was stupid enough to use his own email, and then stupid enough to infect a public computer using it.


Just stumbled across this little topic and found it pretty interesting.

One thing to remember: schools, especially high schools and smaller public colleges, aren't known for having the best IT people or even computer software. They have to defend against computer-savvy students while making the system stupidly simple for teachers and students that know nothing about computers. The guy was stupid enough to use his own email addy and not hide his tracks well; he kinda deserves to be caught.

Kudos to OP


  • 2 weeks later...

My school is like that.. we have access to EVERYTHING except that we can't install.. but we can play games off of our flash drives... access cmd prompt, regedit... everything.. we use an "emailing" program called 1st Class... instant messaging disabled... too bad we can IM using Novell... they are too stupid to block it... yah.. it's great...


  • 3 weeks later...

I told the teacher immediately, who called the IT guys.

Are you kidding me! Why would you do that!

The Rules of School

1st RULE: You do not tell parents about SCHOOL STUFF.

2nd RULE: You DO NOT tell teachers about SCHOOL STUFF.

3rd RULE: If a group says "fuck off" or trips another out the war is on.

4th RULE: Only two groups to a fight.

5th RULE: One war at a time.

6th RULE: No teachers, no parents.

7th RULE: Wars will go on as long as they have to.

8th RULE: If this is your first day at SCHOOL, you HAVE to join.


Um...because I'm not a dick and I respect that teacher and that particular kid was a douche?

* Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total. Always yield to the Hands-On Imperative!

* All information should be free.

* Mistrust Authority—Promote Decentralization.

* Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.

* You can create art and beauty on a computer.

* Computers can change your life for the better.

...from the hacker ethics


  • 2 weeks later...

Hahaha, pwned!

Oh, that reminds me, last year (my last year of school) I used my claymore against a high up teacher, and got his passwords... including the one to the online student grading system!

Let's just say I got 6 As in the end of year report ;)


Hahaha, pwned!

Oh, that reminds me, last year (my last year of school) I used my claymore against a high up teacher, and got his passwords... including the one to the online student grading system!

Let's just say I got 6 As in the end of year report ;)

I don't know you, but I just lost every trace of respect I could have had for you.

I agree that the guy shouldn't have automatically turned the guy in. I would have just written down the email, and the title for the emails the program was supposed to send, then fixed the issue, BS'ed the teacher about the problem, then told the guy through a fake email using the right title that he needs to back off or he would be turned in next time.

My BS excuse would include telling the teacher that he/she should change all of his/her passwords.

I agree that all information should be free etc. etc., but when someone is using something like this for malicious purposes they are making life harder on us by bringing some of the stuff to the public eye, which in turn causes people to try and force us to stop.


Hahaha, pwned!

Oh, that reminds me, last year (my last year of school) I used my claymore against a high up teacher, and got his passwords... including the one to the online student grading system!

Let's just say I got 6 As in the end of year report ;)

Haha, epic. They were using Blackboard, I'm guessing?
