Arp Poisoning Terror Story


eliminatebotnets

It's not a case of not knowing what is going on and defaulting to a "you crazy!" stance, it's a case of understanding how computers work, how botnets work and how physics works. This isn't a virus or bot that will affect Windows, your phone, old PDAs without wifi, printers etc. There is no way that a MITM attack 2 years ago will stop your phone or an old PDA from working.

As for your PC, are you sure some of the hardware isn't FUBAR or that the copy of Windows you're using is legit? (If you keep installing a compromised OS or your RAM is fraked, a reinstall will not fix anything.)

However, if you happen to live near an electronic warfare testing facility or naval base, then this can cause problems (example: the Israeli Navy had to turn off its EW systems when bringing ships in closer to the coast to provide missile defence, as it messed up everything electronic nearby), but then everyone would have them.

Well I've been a bit ticked off with people telling me that X is not possible and being written off like I don't know much about computers. On the same hand I can understand that if someone told me this stuff before I had witnessed it, I'd probably think they were a little paranoid too. Admittedly my knowledge of hacking and networking was very limited and I still have a lot to learn.

Computers have basically been my life for the past 15 years. I'll admit that I've not had much experience with Vista and many of the folders and network settings are very different from XP. All I was trying to do is come up with some concrete proof that something is not right with my PC. Problem is, just about all the files APPEAR to be fine, since just about all are legit files and services. The problem is HOW they are being used. It's impossible to really know what each process is doing under the hood, so pictures do nothing to help.

As for your PC, are you sure some of the hardware isn't FUBAR or that the copy of Windows you're using is legit? (If you keep installing a compromised OS or your RAM is fraked, a reinstall will not fix anything.)

I'm convinced the OS is compromised, yes. The thing is, I put in a brand new hard drive TWICE and it did nothing. I have the same problems on both PCs. The laptop I'm using now has an OEM version of Vista 64-bit Home Premium. My desktop has a retail 32-bit Home Basic version. The RAM and hardware on both should be fine but both can be exploited.

There has to be a process running at boot that loads a modified version of Windows into RAM. Then Windows setup grabs that file from RAM and loads it. When I try to look at the BCD boot file it tells me it's being used by another process. Which means it's running in memory, but when I look online it says you should be able to edit it. I'm in a Windows shell of some sort.

post-19555-1277180937_thumb.jpg

There is no way that a MITM attack 2 years ago will stop your phone or an old PDA from working.

Forget the MITM attack. That allowed him on my PC but now he is ON the PC. He can load anything on any device I connect to it. Also, my PDA and phone work, they just don't work how they should. I'm getting a replacement phone BTW and I'm NOT going to get anywhere near my PC or use wifi this time and see if it works. We'll see.

I exaggerated a bit when talking about my old Pocket PC. It's from 2002. Wifi did exist at the time but all it has in it is a network card. The manual only listed the ability to sync with a PC and to dial a connection. It is positively being controlled remotely. The windows I open can be closed; if he chooses, he can open certain programs by himself. The screen can even be locked out, so pressing on it does nothing.

I even showed a couple of people this in person and their only explanation was "Well it is pretty old. When did you get that thing?". Seriously, how many old computer programs have you seen that automatically open and close programs? It is denial kicking in because they can't explain it.

I could make a YouTube video of it or something, if I'm allowed to upload it.

One last thing: when I moved and got a DSL connection, I did not change any hardware because I'd just made a new PC months before. I wasn't about to drop another grand on another one. So that may have got rid of it for one computer but the rest still would have been screwed.

Apologies for every post being long. Impossible to explain in short detail.

Edited by eliminatebotnets

The thing that I don't get is when you mentioned that your BIOS settings were changed.

As far as I know that cannot be done without physical access to the machine.

I'd say you have a backdoor installed on your machine, though if you've done fresh builds/installs, etc., you "should" be fine.

Do you have a flash drive or SD card that you've been using on your machines, or have multiple machines on your network?

If it is a virus/backdoor of some sort it could transfer across a network or removable media, so if you fix one and the other is infected, the second the fixed one is connected to your network it could be compromised.

The thing that I don't get is when you mentioned that your BIOS settings were changed.

As far as I know that cannot be done without physical access to the machine.

I'd say you have a backdoor installed on your machine, though if you've done fresh builds/installs, etc., you "should" be fine.

Do you have a flash drive or SD card that you've been using on your machines, or have multiple machines on your network?

If it is a virus/backdoor of some sort it could transfer across a network or removable media, so if you fix one and the other is infected, the second the fixed one is connected to your network it could be compromised.

Well if you read about botnets/botmasters (http://www.symantec.com/norton/theme.jsp?themeid=botnet), they basically do have a sort of virtual physical access to your computer, if they can bypass your router or firewall. They can see all the files on your machine, change settings, flood your computer with data and redirect network traffic. While I'm not sure if they can actually get into your BIOS, they could change your boot settings in Windows and then insert a boot sector virus on a failed boot and somehow infect the BIOS that way.

When your computer is soft rebooted, the RAM is not completely erased and some data/settings can carry over after a restart. Kind of like when you quick format a hard drive and it deletes the data but it's not really deleted.

This actually happened to me. I restarted my PC, wanting to get into setup, but I missed the setup screen and Windows started to load. I didn't want to wait for Windows to load, so I restarted before the boot could finish. What I didn't realize is that by doing that you corrupt the boot sector. So now when the system was restarted again, the boot sector was altered. Then when I looked in the BIOS settings, a couple of settings were different than before.

In regards to transferring a virus across a network: yes, my phone and PDA must have been infected that way, as they were used to transfer data from my PC, when I didn't know a hacker was in my system. What doesn't make sense though, is how my PDA is able to be accessed remotely with my PC or internet not even turned on. Unless there is some way to silently connect to it with a dial-up number without me authorizing it? I can see the network adapters he installed, but can't remove them. Weird. It is an old, outdated version of Windows Mobile though. So I guess limited security.

Edited by eliminatebotnets

I've heard that when your computer is soft rebooted, the RAM is not completely erased and some data/settings can carry over after a restart. Kind of like when you quick format a hard drive and it deletes the data but it's not really deleted. Something similar actually happened to me a couple of times. I restarted my PC normally once and before it got to the BIOS screen, it restarted again. Then when I looked in the BIOS settings, a couple of settings were different than before.

Mixing two things here that are not the same.

RAM degrades as time goes on, as noted in Ep 521 and Ep 522. Originating idea from http://citp.princeton.edu/memory/

Files deleted in Windows just get a flag changed to signify the file is no longer there. The hex value E5 signifies in Windows that a file has been deleted. It changes the first value at the beginning of the file (being the filename) to E5. So you can identify and recover deleted Windows files.

The RAM is volatile data and the files are non-volatile data, at least from a forensic standpoint.

Edited by Mr-Protocol
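
The E5 marker Mr-Protocol describes is the FAT directory-entry convention (FAT12, FAT16 and FAT32 all use the same 32-byte entry; NTFS records deletion differently, in the MFT record header). As an added example, not code from this post or from anyone in the thread, the Python below builds a constructed FAT directory region, walks it entry by entry, flags the entries whose first name byte is 0xE5, and reports what an undelete tool still has to work with. The entry layout and the 0xE5/0x00/0x0F byte meanings are the real on-disk format; the three sample files and their cluster numbers are made up for the example.

```python
import struct

# Layout of the classic 32-byte FAT 8.3 directory entry (shared by FAT12/16/32).
ENTRY_FMT = "<11sBBBHHHHHHHI"   # name(11) attr NTRes crtTenth crtTime crtDate
                                 # lastAccess clusHi wrtTime wrtDate clusLo size
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32
DELETED_MARKER = 0xE5   # first name byte 0xE5: entry freed by a delete
END_OF_DIR = 0x00       # first name byte 0x00: no entries follow
ATTR_LFN = 0x0F         # long-file-name fragment, not a file record

assert ENTRY_SIZE == 32


def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build one constructed 8.3 entry. 'deleted' overwrites only the first
    name byte with 0xE5, which is all a FAT driver changes in the entry."""
    raw_name = name.upper().ljust(8).encode("ascii") + ext.upper().ljust(3).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    return struct.pack(ENTRY_FMT, raw_name, 0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_directory(blob):
    """Walk a directory region and return every short entry, live or deleted.
    A deleted entry keeps its starting cluster and size, so a carver can still
    reach the data; only the first character of the name is gone."""
    results = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break                      # rest of the directory is unused
        if raw[11] == ATTR_LFN:
            continue                   # skip long-name fragments
        (raw_name, attr, _, _, _, _, _, clus_hi, _, _, clus_lo,
         size) = struct.unpack(ENTRY_FMT, raw)
        deleted = raw_name[0] == DELETED_MARKER
        base = raw_name[:8].decode("ascii", "replace").rstrip()
        ext = raw_name[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]      # the original first character is not in the entry
        results.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
        })
    return results


# Constructed sample directory: two live files, one deleted, then the 0x00 terminator.
SAMPLE_DIRECTORY = (
    make_entry("README", "TXT", 3, 1200)
    + make_entry("SECRET", "DOC", 7, 48_000, deleted=True)
    + make_entry("NOTES", "TXT", 0x0001_0004, 300)   # cluster above 0xFFFF exercises clusHi
    + bytes(ENTRY_SIZE)
)


def deleted_files(blob=SAMPLE_DIRECTORY):
    """Just the entries an undelete tool would offer to recover."""
    return [e for e in parse_directory(blob) if e["deleted"]]


if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        flag = "DELETED" if e["deleted"] else "live   "
        print(f"{flag} {e['name']:<13} cluster={e['first_cluster']} size={e['size']}")
```

The caveat an examiner cares about: a FAT delete also clears the file's cluster chain in the allocation table, so beyond the starting cluster a recovery has to assume the file was stored contiguously. The parser therefore reports only what the directory entry itself still holds, which is why the first character of a recovered name has to be supplied by hand.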

Mixing two things here that are not the same.

RAM degrades as time goes on, as noted in Ep 521 and Ep 522. Originating idea from http://citp.princeton.edu/memory/

Files deleted in Windows just get a flag changed to signify the file is no longer there. The hex value E5 signifies in Windows that a file has been deleted. It changes the first value at the beginning of the file (being the filename) to E5. So you can identify and recover deleted Windows files.

The RAM is volatile data and the files are non-volatile data, at least from a forensic standpoint.

I see what you're saying about the differences between the RAM and hard drive. I was just trying to make a weak analogy. ;)

Edited by eliminatebotnets

You're ignoring how to fix this for some reason. DBAN everything, re-flash your router & change your MAC, install Windows from a known good source. Job done.

+1

It never ceases to amaze me how people come on here, ask for help and then argue the point. You say you are a person who knows nothing about computers, yet cannot accept the most straight forward and logical tips.

I also wonder about your browser habits, the cleanliness of the data you have backed up (virii, spyware etc) and the sources of not only your OS but other applications you install.

TBH I suspect he might be a troll. Either that or he is a complete dinkus when it comes to computers. Anyhoo, the path forward is clear, I shall not be involved any further.

Honestly, I thought maybe you weren't an ass. Calling me a troll and an idiot. You could have just said you don't know what the problem is and left it at that.

You don't seem to understand the problem. I told you that whatever the hell this is, it DOESN'T COME OFF THE SYSTEM. Even replacing the HD. If someone has full access to my computer and has keyloggers installed, what the hell good is changing my MAC going to do? He's going to see what I changed the MAC to and just change it to that. Is it that hard to understand?

But I know you guys all say it's impossible to get into the BIOS or hardware and you guys know it all. I'll try changing my MAC as you suggested, but I'm giving it a 10% chance of working at best.

If some admin of this site could please close this post. Obviously nothing constructive is going to come out of it at this point.

Honestly, I thought maybe you weren't an ass. Calling me a troll and an idiot. You could have just said you don't know what the problem is and left it at that.

You don't seem to understand the problem. I told you that whatever the hell this is, it DOESN'T COME OFF THE SYSTEM. Even replacing the HD. If someone has full access to my computer and has keyloggers installed, what the hell good is changing my MAC going to do? He's going to see what I changed the MAC to and just change it to that. Is it that hard to understand?

But I know you guys all say it's impossible to get into the BIOS or hardware and you guys know it all. I'll try changing my MAC as you suggested, but I'm giving it a 10% chance of working at best.

If some admin of this site could please close this post. Obviously nothing constructive is going to come out of it at this point.

:) Yeah man VAko's been here a really long time and is in fact admin here.

and I have to agree with what has been said here...

About TPB though, did you get your copy of Windows there? Someone could have inserted a bot into the installation disc.

Junk the system? It sounds like it must be pretty old by now, given the history of events. Also, are you by chance reinstalling the same bit of warez'd software on every system and using the same AV? I had a friend who used something like NERO and a NERO crack; he'd format due to problems, I dunno, every couple of months. He got in such a state one time he brought his disk round to me, and within a few seconds of plugging it in, my AV had detected that his NERO and NERO crack was actually a virus...

  • 4 weeks later...

Ok, I don't care if I'm bringing this thread back from the dead. Also I don't care if you don't believe what is said in the link below. This is exactly the kind of crap I was trying to explain.

http://subversionhack.livejournal.com/

Also try googling "BIOS level rootkits" or "SMM rootkits" for more info.

Don't know how I was never able to find this before. This sounds like a complete joke but IT IS 100% NOT. The only reason I can think that this isn't more public is because you simply cannot believe it until it affects you. It displays the ignorance of society, that this shit has existed for years but nothing has been done about it?

Please read what you post...

Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope. But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.

"We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus," Ortega said.

Root privs or physical access...

Edited by Mr-Protocol

Please read what you post...

Root privs or physical access...

Well that is one person's perception, but there are others in the links provided at the bottom of the page that disagree... Personally, after everything I've been through, I know this to be a COMPLETE LIE.

Even if someone DID break into my old apartment without me knowing and installed this shit on my computer, the fact remains that the devastation it causes and how easily it can spread is F#$%ING SCARY. Another fact? Many people have this on their PC and have no idea it's there.

Like I said, you can give me the run around all you want about the physical access. But anyone that decides to target you with this can do anything to your PC and any device with an internet connection. End of story.

Look at the posts at the bottom going all the way back to 2003!! Think of how many machines this has spread to since that time. It's mind boggling how this has never been publicized.

Edited by eliminatebotnets

Ok.. it looks like I was wrong about this existing since 2003. According to this guy that is just as crazy as me, this "thing" has existed since 1997. :o

Re: Researchers: Rootkits headed for BIOS 2006-11-19

hylas

You are not going crazy, it's real.

I concur with 99% of what you have written, it's the same thing, (I have Macs, System 7 - OS X 10.4.x)

See my previous post above - I'm coming late to this thread.

This has been around a long time, I first found it (fought it in '97).

Most recently '05, I'm sure it's still on (all) my machines.

Yes, it's cross-platform, with an insidiously wicked sense of humour, not to discount the seriousness of this thread and several of our predicaments (mine included), but that's how I'm able to identify it as the same (group?) as the attack in '97.

I think it's a serious problem for (US-World) national security (unless, of course, it *is* "national security").

"The trojan has controllers on the universal power supply."

Which elevates it to "logic bomb" status; I've lost monitors, graphic cards.

If you get too close it soft-power shuts your ass down (which is stunning).

Complete control (IMHO).

"... sometimes it lets you think that you are winning, only to find out after hours of hard work that it was a nasty joke played on you."

Exactly.

"Rules as we know them are no longer applied."

I believe it places microcode on closed (previously burned) CDs, DVDs, etc. It tags everything; that's why you can't rid yourself of it.

Hardware trumps root.

No, you're not crazy.

Question is, what are (we?) you going to do about it?

I've been trying to get attention about this for almost 10 years.

hylas

Link to this comment: http://www.securityfocus.com/comments/arti...372/34207#34207

Edited by eliminatebotnets

It's low risk.

Bottom line, you are paranoid. If you have a hardware rootkit such as this, whether it be installed in your BIOS or on your PCI ROM, you probably installed it while looking for "leet" hacks for whatever you were searching for.

Which brings an excellent point. Don't download untrusted applications/scripts, and don't allow them to be run on your system.

There are also detection methods for hardware rootkits. Maybe you should google that instead of bothering the hak5 forums about who is right or wrong?

It's low risk.

Bottom line, you are paranoid. If you have a hardware rootkit such as this, whether it be installed in your BIOS or on your PCI ROM, you probably installed it while looking for "leet" hacks for whatever you were searching for.

Which brings an excellent point. Don't download untrusted applications/scripts, and don't allow them to be run on your system.

There are also detection methods for hardware rootkits. Maybe you should google that instead of bothering the hak5 forums about who is right or wrong?

Low risk? ;)

I'm 29 and have never had an interest in hacking. So that was a pretty bad guess.

There are programs/files in the past I shouldn't have downloaded. Guessing there may have been even careful users who have done the same. So one bad download deserves a lifetime of trouble?

Obviously you couldn't have read much in the links because if you did you would know that NOTHING detects this. It runs before anything in some sort of virtual hardware.

This whole experience in these forums has been a huge embarrassment, from you to the admin that runs it. Ignoring the things I say and then asking me why I don't just format my hard drive. Seriously.

People like you just see me as a troll trying to get attention because my information conflicts with your obviously superior knowledge. I posted here to try to find help for a serious problem, when I couldn't find anything on google. Now that I have, there is hope to get some real information on this.

Now there have been people here who actually tried to help and actually came up with some good suggestions. I'd like to thank them. If no one has anything else (meaningful) to add, I'm long gone. I only came back because I thought some might be interested in the info. Ignorance is underestimated.

Situations like this can happen, but they are very remote. I am a paranoid person, but not to this extent.
