kz26 Posted May 29, 2008

Well, this is a long story. I'll start at the beginning:

In my AP Psych class recently, people were giving PowerPoint presentations. The teacher and one group complain that the computer is running really slow. So I go over and take a look at it, thinking it's just a bull**** subjective complaint. I notice that the computer is almost unresponsive - they weren't kidding.

Opening up task manager, I try to figure out what's going on. Didn't really expect to find much there, but suddenly a few weirdo processes catch my eye: RAR.EXE, BLAT.EXE, sbs.exe, and stunnel.EXE. Obviously, these are all classic components of the USB Hacksaw.

I reboot the comp into safe mode, take a look at the startup entries, and find a link to "sbs" in C:\Windows\$NtUninstall931337$. Bingo. Navigating to this folder I find all the incriminating evidence - programs, file dumps, etc. Of course no Hacksaw is complete without the send.bat. As expected the attacker's username and password are here. I was kind of wary, half-expecting the Gmail credentials to be a fake/throwaway account, but when I saw the inbox and the name on it I realized this was a very real account. People confirmed that this was a real student - a senior, in fact.

I told the teacher immediately, who called the IT guys. They were swarming over the computer and were shocked by the fact that all the teacher's files were copied. Fortunately, our school blocks outbound SMTP on port 465 (which Gmail uses) so this lo$er's plan wouldn't have worked anyway. I guess he's facing suspension (expulsion?).

All this from a computer that was running slow. Odd, though - does the Hacksaw really slow down the computer? Perhaps if this kid had written his own code it would have worked out a lot better for him...but now he's gonna be cooling his heels for a while.

PWNED.