Solved

Rogue remote control identification

Posted on 2011-09-02
11
311 Views
Last Modified: 2012-05-12
Hi all

We had a report from an end-user this morning about a rogue remote control session on her PC. The user witnessed the remote session reading e-mails and then shutting down her PC.

I've checked the event logs and there's nothing there, and have also run a number of anti-spyware tools (CA, AVG, MalwareBytes, Spybot Search & Destroy) and none of them have found anything malicious.

What else can I check to identify the cause and source of the intrusion?

Cheers,

Paul
0
Comment
Question by:vistasupport
11 Comments
 
LVL 38

Accepted Solution

by:
Gerwin Jansen, EE MVE earned 250 total points
ID: 36472820
Hi, possibly a rootkit. You can scan for rootkits using GMER. Please scan (will take some time) and post back the results.
0
 
LVL 2

Assisted Solution

by:Sarcast
Sarcast earned 250 total points
ID: 36473832
Check the firewall and turn it on. No connection, no session.

Apart from that, if a rootkit or virus is involved, it's always safer and the best solution to back up and reinstall the system.

Apart from that you can run the netstat command to see open connections.
0
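The netstat check above only helps while a session is live, and raw `netstat -ano` output is easy to misread under pressure. The script below is an added example for this thread, not code from the post: it parses constructed `netstat -ano` sample output, lists which remote-control ports the PC is accepting connections on, and flags established sessions on those ports whose peer is outside an assumed IT-department subnet. The port table and the 10.0.5.0/24 IT range are assumptions for illustration; substitute the real values.

```python
"""Flag established or listening sockets on well-known remote-control ports
in `netstat -ano` output (available on Windows XP SP3).

Added example for this thread, not code from the original post. The
netstat text is constructed sample output; the port table and the
IT-department subnet are assumptions for illustration.
"""
import ipaddress

# Ports commonly used by remote-control products (assumed list; extend per site).
REMOTE_CONTROL_PORTS = {
    3389: "RDP / Remote Desktop",
    5900: "VNC",
    6129: "DameWare Mini Remote Control",
    5631: "pcAnywhere",
}

# Range the IT department connects from (assumed; not stated in the thread).
IT_SUBNET = ipaddress.ip_network("10.0.5.0/24")

# Constructed `netstat -ano` output; a real capture replaces this string.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING       1540
  TCP    10.0.7.22:139          0.0.0.0:0              LISTENING       4
  TCP    10.0.7.22:6129         10.0.5.14:49211        ESTABLISHED     1540
  TCP    10.0.7.22:6129         10.0.9.200:1085        ESTABLISHED     1540
  TCP    10.0.7.22:5900         10.0.9.200:1090        ESTABLISHED     2210
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Return one dict per socket line; banner, header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" else ""
        laddr, lport = local.rsplit(":", 1)
        raddr, rport = foreign.rsplit(":", 1)
        conns.append({
            "proto": proto, "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": rport, "state": state,
            "pid": int(parts[-1]),
        })
    return conns


def listening_remote_control_ports(conns, ports=REMOTE_CONTROL_PORTS):
    """Remote-control ports that something on the PC is accepting connections on."""
    return sorted({c["lport"] for c in conns
                   if c["state"] == "LISTENING" and c["lport"] in ports})


def find_suspicious_sessions(conns, ports=REMOTE_CONTROL_PORTS, allowed=IT_SUBNET):
    """Established TCP sessions on a remote-control port whose peer is outside
    the allowed subnet. Returns (local port, peer IP, PID, product) tuples in
    netstat order; the PID lets you match the process in Task Manager/tasklist."""
    hits = []
    for c in conns:
        if c["proto"] != "TCP" or c["state"] != "ESTABLISHED":
            continue
        if c["lport"] not in ports:
            continue
        try:
            peer = ipaddress.ip_address(c["raddr"])
        except ValueError:
            continue          # hostname or '*'; `netstat -n` should not produce these
        if peer not in allowed:
            hits.append((c["lport"], c["raddr"], c["pid"], ports[c["lport"]]))
    return hits


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening on remote-control ports:", listening_remote_control_ports(conns))
    for lport, peer, pid, product in find_suspicious_sessions(conns):
        print("unexpected %s session from %s (PID %d)" % (product, peer, pid))
```

Run `netstat -ano > netstat.txt` on the affected PC while the session is still open and feed that file to `parse_netstat`; a session that has already ended leaves nothing here, which is why the firewall logging discussed later in the thread matters for the next occurrence. In the constructed sample the two sessions from 10.0.9.200 are flagged, while the DameWare session from 10.0.5.14 is inside the assumed IT range and is not.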
 

Author Comment

by:vistasupport
ID: 36474041
The only result from the GMER scan is that our AV product (CA) is being identified as an API Interceptor.

Other than that, there's no other entries.

I will reinstall the system, but I'd like to identify the cause to try to prevent future occurrences, as well as provide answers to senior people - something I can't do at the moment.

Thanks

Paul
0

 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 36475143
In that case, what kind of remote / management application are you using? It may be as simple as someone knowing a password and just using Windows Remote Assistance or some other commercial application that you use. I'm assuming your Windows XP is SP3 and fully patched.
0
 

Author Comment

by:vistasupport
ID: 36483137
We use Dameware remote control, which writes to the event log upon connection as well as notifying the end user. Windows Remote Assistance is disabled. Yes, Win XP SP3 fully patched through WSUS.

I've now run 5 different scans against it and am still not picking anything up. How likely is it that such a tool can completely remove itself, and if it is doing that, how is it getting back on (assuming the attacker would wish to get back on)?

I'm struggling to understand how there's no trace of such activity.

Thanks

Paul
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 36483388
>> How likely is it that such a tool can completely remove itself and if it is doing that, how is it getting back on (assuming the attacker would wish to get back on)?

I'm afraid this is possible in theory but it will require that the person has knowledge of an administrative password (domain or local) or a 0-day security issue. Copying files through a share to %TEMP%, starting a service through psexec, connecting and reversing the whole, including removing its traces.

This is a difficult case, I'm thinking of a way to log all inbound traffic, either by means of a firewall or some packet logger like wireshark.

Has this issue happened again in the meanwhile? Do you know of the same incident with other employees?
0
 
LVL 2

Expert Comment

by:Sarcast
ID: 36483432
Did you find any evidence at all of this happening, apart from the user 'seeing it happen'?

Not to discredit the user, but I've seen users misinterpret technical issues rather often.
For example, a wireless mouse with a low battery can do funny things with the pointer, and a restart could also be caused by Windows Update.

0
 

Author Comment

by:vistasupport
ID: 36483867
gerwinjansen - We haven't had reports of any other incidents, so this does seem to be an isolated event. We'll take a look at the security on our LAN, as we've just gone through some log files with our firewall people and there's absolutely no evidence the attack originated externally.

sarcast - from the user's description, it's unlikely to be a technical issue. The remote session loaded up some e-mails and then clicked on the Start button, chose Shutdown and then shut down the PC. That seems to be a clear number of specific steps. We did initially think it was technical, but after that description it's unlikely.



0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 36484293
>> we've just gone through some log files with our firewall people and there's absolutely no evidence the attack originated externally

That is (partially) good news, means that no one was able to access your system(s) from the outside. But it also means that someone from the inside may know admin usernames/passwords. I would change them if this is not already normal practice after such an incident. Do you have local admin accounts or only domain admin accounts?
0
 

Author Comment

by:vistasupport
ID: 36488172
Yes, it seems unlikely we are going to track this down so we need to review our security.

We have local admin accounts on each PC, but member server admin accounts are disabled. Default domain admin account is also disabled.

Looks like we need to reset the password on every local admin (or disable it?) and lock down the firewall to only accept Dameware connections from specific IPs (those in IT dept).

One problem we have is managing password change for remote users.

We have two groups:

Business Development team - equipped with laptops that are members of our domain, but have offline files enabled. They visit the office and connect to the domain on an irregular basis - there's no guarantee that they will receive a password expiry notification (currently 14 days) during their visit.

Field workers - will login to OWA & Sharepoint via a remote web browser (home PC, etc) from non-domain PCs.

Currently we set their passwords to not expire - what's the best way for them to change their password while off our domain should their password expire?  
0
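Two points from the thread can be turned into something concrete: Gerwin's suggestion to log all inbound traffic at the firewall so the next occurrence leaves a trace, and the plan above to only accept DameWare connections from the IT department's addresses. The script below is an added example and not code from either post. It parses a constructed Windows Firewall log in the W3C style that XP SP3 writes to pfirewall.log (the column names are taken from the `#Fields:` header rather than hard-coded), separates inbound connections on the DameWare port into those from the IT range and those from anywhere else, and renders the `netsh firewall` commands that turn logging on and restrict the port. The 6129 port, the 10.0.5.0/24 IT range and the log lines are assumptions; the `netsh firewall` syntax is the XP SP3 form as I recall it and should be checked against `netsh firewall add portopening ?` on a test machine before rollout.

```python
"""Review a Windows Firewall log (XP SP3 pfirewall.log, W3C style) for
DameWare connections that reached a PC from hosts outside the IT subnet,
and produce the lockdown commands discussed in the thread.

Added example; not code from the original posts. The log lines are
constructed, the IT subnet is assumed, and DameWare's default port 6129
is assumed to be the one in use on this network.
"""
import ipaddress

DAMEWARE_PORT = 6129                              # assumed default MRC port
IT_SUBNET = ipaddress.ip_network("10.0.5.0/24")   # assumed IT-department range

# Constructed sample of what XP's pfirewall.log looks like with both dropped
# packets and successful connections logged.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-09-01 09:14:03 OPEN-INBOUND TCP 10.0.5.14 10.0.7.22 49211 6129 - - - - - - - - RECEIVE
2011-09-01 09:31:47 OPEN-INBOUND TCP 10.0.9.200 10.0.7.22 1085 6129 - - - - - - - - RECEIVE
2011-09-01 09:31:48 OPEN TCP 10.0.7.22 10.0.1.5 1090 80 - - - - - - - - SEND
2011-09-01 09:40:12 DROP TCP 10.0.9.200 10.0.7.22 1101 6129 48 S 12345 0 65535 - - - RECEIVE
2011-09-01 09:40:15 DROP UDP 10.0.9.200 10.0.7.22 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Parse W3C-style firewall log text into dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a malformed line: skip rather than guess
        rows.append(dict(zip(fields, values)))
    return rows


def dameware_sessions(rows, port=DAMEWARE_PORT, allowed=IT_SUBNET):
    """Sort inbound TCP traffic on `port` into three lists of (timestamp, source):
    sessions accepted from the IT range, sessions accepted from anywhere else
    (the ones to investigate), and attempts the firewall dropped."""
    expected, unexpected, blocked = [], [], []
    for r in rows:
        if r["protocol"] != "TCP" or int(r["dst-port"]) != port:
            continue
        src = ipaddress.ip_address(r["src-ip"])
        key = (r["date"] + " " + r["time"], r["src-ip"])
        if r["action"] == "OPEN-INBOUND":
            (expected if src in allowed else unexpected).append(key)
        elif r["action"] == "DROP":
            blocked.append(key)
    return expected, unexpected, blocked


def lockdown_commands(port=DAMEWARE_PORT, allowed=IT_SUBNET):
    """XP SP3 `netsh firewall` commands (syntax as recalled; verify on a test
    PC) that log connections and dropped packets and restrict the DameWare
    port to the IT subnet."""
    return [
        "netsh firewall set logging droppedpackets=ENABLE connections=ENABLE",
        "netsh firewall add portopening protocol=TCP port=%d name=DameWare "
        "mode=ENABLE scope=CUSTOM addresses=%s" % (port, allowed.with_netmask),
    ]


if __name__ == "__main__":
    ok, bad, dropped = dameware_sessions(parse_firewall_log(SAMPLE_LOG))
    for when, src in bad:
        print("DameWare session from outside IT range: %s from %s" % (when, src))
    print("expected: %d, unexpected: %d, blocked: %d" % (len(ok), len(bad), len(dropped)))
    print("\n".join(lockdown_commands()))
```

On the constructed log, the 09:14 session from 10.0.5.14 is inside the assumed IT range, the 09:31 session from 10.0.9.200 is the one to chase (the time and source address give you something to take to the senior people and to correlate with DameWare's own event-log entry), and the 09:40 DROP shows what the log looks like once the port is restricted. Logging has to be enabled before the next incident for this to be of any use; by default XP logs neither dropped packets nor connections.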
