You probably got here from my web page. I am trying to make folks aware of how bad the hacking problem has gotten. This story is true. I have provided all evidence, which I still maintain on CD-ROM in a very secure location. All evidence was also turned over to the FBI and used in the prosecution of an idiot who called himself a true hacker.
As I mentioned on my web site, the group known as Cult of the Dead Cow released a Trojan Horse program called Back Orifice while at a hacker conference in Las Vegas in July/August 1998. Back Orifice got its name because 1) it is a back door and 2) it makes fun of Microsoft's BackOffice suite of system management utilities. The group claims it is their duty to expose Microsoft vulnerabilities. They posted their egotistical opinions at sites such as AntiOnline and Slashdot.
I became involved with Back Orifice the evening of August 11, 1998. I was sent an AVI (Microsoft Video File) from a relative. This file was infected with a BO plug-in called...this is a stupid name...ButtTrumpet. It seems that ButtTrumpet uses a technique called buffer overrun to cause Windows to run malicious code. It's a sneaky technique, but effective, especially with data files, since data is not executable. But by embedding binary code that "overruns" the buffer, when the program quits due to the buffer overrun error, control is returned to the calling routine in memory, which by then happens to be overlaid by the program code that was in the data file.
In most cases, ButtTrumpet is supposed to run undetected. However, since I had received the file embedded in an e-mail, I ran it directly from Netscape Mail. The result was an AVI file that did nothing. I was suspicious, but since I was running anti-virus software, I did not believe I had any kind of virus, just corrupted data...after all, data doesn't run, right?
Over the course of the next few days I began to experience firewall failures. My proxy server software was no longer working for more than a couple of hours at a time. I could reboot, and work for a few more hours. I was not sure if the problem was related to Windows 98, as I had experienced numerous problems with it as a new operating system product. But this firewall failure had my attention, and I worked on the problem for several nights in a row. I tried other firewall software I had used on other systems before, but they also failed. Finally, after working on the problem all weekend, midnight Sunday to be exact, I was tired and wanted to go to bed to be rested for work the next morning. So out of frustration, I disabled all of my proxy software and decided to run stand-alone until I had time to work the problem the following weekend. But instead of going to bed, I got a clue, or more like a big surprise. You see, I had disabled all of my proxy software, and was just turning out the lights in my office when I heard my modem go off hook and dial my internet provider. Shocked, I turned the lights back on and canceled the connection. Thinking it might just be Net.Medic trying to connect to my ISP for some stupid reason, I turned off Net.Medic and rebooted. To my surprise, immediately after the reboot, my computer dialed out to the internet. Again I canceled the connection. I then opened an MS-DOS window and ran the "netstat -an" command to determine what was trying to use dial-up networking. I saw an address I did not recognize. So I started looking in my firewall logs and noticed a reference to mail.telepac.pt and the SMTP mail protocol. Knowing that I at no time sent SMTP mail to anybody besides my ISP, I knew this was a major lead. So, to prevent the outbound connection, I reinstalled my proxy software and set up my DNS and hosts file listings for mail.telepac.pt to point at a dummy address on my local private LAN. This prevented the mail from going outside my network to whoever the recipient was at mail.telepac.pt.
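The triage step above, looking at "netstat -an" for a foreign address you do not recognize, can be scripted so it is repeatable instead of eyeballed. The following is an added example, not code from the original page; the netstat output is constructed in the Windows 9x column layout using RFC 5737 documentation addresses (203.0.113.25 and 198.51.100.7 stand in for the unknown mail server and the ISP's own mail server respectively), and the trusted network list is an assumption about what this particular machine should be talking to.

```python
"""Triage of `netstat -an` output: flag remote endpoints that are not expected.

Added example, not code from the original page. SAMPLE_NETSTAT is constructed,
not a capture; the column layout is assumed from the Windows 9x `netstat -an`.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample output. 203.0.113.25:25 plays the role of the unknown
# outbound SMTP connection; 198.51.100.7 plays the ISP's legitimate mail server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.5:1035       203.0.113.25:25        SYN_SENT
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         127.0.0.1:1030         ESTABLISHED
  TCP    192.168.0.5:1040       198.51.100.7:110       ESTABLISHED
  UDP    192.168.0.5:137        *:*
"""

# Assumed: the owner expects traffic only to the private LAN, loopback, and
# the ISP's mail server. Anything else is a lead worth chasing.
TRUSTED = [ip_network(n) for n in ("192.168.0.0/24", "127.0.0.0/8", "198.51.100.7/32")]

# Proto, local endpoint, foreign endpoint, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(ep):
    """'203.0.113.25:25' -> ('203.0.113.25', 25); wildcard '*:*' -> (None, None)."""
    host, _, port = ep.rpartition(":")
    if not host or host == "*" or port == "*":
        return None, None
    return host, int(port)

def parse_netstat(text):
    """Return one dict per connection line; the banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        fhost, fport = split_endpoint(foreign)
        conns.append({"proto": proto, "local": local, "foreign_host": fhost,
                      "foreign_port": fport, "state": state or ""})
    return conns

def flag_unexpected(conns, trusted=TRUSTED):
    """Connections with a real remote endpoint (not a wildcard or a listening
    socket) that falls outside every trusted network."""
    flagged = []
    for c in conns:
        host = c["foreign_host"]
        if host is None or host == "0.0.0.0":
            continue
        if not any(ip_address(host) in net for net in trusted):
            flagged.append(c)
    return flagged

if __name__ == "__main__":
    for c in flag_unexpected(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{c['proto']} {c['local']} -> {c['foreign_host']}:{c['foreign_port']} {c['state']}")
```

Run against the sample, only the half-open SMTP connection to 203.0.113.25 is reported; the listening socket, the loopback pair and the POP3 session to the ISP are filtered out. In practice the flagged address is what you then take to a WHOIS lookup and to your firewall logs, as the page describes.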
My next action was to connect to the internet and search InterNIC for the information on telepac.pt to contact the provider of this mail server for additional information. I found telepac.pt was a foreign ISP. What I did not know was who was getting mail from this SMTP mail server. So I started trying to find an application with telepac.pt embedded in it. What I found, thanks to the Windows Find utility, was a program called WINDS.DLL in my Windows system directory. I looked at the properties of the file and saw some amazing things. First off, the file was dated 5-11-98, the same as the Windows 98 system files, and yet the internal date shown as created on my system was...August 11, 1998...Did the light come on for you too? So now I had a file I was reasonably sure was doing something, probably other than sending e-mail, running on my system. But from where? Somebody had gone to great lengths to hide this program by setting system dates to match the kernel, etc.
So where indeed was this running from? Believe it or not, it had been installed as a System Service in my Windows registry. A DLL file installed with the title WINDS.DLL, which matched the program name. So I removed it from my registry. I wanted to know what was going on in WINDS.DLL. I decided to open the binary file with, of all things, wordpad.exe. Yes, you can open most binary files with WordPad. I searched the file for telepac.pt and found the destination e-mail address was worker@hempseed.com. Now I don't know about you, but this thing smelled of hacker to me. All I could imagine was that some @$$ hole was lying around smoking dope and hacking my system. That really pissed me off...err...hacked...me off. It hacked me off so much that I sent worker@hempseed.com one hell of a nasty e-mail. Unfortunately, he never got to read it, thanks to the guys at Media Stream, the owners of the hempseed.com domain, who run an e-mail service. (InterNIC is most helpful for contacting these folks...grin). After more browsing of WINDS.DLL, I discovered what things were being monitored...things like user IDs and passwords. So after I had WINDS.DLL disabled, I rebooted and went to bed.
With my newfound information, the next morning at work I approached a good friend; we'll call him Bob. Bob was the head of computing security for the company I work for, and a former NSA agent. Bob was a Good Guy! Bob was very interested in my findings, and was equally concerned with the monitoring of user IDs and passwords. You see, I am a senior system administrator on some pretty critical systems in my company, as well as having access to financial data. Bob called the head of security about the matter to see if my company wanted to be involved in the investigation. Our company asked us to file a local police report. I've got to tell you, it is not easy to file a cyber crime report with your local PD. They are not accustomed to these types of crimes. I had to talk to 3 people before I got a detective who could work the case. I gave the detective all the information, as well as e-mailing the files to him.
My company did not take any further action on the matter, and left everything in the capable hands of the local police department and the FBI, at least that's who I think had the wiretaps and surveillance vehicles outside my house....grin
Anyway, realizing I was still pretty much on my own, I took the initiative and contacted Media Stream. I was fortunate, in that I reached an individual who had some brains and authority. They took immediate action and shut off Mr. Worker's access to his hempseed.com e-mail account. I sent my contact at Media Stream all of the data and files I had captured. I felt better knowing this hacker would not have information about his victims...realizing I could not be the only one. As a matter of fact, it turns out there were over a thousand victims...just 8 days after the release of Back Orifice...over 1000 victims. Keep in mind, I did not know it was Back Orifice at this point. I had already read about it in a security alert I receive in my personal e-mail, but had not yet made the connection.
So being the curious analyst that I am, I still wanted to know HOW this bozo got his hands in my system via a data file...I knew at that point the culprit was that damned AVI file. I started reading about buffer overflows, which eventually led me back to Back Orifice. What caught my attention was the information I found on the plug-ins for BO. It turns out I recognized the name ButtTrumpet embedded in WINDS.DLL.
Now by this time, the FBI was monitoring my telephone activity and watching my house...yes, the vans with the dark windows, blinds, et al. This freaked my wife out, especially since she used to work for the Secret Service. I just shrugged it off, figuring it was routine, and knowing I was one of the good guys. I felt bad that they had tapped the wrong line and were only getting my voice traffic and none of my data traffic. That's the problem with having a strong background in telecommunications: those telltale clicks actually mean something besides line noise. In the meantime, I was gathering information on the author of ButtTrumpet. A loser who called himself Brian Enigma and NetNinja. The great part for me was that I knew a hacker with this dip's motivation had to have an ego the size of a small palace. Sure enough, Mr. Enigma had a web page with his complete bio...including what kind of company he worked for, where he liked to hang out for coffee, and a black and white photo of himself in a wig and fedora hat. I put my little data package together and e-mailed it to my contact at Media Stream. Knowing that Media Stream was now working with the FBI in NY, I titled the mail, "Merry Christmas FBI...if you'll wait a minute, I'll put a red bow on your hacker."
I then picked up the receiver of my phone and waited for the routing clicks...then spoke to my dial tone...he he...telling the FBI that the good guy had now tracked down the bad guy and asking them to contact me in a more appropriate manner. The next day, my friend at Media Stream called me and said the FBI in NY needed me to contact the FBI in Kansas so as to forgo the normal paperwork for inter-office communication...this spy stuff never ceases to amaze me. So I spoke to an FBI investigator who was eventually assigned the case out of Kansas City. Within a few weeks, the case had escalated beyond my little hacker incident...Mr. Enigma had been a very bad boy! He is now awaiting prosecution and unemployed...YES!
So the first week of December I started studying NOBO. I found it actually contained BO function structures, but that they were indeed benign. It seems that NOBO spoofs a Back Orifice server application to capture BO connection attempts. I tested it using both a Windows GUI client and a Linux text client. In every case, NOBO protected my PC on IP port 31337. Be careful with AntiGen. It thinks NOBO is a BO server because it responds to port 31337 BO ping requests.
I then had some fun...I customized the NOBO message for when Back Orifice users would attempt to connect to my PC. My apologies to Barbara McNamara of NSA...I took a bit of creative license.
********************** Taken from my NOBO Customized Message ********************
Congratulations!
You have been identified as part of a United States NSA sting operation. As a result, we have identified your ISP and captured a log of your activities. An FBI agent will be contacting you shortly, and you can expect a subpoena to appear before a federal grand jury. Your computer system will be confiscated, and you will be giving up access to any computer systems for the remainder of your natural born life.
In addition, we are cooperating with the individuals used in this sting operation to provide all information for their use in a civil law suit. So if you own a house, car, or other assets, they may soon no longer be yours.
Sincerely,
Barbara A. McNamara
Deputy Director, National Security Agency
United States of America
********************** End of my NOBO Customized Message ********************
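What NOBO does, as described above, is sit on the Back Orifice default port, answer whoever probes it, and keep a log of the attempt. The following is an added example of that idea, not NOBO's code and not the author's: a small UDP listener on port 31337 that logs the source of every datagram and replies with a fixed banner. It deliberately implements none of the BO protocol, so it treats any datagram as a probe (a simplification); the banner text and the sample datagram are constructed.

```python
"""Fake Back Orifice listener: log and answer probes on UDP 31337.

Added example, not NOBO's code and not the page author's. Knows nothing about
the BO protocol itself; every datagram that arrives is treated as a probe.
"""
import socket
import time

BO_PORT = 31337  # default Back Orifice port, as stated on the page
# Constructed banner; the page author used a far more colourful one.
BANNER = b"This host is not running Back Orifice. Your connection attempt has been logged.\r\n"

def handle_datagram(data, addr, now=None):
    """Build the log line and the reply for one incoming datagram.

    Kept free of socket I/O so it can be tested directly. `now` is a Unix
    timestamp override; by default the current time is used.
    """
    ts = time.strftime("%Y-%m-%d %H:%M:%S",
                       time.gmtime(time.time() if now is None else now))
    host, port = addr[0], addr[1]
    head = data[:16].hex()  # first bytes, hex-encoded, for comparing probes later
    log_line = f"{ts} probe from {host}:{port} len={len(data)} head={head}"
    return log_line, BANNER

def serve(port=BO_PORT, bind_addr="0.0.0.0", max_probes=None, log=print):
    """Listen for datagrams, log each one, and send the banner back.

    Runs until max_probes have been handled (forever when None). Returns the
    number of probes handled, which is what the ISP abuse report is built from.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        seen = 0
        while max_probes is None or seen < max_probes:
            data, addr = sock.recvfrom(4096)
            log_line, reply = handle_datagram(data, addr)
            log(log_line)
            sock.sendto(reply, addr)
            seen += 1
        return seen

if __name__ == "__main__":
    serve()
```

Because it answers on 31337, a scanner that decides "BO is present" from any reply on that port will misreport this listener exactly the way the author says AntiGen misreports NOBO; that is the price of answering probes rather than silently dropping them. The log lines, with source address, time and the first bytes of the payload, are the material to send to the probing address's ISP.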
Would you believe within 2 hours of going online, I had somebody ping and try to hack me? As a matter of fact, in only three days, I had three different hack attempts. The first guy was from Switzerland (you've got to love InterNIC search). He was not at all intimidated by my message. So I used a few utilities of my own...I let the creep know I knew he was there...he went away! Just 30 minutes later I was the subject of another hack attempt. Upon investigation, I ran across data that suggested the BO trojan was extremely prevalent, especially with AOL users. I guess that figures, from my perspective.
In each case I sent detailed log information to the ISP of the hacker, as promised...grin. I then took the data from all three hack attempts and forwarded it to the abuse department of my ISP at that time, Cable and Wireless Internet. They were most interested, since they called me the next day. The head of security asked me if there was anything that could be done. I suggested that they filter out all IP port 31337 traffic on both TCP and UDP protocols at the backbone routers. He agreed. That stopped all the hack attempts from outside of Cable and Wireless. But about a week later, I received two more hack attempts from C&W users, inside the network. So I sent the data to the security manager, and for a brief period C&W filtered out Back Orifice traffic on all routers, inside and outside.
UPDATE: Most ISPs will no longer provide this level of security. You are on your own. Back Orifice is one of a multitude of Trojan Horse programs. See http://www.simovits.com/nyheter9902.html for a list of known trojan horse ports.
UPDATE: Get a firewall! Even a software firewall is better than no protection at all. I have even created the FrazierWall Linux firewall.
REMEMBER...WHEN SURFING THE WEB, BEWARE THE SHARKS!