I had been called to a company because it appeared that one of their Windows 98 computers had been hacked. The computer was connected to the Internet and was used for web surfing and email. The only symptom they reported was a significant slowdown in processing. Sure enough, even though the PC had more than enough processor power to run its applications, it was running very sluggishly. The day before it had been a fast and responsive machine. Now, it seemed to struggle with every mouse click and screen change. The mouse cursor hesitantly flashed during operations -- an indication of slow processing. They had already run an antivirus scanner with an updated signature database file. It had found nothing. Still, everyone was suspicious. Malicious mobile code is coming out so fast these days than even the most accurate scanners can’t track all of the new ones.

The first thing I did when I arrived was to disconnect the PC from the Internet by unplugging its network card cable. That way if the machine was being attacked or monitored from the Internet, no more damage could be done. I then hit Ctrl-Alt-Del to see what program processes were running. There were a few that I didn’t recognize, but that by itself is not surprising. Then I used the SYSEDIT.EXE command to examine the system startup files. The SYSTEM.INI file definitely had something suspicious. There was a line under the [boot] section, shell=explorer.exe Netlog1.exe , that was loading a strange file into memory every time Windows started. First, I used the Task menu to remove Netlog1.exe from memory, and then I examined it using a file text editor.

Quickly scanning the file for anything out of the ordinary, I noticed text strings pointing to a public Internet IP address and port number (explained in Chapter 6, Trojans and Worms). Then I saw it, a text string saying, “The victim is online!” A legitimate company didn’t write this file. I did a search for all files that had been modified or created in the last few days. There were a dozen or so. I removed all the ones I didn’t trust. One was a password file, evidencing that a hacker had entered into the system and set up his own logon accounts. The root directory contained a Delete.bat file, which would allow the hacker to erase most of his tracks and files with one command if he thought he was about to get caught. There was even a module that would move a backup copy of Netlog1.exe into memory if the first was removed.

After analyzing the bogus files a bit more, I identified the culprit as The Thing. The Thing is a remote access Trojan that provides backdoor access to hackers. Once loaded, the Trojan uses both IRC and ICQ chat channels to notify hackers of the IP address of the latest victim. Then hackers can upload and download files secretly. The Thing is used to upload larger hacking programs with more functionality. What made this sort of attack even more dangerous was the hacked machine was attached to a corporate network with access to lots of other resources. The hackers could have downloaded every datafile on the network (constrained only by the local user’s logon permissions). Once the Trojan was removed, the PC gained its original efficiency again. I uploaded The Thing to commercial antivirus researchers so it could be incorporated in the next signature database releases. My clients didn’t understand how a Trojan program could have been placed on their computer. They hadn’t downloaded any programs (or so they thought). They wondered how the Trojan got installed if all they did was surf the Web. Welcome to the world of malicious mobile code.