1

Walking back to my computer (Windows 10), I noticed that my browser's history tab had just opened without me touching it and I thought I saw my cursor moving around. I had no control over my mouse until I ctrl-alt-deleted.

When I came back I had multiple new tabs open to things like PS4 digital game cards bought under my account and confirmation emails saying I had just bought a few hundred dollars' worth of them. I also had a confirmation email about an account created with my email on "gameflip.com". I've never even heard of this website, but it looks like it's a place where you can sell stuff. My credit card company sent me an email detecting fraudulent charges and I dealt with that, so I think I'm good on that end. Also, changed my passwords and all that jazz.

The problem is that I can't figure out how they did this. I've scanned my computer with Windows Defender, Malwarebytes, and Malwarebytes Anti-Rootkit. I also ran Malwarebytes in safe mode as well but they all found absolutely nothing.

Someone suggested I go to grc.com and run a scan to see if I had any open ports, but they were all in stealth mode except 21 which was in closed status. I'm not super tech savvy so I'm not sure if that means anything but as far as I can tell, "closed" shouldn't really be bad right?

If someone had just figured out my credit card number and passwords then whatever, that's easily solved, but how do I stop them from just taking control of my computer again?

schroeder
Vaidd
  • "If someone had just figured out my credit card number" In case of doubt, change all passwords. A strong password policy is a must, and for different services you should always use different passwords. If somehow your Facebook account credentials were sold, you don't want them to use that password to enter your email, for example. – bradbury9 Sep 26 '18 at 07:11

3 Answers

8

There are a large number of remote control utilities.

VNC is just one of them.

Virtual Network Computing is open source so anyone can copy the source and include it as the payload of a trojan that they arrange to have installed on your computer.

Anti-virus software is not necessarily going to see everything. Something that is new, or something that is a one-off created for one job, will not have made it into your anti-virus signature files as yet.

Also, anti-virus software is not going to see the VNC part of the software as a problem.

If someone tricks you into installing some software that included this then they would be able to access your computer at any time.

Closing unused ports is always a good idea, but a trojan will probably be using a commonly used port like port 80, which is used for web browsers and web servers, or will search for an unused port that is open. A trojan that is well written could also only respond on a particular port under certain set conditions to prevent being found.

If an attacker has had enough time to take over your PC and has made a variety of purchases through your web browser using your credit card details and processed confirmation emails, then they have had enough access and time to totally compromise your computer.

I would think that there is no effective method of cleaning this up short of copying all data to a secure external drive, wiping the hard drive and any connected data storage, including cloud storage that may contain re-infection software, and reinstalling everything from scratch.

Make sure that any access to the backup drive containing all of your data is done in such a manner that you do not risk re-infection.

You will also need to update passwords on any accounts the attacker had access to and replace all of your credit cards.
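The answer above argues that a remote-control payload can sit on a common port and evade signature-based AV. The following is an added triage script, not part of the original answer, for checking that hypothesis on a Windows 10 machine before the wipe: it maps every established or listening TCP socket to its owning process and that binary's Authenticode status, then lists the usual persistence locations (Run keys, non-Microsoft scheduled tasks, services with unsigned binaries). It assumes an elevated PowerShell 5.1 session with the NetTCPIP and ScheduledTasks modules that ship with Windows 10; the "unsigned means suspicious" filter is a triage heuristic, not proof of compromise.

```powershell
# Added example (not from the original answer): triage a Windows 10 box for a
# remote-control tool that AV did not flag. Run from an elevated PowerShell.
# Assumptions: PowerShell 5.1, NetTCPIP and ScheduledTasks modules present.

# 1. Every established/listening TCP socket, mapped to the owning process,
#    its binary path and whether that binary carries a valid Authenticode
#    signature. A RAT talking out over 80/443 still shows up here as an
#    unsigned or oddly located process holding the connection.
Get-NetTCPConnection -State Established, Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            State     = $_.State
            Process   = $proc.ProcessName
            Path      = $path
            Signature = $sig
        }
    } |
    Where-Object { $_.Signature -ne 'Valid' } |   # unsigned/tampered binaries first
    Sort-Object Process |
    Format-Table -AutoSize

# 2. Persistence: anything that restarts the tool after a reboot.
#    Run/RunOnce keys for the machine and the current user ...
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        "== $key"
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# ... scheduled tasks that are enabled and not under Microsoft's own folder ...
Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Task   = $_.TaskName
            Path   = $_.TaskPath
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize

# ... and services whose executable is not validly signed.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Strip surrounding quotes and arguments to recover the executable path.
        $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if (Test-Path $exe) {
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                Exe       = $exe
                Signature = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
        }
    } |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Read the output as leads, not verdicts: plenty of legitimate software is unsigned, and a well-written tool can hollow a signed process or load as a DLL, which this per-process view will not reveal. What it does give the asker is a concrete list of things to look up before following the answer's advice to wipe.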

2

Steps I would take to prevent reentry.

  1. Nuke it from orbit.
  2. Install only required software. Don't install cracked/patched software.
  3. Stop/disable unneeded services.
  4. Update all software (OS and programs).
  5. Don't use untrusted USB dongles.
  6. Create a user account with no privileges (no admin, no installation rights) and use it as the default account.

Cross your fingers that the attack has not gotten into hardware; you could consider updating/flashing from vendor firmware.

Edit: You may also consider moving to a more security-oriented OS, one that secures by isolation. Don't take this suggestion as spam, but I used a VM-oriented OS, one which separates regular activities into different VMs (personal/email, banking, web-social, web-untrusted, vault_passwords), so if you get penetrated the one affected VM can be deleted and recreated with no fuss. That OS was Qubes; there are others with a similar approach, but I liked that one most.

bradbury9
    I doubt the hardware was infected. If it was though, updating/flashing the vendor firmware is not likely to be effective given the fact that a malicious BIOS could pretend the flashing succeeded when it really did not. You would have to use SPI programmer hardware and connect it directly to the BIOS chip in order to be really sure that you have replaced the current firmware with vendor firmware. – forest Sep 26 '18 at 02:22
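Steps 3 and 6 of the answer above (disable unneeded services, run as a non-admin account) are the two a home user most often skips after a reinstall. Here is an added example of doing both from an elevated PowerShell on a freshly installed Windows 10; it is not part of the original answer. The account name `daily` is a placeholder, the service list is this editor's choice of remote-access services a single home desktop does not need, and the Microsoft.PowerShell.LocalAccounts cmdlets it uses ship with Windows 10.

```powershell
# Added example (not from the original answer): steps 3 and 6 after the
# reinstall, from an elevated PowerShell on Windows 10.
# Assumptions: account name 'daily' is a placeholder; the service list is
# an editor's choice for a home desktop, not a vendor recommendation.

# Step 6: a standard (non-administrator) account for day-to-day use.
$name = 'daily'
$pw   = Read-Host -Prompt "Password for $name" -AsSecureString
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $name -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $name
}
# Confirm it is NOT in Administrators or Remote Desktop Users; both groups
# would give the account exactly the rights step 6 is trying to withhold.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $member = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -like "*\$name" }
    "{0,-10} member of '{1}': {2}" -f $name, $group, [bool]$member
}

# Step 3: remote-access services a single home desktop does not need.
$unneeded = @(
    'TermService'     # Remote Desktop Services (RDP)
    'RemoteRegistry'  # remote edits to the registry
    'WinRM'           # PowerShell remoting
    'RemoteAccess'    # Routing and Remote Access
)
foreach ($svc in $unneeded) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
        $s = Get-Service -Name $svc
        "{0,-15} status={1,-8} startup={2}" -f $svc, $s.Status, $s.StartType
    }
}

# RDP has its own on/off switch in addition to the service; set it to
# "deny connections" so a later service start does not silently re-open it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                 -Name fDenyTSConnections -Value 1
```

Log out of the administrator account after this and use `daily` for everything; when Windows prompts for elevation, that prompt is the moment to ask whether the install is actually wanted, which is the point of step 6.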
-2

There is no need for anything to be installed at all, if somebody had/has access to your Windows configuration settings and your network.

There is a feature called "Remote Desktop" (RDP) integrated into Windows that allows just that: you merely have to enable and configure it, and anyone who knows the username and password of a user account you configured for it can access it. If this was used, either someone needs to know your password (have you given it to someone?) or has somehow set up another user account (which lusrmgr.msc should show you).

The more interesting question is how your network was accessed: The results of the scan you describe look typical for a home NAT router/firewall not setup to forward RDP connections. RDP is not designed to reverse connect or similar, so there are four possibilities:

  1. someone on YOUR network is playing a joke on you
  2. someone installed something (eg a VPN client) that can route traffic around your firewall/router
  3. your router was tampered with
  4. another remote access software (eg VNC, or indeed something illicit) is installed
schroeder
rackandboneman
  • 1. some joke - that's a local attacker, not a joker, 2. the outside scan would have picked up on that, 3. a tampered router would be to open a port, so the scan would have shown this, 4. that kind of defeats your RDP suggestion doesn't it? – schroeder Nov 15 '17 at 13:26
  • RDP grants the local user access to the mouse, too. While RDP would mean that nothing would have to be installed, given the network realities, it would appear that a RAT was installed that was going undetected. A much easier thing to do than to manipulate the network, the router, configure RDP and wait. If someone had that much access to set all that up, I'm not sure they would fiddle around that much. So much easier to install a RAT. – schroeder Nov 15 '17 at 13:30
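The answer and the comments disagree about whether RDP is plausible here, and the question can be settled from the machine itself rather than argued. Below is an added read-only audit, not part of the answer or comments, that checks the three things the answer names: whether Remote Desktop is enabled and on which port, which accounts may use it and whether an unexpected local account exists (the lusrmgr.msc view), and whether the Security log records any network or RDP logons (event 4624, logon types 3 and 10). It assumes an elevated PowerShell 5.1 on Windows 10 and that the Security log still covers the window of interest, which by default is only days to weeks.

```powershell
# Added example (not from the original answer): check the RDP hypothesis from
# an elevated PowerShell on Windows 10. Reads only; changes nothing.
# Assumption: the Security log still covers the period in question.

# Is Remote Desktop enabled, on which port, and is the service running?
$ts   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$port = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
"RDP enabled : {0}" -f ($ts.fDenyTSConnections -eq 0)
"RDP port    : {0}" -f $port
"TermService : {0}" -f (Get-Service -Name TermService).Status

# Who may connect? Administrators can always RDP in; others need this group.
"== Remote Desktop Users"
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, ObjectClass
"== Administrators"
Get-LocalGroupMember -Group 'Administrators'       | Select-Object Name, ObjectClass

# The lusrmgr.msc view: every local account and when it was last used.
# An account you did not create is the "somehow set up another user" case.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Format-Table -AutoSize

# Did anyone actually log on over the network? Event 4624 with LogonType 10
# is an interactive RDP session; type 3 is a network (SMB, WinRM, ...) logon.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = [int]$d.LogonType
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = $d.IpAddress
            Process   = $d.ProcessName
        }
    } |
    Where-Object { $_.LogonType -in 3, 10 -and $_.Source -notin '-', '127.0.0.1', '::1' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If RDP shows as disabled, the group memberships are as expected, and no type-10 logons appear, the RDP explanation is out and the comments' RAT reading is the one left standing; if a type-10 logon from an outside address does appear, the source address tells you whether possibility 1 (same LAN) or 3 (router forwarding) in the answer's list applies. Either way the evidence comes from the box, not from the port scan.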