Author Topic: Brother-in-law's computer got hacked  (Read 320 times)

I D Shukhov

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 6341
Brother-in-law's computer got hacked
« on: March 06, 2018, 09:09:04 pm »
My wife and I both got emails that were suspicious in that there wasn't much content to the message except to say that this person has shared a secure message with you and to click on a link that would purportedly take you to Dropbox to retrieve it.  My wife forwarded the message to Dropbox and they verified it had a malware payload.

What do you do in such a case if you don't have backups?  Is it even possible to disinfect a compromised computer?


The Gorn

  • I absolutely DESPISE improvised sulfur-charcoal-salt peter cannons made out of hollow tree branches filled with diamonds as projectiles.
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 22324
  • Gorn Classic, user of Gornix
Re: Brother-in-law's computer got hacked
« Reply #1 on: March 06, 2018, 09:30:25 pm »
Stupid end users clicky clicking on shit that random nobodies send them.

Hopefully Benali72 will weigh in here since he has a wealth of knowledge in reusing old computers.

The general idea:

Keep the computer turned off. Don't let it run in Windows any more.

Boot that computer from a Linux recovery disk (search old threads here for suggestions.)

Connect an external hard drive to the computer, and start copying off the computer whatever user data you can.

Run an anti virus checker on the copied data.

Basically, recover the data for later use, and then disinfect that data, preferably while running Linux. (Normies whose computers get p0wned don't run Linux and Linux is immune to most malware.)

Forget about recovering the wasted PC. At best you may be able to format the hard drive and reinstall Windows. That is really the only safe use to make of that PC.

You have to just know an awful, awful lot to do all of these steps effectively and I've already suffered through enough of that kind of shit this past year and spent too much time writing up stuff. Check out the forums for more info.
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.
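The recipe above (keep Windows off, boot Linux live media, copy the user data off to an external drive, scan the copy, then wipe and reinstall), as an added example that is not part of the original post or the Gorn's own procedure: a shell script to run from the live system. It assumes the Windows partition shows up as /dev/sda2, that the external drive is already mounted at /mnt/rescue, and that ClamAV's clamscan is installed on the live system; all three are assumptions for the example, as is the list of directories and file types it skips when copying.

```shell
#!/bin/sh
# Added example (not from the thread): offline recovery of user data from a
# suspect Windows disk while booted from Linux live media.
# Assumptions (adjust for the actual machine): Windows partition is /dev/sda2,
# the external drive is already mounted at /mnt/rescue, clamscan is installed.
set -eu

# Mount the suspect partition read-only. "ro" guarantees nothing is ever
# written to the infected disk (and lets ntfs-3g mount a volume Windows left
# hibernated); noexec/nosuid/nodev stop anything on it from being executed
# from the live system. mount auto-detects NTFS (ntfs-3g or kernel ntfs3).
mount_suspect_disk() {
    dev=$1; mnt=$2
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# Copy documents only. Temp and browser-cache directories are pruned and
# program-code file types are skipped: that is where a phishing dropper lands,
# and none of it is data the user needs back. The exclusion list is this
# example's choice; extend it to match what the user actually works with.
copy_user_data() {
    src=${1%/}; dst=$2
    mkdir -p "$dst"
    find "$src" \( -path '*/AppData/Local/Temp' \
                -o -path '*/AppData/Local/Microsoft/Windows/INetCache' \
                -o -path '*/AppData/Local/Microsoft/Windows/Temporary Internet Files' \) -prune \
        -o -type f \
           ! -name '*.exe' ! -name '*.dll' ! -name '*.scr' ! -name '*.lnk' \
           ! -name '*.js'  ! -name '*.jse' ! -name '*.vbs' ! -name '*.wsf' \
           ! -name '*.ps1' ! -name '*.bat' ! -name '*.cmd' ! -name '*.hta' \
           -exec sh -c '
               src=$1; dst=$2; shift 2
               for f; do
                   rel=${f#"$src"/}
                   mkdir -p "$dst/$(dirname "$rel")"
                   cp -p -- "$f" "$dst/$rel"
               done' _ "$src" "$dst" {} +
}

# Hash every copied file so the copy can be proven intact later: after the
# AV pass and again when restoring onto the rebuilt machine.
# $manifest must be an absolute path (it is checked from inside $dst).
write_manifest() {
    dst=$1; manifest=$2
    (cd "$dst" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$manifest"
}

verify_manifest() {
    dst=$1; manifest=$2
    (cd "$dst" && sha256sum -c "$manifest" > /dev/null)
}

# Scan the copy, never the original disk. clamscan exits 0 when nothing is
# found, 1 when infected files are found, 2 on error. Run freshclam on the live
# system first so the signatures are current.
scan_copy() {
    dst=$1; report=$2
    clamscan -r -i --no-summary "$dst" > "$report" 2>&1
}

main() {
    dev=${1:-/dev/sda2}        # suspect Windows partition (assumed)
    rescue=${2:-/mnt/rescue}   # external drive, already mounted (assumed)
    mnt=/mnt/suspect
    copy="$rescue/recovered-$(date +%Y%m%d-%H%M)"

    mount_suspect_disk "$dev" "$mnt"
    for profile in "$mnt"/Users/*/; do
        user=$(basename "$profile")
        case $user in Public|Default|'Default User'|'All Users') continue ;; esac
        copy_user_data "$profile" "$copy/$user"
    done
    write_manifest "$copy" "$copy.sha256"
    if scan_copy "$copy" "$copy.clamav.txt"; then
        echo "copy at $copy scanned clean; manifest in $copy.sha256"
    else
        echo "clamscan flagged files (see $copy.clamav.txt): delete them, then rerun write_manifest" >&2
    fi
    umount "$mnt"
}

# Run the whole procedure only when invoked with arguments, e.g.
#   sh recover.sh /dev/sda2 /mnt/rescue
# so the functions can also be sourced and used one step at a time.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Two caveats the script cannot enforce for you. A clean clamscan result means no known signature matched the copied files, not that the copy is safe; that is why executables and scripts are never copied in the first place, and why the copy is only ever opened on a machine that has been wiped and reinstalled. And the manifest is only useful if you keep it off the suspect disk and re-run verify_manifest after the files land on the rebuilt machine.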

I D Shukhov

Re: Brother-in-law's computer got hacked
« Reply #2 on: March 07, 2018, 04:57:04 am »

Forget about recovering the wasted PC. At best you may be able to format the hard drive and reinstall Windows. That is really the only safe use to make of that PC.

You have to just know an awful, awful lot to do all of these steps effectively and I've already suffered through enough of that kind of shit this past year and spent too much time writing up stuff. Check out the forums for more info.

That's about what I figured.  The computer is hosed because it would be too difficult to find and root out the malware.  It's a company computer, so I'm figuring they are going to have to deal with it -- i.e. pay for it.  I'll report back later as to what the final resolution was when I see him again.  I feel a little bad for him, because he relies on his PC heavily for his work (works from home).  If I am contacted for advice, I'll forward the message.  Thanks.  I'll have something to give him.




The Gorn

Re: Brother-in-law's computer got hacked
« Reply #3 on: March 07, 2018, 06:43:53 am »
It's a company computer, so I'm figuring they are going to have to deal with it

Then why talk about it? I would surmise that if it's his employer's computer, he is to stay hands-off and not do any systems level work on it until their tech person looks at it.

This script was for you, not your brother in law. Don't give this info to him. Since he asked you for help, and since he was the miscreant who infected his PC in the first place, I assume he will be completely dangerous and make things worse. That's an end user, they mess things up.

I provided a complete skeletal schema for helping him with this. I figured you, since you are the family tech person between jobs, could use the experience.

It's kind of ugly work you may have no interest in, but putting yourself to work on something like this does several good things:

- You learn things.
- You exercise probably currently languishing problem solving abilities. (They do cross over. Problem solving I have to perform on web hosting issues or setting up Linux sharpens me for writing code, or even for figuring out why our self propelled lawn mower won't self propel.)
- You gain more self confidence in your problem solving abilities.

Even a home project like this makes one feel that they're still in the game.

All problems needing to be fixed are ugly and won't be the ideal work.

Preach mode toggle off now...

pxsant

  • CCF Winner's Circle - Supporter
  • Wise Sage
  • *
  • Posts: 1668
Re: Brother-in-law's computer got hacked
« Reply #4 on: March 07, 2018, 07:05:47 am »
Does he work for a major corporation?  If so, they will just reimage the system.  That process does a bit level reimage so anything which was on there will be gone.

If it is a smaller corporation, all bets are off.  Unless they have a good process for reimaging a system, they may not be able to get rid of the infection.

I hope he had his work stored out on the corporate network and not locally.

The Gorn

Re: Brother-in-law's computer got hacked
« Reply #5 on: March 07, 2018, 07:18:30 am »
I hope he had his work stored out on the corporate network and not locally.

That is a very important point.

If his data lived on the company network - Then the laptop is just a thin client with a few apps, basically. It can be readily repaved.

I D Shukhov

Re: Brother-in-law's computer got hacked
« Reply #6 on: March 07, 2018, 07:18:53 am »
Does he work for a major corporation?  If so, they will just reimage the system.  That process does a bit level reimage so anything which was on there will be gone.

If it is a smaller corporation, all bets are off.  Unless they have a good process for reimaging a system, they may not be able to get rid of the infection.

I hope he had his work stored out on the corporate network and not locally.

He works from home for a small company.  He relies on his PC for all communications with a staff he manages.  That means online meetings, sharing of docs and other collaboration tools which he proudly showed me about a year ago.  I'd be really surprised if this company has a tech person.  I'm curious as to how this gets resolved.

I D Shukhov

Re: Brother-in-law's computer got hacked
« Reply #7 on: March 07, 2018, 07:26:03 am »

I provided a complete skeletal schema for helping him with this. I figured you, since you are the family tech person between jobs, could use the experience.

It's kind of ugly work you may have no interest in, but putting yourself to work on something like this does several good things:

- You learn things.
- You exercise probably currently languishing problem solving abilities. (They do cross over. Problem solving I have to perform on web hosting issues or setting up Linux sharpens me for writing code, or even for figuring out why our self propelled lawn mower won't self propel.)
- You gain more self confidence in your problem solving abilities.

Even a home project like this makes one feel that they're still in the game.

All problems needing to be fixed are ugly and won't be the ideal work.

Interesting.  Maybe I'll call him.  We're not very buddy-buddy.  It would be doing a good deed.


The Gorn

Re: Brother-in-law's computer got hacked
« Reply #8 on: March 07, 2018, 07:33:19 am »
Pxsant gave you a valuable tip. interview your BIL briefly. Find out:

What apps he needs most to have running?

What data he knows about that is stored on his computer? (DON'T turn the computer back on to find this! Follow my recipe. You can boot from a Linux CD safely and browse the hard drive safely. If you run Windows again the malware may start encrypting or eating his data.)

Again, in summary, two key things to extract from the guy:

Which programs he runs.

And where he is aware that data lives, on his computer, or just on a cloud account.

The cloud accounts will not be your concern since the malware can't touch them. You should only be concerned about locating data stored on the computer he has no other copies of.

I D Shukhov

Re: Brother-in-law's computer got hacked
« Reply #9 on: March 07, 2018, 07:37:16 am »
Pxsant gave you a valuable tip. interview your BIL briefly. Find out:

What apps he needs most to have running?

What data he knows about that is stored on his computer? (DON'T turn the computer back on to find this! Follow my recipe. You can boot from a Linux CD safely and browse the hard drive safely. If you run Windows again the malware may start encrypting or eating his data.)

Again, in summary, two key things to extract from the guy:

Which programs he runs.

And where he is aware that data lives, on his computer, or just on a cloud account.

The cloud accounts will not be your concern since the malware can't touch them. You should only be concerned about locating data stored on the computer he has no other copies of.

Okay.  Thanks.  I'll give him a call and see where he stands.

I D Shukhov

Re: Brother-in-law's computer got hacked
« Reply #10 on: March 07, 2018, 08:08:20 am »
I called him and I had this all wrong.  He's on a corporate VPN with about 300 or so employees.  The company is therefore bigger than I thought. They have an outsourced IT department who told him to change his PC and Outlook passwords on Monday when the incident occurred.  Beyond that, he's had no further contact with the IT department.

In the meanwhile, 5 or so other employees have experienced similar emails originating from their Outlook accounts in recent days, so apparently the incident is ongoing.   He told me he's going to file another trouble ticket.

It's correct that I couldn't mess with this computer.  It apparently is managed at the corporate level because he says that software he uses is installed remotely for him.

He thanked me for the call.


The Gorn

Re: Brother-in-law's computer got hacked
« Reply #11 on: March 07, 2018, 08:11:59 am »
I would definitely *not* regret losing the "opportunity" to help with this.  >:D

The guy might even be running a Citrix or other remote session - remotely hosted Windows instances running in the cloud. They would just nuke the old VM and give him a new one. You can rent such a service from AWS now.

I D Shukhov

Re: Brother-in-law's computer got hacked
« Reply #12 on: March 07, 2018, 08:19:39 am »
I would definitely *not* regret losing the "opportunity" to help with this.  >:D

The guy might even be running a Citrix or other remote session - remotely hosted Windows instances running in the cloud. They would just nuke the old VM and give him a new one. You can rent such a service from AWS now.

I wonder if Outlook itself is compromised?

And it's been 3 days now without a resolution.  I can imagine the hyperactivity at the moment in the outsourced IT department.

pxsant

Re: Brother-in-law's computer got hacked
« Reply #13 on: March 07, 2018, 08:22:48 am »
Wait a minute.  If he is on a corporate VPN this is a much bigger problem whether the company realizes that or not.  On a corporate VPN, his system is nothing but a thin client.  When he is in Outlook, he is on the VPN so anything he opens is opened at the corporate level.  He sees the open email on his thin client but Outlook and the actual email are open in the VPN space.

If he boots from scratch and never connects to the VPN, does he still have a problem locally?  Can he go out on the Internet over his own provider without the VPN active?

Depending on the answers, the issue could be restricted locally or the corporate servers could be the infection issue.

===========

Let me modify that a bit.  He may not be operating as a thin client after all.  With a standard VPN, he is probably connecting to remote servers as if they were local but all his apps including Outlook are probably installed locally.  So when he opens an email, it is local, not remote.

It depends on how his connection exists - e.g. if he is using Citrix it is different than a VPN.

His only option is to get his laptop back to the support people to have it checked out and reimaged.  The best option is if they ship him a replacement FedEx and he can return the old one.

The Gorn

Re: Brother-in-law's computer got hacked
« Reply #14 on: March 07, 2018, 08:47:00 am »
^ Yeah, heh heh. Someone's fracked.

Glad it's not MY problem!

Did I make that big enough?  :laugh: