Nailing Hackers’ Hides to the Wall

Sometimes the Best Defense is a Strong Offense!

Reported by Dirk Racey, Private Investigator / Tech Journalist

Dave Powell’s call almost flipped me out of my comfy St. Barts’ hammock. It’s been decades since I’d heard from the guy. We did some good work back in the ‘80s. He was the Senior Editor of Networking Management Magazine, and dreamed up these great ideas for articles about network security and industrial espionage. And as his on-call gumshoe, I’d investigate and write them up. But that was long ago, so I almost spilled my umbrella drink when his voice poured out of my cell: “Hi Dirk… Dave Powell… I need you in Boston ASAP. I’ve got a job for you.”

“Is it interesting enough to lure me out of this hammock?” I parried.

“Sure is. Some hacker’s trying to invade my PC… Been trying to get in every 10 minutes like clockwork for the past two months! But more than that, you’ll get to bust heads.”

Ah…magic words! Dave’s a nice guy and all, but he lacks the killer instinct. I don’t. I’m not above busting heads when necessary (in a technological sense, of course). So I hopped a night flight and bounced into Boston on the skirt tails of a hurricane named after some lady. (Wish I could remember her name, but I had seriously fortified myself for the rocky ride.)

And for the first time in more than 20 years, Dave and I met again at our favorite Back Bay hang… Rosie’s, where everybody who once knew my name tried to avoid letting it show.

Invasion of the PC Snatchers

“Thanks for coming, Dirk.”

“No prob dude. The first three rounds are on you. It sounds like your PC’s under some kind of automated attack. Whaddya know about it?”

Dave whined that over the past year, his PC had been hit by three nasty viruses. It happened twice when he wasn’t even surfing the web. And the third time, a virus hit just as he visited a well-known pet-health site. Two of these viruses required his local Geek Housecalls to rebuild Windows from the ground up. (Dave’s not very technical.)

“You know,” I reminded him, “your computer CAN be infected regardless of whether your Web browser is even open. You can be in Word, Excel, or even no application at all… and a virus can still get in. But beyond that, the smart money also uses virus scanners, firewalls, or secure Internet routers functioning as firewalls. You have them… don’t you?”

“I do,” Dave mumbled across his martini. “I use the Windows Firewall, subscribe to Norton/Symantec Antivirus, and use the free Malwarebytes scanner for good measure."

“I love Malwarebytes,” I interrupted. “But beware of the copycat ‘Malware Doctor’ virus that’s going around. If its fake scanner window appears on your PC, don’t click ANYTHING… Just call your Geek guy immediately. But you do appear to be well-covered on the malware front. So what else can you tell me about these attacks?”

Dave explained that someone seemed to be trying to get into his system once every 10 minutes, 24 hours a day, 7 days a week. “Norton keeps alerting me to the attempts,” he said (Figure 1). “And when I view each alert's details,” (Figure 2) “they say the hacker is trying to inject Tracur Trojan into my machine… whatever that is.”

“We’ll look into that later,” I said. “Anything else?”

“Yes…My scans with Norton and Malwarebytes found and deleted a few Tracur Trojan files. A few other files were ‘quarantined,’ but most of the remaining issues that the scanners detected 'couldn’t be fixed.' This was all despite Norton claiming that the Tracur Trojan intrusions had been blocked. So the next time Geek Housecalls comes over, I’ll see if they can wipe out the remaining malware files.”

“Do that sooner rather than later,” I advised. “When virus scanners can’t completely fix an issue, it may be because the malware has altered Windows Registry entries or critical system files. Virus scanners often handle such issues with kid gloves. So your Geek guy might have to restore the PC’s operating system once again.”

That cheery news put Dave in a pretty grim funk. “Dirk, I want these intrusions STOPPED. I want you to spread the hackers’ PCs out on a Logan runway and land 787s on them… I want you to nail the hackers’ hides to the wall (with rusty nails if possible)!”

After Dave picked up our second round, I decided to first retool my opinion about his killer instinct and then to saunter up to his place for some face time with his PC (and hopefully, with his lovely wife’s marvelous baked ziti). He was also right…Busting hacker heads was definitely worth a few days away from ye ol’ hammock.

Plan of Attack

“Okay, let’s examine the patient,” I said, as the two of us gathered around Dave’s monitor. “I see your Internet Service Provider [ISP] is Verizon … That’s interesting, and I’ll tell you why later. But out of curiosity, did you ever get cable TV?”

“No.”

“Unbelievable. OK, Dave… returning to the 21^st century… here’s our plan of attack. It’s simple. Pay attention. First, we’ll shut down the hacker’s potential channels into your machine. Second, we’ll turn the tables and collect some information about him. And third… if possible… we’ll see if we can strike back.”

Shutting Down Channels

“Dave, It’s a different world now than when we last worked together. Back then, the IBM PC was still pretty new, and network security was in its infancy. Today, the average PC user has no clue how many security tools are at their fingertips… built into their machines or free on the Web. And hackers count on that.

“Most importantly, they count on PC users being clueless about how insecure their connections to the Web really are. It’s entirely possible that your PC is wide open to Web invasions without you even knowing it. There are literally thousands of ‘hidden’ communication channels between your Internet router and the Web that may need shutting down. But the fact that your access is through a provider like Verizon will probably make that task a lot easier.”

I added that people who’ve been attacked usually think that they need to get a new IP (Internet Protocol) address for their PC (this address is a series of integers formatted like nnn.nnn.nnn.nnn). “Sometimes, you can do this by simply turning your Internet router off for several minutes, hours, or even days… and then turning it back on. But this doesn’t always work. And in fact, it may not actually tighten your security all that much.”

“And why would that be?”

“It's because most Internet routers use two IP addresses… a public IP that any system on the Web must be able to see to communicate with you, and a private IP that should be invisible to everyone on the Internet (but isn’t always). Here…I’ll draw you a picture (Figure 3). Some networks may be slightly different. But usually, Web communications move through a router (R in the diagram) that your service provider installs or that you purchase and add on your own. This router stores two IP addresses. It assigns your PC a private IP address (IP-1). The PC side of your router is actually a Local Area Network (LAN)… and the router gives private IPs to every device in your home that you connect to this LAN. (These addresses come from a pool of IPs that are reserved for such applications.) The router also receives its own public IP (IP-2) from your Internet service provider. The Internet side of your router is called a Wide Area Network (WAN)… and the service provider gives a different public IP to each customer’s router. (These addresses come from a pool of ‘external’ IPs that the ISP basically ‘owns.’)

“So if a hacker tries to directly enter or attack your PC, they shouldn’t even be able to see its private IP address (IP-1). Normally, hackers should see only your router’s public address (IP-2). (As we will see in the Tips following this article, this isn’t always the case.) But more important than these IPs, hackers may also be able to get into your home network using the router’s communication ports.”

“Ports?”

“Yes, they’re like the tons of TV channels you’d get if you subscribed to cable… you Luddite! Internet protocols specify more than 60,000 software-defined ‘ports’ for handling web traffic between operating systems, browsers, software applications, gaming systems, and Internet services. Most of your PC’s Internet traffic will move through fewer than 2,000 of these channels, but if you’re a heavy online gamer, many more of them may be open to the Internet. That's one reason why online games can lower a PC’s security.”

Scanning Dave’s System

“Can we check my ports?” Dave wisely asked.

“Definitely. Most people haven't heard of Gibson Research’s ShieldsUP site and its free security-auditing tools. But if you go there, it’ll (safely) probe areas where your router (and PC) may be vulnerable to Internet intrusions, including:

• Internet File Sharing
• Common Ports
• Service Ports
• Windows Messenger Spam
• Web Browser Headers

“These tests can reveal how many of your router’s Internet ports are open, and how much of your computer’s configuration data is exposed to the world. Let’s try it…”

I ran the ShieldsUP tests on Dave’s PC, and was amazed at how secure his router actually seemed to be. Even the detailed scan of its ports (Figure 4) showed that they were all in green "Stealth" mode. This meant that… regardless of whether the ports were actually “open” to traffic… the router did not respond to remote probing through them. In other words, the router kept its mouth shut and didn’t give itself away to intrusion attempts. That was great.

(If this scan had shown that ports were open, we could have moused over them to get more information and then gone to the router's internal software to close them. But before closing a port, it’s best to read the background info on the ShieldsUP site and to research the system or resource that’s using the port. Closing ports may produce undesirable consequences. So when in doubt, it’s usually best to “Stealth” a port rather than “Close” it.)

But despite the router's nicely “stealthed” ports, ShieldsUP still “Failed” Dave's system! This was because his router had also responded to some old-fashioned “ICMP PINGs” that ShieldsUP threw at it. “In a way, PINGs are today’s version of Morse Code,” I explained, “They’re fairly old-fashioned ways of sending ‘Are you there?’ messages and seeing if anyone replies. Your router replied, and hackers could use that to detect it. This is a security risk.”

So we deactivated the setting that allowed his router to respond to PINGs. To do so, we used the following Verizon-specific procedure (other internet service providers will have their own). We:

1. Opened his Firefox browser. In its URL line, we entered the standard IP address that’s used to administer home routers (192.168.1.1), and then hit Enter.
2. Logged into the router using the private ID and Password that Dave created for himself when the router was first installed.
3. Clicked the Firewall Settings icon at the top of the router page.
4. Answered Yes to Verizon’s warning messages.
5. Clicked Remote Administration in the left-hand panel.
6. Unchecked Allow Incoming WAN ICMP Echo Requests (e.g. pings and ICMP traceroute queries) in the Remote Administration list.
7. Clicked Apply.
8. Logged out of the router.

This, plus the router’s completely “stealthed” ports, would make his PC almost invisible to hackers. Later, we deactivated some other settings in his router menus … to further increase its security. (See the Tips following this article for more information about that.)

“So now that we’ve locked down your router from unauthorized access, it’s time to collect some intel about your hacker friend! But first, I’m going to catch the commuter train to Boston. There’s someone down there I want to see. So while I’m away, I want you to watch for those Norton attack alerts, open their detail screens, and note the IP address the intrusions are coming from.”

An Afternoon with the FBI

One Center Plaza is a sweeping arc of a building… a broad brick and cement curve across the street from Boston’s starkly ugly Government Center plaza. I was headed for Suite 600… the local office of the FBI. After my encounter with them back in the ‘80s, I decided to play it straight. No funny business this time. So (not wanting to leave fingerprints behind) I shouldered through their door and asked to talk with someone about hackers. The feds don’t get this sort of request every day (especially in person), and a nice agent escorted me into their conference room for a little chat.

A few cautious minutes later, I re-emerged on the street with the info I needed. And when I rejoined Dave, he showed me that his intrusions were coming from two different IP addresses:

• 89.187.53.210
• 91.217.153.48

This puzzled me, because you wouldn’t think that attacks from different computers would hit his PC every 10 minutes like clockwork. Something smelled like week-old fish.

The Enemy Within

“I’m starting to wonder what this Tracur Trojan thing really is,” I told him. “People have many web resources at their disposal for learning about viruses, Trojans, and other malware. A good first step is to search your scanner vendors' web sites. Norton and Malwarebytes may have posted their own warnings about Tracur Trojan. But the first place I always go is Microsoft’s own Malware Protection Center.”

So we high-tailed it over there, searched for “Tracur Trojan”, and learned some game-changing facts:

• Tracur Trojan plants itself in Windows system folders, drops in some extra files for good measure, alters the Windows Registry, AND causes the links in search results (especially in Firefox searches) to open onto unfamiliar pages (instead of the pages the original links should have launched). And if one clicks the links in those pages, more malware could enter the PC. (Dave’s computer exhibited this Firefox behavior.)
• The above technique is called a social-engineering attack because it tries to use one’s natural behavior (clicking search links) to sneak harmful programs past virus scanners and firewalls.
• And… most interesting… the Tracur Trojan malware is programmed to automatically call out to the very same IP addresses that Dave saw in his Norton alerts! And if Tracur Trojan connects to those addresses, it downloads additional programs. These could include keyboard trackers to capture user IDs, passwords, account numbers, and so on.

“So Dave, your computer isn’t being attacked from the outside. The Tracur Trojan malware (however it got into your system) is trying to call out from inside your PC… and THAT’s what Norton has been preventing!”

On the Hackers’ Trail

“Would you like to see where those IP addresses lead?” I asked Dave.

“Oh yes,” he said.

Now, a whole bunch of web sites allow anyone to trace IP addresses and sleuth out more about them. My current BFFs are:

• http://www.liveipmap.com
• http://www.ip-adress.com
• http://www.whatismyip.com/tools/ip-address-lookup.asp

I especially like the first one because it also lets me report evil IPs and see what others are saying about them. (When you open it, it will display a map location for your own router’s public IP address.) So we used these sites to look up the hackers’ IP addresses, and discovered that:

• 89.187.53.210 is in Chisinau, Republic of Moldova, is connected at DSL speed to the ISP “Scientific-Production Center Monitoring LTD” (also called “R&DC Monitoring”), and it appears to be on “George Cosbuc Street.” (Figure 5)
• 91.217.153.48 is in the Ukraine, is also connected at DSL speed to the ISP “PP Alexy Klimenko,” and it maps to a location on “Khreshchatyk St.” (Figure 6)

For good measure I then Googled the IPs themselves, and dredged up more tantalizing tidbits:

• Both of the addresses are apparently related to a company called “RIPE NCC Operations”… for which several different names, addresses, phone numbers, and emails are available online.
• One of the people who had already reported these IPs also claimed that they are tied to the Ukranian mob.

“Cool stuff,” Dave enthused. “This means that someone could go straight to those locations and shut them down with extreme prejudice!”

“Now don’t go getting ahead of yourself, bucko!” I cautioned. “Each IP-mapping service uses one of several available geolocation databases. They look in their databases for a known router that seems to be closest to the target IP… and then display that router’s location on the map. So the accuracy of the result will depend on the database used and the number of known routers in the target IP's area. Different IP-mapping services may point to different locations… though they will usually all be within a few miles of each other.”

“Really?”

“Yep… Here, let’s try an experiment. First, pull up http://www.liveipmap.com again, and see where it places your router’s public IP (the one that’s also listed at the top of your ShieldsUP scan-result pages). Now do the same with the other two mapping sites. Where do they all place you?”

“Wow… one of them shows a location only about two miles from here. Another puts me in an adjacent town. And the third has me in downtown Boston… about eight miles away."

“As you see, IP tracing is an inconsistent science,” I added. “And the locations shown for hackers’ IPs will similarly be slightly off... but usually accurate to within a few miles.

“And now, for the second part of our experiment. Use this HubPages article to determine your PC’s private IP address. Then put it into the same three mapping sites. What shows up then?”

“They all say something like ‘PRIVATE IP ADDRESS LAN’ and their maps are blank.”

“This confirms that your computer’s private IP is indeed hidden behind your router. And the hackers’ PCs are probably hidden behind their routers in the very same way. But hackers still have ways to learn your private IP address… without you even knowing it,” I added. (I showed him how anyone can do that, but I’ll tell you in a Tip following this article.)

Nailing Hackers

“So I guess these jerks are pretty much out-of-reach?” Dave lamented.

“For most people yes,” I replied. “But we’ve collected some good intel about them from publicly available sources. And in your case, the hackers’ escapades are already so well known that reporting them to the authorities wouldn’t hurt them that much more. But if you are ever hit by an attack that appears to be new, you can definitely land a few 787s on the hackers heads by reporting them to:

• The FBI. I visited them to ask if they take hacker reports. They do. Go to www.FBI.gov, mouse over the SCAMS & SAFETY tab at the top of the page, and select Report Internet Crime. This opens their Internet Crime Complaint Center (IC3), which once focused on Internet fraud. But since hacking is so often a part of Internet fraud these days, the IC3 page takes hacker reports too. Click the big red “File a Complaint ” link at the bottom of the IC3 page, provide all requested information, and tell them everything you’ve learned about the hackers and their attack.
• The US-CERT Incident Reporting System. As with the FBI, tell CERT everything you know abut the intrusion.
• Also consider reporting to private (but keenly interested) sites like BroadbandDSLReports.com. They offer great background info here and encourage people to forward attack information (and even Zipped malware files) here.
• You should also contact your virus/malware scanner vendors… so that they can research and respond to any new intrusions that you see.

“Filing those reports will alert experts who have even better tracking tools, and will help shield other PC users from similar attacks. After all, Dave, if nobody had reported the IPs you’ve been seeing, your Norton scanners may not have stopped your PC's attempts to contact them. And right now, some mobster in the Ukraine might have your bank-account numbers!”

But Dave still seemed bummed. Yes, his attack wasn’t new. In a web awash with e-contagions, it had infected many PCs before his, and will no doubt attack many more later. But I reminded him that someday a new attack will show up at his computer’s door. And when it does, he’ll know how to research it, track down the culprits, and really nail their hides to the Internet wall by reporting them to the people who can do something about them. And Dave isn’t alone … We ALL can do that!

"And cheer up, Dave... We’re not through with those hacker dudes yet! I’ve got a bunch of frequent-flyer miles stacked up in a holding pattern right now. And I hear that Moldova and the Ukraine are lovely this time of year. So I’m going to take a little side trip on the way back to St. Barts. And our hacker friends would be wise to watch their backs and their PCs for a change... ‘cause after a grueling detour like that, I’ll be in a REAL BAD MOOD!”

• Use a good virus scanner, personal firewall, and/or a secure Internet router. Some great virus scanners are even free… like Malwarebytes and Avast. And a router that is secured as described in the article can be as effective a barrier as firewall software itself. Also find out if your Internet Service Provider employs their own high-end virus scanners. If they do, their scanners may be better (and more up-to-date) than yours.
• Update your virus scanner and firewall software frequently… and scan your PC periodically. Do “Full System Scans” once a month, and “Quick Scans” weekly.
• If you (like Dave) use two virus scanners, it’s best to only let one of them operate automatically in real time. Then, when you want to do a “just to be safe” manual scan with the other, disable the automatic scanner first. If you don’t, both scanners could get in each others' way.
• Change the password in your router periodically. And if you’ve never changed it, find the instruction book (or search the Web for instructions) and change its password NOW. Your router may still be using a factory-default administrative password that hackers have long known!
• In addition to turning off your router’s PING responses (as described in the article), some of the router’s "Access Control" ports and services may also be open. So check all of the router’s menus and dialog boxes, refer to its printed (or online) manual, and turn off any Access Control ports and services that make sense. And when in doubt, it’s usually best to “Stealth” a router’s communication ports rather than “Close” them.
• If your PC is hit by a virus, Trojan, or other attack, use the procedures and resources described in this article to collect intel about it. And Google it to learn even more. You may find detailed instructions for removing infections yourself. But beware… some instructions may be outdated. And some procedures may be dangerous in the hands of people who’ve never edited a Windows Registry. It’s usually best to call an expert.
• The article explained why IP-mapping sites may get you “near” a hacker’s location but not give an exact fix. It’s actually more complicated still… because hackers have ways to turn unsuspecting users’ PCs into “Web Zombies” or “Bots.” These machines have been invisibly drafted into a hacker’s army to spread infections farther and faster. So when you map a “hacker’s” IP, it might point to a friend, relative, or stranger who doesn’t even know his PC is part of a hacker’s “ring.” And in fact, your own PC could be a hacker’s Zombie right now! Some of the indicators of that include longer boot-up and shut-down times, a reduction in Internet connection speed, the sudden appearance of new desktop icons or toolbars, an unexplained drop in free disk space, unusual browser behaviors, and dramatically reduced system performance. Best defense? Keep your malware scanners updated, and scan often!
• If your research indicates that an attack is fairly new, report it to at least the agencies mentioned above. And if the theft of money or identity is involved, also contact the Federal Trade Commission.
• Go to this interesting site to see how easy it is for anyone to capture your PC’s private IP address (which the site calls its “Internal IP Address”). They use some well-known Java code to sneak past your router and pull this address into their server. As they point out, it’s easily done without alerting you, and other web sites (both evil and legit) can do the same when you open them. Many people claim that this capture is impossible. Obviously, it isn’t. And while it would take some pretty advanced hacking to do great harm through this IP, the above demo shows how easily private data can be obtained without your consent.
• Look for https:// in the URL of any web page where you are entering sensitive personal data. This indicates that the exchange is encrypted for maximum security.
• Always use strong passwords... and preferably, different ones on every site. If a site permits, the password should contain at least 12 letters, numbers, and special characters. This can be a real pain, but if your data or identity are ever hacked, you’ll do it gladly.
• What’s the difference between viruses, Trojans, and worms? Viruses are programs that change the way computers operate, without the knowledge or permission of their users. Viruses usually spread by replicating themselves (much as a biological infections spread). Some also try to damage programs, delete files, or reformat hard disks. Trojans (like the famous horse) try to hide malicious code contained inside. Trojans usually don’t replicate themselves, but instead, launch their internal code to destroy or steal data. Also unlike viruses, Trojans are usually “invited” into PCs… through email attachments or programs downloaded or run over the internet. And worms are like viruses that do not “infect” or “corrupt” files. Instead, worms often exist as macros inside legitimate files (like Word or Excel documents)… and spread by releasing additional copies of these source documents (which in turn contain the worm macros).
• It's well-known that Apple and Linux/Ubuntu computers are more secure from viruses than Windows PCs. But they are not immune! As I was finishing this article, a friend had to take her MacBook Pro to the Apple store for a virus cleanout. So while Apples may be safer, they ARE still at risk.

I sincerely want to thank Peter Engeldrum for his invaluable technical help in testing and fact-checking this article!