Status
Not open for further replies.

Tracking my Computer via Hardware

1K views 14 replies 6 participants last post by  lunarlander 
#1 ·
After disconnecting from the internet, Malwarebytes keeps giving the popup message: malicious website blocked (my browser is still open when this occurs).

It states: outbound, port number, IP address, process: c:/users/computer name/desktop/name of browser browser (i.e. firefox browser)/the word "browser"/name of browser browser (i.e. firefox browser)/firefox/firefox.exe

Is this definitely a RAT?
Thanks
 
#2 ·
It might be anything.
Malwarebytes blocks websites on a large range of criteria.
Some include: contains malware, phishing, adware, scams.
Your situation does not suggest a RAT (Remote Access Trojan).
MBAM blocks browser access, and even if you disconnect the internet, if the browser is still open and on the webpage, MBAM will continue to block until you close the browser.
 
#4 · (Edited)
Can a live CD get a RAT on it?

If so, I recall hearing something about just restarting the computer and it is gone? If I open an email with an auto-execute RAT in it, and it downloads onto the CD, what do I need to do? Use a fresh Linux live CD? Something else?

I heard that if the RAT cannot reach the hard drive, it cannot do anything (other than if someone puts it in the BIOS). So why doesn't everyone use a live CD if a RAT would be ineffective? My guess is that a RAT would be effective on a live CD. As you can see, I am new with live CDs, but want something that will protect me from RATs.

What's the best live CD to use? I'm looking for the best protection first, followed by easiest to use.

Sidenote: Do I have to be using an Ethernet connection to use a live CD to access the internet?

I am trying to prevent someone from getting onto my computer. They have done this by sending me emails that auto-execute and possibly sniffing packets, etc. I use the Tor network when I can and other times a VPN.

Thanks
 
#6 ·
Is there anything (i.e. hardware) on my computer that would allow someone who had previously gotten onto it via a RAT to track my computer and see exactly where it is, as far as location goes, AFTER I wipe the drive and the RAT is definitely gone? So if they put something on software/program-wise, that is definitely gone and does not apply to my question as far as using that to track my computer.
Thanks.
 
#7 ·
If you have formatted your hard drive(s) and have a fresh install of Windows, a decent firewall and antivirus/antimalware, then you should be OK. Note that I did say hard drive(s): if the RAT was installed on another drive other than your primary C:\ then in theory it can still be active if you didn't format those drives too.

I use the following:

ZoneAlarm Pro (paid-for firewall)
AVG Internet Security (paid for)
Malwarebytes (free)
SuperAntiSpyware (free)
Spybot Search & Destroy (free)
CCleaner (free)
Adw (free)
Junkware Removal Tool (free)

Machine is nice and clean.
 
#9 ·
I heard that you can check the live CD to see if there is a RAT on it. How do you do this using an Ubuntu live CD without installing it? I have a Windows 10 OS as the host. I would rather not put all of the computer's info here, thanks. Even if you can point me to an article that shows me how, as I have not found one on the web yet.
Thanks again!
 
#11 · (Edited by Moderator)
Is there anything (i.e. hardware) on my computer that would allow someone who had previously gotten onto it via a RAT to track my computer and see exactly where it is as far as location goes
I don't think there is any kind of hardware that an attacker can place into your computer without physically touching your box. And you can always open your box and everything will be there before your eyes. Don't forget to check the back of the box, where you plug in your keyboard, because hardware keystroke recorders are installed there.

But there are other ways of doing 'persistence'. One way is to modify your saved program installers. Installers can be modified to install anything the attacker wishes, without you noticing anything. When you copy that installer to a backup, then it could live on, so to speak, and re-appear on the new Windows when you run that installer. So the best bet would be to either download fresh from the web when you re-install Windows, or make the backup as soon as you download it.

So why doesn't everyone use a livecd if a RAT would be ineffective.
A LiveCD is not usually used because people can't save things. It is true that using a LiveCD one can still mount a USB memory stick and store things there, but people are lazy, and convenience wins. As for LiveCDs harboring RATs, you have to trust the web site in question to maintain security. If the Ubuntu site was hacked, then the attacker can modify their LiveCD image, which would be very bad. But note, other than that method, there is no way a RAT can modify a CD. Once a CD is burned, it is essentially sealed, unless it is the re-writeable kind. But I don't think they sell CD-ReWritables nowadays because blank CDs and DVDs are so cheap, it doesn't make sense to spend more to buy a re-writable.

I think your best option moving forward is to secure your newly re-installed Windows. (If you don't trust it, then re-install again; Windows 10 only takes about 20 mins to install.) Then you want to 'harden' it. First, Google for 'harden Windows <Your-version-number>' and you will get guides on how to do that. Download and save the HTML, re-install Windows, and then do the hardening offline using the saved HTML document. Hardening aims to practice the Least Privilege principle so that the user only activates the features and things he needs, so that vulnerable network-facing programs and services are not activated. This ties into minimizing your attack surface, so that a RAT cannot get in, in the first place.
 
#12 · (Edited)
Thanks everyone, especially LL.

I understand your point about hardening Windows and about people saying not to go to certain websites, etc. But this is the problem with hardening Windows. Someone who is refined at hacking/RAT placement is still doing it successfully.
One way is through spoofing an email address, sending that email to me with a RAT that auto-executes. Also, they may be picking up some kind of signal from my computer (i.e. MAC address, sniffing packets, etc.) that is allowing them to get my real IP address. I think the latter is happening.

LL - you stated........other than that method, there is no way a RAT can modify a CD.
Are you saying that if Ed Snowden had the most sophisticated RAT on earth he couldn't send a RAT to me that could write to my live CD that is NOT a RW CD? I am not being sarcastic LL, truly, I just want to be sure I completely understand you. Thanks.

I need to be able to use my computer and not have a RAT get on my computer. If I open an email with an auto-execute RAT in my hardened Windows OS, or someone sends me one via my IP or other unique identifier, I don't see any way that Windows will block it, though "possibly" a good firewall will...maybe.

So if it is "impossible" for a RAT to get on my computer when I am using a Linux live CD, then I am happy to use a live CD. I don't need to save anything to the computer - I never do. So far this is the only option I see. If my host OS is Windows (I am guessing that with a live CD I must have a host ????) - how can I shut that off from the internet (or at least not turn it on) so that it cannot be targeted instead of the live CD, even though I booted up via the live CD? I realize this may be a moot point if I booted from the live CD, but I don't really know.

Are any of the live CDs (Ubuntu, Debian, etc.) better than any other as far as protection, or is that another moot point?

So...do you think Ed Snowden could get a RAT on my live CD? I am totally being serious by asking this (sorry for repeating myself). I just like to understand for certain, even if there are no certainties, as I'll bet someone will write here :)

One important thing I forgot to mention ......... besides them possibly getting on my computer via auto-execute email, and IP/MAC address unique identifiers, they also know exactly what computer make, model, etc. I use because they have gotten on before. I think they are getting through this way, quite possibly. I do updates with Secunia PSI and it shows no threats, as I check it daily. Thanks.

Thanks LL (anyone who contributes)!!
PS: I have had RATs get on before - no doubt.
 
#14 ·
For ultimate safety use a live version of Linux that runs in RAM; then when you switch the computer off everything you did disappears. So no passwords etc. get stored on the computer's hard drive.

However, like I said before and you ignored, do you have any real evidence you were ever hacked? If you do, what is it? Also, exactly how do you know 'they' had your MAC address?
 
#15 · (Edited by Moderator)
Hi ttech,

Several things you can do:

1) Monitor your Event Viewer for Application Error (eventID 1000) and Application Hang (eventID 1002) messages.
2) Check for software updates religiously. See FileHippo App Manager (http://filehippo.com/download_app_manager/ )
3) Check Sysinternals Autoruns for new auto-starts regularly.

You are mystifying what hackers do. Attackers go after vulnerabilities in network-facing programs. It is always a vulnerability, and they have an exploit for it, which allows them to execute their code. Having your IP alone does not mean they can attack; they always need a security vulnerability in a network-facing program, like Firefox, Flash, or some other. Vulnerabilities get fixed, intentionally or not, with new updates. If you suspect for example that you got attacked while using Firefox, then see if they have an update. If not, then on your next install of Windows, use Chrome. Then a future version of Chrome will have a vulnerability in it, and so you will have to switch again. So the game continues.

If the RAT runs only in memory, then there is nothing you can or need to do except reboot the PC. I believe most attacks write to the disk, saving a program. Then it executes it to install the RAT. This can be stopped by anti-executables. This class of protection stops the execution of any program unless it is clicked on by you. Also they construct a whitelist of what was on your PC during install, and only those on the whitelist are allowed to execute. Of course you should thus only install this after a fresh install of Windows. This class of protection does not rely on virus signatures: if you clicked on a program then it runs, if you didn't then it is blocked. It's that simple. There are several of these: Anti-Executable by Faronics, NoVirusThanks by novirusthanks.org, AppGuard by appguardus.com, and VoodooShield by voodooshield.com.
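Steps 1 and 3 of the list in this post, as an added PowerShell script that is not from this thread or any of its posters: it pulls the last week's Application Error (1000) and Application Hang (1002) events grouped by application, and diffs the Run/RunOnce autostart keys (a small slice of what Autoruns enumerates) against a baseline saved right after a fresh install. The baseline file path is an assumed placeholder.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+, read access to
# the Application log, and a baseline path of my choosing (placeholder, change it).
$BaselinePath = "$env:USERPROFILE\autostart-baseline.json"
function Get-RecentAppCrashes {
    param([int]$Days = 7)
    # 1000 = Application Error, 1002 = Application Hang; Properties[0] is the app name.
    $filter = @{ LogName = 'Application'; Id = 1000, 1002; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ App = $_.Properties[0].Value; EventId = $_.Id } } |
        Group-Object App | Sort-Object Count -Descending | Select-Object Count, Name
}

function Get-AutostartSnapshot {
    # A subset of what Autoruns lists: per-machine and per-user Run/RunOnce keys.
    $snapshot = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($name in 'Run', 'RunOnce') {
            $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... metadata PowerShell attaches.
                if ($p.Name -notlike 'PS*') { $snapshot["$key\$($p.Name)"] = [string]$p.Value }
            }
        }
    }
    return $snapshot
}

function Compare-Autostarts {
    # First run (ideally right after a fresh install) writes the baseline; later runs diff it.
    $current = Get-AutostartSnapshot
    if (-not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        return "Baseline written to $BaselinePath"
    }
    $baseline = @{}
    foreach ($p in (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = $p.Value
    }
    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k))     { "NEW:     $k -> $($current[$k])" }
        elseif ($baseline[$k] -ne $current[$k]) { "CHANGED: $k -> $($current[$k])" }
    }
    foreach ($k in $baseline.Keys) {
        if (-not $current.ContainsKey($k)) { "REMOVED: $k" }
    }
}
Get-RecentAppCrashes | Format-Table -AutoSize
Compare-Autostarts
```

A sudden cluster of 1000/1002 events for one browser, or a NEW/CHANGED line for an entry you did not install, is the kind of signal the post above says to watch for; it is a prompt to investigate, not proof of compromise.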
 