The Student, the Teacher, and Optix Pro (Part 3)

If you missed the other articles in this series please read:

In part two we left off where John had actively connected to the professor’s computer in his search for the upcoming math exam. John now used one of the features of the trojan, which was the ability to list the drives on the destination computer. This was done with the trojan client on his laptop. We can see from the packet below that John successfully retrieved a drive list:

05/13-13:47:20.863584 0:D0:59:1C:75:30 -> 0:D0:59:2B:77:EE type:0x800 len:0x64 192.168.1.101:3410 -> 192.168.1.103:1061 TCP TTL:128 TOS:0x0 ID:3686 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0x7A6773AA  Ack: 0x4B3A4E57  Win: 0xFFE8  TcpLen: 20

0x0000: 00D0 592B 77EE 00D0 591C 7530 0800 4500  ..Y+w...Y.u0..E.
0x0010: 0056 0E66 4000 8006 681F C0A8 0165 C0A8  .V.f@...h....e..
0x0020: 0167 0D52 0425 7A67 73AA 4B3A 4E57 5018  .g.R.%zgs.K:NWP.
0x0030: FFE8 DC79 0000 3030 32AC 413A 5C20 2D20  ...y..002.A:\ - 
0x0040: 5265 6D6F 7661 626C 65AC 433A 5C20 2D20  Removable.C:\ - 
0x0050: 4669 7865 64AC 443A 5C20 2D20 4344 2D52  Fixed.D:\ - CD-R
0x0060: 4F 4D 0D 0A                              OM..
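The drive-list reply above is worth decoding properly, because the shape of the payload (a three-digit reply code, fields separated by the byte 0xAC, a CRLF terminator) is what a network detection can key on, not just the port number. The following Python is an added example and not code from the article: it rebuilds the frame from the page's own hex dump, strips the Ethernet, IPv4 and TCP headers, parses the Optix Pro reply, and applies a simple suspect-traffic heuristic. The field-separator and reply-code layout are read off this one packet and assumed to hold for other replies.

```python
import re

# Hex-dump lines copied from the page's first Optix Pro response (drive list).
# The trailing ASCII column is omitted so that only the raw bytes remain.
DRIVE_LIST_DUMP = """
0x0000: 00D0 592B 77EE 00D0 591C 7530 0800 4500
0x0010: 0056 0E66 4000 8006 681F C0A8 0165 C0A8
0x0020: 0167 0D52 0425 7A67 73AA 4B3A 4E57 5018
0x0030: FFE8 DC79 0000 3030 32AC 413A 5C20 2D20
0x0040: 5265 6D6F 7661 626C 65AC 433A 5C20 2D20
0x0050: 4669 7865 64AC 443A 5C20 2D20 4344 2D52
0x0060: 4F 4D 0D 0A
"""

ETH_LEN = 14                 # Ethernet II header, no VLAN tag
OPTIX_DEFAULT_PORT = 3410    # default server port named in the article
OPTIX_FIELD_SEP = 0xAC       # field separator observed in the reply (assumption)


def frame_from_dump(dump):
    """Turn Snort-style 'offset: hex hex ...' lines back into the raw frame."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        _, hexpart = line.split(":", 1)
        raw += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(raw)


def tcp_payload(frame):
    """Strip Ethernet, IPv4 and TCP headers; return (src_port, dst_port, payload)."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = ETH_LEN + ihl
    src_port = int.from_bytes(frame[tcp:tcp + 2], "big")
    dst_port = int.from_bytes(frame[tcp + 2:tcp + 4], "big")
    data_off = (frame[tcp + 12] >> 4) * 4       # TCP header length in bytes
    return src_port, dst_port, frame[tcp + data_off:]


def parse_optix_reply(payload):
    """Reply format as seen on the page: 3-digit code, 0xAC-separated fields, CRLF."""
    body = payload.rstrip(b"\r\n")
    code, *fields = body.split(bytes([OPTIX_FIELD_SEP]))
    return code.decode("ascii"), [f.decode("latin-1") for f in fields]


def is_suspect(src_port, dst_port, payload):
    """Heuristic an IDS rule could encode: default Optix port plus a reply-shaped payload."""
    on_port = OPTIX_DEFAULT_PORT in (src_port, dst_port)
    return on_port and re.match(rb"^\d{3}\xAC", payload) is not None
```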

John at this point had a list of everything on the professor’s hard drive at his fingertips. All he had to do was a little browsing to find the object of all his attention: the math exam. Without too much searching he navigated to the computer’s desktop:

05/13-13:47:41.144444 0:D0:59:2B:77:EE -> 0:D0:59:1C:75:30 type:0x800 len:0x6C 192.168.1.103:1061 -> 192.168.1.101:3410 TCP TTL:128 TOS:0x0 ID:1378 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0x4B3A4EAE  Ack: 0x7A6775CF  Win: 0xFC42  TcpLen: 20

0x0000: 00D0 591C 7530 00D0 592B 77EE 0800 4500  ..Y.u0..Y+w...E.
0x0010: 005E 0562 4000 8006 711B C0A8 0167 C0A8  .^.b@...q....g..
0x0020: 0165 0425 0D52 4B3A 4EAE 7A67 75CF 5018  .e.%.RK:N.zgu.P.
0x0030: FC42 D358 0000 3030 33AC 433A 5C44 6F63  .B.X..003.C:\Doc
0x0040: 756D 656E 7473 2061 6E64 2053 6574 7469  uments and Setti
0x0050: 6E67 735C 4164 6D69 6E69 7374 7261 746F  ngs\Administrato
0x0060: 72 5C 44 65 73 6B 74 6F 70 5C 0D 0A      r\Desktop\..

Ahoy math exam!

Huzzah! John has found the math exam! He was quite giddy with the excitement of it all now. It was in a folder on the desktop. How very convenient, John thought. This was going far easier than he had expected. Now he downloaded it:

05/13-13:49:57.747314 0:D0:59:1C:75:30 -> 0:D0:59:2B:77:EE type:0x800 len:0xBA 192.168.1.101:501 -> 192.168.1.103:1073 TCP TTL:128 TOS:0x0 ID:3704 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0xBC7FE4FE  Ack: 0x8D56BC8A  Win: 0xFF9F  TcpLen: 20

0x0000: 00D0 592B 77EE 00D0 591C 7530 0800 4500  ..Y+w...Y.u0..E.
0x0010: 00AC 0E78 4000 8006 67B7 C0A8 0165 C0A8  ...x@...g....e..
0x0020: 0167 01F5 0431 BC7F E4FE 8D56 BC8A 5018  .g...1.....V..P.
0x0030: FF9F 14FA 0000 5468 6973 2069 7320 7468  ......This is th
0x0040: 6520 6669 6374 696F 6E61 6C20 6D61 7468  e fictional math
0x0050: 2065 7861 6D20 7468 6174 204A 6F68 6E20   exam that John
0x0060: 7761 6E74 6564 2074 6F20 7374 6561 6C0D  wanted to steal.
0x0070: 0A73 6F20 6865 2063 6F75 6C64 206D 616B  .so he could mak
0x0080: 6520 7375 7265 2068 6520 7061 7373 6564  e sure he passed
0x0090: 2E20 4E6F 7420 776F 7274 6820 6974 2061  . Not worth it a
0x00A0: 7420 616C 6C2E 2053 6864 756C 640D 0A6F  t all. Should..o
0x00B0: 6620 7374 7564 6965 6421                 f studied!

Well as the packet says, he really should have studied instead of breaking into someone else’s computer. That is a criminal offence in almost every country that I know of. Certainly the college would take a dim view of it, were they to find out. John however was all finished with the professor’s computer, and disconnected from the trojan server. He finished out the math class in a state of half sleep, and then went home.

Something isn’t quite as it should be

The professor wrapped up his class, and then answered a few questions from the students before heading back to his office. He grabbed a seat, and brought up his email client to check his mail. As expected, the document his colleague had sent had arrived. He clicked on the attachment and saved it to his desktop. From there he tried to get the anti-virus program to scan it. Odd, he thought; the program did not seem to want to respond. Though he was a math professor, and not a computer one, he had paid attention to the briefing the IT staff had given them all: “Never open up an attachment or document without first scanning it”. Yes, he remembered that clearly. The problem was, though, that he could not get the darn program to work!

Well, life is too short for this, so he simply picked up the phone and called IT support. He was told that a support agent would be down shortly to check out the problem. Once the IT admin arrived he tried the same routine that the professor had, to no avail. A tad mystified, he tried to restart the anti-virus service manually, only to see it go back down a minute or so later. Very odd indeed. The admin next ran netstat to check out the connections, if any, that were presently open.

The admin did not recognize the port number 3410, but it did ring a rather faint bell for him. Everything else there looked normal. Well, off to Google he went for an answer. He put in port 3410 and did not like at all what he saw listed there. The very first hit was for a trojan called Optix Pro, which had a default port setting of 3410. At this point the admin advised his supervisor of what he thought was going on. After discussing the matter for a while they decided to let the trojan, or suspected trojan, stay in place. The professor did not have anything overly personal on the hard drive, and the IT supervisor wanted to catch the person, if possible, while in the act of trespassing on the professor’s computer.

Nothing else happened for the remainder of the day, and the IT supervisor decided to let things ride as they were for one more day. After that the machine would be formatted, and have everything reinstalled. Well, as luck would have it, our lazy student John had another math class the next day. Once John strolled into class he decided to connect once again to the professor’s computer and check to see if the exam had changed. That was to be his final mistake. The IT staff were monitoring the computer, and immediately saw the connection. Luckily for them they recognized the IP address as being an internal one. Best of all, it was one that was assigned to the math classroom! Oh baby! This was going to be sweet. The IT admin called in his supervisor and told him what was going on. They then consulted the classroom diagram to see where the IP belonged. With that in hand they called in the student dean, and walked into the classroom.

John was rather surprised to see the IT supervisor, student dean, and IT admin walk into class. What the heck were they doing here? They then all turned and looked at him. He had a sinking feeling in his stomach about what they were here for. They walked up and seized his computer, and walked him out of class and into the Dean’s office. John quickly confessed once confronted with the evidence. The Dean, not being impressed with this turn of events, informed John that he did not have to worry about the math exam anymore, as he was expelled from the college. “Should have studied” seemed of rather little comfort to John.

The IT supervisor now had the ammunition in hand to hopefully end the open door policy at the college. He also now wanted to install some intrusion detection systems on each departmental switch to hopefully avoid another episode like this. It would have been caught a fair sight quicker had there been some in place. Well, there was one thing that had worked well, the IT supervisor thought in retrospect: the math professor did as he was advised to do. He saw something odd, and followed established procedure. This is what foiled John’s plans of stealing the math exam and not having to write it. All in all, not a bad couple of days, but the network needed some tightening up.

Conclusion

This was of course a fictional account, but this type of event has occurred many times in the academic environment. Not only that, but it has also affected home computer users, and ultimately their bank accounts. Organized crime is quickly seeing the benefits of trojans and a little social engineering. There have been quite a few examples of bank customers crying foul upon discovery of their bank accounts missing funds. In each case that I read, after an exhaustive and expensive internal audit by the bank, the breach was found to be on the customer’s computer. It was a trojan with a built-in keylogger that was the culprit every time. The lesson to be learned here is to pay attention to your online activities, and to always pay very close attention to attachments that are sent to you. I sincerely hope this article series was of interest to you. Until next time, safe and happy computing!
