05-08-2012, 17:50
#1
Guerrilla
Join Date: Sep 2007
Location: Nashville
Posts: 310
Chinese Computer Espionage
I was just in China for a week-long business trip. After returning to my hotel from a day in Beijing, I tried to access my in-room safe but my code wouldn't work. (No, I didn't forget or mis-enter the code.) I called hotel management and once the manager came up, he had the safe open in under 20 seconds. I had set things up in the safe so that I would notice if anything had been tampered with. Nothing was missing, but someone had most certainly been through my stuff. Among other items, I had left my laptop and charging cable in the safe and now I am paranoid that a keylogger or other hacking/espionage program has been placed on my computer - especially since now every so often I get a message that says another computer is using my IP address and I am being kicked offline.
How can I determine if there is a "ghost" program on my hard drive that is logging my movements, passwords, etc.?
__________________
"And dying in your beds many years from now, would you be willing to trade all the days from this day to that for one chance, just one chance to come back here and tell our enemies that they may take our lives, but they'll never take our freedom?"- Braveheart
de Oppresso Liber
Posted by olhamada
05-08-2012, 18:58
#2
SF Candidate
Join Date: May 2010
Location: NY
Posts: 56
Just a shot in the dark... but I bet someone on this board is savvy enough with computers.
There's a software package for hacking called "BackTrack" and it's Linux based. You don't have to have your whole computer become a Linux machine, but you (or someone) can download BackTrack to a bootable USB drive.
BackTrack is essentially an extensive collection of hacking tools, but can also be used for evaluating security issues in your own machine.
I'm not savvy enough myself, I'm just a student who took a class on some basics of penetration testing. But if someone had administrative access to your machine they could install a rootkit, which operates at the kernel (very low level) of the operating system. The thing about rootkits is that they operate a lower "level" than firewalls and antivirus software, more or less getting around them. When combined with software like "hacker defender" someone can hide the processes relating to the hack, even from an administrator.
If it's a rootkit, you might use a tool like "Rootkit Revealer" or F-Secure's "Blacklight" which can help you find it.
Keep in mind I don't know enough about comp software, but the short of it is, if you can find someone who knows what I was just talking about then they can prob fix it for you.
Wish I could be more helpful.
- Dan P.
Posted by Groleck
05-09-2012, 01:55
#3
Guerrilla
Join Date: Sep 2007
Location: Nashville
Posts: 310
Quote:
Originally Posted by Dan P
Just a shot in the dark... but I bet someone on this board is savvy enough with computers.
There's a software package for hacking called "BackTrack" and it's Linux based. You don't have to have your whole computer become a Linux machine, but you (or someone) can download BackTrack to a bootable USB drive.
BackTrack is essentially an extensive collection of hacking tools, but can also be used for evaluating security issues in your own machine.
I'm not savvy enough myself, I'm just a student who took a class on some basics of penetration testing. But if someone had administrative access to your machine they could install a rootkit, which operates at the kernel (very low level) of the operating system. The thing about rootkits is that they operate a lower "level" than firewalls and antivirus software, more or less getting around them. When combined with software like "hacker defender" someone can hide the processes relating to the hack, even from an administrator.
If it's a rootkit, you might use a tool like "Rootkit Revealer" or F-Secure's "Blacklight" which can help you find it.
Keep in mind I don't know enough about comp software, but the short of it is, if you can find someone who knows what I was just talking about then they can prob fix it for you.
Wish I could be more helpful.
- Dan P.
Thanks, Dan. I am also no IT expert. I'll give your suggestions a shot prior to wrapping it in det cord.
__________________
"And dying in your beds many years from now, would you be willing to trade all the days from this day to that for one chance, just one chance to come back here and tell our enemies that they may take our lives, but they'll never take our freedom?"- Braveheart
de Oppresso Liber
Posted by olhamada
05-08-2012, 19:10
#4
RIP Quiet Professional
Join Date: Jun 2009
Location: The Ozarks
Posts: 10,072
Quote:
Originally Posted by olhamada
I was just in China for a week-long business trip. After returning to my hotel from a day in Beijing, I tried to access my in-room safe but my code wouldn't work. (No, I didn't forget or mis-enter the code.) I called hotel management and once the manager came up, he had the safe open in under 20 seconds. I had set things up in the safe so that I would notice if anything had been tampered with. Nothing was missing, but someone had most certainly been through my stuff. Among other items, I had left my laptop and charging cable in the safe and now I am paranoid that a keylogger or other hacking/espionage program has been placed on my computer - especially since now every so often I get a message that says another computer is using my IP address and I am being kicked offline.
How can I determine if there is a "ghost" program on my hard drive that is logging my movements, passwords, etc.?
IMO, you're burnt. Get all new stuff.
__________________
"There you go, again." Ronald Reagan
Posted by Dusty
05-09-2012, 07:20
#5
Quiet Professional
Join Date: Aug 2009
Posts: 547
Quote:
Originally Posted by Dusty
IMO, you're burnt. Get all new stuff.
What he just said. The more important thing is what was/is on your laptop that might be compromised, be it company materials or any other personal information? At a minimum, it's a possibility that they just copied your entire hard drive and are sifting through your data. The opposite end of that is that they have indeed installed software on your system and, given that it's most likely state sponsored, detecting it with anything commercially available is not going to work. Don't download anything off of the laptop that you have on the hard drive (documents, Excel sheets, PPT, etc.); hopefully you have backups of your files somewhere separate that you can load on a brand new computer. Treat the laptop and the files on it as suspect and destroy it; that's the only way to be 100% certain.
Posted by Papa Zero Three
05-09-2012, 07:53
#6
Guest
I am by no means a computer expert, but will the drive scrubbers that are commercially available wipe the drive of everything, including any suspect ghost programs? Then you basically start over, loading drivers and your OS and software.
These scrubbers come in and overwrite the data with 1s and 0s, so it would be, I think, like having a brand new computer. I am just not sure how sophisticated these programs are, and if it would take care of suspect software.
05-09-2012, 08:09
#7
Quiet Professional
Join Date: Aug 2004
Location: NorCal
Posts: 15,370
Better change your passwords for all of your accounts ASAP - but don't use that computer to do it.
Richard
__________________
“Sometimes the Bible in the hand of one man is worse than a whisky bottle in the hand of (another)… There are just some kind of men who – who’re so busy worrying about the next world they’ve never learned to live in this one, and you can look down the street and see the results.” - To Kill A Mockingbird (Atticus Finch)
“Almost any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.” - Robert Heinlein
Posted by Richard
05-09-2012, 08:22
#8
Quiet Professional
Join Date: Feb 2008
Location: State of confusion
Posts: 1,575
Also sounds like you have been set up as a "bot". Don't connect to the net until you get this thing scrubbed and re-loaded. Consider everything in there compromised. Commercial companies can do this easily for you.
Posted by JimP
05-08-2012, 20:01
#9
Quiet Professional
Join Date: Feb 2006
Location: Asscrackistan
Posts: 4,289
Quote:
Originally Posted by olhamada
I was just in China for a week-long business trip. After returning to my hotel from a day in Beijing, I tried to access my in-room safe but my code wouldn't work. (No, I didn't forget or mis-enter the code.) I called hotel management and once the manager came up, he had the safe open in under 20 seconds. I had set things up in the safe so that I would notice if anything had been tampered with. Nothing was missing, but someone had most certainly been through my stuff. Among other items, I had left my laptop and charging cable in the safe and now I am paranoid that a keylogger or other hacking/espionage program has been placed on my computer - especially since now every so often I get a message that says another computer is using my IP address and I am being kicked offline.
How can I determine if there is a "ghost" program on my hard drive that is logging my movements, passwords, etc.?
Are you military in any form?
__________________
"Berg Heil"
"History teaches that when you become indifferent and lose the will to fight someone who has the will to fight will take over."
COLONEL BULL SIMONS
"Intelligence failures are failures of command [just] as operations failures are command failures."
Posted by MtnGoat
05-09-2012, 01:52
#10
Guerrilla
Join Date: Sep 2007
Location: Nashville
Posts: 310
Quote:
Originally Posted by MtnGoat
Are you military in any form?
I know - it was stupid and naive - and I knew better. Baaaad decision, MtnGoat. (Sorry, couldn't resist.)
I'll take my licks. But I'm also looking for assistance. I think Dusty's right - may need to scrap and start over.
__________________
"And dying in your beds many years from now, would you be willing to trade all the days from this day to that for one chance, just one chance to come back here and tell our enemies that they may take our lives, but they'll never take our freedom?"- Braveheart
de Oppresso Liber
Last edited by olhamada; 05-09-2012 at 02:38.
Posted by olhamada
05-09-2012, 10:24
#11
Guerrilla
Join Date: Nov 2010
Location: CONUS
Posts: 403
Quote:
Originally Posted by olhamada
I was just in China for a week-long business trip. After returning to my hotel from a day in Beijing, I tried to access my in-room safe but my code wouldn't work. (No, I didn't forget or mis-enter the code.) I called hotel management and once the manager came up, he had the safe open in under 20 seconds. I had set things up in the safe so that I would notice if anything had been tampered with. Nothing was missing, but someone had most certainly been through my stuff. Among other items, I had left my laptop and charging cable in the safe and now I am paranoid that a keylogger or other hacking/espionage program has been placed on my computer - especially since now every so often I get a message that says another computer is using my IP address and I am being kicked offline.
How can I determine if there is a "ghost" program on my hard drive that is logging my movements, passwords, etc.?
Please send me a PM with further details of the event when you have a moment. I can help you, but you now have a great deal of other problems that need to be addressed on a different level. This is a very serious issue, not meant to be discussed openly.
Posted by 35NCO
05-09-2012, 10:56
#12
Guerrilla Chief
Join Date: Feb 2012
Location: TN/NC
Posts: 604
Quote:
Originally Posted by 35NCO
Please send me a PM with further details of the event when you have a moment. I can help you, but you now have a great deal of other problems that need to be addressed on a different level. This is a very serious issue, not meant to be discussed openly.
I agree with 35NCO - and all others saying to get new stuff. Definitely do not access any networks with it and do not log into ANY sites with it. Keyloggers are tough as nails to detect. The ones we use mask their presence within the system's registry and will not show up in task mgr or as a running Windows system service (assuming you're running Windows and not a variant of Linux or some other system).
A new PC is in order for you and if you need further help, please don't hesitate PM'g me, either. And for the love of God, do not simply back up your hard drive and restore your files to a new machine. A decent programmer will spoof several commonly accessed files and let the logger hide in plain sight.
__________________
"Don't tell me what a good man should be. Don't tell me about his character or what should be in his heart - show me. And then show me again when I'm no longer here because I'll be watching." - my grandfather
Posted by DIYPatriot
05-09-2012, 13:26
#13
Guerrilla Chief
Join Date: Jun 2011
Location: NYC Area
Posts: 828
olhamada,
While I am not an expert, I do know a thing or two. QP Dusty and other posters are indeed correct: if you suspect compromise, the best thing is to rebuild or replace the machine. Your best move right now would be to replace your machine outright and allow the drive of this one to be forensically examined. DO NOT power the machine on, or connect it to any networks. Once the drive has been copied by an analyst, use a bootable Linux CD/flash drive (BackTrack was mentioned by a previous poster and is an excellent choice for this) to recover your files. If you do plan on re-using the drive, make sure you use DBAN or the Linux 'dd' utility to overwrite the entire drive, as many modern rootkits hook the MBR (Master Boot Record) and will NOT be removed with a simple format. MOO: they were probably more interested in what was on your machine than in what you plan to do with your machine later on; I suspect they copied your drive.
Modern keyloggers and/or backdoors/remote access tools can be hardware or software and, depending on design, can be almost impossible to detect. Hardware does not fare as well with regards to detection, as someone with a decent knowledge of computer hardware who knows where to look can detect it; software, on the other hand, comes in many forms and can be almost impossible to detect. Depending on design, if the tool used is based off of the TDL/TDSS rootkit family (as most modern crimeware is), then most A/V packages can detect and possibly remove such malware; custom code, on the other hand, is very difficult to detect and remove. Depending on how "good" they were/are, they may have left behind some clues in system logs and the file system journal/MFT.
IMHO: With regards to information warfare China is absolutely hostile territory for any US traveler, especially those with government ties and/or on government business. Consider some basic defenses when leaving your laptop secured but unattended:
a) Encryption - generally mandated by most private and government policy, this will make it far more difficult for an adversary to install malware and/or copy your data.
b) File integrity monitoring software, i.e. OSSEC HIDS, will alert you to changes in critical system files as well as new files in odd places.
c) Basic fieldcraft - hair/thread in the right place(s) can easily tip you off to compromise
d) Non-persistent operating system environments - I have an acquaintance in the semiconductor industry who regularly travels to China. He takes a designated laptop and uses a bootable flash drive with a portable Linux distribution to do his work; the flash drive stays on his person at all times.
My .002, FWIW...
__________________
"Crime is an extension of business through illegal means, politics is an extension of crime through *legal* means."
Last edited by BOfH; 05-09-2012 at 13:28.
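One way to do the file-integrity check BOfH's point (b) describes, as an added example that is not from the thread, from OSSEC or from any other product: hash every file under a directory before travel, keep that baseline off the machine, and diff against a fresh snapshot afterwards to surface changed, missing and newly appeared files. The function names and the sample directory it builds are constructed for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large files never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest and size."""
    base = Path(root)
    baseline = {}
    for p in sorted(base.rglob("*")):
        if p.is_file() and not p.is_symlink():  # skip symlinks: they can point anywhere
            rel = p.relative_to(base).as_posix()
            baseline[rel] = {"sha256": _sha256(p), "size": p.stat().st_size}
    return baseline

def compare_baselines(old: dict, new: dict) -> dict:
    """List files added, removed, or whose content hash changed since the baseline."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys
                           if old[k]["sha256"] != new[k]["sha256"]),
    }

def save_baseline(baseline: dict, path: str) -> None:
    """Write the baseline as JSON. Keep this copy off the monitored machine (e.g. on a
    USB stick you carry); a baseline stored on the box can simply be rewritten to match."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)

def demo() -> dict:
    """Constructed scenario: snapshot a tree, simulate tampering, then diff."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "etc").mkdir()
        (Path(d) / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (Path(d) / "notes.txt").write_text("trip notes\n")
        before = build_baseline(d)
        (Path(d) / "etc" / "hosts").write_text("127.0.0.1 localhost\n# edited\n")  # modified
        (Path(d) / "etc" / "unexpected.conf").write_text("x\n")  # new file in an odd place
        (Path(d) / "notes.txt").unlink()  # removed
        return compare_baselines(before, build_baseline(d))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline from a clean boot medium rather than the installed OS where possible; a kernel-level rootkit can lie to any hashing tool that runs on top of it.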
Posted by BOfH
05-09-2012, 14:36
#14
Guerrilla
Join Date: Mar 2005
Location: Virginia
Posts: 377
Quote:
Originally Posted by BOfH
olhamada,
d) Non-persistent operating system environments - I have an acquaintance in the semiconductor industry who regularly travels to China. He takes a designated laptop and uses a bootable flash drive with a portable Linux distribution to do his work; the flash drive stays on his person at all times.
My .002, FWIW...
That is an excellent idea. Simple, yet extremely effective.
__________________
Ut Prosim
Posted by booker
05-09-2012, 15:07
#15
Guerrilla Chief
Join Date: Jun 2011
Location: NYC Area
Posts: 828
Quote:
Originally Posted by booker
That is an excellent idea. Simple, yet extremely effective.
Thanks! I did a similar thing internally at my current employer using Slackware, Live Linux scripts and net PCs (Asus/Foxconn) for thin-client use.
__________________
"Crime is an extension of business through illegal means, politics is an extension of crime through *legal* means."
Posted by BOfH
All times are GMT -6.