Compromised Computer

[cmhbob]

The bad guys have compromised two laptops, owned by my main character and his daughter. The question is, what can they do with them, and how (on a higher level) do they do it?

Danny (main character) received a thumb drive in the mail. I can make that any size needed. His wife tried to open the files on both his laptop and his daughter's, triggering whatever needs to happen. Right now I've written that all she saw was

[FONT=&quot]"I tried looking at the flash drive, but we think it's been corrupted."[/FONT]
[FONT=&quot]I raised an eyebrow since my mouth was full of chicken. [/FONT]
[FONT=&quot]"Every time we tried to read it, we'd get a pop-up about needing to format the drive because Windows couldn't read it. Tired three or four times on both yours and Dani's laptops. No luck."[/FONT]

What I want to happen is that the bad guys have access to whatever Danny happens to be viewing online, like they can see his searches, read emails (possibly), and be able to activate the webcam and microphone. Assume a Windows 7 Home Premium laptop of average specs for the time. Danny is computer literate, but somewhat lazy about keeping things updated that don't update automatically.

1. This stuff was all doable in 2011, correct? I can't imagine that there have been that many technical advances in viruses in three years.
2. Reading the emails isn't critical, but I assume it was possible and might be handy. What's the easiest way for the bad guys to do that? Key-logging, or just sent a copy of the email to another address? How would they read inbound mail?
3. How is the information packaged and sent to the bad guys? Would it have been possible to do it almost real-time in 2011? Assume the good guys live in San Diego/Chula Vista area, so they have cable internet.
4. They don't want to communicate with the webcam, but rather use it for surveillance, to see/hear what's going on in Danny's house. I know monitoring software can remotely activate cameras, but how is that data delivered to the person monitoring the system? Is that delivery typically invisible to the user?

Thanks for the help!

 

[King Neptune]

There's plenty of software out there for doing exactly what you say. I just typed "remotely monitor computer" in google, and this was one of the top results. I didn't look at the details, but it appers to give someone access to see anything on a computer.

http://www.sniperspy.com/

There are other system administration programs that allow one to observe everything without detection. Network administrators often use such software remotely to do something to a system. People update software while they are at home having a party, just looking at the progress from time to time. Generally the programs would use IP or communications.

 

[Dennis E. Taylor]

A lot depends on how sophisticated your protagonist is. But assuming he's been using a freeware security app (because he's a cheapskate) or none (because he's seriously naïve), then a thumbdrive can easily infect a computer just by being plugged into the USB port. Once it's in there, malware can basically send a copy of every network stream somewhere else. So every email that comes into your computer or goes out of your computer, every web page access, every response on a web form, gets sent to whoever is monitoring. Unless you're streaming video or something, cable internet is more than fast enough so you wouldn't even notice. And yes, keystroke logging, screen scraping, and webcam hijacking as well.

 

[cmhbob]

I'm wanting the install of the software/virus to be invisible to his wife. Angry Guy, does the code basically point the stream to an IP address? Not really important to the story, but I want to understand. It's basically done realtime, rather than batched at night, for instance.

 

[badwolf.usmc]

A common virus like that would point to an IP address. Often, unless there is a good network connection, instead of viewing what is going on the screen, the virus will be a key logger that will record what keys are pressed. It can send the info realtime, or cache it if there is no network connection to await a connection.

In 2011, Windows XP and Windows 7 are the big operating systems in production, and they both behave very differently. While I'm sure a virus could get past the security of Windows XP with a thumb drive, Windows 7 is much more difficult since it would restrict Root access to a much greater degree.

 

[Dennis E. Taylor]

A lot of places probably still had Vista as well.

But yeah, Vista or Win7 will come up with the admin prompt if you are a limited user. I can't remember if that comes up if you are created as an admin. I suspect not.

Anyway, at the place I worked back then, we got a virus from someone using a thumbdrive that had been infected. The virus got everywhere and we had to stamp it out one computer at a time. We'd been using Microsoft's free "Security Essentials" package (which IMO is worth every penny) and the computer didn't even bleep. We switched to Norton soon after.

The virus installs itself in the boot sector of the thumbdrive, which the o/s executes automatically when you insert it into a port. You wouldn't see anything.

And yeah, IP address is more likely, and it could be realtime or batched (although if it's monitoring network traffic, the record file would get very big very fast)

 

[Casey Karp]

You might want to take a look at this Mother Jones article from earlier this year: http://www.motherjones.com/politics/2014/05/blackshades-malware-remote-access-webcam-fbi regarding remote access/computer takeover software that's been on the market since at least 2010.

That article references an earlier Ars Technica piece that looks at several similar sets of software and the culture around it: http://arstechnica.com/tech-policy/...e-men-who-spy-on-women-through-their-webcams/

Looks to me like everything you're asking about doing is completely possible, including the silent install.

 

[cmhbob]

Excellent, Casey. Thanks so much for that.

 

[badwolf.usmc]

A lot of places probably still had Vista as well.

But yeah, Vista or Win7 will come up with the admin prompt if you are a limited user. I can't remember if that comes up if you are created as an admin. I suspect not.

Anyway, at the place I worked back then, we got a virus from someone using a thumbdrive that had been infected. The virus got everywhere and we had to stamp it out one computer at a time. We'd been using Microsoft's free "Security Essentials" package (which IMO is worth every penny) and the computer didn't even bleep. We switched to Norton soon after.

The virus installs itself in the boot sector of the thumbdrive, which the o/s executes automatically when you insert it into a port. You wouldn't see anything.

And yeah, IP address is more likely, and it could be realtime or batched (although if it's monitoring network traffic, the record file would get very big very fast)

Yea, as an admin you still get the prompt, at least in Win 7. It takes a little work to disable it.

I had the opposite experience with Security Essentials. We switched to it after Norton allowed several computers to become infected. While it isn't perfect, we had a robust firewall which monitored all network traffic. I still use MSE on my personal computers to this day and haven't had any issues.

 

[Maxx B]

Yep all of this is possible. I would not point it to an IP address, as if it was compromised, you would lose control. I'd have the software point to a random domain name, then the DNS could be redirected if need be. If you were certain that the victim has no idea what is going on with their computer, you could even have the PCs acting as web servers with a dynamic DNS setup. The antagonist could then log in from any random location and not leave a trail back to his / her computer or it's IP address.

In this day and age would anyone trust a thumb drive turning up in the post? Is this part of the plot? I'd rather go with a web based attack. One that could work is the fake call from Microsoft, the caller says they are calling about a security error that was sent from their computer.
This type of scam is real and not only do they infect your computer, they take the opportunity to rip off your credit card as they take a small payment, to fix the problem.

If the antagonist knows a little bit of info about the victim, the call could be made more real, the caller can give address details etc to add legitimacy. Once the wife thinks its real, they would ask her to go to a web site and either initiate a remote session, where they 'fix' her computer, whilst installing their own spy software or get her to download a fake hotfix.

The other one would be to use phishing to lure her into an infected web site that would install the software. Maybe some special offer codes for a store she likes might work to lure her to a compromised or fake website.

If the antagonist can get close to the house and has the skills, he/she could attach to their network via their wi-fi and install the software that way.

The level of sophistication of the attack all depends on the skills of your antagonist. Although the security of Windows 7 out of the box is improved, it's still relatively easy to hack when you know what you are doing.

Hope this helps or gives you ideas