How a friend's computer got hacked and hijacked

A friend's system got hijacked by two different hacker groups, who were using the system to distribute files. The hackers also had complete access to all of my friend's files, including financial information such as credit card numbers. I have a grudging admiration for how clearly organized these groups are. <sigh>

I got a phone call which mentioned some problems. After a bit of diagnosing I asked them to reboot. They said they got a message stating that a particular program, iroffer.exe, needed to be cancelled. I was a bit suspicious, so I did a web search on that name.

It turns out they got hacked because of four things, any one of which would have made a difference:

  1. The hardware firewall hadn't been installed on their high-speed connection. They had just moved a month previously and hadn't yet unpacked it. A firewall sitting between the modem and the PC drops the unsolicited inbound connections the recent worms use to spread, so they would never have gotten close to the system. (If you're on a dial-up connection this option usually isn't practical, in which case you really want a software firewall in place.)
  2. They hadn't run Windows Update for the last month, for various reasons. Having the patches installed would have closed the holes the recent worms use, and so stopped them from getting on to the system. (In Windows XP: Start >> Control Panel >> System >> Automatic Updates. At the very least I'd suggest checking "Keep my computer up to date" and "Notify me before downloading any updates and ...". If you're on a high-speed connection you may want the "Download the updates automatically and ..." option.)
  3. The antivirus software update hadn't been run either for the last month, for various reasons. Also, their subscription had expired, which they didn't realize, so no new signatures were being delivered at all. Again, this might have stopped the worms from getting on to the system. (I say might have because the worm might have snuck on before the signatures for it were available for download. However, once the updates had been downloaded, McAfee likely would have halted the system from being hijacked.)
  4. They didn't have a software firewall in place such as Zone Alarm. I take responsibility for this one, as I didn't think it was required with all of the above in place. If the viruses/worms had gotten on to the system, a software firewall that filters outbound connections would have blocked their access to the Internet and prompted the user about it. The exception is if one of the users authorized the program's Internet access without realizing the significance of the program name.

Any one of these, had it been in place, would very likely have stopped the worms and the hijacking of their system.

However, all of these should be in place so that the security is redundant: each layer covers a gap in the others. For example, it may take several days after a new virus comes out before the antivirus signatures for it have been published, and in the meantime your system may already be compromised. That is when the software firewall, which doesn't depend on knowing the virus, can still stop it from reaching the Internet.
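The four layers above are easy to lose track of, which is exactly what happened here. The following script is an added example (not code from the original page) that audits the same four controls on a modern Windows host; it assumes Windows 10/11 or Server 2016+ with the built-in NetSecurity and Defender PowerShell modules, which have no equivalent on the Windows XP, McAfee and Zone Alarm setup the post describes. The hardware firewall can't be inspected from the host, so that check is a heuristic: a publicly routable address sitting directly on a network adapter suggests nothing is in front of the machine. The age thresholds are assumptions, not values from the post.

```powershell
# Added example, not from the original page. Audits the four layers the post says were missing.
# Assumes a modern Windows host with the NetSecurity and Defender modules (Get-NetFirewallProfile,
# Get-NetIPAddress, Get-HotFix, Get-MpComputerStatus). Thresholds below are assumed values.
$MaxPatchAgeDays     = 30   # post: "hadn't run the Windows Update for the last month"
$MaxSignatureAgeDays = 3    # post: stale antivirus signatures / expired subscription
$findings = @()

# 1. Hardware (perimeter) firewall. Heuristic only: an IPv4 address that is not RFC 1918 or
#    link-local sitting directly on an adapter means the PC is probably exposed with no router/NAT in front.
foreach ($ip in Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -notlike '127.*' }) {
    $a = $ip.IPAddress
    $private = ($a -like '10.*') -or ($a -like '192.168.*') -or ($a -like '169.254.*') -or
               ($a -match '^172\.(1[6-9]|2\d|3[01])\.')
    if (-not $private) {
        $findings += "Adapter '$($ip.InterfaceAlias)' has public address $a; nothing appears to be in front of this host"
    }
}

# 2. Patch age: the most recently installed hotfix should be within the threshold.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $findings += "No hotfix install dates recorded; cannot confirm updates are being applied"
} elseif ($lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += "Last hotfix $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days"
}

# 3. Antivirus engine running and signatures fresh. An expired subscription shows up here as
#    signatures that stop getting newer.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled) {
    $findings += "Antivirus engine is disabled"
} elseif ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Antivirus signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
}

# 4. Software (host) firewall per profile. Outbound filtering is the part that would have stopped
#    an already-installed program from reaching the Internet, so check it separately from "enabled".
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) {
        $findings += "Firewall profile '$($p.Name)' is disabled"
    } elseif ($p.DefaultOutboundAction -ne 'Block') {
        $findings += "Firewall profile '$($p.Name)' allows outbound connections by default (DefaultOutboundAction=$($p.DefaultOutboundAction)); a new program can reach the Internet without prompting"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All four layers appear to be in place"
}
```

Run it in an elevated PowerShell session, since Get-NetFirewallProfile and Get-MpComputerStatus need administrator rights. Note that Windows' default outbound action is Allow, so the fourth check will warn on most machines; blocking outbound by default and adding rules per program is the equivalent of the Zone Alarm prompt the post describes, and it carries the same caveat: the user still has to say no to an unfamiliar program name.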

McAfee found the following twelve viruses on the system:

Then, when searching the hard drive, I came across the following folders:

Notice how organized the hackers are when it comes to their directories. They use batch files to create the directories in a logical fashion, and they have a directory for speed tests and one for requests.

Part of why I created this page was because the friend stated: "You hear about this happening, but when you try to track down exactly who had the problem you can never find out who it was. It's always 'Oh, I heard it from so and so,' who in turn heard it from so and so, and so forth." Well, now you heard it from me.


