Weird events: please advise

Guest
Archived from groups: comp.security.firewalls (More info?)

Hi,

I would be seriously grateful if someone could take a look at this
problem.

A close friend of mine has just taken a job with an IT security
company. A condition of employment is that, unless agreed beforehand,
all work (in or out of hours) becomes the intellectual property of his
new employer. My friend has been working on some potentially valuable
software with me and has no intention of handing it over to his new
boss. He therefore made the required declaration and explained that
this single project, nearly finished, must be agreed as separate from
his new contract with them. Fine, they say. No problem.

Then, on the very first weekend after he started work, his home PC was
hacked. He discovered his scheduler had been altered to run Windows
update every five minutes - and this on his old home PC which runs
Windows 98 and doesn't need an update. Weird stuff was happening.

He got off-line fast. A subsequent check found *34* different spyware
programs on his PC. When he realised he was under attack he tried to
delete the key files but could not do so online. He could only delete
them after he'd pulled the plug on his broadband - i.e. someone else
was already accessing them online.

I pointed out that coincidentally it is also only a week since he got
broadband. I wonder whether his old virus settings/firewall were
simply not good enough for a constant broadband connection with the
extra risks it entails. So maybe that's the deal. After all, people
who work in IT are often the worst at remembering to take precautions.

But he's very, very uncomfortable. Someone at work on Friday told him
"You aren't nearly paranoid enough." Spooky, huh?

What does anyone out there think? Please answer soon, as he is
extremely stressed about the situation and feels he may have to resign
in the next 24 hours if he still feels so paranoid. Who wants to work
with people who basically break into your house? An innocent "Duh"
explanation is what I hope for - but any ideas would be very welcome.

Thank you,

Writehand
 

igor

I noticed the same problem once.

Look in your Task Scheduler; you may have a schedule to run a program every
5 min with a name similar to Live Update in your Windows folder. Remove it.


"Writehand" <sophie.jameson@ntlworld.com> wrote in message
news:q3gpc0lmom9f45sdcligpf8deinpetedvm@4ax.com...
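A way to do the check igor describes mechanically, as an added example that is not from this thread or from any of its posters: a Python script that reads the CSV produced by `schtasks /query /fo CSV /v` on later Windows versions (Windows 98 has no schtasks; there you open the Scheduled Tasks folder and read the jobs by hand) and flags tasks that repeat every few minutes or whose executable name is a near-miss of a legitimate updater. The column names it reads, the updater allow-list and the sample rows are all constructed assumptions, not output from any real machine.

```python
"""Triage scheduled tasks for the pattern igor describes: a job that fires
every few minutes under a name that imitates a legitimate updater.

Input is CSV in the shape `schtasks /query /fo CSV /v` prints (column names
assumed here). The sample rows below are constructed for the example.
"""
import csv
import io
import re

# Assumed allow-list of genuine updater binaries; extend for your estate.
KNOWN_UPDATERS = ("wupdmgr.exe", "wuauclt.exe")
# Anything repeating this often or faster deserves a look.
SHORT_INTERVAL_MINUTES = 15

# Constructed sample: one benign weekly job, one lookalike firing every 5 min,
# one benign monthly job.
SAMPLE_CSV = r'''
"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"
"HOMEPC","Backup","C:\Tools\backup.exe /full","Weekly","N/A"
"HOMEPC","Windows Update","C:\WINDOWS\wupdmngr.exe","Daily","0 Hour(s), 5 Minute(s)"
"HOMEPC","Defrag","defrag.exe","Monthly","N/A"
'''.strip()


def parse_interval(text):
    """'0 Hour(s), 5 Minute(s)' -> 5 minutes; 'N/A' or '' -> None."""
    hours = re.search(r"(\d+)\s*Hour", text or "")
    mins = re.search(r"(\d+)\s*Minute", text or "")
    if not hours and not mins:
        return None
    return (int(hours.group(1)) if hours else 0) * 60 + (int(mins.group(1)) if mins else 0)


def basename(command):
    """Executable file name from a 'Task To Run' value, arguments stripped.
    '"C:\\WINDOWS\\x.exe" /q' -> 'x.exe'; 'C:\\Tools\\backup.exe /full' -> 'backup.exe'."""
    cmd = command.strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]
    else:
        exe = cmd.split(" ")[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(csv_text):
    """Return [(task name, executable, [reasons])] for every suspicious task."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = basename(row["Task To Run"])
        reasons = []
        every = parse_interval(row.get("Repeat: Every"))
        if every is not None and every <= SHORT_INTERVAL_MINUTES:
            reasons.append(f"repeats every {every} min")
        if exe not in KNOWN_UPDATERS:
            for known in KNOWN_UPDATERS:
                d = edit_distance(exe, known)
                if d <= 2:
                    reasons.append(f"name '{exe}' imitates '{known}' (edit distance {d})")
        if reasons:
            findings.append((row["TaskName"], exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE_CSV):
        print(f"{name} -> {exe}: {'; '.join(reasons)}")
```

On a live system you would feed it `schtasks /query /fo CSV /v` output instead of the sample and then check each flagged executable's path and hash, since a lookalike name is only a lead, not proof.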
 
Guest

On Wed, 16 Jun 2004 19:24:14 +1000, "igor" <nuklear@iprimus.com.au>
wrote:

>I noticed same problem once
>
>Look in your task scheduler, you may have a schedule to run a program every
>5 min with similar name to live update in your windows folder. remove it

Thanks for the advice.

Things have moved on - here's an update:

Having isolated the machine, my friend's had time to examine the hard
drive carefully.

Quite apart from the multiple bits of adware/spyware, he found the key
files containing his software work infected with a virus that would
have destroyed all his data as soon as he opened the files.

Far more worrying, he found a lot of what looks like security services
encryption files he has never seen before in an archive folder. Had he
not been going through his system with such care he might not have
noticed them - the folder hadn't been used for a couple of years. The
files look as though they could be dynamite.

When I say "looks like" - as soon as he found them he consulted his
lawyer, who passed him on to a criminal lawyer. He then took the whole
thing to his offices.

A copy of the hard drive is now with my friend's lawyer and my friend
has involved the police.

Someone appears to have hacked him either to store sensitive files or
to place incriminating material on his drive.

I am pretty certain no legitimate commercial organisation would do
this. My guess is that it's some weirdo who, for whatever reason, is
trying to damage the guy.

BTW, it's interesting to read different posts - different viewpoints
about my dopey friend's security. His vagueness doesn't surprise me at
all - after all, doctors (a professional group I've worked with
extensively) are famous for missing diseases in their immediate family
- and my friend only ever used that machine for gaming and coursework.

Guess it depends on your perspective. If you're selling security
software/hardware or providing support you're going to be all too
aware of the vital importance of online security in your daily life.
My friend works on obscure corners of anti-virus programming and, I
guess, he just didn't focus on its relevance to his home PC. He will
now. <g>

As for Windows 98 - with a wife and kids at home and a state of the
art set up at work, upgrading my home kit wouldn't necessarily be my
priority.

Anyway - that's where we stand. I don't expect the police will be that
interested - they're not interested in domestic burglaries, after all.
At least he's passed the problem to the authorities, and set up an
entirely new, more secure system. Of course, the poor guy is driving
himself crazy trying to work out who might have done it, but I guess
he may never know.

Thanks for your help.

Writehand