CSI Computer Forensics - Real Cases From Burgess Forensics
#9 - The Case of the Teacher and the Trickster

The stories are true; the names and places have been changed to protect the potentially guilty.

It was a grey October day, the kind of day when a guy likes to cozy up next to a bank of servers to keep warm, when the Teacher first called me. "They think I'm nuts" were the words emanating from the phone. Well, just because you're paranoid doesn't mean they're not out to get you. I sat up and went to my desk, away from the noisy fans cooling off all those Gigahertzes. "What's the problem, Miss?"

The young woman explained that she was a not-yet-tenured teacher in a New England (greyer there than here) high school with a problem. Seems that a student in one of her classes was repeating things in the classroom that she had uttered only the night before in the apparently illusory privacy of her own living room. This was happening on a repeated basis and this little freak was freaking her out. She made sure her windows were shut at night. She had someone else speak inside her house while she listened outside - no words escaped to be heard, much less repeated. She looked around for bugs...found only a few spiders. She hired a P.I. to sweep for listening devices - none were found. She went to the police, who were uninterested without some evidence. Her supervisor at the school would not take it seriously. The principal at the school thought she was nuts. She felt that she was in danger of being fired and losing out on a career she'd savored. She was at her wit's end and sounded it.

She began to suspect her computer was the means of access to invading her privacy, but had no idea how. She already had identified the subject individual and did an admirable amount of research on the subject of computer invasion. She sent me reams of chat logs, articles about cyberinvasions, firewall logs, other suspicious-looking goings-on with her computer. I put on my data galoshes and began to wade through the deluge to see what looked like a threat and what did not, and to see if I could find the means of remote access, if any. Like the old saying that to a hammer everything looks like a nail, then to a victim, everything begins to look suspiciously like an attack. When there are actual bogeymen around, every sound makes a person jump. Let's take on a few of the suspects.

Norton Antivirus had picked out some. One was "lsass.shutdown" - the Sasser Worm. A bad character indeed. By contrast, lsass.exe is a part of Windows XP itself. Sasser came in looking like something harmless, but shut down computers - sometimes before they even finished booting. Airline flights had to be cancelled. Satellite communications were blocked. Insurance companies and banks had to close down for a short while. The Sasser Worm was a bad actor, but it wasn't giving remote control access and after all, her antivirus program had used its own kind of handcuffs to subdue that particular intruder.

Her computer told her that it was recovering orphaned files and security descriptions, replacing bad clusters and bad logfiles, and fixing unreadable security. All are signs of problems, but are messages generated by Windows' own repair programs, Chkdsk and Scandisk, and aren't openings for an intruder to walk into the computer unopposed.

Another scary Norton message read, "NIS is protecting your connection to a newly detected network on adapter "WAN (PPP/SLIP) Interface". But this was just the program reporting on the computer's own wide area network adapter and Internet access being enabled.

She noticed that an oddly named program called "Wild Tangent" seemed to be active. Turns out that Wild Tangent is a game network company. It is pretty active in using the computer's network resources, and puts a lot of advertisements on the user's computer. But as bothersome as some find it, it comes preinstalled on many computers, including the Teacher's Dell. Not a likely avenue for remote control by an unauthorized user.

Our little heroine even learned to use Netstat (stands for "network statistics"). Netstat displays network connections, statistics, routing tables, and more juicy info. Linux users can directly invoke it. Windows users can bring it up through a DOS box (command shell) by clicking on "Start" then "Run", then typing in "CMD", and finally "netstat" in the window that comes up. Mac users can invoke it by first bringing up the "Terminal" available in the Utilities that come with a Macintosh. But netstat can bring up a screenloads of hard-to-understand information. Try it yourself with various switches (like "netstat -a" or "netstat -p"). Hers was unalarming to a jaundiced but practiced eye.

She considered getting a firewall and watching the logs. But slogging through firewall logs is a scary nightmare when you don't know precisely what you're looking for, and don't completely understand what you're looking at. There are so many hundreds of roboprograms knocking at everyone's computer back door all day long that successfully identifying each could be all a person does all day. It's like describing your entire day in detail, including what you said. "Today I said hello. Today I wrote that I said hello. Today I wrote about writing about saying hello. Today I noticed that I hadn't put "hello" in quotes and made a note about that. Today I cussed long and vociferously and stopped writing it down." You get the idea. "Today I got an idea!"

Once I got hold of her computer, I of course first made an identical copy of the hard drive. I don't recall exactly, but I may have used Media Tools Professional from RecoverSoft.

I figured we were looking for a Remote Control Trojan. Like the original Trojan Horse, Trojans may come attached unnoticed to a free gift, such as a game, or attached to an email. Once inside the formerly secure walls of your computer, a payload is unleashed but unlike the original Trojans, may go unnoticed while the originator remotely, and often surreptitiously, takes control of your computer.

I ran several anti-malware programs, including my favorite at the time, Ewido (later bought by Grisoft, itself then acquired by AVG). I also ran Norton, Panda, Spybot and more. Different programs catch different stuff. A few viruses were shoveled up, but for remote control Trojans - bupkis. I had to do something else.

I'm no stranger to hare-brained ideas, so I dreamed up a DIY tool. I made a list of remote control Trojan names, aliases, and executables (the actual name of the file that does the dirty work) and compiled them into a table. I fired up trusty old EnCase Forensic, loaded the drive, and then input my table as a keyword list. I had EnCase search the entire hard disk - active and compressed files and unallocated space, file sllack, MBR, and virtual memory file - for the entries on my new keyword list. From the results, I discarded everything that was part of an antivirus program or dictionary, and skimmed through what was left.

And...pay dirt! Sitting in the registry entries from old compressed system restore snapshot files were references to 30 instances of the setup files for one nasty Backdoor Trojan and for one desktop surveillance spyware program. They came complete with dates of installation and IP addresses of the point of origin. Quite a find.

It seems our freaky teen perp was a script kiddie. He'd apparently gone to a site that gives away prepackaged hacking and exploit programs to all-comers. Rather than give the teacher an apple, he'd apparently sent her an email with an evil payload. Once in place it was child's work - er, kiddie's work - to control her computer at will. At this point, it was no big deal to turn on our heroine's microphone, record her talking in her living room, download the file to his own computer, then repeat the content back to the teacher the next day. Who wouldn't be set off-kilter by that?

Finally we had enough evidence to let the police complete the job. I sent the report to the DA, who ran with the case. Being a minor, the terrible teen got off with a warning, some unwanted attention, and a transfer to a different classroom.

For the future, I first recommended completely reformatting or replacing her hard disk and securing her Windows Administrator account with a password. Amazing but true, most people don't know there is an Administrator account on their computer, and leave it wide open and unsecured. Booting into Safe Mode (Hold down the F8 key at boot up, select "Safe Mode"), then accessing User Accounts through the Control Panel allows the user to easily set passwords through the "change an account" option. I suggested also getting a new AOL account (if she had to have AOL), and getting a relatively inexpensive hardware firewall. At the time, I suggested the Netgear FVS318.

The happy ending: our worthy teacher kept her job, validated her complaints, eventually finished her Master's degree and got to be something of a security expert in her own right. By the time we finished with all the back and forth, it was nearly Spring.

As for me, I moved out of the server room and back to my place in the Sun. Okay, it's a desk; it's by a window; it's where I do my forensic thing.

This is just one of the many "CSI* - Computer Forensics Files: Real Cases from Burgess Forensics". Stay tuned for more stories of deceit uncovered by computer forensics.