Thread: How can I tell if a keylogger got added to my PC while I was in Beijing?

  1. #1
    Dustin Cook Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    Mark McIntyre <markmcintyre@TROUSERSspamcop.net> wrote in
    news:aXqOk.72593$yq3.34533@en-nntp-07.am2.easynews.com:

    > Juan I. Cahis wrote:
    >> Mark McIntyre <markmcintyre@TROUSERSspamcop.net> wrote:
    >>
    >>> If the hacker has physical access to the computer, all bets are off.
    >>> He can boot from a CD or pendrive and install whatever the heck he
    >>> likes on the laptop.
    >>
    >> Unless you have set the BIOS password, which any respectable SysAdmin
    >> of any respectable business corporation doing international business
    >> should always have set.
    >
    > Like I said, physical access trumps all. How long do you think it
    > would take to zap the cmos battery or remove the HDD, boot it in a
    > spare laptop and then replace the (now infected) HDD?


    heh, physical access doesn't trump encryption.




    --
    Regards,
    Dustin Cook, Author of BugHunter
    BugHunter - http://bughunter.it-mate.co.uk
    MalwareBytes - http://www.malwarebytes.org



  2. #2
    LR Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    Dustin Cook wrote:

    > heh, physical access doesn't trump encryption.

    http://citp.princeton.edu/memory/

    <http://www.channelregister.co.uk/2008/02/27/bitlocker_hack_prevention/>
    "Question is, will anyone use them?"




  3. #3
    Mark McIntyre Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    Dustin Cook wrote:
    > Mark McIntyre <markmcintyre@TROUSERSspamcop.net> wrote in
    > news:aXqOk.72593$yq3.34533@en-nntp-07.am2.easynews.com:
    >
    >> Juan I. Cahis wrote:
    >>> Mark McIntyre <markmcintyre@TROUSERSspamcop.net> wrote:
    >>>
    >>>> If the hacker has physical access to the computer, all bets are off.
    >>>> He can boot from a CD or pendrive and install whatever the heck he
    >>>> likes on the laptop.
    >>> Unless you have set the BIOS password, which any respectable SysAdmin
    >>> of any respectable business corporation doing international business
    >>> should always have set.

    >> Like I said, physical access trumps all. How long do you think it
    >> would take to zap the cmos battery or remove the HDD, boot it in a
    >> spare laptop and then replace the (now infected) HDD?

    >
    > heh, physical access doesn't trump encryption.


    Course it does. You can image the HDD, you can install hardware that
    intercepts the decrypted stream en route between disk and memory, you
    can put in a modded CMOS or BIOS that includes a builtin keylogger or
    data logger that's part of the firmware etc etc etc.

    If you have access to the box for long enough, it's yours.

  4. #4
    David H. Lipman Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    From: "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net>


    | Course it does. You can image the HDD, you can install hardware that
    | intercepts the decrypted stream en route between disk and memory, you
    | can put in a modded CMOS or BIOS that includes a builtin keylogger or
    | data logger that's part of the firmware etc etc etc.

    | If you have access to the box for long enough, it's yours.

    Now you're making things up...
    "put in a modded CMOS or BIOS that includes a builtin keylogger "

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    Mark McIntyre Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    David H. Lipman wrote:
    > From: "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net>
    >
    >
    > | Course it does. You can image the HDD, you can install hardware that
    > | intercepts the decrypted stream en route between disk and memory, you
    > | can put in a modded CMOS or BIOS that includes a builtin keylogger or
    > | data logger that's part of the firmware etc etc etc.
    >
    > | If you have access to the box for long enough, it's yours.
    >
    > Now you're making things up...


    Ya reckon?

    > "put in a modded CMOS or BIOS that includes a builtin keylogger "


    PC BIOSes are on EEPROMS. Booting the pc from a CD and running a custom
    BIOS upgrade is far from beyond the bounds of possibility.

    People hack the BIOS for CD and DVD drives all the time to add features
    and remove region settings. A quick google search shows that numerous
    people have hacked their PC bios to enable features that the mobo
    provider decided weren't for use.

  6. #6
    FromTheRafters Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?


    "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    news:e%5Pk.76280$wc2.48368@en-nntp-01.am2.easynews.com...
    > David H. Lipman wrote:
    >> From: "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net>
    >>
    >>
    >> | Course it does. You can image the HDD, you can install hardware that
    >> | intercepts the decrypted stream en route between disk and memory, you
    >> | can put in a modded CMOS or BIOS that includes a builtin keylogger or
    >> | data logger that's part of the firmware etc etc etc.
    >>
    >> | If you have access to the box for long enough, it's yours.
    >>
    >> Now you're making things up...

    >
    > Ya reckon?
    >
    >> "put in a modded CMOS or BIOS that includes a builtin keylogger "

    >
    > PC BIOSes are on EEPROMS. Booting the pc from a CD and running a custom
    > BIOS upgrade is far from beyond the bounds of possibility.
    >
    > People hack the BIOS for CD and DVD drives all the time to add features
    > and remove region settings. A quick google search shows that numerous
    > people have hacked their PC bios to enable features that the mobo provider
    > decided weren't for use.


    BIOS might not be the right term - but what used to be called "option ROM"
    and is now referred to as "expansion ROM" can be used nefariously by malware
    program fragments. I don't think an entire keylogger would work, but I could
    be wrong. Most people don't realize just how much code lives outside the HD
    or on the hard drive outside the filesystem's files.



  7. #7
    David H. Lipman Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    From: "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net>

    | David H. Lipman wrote:
    >> From: "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net>



    >> | Course it does. You can image the HDD, you can install hardware that
    >> | intercepts the decrypted stream en route between disk and memory, you
    >> | can put in a modded CMOS or BIOS that includes a builtin keylogger or
    >> | data logger that's part of the firmware etc etc etc.

    >> | If you have access to the box for long enough, it's yours.

    >> Now you're making things up...


    | Ya reckon?

    >> "put in a modded CMOS or BIOS that includes a builtin keylogger "


    | PC BIOSes are on EEPROMS. Booting the pc from a CD and running a custom
    | BIOS upgrade is far from beyond the bounds of possibility.

    | People hack the BIOS for CD and DVD drives all the time to add features
    | and remove region settings. A quick google search shows that numerous
    | people have hacked their PC bios to enable features that the mobo
    | provider decided weren't for use.

    I won't change my statement. The BIOS is very low level. Keyloggers and password stealers
    are very high level. Compare to the OSI model.
    Whose motherboard?
    What BIOS?
    What chip-set?
    What EPROM chip?

    This is all very Tom Clancy but not real world.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  8. #8
    FromTheRafters Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?


    "Mark McIntyre" <markmcintyre@TROUSERSspamcop.net> wrote in message
    news:_FXOk.81640$ym1.68821@en-nntp-09.am2.easynews.com...
    > Dustin Cook wrote:
    >> Mark McIntyre <markmcintyre@TROUSERSspamcop.net> wrote in
    >> news:aXqOk.72593$yq3.34533@en-nntp-07.am2.easynews.com:
    >>> Juan I. Cahis wrote:
    >>>> Mark McIntyre <markmcintyre@TROUSERSspamcop.net> wrote:
    >>>>
    >>>>> If the hacker has physical access to the computer, all bets are off.
    >>>>> He can boot from a CD or pendrive and install whatever the heck he
    >>>>> likes on the laptop.
    >>>> Unless you have set the BIOS password, which any respectable SysAdmin
    >>>> of any respectable business corporation doing international business
    >>>> should always have set.
    >>> Like I said, physical access trumps all. How long do you think it
    >>> would take to zap the cmos battery or remove the HDD, boot it in a
    >>> spare laptop and then replace the (now infected) HDD?

    >>
    >> heh, physical access doesn't trump encryption.

    >
    > Course it does. You can image the HDD, you can install hardware that
    > intercepts the decrypted stream en route between disk and memory, you can
    > put in a modded CMOS or BIOS that includes a builtin keylogger or data
    > logger that's part of the firmware etc etc etc.
    >
    > If you have access to the box for long enough, it's yours.


    Replies in this thread seem to go back and forth between two of the hackers'
    motivations. One where he is after the data at rest, and one where he goes
    after subverting the system (and maybe gets the data after decryption). The
    subject line asks about a keylogger that may have been added during the
    time the laptop was left unattended in a hotel room - and how to detect it.

    I assume of course a so-called "rootkit" was involved. Any hacker worthy
    of the title would want to use stealthing techniques. So the question
    becomes how can I tell if my computer has been rootkitted?

    What is interesting is the shift from outright theft of a laptop to the
    perhaps more lucrative compromise of the laptop. Steal someone's personal data
    and open a credit card account - then buy a truckload of laptops. Modern
    banking makes it all possible - and they charge you for "protection" against
    such happenings.

    ....what a racket!



  9. #9
    Jeff Liebermann Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    On Sat, 1 Nov 2008 19:24:04 -0400, "FromTheRafters"
    <erratic@nomail.afraid.org> wrote:

    >I assume of course a so-called "rootkit" was involved. Any hacker worthy
    >of the title would want to use stealthing techniques. So the question
    >becomes how can I tell if my computer has been rootkitted?


    Windoze:
    RootkitRevealer v1.71
    <http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx>

    Linux:
    ChkRootKit
    <http://www.chkrootkit.org>

    It's amazing what you can find with Google.

    --
    Jeff Liebermann jeffl@cruzio.com
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    Skype: JeffLiebermann AE6KS 831-336-2558

  10. #10
    David H. Lipman Guest

    Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

    From: "Jeff Liebermann" <jeffl@cruzio.com>

    | On Sat, 1 Nov 2008 19:24:04 -0400, "FromTheRafters"
    | <erratic@nomail.afraid.org> wrote:

    >>I assume of course a so-called "rootkit" was involved. Any hacker worthy
    >>of the title would want to use stealthing techniques. So the question
    >>becomes how can I tell if my computer has been rootkitted?


    | Windoze:
    | RootkitRevealer v1.71
    | <http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx>

    For Windows, Gmer is *better*!

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
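
Added example, not part of any post in this thread and not code from the tools named above: one technique rootkit detectors use is cross-view comparison, where the same question is asked two ways and any disagreement is flagged. The Python below applies it to Linux processes, comparing the `/proc` directory listing against a direct per-PID probe; the function names are this example's own, and it assumes Linux with procfs mounted at `/proc` and a root shell.

```python
import os

def listed_pids(proc="/proc"):
    """View 1: PIDs that show up when the /proc directory is listed."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def answers_signal0(pid):
    """View 2: ask the kernel about one PID directly, without listing /proc."""
    try:
        os.kill(pid, 0)  # signal 0 delivers nothing; it only checks existence
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # the process exists but belongs to another user
    return True

def is_thread_id(pid, proc="/proc"):
    """Linux answers for thread IDs too, and those are never listed in /proc."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except (OSError, ValueError, IndexError):
        pass
    return False

def cross_view(listed, probed):
    """PIDs the direct probe found that the directory listing did not show."""
    return sorted(set(probed) - set(listed))

def scan(max_pid=None):
    """Return PIDs that are alive but absent from /proc (run as root on Linux)."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    before = listed_pids()
    probed = {pid for pid in range(1, max_pid) if answers_signal0(pid)}
    after = listed_pids()  # second listing absorbs processes started mid-scan
    suspects = cross_view(before | after, probed)
    # Re-probe to drop processes that exited, then discard plain thread IDs.
    return [p for p in suspects if answers_signal0(p) and not is_thread_id(p)]

if __name__ == "__main__":
    hidden = scan()
    print("hidden PIDs:", hidden if hidden else "none found")
```

A kernel-mode rootkit can falsify both views on the running system, so an empty result is not proof of a clean machine; examining the disk from trusted boot media avoids relying on the suspect OS at all.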


