
I am new to this forum, so apologies in advance if this question does not seem to fall within its scope, or if it seems too long:

On two occasions over the past ~3 weeks, a hacker gained remote access to my laptop (PC running Windows 10), as evidenced by mouse cursor movement. On both occasions, I was connected to the WiFi network at my university, and rapidly shut down the computer as soon as I saw what was going on.

On the first occasion, I was in denial, assuming that the cursor movement was due to a touchpad malfunction. The second time, the cursor movement looked very purposeful and human-like; I am confident that my computer was remotely accessed.

Since then, I have only used this laptop offline. I am preparing to do a clean install of the OS. Before that point, however, I'm trying to find any evidence that confirms my initial suspicion that my computer was accessed through the RealVNC Server that I did have running on there. This assumes that someone was able to identify my password through brute force.

Tricky thing is, I'm lacking in evidence that this was the means of access. Usually, VNC Server connections should prompt an on-screen notification, which I never saw. I also cannot find evidence of VNC connections if I search the Event Log for the dates/times when I noticed the cursor movement. So, now I'm wondering if (a) the hacker suppressed the logging/notification, or (b) my laptop was accessed in some other way.

There are three other pieces of information that might be useful:

(1) If I look in the Event Log at the date/time of the first incident, I can find a Logon of Type 3, with Security ID "ANONYMOUS LOGIN", Security ID "NULL SID", a Login Process of "NtLmSsp", and blanks or 0's in any fields that would provide information about the origin (no Workstation Name, no IP address, etc). Is this consistent with a web-based VNC login, or something else?

(2) In both cases I noticed the cursor movement when I was using Chrome. Maybe just a coincidence.

(3) I have run full scans with both Symantec and MalwareBytes; neither detected anything.

It seems that understanding the cause of these incidents will be important for preventing them from happening again. As stated above, I plan to reinstall the OS, and since I have no future need for VNC Server, I will not reinstall it. I've also been changing the relevant passwords. But I'm not sure if that will be enough.

Thank you in advance for your time.

Joe M

kc32768

1 Answer


Looks like someone is trying to brute-force your Windows credentials, as the NtLmSsp event suggests. I don't think this is related to VNC Server, unless you configured it to log in with your Windows credentials.

Before anything else, as we don't know whether you've been RATed or not, you should monitor any Internet connection made on your computer (with no connectivity). As you're using Windows, this can be done using netstat (CLI) or Sysinternals' TCPView (GUI). Check for any connection on an unusual port made by any process, as a tool can easily be injected into e.g. explorer.exe. If there is any suspicion of unwanted connections, try to remove the infection yourself, using Malwarebytes or, as a workaround, Sysinternals' Autoruns. Don't use Symantec Norton Antivirus, as it is not very efficient and is buggy.

If there is nothing, what I'd do next, before reinstalling Windows, is connect to your university's WiFi, disable VNC, and check for more events like the one you described.

To do this, launch a monitoring tool like Cyberarms IDDS (free and open-source) to check for any intrusion attempt. It'll then show you the IP address, and you will be able to report it to your university's network administrator and block it using IDDS or your firewall.

Pierre G.
  • Thanks very much for the detailed reply. Offline, netstat shows four TCP entries which look like the computer looping back to itself (local address = 127.0.0.1, foreign address = my computer's name, all ports are in the 523xx range). – kc32768 Aug 12 '18 at 00:44
  • Also, additional possibly relevant information from the Event Log: – kc32768 Aug 12 '18 at 00:57
  • (1) For both dates, in the Event Log I see several attempts to query the existence of a blank password. (2) For the first date, these queries are followed by Event entries involving both auditing events and process creation, with many of the processes referring to smss.exe - is this the problem? – kc32768 Aug 12 '18 at 01:08
  • All of these events and processes are legitimate Windows processes; the problem is that someone is trying to authenticate to your machine the way a network computer would log in to an Active Directory server. Also, the machine looping back to itself should not be worrying. Again, the ports are between 49152 and 65535, so those are dynamic ports, and probably some Windows connection to itself (csrss is a server process, e.g.). I think someone is actively trying to connect to your computer from your network using blank credentials, maybe to get access to a supposed network drive. – Pierre G. Aug 12 '18 at 08:50
  • AFAIK, this can be legitimate (an automatic crawl from your university's server) or it can be done by an attacker, but in my opinion there is no reason to be preoccupied by that. I think you should run a much more comprehensive scan of your machine to detect any backdoor, change your Windows credentials, and normally you'll be done. Oh, and change your antivirus, as Google's Project Zero has already found numerous kernel zero-days in it. – Pierre G. Aug 12 '18 at 08:55
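The two checks the answer recommends (listing live TCP connections with the process that owns them, and searching the Security log for the type 3 / NtLmSsp logons described in the question), as an added PowerShell example that is not part of the original answer and not any product's own tooling. It assumes an elevated PowerShell session on the Windows 10 laptop (reading the Security log needs administrator rights), a 21-day lookback window matching the "~3 weeks" in the question (the `-Since` parameter is an assumption; adjust it to the incident dates), and the documented property order of events 4624 and 4625 on Windows 10. Grouping type 3 logons by source address is what turns a scanner or brute-force attempt into one line with a count, which is the IP address the answer says to report to the network administrator; loopback connections on ephemeral ports are flagged so they can be set aside, as the comments explain.

```powershell
# Added example, not from the original post or answer. Run from an elevated
# PowerShell on the affected Windows 10 machine (offline is fine: the Security
# log and the connection table are local). The lookback window is an assumption.
param(
    [datetime]$Since = (Get-Date).AddDays(-21)
)

# --- 1. Which process owns each TCP connection? ---
# Loopback connections on ephemeral ports (49152-65535) are normal Windows IPC;
# a non-loopback remote address owned by an unexpected process is what to chase.
function Get-SuspectConnections {
    Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                Pid           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path   # $null for protected/system processes
                Loopback      = $_.RemoteAddress -in @('127.0.0.1', '::1', '0.0.0.0', '::')
            }
        } | Sort-Object Loopback, RemoteAddress
}

# --- 2. Security log: network (type 3) logons and failures, by source ---
# 4624 = successful logon, 4625 = failed logon. Property indexes below follow
# the documented field order of these events on Windows 10:
#   4624: [5] TargetUserName, [8] LogonType, [9]  LogonProcessName,
#         [11] WorkstationName, [18] IpAddress
#   4625: [5] TargetUserName, [10] LogonType, [11] LogonProcessName,
#         [13] WorkstationName, [19] IpAddress
# An ANONYMOUS LOGON via NtLmSsp with "-" in Workstation/IpAddress, as in the
# question, shows up here as a row whose SourceIp is "-".
function Get-NetworkLogonSummary {
    param([datetime]$Start)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = $Start
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $p = $e.Properties
        if ($e.Id -eq 4624) {
            $type = $p[8].Value;  $user = $p[5].Value; $lp = $p[9].Value
            $ws   = $p[11].Value; $ip   = $p[18].Value
        } else {
            $type = $p[10].Value; $user = $p[5].Value; $lp = $p[11].Value
            $ws   = $p[13].Value; $ip   = $p[19].Value
        }
        if ($type -ne 3) { continue }   # keep only network logons
        [pscustomobject]@{
            Time         = $e.TimeCreated
            EventId      = $e.Id
            User         = $user
            LogonProcess = $lp
            Workstation  = $ws
            SourceIp     = $ip
        }
    }

    # One line per (source, account, outcome) with a count and time span:
    # a brute-force attempt from one host becomes a single high-count row.
    $rows | Group-Object SourceIp, User, EventId |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp = $_.Group[0].SourceIp
                User     = $_.Group[0].User
                EventId  = $_.Group[0].EventId
                Count    = $_.Count
                First    = ($_.Group | Measure-Object Time -Minimum).Minimum
                Last     = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } | Sort-Object Count -Descending
}

"=== TCP connections (non-loopback first) ==="
Get-SuspectConnections | Format-Table -AutoSize
"=== Type 3 logons since $Since, grouped by source / account / outcome ==="
Get-NetworkLogonSummary -Start $Since | Format-Table -AutoSize
```

Run it once offline to get a baseline of the loopback-only connections the comments describe, then again after reconnecting to the university WiFi with VNC disabled, as the answer suggests; a row whose `Count` keeps climbing from one `SourceIp` is the address to report. Successful 4624 rows with logon type 3 from a non-loopback address, rather than failed 4625 rows, are the ones that would actually indicate someone got in over the network.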