In this post I share my recent experience troubleshooting a major disruption in a client's network: analyzing the footprints of the k8h3d Trojan on Microsoft Windows computers, how we removed it, and some practical tips to protect your organization against cyber attacks and avoid becoming part of a botnet.
Recently my team and I were hired to troubleshoot a client's network and find out why they had constantly unstable Internet connectivity and high latency. The company depended heavily on its Internet connection, employees were complaining that their computers were very slow, and the downtime meant a major loss of revenue. They wanted the problem fixed immediately, so we began digging.
We started by inspecting their network equipment. We went carefully through each switch, access point, firewall and router, and they all appeared to be working as expected. However, we noticed an unusually large number of TCP connections with source port 65533 to a single IP address on the Internet. The sheer volume of connections caused the routers to become unresponsive and crash repeatedly.
Some employees reported that they were suddenly seeing a new user account named k8h3d on their login screens. This led us to believe that the network had been compromised by Trojan malware that had spread itself across the entire network.
We suspected that the computers were compromised, so we isolated the infected hosts from the rest of the network to see whether it made a difference, and it did: everything returned to normal once they were cut off. We then took one of the infected computers to the lab to analyze the malware further. Comparing our findings with what had been published online, we concluded that the Trojan first arrived on a system when a user visited a malicious website and downloaded and executed an Office document. It then spread over SMB (TCP/445), exploiting the MS17-010 vulnerabilities in the Microsoft Windows SMB Server, and over MS SQL (TCP/1433); note that MS17-010 is an SMBv1 flaw, so the SQL Server vector does not depend on it. It turned each host into a zombie that tried to spread as far as possible to grow the botnet.
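The following triage script is an added example; it is not code from the original post or from any tool of its author. It checks a single Windows host for the signs described above: the k8h3d local account, TCP connections leaving from port 65533 grouped by remote address, the SMB and MS SQL listeners the worm used to move laterally, and whether the host is still exposed to MS17-010. It assumes Windows 8/Server 2012 or later with PowerShell 5.1 (for Get-LocalUser and Get-NetTCPConnection). The 20-connection threshold is an arbitrary assumption, and the KB list is taken from the MS17-010 bulletin with the caveat that later cumulative updates supersede those KBs without listing them, so the SMBv1 state is the more reliable signal.

```powershell
# Added example, not code from the original post. Assumes Windows 8 / Server 2012
# or later with PowerShell 5.1, where Get-LocalUser and Get-NetTCPConnection exist.
# Indicators come from the post: a local account named k8h3d and many TCP
# connections with local port 65533 to one remote address. The 20-connection
# threshold is an assumption; tune it to what you see on a clean host.
function Find-K8h3dIndicators {
    [CmdletBinding()]
    param(
        [string]$AccountName    = 'k8h3d',
        [int]   $BeaconPort     = 65533,
        [int]   $MinConnections = 20
    )

    # 1. The rogue local account employees saw on the login screen
    $rogue = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    $rogueEnabled = if ($rogue) { $rogue.Enabled } else { $null }

    # 2. Connections leaving from the beacon port, grouped by remote address
    #    (the post saw a flood of these to a single Internet IP)
    $beacons = Get-NetTCPConnection -LocalPort $BeaconPort -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } |
        Group-Object RemoteAddress |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddress = $_.Name
                Connections   = $_.Count
                OwningPids    = ($_.Group.OwningProcess | Sort-Object -Unique) -join ','
            }
        }
    $suspicious = @($beacons | Where-Object { $_.Connections -ge $MinConnections })

    # 3. Services the worm used to move laterally: SMB (445) and MS SQL (1433)
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 445, 1433 } |
        Select-Object LocalAddress, LocalPort, OwningProcess

    # 4. MS17-010 exposure. It is an SMBv1 flaw, so SMBv1 being enabled is the
    #    reliable signal; the KB list is the March 2017 bulletin's and is
    #    superseded by later cumulative updates, so an empty list alone does
    #    not prove the host is unpatched.
    $smb1 = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol
    $ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                  'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
    $patched = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -in $ms17010Kbs } |
        Select-Object -ExpandProperty HotFixID)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RogueAccountPresent = [bool]$rogue
        RogueAccountEnabled = $rogueEnabled
        SuspiciousBeacons   = $suspicious
        LateralListeners    = @($listeners)
        Smb1Enabled         = $smb1
        Ms17010KbsInstalled = $patched
        LikelyCompromised   = ([bool]$rogue) -or ($suspicious.Count -gt 0)
    }
}

# Run locally, or fan out over the estate with PowerShell remoting:
#   Find-K8h3dIndicators | Format-List
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#       -ScriptBlock ${function:Find-K8h3dIndicators} | Where-Object LikelyCompromised
```

Hosts flagged LikelyCompromised are the ones to cut off the network first, as described above; a host with Smb1Enabled true and no MS17-010 KB installed is a candidate for the next infection even if it is clean today.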
You cannot "catch" a botnet the way you catch a virus, but you can be part of one without knowing it. At their most basic, botnets are large networks of "zombie" computers all obeying one master, the command-and-control (C2) server. Once those pieces are in place, the botnet is ready to cause mayhem. When a computer is infected by a Trojan, the Trojan opens a "backdoor" that lets the attacker access and control aspects of the infected device.
Your machine and the network will slow down, sometimes significantly. The tasks botnets perform require lots of CPU power and bandwidth, which can make even basic web browsing feel sluggish. A bot can consume basically any system resource, meaning you are sharing your machine's performance with a criminal. The goal is not to harm you, though that is often a consequence; it is to use you to harm others.
I am not sure what this malware is officially called, since I did not find much information about it, so I simply call it the k8h3d malware. The good news is that removing it is not very difficult: scan and clean the computer with up-to-date anti-malware software, remove a few firewall rules, delete some registry keys and clean up some scheduled tasks. You can read more about it here.
As we analyzed the network we found a significant number of outdated, unpatched Windows computers connected to the Internet without any protective software. The MS17-010 vulnerability has been around for quite some time now and it is crucial to patch it. I believe that black hat hackers are almost always one step ahead, and the least we can do is to take cyber security seriously and enforce reasonable security policies.
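Here is the removal procedure from the two paragraphs above, followed by the hardening step, as an added PowerShell example. It is not from the original post, which does not name the firewall rules, scheduled tasks or registry keys the malware left behind, so those come in as parameters from your own analysis of an infected host. It assumes an elevated PowerShell 5.1 session on Windows 8.1/Server 2012 R2 or later, Windows Defender as the scanner (substitute your own product), and that the host has already been pulled off the network as described earlier. Run it with -WhatIf first to see what it would touch.

```powershell
# Added example, not code from the original post. The rule, task and registry
# names are not given in the post; pass in what you found on the infected host.
# Needs an elevated PowerShell 5.1 prompt on Windows 8.1 / Server 2012 R2+.
function Remove-K8h3dArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]  $AccountName      = 'k8h3d',
        [int]     $BeaconPort       = 65533,
        [string[]]$FirewallRuleName = @(),   # display names of rules the malware added
        [string[]]$TaskName         = @(),   # scheduled task names it registered
        [string[]]$RegistryKey      = @()    # full key paths, e.g. 'HKLM:\Software\<vendor>\<key>'
    )

    # Containment: stop the beaconing before touching persistence, so a watchdog
    # task cannot re-download the payload while we work.
    if ($PSCmdlet.ShouldProcess("TCP source port $BeaconPort", 'Block outbound')) {
        New-NetFirewallRule -DisplayName "IR block k8h3d beacon port $BeaconPort" `
            -Direction Outbound -Protocol TCP -LocalPort $BeaconPort -Action Block | Out-Null
    }
    Get-NetTCPConnection -LocalPort $BeaconPort -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique |
        Where-Object { $_ -gt 4 } |          # skip Idle (0) and System (4)
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("PID $_", 'Stop-Process')) {
                Stop-Process -Id $_ -Force -ErrorAction SilentlyContinue
            }
        }

    # Persistence: scheduled tasks, the malware's own firewall rules, registry keys
    foreach ($name in $TaskName) {
        Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue | ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.TaskPath)$($_.TaskName)", 'Unregister-ScheduledTask')) {
                $_ | Unregister-ScheduledTask -Confirm:$false
            }
        }
    }
    foreach ($name in $FirewallRuleName) {
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DisplayName, 'Remove-NetFirewallRule')) {
                $_ | Remove-NetFirewallRule
            }
        }
    }
    foreach ($key in $RegistryKey) {
        if ((Test-Path -Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove-Item')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }

    # The rogue account employees saw on the login screen
    if (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($AccountName, 'Remove-LocalUser')) {
            Remove-LocalUser -Name $AccountName
        }
    }

    # Hardening: MS17-010 is an SMBv1 flaw, so turn SMBv1 off in addition to
    # installing the patch. On Server SKUs the feature is removed with
    # Remove-WindowsFeature FS-SMB1 instead of Disable-WindowsOptionalFeature.
    if ($PSCmdlet.ShouldProcess('SMBv1', 'Disable')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }

    # Finally the full anti-malware scan the post calls for (Windows Defender shown).
    if ($PSCmdlet.ShouldProcess('Windows Defender', 'Update signatures and full scan')) {
        Update-MpSignature
        Start-MpScan -ScanType FullScan
    }
}

# Dry run first, then for real:
#   Remove-K8h3dArtifacts -TaskName 'name-from-your-analysis' -WhatIf
#   Remove-K8h3dArtifacts -TaskName 'name-from-your-analysis' -FirewallRuleName 'rule-from-your-analysis'
```

The order matters: block and kill the beacon first, then remove persistence, then the account, then close the SMBv1 hole, otherwise a still-running bot or a surviving scheduled task can put everything back before the scan finishes. Reboot afterwards and re-run the triage check before the host goes back on the network.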
Educating yourself about the threats on the Internet is one of the best lines of defense for your personal cyber security. While traditional Internet security software can catch many threats before they reach you, it cannot catch all of them. Cyber criminals will try any tactic to get your personal information, including non-digital methods such as tech support phone scams, tax fraud and social engineering. Here are some tips and best practices to consider:
- Avoid pop-ups, unknown emails, and links
- Use strong password protection and authentication
- Connect to secure Wi-Fi
- Install security software updates and back up your files
- Enable firewall protection at work and at home
- Invest in security systems
- Consult with your IT department
- Avoid using the same password for every login
- Keep your operating system fully patched and updated
- Keep your personal and private information locked down
- Use a VPN software provider who won't keep a log of your traffic
- And finally, take security seriously
Having the right knowledge can help minimize your company's attack surface. Remember: one click on a malicious link can let an attacker in, and one failure to fix a flaw quickly can leave you exposed to a cyber attack.
If you think I missed a tip or you have a similar story as well, share it with me and the community in the comments section.
I am a security consultant, full stack web developer and co-founder of Bits n Bytes Dev Team, a small group of highly talented professionals, with over 10 years of experience in systems administration, Linux administration, cloud deployments, virtualization, server monitoring, performance tuning and high availability.
I'm available for hire and you can check out my portfolio website or contact me at raadi[at]bitsnbytes.ir.