The Managing Director of the UK branch of a multi-national finance company contacted CY4OR with concerns that an unauthorised user was gaining access to the company's PCs.
The symptoms were described as frustrating: files were being deleted, programs were opening and closing, and the mouse pointer moved without user intervention; the computers were unusable.
A CY4OR investigator attended the company's offices and imaged the server and the relevant workstations. He then examined these forensic images for any signs of unauthorised access via hacking tools, security exploits or viruses; this computer forensic analysis identified a Remote Access Trojan.
A Trojan portrays itself as something other than what it is at the point of execution; while it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan must be sent by someone or carried by another program, and may arrive in the form of a joke program or software of some sort; it copies a small piece of code onto the computer, which enables remote access to that computer. The malicious functionality of a Trojan may be anything undesirable for a computer user, including data destruction or compromising a system by providing a means for another computer to gain access, thus bypassing normal access controls.
The company's computers had a commercial remote administration software product installed by their IT department; this software was not configured correctly and was allowing remote access to hackers, making it possible for them to view and fully interact with the computers from any other computer or mobile device anywhere on the Internet! Remote administration software allows remote control between different types of computer and, for ultimate simplicity, there is even a Java viewer, so that any desktop can be controlled remotely from within a browser.
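The page does not name the product or its settings, so the following is an added example (not CY4OR's tooling) of the kind of check an auditor would run: it scores a constructed remote-administration configuration for Internet exposure (bind address, authentication, source-address restriction, browser viewer) and flags sessions in constructed log lines that originate outside the assumed corporate ranges. All setting names, address ranges and log lines are assumptions for illustration.

```python
"""Audit a remote-administration service for unintended Internet exposure.

Added example; the configuration keys, address ranges and log lines are
constructed for illustration and do not come from the case described.
"""
import ipaddress
import re

# Assumed corporate address space from which remote control is legitimate.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]


def audit_remote_admin(cfg: dict) -> list[str]:
    """Return findings describing how the remote-admin listener is exposed."""
    findings = []
    bind = ipaddress.ip_address(cfg.get("bind_address", "0.0.0.0"))
    if bind.is_unspecified:  # 0.0.0.0: listens on every interface
        findings.append("listener bound to all interfaces (Internet-reachable if routed)")
    if not cfg.get("require_auth", False):
        findings.append("no authentication required before remote control")
    allowed = [ipaddress.ip_network(n) for n in cfg.get("allowed_sources", [])]
    if not allowed:
        findings.append("no source-address restriction: any host may connect")
    for net in allowed:
        inside = any(net.version == c.version and net.subnet_of(c)
                     for c in CORPORATE_RANGES)
        if not inside:
            findings.append(f"allowed source {net} lies outside corporate ranges")
    if cfg.get("java_viewer_enabled", False) and bind.is_unspecified:
        findings.append("browser (Java) viewer reachable on all interfaces")
    return findings


def external_sessions(log_lines: list[str]) -> list[str]:
    """Return source IPs of remote-control sessions from outside corporate ranges."""
    hits = []
    for line in log_lines:
        m = re.search(r"session opened from (\S+)", line)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            if not any(ip in c for c in CORPORATE_RANGES):
                hits.append(str(ip))
    return hits


# Constructed settings: the weak configuration beside a hardened one.
WEAK_CONFIG = {"bind_address": "0.0.0.0", "require_auth": False,
               "allowed_sources": [], "java_viewer_enabled": True}
HARDENED_CONFIG = {"bind_address": "10.0.5.10", "require_auth": True,
                   "allowed_sources": ["10.0.5.0/24"], "java_viewer_enabled": False}
SAMPLE_LOG = [  # constructed log lines
    "2024-01-10 09:02:11 session opened from 192.168.4.20 user=admin",
    "2024-01-10 23:41:07 session opened from 203.0.113.45 user=admin",
]
```

Running `audit_remote_admin(WEAK_CONFIG)` yields four findings, the hardened configuration none, and `external_sessions(SAMPLE_LOG)` isolates the late-night session from the non-corporate address.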
Having identified the source of the immediate problems the company was experiencing, the investigator later returned to the offices and carried out a full IT security audit.