Hacker Takes Control Of PC Via Steam When Playing TF2

jhmed

So, yesterday a good friend of mine was playing TF2 when all of a sudden his Medic began to move on its own. The in-game menus began opening and closing on their own, very peculiar stuff... He exited the game. Then, with Steam still active in the system tray, the hacker began to open Office documents etc... He closed Steam down which seemed to end the threat. It was late and he couldn't call to have me investigate for him, so today I had him bring his rig over for the day so we could inspect logs etc...

I didn't see anything in the event viewer that was alarming, and since he made no note of the times, just that it was between 12 and 1am, there were a lot of things happening as he was trying to figure things out. We ran virus scans (Norton Corp v8 or 10, I can't remember which, Norton online scan from the Symantec website, and we did a scan with AVG) and did a Spybot check. Everything appeared clean. Checked Windows Update to ensure he was up to date with the latest and greatest from Bill and Co.

I looked at the Windows Firewall, and there were a lot of Exceptions, but all seemed ok. I shut off a couple that I deemed unnecessary and told him to monitor the situation and to call me if it happens again -- 3am I don't care....

Tonight he called me and told me it happened again. I VNC'd in (v4something Enterprise, with encryption) and watched as this guy took control of the machine. I watched as he would attempt to launch games on my friend's My Games page in his Steam account, and even turned on his WinTV card. We exited Steam and the activity stopped. I closed every port on Windows Firewall except VNC, Steam, and Skype, and we launched TF2 again. Within minutes it happened again.

I checked the logs on the router (wireless is disabled on the router), and the logs in Event Viewer, the Steam forums and I did some Googling but to no avail.... IP scan (using netscan.exe) shows only my friend's PC and the Router on the LAN.

We have unplugged his PC from the net, and he will be bringing it back to me tomorrow. I changed his passwords for sensitive sites from my machine (except Steam -- if this guy obtained the IP through Steam, we don't want him finding my IP and possibly compromising 2 systems) and we will be trying to figure out how this person is getting in, and more importantly, how to stop it.

I've never seen this in person before, so I'm not too sure where to begin. I think I will start by performing the steps for Anti-Virus/Malware removal on this site... But I don't know if it will do any good.

Any help would be appreciated.

Thanks in advance,

Andy :)
 
Performed rootkit checks with Panda, AVG and Sysinternals RootkitRevealer.

Found nothing; a few false positives with RKR but otherwise nothing...

Suggestions? Anybody?

Before re-installing Win-doze I want to be reasonably sure that this will not continue.
 
jhmed said:
I looked at the Windows Firewall, and there were a lot of Exceptions, but all seemed ok.

Biggest problem I pulled out of your post is this

You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a firewall on your computer. If you use the Windows Firewall you might think that's enough, but it only controls inbound traffic. Simply using a firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo (Vista compatible)
Kerio
Online Armor
ZoneAlarm (Vista compatible)


After that I would follow the preliminary removal instructions and post back here with the logs.
 
Blind Dragon, good post! I was going to say that firewalls are everything as far as safety from inbound hackers goes. Also, try contacting his ISP and try to get a log of those days (if even possible).

Also, PortBlocker by AnalogX, that's a very good program that will stop entry from many things; you can also add different ports to have it block. And POW! by AnalogX stops pop-ups.

Blind Dragon, is Comodo a good firewall? Because I had ZoneAlarm before and it didn't really work for me.
 
It depends what you consider a good firewall. Comodo is a more effective firewall, but it can also be a bigger pain because of warnings. It takes a lot longer to set up. The nice thing about it is a feature called Defense+; this is basically their HIPS. It isn't based off definitions but instead the actual behavior of programs. So it will recognize malicious behavior instead of simply comparing your files to those in its database.

It is free though, so I would definitely try it out as it is a very good product and, like I said, the only downside is that for some people it is overprotective.

Make sure, if you get it, that you select the advanced option instead of basic during install, so that it includes Defense+.
 
Asked his ISP for any info and to possibly refresh the IP for us, but they refused any assistance. I ended up giving him a spare router I had kicking around in hopes the MAC address of another router might pull a different IP from the ISP's DHCP.

We'll see.
 
After you attach the logs from the preliminary removal instructions, we will be able to see if there is a DNS hijack and, if there is, we can find out who is on the other end of this as well as cut them off.
 
Probably a master at hacking!
If so, take extra precautions! He may fry his comp! So I would encrypt the computer itself with a triple-password encrypter.
 
Simply installing the firewall should give control enough to allow/deny access.

They obviously figured out how to enable themselves as trusted through Windows Firewall, but a third-party firewall is different.

For an attack like this they had to install some remote administration software, which will have to connect in order for them to access the machine. The firewall should not allow this without your permission.
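An added example, not code from anyone in this thread: a small Python script that parses `netstat -ano` output together with a PID-to-process map (as `tasklist` reports it) and flags established connections to hosts outside the LAN owned by anything other than the programs the owner deliberately allowed (VNC, Steam, Skype). The netstat lines, process names and addresses below are constructed for the demonstration; on a real machine you would feed in the actual `netstat -ano` and `tasklist` output.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not from the thread): Proto, Local, Foreign, State, PID.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:5900      192.168.1.20:49152     ESTABLISHED     1244
  TCP    192.168.1.10:49201     203.0.113.7:27030      ESTABLISHED     2016
  TCP    192.168.1.10:49305     198.51.100.9:6667      ESTABLISHED     3320
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    192.168.1.10:27005     *:*                                    2016
"""
# Constructed PID -> image-name map, as `tasklist` would report it.
SAMPLE_TASKLIST = {1244: "winvnc4.exe", 2016: "Steam.exe", 3320: "svchost32.exe", 900: "svchost.exe"}
# The three programs the owner deliberately left open in Windows Firewall.
ALLOWED = {"winvnc4.exe", "steam.exe", "skype.exe"}
# Peers inside the LAN or on the machine itself do not count as "outside" connections.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; UDP rows have an empty state."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and blank lines do not match
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows

def is_lan_peer(addr):
    """True for RFC1918/loopback peers or wildcard sockets; False for outside hosts."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return any(ipaddress.ip_address(host) in net for net in LAN_NETS)
    except ValueError:
        return True  # '*' wildcard socket: no real peer to report

def suspicious_connections(netstat_text, pid_to_image, allowed=ALLOWED):
    """Established connections to outside hosts owned by processes not on the allow list."""
    flagged = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        if (state == "ESTABLISHED" and not is_lan_peer(remote)
                and image.lower() not in allowed):
            flagged.append({"image": image, "pid": pid, "remote": remote})
    return flagged

for hit in suspicious_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
    print(f"{hit['image']} (PID {hit['pid']}) -> {hit['remote']}")
```

Anything it prints is a process you did not knowingly allow holding an open connection to the outside, which is where a remote administration tool would show up; the Steam and VNC rows pass because they are on the allow list or inside the LAN.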
 
Yeah, that's good! Completely forgot about that part, must be getting Alzheimer's at the age of 14...
 
Because of the technology used, once the connection is made, the server side can run all kinds of stuff. This is the hazard of Client/Server programs, as the firewall has already been breached by the user configuration necessary to make Steam work in the first place.

The (real) solution is to
  1. Stop playing that game altogether
  2. Find another site to play games on
  3. Abandon Steam
 
Well, your PC sure has a big problem with this hacker.

I got spyware lately and I installed AVG Internet Security (30 days free XD), and the firewall is perfect from what I can say, but of course it is a pain to set it up because it denies anything that tries to access the internet or any other computer that wants to access your computer. It is also an anti-spyware and anti-rootkit too, so it should be able to help you.

You can try it and post back if it helps you... thanks.
 
Zero, AVG sucks. That's all.

Jhmed, you can try to change the information on Steam first, such as secret questions and password, on a DIFFERENT computer, and see if it helps.

If not, I'll help you out with Steam through PM, or Steam.
 
Really? AVG sucks?

Well, all I know is that you should try PortBlocker, jhmed. It will alert you of computer access attempts and stop them from entering.

Also, Spybot S&D; it has some useful tools for protecting the registry and other settings.

An internet log viewer would be good, too.
 
Maybe I don't know much software that has a firewall, since I don't use it often because I only use Windows Firewall (the AVG I already deleted, since I was having problems updating it).

My comment here is: try not to use some anti-spyware that says it is free; most of the time it is itself spyware (anti-spyware with a firewall).

The reason I advise using AVG is that at least it is "branded".

Of course you can try using other software people recommend here, just be careful (I was shocked when I got spyware and found out on the internet that many anti-spyware programs are fake, to trick you into installing them).

As I mentioned in the first place, I do not know much about firewall software.
 