Filthy Casual
Entry #004 - Riad's Stroke (A tale from tech support)
By PodeCoet - Thursday, January 29th 2015 @ 21:42:44 ADST



This post was rejected by a moderator from Reddit's /r/TalesFromTechSupport (one of my favourite subs), with the following reason:

"There's a lot about that post that makes it not appropriate for this sub. Chanspeak. Image Links. NSFW language. It's not going to fly here, sorry"

You have been warned, turn back now if you're a Sensitive-Suzan.

I made the mistake of asking my friend for a favour months ago, and now I seem to be repaying said favour ten-fold. There's a reason why I don't get out much, and this pretty much sums it up.

Today's job is running some new wiring in a vehicle's engine bay, for an after-market radiator fan controller. I've been doing a lot of these lately.

What the fan controller does isn't really relevant, but it has a blue display that lights up - and apparently that's worth $400.

A gent (Riad) shows up a short while later, sounding rather distraught. With my head in the engine bay, I couldn't help but overhear that he's having some strange problems with his PC, but he wasn't being very specific, almost as if he's hiding something.

I know what you're thinking, man - Random guy shows up to your friend's house, talking about IT problems, precisely when an IT-guy happens to be there. Convenient, right?

Yep.

Inevitably, there was a "Hey man, PodeCoet is good with computers, why don't you ask him?" - And I was eventually suckered into paying the guy a home-visit.

Turns out he's just down the road from my friend, and we begin to walk over through a rather dense cloud of awkwardness.

Bear in mind, this guy's a stereotypical gym buff, and I'm a stereotypical electronics guy with pony-tail and goatee (to be fair, the goatee is four inches long now)

We go through the usual introductory talk, and once we deplete our stores of generic questions, he stops suddenly, looks me dead in the eye, and asks

"Do you believe?"

...Believe in what? God?

"No, like the unseen, I know it sounds stupid, but someone's talking to me through my computer - when I'm up late at night typing documents my computer sometimes beeps, and swearwords start to show up in the document!"

Wh... I don't even... I reassure him that it's probably someone messing with him through remote access. Not that that would normally be of any consolation, but at least it's not a friggen' ghost.

I get to his place, plug in my trusty flashdisk, and run a full plethora of scans. I also manually sift through his registry, ensure all updates and definitions are installed/up-to-date, and that there are no rogue listeners (i.e. means of remote access).

It's clean. Absolutely spotless. Not even any trace of porn in the browser history. No toolbars either! He was even careful to uncheck "Install the ASK toolbar" during Java updates.

I inform him that I've taken steps to harden his defenses, so that it's far more difficult for people to get in and mess with his documents, hopeful that I didn't sound too patronizing.

I got a "thanks bro", as well as a prolonged awkward handshake and loving stare into the eyes, then went on my merry way.

10PM that evening, I get a phone call from a number that I don't recognise... Who the hell calls at 10PM? I pick up, and it's Riad! He got my number from a mutual friend, which I must say I was rather displeased about.

"They're fucking with my shit again! CAN YOU COME OVER NOW?!"

I figure screw it. I want to know what this is just as bad as he does. So I drive over not knowing what the hell to expect.

His younger brother lets me into the house, and leads me to the loungeroom, where Riad is sitting there, face glued to the screen. There's a chair and a cup of black tea waiting for me right next to him.

He tells me to sit and watch, in silence no-less. There's a Word document open, with lots of legal jargon.

Seconds turn to minutes, with zero activity. His younger brother walks out of his room to the fridge and asks me if I want some cheese.

Sure. Why not. I'll have some cheese. I've been offered far more unusual things in far stranger settings.

Kid brings the cheese, glares over my shoulder and asks what we're staring at. Riad responds with

"Nothing man, go back to your room"

The kid stomps back to his room and we continue our awkward staring session.

"Just wait bro, you'll see, I'm not fucking crazy man"

...Uhh, sure -- Holy shit, did I want out of there something fierce.

Not a moment later, the cursor starts moving erratically, as text starts getting shifted around the document. Then the following appears on the screen:

lol sup fagit i found u

The hairs on the back of my neck stand on end, and Riad just about shits himself.

I know this is probably a 'hacker' (more like a script kiddie), but knowing this stuff happens, and actually seeing it happen in front of your eyes are two entirely different things.

Meanwhile Riad rolls back in his chair while stuck in an "I told you man... I told you man..." loop

I do my best to reassure him, and then I of course proceed to make it worse:

"Look, Riad, if I disconnect this cable, their access is lost"

So I disconnect the ethernet lead from his PC, severing his connection to both the Internet and his Local Network.

Everything appears to stop, and we both breathe a sigh of relief for a brief moment

Then, on the screen:

fuk u n00b

WHAT THE FUCK... I do my best to contain myself, but all I could muster was "That's impossible. THAT'S IMPOSSIBLE".

Meanwhile, Riad is going into cardiac arrest and can barely catch his breath.

Hah! I know. He probably has a WiFi card, and he's still connected through his wireless connection. I check Device Manager, and the PC physically. Nope. Only one ethernet adaptor.

So, Bluetooth then? Nope.

A-Ha! Wireless keyboard contention! Nope, the keyboard is wired, and I couldn't see any wireless dongles attached to his PC.

So I start task manager, but alas, no unusual tasks.

...Fucking Netstat then? Nope. No unusual listening ports.

The hell's going on here? We're disconnected from the 'net, no means of control from the outside using WiFi or Bluetooth, or from the inside using the remainder - no unusual tasks, no unusual listening ports, wired keyboard and mouse.

It has to be a rootkit. The vilest, scummiest viruses that can avert detection. And the curses being typed aren't live, they're likely stored in a file and played back at random, nobody is controlling anything. It's a stupid virus using a SendKeys() analogue.

So I ask Riad when it started. He replied:

"I got sick of replacing the batteries on my keyboard, so I bought a wired keyboard, and then it started"

...

I then asked him if there were any other wireless keyboards in the house, to which he responded:

"yeah we bought two of them at the same time ages ago for a discount. But I threw mine out and bought a wired one a few months later"

Huh. Wireless keyboard contention would explain everything... But there's no wireless dongle attached to this PC?

I check Device Manager and it shows multiple Human Interface Devices, but there are also many USB devices attached, including a webcam.

So I gently remove the PC out of its cabinet, careful to pull enough slack on all the cords so they're not torn out. I can't see any bloody dongles anywhere.

...Until I look closer - in a "free" port underneath one with a USB lead attached:

[Image: Hidden Dongle]

It's one of those damn "micro dongles" - The black 'cap' fell off, as did the metal shielding. All that's left was a thin PCB inserted into the USB slot.

Those curses Riad has been seeing on his screen? It was his little brother playing Counter-Strike on his PC, taunting the opposing team.

Riad's PC appeared to be picking up spurious transmissions from his brother's wireless keyboard, using the half-assed franken-dongle attached to his USB port.

All is solved, Riad has recovered, and I was sent home with a jar of haloumi cheese.

What a friggen' night.

See you in the next post!

-PodeCoet