Problem solve Get help with specific problems with your technologies, process and projects.

Challenge 9: The Root of the Problem

Do you suspect your network's security has been compromised? If so, with the right set of tools, you can discover and remedy such a problem in no time. See how other IT professionals went about getting to the root of their particular network infiltration.

The following book excerpt is from the recently released Hacker's Challenge 3 (McGraw-Hill Osborne) by David Pollino, Bill Pennington, Tony Bradley and Himanshu Dwivedi. This chapter presents a situation in which the security of an organization has been compromised.
Industry: Publishing
Attack Complexity: Moderate
Prevention Complexity: Moderate
Mitigation Complexity: Moderate

Wednesday, November 9, 2005, 15:17

Dillon McCabe had put in six solid years working for Markwell Publishing—half of them as a one-man IT department. He had essentially pieced the network together with chewing gum and tin foil when there was no budget at all, and he had put in 80-plus–hour weeks to handle all of the network administration tasks as well as the technical support issues for the desktop systems. Markwell Publishing owed him.

Dillon had been there through it all since the company was launched. He'd been through times when he wasn't sure he would be paid at all, and raises and bonuses were virtually unknown. Now that Markwell Publishing had survived to adolescence and was making a name for itself, one of its larger competitors had started to take notice. Slyck Press had approached Dillon with a job offer for substantially more money than Markwell was paying him.

He tried to rationalize that it was out of some sense of loyalty and fellowship, but the real reason Dillon went to Frank Samuels, Markwell Publishing's founder and president, was simple greed; he asked for an increase in pay and benefits above and beyond what Slyck Press had offered him. If he could use the Slyck Press's offer as leverage, he hoped he would be able to earn the money he wanted while staying with coworkers he knew and with a network he architected.

Frank thought about it, but said that he didn't believe the job was worth the kind of money Dillon was asking for. Dillon was shocked and disappointed when Frank did not counter. On the spot, Dillon gave his two weeks' notice and left Frank's office more than a little disgruntled.

He would have simply walked out on the spot, but he decided to do some "patching" of some computers before moving on to his new position with Slyck Press. He downloaded some tools to his USB flash drive and proceeded to "update" a few key systems.

Tuesday, January 10, 2006, 09:08

It was going to be one of those days, apparently. Noah had barely walked to his desk and sat down when Greg, the head of the advertising sales group, came to see him.

Noah Chapman had been working in the IT group of Markwell Publishing for almost three years, but he had just recently been moved up to the position of managing network administrator and all of the dirty work that entailed when Dillon McCabe had left the company for a more lucrative position with another publisher.

He would be more impressed with himself, and his promotion, if it weren't for the fact that only three people were on the IT team, including himself, and his promotion came by seniority, not by virtue and dedication.

He picked up his Markwell Publishing mug, a company gift for everyone last Christmas in lieu of real bonuses, and took a sip of his coffee with hazelnut-flavored creamer. "What can I do for you, Greg?" Noah asked.

"Well, this may sound very strange, but is there any way that Dillon may somehow be getting information from my computer?" said Greg.

"I am sure it is technically possible. Why do you ask?" said Noah.

"Since he left, we have lost a number of contracts and bids for new business. Every time we lose, it seems that Slyck Press is the one that beats us, and they seem to beat us by only a little bit. It just seems too coincidental to me," Greg said. "I think maybe he is somehow getting information from my computer so that he knows what we are bidding or what we are offering so they can swipe the business from us."

"OK. Let's go take a look," said Noah.

Noah and Greg walked across the office to the advertising sales team area. Seated in a small sea of cubicles, with walls just high enough to prevent the team from making eye contact and being distracted by each other, were approximately 20 employees diligently sending e-mails and placing phone calls to sell ad space in Markwell Publishing's various magazines.

The two walked past the advertising sales team and into Greg's office. Noah could hear the power supply and fan and the distinct noise of the hard drive grinding away as the activity light on the front of Greg's laptop flickered and flashed.

"Can you figure out what is going on?" asked Greg.

"I can't be sure yet. For starters, though, since you think the computer may have been compromised, I can't trust any of the files or utilities on it. Thankfully, I have a diagnostics disc with the tools I need. The Helix Live CD tools give me just about everything I need, and I added a few of my own, too," Noah said. "That way, I can run my utilities from a known clean CD instead of a suspect computer."

Noah put his diagnostics CD into the computer's CD-ROM drive and opened a command prompt. He searched his bag of tricks on the diagnostics CD and ran FPort, a free forensic utility from Foundstone. Foundstone was founded and run by the authors of McGraw-Hill/Osborne's venerable Hacking Exposed books. Foundstone had since been purchased by McAfee, but it still operated as a separate division, and the free utilities that Noah had come to rely on were still available.

FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid Process Port Proto Path
1060 svchost 135 TCP C:WINDOWSsystem32svchost.exe
4 System 139 TCP
4 System 445 TCP
1132 svchost 1025 TCP C:WINDOWSSystem32svchost.exe
4 System 1063 TCP
0 System 3587 TCP
0 System 3588 TCP
0 System 3595 TCP
0 System 3596 TCP
1320 5000 TCP
1320 123 UDP
0 System 123 UDP
0 System 137 UDP
0 System 138 UDP
1060 svchost 445 UDP C:WINDOWSsystem32svchost.exe
4 System 500 UDP
1132 svchost 1032 UDP C:WINDOWSsystem32svchost.exe
4 System 1623 UDP
0 System 1900 UDP
0 System 2355 UDP
0 System 3089 UDP

"What is all that gibberish?" Greg inquired.

"This utility will not only show us which TCP and UDP ports are open, but it will also link them to the applications that are using them so we can identify any unknown or suspicious ones," Noah explained.

Running FPort didn't lead to any epiphanies, so Noah went back to the diagnostics CD. This time he ran Process Explorer, a free utility available from Sysinternals. Process Explorer examines the processes running on the system and maps them to the handles or dynamic link library (DLL) files that they have open.

"Nothing there either," said Noah. "Perhaps Dillon was more clever than I give him credit for."

Noah went back to his CD and found a tool called BlackLight, a utility from F-Secure. "This utility can detect files and processes that are hidden even from the Windows operating system." Noah was trying to keep Greg informed of what he was doing.

Noah ran BlackLight and generated the following results:


(start logfile)

02/11/06 9:37:20 [Info]: BlackLight Engine 1.0.30 initialized
02/11/06 9:37:20 [Info]: OS: XP 5.2.3790 (Service Pack 1)
02/11/06 9:37:22 [Note]: 7019 4
02/11/06 9:37:22 [Note]: 7005 0
02/11/06 9:37:24 [Note]: 7006 0
02/11/06 9:37:24 [Note]: 7011 1448
02/11/06 9:37:25 [Note]: 7018 2032
02/11/06 9:37:25 [Info]: Hidden process: C:rootroot.exe
02/11/06 9:37:25 [Note]: 7018 10180
02/11/06 9:37:25 [Info]: Hidden process: C:Program Files Internet Exploreriexplore.exe
02/11/06 9:37:25 [Note]: FSRAW library version 1.7.1014
02/11/06 9:37:48 [Info]: Hidden file: C:WINDOWSqservice.exe
02/11/06 9:37:48 [Note]: 7002 0
02/11/06 9:37:48 [Note]: 7003 1
02/11/06 9:37:48 [Note]: 10002 2
02/11/06 9:37:48 [Info]: Hidden file: C:WINDOWSservices.dll
02/11/06 9:37:48 [Note]: 10002 2
02/11/06 9:37:48 [Info]: Hidden file: C:WINDOWSJiurlPortHide.sys
02/11/06 9:37:48 [Note]: 10002 2
02/11/06 9:37:48 [Info]: Hidden file: C:WINDOWSkurlmon.dll
02/11/06 9:37:48 [Note]: 10002 2
02/11/06 9:37:48 [Info]: Hidden file: C:rootBeniOku.txt
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:48 [Info]: Hidden file: C:roothook.dll
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:48 [Info]: Hidden file: C:rootProAgent.exe
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:48 [Info]: Hidden file: C:rootroot.exe
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:48 [Info]: Hidden file: C:rootServer.exe
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:38:14 [Info]: Hidden file: C:WINDOWSsystem32HookApi.dll
02/11/06 9:38:14 [Note]: 10002 2
02/11/06 9:49:38 [Note]: 7007 0

(end logfile)

Noah checked out the BlackLight log and noted some of the hidden files. He did not recognize anything offhand, so he did a Google search for the first one on the list -- qservice.exe. Some of the Google results suggested that qservice.exe was related to a Trojan called ProAgent, which Noah noticed was also one of the hidden files detected by BlackLight.

"Very sneaky, Mr. McCabe," Noah said, admiring his former boss's creativity.

Noah opened an Internet Explorer web browser window and went to the Trend Micro virus information website at He did a search for ProAgent and came up with the following description:


This Trojan steals e-mail and Instant Messenger (IM) password from the affected system. Upon execution, it drops a copy of itself in the Windows folder and logs the user's keystrokes. It then sends the information to the remote malicious user via e-mail.

It also creates a registry entry that enables its automatic execution at every system startup.

"According to this, the ProAgent file detected by BlackLight is sending information from your computer to an outside e-mail account," Noah explained. "So we have a pretty good idea of what is going on here and who is responsible for it. I have a little more investigating to do. After I get more information, we can take our findings to management I think."

"If you say so," said Greg. "I'm still catching up."


  1. What built-in Windows tool could have been used to identify open ports?

  2. How should Markwell Publishing have handled Dillon's departure to protect against this attack?

  3. How can the company protect its internal systems and data from being abused through the inappropriate use of USB flash drives?

  4. What else can Markwell Publishing do to try to safeguard its systems from rootkits?

Does this sound like a problem that could happen or even is happening at your company? Read the next installment of this excerpt from the book Hacker's Challenge, "Solution 9: The root of the problem" to see how Noah and Greg work around this apparent network infiltration.

Dig Deeper on Enterprise desktop management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.