?

Log in

No account? Create an account

Previous Entry | Next Entry

little hands have BIG eyes. . .

or why a good password policy, attentive admins and a preferably domain controller is really necessary to protect a computer lab

Yesterday a machine was brought back from one of our clients sites badly infected with ransomware, we cleaned it off and started looking at this machine which came out of a lab we had set up last summer. It has been used for the last 6 months by teenagers to play a limited set of pc games, do homework, etc. None of the software packages we had installed were there, non of the accounts which were configured to control access and windows steady state was compeltely gone. We scratched our heads over what had happened and assumed someone had managed to get into the pc when the admin was in the can and reset the CMOS password and reinstalled windows from HP recovery media. . . not so much it turns out. . .

always remember the simplest answer is likely what happened.

When I got onsite I checked the other machine. 7/8 machines had lost all the info 4 had been restored back to factory defaults by the recovery partitions and three were hung up in the process of reloading the factory defaults. Only 1 was still the way it had been setup.

All the machines still had bios password and recovery functions from the boot screen disabled. My guess is 6 months of having the admin password typed in to run programs off of CD resulted in enough glimpses of the password to put it together. Which allowed some enterprising young adult to log into the administrator account and initialize the recovery partition. All to install some stupid online game they wanted to play. . . and they cost everyone else computer access as the Lab is now out of order for the foreseeable future until this non-profit can come up with the funds to have the machines re-installed and re-imaged, *NOT* a cheap proposition. Considering last time it was over 14 hours of work.

Comments

( 3 comments — Leave a comment )
(Deleted comment)
razorslave
Feb. 7th, 2010 06:11 am (UTC)
effectively they did.
(Anonymous)
Feb. 10th, 2010 02:57 pm (UTC)
Job security
Hey Bra,
It's what keeps us in levi's and lipstick (or laytex and leather). What sort of ransomware was it?
-Mish
razorslave
Feb. 10th, 2010 05:03 pm (UTC)
Re: Job security
Some variation of the most recent iteration of Antivirus 2009 or one of it's clones. . .

you know the one, the pop up "YOU"RE INFECTED press ok to scan" and if you click anywhere on the pop up it's actualloy a giant ok button and it installs itself and a shit-ton of friends on your pc, disables windows ability to uninstal it, (unless you know what you are doing)
( 3 comments — Leave a comment )