
RATs-Remote Access Trojans-Proxy Server



GliqInfo
2013-01-25, 02:33
Hello, Spybot SD...

My Dell Inspiron MT537 Windows XP Pro has been invaded at least twice since August 2011 and was turned into a Proxy Server, apparently for use by a large company that provides VPNs and other Proxy services.

In the first incident, my machine was rigged by a .exe associated with a Free Dialup service known as Dialup_for_Free. It took me more than a year before I realized that my Windows Remote Access was used, at least in part, for using my computer(s) & IP address as a proxy server.

Because I check my machine regularly for Remote Access intruders, the 2nd takeover took me 25 days to realize my computer had been turned into a proxy server. It is quite possible that a third takeover may have occurred, but there are no indications of this in the 'remoteaccess' sections of the Windows XP Pro Registry.

The basic proof of the takeover/proxy server was originally discovered when I used an Eset Antivirus app known as 'SysInspector.exe' which listed the domain names that Windows labels as 'EVAL=5'... all told, there were about 10,000 different domain names.

Without going too far into the complete history of these events, I would like to ask safer-networking to take a deep look into this not-so-recent phenomenon. There are YouTube videos that describe how to invade someone's computer using Windows 'Remote Assistance' that date back as far as 2008.

What I think is needed are as follows...

1) An immediate 'red flag' to appear when anyone enters a computer through the Windows Remote Assistance Software
2) An app that would undo all of the proxy server settings which would immediately stop the machine from being used as a proxy server.
3) A method to clear the Windows Registry of all the domains that were flagged through the use of the installed Proxy Server.
4) And a TRACERT that would attempt to track down the organization that is providing proxy service through the criminal use of an unsuspecting person's computer.

Thank you
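An added example, not from this thread or from Spybot, covering the poster's points 1 and 2 as a defender would check them by hand: it reads the standard Remote Assistance, Remote Desktop and WinINET proxy registry values, lists every listening TCP port with its owning process (a machine serving as a proxy for others must accept inbound connections), and optionally reverts the proxy and Remote Assistance settings. The $BaselineProxy value is a placeholder for whatever proxy you configured yourself; the netstat parsing assumes the `-ano` output layout of Windows XP and later.

```powershell
param(
    [string]$BaselineProxy = "",   # placeholder: the ProxyServer value you set yourself, if any
    [switch]$Revert                # clear proxy settings and disable Remote Assistance
)
$findings = @()

# Point 1: is Remote Assistance enabled? (fAllowToGetHelp = 1 allows help sessions to connect)
$raKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance"
$ra = Get-ItemProperty -Path $raKey -ErrorAction SilentlyContinue
if ($ra -and $ra.fAllowToGetHelp -eq 1) { $findings += "Remote Assistance enabled (fAllowToGetHelp=1)" }

# Related: Remote Desktop (fDenyTSConnections = 0 allows inbound RDP)
$ts = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { $findings += "Remote Desktop allowed (fDenyTSConnections=0)" }

# Point 2: WinINET proxy settings for the current user; an unexpected value reroutes this user's traffic
$inet = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$px = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($px -and $px.ProxyEnable -eq 1 -and $px.ProxyServer -ne $BaselineProxy) {
    $findings += "Proxy enabled, ProxyServer='$($px.ProxyServer)' (expected '$BaselineProxy')"
}
if ($px -and $px.AutoConfigURL) { $findings += "Proxy auto-config script set: $($px.AutoConfigURL)" }

# A machine acting as a proxy for others must listen for inbound connections:
# list every TCP listener with its owning process so unexpected ones stand out
Write-Output "Listening TCP ports and owning processes:"
netstat -ano | Select-String "LISTENING" | ForEach-Object {
    $f = ($_.Line -split '\s+') | Where-Object { $_ }   # [0]=proto [1]=local [2]=remote [3]=state [4]=PID
    $procId = [int]$f[4]
    $name = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
    "{0,-24} PID {1,-6} {2}" -f $f[1], $procId, $name
}

if ($findings.Count -eq 0) { Write-Output "No remote-access or proxy findings." }
else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Revert) {
        # Undo the settings found above; run from an elevated shell for the HKLM write
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $raKey -Name fAllowToGetHelp -Value 0
        Write-Output "Proxy cleared and Remote Assistance disabled (log off or reboot to apply everywhere)."
    }
}
```

Run it once without -Revert to review the listener list and findings, then again with -Revert only after you have noted the offending process for the listener you want to investigate.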

GliqInfo
2013-01-25, 03:03
This article is from the September 2002 issue of Security Administrator...

http://technet.microsoft.com/en-us/library/dd632947.aspx#EGAA

One of the most important subjects that were described in this issue was that "Broadcasts" can be set up by RATs as a "homing signal." In my study of my own machine, I felt that a large company (that I call an "enterprise") secretly contracts hackers to rig computers for the 'enterprise.' The enterprise needs a homing signal in order to find the reconfigured machine. This feature is also important to find the machine again when the machine's IP address is changed.

To broadcast this signal is also very important to the enterprise as it cannot be traced back to itself. Hackers can also sign their work by leaving an identification tag in the remote access sections of the compromised machine to ensure payment for their work.

Here are two paragraphs from the above link which can be found under the section called "Scurrying Rats..."

The process can send the intruder (aka the originator) an email message announcing its latest takeover success or contact a hidden Internet chat channel with a broadcast of the exploited PC's IP address. (I've watched hundreds of victim PC addresses appear in an hour on these channels. I've also seen intruders collect thousands of compromised machine addresses and use them as online currency.) Alternatively, after the RAT server program is launched, it can communicate directly with an originating client program on the intruder's PC by using a predefined TCP port. No matter how the RAT parts establish connectivity, the intruder uses the client program to send commands to the server program.

RAT originators can explore a particular machine or send a broadcast command that instructs all the Trojans under their control to work in a symphonic effort to spread or do more damage. One predefined keyword can instruct all the exposed machines to format their hard disks or attack another host. Intruders often use RATs to take over as many machines as they can to coordinate a widespread distributed Denial of Service (DoS) attack (known as a zombie attack) against a popular host. When the traffic-flooded victim tries to track down the intruder, the trail stops at hundreds of innocent, compromised DSL and cable-modem users, and the intruder walks away undetected.