[update] Tracing a Hacker

I’ve been browsing this site and its forums for several months, never contributing to any discussions or even creating an account until now.


Last week, my friend noticed a window appear when he booted his computer; this window only appeared for a brief second and had “matrix” style numbers on it. Being concerned with what he had seen, he ran an anti-virus scan on the computer which returned no threats, but he knew that was incorrect. He was able to isolate an unknown process in task manager, locate the source files (which I will mention later), and remove them himself. It appears that he was successful in removing the threats because they have not resurfaced, but here is where the story takes a serious turn. Later that day, he discovered he was unable to log onto his Steam account. He went to recover his password, but when he attempted to recover it he did not receive the proper email from Steam to allow him to reset it; instead he received no email. After attempting a few more times, he became confused, and he looked on the Steam community site at the activity of his account. What he found was: someone had assumed control of his account, changed his password, changed the email attached to the account, removed all his friends, replaced them with others, and played his games for a short time. My friend quickly realized that the files on his computer could be, and probably were, related to his Steam account being hacked. Worried about his other online accounts, he changed all of his other passwords, without incident and from another device; however, he did receive an email regarding an attempt to change one of his email passwords, but everything else is secure. After confirming all his other accounts were safe, his attention then turned to recovering his Steam account, cleaning his computer, and stopping the person that did this from doing it again. He has started the proper Steam ticket to have his account recovered, but they have yet to reply to his request.


As for the reason why I am posting here: we are looking for advice on how to proceed on a few fronts. These fronts are: ensuring the recovery of his Steam account, finding the person that did this to him, and stopping that person from doing it to others.


We aren’t completely up the river with respect to finding the person. My friend noticed something weird about one of the Steam users who had been added as a friend to his account: one of the people had the same name as one of the files he found on his computer. That doesn’t automatically make him guilty, but it certainly is a strong indicator. Also, we are in the process of recovering the malicious files that he deleted in an attempt to trace their connections. He has backed up his important files, and after he tries to recover the files he is going to format his computer.


That is pretty much all that has happened so far. We would like some people’s advice on how to deal with this situation. How would we go about tracing what has happened to an individual, or group? Should we contact any authorities, and which ones? What would you do? Any input on the situation would be much appreciated. We are competent with technology, so we would be open to all pathways available.


Thank you for taking the time to read this post.

[UPDATE]

So with regard to finding the person or persons who orchestrated this hacking, we have given up; it would take too much time. Fortunately, my friend was able to get his Steam account back from Valve; he now has full control back and is enjoying playing his games. As for the three friends on his account that were added by the person who took it, one of whom had the same name as a file found on my friend's computer, my friend decided to send two of them a message while they were online. One of the two didn't respond, but the other doubled down and talked with my friend. This conversation was short and consisted of this unknown guy calling my friend a "nice jew boy" and sending a picture of my friend taken from his webcam.

Even after that happened, we are still going to try to move on and prevent it from happening again. My friend doesn't think they have any other photos because he remembers when the webcam light came on; but it is creepy nonetheless.

Anyway, thanks to all those who provided their opinion and best wishes on this situation. If anyone has anything else they would like to contribute, please do; I am always open to listening to another possible resolution to the situation.

Hello PolarVortex, I deal with hackers and people who threaten to hack me quite frequently. If your friend has used a PayPal or credit card on the computer or any accounts, that would be my first concern, because having a credit card compromised is not fun and a painful process to recover from. I suggest watching the transactions made on the card. So if a purchase is made and it wasn't your friend, they can contact the card provider and have them fix the issue. If money or other people's data such as email, addresses, or phone numbers are able to be / have been taken from the hack, I suggest you contact the authorities.

Once that is done, or if you don't want to get the law involved, I suggest you find the root of the attacker's files. I would make a list of all apps and take any important documents such as photos and files. Then clear the hard drive and do a fresh install of the OS. I would get in contact with Valve (over the phone would be best to resolve the issue) and they might have data of servers that your compromised Steam account has been on. So they can obtain the hacker's IP; unless they have amazing internet I don't think they will be running a proxy while playing games. Obtaining the IP could help authorities find the hacker.


He is being vigilant and watching his credit and banking accounts. Contacting Valve to get this guy’s IP is something we will definitely try.

Thanks!

You could reverse-engineer the malicious files.

This would be good if the files are still on the computer. If it's a keylogger of some sort, you can isolate the file and sniff the packets. I used to do this in a sandbox to find out where the logs were going, since the packets would usually contain the email destination and the password to said email. Things could have changed, though, it's been a while since I've done this.

Wow, my condolences to your friend. Hope the best for him.

If this person has half a brain, he/she cracked somebody else's Wifi, used a public hotspot or just concatenated a few free VPNs. Also, the Trojan on your computer was very likely an encrypted executable, in order to sneak past the anti-virus.

Catching this person is probably going to cost you a lot of resources and time. And then you're probably going to find that it's some poor kid living in a crappy situation, unable to pay for games.

My advice: spend your time and effort on better IT security for your computer. Forgo the whole justice/revenge thing and file it under valuable lesson learned.

I for one run Windows in KVM on a Linux host system with PCIe passthrough, and Windows isn't allowed online except for white-listed Steam and game servers.

Also, I use a different throw-away credit card for every game. I also create a new account for every game that I buy.

It might just be me, but your security seems a little overkill.

Hello polarvortex,

I'm sorry to read this. First of all, a warm welcome to this forum. I guess for me this is also quite the first time getting into a real discussion here. I dislike the forum interface a bit.

> Last week, my friend noticed a window appear when he booted his computer; this window only appeared for a brief second and had “matrix” style numbers on it.

So you noticed this after boot time? Some details would be good. When I hear this, it sounds like the Windows command line tool. Besides that, what version of Windows is used? Sometimes Windows Update has the same effect. Custom software too. There are some possibilities.

> Being concerned with what he had seen, he ran an anti-virus scan on the computer which returned no threats; but he knew that was incorrect.

Here you just learned that anti-virus software is very dumb (and way overpriced). Here is my question: what software did you use exactly? Anti-virus is just byte-pattern matching software. When someone writes something new, the best anti-virus will be useless.

> He was able to isolate an unknown process in task manager, locate the source files which I will mention later, and remove them himself. It appears that he was successful in removing the threats because they have not resurfaced, but here is where the story takes a serious turn.

There are lots of processes within your system. Again, what kind of process was it? Some details, a name maybe. It makes sense that you remove an "unknown" process. But how did you try to identify this as a "threat"? What was the name?

When you have a name, there are good chances to identify which program this process may belong to.

> Later that day, he discovered he was unable to log onto his Steam account. He went to recover his password, but when he attempted to recover it he did not receive the proper email from Steam to allow him to reset it; instead he received no email. After attempting a few more times, he became confused, and he looked on the Steam community site at the activity of his account. What he found was: someone had assumed control of his account, changed his password, changed the email attached to the account, removed all his friends, replaced them with others, and played his games for a short time.

I know how this sounds, but where is the relation? Where is the proof? This does not seem like real proof. Why: you removed some files and a process disappeared. But a Steam account can also be compromised by a weak password. This is in general more likely. Why was his Steam account compromised but his e-mail address wasn't?

> My friend quickly realized that the files on his computer could be, and probably were, related to his Steam account being hacked. Worried about his other online accounts, he changed all of his other passwords, without incident and from another device; however, he did receive an email regarding an attempt to change one of his email passwords, but everything else is secure. After confirming all his other accounts were safe, his attention then turned to recovering his Steam account, cleaning his computer, and stopping the person that did this from doing it again. He has started the proper Steam ticket to have his account recovered, but they have yet to reply to his request.

Good reaction. 

> As for the reason why I am posting here: we are looking for advice on how to proceed on a few fronts. These fronts are: ensuring the recovery of his Steam account, finding the person that did this to him, and stopping that person from doing it to others.

I'll do this later, but you should not expect high quality answers from the public. Finding is always the hard task. I would suggest: don't try it.

Why: the chances to identify someone directly with this are almost zero. This is work for someone who spends days on this on a professional basis. You're missing the tools, you're missing the knowledge for this. The right thing to do is learning from this. You can't prevent people from doing bad things on the Internet.

When you want to do this, you need to go to court for this. But for this you need to have proof, something identifying. And when he's not even in your country, the chances are getting lower and lower.

> We aren’t completely up the river with respect to finding the person. My friend noticed something weird about one of the Steam users who had been added as a friend to his account: one of the people had the same name as one of the files he found on his computer. That doesn’t automatically make him guilty, but it certainly is a strong indicator. Also, we are in the process of recovering the malicious files that he deleted in an attempt to trace their connections. He has backed up his important files, and after he tries to recover the files he is going to format his computer.

Very good. The question here: where did he find these files? Maybe it's just Steam storing files locally in this way?

> That is pretty much all that has happened so far. We would like some people’s advice on how to deal with this situation. How would we go about tracing what has happened to an individual, or group? Should we contact any authorities, and which ones? What would you do? Any input on the situation would be much appreciated. We are competent with technology, so we would be open to all pathways available.

Great. Could be worse ;-). So here comes my advice for you, for the next time. When you believe one of your systems is compromised: shut it down. Disconnect it from the Internet, boot a Linux live image and create a disk image from the compromised system. When you have this, do a new installation of your OS.

Make sure to change ALL passwords after this. First for e-mail accounts, then for everything else. Make sure to use strong and different passwords for important services. Maybe activate two-factor authentication on services which use the mobile phone number. I dislike this, but it increases security a lot.

Then you need to examine the disk image. Copy it and run a virus scanner on it. Try to find the 'unknown' code. Check what it does. Check what files are changed. Check for open connections to any server.

You can also use tools like The Sleuth Kit.

Even without that, make sure that the boot loader remains clean, same for the hard drive firmware. The best is maybe to update to the latest version of the BIOS and/or disk firmware.

The problem is that you need to identify this code. First you need to isolate it, and then you need to verify it. It's dangerous to jump to any conclusion without proof. You need to find the malicious code. Everything else is just wild guessing.

To get it into a secure environment, you can try to get it running in a VM. But maybe this is getting too much. I'm not sure where you live, but maybe reporting it to the FBI could be an idea. But only when you are ready to prosecute them.

It's better to learn from this: make sure to have the latest and greatest version of your software. It's not clear where the attack came from. You have to make sure that everything is up to date.

Since some weeks there are a lot of public vulnerabilities on routers. Make sure that yours isn't one of them. When you get paranoid, get an OpenWrt router. See here and here. I could go on all night long.

Maybe Steam itself was the issue; at least there are some proofs of concept open. So it's hard to say where it is coming from.

> Thank you for taking the time to read this post.

You're welcome. I hope this is helpful and I was understandable enough. Sorry for grammatical mistakes.

Thanks to the other response, especially that watching over your credit card and co. is important!

PS: I think hacking is the wrong word to use here. It should be moved into an extra forum for security.

best regards

Akendo
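The image-then-examine procedure Akendo describes above, as an added example that is not from the thread: a POSIX shell helper, run from a Linux live system, that copies the suspect disk with dd, records source and image hashes so the copy can be proven faithful later, and reads the partition table from the image without mounting it. It assumes GNU coreutils (dd, sha256sum) and, for the partition listing, The Sleuth Kit's mmls or util-linux fdisk; /dev/sdX and the case01 prefix are placeholders.

```shell
#!/bin/sh
# Added example (not Akendo's or the thread's own code): image a suspect
# disk from a Linux live system, record hashes, and read the partition
# table from the image. Assumes GNU coreutils (dd, sha256sum) and, for
# list_partitions, The Sleuth Kit's mmls or util-linux fdisk. /dev/sdX
# and the "case01" prefix are placeholders, not values from the thread.

set -u

# make_image SRC OUTPREFIX
# Copies SRC to OUTPREFIX.img and writes OUTPREFIX.src.sha256 and
# OUTPREFIX.img.sha256. Prints the source hash so callers can check it.
make_image() {
    src="$1"; out="$2"
    # bs=512 matches the sector size, so conv=noerror,sync (read past
    # bad sectors, zero-fill them, keep offsets) does not pad the image
    # beyond the real disk size; with bs=4M the last block would be
    # padded and the hashes would no longer match. dd's report and any
    # read errors go to OUTPREFIX.dd.log as part of the record.
    dd if="$src" of="$out.img" bs=512 conv=noerror,sync 2>"$out.dd.log" || return 1
    sha256sum "$src" | cut -d' ' -f1 > "$out.src.sha256"
    sha256sum "$out.img" | cut -d' ' -f1 > "$out.img.sha256"
    cat "$out.src.sha256"
}

# verify_image OUTPREFIX
# Succeeds only if the image still hashes to the value recorded at
# imaging time AND that value equals the source hash, i.e. the copy is
# faithful and has not been altered since.
verify_image() {
    out="$1"
    [ -s "$out.src.sha256" ] && [ -s "$out.img.sha256" ] || return 1
    cur=$(sha256sum "$out.img" | cut -d' ' -f1)
    [ "$cur" = "$(cat "$out.src.sha256")" ] && [ "$cur" = "$(cat "$out.img.sha256")" ]
}

# list_partitions OUTPREFIX
# Reads the partition table from the image without mounting anything,
# so the evidence copy is not touched.
list_partitions() {
    if command -v mmls >/dev/null 2>&1; then
        mmls "$1.img"
    else
        fdisk -l "$1.img"
    fi
}

# Usage on the live system (only runs when two arguments are given):
#   sh image.sh /dev/sdX /mnt/evidence/case01
if [ $# -eq 2 ]; then
    make_image "$1" "$2" && verify_image "$2" && list_partitions "$2"
fi
```

Work on the image copy from then on; the original disk is only ever read once, and verify_image tells you if a copy has drifted from what was taken.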

Hey,


I will be answering your questions from top to bottom, as they appear in the thread, to the best of my ability.


The window that opened during the booting process was a command prompt console window. He is using Windows 7.


He ran two anti-virus programs: avast! and Microsoft essentials.


The process that he terminated was named “vbc.exe*32”, which is a Visual Basic compiler. At the time he was not using anything that would require a Visual Basic compiler, and it is not a process that is normally on his computer; therefore he considered it the source of the malicious program.


The proof of the connection between the things he found on his computer and his Steam account being stolen is the timing, and that one of the files found on the computer was named after one of the friends added to my friend's stolen account. The person who controlled the malicious software had tried to steal his email account, and my friend knows this because he received the email containing the password reset procedure. His Steam account and this one email were the only things that were compromised before he changed all his passwords.


The presumed malicious files were found in “AppData” and, using internet searches, were found to be a virus and not associated with any legitimate software on his computer.


Unfortunately, as mentioned in another response, the amount of time and resources finding this guy would take is far greater than my friend or I are willing to expend. He, and myself, have instead taken the approach of just recovering his Steam account and preventing this from happening again.


The advice you gave to find the malicious file, and various other tips, have been recorded for the next time something like this happens; hopefully I will never need to use them.


Thank you for taking the time to construct such a detailed response.

Yeah, I have basically given up on finding the guy that did this. My friend is focusing on talking with Valve to get his account back and preventing this from happening again.

Hello PolarVortex,

thank you for the best of your ability. ;-). I'm glad you could see my points.

Here is some information: software updates sometimes cause the triggering of custom scripts. This can sometimes even happen with 'professionally' made software. When a system becomes older, chances are high that such software is in place.

Additionally, vbc is a tool that gets installed by Microsoft themselves. So if you were affected by malicious code, I have a hard time believing you would not find it with your antivirus program. Further, did you remove vbc or the code that executed it? How did you remove it?

If it was a key logger, the information has been either A) sent to another server or B) stored somewhere. Maybe you could find the log? I also could imagine that the username-based file was the log.

But I guess you did the right thing. It's hard to figure things out without having some files in front of you. So the best is guessing....

The best is to have a good backup strategy.

best regards

Akendo

I am so sorry for your friend. I hope he can get his account back and play his games again. I have just had my Steam account hacked, posted something here, and I was back in. When you do get the account back, turn on Steam Guard.