Rescuing a hacked computer

It’s the call every IT-savvy child of elderly parents dreads: ‘I got a message on the screen saying my computer had a problem and I had to call Microsoft. I rang them and they took control of the computer, then said it would cost several hundred pounds to put right…’. Oh, oh.

So, having told them to switch it off and disconnect everything (including the router and the external hard-disk that serves as their on-premise File History drive), this last weekend, I took the 600 mile round-trip to go and look at the machine and see what I could do.

This blog post is a write-up of my approach in case anyone finds it useful later. I’ve written it partly because I couldn’t find something similar when I first got the call, so had to make my approach up as I went along. I’m not saying it’s the best approach, it’s just how I decided to tackle the problem. I should say, this post is very technical and not for the faint-hearted. I also naturally can’t be responsible for anything that happens if anyone else follows this write-up.

Before the technical bit, though, it’s important to say something about emotions. My parents were understandably devastated they’d fallen for the scam and were very upset by the experience. I was therefore very clear with them: they were victims and mustn’t put any blame on themselves for being silly. The impact of their emotional state, however, meant that I didn’t want to risk rubbing salt into the wound by asking about what the person involved had done while they had remote control. It’s highly unlikely they’d have an accurate memory of what they saw on the screen in any case. This meant that my approach was to assume the worst and that everything was potentially compromised.

Backups

My parents’ computer didn’t have a full disc image. I back up the documents folder every few months and store those backups at my house, and they have an external hard disk used for File History. This meant that Plan A for the recovery was to rescue everything off their drive if possible, if not I’d use my latest backup, mixed with the File History for newer material.

Preparatory work

Before leaving my house, I burnt two DVDs: one with a copy of Trinity Rescue Kit, and the other with Windows 10 recovery media (read this first). Both would turn out to be invaluable in the rescue. I’d also kept an offsite backup of my parents’ computer from a few months previously at my house and just in case I copied that backup to an S3 bucket to make it more accessible. (It wouldn’t fit on a DVD.) I also took a Raspberry Pi with me in case I needed to mount the external hard disk in a different Linux environment, although I didn’t need this in the end.

The router

Not knowing what the suspected criminal had done, one of my biggest fears was that the router had been attacked and dodgy firmware installed to facilitate MITM attacks by providing inaccurate DNS lookups. I quickly verified that wasn’t the case: the DNS addresses set in the router firmware matched ranges used by the ISP’s infrastructure and the firmware version reported matched a recent update. Phew.

Rescuing data

Before even considering booting into Windows to investigate the damage, I thought it best to get as much data off the machine as I could, in case some of it was recoverable. (I wanted to avoid booting to Windows in case it was a crypto-locker that had a service set to run on startup that would continue encryption where it last finished.)

To do this, I needed to boot Trinity Rescue Kit (TRK) (a cut-down command-line only version of Linux designed to be used as a Live CD for rescues). But even after setting the BIOS to use the Optical drive as primary boot medium, booting failed on the Sony Vaio laptop involved. I could only get to the Vaio’s own recovery screen, which I suspected was just a frontend to WinRE (the Windows Recovery Environment). After a bit of research, I realised the BIOS option I’d forgotten was to allow Legacy boot (as opposed to UEFI). Once that was changed, Trinity Rescue Kit booted successfully.

I inserted a clean memory stick into the USB socket and then used the TRK menu to mount all local filesystems, then exited to shell.

Using

fdisk –l

to list the mounted drives, it took a little looking to spot the main drive partition seen by Windows as C: – the disk also appeared to have two recovery partitions on it, plus a couple of other partitions.

df –H

showed the free space on all drives, including the 100% free on the memory stick, helping me check where that had mounted.

Then it was a matter of copying files using the copy recursive, verbose command, and pretty much leaving it to do its thing.

cp –rv source destination

My initial concern was email, since I suspected I didn’t have recent backups of that. My parents use Mozilla Thunderbird, which stores emails (and address books) within the user’s roaming profile at C:\Users\<name>\AppData\Thunderbird\Profiles, so that was the first thing I copied.

Having done that, it was onto Documents, Music and Photographs.


Rescuing precious photographs in Trinity Rescue Kit

A few hours later, I had a memory stick full of data, but didn’t know whether it was useful or damaged.

Putting that memory stick carefully to one side, I decided it was time to take a look at Windows.

Booting the damaged copy of Windows

A quick trip back into the BIOS to reset the boot type to UEFI, and checking the network was unplugged, it was a matter of starting Windows normally. Windows booted fine, but into Safe Mode. I immediately got a couple of ‘application failed to start’ errors, and then noticed a number of drivers were missing, meaning things like audio services and networking were broken. Trying ipconfig at the command prompt gave no results, suggesting to me that this was indeed a broken copy of Windows (although on reflection I realise it might well have just been Safe Mode without Networking, but I wasn’t taking chances…)

Since restoring Thunderbird email by copying a whole profile, rather than the mailbox, isn’t the recommended route, I put a copy of ImportExportTools on another (clean) memory stick and used that to install that add-on into Thunderbird. That then allowed me to export the mailboxes as ‘mbox with subfolders’ onto that same memory stick.

I noticed the tell-tale sign of a recently installed copy of Citrix LogMeIn (which I imagine the hacker had used to gain access) and also spotted that ESET NOD32 (their anti-virus program) and Windows Defender were also both failing to start, but other than that I sadly didn’t have time to do too much looking around at what had been done. I did however open a couple of documents at random successfully, which suggested the attacker hadn’t been entirely successful and we’d got off lightly. Maybe the rescued files on the stick were OK after all.

I took both memory sticks to an old, offline, laptop (which I wouldn’t have been particularly upset about if it had been infected) and scanned them with another up-to-date copy of ESET NOD32. Nothing found. Another piece of good luck.

Wipe and reinstall Windows

I only had a weekend to spare, and I knew there was a lot still to do, so rather than detailed forensics, I decided to completely wipe the disk and start again. Knowing there were the recovery partitions on the hard-disk (because I’d seen them under TRK), I decided to use that route rather than the Recovery Media I’d burnt. This turned out to be a mistake.

What I’d forgotten is that the laptop had originally shipped with Windows 8.0, and been upgraded as part of the free upgrade to Windows 10 offer for the first months after Windows 10 had launched (now expired). ‘Formatting’ was fairly instantaneous (I assume it just removed the FAT) and within half an hour, I had a clean copy of Windows 8. Better than a broken Windows 10 , but not what I had wanted or expected.

That lead to a question – the free upgrade offer had expired. Would the Windows 10 recovery media (which is only designed for rescuing a copy of Windows 10) allow me to upgrade from 8, and would Microsoft’s licensing be clever enough to respect an attempt to license 10 on the basis of previous installation on the same hardware without needing payment for the upgrade? Much to my pleasant surprise, the answer to both questions is ‘yes’. Well done and thank you, Microsoft. That’s very nice.

(An aside for those who are unaware and might have forgotten as I had – Windows 10 doesn’t have serial keys as previous versions did. The ‘key’ was generated in the original upgrade from 8 to 10 and stored against a Hardware ID in the Microsoft account linked to the installation. Evidently the recovery media was magic enough to notice that the hardware matched a previously-permitted key, and so allowed the activation transparently.)

Whilst all this was happening, back on the laptop, I checked more of the files I had recovered. 100% of the sample I tried were fine, other than some filenames having lost special characters because of going via Linux. A small price to pay. We wouldn’t need to reinstall file-by-file from the File History drive plus the backup I had ready-to-go in S3. Another bit of sheer luck.

Restoring data

About six hours after I’d first booted into TRK, we had a clean, freshly-installed, copy of Windows 10 ready to go. It was then ‘just’ a matter of spending about another four hours installing and configuring software, creating user accounts, linking Dropbox and OneDrive accounts such that those files would restore themselves, and then copying all the files back off the memory sticks.

For the Thunderbird email client, I restored the mailboxes again using the mbox files created by ImportExportTools and then copied the address book files (abook.mab and history.mab) from the profile backup I’d made in the first place, into the new profiles.

The final step was to change passwords. Everywhere. Since I don’t know what the attacker had done in the time he had control of the machine, this meant Internet Connection passwords, Router admin password, WPA2 PSK, Windows sign-in password, Google account password, Email passwords, etc. etc. And then, of course, every other device on the network had to be reconfigured to match. This took about 90 minutes, partly because of a wireless printer which didn’t seem to be designed to deal with a change in the WPA2 key. In retrospect, it would probably have been ‘safest’ to change passwords before restoring the files and linking Dropbox/OneDrive accounts but I don’t think this has caused a problem.

About twelve hours after starting, the damage (to the computer at least) had been undone. The contents of the two memory sticks used were then archived in Amazon Glacier, just in case I need to refer to them again.

Of course, there’s always a blindingly obvious thing you miss when doing these complex tasks at short notice, and in my case it was that I hadn’t virus-scanned the external hard disk that had been connected to the laptop, prior to reconnecting it. Luckily, I’ve since checked that and it is fine, too.

Lessons learnt

  • Keep backups. Multiple backups, including offsite ones. Although it wasn’t needed, knowing I had the copy I’d put in S3 if it were needed, was greatly reassuring.
  • I was exceptionally lucky that only Windows System files and Program Files seemed to have been affected, allowing me to rescue the machine with no data loss.
  • TRK is invaluable, but you don’t want to be learning complex Bash incantations as you go. It’s probably worth spending the time to learn the main ones.
  • Windows 10 licensing with regards to upgrading from Windows 8 is magic and, again, I was very lucky everything just worked when I mistakenly restored Windows 8.
  • I need to find my parents a more sustainable way of backing up Thunderbird profiles automatically, since File History doesn’t seem to cover the AppData roaming profile directory.
  • Despite all the times I’ve told my parents to always tell me if something’s wrong, people are liable to panic and do stupid things when it comes to cyber-security if they get scary warnings. All I can do is to reinforce the message that there are bad people out there and make myself responsible for checking everything important is safely backed-up.

As I said in the beginning of this post, it’s possible this wasn’t the best way of handling the situation. I was very much thinking on my feet, having not done it before. Let me know in the comments if you think of something I missed or could have done better.

Of course, it may yet turn out that the technical challenge of resurrecting the computer was the easy part. I have no idea what data (if any) was stolen in the attack, and so there’s the potential for serious identity theft and further fraud. My parents have been given a careful warning to be wary of everything.

This incident has been reported to www.actionfraud.police.uk, and also to my parents’ bank, who have put a fraud watch on their account. I’d strongly urge anyone else in this situation to do the same.