The Hacking at KOVTR – interim update.


What if there was an organisation, employed by some of the largest publishing conglomerates in the world, that not only had the capability to interdict content digitally, but did so illegally and boasted of its prowess in doing so?

What if these people had utilities to make themselves almost invisible to the operating system and the log files, and knew how to clean up after themselves to ALMOST make it appear as if they were never there?

What would happen if these Internet Corporate Spetsnaz Cyber Commandos decided to take on the small (fewer than 50 average readers per day) website of an ageing and nearly extinguished Internet entrepreneur?

… and what if that Internet entrepreneur had been hacked a few times in his life, had a reasonable knowledge of Unix, PIDs and ASCII text log files as a supplement to MySQL data files, and made lots of diverse backups of everything?

Last week the unthinkable happened. I had the pleasure to come to the attention of just such an organisation and of course, they injected [pun intended] themselves into the focus of my attention.

I also had the “luck” to be logged in, and to observe and capture (using Camtasia video screen capture) their antics in real time as they went about destroying my blog site.

Their actions could not be called piracy, as they didn’t take anything.

They didn’t physically harm anyone.

Yet approximately 12 people were possibly infected with a virus, and I lost two days of my life exploring the damage: looking into several hundred PHP files, testing their scripts and tracking the IP numbers that they deleted from the log files and the SQL server.

In our upcoming article entitled “Corporate Interests Hijacking the Net” we will discover who is behind the hacking of KoVTr.com, who their shareholders and directors are, and why they appear to be able to move around the net at will, invisibly wreaking havoc on web sites globally.

No need to keep checking back; just follow me on Twitter and you will receive a Tweet when I post.

The additional benefit is that I have set up a number of alternative sites, as I believe that this site will be targeted so the company involved can protect its interests.

Comment to the Internet Spetsnaz Commandos…

The incursion last night into my home computer system failed.

The Sony VGNA-190 whose MBR you took down was an unprotected seven- or eight-year-old computer used only as a media server for the family. (It took eight minutes to restore the MBR, because first I had to remember where I left the USB key… and then I had to find the Sony boot CD…). However, the router captured all traffic to and from the Sony, and the log file has been written out to a computer not on the net. Sec B1 & Class C-a)

The score for Round 1 at half time:

Group NBT Plc Spetsnaz Internet Raiding Party   1
vs
Koltai, ageing Internet entrepreneur            0

Let's see how we do later in the week…


For those 12 persons who were infected by the virus, it has been identified as:

Common name: Winantivirus
Technical name: Application/Winantivirus2006
Threat level: Low
Alias: WinAntiVirus Pro 2006
Type: Potentially Unwanted Program (PUP)
Effects: It is a Potentially Unwanted Program, which can affect the users’ consent, awareness or control over the program. It does not spread automatically using its own means.
Affected platforms: Windows 2003/XP/2000/NT/ME/98/95
First detected on: Dec. 5, 2005
Detection updated on: Oct. 8, 2007
Statistics: No

Virus – Brief Description

Winantivirus belongs to the category of Potentially Unwanted Programs, also known as PUPs.

PUPs are programs that, due to their features or means of distribution, can affect users’ consent, awareness or control over operations like:

  • Installation.
  • Modifications carried out on the computer.
  • Behavior of the program.
  • Processing of personal data.
  • Uninstallation.

The evaluation criteria of PUPs are based on the proposals suggested by the Anti-Spyware Coalition, organization

Winantivirus uses the following propagation or distribution methods:

  • Exploiting vulnerabilities with the intervention of the user: exploiting vulnerabilities in file formats or applications. To exploit them successfully it needs the intervention of the user: opening files, viewing malicious web pages, reading emails, etc.
  • It is dropped or downloaded to the computer by other malware specimens, for example: Downloader.LHW, Downloader.NEX, Downloader.NEY.

The Notice on KOVTR whilst it was down over the weekend.

We apologise; KOVTR is down whilst we remove the virus that was placed there by the kind people from Envisional Ltd, who were hired by the nice people at:

to place a virus on KOVTR so that regular readers would not want to come back here, and so that the site would be listed by Google as being infected by malware.

If you have received one of these on your screen, don’t click on it or attempt to close it.

We apologise and suggest that you NOT turn off or reboot your machine.

At 1:12 am on the 7th of May, an employee of Envisional, or a contractor sanctioned by the owner of IP number [62.128.158.145] (whose in-addr.arpa reverse lookup resolves to dedi158-145.envisional.net), caused a script to be executed on KOVTR.com that altered approximately 224 PHP files in the WordPress area of KOVTR and caused them to be infected with a downloadable virus file.

The insertion code in the PHP files starts <?php /**/ eval(base64_decode("aWYoZnVuY3R…

and is executed by the browser on the client side to binary-decode the virus, which installs itself in the registry of the reader of the content, causing the above popup “fake MALWARE” warning. The registry entry looks like this and should be removed using Run, regedit, with the reference in the picture below being the appropriate location in the registry that requires removal. The file has no name – yet – and will only execute on reboot or power cycling.

Otherwise, please run a good virus removal tool.

We apologise for this incursion and assure you that we will publish the complete log files proving that an IP number from Envisional Ltd was responsible for inflicting this damage on our readers’ computers.

KoVTr will be back up within seven hours. (Sorry – it’s taking longer than I thought – estimated time of “reappearance” is now approximately 14:30 hours AU EST, 8th of May.)

We just need to go and close a few WordPress security holes and reset the rat-trap shoebox filters.

Envisional guys – sometimes you should check who you’re messing with before such a blatantly public and uncloaked hacking incursion is attempted.

I will be sending you a bill for my time, and I will be asking my readers to estimate the time and cost lost to them also.

Either way, please be advised that you will be hearing from our solicitors.

Each and every keystroke was logged (okay, each byte uploaded; it’s just that “keystroke logged” sounds so much groovier), therefore denial is impossible.

We suggest you have a quick whip around from your clients for the upcoming legals……

Whilst there is the tiniest possibility that they were not the ones who placed the file on KOVTR, our system log files confirm that theirs was the only IP number that spanned the period of the PHP script execution and the time stamps on the altered PHP files.

Their action can only be understood by comparing it to a zealous religious proctor, circa 1650 in Olde England, who would enter your home looking for books that were on the prohibited list of Holy Mother Church and burn them. However, we would add that the priests had carte blanche from the populace, who accepted that the burning of salacious materials was for their own good.

We sincerely doubt that any comparable arrangement or de facto agreement now exists between the world’s Internet users and Envisional Ltd and their employers/clients, namely Warners, Sony, IFPI, Microsoft, MPAA, Vivendi/NBC, Paramount and Fox.

Additionally, the priests didn’t leave behind nice little virus Easter eggs that would cause Internet users who chanced upon KOVTR to become infected with malware that was extremely difficult to get rid of.

Our opinion is that this activity borders on criminal malfeasance and is certainly in contravention of Australian federal laws on illegal entry into a computer system and alteration of data thereon. Older readers will remember the Ausnet Services hacking incident, where the perpetrator received a three-year jail term for a similar break and enter.

This entry was posted in File Sharing Reports/Studies.

2 Responses to The Hacking at KOVTR – interim update.

  1. G Thompson says:

    Tom, I only just saw all this, and though I am concerned, I was wondering if you have recently seen the WordPress problems that have recently occurred with GoDaddy accounts, especially *nix ones [latest details at http://www.wpsecuritylock.com/exploit-on-wordpress-returns-go-daddy-responds/ ]

    For some info and how to detect, remove and counteract both
    http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/
    and
    http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html

    are probably the best sites.

    I have come across these malware phishing exploiters before, and though I am not saying that 62.128.158.145 did not do it, what I am saying is that they could actually be patsies, by the way the proxies get used by these exploiters. Or their ubiquitous polling via their spiders could be seen as part of it all.

    Envisional are at their most basic (though there are some nefarious activities) a media monitor service, which, like all monitors, annoys any site owner who has to pay for bandwidth. I normally suggest sticking ’em in robots.txt, though Envisional could be up to their old tricks again that they did in 2004, where they were ignoring the robots file entirely [http://www.wecltd.eu/badrobots/index.en.php last entry on table]

    Email me if you have any probs Tom. Cheers

    • tomk says:

      Thanks Graeme, but at this point in time I have some reasonably damning evidence, including the script that deleted their traces out of the MySQL database.
      They (the hackers) forgot about Unix-level logging, like ps-eaux|>/k/k/koltai/pidlogfile and Apache access logs.
      If I hadn’t been sitting there watching them through a WordPress plugin, I would never have known I had been hacked… until Google started listing me as a malware site to the whole world.
      What an absolutely brilliant methodology for discrediting a blogger… install a 3-year-old, almost harmless antivirus software package that Google recognises as malware. Voilà, traffic decreases, problem doesn’t exist for Vivendi, Microsoft, Fox, RIAA, IFPI etc. etc., the usual suspects. What I find fascinating is that the insurance companies and banks are now joining the customer list.
