Monday, December 17, 2012

TrueCrypt HID Device Hack with Knoppix

I was hacked by the TRlADS while living in Asia and have went through 20 computers (half Windows, half Mac ) and 5 phones ( 3 iPhone's, 2 Galaxy S3’s ) (8 cable modems) and 10 Routers ) in the past 2 years trying to figure out how they got me. I have the hack under control now but still want to know everything.  In Addition to installing DD-WRT on my Routers until I got wise to that, I know they were using my iPhone as a wifi beacon command center in addition to many other mash-ups but I think they spread the hack via HID devices on a USB Drive that they customized a TrueCrypt travel disk installer to accomplish.  I would break their hack from time to time and see clues like 2TB VFAT drives on a small 4GB USB Flash Drive etc so I know they are disguising the Hard Drive and hiding behind Virtual Drives that say they are for example 500GB but since they grow dynamically, they don’t need all of that space right away so these losers have plenty of space outside of this bubble to operate on my hard drive and I can’t even see them. The hack survives low level reformatting and Apple Genius Bar told me I know more than them after several failed visits. I now use TrueCrypt to re-encrypt and reformat my hard drives which I think is working until they restore the volume header with an HID device or a cron job ( I'm not sure )

While I lived in Asia they really controlled my iPhone, read about that nightmare here 


I realized my phone was a command center when I had a hunch and powered off my iPhone4S as my Ubuntu Live CD Boot was hanging as it tried to connect to the Internet.  The second I powered off my iPhone 4S ( never jailbroken nor even plugged into a computer ), my Ubuntu Screen said “Disconnected from Network”.  I recreated it 4 times in a row.  The scary part is that I was using a Cat5 connection directly into the Cable Modem and wifi was shut off ( so it seemed.  They served me fake screens that masked the real settings on my phones and computers ).  Even though I booted using a Ubuntu Live CD, their hack was still controlling my machine.  It was a MacBook Pro15 that I used to boot Ubuntu from and I didn’t even mount a hard drive, it was all LIVE CD.  After researching I found that Knoppix has the ability to create a persistent file system that takes precedence over a subsequently booted Live CD ( in my case, Ubuntu 12.04 )  See Knoppix at http://www.knopper.net/knoppix/index-en.html I am good at computers but not a programmer so that's where my ability to solve this ends.  I can’t list everything they did because I would need to type forever but here are a few subject areas I think they exposed to control my machines, upon which I will elaborate on the TrueCrypt set-up after the bullet points.

-  They hacked my Power Supply by implanting a trasp device in My Bose Speakers and possibly my high end water machine that sent malware farts through my electrical grid and tunneled into my system that way.  I always had a Fire-wire connection open out of nowhere on my Macs and my Window’s computers always had new HID Devices connecting out of nowhere ( A FUCKING GHOST!!!  LOL )  I think they use a lot of tools from www.nirsoft.com ( cool site ) like USBDVIEW etc...

-  They Used MIDI notes sent via TCP that was communicating with a Braille keyboard interface on my phones.  They also used Netboot Images served via a Media server somewhere in Cyberspace.  None of this came up on Virus Scans and they would mimic Google Updates to get the traffic through.  One day I watched Chrome update 6 times with a 15MB update each time.  They spoof IP addresses all of the time and do Man in the Middle attacks on my network constantly.

-  The Most clever of all is when they knew I was on Match.com so they had a Chinese Girl contact me and I was amazed at how quickly she wanted to come to my house, it was too easy actually but right after she came I noticed the hacking got 10 times worse. I now realize she came to get my cable modem Mac address so they could clone my cable modem. Did you know that if you clone a Comcast Customer's Mac address on their modem and plug it in at your house, you will instantly have the same cable service as them for Internet. I was shocked that Comcast doesn't run cron jobs looking for duplicates since it allows people to get free internet but they can see if they check though, they just don't check I guess because not many people are bad-ass enough to clone a cable modem's Mac ID. Anyways, they cloned my Mac Address from my Cable Modem to an older Motorola Model and they were sitting in between my house and Comcast intercepting all of my traffic until I figured it out and called Comcast.  The Guy at Comcast almost shit himself in amazement as we had him send a refresh signal to me but there was a 10 second delay as the Hackers Cloned Modem received it first, and rebooted and upon sending a second one right away, the second refresh signal hit my modem since theirs was rebooting.  Comcast cut them off and just to be safe I went and bought another new modem.  The guy said he never saw or even heard of such a thing and this guy was in the abuse department Tier 2 support.  Yes, these fuckers are clever.

I could tell you five more but want to stay focused on the main part of their hack.

Here is what I also think they did to keep control of my machines.

See http://www.Truecrypt.org, they are using that in conjunction with Knoppix as 90% of their operation ( I Think.... )  If you are familiar with TrueCrypt, Read on......
I suspect that they used a hidden volume as the keyfile for the outer volume in order to prevent the outer volume from mounting at all if I removed their hacked OS hidden on my system.  This would assure that the system always booted with their backdoor fuse file system which I discovered through pure luck when I was creating hidden and outer truecrypt volumes on a hacked machine.  Their hack made a mistake and assumed that the hidden volume I created was part of their set-up so they proceeded to copy over a 666MB .iso file that had the same name a linux Dragonfly Live DVD except that Dragonfly is 900MB, not 666MB like this one.  I am guessing at saying it is a remastered Live CD of Knoppix because Knoppix can actually embed the file system to stay persistent across reboots but i’m not techie enough to go much further on that subject.  I zipped the .iso file and uploaded it to http://bit.ly/666hack if you want to check it out.  Let me know what it does.....  I also made a video of me extracting it from the .iso file where it kept saying certain files already exist during the extract even though I extracted it to an empty folder.  Must be due to duplicate files with two dots in front and it moved it up a directory ( just guessing but I would love to know what this .iso file does.  This is their bread and butter for their hack.  The .iso file wouldn’t open on my Mac, it said cannot open, being used by OSX.  I couldn’t even copy it or burn it using disk utility either.  I had to burn it using TOAST to get it off the machine.  This file is possessed. http://bit.ly/666hack2


I think all of the VFAT 2TB files that I saw were actually dynamic Truecrypt volumes ( see below from TrueCrypt which is why I think that way ).  They were hidden on all of my Flash Drives and the only thing that would expose them and mangle them off the flash drive was HP TOOL


 I was able to get the hacked read-only flash drive to format 75% of the time by quickly changing between NTFS and FAT formatting within that program and would get a read-only error a few times until an attempt would break through and format the damn thing.That would be the Truecrypt Read-Only aspect I assume.




The feature below allows them to have a 1 size fits all hack since the USB device they use to infect your system will create a dynamic volume equal to the host’s hard drive’s maximum size which works well if the person they are hacking has a 300GB hard drive or 1TB hard drive, it expands to the maximum possible size and is easier for them to hide by making you think it is your main hard drive except they have all of their hacked hidden operating systems outside of the dynamic volume and you can’t see it.  If you save a Truecrypt volume as a favorite, you can set the options to have the volume mount either after logon or when the drive first gets power ( Thats even before the damn Bios!!!!! Regarding this, I outsmarted them while still living in Asia when I used an external keyboard to change my bios password because the #4 on the numpad for some reason effected a backspace, not a #4 and even though I typed 88884444 as the password, I used the 4 up top for the first two and the numpad 4 for the second two which backspaced the first two fours out and made the password 8888 but my hackers assumed it was 88884444 so I entered that into the bios on the next boot ( using all numbers from the top row) and the screen said “password correct” then quickly bluescreened and never booted again.  Thats when I knew they had me before the bios, now I can see how with the ability of Truecrypt.)  FYI, The Windows Version of TrueCrypt has the most features compared to Mac or Linux for TrueCrypt, but these guys were using the Sourcecode and hiding everything from the visible eye.






They use the non-admin feature below to create a volume they can access without admin privileges.  Even if you install a new operating system and lock it down, they can still access it because the system is basically built on a wide open file system.  To make things even worse, any files shared by the hidden OS and your OS will be mounted as read only and not even throw errors most of the time so anything you change on your computer will be trumped by their already intact fuse file system.






By utilizing TrueCrypt SourceCode, I assume that they have a clone of their hack OS that is protected as a hidden volume when they mount their outer dynamic volume so that way they have a back-up if you are somehow lucky enough to delete the one they mount during the early boot process but the first one they mount is mounted read-only so you can’t delete it anyways.  This shows you how many options Truecrypt can give a hacker.







Please let me know what they are doing and how they are accomplishing it.  I have tons of other stuff too but don’t want to overwhelm anybody and take their eye off what I think is the main part of their system.  These guys are good.

Edward
Email Me HERE