
How can an attacker use a compromised computer to do things over the internet? For example, if an attacker infects a PC with a general payload, other than searching through the computer's files and changing things, what else can they do? For instance, can an attacker use a compromised computer to surf the internet? If so, how is this done, in general terms? If they have a reverse shell open or whatnot, you cannot really see webpages and so forth, so do they somehow push their activity through the compromised PC? If so, what do they need to do this?

schroeder
Rideboards
  • There are many ways an attacker can use a compromised computer. One way that the attacker can use a compromised computer is to simply route all of his traffic through the compromised computer (e.g. by way of a VPN tunnel, a SOCKS5 tunnel, SSH tunnel, etc). Then, remote hosts will see connections originating from the compromised computer instead of the attacker's computer. – mti2935 Oct 11 '21 at 21:52
  • Anything can be pushed across a network connection. How do you think you're seeing webpages? – OrangeDog Oct 13 '21 at 13:56

1 Answer


They can do a heck of a lot

One of the most common misconceptions I hear people say about cyber security is, "Well, hackers have no reason to come after me/this." As long as you have some type of connection to the internet, hackers have plenty of uses for your hardware. It does not matter if you are running a high-end server or a smart refrigerator, your system is worth something to a hacker.

Things you can do from just about any hacked device

DDoS attacks: A hacker with access to a large number of compromised devices, organised into something called a botnet, can use them to all simultaneously access an internet resource to try to overwhelm its capacity. This requires they install a very simple program on your device.

Brute Force Attacks: Many systems lock you (your IP address) out after so many password guesses. If you get locked out after 10 guesses, then you can only get into a system if it uses one of the 10 most popular passwords before you have to wait and try again later. If you have a botnet of 100 compromised devices to work with, then you get 1000 guesses before you are locked out. This also requires they install a very simple program on your device.

Spam: Servers that send out spam are routinely flagged and blacklisted, but if you have a lot of hacked computers to work with, you can use them each as spam platforms so when one gets blacklisted, you move on to the next. This could either rely on installing an SMTP Virtual Server on your device or just hacking your personal email account using spyware to use as a spam platform.

  • Targeted Spam: Again, using spyware, they can send spam from your personal account, but they can specifically target your contacts to take advantage of the trust people have in knowing you personally.

Proxying (out to the internet): They can set your device up as a proxy for their own (often illegal) online activities. Basically they just need to install VPN endpoint software on your device, and all of their traffic will be routed through your IP. As long as they control your device well enough to make sure it is not logging their access to it, they can make it look like you are the one doing the illegal activity, and not them.

Proxying (into a local network): Another application for using you as a proxy is to gain access to local network resources. If your device is on a local network, it may have access to servers, NASs, security cameras, etc. that cannot be directly accessed from the internet. But by proxying through a device that can access both the internet and your LAN, you can use it to attack systems that would otherwise be inaccessible from the outside.

Things where something more powerful like a PC or laptop is preferred

Crypto Mining: Mining things like bitcoin uses up a lot of electricity and processing power and can burn out components quicker. By using a hacked computer to do this, they don't have to pay the costs for all that, you do. They just need to install crypto mining software on your machine and attach it to a wallet they control.

File Storage/Hosting: They could use your computer as a file repository or web server; so, if they need somewhere to store a bunch of pirated media or to host their child pornography website, they could create a hidden partition or virtual machine on your computer to do it.

RMM: An even more extreme form of using you as a proxy is to take total control of your machine and use it as though it is their own. Windows has built into it a thing called Remote Desktop Manager which allows Windows to share its desktop over the internet. Mac and Linux also have easily installed counterparts that do the same thing. There are also some RMM programs you can install that can give you a full desktop view of a machine that is separate from what the end user can see, so you can do things without being noticed. If a hacker puts RMM software on your computer, then they can use your computer in every respect as if it were their own. This would make implementing any of the previous uses much easier, or they could just use it in whatever personal ways they prefer. It could even be something as ridiculous as using it to run an instance of Minecraft with a wiggle script so that they can idle farm cactuses with a zombie account while they do their real playing on their personal computer.

Nosajimiki
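Two of the uses in the answer above, spam relaying and outbound proxying, leave a recognisable footprint in a host's own connection table. The following added example (not part of the original answer) is a defender-side triage script: it parses a constructed sample in a simplified `ss -tnp`-style layout and flags a process talking to many external mail servers or a listening port serving many external clients. The `INTERNAL_NETS` ranges, the thresholds and the process names are assumptions for the sample.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample in a simplified ss-style layout: state local remote pid/process
SAMPLE = """\
LISTEN 0.0.0.0:1080 0.0.0.0:* 4120/sockd
ESTAB 192.168.1.20:1080 203.0.113.7:51022 4120/sockd
ESTAB 192.168.1.20:1080 198.51.100.9:40011 4120/sockd
ESTAB 192.168.1.20:1080 203.0.113.44:39001 4120/sockd
ESTAB 192.168.1.20:51302 198.51.100.25:25 5211/mailer
ESTAB 192.168.1.20:51303 198.51.100.26:25 5211/mailer
ESTAB 192.168.1.20:51304 203.0.113.80:25 5211/mailer
ESTAB 192.168.1.20:51305 203.0.113.81:25 5211/mailer
ESTAB 192.168.1.20:44120 192.168.1.1:443 1200/firefox
"""
# Assumed site-local ranges; anything outside them is treated as "the internet".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_connections(text):
    """Split each line into state, local port, remote host:port and owning process."""
    conns = []
    for line in text.splitlines():
        state, local, remote, proc = line.split()
        _, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        conns.append({"state": state, "lport": lport, "rhost": rhost,
                      "rport": rport, "proc": proc})
    return conns

def is_external(host):
    """True when the peer address lies outside the assumed internal ranges."""
    addr = ip_address(host)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(conns, smtp_threshold=3, proxy_threshold=3):
    """Return (label, subject, count) findings for relay-like behaviour."""
    smtp_peers = defaultdict(set)     # process -> distinct external mail servers
    inbound_peers = defaultdict(set)  # listening port -> distinct external clients
    listening = {c["lport"] for c in conns if c["state"] == "LISTEN"}
    for c in conns:
        if c["state"] != "ESTAB":
            continue
        if c["rport"] in ("25", "587") and is_external(c["rhost"]):
            smtp_peers[c["proc"]].add(c["rhost"])      # many MTAs: spam relay pattern
        if c["lport"] in listening and is_external(c["rhost"]):
            inbound_peers[c["lport"]].add(c["rhost"])  # many clients: proxy/relay pattern
    findings = [("possible spam relay", p, len(s))
                for p, s in smtp_peers.items() if len(s) >= smtp_threshold]
    findings += [("possible open proxy/relay", port, len(s))
                 for port, s in inbound_peers.items() if len(s) >= proxy_threshold]
    return findings
```

The browser's single HTTPS connection in the sample is deliberately left unflagged; on a real host the thresholds would be tuned against that machine's normal baseline.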
  • It should be noted that many of these things don't directly affect the target machine in a notable way. Most users would not notice if their storage capacity suddenly decreased by 50 GB, or if their machine sent out spam emails. So most users who are infected don't really notice it. –  Oct 12 '21 at 14:48
  • Agreed. If I included everything malicious a hacker could do to an infected machine itself, this would become a VERY long list. But in reality, these hidden activities are increasingly becoming the goal of many hacks. – Nosajimiki Oct 12 '21 at 15:01
  • Yes, because these are mostly immediately monetizable. Sometimes, access to these machines is sold in bulk too, so the person using the compromised machine doesn't necessarily know (or care) how the machine was compromised in the first place. –  Oct 12 '21 at 15:10
  • "It does not matter if you are running a high-end server or a smart refrigerator, your system is worth something to a hacker." – Indeed. If I remember correctly, one of the first big outages of the Stack Exchange family of sites was caused by a DDoS attack performed using a botnet of compromised home security cameras. – Jörg W Mittag Oct 12 '21 at 17:21
  • 'One of the most common misconceptions I hear people say about cyber security is, "Well, hackers have no reason to come after me/this."' My thoughts exactly, heard that too; they forget that one reason is that they're an easy target for not following good security practices, and that many easy targets can amount to about the same value as one "big" target. – Nagev Oct 13 '21 at 07:49
  • @nagev Exactly. Don't worry about the bullet with your name on it, worry about the six thousand marked 'To Whom It May Concern...' It's almost trivially easy to scan entire subnets at once for basic vulnerabilities, and when you already have (the beginnings of) a botnet, trawling five million IPs for possible exploits costs very little and two or three hits will already be a viable ROI. – Shadur-don't-feed-the-AI Oct 13 '21 at 11:38
  • @Nosajimiki you could add under proxying that it's not just to disguise their own address, but that hacked devices inside an organization can be used as a stepping stone to access higher value targets behind a firewall. For example, the bank's servers may not have any external connection and only talk to other computers inside the bank. One compromised desktop inside the bank can be used as a jump point to get at the bank's servers. – user46053 Oct 13 '21 at 16:09
  • @user46053 Thanks, I've added that to the list. Frankly there is just so much you can do, I'm probably missing a lot more here; this was just the stuff I could think of off the top of my head. – Nosajimiki Oct 13 '21 at 16:47
  • The RMM/Minecraft example seems oddly specific, speaking from experience? :D – fgysin Oct 14 '21 at 11:55
  • @fgysin Let's just say I used to work with a guy who did not understand what the "E" meant in CEH. – Nosajimiki Oct 14 '21 at 13:57
  • The first few all fall into one category: when the police trace who's doing the bad thing, they'll find that it came from your computer, instead of the hacker's. – user253751 Oct 14 '21 at 15:18
  • @user253751 A general rule of hacking is that hackers don't want to be caught; so, some level of obfuscation can be found inherent in almost anything a hacker will do. – Nosajimiki Oct 14 '21 at 16:30