Cheat Engine The Official Site of Cheat Engine
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Sun Jul 08, 2012 12:08 pm Post subject: Got hacked, but how?
As the title says, I think I got hacked (details below) and now I started having a lot of questions about how it worked, and how networks work.
So I was playing a game and suddenly had 2-3 error messages popping up, saying that c:\....\appdata\temp\[randomly generated name].exe wasn't a valid Win32 app. Plus one saying that it was 16bit and couldn't be run on my 64 bit OS.
Looking at said exe it turns out to be 0kb in size, I guess it erased itself.
Let's assume my system was sane before the attack. That would mean the attacker managed to create a file on my system and run it through 3 cmd prompts. How?
I thought about "he sent data on an open port of my router, targeting a vulnerable service", but how did my router know that those packets from the net should go to the target computer? (lan config below)
Looking at the taskman: wtf did he run his payload through syswow64/cmd.exe if it was 16 bit??
And why use cmd.exe instead of directly running the payload?
One more odd thing: when we run an application through cmd, we get a black window, but I didn't see any. Payload was run through "cmd.exe /c path_to_the_exe", and /c doesn't hide prompts. They weren't moved offscreen because they weren't in the taskbar either. And taskman shows those prompts were run by my username... So actually what happened to those prompts?
Quite obviously I'd like to know how to prevent such attacks from happening again.
1-No, don't tell me to install an AV, "resident protection", software firewall, those crumble performance, but never seem to protect me from the actual threats. When I do run trojans, full system scans do not find a thing and I always end up manually hunting my malware.
2-I was thinking about a hardware firewall/switch to replace my current switch, with every computer in dmz, but blocking all traffic from/to the modem except on a few ports I'd manually configure (email, web browsing, and dhcp). Think that would work?
3-Any other idea?
Network configuration
1 modem/router. Exact open ports unknown, but I guess TCP+UDP 20,21,25,80,110,443 + several teredo upnp rules pointing to the target.
linked to
1 lan switch
linked to
2 computers (incl. the target)
No "friendly" buddy playing pranks
Info about the target
os win7 x64
telnet server service off
rdp service enabled
windows firewall off (in case it'd change anything)
one idle browser opened, displaying fallout's wiki.
No AV (oh sorry, I meant win defender)
Info about the other computer
os xp 32
rdp service enabled
download computer
you go there with a hazmat suit (though I bet AVs won't find a thing...)
No AV (errm...win defender)
semi off topic question: both computers can browse the internet (=use port 80); how does the router know which should get the replies?
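As an added illustration (not part of the thread), a toy model of the NAT table behind the two router questions in the post above: how replies to two LAN hosts browsing the same server are told apart, and why an unsolicited packet from the internet only reaches a LAN host when a forwarding rule (such as the UPnP rules mentioned) points at it. All addresses and ports are constructed values.

```python
"""Toy NAT/port-forward model (added illustration, not from the thread).
A NAT router maps each outbound (lan_ip, lan_port) flow to its own public
source port and uses that table to route replies; an inbound packet with no
table entry is dropped unless a forwarding rule (like the UPnP rules in the
post) points it at a LAN host. All addresses/ports are constructed values."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class NatRouter:
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        # (remote_ip, remote_port, public_port) -> LAN endpoint that opened the flow
        self.table: Dict[Tuple[str, int, int], Endpoint] = {}
        # public_port -> LAN endpoint, a static forward such as a UPnP mapping
        self.forwards: Dict[int, Endpoint] = {}

    def outbound(self, lan: Endpoint, remote: Endpoint) -> int:
        """Rewrite a LAN host's source to (public_ip, new port); return that port."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(remote[0], remote[1], public_port)] = lan
        return public_port

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Decide where a packet from the internet goes, or None to drop it."""
        key = (remote[0], remote[1], public_port)
        if key in self.table:             # reply to a flow a LAN host opened
            return self.table[key]
        if public_port in self.forwards:  # unsolicited, but a rule exposes a host
            return self.forwards[public_port]
        return None                       # unsolicited and unmapped: dropped


def demo() -> dict:
    r = NatRouter("203.0.113.7")
    target, other, web = ("192.168.1.10", 50001), ("192.168.1.11", 50001), ("198.51.100.5", 80)
    r.forwards[3389] = ("192.168.1.10", 3389)  # constructed: RDP forwarded to the target
    p1 = r.outbound(target, web)  # both hosts browse the same server on port 80
    p2 = r.outbound(other, web)   # same LAN port, but distinct public ports
    return {
        "target_reply": r.inbound(web, p1),                  # -> target
        "other_reply": r.inbound(web, p2),                   # -> other host
        "unsolicited_dropped": r.inbound(("192.0.2.99", 4444), 40002),
        "unsolicited_forwarded": r.inbound(("192.0.2.99", 4444), 3389),
    }
```

The last two entries are the point of the post's question: without the forwarding rule the router has no LAN destination for an unsolicited packet and drops it, so every static or UPnP forward is exactly the exposure a hardware firewall would need to account for.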
Dark Advanced Cheater
Reputation: 5
Joined: 16 Jun 2011 Posts: 79 Location: <3
Posted: Tue Jul 10, 2012 2:32 pm Post subject:
It came with something you downloaded, can't you remove it manually?
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Tue Jul 10, 2012 7:14 pm Post subject:
The thing is: there is nothing left to manually remove, just a 0kb file (actually I wiped it too).
If I downloaded a trojan I'd have had the error messages the instant I ran it, not 3+ months later. Plus if it were a delayed trojan it would need to start itself with windows or via scheduled task, but all those are clean (registry run/RunOnce keys+scheduled tasks).
So if it's not a trojan, how did it get there?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25832 Location: The netherlands
Posted: Wed Jul 11, 2012 5:37 am Post subject:
Most likely a browser exploit that installed it on your system.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Jul 11, 2012 6:57 am Post subject:
A browser exploit that would install a generic malware downloader that would download+run the 16bit app... It would explain why the 16bit payload was run through a syswow64 prompt.
I'm going to investigate how those work exactly, but in the meantime, as far as you know is it possible to have a browser hijacked if it's just opened, idle, displaying a blank page?
EDIT: Yes it is possible. Most likely I got boned by a kid who found a Metasploit tutorial on youtube and my IP in a wiki.
Now it's time for bunkerization.
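Added illustration (not from the thread): detection logic for the launch chain the posts above converge on, a browser-spawned cmd.exe /c running an executable from %TEMP%, with the 32-bit SysWOW64 cmd.exe noted as an extra trait. The process records are constructed (parent image, image, command line) triples, not real Windows event-log output, and "browser.exe" is a placeholder name.

```python
"""Detect the launch chain the thread describes: cmd.exe /c used to run an
executable under %TEMP%, optionally spawned by a browser. Added illustration,
not from the thread; the records below are constructed, not real event logs."""
import re
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (parent_image, image, command_line)

EVENTS: List[Record] = [  # constructed sample process-creation records
    (r"C:\Program Files\Browser\browser.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\qz8f1k.exe"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c dir C:\Users\u\Documents"),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     r"svchost.exe -k netsvcs"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\abc123.exe"'),
]

CMD_C = re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.IGNORECASE)
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\\"]+\.exe", re.IGNORECASE)
BROWSERS = ("browser.exe", "firefox.exe", "chrome.exe", "iexplore.exe")  # placeholder first


def assess(rec: Record) -> Dict[str, object]:
    """Collect the suspicious traits of one record; an empty list means benign."""
    parent, image, cmdline = rec
    reasons: List[str] = []
    if image.lower().endswith("\\cmd.exe") and CMD_C.search(cmdline):
        reasons.append("cmd.exe /c launcher")
    if TEMP_EXE.search(cmdline):
        reasons.append("target executable under %TEMP%")
    if "\\syswow64\\" in image.lower():          # 32-bit cmd.exe, as seen in the post
        reasons.append("32-bit cmd.exe on a 64-bit host")
    if parent.lower().endswith(BROWSERS):      # matches the browser-exploit theory
        reasons.append("spawned by a browser")
    return {"command_line": cmdline, "reasons": reasons}


def detect(events: List[Record]) -> List[Dict[str, object]]:
    """Alert only when both core traits co-occur; extra traits raise the priority."""
    alerts = []
    for rec in events:
        a = assess(rec)
        r = a["reasons"]
        if "cmd.exe /c launcher" in r and "target executable under %TEMP%" in r:
            a["priority"] = "high" if len(r) > 2 else "medium"
            alerts.append(a)
    return alerts
```

Plain `cmd.exe /c dir` from explorer.exe is deliberately left unflagged, so the rule keys on the combination rather than on cmd.exe alone.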