Fact: Porn sites are bad places to visit in the workplace. And yet I have seen executives in major corporations sit at their desks with the monitor facing the hallway, watching porn. I have seen my IT colleagues yank Internet privileges from users who download and store movies on servers. I have seen malware by the ton come in through porn sites. “Would you like to run AKSDKLLS.EXE?” is usually a bad thing indeed, and users religiously hit the NO button, which is probably coded to read NO on the screen but installs the keyboard logger in the background anyway.

A troublesome client call last week got me thinking about a darker side of security. This client has one system (of three) that always has malware. At one time it was infected by malware that set the Hidden attribute on every single file on his computer, so it took me two hours to clean it out. In the process, the user told me that the business owner tends to open every single email link he receives, which is asking for continual hell.

When the client call came in, the system was again locked up. Only this time his system was locked on boot to an FBI web page indicating that his IP had been blacklisted and that for $200 he could get it cleaned up — on a credit card! Knowing that the FBI does not do that — they show up at the front door with guns — this was yet another malware infestation. So I began cleaning it out with good old RKILL, ComboFix, and then a MALWAREBYTES scan. Bored, I also noticed something odd in the My Documents folder.

A great many files (not temp files) were marked HIDDEN once again, so I presumed the virus mentioned above was still resident, possibly as a rootkit. Joy! More hours of work. But as I examined the hidden files, I saw that many were PowerPoint files with names such as SHERRI IN SPAIN or some such thing. Now we were entering a whole new land: there were about 100 of these things, some also compressed into ZIP files, each individually hidden and with odd creation dates. As Sherlock Holmes would say, “Elementary, dear Watson: we have a porn browser here.” This user, not the business owner, was the Moriarty who consciously downloaded tripe and then marked it hidden. It takes time to do this and some smarts, as most people do not know that old feature from DOS. I opened one, saw that Sherri was indeed quite happy, and closed it fast.

I showed the owner and documented, in front of him, what his fine fellow had been doing. I was ordered to clean it out, which I did, and I also advised the owner to talk with his employee. I advised the owner that this was putting his entire business at risk, as he sells medical insurance policies. We are talking HIPAA security rules here too. Management of staff is his business, not mine, so I left with a check and an embarrassed owner.

Darker thoughts intruded on my drive home. The ladies being displayed were of age, but what if instead of being 26 they were 16, or 6! I almost drove off the road at that one. Setting the security aspect aside, my role as a consultant also comes into play. What are our responsibilities for security and consulting if we EVER find child porn on a user’s system? I was stunned to even consider the idea and very shaken up. Reading the newspaper, we all know it happens, but to other people, right?

Perhaps the computer gods were on my side, for the next day I found some newly released ransomware called “ANTI-CHILD PORN SPAM PROTECTION.” It pretends to be from a legitimate government source and states that your computer is sending out child porn spam links by email. It tells you that it has encrypted your data to protect you (yeah, right) and that for $500 to $1000 on a MoneyPak or PaySafe card you can get the password for your files. The program is launched immediately on boot. If you can boot from a CD-ROM, look for C:\DVSDLK\SVCHOST.EXE and delete it to regain your desktop.

The files that this infection creates when it is installed are:

c:\Documents and Settings\All Users\Desktop\fvd31234.bat
C:\Documents and Settings\All Users\Desktop\fvd31234.txt
c:\dvsdlk\svchost.exe
c:\ProgramData\rbnedwdels\svchost.exe
c:\ProgramData\sgcvsap\svchost.exe
c:\ProgramData\tcvedwdcv\ghzsrwhbfg.dlls
c:\ProgramData\tcvedwdcv\udsjaqsksw.dlls
c:\ProgramData\thcgds\dkpslqhnsoa.dll
c:\ultimatedecrypter\dc.exe
c:\WINDOWS\system32\cfwin32.dll
c:\WINDOWS\system32\csrss32.dll
c:\WINDOWS\system32\csrss64.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe

The Anti-Child Porn Spam Protection ransomware will also create a Windows service with a service name of fdPHosts, a display name of Function Discovery Provider Host Records, and an ImagePath of C:\WINDOWS\system32\svschost.exe. This service runs in the background, creating password-protected copies of new data files as they are created on the computer and then deleting the originals. Therefore, once you regain access to your computer, you should immediately disable this service.
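To turn the indicators above into a repeatable triage check, here is an added PowerShell script that is not part of the original post. It tests for every file path listed above, reads the fdPHosts service entry from the registry, and stops and disables that service only when its ImagePath matches the one given above. The file paths and the service name are taken exactly from the list above; note that Windows ships a legitimate service named fdPHost (no trailing “s”), so the script matches the exact name and the image path rather than a display name. The hidden-file summary at the end reflects the earlier observation that this infection hides data files; the Documents folder it inspects is an assumption.

```powershell
# Added example, not from the original post: check a Windows box for the
# Anti-Child Porn Spam Protection indicators listed above, then stop and
# disable the rogue fdPHosts service so it cannot keep encrypting files.
# Run from an elevated PowerShell prompt.

# File indicators exactly as listed above (paths assume a default install).
$IndicatorFiles = @(
    'C:\Documents and Settings\All Users\Desktop\fvd31234.bat',
    'C:\Documents and Settings\All Users\Desktop\fvd31234.txt',
    'C:\dvsdlk\svchost.exe',
    'C:\ProgramData\rbnedwdels\svchost.exe',
    'C:\ProgramData\sgcvsap\svchost.exe',
    'C:\ProgramData\tcvedwdcv\ghzsrwhbfg.dlls',
    'C:\ProgramData\tcvedwdcv\udsjaqsksw.dlls',
    'C:\ProgramData\thcgds\dkpslqhnsoa.dll',
    'C:\ultimatedecrypter\dc.exe',
    'C:\WINDOWS\system32\cfwin32.dll',
    'C:\WINDOWS\system32\csrss32.dll',
    'C:\WINDOWS\system32\csrss64.dll',
    'C:\WINDOWS\system32\default2.sfx',
    'C:\WINDOWS\system32\NoSafeMode.dll',
    'C:\WINDOWS\system32\nsf.exe',
    'C:\WINDOWS\system32\sdelete.dll',
    'C:\WINDOWS\system32\svschost.exe'
)

# Service indicators from the description above. "fdPHost" (no s) is a
# legitimate Windows service, so we match the exact name AND the image path.
$RogueService   = 'fdPHosts'
$RogueImagePath = 'C:\WINDOWS\system32\svschost.exe'

# --- 1. File indicators -----------------------------------------------------
$hits = 0
foreach ($path in $IndicatorFiles) {
    if (Test-Path -LiteralPath $path) {
        $item   = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
        $hidden = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        Write-Output ("FOUND  {0}  (hidden: {1}, created: {2})" -f $item.FullName, $hidden, $item.CreationTime)
        $hits++
    }
}
Write-Output "File indicators present: $hits of $($IndicatorFiles.Count)"

# --- 2. Rogue service --------------------------------------------------------
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$RogueService"
$svc    = Get-Service -Name $RogueService -ErrorAction SilentlyContinue
if ($svc -or (Test-Path $regKey)) {
    $imagePath = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).ImagePath
    Write-Output "FOUND service '$RogueService'  DisplayName='$($svc.DisplayName)'  ImagePath='$imagePath'"

    # Act only on an exact image-path match so a look-alike name never takes
    # down the legitimate Function Discovery Provider Host.
    if ($imagePath -and ($imagePath.Trim('"') -ieq $RogueImagePath)) {
        Stop-Service -Name $RogueService -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $RogueService -StartupType Disabled
        Write-Output "Service '$RogueService' stopped and disabled."
    } else {
        Write-Output "ImagePath does not match the known indicator; left the service alone for manual review."
    }
} else {
    Write-Output "Service '$RogueService' not present."
}

# --- 3. Hidden data files (symptom noted earlier in the post) ----------------
# Assumed location; adjust to the profile(s) in use on the machine.
$docs = Join-Path $env:USERPROFILE 'Documents'
if (Test-Path -LiteralPath $docs) {
    $hiddenFiles = Get-ChildItem -LiteralPath $docs -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                       (($_.Attributes -band [IO.FileAttributes]::System) -eq 0) }
    Write-Output ("Hidden (non-system) files under {0}: {1}" -f $docs, @($hiddenFiles).Count)
    $hiddenFiles | Select-Object -First 20 FullName, CreationTime | Format-Table -AutoSize
}
```

Run it before deleting anything so the output doubles as the written record the later take-away points call for; the script only stops and disables the service, it does not delete files, which leaves the evidence in place until the client has decided how to proceed.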

This type of ransomware was very close to what my client had.

The issue of finding disturbing, possibly even criminal, data on client computers is something a consultant may have to confront when investigating security issues such as malware infestations. It carries additional security risks and severe legal implications, both for the client and for the individual consultant. Handled correctly, the damage can at least be confined to the client, devastating as that may be, and not touch the IT professional.

The following are my suggested take-away points.

  • First, there must be a disclosure statement signed by the client in ADVANCE of any work. A colleague involved with a consulting franchise uses a work order signed by the client per visit. It must state that the consultant will only BROWSE data and will only install software approved by the client. This ensures that the consultant cannot be blamed for dumping porn or anything else onto the system.
  • Second, document your findings if you find “porn” of any nature. If adult-themed, immediately advise your client in detail, as I did for my client. Do NOT open more than one file if you can avoid it; one is enough to verify that the data exists. Show the client what you are doing. Stress that the data was present BEFORE you even walked in the door. My client did ask me if this stuff just “comes in” over the web, and while it can, the evidence in my case (files deliberately hidden, zipped, and dated oddly) argued against that. Be clear and precise.
  • Third, educate the client on malware and the security risks associated with such data. HIPAA alone qualifies as a major red flag. It must be made clear that his or her business is at legal risk!! (Is your lawyer in your Rolodex?) They may not know what a keylogger does, so educate them!

In my case, the situation stopped here: the client ordered me to remove everything I could find, which I did, and I pronounced the system clean of obviously questionable data. This qualifies as a “best effort,” which is about a 95% guarantee. Advise the client that all obvious data candidates have been deleted and, if possible, have them sign your work order to that effect.

Worst-case scenario

If child pornography (or anything of a criminal nature) is found, my colleague’s consulting franchise has specific instructions. DO NOTHING; stop all work. Get up from the computer then and there. You have to be careful here. Although this franchise’s rules say to inform the client of what you have found and then call the police, also consider stepping into a side room to call the police before informing the client, especially if you suspect that the client is the one who is culpable. The risk of physical injury is very, very real. Tell the client when your own safety allows, but do not leave the client’s office. Stay present. When the police arrive, detail your discovery and tell the truth to the authorities. This is a criminal act and should be treated as such. You have just become part of the legal process too. There will be a court action, so document your work and keep it in detail. You may need to testify.

Tough situation, isn’t it? I hope we never find such data on our clients’ computers. As an IT security pro or consultant, have you ever had to face a situation like this? Do you have clear guidelines from your organization about what to do and what not to do? Share your thoughts in the comments.