The Pwn Star State: Nearly two dozen Texas towns targeted by tiresome ransomware

NiceCuppaTea

Re: So that's how they do it

If I were writing such malware I would embed a copy of my remote access code in every PDF file found during the recon phase, as we all know PDFs are a cracker's wet dream with the amount of security vulnerabilities.

Maybe also embed myself in some services like print spooler to re-enable my remote access after the restores have taken place.

If a cracker has had access for any period of time then you have to assume your entire estate is compromised and take appropriate steps; this is why the fundamental security principles must be adhered to at all times.

Least privs to be able to do your job, firewalls should never be turned off even when only on the LAN, firewalls tuned to only allow things you are expecting, unused services turned off etc etc etc. In this day and age your LAN is only marginally safer than the internet and should be treated as such.
