A Windows 98 & ME forum. Win98banter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » Win98banter forum » Windows 98 » General
Site Map Home Authors List Search Today's Posts Mark Forums Read Web Partners

Windows reality - The Torpig botnet and LOTS of others out here



 
 
Thread Tools Display Modes
  #1  
Old May 7th 09, 07:27 AM posted to microsoft.public.win98.gen_discussion
MEB[_17_]
External Usenet User
 
Posts: 1,830
Default Windows reality - The Torpig botnet and LOTS of others out here


Yet another botnet is hacked from the outside, this one uses the boot
record/MBR to store the hack to take over Windows computers.

http://www.theregister.co.uk/2008/10...anking_trojan/

One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised
Accounts
http://www.rsa.com/blog/blog_entry.aspx?id=1378

Botnet hijack: Researchers dissect Torpig malware operation
http://threatpost.com/blogs/botnet-h...ware-operation

UC Santa Barbara
http://www.cs.ucsb.edu/~seclab/proje...pig/index.html

Analysis of Sinowal
http://web17.webbpro.de/index.php?pa...sis-of-sinowal
MEB NOTE: this hack has changed over time [its been around for around
four years or so], thinking it works in only one OS or group of OSs is
NOT a reasonable approach to inhibiting its expansion. The reason WHY is
it happens to be extremely successful and extremely difficult to detect
and remove. Numerous variants now exist.

Antivirus tools try to remove Sinowal/Mebroot
http://windowssecrets.com/2008/11/26...inowal-Mebroot

MBR/Mebroot/Sinowal/Torpig is back – better than ever
http://www.trustdefender.com/blog/20...ter-than-ever/

File eyu4vh.exe received on 01.05.2009 05:30:58 (CET)
http://www.virustotal.com/analisis/f...e7b6f1ead6bcec
MEB NOTE: the hack can be in several different forms, the above shows
one variant.

http://securityorb.com/blog/?cat=32

http://www.eweek.com/c/a/Security/MS...tack-Reloaded/

Storm Botnet Is Behind Two New Attacks
http://it.slashdot.org/it/07/08/26/1558245.shtml

Power Point 5 - botnets - PDF
http://www.cs.utexas.edu/~yzhang/tea...lides/5-10.pdf



--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

  #2  
Old May 7th 09, 11:38 AM posted to microsoft.public.win98.gen_discussion
thanatoid
External Usenet User
 
Posts: 2,299
Default Windows reality - The Torpig botnet and LOTS of others out here

MEB wrote in
:

SNIP

http://web17.webbpro.de/index.php?pa...sis-of-sinowal


"only XP systems are affected because..."

Viva 98!

--
Lots of theoretical butchers are alleged and other bloody eyes
are suitable, but will Pam secure that?
  #3  
Old May 7th 09, 11:38 AM posted to microsoft.public.win98.gen_discussion
thanatoid
External Usenet User
 
Posts: 2,299
Default Windows reality - The Torpig botnet and LOTS of others out here

MEB wrote in
:

SNIP

http://web17.webbpro.de/index.php?pa...sis-of-sinowal


"only XP systems are affected because..."

Viva 98!

--
Lots of theoretical butchers are alleged and other bloody eyes
are suitable, but will Pam secure that?
  #4  
Old May 7th 09, 02:12 PM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default Windows reality - The Torpig botnet and LOTS of others out here

MEB wrote:

Yet another botnet is hacked from the outside, this one uses the
boot record/MBR to store the hack to take over Windows computers.


I find the name somewhat ironic. Mebroot. MEB root.

Based on this technical analysis:

http://www.trustdefender.com/blog/20...ous-than-ever/

1) Mebroot is mainly deployed through a drive-by download when
you visit “everyday” websites - sometimes (or usually)
delivered via recent pdf file exploits (which we know windows-98/
adobe acrobat 6 are not vulnerable to).

2) after infecting the Master-Boot-Record, it employs a complicated
mechanism to inject itself into the ATAPI Harddrive Driver.
Presumably the XP ATAPI driver (atapi.sys) operates or
is constructed differently than the windows-98 ATAPI driver.
In fact, there is no such file (atapi.sys) on a typical win-98
system (at least not on my system).

3) Once it's made itself part of the ATAPI driver, it uses that
position to then alter core windows components (svchost.exe
and services.exe). Since Windows 98 does not have those files
or provide "services" the same way that NT-based OS's do,
Mebroot must either have additional code to support operation
on win-9x platforms, or it simply abort itself and not function
if it finds itself on those platforms.

Analysis of Sinowal
http://web17.webbpro.de/index.php?pa...sis-of-sinowal


Thanks for the link MEB.

If you go to this section: Runtime Execution of Sinowal

you'll see that Mebroot (Sinowal) is heavily dependent on running on and
finding (hooking) NT kernel files (ntldr and ntoskrnl). Again, more
evidence that Mebroot can't run or function as intended on win-9x
systems.

MEB NOTE: this hack has changed over time [its been around for
around four years or so], thinking it works in only one OS or
group of OSs is NOT a reasonable approach to inhibiting its
expansion. The reason WHY is it happens to be extremely successful
and extremely difficult to detect and remove. Numerous variants
now exist.


I'm surprised that NT-based systems will allow reading or writing to the
MBR, or that AV programs don't catch and prevent that sort of activity.
Even if they don't detect the Mebroot infector file or exploit, they
should at least be able to detect and prevent MBR tampering. Mebroot
analysis doesn't indicate that AV software is scanned for and disabled
as part of it's functionality.

But the take-home message is that Windows 98 is most likely not
vulnerable to Mebroot by virtue of it's design.
  #5  
Old May 7th 09, 02:12 PM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default Windows reality - The Torpig botnet and LOTS of others out here

MEB wrote:

Yet another botnet is hacked from the outside, this one uses the
boot record/MBR to store the hack to take over Windows computers.


I find the name somewhat ironic. Mebroot. MEB root.

Based on this technical analysis:

http://www.trustdefender.com/blog/20...ous-than-ever/

1) Mebroot is mainly deployed through a drive-by download when
you visit “everyday” websites - sometimes (or usually)
delivered via recent pdf file exploits (which we know windows-98/
adobe acrobat 6 are not vulnerable to).

2) after infecting the Master-Boot-Record, it employs a complicated
mechanism to inject itself into the ATAPI Harddrive Driver.
Presumably the XP ATAPI driver (atapi.sys) operates or
is constructed differently than the windows-98 ATAPI driver.
In fact, there is no such file (atapi.sys) on a typical win-98
system (at least not on my system).

3) Once it's made itself part of the ATAPI driver, it uses that
position to then alter core windows components (svchost.exe
and services.exe). Since Windows 98 does not have those files
or provide "services" the same way that NT-based OS's do,
Mebroot must either have additional code to support operation
on win-9x platforms, or it simply abort itself and not function
if it finds itself on those platforms.

Analysis of Sinowal
http://web17.webbpro.de/index.php?pa...sis-of-sinowal


Thanks for the link MEB.

If you go to this section: Runtime Execution of Sinowal

you'll see that Mebroot (Sinowal) is heavily dependent on running on and
finding (hooking) NT kernel files (ntldr and ntoskrnl). Again, more
evidence that Mebroot can't run or function as intended on win-9x
systems.

MEB NOTE: this hack has changed over time [its been around for
around four years or so], thinking it works in only one OS or
group of OSs is NOT a reasonable approach to inhibiting its
expansion. The reason WHY is it happens to be extremely successful
and extremely difficult to detect and remove. Numerous variants
now exist.


I'm surprised that NT-based systems will allow reading or writing to the
MBR, or that AV programs don't catch and prevent that sort of activity.
Even if they don't detect the Mebroot infector file or exploit, they
should at least be able to detect and prevent MBR tampering. Mebroot
analysis doesn't indicate that AV software is scanned for and disabled
as part of it's functionality.

But the take-home message is that Windows 98 is most likely not
vulnerable to Mebroot by virtue of it's design.
  #6  
Old May 7th 09, 02:48 PM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default Windows reality - The Torpig botnet and LOTS of others out here

thanatoid wrote:

http://web17.webbpro.de/index.php?pa...sis-of-sinowal


"only XP systems are affected because..."

Viva 98!


Yes. I missed that:

--------------
Affected Systems

Only Windows XP operating systems are affected, because of the file and
mechanism dependencies of Sinowal. Sinowal includes statical signatures
to find the respective code to hook in system files; they are static and
may not be found in different file versions. Sinowal has following file
dependencies:

* Master Boot Record to be just one sector big
* ntldr
* ntoskrnl
* memory directly after ntoskrnl in memory to be free
* Partition Table may not be changed

(no mention of the atapi driver here)
---------------

In looking up information on Mebroot / Sinowal, I found many pages
showing Windows 98 in the list of vulnerable operating systems. A
continuation of stupid, misleading, ignorant or reflexive tendencies to
add Windows 98 to such lists, or a concerted effort to continue the
illusion that windows 98 is vulnerable to even the most recent exploits
and malware.

With regard to this and future malware, we will continue to see win-98
show up incorrectly on lists of affected systems, and MEB will continue
to bring the new malware to our attention - even though they do not (and
most likely will not) be operable on or compatible with windows 98.
  #7  
Old May 7th 09, 02:48 PM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default Windows reality - The Torpig botnet and LOTS of others out here

thanatoid wrote:

http://web17.webbpro.de/index.php?pa...sis-of-sinowal


"only XP systems are affected because..."

Viva 98!


Yes. I missed that:

--------------
Affected Systems

Only Windows XP operating systems are affected, because of the file and
mechanism dependencies of Sinowal. Sinowal includes statical signatures
to find the respective code to hook in system files; they are static and
may not be found in different file versions. Sinowal has following file
dependencies:

* Master Boot Record to be just one sector big
* ntldr
* ntoskrnl
* memory directly after ntoskrnl in memory to be free
* Partition Table may not be changed

(no mention of the atapi driver here)
---------------

In looking up information on Mebroot / Sinowal, I found many pages
showing Windows 98 in the list of vulnerable operating systems. A
continuation of stupid, misleading, ignorant or reflexive tendencies to
add Windows 98 to such lists, or a concerted effort to continue the
illusion that windows 98 is vulnerable to even the most recent exploits
and malware.

With regard to this and future malware, we will continue to see win-98
show up incorrectly on lists of affected systems, and MEB will continue
to bring the new malware to our attention - even though they do not (and
most likely will not) be operable on or compatible with windows 98.
  #8  
Old May 7th 09, 06:55 PM posted to microsoft.public.win98.gen_discussion
thanatoid
External Usenet User
 
Posts: 2,299
Default Windows reality - The Torpig botnet and LOTS of others out here

98 Guy wrote in :

thanatoid wrote:

http://web17.webbpro.de/index.php?pa...ysis-of-sinowa
l


"only XP systems are affected because..."


SNIP

In looking up information on Mebroot / Sinowal, I found
many pages showing Windows 98 in the list of vulnerable
operating systems. A continuation of stupid, misleading,
ignorant or reflexive tendencies to add Windows 98 to such
lists, or a concerted effort to continue the illusion that
windows 98 is vulnerable to even the most recent exploits
and malware.

With regard to this and future malware, we will continue to
see win-98 show up incorrectly on lists of affected
systems, and MEB will continue to bring the new malware to
our attention - even though they do not (and most likely
will not) be operable on or compatible with windows 98.


I am sticking with 98SELite, I don't use any other MS
"software", I have ScriptSentry installed, and I don't care
about any online "dangers". In 15 years I have gotten ONE virus
in an email from an idiot friend. (It couldn't do anything
because I had the system well-secured, but it sure was unwilling
to be removed.)



--
Lots of theoretical butchers are alleged and other bloody eyes
are suitable, but will Pam secure that?
  #9  
Old May 7th 09, 06:55 PM posted to microsoft.public.win98.gen_discussion
thanatoid
External Usenet User
 
Posts: 2,299
Default Windows reality - The Torpig botnet and LOTS of others out here

98 Guy wrote in :

thanatoid wrote:

http://web17.webbpro.de/index.php?pa...ysis-of-sinowa
l


"only XP systems are affected because..."


SNIP

In looking up information on Mebroot / Sinowal, I found
many pages showing Windows 98 in the list of vulnerable
operating systems. A continuation of stupid, misleading,
ignorant or reflexive tendencies to add Windows 98 to such
lists, or a concerted effort to continue the illusion that
windows 98 is vulnerable to even the most recent exploits
and malware.

With regard to this and future malware, we will continue to
see win-98 show up incorrectly on lists of affected
systems, and MEB will continue to bring the new malware to
our attention - even though they do not (and most likely
will not) be operable on or compatible with windows 98.


I am sticking with 98SELite, I don't use any other MS
"software", I have ScriptSentry installed, and I don't care
about any online "dangers". In 15 years I have gotten ONE virus
in an email from an idiot friend. (It couldn't do anything
because I had the system well-secured, but it sure was unwilling
to be removed.)



--
Lots of theoretical butchers are alleged and other bloody eyes
are suitable, but will Pam secure that?
  #10  
Old May 7th 09, 09:46 PM posted to microsoft.public.win98.gen_discussion
MEB[_17_]
External Usenet User
 
Posts: 1,830
Default Windows reality - The Torpig botnet and LOTS of others out here

98 Guy wrote:
thanatoid wrote:

http://web17.webbpro.de/index.php?pa...sis-of-sinowal

"only XP systems are affected because..."

Viva 98!


Yes. I missed that:

--------------
Affected Systems

Only Windows XP operating systems are affected, because of the file and
mechanism dependencies of Sinowal. Sinowal includes statical signatures
to find the respective code to hook in system files; they are static and
may not be found in different file versions. Sinowal has following file
dependencies:

* Master Boot Record to be just one sector big
* ntldr
* ntoskrnl
* memory directly after ntoskrnl in memory to be free
* Partition Table may not be changed

(no mention of the atapi driver here)
---------------

In looking up information on Mebroot / Sinowal, I found many pages
showing Windows 98 in the list of vulnerable operating systems. A
continuation of stupid, misleading, ignorant or reflexive tendencies to
add Windows 98 to such lists, or a concerted effort to continue the
illusion that windows 98 is vulnerable to even the most recent exploits
and malware.

With regard to this and future malware, we will continue to see win-98
show up incorrectly on lists of affected systems, and MEB will continue
to bring the new malware to our attention - even though they do not (and
most likely will not) be operable on or compatible with windows 98.


You missed the important part:

The original hack contacts the actual hacking site for the OS SPECIFIC
CODING.

9X is not in-vulnerable... sorry.


--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
MMTASK.TSK: Lots of questions. Justin Thyme Software & Applications 6 March 23rd 05 10:24 PM
Firefox. Using lots of resources Terry James Software & Applications 10 February 7th 05 07:12 PM
Lots of disk activity Phil General 11 October 22nd 04 05:02 PM
lots of logs on the C:\ drive Alex General 2 June 29th 04 01:33 AM
Lots of Problems all of a Sudden Chris Improving Performance 1 May 27th 04 10:00 AM


All times are GMT +1. The time now is 05:46 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 Win98banter.
The comments are property of their posters.