#1
Windows reality - The Torpig botnet and LOTS of others out here
Yet another botnet is hacked from the outside; this one uses the boot record/MBR to store the hack to take over Windows computers.
http://www.theregister.co.uk/2008/10...anking_trojan/

One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts
http://www.rsa.com/blog/blog_entry.aspx?id=1378

Botnet hijack: Researchers dissect Torpig malware operation
http://threatpost.com/blogs/botnet-h...ware-operation

UC Santa Barbara
http://www.cs.ucsb.edu/~seclab/proje...pig/index.html

Analysis of Sinowal
http://web17.webbpro.de/index.php?pa...sis-of-sinowal

MEB NOTE: this hack has changed over time [it's been around for around four years or so]; thinking it works in only one OS or group of OSs is NOT a reasonable approach to inhibiting its expansion. The reason WHY is it happens to be extremely successful and extremely difficult to detect and remove. Numerous variants now exist.

Antivirus tools try to remove Sinowal/Mebroot
http://windowssecrets.com/2008/11/26...inowal-Mebroot

MBR/Mebroot/Sinowal/Torpig is back – better than ever
http://www.trustdefender.com/blog/20...ter-than-ever/

File eyu4vh.exe received on 01.05.2009 05:30:58 (CET)
http://www.virustotal.com/analisis/f...e7b6f1ead6bcec

MEB NOTE: the hack can be in several different forms; the above shows one variant.

http://securityorb.com/blog/?cat=32
http://www.eweek.com/c/a/Security/MS...tack-Reloaded/

Storm Botnet Is Behind Two New Attacks
http://it.slashdot.org/it/07/08/26/1558245.shtml

Power Point 5 - botnets - PDF
http://www.cs.utexas.edu/~yzhang/tea...lides/5-10.pdf

--
~ -- MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______
#2
Windows reality - The Torpig botnet and LOTS of others out here
MEB wrote in :

> SNIP
> http://web17.webbpro.de/index.php?pa...sis-of-sinowal
> "only XP systems are affected because..."

Viva 98!

--
Lots of theoretical butchers are alleged and other bloody eyes are suitable, but will Pam secure that?
#3
Windows reality - The Torpig botnet and LOTS of others out here
thanatoid wrote:

> http://web17.webbpro.de/index.php?pa...sis-of-sinowal
> "only XP systems are affected because..."
>
> Viva 98!

Yes. I missed that:

--------------
Affected Systems

Only Windows XP operating systems are affected, because of the file and mechanism dependencies of Sinowal. Sinowal includes statical signatures to find the respective code to hook in system files; they are static and may not be found in different file versions.

Sinowal has the following file dependencies:

* Master Boot Record to be just one sector big
* ntldr
* ntoskrnl
* memory directly after ntoskrnl in memory to be free
* Partition Table may not be changed

(no mention of the atapi driver here)
---------------

In looking up information on Mebroot / Sinowal, I found many pages showing Windows 98 in the list of vulnerable operating systems. A continuation of stupid, misleading, ignorant or reflexive tendencies to add Windows 98 to such lists, or a concerted effort to continue the illusion that Windows 98 is vulnerable to even the most recent exploits and malware.

With regard to this and future malware, we will continue to see Win-98 show up incorrectly on lists of affected systems, and MEB will continue to bring the new malware to our attention - even though they do not (and most likely will not) be operable on or compatible with Windows 98.
#4
Windows reality - The Torpig botnet and LOTS of others out here
98 Guy wrote in :

> thanatoid wrote:
>
>> http://web17.webbpro.de/index.php?pa...ysis-of-sinowal
>> "only XP systems are affected because..."
>
> SNIP
>
> In looking up information on Mebroot / Sinowal, I found many pages showing Windows 98 in the list of vulnerable operating systems. A continuation of stupid, misleading, ignorant or reflexive tendencies to add Windows 98 to such lists, or a concerted effort to continue the illusion that windows 98 is vulnerable to even the most recent exploits and malware.
>
> With regard to this and future malware, we will continue to see win-98 show up incorrectly on lists of affected systems, and MEB will continue to bring the new malware to our attention - even though they do not (and most likely will not) be operable on or compatible with windows 98.

I am sticking with 98SELite, I don't use any other MS "software", I have ScriptSentry installed, and I don't care about any online "dangers". In 15 years I have gotten ONE virus in an email from an idiot friend. (It couldn't do anything because I had the system well-secured, but it sure was unwilling to be removed.)

--
Lots of theoretical butchers are alleged and other bloody eyes are suitable, but will Pam secure that?
#5
Windows reality - The Torpig botnet and LOTS of others out here
98 Guy wrote:

> thanatoid wrote:
>
>> http://web17.webbpro.de/index.php?pa...sis-of-sinowal
>> "only XP systems are affected because..."
>>
>> Viva 98!
>
> Yes. I missed that:
>
> --------------
> Affected Systems
>
> Only Windows XP operating systems are affected, because of the file and mechanism dependencies of Sinowal. Sinowal includes statical signatures to find the respective code to hook in system files; they are static and may not be found in different file versions.
>
> Sinowal has the following file dependencies:
>
> * Master Boot Record to be just one sector big
> * ntldr
> * ntoskrnl
> * memory directly after ntoskrnl in memory to be free
> * Partition Table may not be changed
>
> (no mention of the atapi driver here)
> ---------------
>
> In looking up information on Mebroot / Sinowal, I found many pages showing Windows 98 in the list of vulnerable operating systems. A continuation of stupid, misleading, ignorant or reflexive tendencies to add Windows 98 to such lists, or a concerted effort to continue the illusion that windows 98 is vulnerable to even the most recent exploits and malware.
>
> With regard to this and future malware, we will continue to see win-98 show up incorrectly on lists of affected systems, and MEB will continue to bring the new malware to our attention - even though they do not (and most likely will not) be operable on or compatible with windows 98.

You missed the important part: The original hack contacts the actual hacking site for the OS SPECIFIC CODING. 9X is not invulnerable... sorry.

--
~ -- MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______
#6
Windows reality - The Torpig botnet and LOTS of others out here
Full-Quoter MEB wrote:

> You missed the important part: The original hack contacts the actual hacking site for the OS SPECIFIC CODING.

What text exactly are you referring to? Do you know how to use cut and paste? Why don't you cut and paste here the text that supports your statement above?
#7
Windows reality - The Torpig botnet and LOTS of others out here
98 Guy wrote:

> Full-Quoter MEB wrote:
>
>> You missed the important part: The original hack contacts the actual hacking site for the OS SPECIFIC CODING.
>
> What text exactly are you referring to? Do you know how to use cut and paste? Why don't you cut and paste here the text that supports your statement above?

YOU cut it, so put it back ya friggin dip... Why don't YOU, for once, actually READ the information. Wouldn't that be a remarkable change from your usual nonsense and ignorant postings.

--
~ -- MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______
#9
Windows reality - The Torpig botnet and LOTS of others out here
I can't find anything that supports your claim that the loader phones home for instructions, but even if it did, the instructions wouldn't be much use, as the exploit requires NTLDR and NTOSKRNL, which do not exist in 9x systems. Either provide a reference site which explains how this can affect W9x systems or take your scaremongering to a more appropriate group.

--
Jeff Richards
MS MVP (Windows - Shell/User)

"MEB" wrote in message ...

> snip
>
> You missed the important part: The original hack contacts the actual hacking site for the OS SPECIFIC CODING. 9X is not invulnerable... sorry.