A Windows 98 & ME forum. Win98banter

Windows reality - The Torpig botnet and LOTS of others out here



 
 
#11
May 7th 09, 09:46 PM posted to microsoft.public.win98.gen_discussion
MEB[_17_]

98 Guy wrote:
thanatoid wrote:

http://web17.webbpro.de/index.php?pa...sis-of-sinowal

"only XP systems are affected because..."

Viva 98!


Yes. I missed that:

--------------
Affected Systems

Only Windows XP operating systems are affected, because of the file and
mechanism dependencies of Sinowal. Sinowal includes statical signatures
to find the respective code to hook in system files; they are static and
may not be found in different file versions. Sinowal has following file
dependencies:

* Master Boot Record to be just one sector big
* ntldr
* ntoskrnl
* memory directly after ntoskrnl in memory to be free
* Partition Table may not be changed

(no mention of the atapi driver here)
---------------

In looking up information on Mebroot / Sinowal, I found many pages
showing Windows 98 in the list of vulnerable operating systems. A
continuation of stupid, misleading, ignorant or reflexive tendencies to
add Windows 98 to such lists, or a concerted effort to continue the
illusion that windows 98 is vulnerable to even the most recent exploits
and malware.

With regard to this and future malware, we will continue to see win-98
show up incorrectly on lists of affected systems, and MEB will continue
to bring the new malware to our attention - even though they are not (and
most likely will not be) operable on or compatible with windows 98.


You missed the important part:

The original hack contacts the actual hacking site for the OS SPECIFIC
CODING.

9X is not invulnerable... sorry.


--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

#12
May 7th 09, 10:03 PM posted to microsoft.public.win98.gen_discussion
MEB[_17_]

98 Guy wrote:
MEB wrote:

Yet another botnet is hacked from the outside, this one uses the
boot record/MBR to store the hack to take over Windows computers.


I find the name somewhat ironic. Mebroot. MEB root.

Based on this technical analysis:

http://www.trustdefender.com/blog/20...ous-than-ever/

1) Mebroot is mainly deployed through a drive-by download when
you visit "everyday" websites - sometimes (or usually)
delivered via recent pdf file exploits (which we know windows-98/
adobe acrobat 6 are not vulnerable to).

2) after infecting the Master-Boot-Record, it employs a complicated
mechanism to inject itself into the ATAPI Harddrive Driver.
Presumably the XP ATAPI driver (atapi.sys) operates or
is constructed differently than the windows-98 ATAPI driver.
In fact, there is no such file (atapi.sys) on a typical win-98
system (at least not on my system).

3) Once it's made itself part of the ATAPI driver, it uses that
position to then alter core windows components (svchost.exe
and services.exe). Since Windows 98 does not have those files
or provide "services" the same way that NT-based OS's do,
Mebroot must either have additional code to support operation
on win-9x platforms, or it simply aborts itself and does not function
if it finds itself on those platforms.

Analysis of Sinowal
http://web17.webbpro.de/index.php?pa...sis-of-sinowal


Thanks for the link MEB.

If you go to this section: Runtime Execution of Sinowal

you'll see that Mebroot (Sinowal) is heavily dependent on running on and
finding (hooking) NT kernel files (ntldr and ntoskrnl). Again, more
evidence that Mebroot can't run or function as intended on win-9x
systems.

MEB NOTE: this hack has changed over time [it's been around for
around four years or so], thinking it works in only one OS or
group of OSs is NOT a reasonable approach to inhibiting its
expansion. The reason WHY is that it happens to be extremely successful
and extremely difficult to detect and remove. Numerous variants
now exist.


I'm surprised that NT-based systems will allow reading or writing to the
MBR, or that AV programs don't catch and prevent that sort of activity.
Even if they don't detect the Mebroot infector file or exploit, they
should at least be able to detect and prevent MBR tampering. Mebroot
analysis doesn't indicate that AV software is scanned for and disabled
as part of its functionality.

But the take-home message is that Windows 98 is most likely not
vulnerable to Mebroot by virtue of its design.



Wrong. Pay more attention to the delivery method and method used to
install the actual hack.
I didn't write the MEB inclusions just to take up some of my time.

The picked apart version [analysis and discovered] WAS specific to NT
[and most are, it's the most used OS by parties and generally the worst
protected/mis-used by the public] but that does NOT mean this is *only*
applicable to NT based OSs.

And while you're at it, check these same style of attacks used by
government:

http:/peoplescounsel.org/dirt.htm
http://peoplescounsel.org/ref/carnivore.htm

Both of these are/were CROSS-PLATFORM/non-OS specific in their abilities.

--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______
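The two technical points argued over above, the quoted Sinowal dependency that the Master Boot Record stays one sector and the partition table is not changed (post #11), and 98 Guy's remark that AV software should at least be able to detect MBR tampering (post #12), can be made concrete with a small integrity checker. The following Python is an added example written for this page; it is not code from the thread, from the linked analyses, or from any AV product. It parses a raw 512-byte sector 0 into its 446-byte boot-code region, four 16-byte partition entries and the 0x55AA signature, records a SHA-256 of the boot code plus the parsed partition table as a baseline, and reports which part changed. The sample sectors are constructed inline and are not from any real disk; `read_first_sector` and the device paths in its docstring are assumptions about how a practitioner would feed it a live sector (raw device access needs administrator or root rights).

```python
"""MBR integrity check: baseline sector 0 and flag boot-code or partition-table changes.

A bootkit that rewrites the boot loader stub but leaves the partition table
intact (the case the quoted Sinowal analysis depends on) shows up as a
boot-code hash mismatch with an unchanged partition table.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot loader code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash and four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status = sector[off]        # 0x80 = active/bootable, 0x00 = inactive
        ptype = sector[off + 4]     # partition type id (0x07 NTFS, 0x0B/0x0C FAT32, ...)
        # Bytes 8..15 of the entry: start LBA and sector count, little-endian uint32
        lba_start, num_sectors = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a sector against a saved baseline; return a list of findings (empty = clean)."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 of a raw device (assumed paths: r'\\\\.\\PhysicalDrive0' on NT, '/dev/sda' on Linux).

    Requires administrator/root privileges; not called in the offline demo below.
    """
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


# --- Constructed sample data (not taken from any real disk) ---
def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte sector: given boot code, one active NTFS-type partition, signature."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # Entry 0: active (0x80), type 0x07, CHS fields zeroed, start LBA 63, 1,000,000 sectors
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1_000_000)
    table = entry + bytes(PART_ENTRY_LEN * 3)   # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


# Stand-in for a normal loader stub (constructed bytes, not a real boot loader)
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
# Same partition table and signature, different boot code: the bootkit pattern
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 13 + b"\x90")
BASELINE = parse_mbr(CLEAN_MBR)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "no changes")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

In use, the baseline dictionary would be written out (for example as JSON) right after a known-good install and the check rerun at boot or on a schedule; the point of hashing the boot code separately from the parsed partition table is that a legitimate repartitioning and a boot-code overwrite produce different findings, so the second can be treated as an alert on its own.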

#14
May 8th 09, 01:43 AM posted to microsoft.public.win98.gen_discussion
98 Guy

Full-quoter MEB wrote:

But the take-home message is that Windows 98 is most likely not
vulnerable to Mebroot by virtue of its design.


Wrong. Pay more attention to the delivery method and method used
to install the actual hack.


For one thing, the delivery method (aka exploit) is not the important
part. The delivery method exists only to retrieve and launch the
real payload.

Pay more attention to the delivery method


Even you paid no attention to the delivery method when you made the
post. The focus of your post was on the botnet, not the exploit. You
made no special effort to detail or explain what the delivery methods
are for Mebroot / Torpig.

But no matter, as win-98 is not vulnerable to the proposed exploits
anyways (malformed pdf files).

I didn't write the MEB inclusions just to take up some of my time.


Your "meb-notes" are so vague as to be meaningless. I have no idea what
you were talking about in your "meb-inclusion". You provided no detail.

The picked apart version [analysis and discovered] WAS specific
to NT [and most are,


The analysis was just that - an analysis. If there was a fork in the way
the code runs, if the code checks for win-98 presence, then you presume
the author of the analysis does not mention it on purpose. That would
be sloppy. But your argument depends on it. But you have really no
rational argument to support it.

but that does NOT mean this is *only* applicable to NT based OSs.


The ball is in your court to find a posted analysis that confirms the
code performs a check to see if it runs on win-98, and if so it has the
means to deal with that.

And while you're at it, check these same style of attacks
used by government:

http:/peoplescounsel.org/dirt.htm
http://peoplescounsel.org/ref/carnivore.htm

Both of these are/were CROSS-PLATFORM/non-OS specific in
their abilities.


And both of those have nothing to do with the price of tea in China.
#16
May 8th 09, 01:45 AM posted to microsoft.public.win98.gen_discussion
98 Guy

Full-Quoter MEB wrote:

You missed the important part:

The original hack contacts the actual hacking site for the OS
SPECIFIC CODING.


What text exactly are you referring to?

Do you know how to use cut and paste?

Why don't you cut and paste here the text that supports your statement
above?
#18
May 8th 09, 02:05 AM posted to microsoft.public.win98.gen_discussion
MEB[_17_]

98 Guy wrote:
Full-Quoter MEB wrote:

You missed the important part:

The original hack contacts the actual hacking site for the OS
SPECIFIC CODING.


What text exactly are you referring to?

Do you know how to use cut and paste?

Why don't you cut and paste here the text that supports your statement
above?


YOU cut it, so put it back ya friggin dip...

Why don't YOU, for once, actually READ the information. Wouldn't that
be a remarkable change from your usual nonsense and ignorant postings.


--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

#20
May 8th 09, 02:24 AM posted to microsoft.public.win98.gen_discussion
MEB[_17_]

98 Guy wrote:
Full-quoter MEB wrote:

But the take-home message is that Windows 98 is most likely not
vulnerable to Mebroot by virtue of its design.

Wrong. Pay more attention to the delivery method and method used
to install the actual hack.


For one thing, the delivery method (aka exploit) is not the important
part. The delivery method exists only to retrieve and launch the
real payload.

Pay more attention to the delivery method


Even you paid no attention to the delivery method when you made the
post. The focus of your post was on the botnet, not the exploit. You
made no special effort to detail or explain what the delivery methods
are for Mebroot / Torpig.

But no matter, as win-98 is not vulnerable to the proposed exploits
anyways (malformed pdf files).

I didn't write the MEB inclusions just to take up some of my time.


Your "meb-notes" are so vague as to be meaningless. I have no idea what
you were talking about in your "meb-inclusion". You provided no detail.

The picked apart version [analysis and discovered] WAS specific
to NT [and most are,


The analysis was just that - an analysis. If there was a fork in the way
the code runs, if the code checks for win-98 presence, then you presume
the author of the analysis does not mention it on purpose. That would
be sloppy. But your argument depends on it. But you have really no
rational argument to support it.

but that does NOT mean this is *only* applicable to NT based OSs.


The ball is in your court to find a posted analysis that confirms the
code performs a check to see if it runs on win-98, and if so it has the
means to deal with that.

And while you're at it, check these same style of attacks
used by government:

http:/peoplescounsel.org/dirt.htm
http://peoplescounsel.org/ref/carnivore.htm

Both of these are/were CROSS-PLATFORM/non-OS specific in
their abilities.


And both of those have nothing to do with the price of tea in China.


You are one of the most ignorant pieces of crap I have run across
yet.... READ THE MATERIAL then use that brain of yours you claim to own
and THINK about what is and was entailed...
I know that will be difficult for you, but try, just because you are
apparently a 98 IQ doesn't mean that with a little more work you might
be a 100 or so.. there's always hope..

Here's the unique part,,, those links on my site you dismissed in your
MASSIVE ignorance ARE not only similar, but one could reasonably
propose, even coded basically the same [dirt in particular].... but I
know that relationship will escape that limited intellect you suffer
under.... what was one of the fears associated with dirt?,,, that it
would end up in the wrong hands... not the same exact code,, doesn't
matter the ability, methodology, and usability had already been proofed..

Hey, while you're pondering how to relieve yourself of your rather
obvious stupidity... peruse again through those links I previously
provided...... you'll find the support there..

BTW, don't cut and paste my posts to suit your ignorance...


--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

 



