A Windows 98 & ME forum. Win98banter


Windows reality - The Torpig botnet and LOTS of others out here



 
 
  #1  
Old May 7th 09, 07:27 AM posted to microsoft.public.win98.gen_discussion
MEB[_17_]
External Usenet User
 
Posts: 1,830
Default Windows reality - The Torpig botnet and LOTS of others out here


Yet another botnet is hacked from the outside, this one uses the boot
record/MBR to store the hack to take over Windows computers.

http://www.theregister.co.uk/2008/10...anking_trojan/

One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised
Accounts
http://www.rsa.com/blog/blog_entry.aspx?id=1378

Botnet hijack: Researchers dissect Torpig malware operation
http://threatpost.com/blogs/botnet-h...ware-operation

UC Santa Barbara
http://www.cs.ucsb.edu/~seclab/proje...pig/index.html

Analysis of Sinowal
http://web17.webbpro.de/index.php?pa...sis-of-sinowal
MEB NOTE: this hack has changed over time [it's been around for around
four years or so], thinking it works in only one OS or group of OSs is
NOT a reasonable approach to inhibiting its expansion. The reason WHY is
it happens to be extremely successful and extremely difficult to detect
and remove. Numerous variants now exist.

Antivirus tools try to remove Sinowal/Mebroot
http://windowssecrets.com/2008/11/26...inowal-Mebroot

MBR/Mebroot/Sinowal/Torpig is back – better than ever
http://www.trustdefender.com/blog/20...ter-than-ever/

File eyu4vh.exe received on 01.05.2009 05:30:58 (CET)
http://www.virustotal.com/analisis/f...e7b6f1ead6bcec
MEB NOTE: the hack can be in several different forms, the above shows
one variant.

http://securityorb.com/blog/?cat=32

http://www.eweek.com/c/a/Security/MS...tack-Reloaded/

Storm Botnet Is Behind Two New Attacks
http://it.slashdot.org/it/07/08/26/1558245.shtml

Power Point 5 - botnets - PDF
http://www.cs.utexas.edu/~yzhang/tea...lides/5-10.pdf



--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

  #2  
Old May 7th 09, 11:38 AM posted to microsoft.public.win98.gen_discussion
thanatoid
External Usenet User
 
Posts: 2,299
Default Windows reality - The Torpig botnet and LOTS of others out here

MEB wrote:

SNIP

http://web17.webbpro.de/index.php?pa...sis-of-sinowal


"only XP systems are affected because..."

Viva 98!

--
Lots of theoretical butchers are alleged and other bloody eyes
are suitable, but will Pam secure that?
  #3  
Old May 7th 09, 02:48 PM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default Windows reality - The Torpig botnet and LOTS of others out here

thanatoid wrote:

http://web17.webbpro.de/index.php?pa...sis-of-sinowal


"only XP systems are affected because..."

Viva 98!


Yes. I missed that:

--------------
Affected Systems

Only Windows XP operating systems are affected, because of the file and
mechanism dependencies of Sinowal. Sinowal includes statical signatures
to find the respective code to hook in system files; they are static and
may not be found in different file versions. Sinowal has following file
dependencies:

* Master Boot Record to be just one sector big
* ntldr
* ntoskrnl
* memory directly after ntoskrnl in memory to be free
* Partition Table may not be changed

(no mention of the atapi driver here)
---------------

In looking up information on Mebroot / Sinowal, I found many pages
showing Windows 98 in the list of vulnerable operating systems. A
continuation of stupid, misleading, ignorant or reflexive tendencies to
add Windows 98 to such lists, or a concerted effort to continue the
illusion that windows 98 is vulnerable to even the most recent exploits
and malware.

With regard to this and future malware, we will continue to see win-98
show up incorrectly on lists of affected systems, and MEB will continue
to bring the new malware to our attention - even though they do not (and
most likely will not) be operable on or compatible with windows 98.
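
An added example, not part of any post in this thread: the posts above describe the MBR as where this malware is stored, and the quoted analysis lists a one-sector MBR and an unchanged partition table among its dependencies, so a defender can split the sector into boot code and partition table and compare each against a known-clean baseline. The sample sectors are constructed filler, the function names are hypothetical, and the sector is assumed to have been read offline from a disk image.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446        # bytes 0..445 hold boot code; 446..509 hold 4 x 16-byte entries
SIGNATURE = b"\x55\xaa"    # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR sector into boot code, partition table and signature."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly one 512-byte sector")
    table = sector[BOOT_CODE_LEN:510]
    parts = []
    for i in range(4):
        e = table[i * 16:(i + 1) * 16]
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        if e[4] != 0:  # partition type 0 means the slot is unused
            parts.append({"index": i, "active": e[0] == 0x80, "type": e[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(table).hexdigest(),
        "signature_ok": sector[510:512] == SIGNATURE,
        "partitions": parts,
    }

def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Report which region of the MBR differs from the known-clean baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("bad boot signature")
    if b["code_sha256"] != c["code_sha256"]:
        findings.append("boot code changed")
    if b["table_sha256"] != c["table_sha256"]:
        findings.append("partition table changed")
    return findings

def make_sample(code_fill: int) -> bytes:
    """Constructed sample: filler boot code plus one active type-0x07 partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 208782)
    return bytes([code_fill]) * BOOT_CODE_LEN + entry + bytes(48) + SIGNATURE

CLEAN = make_sample(0x90)
MODIFIED = make_sample(0xCC)   # same partition table, different boot code

if __name__ == "__main__":
    print(compare_to_baseline(CLEAN, CLEAN))
    print(compare_to_baseline(CLEAN, MODIFIED))
```

A finding of "boot code changed" with no partition-table finding is the pattern to look at first, since the partition layout staying intact is what keeps the machine booting normally.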
  #4  
Old May 7th 09, 06:55 PM posted to microsoft.public.win98.gen_discussion
thanatoid
External Usenet User
 
Posts: 2,299
Default Windows reality - The Torpig botnet and LOTS of others out here

98 Guy wrote:

thanatoid wrote:

http://web17.webbpro.de/index.php?pa...ysis-of-sinowal


"only XP systems are affected because..."


SNIP

In looking up information on Mebroot / Sinowal, I found
many pages showing Windows 98 in the list of vulnerable
operating systems. A continuation of stupid, misleading,
ignorant or reflexive tendencies to add Windows 98 to such
lists, or a concerted effort to continue the illusion that
windows 98 is vulnerable to even the most recent exploits
and malware.

With regard to this and future malware, we will continue to
see win-98 show up incorrectly on lists of affected
systems, and MEB will continue to bring the new malware to
our attention - even though they do not (and most likely
will not) be operable on or compatible with windows 98.


I am sticking with 98SELite, I don't use any other MS
"software", I have ScriptSentry installed, and I don't care
about any online "dangers". In 15 years I have gotten ONE virus
in an email from an idiot friend. (It couldn't do anything
because I had the system well-secured, but it sure was unwilling
to be removed.)



--
Lots of theoretical butchers are alleged and other bloody eyes
are suitable, but will Pam secure that?
  #5  
Old May 7th 09, 09:46 PM posted to microsoft.public.win98.gen_discussion
MEB[_17_]
External Usenet User
 
Posts: 1,830
Default Windows reality - The Torpig botnet and LOTS of others out here

98 Guy wrote:
thanatoid wrote:

http://web17.webbpro.de/index.php?pa...sis-of-sinowal

"only XP systems are affected because..."

Viva 98!


Yes. I missed that:

--------------
Affected Systems

Only Windows XP operating systems are affected, because of the file and
mechanism dependencies of Sinowal. Sinowal includes statical signatures
to find the respective code to hook in system files; they are static and
may not be found in different file versions. Sinowal has following file
dependencies:

* Master Boot Record to be just one sector big
* ntldr
* ntoskrnl
* memory directly after ntoskrnl in memory to be free
* Partition Table may not be changed

(no mention of the atapi driver here)
---------------

In looking up information on Mebroot / Sinowal, I found many pages
showing Windows 98 in the list of vulnerable operating systems. A
continuation of stupid, misleading, ignorant or reflexive tendencies to
add Windows 98 to such lists, or a concerted effort to continue the
illusion that windows 98 is vulnerable to even the most recent exploits
and malware.

With regard to this and future malware, we will continue to see win-98
show up incorrectly on lists of affected systems, and MEB will continue
to bring the new malware to our attention - even though they do not (and
most likely will not) be operable on or compatible with windows 98.


You missed the important part:

The original hack contacts the actual hacking site for the OS SPECIFIC
CODING.

9X is not in-vulnerable... sorry.


--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

  #6  
Old May 8th 09, 01:45 AM posted to microsoft.public.win98.gen_discussion
98 Guy
External Usenet User
 
Posts: 2,951
Default Windows reality - The Torpig botnet and LOTS of others out here

Full-Quoter MEB wrote:

You missed the important part:

The original hack contacts the actual hacking site for the OS
SPECIFIC CODING.


What text exactly are you referring to?

Do you know how to use cut and paste?

Why don't you cut and paste here the text that supports your statement
above?
  #7  
Old May 8th 09, 02:05 AM posted to microsoft.public.win98.gen_discussion
MEB[_17_]
External Usenet User
 
Posts: 1,830
Default Windows reality - The Torpig botnet and LOTS of others out here

98 Guy wrote:
Full-Quoter MEB wrote:

You missed the important part:

The original hack contacts the actual hacking site for the OS
SPECIFIC CODING.


What text exactly are you referring to?

Do you know how to use cut and paste?

Why don't you cut and paste here the text that supports your statement
above?


YOU cut it, so put it back ya friggin dip...

Why don't YOU, for once, actually READ the information. Wouldn't that
be a remarkable change from your usual nonsense and ignorant postings.


--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

  #9  
Old May 8th 09, 05:21 AM posted to microsoft.public.win98.gen_discussion
Jeff Richards
External Usenet User
 
Posts: 1,526
Default Windows reality - The Torpig botnet and LOTS of others out here

I can't find anything that supports your claim that the loader phones home
for instructions, but even if it did the instructions wouldn't be much use
as the exploit requires NTLDR and NTOSKRNL, which do not exist in 9x
systems.

Either provide a reference site which explains how this can affect W9x
systems or take your scaremongering to a more appropriate group.
--
Jeff Richards
MS MVP (Windows - Shell/User)
"MEB" wrote in message
...
snip

You missed the important part:

The original hack contacts the actual hacking site for the OS SPECIFIC
CODING.

9X is not in-vulnerable... sorry.



 



