#11
Windows reality - The Torpig botnet and LOTS of others out here
98 Guy wrote:
> thanatoid wrote:
>> http://web17.webbpro.de/index.php?pa...sis-of-sinowal
>> "only XP systems are affected because..."
>> Viva 98!
>
> Yes. I missed that:
>
> --------------
> Affected Systems
> Only Windows XP operating systems are affected, because of the file and mechanism dependencies of Sinowal. Sinowal includes static signatures to find the respective code to hook in system files; they are static and may not be found in different file versions.
> Sinowal has the following file dependencies:
> * Master Boot Record to be just one sector big
> * ntldr
> * ntoskrnl
> * memory directly after ntoskrnl in memory to be free
> * Partition Table may not be changed
> (no mention of the atapi driver here)
> ---------------
>
> In looking up information on Mebroot / Sinowal, I found many pages showing Windows 98 in the list of vulnerable operating systems. A continuation of stupid, misleading, ignorant or reflexive tendencies to add Windows 98 to such lists, or a concerted effort to continue the illusion that Windows 98 is vulnerable to even the most recent exploits and malware.
>
> With regard to this and future malware, we will continue to see win-98 show up incorrectly on lists of affected systems, and MEB will continue to bring the new malware to our attention - even though they do not (and most likely will not) be operable on or compatible with Windows 98.

You missed the important part: The original hack contacts the actual hacking site for the OS SPECIFIC CODING. 9X is not invulnerable... sorry.

-- 
~ -- MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______
#12
98 Guy wrote:
> MEB wrote:
>> Yet another botnet is hacked from the outside, this one uses the boot record/MBR to store the hack to take over Windows computers.
>
> I find the name somewhat ironic. Mebroot. MEB root.
>
> Based on this technical analysis:
> http://www.trustdefender.com/blog/20...ous-than-ever/
>
> 1) Mebroot is mainly deployed through a drive-by download when you visit "everyday" websites - sometimes (or usually) delivered via recent pdf file exploits (which we know windows-98/ adobe acrobat 6 are not vulnerable to).
>
> 2) after infecting the Master-Boot-Record, it employs a complicated mechanism to inject itself into the ATAPI Harddrive Driver.
>
> Presumably the XP ATAPI driver (atapi.sys) operates or is constructed differently than the windows-98 ATAPI driver. In fact, there is no such file (atapi.sys) on a typical win-98 system (at least not on my system).
>
> 3) Once it's made itself part of the ATAPI driver, it uses that position to then alter core windows components (svchost.exe and services.exe).
>
> Since Windows 98 does not have those files or provide "services" the same way that NT-based OS's do, Mebroot must either have additional code to support operation on win-9x platforms, or it simply aborts itself and does not function if it finds itself on those platforms.
>
>> Analysis of Sinowal
>> http://web17.webbpro.de/index.php?pa...sis-of-sinowal
>
> Thanks for the link MEB. If you go to this section: Runtime Execution of Sinowal, you'll see that Mebroot (Sinowal) is heavily dependent on running on and finding (hooking) NT kernel files (ntldr and ntoskrnl). Again, more evidence that Mebroot can't run or function as intended on win-9x systems.

MEB NOTE: this hack has changed over time [it's been around for around four years or so]; thinking it works in only one OS or group of OSs is NOT a reasonable approach to inhibiting its expansion. The reason WHY is it happens to be extremely successful and extremely difficult to detect and remove. Numerous variants now exist.

> I'm surprised that NT-based systems will allow reading or writing to the MBR, or that AV programs don't catch and prevent that sort of activity. Even if they don't detect the Mebroot infector file or exploit, they should at least be able to detect and prevent MBR tampering. Mebroot analysis doesn't indicate that AV software is scanned for and disabled as part of its functionality.
>
> But the take-home message is that Windows 98 is most likely not vulnerable to Mebroot by virtue of its design.

Wrong. Pay more attention to the delivery method and method used to install the actual hack. I didn't write the MEB inclusions just to take up some of my time. The picked apart version [analysis and discovered] WAS specific to NT [and most are; it's the most used OS by parties and generally the worst protected/misused by the public] but that does NOT mean this is *only* applicable to NT based OSs.

And while you're at it, check these same style of attacks used by government:
http:/peoplescounsel.org/dirt.htm
http://peoplescounsel.org/ref/carnivore.htm
Both of these are/were CROSS-PLATFORM/non-OS specific in their abilities.

-- MEB
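The two posts above hinge on what an MBR bootkit actually touches. The analysis quoted in #11 lists "Master Boot Record to be just one sector big" and "Partition Table may not be changed" as hard dependencies of Sinowal, and #12 asks why AV software does not simply detect MBR tampering. The following is an added example, not code from this thread, from Mebroot, or from any of the linked analyses: a small Python checker that reads a 512-byte MBR, splits it into bootstrap code and partition table, hashes the two parts separately against a baseline taken on a known-clean machine, and reports which part changed. All sample sectors are constructed inline (the "clean" prologue bytes only mimic the shape of an XP-era MBR; the "infected" bytes are an arbitrary stand-in for a bootkit loader stub); `read_mbr` shows how the sector would be read from a real device but is not called here.

```python
"""Added example: baseline-and-compare checker for a classic (non-GPT) MBR.

Layout of the 512-byte sector:
  0..445    bootstrap code   (what an MBR bootkit replaces)
  446..509  four 16-byte partition entries (a bootkit normally leaves these alone)
  510..511  boot signature 0x55 0xAA
"""
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"
# status(1) chs_start(3, ignored) type(1) chs_end(3, ignored) lba_start(4) sectors(4)
PART_ENTRY_FMT = "<B3xB3xII"


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device, e.g. r"\\.\PhysicalDrive0" on Windows
    (needs administrator) or "/dev/sda" on Linux (needs root). Not called here."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def parse_partition_table(mbr: bytes) -> List[dict]:
    """Validate the sector (exactly one sector, valid signature) and return
    the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    if mbr[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def fingerprint(mbr: bytes) -> Dict[str, str]:
    """Hash bootstrap code and partition table separately, so a report can
    say which of the two changed rather than just "the sector differs"."""
    parse_partition_table(mbr)  # reject malformed input before hashing
    return {
        "code": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
        "table": hashlib.sha256(mbr[PART_TABLE_OFFSET:SIGNATURE_OFFSET]).hexdigest(),
    }


def check_mbr(mbr: bytes, baseline: Dict[str, str]) -> List[str]:
    """Compare a freshly read MBR with a baseline from a known-clean system.
    Returns a list of findings; an empty list means nothing changed."""
    current = fingerprint(mbr)
    findings = []
    if current["code"] != baseline["code"]:
        findings.append("bootstrap code changed (possible MBR bootkit)")
    if current["table"] != baseline["table"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(code: bytes, partitions: List[Tuple[int, int, int, bool]]) -> bytes:
    """Assemble a constructed MBR image for testing; not a real disk image.
    partitions: (type, lba_start, sector_count, bootable) tuples."""
    body = code[:PART_TABLE_OFFSET].ljust(PART_TABLE_OFFSET, b"\x00")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, sectors)
        for ptype, lba_start, sectors, bootable in partitions
    ).ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return body + table + BOOT_SIGNATURE


# Constructed sample data. The clean prologue only mimics the shape of an
# XP-era MBR; the "infected" bytes are an arbitrary stand-in for a bootkit stub.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007cfb5007501ffcbe1b7c")
INFECTED_CODE = bytes.fromhex("ea1b7c0000")
PARTITIONS = [(0x07, 63, 41929587, True)]  # one bootable NTFS (type 0x07) partition

CLEAN_MBR = build_sample_mbr(CLEAN_CODE, PARTITIONS)
BASELINE = fingerprint(CLEAN_MBR)
# The simulated infection rewrites the code but keeps the partition table,
# which is the "Partition Table may not be changed" dependency quoted above.
INFECTED_MBR = build_sample_mbr(INFECTED_CODE, PARTITIONS)

if __name__ == "__main__":
    print("clean    :", check_mbr(CLEAN_MBR, BASELINE) or "OK")
    print("infected :", check_mbr(INFECTED_MBR, BASELINE))
```

Hashing code and table separately matters in practice: a legitimate repartition changes only the table, while a bootkit changes only the code, so the two findings point at different follow-up actions. The baseline must be taken from a machine you trust and stored off the disk being checked, otherwise the same code that rewrote sector 0 can rewrite the baseline.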
#14
Full-quoter MEB wrote:
>> But the take-home message is that Windows 98 is most likely not vulnerable to Mebroot by virtue of its design.
>
> Wrong. Pay more attention to the delivery method and method used to install the actual hack.

For one thing, the delivery method (aka exploit) is not the important part. The delivery method exists only to retrieve and launch the real payload.

> Pay more attention to the delivery method

Even you paid no attention to the delivery method when you made the post. The focus of your post was on the botnet, not the exploit. You made no special effort to detail or explain what the delivery methods are for Mebroot / Torpig. But no matter, as win-98 is not vulnerable to the proposed exploits anyways (malformed pdf files).

> I didn't write the MEB inclusions just to take up some of my time.

Your "meb-notes" are so vague as to be meaningless. I have no idea what you were talking about in your "meb-inclusion". You provided no detail.

> The picked apart version [analysis and discovered] WAS specific to NT [and most are,

The analysis was just that - an analysis. If there was a fork in the way the code runs, if the code checks for win-98 presence, then you presume the author of the analysis does not mention it on purpose. That would be sloppy. But your argument depends on it. But you have really no rational argument to support it.

> but that does NOT mean this is *only* applicable to NT based OSs.

The ball is in your court to find a posted analysis that confirms the code performs a check to see if it runs on win-98, and if so has the means to deal with that.

> And while you're at it, check these same style of attacks used by government:
> http:/peoplescounsel.org/dirt.htm
> http://peoplescounsel.org/ref/carnivore.htm
> Both of these are/were CROSS-PLATFORM/non-OS specific in their abilities.

And both of those have nothing to do with the price of tea in China.
#16
Full-Quoter MEB wrote:
> You missed the important part: The original hack contacts the actual hacking site for the OS SPECIFIC CODING.

What text exactly are you referring to? Do you know how to use cut and paste? Why don't you cut and paste here the text that supports your statement above?
#18
98 Guy wrote:
> Full-Quoter MEB wrote:
>> You missed the important part: The original hack contacts the actual hacking site for the OS SPECIFIC CODING.
>
> What text exactly are you referring to? Do you know how to use cut and paste? Why don't you cut and paste here the text that supports your statement above?

YOU cut it, so put it back ya friggin dip... Why don't YOU, for once, actually READ the information. Wouldn't that be a remarkable change from your usual nonsense and ignorant postings.

-- MEB
#20
98 Guy wrote:
> Full-quoter MEB wrote:
>>> But the take-home message is that Windows 98 is most likely not vulnerable to Mebroot by virtue of its design.
>>
>> Wrong. Pay more attention to the delivery method and method used to install the actual hack.
>
> For one thing, the delivery method (aka exploit) is not the important part. The delivery method exists only to retrieve and launch the real payload.
>
>> Pay more attention to the delivery method
>
> Even you paid no attention to the delivery method when you made the post. The focus of your post was on the botnet, not the exploit. You made no special effort to detail or explain what the delivery methods are for Mebroot / Torpig. But no matter, as win-98 is not vulnerable to the proposed exploits anyways (malformed pdf files).
>
>> I didn't write the MEB inclusions just to take up some of my time.
>
> Your "meb-notes" are so vague as to be meaningless. I have no idea what you were talking about in your "meb-inclusion". You provided no detail.
>
>> The picked apart version [analysis and discovered] WAS specific to NT [and most are,
>
> The analysis was just that - an analysis. If there was a fork in the way the code runs, if the code checks for win-98 presence, then you presume the author of the analysis does not mention it on purpose. That would be sloppy. But your argument depends on it. But you have really no rational argument to support it.
>
>> but that does NOT mean this is *only* applicable to NT based OSs.
>
> The ball is in your court to find a posted analysis that confirms the code performs a check to see if it runs on win-98, and if so has the means to deal with that.
>
>> And while you're at it, check these same style of attacks used by government:
>> http:/peoplescounsel.org/dirt.htm
>> http://peoplescounsel.org/ref/carnivore.htm
>> Both of these are/were CROSS-PLATFORM/non-OS specific in their abilities.
>
> And both of those have nothing to do with the price of tea in China.

You are one of the most ignorant pieces of crap I have run across yet....

READ THE MATERIAL, then use that brain of yours you claim to own and THINK about what is and was entailed... I know that will be difficult for you, but try; just because you are apparently a 98 IQ doesn't mean that with a little more work you might be a 100 or so.. there's always hope..

Here's the unique part: those links on my site you dismissed in your MASSIVE ignorance ARE not only similar, but one could reasonably propose, even coded basically the same [dirt in particular].... but I know that relationship will escape that limited intellect you suffer under.... What was one of the fears associated with dirt? That it would end up in the wrong hands... not the same exact code, doesn't matter; the ability, methodology, and usability had already been proofed..

Hey, while you're pondering how to relieve yourself of your rather obvious stupidity... peruse again through those links I previously provided...... you'll find the support there..

BTW, don't cut and paste my posts to suit your ignorance...

-- MEB