#1
Windows reality - The Torpig botnet and LOTS of others out here
Yet another botnet is hacked from the outside; this one uses the boot record/MBR to store the hack to take over Windows computers.
http://www.theregister.co.uk/2008/10...anking_trojan/

One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts
http://www.rsa.com/blog/blog_entry.aspx?id=1378

Botnet hijack: Researchers dissect Torpig malware operation
http://threatpost.com/blogs/botnet-h...ware-operation

UC Santa Barbara
http://www.cs.ucsb.edu/~seclab/proje...pig/index.html

Analysis of Sinowal
http://web17.webbpro.de/index.php?pa...sis-of-sinowal

MEB NOTE: this hack has changed over time [it's been around for around four years or so]; thinking it works in only one OS or group of OSs is NOT a reasonable approach to inhibiting its expansion. The reason WHY is it happens to be extremely successful and extremely difficult to detect and remove. Numerous variants now exist.

Antivirus tools try to remove Sinowal/Mebroot
http://windowssecrets.com/2008/11/26...inowal-Mebroot

MBR/Mebroot/Sinowal/Torpig is back – better than ever
http://www.trustdefender.com/blog/20...ter-than-ever/

File eyu4vh.exe received on 01.05.2009 05:30:58 (CET)
http://www.virustotal.com/analisis/f...e7b6f1ead6bcec

MEB NOTE: the hack can be in several different forms; the above shows one variant.

http://securityorb.com/blog/?cat=32
http://www.eweek.com/c/a/Security/MS...tack-Reloaded/

Storm Botnet Is Behind Two New Attacks
http://it.slashdot.org/it/07/08/26/1558245.shtml

Power Point 5 - botnets - PDF
http://www.cs.utexas.edu/~yzhang/tea...lides/5-10.pdf

-- ~ -- MEB
http://peoplescounsel.org/ref/windows-main.htm Windows Diagnostics, Security, Networking
http://peoplescounsel.org The *REAL WORLD* of Law, Justice, and Government
#2
Windows reality - The Torpig botnet and LOTS of others out here
MEB wrote in :
> SNIP
> http://web17.webbpro.de/index.php?pa...sis-of-sinowal
> "only XP systems are affected because..."

Viva 98!

--
Lots of theoretical butchers are alleged and other bloody eyes are suitable, but will Pam secure that?
#4
Windows reality - The Torpig botnet and LOTS of others out here
MEB wrote:
> Yet another botnet is hacked from the outside, this one uses the boot record/MBR to store the hack to take over Windows computers.

I find the name somewhat ironic. Mebroot. MEB root.

Based on this technical analysis:
http://www.trustdefender.com/blog/20...ous-than-ever/

1) Mebroot is mainly deployed through a drive-by download when you visit "everyday" websites - sometimes (or usually) delivered via recent pdf file exploits (which we know windows-98 / adobe acrobat 6 are not vulnerable to).

2) After infecting the Master Boot Record, it employs a complicated mechanism to inject itself into the ATAPI hard drive driver.

Presumably the XP ATAPI driver (atapi.sys) operates or is constructed differently than the windows-98 ATAPI driver. In fact, there is no such file (atapi.sys) on a typical win-98 system (at least not on my system).

3) Once it's made itself part of the ATAPI driver, it uses that position to then alter core windows components (svchost.exe and services.exe).

Since Windows 98 does not have those files or provide "services" the same way that NT-based OS's do, Mebroot must either have additional code to support operation on win-9x platforms, or it simply aborts itself and does not function if it finds itself on those platforms.

> Analysis of Sinowal
> http://web17.webbpro.de/index.php?pa...sis-of-sinowal

Thanks for the link MEB. If you go to this section: "Runtime Execution of Sinowal", you'll see that Mebroot (Sinowal) is heavily dependent on running on and finding (hooking) NT kernel files (ntldr and ntoskrnl). Again, more evidence that Mebroot can't run or function as intended on win-9x systems.

> MEB NOTE: this hack has changed over time [it's been around for around four years or so], thinking it works in only one OS or group of OSs is NOT a reasonable approach to inhibiting its expansion. The reason WHY is it happens to be extremely successful and extremely difficult to detect and remove. Numerous variants now exist.

I'm surprised that NT-based systems will allow reading or writing to the MBR, or that AV programs don't catch and prevent that sort of activity. Even if they don't detect the Mebroot infector file or exploit, they should at least be able to detect and prevent MBR tampering. Mebroot analysis doesn't indicate that AV software is scanned for and disabled as part of its functionality.

But the take-home message is that Windows 98 is most likely not vulnerable to Mebroot by virtue of its design.
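An added example, not from this thread or any of the linked analyses, of the MBR tampering check that the post above expects antivirus software to perform: it parses a one-sector MBR into boot code, partition table and signature, hashes the boot code separately, and compares against a trusted baseline, so a Mebroot-style infection that rewrites the boot code while leaving the partition table intact is flagged. The sample sectors are constructed inline; `make_sample_mbr`, `parse_mbr` and `check_mbr` are names chosen for this example.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code that an MBR infector rewrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"  # bytes 510..511 mark a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split one raw MBR sector into a boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one sector (512 bytes)")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:] == SIGNATURE,
    }


def check_mbr(baseline: bytes, current: bytes) -> list:
    """Compare the current MBR with a trusted baseline; an empty list means no tampering seen."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("signature missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code modified")  # Mebroot-style: code replaced, table kept
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one bootable NTFS-type partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    return code + entry + b"\x00" * 48 + SIGNATURE


# Constructed baseline and a tampered copy whose boot code differs but whose partition table is intact.
BASELINE = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32)
TAMPERED = make_sample_mbr(b"\xeb\x58\x90" + b"\xcc" * 64)
```

On a live Windows host the current sector would be read from `\\.\PhysicalDrive0` with administrator rights and compared against a baseline captured when the machine was known to be clean.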
#6
Windows reality - The Torpig botnet and LOTS of others out here
thanatoid wrote:
> http://web17.webbpro.de/index.php?pa...sis-of-sinowal
> "only XP systems are affected because..."
> Viva 98!

Yes. I missed that:

--------------
Affected Systems

Only Windows XP operating systems are affected, because of the file and mechanism dependencies of Sinowal. Sinowal includes statical signatures to find the respective code to hook in system files; they are static and may not be found in different file versions. Sinowal has the following file dependencies:

* Master Boot Record to be just one sector big
* ntldr
* ntoskrnl
* memory directly after ntoskrnl in memory to be free
* Partition Table may not be changed

(no mention of the atapi driver here)
---------------

In looking up information on Mebroot / Sinowal, I found many pages showing Windows 98 in the list of vulnerable operating systems. A continuation of stupid, misleading, ignorant or reflexive tendencies to add Windows 98 to such lists, or a concerted effort to continue the illusion that windows 98 is vulnerable to even the most recent exploits and malware.

With regard to this and future malware, we will continue to see win-98 show up incorrectly on lists of affected systems, and MEB will continue to bring the new malware to our attention - even though they are not (and most likely will not be) operable on or compatible with windows 98.
#8
Windows reality - The Torpig botnet and LOTS of others out here
98 Guy wrote in :
> thanatoid wrote:
> > http://web17.webbpro.de/index.php?pa...ysis-of-sinowal
> > "only XP systems are affected because..."
>
> SNIP
>
> In looking up information on Mebroot / Sinowal, I found many pages showing Windows 98 in the list of vulnerable operating systems. A continuation of stupid, misleading, ignorant or reflexive tendencies to add Windows 98 to such lists, or a concerted effort to continue the illusion that windows 98 is vulnerable to even the most recent exploits and malware.
>
> With regard to this and future malware, we will continue to see win-98 show up incorrectly on lists of affected systems, and MEB will continue to bring the new malware to our attention - even though they are not (and most likely will not be) operable on or compatible with windows 98.

I am sticking with 98SELite, I don't use any other MS "software", I have ScriptSentry installed, and I don't care about any online "dangers". In 15 years I have gotten ONE virus in an email from an idiot friend. (It couldn't do anything because I had the system well-secured, but it sure was unwilling to be removed.)

--
Lots of theoretical butchers are alleged and other bloody eyes are suitable, but will Pam secure that?
#10
Windows reality - The Torpig botnet and LOTS of others out here
98 Guy wrote:
> thanatoid wrote:
> > http://web17.webbpro.de/index.php?pa...sis-of-sinowal
> > "only XP systems are affected because..."
> > Viva 98!
>
> Yes. I missed that:
>
> --------------
> Affected Systems
>
> Only Windows XP operating systems are affected, because of the file and mechanism dependencies of Sinowal. Sinowal includes statical signatures to find the respective code to hook in system files; they are static and may not be found in different file versions. Sinowal has the following file dependencies:
>
> * Master Boot Record to be just one sector big
> * ntldr
> * ntoskrnl
> * memory directly after ntoskrnl in memory to be free
> * Partition Table may not be changed
>
> (no mention of the atapi driver here)
> ---------------
>
> In looking up information on Mebroot / Sinowal, I found many pages showing Windows 98 in the list of vulnerable operating systems. A continuation of stupid, misleading, ignorant or reflexive tendencies to add Windows 98 to such lists, or a concerted effort to continue the illusion that windows 98 is vulnerable to even the most recent exploits and malware.
>
> With regard to this and future malware, we will continue to see win-98 show up incorrectly on lists of affected systems, and MEB will continue to bring the new malware to our attention - even though they are not (and most likely will not be) operable on or compatible with windows 98.

You missed the important part: the original hack contacts the actual hacking site for the OS SPECIFIC CODING. 9X is not in-vulnerable... sorry.

-- ~ -- MEB
http://peoplescounsel.org/ref/windows-main.htm Windows Diagnostics, Security, Networking
http://peoplescounsel.org The *REAL WORLD* of Law, Justice, and Government