
Thread: I received a warning from Google ......

  1. #41
    Dustin Guest

    Re: I received a warning from Google ......

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:i44kh0011hs@news2.newsguy.com:

    > From: "FromTheRafters" <erratic@nomail.afraid.org>
    >
    >| "~BD~" <BoaterDave~no.spam~@hotmail.co.uk> wrote in message
    >| news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d@bt.com...
    >>> Dustin wrote:
    >>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
    >>>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d@bt.com:

    >
    >>>>> Dustin wrote:
    >>>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
    >>>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d@bt.com:

    >
    >>>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
    >>>>>>> anti-virus programme on an already compromised machine is, in
    >>>>>>> all probability, a futile exercise*.

    >
    >>>>>> LOL, you would certainly be in the minority if you think I was
    >>>>>> wrong in the advice I provided concerning malware.

    >
    >>> [....]

    >
    >
    >>> What FTR actually said .....

    >
    >>> "True, it could be installed and be kept from accessing certain
    >>> areas by a rootkit".

    >
    >>> Do you *really* disagree with that?

    >
    >| One thing you are apparently not getting the significance of is
    >| that the "installation software" for the proposed AV that you want
    >| to install on the "compromised" machine likely has its own
    >| detection software for known malware (including some rootkits)
    >| *and* rootkit detection software that alerts to inconsistencies in
    >| what is presented through APIs to the other tools due to filter
    >| drivers and the like.
    >
    >| It may be impossible to install such AV programs on a "compromised"
    >| machine, if the preinstallation detection software is aware of, yet
    >| not capable of removing detected malicious activity - it may tell
    >| you that you need to address the other issue before attempting to
    >| install that software (I'm not aware of this actually happening
    >| though).
    >
    >| The most likely scenario is that the installation goes off smoothly
    >| without a hitch on *most* compromised machines (removing the
    >| compromise in the process) - which, I believe, is Dustin's point.
    >
    >
    > That's a case of an in situ installation of a fully installed AV
    > solution.
    >
    > That's not the case of the hard disk being removed and placed
    > within a surrogate.


    Well, once you remove the host drive and take the suspect bad host out
    of the equation, it does make life easier for hunting malware. :P




    --
    "I like your Christ. I don't like your Christians. They are so unlike
    your Christ." - author unknown.
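
The cross-view check FromTheRafters describes in the quoted text above (alerting on inconsistencies in what the running system's APIs present), paired with the offline view you get once the drive sits in a surrogate machine, can be sketched as below. This is an added example, not part of the original thread or any product's code; the listings, the paths and the `VOLATILE` allow-list are constructed for illustration.

```python
from dataclasses import dataclass

# Files that legitimately differ between a running system and an offline
# mount (assumed allow-list for this example; tune it for a real host).
VOLATILE = {r"c:\pagefile.sys", r"c:\hiberfil.sys"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "hidden" or "altered"
    path: str
    detail: str


def normalise(listing):
    """Map path -> size with lower-cased keys (Windows paths ignore case)."""
    return {path.lower(): size for path, size in listing}


def cross_view(live, offline):
    """Compare the in-situ (API-reported) view with the offline raw view."""
    live_v, off_v = normalise(live), normalise(offline)
    findings = []
    for path, off_size in sorted(off_v.items()):
        if path in VOLATILE:
            continue
        if path not in live_v:
            # On disk, but filtered out of what the live system reports.
            findings.append(Finding("hidden", path, f"{off_size} bytes on disk"))
        elif live_v[path] != off_size:
            findings.append(
                Finding("altered", path, f"live={live_v[path]} offline={off_size}"))
    # Files seen only in the live view are ignored here: they may simply
    # have been created after the drive was imaged.
    return findings


# Constructed sample listings: (path, size in bytes).
LIVE = [(r"C:\Windows\System32\drivers\disk.sys", 51200),
        (r"C:\Windows\System32\ntoskrnl.exe", 3900000),
        (r"C:\pagefile.sys", 2147483648)]
OFFLINE = [(r"c:\windows\system32\drivers\disk.sys", 51200),
           (r"C:\Windows\System32\drivers\example_hidden.sys", 18432),
           (r"C:\Windows\System32\ntoskrnl.exe", 3912704),
           (r"C:\pagefile.sys", 1073741824)]

if __name__ == "__main__":
    for f in cross_view(LIVE, OFFLINE):
        print(f"{f.kind:8} {f.path}  ({f.detail})")
```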

  2. #42
    ~BD~ Guest

    Re: I received a warning from Google ......

    Dustin wrote:
    > ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote
    >> What FTR actually said .....
    >>
    >> "True, it could be installed and be kept from accessing certain
    >> areas by a rootkit".

    >
    > A rootkit still has to play by certain hard rules; nothing can be hidden
    > completely. Some in house developed tools for prior work with
    > malwarebytes are likely useful in such a scenario.


    Just to be clear, Dustin - it is *you* who is accepted as being the
    guru! I am simply an interested 'user' who is frustrated by the fact
    that bad guys use this marvelous technology with criminal intent.

    > I didn't say I couldn't do it without any tools. I just said I wouldn't
    > provide details. And what would be the point in doing so anyway? You
    > wouldn't understand what I was writing about... and I'd just be
    > providing information to anyone interested in circumventing technology
    > rootkit style. While I don't feel it's information that they couldn't
    > acquire on their own, I see no real point in.. well, advancing the
    > technology ahead of schedule.


    That all seems a most reasonable stance to take.

    >> Do you *really* disagree with that?

    >
    > Of course not, a rootkit is nothing more than stealth; BD. However,
    > it's not foolproof. The old adage is this: "Whatever software can do,
    > software can undo."; That does *not* include crypto, however. Another
    > beast entirely.
    >
    > To further on my post previous to you BD, Technology and the underlying
    > principles hasn't really changed that much. Computers are faster now,
    > sure; but they still follow the same laws if you will that the older
    > ones did. In the DOS days, TSR software could be what you would say is
    > a rootkit in the windows world; providing it was instructed to hide
    > folders from dir or windows explorer *g*.
    >
    >


    Let me now quote from another 'guru'

    "Performing a standard Disk Format and Reinstall of the Operating System
    will render common infections incompatible, but not all Rootkits and its
    accompanying payload of malware ..... Rootkits work from outside the
    Operating System and can hide in Bad Sectors of the Hard Disk - thus
    have places to hide on the Hard Disk that are essentially outside the
    Operating Systems environment, untouchable by it, yet still at hand.....

    Most wiping, erasing, formatting, and partitioning tools will not
    overwrite logical bad sectors on the Disk, leaving the Rootkits and
    their accompanying payload of malware behind and still active.....
    Rootkits in themselves are not a threat ..... the danger is that
    Rootkits have the invincible power of Stealth ..... Malicious
    Programmers can hide their malware safely inside the protection of the
    Rootkit....."

    **

    That doesn't sound too dissimilar to what *you* have said, does it?

    You may like to see the original, which is post Number 46 here:-

    http://forum.kaspersky.com/index.php...6&#entry485236

    That was a thread which I started back in Oct 2007! Maybe if others read
    all the posts there they'll have a better understanding of the /real/ BD!

    HTH

    --
    Dave - I had bought and was using Kaspersky AV Version7

  3. #43
    ~BD~ Guest

    Re: I received a warning from Google ......

    FromTheRafters wrote:
    > "~BD~"<BoaterDave~no.spam~@hotmail.co.uk> wrote in message
    > news:ifCdnZBsxp-fPPjRnZ2dnUVZ8vadnZ2d@bt.com...
    >> Dustin wrote:
    >>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
    >>> news:KNSdnZ_Wh89i4PnRnZ2dnUVZ8ridnZ2d@bt.com:
    >>>
    >>>> Dustin wrote:
    >>>>> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote in
    >>>>> news:35SdnQv8T-xdsvnRnZ2dnUVZ8mqdnZ2d@bt.com:
    >>>>>
    >>>>>> /I/ think *Dustin* is wrong. *I believe that installing an
    >>>>>> anti-virus programme on an already compromised machine is, in all
    >>>>>> probability, a futile exercise*.
    >>>>>
    >>>>> LOL, you would certainly be in the minority if you think I was
    >>>>> wrong in the advice I provided concerning malware.

    >>
    >> [....]
    >>
    >>
    >> What FTR actually said .....
    >>
    >> "True, it could be installed and be kept from accessing certain areas
    >> by a rootkit".
    >>
    >> Do you *really* disagree with that?

    >
    > One thing you are apparently not getting the significance of is that the
    > "installation software" for the proposed AV that you want to install on
    > the "compromised" machine likely has its own detection software for
    > known malware (including some rootkits) *and* rootkit detection software
    > that alerts to inconsistencies in what is presented through APIs to the
    > other tools due to filter drivers and the like.
    >
    > It may be impossible to install such AV programs on a "compromised"
    > machine, if the preinstallation detection software is aware of, yet not
    > capable of removing detected malicious activity - it may tell you that
    > you need to address the other issue before attempting to install that
    > software (I'm not aware of this actually happening though).
    >
    > The most likely scenario is that the installation goes off smoothly
    > without a hitch on *most* compromised machines (removing the compromise
    > in the process) - which, I believe, is Dustin's point.
    >
    >


    I accept what you say, FTR - especially the *most* part! ;-)

    No doubt you will review my post to Dustin Re: Kaspersky thread.

    As I've said to you many times before, I value your help and guidance.

  4. #44
    ~BD~ Guest

    Re: I received a warning from Google ......

    Peter Foldes wrote:
    > Don't feed the Trolls especially this Troll
    >


    What is your problem, Peter Foldes?

    Are you paying for 'the bandwidth' or is it another reason?

    *Everyone* is entitled to post on Usenet groups! ;-)



  5. #45
    Dustin Guest

    Re: I received a warning from Google ......

    ~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote in
    news:SO-dnbqjPJQ6zPvRnZ2dnUVZ7rednZ2d@bt.com:

    > Dustin wrote:
    >> ~BD~<BoaterDave~no.spam~@hotmail.co.uk> wrote
    >>> What FTR actually said .....
    >>>
    >>> "True, it could be installed and be kept from accessing certain
    >>> areas by a rootkit".

    >>
    >> A rootkit still has to play by certain hard rules; nothing can be
    >> hidden completely. Some in house developed tools for prior work
    >> with malwarebytes are likely useful in such a scenario.

    >
    > Just to be clear, Dustin - it is *you* who is accepted as being the
    > guru! I am simply an interested 'user' who is frustrated by the fact
    > that bad guys use this marvelous technology with criminal intent.


    Do you think I got the brownie points and respect from my peers
    overnight? I've been doing this for a very long time, BD.


    >> I didn't say I couldn't do it without any tools. I just said I
    >> wouldn't provide details. And what would be the point in doing so
    >> anyway? You wouldn't understand what I was writing about... and I'd
    >> just be providing information to anyone interested in circumventing
    >> technology rootkit style. While I don't feel it's information that
    >> they couldn't acquire on their own, I see no real point in.. well,
    >> advancing the technology ahead of schedule.

    >
    > That all seems a most reasonable stance to take.


    Finally, you're starting to understand.

    > Let me now quote from another 'guru'
    >
    > "Performing a standard Disk Format and Reinstall of the Operating
    > System will render common infections incompatible, but not all
    > Rootkits and its accompanying payload of malware ..... Rootkits work
    > from outside the Operating System and can hide in Bad Sectors of the
    > Hard Disk - thus have places to hide on the Hard Disk that are
    > essentially outside the Operating Systems environment, untouchable
    > by it, yet still at hand.....


    While they can hide in bad sectors, without code pointing the machine
    to run the code found in the bad sectors; it's like having the
    components on your shelf to make a bomb, but short of you mixing the
    stuff and wiring the circuits up; it's not going to explode.

    Sectors don't have much room, and you have to account for low level
    disk utilities such as spinrite that will test bad sectors and reissue
    them as good if they aren't actually bad; trashing the rootkit code
    storage site.

    > Most wiping, erasing, formatting, and partitioning tools will not
    > overwrite logical bad sectors on the Disk, leaving the Rootkits and
    > their accompanying payload of malware behind and still active.....


    You should ask the guru who wrote this doomsday scenario for a viable
    sample; or reference to one being shown wild. I won't hold my breath
    while I wait for those results, tho.

    > Rootkits in themselves are not a threat ..... the danger is that
    > Rootkits have the invincible power of Stealth ..... Malicious
    > Programmers can hide their malware safely inside the protection of
    > the Rootkit....."


    I disagree with invincible; they are still software; running at a lower
    level than say notepad, but still, software nonetheless.

    > That doesn't sound too dissimilar to what *you* have said, does it?


    Except I didn't try to scare anybody with the age old "it can hide in
    the bad sectors!"; Did you know some late 80s copy protection used a
    similar technique? In 1986, a game I bought for the coco3 had copy
    protection via bad sectors; the built in diskcopy program couldn't deal
    with bad sector disks, it would abort.

    > That was a thread which I started back in Oct 2007! Maybe if others
    > read all the posts there they'll have a better understanding of the
    > /real/ BD!


    The real BD? Seems, you're a paranoid person, to me.


    --
    "I like your Christ. I don't like your Christians. They are so unlike
    your Christ." - author unknown.
