
Thread: Malwarebytes

  1. #51
    Dustin Guest

    Re: Malwarebytes

    ~BD~ <~BD~@nomail.afraid.com> wrote in
    news:it4ct2$o4f$1@dont-email.me:

    > WTF???? I've no idea what you mean by this.


    Must be an American only thing...google it.

    > My understanding to date is that efficient Malware can reside inside
    > a computer without the knowledge of a user (even if he's a techie!).
    > Do you dispute this?


    I would tend to dispute that. If you really understand the software and
    the hardware and you don't buy into the movie BS, you know that's
    simply NOT really possible.

    > Do *you* have the skill to carry out a forensic test on a computer
    > just as I've described?


    BD,

    I have the skill to enter a courtroom as an expert witness in computer
    forensics, yes. In fact, I have done so. You already know this. Digital
    forensics, ****head, is digital forensics.

    Stop being anal. Malwarebytes is NOT malicious.

    >> You were blatantly advertising the usage of warez.
    >
    > Again, that's your opinion. I certainly had the permission of the
    > licensee of the Symantec corporate product and it was used only for
    > test purposes over a few weeks. It was never used on any computer
    > for the day-to-day protection of a personal computer. As far as I'm
    > concerned, no harm was done (even though, perhaps, not strictly in
    > accord with the Symantec license).


    Not an opinion. Again you confuse opinion with fact. Fact, the licensee
    didn't have the legal right to "loan" you a copy. Once you took that
    disc, you had warez. When you actually made use of it and discussed it,
    you violated forum policies and the rest is history. Your "opinion"
    which has no facts to support it is that you had the permission. LOL.
    You didn't, dude, as he didn't have it to give you in the first place.


    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again

  2. #52
    Dustin Guest

    Re: Malwarebytes

    G. Morgan <G_Morgan@easy.com> wrote in
    news:bsrbv6lrsn8ilr3rf6lkv50jgbhfmumsc8@Osama-is-dead.net:

    > notification or confirmation. There are key loggers that get by
    > MBAM, SaS, and Windows Defender.


    If you have viable samples and want to contribute to their demise, send
    them along to me. I'll pass them to the MBAM team and I might even do a
    bughunter update just for ****s and giggles.

    > Spector Pro Keylogger is one such program. Why do companies like
    > MBAM, SaS, and M$, ignore this very serious threat? Are they in bed
    > with the manufacturer to buy their way out of being on the
    > detection list?


    BugHunter already knows various versions of the spectorsoft commercial
    keylogger. Despite legal threats, I never removed the definitions. MBAM
    also recognizes some versions. They update the software often to keep
    out of our databases tho. heh. I thought you knew that, since you seem
    to know so much now...

    > Or are the malware companies too scared to include commercial
    > products in the list for fear of legal reasons?


    LOL! Not hardly.

    > Maybe they are not able to figure out how to detect and remove it?


    Dude, seriously? Spectorsoft is a well-behaved, semi-stealthed (not
    really) program. It's child's play to detect and remove. Don't buy its
    nonsense sales hype. It does routinely provide newer executable builds
    which evade the known definitions. It's a cat/mouse game and since it's
    commercial, maybe they just aren't interested in buying it to detect it
    for a week or two?

    > What's the deal Dustin and David? Why won't MBAM detect Spector
    > Pro?


    http://forums.malwarebytes.org/

    When I worked there, we did. You can ask that question in the forums
    and one of the people can explain things.


    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again

  3. #53
    ~BD~ Guest

    Re: Malwarebytes

    Dustin wrote:
    > I own you BD, I always will.


    *FAR CANAL*!!!!

  4. #54
    Dustin Guest

    Re: Malwarebytes

    ~BD~ <~BD~@nomail.afraid.com> wrote in news:it6055$7ia$1@dont-email.me:

    > Dustin wrote:
    >> I own you BD, I always will.
    >
    > *FAR CANAL*!!!!


    submission to 0wnage accepted.
    Now, go make me some fresh coffee.


    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again

  5. #55
    G. Morgan Guest

    Re: Malwarebytes

    Dustin wrote:

    >Doubtful rootkit is present...
    >Wish I could have seen that box man.


    I wish I saved an image of it now for analysis.

    Making matters worse is I can't find the notes. I wrote down the .exe
    name and 3 files it created.

    Okay, I'll try again. Please tell me your method for documenting stuff
    and the order you look for things. Since this was my first 'malware
    research', I was playing it all by best guesses and happenstance.

    I was just looking at running processes and services from "all users",
    and examined the ones I didn't recognize. I found the .exe when I got
    the pop-up, ran taskman, right-clicked the "Windows Anti-Spyware" and
    went to the file location. It brought me to the download directory, but
    it was not there. I had not yet set Windows to show hidden and system
    files, but when I did, there they were. I killed the .exe just to begin
    to see the damage. If I hadn't, the pop-up would not have allowed me to
    get anything done; it was very persistent.




  6. #56
    G. Morgan Guest

    Re: Malwarebytes

    Dustin wrote:

    >If you have viable samples and want to contribute to their demise, send
    >them along to me. I'll pass them to the MBAM team and I might even do a
    >bughunter update just for ****s and giggles.


    Spector was the only one I tested. I posed this same question back when
    I tested it (couple of years ago) and got <crickets>

    >BugHunter already knows various versions of the spectorsoft commercial
    >keylogger. Despite legal threats, I never removed the definitions.


    Good for you! I'm glad you didn't cave. If they had taken you to court
    and you won, it would set a great precedent. Maybe that's why they
    never pursued it?

    > MBAM
    >also recognizes some versions. They update the software often to keep
    >out of our databases tho. heh. I thought you knew that, since you seem
    >to know so much now...


    Actually, I did not know that a 'respected security' company would
    intentionally evade malware scanners so often.

    What is a sysadmin to do if there is no reliable way to detect and
    remove? I had root access to lots of computers in an HP lab, I could
    have easily installed it. How would the admin know his system was 100%
    clean?

    I guess the answer is, he can't.

    >It's a cat/mouse game and since it's
    >commercial, maybe they just aren't interested in buying it to detect it
    >for a week or two?


    It's a commercial spyware program that should be detectable. Microsoft
    should include its newest signature in every pushed update of the
    "malicious removal tool".


    >When I worked there, we did. You can ask that question in the forums
    >and one of the people can explain things.


    Meh.. maybe later.



  7. #57
    Dustin Guest

    Re: Malwarebytes

    G. Morgan <G_Morgan@easy.com> wrote in
    news:im9dv616jtpm0t630hs6826lt23ls062v6@Osama-is-dead.net:

    > Good for you! I'm glad you didn't cave. If they had taken you to
    > court and you won, it would set a great precedent. Maybe that's why
    > they never pursued it?


    Hmm. I doubt that's the reason. More likely, BugHunter is completely
    free and I have nothing they could take. lol. BugHunter isn't as
    mainstream as the others tho, either. In any event, I don't care much
    for lawyers and I tend to tell them as much.

    > Actually, I did not know that a 'respected security' company would
    > intentionally evade malware scanners so often.


    LOL, they have to. Imagine you purchased it, you load it on your wife's
    laptop (you think she's ****ing around). She scans the box, the damn
    thing gets caught... before it can transfer its goodies over to you.

    > What is a sysadmin to do if there is no reliable way to detect and
    > remove? I had root access to lots of computers in an HP lab, I
    > could have easily installed it. How would the admin know his system
    > was 100% clean?


    An admin with the proper tools can have a nice look around that box and
    know for reasonable certainty that it's clean.

    > I guess the answer is, he can't.


    For some, I suppose. For example, if I don't trust this box's OS, I boot
    Bart. Try hiding from me then, when your codebase isn't running. The
    thing is, you can't then. You're wide open, I *will* find you. You forget
    the side of the tracks I come from, I guess. Trojans, stealth... nice n
    all, but I know the tricks too.



    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again

  8. #58
    Buffalo Guest

    Re: Malwarebytes



    Bullwinkle. wrote:
    > It will help if you give honest answers
    >
    > Here is a straight forward question for you:
    >
    > Are you the father of your daughters recent baby?
    >
    > Your word is no good you will need to provide proof, either way.
    >
    > Remembering there is a 50-50 chance she is not your daughter.
    >
    > So you may be ok if you are the dad of the baby.


    Hey Bulltinkle, you are even a bigger neurotic a-hole here than you are in
    the 24hr ng.
    Ask your mental dr for help, or, if you don't have one yet, GET ONE, ASAP!!!
    Buffalo



  9. #59
    G. Morgan Guest

    Re: Malwarebytes

    Dustin wrote:

    >An admin with the proper tools can have a nice look around that box and
    >know for reasonable certainty that it's clean.



    What tools? Spector changes and morphs, so there is no guarantee. I
    suppose the admin could whitelist services and processes, but that
    would impede the work that has to be done. Besides, I was an admin
    member on some machines.



  10. #60
    Dustin Guest

    Re: Malwarebytes

    G. Morgan <G_Morgan@easy.com> wrote in
    news:mdjfv6trfl4vtbvju8pti9155pldjbbrar@Osama-is-dead.net:

    > Dustin wrote:
    >
    >>An admin with the proper tools can have a nice look around that box
    >>and know for reasonable certainty that it's clean.
    >
    > What tools? Spector changes and morphs, so there is no guarantee.
    > I suppose the admin could whitelist services and processes, but
    > that would impede the work that has to be done. Besides, I was an
    > admin member on some machines.


    While spector does change and morph, not ALL of the executable does so.
    I don't know why you want to get cheeky with me, but you're going to be
    sorry you did...Evidently you don't write code or study it, so here's a
    schooling for you.

    Boot Bart, ensure the OS environment is under my rules. Back up the
    system's registry hive files to, say, C:\HOLD1. Next, mount the local
    system registry hive SOFTWARE, examine ALL of the possible load points
    for any executables. Examine them with snoop and if necessary, IDA
    Pro/OllyDebug.

    Unload said hive, making changes as needed (I'll find spector this way
    alone, but I want you to understand your lesson well, so we're going
    further).

    Load SYSTEM hive, examine ALL load points (drivers baby!). Spector
    isn't here, I'm doing this for your education. Take notes. Unload
    system hive.

    SAM hive contains security/passwords. If you need to hack your way past
    the admin pass, that's the file you **** with. IPSec issues are dealt
    with in this file too. Take notes.

    Once you find spector (it's a telltale giveaway: it'll be sitting in
    some hidden folder with a funny executable name). Should that not be
    enough of an eye-glaring catcher, when you open it in snoop and start
    viewing the text sections only, it'll mention its company's copyrights
    and a slew of other things. When I said it changed to avoid sig scans,
    it does, but not everything changes and when it changes, it's really
    just being moved from one place to another. Shuffle the code around in
    the editor, recompile kinda deal. Same program, different executable.
    [g]

    Once I'm done playing in the registry, it's time to look on root for a
    fake explorer.exe (windows will autoload it if it's present). Next I
    peruse the startup folders where I know for sure windows will
    automagically run things. Finally, the temp folders, just in case the
    executables I found have friends they'll shell out to later.

    I may even have a looksee in the drivers folder, as the rootkit won't
    be resident and able to hide from me. I do a digital signature
    verification via command line on all windows folders. Any dlls which
    fail it are plucked for a closer examination. Unless I already know
    the dll by its hash. I have a large database, doing this for such a
    long time n all.

    Okay.. That covers the majority of getting dirty. I'm leaving a few
    things out, but I think you get the point now... Eh?



    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again
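The offline triage Dustin walks through in the post above (boot a clean environment, back up the hives, mount SOFTWARE and SYSTEM and walk the load points, check the root for a stray explorer.exe, the startup and temp folders, then signature-check the DLLs and drivers against a known-good hash list) can be scripted. The following is an added example and not Dustin's code or BugHunter's; it assumes a WinPE boot with PowerShell standing in for BartPE, the suspect volume mounted as D:, and a plain text file of known-good SHA-256 hashes at C:\known-good-sha256.txt (one per line); all three are assumptions, as are the hive names OffSoft and OffSys used for the temporary mounts.

```powershell
# Offline triage of a suspect Windows volume from a clean boot environment.
# Added example; $Target, $HoldDir, $KnownGood and the temporary hive names are assumptions.
param(
    [string]$Target    = 'D:',                          # suspect volume (assumed)
    [string]$HoldDir   = 'C:\HOLD1',                    # hive backup location, as in the post
    [string]$KnownGood = 'C:\known-good-sha256.txt'     # one SHA-256 per line (assumed format)
)

$hiveDir = Join-Path $Target 'Windows\System32\config'

# 1. Back up the hives before touching anything.
New-Item -ItemType Directory -Path $HoldDir -Force | Out-Null
foreach ($h in 'SOFTWARE', 'SYSTEM', 'SAM') {
    Copy-Item -Path (Join-Path $hiveDir $h) -Destination $HoldDir -Force
}

# 2. Mount the offline SOFTWARE hive and list the common autostart load points.
reg load HKLM\OffSoft (Join-Path $hiveDir 'SOFTWARE') | Out-Null
$runKeys = @(
    'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit live here
)
$autostarts = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {                          # skip PowerShell's own metadata
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}
[GC]::Collect()                                                    # drop handles so the unload succeeds
reg unload HKLM\OffSoft | Out-Null

# 3. Mount SYSTEM and list enabled services/drivers from the current control set.
reg load HKLM\OffSys (Join-Path $hiveDir 'SYSTEM') | Out-Null
$current = (Get-ItemProperty -Path 'HKLM:\OffSys\Select').Current
$svcRoot = 'HKLM:\OffSys\ControlSet{0:D3}\Services' -f $current
$drivers = Get-ChildItem -Path $svcRoot | ForEach-Object {
    $v = Get-ItemProperty -Path $_.PSPath
    if ($v.ImagePath -and $v.Start -ne 4) {                         # Start = 4 means disabled
        [pscustomobject]@{ Service = $_.PSChildName; Start = $v.Start; ImagePath = $v.ImagePath }
    }
}
[GC]::Collect()
reg unload HKLM\OffSys | Out-Null

# 4. File-system load points: explorer.exe on the root, startup folders, temp folders.
$fsChecks = @(
    (Join-Path $Target 'explorer.exe'),
    (Join-Path $Target 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*'),
    (Join-Path $Target 'Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*'),
    (Join-Path $Target 'Windows\Temp\*.exe'),
    (Join-Path $Target 'Users\*\AppData\Local\Temp\*.exe')
)
$fsHits = Get-Item -Path $fsChecks -ErrorAction SilentlyContinue

# 5. Signature check on DLLs and drivers under the Windows tree, skipping known-good hashes.
$known = @{}
if (Test-Path $KnownGood) {
    Get-Content -Path $KnownGood | ForEach-Object { $known[$_.Trim().ToUpper()] = $true }
}
$suspect = Get-ChildItem -Path (Join-Path $Target 'Windows') -Recurse -Include *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        if (-not $known.ContainsKey($hash)) {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status; SHA256 = $hash }
            }
        }
    }

'== Autostart values (SOFTWARE hive) =='; $autostarts | Format-Table -AutoSize
'== Enabled services/drivers (SYSTEM hive) =='; $drivers | Format-Table -AutoSize
'== File-system load points =='; $fsHits | Select-Object -ExpandProperty FullName
'== DLLs/drivers with no valid embedded signature =='; $suspect | Format-Table -AutoSize
```

Two caveats a practitioner will hit: reg load into HKLM needs an elevated session (WinPE runs as SYSTEM, so this is fine there), and Get-AuthenticodeSignature only sees embedded signatures, so on an offline volume the many Windows files that are catalog-signed report NotSigned. That is exactly why the known-good hash list does the bulk of the filtering; the signature result is a triage hint for what is left, not a verdict.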
