
Thread: Malwarebytes

  1. #21
    Dustin Guest

    Re: Malwarebytes

    G. Morgan <G_Morgan@easy.com> wrote in
    news:6s80v6ti98j3lkl4757926eaik2hr3cms7@Osama-is-dead.net:

    > And I wish I knew!


    It's really neat. But, my hands are tied.

    > I don't think it's malicious, it's installed on my machines!


    Same here. I routinely recommend it to people.

    > Of course I did, we'll see what he comes up with. ;-)


    I have a general idea. This isn't the first time he's made those
    comments...

    > I'm not talking about revealing code, I'm more interested in the
    > methodology. I guess I will have to do my own research. Maybe I can
    > get you to confirm or deny my suppositions when I learn a little more?


    The methodology is proprietary. I can't discuss any internals. I wouldn't
    be able to confirm or deny anything that isn't related to what
    Malwarebytes does or does not do. I.e.: in the case with BD, I know it
    doesn't do anything malicious and that's as specific as I can get.


    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again

  2. #22
    ~BD~ Guest

    Re: Malwarebytes

    G. Morgan wrote:
    > Dustin wrote:
    >
    >> Evidently you didn't catch my clarification request... MBAM has
    >> proprietary technology which allows it to hook lol (hehehe.. damn, I
    >> wish I could tell you) the file system.

    >
    > And I wish I knew!
    >
    >> MBAM is NOT malicious and
    >> doesn't install a rootkit or do anything else. I just can't tell you
    >> any specifics man, sorry. If you think it's malicious, you're about as
    >> bright as BD.

    >
    > I don't think it's malicious, it's installed on my machines!
    >
    >
    >> Did you seriously not catch what I really intended with my question?

    >
    > Of course I did, we'll see what he comes up with. ;-)
    >
    >>> That is not a trade secret I'm sure.

    >>
    >> Sadly, it is. Everybody's is. SuperAntispyware isn't going to cough up
    >> their specs either. LOL.

    >
    > I'm not talking about revealing code, I'm more interested in the
    > methodology. I guess I will have to do my own research. Maybe I can
    > get you to confirm or deny my suppositions when I learn a little more?


    Are you aware of anyone, Graham, who has loaded MBAM onto a fresh/clean
    computer and then run the programme - the result should of course be
    that nothing untoward would have been found.

    Has that same machine then been forensically examined to determine if
    MBAM has surreptitiously installed its very own malware - maybe a
    rootkit? In normal course, no one who might have used MBAM to eradicate
    malware would be remotely concerned once their computer appeared to be
    operating satisfactorily again - now would they?!!

    IIRC, SuperAntispyware was introduced at about the same time as MBAM.
    Has anyone tested *that* software in a similar manner?

    I'm not alleging anything - I'm asking straight-forward questions!

    FYI, you will see below that I *have* tried the diplomatic way (On
    Wilders Security forums) by PM - without result!

    **

    BD sent a PM last December as follows:-


    To: Marcin Kleczynski

    Hello!

    Please will you reconsider my ban and allow me to be a member of your
    Malwarebytes forum again?

    I had not meant to break the 'rules' by posting a slightly risqué Easter
    card to Dustin Cook and I apologise for so doing. I am truly sorry that
    my action offended.

    I use your product myself and have recommended it to many others,
    including some 'professionals'. You may be pleased to learn that I've
    just run version 1.50 on my wife's XP laptop and it was 'clean'!

    At the moment I am banned from posting! I hope you will help.

    Sincerely

    David B (aka BoaterDave and ~BD~ )

    *

    No response was received, so BD PM'd again as follows:-

    *

    Hello Bruce Harrison

    I wonder if you could help in this regard?
    (I copied my previous message to Marcin)

    No response has been received from Mr Kleczynski and I got nowhere from
    the bottom upwards.

    Please at least acknowledge this message, even if you have no way of
    helping. Thanks.

    *

    He replied as follows:-

    I hope you understand that I have no idea what you are talking about so
    there is no way I can say anything other than "I will have to look into
    this".

    *

    There was no further contact! :-(

    BD



  3. #23
    ~BD~ Guest

    Re: Malwarebytes +staff credentials


  4. #24
    Beauregard T. Shagnasty Guest

    Re: Malwarebytes

    ~BD~ wrote (using his own nym for a change):

    > I'm not alleging anything


    Yes you are, in your usual slimy innuendo'd way.

    > - I'm asking straight-forward questions!


    Ha! That qualifies for the Joke of the Month.

    --
    -bts
    -In a broadband world, you are just a dialup

  5. #25
    Polk Salad Guest

    Re: Malwarebytes

    In article <isvcpg$o1o$1@dont-email.me>, ~BD~@nomail.afraid.com says...


    >Please at least acknowledge this message, even if you have no way of
    >helping. Thanks.
    >
    >*
    >
    >He replied as follows:-
    >
    >I hope you understand that I have no idea what you are talking about so
    >there is no way I can say anything other than "I will have to look into
    >this".
    >
    >*
    >
    >There was no further contact! :-(


    Your absence the last few days has been "soothing."
    Too bad you had to spoil it.


  6. #26
    Bullwinkle. Guest

    Re: Malwarebytes

    Here is a straight forward question for you:

    Are you the father of your daughter's recent baby?

    Your word is no good you will need to provide proof, either way.


    "~BD~" <~BD~@nomail.afraid.com> wrote in message
    news:isvcpg$o1o$1@dont-email.me...

    I'm not alleging anything - I'm asking straight-forward questions!



  7. #27
    Dustin Guest

    Re: Malwarebytes

    ~BD~ <~BD~@nomail.afraid.com> wrote in
    news:isvcpg$o1o$1@dont-email.me:

    > I'm not alleging anything - I'm asking straight-forward questions!


    Yes you are. In a slimy fashion.




    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again

  8. #28
    G. Morgan Guest

    Re: Malwarebytes

    ~BD~ wrote:

    >Has that same machine then been forensically examined to determine if
    >MBAM has surreptitiously installed its very own malware - maybe a
    >rootkit? In normal course, no one who might have used MBAM to eradicate
    >malware would be remotely concerned once their computer appeared to be
    >operating satisfactorily again - now would they?!!
    >
    >IIRC, SuperAntispyware was introduced at about the same time as MBAM.
    >Has anyone tested *that* software in a similar manner?



    Well, I can confirm that running MBAM on a fresh Win 7 will not alert to
    anything. It also does not alter critical Windows files in the
    Windows/system dir. either. I ran the sfc /scannow utility included
    with 7 to test that very thing.

    I purposely infected one of my Win 7 installations by hopping around
    every pRon site I could click on. After 30 mins. or so (running as
    Admin, NO resident anti-sw utility, UAC turned off, and Avira
    installed/updated and running), I used Firefox and Chrome to load up
    100's of sites, oh yeah... I allowed scripts too. You have to... most
    of the pRon sites rely heavily on scripts to re-direct, pop-up,
    pop-under, and of course their money generating 'click-through' code.

    I sure hated to see all that pRon, but hey, someone has to do it! ;-)

    I received the dreaded "Windows Anti-Spyware 2011" malware. It's a
    pretty nasty sucker. I found it running "as" if it were Flashget, but
    the process was a hidden file that turned off real-time Avira, changed
    all the file ownerships it could to: "Trusted Installer" and left Admin
    AND System group members with only read access to the files. I found
    the process manually and termed it, then shredded it. That stopped the
    pop-up from coming up, but the damage remained. I documented much of
    my steps as I did it, but it's on the other machine that's turned off at
    the moment. Full report with questions is likely pending. But I'd
    like to make it re-producible for the researchers, since I'm not 100%
    sure that was the 'only' badware I got.

    SaS (picked at random to try first) did detect the Trojan, but did
    nothing to repair the OS. Ran MBAM too, same thing. It was hard to
    even run the exe's that were already compromised by the permissions
    attack. I actually had to re-download on another machine to get the
    bits. Every .exe I tried to launch even Notepad would not start, I
    would get the 'Open With" dialogue box each time. Work-around was to
    manually elevate and right-click "Run as administrator".

    Oh yeah, it also eventually led to a DNS poisoning on that machine. But
    it may be unrelated to the one that I was focused on. The damage was so
    extensive, I could never 'trust' that installation again. I think I
    documented enough info to give researchers, but I want to do it again
    more methodically next time. Why anyone would want that job (a
    researcher) is beyond me. My little experiment lasted almost 3 days for
    just this one infection. It is very tedious work, and since I'm
    starting from -zilch-. I don't know what tricks they use to isolate,
    identify, and repair; but I know after two weeks on the job I'd simply
    throw the PC out the window. It's not easy trying to figure out 'what'
    it does, but figuring out a repair process for each would drive me nuts.
    I have the attention span of a 2 year old some times. Being a
    researcher or programmer is not compatible with my non-ability to focus
    on so many details over a long period. I'm more of a "just fix it and
    go" guy as opposed to the one who must know 'why' and 'how' it got
    there.

    I keep two installations dual-booted for exactly this type of thing. One
    essential I did not have installed was "Winpatrol" by Bill P Studios.
    It's not an anti-malware program, but does alert you to any new start-up
    programs and services in real-time before it allows the change to occur
    (by means of pop-up). I would normally have that installed but forgot
    to for the experiment. I've been using Winpatrol for years. It's one
    of those exceptionally useful utilities that most 'normal' PC'ers have
    not even heard of. That's a shame. I ran the free version for years,
    then sent him some $$ since I use it so much. The paid version only
    unlocks some relatively useless stuff, as opposed to the other way
    around. Methinks "Bill P" is just a really nice guy, basically giving
    it away. I doubt he's making the money he could be if he were more of a
    self-serving jerk, à la "Big Corp. USA".

    Some of the best software is free though. I'm really disappointed Avira
    (free) failed to catch it and halt it, even more so since this bugger
    was able to turn off its RT protection.

    The day will come when some company manages to build a decent program
    that does both, but I've been waiting on that for a decade. Many have
    tried, all have miserably failed to be a one-proggy protection schema.

    Symantec is getting there with their "Enterprise End-Point Protection",
    never to be confused with Norton's 360°, consumer grade bloatware.


  9. #29
    Dustin Guest

    Re: Malwarebytes

    G. Morgan <G_Morgan@easy.com> wrote in
    news:ejc9v6l4nsje4kr612qfnm3jeq8tqbif1b@Osama-is-dead.net:

    > I received the dreaded "Windows Anti-Spyware 2011" malware. It's a
    > pretty nasty sucker. I found it running "as" if it were Flashget,
    > but the process was a hidden file that turned off real-time Avira,
    > changed all the file ownerships it could to: "Trusted Installer" and
    > left Admin AND System group members with only read access to the
    > files. I found the process manually and termed it, then shredded
    > it. That stopped the pop-up from coming up, but the damage
    > remained. I documented much of my steps as I did it, but it's on
    > the other machine that's turned off at the moment. Full report with
    > questions is likely pending. But I'd like to make it re-producible
    > for the researchers, since I'm not 100% sure that was the 'only'
    > badware I got.


    Here's what's going on... You were close, though.

    It actually sets all files from root down to hidden. You lose your
    desktop icons and your programs menu has no entries. It's also
    redirecting (via registry edit) executables to be launched thru it, so
    if you do remove the executable you get the infamous open with box when
    you try to run something. You edit the registry to fix this... It's one
    line. ;p

    Reset your file attributes with attrib.

    > Oh yeah, it also eventually led to a DNS poisoning on that machine.
    > But it may be unrelated to the one that I was focused on. The


    I haven't seen DNS poisoning. You likely had the rootkit TDL4 as well.
    It's a ***** too, man. Patches key Windows files.

    > Some of the best software is free though. I'm really disappointed
    > Avira (free) failed to catch it and halt it, even more so since this
    > bugger was able to turn off its RT protection.


    It turns off the RT the same way you would via the GUI, man. You
    can't fault Avira for that. Poor Avira doesn't know it's not you
    clicking away.

    > The day will come when some company manages to build a decent
    > program that does both, but I've been waiting on that for a decade.
    > Many have tried, all have miserably failed to be a one-proggy
    > protection schema.


    You aren't going to find one anytime soon. These malware programs are
    mainly trojans. Thousands pumped out via poly server side work daily.
    No program is ever going to catch them all.



    --
    Why drink the water from my hand?
    Contagious as you think I am
    Just tilt my sun towards your domain
    Your cup runneth over again

  10. #30
    David H. Lipman Guest

    Re: Malwarebytes

    From: "Dustin" <bughunter.dustin@gmail.com>

    > G. Morgan <G_Morgan@easy.com> wrote in
    > news:ejc9v6l4nsje4kr612qfnm3jeq8tqbif1b@Osama-is-dead.net:
    >
    >> I received the dreaded "Windows Anti-Spyware 2011" malware. It's a
    >> pretty nasty sucker. I found it running "as" if it were Flashget,
    >> but the process was a hidden file that turned off real-time Avira,
    >> changed all the file ownerships it could to: "Trusted Installer" and
    >> left Admin AND System group members with only read access to the
    >> files. I found the process manually and termed it, then shredded
    >> it. That stopped the pop-up from coming up, but the damage
    >> remained. I documented much of my steps as I did it, but it's on
    >> the other machine that's turned off at the moment. Full report with
    >> questions is likely pending. But I'd like to make it re-producible
    >> for the researchers, since I'm not 100% sure that was the 'only'
    >> badware I got.

    >
    > Here's what's going on... You were close, though.
    >
    > It actually sets all files from root down to hidden. You lose your
    > desktop icons and your programs menu has no entries. It's also
    > redirecting (via registry edit) executables to be launched thru it, so
    > if you do remove the executable you get the infamous open with box when
    > you try to run something. You edit the registry to fix this... It's one
    > line. ;p
    >
    > Reset your file attributes with attrib.



    Lawrence Abrams (aka Grinler) created UNHIDE.EXE for this purpose.
    http://download.bleepingcomputer.com/grinler/unhide.exe


    I was given a notebook to clean and UNHIDE did the job.


    >
    >> Oh yeah, it also eventually led to a DNS poisoning on that machine.
    >> But it may be unrelated to the one that I was focused on. The

    >
    > I haven't seen DNS poisoning. You likely had the rootkit TDL4 as well.
    > It's a ***** too, man. Patches key Windows files.
    >
    >> Some of the best software is free though. I'm really disappointed
    >> Avira (free) failed to catch it and halt it, even more so since this
    >> bugger was able to turn off its RT protection.

    >
    > It turns off the RT the same way you would via the GUI, man. You
    > can't fault Avira for that. Poor Avira doesn't know it's not you
    > clicking away.
    >
    >> The day will come when some company manages to build a decent
    >> program that does both, but I've been waiting on that for a decade.
    >> Many have tried, all have miserably failed to be a one-proggy
    >> protection schema.

    >
    > You aren't going to find one anytime soon. These malware programs are
    > mainly trojans. Thousands pumped out via poly server side work daily.
    > No program is ever going to catch them all.
    >





    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp
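
    The two symptoms Dustin describes in #29 (every file from the root down set hidden, and .exe launches redirected through a registry edit so that removing the dropper leaves the "Open With" box) can be audited and the attrib-style repair scripted. The following PowerShell is an added example written for this thread; it is not code from any of the posters, from Malwarebytes or from BleepingComputer, and it does the same hidden-attribute repair that UNHIDE in #30 is used for. It assumes that a clean Windows install carries `"%1" %*` as the default open command for `exefile` and `exefile` as the default value of the `.exe` class, and it is meant to be run from an elevated prompt.

```powershell
# Added example (not from the thread or from any vendor): audit the .exe
# launch association and the hidden-attribute sweep, then reset attributes.
# Assumption: '"%1" %*' is the stock default for exefile\shell\open\command
# and 'exefile' is the stock default value of the .exe class.

$ExpectedExeCommand = '"%1" %*'

function Test-ExeAssociation {
    # One result per check. HKCU\Software\Classes is merged over the HKLM
    # classes, so an exefile key under the user hive is itself suspicious:
    # a clean profile normally has none.
    $checks = @(
        @{ Hive = 'HKLM'; Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command' },
        @{ Hive = 'HKCU'; Path = 'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\exefile\shell\open\command' }
    )
    foreach ($c in $checks) {
        $key = Get-Item -Path $c.Path -ErrorAction SilentlyContinue
        $cmd = $null
        if ($key) { $cmd = $key.GetValue('') }   # '' = the (Default) value
        $status = 'absent'
        if ($null -ne $cmd) {
            $status = if ($cmd -eq $ExpectedExeCommand) { 'default' } else { 'REDIRECTED' }
        }
        [pscustomobject]@{ Hive = $c.Hive; Value = $cmd; Status = $status }
    }
    # The extension itself must map to exefile; any other class name means
    # .exe launches are being handled by something else.
    $extKey = Get-Item 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe' -ErrorAction SilentlyContinue
    $ext = $null
    if ($extKey) { $ext = $extKey.GetValue('') }
    $extStatus = if ($ext -eq 'exefile') { 'default' } else { 'REDIRECTED' }
    [pscustomobject]@{ Hive = 'HKLM'; Value = ".exe -> $ext"; Status = $extStatus }
}

function Get-HiddenItemCount {
    param([Parameter(Mandatory)][string]$Root)
    # Counts files and folders under $Root carrying the Hidden attribute.
    # A clean profile has a handful (desktop.ini, AppData, ntuser.dat);
    # thousands is the "everything from root down to hidden" symptom.
    @(Get-ChildItem -Path $Root -Recurse -Force -Attributes Hidden -ErrorAction SilentlyContinue).Count
}

function Restore-FileAttributes {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$Apply
    )
    # Clears Hidden and System from every item under $Root, the script
    # equivalent of:  attrib -h -s "$Root\*" /s /d
    # Caveat: like attrib, this also unhides items Windows hides on purpose
    # (desktop.ini, ntuser.dat), so point it at the affected tree, not C:\.
    # Without -Apply it only lists what it would change.
    $mask  = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $items = Get-ChildItem -Path $Root -Recurse -Force -Attributes Hidden -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        if ($Apply) {
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot $mask)
        } else {
            Write-Output "would unhide: $($item.FullName)"
        }
    }
}

# Usage: audit first; repair the affected tree only after the dropper is gone,
# otherwise it simply re-hides everything on the next run.
Test-ExeAssociation | Format-Table -AutoSize
"Hidden items under $env:USERPROFILE : $(Get-HiddenItemCount -Root $env:USERPROFILE)"
# Restore-FileAttributes -Root $env:USERPROFILE          # dry run
# Restore-FileAttributes -Root $env:USERPROFILE -Apply   # clear the attributes
```

    A `REDIRECTED` row from the audit is the registry "one line" Dustin refers to: the expected value is known, so the fix is to restore it rather than to guess at what the malware wrote. The attribute reset is deliberately a dry run by default, because bulk attribute changes are hard to undo and the same sweep on `C:\` would unhide files the OS keeps hidden for good reason.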


