
Thread: Ping: Dustin Cook - How would *you* find this rootkit?

  1. #11
    Dustin Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    Mike Easter <MikeE@ster.invalid> wrote in
    news:972jlcF6hhU1@mid.individual.net:

    > a.p.s only - no daft x-post to unrelated groups like a BD troll.
    >
    > ~BD~ wrote:
    >
    >> The latest TDL-4 version of the rootkit,

    >
    > The problems are/ start with/ detection. If you can detect a boot
    > sector problem/condition, then you have to 'get rid of' - zero or
    > perhaps replace - the boot sector which is followed by creation of a
    > new boot sector and operating system.


    Boot sector code can be lifted from the NT cdroms/dvds and dropped right
    over the bad code. No real biggie here.


    --
    (Hey) I keep on thinking that it's
    (Hey) all done and all over now (whoa)
    You keep on thinking you can save me save me
    (Hey) My ship is sinking but it's
    (Hey) all good and I can go down (whoa)
    You've got me thinking that the party's all over


  2. #12
    Dustin Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    ~BD~ <~BD~@nomail.afraid.com> wrote in
    news:iuh7me$rvc$1@dont-email.me:

    > The problem, surely, is knowing why one *should* look for a problem
    > in the first place! If all appears quite /normal/ to a computer user
    > ...!!!


    I'm not an average computer user. You're tilting at windmills, again.


    --
    (Hey) I keep on thinking that it's
    (Hey) all done and all over now (whoa)
    You keep on thinking you can save me save me
    (Hey) My ship is sinking but it's
    (Hey) all good and I can go down (whoa)
    You've got me thinking that the party's all over


  3. #13
    FromTheRafters Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    "~BD~" <~BD~@nomail.afraid.com> wrote in message
    news:iuh7me$rvc$1@dont-email.me...
    > Mike Easter wrote:
    >> a.p.s only - no daft x-post to unrelated groups like a BD troll.

    >
    > Adding an additional 34 readers is hardly trolling!
    >
    > alt.politics.scorched-earth alt.politics.scorched-earth@googlegroups.com
    > Language: English
    > 34 subscribers, Messages per month: 4267, Usenet
    >
    > http://groups.google.com/groups/dir?...ched-earth%2C&
    >
    > >
    > > ~BD~ wrote:
    > >
    > >> The latest TDL-4 version of the rootkit,

    > >
    > > The problems are/ start with/ detection. If you can detect a boot sector
    > > problem/condition, then you have to 'get rid of' - zero or perhaps
    > > replace - the boot sector which is followed by creation of a new boot
    > > sector and operating system.

    >
    > The problem, surely, is knowing why one *should* look for a problem in the
    > first place! If all appears quite /normal/ to a computer user ...!!!


    That's true, but what's your point? Are you paving the way to slimy
    innuendo, or are you actually asking about detecting or identifying
    a rootkit?

    You're probably not going to find such a rootkit unless you suspect one is
    present, or you routinely check the startup axis code. The thing is, a rootkit
    will likely be hiding something else, and that something else *does something*,
    more than likely using networking. When network activity is noticed, and an
    investigation is conducted, it will be noticed that tools on the computer doing
    the nefarious communicating are not giving a complete picture. It is *that*
    that will cause one to suspect a rootkit.

    Detection can be a behavioral thing, but identification requires more. Once
    you suspect it is there, you inspect it from a clean environment to identify
    it and possibly repair/replace affected areas.

    If a certain paranoid fantasy about otherwise legitimate security software
    (antivirus/antimalware) installing rootkits were actually true, said rootkits
    would be discovered in short order by the behavior (activity) the programs
    that they hide engage in.



  4. #14
    Aardvark Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    On Fri, 01 Jul 2011 06:40:55 -0400, FromTheRafters wrote:

    > If a certain paranoid fantasy about otherwise legitimate security
    > software (antivirus/antimalware) installing rootkits were actually true,
    > said rootkits would be discovered in short order by the behavior
    > (activity) the programs that they hide engage in.


    Yeah, but where would be the trolling fun for BD in accepting that fact?



    --
    "Those who do not make human beings the center of their concern soon
    lose the capacity to make any ethical choices, for they willingly
    sacrifice others in the name of the politically expedient and
    practical." - Dwight Macdonald, “The Root Is Man.”

  5. #15
    FromTheRafters Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?


    "Aardvark" <aardvark@youllnever.know> wrote in message
    news:ZhjPp.27447$J65.1301@newsfe14.ams2...
    > On Fri, 01 Jul 2011 06:40:55 -0400, FromTheRafters wrote:
    >
    >> If a certain paranoid fantasy about otherwise legitimate security
    >> software (antivirus/antimalware) installing rootkits were actually true,
    >> said rootkits would be discovered in short order by the behavior
    >> (activity) the programs that they hide engage in.

    >
    > Yeah, but where would be the trolling fun for BD in accepting that fact?


    Surely he wouldn't let a little logic cloud his vision.



  6. #16
    Aardvark Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    On Fri, 01 Jul 2011 09:32:23 -0400, FromTheRafters wrote:

    > "Aardvark" <aardvark@youllnever.know> wrote in message
    > news:ZhjPp.27447$J65.1301@newsfe14.ams2...
    >> On Fri, 01 Jul 2011 06:40:55 -0400, FromTheRafters wrote:
    >>
    >>> If a certain paranoid fantasy about otherwise legitimate security
    >>> software (antivirus/antimalware) installing rootkits were actually
    >>> true, said rootkits would be discovered in short order by the behavior
    >>> (activity) the programs that they hide engage in.

    >>
    >> Yeah, but where would be the trolling fun for BD in accepting that
    >> fact?

    >
    > Surely he wouldn't let a little logic cloud his vision.


    Of course not. Why start now?

    And that educating himself thing? Who needs that crap, eh?



    --
    "Those who do not make human beings the center of their concern soon
    lose the capacity to make any ethical choices, for they willingly
    sacrifice others in the name of the politically expedient and
    practical." - Dwight Macdonald, “The Root Is Man.”

  7. #17
    FromTheRafters Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    "Aardvark" <aardvark@youllnever.know> wrote in message
    news:ECkPp.27453$J65.18735@newsfe14.ams2...
    > On Fri, 01 Jul 2011 09:32:23 -0400, FromTheRafters wrote:
    >
    >> "Aardvark" <aardvark@youllnever.know> wrote in message
    >> news:ZhjPp.27447$J65.1301@newsfe14.ams2...
    >>> On Fri, 01 Jul 2011 06:40:55 -0400, FromTheRafters wrote:
    >>>
    >>>> If a certain paranoid fantasy about otherwise legitimate security
    >>>> software (antivirus/antimalware) installing rootkits were actually
    >>>> true, said rootkits would be discovered in short order by the behavior
    >>>> (activity) the programs that they hide engage in.
    >>>
    >>> Yeah, but where would be the trolling fun for BD in accepting that
    >>> fact?

    >>
    >> Surely he wouldn't let a little logic cloud his vision.

    >
    > Of course not. Why start now?
    >
    > And that educating himself thing? Who needs that crap, eh?


    You spelled "earh" wrong. )



  8. #18
    Aardvark Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    On Fri, 01 Jul 2011 12:19:07 -0400, FromTheRafters wrote:

    > "Aardvark" <aardvark@youllnever.know> wrote in message
    > news:ECkPp.27453$J65.18735@newsfe14.ams2...
    >> On Fri, 01 Jul 2011 09:32:23 -0400, FromTheRafters wrote:
    >>
    >>> "Aardvark" <aardvark@youllnever.know> wrote in message
    >>> news:ZhjPp.27447$J65.1301@newsfe14.ams2...
    >>>> On Fri, 01 Jul 2011 06:40:55 -0400, FromTheRafters wrote:
    >>>>
    >>>>> If a certain paranoid fantasy about otherwise legitimate security
    >>>>> software (antivirus/antimalware) installing rootkits were actually
    >>>>> true, said rootkits would be discovered in short order by the
    >>>>> behavior (activity) the programs that they hide engage in.
    >>>>
    >>>> Yeah, but where would be the trolling fun for BD in accepting that
    >>>> fact?
    >>>
    >>> Surely he wouldn't let a little logic cloud his vision.

    >>
    >> Of course not. Why start now?
    >>
    >> And that educating himself thing? Who needs that crap, eh?

    >
    > You spelled "earh" wrong. )


    Somebody did. I got a warning about the server not carrying the group,
    which I ignored and sent anyway. The next reply, I checked the groups and
    noticed the missing 't'.



    --
    "Those who do not make human beings the center of their concern soon
    lose the capacity to make any ethical choices, for they willingly
    sacrifice others in the name of the politically expedient and
    practical." - Dwight Macdonald, “The Root Is Man.”

  9. #19
    ~BD~ Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    David H. Lipman wrote:
    > From: "G. Morgan"<G_Morgan@easy.com>
    >
    >> ~BD~ wrote:
    >>
    >>> How do you suggest that one might become aware of its presence?
    >>>
    >>>> There are multiple ways that it can be detected as well.
    >>>
    >>> What methods of detection are available, Mr Lipman?

    >>
    >> http://support.kaspersky.com/viruses...?qid=208280684

    >
    >
    > http://www.securelist.com/en/analysi...0/TDL4_Top_Bot


    Interesting - thank you!

  10. #20
    ~BD~ Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    Dustin wrote:
    > Mike Easter<MikeE@ster.invalid> wrote in
    > news:972jlcF6hhU1@mid.individual.net:
    >
    >> a.p.s only - no daft x-post to unrelated groups like a BD troll.
    >>
    >> ~BD~ wrote:
    >>
    >>> The latest TDL-4 version of the rootkit,

    >>
    >> The problems are/ start with/ detection. If you can detect a boot
    >> sector problem/condition, then you have to 'get rid of' - zero or
    >> perhaps replace - the boot sector which is followed by creation of a
    >> new boot sector and operating system.

    >
    > Boot sector code can be lifted from the NT cdroms/dvds and dropped right
    > over the bad code. No real biggie here.
    >
    >


    Microsoft clarifies MBR rootkit removal advice

    http://www.computerworld.com/s/artic...curity+News%29

    Malware like Popureb is especially difficult to detect and delete once
    it's on a system because it overwrites the hard drive's MBR, the first
    sector -- sector 0 -- where code is stored to bootstrap the operating
    system after the computer's BIOS does its start-up checks. Because it
    hides on the MBR, the rootkit installed by Popureb makes not only
    itself, but any follow-on malware installed by it later, invisible to
    both the operating system and security software.

    MBR rootkit malware is among the most advanced of all threats,
    researchers said yesterday during interviews about a different family,
    called "TDL-4," a bot whose collection of compromised computers they
    called "practically indestructible."

    Several security firms have also weighed in on the debate about whether
    users need to reinstall Windows.

    "Reinstalling is definitely overkill for this malware problem," said
    Vikram Thakur, principal security response manager with Symantec, in an
    interview today. "It can be resolved simply by fixing the MBR via an
    external disk."

    Symantec offers a tool to help users do that.

    HTH

    Dave
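
    Both Dustin's reply further up (boot sector code lifted from the install
    media and dropped over the bad code) and the article quoted above (fix
    the MBR from an external disk) come down to the same operation on
    sector 0, and the detail that matters is which bytes you overwrite. The
    following is an added example, not code from the thread, from Microsoft
    or from any vendor tool: it parses a 512-byte MBR read from outside the
    running system, compares only the bootstrap code against a reference,
    and patches only that region, keeping the disk's own signature and
    partition table. The reference boot code and the disk image are
    constructed stand-ins so the example runs offline; the layout constants
    are the standard MBR layout.

```python
"""Inspect and repair a master boot record from a clean environment.

Added example, not code from the original thread or from any vendor tool.
Work on a disk image or a raw device opened read-only from a separate boot
environment, not on the live system: a rootkit that hooks the running OS's
disk reads can hand back a clean-looking sector 0, so the comparison has to
be made from outside. KNOWN_GOOD_BOOT_CODE is a constructed stand-in for the
bytes you would take from your own install media.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440       # bytes 440..443: disk signature (machine-specific)
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510      # bytes 510..511: 0x55 0xAA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into the fields that matter for inspection."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": parts,
        "valid_signature": sector[SIGNATURE_OFF:] == b"\x55\xAA",
    }


def boot_code_matches(sector: bytes, known_good: bytes) -> bool:
    """Compare only the bootstrap code. The disk signature and partition
    table are legitimately different on every machine and must not be part
    of the reference, or every disk would look 'infected'."""
    return sector[:BOOT_CODE_LEN] == known_good[:BOOT_CODE_LEN]


def repair_boot_code(sector: bytes, known_good: bytes) -> bytes:
    """Drop clean boot code over the first 440 bytes and nothing else.
    Writing all 512 bytes from the install media would also wipe this disk's
    partition table and signature and leave the volumes unreachable."""
    if not parse_mbr(sector)["valid_signature"]:
        raise ValueError("refusing to patch: 0x55AA missing, this is not an MBR")
    return known_good[:BOOT_CODE_LEN] + sector[BOOT_CODE_LEN:]


# Constructed stand-in for boot code copied from install media (assumption).
KNOWN_GOOD_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)

# Constructed stand-in for foreign code found in sector 0 (assumption).
INFECTED_BOOT_CODE = b"\xEB\x3C\x90" + b"\xCC" * (BOOT_CODE_LEN - 3)


def build_image(boot_code: bytes) -> bytes:
    """Assemble a constructed 512-byte MBR: given boot code, a fixed disk
    signature, and one bootable NTFS (type 0x07) partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 48
    sector = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    sector += b"\xDE\xAD\xBE\xEF" + b"\x00\x00" + table + b"\x55\xAA"
    assert len(sector) == SECTOR
    return sector


if __name__ == "__main__":
    clean = build_image(KNOWN_GOOD_BOOT_CODE)
    infected = build_image(INFECTED_BOOT_CODE)
    print("clean matches reference:   ", boot_code_matches(clean, KNOWN_GOOD_BOOT_CODE))
    print("infected matches reference:", boot_code_matches(infected, KNOWN_GOOD_BOOT_CODE))
    repaired = repair_boot_code(infected, KNOWN_GOOD_BOOT_CODE)
    print("repaired identical to clean:", repaired == clean)
    print("partition 0 after repair:", parse_mbr(repaired)["partitions"][0])
```

    Two things the replacement itself does not cover: the comparison is only
    meaningful if the sector was read from outside the suspect system, and
    whatever the hooked boot code was loading from elsewhere on the disk is
    still there after sector 0 is clean, so the rest of the post's advice
    about identifying what the rootkit was hiding still applies.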
