As a 'bad guy' hunter you should know.
"~BD~" <~BD~@nomail.afraid.org> wrote in message
news:j6tagb$q3n$1@dont-email.me...
What if folk there *installed* malware instead of getting rid of it?
Who would know?
On 10/09/2011 01:57 PM, ~BD~ wrote:
> There was a time when you, DHL, used to publish quite a long list of
> URL's - places for folk to visit to get detailed help with interpreting
> their HJT logs.
>
> Do you still publish that list? (If so, where, please?)
this is an old list - some sites may not work
http://forums.spywareinfo.com/index.php?&showforum=18
http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/i...hp?showforum=7
http://www.5starsupport.com/ipboard/...p?showforum=18
http://forums.subratam.org/index.php?showforum=7
http://forums.security-central.us/forumdisplay.php?f=13
http://castlecops.com/forum67.html
http://gladiator-antivirus.com/forum...?showforum=170
http://www.lavasoftsupport.com/index.php?showforum=36
http://forum.piriform.com/index.php?showforum=12
http://www.wilderssecurity.com/forumdisplay.php?f=26
http://makephpbb.com/phpbb/viewforum.php?f=2
http://www.techmonkeys.co.uk/forums/viewforum.php?f=8
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://forums.spywaretimes.com/index.php?showforum=2
http://www.bluetack.co.uk/forums/ind...?showforum=172
http://forums.techguy.org/f54-s.html
http://aumha.net/viewforum.php?f=30
http://www.dslreports.com/forum/cleanup
http://forum.malwareremoval.com/viewforum.php?f=11
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
--
"What would you do with a brain if you had one?"
Registered Linux User #393236
From: "Max Wachtel" <maxpro4u@hotmail.com>
> On 10/09/2011 01:57 PM, ~BD~ wrote:
>
>> There was a time when you, DHL, used to publish quite a long list of
>> URL's - places for folk to visit to get detailed help with interpreting
>> their HJT logs.
>>
>> Do you still publish that list? (If so, where, please?)
>
> this is an old list - some sites may not work
>
< snip >
It is not the list he wants per se, it's my inclusion/exclusion of aumha.net in that list
that he wants.
--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
On 10/09/2011 09:01 PM, David H. Lipman wrote:
> From: "Max Wachtel"<maxpro4u@hotmail.com>
>
>> On 10/09/2011 01:57 PM, ~BD~ wrote:
>>
>>> There was a time when you, DHL, used to publish quite a long list of
>>> URL's - places for folk to visit to get detailed help with interpreting
>>> their HJT logs.
>>>
>>> Do you still publish that list? (If so, where, please?)
>>
>> this is an old list - some sites may not work
>>
>
> < snip>
>
> It is not the list he wants per se, it's my inclusion/exclusion of aumha.net in that list
> that he wants.
seems it has had too much hinky sauce again.
btw - the list I posted was a composite of others'.
--
"What would you do with a brain if you had one?"
Registered Linux User #393236
~BD~ <~BD~@nomail.afraid.org> wrote in
news:j6sfd0$26j$1@dont-email.me:
> You've advised that this is impossible!
Uhh, No.. He didn't.
> Security specialists have recently discovered a virus that makes its
> way into the BIOS, making it very hard to get rid of using current
> commercial anti-virus solutions.
The "virus" isn't doing the bios modification, as the article most
clearly states.
> The BIOS rootkit, an MBR rootkit, a kernel mode rootkit, a PE file
> injector and a Trojan downloader are the elements encapsulated in
> this potentially destructive malware, which at the moment is unable
> to cause any damage to machines running 64-bit operating systems if
> the user privileges are limited.
It's a kit. Missing items de-nuts it. The virus isn't infecting the
BIOS.
> After it successfully infects the BIOS using a file called
> Cbrom.exe, which is a legitimate tool developed by Phoenix
> Technologies designed to modify the Award/Phoenix system's ROM
> binaries, it moves to infecting the master boot record of the
> device.
IT'S NOT INFECTING THE BIOS. It's adding an option ROM! Using Phoenix's
own program, as they lack the skills to write their own ****ing
routines.
> The winlogon.exe or wininit.exe files are also corrupted and
> injected with codes that will generate the download of additional
> infections.
They aren't corrupted. They wouldn't run then. They are modified to
carry the trojan.
--
I am a sinner
Hold my prayers up to the sun
I am a sinner
Heaven's closed for what I've done.
"~BD~" <~BD~@nomail.afraid.org> wrote in message
news:j6sfd0$26j$1@dont-email.me...
> You've advised that this is impossible!
No I haven't. I believe I told you that there was not yet enough room in the
BIOS for a virus *infection* in the BIOS. I also am the one that pointed you to
several papers on PCI rootkits and such.
LoJack for Laptops comes closer to being a virus than does Mebromi.
I think that soon there will be a virus that infects the BIOS and have always
thought so, but it may not behave like your typical malware virus.
> Your comments requested on this item:-
>
> **
>
> Security specialists have recently discovered a virus that makes its way into
> the BIOS, making it very hard to get rid of using current commercial
> anti-virus solutions.
Those security specialists should explain to me how Mebromi qualifies
as a virus. While it is a PE file infector, I don't see any recursive
replication
going on overall. Before any discussion with them, I'd have to ascertain
whether or not they subscribe to the "all worms are viruses" idea - and
*then* ask them to explain how Mebromi even qualifies as a worm once
that idea is dispensed with.
AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS as
a guardian for that MBR rootkit (persistence). In addition, a kernel mode
rootkit that hides an additional downloader's actions. It infects two specific
system PE files as a startup method for said stealth downloader.
If it had *infected* those programs with a copy of its own replicative
function it would *then* qualify as a virus (if there was recursion). In
order for the *BIOS* to be said to have been *infected* by a *virus*
there would have to be replicative code in the BIOS itself, and the
code it writes to the disk would have to have reciprocating code
to reinfect the BIOS if the administrator had flashed it (like LoJack
claims to do) - you need that recursion to make this a virus, yet as
I understand it, only the Mebromi installation routine has the BIOS
flash capability - not the infestation itself. So, it remains a trojan
with respect to BIOS infection.
I could be wrong, but this is how I understand it to be.
[...]
Do you have any specific on topic questions for the spyware group?
I think anything about this Mebromi is relevant to spyware, but they
may not be interested in any of my opinions on the matter of malware
type classification.
P.S. I don't mind the crosspost to a.p.s-e <waves>.
"FromTheRafters" <erratic.howard@gmail.com> wrote in
news:j6td40$86m$1@dont-email.me:
> LoJack for Laptops comes closer to being a virus than does Mebromi.
They're about the same. The same technology. However, at least with
lojack they have bios vendor support and cooperation so aren't reduced
to including 3rd party utility to flash one style of BIOS only.
Mebromi is a compilation of tools and a bit of coding, but generally
trojan.. asshat level work.
> I think that soon there will be a virus that infects the BIOS and
> have always thought so, but it may not behave like your typical
> malware virus.
I would be inclined to agree. However, the viral code must replicate.
Persistence alone doesn't qualify.
> Those security specialists should explain to me how Mebromi
> qualifies as a virus. While it is a PE file infector, I don't see
> any recursive replication
> going on overall. Before any discussion with them, I'd have to
> ascertain whether or not they subscribe to the "all worms are
> viruses" idea - and *then* ask them to explain how Mebromi even
> qualifies as a worm once that idea is dispensed with.
It's not a file infector. The modified files will not "spread" code to
other files. It's modifying two PE files to ensure it gets an
opportunity to startup another module included with it.
> AFAIK, it is a trojan that installs an MBR rootkit and uses the BIOS
> as a guardian for that MBR rootkit (persistence). In addition, a
> kernel mode rootkit that hides an additional downloader's actions.
> It infects two specific system PE files as a startup method for said
> stealth downloader.
Yes, and the modified PE files do not further infect other PE files,
they are modified to ensure the program isn't replaced by the user.
Persistence. It has several layers of that, as you laid out above.
> If it had *infected* those programs with a copy of its own
> replicative function it would *then* qualify as a virus (if there
> was recursion). In order for the *BIOS* to be said to have been
> *infected* by a *virus* there would have to be replicative code in
> the BIOS itself, and the code it writes to the disk would have to
> have reciprocating code to reinfect the BIOS if the administrator
> had flashed it (like LoJack claims to do) - you need that recursion
> to make this a virus, yet as I understand it, only the Mebromi
> installation routine has the BIOS flash capability - not the
> infestation itself. So, it remains a trojan with respect to BIOS
> infection.
>
> I could be wrong, but this is how I understand it to be.
You aren't wrong, your understanding is correct.
> I think anything about this Mebromi is relevant to spyware, but they
> may not be interested in any of my opinions on the matter of malware
> type classification.
--
I am a sinner
Hold my prayers up to the sun
I am a sinner
Heaven's closed for what I've done.
"Dustin" <bughunter.dustin@gmail.com> wrote in message
news:Xns9F79E70342F2FHHI2948AJD832@no...
> "FromTheRafters" <erratic.howard@gmail.com> wrote in
> news:j6td40$86m$1@dont-email.me:
>
>> LoJack for Laptops comes closer to being a virus than does Mebromi.
>
> They're about the same. The same technology. However, at least with
> lojack they have bios vendor support and cooperation so aren't reduced
> to including 3rd party utility to flash one style of BIOS only.
I was looking at it more from a computer science angle. If the persistence
module contains the modified MBR code (and overwrites the MBR if it is
found to be unmodified), and the MBR supports the agent, and the agent
(perhaps through a network resource) can detect that the BIOS has been
unmodified (flashed without the LoJack code) and it can reflash the BIOS,
it appears to me that it qualifies as a virus.
The computer science virus definition makes no restriction on how the
process plays out, only the result is important. Mebromi doesn't have
that two-way guardian aspect - it only flashes the BIOS during the
installation and it is thereafter un-guarded. So Lojack comes closer,
and in fact may even qualify as a virus.
> Mebromi is a compilation of tools and a bit of coding, but generally
> trojan.. asshat level work.
>
>> I think that soon there will be a virus that infects the BIOS and
>> have always thought so, but it may not behave like your typical
>> malware virus.
>
> I would be inclined to agree. However, the viral code must replicate.
> Persistence alone doesn't qualify.
Right, but do you see where I'm coming from where viral code is the
means for the implementation of the persistence? Two "programs"
(BIOS routine, MBR/code in partition gaps/agent/network) that
are basically looking for infection markers and re-infecting if found
missing. The only thing missing is the obvious spreading (lack of
sneakernet vector for BIOS and harddrives) which isn't really a
requirement for a virus in the comp-sci arena - it is only required
that it doesn't overwrite its parent.
>> Those security specialists should explain to me how Mebromi
>> qualifies as a virus. While it is a PE file infector, I don't see
>> any recursive replication
>> going on overall. Before any discussion with them, I'd have to
>> ascertain whether or not they subscribe to the "all worms are
>> viruses" idea - and *then* ask them to explain how Mebromi even
>> qualifies as a worm once that idea is dispensed with.
>
> It's not a file infector.
It's not a file infecting virus, but it does infect PE files according to the
write-up. The infection is not aimed at replication, but is only a means
of attaching to the startup axis without using the registry I think.
> The modified files will not "spread" code to
> other files. It's modifying two PE files to ensure it gets an
> opportunity to startup another module included with it.
Yes, so I take it you refuse to adopt the idea that "infection" can be used
to mean that particular type of file modification even if it is not viral?
That's okay, as long as I remember your take on it.
BTW, I found this about droppers, it appears that I have used older
terminology than you have on this one.
"A Dropper is a standalone program that drops a virus to a system.
Usually a dropper for a file virus is a very small program (a few bytes)
infected by a virus.
A dropper for a boot virus is usually a program that writes the image
of a boot sector virus stored inside it to a hard or floppy drive.
Virus droppers are no longer widespread as malware with the same
capabilities integrated are becoming more common. Malicious
programs with dropper-like capabilities are now identified as
Trojan-Droppers.."
http://www.f-secure.com/v-descs/other_w32_dropper.shtml
and this
"A DROPPER is a program that has been designed or modified to "install" a
virus onto the target system. The virus code is usually contained in a
dropper in such a way that it won't be detected by virus scanners that
normally detect that virus (i.e., the dropper program is not *infected*
with the virus). While quite uncommon, a few droppers have been
discovered. A dropper is effectively a Trojan Horse (see B3) whose
payload is installing a virus infection. A dropper which installs a
virus only in memory (without infecting anything on the disk) is
sometimes called an "injector"."
http://stason.org/TULARC/security/co...ter-virus.html
They seem to agree with my view that a zeroth iteration virus is actually a
dropper.
Unfortunately, these two are opposed on the idea that a virally "infected" file
is a dropper.
[...]
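The "looking for infection markers" mechanism FromTheRafters describes above has a defender-side mirror: record a trusted baseline of the MBR's bootstrap code while the machine is known-good and re-check the sector against it, so a boot-sector rootkit of the kind discussed (the MBR layer of Mebromi) shows up as a bootstrap region whose hash no longer matches. The following is an added example, not code from any poster in this thread or from any of the write-ups it discusses. It parses a constructed 512-byte MBR (sample bytes built inline, not a real boot loader), extracts the partition table, and flags a changed bootstrap region, a missing boot signature, or an implausible partition table. All constant and function names are the example's own.

```python
import hashlib
import struct

# Classic MBR layout. The names are this example's own; the offsets are the standard layout.
SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440          # bytes 0..439: bootstrap code, the region a boot-sector rootkit replaces
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr):
    """Return the non-empty entries of the MBR partition table as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return entries


def check_mbr(mbr, baseline_sha256):
    """Compare a raw 512-byte sector against a trusted baseline; return a list of findings."""
    if len(mbr) != SECTOR_SIZE:
        return ["unexpected sector length %d" % len(mbr)]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()
    if digest != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in parse_partitions(mbr) if p["bootable"]]
    if len(bootable) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_mbr(bootstrap, partitions):
    """Assemble a 512-byte sector from bootstrap bytes and (bootable, type, lba, count) tuples."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:BOOTSTRAP_LEN] = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed sample data: a stand-in bootstrap (a few x86 bytes followed by NOPs, not any real
# boot loader) and a single NTFS-type partition starting at LBA 2048.
CLEAN_BOOTSTRAP = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOTSTRAP_LEN - 5)
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, SAMPLE_PARTITIONS)

# The defender's marker: a hash of the known-good bootstrap, recorded while the machine is trusted.
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_LEN]).hexdigest()

# Constructed tampered sector: same partition table, one byte of bootstrap code altered.
_tampered = bytearray(CLEAN_BOOTSTRAP)
_tampered[0x20] ^= 0xFF
TAMPERED_MBR = build_mbr(bytes(_tampered), SAMPLE_PARTITIONS)


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(sector, BASELINE_SHA256)
        print(name, "->", result or ["no findings"], parse_partitions(sector))
```

On a live system the sector would be read from the raw disk device (which needs administrator rights) rather than built inline, and the baseline hash belongs off-host: with the stacked persistence layers the thread describes, a kernel-mode rootkit on the same machine could otherwise feed the checker a clean copy of the sector or rewrite the stored marker.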
FromTheRafters wrote:
> "Dustin"<bughunter.dustin@gmail.com> wrote in message
> news:Xns9F79E70342F2FHHI2948AJD832@no...
>> "FromTheRafters"<erratic.howard@gmail.com> wrote in
>> news:j6td40$86m$1@dont-email.me:
>>
>>> LoJack for Laptops comes closer to being a virus than does Mebromi.
>>
>> They're about the same. The same technology. However, at least with
>> lojack they have bios vendor support and cooperation so aren't reduced
>> to including 3rd party utility to flash one style of BIOS only.
>
> I was looking at it more from a computer science angle. If the persistence
> module contains the modified MBR code (and overwrites the MBR if it is
> found to be unmodified), and the MBR supports the agent, and the agent
> (perhaps through a network resource) can detect that the BIOS has been
> unmodified (flashed without the LoJack code) and it can reflash the BIOS,
> it appears to me that it qualifies as a virus.
>
> The computer science virus definition makes no restriction on how the
> process plays out, only the result is important. Mebromi doesn't have
> that two-way guardian aspect - it only flashes the BIOS during the
> installation and it is thereafter un-guarded. So Lojack comes closer,
> and in fact may even qualify as a virus.
>
>> Mebromi is a compilation of tools and a bit of coding, but generally
>> trojan.. asshat level work.
>>
>>> I think that soon there will be a virus that infects the BIOS and
>>> have always thought so, but it may not behave like your typical
>>> malware virus.
>>
>> I would be inclined to agree. However, the viral code must replicate.
>> Persistence alone doesn't qualify.
>
> Right, but do you see where I'm coming from where viral code is the
> means for the implementation of the persistence? Two "programs"
> (BIOS routine, MBR/code in partition gaps/agent/network) that
> are basically looking for infection markers and re-infecting if found
> missing. The only thing missing is the obvious spreading (lack of
> sneakernet vector for BIOS and harddrives) which isn't really a
> requirement for a virus in the comp-sci arena - it is only required
> that it doesn't overwrite its parent.
>
>>> Those security specialists should explain to me how Mebromi
>>> qualifies as a virus. While it is a PE file infector, I don't see
>>> any recursive replication
>>> going on overall. Before any discussion with them, I'd have to
>>> ascertain whether or not they subscribe to the "all worms are
>>> viruses" idea - and *then* ask them to explain how Mebromi even
>>> qualifies as a worm once that idea is dispensed with.
>>
>> It's not a file infector.
>
> It's not a file infecting virus, but it does infect PE files according to the
> write-up. The infection is not aimed at replication, but is only a means
> of attaching to the startup axis without using the registry I think.
>
>> The modified files will not "spread" code to
>> other files. It's modifying two PE files to ensure it gets an
>> opportunity to startup another module included with it.
>
> Yes, so I take it you refuse to adopt the idea that "infection" can be used
> to mean that particular type of file modification even if it is not viral?
>
> That's okay, as long as I remember your take on it.
>
> BTW, I found this about droppers, it appears that I have used older
> terminology than you have on this one.
>
> "A Dropper is a standalone program that drops a virus to a system.
> Usually a dropper for a file virus is a very small program (a few bytes)
> infected by a virus.
>
> A dropper for a boot virus is usually a program that writes the image
> of a boot sector virus stored inside it to a hard or floppy drive.
>
> Virus droppers are no longer widespread as malware with the same
> capabilities integrated are becoming more common. Malicious
> programs with dropper-like capabilities are now identified as
> Trojan-Droppers.."
>
> http://www.f-secure.com/v-descs/other_w32_dropper.shtml
>
> and this
> "A DROPPER is a program that has been designed or modified to "install" a
> virus onto the target system. The virus code is usually contained in a
> dropper in such a way that it won't be detected by virus scanners that
> normally detect that virus (i.e., the dropper program is not *infected*
> with the virus). While quite uncommon, a few droppers have been
> discovered. A dropper is effectively a Trojan Horse (see B3) whose
> payload is installing a virus infection. A dropper which installs a
> virus only in memory (without infecting anything on the disk) is
> sometimes called an "injector"."
>
> http://stason.org/TULARC/security/co...ter-virus.html
>
> They seem to agree with my view that a zeroth iteration virus is actually a
> dropper.
>
> Unfortunately, these two are opposed on the idea that a virally "infected" file
> is a dropper.
>
> [...]
You are *SO* clever! :-)
On Wed, 12 Oct 2011 20:04:58 +0100, ~BD~ grovelled to FromTheRafters:
> You are *SO* clever!
You are *SUCH* a brown-nosing ****.
--
America is the only country that went from barbarism to decadence without
civilization in between. - Oscar Wilde