
Thread: internet explorer 5 shenanigans

  1. #1
    Join Date
    Aug 2006
    Posts
    2,763

    internet explorer 5 shenanigans

    The other day I caught internet explorer "explorer.exe" scanning my hard drive for *.*. Any ideas why internet explorer needs to scan c:\*.* or c:\windows\desktop\*.* or c:\windows\system32\*.* then access classes and user.dat when the computer is supposedly idle with one internet explorer window open, with no page loaded, and network is released.....

    Also there's some other file that only scans my drive and registry when I'm playing solitaire.... I'll have to track it down and post it later. something about a twain device and some kind of log file regarding spi?

    Using some auditing tools and maybe I'll post some screen captures of the actions.. It's interesting.. I'm gonna find the roots of these scanning issues, and locate the logs the scanners are creating, then decide if they are windows system components or spyware. What I'm finding is that there are three or four applications that are "interacting" indirectly to scan, and list all the files into a specific log, or series of logs... then another application trying to compile that log into a paint file, then phone home, but that application has been denied access to the internet.. but the network stack is now being given instructions to pad packets with info from buffers and conveniently the application is putting the paint file into the buffer area that is being polled for the packet padding data......

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I have no idea, doubt it is doing that "alone" since it is not a scanner program...Malware maybe...BUT...why are you still using Internet Explorer 5?
    Are you trying to prove the old adage...."Do as I say, not as I do?"
    We do try to stress security here...

  3. #3
    Join Date
    Aug 2006
    Posts
    2,763
    because it doesn't put the lotion on the skin...

  4. #4
    Join Date
    Aug 2006
    Posts
    2,763
    I'm gonna watch it and find out what DLLs it's using and what those DLLs are doing, and so on and so forth, treat them like the government treats "potential terrorist" associations... 3rd and 4th removed associations will be subject to scrutiny.... I might discover a new spyware

  5. #5
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056
    As I am sure you already knew the best tools for the job, I recommend these two at least: ProcessExplorer and ServiWin.

  6. #6
    Join Date
    Aug 2006
    Posts
    2,763
    Quote Originally Posted by TurcoLoco View Post
    As I am sure you already knew the best tools for the job, I recommend these two at least: ProcessExplorer and ServiWin.
    I got one of those, and a couple more that go into detail of what file is accessing what other file on the drive, plus another decompiler to get down to the nitty gritty of what the associated files do..

    Some of them are pretty complicated, it's hard to tell what is normal GUI code but some of the codecs for videos and some of the DLLs have very abnormal file creation, and registry track erasing strings that are intermingling with the network stack and mspaint.

    I noticed that one of the codec DLLs is polling and placing data skimmed from user.dat and classes, "registry files" into an mspaint type tool brush action. I'm having a hard time locating the "log" file created but it looks like it makes a gif, then puts it in a memory address/buffer location, without saving it to the drive.

    Looks like the network stack, and the network card are programmed to poll this buffer/address area for data to use for "packet padding" so that it can have a proper sized packet...

    An easy but time consuming way to get data from the registry onto the network without permission from the firewall or the router..

  7. #7
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056
    Yeah, time consuming but since it seems to be all automated it still is effective but still a very odd process of things that I have never heard of or seen!

    You sure seem to be a magnet for some conspiracy type stuff cauz??

  8. #8
    Join Date
    Aug 2006
    Posts
    2,763
    an update to this software behaviour, I have recently seen protected packet scrubber applications being created as ~implantable in-the-router firmware. To scrub the packet padding data of anything originated from the internal network progress.. I have also noted the increase in ISP's use of ARP floods to get network cards that are directly connected to broadband modems, or less than secure broadband routers, to send automatic responses to ARP to MAC broadcast who has IP requests, in hopes that everyone has the newest greatest software/hardware, that's pre-programmed to leak internal padding info from buffer memory area, at a high rate scanning through hundreds of addresses per second, locking onto a few, then slowly directing ARP broadcasts towards the few over and over, hoping the new latest and greatest software/hardware is installed, so that the buffer data is filtered through the ARP ACK padding, or any/every other packet that goes out can send their padded packets to a new "router" capable of scrubbing data from the padded area.... wonder what it does with the data that it scrubs.......
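The "packet padding" idea in posts #6 and #8 is something that can be checked on the wire rather than guessed at. Ethernet requires a minimum frame of 60 bytes before the FCS, so a small packet such as a 28-byte ARP request gets padded by the driver or card, and correct padding is all zero bytes. Non-zero bytes in that region would mean the padding is being filled from memory, which is exactly what one would look for in a capture. The script below is an added example written for this thread, not code from any poster or tool named above; the frames it inspects are constructed inline, and a real check would feed it frames read from a packet capture.

```python
"""Flag Ethernet frames whose padding region contains non-zero bytes.

Constructed example for this thread: the sample frames are built in this
file so it runs offline. Padding is the bytes after the payload length the
upper-layer protocol declares (ARP: fixed 28 bytes; IPv4: the header's
total-length field) and before the 60-byte minimum frame size.
"""
import struct

ETH_HDR = 14
MIN_FRAME = 60          # minimum Ethernet frame length, FCS not counted
ARP_LEN = 28            # IPv4-over-Ethernet ARP packet length
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


def payload_length(frame: bytes):
    """Length the upper-layer protocol claims for its data, or None if unknown."""
    if len(frame) < ETH_HDR:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return ARP_LEN
    if ethertype == ETHERTYPE_IP and len(frame) >= ETH_HDR + 20:
        # IPv4 total length (bytes 2-3 of the IP header) covers header + data
        return struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    return None


def extract_padding(frame: bytes) -> bytes:
    """Bytes past the declared payload; b'' when the frame carries none."""
    plen = payload_length(frame)
    if plen is None:
        return b""
    end_of_data = ETH_HDR + plen
    return frame[end_of_data:] if len(frame) > end_of_data else b""


def check_frame(frame: bytes) -> str:
    """'leak' if any padding byte is non-zero, otherwise 'ok'."""
    pad = extract_padding(frame)
    return "leak" if pad and any(pad) else "ok"


def build_arp_frame(padding: bytes) -> bytes:
    """Constructed ARP who-has request with caller-supplied padding appended."""
    dst = b"\xff" * 6                      # broadcast
    src = bytes.fromhex("001122334455")    # made-up sender MAC
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1)   # Ethernet/IPv4, request
    arp += src + bytes([192, 168, 1, 10])                    # sender MAC / IP
    arp += b"\x00" * 6 + bytes([192, 168, 1, 1])             # target MAC / IP
    frame = dst + src + struct.pack("!H", ETHERTYPE_ARP) + arp
    assert len(frame) == ETH_HDR + ARP_LEN                   # 42 bytes before padding
    return frame + padding


# Constructed samples: one padded correctly with zeros, one whose padding
# carries registry-looking text standing in for leaked buffer contents.
CLEAN_FRAME = build_arp_frame(b"\x00" * (MIN_FRAME - ETH_HDR - ARP_LEN))
LEAKY_FRAME = build_arp_frame(b"SOFTWARE\\Classes")


def audit(frames):
    """(index, padding) for every frame flagged as leaking."""
    return [(i, extract_padding(f)) for i, f in enumerate(frames)
            if check_frame(f) == "leak"]


if __name__ == "__main__":
    for idx, pad in audit([CLEAN_FRAME, LEAKY_FRAME]):
        print(f"frame {idx}: non-zero padding {pad!r}")
```

Run against a real capture, the only frames worth attention are the ones `audit` returns; a capture of an idle machine with all-zero padding is the quickest way to put the post's theory to rest, and a card or driver that does pad with stale buffer contents shows up the same way regardless of which application supposedly placed the data there.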
