Massive Botnet "Indestructible," Say Researchers
CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"
Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.
Some operating system vendor is going to have to be sued for damages and lose before this ever stops.
Just wait for the next massive solar storm...
worldmobilenet.com -- World Prepaid Wireless Internet plans
Putting the thing in the MBR just means you can't intercept it during boot.
It doesn't for a second mean it's invisible.
Man, can't they detect a modified MBR nowadays? I even had mainboards which detected a modified MBR upon boot. So where's the problem?
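On the question of detecting a modified MBR: the simplest check is to read the first 512 bytes of the disk, parse the partition table, and compare the 446 bytes of boot code against a hash recorded when the machine was known-good. The script below is an added example (not code from this thread or from any vendor); it constructs two sample sectors so it runs offline, and in real use the sector should be read from offline/live media, because a bootkit that is already running can filter what the live OS reads back.

```python
"""Boot-sector (MBR) integrity check: parse the partition table and compare
the boot code against a recorded baseline hash.

Added example. Assumes you can read the first 512 bytes of the disk (a raw
device or an image taken from live media); the MBRs built below are
constructed samples, not real boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR


def parse_partition_table(sector: bytes) -> list:
    """Return the four primary partition entries as dicts.

    Each 16-byte entry: status(1) CHS start(3) type(1) CHS end(3)
    LBA start(4, little-endian) sector count(4, little-endian).
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only, so a legitimate repartition does not
    trip the check; the partition table is reported separately for review."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Compare current boot code with the baseline and decode the table."""
    current = boot_code_hash(sector)
    return {
        "boot_code_modified": current != baseline_hash,
        "current_hash": current,
        "partitions": parse_partition_table(sector),
    }


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte MBR with one bootable NTFS partition."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    # Entry 0: bootable, type 0x07 (NTFS), LBA 2048, 1 GiB worth of sectors
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                         b"\x00\x00\x00", 2048, 2097152)
    table = entry0 + b"\x00" * 48     # remaining three entries empty
    return code + table + BOOT_SIGNATURE


# Constructed samples: same partition table, different boot code.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_hash(CLEAN_MBR)   # record this while the system is known-good
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = check_mbr(mbr, BASELINE)
        used = [p for p in r["partitions"] if p["sectors"]]
        print(name, "MODIFIED" if r["boot_code_modified"] else "matches baseline", used)
```

The baseline hash belongs somewhere the infected system cannot rewrite (removable media, a printed note, a management server), and the comparison is only trustworthy when the sector is read outside the possibly compromised OS.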
Sounds like a challenge...
Reality has a liberal bias
Just wait till it faces blue kriptonite
Does it run Linux?
We don't see the world as it is, we see it as we are.
-- Anais Nin
Collect botnet creators. Apply one bullet to head. In public.
Repeat.
Nothing else will stop the leeches.
I do not fail; I succeed at finding out what does not work.
Somehow I think that's the least of their concerns.
Give me Classic Slashdot or give me death!
What if someone wrote malware that would run a VM from the boot sector, and then ran your existing OS from the VM? That way it wouldn't matter what OS you used, it could still access your system in the background.
There's no -1 for "I don't get it."
the same botnet that's been recently terrorizing SMF forums all over the place?
And this is why. People are completely unable to understand anything about the operation of their computers.
No, Linux would not solve this. If magically tomorrow every single Windows box was Linux instead, socially-engineered malware would appear the next day.
Apple tries to protect the system from its own user. That's probably the way of the future in general, sad as it is to say.
Microsoft knows their OS better than anyone. For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines, disable the rootkit, and alert the user.
It would be a little bit of work for MS, but isn't this kind of service that you'd expect to get from a vendor that stands behind its products?
You were mistaken. Which is odd, since memory shouldn't be a problem for you
In 2004 my cousin had malware that hid in the partition table and even a fresh format and Windows reinstall couldn't get rid of it. Only a good DOS fdisk that deleted the table, with a format and reinstallation, did. Today evil malware can hide in both the shadow volumes of restore points to reinstall themselves and avoid detection, and also system recovery partitions, so a fresh OS reinstallation will reinstall the malware. Fun times
http://saveie6.com/
> Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code.
What's this "more, importantly, security software" nonsense? Was this narrated by William Shatner, or are these abused, runaway commas who needed a home?
I realize that's an unmarked quote from TFA, but I guess the editor over there is asleep right now.
Technically speaking, that's pretty awesome. I know they're bad guys, but some props to them. They're geek bad guys, and they've done some fine work here.
Just make sure you buy a UEFI mobo, or then buy mac-tel hardware. [mac mini, etc etc etc] (comes with UEFI).
[Linux / Windoze / OsX - can all run on this hardware, but gives you an easy one stop shop for a daily use machine].
Given MebRoot/TDL/TDSS/etc etc are all thanks to the "original" work of eEye bootkit, we should really be thanking them for this one ..
But really hats off to the mighty M$, for thwarting any move out of bios for so long .. coreboot anyone ?
anyhow, Use/buy a UEFI enabled board, if you have a bios based mobo, look to see if there's the built in "virus protection", which used to be just a check to see if something was modifying the MBR. many don't have it any more.
Ps: fixmbr \Device\HardDisk0
Isn't command and control the antithesis of indestructibility? Any software that can be patched can be destroyed.
That must have been a great meeting:
Q. How do we stop all these botnets?
A. We take them over with our own super botnet!!!
Johnson, you're a genius.
....its the deamon!
Because all of its known sources are "blocked out" here, either by:
---
1.) NORTON DNS (& it's DNSBL vs. all forms of "malware-in-general")
---
2.) My custom HOSTS file which is currently as of this writing in its tempfile prior to commission back to the HOSTS file itself, @ 1,459,566++ blocked known bad sites strong, & more for speed (adbanners blocked)...
(AND, it updates every 15 minutes now from 17 different reliable sources for HOSTS file data, DNSBL's I convert, & also trackers of various botnets out there online, yes, including THIS one too(earlier variants & current build).
---
3.) System Security Hardening:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
(Which includes the "std. antivirus/antispyware/firewall toolsets in use, but also a HELL OF A LOT MORE like conscientious patching/updating the OS & apps, group & local security policies work, using javascript (the "harbinger of DOOM" @ times) judiciously/sparingly, etc./et al)
---
* Nice part about the "heart of it" in the HOSTS file + Norton DNS is that even IF I were to 'suck in' this beastie? As soon as they get its C&C servers, I get them... every 1/4 hour, & it won't be able to "talk back to HQ"...
(AND, Despite all the "hype" of "not being able to see its transmissions" due to encryption? An ISP/BSP can see it, & that's where the info. will come from, eventually - & every encryption, even QUANTUM lately, can be broken OR eavesdropped on... just a matter of TIME! Hey, if wind & water can blow down mountains, right?)
So, "that all said & aside", well... IF they're smart about it? They'll update their DNSBL's too (effectively blocking communications "back to HQ" for this thing!)
APK
P.S.=> Besides, there isn't a botnet (or even ROOTKIT) I can't deal with effectively for removal anyhow - & I don't use the same tools others do...
Well, @ first I do, & when those fail? Out come the "big guns" in Process Explorer & Recovery Console - & there's nothing I can't "dust" between them...
... apk
For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines
But how? The virus hides its first stage in the MBR and is launched *before* the OS. By the time Windows has started the computer is *already* compromised, the virus is already running and can do all the tricks it wants to hide itself from the running system, or to alter the software being run.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The president and congress can just use the commerce clause in the constitution to force everybody to buy an officially approved operating system and anti virus program..
There, see? Problem solved
For justice, we must go to Don Corleone
I work at a computer repair shop.
We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR has been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...
http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272
When news of this thing came out, or one MUCH like it rather (using "blended-threat" rootkit technology, in utilizing not only bootsector spawn & control, but also a filtering driver/hooking driver to protect itself @ the bootsector level?) - What's up there CAN & WILL get rid of it...
APK
P.S. => Even the guys researching it are saying what I am pretty much:
PERTINENT QUOTE/EXCERPT FROM SOURCE ARTICLE
---
"I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," said Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, in an interview today. "It does a very good job of maintaining itself."
---
And, there you go... look in my link above? That'll do it, no system restore/reset/reinstall required... Yes, I am THAT sure it works, I've faced rootkits like this before (I am sure others here have as well & used similar tactics too).
It's just a matter of KNOWING how it works, & once you understand a thing? You can control, or destroy, it!
Simple - you just have to know how it operates, & what to do vs. it with tools out there for it (not std. tools, so I opt to go against rootkits using Process Explorer, FIRST, in usermode/RPL3/Ring 3 operation, & if that fails? Out comes Windows Recovery Console - blow the driver loading, & then reset the bootsector... it'll work!)
... apk
Curious Yellow was bound to happen sooner or later. I was wondering what was taking botnet authors so long, and why they were relying on a centralized system like DNS for coordinating their bots.
Need a Python, C++, Unix, Linux develop
The fact that the software maintains itself peer-to-peer is also its greatest weakness, because it allows any infected node to identify other infected nodes. So, you set up a number of honeypots and use those to identify infected machines. You then strongarm those machines' ISPs to disconnect their customers until they get their shit together.
Yes, the whole "strongarming the ISPs" thing is a flaw in the strategy since it hasn't really been successful to date, but I'm sure Microsoft can come up with a legal solution to that little hitch.
Think of how they got Al Capone. Nothing would make federal prosecutors more interested in the GPL than if they thought it was the best way to nail a bad guy.
BTW, I like the idea of malware coming with a GPL license agreement and link to the source code.
All that law enforcement needs to do is to purchase payload delivery on the botnet and include commands to delete Windows from each offending PC. Alternatively, they just need to place copyrighted material on each host and send in the MPAA and RIAA with infringement notices. That should get the job done.
When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.
To detect it, run the latest version of GMER.
http://www.gmer.net/
To remove it, you need to run a series of three scanners in this order:
TDSSkiller
http://support.kaspersky.com/viruses/solutions?qid=208280684
Combofix
http://www.bleepingcomputer.com/download/anti-virus/combofix
and Malwarebytes' Antimalware
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1
Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.
As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my client's systems because I was convinced there were unknown Flash exploits.
-Z
or something like that, because linux machines are constantly running grub to rewrite the bootsector
you could rewrite part of the kernel binary so that it would lie to grub i guess.
or you could rewrite the grub binary to lie to the user.
those two things are kind of non-trivial because linux is incredibly diverse.
now that i think of it, perhaps Windows becoming 'diverse' is a way to prevent some of this junk from happening.
I had a bit of trouble removing it with TDSS killer a few weeks ago, but got there in about half an hour.
If it won't run you will need the file association reset tool.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272
In that order too... will take a reboot (kill the driver, first... reboot, the blow out & refresh the bootsector - NO reinstall involved!)
* Be sure NOT to use Windows 2k/XP/Server 2003 Recovery Console on VISTA, Windows 7, or Server 2008 though (diff. bootsector format)!
However, theoretically @ least?
Listsvc & Disable WILL still work, as they only query the registry & write it, respectively, to find the offending protective driver, first & stop it from loading (reboot & then do fixmbr) - the registry structure remains the same essentially for them all, & in THIS case on drivers? It is.
Also - Since the NTFS5 filesystem is in place on them all so... in theory? You can use Win2000/XP/Server 2003 for the listsvc/disable portion to "knock-the-chocolate" outta the protective driver!
APK
P.S.=> That'll work, that is, until they "alter it further" (ala Darth Vader)... protecting the registry where the MBR protective driver loads from, that is...
... apk
Your posts read like mental disorder, but I think it'd be fascinating to hear if you actually speak aloud in stilted, gratuitous. I imagine you sound something like a cross between William Shatner and the pork chop sandwiches kid.
Anyone else morbidly curious?
Z34107
PS => I'll pay for your bus ticket to come speak on the proper use of the hosts file.
...z34107
DATABASE WOW WOW
http://it.slashdot.org/comments.pl?sid=2282088&cid=36618304
I wrote it up yesterday in fact, & posted it here also in regards to this rootkit that uses blended threat type tech!
That technique vs. it? Yes - it will work (until this thing is rewritten to also protect the registry as well in its driver... THEN, we have problems!)
* HOWEVER, since we're on the subject of 'critiquing others' in myself, who's only trying to help others here? Go away now troll... shoo!
(ROTFLMAO...)
APK
P.S.=> NOW, regardless of whether you like my writing style or not? Do you own this forum?? No - Thus, I take your off-topic trolling b.s. with a "grain of salt", troll... LOL, trolls: You're ALL THE SAME! Easily dealt with, since you're "off-topic"...
... apk
I, for one, welcome our new indestructible botnet overlords.
Infected emails?
Hacked website or ad provider serving out drive-by-downloads?
Compromised IM accounts?
All of the above?
Personally I think someone needs to write an "Internet Security for Dummies" book that uses real world analogies to explain internet security concepts to clueless people. For example, it could compare leaving your front door unlocked to not having a firewall. Or it could show real-world things that most people would never do (give their credit card or bank details to a total stranger because the total stranger promised money) and then explain that doing the same things on the Internet is just as dangerous.
Or it could show that buying pills from an online site advertised in a spam message is just as risky as buying them from a guy in a back alley. Or whatever.
Give it a scary sounding title and blurb to scare people into thinking the internet is really dangerous (which it is if you don't know what you are doing) and get them to pick up the book.
* Nice part about the "heart of it" in the HOSTS file + Norton DNS is that even IF I were to 'suck in' this beastie? As soon as they get its C&C servers, I get them... every 1/4 hour, & it won't be able to "talk back to HQ"...
Until you realize that malware can change the DNS settings of the interface directly, so while you think you're using Norton DNS, you're actually using InfectedSpywarePOS DNS.
"City hall" in German is "Rathaus" Kinda explains a few things......
That's OK. MS can just "lock'er down" like some of the competition, make 'er proprietary, claim IP, hire the codebreakers, turn-the-tables on the courts over accessibility and O/S binding and no-one can touch the MBR. Not allowed. But wait..... the MS whiners...
May the lies we live by make us strong, healthy, happy and wise - Kurt Vonnegut.
I don't GET MALWARE, & neither do others using HOSTS + the other protective measures I noted in that guide of mine, in fact? Here's a testimonial from a user HERE ON THIS SITE, you can write him to see if he wrote this, as to the efficacy of using a HOSTS file:
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
So, it's NOT JUST I, telling you HOSTS files are an effective addition to the concept of "layered security"...
---
On DNS settings:
Here, I ROTATE THEM PERIODICALLY, so I look @ them every 3-4 days here in fact because of that!
(Norton's ALWAYS up there @ the top, & in Windows you can put in multiple DNS servers to query, mind you - I know the IP's of the ones I use to rotate (NortonDNS, OpenDNS, ScrubIT DNS, Google DNS & my ISP/BSP ones too)
* In fact, on the job? That's one of the things I test for & check when dealing in fighting malwares (there's only so many places they can attack anyhow).
APK
P.S=> So YOU? You have been "shot-down-in-FLAMES" vs. myself... as trolls always are!
... apk
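The two posts above argue over the same control from opposite sides: a HOSTS file and a chosen DNS resolver are a useful layer, and they are also exactly what malware rewrites to redirect or blackhole security sites. A quick audit of both is shown below as an added example (not code from either poster, nor from any product named here). The HOSTS text and the `ipconfig /all` output are constructed samples; the trusted resolver list uses documentation addresses as placeholders and the "sensitive hosts" list is an assumption you would replace with the update and AV domains you care about.

```python
"""Audit a Windows HOSTS file and the configured DNS servers for hijacking.

Added example. Two checks a defender wants after the DNS/HOSTS discussion:
  1. HOSTS entries that override update/AV domains, or that point a name
     at a live address instead of a sinkhole (0.0.0.0 / 127.0.0.1).
  2. Resolver addresses in `ipconfig /all` that are not on the trusted list.
All inputs below are constructed samples.
"""
import ipaddress
import re

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
# Assumed trusted resolvers (TEST-NET placeholders, not a recommendation)
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# Assumed list of domains that should never be overridden in HOSTS
SENSITIVE_HOSTS = {"update.microsoft.com", "windowsupdate.com", "support.kaspersky.com"}

SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
0.0.0.0 ads.example-adnetwork.invalid   # blocking entry, fine
0.0.0.0 tracker.example.invalid
198.51.100.7 update.microsoft.com       # hijack: update site sent elsewhere
127.0.0.1 support.kaspersky.com         # hijack: AV vendor blackholed
"""

SAMPLE_IPCONFIG = """Windows IP Configuration
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.99
"""


def parse_hosts(text: str) -> list:
    """Yield (ip, hostname) pairs, ignoring comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text: str) -> list:
    """Return human-readable findings for suspicious HOSTS entries."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if name in SENSITIVE_HOSTS:
            findings.append(f"{name} -> {ip}: update/security domain overridden")
        elif ip not in SINKHOLE_IPS:
            findings.append(f"{name} -> {ip}: redirect to a live address")
    return findings


def parse_dns_servers(ipconfig_text: str) -> list:
    """Extract resolver addresses from `ipconfig /all` output, including the
    indented continuation lines Windows prints for extra servers."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        stripped = line.strip()
        if collecting and stripped and re.fullmatch(r"[0-9a-fA-F.:]+", stripped):
            servers.append(stripped)
            continue
        collecting = False
    return servers


def audit_dns(ipconfig_text: str) -> list:
    """Return resolvers that are not on the trusted list."""
    return [s for s in parse_dns_servers(ipconfig_text) if s not in TRUSTED_RESOLVERS]


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("HOSTS:", f)
    for s in audit_dns(SAMPLE_IPCONFIG):
        print("DNS: untrusted resolver", s)
```

On a live machine the HOSTS file is read from %SystemRoot%\System32\drivers\etc\hosts and the resolver list from the actual `ipconfig /all` output; as with the MBR, a resident rootkit can lie about both, so a check from live media is the one to trust.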
And, per my last post to you? Like TestedDoughnut, whose testimonial I put up in my last post?? I don't get malware, ever, in the 1st place...
NOW/Additionally: IF you see my init. post & the guide in it - you have to get one first... I don't per that guide is why!
I.E.-> I mean, heck - Cutting off what I called "the harbinger of DOOM" there (javascript) & being judicious in its usage alone cuts off a good 90% of the probability of getting one online in the first place!
(Plus, other things like doing text only email, not HTML scriptable types, helps as well)...
* I do MUCH more too, for the concept of "layered security" (best thing we have going currently in fact, & I've done guides like that since 1997 for securing Windows - here's what NEOWIN thought of that one:
http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text
Great rating, when they got ahold of it in 2001 (older less comprehensive than today's is since 2007)
* In fact? I suggest you read the newer one in my guide link I put into my 1st post - here it is again for your reference (you sound like you know a "trick-or-two" though, but you MAY pickup something too, never overlook THAT much):
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
From your DNS thing though? Though you have a point?? Well... sounds like you NEED to read that!
APK
P.S.=> HOWEVER, in fairness? That's been the most challenging point I've heard here vs. my ideas on "layered security" - VERY good!
You did make a good point though, I will give you that (& sorry for calling you troll - I thought you were the other post here (DEFINITELY a "troll"))
... apk
This is one option, but another is that people like the BSA will use it as an example of how "evil" free software is. When in doubt, public opinion tends to go the way of lobbyists.
Yet Another Tech Blog
(but so much more, including game and movie reviews)
http://yanteb.peasantoid.org
http://it.slashdot.org/comments.pl?sid=2282088&cid=36618304
In this rootkit's CURRENT DESIGN, that is... see my p.s. below in that regard!
* Hello again... -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36618376
APK
P.S.=> The technique noted there will do the job, guaranteed, until this thing is altered to ALSO PROTECT THE REGISTRY entries for its Ring 0/RPL 0/kernel mode protector of the bogus bootsector that is!
(Where the driver loads from that protects the MBR... listsvc & disable take care of that in this CURRENT DESIGN OF IT, no system reinstall needed... guaranteed!)
Still - IF they get 'wind' of what I am doing here? They will, mark my words... & then? THEN, we have problems! Make sure you have CLEAN backups people, mainly of your data you cannot just "reinstall"!
... apk
You could also run Grub from a LiveCD or a LiveUSB. If you are worried about the botware modifying the programs you use to create these then you could donate a few dollars to a distro you want to support and have them send you a LiveCD.
There is strength in this simple modularity as well as in diversity.
now that i think of it, perhaps Windows becoming 'diverse' is a way to prevent some of this junk from happening.
What better way to make Windows both diverse and modular than to make it open source?
We don't see the world as it is, we see it as we are.
-- Anais Nin
I would say it is the first of its kind, but you will only ever need one like it, so it is TEH botnet coded and maintained by Chuck Norris. Totally indestructible, Skynet is jealous. OMG phear dis one nothing will evar be betr lol
This is a hacked account, for which the owner can not be held responsible.
It's possible with an IOMMU. Most desktop systems don't have one, except for some Intel chipsets that are marketed to businesses.
For instance the Lenovo Thinkpad T400 has one.
http://en.wikipedia.org/wiki/IOMMU
For now, via this technique -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36618376
* For NOW that is... now, if later the designer of it "gets smart" & starts protecting the registry area from which ALL drivers load up on Windows NT-based OS, per the DDK design for them & registry structure for device driver instancing?
"HOUSTON WE HAVE A PROBLEM!"
APK
P.S.=> Still, doing this, in THIS order, kills it:
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
(I just hope the guys designing it don't read slashdot & see what I wrote, because were I they? I'd be writing a registry monitor & overwrite routine into that rootkit now.. because while that driver's resident? It can PROTECT that area of the registry just as it does the bogus MBR, & the disable command ONLY TAKES on reboot - if they protect the driver load area that protects the MBR? Big problem then... probably reinstallation!)
... apk
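The listsvc/disable step in the post above amounts to reading the Services hive and picking out the kernel driver that should not be there. The script below does that review from a registry export, as an added example (not the poster's method and not a Microsoft tool): it parses the HKLM\SYSTEM\CurrentControlSet\Services layout (Type, Start, ImagePath) from .reg text and lists boot- or system-start kernel drivers whose image lives outside the normal driver directories. The .reg content, including the bogus service name xq8r2k, is constructed; the export should come from a hive read offline, since a resident rootkit can hide its own key from the live system.

```python
"""List early-start kernel drivers whose image path is outside the usual
driver directories, from a .reg export of the Services hive.

Added example. Uses the real Services key layout (Type, Start, ImagePath)
but the export text is constructed and the "expected roots" are an
assumption to adjust for your build.
"""

SERVICE_KEY_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
KERNEL_DRIVER_TYPES = {1, 2}     # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
EARLY_START = {0, 1}             # SERVICE_BOOT_START, SERVICE_SYSTEM_START
EXPECTED_ROOTS = ("system32\\drivers\\", "\\systemroot\\system32\\drivers\\")


def reg_expand_sz(value: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ (hex(2): UTF-16LE)."""
    raw = (value + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in raw)


def _decode_hex2(hex_text: str) -> str:
    data = bytes(int(h, 16) for h in hex_text.split(",") if h)
    return data.decode("utf-16-le").rstrip("\0")


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: value}}.

    Handles dword:, quoted strings and hex(2): values, including the
    backslash line continuations regedit emits for long hex values.
    """
    keys, current, pending = {}, None, None
    for line in text.splitlines():
        if pending is not None:                      # continuation of a hex value
            name, acc = pending
            acc += line.strip().rstrip("\\")
            if line.rstrip().endswith("\\"):
                pending = (name, acc)
                continue
            keys[current][name] = _decode_hex2(acc)
            pending = None
            continue
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif line.startswith('"') and "=" in line and current is not None:
            name, _, val = line.partition("=")
            name = name.strip('"')
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif val.startswith("hex(2):"):
                acc = val[7:].rstrip("\\")
                if val.endswith("\\"):
                    pending = (name, acc)
                else:
                    keys[current][name] = _decode_hex2(acc)
            elif val.startswith('"') and val.endswith('"'):
                keys[current][name] = val[1:-1].replace("\\\\", "\\")
    return keys


def suspicious_early_drivers(keys: dict) -> list:
    """Return (service name, ImagePath) for early-start kernel drivers whose
    image is not under the standard driver directories."""
    hits = []
    for path, values in keys.items():
        if not path.startswith(SERVICE_KEY_PREFIX):
            continue
        if values.get("Type") not in KERNEL_DRIVER_TYPES or values.get("Start") not in EARLY_START:
            continue
        image = values.get("ImagePath", "")
        if not image.lower().startswith(EXPECTED_ROOTS):
            hits.append((path[len(SERVICE_KEY_PREFIX):], image))
    return hits


# Constructed export: a normal boot driver, a user-mode service, and a
# boot-start driver loading from a temp directory under a random-looking name.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + SERVICE_KEY_PREFIX + "Disk]",
    '"Type"=dword:00000001',
    '"Start"=dword:00000000',
    '"ImagePath"=' + reg_expand_sz("system32\\DRIVERS\\disk.sys"),
    "",
    "[" + SERVICE_KEY_PREFIX + "Spooler]",
    '"Type"=dword:00000110',
    '"Start"=dword:00000002',
    '"ImagePath"=' + reg_expand_sz("%SystemRoot%\\system32\\spoolsv.exe"),
    "",
    "[" + SERVICE_KEY_PREFIX + "xq8r2k]",
    '"Type"=dword:00000001',
    '"Start"=dword:00000000',
    '"ImagePath"=' + reg_expand_sz("\\??\\C:\\WINDOWS\\Temp\\xq8r2k.sys"),
])

if __name__ == "__main__":
    for name, image in suspicious_early_drivers(parse_reg_export(SAMPLE_REG)):
        print(f"review: {name} loads early from {image}")
```

The output is a shortlist for review, not an automatic verdict; a legitimate third-party driver can live outside system32\drivers, so confirm each hit (file signature, vendor, install date) before disabling it.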
ISPs should just refuse connections from any system running MS Windows.
You write like Steve Gibson on meth. Hey, you are an AC...
Sounds like you have a lot of fun maintaining your defenses. I remember keeping up with that sort of thing back in the day. Then in 2003 I switched to Debian and haven't had to worry about malware since.
I'm amazed by the time and effort people spend to defend against malware when the best solution is so obvious. 'You can lead a horse to water..."
Maybe the problem is that some people enjoy "the game" so much that they wouldn't know what to do if they stopped playing.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
The botnet doesn't run itself. Send Seal Team 6 in with capture or kill orders. You don't have to get them all, a couple would be fine. I would expect the enthusiasm to keep running the botnet would significantly decrease after a couple of their buddies get a burial at sea.
Don't hire any of the above bloodthirsty "Three infections, max - and then smoke 'em!" types. Won't do to be euthanizing people the third time they catch a cold...or a venereal disease.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
That Command and Conquer is moving to a Pay 2 Play system. I don't care if electronic arts is ToDaLly - 4 it or not. The people won't go "4" it. Also there is no way 4 million already signed up, someone cooked that number on a spoon.
I've got to be reading this wrong, it doesn't make a lick of sense.
I have run into this problem lately with an unnamed client. I am wondering, load malwarebytes onto each machine and check or boot into BackTrack5 and run the programs I mentioned in the subject?
Obviously if I run a *nix OS to detect then no malware has a chance to hide itself. But for each one I must update the plugins in order to detect anything newer than the release of BT5. Thanks
Unless it's a massive bitcoin mining operation or some actual spyware of the sort which steals credit card data, there's not a lot I can think of that they would want those machines for which would be able to work with entirely encrypted communication. In particular, if they're spam zombies, the flood of email should be a clue.
Then again, there is the problem of knowing that a given attack was a DDoS, and knowing whether a given machine which participated in that attack was a botnet zombie or a legitimate user with bad timing.
Still, if there's a way to single these machines out, I agree with the original poster -- join a botnet, get disconnected.
Don't thank God, thank a doctor!
See
http://www.eecs.umich.edu/virtual/papers/king06.pdf
I would like PCs to implement a non-interactive boot sequence from microSD or SDHC type media only. That is because you can manually write-protect those after system preparation.
By non-interactive I mean that it always boots from microSD if you don't press some complicated enough key combination (like A-F-H-L) on the keyboard during the POST sequence.
Only if you press that key combination do you get to choose other boot media, for which you need a complete reinstall of the system.
Of course the microSD then would have a boot system like EFI or whatever which enables (chain)booting from HD, PXE, USB, .. but only after the system consistency and security tests have been done.
That microSD would then implement mentioned consistency and security checks, using digital signatures etc. It would also be helpful implementing full HD encryption, diskless systems and because microSD is cheap, easily available, reasonably sized it would be easy to make a 1:1 backup of it once you have OS installed. If it ever got corrupted or broke you just replace and rewrite it after checking crypto checksum created when it was initiated and then reboot with it.
Once the microSD was prepared, you would install the OS(es) and each of those boot sectors would be signed by the keys stored on that microSD. If your OS boot sector(s) were tampered with or the like, the boot would not proceed but ask to fix the system with the OS-install media, which would then if needed even contact the manufacturer site and verify whether the OS boot sequence is OK or not.
The more I think of it that kind of system would make a lot of sense.
It would be very hard to bypass by unauthorized and malicious code. If anything goes wrong it would also be quite easy and cheap to fix. Also it would be very easy for users to understand and for advanced users to tweak new features into it.
Cheers,
Virtual Machine
Religion is what happens when nature strikes and groupthink goes wrong.
Maybe they are planning to make it open sourced ? :)
I don't think they are distributing their code so are not in violation of the GPL, you may have their code on your computer but you cannot make use of it. It's more like you have provided them with CPU and ISP resources so let's hope you have the source code to all the GPL stuff you have distributed to them.
Actually the amount of copying between the various interlinked crossed messages indicates some sort of automated content generation.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
... Is always the people, not the technology.
Instead of spending time trying to disarm the worm, do a regular investigation (i.e. simulate that you are someone willing to pay to use the botnet) and get the name of one of the builders. Trying to attack the botnet itself is a waste of time and resources.
Those of us who have worked in the anti-spam world for decades have been predicting this for many years, so it's hardly surprising that we've turned out to be right. Again. It's the inevitable consequence of the non-security of Windows. There is of course no reason to believe that this is the ONLY such botnet. (And if it is? It won't be for long.) With something on the order of 200 million compromised systems on the Internet, botnet builders have plenty to work with. What IS surprising is that so very few have been able to wrap their heads around the obvious and direct consequences of this state of affairs. For example, all click-based metrics are complete nonsense: anyone in control of a botnet of substantial size can alter them at will. For another, it is ludicrous to pretend that any email address can be kept "private", once used. And for a third, courts really do need to recognize that "X's computer did something" is in no way indicative that "X did something" -- a fact that should significantly alter much of the litigation underway. And this is only the beginning. It's going to get much worse.
I designed sphere of influence to look for this type of threat (based on cisco asa/ips for now, but changing)....p2p weakness is who it contacts and where geographically it's talking to. If you happen to own a local business, and all of a sudden traffic is going all over the world to universities, homes etc...then you can correlate. my software visualizes this...it's free to government agencies, education
check it out on http://www.youtube.com/watch?v=ekOXjrF9enI
I'm working on correlating URL vs connection to see if any visualization could be gleaned ..
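Both the "honeypots identify infected nodes" comment earlier and the post above rest on the same observable: a P2P bot fans out to many unrelated peers across the world, and a spam zombie opens connections to many mail servers. The script below is an added example (not the poster's software and not from any vendor) of that correlation over flow records in a minimal "src dst dport" text form. The flows are constructed, the internal range and the thresholds are assumptions, and the first-octet diversity stands in for the geographic spread the post describes.

```python
"""Flag internal hosts with P2P-style fan-out or spam-zombie behaviour in
simple flow records ("src dst dport" per line).

Added example. The flow sample is constructed (the peer addresses are
synthetic, not real hosts); INTERNAL and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed local address space


def build_sample_flows() -> list:
    """Constructed flows: 10.0.0.5 is an ordinary workstation; 10.0.0.7 talks
    to dozens of scattered peers on high ports and to many mail servers on 25."""
    flows = ["10.0.0.5 192.0.2.10 443", "10.0.0.5 192.0.2.11 80",
             "10.0.0.5 192.0.2.10 443", "10.0.0.5 10.0.0.20 445"]
    for i in range(40):   # synthetic peers, first octets 100..139
        flows.append(f"10.0.0.7 {100 + i}.{i}.{i % 7}.{1 + i % 13} {20000 + 37 * i}")
    for i in range(30):   # synthetic mail servers, all on port 25
        flows.append(f"10.0.0.7 {150 + i % 20}.{i}.1.{1 + i} 25")
    return flows


def parse_flow(line: str):
    src, dst, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def analyze(flows, peer_threshold=20, prefix_threshold=10, smtp_threshold=10) -> dict:
    """Return {internal host: [reasons]} for hosts that cross the thresholds.

    P2P signal: many distinct external peers on ports >= 1024, spread over
    many /8 prefixes. Spam signal: many distinct destinations on port 25.
    """
    peers = defaultdict(set)         # src -> external peers on high ports
    smtp_targets = defaultdict(set)  # src -> distinct mail servers
    for line in flows:
        src, dst, dport = parse_flow(line)
        if src not in INTERNAL or dst in INTERNAL:
            continue                 # only internal -> external traffic
        if dport == 25:
            smtp_targets[src].add(dst)
        elif dport >= 1024:
            peers[src].add(dst)
    findings = {}
    for src in set(peers) | set(smtp_targets):
        reasons = []
        n_peers = len(peers[src])
        n_prefix = len({str(p).split(".")[0] for p in peers[src]})
        if n_peers >= peer_threshold and n_prefix >= prefix_threshold:
            reasons.append(f"p2p: {n_peers} peers across {n_prefix} /8 prefixes")
        if len(smtp_targets[src]) >= smtp_threshold:
            reasons.append(f"smtp: {len(smtp_targets[src])} distinct mail servers on port 25")
        if reasons:
            findings[str(src)] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(analyze(build_sample_flows()).items()):
        print(host, "->", "; ".join(reasons))
```

The thresholds are where the "legitimate user with bad timing" problem from the earlier comment lives: a file-sharing client or a mail relay will also trip them, so treat a hit as a lead to correlate with the host (process list, MBR check) rather than as grounds to disconnect on its own.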
".niaga gnikcauq kcauq KPA .dnim fo ecaep evah dna naelc trats rO .erawlam fo eceip yreve thguac uoy fi reverof rednow dna llatsnier a tneverp ot gnihtyreve oD ni si dnim dega sih etats pu-dekcuf eht otni thgisni doog evig spmudniarb siH .KPA snrecnoc taht gnihton si dnim fo ecaep ,niaga nehT .rehtie t'nera seiroeht kcauq ruoy dna tnaveler ton er'uoY .apdnarg ,emoh oG" - by Anonymous Coward another off-topic "ne'er-do-well" /. troll on Thursday June 30, @07:31AM (#36620876)
"???"
Uh, COULD SOMEONE PLEASE GET ME A TRANSLATION OF THAT OFF-TOPIC "TROLL-SPEAK"?
(ROTFLMAO!)
* By the way, since the last line made it thru in actual english in my Python code, BOY, as you can see just 4-5 lines above? What I wrote's NO MERE THEORY!
Yes - it will work vs. the current design of this thing!
(That is, until they change the bogus MBR-protecting driver to not only protect the fake rootkit MBR, but also the driver's initialization area in the registry as well!)
APK
P.S.=> Now - The rootkit maker does THAT? "HOUSTON WE HAVE A PROBLEM" then a reinstall would be needed, imo but only then!
EXACT Steps to take in this order to "KNOCK-THE-CHOCOLATE" out of this rootkit:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
... apk
Courtesy of my TrollTalkComReversePsychologyKiller.py "ReVeRsE-PsYcHoLoGy" system here, lol:
---
#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)
def reverse(s):
    # Build the reversed string one character at a time.
    trollstring = ""
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except Exception:
        print("error/abend in reverse function")
    return trollstring

s = "String to reverse."
print(reverse(s))
try:
    #print(5)
    s = "Go home, grandpa. You're not relevant and your quack theories aren't either."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
---
* ROTFLMAO!
APK
P.S.=> That's just what I use to deal with these trolls around here on /. ... lol Time for the A.M coffee now...!
... apk
I have no real idea to detect malware that bypasses virus scans and other routine measures. I know of the programs and tricks that have been mentioned here, but it's hard to learn what counts as a thorough or even sufficient check.
Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* This absolutely WILL work!
(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )
APK
P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)
... apk
"...CA na era uoy ,yeH .htem no nosbiG evetS ekil etirw uoY" - by gottabeme (590848) In his TROLLSPEAK portion of his reply on Wednesday June 29, @11:58PM (#36618920)
* Uhm, lol... Could we get a translation of that off-topic "troll-speak" of yours, please?
(LOL!)
(See my next reply instead, where you actually spoke normally instead of "troll-speak", ok?)
Thanks for your time!...
APK
P.S.=> Courtesy of this sourcecode for TrollTalkComReversePsychologyKiller.py
---
#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)
def reverse(s):
    # Build the reversed string one character at a time.
    trollstring = ""
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except Exception:
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))
try:
    s = "You write like Steve Gibson on meth. Hey, you are an AC..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
---
Here endeth the lesson... on the trollish part of your reply!
... apk
Just point the C+C server address to one not controlled by the bot. How hard can this be?
It seems to me the problem is really just that TDL-4 etc. can depend on the MBR being in the same place on all computers. Manufacturers should take a page from communications and "spread spectrum" the MBR over different sectors, and make those sectors unique to each drive. Make sure the sequence of sectors is not readable from the net. Perhaps change the sequence from power up to power up. End of problem.
E Proelio Veritas.
"Sounds like you have a lot of fun maintaining your defenses." - by gottabeme (590848) on Wednesday June 29, @11:58PM (#36618920)
I do, & I only had to do it ONCE, & I don't EVER get "sick online" either because of it...
Here's a testimonial from another user who uses a portion of what I do for "layered security" (best thing we currently have vs. threats online) only, in HOSTS files usage, because you can't get BURNED if you don't go into the 'malware kitchen':
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
AND, here is the rest of my defense system (& yes, it REALLY WORKS):
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
---
I'm amazed by the time and effort people spend to defend against malware when the best solution is so obvious. 'You can lead a horse to water..." - by gottabeme (590848) on Wednesday June 29, @11:58PM (#36618920)
That water?
That is "layered security" here:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
(1-2 hours of your time, for stable & secure uptime for YEARS into the distance.... it works, for Windows (the OS with more high quality drivers & software than Linux has by FAR (especially games)).
---
"Maybe the problem is that some people enjoy "the game" so much that they wouldn't know what to do if they stopped playing. - by gottabeme (590848) on Wednesday June 29, @11:58PM (#36618920)
Oh, I "don't play" - see above, my last reply too (lol, "ReVeRsE-PsYcHoLoGy" & below too (especially security info. on unpatched Linux vulnerabilities in its KERNEL ONLY mind you, vs. nearly ALL of what MS gives you to do business & development with no less))!
---
"I remember keeping up with that sort of thing back in the day. Then in 2003 I switched to Debian and haven't had to worry about malware since." - by gottabeme (590848) on Wednesday June 29, @11:58PM (#36618920)
The ONLY thing protecting Linux users is "Security-By-Obscurity", or, isn't ANDROID (yes, it's a Linux variant that's actually getting a big share of market & usage by users on mobile phones).
Isn't THAT showing anyone anything by example? Does me!
NOW:
Some things you ought to know, on unpatched security vulnerabilities in Microsoft's near ENTIRE offering of what you need to do business & development, vs. THE LINUX 2.6x MAINSTREAM KERNEL ONLY:
This data's ALL from a respected source for known security vulnerabilities unpatched:
---
Vulnerability Report: Microsoft SQL Server 2008: (06/26/2011)
http://secunia.com/advisories/product/21744/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (06/26/2011)
http://secunia.com/advisories/product/17543/
Unpatched 0% (0 of 6 Secunia advisories)
Vulnerability Report: Microsoft Exchange Server 2010: (06/26/2011)
http://secunia.com/advisories/product/28234/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft SharePoint Server 2010:
I'd recommend this to anybody, at least as a try out. It's free and it does a heck of a good job of detecting any sort of rootkits on the system. Though remember, this isn't the sort of tool a uneducated computer user can utilize. There is no one click do-it-yourself button.
http://www.gmer.net/
On that which you speak, here are the "layered security" methods I use for it (covers BOTH IP addresses & hosts-domain names of botnet C&C servers):
---
1.) 1,460,225++ KNOWN bad servers/sites/hosts-domains blocked in my custom HOSTS file (vs. hosts/domain names of C&C Servers), updated every 15 minutes from 17 reputable & reliable sources for DNSBL data, HOSTS file data, & my own research!
2.) Firewall rules tables in BOTH hardware router NAT stateful packet inspecting type (LinkSys (vs. IP addressed C&C Servers)) vs. this botnet & others like it
3.) Norton DNS (which uses a DNSBL filter vs. known bogus sites/servers/hosts-domains too) for "layered security" on the principle of "YOU CAN'T GET BURNED IF YOU CAN'T GO INTO THE 'MALWARE KITCHEN'", so-to-speak: Simplest principle there is, & you're onto it yourself!
---
So... how effective is that "layered security" on the principle of which you now speak of?
Ok, a testimonial thereof from another /. user doing the same in addition to my own:
---
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
---
Trick is though, here?
You HAVE TO HAVE the url/domain name of this thing, & IP Addresses of its C&C servers FIRST (for firewall blocking rules tables entries)...
* I don't know if ANYONE has that information yet on this latest model...
Hence, why I posted HOW TO REMOVE IT below, in its current design, guaranteed, 100%
(That is, until the rootkit/botnet makers change the driver to protect not only the MBR, but also the registry area where drivers initialize that is...)
In its latest version, I don't have the IP addresses or hosts-domain names yet!
HOWEVER - I do have it for its previous builds for the botnet itself & its C&C servers though, which they are also PROBABLY most likely STILL USING!
APK
P.S.=> In the meantime?
This IS how you kill the rootkit propagator yourself, & STEP-BY-STEP (it works, read it - makes TOTAL sense as to why by taking out the fake MBR protecting driver itself):
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* This absolutely WILL work!
(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )
... apk
Steps to take 2 "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* This absolutely WILL work!
(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )
Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)
APK
P.S.=> Actually, I posted HOW TO DO IT BEFORE YESTERDAY, 2 days ago, here on /.:
http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272
... apk
I agree with much of your analysis, except for the last part.
I think it has more to do with finding a fictional excuse to lock down the sharing of information, so that when it happens, people will say, "Oh, well. We understand this. We've seen it coming. So let's NOT riot and self-destruct in a non-orderly fashion."
This way, when world crises become intolerable, population control measures can be set in motion with a minimum of fuss and bother from the remaining herd.
But, yeah, I'm sure some of the people involved think it's all about wealth. And in the estimation of their controllers, they're dupes also.
Just make everybody switch to apple computers and the botnet is immediately worthless, along with 99.9999% of the malware out there.
You're welcome.
-Steve
When did that happen? The original scanners checked only the MBR and now they do not look at all? That would be pretty stupid.
Also, what about alternative MBRs? Does this thing keep a GRUB installation intact? And how does it hide in memory?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* This absolutely WILL work, no questions asked/period... vs. the CURRENT design of this botnet/rootkit that is...!
(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )
APK
P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)
... apk
To everyone else, I give a Linux box.
];)
Regards;
Steps to take 2 "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* This absolutely WILL work!
(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )
APK
P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)
... apk
Steps to take 2 "KNOCK-THE-CHOCOLATE" out of this rootkit's design currently:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* This absolutely WILL work!
(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )
APK
P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)
... apk
Why sign all your messages but not make an account? Wouldn't an account make it much easier to keep track of what you've posted, and notify you when people respond?
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
From my Windows experience with viruses, the safest way IS to nuke it from orbit, it's the only way to be sure.
Clean install. It really is too bad you can get free updated install disks from MS... as a clean install isn't the pain in the ass, it is updating all your service packs and updates, and drivers, etc... which you have to connect to the internet for, exposing yourself before you're fully patched. Never made any sense to me considering MS business model.
Windows or any other OS can detect this on start-up
No.
At start-up the system is already compromised.
If the Windows loader checks the MBR with BIOS calls, it might be getting translated. ...from here on it's a cat and mouse game between Microsoft trying to come up with newer ideas to check for presence, and the virus writer creating newer versions that can also circumvent this new check.
If the windows system tries to check some content, nothing guarantees you that the drivers (hard-disk, filesystem, etc.) used to do so aren't compromised too.
If the system tries to compare driver checksums, it's not guaranteed that the comparer itself isn't corrupted (that the "good checksum list" or the public key used to check signatures wasn't overwritten)....
And modern botnets have an additional advantage : they can update their code while running. That means that, as soon as the virus authors find that microsoft uses a new check, they can send the new virus version to all the already infected machines. Copies running "in the wild" can be upgraded to the latest circumvention scheme, at the same pace as microsoft is writing them.
Once again: a compromised system can't be trusted anymore. Anything you can come up with as an idea could have been overwritten by the version of the virus running on your machine.
unless it is a full-fledged blue-pill
Virtualisation is one solution. Corrupting drivers (and checksum lists and public keys) is another.
But you cannot squeeze something like that into the MBR, far too little space.
You also can't fit GRUB in the MBR, nor the Windows kernel. You never could.
Booting is a staged process. The MBR is definitely too small for everything, including for legit usage.
The MBR loads a later stage from a known fixed place (with DOS & Windows it's a regular file in a fixed position) (with GRUB, patches to make BIOS support big drives, and viruses - it's the unused sectors between the MBR and the first partition).
This space is still too small for the whole stuff, but it can contain better file/data access features (that's GRUB's stage 1.5, or Linux's LILO).
So it can load the stage after that from any file, from a hidden file system, whatever the author chooses and that can contain everything you need (the whole GRUB, the whole virus, the OS kernel, etc.) including full R/W filesystem access.
From that point on, you can have enough complexity in place, either to fire up a hypervisor, or to overwrite some critical files in order to go undetected, or check to be sure that the network-payload is still on the "Run after start-up" list, etc.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
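To make the staged-boot point above concrete from the defender's side, here is an added example that is not from this thread or any poster: a Python script that inspects a raw disk image offline (captured from a trusted boot medium, since the post above argues the running system itself can't be trusted), parses the MBR, hashes its boot code against a known-good baseline, and lists non-empty sectors in the gap between the MBR and the first partition, where staged loaders keep their next stage. The disk image, boot code and baseline hash are constructed inline for the demo.

```python
"""Offline MBR and boot-gap inspector (added example, not from the thread).

MBR layout: 446 bytes of boot code, four 16-byte partition entries,
then the 0x55AA boot signature. The sectors between LBA 1 and the first
partition are normally empty; GRUB stage 1.5 and MBR bootkits park
their next stage there.
"""
import hashlib
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"
# status(1) CHS-start(3) type(1) CHS-end(3) lba-start(4) sector-count(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector0):
    """Return boot-code hash and the non-empty partition entries of one MBR."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector0[510:512] != MBR_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start,
                          "sectors": n_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector0[:446]).hexdigest(),
            "partitions": parts}


def gap_sectors(image, first_lba):
    """LBAs between the MBR and the first partition that are not all zero."""
    used = []
    for lba in range(1, first_lba):
        chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(chunk):
            used.append(lba)
    return used


def inspect_image(image, baseline_sha256):
    """Compare boot code with a golden hash and scan the pre-partition gap."""
    report = parse_mbr(image[:SECTOR])
    report["boot_code_matches_baseline"] = (
        report["boot_code_sha256"] == baseline_sha256)
    first = (min(p["lba_start"] for p in report["partitions"])
             if report["partitions"] else 1)
    report["gap_sectors_in_use"] = gap_sectors(image, first)
    return report


def build_image(boot_code, entries, total_sectors):
    """Constructed test helper: assemble a minimal raw disk image."""
    mbr = bytearray(SECTOR)
    mbr[:446] = boot_code.ljust(446, b"\x00")[:446]
    for i, (bootable, ptype, lba, n) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, n)
    mbr[510:512] = MBR_SIG
    return bytes(mbr) + bytes(SECTOR * (total_sectors - 1))


# Constructed sample data: a stand-in boot loader and a single NTFS
# partition (type 0x07) starting at LBA 63, on a 70-sector image.
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441
CLEAN_IMAGE = build_image(CLEAN_BOOT, [(True, 0x07, 63, 1000)], 70)
# In practice the baseline comes from a golden image of the same machine.
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT).hexdigest()


def demo():
    """Inspect the clean image and a constructed tampered copy of it."""
    tampered = bytearray(CLEAN_IMAGE)
    tampered[0:3] = b"\xeb\x3c\x90"            # boot code altered
    tampered[2 * SECTOR:2 * SECTOR + 8] = b"STAGE2.."  # gap sector 2 used
    tampered[5 * SECTOR:5 * SECTOR + 8] = b"STAGE2.."  # gap sector 5 used
    return (inspect_image(CLEAN_IMAGE, BASELINE_SHA256),
            inspect_image(bytes(tampered), BASELINE_SHA256))


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), demo()):
        print(label, "baseline match:", report["boot_code_matches_baseline"],
              "gap sectors in use:", report["gap_sectors_in_use"])
```

Run it against a real image by replacing CLEAN_IMAGE with the bytes of a sector-level dump; a nonzero gap list or a baseline mismatch is a reason to look closer, not proof of infection on its own, since GRUB legitimately uses those sectors.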
http://it.slashdot.org/comments.pl?sid=2282088&cid=36621252
Steps to take 2 "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* This absolutely WILL work to kill the rootkit botnet propagator @ the source/root of it... the driver itself & the bootsector.
Then, once it starts bringing in the "std. fare" of OTHER malware it summons & infests you with - which it DOES do?
You can THEN use std. tools for malware/virus/spyware etc. removal, to "NUKE IT", w/ out a reinstall!
ProcessExplorer's another excellent tool, for killing unknown malwares/viruses when "std. tools" (antivirus/antispyware etc.) don't cut it... by freezing the source lib, service or exe itself & killing it on disk once frozen thus.
* It is a good idea to back up your data too, the personally created stuff you cannot just "reinstall" like OS &/or softwares as well...
APK
P.S.=> Only problem with my technique above, is that IF the botnet makers alter the bogus MBR protecting driver to protect NOT ONLY the MBR as the current design does (which is WHY that series of steps can stop it, for now), but, also the registry initialization of itself from inside the registry here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE
(IIRC, there may be others also)
Then "HOUSTON, WE HAVE A PROBLEM"
Which the above registry location, iirc, IS the area the hooked/filtered driver resides for DiskIO (& which the rootkit's MBR protecting driver protects vs. overwrite via MBR protection)... this rootkit's maker, IF he decides to protect that as well? Backup your data, & NUKE IT FROM ORBIT!
However, in the meantime vs. this rootkit's current design? This works to kill it... & you can clean out any other infestations most likely with std. tools AFTER, if they exist @ all, period!
... apk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
APK
P.S.=> This rootkit's MBR protection comes from a driver that hooks/filters on the Storage IO driver somewhere in that device driver init. tree... & this + other areas are what control driver instancing (we had best HOPE he doesn't "get smart" & correct for the ability of RC's disable command to shut down this thing, @ the root (its driver mainly))
... apk
The # of times I can post (& I can track my posts via tabs easily, & other methods (google site: searches even)...
I.E./E.G.-> I have a "technique" that's not a hack/crack of /., nor is it against the rules, for doing so: That's all!
Plus, I have been literally TOLD this before by trolls here whom I have "offended" & gotten the better of TONS of times on tech issues: & there's NOTHING worse than a geek who gets "shot down", lol... worse than WOMEN imo!
E.G.-> I have a pack of them from trolltalk.com whose "Geek Angst" is 'UP' vs. myself e.g.:
http://slashdot.org/comments.pl?sid=2230966&cid=36418796
Who use multiple accounts OR ac replies, etc. around here to "troll me" with etc./et al...
* In fact? Well - Here's a sampling of what they've told me, as they troll & harass (and yes, even libeled myself) me:
"Some (many) of us are tired of you're trolling and would like to be able to mod you down." - by Anonymous Coward on Monday May 23, @01:08PM (#36219132)
FROM -> http://it.slashdot.org/comments.pl?sid=2177744&cid=36219466
I've just "taken down" a pack of them (countertrolling, tomhudson, gmhowell, & others) who are or have consented to a "truce" with myself... only 1 more to take out now.
He has started hiding in his journals for the most part, OR doing AC replies (I think that's stopped though), because of that "fail list" above of only 1 of their members vs. myself on technical issues on this site...
APK
P.S.=> Thus, I gain little, if anything, by becoming a "registered 'LUSER'" - and, it would by the SAME TOKEN, make myself as easily "trackable" as they are... get it?
... apk
This absolutely WILL work! ... That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area
Nice contradiction there. I suggest you look up "absolutely" in the dictionary, it doesn't mean what you seem to think it means. It doesn't mean "probably, unless the rootkit makers got smarter".
See subject above, & thus? That's ALL THERE IS TO IT!
(Thus, my RC ListSvc, Disable, FixMBR technique works against its current design which has NOT changed yet...)
* Your forums "Illogic Logic" fails again, troll!
So, until it changes, & the exact way I noted? My technique, works...
APK
P.S.=> Needless to mention? I pointed it out & had the intelligence to do so... Did you??
... apk
Downmods by the trolltalk.com trolls by nefarious means (they downmod, logout, keep their cookie unaltered in state, & troll/harass as AC replies as you see now - transparent & easily seen thru), lol...
"If he had an account, all of his posts would start at -1 (due to downmods)" - by Anonymous Coward on Thursday June 30, @03:16PM (#36626278)
Sure, bogus downmods for no good reason is more like it! Funny how I can show 100++ of my favorite up mods in my 'p.s.' below though, eh? Especially vs. THAT outright b.s. ... and??
Proof? Ok:
These trolltalk.com trolls cheat the moderation system!
Here's how they downmod others, and this is where countertrolling - the one doing it now by ac replies explains what he's doing while he trolls others (to his fellow trolltalk.com friends):
http://slashdot.org/comments.pl?sid=2245866&cid=36491652
And, here's where countertrolling's "troll mechanics" for downmodding others is explained in detail by someone (me) that got sick of it happening:
http://slashdot.org/comments.pl?sid=2271908&cid=36579618
As far as bogus up moderations, the trolltalk.com bunch (tomhudson, countertrolling, & others) collectively "team up" to upmod one another, in teams, as favors to one another.
(Talk about low, and bogus!)
---
In fact, here's what countertrolling says about it, why he does it, and to all of us here:
"What the skiddies here don't understand is that I don't give a shit about dumbass 'karma' on the internet.. I'm here for the jollies with nothing to lose or fight for.. watching them destroy their world.. They can go absolutely nuts as far as I'm concerned.. It's nothing but pure entertainment (and data points) for me and mine... Tragicomedy is probably the best word I can think of to describe it" - by countertrolling (1585477) on Thursday June 30, @10:26AM (#36622502) Journal
QUOTED VERBATIM FROM -> http://slashdot.org/comments.pl?sid=2281808&cid=36622502
---
Sounds like a sick individual to me.
The "trolltalk.com" troll/harass/stalk & libel squad is:
---
tomhudson (have enough to silence tomhudson)
gmhowell (have truce in place)
webmistressrachel (she leaves me alone afaik)
jeremiah cornelius (he & I got along fine, he leaves me be)
countertrolling (the only 1 left to "take down" that remains)
---
* Perhaps a few other stragglers like Qzukk, but afaik, he doesn't bug me...
(And, there you are, the truth of it...)
APK
P.S.=>
"and he'd be limited to a certain number of posts per day (and due to downmods, that "certain number" would be two)." - by Anonymous Coward on Thursday June 30, @03:16PM (#36626278)
BUT, I'm not... am I? Heck - I can POST MORE THAN REGISTERED "LUSERS" CAN IF I SO CHOOSE in fact, lol... period!
---
"That is, unless he pulled a MichaelKristopeit (but then, he probably hasn't figured out how to register 400+ accounts)." - by Anonymous Coward on Thursday June 30, @03:16PM (#36626278)
Why bother? Again, I can POST AS MUCH AS I LIKE (even more than registered "LUSERS" can, who are also EASILY TRACKED SHEEP)... and?
As far as my being "downmodded"?? It's funny I can show a hundred here of my favorites, easily:
---
Roughly 100++ of them & I post as AC (hard to get even +1, as /. hides our posts & we "AC"'s start @ ZERO/0 points, unlike registered "lusers", lol!):
+5 'modded up' posts by "yours truly" (5):
Read this, this is what I go thru with trolls -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36626278
And another like it, here in this exchange also:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36626356
(See what I meant now here in my original reply to you after seeing that URL above http://it.slashdot.org/comments.pl?sid=2282088&cid=36624418 )
* I think you see my point on the "trolltalk.com" trollsquad around here... & that I wasn't b.s.'ing you!
APK
P.S.=> My rebuttal to his b.s. is here, IF you are interested:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36626888
It easily disproves the crap he spouted, with backing proofs as well, & easily, as per my usual vs. the "trolltalk.com" trolls that have infested slashdot!
... apk
"? esaelp aerrohgol erom htiw em ot rewsna uoy nac ,taerg s'tahT" - by - another done nothing with his life "ne'er-do-well" off-topic troll
"???"
* Uhm, lol... Could we get a translation of that off-topic "troll-speak" of yours, please?
(LOL!)
APK
P.S.=> Yes, it must just have been another off-topic done-nothing-of-significance-with-his-life troll spewing his off-topic b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!
("ReVeRsE-PsYcHoLoGy" courtesy of this code by "yours truly" in 1 second flat):
---
#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)
def reverse(s):
    # Build the reversed string one character at a time.
    trollstring = ""
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except Exception:
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))
try:
    s = "You write like Steve Gibson on meth. Hey, you are an AC..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
---
... apk
Here's a lesson for you:
#!/usr/bin/env python3
# Slice with a step of -1 walks the string backwards.
print("How to reverse in Python"[::-1])
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Haha, I was actually going to refute some of your claims about Linux, but a few minutes of googling uncovered that you are an EPIC INTERNET TROLL!
So, APK, or cybordeath, or AlecStar, or Alex, or Alexander--I suspect APK are your initials, but I've had enough of googling you: game over.
No wonder you're an AC on here. I wonder how many times you've been banned from Slashdot. Your karma must be as low as possible.
You've been told this before on other forums, but I'll say it again: In all seriousness, you need to see a psychologist. We all have problems, but you show signs of extreme OCD, paranoia, egotism, delusion...I could go on. Your life would likely be much happier if you could get help to deal with these issues and overcome them. I suspect that you have so much free time to carry on these online campaigns because you have trouble holding down a job. Maybe you're on disability. I honestly feel sorry for you. I even wonder if you were in a wreck or something years ago and suffered brain damage, causing a severe personality change.
Anyway, I hope you will seek help and begin to change your life.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
":uoy rof nossel a s'ereH" - by gottabeme (590848) on Thursday June 30, @05:01PM (#36627650)
See subject-line, & this code below:
#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)
def reverse(s):
    # Build the reversed string one character at a time.
    trollstring = ""
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except Exception:
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))
try:
    s = "Here's a lesson for you:"
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
---
* &, there you go... courtesy of yours truly!
APK
P.S.=> I think you made a mistake though...
... apk
This works for purposes of subject-line -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36628334 this code works for the purpose I use it for: "ReVeRsE-PsyChOLoGy" vs. trolls here on /. ...
APK
P.S.=> Thanks for nothing, but you at least stayed on topic & I whipped that out in about 5 minutes time, & added in errtraps etc./et al...
... apk
And, UR version of "ReVeRsE-PsYcHoLoGy" had an error in it, lol - mine doesn't, it works!
",xuniL tuoba smialc ruoy fo emos etufer ot gniog yllautca saw I ,ahaH" - by gottabeme ANOTHER "ne'er-do-well" troll from arstechnica (590848) on Thursday June 30, @05:41PM (#36628132)
See? LMAO!
".todhsalS morf dennab neeb ev'uoy semit ynam woh rednow I .ereh no CA na er'uoy rednow oN - by gottabeme ANOTHER "ne'er-do-well" troll from arstechnica (590848) on Thursday June 30, @05:41PM (#36628132)
Ask Jeremy Reimer how he had to remove his impersonations of myself from his website... lol, see here on that note:
http://www.windowsitpro.com/article/internals-and-architecture/the-memory-optimization-hoax#feedbackAnchor
Where he was put on a tracking ticket by his then ISP Shaw of Canada as well, & had a Det. Felton of the Vancouver BC RCMP called on him as well for harassing me, libeling me, cyberstalking & impersonating myself + a Mr. Martin Meszaros as well!
His friend Jay Little had his websites removed in their ENTIRETY as well for cyberstalking myself, email harassing me, and making DEATH THREATS to me by his hosting provider CrystalTech.com (who told me that both Reimer & Little would do it again, Little has stopped, Reimer has not & only ceased for a year or so).
Talk about "Geek Angst", because they impersonated me on Reimer's puny OSY/Pegasus website, lol, which NOBODY visits, and also cyberstalked me to Windows IT Pro magazine's forums!
LMAO - Only to be SHOT DOWN on 15 technical points, including the fact that memory optimization technology can UNHALT frozen/stalled Exchange Servers...
Yes - that's right, & even Dr. Russinovich had to concede that to me in fact due to documentation from Microsoft no less proving it!
(& I've helped him fix his work before, in pagedefrag.exe in his Hardcodes telling him how/when/where/why via the native NtAPI how to do so in fact (he used to be a "colleague/coworker" of mine for SunBelt Software in the mid to late 1990's in fact - he thanked me for it by email no less!)
---
".tsigolohcysp a ees ot deen uoy ,ssensuoires lla nI :niaga ti yas ll'I tub ,smurof rehto no erofeb siht dlot neeb ev'uoY" - by gottabeme ANOTHER "ne'er-do-well" troll from arstechnica (590848) on Thursday June 30, @05:41PM (#36628132)
Ahem - Do YOU have your:
---
1.) PHD in the Psychiatric sciences?
2.) A license to practice psychiatry professionally??
3.) Years-To-Decades of professional experience in psychiatry???
4.) A formal examination of myself done in a professional environs to make your "snap prognosis/diagnosis" there, Mr. "SiDeWaLk-ShRiNk of /."????
---
NO, to ALL of the above?????
* Thought not... go away troll, & when you quit making mistakes in Python code, THEN you can talk... as you can see above in quotes of your "TrollSpeak"? Mine works...
APK
P.S.=> Trolls - You're ALL THE SAME, & easily dispatched with documented facts & truths, every time...
... apk
You far overestimate what can be done from the MBR. The system is not "compromised" at all at that stage, the second step of the booting process is.
I'm not saying that you can completely hack a machine with the 200 free bytes for custom code in a boot sector.
What I'm saying is that if your code is running first, you can decide what will happen next.
Even if the "big stuff" only happens 7 stages later down the line, you get to choose what happens in the 5 stages in between, if you already control stage number 1.
Even if none of these stages can do great things for you, the same is also true for the legit code. A viral MBR can't do much except redirect the boot process to viral stages. A legit MBR can't do much either. Same for later stages. Except that your code was running first and you get to overwrite the legit code first, before it runs.
What it can actually do is limited. In Linux, e.g., it would need to uncompress and then patch the kernel in memory. This is slow and very, very difficult.
Sorry, no. *You* apparently have no idea.
Uncompressing the kernel is something which happens in a snap second at every boot.
The first 512bytes of a kernel (Linux, Memtest, and a few other) contains already enough code to do it without any problem. You can write the kernel directly on a bootable media (say on a floppy) and it will boot (used to be the case for the Linux kernel, before it became too complex to fit on a floppy. That's still one possible way to load memtest).
Something as small and as simple as GRUB can have already enough functionality to freely read and (in-place) write any file on a partition. That's already enough functionality to make sure that the content of a few key ".SYS" files in Windows are overwritten with content coming from a few other files of viral origin. .SYS files before booting further.
These files can reside on the boot partition (and be subsequently hidden by the hacked file system drivers) or on a separate hidden partition (which could be hidden too, using a hacked disk driver) like overwriting the "System tool" partition that most modern boxes come with out of the factory.
All it takes is that, instead of running the vanilla NTLDR or Winload.exe, the previous viral stage (the one booting from the free sectors) load an alternate Boot loader, one that first overwrites critical
Again, GRUB is also able to load and uncompress a kernel, then load and optionally uncompress modules (although this function isn't much used by Linux. ReactOS does use it extensively though), and finally load a ramdisk (which is quasi-instantly decompressed during boot).
A viral stage2 bootloader code could load the kernel, load and inject a special "root-kit" module, load the ram disk and let the whole stuff run.
The Linux kernel has several facilities to allow modifying code in-place. Modules are a standard way. Root-kits as modules are a standard attack on Linux. Normally they are hard to do, because once Linux is running, you need privileges to load modules, and the module functionality might have been disabled at this stage for security reasons. Before booting, injecting a root-kit module is just trivially using the facility used to pre-load modules.
Countermeasures could be disabling support for bootloader-provided modules, or adding a checksum control in the first step of the kernel startup.
Evasion could be putting the root-kit module inside the ram-disk, or using an alternate kernel (with no checksum, or with the root-kit built in statically).
The windows booting process even *COUNTS* on lots of files and modules being loaded. System .DLL files, SCSI miniport, other boot critical .SYS driver ... .SYS
Hacking windows's boot process is as simple as either making sure at a previous stage that the critical
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
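The checksum countermeasure floated in the post above can be sketched from the defender's side as a baseline comparison of the boot sector. This is an added example, not code from any poster in this thread or from Kaspersky or Microsoft: it takes a 512-byte MBR image, verifies the 0x55AA boot signature, parses the four partition entries, and compares a SHA-256 of the 446-byte boot-code area against a stored known-good value. The boot-code bytes, the single partition entry, the "infected" patch and the `read_mbr` path are all constructed for illustration (not a real MBR dump), and the baseline hash is assumed to have been recorded from a known-clean boot.

```python
"""Added example: baseline check of an MBR's boot-code area (constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # boot code (plus, on newer layouts, a disk signature) precedes the table
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR
# Partition entry: status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY_FMT = "<B3sB3sII"


def parse_mbr(sector):
    """Return the partition table and a hash of the boot code, or raise ValueError."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector, baseline_sha256):
    """Compare the boot-code hash with a known-good value; True means it changed."""
    info = parse_mbr(sector)
    return info["boot_code_sha256"] != baseline_sha256, info


def read_mbr(device_path):
    """Read sector 0 from a raw device or disk image (assumed path, e.g. a dd image)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code bytes and partition entry tuples (constructed)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed sample data: a stand-in for boot code (not a real MBR dump) and one NTFS-type entry.
CLEAN_MBR = build_mbr(bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4"),
                      [(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)])
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()   # assumed saved from a clean boot

# Simulated modification: a few boot-code bytes replaced, partition table left untouched.
_patched = bytearray(CLEAN_MBR)
_patched[0x10:0x13] = b"\xe9\x00\x01"
INFECTED_MBR = bytes(_patched)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("modified", INFECTED_MBR)):
        changed, info = check_mbr(image, BASELINE)
        print(f"{name}: boot code {'MODIFIED' if changed else 'matches baseline'}, "
              f"{len(info['partitions'])} partition(s), first starts at LBA "
              f"{info['partitions'][0]['lba_start']}")
```

The point of hashing the boot-code area rather than the whole sector is that a replaced MBR typically keeps the partition table intact so the machine still boots, so a check on the table alone finds nothing. The comparison is only meaningful when the sector is read from clean boot media: as the Microsoft excerpt quoted later in this thread notes, the rootkit's driver hooks disk I/O, so reads issued from the infected, running system cannot be trusted to return the real sector.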
ON WINDOWS VISTA, WINDOWS 7, or WINDOWS SERVER 2k8 - that's simply because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!
For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!
(HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)
* Because all they do is query the registry and write it, respectively!
(The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).
APK
P.S.=> To quote Sean Connery from "The Untouchables"? Well, "Here endeth the lesson..."
Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:
---
http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
PERTINENT QUOTE/EXCERPT:
"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"
---
(Doing a listsvc /? or disable /? shows their parameter switches for their commandlines)
* ... & there you are!
APK
P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why) ... apk
Infection of the TDL-4 botnet is estimated at 1.55% (about 1 in 64) in the US.... higher in other countries... (e.g. romania 3.49%)
http://www.internetsecuritydb.com/2011/06/tdl-4-botnet-statistics.html
It's obvious you WERE trolling me though, for Pete's sake!
(Now, see subject-line: IF you weren't trolling me? My bad then!)
HOWEVER - it's obvious you came in here trolling!
Proofs/Evidences thereof to that very effect:
---
I.E./E.G. #1: Your bringing up Arstechnica (& myself EASILY "shooting it down in flames" with documented proof from where it happened + why). See here on that note -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36628132
---
I.E./E.G. #2: Opening your init. post the way you did. See here on THAT note -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36618920
---
I.E./E.G. #3: Your trying to tell me how to write PyThon code, when mine works fine & yours had an error in it too? Please... see here on THAT note -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36628334
---
(That's how it did, mainly the LAST example #3 above all others in fact!)
* I call that "ReVeRsE-PsyChoLogy" merely because it's a "play on words", diff. meaning entirely, but when trolls "troll me"? That's what they get in return - their OWN GIBBERISH thrown back @ them... & there you go!
APK
P.S.=> Heck that Python error you made, when my code works JUST FINE?
Well - I really didn't HAVE to use my "patented 'ReVeRsE-PsYcHoLoGy'" anti-troll technique... the way you 'blew it" with the mistake in your PyThon code did that for me, lol (sorry, just fact).
... apk
Amen. This, of course, is part of MS' business plan that the Antitrust Division of the Department of Justice should have looked hard at and forced them and the hardware makers to change during the last show "investigation" of and proceedings against MS.
A local computer shop and I once created boot disks for their, my, and some other customers' computers. Unfortunately, somewhere along this way, both the shop and I had picked up a delightful virus, very possibly installed during a burglary of my law office and some other sabotage, and, you guessed it, it got included on the boot disks and a lot of others.
This thing could also infect my off-site backup which I finally did get after two successive burglaries where nothing but data was stolen and damaged, and the destruction of my law office by what the fire marshal told and showed me was arson but, for political reasons, he would list officially only as "suspicious" and the police never opened a file.
I guess everybody but me understands all this stuff. I don't. One thing I have never figured out is how people with the kind of technical knowledge involved, which should have a value in the legitimate market (though some of my friends' incomes have collapsed), and the time and capital needed to create and propagate these things, make any money at these activities.
"Please explain how quoting me backwards makes me look bad. I think it makes you look silly and childish." - by gottabeme (590848) on Friday July 01, @04:56AM (#36631474)
I already did - my Python code did reversal of strings, you said yours did but it won't because you put the wrong stuff into the shebang. ERROR...
U FAIL #1
---
"Actually, I never mentioned Ars Technica--you did." - by gottabeme (590848) on Friday July 01, @04:56AM (#36631474)
Right I did, because I remember after MANY YEARS still that Arstechnica accused me of being this CyborDeath character (and I am NOT he), per the below statement you made, you lying jackass:
"So, APK, or cybordeath, or AlecStar, or Alex, or Alexander--I suspect APK are your initials, but I've had enough of googling you: game over." - by gottabeme (590848) on Thursday June 30, @05:41PM (#36628132)
So don't try to "fool me" - you're not: You try to make ME look badly, and just because you couldn't:
---
1.) Disprove my points backed by solid information on Linux
2.) You put the wrong path into the 'shebang' (and yes, jackass - I know what that is, so don't even begin to try to patronize me, after YOUR screwup on it in the Python code)
---
U FAIL #2
---
"Actually, my typo was not in the Python code, but in the shebang. It's a Unix thing. The Python code works "JUST FINE". - by gottabeme (590848) on Friday July 01, @04:56AM (#36631474)
Ahem: BULLSHIT -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36627676
( Then, why did you say "Oops" there? without that being correct it is a mistake on your part... period. )
U FAIL #3
---
"Please explain which Python exceptions your code could raise." - by gottabeme (590848) on Friday July 01, @04:56AM (#36631474)
WTF? Talk about easy (not that I have to answer it but I will and so will YOU with your own words, of 'Oops' etc.):
---
Structured exceptions built into python (via exceptions as e which would be raised)
OR
Custom exception, by the one I printed out in the reverse function myself (a custom exception that would signal the error occurred there))...
---
Clue: I've been using error trapping vs. unexpected abends since the 1980's you sanctimonious little patronizing jackass (and on what grounds you act that way is beyond me - you failed here, not I).
AND, not that I have to answer to a JACKASS like yourself that couldn't disprove my points backed by FACTS in Linux, or that made a mistake in his Python work.
U FAIL #4
---
"Please explain how typing in ALtErNaTiNG CaPs makes you appear mature." - by gottabeme (590848) on Friday July 01, @04:56AM (#36631474)
Awwww, poor baby - gottebeme came in here trolling me and now he tries to "act the mature person"... lol!
(Think that fools anyone? NOT!)
U FAIL #5
---
"By the way, what drugs do you use, and how long have you been using? - by gottabeme (590848) on Friday July 01, @04:56AM (#36631474)
Ooohhh, the little troll thinks he's clever - new NEWS/NewsFlash: QUIT PROJECTING!
U FAIL #6
---
"I have a challenge for you" - by gottabeme (590848) on Friday July 01, @04:56AM (#36631474)
I have a challenge for you - try not to make me laugh (because you do, & on all fronts noted above).
U FAIL #7
(Above all else by this point? I don't have to answer a damn thing from you from this point on you troll... you lose.)
APK
P.S.=> U FAIL TROLL - period (now go away, shoo troll, lmao!)
... apk
gottabeme says "Oops" here, lol http://it.slashdot.org/comments.pl?sid=2282088&cid=36627676
Trying to correct apk, and apk's string reverse program worked fine already, see here http://it.slashdot.org/comments.pl?sid=2282088&cid=36628334
For a guy that does "horribly ugly and inefficient GUIs tacked together to do really basic stuff" as you said, then how come apk was able to do this list below (copied from a post of his I bookmarked) and perhaps you can speak that way when you can show you've done better troll:
---
Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61
(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).
WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)
PC-WELT FEB 1998 - page 84, again, my work is featured there
WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there
PC-WELT FEB 1999 - page 83, again, my work is featured there
CHIP Magazine 7/99 - page 100, my work is there
GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it
HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!
Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...
Being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com/forums/showthread.php?s=ee926d913b81bf6d63c3c7372fd2a24c&t=28430&page=3
---
When you can show you've done better maybe then you can talk troll.
hello_tt.sys
(Disable that using the disable command from Recovery Console, THEN, reboot to RC again, & use fixmbr to restore a normal bootsector (because it's no longer being "protected" by this driver anymore than from overwrite))
FROM -> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.E
APK
P.S.=> Despite the jackasses (countertrolling & tomhudson) down modding my posts, this was meant to help other techs combat this thing & with good intentions from myself - despite the trolls around here!
... apk
Here is how/when/where/why, regarding botnets like these (blended threat type that uses both a driver AND the bootsector):
"The thing is, it's been a long time since anyone's found viable remote exploits, and as much as APK would love to believe otherwise, the kind of local exploits Linux has now aren't nearly as serious, and also aren't that relevant to this discussion" -
This rootkit/botnet combination?
IT HAULS IN OTHER THINGS!
Mainly malwares that operate in Ring 3/RPL3/Usermode (in Windows)!
(Yes, it can be "taken out" - I've written it here NUMEROUS TIMES to show others how & why too)
I.E.-> Recovery Console bootup, listsvc (to find the hello_tt.sys bogus MBR protecting driver), disable to disable it, reboot to RC again, fixmbr to refresh the bootsector (since it's no longer being protected vs. this thing)
Fact is - The only thing that scares me & I noted it in my posts here, is IF the creator of this botnet begins protecting the registry area that drivers LOAD from (which is what disable overwrites, & it only takes on REBOOT) - so, if they protect it vs. overwrite? Disable won't even help... because it doesn't take until reboot!
NOW, back on track:
Since this thing hauls in other malware to attack you with? It's "INSIDE" Troy, so-to-speak... & any LOCAL EXPLOITS, become ESSENTIALLY, remote ones due to botnet control that CAN EXPLOIT THEM...
Get it??
Heck, I'll give you another example thereof on the SAME CONCEPT that actually happens to a former "co-worker/colleague" of mine, recently too!
Even "good guys" like Dr. Mark Russinovich had his wares exploited recently (psexec) by the CoreFlood botnet this way -> http://www.installsoftware.com/microsoft-admin-tool-used-by-coreflood-to-infect-computer-networks/network_software
So... do you SEE MY POINT? Once botnets are "inside the gates of the city"? They can do ANYTHING you can do really (take advantage of apps, OR LOCAL SECURITY VULNERABILITIES TOO!)
Plus - Rootkits ORIGINATED in UNIX, and they do exist for Linux...
Now, they are out there for Linux, just not as much due to lesser amounts of use on end-user less expert desktops... SO, they start being designed LIKE THIS ONE IS??
* EVEN LOCAL EXPLOITS BECOME "REMOTE ONES" used by botnets!
APK
P.S.-> Only a matter of time too, & I've told you this before (plus, ANDROID shows you all that Linux can be exploited as well) - "Security-By-Obscurity" is the ONLY THING PROTECTING LINUX, period, on desktops for end users... malware makers are out to take out the BIGGEST TARGET THEY CAN, from a single shot: That's Windows, because it has the most end-user market/mind share... they are JUST LIKE PICKPOCKETS: Pickpockets don't operate on "crowds of 1", they go to train stations, subways, crowded streets & thoroughfares, to do their work (victimize others)... malware makers? NO DIFFERENT! You get Linux higher marketshare?? It will be attacked more, period (ANDROID shows this much easily) & LOCAL EXPLOITS, can become REMOTE ONES (in a manner of speaking, because the enemy IS INSIDE THE CITY WALLS, ala Troy)...
... apk
http://it.slashdot.org/comments.pl?sid=2282088&cid=36639318
And I really do NOT like you talking behind my back, either... but, show up there, and we can discuss what I brought up (see you there).
APK
You put a LOT OF FAITH in Chrome's sandbox? Hey - Sandboxes CAN and HAVE BEEN BROKEN (you even alluded to that much)!
So - Do you want to REALLY be "sure" of Chrome? Cut down on the indiscriminate use of javascript everywhere (only use it where you ABSOLUTELY need it), because even javascripted adbanners have been found to house malware - & it's one of the MAIN avenues whereby infectors/malware-in-general make their entrance into a system from!
Until the way this thing is getting into systems IS CLEARLY IDENTIFIED (be it an app that poses as a legit one, ala a Trojan (hence, my TROY analogy here) OR via scripted websites or adbanners etc.)? It's a GOOD IDEA to cut off that possible avenue of infestation as well in indiscriminate javascript usage "everywhere" as well as just using "any app there is under the sun"
(Good job on cutting listening services with vulnerabilities or not though, as well as patching on your end, it's much as I do on Windows, see below).
ALSO - You're also NOT accounting for the other parts of Linux that come in the distro itself that have bugs that are NOT SANDBOXED!
(Things like other browsers & programs, Window Managers (possibly even the new UNITY itself because it's new & NEW THINGS USUALLY HAVE SECURITY ISSUES/BUGS that pop up eventually as well)), Shells (KDE/Gnome), etc./et al)
All those things that come in a Linux distro, that YES, have security bugs/issues themselves that CAN be taken advantage of (remote AND LOCAL ones).
Couple all THAT, together with the fact I noted in my last post that a rootkit/botnet "blended tech threat (uses both driver & bootsector style rootkit tech) HAULS IN OTHER MALWARES ONTOP OF ITSELF BEING THERE TOO?
Again - Once inside "the walls of Troy" (& I do salute you for doing what I do, cutting off other possible points of "ingress for infestation" ala my guides for securing Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE )?
It can do what it wants - up to the creativity of the botnet makers...
* Including take advantage of local apps (ala my example with CoreFlood & Dr. Mark Russinovich's psexec.exe program, from my last post to you in regards to this, which this is an addendum to), OR LOCAL SECURITY BUGS UNPATCHED!
Period...
---
On that note?
Let's compare HOW MANY security issues remain unpatched on Windows (heck, ALL of what Microsoft gives you for business & development even) vs. THE LINUX 2.6x MAINSTREAM KERNEL ONLY:
This data's ALL from a respected source for known security vulnerabilities unpatched:
---
Vulnerability Report: Microsoft SQL Server 2008: (07/02/2011)
http://secunia.com/advisories/product/21744/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (07/02/2011)
http://secunia.com/advisories/product/17543/
Unpatched 0% (0 of 6 Secunia advisories)
Vulnerability Report: Microsoft Exchange Server 2010: (07/02/2011)
http://secunia.com/advisories/product/28234/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft SharePoint Server 2010: (07/02/2011)
http://secunia.com/advisories/product/29809/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (07/02/2011)
http://secunia.com/advisories/product/34343/
http://it.slashdot.org/comments.pl?sid=2282088&cid=36639318
Additionally, I don't like how you "talked behind my back" either, but... we can discuss that TOO, once you get to that link above & read it: See you there...
APK
Surely we only need your hosts file trick to fix this problem, right apk?
No?
One might think it was the cure-all for every IT issue, from the number of times you vomit that rubbish up.
..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?
Norton DNS or my HOSTS file would block it, but I wouldn't worry about that (say if my nephew or brother who uses my system @ times infest it by accident)?
Well - Typical virus/spyware/trojans/malware-in-general, I'd knock it off using Process Explorer IF I had to!
(That's my "never fail tool" that can be used vs. malware-in-general that possibly std. tools like antivirus/antispyware doesn't kill - that IS because their signatures/mugshots of known offenders sometimes doesn't HAVE new stuff in it (&, that's usually only a matter of time too with submissions from millions all over the globe & what-not)).
Process Explorer (for std. "Ring3/RPL 3/UserMode" malware that is) is EXCELLENT for killing unknown ones (& you can always spot them, even IF they hide beneath another exe they hook (via libs) or services (libs or exes)).
You tell it to "freeze" the culprit, which it sends HLT commands to, & then? You destroy it on disk... simple!
---
Many times here in the past, I have said most security is "reactive" in nature before here, antivirus/antispyware too - but the rest of it, comes from the user being diligent patching OS & apps, PLUS, being smart about surfing!
Case in point?
E.G.-> Another PROACTIVE measure that cuts off a vector of infestation @ the root?
Disabling javascript's "all the time" - only use it, where you absolutely NEED it!
Say for ecommerce or reputable sites only!
(Opera allows for this excellently, as it has a BY SITE PREFERENCES setup, & globally I surf w/ out script active by default, plugins too (e.g.-> Adobe Flash going thru hell all the time is why with bugs)) another PROACTIVE way to avoid trouble too!
E.G.-> Since 2004, I can show you a slew of reports on adbanners ALONE that infected folks by the 1,000's if not millions via malicious scripting, & bogusly scripted sites (which Norton DNS' DNSBL & HOSTS files block & my hosts file? Updated EVERY 15 minutes, automatically for me as I stated, via a Python system I built/co-built/rebuilt))
The rest of what I do "PROACTIVELY"? Is in my p.s. below... it works!
Would you like testimonials to that effect? Ok:
I "preach" layered security, & have since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:
http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text
AND, more currently, the MOST viewed & highly rated one there is for years now since 2008 online:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
Which has well over 300,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:
---
1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ [pcpitstop.com] (see January 2008))
---
Across 15-20 or so sites I posted it on back in 2008... have YOU done better, troll?
---
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
TcpView... now, say (as I did in my last post above) that while letting my nephew, brother (or even little niece, she's into computing too (good sign)) use my system, & say they infect it via a USB stick, and my antivirus/antispyware in place resident doesn't catch it? I can monitor who/what/when/where/how my system is "talking to" other machines online (inclusive of botnet C&C servers).
(Yes, Microsoft Security Essentials SHOULD "catch that" here & I update it religiously - but, then, that's assuming their reactive security signatures have it in the 1st place, & that their heuristics would find it too).
In that case?
I can watch who/what/when/where/how my system "talks" to other systems online, & if I see one I am NOT talking to? It gets added to my firewall list (by IP address), and the offending unknown interloper malware/botnet gets "BLOWN AWAY" by ProcessExplorer.exe, as I noted in my last post/other post in reply to YOUR last post.
It's THAT simple (assuming anything could even BEGIN to "get thru" here, & the ONLY way that would happen, is by downloads I might use here (never does though - not for roughly 15++ yrs. now in fact...)).
APK
P.S.=> Detection of malware (even C&C servers) isn't that tough...
Plus, knocking out botnets? Even easier (even "supposedly indestructible ones" (b.s., it's VERY destructible currently @ least), like this one where I showed everyone here a way to do that too, easily & guaranteed on ALL levels vs. this botnet/rootkit's current design, to work)...
Then, if need be?
Process Explorer takes care of the rest, if need be!
... apk
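The post above describes watching which remote hosts a machine is "talking to" (TcpView) and adding any unexpected peer to a firewall rule by IP address. The following is an added example, not code from the post's author: it parses constructed "netstat -ano" style output (the sample lines, the allowlist in EXPECTED_PEERS and the rule name format are all assumptions made here), flags ESTABLISHED connections to peers that are not on the allowlist, and prints a Windows Firewall outbound block rule for each so an operator can review it before applying it.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample of "netstat -ano" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:49152     93.184.216.34:443      ESTABLISHED     2212
  TCP    192.168.1.10:49160     203.0.113.77:8080      ESTABLISHED     4480
  TCP    127.0.0.1:49170        127.0.0.1:49171        ESTABLISHED     3120
  UDP    0.0.0.0:5355           *:*                                    1200
"""

# Hypothetical allowlist: remote addresses the operator knows the machine talks to.
EXPECTED_PEERS: Set[str] = {"93.184.216.34"}


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse the TCP rows of 'netstat -ano' output; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # TCP rows have exactly five columns: Proto, Local, Foreign, State, PID.
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, local, remote, state, pid = parts
        rhost, _, rport = remote.rpartition(":")
        rows.append({"local": local, "remote_ip": rhost,
                     "remote_port": int(rport), "state": state, "pid": int(pid)})
    return rows


def is_local_ip(ip: str) -> bool:
    """Loopback and unspecified addresses are never a conversation with another machine."""
    return ip.startswith("127.") or ip in ("0.0.0.0", "::1", "::")


def unexpected_peers(rows: List[Dict[str, object]],
                     expected: Set[str]) -> List[Tuple[str, int, int]]:
    """Return (remote_ip, remote_port, pid) for ESTABLISHED connections to non-allowlisted peers."""
    found = []
    for r in rows:
        if r["state"] != "ESTABLISHED" or is_local_ip(str(r["remote_ip"])):
            continue
        if r["remote_ip"] not in expected:
            found.append((str(r["remote_ip"]), int(r["remote_port"]), int(r["pid"])))
    return found


def block_rule(ip: str) -> str:
    """Outbound block rule in 'netsh advfirewall' syntax, for an operator to review before running."""
    return (f'netsh advfirewall firewall add rule name="block-{ip}" '
            f"dir=out action=block remoteip={ip}")


if __name__ == "__main__":
    for ip, port, pid in unexpected_peers(parse_netstat(SAMPLE_NETSTAT), EXPECTED_PEERS):
        print(f"PID {pid} -> {ip}:{port}")
        print("  " + block_rule(ip))
```

The PID column is what ties the connection back to a process for inspection in Process Explorer; the rule is printed rather than executed so that a mis-parsed or transient connection does not get blocked without a human looking at it first.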
IF you have the hosts-domain name for the C&C servers this botnet uses!
(And, I do have all of them for TDSS, Zeus, SpyEye, CoreFlood, & MANY others, & ones for this one also that are known from past models of it mind you)
In fact, as of RIGHT NOW (slow day today on updates, but it's a holiday weekend too)?
My HOSTS file protects me vs. 1,466,975++ known bad sites/servers/adbanners/hosts-domains... as of this writing & checking its temp file before OVERWRITE COMMIT to my actual HOSTS file (not in std. location either, I point it to another location in fact, to fool most malware that don't do the correct check for it beyond std. default location (QHosts being an example virus that did that in fact in the past)).
Then, yes - HOSTS can help see this from a /. member here in fact as a testimonial thereof to that effect above & beyond my own:
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
HOSTS, work, & help... especially in combination with:
---
A.) DNSBL protection I get from Norton DNS which filters vs. malware and updates around every 1/2 hr. or so, & that I can attest to with proof if needed
B.) Firewall rules tables (software or hardware type, vs. IP Addressed threats that do NOT use hosts-domain names)
---
* It's ALL about "layered security" & I've been practicing it, & remained infestation free, since 1996 or so in fact... because of this:
I "preach" layered security, & have since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:
http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text
AND, more currently, the MOST viewed & highly rated one there is for years now since 2008 online:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
Which has well over 300,000 - 500,000++ views online, last I checked (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:
---
1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ [pcpitstop.com] (see January 2008))
---
Across 15-20 or so sites I posted it on back in 2008... have YOU done better, troll?
---
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
You can avoid DNS lookups period using them (For 250 of my fav. sites? I have their IP resolved locally, which is FASTER than calling out to remote DNS servers & safer (in that DNS servers that aren't kept up on as they should be can be "dns poisoned"-redirected)).
Another speed, security, AND even to an extent (vs. DNSBL when applied say, unjustly as is in the case in say, China vs. political unrest), anonymity as well (lightening DNS servers loads too, bonus for DNS admins!).
APK
You can avoid DNS lookups period using them (For 250 of my fav. sites? I have their IP resolved locally, which is "Hardcoding" their hostsname-to-IP Address into HOSTS, which results in not only FAR FASTER performance acting as your OWN DNS SERVER, locally (faster by FAR than calling out to remote DNS servers & safer (in that DNS servers that aren't kept up on as they should be can be "dns poisoned"-redirected)).
I do that for 250 of my fav. sites in fact, the ones I go to 90% of the time... so, DNS issues? Lessened even moreso here... by HOSTS files.
(That's YET another speed, layered-security, AND even to an extent (vs. DNSBL when applied say, unjustly as is in the case in say, China vs. political unrest), anonymity BONUS as well (lightening DNS servers loads too, bonus for DNS admins!)).
* Beat THAT with a stick...
APK
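The posts above describe a HOSTS file rebuilt from several blocklist sources by overwrite rather than append, with a few favourite sites "hardcoded" to their IP so they skip remote DNS. The following is an added example, not the poster's own Python system: the three source texts, the pinned hostname and its address are constructed stand-ins (no real feed is fetched), and the output path is whatever the caller supplies. It normalises entries from differing list formats, deduplicates them, emits a clean 0.0.0.0 block section after the pins, and commits the result by writing a temp file and atomically replacing the target.

```python
import os
import tempfile
from typing import Dict, Iterable, List

# Constructed blocklist fragments standing in for downloaded sources (not real feeds).
SOURCE_A = """\
# list style 1: entries mapped to 0.0.0.0
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
0.0.0.0 cnc.bad-example.com
"""
SOURCE_B = """\
127.0.0.1 localhost
127.0.0.1 Ads.Example.NET      # same host as above, different case and address
127.0.0.1 ns1.bogus-dns.example
"""
SOURCE_C = "cnc.bad-example.com\nmalware.example.test\n"   # bare-hostname style

# Hypothetical local pins: favourite sites resolved locally instead of via remote DNS.
PINS: Dict[str, str] = {"www.example.com": "93.184.216.34"}

# Names that must never end up in the block section.
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_source(text: str) -> List[str]:
    """Extract hostnames from a HOSTS-style or bare-hostname list; comments and blanks are ignored."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # HOSTS format is "<ip> <host>"; a single token is a bare hostname.
        host = (parts[1] if len(parts) >= 2 else parts[0]).lower().rstrip(".")
        if host in NEVER_BLOCK:
            continue
        hosts.append(host)
    return hosts


def merge_blocklist(sources: Iterable[str]) -> List[str]:
    """Union of all sources, deduplicated and sorted, rebuilt from scratch on every run."""
    merged = set()
    for src in sources:
        merged.update(parse_source(src))
    return sorted(merged)


def render_hosts(blocked: List[str], pins: Dict[str, str]) -> str:
    """Pins come first; a pinned host is left out of the block section so the pin wins."""
    lines = ["127.0.0.1 localhost", "::1 localhost"]
    lines += [f"{ip} {host}" for host, ip in sorted(pins.items())]
    lines += [f"0.0.0.0 {host}" for host in blocked if host not in pins]
    return "\n".join(lines) + "\n"


def commit_hosts(content: str, path: str) -> None:
    """Write a temp file beside the target, then atomically replace it (overwrite, never append)."""
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".hosts-")
    try:
        with os.fdopen(fd, "w", newline="\n") as f:
            f.write(content)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.remove(tmp)
        raise


def build_and_commit(sources: Iterable[str], pins: Dict[str, str], path: str) -> str:
    """Merge, render and commit in one step; returns the content that was written."""
    content = render_hosts(merge_blocklist(sources), pins)
    commit_hosts(content, path)
    return content


if __name__ == "__main__":
    print(build_and_commit([SOURCE_A, SOURCE_B, SOURCE_C], PINS, "hosts.generated"))
```

The atomic replace is the point of "overwrite, not append": a crash mid-write leaves either the old file or the new one, never a half-written one, and stale entries from a source that has since dropped them disappear on the next rebuild.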
U cannot disprove apk data on Linux vs. Windows http://it.slashdot.org/comments.pl?sid=2282088&cid=36621618
Play 2:58 on, says it for me better than I can -> http://www.youtube.com/watch?v=SP74aJBbIoY
AKhilleus (greek spelling of Achilles) , son of Peleus (middle names are usually that of the father or paternal grandfather) "KNOCKS THE CHOCOLATE OUT OF YET ANOTHER /. OFF-TOPIC 'Agreus' TROLL!", as-per-my-usual...
* You KNOW you've gotten the best of a troll, when trolls resort to adhominem attacks, spelling & grammar checks, + going off-topic blatantly... as gottabeme, clearly has.
(APK "FTW" as usual, vs. trolls...)
APK (The "Invincible Winner" vs. /. trolls...)
P.S.=> This? Ah, I just GOTTA say it, as is my usual in my own INIMITABLE 'style' -> This was just "too, Too, TOO EASY - just '2EZ'"
... apk
"?llort ,retteb enod uoy evaH .eeG .trats ton lliw )oot ,xuniL ro XSO rettam taht rof ro( swodniW erehw retupmoc a no ecivres etomeR .toob ton lliw taht retupmoc a no neve ,yletomer stiktoor evomer ot metsys siht esu nac I snaem ,esruoc fo ,sihT .tenretnI eht revo ,yletomer ti od nac I dna ,metsys detcefni eht nihtiw naht rehtar ,enilffo nacs siht seod tI .enihcam a nacs ot senigne surivitna tnereffid +04 sesu taht loot erawlam-itna na fo rohtua eht ma I....ees s'tel ,lleW ?aera siht ni enod ev'I tahw ot sa ,woN .tnavelerri si meht kcehc uoy taht gniyaS .yrots fo dnE .doireP .sgnittes SND ruoy tsurt regnol on nac uoy ,detcefni si enihcam ruoy nehW .derohtua ev'uoy sediug ytiruces ynam woh dna ,enod ev'uoy tahw nmad a evig t'nod I ?ycallaf lacigol ytirohtua ot laeppa eht fo draeh revE !slaitnederc ruoy ta kool esuaceb thgir eb tsum uoy woh dna ,enod ev'uoy taht sgniht suoiverp ot kcab gniog trats uoy ,edam uoy tnemetats lacigolli yletelpmoc a no tuo uoy llac I nehw dna ,em tuoba tihs kcaj yletulosba wonk uoY .hturt eht s'tI .ton s'tI .tiabemalf ekil sdnuos taht ,seY .ehcuod gnikcuskcoc a er'uoY" - by cbiltcliffe (186293) on Sunday July 03, @09:36AM (#36646308) Homepage
"???"
Uhm... Could we get a translation of that off-topic "troll-speak" of yours, please?
* And, you're an off-topic troll - no questions asked...SEE MY SUBJECT LINE ABOVE!
APK
P.S.=> Yes, it must just have been another off-topic done nothing of significance with his life troll spewing his off-topic b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!
("ReVeRsE-PsYcHoLoGy", for trolls - Courtesy of this code by "yours truly" in less than 1 second flat):
---
#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)
def reverse(s):
    # Build the reversed string by prepending each character in turn.
    trollstring = ""
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except Exception:
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))
try:
    s = "Insert whatever 'trollspeak/trolllanguage' gibberish occurs here..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
APK
P.S.=> Rotating DNS servers, and pinging them against the TLD that maintains the directories for it, giv
See subject-line, & these steps to knock out this rootkit/botnet from a read only media (Windows installation media on DVD or CD):
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
And, "eat your words" now flavored with the "bitter taste of YOUR OWN DEFEAT"...
* This absolutely WILL work, no questions asked/period... vs. the CURRENT design of this botnet/rootkit that is...!
(That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )
Fact is, I first posted on it here 2 days ago in fact:
http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272
* I see you're trying to "sell your wares" here, but they are non-sequitur, & unneeded... folks already HAVE the tools to dispatch this thing & yes, others like it...
APK
P.S.=> Also, Since my systems don't get "sick" with malware in the 1st place because of this guide & its points:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
What do I have to worry about? I never GET malware in the first place & haven't in decades, because of that guide's points!
(Others have experienced the same, after they have applied that guide's points + practice its techniques to avoid infestations, & I believe I posted their testimonials to that effect here as well!)
Plus, I can "knock out" malwares like this rootkit/botnet blended threat tech utilizing rootkit/botnet before it gets to do anymore damage & remove it completely first on systems that do!
(Then knockout other malware it brought in later into Ring3/RPL3/Usermode GUI shell via ProcessExplorer IF need be)
Your point's moot... and you KNOW it!
... apk
They also block out KNOWN BAD DNS Servers too (so do firewall rules tables in software OR hardware firewalls)...
In fact, on THAT account?
DO check the DNSBL & HOSTS file lists yourself, I use 17 reputable & reliable sources for it here!
I.E.-> They have TONS of ns*.*, ns1*.* etc. (bogus domain name servers) entries in mine!
E.G. -> So if they even TRY to put in a bogus DNS or use one? I am protected on that front as well, easily! I wouldn't be able to GET TO THEM @ ALL!
Plus, again:
To verify mine?
I "ping" the ones I use, thus doing a "reverse dns lookup:" (Norton DNS, OpenDNS, ScrubIT DNS, Google DNS) against the TLD that maintains that information and not only from MY system, but those of others & my work rigs too (triple verified really).
Lastly: HOSTS also make going to DNS period, for me, a "non-sequitur" issue almost, because I put in 250 of my favorites into my HOSTS file (speeding up access to my fav. sites by many orders of magnitude, and avoiding that which you speak of - DNS "poisoning" redirections).
* So, go "hawk" your essentially obsolete 'ware' in this situation & others like it vs. rootkits "1 hit wonder" disk elsewhere man!
(Simply because folks do NOT need it to blow away this rootkit in its entirety (both @ driver level & bootsector level) using a read-only media in the Windows install CD/DVD & tools present on them)... see below:
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
APK
P.S.=> And, for ANY OTHER MALWARE it may "haul in", which it CAN do?
Well:
Then, You can use Process Explorer to "knockout" those also, even IF they are unknown to std. antivirus/antispyware systems out there (signatures based & if heuristics in them fail (not usually the default setting to have THAT active either too, mind you, in many of them))
... apk
I don't have to detect anything: I don't catch malware of ANY KIND in the first place, & neither do others, see this:
---
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
---
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral
---
& in my guide? I post a NUMBER of reliable tools for rootkit detection:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
(And, there you are - TcpView is only for checking WHERE it communicates back to... as a possible way of seeing that, for adding the bogus C&C server destinations to HOSTS &/or Firewall rules tables - that's all!)
NOW, & IF THAT FAILS due to encryption (which is WHY "deep packet inspection" doesn't work for ISP/BSP on https communications)?
I already block out its older C&C servers & bogus DNS servers as well, already, which I do in this rootkit/botnet's previous incarnations (along with all other known botnets), done via firewall rules tables (hardware & software BOTH) & in HOSTS, & I get NEW ONES given me by 17 reliable sources online, EVERY 15 minutes via my Python system (via HOSTS overwrite, not append, so hosts is CLEAN too for sure))
Oh, & as I said before, I rotate DNS server & block out the known bad ones too, & literally TRIPLE VERIFY via ping for a reverse DNS lookup to the TLD's that maintain that information online... & I do it from my systems, others systems I have applied t
LOL, See subject-line above: I've done well in software commercially and in freeware/shareware (as well as multimillion line systems you have probably been a customer of (ever go to McDonalds, Burger King, or Boston Market to eat for example? I have others as well, 27 or so to my credit, "Enterprise Class" MIS/IS/IT business systems!)
Now - I can't removal malware for shit as you said? Will this work??> Yes, it does!
Does it need your "1 hit wonder" tool that I suspect uses the tools of others to do its job?? No.
---
1.) Recovery Console bootup from Install CD/DVD (read only)
2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
ProcessExplorer.exe takes care of the rest (freezing any other malware in userland hidden under services or exes even as a lib/dll implemented malware even).
---
* No, this much is obvious - You're just worried that things like that show what I have told you before - in this case & probably others? Your "1 hit wonder" tool you made allegedly, is obsolete & non-sequitur.... period!
APK
P.S.=> My guides for security hardening Windows, & showing users what to use & behave like online to avoid infestations:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
Can put guys like YOU, if they're done right & followed to the letter, right out of business... & you KNOW it:
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral
"Eve
See subject-line, & realize that once they're "Inside Troy's walls", it's "all she wrote" (local exploits are JUST as dangerous in terms of rootkits like this one - once a malware maker learns HOW to "exploit an exploit", even a local one? He could send in scripts or code via the botnet's communication systems for that much... turning local exploits, essentially, into REMOTE ones for things to abuse, remotely):
"Nope, they don't magically become remote because you say so. They're still local, and they're still being exploited locally." - by SanityInAnarchy (655584) on Sunday July 03, @05:50PM (#36648410)
To be ABUSED remotely, by a botnet communicating BACK to "the mothership" sending in the things to abuse said system LOCALLY (it's abuse either way, & the commands & control structure? REMOTE!)
That's why I listed what happened to Dr. Mark Russinovich's works being abused even (no, not a local OS app or lib security issue, but an argc/argv parameterizable & abuseable application instead - even happens to "the good guys" who meant well in the creation of their tools).
---
"You still need to get inside troy first." - by SanityInAnarchy (655584) on Sunday July 03, @05:50PM (#36648410)
Agreed, 110%, absolutely - & HERE IS WHERE YOU and I SEE QUITE ALIKE - layered security & all that it entails (stopping openings or stupid surfing mainly) IS the "Trick" here... but, in your very stating that?
You seem to be conceding my point!
---
"Your point?" - by SanityInAnarchy (655584) on Sunday July 03, @05:50PM (#36648410)
That once a botnet gets its hooks inside (or really, ANY malware - mostly due to PEBKAC & poor default setups with a lot of listening services to get ahold of)? It's got "Free Rein" & can make local things be abused by its REMOTE C&C systems.
(And, my point is, that Linux has a forebear in UNIX (it's classified as a form of UNIX in fact) & if its ancestor could be taken advantage of? Don't think LINUX can't be... ANDROID shows us all THAT much, easily!)
---
"Android's a lot different than desktop Linux. Unless they're exploiting the kernel, I'm not sure I see your point here." - by SanityInAnarchy (655584) on Sunday July 03, @05:50PM (#36648410)
They don't HAVE to exploit the kernel... they're exploiting JAVA mainly, & its GUI 'shell' from what I understand... but, that was my point - Linux itself has more holes in its kernel alone, than does most ALL of what MS gives you to do business & development with.
Toss on the OTHER PARTS of a Linux distro, with their attendant security vulnerabilities (many remote, many not, doesn't matter once the malware's inside)? The point is there alone...
---
"And how many Android exploits are actual drive-bys? How many could've been avoided simply by not installing something?" - by SanityInAnarchy (655584) on Sunday July 03, @05:50PM (#36648410)
Mostly "PEBKAC" type, users either unaware of what they're hauling in being bogus, I won't argue that much... but, that is the MAIN PROBLEM on WINDOWS TOO!
APK
P.S.=> Users, unaware or lackadaisical on security? They'll keep us working till "kingdom come" I imagine... but, that doesn't mean they can't be educated vs. it (once they spend enough ca$h buying new systems (many times unnecessarily due to malware infestation "slowings" thinking it's the rig being 'busted down & old' for example), OR getting malware removed? They start learning, fast - I've seen it, 1st hand, I am sure you have as well)
... apk
"BY SITE" preferences setup like Opera does? If not?? Then:
"I don't put faith in anything." - by SanityInAnarchy (655584) on Sunday July 03, @06:00PM (#36648464)
Javascript exploits can be used vs. it - because without that type of "granularity" of control of javascript, by site? You're using it globally (thanks for the answer here) - javascript's the MAIN DELIVERY SYSTEM by malscripting out there too, no denying it!
I mean, for example... because IE's a real S.O.B. that way, & why I don't use it (even in IE9) - I don't know of ANY way native to browser in IE where I can tell it:
"Use javascript on these sites only, but the rest by default have javascript off"
Like I can, & do, in Opera!
---
"But then, what kind of breaks have we seen? Plugin exploits." - by SanityInAnarchy (655584) on Sunday July 03, @06:00PM (#36648464)
I noted turning those off globally too... you can do that in Opera, & yet on CERTAIN SITES ONLY, activate plugin usage (trusted/reputable sites preferably, lessens attack "Surface Area" that way).
So - can you do that in CHROME the way you can in OPERA, just as you can by site on javascript in Opera also??
(Thanks for the answer).
---
"Which of these actually have legitimate remote exploits? I mean, you mentioned Unity, which is laughable. What is Unity doing accessing the network in the first place?" - by SanityInAnarchy (655584) on Sunday July 03, @06:00PM (#36648464)
Doesn't HAVE TO BE "REMOTE" classified once something like a rootkit's inside & with botnet capabilities... it can use ANY LOCAL EXPLOIT by sending what takes advantage of it locally, from a botnet C&C server, remotely.
ALA "TROY" - 'once inside the city walls', etc./et al!
---
"Let's not." - by SanityInAnarchy (655584) on Sunday July 03, @06:00PM (#36648464)
I figured as much - NO DENYING there are 3.5x as many exploits on the LINUX KERNEL ALONE (not counting the other parts of Linux with security bugs/issues either that remain unpatched) than there are in nearly ALL of what MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH... period.
APK
P.S.=> Now, THIS IS HOW & WHERE I KNOW I HAVE GOTTEN THE BEST OF A "TRUE TROLL" (who spoke behind my back here mentioning me to others in posts I was not even in mind you): The inevitable "adhominem attack" directed MY way:
"Goodbye, troll. It's been fun, but this is entirely offtopic at this point, and not a discussion I'm interested in having right now. I have so many better things to spend my time on than dealing with you -- even responding to trolls with better manners than you. (I think your capslock key is broken, and I never once used M$ or any other pejorative, while you continue to use "open sores" at every opportunity.)" - by SanityInAnarchy (655584) on Sunday July 03, @06:00PM (#36648464)
You give away the fact you CANNOT dispute facts from a reputable security site, possibly that your browser "weapon of choice" does NOT have "granular by site exceptions" for both javascript &/or plugins as Opera does, & that you must resort to name-tossing... effete & WEAK man... seriously!
... apk
See subject-line above, & better luck next time. You need it.
Apk's security data on Linux vs. Windows 7 http://it.slashdot.org/comments.pl?sid=2282088&cid=36628536 when the challenge was issued first to gottabeme? No surprise. Trolls always run from facts.
About LAMP stacks: LAMP setups are the favorite of spammers/phishers PER THE REGISTER no less (more recently):
http://www.theregister.co.uk/2011/06/10/domains_lamped/
---
PERTINENT QUOTE:
"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.
Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"
---
* LMAO!
So much for your "years ago" stale data... my data below is FAR MORE CURRENT as well (today's date), & the ENTIRE MS stack for business & development has less bugs than the Linux 2.6x mainstream kernel ONLY, by itself, lol...
(Pitiful showing on YOUR part, as per usual)
APK
P.S.=> You've been "blown away", yet again... & this even MORE CURRENT DATA from a respected security site in SECUNIA.COM that I used before just puts more "icing on the cake":
---
Vulnerability Report: Microsoft SQL Server 2008: (07/03/2011)
http://secunia.com/advisories/product/21744/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (07/03/2011)
http://secunia.com/advisories/product/17543/
Unpatched 0% (0 of 6 Secunia advisories)
Vulnerability Report: Microsoft Exchange Server 2010: (07/03/2011)
http://secunia.com/advisories/product/28234/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft SharePoint Server 2010: (07/03/2011)
http://secunia.com/advisories/product/29809/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (07/03/2011)
http://secunia.com/advisories/product/34343/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Office 2010: (07/03/2011)
http://secunia.com/advisories/product/30529/?task=advisories
Unpatched 0% (0 of 7 Secunia advisories)
Vulnerability Report: Microsoft Virtual PC 2007: (07/03/2011)
http://secunia.com/advisories/product/14315/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Internet Explorer 9.x: (07/03/2011)
http://secunia.com/advisories/product/34591/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Visual Studio 2010: (07/03/2011)
http://secunia.com/advisories/product/30853/?task=advisories
Unpatched 0% (0 of 2 Secunia advisories)
Vulnerability Report: Microsoft DirectX 10.x: (07/03/2011)
http://secunia.com/advisories/product/16896/
Unpatched 0% (0 of 3 Secunia advisories)
Vulnerability Report: Microsoft .NET Framework 4.x: (07/03/2011)
http://secunia.com/advisories/product/29592/
Unpatched 0% (0 of 5 Secunia advisories)
Vulnerability Report: Microsoft Silverlight 4.x: (07/03/2011)
http://secunia.com/advisories/product/28947/
Unpatched 0% (0 of
Anyone can "talk a good game", I'd like to see your proof of this:
"Hm...I proved your wrong, using your own data. I guess I "win" now." - by gottabeme (590848) on Sunday July 03, @09:44PM (#36649602)
NOW, comes the FUN part though!
(Turning your own words/tactics against you, on your data from "The Register" with more current data on LAMP stacks & phishing/spamming):
http://www.theregister.co.uk/2011/06/10/domains_lamped/
---
PERTINENT QUOTE:
"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.
Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"
---
* LMAO!
So much for your "years ago" stale data... my data from SECUNIA.COM is FAR MORE CURRENT as well (today's date), & the ENTIRE MS stack for business & development has less bugs than the Linux 2.6x mainstream kernel ONLY, by itself, lol... 3.5x less in fact.
(Apparently, the LAMP stack, lol, makes it WORSE for Linux and I'd hate to see say, Gnome or KDE, Konqueror & other tools Linux distros ship with in the mix... it'd be still worse YET for Linux... anyhow, see above!)
(Pitiful showing on YOUR part, as per usual)
APK
P.S.=> Again, prove what you said, because anyone can "talk a big game", I want to see proof that SECUNIA's data on Linux is inaccurate... because IF it is, & I doubt it? I'd write them with your post to refer to in fact!
FUNNIEST PART IS TURNING YOUR YEARS OLD REPORT TO 'MUSH' ON LAMP STACKS ABOVE USING THE REGISTER & MORE CURRENT DATA ON IT!... apk
"Ok. You win. Happy?" - by SanityInAnarchy (655584) on Monday July 04, @02:39AM (#36650480)
I thought you were gone before? Back now?? Now, on "my being happy"?
Yes, I am & I am not: YOU AVOIDED MY QUESTION ON CHROME COMPLETELY!
I suppose so, now that you've said that actually... but, let's review your points anyhow!
See this "adhominem attack adios" from you yesterday:
(Since you're "wont to use logic", or try to (forums "illogic-logic" is more like it when it suits you, or you *THINK* it does... have you even taken logic formally? I asked you that before, & You did not answer...)
"Goodbye, troll. It's been fun, but this is entirely offtopic at this point, and not a discussion I'm interested in having right now. I have so many better things to spend my time on than dealing with you -- even responding to trolls with better manners than you." - by SanityInAnarchy (655584) on Monday July 04, @02:39AM (#36650480)
I'm no troll - I was here and saw you use MY NAME in a conversation with others, where I was not even present (that's lame & yes, it's talking behind my back man).
Also - Funny you couldn't "keep your word", eh?
(That's ok though, I understand - I am "too good to resist", lol! Pretty "sneaky" (ahem - dishonest) saying that, & then sneaking back in after I "hit the sack" since you said that...but, oh well!)
(AH, anyhow... "onwards & upwards"!)
---
"Since when is the actual Java language on Android? Wouldn't it more technically be a Dalvik exploit?" - by SanityInAnarchy (655584) on Monday July 04, @02:39AM (#36650480)
AHEM: It uses JAVA classes!
http://en.wikipedia.org/wiki/Dalvik_(software)
---
PERTINENT QUOTE/EXCERPT:
A tool called dx is used to convert some (but not all) Java .class files into the .dex format
---
Good enough for me, & You complained about "arguing semantics"? Please... "pot calling the kettle black"!
---
"If you want to say that it's Java they're exploiting, then those exploits would work equally well anywhere Java has been ported to, and can trivially be avoided by not using Java." - by SanityInAnarchy (655584) on Monday July 04, @02:39AM (#36650480)
It is JAVA they are exploiting, & JAVA's got holes, big holes (despite being in a sandbox etc./et al)... but that's my point:
THAT point, was about the OTHER PARTS of Linux being exploited TOO, not just the unpatched security vulnerabilities in its kernel (which outnumber those in ALL OF WINDOWS/AN ENTIRE WINDOWS "DISTRO", so-to-speak, by 3.5x, per SECUNIA.COM data!)
AND, yes - ANDROID & JAVA on it (Dalvik VM & Java bytecode classes since you want to nitpick)... the same would hold true for std. Linux distros for PC's &/or Servers too, and the other parts in Linux above & beyond the KERNEL ONLY ITSELF!
(THUS, It shows that the other parts of Linux's would compound the security vulnerability holes present, and would allow for Linux to be attacked & abused... period!)
---
"Absolutely best case for you, they prove you can build an insecure system on top of the Linux kernel. I've never disputed that" - by SanityInAnarchy (655584) on Monday July 04, @02:39AM (#36650480)
Very Good, because it was PART of my point - the rest was that Linux has 3.5x more known security vulnerabilities unpatched per SECUNIA.COM data for that information, than not only Windows 7, but nearly THE ENTIRE OFFERING OF SOFTWARES (dev/business stack) MICROSOFT GIVES YOU TO DO business & development WITH!
---
LASTLY, on LOGIC (or rather, your own "forums' brand 'illogic-logic'", lol):
See top of this page...
After all, you said this ->
"Hm...I proved your wrong, using your own data. I guess I "win" now." - by gottabeme (590848) on Sunday July 03, @09:44PM (#36649602)
Well, prove it - show me that the security vulnerabilities in Linux that SECUNIA.COM shows are indeed, ALL patched &/or less than what is present on Ms stuff, 5 total errors on an entire software stack!
(Because there are 3.5x as many in the Linux KERNEL ALONE, than is present in nearly ALL OF WHAT Microsoft GIVES YOU FOR BUSINESS & DEVELOPMENT, per Secunia data on that much).
AND
"You're a hypocrite, because you ignored the facts I pointed out from your own chosen sources." -
Ok, again - see subject above, & PROVE IT... I want to see that SECUNIA.COM's data is inaccurate & that the vulnerabilities shown there are patched as you said!
---
"You're a hypocrite, because you "ran from" my challenge." - by gottabeme (590848) on Monday July 04, @01:15AM (#36650260)
Your 'challenge'? It was more of an ORDER from you, telling me not to write as I do...
Tough cookies - I don't take YOUR ORDERS, get it??
However, once more:
I do challenge you to prove your words though that SECUNIA.COM's data is inaccurate & that the Linux unpatched security vulnerabilities they show as unpatched in fact ARE, & ALL OF THEM in their entirety!
(Show us also, that there are less of them than is on Windows 7, & not ONLY Windows 7, but the entire software stack MS gives you to do business & development with (which has only 5 unpatched, vs. 17 on Linux in its KERNEL ALONE (would go up if you include the rest of what comes in a Linux distro mind you as well)).
Back up your "mere words" & anecdotal evidence (which I suspect to be lies)...
Especially since your STALE OLD DATA from the register in 2004 was later shown to be bogus & old, plus inaccurate...
By the way?
LAMP = Linux, Apache, MySQL, PHP... that's the 'business & development stack' from the Open SORES side of things... & it has even MORE bugs being actively exploited no less, in the Linux kernel alone unpatched, than does the ENTIRETY of what MS gives you for the same, period...
(Unless YOU can prove your words, & show differently, that is... funny you have not & did not!)
APK
P.S.=>
"If you think that people don't see through you, you are delusional.." - by gottabeme (590848) on Sunday July 03, @09:44PM (#36649602)
Yes, yes... the INEVITABLE "ad hominem attack", invalid in logical debate, & always the "last resort of the fallen troll", lol... please:
Prove to us then, you are not & not a liar as well... see subject-line above, answer the question with proof! (prove it)
... apk
"nothing to do with Linux." - by gottabeme (590848) on Sunday July 03, @11:17PM (#36649894)
LAMP = Linux, Apache, MySQL, PHP... that's the 'business & development stack' from the Open SORES side of things... & it has even MORE bugs being actively exploited no less, in the Linux kernel alone unpatched, than does the ENTIRETY of what MS gives you for the same, period...
(Funny that, eh? I see "LINUX" in there!)
---
"In fact, there is even a comment on that article by a guy who runs a WAMP stack who says that his server was compromised" - by gottabeme (590848) on Sunday July 03, @11:17PM (#36649894)
AHEM: Which is WHY I showed that MS' stack for the same as LAMP has NO UNPATCHED SECURITY VULNERABILITIES KNOWN PRESENT CURRENTLY & for years now, see here:
---
Vulnerability Report: Microsoft SQL Server 2008: (07/03/2011)
http://secunia.com/advisories/product/21744/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (07/03/2011)
http://secunia.com/advisories/product/17543/
Unpatched 0% (0 of 6 Secunia advisories)
Vulnerability Report: Microsoft Internet Explorer 9.x: (07/03/2011)
http://secunia.com/advisories/product/34591/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Visual Studio 2010: (07/03/2011)
http://secunia.com/advisories/product/30853/?task=advisories
Unpatched 0% (0 of 2 Secunia advisories)
Vulnerability Report: Microsoft Windows 7: (07/03/2011)
http://secunia.com/advisories/product/27467/?task=advisories
Unpatched 7% (5 of 72 Secunia advisories)
---
vs. THE LINUX KERNEL ALONE SHOWING 3.5x as many unpatched vulnerabilities BY ITSELF:
--
Vulnerability Report: Linux Kernel 2.6.x (07/03/2011)
http://secunia.com/advisories/product/2719/?task=advisories
Unpatched 7% (18 of 270 Secunia advisories)
--
(Mind you, again: That's NOT even counting what the other parts of a Linux distro have, & certainly not those being exploited in the LAMP stack as shown by the register ONTOP OF THOSE TOO)
Which, again, you used STALE OLD DATA from 2004, & FROM THE REGISTER TOO NO LESS, but mine's FAR MORE CURRENT from "The Reg", & shows LAMP being exploited RAMPANTLY by phishers/spammers as their fav. to exploit no less vs. my current data shown above!
APK
P.S.=> You also said that you saw Linux's vulnerabilities shown @ SECUNIA.COM ARE PATCHED... prove it:
"Secunia's statistics are incorrect and out-of-date. I checked some of the CVEs for Linux, and Secunia lists them as unpatched, while Googling the CVEs shows that they were patched a long time ago." - by gottabeme (590848) on Sunday July 03, @09:44PM (#36649602)
You said that, NOW PROVE IT, because I am genuinely interested in seeing it (and seeing you back your words (possibly lies, but... we'll see, shall we?))...
... apk
Yes - My technique works against it from the RC tools (recovery console) on read-only Windows install media, which are PROVEN (& inviolate due to being on CD/DVD media):
STEPS TO TAKE TO ERADICATE THIS ROOTKIT/BOTNET. NON-DESTRUCTIVELY:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* Which works against ANY rootkit, both bootsector originating type, or driver driven type (or like this one, a combination of BOTH), 100% guaranteed - NO QUESTIONS ASKED, period...
APK
P.S.=> Then, IF this thing "hauls in" any more malware, which it CAN do?
Then - You "mop it up" using Process Explorer completely once the rootkit is destroyed!
(ProcessExplorer.exe works vs. ANY malware, even hidden ones beneath other std. processes hooked by libs/dlls, or services even)
I.E./E.G. -> You use its "suspend" feature to send HLT instructions to the offending malware, & then?
Then, you can delete it on disk & it's "Gone With The Dawn"...
This works too, when other "std. tools" fail miserably (such as antivirus/antispyware IF their signatures are not present to ID said malware, and if their removal process won't work vs. said malware also).
"Here endeth the lesson"...
... apk
See subject - You can't back your words? You're FULL OF IT, liar. Put up, or shut up... it's THAT simple!
APK
P.S.=> You said this before, and now suddenly you're unwilling to back it up & show us proofs of it:
"Secunia's statistics are incorrect and out-of-date. I checked some of the CVEs for Linux, and Secunia lists them as unpatched, while Googling the CVEs shows that they were patched a long time ago." - by gottabeme (590848) on Sunday July 03, @09:44PM (#36649602)
FROM -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36649602
You run from proving that above? That makes you nothing more than a trolling liar then... period & a sneaky little bastard too, coming & posting back here days later (didn't think I'd see it? You're also a fool then too)...
... apk
Just because Linux in its KERNEL ONLY, lol, has more bugs than Windows does by 3.5x, and in cases like this rootkit? Local bugs are exploitable remotely by said botnet this rootkit also has/is!
The Linux kernel only has MORE BUGS THAN NEARLY THE ENTIRETY OF WHAT MS GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH, period!
(Which only shows even MORE BUGS when you toss on the rest of what comes in a Linux distro and worse yet when you see that LAMP (Linux, Apache, MySQL, PHP) make it worse yet by my having shown that it's the PRIME TARGET that GETS ABUSED by phishers/spammers whereas by way of comparison, SECUNIA DATA showed that the Microsoft "business software & development stack" has 0 bugs thru ALL OF ITS TOOLS by comparison to the swiss cheese in LAMP!)
(LMAO - & you tried to post stale old data from 2004 from the register saying Windows was less secure than Linux? LOL, I posted more current data from The Register showing that Linux/LAMP gets rampantly exploited by phishers/spammers, AND, that it's their favorite target for abuse for days @ a time, & then again, repeatedly!)
* You also said SECUNIA.COM's data is no good? Prove it... right here, again, for the 2nd time where you "Ran, Forrest - U RAN" -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36669620
APK
P.S.=> Show me ones I can't produce a valid working "work-around" to on the ones Windows has... ok?
(9/10 times I usually can do that easily - quite often by turning off services I don't need to be in a "listening/active" state anyhow (burning CPU cycles, memory, & various forms of I/O + electricity either))...
Windows 7's got 3.5x less than the bugs present in a KERNEL ONLY, in Linux no matter HOW you slice it - & a kernel alone "doth not an OS make" by itself...period!
That's why Linux is in "last place" in the PC-Server world, & has to find alternate markets - & why it's being shown for what it REALLY IS in the ANDROID mobile phone market: A SECURITY NIGHTMARE!
... apk
or LAMP, w/ ZERO KNOWN UNPATCHED SECURITY VULNERABILITIES:
"You also tried to sidestep the fact that MySQL and PHP run on Windows servers and can be compromised on those systems just as well as they can on Linux systems" - by gottabeme (590848) on Wednesday July 06, @12:30AM (#36668926)
So much for "Open 'SORES'" then, eh? See proof thereof below:
---
Vulnerability Report: Microsoft SQL Server 2008: (07/05/2011)
http://secunia.com/advisories/product/21744/
Unpatched 0% (0 of 1 Secunia advisories)
---
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (07/05/2011)
http://secunia.com/advisories/product/17543/
Unpatched 0% (0 of 6 Secunia advisories)
---
Vulnerability Report: Microsoft Exchange Server 2010: (07/05/2011)
http://secunia.com/advisories/product/28234/
Unpatched 0% (0 of 0 Secunia advisories)
---
Vulnerability Report: Microsoft Office 2010: (07/05/2011)
http://secunia.com/advisories/product/30529/?task=advisories
Unpatched 0% (0 of 7 Secunia advisories)
---
Vulnerability Report: Microsoft Internet Explorer 9.x: (07/05/2011)
http://secunia.com/advisories/product/34591/
Unpatched 0% (0 of 1 Secunia advisories)
---
Vulnerability Report: Microsoft Visual Studio 2010: (07/05/2011)
http://secunia.com/advisories/product/30853/?task=advisories
Unpatched 0% (0 of 2 Secunia advisories)
---
* No "side stepping" involved - I compare software of LIKE TYPES & then some above from Microsoft, vs. LAMP (Linux, Apache, MySQL, PHP)... period!
Or, was this a lie?
---
http://www.theregister.co.uk/2011/06/10/domains_lamped/
PERTINENT QUOTE:
"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"
---
* LMAO! It's certainly more current than your b.s. from the same site that was from 2004, "super-stale & OLD" which had its roots on a report that showed Linux was LESS SECURE THAN WINDOWS WAS THAT YEAR TOO, no less... more "spin-master b.s." from the "Open 'SORES'" world!
(Wonder WHY your stuff is in "dead last place"? Don't!)
APK
P.S.=> You also run from & failed to produce proof of the Linux security vulnerabilities unpatched that YOU SAID are patched?
Back this up & show us proofs of it:
"Secunia's statistics are incorrect and out-of-date. I checked some of the CVEs for Linux, and Secunia lists them as unpatched, while Googling the CVEs shows that they were patched a long time ago." - by gottabeme (590848) on Sunday July 03, @09:44PM (#36649602)
FROM -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36649602
You run from proving that above? That makes you nothing more than a trolling liar then... period!
( ... & a sneaky little bastard too, coming & posting back here days later (didn't think I'd see it?))
You're also a fool then too!
That - along with your posting STALE OLD DATA from 2004 from the Register, & I put out more current data showing that LAMP setups are RAMPANTLY EXPLOIT
Play 2:58 on: Says it better than I can -> http://www.youtube.com/watch?v=SP74aJBbIoY
I.E. (by video analogy) -> AKhilleus (greek spelling of Achilles) , son of Peleus (middle names are usually that of the father or paternal grandfather) "KNOCKS THE CHOCOLATE OUT OF YET ANOTHER /. OFF-TOPIC 'Agreus' TROLL!", as-per-my-usual...
Yes - You KNOW you've gotten the best of a troll, when trolls resort to ad hominem attacks, spelling & grammar checks, + going off-topic blatantly...
(As SanityInAnarchy clearly has 3-4 times now... despite his attempted usage of "forums' 'illogic-logic'" + the fact he has NEVER TAKEN LOGIC FORMALLY afaik (he won't answer when I ask that), vs. facts I posted he was unable to combat...)
---
Especially this one about CHROME not having a "by site" preferences ability natively as Opera does vs. iframe, plugin, or javascript exploits:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36648788
---
* APK "FTW" as usual, vs. trolls...
APK (The "Invincible Winner" vs. /. trolls...)
P.S.=> This? Ah, I just GOTTA say it, as is my usual in my own INIMITABLE 'style' -> This was just "too, Too, TOO EASY - just '2EZ'"
... apk
& the only reason. How's it doing as a server in business (where cost = everything)?
Let's see from the source YOU USED, in "The Register", once again:
---
http://www.theregister.co.uk/2011/06/10/domains_lamped/
PERTINENT QUOTE:
"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"
---
LMAO - ALSO?
What about desktops? 94++% of the world's PC's use Windows, period, and everyone knows it!
Hence why for 15++ yrs. now, I have been hearing "is this the year of Linux on the desktop" & it NEVER happens... free, or not!
APK
P.S.=> Yes, you DO have to prove this:
"I already explained how Secunia is not a valid source for your arguments. I don't need to refute its data because it itself is invalid." - by gottabeme (590848) on Wednesday July 06, @08:16AM (#36670630)
Ok, "sure" (sarcasm) - PROVE IT!
(Put up, or SHUT UP)...
... apk
IT FAILED 2nd DAY ON THE JOB:
http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch
---
NOW on NASDAQ?
WRONG - Where you said NASDAQ uses Linux? Oh, really?? LMAO (wrong):
"Yeah, it's only what Google, Yahoo, Facebook, NYSE, NASDAQ, etc. use on their servers" - by gottabeme (590848) on Wednesday July 06, @08:16AM (#36670630)
Instead - Try it's Windows Server 2003 + SQLServer acting as "the OFFICIAL TRADE DATA DISSEMINATION SYSTEM" @ NASDAQ instead!
---
NASDAQ Migrates to SQL Server 2005:
http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005
---
and here:
NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:
http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/
---
(In fact, It's been running 24x7 in fail-over clusters for coming up on a DECADE NOW in fact... check the Microsoft "GET THE FACTS" pages @ MS!)
* Man... LMAO!
APK
P.S.=> Small wonder it's also doing "SO WELL" here too on this note as a server also:
---
http://www.theregister.co.uk/2011/06/10/domains_lamped/
PERTINENT QUOTE:
"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"
---
... apk
Yes, you DO have to prove this:
"I already explained how Secunia is not a valid source for your arguments. I don't need to refute its data because it itself is invalid." - by gottabeme (590848) on Wednesday July 06, @08:16AM (#36670630)
Ok, "sure" (sarcasm) - PROVE IT, because YOU SAID THIS BEFORE THAT:
"Secunia's statistics are incorrect and out-of-date. I checked some of the CVEs for Linux, and Secunia lists them as unpatched, while Googling the CVEs shows that they were patched a long time ago." - by gottabeme (590848) on Sunday July 03, @09:44PM (#36649602)
Prove it... show us that data then - why do you keep "RUNNING" from doing that? Because it's another LIE from you, like the one on NASDAQ?? (See below).
In fact - I can show EASY workarounds for the 2 remote errs in Windows (they don't affect home PC's even if they're setup right for security, that is, or even corporate workstations) the same for the 3 local ones...
(Funny part is 1 is caused by Apple software!)
* SO - Can you show the same for the 17++ errors in Linux, WHICH DO HAVE A REMOTE SECURITY VULNERABILITY UNPATCHED ALSO!
APK
P.S.=> Or, are you going to be as "accurate" as you were ABOUT NASDAQ USING LINUX?
See here on that account folks & get ready to laugh:
"Yeah, it's only what Google, Yahoo, Facebook, NYSE, NASDAQ, etc. use on their servers" - by gottabeme (590848) on Wednesday July 06, @08:16AM (#36670630)
Instead - Try it's Windows Server 2003 + SQLServer acting as "the OFFICIAL TRADE DATA DISSEMINATION SYSTEM" @ NASDAQ instead!
---
NASDAQ Migrates to SQL Server 2005:
http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005
---
and here:
NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:
http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/
---
(In fact, It's been running 24x7 in fail-over clusters for coming up on a DECADE NOW in fact... check the Microsoft "GET THE FACTS" pages @ MS!)
"Put up, or SHUT UP"... & not your inaccurate LIES about things... I want to see CVE data that shows the data from SECUNIA is inaccurate!
... apk
It's not Linux being used for that @ NASDAQ, fact!
"Yeah, it's only what Google, Yahoo, Facebook, NYSE, NASDAQ, etc. use on their servers" - by gottabeme (590848) on Wednesday July 06, @08:16AM (#36670630)
FROM -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36670630
Instead - Try it's Windows Server 2003 + SQLServer acting as "the OFFICIAL TRADE DATA DISSEMINATION SYSTEM" @ NASDAQ instead!
---
NASDAQ Migrates to SQL Server 2005:
http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005
---
and here:
NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:
http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/
---
(In fact, It's been running 24x7 in fail-over clusters for coming up on a DECADE NOW in fact... check the Microsoft "GET THE FACTS" pages @ MS!)
---
"Until you're willing to argue logically and honestly, we can't make any progress in the discussion." - by gottabeme (590848) on Wednesday July 06, @08:27AM (#36670680)
Yea... tell me about it, & call me a hypocrite again (I called you a liar, because you ARE A LIAR on NASDAQ running Linux (especially when it fell "agreus style" FLAT ON ITS FACE 2nd day on the job @ LSE!)). I call a spade, a spade... simple!
You can "redeem yourself"... prove the data from SECUNIA.COM on Linux unpatched security vulnerabilities is indeed, inaccurate - show us the CVE's you said that show they are patched!
Again - "Put up, or SHUT UP"...
( & not your inaccurate LIES about things... I want to see CVE data that shows the data from SECUNIA is inaccurate!)
APK
P.S.=> "Put up or SHUT UP" & no more NASDAQ lies... or what I suspect is yet another lie out of you here next:
PROVE IT, because YOU SAID THIS:
---
"Secunia's statistics are incorrect and out-of-date. I checked some of the CVEs for Linux, and Secunia lists them as unpatched, while Googling the CVEs shows that they were patched a long time ago." - by gottabeme (590848) on Sunday July 03, @09:44PM (#36649602)
---
Prove it... Show us that data then - why do you keep "RUNNING" from doing that? Because it's another LIE from you, like the one on NASDAQ??
In fact - I can show EASY workarounds for the 2 remote errs in Windows (they don't affect home PC's even if they're setup right for security, that is, or even corporate workstations) the same for the 3 local ones...
(Funny part is 1 is caused by Apple software!)
* SO - Can you show the same for the 17++ errors in Linux, WHICH DO HAVE A REMOTE SECURITY VULNERABILITY UNPATCHED ALSO! Because I can show this, from a source YOU TRIED TO USE WITH STALE OLD DATA from 2004, & here is more current info. on that note:
---
http://www.theregister.co.uk/2011/06/10/domains_lamped/
PERTINENT QUOTE:
"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"
---
... apk
It's not Linux being used for that @ NASDAQ, fact!
"Yeah, it's only what Google, Yahoo, Facebook, NYSE, NASDAQ, etc. use on their servers" - by gottabeme (590848) on Wednesday July 06, @08:16AM (#36670630)
FROM -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36670630
Instead - Try it's Windows Server 2003 + SQLServer acting as "the OFFICIAL TRADE DATA DISSEMINATION SYSTEM" @ NASDAQ instead!
---
NASDAQ Migrates to SQL Server 2005:
http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005
---
and here:
NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:
http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/
---
(In fact, It's been running 24x7 in fail-over clusters for coming up on a DECADE NOW in fact... check the Microsoft "GET THE FACTS" pages @ MS!)
---
"Until you're willing to argue logically and honestly, we can't make any progress in the discussion." - by gottabeme (590848) on Wednesday July 06, @08:27AM (#36670680)
Yea... tell me about it, & call me a hypocrite again!
(E.G./I.E.-> I called you a liar, because you ARE A LIAR on NASDAQ running Linux (especially when it fell "agreus style" FLAT ON ITS FACE 2nd day on the job @ LSE!)).
I call a spade, a spade... simple!
You can "redeem yourself" (lol, not - your blunder on NASDAQ alone blew you away)!
Go on... Prove the data from SECUNIA.COM on Linux unpatched security vulnerabilities is indeed, inaccurate - show us the CVE's you said that show they are patched!
I suspect that's another LIE from you, and you talked of "honesty"?? Please...
Again - "Put up, or SHUT UP"...
( & not your inaccurate LIES about things... I want to see CVE data that shows the data from SECUNIA is inaccurate!)
APK
P.S.=> "Put up or SHUT UP" & no more NASDAQ lies... or what I suspect is yet another lie out of you here next:
PROVE IT, because YOU SAID THIS:
---
"Secunia's statistics are incorrect and out-of-date. I checked some of the CVEs for Linux, and Secunia lists them as unpatched, while Googling the CVEs shows that they were patched a long time ago." - by gottabeme (590848) on Sunday July 03, @09:44PM (#36649602)
---
Prove it... Show us that data then - why do you keep "RUNNING" from doing that? Because it's another LIE from you, like the one on NASDAQ??
In fact - I can show EASY workarounds for the 2 remote errs in Windows (they don't affect home PC's even if they're setup right for security, that is, or even corporate workstations) the same for the 3 local ones...
(Funny part is 1 is caused by Apple software!)
* SO - Can you show the same for the 17++ errors in Linux, WHICH DO HAVE A REMOTE SECURITY VULNERABILITY UNPATCHED ALSO! Because I can show this, from a source YOU TRIED TO USE WITH STALE OLD DATA from 2004, & here is more current info. on that note:
---
http://www.theregister.co.uk/2011/06/10/domains_lamped/
PERTINENT QUOTE:
"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"
---
... apk
Ahem: *cough* (bullshit), **COUGH** (BULLSHIT):
"That you are a known troll and a waste of time has nothing to do with whether your arguments are valid, it's whether it's worth my time to find out." - by SanityInAnarchy (655584) on Wednesday July 06, @05:57PM (#36676092)
If THAT is not an ad hominem attack, I don't know what is (to the man, you're attacking MYSELF in that, just as you did "behind my back" in other posts in this thread). You can't even KEEP YOUR WORD that you are gone or not... ever heard of honor or dignity?
---
"You've now written at least two posts to me stressing this point and asking this question, yet you can't be bothered to download it and find out for yourself? Why should I do your homework for you?" - by SanityInAnarchy (655584) on Wednesday July 06, @05:57PM (#36676092)
I have it, I just want to hear it FROM YOU (you were good enough to help me out with Chrome vs. Chromium before, so... why be "hesitant" to answer if either has a by SITE preferences ability vs. IFRAMES, PLUGINS, COOKIES, or JAVASCRIPT NOW? Hmmm??)
(Cat got your tongue???? Didn't before... "odd that" eh????? (not))
---
"I did answer. I pointed out that what you're doing now is an argument from authority." - by SanityInAnarchy (655584) on Wednesday July 06, @05:57PM (#36676092)
Yes, you're the "authority" on Chrome/Chromium, so answer the simple question on if they have "by site" preferences like Opera does then!
(Pretty simple!)
---
"You don't know that I've taken logic formally." - by SanityInAnarchy (655584) on Wednesday July 06, @05:57PM (#36676092)
I've asked you before IF you have in debates with you... you never answered iirc... & in fact? I'm fairly certain you never did! Doesn't matter though - you call me "troll" repeatedly thru this exchange, & you spoke behind my back to others as well on this page... good enough for me to KNOW you are performing "forums' 'illogic-logic'", in an ad hominem attack on myself... rather than my points!
---
"What does that have to do with whether my argument is valid? If it doesn't have anything to do with that, it's a red herring. If you're trying to say it does, it's an argument from authority of the formally fallacious kind." - by SanityInAnarchy (655584) on Wednesday July 06, @05:57PM (#36676092)
Nothing - JUST ANSWER THE QUESTION ON CHROME/CHROMIUM PLEASE
(Man - YOU COULD GIVE AN ASPIRIN A HEADACHE!)
* I'll tell you right now, that Javascript, IFrames, & Plugins ARE a potential "major hazard" on the "Information Super-Highway" (but I don't think I have to tell YOU that, you alluded to Chrome being attacked that way already): Again - so it sinks in: DOES CHROME/CHROMIUM HAVE A BUILT IN "by site preferences" TO LIMIT USING THOSE POSSIBLE HAZARDS ON SITES YOU REALLY NEED IT FOR, ONLY!
APK
P.S.=> Thanks for your time in answering - a SIMPLE "Yes" or "No" will do...
... apk
http://it.slashdot.org/comments.pl?sid=2282088&cid=36621818
* For NON-DESTRUCTIVELY removing this "blended threat" combined rootkit/botnet, from an inviolable read-only media with proven tools for doing so by 1st destroying the hello_tt.sys driver it uses, & then reloading a correct bootsector afterwards (since it is no longer protected by said kernelmode/Ring 0/RPL 0 driver anymore).
Any malware it may haul in later?
Simple - Suspend sending HLT commands to it via ProcessExplorer in Ring 3/RPL 3/Usermode, to "mop it up", completely... even if it's an UNKNOWN one hiding beneath other processes as a child process!
("Here endeth the lesson")
APK
P.S.=> Call me what you like but... proof & truth's up there on that note AND "on topic" as well!
(Please - Just answer the question on Chrome, because I am genuinely interested @ this point - because IF Chrome/Chromium doesn't have it, then Opera IS @ the advantage, for security's sake on that note)
In fact, on that note? Well... that might be something to spend time on rather than uselessly debating me & not doing that well, on YOUR end via say, an addon of some sort actually since I know you code too, like myself (I *think* our "kind" around here's an actual rarity for the most part)...
Consider THAT suggestion, "Food 4 Thought" 4 U, & a useful something YOU, the Chrome Person, could contribute to society in general!
... apk
Respectively: You avoid my question on CHROME & if it has a "by site prefs" like Opera does (so you can set javascript, iframes/frames, cookies, plugins etc.) to run on SOME sites, & NOT others, for security's sake!
and
http://it.slashdot.org/comments.pl?sid=2282088&cid=36676422
* Kept it "short & sweet" for you...
APK
P.S.=> I.E.-> Kindly answer the 1st, & DO note the 2nd (it being the topic of this article, after all) - Thanks 4 UR time...
... apk
Facebook Trapped In MySQL Fate Worse Than Death http://developers.slashdot.org/story/11/07/09/1256241/Facebook-Trapped-In-MySQL-a-Fate-Worse-Than-Death
* "Read 'em & Weep"...
APK
1st of all - I don't get malware, ever, due to my guide's points I follow here -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
"No. You stated that "if" you were to suck in one of these" - by cbiltcliffe (186293) on Saturday July 02, @09:45PM (#36644570) Homepage
I don't ever GET malware in the 1st place though, ever... ever since I started doing "layered security" back in 1996 in fact to present! Even IF I did? It couldn't talk back to the mothership, because I am updated vs. known bogus DNS servers + botnet C&C servers, by overwrite of my HOSTS, every 15 minutes here, "automagically"!
Secondly, see above, "rinse, lather, & repeat", & I am not the only one experiencing freedom from infestation, others who follow its points do as well (even only those that use HOSTS):
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"It's 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral
---
"then the update to Norton would prevent it from being able to talk back to it's C&C." - by cbiltcliffe (186293) on Saturday July 02, @09:45PM (#36644570) Homepage
Again -> My updates to my HOSTS & firewalls (in software, & in hardware) occur every 15 minutes from 17 reputable sources too... "automagically" by OVERWRITES, from a temp copy of the original, & not by appends, via a Python Script. No chance of poisoning them either.
And
My DNS serv
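The post above describes refreshing HOSTS from several feeds by overwriting the file from a temporary copy rather than appending, via a Python script. The following is an added example, not the poster's own script: it merges feeds, drops any line that would redirect a name to a routable address (a tampered feed then cannot hijack traffic) or sinkhole localhost, and replaces the file atomically. The feed contents, hostnames and the default output path are constructed for illustration.

```python
"""Rebuild a HOSTS file from several blocklist feeds by whole-file overwrite.

Added example, not the poster's own script. Feed contents, hostnames and
the base file below are constructed for illustration; real feeds would be
fetched (e.g. on a 15-minute schedule) and passed in as text.
"""
import os
import re
import tempfile
from typing import Iterable, List, Set, Tuple

# Hostname syntax: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

# The only targets a blocklist entry may point at. A feed line that maps a
# name to any routable address would *redirect* that name rather than block
# it, which is how a tampered feed could hijack traffic; such lines are dropped.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that must never be sinkholed, whatever a feed says.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_feed(text: str) -> Tuple[Set[str], List[str]]:
    """Return (accepted hostnames, rejected raw lines) for one feed.

    Accepts both "0.0.0.0 name [name ...]" HOSTS-style lines and bare-domain
    lines; comments (#) and blank lines are ignored.
    """
    accepted: Set[str] = set()
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 1:                 # bare-domain feed format
            target, names = "0.0.0.0", parts
        else:                               # HOSTS-style "target name..."
            target, names = parts[0], parts[1:]
        if target not in SINKHOLES:
            rejected.append(raw)            # would redirect, not block
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in PROTECTED or not _HOSTNAME_RE.match(name):
                rejected.append(raw)
            else:
                accepted.add(name)
    return accepted, rejected


def build_hosts(feeds: Iterable[str], base: str) -> str:
    """Full HOSTS content: the pristine base copy first, then merged entries."""
    blocked: Set[str] = set()
    for feed in feeds:
        names, _ = parse_feed(feed)
        blocked |= names
    lines = [base.rstrip("\n"), "", "# --- merged blocklist (generated; do not edit) ---"]
    lines += [f"0.0.0.0 {name}" for name in sorted(blocked)]
    return "\n".join(lines) + "\n"


def write_atomically(path: str, content: str) -> None:
    """Write to a temp file beside the target, then rename over it.

    An overwrite from a complete temporary copy means a crash mid-write or a
    bad feed never leaves a half-appended HOSTS file behind.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hosts.")
    try:
        with os.fdopen(fd, "w", newline="\n") as fh:
            fh.write(content)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


# Constructed sample data (not real feeds or indicators).
BASE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
FEED_A = "# constructed feed A\n0.0.0.0 ads.example.test\n127.0.0.1 cnc-node.example.test # tagged\n"
FEED_B = ("tracker.example.test\n"
          "198.51.100.7 bank.example.test   # tampered line: would redirect\n"
          "0.0.0.0 localhost\n")

if __name__ == "__main__":
    # HOSTS_PATH is an assumed environment variable; the real file lives under
    # %SystemRoot%\System32\drivers\etc and needs an elevated prompt to replace.
    target = os.environ.get("HOSTS_PATH", "hosts.generated")
    write_atomically(target, build_hosts([FEED_A, FEED_B], BASE_HOSTS))
    print(f"wrote {target}")
```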
Mr. "FruStrAteD" troll? Case in point is your first sentence here quoted:
"Listen, you arrogant, obnoxious, simple-minded gimp." - by cbiltcliffe A FRUSTRATED TROLL (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage
Awwww.... poor little "1 hit wonder" (not even a hit, or I suspect, YOUR OWN WORK but the work of others you merely used) disk being shown to be "obsolete" & not needed/useless here got your gander, did it? LOL!
---
"I'm not asking you how to eliminate the rootkit. I never once asked you how to eliminate a rootkit.." - by cbiltcliffe A FRUSTRATED TROLL (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage
There's NO DENYING my technique will get rid of this rootkit and others like it, is there? Apparently not, because you avoid that like the plague when I ask the question if it works or not... lol!
---
"I already knew how to eliminate a rootkit.." - by cbiltcliffe A FRUSTRATED TROLL (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage
Sure, sure... then, why didn't you post the simple technique I did, of using PROVEN Recovery Console tools (not MSRT as you stated iirc), from an inviolate read only media in the Windows installation CD/DVD then?
---
"Stop harping on it, as you're making yourself look like a complete and total fool, by repeatedly answering a question that was never asked.." - by cbiltcliffe A FRUSTRATED TROLL (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage
NO, I will harp on it, and show that YOU are the "complete and total fool", because you're unable to answer a question put to you on if my technique for elimination rootkits works (and it does, no questions asked).
---
"My issue has always been with your claim that could detect a root kit with Process Explorer and TCPview.." - by cbiltcliffe A FRUSTRATED TROLL (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage
I never said that - they are useful for checking to see what your systems' communicating with in TcpView (netstat -ano will do that also from a DOS Windows/tty terminal/console session also) first of all...
AND
That ProcessExplorer is useful once rootkits driven by drivers or bootsector "VM's" (using the term loosely here) type rootkits use are destroyed, FIRST, & then if they haul in more malware, even UNKNOWN malware (which antivirus/antispyware would fail against because they don't have signatures or removal techniques for it (& their heuristics are not set "on" or "max" & they aren't usually by default)??
It can be used to destroy those, too... and it works (nothing can be hidden from it once a rootkit that performs API call hooking intercepts is gone).
---
"This is what I stated in my very first post to you, and the only thing I've repeatedly stated that you're wrong about.." - by cbiltcliffe A FRUSTRATED TROLL (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage
NO, I have answered it, and you either are just "conveniently trolling" or you are illiterate & skimmed over my points each time!
---
"This is also the only aspect of this rootkit removal that you haven't clarified.." - by cbiltcliffe A FRUSTRATED TROLL (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage
I said that IF you read my security guide for Windows? I list several reliable and reputable ROOTKIT DETECTING TOOLS THERE...
(Awful "convenient" that you seem to omit that point of mine, eh? NOT! It shows us all who the "total fool" is here, and it's NOT myself!)
---
"Instead, you choose to go off on irrelevant and off topic rants about how you're an expert because you're an expert" - by cbiltcliffe A FRUSTRA
First, see subject-line above:
"My issue has always been with your claim that could detect a root kit with Process Explorer and TCPview" - by cbiltcliffe (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage
Second: Produce proof of my stating that TcpView &/or ProcessExplorer are for detecting rootkits!
(I said they're respectively useful for detecting communications of botnets or malwares, and for eliminating them in UserMode/Ring3/RPL3 operations, once a rootkit's destroyed in Ring0/RPL0/Kernelmode (so it cannot perform deceiving API call intercepts on usermode wares))
Fact is - I never once did state what you "inferred" above, dolt! Learn to READ!!!
In fact - Here is where I mention TcpView & what I stated about it, AND ProcessExplorer also (not in regard to rootkits, but malwares rootkits can haul in as this one does):
---
PERTINENT QUOTE, VERBATIM FROM MYSELF:
"I can watch who/what/when/where/how my system "talks" to other systems online, & if I see one I am NOT talking to? It gets added to my firewall list (by IP address), and the offending unknown interloper malware/botnet gets "BLOWN AWAY" by ProcessExplorer.exe, as I noted in my last post/other post in reply to YOUR last post." - by Anonymous Coward on Saturday July 02, @11:35PM (#36644860)
FROM -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36644860
---
And as to detecting rootkit's presence? I said this
---
PERTINENT QUOTE, VERBATIM FROM MYSELF:
"& in my guide? I post a NUMBER of reliable tools for rootkit detection:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]
(And, there you are - TcpView is only for checking WHERE it communicates back to... as a possible way of seeing that, for adding the bogus C&C server destinations to HOSTS &/or Firewall rules tables - that's all!)" - by Anonymous Coward on Sunday July 03, @03:08PM (#36647626)
FROM -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36647626
---
Which now after your quoted statement @ the top of my reply here make you look to be either:
1.) ILLITERATE on, or skimming
or
2.) Just "trying to get the last word a week later" like a FOOL would when I said nothing of the KIND as you state!
APK
P.S.=> Go on though, show us a quote of my stating what you said I did... good luck - because I show QUITE OTHERWISE above, complete with quotes of myself and the links they came from in this very exchange (quit deluding yourself here - U "FAIL", badly, because putting words in others' mouths is NOT valid debate @ all, period!)
... apk
In regards to TcpView OR ProcessExplorer? No. So haha to you: See subject-line above...
U FAIL #1...
---
"Will it get rid of a driver-based rootkit that uses a patched tcpip.sys, or atapi.sys? No, because listsvc doesn't verify file signatures, and there's no way for you to do it manually using hashes, or the like, within the recovery console." -
The ONLY way to use those, would be to do what this botnet did, a filtering/hooking driver... otherwise, Windows SFP/WFP (Windows File & System File Protection) would detect for it & replace them IF they were bogusly replaced... period!
U FAIL #2...
---
"Ooooh! Ad hominem attacks!" - by cbiltcliffe (186293) on Tuesday July 12, @03:12PM (#36738656) Homepage
LMAO - you started it, & your mistakes here constantly DO make you out to be a DOLT, period... I only call a spade, a spade is all, & I fight fire WITH hotter fire, especially if it's done to myself, first...
U FAIL #3...
APK
P.S.=> This? This was just "too, Too, TOO EASY - just '2EZ'", as per my usual, vs. trolls like yourself...
... apk
Actually said, w/ backing quotes of myself http://it.slashdot.org/comments.pl?sid=2282088&cid=36731660 in regards to TcpView &/or ProcessExplorer, vs. your blunders & reading comprehension difficulties, lol...
* PLEASE - Either learn to read, OR, get "hooked on phonics" (you need it, lol).
APK
P.S.=> Ah, I just GOTTA say it, as-per-my-usual, vs. trolls like yourself: This? This was just "too, Too, TOO EASY - just '2EZ'", & your blunders, skimming, & technical knowledge inadequacy makes it so for me! Thank you for making ME, look GOOD, as usual vs. trolls like yourself!
... apk
On the subject of bypassing unsigned driver installs http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes...
There's possibly even a "Group Policy" entry for this as well, but I have not looked! If not, there should be (but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
However - The nice part is here?
Well - Windows "warns you" when you enter this mode!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..." (and endeth cbtcliffe the wannabe, too, lol!)
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus, son of Peleus, the INVINCIBLE WINNER (when middle names are usually those of the father or grandfather = APK):
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
... apk
Play 2:50 on, says it for me better than I can -> http://www.youtube.com/watch?v=SP74aJBbIoY
I.E.-> AKhilleus (Greek spelling of Achilles), son of Peleus (middle names are usually that of the father or paternal grandfather) "KNOCKS THE CHOCOLATE OUT OF YET ANOTHER /. OFF-TOPIC 'Boagrius' TROLL!", as-per-my-usual... in this case? cbtcliffe, the wannabe.
* You KNOW you've gotten the best of a troll, when trolls go "silent" - APK "FTW", as usual, vs. /. trolls...
APK (The "Invincible Winner" vs. /. trolls...)
P.S.=> This? Ah, I just GOTTA say it, as is my usual in my own INIMITABLE 'style' -> This was just "too, Too, TOO EASY - just '2EZ'"
... apk
First of all, PROVE your "anecdotal b.s." here:
(And, if that happened via malware code? No biggie: I showed a preventative method for THAT TOO, right here, days ago, vs. invalid installation turn off by an app's code -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36740882 )
U FAIL AGAIN!
(LMAO!)
"Once again, you're wrong. I've seen patches like this happen, and WFP did not fix it. The problem is, once the file is patched, and the hostile code loaded into memory, WFP can be disabled by that hostile code, even if only for that file." - by cbiltcliffe (186293) on Tuesday July 12, @10:29PM (#36744054) Homepage
First of all - Windows File Protection would reject it, just like is seen here:
http://www.msfn.org/board/topic/84128-windows-file-protection-popups-when-installing-drivers/
AND, the ONLY WAY you can get around a hassle like that, is to disable WFP, period...
Now - unlike yourself, & your "I've seen it" anecdotal b.s.?
Well - I can actually produce a result for a tool that shows that done (WinPCap driver, to use it, you have to ALLOW IT to disable the WFP protection)...
QUESTION FOR PROOF: Can you produce something that does it on its own proving it does via its own code??
Funny you omit any proofs, as per your usual!
So much for your usual b.s.!
* Once again, the "amateur" tries his best, has only "anecdotal b.s." as is cbtcliffe's usual, & FAILS!
APK
P.S.=> AND, if you do manage to produce a valid result of that as I have in WinPCap installations, or an actual malware that does it?
Again - SEE my FIRST link above @ the start of this reply, it will stop it by turning it on again... AND?
Then, guess what saves the day once again??
You guessed it - The Windows install media - it has the original files
OR
You can get latest service packed versions of them by manually extracting out the latest valid models from MS using the switches on Service Pack patch files OR open them with say, WinRAR, then extract them onto another form of media, preferably a CD (read only) & load them from a bootup into Recovery Console, flipping to the copy you have on CD!
(Again - using a CD is preferred because of read-only access AND, by default, unless you change it? RC only allows you to access the Windows ROOT folders %WinDir% & %SystemRoot% iirc)
AND... There you go...
All fixed once again (IF need be too in the case you're proposing!) - because, face it:
There's nothing "the likes of you" can *THINK* of, that I can't fix easily in a second's moment of thought!
SO, as usual for myself, vs. you? This?? This was just "too, Too, TOO EASY - just '2EZ'", lol...
... apk
Were for detecting rootkits can you? Nope... U FAIL!
LMAO - Man:
You screwed up TOTALLY saying I said TcpView + ProcessExplorer are for "detecting rootkits" & I NEVER SAID THAT EITHER!
In fact, I asked you to show where I did verbatim, literally, & I proved otherwise with MY OWN WORDS here:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36731660
(U FAIL AGAIN!)
---
Also - My telling U your "1 hit wonder" CD Isn't needed is not an ad hominem attack! It's just truth! A truth you even ADMIT by saying my technique with proven RC read only tools works, no less!
(A CD that you use others' tools for I suspect, isn't useful here (and you didn't write the tools on it either completely yourself, I suspect))...
That's not an ad hominem attack on my part - it's just truth!
Again - YOU EVEN ADMIT MY TECHNIQUE FOR KILLING THIS COMBINED ROOTKIT/BOTNET WORKS!
---
"* So, go "hawk" your essentially obsolete 'ware' in this situation & others like it vs. rootkits "1 hit wonder" disk elsewhere man!
Besides, I haven't used a single ad hominem attack. I've called you a douche, among other things, but I haven't said that you're incorrect because you're a douche. I've said that you're a douche because you're incorrect, but you can't see it. Do you even know what an ad hominem attack is? - by cbiltcliffe (186293) on Tuesday July 12, @10:29PM (#36744054) Homepage
Sure I do, and yes, you have, right here quoting you now in it:
---
"Listen, you arrogant, obnoxious, simple-minded gimp." - by cbiltcliffe (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage Journal
---
IF THAT'S NOT AN AD HOMINEM ATTACK, I DON'T KNOW WHAT IS!
(Your lies are once again your undoing boy!)
Besides - My technique works for burning away this rootkit, & you admitted that much - AND said rootkits' possible attendant malwares it can suck into Ring3/RPL3/Usermode can be killed off using ProcessExplorer.exe once you burn out the Ring0/RPL0/Kernel mode portions of this rootkit, AND YOU EVEN ADMITTED IT DOES!
(E.G.-> hello_tt.sys using listsvc + disable, & rebooting to RC again, then, burn the bogus bootsector using fixmbr from RC!)
* You also said I am wrong? HOW SO?? My stuff works, YOU ADMIT IT DOES, & your "1 hit wonder" (not), isn't even NEEDED @ ALL!
APK
P.S.=> LMAO - Your "1 claim to fame" (not even fame, especially if you didn't write the tools, & I've never heard of it (was it featured in any publications @ least, commercially sold wares, or even tech trade shows of great note like MS-TechEd as my work has been?)
Hey - it NOT needed here, period!
Face it - In comparison to MY technique for removing this rootkit??
I.E.-> Your "1 hit wonder" is totally "obsoleted" by my proven technique with proven tools from the RC, on a read-only inviolate media... period!
... apk
Especially this since you admitted my technique 4 killing this works vs. this rootkit/botnet combo:
"If you're relying on Norton DNS to prevent such a "beastie" - as you so eloquently put it - from talking to its C&C server, how can you trust the DNS settings on the infected computer?" - by cbiltcliffe (186293) on Tuesday July 12, @10:29PM (#36744054) Homepage
Simple - again:
Kill it off using my technique that actually works & you EVEN ADMIT IT DOES, to kill this rootkit!
NO problem @ all then, because just like having to do so FIRST, so ProcessExplorer can't be deceived?
Again - You have to knock out the Ring0/RPL0/kernel mode stuff first, so it can't deceive Win32/64 API calls that apps in Ring3/RPL3/Usermode use!
(And, I even suggested to others here http://it.slashdot.org/comments.pl?sid=2306598&cid=36698436 that Dr. Mark Russinovich write up a protective driver for the bootsector, & to call it "APKBootSectorProtector.sys" in fact, using the mechanics of this very rootkit to protect against it!)
APK
P.S.=> There you go... once again, the final "nail in your coffin" was just TOO EASY to pound into place & you helped me do it (because you admit you KNOW my technique for removing this rootkit/botnet using RC tools & the malware afterwards, using ProcessExplorer, actually works!)
... apk
WARNS YOU IN WINDOWS: Says it's in "TEST MODE"... you'd KNOW if a program did it!
I already mentioned this, but as usual, like when you missed the fact I never ONCE stated ProcessExplorer or TcpView are for detecting rootkits, not once (only malwares)!
* In fact, as a test? Try what I said as an actual example you can SEE (unlike your "anecdotal b.s." of "I have seen it") install WinPCap as I noted
(E.G.-> You get warned when it tries to do an unsigned driver installation in fact as it tries - & it's used in various network sniffer type tools)
THEN, once you reboot? You get TOLD you are in "TEST MODE" (same as if you're developing drivers mind you)...
I.E.-> Which WOULD be your warning "something's up/not right"
(In my case, FOR SURE I'd know it, because my systems' NOT currently setup with a debug build of Windows nor the MS-DDK for driver development either!)
APK
P.S.=> Between this, and my last post on this here:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36744408
(Where I also show how to defend vs. this using bcdedit commandlines as well)?
You're "all done" @ this point!
Even though you've "wandered off topic" on other types of rootkit possibles, & admitted MY TECHNIQUE FOR REMOVING THIS ROOTKIT ACTUALLY WORKS, & your "1 hit wonder" CD? Is not needed, period...
Simply because RC's native proven tools from a read-only environs of the Windows install CD/DVD in listsvc, disable, & fixmbr do the job already - period!
... apk
As I originally noted was most likely possible, here:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36740882
Guess what? I was right yet again:
GROUP POLICY CAN STOP UNSIGNED DRIVER INSTALLS!
In fact, I'd use it in combination with the bcdedit commandlines I noted can (& WFP would protect vs it, and then Windows itself also SIGNALS you're in "TEST MODE" as well indicating something's "wrong" if you're not doing that kind of thing (like when doing driver dev work too!))
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
---
* Fact is, My last few posts have "done in" your GIANT "book sized" post, with ease, as per usual! This one only adds the "icing on the cake"!
Topping off GIANT BLUNDER/FAIL, in your stating I said TcpView &/or ProcessExplorer are for "detecting rootkits" & I NEVER EVEN STATED or IMPLIED THAT! Not once
Fact is - I explicitly stated, and had proof of that much quoting myself here as well:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36731660
(You did yourself in, nobody else, IN YOUR TRYING TO PUT WORDS IN MY MOUTH THAT I NEVER SAID EVEN ONCE or EVEN IMPLIED!!!)
Face it - "U FAIL"...
APK
P.S.=> Ah, yes... you KNOW I just GOTTA say it: This? This was just "too, Too, TOO EASY - just '2EZ'", always is... vs. noob amateurs like cbiltcliffe!... apk
Does, & you have 2 options (use both 4 "layered security protection" (bcdedit commandlines + Group Policy)):
Also - Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also serve as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines as well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes...
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructible" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
Unsigned driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also serve as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well! See my post parent to this one...
---
AND, Again - This can also serve as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines as well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes...
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructible" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
Unsigned driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also serve as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well! See my post parent to this one...
---
AND, Again - This can also serve as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines as well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructible" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
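An added audit script, not part of the Slashdot thread or of APK's posts: it reads the Boot Configuration Data of the running Windows install and reports whether any of the elements the two bcdedit lines above are meant to clear (testsigning, loadoptions, and the related nointegritychecks) are still set, then optionally puts them back to the safe values. It assumes English-locale bcdedit output, an elevated prompt, and Windows Vista/7/Server 2008 or later (older versions use boot.ini instead of BCD); the function names are invented for this example.

```powershell
# Added example (not from the thread): audit and repair the BCD driver-signing
# bypass switches on the current boot entry. Run from an elevated PowerShell.
# Assumptions: bcdedit.exe on PATH, English-locale output ("Yes"/"No"),
# documented BCD element names testsigning, nointegritychecks, loadoptions.

function Get-CurrentBcdEntry {
    # Parse "bcdedit /enum {current}" into a hashtable of element -> value.
    $principal = [Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'bcdedit needs an elevated prompt to open the BCD store.'
    }
    $raw = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed: $raw" }
    $entry = @{}
    foreach ($line in $raw) {
        # Element lines look like "testsigning             Yes"; header lines
        # ("Windows Boot Loader", dashes) match harmlessly or not at all.
        if ("$line" -match '^(\S+)\s+(.+?)\s*$') {
            $entry[$Matches[1].ToLowerInvariant()] = $Matches[2]
        }
    }
    return $entry
}

function Test-DriverSigningBypass {
    # Returns one finding string per bypass switch that is set; empty means clean.
    param([hashtable]$Entry = (Get-CurrentBcdEntry))
    $findings = @()
    if ($Entry['testsigning'] -match '^(Yes|On)$') {
        $findings += 'testsigning is ON: test-signed and self-signed kernel drivers load; Windows shows the TEST MODE watermark.'
    }
    if ($Entry['nointegritychecks'] -match '^(Yes|On)$') {
        $findings += 'nointegritychecks is ON: code-integrity checks on boot drivers are disabled.'
    }
    if ($Entry.ContainsKey('loadoptions')) {
        $findings += "loadoptions is set to '$($Entry['loadoptions'])': the legacy DDISABLE_INTEGRITY_CHECKS switch lives here."
    }
    return $findings
}

function Repair-DriverSigningPolicy {
    # Mirrors the two bcdedit lines from the post, plus nointegritychecks.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $cmds = @(
        @('/deletevalue', '{current}', 'loadoptions'),
        @('/set', '{current}', 'testsigning', 'off'),
        @('/set', '{current}', 'nointegritychecks', 'off')
    )
    foreach ($c in $cmds) {
        if ($PSCmdlet.ShouldProcess('BCD {current}', "bcdedit $($c -join ' ')")) {
            # deletevalue errors when the element is already absent; that is fine.
            & bcdedit.exe @c 2>$null | Out-Null
        }
    }
    Write-Verbose 'Changes take effect at the next boot.'
}

# Usage: report, then preview the repair (drop -WhatIf to apply it).
$findings = Test-DriverSigningBypass
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No driver-signing bypass set in BCD {current}.' }
Repair-DriverSigningPolicy -WhatIf
```

The audit runs inside the operating system whose boot path a bootkit controls, so a clean result is necessary rather than sufficient; pair it with the Group Policy setting the post links to and with a check of the MBR from outside the infected system. The same three bcdedit calls can be dropped into the startup script or scheduled task the post describes.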
Unsigned device driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well! See my post parent to this one...
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlinesas well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructable" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
Unsigned device driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well! See my post parent to this one...
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlinesas well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructable" like this rootkit/botnet was alleged to be, and to my naysayers here also easily!)
... apk
Unsigned device driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well!
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlinesas well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructable" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
Unsigned device driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well!
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlinesas well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, since "Boagrius" was "so bad" & "indestructable" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
Unsigned device driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well!
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlinesas well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, since "Boagrius" there was "so bad" & "indestructable" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
Unsigned device driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well!
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlinesas well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, since "Boagrius" there, was "SO 'bad'" & "indestructable" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
Unsigned device driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well!
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlinesas well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques since "Boagrius" was "so bad" & "indestructable" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
Unsigned device driver installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!
(In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well!
---
AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlinesas well!
I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs
http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There are also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)
---
(Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)
---
However - The nicest part is here?
Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)
* Once more/Again? "Here endeth the lesson..."
APK
P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):
---
"Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:
http://www.youtube.com/watch?v=SP74aJBbIoY
---
Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"
(For what I feel I've done to this rootkit, & others like it via my techniques, mostly since "Boagrius" was "so bad" there, & "indestructible" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)
... apk
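As an added example (not part of APK's post or any tool he cites), here is a PowerShell check that reads the current boot entry with bcdedit and reports whether testsigning is on or loadoptions is set, and can apply the two bcdedit commands quoted in the post above. It assumes an elevated prompt on Vista or later and English bcdedit output; the function name and the -Remediate switch are names chosen for this example.

```powershell
# Added example (not from the original post): audit the current boot entry for
# settings that relax kernel driver signature enforcement, then optionally reset
# them with the two bcdedit commands quoted in the post above.
# Assumes: Windows Vista or later, run from an elevated PowerShell prompt
# (bcdedit cannot read the BCD store otherwise), and English bcdedit output
# (the value column is localized on non-English systems).
# Function name and the -Remediate switch are hypothetical names for this example.
function Test-DriverSigningPolicy {
    [CmdletBinding()]
    param(
        # When set, apply the fixes instead of only reporting.
        [switch]$Remediate
    )

    # bcdedit prints one "name   value" line per setting of the current boot entry.
    $output = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed (is this prompt elevated?): $output"
    }

    $state = [ordered]@{
        TestSigning = $false   # "testsigning Yes" lets unsigned kernel drivers load
        LoadOptions = $null    # the post deletes loadoptions as part of the same hardening
    }
    foreach ($line in $output) {
        if ($line -match '^\s*testsigning\s+(\S+)') {
            $state.TestSigning = $Matches[1] -match '^(Yes|On|True)$'
        }
        elseif ($line -match '^\s*loadoptions\s+(.+?)\s*$') {
            $state.LoadOptions = $Matches[1]
        }
    }

    $findings = @()
    if ($state.TestSigning) {
        $findings += 'testsigning is ON: unsigned kernel drivers load and Windows shows the TEST MODE watermark'
    }
    if ($state.LoadOptions) {
        $findings += "loadoptions is set to '$($state.LoadOptions)'"
    }

    if ($Remediate -and $findings.Count -gt 0) {
        # The two commands from the post; each is gated so bcdedit does not
        # error out on a value that is not present.
        if ($state.LoadOptions) { & bcdedit.exe /deletevalue loadoptions | Out-Null }
        if ($state.TestSigning) { & bcdedit.exe /set testsigning off | Out-Null }
        $findings += 'remediation applied; the change takes effect at the next boot'
    }

    [pscustomobject]@{
        TestSigning = $state.TestSigning
        LoadOptions = $state.LoadOptions
        Findings    = $findings
    }
}

# Report only; add -Remediate to apply the two bcdedit fixes.
Test-DriverSigningPolicy | Format-List
```

An empty Findings list means the boot entry already matches what the post's two commands would produce.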
You're the "desperate one", as you ADMITTED my technique for removing this rootkit, works (& your 'so-called tool' on CD isn't even NEEDED here, period):
Ahem: I'm also not the one running from this, YOU ARE where you tried putting words in my MOUTH I NEVER SAID (On TcpView &/or ProcessExplorer being used to "detect rootkits" which I never ONCE said (learn to read/get "hooked on phonics")):
http://it.slashdot.org/comments.pl?sid=2282088&cid=36744554
----
OR, this (Group Policy layered with bcdedit commandline can stall unsigned driver signings in layered security protective manner):
http://it.slashdot.org/comments.pl?sid=2282088&cid=36745080
----
or this (WFP warning you & Windows says "TEST MODE" on unsigned drivers installed + WFP disabled):
http://it.slashdot.org/comments.pl?sid=2282088&cid=36745014
----
AND, this too (on DNS not being deceived if a rootkit's "knocked-off" first in Ring0/RPL0/Kernelmode operations):
http://it.slashdot.org/comments.pl?sid=2282088&cid=36744624
---
* And, now you're also trying to "bury my replies" via doing nonsense posts with 2 words in them too, here tons of times (burning up your post limit too probably):
http://it.slashdot.org/comments.pl?sid=2282088&cid=36748960
http://it.slashdot.org/comments.pl?sid=2282088&cid=36748982
http://it.slashdot.org/comments.pl?sid=2282088&cid=36749052
http://it.slashdot.org/comments.pl?sid=2282088&cid=36749064
http://it.slashdot.org/comments.pl?sid=2282088&cid=36749144
http://it.slashdot.org/comments.pl?sid=2282088&cid=36749198
http://it.slashdot.org/comments.pl?sid=2282088&cid=36749220
http://it.slashdot.org/comments.pl?sid=2282088&cid=36749310
As you are now... pitiful!
AND, I have to post multiple times, because you write "book long" evasions & spin master b.s. trying to avoid the fact that you TRIED TO PUT WORDS IN MY MOUTH I NEVER SAID ONCE HERE!
(Where you thought I used ProcessExplorer &/or TcpView as "rootkit detectors" & when I confronted you on that? You could NOT produce a quote of my stating or even IMPLYING THAT!)
Pitiful on your part, in addition to accusing me of posting as others, when I clearly do NOT HAVE TO in the 1st place @ all!
---
Incorrect (I always sign my posts) & Look at the time of that post for Pete's sake! I'm dead asleep @ that hour of the a.m.!
"That just shows how desperate you are." - by cbiltcliffe (186293) on Wednesday July 13, @11:22AM (#36748938) Homepage
"Run Forrest... RUN!"
APK
P.S.=> Please - talk about "getting desperate" - especially when you ADMITTED MY TECHNIQUE FOR REMOVING THIS ROOTKIT ACTUALLY WORKS here:
"Will it get rid of an MBR rootkit? Yes. Will it get rid of a driver-based rootkit with a discrete .sys file for the driver? Yes." - by cbiltcliffe (186293) on Tues
http://it.slashdot.org/comments.pl?sid=2282088&cid=36749334
AND?
"You say drivers cannot be patched without warnings." - by cbiltcliffe (186293) on Wednesday July 13, @11:59AM (#36749568) Homepage
1.) WFP is in the way, & if it gets "circumvented" (which this rootkit does), but the user MUST have consented to it as is shown when WinPcap is installed (Hooking/Filtering driver for tcpip.sys iirc))... that's a warning NOT TO DO IT in the 1st place, unless you KNOW what's going on & what the driver's for!
---
2.) Group Policy is set by default to NOT allow driver signings OR to warn, and you can BLOCK IT COMPLETELY even!
---
3.) bcdedit commandlines I posted days ago here can act as another layer of defense vs. unsigned driver installs too if applied as I showed it (boot.ini work in older Windows versions prior to VISTA does the same also).
---
4.) DNS settings, if a rootkit is removed, can not be fooled (especially if rotated & checked on as I do it) + in combination with HOSTS files (especially mine, with 1,483,522++ KNOWN BAD sites/servers/hosts-domains blocked, botnet C&C servers blocked, bogus DNS servers blocked & even adbanners (that have had malicious code in them since 2004 many times)).
---
5.) My "layered security guides" if used, actually work to keep myself, & many others, 100% malware-in-general (inclusive of rootkits) FREE... the main weapons there are patching, using HOSTS, not using JAVA/Javascript "everywhere indiscriminately", firewalling + antivirus, & app patching too (and FAR more): BOTTOM-LINE on that much?
I NEVER HAVE TO REMOVE A DAMNED THING BECAUSE MY SYSTEMS NEVER GET INFESTED
(and, neither do those of my friends, family, or others I applied it to on paid contracts also... plus, many others in my guides attest to the same)
"Layered Security"? It WORKS!
---
So - Talk about "getting desperate" on YOUR part - Especially when you ADMITTED MY TECHNIQUE FOR REMOVING THIS ROOTKIT ACTUALLY WORKS here:
"Will it get rid of an MBR rootkit? Yes. Will it get rid of a driver-based rootkit with a discrete .sys file for the driver? Yes." - by cbiltcliffe (186293) on Tuesday July 12, @03:12PM (#36738656) Homepage Journal
QUOTED VERBATIM FROM and YOUR ADMITTANCE MY TECHNIQUE FOR REMOVAL OF THIS ROOTKIT/BOTNET WORKS -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36738656
---
AND, that your "1 hit wonder" disk is not even NEEDED in this case... period, as I said!
APK
P.S.=> Yes, "U FAIL" - badly: Most of all, in your trying to put words in my mouth I NEVER ONCE STATED, shown here:
YOU tried putting words in my MOUTH I NEVER SAID (On TcpView &/or ProcessExplorer being used to "detect rootkits" which I never ONCE said (learn to read/get "hooked on phonics")):
http://it.slashdot.org/comments.pl?sid=2282088&cid=36744554
AND, vs. that, here is what I actually said, proven in my OWN WORDS QUOTED HERE:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36731660
---
A.) I said that ProcessExplorer is ONLY FOR REMOVING MALWARE running in Ring3/RPL3/Usermode NOT rootkit detection...
B.) I said that TcpView only shows what you are communicating with back & forth, not for rootkit detection as you said erroneously... period!
---
Above ALL else:
YOUR TRYING TO PUT WORDS IN MY MOUTH THAT I NEVER STATED or even IMPLIED? THAT ISN'T WINNING AN ARGUMENT - IT'S A SIGN OF DESPERATION & LOSING, OR ILLITERACY & SKIMMING ON YOUR PART, PERIOD!
... apk
It, even IF it slips past WFP & group policy (if not bcdedit commandline protections I showed also) & even with a "patched driver"!
(Which Windows would tell you that you are in TEST MODE in as well - First, You'd have to consent to it, stupidly I might add (especially if you don't know what the driver's doing in the 1st place))?
Then, guess what saves the day once again??
---
1.) The Windows install media - it has the original files
OR
2.) You can get latest service packed versions of them by manually extracting out the latest valid models from MS using the switches on Service Pack patch files OR open them with say, WinRAR, then extract them onto another form of media, preferably a CD (read only) & load them from a bootup into Recovery Console, flipping to the copy you have on CD!
---
(Again - using a CD is preferred because of read-only access AND, by default, unless you change it? RC only allows you to access the CD/DVD itself, the Windows ROOT folders %WinDir% & %SystemRoot% iirc)
There you go - All fixed once again (IF need be too in the case you're proposing!)!
* Face it: There's nothing "the likes of you" can *THINK* of, that I can't fix easily in a second's moment of thought!
APK
P.S.=> Between this & my last post to you in reply here:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36750982
You're TOAST...
Especially for your trying to put words in my mouth I never even stated OR IMPLIED once on TcpView & ProcessExplorer being used as rootkit detectors... this disproved that easily with my OWN WORDS QUOTED no less:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36731660
SO, as usual for myself, vs. you? This?? This was just "too, Too, TOO EASY - just '2EZ'", & "U FAIL", lol...
... apk
You tried that with me on ProcessExplorer & TcpView saying I said they're for "rootkit detection" quoted here:
---
"My issue has always been with your claim that could detect a root kit with Process Explorer and TCPview." - by cbiltcliffe (186293) on Tuesday July 12, @06:04AM (#36731236) Homepage Journal
QUOTED VERBATIM IN YOUR OWN WORDS FROM -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36731236
---
So - Show me where I said that TcpView &/or ProcessExplorer are for rootkit detection... ok?
(You can't, you know it, & I know it (others posting here do as well, which I think is hilariously funny too))...
AND, I never once said that OR even IMPLIED it, period & here is where my words were quoted with their sources as to what I actually SAID:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36731660
And my actual words stating TcpView &/or ProcessExplorer are respectively for:
---
A.) I said that ProcessExplorer is ONLY FOR REMOVING MALWARE running in Ring3/RPL3/Usermode NOT rootkit detection...
B.) I said that TcpView only shows what you are communicating with back & forth, not for rootkit detection as you said erroneously... period!
---
Period!
You were then asked to show me stating EXPLICITLY that I said they were for rootkit detection, you INFERRED THAT YOURSELF - you could not do that & tried to say I "implied it", that's b.s.!
(Please - Learn to read, & stop skimming... it really "did you in" here, badly!)
---
"Stop putting words in my mouth, hypocrite." - by cbiltcliffe (186293) on Wednesday July 13, @02:19PM (#36752140) Homepage
See above in your own words captured in quotes where you tried to put words in my mouth I never ONCE STATED EXPLICITLY or even IMPLIED!
U FAIL HUGELY THERE ALONE!
---
So, that all "said & aside":
What's the topic here? This particular rootkit/botnet right??
"I didn't agree that your method of removing rootkits would work." - by cbiltcliffe (186293) on Wednesday July 13, @02:19PM (#36752140) Homepage
Funny, but I have you quoted right here, saying it does and ON THE ROOTKIT/BOTNET IN QUESTION, the topic here in fact:
---
"Will it get rid of an MBR rootkit? Yes. Will it get rid of a driver-based rootkit with a discrete .sys file for the driver? Yes." - by cbiltcliffe (186293) on Tuesday July 12, @03:12PM (#36738656) Homepage Journal
QUOTED VERBATIM FROM and YOUR ADMITTANCE MY TECHNIQUE FOR REMOVAL OF THIS ROOTKIT/BOTNET WORKS -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36738656
---
Funny that, eh? You're being a HYPOCRITE to YOURSELF!
---
"I stated that it would work for certain types of rootkits, but not all." - by cbiltcliffe (186293) on Wednesday July 13, @02:19PM (#36752140) Homepage
Then, you're also going "off-topic"...period!
Plus, I have other methods for removing other types as well, using the Windows Install media, shown here:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36751240
U FAIL AGAIN
Using what's in that link above & in combination with my 1st method especially, this other technique can "wash clean" any rootkit (especially if you install the RC to HDD and use the CD/DVD installation media version, even IF you can manage to slip past Group Policy & WFP)
---
"You co
http://it.slashdot.org/comments.pl?sid=2282088&cid=36751240
Better luck next time, even IF something slips past WFP, Group Policy (and my bcdedit commandline layered protection method to top those off too) as well as Windows warning you are in "TEST MODE" if unsigned driver installation is set to be "ok" by a hacker/cracker!
APK
P.S.=> This 'takes the cake' lol:
"Whether you want to admit it or not, my statements regarding you implying TCPview could show connections from rootkits are true. You did imply it." - by cbiltcliffe (186293) on Wednesday July 13, @02:27PM (#36752240) Homepage
No, your reading comprehension obviously sucks... or you skimmed!
Simply because I can show, here, EXACTLY what I said EXPLICITLY on this account also where you tried to put words into my mouth I NEVER SAID or even IMPLIED (quoting myself yet again to disprove you):
PERTINENT QUOTE, VERBATIM FROM MYSELF:
"I can watch who/what/when/where/how my system "talks" to other systems online, & if I see one I am NOT talking to? It gets added to my firewall list (by IP address), and the offending unknown interloper malware/botnet gets "BLOWN AWAY" by ProcessExplorer.exe, as I noted in my last post/other post in reply to YOUR last post." - by Anonymous Coward (Myself, APK) on Saturday July 02, @11:35PM (#36644860)
FROM -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36644860
---
And as to detecting rootkit's presence? I said this
---
PERTINENT QUOTE, VERBATIM FROM MYSELF:
"& in my guide? I post a NUMBER of reliable tools for rootkit detection:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
(And, there you are - TcpView is only for checking WHERE it communicates back to... as a possible way of seeing that, for adding the bogus C&C server destinations to HOSTS &/or Firewall rules tables - that's all!)" - by Anonymous Coward (Myself, APK) on Saturday July 02, @11:35PM (#36644860)
FROM -> http://it.slashdot.org/comments.pl?sid=2282088&cid=36647626
---
Which now, after your quoted statement @ the top of my reply here, makes you look to be either:
1.) ILLITERATE, or skimming
or
2.) Just "trying to get the last word a week later" like a FOOL would when I said nothing of the KIND as you state!
... apk
In a row here http://it.slashdot.org/comments.pl?sid=2282088&cid=36752608 (using your reading comprehension problems & quotes of YOUR WORDS, against you, vs. WHAT I ACTUALLY SAID about TcpView &/or ProcessExplorer (not for detecting rootkits on either one, just for checking usermode malware communications, & removing them respectively))
LOL - You, in your trying to put words in my mouth I never stated, are LOSING badly (& you only did that to yourself)
And here too!
http://it.slashdot.org/comments.pl?sid=2282088&cid=36752716
(Where you went off the topic into other "theoretical rootkit methods" because you admitted my technique works vs. the botnet/rootkit @ hand):
AND I EVEN HAVE WORKING VALID METHODS vs. THOSE TOO, using the Windows Install Media or Service Pack files & a CD you burn proper versions on it & repatch your files (even IF a malware can slip past WFP, Windows warnings you are in "TEST MODE", Group Policy protection, or even extra layered protection via bcdedit commandlines I showed)...
* You fail, badly, on all accounts noted - period!
APK
P.S.=> "U FAIL", badly... & mostly because you skim and didn't read what I wrote on TcpView + ProcessExplorer stating I said they were for "rootkit detection" when I never ONCE said that EXPLICITLY or inferred it (my own words quoted show that much in the 1st link above too, vs. yours quoted in erroneous reading comprehension difficulties you have)
... apk
It's what ProcessExplorer removes & TcpView can see what it talks to, period (I said that EXPLICITLY here many times - you inferred incorrectly & misinterpreted my words also (intentionally I think)) once you destroy the Ring 0/RPL0/kernel mode rootkit (which you admit here that my technique works for vs. this rootkit):
"That's not the TCPview/Process Explorer quote that I referred to" - by cbiltcliffe (186293) on Wednesday July 13, @03:22PM (#36752958) Homepage
Can you show me EXPLICITLY stating that ProcessExplorer &/or TcpView are for "detecting rootkits" as you said I did? No, you cannot... period!
Please - DO PROVE OTHERWISE WITH A QUOTE OF MY OWN WORDS IN THIS EXCHANGE & THE SOURCE LINK FOR IT!
(You haven't managed that yet, because you cannot do it!)
Fact is - I never even IMPLIED they are for "rootkit detection" or removal from Ring 0/RPL0/kernel mode operations of rootkits... only usermode/RPL3/Ring 3 malware operations, period!
And, you can remove usermode malware then, which once you blow away the rootkit in kernel mode?
You can do using ProcessExplorer to remove usermode malware... ( & even TcpView can show communications they use to block out in your firewalls or HOSTS files too!)
Prove otherwise... with a quote of MY OWN WORDS! I proved you wrong with YOUR WORDS and my actual words quoted too! Feel free to do the same to me, but then, I have asked you to many times here... you cannot!
---
"Sure, you said it there, but the one I responded to first, you didn't." - by cbiltcliffe (186293) on Wednesday July 13, @03:22PM (#36752958) Homepage
You've been asked to show myself EXPLICITLY STATING that ProcessExplorer &/or TcpView are for "detecting rootkits"... you can't, I never said it OR implied it... prove otherwise!
You have problems with either your reading, or memory, obviously... go on, show us where I said anything other than what I quoted myself in the post you replied to, OR what I state above now in this reply to you!
---
"You stated "malware" which implies all malware, in a conversation about rootkits" - by cbiltcliffe (186293) on Wednesday July 13, @03:22PM (#36752958) Homepage
That's YOUR PROBLEM in reading comprehension & inferring that... not mine! I explained THOROUGHLY what I meant many times now, & You blew it... I mean, do I have to TELL YOU that ProcessExplorer &/or TcpView operate in UserMode/RPL3/Ring 3 & can be deceived by Ring 0/RPL 0/Kernel mode rootkits?
Ones I show can be blown away (as this one you admit my technique works perfectly for no less in your own words quoted) & even FURTHER methods using the Windows Install media & Service Pack files for even vs. your rather "off topic theoretical rootkits" too??
APK
P.S.=> Accept it, "U FAIL" vs. myself... badly! Putting words into my mouth I never once stated? POOR JOB OF DEBATE on your part...
... apk
Not ProcessExplorer parts: You are dead in the water right there - so who're U trying to fool? YOU ADMIT RC TOOLS I USE WORK VS. THE ROOTKIT PROCESS PARTS THAT RUN IN RING0/RPL0/KernelMode are RECOVERY CONSOLE TOOLS!
(Not ProcessExplorer - that's just for the usermode ring3/rpl3 parts)
---
"Yes, you do explicitly state that Process Explorer is a "big gun" for dealing with botnets (or even ROOTKITS)." - by cbiltcliffe (186293) on Wednesday July 13, @07:06PM (#36755834) Homepage
Again - The botnet part of it runs in Ring3/RPL3/Usermode, NOT THE ROOTKIT - what have I said I use to kill the rootkit? RC tools (listsvc, disable, fixmbr)...
What have I said I use to kill the malware it hauls in that runs in usermode/ring3/rpl3??
ProcessExplorer!
(But only AFTER you kill the rootkit first, so it cannot deceive ProcessExplorer by API call intercepts)!
What about that is "so difficult for you to understand"? Nothing I suspect...
You are only using it to try to "cover your ass" for putting words in my mouth I never stated once (see my ps below on that account).
First - I stated that I don't use the same tools everyone else does, quoted verbatim, here:
"Besides, there isn't a botnet (or even ROOTKIT) I can't deal with effectively for removal anyhow - & I don't use the same tools others do... Well, @ first I do, & when those fail? Out come the "big guns" in Process Explorer & Recovery Console - & there's nothing I can't "dust" between them..." - by Anonymous Coward on Wednesday June 29, @09:11PM (#36618008)
Again - Does this rootkit haul in malware that runs in Usermode/Ring3/RPL3? Yes it does!
Recovery Console's 1 part I use (vs. rootkit portions in Ring0/RPL0/Kernel Mode parts)
&
Process Explorer's the other (vs. botnet malware running in Ring3/RPL3/Usermode)...
Once more/IMPORTANT:
1 (RC) is for the rootkit itself, which YOU ADMIT MY TECHNIQUE WORKS VS. THIS ROOTKIT FOR in listsvc, disable, fixmbr - ALL RC TOOLS, not those of ProcessExplorer!
And, Process Explorer is for dealing with the malware that runs in Ring 3/RPL 3/UserMode this rootkit (and others) haul in too!
* WHAT IS IT ABOUT THAT, THAT YOU CANNOT UNDERSTAND?
APK
P.S.=> Lastly: How come you cannot show us a direct quote of my stating that I use ProcessExplorer &/or TcpView to DETECT ROOTKITS as you also stated I said... & I never ONCE did... I didn't even IMPLY it, ever!
(Once more - putting words in others' mouths they never stated is a big FAIL on your end also)
... apk
Right here, regarding my use of RC tools listsvc, disable, & fixmbr to KILL THE ROOTKIT PART:
"Will it get rid of an MBR rootkit? Yes. Will it get rid of a driver-based rootkit with a discrete .sys file for the driver? Yes." - by cbiltcliffe (186293) on Tuesday July 12, @03:12PM (#36738656) Homepage Journal
I don't mention ProcessExplorer in my technique on the rootkit portion of this botnet @ all...
NOW, since this rootkit:
---
1.) "Hauls in" other malware for the BOTNET portion running in Ring 2/RPL 2/Usermode?
2.) Once you kill the rootkit part in Ring 0/RPL 0/Kernel Mode, using RC tools which you ADMIT MY TECHNIQUE FOR WORKS ON THIS ROOTKIT/BOTNET COMBINATION (rootkit part)?
3.) Then, you "mop up" using ProcessExplorer once the rootkit's dead, to kill the malware it hauls in, THAT RUNS THE BOTNET PORTION in Ring 3/RPL 3/UserMode!
---
No, you're either having trouble with reading comprehension, OR, simply trolling to cover your behind because of your false accusations & mistakes regarding both ProcessExplorer & TcpView, stating I said I use them to "detect rootkits", when I use them BOTH vs. botnets & other malware in usermode, period!
Simply/Again, because you admit my technique WORKS FOR KILLING THE ROOTKIT PORTION using RECOVERY CONSOLE TOOLS!
(And I don't use ProcessExplorer for that @ all on the rootkit part)
In fact? Show me where I said I do use ProcessExplorer, explicitly, on the ROOTKIT PORTION of this rootkit/botnet!
Ok??
---
"Go back to updating your host file, little boy." - by cbiltcliffe (186293) on Wednesday July 13, @10:23PM (#36757884) Homepage
First of all? I'm 6' 2" & 230 lbs. currently... that's NOBODY'S "Little Boy" (are you larger? Doubt it!)
Secondly, I just did...
The commit to my HOSTS file now has me guaranteed protected vs. 1,483,950 known bad sites/servers/hosts-domains, botnet C&C servers, bogus DNS servers, & even adbanners in hosts-domain names
(Yes even adbanners on 2 accounts too - as they have been shown as infested with malicious scripts too & they slow you down for what you pay for online in bandwidth)...
So - Can you say the same without such a protective shield that also yields more speed?
Between my HOSTS file & Norton DNS (primary DNS here), and ScrubIT DNS (secondary DNS), & OpenDNS (third DNS), all of them do "filtering"?
* Well...If you're NOT doing the same, you're letting yourself down on protection... as well as speed online you pay for too!
Between HOSTS, DNS servers, & firewalls vs. IP address threats? It's no small wonder I never get infected/infested, & the rest of what's in my highly rated layered security guide for Windows does the rest:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
(Have YOU done a better guide for layered security than that?)
---
"There are thousands of malware domains registered daily, and according to a post of yours on another thread" - by cbiltcliffe (186293) on Wednesday July 13, @10:23PM (#36757884) Homepage
WTF? I never said that # are out there daily... your link doesn't show it either... that's quite old also - what are you doing??
Stalking me via diff. usernames???
The username/person I replied to was "Haedrian" & it is over 7 MONTHS OLD TOO!
---
"Maybe you don't get malware because, between the ungodly amount of time you must spend updating that hosts file" - by cbiltcliffe (186293) on Wednesday July 13, @10:23PM (#36757884) Homepage
I don't get malware, & neither do others I showed the effectiveness of my security guide to who apply it (posted that her
"Or is that why the list of previous accomplishments you're so fond of posting basically ends at 2003? Is that when you had the aneurysm that turned you into the psychotic raving lunatic you are today?" - by cbiltcliffe (186293) on Wednesday July 13, @10:23PM (#36757884) Homepage
Those were my shareware/freeware days, fresh out of my 2nd degree in CSC in Academia (first was way earlier with MIS minor)... I did well too!
I managed things, decades ago while you were probably STILL IN DIAPERS I wager, & things YOU haven't managed to do, that's certain, lol... and you most likely NEVER will either!
(If you have @ least 5 yrs. of time in this art & science, usually you do 'great things' by then @ least, or, you never will, ever!)
Also as to what I've been doing since those days (& my last noted accomplishments were last year, & 2008 before that, etc. - every once in awhile now, I have time for that stuff even now too!)?
I.E.-> Well - For instance: Ever been a customer of McDonalds, Burger King, or Boston Market? They have franchises out there by the many multiple thousands worldwide internationally...
Guess who wrote part of their Client-Server bump-bar system? Yours truly! I've been a Fortune 100-500 employee full-time or on contract more than a few times since 1994 professionally coding alone in fact!
APK
P.S.=> Still, You putting words in others' mouths they never said, as you did to myself, which you ran from proving them? Bogus & lame...
That, as well as screwing up after admitting I use RC tools vs. Ring 0/RPL 0/kernel mode portions of this threat in its ROOTKIT portion which you admitted works, & then saying I use ProcessExplorer to kill the rootkit later when I don't @ all (ProcessExplorer's used for malware it hauls in that runs the botnet portion in Ring 3/RPL 3/Usermode)
Please... lol!
It's as bad as when you said I use TcpView &/or ProcessExplorer to DETECT ROOTKITS, which you cannot produce a quote of my saying THAT either!
Man... U FAIL, & that's all here in my last post to you with backing quotes from yourself & sources of my words too:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36758338
... apk
U FAIL #1: - I've been cutting OFF services I don't need since oh, 1994-1995 on Windows-NT based OS, for starters... & you say I haven't apparently (pure comedy GOLD):
"'ll tell you: Having programs or services running that are not necessary, have no function, and are not used. Every one is a potential security hole waiting to happen." - by cbiltcliffe (186293) on Thursday July 14, @06:43AM (#36760610) Homepage
So much for THAT statement from you, & the funniest part is, I can prove it with the ORIGINAL older model of my security guide too, @ Neowin (where it was picked up on in 2000-2001 no less) -> http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text
AND I even noted why I do it, verbatim, here in another copy of the more current guide (same as the ones you saw):
http://www.pcreview.co.uk/forums/secure-windows-2000-xp-server-2003-and-even-vista-make-fun-do-t3511888p3.html
"services cutoffs for speed + security in DETAIL" - by APK
On that very page link url above... lol!
Fact is - Originally, I cut off services I don't need for SPEED though (to not consume RAM, CPU time, &/or other forms of I-O needlessly, but also later for security on the grounds you stated too (double BONUS)).
In fact?
Go over to the TechPowerUp forums also - while doing speed tests & benchmarks there, ScienceMark & WinTune tests?
Well - I showed their forums members how to get another 20%++ out of their scores BY CUTTING OFF SERVICES in our benchmark tests using ScienceMark &/or WinTune... in turn, they showed me how to FULLY OverClock AMD systems (I already knew how to do Intel ones).
---
U FAIL #2: - Why do you *THINK* I put "remote registry" running as a LocalService for? It can still function that way, but not as a SECURITY RISK anymore (I cut it off totally in fact, set disabled actually, but if it were to be activated again by some interloper malware, it'd be SAFE(r) because it was set as "LocalService" logon entity - "get it"?):
"Anyway, in this section, you say you've personally tested all these services, and know they run fine under the different account. One you list for running under LocalService is the Remote Registry service. I can guarantee you that this service does not run properly under LocalService. Sure, it will run, but its entire functionality is nullified, because the whole point of the service is to provide remote access to the registry in domain/remote admin situations, and the LocalService account has no network privileges" - by cbiltcliffe (186293) on Thursday July 14, @06:43AM (#36760610) Homepage
Hence, my point above, lol... SO, that all "said & aside": WHAT WAS YOUR "so-called POINT"?
---
"Of course not. You're not worth the effort, as you're an ineffectual, intellectually deficient waste of skin." - by cbiltcliffe (186293) on Thursday July 14, @06:43AM (#36760610) Homepage
LMAO - post the wrong link & tell another LIE here? Of course... that's just what you do!
---
"I have done some work for Siemens and BMW, though, both of which I'm sure you've heard of." - by cbiltcliffe (186293) on Thursday July 14, @06:43AM (#36760610) Homepage
Let's see, here is a list of mine (both fulltime & contract in LARGE companies, some are Fortune 100-500 over time):
Lockheed Martin (coding)
AXA MONY (forensics & security work)
NEC (coding)
NCR (coding)
CableVision (network technician @ NOC)
BellSouth (during Olympics 1996 contract to setup RAS gateways)
IKON (tech)
Goulds Pumps (coding)
Burger King
McDonalds
Boston Market
"Read 'em & weep" & from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml
(In fact, I was one of, IF NOT *THE* FIRST PERSON DOING IT OUT THERE + telling others to do so, for speed AND SECURITY GAINS, & have documented PROOF of it right there from "the wayback machine")
And, You're trying to "preach to me" on how/why it's done?
LMAO - UTTERLY Hilarious!
"I'll tell you: Having programs or services running that are not necessary, have no function, and are not used." - by cbiltcliffe (186293) on Thursday July 14, @06:43AM (#36760610) Homepage
You're "preaching to the choir" boy... &, I mean *THE* choir on THAT ACCOUNT (the original, here).
* Unbelievable...
(You are really messed up and cannot read properly, & say things that are such TOTAL bullshit, without thinking WHO IT IS YOU'RE SPEAKING TO, that it's unreal!)
MOST especially In THAT area?
I am probably THE ORIGINAL LITERAL AUTHORITY & can show it from way, Way, WAY BACK in time no less as I have now!
---
"While you've been reading this post, 43 new malware domains have been registered that you missed putting in your hosts file, because you were reading this post, instead. You're vulnerable. OH NOES!!!!" - by cbiltcliffe (186293) on Thursday July 14, @06:43AM (#36760610) Homepage
I don't miss any from 17 reputable & reliable sources for HOSTS &/or DNSBL data, and I don't even have to raise a finger anymore since I wrote the Python program automator of it for myself...
See - in case you haven't noticed and I doubtless doubt you have, since you've shown your reading comprehension sucks?
Since we've been in this debate for a few days now??
I've added like 4,000++ new known bad sites/servers/hosts-domains (and IP addresses to my firewall rules tables in software (Windows native one)) to my HOSTS file & I tend to post the # of blockages each time I post it...
It happens here, completely "AutoMagically" too, since I automated it years ago (Delphi first) & then into Python code (multiplatform too) months back!
(Yes - U FAIL AGAIN, per your usual, on ALL accounts noted, & with proofs showing, like below in my p.s. as well!)
APK
P.S.=> Still, You putting words in others mouth they never said, as you did to myself, which you ran from proving them? Bogus & lame...
That, as well as YOU screwing up after admitting I use RC tools vs. Ring 0/RPL 0/kernel mode portions of this threat in its ROOTKIT portion which you admitted works, & then saying I use ProcessExplorer to kill the rootkit later when I don't @ all (ProcessExplorer's used for malware it hauls in that runs the botnet portion in Ring 3/RPL 3/Usermode)
Please... lol!
It's as bad as when YOU said I use TcpView &/or ProcessExplorer to DETECT ROOTKITS, which you cannot produce a quote of my saying THAT either!
Man... U FAIL there and YET AGAIN HERE TOO, & that's all here in my last post to you with backing quotes from yourself & sources of my words too:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36758338
... apk
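The post above describes automating the merge of many HOSTS/DNSBL feeds into one hosts file. What follows is an added example of that kind of aggregator, written for this page; it is not APK's Python automator or any tool from the thread, and the two feeds embedded in it are constructed samples, not real blocklist data. It handles the two feed shapes a practitioner actually meets (hosts format and bare domain lists), strips comments, case-folds and de-duplicates names, refuses the loopback entries feeds carry for their own use and anything that is not a valid multi-label hostname, honours an allowlist, and rewrites only a marker-fenced block so hand-written hosts entries survive the next run. The sink address 0.0.0.0 and the marker strings are choices made for this example.

```python
"""Merge several blocklist feeds into one hosts-file block.

Feeds arrive in two common shapes: hosts format ("0.0.0.0 evil.example")
and bare domain lists (one name per line). Both are normalised, validated,
de-duplicated and rendered between marker comments so the block can be
swapped out wholesale on the next run without touching hand-written entries.
"""
import ipaddress
import re
from typing import Iterable

# One DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Names that feeds in hosts format carry for their own benefit; never block these.
SKIP_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
              "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}

# 0.0.0.0 rather than 127.0.0.1: nothing can listen there, so blocked lookups fail
# fast instead of reaching whatever happens to be bound on loopback.
SINK_ADDRESS = "0.0.0.0"
BEGIN_MARK = "# BEGIN blocklist (generated)"
END_MARK = "# END blocklist (generated)"


def is_valid_hostname(name: str) -> bool:
    """Accept only multi-label names made of RFC 1123 labels."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:            # single labels (e.g. "localhost") are never blocked
        return False
    return all(_LABEL.match(label) for label in labels)


def extract_hosts(line: str) -> list[str]:
    """Return the hostnames named on one feed line; [] for comments, blanks, junk."""
    line = line.split("#", 1)[0].strip()   # drop trailing comments
    if not line:
        return []
    fields = line.split()
    try:
        ipaddress.ip_address(fields[0])    # hosts format: address, then one or more names
        names = fields[1:]
    except ValueError:
        names = fields[:1]                 # bare domain list: first token is the name
    return [n.lower().rstrip(".") for n in names]   # fold case, drop trailing root dot


def merge_feeds(feeds: Iterable[str], allowlist: Iterable[str] = ()) -> list[str]:
    """Union of all valid names across feeds, minus an allowlist, sorted for stable diffs."""
    allowed = {a.lower().rstrip(".") for a in allowlist}
    names: set[str] = set()
    for feed in feeds:
        for line in feed.splitlines():
            for name in extract_hosts(line):
                if name in SKIP_NAMES or name in allowed or not is_valid_hostname(name):
                    continue
                names.add(name)
    return sorted(names)


def render_hosts_block(names: Iterable[str], sink: str = SINK_ADDRESS) -> str:
    """Render names as hosts lines fenced by the BEGIN/END markers."""
    body = [f"{sink} {name}" for name in names]
    return "\n".join([BEGIN_MARK, *body, END_MARK]) + "\n"


def replace_block(existing: str, block: str) -> str:
    """Swap a previously generated block for a new one, or append if none is present."""
    start = existing.find(BEGIN_MARK)
    end = existing.find(END_MARK, start if start != -1 else 0)
    if start == -1 or end == -1:
        sep = "" if not existing or existing.endswith("\n") else "\n"
        return existing + sep + block
    end_line = existing.find("\n", end)
    end_line = len(existing) if end_line == -1 else end_line + 1
    return existing[:start] + block + existing[end_line:]


# Constructed sample feeds (not real blocklist data); .test is a reserved TLD.
FEED_HOSTS_FORMAT = """\
# constructed sample in hosts format
127.0.0.1 localhost
0.0.0.0 ads.example.test         # comment after the entry
127.0.0.1 tracker.example.test Tracker.Example.Test
"""
FEED_DOMAIN_LIST = """\
# constructed sample as a bare domain list
ads.example.test
cnc.example.test.
not a hostname!
"""

if __name__ == "__main__":
    merged = merge_feeds([FEED_HOSTS_FORMAT, FEED_DOMAIN_LIST])
    hosts = replace_block("127.0.0.1 localhost\n", render_hosts_block(merged))
    print(hosts, end="")
```

Two caveats a practitioner would add. A hosts file only affects name lookups that pass through the operating system's resolver; a connection made straight to an IP address, or by code that carries its own resolver, never consults it, which is why the post pairs it with firewall rules and filtering DNS. On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and is writable only by administrators; write the new contents to a temporary file and rename it into place so the resolver never reads a half-written file.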
An even earlier link, from 1997-2001:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36761268
From "The wayback machine" no less...
"Guess neowin didn't think it was important enough to keep around, huh?" -
No biggie, it went on to "bigger & BETTER things":
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
Much bigger & MUCH better... as well as more comprehensive: AND YOU CERTAINLY HAVE NOT DONE BETTER, now have you? Nope...
---
"Really? You're trying to secure telnet 3 years ago? Anybody with a lick of sense hasn't been using telnet at all in any environment with secure requirements for well over a decade, and 3 years ago you're giving advice on how to secure this decade-broken, unsecurable protocol?" - by cbiltcliffe (186293) on Thursday July 14, @10:10PM (#36771200) Homepage
Actually, that's a remnant of my OLDEST guide, see link @ the top, from 1997-2001, but, it's there "just in case", that's all... so, your "point" is again, moot.
AND YOU CERTAINLY HAVEN'T DONE BETTER YOURSELF IN SUCH A GUIDE, now have you?? Nope again...
---
"The first section of this thread shows this information actually comes from " a Mr. Markuss Jansson on his point on TELNET service", and "He also has more on things like "EFS" (encrypting filesystem) ". - by cbiltcliffe (186293) on Thursday July 14, @10:10PM (#36771200) Homepage
Yes, but the other methods are mine... & they work, just as his do. The point was NEVER ABOUT MYSELF, it was to help others vs. the possibility of attack on any front I could think of... that's all!
And, of course, once more - YOU CERTAINLY HAVEN'T DONE BETTER YOURSELF IN SUCH A GUIDE, now have you?? Nope yet again...
---
"In it, you recommend to run the Remote Registry, and telnet (which I didn't notice the first time) as the LocalService Account, rather than LocalSystem. You do not recommend to turn them off, as you claim in your post I'm replying to." - by cbiltcliffe (186293) on Thursday July 14, @10:10PM (#36771200) Homepage
NO, it's stated to turn it to "manual" which unless you INVOKE IT, does not run... trying to put words in my mouth I NEVER SAID YET AGAIN?
(You're so dumb you can't be real... lol, the "2 prime examples" of you doing that earlier are in my p.s. below & U RAN FROM THEM!)
LMAO!
---
"But that's the whole point. It can't function that way. Its function requires network access, which running as LocalService denies. It will not work for its intended function. Same with telnet. Both services cannot function that way, at all." - by cbiltcliffe (186293) on Thursday July 14, @10:10PM (#36771200) Homepage
Which IS MY POINT - to secure them, even if "set to manual", those services cannot be accessed remotely if set to another logon entity (in this case, LocalService).
So once again like usual, your "so-called point"? Moot & nullified, easily...
---
"let's assume for now that you completely messed up your security guide, and you actually meant to have people turn this service off, which is not at all what you said" - by cbiltcliffe (186293) on Thursday July 14, @10:10PM (#36771200) Homepage
No, let's not ASSUME anything - I show folks how to effectively nullify potentially dangerous services is all, & you even ADMIT that my methods do so, easily enough!
(This is your "big problem", you ASSUME things (see my p.s. below, those are your two HILARIOUS blunders!)).
---
"You really do have no comprehension of reality at all"
KNOWN bad sites/servers/hosts-domains, botnet C&C servers, & bogus DNS servers? I am, guaranteed...
Via layered security at the HOSTS file level alone!
The rest is done by:
Norton DNS (filters the SAME STUFF as my hosts does)
OpenDNS (another DNSBL filtering DNS system)
ScrubIT DNS (yet another filtering DNS system)
Firewall rules tables vs. IP address based examples of the same here...
My layered security guide's practices as well:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
Which produce results the likes of these testimonials attest to:
---
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"It's 2009 - still trouble free! I was told last week by a co-worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral
AND
http://forums.theplanet.com/index.php?s=80bbbffc22d358de6b01b8450d596746&showtopic=89123&st=60&start=60
"The use of the hosts file has worked for me in many ways. For one it stops ad banners; it helps speed up your computer as well. If you need more proof, I am writing to you on a 400 hertz computer and I run with ease. I do not get 200++ viruses and spyware a month as I used to. Now I am lucky if I get 1 or 2 viruses a month. If you want my opinion, if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spyware, but if you do get hit