Massive Botnet "Indestructible," Say Researchers
CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"
Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.
Some operating system vendor is going to have to be sued for damages and lose before this ever stops.
Just wait for the next massive solar storm...
Putting the thing in the MBR just means you can't intercept it during boot.
It doesn't for a second mean it's invisible.
Man, can't they detect a modified MBR nowadays? I even had mainboards which detected a modified MBR upon boot. So where's the problem?
Sounds like a challenge...
Reality has a liberal bias
Just wait till it faces blue kriptonite
Does it run Linux?
We don't see the world as it is, we see it as we are.
-- Anais Nin
Collect botnet creators. Apply one bullet to head. In public.
Repeat.
Nothing else will stop the leeches.
I do not fail; I succeed at finding out what does not work.
Somehow I think that's the least of their concerns.
Give me Classic Slashdot or give me death!
What if someone wrote malware that would run a VM from the boot sector, and then ran your existing OS from the VM? That way it wouldn't matter what OS you used, it could still access your system in the background.
There's no -1 for "I don't get it."
And this is why. People are completely unable to understand anything about the operation of their computers.
No, Linux would not solve this. If magically tomorrow every single Windows box was Linux instead, socially-engineered malware would appear the next day.
Apple tries to protect the system from its own user. That's probably the way of the future in general, sad as it is to say.
Microsoft knows their OS better than anyone. For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines, disable the rootkit, and alert the user.
It would be a little bit of work for MS, but isn't this kind of service that you'd expect to get from a vendor that stands behind its products?
You were mistaken. Which is odd, since memory shouldn't be a problem for you
In 2004 my cousin had malware that hid in the partition table, and even a fresh format and Windows reinstall couldn't get rid of it. Only a good DOS fdisk that deleted the table, followed by a format and reinstallation, did. Today evil malware can hide both in the shadow volumes of restore points, to reinstall itself and avoid detection, and also in system recovery partitions, so a fresh OS reinstallation will reinstall the malware. Fun times.
http://saveie6.com/
Technically speaking, that's pretty awesome. I know they're bad guys, but some props to them. They're geek bad guys, and they've done some fine work here.
Isn't command and control the antithesis of indestructability? Any software that can be patched can be destroyed.
For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines
But how? The virus hides its first stage in the MBR and is launched *before* the OS. By the time Windows has started, the computer is *already* compromised; the virus is already running and can do all the tricks it wants to hide itself from the running system, or to alter the software being run.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The president and congress can just use the commerce clause in the constitution to force everybody to buy an officially approved operating system and anti virus program..
There, see? Problem solved
For justice, we must go to Don Corleone
I work at a computer repair shop.
We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR has been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...
Curious Yellow was bound to happen sooner or later. I was wondering what was taking botnet authors so long, and why they were relying on a centralized system like DNS for coordinating their bots.
The fact that the software maintains itself peer-to-peer is also its greatest weakness, because it allows any infected node to identify other infected nodes. So, you set up a number of honeypots and use those to identify infected machines. You then strongarm those machines' ISPs to disconnect their customers until they get their shit together.
Yes, the whole "strongarming the ISPs" thing is a flaw in the strategy since it hasn't really been successful to date, but I'm sure Microsoft can come up with a legal solution to that little hitch.
Think of how they got Al Capone. Nothing would make federal prosecutors more interested in the GPL than if they thought it was the best way to nail a bad guy.
BTW, I like the idea of malware coming with a GPL license agreement and link to the source code.
All that law enforcement needs to do is to purchase payload delivery on the botnet and include commands to delete Windows from each offending PC. Alternatively, they just need to place copyrighted material on each host and send in the MPAA and RIAA with infringement notices. That should get the job done.
When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.
To detect it, run the latest version of GMER.
http://www.gmer.net/
To remove it, you need to run a series of three scanners in this order:
TDSSkiller
http://support.kaspersky.com/viruses/solutions?qid=208280684
Combofix
http://www.bleepingcomputer.com/download/anti-virus/combofix
and Malwarebytes' Antimalware
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1
Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.
As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my clients' systems because I was convinced there were unknown Flash exploits.
-Z
or something like that, because linux machines are constantly running grub to rewrite the bootsector
you could rewrite part of the kernel binary so that it would lie to grub i guess.
or you could rewrite the grub binary to lie to the user.
those two things are kind of non-trivial because linux is incredibly diverse.
now that i think of it, perhaps Windows becoming 'diverse' is a way to prevent some of this junk from happening.
I had a bit of trouble removing it with TDSSKiller a few weeks ago, but got there in about half an hour.
If it won't run you will need the file association reset tool.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Your posts read like mental disorder, but I think it'd be fascinating to hear if you actually speak aloud in stilted, gratuitous
. I imagine you sound something like a cross between William Shatner and the pork chop sandwiches kid.
Anyone else morbidly curious?
Z34107
PS => I'll pay for your bus ticket to come speak on the proper use of the hosts file.
...z34107
DATABASE WOW WOW
Infected emails?
Hacked website or ad provider serving out drive-by-downloads?
Compromised IM accounts?
All of the above?
Personally I think someone needs to write an "Internet Security for Dummies" book that uses real world analogies to explain internet security concepts to clueless people. For example, it could compare leaving your front door unlocked to not having a firewall. Or it could show real-world things that most people would never do (give their credit card or bank details to a total stranger because the total stranger promised money) and then explain that doing the same things on the Internet is just as dangerous.
Or it could show that buying pills from an online site advertised in a spam message is just as risky as buying them from a guy in a back alley. Or whatever.
Give it a scary sounding title and blurb to scare people into thinking the internet is really dangerous (which it is if you don't know what you are doing) and get them to pick up the book.
* Nice part about the "heart of it" in the HOSTS file + Norton DNS is that even IF I were to 'suck in' this beastie? As soon as they get its C&C servers, I get them... every 1/4 hour, & it won't be able to "talk back to HQ"...
Until you realize that malware can change the DNS settings of the interface directly, so while you think you're using Norton DNS, you're actually using InfectedSpywarePOS DNS.
"City hall" in German is "Rathaus" Kinda explains a few things......
That's OK. MS can just "lock'er down" like some of the competition, make 'er proprietary, claim IP, hire the codebreakers, turn-the-tables on the courts over accessibility and O/S binding and no-one can touch the MBR. Not allowed. But wait..... the MS whiners...
May the lies we live by make us strong, healthy, happy and wise - Kurt Vonnegut.
This is one option, but another is that people like the BSA will use it as an example of how "evil" free software is. When in doubt, public opinion tends to go the way of lobbyists.
You could also run Grub from a LiveCD or a LiveUSB. If you are worried about the botware modifying the programs you use to create these then you could donate a few dollars to a distro you want to support and have them send you a LiveCD.
There is strength in this simple modularity as well as in diversity.
now that i think of it, perhaps Windows becoming 'diverse' is a way to prevent some of this junk from happening.
What better way to make Windows both diverse and modular than to make it open source?
I would say it is the first of its kind, but you will only ever need one like it, so it is TEH botnet coded and maintained by Chuck Norris. Totally indestructible, Skynet is jealous. OMG phear dis one nothing will evar be betr lol
This is a hacked account, for which the owner can not be held responsible.
It's possible with an IOMMU. Most desktop systems don't have one, except for some Intel chipsets that are marketed to businesses.
For instance the Lenovo Thinkpad T400 has one.
http://en.wikipedia.org/wiki/IOMMU
You write like Steve Gibson on meth. Hey, you are an AC...
Sounds like you have a lot of fun maintaining your defenses. I remember keeping up with that sort of thing back in the day. Then in 2003 I switched to Debian and haven't had to worry about malware since.
I'm amazed by the time and effort people spend to defend against malware when the best solution is so obvious. 'You can lead a horse to water..."
Maybe the problem is that some people enjoy "the game" so much that they wouldn't know what to do if they stopped playing.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Don't hire any of the above bloodthirsty "Three infections, max - and then smoke 'em!" types. Won't do to be euthanizing people the third time they catch a cold...or a venereal disease.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
Unless it's a massive bitcoin mining operation or some actual spyware of the sort which steals credit card data, there's not a lot I can think of that they would want those machines for which would be able to work with entirely encrypted communication. In particular, if they're spam zombies, the flood of email should be a clue.
Then again, there is the problem of knowing that a given attack was a DDoS, and knowing whether a given machine which participated in that attack was a botnet zombie or a legitimate user with bad timing.
Still, if there's a way to single these machines out, I agree with the original poster -- join a botnet, get disconnected.
Don't thank God, thank a doctor!
Virtual Machine
Religion is what happens when nature strikes and groupthink goes wrong.
I don't think they are distributing their code so are not in violation of the GPL, you may have their code on your computer but you cannot make use of it. It's more like you have provided them with CPU and ISP resources so let's hope you have the source code to all the GPL stuff you have distributed to them.
Actually the amount of copying between the various interlinked crossed messages indicates some sort of automated content generation.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
... Is always the people, not the technology.
Instead of spending time trying to disarm the worm, do a regular investigation (i.e. simulate that you are someone willing to pay to use the botnet) and get the name of one of the builders. Trying to attack the botnet itself is a waste of time and resources.
Those of us who have worked in the anti-spam world for decades have been predicting this for many years, so it's hardly surprising that we've turned out to be right. Again. It's the inevitable consequence of the non-security of Windows. There is of course no reason to believe that this is the ONLY such botnet. (And if it is? It won't be for long.) With something on the order of 200 million compromised systems on the Internet, botnet builders have plenty to work with. What IS surprising is that so very few have been able to wrap their heads around the obvious and direct consequences of this state of affairs. For example, all click-based metrics are complete nonsense: anyone in control of a botnet of substantial size can alter them at will. For another, it is ludicrous to pretend that any email address can be kept "private", once used. And for a third, courts really do need to recognize that "X's computer did something" is in no way indicative that "X did something" -- a fact that should significantly alter much of the litigation underway. And this is only the beginning. It's going to get much worse.
It seems to me the problem is really just that TDL-4 etc. can depend on the MBR being in the same place on all computers. Manufacturers should take a page from communications and "spread spectrum" the MBR over different sectors, and make those sectors unique to each drive. Make sure the sequence of sectors is not readable from the net. Perhaps change the sequence from power up to power up. End of problem.
E Proelio Veritas.
Just make everybody switch to apple computers and the botnet is immediately worthless, along with 99.9999% of the malware out there.
You're welcome.
-Steve
When did that happen? The original scanners checked only the MBR and now they do not look at all? That would be pretty stupid.
Also, what about alternative MBRs? Does this thing keep a GRUB installation intact? And how does it hide in memory?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
To everyone else, I give a Linux box.
];)
Regards;
Why sign all your messages but not make an account? Wouldn't an account make it much easier to keep track of what you've posted, and notify you when people respond?
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
From my Windows experience with viruses, the safest way IS to nuke it from orbit; it's the only way to be sure.
Clean install. It really is too bad you can't get free updated install disks from MS... as a clean install isn't the pain in the ass, it is updating all your service packs and updates, and drivers, etc.... which you have to connect to the internet for, exposing yourself before you're fully patched. Never made any sense to me considering MS's business model.
Windows or any other OS can detect this on start-up
No.
At start-up the system is already compromised.
If the Windows loader checks the MBR with BIOS calls, it might be getting translated. ...from here on it's a cat and mouse game between Microsoft trying to come up with newer ideas to check for presence, and the virus writer creating newer versions that can also circumvent this new check.
If the windows system tries to check some content, nothing guarantees you that the drivers (hard-disk, filesystem, etc.) used to do so aren't compromised too.
If the system tries to compare driver checksums, it's not guaranteed that the comparer itself isn't corrupted (that the "good checksum list" or the public key used to check signatures wasn't overwritten)....
And modern botnets have an additional advantage : they can update their code while running. That means that, as soon as the virus authors find that microsoft uses a new check, they can send the new virus version to all the already infected machines. Copies running "in the wild" can be upgraded to the latest circumvention scheme, at the same pace as microsoft is writing them.
Once again : a compromised system can't be trusted anymore. Anything you can come up as an idea, could have been overwritten by the version of the virus running on your machine.
unless it is a full-fledged blue-pill
Virtualisation is one solution. Corrupting drivers (and checksum lists and public keys) is another.
But you cannot squeeze something like that into the MBR, far too little space.
You can't also fit GRUB in the MBR, nor the Windows kernel. You never could.
Booting is a staged process. The MBR is definitely too small for everything, including for legit usage.
The MBR loads a later stage from a known fixed place (with DOS & Windows it's a regular file in a fixed position; with GRUB, patches to make BIOS support big drives, and viruses, it's unused sectors between the MBR and the first partition).
This space is still too small for the whole stuff, but it can contain better file/data access features (that's GRUB's stage 1.5, or Linux's LILO).
So it can load the stage after that from any file, from a hidden file system, whatever the author chooses and that can contain everything you need (the whole GRUB, the whole virus, the OS kernel, etc.) including full R/W filesystem access.
From that point on, you can have enough complexity in place, either to fire up a hypervisor, or to overwrite some critical files in order to go undetected, or check to be sure that the network-payload is still on the "Run after start-up" list, etc.
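The staged-boot description above, together with the earlier question of whether a modified MBR can be detected at all, is easier to reason about with an offline parser in hand. The following is an added example, not code from any of the posts and not the logic of TDSSKiller or GMER: it splits a 512-byte MBR into boot code, partition table and 0x55AA signature (the standard MBR layout), compares a SHA-256 of the boot code against a baseline recorded from a known-clean boot, and lists non-zero sectors in space that no partition claims, i.e. the gap between the MBR and the first partition that the comment mentions, plus any slack after the last partition. The sample disk images, the boot-code bytes and the baseline hash are constructed for the demonstration and stand in for real disk contents.

```python
"""Offline MBR integrity check (added example, not code from the thread).

Parses a 512-byte MBR, hashes the boot-code region, and scans unpartitioned
sectors for non-zero content.  The sample images at the bottom are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 of the MBR hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_mbr(mbr):
    """Return the boot code, the non-empty partition entries and the signature."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        (status, _, _, _, ptype, _, _, _,
         lba_start, sectors) = struct.unpack("<B3BB3BII", mbr[off:off + 16])
        if ptype != 0:
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": partitions,
            "signature": mbr[510:512]}


def boot_code_sha256(mbr):
    """Hash only the code region; the partition table legitimately changes."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def unpartitioned_ranges(parsed, disk_sectors):
    """LBA ranges [start, end) covered by no partition: the gap after the MBR
    and any slack after the last partition."""
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                  for p in parsed["partitions"])
    ranges, cursor = [], 1           # sector 0 is the MBR itself
    for start, end in used:
        if start > cursor:
            ranges.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        ranges.append((cursor, disk_sectors))
    return ranges


def nonzero_sectors(disk, ranges):
    """Sectors inside the given ranges that hold anything other than zeros."""
    hits = []
    for start, end in ranges:
        for lba in range(start, end):
            if any(disk[lba * SECTOR:(lba + 1) * SECTOR]):
                hits.append(lba)
    return hits


def audit_disk(disk, known_good_hash):
    """Run all checks on a raw disk prefix and return the findings."""
    mbr = disk[:SECTOR]
    parsed = parse_mbr(mbr)
    ranges = unpartitioned_ranges(parsed, len(disk) // SECTOR)
    return {
        "signature_ok": parsed["signature"] == SIGNATURE,
        "boot_code_ok": boot_code_sha256(mbr) == known_good_hash,
        "unpartitioned": ranges,
        "suspicious_sectors": nonzero_sectors(disk, ranges),
    }


# --- constructed sample images; not real disk contents --------------------
def build_image(boot_code, first_lba=34, total_sectors=64, hidden=()):
    """One primary NTFS-typed partition leaving 4 sectors of slack at the end;
    `hidden` sectors get filled with a fake second-stage loader."""
    entry = struct.pack("<B3BB3BII", 0x80, 0, 0, 0, 0x07, 0, 0, 0,
                        first_lba, total_sectors - first_lba - 4)
    mbr = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + SIGNATURE
    disk = bytearray(mbr + b"\x00" * SECTOR * (total_sectors - 1))
    for lba in hidden:
        disk[lba * SECTOR:(lba + 1) * SECTOR] = b"\xe9" * SECTOR
    return bytes(disk)


CLEAN_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"      # placeholder for a vendor MBR stub
CLEAN_IMAGE = build_image(CLEAN_BOOT)
BASELINE = boot_code_sha256(CLEAN_IMAGE[:SECTOR])  # record this from a known-clean boot
INFECTED_IMAGE = build_image(b"\xeb\x3c" + CLEAN_BOOT, hidden=(20, 21, 62))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(name, audit_disk(img, BASELINE))
```

To use it on a real machine, read the first few MiB of the raw device (for example `open("/dev/sda", "rb")` with root from a live CD, or the drive mounted in another box) and pass that to `audit_disk`. As the thread points out, a read issued from inside the infected OS goes through the same disk driver a rootkit may have hooked, so the result is only meaningful when taken from outside. Non-zero sectors in unpartitioned space are not proof of infection on their own (GRUB legitimately uses the gap, as the comment notes), which is why the check compares against a baseline rather than flagging any content.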
That's great, can you answer me with more logorrhea please?
Here's a lesson for you:
#!/usr/bin/env python
print("How to reverse in Python"[::-1])
Haha, I was actually going to refute some of your claims about Linux, but a few minutes of googling uncovered that you are an EPIC INTERNET TROLL!
So, APK, or cybordeath, or AlecStar, or Alex, or Alexander--I suspect APK are your initials, but I've had enough of googling you: game over.
No wonder you're an AC on here. I wonder how many times you've been banned from Slashdot. Your karma must be as low as possible.
You've been told this before on other forums, but I'll say it again: In all seriousness, you need to see a psychologist. We all have problems, but you show signs of extreme OCD, paranoia, egotism, delusion...I could go on. Your life would likely be much happier if you could get help to deal with these issues and overcome them. I suspect that you have so much free time to carry on these online campaigns because you have trouble holding down a job. Maybe you're on disability. I honestly feel sorry for you. I even wonder if you were in a wreck or something years ago and suffered brain damage, causing a severe personality change.
Anyway, I hope you will seek help and begin to change your life.
You far overestimate what can be done from the MBR. The system is not "compromised" at all at that stage, the second step of the booting process is.
I'm not saying that you can completely hack a machine with the 200 free bytes for custom code in a boot sector.
What I'm saying is that if your code is running first, you can decide what will happen next.
Even if the "big stuff" only happens 7 stages later down the line, you get to choose what happens in the 5 stages in between, if you already control stage number 1.
Even if none of these stages can do great things for you, the same is also true for the legit code. A viral MBR can't do much except redirect the boot process to viral stages. A legit MBR can't do much either. Same for later stages. Except that your code was running first and you get to overwrite the legit code first, before it runs.
What it can actually do is limited. In Linux, e.g., it would need to uncompress and then patch the kernel in memory. This is slow and very, very difficult.
Sorry, no. *You* apparently have no idea.
Uncompressing the kernel is something which happens in a split second at every boot.
The first 512 bytes of a kernel (Linux, Memtest, and a few others) already contain enough code to do it without any problem. You can write the kernel directly on a bootable medium (say on a floppy) and it will boot (that used to be the case for the Linux kernel, before it became too complex to fit on a floppy; it's still one possible way to load memtest).
Something as small and as simple as GRUB already has enough functionality to freely read and (in-place) write any file on a partition. That's already enough functionality to make sure that the content of a few key ".SYS" files in Windows is overwritten with content coming from a few other files of viral origin before booting further.
These files can reside on the boot partition (and be subsequently hidden by the hacked file system drivers) or on a separate hidden partition (which could be hidden too, using a hacked disk driver) like overwriting the "System tool" partition that most modern boxes come with out of the factory.
All it takes is that, instead of running the vanilla NTLDR or Winload.exe, the previous viral stage (the one booting from the free sectors) loads an alternate boot loader, one that first overwrites critical
Again, GRUB is also able to load and uncompress a kernel, then load and optionally uncompress modules (although this function isn't much used by Linux; ReactOS does use it extensively though), and finally load a ramdisk (which is quasi-instantly decompressed during boot).
A viral stage2 bootloader code could load the kernel, load and inject a special "root-kit" module, load the ram disk and let the whole stuff run.
The Linux kernel has several facilities to allow modifying code in-place. Modules are a standard way. Root-kits as modules are a standard attack on Linux. Normally they are hard to do, because once Linux is running you need privileges to load modules, and the module functionality might have been disabled at this stage for security reasons. Before booting, injecting a root-kit module is just trivially using the facility used to pre-load modules.
Counter measures could be disabling support for bootloader-provided modules, or adding a checksum control in the first step of the kernel startup.
Evasion could be putting the root-kit module inside the ram-disk, or using an alternate kernel (with no checksum, or with the root-kit built in statically).
The Windows booting process even *COUNTS* on lots of files and modules being loaded: system .DLL files, SCSI miniport, other boot-critical .SYS drivers ...
Hacking windows's boot process is as simple as either making sure at a previous stage that the critical
I'm curious: Please explain how quoting me backwards makes me look bad. And please explain how it is a form of reverse psychology.
Actually, I never mentioned Ars Technica--you did.
Actually, my typo was not in the Python code, but in the shebang. It's a Unix thing. The Python code works "JUST FINE".
Please explain which Python exceptions your code could raise.
Please explain how quoting me backwards makes me look bad. I think it makes you look silly and childish.
Please explain how typing in ALtErNaTiNG CaPs makes you appear mature.
I have a challenge for you: Write a reply: 1) without using bold text, 2) without using alternating caps, 3) without using @'s or ampersands, 4) without using horizontal lines, 5) without a postscript (those make no sense online because you can backspace--they are for paper correspondence where one can't change what he's written), 6) without claiming or insinuating that you are a superior being. In other words, write without vitriol, without hyperbole, without insults--the way a normal, reasonable person would write. I am skeptical that you can even do it.
By the way, what drugs do you use, and how long have you been using?
Surely we only need your hosts file trick to fix this problem, right apk?
No?
One might think it was the cure-all for every IT issue, from the number of times you vomit that rubbish up.
..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?
No. You stated that "if" you were to suck in one of these, then the update to Norton would prevent it from being able to talk back to it's C&C.
Well, once you've got one, you can't trust the DNS servers that are shown in the NIC config GUI, because you're infected.
Admittedly, as you've said, the chances of you getting something is significantly diminished due to your diligence. But you're sounding a bit cocky right now, as if you think it's impossible for you to get infected, rather than just unlikely.
What you're forgetting is that Norton DNS updates, HOSTS file updates, and everything else you can do to prevent connecting to known malicious domains are all reactive. Meaning someone has to update that list between when the domain begins distributing malware and when you try to hit it. If you try to hit it before the list is updated, all bets are off.
You ignored my challenge, so I will ignore all of yours.
... have YOU done better, troll?
You're a cocksucking douche. Yes, that sounds like flamebait.
It's not. It's the truth.
You know absolutely jack shit about me, and when I call you out on a completely illogical statement you made, you start going back to previous things that you've done, and how "you must be right because look at your credentials!"
Ever heard of the appeal to authority logical fallacy?
I don't give a damn what you've done, and how many security guides you've authored.
When your machine is infected, you can no longer trust your DNS settings. Period. End of story.
Saying that you check them is irrelevant.
Now, as to what I've done in this area? Well, let's see....I am the author of an anti-malware tool that uses 40+ different antivirus engines to scan a machine. It does this scan offline, rather than within the infected system, and I can do it remotely, over the Internet. This, of course, means I can use this system to remove rootkits remotely, even on a computer that will not boot.
Remote service on a computer where Windows (or for that matter OSX or Linux, too) will not start. Gee. Have you done better, troll?
You're still not getting it, because you're still running all your diagnostic utilities within the infected system.
How do you trust the TCP connections listed in TCPView (which is a great program, by the way) when TCPView itself is running on an infected system? A rootkit will hide its own network connections from this program.
"My code's in commercial software, so you must bow before me, as I know what I'm talking about, because my code's in commercial software."
Yet again, the appeal to authority logical fallacy.
Not only do you not understand how malware can screw with your system, but you can't argue for shit.
When you'd rather reverse the text of what I said than actually argue the point I've stated, repeatedly, and has been ignored by you every single time; instead preferring to rely on your record of software that you wrote years ago.....
You just don't get it. You can call me a troll all you want, but your head is in the sand. You refuse to even acknowledge my point, let alone refute it, which leads me to believe you either do not have facts to support your position, or maybe that you don't even understand my point.
If you refuse to debate the issue at hand, which has been repeatedly stated by myself, then you're not worth wasting /. database space on.
And in answer to your question "Is mine in commercial software?"
This particular software of mine is used in an entire commercial service, which has been used in various parts of the world, to clean malware from infected machines. This service/software is used by other commercial entities as a better alternative to virus scanners traditionally used on a single scan/online basis by computer service companies. This software and service hasn't been reviewed by some computer magazine editor who knows jack about the industry, but rather by techs who actually use this type of thing in the trenches, as one of the best, if not the best malware detection program they've ever seen.
As to other software? Yes, I've written a bunch. But your idiotic debate methods aren't worth wasting my time on.
I'm perfectly aware of DNS blacklists and the host file, thank you very much.
Apparently you can't read, however. My post had nothing to do with the hosts file. You keep harping on your custom hosts file, rather than actually READ what I WROTE.
Maybe you could actually TELL ME how YOU propose to detect a ROOTKIT running on an infected system with TCPview, which is what I asked in the first place.
And ON TOP of that , maybe YOU COULD stop with the annoying CAPS and bold changes, as they make your posts even harder to read than your tortured logic does.
Since this thing hauls in other malware to attack you with? It's "INSIDE" Troy, so-to-speak... & any LOCAL EXPLOITS, become ESSENTIALLY, remote ones
Nope, they don't magically become remote because you say so. They're still local, and they're still being exploited locally.
You still need to get inside troy first.
Plus - Rootkits ORIGINATED in UNIX, and they do exist for Linux...
Your point?
plus, ANDROID shows you all that Linux can be exploited as well
Android's a lot different than desktop Linux. Unless they're exploiting the kernel, I'm not sure I see your point here.
And how many Android exploits are actual drive-bys? How many could've been avoided simply by not installing something?
Don't thank God, thank a doctor!
You put a LOT OF FAITH in Chrome's sandbox?
I don't put faith in anything.
Hey - Sandboxes CAN and HAVE BEEN BROKEN (you even alluded to that much)!
Thus, layered security.
But then, what kind of breaks have we seen? Plugin exploits.
You're also NOT accounting for the other parts of Linux that come in the distro itself that have bugs that are NOT SANDBOXED!... All those things that come in a Linux distro, that YES, have security bugs/issues themselves that CAN be taken advantage of (remote AND LOCAL ones).
Be specific. Which of these actually have legitimate remote exploits? I mean, you mentioned Unity, which is laughable. What is Unity doing accessing the network in the first place?
And please try not to confuse local exploits with remote ones, or be specific about why this local exploit is a problem. Which can a sandboxed Chrome tab touch?
Let's compare HOW MANY security issues remain unpatched on Windows
Let's not.
Goodbye, troll. It's been fun, but this is entirely offtopic at this point, and not a discussion I'm interested in having right now. I have so many better things to spend my time on than dealing with you -- even responding to trolls with better manners than you. (I think your capslock key is broken, and I never once used M$ or any other pejorative, while you continue to use "open sores" at every opportunity.)
Greek, eh?
Îá½ ÎÏ...νá ÏÎÎÎá-ν ÎÏOEÎÎν.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Aww, no Unicode on Slashdot. Oh well, you can see it here:
http://pastebin.com/E6HPwie1
You have still ignored my challenge, so I will ignore all of yours.
I don't need to--The Register did years ago:
http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/
"So why have there been so many credible-sounding claims that Linux is actually less secure than Windows? There are glaring logical holes in the reasoning behind the conclusion that Linux is less secure. It takes only a little scrutiny to debunk the myths and logical errors..."
Also:
http://secunia.com/advisories/product/2719/?task=statistics_2011
"The most severe unpatched Secunia advisory affecting Linux Kernel 2.6.x, with all vendor patches applied, is rated Less critical "
http://secunia.com/advisories/product/27467/?task=advisories
"The most severe unpatched Secunia advisory affecting Microsoft Windows 7, with all vendor patches applied, is rated Highly critical"
Oops, your own source disproved your point.
Not only that, but Secunia's statistics are incorrect and out-of-date. I checked some of the CVEs for Linux, and Secunia lists them as unpatched, while Googling the CVEs shows that they were patched a long time ago.
You'll have to find a less erroneous source to support your erroneous claims.
Hm...I proved you wrong, using your own data. I guess I "win" now.
You conveniently ignored the two quotes I put up from Secunia--"your" "far more current" data--because they prove you wrong. Again, the source you chose contradicts your assertion.
Regarding this LAMP article, the fact that LAMP-stack sites are often compromised has nothing to do with Linux. Most often, these sites are compromised because of insecure PHP code--nothing to do with Linux. In fact, there is even a comment on that article by a guy who runs a WAMP stack who says that his server was compromised. For example, WordPress is full of security holes and is constantly compromised and patched--and it can run on Windows, Linux, FreeBSD, Mac OS X, etc. The issue there is poorly-written PHP code, SQL injections, etc. Apache runs on Windows, too.
Also, it's highly likely that many of these sites were not current on patches and security updates--an issue irrelevant to the OS being used. Most of these sites are on shared hosting, with preconfigured "easy-install" packages of popular software like WordPress--setups that are often not kept up-to-date. The issue there is hosting companies with poor security practices--again, irrelevant to the OS being used.
In conclusion, your LAMP article doesn't support your assertion that Windows is more secure, because it's not relevant to the choice of OS. It's not even fair for you to compare Windows 7 to Linux in one comment, and then lump Apache, MySQL, and PHP--software that is also used on Windows servers--in with Linux in your next comment. You're being disingenuous.
Surely a knowledgeable person like yourself understands the difference between a security hole in the OS and a security hole in third-party software.
You're a hypocrite, because you ignored the facts I pointed out from your own chosen sources.
You're a hypocrite, because you "ran from" my challenge.
You're a hypocrite, because you called me a "lying jackass", but you're pretending to be someone else. I can't even count how many times you have criticized others for impersonating you, and here you are pretending to be someone else.
If you think that people don't see through you, you are delusional.
You seem to be conceding my point!
Ok. You win. Happy?
No, of course not.
See, when you make a valid point, I "concede". What's weird is that we start out agreeing on some things, and disagreeing on others. Then we spent days arguing over semantic bullshit like whether an attack is local or remote, because you want to point to some local escalation vulnerability as evidence of how bad Linux security is when Windows security has an actual remote exploit. If you can say they're both "remote" in some sense, that puts them on the same level, when we both know they're not.
So we actually agree on the fundamentals, I'm just pre-empting that trick.
I also don't have much patience for the Windows vs Linux thing right now.
They don't HAVE to exploit the kernel... they're exploiting JAVA mainly,
Since when is the actual Java language on Android? Wouldn't it more technically be a Dalvik exploit?
I'm not sure how this can end well for you. If you want to say that it's Java they're exploiting, then those exploits would work equally well anywhere Java has been ported to, and can trivially be avoided by not using Java. If it's the Dalvik VM, that's something which no one has ever suggested using in desktop Linux, which makes Android even farther removed from desktop Linux.
If you want to say that Android exploits prove something about Linux, you're going to have to show that they're exploiting the kernel, since that's about the only thing Android shares with the Linux running in my laptop right now. And you've just admitted (assuming you're correct) that they exploit the GUI shell and not the kernel.
So no, Android exploits prove nothing about "Linux" the operating system. Absolutely best case for you, they prove you can build an insecure system on top of the Linux kernel. I've never disputed that -- any kernel you can't build an insecure system on top of is likely useless.
But, really? Is that really happening? It seems like it's more this part:
Mostly "PEBKAC" type, users either unaware of what they're hauling in being bogus, I won't argue that much... but, that is the MAIN PROBLEM on WINDOWS TOO!
And what does this have to do with what we're discussing?
I'm really done reading or replying to your posts which seem so intent on picking up the argument we had before. It is true that users are the biggest security issue. It is not true that Linux vs Windows is interesting here, or relevant.
Ordinarily, I'll happily follow a digression, but you'd happily take days of my time, and it's hard to think of a less useful way to spend those days.
Especially since you're still doing this:
if its ancestor could be taken advantage of? Don't think LINUX can't be...
That is at least two fallacies, one of them likely personal:
Non-sequitur. It's trivial to show a program (sufficiently simple) which once had a vulnerability and now has none. I am not claiming Linux is flawless, only that the origin of rootkits has zero to do with whether Linux has flaws or not.
Red herring. WTF does this have to do with anything any of us are talking about? I was talking about security, and why I think end-users should bear a bit of the responsibility. Now we're (unfortunately) discussing Linux security, and occasionally hinting at how it might compare to Windows security. Unless you mean to imply that I think Linux can't be taken advantage of, or was ever stating or implying anything of the sort, in which case, you're left with...
Strawman. When did I ever say Linux cannot ever be taken advantage of? Of course it can. I "concede" that. Go have your victory dance or whatever, but next time, deal with what I actually said, not what you wish I said so you can prove me wrong.
Otherwise, you're just playing with yourself, and I'm sorry, that's not my scene.
I'm done with you. Grow up, or don't write back.
Better yet, do both.
I'm not going to post any more data to prove my assertions as long as you choose to ignore the data I pointed out from your own source that shows that Windows is less secure than the Linux kernel. If you're truly curious about that, search Google for some of the CVE numbers listed on Secunia, and you'll find ones that were patched in Linux distros a long time ago.
You also don't seem to understand that tracking current security vulnerabilities in "Linux" is not a matter of looking at a single list, and that compiling a single list is a real-time effort. It's disingenuous to compare the kernel.org kernel with Windows 7; one should instead compare security bugs in the kernel and GNU-type system utilities from specific Linux distros, like RHEL and Debian. You'd complain if people pointed out bugs in internal Windows development snapshots--and that's practically what the kernel.org kernels are, compared to ones prepared and constantly-patched by distros like RHEL and Debian. It's like comparing apples and oranges. You're either ignorant about this or dishonest about it.
Also, Secunia is not an impartial source. They are in the business of selling Windows security software--as far as I can tell, they don't even sell software for Linux. That necessarily makes them unsuitable as an impartial source for such data. Of course they wouldn't want Linux to appear more secure than Windows, because then people would have less incentive to use Windows and pay for Secunia's software. They also have no incentive to keep their data on Linux up-to-date, because they don't serve Linux users, and out-of-date Linux security info will serve their interests better.
Therefore, Secunia is an invalid source for the purposes of this debate. As I said before, you'll have to find a better source to support your assertions.
You also tried to sidestep the fact that MySQL and PHP run on Windows servers and can be compromised on those systems just as well as they can on Linux systems--and they are, as I mentioned. Buggy PHP code is buggy whether it's running on Linux or Windows. The difference, in fact, is that Linux systems tend to keep all the software on the system up-to-date automatically, whereas Windows will not update MySQL or PHP automatically. Some Linux distros even have packages for software like WordPress, integrating security updates for it into the rest of the system's updates.
The article on The Register showed logical flaws in the Windows-is-more-secure arguments, flaws which are still valid today--those are not out-of-date.
It's also asserted that Microsoft often fixes more bugs in its patches than it publishes information about. Makes sense to me, since full-disclosure would only hurt Microsoft's image more.
A final anecdote: It's interesting that just in the past two weeks, my Windows 7 installation has installed more security updates for the OS than my Ubuntu 11.04 systems have installed. Doesn't prove anything, but it's interesting.
You continue to neglect to comment on the much-higher severity of the unpatched Windows bugs as mentioned in your own source. You still haven't addressed that or offered a counter-argument for it. So I won't post any more data until you address that--since you ignore whatever data is inconvenient for your argument, it would be a waste of my time. I don't think you're after the truth here, only ego-inflating "wins" against "trolls"--wins and trolls as defined by you.
You also conveniently ignored the fact that you hypocritically called me a "lying jackass" and then lied about your identity. You then accuse me of ad hominem attacks while ignoring your own, unsubstantiated ad hominem attacks and your own hypocrisy. At least my pointing out your lack of credibility and integrity are based upon your actions here.
Linux is last in the PC-server world? LOL! You really are delusional. Yeah, it's only what Google, Yahoo, Facebook, NYSE, NASDAQ, etc. use on their servers, as well as the majority of web sites on the Internet. Not to mention that it runs on everything from DVRs to phones to automobiles.
You show your utter ignorance by comparing Android to any other form of Linux. Android is all about the Dalvik VM and is irrelevant to Linux on any other platform.
I already explained how Secunia is not a valid source for your arguments. I don't need to refute its data because it itself is invalid. It would be obvious to anyone that there are indeed plenty of bugs in the Microsoft server stack, and the fact that Secunia claims that there aren't any and haven't been for years shows how useless it is as a reference. It also has commercial interest in Windows software and none in Linux software--it's completely biased. You need to find another source for your claims.
You still won't admit that MySQL and PHP run on Windows and get compromised there--that they are irrelevant to the discussion of Linux vs. Windows. More delusion or dishonesty.
It's pointless to have a discussion when you won't be honest. It'd also be nice if you could discuss without hyperbole.
Didn't think you'd see it? Why am I posting here if I don't think you will see it? I might as well go yell in my bathroom. If you don't see it, who will? No one else is watching this conversation.
As I told you, I won't post any more data on that until you address Secunia's own data that shows Windows has higher severity bugs than Linux does. You continue to ignore that--at least I say why I'm not responding to your claim.
You continue to show hypocrisy by calling me a liar when you are the one who has posted pretending to be someone else.
You continue to show hypocrisy by criticizing me for ad hominem attacks when you continue to call me a liar, a bastard, and a fool.
We can't make any progress until you are willing to be honest and logical and stop acting hypocritically.
LAMP sites are compromised because of insecurely-written PHP and MySQL code--it's irrelevant to Linux. You can pretend all you want that it's not--but it is. It makes as much sense to say that it is as it would for me to say that poorly-written ASP sites are compromised because of Windows itself, rather than because of bad ASP code.
Until you're willing to argue logically and honestly, we can't make any progress in the discussion.
See this "adhominem attack adios" from you...
You keep using that word. I don't think it means what you think it means. From Wikipedia:
An ad hominem (Latin: "to the man"), short for argumentum ad hominem, is an attempt to link the truth of a claim to a negative characteristic or belief of the person advocating it.
I haven't done that. That you are a known troll and a waste of time has nothing to do with whether your arguments are valid, it's whether it's worth my time to find out. It really isn't, especially given how little respect you have for the time of others. For example:
YOU AVOIDED MY QUESTION ON CHROME COMPLETELY!
You've now written at least two posts to me stressing this point and asking this question, yet you can't be bothered to download it and find out for yourself? Why should I do your homework for you?
Then there's this:
have you even taken logic formally? I asked you that before, & You did not answer...
I did answer. I pointed out that what you're doing now is an argument from authority. You don't know that I've taken logic formally. What does that have to do with whether my argument is valid? If it doesn't have anything to do with that, it's a red herring. If you're trying to say it does, it's an argument from authority of the formally fallacious kind.
Oh, and it looks like you like YouTube videos? Have fun.
Ahem: *cough* (bullshit), **COUGH** (BULLSHIT):
And here you just repeat yourself, clearly ignoring my actual response and the definition of ad-hominem, something you've done before, I might add. Did you even read my comment?
I certainly feel no need to read the rest of yours.
"Here endeth the lesson"...
Listen, you arrogant, obnoxious, simple-minded gimp.
I'm not asking you how to eliminate the rootkit. I never once asked you how to eliminate a rootkit. I already knew how to eliminate a rootkit. Stop harping on it, as you're making yourself look like a complete and total fool, by repeatedly answering a question that was never asked.
My issue has always been with your claim that you could detect a rootkit with Process Explorer and TCPview. This is what I stated in my very first post to you, and the only thing I've repeatedly stated that you're wrong about. This is also the only aspect of this rootkit removal that you haven't clarified.
Instead, you choose to go off on irrelevant and off topic rants about how you're an expert because you're an expert, and how your instructions to remove a rootkit will work every time, and how this one guy left a comment about how he never got malware once he used a hosts file.
Guess what? I don't give a fuck about all that.
Here is the question I want you to answer, in plain English, that even, apparently, ACs can understand, but you can't:
How do you propose to detect a rootkit using Process Explorer and TCPview, when the output of these programs cannot be trusted when running in a rootkitted environment?
If you can't answer this question, then all your removal instructions are moot.
TcpView... now, say (as I did in my last post above) that while letting my nephew, brother (or even little niece, she's into computing too (good sign)) use my system, & say they infect it via a USB stick, and my antivirus/antispyware in place resident doesn't catch it? I can monitor who/what/when/where/how my system is "talking to" other machines online (inclusive of botnet C&C servers).
According to your statement here, said in a thread about rootkits, you can use TCPview to detect errant connections caused by malware. In the context of a rootkit conversation, it can only be assumed that you're talking about rootkits.
Again, I ask you: How do you detect a rootkit using TCPview. You maybe didn't state outright that you could, but you certainly strongly implied it with the context of your statement.
There's NO DENYING my technique will get rid of this rootkit and others like it, is there? Apparently not, because you avoid that like the plague when I ask the question if it works or not... lol!
Will it get rid of an MBR rootkit? Yes. Will it get rid of a driver-based rootkit with a discrete .sys file for the driver? Yes.
Will it get rid of a driver-based rootkit that uses a patched tcpip.sys, or atapi.sys? No, because listsvc doesn't verify file signatures, and there's no way for you to do it manually using hashes, or the like, within the recovery console.
You also claimed that:
even IF I were to 'suck in' this beastie? As soon as they get its C&C servers, I get them... every 1/4 hour, & it won't be able to "talk back to HQ"...
Notice that word "this"? That means you're specifically referring to the rootkit that was the topic of the conversation. This rootkit will be blocked by your Norton DNS settings. That's what you claimed. But you still haven't explained how you can trust the DNS settings on a rootkit infected computer, either.
I never once did state what you "inferred" above, dolt!
Ooooh! Ad hominem attacks!
<APK-like voice>I'm such a big man because I know how to spell ad hominem!!</APK-like voice>
BTW, it's two words, just in case you're interested. But you're not, because you're more interested in saying:
"Look at my commercial software! I've written security guides! I've shown you how to remove this rootkit 12 times, so why does it matter that I haven't given a reliable method to detect it!!! Shut up!"
"Ooooh! Ad hominem attacks!" - by cbiltcliffe (186293) on Tuesday July 12, @03:12PM (#36738656)
LMAO - you started it,
I started it? Really? You can't even remember what you've written in this thread, can you? The first insult to fly in this thread came from you, in the form of this comment:
* So, go "hawk" your essentially obsolete 'ware' in this situation & others like it vs. rootkits "1 hit wonder" disk elsewhere man!
Besides, I haven't used a single ad hominem attack. I've called you a douche, among other things, but I haven't said that you're incorrect because you're a douche. I've said that you're a douche because you're incorrect, but you can't see it. Do you even know what an ad hominem attack is?
I only call a spade, a spade is all, & I fight fire WITH hotter fire, especially if it's done to myself, first...
Your "hotter fire" is a sputtering candle, but you can't even see it's burning out.
* You KNOW you've gotten the best of a troll, when trolls go "silent" - APK "FTW", as usual, vs. /. trolls...
Are you hearing yourself? Obviously you can't hear anybody else, due to the sheer amount of self-cheerleading you do, so you assume they've all gone silent. Tell me, do you wear a skirt and wave pompoms when you do that?
APK is a troll. APK is a troll. APK is a troll. APK is a troll. APK is a troll. APK is a troll. APK is a troll. APK is a troll.
APK is a n00b. APK is a n00b. APK is a n00b. APK is a n00b. APK is a n00b. APK is a n00b. APK is a n00b.
cbiltcliffe is invincible!! cbiltcliffe is invincible!! cbiltcliffe is invincible!! cbiltcliffe is invincible!! cbiltcliffe is invincible!! cbiltcliffe is invincible!!
Nope. Doesn't really do anything for me. I guess I don't feel my knowledge is so limited that I need to trumpet it to anybody who'll listen so as to try to make myself feel better about being borderline incompetent.
The ONLY way to use those, would be to do what this botnet did, a filtering/hooking driver... otherwise, Windows SFP/WFP (Windows File & System File Protection) would detect for it & replace them IF they were bogusly replaced... period!
Once again, you're wrong. I've seen patches like this happen, and WFP did not fix it. The problem is, once the file is patched, and the hostile code loaded into memory, WFP can be disabled by that hostile code, even if only for that file.
True, this does mean you have to get infected in the first place, and you've assured me that your m@d skillz would prevent anything like that from ever happening.
Did I use the word rootkit? No, not once.
In regards to TcpView OR ProcessExplorer? No. So haha to you: See subject-line above...
So basically, what you're saying is:
"I made a statement completely unrelated to the conversation, but made it sound like it was part of the conversation going on, and since you assumed I was actually talking about what everybody else was talking about, you must be an idiot."
That's even more childish than the rest of your fellow trolls, so you've mastered the art. At least I'm honest when I'm being childish, assmuncher. You'd probably be good in politics, because you can say something that has a totally different meaning than anybody listening will take from it, and then seem honestly surprised when people misinterpret you.
Now, since you've responded to my single post with 4 of your own, but still managed to avoid the very first question I asked you in this thread, I'm going to ask it one more time:
If you're relying on Norton DNS to prevent such a "beastie" - as you so eloquently put it - from talking to its C&C server, how can you trust the DNS settings on the infected computer?
Now, since you've spent the entire thread with your hands over your ears going "LALALALA
Hey, APK!
You didn't sign this post with apk!
You're slipping. Or are you just trying to astroturf, and make it seem like other ACs agree with you?
That just shows how desperate you are.
I think
"City hall" in German is "Rathaus" Kinda explains a few things......
you need to
"City hall" in German is "Rathaus" Kinda explains a few things......
form your thoughts
"City hall" in German is "Rathaus" Kinda explains a few things......
before you hit
"City hall" in German is "Rathaus" Kinda explains a few things......
submit so that you
"City hall" in German is "Rathaus" Kinda explains a few things......
don't have to put
"City hall" in German is "Rathaus" Kinda explains a few things......
so many replies to
"City hall" in German is "Rathaus" Kinda explains a few things......
cover your rambling, incoherent thoughts.
"City hall" in German is "Rathaus" Kinda explains a few things......
Anecdotal evidence, ad hominem attacks...all these words you are throwing around, and you don't even understand basic logic.
You say drivers cannot be patched without warnings. Well, it's a logical impossibility to prove a negative, because one weird edge case can throw your whole argument out the window.
There is no anecdotal evidence when you're proving a negative theory incorrect. A single data point completely invalidates the theory.
The question I have is, why do I need to provide you with proof when such flaws have been widely publicized regarding both Windows Vista and Windows 7. Do your own Googling.
Debating with someone who has such a tenuous grasp on reality is fruitless, as the most logical arguments will be completely ignored, some irrelevant BS thrown back, along with "IT's just too TOO eZ, 2EzZzZzzz121!!1111!11!!1111!!1eleevenety"
The only reason you think it was too easy, is because you're too simple to understand the argument. You don't even realize you've completely failed to counter anything at all.
Stop putting words in my mouth, hypocrite.
I didn't agree that your method of removing rootkits would work. I stated that it would work for certain types of rootkits, but not all. You conveniently left off the part of my quote about the type it wouldn't work on, so you could pretend that I completely agreed with you. I didn't, and you know it.
And are you trying to tell me that some AC just happened to be reading this thread from a story over 2 weeks old, and just decided randomly to agree with you? Bull.
And for your information, I don't have a post limit. Or at least, I've never run across it, as my karma is excellent. The only person on here who can't seem to wrap their head around the fact that I'm right is you.
The WinPCap driver gets installed using legitimate means. Of course it's going to give you the warning. What the hell has that got to do with rootkits?
As I stated, there have been plenty of reports of flaws with WFP and code signing, which I'm not going to point out to you, since you're obviously too lazy or braindead to find yourself.
Whether you want to admit it or not, my statements regarding you implying TCPview could show connections from rootkits are true. You did imply it. You injected the comment directly into a conversation about rootkits, and you in no way stated that you were only talking about malware other than rootkits. You either knowingly and disingenuously completely changed the subject, knowing it would be misinterpreted, or you meant it as I took it, and are now trying to backtrack.
In the first case, you're a childish ass. In the second, you're a wannabe noob.
Hey, APK. Good to see you astroturfing again...
That's not the TCPview/Process Explorer quote that I referred to. Sure, you said it there, but the one I responded to first, you didn't. You stated "malware" which implies all malware, in a conversation about rootkits. To a sane individual, that also implies rootkits. Obviously you are not sane, since it didn't imply that to you. However, now you'll claim that I'm ad hominem attacking you, because it's a word you know how to spell.
(others posting here do as well, which I think is hilariously funny too)
No....you know what's really funny? I mean, really, really, really funny?
All this time I've kept you spastically OCDing over this thread, when you could have been updating your hosts file.
Now THAT'S FUNNY!!!!
Can you show me EXPLICITLY stating that ProcessExplorer &/or TcpView are for "detecting rootkits" as you said I did? No, you cannot... period!
Please - DO PROVE OTHERWISE WITH A QUOTE OF MY OWN WORDS IN THIS EXCHANGE & THE SOURCE LINK FOR IT!
(You haven't managed that yet, because you cannot do it!)
Ok, fine. Since your memory is so short, and you can't seem to remember what you've said, here:
http://slashdot.org/comments.pl?sid=2282088&cid=36618008
This is the quote I originally responded to, which I then didn't find. In this post, you state:
Besides, there isn't a botnet (or even ROOTKIT) I can't deal with effectively for removal anyhow - & I don't use the same tools others do...
Well, @ first I do, & when those fail? Out come the "big guns" in Process Explorer & Recovery Console - & there's nothing I can't "dust" between them...
Yes, you do explicitly state that Process Explorer is a "big gun" for dealing with botnets (or even ROOTKITS).
Let's see...I believe the words are:
Reading comprehensions.....hahaha.....lol...2ez....U FAIL!!
Fact is - I never even IMPLIED they are for "rootkit detection" or removal from Ring 0/RPL0/kernel mode operations of rootkits... only usermode/RPL3/Ring 3 malware operations, period!
You didn't start blathering on about Ring0 vs Ring3 until after I already had you on the defensive and reeling from a couple of well-placed hits. Your first mention of either term was in this post:
http://slashdot.org/comments.pl?sid=2282088&cid=36731660
and that was well after I'd already called you on your statement that I just proved you made, that Process Explorer was useful for removing rootkits.
So now, not only are you putting words in other's mouths, you're also attempting to retroactively put them into your own.
Reading comprehensions.....hahaha.....lol...2ez....U FAIL #2!!
See, the problem is, you've got such delusions of grandeur, that you can't entertain the possibility that you might actually be wrong. Even when it's a certainty.
/code fucked up the first URL in my last post.
http://slashdot.org/comments.pl?sid=2282088&cid=36618008
The rest of my comment stands.
What is it about "I use Process Explorer and Recovery Console for dealing with rootkits and botnets" that you can't understand means "I use Process Explorer and Recovery Console for dealing with rootkits and botnets"?
Admit it. You're wrong. You lost. Badly. Your statement that I quoted (which was not stated to be only for Ring3 malware at all, until well after you'd been called on it, and started backpedalling like an ass-covering politician) is as clear as day.
Go back to updating your host file, little boy. There are thousands of malware domains registered daily, and according to a post of yours on another thread, it takes you 30 seconds to add one to your hosts file. Since you're so fond of links back to those posts, even though you apparently cannot understand the very words you wrote, here's the link:
http://it.slashdot.org/comments.pl?sid=1932290&cid=34743648
Well, even 1000 hosts per day is over 20 per minute. You'd better get updating that hosts file, because even if you work on it 24 hours a day, you've got less than 3 seconds per host to get it into your file. If you want to do 2000 per day, you only get 1.4 seconds per host. Get typing!!
And that doesn't even take into account the ones that you have to verify are there, just to make sure you're protected from them.
Maybe you don't get malware because, between the ungodly amount of time you must spend updating that hosts file, and the amount of time you spend trolling and stalking on /., you don't have time to do anything else that could get you infected.
Just out of curiosity, how do you have time to do all that high end programming you claim to do, since hosts file editing and /. trolling is obviously taking up all your time? Or is that why the list of previous accomplishments you're so fond of posting basically ends at 2003? Is that when you had the aneurysm that turned you into the psychotic raving lunatic you are today?
P.S. => That last bit isn't an ad hominem attack. Ad hominem is attempting to invalidate the message due to some unrelated characteristic of the messenger. Your message (at least the part of it I was concerned with, as well as your irrational support of maintaining a hosts file which is provably unworkable) has already been completely invalidated due to being factually incorrect. That makes that last bit, rather than an ad hominem, just a plain old insult.
P.P.S => One more question: when you get all worked up, typing furiously into a /. post box, putting in your irrational formatting, and all the nonsensical b.s. that you do, do you actually start foaming at the mouth? Maybe you should get that looked at.
(Have YOU done a better guide for layered security than that?)
BWAHAHAHAHAHAH!!!! HOHOHOHEHEHLAOLOLOROFL!!
Wow...let me wipe the tears from my eyes here.....hang on....
BWAHAHAHAHAHAHAHA!
Wow....thanks for the laugh! I'll be chuckling for weeks over that one....
I just read part of your "highly rated security guide" and it's pure comedy gold. Most of it can't be used by anybody who actually uses a computer in a normal way, but aside from that, I then got to the section about running services as LocalService, rather than LocalSystem.
Let me ask you a question: What's the total antecedent to good security?
Any ideas?
I'll tell you: Having programs or services running that are not necessary, have no function, and are not used. Every one is a potential security hole waiting to happen.
Anyway, in this section, you say you've personally tested all these services, and know they run fine under the different account.
One you list for running under LocalService is the Remote Registry service. I can guarantee you that this service does not run properly under LocalService. Sure, it will run, but its entire functionality is nullified, because the whole point of the service is to provide remote access to the registry in domain/remote admin situations, and the LocalService account has no network privileges. So you've got a service running where the entire point of that service is killed by your stupid security permissions, but it's still running, providing the possibility of local exploits, and also taking up resources. So the way you're recommending to set up this particular service, the service provides zero benefit, and significant drawbacks. Yeah...great security advice, there, buddy.
Can you say "STUPID"? I quit reading after such an obvious and fundamental security failure. See, in order to properly secure technology, you have to actually understand what that technology is doing, and how it works. You fail at understanding, so you fail at security.
This service is recommended to be turned off in any security advice I've ever given, except in a domain environment. Maybe you need to go back to school.
FAIL #1
1.) "Hauls in" other malware for the BOTNET portion running in Ring 2/RPL 2/Usermode?
-------
3.) Then, you "mop up" using ProcessExplorer once the rootkit's dead, to kill in the malware it hauls in, THAT RUNS THE BOTNET PORTION in Ring 3/RPL 3/UserMode!
Make up your mind. Is Ring 2 usermode? Or is Ring 3 usermode? You seem to be getting flustered and confused with all the frantic backpedalling you're doing.
"There are thousands of malware domains registered daily, and according to a post of yours on another thread" - by cbiltcliffe (186293) on Wednesday July 13, @10:23PM (#36757884)
WTF? I never said that # are out there daily... your link doesn't show it either... that's quite old also - what are you doing??
Stalking me via diff. usernames???
Of course not. You're not worth the effort, as you're an ineffectual, intellectually deficient waste of skin.
I simply did a search for "apk troll" on google, to see how long you'd been pulling this BS. It was both enlightening, and hilarious. Seems you can't get into a conversation at all without pissing off just about everybody around you. Maybe that should tell you something.
Now, back to what you quoted me saying:
You've got a parsing error there. Reread it. I didn't say that you said there were thousands of malware domains registered daily. I'm telling you that there are thousands of malware domains registered daily. You obviously didn't know this, because it seems to have caught you completely by surprise. You said that it takes 30 seconds to add a new domain to your hosts file. That means, as I said, if you wanted to even remotely keep up, you'd have to be adding a new domain to your hos
Did you check your links?
Well, let's see, your first "proof" link, leads to:
"The page you were looking for could not be found"
Guess neowin didn't think it was important enough to keep around, huh?
And the second leads to a thread that starts out with a section on "securing telnet" that was posted in 2008.
Really? You're trying to secure telnet 3 years ago? Anybody with a lick of sense hasn't been using telnet at all in any environment with secure requirements for well over a decade, and 3 years ago you're giving advice on how to secure this decade-broken, unsecurable protocol?
ULTIMATE FAIL
There's really, absolutely nothing else that needs to be said. You are a complete and total loser when it comes to security. You know nothing. You understand nothing. You are incapable of doing anything technical with any competence whatsoever.
Not only that, but you bitched about my "1 hit wonder" cd (while knowing nothing at all about it) that "must have used other people's software", as if you wrote everything you've ever done from scratch, including all libraries, and probably your own compiler, FFS.
The first section of this thread shows this information actually comes from " a Mr. Markuss Jansson on his point on TELNET service", and "He also has more on things like "EFS" (encrypting filesystem) ".
Not only are you a complete loser, you're a complete hypocrite, also.
(BTW, my CD will let a tech run the recovery console on a machine remotely, over the Internet, with no KVM over IP hardware. No technical knowledge is required by the end user. Network connections, encryption, etc, are all handled automatically. It will also allow remote repair of corrupt filesystems that prevent the computer from booting with an UNMOUNTABLE_BOOT_VOLUME error. It can also do remote investigation on a computer, with forensically sound methods, transferring a hard drive image over the network from a remote PC for local analysis, if required. It can also do a pile of other things, most of which are probably beyond your comprehension. Even if it was the only thing I'd ever done, which it's not, it's so versatile, it could never be called "1 hit".)
The version of your guide that I read was the first link on your Bing search that you're ever so proud of. You know, this one?
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
This is the one I read:
http://forums.pcpitstop.com/index.php?showtopic=150310
This was posted in 2007, so it's not like it's really old, or anything.
In it, you recommend to run the Remote Registry, and telnet (which I didn't notice the first time) as the LocalService Account, rather than LocalSystem. You do not recommend to turn them off, as you claim in your post I'm replying to.
These services require, for their only functionality, to have network access. Running them as LocalService therefore kills their entire useful functionality, while still leaving the service running, taking resources, slowing the system down, and potentially offering local exploits.
Why do you *THINK* I put "remote registry" running as a LocalService for? It can still function that way,
But that's the whole point. It can't function that way. Its function requires network access, which running as LocalService denies. It will not work for its intended function. Same with telnet. Both services cannot function that way, at all.
but if it were to be activated again by some interloper malware, it'd be SAFE(r) because it was set as "LocalService" logon entity - "get it"?):
Ok..so let's assume for now that you completely messed up your security guide, and you actually meant to have people turn this service off, whi
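The two posters above argue about which logon account the Remote Registry and telnet services should use, and whether a service re-accounted to LocalService still answers remote requests. Rather than take either side's word for it, the following added example (written for this page, not code from either poster or from the linked guide) reports what a Windows box is actually configured to do and probes the Remote Registry endpoint over the network. It assumes PowerShell 3.0 or later for Get-CimInstance (on older systems substitute Get-WmiObject -Class Win32_Service), an elevated prompt for the disable step, and that the service short names of interest are RemoteRegistry and TlntSvr; the remote host name passed to the probe is whatever you have at hand.

```powershell
# Added example: audit service logon accounts, probe Remote Registry over the
# network, and disable a service outright instead of only changing its account.
# Assumptions: PowerShell 3+, elevated prompt for Disable-ServiceHard.

function Get-ServiceAccountReport {
    [CmdletBinding()]
    param(
        # Services whose entire purpose is remote access (names assumed for this example).
        [string[]]$Watch = @('RemoteRegistry', 'TlntSvr')
    )
    # Win32_Service.StartName is the logon account, e.g. "LocalSystem" or
    # "NT AUTHORITY\LocalService"; StartMode is Auto/Manual/Disabled.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, StartName,
            @{ Name = 'Review'; Expression = { $Watch -contains $_.Name } } |
        Sort-Object StartName, Name
}

function Test-RemoteRegistry {
    # Opens HKLM on a remote machine through the Remote Registry service and reads
    # one well-known value. Succeeds only if the remote service is running and
    # reachable under whatever account it is configured with.
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $sub  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $name = $sub.GetValue('ProductName')
        $sub.Close(); $hklm.Close()
        [pscustomobject]@{ Computer = $ComputerName; Reachable = $true;  Detail = $name }
    } catch {
        [pscustomobject]@{ Computer = $ComputerName; Reachable = $false; Detail = $_.Exception.Message }
    }
}

function Disable-ServiceHard {
    # The "turn it off" option the post argues for: stop the service and set it to
    # Disabled so nothing can restart it. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$Name' is not installed"; return }
    if ($PSCmdlet.ShouldProcess($Name, 'Stop and set StartupType=Disabled')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
        Set-Service -Name $Name -StartupType Disabled
    }
}

$report = Get-ServiceAccountReport

# 1. Everything still running as LocalSystem: the account with the most to lose.
$report | Where-Object { $_.StartName -eq 'LocalSystem' } |
    Format-Table Name, State, StartMode, StartName -AutoSize

# 2. The remote-access services under discussion and the account they really use.
$report | Where-Object Review |
    Format-Table Name, State, StartMode, StartName -AutoSize

# 3. Does the remote machine's Remote Registry service answer at all?
#    Replace the host name with one you administer.
Test-RemoteRegistry -ComputerName 'WORKSTATION01'

# 4. Preview disabling Remote Registry on this box; drop -WhatIf to apply it.
Disable-ServiceHard -Name RemoteRegistry -WhatIf
```

Two points worth knowing when reading the output. Microsoft itself ships RemoteRegistry logging on as NT AUTHORITY\LocalService on Windows XP and later, so step 2 will show that account on an untouched machine, and step 3 is the honest way to settle whether the service serves remote reads in that configuration: run it from a second host against a box where the service is running and see whether Reachable comes back true. And if the conclusion is that the service is not wanted, step 4 is the change to make, because a stopped-but-enabled service can be restarted by anyone with the right to do so, whereas a disabled one cannot.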