Slashdot Mirror


Microsoft: No Botnet Is Indestructible

CWmike writes "No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said Tuesday, countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically. Nothing is impossible. That's a pretty high standard.' Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in take-downs of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated. 'To say that it can't be done underestimates the ability of the good guys,' Boscovich said. 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"

245 comments

  1. Uhoh by sortius_nod · · Score: 0

    Microsoft just put a challenge up to every botnet maker on the planet.

    Thanks Ballmer.

    1. Re:Uhoh by PessimysticRaven · · Score: 1

      For the record, nowhere is Ballmer even mentioned. At all. Give credit where credit is due: lawyers work very hard to make outrageous and asinine claims. How dare you give the credit to someone else?!

      --
      Consistency is only a virtue if you're not a screw-up.
    2. Re:Uhoh by Anonymous Coward · · Score: 0

      What are you on about? Ballmer wasn't even mentioned! I dislike MS as much as the next person, but once in a while they do speak some sense; the law of averages says they have to be right some of the time.

      The lawyer merely said nothing technical is impossible to beat, and he's right. He never said it wasn't going to be hard, a pain in the arse, weeks, months or years of work, but you can beat almost anything given the will and effort to do it. When you speak to someone who's beaten cancer, then you learn about the will to win and smashing the odds.

      You don't think the botnet builders are constantly spending their time building a better, more impregnable network? When they have spent so much time already getting it to the stage it has already got to, you don't think they want to ensure that no one can take it away? These dirtbags don't need any more encouragement; they too already have the drive to want to beat the odds, just like those who are out to get them.

    3. Re:Uhoh by 1s44c · · Score: 2

      Microsoft just put a challenge up to every botnet maker on the planet.

      Thanks Ballmer.

      A challenge they have already resoundingly lost.

      They should just be honest about it and give users a choice of botnets to subscribe to, like they were forced to do with web browsers.

    4. Re:Uhoh by delinear · · Score: 1

      Exactly this. The botnet makers don't care what some lawyer says, but you can bet your last dollar that they're already trying to make their botnets as bulletproof as possible. Why wouldn't they? It's their source of revenue, and the longer a botnet can evade takedown the more money it generates. The real issue the "good guys" face is that a lot of the time they're having to be reactive instead of proactive (and this is where better OS security, better education of users and good, free, easy-to-use security tools can help), so of course it feels like they're always a step behind.

    5. Re:Uhoh by Lennie · · Score: 1

      I'm surprised the botnet makers haven't gotten rid of the central command & control systems. There have to be some botnet builders that can pay some smart Russian to come up with code for that.

      Some P2P solution.

      Maybe this is because of NAT? They don't have a simple way of connecting to every node because of it.

      --
      New things are always on the horizon
    6. Re:Uhoh by GooberToo · · Score: 1

      I'd like to meet these lawyers who work hard. Having worked with many and known several personally, they generally don't know anything about "hard work." Don't confuse long days of web browsing, bullshitting, lunching, and boozing it up with anything close to "hard work."

      TV shows and movies have painted a very wrong picture of lawyers at work.

    7. Re:Uhoh by f()rK()_Bomb · · Score: 1

      The botnet they are talking about here, TDL-4, actually does use an open P2P network for command and control; you take out one and another jumps in.

      --
      "The space elevator will be built about 50 years after everyone stops laughing." - Arthur C. Clarke ~1980
    8. Re:Uhoh by AJH16 · · Score: 1

      It depends on the lawyer. Your view seems rather jaded. From my experience, most PEOPLE don't know anything about hard work (by your definition) at least in the professional sector or anything outside a factory job. Retail and office work, it seems rampant to have excessive down time. That said, I also know some very hard working lawyers. A lot of succeeding in life has to do with luck and who you know, but a lot of it also has to do with just actually working hard.

      --
      AJ Henderson
    9. Re:Uhoh by SniperJoe · · Score: 1

      I beg to differ. A good friend of mine went to law school and is now in his third year as an associate at a major law firm. He works something like 60 hours a week on average to make sure that he hits his goal of 40 billable hours a week. During three years of law school, I saw him a grand total of about four times and when I DID see him, he was studying (at all hours, Saturday, Sunday, late at night, you name it). I feel sorry for the guy. He's very well paid, but he never has any time to spend it. He just recently told me that he'd gladly cut his salary in half to work a normal 40 hours.

      Now, when he gets a few more years in, I'm sure he'll be raking in even MORE cash and working less, but I'll never say he didn't earn it.

    10. Re:Uhoh by kelemvor4 · · Score: 1

      For the record, nowhere is Ballmer even mentioned. At all. Give credit where credit is due: lawyers work very hard to make outrageous and asinine claims. How dare you give the credit to someone else?!

      I can't believe you used the words "lawyers" and "hard work" together in the same sentence like that.

    11. Re:Uhoh by sortius_nod · · Score: 2

      I mentioned Ballmer because he is the main head of the Hydra that Microsoft is. I'm sorry for laying the blame squarely at the feet of the CEO; in future I'll lay the blame at the feet of the guys working in the call centre. Or maybe the lawyers they buy for a dime a dozen.

    12. Re:Uhoh by GooberToo · · Score: 1

      You're very confused. You're confusing school work with a professional life.

      Established lawyers is what I'm talking about. Non-lawyers do 80% of the work in the legal profession. Most lawyers do little actual work. What work they claim to do is largely done by wanna-be lawyers, students, so on and so on.

      As for working 60 hours to bill 40 hours: he's absolutely doing something wrong. Most lawyers will bill you if they think about your case while they are taking a crap. If he worked 60 hours and didn't bill 60 hours, he's incompetent or, at the very least, doing it wrong.

    13. Re:Uhoh by GooberToo · · Score: 1

      Now observation and discussion means one is jaded? Likely you're just uninformed. Very, very uninformed. My opinion exists specifically because that's the opinion TOLD to me by actual lawyers. It was reinforced by observing their work day while I was working.

      Really, people, get off your high horses. The world does not exist in utopia. In the real world, lots and lots of people are paid shitloads of money for doing very little, and frequently while doing a shit job of that. That's the REAL world. Obviously there are exceptions, and yes, the world is full of hard-working people, but the intersection is pretty small when we're talking about the majority of lawyers.

    14. Re:Uhoh by benjymouse · · Score: 1

      I mentioned Ballmer because he is the main head of the Hydra that Microsoft is. I'm sorry for laying the blame squarely at the feet of the CEO; in future I'll lay the blame at the feet of the guys working in the call centre. Or maybe the lawyers they buy for a dime a dozen.

      If you have an issue with the statement, you could mention the statement and the lawyer who it is attributed to, Richard Boscovich. That would suffice. You did not even have to read the article, the name was right there in the (inflammatory) summary.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    15. Re:Uhoh by ElizabethGreene · · Score: 1

      I concur, MS just said "Come at me, Bro." :D

    16. Re:Uhoh by RightSaidFred99 · · Score: 1

      Lol, outrageous claim? What outrageous claim? The laughable claim is that there exist botnets which can't be taken down. The very idea is silly.

    17. Re:Uhoh by AJH16 · · Score: 1

      I have multiple family members who are lawyers or work closely with them. How many different firms did you have experience with? Business culture tends to make fairly unified conditions within an organization. I'm also 100% agreeing with you on your last paragraph. My point was mostly that a) it isn't just lawyers that get paid for wasting a lot of their time and b) the bad eggs always stand out and c) just because there may even be a lot of bad eggs doesn't mean there are not good ones or that the entire profession deserves to be thrown under the bus.

      I was saying that many people regardless of industry will waste time if they can and still get paid for it. Those who actually do work hard tend to excel ahead of the rest. Just look at how active slashdot is during the workday.

      --
      AJ Henderson
  2. Alternate Title by phantomfive · · Score: 5, Funny

    Alternate title:
    "Microsoft Says: My Botnet is Bigger Than Yours"

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Alternate Title by monkyyy · · Score: 2

      Well, I do believe everyone who uses Linux has a duty to dismantle the Microsoft botnet.

      After all, it isn't indestructible.

      --
      warning pointless sig
    2. Re:Alternate Title by Anonymous Coward · · Score: 5, Funny

      I could root you, but I'd have to charge.

    3. Re:Alternate Title by geekprime · · Score: 1

      fuck, if only I had mod points!

    4. Re:Alternate Title by Anonymous Coward · · Score: 0

      Sorry, mod points are not an acceptable form of payment.

    5. Re:Alternate Title by cvtan · · Score: 1

      Bitcoin?

      --
      Sorry, but gray text on gray background is making my eyes bleed.
    6. Re:Alternate Title by Anonymous Coward · · Score: 0

      i got the reference

  3. Impossible really means nobody knows how by Omnifarious · · Score: 2

    While I believe that it's quite easy to remove individual nodes of the 'indestructible' botnet, I can't see a good way it could really be shut down other than by wiping it out node by node. And that's a losing strategy for the 'good guys'.

    So, while I agree in principle that the word 'indestructible' is pretty strong, and likely not actually the case, that theoretical fact is useless without a concrete strategy for defeating it.

    1. Re:Impossible really means nobody knows how by phantomfive · · Score: 1

      What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Impossible really means nobody knows how by wvmarle · · Score: 1

      Indeed, in this case I have to agree fully with Microsoft. That doesn't happen so often.

      Of course no botnet is indestructible. Nothing is indestructible. Microsoft themselves are not indestructible; our planet is not indestructible. They're just really strong. The same apparently applies to this new botnet. It's strong: hides itself really well, uses decentralised command and control, etc. Probably it doesn't even incorporate all the weapons botnet makers have at their disposal, and their arsenal is growing. Like the arsenal of the anti-malware makers as well, of course.

      As there is nothing centralised, you will have to go after individual nodes. And there is probably no automatic way possible (well, not legally/morally at least) to do this. Though I would expect there can be ways to find a technical solution to detect the presence of this piece of malware, and with it to clean it up, node by node. But it will be really hard.

      One of the ways this may be blocked at a higher level would be on an ISP level to monitor traffic to and from subscribers, and filtering out suspected traffic (e.g. blocking the IP port the malware uses to communicate; or if that's a common one like 80 use deep packet inspection to stop botnet traffic). Though that has quite some other legal and moral issues related to it, of course.

    3. Re:Impossible really means nobody knows how by monkyyy · · Score: 1

      Hmmmm, not knowing much of the details, I'd say first finding the creator (lurking hacking forums?), getting his password (cracking is probably out of the question, so a keylogger), then from his computer update the virus to either delete itself or attack itself, if possible; otherwise send out an easy-to-run CD to fix the problem and hope most people run it, so the botnet can't be taken by someone else.

      --
      warning pointless sig
    4. Re:Impossible really means nobody knows how by Jah-Wren+Ryel · · Score: 3, Insightful

      What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

      The proof's in the pudding. Until they actually do take it down, it's all just trash talk.

      It doesn't help that it's a lawyer doing the trash talking either; it seems all too common for people with law-centric world views to be completely out of sync with a world that operates on the principles of physics.

      --
      When information is power, privacy is freedom.
    5. Re:Impossible really means nobody knows how by Tasha26 · · Score: 1

      Haha, if Microsoft was a biotech, the title would read "No Cancer is Indestructible." Maybe they should learn from the past, how arrogance has cost them a lot.

    6. Re:Impossible really means nobody knows how by Anne+Thwacks · · Score: 1

      Who knows, maybe they are.

      Please can I have one of your flying pigs.

      --
      Sent from my ASR33 using ASCII
    7. Re:Impossible really means nobody knows how by Angostura · · Score: 2

      Not only that. I find myself in full agreement with a Microsoft lawyer. Oh what a world!

    8. Re:Impossible really means nobody knows how by scdeimos · · Score: 1

      Probably it doesn't even incorporate all weapons botnet makers have at their disposal, and their arsenal is growing. Like the arsenal of the anti-malware makers as well, of course.

      True, but anti-malware makers are always going to be behind the eight-ball for two reasons: (1) they will always be reactionary, and (2) they can't break a computer to "save it" whereas the malware makers don't mind a few casualties.

    9. Re:Impossible really means nobody knows how by artor3 · · Score: 3, Insightful

      Personally, I think that the fact that it's coming from a lawyer makes it more convincing (and frightening). Note that he's saying you need to get legally creative. That sounds like not-so-subtle code for no-knock raids and extraordinary rendition. I don't care how well written your malware is. It's not gonna help you one bit when a multibillion-dollar corporation convinces the Russian police to disappear you and your buddies.

    10. Re:Impossible really means nobody knows how by Biff+Stu · · Score: 1

      That's more or less how I see it. On the security side, no matter how good the encryption and overall infrastructure, you always need to worry about the dumbass-in-the-middle attack, i.e., social networking. In the case of organized crime, they are vulnerable to the same tactics that are used to dismantle "brick and mortar" crime organizations. Do some good detective work, catch someone in the organization who knows enough and is ready to rat everyone else out for some leniency, and you can take the botnet down along with the bad guys.

    11. Re:Impossible really means nobody knows how by Anonymous Coward · · Score: 0

      legally/morally? Since when did that ever stop anything.

    12. Re:Impossible really means nobody knows how by Anonymous Coward · · Score: 0

      I don't think it would be that hard to come up with a bot that was logistically impossible to decapitate without already having the author in custody... of course I'm also not one of the bad guys and my experience dealing with the bad guys leads me to believe that they are mostly retards that can't code their way out of a paper bag.

    13. Re:Impossible really means nobody knows how by digitig · · Score: 1

      Oh, what Microsoft said was right -- just irrelevant. The claim wasn't that the botnet was indestructible, it's that it was practically indestructible. That word makes a lot of difference.

      --
      Quidnam Latine loqui modo coepi?
    14. Re:Impossible really means nobody knows how by Nikker · · Score: 1

      What difference does it make? Both operate using the same tool set. Microsoft sends out updates via untrusted networks to verify system files and attempts to rectify compromised files. Botnets will get you through security issues, 0-day attacks and click-happy users.

      Neither of them will win.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    15. Re:Impossible really means nobody knows how by 1s44c · · Score: 1

      And that's a losing strategy for the 'good guys'.

      Microsoft? Lawyers? Botnet herders? Windows users who don't care about the impact of their lack of security?

      There are no good guys in this story.

    16. Re:Impossible really means nobody knows how by 1s44c · · Score: 2

      What Microsoft is saying is that it isn't hard, and that they can do it. They are basically mocking the guys who said it was indestructible, and, to put it kindly, saying that "they suck". This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

      If Microsoft were better than the botnet people the botnets would not exist in the first place.

    17. Re:Impossible really means nobody knows how by shentino · · Score: 2

      What can be done to stop cancer, and what is practical, are two separate things. And it's not all biology and chemistry, either.

      Consider also that a real cure for cancer would ruin the market for chemotherapy, among other things, and I have to ask.

      Besides lucrative one time sales, what incentive do pharmaceutical companies have to actually cure cancer? Once someone is cured, they are no longer a patient.

    18. Re:Impossible really means nobody knows how by Anonymous Coward · · Score: 0

      >> The proof's in the pudding. NO! The proof of the pudding is in the eating. Regards, Proverb Nazi.

    19. Re:Impossible really means nobody knows how by WrongSizeGlass · · Score: 1

      This is Microsoft throwing down the gauntlet and saying, "we are better than you." Who knows, maybe they are.

      Are you saying Microsoft is going to exploit an unpatched security hole in Windows and infect the infected computers with the antidote? Hmm ...

      Ballmer: I've got your antidote right here, and that antidote is more cowbell!

    20. Re:Impossible really means nobody knows how by maxwell+demon · · Score: 1

      >> The proof's in the pudding.

      NO! The proof of the pudding is in the eating.
      Regards,
      Proverb Nazi.

      But the proof is in the pudding. I know for sure, because I just put it there. You know, sort of a fortune pudding. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    21. Re:Impossible really means nobody knows how by Anonymous Coward · · Score: 0

      it seems all too common for people with law-centric world views to be completely out of sync with a world that operates on the principles of physics.

      You know, I actually agree completely, but I can't say how amused I am by a statement like this on a site where people with a tech-centric world view congregate and regularly debate worlds that operate on the principles of law (the courts) and political considerations (politics, duh). The comments here on Slashdot usually show that people are completely out of sync with those, too, yet they are also regularly unable to even acknowledge that much, so comments like yours are... ironic. (And now there'll be half a dozen armchair linguists jumping out decrying the misuse of the word "ironic", of course. Which also is ironic.)

    22. Re:Impossible really means nobody knows how by petermgreen · · Score: 1

      The thing is, you can't realistically go doing no-knock raids on every node in a significant botnet, and without a huge level of network monitoring across the globe it's virtually impossible to figure out where a message was initially injected into the network.

      So it would appear to me that taking down a competently designed (communication by broadcast messages signed using public key crypto) botnet would be practically impossible.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    23. Re:Impossible really means nobody knows how by delinear · · Score: 1

      That's a pretty short term view. People are always patients eventually. The thing with cancer is that it often kills (relatively) quickly compared to the raft of illnesses and disabilities that plague old age. If big pharma could keep people alive for another 30 years on average (not unfeasible in the absence of cancer) they could milk them for all kinds of other ailments. And besides all that - how much do you think people would pay for that one time cure? They could pretty much make up a price, triple it and still have people lining up to buy.

      Going back to GP's point, there is a fundamental difference between comparing security blackhats vs whitehats to comparing human medical knowledge to cancer. The real problem with cancer is that we're only just beginning to understand what it is, what causes it, how it works (how all the other complex systems of the body that it interacts with work) - we're pretty much fighting an unknown. In the blackhat vs whitehat debate we're talking about groups of people with relatively similar skillsets, the only real variable is how many there are on each side and how much money they have backing them. In that scenario it's much simpler to fight botnets than it is to fight cancer, you just throw money at the problem until it's unprofitable for the blackhats - the real issue is that nobody wants to spend that kind of money on security.

    24. Re:Impossible really means nobody knows how by Rockoon · · Score: 1

      ...the incentive is that if company A doesn't market the cure, then they run the risk of company B doing so first. Unless you presume unilateral collusion (either consciously or unconsciously), then you must presume that no company will hold back a cure (for very long) if they have one.

      This is the prisoner's dilemma. All parties win the most as long as there is no known cure, but if someone defects and reveals the cure then only the defector wins.

      --
      "His name was James Damore."
    25. Re:Impossible really means nobody knows how by Anonymous Coward · · Score: 0

      As long as the user's apparent IQ drops to 50 whenever they touch the mouse, neither Ballmer, Jobs, Torvalds, nor RMS are capable of preventing botnets. Software makers are powerless before the scourge of "OMG CLIX 2 SEE TEH CUTE HAMPSTERDANCE".

    26. Re:Impossible really means nobody knows how by Lennie · · Score: 1

      Is the Internet indestructible ? Or the planet ?

      Well, in a way yes.

      Because you'd need a pretty big disaster to destroy the earth.

      And if there is no planet, who cares ? I mean we'll probably not survive either.

      Anything which can 'destroy' the Internet is probably so big an advancement in technology that the Internet became useless or the above mentioned disaster and then not much survived either.

      So if the solution is to create a version of Windows which doesn't allow you to install any applications, kinda like the walled garden that Apple iOS is, then the solution isn't really killing the botnet, just making it irrelevant.

      --
      New things are always on the horizon
    27. Re:Impossible really means nobody knows how by lawyer+boy · · Score: 1

      It doesn't help that it's a lawyer doing the trash talking either; it seems all too common for people with law-centric world views to be completely out of sync with a world that operates on the principles of physics.

      I find your lack of faith disturbing.

    28. Re:Impossible really means nobody knows how by Creepy · · Score: 1

      Still, I think they're right - if you can find a control node of some kind, you should be able to shut down any botnet. Botnets are (nearly?) always set up to execute arbitrary code (I don't know of any that aren't) - in fact, most inject more malware while they operate, so injecting a self destruct that plugs whatever security hole(s) the botnet was exploiting should theoretically shut down the net, but it won't remove the malware, which may reinstall a botnet - it may need to be a 2-tier injection - one that targets both the security holes and injects antivirus/antirootkit software to clean up the mess.

      I think MS learned its lesson. When I was in grade school, Microsoft claimed their re-release of (subLOGIC's) Flight Simulator was uncrackable. 3 hours after they started selling it retail, cracked copies were circulating on pirate BBSes (a group on the west coast won that race, as I recall; there actually was a competition between several pirate guilds in the US to see who would be first). My point is never underestimate a determined group of people with a cause, as they will probably surprise you with how quickly they prove you wrong.

    29. Re:Impossible really means nobody knows how by Anonymous Coward · · Score: 0

      Jesus Christ, do you have any idea how IDIOTIC you come off when you beat that old drum "big pharma doesn't want to cure disease because they'd rather have patients, HUR HUR!"

      Try to understand this: if company A produces a magic bullet for cancer, or even just something that substantially improves the success rate in treating a particular set of cancers, then that company will overnight make all competing chemotherapies effectively obsolete. They can price it wherever they want--they could make it a million dollars a dose and get rich, or they could sell it dirt cheap and STILL get rich by driving everybody else out of the market place. Company A will effectively have a license to print money for the life of the patent on the drug. This far outweighs the value of any other oncology drugs Company A might have in their arsenal (particularly considering their limited patent life, compared to a newly licensed agent).

      Now try to understand that EVERY major drug company with an oncology division wants to be Company A. They're all plowing tons of money into finding broadly active, highly effective cancer drugs, because in a field where real progress is measured by the gain of a few measly months of progression-free survival, a drug which substantially reduces mortality will be worth a fortune. Even if you believe in some evil industrial cabal that would try to suppress such a discovery, it just doesn't hold water. No company would hold back such a valuable product once they knew it worked, and the doctors involved in the clinical trials (most of whom are NOT employed by the company testing the drug) would scream bloody murder if a truly useful drug was withheld for economic reasons.

      Don't get me wrong, Big Pharma is still evil, but they're not so evil that they'll give up their shot at the brass ring just to nickel and dime patients for a few extra months. Making up spook stories about them just distracts from the many things they do which are ACTUALLY wrong.

    30. Re:Impossible really means nobody knows how by amn108 · · Score: 1

      Let's hope then that in time, users will understand that the only thing that will save them from one botnet is ... another, hopefully legitimate botnet operated by the good guys.

      Begun the botnet war has.

    31. Re:Impossible really means nobody knows how by Zironic · · Score: 1

      The thing is, even if your botnet is written perfectly, are you perfect? Have you never told -anyone- about your malware and where you live? Are you -completely- sure that no one is monitoring your proxy?

      It's really hard to answer yes to all of those questions, and that's why Microsoft can be successful when they have the resources to throw around that they do.

    32. Re:Impossible really means nobody knows how by Geminii · · Score: 1

      Which is why you write your botnet clients and infrastructure as if they were created by a coalition of the US government, Microsoft, the RIAA, 4chan, Anonymous, fifteen televangelists, and Steve Jobs.

      Then, while it's wreaking havoc and distracting all the wannabe reverse engineers, you steal their socks.

    33. Re:Impossible really means nobody knows how by Anonymous Coward · · Score: 0

      No, impossible means: not possible; unable to be, exist, happen, etc.

      So while it might be one of the biggest pains in the ass to do, it can be done. If you give up trying to get rid of the botnet and just say that it's impossible, then it becomes a self-fulfilling prophecy and will remain around forever. As long as you have the resources, time, and talent on your side you can do almost anything, and Microsoft has a fairly large pool of all three to fight the battle and even possibly win; only time will tell.

    34. Re:Impossible really means nobody knows how by mark-t · · Score: 1

      First of all, they used the term "virtually indestructible", as opposed to claiming it was wholly or literally indestructible.

      Second of all, Microsoft is certainly free to prove them wrong.

      My money would be on Microsoft not being willing to spend the time or the resources to make a significant difference... which means that their "throwing down the gauntlet" as it were is just so much hot air.

    35. Re:Impossible really means nobody knows how by mark-t · · Score: 1

      Besides lucrative one-time sales, what incentive do pharmaceutical companies have to actually cure Typhoid? Leprosy? Malaria? Tetanus? Diphtheria? What incentive is there to offer a one-time cure when they can just lucratively siphon money from people who could suffer from the symptoms of these illnesses until they (possibly) die?

      I trust my sarcasm is evident... Smallpox has been wiped off of the planet (outside of contained samples in medical labs for study) thanks entirely to medical cures and technological advancements, but by your reasoning, there's no logical reason that they should ever do this, when they could make so much more money treating people endlessly instead of curing them. Amazing as it might seem to you, human life still has value.

      For what it's worth, many cancers that were untreatable 50 years ago are entirely curable now... it's just not typically as easy as taking a pill or getting an immunization shot.

    36. Re:Impossible really means nobody knows how by Anonymous Coward · · Score: 0

      What's wrong with taking charge of its command and control servers and using them to push down patches to the infected machines?

    37. Re:Impossible really means nobody knows how by orange47 · · Score: 1

      perhaps the 'good guys' could set up a network of honeypots to locate most nodes. then shut them down in cooperation with ISPs. guess it will come to that sooner or later.

    38. Re:Impossible really means nobody knows how by Anonymous Coward · · Score: 0

      Well, if you can't see a good way, then there must not be one.

    39. Re:Impossible really means nobody knows how by psyclone · · Score: 1

      I'm glad you're willing to give up your domain name, since it was hosted on an 0wned server that was a Command & Control server for the botnet, and through some legal work, your domain was forfeited to Microsoft so they could attempt to disable the botnet.

      (The botnet operator decided to use your domain name (among many, many others) for botnet clients to connect to and receive their instructions. The court order you implicitly agreed with in your statement above allowed your domain to be seized.)

    40. Re:Impossible really means nobody knows how by Omnifarious · · Score: 1

      Yeah, having a large enough portion of the network under your control would certainly help in tracking it all down. That is one strategy. If I were the designer, I would have each node cache the addresses of all the other nodes, but only use some small number of nodes out of that cache. Only cycle a node out if it's been unreachable for a few days.

      That both makes it really hard to track down the whole network, even if you own 0.1% of the total nodes. You'd have to own something like 5-10% of the nodes in order to do it. And even if you tracked down 90% of the network, the other 10% would still be able to find each other.

    41. Re:Impossible really means nobody knows how by shentino · · Score: 1

      Shooting everyone in the foot, while making sure one's own foot gets the last bullet, still doesn't let you keep walking when everyone collapses.

      I mean sure, the one lucky bastard would make a small fortune, but it wouldn't last forever.

  4. Yeah.. by mybeat · · Score: 0

    I agree with the whole nothing is impossible thing, but if bad guys were dumber it wouldn't take smart guys so much time to take out a botnet in the first place, would it?

    1. Re:Yeah.. by shentino · · Score: 1

      It's more like the good guys are handicapped in that they have to follow the law, whereas the bad guys have no such restraints.

      Botnets would be much easier to take down if white hats were allowed to hijack them and make them self destruct.

    2. Re:Yeah.. by Riceballsan · · Score: 1

      Well if that part were easy I would imagine grey hats/vigilantes would have done that by now. Though it would depend largely on what self destructing would entail. Self destructing as in the botnet removes itself from the infected computers, or self destructing as in having the botnet completely format infected systems.

  5. Nuke the internet tubes from orbit! by Anonymous Coward · · Score: 0

    It's the only way to be sure.

  6. Strictly speaking... by Anonymous Coward · · Score: 0

    ...He's right. Theoretically, we could nuke the earth from orbit, destroying all botnets (and life). It's always a question whether it's worth it or not.

    I draw parallels to the illegal file-sharing issue: it's possible we could stop piracy dead in the water (pun intended) by monitoring and analysing everyone's transmitted information, everywhere, outlawing and banning cryptography from our networks etc... but would we want to?

    In fact, I dare say that if we can't/won't stop illegal file-sharing, (and I think we can't/won't) we can't/won't stop botnets.

    1. Re:Strictly speaking... by Anonymous Coward · · Score: 0

      it's possible we could stop piracy dead in the water (pun intended) by monitoring and analysing everyone's transmitted information, everywhere, outlawing and banning cryptography from our networks etc... but would we want to?

      We are doing it already.

      Regards,
      The NSA.

    2. Re:Strictly speaking... by Lanteran · · Score: 1

      Great, you're giving the MAFIAA ideas!

      --
      "People don't want to learn linux" hasn't been a valid excuse since '03.
    3. Re:Strictly speaking... by rohan972 · · Score: 1

      Theoretically, we could nuke the earth from orbit, destroying all botnets (and life). It's always a question whether it's worth it or not.

      The claim made is that "no botnet is indestructible, any botnet can be taken down". You appear to have misread that as "we can take down all botnets, eliminating them so that there are no botnets in existence." These are very different claims.

  7. They lost me. by Anonymous Coward · · Score: 0

    Microsoft and bot net operators... sorry, I am lost. Where are the good guys that were mentioned?

    1. Re:They lost me. by c0lo · · Score: 1

      Microsoft and bot net operators... sorry, I am lost. Where are the good guys that were mentioned?

      They're characters of the legends and folklore... the mention was "To say that it can't be done underestimates the ability of the good guys" (like in "the abilities of the good guys must never be underestimated"; they are demi- or full-time Gods or at least Spiderman).

      --
      Questions raise, answers kill. Raise questions to stay alive.
    2. Re:They lost me. by Anonymous Coward · · Score: 0

      I think the good guys were the government. *snicker*

    3. Re:They lost me. by Anonymous Coward · · Score: 0

      They were implied: UNIX operators of course.

    4. Re:They lost me. by That+Guy+From+Mrktng · · Score: 1

      a Microsoft lawyer

      There, on the very first line.

      In all seriousness I see no problem in MS saying: "Our product quite sucks in security, we pretty much can't do much about it since rewriting the whole thing would be like kicking our lunch box... so we will just have hordes of lawyers to LEVERAGE our influence in governments around the world to help us butfuck botnet creators IRL (in real life)"

      I don't care how they do it; if they can do it, go for it, and since you're there... WHY NOT go after spammers?

  8. spoken by a lawyer by Anonymous Coward · · Score: 0

    Nothing is impossible, eh? Let's try shifting the domain to something that lawyer might know about.

    All crimes are solvable. All criminals are found guilty. All innocents are acquitted. All lawyers engage their brains every time before they open their mouths.

    Oh and of course, the obligatory all Cretans are liars.

  9. Does anyone know by phantomfive · · Score: 1

    Another question, does anyone know when and why Microsoft decided to start taking on hackers? Do they get something out of it?

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Does anyone know by monkyyy · · Score: 1

      better image for windows, and probably a small legal reason in a few places

      --
      warning pointless sig
    2. Re:Does anyone know by Anonymous Coward · · Score: 0

      Do you?

    3. Re:Does anyone know by Anonymous Coward · · Score: 0

      Probably to pave the way for "anti-hacking" measures in future Windows versions.

      "We're tracking your every keystroke to prevent hacking because we care about you, our customer. It's really not any privacy concern. Oh dear, you typed 'linux' into your web browser and linux is a highly contagious disease to your computer" (redirects to microsoft propaganda website)

    4. Re:Does anyone know by Anonymous Coward · · Score: 0

      Safety for all of their customers. I am not sure when the patches started, but I would assume they are protecting their assets.

  10. Cockroach analogy by Mathinker · · Score: 1

    Damn, you more or less beat me to the obvious parody / analogy: "We can exterminate all cockroaches".

  11. trapdoor function by epine · · Score: 2

    It's not just a question of intellect if one party is on the easy side of the trap door function, and their adversary isn't.

    Given Microsoft's traditional shortcomings in mental subtlety, I'm not eager to concede they've properly thought this position through.

    Just wait until bitcoin merges with the global ad hoc network. Even Microsoft will gulp at the rental fees on a fully commissioned Death Star.

  12. LOL - the silver bullet! by Narcocide · · Score: 1

    Brilliant, Microsoft, just brilliant. Fight bot nets by patent trolling them. That will *totally* work.

    1. Re:LOL - the silver bullet! by hairyfeet · · Score: 2, Informative

      WTF? Nobody said anything about Ballmer and what was said is common logic. If a machine isn't bricked it can be fixed, end of story. As someone that cleans PCs 6 days a week I can tell you this is a fact, and while it is often faster to nuke, it isn't the only way to get the job done.

      For those that are infected, or are having to clean a friend or relative that is infected, MSFT has a nice new free tool to help you out. I tripped over it a couple of weeks back on one of my favorite freeware sites and after giving it a go on a couple of infected boxes I must say they passed multiple subsequent virus scans totally clean. Kinda slow, but for a deep scan that is to be expected. The nice thing is it creates a bootable CD or USB stick, so even if the machine is pwned so bad it won't boot you can get in there and clean it up.

      It is called Microsoft Standalone System Sweeper and is a really nice tool to add to your toolbox and is 100% free to those with a legal copy of Windows. It has a 32-bit and a 64-bit version, but one can burn both CDs on either OS; the bit refers to the infected system, not the clean machine. It updates itself when you make the CD/USB, it cleans rootkits and bootbugs, and it doesn't cost a cent. MSFT should advertise it better, but other than that, after several uses I have no complaints.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:LOL - the silver bullet! by G-forze · · Score: 1

      while it is often faster to nuke it isn't the only way to get the job done

      But it's the only way to be sure.

      --
      "There's someone in my head but it's not me." - Pink Floyd, Dark Side of the Moon
    3. Re:LOL - the silver bullet! by Anonymous Coward · · Score: 0

      Nice one. I've got a few similar tools (and have even used Edit as an AV tool in Recovery Console) but always interested to try new products. Will see this weekend how well it integrates with my PXE environment.

    4. Re:LOL - the silver bullet! by 1s44c · · Score: 1

      Reinstalling the infected machine is the only way to get the job done and be 100% sure it has been done. Even if you boot from a clean CD you can't be sure MS's tool will clean everything. Windows doesn't even have a package manager that will let you checksum all files provided by a package, so it's all a big mess.

      You might get 90% coverage with MSSS on the day it is released but that will go down fast once the bad guys adapt to it.

      Reinstall it, put a real firewall in front of it, not the MS firewall nonsense, use updated virus scanners, use noscript and flashblock. Never install third party software from anyone you don't totally trust (which rules out almost everyone). It will still be a long way from secure but it's a start. Or even better, use a secure OS to start with.

    5. Re:LOL - the silver bullet! by 1s44c · · Score: 1

      If you have a PXE environment you can reinstall fast.

      Why would you want 80% coverage when you could have 100%?

    6. Re:LOL - the silver bullet! by hairyfeet · · Score: 1

      While I agree with you 110%, sometimes the customer simply isn't willing to pay the costs of having ALL their data backed up, which on some of these machines can take hours. We are talking multiple users with multiple docs and videos and music and....well that can take a hell of a lot of time.

      So you do what you can, you warn them there is no way to be 100% sure, then you do what you have to do. With the economy in the toilet there are a lot of folks out there that simply can't afford my $35 an hour to sit there and back up tons of crap and put it all back. This is why I stress the importance of backups and USB HDDs, but if they are coming from another shop? Well, sadly I've found most places won't even put any AV on, just get them done and out the door.

      But other than that I agree with you completely. Well, except for the firewall: while the XP firewall was shit, the Vista/7 firewall is actually pretty nice. For XP users I usually give them Comodo IS which comes with a better firewall, and for Vista/7 I use Avast free. Both work well and help keep the machine clean, along with tossing IE for Comodo Dragon with ABP to keep out the malware carrying ads.

      So trust me friend, there is nothing I'd rather do than just nuke the thing, but some of these folks haven't done a backup in years. You really don't nuke those without doing a seriously thorough sweep; after all, if you wipe their late grandma's pics which they had NO backup for they won't be happy. Even if I clone the drive you are still talking hours to clean the gunk and reinstall all the files, and as I said that ain't cheap, whereas I can do a cleaning for just $75 as I have much of that automated. I don't really like to do it, but I can't afford to spend half a day working on a machine for free, I got bills to pay too ya know?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:LOL - the silver bullet! by Anonymous Coward · · Score: 1

      While I agree with you 110%,

      When someone agrees with me "110%" I take it as an indication that I might need to rethink my position.

      So you do what you can, you warn them there is no way to be 100% sure,

      See, now when you say that I have to wonder "how much is a mere 100% sure?" It's obviously not completely, since your scale goes to at least 110. It might even be that your scale goes to 600, in which case 100% sure is not very sure at all.

    8. Re:LOL - the silver bullet! by Anonymous Coward · · Score: 0

      sometimes the customer simply isn't willing to pay the costs of having ALL their data backed up

      Which is exactly why I tell my friends that it is their only option; it's a win/win solution for me: either they will grow to hate MS with a vengeance, or they won't ask me for help again.

    9. Re:LOL - the silver bullet! by Bent+Spoke · · Score: 1

      All true, if detected. Viruses that can evade detection are more likely to attain longevity.

    10. Re:LOL - the silver bullet! by Riceballsan · · Score: 1

      Removing the botnets from individual systems was never the quote or discussion to begin with. It's a known fact that with enough time and energy any infected system can be cleaned, though it is very difficult to be positive of when everything has been found. The greater issue is behind the quote, however: the discussion was never about taking out individual machines on a one at a time basis, but whether they can do as they did to similar botnets, as far as decapitating the controller to stop the botnet from spreading. While technically possible to take every single machine in and clean them all in an individual process, I don't think there are enough groups on earth that can advocate eliminating a botnet by taking every single machine connected to the internet in and running a program on every computer to prevent it from spreading. Even if removing the infection was as simple as running a 1KB batch file, actually identifying the infected and getting each user to execute it would be impossible.

  13. Microsoft in Secret Defence Contract with NSA? by Anonymous Coward · · Score: 0

    Probably some secret defence contract deal to bring the anti-terrorist cyber warriors of USA into every Windows installation on the planet that secretly protect the Internet and USA against Anonymous.

  14. Oh...fucking....shit. by Anonymous Coward · · Score: 0

    Uh oh, now they've gone done it.

  15. Legally creative? by Anonymous Coward · · Score: 0

    As in "This is not a POW; this is an enemy combatant" legal creativity?

    To be honest, "Legally creative" are words I never want someone with power to utter.

  16. Vanity, one of the capital sins by Anonymous Coward · · Score: 0

    They surely like to think about themselves as being the "god guys".

  17. Commandments by Anonymous Coward · · Score: 0

    20:16 Thou shalt not bear false witness against thy neighbour.

    20:17 Thou shalt not covet thy neighbour's house, thou shalt not covet
    thy neighbour's wife, nor his manservant, nor his maidservant, nor his
    ox, nor his ass, nor any thing that is thy neighbour's.

    God says...

  18. They will get an even worse reputation otherwise by dbIII · · Score: 1

    Since malware is currently a Microsoft only problem there is a direct benefit to them to deal with it. Various fanboys will pretend they are unable to read the word "currently", so I'll add it again and pre-empt the crap about Apple, Linux, Solaris, Irix, AIX, BeOS, Amiga, Plan 9 or Atari being potentially vulnerable sometime by saying the malware that is rampant NOW is more important than theoretical or historical threats.
    Taking increased measures against malware doesn't really require a lot of resources and is definitely to their benefit.

  19. If "Nothing is impossible"... by Anonymous Coward · · Score: 0

    Then creating an indestructible botnet is possible, right?

    1. Re:If "Nothing is impossible"... by maxwell+demon · · Score: 1

      Then creating an indestructible botnet is possible, right?

      Yes, but under that premise destructing an indestructible botnet is possible, too.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:If "Nothing is impossible"... by tagno25 · · Score: 1

      If someone makes a self replicating botnet w/o C&C it could be indestructible. Make it look at chat streams from victims for domains to DDoS, then distribute that via a p2p network using port 443 (and 22) and self signed certs. Every node then attacks the most common one in a 2 hour period, and then ignores that domain for up to one month.

  20. They know what they're talking about... by anti-pop-frustration · · Score: 0, Troll

    Microsoft: No Botnet Is Indestructible

    They should know, they created most of them.

    1. Re:They know what they're talking about... by Anonymous Coward · · Score: 0

      So are you saying that by creating the botnet operating system, that they're somehow responsible for creating the botnets themselves? That's a little unfair IMO.

  21. funny attorney by Anonymous Coward · · Score: 0

    > 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"

    That was not a question.

  22. What they really want to say by drolli · · Score: 1

    As long as we control the IT desktop monoculture it will always be a better investment for botnet operators to search for new holes than to harden their botnets.

  23. Re:The Snow Leopard partition still works by Anonymous Coward · · Score: 0

    cool bro thx 4 sharing

  24. lolwut? Microsoft Digital Crime Unit what? by lexsird · · Score: 1, Funny

    Oh I want to know more about these guys...lol /popcorn

    --
    Take the Red Pill.
  25. And it is by JustOK · · Score: 1, Insightful

    Microsoft Windows et al IS the botnet.

    --
    rewriting history since 2109
    1. Re:And it is by HetMes · · Score: 0

      Yes, this type of comment always goes down well with the Slashdot crowd. Nevertheless, it is time you moved away from your Win98 machine and entered the real world.

    2. Re:And it is by JustOK · · Score: 3, Funny

      I'm still waiting for it to finish shutting down.

      --
      rewriting history since 2109
    3. Re:And it is by melikamp · · Score: 1

      HAHAHA According to Micro$oft, your new and shiny Windows 7 is three times less likely to be botted than old and crufty XP, with infection rate still above 1%. In the real world, however, the infection rate is certainly above this estimate. Also, unlike 7, 98 was kind enough not to spy on you and phone home every day. The reason GP's comment goes well with this crowd is the fact that Windows 7 is a botnet by any sensible definition, made legal via EULA.

  26. Re:The Snow Leopard partition still works by SleepyHappyDoc · · Score: 1

    "bricked for internet usage"

    WTF does that even mean?

    --
    Stasis is death. Embrace change.
  27. Windows 7 checks in with M$ so he thinks yes by NSN+A392-99-964-5927 · · Score: 4, Informative

    Let me start by saying every time you boot your system on Windows 7, data is sent to Microsoft to check whether you are online and for internet connectivity.

    Now, although you probably never gave it a second thought, NCSI is an active tool used by Microsoft to lead Boscovich to these comments.

    I am not sure if this has been posted on /. before, however this url http://blog.superuser.com/2011/05/16/windows-7-network-awareness maybe makes Boscovich feel all warm and fuzzy inside, as they can do more with NCSI and cut out botnets. This can be defeated as in the URL above.

    Whilst I am on a roll, http://www.microsoft.com/industry/government/solutions/cofee/default.aspx is nothing special; the commands in COFEE with some extra switches are:

    arp.exe -a
    at.exe
    autorunsc.exe
    getmac.exe
    handle.exe -a
    hostname.exe
    ipconfig.exe /all
    msinfo32.exe /report %OUTFILE%
    nbtstat.exe -n
    nbtstat.exe -A 127.0.0.1
    nbtstat.exe -S
    nbtstat.exe -c
    net.exe share
    net.exe use
    net.exe file
    net.exe user
    net.exe accounts
    net.exe view
    net.exe start
    net.exe Session
    net.exe localgroup administrators /domain
    net.exe localgroup
    net.exe localgroup administrators
    net.exe group
    netdom.exe query DC
    netstat.exe -ao
    netstat.exe -no
    openfiles.exe /query/v
    psfile.exe
    pslist.exe
    pslist.exe -t
    psloggedon.exe
    psservice.exe
    pstat.exe
    psuptime.exe
    quser.exe
    route.exe print
    sc.exe query
    sc.exe queryex
    sclist.exe
    showgrps.exe
    srvcheck \\127.0.0.1
    tasklist.exe /svc
    whoami.exe

    Awww how 31337 M$

    --
    All cows eat grass!
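A defender-side illustration of what a command list like the one above is used for (added here; not code from the post, from Microsoft or from COFEE): a PowerShell live-response collector that runs the Windows-native commands in that list, saves each output to a case directory and records SHA-256 hashes so an analyst can later show the collection was not altered. It assumes an elevated PowerShell 4.0 or later session on the host being examined; the Sysinternals tools in the list are left out because they are not shipped with Windows.

```powershell
# Added example, not from the post or from COFEE: a minimal live-response collector built
# from the Windows-native commands in the list above. Each command's output is saved to a
# case directory and hashed so an analyst can later prove nothing was altered.
# Assumptions: elevated PowerShell 4.0+ (for Get-FileHash) on the host being examined.
# Sysinternals tools from the list (pslist, handle, psloggedon, autorunsc, ...) are omitted
# because they are not shipped with Windows.

function Invoke-TriageCollection {
    param(
        [string]$CaseDir = (Join-Path $env:TEMP ('triage_' + (Get-Date -Format 'yyyyMMdd_HHmmss')))
    )
    New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

    # Volatile state first (connections, sessions, processes), then configuration.
    $commands = @(
        'netstat.exe -ao', 'netstat.exe -no', 'arp.exe -a', 'route.exe print',
        'nbtstat.exe -n', 'nbtstat.exe -S', 'nbtstat.exe -c',
        'net.exe session', 'net.exe file', 'net.exe use', 'net.exe share',
        'quser.exe', 'openfiles.exe /query /v', 'tasklist.exe /svc',
        'sc.exe query', 'sc.exe queryex', 'net.exe start',
        'net.exe user', 'net.exe accounts', 'net.exe localgroup',
        'net.exe localgroup administrators', 'whoami.exe',
        'hostname.exe', 'getmac.exe', 'ipconfig.exe /all'
    )

    $manifest = foreach ($cmd in $commands) {
        # File name derived from the command so the bundle stays human-readable.
        $outFile = Join-Path $CaseDir (($cmd -replace '[^A-Za-z0-9]+', '_').Trim('_') + '.txt')
        $started = Get-Date
        # cmd.exe runs the command exactly as typed; stderr is merged so failures are kept too.
        $output = & cmd.exe /c "$cmd 2>&1"
        $exitCode = $LASTEXITCODE
        $output | Out-File -FilePath $outFile -Encoding utf8
        [pscustomobject]@{
            Command  = $cmd
            Started  = $started.ToString('o')
            ExitCode = $exitCode
            File     = $outFile
            SHA256   = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
        }
    }

    $manifestPath = Join-Path $CaseDir 'manifest.csv'
    $manifest | Export-Csv -Path $manifestPath -NoTypeInformation
    # One hash over the manifest lets the whole bundle be verified against a single value.
    (Get-FileHash -Path $manifestPath -Algorithm SHA256).Hash |
        Out-File -FilePath (Join-Path $CaseDir 'manifest.sha256') -Encoding ascii
    return $CaseDir
}

function Test-TriageBundle {
    # Recomputes every artifact hash against the manifest; returns the files that no longer match.
    param([Parameter(Mandatory)][string]$CaseDir)
    $rows = Import-Csv (Join-Path $CaseDir 'manifest.csv')
    $mismatched = foreach ($row in $rows) {
        if (-not (Test-Path $row.File) -or
            (Get-FileHash -Path $row.File -Algorithm SHA256).Hash -ne $row.SHA256) {
            $row.File
        }
    }
    return @($mismatched)
}

$dir = Invoke-TriageCollection
$bad = Test-TriageBundle -CaseDir $dir
Write-Host "Bundle written to $dir; $($bad.Count) artifacts failed hash verification"
```

Copy the case directory to removable media before doing anything else on the host; re-running Test-TriageBundle on the copy confirms the artifacts match the hashes recorded at collection time.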
    1. Re:Windows 7 checks in with M$ so he thinks yes by Anonymous Coward · · Score: 0

      Let me start by saying every time you boot your system on Windows 7, data is sent to Microsoft to check whether you are online and for internet connectivity.

      Why do you stupid FUD spreaders care about this? The behavior is documented, and NCSI does absolutely nothing fishy.

    2. Re:Windows 7 checks in with M$ so he thinks yes by Anonymous Coward · · Score: 0

      I honestly have no idea what you're trying to say here.

  28. Good guys? by niftydude · · Score: 0

    'To say that it can't be done underestimates the ability of the good guys,' Boscovich said. 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"

    This might be true - but the underlying assumption is that Microsoft has some of the good guys working for them... Microsoft seems to be chock full of barely competent guys these days. And the bad guys are easily smarter and better than those.

    --
    You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
    1. Re:Good guys? by raddan · · Score: 1, Insightful

      That's not true. I'm no Microsoft apologist (I run OpenBSD and Linux) but Microsoft has some of the smartest people out there. The problem is, those people are neatly compartmentalized, in the form of Microsoft Research. Much of their work is highly regarded in the compsci community. But Microsoft-the-software-company often fails to see the potential of their work. I suspect that Microsoft's "don't rock the boat" approach is an official business strategy.

    2. Re:Good guys? by Anonymous Coward · · Score: 0

      I think MS researchers get big bucks if their research is productized. There is definitely incentive there. The real problem is that most Microsoft products are huge freight trains. They are set in motion years before release and getting them to change direction is difficult. There is also strong risk aversion to putting half-baked technology into products (which research is). So MSR first has to get their research into the product pipeline and additional work has to be done to bring it up to production level. That could easily take five years from first publication to product ship.

      MS would pay a lot of money to a person with the knowledge and leadership skills to speed that process up. However, convincing them you have that ability would probably be more difficult than that task itself.

  29. Easy! by Anonymous Coward · · Score: 0

    Go for the people behind it!

    The number of people writing bots and controlling them must be fairly limited, so just take them out. Yes, I do mean to hunt them down and kill them. That way they're permanently out of the picture, and it is most likely the rest will run and hide when the elimination starts, never again to be involved with botnets... Problem solved. If the action triggers some reaction from the crime organizations behind them, just take them out too. Let them learn that they're neither untouchable nor indestructible... Problem solved.

  30. Boscovich is an idiot by Anonymous Coward · · Score: 0

    I would accept as an axiom that the bad guys are smarter, better. How else does one explain the world today?

  31. Then DRM cannot be indestructible either by Anonymous Coward · · Score: 0

    Is not the problem of securing botnets and DRMed media similar? For both, the "key" (the vital secret for (d/en)cryption) is on untrusted hardware. By that I mean hardware not directly under the supervision of botnet/DRM personnel. In my mind, that is the weakness of both.

    Would TCP (trusted computing platforms) be the only end to botnets? I'm all for TCP if it could never be used to secure the hardware against me, the owner of the hardware.

    1. Re:Then DRM cannot be indestructible either by delinear · · Score: 1

      While ever it couldn't be used to secure the hardware against you, we'd never see the end of botnets - so no, TCP is not the answer if you want the squishy meatbag behind the keyboard to be able to override it. The second you give the user autonomy, no matter how secure your system is, you've lost. The malware writers will focus their energies on "socially engineering" the user into installing stuff for them, instead. Personally I'd rather live in an imperfect world where we have botnets but aren't lumbered with TCP than an imperfect world where we have TCP and we still have botnets.

  32. "false witness" is accurate by Anonymous Coward · · Score: 0

    20 I tell you, unless your righteousness surpasses that of the scribes and Pharisees, you will not enter into the kingdom of heaven.
    21 "You have heard that it was said to your ancestors, 'You shall not kill; and whoever kills will be liable to judgment.'
    22 But I say to you, whoever is angry with his brother will be liable to judgment, and whoever says to his brother, 'Raqa,' will be answerable to the Sanhedrin, and whoever says, 'You fool,' will be liable to fiery Gehenna.
    23 Therefore, if you bring your gift to the altar, and there recall that your brother has anything against you,
    24 leave your gift there at the altar, go first and be reconciled with your brother, and then come and offer your gift.
    25 Settle with your opponent quickly while on the way to court with him. Otherwise your opponent will hand you over to the judge, and the judge will hand you over to the guard, and you will be thrown into prison.
    26 Amen, I say to you, you will not be released until you have paid the last penny.
    27 "You have heard that it was said, 'You shall not commit adultery.'
    28 But I say to you, everyone who looks at a woman with lust has already committed adultery with her in his heart.
    29 If your right eye causes you to sin, tear it out and throw it away. It is better for you to lose one of your members than to have your whole body thrown into Gehenna.
    30 And if your right hand causes you to sin, cut it off and throw it away. It is better for you to lose one of your members than to have your whole body go into Gehenna.

    God says...

  33. from a linux user by Anonymous Coward · · Score: 0

    what's a botnet?

  34. It's always easier to destroy than to build... by FauxReal · · Score: 1

    I suppose much like there's no 100% secure server there's no 100% invincible botnet. It's almost always easier to destroy than to create/build something.

  35. In Soviet Russia by Wrexs0ul · · Score: 2

    Botnet shuts-down You!

    But seriously, this is scary stuff. I like the idea of a big IT house using the best and brightest to shut-down malware, but who decides what malware is? How are they making money from this?

    -Matt

    --
    --- Need web hosting?
    1. Re:In Soviet Russia by maxwell+demon · · Score: 1

      Botnet shuts-down You!

      But seriously, this is scary stuff. I like the idea of a big IT house using the best and brightest to shut-down malware, but who decides what malware is? How are they making money from this?

      -Matt

      Nice software you have here. Would be a shame if it were classified as malware ...

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:In Soviet Russia by bkaul01 · · Score: 2

      How are they making money from this?

      Indirectly, as it affects their flagship product's reputation for security. If botnets spread unchecked, with most targeting Windows machines almost exclusively, that looks bad for Windows' reputation (even if it's due to moronic users who could manage to infect any given system). Declaring war on the botnets and actively taking them down both helps avoid negative reputation issues for Windows and builds Microsoft's reputation as a company that does the right thing for security, which is especially important now that they're rolling out more cloud services, etc. (Yes, I know this is slashdot, and I'll probably be modded down for not taking this opportunity to bash Microsoft, but nonetheless, that is the strategic benefit to them.)

    3. Re:In Soviet Russia by Anonymous Coward · · Score: 0

      (Yes, I know this is slashdot, and I'll probably be modded down for not taking this opportunity to bash Microsoft, but nonetheless, that is the strategic benefit to them.)

      You were doing pretty good until you started whining like a little bitch.

  36. Re:The Snow Leopard partition still works by RyuuzakiTetsuya · · Score: 1

    Stop trying to bait APK/HOSTS file guy. You're not any good at it.

    --
    Non impediti ratione cogitationus.
  37. Kill the botnet herders and hang them upside down! by Anonymous Coward · · Score: 0

    The best way to kill a botnet is to kill the botmasters. Follow the money trail to them and get rid of them extrajudically.

    Why should hackers be immune? Are they different from the taliban, who are getting UAV-launched guided missiles up their rear orifice on a daily basis in Afghanistan? Sir Isaac Newton stopped forgery of money by hanging a bunch of the culprits in London streets. Muslims cut off the hand of thieves.

    Act harsh unilaterally, oh Free World, and the nasty Russia, China, Brazil will soon learn that they better put away their hackers into prison labor camps of their own accord, rather than wait for US missile strikes to occur. Be brave, bold eagle, let freedom ring with the bang of explosives and not just on the 4th of July!

  38. nt by shentino · · Score: 1

    Botnets, like most criminal enterprises, have a distinct advantage in that the perpetrators consider themselves above the law.

    Their biggest strength is their willingness to exploit weaknesses and perform actions not available to law-abiding citizens. They are not, for example, averse to hijacking PCs, hooking up with shady providers, or even flouting international borders and strongholding in countries like Iran that are outright hostile to US interests and could actually be anywhere from indifferent to outright supportive of their actions.

    They are also able to move faster than law enforcement in many cases since they are not fettered by the courts or other bureaucratic machinations. If they want to relocate their CC servers, pass their holdings to someone else, or even shut down completely, they just do it, and they don't have to wait around for a court order or a subpoena to do it either.

  39. Thanks, but everybody already knows! by WoodenKnight · · Score: 1

    Zaphod-AVA essentially summed it up @ http://it.slashdot.org/comments.pl?sid=2282088&cid=36618244 on June 30.

    And Ram Herkanaidu, a Kaspersky Lab Expert confirmed it @ http://www.securelist.com/en/blog/516/TDL_4_Indestructible_or_not on July 4 that they do not believe the botnet is indestructible. Ram tried to downplay the sensationalist headline of it being indestructible by pointing out that they had used inverted comas around the word.

    But almost anybody even remotely interested in computing can probably guess and those who are into encryption can state for a fact that nothing in this "virtual world" is indestructible --- things only get a little difficult.

    So this is pretty much a lot of noise over the intended wit of an analyst.

    1. Re:Thanks, but everybody already knows! by maxwell+demon · · Score: 2

      they had used inverted comas

      Are inverted comas states of unusually intense consciousness? :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
  40. Surprisingly sensible, unexpected source by Whuffo · · Score: 1

    The recent media hyperventilation over "indestructible" malware that hides in the master boot record and requires a wipe and reload of the OS to fix - who writes this stuff, and did they ask anyone who knows anything about it? Apparently not.

    Oh noes; I've got a bad thing in my MBR; what shall I do? Tip: boot to command line (F8 at boot time) and a quick FDISK /MBR will take care of it. So much for that indestructible bullshit...

    1. Re:Surprisingly sensible, unexpected source by 1s44c · · Score: 1

      Oh noes; I've got a bad thing in my MBR; what shall I do? Tip: boot to command line (F8 at boot time) and a quick FDISK /MBR will take care of it. So much for that indestructible bullshit...

      You can't trust fdisk to do the right thing if your machine has already loaded who knows what malware. You need to boot off a clean CD.

    2. Re:Surprisingly sensible, unexpected source by Inf0phreak · · Score: 1

      Yes, you know that. But Joe Average doesn't. Any strategy aimed at defeating botnets that use rootkit techniques has to be aimed at the net itself. Fighting against individual infections is too inefficient and is a losing strategy.

      --
      ________
      Entranced by anime since late summer 2001 and loving it ^_^
    3. Re:Surprisingly sensible, unexpected source by maxwell+demon · · Score: 1

      Oh noes; I've got a bad thing in my MBR; what shall I do? Tip: boot to command line (F8 at boot time) and a quick FDISK /MBR will take care of it.

      Yeah, because there's no way the malware could have modified FDISK to write an infected MBR back ...

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:Surprisingly sensible, unexpected source by Rockoon · · Score: 1

      You really can't fully trust the CD either, and then on top of that there is the far worse firmware issue (both disk and BIOS firmware can be targeted) which really puts you up shit's creek with regards to that whole trust thing.

      --
      "His name was James Damore."
    5. Re:Surprisingly sensible, unexpected source by orange47 · · Score: 1

      It's naive to believe fixing the MBR would solve it. I doubt the virus infects only the MBR.

  41. They are right, but why do they need to say it? by gweihir · · Score: 2

    I think the meme of the "indestructible botnet" is just marketing, and people trying to make them or their research more important than it is. The sad thing is that the public seems to believe this nonsense.

    In practice, there are problems and killing a large botnet can be difficult. However, once you throw enough resources at the problem, it becomes entirely feasible.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:They are right, but why do they need to say it? by DMUTPeregrine · · Score: 1

      You can kill a botnet in a few ways: Kill the C&C servers, kill (arrest) the operators, kill each node.
      Most of the shutdowns so far have taken over the C&C servers. This doesn't stop the nodes from doing whatever they do, but they don't get new instructions or updates and they slowly get eliminated as AV software catches up. A few always remain until their host computers die (not running AV software, etc). The "indestructible botnet" (and any other Curious Yellow style botnet) is immune to this technique due to not having C&C servers.
      Arresting the operators has been done as well, but then both the botnet and the C&C servers are still up. So you bargain with them to get them to shut it down/give you the keys to shut it down. This runs into jurisdictional issues in many cases.
      Killing each node is nearly impossible; the nodes will be updated by the operators to avoid AV software. There are also probably hundreds-of-thousands to millions scattered around the world. Killing them is a huge effort. Contacting the node owners is nearly impossible. If any nodes are left the botnet can spread again (until the flaws it exploits are patched).
      The "indestructible" botnet can only be killed by method 2 or 3, all other approaches are so hard as to be impractical (for most organizations). MS may have enough influence to eliminate it, but it will be a significant undertaking.

      --
      Not a sentence!
  42. Correction by aaaaaaargh! · · Score: 1

    'To say that it can't be done underestimates the ability of the "good" guys,' Boscovich said.

    There, fixed that for Boscovich.

    1. Re:Correction by Anonymous Coward · · Score: 0

      'To say that it can't be done underestimates the ability of the good guys,' Boscovich said."

      So, what was "fixed"?

    2. Re:Correction by Anonymous Coward · · Score: 0

      I don't "know."

  43. Re:The Snow Leopard partition still works by Nikker · · Score: 1

    Hey, I have the entire public IPV4 address space in my hosts file you insensitive clod!

    --
    A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
  44. Good Guys by Dracos · · Score: 1

    If the "good guys" in Redmond really were so smart, there wouldn't be botnets in the first place.

    1. Re:Good Guys by Anonymous Coward · · Score: 0

      Perhaps that's because they aren't the good guys, let's see:

      - Windows is spread out on a lot of computers through false advertising, like a botnet.

      - Windows updates itself from a central server, like a botnet.

      - Windows is a major vector for malware, like a botnet.

      - MBR-infections are so yesteryear, when you purchase a pc nowadays you'll most likely end up with one with the Windows-botnet on.

      - Only cure is to completely format the harddrive and put a new OS on (watch out, Windows-botnet is also found on installation CD's/DVD's

    2. Re:Good Guys by Geminii · · Score: 1

      The engineers are smart, but their intellect is being redirected towards more profitable activities.

      The managers are smart enough to direct the engineers' activities away from preventing botnets when doing so is less profitable for the managers than other things the engineers could be doing.

      The smart thing is not always the right thing, the good thing, or even the nice thing.

  45. Re:Kill the botnet herders and hang them upside do by 1s44c · · Score: 1

    The best way to kill a botnet is to kill the botmasters. Follow the money trail to them and get rid of them extrajudically.

    You are clearly insane. The best way to fix a problem is to prevent it from happening in the first place by fixing the dodgy software that some people insist on using.

    Going on a killing spree is just going to get the wrong people murdered and not even fix the problem in the process.

  46. Alternate Title 2 by subreality · · Score: 1

    MicroSoft: A networked system with no vulnerabilities is inconceivable!

    The sad truth: it's actually quite conceivable that with decentralized C&C and proper crypto that there are no central vulnerabilities and the only way to clean up the mess is by hunting down nodes one at a time, or possibly one ISP at a time. I'm eager to hear MS's "legally and technically creative" way to take that on.

    1. Re:Alternate Title 2 by drinkypoo · · Score: 1

      I'm eager to hear MS's "legally and technically creative" way to take that on.

      they can use the many security holes and back doors they know about in Windows, of course.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  47. Re:The Snow Leopard partition still works by Anonymous Coward · · Score: 0

    Windows does suck (or has sucked) for security, but the real issue is not so much the OS (it's possible to secure even Windows) but the average user. You sound like you have enough know-how not to fall for "Click the exe in this email to see hot chix" hoaxes. Lots of Windows users are far less tech savvy. Social engineering is still the number one attack vector for creating botnets, moving more Windows users onto OSX/Linux won't solve that, it will just move the war to three fronts instead of one.

  48. Such a carefully worded -- but wrong -- statement by Arrogant-Bastard · · Score: 0
    It's often useful to carefully parse statements from people in positions of power -- whether economic, political, or otherwise. Their utterances are often more telling for what they do not say than what they do.

    In this case, the assertion that any individual botnet may be taken down by a combination of approaches is likely correct. However, it's worth noting that the action of taking down individual botnets -- no matter how large -- is unimportant. It simply doesn't matter to anyone but the PR departments of whoever claims responsibility for this latest "triumph".

    The reality is that the systems constituting all such botnets are still compromised, still vulnerable, still running Windows, still operated by less-than-clueful users, and still available. They will therefore quickly be absorbed into either other existing botnets or newly-constructed ones...and the latter are of course more likely to be resilient against takedown attacks. Everyone knows this, including Microsoft, but they're not about to admit that they've been steadily losing ground for a decade.

    As of the summer of 2011, any estimate of the worldwide population of compromised systems that's under 200 million should be discarded, along with the idiot giving that estimate. That's a floor value; the actual number is likely significantly higher. Nobody should be surprised by this: since bots/botnets were first observed, absolutely nothing of value has been done to reverse their growth trend. (Yes, yes, many people CLAIM to have done things, and some of those things actually happened: but none of them are of any lasting importance. They are band-aids haphazardly and temporarily slapped on the edges of a gaping wound.)

    So while this carefully worded PR pronouncement may be correct in some aspects, it deliberately obfuscates the underlying truth: the problem continues to get worse and there is absolutely nothing on the horizon which provides any reason to think it will get better in the foreseeable future.

    Recommended supplemental reading: "The Shockwave Rider", by John Brunner.

  49. Whatever by orlanz · · Score: 1

    I was with him until he said "People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no'." Until then, it was an obvious "Duh", similar to saying there is no 100% secure real system. And kind of sad that he had to actually tell the media that... how far the media has fallen.

    But back to the point, the bad guys are smarter, and better than the good guys. History has proven that over and over again. Just cause you came in after the fact and cleaned up the mess doesn't mean you are better. If you prevented it in the first place, then you are better. But that is not the case. The bad guys have totally ripped apart in weeks what the good guys have created in months, sometimes years.

    Good guys stick their head in the sand till something they can't ignore comes along. Then they try to solve it. If they can't do it technically (many cases), they fall back to legal means. This doesn't make the good guys better, but just competent enough. Thinking otherwise is just more sticking your head in the sand.

    1. Re:Whatever by Zironic · · Score: 1

      Are you drunk? The fact that you can destroy something someone created doesn't mean you're better or smarter. It's just a fact of life that it's easier to destroy than create.

  50. Destroying a botnet can be rather straightforward by Attila+Dimedici · · Score: 2

    Shutting down a botnet can be rather straightforward, although not necessarily easy. As far as I know, all current botnets are designed to make money for their controllers. This means that shutting them down can be done in the same manner that most organized crime organizations get shutdown, by following the money. What makes this difficult is that many botnets will cross jurisdictional boundaries, at least some of which will not be inclined to be cooperative.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  51. M$ sucks by hesaigo999ca · · Score: 1

    Instead of just saying no, show us no...!!!
    Show us that it is indestructible by shutting another one down...each time they shut one down through their "special techniques" brings us closer to a spam free world.....so do it already and stop talking about it. Show us you mean business by taking down another botnet....then we can all look at M$ and think , wow...they were right....instead I read the post and thought....so what if they "SAY" no.....show me, was my first thought!!

  52. Why are we listening to a lawyer by p4nther2004 · · Score: 1

    about Technical stuff?

    Microsoft lawyer involved with the Rustock take-down said Tuesday, countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically. Nothing is impossible

    No offense there Boscovich, but um, do you know programming/computer science? Why are we listening to you?

    Sigh, I gave up Moderator points for this?

    1. Re:Why are we listening to a lawyer by Zironic · · Score: 1

      You're listening to him because he has in fact dismantled botnets before.

      Notice how he says 'legally creative', this means stuff like sending the Russian Police after your ass to use rubber-hose cryptography until you shut down your 'invulnerable' botnet.

  53. Acronis Norton ghost etc... by Anonymous Coward · · Score: 0

    Re-Image... Show everyone you know how to store a backup of their system partition. Teach them again what sites to ignore and what attachments to delete. Education is the real answer. Done.

  54. No botnet is indestructible. by MMC+Monster · · Score: 1

    Of course not. I highly doubt any of them will survive the heat death of the universe.

    I think the original article was just saying that they're highly resilient to attack damage. Which is a reasonable statement.

    --
    Help! I'm a slashdot refugee.
  55. Wow!!. by Anonymous Coward · · Score: 0

    Does this mean Windows will go away ...

  56. Richard Boscovich needs to RTFA! by DarthVain · · Score: 1

    I am pretty sure that the article didn't say that it was impossible, and only that it was "practically" indestructible or something like that.

    The intent being that this would be a very tough nut to crack and that to beat it will take a lot of resources or some very smart people or both.

    In fact if he only read his own sentence before uttering another, he would have seen his mistake.

    Heck someone called the Titanic "unsinkable" and guess where its current location is? That wasn't even a "practically" unsinkable.

  57. That behaviour can be turned off, like so by Anonymous Coward · · Score: 0

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet]
    "EnableActiveProbing"=dword:00000000
    "ActiveWebProbeHost"="www.msftncsi.com"
    "ActiveWebProbePath"=""
    "ActiveWebProbeContent"="Microsoft NCSI"
    "ActiveDnsProbeHost"="dns.msftncsi.com"
    "ActiveDnsProbeContent"="0.0.0.0"

    ---

    * "Here endeth the lesson"...

    APK

    P.S.=>

    "Let me start by saying every time you boot your system on Windows 7, data is sent to Microsoft to check whether your are online and for internet connectivity." - by NSN A392-99-964-5927 (1559367) on Friday July 08, @03:48AM (#36691802) Homepage

    And, let me "stop you", by posting that registry merge file set of entries that stop that behavior, cold (if you so wish, as I do)...

    Many of the tools you list?

    Are NOT "native" to Windows 7, as in the pstools suite by Dr. Mark Russinovich!

    (You have to ADD those later, & they can be dangerous because "the good doctor" included argc/argv commandline arguments scriptability into them & which were abused by the COREFLOOD BOTNET recently -> http://www.installsoftware.com/microsoft-admin-tool-used-by-coreflood-to-infect-computer-networks/network_software )

    So IF they are not there, & they are NOT by default? No problem!

    ... apk

  58. Re:Kill the botnet herders and hang them upside do by cavreader · · Score: 1

    Any software program more complicated than "Hello World" has exploitable weaknesses. If you were to demand that no software should be released until it is 100% exploit free, there would be no software to release. While killing the bot masters is a little extreme, to say the least, the suggestion of following the money is a good strategy. Analyze the behavior of the bot and try to define the purpose of the bot, which is undoubtedly to make money for someone for something. Attacking the beneficiaries of the bot can be just as effective as attacking the bot itself.

  59. Better model NCSI shutdown (dns shutoff too) by Anonymous Coward · · Score: 0

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet]
    "EnableActiveProbing"=dword:00000000
    "ActiveWebProbeHost"="www.nononosaysapk.org"
    "ActiveWebProbePath"=""
    "ActiveWebProbeContent"="Microsoft NCSI"
    "ActiveDnsProbeHost"="dns.nononosaysapk.org"
    "ActiveDnsProbeContent"="0.0.0.0"

    ---

    * That "kills" the ability for active probing to work, should the user choose to use it... & do so, I do here.

    APK

    P.S.=> This model even redirects the DNS servers for it to "b.s." ones (the nononosaysapk.org ones, you can put anything in there as long as it's not a real DNS server, or just blank them)...

    ... apk

  60. bad guys +1 by Anonymous Coward · · Score: 0

    the bad guys ARE better and stronger than the good guys.

    the good guys consist mostly of former military and corporate contractor goons with certification inferiority complexes. they exist only to make money and gain a spot on the rotating infosec convention speaker train. they will tell you anything and everything you want to hear, as long as you sign the SoW and pay with NET30.

    the bad guys consist mostly of unemployed, highly educated, highly motivated, highly technical, pissed off young adults. they exist only to cause havoc in a world that has turned their collective backs and destroyed their financial futures by allowing government and corporations to loot and pillage from public coffers.

    when a person extracts themselves from material needs they are capable of doing anything. this also makes them incredibly dangerous.

    i'm rooting for the bad guys.

  61. He does have a point by LongearedBat · · Score: 1

    People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.'

    If the good guys ever catch up with the bad guys, then the good guys have nothing more to do, because there will be no more plots to foil... until the bad guys get going again. But the bad guys never stop moving, so the good guys are always playing catch up, and so of course it looks like the bad guys are always winning.

    But really, the bad guys only win when the good guys can't play catch up anymore. And that hasn't happened. In fact, that's why the bad guys keep moving.

    Of course, we could try to pre-empt the bad guys by developing bug free designs and code in the first place. Heh, yeah that's pretty tough. But when a product does appear too hard to break, then you go around that brick wall. That's why we have trojans and phishing.

    Sure, Microsoft has a pretty poor reputation for security (and too often deservedly so). But the statement holds. Bad guys, good guys... we're just people on different sides of the fence. Bad guys are clever enough to find new holes, and good guys are clever enough to plug them.

    So sure, it's a big and tough botnet. But for some that just makes the challenge of breaking it all the more interesting.

  62. Bad Guys & Good Guys by Anonymous Coward · · Score: 0

    You're right, the good guys are smarter -- the DOJ being the good guys, and MafiaSoft being the bad guys.

    Oh wait a minute, I just said that a monolithic government bureaucracy is smarter than MafiaSoft.... Oh, well, I guess that shows just how dumb the bad guys at MafiaSoft really are.

  63. He's right, & here's my technique for it... ap by Anonymous Coward · · Score: 0

    On the "indestructible rootkit/botnet" article 2-4 days ago here?

    I put up a way to destroy it non-destructively, in about 3 minutes time:

    STEPS TO TAKE TO ERADICATE THIS ROOTKIT/BOTNET "blended-threat" tech one, NON-DESTRUCTIVELY:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * Which works against ANY rootkit, both bootsector originating type, or driver driven type (or like this one, a combination of BOTH), 100% guaranteed - NO QUESTIONS ASKED, period...

    (IN FACT, the DAY this rootkit/botnet was announced? I had the way to "nuke it", 100% guaranteed, here http://it.slashdot.org/comments.pl?sid=2282088&cid=36621818 )

    APK

    P.S.=> Then, IF this thing "hauls in" any more malware, which it CAN do? Even IF an "unknown one" to antivirus/antispyware signatures DB's??

    Then - You "mop it up" using Process Explorer completely once the rootkit is destroyed!

    (ProcessExplorer.exe works vs. ANY malware, even hidden ones beneath other std. processes hooked by libs/dlls, or services even)

    I.E./E.G. -> You use its "suspend" feature to send HLT instructions to the offending malware, & then? Then, you can delete it on disk & it's "Gone With The Dawn"...

    This works too, when other "std. tools" fail miserably (such as antivirus/antispyware IF their signatures are not present to ID said malware, and if their removal process won't work vs. said malware also).

    "Here endeth the lesson"... ... apk

  64. Here's a way 2 kill "the indestructible botnet" by Anonymous Coward · · Score: 1

    I posted this the day it was announced, & yes, vs. this "blended threat" tech rootkit/botnet's CURRENT DESIGN (driver + bootsector originated) ? This works to NON-DESTRUCTIVELY REMOVE IT (and any designed like it):

    STEPS TO TAKE TO ERADICATE THIS ROOTKIT/BOTNET "blended-threat" tech one, NON-DESTRUCTIVELY:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * Which works against ANY rootkit, both bootsector originating type, or driver driven type (or like this one, a combination of BOTH), 100% guaranteed - NO QUESTIONS ASKED, period...

    (IN FACT, the DAY this rootkit/botnet was announced? I had the way to "nuke it", 100% guaranteed, here http://it.slashdot.org/comments.pl?sid=2282088&cid=36621818 )

    APK

    P.S.=> Then, IF this thing "hauls in" any more malware, which it CAN do? Even IF an "unknown one" to antivirus/antispyware signatures DB's??

    Then - You "mop it up" using Process Explorer completely once the rootkit is destroyed!

    (ProcessExplorer.exe works vs. ANY malware, even hidden ones beneath other std. processes hooked by libs/dlls, or services even)

    I.E./E.G. -> You use its "suspend" feature to send HLT instructions to the offending malware, & then? Then, you can delete it on disk & it's "Gone With The Dawn"...

    This works too, when other "std. tools" fail miserably (such as antivirus/antispyware IF their signatures are not present to ID said malware, and if their removal process won't work vs. said malware also).

    "Here endeth the lesson"... ... apk

    1. Re:Here's a way 2 kill "the indestructible botnet" by NSN+A392-99-964-5927 · · Score: 1

      Sorry did not see that post the first time. Class Mr!

      --
      All cows eat grass!
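The FDISK /MBR exchange in #40 (and 1s44c's caveat that nothing run from the infected OS can be trusted) and the fixmbr procedure in #63/#64 both come down to one question: is the boot code in sector 0 what it should be? The following Python is an added example, not code posted by anyone in this thread. It parses a raw 512-byte MBR that was read from clean boot media, decodes the partition table (which a bootkit normally leaves intact so the system still boots), checks the 0x55AA signature, and compares a SHA-256 of the 446-byte boot-code region against a baseline hash taken from a known-good image of the same machine. The sample MBR images, their boot bytes and the baseline hash are all constructed for the example; nothing here is TDL4's real boot code.

```python
"""Offline MBR inspection: parse a raw 512-byte master boot record and compare
its boot code to a known-good baseline. Added example, not from the thread;
the sample MBR images below are constructed, not real boot code."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOTCODE_LEN = 446        # bytes 0..445: executable boot code (what a bootkit patches)
PART_TABLE_OFF = 446      # 4 partition entries x 16 bytes follow the boot code
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    ptype: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four primary partition slots; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append(Partition(bootable=(status == 0x80), ptype=ptype,
                               lba_start=lba, sectors=count))
    return parts


def bootcode_hash(mbr: bytes) -> str:
    """Hash only the boot-code region; the partition table legitimately changes."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def inspect_mbr(mbr: bytes, known_good_hash: str) -> Dict[str, object]:
    """Return the boot-code hash, parsed partitions and a list of findings."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    digest = bootcode_hash(mbr)
    if digest != known_good_hash:
        findings.append("boot code differs from known-good baseline")
    return {"bootcode_sha256": digest, "partitions": parts, "findings": findings}


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Construct a 512-byte MBR with one bootable NTFS (0x07) partition at LBA 2048."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                        2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + SIGNATURE


# Constructed samples: a "clean" image and the same image with its first bytes
# overwritten (partition table untouched), the shape of a bootkit infection.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
KNOWN_GOOD = bootcode_hash(CLEAN_MBR)   # baseline you would record from a clean install
_patched = bytearray(CLEAN_MBR)
_patched[0:4] = b"\xeb\xfe\x90\x90"     # placeholder hook, not real malware code
INFECTED_MBR = bytes(_patched)

if __name__ == "__main__":
    # On a real machine, read the sector from clean boot media instead:
    #   with open("/dev/sda", "rb") as f: mbr = f.read(512)
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = inspect_mbr(image, KNOWN_GOOD)
        print(name, result["bootcode_sha256"][:16], result["findings"], result["partitions"])
```

Run it from a live CD/USB against the raw disk, never from the installed OS, since a running rootkit can return a clean sector to any reader that goes through its hooked driver. The baseline hash has to come from the same machine before infection (or from a reinstall), because OEM and boot-manager boot code differs from system to system.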
  65. My university is questioning this by sea4ever · · Score: 1

    I work with some university professors on research projects regularly.
    I don't want to use too many 'buzz-words' or anything, but I also don't want to give away our research before we publish it.
    One of our projects (we have developed a patentable method) involves a method of distributing control messages of X length to N computers by using only X bandwidth on the sender side, with built-in error recovery and automatic redundancy by virtue of a propagating message source. Combine that with public-key crypto and you have a super-resilient propagating message with no 'source point'.
    We make use of the DNS protocol to accomplish this.

    You can see when we publish the paper, I will make it available to slashdot at that time. We've found that there is no clear way to stop the messages from reaching the destinations, and no way of impersonating the sender. There is also no way to detect the true source of the message.
    Essentially, an alternative to P2P transmissions which is probably just as good.
    There might be a flaw somewhere that we haven't noticed though, but at the moment it seems to be that we will finish the paper soon.

  66. Do my technique from Windows CD/DVD by Anonymous Coward · · Score: 0

    Installation media 4 Windows, because it's "inviolate" & read only!

    APK

  67. Re:The Snow Leopard partition still works by RyuuzakiTetsuya · · Score: 1

    my ISP made the transition to IPv6, if yours did, time to update your HOSTS file...

    --
    Non impediti ratione cogitationus.
  68. Do my technique from Windows' DVD/CD by Anonymous Coward · · Score: 0

    Installation media 4 Windows because it's "inviolate" & read only!

    APK

  69. The Lawyer has a point... by Sfing_ter · · Score: 1

    The Lawyer has a point... I mean, with the botnets relying on Windows machines it is highly likely that they are destructible. It also explains why they require so many machines...

    --
    A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  70. Hate to say it, but... by Datamonstar · · Score: 1

    Microsoft has been owning in the news lately. Still hate using Windows XP and will not ever upgrade to anything else, but still, this and what Gates said about nuclear being the only feasibly sustainable core energy source is pretty win.

    Now, do I think that Microsoft is a bit responsible for some of these botnets? Yes. And no. But I tend to take their "nothing is impossible" approach to pretty much anything I do.

    --
    The eternal struggle of good vs. evil begins within one's self.
  71. Also, should this botnet/rootkit maker alter by Anonymous Coward · · Score: 0

    His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys, as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?

    Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):

    ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:

    ---

    bcdedit /deletevalue loadoptions

    bcdedit -set TESTSIGNING OFF

    ---

    * That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!

    APK

    P.S.=> Always a way to kill the "unkillable", even before it happens... & again:

    That's JUST IN CASE the "indestructible rootkit/botnet" maker decides to alter his design of his current "indestructible rootkit/botnet" to also protect the hello_tty.sys initializing in the registry (he currently DOES NOT, but he may), & you can initialize what you cannot install in the 1st place!

    ... apk

  72. Should the rootkit/botnet maker alter by Anonymous Coward · · Score: 0

    His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?

    Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):

    ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:

    ---

    bcdedit /deletevalue loadoptions

    bcdedit -set TESTSIGNING OFF

    ---

    * That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!

    APK

    P.S.=> Always a way to kill the "unkillable", even before it happens... & again:

    That's JUST IN CASE the "indestructible rootkit/botnet" maker decides to alter his design of his current "indestructible rootkit/botnet" to also protect the hello_tty.sys initializing in the registry (he currently DOES NOT, but he may), & you can initialize what you cannot install in the 1st place!

    ... apk

  73. Re:He's right, & here's my technique for it... by httptech · · Score: 2

    No one said TDL4 can't be cleaned from a single PC. Cleaning it from all of them near-simultaneously is what you would have to do to destroy this botnet. The MSRT tool is not capable of performing the steps you described.

    BTW your steps could still leave malware on the system unless you are a forensic/malware expert and can tell good processes from bad in ProcessExplorer. It's not so easy as you make it seem. Even if you are that experienced in process analysis, there could still be other kernel-level rootkits hiding malicious processes from ProcessExplorer. It could take days to truly disinfect a TDL-4-infected system that had been downloading payloads for a while. That's why reformat/reinstall has become the best-practice for dealing with malware, even though it is anathema to most Windows users/admins.

    Another thing to note is that Microsoft hasn't destroyed the Rustock botnet, they are merely suppressing it. They will never be able to clean all the infected Rustock PCs, because countless thousands of them don't get Windows updates (either because they are pirated copies of Windows or updates have been disabled by other malware) and thus will never run the MSRT tool. If MS ceases their efforts before every last machine is sitting in a dump somewhere, the botnet could return, however unlikely that the author would bother to restore control.

  74. Let ME correct YOU, point-by-point... apk by Anonymous Coward · · Score: 0

    They'd best have not (even though the botnet was called "indestructible" & yes it was):

    "No one said TDL4 can't be cleaned from a single PC." - by httptech (5553) on Friday July 08, @11:17AM (#36695052) Homepage

    Because my technique absolutely WILL & DOES work to knockout the root of it (the rootkit itself), & from a READ ONLY inviolate media (Windows installation DVD/CD).

    I.E.-> The rootkit driver & bootsector originator is the part that can "intercept to deceive" from Ring 0/RPL 0/kernel mode, via a drivers & rootkit tech, calls from apps like ProcessExplorer in Ring 3/RPL 3/Usermode...

    SO, that all "said & aside"?

    You kill the rootkit & driver, FIRST??

    Then, You can't deceive Process Explorer... & it can dig into ANYTHING...

    ---

    "Cleaning it from all of them near-simultaneously is what you would have to do to destroy this botnet." - by httptech (5553) on Friday July 08, @11:17AM (#36695052) Homepage

    Do doctors immunize folks "ALL @ ONCE"? No. They do it 1 person @ a time... & that's how this has to be done, until a mass scripted way does so... period.

    (Also - I never said this would kill ALL OF THEM @ ONCE, did I? Show me a quote of where I said I did... thanks & good luck - I never said that once!)

    ---

    "The MSRT tool is not capable of performing the steps you described." - by httptech (5553) on Friday July 08, @11:17AM (#36695052) Homepage

    First of all, it's the RC (recovery console)... secondly?

    Again - SHOW ME A QUOTE OF MY EVEN IMPLYING THAT THIS WOULD DO ALL THE SYSTEMS INFESTED BY IT "EN MASSE/ALL @ ONCE"... Good luck, I never even IMPLIED it.

    (You have to tackle it, 1 rig @ a time, on those infested/infected by it... just like doctors do with immunizations, or operations!)

    ---

    "BTW your steps could still leave malware on the system unless you are a forensic/malware expert and can tell good processes from bad in ProcessExplorer." - by httptech (5553) on Friday July 08, @11:17AM (#36695052) Homepage

    I am actually!

    Professionally & for YEARS (besides being a professional coder & network admin since 1994 & coding since 1982 here):

    I've done forensics security work for Fortune 100-500 companies & I can tell you right now, point-blank, the driver name used in the "indestructible rootkit/botnet": hello_tt.sys!

    Using listsvc alone can spot anything "odd", & then you can GOOGLE said "odd device driver name" & if it turns up unknown? You have your "culprits"... I've done it before vs. rootkits time & again...

    ---

    "It's not so easy as you make it seem." - by httptech (5553) on Friday July 08, @11:17AM (#36695052) Homepage

    It's even easier, if you look @ what I just wrote just above... GOOGLE's your pal!

    ---

    "Even if you are that experienced in process analysis." - by httptech (5553) on Friday July 08, @11:17AM (#36695052) Homepage

    Again, I am... for decades now in fact, professionally.

    ---

    "there could still be other kernel-level rootkits hiding malicious processes from ProcessExplorer." - by httptech (5553) on Friday July 08, @11:17AM (#36695052) Homepage

    See what I wrote about listsvc & GOOGLING above... thank you!

    ---

    "It could take days to truly disinfect a TDL-4-infected system that had been downloading payloads for a while." - by httptech (5553) on Friday July 08, @11:17AM (#36695052) Homepage

    No, it would not - once you knockout the rootkit portion (which my technique indeed, does)?

    Then, there's NOTHING to intercept API calls that ProcessExplorer uses to deceive i

    1. Re:Let ME correct YOU, point-by-point... apk by naoursla · · Score: 1

      I wish you weren't posting AC so that I could friend you.

    2. Re:Let ME correct YOU, point-by-point... apk by httptech · · Score: 1

      You missed the point. Yes, TDL4 malware can be cleaned manually, no one is disputing that. The entire system could be forensically sanitized - manually - using the recovery console or a liveCD. It could take a long time depending on how many payloads had been downloaded and how well they hide. But this is not enough to kill the botnet unless you do this to 4.5 million PCs all at once. I never said your TDL-4 removal steps were incorrect, I just said they would not "kill the botnet", which is what Microsoft is suggesting they can do.

      While nothing is impossible in theory, trying to destroy this botnet "one rig at a time" as you suggest would take decades even if you had an army tracking them down and cleaning them. The botnet would die on its own by then because the hard drives of those systems would fail first. Again though, I am replying to Microsoft's claims here, not yours.

      The part you are wrong about is being able to use ProcessExplorer to fully sanitize the PC of the remaining malware. The only thing that truly separates malware from non-malware is intent. That's it. A P2P filesharing client and a P2P bot could share 99.999% of the same code, with only a single hidden malicious function. Tell me where in ProcessExplorer you would see the difference.

      I'm not sure if you truly understand rootkits if you think they can't hide from ProcessExplorer. Even the simpler kernel-mode rootkits can do this, removing the hidden process from the kernel's linked list of objects - the same list that ProcessExplorer has to request from the OS to show you that tree of parent/child processes.

      Making a determination on whether or not a program is malware is very hard to do programmatically and even for a human often takes hours poring over the code in a debugger trying to understand the program's intent. If it were so easy, antivirus programs would still be adequate protection in this day and age.

  75. Re:They will get an even worse reputation otherwis by Anonymous Coward · · Score: 0

    Since malware is currently a Microsoft only problem

    Let's be careful about saying "Microsoft only problem". There are "currently" malware problems on other platforms (not all), just not nearly as serious as on Windows. I do agree with the reasoning, though. They have the biggest malware problem by far (read: by 99% margin), so ya, they do have a lot to gain by working against it.

    There are a few platforms that will most likely never have a virus problem (like most of the *nix platforms, including OSX), but if some of the others were to gain marketshare, then the "bigger target" reasoning might actually work.

  76. You're going to love this then by Anonymous Coward · · Score: 0

    See this, as to why DDoS cannot harm them:

    http://www.networkworld.com/community/blog/microsoft-were-not-vulnerable-ddos-attacks

    The "big sites" like AMAZON being another for instance?

    Like MS is, they are SO "overbuilt" to compensate even vs. botnet DDoS that they'll know it's happening, while it's happening, to blockout @ the perimeter firewalls levels (or DNS, or HOSTS files even) any sources of attack... yes, may take time, but, that's HOW it's done!

    ---

    AND, this registry setting for the IP Stack MS has for limiting Dos OR DDoS on ANY SYSTEM also (which they neglected to note):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters

    SynAttackProtect

    ---

    (That, in combination with other parameters for setting "turn aside" limits, works to lessen + protect vs. DoS &/or DDoS)

    ---

    * NOW - To kill this thing, guaranteed & HOW on any system? See my other posts here, starting here & the ones subsequently beneath it (even to a naysayer):

    http://it.slashdot.org/comments.pl?sid=2306598&cid=36694254

    APK

    P.S.=> It WORKS... & I've done it professionally, time & again by the 100's vs. rootkits operating in Ring 0/RPL 0/kernel mode, which IS what you have to "take down" first, so usermode tools are not deceived via API call hooking & intercepts (and in the 1,000's on std. Ring 3/RPL 3/Usermode malwares in combination with it, using ProcessExplorer.exe)...

    ... apk

  77. On "en masse" stalls of malware-in-general? by Anonymous Coward · · Score: 0

    Things like Norton DNS http://nortondns.com/ can help (they actively implement a constantly updated -> http://safeweb.norton.com/buzz via a DNSBL (DNS Block List) vs. malware threats their distributed antivirus/antispyware systems detect worldwide).

    In fact?

    I did a post on this the other day here, in my wondering WHY DNSBL vs. malware-in-general is NOT being implemented by ISP/BSP's worldwide in fact:

    http://yro.slashdot.org/comments.pl?sid=2295168&cid=36657332

    (For the purposes of STALLING OUT malwares-in-general infestations/infections possible vectors of known bad sites/servers/hosts-domains (even bogus DNS servers + botnet C&C servers too)).

    * Doing THAT? It would 'cut down' on a good 90% of infestations/infections for 90% of folks that don't know HOW to get around it in the 1st place (hardcoded IP addresses OR HOSTS file circumventions being a couple easy ones), & thus?

    PROTECTING THEM FROM INFESTATION/INFECTIONS by rootkits/botnets/virus/spyware/trojans/keyloggers/malware-in-general... & even bogus DNS servers + botnet C&C Servers as well!

    APK

    P.S.=> Now, in closing/bottom-line/above ALL else:

    WHY a DNSBL worldwide has NOT been implemented worldwide @ ISP/BSP levels, "boggles my mind" but...

    I do also go into WHY I think it's not being done in the link above too...

    (I.E.-> Yes, it can affect PC Techies' jobs - STUPID!!!)

    It's like saying "Yes, we can cure cancer or cut it down to almost nothing, but it would put doctors out of a job!"

    SO, that "all said & aside"?

    Well - what's the lesser of 2 evils?

    PUTTING DOCTORS OUT OF THAT PORTION OF THEIR JOBS, by far!

    (Because like PC techs? They have myriads of other tasks during the day/week/month/year to tackle, maladies-wise...)

    ... apk

  78. To "en masse" STALL out malwares-in-general? by Anonymous Coward · · Score: 0

    Things like Norton DNS http://nortondns.com/ can help (they actively implement a constantly updated -> http://safeweb.norton.com/buzz via a DNSBL (DNS Block List) vs. malware threats their distributed antivirus/antispyware systems detect worldwide).

    In fact?

    I did a post on this the other day here, in my wondering WHY DNSBL vs. malware-in-general is NOT being implemented by ISP/BSP's worldwide in fact:

    http://yro.slashdot.org/comments.pl?sid=2295168&cid=36657332

    (For the purposes of STALLING OUT malwares-in-general infestations/infections possible vectors of known bad sites/servers/hosts-domains (even bogus DNS servers + botnet C&C servers too)).

    * Doing THAT? It would 'cut down' on a good 90% of infestations/infections for 90% of folks that don't know HOW to get around it in the 1st place (hardcoded IP addresses OR HOSTS file circumventions being a couple easy ones), & thus?

    PROTECTING THEM FROM INFESTATION/INFECTIONS by rootkits/botnets/virus/spyware/trojans/keyloggers/malware-in-general... & even bogus DNS servers + botnet C&C Servers as well!

    APK

    P.S.=> Now, in closing/bottom-line/above ALL else:

    WHY a DNSBL worldwide has NOT been implemented worldwide @ ISP/BSP levels, "boggles my mind" but...

    I do also go into WHY I think it's not being done in the link above too...

    (I.E.-> Yes, it can affect PC Techies' jobs - STUPID!!!)

    It's like saying "Yes, we can cure cancer or cut it down to almost nothing, but it would put doctors out of a job!"

    SO, that "all said & aside"?

    Well - what's the lesser of 2 evils?

    PUTTING DOCTORS OUT OF THAT PORTION OF THEIR JOBS, by far!

    (Because like PC techs? They have myriads of other tasks during the day/week/month/year to tackle, maladies-wise...)

    ... apk

    1. Re:To "en masse" STALL out malwares-in-general? by Anonymous Coward · · Score: 0

      Why do you have to use bold text so much? Could you not give a concise and easy-to-grok lesson to be "learneth"?

      Also, DNSBL used everywhere would be ripe for political/religious/ideological censorship; I'm personally glad it's not ubiquitous. You could start your own computer tech company and train employees with the various rootkit/spyware/malware removal options, in addition to changing the customer's default DNS servers to an anti-malware DNSBL.

  79. Really? He's worked on code? by p4nther2004 · · Score: 1

    Come on...read the Computerworld article. No he didn't.

    He's worked on the legal side. And, there, I'll listen to him. But arguing that "TECHNICALLY" he knows what he's talking about - well, that's like me arguing I know what law is about. (Hint: it's a bad idea)

    But I will listen to what Alex Lanstein has to say.

  80. Derp by Travelsonic · · Score: 1

    ....countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically.

    And how is it intellectually creative to reply to the phrase "practically indestructible" with that? They said PRACTICALLY, not "COMPLETELY INDESTRUCTIBLE" or anything like that. Way to miss the important quantifier in the statement they claim to be countering.

    Reading comprehension FTW!

    --
    If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddamned idiot
  81. Microsoft and its lawyers aren't the "good guys". by Anonymous Coward · · Score: 0

    Botnets are around in the first place strictly because of the monopoly's embarrassingly poor and harmful (in so many ways) software.

  82. "Is there no one else? Is There NO ONE ELSE??" by Anonymous Coward · · Score: 0

    Play 2:50 on, says it for me better than I can -> http://www.youtube.com/watch?v=SP74aJBbIoY

    I.E.-> AKhilleus (Greek spelling of Achilles), son of Peleus (middle names are usually that of the father or paternal grandfather) "KNOCKS THE CHOCOLATE OUT OF YET ANOTHER /. OFF-TOPIC 'Boagrius' TROLL!", as-per-my-usual...

      * You KNOW you've gotten the best of a troll, when trolls go "silent" - APK "FTW", as usual, vs. /. trolls...

    APK (The "Invincible Winner" vs. /. trolls...)

    P.S.=> This? Ah, I just GOTTA say it, as is my usual in my own INIMITABLE 'style' -> This was just "too, Too, TOO EASY - just '2EZ'"

    ... apk

  83. "Is there no one else? Is There NO ONE ELSE??" by Anonymous Coward · · Score: 0

    Play 2:50 on, says it for me better than I can -> http://www.youtube.com/watch?v=SP74aJBbIoY

    I.E.-> AKhilleus (Greek spelling of Achilles), son of Peleus (middle names are usually that of the father or paternal grandfather) "KNOCKS THE CHOCOLATE OUT OF YET ANOTHER /. OFF-TOPIC 'Boagrius' TROLL!", as-per-my-usual...

      * You KNOW you've gotten the best of a troll, when trolls go "silent" - APK "FTW", as usual, vs. /. trolls...

    (See my other posts here in reply to NSN A392-99-964-5927 , on that VERY account vs. all he stated rather erroneously, & TOO hastily!)

    APK (The "Invincible Winner" vs. /. trolls...)

    P.S.=> This? Ah, I just GOTTA say it, as is my usual in my own INIMITABLE 'style' -> This was just "too, Too, TOO EASY - just '2EZ'"

    ... apk

  84. Cuz it needs doing & RIGHT thing 2 do by Anonymous Coward · · Score: 0

    See subject-line above... & yes, it's ENTIRELY doable too, especially if Norton DNS type DNSBL's get implemented worldwide across every DNS server that ISP/BSP's use!

    Yes - that is what would stop 90% of most users from "blundering into" sites that house said threats!

    (Thus, effectively stalling them from infecting others!)

    Then, top that off, with stopping the indiscriminate use of javascript "everywhere" or JAVA & all its numerous bugs, helps also, since they're the "main disease carriers" really, for decades now!

    (OPERA can do this - on a "by site/site-by-site" preferential level no less - you stall using them GLOBALLY, & only make them active where you MUST use them!)...

    * More on this ALL, here (& in subsequent posts beneath it):

    http://it.slashdot.org/comments.pl?sid=2306598&cid=36694254

    I.E.-> How to destroy ANY rootkit based botnet (most dangerous kind), 110% guaranteed in their current designs @ least (and even more advanced ones)... in 3-4 minutes of your time.

    (As well as more on what I just *KNOW* would help, in DNSBL's vs. malwares-in-general... cutting the life out of them @ the roots (over the public internet as their C&C servers, infested nodes, & bogus DNS' they use as well)).

    APK

    P.S.=> Someone's got to do it, and MS isn't "alone" in it... there's plenty of, well, let's say "Watchmen" out there in the game too!

    ... apk

  85. DNSBL such as Norton DNS help by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=2306598&cid=36696390

    I use it, it works (based on a constantly updated DNSBL as well by Norton Safeweb), in combination with HOSTS files usage for doing the same in "layered security fashion" here!

    (Which my personal custom HOSTS file here updates every 15 minutes here from 17 reputable + reliable sources to supplement those from Norton DNS also, via a Python script system for that!)

    It works, albeit @ a different level (right in the IP Stack itself, no added filtering drivers necessary either, as HOSTS are merely a filter for the IP stack itself, & running @ the FASTEST MOST EFFICIENT LAYER POSSIBLE, Ring 0/RPL 0/kernel mode (actually "PnP" level in Windows OS since XP onwards)).

    ON HOSTS FILES AS A "LAYERED SECURITY SUPPLEMENT"?

    How about DIRECT quotes from users here on /. that use HOSTS files instead:

    ---

    "Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

    "I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

    "I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

    "^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

    "I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

    "I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

    "They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

    "Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]" - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

    "you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

    "put in your /etc/hosts:" - by Anonymous Coward on Friday December 03, @09:17AM (#34429688)

    ---

    And, THERE YOU GO DIRECT QUOTES FROM SLASHDOT USERS TOO, & ON HOSTS FILES USEFULNESS TO THEM AS WELL!

    ---

    Also, how about a DIRECT QUOTE from a respected security pro (from securityfocus.com, a division of SYMANTEC/NORTON) on the note of HOSTS files too?

    Resurrecting the Killfile

    Oliver Day, 2009-02-04

    FROM -> http://www.securityfocus.com/columnists/491

    ---

    PERTINENT QUOTES/EXCERPTS:

    "The host file on

  86. Hilarious! by Kamiza+Ikioi · · Score: 1

    Yes, let's have a LAWYER tell us about how all botnets can be taken down. The phrase "If someone says that a botnet is indestructible, they are not being very creative legally" has got to be the goddamn funniest quote of the month! It's a botnet, not an ordinance. I don't give a damn how "legally creative" you get. You can't apply human laws as if they were universal laws of physics. Some young adult in China running a headless botnet via P2P C&C using anonymizing routers is beyond your insignificant "legal creativity".

    IF you know who and where they are THEN you can use legal means to shut them down. But the point is you DON'T know who they are OR where they are.

    --
    I8-D
  87. Want to be a friend? Do this by Anonymous Coward · · Score: 0

    Write Dr. Mark Russinovich, tell him to write a boot sector protecting filtering device driver (vs. rootkit/botnets like the "indestructible one" I have shown how to kill)...

    * Tell him to call it "APKBootSectorProtector.sys"...

    He knows who I am per ->

    http://www.windowsitpro.com/article/internals-and-architecture/the-memory-optimization-hoax#feedbackAnchor

    AND, because We used to work for the same company in the mid 1990's to 2000 or so... & I've corrected his work before too (he's good, heck great - but NOT "infallible" (none of us are)).

    APK

    P.S.=> Tell him I said "Hi there, & pagedefrag.exe also needs to remove a hardcode from registry eventlogs files movements possible"

    Shown e.g. here:

    ---

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application

    (And in the FILE entries you can add there... or are there by default! Mind you, that is only 1 possible there... there are others!)

    ---

    Anyhow/anyways:

    "The GOOD DOCTOR", Mr. Mark Russinovich of MS?

    Hey - He's the "filtering drivers master"... & he works for the company concerned (Microsoft)!

    Imo @ least?

    Well, he's "the man" for the job in fact, imo @ least... on a guess?

    He could write it up in under an hour, fully tested too (filtering drivers are NOT THAT TOUGH TO DO, & are like what the "indestructible botnet/rootkit" (lol, NOT) use in fact)!

    This type of Ring 0/RPL 0/kernel mode protectant would "counteract" another "vector of infestation" by rootkits in general in fact... those that use drivers & bootsectors!

    Some "Food 4 Thought" for you all...

    ... apk

  88. Here are 3 better pre-emptive moves... by Anonymous Coward · · Score: 0

    To stall this & other threats like it, "en masse" pre-emptively, via "layered security concepts":

    ---

    1.) DNSBL vs. malware-in-general such as Norton DNS -> http://it.slashdot.org/comments.pl?sid=2306598&cid=36696360 (if not HOSTS files such as I use, which currently in its "temp file" for actual HOSTS overwrite houses 1,468,088++ KNOWN bad sites/servers/hosts-domains & bogus DNS servers + botnet C&C servers too - it updates from 17 reputable sources online for that type of data, every 15 minutes here, "automagically"). Combining HOSTS, with DNSBL, & Firewall rules tables (@ both hardware & software levels)?? An excellent "pre-emptive move/strike" beforehand...

    ---

    In fact, on HOSTS file efficacy?

    2.) See this: How about DIRECT quotes from users here on /. that use HOSTS files instead:

    ---

    "Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

    "I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

    "I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

    "^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

    "I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

    "I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

    "They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

    "Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]" - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

    "you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

    "put in your /etc/hosts:" - by Anonymous Coward on Friday December 03, @09:17AM (#34429688)

    ---

    And, THERE YOU GO DIRECT QUOTES FROM SLASHDOT USERS TOO, & ON HOSTS FILES USEFULNESS TO THEM AS WELL!

    ---

    Also, how about a DIRECT QUOTE from a respected security pro (from securityfocus.com, a division of SYMANTEC/NORTON) on the note of HOSTS files too?

    Resurrecting the Killfile

    Oliver Day, 2009-02-04

    FROM -> http://www.securityfocus.com/columnists/491

    ---

    PERTINENT QUOTES/EXCERPTS:

    "The host file on my day-to-day lapt
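
As an added example (not the poster's script, and not any project's code), here is a Python merger for HOSTS-style blocklists of the kind described in posts 85 and 88 above: it parses the formats such feeds come in, validates hostnames, deduplicates across sources, and renders a sinkhole HOSTS file. The three source lists and their .test names are constructed samples; a real deployment would fetch the feeds over HTTPS on a timer.

```python
"""Merge several HOSTS-style blocklists into one deduplicated HOSTS file.

Added example, not the poster's script. The three sources below are
constructed samples in the formats blocklists are actually published in:
classic "127.0.0.1 host", the newer "0.0.0.0 host", and bare domain lists.
"""
import re
from collections.abc import Iterable

SOURCE_A = """\
# MVPS-style list (constructed sample)
127.0.0.1  localhost
127.0.0.1  ads.example-tracker.test   # inline comment
127.0.0.1  c2.example-botnet.test
"""
SOURCE_B = """\
0.0.0.0 c2.example-botnet.test
0.0.0.0 bogus-dns.example.test
0.0.0.0 UPDATE.Example-Malware.TEST
"""
SOURCE_C = """\
# bare domain list (constructed sample), with a corrupt line
ads.example-tracker.test
not a hostname!
"""

# Hostname syntax check (RFC 1123 labels, at least one dot) so a bad feed
# cannot push garbage into the file the IP stack reads on every lookup.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Names that must never be sinkholed, whatever a feed says.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_blocklist(text: str) -> set[str]:
    """Return the lowercased hostnames a blocklist blocks.

    Accepts "IP host [host ...]" lines and bare-domain lines; '#' starts a
    comment. Malformed names and protected loopback names are dropped.
    """
    hosts: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # If the first field is an IPv4 address, every later field is a host.
        candidates = fields[1:] if _IPV4_RE.fullmatch(fields[0]) else fields
        for name in candidates:
            name = name.lower().rstrip(".")
            if name in PROTECTED or not _HOSTNAME_RE.match(name):
                continue
            hosts.add(name)
    return hosts


def merge_blocklists(sources: Iterable[str]) -> list[str]:
    """Union of all sources, deduplicated and sorted for a stable diff."""
    merged: set[str] = set()
    for text in sources:
        merged |= parse_blocklist(text)
    return sorted(merged)


def render_hosts(hosts: Iterable[str], sink: str = "0.0.0.0") -> str:
    """Render a HOSTS file with the loopback entries kept intact.

    0.0.0.0 is used instead of 127.0.0.1 so a blocked lookup fails fast
    rather than connecting to whatever web server listens on loopback.
    """
    lines = ["# generated blocklist; keep the loopback entries below intact",
             "127.0.0.1 localhost", "::1 localhost", ""]
    lines += [f"{sink} {h}" for h in hosts]
    return "\n".join(lines) + "\n"


def is_blocked(hosts_text: str, name: str) -> bool:
    """Would this name be sinkholed by the rendered HOSTS file?

    HOSTS matching is exact: a subdomain of a blocked name is NOT blocked,
    which is one reason to layer a DNSBL on top, as the post suggests.
    """
    return name.lower().rstrip(".") in parse_blocklist(hosts_text)


if __name__ == "__main__":
    merged = merge_blocklists([SOURCE_A, SOURCE_B, SOURCE_C])
    print(render_hosts(merged))
```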

  89. Anything U don't recognize? Potential malware! by Anonymous Coward · · Score: 0

    See subject-line above, & how do you figure this:

    "The part you are wrong about is being able to use ProcessExplorer to fully sanitize the PC of the remaining malware." - by httptech (5553) on Friday July 08, @03:18PM (#36698494) Homepage

    See my original post!

    (Because the ONLY thing that can "hide" processes from ProcessExplorer.exe IS a rootkit or driver operating "beneath the OS" in Ring 0/RPL0/Kernel Mode, as rootkits do)

    SO - KILL THE ROOTKIT, 1st, as you concede my steps do in 3-4 minutes time? Nothing can deceive ProcessExplorer.exe!

    Yes, it's THAT simple... &, it works!

    ---

    "A P2P filesharing client and a P2P bot could share 99.999% of the same code, with only a single hidden malicious function. Tell me where in ProcessExplorer you would see the difference." - by httptech (5553) on Friday July 08, @03:18PM (#36698494) Homepage

    LOL, come on - you're "getting desperate"!

    I said this before:

    I'd know because first I'd recognize some "StRaNgE" executable or sub-process/child process hooked to a parent via a lib/dll, or a service (yes, I've seen both & killed them with ProcessExplorer.exe before).

    If in "total doubt"?

    Then, I'd also look up on GOOGLE or BING for the weird executable, and if I didn't get a result OR a POSITIVE AS A MALWARE? "Bye-Bye Birdie" - She'd be sent HLT commands from ProcessExplorer's DLL view to the offending process to "Freeze It" & then deleted on disk!

    (Only takes seconds too... even the looking thru 100++ processes running!)

    APK

    P.S.=> Trust me on this - it's doable, & I've done it 100's of times professionally & in forensics capacities!

    (No disassembly tracing or Virtual Machines required either, as antivirus folks HAVE to do to make signatures)...

    A bit "off track here" but... on hiding stuff?

    A more "effective way" I feel, & I've done so (albeit NOT for bogus purposes) was my Dr. Who ScreenSaver (uses the intro from new BBC series video) - it's a 10mb file, that is compressed to playback a 40mb sized video file!

    I.E.-> I "pack" the entire .avi clip into the .scr executable as a "resource" & then play it back from memory on launch... it's awesome!

    HOWEVER - think about it:

    That same "Technique" can be utilized to deliver a "malware payload"... Especially in a compressed executable!

    (Which confounds most disassemblers if combined with detection techniques for them, such as the debug privilege (highest in system) being invoked)

    HOWEVER - ProcessExplorer can "see" an exe's content IN MEMORY vs. this too, so you know (it's a VERY versatile tool)...

    ... apk

    1. Re:Anything U don't recognize? Potential malware! by httptech · · Score: 1

      You have a chicken-and-the-egg problem. You said: "1.) Recovery Console bootup 2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)" - in this case you have prior knowledge. You knew there was a rootkit in play, and you knew what it was named.

      What if it has borrowed the name of another legit third-party driver? What if the rootkit code is just a stub inside another legit driver? This technique has been used by malware for years now. Now, how do you tell which is the malicious driver and which is not? How do you even tell if there is a rootkit in play at all? The answer is: other tools and techniques and most importantly, a lot of time spent.

  90. Any "industrious individuals" here? by Anonymous Coward · · Score: 0

    Do us a favor: Write Dr. Mark Russinovich 4 a filtering device driver that PROTECTS THE $MBR (master boot record)!

    * That's for the "security-minded" & security conscious of those amongst you around here...

    APK

    P.S.=> Basically, this would use the "physics & psychology" behind the "indestructible rootkit" (lol, not, I show how to nuke it 100% guaranteed here & days ago on /.) against itself, fighting "Fire with HOTTER FIRE"!!!

    (Make sure he not only protects the master boot record, but that he also checks the registry area where it loads vs. disabling it too - Because that's how I kill this rootkit/botnet & others like it in the past & it works)...

    ... apk

  91. Windows has builtin protection vs. by Anonymous Coward · · Score: 0

    What U mention, & WoW - You're REALLY getting "desperate" now, aren't you?

    (I am also going to show you ANOTHER very, Very, VERY OLD "trick/technique" also for spotting malicious function use in my p.s. too below)

    HOWEVER: That will have to wait until I work around & "overcome this objection" from you, first:

    "What if it has borrowed the name of another legit third-party driver?" - by httptech (5553) on Friday July 08, @05:28PM (#36699878) Homepage

    Windows VISTA onwards, has "built in protection" features vs. this in many folders beneath itself & subsystems protecting vs. it on std. libs & exe's, and also 3rd party driver installs that are NOT signed...

    What do you think this SOME of the folders under Windows VISTA,7/Server2008 are for? Exactly this...

    It maintains what are legit original drivers AND service pack models, as well as libs/dlls & exe's too!

    (I also covered here HOW to stop unsigned drivers from loading in the first place, even installing @ all, see my other replies (bcdedit commandlines)).

    ---

    "What if the rootkit code is just a stub inside another legit driver?" - by httptech (5553) on Friday July 08, @05:28PM (#36699878) Homepage

    Stub? Stub functions DO NOT WORK... they are "deprecated as stubs"... I don't think you KNOW what the word/term actually means...

    ---

    "This technique has been used by malware for years now." - by httptech (5553) on Friday July 08, @05:28PM (#36699878) Homepage

    Not the way YOU say it... you may be hooking or filtering, or trying to put in place a BOGUS driver rather... I have answers for that too, see above... as does Windows already!

    ---

    "Now, how do you tell which is the malicious driver and which is not?" - by httptech (5553) on Friday July 08, @05:28PM (#36699878) Homepage

    By NOT allowing unsigned driver installations for one thing!

    ( & the bcdedit protective method via logons scripts or .bat/.cmd scripts run can help assure this that I noted in my other replies, or can help!)

    Yes, the "unkillable rootkit/botnet" (which I show clearly is b.s. & you conceded that much via my technique for destroying it non-destructively earlier & DAYS ago here on this very website) uses bypass methods vs. unsigned driver installation (which hello_tty.sys is)...

    I merely show how to stall that too, or attempt to.

    Still - "layered security", per the guides I wrote to educate users decades ago & better still since 2008? The "best medicine" possible.

    ---

    "How do you even tell if there is a rootkit in play at all?" - by httptech (5553) on Friday July 08, @05:28PM (#36699878) Homepage

    Read my guide... because there?

    I list SEVERAL decent & good rootkit detectors, including 1 from Dr. Mark Russinovich (I suggest using them ALL, as "2nd Doctor's Opinions" in fact).

    ---

    "The answer is: other tools and techniques and most importantly, a lot of time spent." - by httptech (5553) on Friday July 08, @05:28PM (#36699878) Homepage

    No, not really... in my security guide, in fact? Again:

    I list SEVERAL good & reputable rootkit detectors!

    (1 by Dr. Mark Russinovich in fact, whom I have mentioned here for GOOD REASONS (to yourself & others also in my other replies))

    E.G.-> Yes... & even Linux has one I am aware of called chkrootkit iirc!

    APK

    P.S.=> Now, finally, as I noted earlier (just something for you & others to be aware of how to do, bit technical, & demands API knowledge but... doable)

    As far as malicious functions you noted in your other replies?

    Ok:

    Well, have you EVER opened a lib/dll with a text editor?? Try it... you'll see functions/API's it calls!

    (Ye

  92. Titanic by Anonymous Coward · · Score: 0

    Of course no botnet is indestructible, they are running on windows after all duhhhhh.

  93. Don't need "prior knowledge" (listsvc & GOOGLE by Anonymous Coward · · Score: 0

    Again: Listsvc can stop drivers AND SERVICES, & it lists them all by default (for 1st disabling vs. DISABLE RC command, & then DEL command to burn it on disk):

    You have a chicken-and-the-egg problem. You said: "1.) Recovery Console bootup 2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)" - in this case you have prior knowledge. You knew there was a rootkit in play, and you knew what it was named. - by httptech (5553) on Friday July 08, @05:28PM (#36699878) Homepage

    Once more - I've used this vs. OTHER ROOTKITS TOO, not just this one where I found its name... anything that doesn't "seem right" & this you learn over time as to what the "std. drivers" look like in listsvc (they have description fields, others that are 3rd party OFTEN don't)...

    Then also, when/IF I am unsure?

    Again - I look them up on GOOGLE, or BING etc./et al... IF I DON'T GET A VALID ANSWER ON THEM AS BEING PART OF A VALID WARE? Poof - they're "Gone with the Dawn" & destroyed 1st by disabling them, rebooting again to RC, & using its DEL command (just like DOS one pretty much).

    APK

    P.S.=> Between THAT & my other reply to you here:

    http://it.slashdot.org/comments.pl?sid=2306598&cid=36700246

    I really *THINK* that ought to do it (nice discussion though, I hope others have read it & gained by it as well)...

    ... apk

  94. NOT if it was restricted 2 malware-in-general by Anonymous Coward · · Score: 0

    IF it were, It'd be a regular "boon-to-mankind" & if you saw my post the other day on that (I put a link in my last post to it)? I felt the same as you do, almost, in that ALL I SEE IS "protection" for "big business interests only" (ala the RIAA &/or MPAA):

    "DNSBL used everywhere would be ripe for political/religious/ideological censorship" - by Anonymous Coward on Friday July 08, @07:10PM (#36700848)

    Well, were I "in control of the world" etc./et al? It wouldn't be... MOST especially if taxpayer monies were funding it!

    As, imo @ least - That makes it the property of the tax-paying constituency of a nation, imo @ least!

    It would, by the same token, also "protect the big guys in business also" vs. malware (which DOES cost them)

    ( & would, again, be used to protect the "Joe Public" noobie type citizen of said world online most of all!)

    * Just for his own good vs. malwares of ALL types!

    APK

    P.S.=> And, yes - the information for that? IT IS OUT THERE...

    In fact, I populate a custom HOSTS file vs. it, since 1997 to present & my "temp file" also (what is used prior to commission to my ACTUAL HOSTS file here) currently has nearly 1.5 MILLION known bad sites/servers/hosts-domains, bogus DNS servers, + botnet C&C servers in it... to block users from them, and to even STALL malware that communicates back to the mothership...

    (I do that, along with firewall rules tables vs. IP address based malware, usually the "minority" by FAR though from data I have seen on this since, oh, 1997 to present @ least (both in software + hardware NAT router types, using DNSBL from Norton DNS in the routers))...

    Between those simple measures, & this guide for "layered security online" I first authored in 1998 & then later in 2008?

    http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE

    It works!

    ( & on the SIMPLEST PRINCIPLE OF ALL - "You can't get 'burned' if you can't go into the malware kitchen", so-to-speak... )

    Between that, &:

    Judicious usage of Javascript/IFrames/Plugins here (via Opera's "by site" preferences, globally disabling those for ALL sites, & only making "Exception Sites" that absolutely NEED them)?

    Well - I have managed to keep myself, friends, family, & folks that have read my security guides online since 1997 malware infestation/infection FREE!)

    ... apk
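    The post above describes keeping a large HOSTS file of known bad hosts so that lookups for them never leave the machine. As an added example (not code from the thread or from any poster here), the following Python parses a HOSTS-style blocklist the way the resolver reads it and checks candidate names against it; the file contents and every hostname in it are constructed for illustration:

```python
"""Added example: parse a HOSTS-style blocklist and check hostnames against it.

Not from the Slashdot thread or any poster. All names and addresses below are
constructed sample data.
"""

from ipaddress import ip_address

# Constructed sample in the shape of a real HOSTS file: an address, then one
# or more names, with '#' starting a comment and whitespace of any kind between
# fields.
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1       localhost
0.0.0.0         bad-cnc.example   # constructed C&C name
0.0.0.0         tracker.example www.tracker.example
  # indented comment line

0.0.0.0\tphish-login.example
"""

# Address that blocklists commonly pin bad names to so connections fail fast.
SINKHOLE_ADDRESSES = {"0.0.0.0"}


def parse_hosts(text):
    """Return {hostname: address} for every valid entry in HOSTS-file text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment, padding
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names is not an entry
        try:
            addr = str(ip_address(parts[0]))
        except ValueError:
            continue  # malformed address: the resolver would ignore it too
        for name in parts[1:]:
            # Names are case-insensitive; a trailing dot means the same name.
            entries[name.lower().rstrip(".")] = addr
    return entries


def is_blocked(entries, hostname):
    """True when the exact name is pinned to a sinkhole address.

    HOSTS matching is exact: a listed domain does not cover its subdomains,
    which is why large blocklists carry so many near-duplicate names.
    """
    addr = entries.get(hostname.lower().rstrip("."))
    return addr in SINKHOLE_ADDRESSES


def check_names(entries, hostnames):
    """Return [(hostname, blocked)] for a batch of candidate lookups."""
    return [(h, is_blocked(entries, h)) for h in hostnames]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name, blocked in check_names(
        table, ["WWW.Tracker.Example", "evil.bad-cnc.example", "localhost"]
    ):
        print(f"{name:28} {'BLOCKED' if blocked else 'allowed'}")
```

    The subdomain case is the one worth noticing: `evil.bad-cnc.example` is not blocked even though `bad-cnc.example` is, because the HOSTS file has no wildcard semantics. That is the gap a DNS-level blocklist (the DNSBL the post mentions) closes, since it can match a whole zone.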

  95. rite by Anonymous Coward · · Score: 0

    It seems to me like there are still bots scanning MySQL/DCOM/LSASS/Old ones, so why aren't those gone, 5-6, even more, years from now? Blame the Chinese' (according to atlas.arbor.net) unmanaged servers with cracked windows versions vulnerable to those old exploits!

  96. Good: Nothing like "the test of fire" by Anonymous Coward · · Score: 0

    In addition to my LAST/OTHER reply 2 you here http://it.slashdot.org/comments.pl?sid=2306598&cid=36695566 that illustrated the DoS &/or DDoS (more importantly this one vs. botnet based "en masse" attacks) PLUS, the SynAttackProtect parameter (& others it interacts with for setting attack threshold limits in DDoS/DoS)?

    MS is doing the BEST THING they can do now - setting a challenge to hacker/cracker types like Anonymous, LulzSec, etc. (why? Simple - it's the 1 thing hacker/crackers & yes, even malware makers are GOOD for - showing holes!)

    * MS can ONLY GET STRONGER FOR THIS, because "that which does not kill you, can only make you STRONGER", period... holds true with people too!

    APK

    P.S.=> In fact, if you've read my other replies here? I designed "layered security guides" for Windows that do REALLY well online & for others (just as a "contribution to society" really, I could have authored a book instead, but to quote "the ULTIMATE AC" Rorschach from "The Watchmen"? I'm not in it for the ink!)...

    First - I did a lot of research & went @ it... & to test it, as far back as 1994 when it was in "prototype" prior to my putting it out on forums? I went onto the IRC circuits... I even posted about the "hack/crack" wars that went on there between a channel I adminned on (OFFICIAL "Windows Help Channel" on Dalnet endorsed by none other than K. Mardam-Bey, creator of MIRC), years ago on slashdot:

    http://developers.slashdot.org/comments.pl?sid=167071&cid=13931198

    Yes... it was truly, the ultimate test & we often brought it on ourselves, with good reason (testing security) there, just to see how it "stood up under fire"... no diff. than MS is doing now I say... good move (use the "enemy" and his ego tendencies to YOUR advantage vs. your defense systems to test them... just like "pen-testing" really, but more "real world" by FAR...!)

    ... apk

  97. Glad U liked it (Hope U never HAVE 2 use it) by Anonymous Coward · · Score: 0

    See subject-line above, & in regards to what you posted on Windows NCIS, see this to disable it also -> http://it.slashdot.org/comments.pl?sid=2306598&cid=36694060

    * The one beneath it's even more "effective" when you come right down to it, but perhaps it's also "overkill" (blanks out all server names concerned).

    (You may wish to perform a registry backup of that key before you merge in the new one also... just for caution's sake, even though you posted a link to its entries here!)

    APK

    P.S.=> That is, IF it "bothers you" (It's supposed to be "benign" but I disable it myself (& even apply Windows Security & other updates myself as well, manually))

    ... apk

  98. WFP & SFP in Windows ME/2000 onwards... by Anonymous Coward · · Score: 0

    See subject-line, & these links:

    ---

    Windows File Protection/System File Protection (WFP/SFP):

    http://msdn.microsoft.com/en-us/windows/hardware/gg463455

    ---

    * GOOD read for you, I think...

    (Hey - It was for me also! Why? Well, I must be "gettin' OLD & SENILE", lol, because I thought it was only for Windows VISTA onwards & stated that here in this exchange with yourself, so - GOOD REVIEW FOR ME TOO!)

    I used to know better... (talk about forgetting more than most folks know to begin with!)

    APK

    P.S.=> Anyways/Anyhow - That's there in Windows NT-based modern OS, vs. your theoretical rootkit attack possibilities you noted...

    ... apk

  99. MS = most used, hence why more malware by Anonymous Coward · · Score: 0

    Malware makers/hacker-crackers? They're just like pickpockets! They don't operate on "crowds of 1", but where the crowds of MANY are. Just like real pickpockets do in crowded city streets, train & bus stations, malls or other public thoroughfares.

    That "train-of-thought" makes a LOT of sense from a criminal's point of view too, especially since these cracker/hacker/malware maker types nowadays are NOT "your dad's oldsmobile" brand varieties of the "halcyon days of yore" who were just out to mess up your system for the "lulz" of it. No, instead today? They are after your information and your money!

    So - to maximize possible targets for a better return on investment (roi), from a single base of effort (in the case of online criminals, that's their attack code in malwares or maliciously scripted websites), they go after what comprises 94% of the PC to Server market mostly - Windows, & mostly end users who are NOT aware of how to secure themselves vs. it, or what to avoid online.

    So far, the Linux &/or MacOS X camp has experienced less on that very basis, & enjoys "security-by-obscurity" (for now), but the second that MacOS X went up in use? It too was hit!

    What also shows that it can happen to Linux too?

    ANDROID on mobile phones, as it too, is a Linux variant!

    I.E.-> Once it got more 'usership/marketshare/mindshare' out there, it's been being "shredded" on the security-front.

    APK

  100. It's not 1995 any more - long proved wrong by dbIII · · Score: 1

    Ever wondered what OS is in a lot of those ADSL modems in people's homes that are on 24/7? Vast numbers of little linux boxes set up by the same people that get their MS Windows machines infected just by browsing with internet explorer to the wrong parts of the net. Now there's a juicy target for malware - but it's not so easy as getting crap onto unpatched XP boxes so it doesn't happen.
    Then there's all those web servers out there. Last time I looked not a lot of them were MS boxes.
    The market share argument of malware infection proved to be far too simplistic for reality probably about a decade ago. Why are you wasting everyone's time by pushing it now?

  101. Time 2 blow UR "forums 'Illogic-logic'" away by Anonymous Coward · · Score: 0

    Using documented FACTS: 1st - Linux makes sense 4 router makers CO$T$-WISE, its ONLY ADVANTAGE! You can build routers that work using it, cheaper... the ONLY advantage it has, IS this.

    Hence, why Linux HAS to find "alternate markets" other than the PC-Server world, where it's outnumbered 94++% to what? 1-2% marketshare for Linux, & the rest goes to MacOS X?? Explain that, minus your "forums 'illogic-logic'" spinmaster unrealistic b.s. - you GIVE stuff away & still don't run the show overall! LMAO... pretty funny!

    (Read on, it only gets better & STRONGER!)

    LOL, it's almost funny (& yes, I use KUbuntu 10.10 myself here to "see how the other 1/2 lives")!

    In fact? Time to BLOW your "forums 'Illogic-Logic'" spinmaster crap to hell with MORE facts & actual logic + documented facts! Ready? Read on:

    ---

    2nd - Linux also doesn't have as high quality drivers or as many because board makers KNOW what is "running the show/market " out there, Windows - so, they cater to it immensely!

    3rd: Nor does Linux have as many games, by FAR, either... this is mostly the home market in fact!)

    "The market share argument of malware infection proved to be far too simplistic for reality probably about a decade ago. Why are you wasting everyone's time by pushing it now?" - by dbIII (701233) on Sunday July 10, @09:02AM (#36710686)

    Because ALL OF WHAT I JUST WROTE throws your utter b.s. "spin master propaganda" into the waste bin is why!

    ---

    4th: Not only that, but Linux, in its KERNEL ONLY mind you? Has 3.5x the unpatched security vulnerabilities Windows 7 has (which IS a complete "distro" with all of its parts, not just a kernel only)!

    5th: Yes - Despite all those "Open 'SORES'" eyes (most of whom couldn't code to SAVE THEIR LIVES mind you) allegedly poring over Linux code, how come it has that many more unpatched bugs than Windows 7 has, hmmm??

    Closed source is HARDER for hacker/crackers to attack as well, because you're stuck either disassembling it (especially tough with kernel level debuggers) OR fuzzing it, either is tougher than searching out problems in Linux, which you just load into a compiler & step trace its "Open 'SORES'" code with to find screwups in security... hence it still has more security bugs, AND, they are unpatched (despite all the "Open 'SORES'" eyes poring over it, lol!)

    Fact, period!

    In fact, Linux's kernel ALONE has 3.5x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH!

    Proof? Ok:

    This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

    ---

    Vulnerability Report: Microsoft SQL Server 2008: (07/10/2011)

    http://secunia.com/advisories/product/21744/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (07/10/2011))

    http://secunia.com/advisories/product/17543/

    Unpatched 0% (0 of 6 Secunia advisories)

    Vulnerability Report: Microsoft Exchange Server 2010: (07/10/2011)

    http://secunia.com/advisories/product/28234/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft SharePoint Server 2010: (07/10/2011)

    http://secunia.com/advisories/product/29809/

    Unpatched 0% (0 of 0 Secunia advisories)

    Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (07/10/2011)

    http://secunia.com/advisories/product/34343/

    Unpatched 0% (0 of 1 Secunia advisories)

    Vulnerability

    1. Re:Time 2 blow UR "forums 'Illogic-logic'" away by dbIII · · Score: 1

      I hope you cut and pasted that pile of childish crap instead of wasted time typing it in. Even with that avalanche of bullshit there was nothing about your simplistic "malware is a sign of popularity" idea which I questioned above.
      If you were serious about your bug counts above and had any form of cross-platform background in the computer industry you would know that comparing those numbers is sheer numerology and no more accurate than guesses as to when the world is going to end.

  102. ANDROID ALONE PROVES IT that once by Anonymous Coward · · Score: 0

    Linux got more marketshare, on ANY platform, it gets SHREDDED ON THE SECURITY FRONT (fact)... You obviously cannot read either! 1st, see subject-line above, & then this quote from yourself:

    "Even with that avalanche of bullshit there was nothing about your simplistic "malware is a sign of popularity" idea which I questioned above." - by dbIII (701233) on Monday July 11, @03:23AM (#36717738)

    Either you NEED to get "hooked on phonics", or you are just being the troll you are... period!

    ---

    "If you were serious about your bug counts above and had any form of cross-platform background in the computer industry you would know that comparing those numbers is sheer numerology and no more accurate than guesses as to when the world is going to end." - by dbIII (701233) on Monday July 11, @03:23AM (#36717738)

    Too bad: My source for the bugs present in Windows 7, an entire OS distro that's complete showing 3.5x LESS unpatched security vulnerabilities than the Linux kernel alone (minus the rest of itself in a complete distro mind you) did you in, badly...

    Then, my showing that the rest of what Microsoft gives you for business & development has ZERO UNPATCHED SECURITY VULNERABILITIES (can MySQL, PHP, & Apache do the same? No!) has done GREAT in a HIGH TPM environs @ NASDAQ as well, whereas by comparison, the LAMP stack gets SHREDDED on the security-front & is the favorite of phishers + spammers to be abused & hacked/cracked into to do so.

    (Yes, despite all those "Open 'SORES'" eyes allegedly poring over the completely out in the open Linux sourcecode, it has more unpatched security vulnerabilities in its KERNEL ALONE than does the entire gamut/array of what Microsoft gives folks for business & development... fact, based on documented evidences from a reputable respected website for such data)

    * Lastly/in closing/BOTTOM-LINE, per my subject-line above (which you are obviously "loathe to admit")?

    ANDROID only makes it worse, by proving that once Linux DOES GET MORE MARKET SHARE, it gets TORN UP on the security front... period & fact again.

    APK

    P.S.=> An application of "ReVeRsE-PsyChoLoGy" 4U & your trollish adhominem attack forums 'Illogic-logic':

    ".ni ti gnipyt emit detsaw fo daetsni parc hsidlihc fo elip taht detsap dna tuc uoy epoh I" - by dbIII ANOTHER DEFEATED /. "Pro-*NIX" obvious "ne'er-do-well" troll (701233) on Monday July 11, @03:23AM (#36717738)

    "???"

    Uhm... Could we get a translation of that off-topic "troll-speak" of yours, please?

    * And, you're an off-topic troll - no questions asked...SEE MY SUBJECT LINE ABOVE!

    APK

    P.S.=> Yes, it must have just been another off-topic done-nothing-of-significance-with-his-life troll spewing his off-topic b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!

    ("ReVeRsE-PsYcHoLoGy", for trolls - Courtesy of this code by "yours truly" in less than 1 second flat):

    ---

    #TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)

    def reverse(s):
        # Build the reversed string one character at a time, prepending each.
        trollstring = ""
        try:
            for apksays in s:
                trollstring = apksays + trollstring
        except Exception:
            print("error/abend in reverse function")
        return trollstring

    s = ""
    print(reverse(s))

    try:

  103. How funny is that? by dbIII · · Score: 1

    or you are just being the troll you are... period

      Pre-emptive strike by accusing others of what you are doing I see, in fact it's so transparent I don't understand why you would possibly think anyone with the reading skill to read those words would be taken in by it.
    Give it up kid - find something you are good at and do that instead. You couldn't possibly be bored enough to justify wasting time writing the stuff above.

  104. In fact, here's one 'hot off the presses' by Anonymous Coward · · Score: 0

    http://it.slashdot.org/story/11/07/11/1620222/New-SMS-Trojan-Found-In-Android-Markets

    * There you go... today's news!

    APK

    P.S.=> That's in regards to my last reply here -> http://it.slashdot.org/comments.pl?sid=2306598&cid=36718860 as I wouldn't want you to NOT have "absolutely current proof thereof" as to my initial posts here that Linux, once it gets out there, will be exploited & shown as insecure (because ANDROID is in fact, a Linux variant) - would you like more of the same? I can post around 50 more like it also if you wish!

    ... apk

  105. You must have missed this one then... by Anonymous Coward · · Score: 0
  106. I'll add a bit more by dbIII · · Score: 1

    Why not devote some of that wasted time to getting a login for this site?

  107. Why don't you stop giving orders by Anonymous Coward · · Score: 0

    That nobody listens to, including myself, and get on topic? "Cat got your tongue" on the subject @ hand?? LMAO!

    (Please - don't make ME, laugh...)

    * Besides, I can post as much as any "Registered 'LUSER'" here, so what do I gain by being one of them? Nothing... I am not here living for "karma points" etc./et al, like you obviously are.

    You also tried to "patronize" me & condescend to me, boy? I'd wager I am possibly your senior as well. Nearly 50 yrs. of age here, by the by... I am nobody's "kid" as you called me here in this exchange. Get over yourself. Take your own advice, & grow up, & try something YOU are good at, because debating myself? You showed us all here you're not very good @ that, at all.

    APK

    P.S.=> Fact is, I put up information that BLEW AWAY your b.s. that "malware is a microsoft problem" only, because ANDROID shows that once Linux gets a decent share of market on a platform, it has a TON of malware it's victim to & despite Linux being "Open 'SORES'", and having people see its sourcecode, its KERNEL ONLY (just a kernel & that's not an OS by itself), Linux has more UNPATCHED SECURITY BUGS in it than most ALL OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH... period, and I did so in each of my posts here, and you were unable to counter my points afterwards!

    Yes... because of the points in my posts, you have to be off-topic now, right?

    (It shows us that You're nothing but a frustrated troll, and I know (and YOU know it, and so does anyone else reading... lol, NO questions asked!))

    ... apk

    1. Re:Why don't you stop giving orders by dbIII · · Score: 1

      So you are about the same age if you are telling the truth this time. What's your excuse for all the childish drivel then? Why do you even assume I've been "blown away" instead of merely ignoring a pile of crap which can not by any stretch of the imagination be elevated to the status of "debate"? Why can't you tell the difference between a suggestion and an "order"?
      Give it up kid. You are not fooling anybody since you write like a current teenager and not one caught in a mental time warp stuck at twelve for thirty-five years. Why you would ever bother to pretend to be that when there are far more interesting things to do is really beyond me unless you are being paid for some bizarre "grass roots" PR scheme and badly failing at it. You really must be one incredibly bored teenager or somebody pretending to be one for entertainment or misearned profit.

  108. Disprove my points then, "big talker", lol! by Anonymous Coward · · Score: 0

    Especially regarding this "drivel" from you:

    "What's your excuse for all the childish drivel then?" - by dbIII (701233) on Tuesday July 12, @07:30AM (#36731580)

    Disprove my points here:

    http://it.slashdot.org/comments.pl?sid=2306598&cid=36711088

    here:

    http://it.slashdot.org/comments.pl?sid=2306598&cid=36718860

    ---

    "Why do you even assume I've been "blown away" instead of merely ignoring a pile of crap which can not by any stretch of the imagination be elevated to the status of "debate"?" - by dbIII (701233) on Tuesday July 12, @07:30AM (#36731580)

    LOL, too easy Mr. Troll - because you ran from disproving the points I put out... simple!

    (All I see from you is adhominem attacks directed my way, & running from documented evidences + obvious truths any coder knows that I put out, as well as ANDROID showing Linux is indeed, vulnerable (as well as bearing more unpatched vulnerabilities in its KERNEL ALONE, than most all of what MS gives you to do business & development with by 3.5 orders of magnitude no less)).

    * SO - disprove my points in the links above - That'd be better than your b.s. & trolling, by far... good luck, YOU'LL NEED IT!

    ---

    AND please - quit contradicting yourself!

    (E.G.-> In your blatantly "illogical" forums' "illogic-logic" based attacks on myself, rather than the points I made above, which you RUN from, lol):

    "So you are about the same age if you are telling the truth this time.... Give it up kid." - by dbIII (701233) on Tuesday July 12, @07:30AM (#36731580)

    Why should I take your "orders"/suggestions when making you look like the fool you are is TOO easy?

    I mean, hey:

    First, you know now I am "relatively the same age" & I am probably your senior in fact!

    (and I have accomplished far more in the art & science of computing to decent notoriety as well I strongly wager also... do you even HAVE a CSC degree I must ask? I think not, because you avoid my points above like mad, lol!)

    Secondly, you know I am telling the truth (see links above, disprove them instead of using your adhominem illogical attacks on myself, rather than my points!)...

    You're contradicting yourself on the "kid" thing as well.

    ---

    "You are not fooling anybody since you write like a current teenager and not one caught in a mental time warp stuck at twelve for thirty-five years" - by dbIII (701233) on Tuesday July 12, @07:30AM (#36731580)

    Ahem: Speak for yourself troll... because until you disprove the points I wrote above, with documented facts & other obvious truths I told in those links above?

    Seriously "LMAO @ U", because It's "too, Too, TOO EASY - just '2EZ'" to do... you make it so, in fact!

    APK

    P.S.=> Trolls like you? Easy to "blow away" & dispatch, every time, using facts & documented evidences as I did in the 3 url's above...

    ... apk

  109. Group Policy & BCDEDIT stop UNSIGNED drivers by Anonymous Coward · · Score: 0

    Installs, easily & even Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:

    ---

    Configure Driver Signing Through Group Policy Editor:

    http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/

    You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!

    (In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))

    ---

    AND, this can also (as a "layered security defense" here too vs. unsigned drivers installations):

    ---

    In fact?

    I already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs

    http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960

    PERTINENT QUOTE/EXCERPT:

    ---

    "Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?

    Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):

    ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:

    ---

    bcdedit /deletevalue loadoptions

    bcdedit -set TESTSIGNING OFF

    ---

    * That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)

    ---

    Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes...

    (Group Policy can too, LAN/WAN wide if needed - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)

    However - The nicest part is here?

    Well - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!

    (I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)

    * Once more/Again? "Here endeth the lesson..."

    APK

    P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):

    "Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:

    http://www.youtube.com/watch?v=SP74aJBbIoY

    Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!" for what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructible" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!

    ... apk
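    The two bcdedit lines quoted in the post above turn test signing off and clear the boot-loader load options; an administrator also wants to know whether a machine is currently in that state before remediating it. The following audit script is an added example, not part of the post or of any Microsoft tooling. It assumes an elevated PowerShell session on Windows Vista or later (bcdedit.exe does not exist on XP, where the Group Policy route in the post applies instead), and only reports; the remediation commands are the post's own.

    ```powershell
    # Added example: audit the active boot entry for settings that let
    # unsigned kernel drivers load. Assumes an elevated session on
    # Windows Vista or later so that bcdedit.exe is present and readable.

    function Get-BcdCurrentEntry {
        # Run "bcdedit /enum {current}" and turn each "element  value" line
        # into a hashtable keyed by the lower-cased element name.
        $lines = & bcdedit.exe /enum '{current}'
        if ($LASTEXITCODE -ne 0) {
            throw "bcdedit failed (exit $LASTEXITCODE); run from an elevated prompt."
        }
        $entry = @{}
        foreach ($line in $lines) {
            # Header and separator lines either do not match or land on
            # harmless keys such as "Windows"; real elements parse cleanly.
            if ($line -match '^(\S+)\s+(.+)$') {
                $entry[$Matches[1].ToLower()] = $Matches[2].Trim()
            }
        }
        return $entry
    }

    function Test-UnsignedDriverLoading {
        param([hashtable]$Entry)
        $findings = @()
        if ($Entry['testsigning'] -eq 'Yes') {
            $findings += 'testsigning is ON: test-signed drivers load and the TEST MODE watermark is shown.'
        }
        if ($Entry['nointegritychecks'] -eq 'Yes') {
            $findings += 'nointegritychecks is ON: kernel-mode code signing is not enforced.'
        }
        if ($Entry.ContainsKey('loadoptions')) {
            # The post deletes loadoptions outright; any value here deserves review,
            # in particular one that disables integrity checks.
            $findings += "loadoptions is set to '$($Entry['loadoptions'])'; review or delete it."
        }
        return $findings
    }

    $bcd    = Get-BcdCurrentEntry
    $issues = Test-UnsignedDriverLoading -Entry $bcd
    if ($issues.Count -eq 0) {
        Write-Output 'OK: the active boot entry enforces driver signing.'
    } else {
        $issues | ForEach-Object { Write-Warning $_ }
        Write-Output 'Remediation (from the post): bcdedit /deletevalue loadoptions ; bcdedit -set TESTSIGNING OFF'
    }
    ```

    The checks read the boot configuration only, so the script can be run as a scheduled task or logon script alongside the post's remediation lines to catch a machine that has been switched back into test mode.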

  110. State the obvious.. Nothing is indestructible. by Kuruk · · Score: 1

    That would include Microsoft.

  111. Group Policy can STOP Unsigned Drivers by Anonymous Coward · · Score: 0

    Installs, easily & Windows WARNS YOU of "test mode" when one's installed to bypass signed drivers checks - I know this from building & testing filtering drivers in fact:

    ---

    Configure Driver Signing Through Group Policy Editor:

    http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/

    You can BLOCK it even happening vs. rootkits like this one OR others like it that try to install bogus drivers as this one did in hello_tt.sys!

    (In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))

    ---

    AND, Again - This can also as a "layered security defense" here too vs. unsigned drivers installations along with the bcdedit commandlines I showed in my post I replied to here as well! See my post parent to this one...

    ---

    (Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)

    However - The nicest part is here?

    Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!

    (I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)

    * Once more/Again? "Here endeth the lesson..."

    APK

    P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):

    ---

    "Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:

    http://www.youtube.com/watch?v=SP74aJBbIoY

    ---

    Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"

    (For what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructible" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)

    ... apk

  113. What point is in all that gibberish then? by dbIII · · Score: 1

    do you even HAVE a CSC degree I must ask?

    No. I'm a real engineer instead. Back in the day what you call CSC was called applied mathematics in some places anyway.

    I can barely understand any of your "points" due to them not being in English and instead being in some teenage gamer dialect I assume is called 10s3r or similar. I accept that the language of the net is broken English but you could at least make some attempt to communicate instead of the deliberately obfuscated pile of crap you've unloaded in the posts above. It really is a weird and pointless game you are playing where the topic really doesn't appear to matter in any way at all, and yes, it's really obvious it's a game but I'm bored enough to push back a little bit at your bullshit.
    It's easy enough to just indicate the malware swamp that infests the Microsoft platform you are raving about to show how little value your "points" have.

    1. Re:What point is in all that gibberish then? by Anonymous Coward · · Score: 0

      Being a "real engineer" doesn't make you a computer expert. Engineers use computers all the time and depend on people like apk. APK posts facts about Microsoft's entire software stack that showed it has only 5 unpatched vulnerabilities in not only the kernel only (where Linux 2.6 the mainstream kernel only has 17 and if you put the rest of what goes in a Linux distro on there as well as the LAMP stack for business development as he said and the register showed proof it gets targeted by phisher and spammer, so it only gets worse for Linux the more you put on it. It is very easy to show APK's points especially when Android is the worst of all as it's being torn up by malware almost daily from the news I see here). APK has a strong set of points backed by a reputable website for reporting unpatched security vulnerabilities too. If anyone's pushing bullshit here, it's you. Go away and let computer people discuss their area, instead of "real engineer" know nothings like yourself please who depend on computers yourself and you try to "lord it over us" that you actually are better? You depend on us computer freaks dork. You don't belong here and most especially because you are an off topic know nothing troll in computing. So stop trying to play computer guru since you admit you don't even understand the terms being used, and cease your off topic trolling also. I am sick of seeing it like everyone else here is troll.

    2. Re:What point is in all that gibberish then? by dbIII · · Score: 1

      So what is it that inspires such a feeling of inferiority that drives you to write such material?

  114. You're not good at it either by Anonymous Coward · · Score: 0

    Because APK showed you can do workarounds to Windows 5 remaining unpatched security vulnerabilities shown at SECUNIA.COM here http://slashdot.org/comments.pl?sid=1267281&cid=28490013 and you could not do the same for all of the known unpatched security vulnerabilities on MacOSX. APK also showed things he's done in computing you've never managed to do yourself in being shown in respected publications in books/magazines/newspapers and more, plus tech trade shows as a finalist in Microsoft Tech Ed's hardest category of SQL Server Performance Enhancement for his work in code and ideas how to use them, and having code he wrote be in respected commercial software too here http://slashdot.org/comments.pl?sid=2014606&cid=35341516 You ran from that or tried spinmaster b.s. days to weeks later but you still fell short of the mark versus apk.

  115. Re:The Snow Leopard partition still works by Anonymous Coward · · Score: 0

    APK doesn't do that in his HOST file. He blocks botnet C&C servers, adbanners (because they slow you down, suck up bandwidth you pay for too, and have been shown many times since 2003 to have malicious script in them also), bogus DNS servers, and known sites-servers-hosts-domains that are known to be bad from 17 reputable sites for HOST file data and DNSBL lists also. APK doesn't try to put the internet into the HOSTS file. He uses it in conjunction with DNSBL using DNS servers like Norton DNS (which filters against malware and what I listed above), and firewall rules tables (in hardware routers and software firewalls also) to block out what I list above. What you're saying isn't what he does, and quite foolish of you to try also.

  116. Re:The Snow Leopard partition still works by Anonymous Coward · · Score: 0

    You're a fool like the other one posting then, and you need to see this http://it.slashdot.org/comments.pl?sid=2306598&cid=36746020 because trying to map the entire internet into a HOST file and hardcoding all of the host-domain names to ip addresses on your part would be a fool's move and APK doesn't do that (He only maps his favorites against DNS redirect poisonings or if the DNS he uses goes down (and he uses multiple DNS servers like Norton DNS, ScrubIT DNS, OpenDNS, and Google DNS too iirc) and he combines HOST files with reputable reliable more filtered secured DNS servers like Norton DNS (uses DNSBL versus malwares as noted above) to complement them, and they his HOST file.

  117. I never had a "real engineer" help me with by Anonymous Coward · · Score: 0

    MY work, but I helped a LOT of engineers with theirs in AutoCAD as 1 example (VBA scripting it, repairing it, etc./et al) & yet you refuse to disprove the points I put down that were backed by documented facts from reputable sources, when challenged to do so?

    (No wonder you're off-topic here nearly the ENTIRE TIME! You really don't know what you're talking about here... even though you shot your mouth off about the points I raised here earlier, backed by either documented facts from a reputable source, or just facts any coder or tech knows!)

    * Please... Grow up, get a life, troll.

    APK

    P.S.=> Unbelievable - this site's become LITTERED the past year or two with people who actually "get off" on harassing/bothering/'trolling' others... Just like dbill even admits he's doing here now, no questions asked!

    ... apk

  118. What feeling of inferiority made YOU by Anonymous Coward · · Score: 0

    Write about being a "real engineer"? Funny part's that I've never had an engineer help me w/ MY work, but I've helped plenty of them with theirs (in AutoCAD doing VBA scripting in it for them, as 1 example, & doing techwork on computers they use many times as well).

    APK

  119. Thanks for the assistance... apk by Anonymous Coward · · Score: 0

    Despite dbill's off-topic b.s. here and running away from disproving my points, You raised interesting ones I just used against him myself as well, with valid examples of where I helped literally "real engineers" more than a FEW TIMES, with computers they use.

    (AutoCAD VBA scripting & also repairing the systems they use, setting them up... In fact - So many things I can't even begin to list them this early in the a.m. w/ out having had my coffee & thinking about it, first!)

    APK

    P.S.=> Now that he FINALLY admitted just what it is he does for a living that is, I can see WHY he refuses to disprove my points... he knows next to nothing on the subject-material @ hand is why - he's just another "ne'er-do-well" troll!

    ... apk