Slashdot Mirror


User: cbiltcliffe

cbiltcliffe's activity in the archive.

Stories
0
Comments
3,325

Comments · 3,325

  1. Re:Wrong again on WFP (Have to disable it 1st) on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    submit so that you

  2. Re:Wrong again on WFP (Have to disable it 1st) on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    before you hit

  3. Re:Wrong again on WFP (Have to disable it 1st) on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    form your thoughts

  4. Re:Wrong again on WFP (Have to disable it 1st) on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    you need to

  5. Re:Wrong again on WFP (Have to disable it 1st) on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    I think

  6. Re:Did I use the word rootkit? No, not once. on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    Hey, APK!

    You didn't sign this post with apk!

    You're slipping. Or are you just trying to astroturf, and make it seem like other ACs agree with you?

    That just shows how desperate you are.

  7. Re:Did I use the word rootkit? No, not once. on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    "Ooooh! Ad hominem attacks!" - by cbiltcliffe (186293) on Tuesday July 12, @03:12PM (#36738656)

    LMAO - you started it,

    I started it? Really? You can't even remember what you've written in this thread, can you? The first insult to fly in this thread came from you, in the form of this comment:

    * So, go "hawk" your essentially obsolete 'ware' in this situation & others like it vs. rootkits "1 hit wonder" disk elsewhere man!

    Besides, I haven't used a single ad hominem attack. I've called you a douche, among other things, but I haven't said that you're incorrect because you're a douche. I've said that you're a douche because you're incorrect, but you can't see it. Do you even know what an ad hominem attack is?

    I only call a spade, a spade is all, & I fight fire WITH hotter fire, especially if it's done to myself, first...

    Your "hotter fire" is a sputtering candle, but you can't even see it's burning out.

    * You KNOW you've gotten the best of a troll, when trolls go "silent" - APK "FTW", as usual, vs. /. trolls...

    Are you hearing yourself? Obviously you can't hear anybody else, due to the sheer amount of self-cheerleading you do, so you assume they've all gone silent. Tell me, do you wear a skirt and wave pompoms when you do that? .APK is a troll.APK is a troll.APK is a troll.APK is a troll.APK is a troll.APK is a troll.APK is a troll.APK is a troll.
    APK is a n00b.APK is a n00b.APK is a n00b.APK is a n00b.APK is a n00b.APK is a n00b.APK is a n00b.
    cbiltcliffe is invincible!!cbiltcliffe is invincible!!cbiltcliffe is invincible!!cbiltcliffe is invincible!!cbiltcliffe is invincible!!cbiltcliffe is invincible!!

    Nope. Doesn't really do anything for me. I guess I don't feel my knowledge is so limited that I need to trumpet it to anybody who'll listen so as to try to make myself feel better about being borderline incompetent.

    The ONLY way to use those, would be to do what this botnet did, a filtering/hooking driver... otherwise, Windows SFP/WFP (Windows File & System File Protection) would detect for it & replace them IF they were bogusly replaced... period!

    Once again, you're wrong. I've seen patches like this happen, and WFP did not fix it. The problem is, once the file is patched, and the hostile code loaded into memory, WFP can be disabled by that hostile code, even if only for that file.
    True, this does mean you have to get infected in the first place, and you've assured me that your m@d skillz would prevent anything like that from ever happening.

    Did I use the word rootkit? No, not once.
    In regards to TcpView OR ProcessExplorer? No. So haha to you: See subject-line above...

    So basically, what you're saying is:
    "I made a statement completely unrelated to the conversation, but made it sound like it was part of the conversation going on, and since you assumed I was actually talking about what everybody else was talking about, you must be an idiot."

    That's even more childish than the rest of your fellow trolls, so you've mastered the art. At least I'm honest when I'm being childish, assmuncher. You'd probably be good in politics, because you can say something that has a totally different meaning than anybody listening will take from it, and then seem honestly surprised when people misinterpret you.

    Now, since you've responded to my single post with 4 of your own, but still managed to avoid the very first question I asked you in this thread, I'm going to ask it one more time:

    If you're relying on Norton DNS to prevent such a "beastie" - as you so eloquently put it - from talking to its C&C server, how can you trust the DNS settings on the infected computer?

    Now, since you've spent the entire thread with your hands over your ears going "LALALALA

  8. Re:LOL- Tossing names now/adhominem attack? on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    TcpView... now, say (as I did in my last post above) that while letting my nephew, brother (or even little niece, she's into computing too (good sign)) use my system, & say they infect it via a USB stick, and my antivirus/antispyware in place resident doesn't catch it? I can monitor who/what/when/where/how my system is "talking to" other machines online (inclusive of botnet C&C servers).

    According to your statement here, said in a thread about rootkits, you can use TCPview to detect errant connections caused by malware. In the context of a rootkit conversation, it can only be assumed that you're talking about rootkits.

    Again, I ask you: How do you detect a rootkit using TCPview? You maybe didn't state outright that you could, but you certainly strongly implied it with the context of your statement.

    There's NO DENYING my technique will get rid of this rootkit and others like it, is there? Apparently not, because you avoid that like the plague when I ask the question if it works or not... lol!

    Will it get rid of an MBR rootkit? Yes. Will it get rid of a driver-based rootkit with a discrete .sys file for the driver? Yes.

    Will it get rid of a driver-based rootkit that uses a patched tcpip.sys, or atapi.sys? No, because listsvc doesn't verify file signatures, and there's no way for you to do it manually using hashes, or the like, within the recovery console.

    You also claimed that:

    even IF I were to 'suck in' this beastie? As soon as they get its C&C servers, I get them... every 1/4 hour, & it won't be able to "talk back to HQ"...

    Notice that word "this"? That means you're specifically referring to the rootkit that was the topic of the conversation. This rootkit will be blocked by your Norton DNS settings. That's what you claimed. But you still haven't explained how you can trust the DNS settings on a rootkit infected computer, either.

    I never once did state what you "inferred" above, dolt!

    Ooooh! Ad hominem attacks!

    <APK-like voice>I'm such a big man because I know how to spell ad hominem!!</APK-like voice>

    BTW, it's two words, just in case you're interested. But you're not, because you're more interested in saying:
    "Look at my commercial software! I've written security guides! I've shown you how to remove this rootkit 12 times, so why does it matter that I haven't given a reliable method to detect it!!! Shut up!"

  9. Re:Will this work vs. this rootkit/botnet? on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    "Here endeth the lesson"...

    Listen, you arrogant, obnoxious, simple-minded gimp.

    I'm not asking you how to eliminate the rootkit. I never once asked you how to eliminate a rootkit. I already knew how to eliminate a rootkit. Stop harping on it, as you're making yourself look like a complete and total fool, by repeatedly answering a question that was never asked.

    My issue has always been with your claim that you could detect a rootkit with Process Explorer and TCPview. This is what I stated in my very first post to you, and the only thing I've repeatedly stated that you're wrong about. This is also the only aspect of this rootkit removal that you haven't clarified.

    Instead, you choose to go off on irrelevant and off topic rants about how you're an expert because you're an expert, and how your instructions to remove a rootkit will work every time, and how this one guy left a comment about how he never got malware once he used a hosts file.

    Guess what? I don't give a fuck about all that.

    Here is the question I want you to answer, in plain English, that even, apparently, ACs can understand, but you can't:

    How do you propose to detect a rootkit using Process Explorer and TCPview, when the output of these programs cannot be trusted when running in a rootkitted environment?

    If you can't answer this question, then all your removal instructions are moot.

  10. Re:Apparently UR not aware of HOSTS/DNSBL on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    I'm perfectly aware of DNS blacklists and the host file, thank you very much.

    Apparently you can't read, however. My post had nothing to do with the hosts file. You keep harping on your custom hosts file, rather than actually READ what I WROTE.

    Maybe you could actually TELL ME how YOU propose to detect a ROOTKIT running on an infected system with TCPview, which is what I asked in the first place.

    And ON TOP of that , maybe YOU COULD stop with the annoying CAPS and bold changes, as they make your posts even harder to read than your tortured logic does.

  11. Re:My code's in COMMERCIAL SOFTWARE on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    "My code's in commercial software, so you must bow before me, as I know what I'm talking about, because my code's in commercial software."

    Yet again, the appeal to authority logical fallacy.

    Not only do you not understand how malware can screw with your system, but you can't argue for shit.
    When you'd rather reverse the text of what I said than actually argue the point I've stated, repeatedly, and has been ignored by you every single time; instead preferring to rely on your record of software that you wrote years ago.....

    You just don't get it. You can call me a troll all you want, but your head is in the sand. You refuse to even acknowledge my point, let alone refute it, which leads me to believe you either do not have facts to support your position, or maybe that you don't even understand my point.

    If you refuse to debate the issue at hand, which has been repeatedly stated by myself, then you're not worth wasting /. database space on.

    And in answer to your question "Is mine in commercial software?"
    This particular software of mine is used in an entire commercial service, which has been used in various parts of the world, to clean malware from infected machines. This service/software is used by other commercial entities as a better alternative to virus scanners traditionally used on a single scan/online basis by computer service companies. This software and service hasn't been reviewed by some computer magazine editor who knows jack about the industry, but rather by techs who actually use this type of thing in the trenches, as one of the best, if not the best malware detection program they've ever seen.

    As to other software? Yes, I've written a bunch. But your idiotic debate methods aren't worth wasting my time on.

  12. Re:Another USEFUL tool by "The Good Doctor"? on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    You're still not getting it, because you're still running all your diagnostic utilities within the infected system.

    How do you trust the TCP connections listed in TCPview (which is a great program, by the way) when TCPview itself is running on an infected system? A rootkit will hide its own network connections from this program.

  13. Re:My "PROACTIVE MEASURES" inside... on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    ... have YOU done better, troll?

    You're a cocksucking douche. Yes, that sounds like flamebait.

    It's not. It's the truth.

    You know absolutely jack shit about me, and when I call you out on a completely illogical statement you made, you start going back to previous things that you've done, and how "you must be right because look at your credentials!"

    Ever heard of the appeal to authority logical fallacy?

    I don't give a damn what you've done, and how many security guides you've authored.

    When your machine is infected, you can no longer trust your DNS settings. Period. End of story.
    Saying that you check them is irrelevant.

    Now, as to what I've done in this area? Well, let's see....I am the author of an anti-malware tool that uses 40+ different antivirus engines to scan a machine. It does this scan offline, rather than within the infected system, and I can do it remotely, over the Internet. This, of course, means I can use this system to remove rootkits remotely, even on a computer that will not boot.

    Remote service on a computer where Windows (or for that matter OSX or Linux, too) will not start. Gee. Have you done better, troll?
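The point made in comments 8 and 13 above (a recovery-console listing does not verify file signatures or hashes, and a check is only trustworthy when it runs outside the suspect system) can be shown with a small offline integrity check. This is an added example, not code from the thread or from any tool named in it; it assumes the suspect volume has been mounted read-only from a separately booted, trusted environment, so the bytes read are not filtered by a driver on the infected system. The file names, contents and hashes are constructed for the demo.

```python
"""Offline integrity check of system files against a known-good hash manifest.

Added example. Assumes the volume under `root` was mounted from a trusted boot
environment (not the suspect OS), so reads are not filtered by a hooking driver.
All paths, contents and resulting hashes below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 in chunks so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, relative_paths):
    """Record known-good hashes; run this against a clean reference install."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in relative_paths}


def verify_tree(root, manifest, watched_dirs):
    """Compare a mounted volume against the manifest.

    Returns {relative_path: status} with status one of
    "ok", "modified" (hash differs), "missing" (expected file absent),
    "unexpected" (file in a watched directory that the manifest never listed).
    """
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif sha256_file(path) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    # Extra files in sensitive directories (e.g. a dropped driver) are flagged too.
    for d in watched_dirs:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            rel = os.path.join(d, name)
            if os.path.isfile(os.path.join(root, rel)) and rel not in manifest:
                results[rel] = "unexpected"
    return results


def demo():
    """Constructed scenario: build a manifest from a clean tree, then check a tampered copy."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        drivers = os.path.join("Windows", "System32", "drivers")
        files = {  # constructed stand-ins, not real driver bytes
            os.path.join(drivers, "tcpip.sys"): b"reference tcpip.sys bytes\n",
            os.path.join(drivers, "atapi.sys"): b"reference atapi.sys bytes\n",
            os.path.join("Windows", "System32", "ntoskrnl.exe"): b"reference kernel bytes\n",
        }
        for root in (clean, suspect):
            for rel, data in files.items():
                p = os.path.join(root, rel)
                os.makedirs(os.path.dirname(p), exist_ok=True)
                with open(p, "wb") as f:
                    f.write(data)
        manifest = build_manifest(clean, list(files))

        # Tamper with the suspect volume: patch one driver, delete one, drop in an extra.
        with open(os.path.join(suspect, drivers, "tcpip.sys"), "ab") as f:
            f.write(b"\x90\x90")
        os.remove(os.path.join(suspect, drivers, "atapi.sys"))
        with open(os.path.join(suspect, drivers, "unknown.sys"), "wb") as f:
            f.write(b"not in manifest\n")

        return verify_tree(suspect, manifest, [drivers])


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10s} {rel}")
```

The manifest must come from a clean reference (a fresh install or vendor media), and both the manifest and the checker should live on read-only media; a manifest stored on the suspect volume can be rewritten along with the files it describes.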

  14. Re:Additionally, U have to get malware, 1st on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    No. You stated that "if" you were to suck in one of these, then the update to Norton would prevent it from being able to talk back to its C&C.

    Well, once you've got one, you can't trust the DNS servers that are shown in the NIC config GUI, because you're infected.

    Admittedly, as you've said, the chances of you getting something are significantly diminished due to your diligence. But you're sounding a bit cocky right now, as if you think it's impossible for you to get infected, rather than just unlikely.

    What you're forgetting is that Norton DNS updates, HOSTS file updates, and everything else you can do to prevent connecting to known malicious domains are all reactive. Meaning someone has to update that list between when the domain begins distributing malware and when you try to hit it. If you try to hit it before the list is updated, all bets are off.

  15. Re:No, no, no, you need a car analogy. on Movie Industry Files Injunction Against UK ISP · · Score: 1

    It's more akin to suing Voxhaul for selling a Vectra that could be potentially used to take a sports shooter who will never shoot anyone to a gun shop.

    This is obviously a false scenario mind you, as no one in their right mind would be caught dead driving a Vectra.

    No one in their right mind would be caught dead spelling "Vauxhall" as "Voxhaul" either. Come on. I'm from Canada, and they don't even sell those cars in North America, and I knew it was spelled incorrectly....

  16. Re:Not behind my "100,000 megavolt forcefield" her on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    * Nice part about the "heart of it" in the HOSTS file + Norton DNS is that even IF I were to 'suck in' this beastie? As soon as they get its C&C servers, I get them... every 1/4 hour, & it won't be able to "talk back to HQ"...

    Until you realize that malware can change the DNS settings of the interface directly, so while you think you're using Norton DNS, you're actually using InfectedSpywarePOS DNS.

  17. Re:Take 'em offline on Massive Botnet "Indestructible," Say Researchers · · Score: 1

    Yeah, because I still live in 1998 and work at a law firm, and thus have access to a fax machine

    You got an all-in-one printer and a phone line? Then you've got a fax machine.

  18. Re:Nothings changed on Are Fake Geeks Dooming Real Ones? · · Score: 1

    Because you're not Paris Hilton.

  19. Re:Explained in D&D terms on Are Fake Geeks Dooming Real Ones? · · Score: 1

    I'm happy with my hot geek wife

    Pics or it didn't happen! :)

  20. Re:Physical security on Passcodes Prove Predictable · · Score: 1

    See, I thought that too. But then I got wondering:

    Who the hell is going to take a common as dirt phrase like "Don't leave your item unattended" and turn it into something bizarre like "don't let anyone mess with your item when you're not there to stop them." It's just so out there that I can't imagine they actually meant the first one....

  21. Re:PROFILED on TSA Has 95-Year-Old Remove Her Diaper For Screening · · Score: 1

    Your basis for this is that airplanes are falling out of the sky like hail from children rigged to explode?

    I assume his basis is that it is true (which it is).

    It's happened once. But it's in the news, as it was recent, so now you (I'm not an American) have to protect yourselves from all eight year olds, who are all potentially carrying bombs for terrorists.

    But once you start checking all the eight year olds, then what happens when the terrorists use a nine year old? You'll completely miss it, because you're continually checking for what they've done once in the past, rather than figuring out what's likely or possible to happen next.
    Every time a new attack comes up, the talking heads say it was "completely unforeseeable," simply because nobody has the foresight to do anything beyond reactionary bullshit.

  22. Re:Entropy of passcode space on Passcodes Prove Predictable · · Score: 1

    selection technique known as "shocking nonsense." (Google)

    Huh? How are you supposed to use Goatse as a passcode?!

  23. Re:Physical security on Passcodes Prove Predictable · · Score: 4, Funny

    Here's a clue: don't let anyone mess with your phone when you're not there to stop them.

    Really? Do you hear what you're saying?

  24. Re:Hmmm on Facebook Blocks KDE Photo App, Deletes Users' Pics · · Score: 1

    There was a lot of artistic license.

    Yes...it was almost like they started from a blank page.

  25. Re:Autobot rampage on Facebook Blocks KDE Photo App, Deletes Users' Pics · · Score: 1

    an artificial intelligence emerged from the... mass of knowledge amassed in its (Facebook's) pages.

    That would require Facebook's pages to actually contain...well...knowledge. Since it consists totally of inane drivel refined to its purest form, I doubt any AI that spawned from such would be able to do anything more than drool....