Is Grisoft AVG Free Reverse Engineered by Botnets?

April 15, 2009 by bluecollarpc

Is Grisoft AVG Free reverse engineered by botnets? Read up, make your own check and decision, and don’t forget to read the information in the replies here.


Help Topic: Vista infection: detected: Win32.Outbreak!IK

SOURCE: http://bluecollarpc.net/smf/index.php?topic=389.0
COPIES: http://tech.groups.yahoo.com/group/Vista-Group/message/1283
(I am Group Owner: http://tech.groups.yahoo.com/group/Vista-Group/ )

Partial Scan Results / Detection: AVG ANTIVIRUS SHOWING “Trojan Horse Injector.CZ” QUARANTINED…. It may be possible this is what was detected. Deleted easily and successfully – performing entirely new full scans. Returning. ….
————————————————

LINE: Symantec 1.4.4.12 2009.03.26 Infostealer
MINE – Ikarus Antivirus part of A-Squared Anti-Malware
Ikarus T3.1.1.48.0 2009.03.26 Win32.Outbreak
SEE
InfoStealer, Zeus, Zbot, Nethell, Ambler Destroy what Conficker does not
April 13, 2009 by bluecollarpc
http://bluecollarpc.wordpress.com/2009/04/13/infostealer-zeuszbotnethellambler-destroy-what-conficker-does-not/  

————————————————

a-squared Anti-Malware – Version 4.0
Last update: 4/13/2009 9:45:09 AM

[ NOTES: Partial Scan - stopped to perform Quarantine of found item.]
Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 4/13/2009 9:46:25 AM

C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe detected: Win32.Outbreak!IK
C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe detected: Win32.Outbreak!IK

Scanned

Files: 183254
Traces: 532386
Cookies: 13
Processes: 90

Found

Files: 2
Traces: 0
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 4/13/2009 11:14:15 AM
Scan time: 1:27:50

C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe Quarantined Win32.Outbreak!IK
C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe Quarantined Win32.Outbreak!IK

Quarantined

Files: 2
Traces: 0
Cookies: 0

———————————-
NOTES:
SEE –
Virustotal. MD5: d33cdfe402789dc4ed1050e393a107cd Infostealer … a-squared, 4.0.0.101, 2009.03.26, Win32.Outbreak!IK. AhnLab-V3, 5.0.0.2, 2009.03.26, -. AntiVir, 7.9.0.129, 2009.03.26, -. Antiy-AVL, 2.0.3.1, 2009.03.26, – …
http://www.virustotal.com/analisis/10234f1b07a8851c708f7e4f384f1736

File dhl_n756512.zip received on 03.26.2009 23:53:19 (CET)
Current status: finished

Result: 9/39 (23.08%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.26 Win32.Outbreak!IK
AhnLab-V3 5.0.0.2 2009.03.26 -
AntiVir 7.9.0.129 2009.03.26 -
Antiy-AVL 2.0.3.1 2009.03.26 -
Authentium 5.1.2.4 2009.03.26 W32/Trojan3.AKD
Avast 4.8.1335.0 2009.03.26 -
AVG 8.5.0.283 2009.03.26 Pakes.CZX
BitDefender 7.2 2009.03.26 -
CAT-QuickHeal 10.00 2009.03.26 (Suspicious) – DNAScan
ClamAV 0.94.1 2009.03.26 -
Comodo 1085 2009.03.26 -
DrWeb 4.44.0.09170 2009.03.26 -
eSafe 7.0.17.0 2009.03.26 -
eTrust-Vet 31.6.6418 2009.03.26 -
F-Prot 4.4.4.56 2009.03.26 W32/Trojan3.AKD
Fortinet 3.117.0.0 2009.03.26 -
GData 19 2009.03.26 -
Ikarus T3.1.1.48.0 2009.03.26 Win32.Outbreak
K7AntiVirus 7.10.682 2009.03.26 -
Kaspersky 7.0.0.125 2009.03.26 -
McAfee 5565 2009.03.26 -
McAfee+Artemis 5565 2009.03.26 -
McAfee-GW-Edition 6.7.6 2009.03.26 -
Microsoft 1.4502 2009.03.26 -
NOD32 3966 2009.03.26 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.26 -
Panda 10.0.0.10 2009.03.26 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.26 -
Rising 21.22.32.00 2009.03.26 -
Sophos 4.40.0 2009.03.26 Troj/Agent-JJP
Sunbelt 3.2.1858.2 2009.03.26 -
Symantec 1.4.4.12 2009.03.26 Infostealer
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.26 PAK_Generic.001
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.26 -
Additional information
File size: 72765 bytes
MD5…: d33cdfe402789dc4ed1050e393a107cd
SHA1..: 9230358ec5ad2e2234bcdac5106e9598de6da9de
SHA256: 8b2c8c36f8b38bb4d2059a1605c7facd035b57b995ed4ace36bebde92240acea
SHA512: 73f53b5ed61a495dcfc298f8ce8a46ba0b41a4910f500d87d5f16808f657d596b073f61f8e8a8512f97a28c7c7609e776f6e080102c2cd85e1d7430b25ce51b0
ssdeep: 1536:z2iwln152KEYRs99KNGHV/iDUAUZHL1cl7yU4xcc1qDD9FZ+Nq5h:Iln1AK0v1ioPct94/qP9FZ+Nqr

PEiD..: -
TrID..: File type identification
ZIP compressed archive (100.0%)
PEInfo: -
RDS…: NSRL Reference Data Set

Poverty Package: Security Defense Freewares with Real Time Protection needed

April 13, 2009 by bluecollarpc
Poverty Package – Security Defense Freewares with Real Time Protection Added….
Genuine Defense Freewares with Real Time Protection Added (needed)
http://bluecollarpc.wordpress.com/2009/04/13/poverty-package-security-defense-freewares-with-real-time-protection-needed/

ALL WITH REAL TIME PROTECTION NOW – FULL OR PARTIAL….
(The star ratings are the combined prevention and detection ability
from personal experience)

Microsoft AntiSpyware is now Windows Defender 4-5*Stars (FULL)
[working-freeware from Microsoft]
http://www.microsoft.com/athome/security/spyware/software/default.mspx

SUPERAntiSpyware 4* (PARTIAL)
[working-freeware, and premium version]
http://www.superantispyware.com/

Spyware Terminator [working-freeware] 4* (FULL)
(Antispyware and antivirus. Real time protection added ! )
http://www.spywareterminator.com/

Google Pack with PCTools Spyware Doctor 4* (PARTIAL – ALSO GET NORTON FREE ANTIVIRUS WEEKLY HERE)
http://pack.google.com/intl/en/pack_installer.html?hl=en&gl=us

Transaction Guard 5* (FULL)
http://www.trendsecure.com/portal/en-US/tools/security_tools/transaction_guard

Trend Micro RUBotted (free) 4-5* (FULL – DETECTION ONLY)
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted

a-squared Anti-Dialer [working-freeware] 5* (FULL)
(Dial Up Modems – not broadband/dsl/cable/satellite)
http://www.emsisoft.com/en/software/antidialer/

AVG Anti-Virus Free Edition [working-freeware] 5* (PARTIAL)
http://www.grisoft.com/

ThreatFire AntiVirus 4-5* (FULL)
http://www.threatfire.com/

Windows One-Care (90 Day Free Trial !) 5* (FULL)
http://onecare.live.com/site/en-us/default.htm?s_cid=sah

6* STARS ! ! ! BEST (FULL)
Comodo Personal Firewall
(Genuine Freeware, and rated by international tests as about world’s
best – now includes antivirus real time)
http://www.personalfirewall.comodo.com/
Firewall Protection:
A firewall is your first line of defense in protecting private
information. Our award-winning firewall is designed to prevent
unauthorized hackers from obtaining your private information.
AntiVirus Software
Prevent, Protect and Defend your computer against attacks. Comodo’s
AntiVirus Software will scan your computer AND remove viruses on a
schedule that works for you.
Free Firewall Software Download by Comodo  Comodo’s free firewall
protects against malware and is the best on the Internet totally free
for advanced users and beginners computer security.
http://www.personalfirewall.comodo.com/

ZoneAlarm Free Firewall 4-5* (PARTIAL)
Protect your PC with #1 Free Firewall
http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm
ZoneAlarm Free Firewall blocks hackers from infiltrating your home PC
by hiding your computer from unsolicited network traffic. By
detecting and preventing intrusions, ZoneAlarm Free Firewall keeps
your PC free from viruses that slow down performance, and spyware
that steals your personal information, passwords, and financial data.
. Essential firewall protection
. Be invisible to others online
. New interface makes it even easier-smaller size keeps it light

Sygate Personal Firewall Free 5.6.2808 (FULL, DISCONTINUED – NO MORE
UPDATES – SYMANTEC OWNS IT, GET THE FREE ORIGINAL VERSION)
Downloads: 166,860
User Rating: Very Good (4.3/5), rated by 518 user(s)
Developer: Sygate Technologies, Inc.
License / Price: Freeware
Size / OS: 8.8 MB / Windows All
Last Updated: October 29th, 2004
Freeware / FREE
http://www.softpedia.com/get/Security/Firewall/Sygate-Personal-Firewall-Free.shtml

Ashampoo FireWall Free 1.2
License: Free
Editor’s Rating: Not rated
Average User Rating: 3.5 stars (out of 625 votes)
Downloads: 1,144,972
Requirements: Windows 2000/XP
Limitations: No limitations
Date Added: April 18, 2007
http://www.download.com/Ashampoo-FireWall-Free/3000-10435_4-10575187.html

Webroot Desktop Free Firewall New Version 5.8!
(From the makers of the Legendary and Industry
Leader – Webroot Spysweeper)
http://www.webroot.com/En_US/consumer-downloads.html
Better protection than Windows firewall! Protect your identity
and data from hackers and other unauthorized access.

SEE THIS “CLEARING HOUSE” WEBSITE FOR BAD PRODUCTS LIST….
Title: The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites 
Description: Bad, False, Fake products 
URL:  http://www.spywarewarrior.com/rogue_anti-spyware.htm

BCPCGroup ~ The BlueCollarPC.Net Website Security Group
——————————————————
MEMBERS AREA:
http://www.bluecollarpc.net/joingroup.html
Mail domain bluecollarpc.net
Live List Owner: bcpcgroup-listowners@bluecollarpc.net
Service List Owner: bcpcgroup-owner@bluecollarpc.net
Post to Group (Members Only): bcpcgroup@bluecollarpc.net
Help address bcpcgroup-help@bluecollarpc.net
Subscription address: bcpcgroup-subscribe@bluecollarpc.net
Unsubscription address: bcpcgroup-unsubscribe@bluecollarpc.net
#Sender Policy Framework (SPF, http://spf.pobox.com) Protected
#ALL Posts Moderated and List Protected with Antivirus Service.
*Guard archive (message digests). Archive access requests from
unrecognized SENDERs will be rejected.
*Subscription requires confirmation by reply to a message sent to the
subscription address.
*Unsubscribe requires confirmation by a reply to a message sent to
the subscription address.

InfoStealer, Zeus, Zbot, Nethell, Ambler Destroy what Conficker does not

April 13, 2009 by bluecollarpc

The Malware that Murders Windows (PC Magazine)

Malware usually makes Windows run badly, but it usually wants to keep it alive. Not always. The S21sec Labs blog details a few examples of malware that deliberately kills Windows.


http://www.pcmag.com/article2/0,2817,2344677,00.asp?kc=PCRSS03069TX1K0001121

The Malware that Murders Windows 04.08.09

“….three examples are InfoStealer, Zeus/Zbot and Nethell/Ambler. All are bot software in which the botnet actually has a command to kill the operating system. Nethell deletes Windows loader files NTDETECT.COM and NTLDR after clearing their Hidden/System/Read-Only attribute bits and then reboots.

InfoStealer deletes every driver in the System32 directory and a few critical registry keys for good measure. Zeus/Zbot deletes the entirety of these registry hives and branches:

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE\software

HKEY_LOCAL_MACHINE\system

Then it fills memory with nulls, eventually causing a BSOD (Blue Screen Of Death)….. ” ……MORE http://www.pcmag.com/article2/0,2817,2344677,00.asp?kc=PCRSS03069TX1K0001121

[ NOTES: The above are Windows Registry hives; see an easy explanation of the Registry here: http://www.bluecollarpc.net/registry.html

TIP: You need registry clean-up utilities that have a “Restore Registry” feature. The newer quality ones have this and the older, inferior ones do not. Ordinary backups will probably do nothing for this – they just restore files, which is worthless without the corresponding registry keys; nothing will work. What restores the Registry is the Windows Disaster Recovery / Repair CD restoring to factory-fresh condition, or using registry restore from restore points you set in the registry clean-up utility. For partial damage, reinstalling software from backup CDs or from the installer packages will rewrite their registry keys. However, here the article is clearly pointing out that you won’t have Windows itself to do that with.

TIP: Open the Windows Registry and click “Export”, which will copy the entire Registry into a text file you save; double-clicking that saved file restores the registry. They will know the file extension and delete it, so put on the thinking cap to hide it. Here, reinstalling Windows is the only way out, obviously. SEE Disaster Recovery themes.
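A scripted version of this tip, as an added example that is not part of the original post: it exports the three hives the PC Magazine quote names using reg.exe, writes a SHA-256 manifest beside the exports, and checks that manifest before a backup is trusted for `reg import`. It assumes an elevated Windows PowerShell (4.0 or later, for Get-FileHash) and a backup folder on a removable drive; E:\RegBackup is a placeholder path.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
#   .\Backup-Hives.ps1                 -> export hives + write manifest
#   .\Backup-Hives.ps1 -Verify         -> confirm nothing has been altered/deleted
param(
    [string]$BackupDir = 'E:\RegBackup',   # assumption: an external/removable drive
    [switch]$Verify
)

# The hives the PC Magazine quote says Zeus/Zbot deletes outright
$hives = [ordered]@{
    'HKCU'          = 'HKEY_CURRENT_USER'
    'HKLM_SOFTWARE' = 'HKEY_LOCAL_MACHINE\SOFTWARE'
    'HKLM_SYSTEM'   = 'HKEY_LOCAL_MACHINE\SYSTEM'
}
$manifest = Join-Path $BackupDir 'manifest.sha256'

function Backup-Hives {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $lines = foreach ($name in $hives.Keys) {
        $out = Join-Path $BackupDir "$name.reg"
        # reg.exe export writes a .reg text file; /y overwrites without prompting
        & reg.exe export $hives[$name] $out /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed for $($hives[$name])" }
        # manifest line: <sha256>  <filename>, so tampering or truncation is detectable
        "{0}  {1}" -f (Get-FileHash -Path $out -Algorithm SHA256).Hash, "$name.reg"
    }
    Set-Content -Path $manifest -Value $lines
    Write-Output "exported $($lines.Count) hive(s) to $BackupDir"
}

function Test-Hives {
    $ok = $true
    foreach ($line in Get-Content $manifest) {
        $expected, $file = $line -split '\s+', 2
        $path = Join-Path $BackupDir $file
        if (-not (Test-Path $path)) { Write-Warning "missing: $file"; $ok = $false; continue }
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $expected) { Write-Warning "hash mismatch: $file"; $ok = $false }
    }
    return $ok
}

if ($Verify) {
    if (Test-Hives) { Write-Output 'backup intact' } else { exit 1 }
} else {
    Backup-Hives
}
```

To put a verified export back, `reg import E:\RegBackup\HKLM_SOFTWARE.reg` (and the other two) from an elevated prompt; a manifest mismatch means the copy should not be trusted.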

Security Tip: Conficker creating Windows TEMP files – Use Clean Up utility software

April 12, 2009 by bluecollarpc

Security Tip: Conficker creating Windows TEMP files – Use Clean Up utility software …..
 
READ ABOUT WINDOWS TEMP FILES CREATED BY CONFICKER….
 
Trend Micro (a top world company like Symantec Norton)
http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
“…Well that was until last night when we saw a new file (119,296 bytes) in the Windows Temp folder. Checking on the file properties reveals that the file was created exactly on April 7, 2009 at 07:41:21.
Checking also on traffic captures show that there was no HTTP download that occurred somewhere around that time frame, which was from April 7, 2009 at 07:40:00 up to April 7, 2009 at 07:42:00. However, we noticed a huge encrypted TCP response (134,880 bytes) from a known Conficker P2P IP node (verified by other independent sources), which was hosted somewhere in Korea…..”
 
Now here we go – what is needed is the quick computing lesson about which temporary files are safe to delete and which are not. The one piece of information that, in all my years around forums and personal websites (Community Help), was never mentioned or explained is about the temporary files created by software programs. This is by people who don’t know and never asked, yet have great-looking websites with plenty of other great information. How they all seem to miss this simplicity, and for all these years, is a mystery.
 
To clean up, and why….. All the “clean up your tracks”, “clean up your browsing history” and “clean up your temporary computer history files” utilities and the like (used for personal security reasons too) – many of them free for download – get to the Windows / Temp files and clean them up in a click. HOWEVER, please read on, and for a trusted, safe utility for this I am only going to mention one of the most trusted and used, which is actually Genuine Freeware (no ads, not ad-driven), and that is CCleaner, HERE (I have used it myself, and on Vista):
 
CCleaner – Home: CCleaner, created by Piriform, authors of the hugely popular freeware tools CCleaner, Recuva and Defraggler.
http://www.ccleaner.com/
 
What is always safe to delete are “Temporary Internet Files”, as in when you open Internet Explorer (others: Firefox, Chrome) > Tools > Internet Options > Browsing History. These are Windows magic that makes computing fast: they are the graphics, images, pictures and GIFs (cartoon/animated) stored on the PC from each website you visit – continually, but without doubles – and on each visit these are pulled up almost instantly rather than re-downloaded, which really helped with dial-up connection computing. If they are not deleted they just keep piling up and piling up, and they are literally trash files – worthless other than for the speed afforded. Security-wise, if these are tapped by some spyware etc., it can see browsing history, like financial logos or even password-protected sites visited, just from the graphics, pictures and images from the visit. You can plainly see this in their several folders – click View these. You may also come across Windows Media movie files if you downloaded one to view or an embedded player played one – the entire copy of the movie is here. (You are not going to see all the text on pages here.)
 
PART TWO….. is the software and Windows temporary files. WINDOWS TEMP FILES ARE TO BE TREATED LIKE SOFTWARE INSTALLATION TEMPORARY FILES, WHICH ARE NOT TO BE IMMEDIATELY DELETED! The temporary files from software installations are found when using Disk Cleanup (part of Windows). If you run Windows Disk Cleanup they will be presented as a menu item. You never delete these right away, as you will see by highlighting them and clicking once to show the information about them at the bottom, where Windows explains something like “these are safe to delete…. not used in 2 weeks or so…”. Software may or may not use them, but only after installation and after first usage. When the software is working just fine and you are on your way – that is when they are safe to delete.

They are kind of like the “Repair Software” process many programs have built in, rather than deleting and reinstalling a program with a problem. These are usually special-type or shareware programs with Repair – not little free utilities or Solitaire games etc. These programs have a built-in ability to bug-fix and restore missing program files in Repair (saves the time of uninstall / reinstall). This is why you wait for new software to convince itself it is installed correctly and working properly before deleting its temporary files. THIS is how Windows TEMP files are to be treated.

DO NOT simply click Delete in clean-up utilities, and certainly NEVER manually delete their folders. Make sure these are NOT included in clean-up utilities that have a “Delete All Zero Content (empty) Folders” feature – uncheck this. It is VERY irresponsible, as there can even be log file folders that are part of an installation and just happened to be empty (zero content), or security log folders, and so on. Uninstalled software many, many times leaves an empty folder in Windows / Program Files. Those are trash and are what that utility feature was referring to, but it will also delete the other empty folders that are part of installed software.
 
To delete Windows / TEMP files, best practice is to do it when there is little or no activity going on with software and the internet. If you are going to run this clean-up it should be after, say, when you are shutting down for the day – everything closed – and after a fresh reboot from this. Let the PC sit for at least 5 minutes after it has started and everything has loaded and is ready to go, and watch for any scheduled feature you may have (calendar reminder etc.). Close down all the programs you can from the start-up tray. Keep it calm and wait a minute or more after these actions. You don’t want Windows busy running things while you perform this. With everything shut down, NOTHING running, and having waited a few moments while your PC is on and very still and quiet….. NOW run the Windows TEMP clean-up. Otherwise there may be mistaken deletions, or rather error messages that certain of these files are in use – “cannot delete the selected files” – and even the bang noise (fatal error bang).
 
Along the same clean-up lines there are also the Windows logs and Error Reporting etc. Do not delete these unless any bug or glitch or notification of Windows sending out an error report is days past, like at least a week or so. Over-cleaning can actually backfire and slow down the computer if and when replacement files need to be created. Certainly after cleaning up the Temporary Internet Files, the first couple of clicks to websites take that extra nanosecond because the browser cannot fetch the temporaries and has to download them.

POINT OF THIS EXERCISE…..
The whole point of this is that if you have visited our security information sites or professional ones and read up on Conficker and all similar threats – these bastards are breaking into ANYTHING and everything. I even was notified of a trojan found in Windows Error logs….. I mean that is ridiculous, but Conficker, as shown at the Microsoft site, is indeed dumping or disabling Windows Error Reports that get sent out or are timed to be sent out. Up until recently this was absurd. Not anymore. The word is, in other words – empty your Windows Temp files from time to time and keep a watch on them. Crimeware nowadays is launching from anywhere and doing anything.
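The clean-up rules and the “keep a watch on them” advice above, as an added PowerShell example that is not from the original post: it inventories a TEMP folder, keeps anything created or modified within Disk Cleanup’s two-week window or still open by another process, reports recently created executables (the kind of new file the Trend Micro note describes), and deletes the rest only when run with -Remove (-WhatIf previews). The 14-day window and the per-user $env:TEMP default are assumptions.

```powershell
# Added example, not from the original post.
#   .\Audit-Temp.ps1                        -> report only
#   .\Audit-Temp.ps1 -Remove -WhatIf        -> show what would be deleted
#   .\Audit-Temp.ps1 -Path "$env:SystemRoot\Temp" -Remove   (elevated, system TEMP)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Path = $env:TEMP,   # assumption: per-user TEMP; pass the system one explicitly
    [int]$RecentDays = 14,       # assumption: mirrors Disk Cleanup's "not used in 2 weeks"
    [switch]$Remove
)

# A file that cannot be opened exclusively is in use (or read-only); either way we keep it.
function Test-FileLocked {
    param([string]$FilePath)
    try {
        $fs = [System.IO.File]::Open($FilePath, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

$cutoff = (Get-Date).AddDays(-$RecentDays)
$report = foreach ($f in Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue) {
    $locked = Test-FileLocked $f.FullName
    $recent = ($f.CreationTime -gt $cutoff) -or ($f.LastWriteTime -gt $cutoff)
    [pscustomobject]@{
        Path       = $f.FullName
        SizeBytes  = $f.Length
        Created    = $f.CreationTime
        Locked     = $locked
        Recent     = $recent
        Executable = $f.Extension -in '.exe', '.dll', '.scr', '.com'
        Action     = if ($locked) { 'keep: in use' }
                     elseif ($recent) { 'keep: recent' }
                     else { 'delete' }
    }
}

# Watch list: executables that appeared in TEMP recently are worth a second look
# (size and creation time are what the Trend Micro note keyed on).
Write-Output "Recently created executables under ${Path}:"
$report | Where-Object { $_.Recent -and $_.Executable } |
    Format-Table Path, SizeBytes, Created -AutoSize

if ($Remove) {
    foreach ($r in ($report | Where-Object Action -eq 'delete')) {
        if ($PSCmdlet.ShouldProcess($r.Path, 'Remove old temp file')) {
            Remove-Item -LiteralPath $r.Path -Force -ErrorAction Continue
        }
    }
} else {
    Write-Output 'Summary (run with -Remove to delete the "delete" group):'
    $report | Group-Object Action | Select-Object Name, Count
}
```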
 
RANT: Said all that to say this….. some groups or forums or people would have just answered “yeah, they are definitely trash and safe to delete – just click delete all”. There was nothing further from the truth. You then go to the next thread to see the person asking how to fix missing files. Two, three paragraphs are necessary to answer most security and computer help questions …. not a text-messaging group with one-liners that grew out of pay-per-minute internet from Usenet days before Windows 95.
 

Conficker type threats change Community Help forever

April 11, 2009 by bluecollarpc
Conficker type threats change Community Help forever
 
To all our Community Help brothers and sisters: to understand this you ARE going to have to read any typical payload delivered by these, specifically referring to the Windows Updates, System Restore and Safe Mode features built into Windows. These are the traditional, well-proven areas of use in Community and commercial Professional and Expert help for malware blocking, removal and discovery. They are destroyed and/or booby-trapped by these specific types of botnets. As a good source for understanding this, visit the page written up on my personal website, on our .net and .org domains, HERE:
 
Resume / Amateur PC Security Forensics
((( FORENSICS – BUILD )))
AMATEUR PC SECURITY FORENSICS
TITLE: “Pseudo 14 Teredo Trojan Botnet Attack”
http://www.bluecollarpc.org/_mgxroot/page_10751.html
 
AND
 
Amateur Forensics Resume
((( FORENSICS – BUILD )))
AMATEUR PC SECURITY FORENSICS
TITLE: “Pseudo 14 Teredo Trojan Botnet Attack”
http://www.bluecollarpc.net/forensics.html
 
 
SECURITY HORIZON ……
 
These abilities may become, in part or in full, a standard payload in any variant. The Conficker worm botnet is a prime example, as a close cousin here. Obviously, in these new times, these new deadly criminal botnets have changed Malware Removal Help….. No longer, in caution or common sense, can Community Help….
 
# Giving help instructions for malware removal to reboot into diagnostic Safe Mode for removals cannot safely be advised. If Safe Mode is not blocked, it may intentionally give access but be booby-trapped to disallow rebooting back into Normal Mode.
 
# Obviously, Windows System Restore and Restore Points are rendered inoperable or deleted.
 
# Windows Updates and Security Software websites are blocked. Windows Installer may well be rendered inoperable denying download / install abilities.
 
# Windows Remote Assistance invitations may not be possible if the client is infected with keyloggers, and the crimeware culprits intercepting the password may enter first; it may be inoperable. Also, encapsulated (or similar deceits) payloads may act as undetectable in-the-wild threats, destroying both computer systems or enlisting the helper’s machine in the botnet via infection.
 
# Mobile/portable thumb-drive (or similar) anti-malware may be needed to replace the standard help avenues mentioned – and it may need to be prepared for Windows Installer repair.
 
# More…..

 
What I discovered in a devastating, catastrophic, virtually successful Conficker-type botnet attack is that the Windows Firewall (XP; Vista has the upgraded one) was actually that one last little piece of defense, beyond all the rest, that did in fact BLOCK reconnection and re-connectivity by the successful botnet installation.
 
There are mysterious defenses in Microsoft Windows, and they are the top programmers of the world – their system being Unix Certified (google it). No one is going to find out all of them, except perhaps in a reaction by the system in a severe case such as this. Windows code is and has always been secret. A good part of it has been compromised, as you see from the millions of pirated copies available illegally. This is the “anti-cracking” technologies area that Windows and most decent software have in them to prevent this. Quite obviously, in other words, Windows anti-cracking was compromised a long time ago. What are you going to do….. well.
 
But my amendment is that I discovered Windows Firewall kind of acts like Windows Data Execution Prevention (DEP). This is Windows, built in and on by default, though some idiot may tell you to turn it off. In a nutshell, DEP is about the last standing defense in an unprotected or compromised machine hit by specific viruses and worms that are designed specifically to actually destroy files and delete the entire Windows operating system (worms). These are the threats not designed like mass-mailing spam worms or password-stealing viruses and so on. These are the ones created to quite intentionally destroy computers and computer equipment. There is a difference. I found therein that the Windows Firewall acts like DEP in a totally compromised PC, which I personally just recently suffered. From experience, I saw this right in front of my face, in action.
 
So my security advice is to disregard the talk just here that it is strongly not recommended to have two firewalls running, as they can conflict. Generally that means, like at the airports now, getting “shook down” – with 2 firewalls everything is put through that twice, and it can hang up and can even cause the system to freeze, or even a crash and reboot. THIS has been extremely rare, if ever, through the years since the XP Firewall was released, as even I myself have tried it on and with different other firewalls like the older Norton Personal Firewall, McAfee Personal Firewall, Sygate Personal Firewall, Trend Micro Suite Personal Firewall, and others I may have forgotten …. and the point …. ever a conflict? NO, never actually.
 
Said all that to say this: the Windows Firewall (XP, Vista) is actually part of the Windows operating system, just like Internet Explorer and Outlook Express (XP) and Windows Mail (Vista) are. That being said – there IS a SECRET here in the further abilities of Windows Firewall (and crimeware will not find out), being an incorporated actual part of the Windows OS (operating system), best described as acting like DEP technology, and it has indeed DENIED an unknown crimeware botnet from establishing a hijacked, spoofed broadband connection illegally. I indeed have this first-hand experience; it was in front of me and happened approximately 6 to 7 seconds after the complete devastation and destruction by the included worms and the wiping of DNS and browser information. My entire Registry was exported and Microsoft sent in the Dr. Watson Debugger, which failed. Mine on my PC was intentionally disabled after years of use, as one “reputable” software company had misused it to corrupt other software. I re-established connectivity after rebuilding System Restore and then restoring network integrity.
 
My bottom line is leave Windows Firewall ON ALL THE TIME !!! This is why. Disregard ALL else.
 
Me as a “source”…. the bluecollarpc.net domain has been accepted kind of as the poor man’s CastleCops.
 
SOURCE
Data Execution Prevention: frequently asked questions
(Applies to all editions of Windows Vista)
http://windowshelp.microsoft.com/Windows/en-US/help/186de3d0-01af-4d4c-981d-674637d2f4bf1033.mspx
 
Microsoft KB 875352: A detailed description of the Data Execution Prevention (DEP) feature in Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet …
http://support.microsoft.com/kb/875352
 
gerald philly pa usa
webmaster www.BlueCollarPC.Net
 
 
 
 

Resume: Amateur Forensics Build “Pseudo 14 Teredo Trojan Botnet Attack”

April 11, 2009 by bluecollarpc

Resume: Amateur Forensics Build “Pseudo 14 Teredo Trojan Botnet Attack”

SOURCE:
Resume: Amateur Forensics Build “Pseudo 14 Teredo Trojan Botnet Attack”…..
http://bluecollarpc.net/smf/index.php?topic=380.0

_________________________________________________________________________.

A  ~  W O R K  -  IN  -  P R O G R E S S …..
(”Knowledge shall be the stability of thy times…”)

Logs: Botnet Attack-Denial Of Service, Catastrophic damage, MSN.com subscribers targeted
http://tech.groups.yahoo.com/group/BlueCollarPC/message/2450
“Pseudo 14 Teredo Trojan Botnet Attack” – Botnet Attack-Denial Of Service, Catastrophic damage, MSN.com subscribers targeted
http://groups.google.com/group/BlueCollarPC/browse_thread/thread/3228b2bc1ca5da8e
BLOG:
Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack
January 28, 2009
http://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/

RESUME:
WEBMASTER BLUECOLLARPC.NET DOMAIN / AMATEUR SECURITY FORENSICS

((( FORENSICS – BUILD )))—> building pc incident security forensics

temporary amateur build of a full amateur forensics submission, ongoing to finish \ this text will be removed upon completion !

AMATEUR PC SECURITY FORENSICS
TITLE: “Pseudo 14 Teredo Trojan Botnet Attack”

INFECTION DATE Scan Time: 12/18/2008 4:02:15 PM

ESTIMATE:
[Transport Bug in the Environment] …

DEFINITION—->
bug
Last modified: Wednesday, July 16, 2003   
http://www.webopedia.com/TERM/b/bug.html
An error or defect in software or hardware that causes a program to malfunction. Often a bug is caused by conflicts in software when applications try to run in tandem. According to folklore, the first computer bug was an actual bug. Discovered in 1945 at Harvard, a moth trapped between two electrical relays of the Mark II Aiken Relay Calculator caused the whole machine to shut down.
NON SAMPLE—>
Unix transport bug (and a possible fix)  Unix transport bug (and a possible fix). 20 Jun 2003 15:58:02 +0200. Previous message: couple of trivial patches …
http://lists.freedesktop.org/archives/dbus/2003-June/000389.html

SYMPTOMOLOGY:
All System Restore Points deleted (several); Windows System Restore access blocked (blank white pages). Access in all browsers blocked to security sites (blank white pages) and also to MSN.com customer settings (blank white pages), along with blocking Internet Explorer from finalizing installation, in retrograde from version 7 back to 6 and back again, creating their circle-jerk game for MSN customers (blank white pages) via the Run Once web page needing 2 clicks to complete installation, with all identity wiped in the browser and DNS information, no connectivity (broadband/DSL). Blocking meaning these were all blank white browser pages, including the Google Pack panel and the Trend Micro Internet Security 2009 panel. Help files booby-trapped with virus. Access blocked to Computer shortcuts and browsers online to Windows Updates. Some log files deleted. Windows > Search function feature access blocked (blank white page). Control Panel > Users access blocked as blank white page. Others: able to access Microsoft Baseline Security Analyzer online (visible), but radio button access blocked; kept clicking the button, nothing happened, mouse cursor inoperative just on button clicks at the website for scan begin. More…..

SYNOPSIS:
[Apparent rootkit technologies, in part, are the mechanism performing registry injection of false keys and files and payload facilitation, affording creation of a false positive detection and payload entry and transport via the subsequent restore action as vehicle. The command registry injection by the limited rootkit technologies (stripped version apparently) and the uploaded payload files constitute a "transport bug in the environment matrix", as their absence precludes detection of the delivery as malicious, operative only upon action taken. There was no valid detection basis for triggering the false positive offered.]

DIAGNOSIS
# Injection 14 values here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15 (apparently causing blank white background on shells, browsers). Apparent encapsulated payload delivery and encapsulated 'kiddie script' as registry injection mini-load creating many keys of the type above and others in the various affected places to fake the appearance of a trojan via visual navigation behaviors.
# Worm present, as all System Restore Points deleted.
# DNS broadband/DSL connectivity information wiped in system, connectivity destroyed, several security programs disabled….
# Security scan logs do indicate a major worm, traces of another major worm, spyware packages installed, additional viruses activated in Help Files and a Downloader Trojan reported as installed.
# Apparent encapsulated payload delivery.
# SUMMATION: Damages 99.999 percent of the time define a criminal botnet attack attempting even 'spoofing' of the broadband/DSL connection and hijacking the computer, immersing it in a crimeware botnet.
PAYLOAD DETECTED:
a-squared free v. 4.0.0.21
(C) 2003-2008 Emsi Software GmbH – www.emsisoft.com
ID Object
C:\WINDOWS\Explorer.EXE Worm.Win32.Otwycal.c
C:\Program Files\NetMeeting\wb32.exe Trojan-Downloader.Win32.Agent.bkw
Trace.Registry.Blubster
Trace.Registry.SpyPc 8.0!A2
Trace.File.Borzoi
Trace.Registry.SpyPc 8.0!A2
Trace.Registry.Internet Cleanup 5.0

STATUS: [Restored; Windows Installer remains damaged – inoperative after several fix attempts]

CLARIFICATION…..
Clarification – "pseudo trojan" is my term for a fake trojan unique to this infection payload.

RELATED:
MAJOR ZERO DAY THREATS -
WINDOWS UPDATES PATCHES ISSUED FOR:
# WMF meta file Zero Day
# .AniCursor Zero Day
# VML Zero Day (Vector Mark Up)

BLOGS ~ LISTS ~ GROUPS…..

Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack
January 28, 2009 by bluecollarpc
http://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/
I guess a good name for this one is “Death Of A Sails man” ….. in referring to all the fun years on my Windows XP
Home Edition Personal Computer. Sailing, surfing – you get it.
Conficker Worm Targets Microsoft Windows Systems – Overblown?
March 30, 2009 by bluecollarpc
http://bluecollarpc.wordpress.com/2009/03/30/conficker-worm-targets-microsoft-windows-systems-overblown/
Security tip for Vista Firewall, others, against Conficker threats (Symantec)…..
April 8, 2009
http://bluecollarpc.wordpress.com/2009/04/08/security-tip-for-vista-firewall-others-against-conficker-threats-symantec/
Tags: Conficker, firewall, open port, Port 5357, teredo, Vista Firewall
Posted in BCPCNet WebLog | No Comments »
Restoring false positive threat from Quarantine, Safe Mode dangers
April 3, 2009
http://bluecollarpc.wordpress.com/2009/04/03/restoring-false-positive-threat-from-quarantine-safe-mode-dangers/
Tags: back up, botnets, fasle positive, kiddie scripts, registry, restore point, safe mode, safe practices, system restore, worms
Posted in BCPCNet WebLog | 1 Comment »
Conficker Worm Targets Microsoft Windows Systems – Overblown?
March 30, 2009
Tags: botherder, botlord, botmaster, botnet, IPv4, IPv6, kiddie scripts, psuedo teredo, teredo, tunneling, worm, zombie, zombie networks
Posted in BCPCNet WebLog, SpyLerts | 4 Comments »
BCPCNet-Modcasts: “Malware Botnet Cartel” by BlueCollarPC.Net
February 12, 2009 by bluecollarpc
PLAY))) Malware Botnet Cartel (BCPCNet-Modcasts)
http://www.bluecollarpc.net/downloads/DestroyBotnetCartel.wma
COMMENTS: (bluecollarpc) http://www.bluecollarpc.net/
Cybercrime Treaty Gains Momentum…
Article: http://www.networkworld.com/news/2008/040108-cybercrime-treaty-gains-more-interest.html?fsrc=rss-security
Council Of Europe:
http://www.conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG
Vista User Account Control gets perfect score – rootkits – use disabling tweaks ?
By bluecollarpc
http://bluecollarpc.wordpress.com/2008/08/28/vista-user-account-control-gets-perfect-score-rootkits-use-disabling-tweaks/ 
Freeware security was a solution – once upon a time…..
August 29, 2008 by bluecollarpc
http://bluecollarpc.wordpress.com/2008/08/29/freeware-security-was-a-solution-once-upon-a-time/

COMMENTS ~ PUBS

LET’S AVOID…..
US Consumers robbed: $8.5 Billion by online threats – throw PCs in trash
August 11, 2008 by bluecollarpc
http://bluecollarpc.wordpress.com/2008/08/11/us-consumers-robbed-85-billion-by-online-threats-throw-pcs-in-trash/
U.S. Consumers Lost Nearly $8.5 Billion to Online Threats (Kansas City InfoZine)
Spyware accounts for $3.6 B in losses; 2.1 million computers replaced due to malware 8/8/2008 5:44 AM
Read more| Open in browser
http://www.infozine.com/news/stories/op/storiesView/sid/29832/
Tunneling to circumvent firewall policy
http://en.wikipedia.org/wiki/Tunneling_protocol#Tunneling_to_circumvent_firewall_policy

Group Email Addresses
Related Link: http://bluecollarpc.net/
Post message: BlueCollarPC@yahoogroups.com
Subscribe: BlueCollarPC-subscribe@yahoogroups.com
Unsubscribe: BlueCollarPC-unsubscribe@yahoogroups.com
List owner: BlueCollarPC-owner@yahoogroups.com

#####BlueCollarPC.Net Memberships: #####
BlueCollarPC.Net Website Help Group
http://www.bluecollarpc.net/joingroup.html
BlueCollarPC.Net Portal Forums
http://bluecollarpc.net/smf/index.php
http://bcpcnet-com-portal.forumotion.net/forum.htm
BlueCollarPC Yahoo Group
http://tech.groups.yahoo.com/group/BlueCollarPC/
BlueCollarPC.Net WebLog
http://bluecollarpc.net/wordpress/
Spy-Lerts Mail Lists
http://www.bluecollarpc.net/spy-lerts.html
Subscribe: spy-lerts-subscribe@bluecollarpc.net
RSS: http://groups.google.com/group/spylerts/feed/rss_v2_0_msgs.xml?num=50
RSS: http://rss.groups.yahoo.com/group/Spy-Lerts/rss
Dial Up Friendly http://www.bluecollarpc.org/

#####SPY-LERTS FROM BLUECOLLARPC.NET#####
Mail List: spy-lerts@bluecollarpc.net
Join List: spy-lerts-subscribe@bluecollarpc.net
Unsubscribe: spy-lerts-unsubscribe@bluecollarpc.net
List Owner: postmaster@bluecollarpc.net
List Information:
http://www.bluecollarpc.net/spy-lerts.html
SPF Protected (Sender Authentication)
http://spf.pobox.com
MODERATOR ANNOUNCEMENT ONLY LIST / NO REPLY 
*****Moderated List, Internal Anti-Virus Protected*****

#####OUR ~ ALTERNATES#####
PDA Mobile Cafe Homepage
http://www.pdamobilecafe.bluecollarpc.net/index.html
Website Group/Join:
http://www.pdamobilecafe.bluecollarpc.net/members1.html
pdamobilecafe-subscribe@pdamobilecafe.bluecollarpc.net
PDA Mobile Cafe Yahoo Group
http://tech.groups.yahoo.com/group/PDAMobileCafe/
PDAMobileCafe-subscribe@yahoogroups.com
PDA Mobile Cafe Forums
http://pdamobilecafe.freeforums.org/index.php
Mobile PC and everything wireless – cell, pda, laptop
Linux OS for older Windows Machines
http://www.bluecollarpc.net/linux-ducks.html
Linux-Ducks Yahoo Group
http://tech.groups.yahoo.com/group/Linux-Ducks/
Linux-Ducks-subscribe@yahoogroups.com
#####BCPCNET ALTERNATE GROUPS#####

——————————————————————-/.
COMMENTS ATTACHED: (REPLIES) “~~~ BUILD NOTES…..~~~” .

_____PRESS_____
Security Software Disabler Trojan
http://inews.webopedia.com/TERM/S/security_software_disabler_Trojan.html
Botnet – Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Botnet

botnet Definition: TechEncyclopedia
http://www.techweb.com/encyclopedia/defineterm.jhtml?term=botnet

Botnet : Definition From Webopedia
http://www.webopedia.com/TERM/b/botnet.html

Article: Battling the Botnet Pandemic
Lavasoft News – March 2007
http://www.lavasoft.com/company/newsletter/2007/2_28/article2.html
Battling the Botnet Pandemic. Your home computer may be among the millions of PCs that are under the control of criminals, and worse yet, you may not even be aware of it.

Article: Botnet – CNET News.com
http://news.com.com/Security+from+A+to+Z+Botnet/2100-7355_3-6138435.html
Security from A to Z: Botnet | CNET News.com
These armies of zombie PCs are used by cybercriminals for sending spam. Part of a series on …

Article: Botnet Basics
http://www.eweek.com/article2/0,1895,2097976,00.asp
Botnet Basics
Bots are software applications that run automated tasks over the Internet. A network of bots working under a central command and control center is a botnet. This eVideo seminar looks at the basic …

Article: Botnet Battle Already Lost?
http://www.eweek.com/article2/0,1759,2029720,00.asp
Is the Botnet Battle Already Lost?
Botnets have become a big underground business, and the security industry has few answers. eWEEK … It’s dress-down Friday at Sunbelt Software’s Clearwater, Fla., headquarters. In a bland cubicle on …

MSNBC: The lowdown on ‘Bots’
http://www.msnbc.msn.com/id/17805145/
The lowdown on ‘Bots’
What are ‘bots’?
“Bots” – short for robots – are hijacked computers that are infected by computer viruses and then used by criminals and pranksters for a variety of criminal and malicious purposes.
Who controls ‘bots’?
The criminals behind “bots,” known as “bot herders,” assemble armies of infected computers — often between 50,000 and 70,000 PCs strong — that they can then charge customers for the use of. The going rate for sending spam is $5,000 a day or more, according to Howard Schmidt, former White House cyberczar.
What are ‘bots’ used for?
“Bots” are used to spread malicious programs, send spam, fuel “pump-and-dump” stock schemes and launch denial-of-service attacks, among other things.
How many ‘bots” are there?
Internet founding father Vint Cerf recently estimated that 150 million computers have been hijacked. Most other experts believe that figure is too high, but there is general agreement that “bots” number in the millions, if not the tens of millions.
How can I tell if my computer is a ‘bot’?
You can’t necessarily. Antivirus software will catch most known viruses, but new ones are being created all the time. It used to be that poor performance often tipped off users that their computers had been infected, but “bot herders” now distribute tasks among thousands of computers to avoid tell-tale crashes.

More:

How big is the botnet problem?
Feature By Julie Bort, Network World, 07/06/07
http://www.networkworld.com/research/2007/070607-botnets-side.html?fsrc=rss-security

Types of attacks: Botnets

Cross-site scripting: Inserting malicious JavaScript into the header of an otherwise legitimate Web site.
DNS cache poisoning: Hacking a DNS so that it directs people who enter legitimate URLs to the hacker’s malicious Web site.
iFrames: Invisible frames capable of executing malware.
Pharming: Creating an illegitimate copy of a real Web site and redirecting traffic to the phony site to obtain information or download malicious code.
Pretexting: Pretending to be a legitimate entity to lure people to malicious sites.
Toxic blogs: Uploading links to malicious Web sites, or when blogs support HTML or scripts, uploading malicious code or using iFrames.

AMATEUR FORENSICS SYNOPSIS – NOTE – DEFINING TERM USED “ENCAPSULATION” – CLARIFICATION…

This was, of origin, declared an “in the wild threat” by me. The original posts defined that, in detail, blow by blow, and finally easily understood line by line. This began with the incorrect (false positive) and partial “detection” as a trojan of the threat payload, which in reality was a full-blown Conficker-type worm botnet (worst). Part one and two and so on of the highly deceitful payload were an enormous skyscraper-size threat/damage, which in reality to Advanced Users was an ant-size minimal “joke program” threat, with the lethal “kiddie script” added.

Encapsulation, in my best-guess opinion as my “Amateur Forensics”, in two manners caused, first, the trojan false positive and second ALSO got the unknown in-the-wild virus (lethal kiddie script) under the wire, undetected by the other existing real-time antivirus that was in place, running and up to date when the payload hit (while the security suite was in uninstall/renewal state). That (lethal kiddie script) did the registry changes (malicious changes). But it goes a little further – A LOT FURTHER….. Also disguised and delivered were at least one well-known worm and three other viruses which FINALLY were detected by scans before executing. Now, how the hell did that happen? Right, IMPOSSIBLE. So in the real world, although the lethal kiddie script had basically only performed all the result/symptom “blank white pages”, which are the blocking of getting to security sites as well as acting very much like the “Restricted Sites” feature of Windows and the behavior result of a trojan, in the real world the entire payload was disguised (encapsulated) and this was one small part of the whole package. It (lethal kiddie script) ran first and was instantaneous. The worm ran simultaneously but took at least 4 seconds minimum to 6 to delete the several System Restore Points in Windows System Restore, which was now blocked via the malicious registry changes already performed by the “lethal kiddie script”.

“Malicious encapsulation” in computers is simply attempting to put a detectable malicious malware threat inside a package best disguising it and passing it off as safe or okay communication. Or even more simply, like the infamous Unabomber who tragically sent out “mail bombs” to several persons. These got past everyone, appearing as friendly, normal, safe mail packages on the outside, and of course a nightmare was inside.

It is entirely unfathomable to believe that existing real-time protection antivirus in place and running (proactive, not a reactive stand-alone free scanner) and, even a firewall to some extent, did not block (antivirus) or in the least detect (firewall) malicious behavior and/or malicious content of the major part of the payload delivered as the “same-name threat”, that old and well-known worm file called “Explorer.exe”. This is a “same-name threat”, meaning it has the same file process name as one in Windows (or other software), and here Explorer.exe, which of course is Windows Explorer (where you access all files on the computer and the Windows operating system files). And so here we are. An older-than-the-hills recrafted worm introduced with and by an unknown malicious script (lethal kiddie script) that was “encapsulated” to appear as a false positive trojan or downloader trojan. In the very least one must admit there were two malicious mechanisms of deceit: one being the one that caused a false positive to make the package look like a downloader trojan to a well-known antispyware program, and the other that disguised a large enough worm and at least 3 viruses to install without detection. In reality, it could be the same as one mechanism. Like I said, this is my best shot as “Amateur Computer Security Forensics”, this entitling me. LOL.

ALL “ENCAPSULATION” MEANS HERE – IDENTIFIED BY ME – IS AS BEST GUESS AMATEUR FORENSICS THAT ENCAPSULATION CODING WAS USED TO FOOL KNOWN ANTISPYWARE AND WENT UNDETECTED BY ANTIVIRUS PROGRAMS AS UNDER-THE-WIRE DISGUISING – AND PAST TWO EXISTING UNDAMAGED FIREWALLS, ONE BEING WINDOWS XP FIREWALL. GRANTED, COMODO FIREWALL MAY NOT HAVE BEEN FULLY CONFIGURED YET BY ME FOR FULL PORT STEALTH AND RECOMMENDED SECURITY LEVELS. I WAS VERY BUSY, PAST HORRIFIED, MAKING ALL NOTES DURING INVESTIGATION WHILE REPAIRS WERE ONGOING AND AS BEST POSSIBLE, AND AM NOW NOTICING A COUPLE OF DETAILS LIKE THAT WERE NOT NOTED. THIS IS NOT ABOUT A BLAME GAME, SO THAT LINE IS INSIGNIFICANT HERE. WHAT THIS IS – IS THE “ANATOMY OF A BOTNET HIT” – HOW AND WHAT, FOR THE SAKE OF A BETTER HOME SECURITY DEFENSE ON THE AVERAGE PC WORLDWIDE, AND AS WELL TO ANSWER THE QUESTION “WHAT THE HELL DOES A BOTNET DO ONCE INFECTING THE COMPUTER AND HOW THE HELL DOES IT GET THERE IN THE FIRST PLACE?” – THE ANSWER BEING – HERE YOU ARE LOOKING RIGHT AT ONE!

This (encapsulation – computer) is perhaps a fancy way to describe a typical new unknown virus in the wild, OR may even be new coding completely unknown to any conventional malicious script disguising. In the very least, I think it must be agreed that the Comodo Suite Firewall/Antivirus would have CERTAINLY detected the all-too-common, all-too-used malicious “explorer.exe” payload. Perhaps it (Comodo Antivirus) is not even “West Coast Certified” yet, in its infancy even. That’s disastrous, as the famous and top-three worldwide antispyware “Counterspy” has added antivirus that wasn’t (West Coast Certified) and created the “Vipre” suite minus firewall. I have tried Vipre recently (Holidays 2008) and found that out, and as fast as I was reading that I saw they are now certified, I believe. Look it up. I am looking up Comodo Antivirus for certifications. For we students in the College of Hard Knocks: once certified, you are no longer called “crapware” publicly. Once certified, the program is enabled as a contender in the major market, the coveted accomplishment. Certification brings proven factual trust, as opposed to a “false sense of security” – example: one with crapware antivirus telling everyone, being a newbie, “yeah, I am fully protected with my AV”. There are now over 1 million viruses. If the antivirus does not have these signature detection and removal definitions – duh, you are NOT protected.
 
SEE….. ….. …..

West Coast Labs  West Coast Labs (WCL) is one of the world’s leading independent test facilities.
We are a global leader in research, testing and certification for …
www.westcoastlabs.org/

ALSO…..
Process name: Windows Explorer
Product: Windows
Company: Microsoft
File: explorer.exe
Security Rating: 
http://www.neuber.com/taskmanager/process/explorer.exe.html
This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn’t as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.
Note: The explorer.exe file is located in the folder C:\Windows. In other cases, explorer.exe is a virus, spyware, trojan or worm!
Virus with same name:
W32.MyDoom.B – Symantec Corporation
and other…

NOTES: “LETHAL KIDDIE SCRIPT” IS MY TERM AS MEANING THE REAL KIDDIE SCRIPTS THAT WERE AMONG THE ORIGINAL VIRUSES WERE PRODUCED GENERALLY BY YOUNG AGED PERSONS AS A SHOW OFF TO HURT OR BREAK INTO A SYSTEM AS HACKER BUT MORE AS A SHOW OFF OR PROOF OF CONCEPT EVEN. HERE – SAME TYPE OF MALWARE BUT NOW WRITTEN UP TO INTENTIONALLY CAUSE MALICIOUS DAMAGE – “LETHAL”.

SEE…..  terms – malicious code, malicious script, etc.
Malware
From Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Malware

What is script kiddie? – A Word Definition From the Webopedia …  This page describes the term script kiddie and lists other pages on the Web where you can find additional information.
http://webopedia.com/TERM/S/script_kiddie.html

BOTTOM LINE…. This is my first and probably last (maybe first of many?) actual “botnet attack” malware installation I have ever given any Malware Removal Help for – ironically being in my own machine. Best first-hand example for experience, and as Microsoft websites tell you in the malware area webs: ‘don’t get all hung up in where this, that and the other thing, or how and why and so on – but rather concentrate on best effort of full clean removal and just move on’ – …..along those lines. That’s great advice, except for Helpers who need to be on top as much as anyone in IT Security to be credible or trusted.

ENCAPSULATION – GOOD GUYS AND SEE “REAL TIME PROTECTION” AND “HEURISTICS” IN ANTIVIRUS AND ANTISPYWARE AND BEHAVIOR DETECTION…. etc.
 
EXAMPLE:
“System and method for providing exploit protection with message tracking …… determining whether an encapsulation has been applied to an attachment associated with a message and unencapsulating such encapsulated attachment…..”

System and method for providing exploit protection with message tracking – A method and system for providing protection from exploits to devices connected to a network. The system and method include a component for determining whether an encapsulation has been applied to an attachment associated with a message and unencapsulating such encapsulated attachment, and a component that performs at least one decompression …
http://www.patentsurf.net/6,993,660
FULL http://www.patentsurf.net/6,941,478

MORE…..

NOW…. TO ADD TO MY AMATEUR FORENSICS …..

YOU ARE GOING TO SEE ONE OF THE SECRETS OF THIS DARK SIDE OF THE INTERNET CRIMEWARE MALWARE BOTNET HERE…..

IF YOU WILL REMEMBER THE “SHELL” REGISTRY KEYS STRAIGHT ACROSS THE BOARD THAT MADE ALL THE BROWSER AND SHELL WINDOWS DISPLAY BLANK WHITE PAGES….. HERE:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15

SEE…..
Most Recently Used – Wikipedia, the free encyclopedia  Jun 15, 2007 … Most Recently Used (MRU) may refer to: A specific menu in Microsoft Windows, see Common menus in Microsoft Windows; An uncommon method of …
http://en.wikipedia.org/wiki/Most_Recently_Used
http://en.wikipedia.org/wiki/Common_menus_in_Microsoft_Windows

That is a proper key with an additional copycat 14 value key. This corruption / rewrite of the key was extremely odd as kind of seeing doubles. One key, split, both values like seeing doubles of the key itself. SHOTZIE….. BINGO ….. GOTCHA….

HERE IS THE SECRET — THEY ARE USING TEMPORARY FILES, BECAUSE LOOK AT THE KEY, AND EVERYONE SHOULD KNOW THAT “MRU” MEANS “MOST RECENTLY USED”, WHICH ARE TEMPORARY FILES AND CALLED YOUR TRACKS ON THE INTERNET – YOUR PC HISTORY OF NAVIGATION YOU DO NOT WANT CRIMEWARE TO GET AHOLD OF, AND IS WHY EVERYONE SAYS TO USE THE HISTORY CLEAN-UP UTILITIES…. BUT THERE IS MORE…..

THE TEMPORARY FILES OF THIS PAYLOAD HAD THE KIDDIE SCRIPTS TO CREATE LIKE A THREE-DOOR CHOICE FOR FORENSICS AS TO THE FOLLOWING….

IS THE KEY A FABRICATED WINDOWS EXPLORER WEBSITE PAGE DISPLAYING A FAKE PAGE AS SUCH AS THE BLANK WHITE PAGE OF IT – FAKE SHELL ?

IS IT AN ACTUAL SHELL OF LIKE A SOFTWARE CONTROL PANEL FOR EXAMPLE THAT IS FORCED TO DISPLAY JUST THE BLANK WHITE PAGE BECAUSE THIS IS THE DEFAULT OF WINDOWS WHEN SUCH A KEY IS CORRUPTED ?

SO IT MOVES SIMPLY TO ARE THEY A FAKE SHELL EVEN OR ACTUAL AND VARIATIONS ON THE THEME OBVIOUSLY. SO THIS IS NEITHER HERE NOR THERE EXCEPT TO MOVE TO RESTORE THE REGISTRY IS THE ONLY WAY OUT IF THERE ARE THE HANDFULS AND HANDFULS AND HANDFULS OF THESE ENTRIES….

BUT…… HERE IS THE BANG….. YOU DID NOT CONSIDER THIS ….

ARE THEY INJECTED TEMPORARY FILES REGISTRY ENTRIES FROM YOUR TRASH OR THEIRS? IN OTHER WORDS, RETRIEVING THE GRAPHICS IMAGES OF A SHELL WITH —- HERE YOU GO, BINGO —- REGISTRY INJECTION?

IN OTHER WORDS THE KEYS THEMSELVES ARE REGISTRY INJECTION OF CRAP THAT DOES NOT EVEN EXIST AND ARE CAUSING BLANK WHITE PAGES DISPLAY… ACTUALLY THE PAYLOAD JUST MASS INJECTS THE REGISTRY FOR ALL THE AREAS CAUSING THE DENIAL TO SECURITY WEBSITES WITH ANY BROWSER AND WHATEVER ELSE IS THE TARGET SUCH AS MSN CUSTOMERS AS WAS MINE.

IT JUST IS VERY STRANGE THEY WOULD MASS INJECT FALSE KEYS, PARTICULARLY MOST RECENTLY USED (MRU) TEMPORARY HISTORIES.

POINT ? THEY ARE USING MASS REGISTRY INJECTION FOR TEMPORARY FILES RETRIEVAL AND DISPLAY, MANIPULATED BY THE FALSE KEYS.

YOU THINK I DON’T KNOW WHAT I AM TALKING ABOUT ? LOOK HERE AND TELL ME WHY THIS WAS CREATED AND WHY IT HAS SETTINGS TO DELETE ALL TEMPORARY MRU FILES AND KEYS TO BE SET FOR EVERY MINUTE, EVERY FEW MINUTES, EVERY HOUR, EVERY FEW HOURS AND SO ON….. WELL KNOWN POPULAR TRUSTED BEEN AROUND FOR YEARS JavaCoolSoftware.com …..

MRU Blaster
http://www.javacoolsoftware.com/mrublaster.html
Protect your privacy, and keep your PC free from clutter. Find and remove over 30,000 MRU lists. Version: 1.5
 Free for personal & business use. http://www.javacoolsoftware.com/mrublaster.html
MRU-Blaster works on Windows 95, 98, ME, NT, 2000, XP, or Vista.
(Simply put: we need money to pay the bills. If you use MRU-Blaster, and are happy with it, we’d love if you would consider donating.)
http://www.javacoolsoftware.com/mrublaster.html

BUT WHAT IF THE MRUs ARE FAKE REGISTRY INJECTION? YOU SEE? AND HOW THE HELL DO YOU CLEAN THEM UP (DELETE) IF THEY ARE CORRUPTED TOO? SHOOTING BLANKS, THINKING YOU ARE GOOD TO GO… BUT NONETHELESS IT IS RECOMMENDED SOFTWARE, OBVIOUSLY!!! DO IT!! AND ADD ALL TRACKS CLEAN-UP AND RUN THEM CONTINUALLY TO GET RID OF ALL TEMPORARY HISTORY TRACKS….

SEE IT ? THE KEYS ARE FAKE KEYS MASS INJECTED AND NOT REALLY CORRUPTED / CHANGED / RE-WRITTEN KEYS AT ALL ! (POINT – BINGO) SEE IT ? HOW THE HELL IS ANY TRACKS CLEANING SOFTWARE GOING TO GET RID OF THEM ? THEY CAN’T BECAUSE THEY ARE NOT REAL FILES KEYS — GET IT ?

SO FOR THE EXERCISE, WE ARE TALKING HEADS UP TO “REGISTRY MASS FAKE KEYS INJECTION” ….. GET IT ? GOOD.

IT IS ALL OF THE MAGIC OF WINDOWS AT CORE ISSUE….. INDEXING, PREFETCH, ALL THE TEMPORARY INTERNET FILES THAT MAKE WINDOWS SO FAST AND SO GRAPHICALLY VISUAL…. THESE PARTS ARE INDEXED FOR LIGHTNING SPEED AND ALL THEMSELVES ARE CONTINUALLY CREATING TEMPORARY FILES AND LOGS ALL OVER WINDOWS IN THEIR PROPER PLACES….. IN OTHER WORDS, TURNING ALL THESE FEATURES OFF LEAVES YOU IN THE STONE AGE WITH EACH SIMPLE CLICK AND TASK TAKING UP TO 5 MINUTES EACH (dramatized). SO YOU MOVE FROM WINDOWS OR PC, OR FIGHT.
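The BagMRU tree discussed above can be checked for internal consistency offline from a regedit export, which is a more reliable way to spot an extra "copycat" numbered key than eyeballing regedit. The Python script below is an added example, not code from the original post or from any product named on this page. It parses the text that `regedit /e` writes for HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU and checks the bookkeeping Windows keeps in that tree: each key holds numbered binary values ("0", "1", ...), an MRUListEx value listing those numbers as little-endian 32-bit integers ending in 0xFFFFFFFF, and numbered subkeys that mirror the numbered values of their parent. An MRUListEx index with no value behind it, a numbered value missing from MRUListEx, or a subkey such as "15" with no value "15" in its parent is reported. The SAMPLE_REG text is constructed for the example (its item-ID bytes are placeholders, not real shell data), and a reported mismatch is a lead for a closer look, not proof that a key was planted.

```python
"""Structural check of an exported ShellNoRoam\\BagMRU registry tree.

Added example, not part of the original post.  Reads the text produced
by "regedit /e" for the BagMRU key and verifies the bookkeeping Windows
maintains there.  SAMPLE_REG is constructed; its hex item-ID bytes are
placeholders and not real shell data.
"""
import re
import struct

ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU"

HEADER_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<kind>hex|dword):(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: bytes | int}} for hex and dword values.

    Hex data may be wrapped over several lines, each ending in a backslash.
    """
    keys = {}
    current = None
    pending = ""  # logical line being assembled across continuation lines
    for raw in text.splitlines():
        line = raw.strip()
        if pending or line.endswith("\\"):
            pending += line.rstrip("\\")
            if line.endswith("\\"):
                continue
            line, pending = pending, ""
        m = HEADER_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            if m.group("kind") == "hex":
                data = bytes.fromhex(m.group("data").replace(",", ""))
            else:
                data = int(m.group("data"), 16)
            keys[current][m.group("name")] = data
    return keys


def mru_indices(blob):
    """Decode an MRUListEx value: little-endian uint32s up to the 0xFFFFFFFF terminator."""
    out = []
    usable = blob[: len(blob) - len(blob) % 4]
    for (n,) in struct.iter_unpack("<I", usable):
        if n == 0xFFFFFFFF:
            break
        out.append(n)
    return out


def check_bagmru(keys, root=ROOT):
    """Return (key_path, message) pairs for every inconsistency found under root."""
    findings = []
    in_tree = [k for k in keys if k == root or k.startswith(root + "\\")]
    for path in in_tree:
        values = keys[path]
        numbered = {int(n) for n in values if n.isdigit()}
        if isinstance(values.get("MRUListEx"), bytes):
            listed = set(mru_indices(values["MRUListEx"]))
            for n in sorted(listed - numbered):
                findings.append((path, f'MRUListEx points at slot {n} but value "{n}" is missing'))
            for n in sorted(numbered - listed):
                findings.append((path, f'value "{n}" is not listed in MRUListEx (orphan)'))
        # every numbered child key should be backed by the same-numbered value in this key
        for child in in_tree:
            parent, _, leaf = child.rpartition("\\")
            if parent == path and leaf.isdigit() and int(leaf) not in numbered:
                findings.append((child, f'subkey "{leaf}" has no value "{leaf}" in its parent key'))
    return findings


# Constructed export: BagMRU\1 lists a slot that does not exist, and BagMRU\15
# is a numbered subkey with no matching value "15" in the parent.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU]
"0"=hex:14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,00,00
"1"=hex:14,00,1f,58,60,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,00,00
"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff
"NodeSlot"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0]
"0"=hex:2c,00,31,00,00,00,00,00,00,00,00,00,10,00,57,69,6e,64,6f,77,73,\
  00,00,00
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"NodeSlot"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1]
"0"=hex:2c,00,31,00,00,00,00,00,00,00,00,00,10,00,55,73,65,72,73,00,00,00
"MRUListEx"=hex:00,00,00,00,01,00,00,00,ff,ff,ff,ff
"NodeSlot"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15]
"0"=hex:14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,00,00
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
"NodeSlot"=dword:00000004
"""

if __name__ == "__main__":
    for key, msg in check_bagmru(parse_reg(SAMPLE_REG)):
        print(f"{key}\n    {msg}")
```

To run it against a real machine, export the key with regedit (the file is UTF-16 with a byte-order mark, so open it with encoding="utf-16") and pass the text to parse_reg. Two findings come back from the constructed sample: the orphaned index in BagMRU\1 and the unmatched subkey BagMRU\15. A clean Windows profile produces none, so anything reported is worth comparing against a backup of the same hive taken before the incident.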

Security tip for Vista Firewall, others, against Conficker threats (Symantec)…..

April 8, 2009 by bluecollarpc

Security tip for Vista Firewall (or other) against Conficker threats (Symantec)…..
 
SEE:
 
Who Left the Tunnel Door Open (in Windows Firewall for Vista)?
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/windows_vista/article-id/10

REVIEW INFORMATION AND USE SETTINGS TO CLOSE OPEN PORT (FIREWALL)
 
SEE Port 5357 is left open by Microsoft on Vista, and check your PC with Emsi a-squared HiJackFree http://www.hijackfree.com/en/ (genuine freeware, no catches)…. it shows all ports and what’s communicating out and back. Depending on the brand of firewall, go to port settings; some may have automatic settings – make sure. Why is this important…. well, take a look at the damage from one or any variants or cousins of Conficker I suffered first hand, and which is making me almost expert on these worst imagined and created threats from the worst cyber criminal gangs you can envision HERE:
SEE: Pseudo 14 Teredo Trojan Botnet Attack
http://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/ ….
AND ALSO: Logs: Botnet Attack – Denial Of Service, Catastrophic damage, MSN.com subscribers targeted
http://tech.groups.yahoo.com/group/BlueCollarPC/message/2450
 
In a nutshell, this payload deletes all System Restore Points and disables access to System Restore. It changes the registry in manipulation to block any browser from going to any of the top popular security sites for antivirus and antispyware. It blocks Windows Updates shortcuts in the computer and any browser from accessing them at the Microsoft site. It also wipes browser identity and DNS identity and internet connectivity, virtually destroying your ISP account with no connectivity; you can not get internet access ever again unless the botnet is successful in spoofing the information and then regaining connectivity, but you are now in the botnet: spoofing in all false information and hijacking the connection, now immersing it into the criminal botnet with a “phantom browser” (no ID). On MSN.com it blocks all access to all Customer Accounts and Settings, leaving only the email client (actually the MSN Browser is the email client, about the only HTML email in the world built into the browser). It booby-traps many Help Files with viruses that execute upon opening. Windows > Search is rendered inaccessible. Google Pack is inaccessible to download free versions of Norton and PC Tools Spyware Doctor. It prevents new security suite software from being installed by blocking the firewall part of the suite from installing. It can disable existing antivirus updates. This walked right through the finest firewall known to man/woman kind, Comodo, which for several years in all known tests has consistently been rated as best against intrusions: penetration and leak tests. Rated virtually best. Trend Micro Internet Security 2009, just after the 2008 version which won top awards in the VB100 Award, the top coveted prize of the entire world industry of antivirus, beating the next 28 products (Norton, Kaspersky, NOD32, etc.): it stopped it dead in its tracks at the firewall part install and rendered installation inoperative. Did you just read that? It walked through Comodo like it wasn’t even there! What stopped this?
Windows XP Firewall….”last man standing” but after connectivity was already destroyed by the DNS information on the PC wiped.
 
I got out of this with three clicks – Detachable Hard Drive (all files) Click (1) Restore. Uniblue Registry software Click (2) Restore Registry. Uniblue SpeedUpMyPC has a Click (3) Restore Network….. Trend Micro has this inboard as well. Never got there …. Do Not Let This Happen to your Vista! Good luck… Webmaster www.BlueCollarPC.Net …. “For what it’s Worth….”
 
FUD? Bull…. When you read the Symantec write-up and fix above at top you will immediately think – my god, Microsoft turned us all over to the Russian/terrorist cyber criminal gangs with Port 5357 wide open and exposing all. Good luck. Again – the ONLY reason right now my XP ’puter is not in a zombie network (malware botnet such as the Conficker Worm Botnet) is Windows XP Firewall. They have to get to IPv4 and IPv6 and they have to destroy the firewall to do it. Good Luck…. I am out of here…..
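To check for the open port the post refers to without a third-party tool, the following Python script is an added example (not from the original post or the Symantec article). It parses the output of `netstat -ano` as Windows prints it and reports every TCP listener or bound UDP socket on the ports the Vista network-discovery features use: 5357/TCP and 5358/TCP for WSDAPI, the Web Services on Devices host, and 3702/UDP for WS-Discovery. The SAMPLE_NETSTAT text is constructed for the example, and the port list is an assumption to adjust to the machine in front of you.

```python
"""Report listeners on Windows network-discovery ports from netstat output.

Added example, not part of the original post.  Parses the text that
"netstat -ano" prints on Windows: TCP rows carry a State column, UDP
rows do not, and IPv6 addresses are bracketed.  SAMPLE_NETSTAT is
constructed; WATCH_PORTS is an assumption for this example.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto family addr port state pid")

# Ports that deserve a second look on a home machine (assumption; extend as needed).
WATCH_PORTS = {
    ("TCP", 5357): "WSDAPI (Web Services on Devices), HTTP",
    ("TCP", 5358): "WSDAPI (Web Services on Devices), HTTPS",
    ("UDP", 3702): "WS-Discovery multicast",
}

# proto, local endpoint, foreign endpoint, optional state (TCP only), PID
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """Split '0.0.0.0:5357' or '[::]:5357' into (family, address, port)."""
    addr, _, port = endpoint.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        return "v6", addr[1:-1], int(port)
    return "v4", addr, int(port)


def parse_netstat(text):
    """Return a Socket for every TCP/UDP row in netstat -ano output."""
    sockets = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, local, _foreign, state, pid = m.groups()
        family, addr, port = split_endpoint(local)
        sockets.append(Socket(proto, family, addr, port, state or "", int(pid)))
    return sockets


def exposed_sockets(sockets):
    """Watched-port sockets that are reachable: TCP in LISTENING state, or any UDP bind."""
    hits = []
    for s in sockets:
        if (s.proto, s.port) not in WATCH_PORTS:
            continue
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # an established 5357 connection is not a listener
        hits.append(s)
    return hits


# Constructed sample; 203.0.113.10 is a documentation address, not a real peer.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5357         127.0.0.1:49211        ESTABLISHED     4
  TCP    192.168.1.5:49220      203.0.113.10:80        ESTABLISHED     2044
  TCP    [::]:5357              [::]:0                 LISTENING       4
  UDP    0.0.0.0:3702           *:*                                    1260
  UDP    [::]:3702              *:*                                    1260
  UDP    [::]:58320             *:*                                    1260
"""

if __name__ == "__main__":
    for s in exposed_sockets(parse_netstat(SAMPLE_NETSTAT)):
        why = WATCH_PORTS[(s.proto, s.port)]
        print(f"{s.proto} {s.family} {s.addr}:{s.port} pid={s.pid}  {why}")
```

On a real machine, pipe `netstat -ano` into the script (on Vista, `netstat -anob` from an elevated prompt also prints the owning executable). A listener bound to 0.0.0.0 or [::] is reachable from every interface only if the firewall profile lets the traffic in, so the fix is at the firewall rather than at the socket: from an elevated prompt, `netsh advfirewall firewall add rule name="Block WSDAPI 5357" dir=in action=block protocol=TCP localport=5357` blocks the port on Vista's firewall, and `netsh interface teredo set state disabled` turns off the Teredo interface the Symantec post is about. These are the standard netsh commands, not steps from the post; netstat will still show the socket as LISTENING after the rule is added, so confirm the effect with a port scan from another host.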
 
 
#####BlueCollarPC.Net Memberships: #####
BlueCollarPC.Net Website Help Group
http://www.bluecollarpc.net/joingroup.html
BlueCollarPC.Net Forums
http://bluecollarpc.net/smf/index.php
BlueCollarPC Yahoo Group
http://tech.groups.yahoo.com/group/BlueCollarPC/
Live Chat Room: (3)
http://bluecollarpc.net/phpmychat/
BlueCollarPC.Net WebLog
http://bluecollarpc.net/wordpress/
Spy-Lerts Mail Lists
http://www.bluecollarpc.net/spy-lerts.html
RSS: http://bluecollarpc.net/wordpress/?feed=rss2
(We have same-content type groups and lists at our .Org site)
Dial Up Friendly http://www.bluecollarpc.org/

Restoring false positive threat from Quarantine, Safe Mode dangers

April 3, 2009 by bluecollarpc
 
When one gets what is apparently a false positive – general Safe Practices are to leave it in quarantine and submit it to the company that detected it with any information showing it is a false positive – simply; technical elaboration is not necessary. Say you have some cool program .exe and it gets detected as a spyware installation – you simply submit back “no, this is my media player jukebox (example) I installed – it is not spyware and here are the files I show….”. When they go through things and discover indeed there was a valid situation such as this mistaken as a threat, and for what reasons – they will correct the false positive in a new set of latest definitions download/install. This could take up to a month, and note we are not talking here where there has been found spyware or adware bundled in a download. Also note there are same-name threats that have the same file names as valid software/processes – but in all traditional sense a false positive is referred to as detecting a valid known legitimate software, or part therein, as a threat by mistake. It is generally some muff up in definitions that is correctable upon investigation by the security software company.
 
Now that only works in spyware category threats – NOT ANTIVIRUS INSTANCES! What you would do if you did not hear back personally from the company is then wait until at least 1 to 4 weeks of new definitions (which are way less frequent than antivirus) and click Restore and immediately scan again with the new definitions. (BUT read on about the dangers of that!). If it did not detect again as before – then no doubt corrective definitions were issued. If it does, and you know it is a false positive by checking your files and registry keys – then the best you can do is either whitelist it, try other quality security products or some free stand alone scanners to match results and then either whitelist or delete it according to results. Now that means if more than one reputable antispyware is telling you the item is malware, then you are probably wrong and they are right. However, you should double check things by location: the location where the antispyware says it found something versus where what you think or know is valid normally lives. Most basic is that all the software you install creates its files in a new folder it creates in Windows / Program Files. This is the tip. If the antispyware shows the threat in some obscure place or where it is not supposed to be – it may well be a file/process from either something valid or, usually, is indeed a found malware. You must check location to verify correct files/processes in their correct places.
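The location check above, as an added example that is not code from the BlueCollarPC post: it takes the path an antispyware product reported, classifies it against the folders where installed software normally lives versus the temp and profile folders where dropped files usually turn up, and adds the two checks a practitioner wants before deciding about Restore: whether the file carries a valid Authenticode signature, and its SHA-256 hash for the vendor's false-positive submission. It assumes Windows PowerShell 3.0 or later; the two sample paths at the bottom are constructed and stand for no real detection.

```powershell
# Added example, not code from the BlueCollarPC post. Triage a file that an
# antispyware product flagged before deciding whether to restore it.
# Assumes Windows PowerShell 3.0 or later. The sample paths at the bottom are constructed.

function Test-DetectedFile {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Path)

    $exists = Test-Path -LiteralPath $Path -PathType Leaf

    # Where legitimately installed software normally lives.
    $expectedRoots = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64')
    ) | Where-Object { $_ }

    # Where a dropped payload commonly turns up and an installed program does not.
    $suspiciousRoots = @(
        $env:TEMP,
        (Join-Path $env:SystemRoot 'Temp'),
        $env:APPDATA,
        $env:LOCALAPPDATA,
        (Join-Path $env:SystemDrive 'Users\Public')
    ) | Where-Object { $_ }

    $inExpected   = [bool]($expectedRoots   | Where-Object { $Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    $inSuspicious = [bool]($suspiciousRoots | Where-Object { $Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

    $sha256 = $null; $signature = $null; $company = $null
    if ($exists) {
        # SHA-256 via .NET so the same code works on older PowerShell versions.
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $bytes  = [System.IO.File]::ReadAllBytes($Path)
        $sha256 = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
        # Status is Valid, NotSigned, HashMismatch, UnknownError, ... (SignatureStatus enum).
        $signature = (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
        $company   = (Get-Item -LiteralPath $Path).VersionInfo.CompanyName
    }

    $verdict = if (-not $exists) { 'Not on disk (still quarantined?): leave it there and send the vendor the details' }
               elseif ($signature -eq 'Valid' -and $inExpected) { 'Signed file in a normal install location: likely false positive, submit for review' }
               elseif ($signature -eq 'Valid') { 'Signed but outside a normal install location: confirm the signer is the vendor you expect' }
               elseif ($inSuspicious) { 'Unsigned file in a temp or profile folder: treat as malware until the vendor says otherwise' }
               else { 'Unsigned file outside a normal install location: get a second-opinion scan before restoring' }

    [PSCustomObject]@{
        Path               = $Path
        Exists             = $exists
        Sha256             = $sha256
        Signature          = $signature
        Company            = $company
        ExpectedLocation   = $inExpected
        SuspiciousLocation = $inSuspicious
        Verdict            = $verdict
    }
}

# Constructed sample paths: the first is where an installed program belongs, the second is
# the kind of temp-folder drop the "obscure place" warning above is about.
Test-DetectedFile -Path 'C:\Program Files\ExampleJukebox\jukebox.exe' | Format-List
Test-DetectedFile -Path (Join-Path $env:TEMP 'dropped.exe') | Format-List
```

The verdict text only ranks the evidence; the decision rule from the paragraph still stands: if a second reputable scanner agrees with the first, the scanner is probably right, and a signed binary in Program Files is the strongest single sign that it is not.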
 
You need to know that antivirus and antispyware programs protect themselves against scan intrusions. If one program has a Quarantined item – others cannot scan that as a double check from another antispyware program. Think of the security software as cops patrolling for criminals. The quarantined criminal is like in jail and the patrol is told “move along – this one is in jail”. Conflicts can occur in this very instance and this is one of the reasons why you hear all the hoopla about NOT using multiple shareware antispyware or antivirus programs as they may conflict and even cause corruption to one another (antivirus, antispyware) rendering one or both inoperable – aside from the serious memory consumption this will run up in the real time detection processes running as part of them – another story (reduces to a crawl or frozen). Now, here is where quality software comes into play as they are to be secure, disallowing such intrusions silently without corruption. A couple of years ago I was shocked that shareware Webroot on a PC was corrupted partially by Superantispyware free home scanner. The quality security software (antivirus and antispyware) are made so that this does not happen. The intrusion by one into the other at “sniffing” the process/file in the other’s quarantine folder or some log record within – is not supposed to happen. Neither should one zap the other as some threat intrusion. It should all be silently dismissed on both sides. Of course the best area I have seen with this is with Symantec Norton Antivirus which I have noticed over the years as superb here and best. Never heard a peep or corruption. Best.
 
Now these Safe Practices apply ONLY with antispyware products. You hit Restore or whitelist a worm or virus (antivirus category threats) – you just suffered catastrophic damage no doubt and may have just destroyed your PC. With spyware, if it is the culprit and you have restored it for a re-scan, then the worst is it could introduce some instability, but you realize too if it is the culprit it may have full capability of transmitting everything you see and type back to cyber criminals, so that you certainly do nothing else until scans finish. BUT again this only applies if you are like low profile, like not having valuable sensitive documents and so on or running a home business even, or doing any type of financial things with files, records and so on – because in hitting Restore for re-scan, if the reported threat was indeed a spyware installation – then you have just compromised all that protection of the Quarantine. Worst is that most lethal type spyware installations can be very violent with the system in performing these spying tasks – and when active and transmitting may suddenly perform mini dumps of information to hide tracks and suddenly reboot the computer and then perform more – start eating up memory and bogging down the system so that it almost becomes impossible to complete a full scan, wrestling with it even for hours and days.
 
Solution…. this is when and why you are directed to reboot the computer into Safe Mode and perform your security scans. Rebooting Windows into the diagnostic Safe Mode only allows a basic start up of services and is for performing security scans because it will not allow any running processes or programs to run – and stops such an installation (threat processes) from running. If and when detected, it can safely be removed, not having any running processes, which in Normal Mode Windows will generally not allow to be deleted / uninstalled because running processes generally involve even several system processes and these could be corrupted / damaged, which is why the single running process (here the suspect threat) needs to be stopped first before Windows will allow it to be deleted or uninstalled. This is why Safe Mode is used when normal scanning and removing threats will not work and you may generally get some message like “cannot remove threat” or something similar. HOWEVER read on to the recent evolved threats whereby they do indeed destroy now even using Safe Mode. That’s the ballgame; move on to re-installing Windows to factory fresh. TIP – if you are involved in any really warned bad threat and generally a very severe worm and/or virus I would recommend not to dare attempt Safe Mode. You may end up not even recognizing where in the hell you are on a reboot or may even never reboot (uh-oh). This is what happened to my only devastation ever experienced which was from a massive malware payload very much like the warnings of the potential destruction by the current Conficker Worm botnet or worse.
 
Things are getting hairy and hairier. I just read up on Conficker at Symantec and these types of threat may also contain blocking of using Safe Mode. OMG (oh my god / gosh). This is what is meant if you see a Security Community publication around talking about today’s threats becoming more and more dangerous. Or threats evolving rapidly, worse and worse and more deadly.
 
I guess through it all, this lends credence to persons who just say heck with it and opt to simply re-install Windows, wiping everything clean first and reinstalling. End of story. Threats have never in the history of the internet actually broken through to be able to delete System Restore Points and block using Safe Mode, being part of Windows inboard diagnostic modes – or perhaps cyber crime was not thinking that way at those times past. So in closing, read up here where I am posting this catastrophic destruction suffered at the hand of a virtually successful massive botnet attack which was miraculously hidden in a fake trojan detection. Apparently a kiddie script virus disguised itself as a trojan – BUT had the associated botnet payload in associated temporary files in quarantine with the actual falsely detected trojan which didn’t even exist. Safe Practices on a False Positive? I did not do that, being in a hurry. It showed at least 4 to 5 registry keys with “teredo” in them and identified, of about the 15 item installation (files and keys), that it was a trojan package and had several temporary files associated, unobserved. Since that area (teredo) is too highly sensitive for your ISP Account even itself, or messing up your entire broadband and router set up and so on, and there were none of the registry keys it said it found in my computer — this is why I went ahead and said ya ya ya to the false positive and clicked Restore (and which was all she wrote). This is another degree from the College of Hard Knocks – there is no such thing as System Restore or Safe Mode any longer as we know it in today’s most lethal threats, and this will grow and spread most likely as a standard add-on to ALL threats as fast as it spreads across the cyber criminal underground no doubt. Forget it. Like I said, www.BlueCollarPC.Net is promoting the year of 2009 as the Year of Back Up… back up, back up, back up everything and the Windows System itself.
Get busy and shop for how to do this and with what, and be prepared for a sobering project and don’t skimp! I know it is Recession 2009 so – TIP – simply Go To > Start (lower left) > Run > type in regedit > Windows Registry opens > click Export > to My Documents or wherever safe > wait a few minutes until done. With the entire Registry in a file you can now click it to automatically restore the registry. This will take several minutes to complete and DON’T DARE TOUCH ANYTHING UNTIL DONE!!!! This is performing basically a Restore operation of the Registry like when you buy a quality Registry Cleaner that has the restore feature. Cheap ones don’t have that, today’s quality ones do. Note that as often as you would set a Restore Point is how often you would Export (copy contents to a file) the Registry. In other words this is NOT a one time deal. You install / remove software, then you must update by deleting the old export and performing another. This is all generally 10 minutes.
 
THE STORY
BLOG:
Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack
By bluecollarpc
http://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/
I guess a good name for this one is “Death Of A Sails man” ….. in referring to all the fun years on my Windows XP Home Edition Personal Computer. Sailing, surfing – you get it.
HELP FORUM:
Botnet Attack-Denial Of Service, Catastrophic damage, MSN.com subscribers targeted
http://bluecollarpc.net/smf/index.php?topic=346.0
HELP GROUP:
Logs: Botnet Attack-Denial Of Service, Catastrophic damage, MSN.com subscribers targeted
http://tech.groups.yahoo.com/group/BlueCollarPC/message/2450

Conficker Worm Targets Microsoft Windows Systems – Overblown?

March 30, 2009 by bluecollarpc

US-CERT – Conficker Worm Targets Microsoft Windows Systems (FOLLOW UP)….. See Conficker warnings

This was a total surprise and from such the source ! ….

April Fool’s Conficker Threat is Likely Hype
There’s some serious FUD out there right now about what the Conficker worm will do on April 1. But according to those in the know, you probably don’t have to worry. Read full story….
http://www.networkworld.com/news/2009/032709-april-fools-conficker-threat-ishtml?nlhtsec=ts_033009&nladname=033009securityal
[ FUD ? > Fear, uncertainty and doubt - Wikipedia, the free encyclopedia  Fear, uncertainty and doubt (FUD) is a tactic of rhetoric and fallacy used in sales, marketing, public relations, [1] [2] politics and propaganda. … http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt ]

The above article is a great surprise from this domain. As was mentioned, Microsoft and the entire security industry are watching this one that has such a massive payload. It is not just the worm but the additions in the payload including kiddie scripts made lethal and spyware category threats. By the exact nature of what has been found out and published is that the major concern is the hijacking of PCs and enslaved in a very large malware botnet, or slang – “zombie network”. (google it). These then, besides all the individual ID Thefts of the individual PC users, are amassed to commit Denial Of Service Attacks for Extortion of companies and corporations.

This is not FUD as I personally have just been hit by one of these on my XP machine. It is such a massive payload and that can even be crafted for spear phishing. This Conficker threat has all the abilities of the threat I was hit with that includes in the worm the ability to delete all Restore Points in Windows System Restore. The “kiddie script” (here meaning the lesser threat involved actually and turned lethal – past proof of concept messing around) then re-writes Windows Registry entries to deny access to System Restore and actual security websites URLs (website address) and a lot more such as I was targeted as an MSN.com customer and these areas were made inaccessible by this corruption and a handful of others.

It is not just the Conficker worm – but this threat as now named and its entire payload that is the rest of the story. In my case, actually PC Tools Spyware Doctor themselves were used as dummies or “packet punks” which detected a teredo area trojan – but as a false threat. The “kiddie script” in the payload had changed registry entries from 15 to 14 in many “ShellNoRoam” areas of the Registry which then by behavior made it appear as a trojan when in reality it was the malware script kiddie script damage to the registry which appeared as the strong arm hold of a typical potent trojan and that way fooled PC Tools. I wrote a Blog Entry….
Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack
January 28, 2009 by bluecollarpc
http://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/
“I guess a good name for this one is “Death Of A Sails man” ….. in referring to all the fun years on my Windows XP Home Edition Personal Computer. Sailing, surfing – you get it.”

Forgive me for the expounding – but I just know there are going to be perhaps thousands and yes even millions of PCs that are going to be destroyed unless they are protected. Too many people claim it is all FUD and are feeding into the cyber crime with these attitudes that actually aid cyber crime by the “clients” playing Ostrich. Saturation is the only way to reach everyone on the Net and with good information. There is no such thing as FUD anymore and that term is archaic and goes back to years 2002, 2003, 2004 actually during the security software boom in the XP Years.

BUT SAID ALL THAT TO SAY THIS…..
One of the greatest assets is Vista and IPv6 in computing security. This is the teredo area that crimeware tunnels in through. Below is a current article. This is the area that “bot herders” are looking for entry in the rest of the payload which includes DNS poisoning and hijacking of the broadband connection and to avoid detection by the ISP and the Law. Vista and many use IPv6 which is new after IPv4 in the XP Years. When these “tunnel rats” come in on IPv6 they are sticking out like a sore thumb. So the security is to deal through IPv6 connectivity in that sense. IPv6 not being “backwards compatible” has been one of the greatest assets in new security computing actually in Vista, as XP and IPv4 are their wasteland (crimeware and cyber crime – viruses, worms, trojans, spyware used to perform illegal activities – crimeware).

ARTICLE
Biggest mistake for IPv6: It’s not backwards compatible, developers admit
Network World , 03/25/2009
http://www.networkworld.com/news/2009/032509-ipv6-mistake.html?t51hb&nlhtsec=mr_033009&nladname=033009securityal

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed.
Symantec has a detailed technical analysis of the threat here.

What does the Conficker worm do?

We don’t know the purpose of the Conficker worm. Today the worm has created an infrastructure that the creators of the worm can use to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.
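The symptom list and the behaviour summary above (disabled services, deleted restore points, blocked security sites), plus the Safe Mode blocking mentioned earlier in the page, turned into a check a defender can run on a box that is suspected of infection. This is an added example and not code from Microsoft, Symantec or the BlueCollarPC post. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the service names are the standard Windows ones (wuauserv = Automatic Updates, BITS, WinDefend = Windows Defender, ERSvc and WerSvc = Error Reporting on XP and on Vista and later), and the host names used for the DNS test are this example's own picks, with a non-security site used as a control so that "offline" is not mistaken for "blocked".

```powershell
# Added example, not code from Microsoft, Symantec or the BlueCollarPC post. Checks a
# Windows machine for the symptoms described on this page. Assumes Windows PowerShell 2.0+
# in an elevated prompt. Host names in the parameters are this example's own choices.

function Test-ConfickerSymptoms {
    param(
        [string[]]$SecuritySites = @('update.microsoft.com', 'www.symantec.com', 'www.trendmicro.com'),
        [string]$ControlSite = 'www.networkworld.com'   # a non-security name used as the control
    )
    $findings = @()

    # 1. Services the symptom list says get disabled (standard Windows service names).
    $services = @{
        'wuauserv'  = 'Automatic Updates'
        'BITS'      = 'Background Intelligent Transfer Service'
        'WinDefend' = 'Windows Defender'
        'ERSvc'     = 'Error Reporting Service (XP)'
        'WerSvc'    = 'Windows Error Reporting Service (Vista and later)'
    }
    foreach ($name in $services.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -and $svc.StartMode -eq 'Disabled') {
            $findings += "Service $name ($($services[$name])) is set to Disabled"
        }
    }

    # 2. System Restore: switched off by policy, or no restore points left at all.
    $sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    if ((Test-Path $sr) -and ((Get-ItemProperty $sr).DisableSR -eq 1)) {
        $findings += 'System Restore is disabled by policy (DisableSR = 1)'
    }
    $points = @(Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction SilentlyContinue)
    if ($points.Count -eq 0) { $findings += 'No System Restore points exist' }

    # 3. Safe Mode: the SafeBoot keys list what is allowed to load in Safe Mode; if a threat
    #    has removed them, the machine can no longer boot into Safe Mode.
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $key) -or @(Get-ChildItem $key).Count -eq 0) {
            $findings += "SafeBoot\$mode key is missing or empty: Safe Mode ($mode) will not start"
        }
    }

    # 4. Name resolution for security vendors, compared against the control name.
    $resolves = { param($h) try { [void][System.Net.Dns]::GetHostAddresses($h); $true } catch { $false } }
    if (& $resolves $ControlSite) {
        foreach ($site in $SecuritySites) {
            if (-not (& $resolves $site)) {
                $findings += "DNS lookup for $site fails while $ControlSite resolves"
            }
        }
    } else {
        $findings += "Control name $ControlSite does not resolve: machine is offline or DNS is broken entirely"
    }

    New-Object PSObject -Property @{
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

Test-ConfickerSymptoms | Format-List
```

None of these findings is proof on its own (an administrator may have disabled Defender deliberately, a fresh install has no restore points), but two or more together on a machine nobody has been reconfiguring is the pattern the symptom list describes, and the output is a good thing to have in hand before running any of the removal tools listed further down.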

My bottom line is I hope anyone and everyone that heard anything about this does indeed move to immediately install security software in full force – which is also needed to defend one’s self. You see it is the rest of the payload and this one is as massive as the one I am describing – and that includes worm, virus, and most likely trojan and spyware. It is as a corporate “blended threat” that is hitting people and is the exact nature of Conficker as well. This is like a bunch of kids got hold of a botnet and are using it to commit a simple ID Theft to max out someone’s credit card. I am sorry, but that is what the average person is getting hit with here. And just think of all the new PCs everyone got on Christmas and the new Owners are brand new to the world wide web – in the real world a cyber crime ghetto. As if all that isn’t bad enough – did I mention the other threat in these? They are called Rootkits (malware) which have the ability to hide and install malware at will and are the worst threat, and consider that the most lethal strong arm Downloader Trojans are nothing more than the poor man’s rootkit in malware. There was the big fight called “Vista Bashing” which is prohibited as dangerous information and practices advised in it whereby one of their biggest FUDs to throw on the people was calling UAC Vista User Account Control Micro$oft idiocracy. The security industry has published Vista’s Secret…. and that is that UAC detects ALL rootkits and disallows them from running, beating your best names – Symantec Norton, Kaspersky, NOD32, AVG, and ALL other rootkit detection software. They (the security industry world labs) could not even get a rootkit to run on Vista. When they disabled, turned off, UAC – they could only get 4 rootkits to try to run of all known in the world. STILL WANT TO TURN OFF VISTA UAC? Don’t be a fool and listen to FUD people screaming “scam, scam, scam…. all anti-malware products are a scam…”.

MORE READING….
Vista User Account Control gets perfect score – rootkits – use disabling tweaks ?
Warning: Why you should not use a ‘tweaking UAC’ software utility
Vista Bashing ? READ this NOW !
BTW (webmaster www.BlueCollarPC.Net )…. by the way, I am just an average consumer that became an Advanced User on Windows since 2001. When they say to pay attention and do a little homework – this is what is meant. In doing so, I was able to declare the threat I expounded on (like Conficker, close twin using Explorer.exe same name threat) as an “in the wild threat” to bring in compliant Law agencies and the security industry to investigate. It was designed as a Denial Of Service Attack against MSN Customers and specifically against those therein that did not have Windows Updates on Automatic and had not downloaded and installed the latest Windows zero day patch. However, the payload itself was re-crafted threats to perform this – not really variants. Since the threat disabled Trend Micro Internet 2008 Suite firewall and prevented it from installing and was attempting to rifle the computer into a malware botnet and through IPv4 with first connectivity destruction and prevention and then hijacked connectivity – the only last thing that saved all that was the Windows XP Firewall. That little old firewall Microsoft offered for free to the public and now Windows Vista Firewall and probably DEP technologies helped no doubt as testament to such a destructive attempt. In other words, the last “man standing” was the Windows XP Firewall and stopped the botherder or botmaster or botlord dead in their tracks as far as broadband connectivity hijacking. This is the IPv4 teredo area. This is what “Russian Gangs” as bot herders are tunneling in. “Tunnel rats”. Below is some information from Symantec about the Conficker threat that is eerily very similar to what I was hit with. This is a top threat and I know there are all us XP Diehards out here that went all through this in the XP Years – but here is a top threat as much as “evil” can imagine…. it is their best shot. Everything I was opening were blank white pages everywhere. Logs had been deleted.
Internet Explorer ID was wiped. Various Help Files were infected with viruses, others deleted. System Restore Points were deleted by the worm. System Restore was a blank white page. Internet Explorer was a blank white page. MSN Browser was a blank white page. MSN Settings – a blank white page. Security software website addresses returned blank white pages in both Internet Explorer AND Firefox. Windows Updates website and shortcuts returned blank white pages. Control Panel Users – blank white page. All inaccessible. This was what fooled PC Tools Spyware Doctor into giving the False Positive for a teredo area trojan when in fact it was a kiddie script virus and was the cause of destruction in clicking “Restore”. In other words, though PC Tools Spyware Doctor is indeed not made to detect other than spyware category threats such as antivirus category threats – it did mistakenly define the payload partially actually as a teredo trojan. This trojan did not appear anywhere in the computer system and files – as was diligently searched for and did not exist and therefore PC Tools was apparently detecting legitimate system and software files as malware – is the general reaction to that incidence. I was in a hurry and renewing security software subscriptions and trying some of the others again after a few years and when I hit Restore on the PC Tools trojan false positive – that was all she wrote (destruction) as it also had a slew of temporary files associated with it that was the actual payload. THIS I admit was “User Error” – fatal. Safe practices were to leave the suspected threat in Quarantine and give the company up to 30 days to correct the false positive and also notify them of things. Or more simply – if you had normal quality real time protection security in place – you can simply hit Restore, being protected, on an inferior security software false positive. I mean where is it going to go. It gets dead banged by the quality security software. 
All security products are called “quality products” in getting actual perfect scores or best in prevention and detection and with virtually NO false positives. Here we are again. I said that years ago that all others than Trend Micro Antispyware and Webroot Spysweeper are NOT in the same ballpark – period. This proved my point with PC Tools again after the last personal testing I did on it several years ago now. They produced too many false positives then and now are pretty much the cause of this destruction because of that. I DO NOT call them quality software because of that and neither does anyone in the independent world labs. Trend Micro Internet 2008 suite achieved perfect scores with no false positives beating the top 28 world products including Norton, Kaspersky, NOD32, Sophos and all the rest. These are the biggest names in security software and top products. This is what is called professionally and by users “quality security software”. It may indeed be that I was “spear phished” and caught in the middle of a DOS extortion plot against Trend Micro. The level of expertise in this payload defines the threat as top knowledge in the cyber crime underground. On behalf of XP users – I am not afraid of you (botnets) anymore – “Who’s Afraid of Virginia Woolf?” – and welcome to Vista! You took your best shot and were defined as an in the wild threat within 57 minutes legally by yours truly.
CHECK LIST….
# Turn on Windows Updates Automatic and run Windows Updates and apply all critical security updates (there was a patch issued)
# Install, update firewall, antivirus, antispyware (with real time protection or worthless)
# Install these…
Conficker / Downadup Scanner Removers – Microsoft, McAfee, F-Secure…
Microsoft Malicious Software Removal Tool:
http://mscom-dlcecn.vo.llnwd.net/download/4/A/A/4AA524C6-239D-47FF-860B-5B397199CBF8/windows-kb890830-v2.6.exe
F-Secure removal utility ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip
McAfee’s removal tool http://67.97.80.71/vil/conficker_stinger/Stinger_Coficker.exe
- McAfee just released this Stinger build today, and says it will update it on a daily basis to include new Conficker variants.
TIP: Poor man solution…. Export your Windows Registry into a file into like My Documents. When you double click that – it will re-write the entire Registry from that moment in time. Otherwise you will DEFINITELY need to take the PC to a Repair Shop or re-install Windows yourself (not much of a learning curve) if you get hit by these exact type lethal crimewares. Your PC would be left without navigation basically or even connectivity itself. This threat was destroyed and virtually all restored by a simple run of Restore Files from a detachable USB Plug and Play hard drive and a Registry Clean Up Software (Uniblue surprisingly) that includes the vital necessary Restore feature of the system restore point set in the program of the Registry. To Mr.14….. watch the plasma burns LOL
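The registry export tip here and in the "Year of Back Up" paragraph earlier, as an added example that is not code from the BlueCollarPC post: the same Export step done from PowerShell so it can be re-run after every install or removal, keeping dated copies and creating a System Restore point at the same time. It assumes Windows PowerShell 2.0 or later run from an elevated prompt (exporting HKLM and calling Checkpoint-Computer need it); the backup folder and the 30-day retention are this example's own choices. Two caveats a practitioner wants stated: reg.exe can only export the keys the running system lets it read, and a later `reg import` merges values back in but never deletes keys added after the export, so the .reg file puts back altered or deleted values rather than rolling the whole registry back; the restore point is what Windows can actually restore whole.

```powershell
# Added example, not code from the BlueCollarPC post. The regedit > Export tip done from
# PowerShell, with dated per-hive copies, retention, and a System Restore point.
# Assumes Windows PowerShell 2.0+ in an elevated prompt. $BackupDir and $KeepDays are
# this example's own choices.

function Backup-RegistryHives {
    param(
        [string]$BackupDir = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'RegistryBackups'),
        [int]$KeepDays = 30
    )
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    # One .reg file per hive rather than a single "whole registry" export: reg.exe writes
    # only the keys the running system lets it read, and a per-hive file is what you can
    # feed back to "reg import" later.
    $hives   = 'HKLM\SOFTWARE', 'HKLM\SYSTEM', 'HKCU'
    $written = @()
    foreach ($hive in $hives) {
        $file = Join-Path $BackupDir ('{0}-{1}.reg' -f $stamp, ($hive -replace '[\\:]', '_'))
        & reg.exe export $hive $file | Out-Null
        if ($LASTEXITCODE -eq 0) { $written += $file }
        else { Write-Warning "Export of $hive failed (reg.exe exit code $LASTEXITCODE)" }
    }

    # Keep the folder from growing forever: drop exports older than the retention window.
    Get-ChildItem -LiteralPath $BackupDir -Filter '*.reg' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Force

    # A restore point snapshots the hives in a form Windows can put back whole, which a
    # .reg import cannot do (it merges values and never deletes keys added since the export).
    try { Checkpoint-Computer -Description "Registry backup $stamp" -RestorePointType MODIFY_SETTINGS }
    catch { Write-Warning "Restore point not created: $($_.Exception.Message)" }

    $written   # paths of the .reg files just written
}

Backup-RegistryHives
```

Run it whenever you would otherwise set a Restore Point, as the text says. To put a hive's values back, run `reg import <file>` from an elevated prompt; expect it to report access-denied on keys the system holds open, which is normal and is the reason the restore point is created alongside the files.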

 


BCPCGroup ~ The BlueCollarPC.Net Website Security Group
——————————————————————————————
MEMBERS AREA:
http://www.bluecollarpc.net/joingroup.html
Mail domain bluecollarpc.net
Live List Owner: bcpcgroup-listowners@bluecollarpc.net
Service List Owner: bcpcgroup-owner@bluecollarpc.net
Post to Group (Members Only): bcpcgroup@bluecollarpc.net
Help address bcpcgroup-help@bluecollarpc.net
Subscription address: bcpcgroup-subscribe@bluecollarpc.net
Unsubscription address: bcpcgroup-unsubscribe@bluecollarpc.net
  1. Sender Policy Framework (SPF, http://spf.pobox.com) Protected
  2. ALL Posts Moderated and List Protected with Antivirus Service.
  • Guard archive (message digests). Archive access requests from unrecognized SENDERs will be rejected.
  • Subscription requires confirmation by reply to a message sent to the subscription address.
  • Unsubscribe requires confirmation by a reply to a message sent to the subscription address.
Is Limited User Account enough? No… Try Protected Mode ? UAC User Account Control ?

BCPCNet-Modcasts: “Malware Botnet Cartel” by BlueCollarPC.Net

February 12, 2009 by bluecollarpc

PLAY))) Malware Botnet Cartel (BCPCNet-Modcasts)
http://www.bluecollarpc.net/downloads/DestroyBotnetCartel.wma
COMMENTS: (bluecollarpc) http://www.bluecollarpc.net/

Cybercrime Treaty Gains Momentum…
Article: http://www.networkworld.com/news/2008/040108-cybercrime-treaty-gains-more-interest.html?fsrc=rss-security
Council Of Europe:
http://www.conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG
As concise as possible, this is a very, very great news story. Personally as an Advanced User average consumer on PC – I launched this personal community website for malware removal and computing safety ongoing to best save a lot of aggravation and time for the newer community members of the world web, as we all have gone through with the advent of spyware from early adware days (lost innocence). Actually with 4 million (hits) visitors in just 2 years and various groups and forums I have been to – it is almost too easy to conclude that malware and the removal and protection against it is practically too much of a learning curve for a major percentage of home and even office computer users, and I mean that includes the most simple basic protection of antivirus software. In 2007, the best of the best (including Serf) estimated 7 to 11 percent of world computers were hijacked into malware botnets (zombie networks / slang). In year 2008 now, the estimate has dramatically increased to 1 out of 4 (yes 25 percent) are hijacked by malware botnet crimewares including the infections (virus/worm) and infestations (spyware/trojans/rootkits). Looking at that – yes real numbers have almost doubled in one year! (Finally peaked?).

This is an impossible subject to cover in one paragraph, but… to roughly sum up – I concluded over a year ago with personal experience and others that it will take a concerted World Government empowered legally to smash what I call the “Malware Botnet Cartel”. I think even the newbie immediately perceives the internet does not exist without internet commerce, and that is what is in danger beyond all the horrifying tragedies of individual incidents of IDTheft directly attributed to cyber crime and crimewares employed (not even mentioning businesses hacked) – and these are in part and wholly being swallowed up by the ‘botmasters’ (or bot herders) who are engaging “Bot Lord” Wars like an American Mafia movie in today’s terms of Gang Wars – the end of cyber crime itself. This news story is perhaps the heart of this and perhaps the real and actual light at the end of the tunnel. There comes the point when the various Governments are going to have to be trusted to “purge the system” of all malwares and rogue computers of criminals with wholesale arrests of the cyber criminals. Laws will need to be temporarily suspended to accomplish this or, otherwise, it will take more and more years of legislation with all the arguments to get it passed at the expense of all the not-so-advanced users. Case in point, USA Better Business Bureau places crimeware IDTheft in the USA alone at 45 Billion dollars for just year 2007! This “Cyber Crime Treaty” may actually be that ’silver bullet’ the security industry and users have longed for blindly even.
PLAY))) Malware Botnet Cartel (BCPCNet-Modcasts)
http://www.bluecollarpc.net/downloads/DestroyBotnetCartel.wma

FILES SOURCE http://www.bluecollarpc.net/modcasts.html