Guest Alun Jones
Posted November 3, 2008

"Paul Adare" <pkadare@gmail.com> wrote in message news:1lva5wb1hygef.1p65qj3dzrtf6.dlg@40tude.net...
> On Thu, 30 Oct 2008 11:29:51 -0300, Juan I. Cahis wrote:
>> Unless you have set the BIOS password, which any respectable SysAdmin
>> of any respectable business corporation doing international business
>> should always have set.
>
> BIOS passwords are trivial to bypass. Any sys admin, respectable or not,
> who relies on those for security should be fired.

I'd far rather educate people than fire them - of course, it's nice to think that all the people you ever hire will have been educated before you hired them, but very few of us are born with perfect knowledge.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.
Guest ~BD~
Posted November 3, 2008

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:uxKEc0SPJHA.4776@TK2MSFTNGP05.phx.gbl...
> "~BD~" <~BD~@no.mail.afraid.com> wrote in message
> news:OfumkgMPJHA.4700@TK2MSFTNGP03.phx.gbl...
>>
>> If you know that malicious code can be (and is) able to be stored in a
>> 'computer' - other than on a hard drive - I firmly believe that you
>> should share that knowledge with everyone, FTR.
>
> I have been doing just that! If you choose to ignore it, or are unable to
> retain it for very long, or just sweep it aside as you appear to do, then
> that is of no concern to me.

Do I need to apologise, FTR? If so ......... I do so unreservedly! Lack of retention? A result of advancing years, I fear!

As it seems that you agree that, even if a new hard drive be installed, a computer may remain infected - please offer your thoughts as to where you believe malicious code may hide, ready to infect the hard drive again whenever it so chooses. Thanks

>> Whilst the prime purpose of malware nowadays is to steal money, if this
>> money is then used to fund terrorist activities around the world it is
>> your duty to help to stop it IMO. Tell your 'stories' to EVERYONE!
>
> My 'stories' are from outside of what we discuss here (crypto, ecm, sonar,
> radar, and weapons systems). It is my patriotic duty to keep things from
> the terrorists - an idea that our 'press' can't seem to fathom.

So ..... where can we discuss your stories, FTR? Another newsgroup/forum? Email?

Dave
--
Guest Anne & Lynn Wheeler
Posted November 3, 2008

Donna Ohl <donna.ohl@sbcglobal.net> writes:
> I was in Beijing, and I used my Windows PC there with a freeware firewall
> and freeware anti virus and freeware malware scanners.
>
> Recently a friend said nearly all American travelers were to be warned by
> the State Department that their laptops, if left in the hotel, were almost
> certainly compromised.
>
> How could I tell if a keylogger or other spyware was inserted onto my
> laptop by the Chinese?

recent news with more sophisticated flavor ... which mentions having lots of countermeasures against detection:

Three Year Old Trojan Compromised Half Million Banking Details - The exact origins of the Trojan have not been determined yet
http://news.softpedia.com/news/Three-Years...ils-96953.shtml
Trojan steals 500,000+ bank and card details
http://www.finextra.com/fullstory.asp?id=19217
'Ruthless' Trojan horse steals 500k bank, credit card log-ons
http://www.computerworld.com/action/articl...ticleId=9118718
Advanced Trojan Virus Compromises Bank Info
http://www.redorbit.com/news/technology/15...info/index.html
Sinowal data-stealing trojan has infected half million PCs
http://www.scmagazineus.com/Sinowal-data-s...article/120243/

part of archived (linkedin) thread (regarding article from Kansas City FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that includes discussion of countermeasures for compromised PCs
http://www.garlic.com/~lynn/2008p.html#28
http://www.garlic.com/~lynn/2008p.html#32

--
40+yrs virtualization experience (since Jan68), online at home since Mar70
Guest ~BD~
Posted November 3, 2008

"Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message news:m33ai8ucdd.fsf@garlic.com...
>
> Donna Ohl <donna.ohl@sbcglobal.net> writes:
>> I was in Beijing, and I used my Windows PC there with a freeware firewall
>> and freeware anti virus and freeware malware scanners.
>>
>> Recently a friend said nearly all American travelers were to be warned by
>> the State Department that their laptops, if left in the hotel, were almost
>> certainly compromised.
>>
>> How could I tell if a keylogger or other spyware was inserted onto my
>> laptop by the Chinese?
>
> recent news with more sophisticated flavor ... which mentions having
> lots of countermeasures against detection:
>
> Three Year Old Trojan Compromised Half Million Banking Details - The
> exact origins of the Trojan have not been determined yet
> http://news.softpedia.com/news/Three-Years...ils-96953.shtml
> Trojan steals 500,000+ bank and card details
> http://www.finextra.com/fullstory.asp?id=19217
> 'Ruthless' Trojan horse steals 500k bank, credit card log-ons
> http://www.computerworld.com/action/articl...ticleId=9118718
> Advanced Trojan Virus Compromises Bank Info
> http://www.redorbit.com/news/technology/15...info/index.html
> Sinowal data-stealing trojan has infected half million PCs
> http://www.scmagazineus.com/Sinowal-data-s...article/120243/
>
> part of archived (linkedin) thread (regarding article from Kansas City
> FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that
> includes discussion of countermeasures for compromised PCs
> http://www.garlic.com/~lynn/2008p.html#28
> http://www.garlic.com/~lynn/2008p.html#32
>
> --
> 40+yrs virtualization experience (since Jan68), online at home since Mar70

Thanks for your post - I very nearly posted a similar article about the Sinowal virus this morning!

My understanding is that this virus can, and indeed does, install itself silently - without the knowledge of the user of the computer.

If the machine continues to all intents and purposes to 'work' the malware is unlikely to be discovered. However, let's suppose that I mention this 'nastie' to a friend and he says "How can I check to see if I have been infected?".

What answer should I give him?

Dave
Guest David H. Lipman
Posted November 3, 2008

From: "~BD~" <~BD~@no.mail.afraid.com>

| "Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message
| news:m33ai8ucdd.fsf@garlic.com...

>> Donna Ohl <donna.ohl@sbcglobal.net> writes:
>>> I was in Beijing, and I used my Windows PC there with a freeware firewall
>>> and freeware anti virus and freeware malware scanners.

>>> Recently a friend said nearly all American travelers were to be warned by
>>> the State Department that their laptops, if left in the hotel, were almost
>>> certainly compromised.

>>> How could I tell if a keylogger or other spyware was inserted onto my
>>> laptop by the Chinese?

>> recent news with more sophisticated flavor ... which mentions having
>> lots of countermeasures against detection:

>> Three Year Old Trojan Compromised Half Million Banking Details - The
>> exact origins of the Trojan have not been determined yet
>> http://news.softpedia.com/news/Three-Years...illion-Banking-
>> Details-96953.shtml
>> Trojan steals 500,000+ bank and card details
>> http://www.finextra.com/fullstory.asp?id=19217
>> 'Ruthless' Trojan horse steals 500k bank, credit card log-ons
>> http://www.computerworld.com/action/articl...asic&articleId=
>> 9118718
>> Advanced Trojan Virus Compromises Bank Info
>> http://www.redorbit.com/news/technology/15...mpromises_bank_
>> info/index.html
>> Sinowal data-stealing trojan has infected half million PCs
>> http://www.scmagazineus.com/Sinowal-data-s...lf-million-PCs/
>> article/120243/

>> part of archived (linkedin) thread (regarding article from Kansas City
>> FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that
>> includes discussion of countermeasures for compromised PCs
>> http://www.garlic.com/~lynn/2008p.html#28
>> http://www.garlic.com/~lynn/2008p.html#32

>> --
>> 40+yrs virtualization experience (since Jan68), online at home since Mar70

| Thanks for your post - I very nearly posted a similar article about the
| Sinowal virus this morning!

| My understanding is that this virus can, and indeed does, install itself
| silently - without the knowledge of the user of the computer.

| If the machine continues to all intents and purposes to 'work' the malware
| is unlikely to be discovered. However, let's suppose that I mention this
| 'nastie' to a friend and he says "How can I check to see if I have been
| infected?".

| What answer should I give him?

| Dave

Leave to people with a greater understanding.

The Sinowal is a trojan NOT a virus !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest ~BD~
Posted November 3, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:eEa$T%23fPJHA.1160@TK2MSFTNGP02.phx.gbl...
> From: "~BD~" <~BD~@no.mail.afraid.com>

<snip>

> | Thanks for your post - I very nearly posted a similar article about the
> | Sinowal trojan this morning!
>
> | My understanding is that this trojan can, and indeed does, install itself
> | silently - without the knowledge of the user of the computer.
>
> | If the machine continues to all intents and purposes to 'work' the malware
> | is unlikely to be discovered. However, let's suppose that I mention this
> | 'nastie' to a friend and he says "How can I check to see if I have been
> | infected?".
>
> | What answer should I give him?
>
> | Dave

--

(I'm sure you don't mean that I should say this to my friend!)

> Leave to people with a greater understanding.

Might that be you, Mr Lipman?

I saw this item after exploring the link in your 'signature' block:-

Written by: Frederic Bonroy (Minor contribution by: Clay)

In order to protect yourself from malicious programs, you should obtain information. The Internet is a rich source of information - the problem is that there isn't only good advice out there ........... and at first sight bad advice isn't always recognizable.

1. The "False Authority Syndrome"

Don't believe everything. Some people talk or write about viruses as if they were an authority in this field, but in fact they are often not.

Ref: http://www.claymania.com/info-fas.html

I know absolutely nothing about you. Are you an authority in this field?

> The Sinowal is a trojan NOT a virus !

You are right, of course .......... but it's semantics really (IMO).

--

> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I had hoped that you might have said something along these lines:-

"If you suspect that you have a system that is infected with this rootkit, to prevent it from loading, all that is required is to write a known-good copy of a master boot record back to the disk to prevent the rootkit driver from being loaded on the next reboot! Fortunately, we have made that a fairly painless process with the Windows Recovery Console and the 'fixmbr' command!

Here are some instructions for using the Windows Recovery Console:

Windows XP instructions: http://support.microsoft.com/kb/314058 (just type 'fixmbr' in the console)

Windows Vista instructions: http://support.microsoft.com/kb/927392 (just type 'bootrec.exe /fixmbr' at the console)

After restoring a known-good MBR to the hard drive, you should be able to start Windows and perform an on-line antivirus scan to detect and remove any of the malware components or any other malware that may have been installed on the system and hidden by the rootkit. You can use the Windows Live OneCare Safety Scanner at http://safety.live.com to perform such a scan. It includes all the signatures for this malware"

Ref: http://blogs.technet.com/antimalware/archi...l-a-report.aspx

FWIW

Dave
--
Guest David H. Lipman
Posted November 3, 2008

From: "~BD~" <~BD~@no.mail.afraid.com>

| I had hoped that you might have said something along these lines:-

| "If you suspect that you have a system that is infected with this rootkit,
| to prevent it from loading, all that is required is to write a known-good
| copy of a master boot record back to the disk to prevent the rootkit driver
| from being loaded on the next reboot! Fortunately, we have made that a
| fairly painless process with the Windows Recovery Console and the 'fixmbr'
| command!

| Here are some instructions for using the Windows Recovery Console:

| Windows XP instructions: http://support.microsoft.com/kb/314058 (just type
| 'fixmbr' in the console)

| Windows Vista instructions: http://support.microsoft.com/kb/927392 (just
| type 'bootrec.exe /fixmbr' at the console)

| After restoring a known-good MBR to the hard drive, you should be able to
| start Windows and perform an on-line antivirus scan to detect and remove any
| of the malware components or any other malware that may have been installed
| on the system and hidden by the rootkit. You can use the Windows Live
| OneCare Safety Scanner at http://safety.live.com to perform such a scan. It
| includes all the signatures for this malware"

| http://blogs.technet.com/antimalware/archi...-virtool-winnt-
| sinowal-a-report.aspx
| FWIW
| Dave

No it is NOT semantics.

Just like it was not semantics when you could self determine that; news.microsoft.com == msnews.microsoft.com

This was never a virus, calling it such is like calling a Ford Escort a Cadillac Coupe deVille. Both are cars but they are not synonymous. Trojans and viruses are both malware but they are not synonymous.

As for the set of instructions...
Again leave it to the more knowledgeable instead of copying and pasting.

Gmer has the tools to deal with this Trojan RootKit.

Additionally, going to web site such as http://safety.live.com to perform a scan only complicates matters. The problem here is that you are using a high level function (Browser and ActiveX control) with a low level modification. The best utilities for such are those that work and operate at a lower level.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest ~BD~
Posted November 4, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:OvR3hqgPJHA.4136@TK2MSFTNGP02.phx.gbl...
> From: "~BD~" <~BD~@no.mail.afraid.com>
>
> | I had hoped that you might have said something along these lines:-
>
> | "If you suspect that you have a system that is infected with this rootkit,
> | to prevent it from loading, all that is required is to write a known-good
> | copy of a master boot record back to the disk to prevent the rootkit driver
> | from being loaded on the next reboot! Fortunately, we have made that a
> | fairly painless process with the Windows Recovery Console and the 'fixmbr'
> | command!
>
> | Here are some instructions for using the Windows Recovery Console:
>
> | Windows XP instructions: http://support.microsoft.com/kb/314058 (just type
> | 'fixmbr' in the console)
>
> | Windows Vista instructions: http://support.microsoft.com/kb/927392 (just
> | type 'bootrec.exe /fixmbr' at the console)
>
> | After restoring a known-good MBR to the hard drive, you should be able to
> | start Windows and perform an on-line antivirus scan to detect and remove any
> | of the malware components or any other malware that may have been installed
> | on the system and hidden by the rootkit. You can use the Windows Live
> | OneCare Safety Scanner at http://safety.live.com to perform such a scan. It
> | includes all the signatures for this malware"
>
> | http://blogs.technet.com/antimalware/archi...-virtool-winnt-
> | sinowal-a-report.aspx
> | FWIW
> | Dave
>
> No it is NOT semantics.
>
> Just like it was not semantics when you could self determine that;
> news.microsoft.com == msnews.microsoft.com
>
> This was never a virus, calling it such is like calling a Ford Escort a
> Cadillac Coupe deVille. Both are cars but they are not synonymous. Trojans
> and viruses are both malware but they are not synonymous.
>
> As for the set of instructions...
> Again leave it to the more knowledgeable instead of copying and pasting.
>
> Gmer has the tools to deal with this Trojan RootKit.
>
> Additionally, going to web site such as http://safety.live.com to perform
> a scan only complicates matters. The problem here is that you are using a
> high level function (Browser and ActiveX control) with a low level
> modification. The best utilities for such are those that work and operate
> at a lower level.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Thank you for your reply, Mr Lipman.

You have once again carefully avoided telling me and other readers anything at all about you and/or your technical expertise/qualifications.

I'd given an example only - not a solution to a specific scenario. So, I'll ask again ................

If a computer shows NO sign of infection but a user wishes to check that there is, indeed, no malware present WHAT action should the PC user take?

Dave
--
Guest David H. Lipman
Posted November 4, 2008

From: "~BD~" ~BD~@no.mail.afraid.com

| Thank you for your reply, Mr Lipman.

| You have once again carefully avoided telling me and other readers anything
| at all about you and/or your technical expertise/qualifications.

| I'd given an example only - not a solution to a specific scenario. So, I'll
| ask again ................

| If a computer shows NO sign of infection but a user wishes to check that
| there is, indeed, no malware present WHAT action should the PC user take?

| Dave

Once again Mr. Troll you are hijacking someone else's thread.

I have been in this thread since it was cross-posted by Donna Ohl on 10/26 to...

alt.internet.wireless, alt.privacy.spyware
microsoft.public.security

It was you who altered the header to post to

microsoft.public.security.homeusers
microsoft.public.security.virus

EoD

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest FromTheRafters
Posted November 4, 2008

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:O9cumwbPJHA.4372@TK2MSFTNGP04.phx.gbl...
>
> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
> news:uxKEc0SPJHA.4776@TK2MSFTNGP05.phx.gbl...
>> "~BD~" <~BD~@no.mail.afraid.com> wrote in message
>> news:OfumkgMPJHA.4700@TK2MSFTNGP03.phx.gbl...
>>>
>>> If you know that malicious code can be (and is) able to be stored in a
>>> 'computer' - other than on a hard drive - I firmly believe that you
>>> should share that knowledge with everyone, FTR.
>>
>> I have been doing just that! If you choose to ignore it, or are unable to
>> retain it for very long, or just sweep it aside as you appear to do, then
>> that is of no concern to me.

> Do I need to apologise, FTR?

Not to me.

> If so ......... I do so unreservedly! Lack of retention? A result of
> advancing years, I fear!

That I can understand. :-)

> As it seems that you agree that, even if a new hard drive be installed, a
> computer may remain infected ...

I am not personally aware of any case where the modified code (external to the harddrive) can serve any useful purpose once 'disconnected' from the rest of the code on the affected harddrive. It is however theoretically possible.

In case you didn't follow the link I posted previously on this subject, here it is again:

http://www.ngssoftware.com/research/papers...PCI_Rootkit.pdf

The code that runs before the code on the harddrive runs, can be used by malware to 'get in front of' other code during the OS loading process. That is - it pays to be first - but only a fragment of the malware 'program' is able to fit in there.

Once the harddrive is clean you may still have the malware fragment 'doing something' - but it may be severely limited now that the rest of the malicious program's code is missing.

So, even replacing an affected harddrive with one shiny new from the box does not completely clean a computer. It doesn't necessarily follow that the remaining code can rejuvenate the malware responsible for the initial infestation either though.

> - please offer your thoughts as to where you believe malicious code may
> hide, ready to infect the hard drive again whenever it so chooses. Thanks

Code doesn't have to infect, infest, or respawn to be considered 'malicious'. Let's just assume the computer won't boot properly now, or your graphics card won't get the resolution it used to. The malware relocated some of the card's code so that it could have this 'front row seat' for nefarious purposes. Now that the rest of the code has been removed from the harddrive by format, fdisk /mbr, or replacement of the harddrive you lose whatever functionality it had.

[snip]

> So ..... where can we discuss your stories, FTR? Another
> newsgroup/forum? Email?

That's just it - we can't - because I can't - under penalty of imprisonment or worse. I take my promises seriously, and so does my government. :-)
Guest FromTheRafters
Posted November 4, 2008

> Thanks for your post - I very nearly posted a similar article about the
> Sinowal virus this morning!

Despite what you may find experts saying, this is not a virus. A virus is a very specific type of malware - this does not qualify.

> My understanding is that this virus can, and indeed does, install itself
> silently - without the knowledge of the user of the computer.

It is a trojan horse program - to begin with.

...then, once installed, it is many other things.

> If the machine continues to all intents and purposes to 'work' the malware
> is unlikely to be discovered. However, let's suppose that I mention this
> 'nastie' to a friend and he says "How can I check to see if I have been
> infected?".
>
> What answer should I give him?

The most important aspect of the program (once installed) is its ability to hide - it uses the MBR to implement a 'rootkit' - you need to detect this rootkit.

David Lipman recommends GMER often enough for me to think that it is a good rootkit detector. I suspect he would know better than most posters here.

- just a hunch ;-)
Guest FromTheRafters
Posted November 4, 2008

> I had hoped that you might have said something along these lines:-
>
> "If you suspect that you have a system that is infected with this rootkit,
> to prevent it from loading, all that is required is to write a known-good
> copy of a master boot record back to the disk to prevent the rootkit
> driver from being loaded on the next reboot! Fortunately, we have made
> that a fairly painless process with the Windows Recovery Console and the
> 'fixmbr' command!

That may work well for this malware, but care should be taken when attempting to remove small fragments of malware while other larger fragments can still execute. Retaliatory payloads could easily be added to its current functionality.

If it was able to modify the MBR in the first place, what's to stop it from modifying it again after you have fixmbr'ed and rebooted? The fragment in the MBR is usually just there to help it hide, so you have not de-fanged it by fixmbring - you have only uncloaked it.
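FromTheRafters' two points above (the MBR fragment exists to hide the rest of the malware, and a component that could write the MBR once can write it again after fixmbr) argue for checking the boot sector against a known-good copy rather than only rewriting it. The Python script below is an added example, not code from this thread or from any tool mentioned in it (GMER, OneCare): it parses a 512-byte MBR image, hashes the 446-byte bootstrap code area, decodes the four partition entries and reports what differs from a baseline. The boot code bytes and the single-partition layout are constructed for the demonstration; reading the live sector from a raw device (for example \\.\PhysicalDrive0 on Windows or /dev/sda on Linux, both of which need administrator or root rights) is left to the caller.

```python
"""Baseline check for an MBR image: is the boot sector still the one we trust?

Added example for the thread; the sample MBR bytes are constructed, not taken
from any real disk or malware sample.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446         # bootstrap code area at the start of the sector
PART_TABLE_OFF = 446        # four 16-byte partition entries follow it
SIGNATURE_OFF = 510         # final two bytes must be 0x55 0xAA
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba_start, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def check_mbr(current: bytes, baseline: bytes) -> list:
    """Compare a freshly captured MBR with a trusted copy; return finding names.

    An empty list means the sector matches the baseline field for field.
    """
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("bad_signature")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot_code_changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition_table_changed")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for the demonstration (not a real disk image)."""
    table = b"".join(
        PART_ENTRY.pack(status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, count)
        for status, ptype, lba_start, count in partitions)
    table = table.ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + b"\x55\xaa"


# Constructed sample: a stand-in boot loader and one bootable NTFS-type (0x07)
# partition starting at LBA 2048. These bytes are illustrative only.
GOOD_BOOT_CODE = bytes.fromhex(
    "33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
GOOD_MBR = build_mbr(GOOD_BOOT_CODE, [(0x80, 0x07, 2048, 204800)])

# Constructed tampering: the first bytes of the boot code differ from the
# baseline while the partition table is untouched, which is what a changed
# boot path looks like to this check.
TAMPERED_MBR = bytes.fromhex("e9a000") + GOOD_MBR[3:]


if __name__ == "__main__":
    for label, image in (("baseline", GOOD_MBR), ("after tampering", TAMPERED_MBR)):
        print(label, check_mbr(image, GOOD_MBR) or "matches baseline")
```

The trusted copy should be captured right after a clean install (or after fixmbr on a machine known to be clean) and stored off the host. Because an active MBR rootkit can filter raw sector reads from inside the running OS, which is the same objection Lipman raises against browser-level scanners, the current sector is best read from clean boot media or with the disk attached to another machine; a boot_code_changed finding on a disk that was already fixmbr'ed is exactly the re-infection case described above.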
Guest David H. Lipman
Posted November 4, 2008

From: "FromTheRafters" <erratic@nomail.afraid.org>

>> Thanks for your post - I very nearly posted a similar article about the
>> Sinowal virus this morning!

| Despite what you may find experts saying, this is not a virus. A virus is
| a very specific type of malware - this does not qualify.

>> My understanding is that this virus can, and indeed does, install itself
>> silently - without the knowledge of the user of the computer.

| It is a trojan horse program - to begin with.
| ...then, once installed, it is many other things.

>> If the machine continues to all intents and purposes to 'work' the malware
>> is unlikely to be discovered. However, let's suppose that I mention this
>> 'nastie' to a friend and he says "How can I check to see if I have been
>> infected?".

>> What answer should I give him?

| The most important aspect of the program (once installed) is its ability
| to hide - it uses the MBR to implement a 'rootkit' - you need to detect
| this rootkit.

| David Lipman recommends GMER often enough for me to think that
| it is a good rootkit detector. I suspect he would know better than most
| posters here.

| - just a hunch ;-)

http://www2.gmer.net/mbr/

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Kayman
Posted November 4, 2008

On Mon, 3 Nov 2008 22:19:57 -0500, FromTheRafters wrote:

>> Thanks for your post - I very nearly posted a similar article about the
>> Sinowal virus this morning!
>
> Despite what you may find experts saying, this is not a virus. A virus is
> a very specific type of malware - this does not qualify.
>
>> My understanding is that this virus can, and indeed does, install itself
>> silently - without the knowledge of the user of the computer.
>
> It is a trojan horse program - to begin with.
>
> ...then, once installed, it is many other things.
>
>> If the machine continues to all intents and purposes to 'work' the malware
>> is unlikely to be discovered. However, let's suppose that I mention this
>> 'nastie' to a friend and he says "How can I check to see if I have been
>> infected?".
>>
>> What answer should I give him?
>
> The most important aspect of the program (once installed) is its ability
> to hide - it uses the MBR to implement a 'rootkit' - you need to detect
> this rootkit.
>
> David Lipman recommends GMER often enough for me to think that
> it is a good rootkit detector. I suspect he would know better than most
> posters here.
>
> - just a hunch ;-)

Educational viewing!

Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotlight/se...spx?videoid=359
(Rootkit issues are discussed towards the end of the presentation).
Guest Sandy Mann
Posted November 4, 2008

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:eR3RtRhPJHA.4372@TK2MSFTNGP04.phx.gbl...
>
> Thank you for your reply, Mr Lipman.
>
> You have once again carefully avoided telling me and other readers
> anything at all about you and/or your technical expertise/qualifications.
>

Just as you did in an earlier post

--
Sandy
Guest RJK
Posted November 4, 2008

It really is quite tiresome how you keep goading, (or 'trolling' if you prefer), David H. Lipman, though it is quite amusing - in that you seem to completely lack the very small quantity of brain power required, to deduce that he is light years ahead of yourself, ...in every regard :-)

regards, Richard

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:eR3RtRhPJHA.4372@TK2MSFTNGP04.phx.gbl...
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:OvR3hqgPJHA.4136@TK2MSFTNGP02.phx.gbl...
>> From: "~BD~" <~BD~@no.mail.afraid.com>
>>
>> | I had hoped that you might have said something along these lines:-
>>
>> | "If you suspect that you have a system that is infected with this rootkit,
>> | to prevent it from loading, all that is required is to write a known-good
>> | copy of a master boot record back to the disk to prevent the rootkit driver
>> | from being loaded on the next reboot! Fortunately, we have made that a
>> | fairly painless process with the Windows Recovery Console and the 'fixmbr'
>> | command!
>>
>> | Here are some instructions for using the Windows Recovery Console:
>>
>> | Windows XP instructions: http://support.microsoft.com/kb/314058 (just type
>> | 'fixmbr' in the console)
>>
>> | Windows Vista instructions: http://support.microsoft.com/kb/927392 (just
>> | type 'bootrec.exe /fixmbr' at the console)
>>
>> | After restoring a known-good MBR to the hard drive, you should be able to
>> | start Windows and perform an on-line antivirus scan to detect and remove any
>> | of the malware components or any other malware that may have been installed
>> | on the system and hidden by the rootkit. You can use the Windows Live
>> | OneCare Safety Scanner at http://safety.live.com to perform such a scan. It
>> | includes all the signatures for this malware"
>>
>> | http://blogs.technet.com/antimalware/archi...-virtool-winnt-
>> | sinowal-a-report.aspx
>> | FWIW
>> | Dave
>>
>> No it is NOT semantics.
>>
>> Just like it was not semantics when you could self determine that;
>> news.microsoft.com == msnews.microsoft.com
>>
>> This was never a virus, calling it such is like calling a Ford Escort a
>> Cadillac Coupe deVille. Both are cars but they are not synonymous. Trojans
>> and viruses are both malware but they are not synonymous.
>>
>> As for the set of instructions...
>> Again leave it to the more knowledgeable instead of copying and pasting.
>>
>> Gmer has the tools to deal with this Trojan RootKit.
>>
>> Additionally, going to web site such as http://safety.live.com to perform
>> a scan only complicates matters. The problem here is that you are using a
>> high level function (Browser and ActiveX control) with a low level
>> modification. The best utilities for such are those that work and operate
>> at a lower level.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
> Thank you for your reply, Mr Lipman.
>
> You have once again carefully avoided telling me and other readers
> anything at all about you and/or your technical expertise/qualifications.
>
> I'd given an example only - not a solution to a specific scenario. So,
> I'll ask again ................
>
> If a computer shows NO sign of infection but a user wishes to check that
> there is, indeed, no malware present WHAT action should the PC user take?
>
> Dave
>
> --
Guest ~BD~ Posted November 4, 2008

"RJK" <notatospam@hotmail.com> wrote in message news:O$V$%23XsPJHA.576@TK2MSFTNGP04.phx.gbl...
> It really is quite tiresome how you keep goading, (or 'trolling' if you
> prefer), David H. Lipman, though it is quite amusing - in that you seem to
> completely lack the very small quantity of brain power required, to deduce
> that he is light years ahead of yourself, ...in every regard :-)
>
> regards, Richard
>

Hello Richard

Sorry - don't mean to be tiresome - just trying to get Mr Lipman to give me a straight answer to my question(s)!

BTW - I think you exaggerate a little!

Dave

PS Remind me of your experience at Aumha - did you get straight answers there?
Guest Paul Adare Posted November 4, 2008

On Tue, 4 Nov 2008 23:20:09 -0000, ~BD~ wrote:
> Sorry - don't mean to be tiresome

Of course you did, you're a troll, that's what trolls do.

> - just trying to get Mr Lipman to give me
> a straight answer to my question(s)!

You of all posters here, have no right to demand anything of anyone.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Guest ~BD~ Posted November 4, 2008

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:ea$HJ4iPJHA.4304@TK2MSFTNGP03.phx.gbl...
> That may work well for this malware, but care should be taken when
> attempting to remove small fragments of malware while other larger
> fragments can still execute. Retaliatory payloads could easily be added
> to its current functionality.
>
> If it was able to modify the MBR in the first place, what's to stop it
> from modifying it again after you have fixmbr'ed and rebooted? The
> fragment in the MBR is usually just there to help it hide, so you have
> not de-fanged it by fixmbring - you have only uncloaked it.
>

Of whom are you asking this question FTR? (or perhaps it was rhetorical)

You will appreciate that I simply quoted from the source - Microsoft TechNet
http://blogs.technet.com/antimalware/archi...l-a-report.aspx

Thank you for your comments though!

Dave
Guest RJK Posted November 5, 2008

.....oooh, had just finished a major fight with a PC (I won !) ,...didn't mean to be so horrid :-)

regards, Richard

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:uP%23GjPtPJHA.4848@TK2MSFTNGP03.phx.gbl...
>
> "RJK" <notatospam@hotmail.com> wrote in message
> news:O$V$%23XsPJHA.576@TK2MSFTNGP04.phx.gbl...
>> It really is quite tiresome how you keep goading, (or 'trolling' if you
>> prefer), David H. Lipman, though it is quite amusing - in that you seem
>> to completely lack the very small quantity of brain power required, to
>> deduce that he is light years ahead of yourself, ...in every regard :-)
>>
>> regards, Richard
>>
>
> Hello Richard
>
> Sorry - don't mean to be tiresome - just trying to get Mr Lipman to give
> me a straight answer to my question(s)!
>
> BTW - I think you exaggerate a little!
>
> Dave
>
> PS Remind me of your experience at Aumha - did you get straight answers
> there?
>
Guest ~BD~ Posted November 5, 2008

Many thanks for your reply FTR. My responses are in-line.

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:OhegyaiPJHA.4504@TK2MSFTNGP02.phx.gbl...
> "~BD~" <~BD~@no.mail.afraid.com> wrote in message
> news:O9cumwbPJHA.4372@TK2MSFTNGP04.phx.gbl...
>>
>> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
>> news:uxKEc0SPJHA.4776@TK2MSFTNGP05.phx.gbl...
>>> "~BD~" <~BD~@no.mail.afraid.com> wrote in message
>>> news:OfumkgMPJHA.4700@TK2MSFTNGP03.phx.gbl...
>>>>
>>>> If you know that malicious code can be (and is) able to be stored in
>>>> a 'computer' - other than on a hard drive - I firmly believe that you
>>>> should share that knowledge with everyone, FTR.
>>>
>>> I have been doing just that! If you choose to ignore it, or are unable
>>> to retain it for very long, or just sweep it aside as you appear to do,
>>> then that is of no concern to me.
>
>> Do I need to apologise, FTR?
>
> Not to me.

Thanks - but I didn't want you to feel that I'm not taking note of your posts!

>> If so ......... I do so unreservedly! Lack of retention? A result of
>> advancing years, I fear!
>
> That I can understand.

Do YOU have grandchildren too?

>> As it seems that you agree that, even if a new hard drive be installed, a
>> computer may remain infected ...
>
> I am not personally aware of any case where the modified code (external
> to the harddrive) can serve any useful purpose once 'disconnected' from
> the rest of the code on the affected harddrive. It is however
> theoretically possible.

A certain Mr Bill Castner at Aumha became extremely agitated when I suggested to someone who had experienced the dreaded BSOD that it may have been caused by a 'duff' (or 'infected'?) Memory stick. I was surprised by his attitude. I'd personally experienced such a phenomenon and had eventually determined the cause simply by trial and error.

> In case you didn't follow the link I posted previously on this subject,
> here it is again:
>
> http://www.ngssoftware.com/research/papers...PCI_Rootkit.pdf

I had followed the link you had posted before FTR - and had saved the PDF document for later study. Thanks, though, for the 'reminder'! It was a busy 'family' time last week and I hadn't got round to reviewing same. Even now I've only had time for a cursory look, but it seems very interesting. I really appreciate your help with this. Thank you.

> The code that runs before the code on the harddrive runs, can be used
> by malware to 'get in front of' other code during the OS loading process.
> That is - it pays to be first - but only a fragment of the malware
> 'program' is able to fit in there. Once the harddrive is clean you may
> still have the malware fragment 'doing something' - but it may be severely
> limited now that the rest of the malicious program's code is missing.

No doubt it can take its time ........ and grow slowly!

> So, even replacing an affected harddrive with one shiny new from the
> box does not completely clean a computer. It doesn't necessarily
> follow that the remaining code can rejuvenate the malware responsible
> for the initial infestation either though.

No, true ........ but it might !!!!

>> - please offer your thoughts as to where you believe malicious code may
>> hide, ready to infect the hard drive again whenever it so chooses. Thanks
>
> Code doesn't have to infect, infest, or respawn to be considered
> 'malicious'. Let's just assume the computer won't boot properly now, or
> your graphics card won't get the resolution it used to. The malware
> relocated some of the card's code so that it could have this 'front row
> seat' for nefarious purposes.

Maybe that explains why the picture on my CRT monitor became somewhat blurred from time to time during my experimentation! Vee..ery interesting!

> Now that the rest of the code has been removed from the harddrive by
> format, fdisk /mbr, or replacement of the harddrive you lose whatever
> functionality it had.

That's understandable. The harddrive might well pick up new, unwanted, code during further travels around the Internet though - and mate with any left lurking within a machine. That's my supposition anyway!

>> So ..... where can we discuss your stories, FTR? Another
>> newsgroup/forum? Email?
>
> That's just it - we can't - because I can't - under penalty of
> imprisonment or worse. I take my promises seriously, and so does my
> government.

I know not to which Government you refer. For my part I am bound by the British Official Secrets Act.

You may find the somewhat OT information here of some interest:-
http://www.espionageinfo.com/Ul-Vo/United-...d-Security.html

Cheers

Dave
--
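The "code that runs before the code on the harddrive" in the exchange above is, for the PCI case FTR's linked paper covers, an expansion (option) ROM on the card. Below is an added example, not code from this thread or from the NGSSoftware paper: a defender-side parser that reads an option ROM image, checks the header, the PCI data structure and the image checksum, and compares the image hash with a baseline recorded from a trusted copy. The ROM bytes, the vendor/device IDs (0x1234/0x5678) and the baseline hash are all constructed here for illustration.

```python
"""Parse and verify a PCI expansion (option) ROM image.

Added example for this thread, not code from the thread or from the
NGSSoftware paper linked above. The ROM image, vendor/device IDs and the
baseline hash are all constructed here for illustration."""
import hashlib
import struct

ROM_SIGNATURE = b"\x55\xAA"
PCIR_PTR_OFF = 0x18      # header field: offset of the 'PCIR' data structure
PCIR_LEN = 0x18          # minimum size of the PCI data structure


def parse_option_rom(image: bytes) -> dict:
    """Return header fields, checksum status and a hash of the declared image.

    Legacy option ROM layout (PCI Firmware Specification):
      0x00  0x55 0xAA signature
      0x02  image length in 512-byte units
      0x18  little-endian offset of the PCI data structure ('PCIR')
    The bytes of the whole image must sum to zero modulo 256.
    """
    if len(image) < PCIR_PTR_OFF + 2 or image[:2] != ROM_SIGNATURE:
        raise ValueError("not an option ROM image (missing 55AA signature)")
    size = image[2] * 512
    if size == 0 or size > len(image):
        raise ValueError(f"declared size {size} bytes does not fit the {len(image)}-byte image")
    pcir = struct.unpack_from("<H", image, PCIR_PTR_OFF)[0]
    if pcir + PCIR_LEN > size or image[pcir:pcir + 4] != b"PCIR":
        raise ValueError("PCI data structure ('PCIR') not found")
    vendor_id, device_id = struct.unpack_from("<HH", image, pcir + 4)
    return {
        "size": size,
        "vendor_id": vendor_id,
        "device_id": device_id,
        "code_type": image[pcir + 0x14],     # 0 = x86 BIOS code, 3 = UEFI
        "checksum_ok": sum(image[:size]) % 256 == 0,
        "sha256": hashlib.sha256(image[:size]).hexdigest(),
    }


def build_sample_rom(patched: bool = False, corrupted: bool = False) -> bytes:
    """Construct a minimal 512-byte legacy ROM (constructed sample, hypothetical IDs).

    patched:   change a code byte and recompute the checksum, as any deliberate
               modification would, so the checksum still validates.
    corrupted: flip a byte after the checksum is set, so the checksum fails.
    """
    img = bytearray(512)
    img[0:2] = ROM_SIGNATURE
    img[2] = 1                                   # one 512-byte block
    img[3:6] = b"\xEB\x3C\x90"                   # entry point: short jump past the header
    struct.pack_into("<H", img, PCIR_PTR_OFF, 0x40)
    p = 0x40
    img[p:p + 4] = b"PCIR"
    struct.pack_into("<HH", img, p + 4, 0x1234, 0x5678)   # hypothetical vendor/device
    struct.pack_into("<H", img, p + 0x0A, PCIR_LEN)       # structure length
    struct.pack_into("<H", img, p + 0x10, 1)              # image length, 512-byte units
    img[p + 0x14] = 0                                     # x86 BIOS code type
    img[p + 0x15] = 0x80                                  # last image in the ROM
    if patched:
        img[0x100] = 0x90                                 # a changed code byte
    img[511] = (-sum(img[:511])) % 256                    # make the image sum to zero
    if corrupted:
        img[0x100] ^= 0xFF
    return bytes(img)


def verify_rom(image: bytes, baseline_sha256: str) -> dict:
    """Header parse plus comparison with the hash recorded from a trusted image."""
    info = parse_option_rom(image)
    info["matches_baseline"] = info["sha256"] == baseline_sha256
    return info
```

The point the two sample variants make: the ROM checksum only catches accidental corruption, since whoever rewrites the image recomputes it, so a "patched" ROM parses cleanly and checksums correctly; what exposes it is the mismatch against the hash of a known-good image taken from the vendor's download or from the card when it was new.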
Guest ~BD~ Posted November 5, 2008

"Paul Adare" <pkadare@gmail.com> wrote in message news:1kgkg0u2ljpnx$.86v74sinknt9$.dlg@40tude.net...
> On Tue, 4 Nov 2008 23:20:09 -0000, ~BD~ wrote:
>
>> - just trying to get Mr Lipman to give me
>> a straight answer to my question(s)!
>
> You of all posters here, have no right to demand anything of anyone.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca

I have every right to ask questions, Mr Paul Adare. Indeed, I feel it my duty to do so.

I have made no demands of anyone.

Are you feeling guilty?

D.
--
Guest FromTheRafters Posted November 5, 2008

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:usoXkXtPJHA.1164@TK2MSFTNGP03.phx.gbl...
>
> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
> news:ea$HJ4iPJHA.4304@TK2MSFTNGP03.phx.gbl...
>
>> That may work well for this malware, but care should be taken when
>> attempting to remove small fragments of malware while other larger
>> fragments can still execute. Retaliatory payloads could easily be added
>> to its current functionality.
>>
>> If it was able to modify the MBR in the first place, what's to stop it
>> from modifying it again after you have fixmbr'ed and rebooted? The
>> fragment in the MBR is usually just there to help it hide, so you have
>> not de-fanged it by fixmbring - you have only uncloaked it.
>>
>
> Of whom are you asking this question FTR? (or perhaps it was rhetorical)

It was rhetorical, I attempted to point out that such an approach could be dangerous. If someone attempted to use this method against the wrong malware (or perhaps a wrong variant of this malware), bad things could happen.

This one uses the MBR both as a way to add stealth and as a way to start the program. It is not necessary that the autostart method for the bulk of a malware's payload be in the MBR. Replacing the MBR will inhibit the program from starting. But if the rootkit used the MBR only for the stealth function and some other method was used for the persistence, simple replacement of the MBR could prove a disaster if retaliatory payloads are used.
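Both the quoted TechNet instructions earlier in the thread (write a known-good MBR back with fixmbr) and FTR's caution above turn on what an MBR actually holds: 440 bytes of boot code, then the disk signature, the four-entry partition table and the 0x55AA signature. The following is an added example, not code from the thread, from Microsoft or from GMER: it parses a 512-byte MBR, compares the boot-code region against a baseline hash, and shows a restore that rewrites only the boot code while leaving the partition table and disk signature untouched (an illustration of the fixmbr idea, not the tool's implementation). The boot-code bytes, the partition layout and the disk signature 0xDEADBEEF are constructed for the example; function names are mine.

```python
"""Inspect a 512-byte master boot record and check its boot code against a
known-good baseline. Added example for this thread; the MBR images below are
constructed here, not copied from any real disk."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0x000-0x1B7: executable boot code
DISK_SIG_OFF = 0x1B8         # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE         # 0x55 0xAA
PART_ENTRY = "<B3xB3xII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return the structured fields of an MBR, rejecting malformed sectors."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:       # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def build_sample_mbr(boot_code: bytes, disk_signature: int = 0xDEADBEEF) -> bytes:
    """Construct a sample MBR: the given boot code plus one bootable NTFS partition."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too large")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    # Entry 0: active, type 0x07 (NTFS), starting at LBA 2048, 204800 sectors
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


def audit_boot_code(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot-code region matches the hash recorded in a known-good state."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


def restore_boot_code(sector: bytes, known_good_boot_code: bytes) -> bytes:
    """Rewrite only the boot code; disk signature and partition table stay as they are.

    Illustrates the idea behind fixmbr as the thread describes it; this is not
    the implementation of the Microsoft tool."""
    parse_mbr(sector)        # refuse to touch something that is not an MBR
    fixed = bytearray(sector)
    fixed[:BOOT_CODE_LEN] = known_good_boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    return bytes(fixed)


# Constructed stand-ins: a "known-good" boot code and a modified one whose
# first instruction has been redirected elsewhere.
KNOWN_GOOD_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 24
MODIFIED_BOOT_CODE = b"\xEB\x10" + KNOWN_GOOD_BOOT_CODE[2:]
KNOWN_GOOD_HASH = hashlib.sha256(
    KNOWN_GOOD_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()
```

Two things this makes concrete about the discussion: the restore touches only the first 440 bytes, which is why the partition table and disk signature are the same before and after, and `audit_boot_code` is the check to rerun after the reboot, since the MBR matching the baseline on one pass says nothing about the rest of what is on the disk or whether the boot code is rewritten again later, which is the scenario FTR describes.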
Guest ~BD~ Posted November 5, 2008

My replies in-line!

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:ONiG5wiPJHA.4576@TK2MSFTNGP03.phx.gbl...
>> Thanks for your post - I very nearly posted a similar article about the
>> Sinowal virus this morning!
>
> Despite what you may find experts saying, this is not a virus. A virus is
> a very specific type of malware - this does not qualify.

My bad. Sorry!

>> My understanding is that this virus can, and indeed does, install itself
>> silently - without the knowledge of the user of the computer.
>
> It is a trojan horse program - to begin with.
>
> ...then, once installed, it is many other things.

My bad x2. Sorry!

>> If the machine continues to all intents and purposes to 'work' the
>> malware is unlikely to be discovered. However, let's suppose that I
>> mention this 'nastie' to a friend and he says "How can I check to see if
>> I have been infected?".
>>
>> What answer should I give him?
>
> The most important aspect of the program (once installed) is its ability
> to hide - it uses the MBR to implement a 'rootkit' - you need to detect
> this rootkit.
>
> David Lipman recommends GMER often enough for me to think that
> it is a good rootkit detector. I suspect he would know better than most
> posters here.
>
> - just a hunch ;-)
>

So ......... now what many will think a stupid question.

How can one be certain that GMER is simply a great tool to detect rootkits? (and doesn't damage a machine!)

I caught this item 'in passing' as it were:-

Sanctuary (thank you Paul Vixie and ISC) welcomes gmer.net. I also thank Matt Jonkman for his excellent assistance, and Register.com for being on the phone all day with us. gmer, this one is for you brother.

GMER Application: download
Catchme: download

gmer has asked that this page remain, so to visit the site, click here.

-Paul Laudanski, 12:55PM EST Sunday, 21Jan2007

If there are problems with the site, please contact me.

So then a trip here: http://www.linkedin.com/pub/1/49a/17b to discover lots about Paul Laudanski.

Seems pretty conclusive to me!

Dave

PS How nice it would be if similar info was available about Mr Lipman!
--
Guest Leonard Grey Posted November 5, 2008

Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

Everyone:

The sooner we stop giving this guy an audience, the sooner he'll go away.
---
Leonard Grey
Errare Humanum Est

~BD~ wrote:
<snipped>