Guest ~BD~
Posted November 3, 2008

"Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message news:m33ai8ucdd.fsf@garlic.com...

> Donna Ohl <donna.ohl@sbcglobal.net> writes:
>> I was in Beijing, and I used my Windows PC there with a freeware firewall
>> and freeware anti virus and freeware malware scanners.
>>
>> Recently a friend said nearly all American travelers were to be warned by
>> the State Department that their laptops, if left in the hotel, were almost
>> certainly compromised.
>>
>> How could I tell if a keylogger or other spyware was inserted onto my
>> laptop by the Chinese?
>
> recent news with more sophisticated flavor ... which mentions having
> lots of countermeasures against detection:
>
> Three Year Old Trojan Compromised Half Million Banking Details - The
> exact origins of the Trojan have not been determined yet
> http://news.softpedia.com/news/Three-Years...ils-96953.shtml
> Trojan steals 500,000+ bank and card details
> http://www.finextra.com/fullstory.asp?id=19217
> 'Ruthless' Trojan horse steals 500k bank, credit card log-ons
> http://www.computerworld.com/action/articl...ticleId=9118718
> Advanced Trojan Virus Compromises Bank Info
> http://www.redorbit.com/news/technology/15...info/index.html
> Sinowal data-stealing trojan has infected half million PCs
> http://www.scmagazineus.com/Sinowal-data-s...article/120243/
>
> part of archived (linkedin) thread (regarding article from Kansas City
> FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that
> includes discussion of countermeasures for compromised PCs
> http://www.garlic.com/~lynn/2008p.html#28
> http://www.garlic.com/~lynn/2008p.html#32
>
> --
> 40+yrs virtualization experience (since Jan68), online at home since Mar70

Thanks for your post - I very nearly posted a similar article about the Sinowal virus this morning!

My understanding is that this virus can, and indeed does, install itself silently - without the knowledge of the user of the computer.

If the machine continues to all intents and purposes to 'work' the malware is unlikely to be discovered. However, let's suppose that I mention this 'nastie' to a friend and he says "How can I check to see if I have been infected?".

What answer should I give him?

Dave
Guest David H. Lipman
Posted November 3, 2008

From: "~BD~" <~BD~@no.mail.afraid.com>

| "Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message
| news:m33ai8ucdd.fsf@garlic.com...

>> Donna Ohl <donna.ohl@sbcglobal.net> writes:
>>> I was in Beijing, and I used my Windows PC there with a freeware firewall
>>> and freeware anti virus and freeware malware scanners.

>>> Recently a friend said nearly all American travelers were to be warned by
>>> the State Department that their laptops, if left in the hotel, were almost
>>> certainly compromised.

>>> How could I tell if a keylogger or other spyware was inserted onto my
>>> laptop by the Chinese?

>> recent news with more sophisticated flavor ... which mentions having
>> lots of countermeasures against detection:

>> Three Year Old Trojan Compromised Half Million Banking Details - The
>> exact origins of the Trojan have not been determined yet
>> http://news.softpedia.com/news/Three-Years...illion-Banking-
>> Details-96953.shtml
>> Trojan steals 500,000+ bank and card details
>> http://www.finextra.com/fullstory.asp?id=19217
>> 'Ruthless' Trojan horse steals 500k bank, credit card log-ons
>> http://www.computerworld.com/action/articl...asic&articleId=
>> 9118718
>> Advanced Trojan Virus Compromises Bank Info
>> http://www.redorbit.com/news/technology/15...mpromises_bank_
>> info/index.html
>> Sinowal data-stealing trojan has infected half million PCs
>> http://www.scmagazineus.com/Sinowal-data-s...lf-million-PCs/
>> article/120243/

>> part of archived (linkedin) thread (regarding article from Kansas City
>> FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that
>> includes discussion of countermeasures for compromised PCs
>> http://www.garlic.com/~lynn/2008p.html#28
>> http://www.garlic.com/~lynn/2008p.html#32

>> --
>> 40+yrs virtualization experience (since Jan68), online at home since Mar70

| Thanks for your post - I very nearly posted a similar article about the
| Sinowal virus this morning!

| My understanding is that this virus can, and indeed does, install itself
| silently - without the knowledge of the user of the computer.

| If the machine continues to all intents and purposes to 'work' the malware
| is unlikely to be discovered. However, let's suppose that I mention this
| 'nastie' to a friend and he says "How can I check to see if I have been
| infected?".

| What answer should I give him?

| Dave

Leave it to people with a greater understanding.

The Sinowal is a trojan NOT a virus !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest ~BD~
Posted November 3, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:eEa$T%23fPJHA.1160@TK2MSFTNGP02.phx.gbl...

> From: "~BD~" <~BD~@no.mail.afraid.com>

<snip>

> | Thanks for your post - I very nearly posted a similar article about the
> | Sinowal trojan this morning!
>
> | My understanding is that this trojan can, and indeed does, install itself
> | silently - without the knowledge of the user of the computer.
>
> | If the machine continues to all intents and purposes to 'work' the malware
> | is unlikely to be discovered. However, let's suppose that I mention this
> | 'nastie' to a friend and he says "How can I check to see if I have been
> | infected?".
>
> | What answer should I give him?
>
> | Dave

(I'm sure you don't mean that I should say this to my friend!)

> Leave it to people with a greater understanding.

Might that be you, Mr Lipman?

I saw this item after exploring the link in your 'signature' block:-

Written by: Frederic Bonroy (Minor contribution by: Clay)

In order to protect yourself from malicious programs, you should obtain information. The Internet is a rich source of information - the problem is that there isn't only good advice out there ........... and at first sight bad advice isn't always recognizable.

1. The "False Authority Syndrome"

Don't believe everything. Some people talk or write about viruses as if they were an authority in this field, but in fact they are often not.

Ref: http://www.claymania.com/info-fas.html

I know absolutely nothing about you. Are you an authority in this field?

> The Sinowal is a trojan NOT a virus !

You are right, of course .......... but it's semantics really (IMO).

> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I had hoped that you might have said something along these lines:-

"If you suspect that you have a system that is infected with this rootkit, to prevent it from loading, all that is required is to write a known-good copy of a master boot record back to the disk to prevent the rootkit driver from being loaded on the next reboot! Fortunately, we have made that a fairly painless process with the Windows Recovery Console and the 'fixmbr' command!

Here are some instructions for using the Windows Recovery Console:

Windows XP instructions: http://support.microsoft.com/kb/314058 (just type 'fixmbr' in the console)

Windows Vista instructions: http://support.microsoft.com/kb/927392 (just type 'bootrec.exe /fixmbr' at the console)

After restoring a known-good MBR to the hard drive, you should be able to start Windows and perform an on-line antivirus scan to detect and remove any of the malware components or any other malware that may have been installed on the system and hidden by the rootkit. You can use the Windows Live OneCare Safety Scanner at http://safety.live.com to perform such a scan. It includes all the signatures for this malware"

Ref: http://blogs.technet.com/antimalware/archi...l-a-report.aspx

FWIW

Dave
Guest David H. Lipman
Posted November 3, 2008

From: "~BD~" <~BD~@no.mail.afraid.com>

| I had hoped that you might have said something along these lines:-

| "If you suspect that you have a system that is infected with this rootkit,
| to prevent it from loading, all that is required is to write a known-good
| copy of a master boot record back to the disk to prevent the rootkit driver
| from being loaded on the next reboot! Fortunately, we have made that a
| fairly painless process with the Windows Recovery Console and the 'fixmbr'
| command!

| Here are some instructions for using the Windows Recovery Console:

| Windows XP instructions: http://support.microsoft.com/kb/314058 (just type
| 'fixmbr' in the console)

| Windows Vista instructions: http://support.microsoft.com/kb/927392 (just
| type 'bootrec.exe /fixmbr' at the console)

| After restoring a known-good MBR to the hard drive, you should be able to
| start Windows and perform an on-line antivirus scan to detect and remove any
| of the malware components or any other malware that may have been installed
| on the system and hidden by the rootkit. You can use the Windows Live
| OneCare Safety Scanner at http://safety.live.com to perform such a scan. It
| includes all the signatures for this malware"

| http://blogs.technet.com/antimalware/archi...-virtool-winnt-
| sinowal-a-report.aspx

| FWIW

| Dave

No it is NOT semantics.

Just like it was not semantics when you could self determine that; news.microsoft.com == msnews.microsoft.com

This was never a virus, calling it such is like calling a Ford Escort a Cadillac Coupe deVille. Both are cars but they are not synonymous. Trojans and viruses are both malware but they are not synonymous.

As for the set of instructions...
Again leave it to the more knowledgeable instead of copying and pasting.

Gmer has the tools to deal with this Trojan RootKit.

Additionally, going to a web site such as http://safety.live.com to perform a scan only complicates matters. The problem here is that you are using a high level function (Browser and ActiveX control) with a low level modification. The best utilities for such are those that work and operate at a lower level.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest ~BD~
Posted November 4, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:OvR3hqgPJHA.4136@TK2MSFTNGP02.phx.gbl...

> From: "~BD~" <~BD~@no.mail.afraid.com>
>
> | I had hoped that you might have said something along these lines:-
>
> | "If you suspect that you have a system that is infected with this rootkit,
> | to prevent it from loading, all that is required is to write a known-good
> | copy of a master boot record back to the disk to prevent the rootkit driver
> | from being loaded on the next reboot! Fortunately, we have made that a
> | fairly painless process with the Windows Recovery Console and the 'fixmbr'
> | command!
>
> | Here are some instructions for using the Windows Recovery Console:
>
> | Windows XP instructions: http://support.microsoft.com/kb/314058 (just type
> | 'fixmbr' in the console)
>
> | Windows Vista instructions: http://support.microsoft.com/kb/927392 (just
> | type 'bootrec.exe /fixmbr' at the console)
>
> | After restoring a known-good MBR to the hard drive, you should be able to
> | start Windows and perform an on-line antivirus scan to detect and remove any
> | of the malware components or any other malware that may have been installed
> | on the system and hidden by the rootkit. You can use the Windows Live
> | OneCare Safety Scanner at http://safety.live.com to perform such a scan. It
> | includes all the signatures for this malware"
>
> | http://blogs.technet.com/antimalware/archi...-virtool-winnt-
> | sinowal-a-report.aspx
> | FWIW
> | Dave
>
> No it is NOT semantics.
>
> Just like it was not semantics when you could self determine that;
> news.microsoft.com == msnews.microsoft.com
>
> This was never a virus, calling it such is like calling a Ford Escort a
> Cadillac Coupe deVille. Both are cars but they are not synonymous. Trojans
> and viruses are both malware but they are not synonymous.
>
> As for the set of instructions...
> Again leave it to the more knowledgeable instead of copying and pasting.
>
> Gmer has the tools to deal with this Trojan RootKit.
>
> Additionally, going to a web site such as http://safety.live.com to perform
> a scan only complicates matters. The problem here is that you are using a
> high level function (Browser and ActiveX control) with a low level
> modification. The best utilities for such are those that work and operate
> at a lower level.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Thank you for your reply, Mr Lipman.

You have once again carefully avoided telling me and other readers anything at all about you and/or your technical expertise/qualifications.

I'd given an example only - not a solution to a specific scenario. So, I'll ask again ................

If a computer shows NO sign of infection but a user wishes to check that there is, indeed, no malware present WHAT action should the PC user take?

Dave
Guest David H. Lipman
Posted November 4, 2008

From: "~BD~" ~BD~@no.mail.afraid.com

| Thank you for your reply, Mr Lipman.

| You have once again carefully avoided telling me and other readers anything
| at all about you and/or your technical expertise/qualifications.

| I'd given an example only - not a solution to a specific scenario. So, I'll
| ask again ................

| If a computer shows NO sign of infection but a user wishes to check that
| there is, indeed, no malware present WHAT action should the PC user take?

| Dave

Once again Mr. Troll you are hijacking someone else's thread.

I have been in this thread since it was cross-posted by Donna Ohl on 10/26 to...

alt.internet.wireless, alt.privacy.spyware, microsoft.public.security

It was you who altered the header to post to microsoft.public.security.homeusers, microsoft.public.security.virus

EoD

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest FromTheRafters
Posted November 4, 2008

> Thanks for your post - I very nearly posted a similar article about the
> Sinowal virus this morning!

Despite what you may find experts saying, this is not a virus. A virus is a very specific type of malware - this does not qualify.

> My understanding is that this virus can, and indeed does, install itself
> silently - without the knowledge of the user of the computer.

It is a trojan horse program - to begin with.

...then, once installed, it is many other things.

> If the machine continues to all intents and purposes to 'work' the malware
> is unlikely to be discovered. However, let's suppose that I mention this
> 'nastie' to a friend and he says "How can I check to see if I have been
> infected?".
>
> What answer should I give him?

The most important aspect of the program (once installed) is its ability to hide - it uses the MBR to implement a 'rootkit' - you need to detect this rootkit.

David Lipman recommends GMER often enough for me to think that it is a good rootkit detector. I suspect he would know better than most posters here.

- just a hunch ;-)
Guest FromTheRafters
Posted November 4, 2008

> I had hoped that you might have said something along these lines:-
>
> "If you suspect that you have a system that is infected with this rootkit,
> to prevent it from loading, all that is required is to write a known-good
> copy of a master boot record back to the disk to prevent the rootkit
> driver from being loaded on the next reboot! Fortunately, we have made
> that a fairly painless process with the Windows Recovery Console and the
> 'fixmbr' command!

That may work well for this malware, but care should be taken when attempting to remove small fragments of malware while other larger fragments can still execute. Retaliatory payloads could easily be added to its current functionality.

If it was able to modify the MBR in the first place, what's to stop it from modifying it again after you have fixmbr'ed and rebooted? The fragment in the MBR is usually just there to help it hide, so you have not de-fanged it by fixmbring - you have only uncloaked it.
Guest David H. Lipman
Posted November 4, 2008

From: "FromTheRafters" <erratic@nomail.afraid.org>

>> Thanks for your post - I very nearly posted a similar article about the
>> Sinowal virus this morning!

| Despite what you may find experts saying, this is not a virus. A virus is
| a very specific type of malware - this does not qualify.

>> My understanding is that this virus can, and indeed does, install itself
>> silently - without the knowledge of the user of the computer.

| It is a trojan horse program - to begin with.

| ...then, once installed, it is many other things.

>> If the machine continues to all intents and purposes to 'work' the malware
>> is unlikely to be discovered. However, let's suppose that I mention this
>> 'nastie' to a friend and he says "How can I check to see if I have been
>> infected?".

>> What answer should I give him?

| The most important aspect of the program (once installed) is its ability
| to hide - it uses the MBR to implement a 'rootkit' - you need to detect
| this rootkit.

| David Lipman recommends GMER often enough for me to think that
| it is a good rootkit detector. I suspect he would know better than most
| posters here.

| - just a hunch ;-)

http://www2.gmer.net/mbr/

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Kayman
Posted November 4, 2008

On Mon, 3 Nov 2008 22:19:57 -0500, FromTheRafters wrote:

>> Thanks for your post - I very nearly posted a similar article about the
>> Sinowal virus this morning!
>
> Despite what you may find experts saying, this is not a virus. A virus is
> a very specific type of malware - this does not qualify.
>
>> My understanding is that this virus can, and indeed does, install itself
>> silently - without the knowledge of the user of the computer.
>
> It is a trojan horse program - to begin with.
>
> ...then, once installed, it is many other things.
>
>> If the machine continues to all intents and purposes to 'work' the malware
>> is unlikely to be discovered. However, let's suppose that I mention this
>> 'nastie' to a friend and he says "How can I check to see if I have been
>> infected?".
>>
>> What answer should I give him?
>
> The most important aspect of the program (once installed) is its ability
> to hide - it uses the MBR to implement a 'rootkit' - you need to detect
> this rootkit.
>
> David Lipman recommends GMER often enough for me to think that
> it is a good rootkit detector. I suspect he would know better than most
> posters here.
>
> - just a hunch ;-)

Educational viewing!

Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotlight/se...spx?videoid=359
(Rootkit issues are discussed towards the end of the presentation).
Guest Sandy Mann
Posted November 4, 2008

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:eR3RtRhPJHA.4372@TK2MSFTNGP04.phx.gbl...

> Thank you for your reply, Mr Lipman.
>
> You have once again carefully avoided telling me and other readers
> anything at all about you and/or your technical expertise/qualifications.

Just as you did in an earlier post

--
Sandy
Guest RJK
Posted November 4, 2008

It really is quite tiresome how you keep goading, (or 'trolling' if you prefer), David H. Lipman, though it is quite amusing - in that you seem to completely lack the very small quantity of brain power required, to deduce that he is light years ahead of yourself, ...in every regard :-)

regards, Richard

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:eR3RtRhPJHA.4372@TK2MSFTNGP04.phx.gbl...

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:OvR3hqgPJHA.4136@TK2MSFTNGP02.phx.gbl...
>> From: "~BD~" <~BD~@no.mail.afraid.com>
>>
>> | I had hoped that you might have said something along these lines:-
>>
>> | "If you suspect that you have a system that is infected with this rootkit,
>> | to prevent it from loading, all that is required is to write a known-good
>> | copy of a master boot record back to the disk to prevent the rootkit driver
>> | from being loaded on the next reboot! Fortunately, we have made that a
>> | fairly painless process with the Windows Recovery Console and the 'fixmbr'
>> | command!
>>
>> | Here are some instructions for using the Windows Recovery Console:
>>
>> | Windows XP instructions: http://support.microsoft.com/kb/314058 (just type
>> | 'fixmbr' in the console)
>>
>> | Windows Vista instructions: http://support.microsoft.com/kb/927392 (just
>> | type 'bootrec.exe /fixmbr' at the console)
>>
>> | After restoring a known-good MBR to the hard drive, you should be able to
>> | start Windows and perform an on-line antivirus scan to detect and remove any
>> | of the malware components or any other malware that may have been installed
>> | on the system and hidden by the rootkit. You can use the Windows Live
>> | OneCare Safety Scanner at http://safety.live.com to perform such a scan. It
>> | includes all the signatures for this malware"
>>
>> | http://blogs.technet.com/antimalware/archi...-virtool-winnt-
>> | sinowal-a-report.aspx
>> | FWIW
>> | Dave
>>
>> No it is NOT semantics.
>>
>> Just like it was not semantics when you could self determine that;
>> news.microsoft.com == msnews.microsoft.com
>>
>> This was never a virus, calling it such is like calling a Ford Escort a
>> Cadillac Coupe deVille. Both are cars but they are not synonymous. Trojans
>> and viruses are both malware but they are not synonymous.
>>
>> As for the set of instructions...
>> Again leave it to the more knowledgeable instead of copying and pasting.
>>
>> Gmer has the tools to deal with this Trojan RootKit.
>>
>> Additionally, going to a web site such as http://safety.live.com to
>> perform a scan only complicates matters. The problem here is that you are
>> using a high level function (Browser and ActiveX control) with a low level
>> modification. The best utilities for such are those that work and operate
>> at a lower level.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
> Thank you for your reply, Mr Lipman.
>
> You have once again carefully avoided telling me and other readers
> anything at all about you and/or your technical expertise/qualifications.
>
> I'd given an example only - not a solution to a specific scenario. So,
> I'll ask again ................
>
> If a computer shows NO sign of infection but a user wishes to check that
> there is, indeed, no malware present WHAT action should the PC user take?
>
> Dave
Guest ~BD~
Posted November 4, 2008

"RJK" <notatospam@hotmail.com> wrote in message news:O$V$%23XsPJHA.576@TK2MSFTNGP04.phx.gbl...

> It really is quite tiresome how you keep goading, (or 'trolling' if you
> prefer), David H. Lipman, though it is quite amusing - in that you seem to
> completely lack the very small quantity of brain power required, to deduce
> that he is light years ahead of yourself, ...in every regard :-)
>
> regards, Richard

Hello Richard

Sorry - don't mean to be tiresome - just trying to get Mr Lipman to give me a straight answer to my question(s)!

BTW - I think you exaggerate a little!

Dave

PS Remind me of your experience at Aumha - did you get straight answers there?
Guest Paul Adare
Posted November 4, 2008

On Tue, 4 Nov 2008 23:20:09 -0000, ~BD~ wrote:

> Sorry - don't mean to be tiresome

Of course you did, you're a troll, that's what trolls do.

> - just trying to get Mr Lipman to give me
> a straight answer to my question(s)!

You of all posters here, have no right to demand anything of anyone.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Guest ~BD~
Posted November 4, 2008

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:ea$HJ4iPJHA.4304@TK2MSFTNGP03.phx.gbl...

> That may work well for this malware, but care should be taken when
> attempting to remove small fragments of malware while other larger
> fragments can still execute. Retaliatory payloads could easily be added
> to its current functionality.
>
> If it was able to modify the MBR in the first place, what's to stop it
> from modifying it again after you have fixmbr'ed and rebooted? The
> fragment in the MBR is usually just there to help it hide, so you have
> not de-fanged it by fixmbring - you have only uncloaked it.

Of whom are you asking this question FTR? (or perhaps it was rhetorical)

You will appreciate that I simply quoted from the source - Microsoft TechNet
http://blogs.technet.com/antimalware/archi...l-a-report.aspx

Thank you for your comments though!

Dave
Guest RJK
Posted November 5, 2008

...oooh, had just finished a major fight with a PC (I won !) ,...didn't mean to be so horrid :-)

regards, Richard

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:uP%23GjPtPJHA.4848@TK2MSFTNGP03.phx.gbl...

> "RJK" <notatospam@hotmail.com> wrote in message
> news:O$V$%23XsPJHA.576@TK2MSFTNGP04.phx.gbl...
>> It really is quite tiresome how you keep goading, (or 'trolling' if you
>> prefer), David H. Lipman, though it is quite amusing - in that you seem
>> to completely lack the very small quantity of brain power required, to
>> deduce that he is light years ahead of yourself, ...in every regard :-)
>>
>> regards, Richard
>
> Hello Richard
>
> Sorry - don't mean to be tiresome - just trying to get Mr Lipman to give
> me a straight answer to my question(s)!
>
> BTW - I think you exaggerate a little!
>
> Dave
>
> PS Remind me of your experience at Aumha - did you get straight answers
> there?
Guest ~BD~
Posted November 5, 2008

"Paul Adare" <pkadare@gmail.com> wrote in message news:1kgkg0u2ljpnx$.86v74sinknt9$.dlg@40tude.net...

> On Tue, 4 Nov 2008 23:20:09 -0000, ~BD~ wrote:
>
>> - just trying to get Mr Lipman to give me
>> a straight answer to my question(s)!
>
> You of all posters here, have no right to demand anything of anyone.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca

I have every right to ask questions, Mr Paul Adare. Indeed, I feel it my duty to do so.

I have made no demands of anyone.

Are you feeling guilty?

D.
Guest FromTheRafters
Posted November 5, 2008

"~BD~" <~BD~@no.mail.afraid.com> wrote in message news:usoXkXtPJHA.1164@TK2MSFTNGP03.phx.gbl...

> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
> news:ea$HJ4iPJHA.4304@TK2MSFTNGP03.phx.gbl...
>
>> That may work well for this malware, but care should be taken when
>> attempting to remove small fragments of malware while other larger
>> fragments can still execute. Retaliatory payloads could easily be added
>> to its current functionality.
>>
>> If it was able to modify the MBR in the first place, what's to stop it
>> from modifying it again after you have fixmbr'ed and rebooted? The
>> fragment in the MBR is usually just there to help it hide, so you have
>> not de-fanged it by fixmbring - you have only uncloaked it.
>
> Of whom are you asking this question FTR? (or perhaps it was rhetorical)

It was rhetorical; I attempted to point out that such an approach could be dangerous. If someone attempted to use this method against the wrong malware (or perhaps a wrong variant of this malware), bad things could happen.

This one uses the MBR both as a way to add stealth and as a way to start the program. It is not necessary that the autostart method for the bulk of a malware's payload be in the MBR. Replacing the MBR will inhibit the program from starting. But if the rootkit used the MBR only for the stealth function and some other method was used for the persistence, simple replacement of the MBR could prove a disaster if retaliatory payloads are used.
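The two technical points in this thread, that an MBR rootkit has to be detected at the sector level (FromTheRafters, with Lipman's GMER mbr link) and that a restored MBR only proves the MBR was restored (FromTheRafters above), can be made concrete with an MBR integrity check. The following is an added example, not code from the thread and not GMER's method: it parses a 512-byte MBR, validates its layout and compares the boot-code hash against a baseline taken while the disk was known good; the sample image is constructed, and the raw-device paths in read_mbr are only documented, not read by the demo.

```python
"""MBR integrity check: parse a 512-byte master boot record, validate its
structure and compare the boot code against a known-good baseline hash.
Added illustration only; not GMER's method and not code from the thread."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the boot code
PART_TABLE_OFFSET = 446         # four 16-byte partition entries follow
SIGNATURE_OFFSET = 510          # last two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr(boot_code_fill: int) -> bytes:
    """Constructed sample image (not captured from any real disk).

    The boot code is one repeated byte so two versions can be told apart;
    the partition table holds one active NTFS-type (0x07) partition at LBA 2048.
    """
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_SIZE
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2_097_152)
    table = entry + bytes(16 * 3)          # remaining three slots empty
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(image: bytes) -> dict:
    """Return the boot-code hash, the signature check and non-empty partition entries."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(image)}")
    partitions = []
    for slot in range(4):
        offset = PART_TABLE_OFFSET + 16 * slot
        # CHS fields are skipped (3x); only status, type, LBA start and length matter here
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, offset)
        if ptype == 0:                     # empty slot
            continue
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_SIZE]).hexdigest(),
        "signature_ok": image[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(image: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare an MBR image with a baseline recorded while the disk was known good.

    Returns a list of findings; an empty list means the MBR matches the baseline.
    A clean result covers the MBR only: it says nothing about a payload that
    persists elsewhere on the disk, which is the caveat raised in the thread.
    """
    info = parse_mbr(image)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 0x55AA")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from the known-good baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings


def read_mbr(path: str) -> bytes:
    """Read the first sector from a disk image file or a raw device.

    On Windows the raw device is \\\\.\\PhysicalDrive0 (administrator rights
    required); on Linux a path such as /dev/sda. A read made from inside a
    running, possibly rootkitted system can itself be filtered, so the
    trustworthy comparison is an offline read from clean boot media.
    """
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr(0x90)
    baseline = parse_mbr(good)["boot_code_sha256"]
    print("known-good image:", check_mbr(good, baseline) or "no findings")
    altered = build_sample_mbr(0xEB)      # boot code replaced, table untouched
    print("altered image:", check_mbr(altered, baseline))
```

The baseline hash should be recorded (and later compared) from a read that bypasses the running system, since a hash that matches again after fixmbr confirms only that the first sector was restored.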
Guest ~BD~
Posted November 5, 2008

My replies in-line!

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:ONiG5wiPJHA.4576@TK2MSFTNGP03.phx.gbl...

>> Thanks for your post - I very nearly posted a similar article about the
>> Sinowal virus this morning!
>
> Despite what you may find experts saying, this is not a virus. A virus is
> a very specific type of malware - this does not qualify.

My bad. Sorry!

>> My understanding is that this virus can, and indeed does, install itself
>> silently - without the knowledge of the user of the computer.
>
> It is a trojan horse program - to begin with.
>
> ...then, once installed, it is many other things.

My bad x2. Sorry!

>> If the machine continues to all intents and purposes to 'work' the
>> malware is unlikely to be discovered. However, let's suppose that I
>> mention this 'nastie' to a friend and he says "How can I check to see if
>> I have been infected?".
>>
>> What answer should I give him?
>
> The most important aspect of the program (once installed) is its ability
> to hide - it uses the MBR to implement a 'rootkit' - you need to detect
> this rootkit.
>
> David Lipman recommends GMER often enough for me to think that
> it is a good rootkit detector. I suspect he would know better than most
> posters here.
>
> - just a hunch ;-)

So ......... now what many will think a stupid question.

How can one be certain that GMER is simply a great tool to detect rootkits? (and doesn't damage a machine!)

I caught this item 'in passing' as it were:-

Sanctuary (thank you Paul Vixie and ISC) welcomes gmer.net. I also thank Matt Jonkman for his excellent assistance, and Register.com for being on the phone all day with us. gmer, this one is for you brother.

GMER Application: download
Catchme: download

gmer has asked that this page remain, so to visit the site, click here.

-Paul Laudanski, 12:55PM EST Sunday, 21Jan2007

If there are problems with the site, please contact me.

So then a trip here: http://www.linkedin.com/pub/1/49a/17b to discover lots about Paul Laudanski.

Seems pretty conclusive to me!

Dave

PS How nice it would be if similar info was available about Mr Lipman!
Guest Leonard Grey
Posted November 5, 2008

Re: How can I tell if a keylogger got added to my PC while I was in Beijing?

Everyone: The sooner we stop giving this guy an audience, the sooner he'll go away.
---
Leonard Grey
Errare Humanum Est

~BD~ wrote:<snipped>
Guest Tom [Pepper] Willett
Posted November 5, 2008

No, we've done it before, and he keeps coming back. Besides, it's 'Be Kind to Nutjobs' week.

"Leonard Grey" <l.grey@invalid.invalid> wrote in message news:%23pitmguPJHA.4224@TK2MSFTNGP04.phx.gbl...
: Everyone: The sooner we stop giving this guy an audience, the sooner
: he'll go away.
: ---
: Leonard Grey
: Errare Humanum Est
:
: ~BD~ wrote:<snipped>
Guest Peter Foldes
Posted November 6, 2008

Are you kidding? I have known this guy for a few years, since he started posting on other servers, and as they say you cannot even b t him to d th

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Leonard Grey" <l.grey@invalid.invalid> wrote in message news:%23pitmguPJHA.4224@TK2MSFTNGP04.phx.gbl...
> Everyone: The sooner we stop giving this guy an audience, the sooner
> he'll go away.
> ---
> Leonard Grey
> Errare Humanum Est
>
> ~BD~ wrote:<snipped>
Guest FromTheRafters
Posted November 6, 2008

"Kayman" <kaymanDeleteThis@operamail.com> wrote in message news:OmOFM9kPJHA.2348@TK2MSFTNGP05.phx.gbl...
> On Mon, 3 Nov 2008 22:19:57 -0500, FromTheRafters wrote:
>
>>> Thanks for your post - I very nearly posted a similar article about the
>>> Sinowal virus this morning!
>>
>> Despite what you may find experts saying, this is not a virus. A virus is
>> a very specific type of malware - this does not qualify.
>>
>>> My understanding is that this virus can, and indeed does, install itself
>>> silently - without the knowledge of the user of the computer.
>>
>> It is a trojan horse program - to begin with.
>>
>> ...then, once installed, it is many other things.
>>
>>> If the machine continues to all intents and purposes to 'work' the
>>> malware
>>> is unlikely to be discovered. However, let's suppose that I mention this
>>> 'nastie' to a friend and he says "How can I check to see if I have been
>>> infected?".
>>>
>>> What answer should I give him?
>>
>> The most important aspect of the program (once installed) is its ability
>> to hide - it uses the MBR to implement a 'rootkit' - you need to detect
>> this rootkit.
>>
>> David Lipman recommends GMER often enough for me to think that
>> it is a good rootkit detector. I suspect he would know better than most
>> posters here.
>>
>> - just a hunch ;-)
>
> Educational viewing!
> Mark Russinovich - Advanced Malware Cleaning
> http://www.microsoft.com/emea/spotlight/se...spx?videoid=359
> (Rootkit issues are discussed towards the end of the presentation).

Thanks for the link Kayman.

...and I'm glad somebody else threw a Pakistani Brain 20th anniversary bash.
Guest FromTheRafters
Posted November 6, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:enDi%23AjPJHA.4372@TK2MSFTNGP04.phx.gbl...
> From: "FromTheRafters" <erratic@nomail.afraid.org>
>
>>> Thanks for your post - I very nearly posted a similar article about the
>>> Sinowal virus this morning!
>
> | Despite what you may find experts saying, this is not a virus. A virus is
> | a very specific type of malware - this does not qualify.
>
>>> My understanding is that this virus can, and indeed does, install itself
>>> silently - without the knowledge of the user of the computer.
>
> | It is a trojan horse program - to begin with.
>
> | ...then, once installed, it is many other things.
>
>>> If the machine continues to all intents and purposes to 'work' the
>>> malware
>>> is unlikely to be discovered. However, let's suppose that I mention this
>>> 'nastie' to a friend and he says "How can I check to see if I have been
>>> infected?".
>
>>> What answer should I give him?
>
> | The most important aspect of the program (once installed) is its ability
> | to hide - it uses the MBR to implement a 'rootkit' - you need to detect
> | this rootkit.
>
> | David Lipman recommends GMER often enough for me to think that
> | it is a good rootkit detector. I suspect he would know better than most
> | posters here.
>
> | - just a hunch ;-)
>
>
> http://www2.gmer.net/mbr/

Nice write-up! Did you view the link Kayman posted? It is recommended apparently that many different rootkit detectors be employed - such as is the case with the non-viral malware (spyware/adware) detectors. Some may catch what others may miss (no real surprise there).

Thanks for the link, it's a keeper.
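The rootkit detectors discussed in this thread (GMER, RootkitRevealer and the like) rely on cross-view comparison: enumerate objects through the normal Windows APIs, enumerate them again by a route the rootkit is less likely to have hooked (raw volume or hive parsing), and treat anything present only in the low-level view as hidden. The block below is an added illustration of that logic and of the "use several tools and merge what they report" advice in the post; it is not the code of any of those tools. All file and registry listings, and the tool names toolA/toolB/toolC, are constructed for the example.

```python
"""Cross-view rootkit detection on constructed data (added example).

Compare what the operating system's high-level APIs report with what a
low-level scan finds. An object present in the raw view but absent from the
API view is being hidden from normal tools; an object present only in the
API view is usually a transient (created or deleted between the two
enumerations), which is why single-tool, single-object findings are marked
for review rather than reported as fact. All listings are constructed.
"""
from collections import defaultdict


def cross_view_diff(api_view, raw_view):
    """Return objects hidden from the API (raw-only) and API-only phantoms."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


def merge_detector_results(results_by_tool):
    """Merge per-tool hidden-object lists into one table of object -> tools.

    results_by_tool: {tool_name: [hidden_object, ...]}
    An object reported by more than one independently scanning tool is
    marked corroborated; a single-tool finding is kept but flagged.
    """
    seen = defaultdict(set)
    for tool, hidden in results_by_tool.items():
        for obj in hidden:
            seen[obj].add(tool)
    merged = []
    for obj in sorted(seen):
        tools = sorted(seen[obj])
        merged.append({"object": obj, "reported_by": tools,
                       "corroborated": len(tools) > 1})
    return merged


# --- constructed sample views (not real scan output) -------------------------
# toolA enumerates files: API listing vs. direct parsing of the volume.
TOOL_A_API = ["C:\\Windows\\System32\\drivers\\disk.sys",
              "C:\\Windows\\System32\\drivers\\ntfs.sys",
              "C:\\Windows\\Temp\\scanlog.tmp"]
TOOL_A_RAW = ["C:\\Windows\\System32\\drivers\\disk.sys",
              "C:\\Windows\\System32\\drivers\\ntfs.sys",
              "C:\\Windows\\System32\\drivers\\hidden_example.sys"]
# toolB enumerates registry services: API listing vs. hive parsing.
TOOL_B_API = ["HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk",
              "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Ntfs"]
TOOL_B_RAW = TOOL_B_API + ["HKLM\\SYSTEM\\CurrentControlSet\\Services\\HiddenSvc"]
# toolC is a second, independent file scanner whose hidden list we already have.
TOOL_C_HIDDEN = ["C:\\Windows\\System32\\drivers\\hidden_example.sys"]


def run_sample():
    """Run both cross-view comparisons and merge them with the third tool's list."""
    a = cross_view_diff(TOOL_A_API, TOOL_A_RAW)
    b = cross_view_diff(TOOL_B_API, TOOL_B_RAW)
    return merge_detector_results({"toolA": a["hidden"],
                                   "toolB": b["hidden"],
                                   "toolC": TOOL_C_HIDDEN})


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

In the sample, scanlog.tmp shows up as a phantom in toolA's API view (a file that vanished between the two passes), which is the sort of one-off difference that makes a raw diff noisy; the hidden driver is corroborated by two scanners, while the hidden service key rests on one tool's word and is flagged accordingly.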
Guest Kayman
Posted November 6, 2008

On Wed, 5 Nov 2008 21:34:02 -0500, FromTheRafters wrote:
> "Kayman" <kaymanDeleteThis@operamail.com> wrote in message
> news:OmOFM9kPJHA.2348@TK2MSFTNGP05.phx.gbl...
>> On Mon, 3 Nov 2008 22:19:57 -0500, FromTheRafters wrote:
>>
>>>> Thanks for your post - I very nearly posted a similar article about the
>>>> Sinowal virus this morning!
>>>
>>> Despite what you may find experts saying, this is not a virus. A virus is
>>> a very specific type of malware - this does not qualify.
>>>
>>>> My understanding is that this virus can, and indeed does, install itself
>>>> silently - without the knowledge of the user of the computer.
>>>
>>> It is a trojan horse program - to begin with.
>>>
>>> ...then, once installed, it is many other things.
>>>
>>>> If the machine continues to all intents and purposes to 'work' the
>>>> malware
>>>> is unlikely to be discovered. However, let's suppose that I mention this
>>>> 'nastie' to a friend and he says "How can I check to see if I have been
>>>> infected?".
>>>>
>>>> What answer should I give him?
>>>
>>> The most important aspect of the program (once installed) is its ability
>>> to hide - it uses the MBR to implement a 'rootkit' - you need to detect
>>> this rootkit.
>>>
>>> David Lipman recommends GMER often enough for me to think that
>>> it is a good rootkit detector. I suspect he would know better than most
>>> posters here.
>>>
>>> - just a hunch ;-)
>>
>> Educational viewing!
>> Mark Russinovich - Advanced Malware Cleaning
>> http://www.microsoft.com/emea/spotlight/se...spx?videoid=359
>> (Rootkit issues are discussed towards the end of the presentation).
>
> Thanks for the link Kayman.
> ...and I'm glad somebody else threw a Pakistani Brain 20th anniversary
> bash.

YW. Here's some additional info:

Avoiding Rootkit Infection.

The rules to avoid rootkit infection are for the most part the same as avoiding any malware infection; however, there are some special considerations:

Because rootkits meddle with the operating system itself they require full Administrator rights to install. Hence infection can be avoided by running Windows from an account with lesser privileges (LUA in XP and UAC in Vista).

Running MRT, provided monthly by MSFT, can be beneficial in detecting some rootkits.

Rootkit Removal applications.

The effectiveness of individual Rootkit removal applications is wide-ranging and it is recommended to utilize a collection of detection/removal tools; you are encouraged to try all of them (join relevant fora for additional support, i.e. interpretation of scan results):

ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

DarkSpy
http://www.antirootkit.com/software/DarkSpy.htm
http://www.antirootkit.com/forums/viewforum.php?f=18

F-Secure BlackLight (Download Trial)
http://www.f-secure.com/blacklight/
http://www.antirootkit.com/forums/viewforum.php?f=13

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php
http://antirootkit.com/forums/index.php?si...781ffe4361c3a17

IceSword
http://www.antirootkit.com/software/IceSword.htm
http://www.antirootkit.com/forums/index.php

McAfee Rootkit Detective
http://download.nai.com/products/mcafee-av...itDetective.zip

RAIDE
http://www.rootkit.com/project.php?id=33
download: http://www.rootkit.com/vault/petersilberman/RAIDE_BETA_1.zip
http://www.rootkit.com/boardm.php

RootAlyzer
http://forums.spybot.info/showthread.php?t=24185
http://www.spybotupdates.com/files/rootalyz.zip

Rootkit Revealer
http://www.microsoft.com/technet/sysintern...itRevealer.mspx
http://forum.sysinternals.com/forum_topics.asp?FID=15

RootKit Hook Analyzer
http://www.softpedia.com/get/Security/Secu...-Analyzer.shtml
http://www.resplendence.com/hookanalyzer
http://www.antirootkit.com/forums/viewforum.php?f=17

Panda Anti Rootkit
http://research.pandasecurity.com/blogs/im...AntiRootkit.zip

Sophos Anti-Rootkit - Free tool for rootkit detection and removal
http://www.sophos.com/products/free-tools/...ti-rootkit.html
Direct link: http://www.sophos.com/support/cleaners/sarsfx.exe
http://www.techsupportforum.com/networking...ti-rootkit.html

System Virginity Verifier
http://www.softpedia.com/get/System/System...-Verifier.shtml
http://www.antirootkit.com/software/System...ty-Verifier.htm
http://www.antirootkit.com/forums/viewforum.php?f=25

VICE
http://www.rootkit.com/project.php?id=20
download: http://www.rootkit.com/vault/fuzen_op/vice.zip
http://www.rootkit.com/boardm.php