Anti-Spyware Forums



Newfangled rootkits survive hard disk wiping

 
 
~BD~
Guest
Posts: n/a

 
      04-04-2009, 09:37 AM

"Tim Jackson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) et...
> ~BD~ wrote:
>> Tim Jackson wrote:
>>> BoaterDave wrote:
>>>
>>>> FYI - I started responding to you using Thunderbird but an error
>>>> message from Thunderbird appeared before I had completed all I had to
>>>> say. The only way out was to force the programme to quit, thus losing
>>>> all I had written. It has happened before. It's as if someone is
>>>> reviewing my message as I write it to decide if I should or should not
>>>> be allowed to send it. That could never be the case ........ could it?
>>>
>>>
>>> Set a short auto-save period in Thunderbird's options
>>> (composition/general), or use File/Save regularly to ensure a copy of
>>> what you were typing is retained in Drafts if it crashes.
>>>
>>> If the error is repeatable maybe you could track down the event that
>>> causes the crash, and report it.
>>>
>>>
>>> Tim Jackson

>>
>> Thanks for the advice, Tim.
>>
>> Auto-save was set to the default of 5 mins - I've reduced it to 2 mins.
>>
>> The drop-down 'error' message was something like "this message cannot be
>> saved in you Drafts folder" - but wouldn't let me cancel *or* continue.
>> i.e. not crashed exactly - but stuffed!
>>
>> --
>> Dave

>
> That's usually something to do with embedded images getting screwed up, eg
> if you copy one out of another message it only copies the link, not the
> image body, but the link is intra-message so it gets left hanging and
> can't be attached on save. (You have to save a copy to your HD and attach
> from there.) But that shouldn't happen in a Usenet post.
>
> It could possibly be having two edited versions of the same message open,
> contending for the same Drafts file.
>
> You could always try sending it to yourself instead of saving it.
>
>
> Tim


I missed your reply, Tim - sorry for not responding.

I'll bear in mind what you have said. It did happen again and this is
exactly what happened:-

A dropdown window said 'Confirm' "There was an error coppying the message to
the Sent folder. Retry?" Options were 'Cancel' or 'OK'

Clicking on 'OK' just re-issued the same 'Confirm' dropdown window.

Clicking on 'Cancel' initiated another dropdown window - 'Save Draft Error'
"Unable to save your message as a draft. Please verify that your Mail and
Newsgroup account settings are correct and try again". Only one option 'OK'

Clicking 'OK' resulted in the previous 'Confirm' dropdown window!!

Stuck in a loop - the only way out was to shut down Thunderbird (and lose
what had been written - grrr!)

Cheers

David


~BD~
Guest
Posts: n/a

 
      04-04-2009, 11:53 AM
My thanks to 'Unruh' for his/her comments.

Maybe I have misunderstood - but I thought that a NAT router provided a
complete barrier between a computer and the Internet - a hardware firewall.

You seem to suggest that a software firewall is needed too. Is that correct?

--
Dave

"Unruh" <(E-Mail Removed)> wrote in message
newsqNAl.19551$Db2.864@edtnps83...
> BoaterDave <(E-Mail Removed)> writes:
>
>>On Apr 1, 11:30 am, "FromTheRafters" <(E-Mail Removed)>
>>wrote:
>>> "BoaterDave" <(E-Mail Removed)> wrote in message
>>>
>>> news:(E-Mail Removed)...
>>>
>>> > This article
>>> >http://www.theregister.co.uk/2009/03...bios_rootkits/
>>> > refers to "unfettered root access"
>>>
>>> > Perhaps a silly question - if one connects to another server
>>> > deliberately for the purpose of sending and receiving messages in a
>>> > newsgroup (thus making a hole in one's defences?)
>>>
>>> When a legitimate path is made, I wouldn't call it a hole in one's
>>> defenses.
>>>

>
>>Just to be clear about this, FTR - if I connect to the newsgroups at
>>annexcafe.com (a private server) using Outlook Express, or any other
>>Newsreader, have I created a 'way in' to my computer in spite of
>>having a NAT router between me and the Internet?

>
> A NAT router is not very much of a protection. You should also have a
> firewall on your computer or on your router.
>
>
>>> > might this be
>>> > giving "unfettered root access" if one is operating with
>>> > Administrator privileges?

>
> Yes, it might be. Anything you download and which runs, runs as
> administrator and can thus do anything. Now usually news is not that
> dangerous-- it tends not to run things. But if there is a bug in your
> newsreader, all bets are off. It is called defence in depth. You do not
> rely on just one thing to defend you.
>
>
>>>
>>> This is why you should *not* be running with administrative privileges
>>> unless you are doing administrative tasks.

>
>>So, again to be clear, is your answer "yes"?

>
>>I value your opinions, FTR - thank you for posting in reply to my
>>queries.

>
>>FYI - I started responding to you using Thunderbird but an error
>>message from Thunderbird appeared before I had completed all I had to
>>say. The only way out was to force the programme to quit, thus losing
>>all I had written. It has happened before. It's as if someone is
>>reviewing my message as I write it to decide if I should or should not
>>be allowed to send it. That could never be the case ........ could it?

>
> Who knows. Yes, you could be running a rogue version of Thunderbird.
>
>
>>*This* message is being sent through Google groups using the Internet
>>rather than from a newsreader - that's why I use BoaterDave when
>>posting from Google Groups and ~BD~ when using a newsreader - it helps
>>me to remember from whence I actually posted!

>



~BD~
Guest
Posts: n/a

 
      04-04-2009, 05:14 PM
Tim Jackson wrote:
> ~BD~ wrote:
>> "Tim Jackson" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed) et...
>>> ~BD~ wrote:
>>>> Tim Jackson wrote:
>>>>> BoaterDave wrote:
>>>>>
>>>>>> FYI - I started responding to you using Thunderbird but an error
>>>>>> message from Thunderbird appeared before I had completed all I had to
>>>>>> say. The only way out was to force the programme to quit, thus losing
>>>>>> all I had written. It has happened before. It's as if someone is
>>>>>> reviewing my message as I write it to decide if I should or should
>>>>>> not
>>>>>> be allowed to send it. That could never be the case ........ could
>>>>>> it?
>>>>>
>>>>> Set a short auto-save period in Thunderbird's options
>>>>> (composition/general), or use File/Save regularly to ensure a copy
>>>>> of what you were typing is retained in Drafts if it crashes.
>>>>>
>>>>> If the error is repeatable maybe you could track down the event
>>>>> that causes the crash, and report it.
>>>>>
>>>>>
>>>>> Tim Jackson
>>>> Thanks for the advice, Tim.
>>>>
>>>> Auto-save was set to the default of 5 mins - I've reduced it to 2 mins.
>>>>
>>>> The drop-down 'error' message was something like "this message
>>>> cannot be saved in you Drafts folder" - but wouldn't let me cancel
>>>> *or* continue. i.e. not crashed exactly - but stuffed!
>>>>
>>>> --
>>>> Dave
>>> That's usually something to do with embedded images getting screwed
>>> up, eg if you copy one out of another message it only copies the
>>> link, not the image body, but the link is intra-message so it gets
>>> left hanging and can't be attached on save. (You have to save a copy
>>> to your HD and attach from there.) But that shouldn't happen in a
>>> Usenet post.
>>>
>>> It could possibly be having two edited versions of the same message
>>> open, contending for the same Drafts file.
>>>
>>> You could always try sending it to yourself instead of saving it.
>>>
>>>
>>> Tim

>>
>> I missed your reply, Tim - sorry for not responding.
>>
>> I'll bear in mind what you have said. It did happen again and this is
>> exactly what happened:-
>>
>> A dropdown window said 'Confirm' "There was an error coppying the
>> message to the Sent folder. Retry?" Options were 'Cancel' or 'OK'
>>
>> Clicking on 'OK' just re-issued the same 'Confirm' dropdown window.
>>
>> Clicking on 'Cancel' initiated another dropdown window - 'Save Draft
>> Error' "Unable to save your message as a draft. Please verify that
>> your Mail and Newsgroup account settings are correct and try again".
>> Only one option 'OK'
>>
>> Clicking 'OK' resulted in the previous 'Confirm' dropdown window!!
>>
>> Stuck in a loop - the only way out was to shut down Thunderbird (and
>> lose what had been written - grrr!)
>>
>> Cheers
>>
>> David
>>

> It's not system-modal, or it shouldn't be. you can open another window
> to fix the problem, then come back and retry. I think you can even get
> back to the "Mail and Newsgroups" window.
>
> If not, the only way to debug it is to try lopping off bits of the
> message until it stops happening. Preferably with "save" rather than
> "send".
>
> Also try shutting the message box by the "X" in the corner
> Are you sure it said the "Sent" folder? At that point it should already
> have sent the file. You said "Drafts" before. I just wonder because I'm
> sure it didn't actually say "coppying" either.
>
> You must be doing something a bit obscure. The only time I've seen
> Thunderbird do this sort of thing is when I try to edit a previously
> sent message to resend it (eg mistyped address), or to copy and paste it
> into a new message AND the copied message contains embedded objects.
> When it saves or sends the message it tries to append the hyperlink
> targets, but it fails because the links are pointing to temporary files
> (which may have been used to create the original). The syntax doesn't
> exist to make a hyperlink point to a message in a TBird folder.
>
> Tim


I didn't expect a reply from you today!

This probably sounds silly - but I do not have an "X" in the corner!

The version of Thunderbird I'm using is 2.0.0.21

I'll load it onto my XP machine and see if it looks different.

I'm also quite certain that the messages were exactly as I described - I
wrote each one down as it happened.

Please refresh your mind on my query at the start of this thread!

--
Dave
Todd H.
Guest
Posts: n/a

 
      04-04-2009, 07:34 PM
"~BD~" <(E-Mail Removed)> writes:

> My thanks to 'Unruh' for his/her comments.
>
> Maybe I have misunderstood - but I thought that a NAT router provided a
> complete barrier between a computer and the Internet - a hardware firewall.
>
> You seem to suggest that a software firewall is needed too. Is that
> correct?


Hi BD,

The only thing that provides a complete barrier between your computer
and the internet is a scissors... to cut the connection physically.

While a hardware firewall does a rather good job of thwarting network
based attacks from the Internet into your network, it doesn't
completely protect you by any means.

A hardware firewall allows outbound traffic to the websites you view.
Websites containing code that exploits browser vulnerabilities are
among the threats a hardware firewall doesn't solve. Avoiding use
of Internet Explorer, using Firefox perhaps with the NoScript and
FlashBlock extensions are among some of the things you can do to make
that activity safer, as well as using signature and behavioral
analysis anti-malware software on the client side (i.e. your Windows
machine).

To be even safer, do your browsing in a virtual machine running
something other than Windows, and roll that virtual machine back every
hour or so to a known state.

The value of a host based firewall is debatable in your environment.
They're a useful thing to have however when a mobile computer is
joining hostile networks (think wireless hotspots) though.

Hope this helps some.

Best Regards,
--
Todd H.
http://www.toddh.net/
~BD~
Guest
Posts: n/a

 
      04-04-2009, 08:03 PM
"Todd H." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "~BD~" <(E-Mail Removed)> writes:
>
>> My thanks to 'Unruh' for his/her comments.
>>
>> Maybe I have misunderstood - but I thought that a NAT router provided a
>> complete barrier between a computer and the Internet - a hardware
>> firewall.
>>
>> You seem to suggest that a software firewall is needed too. Is that
>> correct?

>
> Hi BD,
>
> The only thing that provides a complete barrier between your computer
> and the internet is a scissors... to cut the connection physically.
>
> While a hardware firewall does a rather good job of thwarting network
> based attacks from the Internet into your network, it doesn't
> completely protect you by any means.
>
> A hardware firewall allows outbound traffic to the websites you view.
> Websites containing code that exploits browser vulnerabilities are
> among the threats a hardware firewall doesn't solve. Avoiding use
> of Internet Explorer, using Firefox perhaps with the NoScript and
> FlashBlock extensions are among some of the things you can do to make
> that activity safer, as well as using signature and behavioral
> analysis anti-malware software on the client side (i.e. your Windows
> machine).
>
> To be even safer, do your browsing in a virtual machine running
> something other than Windows, and roll that virtual machine back every
> hour or so to a known state.
>
> The value of a host based firewall is debatable in your environment.
> They're a useful thing to have however when a mobile computer is
> joining hostile networks (think wireless hotspots) though.
>
> Hope this helps some.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/




Many thanks for taking the time and trouble to respond in a sensible manner,
Todd H - it's much appreciated!

Scissors won't do the job nowadays though - I'm connected wirelessly to my
router (but I get your drift!)

I've always used a firewall - at first Zone Alarm and then, with the advent
of XP SP2, the Windoze firewall.

I've played around with Virtual Machine 'stuff' but decided to go the Apple
Mac route for now. It 'feels' safer, even if it isn't!

Warm regards to you,
--
Dave

~BD~
Guest
Posts: n/a

 
      04-04-2009, 09:24 PM
Todd H. wrote:
> "~BD~" <(E-Mail Removed)> writes:
>
>> My thanks to 'Unruh' for his/her comments.
>>
>> Maybe I have misunderstood - but I thought that a NAT router provided a
>> complete barrier between a computer and the Internet - a hardware firewall.
>>
>> You seem to suggest that a software firewall is needed too. Is that
>> correct?

>
> Hi BD,
>
> The only thing that provides a complete barrier between your computer
> and the internet is a scissors... to cut the connection physically.
>
> While a hardware firewall does a rather good job of thwarting network
> based attacks from the Internet into your network, it doesn't
> completely protect you by any means.
>
> A hardware firewall allows outbound traffic to the websites you view.
> Websites containing code that exploits browser vulnerabilities are
> among the threats a hardware firewall doesn't solve. Avoiding use
> of Internet Explorer, using Firefox perhaps with the NoScript and
> FlashBlock extensions are among some of the things you can do to make
> that activity safer, as well as using signature and behavioral
> analysis anti-malware software on the client side (i.e. your Windows
> machine).
>
> To be even safer, do your browsing in a virtual machine running
> something other than Windows, and roll that virtual machine back every
> hour or so to a known state.
>
> The value of a host based firewall is debatable in your environment.
> They're a useful thing to have however when a mobile computer is
> joining hostile networks (think wireless hotspots) though.
>
> Hope this helps some.
>
> Best Regards,


I went to explore your web pages ('cause I can!)and intended to watch
your video clips. Regrettably I received this message:-

"The requested URL /users/kmorgan/todd/hike_back.avi was not found on
this server."

None of the links worked for me. Just thought you might like to know!

I loved your rabbit piccies!

--
Dave
Todd H.
Guest
Posts: n/a

 
      05-04-2009, 04:59 AM
"~BD~" <(E-Mail Removed)> writes:

>
> Many thanks for taking the time and trouble to respond in a sensible manner,
> Todd H - it's much appreciated!
>
> Scissors won't do the job nowadays though - I'm connected wirelessly to my
> router (but I get your drift!)


Hee hee. Would a scissors between the router and the wall at least
do it? :-)

> I've played around with Virtual Machine 'stuff' but decided to go the Apple
> Mac route for now. It 'feels' safer, even if it isn't!


It's a less popular target for now at least, and your typical user
doesn't run as an administrator, so ... it is safer in a number of
ways. But it's far from impervious.

You can still play with virtualization on the mac too. Give a look at
VMWare Fusion if you want a throwback.

You may want to look with suspicion on Safari as much as one does with
Internet Explorer. It's proven itself pretty darned porous over the
years.

Enjoy!

Best Regards,
--
Todd H.
http://www.toddh.net/
BoaterDave
Guest
Posts: n/a

 
      07-04-2009, 07:27 AM
On Apr 5, 5:59 am, (E-Mail Removed) (Todd H.) wrote:
> "~BD~" <(E-Mail Removed)> writes:
>
> > Many thanks for taking the time and trouble to respond in a sensible manner,
> > Todd H - it's much appreciated!

>
> > Scissors won't do the job nowadays though - I'm connected wirelessly to my
> > router (but I get your drift!)

>
> Hee hee. Would a scissors between the router and the wall at least
> do it? :-)



Most certainly!



> > I've played around with Virtual Machine 'stuff' but decided to go the Apple
> > Mac route for now. It 'feels' safer, even if it isn't!

>
> It's a less popular target for now at least, and your typical user
> doesn't run as an administrator, so ... it is safer in a number of
> ways. But it's far from impervious.



I do understand.



> You can still play with virtualization on the mac too. Give a look at
> VMWare Fusion if you want a throwback.



I may experiment later - for now I have enough new things to learn!



> You may want to look with suspicion on Safari as much as one does with
> Internet Explorer. It's proven itself pretty darned porous over the
> years.



OK - thanks for the warning!


> Enjoy!
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/


Did you note that the links on your web site to your bunnie video
clips no longer 'work' - not here on my computer, anyway?

Cheers
--
Dave

Dustin
Guest
Posts: n/a

 
      24-07-2011, 01:52 PM
~BD~ <~BD~@nomail.afraid.com> wrote in
news:(E-Mail Removed):

> FromTheRafters wrote:
>> "BoaterDave"<(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)
>> m...
>>> This article
>>> http://www.theregister.co.uk/2009/03...bios_rootkits/
>>> refers to "unfettered root access"
>>>
>>> Perhaps a silly question - if one connects to another server
>>> deliberately for the purpose of sending and receiving messages in
>>> a newsgroup (thus making a hole in one's defences?)

>>
>> When a legitimate path is made, I wouldn't call it a hole in one's
>> defenses.
>>
>>> might this be
>>> giving "unfettered root access" if one is operating with
>>> Administrator privileges?

>>
>> This is why you should *not* be running with administrative
>> privileges unless you are doing administrative tasks.
>>
>>

>
> Isn't this *exactly* what Dustin Cook has recently discovered *can*
> now be done - and quite easily?
>
> See: Message-ID: <Xns9F22D625590D9HHI2948AJD832@no>
>
> **
>
> As the Apple OS X operating system doesn't actually /have/ a BIOS,
> as such, will Macs be unaffected, or be just as vulnerable as any
> other computer? http://wiki.osx86project.org/wiki/index.php/EFI


BD, some pc/macs do indeed contain a BIOS. As far as the mac version of
lojack, I don't have a copy of it to play with.




--
I am a sinner
Hold my prayers up to the sun
I am a sinner
Heaven's closed for what I've done.