Discussion in 'Spyware' started by Jeff T, Jun 1, 2011.

  1. Jeff T

    G. Morgan Guest

    I wish I took pictures now. That's not what happened. My desktop icons
    were present, all files were visible. When I checked the security
    attributes "System and Admin" had no control. Here is a pic to explain
    a little better:

    I ran TDSS killer, nothing. Sas and MBAM, nothing.

    What's next for rootkit detection and removal, GMER?
    G. Morgan, Jun 13, 2011

  2. Jeff T

    G. Morgan Guest

    YW. But I did it for myself, trying to figure out how these scanners
    work (or don't work) on a low-level. I'm pretty sure there is some
    .dll(s) that are hooking into the memory I/O, filesystem, and disk I/O.
    Somehow doing it without Windows letting the user know. It's possible
    they have a trust agreement with MS, like any program that can be
    submitted for 'vetting'. Some programs have permission from M$ to alter
    the Windows Firewall w/o any user notification or confirmation. There
    are key loggers that get by MBAM, SaS, and Windows Defender.

    Spector Pro Keylogger is one such program. Why do companies like MBAM,
    SaS, and M$, ignore this very serious threat? Are they in bed with the
    manufacturer to buy their way out of being on the detection list?

    Or are the malware companies too scared to include commercial products
    in the list for fear of legal reasons?

    Maybe they are not able to figure out how to detect and remove it?

    What's the deal Dustin and David? Why won't MBAM detect Spector Pro?
    No, the machine still had another OS on it, and personal files on other

    I'm not sure my forensic investigation would be very thorough. I'm not
    trained for that. I'm having to start from -zero- and hope these guys
    here will help me along my learning journey.
    This is where I'll post it.
    Nor have I. My business card has my title as "Computer Wizard"!
    Oh really? Was he the really nice guy I have the impression he is?

    Oh shit. Come on David, please don't ruin this thread by bringing up
    G. Morgan, Jun 13, 2011

  3. Jeff T

    Dustin Guest

    LOL. Why do you think you deserve any answers? Why do you feel so
    If you think MBAM and SAS are "bad guys", or have hinky feelings about
    them, you are being paranoid. Both programs have been peer reviewed
    dude, nothing malicious has ever cropped up. Same with BugHunter.
    Believe you me, if somebody could find something wrong with any of
    those they'd be bragging about it until hell froze over.
    LOL! I was there. You're just a banned forum user. I owe you no
    explanation. I will provide you no explanation.
    Continue to dazzle us with more of your stupidity, really. It's funny.
    Malware is automagically created these days live, so that users get a
    different one each time they download. It wouldn't matter if you had
    100,000 researchers working on this fulltime 24/7/365, you still

    You implied I was fired or something, newsflash, I wasn't.
    It's not an opinion, moron. I'm a former employee, I had access to a
    lot more than you. ;p That fact is based on information I have that you
    do not. One of the perks of the job. lol. You however have nothing more
    than an opinion and it's a shady one. With nothing to support it
    whatsoever. It's time you learnt your place, BD. lol.
    You implied I had been fired, I wasn't. You've implied Malwarebytes may
    install a rootkit when you think you're clean because it said you were,
    it doesn't. Those aren't searching questions, they're slimeball antics.

    It's part of why you were removed from the forums. You're a slimeball,
    and every day, more people learn that about you. Kudos for the good job
    of pissing so many people off.
    What trumped up charges? This is just too funny.
    Are you going to try and get dirt on me like you did with David? Are
    you going to expose the poor bastard again, like you did last time? Go
    ahead, you'll find nothing bad on me. Only good things and you won't
    like having to repeat them. LOL!

    I own you BD, I always will.
    Dustin, Jun 13, 2011
  4. Jeff T

    Dustin Guest

    Hmm. I've yet to run across one quite like this that's just a main
    executable on its own. Likely something else present that set the
    If the TDL4 rootkit was active, you wouldn't have loaded TDSSKiller
    successfully. The programmers made it very easy to get itself marked
    and killed when it loads in memory.
    Doubtful rootkit is present...
    Wish I could have seen that box man.
    Dustin, Jun 13, 2011
  5. Jeff T

    Dustin Guest

    Must be an American only it.
    I would tend to dispute that. If you really understand the software and
    the hardware and you don't buy into the movie BS, you know that's
    simply NOT really possible.

    I have the skill to enter a courtroom as an expert witness in computer
    forensics, yes. In fact, I have done so. You already know this. Digital
    forensics, shithead, is digital forensics.

    Stop being anal. Malwarebytes is NOT malicious.
    Not an opinion. Again you confuse opinion with fact. Fact, the licensee
    didn't have the legal right to "loan" you a copy. Once you took that
    disc, you had warez. When you actually made use of it and discussed it,
    you violated forum policies and the rest is history. Your "opinion"
    which has no facts to support it is that you had the permission. LOL.
    You didn't, dude, as he didn't have it to give you in the first place.
    Dustin, Jun 13, 2011
  6. Jeff T

    Dustin Guest

    If you have viable samples and want to contribute to their demise, send
    them along to me. I'll pass them to the MBAM team and I might even do a
    bughunter update just for shits and giggles.
    BugHunter already knows various versions of the spectorsoft commercial
    keylogger. Despite legal threats, I never removed the definitions. MBAM
    also recognizes some versions. They update the software often to keep
    out of our databases tho. heh. I thought you knew that, since you seem
    to know so much now...
    LOL! Not hardly.
    Dude, seriously? Spectorsoft is a well behaved semi-stealthed (not
    really) program. It's child's play to detect and remove. Don't buy its
    nonsense sales hype. It does routinely provide newer executable builds
    which evade the known definitions. It's a cat/mouse game and since it's
    commercial, maybe they just aren't interested in buying it to detect it
    for a week or two?

    When I worked there, we did. You can ask that question in the forums
    and one of the people can explain things.
    Dustin, Jun 13, 2011
  7. Jeff T

    ~BD~ Guest

    *FAR CANAL*!!!!
    ~BD~, Jun 13, 2011
  8. Jeff T

    Dustin Guest

    submission to 0wnage accepted.
    Now, go make me some fresh coffee.
    Dustin, Jun 13, 2011
  9. Jeff T

    G. Morgan Guest

    I wish I saved an image of it now for analysis.

    Making matters worse is I can't find the notes. I wrote down the .exe
    name and 3 files it created.

    Okay, I'll try again. Please tell me your method for documenting stuff
    and the order you look for things. Since this was my first 'malware
    research', I was playing it all by best guesses and happenstance.

    I was just looking at running processes and services from "all users",
    and examined the ones I didn't recognize. I found the .exe when I got
    the pop-up, ran taskman and right clicked the "Windows Anti-Spyware" and
    go to file location. It brought me to the download directory, but was
    not there. I had not yet set Windows to show hidden and system files,
    but when I did, there they were. I killed the .exe just to begin to see
    the damage. If I didn't the pop-up would not allow me to get anything
    done, it was very persistent.
    G. Morgan, Jun 14, 2011
  10. Jeff T

    G. Morgan Guest

    Spector was the only one I tested. I posed this same question back when
    Good for you! I'm glad you didn't cave. If they had taken you to court
    and you won, it would set a great precedent. Maybe that's why they
    never pursued it?
    Actually, I did not know that a 'respected security' company would
    intentionally evade malware scanners so often.

    What is a sysadmin to do if there is no reliable way to detect and
    remove? I had root access to lots of computers in an HP lab, I could
    have easily installed it. How would the admin know his system was 100%

    I guess the answer is, he can't.
    It's a commercial spyware program that should be detectable. Microsoft
    should include its newest signature in every pushed update of the
    "Malicious Software Removal Tool".

    Meh.. maybe later.
    G. Morgan, Jun 14, 2011
  11. Jeff T

    Dustin Guest

    Hmm. I doubt that's the reason. More likely, BugHunter is completely
    free and I have nothing they could take. lol. :) BugHunter isn't as
    mainstream as the others tho, either. In any event, I don't care much
    for lawyers and I tend to tell them as much.
    LOL, they have to. Imagine you purchased it, you load it on your wife's
    laptop (you think she's fucking around). She scans the box, the damn
    thing gets caught... before it can transfer its goodies over to you.
    An admin with the proper tools can have a nice look around that box and
    know for reasonable certainty that it's clean.
    For some, I suppose. For example, if I don't trust this box OS, I boot
    Bart. Try hiding from me then, when your codebase isn't running. The
    thing is, you can't then. You're wide open, I *will* find you. You forget
    the side of the tracks I come from I guess. Trojans, stealth... nice n
    all, but I know the tricks too.
    Dustin, Jun 14, 2011
  12. Jeff T

    Buffalo Guest

    Hey Bulltinkle, you are even a bigger neurotic a-hole here than you are in
    the 24hr ng.
    Ask your mental dr for help, or, if you don't have one yet, GET ONE, ASAP!!!
    Buffalo, Jun 14, 2011
  13. Jeff T

    G. Morgan Guest

    What tools? Spector changes and morphs, so there is no guarantee. I
    suppose the admin could white list services and processes, but that
    would impede the work that has to be done. Besides, I was an admin
    member on some machines.
    G. Morgan, Jun 14, 2011
  14. Jeff T

    Dustin Guest

    While spector does change and morph, not ALL of the executable does so.
    I don't know why you want to get cheeky with me, but you're going to be
    sorry you did...Evidently you don't write code or study it, so here's a
    schooling for you.

    Boot bart, ensure OS environment is under my rules. Backup the systems
    registry hive files to say, C:\HOLD1. Next, mount the local system
    registry hive SOFTWARE, examine ALL of the possible load points for any
    executables. Examine them with snoop and if necessary, IDA

    Unload said hive, making changes as needed (I'll find spector this way
    alone, but I want you to understand your lesson well, so we're going

    Load SYSTEM hive, examine ALL load points (drivers baby!). Spector
    isn't here, I'm doing this for your education. Take notes. Unload
    system hive.

    SAM hive contains security/passwords. If you need to hack your way past
    the admin pass, that's the file you **** with. IPSec issues are dealt with
    in this file too. Take notes.

    Once you find spector, (It's a telltale giveaway, it'll be sitting in
    some hidden folder with a funny executable name. Should that not be
    enough of an eye-glaring catcher, when you open it in snoop and start
    viewing the text sections only, it'll mention its company's copyrights
    and a slew of other things. When I said it changed to avoid sig scans,
    it does, but not everything changes and when it changes, it's really
    just being moved from one place to another. Shuffle the code around in
    the editor, recompile kinda deal. Same program, different executable.

    Once I'm done playing in the registry, it's time to look on root for a
    fake explorer.exe (Windows will autoload it if it's present). Next I
    peruse the startup folders where I know for sure Windows will
    automagically run things. Finally, the temp folders, just in case the
    executables I found have friends they'll shell out to later.

    I may even have a looksee in the drivers folder, as the rootkit won't
    be resident and able to hide from me. I do a digital signature
    verification via command line on all Windows folders. Any DLLs which
    fail it are plucked for a closer examination. Unless I already know
    the DLL by its hash. I have a large database, doing this for such a
    long time n all.

    Okay.. That covers the majority of getting dirty. I'm leaving a few
    things out, but I think you get the point now... Eh?
    Dustin, Jun 14, 2011
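The triage loop Dustin lays out (walk the load points from the offline hive, trust nothing you cannot match against a hash database, dump the text of whatever is left so a hidden-folder location or a vendor copyright string stands out) can be written down as a small script. The example below is added here and is not Dustin's code or any tool from the thread. It assumes the autorun entries have already been pulled out of the mounted hive by some other step (it does not parse hive files), and every path, image byte string and hash in it is constructed for the example.

```python
"""Offline autostart triage, modelled on the hive-walk described in the post above.

Added example, not code from the thread. Inputs (autorun entries, executable
bytes, the known-good hash set) are constructed; real hive parsing is assumed
to have happened already.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Standard Windows load points under HKLM\SOFTWARE that an investigator walks.
# The key names are real; the entries placed under them in demo() are constructed.
SOFTWARE_LOAD_POINTS = (
    r"Microsoft\Windows\CurrentVersion\Run",
    r"Microsoft\Windows\CurrentVersion\RunOnce",
    r"Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# Substrings that make an unknown binary worth a closer look once its strings are dumped.
STRING_INDICATORS = ("copyright", "keylog", "stealth")


@dataclass
class AutorunEntry:
    load_point: str
    value_name: str
    path: str          # path written in the registry value
    image: bytes       # bytes of the executable, read from the offline disk
    hidden_dir: bool   # containing folder carries the hidden/system attribute


@dataclass
class Finding:
    entry: AutorunEntry
    sha256: str
    reasons: list = field(default_factory=list)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def triage(entries, known_good_sha256) -> list:
    """Flag every autorun entry whose image hash is not in the known-good set.

    A known hash is accepted without further inspection ("I already know the
    DLL by its hash"). Everything else is reported with at least the reason
    "unknown hash", plus "hidden folder" and any indicator strings found in
    the image, so no unknown binary silently drops out of the review.
    """
    findings = []
    for e in entries:
        digest = hashlib.sha256(e.image).hexdigest()
        if digest in known_good_sha256:
            continue
        f = Finding(e, digest, ["unknown hash"])
        if e.hidden_dir:
            f.reasons.append("hidden folder")
        lowered = [s.lower() for s in extract_strings(e.image)]
        for ind in STRING_INDICATORS:
            if any(ind in s for s in lowered):
                f.reasons.append("string:" + ind)
        findings.append(f)
    return findings


def demo() -> list:
    """Run triage over a constructed set of autorun entries and return the findings."""
    benign = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
    unknown_clean = b"MZ\x90\x00" + b"Example Backup Agent 1.0\x00" + b"\x00" * 16
    suspicious = (b"MZ\x90\x00" + b"\x00" * 8
                  + b"Copyright (c) EXAMPLE-VENDOR Keylogger Suite\x00"  # constructed text
                  + b"\x00" * 16)
    known_good = {hashlib.sha256(benign).hexdigest()}  # stands in for the hash database
    entries = [  # all paths and value names are hypothetical
        AutorunEntry(SOFTWARE_LOAD_POINTS[0], "updater",
                     r"C:\Program Files\Example\updater.exe", benign, False),
        AutorunEntry(SOFTWARE_LOAD_POINTS[0], "bkagent",
                     r"C:\Program Files\BkAgent\agent.exe", unknown_clean, False),
        AutorunEntry(SOFTWARE_LOAD_POINTS[1], "svchst32",
                     r"C:\Windows\Temp\.sys\xk3q.exe", suspicious, True),
    ]
    return triage(entries, known_good)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.entry.load_point}\\{f.entry.value_name} -> {f.entry.path}")
        print(f"  sha256={f.sha256[:16]}... reasons={', '.join(f.reasons)}")
```

The unknown-but-clean agent is still listed, with only "unknown hash" against it: the point of the hash database is to shrink the pile that needs a manual look, not to decide innocence for you. The signature-verification pass Dustin mentions is a separate step on the live tooling and is not modelled here.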
  15. Jeff T

    G. Morgan Guest

    Dustin wrote:

    I don't know why you thought I was being "cheeky", I certainly didn't
    mean anything smart-ass. I already told you (I thought) I don't write

    [ lesson cut, pasted, and saved as .txt local]
    Yes, you have given me a lot to go on there. I do appreciate it, there
    are some real gems in there.
    G. Morgan, Jun 15, 2011
  16. Jeff T

    Dustin Guest

    I didn't remember you mentioning that.. Sorry. It just seemed cheeky to
    Dustin, Jun 15, 2011
  17. Jeff T

    ~BD~ Guest

    Dustin - you obviously know your stuff. No one is challenging you on that.

    Have you *ever*, though, loaded MBAM onto a fresh/clean computer and
    then run the programme? (the result should of course be that nothing
    untoward would have been found).

    Have you then uninstalled MBAM and then *forensically examined* the
    machine to determine if MBAM has, possibly, surreptitiously installed
    its very own malware - maybe a rootkit?

    Have you ever tested SuperAntispyware in a similar manner?

    If you have *not* done so ..... how can you be *certain* that nothing
    has been 'left behind'?

    Nobody has so far claimed that this exercise *has* been carried out. It
    appears that everyone simply assumes all is above board, so to speak. It
    may not be!

    ~BD~, Jun 15, 2011
  18. Jeff T

    Dustin Guest

    Yes, arsehole, I do. I told you I did in the beginning. In fact, I've
    told you how I operate. I want you to know what I'm holding so that
    when you do do something stupid, or get somebody else to, they can't
    say they weren't warned that I'd pull and use the double barrel and cut
    them in half. I play fair in that regard. You aren't challenging me on
    it now, and Graham I doubt will be again anytime soon. I liked him,
    considered him a techie fellow. Now, I consider him one of your lackeys
    so won't be talking to him anymore. Did you enjoy his schooling? That
    was your fault, David. I know you prodded him into challenging me here,
    I fucking know you did. You cost me a potentially useful associate down
    the road.
    Of course I have.
    Yes, I have.
    Again, YES I have.
    Because I've fucking done those things.
    I just wanted to see how far this would have to go before I actually
    said something about it. Some people just don't learn.
    Dustin, Jun 15, 2011
  19. Jeff T

    G. Morgan Guest

    If you think David prodded me into asking you anything you're mistaken.
    G. Morgan, Jun 15, 2011
  20. Jeff T

    ~BD~ Guest

    Black hats know their stuff too, Dustin. <grin>

    However, my comments are *not* intended to be a wind-up in any way.
    You've asked me to be straight-forward and ask you questions directly
    with no double-meaning or innuendo, so the following are just that -
    direct questions, answers to which may be of interest to others reading
    here, not just me.
    I like Graham too - but he's certainly *not* "one of my lackeys"!
    I did find what you said interesting.
    You are wrong about that. I urge you to reconsider cutting Graham from
    *Why* did you do so?
    *Why* did you? Were you suspicious about something?
    What made you decide to do so, Dustin?
    An explanation of your reasons for so doing will be appreciated.
    Out of interest, *when* did you look so closely at these products?

    Please clarify what you mean by this, Dustin. I'm trying *not* to read
    between the lines! TIA.

    ~BD~, Jun 16, 2011