Resume:AmatuerForensics Resume: AmatuerForensics
(old: http:// www .bluecollarpc.net/forensics.html [All closed Fall 2009]
Resume: AmatuerForensics Build “Pseudo 14 Teredo Trojan Botnet Attack”
SOURCE: Resume: AmatuerForensics Build “Pseudo 14 Teredo Trojan Botnet Attack”….. http: // bluecollarpc.net/smf/index.php?topic=380.0CLOSED
[NOTE this is in no way a “job interview” but meant in the sentiment by Beatle John Lennon at Let IT Be (rooftop) at the end saying, “I would like to say thank you on behalf of the group and myself and I hope we passed the audition” LOL Resume: Amatuer Forensics Build “Pseudo 14 Teredo Trojan Botnet Attack”….. _________________________________________________________________________. A ~ W O R K – IN – P R O G R E S S …..
(“Knowledge shall be the stability of thy times…”)
Logs: Botnet Attack-Denial Of Service,Catastrophic damage,MSN.com subscribers targeted http://tech.groups.yahoo.com/group/BlueCollarPC/message/2450 “Pseudo 14 Teredo Trojan Botnet Attack” – Botnet Attack-Denial Of Service,Catastrophic damage,MSN.com subscribers targeted http://groups.google.com/group/BlueCollarPC/browse_thread/thread/3228b2bc1ca5da8e BLOG: Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack January 28, 2009 http://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/ Tags: malware, trojan, botnet, pseudo, 14, IPv4, IPv6, tunneling, attack, worm, virus Posted in BCPCNet WebLog | 2 Comments »
RESUME: WEBMASTER BLUECOLLARPC.NET DOMAIN / AMATUER SECURITY FORENSICS
BCPCGroup ~ The BlueCollarPC.Net Website Security Group ——————–MEMBERS AREA: http://www.bluecollarpc.net/joingroup.html Mail domain bluecollarpc.net Live List Owner: firstname.lastname@example.org Service List Owner: email@example.com Post to Group (Members Only): firstname.lastname@example.org Help address email@example.com Subscription address: firstname.lastname@example.org Unsubscription address: email@example.com #Sender Policy Framework (SPF, http://spf.pobox.com) Protected #ALL Posts Moderated and List Protected with Antivirus Service. *Guard archive (message digests). Archive access requests from unrecognized SENDERs will be rejected. *Subscription requires confirmation by reply to a message sent to the subscription address. *Unsubscribe requires confirmation by a reply to a message sent to the subscription address.
((( FORENSICS – BUILD )))—>
building pc incident security forensics temporary amatuer build of a full amatuer forensics submission, ongoing to finish \ this text will be removed upon completion !
AMATUER PC SECURITY FORENSICS TITLE: “Pseudo 14 Teredo Trojan Botnet Attack”
INFECTION DATE Scan Time: 12/18/2008 4:02:15 PM
ESTIMATE: [transport Bug in the Environment] …
Last modified: Wednesday, July 16, 2003 http://www.webopedia.com/TERM/b/bug.html
An error or defect in software or hardware that causes a program to malfunction. Often a bug is caused by conflicts in software when applications try to run in tandem. According to folklore, the first computer bug was an actual bug. Discovered in 1945 at Harvard, a moth trapped between two electrical relays of the Mark II Aiken Relay Calculator caused the whole machine to shut down.
NON SAMPLE—> Unix transport bug (and a possible fix)
Unix transport bug (and a possible fix). 20 Jun 2003 15:58:02 +0200. Previous message: couple of trivial patches … http://lists.freedesktop.org/archives/dbus/2003-June/000389.html
All System Restore Points deleted (several) Windows System Restore access blocked (blank white pages). Access in all browsers blocked to security sites (blank white pages) and also MSN.com customer customer settings (blank white pages) along with blocking Internet Explorer from installation finalization in retrograde from version 7 back to 6 and back again creating their circle jerk game for MSN Customers (blank white pages) via the Run Once webpage needing 2 clicks to complete installation – with all identity wiped in the browser and DNS information, no connectivity (broadband/dsl). Blocking meaning these were all blank white browser page including the Google Pack panel and Trend Micro Internet 2009 panel. Help files booby trapped with virus. Access blocked to Computer shortcuts and browsers online to Windows Updates. Some log files deleted. Windows > Search function feature access blocked – blank white page. Control Panel > Users access blocked as blank white page. Others…. able to access Microsoft Baseline Analyzer online – visible, but radio buttons access blocked – kept clicking button nothing happened, cursor mouse inoperative just on button clicks at website for scan begin. More…..
[Apparent rootkit technologies in partiality are mechanism performing registry injection of false keys and files and payload facilitation – affording creation of a false positive detection and payload entry and transport via subsequent restore action as vehicle. The command registry injection by the limited rootkit technologies (stripped version apparently) and upload payload files constitute a “transport bug in the environment – matrix” as absence precludes delivery detection malicious and operative upon action taken. There were no valid detections basis for triggering false positive offered.]
# Injection 14 values here: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15 (Apparently causing blank white background on shells, browsers). Apparent encapsulated payload delivery and encapsulated ‘kiddie script’ as registry injection mini-load creating many type above and other keys in the various affected places to fake the appearance as a trojan via visual navigation behaviors.
# Worm present as all System Restore Points deleted.
# DNS broadband/dsl connectivity information wiped in system, connectivity destroyed, several security softwares disabled….
# Security scan logs do indicate major worm, traces of another major worm, spyware packages installed, additional viruses activated in Help Files and Downloader Trojan reported as installed.
# Apparent encapsulated payload delivery.
# SUMMATION: Damages 99.999 Percent of time defines a criminal botnet attack attempting even ‘spoofing’ of broadband/dsl connection and hijacking the computer immersing in crimeware botnet.
Trace.Registry.SpyPc 8.0!A2 (several)
Win32.Agent.bkw Trace.Registry.Internet Cleanup 5.0 (couple)
[Restored, Windows Installer remains damaged – inoperative after several fix attempts
Clarification – “psuedo trojan” is my term for a fake trojan unique to this infection payload.
MAJOR ZERO DAY THREATS – WINDOWS UPDATES PATCHES ISSUED FOR: # WMF meta file Zero Day # .AniCursor Zero Day # VML Zero Day (Vector Mark Up)
BLOGS ~ LISTS ~ GROUPS….. Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack January 28, 2009 by bluecollarpc http://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/ I guess a good name for this one is “Death Of A Sails man” ….. in referring to all the fun years on my Windows XP Home Edition Personal Computer. Sailing, surfing – you get it. Conficker Worm Targets Microsoft Windows Systems – Overblown? March 30, 2009 by bluecollarpc http://bluecollarpc.wordpress.com/2009/03/30/conficker-worm-targets-microsoft-windows-systems-overblown/ Security tip for Vista Firewall, others, against Conficker threats (Symantec)….. April 8, 2009 http://bluecollarpc.wordpress.com/2009/04/08/security-tip-for-vista-firewall-others-against-conficker-threats-symantec/ Tags: Conficker, firewall, open port, Port 5357, teredo, Vista Firewall Posted in BCPCNet WebLog | No Comments » Restoring false positive threat from Quarantine, Safe Mode dangers April 3, 2009 http://bluecollarpc.wordpress.com/2009/04/03/restoring-false-positive-threat-from-quarantine-safe-mode-dangers/ Tags: back up, botnets, false positive, kiddie scripts, registry, restore point, safe mode, safe practices, system restore, worms Posted in BCPCNet WebLog | 1 Comment » Conficker Worm Targets Microsoft Windows Systems – Overblown? March 30, 2009 Tags: botherder, botlord, botmaster, botnet, IPv4, IPv6, kiddie scripts, psuedo teredo, teredo, tunneling, worm, zombie, zombie networks Posted in BCPCNet WebLog, SpyLerts | 4 Comments » BCPCNet-Modcasts: “Malware Botnet Cartel” by BlueCollarPC.Net February 12, 2009 by bluecollarpc PLAY))) Malware Botnet Cartel (BCPCNet-Modcasts) http: // www. bluecollarpcnet/downloads/DestroyBotnetCartel.wCLOSEDma
COMMENTS: (bluecollarpc) http://www.bluecollarpc.net/ Cybercrime Treaty Gains Momentum… Article: http://www.networkworld.com/news/2008/040108-cybercrime-treaty-gains-more-interest.html?fsrc=rss-security
Vista User Account Control gets perfect score – rootkits – use disabling tweaks ? By bluecollarpc http://bluecollarpc.wordpress.com/2008/08/28/vista-user-account-control-gets-perfect-score-rootkits-use-disabling-tweaks/ Freeware security was a solution – once upon a time….. August 29, 2008 by bluecollarpc http://bluecollarpc.wordpress.com/2008/08/29/freeware-security-was-a-solution-once-upon-a-time/
COMMENTS ~ PUBS
LET’S AVOID….. US Consumers robbed: $8.5 Billion by online threats – throw PCs in trash August 11, 2008 by bluecollarpc http://bluecollarpc.wordpress.com/2008/08/11/us-consumers-robbed-85-billion-by-online-threats-throw-pcs-in-trash/ U.S. Consumers Lost Nearly $8.5 Billion to Online Threats (Kansas City InfoZine) Spyware accounts for $3.6 B in losses; 2.1 million computers replaced due to malware 8/8/2008 5:44 AM Read more| Open in browser http://www.infozine.com/news/stories/op/storiesView/sid/29832/
Tunneling to circumvent firewall policy http://en.wikipedia.org/wiki/Tunneling_protocol#Tunneling_to_circumvent_firewall_policy
CLOSED—-Group Email Addresses Related Link: http://bluecollarpc.net/ Post message: BlueCollarPC@yahoogroups.com Subscribe: BlueCollarPCfirstname.lastname@example.org Unsubscribe: BlueCollarPCemail@example.com List owner: BlueCollarPCfirstname.lastname@example.org #####BlueCollarPC.Net Memberships: ##### BlueCollarPC.Net Website Help Group http://www.bluecollarpc.net/joingroup.html BlueCollarPC.Net Portal Forums http://bluecollarpc.net/smf/index.php http://bcpcnet-com-portal.forumotion.net/forum.htm BlueCollarPC Yahoo Group http://tech.groups.yahoo.com/group/BlueCollarPC/ BlueCollarPC.Net WebLog http://bluecollarpc.net/wordpress/ Spy-Lerts Mail Lists http://www.bluecollarpc.net/spy-lerts.html Subscribe: email@example.com RSS: http://groups.google.com/group/spylerts/feed/rss_v2_0_msgs.xml?num=50 RSS: http://rss.groups.yahoo.com/group/Spy-Lerts/rss Dial Up Friendly http://www.bluecollarpc.org/ #####SPY-LERTS FROM BLUECOLLARPC.NET##### Mail List: firstname.lastname@example.org Join List: email@example.com Unsubscribe: firstname.lastname@example.org List Owner: email@example.com List Information: http://www.bluecollarpc.net/spy-lerts.html SPF Protected (Sender Authentication) http://spf.pobox.com MODERATOR ANNOUNCEMENT ONLY LIST / NO REPLY *****Moderated List, Internal Anti-Virus Protected***** #####OUR ~ ALTERNATES##### PDA Mobile Cafe Homepage http://www.pdamobilecafe.bluecollarpc.net/index.html Website Group/Join: http://www.pdamobilecafe.bluecollarpc.net/members1.html firstname.lastname@example.org PDA Mobile Cafe Yahoo Group http://tech.groups.yahoo.com/group/PDAMobileCafe/ PDAMobileCafeemail@example.com PDA Mobile Cafe Forums http://pdamobilecafe.freeforums.org/index.php Mobile PC and everything wireless – cell, pda, laptop Linux OS for older Windows Machines http://www.bluecollarpc.net/linux-ducks.html Linux-Ducks Yahoo Group http://tech.groups.yahoo.com/group/Linux-Ducks/ Linux-Ducksfirstname.lastname@example.org #####BCPCNET ALTERNATE GROUPS##### BCPCGroup ~ The BlueCollarPC.Net Website Security Group —————————————————————————————— MEMBERS AREA: http://www.bluecollarpc.net/joingroup.html Mail domain bluecollarpc.net Live List Owner: email@example.com Service List Owner: firstname.lastname@example.org Post to Group (Members Only): email@example.com Help address firstname.lastname@example.org Subscription address: email@example.com Unsubscription address: firstname.lastname@example.org #Sender Policy Framework (SPF, http://spf.pobox.com) Protected #ALL Posts Moderated and List Protected with Antivirus Service. *Guard archive (message digests). Archive access requests from unrecognized SENDERs will be rejected. *Subscription requires confirmation by reply to a message sent to the subscription address. *Unsubscribe requires confirmation by a reply to a message sent to the subscription address. ——————————————————————-/.
COMMENTS ATTACHED: (REPLIES) “~~~ BUILD NOTES…..~~~” .
Security Software Disabler Trojan http://inews.webopedia.com/TERM/S/security_software_disabler_Trojan.html
Botnet – Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Botnet
botnet Definition: TechEncyclopedia http://www.techweb.com/encyclopedia/defineterm.jhtml?term=botnet Botnet : Definition From Webopedia http://www.webopediacom/TERM/b/botnet.html
Article: Battling the Botnet Pandemic Lavasoft News – March 2007 http://www.lavasoft.com/company/newsletter/2007/2_28/article2.html Battling the Botnet Pandemic. Your home computer may be among the millions of PCs that are under the control of criminals, and worse yet, you may not even be aware of it.
Article: Botnet – CNET News.com http://news.com.com/Security+from+A+to+Z+Botnet/2100-7355_3-6138435.html Security from A to Z: Botnet | CNET News.com Security from A to Z: Botnet | These armies of zombie PCs are used by cybercriminals for sending spam .. These armies of zombie PCs are used by cybercriminals for sending spam. Part of a series on …
Article: Botnet Basics http://www.eweek.com/article2/0,1895,2097976,00.asp Botnet Basics Bots are software applications that run automated tasks over the Internet. A network of bots working under a central command and control center is a botnet. This eVideo seminar looks at the basic …
Article: Botnet Battle Already Lost? http://www.eweek.com/article2/0,1759,2029720,00.asp Is the Botnet Battle Already Lost? Botnets have become a big underground business, and the security industry has few answers. eWEEK … It’s dress-down Friday at Sunbelt Software’s Clearwater, Fla., headquarters. In a bland cubicle on …
MSNBC: The lowdown on ‘Bots’ http://www.msnbc.msn.com/id/17805145/ The lowdown on ‘Bots’ What are ‘bots’? “Bots” – short for robots – are hijacked computers that are infected by computer viruses and then used by criminals and pranksters for a variety of criminal and malicious purposes. Who controls ‘bots’? The criminals behind “bots,” known as “bot herders,” assemble armies of infected computers — often between 50,000 and 70,000 PCs strong — that they can then charge customers for the use of. The going rate for sending spam is $5,000 a day or more, according to Howard Schmidt, former White House cyberczar. What are ‘bots’ used for? “Bots” are used to spread malicious programs, send spam, fuel “pump-and-dump stock schemes and launch denial-of-service attacks, among other things. How many ‘bots” are there? Internet founding father Vint Cerf recently estimated that 150 million computers have been hijacked. Most other experts believe that figure is too high, but there is general agreement that “bots” number in the millions, if not the tens of millions. How can I tell if my computer is a ‘bot’? You can’t necessarily. Antivirus software will catch most known viruses, but new ones are being created all the time. It used to be that poor performance often tipped off users that their computers had been infected, but “bot herders” now distribute tasks among thousands of computers to avoid tell-tale crashes.
More: How big is the botnet problem? Feature By Julie Bort, Network World, 07/06/07 http://www.networkworld.com/research/2007/070607-botnets-side.html?fsrc=rss-security
by gerald309 » ——————————————————————————– BCPCNet Community Portal Administrator http://bluecollarpc.net/smf/index.php Webmaster BlueCollarPC.Net / .Org http://www.BlueCollarPC.Net http://www.BlueCollarPC.Org ~~~
BUILD NOTES…..~~~ AMATUER FORENSICS SYNOPSIS – NOTE – DEFINING TERM USED “ENCAPSULATION” – CLARIFICATION…
This was, of origin, declared an “in the wild threat” by me. The original posts defined that, in detail, blow by blow – and finally easily understood line by line. This began with the incorrect (false positive) and partial “detection” as a trojan as the threat payload which in reality was a full blown Conficker worm type botnet (worst). One and two parts and so on of the highly deceitful payload where as an enormous skyscraper size threat/damage which in reality to Advanced Users was an ant size minimal “joke program” threat – the lethal “kiddie script” added. Encapsulation, in my best guess opinion as my “Amatuer Forensics”, in – two manners – caused, first, the trojan false positive and second ALSO getting the unknown in the wild virus (lethal kiddie script) under the wire undetected by other existing real time antivirus that was in place and running up to date when the payload hit (while security suite was in uninstall/renewal state). That (lethal kiddie script) did the registry changes (malicious changes). But it goes a little further – A LOT FURTHER…..
Also disguised and delivered were at least one well known worm and three other viruses which FINALLY were detected by scans before executing. Now, how the hell did that happen. Right, IMPOSSIBLE. So in real world, although the lethal kiddie script had basically only performed all the result/symptom “blank white pages” which are the blocking of getting to security sites as well acting very much like ‘Restricted Sites” feature of Windows and behavior result of a trojan — in real world the entire payload was disguised (encapsulated) and this was one small part of the whole package. It (lethal kiddie script) ran first and was instantaneous. The worm ran simultaneously but took at least 4 seconds minimal to 6 to delete the several System Restore Points in Windows System Restore – and which was now blocked via the malicious registry changes already performed by the “lethal kiddie script”.
“Malicious Encapsulation” in computers is simply attempting to put a detectable malicious malware threat inside a package best disguising it and passing off as safe or okay communication. Or even more simply – like the infamous Unibomber that tragically sent out “mail bombs” to several persons. These got past everyone appearing as friendly normal safe mail packages on the outside and of course a nightmare was inside. It is entirely unfathomable to believe that existing real time protection antivirus in place running (proactive – not reactive stand alone free scanner) and, even a firewall to some extent, did not block (antivirus) or in the least detect (firewall) malicious behavior and/or malicious content of the major part of the payload delivered as the “same-name threat” – that old and well known worm file called “Explorer.exe”. This is a “same-name threat” meaning it has the same file process name as one in Windows (other softwares) and here, Explorer.exe which of course is Windows Explorer (where you access all files on the computer and the Windows Operating system files).
And so here we are. An older than the hills recrafted worm introduced with and by an unknown malicious script (lethal kiddie script) that was “encapsulated” to appear as a false positive trojan or downloader trojan. In the very least one must admit there were two malicious mechanisms of deceit – one being the one that caused a false positive to make the package look like a downloader trojan to a well known antispyware program and the other that disguised a large enough worm and at least 3 viruses to install without detection. In reality, could be the same as one mechanism. Like I said this is best shot as “Amatuer Computer Security Forensics” – this entitling me. LOL.
ALL “ENCAPSULATION” MEANS HERE – IDENTIFIED BY ME – IS AS BEST GUESS AMATUER FORENSICS THAT ENCAPSULATION CODING WAS USED TO FOOL KNOWN ANTISPYWARE AND WENT UNDETECTED BY ANTIVIRUS PROGRAMS AS UNDER THE WIRE DISGUISING – AND PAST TWO EXISITING UNDAMAGED FIREWALLS, ONE BEING WINDOWS XP FIREWALL. GRANTED COMODO FIREWALL MAY HAVE NOT BEEN FULLY CONFIGURED YET BY ME FOR FULL PORT STEALTH AND RECOMMENDED SECURITY LEVELS. I WAS VERY BUSY PAST HORRIFIED MAKING ALL NOTES DURING INVESTIGATION WHILE REPAIRS ONGOING AND AS BEST POSSIBLE AND NOW NOTICING A COUPLE DETAILS LIKE THAT WERE NOT NOTED. THIS IS NOT ABOUT A BLAME GAME SO THAT LINE IS INSIGNIFICANT HERE. WHAT THIS IS – IS THE “ANATOMY OF A BOTNET HIT- HOW AND WHAT FOR SAKE OF A BETTER HOME SECURITY DEFENSE ON THE AVERAGE PC WORLDWIDE AND AS WELL TO ANSWER THE QUESTION “WHAT THE HELL DOES A BOTNET DO ONCE INFECTING THE COMPUTER AND HOW THE HELL DOES IT GET THERE IN THE FIRST PLACE?” – THE ANSWER BEING – HERE YOU ARE LOOKING RIGHT AT ONE !
This (encapsulation – computer) is perhaps a fancy way to describe a typical new unknown virus in the wild – OR may be even a new coding completely unknown to any conventional malicious script disguising. In the very least, I think it must be agreed that the Comodo Suite Firewall/Antivirus would have CERTAINLY detected the all too common all too used malicious “explorer.exe” payload. Perhaps it (Comodo Antivirus) is not even “West Coast Certified” yet in its infancy even. That’s disastrous, as famous and like top three worldwide antispyware “Counterspy” has added antivirus that wasn’t (West Coast Certified) and created the “Vipre” suite minus firewall. I have tried Vipre recently (Holidays 2008) and found that out and as fast as I was reading that I seen they are now certified I believe. Look it up. I am looking up Comodo Antivirus for certifications. For we students in the College of Hard Knocks – once certified you are no longer called “crapware” publicly. Once certified enables the program as a contender in the major market – the coveted accomplishments. Certification brings proven factual trust opposed to a “false sense of security” – example: one with crapware antivirus telling everyone, being a newbie, “yeah I am full protected with my AV”. There are now over 1 million viruses. If the antivirus does not have these signature detection and removal definitions – duhh, you are NOT protected.
SEE….. ….. ….. West Coast Labs West Coast Labs (WCL) is one of the world’s leading independent test facilities. We are a global leader in research, testing and certification for … http://www.westcoastlabs.org/
ALSO….. Process name: Windows Explorer Product: Windows Company: Microsoft File: explorer.exe Security Rating: http://www.neuber.com/taskmanager/process/explorer.exe.html This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn’t as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system. Note: The explorer.exe file is located in the folder C:\Windows. In other cases, explorer.exe is a virus, spyware, trojan or worm! Virus with same name: W32.MyDoom.B – Symantec Corporation and other…
“LETHAL KIDDIE SCRIPT” IS MY TERM AS MEANING THE REAL KIDDIE SCRIPTS THAT WERE AMONG THE ORIGINAL VIRUSES WERE PRODUCED GENERALLY BY YOUNG AGED PERSONS AS A SHOW OFF TO HURT OR BREAK INTO A SYSTEM AS HACKER BUT MORE AS A SHOW OFF OR PROOF OF CONCEPT EVEN. HERE – SAME TYPE OF MALWARE BUT NOW WRITTEN UP TO INTENTIONALLY CAUSE MALICIOUS DAMAGE – “LETHAL”.
SEE…… terms – malicious code malicious script etc. Malware From Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Malware What is script kiddie? – A Word Definition From the Webopedia … This page describes the term script kiddie and lists other pages on the Web where you can find additional information. http://webopedia.com/TERM/S/script_kiddie.html
This is my first and probably last (maybe first of many?) actual “botnet attack” malware installations I have ever given any Malware Removal Help for – ironically being in my own machine. Best first hand example for experience and as Microsoft websites tell you in malware area webs to ‘don’t get all hung up in where this that and the other thing or how and why and so on – but rather concentrate on best effort of full clean removal and just move on’ – …..along those lines. That’s great advice except for Helpers who need to be on top as much as anyone in IT Security to be credible or trusted.
ENCAPSULATION – GOOD GUYS AND SEE “REAL TIME PROTECTION” AND “HEURISTICS” IN ANTIVIRUS AND ANTISPYWARE AND BEHAVIOR DETECTION…. etc.
EXAMPLE: “System and method for providing exploit protection with message tracking …… determining whether an encapsulation has been applied to an attachment associated with a message and unencapsulating such encapsulated attachment…..” System and method for providing exploit protection with message tracking – A method and system for providing protection from exploits to devices connected to a network. The system and method include a component for determining whether an encapsulation has been applied to an attachment associated with a message and unencapsulating such encapsulated attachment, and a component that performs at least one decompression … http://www.patentsurf.net/6,993,660
NOW…. TO ADD TO MY AMATUER FORENSICS ….. YOU ARE GOING TO SEE ONE OF THE SECRETS OF THIS DARK SIDE OF THE INTERNET CRIMEWARE MALWARE BOTNET HERE….. IF YOU WILL REMEMBER THE “SHELL” REGISTRY KEYS STRAIGHT ACROS THE BOARD THAT MADE ALL THE BROWSER AND SHELL WINDOWS TO DISPLAY BLANK WHITE PAGES….. HERE: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15 SEE….. Most Recently Used – Wikipedia, the free encyclopedia Jun 15, 2007 … Most Recently Used (MRU) may refer to: A specific menu in Microsoft Windows, see Common menus in Microsoft Windows; An uncommon method of … http://en.wikipedia.org/wiki/Most_Recently_Used http://en.wikipedia.org/wiki/Common_menus_in_Microsoft_Windows
That is a proper key with an additional copycat 14 value key. This corruption / rewrite of the key was extremely odd as kind of seeing doubles. One key, split, both values like seeing doubles of the key itself. SHOTZIE….. BINGO ….. GOTCHA…. HERE IS THE SECRET — THEY ARE USING TEMPORARY FILES BECAUSE LOOK AT THE KEY AND EVERYONE SHOULD KNOW THAT “MRU” MEANS “MOST RECENTLY USED” WHICH ARE TEMPORARY FILES AND CALLED YOUR TRACKS ON THE INTERNET – YOUR PC HISTORY OF NAVIGATIO YOU DO NOT WANT CRIMEWARE TO GET AHOLD OF AND IS WHY EVERYONE SAYS TO USE THE HISTORY CLEAN UP UTILITIES…. BUT THERE IS MORE….. THE TEMPORARY FILES OF TIS PAYLOAD HAD THE KIDDIE SCRIPTS TO CREATE LIKE A THREE DOOR CHOICE FOR FORENSICS AS TO THE FOLLOWING…. IS THE KEY A FABRICATED WINDOWS EXPLORER WEBSITE PAGE DISPLAYING A FAKE PAGE AS SUCH AS THE BLANK WHITE PAGE OF IT – FAKE SHELL ? IS IT AN ACTUAL SHELL OF LIKE A SOFTWARE CONTROL PANEL FOR EXAMPLE THAT IS FORCED TO DISPLAY JUST THE BLANK WHITE PAGE BECAUSE THIS IS THE DEFAULT OF WINDOWS WHEN SUCH A KEY IS CORRUPTED ? SO IT MOVES SIMPLY TO ARE THEY A FAKE SHELL EVEN OR ACTUAL AND VARIATIONS ON THE THEME OBVIOUSLY. SO THIS IS NEITHER HERE NOR THERE EXCEPT TO MOVE TO RESTORE THE REGISTRY IS THE ONLY WAY OUT IF THERE ARE THE HANDFULS AND HANDFULS AND HANDFULS OF THESE ENTRIES…. BUT…… HERE IS THE BANG….. YOU DID NOT CONSIDER THIS …. ARE THEY INJECTED TEMPORARY FILES REGISTRY ENTRIES FROM YOUR TRASH OR THEIRS ? IN OTHER WORDS RETREIVING THE GRAPHICS IMAGES OF A SHELL WITH —- HERE YOU GO BINGO —- REGISTRY INJECTION ? IN OTHER WORDS THE KEYS THEMSELVES ARE REGISTRY INJECTION OF CRAP THAT DOES NOT EVEN EXIST AND ARE CAUSING BLANK WHITE PAGES DISPLAY… ACTUALLY THE PAYLOAD JUST MASS INJECTS THE REGISTRY FOR ALL THE AREAS CAUSING THE DENIAL TO SECURITY WEBSITES WITH ANY BROWSER AND WHATEVER ELSE IS THE TARGET SUCH AS MSN CUSTOMERS AS WAS MINE. IT JUST IS VERY STRANGE THEY WOULD MASS INJECT FALSE KEYS PARTICLULARLY MOST RECENTLY USED (MRU) TEMPORARY HISTORIES. POINT ? THEY ARE USING MASS REGISTRY INJECTION FOR TEMPORARY FILES RETRIEVAL AND DISPLAY, MANIPULATED BY THE FALSE KEYS. YOU THINK I DON’T KNOW WHAT I AM TALKING ABOUT ? LOOK HERE AND TELL ME WHY THIS WAS CREATED AND WHY IT HAS SETTINGS TO DELETE ALL TEMPORARY MRU FILES AND KEYS TO BE SET FOR EVERY MINUTE, EVERY FEW MINUTES, EVERY HOUR, EVERY FEW HOURS AND SO ON….. WELL KNOWN POPULAR TRUSTED BEEN AROUND FOR YEARS JavaCoolSoftware.com ….. MRU Blaster http://www.javacoolsoftware.com/mrublaster.html Protect your privacy, and keep your PC free from clutter. Find and remove over 30,000 MRU lists. Version: 1.5 Free for personal & business use. http://www.javacoolsoftware.com/mrublaster.html MRU-Blaster works on Windows 95, 98, ME, NT, 2000, XP, or Vista. (Simply put: we need money to pay the bills. If you use MRU-Blaster, and are happy with it, we’d love if you would consider donating.) http://www.javacoolsoftware.com/mrublaster.html
BUT WHAT IF THE MRUs ARE FAKE REGISTRY INJECTION ” YOU SEE ? AND HOW THE HELL DO YOU CLEAN THEM UP (DELETE) IF THEY ARE CORRPUTED TOO ? SHOOTING BLANKS THINKING YOU ARE GOOD TO GO… BUT NONE THE LESS IS RECOMMEMDED SOFTWARE OBVIOUSLY ! ! ! DO IT ! ! AND ADD ALL TRACKS CLEAN UP ANDS RUN THEM CONTINUALLY TO GET RID OF ALL TEMPORARY HISTORY TRACKS…. SEE IT ? THE KEYS ARE FAKE KEYS MASS INJECTED AND NOT REALLY CORRUPTED / CHANGED / RE-WRITTEN KEYS AT ALL ! (POINT – BINGO) SEE IT ? HOW THE HELL IS ANY TRACKS CLEANING SOFTWARE GOING TO GET RID OF THEM ? THEY CAN’T BECAUSE THEY ARE NOT REAL FILES KEYS — GET IT ? SO FOR THE EXERCISE, WE ARE TALKING HEADS UP TO “REGISTRY MASS FAKE KEYS INJECTION” ….. GET IT ? GOOD. IT IS ALL OF THE MAGIC OF WINDOWS AT CORE ISSUE….. INDEXING, PREFETCH ALL THE TEMPORARY INTERNET FILES THAT MAKE WINDOWS SO FAST AND SO GRAPHICALLY VISUAL…. THESE PARTS ARE INDEXED FOR LIGHTENING SPEED AND ALL THEMSELVES ARE CONTINUALLY CREATING TEMPORARY FILES AND LOGS ALL OVER WINDOWS IN THEIR PROPER PLACES….. IN OTHER WORDS TURNING ALL THESE FEATURES OFF LEAVES YOU IN THE STONE AGE WITH EACH SIMPLE CLICK AND TASK TAKING UP TO 5 MINUTES EACH (dramatized). SO YOU MOVE FROM WINDOWS OR PC OR FIGHT. —————————————————————————————————————
CLARIFICATION….. The continual references of the IPv6 is the area of the attack actually is existing IPv4. This is the direct route to connectivity and malware disabling firewalls and the then counterfeit attempts at hijacking the broadband connection – or in others immersing the infected PC into a malware botnet – “zombie network”. IPv6 is the new scarcely used, I believe, internet services of the world web. Then in this light of course is what the reference to the IPv6 as here and future are the newer attacks and for future. All in all – this is all about the Windows XP Years and all the malware devastations the world has heard of or experienced. The idea of research here is checking out connectivity information between the PC and the ISP (Internet Service Provider like AOL,MSN, Earthlink etc) like your IP Number area and also firewalls. Connectivity area and firewalls. Anti-modem defense software like in dial up certainly enters the picture. It is not hard to know why the cyber criminal would prefer broadband – duhh! [innocent sarcasm].
So for the exercise here we are looking at these areas and how they are manipulated, counterfeited, hijacked, etc – and meaning particularly by a malware botnet. Everything is basically in the IPv4 areas in reality where the world web is in now and has been for years. Sorry for the several misquoted times early on. ————————————————————————————————————-
These abilities frequenting may became in part or full in any variants as a standard payload. Conficker Worm Botnet is a prime example as a close cousin here. Obviously these new times is these new deadly criminal botnets have changed Malware Removal Help….. No longer in caution or common sense can Community….
# Giving Help Instructions for Malware Removals to reboot into diagnostics Safe Mode for removals can not safely be advised. If Safe Mode is not blocked, it may intentionally give access but is booby trapped to disallow regaining rebooting into Normal Mode.
# Obviously Windows System Restore and Restore Points are rendered inoperable, deleted.
# Windows Updates and Security Software websites are blocked. Windows Installer may well be rendered inoperable denying download / install abilities.
# Windows Remote Invitations help may not be possible if client infected with keyloggers and crimeware culprits intercepting Password are entering first. May be inoperable. …..Also via encapsulated (or similar deceits) payloads may act as in the wild threats undetectable destroying both computer systems or engaging help in botnet via infection. # Mobile portable thumb drive (others) anti-malware may be needed to replace mentioned standard help avenues – and may need be prepared for Windows Installer repair.