Resume: AmatuerForensics Build “Pseudo 14 Teredo Trojan Botnet Attack”


http://bluecollarpc.webs.com/amateurforensics.htm

(old: http://www.bluecollarpc.net/forensics.html [All closed Fall 2009])


SOURCE: Resume: AmatuerForensics Build “Pseudo 14 Teredo Trojan Botnet Attack”….. http://bluecollarpc.net/smf/index.php?topic=380.0 [CLOSED]

[NOTE this is in no way a “job interview” but meant in the sentiment by Beatle John Lennon at Let It Be (rooftop) at the end saying, “I would like to say thank you on behalf of the group and myself and I hope we passed the audition” LOL] Resume: Amatuer Forensics Build “Pseudo 14 Teredo Trojan Botnet Attack”….. A ~ W O R K – IN – P R O G R E S S …..

(“Knowledge shall be the stability of thy times…”)

Logs: Botnet Attack-Denial Of Service,Catastrophic damage,MSN.com subscribers targeted http://tech.groups.yahoo.com/group/BlueCollarPC/message/2450 “Pseudo 14 Teredo Trojan Botnet Attack” – Botnet Attack-Denial Of Service,Catastrophic damage,MSN.com subscribers targeted http://groups.google.com/group/BlueCollarPC/browse_thread/thread/3228b2bc1ca5da8e BLOG: Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack January 28, 2009 http://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/ Tags: malware, trojan, botnet, pseudo, 14, IPv4, IPv6, tunneling, attack, worm, virus Posted in BCPCNet WebLog | 2 Comments »

RESUME: WEBMASTER BLUECOLLARPC.NET DOMAIN / AMATUER SECURITY FORENSICS

BCPCGroup ~ The BlueCollarPC.Net Website Security Group ——————–MEMBERS AREA: http://www.bluecollarpc.net/joingroup.html Mail domain bluecollarpc.net Live List Owner: bcpcgroup-listowners@bluecollarpc.net Service List Owner: bcpcgroup-owner@bluecollarpc.net Post to Group (Members Only): bcpcgroup@bluecollarpc.net Help address bcpcgroup-help@bluecollarpc.net Subscription address: bcpcgroup-subscribe@bluecollarpc.net Unsubscription address: bcpcgroup-unsubscribe@bluecollarpc.net #Sender Policy Framework (SPF, http://spf.pobox.com) Protected #ALL Posts Moderated and List Protected with Antivirus Service. *Guard archive (message digests). Archive access requests from unrecognized SENDERs will be rejected. *Subscription requires confirmation by reply to a message sent to the subscription address. *Unsubscribe requires confirmation by a reply to a message sent to the subscription address.

((( FORENSICS – BUILD )))—>

building pc incident security forensics temporary amateur build of a full amateur forensics submission, ongoing to finish \ this text will be removed upon completion !

AMATUER PC SECURITY FORENSICS TITLE: “Pseudo 14 Teredo Trojan Botnet Attack”

INFECTION DATE Scan Time: 12/18/2008 4:02:15 PM

ESTIMATE: [transport Bug in the Environment] …

DEFINITION—-> bug

 Last modified: Wednesday, July 16, 2003 http://www.webopedia.com/TERM/b/bug.html  

An error or defect in software or hardware that causes a program to malfunction. Often a bug is caused by conflicts in software when applications try to run in tandem. According to folklore, the first computer bug was an actual bug. Discovered in 1945 at Harvard, a moth trapped between two electrical relays of the Mark II Aiken Relay Calculator caused the whole machine to shut down.

NON SAMPLE—> Unix transport bug (and a possible fix)

Unix transport bug (and a possible fix). 20 Jun 2003 15:58:02 +0200. Previous message: couple of trivial patches … http://lists.freedesktop.org/archives/dbus/2003-June/000389.html

SYMPTOMATOLOGY:

All System Restore Points deleted (several). Windows System Restore access blocked (blank white pages). Access in all browsers blocked to security sites (blank white pages) and also MSN.com customer settings (blank white pages) along with blocking Internet Explorer from installation finalization in retrograde from version 7 back to 6 and back again creating their circle jerk game for MSN Customers (blank white pages) via the Run Once webpage needing 2 clicks to complete installation – with all identity wiped in the browser and DNS information, no connectivity (broadband/dsl). Blocking meaning these were all blank white browser pages including the Google Pack panel and Trend Micro Internet 2009 panel. Help files booby trapped with virus. Access blocked to Computer shortcuts and browsers online to Windows Updates. Some log files deleted. Windows > Search function feature access blocked – blank white page. Control Panel > Users access blocked as blank white page. Others…. able to access Microsoft Baseline Analyzer online – visible, but radio buttons access blocked – kept clicking button nothing happened, cursor mouse inoperative just on button clicks at website for scan begin. More…..

SYNOPSIS:

[Apparent rootkit technologies in partiality are mechanism performing registry injection of false keys and files and payload facilitation – affording creation of a false positive detection and payload entry and transport via subsequent restore action as vehicle. The command registry injection by the limited rootkit technologies (stripped version apparently) and upload payload files constitute a “transport bug in the environment – matrix” as absence precludes delivery detection malicious and operative upon action taken. There were no valid detections basis for triggering false positive offered.]

DIAGNOSIS

# Injection 14 values here: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15 (Apparently causing blank white background on shells, browsers). Apparent encapsulated payload delivery and encapsulated ‘kiddie script’ as registry injection mini-load creating many type above and other keys in the various affected places to fake the appearance as a trojan via visual navigation behaviors.

# Worm present as all System Restore Points deleted.

# DNS broadband/dsl connectivity information wiped in system, connectivity destroyed, several security softwares disabled….

# Security scan logs do indicate major worm, traces of another major worm, spyware packages installed, additional viruses activated in Help Files and Downloader Trojan reported as installed.

# Apparent encapsulated payload delivery.

# SUMMATION: Damages 99.999 Percent of time defines a criminal botnet attack attempting even ‘spoofing’ of broadband/dsl connection and hijacking the computer immersing in crimeware botnet.

PAYLOAD DETECTED:

Trace.Registry.Blubster (several)

Trace.Registry.SpyPc 8.0!A2 (several)

Worm.Win32.Otwycal.c

Trace.File.Borzoi Trojan-Downloader.

Win32.Agent.bkw Trace.Registry.Internet Cleanup 5.0 (couple)

 Trojan.Small.jhy.5632

Virus.Win32.Patched.B!IK

Virus.Win32.Patched.B!IK

Win32.Luder!IK (several)

Virus.Win32.Nsag.A!IK (several)

Virus.Win32.Virut.q!IK (several)

Trojan.Win32.Anomaly.D!IK

Virus.Win32.Virut.bo!IK

Win32.Virtob.8!IK (couple)

Virus.Win32.Virut.ar!IK

Virus.Win32.Virut.as!IK (couple)

Virus.Win32.Luder.B!IK

Win32.Luder!IK (several)

Virus.Win32.Nsag.A!IK (several)

Trojan-Downloader.Win32.Small!IK

Trojan-Dropper.Agent!IK

Trojan-Downloader.Win32.Agent.bkw

STATUS:

[Restored, Windows Installer remains damaged – inoperative after several fix attempts]

CLARIFICATION…..

Clarification – “pseudo trojan” is my term for a fake trojan unique to this infection payload.

RELATED:

MAJOR ZERO DAY THREATS – WINDOWS UPDATES PATCHES ISSUED FOR: # WMF meta file Zero Day # .AniCursor Zero Day # VML Zero Day (Vector Mark Up)

BLOGS ~ LISTS ~ GROUPS….. Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack January 28, 2009 by bluecollarpc http://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/ I guess a good name for this one is “Death Of A Sails man” ….. in referring to all the fun years on my Windows XP Home Edition Personal Computer. Sailing, surfing – you get it. Conficker Worm Targets Microsoft Windows Systems – Overblown? March 30, 2009 by bluecollarpc http://bluecollarpc.wordpress.com/2009/03/30/conficker-worm-targets-microsoft-windows-systems-overblown/ Security tip for Vista Firewall, others, against Conficker threats (Symantec)….. April 8, 2009 http://bluecollarpc.wordpress.com/2009/04/08/security-tip-for-vista-firewall-others-against-conficker-threats-symantec/ Tags: Conficker, firewall, open port, Port 5357, teredo, Vista Firewall Posted in BCPCNet WebLog | No Comments » Restoring false positive threat from Quarantine, Safe Mode dangers April 3, 2009 http://bluecollarpc.wordpress.com/2009/04/03/restoring-false-positive-threat-from-quarantine-safe-mode-dangers/ Tags: back up, botnets, false positive, kiddie scripts, registry, restore point, safe mode, safe practices, system restore, worms Posted in BCPCNet WebLog | 1 Comment » Conficker Worm Targets Microsoft Windows Systems – Overblown? March 30, 2009 Tags: botherder, botlord, botmaster, botnet, IPv4, IPv6, kiddie scripts, psuedo teredo, teredo, tunneling, worm, zombie, zombie networks Posted in BCPCNet WebLog, SpyLerts | 4 Comments » BCPCNet-Modcasts: “Malware Botnet Cartel” by BlueCollarPC.Net February 12, 2009 by bluecollarpc PLAY))) Malware Botnet Cartel (BCPCNet-Modcasts) http://www.bluecollarpc.net/downloads/DestroyBotnetCartel.wma [CLOSED]

COMMENTS: (bluecollarpc) http://www.bluecollarpc.net/ Cybercrime Treaty Gains Momentum… Article: http://www.networkworld.com/news/2008/040108-cybercrime-treaty-gains-more-interest.html?fsrc=rss-security  

Council Of Europe: http://www.conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG  

Vista User Account Control gets perfect score – rootkits – use disabling tweaks ? By bluecollarpc http://bluecollarpc.wordpress.com/2008/08/28/vista-user-account-control-gets-perfect-score-rootkits-use-disabling-tweaks/ Freeware security was a solution – once upon a time….. August 29, 2008 by bluecollarpc http://bluecollarpc.wordpress.com/2008/08/29/freeware-security-was-a-solution-once-upon-a-time/

COMMENTS ~ PUBS

LET’S AVOID….. US Consumers robbed: $8.5 Billion by online threats – throw PCs in trash August 11, 2008 by bluecollarpc http://bluecollarpc.wordpress.com/2008/08/11/us-consumers-robbed-85-billion-by-online-threats-throw-pcs-in-trash/  U.S. Consumers Lost Nearly $8.5 Billion to Online Threats (Kansas City InfoZine) Spyware accounts for $3.6 B in losses; 2.1 million computers replaced due to malware 8/8/2008 5:44 AM Read more| Open in browser http://www.infozine.com/news/stories/op/storiesView/sid/29832/

 Tunneling to circumvent firewall policy http://en.wikipedia.org/wiki/Tunneling_protocol#Tunneling_to_circumvent_firewall_policy  


COMMENTS ATTACHED: (REPLIES) “~~~ BUILD NOTES…..~~~” .

_____PRESS_____

Security Software Disabler Trojan http://inews.webopedia.com/TERM/S/security_software_disabler_Trojan.html

Botnet – Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Botnet 

botnet Definition: TechEncyclopedia http://www.techweb.com/encyclopedia/defineterm.jhtml?term=botnet  Botnet : Definition From Webopedia http://www.webopediacom/TERM/b/botnet.html 

Article: Battling the Botnet Pandemic Lavasoft News – March 2007 http://www.lavasoft.com/company/newsletter/2007/2_28/article2.html  Battling the Botnet Pandemic. Your home computer may be among the millions of PCs that are under the control of criminals, and worse yet, you may not even be aware of it.

Article: Botnet – CNET News.com http://news.com.com/Security+from+A+to+Z+Botnet/2100-7355_3-6138435.html  Security from A to Z: Botnet | CNET News.com Security from A to Z: Botnet | These armies of zombie PCs are used by cybercriminals for sending spam .. These armies of zombie PCs are used by cybercriminals for sending spam. Part of a series on …

Article: Botnet Basics http://www.eweek.com/article2/0,1895,2097976,00.asp  Botnet Basics Bots are software applications that run automated tasks over the Internet. A network of bots working under a central command and control center is a botnet. This eVideo seminar looks at the basic …

Article: Botnet Battle Already Lost? http://www.eweek.com/article2/0,1759,2029720,00.asp  Is the Botnet Battle Already Lost? Botnets have become a big underground business, and the security industry has few answers. eWEEK … It’s dress-down Friday at Sunbelt Software’s Clearwater, Fla., headquarters. In a bland cubicle on …

MSNBC: The lowdown on ‘Bots’ http://www.msnbc.msn.com/id/17805145/  The lowdown on ‘Bots’ What are ‘bots’? “Bots” – short for robots – are hijacked computers that are infected by computer viruses and then used by criminals and pranksters for a variety of criminal and malicious purposes. Who controls ‘bots’? The criminals behind “bots,” known as “bot herders,” assemble armies of infected computers — often between 50,000 and 70,000 PCs strong — that they can then charge customers for the use of. The going rate for sending spam is $5,000 a day or more, according to Howard Schmidt, former White House cyberczar. What are ‘bots’ used for? “Bots” are used to spread malicious programs, send spam, fuel “pump-and-dump stock schemes and launch denial-of-service attacks, among other things. How many ‘bots” are there? Internet founding father Vint Cerf recently estimated that 150 million computers have been hijacked. Most other experts believe that figure is too high, but there is general agreement that “bots” number in the millions, if not the tens of millions. How can I tell if my computer is a ‘bot’? You can’t necessarily. Antivirus software will catch most known viruses, but new ones are being created all the time. It used to be that poor performance often tipped off users that their computers had been infected, but “bot herders” now distribute tasks among thousands of computers to avoid tell-tale crashes.

More: How big is the botnet problem? Feature By Julie Bort, Network World, 07/06/07 http://www.networkworld.com/research/2007/070607-botnets-side.html?fsrc=rss-security  

Types of attacks: Botnets Cross-site scripting: Inserting malicious JavaScript into the header of an otherwise legitimate Web site. DNS cache poisoning: Hacking a DNS so that it directs people who enter legitimate URLs to the hacker’s malicious Web site. iFrames: Invisible frames capable of executing malware. Pharming: Creating an illegitimate copy of a real Web site and redirecting traffic to the phony site to obtain information or download malicious code. Pretexting: Pretending to be a legitimate entity to lure people to malicious sites. Toxic blogs: Uploading links to malicious Web sites, or when blogs support HTML or scripts, uploading malicious code or using iFrames.

by gerald309 » ——————————————————————————– BCPCNet Community Portal Administrator http://bluecollarpc.net/smf/index.php Webmaster BlueCollarPC.Net / .Org http://www.BlueCollarPC.Net http://www.BlueCollarPC.Org ~~~
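The DIAGNOSIS section above points at one registry key, HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15, and reports an extra "14" value sitting in it. A practitioner checking a claim like that would export the key (regedit's Export, or `reg export`) and compare the numbered values actually present with the slots the key's own MRUListEx references, since Windows only reads the slots listed there. The script below is an added example, not code from the post or its author: it parses a .reg export and reports numbered values that no MRUListEx entry points at, plus referenced slots that have no value. The sample export embedded in it is constructed for illustration (the binary payloads are made up and far shorter than real shell item lists); it is not data taken from the infected machine.

```python
import re
import struct
from typing import Dict, List, Union

RegValue = Union[bytes, int, str]

# Constructed sample export of the key the post names. The value contents are
# invented for illustration; real BagMRU slots hold much longer binary PIDLs.
# MRUListEx here lists slots 1 and 0 only, so a numbered value "14" is unreferenced.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15]
"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff
"NodeSlot"=dword:00000010
"0"=hex:14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,00,00
"1"=hex:14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,00,\
  00
"14"=hex:00,00
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def _join_continuations(text: str) -> List[str]:
    """Rejoin the backslash-continued hex lines regedit writes into single logical lines."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a .reg export into {key_path: {value_name: value}}.
    Plain hex:, dword: and quoted string data are decoded; other types stay as raw text."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("hex:"):
            keys[current][name] = bytes.fromhex(data[4:].replace(",", ""))
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
        else:
            keys[current][name] = data
    return keys


def parse_mrulistex(blob: bytes) -> List[int]:
    """MRUListEx is a sequence of little-endian uint32 slot indices ending with 0xFFFFFFFF."""
    order: List[int] = []
    usable = blob[: len(blob) - len(blob) % 4]
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def audit_bagmru(reg_text: str) -> Dict[str, Dict[str, List[int]]]:
    """For every exported key carrying an MRUListEx, compare the numbered values
    present with the slots the list references.
    'orphaned': numbered values nothing in MRUListEx points at (an injected
    copycat value would land here); 'dangling': referenced slots with no value."""
    report: Dict[str, Dict[str, List[int]]] = {}
    for path, values in parse_reg(reg_text).items():
        mru = values.get("MRUListEx")
        if not isinstance(mru, bytes):
            continue
        referenced = set(parse_mrulistex(mru))
        present = {int(n) for n in values if n.isdigit()}
        report[path] = {
            "orphaned": sorted(present - referenced),
            "dangling": sorted(referenced - present),
        }
    return report


if __name__ == "__main__":
    for path, findings in audit_bagmru(SAMPLE_REG).items():
        print(path)
        print("  orphaned numbered values:", findings["orphaned"])
        print("  dangling MRUListEx slots:", findings["dangling"])
```

Run it against a real export by reading the file (regedit writes UTF-16 with a BOM, so open it with `encoding="utf-16"`) and passing the text to `audit_bagmru`. An orphaned slot is not proof of tampering on its own, since shell cleanup tools and crashes can leave strays, but it is the concrete check behind the post's "copycat value" claim and it gives something to compare against a known-clean machine before deciding whether to restore the key.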

BUILD NOTES…..~~~ AMATUER FORENSICS SYNOPSIS – NOTE – DEFINING TERM USED “ENCAPSULATION” – CLARIFICATION…

This was, of origin, declared an “in the wild threat” by me. The original posts defined that, in detail, blow by blow – and finally easily understood line by line. This began with the incorrect (false positive) and partial “detection” as a trojan as the threat payload which in reality was a full blown Conficker worm type botnet (worst). One and two parts and so on of the highly deceitful payload whereas an enormous skyscraper size threat/damage which in reality to Advanced Users was an ant size minimal “joke program” threat – the lethal “kiddie script” added. Encapsulation, in my best guess opinion as my “Amatuer Forensics”, in – two manners – caused, first, the trojan false positive and second ALSO getting the unknown in the wild virus (lethal kiddie script) under the wire undetected by other existing real time antivirus that was in place and running up to date when the payload hit (while security suite was in uninstall/renewal state). That (lethal kiddie script) did the registry changes (malicious changes). But it goes a little further – A LOT FURTHER…..

Also disguised and delivered were at least one well known worm and three other viruses which FINALLY were detected by scans before executing. Now, how the hell did that happen. Right, IMPOSSIBLE. So in real world, although the lethal kiddie script had basically only performed all the result/symptom “blank white pages” which are the blocking of getting to security sites as well acting very much like ‘Restricted Sites” feature of Windows and behavior result of a trojan — in real world the entire payload was disguised (encapsulated) and this was one small part of the whole package. It (lethal kiddie script) ran first and was instantaneous. The worm ran simultaneously but took at least 4 seconds minimal to 6 to delete the several System Restore Points in Windows System Restore – and which was now blocked via the malicious registry changes already performed by the “lethal kiddie script”.

“Malicious Encapsulation” in computers is simply attempting to put a detectable malicious malware threat inside a package best disguising it and passing off as safe or okay communication. Or even more simply – like the infamous Unabomber that tragically sent out “mail bombs” to several persons. These got past everyone appearing as friendly normal safe mail packages on the outside and of course a nightmare was inside. It is entirely unfathomable to believe that existing real time protection antivirus in place running (proactive – not reactive stand alone free scanner) and, even a firewall to some extent, did not block (antivirus) or in the least detect (firewall) malicious behavior and/or malicious content of the major part of the payload delivered as the “same-name threat” – that old and well known worm file called “Explorer.exe”. This is a “same-name threat” meaning it has the same file process name as one in Windows (other softwares) and here, Explorer.exe which of course is Windows Explorer (where you access all files on the computer and the Windows Operating system files).

And so here we are. An older than the hills recrafted worm introduced with and by an unknown malicious script (lethal kiddie script) that was “encapsulated” to appear as a false positive trojan or downloader trojan. In the very least one must admit there were two malicious mechanisms of deceit – one being the one that caused a false positive to make the package look like a downloader trojan to a well known antispyware program and the other that disguised a large enough worm and at least 3 viruses to install without detection. In reality, could be the same as one mechanism. Like I said this is best shot as “Amatuer Computer Security Forensics” – this entitling me. LOL.

ALL “ENCAPSULATION” MEANS HERE – IDENTIFIED BY ME – IS AS BEST GUESS AMATUER FORENSICS THAT ENCAPSULATION CODING WAS USED TO FOOL KNOWN ANTISPYWARE AND WENT UNDETECTED BY ANTIVIRUS PROGRAMS AS UNDER THE WIRE DISGUISING – AND PAST TWO EXISTING UNDAMAGED FIREWALLS, ONE BEING WINDOWS XP FIREWALL. GRANTED COMODO FIREWALL MAY HAVE NOT BEEN FULLY CONFIGURED YET BY ME FOR FULL PORT STEALTH AND RECOMMENDED SECURITY LEVELS. I WAS VERY BUSY PAST HORRIFIED MAKING ALL NOTES DURING INVESTIGATION WHILE REPAIRS ONGOING AND AS BEST POSSIBLE AND NOW NOTICING A COUPLE DETAILS LIKE THAT WERE NOT NOTED. THIS IS NOT ABOUT A BLAME GAME SO THAT LINE IS INSIGNIFICANT HERE. WHAT THIS IS – IS THE “ANATOMY OF A BOTNET HIT” – HOW AND WHAT FOR SAKE OF A BETTER HOME SECURITY DEFENSE ON THE AVERAGE PC WORLDWIDE AND AS WELL TO ANSWER THE QUESTION “WHAT THE HELL DOES A BOTNET DO ONCE INFECTING THE COMPUTER AND HOW THE HELL DOES IT GET THERE IN THE FIRST PLACE?” – THE ANSWER BEING – HERE YOU ARE LOOKING RIGHT AT ONE !

This (encapsulation – computer) is perhaps a fancy way to describe a typical new unknown virus in the wild – OR may be even a new coding completely unknown to any conventional malicious script disguising. In the very least, I think it must be agreed that the Comodo Suite Firewall/Antivirus would have CERTAINLY detected the all too common all too used malicious “explorer.exe” payload. Perhaps it (Comodo Antivirus) is not even “West Coast Certified” yet in its infancy even. That’s disastrous, as famous and like top three worldwide antispyware “Counterspy” has added antivirus that wasn’t (West Coast Certified) and created the “Vipre” suite minus firewall. I have tried Vipre recently (Holidays 2008) and found that out and as fast as I was reading that I saw they are now certified I believe. Look it up. I am looking up Comodo Antivirus for certifications. For we students in the College of Hard Knocks – once certified you are no longer called “crapware” publicly. Once certified enables the program as a contender in the major market – the coveted accomplishments. Certification brings proven factual trust opposed to a “false sense of security” – example: one with crapware antivirus telling everyone, being a newbie, “yeah I am fully protected with my AV”. There are now over 1 million viruses. If the antivirus does not have these signature detection and removal definitions – duhh, you are NOT protected.

SEE….. ….. ….. West Coast Labs West Coast Labs (WCL) is one of the world’s leading independent test facilities. We are a global leader in research, testing and certification for … http://www.westcoastlabs.org/  

ALSO….. Process name: Windows Explorer Product: Windows Company: Microsoft File: explorer.exe Security Rating: http://www.neuber.com/taskmanager/process/explorer.exe.html  This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn’t as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system. Note: The explorer.exe file is located in the folder C:\Windows. In other cases, explorer.exe is a virus, spyware, trojan or worm! Virus with same name: W32.MyDoom.B – Symantec Corporation and other…

NOTES:

“LETHAL KIDDIE SCRIPT” IS MY TERM AS MEANING THE REAL KIDDIE SCRIPTS THAT WERE AMONG THE ORIGINAL VIRUSES WERE PRODUCED GENERALLY BY YOUNG AGED PERSONS AS A SHOW OFF TO HURT OR BREAK INTO A SYSTEM AS HACKER BUT MORE AS A SHOW OFF OR PROOF OF CONCEPT EVEN. HERE – SAME TYPE OF MALWARE BUT NOW WRITTEN UP TO INTENTIONALLY CAUSE MALICIOUS DAMAGE – “LETHAL”.

SEE…… terms – malicious code malicious script etc. Malware From Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Malware  What is script kiddie? – A Word Definition From the Webopedia … This page describes the term script kiddie and lists other pages on the Web where you can find additional information. http://webopedia.com/TERM/S/script_kiddie.html  

BOTTOM LINE….

This is my first and probably last (maybe first of many?) actual “botnet attack” malware installations I have ever given any Malware Removal Help for – ironically being in my own machine. Best first hand example for experience and as Microsoft websites tell you in malware area webs to ‘don’t get all hung up in where this that and the other thing or how and why and so on – but rather concentrate on best effort of full clean removal and just move on’ – …..along those lines. That’s great advice except for Helpers who need to be on top as much as anyone in IT Security to be credible or trusted.

ENCAPSULATION – GOOD GUYS AND SEE “REAL TIME PROTECTION” AND “HEURISTICS” IN ANTIVIRUS AND ANTISPYWARE AND BEHAVIOR DETECTION…. etc.

EXAMPLE: “System and method for providing exploit protection with message tracking …… determining whether an encapsulation has been applied to an attachment associated with a message and unencapsulating such encapsulated attachment…..” System and method for providing exploit protection with message tracking – A method and system for providing protection from exploits to devices connected to a network. The system and method include a component for determining whether an encapsulation has been applied to an attachment associated with a message and unencapsulating such encapsulated attachment, and a component that performs at least one decompression … http://www.patentsurf.net/6,993,660  

FULL http://www.patentsurf.net/6,941,478  

MORE…..

NOW…. TO ADD TO MY AMATUER FORENSICS ….. YOU ARE GOING TO SEE ONE OF THE SECRETS OF THIS DARK SIDE OF THE INTERNET CRIMEWARE MALWARE BOTNET HERE….. IF YOU WILL REMEMBER THE “SHELL” REGISTRY KEYS STRAIGHT ACROSS THE BOARD THAT MADE ALL THE BROWSER AND SHELL WINDOWS DISPLAY BLANK WHITE PAGES….. HERE: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15 SEE….. Most Recently Used – Wikipedia, the free encyclopedia Jun 15, 2007 … Most Recently Used (MRU) may refer to: A specific menu in Microsoft Windows, see Common menus in Microsoft Windows; An uncommon method of … http://en.wikipedia.org/wiki/Most_Recently_Used  http://en.wikipedia.org/wiki/Common_menus_in_Microsoft_Windows

That is a proper key with an additional copycat 14 value key. This corruption / rewrite of the key was extremely odd as kind of seeing doubles. One key, split, both values like seeing doubles of the key itself. SHOTZIE….. BINGO ….. GOTCHA…. HERE IS THE SECRET — THEY ARE USING TEMPORARY FILES BECAUSE LOOK AT THE KEY AND EVERYONE SHOULD KNOW THAT “MRU” MEANS “MOST RECENTLY USED” WHICH ARE TEMPORARY FILES AND CALLED YOUR TRACKS ON THE INTERNET – YOUR PC HISTORY OF NAVIGATION YOU DO NOT WANT CRIMEWARE TO GET AHOLD OF AND IS WHY EVERYONE SAYS TO USE THE HISTORY CLEAN UP UTILITIES…. BUT THERE IS MORE….. THE TEMPORARY FILES OF THIS PAYLOAD HAD THE KIDDIE SCRIPTS TO CREATE LIKE A THREE DOOR CHOICE FOR FORENSICS AS TO THE FOLLOWING…. IS THE KEY A FABRICATED WINDOWS EXPLORER WEBSITE PAGE DISPLAYING A FAKE PAGE SUCH AS THE BLANK WHITE PAGE OF IT – FAKE SHELL ? IS IT AN ACTUAL SHELL OF LIKE A SOFTWARE CONTROL PANEL FOR EXAMPLE THAT IS FORCED TO DISPLAY JUST THE BLANK WHITE PAGE BECAUSE THIS IS THE DEFAULT OF WINDOWS WHEN SUCH A KEY IS CORRUPTED ? SO IT MOVES SIMPLY TO ARE THEY A FAKE SHELL EVEN OR ACTUAL AND VARIATIONS ON THE THEME OBVIOUSLY. SO THIS IS NEITHER HERE NOR THERE EXCEPT TO MOVE TO RESTORE THE REGISTRY IS THE ONLY WAY OUT IF THERE ARE THE HANDFULS AND HANDFULS AND HANDFULS OF THESE ENTRIES…. BUT…… HERE IS THE BANG….. YOU DID NOT CONSIDER THIS …. ARE THEY INJECTED TEMPORARY FILES REGISTRY ENTRIES FROM YOUR TRASH OR THEIRS ? IN OTHER WORDS RETRIEVING THE GRAPHICS IMAGES OF A SHELL WITH —- HERE YOU GO BINGO —- REGISTRY INJECTION ? IN OTHER WORDS THE KEYS THEMSELVES ARE REGISTRY INJECTION OF CRAP THAT DOES NOT EVEN EXIST AND ARE CAUSING BLANK WHITE PAGES DISPLAY… ACTUALLY THE PAYLOAD JUST MASS INJECTS THE REGISTRY FOR ALL THE AREAS CAUSING THE DENIAL TO SECURITY WEBSITES WITH ANY BROWSER AND WHATEVER ELSE IS THE TARGET SUCH AS MSN CUSTOMERS AS WAS MINE.
IT JUST IS VERY STRANGE THEY WOULD MASS INJECT FALSE KEYS PARTICULARLY MOST RECENTLY USED (MRU) TEMPORARY HISTORIES. POINT ? THEY ARE USING MASS REGISTRY INJECTION FOR TEMPORARY FILES RETRIEVAL AND DISPLAY, MANIPULATED BY THE FALSE KEYS. YOU THINK I DON’T KNOW WHAT I AM TALKING ABOUT ? LOOK HERE AND TELL ME WHY THIS WAS CREATED AND WHY IT HAS SETTINGS TO DELETE ALL TEMPORARY MRU FILES AND KEYS TO BE SET FOR EVERY MINUTE, EVERY FEW MINUTES, EVERY HOUR, EVERY FEW HOURS AND SO ON….. WELL KNOWN POPULAR TRUSTED BEEN AROUND FOR YEARS JavaCoolSoftware.com ….. MRU Blaster http://www.javacoolsoftware.com/mrublaster.html  Protect your privacy, and keep your PC free from clutter. Find and remove over 30,000 MRU lists. Version: 1.5 Free for personal & business use. http://www.javacoolsoftware.com/mrublaster.html  MRU-Blaster works on Windows 95, 98, ME, NT, 2000, XP, or Vista. (Simply put: we need money to pay the bills. If you use MRU-Blaster, and are happy with it, we’d love if you would consider donating.) http://www.javacoolsoftware.com/mrublaster.html

BUT WHAT IF THE MRUs ARE FAKE REGISTRY INJECTION ? YOU SEE ? AND HOW THE HELL DO YOU CLEAN THEM UP (DELETE) IF THEY ARE CORRUPTED TOO ? SHOOTING BLANKS THINKING YOU ARE GOOD TO GO… BUT NONE THE LESS IS RECOMMENDED SOFTWARE OBVIOUSLY ! ! ! DO IT ! ! AND ADD ALL TRACKS CLEAN UP AND RUN THEM CONTINUALLY TO GET RID OF ALL TEMPORARY HISTORY TRACKS…. SEE IT ? THE KEYS ARE FAKE KEYS MASS INJECTED AND NOT REALLY CORRUPTED / CHANGED / RE-WRITTEN KEYS AT ALL ! (POINT – BINGO) SEE IT ? HOW THE HELL IS ANY TRACKS CLEANING SOFTWARE GOING TO GET RID OF THEM ? THEY CAN’T BECAUSE THEY ARE NOT REAL FILES KEYS — GET IT ? SO FOR THE EXERCISE, WE ARE TALKING HEADS UP TO “REGISTRY MASS FAKE KEYS INJECTION” ….. GET IT ? GOOD. IT IS ALL OF THE MAGIC OF WINDOWS AT CORE ISSUE….. INDEXING, PREFETCH, ALL THE TEMPORARY INTERNET FILES THAT MAKE WINDOWS SO FAST AND SO GRAPHICALLY VISUAL…. THESE PARTS ARE INDEXED FOR LIGHTNING SPEED AND ALL THEMSELVES ARE CONTINUALLY CREATING TEMPORARY FILES AND LOGS ALL OVER WINDOWS IN THEIR PROPER PLACES….. IN OTHER WORDS TURNING ALL THESE FEATURES OFF LEAVES YOU IN THE STONE AGE WITH EACH SIMPLE CLICK AND TASK TAKING UP TO 5 MINUTES EACH (dramatized). SO YOU MOVE FROM WINDOWS OR PC OR FIGHT. —————————————————————————————————————

CLARIFICATION….. The repeated references to IPv6 need correcting: the area of the attack is actually the existing IPv4. IPv4 is the direct route to connectivity, and it is where the malware disables firewalls and then makes counterfeit attempts at hijacking the broadband connection, or in other cases immerses the infected PC in a malware botnet, a "zombie network". IPv6 is the new, scarcely used, I believe, Internet service of the world web. In that light, the references to IPv6 here and elsewhere concern the newer attacks and the future. All in all, this is about the Windows XP years and all the malware devastations the world has heard of or experienced. The research idea here is to check the connectivity information between the PC and the ISP (Internet Service Provider, like AOL, MSN, Earthlink, etc.), such as your IP address area, and also the firewalls: the connectivity area and the firewalls. Anti-modem defense software (as with dial-up) certainly enters the picture. It is not hard to see why the cyber-criminal would prefer broadband – duhh! [innocent sarcasm].

So for this exercise we are looking at these areas and how they are manipulated, counterfeited, hijacked, etc., particularly by a malware botnet. In reality, everything is basically in the IPv4 area, where the world web is now and has been for years. Sorry for the several misquotes early on. ————————————————————————————————————-

SECURITY HORIZON

These abilities may appear, in part or in full, in any variant as a standard payload. The Conficker worm botnet is a prime example, a close cousin to this one. Obviously these new deadly criminal botnets have changed malware removal help: the help community can no longer, with caution or common sense, rely on the usual advice.

# Giving malware-removal help instructions to reboot into diagnostic Safe Mode for removal can no longer safely be advised. If Safe Mode is not blocked outright, it may intentionally be left accessible but booby-trapped so that the machine cannot be rebooted back into Normal Mode.

# Windows System Restore and its restore points are rendered inoperable or deleted.

# Windows Update and security-software websites are blocked. Windows Installer may also be rendered inoperable, denying the ability to download and install tools.

# Windows Remote Assistance invitations may not be possible if the client is infected with keyloggers and crimeware that intercept the password and enter first; the feature may be inoperable. Also, encapsulated (or similarly disguised) payloads may act as undetectable in-the-wild threats, destroying both computer systems or drawing the helper into the botnet via infection.

# Portable anti-malware on a thumb drive (or similar media) may be needed to replace the standard help avenues mentioned, and may need to be prepared for Windows Installer repair.

# More…..
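Before giving any of that advice, check which of these the machine has actually lost. The following is an added example (mine, not from the original post): a PowerShell triage pass, run from an elevated prompt on the suspect XP/Vista-era box, that reports whether the Safe Mode boot lists are still in the registry, whether System Restore is switched off by policy, whether update or anti-virus domains are pinned in the hosts file, the state of the update, installer, BITS, Security Center and firewall services, and what netsh says about Teredo. The domain watch-list and the service names are my own choices; the registry paths are the standard ones.

```powershell
# Added example, not from the original post: report the things the list above says an
# infected XP/Vista-era machine typically loses. Run from an elevated PowerShell prompt.

function Test-SafeBootKeys {
    # Safe Mode boots from these driver/service lists; if a key is gone, Safe Mode fails.
    foreach ($mode in 'Minimal', 'Network') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        $status = if (Test-Path -LiteralPath $path) { 'present' } else { 'MISSING' }
        New-Object PSObject -Property @{ Check = "SafeBoot\$mode"; Status = $status }
    }
}

function Test-SystemRestorePolicy {
    # DisableSR / DisableConfig = 1 under this policy key switch System Restore off.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $props = if (Test-Path -LiteralPath $path) { Get-ItemProperty -LiteralPath $path } else { $null }
    foreach ($name in 'DisableSR', 'DisableConfig') {
        $value = if ($props) { $props.$name } else { $null }
        $status = if ($value -eq 1) { 'DISABLED by policy' } else { 'not set' }
        New-Object PSObject -Property @{ Check = "SystemRestore\$name"; Status = $status }
    }
}

function Test-HostsFile {
    # Update and AV sites are commonly blocked by pinning their names to 127.0.0.1 (or a
    # bogus address) in the hosts file. The domain list is my own short watch-list.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $watch = @('microsoft.com', 'windowsupdate.com', 'symantec.com', 'mcafee.com',
               'kaspersky.com', 'trendmicro.com', 'avg.com', 'avast.com', 'eset.com',
               'bitdefender.com', 'malwarebytes.org', 'javacoolsoftware.com')
    $hits = @(Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match '\S' } |
        Where-Object { $line = $_; @($watch | Where-Object { $line -match [regex]::Escape($_) }).Count -gt 0 })
    $status = if ($hits.Count -gt 0) { 'SUSPECT: ' + ($hits -join ' ; ') } else { 'clean' }
    New-Object PSObject -Property @{ Check = 'hosts file'; Status = $status }
}

function Test-CoreServices {
    # Windows Update, Installer, BITS, Security Center and the firewall service (SharedAccess
    # on XP, MpsSvc on Vista+): stopped or disabled is a red flag on a box that should be healthy.
    foreach ($svc in 'wuauserv', 'msiserver', 'BITS', 'wscsvc', 'SharedAccess', 'MpsSvc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { continue }                      # not every service exists on every version
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
        New-Object PSObject -Property @{ Check = "service $svc"; Status = "$($s.Status), start mode $($wmi.StartMode)" }
    }
}

function Get-TeredoState {
    # Vista+ syntax first, XP syntax as a fallback; the raw netsh text is reported as-is.
    $out = @(& netsh interface teredo show state 2>&1)
    if (($out -join ' ') -match 'not found|incorrect|invalid') {
        $out = @(& netsh interface ipv6 show teredo 2>&1)
    }
    $text = ($out | ForEach-Object { "$_".Trim() } | Where-Object { $_ }) -join ' | '
    New-Object PSObject -Property @{ Check = 'Teredo'; Status = $text }
}

@(Test-SafeBootKeys) + @(Test-SystemRestorePolicy) + @(Test-HostsFile) + @(Test-CoreServices) + @(Get-TeredoState) |
    Format-Table Check, Status -AutoSize -Wrap
```

A MISSING SafeBoot key is the case the first list item warns about: telling the user to boot into Safe Mode will fail, or worse, so the thumb-drive route is the one to take. Likewise, SUSPECT hosts entries explain why "go download the updates" does not work, and the service start modes tell you whether Windows Installer can be used at all before it is repaired.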


One Response to “Resume: AmatuerForensics Build “Pseudo 14 Teredo Trojan Botnet Attack””

  1. bluecollarpc Says:

    SCRATCH NOTES….. [best estimates, ballpark figure]

    THESE WILL SHOW THE NOW NEW MAC AND LINUX COMPUTERS USED AND HOW and note they are even saying it is possible the first mobile phone botnets have arrived.

    Still don’t believe we are in “Cyber-Geddeon” – or would you like to call this FUD ?

    First tip = the Unix-Like systems are using the “pipes” software uploading.

    DEFINITION: Windows is the only Unix Certified disk computer as secure and stable. Mac and Linux have achieved “Unix-Like Certification”.

    SOME OF THIS MAY REVEAL THE DEVIL’S TOY STORE (piracy items, reverse engineered)

    Tunnel Broker
    http://en.wikipedia.org/wiki/Tunnel_broker
    A tunnel broker is a service which provides a network tunnel. These tunnels can provide encapsulated connectivity over existing infrastructure to a new infrastructure.

    There are a variety of tunnel brokers, though most commonly the term is used to refer to an IPv6 tunnel broker, as defined in RFC 3053. These commonly provide IPv6 tunnels to end users/end sites using either manual, scripted or automatic configuration. In general tunnel brokers offer so-called ‘protocol 41’ or proto-41 tunnels. These are tunnels where IPv6 is tunneled directly inside IPv4 by having the protocol field set to ’41’ (IPv6) in the IPv4 packet.

    Tunneling protocol
    http://en.wikipedia.org/wiki/Network_tunnel

    Computer networks use a tunneling protocol when one network protocol (the delivery protocol) encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over an incompatible delivery-network, or provide a secure path through an untrusted network.

    Tunneling typically contrasts with a layered protocol model such as those of OSI or TCP/IP. The tunnel protocol usually (but not always) operates at a higher level in the model than does the payload protocol, or at the same level. Protocol encapsulation carried out by conventional layered protocols, in accordance with the OSI model or TCP/IP model (for example: HTTP over TCP over IP over PPP over a V.92 modem) does not count as tunneling.

    To understand a particular protocol stack, network engineers must understand both the payload and delivery protocol sets.

    Command Prompt (Windows)
    http://en.wikipedia.org/wiki/Command_Prompt_(Windows)
    cmd.exe or command prompt is the command-line interpreter on OS/2, Windows CE and on Windows NT-based operating systems (including Windows 2000, XP, Vista, 7, Server 2003 and Server 2008). It is the analog of COMMAND.COM in MS-DOS and Windows 9x systems, or of the Unix shells used on Unix-like systems.

    Unix-Like Botnets… (pipelining payloads, Mac/Linux botnets)
    http://en.wikipedia.org/wiki/Command_Prompt_(Windows)
    In Unix-like computer operating systems, a pipeline is the original software pipeline: a set of processes chained by their standard streams, so that the output of each process (stdout) feeds directly as input (stdin) of the next one. Each connection is implemented by an anonymous pipe. Filter programs are often used in this configuration. The concept was invented by Douglas McIlroy for Unix shells and it was named by analogy to a physical pipeline.

    Mac/Linux Botnets
    http://en.wikipedia.org/wiki/Command_Prompt_(Windows)
    command prompt is the command-line …. It is the analog of COMMAND.COM in MS-DOS and Windows 9x systems, or of the Unix shells used on Unix-like systems……

    )))NOTE the bad command is instantly transmitted with any debugging to continue successfully past arguments – “Command And Control” (botherder) instantly((( Both the OS/2 and the Windows NT versions of cmd.exe have more detailed error messages than the blanket “Bad command or file name” (in the case of malformed commands) of command.com. In the OS/2 version of cmd.exe, errors are reported in the current language of the system, their text being taken from the system message files. The help command can then be issued with the error message number to obtain further information.

    The Argument (communications, entry) ENCAPSULATION

    echo (block echo requests with your firewall – original anti-botnet defenses existential – they call the “argument” defense, transmit and return)
    http://en.wikipedia.org/wiki/List_of_DOS_commands
    Prints its own arguments back out to the DOS equivalent of the standard output stream. Usually, this means directly to the screen, but the output of echo can be redirected like any other command. Often used in batch files to print text out to the user.

    See
    http://en.wikipedia.org/wiki/Command_Prompt_(Windows)
    Both the OS/2 and the Windows NT versions of cmd.exe have more detailed error messages than the blanket “Bad command or file name” (in the case of malformed commands) of command.com. In the OS/2 version of cmd.exe, errors are reported in the current language of the system, their text being taken from the system message files. The help command can then be issued with the error message number to obtain further information.

    The Worm (deletes System Restore back up files)

    format
    http://en.wikipedia.org/wiki/List_of_DOS_commands
    Delete all the files on the disk and reformat it for MS-DOS. In most cases, this should only be used on floppy drives or other removable media. This command can potentially erase everything on a computer’s hard disk. /autotest and /backup are undocumented features. Both will format the drive without a confirmation prompt.

    FUTURE IS HERE – XML….
    Apr 28, 2005
    http://www.networkcomputing.com/showitem.jhtml;jsessionid=CF0AMTU0VPK0QQSNDLRSKH0CJUNN2JVN?docid=1608f3
    “….Forum Vulcon, a subscription service offering notification of XML vulnerabilities using a Web services interface, is tracking more than 100 vulnerabilities. This may sound minuscule compared with the thousands of known attacks threatening Web applications and back-end servers, but the danger is that a successful XML-based attack can act as a master key, exposing any number of those application vulnerabilities….”

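The comment above quotes the definitions of tunnel brokers, proto-41 encapsulation and tunnelling in general. As an added example (mine, not the commenter's and not from the original post), here is a PowerShell decoder that takes a raw IPv4 packet and reports whether it carries IPv6 as protocol 41 (the 6in4 tunnels a tunnel broker hands out) or as Teredo (IPv6 inside UDP on port 3544, the mechanism this post is named after), then parses the inner IPv6 header. Both sample packets are constructed by hand for this example with documentation addresses (192.0.2.x, 198.51.100.x, 2001:db8::) and the IPv4 and UDP checksums left at zero, so only the header fields are meaningful.

```powershell
# Added example, not from the original post: classify an IPv4 packet as a proto-41 (6in4)
# tunnel, a Teredo (UDP 3544) tunnel, or neither, and decode the inner IPv6 header.
# Sample packets below are constructed for this example; checksums are left at zero.

function ConvertFrom-HexString {
    param([string]$Hex)
    $Hex = $Hex -replace '\s', ''
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Format-IPv6Address {
    param([byte[]]$B, [int]$At)
    # Uncompressed colon-hex form, e.g. 2001:db8:0:0:0:0:0:1
    $groups = for ($i = 0; $i -lt 16; $i += 2) { '{0:x}' -f ($B[$At + $i] * 256 + $B[$At + $i + 1]) }
    return ($groups -join ':')
}

function Read-InnerIPv6 {
    param([byte[]]$B, [int]$At, [string]$Encap)
    if (($B.Length - $At) -lt 40 -or [math]::Floor($B[$At] / 16) -ne 6) {
        return New-Object PSObject -Property @{ Encapsulation = $Encap; Inner = 'not an IPv6 header' }
    }
    New-Object PSObject -Property @{
        Encapsulation = $Encap
        Inner         = 'IPv6'
        NextHeader    = [int]$B[$At + 6]
        HopLimit      = [int]$B[$At + 7]
        Src           = Format-IPv6Address $B ($At + 8)
        Dst           = Format-IPv6Address $B ($At + 24)
    }
}

function Get-TunnelSummary {
    param([byte[]]$Pkt)
    if ($Pkt.Length -lt 20 -or [math]::Floor($Pkt[0] / 16) -ne 4) {
        return New-Object PSObject -Property @{ Encapsulation = 'not IPv4' }
    }
    $ihl   = ($Pkt[0] -band 0x0F) * 4        # IPv4 header length in bytes
    $proto = [int]$Pkt[9]
    if ($proto -eq 41) {                      # IPv6 directly inside IPv4 (6in4, tunnel brokers)
        return Read-InnerIPv6 $Pkt $ihl 'proto-41 (6in4)'
    }
    if ($proto -eq 17 -and $Pkt.Length -ge ($ihl + 8)) {
        $sport = $Pkt[$ihl] * 256 + $Pkt[$ihl + 1]
        $dport = $Pkt[$ihl + 2] * 256 + $Pkt[$ihl + 3]
        if ($sport -eq 3544 -or $dport -eq 3544) {
            $p = $ihl + 8
            # Teredo may prefix the IPv6 packet with indicators: 0x0001 authentication
            # (4-byte header, client id, auth value, 8-byte nonce, 1-byte confirmation),
            # then 0x0000 origin (type 2, port 2, IPv4 address 4).
            if ($Pkt[$p] -eq 0 -and $Pkt[$p + 1] -eq 1) {
                $p += 4 + $Pkt[$p + 2] + $Pkt[$p + 3] + 8 + 1
            }
            if ($Pkt[$p] -eq 0 -and $Pkt[$p + 1] -eq 0) { $p += 8 }
            return Read-InnerIPv6 $Pkt $p 'Teredo (UDP 3544)'
        }
    }
    New-Object PSObject -Property @{ Encapsulation = 'none'; Protocol = $proto }
}

# Inner IPv6 header shared by both samples: payload length 0, next header 59 (no next header),
# hop limit 64, 2001:db8::1 -> 2001:db8::2
$innerV6 = '6000 0000 0000 3b40 20010db8 00000000 00000000 00000001 20010db8 00000000 00000000 00000002'

# Sample 1 (constructed): 6in4, IPv4 protocol 41, 192.0.2.10 -> 198.51.100.1, total length 60
$sixInFour = ConvertFrom-HexString ('4500 003c 0001 0000 4029 0000 c000020a c6336401 ' + $innerV6)

# Sample 2 (constructed): Teredo, IPv4 protocol 17 (UDP), ports 4660 -> 3544, UDP length 48, total length 68
$teredo = ConvertFrom-HexString ('4500 0044 0002 0000 4011 0000 c000020a c6336402 1234 0dd8 0030 0000 ' + $innerV6)

Get-TunnelSummary $sixInFour | Format-List
Get-TunnelSummary $teredo    | Format-List
```

The decoder is deliberately narrow: it looks only at the outer protocol number, the UDP port and the Teredo indicator bytes, which is exactly what a firewall rule or a capture filter has to go on. On a host where no IPv6 tunnel is expected, any packet it classifies as proto-41 or Teredo is worth following back to the process that sent it.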
