New Amatuer Forensics Build in Progress – “Nimrod Botnet”


These are the preliminary notes of the build, with an important estimate.

[NOTE WE CLOSED BLUECOLLARPC.NET OCT 2009 / DEAD LINKS] ———————————

Amatuer Forensics Build – Nimrod Botnet

History: Is Grisoft AVG Free Reverse Engineered by Botnets? By bluecollarpc http://bluecollarpc.wordpress.com/2009/04/15/is-grisoft-avg-free-reverse-engineered-by-botnets/

(((Forensics Build – Nimrod Botnet))) Date: July 30 2009

——- THIS IS A SCRATCH BUILD – ADDING DAILY ——

AMATUER PC SECURITY FORENSICS

Title: “Nimrod Botnet” (Nimrod was a hunter)

Infection Date:

a-squared Anti-Malware – Version 4.0 Last update: 4/13/2009 9:45:09 AM

Entry Threat: Win32.Outbreak!IK

(Adding report on trojan found in Windows Error Reporting)

ESTIMATE: Virtualization Compromise

——— NOTES

NON SAMPLE…. US labs virtualise 1m Linux kernels (anti-botnet research) ZDNet UK Wed, 29 Jul 2009 08:37 AM PDT Sandia National Labs have simultaneously run more than a million Linux kernels on a single cluster, an accomplishment that could prove useful for anti-botnet research…. http://news.zdnet.co.uk/software/0,1000000121,39698952,00.htm

TARGET: Windows Server 2008 http://en.wikipedia.org/wiki/Windows_Server_2008

Windows Server 2008 is the most recent release of Microsoft Windows’ server line of operating systems. Released to manufacturing on February 4, 2008 and officially released on February 27, 2008, it is the successor to Windows Server 2003, released nearly five years earlier. A second release, named Windows Server 2008 R2, was released to manufacturing on July 22, 2009.

Like Windows Vista and Windows 7, Windows Server 2008 is built on Windows NT 6.x.

Self-healing NTFS

In previous Windows versions, if the operating system detected corruption in the file system of an NTFS volume, it marked the volume “dirty”; to correct errors on the volume, it had to be taken offline. With self-healing NTFS, an NTFS worker thread is spawned in the background which performs a localized fix-up of damaged data structures, with only the corrupted files/folders remaining unavailable, without locking out the entire volume and needing the server to be taken down. The operating system now features S.M.A.R.T. detection techniques to help determine when a hard disk may fail. This feature was first presented within Windows Vista.

Best guess….. with Disk Defragger and Disk Check inoperative (begins and a moment later progress vanishes – reboot unable to run), and with System Restore corrupted – this seemed to indicate the target is to hide a dirty disk.
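The dirty flag and the self-healing state described in the NTFS passage above can be read directly with fsutil instead of being inferred from whether the Disk Check window survives. The block below is an added example, not part of the original post; it assumes the volume under suspicion is C: and an elevated PowerShell prompt (PowerShell 2.0 on Vista is enough). fsutil, autochk and the Wininit event are standard Windows components; the function names are the example's own.

```powershell
# Added example (not from the original post). Reads the NTFS dirty flag and the
# self-healing flags for a volume with fsutil, which does not depend on the Disk
# Check GUI working. Assumption: the volume is C: and the prompt is elevated.

function Get-VolumeHealthState {
    param([string]$Drive = 'C:')

    # "fsutil dirty query C:" prints "Volume - C: is Dirty" or "Volume - C: is NOT Dirty".
    $dirtyOut  = (& fsutil dirty query $Drive 2>&1) -join ' '
    # "fsutil repair query C:" prints the self-healing flags as a hex value;
    # bit 0x1 = general repair enabled (see "fsutil repair" help for the other bits).
    $repairOut = (& fsutil repair query $Drive 2>&1) -join ' '

    $flags = 0
    if ($repairOut -match '0x([0-9A-Fa-f]+)') {
        $flags = [Convert]::ToInt32($Matches[1], 16)
    }

    New-Object PSObject -Property @{
        Drive              = $Drive
        DirtyBitSet        = ($dirtyOut -match '\bis Dirty\b')
        SelfHealingEnabled = (($flags -band 0x1) -ne 0)
        RawDirty           = $dirtyOut.Trim()
        RawRepair          = $repairOut.Trim()
    }
}

# Setting the dirty bit makes autochk run a full chkdsk at the next boot,
# bypassing the interactive Disk Check that the post says never finishes.
function Request-BootTimeCheck {
    param([string]$Drive = 'C:')
    & fsutil dirty set $Drive | Out-Null
}

# The chkdsk run by autochk logs its result to the Application log as
# Microsoft-Windows-Wininit event 1001; read it after the reboot.
function Get-LastBootTimeCheckResult {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001
    } -MaxEvents 1 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

$state = Get-VolumeHealthState -Drive 'C:'
$state | Format-List Drive, DirtyBitSet, SelfHealingEnabled, RawDirty, RawRepair
if (-not $state.SelfHealingEnabled) {
    Write-Warning "Self-healing is off for $($state.Drive); 'fsutil repair set $($state.Drive) 1' re-enables it."
}
if ($state.DirtyBitSet) {
    Write-Warning "$($state.Drive) is marked dirty; autochk will run at the next boot."
}
Get-LastBootTimeCheckResult
```

If the flag is not set and self-healing is enabled, the volume is not being hidden as dirty; a Disk Check window that vanishes is then a problem with the tool or its scheduling, not with the file system state. Call Request-BootTimeCheck only when you want a full chkdsk forced on the next boot, since the dirty bit cannot be cleared again without that check running.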

Apparently trial runs on personal Vista PCs (Ho Prem) through the “reverse engineering” of the antivirus product broken into. Why would they do that…. to install counterfeit components of Unix-like, for example, to even run dual server communication undetected.

In other words Windows Server 2008 and Self-healing NTFS are “cracked” and thus the Windows Server 2008 R2 was released to manufacturing on July 22, 2009.

Recommendation – upgrade.

ADDITIONAL SOURCES:

news.admin.net-abuse.sightings http://groups.google.com/group/news.admin.net-abuse.sightings/msg/c26324447d0f23ef

Webmaster BlueCollarPC.Org http://www.BlueCollarPC.Org

and now I know my Vista like the back of my hand.


16 Responses to “New Amatuer Forensics Build in Progress – “Nimrod Botnet””

  1. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    I am only an amateur and fully admit how off base this is as a wild conspiracy theory. I am offering the anatomy of this unknown “botnet” as possible targeting as to the symptomology of the attack. The 9 million Windows TEMP files at 2 Gigs plus suggest either a messaging to bots or finally destroying the machine out of memory. Toast. In other words what would “call up” 9 million tasks, or what 9 million tasks were performed ? Phony TEMP files.

  2. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    This infection may or may not be an actual botnet infection that will have to be determined by the Experts.

    SEE

    InfoStealer, Zeus,Zbot,Nethell,Ambler Destroy what Conficker does not
    April 13, 2009 by bluecollarpc
    http://bluecollarpc.wordpress.com/2009/04/13/infostealer-zeuszbotnethellambler-destroy-what-conficker-does-not/

    It may have been, as example, like the handful of certain worst severe worms that are designed intentionally to delete file after file, directory after
    directory, to eventually delete the Windows Operating System itself – the above mention which on the other side deletes two thirds of the Windows Registry
    rendering it inoperable.

  3. bluecollarpc Says:

    Re: [Anti-Botnet] Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    How Windows Vista Helps Protect Computers From Malware Windows Vista
    Anti-malware Features … online experiences, some malicious developers have co-opted the platform to write …
    http://technet.microsoft.com/en-us/appcompat/aa940967.aspx

    How Windows Vista Helps Protect Computers From Malware
    … online experiences, some malicious developers have co-opted the platform to write
    http://technet.microsoft.com/en-us/library/cc507867.aspx

    How Windows Vista Helps Protect Computers From Malware Under normal circumstances, the RPC Service never needs to write such a file to the … Security and Protection How Windows Vista Helps Protect Computers From Malware
    http://technet.microsoft.com/en-us/appcompat/aa940984.aspx

    Understanding and Working in Protected Mode Internet Explorer
    … restricted privileges on Windows Vista. While Protected Mode does not protect against all forms of attack, it significantly reduces the ability of
    an attack to write, alter …
    http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx

  4. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    If you missed the point of this exercise it is that cyber criminals were infecting the average consumer home PC to test their crimeware against that part of Vista which would be here:

    http://en.wikipedia.org/wiki/Windows_Server_2008
    “Windows Server 2008 is built from the same code base as Windows Vista; therefore, it shares much of the same architecture and functionality. Since the
    code base is common, it automatically comes with most of the technical, security, management and administrative features new to Windows Vista such as
    the rewritten networking stack (native IPv6, native wireless, speed and security improvements); improved image-based installation,…”

    See it ?

    PS… forgot…

    If you missed the point of this exercise it is that cyber criminals were infecting the average consumer home PC…

    …. the rest is to then go after the virtualization machines generally used by businesses to then even engage in DDOS – Distributed Denial of Service
    (corporate level) for extortion plots. See “Blended Threats”

    You may see for the average user whereby a dangerous threat is described as being able to create a DOS Denial Of Service which generally means on the
    average consumer PC.

    Get it ?

  5. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    Is Grisoft AVG Free Reverse Engineered by Botnets?
    By bluecollarpc
    http://bluecollarpc.wordpress.com/2009/04/15/is-grisoft-avg-free-reverse-engineered-by-botnets/

    Is Grisoft AVG Free Reverse Engineered by Botnets ? ….. Read up and make your own check and decision and don’t forget to read the information in replies here.

    BCPCNet Community Portal Forums > Malware Adware Spyware Help M*A*S*H* > Malware
    Adware Spyware Help M*A*S*H* FORUM > Topic: Vista infection: detected:
    Win32.Outbreak!IK
    http://bluecollarpc.net/smf/index.php?topic=389.0

    Help Topic: Vista infection: detected: Win32.Outbreak!IK

    SOURCE: http://bluecollarpc.net/smf/index.php?topic=389.0
    COPIES: http://tech.groups.yahoo.com/group/Vista-Group/message/1283
    (I am Group Owner: http://tech.groups.yahoo.com/group/Vista-Group/ )

    Partial Scan Results / Detection: AVG ANTIVIRUS SHOWING “Trojan Horse Injector.CZ” QUARANTINED…. It may be possible this is what was detected. Deleted easily and successfully – performing entirely new full scans. Returning. ….
    ————————————————
    LINE: Symantec 1.4.4.12 2009.03.26 Infostealer
    MINE – Ikarus Antivirus part of A-Squared Anti-Malware
    Ikarus T3.1.1.48.0 2009.03.26 Win32.Outbreak
    SEE
    InfoStealer, Zeus,Zbot,Nethell,Ambler Destroy what Conficker does not
    April 13, 2009 by bluecollarpc
    http://bluecollarpc.wordpress.com/2009/04/13/infostealer-zeuszbotnethellambler-destroy-what-conficker-does-not/
    ————————————————
    a-squared Anti-Malware – Version 4.0
    Last update: 4/13/2009 9:45:09 AM
    [ NOTES: Partial Scan – stopped to perform Quarantine of found item.]

    Scan settings:

    Objects: Memory, Traces, Cookies, C:\
    Scan archives: On
    Heuristics: Off
    ADS Scan: On

    Scan start: 4/13/2009 9:46:25 AM

    C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe detected: Win32.Outbreak!IK
    C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe detected: Win32.Outbreak!IK

    Scanned

    Files: 183254
    Traces: 532386
    Cookies: 13
    Processes: 90

    Found

    Files: 2
    Traces: 0
    Cookies: 0
    Processes: 0
    Registry keys: 0

    Scan end: 4/13/2009 11:14:15 AM
    Scan time: 1:27:50

    C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe Quarantined Win32.Outbreak!IK
    C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe Quarantined Win32.Outbreak!IK

    {If you are new, these two threats are Avg itself being detected by IK = Ikarus Antivirus declaring them as threat “Win32.Outbreak!”….. THIS is the shock, AVG Quarantine process compromised and malware is running from inside it attempting to hide}.

    Quarantined

    Files: 2
    Traces: 0
    Cookies: 0

    ———————————-

    NOTES:
    SEE –
    Virustotal. MD5: d33cdfe402789dc4ed1050e393a107cd Infostealer … a-squared,
    4.0.0.101, 2009.03.26, Win32.Outbreak!IK. AhnLab-V3, 5.0.0.2, 2009.03.26, -.
    AntiVir, 7.9.0.129, 2009.03.26, -. Antiy-AVL, 2.0.3.1, 2009.03.26, – …
    http://www.virustotal.com/analisis/10234f1b07a8851c708f7e4f384f1736

    File dhl_n756512.zip received on 03.26.2009 23:53:19 (CET)
    Current status: finished

    Result: 9/39 (23.08%)
    Compact Print results
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.26 Win32.Outbreak!IK
    AhnLab-V3 5.0.0.2 2009.03.26 –
    AntiVir 7.9.0.129 2009.03.26 –
    Antiy-AVL 2.0.3.1 2009.03.26 –
    Authentium 5.1.2.4 2009.03.26 W32/Trojan3.AKD
    Avast 4.8.1335.0 2009.03.26 –
    AVG 8.5.0.283 2009.03.26 Pakes.CZX
    BitDefender 7.2 2009.03.26 –
    CAT-QuickHeal 10.00 2009.03.26 (Suspicious) – DNAScan
    ClamAV 0.94.1 2009.03.26 –
    Comodo 1085 2009.03.26 –
    DrWeb 4.44.0.09170 2009.03.26 –
    eSafe 7.0.17.0 2009.03.26 –
    eTrust-Vet 31.6.6418 2009.03.26 –
    F-Prot 4.4.4.56 2009.03.26 W32/Trojan3.AKD
    Fortinet 3.117.0.0 2009.03.26 –
    GData 19 2009.03.26 –
    Ikarus T3.1.1.48.0 2009.03.26 Win32.Outbreak
    K7AntiVirus 7.10.682 2009.03.26 –
    Kaspersky 7.0.0.125 2009.03.26 –
    McAfee 5565 2009.03.26 –
    McAfee+Artemis 5565 2009.03.26 –
    McAfee-GW-Edition 6.7.6 2009.03.26 –
    Microsoft 1.4502 2009.03.26 –
    NOD32 3966 2009.03.26 –
    Norman 6.00.06 2009.03.26 –
    nProtect 2009.1.8.0 2009.03.26 –
    Panda 10.0.0.10 2009.03.26 –
    PCTools 4.4.2.0 2009.03.26 –
    Prevx1 V2 2009.03.26 –
    Rising 21.22.32.00 2009.03.26 –
    Sophos 4.40.0 2009.03.26 Troj/Agent-JJP
    Sunbelt 3.2.1858.2 2009.03.26 –
    Symantec 1.4.4.12 2009.03.26 Infostealer
    TheHacker 6.3.3.7.292 2009.03.26 –
    TrendMicro 8.700.0.1004 2009.03.26 PAK_Generic.001
    VBA32 3.12.10.1 2009.03.26 –
    ViRobot 2009.3.26.1664 2009.03.26 –
    VirusBuster 4.6.5.0 2009.03.26 –
    Additional information
    File size: 72765 bytes
    MD5…: d33cdfe402789dc4ed1050e393a107cd
    SHA1..: 9230358ec5ad2e2234bcdac5106e9598de6da9de
    SHA256: 8b2c8c36f8b38bb4d2059a1605c7facd035b57b995ed4ace36bebde92240acea
    SHA512: 73f53b5ed61a495dcfc298f8ce8a46ba0b41a4910f500d87d5f16808f657d596
    b073f61f8e8a8512f97a28c7c7609e776f6e080102c2cd85e1d7430b25ce51b0
    ssdeep: 1536:z2iwln152KEYRs99KNGHV/iDUAUZHL1cl7yU4xcc1qDD9FZ+Nq5h:Iln1AK0v1ioPct94/qP9FZ+Nqr

    PEiD..: –
    TrID..: File type identification
    ZIP compressed archive (100.0%)
    PEInfo: –
    RDS…: NSRL Reference Data Set

    This entry was posted on April 15, 2009 at 3:07 pm and is filed under BCPCNet WebLog.

  6. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    11 Responses to “Is Grisoft AVG Free Reverse Engineered by Botnets?”
    bluecollarpc Says:

    April 15, 2009 at 3:09 pm
    Emsi Anti Malware reports can not quarantine – to seek online professional manual removal help. I have already been hit on XP by a botnet worm through a false positive from PC Tools Spyware Doctor (free Google Pack edition). Here is the home free version of popular awarded Grisoft AVG Antivirus where the infection resides. Is this the tip of the iceberg with “reverse engineering” of all known security products by botnets ?

    Comodo Antivirus was first scan and was abruptly shut down – even though they are West Coast Certified. They were blocked during definitions updates in the other attack as well.

    FLASH …. EDIT:

    AVG ANTIVIRUS SHOWING “Trojan Horse Injector.CZ” QUARANTINED…. It may be possible this is what was detected. Deleted easily and successfully – performing entirely new full scans. Returning.

    bluecollarpc Says:

    April 15, 2009 at 3:09 pm
    AVG set with email scanning plug ins, Windows Live Mail is bugged with error messages, hung application scenario.

    Opened AVG and disengaged email scanner and Windows Live Mail is working fine. Good tip to the new “cyber-geddeon” – apparently are definitely “reverse engineering” vulnerable security softwares. This is a complete surprise with AVG which has soooo many Awards !

    If this is the kill the pc botnets – their message “Certify This punk”. (AVG has certification stamp it places on incoming / outgoing email ).

    In other words, if successful this apparent botnet hooked in AVG is about to
    delete two thirds of my Vista Registry – DEAD !

    This just happened to my XP machine through PC Tools Spyware Doctor (free Google Pack version) false positive of a trojan when in fact was a full blown botnet that destroyed the PC and was Denial Of Service.

    THREATS:
    LINE: Symantec 1.4.4.12 2009.03.26 Infostealer
    MINE – Ikarus Antivirus part of A-Squared Anti-Malware
    Ikarus T3.1.1.48.0 2009.03.26 Win32.Outbreak

    SEE
    InfoStealer, Zeus,Zbot,Nethell,Ambler Destroy what Conficker does not
    April 13, 2009 by bluecollarpc
    http://bluecollarpc.wordpress.com/2009/04/13/infostealer-zeuszbotnethellambler-destroy-what-conficker-does-not/

    The Malware that Murders Windows (PC Magazine)

    bluecollarpc Says:
    April 15, 2009 at 3:10 pm
    Rescanning….. still there. Uh oh…. read this:

    AVG Antivirus Installed Files Show:

    avg8
    C:\ProgramData
    Size: 1.46 GB (1,569,353,717 bytes)
    Size on disk; 1.46 GB (1,571,082,240 bytes)

    There is no way in Hell an antivirus program is over 1 Gig in hard drive memory. This is a botnet and AVG is reverse engineered to deliver it. Manual removal was blocked. Trying others…. If you have this don’t move and go to their forums for removal. !!! I am declaring AVG as reverse engineered… I have seen this before
    READ:

    Resume: AmatuerForensics Build “Pseudo 14 Teredo Trojan Botnet Attack”

    SOURCE:
    Resume: AmatuerForensics Build “Pseudo 14 Teredo Trojan Botnet Attack”…..
    http://bluecollarpc.net/smf/index.php?topic=380.0

  7. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    bluecollarpc Says:

    April 15, 2009 at 3:10 pm
    NEW PARTIAL SCAN

    QUARANTINED REPORT:

    a-squared Anti-Malware v. 4.0.0.79
    (C) 2003-2009 Emsi Software GmbH – http://www.emsisoft.com

    ID Object
    0 C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    1 C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    2 C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    3 C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    4 C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    5 C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK

  8. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    bluecollarpc Says:

    April 15, 2009 at 3:10 pm
    MORE NOTES….

    I thought there was something very, very wrong as in days ago I had run CCleaner for clean up of Windows TEMP files and there were over 9 million !

    This looks like the other threat rather than the “destroy the pc” threat with what looks to me like a text 1.46 Gig botnet text Console through AVG with the associated 9 million temp files as a like cheap ass text server and console OR more commonly known as a botnet master console and program – meaning as opposed
    to physical servers and consoles running them – text programming in the infected PC. ?
    Botent/ rotnet.

    In the other XP trouble was noticed in researches about animation manipulation to perhaps the very first text “plasma virus” ? I will add links.

    Other symptoms….

    Constant crashes of Internet Explorer. Some start up freezes for minutes. AVG tray continually shutting down with error messages. More…. PS running Microsoft
    Malicious Software Remover Tool…

    OK…. and back. Just ran CCleaner “Analyze” and the Windows Temp files look normal in normal amounts so that if there was any reload of same (above) then it is at worst a snail’s pace.

    LOOKS LIKE THIS ONE WAS BUILT AS SLOW BOAT TO CHINA …..LOL

  9. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    bluecollarpc Says:

    April 15, 2009 at 3:11 pm
    NEW PARTIAL SCAN – NEW THREAT…..

    C:\Users\gerald309\AppData\Local\Microsoft\Windows Live Mail\Bluecollarp
    256\Junk E-mail0990124-00000591.eml/UPS_NR1.exe

    This looks like perhaps the first rootkit to run on Vista ? It is reinstalling old threats apparently. Could be still another Downloader Trojan. Apparently may
    be currently possible to uninstall AVG to be done with it. Too too too dangerous obviously to even touch !

    RECOMMENDATIONS – GET RID OF AVG UNTIL YOU HEAR BETTER – OR DON’T DARE TOUCH THIS AND GO TO THEIR FORUMS FOR REMOVAL INSTRUCTIONS…
    ——————–

    a-squared Anti-Malware – Version 4.0
    Last update: 4/13/2009 1:49:33 PM

    Scan settings:

    Objects: Memory, Traces, Cookies, C:\
    Scan archives: On
    Heuristics: Off
    ADS Scan: On

    Scan start: 4/13/2009 1:53:46 PM

    C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe detected: Win32.Outbreak!IK
    C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe detected: Win32.Outbreak!IK
    C:\Users\gerald309\AppData\Local\Microsoft\Windows Live Mail\Bluecollarp
    256\Junk E-mail0990124-00000591.eml/UPS_NR1.exe detected: Win32.Outbreak!IK

    Scanned

    Files: 188462
    Traces: 532757
    Cookies: 27
    Processes: 82

    Found

    Files: 3
    Traces: 0
    Cookies: 0
    Processes: 0
    Registry keys: 0

    Scan end: 4/13/2009 3:20:10 PM
    Scan time: 1:26:24

    C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe Quarantined Win32.Outbreak!IK
    C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc/UPS_NR1.exe Quarantined Win32.Outbreak!IK
    C:\Users\gerald309\AppData\Local\Microsoft\Windows Live Mail\Bluecollarp
    256\Junk E-mail0990124-00000591.eml/UPS_NR1.exe Quarantined Win32.Outbreak!IK

    Quarantined

    Files: 3
    Traces: 0
    Cookies: 0

  10. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    bluecollarpc Says:

    April 15, 2009 at 3:11 pm
    Something was absolutely wrong with Grisoft AVG….. free home version

    Went through the normal process finally of Add/Remove the software in Vista and all the normal expected small panel windows showed the uninstall was successful and the final window to “Restart Computer Now” and yes.

    You guessed it. On reboot it was right back as if never touched. Again, and noticed the dialogue it was setting restore points but not Windows Restore points. That program was owned and even perhaps cloned and counterfeited into a fake AVG in some fashion even. Unbelievable.

    The freeze ups after start up are making sense and apparently it is quite possible the definitions were actually botnet files being installed to build the
    monster. It may even be that spam emails with viruses were actually the botnet files when it showed a positive as the email plug in scanner.

    Whatever…. moving on. I have manually deleted all of AVG by going to Registry first and then Files and then reboot and remaining files that could not be deleted in the first attempt (running processes). The controlling registry keys removed rendered running processes inoperative after reboot.

    A couple full scans left to do to confirm all malware removed. Will give final report.
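The order the comment above describes (registry entries first, then files, then reboot) works because it is the autostart entries that bring a process back after a restart. The following is an added example, not code from the post, from AVG or from Emsisoft: it lists the Run/RunOnce values and service ImagePaths whose command line matches a pattern, and the running processes whose image path matches the same pattern, so the registry side of a manual removal can be reviewed before anything is deleted. The pattern 'avg' and the function name are the example's own assumptions; run it from an elevated prompt so HKLM and all processes are visible.

```powershell
# Added example (not from the original post, AVG or Emsisoft). Lists the
# autostart entries and services whose command line matches a pattern, and the
# live processes whose image path matches it, so the registry side of a manual
# removal can be reviewed before anything is deleted. Assumption: the pattern
# 'avg' is what you are hunting; adjust $Needle for another product.
$Needle = 'avg'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    param([string]$Pattern)

    $found = @()

    # Run / RunOnce values: each value name is an entry, each value data a command line.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider; skip them.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match $Pattern) {
                $found += New-Object PSObject -Property @{
                    Kind = 'Run key'; Location = $key; Name = $p.Name; Command = "$($p.Value)"
                }
            }
        }
    }

    # Services and drivers: ImagePath is what the Service Control Manager launches at boot.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and ("$img" -match $Pattern)) {
            $found += New-Object PSObject -Property @{
                Kind = 'Service'; Location = $svc.PSPath; Name = $svc.PSChildName; Command = "$img"
            }
        }
    }

    $found
}

Get-AutostartEntries -Pattern $Needle | Format-Table Kind, Name, Command -AutoSize

# Processes whose image matches the same pattern (WMI avoids the access-denied
# noise Get-Process produces for protected processes). Anything listed here that
# also has an entry above will be relaunched at boot or logon until that entry
# is gone, which is why the registry entries go before the files.
Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -match $Needle) } |
    Select-Object ProcessId, Name, ExecutablePath
```

A service whose ImagePath points at a file that no longer exists still exists as a service and will fail at every boot; delete the service key (or run sc delete) as part of the registry step rather than leaving it behind with its files gone.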

  11. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    bluecollarpc Says:

    April 15, 2009 at 3:11 pm
    Final quarantine report…..

    a-squared Anti-Malware v. 4.0.0.79
    (C) 2003-2009 Emsi Software GmbH – http://www.emsisoft.com

    ID Object
    0 C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    1 C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    2 C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    3 C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    4 C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    5 C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    6 C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    7 C:\Users\All Users\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    8 C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc Win32.Outbreak!IK
    9 C:\Users\gerald309\AppData\Local\Microsoft\Windows Live Mail\Bluecollarp
    256\Junk E-mail0990124-00000591.eml Win32.Outbreak!IK

  12. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    bluecollarpc Says:

    April 15, 2009 at 3:12 pm
    Final comment …… the return after deletion of items is one of several instances in malware. One obvious is the self replicating worm. A trojan, and nowadays the dime a dozen Downloader Trojan (adds more malware) can be culprit residing in the Registry – reinstalls a deletion. Lastly the dreaded rootkit which is above the downloader trojan and can hide from all known security software eventually.

    —–
    AND
    ——

    Apparently self replicating worm…… jumped to Windows Temp Files:

    a-squared Anti-Malware – Version 4.0
    Last update: 4/13/2009 8:18:06 PM

    Scan settings:

    Objects: Memory, Traces, Cookies, C:\
    Scan archives: On
    Heuristics: Off
    ADS Scan: On

    Scan start: 4/13/2009 8:18:13 PM

    C:\Windows\Temp\9fd76836-bb0a-494b-a49c-d91fc6183fa1.tmp/UPS_NR1.exe detected: Win32.Outbreak!IK
    C:\Windows\Temp\b85d63a4-53a1-4a34-8522-4bc2f838c081.tmp/UPS_NR1.exe detected: Win32.Outbreak!IK

    Scanned

    Files: 288656
    Traces: 532757
    Cookies: 2
    Processes: 75

    Found

    Files: 2
    Traces: 0
    Cookies: 0
    Processes: 0
    Registry keys: 0

    Scan end: 4/13/2009 10:25:06 PM
    Scan time: 2:06:53

    C:\Windows\Temp\9fd76836-bb0a-494b-a49c-d91fc6183fa1.tmp/UPS_NR1.exe Quarantined Win32.Outbreak!IK
    C:\Windows\Temp\b85d63a4-53a1-4a34-8522-4bc2f838c081.tmp/UPS_NR1.exe Quarantined Win32.Outbreak!IK

    Quarantined

    Files: 2
    Traces: 0
    Cookies: 0
    ——————————

    This is crazy…. back to back botnet infestation by back to back security software entry through reverse engineering….. I think the world web just got aids. I think there is a big dark hidden secret. I think all the destruction of the computers from Symantec Norton like over a year or so ago (google it) is one of these episodes and nobody told – and they remain a multibillion dollar industry. This may be the beginning of the end for `don’t ask don’t tell’. I have 2 botnet infestations on 2 computers and they definitely came from two famous security products…. you tell me. AIDS ! CU

  13. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    bluecollarpc Says:

    April 15, 2009 at 3:13 pm
    ANOTHER WORM !

    a-squared Free – Version 4.0
    Last update: 4/14/2009 8:02:56 PM

    Scan settings:

    Objects: Memory, Traces, Cookies, C:\
    Scan archives: On
    Heuristics: Off
    ADS Scan: On

    Scan start: 4/15/2009 3:21:05 PM

    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\Doc31_saisei\saisei02.htm detected:
    Worm.Win32.Fujack!IK

    Scanned

    Files: 145820
    Traces: 532757
    Cookies: 12
    Processes: 75

    Found

    Files: 1
    Traces: 0
    Cookies: 0
    Processes: 0
    Registry keys: 0

    Scan end: 4/15/2009 3:53:39 PM
    Scan time: 0:32:34

    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\Doc31_saisei\saisei02.htm
    Quarantined Worm.Win32.Fujack!IK

    Quarantined

    Files: 1
    Traces: 0
    Cookies: 0

  14. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    bluecollarpc Says:

    July 31, 2009 at 10:44 am
    Hello all….. Let me introduce this with a little background. There is plain reason things were not mentioned publicly by me – along the lines you don’t put out like “proof of concept” details on the world web or get arrested. This is nowhere in that same ballpark but you will get the idea. There is no way in hell this is some “proof of concept” as I am not a programmer. Just experience from an average consumer – Advanced User, Windows.

    The threat discovered is listed below in the amateur forensics build – basically a type of destructive severe trojan infection BUT in an apparent reverse engineering of a popular well awarded and certified antivirus product – home free version. The incredible thing is that it was discovered by another highly rated product that removed the infection that was running from the Quarantine component of this well known antivirus product – right, you see it – like a “biometrics” failure outbreak. What ? Right, without the Quarantine process of antivirus – the world web gets the equivalent of “aids” and has ended as we know it. The “biometrics” failure (quarantine component cracked, failed) enabled the break in and under the wire of the Real Time Protection (heuristics, intrusion prevention) of a quality product running.

    Damages (mentioned in the build) on Toshiba Satellite Vista Home Premium included corruption of Windows System Restore – inoperable. Damaged inoperable Windows Disk Defrag, and Disk Check. Windows Live updates / upgrades inoperable. OUCH ! Because of the GREAT volatility of cyber crime I have promoted from the beginning to “shut your mouth publicly with any Vista infections”. You will see why in this build and it is over. Every cyber criminal in the world has been trying to kill Vista with the help of the entire environment of “Vista Bashing”.

    They got what they were looking for. As United States Armed Forces have been upgraded to using Vista now (I believe US Army) – this can be clearly even part of the great cyber wars against the American Gov’t. I believe that is all the China vs. USA at Cyber-Geddeon. It is all over the internet and Evening News in USA. Attacking the under belly through consumer PCs for Vista structure may have been the intent of the following…..

    ————————————————————————————————————————>

    Amatuer Forensics Build – Nimrod Botnet (repost of the build notes in the post body above)
    Did you miss ? This may be the world’s first “biometrics” (for lack of better
    term) break out as the infection was running from the QUARANTINE COMPONENT OF
    AVG Antivirus…. the end of Quarantine as we know it ? Doubtful. Repaired by now.

  15. bluecollarpc Says:

    Re: New Amatuer Forensics Build in Progress – “Nimrod Botnet”

    CLARIFICATION….

    This Comment: ….


    ….Meant to join a private help group so as to not let cyber criminals see things publicly even as like “confirmation” of their “hits” – attacks successful. Vista has been a “hail mary” to save Internet commerce itself (insider). “Vista Bashing” was anti-security and criminal.

    EXAMPLE:
    The BlueCollarPC.Net Web Group
    Members: http://www.bluecollarpc.net/joingroup.html

    …..as opposed to
    BlueCollarPC · Post HiJackThis Logs, Others – Get Help
    http://tech.groups.yahoo.com/group/BlueCollarPC/

  16. bluecollarpc Says:

    IF YOU DID NOT GET THIS …..

    THESE ARE AVG FILES INSIDE THE AVG PROGRAM ….
    1 C:\ProgramData\avg8\emc\Queue\TEMP\18E2822677.emc

    AND ARE BEING DECLARED THREATS AS
    Win32.Outbreak!

    BY…
    IK

    WHICH IS IKARUS ANTIVIRUS IN THE EMSI A-SQUARED AND ANTIMALWARE SOFTWARE PROGRAMS. I AM VERY IMPRESSED WITH IKARUS AS INDEED DETECTING AND REMOVING BOT PROGRAM INFECTIONS. It detected and removed the entire bot program from my XP Machine which is why it is recommended obviously. In the Emsi Antimalware program both their antispyware and Ikarus antivirus are full versions with Real Time Protection activated. Emsi A-Squared is the free home version with both but no real time protection. Best stand alone scanner you will find anywhere.

