«

"Sebastian Gottschalk" wrote:

>>>> I had a couple of nasties sneak in a long time ago, but I wasn't
>>>> ****ed off. They were temporary interruptions which I quickly fixed.
>>>
>>> This is, of course, nonsense.
>>
>> No, it isn't.
>
> It is. As long as you don't have strict evidence that no data were altered,
> you should assume it being so.

I do assume the worst until I've investigated.

>>> Without any baseline system as comparison (f.e. cryptographic
>>> checksums), every data the user had access to might be and should
>>> reasonably be assumed as being compromised.
>>
>> Yes, that's reasonable for unknown malware. However, I knew what hit
>> me, knew how far it got into the system and what it did, and knew how
>> to clean it up.
>
> I claim that you really don't know the malware.

I know you are wrong.

> Some suggestions:
> - The malware did something special, then modified itself to represent a
> known malware.

It did not.

> - You only compared by signatures, leaving out minor modifications.

I did not.

> - Most malware downloads additional malware.

These did not.

> - Most malware opens backdoors, which then allow the attacker to do any
> kind of modification, add new code, ...

These did not.

> - The malware itself used a vulnerability. You should assume that other,
> unknown malware used the very same one.

One got in by my having port 445 listening for SMB & RPC (now closed),
another by clicking on something when I should have known better, and
the last by me fooling around with a known malware sample from my
collection.

In all cases I knew immediately what had happened and cleaned up there
and then.

>>> There is no such thing like a quick fix.
>>
>> For me, there was.
>
> Well, you should reflect about the meaning of "fix".

No need. I know my system inside-out.

>>> Your system is most likely still compromised without you having any
>>> chance to detect it.
>>
>> It most certainly is not.
>
> So, do you have any evidence to delude the null hypothesis?

I don't see how I can can give evidence of a clean machine; you would
have to inspect it. Having years of experience with computers and
software (before MS entered the field), and complete familiarity with
my system, I know I'm not compromised. In addition, I connect to the
net for very short periods with an external dial-up modem and watch
the (slow) traffic. Any unusual activity, and I can hit the "off"
button and investigate.

Since I've tightened up my security, restricting what IE can do, and
generally being more careful, I've had no problems at all.

Ant wrote:

>> - The malware itself used a vulnerability. You should assume that other,
>> unknown malware used the very same one.
>
> One got in by my having port 445 listening for SMB & RPC (now closed),
> another by clicking on something when I should have known better, and
> the last by me fooling around with a known malware sample from my
> collection.

The first ones provided full system access to the malware, your claims
therefore are delusive and nothing else.

>>>> Your system is most likely still compromised without you having any
>>>> chance to detect it.
>>>
>>> It most certainly is not.
>>
>> So, do you have any evidence to delude the null hypothesis?
>
> I don't see how I can can give evidence of a clean machine; you would
> have to inspect it.

I was asking if you had evidence. Evidence for a clean machine f.e. would
be a successful comparison of all system binaries and data against a
well-known clean state with giving reasonable explanations for all
differences.

> Since I've tightened up my security, restricting what IE can do, and
> generally being more careful, I've had no problems at all.

No this is where you lost every sound of professionality. There is no way
to configure MSIE to be safe just even against all known unpatched
vulnerabilities, not even talking about being usable.

"Sebastian Gottschalk" wrote:

> Ant wrote:
>> One got in by my having port 445 listening for SMB & RPC (now closed),
>> another by clicking on something when I should have known better, and
>> the last by me fooling around with a known malware sample from my
>> collection.
>
> The first ones provided full system access to the malware, your claims
> therefore are delusive and nothing else.

Rubbish. I know how my system behaves and what's running on it.

>> I don't see how I can can give evidence of a clean machine; you would
>> have to inspect it.
>
> I was asking if you had evidence. Evidence for a clean machine f.e. would
> be a successful comparison of all system binaries and data against a
> well-known clean state with giving reasonable explanations for all
> differences.

I've compared enough system files and checked all registry entries
from which stuff can be launched to satisfy myself that all is well.

>> Since I've tightened up my security, restricting what IE can do, and
>> generally being more careful, I've had no problems at all.
>
> No this is where you lost every sound of professionality. There is no way
> to configure MSIE to be safe just even against all known unpatched
> vulnerabilities, not even talking about being usable.

It's safe enough given the the configuration of my O/S and my surfing
habits. If this were a business-critical machine, I might be more
concerned. However, it's a home PC which contains nothing of value and
no sensitive information. It goes online for only very brief periods,
and during that time I know it's not transmitting rogue packets.

Ant wrote:

> and checked all registry entries from which stuff can be launched

Now you've lost the last sound of professionality.

>> No this is where you lost every sound of professionality. There is no way
>> to configure MSIE to be safe just even against all known unpatched
>> vulnerabilities, not even talking about being usable.
>
> It's safe enough given the the configuration of my O/S and my surfing
> habits.

Bullshit. It's unsafe at any rate.

> However, it's a home PC which contains nothing of value and
> no sensitive information.

Stupid. What about resources?

> It goes online for only very brief periods,
> and during that time I know it's not transmitting rogue packets.

You should refrain from claiming that you know something that can't be
known ever.

It is possible to insert a piece of malicious code, subsequent to gaining
access via the initial exploit code, and that such code can hidden by a
rootkit, and can sit as a hidden process or as a time activated piece of
code, and wait till an internet connection is available to stream out cached
keystroke logs or any other local data via http to a remote server.

It would be virtually undetectable without running process mons, rootkit
mons, file mons, network mons 24x7 and ananylsing every single file touch,
reg touch and byte sent. Even then... it may check for the presence of such
tools and not acivate or send data when present.

The bottom line is this.

The machine had this vulnerabilty SINCE THE DAY YOU BUILT IT.

Exploit code was used to compromise this machine.

You have no idea how many times (above the single detected instance) this
vulnerable machine has been compromised using this, or any other
vulnerability both current known, or yet to be announced.

All code changes made since the machine was built are not known, since you
have not been monitoring every single byte of code change, and even then,
the code changes may have been hidden from such tools.

QED - a machine hosting vulnerable code, once compromised, remains
compromised even after the vulnerability is closed, and the known exploit
code removed.

I re-iterate:

1. Format
2. Rebuild the os
3. Patch to the latest
4. Ensure firewall policies lock access

This is the only way to clean such an exploit infection. Even this will not
prevent the next 0day exploit.

Do you have any idea how much exploitable code Microsoft have released
patches for since the initial release of their o/s. Think about it. This
exploitable code has been in existance, on every single machine with this
build, since day one.

The fact that someone has announced it to M$, and M$ release a patch, means
only that the hole is now closed. That window of opportunity for exploit has
exisited SINCE DAY ONE to the latest 'patch tuesday'.

Do you have any idea how long hackers are using malicious code to exploit
vulnerable M$ code, roaming undetected before such a hole becomes noticed or
announced, and then a fix is put in place? Thats YEARS of opportuntiy to
exploit such holes.

Your assertion that you 'know your machine' and are emphatic about its
current trustworthy state is both naive, untenable and illogical given the
above.

"Sebastian Gottschalk" wrote:

> Ant wrote:
>> and checked all registry entries from which stuff can be launched
>
> Now you've lost the last sound of professionality.

Funny, that. I enter this thread to explain some Javascript, and you
accuse me of not being professional. Where did I say that computer
security was my profession?

>> It's safe enough given the the configuration of my O/S and my surfing
>> habits.
>
> Bullshit. It's unsafe at any rate.

Bullshit to you as well. I have no problems.

>> However, it's a home PC which contains nothing of value and
>> no sensitive information.
>
> Stupid. What about resources?

What about them?

>> It goes online for only very brief periods,
>> and during that time I know it's not transmitting rogue packets.
>
> You should refrain from claiming that you know something that can't be
> known ever.

You should refrain from trolling.

erewhon wrote:

> It is possible to insert a piece of malicious code, subsequent to gaining
> access via the initial exploit code, and that such code can hidden by a
> rootkit, and can sit as a hidden process or as a time activated piece of
> code, and wait till an internet connection is available to stream out cached
> keystroke logs or any other local data via http to a remote server.
>
> It would be virtually undetectable without running process mons, rootkit
> mons, file mons, network mons 24x7 and ananylsing every single file touch,
> reg touch and byte sent.

Even then it could be undetectable, since it could shove the entire system
into a virtual instance. Or, depending on the focus of the kernel function
monitoring, a sufficiently deep kernel modification is already enough.

Monitoring network traffic won't help. You can easily relay data with
almost any host, including legitimate ones like Google, Yahoo, MSN,
nytimes.com, whitehouse.gov, ...

> Even then... it may check for the presence of such tools and not acivate
> or send data when present.

Not to mention tunneling like f.e. with slight variations in TCP ISNs.

> Do you have any idea how long hackers are using malicious code to exploit
> vulnerable M$ code, roaming undetected before such a hole becomes noticed or
> announced, and then a fix is put in place? Thats YEARS of opportuntiy to
> exploit such holes.

At least for MSIE, the situation is way worse: Holes are found, become
noticed or announced, get exploited for years, and Microsoft still won't
put a fix in place.

> Your assertion that you 'know your machine' and are emphatic about its
> current trustworthy state is both naive, untenable and illogical given the
> above.

And especially without any evidence.

Ant wrote:

> "Sebastian Gottschalk" wrote:
>
>> Ant wrote:
>>> and checked all registry entries from which stuff can be launched
>>
>> Now you've lost the last sound of professionality.
>
> Funny, that. I enter this thread to explain some Javascript, and you
> accuse me of not being professional. Where did I say that computer
> security was my profession?

Well, so now it's safe to call you an amateur who has obviously no clue
what he's talking about and making nonsensical claims.

> Bullshit to you as well. I have no problems.

You being unable to notice your problems doesn't mean that they don't
exist.

>>> However, it's a home PC which contains nothing of value and
>>> no sensitive information.
>>
>> Stupid. What about resources?
>
> What about them?

This is something valuable, to the malicious guys of course. And that's why
you're an interesting target.

And it's definitely your problem, because you'll be held responsible for
your computer being abused to attack other ones.

>>> It goes online for only very brief periods,
>>> and during that time I know it's not transmitting rogue packets.
>>
>> You should refrain from claiming that you know something that can't be
>> known ever.
>
> You should refrain from trolling.

Wise men stick to their own advise as well. Nuff said.

Sebastian Gottschalk wrote:

>>>> However, it's a home PC which contains nothing of value and
>>>> no sensitive information.
>>>
>>> Stupid. What about resources?
>>
>> What about them?
>
> This is something valuable, to the malicious guys of course. And that's
> why you're an interesting target.
>
> And it's definitely your problem, because you'll be held responsible for
> your computer being abused to attack other ones.

He means often Windows Desktop Computers belonging to normal Users @ Home
who just want to use their Computer for surfing the Web (often via MSIE
thats the sad truth) and doing some mails and stuff like that, dont even
care about having Bots, Trojans and other Malware on their machine unless
it disturbs them.
And that is why there are so large botnets which use the resources of some
"small" home computer with your 1 or 2 mbit connection.
but if you replace "some" by "thousands" you'll end up with a capacity high
above some GBits which are commonly used to f.ex. DDOS homepages (learn
more at wikipedia en.wikipedia.org/wiki/DDOS)
I hope I was able to show you that your way if dealin' with the
"trojan-thing" is pretty wrong and harms loads of people out there.

cheers benjamin

"erewhon" wrote:

> Do you have any idea how much exploitable code Microsoft have released
> patches for since the initial release of their o/s. Think about it. This
> exploitable code has been in existance, on every single machine with this
> build, since day one.
>
> The fact that someone has announced it to M$, and M$ release a patch, means
> only that the hole is now closed. That window of opportunity for exploit has
> exisited SINCE DAY ONE to the latest 'patch tuesday'.

In which case all Windows installations should be rebuilt every time a
patch is released, because there is no knowing what might have sneaked
in before. The same goes for any other operating system.

> Your assertion that you 'know your machine' and are emphatic about its
> current trustworthy state is both naive, untenable and illogical given the
> above.

Given that I've monitored my system with a variety of tools and
techniques since day one, and kept my eye on the latest exploit
developments, I'll trust my own judgement rather than be swayed by
someone else's paranoia.