Re: New Hand of Thief trojan does Linux but not windows!
- If you missed, these .Dat engineered media files also contained the infamous IRChat Relay dialogue between cyber criminal Bot Masters (nics BotLord, BotHerder etc). These were that hard to crack many times by the Law - Cyber Agencies internationally - and contained the "chatter".
gerald philly pa usa
--- In LINUX_Newbies@yahoogroups.com, "LinuxDucks" <g.linuxducks@...> wrote:
> One last security mention here and I will back off a does not seem to
> grab much interest, responses. Here is an example of what I was
> mentioning about inaccessible Root of the Linux system by a user. .....
> Fw: US-CERT Current Activity - Linux Root Access Vulnerabilities
> IN FULL:
> JUMP TO:
> The first of these vulnerabilities is due to a flaw in the
> implementation of the Reliable Datagram Sockets (RDS) protocol in Linux
> kernel versions 2.6.30 through 2.6.36-rc8. By sending a specially
> crafted socket function call, an attacker may be able to write
> arbitrary values into kernel memory and escalate privileges to
> Now in Windows and several years ago I did an Amateur Forensics write up
> of an actual Botnet Infection Payload executed on my Windows XP desktop.
> I disected about all of it and had reported and kept logs at a forum etc
> toi finally just leaving it as a webpage for posterity as a sort of
> Anatomy of a Botnet Infection.
> What I discovered in this massive, massive malware payload was several
> Windows media icon files. In actually they were .DAT files which is data
> being stored in media format files. Now this was in Date of Infection
> approx December 2008 - before today as when you see a movie file in like
> Videos folder they have a thumbnail snapshot from the movie.
> So what I discovered were these several .DAT files that were not media
> (movies) at all but engineered apparently as Datagrams.....
> From http://bluecollarpc.us/forensics/ ......
> JUMP TO.....
> Below you will understand the importance. There is incidence of data
> files or .DAT translated into media image files to hide by crimeware.
> NON SAMPLE DAT file manipulation Reading and writing Isis image
> buffers. The objects defined below may be used to read and write images
> to and from two-dimensional DAT files.
> TWO high qulaity players were unaffected which too legitmately guard
> particular .dat files.
> REFERENCE (Symantec above) " .Blubster is a peer-to-peer
> filesharing client which is based on MP2P a propietary UDP
> transport protocol ."
> User Datagram Protocol
> <http://en.wikipedia.org/wiki/User_Datagram_Protocol> User Datagram
> Protocol (UDP) is one of the core members of the Internet Protocol
> Suite, the set of network protocols used for the Internet. With UDP,
> computer applications can send messages, in this case referred to as
> datagrams, to other hosts on an Internet Protocol (IP) network without
> requiring prior communications to set up special transmission channels
> or data paths. UDP is sometimes called the Universal Datagram Protocol.
> [sidebar - IP Spoofing, piping and PS.. IRCChat Relay is Pergamos -
> busted ! See IRC in IRS]
> UDP uses a simple transmission model without implicit hand-shaking
> dialogues for guaranteeing reliability, ordering, or data integrity.
> Thus, UDP provides an unreliable service and datagrams may arrive out of
> order, appear duplicated, or go missing without notice. UDP assumes
> that error checking and correction is either not necessary or performed
> in the application, avoiding the overhead of such processing at the
> network interface level. Time-sensitive applications often use UDP
> because dropping packets is preferable to waiting for delayed packets,
> which may not be an option in a real-time system. If error correction
> facilities are needed at the network interface level, an application
> may use the Transmission Control Protocol (TCP) or Stream Control
> Transmission Protocol (SCTP) which are designed for this purpose.
> Now this deals a lot with the BOTNETS and they hijack the computer
> spoofing internet connectivity to fool ISP and Law and use it for
> storage and sharing of illegal pirated copies of movies and software
> etc. You see they installed the P2P (peer to peer file swapping
> software) program as part of this massive payload called Blubster and
> much more including illicit malware transmission and that nine yards.
> (Of course they fell just short of re-connectivity and I had the entire
> machine diqagnosed and cleaned and running in about 58 minutes later!)
> INFO http://www.ehow.com/about_5031424_blubster.html
> Blubster uses a protocol called MP2P, which stands for Manolito Peer to
> Peer. This is an offshoot of the P2P, or Peer to Peer protocol. MP2P is
> based on the User Datagram Protocol, or UDP. Basing MP2P on UDP allows
> the Blubster service to remain anonymous. This means that users can
> upload or download files anonymously and cannot be tracked down and
> prosecuted for copyright infringement.
> Now go back up top and see and understand the hole found in Linux and
> equals apparently that Linux was fully open to botnet infection which
> would have been easily stopped by any real quality antimalware such as
> ESET NOD32 now.
> THIS is what I mentioned and meant about SECURITY in Linux that there
> are parts of Linux the user can not access for inspection as manually
> aiding antimalware in manual hunts for infections and really is
> disturbing to myself. Linux prides itself as Open Code and booos Windows
> for being Micro$oft Closed Code but there is virtually nothing Closed in
> Windows except for some crytopgraphic stuff such as Administrator
> Password etc etc etc. you just cant walk up and read in the Windows
> Oh well, just wanted to clarify my comments with some intelligent
> dialouge so that no one walked away with the impression that I was
> simply ranting and raving mindlessly, or trolling, or Linux-Bashing at
> all. I hope this post hit the mark!
> gerald philly pa usa
> Owner/Webmaster proudly of the BlueCollarPC.US
> (Over 8.5 million Visitors/Users since 2005,
> Completely non-commercial Free Community Help Site)
> --- In LINUX_Newbies@yahoogroups.com, "LinuxDucks" wrote:
> > Follow Up..... ( if bored with security just delete this)
> > Questions Linger About New Linux 'Hand of Thief' Trojan
> > Threatpost
> > In reviewing this informative press release it is apparent or really
> seems this piece of malware is actually checking security and
> prosecution involved in Linux. I say that because being in Windows
> security going back to the very first adware infections/infestations -
> much of that was actually testing the system.
> > Originally, a good portion of adware infection payloads actually
> included Uninstall packages with it, whereby you could navigate to the
> uninstallation of software (Add/Remove Programs - XP) and uninstall it
> like other normal legit softwares. Some even went to court saying they
> were not breaking laws, that the user gave permission and etc etc etc.
> None of that held water.
> > This was also the birth of spyware for Windows about year 2001 forward
> with A LOT of adware packages proceeding it. Once spyware and
> antispyware companies (such as Webroot) and laws were being born. it
> became quite apparent the adware was just the clever way of testing the
> waters to now bombard with spyware - the actual real threats to personal
> information (ID Thefts) and introducing brute force instability into the
> system and even damage. Of course it really took a lot of persuading and
> petitioning and complaints to get todays modern laws in effect against
> spyware and in all states in the USA and most all of the world. One
> place that sprung up and really evolved into otherwise was
> https://www.stopbadware.org/ - originally helping to get laws passed
> turned into clearing peoples websites from bad reports in search engines
> from Google blah blah blah.
> > THIS looks so eerily familiar now with this first-days piece of Linux
> malware. I will bet this is nothing more than cyber criminals testing
> the waters in Linux, but nevertheless is apparently waiting to become
> fully active.
> > What I had also posted about Linux having unaccessible areas kind of
> leaves a head scratch. With windows some areas were restricted as Hidden
> Files - the operating system files etc. However, a simple permissions
> click allowed complete access which was extremely necessary to access
> \system32 in Windows and the Downloaded Program Files (active x items)
> to discover malware infestation. Linux has no access to Root and seems
> some antivirus can not scan either.
> > So like I said I am far from an Advanced User on Linux but not in
> windows malware. That's why I made this post and my opinion about this
> particular piece of Linux malware. I think its just an expendable
> offered dummy load like a criminal stake out op. ThAT was very prevalent
> in numbers and growing numbers in the birth of adware/spyware days on
> Windows. Perhaps towards the end of this decade will their be any real
> concern by virtually all users of Linux over malware because it will be
> there. Just opinions.
> > Some pieces are like POST Data seems more the server side of things as
> improper sanitation areas of data transferred from the desktop and as a
> Data Scraping type area function. The absense apparent of their
> Injection process claimed as not making it fully functional and more
> dangerous may possibly be achieved at a bad infected website running a
> buffer overflow attack perhaps to grab the private database contents and
> even destroy the website application leaving it in a DOS denial of
> service state? If they are toying with researchers.
> > All just opinion.
> > gerald philly pa usa
> > http://bluecollarpc.us/
> > --- In LINUX_Newbies@yahoogroups.com, "Joe PM" jpmcsale@ wrote:
> > >
> > > goto
> > >
> > >
> [Non-text portions of this message have been removed]