Do you know much about Rootkits?


  • This topic is locked This topic is locked
7 replies to this topic

#1 BoaterDave (New Member, 8 posts)

Posted 16 February 2006 - 09:52 AM

If you don't actually know, can you please point me in the right direction?

Why?

My final suspicion regarding all my PC problems is now the Windows XP SP2 CD which I obtained by post from Microsoft (??? ...... or from a spoof web site???) in August 2004. I carried out my last re-installation of my operating system (six times since Christmas!) last weekend without using this disc and then downloaded all updates, including SP2, from the Internet - everything is working just as it should now!

I read about rootkits in connection with Sony. Is there any way for me to check if the CD actually contains something "nasty"? (Nothing found by virus scanning).

I'm suspicious for a couple of reasons other than just my PC having been hijacked. On close examination of the packaging sent by (supposedly!) Microsoft, the Part Number printed on the packaging is X10-72919 but on the disc label it is Part Number X10-80291. The disc certainly looks genuine. However, in the centre (silver) part of the disc is printed X10-58085! Not only that, but the address label is a UK pre-paid 2nd-class business item. However, the address, at the end (after my Postcode) says not Great Britain, but the German equivalent - GROBBITANNIEN. Rather strange!

I have had contact with Sysinternals. I helped their Bryce Cogswell ("the man") investigate a false positive returned when I scanned my machine a couple of weeks ago (and posted the result in their forum; they asked me to help!). Of course this scanning tool inspects only the Registry and cannot include the CD (at least I don't believe so). I have, though, emailed Bryce to ask what I might do to check this CD.

Do you have any suggestions?

My thoughts turn to sending the CD to the detective on our high-tech crime unit who discussed matters with me following the theft of my identity (PayPal/eBay) last spring. (I'm pleased to say that I did get my money back - eventually!).

David B.


#2 Doug (Retired Administrator - Tech Team, 10,057 posts)

Posted 16 February 2006 - 04:22 PM

You're already working with some "big guns" with regard to the knowledge base of rootkits!

Lavasoft has a related tool you may wish to consider.
http://www.lavasoftu...ftware/rootkit/

F-Secure offers some information here
http://www.f-secure....ive-112005.html

The matter of a potentially "counterfeit" SP2 disk would presumably be of interest to Microsoft.
You may report suspected piracy and maybe even get a little help here:
http://www.microsoft.../Reporting.mspx

My own SP2 CD obtained from Microsoft in the United States 0704 PART# X10-80291 is "stamped" with the word Canada on the inner rim as read from the reverse side. Also read from the reverse side are some patterned holographic image prints, then a phase-shift print of Microsoft/Genuine visible on top of each other when read from different angles, then "very small print" IFPI LB41 + A06 + D9196 X10-58085 (ZM03) followed by some apparent "optical scan" hashes.

The numbers on my SP2 disk X10-80291 and X10-58085 are the same as what you report.
Did you simply decide not to report the letters and numbers in smaller print and the holographic Microsoft/Genuine print image? If the holograph is missing, I'd be suspect of piracy, since that is the Microsoft "trademark" insignia for genuine part.

I have not seen any tools to scan CD's for rootkit components.
The "revealer" protocols seem to be focused on restoring machines of users who have already fallen victim to rootkit infection.

Though in many cases, rootkit revealer protocols help identify and remove rootkit infection, I am not aware of any sure-fire solutions short of complete reformatting of the hard drive and starting over from a clean machine.

I'm sure that Members here would appreciate learning about any new information and innovations that you may discover in addition to hearing how you successfully resolve your current situation.

Best Regards

Edited by dough, 16 February 2006 - 04:34 PM.

The help you receive here is free.
If you wish, you may Donate to help keep us online.

#3 BoaterDave (New Member, 8 posts)

Posted 22 February 2006 - 10:26 AM

Hello Dough

I'm sorry for the delay in responding to your comprehensive reply to my submission.

The response I received from Sysinternals was a simple .......

If the CD is from MS then everything on it should be properly signed,
but I don't think there is an easy way of verifying the signatures.
--
Bryce Cogswell
Winternals Software


You asked:-

"The numbers on my SP2 disk X10-80291 and X10-58085 are the same as what you report.
Did you simply decide not to report the letters and numbers in smaller print and the holographic Microsoft/Genuine print image? If the holograph is missing, I'd be suspect of piracy, since that is the Microsoft "trademark" insignia for genuine part."


Indeed, I simply omitted to mention the smaller print and the holographic Microsoft/Genuine print image in the centre of the disk - it is there. However ...........

I've now had the opportunity to carefully examine this "hidden" information with the aid of a brightly lit magnifying glass - fascinating things, aren't they, holograms? It does seem to be real - in fact there is a word "GENUINE" there - by slightly twisting it, it changes to Microsoft! Well ....... almost! Additionally, there is ASP 5025 , the IFPI number 0786 and it also has RSN6 and 01 (+ a few tiny numbers too small for me to read accurately)

It reads more like "MEcrosof:" - this could just be my failing eyesight, though! Or it could be some distortion because of the GE of GENUINE on the ...... I'll call it the reverse.

Intrigued, I had a look at my Windows XP Home (genuine!!) CD. Although markings are very different, in the centre there are similar markings. However, there is the word VALID and the "Microsoft" marking is just as I've typed here.

As it would appear that no-one knows how I could check the disk itself (and I'm not going to use it again!) it does seem appropriate to bring this matter to the direct attention of Microsoft. I think my police Detective is on leave again! As I'm sure you are well aware, there has been a terrific increase in Cyber Crime since ........... well, the issue of SP2 on disk ? ..... now, I wonder! If terrorists can fly into the Twin Towers no doubt they could, indeed, coerce others to forge CD's and implant a Rootkit just like Sony! Then set about stealing a relatively small sum of money from many, many people - crime too insignificant for the police to worry about, even if an individual were to notice a small sum missing from their bank account or credit card. What then? Why ........... massive funds to perpetuate their terrorist activities!

Or perhaps I've just become totally paranoid!

Thanks for reading this.

David B.

Edited by BoaterDave, 22 February 2006 - 10:48 AM.
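Bryce's reply quoted above says that everything on a genuine Microsoft CD should be signed, but that there is no easy way to verify the signatures. With PowerShell (version 3.0 or later, which postdates this thread) it is a short script. The following is an added example, not code from the thread, from Microsoft or from Sysinternals; it assumes the CD is mounted as drive D: (a placeholder drive letter) and walks every executable-type file, grouping them by signature status.

```powershell
# Added example, not from the thread: check Authenticode signatures on every
# executable-type file on a CD. Assumes PowerShell 3.0+ and that the CD is
# mounted as D:\ (placeholder drive letter; change $Root to suit).
$Root = 'D:\'

$files = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in @('.exe', '.dll', '.sys', '.ocx', '.cab', '.msi', '.cat') }

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path   = $f.FullName
        # Possible values: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status = [string]$sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# A file whose contents no longer match its own signature is the strongest
# sign of tampering. Unsigned files, and files signed by anyone other than
# Microsoft, deserve a second look before the disc is trusted.
$tampered = $report | Where-Object { $_.Status -eq 'HashMismatch' }
$suspect  = $report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}

"Signature status summary for $Root"
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

"Files failing their own signature (hash mismatch):"
$tampered | Select-Object Path | Format-Table -AutoSize

"Files not validly signed by Microsoft:"
$suspect | Sort-Object Status, Path | Select-Object Status, Signer, Path | Format-Table -AutoSize
```

Two caveats when reading the output. Many Windows components are signed through catalog (.cat) files rather than with an embedded signature, so a NotSigned result on its own is not proof of tampering, and whether the cmdlet consults catalogs depends on the Windows and PowerShell version; a HashMismatch, by contrast, means the file was altered after it was signed. Second, "Valid" means the certificate chains to a root the checking machine trusts, which is why the script also requires the signer to be Microsoft rather than accepting any valid signature.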


#4 Doug (Retired Administrator - Tech Team, 10,057 posts)

Posted 22 February 2006 - 11:33 AM

Well, as they say, "Just because you're paranoid, it doesn't mean that you're not being followed." Keep your own machine secure, and be careful who you do business with.

The worst "attacks" have been against the "information warehouses" like CitiCorp and the phone companies. CyberTerrorists (malware and bloatware pushers) are less interested in what you have than in what a few hundred thousand bank card numbers, taken in one fell swoop, can get for them. It is shocking what errors and omissions are occurring at the corporate level in failing to protect our information.

Still, malware infections can go unattended after they are released, and the bad guys can then come back and "harvest" their gains by sending out activating routines to turn hundreds and even thousands of home-user machines into "zombie" extensions. No telling how many are involved, but I sure don't want to be one.

More to the point of "greatest risk": your greatest identity theft and financial theft risk is still from hard-copy paper and people who know you well enough to piece together your profile. Shred what you throw away into the trash can, and be careful not to disclose phone numbers and bank card/account information to strangers.

Thanks for your response. Hope all goes well for you!

Best Regards,
Doug

#5 BoaterDave (New Member, 8 posts)

Posted 22 February 2006 - 12:01 PM

Thank you for your advice Dough - very sound!

I didn't start my story at the beginning ................. some background!

Whilst I was away from home on my boat last year (my adult daughter was house-sitting and was occasionally using my PC) I had my identity stolen and £245 paid by PayPal for a 'phone I had allegedly purchased through eBay.

I was eventually repaid my money by PayPal - but on the same day as it was paid, I received emails from the "aggrieved party" asking me to make a payment to them directly. As I had neither ordered a 'phone, nor received one, I politely declined the invitation. A torrent of messages followed and, when I perceived that they were becoming threatening, I contacted our Police. Whilst I was given good advice and some insight into what is going on, the Police were not really interested because, as they saw it, no crime had been committed - I'd not actually lost any money!

However, the "perpetrator" knew my name, the full name of my wife, knew my daughter's full name and that she was living at this address, knew the full name of my next-door neighbour, knew when I'd bought my house and exactly how much I had paid for it!

I'm aware that all such information is in the public domain ........... but it does make one think!

When large sums are stolen, major Bank robberies and the like, everyone is up-in-arms. Small amounts go un-noticed - no-one really cares. That was the point I tried to make.

Cheers

D.

#6 Doug (Retired Administrator - Tech Team, 10,057 posts)

Posted 22 February 2006 - 12:26 PM

Sounds like you had an "actual" attack related to your PayPal.

PayPal also suffers periodic "flurries" of scam phishing attacks.
Don't respond to emails that tell you PayPal is updating their user information, or that your account has been subject to "suspicious usage". I get dozens of these at a time, and then nothing for a few months.

PayPal should always be accessed by browser and manually entering the URL.
PayPal does a fair job of alerting their members about fraud, here:
https://www.paypal.c...tySpoof-outside

HEY!!! You almost clicked that link!
Remember, always access your PayPal via your browser and manually enter the URL.
(just kidding and using this correspondence as a lesson in security)

PayPal gets hit so often that they have a Reporting Tool page:
https://www.paypal.com/ewf/f=pps_spf

(again, it is safer to browse manually to PayPal and then search for Security Center, and then click on Spoof/Fraud)

Yep, all that information is in the "public domain" for those determined to search and find it.

Sorry you had that difficulty about the alleged "phone purchase" but glad you got it sorted and recovered.
I've had the same lack of interest from law enforcement myself.
Can't say as how I blame them, with the volume of internet fraud occurring, and much of it nearly invited by shoddy user practices.
But it is good users like yourself who will carry the burden, and hopefully we will all help the internet become a safer and more useful environment.

Best Regards,
Doug

#7 BoaterDave (New Member, 8 posts)

Posted 22 February 2006 - 12:34 PM

Thanks again Dough - you speak the words of the wise! Perhaps it will help others should they pass by here!

David

PS You'll be pleased to learn that I didn't click on that link (not even in Outlook Express when I couldn't see your "warning" in the preview pane!)

Edited by BoaterDave, 22 February 2006 - 12:35 PM.


#8 little eagle (spyware hawk, Visiting Fellow, 8,968 posts; interests: spyware)

Posted 22 February 2006 - 11:39 PM

SpoofStick is a simple browser extension that helps users detect spoofed (fake) websites. A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won't notice the incorrect URL and give away important information. This practice is sometimes known as "phishing".

http://www.corestreet.com/spoofstick/
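What SpoofStick does, and what Doug's advice in post #6 about typing the PayPal URL by hand guards against, is the gap between the domain a link appears to name and the host the browser will actually connect to. The script below is an added example, not from the thread or from SpoofStick's code: it takes a handful of constructed sample links, extracts the real host the way a browser's URL parser does, and reports whether that host belongs to the expected brand domain (here 'paypal.com'). It assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the thread or from SpoofStick: show the host a link
# really points at and whether it belongs to the expected domain. The links
# below are constructed for illustration; 'paypal.com' is the brand to check.
function Test-LinkDomain {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedDomain
    )
    $uri = [uri]$Url
    $hostName = $uri.Host.ToLowerInvariant()
    $expected = $ExpectedDomain.ToLowerInvariant()

    # The host belongs to the brand only if it IS the expected domain or a
    # subdomain of it. 'www.paypal.com.example' does not qualify, because the
    # registrable domain is the rightmost part of the host, not the leftmost.
    $belongs = ($hostName -eq $expected) -or $hostName.EndsWith('.' + $expected)

    [pscustomobject]@{
        Url            = $Url
        ActualHost     = $hostName
        UserInfo       = $uri.UserInfo          # text before '@'; it is NOT the host
        IsIpAddress    = [string]$uri.HostNameType -in @('IPv4', 'IPv6')
        BelongsToBrand = $belongs
    }
}

# Constructed sample links: one genuine, four of the common disguises.
$links = @(
    'https://www.paypal.com/us/security/',                # genuine subdomain of paypal.com
    'https://www.paypal.com.account-check.example/login', # brand name used as a subdomain of another domain
    'https://paypa1.com/login',                           # look-alike spelling (digit 1 for letter l)
    'http://192.0.2.10/paypal/login',                     # bare IP address, no domain at all
    'https://www.paypal.com@example.net/'                 # '@' trick: the host is example.net
)

$links | ForEach-Object { Test-LinkDomain -Url $_ -ExpectedDomain 'paypal.com' } |
    Format-Table Url, ActualHost, UserInfo, IsIpAddress, BelongsToBrand -AutoSize
```

Only the first link reports BelongsToBrand as True. The suffix check is deliberately strict: a host is accepted only if it is the brand domain itself or ends with a dot followed by it, which is why the "paypal.com.account-check.example" and "paypa1.com" forms fail, and the UserInfo column makes the '@' trick visible, since everything before the '@' is a username the server ignores.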
