Archive for April, 2007

The incredible Coulomb Dialer

April 29, 2007

This beasty was developed around 2003-2004 as a porn dialer and I’m sure it’s still in the industry, and mine is setting up group meetings on the Internet through my DSL. This machine has never been on dialup. I’m sure it’s downloaded porn and probably acted as a server. I just can’t catch the contact points, although it might connect to some sort of DNS server based on all the hits I get when I tighten my firewall.

Now why it’s incredible is I can’t figure out how to shake it. I just removed all partitions with a Win 98 disk using the Fdisk command, wiped the hard drive with a triple DOD pass and a zero overwrite and then reinstalled the operating system from the recovery disk. You got it, an Adaware scan showed that I was still infected.

Now that’s a persistent beast.

You just got to love it.


Military Trojan Slams Motherboard

April 17, 2007

Tiger’s Tail #1 was slammed in front of the defense attorney and the expert witness for the defense. The prosecutor dared us to go to US-CERT Archives and pull a copy of an article which I’m sure we had already printed but in the heat of the trial could not find.

I was reluctant to do it because I said it could be a set up – if I was right about the Government being a distributor of military strength Trojans. Of course everybody in the room said I was paranoid so I went there and BAM!

I lost control of the video screen and was hammered. Everything shifted to the right on the screen and I couldn’t control the print menu nor could I surf the web for more information. We tried to adjust the mechanical controls on the monitor (Remember the defense expert was an Electrical Engineer who wrote assembly language for device drivers.) I finally remembered the techie said he used his head and readjusted the screen setting.

I tried to readjust the screen settings and the monitor would go black and give the now famous phrase “monitor out of range 74 kHz”. Finally, when I adjusted the screen down to the very old standard of 800x600, it worked.

I hadn’t looked carefully at the machine until I got my new toy, the POST Card. I put it in an available PCI slot and turned it on. It ran through so many error codes that I couldn’t read them. When I went to take it off energy saver mode and use verbose mode, I found that I couldn’t enter BIOS, I couldn’t enter safe mode and I couldn’t use search for files from the startup menu.

So in essence my hardware and software are so slammed that I can’t restore the BIOS to its default values, I can’t start up from a CD, I can’t search my machine to find what is stored on it to wipe it, I can’t delete programs from safe mode and I can’t control my screen settings. I have no idea of what’s been planted and no way to find out except by the use of very expensive forensic tools.

WOW! This is really cool technology and all from friendly Uncle Sam.

So my two choices are take it to a repair shop and incriminate myself or keep on Tickling the Tiger’s Tail until I figure this thing out.

Maybe we should just save it for the retrial and have the Techie show us how he fixed the machine as a demonstration for the jury.

BIOS Virus or FAT Partition (Part 2)

April 16, 2007

Each piece of knowledge adds to the picture. I know I have some world class US and Russian Trojans on Tiger’s Tail #2 which I got in a very new way – by pissing people off and keeping track of which sites have hit me with a shit storm.

These military strength bad boys have incredible power to disrupt your machines and survive drive scrubbing and reformatting. I’m still trying to find out where they reside and what they are doing. I bought one of those POST cards but didn’t learn much. It seems that it went through a fairly normal start-up, checking everything too fast to read any of the codes. When you entered the BIOS, it stopped at code 75, meaning it had not checked the IDE devices, which is correct. Of course, the BIOS was set for verbose mode so I could check all that. Seems that new machines are so fast, it challenged my old eyes. At the end of the BIOS start-up the code was FF, which is fairly normal, and registered sending the Boot signal, which is correct. Other codes like F5 and 00 (awake from sleep and kill) were noticed.

Whatever it is, if it’s residing in the BIOS, it’s a very passive neighbor not doing much damage to operations. Yet!

I’ve thought of one more experiment to test its resiliency without killing it. Hell, if I killed it I’d have to waste a day trying to capture these bad boys again.

ET Call Home (Part 2)

April 11, 2007

Well yesterday was a mess. I went to music and game sites – anything a 15 year old kid might do. Whenever I hit an offer for free porn I took it; along the way I was getting offers for porn file removal and new antivirus to save me from those dreaded hidden porn files. I took most of them just to “save my skin”.

I had so much crap on the machine that the Trojans got sick from the Virus and the whole thing shut down. It would even seem that a Trojan ate my old Trojan, Dialer-Coulomb, as there is now no sign of it and it’s been replaced with 3 versions of an unremovable win32.Trojandownloader.Zlob.

In two hours time I logged a couple of thousand URLs in the index.dat files with none related to pop-ups (HAHA). I downloaded (involuntarily) about 700 jpgs (pictures) of reasonable quality with 15 being young enough to make me nervous. Qualitatively these kids are reasonably attractive and not anorexic like the ones at trial, but if it’s an involuntary download, it’s all beyond my control.

At the end I had 76 spyware objects including 14 Trojans and 54 more critical items as measured by Adaware. Of these, 3 could not be removed by either Norton or Adaware, so time for another 7 pass wipe to see who came to visit and stayed.

The only interesting thing that is consistent with past experience is that the logs start over at about 8:30 yesterday, and if I hadn’t printed them before I started at 7:30, I wouldn’t have been able to get the first contact IP number.

Big news yesterday is that the Trojan tried to set up an IGMP connection at 224.0.0.2, which is a different address than the day before, and that connection was through UDP, so we are moving up the Internet Protocol food chain. I probably will let the malware weaken my Norton and break out so I can see who ET is calling every morning. I had to turn on the Norton Firewall 3 times yesterday in the course of the two hour session, which is something a 15 year old probably would not have noticed.

I picked up more crap yesterday than I did when surfing the kiddie porn sites mentioned in the newspaper. All in all, a fine day for solving the mysteries of who is fucking with my machines.

ET Call Home!

April 9, 2007

When the Government Wonks went after poor ET, he was at his weakest. He had been wandering in an Alien environment and was out of touch with his Master Ship.

So now I have this computer with a military strength Trojan hiding in the deepest darkest part of the system. I assault it by doing a 7 pass wipe of the hard drive, guaranteed to wipe out all viruses and spyware. When reinstalling the operating system, I re-formatted the disc. Next, I installed Norton Antivirus and personal firewall. On top of that I installed the professional version of Adaware. Next a virus scan by Norton shows the system is safe. Now the system has never been on line so it’s looking clean.

Then I run my Adaware pro to find that it has an Alternate Browser module which is part of the Coulomb Dialer and if you can believe their log, it is copyrighted by peoplepc. Imagine that, a copyright on a fucking Trojan. The sweep shows that the Dialer is still active so I remove it or that’s at least what I’m led to believe by the software.

Now the way to fuck up poor ET is to put it in sight of a phantom mother ship and that’s what I did. I plugged the computer into a router that was not connected to the Internet and the Trojan went nuts and started calling home. I found out from prior experience that once it makes contact with its master, it wipes out the log. So in this experiment, I printed and preserved the logs before I went on line. In both cases I found ET issuing the exact same sets of commands.

The first is almost obvious. The computer is trying to make contact with the router through IP 0.0.0.0 port 1044. For those who don’t know, the IP address 0.0.0.0 is the port which avoids any DMZ established by your router. It would make a direct connection with the net with no router firewall. Port 1044 is in the range associated with the BLA Trojan. This is definitely not a legitimate software request.

The next event is that the Trojan tries to make contact with your computer at Port 1040 or 1041 to send a UDP packet to 239.255.255.250. Both times the machine was wiped clean, the startup contact was the same, so the instructions are not random but part of the initial programming for the Trojan. The only thing that changed between the first and second log was that the first time it tried to make contact with the same IP at ports 1042 and 1043.

The executable making the request is the famous scvhost.exe which is necessary to connect to networks. Now my Adaware scan shows five different versions of this executable file operating with the same name and file version operating using different process ID numbers. It’s a logical assumption that at least one is associated with a Trojan. Since there are duplicate requests being made it’s possible that there is more than one Trojan operating and trying to make contact with the same IP.

So who is the contact? Is it Elbonia or some other third world eastern European nation? Not a chance. This is good old USA technology we can all be proud of. A traceroute to the IP is blocked but the whois result shows that the number is reserved for use by the Internet Assigned Numbers Registry for special use related to RFC 3171.

Of course everyone will recognize this as the RFC number for establishing group protocols on the Internet. This is the same technology I described in an earlier blog on the shutdown procedure to establish the number of kiddie porn pictures on Mr. Stefanos machine.
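As an added example (not from the blog, and not the author’s tooling), here is a small Python triage pass over firewall log lines shaped like the entries described above; the log format, timestamps and destination ports are constructed. It separates destinations that do not name a single remote host (the unspecified address 0.0.0.0 and multicast groups in the RFC 3171 blocks) from external unicast hosts, which are the only destinations a whois or traceroute can actually identify.

```python
import ipaddress
import re

# Constructed firewall log lines modelled on the entries the post describes.
# The line format and the destination ports are assumptions, not the blog's logs.
SAMPLE_LOG = """\
2007-04-09 07:31:02 UDP 192.168.1.12:1044 -> 0.0.0.0:1044 blocked
2007-04-09 07:31:05 UDP 192.168.1.12:1040 -> 239.255.255.250:1900 allowed
2007-04-09 07:31:05 UDP 192.168.1.12:1041 -> 239.255.255.250:1900 allowed
2007-04-10 08:02:11 IGMP 192.168.1.12:0 -> 224.0.0.2:0 allowed
2007-04-10 08:02:40 TCP 192.168.1.12:1052 -> 203.0.113.77:80 allowed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<verdict>\w+)$"
)

# RFC 3171 carves the multicast space (224.0.0.0/4) into blocks; two matter here.
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")  # link-local control, never forwarded
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")    # administratively scoped (site-local)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_destination(dst: str) -> tuple:
    """Return (kind, follow_up): where the destination sits and whether it is a
    real remote host worth a whois or traceroute."""
    addr = ipaddress.ip_address(dst)
    if addr.is_unspecified:
        return "unspecified", False        # 0.0.0.0 is never routed off the host
    if addr.is_multicast:
        if addr in LOCAL_CONTROL:
            return "multicast-local", False
        if addr in ADMIN_SCOPED:
            return "multicast-scoped", False
        return "multicast-other", False
    if addr.is_loopback or any(addr in net for net in RFC1918):
        return "unicast-internal", False
    return "unicast-external", True        # the only kind that names a contact point


def triage(log_text: str) -> list:
    """Parse each log line and attach the destination classification."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines the parser does not understand rather than guess
        kind, follow_up = classify_destination(m["dst"])
        rows.append({**m.groupdict(), "kind": kind, "follow_up": follow_up})
    return rows


def follow_up_targets(log_text: str) -> list:
    """Distinct external unicast destinations that merit a lookup."""
    return sorted({r["dst"] for r in triage(log_text) if r["follow_up"]})
```

Running `follow_up_targets(SAMPLE_LOG)` on the constructed log leaves only the one external host; the multicast and unspecified entries are classified but never queued for lookup.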

Nice Huh? Everything is in place even before I have connected the machine to the Internet and started my search at the fringe area of kiddie porn. They will track my every move in my quest for knowledge.

Now you may understand why I turned Lot’s wife to salt, and when something goes wrong and I don’t know what’s on the disc, I wipe it with a 7 pass Military Erase.

Forget Everything You Know!

April 8, 2007

When it comes to Trojans, forget everything you know. Stupid things to believe include:

1. Trojans don’t work on dial up.

2. Trojans don’t deliver porn.

3. Trojans don’t create porn delivery networks.

4. Trojans don’t shut down machines.

5. Trojans don’t hide in the motherboard.

6. Trojans don’t hide in the FAT partition.

7. Trojans don’t masquerade as device drivers.

8. You should never retaliate against a Trojan because the source may be an innocent bystander.

Let’s consider point 8 first. For a Trojan to have any value and open a back door, it must contact someone. The program must be small or it can’t hide. It will only have one or two contact points or chances. So, if it calls the last machine which had a new antivirus installed, it’s worthless. If it called back the source of the infection from dial up and it’s off line, it’s worthless. If it came from a government machine or the Russian Mafia and the source became public knowledge and everybody nuked it, it’s worthless. Seems to me if a Trojan controlled machine has benefit, everybody wins if nobody nukes it. So everybody should say to never retaliate against a Trojan because you may target an innocent victim. (HAHAHAHA)

BIOS Virus or FAT Partition?

April 5, 2007

During the course of the trial, the Defense Expert was talking about Trojans that were so deeply embedded in the machine that after a re-installation of the operating system, with Adaware and Norton Antivirus and then everything updated, it would remain active. In other words, whatever was on the machine would reactivate and conduct business as usual despite the properly re-installed and updated protection.

The Government Expert defeated the presentation by the Defense Expert with one word – Preposterous and the explanation that things don’t work that way in the real world.

Tiger’s Tail #2 is on a quest to prove her wrong and to get a good idea of how a military strength computer infection works and what the pieces are called (if they have been named).

Step 1. I did a 7 pass drive wipe with Iolo Technologies Drive Scrubber and then overwrote the complete scrubbing with all zeros. I felt that a well scrubbed drive was necessary as a first step because of the sissy porn pictures that were on the machine. I had tried to erase everything that had been picked up in the original assault on my machine, but you can never be sure.

Step 2. When the machine was restarted, the BIOS was entered and all default conditions were restored.

Step 3. The operating system was restored using the manufacturer’s restore disc while selecting the format the hard drive option.

Step 4. Adaware Plus second edition was installed and Norton Internet Security and Antivirus were installed and activated. Before the machine was placed on line, a Norton Antivirus scan was run and nothing detected, while the Adaware scan picked up Coulomb_Dialer and eliminated it (HAHAHA).

So our expert’s opinion was correct: embedded Trojans could survive a drive wipe, reformatting and a re-installation of the operating system.

Step 5. We went on-line and updated all systems including the operating system, antivirus and spyware. Now all we have is a web browser and operating system which is really not much of a computer.

At this point the update is done and other than the web pages accessed while updating, I had not surfed the net. Still I wanted to see the ground zero state.

Now this is the zero-day perfect state. Completely updated and protected. I pulled it off line, killed the Norton Antivirus and firewall and installed PC-cillin Antivirus and firewall to check the system. Now remember this is an out of date product on a CD compared to the updated Norton and Adaware, so I shouldn’t pick up anything. I didn’t want to update the PC-cillin because if I went on line I might pick up something.

What did I find?

7 cookies including three nasty ones.
Dialer Coulomb was back.
MS Vulnerability MS05-004 was there.

This is really cool technology, not only does the dialer reinstall itself under the most adverse conditions, but it prevents complete updating and leaves a vulnerability open for the Trojan’s Master to exploit.

Who said a military strength Trojan was preposterous? Christ, the first Trojan Horse was a military tool, so why shouldn’t there be others??

Tickling the Tiger’s Tail

April 2, 2007

For those who don’t know the game, the concept of tickling the tiger’s tail is you keep on playing with the untamed beast to enrage him without getting harmed. In the history of science, it was the name of the experiment which was used to confirm the critical mass of uranium needed for an atomic bomb. In the movie Fat Man and Little Boy, a defining moment was when the experiment got screwed up and Los Alamos suffered the first casualty of the nuclear age, if you don’t count Madame Curie, the Polish woman who died from radiation poisoning.

Well I played with the computer Innocent Victim #2 (the one I found the sissy pictures on) and had it near perfect. From about a dozen, I got it down to one open exploit and dumped a few Trojans along the way. Not being satisfied, I decided to push a little harder and did a military wipe on the hard drive to get rid of any weird pictures and reinstall the operating system and antivirus.

What a stupid move!!!!

Now I had an older version of the operating system and when I went on line for updates, I was blocked and/or sent to a phishing msn.com look alike site for false updates. Really cool technology!!

I’ve definitely renamed the machine Tiger’s Tail #2 and intend to scientifically describe my capture of world class jumbieware and describe it in detail.

So without going on line, I did another DOD wipe of the hard drive and reinstalled Windows XP. The install was performed with a requested reformatting of the hard drive. I then did an exam and found I had 58 MS Vulnerabilities and Dialer_Coulomb. This confirmed the reproducibility of the infection as hardware based and not software based.

So as not to alter the state of the machine I once again did a DOD wipe of the hard drive. After reformatting and reinstalling, I intend to go on line with a dial-up account and update the computer. I will then upload the software to measure the changes, rewipe, reinstall, update and start surfing for the bad guys.

I don’t think I’ll have to do much to find them. I notice that if you do a Google search on mk:@MSITStore + dial-up, a couple of nasty porn sites make the top three pages of results and when you click on them, they start loading crap on your computer.

Hello world!

April 2, 2007

I intend this site to be a log of the activity of Tiger’s Tail #2. This computer will be engaged in the activity of capturing world class Trojans from the dark side of the net and trying to get rid of them using commercial products.

When I got slammed with my first set of jumbieware, I thought my machines were protected. Now they are being wiped clean and all software is being reinstalled. The infection and its progress are being logged at every step of the way.

I will be carefully monitoring the machine and it might get a little technical – so I decided to post all activity in this area on my new blog – Tickling the Tiger’s Tail.

Fat Savage