ET Call Home!

When the Government Wonks went after poor ET, he was at his weakest. He had been wandering in an Alien environment and was out of touch with his Master Ship.

So now I have this computer with a military strength Trojan hiding in the deepest darkest part of the system. I assault it by doing a 7 pass wipe of the hard drive guaranteed to wipe out all virus and spyware. When reinstalling the operating system, I reformatted the disc. Next, I installed Norton Antivirus and personal firewall. On top of that I installed the professional version of Adaware. Next a virus scan by Norton shows the system is safe. Now the system has never been online so it’s looking clean.

Then I run my Adaware pro to find that it has an Alternate Browser module which is part of the Coulomb Dialer and if you can believe their log, it is copyrighted by peoplepc. Imagine that, a copyright on a fucking Trojan. The sweep shows that the Dialer is still active so I remove it or that’s at least what I’m led to believe by the software.

Now the way to fuck up poor ET is to put it in sight of a phantom mother ship and that’s what I did. I plugged the computer into a router that was not connected to the Internet and the Trojan went nuts and started calling home. I found out from prior experience that once it makes contact with its master, it wipes out the log. So in this experiment, I printed and preserved the logs before I went online. In both cases I found ET issuing the exact same sets of commands.

The first is almost obvious. The computer is trying to make contact with the router through IP 0.0.0.0 port 1044. For those who don’t know, the IP address 0.0.0.0 is the port which avoids any DMZ established by your router. It would make a direct connection with the net with no router firewall. Port 1044 is in the range associated with the BLA Trojan. This is definitely not a legitimate software request.

The next event is that the Trojan tries to make contact with your computer at Port 1040 or 1041 to send a UDP packet to 239.255.255.250. Both times the machine was wiped clean, the startup contact was the same, so the instructions are not random but part of the initial programming for the Trojan. The only thing that changed between the first and second log was that the first time it tried to make contact with the same IP at ports 1042 and 1043.

The executable making the request is the famous svchost.exe which is necessary to connect to networks. Now my Adaware scan shows five different versions of this executable file running with the same name and file version but using different process ID numbers. It’s a logical assumption that at least one is associated with a Trojan. Since there are duplicate requests being made it’s possible that there is more than one Trojan operating and trying to make contact with the same IP.

So who is the contact? Is it Elbonia or some other third world eastern European nation? Not a chance. This is good old USA technology we can all be proud of. A traceroute to the IP is blocked but the whois result shows that the number is reserved for use by the Internet Assigned Numbers Registry for special use related to RFC 3171.
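A small triage script, added here as an example and not part of the original post, that takes personal-firewall log lines like the ones described above (constructed samples in an assumed format, not the author's real log), classifies each destination against the address ranges named on this page (0.0.0.0 and the 224.0.0.0/4 multicast block that RFC 3171 governs), and groups events by process name and PID so that several same-named svchost.exe processes are kept apart:

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines modelled on the events the post describes; the
# "proc pid proto src -> dst" layout and the destination ports are assumed.
SAMPLE_LOG = """\
2004-03-01 10:02:11 svchost.exe pid=912 TCP 192.168.1.5:1044 -> 0.0.0.0:1044
2004-03-01 10:02:12 svchost.exe pid=1004 UDP 192.168.1.5:1040 -> 239.255.255.250:1900
2004-03-01 10:02:12 svchost.exe pid=1004 UDP 192.168.1.5:1041 -> 239.255.255.250:1900
2004-03-01 10:02:13 svchost.exe pid=1320 UDP 192.168.1.5:1042 -> 239.255.255.250:1900
2004-03-01 10:02:20 browser.exe pid=1500 TCP 192.168.1.5:1050 -> 192.168.1.1:80
"""

# IPv4 multicast block (224.0.0.0/4); its assignment is what RFC 3171 describes.
MULTICAST_BLOCK = ipaddress.ip_network("224.0.0.0/4")

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) pid=(?P<pid>\d+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def classify_destination(addr: str) -> str:
    """Label a destination address by the special-use range it falls in."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0, the "this host" address
        return "unspecified"
    if ip in MULTICAST_BLOCK:      # 239.255.255.250 lands here
        return "multicast"
    if ip.is_private:
        return "private unicast"
    return "public unicast"


def parse_log(text: str) -> list:
    """Parse matching lines into dicts, skipping lines in an unknown format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("pid", "sport", "dport"):
            e[key] = int(e[key])
        e["dst_class"] = classify_destination(e["dst"])
        events.append(e)
    return events


def group_by_process(events: list) -> dict:
    """Key on (name, PID) so identically named processes stay distinct."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["proc"], e["pid"])].append((e["proto"], e["dst"], e["dport"], e["dst_class"]))
    return dict(groups)
```

Running `group_by_process(parse_log(SAMPLE_LOG))` yields one entry per (process, PID) pair, so each svchost.exe instance can be reviewed on its own rather than lumped together by name.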

Of course everyone will recognize this as the RFC number for establishing group protocols on the Internet. This is the same technology I described in an earlier blog on the shutdown procedure to establish the number of kiddie porn pictures on Mr. Stefanos machine.

Nice, huh? Everything is in place even before I have connected the machine to the Internet and started my search at the fringe area of kiddie porn. They will track my every move in my quest for knowledge.

Now you may understand why I turned Lot’s wife to salt and when something goes wrong and I don’t know what’s on the disc, I wipe it with a 7 pass Military Erase.

One Response to “ET Call Home!”

  1. ET Call Home! « The Gonzo Fat Savage Lifestyle Says:

    […] So now I have this computer with a military strength Trojan hiding in the deepest darkest part of the system. I assault it by doing a 7 pass wipe of the hard drive…..(Continued) […]
