#46

"Kerry Brown" <kerry*a*m> wrote in message news:2788

> "FromTheRafters" <erratic> wrote in message news:1144
>
> Interesting reading but as I read it the techniques used would be very
> specific to a limited number of systems (i.e. no generic attack) and
> blocked by the use of a TPM.

Yes. But a targeted attack against some very common traveling laptops like "Toughbook" or "Thinkpad" could yield quite a lot of compromised systems when they get back home. Maybe it seems just a little 'over the top' to some people, but this is just the sort of thing that makes the TPM necessary.

> The attacker would have to have some pre-existing knowledge of the target
> (or be very lucky) and the target couldn't be using a TPM. For anyone that
> would be a target of this kind of sophisticated attack I doubt they would
> leave a laptop with critical data on it unattended or even that they would
> be carrying a laptop with this kind of data on it. Anyone targeted this
> way would probably be as sophisticated as the attacker.

What data - it is not about data. It is about compromising the laptop's security. Maybe even compromising the 'system' it might be attached to back home. Maybe data is the final objective, but not necessarily data on that laptop.

> Paranoia abounds, but in real life it's rarely justified. In the context
> of the original question - we don't have enough data. If bitlocker or some
> other form of disk encryption wasn't in use and the OP is worried the
> solution is to wipe the hard drive and restore from a backup taken before
> travelling to China.

Yes, as reluctant as many people are to do this, it is often the best choice. Unfortunately, any forensic evidence would be lost in this case.

#47

"David H. Lipman" <DLipman~nospam~> wrote in message news:nz2d

> From: "FromTheRafters" <erratic>
>
> | Yes, it would be naive to think such things don't happen.
> | It's funny how "paranoid" one seems once he knows such things do happen.
> | I could tell you stories ... but I value my freedom. :o)
>
> *It's happening !*
>
> You said... "I could tell you stories".
>
> I am BARRED from saying what I know.

We're in the same boat in that respect. I won't even discuss that which I know to be declassified - it just ain't worth it.

> Since this is public knowledge...
> [..]

Thanks for the link - interesting the eavesdropping aspect.

#48

"FromTheRafters" <erratic> wrote in message news:a144

> Yes, it would be naive to think such things don't happen.
>
> It's funny how "paranoid" one seems once he knows such things do happen.
>
> I could tell you stories ... but I value my freedom. :o)

One line from the link provided by Mr Lipman:-

"I considered it my patriotic duty to bring it to the attention of some slightly scary government friends I have in Washington".

If you *know* that malicious code can be (and is) able to be stored in a 'computer' - other than on a hard drive - I firmly believe that you should share that knowledge with everyone, FTR.

Whilst the prime purpose of malware nowadays is to steal money, if this money is then used to fund terrorist activities around the world it is *your* duty to help to stop it IMO. Tell your 'stories' to EVERYONE!

Dave

#49

"~BD~" <~BD~> wrote in message news:4700

> "FromTheRafters" <erratic> wrote in message news:a144
>
> One line from the link provided by Mr Lipman:- "I considered it my
> patriotic duty to bring it to the attention of some slightly scary
> government friends I have in Washington".
>
> If you *know* that malicious code can be (and is) able to be stored in a
> 'computer' - other than on a hard drive - I firmly believe that you should
> share that knowledge with everyone, FTR.

I have been doing just that! If you choose to ignore it, or are unable to retain it for very long, or just sweep it aside as you appear to do, then that is of no concern to me.

There *is* a reason for 'wiping' a drive using multiple pass overwrites of random 1s and 0s. There *is* a reason to adopt boot axis validation of some kind (TPM). There *is* a need for encryption.

> Whilst the prime purpose of malware nowadays is to steal money, if this
> money is then used to fund terrorist activities around the world it is
> *your* duty to help to stop it IMO. Tell your 'stories' to EVERYONE!

My 'stories' are from outside of what we discuss here (crypto, ecm, sonar, radar, and weapons systems). It is my patriotic duty to keep things *from* the terrorists - an idea that our 'press' can't seem to fathom.

#50

It's not only money that can be stolen; what's more, your personal data being used and/or your company's data stored in your notebook.

If you're that willing, proceed to your nearest law enforcement cyber crime unit and file such for forensic examination. Federal satellite office units are available; look them up in your yellow pages, a much better option than their local police counterparts. They can trace it back if you still have some viable specimen of that keylogger.

"~BD~" <~BD~> wrote in message news:4700
[..]

#51

"Paul Adare" <pkadare> wrote in message news:6dlg

> On Thu, 30 Oct 2008 11:29:51 -0300, Juan I. Cahis wrote:
>
>> Unless you have set the BIOS password, which any respectable SysAdmin
>> of any respectable business corporation doing international business
>> should always have set.
>
> BIOS passwords are trivial to bypass. Any sys admin, respectable or not,
> who relies on those for security should be fired.

I'd far rather educate people than fire them - of course, it's nice to think that all the people you ever hire will have been educated before you hired them, but very few of us are born with perfect knowledge.

Alun.
~~~~

#52

"FromTheRafters" <erratic> wrote in message news:4776

> "~BD~" <~BD~> wrote in message news:4700
>>
>> If you *know* that malicious code can be (and is) able to be stored in a
>> 'computer' - other than on a hard drive - I firmly believe that you
>> should share that knowledge with everyone, FTR.
>
> I have been doing just that! If you choose to ignore it, or are unable to
> retain it for very long, or just sweep it aside as you appear to do, then
> that is of no concern to me.

Do I need to apologise, FTR? If so ......... I do so unreservedly! Lack of retention? A result of advancing years, I fear!

As it seems that you agree that, even if a new hard drive be installed, a computer may remain infected - please offer your thoughts as to where you believe malicious code may hide, ready to infect the hard drive again whenever it so chooses. Thanks

>> Whilst the prime purpose of malware nowadays is to steal money, if this
>> money is then used to fund terrorist activities around the world it is
>> *your* duty to help to stop it IMO. Tell your 'stories' to EVERYONE!
>
> My 'stories' are from outside of what we discuss here (crypto, ecm, sonar,
> radar, and weapons systems). It is my patriotic duty to keep things *from*
> the terrorists - an idea that our 'press' can't seem to fathom.

So ..... where *can* we discuss your stories, FTR? Another newsgroup/forum? Email?

Dave

#53

Donna Ohl <donna.ohl> writes:

> I was in Beijing, and I used my Windows PC there with a freeware firewall
> and freeware anti virus and freeware malware scanners.
>
> Recently a friend said nearly all American travelers were to be warned by
> the State Department that their laptops, if left in the hotel, were almost
> certainly compromised.
>
> How could I tell if a keylogger or other spyware was inserted onto my
> laptop by the Chinese?

recent news with more sophisticated flavor ... which mentions having lots of countermeasures against detection:

Three Year Old Trojan Compromised Half Million Banking Details - The exact origins of the Trojan have not been determined yet
[url down]

Trojan steals 500,000+ bank and card details
[url down]

'Ruthless' Trojan horse steals 500k bank, credit card log-ons
http://www.computerworld.com/action/...leId=9118 718

Advanced Trojan Virus Compromises Bank Info
http://www.redorbit.com/news/technol...nfo/index.html

Sinowal data-stealing trojan has infected half million PCs
[url down]

part of archived (linkedin) thread (regarding article from Kansas City FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that includes discussion of countermeasures for compromised PCs
http://www.garlic.com/~lynn/2008p.html#28
[url down]

#54

"Anne & Lynn Wheeler" <lynn> wrote in message news:dfsf
[..]
> [..]
>
> part of archived (linkedin) thread (regarding article from Kansas City
> FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that
> includes discussion of countermeasures for compromised PCs
> [..]
> [..]
>
> --
> 40+yrs virtualization experience (since Jan68), online at home since Mar70

Thanks for your post - I very nearly posted a similar article about the Sinowal virus this morning!

My understanding is that this virus can, and indeed does, install itself silently - without the knowledge of the user of the computer.

If the machine continues to all intents and purposes to 'work' the malware is unlikely to be discovered. However, let's suppose that I mention this 'nastie' to a friend and he says "How can I check to see if I have been infected?".

What answer should I give him?

Dave

#55

From: "~BD~" <~BD~>

| "Anne & Lynn Wheeler" <lynn> wrote in message
| news:dfsf
>> Donna Ohl <donna.ohl> writes:
>>> I was in Beijing, and I used my Windows PC there with a freeware firewall
>>> and freeware anti virus and freeware malware scanners.
>>> Recently a friend said nearly all American travelers were to be warned by
>>> the State Department that their laptops, if left in the hotel, were almost
>>> certainly compromised.
>>> How could I tell if a keylogger or other spyware was inserted onto my
>>> laptop by the Chinese?
>> recent news with more sophisticated flavor ... which mentions having
>> lots of countermeasures against detection:
>> part of archived (linkedin) thread (regarding article from Kansas City
>> FED: Can Smart Cards Reduce Payments Fraud and Identity Theft?) that
>> includes discussion of countermeasures for compromised PCs
>> [..]
>> [..]
>> --
>> 40+yrs virtualization experience (since Jan68), online at home since Mar70
| Thanks for your post - I very nearly posted a similar article about the
| Sinowal virus this morning!
| My understanding is that this virus can, and indeed does, install itself
| silently - without the knowledge of the user of the computer.
| If the machine continues to all intents and purposes to 'work' the malware
| is unlikely to be discovered. However, let's suppose that I mention this
| 'nastie' to a friend and he says "How can I check to see if I have been
| infected?".
| What answer should I give him?
| Dave

Leave to people with a greater understanding.

The Sinowal is a trojan NOT a virus !

#56

"David H. Lipman" <DLipman~nospam~> wrote in message news:1160
[..]

#57

From: "~BD~" <~BD~>

| I had hoped that you might have said something along these lines:-
|
| "If you suspect that you have a system that is infected with this rootkit,
| to prevent it from loading, all that is required is to write a known-good
| copy of a master boot record back to the disk to prevent the rootkit driver
| from being loaded on the next reboot! Fortunately, we have made that a
| fairly painless process with the Windows Recovery Console and the 'fixmbr'
| command!
|
| Here are some instructions for using the Windows Recovery Console:
|
| Windows XP instructions: [url down] (just type 'fixmbr' in the console)
|
| Windows Vista instructions: [url down] (just type 'bootrec.exe /fixmbr' at the console)
|
| After restoring a known-good MBR to the hard drive, you should be able to
| start Windows and perform an on-line antivirus scan to detect and remove any
| of the malware components or any other malware that may have been installed
| on the system and hidden by the rootkit. You can use the Windows Live
| OneCare Safety Scanner at [url down] to perform such a scan. It
| includes all the signatures for this malware"
|
| [url down] sinowal-a-report.aspx
|
| FWIW
| Dave

No, it is NOT semantics. Just like it was not semantics when you could self determine that;

news.microsoft.com == msnews.microsoft.com

This was never a virus, calling it such is like calling a Ford Escort a Cadillac Coupe deVille. Both are cars but they are not synonymous. Trojans and viruses are both malware but they are not synonymous.

As for the set of instructions... Again leave it to the more knowledgeable instead of copying and pasting. Gmer has the tools to deal with this Trojan RootKit.

Additionally, going to a web site such as [url down] to perform a scan only complicates matters. The problem here is that you are using a high level function (Browser and ActiveX control) with a low level modification. The *best* utilities for such are those that work and operate at a lower level.

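A defender-side check behind the "write a known-good MBR back" advice quoted above, added here as an illustration and not code from this thread or from any of the tools it mentions: it parses a 512-byte MBR image, validates the 0x55AA boot signature, decodes the partition table, and hashes only the 440-byte bootstrap code area so the result can be compared with a baseline recorded while the machine was known clean. The sample sector and its tampered copy are constructed inline; the baseline hash value is whatever you record on your own clean machine.

```python
import hashlib
import struct
from collections import namedtuple

BOOTSTRAP_LEN = 440   # bootstrap code area: bytes 0..439
PART_TABLE_OFF = 446  # four 16-byte partition entries follow the disk signature
SIGNATURE_OFF = 510   # 0x55 0xAA boot signature closes the 512-byte sector
PartitionEntry = namedtuple("PartitionEntry", "bootable part_type lba_start sectors")

def parse_partitions(mbr: bytes) -> list:
    """Decode the four classic partition entries, skipping empty slots."""
    entries = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries

def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == 512 and mbr[SIGNATURE_OFF:] == b"\x55\xaa"

def bootstrap_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()

def check_mbr(mbr: bytes, known_good_hash: str) -> dict:
    """Compare a sector read from disk with a baseline hash recorded while the
    machine was known clean. Only the bootstrap code is hashed: the disk
    signature and partition table legitimately differ between machines."""
    return {
        "valid_signature": has_boot_signature(mbr),
        "bootstrap_modified": bootstrap_hash(mbr) != known_good_hash,
        "partitions": parse_partitions(mbr),
    }

def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk image: fake bootstrap bytes, a disk
    signature and one bootable NTFS (type 0x07) partition at LBA 63."""
    bootstrap = bytes((i * 7) & 0xFF for i in range(BOOTSTRAP_LEN))
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000) + b"\x00" * 48
    return bootstrap + b"\x12\x34\x56\x78\x00\x00" + table + b"\x55\xaa"

def tamper(mbr: bytes) -> bytes:
    """Constructed 'infected' copy: bootstrap bytes altered, partition table and
    signature untouched, so the disk still boots and passes a casual check."""
    return b"\x90" * 16 + mbr[16:]

if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = bootstrap_hash(clean)  # record this while the machine is known clean
    for label, sector in (("clean", clean), ("tampered", tamper(clean))):
        print(label, check_mbr(sector, baseline))
```

A sector read through an infected, running Windows can be hidden by a kernel-level rootkit, which is the point made above about low-level tools; take the image from offline boot media (for example with dd) and record the baseline before travelling.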
#58

"David H. Lipman" <DLipman~nospam~> wrote in message news:4136
[..]
> such are those that work and operate at a lower level.
>
> --
> Dave
> [..]
> Multi-AV - [..]

Thank you for your reply, Mr Lipman.

You have once again carefully avoided telling me and other readers anything at all about you and/or your technical expertise/qualifications.

I'd given an example only - not a solution to a specific scenario. So, I'll ask again ................

If a computer shows NO sign of infection but a user wishes to check that there is, indeed, no malware present WHAT action should the PC user take?

Dave

#59

From: "~BD~" ~BD~

| Thank you for your reply, Mr Lipman.
|
| You have once again carefully avoided telling me and other readers anything
| at all about you and/or your technical expertise/qualifications.
|
| I'd given an example only - not a solution to a specific scenario. So, I'll
| ask again ................
|
| If a computer shows NO sign of infection but a user wishes to check that
| there is, indeed, no malware present WHAT action should the PC user take?
|
| Dave

Once again Mr. Troll you are hijacking someone else's thread.

I have been in this thread since it was cross-posted by Donna Ohl on 10/26 to...

alt.internet.wireless, alt.privacy.spyware, microsoft.public.security

It was you who altered the header to post to microsoft.public.security.homeusers, microsoft.public.security.virus

EoD

#60

"~BD~" <~BD~> wrote in message news:4372

> "FromTheRafters" <erratic> wrote in message news:4776
>> "~BD~" <~BD~> wrote in message news:4700
>>>
>>> If you *know* that malicious code can be (and is) able to be stored in a
>>> 'computer' - other than on a hard drive - I firmly believe that you
>>> should share that knowledge with everyone, FTR.
>>
>> I have been doing just that! If you choose to ignore it, or are unable to
>> retain it for very long, or just sweep it aside as you appear to do, then
>> that is of no concern to me.
>
> Do I need to apologise, FTR?

Not to me.

> If so ......... I do so unreservedly! Lack of retention? A result of
> advancing years, I fear!

*That* I can understand. :o)

> As it seems that you agree that, even if a new hard drive be installed, a
> computer may remain infected ...

I am not personally aware of any case where the modified code (external to the harddrive) can serve any useful purpose once 'disconnected' from the rest of the code on the affected harddrive. It is however theoretically possible.

In case you didn't follow the link I posted previously on this subject, here it is again:

[url down]

The code that runs before the code on the harddrive runs, can be used by malware to 'get in front of' other code during the OS loading process. That is - it pays to be first - but only a fragment of the malware 'program' is able to fit in there. Once the harddrive is *clean* you may still have the malware fragment 'doing something' - but it may be severely limited now that the rest of the malicious program's code is missing.

So, even replacing an affected harddrive with one shiny new from the box does not completely *clean* a computer. It doesn't necessarily follow that the remaining code can rejuvenate the malware responsible for the initial infestation either though.

> - please offer your thoughts as to where you believe malicious code may
> hide, ready to infect the hard drive again whenever it so chooses.
> Thanks

Code doesn't have to infect, infest, or respawn to be considered 'malicious'. Let's just assume the computer won't boot properly now, or your graphics card won't get the resolution it used to. The malware relocated some of the card's code so that *it* could have this 'front row seat' for nefarious purposes. Now that the rest of the code has been removed from the harddrive by format, fdisk /mbr, or replacement of the harddrive you lose whatever functionality it had.

[snip]

> So ..... where *can* we discuss your stories, FTR? Another
> newsgroup/forum? Email?

That's just it - we can't - because *I* can't - under penalty of imprisonment or worse. I take my promises seriously, and so does my government. :o)
