Forensics

Resume: AmatuerForensics

(old: http:// ww w .blue collar pc .net /forensics.html [All BlueCollarPC.Net Created Oct 2005 closed Oct 2009])

Resume: AmatuerForensics Build “Pseudo 14 Teredo Trojan Botnet Attack”

SOURCE: Resume: AmatuerForensics Build “Pseudo 14 Teredo Trojan Botnet Attack”….. htt p :/ / CLOSED bluecolla rpc .net/smf /index.php?topic=380.0

[NOTE: this is in no way a “job interview” but meant in the sentiment by Beatle John Lennon at Let It Be (rooftop) at the end saying, “I would like to say thank you on behalf of the group and myself and I hope we passed the audition” LOL]

Resume: Amatuer Forensics Build “Pseudo 14 Teredo Trojan Botnet Attack”….. _________________________________________________________________________.

A  ~  W O R K  –  IN  –  P R O G R E S S ….. (“Knowledge shall be the stability of thy times…”)

Logs: Botnet Attack-Denial Of Service,Catastrophic damage,MSN.com subscribers targeted
http://tech.groups.yahoo.com/group/BlueCollarPC/message/2450

“Pseudo 14 Teredo Trojan Botnet Attack” – Botnet Attack-Denial Of Service,Catastrophic damage,MSN.com subscribers targeted
htt p : / / CLOSED groups.google.com/ group/Blue CollarPC/br owse_thread/thread/3228b2bc1ca5da8e

BLOG: Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack, January 28, 2009
htt p :/ / CLOSED bluecolla rpc.wo rdpress.com/20 09/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/
Tags: malware, trojan, botnet, pseudo, 14, IPv4, IPv6, tunneling, attack, worm, virus

RESUME: WEBMASTER BLUECOLLARPC.ORG DOMAIN / AMATEUR SECURITY FORENSICS
BCPCGroup ~ The BlueCollarPC.Org Website Security Group
NOTICE BlueCollarpc.Net CLOSED OCT 2009 !
——————————————————————————————

((( FORENSICS – BUILD )))—> building pc incident security forensics

Temporary amateur build of a full amateur forensics submission, ongoing; this text will be removed upon completion !

AMATEUR PC SECURITY FORENSICS TITLE: “Pseudo 14 Teredo Trojan Botnet Attack”

INFECTION DATE Scan Time: 12/18/2008 4:02:15 PM

ESTIMATE: [transport Bug in the Environment] …

DEFINITION—-> bug (Last modified: Wednesday, July 16, 2003) http://www.webopedia.com/TERM/b/bug.html
An error or defect in software or hardware that causes a program to malfunction. Often a bug is caused by conflicts in software when applications try to run in tandem. According to folklore, the first computer bug was an actual bug. Discovered in 1945 at Harvard, a moth trapped between two electrical relays of the Mark II Aiken Relay Calculator caused the whole machine to shut down.

NON SAMPLE—> Unix transport bug (and a possible fix), 20 Jun 2003 15:58:02 +0200 http://lists.freedesktop.org/archives/dbus/2003-June/000389.html

SYMPTOMATOLOGY: All System Restore Points deleted (several). Windows System Restore access blocked (blank white pages). Access in all browsers blocked to security sites (blank white pages) and also MSN.com customer settings (blank white pages) along with blocking Internet Explorer from installation finalization in retrograde from version 7 back to 6 and back again creating their circle jerk game for MSN Customers (blank white pages) via the Run Once webpage needing 2 clicks to complete installation – with all identity wiped in the browser and DNS information, no connectivity (broadband/dsl). Blocking meaning these were all blank white browser pages including the Google Pack panel and Trend Micro Internet 2009 panel. Help files booby trapped with virus. Access blocked to Computer shortcuts and browsers online to Windows Updates. Some log files deleted. Windows > Search function feature access blocked – blank white page. Control Panel > Users access blocked as blank white page. Others…. able to access Microsoft Baseline Analyzer online – visible, but radio buttons access blocked – kept clicking button nothing happened, cursor mouse inoperative just on button clicks at website for scan begin. More…..

SYNOPSIS: [Apparent rootkit technologies in partiality are mechanism performing registry injection of false keys and files and payload facilitation – affording creation of a false positive detection and payload entry and transport via subsequent restore action as vehicle. The command registry injection by the limited rootkit technologies (stripped version apparently) and upload payload files constitute a “transport bug in the environment – matrix” as absence precludes delivery detection malicious and operative upon action taken. There were no valid detections basis for triggering false positive offered.]

DIAGNOSIS
# Injection 14 values here: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15 (Apparently causing blank white background on shells, browsers). Apparent encapsulated payload delivery and encapsulated ‘kiddie script’ as registry injection mini-load creating many type above and other keys in the various affected places to fake the appearance as a trojan via visual navigation behaviors.
# Worm present as all System Restore Points deleted.
# DNS broadband/dsl connectivity information wiped in system, connectivity destroyed, several security softwares disabled….
# Security scan logs do indicate major worm, traces of another major worm, spyware packages installed, additional viruses activated in Help Files and Downloader Trojan reported as installed.
# Apparent encapsulated payload delivery.
# SUMMATION: Damages 99.999 Percent of time defines a criminal botnet attack attempting even ‘spoofing’ of broadband/dsl connection and hijacking the computer immersing in crimeware botnet.

PROGNOSIS: Hijacking of PC into botnet for illegal piracy software exchange – foiled !
# Windows Installer corrupted by viruses all the way back through Service Packs to version 2.0, thus denying installation and uninstallation ability.
# Peer To Peer (P2P) package installed.
# Windows NetMeeting hijacked to perform file swap and possible IRC relay communications – “Command and Control”. (original blast – “chatter detected”).

PAYLOAD DETECTED:

Worm (exlorer .exe) http://www.neuber.com/taskmanager/process/explorer.exe.html
Trace.Registry.Blubster (several)
Trace.Registry.SpyPc 8.0!A2 (several)
Worm.Win32.Otwycal.c
Trace.File.Borzoi
Trojan-Downloader.Win32.Agent.bkw
Trace.Registry.Internet Cleanup 5.0 (couple)
Trojan.Small.jhy.5632
Virus.Win32.Patched.B!IK
Virus.Win32.Patched.B!IK
Win32.Luder!IK (several)
Virus.Win32.Nsag.A!IK (several)
Virus.Win32.Virut.q!IK (several)
Trojan.Win32.Anomaly.D!IK
Virus.Win32.Virut.bo!IK
Win32.Virtob.8!IK (couple)
Virus.Win32.Virut.ar!IK
Virus.Win32.Virut.as!IK (couple)
Virus.Win32.Luder.B!IK
Win32.Luder!IK (several)
Virus.Win32.Nsag.A!IK (several)
Trojan-Downloader.Win32.Small!IK
Trojan-Dropper.Agent!IK
Trojan-Downloader.Win32.Agent.bkw

 

STATUS: [Restored, Windows Installer remains damaged – inoperative after several fix attempts]

CLARIFICATION….. Clarification – “pseudo trojan” is my term for a fake trojan unique to this infection payload.

RELATED: MAJOR ZERO DAY THREATS – WINDOWS UPDATES PATCHES ISSUED FOR:
# WMF meta file Zero Day
# .AniCursor Zero Day
# VML Zero Day (Vector Mark Up)

BLOGS ~ LISTS ~ GROUPS…..

Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack
January 28, 2009 by bluecollarpc
htt p CLOSED ://bluecollarpc.wordpress.com/2009/01/28/death-of-a-sails-man-pseudo-14-teredo-trojan-botnet-attack/
I guess a good name for this one is “Death Of A Sails man” ….. in referring to all the fun years on my Windows XP
Home Edition Personal Computer. Sailing, surfing – you get it.
Conficker Worm Targets Microsoft Windows Systems – Overblown?
March 30, 2009 by bluecollarpc
htt p CLOSED ://bluecollarpc.wordpress.com/2009/03/30/conficker-worm-targets-microsoft-windows-systems-overblown/
Security tip for Vista Firewall, others, against Conficker threats (Symantec)…..
April 8, 2009
htt p CLOSED://bluecollarpc.wordpress.com/2009/04/08/security-tip-for-vista-firewall-others-against-conficker-threats-symantec/
Tags: Conficker, firewall, open port, Port 5357, teredo, Vista Firewall
Restoring false positive threat from Quarantine, Safe Mode dangers
April 3, 2009
htt p CLOSED ://bluecollarpc.wordpress.com/2009/04/03/restoring-false-positive-threat-from-quarantine-safe-mode-dangers/
Tags: back up, botnets, false positive, kiddie scripts, registry, restore point, safe mode, safe practices, system restore, worms
Conficker Worm Targets Microsoft Windows Systems – Overblown?
March 30, 2009
Tags: botherder, botlord, botmaster, botnet, IPv4, IPv6, kiddie scripts, psuedo teredo, teredo, tunneling, worm, zombie, zombie networks
BCPCNet-Modcasts: “Malware Botnet Cartel” by BlueCollarPC.Net
February 12, 2009 by bluecollarpc
PLAY))) Malware Botnet Cartel (BCPCNet-Modcasts)
htt——-CLOSED
COMMENTS: (bluecollarpc) htt p CLOSED ://ww w. bluec ollarpc.net/

Cybercrime Treaty Gains Momentum…
Article: http://www.networkworld.com/news/2008/040108-cybercrime-treaty-gains-more-interest.html?fsrc=rss-security
Council Of Europe:
http://www.conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG
Vista User Account Control gets perfect score – rootkits – use disabling tweaks ?
By bluecollarpc
ht t p CLOSED ://bluecollarpc.wordpress.com/2008/08/28/vista-user-account-control-gets-perfect-score-rootkits-use-disabling-tweaks/
Freeware security was a solution – once upon a time…..
August 29, 2008 by bluecollarpc
htt p CLOSED ://bluecollarpc.wordpress.com/2008/08/29/freeware-security-was-a-solution-once-upon-a-time/

COMMENTS ~ PUBS

LET’S AVOID…..
US Consumers robbed: $8.5 Billion by online threats – throw PCs in trash
August 11, 2008 by bluecollarpc
ht tp CLOSED ://bluecollarpc.wordpress.com/2008/08/11/us-consumers-robbed-85-billion-by-online-threats-throw-pcs-in-trash/
U.S. Consumers Lost Nearly $8.5 Billion to Online Threats (Kansas City InfoZine)
Spyware accounts for $3.6 B in losses; 2.1 million computers replaced due to malware
8/8/2008 5:44 AM http://www.infozine.com/news/stories/op/storiesView/sid/29832/
Tunneling to circumvent firewall policy
http://en.wikipedia.org/wiki/Tunneling_protocol#Tunneling_to_circumvent_firewall_policy

——————————————————————-/.

COMMENTS ATTACHED: (REPLIES) “~~~ BUILD NOTES…..~~~” .

_____PRESS_____

Security Software Disabler Trojan http://inews.webopedia.com/TERM/S/security_software_disabler_Trojan.html

Botnet – Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Botnet

botnet Definition: TechEncyclopedia http://www.techweb.com/encyclopedia/defineterm.jhtml?term=botnet

Botnet : Definition From Webopedia http://www.webopedia.com/TERM/b/botnet.html

Article: Battling the Botnet Pandemic Lavasoft News – March 2007

http://www.lavasoft.com/company/newsletter/2007/2_28/article2.html

Battling the Botnet Pandemic. Your home computer may be among the millions of PCs that are under the control of criminals, and worse yet, you may not even be aware of it.

Article: Botnet – CNET News.com

http://news.com.com/Security+from+A+to+Z+Botnet/2100-7355_3-6138435.html

Security from A to Z: Botnet | CNET News.com | These armies of zombie PCs are used by cybercriminals for sending spam. Part of a series on …

Article: Botnet Basics http://www.eweek.com/article2/0,1895,2097976,00.asp

Botnet Basics Bots are software applications that run automated tasks over the Internet. A network of bots working under a central command and control center is a botnet. This eVideo seminar looks at the basic …

Article: Botnet Battle Already Lost? http://www.eweek.com/article2/0,1759,2029720,00.asp

Is the Botnet Battle Already Lost? Botnets have become a big underground business, and the security industry has few answers. eWEEK … It’s dress-down Friday at Sunbelt Software’s Clearwater, Fla., headquarters. In a bland cubicle on …

MSNBC: The lowdown on ‘Bots’ http://www.msnbc.msn.com/id/17805145/

The lowdown on ‘Bots’

What are ‘bots’? “Bots” – short for robots – are hijacked computers that are infected by computer viruses and then used by criminals and pranksters for a variety of criminal and malicious purposes.

Who controls ‘bots’? The criminals behind “bots,” known as “bot herders,” assemble armies of infected computers, often between 50,000 and 70,000 PCs strong, that they can then charge customers for the use of. The going rate for sending spam is $5,000 a day or more, according to Howard Schmidt, former White House cyberczar.

What are ‘bots’ used for? “Bots” are used to spread malicious programs, send spam, fuel “pump-and-dump” stock schemes and launch denial-of-service attacks, among other things.

How many ‘bots’ are there? Internet founding father Vint Cerf recently estimated that 150 million computers have been hijacked. Most other experts believe that figure is too high, but there is general agreement that “bots” number in the millions, if not the tens of millions.

How can I tell if my computer is a ‘bot’? You can’t necessarily. Antivirus software will catch most known viruses, but new ones are being created all the time. It used to be that poor performance often tipped off users that their computers had been infected, but “bot herders” now distribute tasks among thousands of computers to avoid tell-tale crashes.

More:

How big is the botnet problem? Feature By Julie Bort, Network World, 07/06/07

http://www.networkworld.com/research/2007/070607-botnets-side.html?fsrc=rss-security

Types of attacks: Botnets

Cross-site scripting: Inserting malicious JavaScript into the header of an otherwise legitimate Web site.

DNS cache poisoning: Hacking a DNS so that it directs people who enter legitimate URLs to the hacker’s malicious Web site.

iFrames: Invisible frames capable of executing malware.

Pharming: Creating an illegitimate copy of a real Web site and redirecting traffic to the phony site to obtain information or download malicious code.

Pretexting: Pretending to be a legitimate entity to lure people to malicious sites.

Toxic blogs: Uploading links to malicious Web sites, or when blogs support HTML or scripts, uploading malicious code or using iFrames.

——————————————————————————–
~~~ BUILD NOTES…..~~~

AMATEUR FORENSICS SYNOPSIS – NOTE – DEFINING TERM USED “ENCAPSULATION” – CLARIFICATION…

This was, of origin, declared an “in the wild threat” by me. The original posts defined that, in detail, blow by blow – and finally easily understood line by line. This began with the incorrect (false positive) and partial “detection” as a trojan as the threat payload which in reality was a full blown Conficker worm type botnet (worst). One and two parts and so on of the highly deceitful payload where as an enormous skyscraper size threat/damage which in reality to Advanced Users was an ant size minimal “joke program” threat – the lethal “kiddie script” added.

Encapsulation, in my best guess opinion as my “Amateur Forensics”, in – two manners – caused, first, the trojan false positive and second ALSO getting the unknown in the wild virus (lethal kiddie script) under the wire undetected by other existing real time antivirus that was in place and running up to date when the payload hit (while security suite was in uninstall/renewal state). That (lethal kiddie script) did the registry changes (malicious changes). But it goes a little further – A LOT FURTHER….. Also disguised and delivered were at least one well known worm and three other viruses which FINALLY were detected by scans before executing. Now, how the hell did that happen? Right, IMPOSSIBLE. So in real world, although the lethal kiddie script had basically only performed all the result/symptom “blank white pages” which are the blocking of getting to security sites as well acting very much like “Restricted Sites” feature of Windows and behavior result of a trojan – in real world the entire payload was disguised (encapsulated) and this was one small part of the whole package. It (lethal kiddie script) ran first and was instantaneous. The worm ran simultaneously but took at least 4 seconds minimal to 6 to delete the several System Restore Points in Windows System Restore – and which was now blocked via the malicious registry changes already performed by the “lethal kiddie script”.

“Malicious Encapsulation” in computers is simply attempting to put a detectable malicious malware threat inside a package best disguising it and passing off as safe or okay communication. Or even more simply – like the infamous Unabomber that tragically sent out “mail bombs” to several persons. These got past everyone appearing as friendly normal safe mail packages on the outside and of course a nightmare was inside.

It is entirely unfathomable to believe that existing real time protection antivirus in place running (proactive – not reactive stand alone free scanner) and, even a firewall to some extent, did not block (antivirus) or in the least detect (firewall) malicious behavior and/or malicious content of the major part of the payload delivered as the “same-name threat” – that old and well known worm file called “Explorer.exe”. This is a “same-name threat” meaning it has the same file process name as one in Windows (other softwares) and here, Explorer.exe which of course is Windows Explorer (where you access all files on the computer and the Windows Operating system files). And so here we are. An older than the hills recrafted worm introduced with and by an unknown malicious script (lethal kiddie script) that was “encapsulated” to appear as a false positive trojan or downloader trojan. In the very least one must admit there were two malicious mechanisms of deceit – one being the one that caused a false positive to make the package look like a downloader trojan to a well known antispyware program and the other that disguised a large enough worm and at least 3 viruses to install without detection. In reality, could be the same as one mechanism. Like I said this is best shot as “Amateur Computer Security Forensics” – this entitling me. LOL.

ALL “ENCAPSULATION” MEANS HERE – IDENTIFIED BY ME – IS AS BEST GUESS AMATEUR FORENSICS THAT ENCAPSULATION CODING WAS USED TO FOOL KNOWN ANTISPYWARE AND WENT UNDETECTED BY ANTIVIRUS PROGRAMS AS UNDER THE WIRE DISGUISING – AND PAST TWO EXISTING UNDAMAGED FIREWALLS, ONE BEING WINDOWS XP FIREWALL. GRANTED COMODO FIREWALL MAY HAVE NOT BEEN FULLY CONFIGURED YET BY ME FOR FULL PORT STEALTH AND RECOMMENDED SECURITY LEVELS. I WAS VERY BUSY PAST HORRIFIED MAKING ALL NOTES DURING INVESTIGATION WHILE REPAIRS ONGOING AND AS BEST POSSIBLE AND NOW NOTICING A COUPLE DETAILS LIKE THAT WERE NOT NOTED. THIS IS NOT ABOUT A BLAME GAME SO THAT LINE IS INSIGNIFICANT HERE. WHAT THIS IS – IS THE “ANATOMY OF A BOTNET HIT” – HOW AND WHAT FOR SAKE OF A BETTER HOME SECURITY DEFENSE ON THE AVERAGE PC WORLDWIDE AND AS WELL TO ANSWER THE QUESTION “WHAT THE HELL DOES A BOTNET DO ONCE INFECTING THE COMPUTER AND HOW THE HELL DOES IT GET THERE IN THE FIRST PLACE?” – THE ANSWER BEING – HERE YOU ARE LOOKING RIGHT AT ONE !

This (encapsulation – computer) is perhaps a fancy way to describe a typical new unknown virus in the wild – OR may be even a new coding completely unknown to any conventional malicious script disguising. In the very least, I think it must be agreed that the Comodo Suite Firewall/Antivirus would have CERTAINLY detected the all too common all too used malicious “explorer.exe” payload. Perhaps it (Comodo Antivirus) is not even “West Coast Certified” yet in its infancy even. That’s disastrous, as famous and like top three worldwide antispyware “Counterspy” has added antivirus that wasn’t (West Coast Certified) and created the “Vipre” suite minus firewall. I have tried Vipre recently (Holidays 2008) and found that out and as fast as I was reading that I saw they are now certified I believe. Look it up. I am looking up Comodo Antivirus for certifications. For we students in the College of Hard Knocks – once certified you are no longer called “crapware” publicly. Once certified enables the program as a contender in the major market – the coveted accomplishments. Certification brings proven factual trust opposed to a “false sense of security” – example: one with crapware antivirus telling everyone, being a newbie, “yeah I am full protected with my AV”. There are now over 1 million viruses. If the antivirus does not have these signature detection and removal definitions – duhh, you are NOT protected.

SEE….. ….. …..

West Coast Labs West Coast Labs (WCL) is one of the world’s leading independent test facilities. We are a global leader in research, testing and certification for … http://www.westcoastlabs.org/

ALSO…..
Process name: Windows Explorer
Product: Windows
Company: Microsoft
File: explorer.exe
Security Rating:
http://www.neuber.com/taskmanager/process/explorer.exe.html

This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn’t as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system. Note: The explorer.exe file is located in the folder C:\Windows. In other cases, explorer.exe is a virus, spyware, trojan or worm! Virus with same name: W32.MyDoom.B – Symantec Corporation and other…
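The “same-name threat” check described above (a process called explorer.exe that does not run from the Windows folder), as an added example that is not part of the original post. The System32 entries, the look-alike test, the `C:\WINDOWS` root and the sample process list are assumptions constructed for illustration.

```python
import csv
import io
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default Windows XP install folder

# Folder (relative to SYSTEM_ROOT) each protected name must run from.
# explorer.exe -> the Windows folder is stated in the text above; the
# System32 entries are an added generalization of the same check.
EXPECTED_SUBDIR = {
    "explorer.exe": "",
    "svchost.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "winlogon.exe": "system32",
    "csrss.exe": "system32",
}

# Constructed sample of "pid,image path" rows; not data from the incident.
SAMPLE = r"""1204,C:\WINDOWS\Explorer.EXE
640,\??\C:\WINDOWS\system32\csrss.exe
900,C:\WINDOWS\System32\svchost.exe
1888,C:\WINDOWS\system32\explorer.exe
2040,C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
2100,C:\WINDOWS\system32\svch0st.exe
2200,C:\Program Files\Mozilla Firefox\firefox.exe
2300,lsass.exe
"""


def normalize(path, system_root=SYSTEM_ROOT):
    """Return a lower-case, dot-dot-free Windows path for comparison."""
    p = path.strip().strip('"')
    # Process listings often show native prefixes on system processes.
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    if p.lower().startswith("\\systemroot\\"):
        p = system_root + p[len("\\systemroot"):]
    return ntpath.normpath(p).lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path, system_root=SYSTEM_ROOT):
    """ok | same-name | look-alike | no-path | unlisted"""
    folder, name = ntpath.split(normalize(path, system_root))
    if name in EXPECTED_SUBDIR:
        if not folder:
            return "no-path"  # name only: location cannot be verified
        expected = ntpath.normpath(
            ntpath.join(system_root, EXPECTED_SUBDIR[name])).lower()
        return "ok" if folder == expected else "same-name"
    if any(edit_distance(name, known) <= 1 for known in EXPECTED_SUBDIR):
        return "look-alike"
    return "unlisted"


def scan(listing, system_root=SYSTEM_ROOT):
    """Return (pid, path, verdict) for every row that needs a closer look."""
    findings = []
    for row in csv.reader(io.StringIO(listing)):
        if len(row) != 2:
            continue
        pid, path = row
        verdict = classify(path, system_root)
        if verdict not in ("ok", "unlisted"):
            findings.append((int(pid), path, verdict))
    return findings


if __name__ == "__main__":
    for pid, path, verdict in scan(SAMPLE):
        print(f"{verdict:10} pid={pid:<5} {path}")
```

A “same-name” or “look-alike” verdict is a reason to inspect the file (signature, hash, creation time), not proof of infection; a file infector that patches the genuine binary in place passes a path check.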

*
Related botnet activities information ….. SEE ….. (related botnet activites possible)

Tunneling to circumvent firewall policy

http://en.wikipedia.org/wiki/Tunneling_protocol#Tunneling_to_circumvent_firewall_policy

IP spoofing http://www.webopedia.com/TERM/I/IP_spoofing.html

(ī-pē spoof´ing) (n.) A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host. Newer routers and firewall arrangements can offer protection against IP spoofing.

US-CERT Vulnerability Note VU#800113 http://www.kb.cert.org/vuls/id/800113

DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique … all rely on an attacker’s ability to predictably spoof traffic,…

DNS cache poisoning – Wikipedia, the free encyclopedia Aug 18, 2008 … China has been accused of engaging in DNS poisoning, as part of the Golden Shield Project, for particular sites or networks which violate … http://en.wikipedia.org/wiki/DNS_cache_poisoning

Shocker DNS spoofing vuln discovered three years ago by a student … http://www.theregister.co.uk/2008/07/09/dns_bug_student_discovery/ Jul 9, 2008 … In order to spoof a DNS request it’s necessary to “guess” both the Query … Vendors form alliance to fix DNS poisoning flaw (9 July 2008) …

 

NOTES: “LETHAL KIDDIE SCRIPT” IS MY TERM AS MEANING THE REAL KIDDIE SCRIPTS THAT WERE AMONG THE ORIGINAL VIRUSES WERE PRODUCED GENERALLY BY YOUNG AGED PERSONS AS A SHOW OFF TO HURT OR BREAK INTO A SYSTEM AS HACKER BUT MORE AS A SHOW OFF OR PROOF OF CONCEPT EVEN. HERE – SAME TYPE OF MALWARE BUT NOW WRITTEN UP TO INTENTIONALLY CAUSE MALICIOUS DAMAGE – “LETHAL”.

SEE…… terms – malicious code malicious script etc. Malware From Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Malware

What is script kiddie? – A Word Definition From the Webopedia … This page describes the term script kiddie and lists other pages on the Web where you can find additional information. http://webopedia.com/TERM/S/script_kiddie.html

BOTTOM LINE…. This is my first and probably last (maybe first of many?) actual “botnet attack” malware installations I have ever given any Malware Removal Help for – ironically being in my own machine. Best first hand example for experience and as Microsoft websites tell you in malware area webs to ‘don’t get all hung up in where this that and the other thing or how and why and so on – but rather concentrate on best effort of full clean removal and just move on’ – …..along those lines. That’s great advice except for Helpers who need to be on top as much as anyone in IT Security to be credible or trusted.

ENCAPSULATION – GOOD GUYS AND SEE “REAL TIME PROTECTION” AND “HEURISTICS” IN ANTIVIRUS AND ANTISPYWARE AND BEHAVIOR DETECTION…. etc.

EXAMPLE: “System and method for providing exploit protection with message tracking …… determining whether an encapsulation has been applied to an attachment associated with a message and unencapsulating such encapsulated attachment…..”

System and method for providing exploit protection with message tracking – A method and system for providing protection from exploits to devices connected to a network. The system and method include a component for determining whether an encapsulation has been applied to an attachment associated with a message and unencapsulating such encapsulated attachment, and a component that performs at least one decompression … http://www.patentsurf.net/6,993,660 FULL http://www.patentsurf.net/6,941,478

MORE…..

NOW…. TO ADD TO MY AMATEUR FORENSICS …..

YOU ARE GOING TO SEE ONE OF THE SECRETS OF THIS DARK SIDE OF THE INTERNET CRIMEWARE MALWARE BOTNET HERE…..

IF YOU WILL REMEMBER THE “SHELL” REGISTRY KEYS STRAIGHT ACROSS THE BOARD THAT MADE ALL THE BROWSER AND SHELL WINDOWS TO DISPLAY BLANK WHITE PAGES….. HERE:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\15

SEE….. Most Recently Used – Wikipedia, the free encyclopedia Jun 15, 2007 … Most Recently Used (MRU) may refer to: A specific menu in Microsoft Windows, see Common menus in Microsoft Windows; An uncommon method of … http://en.wikipedia.org/wiki/Most_Recently_Used http://en.wikipedia.org/wiki/Common_menus_in_Microsoft_Windows

That is a proper key with an additional copycat 14 value key. This corruption / rewrite of the key was extremely odd as kind of seeing doubles. One key, split, both values like seeing doubles of the key itself. SHOTZIE….. BINGO ….. GOTCHA….

HERE IS THE SECRET – THEY ARE USING TEMPORARY FILES BECAUSE LOOK AT THE KEY AND EVERYONE SHOULD KNOW THAT “MRU” MEANS “MOST RECENTLY USED” WHICH ARE TEMPORARY FILES AND CALLED YOUR TRACKS ON THE INTERNET – YOUR PC HISTORY OF NAVIGATION YOU DO NOT WANT CRIMEWARE TO GET AHOLD OF AND IS WHY EVERYONE SAYS TO USE THE HISTORY CLEAN UP UTILITIES…. BUT THERE IS MORE…..

THE TEMPORARY FILES OF THIS PAYLOAD HAD THE KIDDIE SCRIPTS TO CREATE LIKE A THREE DOOR CHOICE FOR FORENSICS AS TO THE FOLLOWING….

IS THE KEY A FABRICATED WINDOWS EXPLORER WEBSITE PAGE DISPLAYING A FAKE PAGE AS SUCH AS THE BLANK WHITE PAGE OF IT – FAKE SHELL ?

IS IT AN ACTUAL SHELL OF LIKE A SOFTWARE CONTROL PANEL FOR EXAMPLE THAT IS FORCED TO DISPLAY JUST THE BLANK WHITE PAGE BECAUSE THIS IS THE DEFAULT OF WINDOWS WHEN SUCH A KEY IS CORRUPTED ?

SO IT MOVES SIMPLY TO ARE THEY A FAKE SHELL EVEN OR ACTUAL AND VARIATIONS ON THE THEME OBVIOUSLY. SO THIS IS NEITHER HERE NOR THERE EXCEPT TO MOVE TO RESTORE THE REGISTRY IS THE ONLY WAY OUT IF THERE ARE THE HANDFULS AND HANDFULS AND HANDFULS OF THESE ENTRIES….

BUT…… HERE IS THE BANG….. YOU DID NOT CONSIDER THIS ….

ARE THEY INJECTED TEMPORARY FILES REGISTRY ENTRIES FROM YOUR TRASH OR THEIRS ? IN OTHER WORDS RETRIEVING THE GRAPHICS IMAGES OF A SHELL WITH – HERE YOU GO BINGO – REGISTRY INJECTION ?

IN OTHER WORDS THE KEYS THEMSELVES ARE REGISTRY INJECTION OF CRAP THAT DOES NOT EVEN EXIST AND ARE CAUSING BLANK WHITE PAGES DISPLAY… ACTUALLY THE PAYLOAD JUST MASS INJECTS THE REGISTRY FOR ALL THE AREAS CAUSING THE DENIAL TO SECURITY WEBSITES WITH ANY BROWSER AND WHATEVER ELSE IS THE TARGET SUCH AS MSN CUSTOMERS AS WAS MINE.

IT JUST IS VERY STRANGE THEY WOULD MASS INJECT FALSE KEYS PARTICULARLY MOST RECENTLY USED (MRU) TEMPORARY HISTORIES.

POINT ? THEY ARE USING MASS REGISTRY INJECTION FOR TEMPORARY FILES RETRIEVAL AND DISPLAY, MANIPULATED BY THE FALSE KEYS.

YOU THINK I DON’T KNOW WHAT I AM TALKING ABOUT ? LOOK HERE AND TELL ME WHY THIS WAS CREATED AND WHY IT HAS SETTINGS TO DELETE ALL TEMPORARY MRU FILES AND KEYS TO BE SET FOR EVERY MINUTE, EVERY FEW MINUTES, EVERY HOUR, EVERY FEW HOURS AND SO ON….. WELL KNOWN POPULAR TRUSTED BEEN AROUND FOR YEARS JavaCoolSoftware.com …..

MRU Blaster http://www.javacoolsoftware.com/mrublaster.html
Protect your privacy, and keep your PC free from clutter. Find and remove over 30,000 MRU lists. Version: 1.5 Free for personal & business use. MRU-Blaster works on Windows 95, 98, ME, NT, 2000, XP, or Vista. (Simply put: we need money to pay the bills. If you use MRU-Blaster, and are happy with it, we’d love if you would consider donating.)

BUT WHAT IF THE MRUs ARE FAKE REGISTRY INJECTION ? YOU SEE ? AND HOW THE HELL DO YOU CLEAN THEM UP (DELETE) IF THEY ARE CORRUPTED TOO ? SHOOTING BLANKS THINKING YOU ARE GOOD TO GO… BUT NONE THE LESS IS RECOMMENDED SOFTWARE OBVIOUSLY ! ! ! DO IT ! ! AND ADD ALL TRACKS CLEAN UP AND RUN THEM CONTINUALLY TO GET RID OF ALL TEMPORARY HISTORY TRACKS….

SEE IT ? THE KEYS ARE FAKE KEYS MASS INJECTED AND NOT REALLY CORRUPTED / CHANGED / RE-WRITTEN KEYS AT ALL ! (POINT – BINGO) SEE IT ? HOW THE HELL IS ANY TRACKS CLEANING SOFTWARE GOING TO GET RID OF THEM ? THEY CAN’T BECAUSE THEY ARE NOT REAL FILES KEYS — GET IT ?

SO FOR THE EXERCISE, WE ARE TALKING HEADS UP TO “REGISTRY MASS FAKE KEYS INJECTION” ….. GET IT ? GOOD.

IT IS ALL OF THE MAGIC OF WINDOWS AT CORE ISSUE….. INDEXING, PREFETCH ALL THE TEMPORARY INTERNET FILES THAT MAKE WINDOWS SO FAST AND SO GRAPHICALLY VISUAL…. THESE PARTS ARE INDEXED FOR LIGHTNING SPEED AND ALL THEMSELVES ARE CONTINUALLY CREATING TEMPORARY FILES AND LOGS ALL OVER WINDOWS IN THEIR PROPER PLACES….. IN OTHER WORDS TURNING ALL THESE FEATURES OFF LEAVES YOU IN THE STONE AGE WITH EACH SIMPLE CLICK AND TASK TAKING UP TO 5 MINUTES EACH (dramatized). SO YOU MOVE FROM WINDOWS OR PC OR FIGHT.

—————————————————————————————————————

CLARIFICATION…..

The continual references of the IPv6 is the area of the attack actually is existing IPv4. This is the direct route to connectivity and malware disabling firewalls and the then counterfeit attempts at hijacking the broadband connection – or in others immersing the infected PC into a malware botnet – “zombie network”.

IPv6 is the new scarcely used, I believe, internet services of the world web. Then in this light of course is what the reference to the IPv6 as here and future are the newer attacks and for future.

All in all – this is all about the Windows XP Years and all the malware devastations the world has heard of or experienced. The idea of research here is checking out connectivity information between the PC and the ISP (Internet Service Provider like AOL,MSN, Earthlink etc) like your IP Number area and also firewalls. Connectivity area and firewalls. Anti-modem defense software like in dial up certainly enters the picture.

It is not hard to know why the cyber criminal would prefer broadband – duhh! [innocent sarcasm].

So for the exercise here we are looking at these areas and how they are manipulated, counterfeited, hijacked, etc – and meaning particularly by a malware botnet. Everything is basically in the IPv4 areas in reality where the world web is in now and has been for years.

Sorry for the several misquoted times early on.

————————————————————————————————————-

SECURITY HORIZON

These abilities frequenting may become in part or full in any variants as a standard payload. Conficker Worm Botnet is a prime example as a close cousin here. Obviously these new times is these new deadly criminal botnets have changed Malware Removal Help….. No longer in caution or common sense can Community….
# Give Help Instructions for Malware Removals to reboot into diagnostics Safe Mode for removals can not safely be advised. If Safe Mode is not blocked, it may intentionally give access but is booby trapped to disallow regaining rebooting into Normal Mode.
# Obviously Windows System Restore and Restore Points are rendered inoperable, deleted.
# Windows Updates and Security Software websites are blocked. Windows Installer may well be rendered inoperable denying download / install abilities.
# Windows Remote Invitations help may not be possible if client infected with keyloggers and crimeware culprits intercepting Password are entering first. May be inoperable. …..Also via encapsulated (or similar deceits) payloads may act as in the wild threats undetectable destroying both computer systems or engaging help in botnet via infection.
# Mobile portable thumb drive (others) anti-malware may be needed to replace mentioned standard help avenues – and may need be prepared for Windows Installer repair.
# More….. Disaster Recovery – Prevention http://www.smfgratuit.com/forums/bluecollarpc/index.php/board,11.0.html

(((PROLOGUE)))
NOW DISCLOSED…… APPARENT ATTEMPT TO INFECT PLASMA SERVERS AS WELL…. Optical buffer http://en.wikipedia.org/wiki/Optical_buffer NON Sample – http://www.sun.com/customers/servers/pppl.xml

The attempted area to infect plasma servers ? Like I said – “watch the plasma burns Mr. 14 !” I found your little infected gif – your z’text” was discovered. PBMF! [much of the above will be more concise and cleaned up – a build, here preliminary Prologue adding…]
a-squared Anti-Malware – Version 4.0 Last update: 4/19/2009 5:06:37 PM 12:32 AM 4/20/2009

Scan settings:

Objects: Memory, Traces, Cookies, C:WINDOWS, C:Program Files Scan archives: On Heuristics: Off ADS Scan: On

Scan start: 4/19/2009 5:31:46 PM

C:WINDOWS$NtUninstallKB834707$wininet.dll  detected: Virus.Win32.Nsag.A!IK

C:WINDOWS$NtUninstallKB867282$wininet.dll  detected: Virus.Win32.Nsag.A!IK

C:WINDOWS$NtUninstallKB883939$wininet.dll  detected: Virus.Win32.Nsag.A!IK

C:WINDOWS$NtUninstallKB890923$wininet.dll  detected: Virus.Win32.Nsag.A!IK

C:WINDOWSI386AGENTSVR.EX_/agentsvr.exe  detected: Virus.Win32.Luder.B!IK

C:WINDOWSI386BCKGZM.EX_/bckgzm.exe  detected: Virus.Win32.Virut.q!IK

C:WINDOWSI386CMSTP.EX_/cmstp.exe  detected: Trojan.Win32.Anomaly.D!IK

C:WINDOWSI386DEFRAG.EX_/defrag.exe  detected: Win32.Luder!IK

C:WINDOWSI386DIANTZ.EX_/diantz.exe  detected: Win32.Luder!IK

C:WINDOWSI386HRTZZM.EX_/hrtzzm.exe  detected: Virus.Win32.Virut.q!IK

C:WINDOWSI386MSCONFIG.EX_/msconfig.exe  detected: Win32.Luder!IK

C:WINDOWSI386NETDDE.EX_/netdde.exe  detected: Win32.Luder!IK

C:WINDOWSI386NSLOOKUP.EX_/nslookup.exe  detected: Win32.Luder!IK

C:WINDOWSI386ODBCCONF.EX_/odbcconf.exe  detected: Virus.Win32.Virut.bo!IK

C:WINDOWSI386OEMIG50.EX_/oemig50.exe  detected: Win32.Virtob.8!IK

C:WINDOWSI386OSK.EX_/osk.exe  detected: Virus.Win32.Luder.B!IK

C:WINDOWSI386RDSHOST.EX_/rdshost.exe  detected: Win32.Luder!IK

C:WINDOWSI386RSVP.EX_/rsvp.exe  detected: Win32.Luder!IK

C:WINDOWSI386SESSMGR.EX_/sessmgr.exe  detected: Win32.Luder!IK

C:WINDOWSI386SETUP50.EX_/setup50.exe  detected: Virus.Win32.Virut.as!IK

C:WINDOWSI386WBEMTEST.EX_/wbemtest.exe  detected: Virus.Win32.Luder.B!IK

C:WINDOWSI386WINHLP32.EX_/winhlp32.exe  detected: Virus.Win32.Virut.ar!IK

C:Program FilesCommon FilesAdaptec SharedSystemWininet.dll  detected: Virus.Win32.Nsag.A!IK

C:Program FilesCOMPAQWorks6.0RedistIE5Iemil_3.cab/WININET.DLL  detected: Virus.Win32.Nsag.A!IK

C:Program FilesCOMPAQWorks6.0RedistIE5Iew2k_3.cab/wininet.dll  detected: Virus.Win32.Nsag.A!IK

C:Program FilesCOMPAQWorks6.0RedistIE5Vbscript.cab/wshext.dll  detected: Trojan-Downloader.Win32.Small!IK

C:Program FilesPCCloneEXrsspublisher.msi  detected: Trojan-Dropper.Agent!IK

Scanned

Files:  91029 Traces:  629588 Cookies:  54 Processes:  48

Found

Files:  27 Traces:  0 Cookies:  0 Processes:  0 Registry keys:  0

Scan end: 4/19/2009 10:48:25 PM Scan time: 5:16:39

C:Program FilesPCCloneEXrsspublisher.msi Quarantined Trojan-Dropper.Agent!IK

C:Program FilesCOMPAQWorks6.0RedistIE5Vbscript.cab/wshext.dll Quarantined Trojan-Downloader.Win32.Small!IK

C:WINDOWSI386WINHLP32.EX_/winhlp32.exe Quarantined Virus.Win32.Virut.ar!IK

C:WINDOWSI386SETUP50.EX_/setup50.exe Quarantined Virus.Win32.Virut.as!IK

C:WINDOWSI386OEMIG50.EX_/oemig50.exe Quarantined Win32.Virtob.8!IK

C:WINDOWSI386ODBCCONF.EX_/odbcconf.exe Quarantined Virus.Win32.Virut.bo!IK

C:WINDOWSI386DEFRAG.EX_/defrag.exe Quarantined Win32.Luder!IK

C:WINDOWSI386DIANTZ.EX_/diantz.exe Quarantined Win32.Luder!IK

C:WINDOWSI386MSCONFIG.EX_/msconfig.exe Quarantined Win32.Luder!IK

C:WINDOWSI386NETDDE.EX_/netdde.exe Quarantined Win32.Luder!IK

C:WINDOWSI386NSLOOKUP.EX_/nslookup.exe Quarantined Win32.Luder!IK

C:WINDOWSI386RDSHOST.EX_/rdshost.exe Quarantined Win32.Luder!IK

C:WINDOWSI386RSVP.EX_/rsvp.exe Quarantined Win32.Luder!IK

C:WINDOWSI386SESSMGR.EX_/sessmgr.exe Quarantined Win32.Luder!IK

C:WINDOWSI386CMSTP.EX_/cmstp.exe Quarantined Trojan.Win32.Anomaly.D!IK

C:WINDOWSI386BCKGZM.EX_/bckgzm.exe Quarantined Virus.Win32.Virut.q!IK

C:WINDOWSI386HRTZZM.EX_/hrtzzm.exe Quarantined Virus.Win32.Virut.q!IK

C:WINDOWSI386AGENTSVR.EX_/agentsvr.exe Quarantined Virus.Win32.Luder.B!IK

C:WINDOWSI386OSK.EX_/osk.exe Quarantined Virus.Win32.Luder.B!IK

C:WINDOWSI386WBEMTEST.EX_/wbemtest.exe Quarantined Virus.Win32.Luder.B!IK

C:WINDOWS$NtUninstallKB834707$wininet.dll Quarantined Virus.Win32.Nsag.A!IK

C:WINDOWS$NtUninstallKB867282$wininet.dll Quarantined Virus.Win32.Nsag.A!IK

C:WINDOWS$NtUninstallKB883939$wininet.dll Quarantined Virus.Win32.Nsag.A!IK

C:WINDOWS$NtUninstallKB890923$wininet.dll Quarantined Virus.Win32.Nsag.A!IK

C:Program FilesCommon FilesAdaptec SharedSystemWininet.dll Quarantined Virus.Win32.Nsag.A!IK

C:Program FilesCOMPAQWorks6.0RedistIE5Iemil_3.cab/WININET.DLL Quarantined Virus.Win32.Nsag.A!IK

C:Program FilesCOMPAQWorks6.0RedistIE5Iew2k_3.cab/wininet.dll Quarantined Virus.Win32.Nsag.A!IK

Quarantined

Files:  27 Traces:  0 Cookies:  0
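
The scan report above lists each flagged object twice, once as detected and once as quarantined. As an added example (not part of the original post and not a-squared's own tooling), this Python script checks that every detection has a matching quarantine entry and counts detections per family; the line patterns, the family-name heuristic and the one constructed entry are assumptions made for this illustration.

```python
import re
from collections import Counter

# Excerpt of the a-squared report above (paths exactly as they appear on the
# page), plus one CONSTRUCTED detection with no quarantine entry so the
# failure case is visible.
REPORT = """\
C:WINDOWS$NtUninstallKB834707$wininet.dll  detected: Virus.Win32.Nsag.A!IK
C:WINDOWSI386DEFRAG.EX_/defrag.exe  detected: Win32.Luder!IK
C:WINDOWSI386OSK.EX_/osk.exe  detected: Virus.Win32.Luder.B!IK
C:WINDOWSI386BCKGZM.EX_/bckgzm.exe  detected: Virus.Win32.Virut.q!IK
C:Program FilesPCCloneEXrsspublisher.msi  detected: Trojan-Dropper.Agent!IK
C:EXAMPLEconstructed.exe  detected: Win32.Luder!IK
Scanned
Files:  91029 Traces:  629588 Cookies:  54 Processes:  48
C:Program FilesPCCloneEXrsspublisher.msi Quarantined Trojan-Dropper.Agent!IK
C:WINDOWSI386DEFRAG.EX_/defrag.exe Quarantined Win32.Luder!IK
C:WINDOWSI386BCKGZM.EX_/bckgzm.exe Quarantined Virus.Win32.Virut.q!IK
C:WINDOWSI386OSK.EX_/osk.exe Quarantined Virus.Win32.Luder.B!IK
C:WINDOWS$NtUninstallKB834707$wininet.dll Quarantined Virus.Win32.Nsag.A!IK
"""

# "<object>  detected: <name>" and "<object> Quarantined <name>". Object paths
# may contain spaces, so the detection name is anchored at the end of the line.
LINE = re.compile(r"^(?P<obj>.+?)\s+(?P<kind>detected:|Quarantined)\s+(?P<name>\S+)$")


def parse(report):
    """Return two dicts (detected, quarantined) mapping object -> detection name."""
    detected, quarantined = {}, {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # section headers, counters, blank lines
        target = detected if m["kind"] == "detected:" else quarantined
        # Windows paths are case-insensitive, so compare them lower-cased.
        target[m["obj"].lower()] = m["name"]
    return detected, quarantined


def family(name):
    """Heuristic family name (an assumption of this example): drop the '!IK'
    suffix, the type prefix (Virus, Trojan-Dropper, ...) and the Win32 token."""
    tokens = name.split("!")[0].split(".")
    rest = [t for t in tokens
            if t != "Win32" and not t.startswith(("Virus", "Trojan", "Worm"))]
    return rest[0] if rest else name


def reconcile(report):
    """Cross-check the detected list against the quarantined list."""
    detected, quarantined = parse(report)
    missing = sorted(o for o in detected if o not in quarantined)
    mismatched = sorted(o for o in detected
                        if o in quarantined and quarantined[o] != detected[o])
    families = Counter(family(n) for n in detected.values())
    return {"detected": len(detected), "quarantined": len(quarantined),
            "not_quarantined": missing, "name_mismatch": mismatched,
            "families": dict(families)}


if __name__ == "__main__":
    for key, value in reconcile(REPORT).items():
        print(f"{key}: {value}")
```
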
There are many reasons basic information was posted. Number one, this was an “in the wild attack” in nature meaning obviously unknown to antivirus and antispyware companies running as Trend Micro, Comodo, McAfee, PC Tools etc.

The nature of bot (the payload package) cyber crime is very much like the average consumerism going crazy over FREE STUFF all over the internet. “Bot World” is a gigantic underworld shopping mall. We don’t want what works and what doesn’t posted publicly. We don’t want anything helpful to them in other words posted immediately until defenses are in place across the board – is a basic attitude. In other words, in the Security Community you want to be aiding security not crimewares.

No doubt Visitors passing by have scratched their heads at all of this and the “final submission” idea was never meant as imminent. It was more a look see laugh for those involved in this.

As for those involved in many “pro” forums – you know where you always end up for help instead of places like our forums and pay donations for crap help – this was a next phase as many of those would not allow me in past their training boot camps with my superior removal abilities and recommendations of removals which are proved and tried and diluted from the experts which they are obviously not and have been a laughing stock to companies like Trend Micro and Emsi.com and an annoyance and irritation. Coincidentally many of them own PC Repair Shops ? If you smell scam….

So the point was they would make personal attacks on me and accuse me of “parroting” and “regurgitation” meaning “hey dude you are just like a talking parrot repeating everything you hear” and “you just puke up everything you swallow down” (information wise) – “who are you and let’s see some empirical data” and on and on.

Well, number one – let’s see them show forensics as I did with a little gif image containing a text virus to infect Verizon plasma servers in this payload ! Had something to do with a little word “particle” and I won’t go further LOL.

No doubt behind my back somewhere in their circles they may have claimed I was making wild eyed claims for attention as they do. An old drug rehab therapeutic tool is the saying “We see in others what we dimly perceive in ourselves” with this type behavior or as God says – the mouth boasts the heart, talking about the drunkards of evil.

What may have been missed is that the Diagnosis as in epilogue and prologue is that this attack is classified as “Spear Phished – Known Product Trust” meaning the payload was delivered through “Spear Phished – titulation” meaning the culprit cyber stalked my activities, got my ‘flavors’ and hit my computer with the package right from the company – the well known company who is very, very reputable and well known and trusted. Did the departmentals have Bin Laden’s gun to their head? Maybe. Maybe it was some rich “Botlord” meaning as a “God Father of crime”. I have many enemies. I turned many of them in when discovering secret “codes” as Yahoo ID screen names in the mobile computer groups. A sh*tload of mobile piracy wares for sale right in the public and the groups. The “codes” uncovered were the ID names ALL indicated they were working for Bin Laden and terrorism at large where all the gains were to go. This is quite public as the FBI arrest which also is not public. You see I could have gotten one million dollars each for the f**king bastards but at the time our USA rate was 40 percent of all American software was pirated and resold or given away. This was Homeland Defense et al. I donated the million dollars each for each of the arrests back to the Software Business Alliance giving them full disclosure so they could investigate in such a high profile end that it was that successful. Of course, President Bush (Jr) had full power of the “Suspension of the Writ of Habeas Corpus” as the best tool. In USA, that means ain’t nothing here any of your business and lawfully never will be. This is why I say to my detractors – kiss my Anglican Jew ass – not my hand ! Ass is in the Bible you know….

WHY WAS THIS SPEAR PHISHING BY TRUSTED KNOWN PRODUCT EMPLOYEES… This is a new event… “Spear Phished – Known Product Trust” that has now happened twice to me and my equipment. The only thing close to this as believable is the Cyber Security Agencies publishing that IT Employees are a worse security threat than malware as a type “disgruntled employee” syndrome. Forensics by the way is sort of like Psychology that diagnoses symptoms for the Psychiatrist to treat. Here, Forensics is as a “Probable Cause” for Cyber Security Agencies such as the USA FBI to then take action for arrest. Christ, the other involved biometrics break out, are you serious? Yep !

So the payload here executing in approximately under 6 seconds indicates NO COMMAND AND CONTROL ACTIONS when attacking and disabling Trend Micro Suite, Comodo Suite, McAfee Antivirus/Firewall, PC Tools itself – ALL running simultaneously as explained and why this incredibly packed protection was active for that just one moment and purely NOT any regular practice (renewing Trend Micro Suite with other protections in place and test trial wrap up).

Let’s take a look at a Botmaster or Botherder NON SAMPLE of what may be criminally used as a Command and Control Console to get an idea of how long the “hang time” is to discover existing protections and then attack them as unautomated or partially – needing human interaction….

Take a look at www.openfiler.com…. the first intro paragraph (Products) is kind of the “meta data” of a BotMaster / BotHerder Console.

SO NOW UNDERSTAND THIS PAYLOAD EXECUTED WITH ABSOLUTELY NO HUMAN INTERACTION BY A BOTMASTER / BOTHERDER AND THUS REVEALS A PRE-PACKAGED CRIMEWARE VIA CYBER STALKING AND SOCIAL ENGINEERING TACTICS…. get it, publicly it was known what I was doing at the time and on the other end of the PC Tools product at end of a scan – the “pipe line”.

This equates SPEAR PHISHING BY TRUSTED KNOWN PRODUCT

ADDITIONALS

Amatuer Forensics Build in Progress – “Nimrod Botnet”

http://bluecollarpc.us/2010/01/07/new-amatuer-forensics-build-in-progress-nimrod-botnet/

AmatuerForensics-Mobile: USB stick MP3 Player (apparent cross infection – PC / Mobile PC)……

http://bluecollarpc.us/2010/01/07/amatuerforensics-mobile-usb-stick-mp3-player-apparent-cross-infection/


AGAIN THIS WAS WHEN OUR BLUECOLLARPC.NET WAS STILL RUNNING WITH 6 MILLION VISITORS/USERS FROM 2005 TO 2009 [closed] …..
THIS IS TO AGAIN CLEAR MY NAME WHO MANY OF THE FORUMS YOU ARE GOING TO FOR HELP HAVE JOINED MANY PLACES LIKE MICROSOFT NEWS ROOMS AND YAHOO ANTISPY AND YAHOO ANSWERS AND ON AND ON AND USED DUMMY DISPOSABLE ACCOUNTS AND KEPT POSTING “THAT BLUECOLLARPC GUY SPAMS THE LIVING PEE OUT OF YOU – DON’T JOIN ANY OF HIS GROUPS” AND ON AND ON CONTINUAL PERSONAL ATTACKS IN VIOLATION OF TOS AND ON AND ON AND — JEALOUSY ? AS THEY HAVE LIKE 30,000 POSTS AND HANDFULS OF MEMBERS BUT SHOW UP TO A COUPLE THOUSAND INACTIVE DEAD ACCOUNTS TO APPEAR AS “WOW – THIS MUST BE THE PLACE TO JOIN” PRESENTATIONS AND ON AND ON CANDY MAN TACTICS EMPLOYING WELL KNOWN INFERIOR PRODUCTS AS YOUR SECURITY SOLUTIONS AND HOW MANY TIMES HAVE YOU RETURNED TO DONATE FOR MORE INFECTION DOWN THE ROAD ??? OR ELSEWHERE ???
HERE IS THE LEVEL OF ATTACK AGAINST ME – A SIMPLE COMMUNITY PERSONAL WEBSITE AS INNOCENT AS SOME “SOCCER MOM’S SITE” — ON THE LEVEL OF CORPORATE SPEAR PHISHING…..
[NOTE… the Windows Installer was attacked by many viruses and Forensics Build in Full here… http://www.smfgratuit.com/forums/bluecollarpc/index.php/topic,13.0.html ….the viruses attacking the Windows Service Packs all the way back to Windows installer Version 2 destroying all versions in deletion and corruptions leaving the following Peer 2 Peer application as virtually the only “download” capability of the computer which attempt into the botnet failed miserably anyway thanks to Windows DEP and other…]
Symantec.com > Business > Security Response > Attack Signatures > P2P Blubster Download Setup http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=20562

P2P Blubster Download Setup: Attack Signature – Symantec Corp. P2P Blubster Download Setup This signature detects attempts to download the Blubster P2P music sharing software.

Severity: Medium
This attack could pose a moderate security threat. It does not require immediate action.

Description
This signature detects attempts to download the Blubster P2P music sharing software.

Additional Information
Blubster uses basic peer-to-peer structured software without a central server, running a private UDP transport protocol: The MP2P Protocol. The system is designed to allow a user’s identity to remain private, which tries to make all the file-sharing process completely anonymous. Over 2 Years after its inception, MP2P claims to be a super-scalable and ultra-fast network. Blubster is a peer-to-peer filesharing client which is based on MP2P – a proprietary UDP transport protocol. Peer-to-peer sharing software allows for ease of file distribution between networked users – including potentially copyright protected material.
DID YOU MISS THIS….
Symantec.com > Business THIS ATTACK WAS ON THE LEVEL OF A CORPORATE CEO ATTACK AND I AM A SIMPLE XP USER WITH A PERSONAL WEBSITE – ALTHOUGH I HAVE GONE WELL BEYOND “ADVANCED USER” THROUGH THE PROCESS LOL. DO YOU UNDERSTAND WHAT I FIXED AS FAST AS IT WAS MESSED UP ? THIS WAS A MASSIVE MASSIVE MASSIVE ATTACK WITH CATASTROPHIC DAMAGES THAT I FIXED AND HAD FULL REPORTED FORENSICS TO ALL AGENCIES WITHIN THE HOUR….. SO NEVER NEVER NEVER BELIEVE ANYONE WHO HAS BACK HANDED BAD MOUTHED THE BLUECOLLARPC.NET WEBMASTER BEHIND MY BACK AND I LAUGH IN THEIR FACE.
LET’S SEE YOU GET THIS LEVEL OF HELP AT THEIR FORUMS…
GO AHEAD TO UNITE FORUMS…. I HAVE APPLIED THERE RESPECTIVELY AND SINCERELY AS AN ADDITIONAL CATEGORY HELP FOR BOTNET INFECTION OF THE WHICH FRANKLY THEY HAVE NO CLUE AS IT IS REPORTED CURRENTLY FEB 2010 THAT 41 PERCENT OF WORLD 800,000 PLUS COMPUTERS ARE CURRENTLY BOTNET INFECTED.
LIKE IS SAID “I HOPE WE PASSED THE AUDITION” LOL !!!!
YOU SECURITY PEOPLE NEED TO GET VERY VERY VERY BUSY OPENING BOTNET DETECTION, PREVENTION, AND REPAIR AND REMOVAL ASAP !!!!
SEE YOU HAVE BEEN TOLD !!!! BlueCollarPC.Org said that !
NOW YOU PROBABLY MISSED THIS AS WELL ….
“BOTNETS BOT WORLD GET FREE MUSIC SUCKS !!!! HOW ??? (maybe they will come forward about the crap products they got for free)
NOTE: Unfortunately the original full forensics build was lost due to the failure of an SMF Forums upgrade. However, there were the original notes of the few media players that were corrupted. Below you will understand the importance. There is incidence of data files or .DAT translated into media image files to hide by crimeware.

NON SAMPLE DAT file manipulation   Reading and writing Isis image buffers. The objects defined below may be used to read and write images to and from two-dimensional DAT files. … http://web.media.mit.edu/~stefan/isis/software/dat-files.html
TWO high quality players were unaffected which too legitimately guard particular .dat files.

REFERENCE (Symantec above) “….Blubster is a peer-to-peer filesharing client which is based on MP2P – a proprietary UDP transport protocol….”

User Datagram Protocol http://en.wikipedia.org/wiki/User_Datagram_Protocol User Datagram Protocol (UDP) is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without requiring prior communications to set up special transmission channels or data paths. UDP is sometimes called the Universal Datagram Protocol. [sidebar – IP Spoofing, piping and PS.. IRCChat Relay is Pergamos – busted ! See IRC in IRS]

UDP uses a simple transmission model without implicit hand-shaking dialogues for guaranteeing reliability, ordering, or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated, or go missing without notice. UDP assumes that error checking and correction is either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level. Time-sensitive applications often use UDP because dropping packets is preferable to waiting for delayed packets, which may not be an option in a real-time system. If error correction facilities are needed at the network interface level, an application may use the Transmission Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP) which are designed for this purpose.
# “may arrive out of order,” you will notice in newer state of the art software wireless modems since the Vista release notebooks and laptops avoid “packet crashing” to keep a nice continual connection and communication.
# If you entered a botnet intentionally or not seeking FREE MP3 crap – no doubt the MP3 Files were crap as seemingly very poor copies as like “skipping” as a CD on a CD Player or “scratchy” like on a vinyl recording record and player or actual missing parts as skipping to the end. Crap recordings because “may arrive out of order, appear duplicated, or go missing without notice.” Note the news pubs about College Kids are the worst offenders in this area. They got what they paid for. This is INSTABILITY that was the EXACT reason I ended up discovering all the pirated softwares when unknowingly I downloaded the ONLY pirated copy of software ever that was in mobile computer form which introduced TERRIBLE INSTABILITY in my Windows Mobile Computer and upon investigation discovered parts of the software certifications and copyrightables removed and IMMEDIATELY realized it was a pirated copy and was LUCKY enough to be able to remove it entirely IMMEDIATELY. PIRACY PRODUCTS INTRODUCE GREAT INSTABILITY INTO THE SYSTEM…. Now the whole public knows like in intravenous drug users you are called the Pillsbury DoughBoy meaning you got handed a BEAT BAG of drugs that was actually 90 percent baby powder (cake mix powder) and we had a good LOL. No doubt as a “new botworld member” they purposely first sent you the “beat bag” to see if you would keep your mouth shut or go running all over the internet blabbering away about their products and who was listening or watching (internet police). To shut you up or introduce you to “option 2 good stuff” as an apology you no doubt have been there ever since as a “preferred customer” and a good little biddtch that knows how to keep their mouth shut….. READ ON…. and “God Damn The Pusher” (SteppenWolf Classic Rock)….
# Time-sensitive applications often use UDP because dropping packets is preferable to waiting for delayed packets, …. Now all Outlook Users are well aware of Email publishing that can be set to what time you want them sent automatically. This is much a tactic here no doubt of some product deliveries going on by criminals to criminals – you if you are recipient knowingly.
# “Preferred Customers” no doubt get this service…… in a real-time system. If error correction facilities are needed at the network interface level, an application may use the Transmission Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP) which are designed for this purpose.
File swapping through Peer To Peer (P2P) should be banned from the world web and left as normal traditional downloading from legitimate sites. This will cure many, many ills.
POST NOTES…..
As well there was a trojan detected and removed attempting hijacking Windows NetMeeting on the pc as an apparent additional file swapping more likely as an IRCRelay stealth Botmaster / Botherder communication.

Microsoft NetMeeting – Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Microsoft_NetMeeting “”…..Protocol for whiteboarding, application sharing, desktop sharing, remote desktop sharing (RDS) and file transfers……”” Microsoft NetMeeting was a VoIP and multi-point videoconferencing client included in many versions of Microsoft Windows (from Windows 95 OSR2 to Windows XP) …

This may lead to further investigations into…..

Windows Meeting Space http://www.microsoft.com/windows/windows-vista/features/meeting-space.aspx Explore the features: Windows Meeting Space. Windows Meeting Space—and the entire peer-to-peer developer platform in Windows … Both Windows Meeting Space and Microsoft Office Live Meeting help you …