The Security Suite/TT Livescan

Thread starter: idbeholda
Lil' Abner said:
Yeah, right. That's so obvious it stinks!
TR/Dropper.Gen.Trojan

Huh?

Are you saying that your antibadware program detects a threat on that
site?
 
Huh?

Are you saying that your antibadware program detects a threat on that
site?

Yes, it looks like everyone is entitled to Lil'Abner's opinion, no
matter how outlandish or farcical it may actually be. I wonder who
will step forward next, saying after they ran TT Livescan or The
Security Suite that they were abducted by space aliens and woke up
naked in a cornfield covered in rum. Really, if you're going to make
an accusation, back it up with statistical fact.

http://virusscan.jotti.org/en/scanresult/05c4a970207047724ed2f0581332800bf5f5ab5b
http://www.virustotal.com/analisis/...63bdf3222628a163474bfe88dccfd4ca35-1279472728

Symantec picks up just about anything with a .vbs extension as
hostile. For instance, in The Security Suite, it uses vbscript to do
a quick 80MB defrag of the ram. How hostile is this piece of code,
you ask? Let's see.

Mystring = Space(80000000)

Yeah, that's really gonna hose your system. Way to go, Symantec.

a-squared, AntiVir, and Ikarus, from personal experience, usually cry
wolf on just about anything, which is why I avoid using them.

Anyone got any more questions they'd like cleared up?
 

***
I just wanted to know what piece of crap antibadware application Lil'
Abner was using, if indeed he was getting that alert.
***
 

Obviously, not a very good one.
 
Lil' Abner said:
Avira

On other people's computers I use Malwarebytes, SuperAntispyware, GMer,
HijackThis, ComboFix and a variety of other tools as needed.
I may be a dumb shit but I'm not going to use a tool that raises that
many flags unless I have been convinced by someone I trust that these are
all false positives.

What do you mean by "that many"? You only mentioned one alert, and it
was apparently from heuristic methods. I would always treat such an alert
with suspicion (that is to say I would suspect a false positive). Avira
is good, but in my experience has been exhibiting a rather high FP rate
if set for high heuristic weighting.
 
Lil' Abner said:
OK, for starters, I downloaded Security Suite.rar and ran it through
VirusTotal. Results:
http://www.virustotal.com/analisis/40fcde139401b4a87156512de00d7163bdf3222628a163474bfe88dccfd4ca35-1279512757
or http://tinyurl.com/284wms2 .
Then, when I unrared it, Avira popped up
http://mewnlite.com/PortStub.gif
With all the rogue antimalware/antivirus that is being put out,
"Security Suite" sounds suspicious in the first place.
Avira has always gotten pretty good reviews. Are you telling me that
PortStub.exe is just a false positive?
And that a-squared, AntiVir, Ikarus, and Symantec are all full of it as
well?

Yes, I strongly suspect that this is the case.
 
The alert you're getting for PortStub.exe would be a false positive.
When the scanner initializes, PortStub.exe is activated, which
produces a list of ACTIVE processes, and their active port numbers,
then it exits. The items in this list are checked against the online
whitelist database. The reason both The Security Suite and TT
Livescan are as small as they are is because a full local install of
the database AND the application will be close to 2GB. The only way
for me to make my project available to the public is to make it to
where the current database format is remotely accessed.

The experimental, unreleased version that I have at my own personal
disposal has database access times that are only limited by the
physical speed of the hardware architecture that it's installed on.
The downside is, the way the unreleased database is formatted, it
takes up nearly 160GB. Yes, you read that correctly, and no, it's not
science fiction or an urban legend. The reason I bring this up, is
that if it were commercially viable for me to make this version
available to the public, I would. Unfortunately, I have neither the
time OR the resources to do so at this point in time. In the future,
it's a possibility.

Now, onto the second part... Since the last time I explained
something similar to this (the ftp uploader), and was accused of
writing a worm, again, unlike other companies, I will OPENLY discuss
my work if asked politely. The following code is the only part of the
code that "drops" anything. And yes, it was modified from a project
on pscode that I downloaded quite some time ago. The dropped file in
question being ports.map, as we can see below.


' The procedure header is not included in the original post; what follows
' is the body of a form event handler (it ends with Unload Me / End Sub).
' Privilege, LoadPrivilege, SE_DEBUG_NAME, OpenPort, ResultPorts and
' ProcessPathByPID are declared elsewhere in the project.
    If Not Privilege Then
        ' SeDebugPrivilege is needed to read the image path of other processes
        If Not (LoadPrivilege(SE_DEBUG_NAME)) Then
            End   ' cannot continue without the privilege: terminate
        End If
    End If
    Privilege = True

    If OpenPort() Then
        ' ResultPorts(0, i) and ResultPorts(1, i) hold the owning PID for
        ' port i (presumably one row per protocol); 0 means the port is unused.
        For i = 0 To 65535
            If ResultPorts(0, i) Then
                ' Builds "port<TAB>path" and strips every space (Str() adds a
                ' leading space; spaces inside the path are removed as well).
                PPCode = Replace(Str(i) & vbTab & _
                                 ProcessPathByPID(ResultPorts(0, i)), " ", "")
                ' Entries owned by SYSTEM are not written out
                If InStr(PPCode, "SYSTEM") < 1 Then
                    Open "ports.map" For Append As #2
                    Print #2, PPCode
                    Close #2
                End If
            End If
            If ResultPorts(1, i) Then
                PPCode = Replace(Str(i) & vbTab & _
                                 ProcessPathByPID(ResultPorts(1, i)), " ", "")
                If InStr(PPCode, "SYSTEM") < 1 Then
                    Open "ports.map" For Append As #2
                    Print #2, PPCode
                    Close #2
                End If
            End If
        Next i
    End If
    Unload Me
End Sub

Gathering the list of processes by port, and then outputting the
results to a plain text file. There it is. There is the so-called
"hostile" code.

If you have any more questions, I'll be more than happy to answer them.
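As an added example (not part of the original thread or of the author's tool), a small Python script that reads a ports.map file in the format the loop above writes and flags every port/process pair that is not on a whitelist. The sample file and the whitelist are constructed here; because the VB code strips all spaces from the path, whitelist entries have to be normalised the same way before they can be compared.

```python
"""Parse and triage a ports.map file as written by the VB loop above.

Assumptions (not from the original post): one line per open port,
formatted as port<TAB>process-path with every space removed, and a
whitelist of (port, path) pairs that is normalised the same way.
"""

# Constructed sample of what the loop writes: Str(i) & vbTab & path, spaces stripped.
SAMPLE_PORTS_MAP = """135\tC:\\Windows\\system32\\svchost.exe
445\tC:\\Windows\\system32\\svchost.exe
3389\tC:\\Windows\\system32\\svchost.exe
31337\tC:\\Users\\user\\AppData\\Local\\Temp\\updater.exe
80\tC:\\ProgramFiles\\ApacheGroup\\Apache2\\bin\\httpd.exe
"""

# Constructed whitelist. Real paths contain spaces ("Program Files"), so
# they are normalised with the same space-stripping rule before lookup.
KNOWN_LISTENERS = {
    (135, r"C:\Windows\system32\svchost.exe"),
    (445, r"C:\Windows\system32\svchost.exe"),
    (80, r"C:\Program Files\Apache Group\Apache2\bin\httpd.exe"),
}


def normalise(path: str) -> str:
    # Mirror Replace(..., " ", "") from the VB code and ignore case,
    # since Windows paths are case-insensitive.
    return path.replace(" ", "").lower()


def parse_ports_map(text: str) -> list[tuple[int, str]]:
    """Return [(port, path), ...] in file order; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        port_s, sep, path = line.partition("\t")
        if not sep or not port_s.isdigit() or not path:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        port = int(port_s)
        if port > 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        entries.append((port, path))
    return entries


def triage(text: str, whitelist: set[tuple[int, str]]) -> list[tuple[int, str]]:
    """Entries whose (port, normalised path) is not on the whitelist."""
    known = {(port, normalise(path)) for port, path in whitelist}
    return [(port, path) for port, path in parse_ports_map(text)
            if (port, normalise(path)) not in known]
```

On the constructed sample this reports the 3389 svchost listener and the updater.exe listener on 31337, and accepts the Apache entry even though its on-disk path contains spaces.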
 
(e-mail address removed):


OK. Please accept my apologies. I leaped before I looked. "Security
Suite" was a red flag for me and I was bound and determined to prove
myself right. And a few false positives were all it took. And yes, I
am quite aware that false positives exist. Other people's
antiviruses are always wiping legitimate tools off my memory stick.
I was also not aware that the OP (you) was the author of the app.
Then when some of the others for whom I have a great deal of respect
started slamming me, I knew I'd been had!
So again, sorry to all of you. I'll be more careful in my future
assessments!

I should have spoken up earlier myself. The software and its author
are legit. Apologies for ignoring this...


--
Too cold to start a fire. I'm burning diesel burning dinosaur bones.
I'll take the river down to still water and ride a pack of dogs!
But I'm gonna break. I'm gonna break my... I'm gonna break my rusty
cage and run.. Yea i'm gonna break.. I'm gonna break my... I'm gonna
break my rusty cage... and run!
 

No worries.
 