Re: Cryptolocker vs MalwareBytes AntiMalware


Virus Guy explained on 4/15/2014 :
Quoted text here. Click to load it

Is that what you think a virus is?



Re: Cryptolocker vs MalwareBytes AntiMalware


Quoted text here. Click to load it

Incorrect.
  


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Cryptolocker vs MalwareBytes AntiMalware

Dustin wrote:
  
Quoted text here. Click to load it

You only have to give one answer to prove me wrong.

Describe or disclose a specific example of ransomware that contains code
to detect whether it is running on a win-9x/me or NT-based system.  
That's the only criterion your answer needs to meet if, say, such
ransomware was ever distributed via email attachment.  It proves that
indeed there was ransomware specifically designed to work on a win-9x/me
system.

You must point to a posted technical description of the ransomware
example where the author points out the code where the ransomware
attempts to detect what OS it's running on, and that it does something
more than just exiting if it detects win-9x/me.

If you (or anyone else) chooses not to (or simply can't) provide this
level of evidence, then at best this argument is at a stalemate.

Re: Cryptolocker vs MalwareBytes AntiMalware

It happens that Virus Guy formulated :
Quoted text here. Click to load it

That's a better question. This time, you didn't suggest that it had to  
be exploit based either, but the whole thing about being specifically  
targeting Win9x narrowed it down enough anyway. I know of no  
*ransomware* written to specifically target Win9x. Most malware back  
then didn't give the user a choice about getting their files back by  
paying money. Malware became more commercially motivated after Win9x  
was sent out to pasture.



Re: Cryptolocker vs MalwareBytes AntiMalware

FromTheRafters wrote:
  
Quoted text here. Click to load it

It could enter a system via email attachment - but there should be some
reasonable evidence that it was distributed via email.  If the example
was not known to be distributed via email, but instead by browser
exploit, then that does open a whole other dimension of whether or not
the exploit could work against a 9x/me system.

Quoted text here. Click to load it

It's not that the hypothetical example needs to target win-9x/me, it
just has to show some awareness or planning as to how to take into
account which OS it's running on, unless it could be written generically
enough to use calls and functions that are common to both NT and 9x/me.

Quoted text here. Click to load it

I would argue that as XP replaced 9x/me during 2002 through 2004,
hackers finally had systems they could exploit and install more
sophisticated malware (such as spam relays) and thus was born the
commercial spam industry, and more generally professional hacking.  

The amount of spam growth from the years 1999 to the present clearly
shows a correlation with the adoption of XP - I've seen it on my own
SMTP server.

So as exploits against NT-based systems became more numerous and
effective, the code base for the installed payload quickly or
immediately became NT-specific, even though by 2004 there were still
significant numbers of home and SOHO PCs running 9x/me.

And yet Microsoft, the media and the PC industry were beating the "XP is more
secure" drum louder and louder.

Re: Cryptolocker vs MalwareBytes AntiMalware

Virus Guy expressed precisely :
Quoted text here. Click to load it

NT has more security features than Microsoft's previous OSes, so it  
should be no surprise that there are more exploits against it.

With your question about ransomware, you should be aware that the  
ransomware itself is just a program. The method used to deliver it,  
such as a drive-by download, is disconnected from the malware itself  
although it may be associated with it. Many times you could find an  
exploit kit like Blackhole, Sweet Orange, Angler, and a host of others  
being used to distribute *any* kind of malware such as bots, rogue  
security (FakeAV or YouHavePorn) or cryptolocker which is also  
distributed through spambots as email links to exploit landing pages,  
or as attachments meant to exploit the user's naivete about clicking  
things in e-mail that *look* safe.

Some malware is written before an OS becomes released and you cannot  
expect something written for WFW311 to check what OS it is now trying  
to run on if said OS wasn't even conceived of at the time. Such a  
program (such as written for DOS before Windows even existed) may be a  
threat to a new OS just because the new OS features backward  
compatibility. If someone wrote something for Win98, but not  
*specifically* for Win98 by using features only Win98 had, it could  
still be a threat for future systems. It could be a worm in some  
environments, a virus in others, and just a logic bomb in still others,  
and still be a worthy threat in all of those systems.

The ransomware itself may work the same no matter what distribution or  
ingress vector it used to have the opportunity to trick something or  
someone into running it.



Re: Cryptolocker vs MalwareBytes AntiMalware

@news2.open-news-network.org:

Quoted text here. Click to load it

Try explaining that to Pooh. :)
  
Quoted text here. Click to load it

The FBI antipiracy ransomware moneypak malware does work on win9x, me, NT.  
It does nothing specific so as to exclude itself from any of them. It even  
uses OS variables that are standard.

It also uses a standard run key in the registry that all three  
aforementioned OSes support, to this day.





Re: Cryptolocker vs MalwareBytes AntiMalware

Dustin wrote:
  
Quoted text here. Click to load it

Bullshit it works on 9x.

As I've just explained to you, the fact that the fools who wrote the web-page
material (that you keep referencing) simply threw in the generic
explanation of where the system folder is on 9x is in no way solid proof
that they know that the malware can run properly on a 9x system.

And also in your example they mention a system variable
(%CommonAppData%) that doesn't exist on a 9x system.  So how do you
explain that?

Re: Cryptolocker vs MalwareBytes AntiMalware


Quoted text here. Click to load it

    File Location Notes:

    %Windir% refers to the Windows installation folder. By default, this is  
C:\Windows for Windows 95/98/ME/XP/Vista/7/8 or C:\Winnt for Windows  
NT/2000.

    %CommonAppData% refers to the Application Data folder for the All Users  
Profile. By default, this is C:\Documents and Settings\All Users
\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista,  
Windows 7, and Windows 8.

    %CommonAppData% refers to the Application Data folder in the All Users  
profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents  
and Settings\All Users\Application Data\, and for Windows Vista, Windows 7,  
and Windows 8 it is C:\ProgramData.

  

Associated FBI Anti-Piracy Warning MoneyPak Ransomware Windows Registry  
Information:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  
"<random>" = "C:\WINDOWS\<random>.exe"  

Since you moved the goal posts again and included the last line, I believe  
these ransomware programs meet the criteria. These are NOT the ones that  
actually encrypt your files, so they don't have to make NT specific calls.

http://preview.tinyurl.com/pvz3oad

Thanks for making me waste a few minutes of my time, by entering  
"ransomeware windows98" into google. Hardly rocket science, here.

The lock screen from this infection pretends to be an alert from the  
Federal Bureau of Investigation (FBI) who has detected that your computer  
contains illegal and copyrighted software. It then states that due to this  
illegal content your computer has been locked until you pay a fine of $400  
in the form of a MoneyPak voucher payment. They also state that if you do  
not pay the payment in 48 hours, you will face legal action from the FBI. Once  
you send them the MoneyPak voucher code your computer would then be  
unlocked and the infection deleted. Last, but not least, this infection  
will continuously play a fake recording from the FBI. The reality is that  
this is a computer infection and has nothing to do with the FBI or any  
other legal authority. Therefore, please ignore anything the lock screen  
says.

Quoted text here. Click to load it

See above.
  
Quoted text here. Click to load it

See above.
  
Quoted text here. Click to load it

XP isn't the issue in many cases, not by itself.
  



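The removal write-up quoted in this post gives a defender two concrete traits of the MoneyPak lock screen: an HKCU Run value named `<random>` and an executable dropped directly under the Windows folder as `<random>.exe`. The script below is an added example (not code from the thread or from the referenced guide) that checks a captured `reg query` dump for that pattern; the dump is a constructed sample and the vowel-based "random name" test is a simple heuristic.

```python
r"""Flag Run-key persistence like the quoted MoneyPak write-up describes: a
Run value named <random> launching C:\WINDOWS\<random>.exe. Added example."""
import re
import ntpath

# Constructed sample of `reg query HKCU\...\Run` output: a legitimate profile
# entry, a stock Windows entry, and one shaped like the ransomware's.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ctfmon      REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    xkqzvrtb    REG_SZ    C:\WINDOWS\xkqzvrtb.exe
"""

# `reg query` prints each value as: <indent>name<spaces>REG_type<spaces>data
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return (name, type, data) tuples for every value line in the dump."""
    return [m.groups() for m in map(VALUE_RE.match, text.splitlines()) if m]

def image_path(data):
    """Strip surrounding quotes and trailing arguments from a Run value."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]

def looks_random(name):
    """Heuristic: six or more letters with almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in "aeiouy" for c in letters) / len(letters) < 0.15

def audit_run_key(text, windir=r"C:\WINDOWS"):
    """Return [(name, exe, reasons)] for values showing at least two of the
    three traits the write-up describes."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        exe = image_path(data)
        head, base = ntpath.split(exe)
        reasons = []
        if head.rstrip("\\").lower() == windir.lower():
            reasons.append("executable sits directly in the Windows folder")
        if ntpath.splitext(base)[0].lower() == name.lower():
            reasons.append("value name equals the executable's base name")
        if looks_random(name):
            reasons.append("value name looks machine-generated")
        if len(reasons) >= 2:
            findings.append((name, exe, reasons))
    return findings

if __name__ == "__main__":
    for name, exe, reasons in audit_run_key(SAMPLE_REG_QUERY):
        print(f"Run\\{name} -> {exe}: {'; '.join(reasons)}")
```

On a live machine the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) instead of the sample.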


Re: Cryptolocker vs MalwareBytes AntiMalware

@news2.open-news-network.org:

Quoted text here. Click to load it

http://preview.tinyurl.com/pvz3oad

I guess this is going to be an eye opener for you and virus guy. At least  
one FBI ransomware trojan was designed to work on both OSes [g]

    File Location Notes:

    %Windir% refers to the Windows installation folder. By default, this is  
C:\Windows for Windows 95/98/ME/XP/Vista/7/8 or C:\Winnt for Windows  
NT/2000.

    %CommonAppData% refers to the Application Data folder for the All Users  
Profile. By default, this is C:\Documents and Settings\All Users
\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista,  
Windows 7, and Windows 8.

    %CommonAppData% refers to the Application Data folder in the All Users  
profile. For Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents  
and Settings\All Users\Application Data\, and for Windows Vista, Windows 7,  
and Windows 8 it is C:\ProgramData.

  

Associated FBI Anti-Piracy Warning MoneyPak Ransomware Windows Registry  
Information:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  
"<random>" = "C:\WINDOWS\<random>.exe"  

In fact, most of the FBI antipiracy moneypak programs are NOT windows NT  
specific. They try to scare you into sending them money and try to lock  
you out of the computer. They're quite effective at doing this to most home  
users.

So... there ya go! A specific win9x family ransomware, modern.




Re: Cryptolocker vs MalwareBytes AntiMalware

Dustin wrote :
Quoted text here. Click to load it

Don't be silly, this is the reason that I used the word "specifically"  
- to mean that a ransomware sample was designed for *only* Win9x as  
opposed to being designed (more logically) for more platform variety.  
Why would a malware author want to unnecessarily limit the target space  
by being totally dependent upon locations and environment variables  
that *only* Win9x has?

[...]



Re: Cryptolocker vs MalwareBytes AntiMalware

Dustin wrote:
  
Quoted text here. Click to load it

What a load of horse shit.

Giving a generic explanation of where Windir is on a 9x/me system is
hardly indicative that the malware in question was written to actually
function on a 9x/me system.

There is NO HINT that the binary files were taken apart in any way to
determine that they performed a check to see what OS they were running
on.

And I point out that 9x/me is NOT MENTIONED in the "Automated Removal
Instructions" section of the page you quoted. The boot screen they show
is for an NT system, with NO INSTRUCTIONS for 9x.
  
Quoted text here. Click to load it

I don't know why you quoted that.  Twice.

CommonAppData isn't even a win-9x system variable.

So if this MoneyPak needs a working %CommonAppData%, it's not going to
find one on a 9x/me system.

You should have realized 5 years ago that 9x/me was simply thrown into
lists of OSes on pages like the one you quoted simply because of
inertia.  There was no actual checking done to see if the item being
described ACTUALLY FUNCTIONED on a 9x/me system.

Quoted text here. Click to load it

How does it lock you out of the computer?  How exactly does it mess with
your system files or settings?

And tell me how it can do that in a way that would work exactly the same
way on a 9x/me AND NT system.

Re: Cryptolocker vs MalwareBytes AntiMalware

@news2.open-news-network.org:

Quoted text here. Click to load it

Not all ransomware actually tries to do anything with your files. Some of  
it tries to scare you with bogus information screens. FBI moneypak trojans.  
And those are win9x designed. Nothing NT specific about them.



Re: Cryptolocker vs MalwareBytes AntiMalware

After serious thinking Dustin wrote :
Quoted text here. Click to load it

Yeah, I know. Considering who we are discussing this with, I took  
specific to mean something other than what you seem to think it means.  
VG wanted to exclude those previously written which *still affect*  
Win9x even though not written *for* that platform specifically (i.e.,  
to the exclusion of all others) so I took the move to mean that he will  
eventually move the goalposts in a way to exclude ransomware written  
for any other OSes that just happen to work on Win98. He's asking for  
ransomware written to be "OS specific" IOW.

Maybe I'm wrong, but it does seem that this is where he was heading.  
There's a chance that he doesn't understand malware well enough to  
state his position clearly enough.



Re: Cryptolocker vs MalwareBytes AntiMalware

FromTheRafters wrote:
  
Quoted text here. Click to load it

The example of the ransom-ware distributed by postal mail in 1989 would
not have worked on 9x for a couple of reasons.

For one thing, no 9x systems would even have a 5.25" floppy drive to
stick the disk into.

Second, you can't rename system files that are in use by the OS.

I also doubt the code would have correctly handled long file names,
especially for directories like "program files".

Re: Cryptolocker vs MalwareBytes AntiMalware


Quoted text here. Click to load it

I observed answers FTR already provided. I noticed that instead of the  
score board incrementing as I expected, you called a time out and had the  
goal posts moved outside the hockey puck's landing area.

FTR provided two. The first one you claimed didn't apply because it was DOS  
based, even though your OS actually runs on DOS. The second you claimed didn't  
apply because of its wildlist status. I'm sure you can see the  
pointlessness in my hunting down a third example for you?
  
Quoted text here. Click to load it

Hmm? This is a new requirement. Why does it need to detect? I'd have to do  
a bit of looking to find one that matches your new goal post, but I don't  
think it's impossible. It would make sense to know which OS you're using,  
so that you don't call APIs that aren't going to be available to you.

Quoted text here. Click to load it

Oh wait, I see. You realized malware (ransomware flavor) has been written  
for win9x, so now your new requirement: it must distinguish between the  
OSes or it doesn't count, right? LOL.
  
Quoted text here. Click to load it

Well, not really. At best, several of us have wasted our time. At worst,  
someone else reading actually believes you.

thanks anyway.




Re: Cryptolocker vs MalwareBytes AntiMalware

Dustin was thinking very hard :
Quoted text here. Click to load it

LOL, I guess I should have read all of this thread before responding.



Re: Cryptolocker vs MalwareBytes AntiMalware


Quoted text here. Click to load it

K. FBI Ransomware MoneyPak trojan. Win9x/NT friendly. Still, ITW.
  
Quoted text here. Click to load it

See above.
  
Quoted text here. Click to load it

See previous post for semi technical description. It shows where file  
locations are as well as the specific run key in the registry. The author  
doesn't provide a disassembly of the binary. It uses standard windows API  
calls for file functions.

It makes no effort to detect OS, that doesn't matter. It runs on your OS,  
just fine.
  
Quoted text here. Click to load it

See previous replies concerning this.

And finally,

You're an idiot.
  





Re: Cryptolocker vs MalwareBytes AntiMalware

FromTheRafters wrote:

Quoted text here. Click to load it

It's what a virus could do.  But that wasn't the point.

The point being discussed is how a given OS can or can't facilitate the
entry and execution of malicious code.

Quoted text here. Click to load it

And you, like Dustin, don't seem to want to discuss the aspect of how
malicious code finds itself running on any given version of Windoze -
let alone whether or not it will actually run correctly.

Re: Cryptolocker vs MalwareBytes AntiMalware


Quoted text here. Click to load it

Jax doesn't have any idea about anything we've been discussing. I'm not  
going to hold your hand and teach you how to exploit windows and cause  
unwanted code execution. I'm not going to hold your hand and teach you how  
to write in machine language to take advantage of the code execution,  
either. I do not contribute to the script kiddie problem.



  




