Strategies For Locating Malware?

Emails are being sent from a friend's AOL account with her
address in From: and always eight addresses in "To:" (at least in
the ones I've seen).

I'm running MalwareBytes and McAfee's scans on the PC now. Dunno
about a boot-time scan yet, since I can't be there physically.

When I spot-check the nine spams I have on hand, most of the
"To:" addresses can be found in the person's AOL address book.
The few that cannot look like they might be "From:" addresses in
emails that she has received (e.g.
postmaster@e-statements.ezpassnj.com).

I just edited her AOL address book and changed my own address to
one that I will receive - but know it could have come from only
one place.


But what now?

Suppose I start getting spammed at the new address?

Would that strongly suggest that the culprit is running on her
PC? Or could the AOL address book be in the cloud?

Does anybody have any suggestions for finding this thing and
driving a stake through its heart?
--
Pete Cresswell

Re: Strategies For Locating Malware?



Change the AOL account password and make it a Strong Password.
http://en.wikipedia.org/wiki/Password_strength



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Re: Strategies For Locating Malware?



Amazing (sadly) how users think they need software to compensate for
laziness or lack of initiative to come up with their own password
algorithm based on their own personal data (that they will always
remember) and which uses the domain to modify their password so it is
unique at every domain where they login.

There are lots of personal sources for components that you could use in
building your password:

- The consonants of your middle and last name up to, say, 4 chars long.
  Reverse them if you like (probably not needed).
- Middle, last, and first initials of your name (or some other order).
- A couple digits from your birthdate, like last digit for the month and
  last digit of your birthyear (e.g., 03/04/1980 use 30).  Or use your
  birthday and birthmonth in reverse order.
- The 2 contiguous digits in the middle of your SSN, or the 3rd digit
  and the 7th digit, or more digits if you want more, and even reverse
  them if you like.
- Just the consonants or just the vowels from your eye color shown on
  your driver's license (versus what you'd like to have described as
  your color) up to, say, a max of 3 characters long.

Lots of other components can be used to build the password, all of which
come from your personal information that you will always remember.  If
you choose to reverse the order of some of the components, do it on all
components so you don't have to remember which are forward or reverse
ordered.  You might use 3 pieces of personal info which comprise 3
components or substrings of your password.  Each uses the same scheme to
obfuscate where that substring was derived from.  The order of these
components is always the same, so not much to remember there (I'd suggest
the first component be alphabetic since some sites don't like passwords
that begin with numbers).  Your personalized password would be all
lowercase.  Some sites want a couple uppercase characters in the
password, so pick 2 or 3 characters that you uppercase.  If the 1st
entry doesn't work, capitalize that fixed selection of characters and
try again.  2 tries and you'll get into a site that you don't remember
wants some uppercase characters in it.

Okay, so now you have a jumbled mess of characters based on personal
info which doesn't look like anything recognizable to others but is
always static (because that personal info is for your entire lifetime, so
don't use a street address because you may move, or a phone number that
may change).  However, you don't want to use the same static password on
every site.  You want to use the domain for the site to modify your
otherwise static string.

- Last N characters of the domain portion of the site's URL.
- First 2 characters and last 2 characters of their domain.
- For a really short domain (e.g., ibm.com), use some portion of the TLD
  (.com, .net, .org, etc).  Don't use the hostname ("www" is way too
  common, and the hostname may change at a domain, but the domain is very
  likely to remain the same for a long time or as long as you use it).

You use this domain-specific string, always the same for the domain
because your algorithm always picks the same set of characters from it,
to modify your otherwise static personal-info string.  You could prepend
the domain modifier, append it, stick it in the middle, or something
crazy like insert each character from the domain string in every other
character position in the personal string.

Once you get used to this, it takes all of a couple of seconds to
cogitate when visiting a site as to what your password is there.  Faster
than having to install or call up software to retrieve stored passwords.
You don't need to tote around the software on a laptop or thumb drive or
its database.  You don't lose your password database because you lost
your USB memory stick.  It's in your head.  It's based on info that you
will always remember.  Once you come up with the pieces of personal info
to use, and in what order for each piece, and what order the pieces
are in within your string, that pretty much becomes ingrained in your memory.
Then you just add in the domain to modify this string somehow (which is
always the same way) to make it unique at each site.

Considering how popular software like this is, it's sad that users are
incapable of remembering algorithms or that they think they have to
memorize multiple strings for unique passwords at different sites.  I
use a password scheme that has just 2 components in it based on my
personal info and a 3rd component based on the domain where I am logging
in.  The scheme gives me a strong password.  At sites that require some
uppercase characters, it's always the same 2 eligible characters that I
use in my 2nd login attempt (because the 1st attempt was all lowercase).

It's so damn simple that it seems trivial to anyone to whom I explain
how I came up with my password.  Without knowing the algorithm used to
build the password, it looks like garbage that varies with each domain.
It's sad users need software to do this.

--
Bear
http://bearware.info
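The post above describes a deterministic scheme: a fixed string the user knows, combined with a domain-derived modifier, so every site gets a different password without storing anything. The example below is added here and is not Bear's code or his exact scheme; it keeps his two ideas (drop the hostname and key on the stable domain; reserve fixed positions for the character classes sites demand, with a letter first) but replaces substrings of personal data with a keyed hash of a private passphrase, because birthdates, SSN digits and eye colour are the kind of facts an attacker can look up, whereas a long passphrase run through a slow hash is not. The master passphrase, the salt and the site URLs are constructed values for the demo, and `site_key` is a simplified version that does not know about two-part public suffixes such as co.uk.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo passphrase; a real user keeps a long private one in their head.
MASTER_SECRET = "constructed demo passphrase, not a real one"

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*-_=+"
FULL = LOWER + UPPER + DIGITS + SYMBOLS


def site_key(url_or_domain: str) -> str:
    """Reduce a URL or hostname to the part that stays stable.

    Drops the scheme, the path and the leading hostname labels (so 'www'
    is ignored, as the post advises) and keeps the last two labels.
    Simplified: it does not know about suffixes such as co.uk.
    """
    host = url_or_domain
    if "://" in host:
        host = urlsplit(host).hostname or ""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def derive_password(master: str, site: str, length: int = 16, counter: int = 1) -> str:
    """Derive a site-unique password from the master passphrase and the domain.

    counter lets the user rotate one site's password (when a site forces a
    change) without changing the passphrase or any other site's password.
    """
    if not 8 <= length <= 28:
        raise ValueError("length must be between 8 and 28")
    domain = site_key(site)
    # Slow, salted stretch of the passphrase; the salt is a hypothetical constant for the demo.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), b"demo-salt", 50_000)
    # Bind the stretched key to this domain and rotation counter (32 bytes out).
    stream = hmac.new(key, f"{domain}|{counter}".encode(), hashlib.sha256).digest()
    chars = [FULL[b % len(FULL)] for b in stream[:length]]
    # Force one character of each class into fixed positions so that sites
    # demanding mixed case, a digit or a symbol are satisfied on the first try.
    # Position 0 is always a letter, since some sites reject a leading digit.
    # Bytes 28..31 are used for this and never overlap the first <=28 bytes.
    for i, cls in enumerate((LOWER, UPPER, DIGITS, SYMBOLS)):
        chars[i] = cls[stream[31 - i] % len(cls)]
    return "".join(chars)


def has_all_classes(pw: str) -> bool:
    """True if pw contains a lowercase, an uppercase, a digit and a symbol."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


if __name__ == "__main__":
    for site in ("https://www.ibm.com/account/login", "mail.example.org"):
        print(site_key(site), derive_password(MASTER_SECRET, site))
```

Both `https://www.ibm.com/account/login` and `ibm.com` yield the same password, a different domain or a bumped `counter` yields an unrelated one, and nothing needs to be stored: only the passphrase and the per-site counters have to be remembered. The cost of the keyed-hash form is that a compromise of the passphrase exposes every site, exactly as it would for a mental scheme once the algorithm and the personal facts are known.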

Re: Strategies For Locating Malware?

wrote:


    Probably won't have to go that far unless it's a vampire.
    Li'l old trick I learnt, works for goo...gle aagghhh, and
probably others.

    Send yourself a letter addressed to

    PeteCresswell+somerandomletters@your.email.server.com

    Don't forget the "+" between your username and the random
letters.

    See if you receive it, look at the headers.

    Get the idea?

    []'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

Re: Strategies For Locating Malware?

Per Shadow:

That one whizzed right over my head.

I tried sending an email to Peter_CresswellXYZ@FatBelly.com and
AOL's address check popped a dialog saying that "XYZ" was
suspicious.

I overrode the warning and told it to just send the message.

Then another dialog popped saying the message was not sent and I
should go to a "Challenge" page.

But when it tried to open the challenge page
(http://challenge.aol.com/en/us/spam.html ) it threw "570 User
Identification Failed".

What would have been the implication if it had gone through and
appeared in my inbox? FWIW, I have a GoldList that would have
weeded out that "To:" address - or would I be looking for
somebody extracting my fake-but-deliverable address from the AOL
address book?
--
Pete Cresswell

Re: Strategies For Locating Malware?

(PeteCresswell) wrote:


I do not see the plus sign (+) in your test address.

--
   -bts
   -One must not skip steps.

Re: Strategies For Locating Malware?

Per Beauregard T. Shagnasty:

Mea culpa - didn't realize it was literally supposed to be there.

Just sent one to "PeteCresswell+somerandomletters@FatBelly.com"
and it did not get to me.

FWIW, one of those fake-but-deliverable addresses that I
substituted for my "real" address in the affected person's AOL
address book just received a spam: same deal as the others - 8
addrs in "To:", and just two lines in the body: an admonition to
check something out, and an accompanying link.

viz:
========================================================
..Choose the easiest way to earn money  
http://www.marinadiportotorres.it/viev.site.php?jbSubCategoryId=46ce9
========================================================


I think I need to find out where this person's AOL address book
resides: in the cloud, or on her C: drive.

Would anybody agree?
--
Pete Cresswell
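The technique running through this thread (Pete's substituted address in the AOL address book, Shadow's "+" trick, and the spam that just arrived at one of the substituted addresses) is a canary: seed each place that holds your address with a variant only that place was given, then read the variant back out of the "To:" line of whatever spam arrives. The code below is an added example, not anything Pete or Shadow posted; it assumes a mail server that delivers `user+tag@domain` to `user@domain` (the convention Shadow describes) and uses the hypothetical mailbox `PeteCresswell@FatBelly.com` from the thread, a constructed tag secret, constructed seed labels and a constructed eight-recipient "To:" header in the shape Pete reports.

```python
import hashlib
import hmac
import re

# Constructed demo values. The secret makes the tags unguessable, so a
# harvester cannot fabricate a tag that points at a source it never saw.
TAG_SECRET = b"constructed-demo-secret"
MAILBOX_USER = "PeteCresswell"
MAILBOX_DOMAIN = "FatBelly.com"  # hypothetical domain from the thread

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def canary_address(source_label: str) -> str:
    """Build a plus-addressed canary for one place the address is seeded.

    The tag after '+' is 8 hex chars of HMAC(secret, label): it looks random
    to whoever harvests it, but the owner can map it back to the label.
    """
    tag = hmac.new(TAG_SECRET, source_label.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{MAILBOX_USER}+{tag}@{MAILBOX_DOMAIN}"


def canonical_mailbox(address: str) -> str:
    """Strip a '+tag' the way plus-addressing mail servers do, lowercased.

    Useful for checking that a test message to a canary really lands in
    the base mailbox before relying on the scheme.
    """
    local, _, domain = address.partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}".lower()


def build_registry(labels):
    """Map each canary (lowercased) back to the label it was seeded under."""
    return {canary_address(lbl).lower(): lbl for lbl in labels}


def extract_addresses(header_value: str):
    """Pull every address out of a To:/Cc: header value, lowercased."""
    return [a.lower() for a in ADDR_RE.findall(header_value)]


def attribute(to_header: str, registry: dict) -> list:
    """Return the seeded sources whose canary appears in a received header."""
    seen = extract_addresses(to_header)
    return sorted({registry[a] for a in seen if a in registry})


# Constructed sample: canaries seeded in three places, then a spam whose To:
# line carries eight recipients, like the ones described in the thread.
SEEDED = ["friend-aol-address-book", "newsletter-signup", "forum-profile"]
REGISTRY = build_registry(SEEDED)
SAMPLE_TO = ", ".join([
    "alice@example.com", "bob@example.net", canary_address("friend-aol-address-book"),
    "carol@example.org", "dave@example.com", "erin@example.net",
    "frank@example.org", "postmaster@e-statements.example.com",
])


def main():
    hits = attribute(SAMPLE_TO, REGISTRY)
    print("leaked from:", hits)  # prints ['friend-aol-address-book']
    return hits


if __name__ == "__main__":
    main()
```

A hit tells you which store was harvested (here the friend's address book), which is the question Pete's substitution answers; it does not by itself say whether the harvesting ran on her PC or against the copy held at AOL, which is the question the later posts are still circling. For that, the next thing to read is the `Received:` chain of the spam itself, as Shadow suggests, rather than its `To:` line.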

Re: Strategies For Locating Malware?

Per (PeteCresswell):

I think I have tentatively answered my own question: it seems to
reside in the cloud per
http://forums.mozillazine.org/viewtopic.php?f=39&t=2456369

Maybe I'm too immersed in this stuff for my own good, but that
looks butt-fugly to me.

So... I guess I still have no clue as to whether the culprit is
running on the user's PC or is hitting AOL from afar.

Now I'm thinking the next step should be to follow David's advice and
change the user's PW. Didn't want to do that at first because of
introducing additional user confusion....

--
Pete Cresswell
