lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <40DEAFA2.28275.AE53713@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: "Sample" not running but preventing Win2k from Shutdown

Marcel Krause <marcel_k@....de> wrote:

> I was fishing for some nice MSIE "plugins" on some porn sites and
> found a mysterious one. It does not appear anywhere, neither in my
> Firewall nor as a toolbar, and there is no new process running on
> the sandbox machine. But whenever I try to shut it down or reboot
> it, an application called "sample" does not want to terminate
> voluntarily. As said before, there is no such app in the process
> list before shutting down, and there is no unknown sample*.* file
> on any of the sandbox's hard disks.  ...

Jeeeez...

The lameness exhibited here just keeps getting more and more 
unbelievable.

What in the world possessed you to "go fishing" for something that you 
are clearly entirely inadequate to handle?  How you could even consider 
doing this without, obviously, the most basic grasp of modern malware 
techniques is astounding.

Have you not heard of process injection?

Or even "browser helper objects"?

And that you would try this on a machine that is clearly not suitably 
prepared for file system, registry and process "diff analysis" is only 
more astounding than that you are gormless enough to admit to all those 
inadequacies by posting about it here...

> ...  Does anyone know this "sample"?

Not necessarily that specific one, but it is almost certainly very like 
many others that have been using process injection techniques or the 
BHO method of "injecting" themselves into Explorer...

If you tell us the URL you got it from, someone who can spell "clue" may 
spend two minutes working it out for you, though...


Regards,

Nick FitzGerald
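Nick's two points above, a sandbox prepared for registry "diff analysis" and a BHO that loads inside the browser instead of showing up as a process of its own, as an added example that is not part of the original thread: a Python script that diffs two regedit exports taken before and after the visit to the site, flags any CLSID newly registered under the Browser Helper Objects key, and resolves it to its DLL through the CLSID's InprocServer32 key. The .reg text inside the script, the CLSID and the DLL path are constructed sample input, not anything from the post.

```python
"""Registry snapshot diff for a malware sandbox. Added example, not code from
the original post; assumes two regedit exports (regedit /e before.reg
HKEY_LOCAL_MACHINE) taken before and after the suspect "plugin" was installed
and decoded to str. The .reg text at the bottom is constructed sample input."""
import re
from typing import Dict, List, Tuple

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
# One value line of a .reg file: "name"=data  or  @=data (the default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
RegMap = Dict[Tuple[str, str], str]   # (key path, value name) -> raw data


def parse_reg(text: str) -> RegMap:
    """Parse a .reg export into {(key, value_name): data}. Handles the header,
    [key] sections, "name"=data / @=data lines, and hex data regedit wraps with
    a trailing backslash. Every key is also stored as (key, "") -> "" so a new
    key with no values still shows in a diff; the default value is named "@"."""
    entries: RegMap = {}
    key, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                          # continuation of a wrapped value
            line, pending = pending + line, ""
        if not line or line[0] == ";" or line.startswith(("REGEDIT", "Windows Registry")):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            entries.setdefault((key, ""), "")
        elif key is None:
            pass                             # value before any [key]: ignore
        elif line.endswith("\\"):            # wrapped: keep collecting
            pending = line[:-1]
        else:
            m = VALUE_RE.match(line)
            if m:
                entries[(key, "@" if m.group(1) is None else m.group(1))] = m.group(2)
    return entries

def diff_reg(before: RegMap, after: RegMap):
    """(added, removed, changed): entries only in `after`, only in `before`,
    and in both with different data, the last as (key, name, old, new)."""
    added = sorted(e for e in after if e not in before)
    removed = sorted(e for e in before if e not in after)
    changed = sorted((k, n, before[k, n], after[k, n]) for (k, n) in before
                     if (k, n) in after and before[k, n] != after[k, n])
    return added, removed, changed

def new_bhos(before: RegMap, after: RegMap) -> List[str]:
    """CLSIDs registered under the Browser Helper Objects key only in `after`.
    MSIE loads each one as a DLL into its own process, so no new process appears."""
    prefix = BHO_KEY + "\\"
    def clsids(reg: RegMap):
        return {k[len(prefix):].split("\\")[0] for (k, _) in reg if k.startswith(prefix)}
    return sorted(clsids(after) - clsids(before))

def inproc_server(reg: RegMap, clsid: str) -> str:
    """DLL the CLSID resolves to (default value of its InprocServer32 key), or ""."""
    data = reg.get((CLSID_KEY + "\\" + clsid + r"\InprocServer32", "@"), "")
    return data.strip('"').replace("\\\\", "\\")   # .reg doubles backslashes

def report(before_text: str, after_text: str) -> Dict[str, object]:
    before, after = parse_reg(before_text), parse_reg(after_text)
    added, removed, changed = diff_reg(before, after)
    return {"added": added, "removed": removed, "changed": changed,
            "new_bhos": {c: inproc_server(after, c) for c in new_bhos(before, after)}}

# Constructed sample exports; the "after" one has a hypothetical BHO registered.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00,\
  3c,28,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"""
AFTER = BEFORE.replace("3c,28", "3c,29") + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINNT\\system32\\suspect.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    r = report(BEFORE, AFTER)
    for key, name in r["added"]:
        print("+", key, name or "(key)")
    for key, name, old, new in r["changed"]:
        print("~", key, name, old, "->", new)
    for clsid, dll in r["new_bhos"].items():
        print("NEW BHO", clsid, "->", dll or "(no InprocServer32)")
```

Take the exports on the clean sandbox and again after the visit, read them with open(path, encoding="utf-16") on Win2k (its "Version 5.00" exports are UTF-16LE; REGEDIT4 exports are plain ANSI), and hand the two strings to report(). The same set difference over a "dir /s /b" listing and a process list covers the file system and process parts of the diff analysis; a name that appears only at shutdown and belongs to no process on the list is exactly the case where the registry side, not the process list, points at the component.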

