On Sun, 06 Nov 2005 14:45:02 GMT, Jeffrey F. Bloss wrote:
> traveler wrote:
>
>>> If *I* were ever to locate a rootkit on one of my PCs, then the first
>>> stop would be my AV provider.. after all, removing nasties is what I pay
>>> them for. And what they do for a living.
>>>
>>> Oh, and most vendors put out free worm removal tools, even to
>>> non-subscribers. I daresay a bit of a rummage through the appropriate
>>> web site would do the same for known rootkits.
>>>
>>> Not that I'm dissing a tool that I haven't even looked at, of course...
>>
>> The reason anti-virus products don't catch it is because it's not a virus,
>> or a trojan. It's software of sorts
>
> There's no "of sorts" about it, they're software. Period. The reason
> mainstream AV software doesn't detect them (some are) is probably more a
> matter of money and politics than anything else. They're just recently
> becoming "popular" in the world of Window$, and until recently the ROI
> just wasn't there. No financial benefit for investing the time and effort
> into designing ways to ferret out something that only had a one in a
> billion chance of being a problem.
>
> Root kits aren't some mysterious magical incantation uttered by long
> bearded mages who live under ancient trees. Viruses have been using
> similar or identical "stealth" techniques for many years to hide their
> presence from AV software and things like the task manager. Detecting
> them isn't rocket surgery if you know what you're doing. The problem with
> root kits is that they generally *replace* critical system files with
> total rewrites. You can't typically "disinfect" a system that falls victim
> to many/most root kits, and anyone or any software that claims to be able
> to do so reliably is lying or severely misinformed. Thus the "political"
> problem of detecting something and then telling the customer "nothing I
> can do... sorry about your luck". ;)
>
>> designed to hide something like a
>> trojan. Windows removal tool and even the best virus/trojan scanner
>> wouldn't find it, you need a specialized product like the F- Secure to
>
> Think about what you're saying... "one piece of software can't find it but
> another can". This is obviously nothing more than a matter of adding the
> code and methods from one software to another, not some magical quality
> that software assumes if it's given the "Anti Virus" moniker. Root kit
> detection has been thus far left to specialized software because there was
> no pressing reason to detect them. Although I know I've read through lists
> of "trojans" that mainstream AV software detects and seen root kit names.
> So AV software peddlers obviously do add detection for such things if and
> when they become a problem in the mind of the peddler.
>
>> detect it, and just as important to SAFELY remove it without any
>> hassles,
>
> How do you remove something that replaces critical files with completely
> different versions?
>
> Short answer... you can't. You're left restoring from backups or
> reinstalling. No anti-rootkit software in the universe is going to be able
> to do this alone.
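The post above argues that rootkits hide by replacing critical system files with rewrites, and that spotting this "isn't rocket surgery". The usual defender's check for that is a file-integrity baseline: hash the files while the system is known good, then rehash later and diff. The script below is an added example written for this page, not code from any poster or vendor; the directory tree and file contents are constructed inline so it runs offline, and the file names are placeholders rather than real system files.

```python
"""Added example (not from the thread): file-integrity baseline and diff.

Rootkits that rewrite system files change those files' hashes. Recording
SHA-256 digests from a trusted state and comparing later reveals which
files were replaced, added or removed. All file names below are
constructed placeholders.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots.

    replaced: same path, different hash (the rootkit-style rewrite)
    added:    present now, absent in the baseline (dropped driver, hidden file)
    removed:  present in the baseline, gone now
    """
    return {
        "replaced": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, simulate one rewritten
    'system file' plus one dropped driver, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "drivers").mkdir()
        (root / "system32" / "loader.dll").write_bytes(b"original loader code")
        (root / "drivers" / "disk.sys").write_bytes(b"original disk driver")

        baseline = build_baseline(root)  # taken while the tree is known good

        # Simulated compromise (constructed): one file rewritten, one file added.
        (root / "system32" / "loader.dll").write_bytes(b"rewritten loader with hooks")
        (root / "drivers" / "hidden.sys").write_bytes(b"hidden driver")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats follow from the thread's own point about stealth. First, a kernel-level rootkit can intercept file reads on the running system and hand back the original bytes, so the comparison is only trustworthy when the later snapshot is taken from clean boot media or another host that mounts the disk. Second, the diff tells you what was replaced, not how to repair it; a replaced file is restored from a trusted copy or backup, which is exactly the "restore or reinstall" outcome the post describes.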
On Sun, 6 Nov 2005 02:04:47 -0800, traveler <noreply@nym.alias.net> wrote:
>The reason anti-virus products don't catch it is because it's not a virus,
>or a trojan. It's software of sorts designed to hide something like a
It is a trojan by every definition of the word. The user inserts a CD to
play music, not to install software to limit the number of times he can
copy a music file.
Here's the analogy in case you can't fathom:
trojan horse; desirable object == music CD
greek army hidden inside trojan horse; malicious component == root kit
>trojan. Windows removal tool and even the best virus/trojan scanner
>wouldn't find it, you need a specialized product like the F- Secure to
So fucking what? That just means that rootkits are a recent discovery and
most virus/trojan scanners don't have the capability to handle rootkits yet.
>> "traveler" <noreply@nym.alias.net> wrote in message
>> If you would like to try something that's more than a "revealer",
>> that can safely remove the root kit for you, if in fact you want to
>> remove it rather than keeping it, that's a safe product and produced
>> by a leading computer security company, that's free to use until
>> January 1st, 2006, then go to the general technology section at:
>> www.privacy.li/forum
>> Or just keep what you have, just don't delete anything.
> ..or just go to Windows Update and run the Malicious Software Removal
> Tool.
Totally different situation, and the MSRT is incapable of finding let alone
removing rootkits.....
The reason for that is because Microsoft did NOT design/program the MSRT to
find/deal with rootkits.
"Max Burke" <mlvburke@xxxxxxxxx.nz> wrote in message
news:436edc46@clear.net.nz...
>
> > Hairy One Kenobi scribbled:
>
> >> "traveler" <noreply@nym.alias.net> wrote in message
>
> >> If you would like to try something that's more than a "revealer",
> >> that can safely remove the root kit for you, if in fact you want to
> >> remove it rather than keeping it, that's a safe product and produced
> >> by a leading computer security company, that's free to use until
> >> January 1st, 2006, then go to the general technology section at:
> >> www.privacy.li/forum
> >> Or just keep what you have, just don't delete anything.
>
> > ..or just go to Windows Update and run the Malicious Software Removal
> > Tool.
>
> Totally different situation, and the MSRT is incapable of finding let alone
> removing rootkits.....
> The reason for that is because Microsoft did NOT design/program the MSRT to
> find/deal with rootkits.
Erm.. I believe that you snipped a little too much.
I'd also suggest that you take-up the definition of "rootkit" with
Microsoft - I stopped when I hit the first one listed as being handled by
MSRT. In the KB article.
"Not" is a very strong word to use, particularly since MS /did/ specifically
design the MSRT to deal with malicious software. There's even a clue in the
name ;o)
As I said in the snipped portion, I personally prefer full-time AV vendor
support - not just someone that MS happened to have borged.
On Mon, 07 Nov 2005 09:38:34 +0100, Jim Watt <jimwatt@aol.no_way> wrote:
>On Sun, 06 Nov 2005 23:22:36 GMT, AZ Nomad <aznomad@PmunOgeBOX.com>
>wrote:
>>It is a trojan by every definition of the word.
>no it's not, the basis of a trojan is to insert enemy forces
>and in computer terms provide remote access.
NO. A trojan is a friendly looking object with a hidden malicious component.
It is shorthand for 'trojan horse'. Think about your history if you can.
Remote access is irrelevant. The greeks during the trojan war, last time I
checked, didn't have internet access.
If I put a statement "If user == Jim Watt and date = 11/8/2005 then
erase the hard drive" into a word processor and you get a copy and proceed to
blow away your hard drive thinking you were just doing some word processing,
it is a trojan. Remote access had nothing to do with it.
>It's yet another threat, like diallers, spyware and the other
>malware.
and rootkits installed by audio CDs.
"Jim Watt" <jimwatt@aol.no_way> wrote in message
news:jdlvm1dos7l3i1gvitm7qfe22s4s8ldr0e@4ax.com...
> On Mon, 07 Nov 2005 20:34:21 GMT, AZ Nomad <aznomad@PmunOgeBOX.com>
> wrote:
>
> >>no it's not, the basis of a trojan is to insert enemy forces
> >>and in computer terms provide remote access.
> >
> >NO. A trojan is a friendly looking object with a hidden malicious component.
> >It is shorthand for 'trojan horse'. Think about your history if you can.
>
> whereas thanking you for your advice, having had a classical education
> as a child and read the story in its original form, your ill informed
> comments are inappropriate.
I'd say that you're both right - the original definition of a Trojan was the
sort of thing described (if I'd ever have written one, it would have been
something written at college to look like a fake login screen for the
mainframe, used to collect a password couplet, to store it in another
compromised account, and then logout in a way that was untraceable to anyone
below middle-admin level. Lucky I never did it, then..)
Anyway.
The more modern (and, strictly speaking, inaccurate) term is to describe the
payload, rather than the method used to deliver it.
Personally, the "login to our website" crap that one gets on TV adverts is a
damned sight (site?) more offensive to me, lexagrammatically. Ditto hacker
vs. cracker.
Wonder if there's an alt.pointless.semantics froup? ;o)
On Tue, 08 Nov 2005 01:35:10 +0100, Jim Watt <jimwatt@aol.no_way> wrote:
>On Tue, 08 Nov 2005 00:08:01 GMT, "Hairy One Kenobi"
><abuse@[127.0.0.1]> wrote:
>>The more modern (and, strictly speaking, inaccurate) term is to describe the
>>payload, rather than the method used to deliver it.
>The original story was about the introduction of a payload by
>stealthy means. The elements involved in the process are
>deception, acceptance, the hidden delivery of something
>unexpected which then compromises security.
>A few soldiers walking around the city themselves not a
>problem until they open the gates.
The key is that the soldiers wouldn't be in the city unless they were
brought in when the trojan horse was taken into the city.
>Then the analogy is complete.
Funny. That part of the story is never told. We don't hear about what the
soldiers had for lunch either.
"AZ Nomad" <aznomad@PmunOgeBOX.com> wrote in message
news:slrndn07dl.gic.aznomad@ip70-176-155-130.ph.ph.cox.net...
> On Tue, 08 Nov 2005 01:35:10 +0100, Jim Watt <jimwatt@aol.no_way> wrote:
> >On Tue, 08 Nov 2005 00:08:01 GMT, "Hairy One Kenobi"
> ><abuse@[127.0.0.1]> wrote:
>
> >>The more modern (and, strictly speaking, inaccurate) term is to describe the
> >>payload, rather than the method used to deliver it.
>
> >The original story was about the introduction of a payload by
> >stealthy means. The elements involved in the process are
> >deception, acceptance, the hidden delivery of something
> >unexpected which then compromises security.
>
> >A few soldiers walking around the city themselves not a
> >problem until they open the gates.
> The key is that the soldiers wouldn't be in the city unless they were
> brought in when the trojan horse was taken into the city.
Always a problem if you use rabbits instead of horses...