From: idbeholda on
http://www.tot-ltd.org

Details are available on the front page.

Enjoy.

From: Lil' Abner on
idbeholda <idbeholda(a)gmail.com> wrote in news:36ed32ff-f024-48fb-8309-
0fdfd966e7f1(a)41g2000yqn.googlegroups.com:

> hxxp://www.tot-ltd.org
>
> Details are available on the front page.
>
> Enjoy.

Yeah, right. That's so obvious it stinks!
TR/Dropper.Gen.Trojan

--
--- Everybody has a right to my opinion. ---

From: FromTheRafters on
"Lil' Abner" <blvstk(a)dogpatch.com> wrote in message
news:Xns9DB97DC6897Dbutter(a)wefb973cbe498...
> idbeholda <idbeholda(a)gmail.com> wrote in news:36ed32ff-f024-48fb-8309-
> 0fdfd966e7f1(a)41g2000yqn.googlegroups.com:
>
>> hxxp://www.tot-ltd.org
>>
>> Details are available on the front page.
>>
>> Enjoy.
>
> Yeah, right. That's so obvious it stinks!
> TR/Dropper.Gen.Trojan

Huh?

Are you saying that your antibadware program detects a threat on that
site?


From: idbeholda on
On Jul 18, 1:32 pm, "FromTheRafters" <erra...(a)nomail.afraid.org>
wrote:
> "Lil' Abner" <blv...(a)dogpatch.com> wrote in message
>
> news:Xns9DB97DC6897Dbutter(a)wefb973cbe498...
>
> > idbeholda <idbeho...(a)gmail.com> wrote in news:36ed32ff-f024-48fb-8309-
> > 0fdfd966e...(a)41g2000yqn.googlegroups.com:
>
> >> hxxp://www.tot-ltd.org
>
> >> Details are available on the front page.
>
> >> Enjoy.
>
> > Yeah, right. That's so obvious it stinks!
> > TR/Dropper.Gen.Trojan
>
> Huh?
>
> Are you saying that your antibadware program detects a threat on that
> site?

Yes, it looks like everyone is entitled to Lil'Abner's opinion, no
matter how outlandish or farcical it may actually be. I wonder who
will step forward next, saying after they ran TT Livescan or The
Security Suite that they were abducted by space aliens and woke up
naked in a cornfield covered in rum. Really, if you're going to make
an accusation, back it up with statistical fact.

http://virusscan.jotti.org/en/scanresult/05c4a970207047724ed2f0581332800bf5f5ab5b
http://www.virustotal.com/analisis/40fcde139401b4a87156512de00d7163bdf3222628a163474bfe88dccfd4ca35-1279472728

Symantec picks up just about anything with a .vbs extension as
hostile. For instance, in The Security Suite, it uses vbscript to do
a quick 80MB defrag of the ram. How hostile is this piece of code,
you ask? Let's see.

Mystring = Space(80000000)

Yeah, that's really gonna hose your system. Way to go, Symantec.

a-squared, AntiVir, and Ikarus, from personal experience, usually cry
wolf on just about anything, which is why I avoid using them.

Anyone got any more questions they'd like cleared up?

From: idbeholda on
The alert you're getting for PortStub.exe would be a false positive.
When the scanner initializes, PortStub.exe is activated, which
produces a list of ACTIVE processes, and their active port numbers,
then it exits. The items in this list are checked against the online
whitelist database. The reason both The Security Suite and TT
Livescan are as small as they are is because a full local install of
the database AND the application will be close to 2GB. The only way
for me to make my project available to the public, is to make it to
where the current database format is remotely accessed.

The experimental, unreleased version that I have at my own personal
disposal has database access times that are only limited by the
physical speed of the hardware architecture that it's installed on.
The downside is, the way the unreleased database is formatted, it
takes up nearly 160GB. Yes, you read that correctly, and no, it's not
science fiction or an urban legend. The reason I bring this up, is
that if it were commercially viable for me to make this version
available to the public, I would. Unfortunately, I have neither the
time OR the resources to do so at this point in time. In the future,
it's a possibility.

Now, onto the second part... Since the last time I explained
something similar to this (the ftp uploader), and was accused of
writing a worm, again, unlike other companies, I will OPENLY discuss
my work if asked politely. The following code is the only part of the
code that "drops" anything. And yes, it was modified from a project
on pscode that I downloaded quite some time ago. The dropped file in
question being ports.map, as we can see below.


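    ' (The opening Sub line is not included in the post.)
    ' Acquire the debug privilege once; End terminates the program if that fails.
    If Not Privilege Then
        If Not (LoadPrivilege(SE_DEBUG_NAME)) Then
            End
        End If
    End If
    Privilege = True

    If OpenPort() Then
        For i = 0 To 65535
            ' First port table: port number, a tab, then the owning process path.
            If ResultPorts(0, i) Then
                PPCode = Replace(Str(i) + vbTab + _
                    ProcessPathByPID(ResultPorts(0, i)), " ", "")
                ' Skip entries containing "SYSTEM"; append the rest to ports.map.
                If InStr(PPCode, "SYSTEM") < 1 Then
                    Open "ports.map" For Append As #2
                    Print #2, PPCode
                    Close #2
                End If
            End If
            ' Second port table: same handling.
            If ResultPorts(1, i) Then
                PPCode = Replace(Str(i) + vbTab + _
                    ProcessPathByPID(ResultPorts(1, i)), " ", "")
                If InStr(PPCode, "SYSTEM") < 1 Then
                    Open "ports.map" For Append As #2
                    Print #2, PPCode
                    Close #2
                End If
            End If
        Next i
    End If
    Unload Me
End Sub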

Gathering the list of processes by port, and then outputting the
results to a plain text file. There it is. There is the so-called
"hostile" code.

If you have any more questions, I'll be more than happy to answer them.
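
Added example, not part of idbeholda's post or the project's code: a Python model of the ports.map records the posted loop writes, showing two side effects of its string handling (every space is stripped from the path, and the "SYSTEM" filter is case-sensitive) and how the entries could be checked against a local allowlist. The sample processes, the allowlist and all function names are constructed for illustration; that ProcessPathByPID returns "SYSTEM" for the system process is an assumption.

```python
# Added example: Python model of the ports.map records written by the posted VB6 loop.
# Sample processes and the allowlist are constructed; the real whitelist format is not on the page.

def vb_record(port, path):
    """Line the loop would append for one port, or None if the "SYSTEM" filter skips it."""
    # VB6 Str() puts a leading space before non-negative numbers; Replace() then
    # strips every space, including those inside the executable path.
    line = (" " + str(port) + "\t" + path).replace(" ", "")
    # InStr() is case-sensitive under VB6's default Option Compare Binary.
    return None if "SYSTEM" in line else line

def parse_ports_map(text):
    """Parse ports.map text into a sorted list of unique (port, path) pairs."""
    entries = set()
    for raw in text.splitlines():
        port, sep, path = raw.strip().partition("\t")
        if sep and port.isdigit() and 0 <= int(port) <= 65535:
            entries.add((int(port), path))
    return sorted(entries)

def normalise(path):
    """Comparison key: spaces removed (as in the file) and case folded (Windows paths)."""
    return path.replace(" ", "").casefold()

def unlisted(entries, allowlist):
    """Entries whose executable path is not on the allowlist."""
    allowed = {normalise(p) for p in allowlist}
    return [(port, path) for port, path in entries if normalise(path) not in allowed]

# Constructed sample: (port, owning process path) as the two tables might report them.
SAMPLE = [
    (80, r"C:\Program Files\Example Server\httpd.exe"),
    (80, r"C:\Program Files\Example Server\httpd.exe"),   # same port seen in both tables
    (135, r"C:\WINDOWS\system32\svchost.exe"),
    (445, "SYSTEM"),                                        # dropped by the filter
    (5000, r"C:\Users\demo\Downloads\tool.exe"),
]
ALLOWLIST = [r"C:\Program Files\Example Server\httpd.exe",
             r"C:\Windows\System32\svchost.exe"]

def demo():
    lines = [rec for rec in (vb_record(p, path) for p, path in SAMPLE) if rec]
    return unlisted(parse_ports_map("\n".join(lines)), ALLOWLIST)

if __name__ == "__main__":
    print(demo())
```

Because the file is opened For Append, repeated runs add duplicate lines unless something else clears it, which is why the parser de-duplicates; an allowlist has to be compared with spaces removed, since the written paths no longer contain them.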