From: Dustin Cook on 6 Jan 2007 20:25

"pcbutts1" <pcbutts1(a)leythosthestalker.com> wrote in news:VeOdnUfap6yAXADYnZ2dnUVZ_revnZ2d(a)giganews.com:

> Dustin the files are analyzed and checked and verified here in my
> office test lab.

Then why do you release a simple script file, instead of an actual program which could do real content analysis, to be sure it's getting the right file in its crosshairs?

I don't know of any serious office test labs which release mass deletion scripts.... What's the name of this office?

> Our test boxes are infected for weeks at a time and
> then checked for changes they are constantly monitored and not with
> just one infection but two and three at a time. We know what these
> files are and what they do and how they change. I understand what you
> are saying but you need to understand what we do to prevent from
> happening what you say can happen. Yes it can happen but we guard
> against it.

Monitored for what and how? And what are you infecting them with in the first place? Viruses infect, trojans are not capable of infection. They'd be viruses if they could....Trojans.. ehh, you know as adware, spyware, riskware.. heh, etc... they're all trojans when it comes right down to it.

> For example. a few months ago we found a file that is not
> a windows file but a legitimate file if it is deleted it will break
> your system, however only if you have certain software installed. We
> find these all the time.

This is normal in the study of malware and systems which may have some on them. It's not something to brag about. :)

> If the malware can be removed safely without
> deleting that file then spyerase will not delete that file. If it
> cannot then it will be deleted and replaced on reboot with a good
> clean file or the file is replaced before scanning and it will not be
> included in the detection database. We did however use this method to

detection database? What detection database? Your file is a long batch file that occasionally calls 3rd party programs (Strange, one would think a lab would develop their own software for that)... to delete files and stop processes which may be running in memory. I don't see any references to any database of any kind in your script.... No file io calls to any files of any kind, except for deletion...

Your script is incapable of deciding whether or not a file is malware because it does not do any kind of analysis, it simply deletes any files that match hard coded names... Any malware that's released that goes for common names has the benefit of making sure your script trashes the host in the process of removal...

It's one thing to have false alarms as all programs occasionally do, but it's never okay to treat a file as bad simply because of its name!

> set traps for the thieves who try to steal spyerase. I will send you
> one such file, you analyze it and tell me if bug hunter detects it or

Pcbutts, a question if you will...

You mentioned spyerase was developed in 2005, correct? If that's the case, why do several roguefix versions I have at the shop predate it, and practically match several lines for lines in your spyerase?

I've tried to be as civil with you as I possibly know how, but I'm convinced you've stolen those routines and don't really understand what's going on in the code; hence your need to release a script, and depend on other programs to do everything for you.

> if you know what the file does and what program uses it. You can post
> your answer here but don't name the file.

The file is common with several programs, one of which is acs... It's a library often mistaken for being malware. :(

--
Dustin Cook
Author of BugHunter - MalWare Removal Tool -V2.0
web: http://bughunter.it-mate.co.uk
email: bughunter.dustin(a)gmail.com.removethis
Last updated: January 4th, 2007

From: pcbutts1 on 6 Jan 2007 22:01

You asked when I started writing spyerase only. That was in June 2005. Zlob was discovered in March of 2005, I've been around much longer than that. You should know all my scripts are similar. You talk about databases and software, I have all that but I work for the government and my programs are used only on government systems it is not available to the public. The government does not use COTS unless it is cheaper for specialized software. We write our own software. 5 years ago I wrote a tech paper on Spyware and submitted it to my boss. Although it was hard to believe at that time he took my word for it and purchased Spysweeper. That did not last long because it was ineffective and incompatible. I started writing my own removal scripts and they have since been adopted by my job. Now if you get the same spam email over and over again are you going to scan it or read it every single time before you delete it just to make sure it is spam? or are you going to just delete it. If you know a file is bad there is no reason to have to waste time scanning it. For example if you download a file called Leythosisastalkingasshole.jpg.pif you know by the name and extension that it is bad. Why scan it? We scan it anyways just to verify then we add it to my Spyerase for deletion. If we come across a file with the same name like appwiz.cpl, which is a legitimate windows file we don't delete it we replace it with a known good file. This is done before Spyerase is run during the install process and that file is not added to the list in Spyerase.

As far as roguefix goes I did not know Stuart has stolen any of my scripts until it was brought to my attention by a friend of mine. My scripts have been out there for a long time and I never used to post them to the NG's just in the forums. To this date there are 4 people who use my scripts as their own with my permission simply because they asked first and did not steal it. So you will find it out there. I have about 20 or so scripts that do just about anything to a windows system. Don't ask what the name of the program is that I wrote for my job because I won't tell you. I am under contract and it has just been renewed for another 5 years so it will be a while.

--
Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz, Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell

From: Chaz P. Klinder on 6 Jan 2007 23:39

What a crock of sh1t !

Since Clinton became president COTS/GOTS was the preferred way to go. Numerous Gov't. programs were cut and/or their budgets slashed because they were too bloody costly. Clinton mandated that COTS solutions were to be found and used wherever and whenever possible. When Bush came in to the White House he reinforced that mandate. It has been the law of the land ever since.

You say "all my scripts are similar" yet you falsely accuse noahdfear, S!ri and Stuart as stealing from you. The fact is all three have created original code. NONE are similar with S!Ri's being the most eloquent and complex at the same time.

S!Ri's SmitfraudFix generation of registry fix files and VBS script files created on-the-fly are both advanced and yet simple and thus eloquent.

Noahdfear's SmitRem use of peer utilities for the killing of running processes and working with the registry was done in a symbiotic relationship. Noahdfear had permission to use Bobbi Flekman's SWREG and Peacock's PROCESS utilities.

Stuart was considered a mere "copy cat" but used his own style and coding methodology and used the Windows XP stock TSKILL utility.

The fact is in Oct 2005 you were hosting Noahdfear's SmitRem utility and posting the suggestion for its use and you did NOT perform a complete Search & Replace of all occurrences of 'noahdfear' replacing it with PCBUTTS1 and the following was easily found...

    echo.>>%systemdrive%\smitfiles.txt
    echo by noahdfear>>%systemdrive%\smitfiles.txt
    echo.>>%systemdrive%\smitfiles.txt

You were confronted about this, edited the file, and then conveniently dropped hosting the file or suggesting its use. Since all three mentioned utilities target the same malware family, there should be convergence in programming structure. There is no convergence and the only similarity is in the targeted malware family.

You also are clueless about malware. Any file can have any name. All too often an innocuous JPG file is downloaded off a web site that is a binary executable file not a true JPEG file. The same goes for a TXT file. Any file can be loaded as an "AppInit_DLLs" or "Winlogon\Notify" and NOT be a file named as a DLL. The file could be an innocuous TXT file and loaded and still perform its payload.

Don't tell us the following is really an MP3 file !

h**p:// www.hothotmodels.net /live.mp3

You also have a fixation on HiJack This logs. However they are incomplete as many forms of malware hide from HiJack This or will NEVER be shown in a log. Take the Trojan-Downloader.Win32.Agent.awf as an example. In a Hijack This log file you may see the QuickTime stub "C:\Program Files\QuickTime\qttask.exe" being loaded and you'll say it's legitimate. However HiJack This won't show you that "C:\Program Files\QuickTime\bak\qttask.exe" was created which is the real QuickTime stub and "C:\Program Files\QuickTime\qttask.exe" is the Trojan-Downloader.Win32.Agent.awf as noted by its date and file size. Points NOT shown in a HiJack This log.

Now let's talk about the supposed theft by Stuart. Stuart is in London and you are in California. You have NEVER posted any links in public where Stuart could have found out anything of a supposed source code to SuperFix or SpyErase. If you were using it at NASA Stuart would have no way of having access to it and Stuart doesn't even access Usenet. His base and following was/is totally European. There is no connection or mention of anything prior to August 26 when http://www.internetinspiration.co.uk/roguefix.htm was posted with the suggestion of using RogueFix in alt.comp.virus . Subsequently you posted in 24hoursupport.helpdesk on September 3 to use SuperFix. Since you have been found to plagiarise so many others' code, SuperFix was examined and it was found to be RogueFix to a tee with a complete Search and Replace performed changing the name to SuperFix and attributes to you. The same pattern as seen with other utilities you have been found to have plagiarised.

You were confronted with the facts and denied the facts and changed it from SuperFix to SpyErase and password protected the file with an approx. 55 char password. However you continued to deny the theft of Stuart's work. Then on September 20 you announced SpyErase and that it was Windows 2000 compliant (which it never was) that it had "1100+ signatures" (where it does NOT find malware via signature detection but by name and path location) and you posted a laundry list of rogue anti malware targets. In reality you went back to Stuart's web page and copied his target list including all the spelling errors (which was one of several anti-Butts detectors Stuart used) such as "Spyshefiff" instead of "SpySheriff". You can't state that Stuart plagiarised you when the web page was hosting the web page with the target name "Spyshefiff" PRIOR to September 20th when you copied and pasted it into your post.

You are a fraud Christopher Butts !

Oh, let's not forget that /YOU/ don't have a contract with NASA JPL. You are an employee of Lockheed Martin Information Technology (LMIT) and as such you are contracted to JPL by LMIT.

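The point argued in the post above, that a file's name says nothing about its content, as an added example that is not part of the thread or of any tool named in it: it contrasts a hard-coded name list with a check of the file's bytes (magic number against extension, SHA-256 against a known-good baseline). The block-list names, sample bytes and baseline hashes are all constructed for illustration.

```python
import hashlib
import struct

# Constructed hard-coded name list standing in for a name-matching removal script.
NAME_BLOCKLIST = {"spyfake.exe", "appwiz.cpl"}

# Content types each extension is expected to hold.
EXPECTED = {".jpg": {"jpeg"}, ".mp3": {"mp3"}, ".txt": {"text"},
            ".exe": {"pe"}, ".dll": {"pe"}, ".cpl": {"pe"}}


def fake_pe(tag: bytes) -> bytes:
    """Constructed minimal PE look-alike: MZ stub, e_lfanew at 0x3C, PE signature."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + tag


def sniff(data: bytes) -> str:
    """Classify content from its leading bytes, ignoring the file name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:3] == b"ID3" or (len(data) > 1 and data[0] == 0xFF
                              and data[1] & 0xE0 == 0xE0):
        return "mp3"
    if data and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in data):
        return "text"
    return "unknown"


def name_verdict(filename: str) -> str:
    """Decision of a script that only compares names against a fixed list."""
    return "delete" if filename.lower() in NAME_BLOCKLIST else "ignore"


def content_verdict(filename: str, data: bytes, known_good: dict) -> str:
    """Decision based on the bytes: baseline hash first, then type vs. extension."""
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if name in known_good:
        same = hashlib.sha256(data).hexdigest() == known_good[name]
        return "keep" if same else "review: differs from baseline"
    if sniff(data) == "pe" and "pe" not in EXPECTED.get(ext, set()):
        return "review: executable content named " + ext
    return "no finding"


def compare(samples: dict, known_good: dict) -> dict:
    """Return {filename: (name_verdict, content_verdict)} for each sample."""
    return {f: (name_verdict(f), content_verdict(f, d, known_good))
            for f, d in samples.items()}


# Constructed baseline: hashes of stand-ins for the vendor copies of two files.
GOOD_CPL = fake_pe(b"vendor control panel applet")
GOOD_QT = fake_pe(b"vendor startup stub")
KNOWN_GOOD = {"appwiz.cpl": hashlib.sha256(GOOD_CPL).hexdigest(),
              "qttask.exe": hashlib.sha256(GOOD_QT).hexdigest()}

# Constructed samples (header bytes and filler only).
SAMPLES = {
    "appwiz.cpl": GOOD_CPL,                    # legitimate file with a listed name
    "qttask.exe": fake_pe(b"replaced stub"),   # trusted name, swapped content
    "photo.jpg": fake_pe(b"not a picture"),    # executable content behind .jpg
    "readme.txt": b"plain notes\r\n",          # content matches the extension
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
}

if __name__ == "__main__":
    for fname, verdicts in compare(SAMPLES, KNOWN_GOOD).items():
        print(f"{fname:12} name={verdicts[0]:7} content={verdicts[1]}")
```

The name list deletes the intact `appwiz.cpl` and ignores both the swapped `qttask.exe` and the executable named `photo.jpg`; the byte-level checks reach the opposite result in all three cases.
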
From: pcbutts1 on 7 Jan 2007 00:51

You have no idea what you are talking about. I wrote the original code that noahdfear stole and modified, he improved it. I had no problem with that until he claimed it was his. He didn't and still doesn't know who I am because I don't post as pcbutts1 in the forums nor do I use pcbutts1.com in the forums. He challenged me on the ownership and lost. S!ri then used noahdfear's code and modified that claiming it was his. I don't know where Stuart came from or how long he has been using my code. I then modified Spyerase to fully support and work on Windows 2000. I also set traps in the program itself so I can tell the forgery. Stuart's latest version 1.92 still has all the traps in it. Spyerase started at version 1.0 it is now at version 8.5. That BS about COTS you spewed out is just that ...BS. And I don't know what makes you think I use Spyerase at work. My tool that I use at work is much better. For the last time I am not Christopher Butts. You don't know me so you might as well stop trying to identify me. You also know nothing about NASA, JPL, or LMIT.

Now let's take a good look at what we have so far, let's bring everybody up to date. You are a troll, Everyone in my sig and on my website are trolls and thieves. You all have failed to shut me down or stop me. You failed because you lie and lies do not work. You have no proof of anything so that's why you lie. I have proof of everything that's why I'm still here. Spyerase is mine. Spyerase works even on 2000. Spyerase has never ruined any system. I have never ruined any system with my HJT advice. Leythos the stalker is so obsessed with me that he thinks I am talking to him because of my sig and he obeys, maybe I should tell him to go play on the freeway. He is so obsessed that he really thinks posting links to my website will be a shock to me, like I don't know what's there when I wrote it. What an idiot. Trolls are dumb. I am smart. All you dumbass trolls please keep trying to shut me down.

--
Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz, Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell

From: Dustin Cook on 7 Jan 2007 20:05

"pcbutts1" <pcbutts1(a)leythosthestalker.com> wrote in news:q4adnULc6PSLEjzYnZ2dnUVZ_vCknZ2d(a)giganews.com:

> Don't give me credit It was not me. I don't steal. I suggest you try
> to find who did it and let me know because it has happened to me
> before. Start with how you found out. I think it's Nick because some
> of the things that were done to one of my programs was very slick.
> Password it and put traps in it. It will make it somewhat easier to
> track. Now you know how I feel.

You don't steal? Hmm...Strange, the evidence would indicate otherwise... Your programs are.. ehh, scripts.. They aren't the same, not even in the same league.

PcButts, you claim to be a programmer, yes? Well then, I present you a very simple source code snippet below. The code is quite harmless. I'd like for you to tell me what each set of instructions is doing. If you do understand what's going on in the pc, then this code should be a cinch for you to figure it out. If you really do write real applications and don't just steal scripts from people, what does the code below do?

    mov ax,5301
    xor bx,bx
    int 15
    mov ax,530e
    mov cx,0102
    int 15
    mov ax,5307
    mov bl,01
    mov cx,0003
    int 15

--
Dustin Cook
Author of BugHunter - MalWare Removal Tool -V2.0
web: http://bughunter.it-mate.co.uk
email: bughunter.dustin(a)gmail.com.removethis
Last updated: January 4th, 2007