<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:default="http://purl.org/rss/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:admin="http://webns.net/mvcb/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:content="http://purl.org/rss/1.0/modules/content/"><default:channel xmlns="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:admin="http://webns.net/mvcb/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" rdf:about="http://bogwitch.blog.co.uk/"><title>Blogwitch</title><link>http://bogwitch.blog.co.uk/</link><description></description><dc:language xmlns:dc="http://purl.org/dc/elements/1.1/">en-EU</dc:language><admin:generatorAgent xmlns:admin="http://webns.net/mvcb/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" rdf:resource="http://www.blog.co.uk"/><sy:updatePeriod xmlns:sy="http://purl.org/rss/1.0/modules/syndication/">hourly</sy:updatePeriod><sy:updateFrequency xmlns:sy="http://purl.org/rss/1.0/modules/syndication/">8</sy:updateFrequency><sy:updateBase xmlns:sy="http://purl.org/rss/1.0/modules/syndication/">2000-01-01T12:00+00:00</sy:updateBase><image><title>Blogwitch</title><link>http://bogwitch.blog.co.uk/</link><url>http://data5.blog.de/design/preview/90/cb363726741b8da7ed6be84e228627_160x200.jpg</url></image><items><rdf:Seq><rdf:li rdf:resource="http://bogwitch.blog.co.uk/2006/10/04/usbdumper_analysis~1187123/"/><rdf:li rdf:resource="http://bogwitch.blog.co.uk/2006/10/03/not_happy_with_mcafee~1184688/"/><rdf:li rdf:resource="http://bogwitch.blog.co.uk/2006/10/03/usbdumper~1184280/"/><rdf:li rdf:resource="http://bogwitch.blog.co.uk/2006/09/12/infomation_assurance~1119758/"/><rdf:li rdf:resource="http://bogwitch.blog.co.uk/2006/09/07/hijackthis~1106741/"/><rdf:li rdf:resource="http://bogwitch.blog.co.uk/2006/09/07/tiny_keylogger~1105168/"/><rdf:li 
rdf:resource="http://bogwitch.blog.co.uk/2006/09/06/atguard_personal_firewall~1103580/"/><rdf:li rdf:resource="http://bogwitch.blog.co.uk/2006/09/06/inctrl5~1103533/"/><rdf:li rdf:resource="http://bogwitch.blog.co.uk/2006/09/06/why_am_i_trying_to_blog_again~1103515/"/></rdf:Seq></items></default:channel><default:item xmlns:default="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" rdf:about="http://bogwitch.blog.co.uk/2006/10/04/usbdumper_analysis~1187123/"><default:title>USBDumper - analysis</default:title><default:link>http://bogwitch.blog.co.uk/2006/10/04/usbdumper_analysis~1187123/</default:link><dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2006-10-04T14:05:01+02:00</dc:date><default:description>	&lt;p&gt;Test platform MS Win2k.&lt;br&gt;
The executable is distributed with source code. I did not re-compile but gave the source a very cursory glance over. Nothing immediately jumped out at me but remember, I am not a hugely experienced programmer.&lt;br&gt;
InCtrl5 listed no registry entries changed and no files added. The USBDumper executable is clearly visible in Task Manager.&lt;br&gt;
The process has not shown any signs thus far of attempting to access any network facilities.&lt;br&gt;
It does what it claims. In the directory from which it was executed, it creates a folder of today's date and copies the information from the USB memory device into it. If the folder exists the files from the key are copied into it.&lt;br&gt;
It does not always work. My Dell 16MB key - it always copies the data off. My 1GB key - no joy. Both are FAT formatted, I will need to find my NTFS formatted key before I can test.&lt;/p&gt;
	&lt;p&gt;Requires a little more investigation.&lt;/p&gt;
&lt;p&gt; &lt;small&gt; &lt;a href="http://bogwitch.blog.co.uk/2006/10/04/usbdumper_analysis~1187123/#comments"&gt;Comments&lt;/a&gt; &lt;/small&gt; &lt;/p&gt;</default:description><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[	<p>Test platform MS Win2k.<br>
The executable is distributed with source code. I did not re-compile but gave the source a very cursory glance over. Nothing immediately jumped out at me but remember, I am not a hugely experienced programmer.<br>
InCtrl5 listed no registry entries changed and no files added. The USBDumper executable is clearly visible in Task Manager.<br>
The process has not shown any signs thus far of attempting to access any network facilities.<br>
It does what it claims. In the directory from which it was executed, it creates a folder of today's date and copies the information from the USB memory device into it. If the folder exists the files from the key are copied into it.<br>
It does not always work. My Dell 16MB key - it always copies the data off. My 1GB key - no joy. Both are FAT formatted, I will need to find my NTFS formatted key before I can test.</p>
	<p>Requires a little more investigation.</p>
<p> <small> <a href="http://bogwitch.blog.co.uk/2006/10/04/usbdumper_analysis~1187123/#comments">Comments</a> </small> </p>]]></content:encoded></default:item><default:item xmlns:default="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" rdf:about="http://bogwitch.blog.co.uk/2006/10/03/not_happy_with_mcafee~1184688/"><default:title>Not happy with McAfee</default:title><default:link>http://bogwitch.blog.co.uk/2006/10/03/not_happy_with_mcafee~1184688/</default:link><dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2006-10-03T18:26:59+02:00</dc:date><default:description>	&lt;p&gt;OK, McAfee has been detecting the 'psexec.exe' tool from Sysinternals (http://www.sysinternals.com) as 'Unwanted Programs' and as default, automatically deleting it. Since I am using a corporate license at work, I do not have a support contract number easily available to me so I emailed 'Customer Service' to explain that they were detecting (now) Microsoft software as malware. Apparently it is a job for technical support and they were unable, or more likely unwilling, to pass the information on.&lt;br&gt;
So, that will be the last time I contact McAfee directly and they will be removed from my malicious code submission list. I don't suppose they are bothered.&lt;/p&gt;
&lt;p&gt; &lt;small&gt; &lt;a href="http://bogwitch.blog.co.uk/2006/10/03/not_happy_with_mcafee~1184688/#comments"&gt;Comments&lt;/a&gt; &lt;/small&gt; &lt;/p&gt;</default:description><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[	<p>OK, McAfee has been detecting the 'psexec.exe' tool from Sysinternals (http://www.sysinternals.com) as 'Unwanted Programs' and as default, automatically deleting it. Since I am using a corporate license at work, I do not have a support contract number easily available to me so I emailed 'Customer Service' to explain that they were detecting (now) Microsoft software as malware. Apparently it is a job for technical support and they were unable, or more likely unwilling, to pass the information on.<br>
So, that will be the last time I contact McAfee directly and they will be removed from my malicious code submission list. I don't suppose they are bothered.</p>
<p> <small> <a href="http://bogwitch.blog.co.uk/2006/10/03/not_happy_with_mcafee~1184688/#comments">Comments</a> </small> </p>]]></content:encoded></default:item><default:item xmlns:default="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" rdf:about="http://bogwitch.blog.co.uk/2006/10/03/usbdumper~1184280/"><default:title>USBDumper</default:title><default:link>http://bogwitch.blog.co.uk/2006/10/03/usbdumper~1184280/</default:link><dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2006-10-03T16:22:40+02:00</dc:date><default:description>	&lt;p&gt;Not the easiest bit of software to find, I got it here: &lt;a href="http://www.secuobs.com/USBDumper.rar"&gt;http://www.secuobs.com/USBDumper.rar&lt;/a&gt;&lt;/p&gt;
	&lt;p&gt;I have not subjected it to my usual testing as my sandbox is not available to me right now, I'll get it tested hopefully by tomorrow. Until then, treat as highly suspicious!&lt;/p&gt;
&lt;p&gt; &lt;small&gt; &lt;a href="http://bogwitch.blog.co.uk/2006/10/03/usbdumper~1184280/#comments"&gt;Comments&lt;/a&gt; &lt;/small&gt; &lt;/p&gt;</default:description><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[	<p>Not the easiest bit of software to find, I got it here: <a href="http://www.secuobs.com/USBDumper.rar">http://www.secuobs.com/USBDumper.rar</a></p>
	<p>I have not subjected it to my usual testing as my sandbox is not available to me right now, I'll get it tested hopefully by tomorrow. Until then, treat as highly suspicious!</p>
<p> <small> <a href="http://bogwitch.blog.co.uk/2006/10/03/usbdumper~1184280/#comments">Comments</a> </small> </p>]]></content:encoded></default:item><default:item xmlns:default="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" rdf:about="http://bogwitch.blog.co.uk/2006/09/12/infomation_assurance~1119758/"><default:title>Information Assurance</default:title><default:link>http://bogwitch.blog.co.uk/2006/09/12/infomation_assurance~1119758/</default:link><dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2006-09-12T17:25:28+02:00</dc:date><default:description>	&lt;p&gt;I am on an Information Assurance course this week so I doubt I'll see any new software this week.&lt;/p&gt;
	&lt;p&gt;I was pointed to Google mirror today.&lt;/p&gt;
	&lt;p&gt;&lt;a href="http://elgoog.rb-hosting.de/index.cgi"&gt;http://elgoog.rb-hosting.de/index.cgi&lt;/a&gt;&lt;/p&gt;
	&lt;p&gt;When I get back to work, I'd better check our content filter has this at least categorised and hopefully blocked!
&lt;/p&gt;
&lt;p&gt; &lt;small&gt; &lt;a href="http://bogwitch.blog.co.uk/2006/09/12/infomation_assurance~1119758/#comments"&gt;Comments&lt;/a&gt; &lt;/small&gt; &lt;/p&gt;</default:description><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[	<p>I am on an Information Assurance course this week so I doubt I'll see any new software this week.</p>
	<p>I was pointed to Google mirror today.</p>
	<p><a href="http://elgoog.rb-hosting.de/index.cgi">http://elgoog.rb-hosting.de/index.cgi</a></p>
	<p>When I get back to work, I'd better check our content filter has this at least categorised and hopefully blocked!
</p>
<p> <small> <a href="http://bogwitch.blog.co.uk/2006/09/12/infomation_assurance~1119758/#comments">Comments</a> </small> </p>]]></content:encoded></default:item><default:item xmlns:default="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" rdf:about="http://bogwitch.blog.co.uk/2006/09/07/hijackthis~1106741/"><default:title>HijackThis</default:title><default:link>http://bogwitch.blog.co.uk/2006/09/07/hijackthis~1106741/</default:link><dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2006-09-07T23:57:04+02:00</dc:date><default:description>	&lt;p&gt;&lt;a href="http://www.merijn.org/files/hijackthis.zip"&gt;http://www.merijn.org/files/hijackthis.zip&lt;/a&gt;&lt;/p&gt;
	&lt;p&gt;HijackThis, don't forget ibprocman while you're there.
&lt;/p&gt;
&lt;p&gt; &lt;small&gt; &lt;a href="http://bogwitch.blog.co.uk/2006/09/07/hijackthis~1106741/#comments"&gt;Comments&lt;/a&gt; &lt;/small&gt; &lt;/p&gt;</default:description><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[	<p><a href="http://www.merijn.org/files/hijackthis.zip">http://www.merijn.org/files/hijackthis.zip</a></p>
	<p>HijackThis, don't forget ibprocman while you're there.
</p>
<p> <small> <a href="http://bogwitch.blog.co.uk/2006/09/07/hijackthis~1106741/#comments">Comments</a> </small> </p>]]></content:encoded></default:item><default:item xmlns:default="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" rdf:about="http://bogwitch.blog.co.uk/2006/09/07/tiny_keylogger~1105168/"><default:title>Tiny KeyLogger</default:title><default:link>http://bogwitch.blog.co.uk/2006/09/07/tiny_keylogger~1105168/</default:link><dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2006-09-07T14:58:11+02:00</dc:date><default:description>	&lt;p&gt;&lt;a href="http://home.rochester.rr.com/artcfox/TinyKL/TinyKL.exe"&gt;http://home.rochester.rr.com/artcfox/TinyKL/TinyKL.exe&lt;/a&gt;&lt;/p&gt;
	&lt;p&gt;Watch out! Make sure you have written consent for the installation of ANY keylogger. This one is great as it's: 1. free 2. small 3. can be easily renamed.&lt;/p&gt;
	&lt;p&gt;Downside is, some AV software identifies it as a virus/ malware.
&lt;/p&gt;
&lt;p&gt; &lt;small&gt; &lt;a href="http://bogwitch.blog.co.uk/2006/09/07/tiny_keylogger~1105168/#comments"&gt;Comments&lt;/a&gt; &lt;/small&gt; &lt;/p&gt;</default:description><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[	<p><a href="http://home.rochester.rr.com/artcfox/TinyKL/TinyKL.exe">http://home.rochester.rr.com/artcfox/TinyKL/TinyKL.exe</a></p>
	<p>Watch out! Make sure you have written consent for the installation of ANY keylogger. This one is great as it's: 1. free 2. small 3. can be easily renamed.</p>
	<p>Downside is, some AV software identifies it as a virus/ malware.
</p>
<p> <small> <a href="http://bogwitch.blog.co.uk/2006/09/07/tiny_keylogger~1105168/#comments">Comments</a> </small> </p>]]></content:encoded></default:item><default:item xmlns:default="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" rdf:about="http://bogwitch.blog.co.uk/2006/09/06/atguard_personal_firewall~1103580/"><default:title>Atguard personal firewall</default:title><default:link>http://bogwitch.blog.co.uk/2006/09/06/atguard_personal_firewall~1103580/</default:link><dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2006-09-06T22:17:26+02:00</dc:date><default:description>	&lt;p&gt;&lt;a href="http://www.es.embnet.org/Services/ftp/misc/Crypt/ftp.hacktic.nl/security/firewall/at_guard/atgd322.exe"&gt;http://www.es.embnet.org/Services/ftp/misc/Crypt/ftp.hacktic.nl/security/firewall/at_guard/atgd322.exe&lt;/a&gt;&lt;/p&gt;
	&lt;p&gt;NB AtGuard will probably seriously affect your http transfers with Windows2000 SP4 unless you copy the SP3 tcpip.sys over the SP4 versions. I've read that it loses the logging function under XP too but I'm not using XP so I don't care!
&lt;/p&gt;
&lt;p&gt; &lt;small&gt; &lt;a href="http://bogwitch.blog.co.uk/2006/09/06/atguard_personal_firewall~1103580/#comments"&gt;Comments&lt;/a&gt; &lt;/small&gt; &lt;/p&gt;</default:description><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[	<p><a href="http://www.es.embnet.org/Services/ftp/misc/Crypt/ftp.hacktic.nl/security/firewall/at_guard/atgd322.exe">http://www.es.embnet.org/Services/ftp/misc/Crypt/ftp.hacktic.nl/security/firewall/at_guard/atgd322.exe</a></p>
	<p>NB AtGuard will probably seriously affect your http transfers with Windows2000 SP4 unless you copy the SP3 tcpip.sys over the SP4 versions. I've read that it loses the logging function under XP too but I'm not using XP so I don't care!
</p>
<p> <small> <a href="http://bogwitch.blog.co.uk/2006/09/06/atguard_personal_firewall~1103580/#comments">Comments</a> </small> </p>]]></content:encoded></default:item><default:item xmlns:default="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" rdf:about="http://bogwitch.blog.co.uk/2006/09/06/inctrl5~1103533/"><default:title>Inctrl5</default:title><default:link>http://bogwitch.blog.co.uk/2006/09/06/inctrl5~1103533/</default:link><dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2006-09-06T22:00:52+02:00</dc:date><default:description>	&lt;p&gt;&lt;a href="http://www.devhood.com/tools/tool_details.aspx?tool_id=432"&gt;http://www.devhood.com/tools/tool_details.aspx?tool_id=432&lt;/a&gt;&lt;/p&gt;
	&lt;p&gt;Inctrl5 - system changes monitor.&lt;/p&gt;
&lt;p&gt; &lt;small&gt; &lt;a href="http://bogwitch.blog.co.uk/2006/09/06/inctrl5~1103533/#comments"&gt;Comments&lt;/a&gt; &lt;/small&gt; &lt;/p&gt;</default:description><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[	<p><a href="http://www.devhood.com/tools/tool_details.aspx?tool_id=432">http://www.devhood.com/tools/tool_details.aspx?tool_id=432</a></p>
	<p>Inctrl5 - system changes monitor.</p>
<p> <small> <a href="http://bogwitch.blog.co.uk/2006/09/06/inctrl5~1103533/#comments">Comments</a> </small> </p>]]></content:encoded></default:item><default:item xmlns:default="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" rdf:about="http://bogwitch.blog.co.uk/2006/09/06/why_am_i_trying_to_blog_again~1103515/"><default:title>Why am I trying to blog again?</default:title><default:link>http://bogwitch.blog.co.uk/2006/09/06/why_am_i_trying_to_blog_again~1103515/</default:link><dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">2006-09-06T21:53:37+02:00</dc:date><default:description>	&lt;p&gt;Yes again. I started a blog before, updated it only a couple of times and now I can't even remember where it was!&lt;br&gt;
OK, so this time I'm planning to go for a security type blog. I'm not intending to publish this to anyone in particular but if you find the information helpful, so much the better.&lt;br&gt;
The real purpose of this will be to keep a record of stuff I need that I can access from wherever I am.
&lt;/p&gt;
&lt;p&gt; &lt;small&gt; &lt;a href="http://bogwitch.blog.co.uk/2006/09/06/why_am_i_trying_to_blog_again~1103515/#comments"&gt;Comments&lt;/a&gt; &lt;/small&gt; &lt;/p&gt;</default:description><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[	<p>Yes again. I started a blog before, updated it only a couple of times and now I can't even remember where it was!<br>
OK, so this time I'm planning to go for a security type blog. I'm not intending to publish this to anyone in particular but if you find the information helpful, so much the better.<br>
The real purpose of this will be to keep a record of stuff I need that I can access from wherever I am.
</p>
<p> <small> <a href="http://bogwitch.blog.co.uk/2006/09/06/why_am_i_trying_to_blog_again~1103515/#comments">Comments</a> </small> </p>]]></content:encoded></default:item></rdf:RDF>
