Pirated Windows 7 Builds Botnet with Trojan

[Satch]

Hi all

Why don't people EVER give PROPER info for this stuff

1) If MS knows that these are "Infected" - give the hashes for the "Infected" builds -- we've all got the hashes for the Official builds so it's easy to check.

2) Say WHAT BUILDS are infected. Microsoft has been burying its head like an Osterich in the sand even refusing to ACKNOWLEGE any builds other than the BETA 7000 and the official 7100 EVEN EXIST.

3) If this stuff has a botnet / trojan in it publish a method of detection -- some people will ALWAYS use stuff from "dubious" sources -- and in doing so can transmit stuff to software obtained Legitimately.
By just saying certain downloads might contain a Botnet etc without publishing methods of detection etc is just being PLAIN IRRESPONSIBLE.

Information such as saying "XXXX" might contain a virus / malware etc doesn't actually help ANYBODY and merely re-inforces the perception that they are just scaremongering.

If your build matches the Official one it WON'T contain anything it shouldn't.

Of course with the Official RC being easily (and quickly) available it really doesn't make any sense to download it from a torrent -- but that is a TOTALLY different issue.

Cheers
jimbo

I agree 100% mate. But this has allowed Night Hawk to get going again! Still waiting for him to explain the hashes thing. He can't, therefore that's why he hasn't tried.

 

[Plantje]

I agree 100% mate. But this has allowed Night Hawk to get going again! Still waiting for him to explain the hashes thing. He can't, therefore that's why he hasn't tried.

Just READ the posts! In post #17 I have included a link to hash calculators. Just download one of them, select the file you want to be checked and have the programm calculate the hash value.
This value should be the same as the value that is available as "safe".

How hard can it be?!?

 

[mxosder16]

Just READ the posts! In post #17 I have included a link to hash calculators. Just download one of them, select the file you want to be checked and have the programm calculate the hash value.
This value should be the same as the value that is available as "safe".

How hard can it be?!?

no no. Satch is referring to when Night Hawk was going on about some windows.old file and some russian stuff in it or something, which then led to him saying even if the hashes match up from a leaked build to a MS released build there can be a difference...
logic says there can't be a difference.
Satch is waiting for Night Hawk to prove logic wrong.
Correct me if i'm wrong Satch

edit: i don't want to be dragged into the whole Night Hawk/Satch thing.
i was just trying to clear up what i saw satch as saying

 

[Plantje]

no no. Satch is referring to when Night Hawk was going on about some windows.old file and some russian stuff in it or something, which then led to him saying even if the hashes match up from a leaked build to a MS released build there can be a difference...
logic says there can't be a difference.
Satch is waiting for Night Hawk to prove logic wrong.
Correct me if i'm wrong Satch

edit: i don't want to be dragged into the whole Night Hawk/Satch thing.
i was just trying to clear up what i saw satch as saying

Ok, sorry, my bad

 

[PhreePhly]

no no. Satch is referring to when Night Hawk was going on about some windows.old file and some russian stuff in it or something, which then led to him saying even if the hashes match up from a leaked build to a MS released build there can be a difference...
logic says there can't be a difference.
Satch is waiting for Night Hawk to prove logic wrong.
Correct me if i'm wrong Satch

To be fair, logically, there can be a difference, it's just astronomically difficult to do. I don't think Night Hawk has a great understanding of hashing functions, however, he's right to be concerned. Installing an already rootkitted OS is a great way to setup a botnet.

PhreePhly

 

[mxosder16]

To be fair, logically, there can be a difference

i know, maybe logically was a bad choice of word...but...

it's just astronomically difficult to do.

that's the point

 

[andych]

To be fair, logically, there can be a difference, it's just astronomically difficult to do. I don't think Night Hawk has a great understanding of hashing functions, however, he's right to be concerned. Installing an already rootkitted OS is a great way to setup a botnet.

PhreePhly

Maybe not as difficult as we might think.
Peter Selinger: MD5 Collision Demo

 

[holo88]

just asking here ... where is this # that determine legitimacy?
and how in the world would you know if your copy is infected?

-btw-
some people use torrent sites for thing like this (win 7 iso) for d/l speed.
i had my copy in 17 minutes, where as it would've taken 1-2 hours from M$ directly.

 

[PhreePhly]

Maybe not as difficult as we might think.
Peter Selinger: MD5 Collision Demo

From Software Integrity Checksum and Code Signing Vulnerability which is one of the exploits referenced from your reference:

Excerpt:
"It is important to note that the hash value shared by the two different files is a result of the collision construction process. We cannot target a given hash value, and produce a (meaningful) input bit string hashing to that given value. In cryptographic terms: our attack is an attack on collision resistance, not on preimage or second preimage resistance. This implies that both colliding files have to be specially prepared by the attacker, before they are published on a download site or presented for signing by a code signing scheme. Existing files with a known hash that have not been prepared in this way are not vulnerable."

Basically the MD5 exploit can create two files with the same hash, but it can't produce a file to match a given hash.

PhreePhly

 

[jimbo45]

Hi all
It CAN be done using modern cryptology methods
BUT you need these in place to be able to do it.

1) The ENTIRE computing resources of the planet at your disposal
2) A time period longer than the estimated remaining lifetime of the Sun (around 4.5 Billion years - but mankind will be extinct LONG LONG before that).

Once we get into the realms of "Quantum Computing" then it can be done quickly and easily --in fact any current encryption - even DES 128 bit stuff etc etc can be broken -- the problem is that nobody has built a Quantum computer yet that contain more than a few "Qubits" which have a "coherence" i.e lifetime of more than a few seconds.

As far as people on these Forums are concerned if the set of Hashes match then the image is 100% OK. No if's, no Buts. It's just a fact - unless you've found a way of circumventing the laws of Physics and Mathematics.

Cheers
jimbo

 

[andych]

From Software Integrity Checksum and Code Signing Vulnerability which is one of the exploits referenced from your reference:

Excerpt:
"It is important to note that the hash value shared by the two different files is a result of the collision construction process. We cannot target a given hash value, and produce a (meaningful) input bit string hashing to that given value. In cryptographic terms: our attack is an attack on collision resistance, not on preimage or second preimage resistance. This implies that both colliding files have to be specially prepared by the attacker, before they are published on a download site or presented for signing by a code signing scheme. Existing files with a known hash that have not been prepared in this way are not vulnerable."

Basically the MD5 exploit can create two files with the same hash, but it can't produce a file to match a given hash.

PhreePhly

Cleared that one up then.....lol

It did make for interesting reading.....and now my head hurts...

 

[darkassain]

and that is where SHA-1 comes into play....
my source is my own knowledge and one of my favorite podcasts...
security now (link)...
specifically episode 35 where he explains crypto hashes...
basically while md5 collisions may take place
SHA-1 collisions are next to impossible....
remember 2^63 is alot of numbers...
but like always we are talking about probability...
there is a very very very very very very small chance that the hash is collisional and that you can build from there...
but the chance is so small that you might as well give up...

there is a saying that amateurs go to cryptography and professionals goes into stats...

Hi all
It CAN be done using modern cryptology methods
BUT you need these in place to be able to do it.

1) The ENTIRE computing resources of the planet at your disposal
2) A time period longer than the estimated remaining lifetime of the Sun (around 4.5 Billion years - but mankind will be extinct LONG LONG before that).

Once we get into the realms of "Quantum Computing" then it can be done quickly and easily --in fact any current encryption - even DES 128 bit stuff etc etc can be broken -- the problem is that nobody has built a Quantum computer yet that contain more than a few "Qubits" which have a "coherence" i.e lifetime of more than a few seconds.

As far as people on these Forums are concerned if the set of Hashes match then the image is 100% OK. No if's, no Buts. It's just a fact - unless you've found a way of circumventing the laws of Physics and Mathematics.

Cheers
jimbo

im pretty sure you are talking about triple DES as a old plain DES key is only 56 bits long

 

[Win7User512]

This is ingenious. Much like that Conficker thing.

 

[holo88]

I have NO IDEA what you guys are babbling about
oh well.

i guess logically people who even suspect their version is infected should just go to M$ and get a new clean copy and reinstall. and hope to whichever divinity they believe in, that their precious information hasn't been stolen.

 

[darkassain]

I have NO IDEA what you guys are babbling about
oh well.

i guess logically people who even suspect their version is infected should just go to M$ and get a new clean copy and reinstall. and hope to whichever divinity they believe in, that their precious information hasn't been stolen.

just look at the link i gave and listen to that podcast Crypto Issues (30), Crypto 102 (31), Symmetric Block Ciphers (33), and Public Key Cryptography (34) finally ending up with Cryptographic Hashes (35)....
that will give a good basic understanding of crypto (i like to think of it more like a crash course..) and will not be too hard to follow as they have transcripts so can follow along with what they say...

 

[holo88]

wut?


lol.
guess im just tired, its 5am on my block.

 

[DrWho]

I'm with 'holo88'......wazzzzzzz Upppppp?

 

[Satch]

no no. Satch is referring to when Night Hawk was going on about some windows.old file and some russian stuff in it or something, which then led to him saying even if the hashes match up from a leaked build to a MS released build there can be a difference...
logic says there can't be a difference.
Satch is waiting for Night Hawk to prove logic wrong.
Correct me if i'm wrong Satch

edit: i don't want to be dragged into the whole Night Hawk/Satch thing.
i was just trying to clear up what i saw satch as saying

Yep, you are correct redsoxm16. And there is no Night Hawk/Satch thing! I've just simply asked a question (or proof) that I'm not getting a straight answer for.

Ok, sorry, my bad

No worries.