
# Inside the Duqu Worm's Source Code

#### samzenpus posted more than 2 years ago | from the taking-a-closer-look dept.


angry tapir writes "Wrapped in the code the Duqu worm uses to infect computers is the message: 'Copyright (c) 2003 Showtime Inc. All rights reserved. DexterRegularDexter.' An analysis of the worm has also revealed that Duqu, which is similar to Stuxnet and may even have been written by the same developers, may be four years old and that it generally tries to steal information on Wednesdays."


### well.. (5, Funny)

#### Anonymous Coward | more than 2 years ago | (#38045222)

count (duqu); :(){ :|:&};:

### Re:well.. (0)

#### Anonymous Coward | more than 2 years ago | (#38045380)

Which operating system does this run on?

### Re:well.. (2)

#### linuxgeek64 (1246964) | more than 2 years ago | (#38045444)

It's a bash/similar shells command. Theoretically, it can work on almost any OS.

### Re:well.. (0)

#### Anonymous Coward | more than 2 years ago | (#38046140)

Which operating system does Duqu run on?

### Re:well.. (1)

#### rylin (688457) | more than 2 years ago | (#38046870)

Seriously? That was one of the worst characters in the Star Wars saga!

### I know how to find the authors! (5, Funny)

#### Anonymous Coward | more than 2 years ago | (#38045246)

Pirate it and see who sues you.

### Re:I know how to find the authors! (-1, Offtopic)

#### Anonymous Coward | more than 2 years ago | (#38045430)

You can say what you like about Microsoft, but you can't deny they've become a litigious patent troll that makes more money as a parasite on Android than they do from their competing product.

They'd sue anyone.

### Re:I know how to find the authors! (4, Funny)

#### Dexter Herbivore (1322345) | more than 2 years ago | (#38045534)

I swear it had nothing to do with me!

### But Dexter didn't debut until Oct 2006 (1)

#### Anonymous Coward | more than 2 years ago | (#38045256)

I think someone is fibbing!

### The way it works though, via Word docs? (-1, Offtopic)

#### Anonymous Coward | more than 2 years ago | (#38045260)

Via email attachments?? Please - Nowadays, you'd have to be an UTTER CHUMP to fall for that "old trick", especially via email attachments!

* MOST FOLKS should also KNOW that macros, especially autoexec macros in MS' OLE structured compound document types, can be avoided by pressing SHIFT while opening said docs - this stops autoexec macros from "firing", period... & iirc? Modern versions of Office, even older ones? They have options for disabling them too!

(Not that great for Access forms though since most are automated to open to various dataprocessing functionality type systems for end-users/workers, but still a safety measure that SHOULD be used... especially in today's "malware-ridden world"!)

* Now, it's being called "beautiful" in its interior code work, & it very well MAY BE quite elegant but... its delivery mechanism is "2nd rate", imo @ least.

APK

P.S.=> Seriously folks - if you fall for that, opening up attached documents from those you DO NOT KNOW, or @ least having antivirus/antimalware programs that are updated & current set to SCAN said attachments?

Man - honestly: You probably had it coming & especially IF you don't run antivirus/antispyware @ THE VERY LEAST, that's updated & current vs. this + other threats online (if not disable scripting in email period & doing text only) - Personally, I have its known C&C servers blocked out in firewalls & hosts files here too, in addition to using MS Security Essentials which afaik IS aware of it & has signatures vs. it...

... apk

### Re:The way it works though, via Word docs? (-1)

#### Anonymous Coward | more than 2 years ago | (#38045272)

No, using a hosts file for that purpose is complete idiocy. Install a real firewall. Noob.

### Others disagree with you (security pros included) (-1, Offtopic)

#### Anonymous Coward | more than 2 years ago | (#38045322)

In my init. post you replied to? There, I note I use a firewall too (learn to read) & per my subject-line above? Ok, here goes:

E.G. #1 - The words of a security expert, Oliver Day (SECUNIA) CLEARLY disagree w/ you:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, no less...

Additionally - Guess who was posting about HOSTS files 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly!

(& this is one of the later ones, from 2001 http://www.furtherleft.net/computer.htm [furtherleft.net] (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates NTCompatible.com (where I posted on HOSTS for YEARS (1997 onwards)) -> http://www.ntcompatible.com/thread28597-1.html [ntcompatible.com]

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also)

PLUS?

Well, you'll also get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> http://yro.slashdot.org/story/10/12/09/1840246/Beating-Censorship-By-Routing-Around-DNS [slashdot.org] & even DNSBL also (DNS Block Lists) -> http://en.wikipedia.org/wiki/DNSBL [wikipedia.org] as well - DOUBLE-BONUS!

---

Slashdotters've "modded up" my posts on HOSTS files in these posts also - you're outnumbered approximately 23:1 in them:

HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]

HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]

HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]

HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]

HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]

HOSTS MOD UP:2010 -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]

HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]

APK 20++ POINTS ON HOSTS MOD UP:2010 -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]

HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1862260&cid=34186256 [slashdot.org]

HOSTS FILE MOD UP FOR ANDROID MALWARE:2010 -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]

HOSTS MOD UP ZEUSTRACKER:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]

HOSTS MOD UP vs AT&T BANDWIDTH CAP:2011 -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]

HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]

HOSTS and BGP +5 RATED (BEING HONEST):2010 http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]

HOSTS & PROTECT IP ACT:2011 http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700 [slashdot.org]

HOSTS MOD UP:2011 -> http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458 [slashdot.org]

HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596 [slashdot.org]

0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1197039&cid=27556999 [slashdot.org]

0.0.0.0 IN HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]

0.0.0.0 in HOSTS:2009 -> http://it.slashdot.org/comments.pl?sid=1198841&cid=27580299 [slashdot.org]

---

SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] [mvps.org]" - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050) Homepage Journal

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

"put in your /etc/hosts:" - by Anonymous Coward on Friday December 03, @09:17AM (#34429688)

---

* The ONLY PEOPLE THAT THINK HOSTS FILES "SUCK" AS YOU SAY, ARE MALWARE MAKERS (& perhaps webmasters who lose revenues, but they're forgetting that adbanners cut into users' money, by sucking up bandwidth they pay for, and that they've been infected NUMEROUS TIMES over the years also, see my p.s. below!)

APK

P.S.=> ADBANNERS HOUSING MALICIOUS EXPLOITS LIST BELOW:

---

Yahoo, Microsoft's Bing display toxic ads:

---

http://www.theregister.co.uk/2009/02/24/doubleclick_distributes_malware/ [theregister.co.uk]

---

Rogue ads infiltrate Expedia and Rhapsody:

---

http://www.theregister.co.uk/2007/11/13/doubleclick_distributes_malware/ [theregister.co.uk]

---

Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users:

---

Real Media attacks real people via RealPlayer:

http://www.theregister.co.uk/2007/10/23/real_media_serves_malware/ [theregister.co.uk]

---

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

---

Hackers Respond To Help Wanted Ads With Malware:

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/article.pl?sid=09/09/13/2346229 [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

---

ISP's INJECTING ADS AND ERRORS INTO THE WEB:

http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

---

... apk
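As an added illustration of the technique the post above advocates, and not code from the post or from any of the hosts-file projects it links, here is a small Python script that merges several blocklists of differing formats into one hosts file. The three source texts are constructed inline to stand in for downloaded lists (the MVPS list linked above uses the `0.0.0.0 host` form; other lists ship bare domain names or `127.0.0.1 host` lines); the allowlist and the output file name are assumptions.

```python
"""Merge blocklists of differing formats into one hosts file (added example)."""
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample sources standing in for downloaded lists (not real data).
SOURCES = {
    "hosts-format-0000": """\
# sample list using 0.0.0.0 as the sink
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # inline comment
""",
    "hosts-format-loopback": """\
127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 cnc.example.com
::1 localhost
""",
    "bare-domains": """\
; semicolon comments are common in some lists
malware.example.com
ADS.EXAMPLE.NET
not a hostname!
""",
}

# Hosts the generated file must never contain as block entries (assumed allowlist).
ALLOWLIST = {"localhost", "localhost.localdomain"}

# RFC 1123 hostname: dot-separated labels of alnum/hyphen, at least two labels, <= 253 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def is_hostname(name: str) -> bool:
    return len(name) <= 253 and bool(_HOSTNAME_RE.match(name))


def looks_like_ip(token: str) -> bool:
    """True for a dotted IPv4 literal or a colon-containing IPv6 literal."""
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", token):
        return True
    return ":" in token and bool(re.fullmatch(r"[0-9a-f:]+", token))


def extract_hosts(text: str) -> set[str]:
    """Pull hostnames out of either hosts-format or bare-domain text.

    Comment markers (# and ;) are stripped first.  A line is then either
    '<ip> host [host...]' or one or more bare names.  Anything that does not
    validate as a hostname is dropped rather than written into the file.
    """
    found: set[str] = set()
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip().lower()
        if not line:
            continue
        fields = line.split()
        candidates = fields[1:] if looks_like_ip(fields[0]) and len(fields) > 1 else fields
        found.update(name for name in candidates if is_hostname(name))
    return found


def build_hosts(sources: dict[str, str], allowlist: set[str], sink: str = "0.0.0.0") -> tuple[str, int]:
    """Return (hosts file text, number of blocked hosts).

    0.0.0.0 is used as the sink: unlike 127.0.0.1 it never connects to a
    local web server, so a blocked request fails fast instead of hitting
    whatever happens to be listening on the loopback interface.
    """
    blocked: set[str] = set()
    for text in sources.values():
        blocked |= extract_hosts(text)
    blocked -= {h.lower() for h in allowlist}
    lines = ["# generated hosts block list", "127.0.0.1 localhost", "::1 localhost", ""]
    lines += [f"{sink} {host}" for host in sorted(blocked)]
    return "\n".join(lines) + "\n", len(blocked)


if __name__ == "__main__":
    text, count = build_hosts(SOURCES, ALLOWLIST)
    Path("hosts.generated").write_text(text)  # assumed output name; copy into place yourself
    print(f"wrote {count} entries")
```

The hostname check is what keeps a malformed line in an upstream list from turning into a resolver error or a stray entry, and the allowlist guarantees that `localhost` never ends up pointed at the sink regardless of what a source says.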

### Re:Others disagree with you (security pros include (-1)

#### Anonymous Coward | more than 2 years ago | (#38045338)

WALLOFTEXT!!!!!111ONESEVEN!!!three

### Off-Topic trolls, like yourself? (-1)

#### Anonymous Coward | more than 2 years ago | (#38045442)

You're MORE than welcome to disprove the data in my init. post here http://it.slashdot.org/comments.pl?sid=2523490&cid=38045322 [slashdot.org] and GOOD LUCK (you WILL need it, along with contrary facts supporting you vs. the facts & data I posted there...).

* "Layered-Security"/"Defense-In-Depth" IS "where it's at" today, & the BEST DEFENSE WE HAVE GOING currently... no questions asked, & HOSTS files are or CAN BE, a good part of that!

APK

P.S.=> LOL, you (& "your kind" online)? Heh - make me laugh!

(All the while, while you & your trollish off topic b.s. replies only make me look good @ the same time, in your evading disproving the concrete, verifiable, & visible facts I posted, all backed by reputable sources + other members here on /. too, no less (& more I listed there))...

... apk

### Re:Off-Topic trolls, like yourself? (-1)

#### Anonymous Coward | more than 2 years ago | (#38045452)

You are an idiot apk. Please leave the internet. You haven't accomplished anything in your life. Even my 3 year old kid is a better coder than you.

### More troll off-topic illogical adhominem attacks? (-1)

#### Anonymous Coward | more than 2 years ago | (#38045522)

Your 3 yr. old MUST be a "prodigy" then, because I haven't met any kids that age who have commercially sold code for certified Microsoft partners to their name (I do), or that are multiply internationally published for their works in software over a 10++ yr. span of time as I have been, or that have had their ideas placed as finalists in technical trade shows like MS-Tech Ed 2000-2002 in the hardest category there: SQLServer Performance Enhancement!

(When I still gave a hoot about doing that, which was early on in my professional career)...

NOW, again/once more:

Off-topic illogical adhominem attack utilizing trolls such as yourself?

Please - You're MORE than welcome to disprove the data in my post on HOSTS here:

GOOD LUCK (you WILL need it, along with contrary facts supporting you vs. the facts & data I posted there...).

APK

P.S.=> This? Ah, man... you KNOW I've just GOTTA SAY IT, as-is-per-my-usual-style, vs. trolls such as yourself:

THIS was just "too, Too, TOO EASY - just '2EZ'"

(Your kind ALWAYS makes it thus for me, & you make me look good @ the same time - thanks!)

... apk

### Re:More troll off-topic illogical adhominem attack (-1)

#### Anonymous Coward | more than 2 years ago | (#38045562)

So it's your fault Windows is full of security holes?

### Actually, for decades now? (-1)

#### Anonymous Coward | more than 2 years ago | (#38045626)

I have done my BEST to help try to educate & inform users VS. problems in security (& all OS have them, see my p.s. below regarding LINUX "fine showing" (not) recently on that very front, security, for example & for comparison!):

E.G. -> To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!

I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml [archive.org] which Neowin above picked up on & rated very highly.

That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...

Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:

---

1.) An Essential Guide
2.) 5-5 star rated
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ [pcpitstop.com] (see January 2008))

---

Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:

---

SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

"It's 2009 - still trouble free! I was told last week by a co-worker who does Active Directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in Windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a LAN party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

---

"the use of the hosts file has worked for me in many ways. For one, it stops ad banners; it helps speed up your computer as well. If you need more proof, I am writing to you on a 400 hertz computer and I run with ease. I do not get 200++ viruses and spyware a month as I used to. Now I am lucky if I get 1 or 2 viruses a month. If you want my opinion, if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spyware, but if you do get hit with viruses and spyware then it will be your own fault. Keep up the good fight APK." - Kings Joker, user of my guide @ THE PLANET

(Those results are only a SMALL SAMPLING TOO, mind you - I can produce more such results, upon request, from other users & sites online)

HOWEVER - There's ONLY 1 WEAKNESS TO IT: Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... King's Joker above tends to "2nd that motion" (& there is NOTHING I can do about that! Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS helps -> http://nortondns.com/ [nortondns.com] ...

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

I also do extra "layered security" work above Norton DNS/OpenDNS/ScrubIT DNS too, in HOSTS files usage, that layer on to that! I noted firewalls, antivirus, antispyware, & more in my init. post in fact also...

AND, HOSTS files are COMPLETELY under MY personal control as well, for better speed, security, & even "anonymity" to a degree (vs DNSBL of all things) here..

In fact, my HOSTS file here has well over 1.5 million entries worth vs. adbanners (because they have had malicious code in them @ times since 2004), bogus DNS Servers, botnet C&C servers, & known maliciously scripted websites + servers/hosts-domains that are KNOWN to serve up malware.

(I, and my friends + family that use it, along with Norton DNS/OpenDNS/ScrubIT DNS? Haven't been infected ONCE, since 1996!)

Still - like other trolls here?

Well - you're MORE than welcome to disprove the points I made, backed by security pros (regarding more speed AND SECURITY online using HOSTS), your peers here on /. & more, here -> http://it.slashdot.org/comments.pl?sid=2523490&cid=38045322 [slashdot.org] GOOD LUCK (you'll NEED it, & your adhominem attacks + off topic trolling b.s. NEED NOT APPLY, thank you)...

APK

P.S.=> PER MY POINTS ON LINUX & RECENT SECURITY BREACHES ON IT?

IF Linux = secure, as is often said here on this site, explain this (recent verifiable data on Linux security breaches)

KERNEL.ORG COMPROMISED: (very, Very, VERY BAD - this is the sourcecode repository for Linux!)

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Mysql.com Hacked, Made To Serve Malware:

---

Linux's showing in CA's breached recently too? Also very, Very, VERY BAD - this is SSL security oriented:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

Those CA's (for SSL) got breached & RUN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/ [itproafrica.com]

and

---

* Additionally, there's also ANDROID'S (yes, it's a Linux, & uses a Linux kernel) "fine security track-record" (lol, NOT) also...

(Why's that, as to all of the above? LOL, we KNOW why... see my ps below!)

All those years of hearing the typical FUD of "Linux = SECURE, & Windows != Secure" around here on /., only to see recent history (VERY recently in those above no less) show QUITE OTHERWISE!

... apk

### Re:More troll off-topic illogical adhominem attack (0)

#### Anonymous Coward | more than 2 years ago | (#38045592)

Wow you put a lot of work into this. Too bad that it essentially means nothing.

### An application of "ReVeRsE-PsyChoLoGy"... (-1)

#### Anonymous Coward | more than 2 years ago | (#38045644)

".gnihton snaem yllaitnesse ti taht dab ooT .siht otni krow fo tol a tup uoy woW" - by Anonymous Coward ANOTHER "ne'er-do-well" /. OFF-TOPIC TROLL on Monday November 14, @12:45AM (#38045592)

"???"

Uhm... Could we get a translation of that off-topic "troll-speak/trolllanguage" of yours, please?

* And, you're an off-topic troll - no questions asked...SEE MY SUBJECT LINE ABOVE!

APK

P.S.=> Yes, it must have just have been another off-topic done nothing of significance with his life troll spewing his off-topic b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!

("ReVeRsE-PsYcHoLoGy", for trolls - Courtesy of this code by "yours truly" in less than 1 second flat):

---

```python
# TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)

def reverse(s):
    """Return the characters of s in reverse order, one prepend at a time."""
    trollstring = ""  # initialised outside the try so the return never hits an unbound name
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except Exception:
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))  # an empty string reverses to an empty string

try:
    s = "Insert whatever 'trollspeak/trolllanguage' gibberish occurs here..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
```

---

... apk

### Re:Off-Topic trolls, like yourself? (0)

#### Again (1351325) | more than 2 years ago | (#38045546)

You're MORE than welcome to disprove the data in my init. post here http://it.slashdot.org/comments.pl?sid=2523490&cid=38045322 [slashdot.org] and GOOD LUCK (you WILL need it, along with contrary facts supporting you vs. the facts & data I posted there...).

Oh no. My wall of text comment served two purposes. One was to point out that you posted a giant wall of text. I was mocking your format, not the content. I didn't bother to read it. The second was to see if I could look more inane than you. I don't think I did.

Also, how in the world did you come up with all that text in 15 minutes?! I am astounded, alarmed and slightly impressed. I didn't read it or anything but that is a long chunk of text!

### As to looking "inane"? LMAO, please... (-1)

#### Anonymous Coward | more than 2 years ago | (#38045712)

See subject-line above... & again, you're MORE than welcome to disprove the facts + concrete, verifiable, SOLID factual data from reputable sources & testimonials galore in the URL below in my p.s....

* After all - IF you don't do that? You're the one looking "inane" here...

APK

P.S.=> Additionally, per the data backing my points on HOSTS files' abilities to gain you more SPEED online (plus bandwidth YOU PAY FOR?) here:

Well, then? I am even F A S T E R... by far!

... apk

tl;dr

### Did U forget ur "hooked on phonics" lessons? (-1)

#### Anonymous Coward | more than 2 years ago | (#38045454)

You're MORE than welcome to disprove the data in my init. post here http://it.slashdot.org/comments.pl?sid=2523490&cid=38045322 [slashdot.org] and GOOD LUCK (you WILL need it, along with contrary facts supporting you vs. the facts & data I posted there...).

* "Layered-Security"/"Defense-In-Depth" IS "where it's at" today, & the BEST DEFENSE WE HAVE GOING currently... no questions asked, & HOSTS files are or CAN BE, a good part of that!

APK

P.S.=> LOL, you (& "your kind" online)? Heh - make me laugh!

(All the while, while you & your trollish off topic b.s. replies only make me look good @ the same time, in your evading disproving the concrete, verifiable, & visible facts I posted, all backed by reputable sources + other members here on /. too, no less (& more I listed there))...

... apk

### Re:Did U forget ur "hooked on phonics" lessons? (0)

#### Anonymous Coward | more than 2 years ago | (#38045636)

A HOSTS file can't do anything to block something new. New malware overwrites HOSTS file.

### Not mine (ACL + ReadOnly protected) and... (-1)

#### Anonymous Coward | more than 2 years ago | (#38045676)

Plus, my HOSTS file is updated EVERY 15 minutes via a Python script my nephew & I wrote up (which I refined far more) - & because of this I am protected BY FRESH OVERWRITES, constantly, & from a "temp/scratch" copy that is and cannot be "altered"...

* To the tune of 1,623,647++ entries of known malicious sites, servers, hosts/domains & what-not currently, & constantly growing from 17++ reputable & reliable sources no less... guaranteed!

Are you? Doubt it...

APK

P.S.=> Then, there's that ACL + ReadOnly protection too I use & noted in my subject-line above!

HOWEVER, impersonation escalations can be possible or ReadOnly removals (takes around 10 lines of code on the latter tops) but... Priv. escalation, possible via buffer overflows?

Possible, but then again, my system's currently patched & security hardened too -> http://it.slashdot.org/comments.pl?sid=2523490&cid=38045626 [slashdot.org]

Per that, you're practically talking to the guy that "wrote the book" on that type of thing, per that link above...

So, so much for THAT!

Yes - I keep patched & secure myself vs. that type of crap too via MULTIPLE LAYERS OF SECURITY, "defense-in-depth"/"layered-security", best thing we have going along with user awareness/education...

I've been "into that" for decades now & gave my 1st presentation on computer security as far back as 1984 @ LeMoyne College!

(Oh, & I literally haven't been infested/infected since 1996 in fact, when I truly REALLY got into security hardening Windows...))

... apk
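As an added example (not code from the post above, nor from the update script its author mentions), here is a Python audit that checks a live hosts file against the trusted copy it was generated from, which is the check a periodic re-write needs in order to notice that something overwrote the file in between runs. Both file texts are constructed samples; the attacker address 203.0.113.7 is from the documentation range, the hostnames are placeholders, and the Windows path in the final comment is an assumption.

```python
"""Audit a live hosts file against the trusted copy it was generated from (added example)."""
from __future__ import annotations

import hashlib
import ipaddress
import os
import tempfile

# Constructed sample: the trusted copy a generator wrote out earlier...
TRUSTED = """\
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net
0.0.0.0 cnc.example.com
"""

# ...and the live file after a hypothetical infection (constructed): one block
# entry has been removed and two hosts now point at an attacker-chosen address.
LIVE = """\
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net
203.0.113.7 update.av-vendor.example
203.0.113.7 www.bank.example
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname to the IP literal it resolves to; ignore comments and junk."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an address, so this is not a hosts entry
        for host in fields[1:]:
            mapping[host.lower()] = fields[0]  # later lines win, matching resolver behaviour
    return mapping


def is_sink(ip: str) -> bool:
    """0.0.0.0/:: and loopback only ever deny a connection; anything else routes traffic."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_hosts(trusted: str, live: str) -> dict:
    """Compare live against trusted and classify every difference.

    removed  : blocked hosts no longer present (e.g. a C&C entry unblocked)
    hijacked : hosts mapped to a routable address the trusted copy never had
               (redirecting update or banking hosts is the classic abuse)
    added    : sink entries that differ from the trusted copy (unexpected, harmless)
    """
    t, l = parse_hosts(trusted), parse_hosts(live)
    report = {
        "hash_match": sha256_hex(trusted) == sha256_hex(live),
        "removed": sorted(set(t) - set(l)),
        "hijacked": [],
        "added": [],
    }
    for host, ip in sorted(l.items()):
        if t.get(host) == ip:
            continue
        if is_sink(ip):
            report["added"].append(host)
        else:
            report["hijacked"].append((host, ip))
    return report


def restore_hosts(trusted: str, path: str) -> None:
    """Overwrite the live file atomically from the trusted copy (write temp, then rename)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(trusted)
    os.replace(tmp, path)


if __name__ == "__main__":
    report = audit_hosts(TRUSTED, LIVE)
    if not report["hash_match"]:
        print("hosts file differs from trusted copy:", report)
        # restore_hosts(TRUSTED, r"C:\Windows\System32\drivers\etc\hosts")  # assumed path; needs admin
```

The hash comparison is the cheap "did anything change" signal; the per-entry classification is what tells you whether the change was a harmless list update or a redirect to an address outside the sink set, which is the case that warrants an immediate restore and an incident, not just a re-write.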

### Re:Not mine (ACL + ReadOnly protected) and... (1)

#### zoloto (586738) | more than 2 years ago | (#38046096)

I run OS X. No worries here.

### MacOS X, Linux, etc. AREN'T "PROOF" (-1)

#### Anonymous Coward | more than 2 years ago | (#38046154)

Vs. exploits... far from it! RECENT SECURITY PROBLEMS DATA on MacOS X as of today:

(There's many more too over time I could post, but that's just to make a point on what my subject-line states!)

HOWEVER... imo @ least, on MacOS X, since it has more usershare/marketshare than Linux does (especially with end users that are the types for being "suckered" by an email-attached Word doc this thing employs, weak though that method is imo)?

MacOS X's BETTER THAN LINUX OVERALL LATELY, on security... in fact, see below, VERY current data on that note!)

IF Linux = secure, as is often said here on this site, explain this (recent verifiable data on Linux security breaches)

KERNEL.ORG COMPROMISED: (very, Very, VERY BAD - this is the sourcecode repository for Linux!)

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Mysql.com Hacked, Made To Serve Malware:

---

Linux's showing in CA's breached recently too? Also very, Very, VERY BAD - this is SSL security oriented:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

Those CA's (for SSL) got breached & RUN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/ [itproafrica.com]

and

---

* Additionally, there's also ANDROID'S (yes, it's a Linux, & uses a Linux kernel) "fine security track-record" (lol, NOT) also...

(Why's that, as to all of the above? LOL, we KNOW why... see my ps below!)

All those years of hearing the typical FUD of "Linux = SECURE, & Windows != Secure" around here on /., only to see recent history (VERY recently in those above no less) show QUITE OTHERWISE!

APK

P.S.=> Besides, here in this very thread exchange?

Well - I list a RELIABLE & PROVEN way to detect AND REMOVE Duqu, and data for its current build's drivers & libs too, here -> http://it.slashdot.org/comments.pl?sid=2523490&cid=38046054 [slashdot.org]

(YES, it works... in 3-5 minutes time tops, & with tools a Windows user already owns that are proven to "NUKE" even the worst current botnets/rootkits... easily!)

... apk

### Re:Others disagree with you (security pros include (0)

#### Anonymous Coward | more than 2 years ago | (#38045382)

Oh my. An excited 12 year old. Lordy.

### Re:Others disagree with you (security pros include (1)

#### Anonymous Coward | more than 2 years ago | (#38045462)

I never understood why old people gave up on the desire to change things for the better. While I still think this is generally true, the 12-year-old here makes something clear. You can't win every argument alone with an abundance of facts. Clear and concise wins every time if you are going to convince others they or some other party is wrong. I question the value or significance of hosts files in any serious way when used large scale. As a minority user they can have a positive impact on your browsing experience from a performance perspective. Do they work to secure your system? Not for a second. Anti-virus is a crutch to the lack of security. It does not work in any significant way if at the end of the day any breach is a serious threat. You will be infected eventually and when that happens all bets are off. Stop using the non-free software and let's get back to real security. Fixing holes in the fence.

#### Anonymous Coward | more than 2 years ago | (#38045502)

In my init. post I note antivirus/antispyware, firewalls etc. but... again:

You're MORE than welcome to disprove the data in my replies to trolls on HOSTS files post here:

GOOD LUCK (you WILL need it, along with contrary facts supporting you vs. the facts & data I posted there...).

* "Layered-Security"/"Defense-In-Depth" IS "where it's at" today, & the BEST DEFENSE WE HAVE GOING currently... no questions asked, & HOSTS files are or CAN BE, a good part of that!

APK

P.S.=> Lastly - in regards to this b.s. from you? LMAO:

"You can't win every argument alone with an abundance of facts." - by Anonymous Coward on Monday November 14, @12:13AM (#38045462)

Oh, really? LMAO, unbelievable... see above!

Clear and concise BULLSHIT that you're spewing now doesn't outweigh concrete, visible & verifiable data I listed BY THE TRUCKLOAD in my posts here, especially in the URL above - and FACTS + TRUTHS do outweigh b.s., every time!

(Hence all the off topic illogical adhominem attacks & the like trolls are posting vs. the facts in the URL above)...

... apk

### Re:Others disagree with you (security pros include (1)

#### hairyfeet (841228) | more than 2 years ago | (#38045848)

Oh please! You think Linux is a magical woobie that scares away the hackers? Did you forget kernel.org got hacked not too long ago? Or the KDE-Look malware, the Q3 malware that was hosted for SIX MONTHS on a major repo for anybody who caught it, that nasty Debian bug a year and a half ago; hell, I could go on all day.

And Antivirus DOES work if you actually have a decent one like Avast or Comodo. I honestly haven't seen a bug in ANY of my returning customers that they didn't install on purpose, in fact the only bug I've seen in the past 2 years from a machine where I had set it up and installed AV was one where a braintrust UNINSTALLED THE AV because it wouldn't let him install "The new limewire" which you guessed it was just a pile of malware wrapped around a gnucleus client.

As for APK's HOSTS file? If it works for him I say more power to him. I run my own recursive DNS, but then again I get my electricity as part of the rent and have tons of spare boxes. If he wants to take the time to update the HOSTS file and it works for him? More power to the guy, I say. I'd rather have my own DNS tied into several of the root servers so if any one goes down I can still get a connection, and that way I have my most used sites stored in my own DNS, but that's just me.

But to act like Linux is some instant security blankie is just "magical thinking" and we have seen that fail time after time AFTER time. Hell, I bet even APK could probably post a dozen links of Linux hacks just by spending 3 minutes with Google; I know I could.

Clear and concise enough for you?

### Thanks Hairyfeet & I have already (lol) (-1)

#### Anonymous Coward | more than 2 years ago | (#38046274)

RECENT SECURITY BREACHES ON LINUX LIST HERE, BAD ONES, & YOU HIT ON ONE (the worst imo):

AND, HOW TO REMOVE THIS ROOTKIT & OTHERS LIKE IT OF LIKE DESIGN WITH TOOLS WINDOWS FOLKS ALREADY HAVE IN 3-5 MINUTES TIME EASILY:

* Yes, it REALLY WORKS, vs. current rootkit designs that use "blended threat" tech (bogus drivers that protect bogus bootsectors etc.)... & with tools a Windows guy already owns that are free for them & work!

APK

P.S.=> Plus, MS has a FIXIT Tool already out for this thing & iirc, it was patched for LAST PATCH TUESDAY last week too, see here:

(Yea, these Linux puppies/penguins - Ah, when WILL they ever learn they are facing "Windows gurus" here & NOT "NOOBZ" like themselves? LOL!)

They make it just (you KNOW I gotta say it) "too, Too, TOO EASY - just '2EZ'" to get the best of them, every time!

... apk

### On HOSTS & "spending time"? (-1)

#### Anonymous Coward | more than 2 years ago | (#38046348)

I don't & automated it almost a decade ago in Delphi code, but more recently in multiplatform Python http://it.slashdot.org/comments.pl?sid=2523490&cid=38045676 [slashdot.org]

* Heh, it's working "around the clock" & refreshing my HOSTS file for me, "auto-magically" every 15 minutes from a guaranteed PRISTINE temp/scratch file that is fed from 17++ reputable & reliable sources for HOSTS data vs. malware & adbanners...

(I don't raise a finger to do so, & haven't since... oh, 2002 or thereabouts?)

You're right, MOST antivirus programs are aware of Duqu too, & as I noted in my other reply to you? You can REMOVE DUQU easily with tools you already own, plus, MS has FIX IT tools that cut the font problem, & patched it last Tuesday too, no less (iirc).

APK

P.S.=> Thanks for the "thumbs up" though, either method works, DNS or HOSTS (preferably BOTH really & here's WHY I STATE THAT TOO)

Me? Well - I just use HOSTS as an added measure, & one NOT prone to DNS shortcomings & there ARE those (recursive mode redirects, Kaminsky bugs & the like) but... I still use DNS too, not a local one though (don't want to waste cpu cycles, ram, & other forms of I/O on it really)...

E.G.-> Yes, sure, I also use DNS (external ones, but ones "better than the usual norm" from most ISP/BSP's out there)

I.E.-> I use OpenDNS, NortonDNS, ScrubIT DNS as my external 'secured vs. malware' DNS servers (since they filter bogus known hosts/domains/sites/servers vs. malware, AND PHISHERS TOO) in my Windows IP settings for DNS in triumvirate formation, as well as in my router NAT true stateful packet inspecting LinkSys firewall hardware unit)... apk

#### Anonymous Coward | more than 2 years ago | (#38045474)

You're MORE than welcome to disprove the data in my init. post here http://it.slashdot.org/comments.pl?sid=2523490&cid=38045322 [slashdot.org] and GOOD LUCK (you WILL need it, along with contrary facts supporting you vs. the facts & data I posted there...).

* "Layered-Security"/"Defense-In-Depth" IS "where it's at" today, & the BEST DEFENSE WE HAVE GOING currently... no questions asked, & HOSTS files are or CAN BE, a good part of that!

APK

P.S.=> LOL, you (& "your kind" online)? Heh - TRULY do make me laugh!

(All the while, while you & your trollish off topic b.s. replies only make me look good @ the same time, in your evading disproving the concrete, verifiable, & visible facts I posted, all backed by reputable sources + other members here on /. too, no less (& more I listed there))...

... apk

### Re:Others disagree with you (security pros include (1)

#### sortius_nod (1080919) | more than 2 years ago | (#38045508)

Someone learnt how to use bold on slashdot, want a medal or something?

### Re:Others disagree with you (security pros include (0)

#### Anonymous Coward | more than 2 years ago | (#38045530)

Gold star to you sir. Insightful comment of the day.

### Re:Others disagree with you (security pros include (-1)

#### Anonymous Coward | more than 2 years ago | (#38045590)

Disprove the data I put up on HOSTS files here won't you:

And, in every point made by myself there, w/ backing facts from security pros, & even other /. testimonials on HOSTS files' value as a "layered-security"/"defense-in-depth" tool that can also yield FAR BETTER SPEED ONLINE as well?

Good luck, you'll really TRULY need it...

* You only make ME look good - just because you're yet another EASILY FLOORED TROLL that you are demonstrating yourself to be!

APK

P.S.=> Ah, man... This? THIS WAS JUST "too, Too, TOO EASY - just '2EZ'", as it always is vs. trolls like yourself that utilize off topic illogical ad hominem attacks when they're confronted with facts from reputable sources & their peers on this website also + more... apk

### 1 thing is for SURE (on medals, lol) (-1)

#### Anonymous Coward | more than 2 years ago | (#38045558)

Until YOU can disprove the data I put up on HOSTS files here:

And, in every point made by myself there, w/ backing facts from security pros, & even other /. testimonials on HOSTS files' value for BOTH added speed & security online, as a valuable "layered-security"/"defense-in-depth" measure?

* YOU DON'T WIN ANY MEDALS, lol... well perhaps you do - For you being another EASILY FLOORED TROLL vs. facts, that you are demonstrating yourself to be!

APK

P.S.=> Ah, man... This? THIS WAS JUST "too, Too, TOO EASY - just '2EZ'", as it always is vs. trolls like yourself that utilize off topic illogical ad hominem attacks when they're confronted with facts from reputable sources & their peers on this website also + more... apk

### Re:Others disagree with you (security pros include (0)

#### cheeks5965 (1682996) | more than 2 years ago | (#38045650)

Wow man, you're hard core. I can't write a post that long. I have a girlfriend. btw, tl;dr.

### Your right hand != a girlfriend (lmao) (-1)

#### Anonymous Coward | more than 2 years ago | (#38045750)

Try using your left hand then, & see subject-line above (you're merely projecting your own issues about NOT having a human girlfriend is all, lol!)

APK

P.S.=> Yes, once more to YOU & "your kind" (off topic illogical adhominem attack utilizing trolls):

ARE MORE THAN WELCOME TO TRY & DISPROVE THE FACTS + DATA I USE FROM REPUTABLE SOURCES & even your own peers here on /. then...

(Good Luck, you WILL need it... many have tried, all have failed, especially trolls like yourself!)

... apk

### Re:The way it works though, via Word docs? (5, Informative)

#### Fluffeh (1273756) | more than 2 years ago | (#38045288)

Via email attachments?? Please - Nowadays, you'd have to be an UTTER CHUMP to fall for that "old trick"..........

Are you kidding me? While I agree that most people reading /. wouldn't fall for that trick, I can assure you that the company I work in (multinational retailer, I work in their head office) nine out of ten people wouldn't hesitate to open a Word attachment from someone they didn't know. Actually, I think the ratio may well be higher.

Now, it's being called "beautiful" in its interior code work, & it very well MAY BE quite elegant but... its delivery mechanism is "2nd rate", imo @ least.

Actually, I would disagree with that. Just because there are nicer ways to do it, doesn't mean that you need to use them. If you can send a single .doc attachment to a user within an organisation to get into it, why isn't that a perfect way to do it? There isn't anything wrong with spearphishing. To use the car analogy, if you want to get to your letterbox, there isn't any point in driving a supercar to get to it - just walk from the front door.

### Nope, not kidding you (-1)

#### Anonymous Coward | more than 2 years ago | (#38045416)

You WOULD have to be a CHUMP/NOOB, period... in regards to this statement of yours quoted next:

"Are you kidding me? While I agree that most people reading /. wouldn't fall for that trick, I can assure you that the company I work in (multinational retailer, I work in their head office) nine out of ten people wouldn't hesitate to open a Word attachment from someone they didn't know. Actually, I think the ratio may well be higher." - by Fluffeh (1273756) on Sunday November 13, @11:30PM (#38045288)

Especially w/ all the fanfare modern exploits on the web have (even in the "mainstream news")...

HOWEVER?

I agree - Yes, you're most likely correct though, many folks WILL FALL FOR THAT!

Well, then it's sort of your "civic responsibility" to EDUCATE said "chumps/noobs" vs. this type of threat...

Yes, even IF you're only a co-worker, but especially IF YOU ARE A TECHIE or NETWORK ADMIN or CODER in said organization.

(Some "Food 4 Thought" there on that note... & no, I am NOT "cutting down noobs" because in other fields of endeavour, let's use "nuclear medicine" for example? I AM A NOOB THERE... we all start someplace, & the best teachers ARE those who are "masters of the art"... per my suggestion above to educate others!)

---

"There isn't anything wrong with spearphishing." - by Fluffeh (1273756) on Sunday November 13, @11:30PM (#38045288)

Heh, here I MUST ABSOLUTELY DISAGREE WITH YOU: It's bogus, and illegal (afaik)...

APK

P.S.=> There you go... apk

### Re:Nope, not kidding you (2)

#### Fluffeh (1273756) | more than 2 years ago | (#38045472)

Well, then it's sort of your "civic responsibility" to EDUCATE said "chumps/noobs" vs. this type of threat.

I agree and I try to educate as many people as I can on as much as I can and hope that the majority of /. users would, but most of my time is spent teaching people to run analysis, or how to write some basic SQL so that our IT folks aren't being constantly hounded by ad-hoc requests, but most of all I try to teach people to think for themselves and look at a business from a scientific approach. That said, our business has over 4,000 employees just at head office and a further 200,000 throughout the business; a single nerd trying to educate will only go so far. As far as my parents, flatmates and friends, I have certainly gone to the effort of ensuring that they know enough about what are basic dos and don'ts - but even then, they know that they can call anytime to check if they should do something.

As for the spearphishing, look, if we are looking at the pros and cons of Duqu for goodness sake and how it has been implemented, I think that statement is valid. Yes, spearphishing is a bit on the naughty side, but as we are talking about something that is totally on the naughty side, I think that the delivery mechanism can be said to have nothing wrong with it in terms of implementation.

### "U're a GOOD MAN, Charlie Brown"!!! (-1)

#### Anonymous Coward | more than 2 years ago | (#38045884)

I am glad to see you are doing what I suggested because users (especially "noobs" as they are often wont to be called & why I used that term)? Are the MAIN WEAKEST LINK out there.

(You sound like you're more of a coder than a networker, as am I actually (since 1994 I've been doing MIS/IS/IT coding, mostly in Client-Server apps professionally))...

Now, as to THIS part from you, here's something you MAY like & you can tell Ms. Hester I sent you (email her):

"our business has over 4,000 employees just at head office and a further 200,000 throughout the business, a single nerd trying to educate will only go so far" - by Fluffeh (1273756) on Monday November 14, @12:15AM (#38045472)

This will help you, immensely, and it's EASY TO USE, multi-platform (does many OS') and you can get a FREE eval copy from which you can start basing logon script merges of .reg files even (what I do on bootup to reinforce Group & Local security policies here based on its advisement in Windows 7):

lhester@cisecurity.org
http://benchmarks.cisecurity.org/ [cisecurity.org]

Once the "freebie trial" does 'wear out' (written in multiplatform JAVA, so you will need it installed on a testbed rig for forming a SOLID security policy, & on MANY OS, and even if 32/64 bit etc.)?

You can SAVE the areas to alter (in the registry) using either .reg merge files, OR "auditpol" command line modules (like in a logon script in Windows) such as these:

auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:disable /failure:disable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:disable /failure:enable
auditpol /set /subcategory:"Registry" /success:disable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:disable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

To set & RESET them on workstation end point nodes... for Windows @ least!

Windows EXCELS in this area, AD & Group Policies... this tool helps that excel, even more, for security's sake!

* ENJOY... & see my subject-line above! Hence, why I am "turning you on" to those tips...

Now, because of this post, which YOU can verify the testimonials of the efficacy of the CIS Tool & more I do for security (doesn't take ALL THAT MUCH either):

I am "tipping you off" on this, just because you're into security on PC's/Servers it seems, and you spread it around... that's how things, GOOD THINGS too, get around & start working!

APK

P.S.=> Lastly - Sorry for the delay in reply, too many trolls I am "fending off" & blowing away (lol) in my subsequent replies here!

(They've resorted to off topic illogical adhominem attacks, their usual, modding down my posts without valid technical justifications, etc., when confronted with facts)...

Oh, & I like your username? Why?? Heh - it's my kitten's name "Fluffy" actually, but close enough...

Enjoy the CIS Tool too!

(It's really good now, & better than the versions I used in the past & has VISTA + Win7/Srv2k8 versions too, Linux, Solaris, & FAR MORE, all based on "best practices" for security hardening an OS - makes it FUN TO DO, in a nerdy way, and I am sure it will help you (especially for AD environs Group Policies you can MIGRATE to many 1,000's of users/end point/workstation nodes and yes, servers too))...

... apk
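The auditpol lines above set a baseline; what a practitioner also wants is a way to tell whether an endpoint still matches it after the logon script has run (or has been tampered with). The following is an added example, not code from the thread or from CIS; it parses the table that `auditpol /get /category:*` prints, compares it to a baseline built from the post's own `/set` lines, and emits the `auditpol /set` commands needed to bring a drifted host back. The `auditpol` output it parses is a constructed sample in the shape Windows prints; `BASELINE` and `SAMPLE_OUTPUT` are names chosen here.

```python
"""Audit-policy drift check against the baseline from the post's auditpol lines.

Added example (not from the Slashdot thread); the sample `auditpol /get`
output below is constructed to look like what Windows prints.
"""
import re
from typing import Dict, List, Optional, Tuple

Flags = Tuple[bool, bool]  # (success enabled, failure enabled)

# Baseline taken from the post's `auditpol /set` lines (subset shown for brevity).
BASELINE: Dict[str, Flags] = {
    "IPsec Driver": (True, True),
    "Security State Change": (True, True),
    "Security System Extension": (True, True),
    "System Integrity": (True, True),
    "File System": (False, True),
    "Registry": (False, True),
    "Audit Policy Change": (True, True),
    "Credential Validation": (True, True),
    "Process Creation": (True, False),
    "Logon": (True, True),
    "Logoff": (True, False),
    "Special Logon": (True, False),
    "Sensitive Privilege Use": (True, True),
}

# The four setting strings `auditpol /get` prints for a subcategory.
SETTING_TO_FLAGS: Dict[str, Flags] = {
    "No Auditing": (False, False),
    "Success": (True, False),
    "Failure": (False, True),
    "Success and Failure": (True, True),
}

# Constructed sample of `auditpol /get /category:*` output with deliberate drift:
# File System unaudited, Logon missing failures, Process Creation over-audited,
# Sensitive Privilege Use not present at all.
SAMPLE_OUTPUT = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Special Logon                           Success
Object Access
  File System                             No Auditing
  Registry                                Failure
Policy Change
  Audit Policy Change                     Success and Failure
Detailed Tracking
  Process Creation                        Success and Failure
Account Logon
  Credential Validation                   Success and Failure
"""

ROW = re.compile(r"^\s+(.+?)\s{2,}(Success and Failure|No Auditing|Success|Failure)\s*$")


def parse_auditpol_get(text: str) -> Dict[str, Flags]:
    """Parse subcategory rows (indented by two spaces); category rows are skipped."""
    parsed: Dict[str, Flags] = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue  # header, blank line, or an unindented category name
        m = ROW.match(line)
        if m:
            parsed[m.group(1)] = SETTING_TO_FLAGS[m.group(2)]
    return parsed


def find_drift(actual: Dict[str, Flags],
               baseline: Dict[str, Flags] = BASELINE) -> List[Tuple[str, Flags, Optional[Flags]]]:
    """Return (subcategory, wanted, got) for every baseline entry that does not match exactly.

    A missing subcategory is reported with got=None. The comparison is exact on
    purpose: an over-audited host is also drift from the agreed baseline.
    """
    return [(sub, want, actual.get(sub))
            for sub, want in baseline.items() if actual.get(sub) != want]


def remediation_commands(drift: List[Tuple[str, Flags, Optional[Flags]]]) -> List[str]:
    """Build the `auditpol /set` lines (same form as the post's) that restore the baseline."""
    on_off = lambda b: "enable" if b else "disable"
    return ['auditpol /set /subcategory:"%s" /success:%s /failure:%s'
            % (sub, on_off(succ), on_off(fail)) for sub, (succ, fail), _ in drift]


def check(text: str = SAMPLE_OUTPUT) -> List[str]:
    """Parse `auditpol /get` text and return the remediation commands for any drift."""
    return remediation_commands(find_drift(parse_auditpol_get(text)))


if __name__ == "__main__":
    for cmd in check():
        print(cmd)
```

On a real host you would feed `check()` the captured stdout of `auditpol /get /category:*` (for example from `subprocess.run(..., capture_output=True, text=True)`) and run the returned commands from an elevated prompt or the logon script; localized Windows builds print translated setting strings, so the `SETTING_TO_FLAGS` keys would need adjusting there.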

### Re:The way it works though, via Word docs? (1)

#### rtb61 (674572) | more than 2 years ago | (#38045460)

However in this application it serves its purpose, obfuscation, hiding criminally professionally paranoid uses of the stuxnet virus past, present and very likely future or at the least future discoveries. Likely some supposed pretend allies have been stuck with variants of the stuxnet virus and the original perpetrators are trying to hide their digital stab in the back of their would-be partners.

### HOW 2 remove Duqu & other rootkits FAST (0)

#### Anonymous Coward | more than 2 years ago | (#38046054)

First - It only serves the purpose vs. fools that don't use up to date anti(virus/spyware) that are aware of this via their signatures db's, as well as firewalls n' other layered security measures which I noted in my posts here in this exchange, trolls or not off topic & illogical ad hominem attackers though most of them are!

(Still - on those "taken advantage of" by this? Yes, there is plenty of that though as Fluffeh & I discussed here already, sometimes knowingly but mostly by those who are just not aware of or care about online security).

Their loss.

One CAN effectively "layered-security"/"defense-in-depth" protect oneself vs. this & other threats like it, like so:

NOW, most importantly/additionally, per my subject-line above?

* HOW TO REMOVE DUQU & DETECT FOR IT (even IF you're not using updated antivirus software aware of its current builds/variations etc.):

FREE SCANNER (written in multi-platform Python, which you would need to install the runtimes for) -> http://news.slashdot.org/story/11/11/06/0354207/open-source-tool-scans-for-duqu-drivers [slashdot.org]

REMOVAL TECHNIQUE (with tools you already own as a Windows user no less, takes 5 minutes time, TOPS):

---

1.) BOOT UP from your Windows installation media (read only environs is why) & use RECOVERY CONSOLE

2.) USE THE DISABLE COMMAND on DUQU's driverset:

DUQU KNOWN DRIVERS LIST:

jminet7.sys
cmi4432.sys
nfred965.sys
nfred965.sys
nfred965.sys
nred961.sys
iaStor451.sys
allide1.sys
iraid18.sys
noname.sys
igdkmd16b.sys
igdkmd16b.sys

(the RC listsvc command can show not only services, but also drivers too, like those - should it add more, & they don't "look right"? Look them up on GOOGLE, & if they are not legit & this thing adds more over time (it does, that list above's larger than ones I posted last week on this)? FRY THEM, after you're SURE they're not legit drivers that is!)

3.) Once those are disabled? FIX THE BOGUS BOOTSECTOR USING RC's "FixMBR" command to clear the bootsector of this rootkit!

4.) NOW - Should this rootkit/botnet "haul in" MORE malware, & iirc, it does?

You can delete that a couple ways!

---

A.) RC DEL command

OR

B.) ProcessExplorer in usermode/Ring3/RPL 3 operations by halting infected processes (running the dll list via dll injection on the libs/dlls below), by having the DLL view list pane visible & highlighting all your running processes to check for that, OR if it hauls in just plain other badware running on its own).

DUQU DLL LIST:

netp191.PNF
netp192.pnf
cmi4432.pnf
cmi4464.pnf
netf2.pnf
netf2.PNF
netf1.PNF
netf2.PNF
iddr021.pnf
ird182.pnf

---

* DO THAT, exactly the way it's noted? This thing's HISTORY... in 3-5 minutes time, tops!

(Yes, it works... it worked for me on the allegedly "indestructible rootkit" that used hello_tt.sys a few months back for a paying client & will work on this too, provided its design, like that rootkit just noted, does NOT protect its driver init. areas)

See... once those drivers are killed off in Ring 0/RPL0/kernelmode + the bootsector's cleaned? Cake to NUKE the remaining usermode malware, per the above, also! Very easy, very fast, & VERY EFFECTIVE too.

HERE ENDETH THE LESSON...

APK

P.S.=> Drivers & DLL list courtesy of SYMANTEC:

... apk
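The post's detection step is a manual one: list drivers from the recovery console and compare against the file names above. The following is an added example, not the thread's code and not the open-source scanner it links to; it turns the post's driver and .PNF lists into a case-insensitive name set (Windows file names are case-insensitive, and the post's list repeats some names), walks a directory tree for matches and records a SHA-256 of each hit for the incident record. `demo()` builds a constructed temp tree with two IoC-named files and two decoys so the block runs offline; on a real host you would point `scan_tree()` at the driver and INF directories of the system volume (which paths to scan is an assumption made here, not something the post states). Name matching is a triage signal only, which is also the post's own caveat: confirm a hit before removing anything.

```python
"""Triage scan for the Duqu driver / PNF file names listed in the post.

Added example, not the thread's own code nor the scanner it links to. The
names come from the post (credited there to Symantec); the directory tree
built by demo() is constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set

# Driver names from the post, with its duplicate entries removed.
DUQU_DRIVERS = ["jminet7.sys", "cmi4432.sys", "nfred965.sys", "nred961.sys",
                "iaStor451.sys", "allide1.sys", "iraid18.sys", "noname.sys",
                "igdkmd16b.sys"]
# .PNF names from the post (the post lists netf2 three times with varying case).
DUQU_PNF = ["netp191.PNF", "netp192.pnf", "cmi4432.pnf", "cmi4464.pnf",
            "netf2.pnf", "netf1.PNF", "iddr021.pnf", "ird182.pnf"]


def ioc_names(*lists: Iterable[str]) -> Set[str]:
    """Fold the lists into one lower-cased set: Windows file names are case-insensitive."""
    return {name.lower() for lst in lists for name in lst}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large drivers do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, names: Set[str]) -> List[Dict[str, str]]:
    """Walk `root` and return one record (path, name, sha256) per file whose name is an IoC."""
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in names:
                path = os.path.join(dirpath, fname)
                hits.append({"path": path, "name": fname, "sha256": sha256_of(path)})
    return sorted(hits, key=lambda h: h["path"])


def demo() -> List[str]:
    """Build a constructed tree (two IoC-named files, two decoys) and return the matched names."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "drivers")  # stands in for System32\drivers
        inf = os.path.join(root, "inf")          # stands in for the INF directory
        os.makedirs(drivers)
        os.makedirs(inf)
        # Constructed contents; the upper-case JMINET7.SYS checks case folding.
        samples = [("JMINET7.SYS", b"constructed driver bytes"),
                   ("ntfs.sys", b"constructed legit driver"),
                   ("netp191.pnf", b"constructed pnf bytes"),
                   ("oem1.pnf", b"constructed legit pnf")]
        for name, data in samples:
            target = drivers if name.lower().endswith(".sys") else inf
            with open(os.path.join(target, name), "wb") as f:
                f.write(data)
        hits = scan_tree(root, ioc_names(DUQU_DRIVERS, DUQU_PNF))
        return [h["name"].lower() for h in hits]


if __name__ == "__main__":
    print(demo())
```

Because the scan runs from a normal user session, it will not see files a kernel-mode rootkit hides from the running OS; that is exactly why the post does the removal from read-only installation media. Running the same scan against the offline volume (mounted from that media or from another host) avoids the hiding problem.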

### Small edit/amendment on ProcessExplorer use (-1)

#### Anonymous Coward | more than 2 years ago | (#38046188)

"B.) ProcessExplorer in usermode/Ring3/RPL 3 operations by halting infected processes (running the dll list via dll injection on the libs/dlls below), by having the DLL view list pane visible & highlighting all your running processes to check for that, OR if it hauls in just plain other badware running on its own)." - by Anonymous Coward on Monday November 14, @02:39AM (#38046054)

FOR THAT TO WORK - SMALL AMENDMENT I MISSED PUTTING UP REGARDING PROCESS EXPLORER USAGE:

You will use ProcessExplorer's ability to:

1.) "SUSPEND" a parent calling the bogus libs/dlls running process (that's been injected by the bogus DLL list this rootkit uses) FIRST...

2.) Then, once the calling parent fielding methods from the bogus dll's is frozen, freeze the DLL too, & then delete it on disk... done!

* Yes, folks... it is THAT simple! RC's DEL would do the job anyhow though, but I believe in being COMPLETE & ACCURATE is all... lol!

APK

P.S.=> Enjoy this method, it works vs. rootkits like this that use bogus bootsectors + drivers in a "mixed blended threat" design such as this or the hello_tt.sys "indestructible rootkit" from weeks ago!

(That is, until the idiots designing them "get wise" to the mechanics I use to destroy them & their drivers (which, afaik, to date? THESE CURRENT ROOTKITS THAT USE DRIVERS + BOGUS BOOTSECTORS DO NOT PROTECT THEIR REGISTRY DRIVER INIT/LOAD AREAS)

NOW... they do that? We probably WILL have nearly indestructible, truly indestructible, rootkits... or, you'll have to use other methods than I do is all!)

... apk

### Fluffeh: READ THIS (U will find it useful) (0)

#### Anonymous Coward | more than 2 years ago | (#38047424)

* Enjoy CIS Tool man...

(Especially for YOUR situation YOU describe w/ TONS of users/endpoints/workstations/servers etc., to secure...!)

APK

P.S.=> I state that, because IF you're using an AD network which I assume @ least you most likely do on Windows, & have Windows Group Policies in place (where Windows EXCELS for massive amounts of user/group mgt. ala "volume mgt. tools" etc.- et al)?

... apk

### Re:The way it works though, via Word docs? (2)

#### ColdWetDog (752185) | more than 2 years ago | (#38045504)

Oops. Looks like 4Chan is down again.

### Re:The way it works though, via Word docs? (4, Funny)

#### cmv1087 (2426970) | more than 2 years ago | (#38045560)

Am I the only one who reads apk's comments in the voice of an insurance or used car salesman?

### Yet MORE off-topic illogical adhominem attacks? (-1)

#### Anonymous Coward | more than 2 years ago | (#38045576)

Disprove the data I put up on HOSTS files here:

And, in every point made by myself there, w/ backing facts from security pros, & even other /. testimonials on HOSTS files' value as a "layered-security"/"defense-in-depth" tool that can also yield FAR BETTER SPEED ONLINE as well?

* You only make ME look good - just because you're yet another EASILY FLOORED TROLL that you are demonstrating yourself to be!

APK

P.S.=> Ah, man... This? THIS WAS JUST "too, Too, TOO EASY - just '2EZ'", as it always is vs. trolls like yourself that utilize off topic illogical ad hominem attacks when they're confronted with facts from reputable sources & their peers on this website also + more... apk

### APK u know u did a good job when (0)

#### Anonymous Coward | more than 2 years ago | (#38045762)

All trolls have here is a technically unjustified mod down of ur 1st post http://it.slashdot.org/comments.pl?sid=2523490&cid=38045260 [slashdot.org] and most especially the points you made vs. them on HOSTS files here http://it.slashdot.org/comments.pl?sid=2523490&cid=38045322 [slashdot.org] that shut them up (and had them have to resort to off topic illogical adhominem attacks and modding down your post to try to hide it, hahaha, how weak of them)

### apk is such an idiot (0)

#### Anonymous Coward | more than 2 years ago | (#38045830)

that he can't even figure out how to signup for a /. account.

### Answer me this then... apk (-1)

#### Anonymous Coward | more than 2 years ago | (#38045950)

Why on EARTH should I have a "registered 'luser'" acc't. here when I can post as much as ANY of you 'reg'd lusers' can, and the typical restrictions on us AC's don't apply to me?

That's right: I have an EXTREMELY FAST way around that "lame" discrimination on us ac's to post as much as I like!

No - I won't & DON'T make it "easy" for you trolls to track my posts to down mod my posts on technically unjustifiable grounds... that's all. Too bad you can't stand I do things that way... lol, I've had FOOLS here say that IF I registered, they'd downmod ALL OF MY POSTS... lol, weak!

(Plus? Well - I could give a damn about "mod points" because I can tell others "good job" in person, and also because those get gamed & cheated on here by those with multiple registered luser accounts here & elsewhere online, as easily as I beat post per 24 hour restrictions here)

Additionally... yes that happens on cheating & gaming the moderation system here!

Heck - Even HBGary got CAUGHT pulling that lame trick to their dismay, here -> HBGary POST in Fake Names On Social Networks, a Fake Problem:2011 -> http://tech.slashdot.org/comments.pl?sid=2375110&cid=37056304 [slashdot.org] & done to attack opponents via "enmasse" but easily seen thru "jump on the bandwagon" mass marketer transparent ploy tactics! )

* Please - Don't think it doesn't happen here OR try to say it doesn't...

Especially as I have caught TomHudson & the "trolltalk.com" crew pulling it, + other things, to cheat or game the mod system here!

(E.G./I.E.-> Down modding their opponents down & themselves up in groups using TOR to pull it off - no, I don't use TOR, too many fake honey pots setup endpoints (and it has security issues too), lol, was funny as hell showing others here their "mechanics" on how they do it, pretty lame weak way too!)

APK

P.S.=> Besides, I do FINE as an AC with mod ups!

(Though the trolls who cannot defeat my points always resort to technically unjustified mod down as my 1st post here was subjected to -> http://it.slashdot.org/comments.pl?sid=2523490&cid=38045260 [slashdot.org] but as I see, others are "modding it up" to counteract that, @ 0 Offtopic here (though it's NOT off topic @ all, indicating the bs going on here, lol, that I just spoke of))

Plus? Heck, I do well enough, especially for an AC, on getting "modded up", see below:

Roughly 75++ of them & I post as AC (hard to get even +1, as /. hides our posts & we "AC"'s start @ ZERO/0 points, unlike registered "lusers", lol!):

+5 'modded up' posts by "yours truly" (4):

HOSTS & BGP:2010 -> http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]

----

+4 'modded up' posts by "yours truly" (3):

INFO. SYSTEMS WORK:2005 -> http://slashdot.org/comments.pl?sid=161862&cid=13531817 [slashdot.org]
WINDOWS @ NASDAQ 7++ YRS. NOW:2009 -> http://tech.slashdot.org/comments.pl?sid=1290967&cid=28571315 [slashdot.org]

----

+3 'modded up' posts by "yours truly" (6):

APK MICROSOFT INTERVIEW:2005 -> http://developers.slashdot.org/comments.pl?sid=155172&cid=13007974 [slashdot.org]
APK FOOLS IE7 INSTALL IN BETA HOW TO:2006 -> http://slashdot.org/comments.pl?sid=175857&cid=14615222 [slashdot.org]
HBGary POST in Fake Names On Social Networks, a Fake Problem:2011 -> http://tech.slashdot.org/comments.pl?sid=2375110&cid=37056304 [slashdot.org]
APK RC STOP ROOKIT TECHNIQUES:2008 -> http://it.slashdot.org/comments.pl?sid=1021873&cid=25681261 [slashdot.org]

----

+2 'modded up' posts by "yours truly" (10):

APK TRICK TO STOP A MALWARE:2008 -> http://tech.slashdot.org/comments.pl?sid=1010923&cid=25549351 [slashdot.org]
DOING SHAREWARE 1995-2004:2007 -> http://it.slashdot.org/comments.pl?sid=233779&cid=19020329 [slashdot.org]
MHTML SECURITY BUG FIX IE:2011 -> http://tech.slashdot.org/comments.pl?sid=1973914&cid=35056454 [slashdot.org]
EXCEL SECURITY FIX:2009 -> http://it.slashdot.org/comments.pl?sid=1139485&cid=26974507 [slashdot.org]
CODING JOBS OFFSHORING:2007 -> http://slashdot.org/comments.pl?sid=245971&cid=19760473 [slashdot.org]
MS PUTS YOU TO WORK:2006 -> http://it.slashdot.org/comments.pl?sid=174759&cid=14538593 [slashdot.org]

----

+1 'modded up' posts by "yours truly" (55) & we AC's start at ZERO, not 1 or 2 like registered users on /. do:

DISASSEMBLY & PROTECTING CODE:2010 -> http://news.slashdot.org/comments.pl?sid=1719570&cid=32907418 [slashdot.org]
SECURITY BUGS LINUX vs. WINDOWS:2011 -> http://news.slashdot.org/comments.pl?sid=2247480&cid=36485068 [slashdot.org]
NORTON DNS & DNSBL:2011 -> http://yro.slashdot.org/comments.pl?sid=2311948&cid=36708742 [slashdot.org]
APK ROOTKIT KILLING TECHNIQUE USING RC:2011 -> http://tech.slashdot.org/comments.pl?sid=2428486&cid=37405530 [slashdot.org]
DISK DEFRAG STRATEGY OPTIONS:2011 -> http://it.slashdot.org/comments.pl?sid=2435272&cid=37443738 [slashdot.org]
DATASTRUCTURES & SQL:2011 -> http://news.slashdot.org/comments.pl?sid=2080454&cid=35794668 [slashdot.org]
DELPHI ROCKS VB/VC++:2007 -> http://it.slashdot.org/comments.pl?sid=236049&cid=19261269 [slashdot.org]
MULTIPLE MESSAGE QUEUES:2010 -> http://linux.slashdot.org/comments.pl?sid=1618508&cid=31847246 [slashdot.org]
APK ROOTKIT.COM ON WINDOWS VISTA IPSTACK SECURITY:2009 -> http://tech.slashdot.org/comments.pl?sid=1339085&cid=29106629 [slashdot.org]
PROGRAMMING CONCEPTS MORE IMPORTANT THAN SYNTAX:2009 -> http://tech.slashdot.org/comments.pl?sid=1314993&cid=28827429 [slashdot.org]
CODING .NET FROM VB:2006 -> http://developers.slashdot.org/comments.pl?sid=176229&cid=14641701 [slashdot.org]
SLASHDOT "Pro-*NIX" SLANT CONTROVERSY = GOOD:2005 -> http://slashdot.org/comments.pl?sid=154725&cid=12974078 [slashdot.org]
NYSE+LINUX STOCK EXCHANGE LIE BY PENGUINS:2010 -> http://linux.slashdot.org/comments.pl?sid=1842764&cid=34046376 [slashdot.org]
WINDOWS vs. IBM vs. LINUX ARCHITECTURE STEALING:2005 -> http://linux.slashdot.org/comments.pl?sid=160244&cid=13414756 [slashdot.org]
LINUX IMITATING WINDOWS:2005 -> http://linux.slashdot.org/comments.pl?sid=170126&cid=14177851 [slashdot.org]
APK USING KDE & LINUX:2010 -> http://linux.slashdot.org/comments.pl?sid=1750240&cid=33214838 [slashdot.org]
APK CONGRATS TO LINUX:2005 -> http://linux.slashdot.org/comments.pl?sid=170296&cid=14192885 [slashdot.org]
APK KUDOS TO LINUX:2005 -> http://slashdot.org/comments.pl?sid=162921&cid=13614370 [slashdot.org]
MINIMUM WINDOWS SERVICES:2005 -> http://slashdot.org/comments.pl?sid=157321&cid=13190570 [slashdot.org]
HIDDEN SECURITY BUGS:2005 -> http://linux.slashdot.org/comments.pl?sid=164039&cid=13698742 [slashdot.org]
APK & FIREFOX BUGFIX TEAM:2005 -> http://it.slashdot.org/comments.pl?sid=161697&cid=13526010 [slashdot.org]
WHY OPERA ROCKS:2005 -> http://slashdot.org/comments.pl?sid=170983&cid=14242283 [slashdot.org]
OPERA=FASTER & MORE SECURE:2005 -> http://it.slashdot.org/comments.pl?sid=157615&cid=13208800 [slashdot.org]
OPERA vs. FIREFOX:2007 -> http://slashdot.org/comments.pl?sid=286721&cid=20452183 [slashdot.org]
APK SANDBOXING IE:2007 -> http://it.slashdot.org/comments.pl?sid=236547&cid=19310513 [slashdot.org]
APK ON SANDBOXIE:2010 -> http://it.slashdot.org/comments.pl?sid=1875754&cid=34281930 [slashdot.org]
CHROME NEEDS BY SITE PREFS TO SANITYINANARCHY:2011 -> http://slashdot.org/comments.pl?sid=2358734&cid=36946676 [slashdot.org]
DO YOUR BEST WORK OUR YOUNG MENS LIVES RIDE ON IT:2010 -> http://developers.slashdot.org/comments.pl?sid=1898806&cid=34472826 [slashdot.org]
STAT I/II SKEWING:2010 -> http://slashdot.org/comments.pl?sid=1504756&cid=30711074 [slashdot.org]
WINDOWS EMPLOYS YOU BETTER:2006 -> http://linux.slashdot.org/comments.pl?sid=174277&cid=14498965 [slashdot.org]
APK ON HARDCODES & SHELLOPEN ASSOCIATION:2010 -> http://tech.slashdot.org/comments.pl?sid=1519842&cid=30854906 [slashdot.org]
DR. DEMENTO SHOW:2010 -> http://news.slashdot.org/comments.pl?sid=1678308&cid=32494990 [slashdot.org]
CA DISREPUTABLE #2 of 2:2010 -> http://news.slashdot.org/comments.pl?sid=1884922&cid=34351020 [slashdot.org]
NO PROOF USED BY LOB:2010 -> http://tech.slashdot.org/comments.pl?sid=1907190&cid=34529734 [slashdot.org]
ON KIDS CODING & ARMCHAIR QB's:2011 -> http://science.slashdot.org/comments.pl?sid=2040490&cid=35508400 [slashdot.org]
FPGA & TERMINATORS:2011 -> http://it.slashdot.org/comments.pl?sid=2341586&cid=36842168 [slashdot.org]

---

* THE HOSTS FILE GROUP 23++ THUSFAR (from +5 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]
HOSTS MOD UP:2010 -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]
APK 20++ POINTS ON HOSTS MOD UP:2010 -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1862260&cid=34186256 [slashdot.org]
HOSTS FILE MOD UP FOR ANDROID MALWARE:2010 -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]
HOSTS MOD UP ZEUSTRACKER:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]
HOSTS MOD UP vs AT&T BANDWIDTH CAP:2011 -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]
HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]
HOSTS and BGP +5 RATED (BEING HONEST):2010 http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]
HOSTS & PROTECT IP ACT:2011 http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700 [slashdot.org]
HOSTS MOD UP:2011 -> http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458 [slashdot.org]
HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1197039&cid=27556999 [slashdot.org]
0.0.0.0 IN HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://it.slashdot.org/comments.pl?sid=1198841&cid=27580299 [slashdot.org]

* THE APK SECURITY GUIDE GROUP 10++ THUSFAR (from +5 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

APK SECURITY GUIDE:2005 -> http://developers.slashdot.org/comments.pl?sid=167071&cid=13931198 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://it.slashdot.org/comments.pl?sid=1361585&cid=29360367 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://yro.slashdot.org/comments.pl?sid=1218837&cid=27787281 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://tech.slashdot.org/comments.pl?sid=1885890&cid=34358316 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=154868&cid=12988150 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://tech.slashdot.org/comments.pl?sid=1027095&cid=25747655 [slashdot.org]

---

And, there you go... as per my usual, with backing facts & data that is easily verifiable from reputable sources (/. itself)... apk

### Re:Answer me this then... apk (1)

#### Pence128 (1389345) | more than 2 years ago | (#38046476)

You really put a lot of effort into this don't you?

### No, off-topic chumps = EZ 2 dispatch (-1)

#### Anonymous Coward | more than 2 years ago | (#38046544)

See subject-line above, lol... says it ALL! Plus, even how to patch for Duqu? Even easier -> MicrosoftFixit50792.msi from http://technet.microsoft.com/en-us/security/advisory/2639658 [microsoft.com]

* YES - That stalls it dead, & iirc, it's been PATCHED already as of that "FixIt" tool above, for the most part, & yes, it works...

Then, a FINAL fix is issued on MS Patch Tuesday upcoming as I understand that has not issued like it was supposed to this month last week!

Additionally - Most antivirus tools detect for it, & there are probably even removal tools in them (would have to work like my technique below does though imo @ least, vs. a rootkit using ring 0/rpl 0/kernelmode drivers & rogue bootsectors too)...

PLUS, want to detect for & REMOVE IT, if you have been "hit" by it? EASY & 3-5 minutes of your time, here, courtesy of "yours truly":

It works... & has in the past for me vs. the allegedly "indestructible rootkit" that used hello_tt.sys a few weeks/months back as well while I did it for a paying customer...

(Especially since these rootkits are both of "blended threat" type tech utilizing both bogus bootsectors & protective drivers, similar design in BOTH? The technique in the link above, JUST WORKS)...

APK

P.S.=> No need to thank me (lol, "pats self on back") either...

This level of "techie work" in this field? Child's Play!

Especially when compared to programming & design of applications, which is what I usually am about professionally...

... apk

### Re:apk is such an idiot (0)

#### Anonymous Coward | more than 2 years ago | (#38045960)

Odd u're trolling as ac urself then dumbass (pot calling the kettle black?)

### Duqu doesn't work that way. (2, Insightful)

#### Anonymous Coward | more than 2 years ago | (#38046108)

This is not a Word macro. It's not even a Word bug. It's a font rendering bug IN THE KERNEL that can be triggered by anything that lets you embed a custom font. Web pages can contain custom fonts. PDF files can contain custom fonts.

Oh, they also have a properly signed driver, and they disable antivirus/antimalware.

### Been patched (plus FIXIT tool too & removal) (-1)

#### Anonymous Coward | more than 2 years ago | (#38046210)

* YES - That stalls it dead, & iirc, it's been PATCHED already as of last Tuesday's "MS Patch Tuesday", every 2nd tuesday of the month...

PLUS, want to detect for & REMOVE IT, if you have been "hit" by it? EASY & 3-5 minutes of your time, here:

It works... & has in the past for me vs. the allegedly "indestructible rootkit" that used hello_tt.sys a few weeks/months back as well while I did it for a paying customer...

APK

P.S.=> How is it working then, if it is NOT exploiting using macros? Wouldn't matter though - the patch via FIX IT exists, and again - I do believe it's been patched LAST WEEK in fact, per MS "patch tuesday" that just passed & antivirus tools now detect for it as well, etc./et al

... apk

### Re:Been patched (plus FIXIT tool too & removal (1)

#### Anonymous Coward | more than 2 years ago | (#38046366)

YES - That stalls it dead, & iirc, it's been PATCHED already as of last Tuesday's "MS Patch Tuesday", every 2nd tuesday of the month...

no, it has not ... they released a "temporary fix" (besides it was qualified as a "workaround", not sure whether it means "a fix that will last a few days before we need another one" or not), but not in time to be included in November's "ms patch Tuesday". Guess it will be for next month ...

P.S.=> How is it working then, if it is NOT exploiting using macros? Wouldn't matter though - the patch via FIX IT exists, and again - I do believe it's been patched LAST WEEK in fact, per MS "patch tuesday" that just passed

not it has not, do your homework

Besides, if it is not too much to ask, could you STOP SCREAMING (please ?)

### FixIt tool + recommendations there WORK (-1)

#### Anonymous Coward | more than 2 years ago | (#38046386)

IF U get "hit" by it? I list how 2 remove & detect for it 1st w/ a free tool here:

Easily, & with tools Windows users already own, in about 3-5 minutes time taken to do so...

(Funny you omitted I posted that much too, eh? NOT!)

APK

P.S.=> As to this? LMAO, ok:

"not it has not, do your homework" - by Anonymous Coward on Monday November 14, @03:55AM (#38046366)

Ahem: I did my homework ages ago on that account...

I.E.-> I can't be "hit" by this, per this -> http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Search [google.com]

That guide of mine on securing Windows uses MANY multiple "layered-security"/"defense-in-depth" security measures, that stop this type of crap for myself & many others IF FOLLOWED TO THE LETTER, for one thing!

PLUS, I am not that stupid to open Word docs from strangers (or even friends) w/out scanning them, & I have AntiVirus/AntiSpyware in place for that in MS Security Essentials, regularly updated here, too!

Per that guide? Well... You can SEE that I try to turn others onto that too, per that guide above & for nearly 1.5 decades now online.

Soooo - "Better luck next time" in trying to "get the best of me"... lol, no small wonder you post as AC to me - you're NOT confident enough to face me with a registered "luser" name here, lol...

... apk

### Re:FixIt tool + recommendations there WORK (2, Informative)

#### Anonymous Coward | more than 2 years ago | (#38046450)

"not it has not, do your homework" meant :

No it has not been patched in last Tuesday's "MS Patch Tuesday" (although a temporary fix indeed exists, which I didn't deny in any way, on the contrary), you might want to check that before SCREAMING it to the world. As for the macro thing, I've read (and apparently many others that answered to you) that it's a problem with the TrueType font parsing engine (which you would have read too if you had done your homework ages ago, that is some googling on microsoft's website (and others'))

I don't know where you started to understand that I was implying in any way that duqu could not be fixed or removed by you and others or that you were vulnerable to it ...

### Question: Does the FIXIT Tool work? (-1)

#### Anonymous Coward | more than 2 years ago | (#38046490)

* So, take your own advice: Stop "screaming" I am wrong, when I am ANYTHING BUT, because of the fixit tool above (and the download page for its recommendations on ZONES & EMAIL too, stopping it BEFORE IT CAN HAPPEN TO THE UNWARY USER)... period.

I also recommend similar tactics in my security guide also, no less (for "layered-security"/"defense-in-depth") also...

Additionally/Again - I figured out an EASY WAY TO REMOVE THIS ROOTKIT & OTHERS LIKE IT, in 3-5 minutes time, for Windows users!

Have you? No - you just troll, & get SHOT DOWN by the fact MS has a fix for Duqu, period, & most AntiVirus are aware of it as well & can hopefully remove it too (or there are tools for it auxiliary to av programs).

APK

P.S.=> I said "iirc" on the Patch Tuesday thing in my post on it didn't I? I wasn't absolutely sure, hence the "iirc", you're just too "dim" to "pick up" on that...

See above though, lol... you made this "too, Too, TOO EASY - just '2EZ'" for me vs. the likes of an AC TROLLING fool like yourself...

... apk

### Re:Question: Does the FIXIT Tool work? (1)

#### Anonymous Coward | more than 2 years ago | (#38046626)

Did it get released within MS Patch tuesday ? Nope

I never said you were lying or anything like it I just pointed that your "belief"/"iirc" was wrong. Which it is. Don't feel insulted or trolled, I'm not insulting/trolling you, I'm just stating a fact.

Also I never denied that you figured out an easy way to remove this rootkit and others. Again I don't know where you read in my post that I implied so ...

besides, since it seems that you're a bit too young to know that, "screaming" here actually means "writing with capslock on".

Oh and it still is not a Word macro problem, as stated on Microsoft website ...

### Avoiding the answer to my question? (0)

#### Anonymous Coward | more than 2 years ago | (#38047358)

QUESTION: Does the FIX IT TOOL WORK? Answer = YES. It's all that matters here, & so do the recommendations on its download page... & IT WAS RELEASED BEFORE LAST WEEK'S "PATCH TUESDAY" even!

* So, until a FINAL patch issues?? Folks DO have a WORKING FIX!

(That final patch was supposed to be ready last week, but apparently, it isn't which is WHY I wrote "iirc" on that aspect of it).

APK

P.S.=> You "barked orders" my way on "how to post" etc./et al, & IF I have a working solution, then yes - I will YELL IT FROM THE ROOFTOPS... why not?

Fact is, I suggest (but not demand OR ORDER as you seem wont to do) YOU DO THE SAME, & stop falsely saying I am "wrong" when I am completely right there's a fix for Duqu already in the FixIt Tool patch, antivirus being aware of it already, & yes, I have an easy way to remove it (& other rootkits like it that use "blended threat" tech (drivers + bogus bootsectors))...

... apk

### Re:Avoiding the answer to my question? (0)

#### Anonymous Coward | more than 2 years ago | (#38047552)

P.S.=> You "barked orders" my way on "how to post" etc./et al, & IF I have a working solution, then yes - I will YELL IT FROM THE ROOFTOPS... why not?

Because no one listens to yelling younglings ?

Fact is, I suggest (but not demand OR ORDER as you seem wont to do) YOU DO THE SAME, & stop falsely saying I am "wrong" when I am completely right there's a fix for Duqu already in the FixIt Tool patch, antivirus being aware of it already, & yes, I have an easy way to remove it (& other rootkits like it that use "blended threat" tech (drivers + bogus bootsectors))...

... apk

wow, just wow 8-|

Didn't say there was not a fix Peter, just said it was not released during MS patch Tuesday, Peter

Anyway, you're the best troll ever Peter, keep up the good work !

Regards, Jeremy

### Re:The way it works though, via Word docs? (0)

#### Anonymous Coward | more than 2 years ago | (#38047728)

Given the whole thread started by Him hereafter (and in other /. stories), I thought it could be enlightening for everyone to learn a bit more about the Great & Wise APK :

http://www.thorschrock.com/2008/05/19/how-to-respond-when-people-threaten-to-sue-you-on-the-web/ [thorschrock.com]

http://www.jeremyreimer.com/phpbb2/viewtopic.php?t=4128&postdays=0&postorder=asc&start=0 [jeremyreimer.com]

If you're in a bad mood, this should be enough to make your day :-p

Keep up that Awesomeness of yours Peter

### Of course on a Wednesday or Thursday... (2)

#### bmo (77928) | more than 2 years ago | (#38045270)

But never on a Sunday.

--
BMO

### Re:Of course on a Wednesday or Thursday... (0)

#### Anonymous Coward | more than 2 years ago | (#38046020)

six days you shall work...

### Re:Of course on a Wednesday or Thursday... (1)

#### The Askylist (2488908) | more than 2 years ago | (#38047444)

Probably never on a Saturday, if it's related to Stuxnet :-)

### God is just (-1)

#### Anonymous Coward | more than 2 years ago | (#38045278)

God is just.

God says...
C:\LoseThos\www.losethos.com\text\BIBLE.TXT

ore, behold, the days come, saith the LORD, that it shall
no more be said, The LORD liveth, that brought up the children of
Israel out of the land of Egypt; 16:15 But, The LORD liveth, that
brought up the children of Israel from the land of the north, and from
all the lands whither he had driven them: and I will bring them again
into their land that I gave unto their fathers.

16:16 Behold, I will send for many fishers, saith the LORD, and they
shall fish them; and after will I send for many hunter

### Source code? (2)

#### seven of five (578993) | more than 2 years ago | (#38045292)

I think you mean object code.

### Re:Source code? (-1)

#### Anonymous Coward | more than 2 years ago | (#38045324)

What's easier moron, source to object to exe to memory or source to memory?

### Some say... (5, Funny)

#### beefmusta (1616667) | more than 2 years ago | (#38045314)

...that he may be four years old. And that he generally tried to steal information on Wednesdays. All we know is... he's called the stig.

### Re:Some say... (0)

#### Anonymous Coward | more than 2 years ago | (#38045392)

That....is awesome.

### Re:Some say... (1, Funny)

#### jd (1658) | more than 2 years ago | (#38045516)

For those unfamiliar with Stig, here he is, prior to racing cars [youtube.com] .

### Re:Some say... (0)

#### Anonymous Coward | more than 2 years ago | (#38045970)

It's a Stig, Jim, but not as we know him.....

### Re:Some say... (1)

#### fatphil (181876) | more than 2 years ago | (#38046810)

Great - a Morris Woody! Who'd have thought that would take the track record?

### Ah (1)

#### no-body (127863) | more than 2 years ago | (#38045388)

they all just talk "about" the thing and never show it for real - source or object. Kinda boring!

### Re:Ah (2)

#### yuhong (1378501) | more than 2 years ago | (#38045864)

From the original blog article [securelist.com] :
"Due to privacy reasons and protection of the identity of the victim, we cannot share the source .DOC file with other parties."

### Some say... (-1)

#### Anonymous Coward | more than 2 years ago | (#38045480)

Some say that he may be four years old, and that he generally tries to steal information on Wednesdays.

All we know is, he's called the Stig.

[applause]

### RemQue (0)

#### Anonymous Coward | more than 2 years ago | (#38045538)

http://www.losethos.com/code/BackEnd.html#l4463

### Why 2003? (1)

#### GNULinuxGuy (2483278) | more than 2 years ago | (#38045580)

I wonder why 2003. Didn't the show start in 2006?

### Re:Why 2003? (0)

#### Anonymous Coward | more than 2 years ago | (#38045956)

Dexter's Laboratory.

### Wednesdays... (3, Funny)

#### gstrickler (920733) | more than 2 years ago | (#38045694)

...because it never could get the hang of Thursdays.

### If only my boss had said such nice things about me (4, Insightful)

#### DrVomact (726065) | more than 2 years ago | (#38045774)

From the article:

The evidence points to a high level of sophistication. "The exploit used to infect victims with Duqu is incredibly well written, beautiful in a sense," Raiu said. "The Duqu authors are top-class exploit writers."

If I were the author(s) of this piece of malware, I'd get a real warm fuzzy feeling reading those words. So they're skillful. But they're also destructive jerks—yet the author of the piece has nothing to say about their character. Heck, they're celebrities, and that's all that matters any more.

Of course they're good. There is big money in writing malware; the nerd-lords of cybercrime can afford to hire the very best coders, and keep them knee-deep in twinkie wrappers. It's not script kiddies anymore (except those who are just practicing to get a real job writing serious malware, or maybe demonstrating the appropriate skills for potential employers); this is a profession now. Given the absence of any sense of morality among the most intelligent of our young people, money buys all the talent the criminals need. But these guys will work for anybody who has money. The TLAs of the government, for instance. Or non-governmental agencies with an interest in destruction. There is nothing more dangerous than smart people without a moral compass.

Sort of reminds me of Oppenheimer's comment about H-bomb technology as being "technically sweet".

### Re:If only my boss had said such nice things about (2)

#### hyades1 (1149581) | more than 2 years ago | (#38045834)

The Invisible Hand of the Free Market is obviously ensuring that the best and brightest aren't under corporate control. The Russian Mafia is bad enough. Can you imagine if Monsanto got hold of some real programmers?

### So you also hate people in the military? (0)

#### Anonymous Coward | more than 2 years ago | (#38046048)

this is a profession now. Given the absence of any sense of morality among the most intelligent of our young people, money buys all the talent the criminals need. But these guys will work for anybody who has money. The TLAs of the government, for instance.

You treat this like it is evil, and also make the reasonable assumption that a TLA of some government is behind this. I don't see how those go together really, unless you think it is evil for a person to support his country. How is this any different from a person paid to operate a submarine, bomber, or tank? It looks the same to me.

### Re:If only my boss had said such nice things about (4, Insightful)

#### thsths (31372) | more than 2 years ago | (#38046174)

> There is nothing more dangerous than smart people without a moral compass.

That's funny, because it seems that is exactly the combination you need to be successful nowadays...

### Re:If only my boss had said such nice things about (2)

#### garaged (579941) | more than 2 years ago | (#38046338)

Of course for a defined/limited version of "success"

### Re:If only my boss had said such nice things about (0)

#### Anonymous Coward | more than 2 years ago | (#38046534)

Too true. On the other hand, depends how you define success.

### Re:If only my boss had said such nice things about (1)

#### mortonda (5175) | more than 2 years ago | (#38047712)

Except stupid people without a moral compass that end up in congress...

### Re:If only my boss had said such nice things about (1)

#### FhnuZoag (875558) | more than 2 years ago | (#38047286)

Wasn't Stuxnet connected with the US government in the end? Could there be a governmental connection with Duqu as well?

### Re:If only my boss had said such nice things about (0)

#### Anonymous Coward | more than 2 years ago | (#38047694)

RE:"There is nothing more dangerous than smart people without a moral compass."
Yes there is,
Stupid people in large groups.
Like Democrats

### Re:If only my boss had said such nice things about (2)

#### inviolet (797804) | more than 2 years ago | (#38047778)

Given the absence of any sense of morality among the most intelligent of our young people, money buys all the talent the criminals need. But these guys will work for anybody who has money. The TLAs of the government, for instance. Or non-governmental agencies with an interest in destruction. There is nothing more dangerous than smart people without a moral compass.

I'd noticed that too. Religion was once the source of our moral compass, but it is thoroughly discredited now, and no replacement has risen to the task. Leftism sort of tried with various Collectivist / Utilitarian approaches, but was doomed to fail by its Skepticist "No one can be certain of anything" ideological foundation.

Evolution hasn't prepared us for the post-religion era.

### wtf... (3, Insightful)

#### snero3 (610114) | more than 2 years ago | (#38046486)

"The Duqu gang has an affinity for Wednesdays,"Raiu said. "They have repeatedly attempted to steal information from these systems on Wednesdays. This probably indicates a strong routine, almost military type."

or they are just fucking with you!

### Really (1)

#### splash12 (2507206) | more than 2 years ago | (#38046646)

how to get this Duqu worm in computer and how do you come to know that from the worm they tried to steal information on Wednesday splash12 [thetorontolimo.com]

### Slashdot, free server load crowd-sourcing. (0)

#### Anonymous Coward | more than 2 years ago | (#38046966)

"This account has been suspended..."

Strange, I've never seen that happen with a Slashdot link before.
