Monday, November 28, 2005

wormed pt deux!

So I got home and ran an AVG scan.. nothing came up.. I got bored and tired of waiting (short attention span?) so I cancelled the scan and started poking around the system myself. I know that whatever worm has infected my machine would need to drop a copy of itself somewhere in the system. And most importantly, it will need a trigger to start itself up each time the system boots. Where else to check for this other than in the registry!

Poke poke regedit!
True enough, I found a rather suspicious looking file in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
It was loading a file called csnss.exe under the name "System Monitor". The entry was "System Monitor" = "csnss.exe", and there was another copy of it at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices as well. I know that this is not right; it looks a lot like a typical worm trigger to me. So poof, I deleted them, only to find the values restored when I loaded up regedit again.

The worm is in memory! And true enough, I found 2 instances of csnss.exe running in my task manager.

TCP hog
Knowing that the worm is still in memory, I did a quick check of my outgoing connections. And I found that I have a lot of connections out to port 445 of random IP addresses within my home network. The virus is trying to propagate!
E:\Documents and Settings\root>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP rumah:epmap rumah:0 LISTENING
TCP rumah:microsoft-ds rumah:0 LISTENING
TCP rumah:61190 rumah:0 LISTENING
TCP rumah:1033 rumah:0 LISTENING
TCP rumah:10110 rumah:0 LISTENING
TCP rumah:netbios-ssn rumah:0 LISTENING
TCP rumah:1037 xdsl-87-78-63-92.netcologne.de:4661 ESTABLISHED

TCP rumah:1322 192.168.73.201:ms-sql-s SYN_SENT
TCP rumah:1323 192.168.106.44:microsoft-ds SYN_SENT
TCP rumah:1324 192.168.131.139:microsoft-ds SYN_SENT
TCP rumah:1325 192.168.100.105:ms-sql-s SYN_SENT
TCP rumah:1326 192.168.144.204:microsoft-ds SYN_SENT
TCP rumah:1327 192.168.22.25:microsoft-ds SYN_SENT
TCP rumah:1328 192.168.243.129:ms-sql-s SYN_SENT
TCP rumah:1329 192.168.187.27:microsoft-ds SYN_SENT
TCP rumah:1330 192.168.95.51:microsoft-ds SYN_SENT
TCP rumah:1331 192.168.72.253:ms-sql-s SYN_SENT
UDP rumah:tftp *:*
UDP rumah:microsoft-ds *:*
UDP rumah:isakmp *:*
UDP rumah:1029 *:*
UDP rumah:1036 *:*
UDP rumah:4500 *:*
UDP rumah:ntp *:*
UDP rumah:1900 *:*
UDP rumah:62515 *:*
UDP rumah:62517 *:*
UDP rumah:62519 *:*
UDP rumah:62521 *:*
UDP rumah:62523 *:*
UDP rumah:62524 *:*
UDP rumah:ntp *:*
UDP rumah:netbios-ns *:*
UDP rumah:netbios-dgm *:*
UDP rumah:1900 *:*

E:\Documents and Settings\root>
Culprit?
An interesting finding... it seems there's a host outside of my home network that my machine is connecting to. Could be the worm calling home and sending information from my machine.

TCP rumah:1037 xdsl-87-78-63-92.netcologne.de:4661 ESTABLISHED

Or maybe it's just my machine connecting via the eDonkey protocol, which runs on port 4661 on that machine. Hmm, I didn't have any P2P running at the time I took the netstat reading.. suspicious.. suspicious...

I quickly killed both of the csnss.exe processes and proceeded to remove the 2 registry entries above. Success! I rebooted and checked again, and no more worm processes were spawned from the registry. Ran a quick Windows Update to plug whatever holes the worm came in through and started my forensic investigation.
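As an added example (my code, not from the post), here is a small Python triage script that does what the netstat check above does by hand: it parses a constructed listing modelled on the one above, flags the fan-out of half-open (SYN_SENT) connections to many distinct hosts on the SMB/SQL ports, and lists established sessions to peers outside the machine and private address ranges as call-home candidates. The names SAMPLE, parse_netstat, find_scan, is_private and external_established are mine.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample modelled on the netstat -a output in the post (abridged).
SAMPLE = """\
  Proto  Local Address   Foreign Address                        State
  TCP    rumah:1037      xdsl-87-78-63-92.netcologne.de:4661    ESTABLISHED
  TCP    rumah:1322      192.168.73.201:ms-sql-s                SYN_SENT
  TCP    rumah:1323      192.168.106.44:microsoft-ds            SYN_SENT
  TCP    rumah:1324      192.168.131.139:microsoft-ds           SYN_SENT
  TCP    rumah:1325      192.168.100.105:ms-sql-s               SYN_SENT
  TCP    rumah:1326      192.168.144.204:microsoft-ds           SYN_SENT
  TCP    rumah:1327      192.168.22.25:microsoft-ds             SYN_SENT
  UDP    rumah:tftp      *:*
"""

# One netstat row: proto, local host:port, foreign host:port, optional state (UDP has none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, _lhost, _lport, rhost, rport, state = m.groups()
            rows.append({"proto": proto, "rhost": rhost, "rport": rport, "state": state or ""})
    return rows

def find_scan(rows, threshold=5):
    """SYN_SENT to >= threshold distinct hosts is the scanning signature; else None."""
    half_open = [r for r in rows if r["proto"] == "TCP" and r["state"] == "SYN_SENT"]
    hosts = {r["rhost"] for r in half_open}
    if len(hosts) < threshold:
        return None
    return {"hosts": len(hosts), "ports": dict(Counter(r["rport"] for r in half_open))}

def is_private(host):
    """True for RFC 1918 / loopback literals; hostnames are treated as not private."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return False

def external_established(rows, local_name="rumah"):
    """ESTABLISHED sessions to peers that are neither this box nor a private address."""
    return [(r["rhost"], r["rport"]) for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["rhost"] != local_name and not is_private(r["rhost"])]
```

On a real box, pipe the output of `netstat -a` into parse_netstat instead of SAMPLE; the threshold is a tunable, since a handful of SYN_SENT rows is normal while dozens to random neighbours on port 445 is not.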

To be continued with my forensic investigation of how I got wormed in the first place...

Sunday, November 27, 2005

wormed!

This is how I found out that I got wormed!
I'm not very sure which worm, but my rough guess is that it's Sasser. Sigh.. a day after setting up my PC again and running auto-update, my boxen is infected by Sasser. I'm running Windows XP Pro with Service Pack 2 btw.

The Good and the Bad
The good thing about Service Pack 2 is that there is now a limit on the number of concurrent TCP connections that a machine can make. While this totally sucks for P2P, it is good for preventing mass-broadcasting worms/viruses/spyware from trying to infect other machines in your network, keeping the spread to a minimum.

Symptoms
My machine would behave normally for a few seconds after XP started and be totally fucked up seconds after.. I couldn't get any web traffic, so the first thing I suspected was TMNET sucking again. So I tried to access my router's web GUI to reconnect to the ISP and found that I wasn't able to do that, or half the time the response was very very slow.

My NIC (Network Interface Card) fucking up? Checked the event log and found no hardware errors registered, but something caught my eye instantly. An error saying "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts".. hmm suspicious, suspicious...

Somehow I managed to get into my router's web GUI a few seconds after reboot, and I saw in the outbound traffic log a lot of traffic to port 445 of arbitrary IP addresses in my local network. Just random IP addresses in the 192.168.xxx.xxx range.. where have I seen this before?

My heart immediately screams "Worm broadcasting packets!".. OK then, we'll have to clean that up. Load up that antivirus!

Next step
It was about time for me to head to the office and I didn't have enough time to launch an AVG full system scan. I'll do it tonight and continue this post with my findings.

-to be continued -

Thursday, November 24, 2005

for shame!

Bernama.com
Malaysian National News Agency

Video Of Naked Woman Forced To Do 'Ear Squat' Creates Sensation
General
November 24, 2005 20:30 PM
KUALA LUMPUR, Nov 24 (Bernama) -- A video clip showing a naked woman, believed to be a Chinese national, making an "ear squat" while being observed by a policewoman created a sensation at a news conference in Parliament House, Thursday.

The policewoman was wearing a "tudung" while a background voice recited verses from the Quran in the 30-second recording which ended with the woman being asked to put on her clothes again.

The video, said to be recorded secretly by using a camera phone, was viewed by Home Affairs Minister Datuk Azmi Khalid, Minister in the Prime Minister's Department Datuk Seri Mohamed Nazri Abdul Aziz and Opposition Leader Lim Kit Siang.

It was shown on the screen of a laptop computer by DAP MP for Seputeh, Teresa Kok Suh Sim.

The case became public after a photograph of the woman in the video was published in a Chinese language newspaper today.

Mohamed Nazri and Azmi, who were asked for their comments afterwards, described the incident as "terrible" and "shameful" while Lim demanded immediate action to prevent a recurrence.

Mohamed Nazri, who is also chairman of the parliamentary human rights caucus comprising both government and opposition MPs, said the video was evidence that allegations of such incidents did occur.

He said he would show the recording to Prime Minister Datuk Seri Abdullah Ahmad Badawi and his deputy Datuk Seri Najib Tun Razak.

"I believe PM and DPM will order an immediate investigation," he said.

Asked whether stripping a suspect was part of the police's investigation procedure, he said it was not right.

-- BERNAMA

*** absolute power corrupts absolutely if you ask me. What reason would you have to make people strip down and ketuk-ketampi naked other than to satisfy your own sadistic sick mind? You're the police, a woman even.... I guess this is another case of gatal tangan backfiring when the video they took secretly leaked out and got to the public.

I have a copy of that video, available upon request (leave your email in comment) and verification that you are over 18...

For shame!

opss...

As part of the team providing real-time machine reporting at my company, I wrote a client software and a few hours ago did a pilot run on a few machines. To me everything went very well; the status parameters previously unknown to management suddenly became visible through our spiffy new web-based report. Real-time rocks baby!

Right away my management noticed that all this while the machines (the ones I piloted my client software on, and possibly more) were wrongly configured, thus causing the maximum output for those machines to be limited to only 50% of the machines' capabilities. This means that the company is paying double the cost (when you put dollars and cents to it) for each unit of product that goes through the machine. That's a lot of loss, that's a few million dollars! maybe even billions... ok I'm being dramatic here.. :P

A big hoohaaaa followed when emails started to fly from management to the responsible parties and opss, my name and my client software were in the emails.. I think I'm liked less now down at the production floor. :P I can see it now.. *** scene of me, instead of Keller, being shanked by an unknown inmate in a dark storage room in Oz **

Sorry guys, I'm under orders to do that...

Wednesday, November 23, 2005

she dreamt of..

mommy : zoe, look in the fridge and write on a piece of paper what we're out of...
little zoe : mommy how do we spell 'milk'... we're out of milk...


** my eyes got dust masuk inside

Monday, November 21, 2005

zouk abuse

interesting read..

I'm not even sure where Zouk is, but I think I've driven by the place once when I got lost (yes, I do get lost sometimes) around the Jln Ampang / KLCC area..

But really, what do you expect from thugs hired by clubs as bouncers? They are thugs hired for their aggressiveness and their lack of thinking ability.

What? You expect club management to conduct IQ/EQ tests when hiring bouncers? A security company manager once told me that the way he interviews bodyguards-to-be is to ask 2 candidates to beat each other up. The one with fewer black-and-blues gets the job. You depend on their brutality, and sadly but surely brutality does not come with much intelligence.

I feel sorry for the couple that was beaten up in Zouk for nothing.. I hope they get justice and those responsible are brought to court. Bouncers or not, nobody should be beaten up with the thug getting away with it just because they are hired hands..

For the record, I'm not into clubbing; the last club I went to was Hard Rock Cafe for dinner, and we quickly left before it turned into a discotheque for the rest of the night.

munchkins withdrawal

it gets really REALLY lonely without munchkins here .... it's only the first day and I'm already getting an ulcer in my mouth.. :(

Thursday, November 17, 2005

bodohkah kita? (are we stupid?)

I read this piece on john labu's blog and immediately felt disgusted. The worst thing about this whole thing is that we seem to be too lenient to criminals. Needless to say, a lot of the time criminals in this country, from the lowly snatch thieves to the hardcore geng mamak, have been in and out of jail. It's like a resort for them. Heck, free meals and a place to sleep on the tax-payer's dime.

We're stupid to think that these people can somehow repent after their 45th time in jail. I'm all for a 3-strikes rule like the one in the US. The 3rd jail term you get should be for life. Don't wait for the criminal to graduate to murder before putting him away for good. Prevent now! Not react later!

Same goes for drug junkies.. 3rd visit to the rehabilitation center should be the last one. If it's up to me I'd give them 2 syringes .. 1 with enough drug to OD them to death and the other one cyanide. It's death either way you go.

Wednesday, November 16, 2005

halal? I hope so

I've always wondered if those turkeys being sold in Carrefour are actually halal to eat. I'm sure most of you guys out there may have also seen them and wondered.. Here's a picture that we took of the halal certification sticker on the frozen bird.


So I checked out the producer's official website and found that they claim to produce halal frozen poultry. The halal logo on the tag was a little different though.. see below..


Hmmm.... maybe a new halal logo? Who is this Halal Food Council S.E.A. anyway? So I did a check on Google and found that the same party was mentioned as a Halal certifier in this web document on Jabatan Perkhidmatan Haiwan Malaysia and also in this document on the USDA (US Dept of Agriculture) Foreign Agricultural Service. Here's an HTMLized version thanks to Google. It seems from the document that as of Nov last year (2004) JAKIM had 3 recognized Halal certifiers in the US, and one of them is the Halal Food Council S.E.A. Interesting..

I've sent the picture and the related URL to JAKIM and am awaiting their answer. Will post here once I get any reply from JAKIM. Meanwhile munchkins is looking forward to browsing for some roasted turkey recipes.

Sunday, November 13, 2005

Tuesday, November 8, 2005

Selamat Hari Raya :)

Selamat hari raya from the both of us.

My first time celebrating raya with munchkins' family in Kuala Kurau. I missed my mom & siblings on raya day, but raya at Kuala Kurau was not bad either.

Check out munchkins' blog entry for muchos muchos raya pictures.. and I have an exclusive raya video for all of you here.. the cutest little girl singing what is soon to be a new hit.