NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
Collaborative Security: Invite 2 HASH PotLuck Dinr
[SecCheck Screenshot]
As I alluded to last week, PSloss and I are hard at work on the next version of SecCheck (our Windows forensic scanner)...we've gotten the first phase done and are now looking to populate our SHA1 Hash database from the user community (so that we can know which files we can and can't be trusted).
Here's your chance to help by participating in what I'm calling a Hash PotLuck "Dinner" of sorts..you know, that's where everyone brings a small dish to make a larger meal (ok so my humor is super-dry). We need the SHA1 hashes from as many systems as possible in order to build a central store of trusted files.
We've totally automated the collection process into the new SecCheck Collector/Forensic scanner which you can get here
After download:
Click: Do Check (wait 30s - 1 minute while info is collected) Click: Submit results to mNW (wait 10-30s to upload)
After submission the app will pop a browser window to a SubmissionStatus window...the backend server will process your submission in 1-2 minutes...refresh the page after a while to see how the hashes collected on your system compare to those submitted to others.
Here's the report from my own system so you can see what it looks like:
»seccheckuploadv2.mynetwatchman.c···ionID=68
GREEN shows files where *multiple* users have submitted the same hash, so file is much more likely legit.
YELLOW shows files where you are the only one reporting that hash, so file can not be assumed to be legit. This doesn't mean it's malware, but may just be exotic stuff that not many are running. In the report from my system above you see Ethereal stuff all over the place.
The makeup of this report will change over time as more and more folks submit hashes, so you may want to refresh the page a day or so later and you should see more GREEN and less YELLOW.
You can also see the entire hash database collected so far here:
»seccheckuploadv2.mynetwatchman.c···List.jsp
Right now we've got data from about 25 systems...we need hundreds in order to properly identify "legitimate" executables...so please take a few minutes to contribute.
The SecCheck .EXE can also be run in text mode vs. XML...feel free to use the 'Do Text Check' if you want to produce more human-readable output for your own use in cleaning systems.
As not everyone here knows about myNetwatchman, I would appreciate it if a few long-timers would drop a few kind words so everyone knows this whole effort is legit.
Thanks in advance for all your help. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch
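The GREEN/YELLOW logic described in this post, as an added example that is not SecCheck's or myNetWatchman's own code: a small central store that records which machines reported each SHA1 and colors a machine's files by how many distinct reporters share the hash. The machine names, paths and file bytes below are constructed so the example runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventories, one per contributing machine, keyed by
# path with the file's bytes as the value. A real collector hashes the
# executables on disk; short byte strings stand in for them here.
# Machine names, paths and contents are made up for this example.
SAMPLE_INVENTORIES = {
    "HOST-A": {
        r"C:\WINDOWS\system32\kernel32.dll": b"kernel32 build 5.1.2600",
        r"C:\Program Files\Ethereal\ethereal.exe": b"ethereal 0.10.x",
    },
    "HOST-B": {
        r"C:\WINDOWS\system32\kernel32.dll": b"kernel32 build 5.1.2600",
        r"C:\WINDOWS\system32\xpupdate.exe": b"unknown binary",
    },
    "HOST-C": {
        r"C:\WINDOWS\system32\kernel32.dll": b"kernel32 build 5.1.2600",
    },
}


def sha1_hex(data: bytes) -> str:
    """Upper-case hex SHA1, the form the SecCheck report shows."""
    return hashlib.sha1(data).hexdigest().upper()


class HashPotluck:
    """Central store: for each SHA1, which machines reported it and at what paths."""

    def __init__(self):
        self.reporters = defaultdict(set)  # sha1 -> {machine, ...}
        self.paths = defaultdict(set)      # sha1 -> {path, ...}

    def submit(self, machine: str, inventory: dict) -> int:
        """Record one machine's inventory; returns how many hashes were new to the store."""
        new = 0
        for path, data in inventory.items():
            digest = sha1_hex(data)
            if digest not in self.reporters:
                new += 1
            self.reporters[digest].add(machine)
            self.paths[digest].add(path)
        return new

    def color(self, digest: str) -> str:
        """GREEN: two or more distinct machines reported this hash.
        YELLOW: exactly one machine has. UNKNOWN: never submitted."""
        n = len(self.reporters.get(digest, ()))
        if n == 0:
            return "UNKNOWN"
        return "GREEN" if n >= 2 else "YELLOW"

    def report(self, inventory: dict) -> dict:
        """Per-path color for one machine's files, like the SubmissionStatus page."""
        return {path: self.color(sha1_hex(data)) for path, data in inventory.items()}


def build_and_report():
    """Load every sample inventory, then produce HOST-B's report."""
    store = HashPotluck()
    for machine, inventory in SAMPLE_INVENTORIES.items():
        store.submit(machine, inventory)
    return store, store.report(SAMPLE_INVENTORIES["HOST-B"])


if __name__ == "__main__":
    _, report = build_and_report()
    for path, color in report.items():
        print(f"{color:7} {path}")
```

The store counts distinct reporting machines rather than submissions, so a user who uploads twice (as with the duplicate SubmissionIDs later in the thread) cannot promote their own singleton file to GREEN. GREEN is a prevalence signal, not a verdict: it says many contributors carry the same bytes, which is why the thread still recommends scanning YELLOW files by hand rather than treating the color as proof either way.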
cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
3 edits Re: Collaborative Security: Invite 2 HASH PotLuck
Having been a myNetWatchman contributor for several years, I will state that it is quite legit. If you're concerned about the legions of botnets continually probing your firewall, but not interested in manually reporting them yourself, MNW is an excellent way of aggregating your observations with thousands of other MNW contributors.
Not too many ISPs will be interested in your solitary report of a handful of probes that you recorded, but a MNW intrusion report, aggregated from a dozen or so MNW members, might get their attention.
If Lawrence and Philip are now asking for software hashes of our systems, so they can generate a database of normals, and then work on Windows forensics, I'm happy to contribute. And you should do so too. All of us could benefit from this. -- Cheers, Chuck MS-MVP [Windows - Networking] PChuck's Network
dannyboy 950 Premium join:2002-12-30 Port Arthur, TX
reply to NetWatchMan Re: Collaborative Security: Invite 2 HASH PotLuck Dinr
Well I contributed to the cause, a worthwhile effort. When I was using ZA I reported regularly; unfortunately I started using Sygate and it wasn't supported.
Not sure what those yellow AVG files were all about but there ya have em. Personally I don't ever remember AVG catching any virus.
Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
1 edit reply to NetWatchMan Re: Collaborative Security: Invite 2 HASH PotLuck
It doesn't work (it runs but doesn't collect data) on a Win9x system, if it matters at all. Otherwise I'll submit from other systems.
edit: correction, it doesn't display the data (in the box) but it does save it to XML and clipboard
Cudni
dannyboy 950 Premium join:2002-12-30 Port Arthur, TX
After ya wait a lil bit ya hit refresh and it will show the data.
NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
reply to Cudni
If you have problems, please post what your SubmissionID was so I can look it up.
We're having some problems with character encoding when users are in foreign character sets...I'm assuming this was the case here...
UND-DESKTOP
If so, I manually deleted the offending character and then it was able to process. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch
seqrets Premium join:2001-05-03 Nederland, TX
reply to NetWatchMan Re: Collaborative Security: Invite 2 HASH PotLuck Dinr
SubmissionIDs 78 & 79. Same results. Seccheck saved and executed from the Desktop.
cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
Re: Collaborative Security: Invite 2 HASH PotLuck
said by seqrets :SubmissionIDs 78 & 79. Same results. Seccheck saved and executed from the Desktop.
Refresh after a couple minutes. -- Cheers, Chuck MS-MVP [Windows - Networking] PChuck's Network
GadgetsRme R.I.P. dadkins Premium join:2002-01-30 Canon City, CO 2 edits
reply to NetWatchMan
Tossed my bit in the pot. I received a browser could not start error after submission. IE shows the XML file as text even if I allow ActiveX. Where in the file do I find the submission #? -- Gadgets
Sunday_Money @mtaonline.net
reply to NetWatchMan Re: Collaborative Security: Invite 2 HASH PotLuck Dinr
Agent Sunday_Money reporting for duty.
Submission ID 88 & 89 no dice.
NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
SubID 82 killed the parser batch job due to a file length problem...I fixed that and restarted...everything through 89 is processed now.
We're up to 8869 Hashes (started the day with about 7000).
Keep it coming. Once we get this encoding problem fixed it shouldn't get stuck anymore. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch
NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
To Machine Name: KAI SubmissionID 86
What is: /windows/system32/XPupdate.exe ???
It's a relatively new file, you're the only submitter for this hash, and it has a suspicious name.
Here's the startup key for it:
localaudit133443
You've also got a 'winupdate.exe' that looks questionable.
Suggest you virus scan each of these files manually with:
»virusscan.jotti.org/ -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch
Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
Host: Security Product V.. Security
reply to NetWatchMan Re: Collaborative Security: Invite 2 HASH PotLuck
They are both worms / Trojans, spreading through shares. Winupdate.exe is also a remote access Trojan allowing complete remote control over the system. XPupdate -- You can catch the Devil, but you can't hold him long.
NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
said by Wildcatboy :They are both worms / Trojans, spreading through shares. Winupdate.exe is also a remote access Trojan allowing complete remote control over the system. XPupdate
Could be, but you really can't go by the file names.
Eventually, we're going to enable seccheck to copy all the active files back to the central repository too...then we can do a centralized virus scan on them and provide any detected signatures back in the report...thus enabling user virus scans without even having to download a scanner.
FileID:443 path: C:\WINDOWS\system32\xpupdate.exe Size: 81100 SHA1: C08B434D5E8D1493C9DE402986828B5B3B316215
If we already have the hash in our database and it's scanned..then even the server doesn't have to scan it again...this should enable a partial virus scan *of just active files* within 1-2 minutes. Try that with a traditional AV scanner. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch
psloss Premium join:2002-02-24 Alpharetta, GA
1 edit reply to Cudni
said by Cudni :It doesn't work (it runs but doesn't collect data) on Win9x system, if at all matters. Otherwise i'll submit from other systems  edit: correction it doesn't display the data (in the box) but it does save it to xml and clipboard Cudni
Thanks for the feedback; it's been a while since I've dealt with 16-bit USER heaps! The 9x edit control is probably punting on anything greater than 32K, though I haven't confirmed. On one system, I get a display; on another, it behaves just as you note.
Edit: correction, make that 64K for 16-bit edit controls.
But that error is noted; the user interface in this "demo" is too "busy" for a broad audience, so I don't know that we'd have all these intermediate steps in a practical submission UI. I'll look into displaying truncated text...
Thanks again,
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
reply to NetWatchMan Re: Collaborative Security: Invite 2 HASH PotLuck Dinr
What's this acronis thingy I see so many people running?
\program files\common files\acronis\schedule2
We haven't figured it out yet but this file name is what's breaking our XML encoding...which is odd as I don't see any foreign characters in the name. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch
jimkyle Btrieve Guy Premium join:2002-10-20 Oklahoma City, OK
reply to NetWatchMan
Submission ID = 95, status page gives list length of 0 and no data...
I saved the XML to my local HD and can send again if need be. O/S is Win95SE if that makes any difference...
BeesTea Network Janitor Premium,VIP join:2003-03-08 00000
reply to NetWatchMan Re: Collaborative Security: Invite 2 HASH PotLuck
Some kind of disc imaging software.
»www.acronis.com/
Thanks for your work !! -- Captain of the ATU Tux Racer Clan.
psloss Premium join:2002-02-24 Alpharetta, GA
reply to jimkyle
said by jimkyle :Submission ID = 95, status page gives list length of 0 and no data... I saved the XML to my local HD and can send again if need be. O/S is Win95SE if that makes any difference...
Did you mean Win98 Second Edition?
If not, I don't think we'll be able to support anything earlier than the original Windows 98 release, at least not initially. Can't remember the functionality differences between Win95 OSR2 and Win98, but there were a couple of issues, I believe.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
psloss Premium join:2002-02-24 Alpharetta, GA
reply to NetWatchMan
said by NetWatchMan :We haven't figured it out yet but this file name is what's breaking our XML encoding...which is odd as I don't see any foreign characters in the name.
Strange: if I give us the benefit of the doubt and assume that we're collecting the information correctly, here's what we got:
0x00007500: 65 67 53 74 61 72 74 75 70 3E 0D 0A 09 09 3C 72  egStartu p>....<r
0x00007510: 65 67 53 74 61 72 74 75 70 20 6C 6F 63 61 74 69  egStartu p locati
0x00007520: 6F 6E 49 44 3D 22 34 22 3E 3C 6E 61 6D 65 3E 41  onID="4" ><name>A
0x00007530: 63 72 6F 6E 69 73 A0 54 72 75 65 A0 49 6D 61 67  cronis.T rue.Imag
0x00007540: 65 20 4D 6F 6E 69 74 6F 72 3C 2F 6E 61 6D 65 3E  e Monito r</name>
0x00007550: 3C 74 79 70 65 3E 31 3C 2F 74 79 70 65 3E 3C 73  <type>1< /type><s
0x00007560: 69 7A 65 3E 35 38 3C 2F 73 69 7A 65 3E 3C 66 69  ize>58</ size><fi
0x00007570: 6C 65 49 44 3E 33 30 31 3C 2F 66 69 6C 65 49 44  leID>301 </fileID
0x00007580: 3E 3C 2F 72 65 67 53 74 61 72 74 75 70 3E 0D 0A  ></regSt artup>..
...which would appear to be a strange variant on HTML encoding in a text string, roughly:
Acronis True Image Monitor
Oddly, there's no consistency in the way they are using different space characters. In that string, two are the "non-breaking" type and the third is not. In other strings, there are no non-breaking spaces.
At any rate, it's just an encoding issue for us.
Philip Sloss
-- Feedback? e-mail: stuff@lupwa.org
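The encoding failure discussed in the last few posts, as an added example that is not SecCheck's code: the bytes below are reconstructed from the hex dump above (the <regStartup> element at offsets 0x750E through 0x758D, wrapped in a constructed <root> so it parses on its own). The example locates the non-ASCII bytes, shows that the parser rejects the raw 0xA0 bytes because it assumes UTF-8, and repairs the document by transcoding from a single-byte Windows code page. That the collector wrote cp1252 is an assumption; latin-1 maps 0xA0 to U+00A0 as well.

```python
import xml.etree.ElementTree as ET

# Bytes reconstructed from the hex dump in the post above: one <regStartup>
# element whose <name> text holds two raw 0xA0 bytes where the registry value
# used non-breaking spaces. The <root> wrapper is constructed for this example.
RAW_FRAGMENT = (
    b'<regStartup locationID="4"><name>Acronis\xa0True\xa0Image Monitor</name>'
    b"<type>1</type><size>58</size><fileID>301</fileID></regStartup>"
)
DOC = b"<root>" + RAW_FRAGMENT + b"</root>"


def find_non_ascii(data: bytes) -> list:
    """(offset, byte) for every byte outside 7-bit ASCII. These are the bytes
    a UTF-8 XML parser rejects unless they form valid multi-byte sequences."""
    return [(i, b) for i, b in enumerate(data) if b > 0x7F]


def parses_as_is(doc: bytes) -> bool:
    """Feed the bytes to the parser untouched. With no XML declaration the
    parser assumes UTF-8, and a lone 0xA0 is not a valid UTF-8 sequence,
    so this returns False for the captured document."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def transcode(doc: bytes, source_codepage: str = "cp1252") -> bytes:
    """Decode with the single-byte code page the collector is assumed to have
    written (assumption: Windows-1252), then re-encode as UTF-8 so U+00A0
    becomes the valid two-byte sequence C2 A0. cp1252 leaves a few bytes
    (0x81, 0x8D, ...) undefined; pass "latin-1" if a capture contains those."""
    return doc.decode(source_codepage).encode("utf-8")


def startup_names(doc: bytes) -> list:
    """Parse the repaired document and return every <name> text with NBSP
    folded to an ordinary space, so "Acronis True Image Monitor" compares
    equal whichever kind of space the registry value happened to use."""
    root = ET.fromstring(transcode(doc))
    return [n.text.replace("\u00a0", " ") for n in root.iter("name")]


if __name__ == "__main__":
    print("non-ASCII bytes:", find_non_ascii(RAW_FRAGMENT))
    print("parses untouched:", parses_as_is(DOC))
    print("startup names:", startup_names(DOC))
```

Transcoding at the collector (or declaring the real encoding in the XML prologue) is the durable fix; stripping the "offending character" by hand, as done earlier in the thread, silently changes the name that gets hashed and compared.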