
Strategies For Locating Malware?


(PeteCresswell)

May 6, 2012, 9:51:04 PM5/6/12
Emails are being sent from a friend's AOL account with her
address in From: and always eight addresses in "To:" (at least in
the ones I've seen).

I'm running MalwareBytes and McAfee's scans on the PC now. Dunno
about a boot-time scan yet, since I can't be there physically.

When I spot-check the nine spams I have on hand, most of the
"TO:" addresses can be found in the person's AOL address book.
The few that cannot look like they might be "From:" addresses in
emails that she has received (e.g.
postm...@e-statements.ezpassnj.com)

I just edited her AOL address book and changed my own address to
one that I will receive - but know it could have come from only
one place.


But what now?

Suppose I start getting spammed at the new address?

Would that strongly suggest that the culprit is running on her
PC? Or could the AOL address book be in the cloud?

Does anybody have any suggestions for finding this thing and
driving a stake through its heart?
--
Pete Cresswell

David H. Lipman

May 6, 2012, 10:23:29 PM5/6/12
From: "(PeteCresswell)" <x...@y.Invalid>
Change the AOL account password and make it a Strong Password.
http://en.wikipedia.org/wiki/Password_strength



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Shadow

May 6, 2012, 10:56:17 PM5/6/12
On Sun, 06 May 2012 21:51:04 -0400, "(PeteCresswell)" <x...@y.Invalid>
wrote:
Probably won't have to go that far unless it's a vampire.
Li'll old trick I learnt, works for goo...gle aagghhh, and
probably others.

Send yourself a letter addressed to

PeteCresswell+s...@your.email.server.com

Don't forget the "+" between your username and the random
letters.

see if you receive it, look at the headers.

Get the idea ?

[]'s



--
Don't be evil - Google 2004
We have a new policy - Google 2012
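The trick above and Pete's earlier step of planting an address that "could have come from only one place" are the same detection idea: one tagged (plus-addressed) canary per store, then matching the recipients of each spam against the canaries to learn which store was harvested. The following is an added example, not code from anyone in this thread; the canary addresses, the `example.com` domain and the sample message are constructed.

```python
import email
from email.utils import getaddresses

# Constructed example: one plus-addressed canary per place the real address was stored.
# Keys are the stores being watched; values are the addresses planted in each store.
CANARIES = {
    "aol_addressbook": "pete+aolbook@example.com",
    "local_outlook": "pete+outlook@example.com",
    "mailing_list": "pete+list@example.com",
}


def canary_for_store(local_part, domain, store_tag):
    """Build a plus-addressed canary (local+tag@domain) to plant in one store."""
    return f"{local_part}+{store_tag}@{domain}"


def recipients(raw_message):
    """Return all lower-cased recipient addresses from the To: and Cc: headers."""
    msg = email.message_from_string(raw_message)
    found = []
    for header in ("To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.append(addr.lower())
    return found


def canary_hits(raw_message, canaries=CANARIES):
    """Return the set of store names whose canary address appears as a recipient."""
    lookup = {addr.lower(): store for store, addr in canaries.items()}
    return {lookup[a] for a in recipients(raw_message) if a in lookup}


# Constructed sample in the shape described in the thread: several recipients
# in To:, a two-line body, and the canary that was planted only in the AOL
# address book among the recipients.
SAMPLE_SPAM = """\
From: friend@example.net
To: alice@example.org, pete+aolbook@example.com, bob@example.org, carol@example.org
Subject: hello

..Choose the easiest way to earn money
http://spam.example.invalid/
"""

if __name__ == "__main__":
    print(canary_hits(SAMPLE_SPAM))  # {'aol_addressbook'}
```

A hit tells you which store was read, not from where it was read: a cloud-hosted address book can be pulled by a remote party holding the account password just as easily as by malware on the PC, so a canary only narrows the data source, and the password change still applies. Also, as this thread goes on to show, some providers reject plus-addressed recipients, so send yourself a test message to each canary and confirm delivery before relying on it.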

(PeteCresswell)

May 7, 2012, 9:08:13 AM5/7/12
Per Shadow:
>Send yourself a letter addressed to
>
> PeteCresswell+s...@your.email.server.com
>
> Don't forget the "+" between your username and the random
>letters.
>
> see if you receive it, look at the headers.
>
> Get the idea ?

That one whizzed right over my head.

I tried sending an email to Peter_Cre...@FatBelly.com and
AOL's address check popped a dialog saying that "XYZ" was
suspicious.

I overrode the warning and told it to just send the message.

Then another dialog popped saying the message was not sent and I
should go to a "Challenge" page.

But when it tried to open the challenge page
(http://challenge.aol.com/en/us/spam.html) it threw "570 User
Identification Failed".

What would have been the implication of it had gone through and
appeared in my inbox? FWIW, I have a GoldList that would have
weeded out that "To:" address - or would I be looking for
somebody extracting my fake-but-deliverable address from the AOL
address book?
--
Pete Cresswell

Beauregard T. Shagnasty

May 7, 2012, 9:19:58 AM5/7/12
(PeteCresswell) wrote:

> Per Shadow:
>> PeteCresswell+s...@your.email.server.com
>>
>> Don't forget the "+" between your username and the random
>> letters.
>
> That one whizzed right over my head.
>
> I tried sending an email to Peter_Cre...@FatBelly.com and AOL's
> address check popped a dialog saying that "XYZ" was suspicious.

I do not see the plus sign (+) in your test address.

--
-bts
-One must not skip steps.

(PeteCresswell)

May 7, 2012, 9:40:19 AM5/7/12
Per Beauregard T. Shagnasty:
>I do not see the plus sign (+) in your test address.

Mea Culpa - didn't realize it was literally supposed tb there.

Just sent one to "PeteCresswell+s...@FatBelly.com"
and it did not get to me.

FWIW, one of those fake-but-deliverable addresses that I
substituted for my "real" address in the affected person's AOL
address book just received a spam: same deal as the others - 8
addrs in "To:", and just two lines in the body: an admonition to
check something out, and an accompanying link.

viz:
========================================================
..Choose the easiest way to earn money
http://www.marinadiportotorres.it/viev.site.php?jbSubCategoryId=46ce9
========================================================


I think I need to find out where this person's AOL address book
resides: in the cloud, or on her C: drive.

Would anybody agree?
--
Pete Cresswell

(PeteCresswell)

May 7, 2012, 9:52:31 AM5/7/12
Per (PeteCresswell):
>I think I need to find out where this person's AOL address book
>resides: in the cloud, or on her C: drive.

I think I have tentatively answered my own question: it seems to
reside in the cloud per
http://forums.mozillazine.org/viewtopic.php?f=39&t=2456369

Maybe I'm too immersed in this stuff for my own good, but that
looks butt-fugly to me.

So... I guess I still have no clue as to whether the culprit is
running on the user's PC or is hitting AOL from afar.

Now I'm thinking the next step sb to follow David's advice and
change the user's PW. Didn't want to do that at first bco
introducing additional user-confusion....

--
Pete Cresswell

Bear

May 9, 2012, 10:06:46 AM5/9/12
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:NPSdnX__ep68rzrS...@giganews.com:
Amazing (sadly) how users think they need software to compensate for
laziness or lack of initiative to come up with their own password
algorithm based on their own personal data (that they will always
remember) and which uses the domain to modify their password so it is
unique at every domain where they login.

There are lots of personal sources for components that you could use in
building your password:

- The consonants of your middle and last name up to, say, 4 chars long.
Reverse them if you like (probably not needed).
- Middle, last, and first initials of your name (or some other order).
- A couple digits from your birthdate, like last digit for the month and
last digit of your birthyear (e.g., 03/04/1980 use 30). Or use your
birthday and birthmonth in reverse order.
- The 2 contiguous digits in the middle of your SSN, or the 3rd digit
and the 7th digit, or more digits if you want more, and even reverse
them if you like.
- Just the consonants or just the vowels from your eye color shown on
your driver's license (versus what you'd like to have described as
your color) up to, say, a max of 3 characters long.

Lots of other components can be used to build the password all of which
come from your personal information that you will always remember. If
you choose to reverse the order of some of the components, do it on all
components so you don't have to remember which are forward or reverse
ordered. You might use 3 pieces of personal info which comprise 3
components or substrings of your password. Each uses the same scheme to
obfuscate from where that substring was derived. The order of these
components is always the same so not much to remember there (I'd suggest
the first component be alphabetic since some sites don't like passwords
that begin with numbers). Your personalized password would be all
lowercase. Some sites want a couple uppercase characters in the
password, so pick 2 or 3 characters that you uppercase. If the 1st
entry doesn't work, capitalize that fixed selection of characters and
try again. 2 tries and you'll get into a site that you don't remember
wants some uppercase characters in it.

Okay, so now you have a jumbled mess of characters based on personal
info which doesn't look like anything recognizable to others but is
always static (because that personal info is for your entire lifetime so
don't use a street address because you may move or a phone number that
may change). However, you don't want to use the same static password on
every site. You want to use the domain for the site to modify your
otherwise static string.

- Last N characters of the domain portion of the site's URL.
- First 2 characters and last 2 characters of their domain.
- For a really short domain (e.g., ibm.com), use some portion of the TLD
(.com, .net, .org, etc). Don't use the hostname ("www" is way too
common and the hostname may change at a domain but the domain is very
likely to remain the same for a long time or as long as you use it).

You use this domain-specific string, always the same for the domain
because your algorithm always picks the same set of characters from it,
to modify your otherwise static personal-info string. You could prepend
the domain modifier, append it, stick it in the middle, or something
crazy like insert each character from the domain string in every other
character position in the personal string.

Once you get used to this, it takes all of a couple of seconds to
cogitate when visiting a site as to what is your password there. Faster
than having to install or call up software to retrieve stored passwords.
You don't need to tote around the software on a laptop or thumb drive or
its database. You don't lose your password database because you lost
your USB memory stick. It's in your head. It's based on info that you
will always remember. Once you come up with the pieces of personal info
to use and in what order for each piece and for what order the pieces
are in your string, that pretty much becomes ingrained in your memory.
Then you just add in the domain to modify this string somehow (which is
always the same way) to make it unique at each site.

Considering how popular software like this is, it's sad that users are
incapable of remembering algorithms or that they think they have to
memorize multiple strings for unique passwords at different sites. I
use a password scheme that has just 2 components in it based on my
personal info and a 3rd component based on the domain where I am logging
in. The scheme gives me a strong password. At sites that require some
uppercase characters, it's always the same 2 eligible characters that I
use in my 2nd login attempt (because the 1st attempt was all lowercase).

It's so damn simple that it seems trivial to anyone to whom I explain
how I came up with my password. Without knowing the algorithm used to
build the password, it looks like garbage that varies with each domain.
It's sad users need software to do this.

--
Bear
http://bearware.info
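The domain-modifier part of the scheme above, written out as an added example so each step can be checked; this is not Bear's code, and it picks one concrete rule where the post leaves a choice (first 2 plus last 2 characters of the domain label, the TLD filling in for a short label, the modifier interleaved into the static string, and a fixed pair of positions uppercased on the second try). `STATIC` is a constructed placeholder for the personal-info string and is not derived from anyone's data.

```python
# Constructed placeholder for the all-lowercase personal-info string (consonants + digits).
STATIC = "mnrk30gr"


def registrable_label(hostname):
    """Return (domain label, TLD), dropping 'www' and any other host labels.

    Assumption: the registrable domain is the last two labels. That is wrong for
    suffixes such as co.uk; a real implementation would consult the public suffix list.
    """
    parts = hostname.lower().strip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a domain: {hostname!r}")
    return parts[-2], parts[-1]


def domain_modifier(hostname, min_len=4):
    """First 2 + last 2 characters of the domain label; short labels borrow from the TLD."""
    label, tld = registrable_label(hostname)
    if len(label) >= min_len:
        return label[:2] + label[-2:]
    return label[:2] + tld[:2]  # e.g. ibm.com -> "ib" + "co"


def interleave(static, modifier):
    """Insert each modifier character after every other character of the static string."""
    out = []
    for i, ch in enumerate(static):
        out.append(ch)
        if i < len(modifier):
            out.append(modifier[i])
    return "".join(out)


def site_password(hostname, static=STATIC, uppercase_positions=()):
    """Derive the per-site password; uppercase_positions is the fixed second-try variant."""
    chars = list(interleave(static, domain_modifier(hostname)))
    for pos in uppercase_positions:
        if pos < len(chars):
            chars[pos] = chars[pos].upper()
    return "".join(chars)


if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "ibm.com"):
        print(host, site_password(host), site_password(host, uppercase_positions=(1, 4)))
```

Two properties worth checking against the post's claims: a change of hostname (`www` to `mail`) leaves the password unchanged because only the domain label feeds the modifier, and the uppercase variant is a fixed transformation of the lowercase one. The caveat the post does not state is that the modifier is a public function of the domain, so one password exposed by a site breach, together with the domain it belonged to, reveals the static component and with it the rule for every other site; a password manager's independently random passwords do not share that failure mode.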