TT Livescan

idbeholda

It's a scam.
It's a 38k/b rar file that unpacks to a few exes and data files.
The exes have 'The Temple of Transgression' as authors.
The home site 'xxx.tot-ltd.org' is 'under construction'.

Because it certainly isn't possible that the database in question
(tot-ltd.org/md5db perhaps?) has appropriately named files from 0000-FFFF.

Think before you speak.
 
Virus Guy

Paul T. Holland

David said:
From: "Virus Guy" <[email protected]>



| http://www.virustotal.com/analisis/a3987b868a228f0423b66cb0b9cbe088

| When I submitted it a couple hours ago, VT hadn't seen it yet.

| Only Prevx1 is calling it. As "High Risk Worm".

| Same with this file:

| http://www.virustotal.com/analisis/80b9371577b26d92501802aa522ad541

| ClamAV Trojan.VB-2815

| And hey, what's the file offensive.dat for? Does George Carlin need a
| new list?

| Apparently, this is from the same outfit:

| --------
| Temple Of Transgression News Article Creation Engine 1.0
| --------

Ibeholda isn't new. Posted several times over the past few years. Used to post from a
library. I think he used to a live zoo on a previous web site.
Been around a while; last I knew, ibeholda/Eric lived in Athens, Ohio
 
FromTheRafters

It's a scam.
It's a 38k/b rar file that unpacks to a few exes and data files.
The exes have 'The Temple of Transgression' as authors.
The home site 'xxx.tot-ltd.org' is 'under construction'.

Because it certainly isn't possible that the database in question
(tot-ltd.org/md5db perhaps?) has appropriately named files from 0000-FFFF.

Think before you speak.

I think he spelt spam wrong. :blush:p
 
idbeholda

Because heuristics never lie either.

http://www.google.com/search?hl=en&...ntivirus+false+positive+heuristic&btnG=Search

And obviously, since according to at least one poster, I'm clearly
making up stuff about satellite internet being notorious for latency
issues (what's that, round travel of ~75000+ miles... PREPOSTEROUS!).

http://www.google.com/search?source...satellite+internet+latency&btnG=Google+Search

You'll find that *ANY* satellite connection *WILL* have a minimum
latency of *AT LEAST* 500ms, but usually averaging anywhere from
900ms-2000ms. I know this because I have had the misfortune of being
subjected to satellite internet. Hence why I don't recommend using
the online scanner because the delays are ridiculous. Seriously,
because of the latency issues with satellite internet, you will wind
up getting faster scantimes using a dialup connection. Also inb4
"THATS UNPOSSIBLE". Each section of 0000-FFFF is anywhere from 1-5K
in size. It's like that for a reason, folks. With a decent DSL/
Broadband connection, TT Livescan can process up to 232GB of data in
less than 12 minutes. I also trimmed down on as much bloat as I could
to make it possible for an online scanner to be of such a small size,
while having a database of over 3 million md5 hashes available online
for it to make use of.

As for the offensive.dat file: Optional parental scanning based on
partial matches of filenames. And looking at some of these posts...
my, my... what short term memory some seem to have. It looks like
I'll be mailing out boxes of depends this christmas to match the faked
alzheimers. Unless some of you really aren't attempting to reverse
troll.

And so we meet again, Mr. Lipman. Yes, for about 3 months I posted
from a library when I didn't have internet at my residence.... almost
4 years ago, was it? Then I had DSL with AT&T, and after that, moved
out to the boondocks where the only feasible option was dialup, since
according to HughesNet and WildBlue (and I quote), we "did not have a
clear view of the southern sky". But that's beside the point.
However, I no longer live in Ohio: I now live in Texas. How are
things on your end, Mr. Lipman?
 
idbeholda

From: "idbeholda" <[email protected]>

| Because heuristics never lie either.

|http://www.google.com/search?hl=en&rlz=1G1GGLQ_ENZZ324&q=antivirus+fa...
| heuristic&btnG=Search

| And obviously, since according to at least one poster, I'm clearly
| making up stuff about satellite internet being notorious for latency
| issues (what's that, round travel of ~75000+ miles... PREPOSTEROUS!).

|http://www.google.com/search?source=ig&hl=en&rlz=1G1GGLQ_ENZZ324&=&q=...
| latency&btnG=Google+Search

| You'll find that *ANY* satellite connection *WILL* have a minimum
| latency of *AT LEAST* 500ms, but usually averaging anywhere from
| 900ms-2000ms.  I know this because I have had the misfortune of being
| subjected to satellite internet.  Hence why I don't recommend using
| the online scanner because the delays are ridiculous.  Seriously,
| because of the latency issues with satellite internet, you will wind
| up getting faster scantimes using a dialup connection.  Also inb4
| "THATS UNPOSSIBLE".  Each section of 0000-FFFF is anywhere from 1-5K
| in size.  It's like that for a reason, folks.  With a decent DSL/
| Broadband connection, TT Livescan can process up to 232GB of data in
| less than 12 minutes.  I also trimmed down on as much bloat as I could
| to make it possible for an online scanner to be of such a small size,
| while having a database of over 3 million md5 hashes available online
| for it to make use of.

| As for the offensive.dat file: Optional parental scanning based on
| partial matches of filenames.  And looking at some of these posts...
| my, my... what short term memory some seem to have.  It looks like
| I'll be mailing out boxes of depends this christmas to match the faked
| alzheimers.  Unless some of you really aren't attempting to reverse
| troll.

| And so we meet again, Mr. Lipman.  Yes, for about 3 months I posted
| from a library when I didn't have internet at my residence.... almost
| 4 years ago, was it?  Then I had DSL with AT&T, and after that, moved
| out to the boondocks where the only feasible option was dialup, since
| according to HughesNet and WildBlue (and I quote), we "did not have a
| clear view of the southern sky".  But that's beside the point.
| However, I no longer live in Ohio:  I now live in Texas.  How are
| things on your end, Mr. Lipman?

That explains the Amarillo based provider, AMA Com.

It is amazing how some things you remember and other things you can't.

I am fine here in the Jersey Shore.

Still waiting for real content on a web site fully explaining your project.

Glad to hear things are going well for you. As for content... there's
not really a whole lot to explain. It's an online based scanner that
accesses a blacklist directory based on the first 4 digits of an MD5
hash (http://www.tot-ltd.org/md5db/0000-FFFF). The back engine is
still the same as it was when I was working on VTE Virus Scanner.
Only thing that's really changed is instead of using crc32 hashes,
it's now using md5 hashes and has slightly different features and a
quicker scantime. Other than that, I'm not really sure any other
explanation can be given.
 
idbeholda

If you expect people to use it there should be an explanation on the
web site - not here. You might also want to mention the ability of
TTMWST.exe to upload files using FTP. I can see you're likely to fall
foul of other virus scanners with this module since a lot of account/
password stealers are also written in VB6 and use FTP.

You've an impossible task keeping up to date with signatures based on
a file hash. Much malware will have a different signature each time
it's downloaded. It's either packed differently on the fly or some
random bytes are tacked on to the end of the executable.

1)There is an explanation on the front page (http://www.tot-ltd.org).
It's there for a reason; don't pretend to be illiterate. Secondly,
the use of TTMWST.exe is entirely *OPTIONAL*. If you don't want to
have it upload infected files to the server from /quarantine, then
don't use it. I'm not holding a gun to your head, and this isn't
rocket science.

2)By the same logic, all programs using FTP access should be flagged
as malware. What do you want me to do, publish the working source
code that's like 10 lines, and anyone with a browser and an install of
VS6 can find easily enough? Nice try, but I don't think so. If I
would work on a security app for 5+ years, what would be the point of
me giving people a trojan. Quite honestly, I'm interested in hearing
an explanation for this fantastical scenario that doesn't involve time
travel and alien abduction.

3)If I used string signatures, the same complaint would be given that
it's an "impossible task to keep up with [y] because of [x]." Keeping
up with md5 hashes is NOT that difficult of a task. Really, it
isn't. The reason I don't use string signatures is quite simple: VB
sucks with raw data processing. I could resurrect the subsystem
scanner from VTE, but I'm opting not to. Why you ask? There's an
option for multiple AV plugins using tweak.exe. All you have to do is
copy and paste the commandline of the scanner and replace //disabled
with //enabled.

Finally, I'm offering a free service. If you think it's sketchy/
trojaned/whatever, then don't use it. I won't lose any sleep over
your misjudgement.
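
The lookup scheme described in the posts above (a blacklist split into files named by the first four hex digits of the MD5) and the objection that a few appended bytes change the hash, as an added Python example that is not TT Livescan's code. The bucket layout, the 33-byte entry size and all function names are assumptions, and the sample bytes are constructed.

```python
import hashlib
from collections import defaultdict

def md5_hex(data: bytes) -> str:
    """Uppercase hex MD5, matching the 0000-FFFF bucket naming in the thread."""
    return hashlib.md5(data).hexdigest().upper()

def build_buckets(full_hashes):
    """Server side (assumed layout): one set of full hashes per 4-digit prefix."""
    buckets = defaultdict(set)
    for h in full_hashes:
        buckets[h.upper()[:4]].add(h.upper())
    return dict(buckets)

def scan(data: bytes, buckets) -> dict:
    """Client side: fetch only the bucket for this file's prefix, then
    compare the full digest locally. Exact match only, no fuzzy logic."""
    digest = md5_hex(data)
    listed = buckets.get(digest[:4], set())  # stands in for one HTTP fetch
    return {"md5": digest, "bucket": digest[:4], "flagged": digest in listed}

def expected_bucket_bytes(total_hashes: int, entry_bytes: int = 33) -> float:
    """Average bucket size if hashes spread evenly over 16**4 buckets.
    entry_bytes=33 assumes 32 hex chars plus a newline per entry."""
    return total_hashes / 16**4 * entry_bytes

# Constructed sample standing in for a blacklisted file; not real malware.
KNOWN_BAD = b"constructed sample bytes for a blacklisted file"
DB = build_buckets([md5_hex(KNOWN_BAD)])

if __name__ == "__main__":
    original = scan(KNOWN_BAD, DB)
    padded = scan(KNOWN_BAD + b"\x00", DB)  # one byte tacked on the end
    print("original:", original)
    print("padded:  ", padded)
    print("avg bucket bytes for 3M hashes: %.0f" % expected_bucket_bytes(3_000_000))
```

The padded copy hashes to a different digest and is not flagged, so every variant needs its own blacklist entry. Under the assumed entry size, 3 million hashes average about 1.5 KB per bucket, which is consistent with the 1-5K figure quoted in the thread.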
 
Franklin

On 29 Apr 2009 06:11, idbeholda wrote in alt.comp.freeware
<[email protected]
m>:
If you expect people to use it there should be an explanation on
the web site - not here. You might also want to mention the
ability of TTMWST.exe to upload files using FTP. I can see
you're likely to fall foul of other virus scanners with this
module since a lot of account/ password stealers are also written
in VB6 and use FTP.

You've an impossible task keeping up to date with signatures
based on a file hash. Much malware will have a different
signature each time it's downloaded. It's either packed
differently on the fly or some random bytes are tacked on to the
end of the executable.

1)There is an explanation on the front page
(http://www.tot-ltd.org). It's there for a reason; don't pretend
to be illiterate. Secondly, the use of TTMWST.exe is entirely
*OPTIONAL*. If you don't want to have it upload infected files to
the server from /quarantine, then don't use it. I'm not holding a
gun to your head, and this isn't rocket science.

2)By the same logic, all programs using FTP access should be
flagged as malware. What do you want me to do, publish the
working source code that's like 10 lines, and anyone with a
browser and an install of VS6 can find easily enough? Nice try,
but I don't think so. If I would work on a security app for 5+
years, what would be the point of me giving people a trojan.
Quite honestly, I'm interested in hearing an explanation for this
fantastical scenario that doesn't involve time travel and alien
abduction.

3)If I used string signatures, the same complaint would be given
that it's an "impossible task to keep up with [y] because of [x]."
Keeping up with md5 hashes is NOT that difficult of a task.
Really, it isn't. The reason I don't use string signatures is
quite simple: VB sucks with raw data processing. I could
resurrect the subsystem scanner from VTE, but I'm opting not to.
Why you ask? There's an option for multiple AV plugins using
tweak.exe. All you have to do is copy and paste the commandline
of the scanner and replace //disabled with //enabled.

Finally, I'm offering a free service. If you think it's sketchy/
trojaned/whatever, then don't use it. I won't lose any sleep over
your misjudgement.

I'm new to the history behind all this and saw a reference to
heuristics in this thread and then read an explanation to matching
the first few digits of an MD5 hash. Presumably the reference to
heuristics was a way of saying heuristics are not being used.

As for the MD5 explanation, I couldn't see it on the website but
maybe I need leading by the hand.

Point 2 above makes me uncomfortable. It seems to say the code for
the module is about 10 lines but anyone requesting it must be
paranoid or a fantasist. Surely it would be easier to just post the
code rather than tell people who can't extract it for themselves
that they are technically inadequate.

As I said, I know nothing of any other history but there's something
about this which doesn't inspire confidence. I think I'll let
others try it first and then maybe I'll decide if it's for me.
 
Borked Pseudo Mailed

idbeholda said:
Gone

Finally, I'm offering a free service. If you think it's sketchy/
trojaned/whatever, then don't use it. I won't lose any sleep over
your misjudgement.

How come a smart guy like you has not learned one of the simplest
facts of Usenet? Namely, no intended good deed goes unpunished in
the world of the troll?
 
idbeholda

On 29 Apr 2009 06:11, idbeholda wrote in alt.comp.freeware
<[email protected]
m>:


1)There is an explanation on the front page
(http://www.tot-ltd.org). It's there for a reason; don't pretend
to be illiterate.  Secondly, the use of TTMWST.exe is entirely
*OPTIONAL*.  If you don't want to have it upload infected files to
the server from /quarantine, then don't use it.  I'm not holding a
gun to your head, and this isn't rocket science.
2)By the same logic, all programs using FTP access should be
flagged as malware.  What do you want me to do, publish the
working source code that's like 10 lines, and anyone with a
browser and an install of VS6 can find easily enough?  Nice try,
but I don't think so.  If I would work on a security app for 5+
years, what would be the point of me giving people a trojan.
Quite honestly, I'm interested in hearing an explanation for this
fantastical scenario that doesn't involve time travel and alien
abduction.
3)If I used string signatures, the same complaint would be given
that it's an "impossible task to keep up with [y] because of [x]."
 Keeping up with md5 hashes is NOT that difficult of a task.
Really, it isn't.  The reason I don't use string signatures is
quite simple:  VB sucks with raw data processing.  I could
resurrect the subsystem scanner from VTE, but I'm opting not to.
Why you ask?  There's an option for multiple AV plugins using
tweak.exe.  All you have to do is copy and paste the commandline
of the scanner and replace //disabled with //enabled.
Finally, I'm offering a free service.  If you think it's sketchy/
trojaned/whatever, then don't use it.  I won't lose any sleep over
your misjudgement.

I'm new to the history behind all this and saw a reference to
heuristics in this thread and then read an explanation to matching
the first few digits of an MD5 hash. Presumably the reference to
heuristics was a way of saying heuristics are not being used.

As for the MD5 explanation, I couldn't see it on the website but
maybe I need leading by the hand.

Point 2 above makes me uncomfortable. It seems to say the code for
the module is about 10 lines but anyone requesting it must be
paranoid or a fantasist.  Surely it would be easier to just post the
code rather than tell people who can't extract it for themselves
that they are technically inadequate.

As I said, I know nothing of any other history but there's something
about this which doesn't inspire confidence.  I think I'll let
others try it first and then maybe I'll decide if it's for me.

http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=47972&lngWId=1

Like I said, all it takes is a search engine. The only thing
TTMWST.exe accesses is the mw_submit folder via ftp on tot-ltd.org.
No personal data is collected other than what is flagged and
*optionally* (per user request) sent to the /quarantine folder. The
other 8 lines of code are basically bells and whistles that let the
user know what's being uploaded and the percentage complete.

Regardless you are correct in your assumption regarding the 10 lines
of code. The reason I am stating that is because fantasism is exactly
what's going on here: I'm not putting a trojan on someone else's
system. Therefore, if I'm offering someone a method to find and
detect malware, and someone else is claiming that I'm "offering"
something "different", from my standpoint, they're clearly out of
their mind.

However, if it appears I'm being a bit too obtuse, ask other companies
to discuss their source codes/executable in full detail as I have over
the years. One will soon discover it's not me who's obtuse about
their own dealings.

As for heuristics? There's an option for that too, and the database
is openly located in the TT-Livescan download under the filename of
heuristics.dat. On top of that, if you want to add in your own
heuristics, you can do that too. It honestly makes no difference to
me.
 
idbeholda



Gone


How come a smart guy like you has not learned one of the simplest
facts of Usenet?  Namely, no intended good deed goes unpunished in
the world of the troll?

lolwut? >;3>
 
John Stubbings

V unq n png jub sryy va n cbby naq qebjarq. Vg envarq gur qnl bs ure
shareny naq ab bar pnzr. Shpx uhznaf.

png fraqf pbaqbyraprf. Gur napvrag Rtlcgvnaf unq zber erfcrpg.
 
