David H. Lipman
Everything posted by David H. Lipman

  1. Please reference: Please read before reporting a false positive
  2. Old referenced thread - HackForums.net. New block - hackfourms.net. The two are not the same site.
  3. ISPs don't go through the Front Door. If they provide an appliance, they have most likely already enabled a backdoor utilizing TR-069 or some other standard. It is TCP ports 80, 8080 or 445 (HTTP/HTTPS) or 23 (Telnet) or 992 (Telnet/S) that one disables for remote management. If an ISP puts in a backdoor and you know the TCP port, the user can create a Firewall Drop Packets rule [1].
     [1] Verizon uses TCP port 4567. However, in later firmware versions they actually have an anti-block rule that won't allow the user to create a rule to specifically block that port. Their appliances will generate an error message indicating you can't do it for that port. Other known backdoor ports are TCP/6363 and TCP/2420.
  4. Look for something like "Management" or "Remote Management".
  5. It has to do with Decimal representation and Binary numbers. 1KB is really 1024 bytes. http://www.howtogeek.com/123268/windows-hard-drive-wrong-capacity/
  6. I'm not sure which thread John is referring to but maybe it had the following content?
  7. 1. The person he talked to has no idea. 2. The ISP has a specialized firmware/embedded OS which provides different functionality. You will know this if it is an ISP branded appliance. The attached is a PDF User Guide of a Comcast (Xfinity) branded appliance. Note the name is on the chassis and if you login to the device the pages are also branded "Xfinity". < removed attachment as the example is no longer needed - DHL >
  8. Yes. He could use Internet Connection Sharing (ICS) but his sister would know "something is up."
  9. All network interfaces have a Media Access Control (MAC) address. In a Command Prompt you can type:
     arp -a
     It will show a table of IP addresses and the MAC address associated with each.
     Internet Address      Physical Address      Type
     192.168.1.1           00-1f-90-79-f0-b0     dynamic
     192.168.1.10          60-a4-4c-b5-10-b9     dynamic
     The above shows my Router (192.168.1.1) has the MAC address of 00-1f-90-79-f0-b0. It also can be expressed as 00:1f:90:79:f0:b0. If you know the MAC address of a device then you can either use MAC Authentication, which allows only devices whose MAC addresses are listed in a table, or MAC Restriction, which is a table of defined MACs that are specifically DENIED access.
     Reference: http://en.wikipedia.org/wiki/OSI_protocols http://en.wikipedia.org/wiki/OSI_model
  10. T1000: Please reference: Please read before reporting a false positive, Post #2. If you want to submit a possible False Positive please start your own topic following the guidance in the above referenced URL. If you need support on the product, please post in: Malwarebytes Anti-Malware Help. If you need help removing malware, please seek assistance in: Malware Removal Help. Thank you for understanding.
  11. CWB: I believe what you describe is MAC Authentication. That is, the MAC addresses of allowable devices are used to limit access. If the MAC Address is not in its table, the device doesn't get access.
  12. They say a picture is worth a thousand words so to elaborate on what Firefox has written, see the below photo. On the top is the back of a Toshiba notebook keypad and below it is the back of a Dell notebook keypad. [photo: Dell notebook keypad] [photo: Toshiba notebook keypad]
  13. fivealive: It is a Modem+Router. The modem component is a moot point. It is the Router that you monitor for such as: LAN/WiFi connections, activity, DHCP leases, etc.
  14. Yepper. It's a matter of culpability. The subscriber is responsible for the actions of whoever uses the WAN IP. If one has an Open WiFi and is the subject of War Driving and the actor performs a nefarious action, then the subscriber can be held liable. If one takes ordinary measures to secure their subscription then they limit liability. The thing is if he states he has access, you can prove if he does or doesn't since the Router will know all nodes that use it from the LAN POV.
  15. Like I said "Please go back and verify the facts." Prove that he had access. Otherwise if you don't see him accessing it, he's lying to get a rise out of you.
  16. If you password protected the Router (strong, known only by you) and you disable WPS then he will be locked out [1]. If he had physical access to the Router and WPS was enabled then that is how he got in.
     [1] Well, not entirely. He could reset the Router to factory defaults and set up the unit any way he chooses IFF he has physical access to it.
  17. fivealive: Please go back and verify the facts. If you changed the SSID and associated password and it is a 20 character strong password and you did not pass the information on to your sister then please re-evaluate what is going on. For example, if you did not provide the SSID and PWD to your sister, did you set up your sister's PC or other residential appliance/computer? Nir Sofer has a utility called WirelessKeyView that, when executed on a PC that accesses WiFi networks, will enumerate the network's SSID and the associated password and display it in its GUI. Example: NOTE: AV/AM software will flag many of Nir Sofer's utilities as PUPs or HackTools not because they are malicious but because they have the propensity of being used maliciously.
  18. Actually they are separate programs launched from a common source. Looking at: C:\Program Files\LibreOffice 4\program You'll see... (sorted by File Type) So SWRITER.EXE is the WordProcessor, SCALC.EXE is the SpreadSheet, etc.
  19. "being 1 week late in the update would make you more vulnerable so was wondering if there are any way to minimize the risk when connecting to the network for the first time after 1 week of no updating." It is not that big a risk. Two months would not be that big of a risk. When you return the important thing is FIRST you make sure all software and anti-malware signatures are updated, THEN surf the web and access content. "You said following the list you gave would minimize the risk so can I assume that scanning the pc regularly, setting the connection to public and turning on the firewall is sufficient? Since as the rest are more of a physical protection, like not leaving the password around, not sharing the PC etc." That's only part in a logical sense. Logical as in computers being networked. Your 'mates have PHYSICAL access and thus you have to take physical safeguards first and foremost. Their possible access can be the biggest threat. That threat may increase if your 'mates are not relatives. This is called the Insider Threat.
  20. John.A: Porthos is correct in his assertion. However, it can be noted that initially there were no detections on Virus Total and today there are 30/54 detections, excluding Malwarebytes, and it has been two weeks. Thus, at this point, your concerns are valid. I can also say I have seen MUCH WORSE with Trend Micro. I have submitted samples to them and 6~8 weeks went by for the submitted, and tested malicious, files and they remained undetected. It was only after I brought my concerns to them that I was provided a "handler" where my submissions were evaluated and detected within 72 hours. Thus I understand the situation fully. All I can say is we'll have to bring this to the attention of Malwarebytes' Malware Researchers for an "informed" response. Is two weeks a proper time frame or can one expect a longer submission to detection rate?
  21. "If I am away on a business trip and the PC have not been updated for 1 week. Would it be safe to update it?" Updating is the proper and safe action. When you keep the OS and all software updated you mitigate vulnerabilities that may be exploited. Keeping a PC updated minimizes that risk. "If one of the roommate PC have been infected would it affect the rest?" Infected? Infected with - WHAT? The ability to spread from computer to computer is the action of a "true virus". Not what everybody "thinks" is a virus. True viruses self-replicate and autonomously spread. Internet worms are a type of virus that spreads by using Internet Protocols. The list I previously gave you minimizes that risk. If a roommate is "infected" with an adware trojan or a Potentially Unwanted Program (PUP) or some other NON-VIRUS then the answer is flat out - NO. If the infection is based upon a file infecting virus, an AutoRun Worm or an Internet Worm then there is the possibility of the roommate's PC infecting other computers on the Local Area Network (LAN).
  22. Malware removal should NOT be done remotely. It should be hands-on. You might have to take the drive out and put it on another computer or boot from a different OS from USB or CD/DVD media. Malware performs self-preservation and those techniques will obfuscate and protect the malware in a running OS. When you boot outside the infected OS those self-preservation techniques are not in place, allowing better malware removal.
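Post 9 above shows how `arp -a` lists the IP-to-MAC mapping and explains MAC Authentication (allow list) versus MAC Restriction (deny list). The following is an added example, not code from the post or from Malwarebytes: it parses Windows-style `arp -a` output, normalizes the dash and colon MAC notations the post mentions so they compare equal, and reports each LAN node as allowed, unknown or denied against an allow or deny table. The sample output and every MAC in it are constructed for the example, and the function names are the author's own choices.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real host);
# the interface line and the MAC values are made up for this example.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1f-90-79-f0-b0     dynamic
  192.168.1.10          60-a4-4c-b5-10-b9     dynamic
  192.168.1.37          a4-5e-60-11-22-33     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One data row: IPv4 address, MAC in dash or colon form, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+"
    r"(\w+)\s*$"
)


def normalize_mac(mac):
    """Return a MAC in lowercase colon form, so 00-1F-90-79-F0-B0 equals 00:1f:90:79:f0:b0."""
    return mac.strip().lower().replace("-", ":")


def parse_arp_table(text):
    """Parse `arp -a` output into (ip, mac, type) tuples, skipping header and interface lines."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            rows.append((ip, normalize_mac(mac), kind.lower()))
    return rows


def is_group_address(mac):
    """Multicast/broadcast MACs have the low bit of the first octet set; they are not a host NIC."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify_hosts(rows, allow_list=None, deny_list=None):
    """Apply MAC Authentication (allow_list) or MAC Restriction (deny_list) to parsed ARP rows.

    Returns {ip: "allowed" | "unknown" | "denied"}. A MAC on the deny list is
    "denied"; when an allow list is given, any MAC not on it is "unknown".
    """
    allow = {normalize_mac(m) for m in (allow_list or [])}
    deny = {normalize_mac(m) for m in (deny_list or [])}
    verdicts = {}
    for ip, mac, _kind in rows:
        if is_group_address(mac):
            continue  # multicast entries such as 224.0.0.22 are not LAN nodes
        if mac in deny:
            verdicts[ip] = "denied"
        elif allow and mac not in allow:
            verdicts[ip] = "unknown"
        else:
            verdicts[ip] = "allowed"
    return verdicts


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    # Router and own PC are the only permitted devices; mixed notations on purpose.
    known = ["00-1F-90-79-F0-B0", "60:a4:4c:b5:10:b9"]
    for ip, verdict in classify_hosts(table, allow_list=known).items():
        print(f"{ip:<16} {verdict}")
```

Run on a real host by replacing `SAMPLE_ARP_OUTPUT` with the captured command output. The "unknown" verdict is the interesting one when checking a claim that someone else is on the LAN: it is a node the router's table saw that is not in your allow table. The ARP cache only lists hosts the PC has recently talked to, so the router's own client or DHCP lease page, as post 13 says, remains the authoritative view.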