File in CAPTURE.BIN being ID'd as SPY ?

Discussion in 'Port Explorer' started by ShyWriter, Aug 2, 2005.

Thread Status:
Not open for further replies.
  1. ShyWriter

    ShyWriter Registered Member

    Joined:
    Jan 17, 2003
    Posts:
    7
    Using the last two databases from Counter Spy 1.5 beta from Sunbelt Software identifies finding a piece of ad-ware inside the Port Explorer "capture.bin" file in the Port Explorer directory. What's up? Here's the data, as presented.

    Spyware Scan Details
    Start Date: 8/2/2005 16:47:31
    End Date: 8/2/2005 17:55:16
    Total Time: 1 hrs 7 mins 45 secs

    Detected spyware

    Adw.ConsumerAlertSystem.CASClient Adware more information...
    Details: CAS Client is an adware program that monitors users search engine requests. It then delivers context relative advertising to the user’s desktop in various ways.
    Status: Deleted

    Infected files detected
    c:\program files\port explorer\capture.bin


    Just curious,
    Thanks,
    Anthony
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi,
    You collected a piece of spyware while spying on a socket.
    So you see the practical use of detecting malware now in action with your socket spy.
    You can look into the packets and see for yourself where the stuff came from, which info was sent, which application on your system did it. You see the program, date, time, IP address, everything.
    Now it is interesting for you to know what you have been spying on: was it a socket to a website, or from an application on your system?
    In the latter case you could have installed some malware on your system, so scanning and cleansing is very important; in the case of a socket from a website, nothing is wrong.
    Now was that the only place alarmed on?
    Just clean out the capture.bin with the Remove All button, clean your browser caches and all should be solved.

    You should really not allow other programs to delete your valuable collection, which is there to help you to find out about malware spreaders and attackers, intrusions.
    The captured data itself can do no harm inside the capture.bin, so don't worry.
    Also with checking the packets you see them as text, not as a dangerous executable.

    You can manually delete the collected data with the remove all button.
    Or close spying, then in the Port Explorer directory either rename the capture.bin with another name if you want to look at a later moment or want it as proof, or just delete the whole thing.
    Port Explorer will re-create a new capture.bin for you next time you use that function.

    You should also check your cookies.

    Let us know how you're doing.

    If you want to see a dialog try this:
    open a spy session on your email client, press the collect email and see the datapackets connecting, checking user name, password, email on the server, sending it over if there is, close connection and quit.
    You can read all those steps, including text from emails. You can see in the logs the datapackets and sizes, in the main window you should have seen the sockets and status changes. Etc.
     
    Last edited: Aug 3, 2005
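The email dialog described in the post above, as an added illustration that is not part of the thread or of Port Explorer itself: a small decoder over a constructed plain-text POP3 session, recorded the way a socket spy would see it (one line per message, `C>` client to server, `S>` server to client). It shows why the user name and password are readable in a capture of an unencrypted mail login, and why a byte-signature scan over a capture file can hit on bytes that merely passed over the wire. The capture, the direction tags and the signature table are all constructed here; nothing in the block is Port Explorer's own file format or Counter Spy's signature data.

```python
from dataclasses import dataclass

# Constructed sample capture of a plain-text POP3 login and mail fetch.
# "C>" = client to server, "S>" = server to client (tags invented for this example).
SAMPLE_CAPTURE = b"""\
S> +OK POP3 server ready <1234.5678@mail.example.invalid>
C> USER alice
S> +OK
C> PASS hunter2
S> +OK Logged in.
C> STAT
S> +OK 1 512
C> RETR 1
S> +OK 512 octets
S> From: bob@example.invalid
S> Subject: hello
S>
S> meeting at 10
S> .
C> QUIT
S> +OK Bye
"""

# Constructed signature table: a scanner matching this byte string against the
# capture will "find" it, although the capture is inert data, not an executable.
CONSTRUCTED_SIGNATURES = {"constructed-test-string": b"Subject: hello"}


@dataclass
class Step:
    direction: str  # "client" or "server"
    command: str    # POP3 verb (client), status token or DATA (server)
    detail: str     # rest of the line


def parse_capture(raw: bytes) -> list:
    """Turn the captured dialog into a list of Step objects, in wire order."""
    steps = []
    for line in raw.decode("ascii", errors="replace").splitlines():
        if line.startswith("C>"):
            verb, _, rest = line[3:].partition(" ")
            steps.append(Step("client", verb.upper(), rest))
        elif line.startswith("S>"):
            body = line[3:]
            token, _, rest = body.partition(" ")
            if token in ("+OK", "-ERR"):
                steps.append(Step("server", token, rest))
            else:
                steps.append(Step("server", "DATA", body))  # message content lines
    return steps


def session_summary(steps: list) -> list:
    """The client side of the dialog: connect, user, password, stat, fetch, quit."""
    return [s.command for s in steps if s.direction == "client"]


def find_cleartext_credentials(steps: list):
    """Return (user, password) if both were sent in the clear, else None.

    A defender running this over captures can spot mail clients that still
    log in without TLS; the same visibility is what an eavesdropper would have.
    """
    user = password = None
    for s in steps:
        if s.direction == "client" and s.command == "USER":
            user = s.detail
        elif s.direction == "client" and s.command == "PASS":
            password = s.detail
    return (user, password) if user and password else None


def message_text(steps: list) -> str:
    """Reassemble the fetched message body (lines after +OK up to the '.' terminator)."""
    lines = [s.detail for s in steps if s.direction == "server" and s.command == "DATA"]
    return "\n".join(lines[:-1]) if lines and lines[-1] == "." else "\n".join(lines)


def signature_hits(raw: bytes, signatures: dict) -> list:
    """Plain byte-pattern search, the way a signature scanner walks a file.

    A hit here only means those bytes were seen on the socket and written to
    the capture; the capture file itself never executes anything.
    """
    return [name for name, pattern in signatures.items() if pattern in raw]


if __name__ == "__main__":
    steps = parse_capture(SAMPLE_CAPTURE)
    print("dialog:", session_summary(steps))
    print("cleartext credentials:", find_cleartext_credentials(steps))
    print("mail text:", message_text(steps).replace("\n", " | "))
    print("signature hits in capture:", signature_hits(SAMPLE_CAPTURE, CONSTRUCTED_SIGNATURES))
```

Run as a script it prints the client dialog, the user name and password recovered from the capture, the mail text, and the signature hit. The practical point for anyone keeping captures around: treat a scanner alert on a capture file as "these bytes were on the wire", verify it by reading the flagged packets, and exclude capture directories from scanners that would silently delete them.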
  3. ShyWriter

    ShyWriter Registered Member

    Joined:
    Jan 17, 2003
    Posts:
    7
    Hi Jooske; I just got the program a few days ago in lieu of the TDS4 upgrade and I believe I had spied on a socket once for a moment or two and then I stopped spying as I didn't really have a clue as to what I was doing. ;) (I'm one of those people that only READ THE MANUAL *after* I've totally messed something up - *wry grin*)

    That was the only piece alarmed on and I deleted it - it hasn't reoccurred in subsequent scans. I still have TDS3 installed as well as two realtime virus detectors and two realtime spyware detectors, as well as running various virus/spyware programs on demand to see what the others might have missed. I've also got a hardware firewall (1-way) and a software firewall (2-way). I also have Steve Gibson's (of Spinrite fame) little programs such as unPNP, socket lock, etc. running. I don't go to porno sites, etc., and I use Firefox instead of MSIExplorer as a browser with a NOSCRIPT extension installed. And lastly, I alternate registry cleaner programs on a daily basis. All of this may seem like overkill but I do a lot of beta-testing and some of these beta programs don't have all the security holes plugged yet. As you probably know, one isn't REALLY paranoid if one sees the shadows behind the trees. LOL

    I'm doing fine - thanks for asking as well as your nicely written, very prompt reply. One of these days I'll read the manual and do some more exploring in Port Explorer when I can get free time away from all the other stuff I'm involved in. Things sure were a lot more simple in 1982 via BBSes and then 1994 when few things were dangerous on the internet. *smile*

    Take care; have a great day!
    Steve513p (but you can call me "Shy")
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sounds all very positive.
    You will really enjoy the manual, as it is really very informative with background info about what you are seeing, kind of info sometimes hard to find on internet.

    I really find the email example I wrote in the posting above informative as you see it really happen in front of your eyes. You have to click the packets of course to see their content.

    It was a way I detected malicious connections and what they were trying to do on my system (when I allowed them through my firewall so I could collect nice malware for Gavin to add to the TDS signatures) -- that way looking through the spysocket collection once I was very sure about something to be malicious, uploaded the sample at the KAV online scanner where it was not detected, but Gavin found out it was an infected trojan and infected with some other virus and infected again, very interesting sample and of course I felt very proud with my find!
    (Several days later also KAV detected the most outside level virus too BTW, but never all the different nasties.)
    I would not recommend to do this kind of dangerous things too frequently or if you don't know what you're doing or what to look for!
    At least it adds to my idea virus and trojan code can infect each other and create new malware maybe all by itself without a malware coder to add to the process, just like with live viruses and bacteria of organic and other origins.
    So getting a nose for suspicious happenings on our system and blocking them from mixing, mutating and spreading and recreating is a must.
    I have the feeling DiamondCS new software evolution goes more and more in that direction. And that all with honestly recycled clean electrons, without any artificial additions or DDT!


    1984 -- was that the time a Dr. Solomon or McAfee scanner with some 200 virus detections was very advanced? And trojans only known from Greek mythology but not crossing internet yet?
     