15 February 2008

CoderTools TotalEdit v4.0

Looking for a new text editor? A text editor that can edit code, web pages, and hex as well?

Introducing the award-winning TotalEdit. This unique tool lets you edit PHP, C, C++, Java, HTML, XML, ASP, JSP, CSS, JavaScript and SQL. From initial design to finished product, TotalEdit helps you turn your ideas into reality.

For more details see our feature list.

See screen shots of TotalEdit features.

Advanced features include:

* Code Folding (inc. HTML & XML)
* Code Navigation
* Code Compare
* Code Backup
* Code Templating
* File System Explorer
* Project/Workspace
* Hex Editor
* Unicode File Support
* Unicode conversion

TotalEdit is FREE now!

Homepage: http://www.codertools.com
Download: http://www.codertools.com/download.aspx

14 February 2008

Bitdefender Labs Antivirus Defense Center

Antivirus software - BitDefender - The future of security now!
Maybe they mean yesterday, because before yesterday's updates, and apart from some mistakes by the unpacking engine for Inno Setup this month which were fixed quite fast, it was a top security product.
Packer.XComp.A

BitDefender false positive triggered by using:
Packer/compressor XComp098, XComp097 (XComp & XPack)
info:
XComp/XPack: A freeware PE32-imagefile packer/rebuilder
(c)2007 JoKo, Version 0.98 02/18/2007
from:
http://www.soft-lab.de/joko/ExePack.htm

XComp in some cases achieves a better compression ratio than UPX. You can compare for yourself:

XComp/XPack PE32-imagefile packer and/or rebuilder - Freeware

UPX: the Ultimate Packer for eXecutables (Freeware) - Homepage

BitSum PeCompact (Commercial, for students limited free) - Homepage

Pack some exe and dll files using LZMA compression and upload the files to:
VirusTotal - Free Online Virus and Malware Scan

Try upx.exe with the parameters --lzma, --best, --ultra-brute;
PeCompact at its highest compression;
XComp with the LZMA method.
About NsPack by North Star (Commercial), I think there is nothing to say. Just look at the result in a hex editor and see the chaos in the headers; there is no option to clean up or optimize this mess.

Do they have a research team, or do they just drop the signatures of whole packers into their virus database if enough users submit an infected file, because someone may have used this packer/compressor to pack some viruses into some applications...
It is the most ridiculous security system I have ever seen.


eMule 0.48a Sins 0.5 packed with XComp 0.98 Analysis

File size: 1701652 bytes
MD5: 2a3fe800941bd32c7495734ed83dc4e1
SHA1: cf8c09fe40369cf921deb1b4e8128914e04ff9bf

sins.exe

Where is the Virus in this sample???

OllyDbg v1.10

Check the files with ExEinfo PE by A.S.L. and follow the unpacking hints.


BitDefender's unpacking engine mistakes: scanning an Inno Setup file - Instyler Module 9!
Problem resolved within 2 hours by the 3 following signature updates:

G DATA InternetSecurity 2008 v12 (3-user) - and all problems are gone?!



30-day trial:

All-round protection against all dangers from the internet!
Info (English): http://www.gdata.de/trade/GB/productview_technische/820/16/
Info (German): http://www.gdata.de/unternehmen/DE/archive/160/
3 PC licenses: € 53,95

Armadillo BitTorrent mods infection with G Data - dual engine scan!!!
"I've seen that with BitDefender already: these Armadillo BitTorrent mods try on their own to phone out even if they are not started, and run freely if an access rule has been created in the firewall"

BitDefender Antivirus software false positive Packer.XComp.A

Dear blog readers,

Bitdefender antivirus signatures from 13 February 2008 onwards flag files compressed with the exe packer XComp/XPack (freeware PE32 image-file packer/rebuilder by JoKo, version 0.98 as well as 0.97) as the virus Packer.XComp.A.
Info: http://www.soft-lab.de/joko/ExePack.htm

This affects not only some of the packed files here but entire software portals as well as a number of freeware developers who have packed their programs with it, either to get around the near-monopoly of "UPX" in the freeware sector or simply to use the packer XComp as an alternative, and who with some files also get better results with XComp.

Why a virus named Packer.XComp.A has been brought into being by Bitdefender, from the company Softwin in Romania, is unclear; presumably it is due to a plain lack of knowledge on the developers' side of how programs packed with XComp/XPack can be unpacked, or to a missing scan engine that can handle this at the present time.

If Bitdefender is in use as the antivirus solution and now shows this false positive with the updates, the following solution suggests itself:

- Switch AV, which is unavoidable if entire directories or very many files were packed with XComp, since Bitdefender, for lack of configuration options, offers no filter setting to exclude the detection of a single virus signature. Almost all other antivirus solutions, in particular Symantec Corporate Client/Server, do offer this.

- Unpack the affected files with RL!dePacker from http://ap0x.jezgra.net;
some universal unpackers, in particular those with UPX-like feature sets, may possibly
be an alternative to RL!dePacker.

XComp/XPack employs no software protection mechanisms whatsoever, yet Bitdefender, apparently for lack of a scan engine, has signed this off as a virus.

It should be noted that business and freeware in Romania apparently enjoy an inexplicable reputation. Particularly when it is a freeware site without advertising, this could lead the developers there to conclude that it must be something harmful, especially in the case of compression software.

We have been using BitDefender for over 2 years and compressed entire directories with the more-than-a-year-old version of XComp/XPack, in comparison to UPX and PECompact; yesterday, however, their product BitDefender Business Security went over them with a deletion sweep.


Test file BitTorrent.exe, unpacked with upx -d and then packed with XComp:
bittorrent.exe [568.27 KB]
Result: http://www.virustotal.com/ro/analisis/d7580b66560471ce5f5aafe7a9ae786d
A great example: upx.exe packed with XComp, 265.19 KB
upx.exe false positive, packed, detected as Packer.XComp.A

With this, the question I ask myself about antivirus firms and their security products:
Are most of the packers listed for example in ExeInfo PE ver. 0.0.1.8 E (360 signatures) by A.S.L. really virus producers, or are these just flop drag-and-drop signatures from the packers? Because some people pack viruses together with them into files, these packers/compressors are identified as viruses in their virus databases, just like Packer.XComp.A.

Logically it saves a lot of time to put whole packers by string/signature into the AV database rather than examine the truth inside the packed files, and to control new/old packer/compression programmers: if it's freeware but not open source, must and should it be hosted on sourceforge.net, or be a commercial packer/compressor, for AV companies to fit it into their concepts?!??!!!

If this is true, I think maybe the AV security systems need to be reformed, not only in following the reports of language-localized PC magazines: AV vs. AV, false positive % / price value, quality of research labs.
Support/Forum/Phone: ... Thanks for the advanced, friendly English language knowledge together with the basic product and computer knowledge, just like from a textbook, by the support team - or was it the sales team?
Not by asking the simple questions, but by these kinds of difficult questions where they have no answers..!

After a lot of testing, it's incredible: as soon as other signatures are put into files, up to all AVs go crazy and show different results. Something like an anti-cheat mechanism is not known. You can scare unwanted users if you put just the signature of a virus into files but not the virus itself. A very private kind of protection.

13 February 2008

BitDefender Antivirus software false positive detections Packer.XComp.A

http://www.bitdefender.com/site/VirusInfo/
http://news.bitdefender.com/site/browseCategory/1/Security-News.html

False positive on exe packer/compressor XComp098, XComp097 (XComp & XPack). Info:
XComp/XPack: A freeware PE32-imagefile packer/rebuilder
(c)2007 JoKo, Version 0.98 02/18/2007
http://www.soft-lab.de/joko/ExePack.htm

shown by:
BitDefender 7.2 2008.02.13 Packer.XComp.A

Here is a test using uTorrent.exe packed with XComp 0.98 plus a DLL injected beforehand using PECompact: http://www.virustotal.com/analisis/a98615218abef2d02a5f6507a24edda5
A deep analysis of the real target is negative (no backdoor or any kind of virus); on the DLL, all AVs failed.

Since the signature updates from today, 14 Feb. 2008, using BitDefender Enterprise Solution for Windows Server and standalone editions (German versions).

BitDefender Labs Defense Center sucks. They are unable to integrate good unpacking engines for software protectors; the result is false positives en masse!!!

A UPX-variant packer goes unrecognized by the unpacking engine, or Bitdefender is unable to unpack and check the files, while Bitdefender also skips deep scanning/checking inside Armadillo- and Themida-packed files, as well as embedded/injected DLLs when scanning PECompact files.



================================================================

Themida - Armadillo protectors:


Sample of background activity, a possible true positive that BitDefender Labs Romania does not monitor well: packed/protected files automatically installing non-PnP system drivers:

Commercial anti-cracking product from Oreans Technologies for shareware applications...

Shareware protectors like Themida and Armadillo.
Oreans' Themida and the Armadillo exe packers/protectors add and run a system service as a hidden non-plug-and-play device driver, plus registry values for which even the admin account has no modify or delete access on the Windows registry key entries.

Themida is the evolution of Xprotector. Oreans.sys is the faulting driver. It is part of Xprotector/Themida, which is a software protection scheme used by some shareware programs.
I've downloaded Themida from www.oreans.com and started to check.

Themida uses a ring-0 .sys (Oreans.sys) as Xprotector did (xprotector.sys). The WinLicense driver is loaded in memory; there is no way to read from process memory.
The Themida and Armadillo exe packers have the option to easily embed a nag/splash screen, with the possibility, using certain tools, to attach a virus/backdoor and other files inside the bmp or jpg picture files to the exe, dll, ... while packing/protecting it against code viewing.

Oreans.sys and xprotector.sys you will find under Control Panel > Hardware > Show hidden devices > Non-plug-and-play devices.
Uninstall this "security" background service from there. After that it is still not done: you need to edit the registry, but the keys are locked. Right-click, set the access control so that you can delete
the registry entries as admin; see the attachment for how to get rid of it.

This also applies to newer Armadillo, www.siliconrealms.com,
by Digital River, Inc.;
see Wikipedia: Digital River.

It will run after the very first execution of a Themida- or Armadillo-protected, injected or packed exe or dll file, starting with Windows in the background as a non-PnP driver service. The driver service and .sys files are extracted from the packed file and automatically installed as soon as the protected file runs for the first time.

Service (registry key): XPROTECTOR and others used by Armadillo SoftwarePassport (siliconrealms = Digital River) and Oreans Technologies: Themida®, WinLicense®, Code Virtualizer®, ...
Display name: XPROTECTOR
Image path: C:\WINDOWS\system32\drivers\Oreans.sys
The *.sys files are not signed and show no version info.
The Oreans driver is loaded in memory at system start.

Access via Control Panel > System properties > hidden devices > non pnp > check the entries and click uninstall.

Image path: %windir%\system32\drivers\Oreans.sys
Search the Windows registry for: XPROTECTOR
and Oreans.sys etc...

Windows registry: search for the entries, right-click > Permissions, and change the ownership to get permission to delete, remove or edit them.
If that fails, try removing that kind of driver in Windows Safe Mode.
It will reinstall itself as soon as you start an application that is protected by these exe packers/protectors, and you have to do the whole process all over again.
Check with PEiD or ExEinfo PE which files are done with Armadillo and Themida. Not too long ago, many issues with older versions of Oreans.sys were reported on overclocked CPUs; whether newer versions have fixed this is unknown. The best you can do is delete files with this kind of protector, or unpack them with OllyDbg. For a while now, uTorrent and BitTorrent as well as eMule mods have been protected by some "modders" with these shareware protectors.
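Before uninstalling anything through Device Manager or the registry, an administrator usually wants a read-only inventory of what is actually installed. The following PowerShell script is an added example, not part of the original post; it only assumes the driver names the post gives (Oreans.sys, xprotector.sys) and the standard Services registry hive, and it checks the two properties the post observes (no Authenticode signature, no version info).

```powershell
# Added example, not from the blog post. Read-only inventory of kernel-driver
# services whose image file is one of the protector drivers the post names.
# Reports start type, whether the file exists on disk, its version info and its
# Authenticode status. Nothing is stopped or removed. Run in an elevated session.
$SuspectDrivers = @('oreans.sys', 'xprotector.sys')   # driver names taken from the post

function Resolve-DriverPath([string]$ImagePath) {
    # Driver ImagePath values come in several shapes; normalise them to a real file path.
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\...     -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return [Environment]::ExpandEnvironmentVariables($p)
}

$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Find-ProtectorDrivers {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath
        if (-not $svc.ImagePath) { return }
        $leaf = [IO.Path]::GetFileName($svc.ImagePath.Trim('"')).ToLower()
        if ($SuspectDrivers -notcontains $leaf) { return }

        $path   = Resolve-DriverPath $svc.ImagePath
        $exists = Test-Path -LiteralPath $path
        $start  = if ($null -ne $svc.Start) { $StartNames[[int]$svc.Start] } else { 'unknown' }
        # The post states these .sys files are unsigned and carry no version info;
        # these two checks confirm that on the machine at hand.
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        $ver    = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion } else { 'n/a' }

        [pscustomobject]@{
            Service     = $_.PSChildName      # e.g. XPROTECTOR, as named in the post
            DisplayName = $svc.DisplayName
            ImagePath   = $path
            StartType   = $start
            FileExists  = $exists
            Signature   = $sig                # 'NotSigned' is what the post describes
            FileVersion = $ver
        }
    }
}

Find-ProtectorDrivers | Format-List
```

An empty result means no service in the hive points at either driver; a hit with StartType Automatic or System and Signature NotSigned is the situation the post describes and is worth recording before the manual removal steps above are carried out.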

Oreans.sys v1.40 (one of the latest Versions) and some registry keys: Orleans Thermida System Driver Service Non PnP Hidden device.zip 89,7 KB (91.856 bytes)

http://www.google.com/search?q=XPROTECTOR+Oreans+driver

Changing the AV solution back to Symantec Corporate Solutions, Kaspersky or Nod32 Enterprise for servers will be the only way to avoid strong false positives and get a better unpacking/scan engine for types like Armadillo and Themida, plus to save the time spent unpacking unsure applications manually. More configuration options and settings, as well as *exclude* filters etc., are available in all of them.
BitDefender Support
Our support staff enjoy exclusive training in order to answer customer inquiries quickly and in a goal-oriented manner, or not: if they are out of their depth, they like to dodge the question.
http://www.softwin.ro/?pagina=stiri&&stire=118 - http://www.softwin.ro/?pagina=istoric

BitDefender
BitDefender™ is the Romanian producer and worldwide technology leader in data security. The company offers innovative solutions that protect effectively against IT threats, setting new standards in the field for speed of reaction, installation, use and easy updating. Present in over 6000 stores on five continents, BitDefender is the most widespread Romanian product in the whole world, effectively protecting over 41 million individual and corporate users in more than 180 countries against threats. BitDefender has branches in the USA, Great Britain, Germany, Spain and Romania. More information can be found by visiting the site: http://www.bitdefender.ro

Network Diag and Monitoring, Process Info Tools AiO

All latest versions for a quick network diagnosis and connection monitoring (TCP, UDP, ...), web browser site diagnosis, program debug diagnosis and process info.

  • From www.nirsoft.net
    InsideClipboard v1.04
    IPNetInfo v1.10
    MozillaCacheView v1.05
    IECookiesView v1.71
    CurrPorts v1.32
    WhoisThisDomain v1.23
    ActiveXHelper v1.12
    RegScanner v1.62
  • Freeware from XP-Antyspy.org
    xp-AntiSpy.exe
Download 13.53 MB: Network Tools and Diag.rar

Microsoft Patchday February 2008: maximum connection limit TCPIP.SYS patch for P2P

Connection limit patch for P2P
Microsoft Patchday February 2008

Contents: MS08-004 - Security in Windows TCP/IP (KB946456)
It replaces/updates tcpip.sys on all Windows OS versions. You will need to run xp-AntiSpy again after the update to patch the connection limit!

The connection limit patch can now also be applied to 64-bit systems.

Download 75.50 KB: xp-AntiSpy.exe
