UBCD4WIN

Lisa Kachold lisakachold at obnosis.com
Sun Mar 1 22:40:00 MST 2009


I think this is meant to be a virus "inoculation" type RAMDISK or unwritable CD?

There are a whole class of virus checking security programs that run completely from a RAMDISK in order to mount and analyze virus and trojan behavior outside of Windows. 

Historically, viruses have developed a whole subset of behaviors, including:

1) self replication = when attempts to remove them are made, they replicate to the BIOS or a USB key, for instance, so running from RAM, which is reset upon boot, was developed.
2) self defense = i.e. when removed from actively running systems they copy themselves to another file name
3) camouflage = they use various Windows features to hide from general checks
4) controls that preclude removal, written into RPC, don't allow you to remove them.

Of course there are quite a few other things they do, but this explains why your virus cleaner runs from a CD, where the virus cannot further infect by writing, and can run through special controls.

obnosis.com | wiki.obnosis.com| (503)754-4452
PLUG HACKFESTS 2nd Saturday Each Month at Noon - 3PM

Date: Sun, 1 Mar 2009 22:53:11 -0500
Subject: Re: UBCD4WIN
From: bmike1 at gmail.com
To: plug-discuss at lists.plug.phoenix.az.us

Thanks for letting me know about this program. I was wondering though: it seems that this was made to be installed. Is that so?

On Sun, Mar 1, 2009 at 4:51 PM, mike havens <bmike1 at gmail.com> wrote:

yes... I will do this this way. thanks for the thrashing! lol


On Sun, Mar 1, 2009 at 4:31 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:

Having this Windows ramdisk on a flash disk, you MUST have copied it correctly - it's going to need a partition of its own (RAMDISKs are like boot floppies); next you will need a BIOS that allows you to specify a USB device in boot order. This is a complex process in itself.

I can see you are spoiled by Nix? Under Linux you can download any iso and loop mount it, then copy it in total to a new drive, edit it and reburn it.

In this way, one can trivially change any distro you provide for an InstallFest, or as a gift for a new "trainee".

You can brand your own installs, script additional features or process startups (tunnels), preconfigure example files (hosts, sshd_config [certain characters in files {alt255 on keypad} will keep any line from running while it appears in the config file]), recompile top/ls/df to do whatever you might like, or simply run a script to add a rootkit for instance.

I suggest that your repair ramdisk be made following the instructions - just use a CD.

obnosis.com | wiki.obnosis.com| (503)754-4452
PLUG HACKFESTS 2nd Saturday Each Month at Noon - 3PM



Date: Sun, 1 Mar 2009 13:46:57 -0500
Subject: Re: UBCD4WIN
From: bmike1 at gmail.com
To: plug-discuss at lists.plug.phoenix.az.us



is this not possible?

On Sun, Mar 1, 2009 at 1:46 PM, mike havens <bmike1 at gmail.com> wrote:


I was hoping that what I could do is drag-n-drop the drive onto an icon and not need to burn a CD. That way I could update it at home and bring the flash drive to the job.


On Sun, Mar 1, 2009 at 1:26 AM, Charles Jones <charles.jones at ciscolearning.org> wrote:

mike havens wrote:

> I downloaded it and am unpacking it now. I am, however, unclear as to
> where to get updates and how to install them into the program. What I
> am going to do is put it onto a flash drive and just update the virus
> info!



Mike,

Once you boot the disc (it takes a frighteningly long time to boot up Windows from a super-compressed CD), it will ask you first which shell to launch; the default one is fine. Then it will ask if you want to bring up the network interfaces. Choose yes and just accept the defaults (assuming DHCP). Then once you are online you can, for instance, launch SpyBot Search & Destroy (one of the AV tools) and use the built-in update function. It will connect to their server and download the updates (to the RAMDISK) and then restart (Spybot S&D restarts). You can then do a scan with the newest updates.

You can also use the web browser, etc., if you want to download and install your own program (if it's small enough to fit in the ramdisk).

---------------------------------------------------

PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us

To subscribe, unsubscribe, or to change your mail settings:

http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss



-- 
:-)~MIKE~(-:



-- 
:-)~MIKE~(-:






-- 
:-)~MIKE~(-:





-- 
:-)~MIKE~(-:

_________________________________________________________________
Windows Live™ Contacts: Organize your contact list. 
http://windowslive.com/connect/post/marcusatmicrosoft.spaces.live.com-Blog-cns!503D1D86EBB2B53C!2285.entry?ocid=TXT_TAGLM_WL_UGC_Contacts_032009
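Lisa's remark that a stray "alt255" character in a config file keeps a line from taking effect while it still looks fine in the file is also worth checking for from the defensive side, since a directive that silently stops applying (in sshd_config, say) is easy to miss on review. The scanner below is an added example, not code from this list thread or from UBCD4WIN. It assumes the hidden character is a no-break space, a lone 0xFF byte (taken here to be what Alt+255 yields under code page 437, an assumption), or any other non-printable-ASCII code point, and the sshd_config fragment it scans is constructed for the demonstration.

```python
import re
import unicodedata
from typing import List, Tuple

# Anything outside printable ASCII (0x20-0x7E) or a plain tab is suspicious in a
# text config file. The regex runs on text decoded with surrogateescape, so an
# undecodable raw byte appears as a lone surrogate U+DC80..U+DCFF and is caught too.
SUSPICIOUS = re.compile(r"[^\x20-\x7e\t]")


def describe(ch: str) -> str:
    """Human-readable label for one suspicious character."""
    cp = ord(ch)
    if 0xDC80 <= cp <= 0xDCFF:          # surrogateescape'd raw byte
        return f"raw byte 0x{cp - 0xDC00:02X}"
    return f"U+{cp:04X} {unicodedata.name(ch, 'UNNAMED')}"


def find_hidden_chars(text: str) -> List[Tuple[int, int, str]]:
    """Return (line_no, column, description) for every suspicious char, 1-based."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for m in SUSPICIOUS.finditer(line):
            hits.append((lineno, m.start() + 1, describe(m.group())))
    return hits


def scan_bytes(data: bytes) -> List[Tuple[int, int, str]]:
    # Normalise CRLF first so a file edited on Windows does not flag every line's '\r'.
    text = data.replace(b"\r\n", b"\n").decode("utf-8", errors="surrogateescape")
    return find_hidden_chars(text)


def scan_file(path: str) -> List[Tuple[int, int, str]]:
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed sample (not from the list post): an sshd_config fragment in which
# three directives carry an invisible character in the gap after the keyword.
SAMPLE_CONFIG = (
    b"# constructed sshd_config fragment\n"
    b"Port 22\n"
    b"PermitRootLogin\xc2\xa0no\n"        # U+00A0 no-break space
    b"PasswordAuthentication no\n"
    b"X11Forwarding\xff no\n"              # lone 0xFF byte (assumed Alt+255 under CP437)
    b"AllowUsers\xe2\x80\x8badmin\n"       # U+200B zero-width space
)

if __name__ == "__main__":
    for lineno, col, what in scan_bytes(SAMPLE_CONFIG):
        print(f"line {lineno} col {col}: {what}")
```

Run it against a real file with `scan_file("/etc/ssh/sshd_config")`; an empty list means every byte in the file is printable ASCII or a tab. The check is deliberately strict about encoding: a legitimately UTF-8 comment will also be reported, which is the right trade-off for a file a daemon parses, since the reviewer can whitelist a comment line far more safely than they can spot a no-break space by eye.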

