Though I say "covertly," the file's name is actually flashed during the installation process of mungabunga.exe. Most users would not notice this, however my laptop is six years old, thus anciently slow; and I was staring. Deleting the mungabunga executable and other files in its directory does not remove tcposmod.
> I'm writing to inquire about the executable named tcposmod that
> accompanies mungabunga.exe (1.0.3) and adds a registry key to run
> at startup. During a test it initiated 144 TCP connections to port
> 80 of web servers around the net in about 8 minutes. It doesn't seem
> to do more than fill up the temporary internet files folder with
> random web page material.
Munga Bunga's Http Brute Force S
> I read your trojan warning and agree if this is what you refer to
> that it's not harmful, just annoying. But, mungabunga was downloaded
> from hackology.com and no other site. Actually the link on hackology
> to download it leads to ns13.eb1.biz at 69.1.71.205, so I don't know
> if that is affiliated with you.
In other words, the longest period of time tcposmod was allowed to run was 8 minutes. It is possible that behavior might change drastically on the 9th minute. It is possible other actions are being carried out against the local system and the noisy network activity is just a disguise. It also may behave differently when run in conjunction with mungabunga.exe.
Alright so I hope I'm not the only person who thinks this is funny. Over a year ago we found tcposmod and notified the author of the program it was bundled with. The author claimed his servers were hacked and code inserted into his program. The irony here is that a year later, the author's program, which happens to be a hacking script for brute force password guessing, is still "infected" with the tcposmod trojan. I HAVE to believe that MB (see the emails below) and his crew are better coders than that. Anyone who overlooks an entire executable packed within a program they update frequently and rave about has serious security issues.
I thought about wasting some more time on tcposmod because it seems people are still getting infected with it, quite often; and there is still a major shortage of information about it on the web. The test setup is a little more advanced than a year ago, which gives us some extra tools and more analytical capabilities as well. I built a Windows 2000 VMware machine and downloaded a copy of munga bunga brute forcer (mbhttpbf.exe) from hackology.com. I installed cygwin to get some basic Unix tools onboard (mainly find) and proceeded to install the brute forcer. I quickly checked if tcposmod.exe was in C:\WINNT\System32 and at the registry location for auto start at boot; and then rebooted the machine. The process ran for a few minutes as once again, I captured all the network traffic at the gateway.
It appears tcposmod is not the only trojan bundled with munga bunga's software; it is accompanied by several dll, ocx, and a misspelled notpad.exe. No puns intended I guess, notpad.exe is really not notepad.exe. Anyway, it looks like the brute forcer to hack passwords on other machines is really just a venue for munga bunga and crew to hack your own machine. I was lucky enough to get a second opinion on the purpose of tcposmod from someone with BASIC reverse engineering skills. This is what he had to say:
Thank you for the report, after looking into it in greater detail, and escalating the issue to our security contact (who is very experienced), we have found that it does reside in the mungabunga file, and have removed it.
Yes, you would most definitely have empty software logs without the hardware to produce them.

Enclosed is a document explaining my methods, key findings, and conclusions regarding tcposmod.exe in further detail. It should be more than enough to at least verify tcposmod's existence within mungabunga.exe (by checking the registry and system folders after installation) even if you can't verify what network traffic it produces. For this purpose I would suggest a packet sniffer such as Snort or tcpdump.
I'm writing to inquire about the executable named tcposmod that accompanies mungabunga.exe (1.0.3) and adds a registry key to run at startup. During a test it initiated 144 TCP connections to port 80 of web servers around the net in about 5 minutes. It doesn't seem to do more than fill up the temporary internet files folder with random web page material.
I read your trojan warning and agree if this is what you refer to that it's not harmful, just annoying. But, mungabunga was downloaded from hackology.com and no other site. Actually the link on hackology to download it leads to ns13.eb1.biz at 69.1.71.205, so I don't know if that is affiliated with you.