[wavefunction]

It appears that the honeypot has been compromised in both a domestic botnet running in system memory by "authorities" local to the US, and also that there are background processes in Windows that are inspecting the filesystem for binaries matching certain signatures no matter how the user configures the system, even "stubbing out" the visible processes that would make sense, like their anti-malware and indexing services. Basically a Windows machine is owned from the get go.

Unfortunately this is not exactly my particular area of expertise, so for me it's like glimpsing a shadow through smoke and a moving window, mostly an impression but something that has become more and more sophisticated despite my attempts to prevent it via traditional and modern methods of forensics, and even weird things like audible and inaudible platter noise when there shouldn't be heavy (this is the key for me) disk io.

[wavefunction]

I should say as well, I am an interested layman when it comes to this stuff. I have a knack for maths and statistical analysis, so please take my comments for what they're worth, which is only anecdotal

[revscat]

Those are pretty explosive claims.

a) How are you identifying the processes? 2) How are you determining that they are inspecting the filesystem?

[wavefunction]

I certainly understand the gravity of what I'm alleging, and I wish I had formal training in this stuff so I could publish my observations with some sort of rigour. I will say my methods are pretty crude and consist of:

Process of elimination as far as the processes are concerned. Basically I have been paring back the processes that are visible to me in memory until it should be a bare minimum for a functional Windows kernel in memory, and stubbing out the non-essential processes I find with empty "stubs" so that the hooks are still there but non-functional. Then observing disk io and memory usage, and repeating. Not very scientific, but again, I'm an amateur.

The stuff about disk platter noise is simply recording the audible and inaudible frequencies generated from the platter (I haven't upgraded to a ssd for the system disk yet), and then running regressions on the wave forms to detect anomalies via the noise generated by the platter and the reading head interacting. I was interested in looking into the inaudible frequencies because it seemed like a good way to cloak disk io from the average user.

As far as the botnet stuff, I've done some MITM packet analysis and some simple stuff like tracerts and observing changes in routing. Right now the box is routing all name service through what appears to be another compromised box in the US state of Georgia, though I'm hesitant to do much network topology due to port-scanning being considered the same as cracking.

This is all just a hobby, and I'm sure some of the stuff I've mentioned about is either very crazy sounding or perhaps already known to people more knowledgeable than me. I grew up when pcs were still a weird hobby for society, and so this sort of stuff seems like things we should be able to do without fearing repercussions.

Also, I only posted this to give context to what I had posted before, so take it for whatever you want to. I'm interested in non-violent solutions to improving society and I don't want to jeopardize that.

[JamisonM]

How do you tie these things back to a domestic botnet controlled by "authorities" local to the US?

[wavefunction]

Just looking at the disk activity of reads, inspecting the memory dumps from these periods, and picking out what I can via a hex editor as far as what the "inspection" appears to be looking for via checksums derived from file blocks, which appear to be tied to images and videos. I'm assuming that this is domestic and not foreign, which I certainly could be wrong about. I'm also assuming they're looking for kiddie fiddlers, which I doubt someone like China would be all that interested in, but maybe the PRC is for blackmail purposes.

A lot of this stuff is sort of ephemeral and I don't have any credentials to really convince anyone. That's why I would post this, maybe someone else knows more than me. Like I said, take this as anecdotal and perhaps incorrect... You'll notice a lot of assumptions by me.

[JamisonM]

Well, the behaviour you are describing just sounds like Microsoft's anti-virus software - and they have a datacenter in Georgia - something to consider.

If you are genuinely concerned I think it is pretty simple to contact real professionals with whatever data you have.

[wavefunction]

I don't know, the name service resolution terminated in a server with an open smtp relay, which might be what you're talking about but sounds strange. Plus, it's name service resolution for _all_ outbound traffic. Thanks for the tip though. Like I said, I'm just a computer hobbyist