The ORT Thread (aka Sea Turtle Thread)

Yeah, Bitdefender really dislikes ORT, detects it as Gen:Variant.Symmi.65989 - I had to keep whitelisting it for the download, the folder I moved it to, and my flash drive.

Of course, Bitdefender also really dislikes d7techtool.com which is the download domain for d7 updates.
 
TOR does download the exe but then Bitdefender with MAX will block and quarantine the exe program.


Ok, that is somewhat normal. I'm looking into other methods to nicely package ORT so that it won't set off every AV known to man, so I'll keep you posted. For now my best advice is to disable your anti-virus.
 
I'd like to apologize for my website going down recently. I've been having issues with a UPS, and its replacement just arrived yesterday. I'll be getting it installed soon, and I'll have a banner on my website with the scheduled maintenance date as soon as I figure out when I'll be doing it. I also have plans to move to a hosted website, but those are further down the line.
 
Tomorrow (7-31-16) at 4:00PM central time I'll be taking my website and other web services offline for maintenance. This information is also on my website.
 
Build 126 is available for download! It contains two very important bug fixes:

  • ORT was setting the wireless service (Wlansvc) to its MS default startup value of manual, which would break wireless connections on laptops
  • ORT would not properly move bookmarks and passwords into Google Chrome browser after it was reset if the username had a space in it
To move the Google Chrome bookmarks and passwords manually, here is the code:
Code:
rem switch into the freshly reset Chrome profile (/d also changes drive if needed)
cd /d "%localappdata%\Google\Chrome\User Data\Default"
rem pull bookmarks and saved passwords back from the backup (infected) profile
copy "..\Default_Infected\Bookmarks" .
copy "..\Default_Infected\Login Data" .

One other minor bug I fixed is that when the Google Chrome restore tool was used, the extensions did not come back. This is corrected by this code:

Code:
cd /d "%localappdata%\Google\Chrome\User Data\Default"
rem remove the empty Extensions folder Chrome recreated after the reset
rd Extensions /s /q
rem put the backed-up extensions folder back in its place
ren Extensions_Infected Extensions
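The two batch snippets above, done in one PowerShell script as an added example (this is not ORT's own code). It assumes the same layout the batch commands imply: a backup profile folder named Default_Infected next to Default, and a backed-up extensions folder named Extensions_Infected inside Default. It refuses to run while Chrome is open, because Chrome keeps Login Data and Bookmarks locked and a copy over a live profile tends to fail silently.

```powershell
# Added example, not ORT's code. Restores the Chrome profile items that the
# thread's batch snippets copy back by hand. Folder names are assumptions
# taken from those snippets.
param(
    [string]$UserData = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'),
    [string]$Backup   = 'Default_Infected',
    [string]$Profile  = 'Default'
)

$src = Join-Path $UserData $Backup
$dst = Join-Path $UserData $Profile

if (-not (Test-Path -LiteralPath $src)) { throw "Backup profile not found: $src" }
if (-not (Test-Path -LiteralPath $dst)) { throw "Live profile not found: $dst" }

# Chrome holds its profile databases open while running; copying over them
# is the usual reason a manual restore appears to do nothing.
if (Get-Process -Name chrome -ErrorAction SilentlyContinue) {
    throw 'Close Google Chrome before restoring profile files.'
}

# Bookmarks and Login Data: plain file copies, same as the first batch snippet.
# Login Data is DPAPI-encrypted for the Windows user, so it only restores
# correctly under the same user account it was backed up from.
foreach ($name in 'Bookmarks', 'Login Data') {
    $from = Join-Path $src $name
    if (Test-Path -LiteralPath $from) {
        Copy-Item -LiteralPath $from -Destination $dst -Force
        Write-Host "Restored $name"
    } else {
        Write-Warning "$name not present in $Backup; skipped"
    }
}

# Extensions: the reset leaves an empty Extensions folder behind, so remove it
# and rename the backed-up folder into place, as in the second batch snippet.
$liveExt   = Join-Path $dst 'Extensions'
$backupExt = Join-Path $dst 'Extensions_Infected'
if (Test-Path -LiteralPath $backupExt) {
    if (Test-Path -LiteralPath $liveExt) {
        Remove-Item -LiteralPath $liveExt -Recurse -Force
    }
    Move-Item -LiteralPath $backupExt -Destination $liveExt
    Write-Host 'Restored Extensions'
} else {
    Write-Warning "No Extensions_Infected folder under $Profile; nothing to restore"
}
```

Run it as the user whose profile was reset; passing -Profile lets it target a non-default Chrome profile folder if the machine has several.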
 
After looking at what ORT does, it seems to me that it would create more problems than it solved. The time taken to go and set everything up again is an issue.
Customers asking why this doesn't work, what happened to my passwords, services being reset to default and requiring tuning again, killing the hosts file, killing startup services that have to be reinstated, etc etc.

  • Resets the settings of the Internet Explorer browser
  • Resets the Google Chrome browser to factory state (while keeping bookmarks, history, and some saved passwords)
  • Resets the Firefox browser to factory state (while keeping bookmarks, history, and some saved passwords)

All I can see is 101 questions from customers!
Wouldn't it be easier and far less destructive to just run a Rescue CD like AVG, Kaspersky, Avira, or similar?
 
Wouldn't it be easier and far less destructive to just run a Rescue CD like AVG, Kaspersky, Avira, or similar?

I'm glad you asked! First, let me start off with this:

ORT has some general malware fighting provisions as well, and can be used for home and commercial use--but be warned, it is a powerful tool, and should be used with care.

That being said, let's look at a few things you mentioned, as they are valid points.

After looking at what ORT does, it seems to me that it would create more problems than it solved. The time taken to go and set everything up again is an issue. Customers asking why this doesn't work, what happened to my passwords,

I think you are thinking of browsers when you are saying this. When ORT cleans out a web browser, it duplicates the profile, and removes anything that is potentially infected. As mentioned in the first post of this thread, I'd rather err on the side of being too aggressive, so I delete things like cookies, preferences, and extensions. So, if you had a password stored in a cookie in Firefox, you're just going to have to type in that password again. The same is true for Google Chrome, where I only save bookmarks, login data (your passwords), and the history. If this creates an issue, I have a solution:

What's in the folder C:\ORT?
1. The ORT log (ORT.txt).
2. A backup of the IP information before ORT reset it (ip-backup.txt).
3. A dump of some system info (info.txt).
4. A file with the names of a majority of the deleted files (cleaned.txt).
5. A tool for restoring Google Chrome to its previous (infected) state.
6. A tool for restoring Firefox to its previous (infected) state.

I figured my aggressive cleaning methods would cause issues, so I created undo tools for them. Just double click the batch file, press a key to confirm, and you are right back to where you were. You can then use a tool like JRT or ADW cleaner to clean out the browser.


After looking at what ORT does, it seems to me that it would create more problems than it solved....services being reset to default and requiring tuning again, killing the hosts file, killing startup services that have to be reinstated, etc etc.

So, here is where the niche for ORT comes in. My utility is designed to go in ahead of a regular malware scanner and get the system back on the network, as well as cleaning out temp files to shorten scan times. This being said, it is meant to change a lot under the hood of a PC to get it back on the network. Let me address each item individually:

  • Services:
    Lots of malware will go after services (like Windows update, Security Center, etc) so it can run without interruption. All ORT does is reset these to the default values [With the exception of the wireless service, it turns that one ON as it defaults to off, but it was breaking wireless connectivity.] Since I want ORT to make a system ready for a traditional AV/AM scanner, I want to ensure that mission critical services are running as they should.

  • HOSTS file:
    While the trend in malware using the HOSTS file has gone down, it's still a very basic place to put in a block. If I were a malware author, I'd block the domains of AV/AM downloads in the HOSTS file. While it's no challenge to an experienced technician, a home user or an AV program trying to download definition updates is going to be dead in the water if its download mirrors are blocked in the HOSTS file.

  • Startup:
    I want to make a clarification here: ORT does not turn anything off at startup, except for what's in the startup folder:
    Deletes the contents of the startup folder
    I do this because a lot of PUPs use the startup folder to launch themselves, and therefore clearing out the startup folder cuts through a lot of chaff. However, I do see where this is problematic -- so, does the idea of creating a quarantine folder and moving the startup items there sound agreeable to you?
My utility is no replacement for AV, bootable scanning environments, or other full fledged malware scanners. I am always open to feature suggestions, bug reports, and any other feedback. However, the aggressiveness of ORT is rather critical to its functionality, so I can't remove all of it and promise it won't touch personal customization on a PC.
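An added PowerShell example (not ORT's code) covering the HOSTS and startup-folder points from the post above: a read-only audit that lists HOSTS entries pinning a hostname to a loopback or null address, which is the kind of AV-mirror block described, and a "quarantine instead of delete" version of the startup-folder cleanup, so items can be put back. The quarantine path C:\ORT\Quarantine\Startup is an assumption; ORT's actual folder only holds the files listed earlier in the thread.

```powershell
# Added example, not ORT's code. HOSTS audit plus quarantine-style handling
# of startup folder items. Quarantine path below is an assumption.

# Lists HOSTS entries that map a name other than localhost to a loopback or
# null address; these are reported, not changed, so the technician decides.
function Get-SuspiciousHostsEntries {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    $blockTargets = '127.0.0.1', '0.0.0.0', '::1'
    $normalNames  = 'localhost', 'localhost.localdomain', 'broadcasthost'
    Get-Content -LiteralPath $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # strip comments
        if (-not $line) { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }         # malformed line, ignore
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($ip -in $blockTargets -and $name -notin $normalNames) {
                [pscustomobject]@{ Address = $ip; Host = $name }
            }
        }
    }
}

# Moves everything in the per-user and all-users Startup folders into a
# timestamped quarantine folder, keeping the source folder name so the item
# can be restored. Supports -WhatIf for a dry run.
function Move-StartupItemsToQuarantine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Quarantine = 'C:\ORT\Quarantine\Startup'   # assumed path
    )
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # current user
        [Environment]::GetFolderPath('CommonStartup')   # all users (needs admin)
    )
    $dest = Join-Path $Quarantine (Get-Date -Format 'yyyyMMdd-HHmmss')
    foreach ($folder in $folders) {
        $items = Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -ne 'desktop.ini' }
        if (-not $items) { continue }
        # one sub-folder per origin, e.g. C__Users_me_...Startup
        $sub = Join-Path $dest ($folder -replace '[:\\]', '_')
        foreach ($item in $items) {
            if ($PSCmdlet.ShouldProcess($item.FullName, "Move to $sub")) {
                New-Item -ItemType Directory -Path $sub -Force | Out-Null
                Move-Item -LiteralPath $item.FullName -Destination $sub
            }
            [pscustomobject]@{ Item = $item.FullName; Quarantine = $sub }
        }
    }
}

Get-SuspiciousHostsEntries | Format-Table -AutoSize
# Dry run first; drop -WhatIf to actually move the items.
Move-StartupItemsToQuarantine -WhatIf
```

The HOSTS check deliberately stays read-only: an entry pointing an update mirror at 127.0.0.1 is a strong signal, but a few vendors ship legitimate loopback entries, so it is something to review rather than auto-remove. Restoring a quarantined startup item is just moving it back from the timestamped folder.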
 
Thanks for taking the time to explain all that, but I don't think ORT is a tool I would be comfortable with. I'll keep an eye on the development of ORT and see where it goes.
 
Build 127 has been released, with two big improvements! First, I added a few definition updates, along with a silent command line parameter. So if you run ORT like:
Code:
ORT.exe /s
ORT will run in silent mode (no button clicking, logs opening, etc). Secondly, I changed how ORT is packaged, so it is much less prone to be flagged by malware. Please note that if you upload the file to VirusTotal any AV engines that don't flag it get notified of the existence of that file, and many will write a definition for it without analyzing the file, so if you'd like ORT not to be flagged by everything DO NOT upload it to VirusTotal.

Otherwise, let me know if you see an improvement in how many times you see it flagged and enjoy your malware removal!
 
Build 129 has been released! This comes with some big changes that I'm very excited about.

First, I switched compiling tools (I'm rolling my own wrapper) so ORT shouldn't be detected as malware by every AV known to man.

Next, ORT is recompiled every hour and automatically uploaded to the server. This should cut down on any false positives for ORT being identified as malware.

Finally, I moved my hosting to the cloud, and I rebuilt my website (and got rid of my bad looking hand written pages). Check out the new and improved website at www.oakslabs.com.
 
@OaksLabs just checked your site and got this

I'm sure it's an error. Just thought you should know
 
Hi everyone. I kicked off a mini white list campaign, and I hope to see some changes soon.

As far as endpoints go, I have a couple improvements planned - namely a code signing certificate. It's not exactly a cheap item (so it is probably going to be on the 2018 budget) but that should help with Windows Smart Screen (and some browser based checks).

As a side note, how is ORT performing? I don't use it on a daily basis anymore since I changed jobs, so I don't have a good in-the-wild perspective on things. Is it still effective at knocking out PUPs?
 