12 replies to this topic

[ipl_001]

Hi Galadriel, cnm, hi everyone,

...
- How did Merijn come here?
I have in mind Merijn was posting at DOXdesk (unless it was CEXX) when Mike wrote an article about malware (no longer on the Web) and that Merijn came to join Mike and the teams here, right?
...

...
As far as I know, Mike started SWI in 2001. I think the board itself was probably started in 2001 also. I joined (not necessarily registered, but stumbled here) in the middle of 2002. Merijn was already active here, so I don't know the details of his arrival.
...

(I changed to italic myself)

If you are interested in this part of the story, I found some lines written by Merijn in Mai 2005 on hijackthis.nl:

Ongeveer 3 jaar geleden ben ik op de security newsgroups van Gibson Research Corporation terechtgekomen, en vandaar op SpywareInfo waar mijn site gehost wordt. Na een brainstormsessie op oude CounterExploitation board is HijackThis geboren adhv een artikel 'Hijacked!' van Mike Healan (eigenaar van SpywareInfo).

As everyone understands , that should mean:

Approximately 3 years ago I'm on the security newsgroups of Gibson Research Corporation, and then on SpywareInfo where my site is hosted. After a brain storming session on old CounterExploitation board was HijackThis born after an article 'Hijacked! " by Mike Healan (owner of SpywareInfo).

... a brainstorming session on CEXX following Mike's lines "Hijacked!", is at the origin of HijackThis; Merijn then joined SWI.

~~~~~ edit:
Thanks to cnm for having split the discussion about the DDoS attacks and separate this post.
I changed some words above, especially in the translation from Dutch initially performed by Google.

Edited by ipl_001, 30 July 2008 - 06:18 PM.

[cnm]

http://www.merijn.org continues to be hosted on our server, although Merijn sold CWSredder and HijackThis. The site is not often updated any more, but it still has valuable articles and utilities.

[ipl_001]

Hi cnm,

I didn't realize that this domain was on your server!

But a little problem regarding Merijn's site is that there're old links pointing to http://www.spywareinfo.com/~merijn/ which are now dead!

- for example, the news dated "December 11, 2007" on the page you linked to, states "I've answered this question so often now and pointed people to the relevant answer on my FAQ so many times"... the link is dead!

- on this same page, Merijn fixed most of the them but I counted 5 dead links

- similarly, on the latest "Windows Secrets" newsletter (dated July 31), on the right side they display a list "reviews of the best free software".
--- I especially took a look at "Best free anti-spyware" with old URLs like http://www.spywarein...m/articles/p2p/ the link is still alive but it's a bit dodgy to find this on a Newsletter! lol
--- Below on the page, there's http://www.spywareinfo.com/~merijn/programs.php which is dead!
(there's also a lnk to TomCoyote leading correctly to WTT but here again, dodgy!)

[cnm]

You could tell Merijn. I don't have any access to his source, and there are parts of his site that only Mike can access.

[ipl_001]

Hi cnm, hi everyone,

Please, correct me if I'm wrong as lines below sometimes are only thoughts and opinions.

I'm not going to write the history of malware but just a few words before some comments about HijackThis...
- in the very beginning were viruses which consisted in additional code to system files so that the size was changed and the virus was launched when we started the infected programs. An antivirus mainly checked the size of programs: we got messages warning the size had changed and asking whether or not we validated it. At the time, a program could be infected several times so that the size could increase on and on!
- a further stage consisted in the replacement of parts of program code by the code of the virus without any change in the size. An antivirus was trying to recognize characteristic strings in the programs: the "signatures".
- then "viruses" became more sophisticated with infection of other files than system programs (Word, Excel files and any macro-instructioned files), with automatic launch (autoexec macros, start folders, autorun registry keys, etc.)
...
To clean a system, we had antidotes which were specific tools, dedicated to specific viruses.

~~
The result of the brainstorming session at CEXX (see lines in the initial post) led to HijackThis!

As you know, HJT has been a wonderful program which was used to list and easily clean any infection!

HJT was being used at least for 4-5 years as the only program. It was so wonderful that it practically prevented any other tool to emerge!
The secret was that HJT was not dedicated to a specific malware but to a method: it listed the keys of the registry that were used for automatic launch of elements at Windows start... the result was that it listed any content without interpretation bad or legit... a consequence of this "philosophy" was that humans had to analyze the logs and detect badies (an antidote contains this analysis and decision)... hence the schools and our stuff!

HJT was a success and was the tool number One (without any competitor)!
In fact, HJT has not been as successful as expected because it nethertheless needed continuous improvements as pirates were finding out news methods to start baddies (Windows has oodles of possibilities to automate tasks... too many possibilities).
~~

Back to antidotes for a while...
Merijn also developed a superantidote named CWShredder that was targeting the Cool Web Search family, a series of horrible malware Merijn was specialized in!
Merijn decided to sell CWShredder to Intermute on October 19, 2004

- http://www.wildersse...ead.php?t=71451
- http://www.lockergno...res-cwshredder/
- there was a very long article mentioned at http://www.merijn.org/articles.php , unfortunately http://www.cwshredde...chronicles.html is now dead

NB: Intermute was then acquired by Trend Micro in June 2005.

I remember a discussion on SWI between Merijn and pilar members reproaching the sale (I could prolly find the URL) in which Merijn was saying CWShredder was a tool of his and he could decide freely but on the opposite, he considered HJT had been designed collectively and was not his tool and he would never sell it!!!
Rights on HijackThis were sold to Trend Micro on March 12, 2007

- http://www.merijn.org/oldnews.php
- http://news.cnet.com..._3-6167308.html
- http://us.trendmicro...0322131808.html

Again, I don't want to start a debate: please, correct me if you don't agree with my statements.
I just wanted to relate and comment on HijackThis history.

~~ edited to improve presentation.

Edited by ipl_001, 01 August 2008 - 04:46 PM.

[ipl_001]

Hi everyone,

I found the discussion regarding CWShredder sale in October 2004...

- the post in which Merijn says he is the owner -> http://www.spywarein...?...st&p=138347

- I didn't find the post in which he wrote he was not the owner of HijackThis but only that he won't sell it -> http://www.spywarein...?...st&p=142968
The reason of not selling it is "as I am still developing it." poor memories from me!

... funny to read old threads and to meet members of this period!

[Metallica]

It is too bad the old forums were lost.
At the point where Merijns tool to fight of the CWS malware was beginning to get so complex that he decided it needed a name, he started a thread asking for suggestions.
I posted 3 of them, two silly as usual but the 3rd suggestion was CWShredder.

[Galadriel]

lol Pieter, I remember... and yes, it is extremely unfortunate that the old boards are gone. :weep:

[ipl_001]

Hi Gal, Pieter,

So Pieter, I understand you are CWShredder's baptizer: did you get money from Trend? ^_^

[Metallica]

So Pieter, I understand you are CWShredder's baptizer: did you get money from Trend? ^_^

ROFL

If there was any chance of that, I may have ruined that in more recent events.

[ipl_001]

I may have ruined that

Yes! I agree!

In the initial post, I reported some Dutch lines praying nobody might come and state my translation was dodgy, laughable and ridiculous, was it?

~~ edit
You were a member of CEXX, do you remember this brain storming which led to HJT?

Edited by ipl_001, 12 August 2008 - 02:34 AM.

[Metallica]

Ongeveer 3 jaar geleden ben ik op de security newsgroups van Gibson Research Corporation terechtgekomen, en vandaar op SpywareInfo waar mijn site gehost wordt. Na een brainstormsessie op oude CounterExploitation board is HijackThis geboren adhv een artikel 'Hijacked!' van Mike Healan (eigenaar van SpywareInfo).

About 3 years ago I ended up in the security newsgroups of the Gibson Research Corporation. From there I went on to SWI where my site is being hosted. After a brainstormsession at the Cexx board HijackThis was born and named after an article called 'Hijacked!' written by Mike Healan (the owner of SWI)

Translated without peaking at yours

I ended up at Cexx after Merijn had already left. I think it was TonyKlein who asked me to help out there when he needed a break. I later passed the care of that board on to Unzy when I needed a break.
The brainstorming probably took place between Merijn, Bill Webb (owner of cexx.org and developer of LSPfix) and Einhander Sn0m4n.
Not sure if Tony was involved as well, you'd have to ask him.

[ipl_001]

Pieter, thanks for the translation and your lines about CEXX !

Have a good night!