alpine0000 0 Posted April 23, 2010 (edited)
Well, this is the 3rd time in the last 2 years that my mailbox has been bashed in. I finally got them on tape. The crappy part is that they got very lucky because I usually have a large post light in the yard that operates from dusk til dawn, and lights up the entire driveway/curb area, but it burned out just TWO nights ago, and I hadn't had a chance to replace the bulb yet!! Unbelievably good timing for them. Not to mention, the main purpose of the camera that I caught them on is to watch my car in the driveway, not the mailbox, so it wasn't zoomed in on the mailbox area. The good part though, is that I have a motion sensor light by my front door that happened to turn on when they drove by, so the scene was lit a little bit.

As you can see, this wasn't kids just joy riding around bashing in random mailboxes. They were directly targeting me. They drove to my court, made a U-turn, and got out and kicked my mailbox in with anger multiple times, then drove away. I drove around the neighborhood this morning before going to work, and there are NO other mailboxes bashed in. Somebody hates me. I need to catch these guys. I used to host a poker game, and I think it may be a bitter player, because I have no other enemies and live a very low-key life (go to work, hang out with gf, renovate my home).

Can anybody tell what kind of car this is? I am going to give the footage to the police today, but I doubt it'll be usable. The fun happens a few seconds after 4:03am on the video footage. Note that the other guy that jumped out of the car was checking the passenger side of my girlfriend's car to see if it was unlocked. I think I'm going to have to install a 3rd camera out front that is zoomed in on my mailbox to catch these guys once and for all, and make sure it is nice and lit up out there every night.
Here is the file player: http://www.flopit.net/onlinestuff/cctv/player.exe
and here is the video footage: http://www.flopit.net/onlinestuff/cctv/mailbox_bash_23april2010.mp4

If you are at work, and your network blocks downloads of .exe files, you won't be able to download the file player. So you can download this, and then after you've got it saved, change the file extension from .abc to .exe: http://www.flopit.net/onlinestuff/cctv/player.abc

First open the file player, then within the file player, choose 'file' > 'open' and browse to the mp4 file.

Thoughts? Advice? Comments?

Edited April 24, 2010 by Guest
Erron S. 0 Posted April 23, 2010
Bummer man, at least the mailbox was the only thing damaged.
alpine0000 0 Posted April 23, 2010
Yea, it definitely could've been a lot worse. The police left a little while ago. I'm surprised at how much effort they put into this. But then again, the officer was kind of impressed with all of the stuff I had for him. I had burned the footage, file player, some photos, and some other things that I won't go into, for him on a CD to take with him. I also didn't touch the mailbox or the passenger car door until the officer arrived. I carefully took the mailbox off of the post, only holding it by the inside of the box, to preserve any prints on it.

The officer showed up, watched the video a few times, then went outside and dusted the entire mailbox for prints, and then lifted prints off of the passenger car door. He found one thumb print on the car door (the passenger side of the car never gets used, so we haven't touched that handle in months), and 3 finger prints on the side of the mailbox, along with 2 foot prints that he also lifted. He said he was going to take the prints and enter them into their database system and see if he gets any hits.

I was very very impressed with his attention to detail, even on a report as small as a mailbox bashing. He was here for a good hour. On top of all that, he then walked around to all of my neighbors' houses and talked to all of them. Not only to see if they heard anything, but to let them know what is going on. I wish all officers were this committed.
Erron S. 0 Posted April 23, 2010
WOW!!! I'm really impressed! That is fantastic! I've never seen so much attention on a vandalism case, good stuff man.
Sawbones 0 Posted April 24, 2010
Can't really make out too much on that video... lighting is bad, and not enough pixels-per-foot. What a pack of assholes... hope you catch them. The police are really doing some investigation on this one... nice to see that.
Bruce M 0 Posted April 24, 2010
I'm in the same position.. Kids stealing mail & petit theft in our area. I put a video system in 3 months ago and so far no more problems... can't wait to catch the kids taking my mail (Federal Crime). I bought two really nice 152 LED cameras - one zoomed to the mail box... the other set up 10' from the street to catch cars and plates. Hope you catch your gang.
Bruce M 0 Posted April 24, 2010
Just watched your video... your DVR is capable of much better night resolution... you may want to try a higher quality Camera. I tried 120$ dome cameras... they work fine for up close (doorways/windows)... but when I replace the 2 cameras that view my driveway and mail box - I couldn't believe the difference. I can now clearly see someone across the street. The 152 LED cameras put out 10x better lighting. They light up everything evenly (not bright in the center and dark outside of say 20 degrees). Good luck catching your trouble makers.
alpine0000 0 Posted April 25, 2010
> Just watched your video... your DVR is capable of much better night resolution... you may want to try a higher quality Camera. I tried 120$ dome cameras... they work fine for up close (doorways/windows)... but when I replace the 2 cameras that view my driveway and mail box - I couldn't believe the difference. I can now clearly see someone across the street. The 152 LED cameras put out 10x better lighting. They light up everything evenly (not bright in the center and dark outside of say 20 degrees). Good luck catching your trouble makers.

I'm using very nice $400 Panasonic dome cameras. It's not a problem with the cameras, it's a problem with the lighting (or lack of). The cameras also aren't set up to monitor the mailbox -- they are set up to monitor my truck in the driveway.
Scruit 0 Posted April 26, 2010
The file player.exe was detected as a threat by my Sophos antivirus classified as "IPConnect". It tried to connect to 24.143.196.66 upon execution. That's a roadrunner address in the Virginia block. Is this expected behavior, OP?
Sawbones 0 Posted April 26, 2010
> The file player.exe was detected as a threat by my Sophos antivirus classified as "IPConnect". It tried to connect to 24.143.196.66 upon execution. That's a roadrunner address in the Virginia block. Is this expected behavior, OP?

Considering I used that to view your video, I'd like an explanation as well.
alpine0000 0 Posted April 26, 2010
> The file player.exe was detected as a threat by my Sophos antivirus classified as "IPConnect". It tried to connect to 24.143.196.66 upon execution. That's a roadrunner address in the Virginia block. Is this expected behavior, OP?

LOL. Maybe it detected it as a threat since it has a .EXE extension? Some anti-virus software will throw a warning when you download *any* kind of executable... I can assure you, that is the file player that came on the CD with my DVR. It is virus-free. I am also hosting the file on my own web server.

I have no idea what you are referring to with the 24.143.196.66 IP address. That is not any address of mine. Not to mention, I don't even have Roadrunner. I have a Cox Business Internet Account here. I have had Norton Internet Security / Anti Virus on my machine for a few years now, along with this DVR software, and it has never whined about it.

Sawbones -- don't worry. You're safe. I am a Network Admin and Database Admin, also with some web development experience... I know a thing or two about computers. One of the certifications that I hold is Security+, which specifically deals with computer threats and security. I wouldn't do you guys wrong. Haha Scruit, that file is 100% safe to open. Nothing more than a video player that came with my DVR.

EDIT: I just did a search for that IP/company name that you spoke of, and saw that other people have had that issue as well. http://www.computing.net/answers/windows-xp/who-the-hell-are-roadrunner-holdco/99852.html It may be another issue with your machine. I have had at least 10 other people download the player and video and have had no reported issues. I also just tried to download and run the file on my machine from the link above, and it worked fine. Norton didn't whine a bit. Not to mention, a few others in this thread have downloaded and watched it just fine. Looks like something isolated on your machine.
Sawbones 0 Posted April 26, 2010
Daggone it... you're going to make me bust out wireshark, aren't you?
alpine0000 0 Posted April 26, 2010
> Daggone it... you're going to make me bust out wireshark, aren't you?

I was hoping you would!
Scruit 0 Posted April 26, 2010
No, the .exe extension was not a problem. The problem was the IPConnect behavior that was detected as a threat. I have sent a copy of the player.exe to SophosLabs for analysis - they will tell me what's up. I wouldn't wireshark it because you'd have to let it run first. If you have VMWare you can build a sacrificial VM for it.

Nobody else reported issues? Maybe they should be running Sophos instead. It uses behavioral analysis to detect new threats rather than relying on signatures.

So that's not any address of yours? What about at home? You have Cox business at home? 24. addresses are usually cable. Is there any chance your DVR exported a player.exe with your IP encoded in it for convenience and it's trying to connect?
ak357 0 Posted April 26, 2010
> No, the .exe extension was not a problem. The problem was the IPConnect behavior that was detected as a threat. I have sent a copy of the player.exe to SophosLabs for analysis - they will tell me what's up. I wouldn't wireshark it because you'd have to let it run first. If you have VMWare you can build a sacrificial VM for it. Nobody else reported issues? Maybe they should be running Sophos instead. It uses behavioral analysis to detect new threats rather than relying on signatures. So that's not any address of yours? What about at home? You have Cox business at home? 24. addresses are usually cable. Is there any chance your DVR exported a player.exe with your IP encoded in it for convenience and it's trying to connect?

I tried and don't see any problem with the file, just a player; looks like it is by HIK. I use Commview for traffic sniffing.
Scruit 0 Posted April 26, 2010
I'm 99% sure the file will come back from the lab as Ok, but security is all about not giving them that 1% chance. Trust, but verify. Alpine - none of this is meant as an insult to you. My apologies if I come across like that, it's not intended!

As far as the video is concerned - not enough detail for me to make out the type of car. You have the same problem as me - the action always happens *just* outside the useful range of the cameras. Mailboxes are dime-a-dozen - I'd be more concerned at the interest they showed in the car. I'd go with a camera that's zoomed in on that car out there.
alpine0000 0 Posted April 26, 2010
> So that's not any address of yours? What about at home? You have Cox business at home?

The Cox business account that I have *IS* at home. That's what I was referring to. No, that address is not any address of mine. Mine starts with 98.

> Is there any chance your DVR exported a player.exe with your IP encoded in it for convenience and it's trying to connect?

No, this software has nothing to do with my DVR. This is the software copied right off the manufacturer's CD. It never did reside on my DVR, nor does it connect to my DVR in any way. All it is capable of doing is opening a video file -- in this case a .mp4 file -- that is sitting on my computer's hard drive (or some other form of hardware attached to the PC). That file player does not open and search for IPs. I have been using it for about 2 years now.

Oh, and I'm not insulted. I am 100% sure that my file is fine and your software is throwing false warnings (if indeed it is referring to the file player). Better safe than sorry, I guess?
Scruit 0 Posted April 27, 2010
All: Don't download the player until I post again.
Scruit 0 Posted April 27, 2010
I have tested this on a sacrificial PC with wireshark running... The player does the following:
1: Connects to 24.143.196.66:80 (SYN, SYN_ACK, ACK - So the address is live and working)
2: Issues an HTTP GET for /pki/crl/products/MicWinHarComPCA_2008-01-08.crl
3: Succeeds with a HTTP:200 (OK)
4: Gets the file, which is a certificate revocation list

I terminated the connection at that point. Any attempt to get the file from the URL using a standard browser is rejected with a custom checksum error message (not a 500, 401 or 404).

Doing some more research to decide if this is a threat, and why any legitimate CRL would be hosted out of a cable roadrunner address.
Scruit 0 Posted April 27, 2010
Curiouser and curiouser...

    C:\Documents and Settings\Grae>ping crl.microsoft.com
    Pinging a1363.g.akamai.net [24.143.196.57] with 32 bytes of data:
Scruit 0 Posted April 27, 2010
Ok, whatever it's doing appears to be some vestigial Microsoft functionality within the player itself. It's calling home to Microsoft, downloading this one file and then quitting. Not clear on what certificates it's looking for, but it's definitely this "player".

The behavior is interesting and unexpected, but does not appear to be malicious. Either way, if you have AV software good enough to detect this behavior then I'd suggest blocking it. If your AV didn't see this, get better AV.
Sawbones 0 Posted April 27, 2010
Excellent work, Scruit. I've been out of town, and didn't have time to set up a test network to sniff the traffic.
Scruit 0 Posted April 27, 2010
K, here's the deal... The Certificate Revocation List is downloaded from Microsoft by the player on its first execution. Not sure why it needs that list, but it downloads it anyway. That CRL comes with an expiration date. In my case the expiration was July sometime. Now that I've allowed it to download the CRL it will not try again until the existing copy of the CRL expires in July. This is probably why most people don't notice the behaviour - it happens only once every 3 months or so, and unless you have good AV/internet security like Sophos it won't notice it.

SophosLabs responded to my submission of the file sample. They don't consider the file to be suspicious, and they modified their detection engine to flag the file as an internet connection *attempt*, not a *threat*. This would prevent the false "threat" alarm in all other Sophos customers, however the internet connection "attempt" message was, and remains, valid.
alpine0000 0 Posted May 1, 2010
> All: Don't download the player until I post again.

LOL. Unbelievable
rory 0 Posted May 1, 2010
It's bundled by PEBundle, so perhaps that is the issue. I read on another forum that it checks for updates ... not sure how true that is though. http://www.blitzbasic.com/Community/posts.php?topic=28049

New version seems to be called PECompact:

PECompact includes plug-ins to perform CRC checks, password based encryption, message box prompt for permission to execute, and much-much more. And since these plugins can all be combined in any order and quantity, each compressed file can be very unique.

http://www.bitsum.com/pecompact.php
http://www.powerbasic.com/support/forums/forum8/html/003037.html
http://www.woodmann.com/collaborative/tools/index.php/PEBundle