Wednesday, November 16, 2005

Sony vs. piracy: Sony disqualified

At the end of October, a nice article by Mark Russinovich of SysInternals caught my eye on Mark's blog: it revealed that a rootkit was present on his system, as shown by Rootkit Revealer. After some digging with a few of SysInternals' excellent tools, it turned out that the rootkit was actually a DRM protection scheme called XCP from First 4 Internet, installed by a CD that Mark had bought from Amazon. The DRM system Sony was using on that CD installed an application on the (Windows) system that protected both the CD itself and the software player included on it. This 'application' really was a rootkit, and a very poorly written one at that. It was pretty trivial to crash a system with the rootkit installed, and there was no uninstall option, nor any mention of it in Sony's EULA.

Barely a week after Mark posted this on his blog, it generated an outcry that the mainstream media picked up on. Subsequently, Sony released a 'removal tool' for the rootkit, along with a message claiming that the rootkit wasn't really dangerous to your system and did not create any security issues. Besides the fact that this was complete bullshit (having something hide all files and folders starting with '$sys$' is not dangerous? hah!), their 'patch' updated most of the existing DRM software already present and uninstalled the rootkit improperly, possibly leading to system crashes. Also, the music player on the Sony CDs was phoning home to its server, which is not in the EULA either. Sony denied this.

So a few days later, Sony released the patch and announced it to the press only. Most customers still had no idea there was a rootkit on the Sony CDs, and even if they did know, it was pretty hard to get the uninstaller at all: it required two confirmation emails, allowing an unsafe ActiveX control, and a download link that was unique to your system.

This complete saga has led to quite a few results, among which:



And finally, today Sony published a public message on their Sony BMG website about the 'XCP content protection technology', providing a direct link to the patch that uninstalls the rootkit. And leaves the ActiveX control behind. Which has some pretty devastating code in it.

While they originally refused to recall any of the CDs with the XCP rootkit, they have now turned around and are recalling the CDs and offering rootkit-free swaps. They also decided to stop making any new CDs with the XCP rootkit.

For your reading enjoyment, here are the excellent posts Mark has written on his blog:
  1. Oct 31: Sony, Rootkits and Digital Rights Management Gone Too Far
  2. Nov 04: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
  3. Nov 06: Sony’s Rootkit: First 4 Internet Responds
  4. Nov 09: Sony: You don’t reeeeaaaally want to uninstall, do you?
  5. Nov 14: Sony: No More Rootkit - For Now
  6. Nov 16: Victory!

Oh, and on a final note, here are the one-line commands to disable the rootkit and the ActiveX control. You can enter them in the Run dialog (Start > Run):

cmd /k sc delete $sys$aries (followed by a reboot)
cmd /k del "%windir%\downloaded program files\codesupport.*"
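The two commands above remove the service registration and the ActiveX control files, but they don't tell you whether the clean-up actually took. The following PowerShell script is an added example, not code from the original post, from Sony or from SysInternals: after the reboot it checks the two artifacts named above and probes whether the '$sys$' cloaking described earlier is still active. It assumes an elevated PowerShell prompt on the affected machine; the registry path for the service and the probe-file approach are my assumptions, not something the post documents.

```powershell
# Added example, not part of the original post or of Sony's/SysInternals' tooling.
# Run elevated, after the reboot that follows 'sc delete $sys$aries'.
# Assumptions: the service is registered under the usual Services key, and the
# cloak hides files whose names start with $sys$ from directory listings.

$findings = @()

# 1. Service registration. The Services key is read directly rather than via
#    'sc query', so a leftover entry is reported even if the service is not running.
#    Single quotes throughout: in a double-quoted string "$sys" would be a variable.
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\$sys$aries'
if (Test-Path -LiteralPath $serviceKey) {
    $findings += 'Service key still present: ' + $serviceKey +
                 ' (run sc delete on it and reboot again)'
}

# 2. Leftover ActiveX control files the post tells you to delete.
$dpf = Join-Path $env:windir 'Downloaded Program Files'
$leftovers = Get-ChildItem -LiteralPath $dpf -Filter 'codesupport.*' -Force `
                           -ErrorAction SilentlyContinue
foreach ($f in $leftovers) {
    $findings += 'ActiveX control file still present: ' + $f.FullName
}

# 3. Cloaking probe: write a file with the $sys$ prefix and check whether a directory
#    listing shows it. If the driver also blocks creating such files, the write fails
#    and the test is reported as inconclusive rather than as clean.
$probeDir  = $env:TEMP
$probeName = '$sys$cloakprobe.txt'
$probePath = Join-Path $probeDir $probeName
try {
    Set-Content -LiteralPath $probePath -Value 'probe' -ErrorAction Stop
    $listed = Get-ChildItem -LiteralPath $probeDir -Force -ErrorAction Stop |
              Where-Object { $_.Name -eq $probeName }
    if (-not $listed) {
        $findings += 'Files beginning with $sys$ are missing from directory listings: ' +
                     'cloaking driver still active'
    }
} catch {
    $findings += 'Could not create the $sys$ probe file (' + $_.Exception.Message +
                 '); cloak test inconclusive'
} finally {
    Remove-Item -LiteralPath $probePath -Force -ErrorAction SilentlyContinue
}

if ($findings.Count -eq 0) { 'No XCP artifacts found' } else { $findings }
```

A clean result from the probe only says that directory listings are no longer filtered; it is not a substitute for running a rootkit detector such as the one Mark used.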

And remember: the SHIFT key is your best friend! (Though I won't directly say for what it can be used. Might get sued for that.)

Tuesday, November 08, 2005

How to protect yourself from the Internets

The Internet is no longer what it used to be back when I started using it (roughly 1995). While this is good in some ways (more information that is easier to find), there's a list of bad things so long it would make Al Gore wish he never invented the Internet. I frequently get emails asking me what the best way is to safely use the Internet and, most importantly, surf the web (yes, the WWW is actually a subsection of the Internet).

There are loads of entry points into a common Windows system that could allow a hacker to take control of your system, crash or reboot the system, or steal data. However, these can mostly be divided into these groups:

  • Vulnerabilities in Windows or its components
  • Vulnerabilities in Internet-enabled programs
  • Default or bad configurations
  • User error or ignorance

I will discuss each of these to the best of my knowledge below.

Vulnerabilities in Windows or its components
Pretty often, vulnerabilities are discovered in Windows that can allow an attacker to do pretty much anything to your system, ranging from simple things like stealing cookies to complete remote control. While tempting, this is not purely caused by bad programming on Microsoft's part: Windows is simply used by so many consumers, businesses and even governments that hackers just go for the largest common denominator. After all, the more a program is used, the faster errors in it are found. Microsoft releases monthly security bulletins with hotfixes for that month's vulnerabilities. The best way to stay on top of these is to simply turn on Automatic Updates, which is available natively for Windows 2000 and newer, and available separately for Windows 98 and newer.
Solution: install security patches, turn on Automatic Updates

Vulnerabilities in Internet-enabled programs
Besides the basic flaws, there are also vulnerabilities in other programs. The most common one is probably Internet Explorer, which has several standing vulnerabilities that can cause your system to be infected with adware, spyware or worse by simply visiting a website. Due to the model Microsoft uses for its software, security may not come first! Best is to use a different browser for your surfing habits: Mozilla Firefox and Opera are very good browsers that may not have won the browser wars, but make very good alternatives. While Internet Explorer is a major point of attack, file sharing (P2P) programs, email clients and instant messaging programs are also commonly targeted. For servers, any web services are frequently targeted as well. To counter this, always make sure you have the latest version of any program that uses the Internet or acts as a server, and shut down any that you don't use or need. Don't accept or run files from people you don't know over P2P, email or IM, and always have an antivirus program running that scans all files you download or receive. More importantly, if you use antivirus and/or antispyware, make sure they have the latest definitions so they'll be able to detect and delete any threats. Run weekly or monthly full-system scans with both to make sure your system stays clean. Run a firewall so you can block Internet access for a program that is vulnerable or outdated.
Solution: Don't use Internet Explorer. Update old programs, use a firewall, up-to-date antivirus and antispyware

Default or bad configurations
Early on in their rise, Microsoft decided to put user-friendliness before security, sometimes shipping default configurations for programs like IIS that were insecure. While this does not happen that often any more, it is something to look out for. As mentioned before, shut down any services or programs that you do not need or use. Make sure you properly configure any Internet-enabled programs when you install them, and look up information on the web about securing such programs if you are not sure.
Solution: Properly customize programs, ask for help or search the web for help

User error or ignorance
After all of the above, which mostly involves things you can't do much about, there's always yourself or the people around you. I can't count the number of emails I have received that started off with 'my son installed something on the computer last week...' and ended in a horrible spyware infestation. Make sure you and your peers know what is right and wrong online, and look up information on a program before using it to see whether it bundles any other programs and functions properly. Don't trust everyone out there, as it is fairly simple for people to try to trick you into running a file, visiting a website or giving them private information. Phishing scams are on the rise and are very dangerous: someone will pose as your bank and ask for your account password, for example. Don't be fooled!
Solution: Don't trust everyone, use common sense, educate yourself and others


That's it for now. I'll add stuff later on when I think of anything I could have forgotten.

Tuesday, October 18, 2005

The Jack Thompson Chronicles

(Apologies for heavy linkage, but this man is just everywhere!)

I'm assuming everyone who has not lived in China for the past year has some idea of who Jack Thompson is. After stepping into the spotlight by acting as attorney in a murder case which involved the violent Rockstar game Manhunt (1,2), he took the world by storm. And by 'took the world', I mean 'left everyone rolling on the floor with laughter', and by 'by storm', I mean 'pointing and laughing'. I mean, this man seems to think computer games are the spawn of Satan, including The Sims! Just look at this (non)interview with the man JT. If the quote 'i'm too busy destroying best buy and rockstar' is genuine, this man scares me.

Not surprisingly, his opinions of ESA, Take Two, Rockstar Games, GTA: San Andreas, and the Hot Coffee mod are not very high. He manages to combine poorly constructed arguments with vicious personal attacks at everyone who disagrees with him, and then fails to see why no one takes him seriously or doesn't want to have to do anything with him.

The fun part actually started when Jack Thompson made a proposal for a violent game himself, challenging any game company to create it. The game itself involved a father avenging his murdered son (murdered by someone who played too many violent games) by murdering everyone from 'Take This', their lawyers, 'GameWerks' for creating and publishing the game, as well as Best Buy, Circuit City, Target and Wal-Mart, because they distributed it. The final part involves making a massacre out of E3, since this is 'the Super Bowl of the video game industry', and of course all computer game creators deserve to die.
Jack Thompson offered $10,000 to charity if any game company would create, manufacture and distribute this game in 2006.

Though originally everyone just made fun of this, and it wasn't expected that anyone would make a game out of this (not because it was too violent, but because game companies don't normally accept game proposals from individuals), it WAS. A mod has been created for, ironically, GTA: San Andreas called 'Defamation of Character: A Jack Thompson Murder Simulator'. You gotta love it.
So what did Jack Thompson do? Yep, you guessed it: he said he was only kidding. So Penny-Arcade, ever the vigilantes they are, donated the $10,000 themselves, in Jack Thompson's name. His response? He tried to get them shut down and arrested by faxing the local police station a letter claiming Penny-Arcade harassed him! (scroll down on the above link, there's more about that)

On a side note, Jack T also didn't like VG Cats, an online comic about gaming (yes, another one, but this one features cats!). There is an entire page filled with email conversations between Jack Thompson and Scott Ramsoomair (author of the VG Cats comic), which was set up shortly after Scott made fun of Jack, and JT CC'ed Scott on some anti-game propaganda (he seems to do this a lot, CC'ing random people on his emails). It's very surreal to see a lawyer degrade to personal attacks in his emails so fast that your head spins.
Scott's comic is funny, and most of the time pure genius, though sometimes references some pretty old games, but most of all it does not promote violence at all - it's just parody.

It seems this concept is lost on Jack Thompson. Which is why he will also hate the following: The 'I hate Jack Thompson' T-shirt.
If only we could have a tv show about the daily adventures of Jacky T, it would be funnier than Chappelle's Show.

On a final note, check out Jack Thompson's homepage, stopkill.com. Yes, that is his homepage. Seriously. I'd make a comment about 1995 being here to ask for its website design style back, but someone would probably post a comment saying 1980 is here, asking for its stupid joke back.

[Nov 25, 2005] Update! After arguing his (retarded, as usual) case too aggressively, Jack Thompson has been banned from practicing law in Alabama! Though JT is from Florida, this is funny nonetheless.

Wednesday, October 05, 2005

"I think France should be next."

Here's a funny video from UniquePeek.com where an (Australian) man asks Americans on the street 'in terms of the War on Terror, which country do you think we should invade next?'. He carries a world map and asks people to put a pin in their country of choice. Answers range from 'Korea - they're trouble' to 'They'll make a big glass crater out of the entire Middle East, for all I care'.


http://www.uniquepeek.com/fusion_pages/index.php?page_id=213


Now, this would be fun enough for me - watching Americans struggle with non-USA geography and spend a few minutes looking for Sri Lanka in South Africa. But there's more. THEY SWITCHED ALL THE COUNTRY NAMES! So imagine my surprise when the last guy puts a pin in 'North Korea' where Australia is located, and then the camera zooms in to show that Australia is actually labelled 'NORTH KOREA'!
That makes it even funnier ^_^ no one even notices the switched labels!

Tuesday, September 20, 2005

Enjoy your free Opera

After giving away free registration codes for their browser on account of their ten-year anniversary, Opera has now decided to switch to the best business model available to customers: free!

After offering their browser in both an ad-supported version as well as a paid ad-free version ($39), they now believe that the two other revenue streams they have (search engine traffic and ad revenues) are enough to offer Opera for free. The Register has an excellent article on this surprising change of route.

Get the newest version (8.50 as of writing) here: http://opera.com/download/

If the UI of Opera is not as much of a 6-train crash pile-up as it used to be when I switched to Firefox, I may even switch back. ^_^

Saturday, September 10, 2005

The Best TV Series On The Planet

Photoshop contests are awesome. :)



Just imagine... you take a tv show about women and sex... and take out Sarah Jessica Parker! It's pure genius.

--
Worth1000.com

Saturday, September 03, 2005

Sean Combs needs a new name

From a great post on TheSuperficial:

http://www.thesuperficial.com/archives/2005/08/30/tyson_beckford_1.html


I should take this opportunity to point out that I will no longer be calling Diddy 'Diddy'. Instead, I'll be referring to him as Señor Walrus Face III. You're not allowed to pick your own nickname, so if you're going to try I'll just go ahead and do it for you. Seriously though, if I could get the media to officially refer to him as Señor Walrus Face III, it would complete my life.

I find this a very, very noble cause. And we have the technology to make it happen. Whoever has a webpage, blog or not, link to the above subject's IMDB profile, as such:

--> Señor Walrus Face III.

Although the fictional new name once offered in Off Centre:

--> Diddles McPeepee.

...is also pretty cool. :D

Wednesday, August 31, 2005

Americans are prude

A few weeks ago, I read a blog from a woman who worked in the adult industry for a good chunk of years. I think her current job was to make up non-offensive descriptions for sex toys, so she had the ability to think of several dozen terms for 'penis', as well as at least two dozen to describe a rimjob. I can't remember the URL or name of the blog, but in one of her posts she argued that contrary to popular belief, Americans are not prude. Coming from someone who works in the adult industry, I slightly doubt how objective that statement was. Maybe Americans are just publicly prude, and are really rampaging sex mongers in private.

Anyway, case in point:
Job #1 for America's Attorney General: porn, not terrorism

When FBI supervisors in Miami met with new interim U.S. Attorney Alex Acosta last month, they wondered what the top enforcement priority for Acosta and Attorney General Alberto Gonzales would be.

Would it be terrorism? Organized crime? Narcotics trafficking? Immigration? Or maybe public corruption?

The agents were stunned to learn that a top prosecutorial priority of Acosta and the Department of Justice was none of the above. Instead, Acosta told them, it's obscenity. Not pornography involving children, but pornographic material featuring consenting adults.

[via BoingBoing]

After you've picked yourself up from the floor, either from LMAO, shock or surprise (depending on your nationality), tell me Americans aren't prude. Well, if they aren't, the government sure is making up for anyone who isn't.

Sunday, August 28, 2005

Regedit vulnerability: Hiding Registry values

Last week I started getting emails that there is a vulnerability in the Windows Registry Editor (Regedit.exe and Regedt32.exe) that can cause it to hide certain Registry values with absurdly long names. Here are a few links on the subject:
http://isc.sans.org/diary.php?date=2005-08-24 (also 3 or 4 pages following it)
http://secunia.com/advisories/16560/
http://www.frsirt.com/english/advisories/2005/1519

So the Regedit utility won't show these Registry values, but they're still there. It probably took malware writers only 1.5 seconds to figure out this means they can hide autorun Registry values, since - unfortunately - the Windows system itself does not hide these values and faithfully runs them at startup when present.

As far as I can see from my tests, this is because the vulnerable utilities call the RegEnumValue() function with a name buffer of only 260 characters (the standard MAX_PATH constant, ironically, since a value name is not a path). Since this buffer receives the name of the Registry value during enumeration of all values in a Registry key, the call fails when the value name is longer than the buffer.
Due to an unfortunate coding convention, the error code itself is often not checked and is assumed to be ERROR_NO_MORE_ITEMS - as a few of my apps do as well - so the enumeration stops there, confident that it has listed all values. This also means that, in addition to not showing the value with the really long name, it will fail to show any values following it, long name or not. Note that this means NEWER values (the order in which RegEnumValue() returns them), not ones following it in an alphabetic list.

While messing with a few Registry values with names varying from 100 characters to 100,000 characters (on WinXP+SP2), I noticed a few things:

  • The size limit for the value name is 16383 characters, i.e. 2^14 - 1, which means 14 bits are used for the length of this name. The page on Microsoft.com about Registry Element Size Limits seems to confirm this. It also says that the limit for Win9x/ME is 255 characters, making those Windows versions immune to this vulnerability.
  • RegEnumValue(), when it can't retrieve a value name and/or its data because either is too large for the buffer, is supposed to return the error ERROR_MORE_DATA and report what the required buffer size should be. However, it only reports the required size when the buffer that receives the actual data is too small. When the buffer that receives the value name is too small, it just returns ERROR_MORE_DATA without saying how large the name buffer needs to be (possibly explaining the cases of programs crashing on long Registry value names: a retry loop that never grows the name buffer becomes an infinite loop).

So it seems to me the easiest way to fix this problem is to use one of two buffer sizes for the value name, depending on the Windows version:
  • For Windows 95/98/98SE/ME: use a buffer of 260 characters - since the system can't set values with longer names anyway.
  • For Windows NT4/2000/XP/2003/Vista: use a buffer of 16384 characters (16383 plus the terminating null) - since the maximum name length allowed by the system is 16383.
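Since the autorun keys are where a hidden value does the most damage, here is a PowerShell script, added as an example and not code from the original post, that lists the usual Run/RunOnce values through the .NET RegistryKey API (which sizes its name buffer from RegQueryInfoKey and is not subject to the 260-character problem) and flags every name that a 260-character buffer would have choked on. It also demonstrates the round trip the post describes: a 300-character value name is stored in a scratch key under HKCU and enumerated back. The Run/RunOnce paths and the scratch key name are assumptions of this example.

```powershell
# Added example, not part of the original post. Requires Windows PowerShell on a
# Windows NT-family system (the post notes that Win9x/ME cap names at 255 characters).

# A 260-character buffer holds 259 characters plus the terminating null, so anything
# at or beyond that length does not fit in the buffer the post attributes to Regedit.
$regeditNameLimit = 260

# Autorun locations (assumed for this example; the post only says "autorun values").
$autorunKeys = @(
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' }
)

function Get-AutorunValueReport {
    # Emits one object per autorun value, with a flag for names an old Regedit
    # would have skipped (together with every value enumerated after them).
    foreach ($entry in $autorunKeys) {
        $key = $entry.Hive.OpenSubKey($entry.Path, $false)   # read-only
        if ($null -eq $key) { continue }                      # key absent on this system
        try {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key                  = $entry.Hive.Name + '\' + $entry.Path
                    ValueName            = $name
                    NameLength           = $name.Length
                    HiddenFromOldRegedit = ($name.Length -ge $regeditNameLimit)
                    Data                 = $key.GetValue($name)
                }
            }
        } finally {
            $key.Close()
        }
    }
}

function Test-LongValueNameRoundTrip {
    # Stores a 300-character value name in a scratch key, enumerates it back with the
    # .NET API and removes the key again. Returns $true if the name was stored and listed.
    $scratchPath = 'Software\LongValueNameDemo'          # assumed scratch key
    $scratchPS   = 'HKCU:\' + $scratchPath
    $longName    = 'X' * 300
    New-Item -Path $scratchPS -Force | Out-Null
    try {
        Set-ItemProperty -Path $scratchPS -Name $longName -Value 'demo'
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($scratchPath)
        try {
            return ($key.GetValueNames() -contains $longName)
        } finally {
            $key.Close()
        }
    } finally {
        Remove-Item -Path $scratchPS -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Longest names first, so anything an old Regedit would have hidden stands out.
Get-AutorunValueReport | Sort-Object NameLength -Descending | Format-Table -AutoSize
'Long value name round trip succeeded: ' + (Test-LongValueNameRoundTrip)
```

Any row with HiddenFromOldRegedit set to True deserves a close look at its Data column, since that is exactly the kind of entry the post says malware would use and a tool with a 260-character name buffer would never display.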

So there you have it. The problem, the cause, and the solution. Case closed. :)

Wednesday, August 24, 2005

GoogleTalk goes live-ish

GoogleTalk
Yesterday, it seems the rumour that Google could be working on an IM client has been confirmed not to be a rumour at all. Introducing GoogleTalk!

The service runs on Jabber and has its own server. Google is offering its own IM client, called GoogleTalk, as well as lots of instructions for connecting to GoogleTalk with other IM clients. Note that some of the links on the aforementioned URL are dead, as well as the 'don't see your IM client here? tell us about it' link.

Since using GoogleTalk, Jabber or GAIM is, of course, too easy for me, I decided to be lazy and use my fav IM client Miranda to connect to it. A Jabber plugin for this client is included within the default install, so I figured no problem.

A bit of tweaking, cursing and searching later I have found the following instructions work:

  • Username: Gmail username, without @gmail.com
  • Password: your Gmail password
  • Login server: gmail.com (this is not really a login server, just the domain of your email address)
  • Check 'Manually specify connection host'
  • Host: talk.google.com
  • Port: 5223 (not 5222!)

Since a picture says more than a 1000 words (and the above is a bit short of that), click below to see a pic of the setup:

GoogleTalk in Miranda IM

Note that searching for users (with their Gmail username, no @gmail.com) always seems to return a hit, even if you search for one that does not exist.

Wednesday, August 03, 2005

Beauty is only skin deep, but stupidity goes down to the bone.

Not wanting to sound like a teenager in heat, but still being moderately excited about finding the awesomeness that is TheSuperFicial.com, here's some celebrity news that caught my eye.

Renée Zellweger is slipping down some road she only knows. See below 'after' and 'before Hollywood mainstream' pic. Also note the IMDb pic from link above is pretty old. Poor girl.

Scarlett Johansson is cute. I know of no other way to describe this woman after reading this article. Well, other than talented, sexy, pretty, etc.

:P

Tom Cruise is insane. And that's a medical term for his condition. Apart from believing the complete nonsense that is Scientology, marrying Katie Holmes (who's 14 years younger) and assimilating her, he's generally being a condescending asshole and will be raising his children to be exactly like him. O_o
He also may or may not be very gay.

Today's post was brought to you by TheSuperFicial.com. Because you're ugly.

Friday, July 29, 2005

Check this shit out.

Time for insane scientific articles! If you ever spend a year sifting through scientific articles on PubMed looking for references, you know how completely boring that is. However, the guy linked below had such bad luck, results and assistance, that he wrote the following one-page article, and probably left the department.

Electron Band Structure In Germanium, My Ass. - Picked up from MetaFilter, Feb 2001.

That's possibly the funniest scientific article I have ever read. However, the MetaFilter comments also link to this one:

Get me off your f-----g mailing list. (pdf) - Submitted to the 9th World Multi-Conference on Systemics, Cybernetics, and Informatics, July 2005.

Tuesday, July 26, 2005

Lovely, lovely ladies

Just watched The Adventures of Baron von Münchhausen on TV. Man, if I had one wish, I'd know what to do. Absolutely. A waltz with Uma Thurman. That has to be the most beautiful movie scene I have ever seen in my life. Props to Terry Gilliam.

Or to be able to run faster than a speeding bullet. That is pretty groovy too. Props to Eric Idle.

Sunday, July 24, 2005

The only two things that are infinite are the universe and human stupidity.

..and I'm not so sure about the universe. (A. Einstein)

It seems there is such a thing as the 'World Stupidity Awards', and also it seems the 2005 awards have just been announced. For some reason, Canada, which was also the hosting country for the awards ceremony, has won Dumbest Government Of The Year (and they were very proud of it, too). I don't live in Canada, or even near it, so I don't know exactly why - but if the South Park episode It's Christmas in Canada is accurate, I kinda see why they won.

Among the more funny awards of this year:

  • George Bush won Stupidest Statement Of The Year by saying "They never stop thinking of ways of harming America, and neither do we."
  • Paris Hilton won Stupidest Woman Of The Year (and will probably hold this title for at least another 10 years), as well as starring in the Stupidest Show Of The Year, The Simple Life.
  • Alien vs. Predator won Stupidest Movie Of The Year - I rather enjoyed this movie so I'd have to disagree. But then again, my idea of a good movie is one where you can go alone, leaving your brain to do your taxwork at home.
  • Kim Jong-Il won Stupidity Award for Reckless Endangerment of the Planet.


Also, take a look at the nominees. I can't believe they nominated Hitchhiker's Guide To The Galaxy for Stupidest Movie Of The Year. :< The book was awesome. Still have to see the movie, though. Is it that bad?
Also, Stupidest Trend Of The Year should have been War, of course. Seeing how the winner there was something called 'Chrystal Meth' (I have no idea what that is), I guess most voters have been Americans, who must think war is the greatest thing in.. well, America.

Tuesday, July 19, 2005

Ladies and Gentlemen... the Optimus Keyboard!

Just caught this article on Slashdot:

The Optimus keyboard

Every key of the Optimus keyboard is a stand-alone display showing exactly what it is controlling at this very moment. Optimus is good for any layouts—Cyrillic, Ancient Greek, Georgian, Arabian—and so on to infinity: notes, numerals, special symbols, HTML codes, mathematical functions. Patents pending.


eMule key? Booya.
http://www.artlebedev.com/portfolio/optimus/

Can you imagine how friggin' cool that is???

I want one. Badly.

Thursday, July 07, 2005

The deal with malware today, pt 2

In my previous post, I had a small write-up about the first of two major malware problems today (aggressive malware). I just finished my last test today (yay!) so I'd figure I'd write about the second one. Which is, of course, zombie networks, aka botnets.

You might ask yourself, what is a botnet? Well, it's pretty simple. Imagine one person entering the URL of a site in his browser and hitting Enter every second, reloading the page every time. That puts some strain on the webserver that's hosting that site, but not much. Now imagine 30,000 people doing the exact same thing. A few hundred times per second. Now THAT puts strain on the server, eh? And when the amount of traffic those 30k people are generating is more than the connection speed that server has, no one else can reach it since the bandwidth is 'full'. And it'll probably crash from the traffic overload. Worse still, if the server runs some commercial website, it'll lose money while it's down. And don't be surprised when these damages rack up to several thousand dollars.
So basically, that is what happens during a DDoS - Distributed Denial of Service. A botnet (short for 'robot network') owner has control over several hundred to several thousand computers all over the world ('zombies' or 'bots') and can make them attack a server (or, in fact, ANY computer that is online) all at once. He does this by tricking the computer user into running a small program which plants the bot on the system, which then waits for orders from its owner. At its command, it starts sending out network packets to the specified target as fast as it can until it's told to stop.
Did you pay attention here? The key step is tricking the computer user into running it. See what that means? It means if you don't accept files from strangers, you can help stop these attacks. You can help prevent online companies from losing thousands of dollars. And all you need is common sense. Which is free. Unless there's a bot on the loose that spreads through security holes on your system. In that case, you either need to close the hole, or install a firewall. Which is sometimes free.

So how much of this DDoS practice are we seeing nowadays? Well, things started out pretty easy with this news article, detailing a DDoS (Distributed Denial of Service) attack on Yahoo, eBay, CNN and Amazon in February 2000. You'll probably remember it. Though only Yahoo and eBay were actually off the air for some time (the other two were just much slower), this marks pretty much the first big zombie network attack. It was also pretty big in the news, making people aware of this type of attack. In vain.

About a year later, in May 2001, Steve Gibson's GRC.com was hit with a similar attack. Being the techie that he is, he wrote a detailed page about it and put it up. Unfortunately, by drawing this much attention to himself, he has become a testbed for a lot of small botnet owners who just want to 'check if their 'net has enough force to packet a big site'. Not funny. Not very surprisingly, he was attacked again in January 2002 using a slightly more sophisticated attack. These are just a few examples of attacks. Some nimrod tried attacking the Microsoft.com website once, but that server had such massive bandwidth that he could barely make a dent in it. A few worm viruses have tried this as well, but only with negligible results.

The frustrating thing about being hit with a DDoS attack, is that you can't stop the actual flow of data to your server that's crushing you. Imagine it's raining really, really hard. How much of a chance do you stand making all the clouds stop dropping raindrops? That's what I thought. What you can do, however, is build a roof over your head to prevent the raindrops from actually reaching you, and hope things'll blow over fast. If you read the first DDoS report on GRC.com (linked above), you'll see this is exactly what Steve Gibson did: he had his upstream provider filter out all the suspicious packets. This didn't stop the attack, but it did stop the attack from bothering him. A good friend of mine had his anti-malware site attacked sometime ago as well. He now has an ingenious system with several proxy servers setup to prevent this kind of thing from happening again. My own site has been hit with a DDoS attack as well once, and there wasn't much else I could do than copy all content to a website mirror and ride out the attack. The only thing that really helps is preventing the installation of these zombie bots in the first place.

Taking out zombie networks (botnets) is pretty hard. Short of breaking into the controller's house and forcing him at gunpoint to command all of his bots to perform the 'uninstall' command (almost all bots have this), you can't directly control the bots, since 1) most of the time access to the bots is restricted by a really long password, and 2) this password only validates if you're on the right IP subnet. In other words, only if the master controller himself logs onto his ISP account and issues the correct password to the bots, does he actually get to tell them anything. Otherwise they'll just ignore him. Bots are funny like that. Anyway, since most of the time the central place the owner meets his bots is an IRC server (all the bots connect to this server and wait in some channel for commands), you CAN get this server shut down and all the bots will be harmless.. albeit still alive. Unless the controller somehow gets the bots to connect to a new, different IRC server. Rinse, repeat.

So... how do you know if you've got one of them zombie programs on your computer? Well, frankly, they're a bit hard to spot. There are a few technical tests you can do, but I've found that these often lead to mistakes and panic, followed by a lot of screaming and shotgunning your monitor.. etc. A better way to detect this stuff is just your eyes. If the 'send' or 'upload' light on your (cable/DSL) modem is constantly on, even if you're doing squat, something on your system could be sending lots of data somewhere you don't want it to go. You can also check this with bandwidth monitors like DUMeter, Bandwidth Monitor and NetGrid, which monitor your Internet traffic and display it in a fancy graph.

Secondly, how do you prevent getting a zombie? Well, in some cases you need a shaman to cast some spells and nail a plucked dead chicken to your door, but in the case we're interested in, all you need is a brain. I think most of you already have one, too. Just use common sense. If you get an email that claims to be from 'Microsoft TechNet', urging you to install the attached security fix, don't. Microsoft doesn't send out fixes over email. To anyone. If you're on a website that claims it can see your entire harddisk and offers a patch to prevent this, don't. You can see your own harddisk too, by typing 'C:\' in the address bar. What that website does is the same thing. If some buddy sends you a file over MSN claiming 'zOMG this gam is AWSOME!!1one LoLZ', at LEAST scan it using whichever antivirus program you have. Better yet, let 14 antivirus programs scan it by uploading it to virusscan.jotti.org. For free! For all other cases, use common sense. It's stupid not to run an antivirus scanner. It's stupid not to run a firewall if you still have Windows 98 or Windows ME (or even older). It's stupid not to install security fixes from Microsoft. Now go outside and be not stupid.

Sunday, June 26, 2005

The deal with malware today

Recently there has been a lot of buzz on public news sites about zombie networks used for launching DDoS attacks, and aggressive, evasive malware. The way I see it, these two problems are currently the biggest ones on the Internet. And by this, I mean the two problems which are the hardest to solve.

When I first got into the antispyware business, things were pretty easy: if your IE security settings were too low, some ActiveX applet would dump a Registry script on your system and set it to run at startup, causing your startpage and search pages to be hijacked whenever you booted up the system. Nice and straightforward, and easy to solve - once you knew where to look. Spyware and malware were very young then, and it had only recently been exposed to the mainstream news by Steve Gibson's OptOut. For the first time it became clear that it was possible to sneak something (non-viral) on your system piggybacking on an 'ad-supported' program, that was left behind when the host program was removed. Still, things were pretty quiet on the bad guys' side. Techniques that were used were fairly simple, files were easy to detect and remove.

But then things started getting nasty. Malware started using exploits in the Internet Explorer browser to sneak stuff onto your system. CoolWebSearch was one of the first to do this, but has since shifted the blame onto its 'affiliates', in what seems to be the general trend now: companies encourage their affiliates to get users to install their software in whatever way they can, and look the other way while these affiliates use various exploits that were posted on the full-disclosure list. Since the exploits posted to this list frequently included proof-of-concept code that was easily modified for malicious purposes, most of the exploits used by browser hijackers and drive-by malware installers have simply been plucked from this mailing list. Among the exploits used were the Java.ByteVerify hole in the MS Java VM, an Outlook Express cross-site scripting vulnerability, and some unsafe ActiveX objects that crossed the Internet Zone, lowering security and allowing write access to the system.

Still, though keeping the system up to date from Microsoft (keep in mind all these exploits applied only to MSIE on Windows) didn't always protect you from being infected, all these hijackers and pieces of advertising malware were relatively easy to remove. Kill the running processes, kill the autostarts, kill the files, kill the Registry keys and values. Using common sense, a little experience and those steps (in that order), any malware could be removed, even without any additional tools like process managers, antispyware or antivirus programs.

Even when the next step was taken by the bad guys, it took little effort to defeat this. When malware started to emerge that scanned the system's memory for antispyware and antivirus programs and closed these (forcefully), all we had to do was rename the process manager file and kill the malware processes before continuing with the normal cleaning procedure described above. When malware started to use multiple processes that kept each other alive, the 'Delete this file on reboot' option all Windows versions had (though hidden) worked with only very few exceptions. And there was always Safe Mode in those few cases - which loads only a very bare Windows shell.

But then disaster struck. A variant of a browser hijacker emerged that hooked a few Windows system functions and hid itself from Windows itself. This behaviour is commonly known from programs called rootkits. This type of application is basically the next generation of the Remote Access Tools that emerged around 1999-2000, hiding itself on the infected system and giving the remote attacker complete access to the system as if he were sitting behind it. Rootkits took this one step further, by hooking system functions of Windows and filtering out any information that pointed to themselves before letting Windows read it (and pass it on to the user). This essentially made them invisible down to a very low level.
When malware started to use this, at first it just included a common rootkit like HackerDefender, set up to hide the malware's processes, files and Registry keys. Later on the malware itself incorporated rootkit-like features.

We're standing at this point right now - malware using rootkit techniques to hide itself, and reinstall itself when something is removed. Though they have also started bundling each other, effectively installing more malware onto the infected system again and again, the main problem is still the rootkit behaviour.
One of the main reasons why this is so hard to detect with antispyware and antivirus tools is that the scanners aren't on a low enough level to bypass the layer of smoke the malware pulls up. Also, these pieces of malware often use random filenames and some polymorphic code, so two files are never the same and signature scanners can't find them, essentially leaving it up to a competent technician to manually find and kill everything. And that is exactly what a computer program doesn't have: common sense.
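Rootkit detectors get underneath that layer of smoke with a 'cross-view' comparison: list things through the normal Windows API (which the hooks can filter), list the same things through a lower-level read that the hooks never see (raw disk or Registry hive parsing), and report the differences. It needs no signature, so random filenames and polymorphic code don't help the malware here. The following is an added Python example of that comparison (not code from this post or from any tool it names); the two listings are constructed stand-ins for the API view and the raw view, and every file and Registry name in them is made up.

```python
"""Cross-view rootkit detection (added example, not from the post).

A real tool would fill API_* from the Win32 API and RAW_* from its own
parser of the on-disk file system and Registry hives. Here both sides are
constructed sets so the comparison can be shown stand-alone.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str      # "file" or "registry"
    path: str      # normalised path or key\value
    finding: str   # "hidden": raw view only; "phantom": API view only


def _normalise(paths):
    # Windows paths and Registry keys are case-insensitive, so compare in lower case;
    # otherwise an 8.3 short name from one side and a long name from the other
    # would show up as two bogus differences.
    return {p.lower() for p in paths}


def cross_view(api_view, raw_view, kind):
    """Report everything the two views disagree on.

    'hidden' entries exist on disk/in the hive but the API does not admit to them:
    that is what a hooked FindNextFile or RegEnumValue produces. 'phantom' entries
    are usually harmless timing artefacts (a temp file deleted between the two
    snapshots), which is why both directions are reported instead of silently
    dropping one.
    """
    api, raw = _normalise(api_view), _normalise(raw_view)
    hidden = [Discrepancy(kind, p, "hidden") for p in sorted(raw - api)]
    phantom = [Discrepancy(kind, p, "phantom") for p in sorted(api - raw)]
    return hidden + phantom


# Constructed snapshots of one directory. COMMON is what both views agree on.
COMMON_FILES = {
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\user32.dll",
    r"C:\Windows\System32\drivers\etc\hosts",
}
API_FILES = COMMON_FILES | {
    r"C:\Windows\Temp\tmp1234.tmp",              # constructed: deleted between the snapshots
}
RAW_FILES = COMMON_FILES | {
    r"C:\Windows\System32\hidden_dropper.exe",   # constructed name for a hidden file
    r"C:\Windows\System32\drivers\hide.sys",     # constructed name for the hook driver
}

# Constructed snapshots of one Run key (value names, not data).
API_RUN_VALUES = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray"}
RAW_RUN_VALUES = API_RUN_VALUES | {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\hidden_dropper",  # constructed
}


def scan():
    """Run the comparison over both constructed snapshots."""
    return (cross_view(API_FILES, RAW_FILES, "file")
            + cross_view(API_RUN_VALUES, RAW_RUN_VALUES, "registry"))


if __name__ == "__main__":
    for d in scan():
        print(f"{d.finding:7} {d.kind:8} {d.path}")
```

The weak spot of the method is the raw side: if the rootkit also hooks the low-level read the detector relies on, both views agree and nothing is reported, which is why the detector's own disk access is the part such tools guard most carefully. A hit still needs a human to decide whether it is the malware, an anti-cheat driver or a file that changed between snapshots.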

Next up: botnets of spam zombies.

Thursday, June 23, 2005

Sin City - the way comics should be made into movies

A few days ago, I went to see Sin City with a few friends (after the usual fast-food run before that). I really gotta say, that movie rocks! It has to be one of the best comic-to-movie adaptations so far, if you're going for a great story with good acting. For great action shots, of course, you have to see Spider-Man and Spider-Man 2.
But anyway, Sin City really is an awesome movie. What's not to love about the 'Marv' character who's basically a human tank with a really bad attitude and a dark sense of humour? I mean, really, he gets shot in the chest like 5 times throughout the movie and run down by a speeding car a few times, and he just GETS UP. ('Don't worry, it's just a few scratches.') Nice job Mickey Rourke! I like that bit about this movie - characters don't just play dead after being shot once.

The one thing I really was afraid of wasn't there - Halle Berry. When I first saw the movie poster (you know the one) and the trailer, I feared Halle Berry was starring in some main part in it. And I really hate that woman. Not because she's black, but because she's a shitty actress with less sex-appeal than a doormat. After scrolling through the cast list on IMDb, it appeared she wasn't even on the list. Great, I thought, she has this teeny-weeny role in the movie with 6 words, and she's on the frigging movie poster?? Phew. She wasn't. Rosario Dawson really was a much better choice. I just love the look of sadism in a woman's eyes. ;)

Another small thing that disappointed me was that even though Quentin Tarantino is the special guest director, he didn't manage to squeeze his 'muse' into the movie: Uma Thurman. God, what I'd have given to see that woman dance like Jessica Alba did in that movie. Hmmmm... (on a side note, the swords Miho uses are the exact same as the ones in Kill Bill :)

All in all, Sin City reminded me of the first Matrix movie a bit. The camerawork is similar, with those impossible angles, close-ups and positions you'll only see in a comic book. Really cool. Definitely worth its money.

Saturday, June 11, 2005

Firefox AdBlock training

Just a quick tip for those starting off with a fresh AdBlock install on Firefox: when you have a few hours of slacking available, go to GeekIssues.org and browse a few links. Filter any ads you run into with partial URLs like .doubleclick.net, .burstnet.com, rad.msn.com, */ads/*, */ads?, .ads? etc., and you'll have AdBlock properly trained within a few days. Plus some entertainment.

That is, if you prefer not to use the gruesome, horrible RegExp expressions from their forum.

Btw: heed the warning in red at the top of the GeekIssues page.

Wednesday, June 08, 2005

And in the blue corner, Symantec

Just got this over email:

http://www.theinquirer.net/?article=23801

Symantec wants a court to allow its software to identify some programs made by Hotbar as adware.

Hotbar, which is made by a Microsoft partner, Hotbar.com, is a kids add-on that personalises email and browsers. It gives a range of smiley faces for users to play with and gives access to search, skins and yellow pages.

However, HotBar also tracks web site visits and also has an autoupdate feature. Some users find it tricky to remove.

That just brightens up my day. All those spyware companies suing people willy-nilly screaming 'we're not spyware! our software shows 26 popups a minute and tracks pretty much everything from your surfing habits to your email to your dog, but it's not personally identifiable!!!1' were really starting to piss me off, because you just know they're full of it. They just update their crap to not report your email address back to their servers (which, of course, it did in the first place, along with a hundred other pieces of info you don't want to see out on the 'net) and then claim it's not spyware since the info is 'not personally identifiable'. I even got a few emails myself like that, even though my software doesn't even target specific malware (nobody reads help texts anymore today). Seeing an antivirus company hit a spyware company with a lawsuit for the right to call it 'spyware' just has me going 'YEAH! PRE-EMPTIVE STRIKE IN YOUR FACE!'. Symantec isn't exactly the coolest company to me, but this sure boosted their rankings in the awesome-o-meter.


XML is the coolest thing on this planet

I had a class today about my currently favorite subject: XML. It's actually a 7-week spanning subject, but it just keeps getting more fun all the time. Seriously, hear me out though.
So they start off in the first week with the basic stuff: tags, attributes, XHTML. I think ok, that's pretty easy and pretty much well-known by everyone in class. But anyway, no use rocking the boat by telling the teacher to speed it up. More time off means more time to party. But over the course of the past few weeks we've been going steps up on the ladder every time - and it just amazes me how much can actually be done with XML. Really, you have no idea. The first revelation we got was the CSS style sheets you could use to make it appear like a normal HTML website. That was pretty cool. But next, we got into XPath, which allows you to dynamically reshape the content on your HTML website. Like, when you have a list of people in XML with their names, birth dates, death dates, shoe sizes etc, you can make a table with this info, sorted on any of those properties. Sounds like fun, huh? Yeah I thought so. Anyway, with this XPath you can select a certain node (element) of the XML file, making the exercises incredibly funny with questions such as 'what XPath query selects the birth country of the second Greek author that lived for over 100 years?'. Seriously, some of these questions had me in stitches.

Then we had the introduction of XSLT stylesheets, which you can use essentially to completely mess up the content of the XML source file and present it as something completely different in HTML, that even validates at the W3C! Amazing.
Now this last week, they've slowly eased into making for-each loops in XSLT stylesheets, using variables, conditional stuff, and this is starting more and more to look like an actual programming language. Mind you, I started this class expecting to do some light HTML coding and ended up learning a whole new programming language. This stuff just blows me away.
Now today, we had some important guy in a business suit give us a lecture about the business equivalent of XML, named XBRL. You can't make this stuff up. According to him, XML is the only way businesses can properly communicate without wasting weeks or even months of time manually reading reports created with Word, only to input them in their own database and create Excel sheets from that. So instead of your tax report taking three months to process and verify, if XBRL would be used, this would take three hours. Well, hook me up and call me Scotty, where can I get some of that?

The W3C really put some effort into this XML standard... and it's only at 1.0! I'm really amazed over and over again by what you can actually accomplish with it. I almost expect them to fully convince me to stop using ASP, PHP, MySQL, C++ and VB next week, only to replace it with one alternative, the one language, the only language, the language that can do everything, the one language to rule them all.... XML!

Penny-Arcade is funny on occasion

Usually, the online comic Penny-Arcade has episodes covering games I've barely even heard of, or satires so sharp I can barely even grasp the tiniest bit of wisdom needed to begin to understand them.

Occasionally however, they come up with gems like this. And it just makes my day.

Monday, June 06, 2005

Games, games, games

By the way, before I forget this: if anyone ever comes here (which I doubt), these games you must play. Absolutely. And they're not your run-of-the-mill FPS shooters or something either. Old games are back with a vengeance!

Doukutsu (Cave Story) - http://agtp.romhack.net/doukutsu.html
Japanese game, platform (don't forget the English language patch). Very sophisticated story, but not confusing. Much.

Bejeweled (1 or 2) - http://www.popcap.com/
The greatest Tetris variant of all time. v2 is even more fun.

Gish - http://www.chroniclogic.com/?gish.htm
A friend described this game to me and started like this: 'it's a platform game, but get this:.... you're a ball of tar.'

Mario Forever - http://www.buzg.prv.pl/
A one-man conversion of Super Mario World from the Super NES... for the PC! Written from scratch, with all new levels and 8 worlds with increasing difficulty.

We apologize for the inconvenience

Um, hang on. I'm not entirely sure how this thing works yet. Bumps and doubleposts ahead. It also appears that I have written the previous post in 3 minutes.

Blah This should be a link blah.
Could we get some bold eagles around here?
Or maybe some Italic pizza, pizza is nice.
Dude, don't go swimming, the underline is madness.

Check out my new gameplay!

Oh well, this blogging thing is relaxing at least. But enough for today. I'm going to get my drinking buddy and get hammered, it's 10 PM here after all.

(B)

Fixing ancient computer systems is fun

Right, so what better way to bore you all than to share a computer horror tale of this last weekend? You see, I had to help my dad and a few other people move all their stuff for work to a new place, and the computers were coming along. That sounds pretty standard, doesn't it? Yeah, I thought so.
Anyway, whichever work my dad has been doing, he has been doing this for a long, long time. It's none of your business what exactly he does, but it's usually preceded by a stay at the university of roughly seven years which he spends memorizing Latin names for all the bones in your body, as well as a few other things. In Latin. So back to computers - he has a few he has been using for AGES. I'm really not kidding, there was this dinosaur I used to play Zaxxon on back in 1987 that was still working as a router/gateway for our whole network until about 12 months ago, when the motherboard died. The computer that kept me busy for the entirety of the last weekend was the second-oldest system.

Back when Pentiums were barely even heard of (and I mean the Pentium ONE (1)), my dad got one. 120 million mind-crushing cycles per second it did, and it's still working mostly as of today. So we had all the stuff moved from one place to another and I was called in to help move stuff around, unpack and set up computers. The friday before it seemed this ol' Pentium 1 had been the last computer that was set up (all the other ones were purring along nicely), and it didn't 'see the network' (sic). This I heard when I was barely coming into the new place, and friendly me offered help to take a look. Behold my amazement when I walked into the room with said computer, which was crowded with SIX IT TECHNICIANS, all trying to get the damn thing to work. Most of what I saw on the screen was the Win98 dialog 'Windows is building a driver database, please wait...' and network cards were strung around the room, eager to prove themselves and get the behemoth on the network. Mind you, at about this time I heard things had to be up and running by MONDAY MORNING. Yikes.

With six people crowding around the system, I wasn't going to add to the crowding. Since, you know, there was enough of it going on already. So fast forward about 16 hours, to next day morning. Ish. I like to sleep in. Brought meself a bootdisk or two, since after the 'techs' were done 'fixing' the computer, the damn thing wouldn't boot at all. All the while I had been slugging around countless heavy boxes, throwing around looks that screamed 'why aren't you doing something??? look at me, I'm all different sorts of busy and you're eating donuts??'. Apparently only girls can do that in a way that is actually understood.
So I boot the damn system without the bootfloppy first, just to be sure. Lo and behold, I am greeted with the feared 'Invalid system disk, replace and press any key to continue'. Yes, I checked. There was no floppy in any of the drives. Enter the bootdisk and reboot. Grind grind grind. DIR C:. Returns: nothing. Yes, the drive was empty. In less than 24 hours, either the techs had been so stupid as to erase the entire hard disk, or something seriously screwy was going on with this computer.

So I stick my head out the door and yell 'dad! got a Win98 setup CD laying around somewhere?'. He has. Great, in half an hour I'll be up and running. So when he brings me the CD, he informs me that even though the system has no functioning network card, there's two gigabytes of data on the system that needs to be on the network by monday morning. Crap. The one good thing is that this 2 GB is not on the C: drive, so whatever I can throw at it won't affect this precious data.

So I slam in the Win98 CD and start copying the thing to the hard drive. (You know, of course, that I do this because a) Windows installs faster from HD than from CD, and 2) I don't need the CD all the time like this.) I run the Setup utility with a few switches to turn off the commercial bla-bla and start it. Just as I start to leave to get some caffeinated beverage, Setup throws an error in my face, that of all things, says 'An existing version of Windows has been detected that Setup cannot upgrade. Setup will close now'. OK. Seriously, what the hell? This drive was blank five minutes ago.

I reboot the system and do a DIR listing again. Whoa! That wasn't here before! Suddenly I see a whole system on the C: drive that looks ready to go. So this means, either I'm going crazy, or the FAT table on the drive is being a bitch. (The FAT table is like a table of contents for the drive. Without it, you don't know what's on the drive, but it's still there.) OK, cool. All the stuff is still there. So I think, all I need to do is load up Windows, figure out a way to connect it to the other computers and copy over the 2 GB of important stuff, right? Right. Right after I run ScanDisk a few times, since I trust the FAT table about as far as I can throw a fat table.

Right away, MS Scandisk panics and tells me the FAT table is icky. Yes, Sherlock Holmes, that I knew. Now fix it. This overly obvious disk error is then followed by roughly 4 hours of grinding, fixing, waiting, and shouting on my part about the general fucked-upness of the hard drive. Bad folders, bad files, lost chains, lost clusters, you name it. Come to think of it, most of it was probably my fault since I copied about 125 MB of data to the disk from the Win98 Setup CD, overwriting the existing data which was still present then, but just not visible, due to the state of the FAT table. Curse that thing. So I spent about 4 hours alternating between MS Scandisk and Norton Disk Doctor trying to fix the drive and clear it of errors. This was then followed by even more fixing, since a few system ini files were majorly borken and overwritten in random places with characters like þ and ý. So FINALLY... I boot up Windows 98. Fancy logo, lots of chugging, which is then followed by... a sort of green picket fence of Doom. It looks sorta like the video card took a dump onto itself and went insane. The system crashes. And turns itself off out of pure self-pity, and goes to quietly sob in the corner. When I turn it back on it seems I'm back to square one, because it seems the FAT table took shore leave again and I'm left with a blank disk again! By now I'm majorly pissed off, and my dad comes to look at what the hell is going on after hearing a mind-splitting roar of frustration from the room I'm in. We call it a day and go home.

Next day, next day, next day! Prepared for another round of nimble-footed boxing with ye olde com-poo-tor, I pulled out a few more tricks and took my serial null-modem cable, parallel cable and a few floppy disks full of utilities that claim to be able to transfer stuff over said cables in DOS. I'm determined to make this work. I'm such a masochist. Note that BOTH the cables I bring have been soldered together by my awesome dad, some 20 years ago. How I remember playing Quake 1 over the null-modem cable with my friend, ah... Those were the days. So now this is the day of data judgement: either I transfer those 2 frigging jiggabytes of whatever-the-hell-it-may-be (work stuff son, you don't need to know), or I toss the damn system off the 15th floor. Yes, the building actually has that many floors.

First item on today's list is continue where I stopped the day before this - run ScanDisk until the drive is healthy again. No big deal I figure, the FAT table disappeared earlier, right? All I have to do is restore it and the system will be just the way I meant it to be. And indeed, right off the bat Scandisk detects and restores the FAT table. I think. However, the next thing it does is go into a flurry of dialogs saying, as I see it, the best error message Microsoft ever cooked up. It tells me, and I quote, that 'some clusters were found that used to be folders. These folders were restored, but since the contents of the hard disk changed, the scan has to restart'. Even better is, that in the language this Windows box is in, this message somehow expresses surprise. It sounds more like 'wtf? I found some clusters that, apparently, used to be folders!'. It then goes on to try and piss you off by saying 'since the contents of the drive have changed, the scan will have to start all over again! hah!'. Best error message ever. It had me in stitches.
So then this same error shows up about 40 more times, and I'm starting to get suspicious. Why are so many lost folders found when the FAT has been restored? Hm. When the scan finishes and the drive is all shiny and happy again, I drop back to DOS and do a DIR listing. Whoa! Holy crap! This is something I've never seen before: the *whole drive* now consists of files named 'file0001.chk', 'file0002.chk', etc, as well as folders named 'dir00001', 'dir00002', up to 'dir00047'. O_o;
Soooo... it seems the FAT table was not restored the way I wanted it to be. After some digging it turns out 'dir00035' used to be the Windows folder in a previous life, and 'dir00014' used to be the Adobe Acrobat folder. After doing a feeble attempt to rename all these folders back to whatever they used to be ('move c:\dir00035 c:\windows'), it occurs to me that I don't *need* Windows to boot on this thing. After all, the parallel cable and the file transfer utilities all work in DOS anyway. Cool.

So after a few minutes of messing with ancient system files you probably don't even remember (does the name HIMEM.SYS ring a bell?), I hook up the parallel cable to the borken system and another (working, networked) Win98 PC and start trying out the parallel-cable-file-transfer utilities. After a few tries, I actually find one that works! (>^_^)>
Such a miracle of technology, it transfers files across the cable at about 70 kilobytes per second. Don't laugh, that was fast as hell back in the days when I wasn't even born yet. So I steal my dad's PDA to calculate how long this is going to take. It spits out the number 'About 7 or 8 hours'. Cool. Being a sunday evening, this means it'll be done at about 5 o'clock this night. Sweet! Mission: success. This is not mission: difficult man, that should be a walk in the park for you.

So once again, this proves that ancient computer technology can still whip your ass. Do not underestimate the power of a printer cable with plugs on both sides!
Next time I get the chance, I'm totally coaching my dad into upgrading all systems to something like Windows 2000. Aw yeah.

*tap* *tap* Is this thing on?

OK. So... on to the daily complaining that I'm supposed to do here, judging from most of the Blogs I've seen so far. I've been told I have a humorous way of writing stuff, but we'll see about that.

Also, Tjitske is hot stuff.