Sunday, June 26, 2005

The deal with malware today

Recently there has been a lot of buzz on public news sites about zombie networks used for launching DDoS attacks, and aggressive, evasive malware. The way I see it, these two problems are currently the biggest ones on the Internet. And by this, I mean the two problems which are the hardest to solve.

When I first got into the antispyware business, things were pretty easy: if your IE security settings were too low, some ActiveX applet would dump a Registry script on your system and set it to run at startup, causing your startpage and search pages to be hijacked whenever you booted up the system. Nice and straightforward, and easy to solve - once you knew where to look. Spyware and malware were very young then, and it had only recently been exposed to the mainstream news by Steve Gibson's OptOut. For the first time it became clear that it was possible to sneak something (non-viral) on your system piggybacking on an 'ad-supported' program, that was left behind when the host program was removed. Still, things were pretty quiet on the bad guys' side. Techniques that were used were fairly simple, files were easy to detect and remove.

But then things started getting nasty. Malware started using exploits in the Internet Explorer browser to sneak stuff into your system. CoolWebSearch was one of the first to do this, but since then have shifted the blame on their 'affiliates' in what seems to be the general trend now: companies that encourage their affiliates to get users to install their software in whatever way they can, looking the other way while these affiliates use various exploits, that were posted on the full-disclosure list. Since the exploits posted to this list frequently included proof-of-concept code that was easily modified for malicious purposes, most of the exploits used by browser hijackers and drive-by malware installers have simply been plucked from this mailing list. Among the exploits used were the Java.ByteVerify hole in the MS Java VM, an Outlook Express Cross-site Scripting vulnerability, and some unsafe ActiveX objects that crossed the Internet Zone, lowering security and allowing write access to the system.

Still, though keeping the system up to date from Microsoft (keep in mind all these exploits applied only to MSIE on Windows) didn't always protect you from being infected, all these hijackers and pieces of advertising malware were relatively easy to remove. Kill the running processes, kill the autostarts, kill the files, kill the Registry keys and values. Using common sense, a little experience and those steps (in that order), any malware could be removed, even without any additional tools like process managers, antispyware or antivirus programs.

Even when the next step was taken by the bad guys, it took little effort to defeat this. When malware started to emerge that scanned the system's memory for antispyware and antivirus programs and closed these (forcefully), all we had to do was rename the process manager file and kill the malware processes before continuing with the normal cleaning procedure described above. When malware started to use multiple processes that kept each other alive, the 'Delete this file on reboot' option all Windows versions had (though hidden) worked with only very few exceptions. And there was always Safe Mode in those few cases - which loads only a very bare Windows shell.

But then disaster struck. A variant of a browser hijacker emerged that hooked a few Windows system functions and hid itself from Windows itself. This behaviour is commonly known from programs known as rootkits. This type of applications is basically the next generation of Remote Access Tools that emerged around 1999-2000, hiding itself on the infected system, giving the remote attacked complete access to the system as if he were sitting behind it. Rootkits took this one step further, by hooking system functions of Windows and filtering out any information that pointed to itselves before letting Windows read it (and pass it on to the user). This essentially made them invisible down to a very low level.
When malware started to use this, at first they just included a common rootkit like HackerDefender, setup to hide the malware processes, files and Registry keys. Later on the malware itself incorporated rootkit-like features.

We're standing at this point right now - malware using rootkit techniques to hide themselves, and reinstall themselves when something is removed. Though they also started bundling each other with themselves, effectively installing more malware onto the infected system again and again, the main problem is still the rootkit behaviour.
One of the main reasons why this is so hard to detect by antispyware and antivirus tools, is that the scanners aren't on a low enough level to bypass the layer of smoke the malware pulls up. Also, these pieces malware often use random filenames and some polymorphic code so two files are never the same, and signature scanners can't find the files, essentially leaving it up to a competent technician to manually find and kill everything. And that, is exactly what a computer program doesn't have: common sense.

Next up: botnets of spam zombies.

Thursday, June 23, 2005

Sin City - the way comics should be made info movies

A few days ago, I went to see Sin City with a few friends (after the usual fast-food run before that). I really gotta say, that movie rocks! It has to be one of the best comic-to-movie adaptations so far, if you're going for a great story with good acting. For great action shots, of course, you have to see Spider-Man and Spider-Man 2.
But anyway, Sin City really is an awesome movie. What's not to love about the 'Marv' character who's basically a human tank with a really bad attitude and a dark sense of humour? I mean, really, he gets shot in the chest like 5 times throughout the movie and run down by a speeding car a few times, and he just GETS UP. ('Don't worry, it's just a few scratches.') Nice job Mickey Rourke! I like that bit about this movie - characters don't just play dead after being shot once.

The one thing I really was afraid of wasn't there - Hale Berry. When I first saw the movie poster (you know the one) and the trailer, I feared Hale Berry was starring some main part in it. And I really hate that woman. Not because she's black, but because she's a shitty actress with less sex-appeal than a doormat. After scrolling through the cast list on IMDb, it appeared she wasn't even on the list. Great, I thought, she has this teeny-weeny role in the movie with 6 words, and she's on the frigging movie poster?? Phew. She wasn't. Rosario Dawson really was a much better choice. I just love the look of sadism in a woman's eyes. ;)

Another small thing that disappointed me was that even though Quentin Tarantino is the special guest director, he didn't manage to squeeze his 'muse' into the movie: Uma Thurman. God, what I'd have given to see that woman dance like Jessica Alba did in that movie. Hmmmm... (on a side note, the swords Miho uses are the exact same as the ones in Kill Bill :)

All in all, Sin City reminded me of the first Matrix movie a bit. The camerawork is similar, with those impossible angles, close-ups and positions you'll only see in a comic book. Really cool. Definitely worth its money.

Saturday, June 11, 2005

FireFox AdBlock training

Just a quick tip for those starting off with a fresh AdBlock install on FireFox: when you have a few hours of slacking available, go to and browse a few links. Filter any ads you run into, with partial URLs like,,, */ads/*, */ads?, .ads? etc, and you'll have AdBlock properly trained within a few days. Plus some entertainment.

That is, if you prefer not to use the gruesome, horrible RegExp expressions from their forum.

Btw: heed the warning in red at the top of the GeekIssues page.

Wednesday, June 08, 2005

And in the blue corner, Symantec

Just got this over email:

Symantec wants a court to allow its software to identify some programs made by Hotbar as adware.

Hotbar, which is made by a Microsoft partner,, is a kids add-on that personalises email and browsers. It gives a range of smiley faces for users to play with and gives access to search, skins and yellow pages.

However, HotBar also tracks web site visits and also has an autoupdate feature. Some users find it tricky to remove.

That just brightens up my day. All those spyware companies sueing people willy-nilly screaming 'we're not spyware! our software shows 26 popups a minute and tracks pretty much everything from your surfing habits to your email to your dog, but it's not personally identifiable!!!1' were really starting to piss me off, because you just know they're full of it. They just update their crap to not report your email address back to their servers (which ofcourse, it did in the first place, along with a hundred other pieces of info you don't want to see out on the 'net) and then claim it's not spyware since the info is 'not personally identifiable'. I even got a few emails myself like that, even though my software doesn't even target specific malware (nobody reads help texts anymore today). Seeing an antivirus company hit a spyware company with a lawsuit for the right of calling it 'spyware' just has me going 'YEAH! PRE-EMPTIVE STRIKE IN YOUR FACE!'. Symantec isn't exactly the coolest company to me, but this sure boosted their rankings in the awesome-o-meter.

XML is the coolest thing on this planet

I had a class today about my currently favorite subject: XML. It's actually a 7-week spanning subject, but it just keeps getting more fun all the time. Seriously, hear me out though.
So they start off in the first week with the basic stuff: tags, attributes, XHTML. I think ok, that's pretty easy and pretty much well-known by everyone in class. But anyway, no use rocking the boat by telling the teacher to speed it up. More time off means more time to party. But over the course (sp?) of the past few weeks we've been going steps up on the ladder every time - and it just amazes me how much can actually be done with XML. Really, you have no idea. The first revelation we got was the CSS style sheets you could use to make it appear like a normal HTML website. That was pretty cool. But next, we got into XPath which allows you to dynamically reshape the content on your HTML website. Like, when you have a list of people in XML with their names, birth dates, death dates, shoe sizes etc, you can make a table with this info, sorted on any of those properties. Sounds like fun, huh? Yeah I thought so. Anyway, with this XPath you can select a certain node (element) of the XML file, making the exercises incredibly funny with questions such as 'what XPath query selects the birth country of the second Greek author that lived for over a 100 years?'. Seriously, some of these questions had me in stitches.

Then we had the introduction of XSLT stylesheets, which you can use essentially to completely mess up the content of the XML source file and present it as something completely different in HTML, that even validates at the W3C! Amazing.
Now this last week, they've slowly eased into making for-each loops in XSLT stylesheets, using variables, conditional stuff, and this is starting more and more to look like an actual programming language. Mind you, I started this class expecting to do some light HTML coding and ended up learning a whole new programming language. This stuff just blows me away.
Now today, we had some important guy in a business suit give us a lecture about the business equivalent of XML, named XBRL. You can't make this stuff up. According to him, XML is the only way businesses can properly communicate without wasting weeks or even months of time manually reading reports created with Word, only to input them in their own database and create Excel sheets from that. So instead of your tax report taking three months to process and verify, if XBRL would be used, this would take three hours. Well, hook me up and call me Scotty, where can I get some of that?

The W3C really put some effort into this XML standard... and it's only at 1.0! I'm really amazed over and over again by what you can actually accomplish with it. I almost expect them to fully convince me to stop using ASP, PHP, MySQL, C++ and VB next week, only to replace it with one alternative, the one language, the only language, the language that can do everything, the one language to rule them all.... XML!

Penny-Arcade is funny on occasion

Usually, the online comic Penny-Arcade has episodes covering games I barely even heard of, or satires so sharp I can barely even grasp the tinest bit of wisdom needed to begin to understand them.

Occasionally however, they come up with gems like gems like this. And it just makes my day.

Monday, June 06, 2005

Games, games, games

By the way, before I forget this: if anyone ever comes here (which I doubt), these games you must play. Absolutely. And they're not your run-of-the-mill FPS shooters or something either. Old games are back with a vengeance!

Doukutsu (Cave Story) -
Japanese game, platform (don't forget the English language patch). Very sophisticated story, but not confusing. Much.

Bejeweled (1 or 2) -
The greatest Tetris variant of all time. v2 is even more fun.

Gish -
A friend described this game to me and started like this: 'it's a platform game, but get this:.... you're a ball of tar.'

Mario Forever -
A one-man conversion of Super Mario World from the SuperNes... for the PC! Written from scratch, with all new levels and 8 worlds with increasing difficulty.

We apologize for the inconvenience

Um, hang on. I'm not entirely sure how this thing works yet. Bumps and doubleposts ahead. It also appears that I have written the previous post in 3 minutes.

Blah This should be a link blah.
Could we get some bold eagles around here?
Or maybe some Italic pizza, pizza is nice.
Dude, don't go swimming, the underline is madness.

Check out my new gameplay!

Oh well, this blogging thing is relaxing at least. But enough for today. I'm going to get my drinking buddy and get hammered, it's 10 PM here after all.


Fixing ancient computer systems is fun

Right, so what better way to bore you all then to share a computer horror tale of this last weekend? You see, I had to help my dad and a few other people move all their stuff for work to a new place, and the computers were coming along. That sounds pretty standard, doesn't it? Yeah, I thought so.
Anyway, whichever work my dad has been doing, he has been doing this for a long, long time. It's none of your business what exactly he does, but it's usually followed by a stay at the university of roughly seven years where he spends memorizing lating names for all the bones in your body, as well as a few other things. In latin. So back to computers - he has a few he has been using for AGES. I'm really not kidding, there was this dinosaur I used to play Zaxxon on back in 1987 that was still working as a router/gateway for our whole network until about 12 months ago until the motherboard died. The computer that kept me busy for the entirety of the last weekend was the second-oldest system.

Back when Pentiums were barely even heard of (and I mean the Pentium ONE (1)), my dad got one. 120 million mind-crushing cycles per second it did, and it's still working mostly as of today. So we had all the stuff moved from one place to another and I was called in to help move stuff around, unpack and set up computers. The friday before it seemed this ol' Pentium 1 had been the last computer that was setup (all the ones were purring along nicely), and it didn't 'see the network' (sic). This I heard when I was barely coming into the new place, and friendly me offered help to take a look. Behold my amazement when I walked into the room with said computer, which was crowded with SIX IT TECHNICIANS, all trying to get the damn thing to work. Most of what I saw on the screen was the Win98 dialog 'Windows is building a driver database, please wait...' and network cards were strung around the room, eager to prove themselves and get the behemoth on the network. Mind you, at about this time I heard things had to be up and running by MONDAY MORNING. Yikes.

With six people crowding around the system, I wasn't going to add to the crowding. Since, you know, there was enough of it going on already. So fast forward about 16 hours, to next day morning. Ish. I like to sleep in. Brought meself a bootdisk or two, since after the 'techs' were done 'fixing' the computer, the damn thing wouldn't boot at all. All the while I had been slugging around countless heavy boxes, throwing around looks that screamed 'why aren't you doing something??? look at me, I'm all different sorts of busy and you're eating donuts??'. Apparently only girls can do that in a way that is actually understood.
So I boot the damn system without the bootfloppy first, just to be sure. Lo' and behold, I am greeted with the feared 'Invalid system disk, replace and press any key to continue'. Yes, I checked. There was no floppy in any of the drives. Enter the bootdisk and reboot. Grind grind grind. DIR C:. Returns: nothing. Yes, the drive was empty. In less than 24 hours, either the techs had been so stupid as to erase the entire hard disk, or something seriously screwy was on with this computer.

So I stick my head out the door and yell 'dad! got a Win98 setup CD laying around somewhere?'. He has. Great, in half an hour I'll be up and running. So when he brings me the CD, he informs me that even though the system has no functioning network card, there's two gigabytes of data on the system that needs to be on the network by monday morning. Crap. The one good thing is that this 2 GB is not on the C: drive, so whatever I can throw at it won't affect this precious data.

So I slam in the Win98 CD and start copying the thing to the hard drive. (You know, of course, that I do this because a) Windows installs faster from HD than from CD, and 2) I don't need the CD all the time like this.) I run the Setup utility with a few switches to turn off the commercial bla-bla and start it. Just as I start to leave to get some caffeinated beverage, Setup throws an error in my face, that of all things, says 'An existing version of Windows has been detected that Setup cannot upgrade. Setup will close now'. OK. Seriously, what the hell? This drive was blank five minutes ago.

I reboot the system and do a DIR listing again. Whoa! That wasn't here before! Suddenly I see a whole system on the C: drive that looks ready to go. So this means, either I'm going crazy, or the FAT table on the drive is being a bitch. (The FAT table is like a table of contents for the drive. Without it, you don't know what's on the drive, but it's still there.) OK, cool. All the stuff is still there. So I think, all I need to do is load up Windows, figure out a way to connect it to the other computers and copy over the 2 GB of important stuff, right? Right. Right after I run ScanDisk a few times, since I trust the FAT table about as far as I can throw a fat table.

Right away, MS Scandisk panics and tells me the FAT table is icky. Yes, Sherlock Holmes, that I knew. Now fix it. This overly obvious disk error is then followed by roughly 4 hours of grinding, fixing, waiting, and shouting on my part of the general fucked-upness of the hard drive. Bad folders, bad files, lost chains, lost clusters, you name it. Come to think of it, most of it was probably my fault since I copied about 125 MB of data to the disk from the Win98 Setup CD, overwriting the existing data which was still present than but just not visible, due to the state of the FAT table. Curse that thing. So I spent about 4 hours of alternating between MS Scandisk and Norton Disk Doctor trying to fix the drive and clear it of errors. This was then followed by even more fixing, since a few system ini files were majorly borken and overwritten on random places with characters like þ and ý. So FINALLY... I boot up Windows 98. Fancy logo, lots of chugging, which is then followed by... a sort of green picket fence of Doom. It looks sorta like the video card took a dump onto itself and went insane. The system crashes. And turns itself off out of pure self-pity, and goes to quietly sob in the corner. When I turn it back on it seems I'm back to square one, because it seems the FAT table took shore leave again and I'm left with a blank disk again! By now I'm majorly pissed off, and my dad comes look what the hell is going on after hearing a mind-splitting roar of frustration from the room I'm in. We call it a day and go home.

Next day, next day, next day! Prepared for another round of nimble-footed boxing with ye olde com-poo-tor, I pulled out a few more tricks and took my serial null-modem cable, parallel cable and a few floppy disks full of utilities that claim to be able to transfer stuff over said cables in DOS. I'm determined to make this work. I'm such a masochist. Note that BOTH the cables I bring have been soldered together by my awesome dad, some 20 years ago. How I remember playing Quake 1 over the null-modem cable with my friend, ah... Those were the days. So now this is the day of data judgement: either I tranfer those 2 frigging jiggabytes of whatever-the-hell-it-may-be (work stuff son, you don't need to know), or I toss the damn system off the 15th floor. Yes, the building actually has that many floors.

First item on today's list is continue where I stopped the day before this - run ScanDisk until the drive is healthy again. No big deal I figure, the FAT table disappeared earlier, right? All I have to do is restore it and the system will be just the way I meant it to be. And indeed, right off the bat Scandisk detects and restores the FAT table. I think. However, the next thing it does is go into a flurry of dialogs saying, as I see it, the best error message Microsoft ever cooked up. It tells me, and I quote, that 'some clusters were found that used to be folders. These folders were restored, but since the contents of the hard disk changed, the scan has to restart'. Even better is, that in the language this Windows box is in, this message somehow expresses surprise. It sounds more like 'wtf? I found some clusters that, apparently, used to be folders!'. It then goes on to try and piss you off by saying 'since the contents of the drive have changed, the scan will have to start all over again! hah!'. Best error message ever. It had me in stitches.
So then this same error shows up about 40 more times, and I'm starting to get suspicious. Why are so many lost folders found when the FAT has been restored? Hm. When the scan finishes and the drive is all shiny and happy again, I drop back to DOS and do a DIR listing. Whoa! Holy crap! This is something I've never seen before: the *whole drive* now consists of files named 'file0001.chk', 'file0002.chk', etc, as well as folders named 'dir00001', 'dir00002', up to 'dir00047'. O_o;
Soooo... it seems the FAT table was not restored the way I wanted it to be. After some digging it turns out 'dir00035' used to be the Windows folder in a previous life, and 'dir00014' used to be the Adobe Acrobat folder. After doing a feeble attempt to rename all these folders back to whatever they used to be ('move c:\dir00035 c:\windows'), it occurs to me that I don't *need* Windows to boot on this thing. After all, the parallel cable and the file transfer utilities all work in DOS anyway. Cool.

So after a few minutes of messing with ancient system files you probably don't even remember (does the name HIMEM.SYS ring a bell?), I hook up the parallel cable to the borken system and another (working, networked) Win98 PC and start trying out the parallel-cable-file-transfer utilities. After a few tries, I actually find one that works! (>^_^)>
Such a miracle of technology, it transfers files across the cable at about 70 kilobytes per second. Don't laugh, that was fast as hell back in the days when I wasn't even born yet. So I steal my dad's PDA to calculate how long this is going to take. It spits out the numner 'About 7 or 8 hours'. Cool. Being a sunday evening, this means it'll be done at about 5 o'clock this night. Sweet! Mission: success. This is not mission: difficult man, that should be a walk in the park for you.

So once again, this proves that ancient computer technology can still whip your ass. Do not underestimate the power of a printer cable with plugs on both sides!
Next time I get the chance, I'm totally coaching my dad into upgrading all systems to something like Windows 2000. Aw yeah.

*tap* *tap* Is this thing on?

OK. So... on to the daily compaining that I'm supposed to do here, judging from most of the Blogs I've seen so far. I've been told I have a humorous way of writing stuff, but we'll see about that.

Also, Tjitske is hot stuff.