<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.geekzone.co.nz/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
<title><![CDATA[Virus Busting: You catch 'em, we kill 'em]]></title>
<link>http://www.geekzone.co.nz/nunz</link>
<description>You catch 'em, we kill 'em</description>

<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.geekzone.co.nz/gznunz" /><feedburner:info uri="gznunz" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:browserFriendly></feedburner:browserFriendly><item><title><![CDATA[Independence in a corporate age]]></title><link>http://www.geekzone.co.nz/nunz/6373</link><description><![CDATA[
<p style="margin-bottom: 0.5cm;">Independence in a corporate age....<br /><br />As a neutral provider of IT support and help we get to see IT life from all perspectives. We work with Linux, Mac, Windows, Novell, IBM, Acer, HP, Dell etc etc ... providing the best possible support and help for our customer - vendor neutral - best fit solutions. Along the way we get to talk to most of the IT vendors / providers in the process of trying to sort out issues for our customers.<br /><br />Here is one story - trying to help a customer without selling our soul: <br /><br />A guy, I'll call him Sam, walked into our workshop with a dead Compaq Laptop. The laptop is less than two years old and the hard drive had suffered catastrophic failure. It will not live again and is a fault directly attributable to manufacturers fault or hardware failure - not the user.&nbsp; <br /><br />After diagnosing the problem we provided a new hard drive and started the process of trying to install the Vista operating system again. Here is where the fun starts. With the original hard drive dead - there is no recovery partition. Therefore we need installation media. The drivers can be downloaded from Compaq/HP but a version of Vista Business installation media was required. Phoning Microsoft pointed us back at the manufacturer. Phoning the manufacturer gave us the options of having them charge a fortune to the customer to re-image the pc (remember it died as a result of manufacturer fault) but they will not provide installation media or recovery disks. The option they gave was to purchase another (retail) version of Vista and install that. Hmm - their customer already has Vista - why would they buy another? Well we don't provide media - have you talked to Microsoft? Yes ... 
and they told me to talk to you...<br /><br />Needless to say that conversation is currently escalated to the customer experience team where a gentle reminder of the phrase "fit for purpose" and consumer protection act will probably be invoked. The warranty might have expired after one year but a PC that dies that quickly owing to manufacturers fault runs foul of the consumer protection act. Still - that's a side thought.<br /><br />On to Microsoft - this episode made me realise a set of Vista disks would be very handy to have. I already am deluged in XP and Office disks from years of buying that OS and product but Vista - we only have three flavours of it - and not the one the customer needed. The customer has the license but having the installation media would be very very handy. We are getting more Vista jobs and so need to have the media around for recovery or reinstall.&nbsp; <br /><br />My options -</p>
<ul>
<li>
<p style="margin-bottom: 0cm;">Buy a full set of OEM Vista disks 	(ie home, home premium, business, business premium , ultimate etc)</p>
</li>
<li>
<p style="margin-bottom: 0cm;">Get a set of installation media 	disks from Microsoft without license so we can support their 	customers</p>
</li>
<li>
<p>Pirate disks off the net</p>
</li>
</ul>
<p><br />My wallet yelled at me when it saw the price of buying a copy of each version of the OS so I decided that talking to Microsoft might be worth it - after all there must be a squazillion people like me around the world fixing Microsoft OS based PCs and needing installation media.&nbsp; At that point it all went horribly wrong.<br /><br />Browsing the MS site to look at how to purchase these things led me to the partner program. Two hours of study later I was more confused than ever, had no prices to work from and still had no idea if I could get Vista installation media for use with my customers.&nbsp; I did however know how to get lots of info on upselling MS product. I decided to phone Microsoft. Other than the fact that - the girl on the other end seemed incapable of understanding my simple request on how to purchase OEM installation media or join something that allows me to get this media, I finally got it figured out. I am told I need to join a partner program. <br /><br />However (this is where selling my soul comes into play) to be an MS partner I need to sign up that I will use the media and software required internally in my business, undertake to push a certain percentage of my sales as Microsoft product and commit to being audited as doing such. HUH???&nbsp; So I explained - NO!!! I am independent. My goal is to help my customers independent of alliances with big corporates so I can choose the best product to use for them without vendor bias towards one corporate giant or another. Also as a PC repair person I don't sell software, it comes pre-installed as OEM from the manufacturer and I am not going to take up software development just so I can join as an ISV. Besides which my Linux server and Lotus Notes mail system hasn't crashed in three years whereas my Exchange server &ndash; well it certainly has - ... nuff said. Did I mention viruses about here as well? 
I work in a virus rich environment and MS products don't meet my internal business needs in many cases.<br /><br />End result - stalemate. If anyone knows how to get hold of OEM / Installation media for Microsoft product without selling one's soul - please let me know.<br /><br />Microsoft - You big dummies - If you don't support people who are supporting your clients who have purchased your product then it is going to hurt you - making customers buy second and third versions of a product they have already paid for just peeves them off. When your updates mess up an OS and it needs reinstalled - that really does rack a customer off - then making them purchase media so they can fix the issue - that's adding insult to injury. And your tech people regularly say that is the only option.<br /><br />Now Linux - anything goes wrong on a Linux box and I can download installation media and reinstall - that's real support for the end user. Apple? They provide media with the hardware. That's real support. Microsoft - you just make us pay and pay and pay - that's just bad business and an insult. HP, Compaq, Dell - take note of what Apple does - they provide media - it only costs them about $0.50 per machine. Take a hint you cheapskates - media is gold to the end user and flings mud at you when you don't provide it. It is costing you sales and consumer love when you money grub on media for the sake of 50c worth of disk and plastic. <br /><br />Microsoft - we aren't talking piracy here - these customers I am talking about have already purchased your product. The CDs are floating around - all that matters in the long run is the license they purchased. How about throwing those of us who don't want to kowtow to being joined at the hip, and paying you for the privilege of being your vassals, a bone so we can make you guys look better? Just a thought. 
I don't mind paying a reasonable price for media - it's the attached strings and product slavery that really rip my undies.<br /><br /><br />In the mean time - where is that installer for ultra torrent? Pirate Bay? Here I come.]]></description><pubDate>Thu, 26 Mar 2009 05:30 +1200</pubDate><category><![CDATA[The Perils and thrills of small business ownership]]></category></item>
<item><title><![CDATA[Knitting with tinfoil.]]></title><link>http://www.geekzone.co.nz/nunz/6085</link><description><![CDATA[ 	<!-- 		@page { size: 21cm 29.7cm; margin: 2cm } 		P { margin-bottom: 0.21cm } 	-->I have decided to get out a roll of tin foil and start knitting myself a tinfoil hat - mostly to wear while sitting in my <a href="http://en.wikipedia.org/wiki/Faraday_cage" title="Farady Cage">Faraday</a> cage, with the window vibrators on, speaking via  voice changer and using anonymous proxy to surf the net via my wireless internet access in an ever moving van. Oh yes &ndash; Pink Floyd's, &ldquo;The Wall&rdquo;, is screaming in the foreground to stop people overhearing what I say.  <p style="margin-bottom: 0cm">So what pushed me (further?) over the edge you ask? Mozilla Firefox 3.</p>   <p style="margin-bottom: 0cm">Two days ago I decided to log onto my utility site to manage some web site content for a customer. My utility site has a Url similar to web.nunz.somewhere.net . It is not publicly accessible, needs a password to access it and holds links to Joomla back ends, ftp services, web email etc. What is more it doesn't appear in Google search, Yahoo search or other search engines. In short it is about as anonymous and private as it gets on the net.<br /> </p> <p style="margin-bottom: 0cm">So imagine my shock when a window popped up telling me Firefox Three was not going to let me browse to my site as it was a reported phishing site. The window offered me three links:</p> <blockquote><p style="margin-bottom: 0cm">  1 - 'Get Me Out Of Here' which sends you to the Google home page,  </p><p style="margin-bottom: 0cm">  2 - 'Why was this site blocked'  which leads you to lots of fluff and education about phishing being bad etc  </p><p style="margin-bottom: 0cm">  3 - A link that says 'Ignore This Warning'. 
(supposedly allows you to  continue on).</p></blockquote>   <p style="margin-bottom: 0cm"><br /> </p> <p style="margin-bottom: 0cm">Well I had work to do so I pushed ignore this warning - to get the same page again and again and again and ... you get the idea - The <a href="http://en.wikipedia.org/wiki/Groundhog_Day_(film)" target="_blank" title="Ground Hog Day">Ground Hog Day</a> event horizon swallowed me whole.  Having next tried the 'Get Me Out Of Here' button which got me to Google's front page, a useless destination for my purposes, I tried the 'Why Was This Site Blocked' button.</p>  <p style="margin-bottom: 0cm">Now I know <a href="http://www.enotes.com/famous-quotes/great-wits-are-sure-to-madness-near-allied-and" target="_blank" title="Great minds ">great minds are near to madness allied (John Dryden)</a> and some times I may slip through those thin partitions that divide, but I do think that as the owner of a Url banned by some list as being a phishing site, that the button that states, &quot;Why Was This Site Blocked&quot;  would give me some information as to why my site was blocked. Sorry to say I was wrong.  </p> <p style="margin-bottom: 0cm"><br /> </p> <p style="margin-bottom: 0cm">The button opens a page that gave me educational fluff and bubble about phishing in general but nothing on Why Was THIS SITE Blocked.  
What is worse, nowhere was there information on that page that covered the basics I needed such as:</p> <blockquote><p style="margin-bottom: 0cm">1 - Who blocked this site and why?</p><p style="margin-bottom: 0cm">2 - Who runs the black list?</p><p style="margin-bottom: 0cm">3 - How do you contact the blacklist?</p><p style="margin-bottom: 0cm">4 - How do you get off this blacklist?</p><p style="margin-bottom: 0cm">5 - Why wasn't I the owner notified of the banning?</p></blockquote>     <p style="margin-bottom: 0cm"><br /> </p> <p style="margin-bottom: 0cm">Two days of research later I have had an email from the security team at Mozilla telling me all they have done is implement a phishing filter based on lists recovered from Google. They also very kindly gave me a Url to anonymously suggest to Google that the site is wrongly banned.  ( <a href="http://www.Google.com/safebrowsing/report_error/?tpl=Mozilla" target="_blank" title="Jane - Get Me Off This Planet - Now">http://www.Google.com/safebrowsing/report_error/?tpl=Mozilla</a> )</p> <p style="margin-bottom: 0cm"><br /> </p> <p style="margin-bottom: 0cm">Now while having the Url is nice I must admit it fails at a number of points:</p> <blockquote><p style="margin-bottom: 0cm">1 - It is an anonymous submission</p><p style="margin-bottom: 0cm">2 - The captcha used to receive information is the most unreadable captcha I have ever seen. 
Problems with R,N,I and M letter combinations that make guessing what the squiggles say almost impossible</p><p style="margin-bottom: 0cm">3 - It has no accessibility method for submitting the form if you cant read the captcha or have vision or other disability issues (thus fails W3C standards completely)</p><p style="margin-bottom: 0cm">4 - It doesn't tell you how to contact the black list people</p><p style="margin-bottom: 0cm">5 - It doesn't acknowledge a successful submission of request for banning removal (just sets itself up again to be used again)</p>6 - Leaves me no closer to figuring out how my URL got blacklisted, who blacklisted it, why I wasn't notified of the banning and whether I can get off this blacklist (anonymous URL submissions to unknown people with no guarantee of it being received leave me with dread over my chances of success). </blockquote>     <p style="margin-bottom: 0cm">&nbsp;</p> <p style="margin-bottom: 0cm"><br /> </p> <p style="margin-bottom: 0cm">While I have turned off phishing filter in FF3 (Tools - Options - Security Tab - Tell me if this site is a forgery and Tell me if the site is an attack site)  that doesn't stop my sites being banned for every other FF3 user and still leaves those of us falsely accused swinging in the wind.It also doesn't stop Firefox contacting Google. <a href="http://discuss.extremetech.com/forums/thread/1004380486.aspx" target="_blank" title="FF Telling Google Stuff">See one persons experience here</a></p> <p style="margin-bottom: 0cm"><br /> </p> <p style="margin-bottom: 0cm">BTW - while I think of it - TELL ME if site is a forgery and TELL ME if site is an attack site - that seems to me to be different to 'BAN me from a forgery and BAN me from an attack site' - or is that my John Dryden delusional state messing with my grasp of the English language?</p>  <p style="margin-bottom: 0cm">Here is my big issue over this whole thing in regards to Mozilla FF3. 
Without my explicit consent, FF3 has been asking Google to comment on sites I am visiting. This functionality was turned on without me being asked as part of an upgrade but what is worse - FF3 is contacting Google about my personal browsing habits without my explicit consent. Even IE asks before turning on phishing filters etc.   </p>  <p style="margin-bottom: 0cm">Now Google and Mozilla both point to privacy clauses (which have more holes than a sieve) but the reality is my IP address is an identifying feature. It is who I am on the net. While I don't mind having that IP address recorded on intermediate servers along the way I really do mind having it served up to the webs biggest pusher of product for profit. Google is teetering on (some would say has already gone over ) the edge of the precipice of invasive tracking and profiling. Their search results are tailored to me, ads on sites track my movement around the web and now it seems they are deciding (through a supposedly independent and third party browser) which sites I can and cant visit. They have decided to Santa the web and arbitrarily decide who is naughty and nice -banning those they deem unworthy.  </p>  <p style="margin-bottom: 0cm">When you add this to the accumulation of  services integrated in most web browsers you have to wonder just how free the Internet really is today. Some examples:</p> <p style="margin-bottom: 0cm"><br /> </p> <blockquote><p style="margin-bottom: 0cm"><strong>IE and FF both search for alternative URLs to try if you mess up typing in the URL in the address bar</strong>. </p><p style="margin-bottom: 0cm">How much do you trust them to actually look for what you want and not just return their idea of what you should have? And before you wonder about my paranoia levels - ask yourself this - what is Google and Microsofts primary purpose in life? To make money! And they don't do that by being nice and offering charitable help to others without cost. 
Add to that Microsoft's ambition to control the web and browsing habits, Google's invasive presence just about everywhere and you have to start wondering if big brother isn't already feeding you your daily dose of desire and consumerism.</p></blockquote> <p style="margin-bottom: 0cm">&nbsp;</p> <blockquote><p style="margin-bottom: 0cm"><strong>IE and FF both </strong><strong>have search bars built into their browsers next to the address bar. </strong></p><p style="margin-bottom: 0cm">Now while those are handy it means there is connectivity between those search bar providers and  you by default in the web browser you use. Anyone tried to remove the Live Search tool bar from Windows IE? Even removing phishing from FF doesn't stop the communications - including communications to Google analytics servers (their ad servers) . <a href="http://discuss.extremetech.com/forums/thread/1004380486.aspx" target="_blank" title="FF Telling Google Stuff">See one persons experience here</a></p></blockquote> <p style="margin-bottom: 0cm"><br /> </p> <blockquote><p style="margin-bottom: 0cm"><strong>Yahoo - via the medium of being Xtra's provider of email</strong>, </p><p style="margin-bottom: 0cm">... control who can and cant send email to Xtra's customers (see other articles on how people are being arbitrarily blacklisted by yahoo at yahoos whim).</p></blockquote> <p style="margin-bottom: 0cm"><br /> </p> <blockquote><strong>Most web browsers are provided by the webs biggest sellers of IT, media and product</strong>. <br />(Apple Safari, Microsoft Internet Explorer, AOLS Browser, Google Chrome). Sadly it seems that Google is so tightly and completely integrated into Mozilla Firefox that Windows PC users no longer have an easy choice of independent web browser (except Opera maybe?) The best independent offering just sold its soul - unless you want to recompile and sort the code out for yourself. 
</blockquote><p style="margin-bottom: 0cm">&nbsp;</p> <p style="margin-bottom: 0cm"><br /> </p> <p style="margin-bottom: 0cm">Ten years ago people were sweating over doubleclick.com, webtrends and similar adverts tracking you around. You knew not to add tool bars into your browsers unless you were prepared to give away some privacy. Now days it seems every e-man and their e-dog have no worries about those providers. Google, Microsoft and Yahoo have ubiquitously done what ad servers couldn't and what is more they are now part of your web browsing software. At least with doubleclick you could ad them to your hosts file as 127.0.0.1 but with Google embedded in your browser that kills most of your browser experience and speed (try waiting for 127.0.0.1 to respond several times a page).</p>  <p style="margin-bottom: 0cm">What is worse is they are also part of your desktop in many cases (Microsoft Desktop Search, Google Desktop Search) . And if you think that having them on your desktop is no big deal then ask yourself why Microsoft has applied for a patent to serve you advertising based on what you are doing on your Pc (not even while you are on the web). See <a href="http://arstechnica.com/news.ars/post/20070717-microsoft-patents-the-mother-of-all-adware-systems.html" target="_blank" title="Mother Of All Patents">Here</a> and <a href="http://www.searchenginejournal.com/microsoft-patent-filing-reveals-ideas-to-monitor-offline-behavior-for-advertising-purposes/6285/" target="_blank" title="Offline Patent">Here&nbsp;</a> </p> <p style="margin-bottom: 0cm"><br /> </p> <p style="margin-bottom: 0cm">But don't worry, rest assured - they only collect your IP address and as long as you don't use MSN, Live, Hotmail, AOL, GMail , Yahoo Mail, Google services, Microsoft One Care, etc. etc. etc. - they cant track that back to your name and personal details.  
</p> <p style="margin-bottom: 0cm"><br /> </p> <p style="margin-bottom: 0cm">So anyway - back to my knitting - and while I knit I am going to ponder how on earth (and not the Google version either) the webs most taken up independent web browser just sold out and integrated the webs largest provider of advertising into itself (without notifying users) to arbitrarily decide what you can and cannot see on the web. Maybe big brother is watching but like <a href="http://en.wikipedia.org/wiki/Burning_Chrome" target="_blank" title="Burning Chrome">burning chrome</a> (and yes I would really recommend you do that to Googles browser), the big brothers we need fear are not governments but corporates instead.  </p> ]]></description><pubDate>Sat, 20 Dec 2008 02:57 +1200</pubDate><category><![CDATA[What If...?]]></category></item>
<item><title><![CDATA[Would you trust these people with your money?]]></title><link>http://www.geekzone.co.nz/nunz/5997</link><description><![CDATA[Tonight I set down with a simple goal in mind - to fill out a couple of forms on line to see if my money and I can be seperated in the noble persuit of getting a bank loan to increase my business. Does my current business need a loan? No. But I am hoping to take some of the spare cash we have and put it to good use by purchasing a new (non IT geek type) business. <br /><br />All good, right up to the point that I visited the online banking sites this great nation of ours boasts. Now - please note - I am not trying to do anything secure online (like internet banking heaven help us all) instead simple things like filling out loan calculators and enquiry forms so the banks can have a crack at seperating me from my hard earned cash. <br /><br />Now - I believe that if a bank wants to make me feel comfortable about my money being with them and doing business with them then their website should be the portal that helps calm my fears, e-wipe my worried e-brow and convince me these guys really do know what they are doing so maybe I can trust them to do business with. yeah right!!<br /><br />In no particular order (other than alphbetical).<br /><br /><strong>ANZ - online eligability tests as the first step to getting a loan with them.</strong><br />&nbsp;&nbsp;&nbsp; URL = http://www.anz.co.nz/calc/bfei.asp<br /><br />Filled out page one,<br />&nbsp; &nbsp; Yes I have two years trading, <br />&nbsp;&nbsp;&nbsp; Amount required - squazillion dollars,&nbsp; click next.<br /><br />Page Two -&nbsp; Your incorporated entity trading results (for the last two years). <br /><br /><blockquote>There are two columns. Both have drop down boxes at the top (defaulting to 1998 and 1997)<br /></blockquote><blockquote>Click drop down boxes to try to fill in numbers for 2008 and 2007 ( year ending March yyyy - ie last two years trading results). 
Hmm ...1998, 99, 2000, 2001 ... 2003, 2004, 2005. bugger!!! no 2006, 2007 or 2008. Some nob has hard coded the years in and the stupid bugger hasn't updated them. whats more it hasn't been updated to allow entry of the last two years of trading accounts - Whats a boy to do? Lie about the years whose numbers I am filling in? Not likely -I would actually like to get a loan not go to court facing charges of trying to obtain money fraudulently. <br /></blockquote><br />Tried to contact ANZ with screen shots, URLs etc to let them know their system is shite!. Can I do that online? not so far - anyone know what their support email address is (not in their contact page), where a help 404 web form reporter is? how to actually do that? I am going to try the 0800 number but not sure the screen shot will fit down the phone line. <br /><br />What is really scary is that these pages look like they were written some time in 1999 (assuming 1997 and 1998 were the last two years of financial trading at the time this page was published). It was written in ASP code. it has not been updated since. 
can anybody spell EXPLOIT!!!!!!!!!&nbsp;&nbsp; ASP code from the 90s was as safe as a 13 year old model on on the catwalks of Milan<br /><br /><strong>Oh by the way</strong> - laugh yourself sick at their help pages.&nbsp; http://www.anz.co.nz/ib/TSQuest4.asp<br /><br /><p class="header3"><strong>Recommended Browsers and Settings</strong></p><br /><br /><p class="text1">PC<br />	<br /><img src="http://www.anz.co.nz/common/img/arrows/arrow_1e.gif" alt="" width="12" height="9" />&nbsp;<a href="javascript:openPopupWindow('/ib/TSIE6.asp',%20'IBDemo',%20700,%20600,%20false);" class="text9">Internet Explorer&reg; 6.0 (preferred)</a><br />	<br /><img src="http://www.anz.co.nz/common/img/arrows/arrow_1e.gif" alt="" width="12" height="9" />&nbsp;<a href="javascript:openPopupWindow('/ib/TSIE5.asp',%20'IBDemo',%20700,%20600,%20false);" class="text9">Internet Explorer&reg; 5.5</a><br />	<br /><img src="http://www.anz.co.nz/common/img/arrows/arrow_1e.gif" alt="" width="12" height="9" />&nbsp;<a href="javascript:openPopupWindow('/ib/TSNets.asp',%20'IBDemo',%20700,%20600,%20false);" class="text9">Netscape&reg; 7.0</a><br />	<br /><img src="http://www.anz.co.nz/common/img/arrows/arrow_1e.gif" alt="" width="12" height="9" />&nbsp;<a href="javascript:openPopupWindow('/ib/firefox/default.asp',%20'IBDemo',%20700,%20600,%20false);" class="text9">Firefox&reg; 1.0</a></p><br /><p class="text1">MAC<br />	<br /><img src="http://www.anz.co.nz/common/img/arrows/arrow_1e.gif" alt="" width="12" height="9" />&nbsp;<a href="javascript:openPopupWindow('/ib/safari/default.asp',%20'IBDemo',%20700,%20600,%20false);" class="text9">SafariTM 1.2</a></p><br /><br />HOLY TIMEWARP BATMAN - ANZ - GET INTO THE BLOODY NAUGHTYS for crying out loud. The y2k bug obviously came and left you guys in its tidal back wash - by the looks of your site you are still waiting for it to come. 
Too late dudes - the rapture has been and you were left behind.<br /><br /><br /><strong>MARAC Finance - </strong><br /><br />Nothing inherently insecure with those guys online - in fact as a security model goes, not being able to use the website at all is a fantastic form of security - oh no - wait - it's only buggered in Mozilla Firefox and Safari. Let me take back my previous comment regarding being secure. Bugger!bugger!bugger!bugger!bugger!. Looks like I might have to crack open that &quot;most secure operating system ever&quot;  IE and use that instead. Posts don't work and rollovers don't work in Mozilla. I can't even use the basics to apply online - Looks like I'll mark Marac off my list.<br /><br /><br /><strong>Kiwi Bank </strong>(did I say alphabetical? maybe Greek alphabet - Alpha beta, gamma, delta eeerrr ... marac, theta, kiwibank, epsilon omega .. see told you it was alphabetical). <br /><br /><br />Try filling in this form - https://www.kiwibank.co.nz/forms/business-banking-contact/<br />Try telling them your business has been trading for 0 years. Did you know that 0 is not counted as a numerical entry? - If it is a true statement then you will need to commit fraud to go further on this site. By the way - numerical entry or numeric? <br /><br />In all - three out of three strikes for the banks. They hardly inspire me with confidence that they know what they are doing.&nbsp; I did try Westpac's site too - complete form failure and issues with Mozilla Firefox (needed IE again).&nbsp; They haven't returned my email contact in the last three days. Guess I'll take my business elsewhere - glad to see they are (not) so friendly and helpful to small businesses (just like their ad didn't say). 
<br /><br /><br /><strong>Lastly </strong>- here is a test for your banks - the definition of the word security.<strong> <br />This is a true story and is a true conversation.&nbsp; In fact it is three true conversations with very little variation or altering of facts&nbsp; from the real happenings.<br /><br /></strong><br />Walk into a bank with 15k cash - preferably in bills (100s work fine if you like red and it still makes a nice wee pile - doing it in $5 bills is really exciting - but do bring a duffle bag to carry it all in). <br /><br />Ask to get a credit card with a 5k limit secured against the 15k cash. The cash will be stored in a term deposit, a lien (restraint) put against it as security in case you get out of line with the credit card.&nbsp; do emphasise you will be loading the credit card up with more cash as well and only need it to pay overseas contractors / suppliers.<br /><br />Listen to them tell you that they cant give your business a credit card as it has been trading for less than two years (or has less than two years audited accounts ) and they have no security. <br /><br />Ask them why cash doesn't count as security. <br /><br />&quot;It doesn't&quot;, they tell you - &quot;we cannot guarentee you will be able to payback the credit card.&quot; Errrrr!!!! 15k cash - 5k&nbsp; credit card - and they think I cant prove an ability to pay 5k back. <br /><br />&quot;So what does count as security? &quot;,<br />&quot;A wage / salary&quot;<br />&quot;Well I have one of those!&quot;<br />Bank - &quot;Really? Good! Now the name of your employer?&nbsp; - hang on - thats your business isn't it? &quot;<br /><br />Yep!!. <br /><br />Well we cant prove you have the ability to pay the CC and so cant give you the CC as you cannot provide security. <br /><br />Impatiently I tap the 15k bundle of cash (specially converted for the day to see if waving cash in front of them would get their attention). 
<br /><br />No I'm sorry sir - we need security and it has to be a wage / salary. <br /><br />What, I ask, if I bring in 70k cash (its amazing how little space a house takes up when you sell it and convert it to currency.) <br /><br />No!!.<br /><br />120k?<br /><br />No - you cant prove you can pay the 5k credit card back. We need security. <br /><br />And cash - which cannot loose its job or go out of business - doesnt count as security?<br /><br />No!!<br /><br />Well what if I can prove an income great enough to pay back 5k if my cash somehow failed to be able to do so?? <br /><br />Excellent - whats you income sir? <br /><br />7.5% of 70K - The going rate of a term deposit on the spare cash I have left over from the sale of my house. <br /><br />No sir - thats not income.<br /><br />bollocks!! I reply. It sure as poo smells, is income.<br /><br />But its not a wage sir. so it doesn't count as income. <br /><br />Finally I lay my trump card down. Leaning forward I say, &quot;You do know I just won the big one with lotto dont you? I'm never going to work again - just live off the interest on my 1.2 million dollar winnings. That's about 90k a year. Do you think that might count as security?&quot;<br /><br />No sir - its not a wage so you are unable to provide security so we are going to have to decline your application for a credit card. <br /><br /><br />Retard!! - click - end of conversation. <br /><br />Choose differnt bank - try again. Fail again. Choose another bank - try again - fail again. <br /><br />Yes folks it is true - having pocket loads of cash, no debts, no loans, bugger all outgoings and two businesses less than 2 years old will not let you get a credit card at either the Westpac, BNZ or ASB. <br /><br />Thus the reason for trolling bank sites as per the post above - trying to find a bank that understands cash is king. Unfortunately it turns out the banks above cant run web sites either so they sure as hades are not going to get my cash. 
And yes - my post proves it is true (some) banks really do still think it is the nineties and haven't made it to the new millennium yet. <br /><br /><strong>Lastly - a security note from Shane</strong><br />In case anybody thinks I am dumb enough to carry large amounts of cash around again, or have it at my house, in my shop, buried under the cat poo in the back corner of my garden or possibly have stashed it at the bottom of the settling tank in Bromley sewerage works - think again. It is now stashed with a <a href="http://www.kingdomresources.org.nz/1/index.php" title="Kingdowm Trust - Interest Free Loans">non-banking institute</a> where it is not earning interest but is helping make the world a better place. All trying to rob me will do is peeve me off and get you a career as a falsetto singing farmer boy with a couple of achers to show for his encounter - you have been warned.<br /><br />Oh and No!! I didn't win lotto but was interested what the result would be if I actually had. However any winning lotto tickets gratefully accepted.]]></description><pubDate>Mon, 1 Dec 2008 10:54 +1200</pubDate><category><![CDATA[The Perils and thrills of small business ownership]]></category></item>
<item><title><![CDATA[Burn all books - out with free thought.]]></title><link>http://www.geekzone.co.nz/nunz/5987</link><description><![CDATA[Kinsten:<br /><br />&gt;write a sci-fi book, please =) <br /><br />I thought about it but the only people who would read it would be other geeks and we all know that p2p is the best way to get books we like - no money in it for me though. Sigh!!!&nbsp; I even had the art laid out ready to go: <br /><br />Looks like a series of smileys but don't run it in a Linux command line :) <br /><br /><br />&gt;Heard of a guy in America who wrote an article on<br />how to hack systems, but never actually hacked anything, &gt;was sent to<br />jail for life for being too dangerous.&nbsp; Was your final comments about<br />this scenario?<br /><br />Kind of - Tom Clancy actually got hit by the CIA or FBI or similar for writing a book on submarine warfare. They tried to take him through court as he had released Top Secret classified materials. He proved it was all open domain stuff via the libraries and internet so they let him off. Problem is nowadays the prigs will abduct your burro to Gitmo, tie you to the golf course and use your testicles for putting practice (seriously - they have a golf course) - no trial - just hasta la vista - enjoy the view of your six by six, buddy.<br /><br />In all seriousness the USA is not a place I have any plans to visit and no desire to go near. Even just transiting from plane to plane on an international flight gets you eyeballed, printed, and a complete ID check done. Whatever happened to transit lounges being neutral territory? My sister-in-law has a Croatian / Serbian / Bosnian background. Can't transit the USA on flights from the UK to NZ without a guard to escort her.&nbsp; <br /><br />Lastly - the case you mentioned above - I'm not aware of it - but there are some serious problems with free expression in the US and other countries nowadays. 
Free thought is a free ticket to problems in some cases - and hey, whatever you do - do not declare anything to be Da Bomb while transiting (unless you like not traveling). No sense of humour. <br /><br /><br />BTW - off topic - http://www.msnbc.msn.com/id/27640617/<br />Obama plans to release and properly try Guantanamo Bay detainees :D&nbsp; <br /><br />Looks like my plan to earn a zillion dollars and pay for the A-Team to get them all released won't need to go ahead now.&nbsp; Pity - I was looking forward to a game of golf, a Big Mac and a chance to visit the gift store while I was there. ]]></description><pubDate>Thu, 27 Nov 2008 13:20 +1200</pubDate><category><![CDATA[What If...?]]></category></item>
<item><title><![CDATA[I'm glad I'm mad - it is better than being depressed.....]]></title><link>http://www.geekzone.co.nz/nunz/5986</link><description><![CDATA[Someone once said depression is just suppressed rage so for me better angry than depressed. <br /><br />To answer a comment or two:<br /><br />[David]<br /><br />&gt;It's got to be better to them than the<br />alternative of people switching to truly free software like GNU/Linux.<br />If &gt;you're sick of security software, cd keys, and product activation<br />sucking your life away, I'd highly encourage you &gt;to give a Live CD from<br />one of the popular distributions a spin. <br /><br />I still have my original Caldria Debian CDs circa 1993/4. A 386 PC - two CDs and away I went - green screening across the universe.&nbsp; Unfortunately I live in a world where the accounting packages for business are still mostly Windows oriented - thus my enjoyment in working hard with Win PCs. <br /><br />[Jones] <br /><br /><p>&gt;Comment by <a rel="nofollow" href="http://blogs.technet.com/security/" target="_blank"><em>Jones</em></a>, on 26-NOV-2008 22:33</p><p>&gt;Wow, you are angry.  About something being free?  :-)</p><p>My junkie friends all have a monkey on their back and some moon faced troglodyte gave it to them for free in the guise of helping them - should I not be angry about the free gift they got? </p><p>The govt introduced legislation making it easier for younger girls to get on the game - and it cost me nothing. That doesn't make me happy either. Nor does the prick on P down the road who freely pulled a machete on me and threatened to slice my f*ging head off - for free mind you. 
Are you suggesting I should be thankful for all free gifts - indiscriminately of the giver and purposes of said free 'gift'?&nbsp; Oh yes - my nursing friends at the STD clinic - they'll all tell you about the free gift that just keeps on giving yet I know very few people who were happy to receive that for free - in fact most of them are pretty miffed about it. </p>Re my anger. <br /><br />I actually have a lot of time for Microsoft in many areas - but not in the area of security. Their security has cost more businesses more money and more pain through downtime, exploits and loss of income by paying people like me to fix stuff that should never have been broken in the first place.&nbsp; I praise them for creating GUI layout standards such as File, Edit, View etc and bringing order and consistency to the industry. I praise them for VB as it is a good little language that really stepped up GUI / RAD development. I praise them for desktops for the average Jo Person - Windows has opened computing up for the non geek in massive ways. However their monopolistic style and completely screwed way of thinking about security is a complete nightmare. <br /><br />Again - I would not take financial advice from a bankrupt - neither will I trust M$ with security - and this offering will do nothing to improve the Windows PC's lot and will do lots to hurt vendors who are making a difference in the spyware / malware world. 
Should even one sale (and believe me it will be more than that) be lost to legit and effective security vendors then they are one step closer to failing as a business.&nbsp; M$ have set out to hurt legitimate businesses and providers - with a product which will not be up to snuff (going by their previous efforts to date).<br /><br />Lastly - and I'm sure Mel Gibson would be proud of me for my conspiracy theory slant here - since when has M$ given anything away that is not designed to tie you in tighter with their system, pull you away from the competition and improve their bottom line? Nothing is free when it involves M$. Their overriding mantra is world OS domination. Their history and style confirm it more and more and more. This might not cost $$$ to buy (yet) but believe me - it will not be free - not by a long shot. <br /><br />Yup - I am not thankful for this free gift at all. However, should you like free gifts of security software then the good folks at WinAV antivirus systems will happily scan your PC for free. Give em a call - they are waiting with open arms too.<br /><br />Here beginneth a rant - Jones - I don't know if you are trolling for effect or completely ignorant to the state of play security wise with M$ systems but I'll take your one report and raise you thousands more saying different. <br /><br />[Jones]<br />&gt;What<br />do you think of the desktop vulnerability report and the security<br />intelligence report, they seem to &gt;make MS security record look quite<br />good really. <br /><br /><br /><p>I worked for the Dept of stats for 9 months - believe me - I don't trust stats - seriously - you are aware there are actually closer to 6 million Kiwis, don't you? - and no I'm not kidding.</p><br />MS Security record looks good? Huh??? What <strike>platform</strike> planet are you from? 
<br /><br />Let's give a few raw examples of data - I'll let you draw your own conclusion.<br /><br />My business - over 300 virus busts / removals in the last year. All M$ - none for Mac (OSX, OS9, OS8), none for Linux, none for AIX, none for AS400, none for RS6000, none for OS/2, none for Novell, none for BSD, none for Java Desktop ... Did I miss anything there?&nbsp; Nope!! Oh and in case you are wondering if I am big noting myself - I really have worked on all those types of systems.&nbsp; <br /><br />This source - Kaspersky Labs. Please note the Win32 growth - please note the massively smaller growth for non MS operating systems. And no - these stats are not a reflection of which OS is used the most - they are a reflection on the growth in the number of types and instances of malware for each OS - independent of how many users there are. If you take these numbers and then weight them according to the growth of usage of each desktop then the skew increases rapidly in favour of non Win32 platforms being more secure and Win32 being less.&nbsp; Win32 systems are losing ground to non M$ desktop systems (and boy don't the numbers rack up when we talk about server stats right here as well - can anyone spell Samba, Lotus Notes, Ximian, Postgres....).<br /><br /><p align="center">Number of new malicious and potentially unwanted programs according to platform targeted</p><br /><br /><br /><table border="0" cellspacing="0" cellpadding="5" width="80%"><tr valign="center"><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">&nbsp;</td><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">2H 2007</td><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">1H 2008</td><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">Growth</td><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">2007%</td><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">2008%</td><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">&quot;+/-&quot;</td></tr><br /><tr valign="top"><td style="border-bottom: 1px solid #bcd9dd">Win32</td><td style="border-bottom: 1px solid #bcd9dd">130131</td><td style="border-bottom: 1px solid #bcd9dd">432862</td><td style="border-bottom: 1px solid #bcd9dd">232.60%</td><td style="border-bottom: 1px solid #bcd9dd">96.00%</td><td style="border-bottom: 1px solid #bcd9dd">98.30%</td><td style="border-bottom: 1px solid #bcd9dd">-2.27%</td></tr><br /><tr><td style="border-bottom: 1px solid #bcd9dd">Other</td><td style="border-bottom: 1px solid #bcd9dd">5362</td><td style="border-bottom: 1px solid #bcd9dd">7449</td><td style="border-bottom: 1px solid #bcd9dd">38.90%</td><td style="border-bottom: 1px solid #bcd9dd">4%</td><td style="border-bottom: 1px solid #bcd9dd">1.70%</td><td style="border-bottom: 1px solid #bcd9dd">2.27%</td></tr><br /><tr><td style="border-bottom: 1px solid #bcd9dd">Total</td><td style="border-bottom: 1px solid #bcd9dd">135493</td><td style="border-bottom: 1px solid #bcd9dd">440311</td><td style="border-bottom: 1px solid #bcd9dd">225%</td><td style="border-bottom: 1px solid #bcd9dd">&nbsp;</td><td style="border-bottom: 1px solid #bcd9dd">&nbsp;</td><td style="border-bottom: 1px solid #bcd9dd">&nbsp;</td></tr></table><br /><br /><strong>Now back to your question - have I seen reports regarding how secure Windows is? ... hang no!! - I'll go looking again. Oh look another H1 report - Kaspersky again.<br /></strong><br /><p>The table below groups all operating systems and platforms attacked during the first six months of 2008 according to the operating system ultimately under attack. For instance, JS and VBS falls into the Windows group, Ruby and Perl into the *nix group and so on. </p><br /><br /><br /><table border="0" cellspacing="0" cellpadding="5" width="50%"><tr valign="center"><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">&nbsp;</td><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">Number</td><td style="border-top: 1px solid #bcd9dd; border-bottom: 2px solid #ff0000">%</td></tr><br /><tr valign="top"><td style="border-bottom: 1px solid #bcd9dd">Nix (Linux, Perl, PHP, Ruby, Shell)</td><td style="border-bottom: 1px solid #bcd9dd">230</td><td style="border-bottom: 1px solid #bcd9dd">0.052%</td></tr><br /><tr><td style="border-bottom: 1px solid #bcd9dd">Mac (OSX, Mac)</td><td style="border-bottom: 1px solid #bcd9dd">20</td><td style="border-bottom: 1px solid #bcd9dd">0.005%</td></tr><br /><tr><td style="border-bottom: 1px solid #bcd9dd">Mobile (J2ME, Symbian, WinCE, Python)</td><td style="border-bottom: 1px solid #bcd9dd">88</td><td style="border-bottom: 1px solid #bcd9dd">0.02%</td></tr><br /><tr><td style="border-bottom: 1px solid #bcd9dd">Other (DOS, IIS, Multi, MySQL)</td><td style="border-bottom: 1px solid #bcd9dd">51</td><td style="border-bottom: 1px solid #bcd9dd">0.012%</td></tr><br /><tr><td style="border-bottom: 1px solid #bcd9dd">Windows</td><td style="border-bottom: 1px solid #bcd9dd">439922</td><td style="border-bottom: 1px solid #bcd9dd">99.912%</td></tr></table><br /><br />Oh crud - I've run out of fingers and toes - how many attacks via Windows does 
that show again for H1 2008?<br />Funnily enough it is within 0.2% of my own in-house statistics quoted above - and my stats were independently reached before seeing this. <br /><br /><strong><br />More reports - gotta find reports vindicating Windows - my rage must be quenched. </strong><br />I know - the top virus reports for the last year - that'll show how safe Windows is: Site: ESET.<br /><table border="0" cellspacing="0" class="D_table"><tr><td class="D_td_first_row">Virus</td><td class="D_td_first_row_r">Count</td><td class="D_td_first_row_r">Infection Ratio (%)</td><td class="D_td_first_row_r">Infection Ratio</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0301_c12m_enu.html">01.&nbsp;<strong>Win32</strong>/Netsky.Q worm</a></td><td class="D_td_r">1 954 610</td><td class="D_td_r">0.050 %</td><td class="D_td_r">1/ 2.0 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0302_c12m_enu.html">02.&nbsp;<strong>Win32</strong>/Zafi.B worm</a></td><td class="D_td_r">1 709 625</td><td class="D_td_r">0.044 %</td><td class="D_td_r">1/ 2.3 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0303_c12m_enu.html">03.&nbsp;a variant of <strong>Win32</strong>/Stration.XW worm</a></td><td class="D_td_r">981 917</td><td class="D_td_r">0.025 %</td><td class="D_td_r">1/ 4.0 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0304_c12m_enu.html">04.&nbsp;<strong>Win32</strong>/Stration.ABF worm</a></td><td class="D_td_r">738 759</td><td class="D_td_r">0.019 %</td><td class="D_td_r">1/ 5.3 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0305_c12m_enu.html">05.&nbsp;<strong>Win32</strong>/Stration.XW worm</a></td><td class="D_td_r">407 798</td><td class="D_td_r">0.010 %</td><td class="D_td_r">1/ 9.5 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0306_c12m_enu.html">06.&nbsp;HTML/Phishing.gen trojan</a></td><td class="D_td_r">324 120</td><td class="D_td_r">0.008 %</td><td class="D_td_r">1/ 12.0 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0307_c12m_enu.html">07.&nbsp;<strong>Win32/</strong>Spy.Goldun.NDO trojan</a></td><td class="D_td_r">123 399</td><td class="D_td_r">0.003 %</td><td class="D_td_r">1/ 31.5 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0308_c12m_enu.html">08.&nbsp;<strong>Win32</strong>/Netsky.D worm</a></td><td class="D_td_r">120 904</td><td class="D_td_r">0.003 %</td><td class="D_td_r">1/ 32.2 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0309_c12m_enu.html">09.&nbsp;<strong>Win32</strong>/Bagle.HE worm</a></td><td class="D_td_r">83 444</td><td class="D_td_r">0.002 %</td><td class="D_td_r">1/ 46.6 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/virus_0310_c12m_enu.html">10.&nbsp;<strong>Win32/</strong>Mytob.BK worm</a></td><td class="D_td_r">76 928</td><td class="D_td_r">0.002 %</td><td class="D_td_r">1/ 50.6 ths</td></tr>
<tr><td class="D_td"><a href="http://www.virusradar.com/stat_01_current/index_all_c12m_enu.html">&gt;&nbsp;OTHER VIRUSES</a></td><td class="D_td_r">687 184</td><td class="D_td_r">0.018 %</td><td class="D_td_r">1/ 5.7 ths</td></tr>
<tr><td class="D_td_last_row"><a href="http://www.virusradar.com/stat_01_current/virus_total_c12m_enu.html">&gt;&nbsp;TOTAL THREATS</a></td><td class="D_td_last_row_r">7.2 mil</td><td class="D_td_last_row_r">0.185 %</td><td class="D_td_last_row_r">1/ 539.5</td></tr>
<tr><td class="D_td_last_row">Total clean messages</td><td class="D_td_last_row_r">3881.5 mil</td><td class="D_td_last_row_r">&nbsp;</td><td class="D_td_last_row_r">&nbsp;</td></tr>
<tr><td class="D_td_last_row">Total messages</td><td class="D_td_last_row_r">3888.8 mil</td><td class="D_td_last_row_r">&nbsp;</td><td class="D_td_last_row_r">&nbsp;</td></tr></table><br />Whoops - 9 out of 10 - thanks M$ - Again - the gift that keeps on giving. I forgot to add Symbian OS to the list of OSes we worked with - they contribute one virus to the list under the other viruses category. 
<br /><br />Look - I could ridicule M$ security until the stars fall and Jesus returns. The short and the long of it is that M$ security sucks. It sucks because of ideology which is reflected in M$ practice. <br /><br />M$ don't change ideology therefore their practices are like their patch updates - throwing more crud and rubbish on top of a tottering heap of insecurity.<br /><br />Now we are being thrown more free M$ security.&nbsp; That is bad because:<br />It hurts legit vendors who actually know what they are doing<br />It lulls Jo Average user into a very false sense of security<br />It is a response not born out of care for their users but as an action at least partly predicated on their failure to flog their pay for product (OneCare) successfully.<br /><br />It will hurt users. The bloat will make life more difficult for legitimate users, programmers, sys admins and people to do their jobs. The last free stuff we got from M$ looks like the following.<br />Defender - bloated, sucky, ineffective<br />MSRT - bloated, slow, sucky, ineffective<br />Access Control Lists (ACLs) - flawed from birth - why won't they use the same style as other OSes<br />System ACLs (SACLs) <br />Discretionary ACLs (DACLs)&nbsp; <br />Security Identifiers (SIDs), <br />User Account Protection (UAP)<br />User Access Control (UAC)<br />And the list goes on - all without adding effective security benefit or slowing down the rate of virus / malware infection (see graph above), while reducing the ability of users to do their jobs, increasing software failure, bloating network systems, crapping out network connections, killing legit processes and increasing failure rates / PC down time. <br /><br />Now!!! (I hear someone scream) UAC, ACLs etc are all good things - <br />That is true theoretically. But it is only as good as the foundation it is built on and the Win32 OS security is flawed from the ground design upwards. 
We still have legacy code or methodology built into Vista to allow backwards compatibility for other OSes all the way back to DOS - legacy artifacts of style, implementation and requirements. <br /><br />Until they throw away every last line of code, completely remove all requirements and provisions for backwards application compatibility and rebuild from the ground up, their security model is screwed - therefore adding ACLs, SACLs, SIDs etc is window dressing - an elegant tower built atop a jelly foundation. Look out folks - the Titanic is sinking but the band still plays. Why don't they put down their instruments and help launch a few more lifeboats?<br /><br />An excellent article - dated but still as valid - can be read here. <br />http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf<br />and another one around called why OSX server better than M$ - good technical comparison.<br /><br /><br />Lastly - does it strike anyone else that M$ seem indecently eager to start telling us of the wonders of Windows 7 when their latest and greatest baby is only just clear of the caul and being thumped by every malware bully in town? Methinks their free security upgraded wonder has turned out to be a wimp - the Pee-wee Herman of the OS security world.&nbsp; Time to move on and hope Win 7 will fix it hey Bill?<br /><br />M$ free stuff is another body guard / 1000 pound gorilla all designed to stop the principal being attacked or hurt. If M$ re-write their OS correctly (ie why are OS threads all based on a single, high privileged thread? - exploit the child - misuse the parent) then they have taken the gun off the attacker and can free the monkey on your back leaving you to get on with life. However, free monkeys keep appearing and boy they weigh heavily. 
A free monkey is still another monkey on your back - and as my junkie friends tell me, &quot;somebody is always happy to put a monkey on your back for free - it's getting rid of it later that costs you lots.&quot; Why should I be thankful for another free monkey?<br /><br />]]></description><pubDate>Thu, 27 Nov 2008 10:34 +1200</pubDate><category><![CDATA[Microsoft Security]]></category></item>
<item><title><![CDATA[How I would write a perfect virus]]></title><link>http://www.geekzone.co.nz/nunz/5983</link><description><![CDATA[As someone who deals with virii / viruses / crapware every day I try to keep abreast of new developments.<br /> <br /> Recently I ran into the work of Joanna Rutkowska who had created a 'Blue Pill' ( <a href="http://en.wikipedia.org/wiki/Blue_Pill_(malware)" target="_blank" title="Blue Pill Root Kit">http://en.wikipedia.org/wiki/Blue_Pill_(malware)</a> ) rootkit as a sample of an undetectable rootkit / virus infection. While the papers referenced above are more than my decaffeinated brain can handle before lunch the concept is beautiful, elegant in its approach and almost completely undetectable using today's AV systems (almost!!!)<br /> <br /> In short an attacking system infects a Vista machine, virtualises the running Vista system on the fly (ie turns it into a virtual machine) and then sits underneath the ensnared Vista OS doing its thing.&nbsp; Since virtualization is supposed to be undetectable to the host, the only way Blue Pill could be detected is if the virtualization itself is detectable. This means a running AV on the Vista machine only sees a clean Vista system running as the root kit exists below the hardware level via virtualisation. <br /> <br /> While the concept code and idea have been demonstrated, it currently is limited to being able to compromise a system that is not rebooted. The Blue Pill Rootkit Method will not survive a cold reboot as it currently stands as it infects on the fly, virtualises a 'hot running machine' and never places a code foot print on the hard drive / storage area. While this may sound limiting the current Blue Pill methodology states that many infected machines don't restart on a regular basis for a couple of reasons:<br /> <blockquote>1 - Vista Users tend to send their PCs to sleep or hibernate and only rarely completely shut the PC down to force a cold boot. 
<br /> </blockquote> <blockquote>2 - Servers rarely shut down (sigh - pity I can't start an Apple, Linux, Windows, AS400, AIX flame war here) so are ideal attack targets and often hold high value information making them good exploitation targets.<br /> </blockquote> The lack of restart means the ability to survive a reboot is not as required for modern malware. <br /> <br /> Lessons learned so far:<br /> 1 - Shut your PC down completely on a regular basis - many spyware / crapware instances nowadays have no code foot print on the hard drive as they exploit live machines on the fly and only ever exist in memory space.<br /> 2 - Watch your external firewalls well - they may be the only sign of an infection in your system as no one has yet spoofed third party firewall logs on the fly to disguise outbound traffic.<br /> <br /> <br /> So it got me thinking - hard / cold rebooting systems removes this undetectable Blue Pill rootkit. If I ruled the ware'ld how would I write my virus.<br /> <br /> 1 - Virtualisation is cool - it takes a very sophisticated check to detect you are trapped in a virtualised system (comparing timings based on certain low level hooks, calls and process cycles to perform particular actions). Many of those checks can also be spoofed / defeated.<br /> <br /> 2 - Surviving a cold reboot is required (after all if rebooting a PC daily ensured the undetectable dies - I would do it for sure).<br /> <br /> The obvious way to survive a cold reboot is to catch the system on boot up before the OS starts by having hard coded malware code on non-volatile storage (e.g. hard drive). However having your malware code on the hard drive defeats the in memory only approach which stops a spyware checking process from finding your foot prints on the system HDD.<br /> <br /> So where to put the virus code so it is not on the compromised system's hard drive but is still hard coded on the system in order to survive a reboot. 
(Please note - I have considered going across the network (PXE style) to pull the virus back into the system again on the fly, but this either requires code on the compromised system to be stored that calls the live / network based exploit (pull style infection) or else the attacker to scan the victim's networks and re-infect on the fly every time a reboot is initiated (push style infection) on the previously compromised machine.) <br /> <br /> Storing initial boot code is straightforward - compromise the BIOS and hard code an attack that repoints the boot code to ignore the real MBR / Boot Sectors and point to an infection instead. There are a couple of viruses in the wild that do infect the BIOS in order to gain control. However they store their code on the hard drive and so a third party (off line using BART PE, Linux Live, USB cable to connect the HDD to a clean PC etc) scan of the hard drive can detect the boot code / malware code which is called via the BIOS infection.<br /> <br /> <strong>So where do we stand?<br /> <br /> </strong>1 - The perfect virus / attack uses a Blue Pill style live / realtime virtualisation to take control by keeping the malicious code under the hardware level of a running OS via virtualisation <br /> <blockquote>This renders it undetectable to a virus scanner on the compromised OS<br /> </blockquote> <blockquote>It also means there is no code to be scanned on the hard drive via an offline / third party scan of the hard drive as the malicious code only exists in volatile storage (memory)<br /> </blockquote> <blockquote>Real time memory scans using anti virus systems also fail as the virtualisation reports a RAM size smaller than the real RAM size and there is no AV in the world which scans a memory space larger / higher than the physical memory space of the physical (but really virtualised) PC<br /> </blockquote> <br /> 2 - Get the Blue Pill to survive rebooting by getting it to kick off via a compromised BIOS.<br /> <br /> 3 - Read the
Blue Pill code off the hard drive, initiate virtualisation and then continue to boot using the real MBR / Boot Sectors on the clean hard drive - but in a virtualised hardware environment.<br /> <br /> Whoa!!! back dobbin - whatcha mean read the Blue Pill code off the hard drive? Putting it on the hard drive makes it susceptible to offline AV scans doesn't it, and you don't want to put it on the partition where the clean (but jailed) OS resides.<br /> <br /> Here is where the sneaky bit comes in.<br /> The Blue Pill kit exists. There is even source code you can download to run and test yourself.<br /> The BIOS virus exists - there is code you can download and modify yourself. <br /> The ability to write on a hard drive without writing on the hard drive exists - if you think about it.<br /> <br /> Every hard drive has to be formatted before being used. <br /> The formatting puts the MBR / Boot Sector and formatted partitioning into play at some level.<br /> However, every format (NTFS, DOS, FAT, EXT3, Reiser, HPFS ...) leaves a small unallocated area of the hard drive at the end of the physical drive. This area is not readable by third party AV checkers as it is an unformatted area.
However there is nothing to stop a seriously good piece of code using that area and saving data there without formatting it as a readable volume.<br /> <br /> Here is how it would work.<br /> BIOS starts on cold boot.<br /> It contains just enough code to ignore the MBR / Boot Sector of the hard drive and move the read head of the drive to a specific sector / area of the hard drive which is marked unused.<br /> The BIOS based start up code is just smart enough to read a single instruction (or two or three) from a specific spot on the hard drive and then read the next sector / area / HDD physical address to jump to and read.<br /> When all the instructions are loaded from the unformatted space the Blue Pill is running in memory, virtualisation takes place and the hard drive is booted from its official partitioned space using the OS volume.<br /> <br /> In order to stop the unformatted / unallocated space on the hard drive being recognised as a piece of virus code you only put an instruction or two at each readable area of the HDD (inside the unallocated space) and a jump location (random) to get the next instruction. This ensures the unallocated space still looks like random junk and data to any scanner clever enough to scan unallocated HDD space.<br /> <br /> This type of code already exists and is the subject of a fascinating article about a mainframe developer who optimised his code by reading a sector / bit off the storage drum (pre hard drives) of the mainframe and then manually moving the read head to the next required location to get the next instruction rather than store his code sequentially in a standard file on a file system.<br /> <br /> So there it is - The Cranky Old Man Taking a Blue Pill Virus / Rootkit concept.
The code is all available out there on the net, each discrete step of the process has been performed in the past and the only answer to beat this code is to protect your BIOS from write access, flash it if you feel paranoid and wipe your hard drive at a bit by bit, sector by sector, cylinder by cylinder level if you discover you are pwned by watching crud travel out via your firewall.<br /> <br /> A concept - thought and idea. It's probably got a hole or two in it somewhere but hey what do I care - I'm playing with ideas not actually writing this little beast (or am I .. hmmm ... what is reality really?).<br /> <br /> Would love to hear from you if you like this idea / hate this idea / or even had the tenacity to read this far. Tell me I'm wrong and why. Bow down and hug my feet if you think I'm a guru. Visit me in prison when the paranoid androids we call our govt decide I might just be crazy and bright enough to write this little baby.<br /> <br /> Next week - Life as a NSA Sponsored Surfer at Guantanamo Bay - or how to perm your chest hair using 12 volt car batteries and alligator clips in three easy steps.<br /> <br /> ]]></description><pubDate>Wed, 26 Nov 2008 07:36 +1200</pubDate><category><![CDATA[What If...?]]></category></item>
<item><title><![CDATA[Ever wondered how the Pope, Stewart island and plague victims can be in the same post? wonder no longer :)]]></title><link>http://www.geekzone.co.nz/nunz/5982</link><description><![CDATA[Basically this is a rehash of a comment I wrote in response to the review of Microsoft's free security / AV software ( http://www.geekzone.co.nz/content.asp?ContentId=8005 ). I include it here as it has direct relevance to virus busting but also because I see this as a disaster in the making. I feel like the dude looking out to sea watching a tsunami approaching and knowing there is nothing I can do but grab my surf board and hope that the afterlife is better than this one. <br /><br />To those who don't know - mole men, troglodytes and overly snobbish Mac users who don't know there is life outside of OSX - Microsoft have announced they are going to give away their Live One Care product for free. Well truth be told they have announced Live One Care is a sales failure, they are pulling it as a product and giving away their security software for free. <br /><br />Hence my worried look and allusions to disaster. While I know there may be some truth to the rumour I am becoming a grumpy old man, I have lived long enough around IT circles to pick trends and this is one pick I don't like. <br /><br /><strong>Here is why - </strong><br /><br />Buying (or not buying in this case) security off Microsoft is like buying realtime sex lessons off the pope (by which I mean the previous one who is dead now - no offence intended to any Catholics who see this).<br /><br />Having failed in making their <strike>victims</strike> customers pay for One Live Care they are now going to mess with the general populace by trying to take the market - flogging their dead horse for free - screwing up the market and security offered by AV vendors who actually know what they are doing.
<br /><br />Who (by which I mean the general populace of PC users) is going to purchase or install a real (non-M$) AV or security solution when they already will have one for free courtesy of M$ - thus rendering their PCs' security as exposed as a Stewart Island beach in a howling Southerly. <br /><br />M$ - Hear me and hear me good. <br /><blockquote>The MSRT (Malicious Software Removal Tool) sucks and is incapable of removing any real level of infection - after touting it you dropped it into the background as a dead dog in favour of Windows Defender.<br /></blockquote><blockquote>Windows Defender - (snigger snigger snigger). Slow as two dead dogs tied together, as useless as MSRT but with more bloat and able to leap onto your system's RAM screwing it faster than Casanova on heat. It doesn't catch viruses, it doesn't prevent viruses and it bloats systems quicker than a dose of giardia. Enough said.<br /></blockquote><blockquote>Live One Care - didn't sell - Hey Bill! Do you think there is a reason it wasn't successful? I can assure you it is not lack of advertising - If I see another advert pop up pushing that product I'll most likely scream. <br /><blockquote>So what else kills product launches and sales success? Hmmm - I know - is it possible Microsoft is an unknown vendor so their product is hidden by lack of exposure. <strong>Yeah Right!!</strong> <br /><br />Lack of distribution channels? - ISP / Broadband bashing aside we are capable of downloading it so it is not that.<br /><br />Oh I know - it's even more shite than the previously mentioned sucky offerings. Yup - that will be it. It sucks - it's ineffective - it has a million better alternative offerings out there that beat its pants off. Such awesome names as Nod32, Malwarebytes, Spybot S &amp; D, BlackLight, and other less salubrious options including McAfee, &amp; Norton.
Even free software such as ClamAV, F-Prot and AVG Free are streets ahead of One Care.<br /></blockquote><br />I'll stop reviewing Microsoft's <strike>screwedSeverly</strike>, <strike>suxreally</strike>, security software and systems here as I am having trouble breathing in between laughing my donkey off and retching in disgust<br /></blockquote><blockquote>Having failed in all the above to provide security for your nightmare of an operating system you are now going to tout it for free. Please do us all a favour - give up your delusions of security ability and save us all a truckload of pain by not forcing your previous pay-for failures on us as a free gift. Gifts like these were banned by the Geneva convention when tossing plague victims into besieged cities went out of vogue. <br /></blockquote><br />Seriously - giving it for free means we are likely to have it foisted on us via service packs and updates in the same way as MSRT, Defender, Application Execution Checking, DEP, User Access control, changed internet settings via IE, MS VPN, Windows Security Centre etc all have been. <br /><br />It will also mean real AV and security solutions will be overlooked or discarded for the free offering. Or worse - people will still use their other AV solution and install M$ AV alongside it - No AV is bad on a PC - One is good - two or more is an invitation to disaster. Try putting a couple of cats in a sack and see what happens. Not pretty is it? Well that's what happens when two or more AV systems run simultaneously. Fur flies, the claws come out and eventually all your system is capable of is spewing up cat balls &amp; bleeding quietly in the corner.
<br /><br />I am not paranoid - really I am not - but looking at the list of crud in an average Vista / XP system designed to keep it safe I have to wonder if M$ make money selling hardware to handle the bloat or if security vendors somehow failed to pay enough back handers to keep Windows out of the security game and so prevent M$ touting their own stuff. <br /><br />Seriously - why does a Windows XP machine, which ran in 70MB of memory (SP0 - No AV installed) need 256MB just to get started today? More functionality? I think not - more security bloat? You betcha - and now here comes more for free. Well more bloat anyway coz it sure as politicians lie isn't going to keep us safer - quite the opposite in fact. False security is worse than no security at all and the average user will think M$ security might actually work - another urban legend at large. <br /><br />In the 10 years since Win98 M$ still can't solve their basic operating system security issues and rather than doing the basics right are going to foist more crap on us. Hi Bill - stop it dude. People already have the 1000 pound gorilla of &lt;oxymoron ahead&gt;M$ security &lt;/oxymoron ahead&gt; loaded and running. Don't try and get them to trade up to the 2 ton elephantine mirage that you hope to replace One Care with. Spend money on actually getting the security basics right. <br /><br />My verdict - DON'T DON'T DON'T DON'T DON'T DON'T touch this and DON'T DON'T DON'T let your customers touch it either. Free crap is still crap - whichever way you receive it. Seriously folks - the Emperor has no clothes.<br /><br />]]></description><pubDate>Wed, 26 Nov 2008 05:37 +1200</pubDate><category><![CDATA[Microsoft Security]]></category></item>
<item><title><![CDATA[Further Cause To approach Virii With White Lists not Just Black Lists]]></title><link>http://www.geekzone.co.nz/nunz/5847</link><description><![CDATA[Ironically, soon after finishing my previous post around the idea of going down the whitelist route for hunting viruses (lists of known good software and programs so only unknowns will be checked for problems) I had the (dis)pleasure of running into one of the new style root kits.<br /><br />As before the root kit had gotten into the system via Win Antivirus 2008 or a similar variant of that malware. The machine was dis-infected using smitfraud fix software and also SDFix software, the two quickest methods for killing that type of rubbish. <br /><br />We then ran Kaspersky, Nod32, Spybot S &amp; D and Malwarebytes antispyware across the system. The first three failed to detect anything. Malwarebytes found something, supposedly killed it and then we rebooted. Malwarebytes again found the same thing and again we rebooted and rechecked. Again the same issues. Also task manager was showing iExplorer.exe process running all the time, a symptom of many zlob or sd type infections. <br /><br />After unpacking three common root kit checkers we ran them. All three failed to discover a root kit. However our firewalls and Malwarebytes all showed ongoing infections. <br /><br />To cut a long story short we ended up having to test three new anti root kit systems and eventually one of them worked (we hope). We figure it has worked as Malwarebytes detects nothing after removal, Kaspersky detected and removed the virus after the root kit was disabled and the firewall shows no signs of infection.<br /><br />So why the white list approach? If we had not been observant or meticulous in our double checking we would have missed this new nasty little root kit. It is one giving root kit detection experts problems as it is a bit more devious than most.
<br /><br />However, had we run a white list executable check from a known good operating system (e.g. boot from Linux live, Bart, DOS disk etc) we would have seen the root kitted system file, quarantined it and had all our detectors work and detect the virus correctly. <br /><br />With constantly evolving ways for malware to hide and beat detection, it is becoming more likely that the old fashioned methods of booting from alternative media will need to be employed. Other than issues with alternative file streams in NTFS and encrypted systems it is the only way to see some of these new versions of malware. <br /><br />Currently we are working on a Java based system so we can run it on Linux, Windows and DOS based media. The DB will take a while to get filled correctly - but seriously - it may be the best method of detection for a while to come. Verify your friends, don't trust the rest.<br /><br />Shane]]></description><pubDate>Mon, 13 Oct 2008 01:36 +1200</pubDate><category><![CDATA[Virus removal]]></category></item>
<item><title><![CDATA[IE7 icon missing On WinXP Desktop]]></title><link>http://www.geekzone.co.nz/nunz/5808</link><description><![CDATA[My poor technician must have freaked out earlier today when his boss (me) suddenly burst into fits of hysterical laughter and couldn't stop giggling for at least 5 minutes. <br /><br />The thing that provoked such mirth was a couple of lines from the Microsoft Help section. It read like a cross between Monty Python's Cheese Skit and a programmer's joke. The lines in question are bolded below.<br /><br /><blockquote>SUMMARY<br /><em>The Internet Explorer icon might be missing after either you upgrade the Internet Explorer version to 7, or installed through Windows updates.</em><br /><br />CAUSE<br /><strong>This is not an issue and is by design.</strong> Unlike the previous versions of Internet Explorer, the option to enable to Internet Explorer icon on the Windows Desktop is not available. The behavior of Internet Explorer 7, which is bundled with&nbsp;Windows Vista is also the same. <br /><br /><strong>[ BTW - HERE IS THE FIX FOR THIS ]</strong> -&gt; <a href="http://support.microsoft.com/kb/555849" target="_blank" title="http://support.microsoft.com/kb/555849">http://support.microsoft.com/kb/555849</a><br /><br /></blockquote>As a programmer I know that poor programming practice* leading to buggy functionality is often passed off on the poor unsuspecting customer as a 'feature' or an implementation 'by design'. For Microsoft to state that the ability to put the Internet Explorer icon on the desktop or Start Menu is not an issue and is by design is ludicrous.
Furthermore for Service Pack Three to <u><strong>REMOVE</strong></u> the icon from the Start Menu or Desktop or even worse, to change the functionality of the icon to bring up Internet Properties instead of starting IE is doubly idiotic.<br /><br />Some claim it is part of Microsoft's anti-trust agreement responsibilities to have the icon removed and to also remove the ability to put the icon on the desktop as part of the display properties. Personally I think that is bollocks too. How long ago were the anti-trust hearings? Years. To take this long is a mockery of anti-trust, if indeed that was the causative action.<br /><br />Secondly - with the advent of service pack three, Microsoft's IE components and Internet Explorer security properties are more tightly integrated with the system than ever. As an example, to install Mozilla Firefox version 3 requires IE 7, or at least some of its components to be present. Why? Because without them some of the dialog boxes and underlying componentry are not present, causing the failure of Mozilla 3 during installation.<br /><br />Furthermore Mozilla Firefox Three is now so affected by the internet settings in XP that tightening IE 7 to stop downloading and running ActiveX (and other executable code) in the Internet Zone also disables downloads in Mozilla Firefox Three (Ref 1). It is now impossible to cripple IE's ActiveX vulnerability completely without also crippling Mozilla's ability to download programmes. While some of these problems stem from Mozilla developers tying Firefox into the Internet Security Panel (Ref 2), the rest also points to Microsoft's embedding of IE in the operating system.
Again, try removing IE7 and watch how fast Mozilla Firefox, and presumably other applications, fail.<br /><br />As this blog entry isn't a rant about MS or how IE is such a PITA I won't go into detail about the fact that if you start IE7, after it has upgraded itself, you have no ability to set the default page until you stop pushing cancel and start answering the damn questions about security and settings you <strike>have </strike>... eeerrr .. had already dealt with previously and that have now been reverted by MS with the IE 7 upgrade. <br /><br />Did I mention that trying to tell IE7 to push off and not bother me with Live Search (AKA dead useless) as I am already using Lycos, or Google, or Yahoo or wiki or ....bugger!!!!!&nbsp; There is now only Live Search - and if I click on - &quot;Go make another search engine the default&quot; - Mozilla pops up as the default browser so I have to enable IE7 as the default browser to get rid of the Live Search tool bar and then re-enable Mozilla as the default browser. <br /><br />No IE7 tie in to the operating system - hah - my left testicle is less tied in to me than IE is to Microsoft's OS.<br /><br /><br />1 - <a href="http://voices.washingtonpost.com/securityfix/2008/07/firefox_3_follows_ie7s_securit_1.html" target="_blank" title="Security Article - Washington Post">http://voices.washingtonpost.com/securityfix/2008/07/firefox_3_follows_ie7s_securit_1.html</a><br /><br />2 - <a href="http://kb.mozillazine.org/Unable_to_save_or_download_files#Reset_system_Internet_security_settings_-_Windows" target="_blank" title="Mozilla Honours Zone Settings">http://kb.mozillazine.org/Unable_to_save_or_download_files#Reset_system_Internet_security_settings_-_Windows</a><br /><br /><br /><br />* DISCLAIMER - Not my programming practices - other people's.
I just had to explain or fix up their bollocks - honest injun - it wasn't me.<br /><br />]]></description><pubDate>Fri, 26 Sep 2008 06:04 +1200</pubDate><category><![CDATA[Fixes and Help]]></category></item>
<item><title><![CDATA[A new approach to virus removal?]]></title><link>http://www.geekzone.co.nz/nunz/5777</link><description><![CDATA[Over the past six years a lot of changes have happened in the world of virus removal and computer security. Basically with the advent of Microsoft's most secure operating system ever (Windows XP) the world of virii / spyware / rootkits / exploits etc (collectively I'll refer to them as malware for this article) has exploded. Estimates of the number of new viruses released each week are normally in the thousands, if not tens of thousands range. Add to that spyware, unwanted applications (e.g. WinAntivirus2008), trojans, adware ... and the list is enormous.<br /><br />Recently I have found it is getting harder to ensure that the latest malware definitions are really catching the latest problems. In the last three weeks we have found several pieces of malware or viruses which have had to be carefully hand removed - with new definitions to detect them coming out 2 to 4 days after we have already discovered them. <br /><br />Malware detection always lags behind the advent of new malware as a new virus / spyware / trojan etc, when it is released, normally has at least several hours, if not days, head start on the first definitions being released. In order for a new definition to be released the malware has to be noticed, caught, reported, analysed and finally a fix / detection signature released for it. Finally the update has to be downloaded by the end user.<br /><br />Part of the process we employ when doing a &quot;Virus Bust&quot; is to run several anti spyware / malware removal and root kit detectors across a system. This of course is quite time consuming, and again - if the malware is a new one, sometimes the only way it is detected is by seeing the results of the malware still present (e.g. rubbish exiting the firewall, strange PC behaviours, pop ups etc).
Which started me thinking ....<br /><br />Is it possible that the number of items of legitimate software on the average user's PC is growing at a slower rate than the number of malware instances? For example, the average user only wants to surf the net, send emails, write letters, do some word processing and listen to music / watch videos. Throw into that mix a bit of spreadsheeting, VOIP and games and you are still only looking at a fairly limited range of software. <br /><br />On an average week the average user does not add much new software to a system. Microsoft updates and anti virus updates probably account for most of the changes to executable code on a system. Instead of scanning for malware maybe a better solution would be to have a list of known good executable software and run a scan based on that. Any executable code found on a system not in the known good DB can then be flagged as suspicious and that subset of files be scanned / isolated instead of scanning an entire system of mostly good code for the odd piece of rot that has crept in. <br /><br />Security based not on positive detection of malware but the isolation of unknown code offers a chance to allow quicker detection of potentially dangerous software on a PC. Certify the good code, isolate the unknown code and then apply positive antivirus detection methods against the unknown executables. <br /><br />Not only does this method have the possibility of being faster in its scanning of systems (creating and checking hashes is potentially faster than applying heuristic algorithms against an entire executable) but the ability to certify code as being safe might alleviate some of the Zero Hour threats we face nowadays. Certainly for someone like me isolating the known good from the unknown means we can rapidly discard 99% of all files in a system as safe and concentrate on isolating the threats in the unknown one percent.
It also offers a very positive way of providing reliable scanning from an alternative boot disk on compromised systems.<br /><br />Historically old anti virus systems (circa DOS and Windows 3.1) were able to add CRC codes or hashes to executable files and then check to see files matched a known hash. That method presents problems today, and has fallen out of favour. However as an off-line virus scan, booted from an alternative operating system or boot disk and making use of a 'white list' database, it has the potential to add another tool to the security expert's arsenal. <br /><br />Heaven knows we need it.<br /><br />This has been a random thought from the fertile and over caffeinated brain of Shane. Thoughts, feedback and offers of millions for the idea welcome.<br /><br />]]></description><pubDate>Thu, 18 Sep 2008 07:40 +1200</pubDate><category><![CDATA[Virus removal]]></category></item></channel></rss>
