Archive for July, 2005

Windows Networking And Alternate Transports

July 30, 2005

Windows Networking is the suite of programs that provide file and printer sharing between computers running Microsoft Windows (and compatible Operating Systems, such as Linux). Windows Networking runs at the Application level of the OSI Network Model, and, in its default configuration, uses NetBIOS Over TCP/IP (NBT) and TCP/IP, for logical connectivity. It can be customised to use alternate transports, like IPX/SPX or NetBEUI.

Microsoft supports only NBT and TCP/IP, though you may use IPX/SPX or NetBEUI, if you’re prepared to deal with the support issues. There are advantages and disadvantages to using either alternative.

Advantages Of Alternate Transports

  • No filtering problems. A misconfigured or overlooked personal firewall can cause problems with IP based networks. Neither IPX/SPX nor NetBEUI is affected by firewall problems.
  • Segments are isolated. Any separate networks, connected by routers, won’t pass IPX/SPX or NetBEUI based traffic between them. Windows Networking simply won’t leak onto any networks connected by routers, such as the Internet.
  • Easier to setup. There’s no need to configure TCP/IP settings, both IPX/SPX and NetBEUI attach directly to the hardware, and both setup automatically.

Disadvantages Of Alternate Transports

  • Network complexity. You’ll likely have redundant system components in use by each computer, and redundant network traffic between each computer.
  • Lack of diagnostics. The ipconfig and ping utilities can identify logical and physical connectivity problems on an IP network. This is not available on non-IP networks, and may not give consistent results when you deal with problems on mixed networks.
  • Lack of filtering. Firewalls only filter IP network traffic.
  • Limited effect. Using alternate transports provides a workaround only for TCP/IP configuration problems, or filtering problems. It does nothing for physical problems, or for problems caused by authentication / authorisation.
  • Only TCP/IP can link multiple segments. Any separate networks, connected by routers, won’t pass IPX/SPX or NetBEUI based traffic between them. If your network is segmented, for physical reasons, you’ll have to bridge the segments (which is, by design, what NBT does).
  • Have to be setup properly. If just one computer on the network attaches Windows Networking to NBT, convenience and security gains are eliminated.

Filtering
IP traffic, by design, can be filtered by personal firewalls and routers. IPX/SPX and NetBEUI, which attach directly to the physical transport and in parallel to TCP/IP, are not affected by IP based filtering. This has its good side and its bad side.

If you’re having a problem with a personal firewall on a computer, you can work around that problem. IPX/SPX and NetBEUI are not affected by personal firewalls.

However, if you depend upon a personal firewall providing protection against malicious network traffic, you won’t have that. Any malicious network traffic, IPX/SPX or NetBEUI based, won’t be filtered.

Segmentation
IP traffic, by design, passes thru routers; IPX/SPX and NetBEUI traffic doesn’t. This has its good side and its bad side.

If you have a network in a single segment, and you use IPX/SPX or NetBEUI to provide a transport for Windows Networking, all Windows Networking traffic will stay on that segment. All shares will be totally safe from malicious access from other network segments, including the Internet.

If your network includes multiple segments, connected by routers, and you use IPX/SPX or NetBEUI as a transport for Windows Networking, all Windows Networking traffic will stay on each segment. Computers on separate segments will be unable to access each other, unless you build bridges between the segments. NBT was designed as that bridge.

Setup
A network, using IPX/SPX or NetBEUI, is easy to setup. It’s not so easy to setup properly though.

A simple IPX/SPX or NetBEUI network, in a single segment, requires no configuration. Both transports essentially set themselves up. There’s no subnetting or other complicated TCP/IP settings to make.

If you want to access the Internet from your computers, though, you will still have to have TCP/IP on each computer. If you do not separate Windows Networking from TCP/IP on even one single computer, your entire Windows Networking environment may be exposed. And without protection by personal firewalls, all computers may be at risk more than if they were using NBT.

Complexity and Use of Network and System Resources

IPX/SPX and NetBEUI are not significantly more chatty than NBT, and do not use significantly more network or system resources. If your computers only use IPX/SPX or NetBEUI, there is no complexity or resource problem.

But, if your computers will be accessing the Internet too, you’ll need TCP/IP on each computer. IPX/SPX, NetBEUI, and TCP/IP, although each run under the same operating system, use different system components. And while they each generate traffic on the same network, the content of that traffic is different. So, with multiple combinations of IPX/SPX, NetBEUI, and TCP/IP operating on your network, your computers will have to work harder (to use multiple protocols), and your network hardware will have to work harder (to transport multiple protocols, with a higher volume of traffic).

If Windows Networking functions like browsing, or name resolution, run thru dual protocols on one computer, or if all computers on the LAN aren’t identically setup and different computers run services thru different protocols, you’ll really have problems. And some problems might not be immediately obvious either.

Separating Internet traffic (using TCP/IP) from Intranet (Windows Networking) traffic (using IPX/SPX or NetBEUI) has an effect similar to using a Virtual LAN. But using a common protocol (TCP/IP) with a properly designed layered security strategy is more efficient in the long run.

Network Diagnostic Tools

With any network, any time there’s a problem, such as an “access denied” error, you’ll want to first look for a possible physical problem (by observing the lights on the network devices, and by running Device Manager diagnostics). Having dismissed the physical possibility, on a TCP/IP network, you’ll be looking at IPConfig, and pinging one computer from the other. You have to eliminate lower level problems, before you can diagnose higher level problems.

If you have TCP/IP on each computer, for Internet access, you can still use ipconfig and ping. But if Windows Networking is using a separate transport, neither ipconfig or ping will be conclusively valid.

  • Just because you have IP connectivity (valid ping results), that doesn’t mean that you have IPX connectivity.
  • Just because your computers are on separate subnets (from a bad IP configuration, indicated by ipconfig), you can’t expect to find a NetBEUI connectivity problem.
  • If you don’t install TCP/IP (or if you completely detach it), then ipconfig and ping won’t give any results.

Limitations of Effectiveness

If you have problems with either IP configuration, or with a personal firewall, either IPX/SPX or NetBEUI will provide a good workaround. But, if the problem causing the “access denied” error is a bad cable or connection, or if you haven’t setup file sharing authentication / authorisation properly, you’ll have the same problem with IPX/SPX or NetBEUI. But now you won’t have diagnostic tools to identify the problem.

Windows Networking

July 26, 2005

Windows Networking is the suite of programs that provide file and printer sharing between computers running Microsoft Windows (and compatible Operating Systems, such as Linux). If you reference the OSI Network Model, Windows Networking runs at the Application level. It uses (“binds to”) the lower network layers, such as Ethernet or WiFi, for physical connectivity.

As delivered by Microsoft, and setup in a default configuration, Windows Networking uses NetBIOS Over TCP/IP (NBT), and TCP/IP, for logical connectivity. It can be customised to use alternate transports, like IPX/SPX or NetBEUI, if you’re prepared to deal with the support issues.

There are five concepts, which you need to understand, to deal with Windows Networking problems.

Domains / Workgroups
Computers are grouped in domains or workgroups, with membership in either grouping providing benefits.

We can browse My Network Places (known sometimes as “Network Neighborhood”), and see all nearby computers. The workgroup that we are in is the part of My Network Places that is nearest to us – those are the computers that we need access to the most. A workgroup provides a way of identifying the computers that relate closely to our computer.

A domain, on the other hand, is a collection of computers that trust each other. When your computer is joined to a domain, it sets up a two way trust, where the computer and the domain are trained to trust each other.

  1. You authenticate (login as a local administrator) to your computer.
  2. You allow a domain admininstrator to authenticate to the domain from your computer.
  3. Your computer learns to trust the domain. A “certificate” from the domain is added to your computer.
  4. The domain learns to trust your computer. A “certificate” from your computer is added to the domain.

The domain membership also gives workgroup visibility. You see the other members of “your” domain. as you would see the other members of “your” workgroup. But the two way trust in the domain is special.

  • You gain access to your computer thru domain authentication – you trust the domain, based upon the certificate from the domain that’s now on your computer, and upon the credentials (domain account / password) that you supply.
  • You gain access to domain resources in a similar way, from the certificate from your computer that’s now in the domain, and from the credentials that you supply.

Most small LANs will use workgroups, although small domains are worthwhile. Domain membership provides two components – Authentication / Authorisation, and Browsing. Workgroup membership provides one component – Browsing. Workgroup membership provides no authentication / authorisation; that must be provided by redundant accounts setup on both the client and the server.

Outside of becoming invisible in Network Neighborhood, by changing your domain / workgroup membership, you are not adding to your security at all. Becoming invisible is simply a form of Security By Obscurity. If you’re on a network with untrustable computers or people, making yourself invisible won’t protect you; you need Layered Protection, including a perimeter and / or personal firewall.

>>Top

Name To Address Resolution
You might call the computer in your kitchen “Kitchen Computer”, but it’s a safe bet that your equipment will call it something more definitive, like “192.168.0.101” (an IP address), or “06-04-7A-D7-EF-BA” (a MAC address). The IP address, and the MAC address, are used by the various operating systems and network devices, to send message from computer to computer.

The process of translating a name like “Kitchen Computer” to an IP address like “192.168.0.101” is called name resolution. Name resolution is provided independently of domain / workgroup membership. A domain may contain a DNS or WINS server, but that’s not a given. Less likely, but still possibly, a workgroup may contain either. Without a name resolution server, all computers use peer-peer name resolution. Please don’t confuse peer-peer resolution with Node Type “Peer-Peer”, which is just the opposite.

If your network (domain or workgroup) is setup properly, but does not contain a DNS or WINS server, all computers will use peer-peer broadcasts to resolve names. Using IP addresses to refer to computers should not be necessary, except in extreme situations. And, if you’re using an alternate protocol, an IP address won’t work at all.

>>Top

Browsing
Each domain / workgroup uses a browser server to tell it what resources are out there. For every domain / workgroup on a network, there should be at least one browser server in that domain / workgroup.

You can have computers in a workgroup, sharing a network with a domain. If a workgroup has its own browser server, the computers in the workgroup can see each other, and can see the computers in the adjoining domain.

If a workgroup has no browser server, its members will still be able to see each other, and the computers in the domain, if you make the workgroup name identical to the domain name. If you have a computer that’s not a domain member, AND you give that computer a workgroup name identical to the domain name, the browser servers in the domain will provide visibility between that computer and the computers in the domain.

Does your domain / workgroup occupy multiple subnets? If so, you need to know about Browsing Across Subnets. Do you maybe have two (or more) routers, but would prefer to have one subnet? If so, then read about File Sharing On A LAN With Two Routers.

>>Top

The Total Picture
Browsing is, arguably, not essential in a small LAN. Without the use of a browser server, a common workaround is to make an adhoc mapping to a share.

  • Hit the Start button.
  • Hit the Run button.
  • Type “\\OtherComputerName” (substituting the Other Computer Name, and less the “”), and hit Enter.

Or, you may make a persistent mapping from Windows Explorer.

  • Select Tools, then Map Network Drive, from the Windows Explorer menu.
  • Substitute the Server, and Share, into “\\Server\Share” as entered into the Folder: box.
  • Select “Reconnect at logon”, if desired.
  • Select the Finish button.

Name resolution is not essential either. Without the use of name resolution, you can map a resource by substituting the ip address of the server for the name (again, if you’re using NetBIOS Over TCP/IP as the transport).

  • Hit the Start button.
  • Hit the Run button.
  • Type “\\OtherComputerIPAddress” (substituting the Other Computer IP Address, and again less the “”), and hit Enter.

But, when you use Network Neighborhood (My Network Places) to provide a neat list of all the shared folders and printers on your network, you select and double click on a share, and you get a connection, you are using, in turn,

If you’re having a problem with Network Neighborhood:

  • Network Neighborhood is empty, or lacks an entry for one or more computers that you know are there.
  • Computer A shows in Network Neighborhood for Computer B, but Computer B doesn’t show in Network Neighborhood for Computer A.
  • You get an error “(Workgroup) is not accessible…” when opening Network Neighborhood.
  • You get a variant (and there are many variants here) of “not accessible / name not found … access denied” when clicking on an entry in Network Neighborhood.

then you likely have a problem with either browsing, or name resolution. Diagnose Windows Networking first. If, and only if, you can’t find any problems with Windows Networking, look at File Sharing. Whenever working on problems with Windows Networking, work from the bottom up.
>>Top

Authentication and Authorisation
Whether or not you do use the browser to list resources, and / or name resolution to locate the resources, you will still have to setup authentication and authorisation properly, if you wish to actually connect to, access, and change those resources. You can avoid use of the browser, and of name resolution; you cannot avoid authentication and authorisation.

The Registry Editor

July 24, 2005

The RAM in your computer is short term memory, which is cleared when you restart the computer. The Registry in your operating system is the long term memory of the operating system. The Registry Editor helps you to make manual changes to this memory.

Have you used the Registry Editor before? If not, it’s a scary tool, but it’s pretty simple once you get used to it. Read Annoyances: Introduction to the Registry.

As an example, say you need to Change or to Delete the Value NodeType in Registry Key [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters], as instructed separately.

  1. Open the Registry Editor and navigate to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters].
  2. Right click on the Parameters entry in the registry tree, and select Export. By specifying a file name and a folder, you can backup the Values in the …Parameters key.
  3. Change or Delete the Value.
    • To Change the Value, doubleclick on it, and type the appropriate value. Hit OK.
    • To Delete the Value, rightclick on it, and choose Delete. Hit OK.
  4. Reboot to ensure that the system accepts the change.
  5. If you experience any problems, simply locate the file created in step #2, and doubleclick on it. Its contents will be automatically merged back into the registry, reversing any changes you just made.

Connecting Two Computers With A Crossover Cable

July 22, 2005

Most of my articles in this website are about Windows Networking / File Sharing, or about Internet Connectivity, and start by assuming that you have several computers, and a router / switch / hub connecting them. But what if you have just 2 computers, and just want to quickly move files between the two? Or maybe you want to setup Internet service, for the 2 computers, without using a router to share the service?

>>Top

Make The Right Decision
Start by asking yourself – what do you want to do – both now, and in the future? If you just want to immediately connect just these two computers, and quickly move files between the two, without Internet service, then this is the right start.

If your future might include Internet service, or if you might end up with a third computer, then you would really be better off using a router.

If you want to connect the two computers, and share Internet service, you can do that using a crossover cable. But know the issues before you start.

  • If the computer with Internet service has it thru a dedicated modem, either:
    • Internally installed.
    • Connected externally, but thru a serial cable.
    • Connected externally, but thru a USB cable.

    then using a crossover cable is a valid solution.

  • If the computer with Internet service has it thru an Ethernet connection, or thru WiFi, then this is not a valid solution. If the Ethernet or WiFi connection is on subnet 192.168.0/24, this will not work at all. In the latter case, you will have to connect both computers directly to the LAN with subnet 192.168.0/24.

>>Top

Use The Proper Equipment
The simplest solution, for networking just 2 computers, is to get an Ethernet crossover cable, and connect the two directly. A single crossover cable is the equivalent to getting a hub (or switch or router), and a pair of straight-thru patch cables.

Please use Ethernet, not USB, for connecting your computers. USB networking requires additional drivers, and adds to complexity of the network. Ethernet drivers are native in all modern operating systems.

Please use a Cross-over Ethernet cable. A Straight-Thru, aka Patch, cable may work for some newer systems, which can automatically sense the need for a cross-over. But a cross-over cable will work all of the time, when you need to connect two computers directly.

Patch cables may come in many colours and lengths; some computer stores will have dozens of choices to suit your cabling needs. Cross-Over cables, when you find them in the store, will be explicitly labeled “Crossover”, and will come in one colour (probably orange), and one length (probably 3 or 5 foot).

Please buy a properly made cross-over cable. If you’re a masochist, or extremely desperate, you may make your own from a pair of patch cables, properly spliced. But Ethernet cables, that support modern high speed networks, require precision in their construction. While I’m a fan of do-it-yourself activities (as in the reason for this website), I don’t recommend do-it-yourself Ethernet cabling, when you’re setting up a network. Buy a cable, unless you’re very experienced with networking and can easily recognise the possible problems.

Use the Device Manager in Windows, and test the network adapter in each computer. Connect your cross-over cable to the two network adapters.

Now, will you be setting up your network to Share Internet Service? Or just to share files, with No Internet Service?

>>Top

Setup The Network – No Internet
If you just have two computers, and no Internet service to either, run the Network Setup Wizard on each computer. Select the last option

This computer belongs to a network that does not have an Internet connection.

Having connected the two computers physically, and checked that you have no physical problems, you need to make the logical (TCP/IP) settings. If you have Windows XP, or other current operating systems on your computers, you’re in luck. Modern operating systems use a system called APIPA, and should be able to provide ip settings automatically, so the two computers will connect to each other. If you allow the two computers to dynamically assign addresses, APIPA should take care of this for you.

Be prepared to get an error message – Limited Or No Connectivity – if you use APIPA configuration.

NOTE: if one of your computers is NOT running Windows XP, you’ll have to set the IP address and subnet mask manually. Remember IP addresses have to be unique for IP addressing to work.

  • Run “ipconfig /all”, from a command window, on each APIPA compliant computer first.
  • Make a list of which addresses are automatically assigned.
  • Manually configure each non-APIPA compliant computer.
    • Set each computer up with a unique IP address, in the 169.254.x.x subnet (written as 169.254/16 in many cases).
      • Each computer gets a subnet mask of “255.255.0.0”.
      • Each computer gets an IP address of “169.254.x.x”, where the “x.x” MUST be different for each computer. Check your list of addresses assigned by APIPA!
      • Each value of “x” must fall between 1 and 255 (not including either 1 or 255).
    • You assign IP addresses in the TCP/IP Properties wizard, generally accessed from Start – Network Connections – Local Area Connection – Properties – Internet Protocol (TCP/IP) – Properties. Select “Use the following IP address”. Only worry about IP address and Subnet mask, the other settings are only useful if you have an outside connection. With locally connected computers, just IP address and Subnet mask are essential.

Having connected the two computers physically, and checked that you have no physical problems, next Verify The Network – make sure that it works properly.

>>Top

Setup The Network – With Internet
If you have two or more computers, with Internet service to one, and wish to share the service to the others, run the Network Setup Wizard, first, on the computer that has Internet service. Select the first option

This computer connects directly to the Internet. The other computers on my network connect to the Internet through this computer.

Next, indicate which network connection is to be used for sharing the Internet service.

Finally, run the Network Setup Wizard on the other computers, and select the second option

This computer connects to the Internet through another computer on my network or through a residential gateway.

Having connected the two computers physically, and checked that you have no physical problems, verify that the network works properly.

>>Top

Verify The Network
Please verify that you have connectivity between the computers first.

  • Run “ipconfig /all” on each computer, from a command window. Note the IP address and subnet mask for each network connection.
  • Make sure that you don’t have a bridge, on any computer, unintentionally.
  • Verify that all computers are on the same subnet.
    • If this is two computers without Internet service, each computer should have an address of 169.254.n.n, and a subnet mask of 255.255.0.0. This will indicate that each is on subnet 169.254/16.
    • If this is two, or more, computers sharing Internet service, the first computer (thru which the others will be getting Internet service) must have an address of 192.168.0.1, and a subnet mask of 255.255.255.0 (on the connection used for sharing the Internet service). All of the computers getting Internet service thru the first computer must have an address of 192.168.n.n, and a subnet mask of 255.255.255.0, and show both DHCP and Autoconfiguration Enabled = Yes.
  • From each computer, again in a command window, ping the other. If, for instance, the address on Computer B is “169.254.1.2”, open a command window on Computer A, and enter:

    ping 169.254.1.2

    If you get back a series of responses like

    Reply from 169.254.1.2: bytes=32 time
    then you are ready.

When you open Windows Explorer on each computer, and look in Network Neighborhood, you should see both computers. And when you open (doubleclick on) one entry, you should see the folders and files.

>>Top

Troubleshoot The Network, If Necessary
So what if it doesn’t work, per the basic testing above? Well, now you start troubleshooting, and in this order.

Hacking Redefined

July 18, 2005

Modern malware is constantly taking on new forms; it’s hard for those of us who aren’t dedicated security experts to comprehend how deviously, and methodically, it’s designed and deployed. How do you fight it? Well, first, you have to know what’s out there. With that goal in mind, I will provide here a brief overview of malware.

I would first like to apologise to those good guys, like Steve Wozniak and John Draper, who called themselves hackers, and who insist that the proper term for the bad guys is crackers. If you’re calling yourself a hacker, and you’re a good guy, you’re swimming upstream, and there’s a strong downstream current.

Even though we abhor malware in general, it’s hard NOT sometimes to (objectively) admire how professionally it’s designed and deployed. Computer owners, who become victims of hacking, will NOT (subjectively) admire the tools, or the attackers.

One of the problem is how you describe what’s happening? Which came first – the chicken or the egg? How do you define hacking, other than what a hacker does?

For the purpose of this article, I will define the following terms.

  • Hacking is aggressive, deceiptful, or intentional misuse of any computer not legally owned by any Attacker, for commercial, financial, or personal purpose.
  • Hacker is the person, or groups of people, doing the Hacking.
  • Malware is the tool used for Hacking, AND the payoff of the Hacking.
  • Victim is the legal owner of the computer Attacked by a Hacker.

Malware includes:

  • Adware.
  • Hijacks.
  • Spam.
  • Spyware.
  • Trojan.
  • Virus.
  • Worm.

The people performing the Hacking Attacks have been referred to as, variously:

  • Adware / Spyware Writers.
  • Hackers (Classically).
  • Crackers.
  • Spammers.
  • Virus Writers.

In the past, this cross-referencing was not necessarily done. Classically, Malware was of a distinct nature, and one type of malware was not used by another type, or group, of Attackers. Today, we have combined Attacks, where:

  • Spam is used to deliver Trojans to be installed on Victims computers.
  • Adware / Spyware is installed as Trojans.
  • Trojans, installed on Victims computers, are used in the delivery of Spam, or Worms, to other Victims.
  • Viruses are used to attack people or software used to defend against Adaware, Spam, and Spyware.
  • Viruses, having infected the Victims computer, can become Worms, and attack other computers on the same Network.
  • Viruses or Worms were used to Attack the data on the Victims computer, rendering the data unusable unless actual money was paid by the Victim to the Attacker. No, this is NOT fiction.

Trojan
The term Trojan refers classically to the mythical story of the Trojan Horse in Greece. A Trojan is software which is packaged (by the hacker) with Host software that is trusted by, and intentionally installed by, the Victim.

A Trojan can be anything as innocent as an extra toolbar, installed as a part of the Victims browser, and used to “enhance the browsing experience”, to software that makes the Victims computer act in a three role Spam delivery capacity. A Trojan has to be intentionally installed on a server (by a Hacker), with the Host software. It then requires the intentional installation of the Host software (by the Victim), for propagation onto the Victim’s computer. A trojan travels as a server to client infection – from a server to a client (victim) and then no further.

Virus
A virus is software that travels, from one computer to another, in trusted Host software, such as an application or data file passed by Victim 1 to Victim 2. A virus requires the intentional installation of the Host software (by the Victim), for propagation, but automatically repackages itself on the Victim’s computer, for transport to the next computer. A virus travels as a peer to peer infection – from any computer to other computers, and then to more computers later.

Worm
A worm is software that travels, from one computer to another, in a trusted media, such as the computer network (with no firewalls in place), or in email (with no malware malware / virus scanning software in place). A worm requires no intentional action, by the Victim, for propagation. A worm travels as a peer to peer infection – from any computer to other computers, and then to more computers later.

Hacker
The classical Hacker was a disenfranchised teenager, hiding in his bedroom, attacking an individual computer owned by a single Victim, for amusement. See, for instance, War Games, one of the earliest movies about Hackers.

Today, Hackers use programs that they may release as Trojans, as Viruses, or as Worms. The Hack, which when installed on the Victims computer, may make that computer part of a Botnet. A Botnet, or entire army of computers controlled by a Hacker, can be sold to individuals or corporations for delivery of Spam, for hosting of Adware or Spyware, or for the creation of even more Botnets. As of June 2005, the reported value of ONE bot was $.55 USD, thus a 10,000 member Botnet (a not at all abnormal number) could net the Hacker $5,000 or so.

Malware – Classified By Delivery Mechanism

  • Trojan – A server to client infection, that requires action by the Victim to propagate. A trojan starts out life packaged, by a hacker, with software trusted by the Victim. When the Victim installs the trusted software, the malware gets installed. Once installed on the Victims computer, a Trojan travels no further. A trojan can be used targeted against a specific set of victims – maybe players of a specific game, or visitors to a specific website.
  • Virus – A peer to peer infection, that requires action by the Victim to propagate. A virus starts out on a Victims computer, and packaged with software trusted by the next Victim. When the next Victim installs the trusted software, the virus gets installed. Unlike a Trojan, a Virus automatically repackages itself, on the Victims computer, for transport to the next Victim. A virus is simply broadcast – its spread cannot be controlled, excepting by the media in which it spreads. A successful virus spreads indiscriminatly.
  • Worm – A peer to peer infection, that requires no action by the Victim to propagate. A Worm is malware that travels, from one computer to another, in a trusted media, such as a computer network (with no firewalls in place), or in email (with no malware malware / virus scanning software in place).

Malware – Classified By Payload

  • Adware – Malware that delivers, or influences the delivery of, commercial material (aka advertisements) to the Victims computer.
  • Hijack – Malware that makes the Victims computer do things not intended by the Victim.
  • Spam – Malware consisting of unwanted Messages delivered to the Victims computer.
  • Spyware – Malware that collects and transmits personal information about the Victims computer, or about the Victim, to persons who have no legal entitlement to that information.

Malware Detection

So, if there’s malware out there, how do we know what’s out there? More importantly, how do we describe what’s out there? And how do we remove what’s on our computers, and then hopefully, keep it from coming back?

You have to know what’s there before you can fight it. Knowing what’s there is a matter of detecting it. Basic malware detection is based upon two alternate processes.

  • Behaviour analysis and detection.
  • Signature analysis and detection.

Behaviour analysis, also known as heuristic analysis, takes a suspect file (or a computer system), opens it (operates it), and sees what it does. Sophisticated heuristics are used by some antitrojan / antivirus products, which contain a sandbox, which is a replica of the operating system, within the AT / AV product code. A suspect file is copied into the sandbox, opened from within, and watched. When opened, if it makes suspicious use of system resources provided by the (replica) operating system, it is determined to be malware, and examined further.

Signature analysis takes the actual contents of the various bytes in a suspicious file, and mathematically calculates a hash of the contents. The hash becomes the signature, which is compared against a database listing known malware. If suspected malware has a hash matching known malware, it is determined to be malware.

Malware analysis can be done heuristically against the entire system. Note the difference between adware and spyware. The first will typically generate incoming network traffic; the second, outgoing.

By statefully looking for incoming or outgoing traffic, compared against what should be expected, malicious activity can be detected. Software designed to look for malicious incoming traffic will be better at detecting adware, software designed to look for malicious outgoing traffic will be better at detecting spyware.

Signature analysis is a much simpler process, but demands more repetitious work. To do a signature analysis of the system (a trojan or virus scan) requires taking each file, one at a time, on the entire system, generating a signature from the file, and comparing the signature against each entry in a very long list (database) of known malware. Multiply the number of files in your typical system, against the number of possible (known) malware, and you see what a massive effort that is. And each time a new set of signatures is produced (and with some antivirus products, it’s multiple times / day), a rescan could be appropriate.

Some malware is encrypted, to fool the signature scanners. Malicious code is taken, and subjected to rearrangement (packing), with some packing containing random operations which makes unpredictable results. Simple signature checking (and the bad guys, in some cases, know what procedures are followed to produce the signatures) won’t detect packed code, which follows no known pattern. So suspect files have to be examined for unpacking code embedded in the code, and in some cases, the unpacking has to be allowed to execute so the signature checking can take place. This makes signature checking even more complex, and more time consuming.

On the other hand, its somewhat possible that having unpacking code in a file indicates that it’s malware. Most legitimate code (excepting openly compressed files) does not use unpackers, as most legitimate code is already in an executable state. So when an AT / AV scan finds a file with an embedded unpacker, it’s a strong possibility that the file contains malware. Of course, the malware still has to be analysed, to determine just what malware it is. But the scanner doesn’t have to continue the heuristic analysis, just switch to the signature check.

Malware Detection and Removal Tools

So all of the above is good background information, but what do you do about the problem, once you understand it?

The traditional way of scanning for viruses, the first malware that was distributed so long ago, was by examining each file on the computer that might carry a virus. This is where the signature and heuristic checks would be done. I’ll discuss the tools required in Dealing With Malware.

The problem with scanning each individual file on the computer is several:

  • You need a database on the computer being scanned, that describes each known malware.
  • Scanning each file on the computer is labourious; as the signature database gets larger, scanning each file on the computer times the length of the database gets larger still.
  • You still have to do heuristic scanning. If you limit your analysis to known malware, you risk overlooking undiscovered malware, that hasn’t been added to the database.
  • Since the scanning process constantly gets longer, the tendency is to scan only when convenient. Malware that propagates between the scans travels with ease.

The new procedure is to observe the computer as one large process. With the exception of malware that has no payload, except to travel from computer to computer, all malware has to surface with secondary symptoms. Generally, those secondary symptoms have to include one or more rogue processes, running on the victims computer.

If we treat the computer itself as one large file, we can do signature and heuristic checks against all of the processes and files, or whole computer heuristic analysis. I’ll discuss that process in Dealing With Malware Version 2.

Connecting Different Devices To Your Internet Service

July 15, 2005

Many Internet services do not want you to casually connect just any network device (computer or router) to their network. They will link your IP address, or network connection, to a specific MAC address entry in a database in their system, or in the memory of the modem connected to their network.

If you connect another device, with a different MAC address, to their network, they will deny service to the unknown device. Each different network device in the entire world, be it a modem, network card, or router, has a different MAC address assigned when it is manufactured. Most broadband services will provide or deny service based upon the MAC address.

If you connect a different computer, or a router, to your Internet service and get no connection, you will have two choices to force your service to accept the new computer or router.

Reset the Broadband Service

  • Power everything down.
  • Connect everything as you wish.
  • Wait 5 – 10 minutes.
  • Power only the modem on. Wait until the modem indicates service (the Line / Link / Service light is lit).
  • Power the router on.
  • Power the computer on.

If this procedure doesn’t work, try again, but wait 1/2 hour or so. Some services reportably have a 4 hour retraining period, as the equipment behind the modem (at the broadband head-end) has to reset too. You may even have to involve your ISP, in extreme cases.

Change The MAC Address
Most network cards and routers will allow you to change their MAC address. This is called the User Defined MAC address, as opposed to the Vendor Defined MAC address which is assigned at manufacture. The procedure for doing this, if available, will vary by vendor and by device.

Most network cards can be changed, in Windows NT systems, from the connection properties wizard. From Local Area Connection Properties, hit the Configure button, to get the wizard for the network card. On the Advanced tab, in the Property window, you should find the Network Address. Change that to the appropriate value, and hit the Close button. Restart the system if necessary.

To find the MAC address for a network card, look in the output from “ipconfig /all“.

Physical Address. . . . . . . . . : 00-04-76-D7-B7-6F

To change the MAC address of a router, you will probably use the router configuration web page. This process, called MAC address cloning or spoofing, will vary by router. You will have 2 possibilities here – either the router will allow you to manually change the MAC address of its WAN port (similar to the network card change above), or the router will automatically change its WAN port to match the MAC address of the computer that you are currently using to manage it (making the assumption that you are running the management program from the computer previously used for Internet access).

From the router configuration web page, find the MAC Address Clone (or Spoof) selection. Follow instructions – either type a MAC address, or select “Use this MAC address” (the address of the computer which you are on right now). The router will, most likely, restart, the modem will see a known and trusted MAC address, and will grant service.

The Local Security Policy Editor

July 14, 2005

The Local Security Policy editor, aka “secpol.msc” is used on any computer running Windows 2000, or XP Professional, to provide the granularity needed in tuning the operating system. It is not available for XP Home. With XP Home, you may have to use alternative products.

You can run the editor in any of several ways.

  • From Control Panel – Administrative Tools – Local Security Policy.
  • From Start – Run – “secpol.msc”.
  • From any command window, again as “secpol.msc”.

Having started the Editor, you can find the entry that you need in a branch under Security Settings.

  • Account Policies.
    • Password Policy
    • Account Lockout Policy
  • Local Policies.
    • Audit Policy
    • User Rights Assignment
    • Security Options
  • Public Key Policies.
    • Encrypting File System
  • Software Restriction Policies.
    • Security Levels
    • Additional Rules
  • IP Security Policies on Local Computer.

The names of the entries themselves are long enough to be self-explanatory.

Server Availability Affected By Maximum Simultaneous Connections

July 14, 2005

With Windows XP, you are subject to a limitation on the number of simultaneous connections that a server can provide. If you have more than 5 connections to a server running XP Home, or 10 connections to a server running XP Pro, you may observe various symptoms:

  • The error “No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept.”
  • As connections time out from disuse, they will become disconnected. Attempts to reconnect will either result in the above error, or will force the disconnection of another, less active computer.
  • The error “Server is not accessible…”.

The good news is, you can’t use up all of your connections on any server from any one client with multiple sessions on that server. Generally, one account on one client with multiple sessions = 1 connection. A session started by a user, and another session started by the system account, from one client, will count as 2 connections, though.

If you ever need to know how many connections are active on your server, look in Control Panel – Adminstrative Tools – Computer Management. Under System Tools – Shared Folders, you will find the current Sessions inventory.

As a client becomes inactive on a server, its connection will timeout, and become available to another client. The default period for inactivity to trigger a disconnection is 15 minutes.

If you need many more client connections than the server can provide, you can lower the timeout period, by tuning the server. Inbound connections limit in Windows XP tells us how to change the timeout period to 10 minutes, for instance. Into a command window, enter:

net config server /autodisconnect:10

But beware. Changing the timeout period, by using “net config”, may affect server functionality, permanently.

The Windows Server service is self-tuning; normally the server configuration parameters are autoconfigured (calculated and set) each time you start Windows XP. If you run net config server in conjunction with the /autodisconnect, /servcomment or /hidden options, the current values for the automatically tuned parameters are displayed and written to the registry. After these parameters are written to the registry, you cannot tune the Server service by using the Networks tool in Control Panel. If you change any of the Server service settings, Windows XP can no longer automatically tune the Server service for your new configuration. To avoid losing the Server service’s automatic self-tuning capability, make the change through Registry Editor instead from a command line or Control Panel Network.

You may want to use the Local Security Policy Editor (for XP Pro only) instead. Under Security Options, you should find “Microsoft network server: Amount of idle time required before suspending session”. Or, you may prefer to edit the registry directly, and change Registry Value [HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\autodisconnect]. Change either the LSP entry (for XP Pro), or the registry value, to an appropriate setting.

You may find additional information of interest in Server Service Configuration and Tuning, or Troubleshooting Server Message Block inbound connection limit…

Use NTRights To Grant Specific Privileges

July 11, 2005

Generally, you use the Security Policy Editor, aka “secpol.msc” to grant rights to accounts under Windows NT (NT, 2000, XP, Server 2003). There are two cases where you wouldn’t do this, though.

  • The Security Policy Editor won’t run under Windows XP Home.
  • You may wish to change the rights using a script.

In either of these cases, you’ll want to use the NTRights utility.

NTRights is available, as a standalone component, from Dynawell, or as a component in the Windows 2003 Server Resource Kit Tools.

You can run NTRights depending upon how it was downloaded and installed.

  • If you downloaded NTRights as a standalone component from Dynawell, and copied NTRights.exe into a folder in the Path, you can run NTRights directly from a command window.
  • If you downloaded and installed the Server Resource Kit Tools, you run NTRights from a SRK command shell.
    • Hit Start.
    • Hit All Programs.
    • Hit Windows Resource Kit Tools.
    • Hit Command Shell.

NTRights is case and syntax sensitive, so you may want to look at the command help – type “ntrights /?” at the prompt. Or you can read How to Set Logon User Rights with the Ntrights.exe Utility. You may also find How to: Determine NTRIGHTS Names and Meanings informative.

As an example, to allow the Guest account to be used for network access, you grant the SeNetworkLogonRight. Enter precisely:

ntrights +r SeNetworkLogonRight -u Guest

Read the documentation carefully, and remember:

  • Distinguish properly between “+r” and “-r”.
  • All rights names, such as “SeNetworkLogonRight”, are case sensitive.
  • There are 4 words (strings of non-blank characters) after “ntrights”, in the above example. Each word must be preceded by a space.

Limited Or No Connectivity

July 4, 2005

With XP SP2, Microsoft wants you to be aware when your computer, although configured for automatic address assignment, does not in fact get service from a DHCP server. Your computer, and maybe one or more other computers, will have APIPA addresses.

This is simply a new message – it is not a new problem, and the APIPA address is a symptom of the problem, not the problem itself. You have to solve the problem, not the symptom. Manually assigning an IP address, subnet mask, etc won’t solve anything.

There are 2 possible reasons for not getting DHCP service.

No Connectivity
If your computer has no connectivity, whether you leave the APIPA address, or use a manually assigned address, you will gain nothing. You will have to diagnose and fix the physical connectivity problem.

A case of LSP / Winsock corruption can cause No Connectivity, so if you can’t easily find a physical connectivity problem, check that next.

Connectivity, but no DHCP server
If your computer has limited connectivity, it has an APIPA address, and it may have connectivity to other computers on the local network. APIPA addresses don’t pass thru routers though, so you’ll at best have connectivity only with other computers, also with APIPA addreses, and also on your local network.

There is one case where this is not at all a problem. If you have 2 or more computers – either 2 computers connected directly with a cross-over cable, or 2 or more computers connected thru a hub or switch, you may have a LAN with no DHCP server, and no gateway.

In this case, each computer will self-assign an IP address, per APIPA design. If your only need to connect the computers is to let them share files with each other, then you’re fine.

If you have a gateway on your LAN, and intend for the computers to communicate outside the LAN, however, you have a problem. Manually assigning normal addresses, such as 192.168.n.n, to match the rest of the computers on the LAN, will accomplsh nothing.

If you manually assign an IP address that will communicate with the outside world, you’ll have to do this for every computer on your network with an APIPA address. You’ll be better off finding and fixing the problem.

Make sure that the DHCP Client service is running – Started and Automatic.

If your DHCP Client is running, the problem is probably not with your computer. Either you have no device on your local network that can provide DHCP services, or the DHCP server is ignoring the requests from your computer. The latter condition can either be caused by a MAC address filter, or by an exhausted DHCP scope (all available IP addresses having been issued).

More Analysis
If none of the above scenarios apply to you, or if you can’t work as above, then continue by asking for help for basic Internet Connectivity. Or troubleshoot the Internet Connectivity problem yourself, methodically.