Archive for June, 2006

Deeply Hidden, and Heavily Protected, Malware

June 28, 2006

Some malware, besides making it impossible for you to interrupt its processes, will make it impossible for you to even locate on your computer. This is called rootkit protection.

Any program that lists (“enumerates”) objects on your computer, for instance,

each of these programs depends upon system functions to tell it what is on your computer. None of these programs gets its list straight from the system’s own inventories; each asks system functions for a copy of those lists. Why is this relevant? Because, like any copy, things can be omitted when copying.

If your computer is infected by malware that’s using rootkit protection, the system functions that enumerate processes and services, or those that enumerate files and folders, may have been customised. When Process Explorer asks for a list of processes, or Windows Explorer asks for a list of folders in storage, the list returned by the system may be filtered by the rootkit function.

Knowing what folders and processes are related to the protected malware, the rootkit function will simply not list those items. If “C:\Malware” contains the program library for the malware that has infected your computer, “C:\Malware” simply won’t be listed by Windows Explorer. You can’t delete what you can’t see.

That’s the bad news. Now the good news.

Any file, folder, process, or service, that isn’t enumerated by a system function, is quite likely malware. There are several special programs, distributed by security experts, that enumerate system objects by bypassing the rootkit functions. They compare the results with a normal enumeration, calling the standard (and possibly rootkitted) system functions. If there are objects in the former list, that are not in the latter list, those objects are quite possibly rootkit protected malware.
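The comparison those tools perform, as an added example (not the code of Blacklight, RootkitRevealer, or the post’s author): two enumerations of the same objects, one taken below the rootkit’s hook and one through the standard API, are normalised and diffed. Each view is taken twice, because an object created or deleted between the two scans also shows up in only one list, and that is not hiding. The sample enumerations are constructed.

```python
import ntpath  # stdlib; used only for Windows-style path normalisation


def normalise(path: str) -> str:
    """Canonicalise a Windows path so the two views compare like for like."""
    return ntpath.normpath(path.strip()).lower()


def cross_view_diff(raw_passes, api_passes):
    """Return objects present in every low-level (raw) pass and absent from
    every API pass. Requiring consistency across passes filters out objects
    that were merely created or deleted between the two enumerations."""
    raw_sets = [{normalise(p) for p in view} for view in raw_passes]
    api_sets = [{normalise(p) for p in view} for view in api_passes]
    always_raw = set.intersection(*raw_sets)
    ever_api = set.union(*api_sets)
    return sorted(always_raw - ever_api)


# Constructed sample enumerations (not real scan output), two passes each.
# C:\Malware is the folder the post describes as filtered out of the API view;
# the ~tmp1 file is transient: it existed during pass 1 only.
RAW_PASS_1 = [r"C:\Windows", r"C:\Malware", r"C:\Users\Temp\~tmp1"]
RAW_PASS_2 = [r"C:\Windows", r"C:\Malware"]
API_PASS_1 = [r"c:\windows", r"C:\Users\Temp\~tmp1"]
API_PASS_2 = [r"c:\windows"]

if __name__ == "__main__":
    hidden = cross_view_diff([RAW_PASS_1, RAW_PASS_2], [API_PASS_1, API_PASS_2])
    for obj in hidden:
        print("present below the API, absent from the API view:", obj)
```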

Two of these special programs are

That’s the good news. Now for the bad news, again. Many experts believe that if Blacklight, RootkitRevealer, or a similar program identifies unknown system objects, your computer is probably compromised beyond reliability. In this case, the only option is to nuke and pave.


Patience, Persistence, and Publicity

June 26, 2006

When you’re trying to diagnose and solve a networking problem, these are three qualities that you need.

Be patient – with yourself, and with others. Accept the fact that you don’t know what’s going on, and move ahead.

Be persistent – with yourself, and with others. If one diagnostic procedure doesn’t tell you anything useful, try another. If one solution doesn’t produce the results you hope for, look somewhere else for another. Ask questions – of yourself, and of others.

Provide, and seek, publicity. Let others know what works – and what doesn’t. Use the Internet for what it is – a gigantic reservoir of knowledge. But be selective in where you seek advice.

Bad Websites? Don’t Go There

June 18, 2006

One of the best ways of protecting your computer from websites which serve malicious content is not to go to those websites. If their content includes malicious code, why would you think that any of their content is desirable? Just don’t go there.

Various security experts provide lists of websites that you should avoid, and they distribute the lists on the web. These lists are pretty big, and change frequently – generally each month. And, to prevent you from having to examine a list, by hand, each time you consider following a given link, you put these lists into the Hosts file on your computer, and let the computer do the work for you.

You can get a Hosts file from several trusted sources.

The Hosts file is a simple text file, stored in a recognised location on your computer. The operating system finds it from registry entry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath]. Generally, this entry points to “%SystemRoot%\System32\drivers\etc”, though malicious software, if installed on your computer, may change this entry.

If you use a Hosts file from only one of the above sources, you’ll simply copy the file into the folder, as discussed above. If you do as I do, and use combined sources (since each source uses different criteria for what counts as undesirable content), you’ll not want to edit and merge the files by hand. So there are several tools for doing this.

All of the above are free, and reliable. But, if you’re skeptical about whether to trust any of the sources listed above, that’s good. Do some research.

With the exception of the issue below, using a Hosts file, as part of a layered security strategy, is simple yet effective. Use of the Hosts file is built in to every network operating system that uses Internet Protocol. Installing the Hosts file simply consists of merging entries into the existing file (as described above), or copying a file into the folder, if there is none in use right now.

Now, using a Hosts file is not without cost. A Hosts file entry identifies one individual subdomain, in any given domain. If “hackersrus.net” has separate addresses for “servera”, “serverb”, and “serverc”, you’ll need

127.0.0.1 servera.hackersrus.net
127.0.0.1 serverb.hackersrus.net
127.0.0.1 serverc.hackersrus.net

and this can make the Hosts file pretty large. With HPGuru Hosts, the file is well over 1M in size.
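An added example, not one of the merging tools the post refers to and not the author’s code, that does the merge of several Hosts sources described above and then shows the one-entry-per-subdomain limit: the lookup is an exact match, so a fourth server under the same domain is not covered. It also sets aside any entry that points a name at something other than a blocking address, since a downloaded list that redirects a name elsewhere is a hijack, not a block. The two sources and all hostnames are constructed.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample lists standing in for two separately downloaded Hosts
# sources (hypothetical content; not the files from the post's sources).
SOURCE_A = """\
# source A
127.0.0.1  localhost
127.0.0.1  servera.hackersrus.net
127.0.0.1  SERVERB.hackersrus.net   # inline comment, mixed case
0.0.0.0    ads.example.test
"""
SOURCE_B = """\
# source B
127.0.0.1 serverb.hackersrus.net serverc.hackersrus.net
10.1.2.3  update.example.test   # not a blocking address: a redirect, not a block
"""

BLOCKING_ADDRS = {"127.0.0.1", "0.0.0.0"}
NEVER_OVERRIDE = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> Iterable[Tuple[str, str]]:
    """Yield (address, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower().rstrip(".")


def merge_hosts(sources: List[str]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Merge several sources into one hostname -> address map.
    Entries that point a name at anything other than a blocking address are
    returned separately as suspicious instead of being merged."""
    merged: Dict[str, str] = {}
    suspicious: List[Tuple[str, str]] = []
    for text in sources:
        for addr, name in parse_hosts(text):
            if name in NEVER_OVERRIDE:
                continue
            if addr not in BLOCKING_ADDRS:
                suspicious.append((addr, name))
                continue
            merged.setdefault(name, addr)  # first source wins; no duplicates
    return merged, suspicious


def render_hosts(merged: Dict[str, str]) -> str:
    """Emit one line per name, which is all the resolver understands."""
    return "".join(f"{addr} {name}\n" for name, addr in sorted(merged.items()))


def is_blocked(merged: Dict[str, str], hostname: str) -> bool:
    """Exact-match lookup like the resolver's: no wildcard, no parent-domain match."""
    return hostname.lower().rstrip(".") in merged


if __name__ == "__main__":
    merged, suspicious = merge_hosts([SOURCE_A, SOURCE_B])
    print(render_hosts(merged))
    print("suspicious entries:", suspicious)
    print("serverd.hackersrus.net blocked?", is_blocked(merged, "serverd.hackersrus.net"))
```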

If you’re running the DNS Client service, which provides a centrally managed DNS / Hosts lookup, the Hosts file is cached automatically. When the system starts up, and anytime you update the Hosts file, the DNS Client service will recache the file. This is a very CPU intensive process – on my computer (the last time I used it), the service would take 10 – 15 minutes to cache the file; during that time, the computer was pretty useless.

The solution, in that case, is to Stop and Disable the DNS Client service.

This should be a relevant issue only on small LANs that don’t have a dedicated DNS server. If your domain includes a DNS server for local name resolution, you need to set up both the clients and the server very carefully. In that case, you’ll want to centralise your website blocking, not have separate files on each client. If you don’t have a dedicated DNS server, there are free DNS server utilities that will provide local caching of DNS information, without having to precache the Hosts file.

Layered Testing In Windows Networking

June 15, 2006

When you’re working in Windows Networking – that is, the ability to share files, using named resources, between computers – you’ll find sometimes that you can’t access the files on one computer. Sometimes, you can’t even see the files on another computer.

The challenge here is that the inability to see the files on another computer might be something as simple as your having kicked the network cable loose – or it might come from your having given a different workgroup name to the other computer. But how are you going to diagnose the problem?

Some folks will tell you, immediately

If you don’t see the other computer in My Network Places, go to Entire Network – Microsoft Windows Network, and look there.

Now, if your physical network is solid, and the Internet Protocol is properly configured, then checking in Entire Network for a missing computer name is one of the next logical steps. But be aware of the lower layers, and check them, at least briefly. Maybe your network cable is broken, AND your computers are in different workgroups.

As I point out in Solving Network Problems – A Tutorial, Windows Networking is based on the OSI Network Model.

  • Windows Networking, in its default state, uses an application interface called NetBIOS Over TCP.
  • NetBIOS Over TCP, aka NetBT, uses TCP/IP for the logical network.
  • And in your home or small office, you’ll likely have either Ethernet or WiFi. TCP/IP uses Ethernet, WiFi, and similar transports for physical connectivity.

When you test, observe those layers. Test from the bottom up.

  • Test Layers 1 & 2 – Physical & Data Link. If you have Ethernet, you’ll have an Ethernet cable connecting either 2 computers, or one computer and a hub / switch / router. If you have WiFi, you’ll have a computer connected to another computer, or to a similar WiFi hub / switch. Physical devices like Ethernet adapters, WiFi adapters, and hubs / switches / routers have diagnostics. Most have multi-colour lights. Find out about the diagnostics for each device. Learn what each colour means, and how it tells you that it detects a connection (or not).
  • Test Layer 3 – Network. If you verify that your computer is physically connected to another computer, or to the hub / switch / router, next check your IP settings. First, verify that the settings are good, using “ipconfig /all”. Next, ping the other computer, or the router, and make sure that you get a consistent reply. If you get a partial reply (with some dropped packets), or if the reply time from the other device varies widely, do some more research. Here’s where PingPlotter may come in handy.
  • Test Layer 7 – Application. If IPConfig and Ping indicate a good, solid, logical connection, look in My Network Places. If you don’t see what you’re hoping for, a combination of “browstat status” and “net config server” / “net config workstation” is a good diagnostic here. Coupled with “ipconfig /all”, and compared against the same from the other computers involved, you can figure out just about any network problem.
  • Finally, if neither “ipconfig /all”, “browstat status”, “net config server”, nor “net config workstation” indicates a problem, then do relational analysis using CDiag and CPSServ.

I’m aware that this just scratches the surface. But it’s a start.

The Real Blogger Status / WordPress Edition #1

June 9, 2006

The Real Blogger Status / WordPress Edition is now online.

All I did was run a script from the WordPress Dashboard – Import. It was predictable, and simple.

  • Indicate Blogger as my blog host.
  • Backup settings in blogs being imported.
  • Log out of Blogger, from the Dashboard.
  • Log in to Blogger, thru the Import script.
  • Select the blog to be imported, from my Blogger blog list.
  • Watch and pray.
  • This blog is not terribly large, just a few pictures (no, actually just 1), and maybe 50 posts. It took a good 5 minutes, with a nice console type display showing what was going on.
  • The Import script finished, and that was that.

Having finished, I now have a blog in WordPress. That being said, it’s just a blog.

All in all, a brief and disappointing exercise. It’s pretty – check it out. But there’s lots more to be done, before The Real Blogger Status / WordPress Edition can be seen as a mirror to The Real Blogger Status / Blogger Edition.

I Blog Slowly

June 9, 2006

I publish each post dozens of times – that’s why I like blogging. I’m still working on my most recent post, Another Day Of Anguish.

My current project, The Real Blogger Status / WordPress Edition, is just a stub right now. I just started it, and as with any new blog, the WordPress blog starter puts in a welcome comment. So this morning, I went to remove the comment – clean up the stub, and get ready to mirror it from The Real Blogger Status / Blogspot Edition. And imagine my surprise when I found a real comment from a real blogger. Already.

Blogger Employee: Are you reading this? Check this.

Spam Blogs #3

June 8, 2006

In Spam Blogs #2, I briefly touched on the issues of spam in the blogging world. The problem is worse than the previously referenced articles.

In Washington Post Security Fix: Fake Blogs Use Security Fix to Support Bad Advice, Brian Krebs discusses how the splogs are being used to advertise, among other things, fraudulent security products.

…they will link to one or two anti-spyware products that either aren’t worth a fraction of what they cost or have earned a reputation for marketing by scaring people into thinking — often falsely — that they have massive spyware infections on their computers.

In TGDaily Number of websites grows at record pace, they mention that Blogger reported 660,000 websites added just last month. I wonder how many of them were splogs? And how many of the chronic Blogger failures are due to the increased load caused by the splogs?

Another Day Of Anguish

June 8, 2006

Blogspot appears to have been up all day, so my blog viewers, apparently, didn’t lose interest. My hit counts are almost equal to a month ago; though discounting the fact that half of my viewers are reading this blog, not my main one, we are still suffering. But Blogspot, today, was not the concern.

Blogger was the story today.

Since the action today was in the forums, mainly Google Blogger Help: Something Is Broken, and Publishing Trouble, that is where today’s story comes from.

  • From What the *%^%$ Is going on with Blogger?!, drjewest writes

    It really is tragic because its just another example of American indifference to customer service. When the country is bankrupt and has to receive foreign aid in a few years maybe folk will wake up and do their jobs. But of course then it will be too late.

  • From What the *%^%$ Is going on with Blogger?!, Blogger Employee writes

    We’re currently having some trouble with one of our databases. This is likely the cause of the problems that you are experiencing. We’re aware of the issue and are working hard to resolve it as quickly as possible.

  • From What the *%^%$ Is going on with Blogger?!, blogonaut writes
    1. If it’s downtime one day, blogger is likely to be sluggish and jumpy for the next few coming days and as we’ve experienced today, hardware problems can return and become worse.
    2. It’s really bad that blogger don’t post to their status page immediately.
    3. Good thing is that if blogger is down, blogspot usually work better… it can be slow but is usually not gone completely, which means people can still access our blogs although we can’t update them. That said, today was awful 🙂
    4. Yeah, I’m thinking of moving as well but a) I’ve just finished too many hours on my template…. b) I’ve always hated WordPress’s interface and I don’t like it more just because Blogger is having trouble c) I fear a mass-migration to other platforms, which mean they’re gonna get into trouble as well. Pls. tell me what you think, I’m still struggling with this issue!
    5. Learning from the posts in this forum in the past days, the problem is not always on the blogger side … clean out cookies and cache and switch browser for a while if you can’t post and you have no reason to think blogger is actually down again… It’s better than waiting a few days for a reply from support and it can work very well.
    6. Back up… as soon as blogger is running as normal again I’ll be heading for the help page and learn how to make a back up of all my posts!

  • From Google has better things to do…, electricwind writes

    Google has better things to do than to attend to Blogger outages and outrages…

    Remember, Blogger only costs money for Google–while they’re busy making their billions..

  • From Google has better things to do…, CyberNewsmaster writes

    I suspect Blogger actually generates revenue for Google through Adsense. It’s a great model. Get other people to write content for you. Split the profit from ads on their blog…

  • From blogger sluggish today?, J.D. Matthews writes

    Hey Blogger Employee, why don’t you stop posting useless comments like that in here and get over there and fix the friggin’ problem? We’re all aware of the issue, and you can take your apology and stuff it until you get everything running right.

  • From Simple recipe for keeping Blogger users happy, Marsh writes

    When the problem has been identified, update the Status page with a brief description of the problem (hardware failure, denial of service attack, etc), who is affected, and give a conservative estimate of the time for a fix (and triple it). A range might be useful too, like 8-24 hours.

  • From Simple recipe for keeping Blogger users happy, Blogger Employee writes

    Thanks to everyone for their honest feedback, it is truly appreciated. We do our best to keep you folks in the loop, and to make Blogger as reliable as possible. Unfortunately, as noted in my earlier post, despite the efforts made yesterday, Blogger is a bit sluggish today.

    Additionally, some folks may be experiencing intermittent outages. I assure you that our engineers are doing everything in their power to get Blogger up and running normally again ASAP.

  • And, in addition to the pain and anguish shown above, Blogger Status suggests

    …we are also planning to make additional changes this evening.

  • And for the last quote, in blogger sluggish today?, MaryK writes

    Okay, Blogger Employee – this is helpful information for the 10 people who read this group. How about updating your OFFICIAL Blogger Status page for your other 10 million members?

The last post is the most telling. Let’s look at the most current Blogger Status post, as of today – Friday, June 06, 2006:

Thursday, June 08, 2006

For many users, Blogger will have been extremely slow or down for most of the morning. We continue to work on fixes for this problem and hope to have it resolved as quickly as possible.

Update (4:45p): We are planning another infrastructure overhaul to address the significant problems we’ve been having in the past several days.

Update (6:59p): We’ve made another change that has improved performance, but we are also planning to make additional changes this evening.

Posted by Jason at 11:14 PDT

That is symptomatic of the same problem – ongoing lack of communication. We see the same, stale, content that we saw there, yesterday evening. If we see a problem today (Friday), how do we know if it’s the same problem, returned? Or a new, unrelated problem? Or maybe a problem caused by the final changes made last night (if any were made)?

Blogger Employee: We appreciate that you are willing to take 10 minutes out of your busy day of playing frisbee and napping on the couch to post a few words of comfort (identical content, pasted into half a dozen threads), but you are (were) replying to people in real pain.

Jason speaks in the highest overview – “…infrastructure overhaul…” and “…another change that has improved performance…”.

These words mean very little to the typical Blogger. We see the post editor – or the photo upload – up right now. Here’s an immediate decision to be made. Will it be up for 2 more hours, or just 10 more minutes? Should I rush and finish this post now, or maybe take a shower now, and do some better work after I am refreshed? Decisions to be made, constantly – and your vague status reports don’t help us with those decisions.

And this morning’s content, which is unchanged from last night, provides no sense of closure. Was anything actually done last night (“…additional changes this evening”)? Or will you maybe make an unplanned improvement sometime today?

And here’s a thought. If you find using Blogger Status to be less than useful when Blogger (or Blogspot) is down, mirror Blogger Status on another service. This blog, The Real Blogger Status, is being mirrored this weekend. Watch this blog (or its mirror) during the next Blogger / Blogspot outage (NOTE the truthfulness of this statement depends upon how long it is until the next major outage).

Of Blogger and K-Mart

June 8, 2006

Having written about my early memories of shopping in Richmond, Virginia, I was saddened to read the news from a fellow Blogger and Richmond resident:

…Miller & Rhoads and Thalheimers are alas, no more. Both went out of business and their buildings are slated to be torn down in some downtown renovation.

Miller & Rhoads, Richmond VA
c. 1931 (gone)

That sad news was delivered thru my website GuestBook, as it was impossible to write a Blogger comment.

Thalheimers, Richmond VA, somewhat later (also gone)

K-Mart, on the other hand, however questionable their service, is still with us. And K-Mart is getting bigger, having recently bought out Sears / Roebuck (aka Sears).

So many Bloggers are thinking about moving to alternate blog hosts, like WordPress. Well, The Real Blogger Status is being mirrored there, this week. But do I expect that to be a long term solution? Regretfully, no.

K-Mart, though known for providing less customer support, outlasted both Miller & Rhoads and Thalheimers. And engulfed Sears / Roebuck, which was a mail order giant from years back.

I have no doubt that Blogger will continue to expand, even as some Bloggers move to WordPress. And one day, WordPress will be engulfed too. Those of you fleeing Blogger for greener pastures may not be away for very long.

Stay and fight the problems now, or flee and fight the problems later. Your choice.

Welcome to PChuck’s Network / WordPress Edition!

June 7, 2006

Welcome to PChuck's Network WordPress edition!

We tested migration from Blogger to WordPress, starting with The Real Blogger Status, recently. Next, we have to test an update migration. Neither PChuck's Network nor The Real Blogger Status is a static blog. One migration will not even begin to test the WordPress utility.

Be patient, this may take a while.