"A Little Help From My Friends"
 


KCNET NEWSLETTER
03/06/05
TECHNICAL PAGE


TECHNICALLY SPEAKING
VIRUS AND OTHER STINKY STUFF
INTERESTING SITES
 

TECHNICALLY SPEAKING:
Ready or not, Windows XP update is coming    By Ina Fried  Staff Writer, CNET News.com,  February 25, 2005
Microsoft is alerting customers that it will soon start delivering Windows XP Service Pack 2 to all customers using Automatic Update, whether they want it or not.
In response to requests from businesses, Microsoft last year released a tool that allowed companies to continue using the automatic update feature but temporarily block the security-oriented update from downloading.
However, the grace period comes to an end on April 12. Microsoft has posted a warning on its Web site, alerting people about the impending deadline.
"Time is running out!" Microsoft said. "Please note that the mechanism to temporarily disable delivery of Windows XP SP2 is only available for a period of 240 days (eight months) from Aug. 16, 2004. At the end of this period (after April 12, 2005), Windows XP SP2 will be delivered to all Windows XP and Windows XP Service Pack 1 systems."
Microsoft first released the SP2-blocking tool in August, saying it would allow customers to put off the upgrade for 120 days. In September, Microsoft said it would double the length of time, to 240 days, to give businesses more time to test the software.
In a statement, Microsoft said it is sticking to that schedule.
"SP2 is an important, free security update for Windows XP customers that is already delivering value to over 180 million customers worldwide," said Jon Murchinson, a Microsoft product manager.
The move affects only those who use Windows' automatic update to connect directly to Microsoft servers. Some businesses have reconfigured the automatic update feature to connect to their own corporate update servers. Those companies can continue to push out updates to their own schedule.
While recognizing the need for customers to test software, Microsoft has been urging businesses to move to SP2 for its enhanced security benefits, particularly for portable machines that frequently travel in and out of a corporate firewall.
*************************************
I know this is long but it is worth reading.  Take a couple of minutes to digest this.  (Mike)
Microsoft on 'rootkits': Be afraid, be very afraid  Rootkits are a new generation of powerful system-monitoring programs   By Paul Roberts   FEBRUARY 17, 2005 (IDG NEWS SERVICE)   Bill Myers forwarded this one.
Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals.

The researchers discussed the growing threat posed by kernel rootkits at a session at the RSA Security Conference in San Francisco this week. The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.

With names like "Hacker Defender," "FU" and "Vanquish," the programs are the latest generation of remote system-monitoring software that has been around for years, according to Mike Danseglio and Kurt Dillard, both of Microsoft's Security Solutions Group.

The programs are used by malicious hackers to control, attack or ferret information from systems on which the software has been installed, typically without the owner's knowledge, either by a virus or after a successful hack of the computer's defenses, they said. Once installed, many rootkits run quietly in the background but can easily be spotted by looking for memory processes that are running on the infected system, monitoring outbound communications from the machine, or checking for newly installed programs.

However, kernel rootkits that modify the kernel component of an operating system are becoming more common. Rootkit authors are also making huge strides in their ability to hide their creations, said Danseglio.

In particular, some newer rootkits are able to intercept queries or "system calls" that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools, said Danseglio.

The increasingly sophisticated rootkits and the speed with which techniques are migrating from rootkits to spyware and viruses may be the result of influence from organized online criminal groups that value stealthy, invasive software, said Dillard.

One rootkit, called Hacker Defender, released about a year ago, even uses encryption to protect outbound communications and can piggyback on commonly used ports such as TCP Port 135 to communicate with the outside world without interrupting other applications that use that port, he said.

The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products, the researchers said. In fact, some of the most powerful tools for detecting the rootkits are designed by rootkit authors, not security companies, they said.

There are few strategies for detecting kernel rootkits on an infected system, especially because each rootkit behaves differently and uses different strategies to hide itself.

It is sometimes possible to spot kernel rootkits by examining infected systems from another machine on a network, said Dillard. Another strategy to spot kernel rootkits is to use Windows PE, a stripped-down version of the Windows XP operating system that can be run from a CD-ROM, to boot a computer and then compare the profile of the clean operating system to the infected system, according to Dillard and Danseglio.

Microsoft researchers have developed a tool called Strider GhostBuster that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate that a kernel rootkit is running, according to a paper published by Microsoft Research.

The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.

Although rootkits are not unique to Windows, the popular operating system is a rich target and makes it easy for malicious hackers to disguise the presence of such programs, according to Jonathan Levin of Symantec Corp.'s @stake division, who attended the presentation at the RSA conference.

The operating system's powerful application programming interfaces make it easy to mask behaviors on the system. Microsoft's Internet Explorer Web browser is also a frequent avenue for malicious hackers, viruses and worms that could drop a rootkit on a vulnerable Windows system, Levin said.

Better tools could be built to detect the current crop of kernel rootkits. However, rootkit authors are adept at spotting new detection techniques and modifying their programs to slip around them, Danseglio said. "These people are smart. They're very smart," he said.
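
The clean-boot comparison described in the article (list the disk from inside the running system, list it again from clean media such as Windows PE, and look for differences) can be sketched as follows. This is an added example, not code from the article and not how Strider GhostBuster is implemented; the "path|size" listing format, the sample entries and the noise list are assumptions made for illustration.

```python
import ntpath

# Constructed sample listings in "path|size" form; every entry is made up.
# LIVE_VIEW: what the running, suspect OS reports about its own disk.
LIVE_VIEW = r"""
C:\WINDOWS\system32\kernel32.dll|983552
C:\WINDOWS\system32\example_patched.dll|57344
C:\WINDOWS\system32\drivers\tcpip.sys|359040
C:\WINDOWS\Temp\setup.log|120
C:\pagefile.sys|805306368
"""
# CLEAN_VIEW: the same disk listed after booting from clean media, where it
# happens to be mounted as D: and the listing tool prints lower-case names.
CLEAN_VIEW = r"""
d:\windows\system32\kernel32.dll|983552
d:\windows\system32\example_patched.dll|61440
d:\windows\system32\drivers\tcpip.sys|359040
d:\windows\system32\drivers\example_hidden.sys|40960
d:\windows\system32\example_hidden.ini|512
d:\pagefile.sys|1073741824
"""

# Assumed noise list: paths that legitimately change between the two scans.
VOLATILE_PREFIXES = ("\\pagefile.sys", "\\hiberfil.sys", "\\windows\\temp\\")


def normalize(path):
    """Drop the drive letter and fold case so both views use the same keys."""
    _drive, rest = ntpath.splitdrive(path.replace("/", "\\"))
    return rest.lower()


def parse_listing(text):
    """Return {normalized_path: size} from 'path|size' lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _sep, size = line.rpartition("|")
        entries[normalize(path)] = int(size)
    return entries


def cross_view_diff(live_text, clean_text):
    """Compare the suspect OS's view of the disk with the clean-boot view."""
    live = parse_listing(live_text)
    clean = parse_listing(clean_text)
    report = {"hidden": [], "size_mismatch": [], "live_only": []}
    for path, clean_size in sorted(clean.items()):
        if path.startswith(VOLATILE_PREFIXES):
            continue
        if path not in live:
            # On disk, but the running system did not report it.
            report["hidden"].append(path)
        elif live[path] != clean_size:
            # Reported, but with different metadata than is really on disk.
            report["size_mismatch"].append((path, live[path], clean_size))
    # Files seen only by the live system are usually ordinary churn, but are
    # listed so an analyst can rule them out.
    report["live_only"] = sorted(
        p for p in live
        if p not in clean and not p.startswith(VOLATILE_PREFIXES)
    )
    return report


if __name__ == "__main__":
    result = cross_view_diff(LIVE_VIEW, CLEAN_VIEW)
    for path in result["hidden"]:
        print("HIDDEN FROM LIVE OS:", path)
    for path, live_size, clean_size in result["size_mismatch"]:
        print("SIZE DIFFERS:", path, live_size, "vs", clean_size)
```

A hit in the "hidden" list is a lead to investigate, not proof of a rootkit: files created or deleted between the two scans produce the same pattern, which is why the noise list matters.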
******************************************

Digital Imaging Tip: Camera Lock Ups    Worldstart came up with this one.
Have you ever been out shooting and suddenly your camera stopped responding? It looks like it's on, but nothing works—no dials, no buttons—it's locked up. I know it's happened to me a time or two and no amount of pounding it on the hood of my Jeep seems to make any difference.
So, when a friend called this weekend and told me he was shooting some pictures and the camera locked up, I knew what to do!
I told him to take his camera and bang it on the hood of his car. He asked "Really?"
"Yup, go out and give it a good whack and see what happens," I replied, seeing how long he'd go for it.
"Come on Steve, how do I fix it?"
Ahh, the game was up.
So, I told him the secret, tried and true method that has always pulled me through—Remove the battery, wait a minute, then put the battery back in.
He tried it and everything went back to working order. Anytime I lock up a digicam, this trick seems to get it back up and running. So, for occasional lockups, keep it in mind.
**********************************************

This is a nifty one also from Worldstart.  I'll bet even the advanced 'puter Geeks among us haven't considered this approach to sending.  We would just right mouse click and go through the exercise of typing an address or going to the Address Book for an address.  I'm making a folder in the Bookmarks and Favorites for these shortcuts to sending URLs and mail from the browser. (Mike)
Email Addresses as Favorites/Bookmarks.
Have you ever been surfing the web and had a sudden urge to send an e-mail to someone? Maybe you just stumbled upon a really cool page or some awesome information that you just gotta share.
Whatever the reason, wouldn't it be cool if you could compose an e-mail without launching Outlook Express, fiddling around in the address book, then finally starting the message?
Well, where there's a geek, there's a way!
Why not put the people you frequently send e-mail to on your Favorites/Bookmarks? That way, if you see something you need to tell them about while surfin', you can click their name in the Favorites/Bookmarks. Outlook Express will start a new message already addressed to them and all you need to do is put in a subject and a message. I know you're saying, “Whoa, Steve, you're getting crazy… an E-mail address as a Favorite?!?”
Well, check this out:
Web browsers aren't really designed for this trick, so you'll need to add e-mail addresses in a roundabout way:
Here's what to do with Internet Explorer (other browser instructions are below):
1. Hit the Favorites menu, Add to Favorites. Don't worry about the address, we just need to create a new favorite.

2. Now, name the favorite with the person's name. If you were going to add my address, you would type "Mike" in the description box.
3. Hit OK. Now, we need to adjust that "Mike" favorite so it points to my e-mail address and not to whatever page it's currently assigned. So, hit your Favorites menu, and right-click the "Advanced Users" favorite, then select Properties from the resulting menu.
4. A nifty little screen will pop-up. Where it says "URL," delete everything in that box and change it to: mailto:mfoust@kcnet.org
Hit OK and you're finished. Follow the same procedure for any address you want to add, just replace the "mfoust@kcnet.org" part after the "mailto:" with the proper address.
Now, for Firefox, Netscape, Mozilla, and Opera users you can also do this trick:
1. Hit Ctrl+D to bookmark the current page. Don't worry about the address, we just need to create a new bookmark.
2. Now, name the favorite with the person's name. If you were going to add my address, you would type "Mike" in the name box. You may want to create a new folder for email addresses—click the arrow next to the "Create in" box then the "New folder" button.
Give the folder a name like "Email" and click OK. Select that folder and click OK.
3. Go to Bookmarks/Manage Bookmarks and find the Email folder. Click the + next to it and you'll see the bookmark you created. Right click and choose "Properties".
4. A nifty little screen will pop-up. Where it says "Location," delete everything in that box and change it to: mailto:mfoust@kcnet.org
If you want, you can add a description.
Hit OK and you're finished. Follow the same procedure for any address you want to add, just put the proper address where "mfoust@kcnet.org" is after the "mailto:"
*************************************************

The Red X Controversy
Member Question of the Week  Submitted to CNet's Tech Question Of The Week.
Using Internet Explorer 6.2 (Windows XP SP2), on some sites, certain images and HTML sections are replaced with a red cross. The same pages are accessed without any problem with IE 6.1 (Windows 2000 SP4) with similar security settings. What's new in IE 6.2 that blocks additional objects, and what is the workaround? I already disabled the pop-up blocker with no change.
The following were chosen by the editor as good answers to the question:
It may not even be your Internet Explorer that is giving you the image problem. I found that my firewall was blocking the images from showing, it was even giving me a problem about getting to the control panel to my Web site--until I went in and changed some settings in the firewall. For a while, I even had to temporarily disable my firewall to access my control panel for my Web site. I no longer have this problem because the host made some changes that are compatible with the firewall that I use (and I imagine other types of firewalls as well). So if I were you and you are using a firewall (and I don't see why you wouldn't), check the part that controls images. You may have to lessen the security on how it shows images.
Second suggestion
There is a bit of a warning here, some of the resolution to your problem might require you to access your registry, so as always, back up a restore point and copy your registry as well for backup. Below is what Microsoft has for returning the images to the browser.
http://support.microsoft.com/default.aspx?scid=kb;en-us;283807
**************************************************

Netscape launches browser beta   By Matt Hines Staff Writer, CNET News.com  March 3, 2005
Netscape has released a public test version of a Web browser that includes antifraud technology, with hopes of challenging Microsoft's Internet Explorer browser dominance.
The company, a division of media giant Time Warner's America Online subsidiary, said Thursday that the browser, dubbed Netscape 8, will better protect people from growing online fraud threats such as phishing.
Over the last several months, the browser has been available only to a small number of individuals involved in a limited beta test. Now anyone can download the software via the company's Web site.
The beta was expected to arrive in mid-February, but the release date slipped so that the company could fix some bugs in the software, according to Netscape. The product will remain in test mode for at least several more weeks. No date has been set for the browser's official launch, a company representative said.
Netscape once controlled approximately 80 percent of the Web browser market. But Microsoft's Internet Explorer wrested the market away and currently owns nearly 90 percent of the sector, according to most surveys.
However, IE's growing specter of security vulnerabilities has encouraged Netscape and other companies, most notably Netscape's open-source spinoff Mozilla, to make security their main selling point.
Read more about Netscape 8 and improved security.
http://news.com.com/Netscape+launches+browser+beta/2100-1032-5598291.html?part=dht&tag=ntop&tag=nl.e433
****************************************************


VIRUS AND OTHER STINKY STUFF:

THE TALLY:
Thursday, February 25 -- Thursday, March 03
According to Sophos, a leader in Anti Virus Software development, 19 new/improved viruses, which required Anti Virus upgrades, were released into cyberspace via email.
&
KCnet's anti virus program caught and "defanged" 6650 email viruses in addition to refusing 208,257 spam messages.  There were 208,887 non spam or non virus messages delivered to KCnet subscribers.

 
 
Have you updated your anti virus program lately? 
If not, may I recommend that you do it now?


Watchdog-attacking Bagle ramps up     By Dan Ilett   CNET News.com   March 1, 2005
UPDATE - A new variant of Bagle is spreading rapidly, security companies have warned.
Rather than being a mass-mailing worm, BagleDl-L is a Trojan horse that damages security applications and attempts to connect with a number of Web sites. It has been sent via spam lists to millions of addresses in the past 12 hours, said security company McAfee, which has upgraded it to a "medium" risk.
The new variant could also have boosted overall Bagle traffic, which has increased five times in the past 24 hours, e-mail security vendor Postini said Tuesday.
The attempt to disable security protection could expose systems to a variety of threats. "Any Trojan horse which turns off your antivirus or firewall can open you up to further attack, even by very old viruses," Graham Cluley, senior technology consultant for antivirus company Sophos, said in a statement.
Unlike a mass-mailing worm, the Trojan does not self-propagate, but the security companies have highlighted it because a high number of e-mails containing it have been detected.
Although the Trojan horse doesn't spread itself, the code is similar to other variants of the Bagle worm, which is why Sophos marked it a descendent of that program, Cluley said in an interview.
According to Sophos and antivirus company F-Secure, the Web sites that the new Bagle links to currently contain no malicious code. However, Trojan and worm writers have been known to add malicious code to a Web site after the initial attack has calmed down, said Craig Schmugar, a senior virus research manager for McAfee.
For this Trojan to work, a certain amount of naivete is required on the part of victims because the e-mails contain a ZIP-file attachment that must be opened to display the programs "doc_01.exe" or "prs_03.exe," which must be run manually to infect a computer.
"This Trojan horse is aiming to take advantage of people's reflex reaction when they receive an executable file via e-mail," Cluley said in a statement. "Users who want to install software on their computer should be receiving it from their IT department, not from friends at other companies or potentially dangerous spam mailings."
Variants of Bagle, which surfaced more than a year ago, continue to proliferate.
The detection of BagleDl-L comes just days after Send-Safe.com, which offered spamming tools, was kicked off Internet service provider MCI's network. Send-Safe is said to use PCs that have been compromised by Trojan horses to propagate spam.
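
A mail filter can catch the delivery method described above (a ZIP attachment whose contents are a program the recipient has to run) by looking inside the archive instead of trusting the attachment's name. The following is an added example, not part of the CNET article or any vendor's product; the extension list, the e-mail addresses and the attachment name are assumptions, and the sample message is constructed with an empty file that only borrows the "doc_01.exe" name from the article.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list of extensions Windows will run when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_sample_message():
    """Construct a harmless test e-mail with a ZIP attachment (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc_01.exe", b"")            # zero bytes, name only
        zf.writestr("readme.txt", b"constructed sample")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="attachment.zip")
    return msg.as_bytes()


def executable_members(raw_message):
    """Return [(attachment_name, member_name)] for programs inside ZIPs."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        # Identify ZIPs by content, not by file name or declared MIME type.
        if not data or not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        attachment = part.get_filename() or "<unnamed>"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            hits.append((attachment, "<unreadable archive>"))
            continue
        for name in names:
            # Windows ignores trailing dots and spaces in file names.
            cleaned = name.lower().rstrip(". ")
            if os.path.splitext(cleaned)[1] in EXECUTABLE_EXTS:
                hits.append((attachment, name))
    return hits


if __name__ == "__main__":
    for attachment, member in executable_members(build_sample_message()):
        print("BLOCK:", attachment, "contains", member)
```

Member names are readable even in password-protected ZIP files, so this check does not need to decrypt anything.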
************************************************

IF YOU SUSPECT THAT YOU HAVE A VIRUS OR IF YOU HAVE NOT SUCCESSFULLY SCANNED YOUR DRIVES FOR VIRUSES LATELY... THESE NEXT SITES ARE FOR YOU.
Free Virus scans.
Computer Associates, a reputable and reliable anti virus developer, introduced a new free program which allows anyone to do a virus scan without downloading any software or registering for an anti virus program.  You must use Internet Explorer for access to Computer Associates and to perform the scan.  This is a good one and very simple to operate.  The address is http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Trend Micro, more commonly referred to as Housecall, offers free virus scans and in most cases can fix damage done by a virus or worm that your computer may have contracted.  The program works well.  The first time one uses the free program it is necessary to download a small program. Trend Micro walks you through the process.   Then the virus scans are quite simple for each return.  Go to http://housecall.antivirus.com/  then choose the link   "Scan without registering".  Follow the directions.

You should disable any anti virus program that you have running.  If you do not have a virus program I recommend that you use one of the programs offered above first and then download and install one of the free programs listed below or install any anti virus program you have purchased.

Free Anti Virus programs for download.   Quite a few KCnet members use these programs and like them.
Be careful if you download a virus program and you already have one installed on your computer.  You need to at least disable the program already installed.

AVG Free
AVG Free Edition is the well-known anti-virus protection tool. AVG Free is available free-of-charge to home users for the life of the product! Rapid virus database updates are available for the lifetime of the product, thereby providing the high-level of detection capability that millions of users around the world trust to protect their computers. AVG Free is easy-to-use and will not slow your system down (low system resource requirements).
http://free.grisoft.com/freeweb.php/doc/2/lng/us/tpl/v5

Avast
Avast has been "anti virusing" for quite a while.  The following info comes from their download page:   Avast! Home is now free of charge for HOME users for NON-COMMERCIAL use. You can find more info here.
http://www.avast.com/eng/down_home.html
Note: This product is free for home non-commercial use after registration!
HINTS:   Click on the English Version Link and download the installation file.  Then click on the installation file and follow the directions.  You will need to return to the download page and click on the link to get the registration key.   It will be sent to you in an email after you provide some registration information.  This will give you 14 months of coverage including any updates which can be set to auto download.  You can reregister for additional free coverage at the end of the 14 months.
You will want to browse around and choose from the many options available for operation.  This process will take some time and digging.

Another good free program is:
http://www.free-av.com/
This one installs a bit easier than Avast.

Top 5 Viruses for February 18 to February 25 from Trend Micro.

   1. WORM_NETSKY.P
   2. HTML_NETSKY.P
   3. JAVA_BYTEVER.A
   4. TROJ_AGENT.AAB
   5. WORM_NETSKY.D
 
True Viruses and Warning Letters of Impending Doom.
Believe it or not, the amount of harm done by sending false computer virus alarms and letters of impending doom to your thousand closest friends can be just as damaging as the alleged virus (if it even exists!);  if you remember the story of the boy who cried wolf, you understand why.
If you think you've got the scoop on the latest new devastating virus or latest doom warning, check it out at the Web sites below before taking it on yourself to alert the world.  If the virus is as terrible as you think it is, odds are the virus fighters already know about it and -- good news here!  -- your anti virus software provider probably knows about it too and already has an update for it.
Sophos supplies this current information about actual hoaxes.  Look at them. Read about them.  If you are sent one of them, delete it.

Here are a few sites of many that can help you determine if an email is a hoax or real.

http://www.quatloos.com/
http://www.snopes.com/
http://vil.nai.com/VIL/hoaxes.asp
http://kumite.com/myths/
http://www.symantec.com/avcenter/hoax.html
http://www.scambusters.org/VirusHoaxes.html
http://www.sophos.com/virusinfo/hoaxes/
http://www.truthorfiction.com/
 
INTERESTING SITES:
Google Maps  Amanda found this site last week.   We talked about this site in the Advanced Users Class a couple of weeks ago.  A comprehensive list of map sites is included after this site description.
I know we've brought you map sites before, but now I've found one that is so useful you'll have to bookmark it. I've already used it about a dozen times to find places I need to go to or just places I want to check out.
Not only is it useful, but it is easy to use too. I highly recommend that you take the tour located at the bottom of the page. You'll find the "Take a Tour link" under the Get Directions area on the side.
These maps have great zoom capability, are draggable (just click the map with your mouse and move in the direction you desire, the map moves with your mouse), and make getting to and from places as easy as if you were looking at a street map.
To get directions somewhere, type where you are leaving from and where you want to go into the search box (under the Get Directions title). For example, for directions to Cleveland from Toledo, Ohio, type in "Toledo to Cleveland" and then click "Search".
This then brings up the route on the map as well as giving you driving directions on the side of the map. You will notice it gives you how long the drive is, as well as the option to get reverse directions so you can get home. Clicking the linked numbers in the directions gives you bullets on the map. These bullets are zoomed in to street level so you can tell before you drive it how the road is going to go. With tricky roads that is a real bonus!
This site is a real keeper! Bookmark it today!
http://maps.google.com
Other and very good map sites: (Some are very specialized, i.e. Clinton County Pa)
http://www.topozone.com/
http://terraserver.microsoft.com/
http://gismapping.clintoncountypa.com/website/parcelviewer/Run.htm
http://www.mapquest.com
http://www.mapblast.com/(kad55qz2hec2cw55ch5ypm45)/home.aspx
http://maps.yahoo.com/yahoo/
http://nationalatlas.gov/natlas/Natlasstart.asp
http://mapquest.com
http://www.expedia.com/pub/agent.dll?qscr=mmfn&&tpid=1


                  In Pennsylvania
Wayne Wert sent this one.  This is a rerun; however, the site has been updated and Clinton County has some new haunted entries.  I wonder about the basement of KCnet. Warning--Any places listed in the Haunted Places require permission to visit or investigate. Many of the places are patrolled by the authorities; trespassers will be prosecuted.
http://theshadowlands.net/places/pennsylvania.htm

Apollo 11 Digital Picture Library  Still the most extraordinary pictures ever taken!  Awesome shots on the moon, around the moon, life inside the Space RV, etc. (Each picture opens in a new window)
This Apollo 11 Image Library contains all of the pictures taken on the lunar surface by the astronauts together with pictures from pre-flight training and pictures of equipment and the flight hardware. High-resolution versions of many of the lunar surface images are included. A source for both thumbnail and low-resolution versions of the lunar surface images is a website compiled by Paul Spudis and colleagues at the Lunar and Planetary Institute in Houston.
Descriptions of the cameras, film and general contents of the various magazines used during Apollo 11 can be found in National Space Science Data Center Report NSSDC 70-06, Apollo 11 Lunar Photography, issued April 1970.
http://www.hq.nasa.gov/alsj/a11/images11.html

Look at Book  This one from Amanda.  I like this one but it does take some time.  I'm hitting on it a bit every other day. (Mike)
You will need the latest version of Flash for this site, if you don’t have it you can get it here...
http://www.macromedia.com/shockwave/download/
Now when you enter the site a new window will pop up.
What are you looking at? Well this is an art project that traveled over 60,000 miles before reaching its completion.
About Book — this gives you the rich history of how this project was started and what it was about.
View Book — take a gander at all the art in the book. Click on the individual pages to see them up close and personal.
View Exhibition — take a virtual tour of the exhibit, or view the timeline. If you choose the tour pick rooms that you want to look at and have fun checking everything out.
Artists — This is where you can find out about the artists who put this book together. Two artists in Brooklyn, NY, and two in Belfast, Ireland. Read their bios and learn all about them.
A really neat project worth exploring, enjoy!
http://www.lookatbook.com/

Having a baby..or someone close to you is having a baby?  You'll like this baby naming site.
Having a baby is easy compared to deciding on a name!
Time was, you'd have to scan a thick, overused family hand-me-down tome for selecting the baby's name.  In many cases you listen to great grandparents campaigning for those awful old family names.  After a while, the names would start to blur together.
The new way to find the perfect name is to go online. You want to access thinkbabynames. It is a good start and probably as far as you need to go. You can search under General, Name, Name Prefix, Name Suffix or Meaning.  Or, if you prefer, consider names from other countries.
This particular site also ranks the most popular baby names by year.
Lately it's been Emily for girls and Jacob for boys.  Michael is still popular.  Great Great Gram Isabella Aileena Franks will get over your non family tradition choice but you might get a bit less in the final reading.
http://www.thinkbabynames.com
