Malware Continued

This post continues the story of my PC being viciously hacked after visiting a rogue website. Every few minutes there would be a popup from a new icon in my system tray. This popup stated that Windows detected spyware on my computer. There were a couple of telltale signs that this message actually came from the malware. The popup continued to say “that it recommend [sic] that I allow it to automatically download antispyware software to prevent [sic] problems.” Usually Microsoft spells words correctly in its error messages.

I saw that a program called “brtask.exe” had been installed in my Windows system directory. And I could not delete the file. It was locked because it was in use. At first I could not get my Task Manager running because the malware was preventing me from running it. However I installed another type of Task Manager. But the process did not show up in the list of active processes.

My initial reaction was to run some antivirus software. I had an old copy of McAfee from 2007. Here was the odd thing. The McAfee software could not perform an update. It thought that I was not connected to the Internet. I suppose this was more shenanigans from the malware. I still ran my old copy of McAfee antivirus. It did the trick to get rid of the popups from the system tray. However my Google search results were still being hijacked with bogus links.

This time I turned to software I was not familiar with. I installed and ran Anti-Malware from Malwarebytes. This software also was unable to update itself. It thought my computer was not connected to the Internet. This evil malware was quite tricky. Luckily I had version 1.30 of AntiMalware, which might even be the most recent version. Running this software got rid of my Internet Explorer hijack. The version I had was free. Thanks Malwarebytes.

Regardless of the extra work this malware brought me to clean my system, I still thought it was quite an impressive piece of work. It had some tricks to ensure I could not manually eradicate it. Good thing a couple antivirus software packages were able to quarantine it. I wonder how much work went into constructing this piece of malware. And I fear the evil deeds it was secretly accomplishing when it was running on my PC. For now I am going to keep McAfee antivirus running all the time. And lucky for me, it now is able to update itself from the Internet.

Malware Ownage

This weekend I was browsing the web. I found a link for what appeared to be a juicy story. The headline was that Miley Cyrus, the actress who plays Hannah Montana, had moved in with her boyfriend. Like any chump I clicked through. I got the feeling I was in trouble when the web page never showed up, but my system started acting like it was very busy.

Here is how I knew I was definitely in trouble. I tried to bring up the Task Manager but it was grayed out. In other words, my Task Manager had been disabled. Normally I use Task Manager to kill malware executables when my system gets infected. However this ability had been stripped. At first I thought some rogue program just disabled the access from the menu. So I went to the Start Run menu, and tried to launch “TaskMgr.exe”. What I saw next was the beginning of a very long weekend. The message I received back was that the Task Manager had been disabled by my system administrator.

I figured that I was up against a pretty smart malware program that was doing who knows what with my PC. So I went to Google looking for a way to get my Task Manager running again. Google had a lot of hits on this particular subject. There was just one problem. Every time I tried to click one of the links from the Google search results, I got sent to some advertising page. It looked like the malware was hijacking my search results. That was painful.

Now I am not one to give up easily. It was a little annoying that I did not have control of my system. But I was confronted with what I would call a very smart malware program. I did notice that my Google search results had the real URLs listed at the bottom of each result. I copied and pasted the link for a page which hopefully would restore my ability to run Task Manager. Apparently the trick was to modify a certain registry entry.

I thought I had reached some level of success. My ability to run RegEdit had not been compromised. But I still could not run Task Manager even after a reboot. Then I found out the pain. This malware program was detecting that I was changing the registry entry. And it was changing the value back before I could reboot. This was indeed one smart program. It did all kinds of other damage to my system. I will continue the tale of my battle with this malware program in a future blog post. I promise you the story is filled with juicy details.
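The "certain registry entry" the post talks about is the Windows policy value DisableTaskMgr under the Policies\System key; the post does not name it, so that is background knowledge added here, not something the author wrote. The script below is an added example, not code from the original post: it reports whether that policy is set, clears it, and then watches for it being flipped back, which is exactly the reversion behaviour described above. Catching the value reappear within seconds is the evidence that something on the machine is actively re-applying it, and the timestamp gives you a window to correlate against running processes or registry audit events. The 60-second watch window and 500 ms polling interval are arbitrary choices for illustration; writing under HKLM needs an elevated prompt.

```powershell
# Added example (not from the original blog post).
# Checks, clears and watches the DisableTaskMgr policy value that blocks Task Manager.

$PolicyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Return one object per hive where the DisableTaskMgr value exists.
function Get-TaskMgrPolicy {
    foreach ($path in $PolicyPaths) {
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
            if ($null -ne $value) {
                [pscustomobject]@{ Path = $path; DisableTaskMgr = $value }
            }
        }
    }
}

# Clear the policy. Deleting the value is the same as the policy never having been set,
# which is a cleaner state than writing 0.
function Restore-TaskMgr {
    foreach ($entry in Get-TaskMgrPolicy) {
        if ($entry.DisableTaskMgr -ne 0) {
            Write-Host "Task Manager disabled via $($entry.Path); removing the value"
            Remove-ItemProperty -Path $entry.Path -Name DisableTaskMgr
        }
    }
}

# Clear the policy, then poll for it coming back. A reversion inside the window
# means a live process is re-applying it; that process is what needs to be found
# and quarantined, not just the registry value.
function Watch-TaskMgrPolicy {
    param(
        [int]$Seconds    = 60,   # arbitrary watch window for this example
        [int]$IntervalMs = 500   # arbitrary polling interval for this example
    )
    Restore-TaskMgr
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $hits = Get-TaskMgrPolicy | Where-Object { $_.DisableTaskMgr -ne 0 }
        if ($hits) {
            foreach ($h in $hits) {
                Write-Warning ("{0:o} DisableTaskMgr re-set to {1} under {2}" -f (Get-Date), $h.DisableTaskMgr, $h.Path)
            }
            # Snapshot the process list at the moment of reversion for later correlation.
            Get-Process | Sort-Object StartTime -Descending -ErrorAction SilentlyContinue |
                Select-Object -First 10 Id, ProcessName, Path, StartTime | Format-Table -AutoSize
            return $hits
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
    Write-Host "No reversion of DisableTaskMgr observed in $Seconds seconds"
}

Watch-TaskMgrPolicy -Seconds 60
```

Run it from an elevated PowerShell prompt so both hives can be read and written. If the warning fires, the recently started processes printed alongside it are the first place to look; if nothing reverts, the remaining damage (such as the hijacked search results the post describes) is coming from somewhere other than this policy value.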

Network Security Appliance

I was reading this week’s issue of Information Week magazine. There was a full page advertisement for the SonicWALL NSA 240. It was being hyped as the next generation firewall. The ad claimed it could support 600 Mbps network throughput. The proposition declared this was three times better than similarly priced competition. There were a lot of buzzwords in this advertisement. So I thought I would try to digest what the heck they were selling, and determine whether there was any substance to the claims.

The first thing I did was look to the fine print at the bottom of the page. They said their massive throughput was assuming use of their “RFDPI” engine and specialized multi-core processor. Now I did not immediately know what that means. However I assumed that meant you had to pay more for some if not all of these features.

To tell you the truth, I do not think I have heard of SonicWALL before. I did know some of the big competitors they listed like Cisco Systems, Fortinet, and Juniper Networks. The ad stated that it provided full network protection without compromising performance. It was in the sales text that I found out that NSA means Network Security Appliance in this context. That is funny. Everywhere else I thought it meant National Security Agency. Perhaps they chose this acronym on purpose to align with the real NSA.

Here is what I have gathered this box does. It performs antivirus, spyware, and other intrusion detection activities. I also decoded that RFDPI refers to Reassembly Free Deep Packet Inspection. Once again I cannot be totally sure, but I am hoping this means that they check every single byte that goes through their device. A look at their web site shows they are aligning the NSA 240 to compete against products which cost between $1000 and $2000. Unfortunately I could not find their price listed anywhere.

Well I am going to be honest here. It is going to take a while to further digest how good this box does its job. At least I found out that SonicWALL was founded in 1991, and employs over 700 people. They appear to be a real company. I am not sure, but I believe their headquarters is in Sunnyvale, CA. Shortly I shall also inspect competitor products like the FG100A, the SSG 20 Extended, the UTM-1 Edge, the X55e, and the ASA 5505. Those are great names, aren’t they? Hopefully I will learn something more about intrusion detection systems by researching this.

Linksys WRT54G Router

Recently I was reading an article from Wired on making money with open source hardware. It mentioned the Linksys WRT54G router in passing. This router was released in 2002. It was initially a $150 router. The firmware was based on Linux. You could do all kinds of tricks to turn the router into one that rivals a $1500 one. These changes include boosting the antenna power, making it a signal repeater, and creating a mesh network. The point of the article was that the hacking of this router actually boosted sales for Linksys. I was more interested in the history of these modifications. I am pretty sure I have a WRT54G myself.

First let’s look into the hardware contained in the WRT54G. It has a 200 MHz MIPS processor. Specifically it is a BCM5352E processor from Broadcom. The versions of this model come with 16 to 32 megabytes of RAM, as well as 5 to 8 megabytes of flash RAM. You have the ability to add more RAM if you like. The router actually consists of a wireless access point, a switch, and a cable/DSL interface.

The more interesting part of the WRT54G is what runs on the processor. Prior to version 5, the router ran embedded Linux. This was later replaced with the VxWorks operating system. In order to comply with the GNU GPL, Linksys released the source code.

Note that any mods to the router void its warranty. This box has been called the most hackable router. The great part is that it is easy and free to do so. Most of this starts with upgrading the firmware. And there are many open source replacements which are free such as DD-WRT, OpenWRT, and HyperWRT to name a few.

You can run custom applications and scripts if you replace the firmware. A common change is one to boost the transmit power. By default the transmission is at 28 mW. However you can modify this to be boosted almost ten times that amount. Be warned that higher transmission power may cause overheating. I have heard that levels less than 100 mW work best. Apparently there might be laws as to how high you can transmit.

Knowing all this, I want to run home and tear apart my router. I am hoping that I have the right version which runs Linux. If so, get ready for a firmware upgrade. Who knows what kind of cool programs I can write to run on my $50 router.

Keyboard Attack

I read an article from the BBC News. Some researchers found a way to read computer keyboard presses using a radio antenna. It detects the radiation from the keystrokes. It can then determine which keys were pressed. This is all supposedly possible using cheap hardware. Unfortunately the details of the hack were sparse. I imagine there will be more details posted later when they actually publish their research.

This was done by some PhD students at a security and cryptography lab. They were part of a Swiss university. It sounds like interesting research for students. It must be nice to have the time to research this stuff. The big deal is that this is yet another way that criminals might be able to snoop on what you are doing on your computer without your knowledge.

You can think of this as a hardware key logger that does not need to be physically connected to your computer. The researchers did give some tidbits of information about their research. They stated that they have 4 attack vectors in which to guess the keystrokes you are pressing. I think I want to follow this story more carefully. Any strong coder can write a secret application that logs keystrokes if this rogue application is installed on the victim’s computer. However this latest hack is describing some snooping at a distance. Nice.

Spammers Revenge

Recently I discovered a Security and Risk site. There were some nice articles there. I read one column that talked about the scams that are sent via spam email. The latest one was somebody claiming to be from a bank, and needed the reader’s account information. The spam advised the reader to contact the spammer, not their own bank. The author of this piece questioned who would be gullible enough to believe this nonsense.

The real gems from this site were contained in the user comments. One commenter said he received a doctored up VISA card picture in an email from a spammer. The person decided to entertain the spammer and contacted them. They said that they could not clearly read the information on the card. They requested that the spammer FAX an enlarged copy to a certain FAX number. The punch line was that they provided the FAX number of the local FBI office. Ownage.

I can confess that I have never responded to any of the spam sent to my many email addresses. The fact of the matter is that I just do not have time to deal with it. It all gets deleted. I like some free email accounts that filter out the spam into a junk email folder. However it might be educational to actually respond to these jokers. I might generate some funny stories of my own here.

Security Virtual Event

I got this week’s copy of Information Week magazine. There was an advertisement in it for a Security Virtual Event. This is like a conference. However it only simulates face to face interaction. The event is being held on October 23rd. It is being marketed as a gathering of the best known white hat hackers. Kevin Mitnick is presenting the keynote speech. The event is being sponsored by Information Week and Dark Reading.

To tell the truth, I have never heard of Dark Reading before. Maybe that’s one of the reasons why they are sponsoring the event – to get more exposure. A little research taught me that Dark Reading is a web site. The group that produces it is a division of CMP Technology. It was started in May 2006, and is a security web site. They analyze and report on security vulnerabilities.

The event is an online one. It is supposed to be interactive. In other words, you can participate in discussions. Some of the big topics being addressed are cybercrime, risk management, and compliance. You can network with other security professionals. There will be virtual booths staffed by security companies.

If you register for the event, you have the chance to win some prizes. Kevin Mitnick’s keynote is “The Art of Deception: The Shifting Face of Cybercrime”. That sounds a little like his first book. There are also a number of sponsors for the event. The only name that sounded familiar was Symantec. The big sponsors get 45 minute blocks during the day to present.

All of the speakers listed show their actual names. There are no hackers with eLiTe code handles presenting at this conference. I guess it is a legitimate security conference. The only difference is that the whole thing is being presented online. I hope I can get off from work that day to check it out.

Comcast Newsgroups

I got an e-mail from Comcast, which is my Internet service provider. They are dropping the availability of USENET newsgroups. I will have to arrange for newsgroups myself if I want access to them. In other words, I may have to pay a separate extra fee for this privilege.

Comcast stated that newsgroup popularity has declined. However they did admit that there are customers who do still use newsgroups. I myself do not use them as often. But I still read a couple of newsgroups occasionally. I think what Comcast is saying is that they do not want to pay for this newsgroup service.

So I am getting a decrease in the services that are being provided by Comcast. This comes on the heels of another e-mail from Comcast that stated they were going to cap total bandwidth for users. The icing on the cake was that I also got a letter from Comcast. They are raising my rates.

This is a double jeopardy that Comcast is putting on me. They are raising the rates and reducing the services. On the surface this may be good for their bottom line. However it is irking customers such as me. I guess the only way for me to respond so that Comcast notices is for me to walk.

Yes I can go with Verizon FIOS. However they probably have the same greedy policies. In some markets, you just can’t win. Time to look for a pay raise to deal with this nonsense.