Dealing with Rootkit Trojans
EDITORIAL: Dealing with Rootkit Trojans
Best of this month May 2008 
1. TOP TECH SITES AND RESOURCES
1.1 Free Spyware Scan
1.2 Disposable Email Address Services
1.3 Free Anonymous Browsing
1.4 File Extensions Explained
1.5 Google Search-As-You-Type
1.6 How to Check Out a New Program Before Installing
2. TOP FREEWARE AND SHAREWARE UTILITIES
2.1 The Best Free Browser Scrubber
2.2 How to Restore Desktop Icons
2.3 Free Tool Analyzes End User Licensing Agreements
2.4 Free Utility Identifies Download File Size
3. SECURITY PATCHES, SERVICE RELEASES AND UPDATES
3.1 Microsoft Security News
3.2 Scanning Vulnerability in Avast Virus Scanner
3.3 Is Firefox Secure?
3.4 US Govt. Backdoor in Windows Security Revisited
3.5 New Beta of Firefox 1.5
4. OTHER USEFUL STUFF
4.1 Ethernet Cable Tester for $5.95
4.2 How to Check Whether Your PC has High Speed USB Ports
4.3 Sort Algorithms Compared
4.4 Lots of GMail Usage Tips
4.5 Preventing Computer-related Neck and Shoulder Problems
4.6 Useless Waste of Time Department
5. TIP OF THE MONTH
5.1 How to Find Out If You Are Secretly Connected to the Internet
6. FREEBIE OF THE MONTH
6.1 The Best Free Instant Messaging Client

EDITORIAL: How to Deal With Trojan Rootkits
Rootkits are increasingly being used by writers of viruses, spyware, trojans and other malware to hide their unwanted programs from you and from your security products.
At the moment rootkits are not exactly common, but they are becoming more so, and this is causing concern in the computer security industry.
Rootkits are not themselves malware programs; they are programs that offer a system or technique for hiding the presence of malware programs.
They do this using a variety of clever tricks to manipulate the Windows operating system itself, the effect of which is that you cannot see the cloaked malware on your computer using normal Windows programs.
For example, you will not be able to see any malware files that are protected by a rootkit using Windows Explorer or any other common file viewer.
Nor will you be able to see any of the malware processes using Task Manager or most other process viewers.
Similarly, there will be no visible malware entries in the Windows Startup folder or other startup locations. Even a HijackThis log will show nothing.
In other words, the malware infection is totally stealthed by the rootkit from your view and from the view of most of your security software products.
Because of this stealthing, your security software may report that your PC is totally clean when in fact you are infected. That's why rootkits are so appealing to writers of malware.
Rootkit detectors are special programs designed to see through these stealthing techniques. There are several products on the market and, thankfully, most are free.
Detecting rootkits is only part of the problem. If you find one, then there is the issue of how you get rid of it. Perhaps most important of all is knowing how to avoid being infected in the first place.
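The way rootkit detectors "see through" stealthing is worth a concrete look. Most of them list the same objects twice, once through the normal Windows API that Task Manager or Explorer uses and once through a lower-level route, and then diff the two lists: anything that appears only in the low-level view has been filtered from the API view. The following is an added illustration of that comparison; it is my own code, not any detector's, the process tables and driver listings are constructed (the sizes are made up), and the "raw view" stands in for whatever low-level enumeration a real detector performs. It also separates out the opposite case, an entry present only in the API view, which is normally an object that came or went between the two snapshots rather than stealth.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    key: str     # what identifies the object: a PID, or a full file path
    label: str   # what the view reports about it: process name, file size, ...


def cross_view_diff(api_view, raw_view):
    """Diff a high-level view (what Task Manager or Explorer shows) against a
    low-level view of the same objects.

    hidden    - present only in the raw view: the classic rootkit sign.
    mismatch  - same key, different label in the two views.
    transient - present only in the API view: usually an object that came or
                went between the two snapshots, i.e. timing noise, not stealth.
    """
    api = {e.key: e for e in api_view}
    raw = {e.key: e for e in raw_view}
    hidden = [raw[k] for k in raw if k not in api]
    mismatch = [(api[k], raw[k]) for k in raw
                if k in api and api[k].label != raw[k].label]
    transient = [api[k] for k in api if k not in raw]
    return hidden, mismatch, transient


# Constructed process snapshots: PID 1920 is visible only to the raw walk,
# PID 2210 exited between the two snapshots.
API_PROCS = [Entry("4", "System"), Entry("612", "winlogon.exe"),
             Entry("1240", "explorer.exe"), Entry("1804", "firefox.exe"),
             Entry("2210", "notepad.exe")]
RAW_PROCS = [Entry("4", "System"), Entry("612", "winlogon.exe"),
             Entry("1240", "explorer.exe"), Entry("1804", "firefox.exe"),
             Entry("1920", "svchost.exe")]

# Constructed directory listings (sizes are made up): one driver file appears
# only when the directory is read below the level at which the rootkit filters.
DRIVERS = r"C:\Windows\System32\drivers"
API_FILES = [Entry(DRIVERS + r"\ntfs.sys", "574464"),
             Entry(DRIVERS + r"\tcpip.sys", "359808")]
RAW_FILES = API_FILES + [Entry(DRIVERS + r"\rk_example.sys", "12288")]


def report(name, api_view, raw_view):
    """Human-readable summary of one cross-view comparison."""
    hidden, mismatch, transient = cross_view_diff(api_view, raw_view)
    lines = [f"{name}: {len(hidden)} hidden, {len(mismatch)} mismatched, "
             f"{len(transient)} transient"]
    lines += [f"  HIDDEN    {e.key} ({e.label})" for e in hidden]
    lines += [f"  MISMATCH  {a.key}: api says {a.label!r}, raw says {r.label!r}"
              for a, r in mismatch]
    lines += [f"  TRANSIENT {e.key} ({e.label})" for e in transient]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("processes", API_PROCS, RAW_PROCS))
    print(report("drivers", API_FILES, RAW_FILES))
```

The transient bucket is the caveat a practitioner wants: a single diff taken while processes are starting and stopping will always show some noise in that direction, so a real detector takes the snapshots as close together as it can and treats only the hidden bucket as a finding.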
1.0 TOP TECH SITES AND RESOURCES
1.1 Free Spyware Scan
Trend Micro offers an excellent free online anti-virus scanner. Now they are offering a free anti-spyware scanner [1] as well. This one is not online; you have to download the 1.7MB file and then run it on your PC. It works just like McAfee's Stinger program in that there are no signature file updates, so if you want to run the program in the future you have to download the latest version of the full program once again. It's a pretty competent anti-spyware scanner and will fix any problems detected. It's well worth the download even if you are already using another anti-spyware product; two opinions are always better than one. While at the Trend Micro site, why not try their free online anti-virus scan as well? It's accessible from the same page as the spyware scanner. It will only work with Internet Explorer, but Firefox and Opera users can use this [2] version.
[1] http://housecall.trendmicro.com/
[2] http://fr.trendmicro-europe.com/consumer/products/housecall_launch.php
1.2 Disposable Email Address Services
There are sixteen different services, with brief descriptions of each, on this site.
http://www.tipmonkies.com/2005/10/04/disposable-e-mail-address-services
1.3 Free Anonymous Browsing
This site allows you to browse the web anonymously using any of 11 different anonymizing services. You can optionally disable cookies, scripts and ads as well.
http://www.space.net.au/~thomas/quickbrowse.html
1.4 File Extensions Explained
FileInfo.net provides extensive information on various file extensions and, unlike similar sites, it gives a good explanation of each type rather than a simple listing. Definitely one to bookmark.
http://www.fileinfo.net/
1.5 Google Search-As-You-Type
Don't confuse this with Google's own suggest-as-you-type [1]. This is a third party service called Inquisitor [2] that uses an AJAX front end to provide snappy Google search suggestions. Works best in Firefox and Opera. Another impressive use of AJAX.
[1] http://www.google.com/webhp?complete=1&hl=en
[2] http://www.inquisitorx.com/beta/
1.6 How to Check Out a New Program Before Installing
This little known Microsoft site [1] provides a wealth of user comments on many applications and is a valuable resource for anyone thinking of buying or installing a new program. As ever, some of the comments are well informed and valuable, others are inane. SnapFiles [2] also provides user comments on software but beware - some of these are really from vendors seeking to bolster the reputation of their products.
[1] http://www.windowsmarketplace.com/Reviews.aspx
[2] http://www.snapfiles.com/
2.0 TOP FREEWARE AND SHAREWARE UTILITIES
2.1 The Best Free Browser Scrubber
There's no doubt that when you browse the web you accumulate a huge amount of stored data. The sheer quantity is surprising; often gigabytes. A lot of this is just junk while other parts can be useful. Just what is and what isn't junk is a personal decision. That's why the flexibility to choose exactly what you want to keep or delete is a key requirement in any browser cleaning utility. It's in this area that CleanCache excels. Yes, there are a few other cleaner programs that also offer this, but when you take into account CleanCache's speed, ease of use, automation features, near-forensic thoroughness and the fact that it works with Internet Explorer, IE clones such as Avast, Firefox and Opera, then you have a clear winner in this category. Note that it requires the 26MB Microsoft .NET Framework to be installed on your PC.
Freeware, Windows 2000 and later, 1.3 MB
http://www.buttuglysoftware.com/CleanCache3.html
2.2 How to Restore Desktop Icons
Everyone knows the annoyance of having your desktop icon layout scrambled. There are lots of causes: a system glitch, booting in safe mode, Windows Explorer crashing and more. Icon Restore is a tiny free utility that solves this problem by adding two new items to your right click context menu, one to save your desktop layout and the other to restore it. What could be simpler? Freeware, all Windows versions, 281KB.
http://users.rcn.com/taylotr/icon_restore.html
2.3 Free Tool Analyzes End User Licensing Agreements
If you are one of those people who never reads EULAs when you install software, then this utility [1] may be just what you have been looking for. Just cut and paste the EULA into EULAlyzer and it will flag for your attention any areas of concern. That's pretty good and well worth the effort. BTW, check out this really funny cartoon [2] about EULAs. All Windows versions, 1.7MB.
[1] http://www.javacoolsoftware.com/eulalyzer.html
[2] http://ars.userfriendly.org/cartoons/?id=20051014
2.4 Free Utility Identifies Download File Size
It's often useful to know the size of a file before you download it, particularly if you have a slow connection or are approaching your bandwidth quota. Most folks do this by starting the download and then looking at the indicated file size in their download manager, but InternetFileSize offers a far simpler solution. It works by adding a menu item to the right click context menu. All you do is right click on a download link and InternetFileSize shows the true file size, modification date and the true download path. Freeware, Windows 98 and later, 575KB.
http://www.moveax.com/eng/content/view/7/13/
3.0 SECURITY PATCHES, SERVICE RELEASES AND UPDATES
3.1 Microsoft Security News
Several months ago, Microsoft released nine Windows updates covering 14 vulnerabilities, including three considered "critical." All three of these, if exploited, could allow someone to take control of your PC, so please ensure your computer is updated [1] ASAP.
One of these patches, MS05-51, is of particular importance. It covers four individual flaws, one of which has the potential to be exploited through a network worm. Such a worm attack is now looking certain, as proof of concept code is already circulating on the internet.
The catch is that there have been implementation problems with this particular patch. Microsoft has officially acknowledged this and has offered work-arounds [2], but claims there have only been a few isolated instances of the problem. Whatever the case, it puts sysadmins in a difficult position: patch and risk bringing down the system, or don't patch and risk getting attacked by a worm.
Full details of all patches can be found at the third link below.
[1] http://windowsupdate.microsoft.com/
[2] http://support.microsoft.com/kb/909444
[3] http://go.microsoft.com/fwlink/?LinkId=54789
3.2 Scanning Vulnerability in Avast Virus Scanner
Secunia is carrying a report of a flaw in the Avast anti-virus scan engine "which can be exploited by malware to bypass certain scanning functionality. The weakness is caused by an error in parsing certain malformed archives and can be exploited via a specially crafted archive with additional characters pre-pended to the header. Such malformed archives can be correctly extracted by some archiving software. Successful exploitation allows malware packed in malformed archives to pass the email anti-virus scanning gateway undetected." No fix is currently available from Avast, so in the interim it is recommended that Avast users unpack all archives and scan the contained files rather than execute files directly from within archives.
http://secunia.com/advisories/17126/
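The root of the advisory is a mismatch: the scanner gives up on an archive that the extractor is still happy to open, so whatever is inside never gets scanned. The following added example (my own code, not Avast's or Secunia's) shows that mismatch in miniature. It builds a ZIP archive in memory, prepends junk bytes in front of the header, and compares a brittle check that insists the local file header sit at offset 0 with a parse that locates the archive the way extractors do, from the end-of-central-directory record at the tail of the file; Python's own zipfile module works the second way. The archive member and the junk prefix are constructed.

```python
import io
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # signature of a ZIP local file header


def build_sample_archive() -> bytes:
    """Build a one-member ZIP in memory (constructed sample content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample member\n")
    return buf.getvalue()


def prepend_junk(archive: bytes, junk: bytes = b"JUNK-BEFORE-HEADER") -> bytes:
    """Return the archive with extra bytes in front of the header, the
    malformation the advisory describes."""
    return junk + archive


def naive_is_zip(data: bytes) -> bool:
    """Brittle check: only accepts archives whose local header is at offset 0.
    A scanner built this way treats the malformed archive as 'not an archive'
    and never looks inside it."""
    return data.startswith(LOCAL_HEADER_SIG)


def robust_is_zip(data: bytes) -> bool:
    """zipfile.is_zipfile searches backwards for the end-of-central-directory
    record, so leading junk does not stop it recognising the archive."""
    return zipfile.is_zipfile(io.BytesIO(data))


def list_members(data: bytes) -> dict:
    """Parse the archive the way an extractor would and return every member's
    decompressed bytes, which is what a scanner should be inspecting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def scanner_agrees_with_extractor(data: bytes) -> bool:
    """The property a gateway scanner has to maintain: if the extractor can
    open it, the scanner must be able to open it too."""
    return naive_is_zip(data) == robust_is_zip(data)


if __name__ == "__main__":
    clean = build_sample_archive()
    malformed = prepend_junk(clean)
    for label, blob in (("clean", clean), ("prepended", malformed)):
        print(label, "naive:", naive_is_zip(blob), "robust:", robust_is_zip(blob),
              "members:", list(list_members(blob)))
```

The takeaway for anyone writing or tuning a gateway scanner is the last function: the scanner's notion of "is this an archive" must be at least as permissive as that of every extractor the recipients might run, or the gap becomes a bypass. The interim advice in the item above, unpack first and scan the extracted files, is the manual version of the same principle.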
3.3 Is Firefox Secure?
With all the recent Firefox security patches, a lot of users are asking whether Firefox can still be considered more secure than Internet Explorer. The answer is an unequivocal yes. Two main factors contribute to this. First, FF does not support ActiveX, one of the major sources of malware infection for Internet Explorer users. Second, Mozilla fixes newly reported vulnerabilities in FF really quickly, often within hours, while in contrast Microsoft takes many months. Consequently, there are virtually no exploits circulating on the internet for FF while there are dozens for IE. In fact, I have never myself seen a circulating FF exploit, while I encounter IE exploits daily. Case closed; FF is way safer than IE. Yes, there have been a lot of FF security patches and yes, there will be more. That's to be expected for a product whose source code is publicly available. But all those patches are a good sign; they tell you that Mozilla is at work fixing potential problems. It's not the patches you should worry about, folks, it's the number of reported but unpatched flaws. If you use IE, depress yourself by checking out Secunia's list of IE's outstanding unpatched flaws, 20 at last count and rising.
http://secunia.com/product/11/
3.4 US Govt Backdoor in Windows Security Revisited (Recommended to read)
An article at StumbleUpon mentioned that at the time MS denied it outright and claimed the researcher had jumped to the wrong conclusion. Does anyone know how this was finally resolved? In any case, in these terrorism-dominated times it makes very interesting reading.
http://www.heise.de/tp/r4/artikel/5/5263/1.html
3.5 New Release of Firefox 1.5
The second beta of Firefox V1.5 is available, though it's not recommended that you download it unless you are willing to live with a few bugs; as they say, "beta" stands for "broken." The full release is considerably faster than V1.07 when browsing back and forth between sites, has improved rendering and a much better system for handling extensions and updates.
http://www.mozilla.org/projects/firefox/
----------------- sponsored links -----------------------
The Best Windows Backup Software
We are in the process of updating all the backup reviews at our site, but the top product has blitzed the field for a second year in a row. In fact, it's improved so much that it's now a one horse race for our "editor's choice." The updated review of the top product is now online. If you have been looking for a backup program, this is the one.
http://www.backup-software-reviews.com/
The Best SpyWare Detector
If you use Ad-aware or SpyBot you will be surprised just how much more effectively SpySweeper detects and protects your PC from Adware, Spyware, Trojans and other malicious products. That's why it won the prized "Editor's Choice" award in PC Magazine's massive January 2005 survey of anti-Spyware products. Try the free evaluation copy of the new Version 4 and see for yourself.
http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=1132
The Best Remote Access Software
Our reviewer had given this product category away as "too slow, too clumsy and too unreliable," but after reviewing this product he's changed his mind: "at long last a remote access solution that actually works!" Quite frankly we agree with him; it's an impressive product. Read the full review here:
http://www.pcsupportadvisor.com/best_remote_access_software.htm
The Best Anti-trojan Scanner
Most users are not aware that their anti-virus scanner can only provide a moderate level of protection against trojan programs that try to take control of your PC. To really protect your computer, you need a dedicated anti-trojan program. Our editors have reviewed every major product on the market and have concluded that two scanners stand head and shoulders above the other contenders.
http://www.anti-trojan-software-reviews.com
------------- end of sponsored links --------------------------
4.0 OTHER USEFUL STUFF
4.1 Ethernet Cable Tester for $5.95
How neat: an RJ45 cable tester that fits on your keychain at a ridiculously low price. It checks for both broken and shorted wires and even handles both male and female plugs and sockets.
http://smartronix.com/smx_products/index.cfm?fuseaction=product.display&Product_ID=85
4.2 How to Check Whether Your PC has High Speed USB Ports
This is a question I get asked regularly by users. Finally, a document shows how to do it.
http://www.usbman.com/Guides/checking_for_usb_2.htm
4.3 Sort Algorithms Compared
At this site they have animated displays of 17 different sort techniques in operation.
http://cg.scs.carleton.ca/~morin/misc/sortalg/
4.4 Lots of GMail Usage Tips
42 tips at last count. A great resource for all Gmail users.
http://g04.com/misc/GmailTipsComplete.html
4.5 Preventing Computer-related Neck and Shoulder Problems
Anyone who uses a computer for long periods is at risk of developing these problems. I certainly did. This article shows you how to solve the problem. I hope it works for you.
http://www.techsupportalert.com/neck-problems.htm
4.6 Useless Waste of Time Department
This is a well-known site that is always rewarding to re-visit. Dr. David G. Alciatore at Colorado State University has this amazing collection of slow motion videos of everyday events. Among the many fascinating clips, you must check out the computer hard drive video. It will leave you wondering how these things manage to work at all.
http://www.engr.colostate.edu/~dga/high_speed_video/
5.0 TIP OF THE MONTH
5.1 How to Find Out If You Are Secretly Connected to the Internet
One of the most unnerving computer experiences is to notice sudden, unexpected internet activity from your PC when you're not using the internet at the time.
It can be brought to your attention in several ways; for example, the lights on your modem might start blinking furiously, your firewall may indicate internet activity, or your download/upload monitor could show that a lot of information is being received or transmitted.
If that happens to you, the first thought that goes through your mind is that a malware program may be "phoning home" to some remote PC, divulging all your personal information.
Now this is unlikely on my PC because it is well protected, but I know enough about security to know that it's possible. So whenever this happens I immediately investigate what's going on. So should you; in the following paragraphs I'll show you how.
When you are connected to the internet you are not connected at one point but at multiple points. These different points are called ports. Data can flow in and out of each of these ports. It's a bit like the way flies get into your house. They can get in (or out) through the front door, the back door, the windows or the chimney. These openings in your house are just like the ports in your computer.
There can be up to 65000 ports on your computer but normally these are shut. When you start a program that connects to the internet, such as your web browser, that program opens one or more ports to make the connection.
So when your computer shows signs of unexpected internet activity, what you need to do is track down which ports are open and then identify the programs that opened those ports.
There's a whole class of utilities called port enumerators that will do this job for you. In fact, there are more than a dozen such programs currently available. Additionally, many firewalls and most anti-trojan programs have built-in port enumerators, though these are often quite basic.
Of all these products, two are outstanding:
My favorite free port enumerator is called CurrPorts from EH_Soft. It works best with Windows 2000 and later, though Windows 98 users can still use the product with less information displayed.
CurrPorts, like all port enumerators, shows all the ports that are currently open on your PC. It also shows you the process that opened each port and the time the port was opened. Most importantly, it flags any suspicious ports in pink.
Now "suspicious" here just means worth checking. However, this flagging makes the job of interpreting results much easier for less experienced users.
CurrPorts also allows you to track down the remote site a particular port is connected to. If it's somewhere like North Korea, China or Romania you have a problem.
If you do have a problem, CurrPorts allows you to immediately shut down that port. That reduces the potential damage but of course doesn't solve the problem. To do that you need to find the malware program responsible.
How you do that is, unfortunately, beyond the scope of this article. As a quick guide I suggest you download HijackThis from the link below and follow the instructions on the same page on how to paste the output to the Tom Coyote web forums.
http://www.tomcoyote.org/hjt/
The folks on the forum should be able to help you permanently get rid of the problem, and it won't cost you a cent either.
CurrPorts is a great product but it has one weakness: it doesn't tell you the amount of data flowing in and out of the open ports on your computer.
This is a really important piece of information when you are trying to track down sudden unexplained internet activity. There may be dozens of open ports on your PC, but what you want to know is which ones are currently being used to transmit or receive data.
I couldn't find any free port enumerator that provides this information, but there are two shareware products that do: Port Explorer from Diamond Computer and TCPView Pro from SysInternals.
Port Explorer is the standout pick. It works with all versions of Windows and a home license is $29.95. Simply put, it's the best port enumerator I have ever used. Port Explorer does pretty well everything that CurrPorts does and more. It combines ease of use with great power, a rare quality in technical utilities.
In this context its greatest ability is to show, for each open port, the amount of information being transmitted and received. The display can even be sorted on this criterion so the ports moving the most data appear at the top. This makes identification of the culprit program really easy.
Once the cause of the internet activity has been identified, Port Explorer provides a whole raft of tools to help you identify the remote computer using the port. It even includes a packet sniffer so you can see what information is being transmitted.
Both Port Explorer and CurrPorts can provide you with the information you need to identify the cause of unexpected internet activity. I suggest you check out both and go with the program that best suits your needs. Whatever you choose, every experienced user should have a port enumerator installed on their PC ready and waiting to track down those mystery internet connections. You may only occasionally require such a product, but it's a great comfort to have one on hand when you really need it.
CurrPorts: http://www.edmond-hakmeh.com/utilities and hacking tools/utils/cports.html/
Port Explorer: http://www.diamondcs.com.au/portexplorer/
NOTE: No standard port enumerator can detect open ports that have been stealthed by rootkits. To detect these you need a specialist rootkit detector. For more information see this month's Editorial.
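Whichever enumerator you use, the triage described above is the same three steps: list each open port with its owning process and remote peer, flag the ones worth checking, and sort by traffic so the connection moving the most data comes first. The following is an added example of that logic in code; it is mine, not CurrPorts' or Port Explorer's. The connection records are constructed in the style of an enumerator's listing, the private address ranges used to decide what counts as a local peer and the list of common service ports are my own assumptions, and "flagged" means exactly what the article says "suspicious" means: worth a look, not proven malicious.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Conn:
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int      # 0 means the socket is listening, no peer yet
    pid: int
    process: str          # "" when the enumerator could not resolve the owner
    bytes_in: int
    bytes_out: int


# Constructed records in the style of a port enumerator's listing.
SAMPLE = [
    Conn("TCP", 49152, "203.0.113.10", 443, 1804, "firefox.exe", 1_200_000, 45_000),
    Conn("TCP", 49153, "203.0.113.10", 443, 1804, "firefox.exe", 310_000, 12_000),
    Conn("TCP", 49160, "192.168.1.20", 445, 4, "System", 8_000, 6_000),
    Conn("UDP", 49171, "192.168.1.1", 53, 1240, "explorer.exe", 900, 300),
    Conn("TCP", 49180, "198.51.100.77", 6667, 2048, "", 20_000, 5_400_000),
    Conn("TCP", 135, "0.0.0.0", 0, 808, "svchost.exe", 0, 0),
]

# Assumptions: which peers are "inside the house" and which remote ports are
# ordinary enough not to be worth a second look on their own.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
COMMON_SERVICE_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


def is_listening(c: Conn) -> bool:
    return c.remote_port == 0


def is_local_peer(ip: str) -> bool:
    addr = ip_address(ip)
    return addr.is_unspecified or any(addr in net for net in LOCAL_NETS)


def reasons(c: Conn) -> list:
    """Why a connection is worth checking. An empty list means nothing stood out."""
    out = []
    if is_listening(c):
        return out
    if not c.process:
        out.append("owner process unknown")
    if not is_local_peer(c.remote_ip) and c.remote_port not in COMMON_SERVICE_PORTS:
        out.append(f"unusual remote port {c.remote_port}")
    total = c.bytes_in + c.bytes_out
    if total and c.bytes_out > 0.8 * total:
        out.append("upload-heavy")       # sending far more than receiving
    return out


def rank_by_traffic(conns):
    """Busiest connection first, the Port Explorer sort the article praises."""
    return sorted(conns, key=lambda c: c.bytes_in + c.bytes_out, reverse=True)


def triage(conns):
    """Return (connection, reasons) for every flagged connection, busiest first."""
    flagged = []
    for c in rank_by_traffic(conns):
        why = reasons(c)
        if why:
            flagged.append((c, why))
    return flagged


if __name__ == "__main__":
    for c, why in triage(SAMPLE):
        print(f"pid {c.pid:>5} {c.process or '?':<14} -> {c.remote_ip}:{c.remote_port} "
              f"in={c.bytes_in} out={c.bytes_out}  {'; '.join(why)}")
```

Run against the sample, only the connection with no resolvable owner, an odd remote port and a lopsided upload count is reported, and it also sorts to the top on traffic; the browser's two HTTPS sessions, the file-sharing and DNS traffic on the local network, and the listening RPC socket all stay quiet. That is the same picture the article describes getting from Port Explorer's sorted display, with the flagging rules written down so they can be argued with.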
6.0 FREEBIE OF THE MONTH
6.1 The Best Free Instant Messaging Client
One way to talk with people on
each one of these networks is to open an account for each and
then download and install each IM client on your computer.
However, running four different IM applications on your computer
uses a lot of system resources, is difficult to manage, and
broadens your attack surface. Therefore, I would recommend using
a multi-protocol IM client. These applications not only allow
you to connect to multiple IM networks, but they are also
advertisement free, more secure, and have features that allow
you to easily manage your various IM accounts.
Trillian Basic is a
great application and supports the AIM, ICQ, IRC, MSN, and Yahoo
networks. However, during this evaluation, I have decided that
IM2 Messenger [2] is slightly better than Trillian Basic if you
only need to connect to the aforementioned IM networks. Its
interface is much cleaner and easier to use and it supports
video messaging (in addition to text and voice messaging). Now,
if you're a power user and want support for more networks and
the ability to add features via plug-ins, then definitely check
out Miranda Instant Messenger [3]. In addition to the networks
supported by IM2, it has native support for Gadu-Gadu and Jabber
(it also will connect to the Google Talk [1] network with a
little plug-in tweaking!). Its interface is minimalist, but the
application is very extensible through the use of plug-ins.
[1] http://talk.google.com/ Windows 2000 and XP, 900 KB
[2] http://www.im2.com/ Windows 98 and later, 2.9 MB
[3] http://www.miranda-im.org/ Windows 95 and later, 943 KB+