Monday, January 29, 2007

Underground Economies

I just read an interesting article [pdf] from a recent issue of the
USENIX magazine ;login:. It begins with an important figure: $336 million
was lost to online fraud in the US last year. In a recent case, a
Michigan treasurer fell victim to a 419 scam and lost county funds!

Keep in mind that the above figure is likely an underestimate.
Identity theft (and similar online crime) is especially strong in
countries where computer skills are high and good job opportunities
are few. And what is being done about this problem by credit card
companies, ISPs, the government, etc.? "Not much," according
to the two Team Cymru authors. If predictions are correct, and
I believe they are, these underground economies should experience
a boom in 2007.

This reminds me of a telemarketing call I recently got. It was from
my bank. A sales rep droned on and refused to let me say anything.
It was obvious that he was just reading a script. First, he told me
about the growing threat of identity theft. Then, he said that for a
low monthly fee, my bank would take steps to ensure that my
information (including my social security number) would be safe.
So I have to pay extra money to have my info guarded? Shouldn't
every possible safeguard be standard for a company I entrust
with my personal information (and money!)? Where is the funding,
or even a plan, to troubleshoot this situation? [It's likely that my
bank's protection does nothing more than take my money. Oh,
and I hung up on the sales rep.]

Another example related to this "underground economy":
I've recently quoted HolyFather, writer of the HackerDefender
rootkit. In an interview, he talked about how he has done
freelance programming for people who needed various kinds
of malware.

"IDG News: Did you code viruses or Trojans previously? Do
you do other kinds of software development?

HF: I code (mostly) security stuff. I can code Trojans, viruses,
whatever. But I have never coded a virus or Trojan for me. It
was always commercial stuff.

IDG News: Could you explain that more? Commercial for who
or what?

HF: I'm the coder. This means (people) hire me to code something.
I do accept or I do refuse (their) job offers; security stuff (including
trojans/virus/spyware) is what I can code and usually do not refuse
to make. For who? Who needs and pays."

Microunits & Macroresults

For years, I used the Windows Defragmenter, thinking that
other defrag software had minimal benefits over it. Upon
using a program called UltimateDefrag, I must say that I was

Here's a brief outline of how it works. If you're still confused,
check out the site, which has an excellent explanation.
Your hard disk is basically a circle filled with little clusters that
store data. There is an arm that spins around the disk to retrieve
the data. Data in the outer portion of the disk is retrieved
significantly faster than data on the inner portion.
This program allows you to specify which programs/files
you'd like to put in that outer portion of your hard drive. This
yields large speed increases (you just have to know where
all the files for a particular program are located).

You can download a fully functional 7-day trial if you'd like.
Use the method described: label certain program folders as
important so they will be written to the outer section of the
hard disk. No more Firefox startup delays!

P2P Bonanza

After trying out countless crap software on several fresh
installs of Windows XP, here are my favorite p2p clients.

I'll omit the obvious examples [namely: azureus, utorrent,
bitcomet, bittornado, etc.] and link to a few excellent, lesser
known clients.

Direct Connect Network:
This network allows you to connect to 'hubs' that cater to
your interests. Many of the quality hubs have requirements
to join, like sharing a certain amount of files. These clients
allow for speed boosts and downloading from multiple sources.
Personally, I prefer Strong DC++ because you can tinker with
its settings to increase download speed.
- Strong DC++
- DC++

eDonkey Network:
Big file selection, and you can reach pretty good speeds on it.
- eMule Plus

Encrypted Friend-to-Friend Network:
It's likely that we'll see many more losses for 'free' file sharing
in the future. I believe that encrypted-transfer, friend-to-friend
(f2f) networks will become more and more common because of
this. See the f2f Wikipedia entry for more info.
- WASTE (also allows for encrypted instant messaging)

FastTrack Network:
If you still use Kazaa, a removal tool exists for it. Replace it with
an adware-free version which includes faster download speeds
and lots of handy tools.
- Kazaa Lite Resurrection

Gnutella Network:
I'm not a big fan of the Gnutella network, but if you're still
using LimeWire or BearShare, it's time you learned. Get
yourself some quality, malware-free Gnutella clients. Just
make sure to uninstall the old ones and do a malware scan.
- Shareaza
- Phex

SLSK Network:
Soulseek - OK, it's the only client for this network. But it
has an amazing selection of music (even very obscure artists).
Make sure to get version 156c, not 158.

Sunday, January 28, 2007

The College Life Is The Life For Me

For those at university: a complement to my previous post.

"Comprehensive statistics on computer break-ins at
do not exist. But in the first six months of this year alone,
there were at least 29 security failures at colleges nationwide,
jeopardizing the records of 845,000 people. Both private and
public institutions have been hit."

"Personal information on 800,000 students, alumni
and others is exposed. Attacks lasted a year, the school

[possibly including social security numbers]

I wonder what sort of encryption they had for this
sensitive data. The article provides another example
of a breach, though it was different in cause.

"...a hacker at San Diego State used an outdated computer
network in the drama department to find a way into the
financial aid system. The Social Security numbers of more
than 200,000 people were exposed."

Everybody likes words with 'Crypt-' in them

Cryptobiont, cryptozoology, etc.

Recently, a friend and I had a debate: he insisted that if the
government had the need, it could decrypt any data, that
nothing was fully secure. While I had to concede the second
part, I didn't entirely agree with the first.

If I had some data and used the 63 KB application Bcrypt to
encrypt it (using a very strong 56-character password), it's
doubtful that the file could be decrypted. Maybe partially,
but secure passwords can go a long way if you have good
encryption algorithms. Bcrypt provides 448-bit encryption!
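A worked check on that figure, added here and not part of the original post: a cipher's key length is only an upper bound, because a key derived from a typed password carries no more entropy than the password itself. Assuming the password is chosen uniformly at random from an alphabet of N symbols, a password of length L gives

\[
H = L \log_2 N \text{ bits.}
\]

For the 56-character password above:

\[
N = 95 \;(\text{printable ASCII}): \quad H \approx 56 \times 6.57 \approx 368 \text{ bits}
\]
\[
N = 26 \;(\text{lowercase letters only}): \quad H \approx 56 \times 4.70 \approx 263 \text{ bits}
\]
\[
N = 256 \;(\text{56 random bytes}): \quad H = 56 \times 8 = 448 \text{ bits}
\]

Only a 56-byte random key actually fills the 448 bits the post cites; a typed password of printable characters gives about 368 bits. Both are far beyond any brute-force search, so the conclusion stands, but the gap matters when the password is shorter or follows a pattern, since a guessing attack then has far fewer than \(2^{448}\) candidates to try.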

"There are two kinds of cryptography in this world:
cryptography that will stop your kid sister from reading
your files, and cryptography that will stop major
governments from reading your files. This book is
about the latter."
-- Preface to Applied Cryptography by Bruce Schneier

On a (very) slightly related note, I happened across an
interesting article that talks about how US government
websites are constantly hacked. For example, 19 sites
were hacked in the last 27 days.

What's in a name?

The makers of the excellent program RootkitUnhooker recently
released an anti-rootkit test file. Apparently, it will bypass most
modern anti-rootkiters, showing how "useless/helpless/out-of-dated
antirootkit software" [is]. It even eludes their own anti-rootkit

Partial description of Unreal.A:
"1. We are using NTFS ADS (that's bypasses DarkSpy, IceSword).

2. ADS attach to root directory of disk C: (that automatically
bypass GMER, RootkitRevealer).

3. driver set up itself as File System Filter and filters some IRP's,
bypasses all other antirootkit thats using RAW reading (BlackLight,
Rootkit Unhooker etc).

Unreal.A contains specific code for AVG Antirootkit and AVZ
Antirootkit Module. Specific code was done because both of these
products using monitoring dirty-tricks based on Notify Routines
which are not a detection at all. Unreal.A do search for antirootkit
device (using DeviceObjects lists) and when it's found rootkit do
IoDeleteDevice, so antirootkit can't anymore communicate with
kernel part. Unfortunately as shows some tests of independent
people this part of Unreal.A are little buggy, sometimes AVG/AVZ
can show (with help of Notify of course) hidden driver.

As I said before idea is not new, but we do not found any others
ready for use rootkits, so we decide to create this special demo to
show how in reality useless/helpless/out-of-dated antirootkit
software and of course for our internal testings."

Download the demo off their site if you'd like to test it.

The case of the 'Two Collectors'

My personal record for malware found on a computer is ~400.
This person, however, shattered it with only a virus scan.

On a related note, this guy took his old Dell Desktop and
purposely infected it with as much malware as he could,
visiting the shadiest websites he could find. He then
brought it in to GeekSquad to see what they would say...

Saturday, January 27, 2007

Certified Shmalware Expert

Someone at the SANS Institute (the security training organization)
recently posted the following in their newsletter:

"Does anyone on your staff do an excellent job of cleaning
out PCs that have been infected by spyware and other
malicious software? We are just starting development of
a new certification (and related training) for Certified
Malware Removal Experts and we are looking for a
council of 30 people who have done a lot of it to help vet
the skills and knowledge required for the certification exam
and classes."

First off, it is often impossible to undo all the changes made
by certain malware, particularly trojans and rootkits. Since
you often do not have full information about the attack, you cannot
know which of many possible ways the system was compromised.
Often, reinstalling the program/OS is the best solution.
Although hours of painstakingly tedious analysis could address
this concern, most businesses/individuals would simply want
the problem fixed ASAP.

I recently came across a malware cleaning toolkit (yes, it is
malware free). While I would include more decompilers, Snort,
and the SIS Analysis Toolkit (just a brief list) in my version of
this disc, will I really be able to fully disinfect a compromised
system? It would be very tough [see this article for more info].

My second concern is how this certification program will
be executed. Will it genuinely be for experts in the field,
or yet another certification anyone who knows the basics
of computing can obtain? How much networking, rootkit,
trojan, programming, etc. knowledge will be required to
be "official"? Probably not too much.

The Caffeine Collection

Caffeine is showing up in many unlikely products lately.
Let's take a look at just a handful of examples:

- Water Joe - Caffeinated water. This has been around for
a long time, even before the energy drink craze kicked in.

- Octane Energy Gel - Morning showers can be very refreshing,
especially if you absorb a megadose of caffeine through your

- Spazzstick - An Alaskan police officer wanted unchapped lips
and an easy buzz.

- Buzz Donuts - A scientist develops a way to add caffeine to
baked goods without the bitter taste.

Still not buzzed? Check out these great collections of caffeinated
& energy drink reviews.

*For the caffeine-sensitive: I recommend a guarana-only
beverage/candy. Guarana is an Amazonian berry with a
natural caffeine content. It gives you a less jittery buzz
and seems to have health benefits (particularly for the liver).
Check out this study!
"The findings suggest that the effects cannot be attributed
to caffeine alone." [referring to the cognitive improvements
from guarana ingestion]

Efficient German Sex

While writing my post about Symantec, I thought of a few other
bloated programs that many people still use. In fact, many do
not realize that excellent alternatives exist. A few examples:

1. iTunes - Most people use this for their iPods. Apple QuickTime
is needed for iTunes to work, and it is painfully slow. Imagine a
brand new 2.3 GHz desktop lagging constantly - I'd be pissed. Not
only is there an alternative to QuickTime, but several very
efficient iPod alternatives. [I don't believe you need QuickTime
for the following programs, but you do need the official QuickTime
software for iTunes to work]

Anapod & Yamipod

2. Nero - One of the best programs for burning has been getting
quite chubby. Version 6 was tolerable, but 7 has been pretty slow.
You can either download an older version from the above link, or
choose an alternative. If you want all the features without the bloat,
get Alcohol 120% (shareware). If you want a free alternative,
download DeepBurner.

3. Adobe Acrobat - Another program that gets more bloat with
each release. To be sure, a speedup application exists. However,
why even use it when you can get all the features in a 1.6 MB Foxit file?
If you want a standalone application, Coolpdfreader works.

4. Windows Media Player - The newer version of this program can
be slow, especially on older systems. An excellent alternative is
VLC player. No codecs needed, as it supports most formats.
Alternately, you can use the modified version of Windows Media
Player Classic which is included in this wonderful codec pack.

If you want more quality freeware alternatives to commonly
used programs, check out this site.

How do I destroy Babylon?

Among nerds interested in malware, rootkits are all the rage.
Not only for those who want to detect and analyze, but those
who want to write them. A recent article gives us a detailed
review of 6 rootkit detectors. Whose product best detects
stealth malware? An AV company's, or an independent
programmer's? [It's too bad GMER and Darkspy weren't

For the reader who isn't tech savvy: meet the malicious rootkit.
A magical program that hides itself on a computer and allows an
attacker full access to a machine. It often bypasses Anti-Virus,
Anti-Spyware, and Firewall programs. There is no process visible
in Task Manager, and you need some special tools to find this
malware. An example: you may recall a scandal resulting from
Sony secretly adding rootkits to over 4 million CDs.
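Those "special tools" mostly work by cross-view comparison: enumerate what the documented API reports (the view Task Manager gets), enumerate the same objects through a lower-level path (raw kernel structures or a raw disk read), and flag anything the low-level view sees that the high-level view omits. The following is an added example written for this post, not code from the post or from any of the detectors it names; the process lists are constructed, and every name and PID in them is invented. It also shows the one refinement a practitioner wants: a process that exits between the two enumerations produces a one-off discrepancy, so a hidden object is only reported when it is missing from the high-level view across repeated snapshots.

```python
"""Cross-view process detection on constructed data (added example).

Each snapshot pairs a "high-level" view (documented API, what Task Manager
sees) with a "low-level" view (raw scan) taken at about the same time.
Entries present only in the low-level view are candidate hidden processes.
Requiring the discrepancy to repeat across snapshots filters out processes
that simply exited between the two enumerations. Nothing here touches a
real system; all lists are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


# One snapshot = (high-level view, low-level view).
Snapshot = tuple[frozenset[Proc], frozenset[Proc]]


def discrepancies(high: Iterable[Proc], low: Iterable[Proc]) -> set[Proc]:
    """Processes the low-level view sees that the high-level view does not."""
    return set(low) - set(high)


def persistent_hidden(snapshots: list[Snapshot], min_hits: int) -> set[Proc]:
    """Return processes hidden from the high-level view in >= min_hits snapshots.

    A process that exits mid-snapshot is a one-off discrepancy; a genuinely
    hidden process is missing from the high-level view every time it is seen
    in the low-level view.
    """
    hits: dict[Proc, int] = {}
    for high, low in snapshots:
        for p in discrepancies(high, low):
            hits[p] = hits.get(p, 0) + 1
    return {p for p, n in hits.items() if n >= min_hits}


# --- constructed sample data (invented names and PIDs) ---
BASE = {Proc(4, "System"), Proc(600, "csrss.exe"), Proc(1200, "explorer.exe")}
HIDDEN = Proc(1337, "hidden.exe")        # constructed: never shown by the API view
TRANSIENT = Proc(2048, "setup_tmp.exe")  # constructed: exited between enumerations

SAMPLE_SNAPSHOTS: list[Snapshot] = [
    # first snapshot: the transient process is caught by the raw scan only
    (frozenset(BASE), frozenset(BASE | {HIDDEN, TRANSIENT})),
    (frozenset(BASE), frozenset(BASE | {HIDDEN})),
    (frozenset(BASE), frozenset(BASE | {HIDDEN})),
]


def demo() -> set[Proc]:
    """Hidden processes that are missing from the API view in all three snapshots."""
    return persistent_hidden(SAMPLE_SNAPSHOTS, min_hits=len(SAMPLE_SNAPSHOTS))


if __name__ == "__main__":
    for p in sorted(demo(), key=lambda x: x.pid):
        print(f"possible hidden process: pid={p.pid} name={p.name}")
```

With `min_hits` set to the number of snapshots, only the constructed `hidden.exe` is reported; lowering it to 1 also reports the transient process, which is exactly the false positive the repeat-sampling rule is there to suppress.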

*Some programs legitimately make use of rootkit technology (for
example, a firewall that wants to prevent itself from being shut down
by malware must protect itself by hiding). Outpost, Daemon Tools,
and Alcohol 120% are some examples of programs that use rootkit
technology in a non-malicious way.

What kind of a human being would purposely create such devious
software? Holyfather, author of HackerDefender, one of the most
common and well-known NT rootkits, addresses this quite well:

" might find something strange on the behaviour of
and other security companies that develop products to save people
from the threats of rootkits. They sell the fake sense of security but
they do not bring the real security to your computer. Yes, they will
protect you against widespread threats like destructive worms but
this is not the real danger for users. The real danger are pointed
attacks where private tools are used. These tools uses the same
methods as our tools but are not detected because security companies
have no chance to download them and add those few bytes in their
database. And because they catch only tools they know and do not
solve the cause attackers will succeed with their tools. This attitude
brings money to security companies because their users still
upgrades and buy new versions of their products and so this is why
these security companies don't want to change the situation. We think
this has to be changed. We believe that Hacker defender project
contribute making the world of computers more secure. It forces
security companies to care about the core of the problems, to develop
better and better products. And after the years we see the results. The
situation here is still better and we believe it is also because of
our work. There is still lot of work to be done with rootkit
detectors and antivirus products. This is why we will continue
in our work to try to find ways how to bypass their poor
products until they come with the real solution."


In fact, Holyfather's rootkit was a very big driving force in making
Anti-Virus companies take notice of this threat (and of their poor
software). Companies like F-Secure began to write tools to battle
rootkits. Then, almost every single AV company jumped on the
bandwagon. Which one of these excellent companies, who recruit
only the most promising developers, nabbed the best anti-rootkitter
trophy? Two did: a Chinese programmer named 'jfp_' and a team
of independent Russian coders. These programs surpass by far the
half-assed attempts of McAfee, Grisoft, Sophos, and many other
AV companies.

Very few Anti-Virus programs (at least quality ones) come with
proactive rootkit defense. An AV with quality RK defense is
Kaspersky 6. In the next year, many companies should integrate
this sort of protection into their products (do not interpret this
as integrating quality rootkit defense). Until then, the best
proactive solutions are DefenseWall (recommended, shareware),
Neoava Guard (free), and the latest version of Outpost Pro.
However, proactive defense means little if you're already infected
with a RK. Check the review of programs and the link below for
more details.

If you need rootkit related assistance/info, check out this forum.

Friday, January 26, 2007

Symantec awarded prestigious Bloatware Award

Norton Internet Security 2006 = 60% system delay?
Norton 2007 fails retest

I haven't used Norton Anti-Virus since the 2000 version, which came
pre-installed on my 900 MHz desktop. I quickly removed it when I
realized how much speed I'd regain. Back then, the uninstall was fairly
painless. But when I tried Norton again in 2004, I found that it wasn't
just cripplingly slow; short of doing a system restore, it was nearly
impossible to remove. Every version that followed was equally bad;
of course, other programs like Norton Ghost were also morbidly
obese. After standard delays, Norton cranked out a de-sodomization
tool for their slopware.

Norton has a ~70% hold on the virus market; I'm hoping for at least
a 5% drop over the next six months. And while we're boycotting AV
companies, let's add McAfee to that list; they're heading in exactly
the same direction.

-Need AV software suggestions? Here are some excellent freeware
anti-virus programs:

- Antivir (recommended)
- ClamAV

-But are these as good as Norton? I know that Antivir is equal to
or better in detection (depending on the test). If you want to see
detection rate comparisons, look here.