<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1449811636556335442</id><updated>2011-11-27T18:47:56.705-05:00</updated><category term='annoyances'/><category term='spooks'/><category term='MS Vista'/><category term='viruses'/><category term='encryption'/><category term='Uber-Malware'/><category term='scams'/><category term='reviews'/><category term='warez'/><category term='spyware'/><category term='mac os x'/><category term='hacking'/><category term='privacy'/><category term='conspiracy theories'/><category term='rootkits'/><title type='text'>Hacked Nation</title><subtitle type='html'>Dystopian Ruminations on the State of Computer Security.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>21</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-5388602564833215490</id><published>2008-09-26T21:43:00.002-04:00</published><updated>2008-09-26T22:01:45.271-04:00</updated><title type='text'>Closure!</title><content type='html'>More than a year after the fact, I found the answer to the hacking of my PC: the article &lt;a href="www.eecs.umich.edu/virtual/papers/king06.pdf"&gt;SubVirt: Implementing malware with virtual machines&lt;/a&gt;.  Reading this article, I instantly recognized the symptoms in the proof-of-concept described in it as identical to what I had experienced.  A virtual machine monitor (VMM), running on a system such as VMware or Virtual PC, had supplanted my existing operating system, making it the guest (virtual) operating system running virtually in a directory of my hard drive.  This was done by changing the boot routine at startup.  After an initial reboot upon infection, the VMM is run as the core operating system, with the virtual operating system loading directly afterwards.  A barely noticeable lag results upon bootup.  Small differences will be noticed by the observant user, however.  When a user attempts to shut down their infected system, the virtual machine instead puts the computer into a hibernation mode, and makes it appear as if the computer has shut down.  (It is only upon an actual reboot that a user can detect the virtual machine malware, reinstall the operating system, etc.)  Since the machine is running a virtual operating system, any antivirus or antispyware utilities can be made to look like they are working, when they are in fact doing nothing.  I urge anyone who has experienced any problems such as the ones I've described in this blog to check out the SubVirt article.  
It describes in detail how to circumvent and prevent these attacks.  I'll say again for the record that for the last year and a half, running a MacBook, I've been rid of these problems.  Windows computers seem to be extremely vulnerable to this difficult-to-diagnose and difficult-to-eradicate attack.  Good luck.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-5388602564833215490?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/5388602564833215490/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=5388602564833215490' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/5388602564833215490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/5388602564833215490'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2008/09/closure.html' title='Closure!'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-2681399436848352332</id><published>2008-09-23T13:27:00.006-04:00</published><updated>2008-09-24T01:31:31.807-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><category scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>3 Essential Mac OS X Security Software Programs for PC Converts (Part 2: Little Snitch)</title><content type='html'>Mac OS X 
Leopard has a fairly decent built-in firewall, but it's an incoming firewall, protecting you from the dangers from the outside (and it's turned off by default, which blows my mind).  It does not prevent trojans already installed on your computer from sending all your data to a zombie computer somewhere in the cloud.  You'll remember that Windows XP had the same problem, leading to the proliferation of excellent third-party products like my favorite, ZoneAlarm.  Microsoft claims that Vista now offers outbound firewall protection, but as I (and I am sure many users) can attest, it's virtually worthless.  Don't just take my word for it, read the article at &lt;a href="http://www.pcworld.com/businesscenter/article/128834/analysis_new_windows_vista_firewall_fails_on_outbound_security.html"&gt;PC World&lt;/a&gt;. In all fairness, I should say that OS X does have the capability to turn on an outbound firewall using &lt;span style="font-weight: bold;"&gt;ipfw&lt;/span&gt;, but that requires Unix coding, much too advanced for me, and most of you I'd guess.  So, what software can Mac users use to plug this security hole?  While there are many out there, and I've tried a bunch, my favorite by far is &lt;span style="font-weight: bold;"&gt;Little Snitch&lt;/span&gt;.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;In essence, Little Snitch complements the inbound firewall in the Mac OS X operating system.  That firewall prevents hackers from getting in.  Little Snitch, meanwhile, prevents applications from sending data outside your computer without being authorized.  Certainly, there are many applications that will want to access the internet at any time for a variety of legitimate reasons.  Many applications perform automatic updates, for example, and many others "phone home" to their developer to verify that you don't have a pirated product.  
But suppose, God forbid, you were infected with malware from a torrent site, for instance, or something else that occurred before you figured out you were required to turn on the OS X firewall (it's turned off by default -- come on Apple, I just don't get that).  Or even something more mundane: suppose your jealous significant other has installed keyloggers and other spyware on your system (of course, he'll surely burn in hell, but that won't help you right now).  Without an outbound firewall, malware could be sending just about your whole computer's contents to someone in Kazakhstan and you'd never know it.  Enter Little Snitch.&lt;/p&gt;&lt;p&gt;&lt;a href="http://2.bp.blogspot.com/_VwuHozUF70U/SNkssT_poSI/AAAAAAAAAss/hlR-8SxEJu0/s1600-h/littlesnitch.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_VwuHozUF70U/SNkssT_poSI/AAAAAAAAAss/hlR-8SxEJu0/s400/littlesnitch.jpg" alt="" id="BLOGGER_PHOTO_ID_5249275980470133026" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;div&gt;The main screen of Little Snitch is the Configuration panel, shown above.  Little Snitch is rule-based, with several rules pre-made to keep you from screwing things up on your Mac.  Those rules are locked.  You can unlock or lock rules at any time.  The lock key just prevents accidental changes to important rules.  As a new program starts to access the internet, Little Snitch interrupts it, and a pop-up screen asks you if you want to allow or deny that access, and to what degree you want to allow or deny (specific ports, domains, types of connections, etc.).  The configuration panel shows in red text software that has been deleted so you can delete those rules if you want.  
Some programs will have multiple rules, leading you to perhaps give a higher level of clearance to that program (on my computer, for example, the constant jumping around of Skype to different domains every few seconds eventually forced me to set its rule at "Allow any connection").  I just hope that doesn't come back to bite me on my butt.  Other programs I use have twenty rules with as many domains or IP addresses.  In such cases, perhaps allowing that program access to port 80 would be sufficient.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The menu bar on the Mac OS X screen shows a Little Snitch icon that displays a popup of activity when an application tries to access the internet.  It can be somewhat disconcerting to the average Mac user, since many of the program names are operating system components that could mean anything and scare people who don't know better, and because the nagging popup is nearly constantly appearing.  You can, however, turn that feature off, which I have.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It's a program that can really be learned through trial and error.  Rules can be changed at any time or reset to the original rules to start over.  
For the sake of privacy, and based on my knowledge and personal history with the real danger of malware and hackers, Little Snitch is worth every penny.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-2681399436848352332?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/2681399436848352332/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=2681399436848352332' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/2681399436848352332'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/2681399436848352332'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2008/09/3-essential-mac-os-x-security-software_23.html' title='3 Essential Mac OS X Security Software Programs for PC Converts (Part 2: Little Snitch)'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_VwuHozUF70U/SNkssT_poSI/AAAAAAAAAss/hlR-8SxEJu0/s72-c/littlesnitch.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-5369232768842214907</id><published>2008-09-23T13:08:00.002-04:00</published><updated>2008-09-23T13:24:41.822-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MS Vista'/><category 
scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><title type='text'>VirusTotal Report:  Trojan.ByteVerify</title><content type='html'>VirusTotal's report on my uploaded virus was instantaneous and presented me with the following report on the virus that Symantec.com dubbed &lt;span style="font-weight: bold;"&gt;Trojan.ByteVerify&lt;/span&gt; (each antivirus vendor has slightly different names for the universe of viruses):&lt;br /&gt;&lt;br /&gt;&lt;table border="1"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td colspan="4"&gt;File ms03011.jar-3847f8dc-50961bb6.zip received on 06.30.2008 14:04:16 (CET)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Antivirus&lt;/td&gt;&lt;td&gt;Version&lt;/td&gt;&lt;td&gt;Last Update&lt;/td&gt;&lt;td&gt;Result&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AhnLab-V3&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AntiVir&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;EXP/Java.Bytver.5.B&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Authentium&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Java/Trojan!8746&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Avast&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;JS:ClassLoader-7&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AVG&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Java/ByteVerify&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;BitDefender&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Trojan.Exploit.Byteverify.V&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;CAT-QuickHeal&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;ClamAV&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: 
red;"&gt;Java.Openconnection&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;DrWeb&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;VBS.Siggen.1989&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;eSafe&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Trojan-Downloader.Ja&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;eTrust-Vet&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Java/ByteVerify!exploit&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ewido&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;F-Prot&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Java/Trojan!8746&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;F-Secure&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Trojan-Downloader.Java.OpenConnection.ao&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Fortinet&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Java/ClassLoader.AU!tr&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;GData&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Trojan-Downloader.Java.OpenConnection.ao&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Ikarus&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Kaspersky&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Trojan-Downloader.Java.OpenConnection.ao&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;McAfee&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Exploit-ByteVerify&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Microsoft&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Exploit:Java/ByteVerify.C&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;NOD32v2&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: 
red;"&gt;Java/TrojanDownloader.OpenConnection&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Norman&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Panda&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Exploit/ByteVerify&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Prevx1&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Cloaked Malware&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Rising&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Trojan.DL.Java.Jadoler.a&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Sophos&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Troj/ByteVeri-X&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Sunbelt&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Symantec&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Trojan.ByteVerify&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;TheHacker&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;TrendMicro&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;JAVA_BYTEVER.BJ&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;VBA32&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Trojan-Downloader.Java.Agent.a&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;VirusBuster&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Java.DL.OpenConn.C&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Webwasher-Gateway&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td&gt;-&lt;/td&gt;&lt;td style="color: red;"&gt;Exploit.Java.Bytver.5.B&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td colspan="4"&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;Symantec says the virus infects only computers using Microsoft's operation 
system (no surprise there), but my philosophy is that viruses are like cockroaches: kill them just because.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-5369232768842214907?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/5369232768842214907/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=5369232768842214907' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/5369232768842214907'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/5369232768842214907'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2008/09/virustotal-report-trojanbyteverify.html' title='VirusTotal Report:  Trojan.ByteVerify'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-7827873582485259191</id><published>2008-09-23T10:53:00.007-04:00</published><updated>2008-09-23T13:15:12.451-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><category scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><title type='text'>3 Essential Mac OS X Security Software Programs for PC Converts (Part 1: Clam Xav 1.1)</title><content type='html'>Coming from a PC background, I'm a bit paranoid when it comes to computer security.  
It was a bit disconcerting for me to find not only the dearth of security products for Macs, and the lack of marquee names (McAfee VirusScan and Webroot's SpySweeper, for instance) that even produce security products for Macs, but also the prevailing attitude among longtime Mac users that security products, specifically antivirus programs, are basically unnecessary in a Mac environment.  (I personally believe this is a false sense of security, although there is some truth in that assertion, but that will be the subject of another article.)&lt;br /&gt;&lt;br /&gt;When I first purchased my MacBook, as a PC convert, I asked the salesman what I've since learned to be the most common question PC users ask when switching over to Macs:  What security products should I use?  The only product name given to me by the helpful Mac store sales rep was &lt;span style="font-weight: bold;"&gt;MacScan&lt;/span&gt;, an anti-spyware program (currently $29.99 for a single license from &lt;a href="http://macscan.securemac.com/buy/"&gt;http://macscan.securemac.com/buy/&lt;/a&gt;). No antivirus program was recommended at all, and my initial research indicated that, at the time, the commercial programs for Macs (specifically Norton) had bad ratings and were used by very few people.&lt;br /&gt;&lt;br /&gt;Welcome to the Mac Paradigm!  I was also a bit shocked that my favorite financial software, Quicken, was essentially useless (at the time at least) on the Mac platform.  Reviews were dismal.  In the Mac Universe, most of the quality software in any given area is produced by names you've never heard of.  Finding what's worth the money is a little bit of a challenge.  Of course, these programs for the Mac by smaller developers also tend to cost less, so there's an upside to this phenomenon.  
But I digress.&lt;br /&gt;&lt;br /&gt;After spending a while with my Mac, I settled on the following three security programs that I find indispensable, especially if you're a worrywart (as most of us who had PCs tended to be):  the aforementioned &lt;span style="font-weight: bold;"&gt;MacScan&lt;/span&gt;; a free antivirus application called &lt;span style="font-weight: bold;"&gt;ClamXav&lt;/span&gt; (you'll forgive the naming of this little gem. That's what you get when your marketing budget is $0), and &lt;span style="font-weight: bold;"&gt;Little Snitch&lt;/span&gt; ($29.95 for one license), an outbound firewall program whose closest analogous PC program is probably ZoneAlarm (also free for the PC).  This posting focuses on ClamXav.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ClamXav 1.1 Review&lt;/span&gt; (Mac OS X)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_VwuHozUF70U/SNkhPYEZBSI/AAAAAAAAAsc/glrpuYtSqA8/s1600-h/clamxav_4_.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_VwuHozUF70U/SNkhPYEZBSI/AAAAAAAAAsc/glrpuYtSqA8/s320/clamxav_4_.jpg" alt="" id="BLOGGER_PHOTO_ID_5249263388719645986" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The user interface of ClamXav is very utilitarian, and the initial warning when loading the program each time is a bit jarring.  If I can paraphrase, it basically says "Back up all your data before using me. You got this for free, so don't expect tech support, or any kind of restitution if things go wrong."  The program preferences deserve tweaking in order to get the program to actually do anything.  
The default settings at the very least will not harm your system.&lt;br /&gt;&lt;br /&gt;ClamXav's icon displays in the OS X menu bar, so you can easily access the program to perform occasional real-time searches, or see the progress bar scanning files that have been added to or changed in your watch folders.  This is pretty cool and definitely helpful.&lt;br /&gt;&lt;br /&gt;ClamXav has some limitations.  Chief among them, and mentioned in several popular websites, is the speed at which scans are performed compared to commercial programs in this field.  But its virus definitions are updated daily, and the reports I've read say that its ability to find viruses rivals or betters those you'd spend $60 on [citation needed].  Unlike antivirus solutions in the PC universe that I was used to, ClamXav does not have real-time scanning capabilities, except for the folders you select in what the program terms "Folder Sentry".  I have my Downloads folder set to be scanned as items are put there, and that's about it.  There is an option to delete or quarantine viruses upon detection, but that option is turned off by default, and is not recommended if you plan to scan e-mail (also turned off by default).  Indeed, a quick Google search of ClamXav technical issues will lead to some quite disturbing issues people have had with the program deleting their entire inbox.  So conservative settings of the system preferences have the end result that emails are not scanned upon arrival for infected messages.  I have mine set to Not Scan Email, and to Quarantine (versus Delete) any found viruses.  That is what I recommend, especially because false positives do happen.&lt;br /&gt;&lt;br /&gt;Once a virus is found and moved to the quarantine folder, what does that mean exactly?  Generally speaking, any or most found viruses will only be able to infect PC Users (or so I've been told by complacent Mac users), but does that mean I can just delete the file with impunity?  
Or, for that matter, leave them on my computer with impunity?  I am still trying to figure that out.  For my own edification, I'm going to submit the virus I recently found (the first in a year), a little ditty called  "ms03011.jar-3847f8dc-50961bb6.zip" to a site I just discovered called &lt;a href="http://www.virustotal.com/"&gt;Virus Total&lt;/a&gt; for analysis.  Results of the analysis will be forthcoming.&lt;br /&gt;&lt;br /&gt;You'll want to perform full system scans regularly (I scan the directory "/Users/[myusername]".) That's how I found the potentially harmful file above.  Somehow it appeared in the Java system files without my knowledge.  (Maybe it was that pirated version of Sim City 4 I downloaded.  I guess I'll never learn my lesson.)  Full scans do take quite a long time, but affect the performance of my MacBook only modestly.&lt;br /&gt;&lt;br /&gt;For now I see no reason to spend a lot of money on commercial antivirus programs for my Mac when ClamXav does just about everything I need, for the right price.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-7827873582485259191?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/7827873582485259191/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=7827873582485259191' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7827873582485259191'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7827873582485259191'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2008/09/3-essential-mac-os-x-security-software.html' title='3 Essential Mac OS X 
Security Software Programs for PC Converts (Part 1: Clam Xav 1.1)'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_VwuHozUF70U/SNkhPYEZBSI/AAAAAAAAAsc/glrpuYtSqA8/s72-c/clamxav_4_.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-3297810437969866212</id><published>2007-11-04T14:04:00.000-05:00</published><updated>2007-11-04T14:31:44.334-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='annoyances'/><title type='text'>Kernel Panic and Zip Bomb</title><content type='html'>My MacBook experienced what I think was called a Kernel Panic (see below screen capture) two days ago.  I was unable to boot into the Mac OS X operating system, and had to perform a system restore from my OS X disc. &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_VwuHozUF70U/Ry4ZZ3jLHqI/AAAAAAAAAdE/3giZj-NJEeU/s1600-h/kernel_panic.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_VwuHozUF70U/Ry4ZZ3jLHqI/AAAAAAAAAdE/3giZj-NJEeU/s320/kernel_panic.jpg" alt="" id="BLOGGER_PHOTO_ID_5129064957820477090" border="0" /&gt;&lt;/a&gt; Subsequently, I ran a virus scan using Sophos, which, according to the log, found a possible Zip Bomb (see below abridged scan log). This was recorded as an error but not a virus.  I've never even heard of a Zip Bomb before, but Wikipedia defines it in &lt;a href="http://en.wikipedia.org/wiki/Zip_bomb"&gt;this entry&lt;/a&gt;. Coincidence or unrelated? 
As my college Probability professor taught me, which I'll paraphrase, "correlation does not mean causation".  I can find very little info online on bootroot.loader -- is this a zip bomb or a legitimate Linux/OS X function?&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="font-weight: bold;"&gt;Error:&lt;/span&gt;  File not scanned (appears to be a ‘zip bomb’)&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:verdana;"&gt;Joss Whedon:System:Library:PrivateFrameworks:MediaKit.framework: Versions:A:Resources:MKDrivers.bundle:Contents:Resources:bootroot.loader&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;span style="font-weight: bold;"&gt;Info:&lt;/span&gt;  Immediate job completed at 1:39:36 PM on Saturday, November 3, 2007&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;512774 items scanned, 0 viruses detected, 5 errors&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-3297810437969866212?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/3297810437969866212/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=3297810437969866212' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/3297810437969866212'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/3297810437969866212'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/11/kernel-panic-and-zip-bomb.html' title='Kernel Panic and Zip Bomb'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_VwuHozUF70U/Ry4ZZ3jLHqI/AAAAAAAAAdE/3giZj-NJEeU/s72-c/kernel_panic.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-5277962932038119700</id><published>2007-10-21T02:53:00.000-04:00</published><updated>2007-10-21T03:04:30.876-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>SecurityFocus's "Attacking the Attackers"</title><content type='html'>There are a couple of very good, very hard to understand, articles on &lt;span style="font-weight: bold; color: rgb(153, 255, 153);"&gt;SecurityFocus's&lt;/span&gt; web site about fighting back against hackers.  The articles are titled &lt;a href="http://www.securityfocus.com/infocus/1856"&gt;Malicious Malware: Attacking the Attackers, Part One&lt;/a&gt;, and &lt;a href="http://www.securityfocus.com/infocus/1857"&gt;Part Two&lt;/a&gt;.  But can I tell you, they were so far over my head they could've been written in Chinese and I wouldn't know any more than I did when I started.  However, the more technically proficient among you may learn something valuable.  That you can then bring back to my site to help me catch my own bad guys. 
:-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-5277962932038119700?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/5277962932038119700/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=5277962932038119700' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/5277962932038119700'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/5277962932038119700'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/securityfocuss-attacking-attackers.html' title='SecurityFocus&apos;s &quot;Attacking the Attackers&quot;'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-4798091762872943091</id><published>2007-10-16T23:03:00.000-04:00</published><updated>2007-10-16T23:26:09.386-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><category scheme='http://www.blogger.com/atom/ns#' term='MS Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='rootkits'/><category scheme='http://www.blogger.com/atom/ns#' term='Uber-Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Portion of an interview with Jamie Butler on Rootkits</title><content type='html'>I just saw a pretty amazing video podcast available on 
iTunes from &lt;span style="font-weight: bold; color: rgb(153, 255, 153);"&gt;OnSecurity&lt;/span&gt; called &lt;span style="font-style: italic;"&gt;Rootkits: Detecting the Threat with Jamie Butler&lt;/span&gt;.  Mr. Butler is co-author of a book called &lt;a href="http://www.amazon.com/gp/product/0321294319?ie=UTF8&amp;amp;tag=hackednation-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=0321294319"&gt;Rootkits: Subverting the Windows Kernel (Addison-Wesley Software Security Series)&lt;/a&gt;&lt;img src="http://www.assoc-amazon.com/e/ir?t=hackednation-20&amp;amp;l=as2&amp;amp;o=1&amp;amp;a=0321294319" alt="" style="border: medium none  ! important; margin: 0px ! important;" border="0" height="1" width="1" /&gt;.  Here is some enlightening dialogue:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-weight: bold;"&gt;Mr. Butler: &lt;/span&gt;Normally what has to be done is a complete reinstall of the operating system itself.  And we've seen, um, over the last year, year to two years, the evolution of rootkits even into the hardware and BIOS spaces, where it's been demonstrated at Black Hat Federal and other conferences where a complete reinstall of the operating system may not be enough to get rid of the rootkit itself.&lt;/blockquote&gt;For months I could not understand why a complete wipe and reinstall of Windows Vista on my infected machine(s) resulted in the same damaged computer as before.  At times I blamed an infected installation disk or an infected hidden partition (from which many computer companies perform system reinstalls, eschewing disks altogether). Finally I was convinced the malware was coming straight from my Cable Internet provider (paranoia, I realize, but I was basing this on the statement of a nemesis (who worked for Comcast) that "You would be amazed what we can do to your computer and what we can see."). Over time my infected computer's security had essentially been completely wiped out.  
Services I disabled automatically re-enabled themselves.  At certain points my system was visibly under the control of an unseen entity/hacker.  I described the problem to friends, and they told me what I was explaining to them was science fiction, and used the "P" word to describe me again.  Now thanks to Mr. Butler I have some explanation that the events I was experiencing were and are real, but am now pessimistic that my one remaining Windows machine will ever be viable and may have to be trashed completely.&lt;br /&gt;&lt;br /&gt;A relevant portion of the podcast can be seen below.&lt;br /&gt;&lt;br /&gt;&lt;object height="350" width="425"&gt; &lt;param name="movie" value="http://www.youtube.com/v/NzYsZLA_hZc"&gt;  &lt;embed src="http://www.youtube.com/v/NzYsZLA_hZc" type="application/x-shockwave-flash" height="350" width="425"&gt;&lt;/embed&gt;  &lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-4798091762872943091?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/4798091762872943091/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=4798091762872943091' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/4798091762872943091'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/4798091762872943091'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/portion-of-interview-with-jamie-butler.html' title='Portion of an interview with Jamie Butler on Rootkits'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-6829113833667081951</id><published>2007-10-16T18:54:00.000-04:00</published><updated>2007-10-21T03:02:58.666-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Securing Your Mac</title><content type='html'>There's a pretty good article in the November 2007 issue of MacWorld called &lt;a href="http://www.macworld.com/2007/10/features/lockup_main/index.php"&gt;Secure Your Mac&lt;/a&gt;. Beyond the offensively obvious items such as "Choose Strong Passwords", there are a couple of really good tips.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Change Your Keychain Password. &lt;/span&gt; Many people (myself included) don't realize your keychain of passwords is entirely accessible once you log in to your Mac. Your Mac login unlocks the keychain, so if you step away from your computer, anyone can access without restriction your passwords for Airport settings and even web site passwords that Safari  stores in the keychain.  
&lt;span style="font-weight: bold;"&gt;Solution:&lt;/span&gt; open &lt;span style="font-style: italic; color: rgb(153, 255, 153);"&gt;Keychain Access&lt;/span&gt;, select&lt;span style="color: rgb(51, 204, 255);"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(153, 255, 153);"&gt;Show Keychains&lt;/span&gt;, select your default keychain (usually called 'login'), then choose&lt;span style="font-style: italic;"&gt; &lt;span style="color: rgb(153, 255, 153);"&gt;Edit&lt;/span&gt; | &lt;span style="color: rgb(153, 255, 153);"&gt;Change Password&lt;/span&gt;&lt;/span&gt;&lt;span style="color: rgb(153, 255, 153);"&gt; &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(153, 255, 153);"&gt;for Keychain&lt;/span&gt;, and choose a different password from your login.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Encrypt Sensitive Files.&lt;/span&gt;  Acknowledging the instability inherent in Mac's FileVault, MacWorld describes a better way to encrypt your sensitive data, by creating an encrypted disk image: In &lt;span style="font-style: italic; color: rgb(153, 255, 153);"&gt;Disk Utility&lt;/span&gt;, create a new disk image by selecting &lt;span style="font-style: italic; color: rgb(153, 255, 153);"&gt;File&lt;/span&gt; | &lt;span style="font-style: italic; color: rgb(153, 255, 153);"&gt;New&lt;/span&gt; | &lt;span style="font-style: italic; color: rgb(153, 255, 153);"&gt;Blank Disk Image&lt;/span&gt;.  Under &lt;span style="font-style: italic; color: rgb(153, 255, 153);"&gt;Encryption&lt;/span&gt;&lt;span style="color: rgb(153, 255, 153);"&gt;,&lt;/span&gt; select 'AES-128'.  Select 'Sparse Disk Image' from &lt;span style="color: rgb(153, 255, 153);"&gt;the &lt;/span&gt;&lt;span style="font-style: italic; color: rgb(153, 255, 153);"&gt;Format&lt;/span&gt; popup box, specify a name and location, and move all your sensitive files to this location once you mount the disk.  
Eject the disk when you're through editing/viewing these top-secret files.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-6829113833667081951?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/6829113833667081951/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=6829113833667081951' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/6829113833667081951'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/6829113833667081951'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/securing-your-mac.html' title='Securing Your Mac'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-1373937248400033516</id><published>2007-10-13T00:39:00.000-04:00</published><updated>2007-10-14T10:07:03.390-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><category scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>My Mac, the Server?</title><content type='html'>I admit I don't know Macs, I don't know networking, but is it normal that when I connect to the internet via my Airport Extreme my entire home folder becomes a server?  Am I just not "getting" the way my Mac operates?  
When I connect to the Internet, the &lt;span style="font-weight: bold;"&gt;Server&lt;/span&gt; icon shows the following: Does that mean I am sharing my home folder (all users, all info) or that it is public? If my computer is a server, who is the client?  I honestly hope I am being ignorant and paranoid here, but something seems amiss. &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_VwuHozUF70U/RxBOsIgm-AI/AAAAAAAAAYE/pd5-Ts2gEmk/s1600-h/my_computer_the_server.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_VwuHozUF70U/RxBOsIgm-AI/AAAAAAAAAYE/pd5-Ts2gEmk/s320/my_computer_the_server.jpg" alt="" id="BLOGGER_PHOTO_ID_5120679296425719810" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-1373937248400033516?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/1373937248400033516/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=1373937248400033516' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/1373937248400033516'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/1373937248400033516'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/my-mac-server.html' title='My Mac, the Server?'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_VwuHozUF70U/RxBOsIgm-AI/AAAAAAAAAYE/pd5-Ts2gEmk/s72-c/my_computer_the_server.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-7202731178854514795</id><published>2007-10-11T22:37:00.000-04:00</published><updated>2007-10-11T22:57:33.110-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><category scheme='http://www.blogger.com/atom/ns#' term='MS Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Red Herrings</title><content type='html'>When one's computer is &lt;span style="font-style: italic;"&gt;routinely&lt;/span&gt; hacked -- even though I still can't "prove" that it was -- one starts to think it's a personal vendetta at work, not a random act.  It seems clear to me that the person or persons who perpetrated these attacks on me knew me; that they probably even had physical access to my computer. I have theories of how this was accomplished.  So-called "social engineering" is the most probable: leaving an unmarked computer DVD for me to pop into my PC, unwittingly running a malware installer, for example. But the truth is, I still don't know when or how I was initially targeted (though I have some pretty good guesses as to why). If that's the case -- if a person is indeed "targeted" by a hacker, how can he be safe?  Especially when both Windows and Mac computers come out-of-the-box essentially defenseless against such intrusions, with minimum security in place and, in the case of Windows (any variant), running a host of unneeded, security-reducing services by default.&lt;br /&gt;&lt;br /&gt;Unfortunately, the paranoia such thoughts bring about is maddening.  One sees "evidence" everywhere, signs pointing to one person or the other.  
Red herrings, as they call them in detective novels and movies.  I've been led down several wrong paths, but have narrowed the list of suspects down to three serious ones.  Each one has had opportunity (access to my machine), motive (let's just say I've made my share of enemies), and the amorality required to commit such an offense.  I used to hang around with a group of people with let us say ... questionable scruples. What can I say, it's true: You lay down with dogs, you get fleas.  But no one deserves to be put through what I've gone through.  I plan in a later post to enumerate the direct and indirect costs -- such as time spent troubleshooting and reinstalling software -- this crap has cost me.  I expect the figure to be astounding.  I plan also on profiling (though not naming) each of these three Horsemen of the Apocalypse.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-7202731178854514795?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/7202731178854514795/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=7202731178854514795' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7202731178854514795'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7202731178854514795'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/red-herrings.html' title='Red Herrings'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-1907493818962603945</id><published>2007-10-11T07:44:00.000-04:00</published><updated>2007-10-13T00:50:27.878-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><category scheme='http://www.blogger.com/atom/ns#' term='MS Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='Uber-Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='spyware'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Norton Security Scan Clues (part 3)</title><content type='html'>Here are a couple of more-recent clues gleaned from the neutered but still-helpful Norton Security Scan.  By this time I had ditched Comcast cable internet service in favor of AT&amp;amp;T's mobile broadband service (another expense, another dead end).  First, &lt;span style="font-weight: bold;"&gt;Keyhost.exe&lt;/span&gt;, a &lt;a href="http://www.processlibrary.com/directory/files/keyhost"&gt;normal process according to ProcessLibrary.com&lt;/a&gt;, or a &lt;a href="http://www.bleepingcomputer.com/startups/Keyhost.exe-6641.html"&gt;Hijacker, hailing from jraun.com, says bleepingcomputer.com&lt;/a&gt;.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_VwuHozUF70U/Rw4Rkogm98I/AAAAAAAAAXk/tumDDyZKCnU/s1600-h/keyhost.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_VwuHozUF70U/Rw4Rkogm98I/AAAAAAAAAXk/tumDDyZKCnU/s320/keyhost.jpg" alt="" id="BLOGGER_PHOTO_ID_5120049147413985218" border="0" /&gt;&lt;/a&gt;Next up: &lt;span style="font-weight: bold;"&gt;StaffCop&lt;/span&gt;.  
It's &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-031310-2131-99&amp;amp;tabid=2"&gt;spyware that captures screenshots and logs activity&lt;/a&gt;, storing the compromised confidential information inside the &lt;span style="font-style: italic;"&gt;%System%\CSRSS folder&lt;/span&gt;, says Symantec.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_VwuHozUF70U/Rw4VSYgm99I/AAAAAAAAAXs/A9p5SvjMpZg/s1600-h/staffcop.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_VwuHozUF70U/Rw4VSYgm99I/AAAAAAAAAXs/A9p5SvjMpZg/s320/staffcop.jpg" alt="" id="BLOGGER_PHOTO_ID_5120053231927883730" border="0" /&gt;&lt;/a&gt;Lastly, Symantec categorizes the program &lt;span style="font-weight: bold;"&gt;Surf Sidekick&lt;/span&gt;, shown in the following screen capture, as &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2004-112118-0309-99"&gt;Adware&lt;/a&gt;.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_VwuHozUF70U/Rw4XvIgm9-I/AAAAAAAAAX0/Xtr5yMKU5N4/s1600-h/surfsidekick.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_VwuHozUF70U/Rw4XvIgm9-I/AAAAAAAAAX0/Xtr5yMKU5N4/s320/surfsidekick.jpg" alt="" id="BLOGGER_PHOTO_ID_5120055924872378338" border="0" /&gt;&lt;/a&gt;What's troublesome is that these latest screen captures were taken a little more than a month ago, after I started using my MacBook almost full-time and had only recently put the Windows machine back on the Web.  
More troublesome of course is that my current Antivirus (Kaspersky) and Antispyware (Spyware Doctor) solutions aren't finding any infections at all, though if my machine &lt;span style="font-style: italic;"&gt;was&lt;/span&gt; already infected with Uber-Malware, and if it works as I suspect it does, then theoretically any legitimate download would be filtering through the Malware Host machine, which could then "neuter" or alter the program so that it becomes inert.  Anyone out there know a Trojan or Rootkit with those properties?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-1907493818962603945?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/1907493818962603945/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=1907493818962603945' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/1907493818962603945'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/1907493818962603945'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/norton-security-scan-clues-part-three.html' title='Norton Security Scan Clues (part 3)'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_VwuHozUF70U/Rw4Rkogm98I/AAAAAAAAAXk/tumDDyZKCnU/s72-c/keyhost.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-7118487408867429880</id><published>2007-10-10T13:18:00.000-04:00</published><updated>2007-10-10T14:29:14.677-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MS Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Encryption in Vista and OS X: Not Worth It?</title><content type='html'>I read an article not long ago in Details magazine about white-hat hackers. I lost the issue, and I can't find a link, so I'm working from memory here. Anyway, a government security guy who recruits white-hat (i.e., ethical) hackers stated that he was worried about the heavy-duty encryption (called BitLocker) found in Vista Ultimate (&lt;a href="http://www.microsoft.com/windows/products/windowsvista/editions/choose.mspx"&gt;no other versions of Vista include this feature&lt;/a&gt;). He said he was worried about it from a National-security perspective, but BitLocker is also supposed to make it much harder for your PC to be hacked into.&lt;br /&gt;&lt;br /&gt;I bought a Toshiba laptop (a great machine, really) with Vista Ultimate, one of my many purchases (this one roughly $1,400) in an attempt to foil my already-hacked home network. No sooner had I plugged the machine into the ethernet cable to my modem than it seemed to be hacked again. I ran all the Microsoft security updates as soon as possible, but it was too late. Very quickly, my PC looked like it was running a copy of Virtual PC or something. Windows showed me being on a "network" which was composed of an intermediary computer between me and the internet.  I wasn't on a network at all.  
When I tried to download and install BitLocker (although it's a Vista Ultimate feature, it still requires a download) a weird error denied my enabling the feature.  Drive wipes and reinstalls didn't help. Was my mystery hacker to blame, or was Microsoft?&lt;br /&gt;&lt;br /&gt;I ran into similar, though less paranoia-inducing, problems with OS X's FileVault (the Mac version of this strong disk encryption).  My computer kept freezing, unable to recover from Sleep Mode, requiring constant restarts. Apparently this corrupted the FileVault, resulting in the below message.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_VwuHozUF70U/Rw0Y2Igm94I/AAAAAAAAAXA/0aAiT5wXXVI/s1600-h/filevault_error.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_VwuHozUF70U/Rw0Y2Igm94I/AAAAAAAAAXA/0aAiT5wXXVI/s320/filevault_error.jpg" alt="" id="BLOGGER_PHOTO_ID_5119775669666379650" border="0" /&gt;&lt;/a&gt;I ended up losing a lot of data, and found a bunch of common threads on the topic stating that the system freeze issue was a common one but pretty much unexplained at this time. Of course Apple takes no responsibility for this. As with all software companies, the warranty for the software excludes them from any sort of liability for damage that their bugs cause the end user. Bottom line of those threads was not to use FileVault on an administrator account at all. Thanks for the heads-up, Apple! I've given up on FileVault altogether, though don't get me wrong, I'm still an Apple convert. 
Compared to Microsoft, Apple's products are far and above superior.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-7118487408867429880?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/7118487408867429880/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=7118487408867429880' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7118487408867429880'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7118487408867429880'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/encryption-in-vista-and-os-x-not-worth.html' title='Encryption in Vista and OS X: Not Worth It?'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_VwuHozUF70U/Rw0Y2Igm94I/AAAAAAAAAXA/0aAiT5wXXVI/s72-c/filevault_error.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-3317204277074403419</id><published>2007-10-09T20:15:00.000-04:00</published><updated>2007-10-11T07:33:37.283-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><category scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='Uber-Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>"In the end there can only be 
one..."</title><content type='html'>After more than a year and at least a couple grand spent trying to outwit the hackers who were intent on terrorizing me, I took several friends' advice and went out to buy a Mac. I was at my wit's end, sure that the Uber-Malware was entering directly from Comcast, my cable provider (a former "friend" of mine who worked for Comcast alluded to that fact).  I took all the cash I had, and went to the local Apple store and bought a MacBook, spending $1800, at least $800 more than I would spend for a comparable PC.  But if it was secure, as all my friends contended, then it would be worth it.&lt;br /&gt;&lt;br /&gt;The same day I brought my MacBook home, a friend-of-a-friend Mac "expert" took a look at it and said "This computer isn't behaving very Mac-like," a frown creasing his forehead.  I didn't know what "Mac-like" behavior was of course -- I had nothing to compare it to.  Of course the statement scared me, especially since this person supposedly knew nothing of my ridiculously unfixable PC security issues.  But at the end of the session he seemed convinced my computer was okay. Then a few days later, my outbound firewall popped up the below message.&lt;span style="text-decoration: underline;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_VwuHozUF70U/Rw1EH4gm95I/AAAAAAAAAXI/zUKV9diYg2k/s1600-h/thequickbrownfox.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_VwuHozUF70U/Rw1EH4gm95I/AAAAAAAAAXI/zUKV9diYg2k/s320/thequickbrownfox.jpg" alt="" id="BLOGGER_PHOTO_ID_5119823253609052050" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;Along with the ordinary request for permission of a program to have outbound internet access, there was this message at the end: "In the end there can be only one. 
The quick brown fox jumped over the lazy dog."&lt;span style="text-decoration: underline;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_VwuHozUF70U/Rw1Ecogm96I/AAAAAAAAAXQ/pr3_9ejVECE/s1600-h/thequickbrownfox_closeup1.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_VwuHozUF70U/Rw1Ecogm96I/AAAAAAAAAXQ/pr3_9ejVECE/s320/thequickbrownfox_closeup1.jpg" alt="" id="BLOGGER_PHOTO_ID_5119823610091337634" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;To this day I am not sure how or why that message popped up.  It happened several times before I deleted the software (Internet Cleanup 4.0) and replaced it with LittleSnitch. The first line I believe is from &lt;span style="font-weight: bold;"&gt;Highlander&lt;/span&gt;. The second if I am not mistaken is from &lt;span style="font-weight: bold;"&gt;The Matrix&lt;/span&gt;, but I could be wrong.  Was someone trying to tell me something, or was this some glitch in the code of the software? 
Googling the term yielded no result, so my instincts led me to believe it was the former.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-3317204277074403419?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/3317204277074403419/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=3317204277074403419' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/3317204277074403419'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/3317204277074403419'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/in-end-there-can-only-be-one.html' title='&quot;In the end there can only be one...&quot;'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_VwuHozUF70U/Rw1EH4gm95I/AAAAAAAAAXI/zUKV9diYg2k/s72-c/thequickbrownfox.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-6554787350399011407</id><published>2007-10-04T22:29:00.000-04:00</published><updated>2007-10-16T23:45:27.547-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><category scheme='http://www.blogger.com/atom/ns#' term='MS Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='Uber-Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='spyware'/><category 
scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Norton Security Scan Clues (part 2)</title><content type='html'>I think it's a bit ironic that I spent hundreds of dollars on antivirus and antispyware software, yet the one that really gave me "clear and convincing evidence" of a breach of my Vista PC's security was a little freebie utility called &lt;span style="font-weight: bold;"&gt;Norton Security Scan&lt;/span&gt; (included in Blogger's parent company's self-titled &lt;a href="http://pack.google.com/"&gt;&lt;span style="font-weight: bold;"&gt;Google Pack&lt;/span&gt;&lt;/a&gt;). But don't get me wrong, it's not like Norton Security Scan really worked, and actually discovered the malware I contend my PC was infected with. Like all the other products, it loudly proclaimed my computer to be &lt;span style="font-style: italic;"&gt;free of all viruses and spyware&lt;/span&gt;.  But the following screen captures show a couple of other gems apparently either hiding on my PC or -- more likely in my opinion -- residing on the host computer.  It became my theory, and still is, that my machine became (and probably still is) a client to a hacker's host computer, with him pulling all the strings.  I am guessing that I connected to his machine transparently upon log-on if there was an internet connection.  And if there was no connection, my computer synced with his at the first opportunity.&lt;br /&gt;&lt;br /&gt;The first of two more incriminating screen captures from Norton Security Scan shows a file called &lt;span style="font-weight: bold;"&gt;dnsrxpob.exe&lt;/span&gt;, below, in the c:\windows\system32 folder. I knew from my limited knowledge that the &lt;span style="font-style: italic;"&gt;system32&lt;/span&gt; folder is where a lot of malware likes to hide out.  
Googling the file name, I found out that it's evidence of a mass-mailing Worm that Symantec calls &lt;span style="font-weight: bold;"&gt;W32.Stration.DD@mm&lt;/span&gt; (how do they come up with these names?). &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-102311-3614-99&amp;amp;tabid=2"&gt;Info about this worm&lt;/a&gt; can be found on Symantec's site.&lt;span style="text-decoration: underline;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_VwuHozUF70U/RxWE8Ygm-BI/AAAAAAAAAYM/l_ge3Yq5Xu0/s1600-h/dnsrxpob.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_VwuHozUF70U/RxWE8Ygm-BI/AAAAAAAAAYM/l_ge3Yq5Xu0/s320/dnsrxpob.jpg" alt="" id="BLOGGER_PHOTO_ID_5122146324110047250" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;The second screen capture, below, shows &lt;span style="font-weight: bold;"&gt;Swartax&lt;/span&gt;.  This one's name alone kind of made me think "malware", and sure enough, it's a Trojan/Backdoor according to &lt;a href="http://www.sophos.com/virusinfo/analyses/trojbdooraml.html"&gt;Sophos's threat analysis&lt;/a&gt;. Pausing the scanner to take screen captures and notes led, again, however, to a "spontaneous" reboot of my Vista PC. I felt a mixture of elation to finally be "onto him" (whoever "he" was/is), and dread that no software I installed seemed capable of actually discovering these files themselves (I had to &lt;span style="font-style: italic;"&gt;google them&lt;/span&gt;?!) and disinfecting my machine. My theories on that will be forthcoming. 
&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_VwuHozUF70U/RxWFP4gm-CI/AAAAAAAAAYU/eCGCcC7z4n0/s1600-h/swartax_web.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_VwuHozUF70U/RxWFP4gm-CI/AAAAAAAAAYU/eCGCcC7z4n0/s320/swartax_web.jpg" alt="" id="BLOGGER_PHOTO_ID_5122146659117496354" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-6554787350399011407?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/6554787350399011407/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=6554787350399011407' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/6554787350399011407'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/6554787350399011407'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/norton-security-scan-clues-part-2.html' title='Norton Security Scan Clues (part 2)'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_VwuHozUF70U/RxWE8Ygm-BI/AAAAAAAAAYM/l_ge3Yq5Xu0/s72-c/dnsrxpob.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-6083450239193975631</id><published>2007-10-04T13:49:00.001-04:00</published><updated>2007-10-13T01:23:05.160-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><category scheme='http://www.blogger.com/atom/ns#' term='MS Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='Uber-Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='spyware'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Video Evidence?</title><content type='html'>I've posted two videos on my &lt;a href="http://www.youtube.com/hackednation"&gt;YouTube channel&lt;/a&gt;.  I hope the resolution is good enough that you'll be able to see what I see in the videos.  You tell me, is this evidence of hacking or not?  The videos show a view of certain log files on my Vista media center PC (all my main computing is performed on my Mac, which hopefully has still remained uncompromised).  As I scrolled and clicked through the entries, I knew that something "just wasn't right". It seemed to show a lot of weird stuff going on, but I am not a techie, and have no way to tell whether there's any real evidence there.  Check these videos out.  I will upload a higher-def version of the complete 17 minute-long video on a free FTP server, TBD.&lt;br /&gt;&lt;center&gt;&lt;object height="350" width="425"&gt; &lt;param name="movie" value="http://www.youtube.com/v/1vEh0rsJHrc"&gt; &lt;embed src="http://www.youtube.com/v/1vEh0rsJHrc" type="application/x-shockwave-flash" height="350" width="425"&gt;&lt;/embed&gt;  &lt;/object&gt;&lt;/center&gt;&lt;br /&gt;And finally, this is part two. Again, the quality sucks I realize. 
&lt;center&gt;&lt;object height="350" width="425"&gt; &lt;param name="movie" value="http://www.youtube.com/v/xfezGmJQUh8"&gt;  &lt;embed src="http://www.youtube.com/v/xfezGmJQUh8" type="application/x-shockwave-flash" height="350" width="425"&gt;&lt;/embed&gt;  &lt;/object&gt;&lt;/center&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Update [10/5/07]:&lt;/span&gt; It took some time since I am fairly new to video editing, but the first of two higher-def videos is posted online at a free hosting site called Files Upload.  Direct link to part one: &lt;a href="http://files-upload.com/files/541570/hacking_evidence_or_not_1.mov"&gt;hacking_evidence_or_not_1.mov&lt;/a&gt;.  Direct link to part two: &lt;a href="http://files-upload.com/files/558208/hacking_evidence_or_not_2.mov"&gt;hacking_evidence_or_not_2.mov&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-6083450239193975631?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/6083450239193975631/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=6083450239193975631' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/6083450239193975631'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/6083450239193975631'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/video-evidence.html' title='Video Evidence?'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-6895323212464101933</id><published>2007-10-01T10:34:00.000-04:00</published><updated>2007-10-11T07:30:54.173-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MS Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='Uber-Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='spyware'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Norton Security Scan Clues (part 1)</title><content type='html'>I'm going to start calling the virus or other malware that attacked me less than 12 months ago (and possibly recently)&lt;span style="font-weight: bold;"&gt; Uber-Malware&lt;/span&gt;.  Right now there's really no description more apt, it certainly won't get confused with other topics on this blog, and it sounds kinda cool.  One thing this "Uber-Malware" did was, as it slowly infected my PC, it began disabling all my security applications.  Every single one.  This is commonplace behavior for a Trojan, I am sure.  However, it made the apps &lt;span style="font-style: italic;"&gt;appear&lt;/span&gt; to be working 100% correctly. But the spyware-finding and cleaning abilities in all of them were as fake as Joan Rivers'... pick a body part.  They'd essentially been neutered.  The only "problem" was, every antispyware and antivirus app I used would always result in zero viruses found, zero spyware applications, zero infections with malware... even, it turns out,&lt;span style="font-style: italic;"&gt; zero cookies found from bad sites&lt;/span&gt;. 
In other words, the Uber-Malware was essentially &lt;span style="font-style: italic;"&gt;too good&lt;/span&gt; at disabling my defenses, since I noticed right away that my antispyware program, which routinely returned dozens of "spyware" cookies from "bad sites" for me to delete, now returned &lt;span style="font-style: italic; font-weight: bold;"&gt;none&lt;/span&gt;, yet my surfing habits had not changed.  This was one clue something subversive was going on with my machine.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_VwuHozUF70U/RwEMkVKmDfI/AAAAAAAAAUk/vgLkvhgMRlQ/s1600-h/nortonscan1.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_VwuHozUF70U/RwEMkVKmDfI/AAAAAAAAAUk/vgLkvhgMRlQ/s400/nortonscan1.jpg" alt="" id="BLOGGER_PHOTO_ID_5116384469965999602" border="0" /&gt;&lt;/a&gt;Next, I noticed that if I ran Norton Security Scan (available as part of the Google Pack) and paid close attention to the destinations it was scanning, it was scanning entire folders and files &lt;span style="font-weight: bold;"&gt;that did not reside on my computer&lt;/span&gt; -- or so I thought.  I was able to slow down Norton Security Scan considerably by running memory and processor-intensive applications at the same time, and by randomly performing screen captures.  I caught one screen capture (below) that showed a shortcut for a program called PC Activity Monitor Standard on the Administrator's desktop.  I was running the Administrator account when I found it, and that program was not on my desktop; in fact I had never even heard of it.  I performed subsequent identical scans, and was able to see that on the desktop of this other person's PC ("host PC"?) there were maybe half a dozen Remote Administration programs or other programs that could be used as Trojans!  
My PC seemed truly screwed.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_VwuHozUF70U/RwUfIYgm9wI/AAAAAAAAAVE/hinYskx6Ryo/s1600-h/pc_activity_monitior_std.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_VwuHozUF70U/RwUfIYgm9wI/AAAAAAAAAVE/hinYskx6Ryo/s400/pc_activity_monitior_std.jpg" alt="" id="BLOGGER_PHOTO_ID_5117530780455073538" border="0" /&gt;&lt;/a&gt;I knew I was on to something when my computer mysteriously, spontaneously rebooted when I had an incriminating screen capture like the one above paused on my screen.  Could it be someone on the other side of a monitor somewhere, viewing my computer and terrorizing my life, figured out I was onto him?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Afterward:&lt;/span&gt;  I did a google search for the program PC Activity Monitor Standard and found no information on their site for how to detect or remove the program once it was installed.  
I find this infuriating, and think there's probably a consumer law about it that would apply.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-6895323212464101933?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/6895323212464101933/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=6895323212464101933' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/6895323212464101933'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/6895323212464101933'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/10/super-virus-clue-one-computer-defenses.html' title='Norton Security Scan Clues (part 1)'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_VwuHozUF70U/RwEMkVKmDfI/AAAAAAAAAUk/vgLkvhgMRlQ/s72-c/nortonscan1.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-1278062989972880632</id><published>2007-09-30T11:36:00.000-04:00</published><updated>2007-10-01T10:33:50.096-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='annoyances'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Unidentified Virus: x86_wcf-system.io.log~.zip</title><content type='html'>ClamXav discovered the 
following unidentified virus on my Mac, which no other antivirus program I have used has claimed is a virus.  I am not sure whether it is a false positive or evidence of something insidious going on on my PC.  It originated from my PC, where I did a search for all files containing the word "LOG" in them, and zipped them up to keep them as "evidence" in case something in there could later be used to track the hacker(s) I've mentioned before.  I then transferred the .zip file to my Mac, where ClamXav said there was a virus contained in the zip file.  The possibly infected file has the unwieldy name of  &lt;span style="font-size:85%;"&gt;x86_wcf-system.io.log_b03f5f7f11d50a3a_6.0.6000.16386_none_da9913e6bac66516.zip~RF478b4d4.TMP&lt;/span&gt;.   If anyone has any info about the above file, let me know. I plan on submitting it to McAfee or some other antivirus software vendor for analysis. Any recommendations on who to submit the file to would be appreciated as well.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update: &lt;/span&gt;Apparently the virus was a &lt;a href="http://vil.nai.com/vil/content/v_876.htm"&gt;null virus&lt;/a&gt;.  I have no clue really how this relates to me and the incredibly sophisticated hacking that went on with my PC.  
This looks like a BB gun when what I need to find is a bazooka.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-1278062989972880632?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/1278062989972880632/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=1278062989972880632' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/1278062989972880632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/1278062989972880632'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/09/unidentified-virus-x86wcf.html' title='Unidentified Virus: x86_wcf-system.io.log~.zip'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-7995173912361071006</id><published>2007-09-28T23:57:00.000-04:00</published><updated>2007-09-29T03:51:11.579-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='warez'/><category scheme='http://www.blogger.com/atom/ns#' term='scams'/><title type='text'>Warez Scam of the Century</title><content type='html'>I got scammed on a warez site yesterday, and have only myself to blame.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Background:&lt;/span&gt; I recently decided to pay for all my software, after the hacking issues that plagued my PC made the concept of "nothing in life is free" take on new meaning.  
Not to mention the fact that software developers need to get paid too, and I have always considered stealing wrong -- only that morality didn't seem to cover digital media. Go figure.  However, I've had a financial crisis of late, and really wanted to replace the truly awful SierraWatcher software for Mac OS X (it connects my laptop to the internet via my AT&amp;amp;T AirCard 875U) with something better, and AT&amp;amp;T (née Cingular) doesn't support Macs, so their superior software is unavailable to me.   My only option seems to be a program called launch2net, made by a Finnish company I believe, and I tried a trial and it's way superior to SierraWatcher.  Yet maybe it's the exchange rate, but it costs 75 euros, currently $106 USD, and I don't think you'll find anyone out there arguing that a modem dialing piece of software is worth that much. $25 maybe... but over $100?  Give me a break.  So I had a slip in my "no pirated software" philosophy and did a Google search for "launch2net warez" which resulted in a site with an incredible scam.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_VwuHozUF70U/Rv4Dv1KmDeI/AAAAAAAAAUE/2jA9Fvnt3mw/s1600-h/dollarwarez.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_VwuHozUF70U/Rv4Dv1KmDeI/AAAAAAAAAUE/2jA9Fvnt3mw/s320/dollarwarez.jpg" alt="" id="BLOGGER_PHOTO_ID_5115530346999713250" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;"&gt;The Scam:&lt;/span&gt; The site, dollarwarez.com, claims you can pay $1 to get access to the site by buying a 3-day trial membership to any of its porn affiliates, which costs only $1, natch.  Make a successful purchase and return to dollarwarez and enter the code you're provided by the porn affiliate to get access. Only, the code doesn't work.  The email address on the site for support doesn't work. 
You've just been screwed, and dollarwarez has made a big profit off you by the payment the porn affiliate will send them for signing up a new customer. What's worse, if you forget to cancel your three-day trial membership (and a high percentage of people probably do), then your credit card will be billed monthly every month until cancellation, which results in a perpetual payout for dollarwarez for operating a bogus site.  Of course, you (or I, whatever) surfed there looking for free (illegal) software warez downloads, so who's going to call the BBB on them?  It's a scam that works because the scammed party (in this case myself) basically "deserved" it.  Still, they're scum.  Be warned.&lt;br /&gt;&lt;br /&gt;Guess I'll have to settle for using the sucky SierraWatcher for Mac OS X for the time being, until the guys who make launch2net learn how to price competitively.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-7995173912361071006?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/7995173912361071006/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=7995173912361071006' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7995173912361071006'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7995173912361071006'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/09/warez-scam-of-century.html' title='Warez Scam of the Century'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_VwuHozUF70U/Rv4Dv1KmDeI/AAAAAAAAAUE/2jA9Fvnt3mw/s72-c/dollarwarez.jpg' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-306024089101473201</id><published>2007-09-27T20:14:00.000-04:00</published><updated>2007-09-28T23:08:29.192-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><category scheme='http://www.blogger.com/atom/ns#' term='spooks'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>U.S. Government Hacking</title><content type='html'>The identity of the hacker who targeted me is of course unknown; hence the reason for this blog. But the possibility that it could have been the U.S. government itself is truly disturbing.  It's hard to believe we are living in an Orwellian police state in this country, but the evidence is all around us: the government's use of &lt;a href="http://news.zdnet.com/2100-1009_22-6197020.html"&gt;spyware or "fedware"&lt;/a&gt; that can bypass a computer's security software altogether; the Bush Administration's program of &lt;a href="http://blog.wired.com/27bstroke6/2007/09/us-warrantless-.html"&gt;wiretapping without obtaining a warrant&lt;/a&gt;; the FBI's use of &lt;a href="http://www.news.com/FBI-snoop-tool-old-hat-for-hackers/2100-1001_3-276145.html?tag=item"&gt;trojan horses&lt;/a&gt; to get information on would-be drug dealers and other criminals (not just terrorists); and the Patriot Act, which has let all the above occur unchecked.  I thought the Patriot Act was supposed to help in finding and fighting terrorists, not in prosecuting America's own citizens without due process.  
I never really thought movies such as &lt;span style="font-style: italic;"&gt;Enemy of the State&lt;/span&gt; and &lt;span style="font-style: italic;"&gt;Minority Report&lt;/span&gt; were realistic.  Certainly they were pessimistic views of the future.  But it seems the future is here, and it's more &lt;span style="font-style: italic;"&gt;V for Vendetta&lt;/span&gt; than even Alan Moore would have predicted when he based the idea on Thatcher-era England in the '80s.&lt;br /&gt;&lt;br /&gt;All may not be lost, however.  The Courts seem to be striking down the above provisions of the Patriot Act as &lt;a href="http://blog.wired.com/27bstroke6/2007/09/court-strikes-2.html"&gt;unconstitutional&lt;/a&gt; with more regularity. Big Brother is here, but perhaps with enough light on this issue, he'll become a bit smaller.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-306024089101473201?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/306024089101473201/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=306024089101473201' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/306024089101473201'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/306024089101473201'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/09/us-government-hacking.html' title='U.S. 
Government Hacking'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-7772067782616630105</id><published>2007-09-27T18:45:00.000-04:00</published><updated>2007-09-29T03:44:28.755-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mac os x'/><category scheme='http://www.blogger.com/atom/ns#' term='annoyances'/><title type='text'>MacBook Firmware Upgrade Annoyance</title><content type='html'>Mac annoyances pop up almost as frequently as with my PC.  Today, for instance, I upgraded my MacBook's firmware to 1.1 using the downloaded "MacBook EFI Firmware Update" patch, available today from Apple.  After reboot I was greeted with yet another opportunity to enter an old password.  I changed the computer name from [name redacted to protect my identity] some time ago... yet there it appears on the screen.  Of course entering old passwords doesn't work.  Canceling the dialog box altogether seems to be a stopgap measure for now.&lt;span style="text-decoration: underline;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_VwuHozUF70U/Rv4BzFKmDdI/AAAAAAAAAT8/b51AM1xXSHs/s1600-h/dsc00646_1.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_VwuHozUF70U/Rv4BzFKmDdI/AAAAAAAAAT8/b51AM1xXSHs/s320/dsc00646_1.jpg" alt="" id="BLOGGER_PHOTO_ID_5115528203811032530" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Update [9/28/07]: &lt;/span&gt;The dialog box has stopped appearing altogether. That's one thing Macs seem to do a lot better than PCs: fix themselves. How they do so, beats the hell out of me. 
I guess I should just be grateful, albeit confused.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-7772067782616630105?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/7772067782616630105/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=7772067782616630105' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7772067782616630105'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/7772067782616630105'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/09/macbook-firmware-upgrade-annoyance.html' title='MacBook Firmware Upgrade Annoyance'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_VwuHozUF70U/Rv4BzFKmDdI/AAAAAAAAAT8/b51AM1xXSHs/s72-c/dsc00646_1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1449811636556335442.post-2495451985903029720</id><published>2007-09-26T12:25:00.000-04:00</published><updated>2007-10-16T19:19:48.945-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Figure Out Who Hacked Me... 
Win $1,000,000</title><content type='html'>Okay so that's stretching it, but you will at least win my undying admiration.  Here's the puzzle: for a year and a half or more I was (and may currently still be) under constant relentless attack by unnamed hacker(s).  Why? I have no clue... maybe it was a personal vendetta, maybe it was industrial sabotage, or maybe it was just sheer boredom.  But the attacks were real, yet everyone around me thought I was losing it.  People thought I was becoming Unabomber-paranoid, and almost everyone gently amused me but steered the conversation elsewhere should I ever bring it up in their presence (which was, like, constantly).  I spent thousands of dollars on new computer equipment, every antivirus and anti-spyware application in existence (or so it seemed), new routers, a firewall.... yet these unseen menaces kept getting in my friggin' computer.  Finally I heeded the advice of several people to "Go get a Mac".  I thought things would be simple, that I'd finally be hacker-free.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;The very first day I set up my Mac&lt;/span&gt;, &lt;span style="font-weight: bold; color: rgb(153, 255, 153);"&gt;it was hacked as well&lt;/span&gt;&lt;span style="color: rgb(153, 255, 153);"&gt;.&lt;/span&gt;  Or so I claimed to everyone.  I bitched out my friends who touted the almighty Mac as the holy grail to fix my problems.  I'd spent $1800 on what -- a pretty MacBook just as or possibly even more susceptible to intentional hacking and malware.  (Truth be told, however, I &lt;span style="font-weight: bold;"&gt;am&lt;/span&gt; now a Mac convert).&lt;br /&gt;&lt;br /&gt;This begins the story, vague though this prologue is.  Hopefully you guys out there will be able to help me figure out, &lt;span style="font-weight: bold;"&gt;&lt;span style="color: rgb(153, 255, 153);"&gt;Was I hacked... 
or just paranoid?&lt;/span&gt;  &lt;/span&gt;I've kept many log files, screen captures, and a few notes in order to supplement my oh-so-fallible memory.  I'll post my recollections, supplemented by these logs and screenprints, in no particular order, in the hope of raising awareness and, just maybe, catching the damn bastard that made my life hell for two years plus.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1449811636556335442-2495451985903029720?l=hackednation.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackednation.blogspot.com/feeds/2495451985903029720/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1449811636556335442&amp;postID=2495451985903029720' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/2495451985903029720'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1449811636556335442/posts/default/2495451985903029720'/><link rel='alternate' type='text/html' href='http://hackednation.blogspot.com/2007/09/solve-puzzle-win-1000000.html' title='Figure Out Who Hacked Me... Win $1,000,000'/><author><name>Paul</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
