Friday, September 26, 2008

Closure!

More than a year after the fact, I found the answer to the hacking of my PC: the article SubVirt: Implementing malware with virtual machines. Reading this article, I instantly recognized the symptoms in the proof-of-concept described in it as identical to what I had experienced. A virtual machine monitor (VMM), running on a system such as VMware or Virtual PC, had supplanted my existing operating system, making it the guest (virtual) operating system running virtually in a directory of my hard drive. This was done by changing the boot routine at startup. After an initial reboot upon infection, the VMM is run as the core operating system, with the virtual operating system loading directly afterwards. A barely noticeable lag results upon bootup. Small differences will be noticed by the observant user, however. When a user attempts to shut down their infected system, the virtual machine instead puts the computer into a hibernation mode, and makes it appear as if the computer has shut down. (It is only upon an actual reboot that a user can detect the virtual machine malware, reinstall the operating system, etc.) Since the machine is running a virtual operating system, any antivirus or antispyware utilities can be made to look like they are working, when they are in fact doing nothing. I urge anyone who has experienced any problems such as the ones I've described in this blog to check out the SubVirt article. It describes in detail how to circumvent and prevent these attacks. I'll say again for the record that for the last year and a half, running a MacBook, I've been rid of these problems. Windows computers seem to be extremely vulnerable to this difficult-to-diagnose and difficult-to-eradicate attack. Good luck.

Tuesday, September 23, 2008

3 Essential Mac OS X Security Software Programs for PC Converts (Part 2: Little Snitch)

Mac OS X Leopard has a fairly decent built-in firewall, but it's an incoming firewall, protecting you from dangers from the outside (and it's turned off by default, which blows my mind). It does not prevent trojans already installed on your computer from sending all your data to a zombie computer somewhere in the cloud. You'll remember that Windows XP had the same problem, leading to the proliferation of excellent third-party products like my favorite, ZoneAlarm. Microsoft claims that Vista now offers outbound firewall protection, and its firewall can technically filter outbound connections, but outbound traffic is allowed by default and you have to write the blocking rules yourself; as I (and I am sure many users) can attest, it's virtually worthless. Don't just take my word for it, read the article at PC World. In all fairness, I should say that OS X does have the capability to enforce outbound filtering using ipfw, but that means writing packet-filter rules at the command line, much too advanced for me, and most of you I'd guess. So, what software can Mac users use to plug this security hole? While there are many out there, and I've tried a bunch, my favorite by far is Little Snitch.


In essence, Little Snitch complements the inbound firewall in the Mac OS X operating system. That firewall prevents hackers from getting in. Little Snitch, meanwhile, prevents applications from sending data outside your computer without being authorized. Certainly, there are many applications that will want to access the internet at any time for a variety of legitimate reasons. Many applications perform automatic updates, for example, and many others "phone home" to their developer to verify that you don't have a pirated product. But suppose, God forbid, you were infected with malware from a torrent site, for instance, or something else that occurred before you figured out you were required to turn on the OS X firewall (it's turned off by default -- come on Apple, I just don't get that). Or even something more mundane: suppose your jealous significant other has installed keyloggers and other spyware on your system (of course, he'll surely burn in hell, but that won't help you right now). Without an outbound firewall, malware could be sending just about your whole computer's contents to someone in Kazakhstan and you'd never know it. Enter Little Snitch.

The main screen of Little Snitch is the Configuration panel, shown above. Little Snitch is rule-based, with several rules pre-made to keep you from screwing things up on your Mac. Those rules are locked. You can unlock or lock rules at any time; the lock just prevents accidental changes to important rules. As a new program starts to access the internet, Little Snitch interrupts it, and a pop-up asks you whether you want to allow or deny that access, and how broadly you want to allow or deny it (specific ports, domains, types of connections, etc.). The configuration panel shows in red text software that has been deleted, so you can delete those rules if you want. Some programs will accumulate multiple rules, tempting you to give a higher level of clearance to that program (on my computer, for example, the constant jumping around of Skype to different domains every few seconds eventually forced me to set its rule to "Allow any connection". I just hope that doesn't come back to bite me on my butt). Other programs I use have twenty rules with as many domains or IP addresses. In such cases, perhaps allowing that program access to port 80 would be sufficient. Bear in mind that a port-only rule still lets the program reach any host on that port: it narrows what the program can do, not where it can send your data. And an "Allow any connection" rule covers whatever that executable does, including anything that has been tampered with or injected into it.
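
A model of the kind of policy the Configuration panel holds, written as an added example for this post (it is not Little Snitch's own engine and does not claim to reproduce its precedence rules): rules keyed on executable path, host (glob or CIDR) and port, evaluated first-match. The executable paths, hosts and the first-match semantics are assumptions made for this example. It shows why an "Allow any connection" rule is the weak setting (it passes a connection to any host on any port), how a port- or host-scoped rule sends the unexpected connection back to the pop-up instead, and how rule order decides whether a deny rule ever fires.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Executable paths assumed for the example.
SKYPE = "/Applications/Skype.app/Contents/MacOS/Skype"
FIREFOX = "/Applications/Firefox.app/Contents/MacOS/firefox"
UPDATER = "/Applications/SomeApp.app/Contents/MacOS/updater"


def host_matches(pattern: str, host: str) -> bool:
    """CIDR patterns match IP literals only; anything else is a case-insensitive glob."""
    if "/" in pattern:
        try:
            return ip_address(host) in ip_network(pattern, strict=False)
        except ValueError:  # host is a name, not an address: a CIDR rule cannot match it
            return False
    return fnmatch(host.lower(), pattern.lower())


@dataclass(frozen=True)
class Rule:
    process: str                # executable path glob; "*" = any process
    action: str                 # "allow" or "deny"
    host: str = "*"             # hostname glob such as "*.example.com", or a CIDR
    port: Optional[int] = None  # None = any port

    def matches(self, process: str, host: str, port: int) -> bool:
        return (fnmatch(process, self.process)
                and host_matches(self.host, host)
                and (self.port is None or self.port == port))


def decide(rules: List[Rule], process: str, host: str, port: int) -> str:
    """First matching rule wins. No match means the user gets the pop-up ("ask")."""
    for rule in rules:
        if rule.matches(process, host, port):
            return rule.action
    return "ask"


RULES = [
    Rule(SKYPE, "allow"),                                    # "Allow any connection": any host, any port
    Rule(FIREFOX, "allow", port=80),                         # browser: web ports only, any host
    Rule(FIREFOX, "allow", port=443),
    Rule(UPDATER, "allow", host="*.example.com", port=443),  # updater: vendor hosts only, 443 only
    Rule("*", "deny", host="192.168.0.0/16"),                # nothing to the LAN without asking
]

# Same rules with every deny ahead of every allow, so the LAN deny can fire
# even for a process that has an allow-any rule further down the list.
DENY_FIRST = [r for r in RULES if r.action == "deny"] + [r for r in RULES if r.action == "allow"]


if __name__ == "__main__":
    for name, rules in (("as listed", RULES), ("deny first", DENY_FIRST)):
        print(name)
        print("  Skype      -> 203.0.113.9:31337        ", decide(rules, SKYPE, "203.0.113.9", 31337))
        print("  Skype      -> 192.168.1.20:445         ", decide(rules, SKYPE, "192.168.1.20", 445))
        print("  firefox    -> update.mozilla.org:443   ", decide(rules, FIREFOX, "update.mozilla.org", 443))
        print("  firefox    -> irc.example.net:6667     ", decide(rules, FIREFOX, "irc.example.net", 6667))
        print("  /tmp/Skype -> 203.0.113.9:31337        ", decide(rules, "/tmp/Skype", "203.0.113.9", 31337))
```

With the rules in the order listed, the Skype allow-any rule passes a connection to a LAN file server on port 445 before the deny rule is ever consulted; with denies evaluated first it is blocked. A copy of Skype run from a different path matches nothing and goes to the pop-up, which is why rules should be keyed on the full path rather than a bare name.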

The menu bar on the Mac OS X screen shows a Little Snitch icon that displays a popup of activity when an application tries to access the internet. It can be somewhat disconcerting to the average Mac user, since many of the program names are operating system components that could mean anything and scare people who don't know better, and because the nagging popup is nearly constantly appearing. You can, however, turn that feature off, which I have.

It's a program that can really be learned through trial and error. Rules can be changed at any time or reset to the original initial rules to start over. For the sake of privacy, and based on my knowledge and personal history with the real danger of malware and hackers, Little Snitch is worth every penny.



VirusTotal Report: Trojan.ByteVerify

VirusTotal's report on my uploaded virus was instantaneous and presented me with the following report on the virus that Symantec.com dubbed Trojan.ByteVerify (each antivirus vendor has slightly different names for the universe of viruses):

File ms03011.jar-3847f8dc-50961bb6.zip received on 06.30.2008 14:04:16 (CET)
Antivirus          Result
(the Version and Last Update columns showed only "-" in the capture)
AhnLab-V3          (no detection)
AntiVir            EXP/Java.Bytver.5.B
Authentium         Java/Trojan!8746
Avast              JS:ClassLoader-7
AVG                Java/ByteVerify
BitDefender        Trojan.Exploit.Byteverify.V
CAT-QuickHeal      (no detection)
ClamAV             Java.Openconnection
DrWeb              VBS.Siggen.1989
eSafe              Trojan-Downloader.Ja
eTrust-Vet         Java/ByteVerify!exploit
Ewido              (no detection)
F-Prot             Java/Trojan!8746
F-Secure           Trojan-Downloader.Java.OpenConnection.ao
Fortinet           Java/ClassLoader.AU!tr
GData              Trojan-Downloader.Java.OpenConnection.ao
Ikarus             (no detection)
Kaspersky          Trojan-Downloader.Java.OpenConnection.ao
McAfee             Exploit-ByteVerify
Microsoft          Exploit:Java/ByteVerify.C
NOD32v2            Java/TrojanDownloader.OpenConnection
Norman             (no detection)
Panda              Exploit/ByteVerify
Prevx1             Cloaked Malware
Rising             Trojan.DL.Java.Jadoler.a
Sophos             Troj/ByteVeri-X
Sunbelt            (no detection)
Symantec           Trojan.ByteVerify
TheHacker          (no detection)
TrendMicro         JAVA_BYTEVER.BJ
VBA32              Trojan-Downloader.Java.Agent.a
VirusBuster        Java.DL.OpenConn.C
Webwasher-Gateway  Exploit.Java.Bytver.5.B
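
Tallying the report above programmatically, as an added example that is not part of the original post: the script below parses the flattened rows exactly as VirusTotal's table came through (engine name, two blank columns rendered as dashes, then the result, or a lone dash when the engine flagged nothing), counts how many engines detected the file, and groups the vendors' differing names into a family by keyword. The family keywords and the "other" bucket are this example's own choices; the rows are the ones on the page.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# The rows as they appear in the report above (engine, "-", "-", result).
REPORT_LINES = """\
AhnLab-V3---
AntiVir--EXP/Java.Bytver.5.B
Authentium--Java/Trojan!8746
Avast--JS:ClassLoader-7
AVG--Java/ByteVerify
BitDefender--Trojan.Exploit.Byteverify.V
CAT-QuickHeal---
ClamAV--Java.Openconnection
DrWeb--VBS.Siggen.1989
eSafe--Trojan-Downloader.Ja
eTrust-Vet--Java/ByteVerify!exploit
Ewido---
F-Prot--Java/Trojan!8746
F-Secure--Trojan-Downloader.Java.OpenConnection.ao
Fortinet--Java/ClassLoader.AU!tr
GData--Trojan-Downloader.Java.OpenConnection.ao
Ikarus---
Kaspersky--Trojan-Downloader.Java.OpenConnection.ao
McAfee--Exploit-ByteVerify
Microsoft--Exploit:Java/ByteVerify.C
NOD32v2--Java/TrojanDownloader.OpenConnection
Norman---
Panda--Exploit/ByteVerify
Prevx1--Cloaked Malware
Rising--Trojan.DL.Java.Jadoler.a
Sophos--Troj/ByteVeri-X
Sunbelt---
Symantec--Trojan.ByteVerify
TheHacker---
TrendMicro--JAVA_BYTEVER.BJ
VBA32--Trojan-Downloader.Java.Agent.a
VirusBuster--Java.DL.OpenConn.C
Webwasher-Gateway--Exploit.Java.Bytver.5.B
""".splitlines()

# Keywords chosen for this example; the first family whose keyword appears wins.
FAMILY_KEYWORDS = {
    "ByteVerify": ("bytever", "bytver"),      # covers ByteVerify, Byteveri-X, BYTEVER, Bytver
    "OpenConnection": ("openconn",),          # covers OpenConnection and OpenConn
    "ClassLoader": ("classloader",),
}


def parse_row(line: str) -> Tuple[str, Optional[str]]:
    """Split one flattened row into (engine, result). Engine names contain
    single hyphens (F-Secure, AhnLab-V3), so split at the first '--', which
    is the two blank columns rendered as dashes; a remaining lone '-' means
    the engine reported nothing."""
    engine, sep, rest = line.partition("--")
    if not sep:
        raise ValueError(f"unrecognised row: {line!r}")
    return engine, (None if rest == "-" else rest)


def family_of(result: str) -> str:
    low = result.lower()
    for family, keys in FAMILY_KEYWORDS.items():
        if any(k in low for k in keys):
            return family
    return "other"


def summarize(lines: List[str]) -> Dict[str, object]:
    rows = [parse_row(l) for l in lines if l.strip()]
    results = {engine: result for engine, result in rows if result}
    families = Counter(family_of(r) for r in results.values())
    return {
        "engines": len(rows),
        "detections": len(results),
        "ratio": f"{len(results)}/{len(rows)}",
        "families": dict(families),
        "results": results,
    }


def consensus(lines: List[str]) -> Optional[str]:
    """The family most vendors agree on, ignoring names too generic to group."""
    families = {f: n for f, n in summarize(lines)["families"].items() if f != "other"}
    return max(families, key=families.get) if families else None


if __name__ == "__main__":
    s = summarize(REPORT_LINES)
    print(f"{s['ratio']} engines flagged the file; families: {s['families']}")
    print("consensus family:", consensus(REPORT_LINES))
```

26 of 33 engines flag the file, and 11 of them name the ByteVerify family, so that is the name worth researching rather than a generic label such as "Cloaked Malware" or "Trojan-Downloader.Java.Agent.a". The jar's own name points the same way: MS03-011 is the Microsoft bulletin for the Java ByteCode Verifier flaw that ByteVerify exploits, and the `.jar-<hex>-<hex>.zip` suffix is the naming pattern the Java plug-in's applet cache uses for jars it has downloaded, which is consistent with a file that can only do harm to Microsoft's Java VM.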



Symantec says the virus infects only computers using Microsoft's operating system (no surprise there), but my philosophy is that viruses are like cockroaches: kill them just because.

3 Essential Mac OS X Security Software Programs for PC Converts (Part 1: Clam Xav 1.1)

Coming from a PC background, I'm a bit paranoid when it comes to computer security. It was a bit disconcerting for me to find not only the dearth of security products for Macs, and the lack of marquee names (McAfee VirusScan and Webroot's SpySweeper, for instance) that even produce security products for Macs, but also the prevailing attitude among longtime Mac users that security products, specifically antivirus programs, are basically unnecessary in a Mac environment. (I personally believe this is a false sense of security, although there is some truth in that assertion, but that will be the subject of another article.)

When I first purchased my MacBook, as a PC convert, I asked the salesman what I've since learned to be the most common question PC users ask when switching over to Macs: What security products should I use? The only product name given to me by the helpful Mac store sales rep was MacScan, an anti-spyware program (currently $29.99 for a single license from http://macscan.securemac.com/buy/). No antivirus program was recommended at all, and my initial research indicated that, at the time, the commercial programs for Macs (specifically Norton) had bad ratings and were used by very few people.

Welcome to the Mac Paradigm! I was also a bit shocked that my favorite financial software, Quicken, was essentially useless (at the time at least) on the Mac platform. Reviews were dismal. In the Mac Universe, most of the quality software in any given area is produced by names you've never heard of. Finding what's worth the money is a little bit of a challenge. Of course, these programs for the Mac by smaller developers also tend to cost less, so there's an upside to this phenomenon. But I digress.

After spending a while with my Mac, I settled on the following three security programs that I find indispensable, especially if you're a worrywart (as most of us who had PCs tended to be): the aforementioned MacScan; a free antivirus application called ClamXav (you'll forgive the naming of this little gem. That's what you get when your marketing budget is $0), and Little Snitch ($29.95 for one license), an outbound firewall program whose closest analogous PC program is probably ZoneAlarm (also free for the PC). This posting focuses on ClamXav.

ClamXav 1.1 Review (Mac OS X)


The user interface of ClamXav is very utilitarian, and the initial warning when loading the program each time is a bit jarring. If I can paraphrase, it basically says "Back up all your data before using me. You got this for free, so don't expect tech support, or any kind of restitution if things go wrong." The program preferences deserve tweaking in order to get the program to actually do anything. The default settings at the very least will not harm your system.

ClamXav's icon displays in the OS X menu bar, so you can easily access the program to perform occasional on-demand scans, or see the progress bar scanning files that have been added to or changed in your watch folders. This is pretty cool and definitely helpful.

ClamXav has some limitations. Chief among them, and mentioned on several popular websites, is the speed at which scans are performed compared to commercial programs in this field. But its virus definitions are updated daily, and the reports I've read say that its ability to find viruses rivals or betters those you'd spend $60 on [citation needed]. Unlike the antivirus solutions in the PC universe that I was used to, ClamXav does not have real-time scanning capabilities, except for the folders you select in what the program terms "Folder Sentry". I have my Downloads folder set to be scanned as items are put there, and that's about it. There is an option to delete or quarantine viruses upon detection, but that option is turned off by default, and is not recommended if you plan to scan e-mail (also turned off by default). Indeed, a quick Google search of ClamXav technical issues will lead to some quite disturbing issues people have had with the program deleting their entire inbox. So conservative settings of the program preferences have the end result that emails are not scanned upon arrival for infected messages. I have mine set to Not Scan Email, and to Quarantine (versus Delete) any found viruses. That is what I recommend, especially because false positives do happen.

Once a virus is found and moved to the quarantine folder, what does that mean exactly? Generally speaking, any or most found viruses will only be able to infect PC Users (or so I've been told by complacent Mac users), but does that mean I can just delete the file with impunity? Or, for that matter, leave them on my computer with impunity? I am still trying to figure that out. For my own edification, I'm going to submit the virus I recently found (the first in a year), a little ditty called "ms03011.jar-3847f8dc-50961bb6.zip" to a site I just discovered called Virus Total for analysis. Results of the analysis will be forthcoming.

You'll want to perform full system scans regularly (I scan the directory "/Users/[myusername]".) That's how I found the potentially harmful file above. Somehow it appeared in the Java system files without my knowledge. (Maybe it was that pirated version of Sim City 4 I downloaded. I guess I'll never learn my lesson.) Full scans do take quite a long time, but affect the performance of my MacBook only modestly.

For now I see no reason to spend a lot of money on commercial antivirus programs for my Mac when ClamXav does just about everything I need, for the right price.

Sunday, November 4, 2007

Kernel Panic and Zip Bomb

My MacBook experienced what I think was called a Kernel Panic (see below screen capture) two days ago. I was unable to boot into the Mac OS X operating system, and had to perform a system restore from my OS X disc. Subsequently, I ran a virus scan using Sophos, which, according to the log, found a possible Zip Bomb (see below abridged scan log). This was recorded as an error but not a virus. I've never even heard of a Zip Bomb before, but Wikipedia defines it in this entry. Coincidence or unrelated? As my college Probability professor taught me, which I'll paraphrase, "correlation does not mean causation". I can find very little info online on bootroot.loader -- is this a zip bomb or a legitimate linux/OS X function?
Error: File not scanned (appears to be a ‘zip bomb’)
Joss Whedon:System:Library:PrivateFrameworks:MediaKit.framework: Versions:A:Resources:MKDrivers.bundle:Contents:Resources:bootroot.loader

Info: Immediate job completed at 1:39:36 PM on Saturday, November 3, 2007
512774 items scanned, 0 viruses detected, 5 errors
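
What "appears to be a zip bomb" means in practice, as an added example for this post (it is not Sophos's logic and says nothing about the file named in the log): a scanner judges an archive from its central directory before inflating anything, looking at the declared uncompressed size and the ratio of declared to stored bytes, and opens small nested archives because the classic bomb hides its ratio one layer down. The thresholds, the 20 MiB archive of zeros used as the bomb, the benign archive and the nested variant are all constructed for this example.

```python
import io
import zipfile

# Thresholds are this example's own choices, not the scanner's.
MAX_RATIO = 100.0             # declared uncompressed bytes per stored byte
MAX_TOTAL = 100 * 1024 ** 2   # declared uncompressed bytes per archive
MAX_DEPTH = 3                 # how many levels of nested zip to open


def bounded_inflate(zf: zipfile.ZipFile, info: zipfile.ZipInfo, budget: int) -> bytes:
    """Inflate one member under a hard byte budget. Python's zipfile already
    stops at the size the central directory declares, but that figure is
    attacker-controlled, so the budget is enforced here regardless."""
    out = bytearray()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            out += chunk
            if len(out) > budget:
                raise ValueError(f"{info.filename}: inflated past {budget} bytes")
    return bytes(out)


def assess_zip(data: bytes, depth: int = 0) -> dict:
    """Judge an archive from its central directory (nothing is inflated to
    get the sizes), then open small nested zips and judge them the same way."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        stored = sum(i.compress_size for i in infos)
        if stored:
            ratio = declared / stored
        else:
            ratio = float("inf") if declared else 0.0
        if declared > MAX_TOTAL:
            reasons.append(f"declares {declared} bytes, limit is {MAX_TOTAL}")
        if ratio > MAX_RATIO:
            reasons.append(f"ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1")
        for info in infos:
            if not info.filename.lower().endswith(".zip"):
                continue
            if depth + 1 >= MAX_DEPTH:
                reasons.append(f"{info.filename}: nested deeper than {MAX_DEPTH}, not opened")
                continue
            try:
                inner = assess_zip(bounded_inflate(zf, info, MAX_TOTAL), depth + 1)
            except (zipfile.BadZipFile, ValueError) as exc:
                reasons.append(f"{info.filename}: {exc}")
                continue
            reasons.extend(f"{info.filename}: {r}" for r in inner["reasons"])
    return {"suspicious": bool(reasons), "declared": declared, "ratio": ratio, "reasons": reasons}


def _zip_bytes(members, compression=zipfile.ZIP_DEFLATED) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


def make_bomb(mebibytes: int = 20) -> bytes:
    """Constructed test archive: one member of zeros, which deflate shrinks about 1000:1."""
    return _zip_bytes([("zeros.bin", b"\0" * (mebibytes * 1024 ** 2))])


def make_benign() -> bytes:
    """Constructed test archive holding ordinary, mildly repetitive text."""
    text = "Info: Immediate job completed, 512774 items scanned, 0 viruses detected\n" * 8
    return _zip_bytes([("scan.log", text)])


def make_nested(inner: bytes) -> bytes:
    """Wrap an archive inside another one, stored uncompressed, so the outer
    archive's own ratio looks innocent."""
    return _zip_bytes([("inner.zip", inner)], compression=zipfile.ZIP_STORED)


if __name__ == "__main__":
    for label, blob in (("bomb", make_bomb()), ("benign", make_benign()),
                        ("nested", make_nested(make_bomb()))):
        v = assess_zip(blob)
        print(f"{label:7} {'suspicious' if v['suspicious'] else 'ok':10} "
              f"ratio={v['ratio']:.1f} {v['reasons']}")
```

The point for the log above: an error rather than a detection means the scanner declined to inflate the member at all, which is the safe failure for a real bomb and a harmless one for a legitimate but highly compressible file. The nested case is why a ratio check on the outer archive alone is not enough, and the inflate budget is why you never trust the declared sizes when you do decide to open something.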

Sunday, October 21, 2007

SecurityFocus's "Attacking the Attackers"

There are a couple of very good, very hard to understand, articles on SecurityFocus's web site about fighting back against hackers. The articles are titled Malicious Malware: Attacking the Attackers, Part One, and Part Two. But can I tell you, they were so far over my head they could've been written in Chinese and I wouldn't know any more than I did when I started. However, the more technically proficient among you may learn something valuable. That you can then bring back to my site to help me catch my own bad guys. :-)

Tuesday, October 16, 2007

Portion of an interview with Jamie Butler on Rootkits

I just saw a pretty amazing video podcast available on iTunes from OnSecurity called Rootkits: Detecting the Threat with Jamie Butler. Mr. Butler is co-author of a book called Rootkits: Subverting the Windows Kernel (Addison-Wesley Software Security Series). Here is some enlightening dialogue:
Mr. Butler: Normally what has to be done is a complete reinstall of the operating system itself. And we've seen, um, over the last year, year to two years, the evolution of rootkits even into the hardware and bios spaces, where it's been demonstrated at Black Hat Federal and other conferences where a complete reinstall of the operating system may not be enough to get rid of the rootkit itself.
For months I could not understand why a complete wipe and reinstall of Windows Vista on my infected machine(s) resulted in the same damaged computer as before. At times I blamed an infected installation disk, or an infected hidden partition (from which many computer companies perform system reinstalls, eschewing disks altogether). Finally I was convinced the malware was coming straight from my cable Internet provider (paranoia, I realize, but I was basing this on a nemesis's statement (he worked for Comcast) that "You would be amazed what we can do to your computer and what we can see"). Over time my infected computer's security had essentially been completely wiped out. Services I disabled automatically re-enabled themselves. At certain points my system was visibly under the control of an unseen entity/hacker. I described the problem to friends, and they told me what I was explaining to them was science fiction, and used the "P" word to describe me again. Now thanks to Mr. Butler I have some explanation that the events I was experiencing were and are real, but am now pessimistic that my one remaining Windows machine will ever be viable and may have to be trashed completely.

A relevant portion of the podcast can be seen below.

Securing Your Mac

There's a pretty good article in the November 2007 issue of MacWorld called Secure Your Mac. Beyond the offensively obvious items such as "Choose Strong Passwords", there are a couple of really good tips.
  1. Change Your Keychain Password. Many people (myself included) don't realize your keychain of passwords is entirely accessible once you log in to your Mac. Your Mac login unlocks the keychain, so if you step away from your computer, anyone can access without restriction your passwords for AirPort settings and even the web site passwords that Safari stores in the keychain. Solution: open Keychain Access, select Show Keychains, select your default keychain (usually called 'login'), then choose Edit | Change Password for Keychain, and choose a password different from your login password. The keychain will then no longer unlock automatically at login, which is the point; in the same Edit menu, Change Settings for Keychain lets you also have it lock after a period of inactivity and whenever the Mac sleeps.

  2. Encrypt Sensitive Files. Acknowledging the instability inherent in Mac's FileVault, MacWorld describes a better way to encrypt your sensitive data, by creating an encrypted disk image: In Disk Utility, create a new disk image by selecting File | New | Blank Disk Image. Under Encryption, select 'AES-128'. Select 'Sparse Disk Image' from the Format popup box, specify a name and location, and move all your sensitive files to this location once you mount the disk. When you are asked for the image's password, don't tick "Remember password in my keychain", or the image is only as protected as the login keychain in tip 1. Eject the disk when you're through editing/viewing these top-secret files.

Saturday, October 13, 2007

My Mac, the Server?

I admit I don't know Macs, I don't know networking, but is it normal that when I connect to the internet via my Airport Extreme my entire home folder becomes a server? Am I just not "getting" the way my Mac operates? When I connect to the Internet, the Server icon shows the following: Does that mean I am sharing my home folder (all users, all info) or that it is public? If my computer is a server, who is the client? I honestly hope I am being ignorant and paranoid here, but something seems amiss.

Thursday, October 11, 2007

Red Herrings

When one's computer is routinely hacked -- even though I still can't "prove" that it was -- one starts to think it's a personal vendetta at work, not a random act. It seems clear to me that the person or persons who perpetrated these attacks on me knew me; that they probably even had physical access to my computer. I have theories of how this was accomplished. So-called "social engineering" is the most probable: leaving an unmarked computer DVD for me to pop into my PC, unwittingly running a malware installer, for example. But the truth is, I still don't know when or how I was initially targeted (though I have some pretty good guesses as to why). If that's the case -- if a person is indeed "targeted" by a hacker, how can he be safe? Especially when both Windows and Mac computers come out-of-the-box essentially defenseless against such intrusions, with minimum security in place and, in the case of Windows (any variant), running a host of unneeded, security-reducing services by default.

Unfortunately, the paranoia such thoughts bring about is maddening. One sees "evidence" everywhere, signs pointing to one person or the other. Red herrings, as they call them in detective novels and movies. I've been led down several wrong paths, but have narrowed the list of suspects down to three serious ones. Each one has had opportunity (access to my machine), motive (let's just say I've made my share of enemies), and the amorality required to commit such an offense. I used to hang around with a group of people with, let us say, questionable scruples. What can I say, it's true: You lie down with dogs, you get fleas. But no one deserves to be put through what I've gone through. I plan in a later post to enumerate the direct and indirect costs -- such as time spent troubleshooting and reinstalling software -- this crap has cost me. I expect the figure to be astounding. I plan also on profiling (though not naming) each of these three Horsemen of the Apocalypse.

Norton Security Scan Clues (part 3)

Here are a couple of more-recent clues gleaned from the neutered but still-helpful Norton Security Scan. By this time I had ditched Comcast cable internet service in favor of AT&T's mobile broadband service (another expense, another dead end). First, Keyhost.exe, a normal process according to ProcessLibrary.com, or a hijacker hailing from jraun.com, says bleepingcomputer.com. Next up: StaffCop. It's spyware that captures screenshots and logs activity, storing the compromised confidential information inside the %System%\CSRSS folder, says Symantec. Lastly, Symantec categorizes the program Surf Sidekick, shown in the following screen capture, as Adware.
What's troublesome is that these latest screen captures were taken a little more than a month ago, after I started using my MacBook almost full-time and had only recently put the Windows machine back on the Web. More troublesome of course is that my current antivirus (Kaspersky) and antispyware (Spyware Doctor) solutions aren't finding any infections at all, though if my machine was already infected with Uber-Malware, and if it works as I suspect it does, then theoretically any legitimate download would be filtering through the malware host machine, which could then "neuter" or alter the program so that it becomes inert. Anyone out there know a Trojan or Rootkit with those properties?

Wednesday, October 10, 2007

Encryption in Vista and OS X: Not Worth It?

I read an article not long ago in Details magazine about white-hat hackers. I lost the issue, and I can't find a link, so I'm working from memory here. Anyway, a government security guy who recruits white-hat (i.e., ethical) hackers stated that he was worried about the heavy-duty encryption (called BitLocker) found in Vista Ultimate and Enterprise (no other editions of Vista include this feature). He said he was worried about it from a national-security perspective. BitLocker is often assumed to make a PC much harder to hack into, but it is full-volume encryption: it protects the data on a drive that is lost, stolen or booted from other media, and does nothing against an attacker on the network once Windows is running.

I bought a Toshiba laptop (a great machine, really) with Vista Ultimate, one of my many purchases (this one roughly $1,400) in an attempt to foil my already-hacked home network. No sooner had I plugged the machine into the ethernet cable to my modem than it seemed to be hacked again. I ran all the Microsoft security updates as soon as possible, but it was too late. Very quickly, my PC looked like it was running a copy of Virtual PC or something. Windows showed me being on a "network" which was composed of an intermediary computer between me and the internet. I wasn't on a network at all. When I tried to download and install BitLocker (although it's a Vista Ultimate feature, it still requires a download) a weird error denied my enabling the feature. Drive wipes and reinstalls didn't help. Was my mystery hacker to blame, or is Microsoft?

I ran into similar, though less paranoia-inducing, problems with OS X's FileVault (the Mac version of this strong disk encryption). My computer kept freezing, unable to recover from Sleep Mode, requiring constant restarts. Apparently this corrupted the FileVault, resulting in the below message. I ended up losing a lot of data, and found a bunch of common threads on the topic stating that the system freeze issue was a common one but pretty much unexplained at this time. Of course Apple takes no responsibility for this. As with all software companies, the warranty for the software excludes them from any sort of liability for damage that their bugs cause the end user. Bottom line of those threads was not to use FileVault on an administrator account at all. Thanks for the heads-up, Apple! I've given up on FileVault altogether, though don't get me wrong, I'm still an Apple convert. Compared to Microsoft, Apple's products are far and away superior.

Tuesday, October 9, 2007

"In the end there can only be one..."

After more than a year and at least a couple grand spent trying to outwit the hackers who were intent on terrorizing me, I took several friends' advice and went out to buy a Mac. I was at my wit's end, sure that the Uber-Malware was entering directly from Comcast, my cable provider (a former "friend" of mine who worked for Comcast alluded to that fact). I took all the cash I had, and went to the local Apple store and bought a MacBook, spending $1800, at least $800 more than I would spend for a comparable PC. But if it was secure, as all my friends contended, then it would be worth it.

The same day I brought my MacBook home, a friend-of-a-friend Mac "expert" took a look at it and said "This computer isn't behaving very Mac-like," a frown creasing his forehead. I didn't know what "Mac-like" behavior was of course -- I had nothing to compare it to. Of course the statement scared me, especially since this person supposedly knew nothing of my ridiculously unfixable PC security issues. But at the end of the session he seemed convinced my computer was okay. Then a few days later, my outbound firewall popped up the below message. Along with the ordinary request for permission of a program to have outbound internet access, there was this message at the end: "In the end there can be only one. The quick brown fox jumped over the lazy dog." To this day I am not sure how or why that message popped up. It happened several times before I deleted the software (Internet Cleanup 4.0) and replaced it with Little Snitch. The first line I believe is from Highlander. The second if I am not mistaken is from The Matrix, but I could be wrong. Was someone trying to tell me something, or was this some glitch in the code of the software? Googling the term yielded no result, so my instincts lead me to believe it was the former.

Thursday, October 4, 2007

Norton Security Scan Clues (part 2)

I think it's a bit ironic that I spent hundreds of dollars on antivirus and antispyware software, yet the one that really gave me "clear and convincing evidence" of a breach to my Vista PC's security was a little freebie utility called Norton Security Scan, (included in Blogger's parent company's self-titled Google Pack). But don't get me wrong, it's not like Norton Security Scan really worked, and actually discovered the malware I contend my PC was infected with. Like all the other products, it loudly proclaimed my computer to be free of all viruses and spyware. But the following screen captures show a couple of other gems apparently either hiding on my PC or -- more likely in my opinion -- residing on the host computer. It became my theory, and still is, that my machine became (and probably still is) a client to a hacker's host computer, with him pulling all the strings. I am guessing that I connected to his machine transparently upon log-on if there was an internet connection. And if there was no connection, my computer synced with his at the first opportunity.

The first of two more incriminating screen captures from Norton Security Scan shows a file called dnsrxpob.exe, below, in the c:\windows\system32 folder. I knew from my limited knowledge that the system32 folder is where a lot of malware likes to hide out. Googling the file name, I found out that it's evidence of a mass-mailing worm that Symantec calls W32.Stration.DD@mm (how do they come up with these names?). Info about this worm can be found on Symantec's site. The second screen capture, below, shows Swartax. This one's name alone kind of made me think "malware", and sure enough, it's a Trojan/Backdoor according to Sophos's threat analysis. Pausing the scanner to take screen captures and notes led, again, however, to a "spontaneous" reboot of my Vista PC. I felt a mixture of elation to finally be "onto him" (whoever "he" was/is), and dread that no software I installed seemed capable of actually discovering these files itself (I had to google them?!) and disinfecting my machine. My theories on that will be forthcoming.

Video Evidence?

I've posted two videos on my YouTube channel. I hope the resolution is good enough that you'll be able to see what I see in the videos. You tell me, is this evidence of hacking or not? The videos show a view of certain log files on my Vista media center PC (all my main computing is performed on my Mac, which hopefully has still remained uncompromised). As I scrolled and clicked through the entries, I knew that something "just wasn't right". It seemed to show a lot of weird stuff going on, but I am not a techie, and have no way to tell whether there's any real evidence there. Check these videos out. I will upload a higher-def version of the complete 17 minute-long video on a free FTP server, TBD.

And finally, this is part two. Again, the quality sucks I realize.

Update [10/5/07]: It took some time since I am fairly new to video editing, but the first of two higher-def videos is posted online at a free hosting site called Files Upload. Direct link to part one: hacking_evidence_or_not_1.mov. Direct link to part two: hacking_evidence_or_not_2.mov.