Sunday, November 4, 2007

Kernel Panic and Zip Bomb

My MacBook experienced what I think was called a Kernel Panic (see below screen capture) two days ago. I was unable to boot into the Mac OS X operating system, and had to perform a system restore from my OS X disc. Subsequently, I ran a virus scan using Sophos, which, according to the log, found a possible Zip Bomb (see below abridged scan log). This was recorded as an error but not a virus. I've never even heard of a Zip Bomb before, but Wikipedia defines it in this entry. Coincidence or unrelated? As my college Probability professor taught me, which I'll paraphrase, "correlation does not mean causation". I can find very little info online on bootroot.loader -- is this a zip bomb or a legitimate linux/OS X function?
Error: File not scanned (appears to be a ‘zip bomb’)
Joss Whedon:System:Library:PrivateFrameworks:MediaKit.framework: Versions:A:Resources:MKDrivers.bundle:Contents:Resources:bootroot.loader

Info: Immediate job completed at 1:39:36 PM on Saturday, November 3, 2007
512774 items scanned, 0 viruses detected, 5 errors
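The Sophos line above is a heuristic verdict, not a detection of malicious code: a scanner refuses to expand an archive whose declared (or actual) uncompressed size is wildly out of proportion to its compressed size, because a tiny file that inflates to gigabytes can exhaust disk and memory. As an added example (not from the original post, Sophos, or Apple), here is that check in Python, run against constructed sample archives; the thresholds and helper names are assumptions.

```python
"""Zip-bomb heuristic: inspect an archive before, and while, expanding it."""
import io
import zipfile
from dataclasses import dataclass

# Thresholds are constructed for this example, not taken from any scanner.
MAX_RATIO = 100.0                    # declared uncompressed/compressed above this is suspect
MAX_TOTAL_BYTES = 64 * 1024 * 1024   # never expand more than 64 MiB in total
CHUNK = 64 * 1024                    # decompress in bounded pieces


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    declared_ratio: float
    actual_bytes: int


def assess_zip(data: bytes) -> Verdict:
    """Apply the checks a scanner applies around an archive.

    1. Compare the declared uncompressed and compressed sizes in the central
       directory (cheap, but a crafted header can understate the real size).
    2. Decompress each entry in bounded chunks and stop as soon as the running
       byte count passes MAX_TOTAL_BYTES, so a lying header cannot exhaust the host.
    3. Flag nested archives, which need the same budget applied recursively.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return Verdict(True, f"not a valid zip: {exc}", 0.0, 0)
    infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    declared = sum(i.file_size for i in infos)
    if compressed:
        ratio = declared / compressed
    else:
        ratio = float("inf") if declared else 0.0   # empty archive is 0:1, not infinite
    if declared > MAX_TOTAL_BYTES:
        return Verdict(True, f"declared size {declared} exceeds cap", ratio, 0)
    if ratio > MAX_RATIO:
        return Verdict(True, f"declared ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1", ratio, 0)
    actual = 0
    for info in infos:
        with zf.open(info) as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    break
                actual += len(chunk)
                if actual > MAX_TOTAL_BYTES:   # header lied; stop before the host runs out
                    return Verdict(True, "expansion exceeded cap during decompression", ratio, actual)
        if info.filename.lower().endswith(".zip"):
            return Verdict(True, f"nested archive {info.filename}: rescan with the same budget", ratio, actual)
    return Verdict(False, "within limits", ratio, actual)


def make_zip(entries) -> bytes:
    """Build an in-memory DEFLATE zip from (name, payload) pairs (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary text archive and a zip-bomb-like one.
BENIGN_TEXT = "\n".join(f"item {i} scanned, no threat" for i in range(200)).encode()
BENIGN_ZIP = make_zip([("scanlog.txt", BENIGN_TEXT)])
# 16 MiB of zeros deflates to roughly 16 KiB, about 1000:1, the signature of a bomb.
BOMB_LIKE_ZIP = make_zip([("payload.bin", bytes(16 * 1024 * 1024))])
NESTED_ZIP = make_zip([("inner.zip", BENIGN_ZIP)])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("bomb-like", BOMB_LIKE_ZIP), ("nested", NESTED_ZIP)):
        print(label, assess_zip(blob))
```

A legitimate file can trip the ratio check too (large sparse or zero-filled images compress just as well), which is why the scanner logged it as an error rather than a virus.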

Sunday, October 21, 2007

SecurityFocus's "Attacking the Attackers"

There are a couple of very good, very hard to understand, articles on SecurityFocus's web site about fighting back against hackers. The articles are titled Malicious Malware: Attacking the Attackers, Part One, and Part Two. But can I tell you, they were so far over my head they could've been written in Chinese and I wouldn't know any more than I did when I started. However, the more technically proficient among you may learn something valuable. That you can then bring back to my site to help me catch my own bad guys. :-)

Tuesday, October 16, 2007

Portion of an interview with Jamie Butler on Rootkits

I just saw a pretty amazing video podcast available on iTunes from OnSecurity called Rootkits: Detecting the Threat with Jamie Butler. Mr. Butler is co-author of a book called Rootkits: Subverting the Windows Kernel (Addison-Wesley Software Security Series). Here is some enlightening dialogue:
Mr. Butler: Normally what has to be done is a complete reinstall of the operating system itself. And we've seen, um, over the last year, year to two years, the evolution of rootkits even into the hardware and BIOS spaces, where it's been demonstrated at Black Hat Federal and other conferences where a complete reinstall of the operating system may not be enough to get rid of the rootkit itself.
For months I could not understand why a complete wipe and reinstall of Windows Vista on my infected machine(s) resulted in the same damaged computer as before. At times I blamed an infected installation disk, or an infected hidden partition (from which many computer companies perform system reinstalls, eschewing disks altogether). Finally I was convinced the malware was coming straight from my Cable Internet provider (paranoia I realize, but I was basing this on the statement of a nemesis (who worked for Comcast) that "You would be amazed what we can do to your computer and what we can see"). Over time my infected computer's security had essentially been completely wiped out. Services I disabled automatically re-enabled themselves. At certain points my system was visibly under the control of an unseen entity/hacker. I described the problem to friends, and they told me what I was explaining to them was science fiction, and used the "P" word to describe me again. Now thanks to Mr. Butler I have some explanation that the events I was experiencing were and are real, but am now pessimistic that my one remaining Windows machine will ever be viable and may have to be trashed completely.

A relevant portion of the podcast can be seen below.

Securing Your Mac

There's a pretty good article in the November 2007 issue of MacWorld called Secure Your Mac. Beyond the offensively obvious items such as "Choose Strong Passwords", there are a couple of really good tips.
  1. Change Your Keychain Password. Many people (myself included) don't realize your keychain of passwords is entirely accessible once you log in to your Mac. Your Mac login unlocks the keychain, so if you step away from your computer, anyone can access without restriction your passwords for Airport settings and even web site passwords that Safari stores in the keychain. Solution: open Keychain Access, select Show Keychains, select your default keychain (usually called 'login'), then choose Edit | Change Password for Keychain, and choose a different password from your login.

  2. Encrypt Sensitive Files. Acknowledging the instability inherent in Mac's FileVault, MacWorld describes a better way to encrypt your sensitive data, by creating an encrypted disk image: In Disk Utility, create a new disk image by selecting File | New | Blank Disk Image. Under Encryption, select 'AES-128'. Select 'Sparse Disk Image' from the Format popup box, specify a name and location, and move all your sensitive files to this location once you mount the disk. Eject the disk when you're through editing/viewing these top-secret files.

Saturday, October 13, 2007

My Mac, the Server?

I admit I don't know Macs, I don't know networking, but is it normal that when I connect to the internet via my Airport Extreme my entire home folder becomes a server? Am I just not "getting" the way my Mac operates? When I connect to the Internet, the Server icon shows the following: Does that mean I am sharing my home folder (all users, all info) or that it is public? If my computer is a server, who is the client? I honestly hope I am being ignorant and paranoid here, but something seems amiss.

Thursday, October 11, 2007

Red Herrings

When one's computer is routinely hacked -- even though I still can't "prove" that it was -- one starts to think it's a personal vendetta at work, not a random act. It seems clear to me that the person or persons who perpetrated these attacks on me knew me; that they probably even had physical access to my computer. I have theories of how this was accomplished. So-called "social engineering" is the most probable: leaving an unmarked computer DVD for me to pop into my PC, unwittingly running a malware installer, for example. But the truth is, I still don't know when or how I was initially targeted (though I have some pretty good guesses as to why). If that's the case -- if a person is indeed "targeted" by a hacker, how can he be safe? Especially when both Windows and Mac computers come out-of-the-box essentially defenseless against such intrusions, with minimum security in place and, in the case of Windows (any variant), running a host of unneeded, security-reducing services by default.

Unfortunately, the paranoia such thoughts bring about is maddening. One sees "evidence" everywhere, signs pointing to one person or the other. Red herrings, as they call them in detective novels and movies. I've been led down several wrong paths, but have narrowed the list of suspects down to three serious ones. Each one has had opportunity (access to my machine), motive (let's just say I've made my share of enemies), and the amorality required to commit such an offense. I used to hang around with a group of people with let us say ... questionable scruples. What can I say, it's true: You lie down with dogs, you get fleas. But no one deserves to be put through what I've gone through. I plan in a later post to enumerate the direct and indirect costs -- such as time spent troubleshooting and reinstalling software -- this crap has cost me. I expect the figure to be astounding. I plan also on profiling (though not naming) each of these three Horsemen of the Apocalypse.

Norton Security Scan Clues (part 3)

Here are a couple of more-recent clues gleaned from the neutered but still-helpful Norton Security Scan. By this time I had ditched Comcast cable internet service in favor of AT&T's mobile broadband service (another expense, another dead end). First, Keyhost.exe, a normal process according to ProcessLibrary.com, or a Hijacker, hailing from jraun.com, says bleepingcomputer.com. Next up: StaffCop. It's spyware that captures screenshots and logs activity, storing the compromised confidential information inside the %System%\CSRSS folder, says Symantec. Lastly, Symantec categorizes the program Surf Sidekick, shown in the following screen capture, as Adware.
What's troublesome is that these latest screen captures were taken a little more than a month ago, after I started using my MacBook almost full-time and had only recently put the Windows machine back on the Web. More troublesome of course is that my current Antivirus (Kaspersky) and Antispyware (Spyware Doctor) solutions aren't finding any infections at all, though if my machine was already infected with Uber-Malware, and if it works as I suspect it does, then theoretically any legitimate download would be filtering through the Malware Host machine, which could then "neuter" or alter the program so that it becomes inert. Anyone out there know a Trojan or Rootkit with those properties?

Wednesday, October 10, 2007

Encryption in Vista and OS X: Not Worth It?

I read an article not long ago in Details magazine about white-hat hackers. I lost the issue, and I can't find a link, so I'm working from memory here. Anyway, a government security guy who recruits white-hat (i.e., ethical) hackers stated that he was worried about the heavy-duty encryption (called BitLocker) found in Vista Ultimate (no other versions of Vista include this feature). He said he was worried about it from a National-security perspective, but BitLocker is also supposed to make it much harder for your PC to be hacked into.

I bought a Toshiba laptop (a great machine, really) with Vista Ultimate, one of my many purchases (this one roughly $1,400) in an attempt to foil my already-hacked home network. No sooner had I plugged the machine into the ethernet cable to my modem than it seemed to be hacked again. I ran all the Microsoft security updates as soon as possible, but it was too late. Very quickly, my PC looked like it was running a copy of Virtual PC or something. Windows showed me being on a "network" which was composed of an intermediary computer between me and the internet. I wasn't on a network at all. When I tried to download and install BitLocker (although it's a Vista Ultimate feature, it still requires a download) a weird error denied my enabling the feature. Drive wipes and reinstalls didn't help. Was my mystery hacker to blame, or is Microsoft?

I ran into similar, though less paranoia-inducing, problems with OS X's FileVault (the Mac version of this strong disk encryption). My computer kept freezing, unable to recover from Sleep Mode, requiring constant restarts. Apparently this corrupted the FileVault, resulting in the below message. I ended up losing a lot of data, and found a bunch of common threads on the topic stating that the system freeze issue was a common one but pretty much unexplained at this time. Of course Apple takes no responsibility for this. As with all software companies, the warranty for the software excludes them from any sort of liability for damage that their bugs cause the end user. Bottom line of those threads was not to use FileVault on an administrator account at all. Thanks for the heads-up Apple! I've given up on FileVault altogether, though don't get me wrong, I'm still an Apple convert. Compared to Microsoft, Apple's products are far and away superior.

Tuesday, October 9, 2007

"In the end there can only be one..."

After more than a year and at least a couple grand spent trying to outwit the hackers who were intent on terrorizing me, I took several friends' advice and went out to buy a Mac. I was at my wit's end, sure that the Uber-Malware was entering directly from Comcast, my cable provider (a former "friend" of mine who worked for Comcast alluded to that fact). I took all the cash I had, and went to the local Apple store and bought a MacBook, spending $1800, at least $800 more than I would spend for a comparable PC. But if it was secure, as all my friends contended, then it would be worth it.

The same day I brought my MacBook home, a friend-of-a-friend Mac "expert" took a look at it and said "This computer isn't behaving very Mac-like," a frown creasing his forehead. I didn't know what "Mac-like" behavior was of course -- I had nothing to compare it to. Of course the statement scared me, especially since this person supposedly knew nothing of my ridiculously unfixable PC security issues. But at the end of the session he seemed convinced my computer was okay. Then a few days later, my outbound firewall popped up the below message. Along with the ordinary request for permission of a program to have outbound internet access, there was this message at the end: "In the end there can be only one. The quick brown fox jumped over the lazy dog." To this day I am not sure how or why that message popped up. It happened several times before I deleted the software (Internet Cleanup 4.0) and replaced it with LittleSnitch. The first line I believe is from Highlander. The second if I am not mistaken is from The Matrix, but I could be wrong. Was someone trying to tell me something, or was this some glitch in the code of the software? Googling the term yielded no result, so my instincts led me to believe it was the former.

Thursday, October 4, 2007

Norton Security Scan Clues (part 2)

I think it's a bit ironic that I spent hundreds of dollars on antivirus and antispyware software, yet the one that really gave me "clear and convincing evidence" of a breach to my Vista PC's security was a little freebie utility called Norton Security Scan, (included in Blogger's parent company's self-titled Google Pack). But don't get me wrong, it's not like Norton Security Scan really worked, and actually discovered the malware I contend my PC was infected with. Like all the other products, it loudly proclaimed my computer to be free of all viruses and spyware. But the following screen captures show a couple of other gems apparently either hiding on my PC or -- more likely in my opinion -- residing on the host computer. It became my theory, and still is, that my machine became (and probably still is) a client to a hacker's host computer, with him pulling all the strings. I am guessing that I connected to his machine transparently upon log-on if there was an internet connection. And if there was no connection, my computer synced with his at the first opportunity.

The first of two more incriminating screen captures from Norton Security Scan shows a file called dnsrxpob.exe, below, in the c:\windows\system32 folder. I knew from my limited knowledge that the system32 folder is where a lot of malware likes to hide out. Googling the file name, I found out that it's evidence of a mass-mailing Worm that Symantec calls W32.Stration.DD@mm (how do they come up with these names?). Info about this worm can be found on Symantec's site. The second screen capture, below, shows Swartax. This one's name alone kind of made me think "malware", and sure enough, it's a Trojan/Backdoor according to Sophos's threat analysis. Pausing the scanner to take screen captures and notes led, again, however, to a "spontaneous" reboot of my Vista PC. I felt a mixture of elation to finally be "onto him" (whoever "he" was/is), and dread that no software I installed seemed capable of actually discovering these files itself (I had to google them?!) and disinfecting my machine. My theories on that will be forthcoming.

Video Evidence?

I've posted two videos on my YouTube channel. I hope the resolution is good enough that you'll be able to see what I see in the videos. You tell me, is this evidence of hacking or not? The videos show a view of certain log files on my Vista media center PC (all my main computing is performed on my Mac, which hopefully has still remained uncompromised). As I scrolled and clicked through the entries, I knew that something "just wasn't right". It seemed to show a lot of weird stuff going on, but I am not a techie, and have no way to tell whether there's any real evidence there. Check these videos out. I will upload a higher-def version of the complete 17 minute-long video on a free FTP server, TBD.

And finally, this is part two. Again, the quality sucks I realize.

Update [10/5/07]: It took some time since I am fairly new to video editing, but the first of two higher-def videos is posted online at a free hosting site called Files Upload. Direct link to part one: hacking_evidence_or_not_1.mov. Direct link to part two: hacking_evidence_or_not_2.mov.

Monday, October 1, 2007

Norton Security Scan Clues (part 1)

I'm going to start calling the virus or other malware that attacked me less than 12 months ago (and possibly recently) Uber-Malware. Right now there's really no description more apt, it certainly won't get confused with other topics on this blog, and it sounds kinda cool. One thing this "Uber-Malware" did was, as it slowly infected my PC, it began disabling all my security applications. Every single one. This is commonplace behavior for a Trojan, I am sure. However, it made the apps appear to be working 100% correctly. But the spyware-finding and cleaning abilities in all of them were as fake as Joan Rivers'... pick a body part. They'd essentially been neutered. The only "problem" was, every antispyware and antivirus app I used would always result in zero viruses found, zero spyware applications, zero infections with malware... even, it turns out, zero cookies found from bad sites. In other words, the Uber-Malware was essentially too good at disabling my defenses, since I noticed right away that my antispyware program, which routinely returned dozens of "spyware" cookies from "bad sites" for me to delete, now returned none, yet my surfing habits had not changed. This was one clue something subversive was going on with my machine. Next, I noticed that if I ran Norton Security Scan (available as part of the Google Pack) and paid close attention to the destinations it was scanning, it was scanning entire folders and files that did not reside on my computer -- or so I thought. I was able to slow down Norton Security Scan considerably by running memory and processor-intensive applications at the same time, and by randomly performing screen captures. I caught one screen capture (below) that showed a shortcut for a program called PC Activity Monitor Standard on the Administrator's desktop. I was running the Administrator account when I found it, and that program was not on my desktop; in fact I had never even heard of it.
I performed subsequent identical scans, and was able to see that on the desktop of this other person's PC ("host PC"?) there were maybe half a dozen Remote Administration programs or other programs that could be used as Trojans! My PC seemed truly screwed. I knew I was on to something when my computer mysteriously, spontaneously rebooted when I had an incriminating screen capture like the one above paused on my screen. Could it be someone on the other side of a monitor somewhere, viewing my computer and terrorizing my life, figured out I was onto him?

Afterword: I did a google search for the program PC Activity Monitor Standard and found no information on their site for how to detect or remove the program once it was installed. I find this infuriating, and think there's probably a consumer law about it that would apply.

Sunday, September 30, 2007

Unidentified Virus: x86_wcf-system.io.log~.zip

ClamXav discovered the following unidentified virus on my Mac, which no other antivirus program I have used has claimed is a virus. I am not sure whether it is a false positive or evidence of something insidious going on on my PC. It originated from my PC, where I did a search for all files containing the word "LOG" in them, and zipped them up to keep them as "evidence" in case something in there could later be used to track the hacker(s) I've mentioned before. I then transferred the .zip file to my Mac, where ClamXav said there was a virus contained in the zip file. The possibly infected file has the unwieldy name of x86_wcf-system.io.log_b03f5f7f11d50a3a_6.0.6000.16386_none_da9913e6bac66516.zip~RF478b4d4.TMP. If anyone has any info about the above file let me know. I plan on submitting it to McAfee or some other antivirus software vendor for analysis. Any recommendations on who to submit the file to would be appreciated as well.

Update: Apparently the virus was a null virus. I have no clue really how this relates to me and the incredibly sophisticated hacking that went on with my PC. This looks like a BB gun when what I need to find is a bazooka.

Friday, September 28, 2007

Warez Scam of the Century

I got scammed on a warez site yesterday, and have only myself to blame.

Background: I recently decided to pay for all my software, after the hacking issues that plagued my PC made the concept of "nothing in life is free" take on new meaning. Not to mention the fact that software developers need to get paid too, and I have always considered stealing wrong -- only that morality didn't seem to cover digital media. Go figure. However, I've had a financial crisis of late, and really wanted to replace the truly awful SierraWatcher software for Mac OS X (it connects my laptop to the internet via my AT&T AirCard 875U) with something better, and AT&T (née Cingular) doesn't support Macs, so their superior software is unavailable to me. My only option seems to be a program called launch2net, made by a Finnish company I believe, and I tried a trial and it's way superior to SierraWatcher. Yet maybe it's the exchange rate, but it costs 75 euros, currently $106 USD, and I don't think you'll find anyone out there arguing that a modem dialing piece of software is worth that much. $25 maybe... but over $100? Give me a break. So I had a slip in my "no pirated software" philosophy and did a Google search for "launch2net warez" which resulted in a site with an incredible scam. The Scam: The site, dollarwarez.com, claims you can pay $1 to get access to the site by buying a 3-day trial membership to any of its porn affiliates, which costs only $1, natch. Make a successful purchase and return to dollarwarez and enter the code you're provided by the porn affiliate to get access. Only, the code doesn't work. The email address on the site for support doesn't work. You've just been screwed, and dollarwarez has made a big profit off you by the payment the porn affiliate will send them for signing up a new customer.
What's worse, if you forget to cancel your three-day trial membership (and a high percentage of people probably do), then your credit card will be billed monthly every month until cancellation, which results in a perpetual payout for dollarwarez for operating a bogus site. Of course, you (or I, whatever) surfed there looking for free (illegal) software warez downloads, so who's going to call the BBB on them? It's a scam that works because the scammed party (in this case myself) basically "deserved" it. Still, they're scum. Be warned.

Guess I'll have to settle for using the sucky SierraWatcher for Mac OS X for the time being, until the guys who make launch2net learn how to price competitively.

Thursday, September 27, 2007

U.S. Government Hacking

The identity of the hacker who targeted me is of course unknown; hence the reason for this blog. But the possibility that it could have been the U.S. government itself is truly disturbing. It's hard to believe we are living in an Orwellian police state in this country, but the evidence is all around us: the government's use of spyware or "fedware" that can bypass a computer's security software altogether; the Bush Administration's program of wiretapping without obtaining a warrant; the FBI's use of trojan horses to get information on would-be drug dealers and other criminals (not just terrorists); and the Patriot Act, which has let all the above occur unchecked. I thought the Patriot Act was supposed to help in finding and fighting terrorists, not in prosecuting America's own citizens without due process. I never really thought movies such as Enemy of the State and Minority Report were realistic. Certainly they were pessimistic views of the future. But it seems the future is here, and it's more V for Vendetta than even Alan Moore would have predicted when he based the idea on Thatcher-era England in the '80s.

All may not be lost, however. The Courts seem to be striking down the above provisions of the Patriot Act as unconstitutional with more regularity. Big Brother is here, but perhaps with enough light on this issue, he'll become a bit smaller.

MacBook Firmware Upgrade Annoyance

Mac annoyances pop up almost as frequently as with my PC. Today, for instance, I upgraded my MacBook's firmware to 1.1 using the downloaded "MacBook EFI Firmware Update" patch, available today from Apple. After reboot I was greeted with yet another opportunity to enter an old password. I changed the computer name from [name redacted to protect my identity] some time ago... yet there it appears on the screen. Of course entering old passwords doesn't work. Canceling the dialog box altogether seems to be a stopgap measure for now. Update [9/28/07]: The dialog box has stopped appearing altogether. That's one thing Macs seem to do a lot better than PCs: fix themselves. How they do so, beats the hell out of me. I guess I should just be grateful, albeit confused.

Wednesday, September 26, 2007

Figure Out Who Hacked Me... Win $1,000,000

Okay so that's stretching it, but you will at least win my undying admiration. Here's the puzzle: for a year and a half or more I was (and may currently still be) under constant relentless attack by unnamed hacker(s). Why? I have no clue... maybe it was a personal vendetta, maybe it was industrial sabotage, or maybe it was just sheer boredom. But the attacks were real, yet everyone around me thought I was losing it. People thought I was becoming Unabomber-paranoid, and almost everyone gently amused me but steered the conversation elsewhere should I ever bring it up in their presence (which was, like, constantly). I spent thousands of dollars on new computer equipment, every antivirus and anti-spyware application in existence (or so it seemed), new routers, a firewall.... yet these unseen menaces kept getting in my friggin' computer. Finally I heeded the advice of several people to "Go get a Mac". I thought things would be simple, that I'd finally be hacker-free.

The very first day I set up my Mac, it was hacked as well. Or so I claimed to everyone. I bitched out my friends who touted the almighty Mac as the holy grail to fix my problems. I'd spent $1800 on what -- a pretty MacBook just as or possibly even more susceptible to intentional hacking and malware. (Truth be told, however, I am now a Mac convert).

This begins the story, vague though this prologue is. Hopefully you guys out there will be able to help me figure out, Was I hacked... or just paranoid? I've kept many log files, screen captures, and a few notes in order to supplement my oh-so-fallible memory. I'll post my recollections, supplemented by these logs and screenprints, in no particular order, in the hope of raising awareness and, just maybe, catching the damn bastard that made my life hell for two years plus.