Sunday, October 21, 2007

SecurityFocus's "Attacking the Attackers"

There are a couple of very good, very hard-to-understand articles on SecurityFocus's web site about fighting back against hackers. The articles are titled Malicious Malware: Attacking the Attackers, Part One, and Part Two. But can I tell you, they were so far over my head they could've been written in Chinese and I wouldn't know any more than I did when I started. However, the more technically proficient among you may learn something valuable. That you can then bring back to my site to help me catch my own bad guys. :-)

Tuesday, October 16, 2007

Portion of an interview with Jamie Butler on Rootkits

I just saw a pretty amazing video podcast available on iTunes from OnSecurity called Rootkits: Detecting the Threat with Jamie Butler. Mr. Butler is co-author of a book called Rootkits: Subverting the Windows Kernel (Addison-Wesley Software Security Series). Here is some enlightening dialogue:
Mr. Butler: Normally what has to be done is a complete reinstall of the operating system itself. And we've seen, um, over the last year, year to two years, the evolution of rootkits even into the hardware and BIOS spaces, where it's been demonstrated at Black Hat Federal and other conferences where a complete reinstall of the operating system may not be enough to get rid of the rootkit itself.
For months I could not understand why a complete wipe and reinstall of Windows Vista on my infected machine(s) resulted in the same damaged computer as before. At times I blamed an infected installation disk, or an infected hidden partition (from which many computer companies perform system reinstalls, eschewing disks altogether). Finally I was convinced the malware was coming straight from my cable Internet provider (paranoia, I realize, but I was basing this on the statement of a nemesis (who worked for Comcast) that "You would be amazed what we can do to your computer and what we can see."). Over time my infected computer's security had essentially been completely wiped out. Services I disabled automatically re-enabled themselves. At certain points my system was visibly under the control of an unseen entity/hacker. I described the problem to friends, and they told me what I was explaining to them was science fiction, and used the "P" word to describe me again. Now thanks to Mr. Butler I have some explanation that the events I was experiencing were and are real, but am now pessimistic that my one remaining Windows machine will ever be viable and may have to be trashed completely.

A relevant portion of the podcast can be seen below.

Securing Your Mac

There's a pretty good article in the November 2007 issue of MacWorld called Secure Your Mac. Beyond the offensively obvious items such as "Choose Strong Passwords", there are a couple of really good tips.
  1. Change Your Keychain Password. Many people (myself included) don't realize your keychain of passwords is entirely accessible once you log in to your Mac. Your Mac login unlocks the keychain, so if you step away from your computer, anyone can access without restriction your passwords for Airport settings and even web site passwords that Safari stores in the keychain. Solution: open Keychain Access, select Show Keychains, select your default keychain (usually called 'login'), then choose Edit | Change Password for Keychain, and choose a different password from your login.

  2. Encrypt Sensitive Files. Acknowledging the instability inherent in Mac's FileVault, MacWorld describes a better way to encrypt your sensitive data, by creating an encrypted disk image: In Disk Utility, create a new disk image by selecting File | New | Blank Disk Image. Under Encryption, select 'AES-128'. Select 'Sparse Disk Image' from the Format popup box, specify a name and location, and move all your sensitive files to this location once you mount the disk. Eject the disk when you're through editing/viewing these top-secret files.
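The two tips above are given as GUI steps. As an added example (not from the MacWorld article or from this blog), the same hardening can be scripted with the macOS command-line tools hdiutil(1) and security(1). The image path, volume name, size and the 300-second lock timeout are constructed placeholders; the passphrase is fed on stdin so it never appears in the command line or shell history. On a machine without these tools the functions return 2 instead of doing anything.

```shell
#!/bin/sh
# Added example: command-line equivalents of the MacWorld tips.
# Assumes macOS with hdiutil and security available; placeholders are constructed.

# True only where the macOS tools exist; callers return 2 otherwise.
have_mac_tools() {
    command -v hdiutil >/dev/null 2>&1 && command -v security >/dev/null 2>&1
}

# Tip 2: create an AES-128 encrypted sparse disk image.
# $1 image path (e.g. "$HOME/Private.sparseimage"), $2 volume name, $3 size (e.g. 500m).
# The passphrase is read from stdin via -stdinpass; pipe it in with printf.
create_encrypted_image() {
    image="$1"
    volname="$2"
    size="$3"
    have_mac_tools || { echo "hdiutil not found: macOS only" >&2; return 2; }
    hdiutil create -size "$size" -type SPARSE -fs HFS+J \
        -encryption AES-128 -stdinpass -volname "$volname" "$image"
}

# Mount the image (passphrase again arrives on stdin) and detach it when done.
mount_encrypted_image() {
    have_mac_tools || return 2
    hdiutil attach -stdinpass "$1"
}

eject_encrypted_volume() {
    have_mac_tools || return 2
    hdiutil detach "$1"   # $1 is the mounted volume path, e.g. /Volumes/Private
}

# Tip 1: give the login keychain a password different from the login password.
# security prompts interactively for the old and new passwords.
change_keychain_password() {
    have_mac_tools || return 2
    security set-keychain-password
}

# Extra hardening for the same risk: lock the default keychain when the Mac
# sleeps (-l) and after $1 seconds idle (-u -t), so stepping away does not
# leave the stored AirPort and web site passwords readable.
harden_login_keychain() {
    timeout="${1:-300}"
    have_mac_tools || { echo "security not found: macOS only" >&2; return 2; }
    security set-keychain-settings -l -u -t "$timeout"
}

# Typical use (constructed passphrase; use a real one read from a prompt):
#   printf '%s' "$PASSPHRASE" | create_encrypted_image "$HOME/Private.sparseimage" Private 500m
#   printf '%s' "$PASSPHRASE" | mount_encrypted_image "$HOME/Private.sparseimage"
#   ...work inside /Volumes/Private...
#   eject_encrypted_volume /Volumes/Private
#   harden_login_keychain 300
```

Sparse images grow only as files are added, which is why the article recommends that format; the keychain auto-lock complements the separate keychain password, since a locked keychain prompts for that password before Safari or Keychain Access can read any entry.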

Saturday, October 13, 2007

My Mac, the Server?

I admit I don't know Macs, I don't know networking, but is it normal that when I connect to the internet via my Airport Extreme my entire home folder becomes a server? Am I just not "getting" the way my Mac operates? When I connect to the Internet, the Server icon shows the following: Does that mean I am sharing my home folder (all users, all info) or that it is public? If my computer is a server, who is the client? I honestly hope I am being ignorant and paranoid here, but something seems amiss.

Thursday, October 11, 2007

Red Herrings

When one's computer is routinely hacked -- even though I still can't "prove" that it was -- one starts to think it's a personal vendetta at work, not a random act. It seems clear to me that the person or persons who perpetrated these attacks on me knew me; that they probably even had physical access to my computer. I have theories of how this was accomplished. So-called "social engineering" is the most probable: leaving an unmarked computer DVD for me to pop into my PC, unwittingly running a malware installer, for example. But the truth is, I still don't know when or how I was initially targeted (though I have some pretty good guesses as to why). If that's the case -- if a person is indeed "targeted" by a hacker, how can he be safe? Especially when both Windows and Mac computers come out-of-the-box essentially defenseless against such intrusions, with minimum security in place and, in the case of Windows (any variant), running a host of unneeded, security-reducing services by default.

Unfortunately, the paranoia such thoughts bring about are maddening. One sees "evidence" everywhere, signs pointing to one person or the other. Red herrings, as they call them in detective novels and movies. I've been led down several wrong paths, but have narrowed the list of suspects down to three serious ones. Each one has had opportunity (access to my machine), motive (let's just say I've made my share of enemies), and the amorality required to commit such an offense. I used to hang around with a group of people with let us say ... questionable scruples. What can I say, it's true: You lay down with dogs, you get fleas. But no one deserves to be put through what I've gone through. I plan in a later post to enumerate the direct and indirect costs -- such as time spent troubleshooting and reinstalling software -- this crap has cost me. I expect the figure to be astounding. I plan also on profiling (though not naming) each of these three Horsemen of the Apocalypse.

Norton Security Scan Clues (part 3)

Here are a couple of more-recent clues gleaned from the neutered but still-helpful Norton Security Scan. By this time I had ditched Comcast cable internet service in favor of AT&T's mobile broadband service (another expense, another dead end). First, Keyhost.exe, a normal process according to ProcessLibrary.com, or a Hijacker hailing from jraun.com, says bleepingcomputer.com. Next up: StaffCop. It's spyware that captures screenshots and logs activity, storing the compromised confidential information inside the %System%\CSRSS folder, says Symantec. Lastly, Symantec categorizes the program Surf Sidekick, shown in the following screen capture, as Adware.

What's troublesome is that these latest screen captures were taken a little more than a month ago, after I started using my MacBook almost full-time and had only recently put the Windows machine back on the Web. More troublesome of course is that my current Antivirus (Kaspersky) and Antispyware (Spyware Doctor) solutions aren't finding any infections at all, though if my machine was already infected with Uber-Malware, and if it works as I suspect it does, then theoretically any legitimate download would be filtering through the Malware Host machine, which could then "neuter" or alter the program so that it becomes inert. Anyone out there know a Trojan or Rootkit with those properties?

Wednesday, October 10, 2007

Encryption in Vista and OS X: Not Worth It?

I read an article not long ago in Details magazine about white-hat hackers. I lost the issue, and I can't find a link, so I'm working from memory here. Anyway, a government security guy who recruits white-hat (i.e., ethical) hackers stated that he was worried about the heavy-duty encryption (called BitLocker) found in Vista Ultimate (no other versions of Vista include this feature). He said he was worried about it from a national-security perspective, but BitLocker is also supposed to make it much harder for your PC to be hacked into.

I bought a Toshiba laptop (a great machine, really) with Vista Ultimate, one of my many purchases (this one roughly $1,400) in an attempt to foil my already-hacked home network. No sooner had I plugged the machine into the ethernet cable to my modem than it seemed to be hacked again. I ran all the Microsoft security updates as soon as possible, but it was too late. Very quickly, my PC looked like it was running a copy of Virtual PC or something. Windows showed me being on a "network" which was composed of an intermediary computer between me and the internet. I wasn't on a network at all. When I tried to download and install BitLocker (although it's a Vista Ultimate feature, it still requires a download) a weird error denied my enabling the feature. Drive wipes and reinstalls didn't help. Was my mystery hacker to blame, or is Microsoft?

I ran into similar, though less paranoia-inducing, problems with OS X's FileVault (the Mac version of this strong disk encryption). My computer kept freezing, unable to recover from Sleep Mode, requiring constant restarts. Apparently this corrupted the FileVault, resulting in the below message. I ended up losing a lot of data, and found a bunch of common threads on the topic stating that the system freeze issue was a common one but pretty much unexplained at this time. Of course Apple takes no responsibility for this. As with all software companies, the warranty for the software excludes them from any sort of liability for damage that their bugs cause the end user. Bottom line of those threads was not to use FileVault on an administrator account at all. Thanks for the heads-up Apple! I've given up on FileVault altogether, though don't get me wrong, I'm still an Apple convert. Compared to Microsoft, Apple's products are far and away superior.

Tuesday, October 9, 2007

"In the end there can only be one..."

After more than a year and at least a couple grand spent trying to outwit the hackers who were intent on terrorizing me, I took several friends' advice and went out to buy a Mac. I was at my wit's end, sure that the Uber-Malware was entering directly from Comcast, my cable provider (a former "friend" of mine who worked for Comcast alluded to that fact). I took all the cash I had, and went to the local Apple store and bought a MacBook, spending $1800, at least $800 more than I would spend for a comparable PC. But if it was secure, as all my friends contended, then it would be worth it.

The same day I brought my MacBook home, a friend-of-a-friend Mac "expert" took a look at it and said "This computer isn't behaving very Mac-like," a frown creasing his forehead. I didn't know what "Mac-like" behavior was of course -- I had nothing to compare it to. Of course the statement scared me, especially since this person supposedly knew nothing of my ridiculously unfixable PC security issues. But at the end of the session he seemed convinced my computer was okay. Then a few days later, my outbound firewall popped up the below message. Along with the ordinary request for permission of a program to have outbound internet access, there was this message at the end: "In the end there can be only one. The quick brown fox jumped over the lazy dog." To this day I am not sure how or why that message popped up. It happened several times before I deleted the software (Internet Cleanup 4.0) and replaced it with LittleSnitch. The first line I believe is from Highlander. The second if I am not mistaken is from The Matrix, but I could be wrong. Was someone trying to tell me something, or was this some glitch in the code of the software? Googling the term yielded no result, so my instincts led me to believe it was the former.

Thursday, October 4, 2007

Norton Security Scan Clues (part 2)

I think it's a bit ironic that I spent hundreds of dollars on antivirus and antispyware software, yet the one that really gave me "clear and convincing evidence" of a breach to my Vista PC's security was a little freebie utility called Norton Security Scan, (included in Blogger's parent company's self-titled Google Pack). But don't get me wrong, it's not like Norton Security Scan really worked, and actually discovered the malware I contend my PC was infected with. Like all the other products, it loudly proclaimed my computer to be free of all viruses and spyware. But the following screen captures show a couple of other gems apparently either hiding on my PC or -- more likely in my opinion -- residing on the host computer. It became my theory, and still is, that my machine became (and probably still is) a client to a hacker's host computer, with him pulling all the strings. I am guessing that I connected to his machine transparently upon log-on if there was an internet connection. And if there was no connection, my computer synced with his at the first opportunity.

The first of two more incriminating screen captures from Norton Security Scan shows a file called dnsrxpob.exe, below, in the c:\windows\system32 folder. I knew from my limited knowledge that the system32 folder is where a lot of malware likes to hide out. Googling the file name, I found out that it's evidence of a mass-mailing Worm that Symantec calls W32.Stration.DD@mm (how do they come up with these names?). Info about this worm can be found on Symantec's site. The second screen capture, below, shows Swartax. This one's name alone kind of made me think "malware", and sure enough, it's a Trojan/Backdoor according to Sophos's threat analysis. Pausing the scanner to take screen captures and notes led, again, however, to a "spontaneous" reboot of my Vista PC. I felt a mixture of elation to finally be "onto him" (whoever "he" was/is), and dread that no software I installed seemed capable of actually discovering these files themselves (I had to google them?!) and disinfecting my machine. My theories on that will be forthcoming.

Video Evidence?

I've posted two videos on my YouTube channel. I hope the resolution is good enough that you'll be able to see what I see in the videos. You tell me, is this evidence of hacking or not? The videos show a view of certain log files on my Vista media center PC (all my main computing is performed on my Mac, which hopefully has still remained uncompromised). As I scrolled and clicked through the entries, I knew that something "just wasn't right". It seemed to show a lot of weird stuff going on, but I am not a techie, and have no way to tell whether there's any real evidence there. Check these videos out. I will upload a higher-def version of the complete 17-minute-long video on a free FTP server, TBD.

And finally, this is part two. Again, the quality sucks I realize.

Update [10/5/07]: It took some time since I am fairly new to video editing, but the first of two higher-def videos is posted online at a free hosting site called Files Upload. Direct link to part one: hacking_evidence_or_not_1.mov. Direct link to part two: hacking_evidence_or_not_2.mov.

Monday, October 1, 2007

Norton Security Scan Clues (part 1)

I'm going to start calling the virus or other malware that attacked me less than 12 months ago (and possibly recently) Uber-Malware. Right now there's really no description more apt, it certainly won't get confused with other topics on this blog, and it sounds kinda cool. One thing this "Uber-Malware" did was, as it slowly infected my PC, it began disabling all my security applications. Every single one. This is commonplace behavior for a Trojan, I am sure. However, it made the apps appear to be working 100% correctly. But the spyware-finding and cleaning abilities in all of them were as fake as Joan Rivers'... pick a body part. They'd essentially been neutered. The only "problem" was, every antispyware and antivirus app I used would always result in zero viruses found, zero spyware applications, zero infections with malware... even, it turns out, zero cookies found from bad sites. In other words, the Uber-Malware was essentially too good at disabling my defenses, since I noticed right away that my antispyware program, which routinely returned dozens of "spyware" cookies from "bad sites" for me to delete, now returned none, yet my surfing habits had not changed. This was one clue something subversive was going on with my machine.

Next, I noticed that if I ran Norton Security Scan (available as part of the Google Pack) and paid close attention to the destinations it was scanning, it was scanning entire folders and files that did not reside on my computer -- or so I thought. I was able to slow down Norton Security Scan considerably by running memory and processor-intensive applications at the same time, and by randomly performing screen captures. I caught one screen capture (below) that showed a shortcut for a program called PC Activity Monitor Standard on the Administrator's desktop. I was running the Administrator account when I found it, and that program was not on my desktop; in fact I had never even heard of it.

I performed subsequent identical scans, and was able to see that on the desktop of this other person's PC ("host PC"?) there were maybe half a dozen Remote Administration programs or other programs that could be used as Trojans! My PC seemed truly screwed. I knew I was on to something when my computer mysteriously, spontaneously rebooted when I had an incriminating screen capture like the one above paused on my screen. Could it be someone on the other side of a monitor somewhere, viewing my computer and terrorizing my life, figured out I was onto him?

Afterward: I did a Google search for the program PC Activity Monitor Standard and found no information on their site for how to detect or remove the program once it was installed. I find this infuriating, and think there's probably a consumer law about it that would apply.