CACroll Small LANs
Welcome to CACroll Small LANs
Microsoft Windows is an incredibly complex operating system. Making an installation of computers running Windows work, at all, is a challenge. Making one work properly is even more of a challenge. Fortunately, thanks to the Internet, the problems which you may be observing today may have already been discussed, and resolved, by other folks before you. And there are many websites to give you advice, based upon those experiences.

Now, many websites offer you learned advice on various subjects; some on Windows Networking, as CACroll Small LANs does. Many websites are procedure oriented. If you know what to do, they will give you details showing you how you can use a particular wizard. But - if you don't know what to do, or how to solve a given problem, how are you going to find a solution? That's like using a dictionary - some folks think that you can learn how to spell a word, by looking it up in a dictionary.

CACroll Small LANs is organised by goal. For problem solving, it's organised by symptom. Now, it's not finished - few websites are ever actually finished. But give it a shot - it may have an answer or two for you.

If this is your first visit here, you may wish to start with the introduction, How To Get The Most Out Of CACroll Small LANs.

Having reviewed the site introduction, you may find that there are several ways to benefit from the material here.

And check out my Links page, for extra interests of mine.

More articles are added frequently, and existing articles are revised even more frequently. Check here regularly, using a newsfeed reader for best results. And tell your friends about CACroll Small LANs!


Common Problems and Resolutions

"Error = 5" aka "Access Denied"
"Error = 53" aka "Name Not Found"
Intermittent Connectivity Problems When Computer Is Idle
Intermittent Server Visibility Caused By The Restrictanonymous Setting
Intermittent WiFi Connectivity Problems Caused By WiFi Client Manager Conflicts
Internet Access Problems Caused By DNS Problems
Internet Connectivity Problems Caused By A Corrupt Or Hijacked Hosts File
Internet Connectivity Problems Caused By The MTU Setting
Irregularities In Access To Individual Shares On A Single Server
Irregularities In Access To Network Neighborhood (Workgroup)
Network Access Affected By Limited Or No Connectivity
Network Access Affected By LSP / Winsock / TCP/IP Corruption
Network Access Affected By NetBIOS Over TCP/IP Being Inconsistently Set
New Network Connections Wizard Functionality Damaged By System Restore
Server Access Affected By IRPStackSize
Server Access Affected By User Not Granted Requested Logon Type
Server Access Affected By Maximum Simultaneous Connections
Server Visibility Affected By The Invisibility Setting
Server Access And Visibility Affected By Personal Firewalls
Server Access and Visibility Affected By Less Known Registry Settings
Well Known, Yet Mysterious, Errors May Have Simple Resolutions



Asking For Help For Internet Connectivity Problems
Asking For Help For Network Neighborhood Problems
Hacking Defined
Layered Security
Malware (Adware / Spyware)
Network Neighborhood and the Browser
Networking Your Computers
Restrict Your Privileges
Solving Network Problems
Troubleshooting Internet Connectivity
Troubleshooting Network Neighborhood (Windows Networking)
WiFi Networking
WiFi Security
Windows Networking Concepts
Windows XP File Sharing


Current Events

August 26, 2006: Hacker sentenced to 37 months in prison
August 21, 2006: Pizza Order Credit Card Scam
August 13, 2006: August 2006 Patch Tuesday Report
August 7, 2006: Bots And You
July 6, 2006: Bump Keys - A Growing Security Problem
June 16, 2006: Patch Tuesday for June 2006
June 8, 2006: R.I.P., Windows 98, 98SE, ME, and XP SP1
June 7, 2006: Sharing The Pain
June 6, 2006: Happy Devil's Day

And more current events in PChuck's Network News, and in Today's Security Alert.


Diagnostic Procedures and Tools

CPSServ (NOTE: Requires download of PSTools (free))
Command Windows
Event Viewer
Finding, and Tracking, Computers On Your Network
Local Security Policy Editor
My Personal Toolbox
Net Config
Network Setup Wizard
Registry Editor
Services Wizard
Static Route Table
System Restore
Watching What Your Computer Is Doing
Windows Explorer
WiFi Environment Analysis
WindowsUpdate Log Interpretation


Using The Internet Properly

Bottom Post, Please
Download Software Selectively
Help Us To Help You
Getting Help On Usenet - And Believing What You're Told
How To Contact Me
How To Post On Usenet And Encourage Intelligent Answers
Interactive Problem Solving
Please Don't Hijack Threads
Please Don't Spread Viruses
Provide Diagnostic Data As Text, No Attachments or Images
Provide Essential Details When Asking For Help
Please Use BCC:


Networking / Security

Ad-Aware or Spybot S&D? You Decide
Beware Of Hidden Physical Personal Firewalls
Components Definition - Networking
Design Your Network Properly
Have Laptop Will Travel?
Computer Uniqueness and Security Needs
ICS Is Not The Only Possible Solution
Make Your Wireless Computer Connect Only To Your Network
NAT Router - What Is It?
NAT Routers With UPnP - Security Risk, or Benefit?
Online System Virus Scanning Services
Pop-Ups - How To Deal With Them
Protect Yourself - Restrict Your Privileges
Protect Yourself When Using A Public Computer
Protect Yourself When Using A Public WiFi LAN
Protect Your Hardware - Use A UPS
Quick Networking With A CrossOver Cable
Setting Up Two Routers On The Same LAN
Sharing Dial-up Internet Service With A Router
Spam Spam Spam - Spam Spam Glorious Spam: Early Spam, and Modern Spam.
SSID Broadcasts
WEP Just Isn't Enough Protection Anymore
WiFi Will Never Be As Fast As Ethernet


Windows Networking / File Sharing

Address Resolution On The LAN
Browsing and Multiple Subnets
Domain vs Workgroup? Plan Properly
Cleanup Your Protocol Stack
Components Definition - Windows Networking
Local Name and Address Resolution On Your Computer
One Use For IPX/SPX
Setting Up File Sharing Properly
Windows 9x (95/98/ME) and the Browser
Windows NT (NT/2000/XP/2003) and the Browser
Windows XP / 2000 On A Domain

Hacking Redefined
This article is an attempt to describe malware, its delivery mechanisms, its payloads, and its detection and prevention, in a canonical and objective format. Modern malware is taking on new forms so quickly that it's hard to comprehend how aggressively it's developed and deployed.

And even though it's malware, it's sometimes hard NOT to admire how professionally it's developed and deployed (as an IT professional only, NOT as a computer owner). Computer owners who become victims of hacking will NOT admire the tools, or the attackers.

One of the problems is how you describe what's happening. Which came first - the chicken or the egg? How do you define hacking, other than as what a hacker does?

For the purpose of this article, I make the following definitions.

Malware includes:

The people performing the Hacking Attacks have been formerly referred to as, variously:

In the past, this cross-referencing was not necessarily done. Classically, Malware was of a distinct nature, and one type of malware was not used by another type, or group, of Attackers. Today, we have combined Attacks, where:

The term Trojan refers classically to the ancient story of the Trojan Horse in Greece. A Trojan is software which travels, as a separate component, in a package of Host software that is requested by, and intentionally installed by, the Victim.

A Trojan can be anything from something as innocent as an extra toolbar, installed as a part of the Victim's browser and used to "enhance the browsing experience", to software that makes the Victim's computer act in a three role Spam delivery capacity. A Trojan typically requires action (wilful or otherwise) by the Victim to install.

A virus is software that travels as an integral part of Host software, that is intentionally installed by the Victim. A virus installs itself into an innocuous Host file, which is passed from Victim 1 to Victim 2. Both Victims intentionally pass the file, without either being aware of the total nature of its contents.

A worm is software that travels from Host to Host over a trusted medium, such as the computer network (with no firewalls in place), or email (with no malware / virus scanning software in place). A worm typically requires no action, or no intentional action anyway, by the Victim for propagation.

The classical Hacker was a disenfranchised teenager, hiding in his bedroom, attacking an individual computer owned by a single Victim, for amusement.

See, for instance, War Games, one of the earliest movies about Hackers.

Today, Hackers use programs that they may release as Trojans, as Viruses, or as Worms. The Hack, when installed on the Victim's computer, may make that computer part of a Botnet. A Botnet, an entire army of computers controlled by a Hacker, can be sold to individuals or corporations for delivery of Spam, for hosting of Adware or Spyware, or for the creation of even more Botnets. As of June 2005, the reported value of ONE bot was $.55 USD, thus a 10,000 member Botnet (a not at all abnormal number) could net the Hacker $5,000 or so.

So let's classify the malware.

We can classify it by delivery mechanism.

We can classify it by payload.

Malware Detection

So, if there's malware out there, how do we know what's out there? More importantly, how do we describe what's out there? And how do we remove what's on our computers, and then hopefully, keep it from coming back?

You have to know what's there before you can fight it. Knowing what's there is a matter of detecting it. Basic malware detection is based upon two alternate processes.

Behaviour analysis, also known as heuristic analysis, takes a suspect file (or a computer system), opens it (operates it), and sees what it does. Sophisticated heuristics are used by some antivirus / antitrojan products, which contain a sandbox, a replica of the operating system, within the AV / AT product code. A suspect file is copied into the sandbox, opened from within, and observed. If, on opening, it makes suspicious references to the system services provided by the (replica) operating system, it is suspected to be malware, and examined further.

Signature analysis takes the actual contents of the various bytes in a suspicious file, and mathematically calculates a hash of the contents. The hash becomes the signature, which is compared against a database listing known malware. If suspected malware has a hash matching known malware, it is determined to be malware.

Malware analysis can be done heuristically against the entire system. Note the difference between adware and spyware. The first will typically generate incoming network traffic; the second, outgoing.

By statefully looking for incoming or outgoing traffic, compared against what should be expected, malicious activity can be detected. Software designed to look for malicious incoming traffic will be better at detecting adware; software designed to look for malicious outgoing traffic will be better at detecting spyware.

Signature analysis is a much simpler process, but demands more work. To do a signature analysis of the system (a trojan or virus scan) requires taking each file, one at a time, on the entire system, generating a signature from the file, and comparing each against each entry in a very long list (database) of known malware. Multiply the number of files in your typical system, against the number of possible (known) malware, and you see what a massive effort that is. And each time a new set of signatures is produced (and with some antivirus products, it's multiple times / day), a rescan could be appropriate.

Some malware is encrypted, to fool the signature scanners. Malicious code is taken and subjected to rearrangement (packing), with some packing containing random operations which produce unpredictable results. Simple signature checking (and the bad guys, in some cases, know what procedures are followed to produce the signatures) won't detect packed code, which follows no known pattern. So suspect files have to be examined for unpacking code embedded in the file, and in some cases the unpacking has to be allowed to execute so the signature checking can take place. This makes signature checking even more complex, and more time consuming.

On the other hand, it's somewhat possible that having unpacking code in a file indicates that it's malware. Most legitimate code (excepting openly compressed files) does not use unpackers, as most legitimate code is already in an executable state. So when an AV / AT scan finds a file with an embedded unpacker, there is a strong possibility that the file contains malware. Of course, the malware still has to be analysed, to determine just what malware it is. But the scanner doesn't have to continue the heuristic analysis, just switch to the signature check.
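The signature check and the embedded-unpacker heuristic described above, as an added Python example (not code from this site): the signature database is built from inline sample bytes, and the packer marker strings and entropy threshold are assumptions chosen for illustration.

```python
import hashlib
import math

# Constructed signature database: hashes of "known bad" sample bytes built inline
# for this example. A real scanner would load a vendor-supplied signature feed.
KNOWN_BAD_SAMPLE = b"constructed-malicious-sample-bytes\x00\x01"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Constructed.Test.Sample"}

# Byte patterns an embedded unpacker may leave behind (assumed marker list for
# this example; "UPX0"/"UPX1" are the section names the UPX packer uses).
PACKER_MARKERS = [b"UPX0", b"UPX1"]


def file_signature(data: bytes) -> str:
    """Signature step: hash the file's bytes so they can be looked up exactly."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Packed or encrypted payloads approach 8.0; plain text and
    ordinary code sit well below it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Unpacker heuristic: a known packer marker, or near-random byte content.
    The threshold is an assumed value for this example."""
    return any(m in data for m in PACKER_MARKERS) or shannon_entropy(data) > threshold


def scan(data: bytes) -> dict:
    """Cheap exact signature check first; if it misses, fall back to the packing
    heuristic so a packed file is still surfaced for further analysis."""
    sig = file_signature(data)
    if sig in SIGNATURE_DB:
        return {"verdict": "known_malware", "name": SIGNATURE_DB[sig], "sha256": sig}
    if looks_packed(data):
        return {"verdict": "suspect_packed", "name": None, "sha256": sig}
    return {"verdict": "clean", "name": None, "sha256": sig}


if __name__ == "__main__":
    for sample in (KNOWN_BAD_SAMPLE, b"MZ" + b"\x00" * 64 + b"UPX0", b"hello world " * 20):
        print(scan(sample))
```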
