CACroll Small LANs
Welcome to CACroll Small LANs
Microsoft Windows is an incredibly complex operating system. Making an installation of computers running Windows work, at all, is a challenge. Making one work properly is even more of a challenge. Fortunately, thanks to the Internet, the problems which you may be observing today may have already been discussed, and resolved, by other folks before you. And there are many websites to give you advice, based upon those experiences.
Now, many websites offer you learned advice on various subjects; some on Windows Networking, as CACroll Small LANs does. Many websites are procedure oriented. If you know what to do, they will give you details showing you how you can use a particular wizard. But - if you don't know what to do, or how to solve a given problem, how are you going to find a solution? That's like using a dictionary - some folks think that you can learn how to spell a word, by looking it up in a dictionary.
CACroll Small LANs is organised by goal. For problem solving, it's organised by symptom. Now, it's not finished - few websites are ever actually finished. But give it a shot - it may have an answer or two for you.
If this is your first visit here, you may wish to start with the introduction, How To Get The Most Out Of CACroll Small LANs.
Having reviewed the site introduction, you may find that there are several ways to benefit from the material here.
- From my featured articles.
- This week's feature is a reminder to anybody installing a computer network, that Ethernet cannot be replaced by WiFi, without compromise and planning. The total bandwidth of a WiFi LAN is limited. You have to protect your LAN from your neighbors. And noise, both analogue and digital, will further reduce your bandwidth.
- Last week's feature was a pair of short pieces of advice about professional proactive techniques for ensuring that your computer, and network, are all running properly. Proactive monitoring of your computer, and of your network, can save you hours of wondering "what's up with this?" when something isn't running with its usual speediness. Learn about Finding, and Tracking, Computers On Your Network, and about Watching What Your Computer Is Doing, using free tools, each available for quick download.
- From the current list of known Problems and Resolutions, which present a lightweight view of the various subjects, indexed by symptom.
- From the various Tutorials, which present an in depth view of the various subjects, indexed by overall topic.
- From the individual articles, indexed by category.
- Current Events.
- Diagnostic Procedures and Tools.
- Using The Internet Properly.
- Networking / Security.
- Windows Networking / File Sharing
- By using the Google Search Engine.
And check out my Links page, for extra interests of mine.
More articles are added frequently, and existing articles are revised even more frequently. Check here regularly, using a newsfeed reader for best results. And tell your friends about CACroll Small LANs!
Common Problems and Resolutions
"Error = 5" aka "Access Denied"
"Error = 53" aka "Name Not Found"
Intermittent Connectivity Problems When Computer Is Idle
Intermittent Server Visibility Caused By The Restrictanonymous Setting
Intermittent WiFi Connectivity Problems Caused By WiFi Client Manager Conflicts
Internet Access Problems Caused By DNS Problems
Internet Connectivity Problems Caused By A Corrupt Or Hijacked Hosts File
Internet Connectivity Problems Caused By The MTU Setting
Irregularities In Access To Individual Shares On A Single Server
Irregularities In Access To Network Neighborhood (Workgroup)
Network Access Affected By Limited Or No Connectivity
Network Access Affected By LSP / Winsock / TCP/IP Corruption
Network Access Affected By NetBIOS Over TCP/IP Being Inconsistently Set
New Network Connections Wizard Functionality Damaged By System Restore
Server Access Affected By IRPStackSize
Server Access Affected By User Not Granted Requested Logon Type
Server Access Affected By Maximum Simultaneous Connections
Server Visibility Affected By The Invisibility Setting
Server Access And Visibility Affected By Personal Firewalls
Server Access and Visibility Affected By Less Known Registry Settings
Well Known, Yet Mysterious, Errors May Have Simple Resolutions
Tutorials
Asking For Help For Internet Connectivity Problems
Asking For Help For Network Neighborhood Problems
Hacking Defined
Layered Security
Malware (Adware / Spyware)
Network Neighborhood and the Browser
Networking Your Computers
Restrict Your Privileges
Solving Network Problems
Troubleshooting Internet Connectivity
Troubleshooting Network Neighborhood (Windows Networking)
WiFi Networking
WiFi Security
Windows Networking Concepts
Windows XP File Sharing
Current Events
August 26, 2006: Hacker sentenced to 37 months in prison
August 21, 2006: Pizza Order Credit Card Scam
August 13, 2006: August 2006 Patch Tuesday Report
August 7, 2006: Bots And You
July 6, 2006: Bump Keys - A Growing Security Problem
June 16, 2006: Patch Tuesday for June 2006
June 8, 2006: R.I.P., Windows 98, 98SE, ME, and XP SP1
June 7, 2006: Sharing The Pain
June 6, 2006: Happy Devil's Day
And more current events in PChuck's Network News, and in Today's Security Alert.
Diagnostic Procedures and Tools
Autoruns
Browstat
CDiag
CPSServ (NOTE: Requires download of PSTools (free)).
Command Windows
Event Viewer
Finding, and Tracking, Computers On Your Network
HijackThis
IPConfig
Local Security Policy Editor
My Personal Toolbox
Net Config
Network Setup Wizard
NTRights
Ping
PingPlotter
Registry Editor
Services Wizard
Static Route Table
System Restore
Watching What Your Computer Is Doing
Windows Explorer
WiFi Environment Analysis
WindowsUpdate Log Interpretation
Using The Internet Properly
Bottom Post, Please
Download Software Selectively
Help Us To Help You
Getting Help On Usenet - And Believing What You're Told
How To Contact Me
How To Post On Usenet And Encourage Intelligent Answers
Interactive Problem Solving
Please Don't Hijack Threads
Please Don't Spread Viruses
Provide Diagnostic Data As Text, No Attachments or Images
Provide Essential Details When Asking For Help
Please Use BCC:
Networking / Security
Ad-Aware or Spybot S&D? You Decide
Beware Of Hidden Physical Personal Firewalls
Components Definition - Networking
Design Your Network Properly
Have Laptop Will Travel?
Computer Uniqueness and Security Needs
ICS Is Not The Only Possible Solution
Make Your Wireless Computer Connect Only To Your Network
NAT Router - What Is It?
NAT Routers With UPnP - Security Risk, or Benefit?
Online System Virus Scanning Services
Pop-Ups - How To Deal With Them
Protect Yourself - Restrict Your Privileges
Protect Yourself When Using A Public Computer
Protect Yourself When Using A Public WiFi LAN
Protect Your Hardware - Use A UPS
Quick Networking With A CrossOver Cable
Setting Up Two Routers On The Same LAN
Sharing Dial-up Internet Service With A Router
Spam Spam Spam - Spam Spam Glorious Spam: Early Spam, and Modern Spam.
SSID Broadcasts
WEP Just Isn't Enough Protection Anymore
WiFi Will Never Be As Fast As Ethernet
Windows Networking / File Sharing
Address Resolution On The LAN
Browsing and Multiple Subnets
Domain vs Workgroup? Plan Properly
Cleanup Your Protocol Stack
Components Definition - Windows Networking
Local Name and Address Resolution On Your Computer
One Use For IPX/SPX
Setting Up File Sharing Properly
Windows 9x (95/98/ME) and the Browser
Windows NT (NT/2000/XP/2003) and the Browser
Windows XP / 2000 On A Domain
Hacking Redefined
This article is an attempt to describe malware, its delivery mechanisms, its payloads, and its detection and prevention, in a canonical and objective format. Modern malware is taking on new forms so rapidly that it's hard to comprehend how aggressively it's developed and deployed.
And even though it's malware, it's sometimes hard NOT to admire how professionally it's developed and deployed (as an IT professional only, NOT as a computer owner). Computer owners who become victims of hacking will NOT admire the tools, or the attackers.
One of the problems is how to describe what's happening. Which came first - the chicken or the egg? How do you define hacking, other than as what a hacker does?
For the purpose of this article, I make the following definitions.
- Hacking is aggressive, deceitful, and intentional misuse of any computer not legally owned by the Attacker, for commercial, financial, or personal purposes.
- Hacker is the person, or groups of people, doing the Hacking.
- Malware is the tool used for Hacking, AND the payoff of the Hacking.
- Victim is the legal owner of the computer Attacked by a Hacker.
Malware includes:
- Adware - Software that delivers, or influences the delivery of, commercial material (aka advertisements) to the Victim's computer.
- Hijackware - Software that makes the Victim's computer do things not intended by the Victim.
- Spam - Unwanted messages delivered to the Victim's computer.
- Spyware - Software that collects and transmits personal information about the Victim's computer, or about the Victim, to persons who have no legal entitlement to that information.
- Trojans - Software that accompanies, in the same package, software requested by the Victim, and is installed when the Victim intentionally installs the requested software.
- Viruses - Software that installs itself into, and makes itself part of, software known by, and trusted by, the Victim.
- Worms - Software that travels by itself, and installs itself on the Victim's computer without any intent, or knowledge, of the Victim.
The people performing the Hacking Attacks have been formerly referred to as, variously:
- Adware / Spyware Writers.
- Hackers (Classically).
- Spammers.
- Virus Writers.
In the past, these categories did not necessarily overlap. Classically, each kind of Malware was of a distinct nature, and one type of malware was not used by another type, or group, of Attackers. Today, we have combined Attacks, where:
- Spam is used to deliver Trojans to be installed on Victims' computers.
- Adware / Spyware is installed as Trojans.
- Trojans, installed on Victims' computers, are used in the delivery of Spam to other Victims.
- Trojans, installed on Victims' computers, are used in the delivery of Worms to other Victims.
- Viruses are used to attack people, or software, used to defend against Adware, Spam, and Spyware.
- Viruses, having infected the Victim's computer, can become Worms, and attack other computers on the same Network.
- Viruses or Worms have been used to Attack the data on the Victim's computer, rendering the data unusable unless actual money was paid by the Victim to the Attacker. No, this is NOT fiction.
Trojans
The term Trojan refers classically to the ancient Greek story of the Trojan Horse. A Trojan is software which travels, as a separate component, in a package of Host software that is requested by, and intentionally installed by, the Victim.
A Trojan can be anything from something as innocent as an extra toolbar, installed as a part of the Victim's browser and used to "enhance the browsing experience", to software that makes the Victim's computer act in a three-role Spam delivery capacity. A Trojan typically requires action (wilful or otherwise) by the Victim to install.
Viruses
A virus is software that travels as an integral part of Host software that is intentionally installed by the Victim. A virus installs itself into an innocuous Host file, which is passed from Victim 1 to Victim 2. Both Victims intentionally pass the file, without either being aware of the total nature of its contents.
Worms
A worm is software that travels from Host to Host over a trusted medium, such as the computer network (with no firewalls in place), or email (with no malware / virus scanning software in place). A worm typically requires no action, or at least no intentional action, by the Victim, for propagation.
Hackers
The classical Hacker was a disenfranchised teenager, hiding in his bedroom, attacking an individual computer owned by a single Victim, for amusement.
See, for instance, War Games, one of the earliest movies about Hackers.
Today, Hackers use programs that they may release as Trojans, as Viruses, or as Worms. The Hack, when installed on the Victim's computer, may make that computer part of a Botnet. A Botnet, an entire army of computers controlled by a Hacker, can be sold to individuals or corporations for delivery of Spam, for hosting of Adware or Spyware, or for the creation of even more Botnets. As of June 2005, the reported value of ONE bot was $0.55 USD, thus a 10,000 member Botnet (a not at all abnormal number) could net the Hacker $5,000 or so.
So let's classify the malware.
We can classify it by delivery mechanism.
- Trojans - Software that accompanies, in the same package, software requested by the Victim, and is installed when the Victim intentionally installs the requested software.
- Viruses - Software that installs itself into, and makes itself part of, software known by, and trusted by, the Victim.
- Worms - Software that travels by itself, and installs itself on the Victim's computer without any intent, or knowledge, of the Victim.
We can classify it by payload.
- Adware - Software that delivers, or influences the delivery of, commercial material (aka advertisements) to the Victim's computer.
- Hijackware - Software that makes the Victim's computer do things not intended by the Victim.
- Spam - Unwanted messages delivered to the Victim's computer.
- Spyware - Software that collects and transmits personal information about the Victim's computer, or about the Victim, to persons who have no legal entitlement to that information.
Malware Detection
So, if there's malware out there, how do we know what's out there? More importantly, how do we describe what's out there? And how do we remove what's on our computers, and then hopefully, keep it from coming back?
You have to know what's there before you can fight it. Knowing what's there is a matter of detecting it. Basic malware detection is based upon two alternate processes.
- Behaviour analysis and detection.
- Signature analysis and detection.
Behaviour analysis, also known as heuristic analysis, takes a suspect file (or a computer system), opens it (or operates it), and sees what it does. Sophisticated heuristics are used by some antivirus / antitrojan products, which contain a sandbox, a replica of the operating system, within the AV / AT product code. A suspect file is copied into the sandbox, opened from within, and observed. If opening it makes suspicious references to the system services provided by the (replica) operating system, it is suspected to be malware, and examined further.
Signature analysis takes the actual contents of the various bytes in a suspicious file, and mathematically calculates a hash of the contents. The hash becomes the signature, which is compared against a database listing known malware. If suspected malware has a hash matching known malware, it is determined to be malware.
Malware analysis can be done heuristically against the entire system. Note the difference between adware and spyware. The first will typically generate incoming network traffic; the second, outgoing.
By statefully looking for incoming or outgoing traffic, compared against what should be expected, malicious activity can be detected. Software designed to look for malicious incoming traffic will be better at detecting adware, software designed to look for malicious outgoing traffic will be better at detecting spyware.
Signature analysis is a much simpler process, but demands more work. To do a signature analysis of the system (a trojan or virus scan) requires taking each file, one at a time, on the entire system, generating a signature from the file, and comparing each against each entry in a very long list (database) of known malware. Multiply the number of files in your typical system, against the number of possible (known) malware, and you see what a massive effort that is. And each time a new set of signatures is produced (and with some antivirus products, it's multiple times / day), a rescan could be appropriate.
Some malware is encrypted, to fool the signature scanners. Malicious code is taken, and subjected to rearrangement (packing), with some packing containing random operations which produce unpredictable results. Simple signature checking (and the bad guys, in some cases, know what procedures are followed to produce the signatures) won't detect packed code, which follows no known pattern. So suspect files have to be examined for unpacking code embedded in the code, and in some cases, the unpacking has to be allowed to execute so the signature checking can take place. This makes signature checking even more complex, and more time consuming.
On the other hand, it's somewhat possible that having unpacking code in a file indicates that it's malware. Most legitimate code (excepting openly compressed files) does not use unpackers, as most legitimate code is already in an executable state. So when an AV / AT scan finds a file with an embedded unpacker, there's a strong possibility that the file contains malware. Of course, the malware still has to be analysed, to determine just what malware it is. But the scanner doesn't have to continue the heuristic analysis; it can just switch to the signature check.
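As an added example (not code from CACroll Small LANs), here is a minimal scanner of the kind the signature-analysis and packing paragraphs above describe: it hashes each file and compares the hash against a known-malware list, and for files that don't match it uses byte entropy as a stand-in for the "look for an embedded unpacker" check, since packed or encrypted code looks like random bytes. The sample files, the signature list and the entropy threshold are all constructed for the example.

```python
import hashlib
import math
from typing import Dict, Tuple

# Constructed sample "files" for the example (not real malware or software).
CLEAN_TEXT = b"This is an ordinary readme file. Nothing to see here.\n" * 4
KNOWN_BAD = b"constructed-known-bad-sample-v1 " * 8
# Every byte value 0..255 appears equally often: a stand-in for packed or
# encrypted code, whose bytes look random to a scanner.
PACKED_BLOB = bytes((i * 7919 + 13) % 256 for i in range(2048))

# Stand-in for a vendor's database of known-malware hashes, keyed by SHA-256.
SIGNATURE_DB: Dict[str, str] = {
    hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.KnownBad.v1",
}
# Assumed threshold: text and ordinary executables usually score well below
# this, while packed or encrypted payloads approach the maximum of 8 bits.
PACKED_ENTROPY_THRESHOLD = 7.2

def signature(data: bytes) -> str:
    """The file's signature: a hash of its exact byte contents."""
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (one value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_file(data: bytes) -> Tuple[str, str]:
    """Signature check first; fall back to the packing heuristic."""
    sig = signature(data)
    if sig in SIGNATURE_DB:
        return "known-malware", SIGNATURE_DB[sig]
    ent = shannon_entropy(data)
    if ent >= PACKED_ENTROPY_THRESHOLD:
        # Not a final verdict: this file now needs unpacking and a second
        # signature check, or a human analyst, as the article describes.
        return "suspect-packed", f"entropy={ent:.2f}"
    return "clean", f"entropy={ent:.2f}"

def scan_system(files: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """One signature and one heuristic check per file, as a full scan does."""
    return {name: scan_file(data) for name, data in files.items()}

if __name__ == "__main__":
    sample = {"readme.txt": CLEAN_TEXT, "dropper.exe": KNOWN_BAD,
              "loader.bin": PACKED_BLOB}
    for name, (verdict, detail) in scan_system(sample).items():
        print(f"{name:12} {verdict:15} {detail}")
```

Note that a single changed byte in the known-bad sample defeats the hash match, which is exactly why the article says the packed form also has to be caught and unpacked before re-checking.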