Domain: sysinternals.com
Stories and comments across the archive that link to sysinternals.com.
Comments · 757
-
Re:Knew it, same shit as before
Thanks for the Windows IT Pro link - it's hilarious! That will make for some great shitter reading later.
I don't actually see a debate with Russinovich, though. He wrote an article, and you left comments. I don't think he's aware you exist.
Your apps aren't being used. It's difficult to even find a current download for your garbage while a professional like Dr. Russinovich has a website of his own: http://www.sysinternals.com/
Oh, you think you schooled the guy who started sysinternals.com? Bahahahhahaa
-
Asustek Extreme4
On a related topic, I had an issue with my motherboard, which hasn't been resolved. It's an Asrock Z87 Extreme4. Running Windows 7 - I notice that the first hyperthread of my i7 4770k is pegged at 50%. Lots of digging, it looks like it might be a faulty design, putting the intel management engine and the USB subsystem on the same interrupt. What do you lot think?
-
#badbios - probing for deeper looks at
@Clive Robinson
A lot of people are wondering why dragosr was the only one to run across this malware. In fact, he wasn't. The people who were before him were mocked and most threads closed and either deleted or shuffled to areas of message boards where Joe Q public couldn't see it and question this for themselves. [some] Major Anti-Virus companies included.
Users didn't want to know, companies didn't want to know. Unless you were "known" in the field, like dragosr, and even then, you are handled like you may be retarded or just need a vacation.
Here is one of dozens of reports:
LCD Monitor Broadcasts Noise To Radio! Why? (FRS)
http://forums.radioreference.com/computer/255488-lcd-monitor-broadcasts-noise-radio-why.html
Final post in that thread:
"BOTTOM LINE: No matter WHAT you do, all devices that use electricity will emit some sort of interference in the air and there's nothing you can do about it without unplugging/turning it off. "
including:
"Have you noticed any nondescript white vans or black helicopters in your neighborhood?
What do you do or have you done to make "them" take such an interest in you that "they" have to bug you?
You need a bigger tinfoil hat, perhaps a full body suit."
Another thread:
Gpu based paravirtualization rootkit, all os vulne
http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html
This:
U.N. report reveals secret law enforcement techniques
"Point 201: Mentions a new covert communications technique using software defined high frequency radio receivers routed through the computer creating no logs, using no central server and extremely difficult for law enforcement to intercept."
http://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf
http://www.hacker10.com/other-computing/u-n-report-reveals-secret-law-enforcement-techniques/
I think this is something which has been brewing for years, but "forces" beyond our sight have managed to stifle any serious investigation into the technology. Some have announced they are retreating to ancient technology of the 70's and 80's, others are looking towards open source hardware and software combinations.
Is it time Wireshark included audio monitoring as well? Off to play with a recording device and Audacity.
https://www.schneier.com/blog/archives/2013/11/friday_squid_bl_402.html#c2751193
###
Scientist-developed malware prototype covertly jumps air gaps using inaudible sound
---
Malware communicates at a distance of 65 feet using built-in mics and speakers.
by Dan Goodin - Dec 2, 2013 7:29 pm UTC
http://arstechnica.com/author/dan-goodin
https://twitter.com/dangoodin001
"Dan is the IT Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications."
--------------------
[Figure: Topology of a covert mesh network that connects air-gapped computers to the Internet]
-
Gpu based paravirtualization rootkit, all os vuln
- Gpu based paravirtualization rootkit, all os vulne
http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html
see the thread here where it says you were warned for years about this problem
and -
#BADBIOS - You Were Warned About This For Years!
http://slexy.org/view/s2BLnoBPxn
-
#BadBIOS - BIOS Malware 1/2
- Copernicus: Question Your Assumptions about BIOS Security
- "Seems to have a BIOS hypervisor, SDR functionality that bridges air gaps, wifi card removed."
https://twitter.com/dragosr/status/388512915742937089
=
- #BadBIOS
https://twitter.com/search?q=%23BadBIOS
=
- "More on my ongoing chase of #badBIOS malware."
https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga
https://plus.google.com/103470457057356043365
=
- Nobody Seems To Notice and Nobody Seems To Care: Government & Stealth Malware
http://slexy.org/view/s2otvoDuKW
=
- Gpu based paravirtualization rootkit, all os vulne
http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html
=
- #badBIOS (and lotsa paranoia, plus fireworks)
https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa-paranoia-plus-fireworks/
=
- Air-Gap-Breaching BIOS Rootkits with SDRs Inside (and smartphones, Snowden, NSA, Wikileaks)
"A little while back I covered a paper on FPGAs that could turn themselves into SDRs. I suspected this would be one way to breach an air gap.
It seems I was right on the money. If a little behind the times.
Researchers have found an incredibly persistent BIOS rootkit in the wild that includes SDR functionality… literally turning your computer into a radio transmitter to exfiltrate data even if you're not connected to the Internet." [..]
"The researchers were using a new tool, Copernicus, which sadly seems to be Windows-only. Nevertheless a number of you might be interested in checking it out.
There is one enduring mystery of this rootkit… how does it survive BIOS reflashes?" [..]
https://twitter.com/dragosr/status/388511686744764416
- IMHO Copernicus is the most important security tool in recent history. Already found persistent BIOS malware (survives reflashing) here.
https://twitter.com/dragosr/status/388512915742937089
- and that's not even the interesting part. Seems to have a BIOS hypervisor, SDR functionality that bridges air gaps, wifi card removed.
https://twitter.com/dragosr/status/388521551693217792
- Copernicus BIOS verification. Also if tool is mysteriously failing or weird output full of FFs you may have problem. http://goo.gl/AHLwbD
https://twitter.com/dragosr/status/388534580493287424
- This particular BIOS persistent malware sample seems to use TLS encrypted DHCP HostOptions as a command and control.
-
Re:A short review of Soluto. Follow up.
I know about msconfig, and I would recommend Soluto above it for 50% of the cases, and sysinternals Autoruns for the other 50% (especially since it can be downloaded straight from http://live.sysinternals.com/ ).
-
LOL, a malware author like Mark Russinovich?
See this, & call me that (you done nothing with yourself NOBODY), because I am FAR from a malware author:
PSEXEC detected as Malware HKTL_PSEXEC.A:
http://forum.sysinternals.com/psexec-detected-as-malware-hktl-psexeca_topic661.html
OR
http://www.pcworld.idg.com.au/article/251492/trojan_lurks_waiting_steal_admin_passwords/?fp=2&fpid=1
Fact is, I'd have to be the STUPIDEST there is, considering I've written the most viewed & well rated guide for securing Windows there is, bar none, here:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
"Poor old APK, well known malware author" - by Falconhell (1289630) on Monday May 30, @10:45PM (#36292632)
How am I a "malware author" shit head? I'm no more a malware maker than is Dr. Mark Russinovich of Microsoft (& a recent malware attack used his wares too, here http://www.pcworld.idg.com.au/article/251492/trojan_lurks_waiting_steal_admin_passwords/?fp=2&fpid=1 )
I wrote an app that a company called Computer Associates (who sold off that division no less recently because their wares sucked) said 1 app of 40 or so I put out over time is a "malware" (one with zero threat levels and has YET to be used in a malware attack & good luck with that - it's NOT scriptable (which is WHY Mr. Russinovich's wares get abused that way, & I saw that ahead of time & why I didn't put in argc/argv possibles into my code for use as a malware))).
Now, COMPUTER ASSOCIATES? LOL, true criminals - busted for ACCOUNTING FRAUD:
http://www.nytimes.com/2006/11/03/business/worldbusiness/03iht-web.1103computer.3381368.html
You, however & in particular? You're a NOTHING, that's never done a damned thing with yourself... you limited little loser!
---
"just cant stand his own irrelevance" - by Falconhell (1289630) on Monday May 30, @10:45PM (#36292632)
LOL, listen: The day you can show you've done more than this PARTIAL LIST of my favs. only of SOME of my accomplishments in the art & science of computing, and before I did? Is the day you can talk, bigshot:
----
Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61
(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).
WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)
PC-WELT FEB 1998 - page 84, again, my work is featured there
WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there
PC-WELT FEB 1999 - page 83, again, my work is featured there
CHIP Magazine 7/99 - page 100, my work is there
GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it
HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!
Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn'
-
Re:Nice try
Checklist for when you experience an infection?
- Nuke the MBR (recovery console, or linux's ms-sys)
- nuke any random exes in %appdata% or %appdata%\randomdigits\, etc
- Inspect the autoruns list with Sysinternals' autoruns
- Check the system for a rootkit with GMER
- If this is personal use (as opposed to commercial / business), run Combofix (google it, they don't seem to like direct links)
- If you have a capable AV (like avast), a boot-time scan is helpful
Additionally, if you know the specific virus, there are specific removal tools that are remarkably effective; I would nevertheless run the steps above to verify the computer is clean. If you see any evidence that your repairs are being undone, you may need to break out a live-boot linux disk, or hose the entire OS; don't forget to nuke the MBR if you do a clean install, and to sanitize any connected USB drives.
-
Re:For speedy access
Great link! Thanks.
And to have them all on your USB stick, just cd to it, and do :
wget -cm http://live.sysinternals.com/
-
For speedy access
Don't forget live.sysinternals.com for instant access to any of the tools.
-
Root of the problem
This little program demonstrates how screwed up Windows (any version, including Win 7) is!
http://download.sysinternals.com/Files/RegHide.zip
Get the low down on Hidden Registry Keys from http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx
Or test it on your test machine :
-
Re:The only improvement in Vista is IO priority
Vista allows you to change IO priority. I just found this out last week. If I had known that, I would have used Vista from day 1, regardless of all of the other complaints I've had. I'm using Win7 on Aug. 6 when it's available on MSDN and I'll never look back.
http://forum.sysinternals.com/forum_posts.asp?TID=12767
Windows NT has seemed slow ever since I tried NT 4 server on my 233 MHz Packard Bell. I soon learned that Disk IO brings the computer to its knees, even if the CPU usage is minimal. I remember watching controls be painted individually when copying or analyzing large data files. That still happens today on XP, while System Idle Process takes 85% or more. Lowering the CPU priority of the offending process doesn't help, because it's not maxed out.
Some days, it takes me literally 10 minutes to click something. Visual Studio hung last night doing something, and it was 30 minutes before I could switch to Process Explorer (which I always keep running) and end task. I didn't want to kill everything because I had work open in other windows. 30 minutes on a dual core 1.8 GHz processor with XP to switch to another app, with 80% CPU idle. Disk IO in the background was the culprit, and no it wasn't due to memory paging in or out either. How do I know that? I've been watching this happen since running NT4 on my 233 MHz Packard Bell. I watch my memory and leave process explorer running all day every day.
Windows Update seems to be a huge IO eater, and I would love to set it to low priority. Virus scanning an entire file when you only need the first 100 bytes is a huge waste, and I'd love to set the virus scan priority to match the priority of whatever app is trying to open the file. So if it's a background process, just let me do what I'm doing and scan it when I'm done. Windows Update + Anti-virus + Whole disk encryption is just asking for pain, and it's what I get daily. Pain. Windows 7 should solve that.
-
Re:Be Afraid! Buy Our Product!
The job of a virus scanner is to scan files for virii, not to monitor the filesystem for changes. It seems that one of the major problems of windows, compared to other OS's, is that there is not a good ecosystem of simple utility services. In a linux environment, it's easy to use fam/gamin to be notified of filesystem changes, and then get the virus scanner to use fam/gamin instead of writing the code necessary to do the filesystem monitoring.
In the absence of such an environment, in order to provide similar functionality, the antivirus developers must write the filesystem monitors themselves. This is also true for antispyware developers, etc. This can cause problems when these programs are from different vendors, and each program has its own means of monitoring the filesystem, which can cause unnecessary lag and memory usage, and sometimes competition over which process get access to which files (causing the system to become less responsive).
These statements may not be as true as they once were, at least with respect to filesystem monitoring. I don't really have much experience with any version of windows after xp, and only limited experience with xp. Regardless, the manner in which commercial software is developed, marketed, and distributed sometimes makes it difficult to use third party "middleware" with a commercial solution. Often, if such middleware isn't developed by Microsoft, and present or available for the target system, the developers must make their own solution. ( http://www.clamwin.com/content/view/35/27/ -- here we see that the clamwin developers are being "forced" to do exactly this)
(I was just looking and came across this article - http://srikanthtechnologies.com/articles/dotnet/file_system_monitoring.html)
It seems that there is an api to do the file system monitoring, but not yet any standard service to perform the action, which is the critical difference.
With regards to Winpooch and XPsp3 (and likely vista, win7, win8 ...) you may want to read the third post on this forum thread: http://forum.sysinternals.com/forum_posts.asp?TID=14895
This is likely the main reason that development on winpooch has stopped.
Even though winpooch is dead, the interaction between winpooch and clamwin demonstrates an appropriate separation of responsibilities. Winpooch monitors, and clamwin scans. So, winpooch doesn't have to scan (as it can call clamwin for that, or another drop-in replacement) and clamwin doesn't have to monitor the filesystem, as it can rely on the monitoring program, in this case winpooch, to call it on alterations in the filesystem.
It would be nice if the clamwin developers were making the filesystem monitor that they are now having to develop as a separate component (even if distributed with the scanner), so that other programs could plug into it, saving them the trouble of having to develop their own solution.
-
Re:startup
I usually just do a pskill run32dll. Just make sure you save your work first.
-
NotMyFault
Windows Internals has a pretty fun tool which by the click of a button will do bad things. One of the 'bad' things it can do is randomly overwrite kernel memory.
What is fun about the tool is that it is like Russian Roulette: You can click the button several times corrupting memory, and eventually you will corrupt something important and bring the machine down. Or you can click the button a couple of times, and see how long you can use your machine before that memory path is hit and your system comes down.
The tool consists of two components, Notmyfault.exe, and Myfault.sys (which IIRC, is embedded within the exe, and launched into the kernel when the tool is run with admin rights). Notmyfault.exe cannot itself take down the machine, as it has no 'rights' to stomp on memory outside of its sandbox. This is why it has to request the bad deed to be done by the kernel component, myfault.sys.
You can find a link to the tool below:
http://download.sysinternals.com/Files/Notmyfault.zip
Related to this thread - you can corrupt memory and not see any adverse effects if nothing important is located in that memory space. This would easily explain why Windows might crash, but not Linux. It just depends on where modules are loaded, and what code/data is corrupted.
-
Re:Malwarebytes
A few months ago, I encountered (within a week) the same rootkit on three different PCs in my care. It was the now infamous TDSS rootkit. There were no automated fixes by that time, don't know if there are now.
You don't get good malware-removal tools running on Linux
I got the best malware-removal tools from the Ubuntu 8.10 install disc: ntfsclone, ntfsmount, find and rm.
From what I can find on the MBAM forums, it still cannot reliably cure Windows from a TDSS infection. I do not know about UBCD, but I certainly hope that all features concerning auto-preview and/or thumbnailing are disabled in Explorer, or I still would not trust it.
-
Re:Faster than Vista!
I see your anecdotal evidence and raise you some fairness.
I boot Ubuntu and a ruthlessly pared down Windows XP on this laptop and while Ubuntu does seem (anecdotally) faster, I'm certain that part of that is having google desktop, outlook, and a bunch of other stuff running only in windows and not Linux. Even with all autoupdating programs and extraneous background programs killed off and removed from startup, there's still more stuff running in my XP install than there is in my Ubuntu one.
So to be fair, you should kill off all of those background processes that don't ship with a vanilla (not from dell) windows install if you're going to compare the speed of the two OSes. If they're slowing the machine down, that's no more windows' fault than running folding at home on the Ubuntu machine would be Linux's fault.
I'd start with installing the sysinternals suite of windows utilities, firing up Autoruns (they're all pretty awesome, not just Autoruns) and cleaning out all the garbage that's slowing the machine down. Those utilities have made my Windows XP life a great deal better and more livable, even recently, despite XP's age.
-
Fool the SecuROM
I have neither the game nor the OS to try, so does this still work? The simple rundown on how it works is pretty obvious - it just creates an empty DACL and applies it to the PROCEXP100 symlink in the object manager. When the app is done, it just resets the DACL to the original value. I included a "reset" switch as well just in case something happens and you need to reset it manually.
-
Re:read more, submit less
Actually, Windows does support a form of symlinks called "junctions". Sysinternals used to have a program to create them. They aren't completely the same thing as symlinks; there are two pitfalls to keep in mind:
- If you rm -rf a junction, you remove all of the linked directory's contents, not just the link itself.
- Most Windows tools are not aware of the existence of symlinks, so if you create a circular directory structure (/a/b/c linking to /a) you're in for a nasty surprise whenever a program is going to scan a complete directory tree.
-
Re:Shame on /. for linking to this
I've been following this matter on the web since the Bioshock release and monitoring Slashdot's Firehose as the story submissions popped in. This particular story submission was one of the worst of the bunch. There are genuine issues with Bioshock's DRM decision to use Securom which will unfortunately be dismissed due to the poor choice of article. Whether or not this is a rootkit, the fact that the game won't run unless a user completely disables or uninstalls legitimate utilities such as antivirus programs or process monitors is enough to make a security conscious user worry.
References:
http://consumerist.com/consumer/punishing--the-ones-that-don.t-steal/bioshock-comes-with-nasty-drm-that-sets-off-anti+virus-software-ruins-everyones-day-292841.php
http://forum.sysinternals.com/forum_posts.asp?TID=11000 -
Re:So, how many people
Certainly, they should follow the news where those who care talk about such issues and others do analysis for such things.
How can your aunt Tilly and cousin Joe Bob trust ANY software at all? They probably didn't build it. -
Managing hundreds of remote servers
Thanks to some poor choices in my younger days, I have become a full-blown Microserf herding along 250 Windoze servers, half of them in remote locations. If I had it to do all over again, I would have taken the red pill. This may offend the *nix snobs here, but if MS gets really serious about MSH (the way I keep seeing it when running PowerShell), it will be awesome. I haven't seen anybody here mention that it is built-in with Exchange 2007 and when you run through an E2K7 wizard, the last step is the display of the MSH script that will execute once you click the Finish button. It's also just waiting for you to copy and paste that script before clicking the Finish button, so you can expand it and reuse it later.
My boss is such a Windoze junkie, he pooh-poohs my scripting efforts at every turn. We often spend hours and hours doing repetitive crap in the GUI's because "we don't have time to work out a script now!". I have avoided getting really deep into cmd.exe and VBscript approaches ever since I first read about Monad during the betas as that crap should be passing away. I've been bursting at the seams for some good books to come out.
Beware a first effort from MS. If they get serious, the third version will be quite good. In the meantime, a wise sage told me to expect third party vendors to jump on this bandwagon and cook up gobs of stuff to leverage PowerShell to save Win Sysadmins keyboard time with canned scripts. That would leave me sucking garbage in the MS Matrix with the rest of the Duracells, but fortunately my boss won't spend any money on decent tools, so I will get to hack out the scripts by hand and really learn MSH. Awesome.
If you're a Win Sysadmin reading this, be sure to check out http://www.sysinternals.com/Sysinternals and download the Misc utilities package, especially pstools.exe. I use them all the time like a telnet session (via RPC) into remote PC's to clear up networking problems on them. netsh.exe then allows me to remove freakin' static WINS and DNS entries in TCP/IP properties, all without disturbing the user. It doesn't take long to learn and it saves gobs of time.
Now I need to get back to my Linux lessons so I can use some discrete Linux servers on our edge networks, then they can start appearing closer and closer to The Core.
-
Re:Will anyone gain anything from this? Not Linux
There's a nifty trick I've been using for a while to get rid of the reboot pestering.
At Sysinternals (now owned by Microsoft) get the program called Process Explorer.
Use Process Explorer to suspend the execution of the windows update process, "wuauclt.exe." Don't kill it because it will just be respawned. There are two of these processes for some reason and you need to suspend both of them. (If you only see one, suspend it and wait for the other one to spawn. Oh, it will. )
When both of the processes are suspended, they won't bug you at all and you are free to finish the day (or whatever you're doing) before shutting down.
I think the idea that your OS could shut down (on purpose!) without asking is a terrible design decision. -
Re:Undocumented APIs
Cue depends.exe to do just that, indeed. Some relatively well-known examples of using undocumented APIs are by Sysinternals, who were recently acquired by Microsoft:
Fundelete accomplishes this through the use of an undocumented API, ObOpenObjectByPointer
...
The final step Fundelete performs is to convert the binary representation of the SID into a textual representation. Another undocumented API, RtlConvertSidToUnicodeString, performs this.
...
Tokenmon relies on several undocumented SRM functions to obtain a logon ID from a thread's primary and impersonation tokens, and GetSecurityUserInfo, an undocumented function exported by the KSecDD (Kernel Security-support driver) that retrieves a logon session user's name, domain name, and logon server given a logon ID. Another interesting implementation detail is that several of the native API functions that Tokenmon hooks are not exported by ntoskrnl.exe for use by drivers. Thus, the Tokenmon GUI must reach into NTDLL.DLL, extract their system call numbers, and pass them to the driver.
This courtesy of the people who unearthed the Sony Rootkit, which goes to show it takes someone with knowledge of deeply intertwingled cruft to find it?
But more importantly: if ISVs behave in this way with limited knowledge of undocumented functions, how do you think Microsoft uses them? -
Re:Typical Security Guys
I keep looking for a simple, light weight connection viewer, I don't care about popups and warnings and stuff, but it would be nice to be able to look at open connections if I think something is up. I'm sure there is something out there, I just haven't found it yet. Try TcpView at http://www.sysinternals.com/
-
Don't Panic PANIC BUTTON
netr00t's got solid advice for you.
http://slashdot.org/~netr00t
I would add, get a Lawyer, as in, have a Lawyer (anyway).
If you're in the USA, you should know by now, mostly morons make the "rules" of conduct, try not to participate.
Pay the Man:
http://www.forescout.com/index.php?url=products&section=activescout
http://www.winternals.com/
Useful:
http://www.sysinternals.com/SecurityUtilities.html
http://www.porcupine.org/forensics/forensic-discovery/
http://www.fish2.com/tct/help-when-broken-into
Firewalls and Internet Security
http://www.wilyhacker.com/
First Ed. (online)
http://www.wilyhacker.com/1e/
Practical UNIX and Internet Security
http://www.oreilly.com/catalog/puis3/
FWIW
http://exuberant.ms11.net/index.html
http://exuberant.ms11.net/98sesp.html
http://exuberant.ms11.net/links.html
http://www.oldversion.com/ -
Use psexec to protect your system from your browse
Use psexec to protect your system from your browser.
http://download.sysinternals.com/Files/PsExec.zip
C:\utl\psexec.exe -dl "C:\Program Files\firefox\firefox.exe"
or
C:\utl\psexec.exe -dl "C:\Program Files\Internet Explorer\iexplore.exe" -
Re:Seriously, Is Firefox susceptible to this too?
...while IE7 is more secure than IE6 in a million ways, the WinXP version is nothing but a shadow of the real thing.
Mark of SysInternals posted an interesting entry on his blog back in March, Running as Limited User - the Easy Way (it's at the bottom of the page, I couldn't find a working direct link), which describes just how easy it is, with the help of the SysInternals free psexec utility, to drop essentially all Administrator privileges when running IE.
It isn't a complete solution, Protected Mode probably does a lot more than this, as mentioned in the entry filter window messages (another brain fucked insecure by default design) for example. Even so it is pretty poor, given that a whole load of people out there still run XP as an Administrator, Microsoft hasn't even bothered to apply such a band aid for IE7 under XP.
Microsoft released XP Home Edition for home users, and despite this specialization they've still been too chicken shit scared of upsetting a minority to change anything for the greater good of these home users. I hope for the sake of people riddled with malware and rootkits today that Microsoft actually does do a better job of specializing the various versions of Vista to the security needs of their respective target user group. -
Re:infect their machine
I agree with most of this.
The only exception being I use Autoruns from Sysinternals rather than MSConfig; it's easier to do everything in a larger resizable frame than the tiny interface MS supply (and it doesn't ask you the stupid message after rebooting) -
Human ROOT KIT!
http://www.sysinternals.com/Utilities/RootkitRevealer.html has a tool that can help flesh out all those registry and file system API discrepancies for further study.
Of course it's always safe to run AdAware[ http://www.lavasoft.com/ ] and if you have the budget, purchase WebRoot[ http://www.webroot.com/ ] for a fast, centralized cleaning in the enterprise environment. -
I hope the PS3 fails now
Now, more so than ever, I hope that the PS3 fails! It sickens me to think of wide spread proliferation of this console in homes all across the world draining all that power
:( Consumer electronics are one of the first things that need to become more energy efficient if we are going to tackle this little problem that we're getting ourselves into... -
Re:Are you sure isn't not just
...you forgot the infamous "Sony Rootkit."
http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html
http://www.wired.com/news/privacy/0,1848,69601,00.html
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
http://news.com.com/Microsoft+will+wipe+Sonys+rootkit/2100-1002_3-5949041.html
http://en.wikipedia.org/wiki/2005_Sony_CD_copy_protection_controversy -
try WinObj and see what drive letters really are..
Deep inside the Windows NT/XP kernel, it maintains an object namespace very similar to a Unix filesystem. You can use WinObj from sysinternals.com to navigate this object namespace. Notice that under the 'Global??' folder you will find the entries 'C:' and 'D:' and so on, symbolically linked to the appropriate file system. Also, '\Device\*' in the object namespace is very much like '/dev/*' on Unix.
It is evident that drive letters under an NT kernel are just a DOS compatibility after-thought. The kernel doesn't have concepts of drive letters.
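The link the post describes can be resolved without a GUI. Below is an added PowerShell example (my own, not from the post or from Sysinternals) that calls the Win32 API QueryDosDevice, which returns the object-manager target of a DOS device name such as "C:"; the function name Get-DosDeviceTarget is an assumption for this demo, and it needs a Windows host.

```powershell
# Added example: resolve drive letters to their object-manager targets via QueryDosDevice.
# Assumes a Windows host; the function name is an assumption, the Win32 API is real.
Add-Type -Namespace Win32 -Name DosDevice -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@

function Get-DosDeviceTarget {
    <#
    .SYNOPSIS
    Returns the \Device\... path that a DOS device name (e.g. "C:") is linked to.
    #>
    param([Parameter(Mandatory)][string]$DeviceName)

    $buffer = New-Object System.Text.StringBuilder 1024
    $chars  = [Win32.DosDevice]::QueryDosDevice($DeviceName, $buffer, [uint32]$buffer.Capacity)
    if ($chars -eq 0) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "QueryDosDevice('$DeviceName') failed with Win32 error $code"
    }
    # The API fills a MULTI_SZ; the marshaller stops at the first NUL, which is the
    # current link target (older targets of a re-pointed link would follow it).
    $buffer.ToString()
}

# Walk every mounted drive letter and show what the 'Global??\X:' symlink resolves to.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $name = "$($drive.Name):"
    try {
        [pscustomobject]@{ Drive = $name; Target = Get-DosDeviceTarget $name }
    } catch {
        # PSDrives that are not DOS device names (e.g. a Temp: drive) land here.
        [pscustomobject]@{ Drive = $name; Target = $_.Exception.Message }
    }
}
```

A fixed disk letter resolves to a \Device\HarddiskVolumeN name, a mapped network drive to a redirector device path, and a `subst` drive to the \??\ path it was created with; the same information is what WinObj shows as the symbolic link target under Global??.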
-
Re:How do you Know and REMOVE them?
Try getting TCPView and ProcessExplorer from http://www.sysinternals.com/Utilities.html
Should give you the name of the process at least. -
Re:How do you Know and REMOVE them?
Try this: RootkitRevealer
Note, however: interpreting the results will be difficult, and *really* tricky code could defeat it anyway. Actually cleaning the infection is probably impractical, and certainly not worth your time unless your aim is to become intimately familiar with the bowels of Windows. -
Re:Statistics!
In OS X I can kill anything any time it needs to be killed with 100% success rate.
You can do the same thing in Windows, but you need a third party application to do it. http://www.sysinternals.com/
-
Re:Don't need research
Sysinternals' website says ghosting software usually keeps the SID, and the reason they distribute NewSID is because you wouldn't want them to be the same. I've had problems doing a simple clone of a hard drive from one HD to another, just because I wanted to give the user a bigger hard drive.
-
eyestrain on lcd - what?
hejdig.
>The six inch screen uses E Ink, rather than an LCD, to display the text,
>reducing strain on the eye while reading.
Since when did LCD strain your eyes?
I have read many books (full scale novels) on an ordinary PDA and thought paper lacked contrast when I switched back. Compared to LCD I would say that paper puts a strain on eyes.
Maybe EInk is even better than LCD. (don't know, don't care - sony has used all their credibility with me)
/OF
<sig/> -
Re:It just amazes me
The ability to kill 'required' services, for example. It can be done, but not as 'Administrator'.
You can kill any process you can get TERMINATE permission for. Administrators have the SeTakeOwnership privilege, allowing them to take ownership of any process (any kernel object, actually) and grant themselves TERMINATE permission. SeDebugPrivilege (which Administrators also have) also allows you to get TERMINATE permission for any process. Task Manager limits itself as to which processes it will kill. Other programs, such as taskkill or Process Explorer, do not have this limitation, and will happily allow you to kill whatever processes you want. Note that it is possible that a process won't die because a poorly-written kernel driver isn't allowing its IO operations to be canceled correctly. This isn't a security issue; it's a driver bug (SYSTEM can't kill those either).
Also, you have to pull some tricks to make filesystem changes to files marked 'protected' by Windows... or that any 3rd party marks as 'protected'.
Can you be more specific? There are only three reasons that a file can't be deleted:
- You don't have permission. Administrators can take ownership of any object and give themselves permission. SYSTEM would also be blocked (unless it was specifically granted access) because it can't bypass ACLs directly either.
- A sharing violation. A program like Process Explorer can find out what process has the file opened (opened without FILE_SHARE_DELETE) so you can forcibly close the handle or kill the process. SYSTEM can't delete locked files either.
- System file protection. The file can be deleted, but it comes back. There are several ways to disable system file protection, or you can delete the backup copy of the file at the same time as the original so there's nowhere to get a replacement to restore the file. This effect still occurs even when a SYSTEM authority process deletes such a file.
If you're interested, you can start processes interactively as SYSTEM with psexec -s -i -d <program> -
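As an added PowerShell example tied to the three reasons in the post above (my own code, not the poster's), the function below tells a permission failure apart from a sharing violation by attempting an exclusive open, which fails the same way a delete would; the function name Test-FileDeleteBlocker and the constructed sample file are assumptions for the demo, the Win32 error codes are the real ones.

```powershell
# Added example: classify why deleting a file would fail, per the three reasons above.
# Function and sample file names are assumptions; the Win32 error codes are real.
function Test-FileDeleteBlocker {
    param([Parameter(Mandatory)][string]$Path)

    $info = [ordered]@{ Path = $Path; Owner = $null; Blocker = 'none'; Detail = '' }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $info.Blocker = 'missing'
        return [pscustomobject]$info
    }
    # The owner (or anyone with SeTakeOwnershipPrivilege) can always re-grant Delete.
    $info.Owner = (Get-Acl -LiteralPath $Path).Owner

    try {
        # Exclusive open with no sharing: denied by ACL or by another open handle,
        # which is exactly what blocks DeleteFile.
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::ReadWrite, [IO.FileShare]::None)
        $fs.Dispose()
    } catch [UnauthorizedAccessException] {
        # Reason 1: ACL. Take ownership and grant yourself Delete, as the post says.
        $info.Blocker = 'permission'
        $info.Detail  = $_.Exception.Message
    } catch [IO.IOException] {
        $win32 = $_.Exception.HResult -band 0xFFFF
        if ($win32 -in 32, 33) {
            # Reason 2: ERROR_SHARING_VIOLATION (32) / ERROR_LOCK_VIOLATION (33).
            # Find the holder with Process Explorer or Sysinternals handle.exe.
            $info.Blocker = 'sharing'
            $info.Detail  = "Win32 error $win32; locate the holder with: handle.exe `"$Path`""
        } else {
            $info.Blocker = 'io'
            $info.Detail  = $_.Exception.Message
        }
    }
    # Reason 3 (protected system files) is not an open failure: the delete succeeds
    # and the file is restored. On current Windows, check with: sfc /VERIFYFILE=<path>
    [pscustomobject]$info
}

# Demo with a constructed temp file that this same process holds open without
# FileShare.Delete, which reproduces the sharing-violation case.
$sample = Join-Path $env:TEMP 'delete-blocker-demo.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample'
$holder = [IO.File]::Open($sample, 'Open', 'Read', 'Read')
try     { Test-FileDeleteBlocker $sample }     # Blocker: sharing
finally { $holder.Dispose(); Remove-Item -LiteralPath $sample -Force }
Test-FileDeleteBlocker $sample                 # Blocker: missing
```

Sharing is enforced per handle, not per process, so the holder handle in the demo blocks the exclusive open even though it lives in the same PowerShell session; in the real case the holder is another process, and closing or killing it is what clears the 'sharing' result.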