<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NicholasOverstreet.com &#187; Computers</title>
	<atom:link href="http://www.nicholasoverstreet.com/category/computers/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.nicholasoverstreet.com</link>
	<description>Computers are hard.</description>
	<lastBuildDate>Tue, 27 Jul 2010 23:20:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>A new rootkit?</title>
		<link>http://www.nicholasoverstreet.com/2010/07/a-new-rootkit/</link>
		<comments>http://www.nicholasoverstreet.com/2010/07/a-new-rootkit/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 23:20:48 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=729</guid>
		<description><![CDATA[For the third time in the last few weeks I have had to clean up yet another malware infection. However, these have all displayed similar symptoms, and I am thinking there might be another outbreak of malware coming.  I have noticed that malware seems to come in waves.  I will spend a whole bunch of [...]]]></description>
			<content:encoded><![CDATA[<p>For the third time in the last few weeks I have had to clean up yet another malware infection.</p>
<p>However, these have all displayed similar symptoms, and I am thinking there might be another outbreak of malware coming.  I have noticed that malware seems to come in waves.  I will spend a whole bunch of time cleaning it up for a while, then I will go months without having to clean any up&#8230; then it&#8217;ll come back in force again.</p>
<p>I&#8217;m not sure of the injection vector of the latest version (the previous wave seemed to <a href="http://www.nicholasoverstreet.com/2010/03/java-a-malware-writters-dream-come-true/" target="_blank">enjoy Java exploits </a>quite a lot), but I can give you a fairly obvious and quick to diagnose symptom and a quick way to clean it up.</p>
<p>The first and easiest check on an infected machine is to try to visit <a href="http://windowsupdate.microsoft.com" target="_blank">http://windowsupdate.microsoft.com</a>.  On the machines I have seen, regular websites like cnn.com or google.com will work, but you cannot get to the Windows Update site.  It will just snap to a page not found error.</p>
<p>The second easy check basically confirms that Windows Updates are being blocked.  Hop in to the Event Viewer, and look in the Application log.  You should see a whole onslaught of errors from crypt32 complaining that it &#8220;Failed auto update retrieval of third-part root list sequence number from&#8230;The connection with the server was terminated abnormally&#8221;.  This is almost a guaranteed sign you&#8217;ve picked yourself up some new malware, and more specifically a rootkit.  This rootkit is sort of nasty in that it makes you think you have got the machine all cleaned up.  If you run a <a href="http://www.malwarebytes.org/mbam.php" target="_blank">Malwarebytes Antimalware</a> scan the scan will come back clean, and the system will seem normal (aside from the errors in Event Viewer and not being able to get to Windows Updates).</p>
<p><span id="more-729"></span></p>
<p style="text-align: center;"><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit1.png"><img class="aligncenter size-large wp-image-730" title="rootkit1" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit1-1024x560.png" alt="" width="553" height="302" /></a></p>
<p>To get rid of this bugger you&#8217;re going to need a bit more powerful medication.  If Malwarebytes Antimalware is cough syrup, this thing is full-body radiation.  I am speaking of <a href="http://www.combofix.org/" target="_blank">Combofix</a>.  First a word of warning:  Combofix can seriously hose your computer.  Do not run it unless you are a computer expert and able to manually repair any damage that may be inadvertently caused by Combofix.  That said, I have never had a problem with Combofix, it has always worked great for me.</p>
<p>Don&#8217;t be afraid of Combofix&#8217;s low-level appearance.  It appears that way because that is what it is, low-level.  It gets deep in the system and does what it needs.  How it actually works is a trade secret that only the author of the program knows.  He must keep the methods he uses secretive so that malware writers won&#8217;t be able to stop his cleanup efforts and make his program useless.</p>
<p>So you run Combofix and follow its steps and take note of its warnings and you&#8217;ll eventually get to its notice that it found rootkit activity:</p>
<p><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit2.jpg"><img class="aligncenter size-full wp-image-731" title="rootkit2" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit2.jpg" alt="" width="518" height="389" /></a></p>
<p>Excellent news!  Not so excellent you have a rootkit, but excellent that Combofix has detected it and will now proceed with the cleanup.  Your machine will reboot at least once to continue with the cleanup and Combofix will go about its business of cleaning up the mess you have.  Combofix has over 50 stages, so it can take a while to run.  Just be patient, let it do its thing, and never interrupt it.</p>
<p><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit3.jpg"><img class="aligncenter size-full wp-image-732" title="rootkit3" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit3.jpg" alt="" width="518" height="389" /></a></p>
<p>After Combofix has done its thing, it will display a notepad window with a log file of what it has done.  If you&#8217;re bored you can browse through the logs and see its work.  At this point your machine is rootkit free, and you should be able to once again get to the Windows Updates web site.  At this point I always do a couple things.  One, make sure to go ahead and run a Malwarebytes Antimalware scan to clean up any remaining malware not picked up by Combofix (Combofix only goes after the major problems, whereas Malwarebytes goes for a full system cleaning).  Next, update the browser, Java, and Flash plugins on the machine, and run all Windows Updates to ensure the machine hasn&#8217;t missed anything important while the rootkit was blocking it from checking.</p>
<p>As I said, I am not sure of the injection vector of this particular rootkit as I have only seen its aftermath, but regardless, the cleanup method is the same for this as it is with many other malware infections.  Combofix it, Malwarebytes, and then update the system.  Good luck and feel free to sound off in the comments with any questions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2010/07/a-new-rootkit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s 2010, do you know where your balls are?</title>
		<link>http://www.nicholasoverstreet.com/2010/03/its-2010-do-you-know-where-your-balls-are/</link>
		<comments>http://www.nicholasoverstreet.com/2010/03/its-2010-do-you-know-where-your-balls-are/#comments</comments>
		<pubDate>Sat, 13 Mar 2010 00:00:44 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Rant]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=635</guid>
		<description><![CDATA[Apparently HP does.  In their mice. Come on people.  It&#8217;s 2010.  Optical mice can be had from Newegg for $4.  I can&#8217;t believe ball-mice are still being packaged with new machines.  And this wasn&#8217;t even a cheap piece of crap Acer, this came with a brand new HP Proliant server!  Sheesh.  Spare no expense with [...]]]></description>
			<content:encoded><![CDATA[<p>Apparently HP does.  In their mice.</p>
<p><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/03/IMAGE_310.jpg"><img class="aligncenter size-full wp-image-636" title="IMAGE_310" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/03/IMAGE_310.jpg" alt="" width="384" height="512" /></a></p>
<p>Come on people.  It&#8217;s 2010.  Optical mice can be had from Newegg for $4.  I can&#8217;t believe ball-mice are still being packaged with new machines.  And this wasn&#8217;t even a <a href="http://www.nicholasoverstreet.com/2009/03/acer-support-can-go-pound-sand/" target="_blank">cheap piece of crap Acer</a>, this came with a brand new HP Proliant server!  Sheesh.  Spare no expense with that fancy fuckin technology why don&#8217;t yah?</p>
<p>I guess since it&#8217;s a server it&#8217;ll be remoted in to 99% of the time anyway, but still.  Like it would&#8217;ve broken HP&#8217;s bank to throw an optical mouse in there?</p>
<p>I had forgotten how absolutely frustrating ball mice are without a perfectly flat surface until now.  Thanks HP.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2010/03/its-2010-do-you-know-where-your-balls-are/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Java: A Malware Writer&#8217;s Dream Come True</title>
		<link>http://www.nicholasoverstreet.com/2010/03/java-a-malware-writters-dream-come-true/</link>
		<comments>http://www.nicholasoverstreet.com/2010/03/java-a-malware-writters-dream-come-true/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 17:06:19 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=627</guid>
		<description><![CDATA[Not too long ago I wrote about how to Make Firefox More Secure by Disabling Java in it.  Since I wrote that article in November, nearly every malware cleanup I have done since then has used Java as it&#8217;s injection vector, and that has been quite a lot.  This has become a HUGE wide spread [...]]]></description>
			<content:encoded><![CDATA[<p>Not too long ago I wrote about how to <a href="http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/" target="_blank">Make Firefox More Secure by Disabling Java</a> in it.  Since I wrote that article in November, nearly every malware cleanup I have done since then has used Java as its injection vector, and that has been quite a lot.  This has become a HUGE widespread security issue for Windows users, and it&#8217;s all thanks to Oracle&#8217;s Java plugin for web browsers.</p>
<p style="text-align: center;"><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/03/java-infection.jpg"><img class="aligncenter size-full wp-image-632" title="java infection" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/03/java-infection.jpg" alt="" width="493" height="384" /></a></p>
<p>Java isn&#8217;t supposed to allow apps without a certificate to execute unless the user gives it permission to.  The problem is that there are bugs in the Java plugin that allow malicious apps to still run, regardless of the user clicking allow or block!  I don&#8217;t know if the latest Java update version has patched these holes or not.  Every system I have seen though has been running Java 6, just one of the lower update numbers (they&#8217;re on update 18 at the time of this writing).  Compounding the issue is that most people never update Java.  Heck, I hardly ever used it, so I never updated it either.</p>
<p><span id="more-627"></span></p>
<p>The Java plugin is allowing malware writers to infect machines, no matter which web browser or which version of the browser the victim is using.  Java is allowing malicious code to run, which in turn infects machines.  This needs to be stopped, and the best way to do so is to completely remove Java from your computer.  I urge everyone to uninstall the Java plugins immediately.  If this is not an option for you because you need Java for some poorly coded website, or obscure photo uploader (thanks Facebook), then you should at least be disabling Java in your browser until you come to the page you actually want it to run on.</p>
<p>In my <a href="http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/" target="_blank">previous article</a> I showed you how to disable it in Firefox 3.5.  Well, since then Firefox 3.6 has come out, and it changes how the Java Plugin has to be disabled.  Now you have to click Tools -&gt; Addons -&gt; Plugins</p>
<p>Find the &#8220;Java(TM) Platform SE x Uxx&#8221; (the x&#8217;s are version numbers), and click the Disable button on it.  There is also a &#8220;Java Deployment Toolkit&#8221; that you should disable as well.</p>
<p style="text-align: center;"><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/03/screwjava.jpg"><img class="aligncenter size-full wp-image-628" title="screwjava" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/03/screwjava.jpg" alt="" width="518" height="427" /></a></p>
<p>If you&#8217;re using Internet Explorer you should uninstall Java completely.  In IE you&#8217;re supposed to be able to click Tools -&gt; Internet Options -&gt; Manage Add-ons, then find all of the Java Plug-ins in there going through the various lists, and disable them, but I have not been able to.  Even though I have disabled every single Java plugin possible, when I visit a Java web site, it still loads up Java.  For this reason, I recommend completely removing Java from your computer if you&#8217;re an IE user.  Or even better yet, use <a href="http://firefox.com" target="_blank">Firefox</a> which actually disables the Java plugin when you click the disable button in it.  IE sucks, stop using it.</p>
<p>For Firefox, that&#8217;s it.  Rest assured you have once again secured your browser.  If you visit a site you TRUST explicitly, then you will simply need to revisit the Plugin and click Enable.  The change is instantaneous and fortunately doesn&#8217;t require a browser restart.</p>
<p>I can already hear you now &#8220;Just make sure you&#8217;re updated to the latest version&#8221;.  To that I say NO.    Java has proven itself HIGHLY dangerous to a computer&#8217;s security.  Allowing it to sit there and load, even if it&#8217;s the latest version, is ill-advised as any new exploit could be found at any time and allow the malicious code through again.</p>
<p>Just say NO to Java!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2010/03/java-a-malware-writters-dream-come-true/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Firefox 3.6 Breaks Themes and Personas Coexistence</title>
		<link>http://www.nicholasoverstreet.com/2010/01/firefox-3-6-breaks-themes-and-personas-coexistence/</link>
		<comments>http://www.nicholasoverstreet.com/2010/01/firefox-3-6-breaks-themes-and-personas-coexistence/#comments</comments>
		<pubDate>Sat, 23 Jan 2010 01:21:18 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=599</guid>
		<description><![CDATA[I was excited to see that Firefox 3.6 was released today, so I promptly downloaded and installed it on my Asus Netbook (which I have been loving by the way).  Upon restarting Firefox after the upgrade I noticed my Persona was missing.  Now would be a good time to explain that I run a theme [...]]]></description>
			<content:encoded><![CDATA[<p>I was excited to see that Firefox 3.6 was released today, so I promptly downloaded and installed it on my Asus Netbook (which I have been loving by the way).  Upon restarting Firefox after the upgrade I noticed my <a href="http://www.getpersonas.com/en-US/gallery/" target="_blank">Persona </a>was missing.  Now would be a good time to explain that I run a theme on my Netbook other than default.  The default Firefox theme is generally ok, but on a Netbook it is simply too bloated and chunky.  It takes up way too much real estate on a Netbook&#8217;s low res screen.  To resolve that annoyance I run a theme called <a href="http://www.getpersonas.com/en-US/gallery/" target="_blank">Classic Compact</a>.  It gives you a good chunk of your screen space back, leaving you more room to view your <span style="text-decoration: line-through;">porn</span> websites.</p>
<p>After loading up 3.6 and seeing my Theme was lacking my Persona (the clean  <a href="http://www.getpersonas.com/en-US/persona/16" target="_blank">Firefox B</a>), I hopped back over to the Persona website and reapplied it.  But at this point something disturbing happened.  Firefox switched back over to its morbidly obese default theme.  I turned Classic Compact back on and applied the Persona again, and again Firefox&#8217;s ugly fat theme butted in.  After a <a href="http://www.lmgtfy.com/?q=firefox+3.6+personas+a+disaster" target="_blank">quick goog</a>, I discovered that this was a common complaint on the Mozilla forums.  Evidently in the new version of Firefox, with the Persona integration, they merged Personas into themes.  You can no longer have both, as you always could before.</p>
<p>After screaming a few choice words I decided to just downgrade back to 3.5.7 until Firefox fixes this issue or someone else releases an add-on that will fix this bullshit.</p>
<p>It&#8217;s pathetic that Mozilla would take a feature that has been working fine for such a long time, integrate it, and completely fuck it up!</p>
<p>I also find it rather pathetic that Mozilla couldn&#8217;t scrape together a single fucking Windows 7 feature for Firefox&#8230; I would&#8217;ve been happy with even some god damn jump lists, but noooo&#8230; heaven forbid the Mozilla team actually be on the ball about what its users want.</p>
<p>So the lesson here is, if you run a theme and a persona, don&#8217;t upgrade to 3.6 quite yet.  Wait for a fix to come out, either from Mozilla, or from someone in the community in the form of an add on.  And since pictures are always more fun to look at&#8230;</p>
<p><span id="more-599"></span>Here is Firefox&#8217;s Ugly Fat Theme (with Persona):</p>
<p><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/3.6-xbox-huge-interface.jpg"><img class="aligncenter size-full wp-image-608" title="3.6 xbox huge interface" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/3.6-xbox-huge-interface.jpg" alt="" width="512" height="300" /></a></p>
<p style="text-align: left;">Here is my nice Classic Compact running with Persona in 3.5.7:</p>
<p style="text-align: left;">
<p style="text-align: left;"><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/3.5.7-personas-working-right.jpg"><img class="aligncenter size-full wp-image-609" title="3.5.7 personas working right" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/3.5.7-personas-working-right.jpg" alt="" width="512" height="300" /></a></p>
<p style="text-align: left;">And here is how it looks in 3.6:</p>
<p style="text-align: left;"><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/3.6-personas-broken.jpg"><img class="aligncenter size-full wp-image-610" title="3.6 personas broken" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/3.6-personas-broken.jpg" alt="" width="512" height="300" /></a></p>
<p style="text-align: left;">(I know from the screen shots it doesn&#8217;t look like that much of a difference in real estate, but when you&#8217;re stuck with 1024&#215;600, every line of resolution you can reclaim helps!)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2010/01/firefox-3-6-breaks-themes-and-personas-coexistence/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>TrueCrypt Full System Encryption on a Netbook</title>
		<link>http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/</link>
		<comments>http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/#comments</comments>
		<pubDate>Sat, 02 Jan 2010 19:57:07 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=591</guid>
		<description><![CDATA[For the uninitiated, TrueCrypt is a Free, Open Source, on-the-fly disk encryption software.  You can do many things with it, from Encrypting flash drive, to creating Encrypted file containers, to Full System Encryption.  I had done all except the latter and I have been wanting to try it out.  For various reasons though I had [...]]]></description>
			<content:encoded><![CDATA[<p>For the uninitiated, <a href="http://www.truecrypt.org/" target="_blank">TrueCrypt</a> is a Free, Open Source, on-the-fly disk encryption software.  You can do many things with it, from Encrypting flash drive, to creating Encrypted file containers, to Full System Encryption.  I had done all except the latter and I have been wanting to try it out.  For various reasons though I had never really bothered with it, until now.</p>
<p>Over the holidays I picked up an Asus EeePC 1005HA Netbook</p>
<p><a rel="attachment wp-att-592" href="http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/asus-1005ha/"><img class="aligncenter size-medium wp-image-592" title="asus-1005ha" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/asus-1005ha-238x300.jpg" alt="asus-1005ha" width="238" height="300" /></a></p>
<p>I have a 14 inch laptop with all the bells and whistles of a normal laptop, but after a while, lugging the beastly heavy thing around got to be quite old, and it got to a point where I just didn&#8217;t even bother bringing it with me any more because it was just a hassle.  I picked up the Netbook to hopefully remedy this issue.  Their small and incredibly light build will hopefully not become such a burden down the road.  While you can definitely feel the slowness of the Atom processor, you only really notice it if you&#8217;re doing a bunch of stuff at once.  If you&#8217;re just surfing the net, IM&#8217;ing, doing office stuff, you don&#8217;t really notice at all.</p>
<p>So now that I have my new little buddy I started thinking about security for it.  Since it&#8217;s so small and will be going with me everywhere, it&#8217;s also prone to growing a set of legs and walking off.  Should this occur, I want all of my personal and work related files stored on it to be completely secure.  I have used TrueCrypt for many years so I have come to trust it, and I figured this would be an excellent solution.</p>
<p><span id="more-591"></span></p>
<p>However, installing TrueCrypt on a Netbook presents a few hurdles, primarily due to the lack of a CD drive.  Sure, you could pick up a USB external CD drive, but what fun would that be?  I have already re-partitioned it using a USB bootable <a href="http://gparted.sourceforge.net/" target="_blank">G-Parted</a>, and used the <a href="http://store.microsoft.com/Help/ISO-Tool" target="_blank">Microsoft ISO USB DVD download utility</a> to make a USB bootable Windows 7 flash drive, so it was my mission to go about this the same way.  When you use TrueCrypt to encrypt a system volume, it <strong>requires</strong> you to burn a TrueCrypt Emergency Boot CD, which is really a good idea because if something goes wrong you really need it.  Of course on a Netbook this isn&#8217;t an option.  So basically what happens is TrueCrypt gives you an .iso image and makes you burn it, then it verifies the disc you burned to.  At this step I got around the verify requirement by simply mounting the .iso in a <a href="http://www.daemon-tools.cc/" target="_blank">Daemon Tools</a> virtual drive.  This tricked TrueCrypt into thinking that I had burned the image.  But, this still left me with a nagging issue.  Should something go wrong, or happen to my system, I would NEED to be able to boot this image to recover my system, or face 100% data loss.  Off to Google I went, and came upon a <a href="http://florian.freundt.org/blog/?p=161" target="_blank">very informative blog post at Florian Freundt&#8217;s site</a> that outlines how to make a multi-utility USB boot drive!  What a wonderful blog entry, as I followed its directions and was able to successfully create a USB drive that will let me boot my TrueCrypt Rescue Image!  Not only that, but I also put my Acronis Recovery Image on it, along with Parted Magic (contains G-Parted and other useful utilities), and Ultimate Boot CD.  Plus, in the future it will be very simple to upgrade these utilities to new versions because all I&#8217;ll have to do is replace the .iso on my flash drive.  Very nice!</p>
<p>Once I knew I would be able to boot the TrueCrypt Rescue Image, I proceeded with the system encryption.  This went off without a hitch, and took about 5 hours to complete the encryption.  I was a bit worried about system performance since the Atom isn&#8217;t exactly a beast, but to be honest I don&#8217;t see any real performance hit other than coming out of hibernation seems a bit slower.  I can still pop open a 3gb 720p HD Xvid encoded video file and play it full screen with no hiccups.  Firefox fires up in the same amount of time and I don&#8217;t really notice any lag.</p>
<p>I can now rest soundly with the knowledge that my ultra portable data is safe and secure, and should I ever need it, I can recover my partition with the TrueCrypt Utility.</p>
<p><a rel="attachment wp-att-593" href="http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/truecrypt/"><img class="aligncenter size-full wp-image-593" title="truecrypt" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/truecrypt.jpg" alt="truecrypt" width="580" height="498" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Windows Server Backup Sucks</title>
		<link>http://www.nicholasoverstreet.com/2009/12/windows-server-backup-sucks/</link>
		<comments>http://www.nicholasoverstreet.com/2009/12/windows-server-backup-sucks/#comments</comments>
		<pubDate>Sat, 05 Dec 2009 05:02:51 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Server 2008]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=572</guid>
		<description><![CDATA[This article is referring specifically to Windows Server Backup 1.0 that comes with Windows Server 2008 R2. I recently had the pleasure of another horrid Server 2008 product.  This time around it&#8217;s the built in backup utility causing my head aches. What&#8217;s the problem with it?  It&#8217;s slow.  I don&#8217;t mean takes a few extra [...]]]></description>
			<content:encoded><![CDATA[<p>This article is referring specifically to Windows Server Backup 1.0 that comes with Windows Server 2008 R2.</p>
<p>I recently had the pleasure of another horrid Server 2008 product.  This time around it&#8217;s the built in backup utility causing my headaches.</p>
<p>What&#8217;s the problem with it?  It&#8217;s slow.  I don&#8217;t mean takes a few extra hours slow&#8230; I mean it takes 18 hours slow.</p>
<p>First let me give a quick overview of the equipment being used&#8230; as this is definitely NOT a hardware issue.  It&#8217;s a poorly-written half-assed software issue.</p>
<p>The server is a 2U rackmount HP Proliant DL380, running 2 Intel Xeon E5540 CPUs at 2.53GHz.  Each CPU has 4 cores with hyper-threading, giving it a total of 16 processing cores.  It has 24gb of ram (6gb free when in production).  For HDs it is running 8 300GB 10,000 RPM SAS hot-swappable drives in a RAID 10 configuration.  This server is no slouch.  The server&#8217;s sole purpose is a Hyper-V server.  It runs 4 virtual machines, all Server 2003 machines with 4 gb of ram each.  In total, the virtual server has 746gb of data that needs backed up.</p>
<p>The server is connected via gigabit ethernet to a switch.  The switch is connected via fiber to another switch, where lives our backup server that is also connected at gigabit and has 2tb of storage space for the server backup.  Using straight file copying over network shares I have verified full gigabit transfer speeds.</p>
<p>It all sounds good right?  Well, it actually all is pretty nice&#8230; until you throw Windows Server Backup in to the mix.  What a piece of shit program this is.  I&#8217;ll save you the hours of configuration it took to get it to play nice in setting the backup to go to the network share and to play nice with the Hyper-V virtual machines.  Mind you this is a production server, so shutting down the 2003 servers for a couple hours isn&#8217;t an option.  Luckily volume shadow copy services comes to the rescue here, but again, I&#8217;ll spare you the explanation on that as this isn&#8217;t the point.</p>
<p><span id="more-572"></span></p>
<p>The point is that 746gb of data transferred at gigabit speeds should take just under 2 hours according to my <a href="http://www.t1shopper.com/tools/calculate/downloadcalculator.php" target="_blank">handy dandy file transfer time/speed calculator</a>.  The backup was scheduled for 9pm, so imagine my shock and horror when I came in and checked in on it at 8am the next day and see that the transfer was 70-something-% done.  WHAT?!  The backup did eventually complete around 3pm the next day.  That is 18 hours.  <strong>18 HOURS</strong>.  18  Hours to transfer 746gb of data over a gigabit/fiber connection.  This is just insane.  How could Microsoft have let a product out the door with such a disgusting, fatal, problematic flaw?!  And trust me, <a href="http://social.technet.microsoft.com/Forums/en/windowsbackup/thread/3e08fc65-52f5-48ca-ae13-321cdfc44fbd" target="_blank">I</a> &#8211; <a href="http://www.vistax64.com/vista-general/181982-windows-2008-server-wbadmin-backup-slow.html" target="_blank">am</a> &#8211; <a href="http://www.techsupportforum.com/microsoft-support/windows-nt-2000-2003-server-2008-server/145968-server-backup-times-very-slow-mb-min-etc-ntbackup-backupexec-times-typical.html" target="_blank">not</a> &#8211; <a href="http://social.technet.microsoft.com/Forums/en-US/windowsbackup/thread/838db6e8-cb9c-425a-abd2-3180d8f28c1a" target="_blank">alone</a>.</p>
<p style="text-align: center;"><a rel="attachment wp-att-575" href="http://www.nicholasoverstreet.com/2009/12/windows-server-backup-sucks/failbackup/"><img class="aligncenter size-full wp-image-575" title="failbackup" src="http://www.nicholasoverstreet.com/wp-content/uploads/2009/12/failbackup.jpg" alt="failbackup" width="548" height="405" /></a></p>
<p>The problem it seems is due to the way it compresses the files in the backup.  Apparently Microsoft has decided it is best that each file be compressed to its maximum amount.  Never mind the fact that some people might actually have storage space to store backups uncompressed&#8230; never mind the fact that the NTFS file system has built in file compression that works quickly.  It&#8217;s another one of those things that Microsoft let out the door and obviously never seriously tested, which being a corporate server product, you would THINK Microsoft would actually care about the code and programs going into it.  Apparently this is not the case.  I&#8217;m about over Microsoft&#8217;s bullshit.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/12/windows-server-backup-sucks/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>I still like Avira</title>
		<link>http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/</link>
		<comments>http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/#comments</comments>
		<pubDate>Sun, 15 Nov 2009 00:17:10 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=565</guid>
		<description><![CDATA[Yesterday I wrote about how I had stumbled upon a virus through Java in Firefox and how Avira didn&#8217;t quite stop all the infections. I also mentioned I didn&#8217;t blame Avira because I felt that it was a new strain, and it looks like I was right. Yesterday when I scanned the infected file it [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/" target="_blank">Yesterday I wrote about how I had stumbled upon a virus through Java in Firefox and how Avira didn&#8217;t quite stop all the infections.</a></p>
<p>I also mentioned I didn&#8217;t blame Avira because I felt that it was a new strain, and it looks like I was right.</p>
<p>Yesterday when I scanned the infected file it wasn&#8217;t reporting any issues.</p>
<p>Today I noticed a little update notice from Avira so for the heck of it I scanned the infected file again (kept it around to test with), and bam, detected!</p>
<p><a rel="attachment wp-att-566" href="http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/detected/"><img class="aligncenter size-full wp-image-566" title="detected" src="http://www.nicholasoverstreet.com/wp-content/uploads/2009/11/detected.jpg" alt="detected" width="484" height="442" /></a></p>
<p>So for the heck of it I popped it through my trusty online scanner, <a href="http://www.virustotal.com" target="_blank">VirusTotal</a>, which will scan any file you upload against 41 antivirus engines.</p>
<p>The other day I got:</p>
<blockquote><p>File <span id="status_nombre">iaStor.sys</span> received on <span id="status_fecha">2009.11.12 18:25:30 (UTC)</span><br />
Current status: 			    <span id="status_terminado">finished</span></p></blockquote>
<blockquote>
<div id="status_porcentaje">Result: <span id="porcentaje"><span style="color: red;">1</span>/41 (2.44%)</span></div>
</blockquote>
<p>Reanalysing the file today I get:</p>
<blockquote><p>File <span id="status_nombre">iaStor.sys</span> received on <span id="status_fecha">2009.11.15 00:09:41 (UTC)</span><br />
Current status: <span id="status_terminado" style="display: inline;">finished</span></p>
<div id="status_porcentaje" style="display: inline;">Result: <span id="porcentaje"><span style="color: red;">11</span>/41 (26.83%)</span></div>
</blockquote>
<div><span>So this was obviously a new strain and engines are finally starting to update!</span></div>
<div><span>Just for fun, <a href="http://www.virustotal.com/analisis/01858e47e205d8acbb869ee4af9e764b41cc39427b7a0d8846bc65aba5646ee4-1258243781" target="_blank">here is the link to the report for the file I submitted.</a></span></div>
<div><span>Also, yay for Avira being one of the 11 detecting it now.  I picked Avira because of its high detection rates, so hopefully they will continue leading the sector. <img src='http://www.nicholasoverstreet.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /><br />
</span></div>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/11/i-still-like-avira/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Make Firefox More Secure, Disable Java</title>
		<link>http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/</link>
		<comments>http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/#comments</comments>
		<pubDate>Sat, 14 Nov 2009 02:25:56 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=554</guid>
		<description><![CDATA[No, not Javascript.  Java. Despite similar names, Javascript and Java are 2 entirely different things. Java, or Java applets are programs that can be embedded in to websites.  They are generally poorly written, and hardly ever function right.  Most people will probably never even need java, and in fact the only website I can think [...]]]></description>
			<content:encoded><![CDATA[<p>No, not JavaScript.  Java.</p>
<p>Despite similar names, JavaScript and Java are 2 entirely different things.</p>
<p>Java, or Java applets, are programs that can be embedded into websites.  They are generally poorly written, and hardly ever function right.  Most people will probably never even need Java, and in fact the only website I can think of that I ever use it on is Facebook&#8217;s shitty multi-photo uploader which I use only a handful of times a year.</p>
<p>Why am I writing about this?  Because I had a Windows 7 machine that was fully updated, running an updated Firefox with Java (Java may have not been up to date), and a fully updated antivirus program.  By clicking one simple link, the machine was infected through the Java runtime in Firefox.  Despite clicking &#8220;Deny&#8221; on the Java question, the app still managed to run itself.  It looked like it caused some type of crash in the Java runtime and allowed itself to execute code.  The virus then proceeded to attempt to hijack the browser and insert other malicious code into the system.  Avira Antivirus was able to block most of these attempts, but it did miss something.  I have a feeling that this was a new strain of the virus, so I&#8217;m not going to place too much blame on Avira here.  After all was said and done I ran the infected file through an online scanner, and only 1 of 41 virus engines detected it.  Yikes!</p>
<p>Before shutting down the system I had run FULL scans with Malwarebytes and Avira; both came back clean.  I rebooted the system and that is when it happened.  7 load screen&#8230; blue screen&#8230; reboot.  Over and over.  Safe mode was of no use, other methods of recovery didn&#8217;t work, the bluescreen yielded no useful information.  It wouldn&#8217;t even point me to the file causing the crash (which would have helped me tremendously).  To make a long story short (I put probably 4 hours into fixing this bluescreen), the virus had attempted to insert code into my iaStor.sys driver.  This is an Intel Storage driver, vital to system operation.  I believe that because this was a Windows 7 machine, it was unable to successfully hijack this file (the virus was probably written to hijack XP machines).  I found the lone infected file by pulling the drive out of the laptop and using a separate computer running Nod32 to scan the entire drive, and replaced the infected file with a good copy I had in my archives.  The really strange thing about it was the good file and infected file were the same exact size, but the infected file no longer had the Intel signature and had a different MD5 hash than the good file.  The virus obviously tried to re-write some part of my storage driver&#8230; who knows what though.</p>
<p>Nod32 identified it as Olmarik.pv which from what I can tell is a pretty new strain.</p>
<p>To bring this story back to its point, a fully updated system, running Firefox still caught an infection thanks to shitty ass Java.  So, do yourself a favor out there RIGHT NOW.  Disable Java.</p>
<p>Tools -&gt; Options -&gt; Content</p>
<p>Un-check Enable Java:</p>
<p><a rel="attachment wp-att-560" href="http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/disablejava-2/"><img class="aligncenter size-full wp-image-560" title="disablejava" src="http://www.nicholasoverstreet.com/wp-content/uploads/2009/11/disablejava1.png" alt="disablejava" width="521" height="488" /></a></p>
<p>The nice part about this is that if you do end up on a site that you TRUST and need to enable it, you can simply check the box again and reload the page and it will work.  You don&#8217;t have to restart your browser.  Just be sure to disable it again after you&#8217;re done to keep your browser safe!</p>
<p>I have made this change on all of my machines and I strongly encourage you to as well!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Philips DVD-R Yellows, Goes Bad</title>
		<link>http://www.nicholasoverstreet.com/2009/09/philips-dvd-r-yellows-goes-bad/</link>
		<comments>http://www.nicholasoverstreet.com/2009/09/philips-dvd-r-yellows-goes-bad/#comments</comments>
		<pubDate>Mon, 14 Sep 2009 23:04:18 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=462</guid>
		<description><![CDATA[Today at work I needed some data off a DVD-R from about 3 years ago.  I shuffled through my stack of discs and located the one I needed.  Upon first glance I could tell it was aging because while other discs were still nice and silver, this once-silver disc was very very yellowed and gold-looking.  [...]]]></description>
			<content:encoded><![CDATA[<p>Today at work I needed some data off a DVD-R from about 3 years ago.  I shuffled through my stack of discs and located the one I needed.  Upon first glance I could tell it was aging because while other discs were still nice and silver, this once-silver disc was very very yellowed and gold-looking.  I didn&#8217;t think much of it until we tried to read the disc.</p>
<p>Nothing, nada, zip, zero, zilch.  We tried 3 different machines and none of them would read the aged disc.</p>
<p>I&#8217;m a bit disappointed in Philips&#8217; quality here.  This disc was only around 3 years old, and in my opinion was way too new to have gone bad already!  What a let-down from the Philips brand name.  I can&#8217;t say I have bought any of their discs since then, and I&#8217;m glad.  I&#8217;ll be sure to avoid their media products from now on.  I have other Memorex discs from approximately the same era, and they were still perfectly fine.</p>
<p>Below is a picture showing the bad Philips DVD on the right next to a nice good silver disc on the left.</p>
<p><a rel="attachment wp-att-463" href="http://www.nicholasoverstreet.com/2009/09/philips-dvd-r-yellows-goes-bad/bad-dvd/"><img class="aligncenter size-full wp-image-463" title="bad-dvd" src="http://www.nicholasoverstreet.com/wp-content/uploads/2009/09/bad-dvd.jpg" alt="bad-dvd" width="586" height="369" /></a></p>
<p>Luckily the data on the disc was unimportant and archived elsewhere, but nevertheless there is an important lesson to be learned here.</p>
<p>Never use recordable disc media for archival purposes.  This disc was not mistreated, and was not left out in the sunlight.  It was stored in a stack of ~15 other discs.  Recordable media is a great way to transport or play your files, but it should never be used for archiving or backups.  Besides, with how filthy dirt cheap hard drives are, there is no good reason not to use hard drives as your backup medium.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/09/philips-dvd-r-yellows-goes-bad/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Windows 7 Crippling, On The Big Screen</title>
		<link>http://www.nicholasoverstreet.com/2009/08/windows-7-crippling-on-the-big-screen/</link>
		<comments>http://www.nicholasoverstreet.com/2009/08/windows-7-crippling-on-the-big-screen/#comments</comments>
		<pubDate>Thu, 27 Aug 2009 15:49:24 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=449</guid>
		<description><![CDATA[A few weeks ago I wrote about how Microsoft was artificially crippling &#8220;lesser&#8221; versions of Windows. Blocking you from running software you have a right to use, simply because you didn&#8217;t buy their more expensive version. Well, it looks like the Free Software Foundation is launching an attack against Microsoft, pointing out just that&#8230; &#8220;Microsoft [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-450" href="http://www.nicholasoverstreet.com/2009/08/windows-7-crippling-on-the-big-screen/windows7sins_3_270x390/"><img class="alignright size-medium wp-image-450" title="windows7sins_(3)_270x390" src="http://www.nicholasoverstreet.com/wp-content/uploads/2009/08/windows7sins_3_270x390-207x300.png" alt="windows7sins_(3)_270x390" width="207" height="300" /></a></p>
<p>A few weeks ago I wrote about how <a href="http://www.nicholasoverstreet.com/2009/08/windows-7-home-your-very-own-crippled-os/" target="_blank">Microsoft was artificially crippling &#8220;lesser&#8221; versions of Windows</a>.</p>
<p>Blocking you from running software you have a right to use, simply because you didn&#8217;t buy their more expensive version.</p>
<p>Well, it looks like the <a href="http://windows7sins.org/" target="_blank">Free Software Foundation is launching an attack</a> against Microsoft, pointing out just that&#8230;</p>
<blockquote><p>&#8220;Microsoft is up to their usual tricks again &#8212; only this time, they&#8217;re also inserting artificial restrictions into the operating system itself. While not the first time they&#8217;ve done this, this is the first release of Windows that can magically remove limitations instantly upon purchasing a more expensive version from Microsoft.&#8221;</p></blockquote>
<p>I for one am glad to see this.  This mentality over at Microsoft of &#8220;we wrote your OS, so we control everything on your computer&#8221; needs to stop.  Unfortunately Microsoft has done this shit since the early days of Windows&#8230; they always want to control what you can and can&#8217;t do on your own machine and it seems like a <a href="http://www.nicholasoverstreet.com/2009/08/vista-and-7-easily-disable-ease-of-access/" target="_blank">constant fight with Microsoft and Windows</a> just to be able to do what you want on your machine.</p>
<p>They&#8217;re pushing Linux-based software of course, and I wouldn&#8217;t be opposed to switching to such a platform if it weren&#8217;t for one major issue, which is gaming.  A lot of my home PC use is gaming, of which almost none of the modern games run on Linux platforms.</p>
<p>Maybe in time Linux will mature enough and get a large enough market share that developers will pay more attention to it.  If this would happen we could finally switch off of Microsoft and their bullshit stranglehold on our machines.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/08/windows-7-crippling-on-the-big-screen/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
