<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NicholasOverstreet.com &#187; Tricks, Tips, or Hacks</title>
	<atom:link href="http://www.nicholasoverstreet.com/category/trips-tips-hacks/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.nicholasoverstreet.com</link>
	<description>Computers are hard.</description>
	<lastBuildDate>Tue, 27 Jul 2010 23:20:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>A new rootkit?</title>
		<link>http://www.nicholasoverstreet.com/2010/07/a-new-rootkit/</link>
		<comments>http://www.nicholasoverstreet.com/2010/07/a-new-rootkit/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 23:20:48 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=729</guid>
		<description><![CDATA[For the third time in the last few weeks I have had to clean up yet another malware infection. However, these have all displayed similar symptoms, and I am thinking there might be another outbreak of malware coming.  I have noticed that malware seems to come in waves.  I will spend a whole bunch of [...]]]></description>
			<content:encoded><![CDATA[<p>For the third time in the last few weeks I have had to clean up yet another malware infection.</p>
<p>However, these have all displayed similar symptoms, and I am thinking there might be another outbreak of malware coming.  I have noticed that malware seems to come in waves.  I will spend a whole bunch of time cleaning it up for a while, then I will go months without having to clean any up&#8230; then it&#8217;ll come back in force again.</p>
<p>I&#8217;m not sure of the injection vector of the latest version (the previous wave seemed to <a href="http://www.nicholasoverstreet.com/2010/03/java-a-malware-writters-dream-come-true/" target="_blank">enjoy Java exploits</a> quite a lot), but I can give you a fairly obvious and quick-to-diagnose symptom and a quick way to clean it up.</p>
<p>The first and easiest check on an infected machine is to try to visit <a href="http://windowsupdate.microsoft.com" target="_blank">http://windowsupdate.microsoft.com</a>.  On the machines I have seen, regular websites like cnn.com or google.com will work, but you cannot get to the Windows Update site.  It will just snap to a page not found error.</p>
<p>The second easy check basically confirms that Windows Updates are being blocked.  Hop in to the Event Viewer, and look in the Application log.  You should see a whole onslaught of errors from crypt32 complaining that it &#8220;Failed auto update retrieval of third-party root list sequence number from&#8230;The connection with the server was terminated abnormally&#8221;.  This is almost a guaranteed sign you&#8217;ve picked yourself up some new malware, and more specifically a rootkit.  This rootkit is sort of nasty in that it makes you think you have got the machine all cleaned up.  If you run a <a href="http://www.malwarebytes.org/mbam.php" target="_blank">Malwarebytes Antimalware</a> scan, the scan will come back clean, and the system will seem normal (aside from the errors in Event Viewer and not being able to get to Windows Updates).</p>
<p><span id="more-729"></span></p>
<p style="text-align: center;"><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit1.png"><img class="aligncenter size-large wp-image-730" title="rootkit1" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit1-1024x560.png" alt="" width="553" height="302" /></a></p>
<p>To get rid of this bugger you&#8217;re going to need a bit more powerful medication.  If Malwarebytes Antimalware is cough syrup, this thing is full-body radiation.  I am speaking of <a href="http://www.combofix.org/" target="_blank">Combofix</a>.  First a word of warning:  Combofix can seriously hose your computer.  Do not run it unless you are a computer expert and able to manually repair any damage that may be inadvertently caused by Combofix.  That said, I have never had a problem with Combofix, it has always worked great for me.</p>
<p>Don&#8217;t be afraid of Combofix&#8217;s low-level appearance.  It appears that way because that is what it is, low-level.  It gets deep in the system and does what it needs.  How it actually works is a trade secret that only the author of the program knows.  He must keep the methods he uses secretive so that malware writers won&#8217;t be able to stop his cleanup efforts and make his program useless.</p>
<p>So you run Combofix and follow its steps and take note of its warnings, and you&#8217;ll eventually get to its notice that it found rootkit activity:</p>
<p><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit2.jpg"><img class="aligncenter size-full wp-image-731" title="rootkit2" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit2.jpg" alt="" width="518" height="389" /></a></p>
<p>Excellent news!  Not so excellent you have a rootkit, but excellent that Combofix has detected it and will now proceed with the cleanup.  Your machine will reboot at least once to continue with the cleanup and Combofix will go about its business of cleaning up the mess you have.  Combofix has over 50 stages, so it can take a while to run.  Just be patient, let it do its thing, and never interrupt it.</p>
<p><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit3.jpg"><img class="aligncenter size-full wp-image-732" title="rootkit3" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/07/rootkit3.jpg" alt="" width="518" height="389" /></a></p>
<p>After Combofix has done its thing, it will display a notepad window with a log file of what it has done.  If you&#8217;re bored you can browse through the logs and see its work.  At this point your machine is rootkit free, and you should be able to once again get to the Windows Updates web site.  At this point I always do a couple things.  One, make sure to go ahead and run a Malwarebytes Antimalware scan to clean up any remaining malware not picked up by Combofix (Combofix only goes after the major problems, whereas Malwarebytes goes for a full system cleaning).  Next, update the browser, Java, and Flash plugins on the machine, and run all Windows Updates to ensure the machine hasn&#8217;t missed anything important while the rootkit was blocking it from checking.</p>
<p>As I said, I am not sure of the injection vector of this particular rootkit as I have only seen its aftermath, but regardless, the cleanup method is the same for this as is with many other malware infections.  Combofix it, Malwarebytes, and then update the system.  Good luck and feel free to sound off in the comments with any questions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2010/07/a-new-rootkit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mozilla Disables Java Deployment Toolkit in Firefox</title>
		<link>http://www.nicholasoverstreet.com/2010/04/mozilla-disables-java-deployment-toolkit-in-firefox/</link>
		<comments>http://www.nicholasoverstreet.com/2010/04/mozilla-disables-java-deployment-toolkit-in-firefox/#comments</comments>
		<pubDate>Tue, 20 Apr 2010 14:00:19 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=677</guid>
		<description><![CDATA[If you have read my previous articles about Java being a malware writer&#8217;s dream, then you&#8217;ll understand why Mozilla did this. If you haven&#8217;t&#8230; well, hit the 2 links above to catch up. When I fired up Firefox today I got an interesting message: Nice!  Apparently Mozilla has decided to act where Oracle has not.  [...]]]></description>
			<content:encoded><![CDATA[<p>If you have read my <a href="http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/" target="_blank">previous articles</a> about Java being a <a href="http://www.nicholasoverstreet.com/2010/03/java-a-malware-writters-dream-come-true/" target="_blank">malware writer&#8217;s dream</a>, then you&#8217;ll understand why Mozilla did this.</p>
<p>If you haven&#8217;t&#8230; well, hit the 2 links above to catch up.</p>
<p>When I fired up Firefox today I got an interesting message:</p>
<p><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/04/byebyejava.jpg"><img class="aligncenter size-full wp-image-678" title="byebyejava" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/04/byebyejava.jpg" alt="" width="557" height="398" /></a></p>
<p>Nice!  Apparently Mozilla has decided to act where Oracle has not.  Mozilla has disabled the Java Deployment Toolkit, responsible for probably hundreds of thousands of malware infestations, across the board in Firefox.  Thank you Mozilla for taking responsibility where Oracle has not.</p>
<p>Oracle: You suck.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2010/04/mozilla-disables-java-deployment-toolkit-in-firefox/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Android Contact&#8217;s Birthdays In Your Calendar</title>
		<link>http://www.nicholasoverstreet.com/2010/03/android-contacts-birthdays-in-your-calendar/</link>
		<comments>http://www.nicholasoverstreet.com/2010/03/android-contacts-birthdays-in-your-calendar/#comments</comments>
		<pubDate>Sun, 28 Mar 2010 13:58:17 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=659</guid>
		<description><![CDATA[I&#8217;ve had my Android phone a week and a half now and I love it.  It brings everything together in to one phone.  Perhaps that is why they called it the Nexus One? But there was one &#8220;link&#8221; missing.  If you spent time entering birthday information for as many of your contacts as possible, they [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve had my Android phone a week and a half now and I love it.  It brings everything together in to one phone.  Perhaps that is why they called it the Nexus One?</p>
<p>But there was one &#8220;link&#8221; missing.  If you spent time entering birthday information for as many of your contacts as possible, they don&#8217;t show up in your calendar.  Even my girlfriend&#8217;s Blackberry does this, surely Android can.  I had downloaded an App from the market called EboBirthday.  While the app worked, it still had a flaw.  The birthdays didn&#8217;t show up in your calendar.  If you wanted to see what birthdays were coming up, you had to actually open up the EboBirthday app.  And on top of that, if you added in any new birthday information, you had to manually resync the EboBirthday app.  Rats&#8230; this isn&#8217;t the best solution.</p>
<p>Well, last night I was playing around in Google Calendar, and there is actually an option tucked away, built right in to Google Calendar, that lets you show your contact birthday information right on the Calendar!</p>
<p>Here is how you add it on:</p>
<p>Go to the Google Calendar web interface on your computer (<a href="http://google.com/calendar" target="_blank">google.com/calendar</a>).</p>
<p>1) Click the settings button in the upper right</p>
<p>2) Click the &#8220;Calendars&#8221; settings tab</p>
<p>3) In the Other Calendars section click &#8220;Browse Interesting Calendars&#8221;</p>
<p>4) Click the More tab here</p>
<p>5)  You should see an item labeled &#8220;Contacts&#8217; birthdays and events&#8221;, click the Subscribe link. (While you&#8217;re in here, you might want to poke around.  There may be some other calendars you&#8217;re interested in adding in to your own as well, such as holidays and stuff!)</p>
<p>That&#8217;s it!  In a couple minutes, all your contact birthdays will show up on the Calendar in your phone.  How cool is that?</p>
<p><a href="http://www.nicholasoverstreet.com/wp-content/uploads/2010/03/Image1.jpg"><img class="aligncenter size-full wp-image-660" title="Image1" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/03/Image1.jpg" alt="" width="300" height="214" /></a>While this is a nice feature to have available, it highlights one of the issues with Android and Google integration right now.  When you&#8217;re looking for a setting, it&#8217;s not always in the most obvious place, and sometimes you can only change it on the web.  However, I do expect as Android matures, we will see a lot more features and options added directly in to the Android OS.  I love Android and I suspect will be sticking with it for a long time to come!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2010/03/android-contacts-birthdays-in-your-calendar/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>TrueCrypt Full System Encryption on a Netbook</title>
		<link>http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/</link>
		<comments>http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/#comments</comments>
		<pubDate>Sat, 02 Jan 2010 19:57:07 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=591</guid>
		<description><![CDATA[For the uninitiated, TrueCrypt is a Free, Open Source, on-the-fly disk encryption software.  You can do many things with it, from Encrypting flash drives, to creating Encrypted file containers, to Full System Encryption.  I had done all except the latter and I have been wanting to try it out.  For various reasons though I had [...]]]></description>
			<content:encoded><![CDATA[<p>For the uninitiated, <a href="http://www.truecrypt.org/" target="_blank">TrueCrypt</a> is a Free, Open Source, on-the-fly disk encryption software.  You can do many things with it, from Encrypting flash drives, to creating Encrypted file containers, to Full System Encryption.  I had done all except the latter and I have been wanting to try it out.  For various reasons though I had never really bothered with it, until now.</p>
<p>Over the holidays I picked up an Asus EeePC 1005HA Netbook.</p>
<p><a rel="attachment wp-att-592" href="http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/asus-1005ha/"><img class="aligncenter size-medium wp-image-592" title="asus-1005ha" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/asus-1005ha-238x300.jpg" alt="asus-1005ha" width="238" height="300" /></a></p>
<p>I have a 14 inch laptop with all the bells and whistles of a normal laptop, but after a while, lugging the beastly heavy thing around got to be quite old, and it got to a point where I just didn&#8217;t even bother bringing it with me any more because it was just a hassle.  I picked up the Netbook to hopefully remedy this issue.  Their small and incredibly light build will hopefully not become such a burden down the road.  While you can definitely feel the slowness of the Atom processor, you only really notice it if you&#8217;re doing a bunch of stuff at once.  If you&#8217;re just surfing the net, IM&#8217;ing, doing office stuff, you don&#8217;t really notice at all.</p>
<p>So now that I have my new little buddy I started thinking about security for it.  Since it&#8217;s so small and will be going with me everywhere, it&#8217;s also prone to growing a set of legs and walking off.  Should this occur, I want all of my personal and work related files stored on it to be completely secure.  I have used TrueCrypt for many years so I have come to trust it, and I figured this would be an excellent solution.</p>
<p><span id="more-591"></span></p>
<p>However, installing TrueCrypt on a Netbook presents a few hurdles, primarily due to the lack of a CD drive.  Sure, you could pick up a USB external CD drive, but what fun would that be?  I have already re-partitioned it using a USB bootable <a href="http://gparted.sourceforge.net/" target="_blank">GParted</a>, and used the <a href="http://store.microsoft.com/Help/ISO-Tool" target="_blank">Microsoft ISO USB DVD download utility</a> to make a USB bootable Windows 7 flash drive, so it was my mission to go about this the same way.  When you use TrueCrypt to encrypt a system volume, it <strong>requires</strong> you to burn a TrueCrypt Emergency Boot CD, which is really a good idea because if something goes wrong you really need it.  Of course on a Netbook this isn&#8217;t an option.  So basically what happens is TrueCrypt gives you an .iso image and makes you burn it, then it verifies the disc you burned to.  At this step I got around the verify requirement by simply mounting the .iso in a <a href="http://www.daemon-tools.cc/" target="_blank">Daemon Tools</a> virtual drive.  This tricked TrueCrypt in to thinking that I had burned the image.  But, this still left me with a nagging issue.  Should something go wrong, or happen to my system, I would NEED to be able to boot this image to recover my system, or face 100% data loss.  Off to Google I went, and came upon a <a href="http://florian.freundt.org/blog/?p=161" target="_blank">very informative blog post at Florian Freundt&#8217;s site</a> that outlines how to make a multi-utility USB boot drive!  What a wonderful blog entry, as I followed its directions and was able to successfully create a USB drive that will let me boot my TrueCrypt Rescue Image!  Not only that, but I also put my Acronis Recovery Image on it, along with Parted Magic (contains GParted and other useful utilities), and Ultimate Boot CD.  
Plus, in the future it will be very simple to upgrade these utilities to new versions because all I&#8217;ll have to do is replace the .iso on my flash drive.  Very nice!</p>
<p>Once I knew I would be able to boot the TrueCrypt Rescue Image, I proceeded with the system encryption.  This went off without a hitch, and took about 5 hours to complete the encryption.  I was a bit worried about system performance since the Atom isn&#8217;t exactly a beast, but to be honest I don&#8217;t see any real performance hit other than coming out of hibernation seems a bit slower.  I can still pop open a 3gb 720p HD Xvid encoded video file and play it full screen with no hiccups.  Firefox fires up in the same amount of time and I don&#8217;t really notice any lag.</p>
<p>I can now rest soundly with the knowledge that my ultra portable data is safe and secure, and should I ever need it, I can recover my partition with the TrueCrypt Utility.</p>
<p><a rel="attachment wp-att-593" href="http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/truecrypt/"><img class="aligncenter size-full wp-image-593" title="truecrypt" src="http://www.nicholasoverstreet.com/wp-content/uploads/2010/01/truecrypt.jpg" alt="truecrypt" width="580" height="498" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2010/01/truecrypt-full-system-encryption-on-a-netbook/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Make Firefox More Secure, Disable Java</title>
		<link>http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/</link>
		<comments>http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/#comments</comments>
		<pubDate>Sat, 14 Nov 2009 02:25:56 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=554</guid>
		<description><![CDATA[No, not Javascript.  Java. Despite similar names, Javascript and Java are 2 entirely different things. Java, or Java applets are programs that can be embedded in to websites.  They are generally poorly written, and hardly ever function right.  Most people will probably never even need java, and in fact the only website I can think [...]]]></description>
			<content:encoded><![CDATA[<p>No, not Javascript.  Java.</p>
<p>Despite similar names, Javascript and Java are 2 entirely different things.</p>
<p>Java, or Java applets, are programs that can be embedded in to websites.  They are generally poorly written, and hardly ever function right.  Most people will probably never even need Java, and in fact the only website I can think of that I ever use it on is Facebook&#8217;s shitty multi-photo uploader which I use only a handful of times a year.</p>
<p>Why am I writing about this?  Because I had a Windows 7 machine that was fully updated, running an updated Firefox with Java (Java may have not been up to date),  and a fully updated Antivirus program.  By clicking one simple link, the machine was infected through the Java run time in Firefox.  Despite clicking &#8220;Deny&#8221; on the Java question, the app still managed to run itself.  It looked like it caused some type of crash in the Java run time and allowed itself to execute code.  The virus then proceeded to attempt to hijack the browser and insert other malicious code in to the system.  Avira Antivirus was able to block most of these attempts, but it did miss something.  I have a feeling that this was a new strain of the virus, so I&#8217;m not going to place too much blame on Avira here.  After all was said and done I ran the infected file through an online scanner, and only 1 of 41 virus engines detected it.  Yikes!</p>
<p>Before shutting down the system I had run FULL scans with Malwarebytes and Avira, both came back clean.  I rebooted the system and that is when it happened.  7 load screen&#8230; blue screen&#8230;. reboot.  Over and over.  Safe mode was of no use, other methods of recovery didn&#8217;t work, the bluescreen yielded no useful information.  It wouldn&#8217;t even point me to the file causing the crash (which would have helped me tremendously).  To make a long story short (I put probably 4 hours in to fixing this bluescreen), the virus had attempted to insert code in to my iaStor.sys driver.  This is an Intel Storage driver, vital to system operation.  I believe that because this was a Windows 7 machine, it was unable to successfully hijack this file (the virus was probably written to hijack XP machines).  I found the lone infected file by pulling the drive out of the laptop and using a separate computer running Nod32 to scan the entire drive,  and replaced the infected file with a good copy I had in my archives.  The really strange thing about it was the good file and infected file were the same exact size, but the infected file no longer had the Intel signature and had a different MD5 hash than the good file.  The virus obviously tried to re-write some part of my storage driver&#8230; who knows what though.</p>
<p>Nod32 identified it as Olmarik.pv which from what I can tell is a pretty new strain.</p>
<p>To bring this story back to its point, a fully updated system, running Firefox still caught an infection thanks to shitty ass Java.  So, do yourself a favor out there RIGHT NOW.  Disable Java.</p>
<p>Tools -&gt; Options -&gt; Content</p>
<p>Un-check Enable Java:</p>
<p><a rel="attachment wp-att-560" href="http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/disablejava-2/"><img class="aligncenter size-full wp-image-560" title="disablejava" src="http://www.nicholasoverstreet.com/wp-content/uploads/2009/11/disablejava1.png" alt="disablejava" width="521" height="488" /></a></p>
<p>The nice part about this is that if you do end up on a site that you TRUST and need to enable it, you can simply check the box again and reload the page and it will work.  You don&#8217;t have to restart your browser.  Just be sure to disable it again after you&#8217;re done to keep your browser safe!</p>
<p>I have made this change on all of my machines and I strongly encourage you to as well!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/11/make-firefox-more-secure-disable-java/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Changing Antivirus Programs, so long NOD32</title>
		<link>http://www.nicholasoverstreet.com/2009/08/changing-antivirus-programs-so-long-nod32/</link>
		<comments>http://www.nicholasoverstreet.com/2009/08/changing-antivirus-programs-so-long-nod32/#comments</comments>
		<pubDate>Thu, 06 Aug 2009 03:41:06 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=371</guid>
		<description><![CDATA[For the last couple years I have relied on NOD32 to protect my systems from the nastiness of malware, viruses, and all the like. For most of that time it was a good program.  It had its little hiccups along the way, but they always seemed to be resolved by Eset rather quickly. That was [...]]]></description>
			<content:encoded><![CDATA[<p>For the last couple years I have relied on NOD32 to protect my systems from the nastiness of malware, viruses, and all the like.</p>
<p>For most of that time it was a good program.  It had its little hiccups along the way, but they always seemed to be resolved by Eset rather quickly.</p>
<p>That was until Vista Service Pack 2 came along and changed everything.</p>
<p>Don&#8217;t get on me about user error as I did everything in my power to ENSURE no issues.  I uninstalled my old NOD32 (version 4), downloaded the LATEST version/build direct from Eset&#8217;s site, installed SP2, then installed the new NOD32 I downloaded.</p>
<p>This is when things started to fall apart.  Ever since then I was plagued with system lockups and hangs ESPECIALLY at the login screen or going in to or coming out of standby or hibernation.  This wasn&#8217;t just happening on 1 machine either.  Both my [aging] Desktop and my [new-ish, 1 year old now] laptop were having CONSTANT issues.  I initially didn&#8217;t pin it down to NOD32.  I thought I was having some other issues until I jumped on to the Eset forums and found hundreds upon hundreds of other people having issues with their Vista SP2 machines.</p>
<p>I uninstalled NOD32 from both of my machines and they both became rock-solid.  My desktop went from locking up every 2-3 days to being up for 2 weeks straight.  My laptop has been in and out of standby/hibernation at least 2 dozen times without a single problem.  I checked as recent as last week and Eset has still not issued any newer versions of NOD32 to rectify the issues I and many many many other NOD32 users were having.</p>
<p>After nearly a month running with nothing, I decided it was time to hunker down and find something.  I began my trek to find an antivirus solution that didn&#8217;t suck so much balls.   I spent many hours combing over all kinds of performance benchmarks, detection ratings testing, and overall features, and I have now installed my new protection system&#8230;</p>
<p><a rel="attachment wp-att-374" href="http://www.nicholasoverstreet.com/2009/08/changing-antivirus-programs-so-long-nod32/avira/"><img class="aligncenter size-full wp-image-374" title="avira" src="http://www.nicholasoverstreet.com/wp-content/uploads/2009/08/avira.jpg" alt="avira" width="418" height="416" /></a></p>
<p>Avira AntiVir&#8217;s detection rates were among the top rankings, oftentimes beating out NOD32&#8217;s detection rates&#8230; and get this&#8230; IT&#8217;S FREE!!!  Everyone loves free, right?</p>
<p>Does it play well with Vista SP2?  I have no idea as of right now.  Only time will be able to tell me that.</p>
<p>So far my initial impression is good.  It is definitely light weight.  It definitely has A LOT fewer options than something like NOD32.  It is very basic&#8230; but really complexity doesn&#8217;t always mean better.  It&#8217;s about the program&#8217;s ability to detect and protect.   I may not put it to that thorough a test in that regard as I am usually very careful about what I&#8217;m doing and am not your average user that would be more careless, but I still think that everyone should have SOMETHING.  You never know when you might accidentally hit a malicious web page or a site that has been hacked and infected and get hit with a Java-based worm or something.</p>
<p>I will write a follow up article about AntiVir after I&#8217;ve got some play-time in with it and see how it plays with my systems.</p>
<p>Until next time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/08/changing-antivirus-programs-so-long-nod32/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Clean up old files after installing Vista&#8217;s SP2</title>
		<link>http://www.nicholasoverstreet.com/2009/05/clean-up-old-files-after-installing-vistas-sp2/</link>
		<comments>http://www.nicholasoverstreet.com/2009/05/clean-up-old-files-after-installing-vistas-sp2/#comments</comments>
		<pubDate>Thu, 28 May 2009 21:37:21 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=308</guid>
		<description><![CDATA[Around a year ago I wrote about getting 800mb of space back after installing SP1, and I come to you today with a similar tip for SP2! This one is not as dramatic as 800mb, but I did gain back around 400mb of disk space. Just as with SP1, this works by removing backup files [...]]]></description>
			<content:encoded><![CDATA[<p>Around a year ago <a href="http://www.nicholasoverstreet.com/2008/07/have-vista-installed-sp1-want-800mb-disk-space-back/">I wrote about getting 800mb of space back after installing SP1</a>, and I come to you today with a similar tip for SP2!</p>
<p>This one is not as dramatic as 800mb, but I did gain back around 400mb of disk space.</p>
<p>Just as with SP1, this works by removing backup files made during the service pack install, making it permanent and impossible to remove.  Just keep that one fact in mind.</p>
<p>Just pop open your favorite command prompt, and issue <strong>compcln</strong></p>
<p>It will ask you to confirm, and then it&#8217;ll get to work.  After a couple minutes you&#8217;ll have your reclaimed space!  (And a permanent SP2 install!)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/05/clean-up-old-files-after-installing-vistas-sp2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Install IPCop from a USB Drive</title>
		<link>http://www.nicholasoverstreet.com/2009/05/install-ipcop-from-usb-drive/</link>
		<comments>http://www.nicholasoverstreet.com/2009/05/install-ipcop-from-usb-drive/#comments</comments>
		<pubDate>Fri, 01 May 2009 14:33:55 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=292</guid>
		<description><![CDATA[IPCop is a really neat open source project that can basically transform any old computer with 2 NICs in it into a hardware firewall, VPN server, and Web Filter, among many other useful things. We use it quite a lot where I work and we&#8217;re always looking for the smaller, better IPCop box. The [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://ipcop.org/" target="_blank">IPCop</a> is a really neat open source project that can basically transform any old computer with 2 NICs in it into a hardware firewall, VPN server, and Web Filter, among many other useful things.</p>
<p>We use it quite a lot where I work and we&#8217;re always looking for the smaller, better IPCop box.</p>
<p>The most recent version we went with was a 1U half-depth rack mount server from the guys over at <a href="http://www.abmx.com/" target="_blank">abmx.com</a>.  This unit was both cheap, and met our needs of a rack-mountable IPCop machine.</p>
<p>The slight downside to this machine was there was no CD-Rom drive in it as our past IPCop boxes have had.  In addition, there was no IDE port on the motherboard (only SATA), and we didn&#8217;t have a SATA CD-Rom drive hanging around the office, so I set out to figure out how to install IPCop from a USB drive.</p>
<p>After a ton of searching I came across some instructions, which I will post for you in case you ever want to do the same.</p>
<p><span id="more-292"></span>1) Download the &#8220;usb-fdd&#8221; from the <a href="http://sourceforge.net/project/showfiles.php?group_id=40604" target="_blank">IPCop Downloads page</a>.</p>
<p>2) Download a utility called <a href="http://www.chrysocome.net/dd" target="_blank">dd for windows</a>.  I am also providing a <a href="http://www.nicholasoverstreet.com/wp-content/uploads/2009/05/dd-05.zip">download link here</a> in case that page ever disappears, because dd for windows is vital to making this happen.</p>
<p>3) Extract the dd.exe file from the zip, extract the ipcop-[version]-install-usb-fdd.i386.img file from the .gz file you downloaded, and put them both in the same directory.</p>
<p><strong>4) Insert a USB drive.  Any files on this drive will be WIPED, so if there is anything you need on it, be sure to copy the files off it first!!!</strong></p>
<p>5) Open up a command window and CD to the directory where your dd.exe file and IPCop .img file are sitting.  Run this command:</p>
<blockquote><p>dd if=ipcop-install-usb-fdd-1.4.11.i386.img of=\\.\<strong>g:</strong> bs=1k</p>
</blockquote>
<p>In my example above my USB drive was <strong>g:</strong>. You will want to change that letter to whatever drive letter your USB drive has on your machine, of course.</p>
<p>6) That&#8217;s it!  It will take about 5 minutes to write the image to the USB drive.  When dd.exe is done it will return you to the command prompt.  You&#8217;re ready to stick the USB drive in your soon-to-be IPCop machine, boot off it, and install it!</p>
<p>One thing to note is that this utility reformats your USB drive to the size needed by the image (around 50mb). Optimally it&#8217;d be cool to have say a 64mb flash drive around that you could just leave as an IPCop install stick (well, that&#8217;d be nice for me since I do a lot of IPCop installs).  When you&#8217;re wanting to reclaim your flash drive for regular use, you&#8217;ll want to right click on it in Windows, and format it back to the appropriate size using FAT32.  Otherwise you will be like me with a 2gb flash drive partitioned to 50mb and wondering why your 800mb BackTrack 3 boot image won&#8217;t copy over to it! haha</p>
<p>Anyway, I hope someone finds this article useful.  If not, I know I will the next time I need to do an IPCop USB Install.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/05/install-ipcop-from-usb-drive/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Messing with Script Kiddies</title>
		<link>http://www.nicholasoverstreet.com/2009/01/messing-with-script-kiddies/</link>
		<comments>http://www.nicholasoverstreet.com/2009/01/messing-with-script-kiddies/#comments</comments>
		<pubDate>Fri, 16 Jan 2009 05:54:44 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Tricks, Tips, or Hacks]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=128</guid>
		<description><![CDATA[Starting the first week in January, I started noticing my personal server getting pounded with requests looking for roundcube or mantis installs on my system. After doing a bit of research at the Internet Storm Center I realized it was a new vulnerability in these programs and these script kiddies were just scanning servers for [...]]]></description>
			<content:encoded><![CDATA[<p>Starting the first week in January, I started noticing my personal server getting pounded with requests looking for roundcube or mantis installs on my system.  After doing a bit of research at the <a href="http://isc.sans.org/diary.html?storyid=5686" target="_blank">Internet Storm Center</a> I realized it was a new vulnerability in these programs and these script kiddies were just scanning servers for the existence of these specific directories.   In the last couple weeks I have been scanned at least 25 times&#8230; so I decided to have a little fun with the script kiddies.  Now instead of getting an error 404 page, they will get&#8230; well, here is the code.  I&#8217;m sure you&#8217;ll see where their scripted scanners will be getting sent to <img src='http://www.nicholasoverstreet.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<blockquote><p>Redirect /nonexistenshit http://www.fbi.gov/<br />
Redirect /mail http://www.fbi.gov/<br />
Redirect /bin http://www.fbi.gov/<br />
Redirect /rc http://www.fbi.gov/<br />
Redirect /roundcube http://www.fbi.gov/<br />
Redirect /webmail http://www.fbi.gov/<br />
Redirect /mantisbt http://www.fbi.gov/<br />
Redirect /tracker http://www.fbi.gov/<br />
Redirect /bugtracker http://www.fbi.gov/<br />
Redirect /bugtrack http://www.fbi.gov/<br />
Redirect /support http://www.fbi.gov/<br />
Redirect /bug http://www.fbi.gov/<br />
Redirect /bugs http://www.fbi.gov/<br />
Redirect /mantis http://www.fbi.gov/</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2009/01/messing-with-script-kiddies/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>iPhone 2.2 Jailbreakers, free up space from previous Jailbreaks!</title>
		<link>http://www.nicholasoverstreet.com/2008/11/iphone-22-jailbreakers-free-up-space-from-previous-jailbreaks/</link>
		<comments>http://www.nicholasoverstreet.com/2008/11/iphone-22-jailbreakers-free-up-space-from-previous-jailbreaks/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 05:12:17 +0000</pubDate>
		<dc:creator>Nick</dc:creator>
				<category><![CDATA[Tricks, Tips, or Hacks]]></category>
		<category><![CDATA[iPhone]]></category>

		<guid isPermaLink="false">http://www.nicholasoverstreet.com/?p=87</guid>
		<description><![CDATA[I noticed that after my upgrade and reinstalling my apps I was missing a huge chunk of my free space. I got to investigating and noticed that every folder in /private/var/stash was duplicated!  It appeared as though it still had my old folder from the first upgrade on there&#8230; as well as the newly made [...]]]></description>
			<content:encoded><![CDATA[<p>I noticed that after my upgrade and reinstalling my apps I was missing a huge chunk of my free space.<br />
I got to investigating and noticed that every folder in /private/var/stash was duplicated!  It appeared as though it still had my old folder from the first upgrade on there&#8230; as well as the newly made folders.<br />
Some quick googling turned up this nugget of information:</p>
<blockquote><p>I believe BigBoss is referring mostly to the extra directories under /private/var/stash. Each time Cydia runs “for the first time”, it moves and symlinks some directories there to ensure that the root partition doesn’t run out of space. If that was over your head, stop reading, and follow his instructions above.</p>
<p>Still with me? Okay, so first off it’s these directories that are showing as “Other” in iTunes. That’s fine, and it’s totally normal for there to be a decent amount of space showing that way.</p>
<p>The problem comes when Cydia runs again on the “Upgraded” device, and goes and creates all these directories over again, resulting in double the space consumed (though I personally didn’t see quite as much as 500mb).</p>
<p>If you are comfortable poking around *nix, the cleanup you asked about is generally straightforward. Just stroll over to /private/var/stash, do an ls -al and delete the older of any duplicate directories (Applications.23981, Applications.sidufh, etc.). If they have the same date, you’ll need to find for the symlink and see which one’s current.</p>
<p>As always, backup first, and if you brick your device, go back and follow BigBoss’ instructions above. <img src='http://www.nicholasoverstreet.com/wp-includes/images/smilies/icon_razz.gif' alt=':-P' class='wp-smiley' /> </p></blockquote>
<p>So I deleted the old duplicate folders that didn&#8217;t need to be there any more and got back <strong>over 800mb</strong> of free space!!</p>
<p>I&#8217;ve some screen shots so you get what I&#8217;m talking about&#8230;</p>
<p><span id="more-87"></span></p>
<p>Duplicate folders, wtf?<br />
<img src="http://www.gldrush98.com/uploads/iphonespace1.jpg" alt="" /></p>
<p>Only 183mb free&#8230; That is weird because I had around 900mb free before I upgraded to 2.2<br />
<img src="http://www.gldrush98.com/uploads/iphonespace2.jpg" alt="" /></p>
<p>What&#8217;s this?!  Notice that each folder has an older dated twin&#8230; these are the ones that can be safely removed&#8230; the ones with the OLDER dates on them, NOT the newer ones!!!<br />
<img src="http://www.gldrush98.com/uploads/iphonespace3.jpg" alt="" /></p>
<p>To get them removed all the way I actually did need to ssh in to the phone, cd to /private/var/stash/<br />
And do a <strong>rm -rf foldername.random/</strong> on the folder to remove it entirely.</p>
<p>But once I did, it was all cleaned up<br />
<img src="http://www.gldrush98.com/uploads/iphonespace4.jpg" alt="" /></p>
<p>And my missing free space has been returned to me!<br />
<img src="http://www.gldrush98.com/uploads/iphonespace5.jpg" alt="" /></p>
<p>Just thought I&#8217;d give some of you other guys (and gals?) a heads up.  You might be missing some free space on your iPhone&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.nicholasoverstreet.com/2008/11/iphone-22-jailbreakers-free-up-space-from-previous-jailbreaks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
