Battle Ground Computers

Anti-Virus Programs Don't Work

2008-05-27T15:27:00.000-07:00

For years, computer users have been led to believe that an AV program (Norton, McAfee, etc.) on their computer will protect from hackers. If that were true, I wouldn't have a job.

Ample research (www.battlegroundcomputers.com/resources.html) has proven that hackers have figured out how to infect your computer even with an AV program on it. How?

Well, first, you have to understand the business model that AV programs work on. I call it prescriptive defense because the AV program is trying to find something AFTER it's in your computer. By then, it's too late.

The assumption is that the AV program will examine your computer for files that it can recognize by the file signatures. (When you update your AV program, you're downloading the latest virus signatures that the AV program will use to identify virus files on your computer).

The problem with this model is that the AV companies first have to discover the virus in the "wild", then create the signature, then distribute it to your computer via automatic updates. At best, this process can take 3-5 days leaving you open to infection until you have the updated signatures. Coupled with an aggressive spam/IM campaign, hackers can deliver a virus to you long before the AV even knows about it.

Hackers modify their payloads more frequently to stay ahead of the AV detection signatures. They can instruct the virus to morph itself before spreading thereby becoming invisible to even the best AV program.

But this is only the beginning....

Instead of relying on a viral file to hack your computer, hackers are now using web sites to infect your computer through the browser (IE, Opera, Firefox, MSN, AOL, NetZero, PeoplePC, etc.).

When you connect to a web site, the browser executes the code used to create the web site - notably HTML. But HTML is limited in what it can do - it is primarily a display language and therefore cannot create attractive menus or other functionality. So, the HTML code is designed to execute scripts that are tasked to do the real work of web functionality. This is most often javascript and the browser executes all scripts on the web site WITHOUT USER INTERVENTION OR KNOWLEDGE OF THE SCRIPT.

Hackers are now hacking web sites and injecting their own links to javascripts that infect your computer. By hacking the database that generates web site HTML code (you knew that hosting companies use a database to store your web site files, right?), hackers can create thousands of viral web sites - many of them known good, safe web sites.

Because scripts are executed by the browser in the context of the user, they have all the power of the user including modifying the Windows registry, modifying the NTFS file attributes/permissions (making files invisible and/or undeletable), disabling the AV and creating new user accounts.

But users still adhere to the notion that they're protected because they have an AV program. The AV companies tout their effectiveness and so create an attitude of complacency in the users. This complacency is the door through which the hackers gain access to the computer.

The only effective defense against hackers is preventive - blocking scripts BEFORE they can execute in your browser.

Use Firefox with the NoScript plugin to protect your computer.

Beware of any computer repair shop that claims they can remove viruses from your computer by using an AV program.

If the virus has modified your registry to do some task, the AV program has no way of knowing that - there is no signature to compare to.

Is your off-the-shelf computer secure?

2007-12-05T13:43:00.000-08:00

NO. Why? Read on…

Pre-installed software (bloatware) comes in many different categories – anti-virus, photo editing, web surfing, document creation, games, etc. – and is installed in virtually ALL brand-name computers.

So, imagine you’re a hacker and you want the best return for the least amount of effort. What are you gonna hack first? The anti-virus and the default web browser, of course.

This year, over 200 million PCs were shipped. All had Microsoft Internet Explorer and most had either Norton or McAfee antivirus software pre-installed.

The computer manufacturers used to make a big deal about how buyers have the latest security technology, blah, blah…..all designed to separate you from your money and alleviate your concerns about viruses and hackers. (Lately, they’ve tuned down that message).

Now, Mr. Lazy Hacker knows he has two obstacles to overcome to gain access to your computer. Using an ActiveX control built into IE (or a Windows vulnerability), hackers can gain access to the operating system. From there it’s a small step to disabling the antivirus software.

Since 2002, I’ve seen the pre-installed antivirus software disabled. Oh, it’s still there and it updates regularly, prompts for renewal of the license, scans dutifully and reports that all is well. But the computer is running very slow, lots of pop-ups, etc.

Upon examination of the quarantine logs (where the antivirus software puts the infected files it finds), we find that the most recent date/activity is more than a year ago. Obviously the antivirus software hasn’t met a file it didn’t like in over a year.

Likely? Perhaps. Probable? NOT!!!!

Software publishers pay computer manufacturers to install their software thereby subsidizing the cost of the computer. You do get what you pay for – and in this case, you’ve sacrificed your computer security which could cost you more to repair than you saved.

Secure off the shelf? HARDLY!

Visit http://www.battlegroundcomputers.com/resources.html for links to several malware research sites.

Bad programming and the virus lanscape

2007-09-17T17:36:00.001-07:00

Years ago I was a programmer - long before object-oriented programming became the norm. These were the days when the programmer had to ensure that the user did not press any keys or input any strings that the program would choke on. It was called "bounds checking" - min/max characters, only ascii characters, that sort of thing.

For you click n' pray programmers, bounds checking meant that I had to limit what the user could type - characters, length, etc. And then, when they hit the key, my program had to make sure that the string was correctly formatted (sanitized, if you will) before the string was sent to my program functions.

Today we see more and more viruses exploiting vulnerabilities through the lack of bounds checking. From Symantec on the recently discovered vulnerability in the MS Agent....

Microsoft Agent (agentsvr.exe) is prone to a stack-based buffer-overflow vulnerability because the application fails to adequately bounds-check user-supplied data.

When did programmers quit checking users input...and why?

So now, every vulnerability researcher and hacker gets a list of program objects, functions or input routines and starts throwing large strings at it to see if it pukes. Oh, and what if we sent it some strings or any of the HTML representations of strings.

Do we blame the programmers for this gaping hole in the security of our systems? Or do we blame MS and other application development companies that convinced us that object-oriented programming was going to save the planet and our jobs? And who decided that a user's input doesn't need to be checked/sanitized?

P.S. - Here's another one.....
Microsoft MSN Messenger is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. From Symantec

New laptop won't run XP

2007-09-17T12:02:00.000-07:00

Customer brought in a Toshiba Satellite with Vista on it. Very upset that his new laptop was having trouble he didn't have time to deal with. Asked us to remove Vista and install XP. Fine, we can do that. But........

THERE ARE NO XP DRIVERS FOR THE COMPUTER!!!

I downloaded the XP drivers from nVidia for the GeForce 7900GS. Install says no supported hardware. Go to Toshiba web site, download Vista drivers for the GeForce card, install says I have an unsupported O/S.

Right now I'm waiting on hold (have been now for > 30min) trying to talk with second level Toshiba tech. Now, one hour on hold - I hung up.

Have we reached the point where the MS monopoly can now dictate, via hardware, what version of their OS we can use? Am I the only one that thinks this is unacceptable?

Apparently, with the complexity of today's O/S's, manufacturers have to choose which O/S they're going to develop drivers for. Is this a product of the cost of developing drivers for multiple O/S or is it the MS monopoly dictating which O/S we can use on the hardware we buy?

Personally, I think MS learned their lessons from 98/2K/XP (no money in keeping old PCs running). So when MS decided MS needed a new O/S to fulfill promises to stockholders, they made sure we would not be able to extend the life of old computers. To do so, they had to

1 - completely rewrite the O/S so that no other drivers would work
2 - make sure that old hardware was gone (have you tried to find a Pentium 4, socket478 motherboard lately?)
3 - make sure that manufacturers don't develop XP drivers for their "Vista Ready" computers.

I've been working on/with computers since 1984. I remember when I could choose my O/S - different flavors of DOS (Dr. Dos, SeattleDos, etc.). But MS took care of that and bought up all the competitors (what kind of monopoly would they be if they let competitors exist?).

Whenever new hardware came out, manufacturers had to provide the drivers needed for operation in the different O/S environments. Manufacturers knew that even older machines would benefit from updated drivers thereby keeping customers happy.

Then we started seeing more and more integration of the add-on components (NIC, video, sound, USB, etc.) throwing the driver development onto the chipset manufacturers (Via, SiS, Intel, et al). Good for me cause it makes resolving drivers issues much simpler.

But it seems that this has also allowed the MS monopoly to take hold and gain control of the manufacturers driver development.

So when Toshiba (or any other PC manufacturer) says "XP will not run on this machine", who's to blame for that? Has the component manufacturer really said that they're happy to throw out all their XP development and write only Vista code for the component? Or has MS threatened the PC manufacturers O/S margins?

Whatever the reason, customers are being screwed, AGAIN, by a company that has put stockholder profits ahead of customer satisfaction.

Why would a manufacturer close the door to those customers that want their computer but not the O/S MS says you'll use?

You Get What You Pay For

2007-08-01T18:25:00.000-07:00

Computers have become an integral part of our lives on par with the dishwasher, washer/dryer and car. Yet most people think that a cheap computer is as good as a more expensive one. Do you still buy the cheapest appliances?

When an appliance breaks down it’s really inconvenient; but that’s usually all it is. You can go to a Laundromat or do dishes by hand. When the car breaks down you have to find other means of transportation and it is a major inconvenience.

But when a computer breaks down it’s more than just inconvenient. That machine contains information that is irreplaceable and, often times, the source of income. That is way more than inconvenient.

Then why would you purchase a computer based on just the price?

So, just what makes up a cheap computer and how can the manufacturer sell it so cheap?

PHYSICAL COMPONENTS:

Reducing manufacturing costs usually involves reducing the number of parts or features built into the motherboard. Things like floppy drives, serial/parallel ports, memory slots, expansion slots and even video slots. They also use older technologies that are available at liquidation prices – especially when bought in bulk.

But they also reduce cost by using a BIOS* that is just enough to get the computer to boot up. This saves money on licensing costs because the PC manufacturer doesn’t write the BIOS program, they license it from those who do. Smaller BIOS = less cost.

(*BIOS = Basic Input Output System: the instructions built into the computer non-volatile memory that tell it how to get started – what devices it has and how to use them).

SOFTWARE (operating system):

Every computer has to have an operating system, usually some version of Microsoft Windows (though there are others). In exchange for huge discounts on the purchase of MS products, manufacturers are contractually obligate to NOT sell a computer without a MS operating system. Try it. Ask to buy just the hardware. Some of you may remember when you could choose your operating system. Microsoft has made it their business to make sure you have as few choices as possible (can you say “monopoly”?).

SOFTWARE (programs):

Every software manufacturer wants their programs in has many computers as possible. They either have to convince the consumer to buy the program or have it pre-installed on the computer you purchase. It is obviously cheaper to have the program pre-installed. The software manufacturers pay computer manufacturers to pre-install their software thereby subsidizing the cost of the computer. Then the computer manufacturer convinces the buyer that they are providing all these wonderful “enhancements” and “add-ons” to your purchase to make you feel like your really getting a good deal.

Have you ever noticed how most of these pre-installed programs are either trial versions with an expiration or a dumbed-down version of the real program. If you want to continue using the program or do something with it, you have to buy it. Every notice that most of these programs you either don’t use or don’t want.

So what is the price of all the “bloatware” on the computer? Well, first it takes up space on your hard drive that you could be using for your files. It often loads itself at startup taking up processing cycles and using the precious little RAM memory your budget computer came with.

INTERNET

As broadband internet has become more widespread, computer and software manufacturers have learned that an “always on” internet connection is their best friend. They know that you won’t care or notice the little tidbits of information the bloatware is sending back home about their preinstalled program. Things like how many computers are running their software and other information about your computer. The information they get is never anything personal, it’s more statistical information they can use in the marketing.

Computer manufacturers are now installing adware on their computers - possibly inadvertantly. Software designed to receive advertisements via the internet on your computer. Why? Because the advertising companies have paid the manufacture to pre-install their software so both parties can make money with your computer connected to the internet.

The internet advertising phenomenon has made a broadband connected PC a virtual cash cow. Google Adsense, affiliate marketing, toolbars (and more) has made it possible to get paid for causing a PC user view an ad. If the user clicks on one of those ads, you get paid even more. These are the fortunes that allow hackers to thrive unabated.

ENTICEMENTS:

Don’t you love the bundled deals? Computer, speakers, LCD monitor printer, etc for $499. How do they do that? Well, everyone of the components is the cheapest they can make it. When the printer stops working, don’t bother getting it repaired – it’s not worth it. More landfill.

And you trust your children’s baby picture, wedding photos, vacation memories and business records to these machines. Please learn to backup your important files.

So, what’s the best computer to buy?

THE ONE YOU CAN GET YOUR HANDS ON THE GUY THAT BUILT IT

Tom’s Maxim:

Every computer is a good computer as long as it does what you expect it to.
Every computer will break.
You don’t know what you bought until it breaks

Without personal accountability for this increasingly important device, you’re at the mercy of large impersonal corporations who are fiscally bound to produce the greatest profit for their stockholders. Cheap parts, cheap support, etc. I live here and have to be accountable to my customers and the community I live in.

I have been building/repairing computer at BGC for six years now and can honestly say I rarely have to repair my computers. Today I have customers trading in the still working computers I built for them six years ago. Why?

Because when I opened BGC, I decided that I would not compete on the price of the hardware. I build the best computers I can with the best parts I can buy and I stand behind what I build. My basic box with all the latest components and 3-year manufacturer warranty is about $800.

My focus is on the computer itself. Quality computers will last. Sure I can sell monitors and printers but those are add-ons and you should be able to pick the one you like at a good price. I often build complete systems for customers - keyboard/mouse, speakers, monitors, printers, etc. But, if you want to shop for price, shop for the peripherals - go to the electronic department stores for your

But spend the money to buy a good quality computer just like you do your appliances and cars. You can pay me now or pay me later. Either way, you’re going to end up paying the same amount for the computer – you just have to decide if you want to pay it up front or later after it’s full of your pictures and files and you don’t know if the computer crash took your files with it.

RPC Server Unavailable when installing printer

2007-07-11T23:33:00.000-07:00

Trying to install a new printer and getting, "Printer Installation Failed: RPC Server Unavailable"? Or are you simply trying to print document but happen to run into an error along the lines of: "Print Spooler Service Is Not Running"

Well, the first thing you need to know is that it is most likely that the problem you are having is within your operating system itself. As always, if you are having major printer problems, try uninstalling and reinstalling your printer's drivers and/or visit the printer manufacturer's website and download and install the latest drivers for your device. If this does not fix your printing issues, the problem does most likely lie within the operating system itself. (Unless of course, your printer itself is broken).

What we have been seeing here at BG Computers, is that customers with these specific "Printer Spooler Service" or "RPC Server Unavailable" errors happen to have, or have had, a Lexmark printer.

What Is RPC and How Does it Work?

Secondly, here is a quick definition of what a Windows Service, like the Print Spooler Service, basically is: (Taken from Wikipedia.org Link)
A Windows service is an application that starts when the Microsoft Windows operating system is booted and runs in the background as long as Windows is running.
So the Print Spooler Service itself basically is a Windows service that starts when your computer starts, and is constantly running in the background of your operating system to load files to memory for printing.

Now what does all of this have to do with Lexmark printers?
Well when we have heard of these errors and have actually seen these errors, we have found that there is a service installed in the computer from Lexmark called the "LexBce Server".
The LexBce Server Service is installed by the Lexmark printer's software to configure the onboard network print server. Because the LexBce Server Service installs itself so the Windows Print Spooler Service becomes dependent upon it. Disabling the LexBce Server Service will make it so that the Print Spooler Service can no longer startup, which then disables printing on your computer. Also, without the Print Spooler running, an installation of a printer is not going to be possible and you are going to most likely get the "RPC" error. the LexBce Server Service can also come pre-installed on some Dell computers that are packaged with "Dell" printers made by Lexmark.

The LexBce.dll, a file related with the LexBce Server, is also related to the software "MarkVision for Windows" also a product of Lexmark.

So, do all Lexmark printers install this service? We don't know. What we do know is that if you are using a Lexmark printer or have had a Lexmark printer, you could have the LexBce Server Service installed on your computer. Same scenario for previous owners of Lexmark printers. The un-installation of Lexmark printer drivers/software might have left this service behind. The bottom line is that if LexBce Server Service was, or is, on your computer and happened to fail, become disabled, or become infected; you could be facing the "Printer Installation Failed: RPC Server Unavailable" or "Print Spooler Service Is Not Running" errors.

Repair my computer or buy a new one

2007-06-18T22:49:00.000-07:00

I can't tell you how many times I've been asked that question so here are some of my responses.

1 - Buy a new one - your computer is too old to justify putting $$ into it to rid it of viruses. Trust me, if a computer is not worth fixing, I'll tell you. I don't want to work on an old machine (probably with Win98/ME) that's slow and will take me twice as long to finish.

2 - The (once) new computer you have is what got you here now. Without understanding what led to your computer being infected (adware/bloatware/trialware, etc.), you're destined to be back in 3-6 months anyway. So, pay me now or pay me later.

3 - Viruses don't care what you paid for your computer. It's running Windows and that's all a hacker cares about. The knowledge and expertise needed to repair your computer is knowledge of Windows. Windows is just as complex on a cheap computer as on an expensive one and the effort required to repair an infection has nothing to do with the cost of the computer.

4 - When I'm done with your computer, it will be in better shape than when you got it. In fact, if you'd had me work on it when you got it, you might not be here now. See the blog about bloatware......

Resources

2007-06-18T22:25:00.000-07:00

These are some of the web sites we use in our research....

http://research.sunbelt-software.com/ - Browse through the threat listing (sorted by category) to get some idea of the size of the effort trying to gain control of your computer. Also, from their home page, purchase/download their program CounterSpy - today it's one of the best "malware" cleanup tools available.

http://sunbeltblog.blogspot.com/- Sunbelt's researchers also blog their latest findings as well as other tips and info. Good read.

http://darkreading.com - Heavy reading for those interested in the IT security angle - enterprise/corporate stuff but also some good blogs from security researchers.

http://benedelman.org - Ben's site is a must read for anyone interested in the dark underbelly of internet advertising and how it drives the adware/spyware business.

Welcome the the BGC blog

2007-06-18T22:17:00.000-07:00

If you've made it to here, it's probably because you're one of our customers and want to catch up on some of the latest news around the tech bench.
We've started this blog as a place to record some of our observations, discoveries and announcements regarding malware and hacker's efforts to use your computer.
We're not going to edit too carefully because we spend a lot of time working on computers and blogging is a very secondary job for us. We just want to record our information and let the user sort out the grammar/spelling/etc.
So, as of this writing Jon-Eric and myself (Tom Cross) are the two techs working the bench. Jon has been getting more and more involved in the diagnosis and discovery of various viruses lately. Notably, virtumondo - it's a nasty one!
Jon will be posting about his findings in the computer itself and I'll be posting about the trends, resources and anything else that our customers should be aware of.
So, thanks for visiting.

Tom