Thursday, July 22, 2004

Neostream magic

Check out Neostream Interactive's latest Flash extravaganza!! These guys are creative geniuses! Extremely stylish artists. It's a largish download so you will have to wait a bit - but its worth it.

They have released a lighter wire-frame version of their . In case you missed out on the whack fun in the main flash page, go back and try it.

Thursday, July 15, 2004

Virus Hunting

I recently spent several hours ridding a computer of a virus which had managed to avoid virus scanners. The experience was interesting and quite exhilarating. I am sharing my learnings with the hope that you might find it worth your while and might have some of your own to share. If you find it useful, let me know :-).

The Infected

It was a Windows computer (of course ;-)), the Windows 98 kind and it belonged to someone who had a lot of confidential data - financial and otherwise - on his computer. I suspect he accessed a site which ran some malicious code which downloaded the virus and installed it. AVG was the installed virus scanner, and believe me although its a good piece of software and manages to prevent most viruses, it failed in this case. His machine began freezing up and he could no longer access Yahoo! or Google or other sites.

The Hunt

Hosts

check the hosts file, you say? and you would be right.



It had several entries covering all the popular search engines, mail sites, and other popular web-sites. Interestingly, this virus made a backup of the original hosts file and called hosts.sam in the same directory [talk about being nice]. Well, that explained why he was complaining about not being able to connect to Yahoo!.
Trying to overwrite, modify or do anything to the hosts file resulted in it being rewritten almost instantly. Until then, I had no idea how frustrating it can be to not have access to any of the web's search engines. Does anyone know how to make Windows not use the hosts file?
Ok, so obviously there is a malicious program resident in memory that is monitoring changes to this file. So the next step is to prevent this program from executing.

Cleaning up the registry


Perhaps the most common mechanism to hijack a Windows machine is to install the virus in one of the Run registry keys. So the next step was to remove everything unrecognizable from the following keys -
  1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  3. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Use your judgement when you do this and keep a copy of the original settings because most of the stuff there is legitimate. Since I didn't have access to Google I could not get SysInternal's extremely useful software Autoruns. It provides a list of all programs that run when your OS starts up. Extremely useful! If you run it, you'll see that there are a lot many more registry keys to be concerned about than the three I was aware of.

Relapse



Back to the story :-). There was a suspicious entry for Explorer.exe and when that was removed, the hosts file could be restored. Internet access was available again. So, gullible me, restored the registry to its older setup minus the malicious Explorer entry. Everything seemed ok for a while and then again the legitimate explorer started to freeze and took the OS with it.

File Times


I have had considerable success with locating malicious programs by doing a search for all files that were modified/created recently in the WINNT directory. A careful analysis of this output seemed to indicate various programs created on the day of the attack and all of the same size. All the programs had very legitimate sounding names like dialer32.exe, system32.dll, wintime.exe, etc. There were about 5 such files that I could locate with the same size and creation date. Comparing with another computer that he had which ran the same OS, these files were not part of the Windows installation. Another way of finding out if a program is legitimate is to simply type its name in Google. You will have links to sites that list all well-known programs or suspected viruses and will be able to provide detailed information on your queried file.
After I deleted all these files, the computer was restored to its original healthy state. I hadn't expected multiple entries in the registry. However, I do suspect that there were perhaps two different viruses because this one didn't seem to touch the hosts file.

Psychological Stuff


I recently had to clean my own computer of a nasty little virus that kept trying to download itself and execute although AVG wouldn't let it. For me, since I am just a lowly programmer with nothing of any value other than code on my computer, it was nothing more than an irritant. However, for someone who uses his computer for his business and stores all his personal data, financial statements it was such a gross violation of his personal space - it was as if, his house had been broken into.

Wednesday, July 14, 2004

Googlemania

My interest in Google continues.

Zeitgeist


Google has a wonderful site called Zeitgeist that collects interesting patterns of data based on the queries they get from around the world. Since Google is no longer something only the "geeks" use, there's more credibility to the diversity of data. Depending on what you like to believe, it shows up some surprising and some not so surprising data!

Take, for example, that 87% of the operating systems hitting Google are Windows and that MSIE still rules inspite of my ardent wish that we all used Mozilla Firefox which really is a brilliant browser.

Zeitgeist can probably do better though. Perhaps, top 10 hits for queries on technology - anyone has any better ideas??!!

Labs@Google


Google has even more interesting stuff. To get a sneak preview of their technologies that might appear in the future try labs.google.com. For example, the key board shortcuts technology they have in gmail was first previewed at the labs. While you are at it give Google Sets a try. If you were wondering how they do all this then try this.

HTTP Headers


If you stop to think about it for a second, its an amazing location to do an automatic survey. And it all happens because of something called HTTP Headers.
As the initiated amongst you have already guessed that the rest of this blog is going to be about me bragging about how much I know about HTTP headers you can give this a clean miss!

When you instruct your browser to go to a particular web resource, it asks the server at that location for the resource. As a part of the communication [which is not visible to the user], every browser sends information about itself, the operating system it is running on and which site it came from. It also returns a small piece of information called a cookie which is stored on your computer. This is a substantial amount of information and with 200 million hits a day, a wealth of information about usage. This information is sent through HTTP headers.

Here's an example of the HTTP headers sent by the browser [Mozilla Firebird] told to access Google's home page. Similar headers will be sent by other browsers like Internet Explorer.

GET /search?q=geek&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8 HTTP/1.1
Host: www.google.com

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Accept: text/xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,
image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

Cookie: en_IN; PREF=ID=52eef62d74670ae2:
FF=4:LD=en:NR=10:CR=1:TM=1048623851:
LM=1069183668:S=c2RqGKqGOQXoZV8g


Note the parts marked bold. They specify the client (browser) you used to access Google and the Operating System you are running. The second line that is in bold is a piece of information that Google has put on your computer to identify you the next time you access Google. [this example does not have a referer header]

By the way, in case you are interested there are some interesting sites that discuss privacy issues regarding Google. Whether you would like to believe them or not is upto you :-)!!