WMF Exploit

There’s a nasty exploit going around involving WMF (Windows Metafile) image files. Windows XP SP2 is not protected by any of the updates now available. Check out this video showing the exploit in action: it infects your computer with spyware, then prompts you to buy Winhound for $39.99 to clean it off! F-Secure’s blog describes this little demon. Be careful out there.

-Soli Deo Gloria

Disabling Sound During Sysprep

In a business environment you usually do not want users to be able to play sound on a computer. The latest Dell GX280, GX620 and GX520 models, however, drive the internal chassis speaker from the onboard sound chip as if it were a regular speaker, so even a desktop with no speakers attached can make noise. I actually remember doing this in Windows 3.1 with a special driver. The only problem was that when Windows 3.1 played a sound nothing else would happen: if I was playing a game, Windows 3.1 would literally stop everything, play the sound and then resume operation of the computer.

Now, it’s easy enough to go into Device Manager and disable the sound card after ghosting an image down to a machine. Wouldn’t it be better if we could script it? Well, we can! Microsoft has a nifty utility called devcon that drives Device Manager from the command line.

Every device in a computer has a hardware ID; for PCI devices it is built from hexadecimal vendor (VEN), device (DEV), subsystem (SUBSYS) and revision (REV) numbers. Download devcon and then issue “devcon find *”. This returns every device in the system with its corresponding ID and description. Issuing this on a Dell GX620 and scrolling through the list, we find this:

PCI\VEN_8086&DEV_27DE&SUBSYS_01AD1028&REV_01: SoundMAX Integrated Digital Audio

Here’s the part we need, the vendor and device portion (the SUBSYS and REV parts are specific to one board revision, and devcon matches the shorter form against the device’s hardware and compatible IDs; append a * to make it an explicit wildcard if your build of devcon insists on a full match):

PCI\VEN_8086&DEV_27DE

Now we can type the following: devcon disable "PCI\VEN_8086&DEV_27DE". Voilà, the sound card is disabled! Put this command in the [GuiRunOnce] section of sysprep.inf (as a Command0= entry, with devcon.exe copied to a known path on the image, since GuiRunOnce runs it at first logon after the image is laid down). Repeat this for every model of computer you have (the statement for the GX280 looks like this: devcon disable "PCI\VEN_8086&DEV_266E").

Wait… what about laptops? We give laptops to traveling users and it’s OK for them to have sound. The problem with the above statement is that the Dell Latitude D610 and Dell Optiplex GX280 share the same sound chipset, so it disables the sound on both models. How can we get around this? With a little trick from my sysprep page:

@echo off
rem Inventory the PCI bus with Craig Hart's PCI32 and look for a CardBus
rem bridge, which only the laptops have.
C:\install\temp\pci32 > C:\install\temp\dev.txt
C:\windows\system32\find /i "cardbus" C:\install\temp\dev.txt >NUL
rem find sets errorlevel 0 when the string is found, 1 when it is not,
rem and 2 when it could not read dev.txt; bail out on 2 so a missing
rem inventory is never mistaken for "no CardBus, must be a desktop".
if errorlevel 2 goto done
if errorlevel 1 call "C:\install\temp\sound.cmd"
if not errorlevel 1 echo Not a workstation, do nothing
:done

Here’s what this does: it runs PCI32 from Craig Hart to inventory the PCI bus and dumps the results into a file called dev.txt, then looks for the text “cardbus” in that file (the /i makes the search case-insensitive). A CardBus bridge is only found in laptops. find sets errorlevel 0 when the string is found and 1 when it is not (2 means find could not read dev.txt at all, and a plain “if errorlevel 1” treats that the same as “no CardBus”, so make sure PCI32 actually wrote the file). Based on this result we can tell whether we are imaging a laptop or a desktop: if it’s a laptop, the command that disables the sound never executes. Note that the test keys on the presence of a CardBus bridge rather than on the model, so a desktop with an add-in CardBus adapter would keep its sound.
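The same two steps, matching the audio controller on the VEN/DEV prefix taken from “devcon find *” and skipping laptops, rewritten as an added PowerShell example for a newer image. This is not the post’s script and not devcon’s own code: it uses the PnpDevice cmdlets (Windows 8 / PowerShell 4 and later) in place of devcon, and asks the SMBIOS chassis type instead of grepping a PCI32 dump for CardBus, since current laptops have no CardBus slot. The two hardware IDs come from the post, the chassis-type values from the DMTF SMBIOS table; everything else (running it from unattend.xml, matching present devices only) is an assumption.

```powershell
# Added example, not the post's own script: desktop-only audio disable for a
# modern image using the PnpDevice cmdlets (Windows 8 / PowerShell 4 and later)
# in place of devcon, and the SMBIOS chassis type in place of the CardBus grep.
# Run elevated, e.g. from a FirstLogonCommands entry in unattend.xml.

# VEN/DEV prefixes taken from the post's "devcon find *" output; extend per model.
$AudioHardwareIds = @(
    'PCI\VEN_8086&DEV_27DE',   # SoundMAX Integrated Digital Audio, Dell GX620
    'PCI\VEN_8086&DEV_266E'    # Dell GX280 (shared with the Latitude D610)
)

# Win32_SystemEnclosure.ChassisTypes values that mean "portable" in the DMTF
# SMBIOS table: Portable, Laptop, Notebook, Hand Held, Sub Notebook,
# Tablet, Convertible, Detachable.
$PortableChassisTypes = @(8, 9, 10, 11, 14, 30, 31, 32)

function Test-IsPortable {
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    foreach ($t in $types) {
        if ($PortableChassisTypes -contains [int]$t) { return $true }
    }
    return $false
}

function Get-OnboardAudioDevice {
    param([string[]]$Prefixes = $AudioHardwareIds)
    # Match on the VEN/DEV prefix only, like the devcon command, so the
    # SUBSYS/REV variants of the same chip on other boards are caught too.
    Get-PnpDevice -PresentOnly | Where-Object {
        $ids = $_.HardwareID
        if (-not $ids) { return $false }
        foreach ($prefix in $Prefixes) {
            foreach ($id in $ids) {
                if ($id -like "$prefix*") { return $true }
            }
        }
        return $false
    }
}

function Disable-OnboardAudio {
    if (Test-IsPortable) {
        Write-Output 'Portable chassis detected; leaving audio enabled.'
        return
    }
    foreach ($dev in Get-OnboardAudioDevice) {
        Write-Output "Disabling $($dev.FriendlyName) [$($dev.InstanceId)]"
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
    }
}

Disable-OnboardAudio
```

Disable-PnpDevice needs an elevated session, and like devcon it leaves the device disabled across reboots; Enable-PnpDevice with the same instance ID undoes it. Deciding by chassis type instead of by model has the same property as the CardBus trick: a desktop is anything that does not report a portable chassis, so check a sample of each model’s ChassisTypes value before trusting it fleet-wide.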

-Soli Deo Gloria

Antivirus Nightmares

I’ve used various antivirus programs over the years and want to share my thoughts on some of them. Just recently I was running Symantec Antivirus 10 Corporate Edition. This is a no-frills antivirus program that doesn’t have any of the bloat of the retail version. A few weeks ago I came home and SAV informed me of a hacktool named SVKP.SYS in my Windows directory. I was quite alarmed, wondering how on earth I would have gotten a hacktool. I then went to play one of my favorite games, Command and Conquer Renegade, only to find it did not work. Why didn’t it work? Well, it was because SAV had removed SVKP.SYS! See, I also run an addon to Renegade called Renguard. This addon ensures that I am not cheating by using various techniques. In order to prevent debugging tools such as Regmon and Filemon from disassembling and circumventing the program, it uses this tool kit to prevent Renguard from running if it detects these tools.

This is the problem with SAV. Whenever it finds a file that could be used with a virus its immediate action is to delete the file. Instead of this dumb action, how about letting the user decide what to do with the file? In the above case I would have done some research before blindly letting SAV delete any file it wishes. In addition to doing this, SAV seems to take a ridiculous amount of RAM: 28 MB! 28 MB for what?

I then decided to try out McAfee 8.0i. Unfortunately, it has the same problem as SAV: removing files that are not viruses but valid security tools. McAfee also took around the same memory (27 MB). I removed it at once as well.

I then tried NOD32. Again, it would find files that were not viruses, which is really annoying, but at least NOD32 gave me the choice of what to do with the files. Now that’s an anti-virus program I like to see! In addition, NOD32 only took up 18 MB vs. 28 MB for SAV and McAfee. In addition to its small footprint, NOD32 also updates virus definitions DAILY. That means if a virus should break out you are much better protected than with McAfee or SAV.

NOD32 is available for download for a 30 day trial.

-Soli Deo Gloria

Sony Caves In

After a boatload of bad press, lawsuits and warnings from the government, Sony decided to recall music CDs using its secret rootkit technology to enforce intellectual property rights. I have very strong feelings about copy protection which you can read here. This is the PDF version of a report I wrote for a class back in college. I think we may get to a point where media is plagued with so many protection systems that people will stop buying them. How much money did Sony save itself with this copy protection scheme? It has to recall all of these CDs, re-compile them, re-press them and re-release them.

Sadly, this is nothing new. Back in the good old days manufacturers intentionally put bad sectors on floppy disks so people couldn’t make backup copies of them. The problem with this approach is that floppy disks are inherently susceptible to corruption and not being able to make a backup copy seriously inhibits the user from using the software. Eventually, the manufacturers removed the copy protection due to decreasing sales.

With all of these copy protection schemes you would think piracy would have slowed down or stopped. It hasn’t. In fact, the more protection schemes you have the more people you have looking for cracks. For example: Command and Conquer Renegade. This is one of my favorite games. Despite verifying its serial online, the game requires me to keep the CD in the CD drive. Why? Well, I might have copied the CD from someone else. I have to keep removing the game CD every time I want to play another CD. Why should I have to bother myself with this? Why not go find a crack that removes the game’s ability to look for the CD? These copy protection schemes only prevent the truly clueless from bypassing them.

The music industry has made a special point of going after consumers that share music with lawsuits. We can only hope that consumers return the favor over this malware invasion of their personal computers.

-Soli Deo Gloria

The Power of Remote Control

Several years ago I started working in a help desk doing phone support 2 days a week. At the time we did not have remote control capability to workstations. Words cannot describe the frustration of trying to solve something you cannot see. What I call an icon and what the user calls an icon can be (and usually are) two different things. “Now open My Computer” says the tech and “IT IS OPEN” yells the user. Don’t laugh, it happens far too often. Eventually, the help desk did get a buggy version of workstation remote control software with Novell Zenworks 3. However, this little beast was based on IPX communications, which are older and much less reliable than TCP/IP. We also had problems with video acceleration crashing the remote control agent on the user’s machine, so I had to figure out a way of disabling the acceleration. We finally got Microsoft SMS 2003 for inventory management and remote control, and let me tell you that is one sweet product.

Of course you probably don’t have money for SMS 2003 and that’s where VNC comes in. VNC stands for Virtual Network Computing and was originally developed at the Olivetti & Oracle Research Lab in Cambridge, which became AT&T Labs Cambridge. The nice guys there released the VNC source code under the GNU GPL (not quite public domain, but free to use and modify). VNC lets you connect to a client workstation from your own workstation for… FREE. Free? Yes, free. Everyone likes the word free, including me!

So how does it work? You put a VNC server on the workstation (a small service that shares its screen, listening on TCP port 5900 by default) and then connect to it from a VNC viewer on your own machine over plain TCP/IP. It will even do it by host name (which resolves to an IP address). At my new company we didn’t have any remote control software, so I decided to use VNC on our workstations (with management approval, of course). There are different “flavors” of VNC: RealVNC, TightVNC, UltraVNC, etc. You can lock down VNC with a password to keep out the bad guys, but the classic VNC password is truncated to eight characters and the session after login is not encrypted, so restrict port 5900 to your admin workstations or tunnel it (over SSH, for example) rather than exposing it to the whole network. UltraVNC will do Windows authentication, RealVNC will not (unless you pony up money for the enterprise version).

In the course of using VNC you’ll notice one really annoying thing: no computer list. There’s really no way of knowing which computers have VNC and which ones don’t. That’s where VNCScan comes in. VNCScan scans the IP range you give it and finds every VNC and RDP server on your network. How cool is that? Now this program is $39 per administrator, but there is a trial copy at the web site that is good for 30 days so you can completely test drive the program before buying (that’s PER administrator, NOT per computer!). After downloading and installing the program you make a group (or multiple groups). You then specify the starting and ending IP address. Now you can right-click on the group and pick Scan. Again, make sure you have permission from your management team to do this, as this will port scan your whole network. Some network administrators may get a bit upset at you if you don’t ask first.
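A home-grown version of the sweep VNCScan performs, as an added PowerShell example (not VNCScan’s code, and not part of the original post). It relies on one property of the protocol: a VNC server sends its 12-byte RFB version string (for example “RFB 003.008” plus a newline) the moment the TCP connection opens, so a single read both identifies the service and tells you the protocol version without authenticating. RDP on 3389 waits for the client to speak first, so it is only reported as an open port. The subnet, ports and timeout are assumptions for illustration; the same permission rule applies before you run it against a real network.

```powershell
# Added example, not VNCScan's code: sweep an IP range for VNC and RDP listeners.
# A VNC server sends its 12-byte RFB version string ("RFB 003.008\n") the moment
# the TCP connection opens, so one read identifies it and its protocol version.
# RDP on 3389 waits for the client to speak first, so it is only reported as open.
# The range, ports and timeout are assumptions for illustration.

function Get-RemoteControlBanner {
    param(
        [Parameter(Mandatory)][string]$Address,
        [int]$Port = 5900,
        [int]$TimeoutMs = 500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout; a closed or filtered port simply yields nothing.
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $null }
        $client.EndConnect($async)

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $buffer = New-Object byte[] 12
        $count = 0
        try { $count = $stream.Read($buffer, 0, $buffer.Length) }
        catch [System.IO.IOException] { }   # no banner before the timeout

        $banner = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $count).TrimEnd("`n")
        if ($banner -match '^RFB (\d{3})\.(\d{3})$') {
            $service = 'VNC'
            $version = '{0}.{1}' -f [int]$Matches[1], [int]$Matches[2]
        } else {
            $service = 'open'      # something listens, but it did not introduce itself
            $version = $null
        }
        [pscustomobject]@{ Address = $Address; Port = $Port; Service = $service; Version = $version }
    } catch {
        return $null               # connection refused or reset
    } finally {
        $client.Close()
    }
}

function Find-RemoteControlHosts {
    param(
        [string]$Prefix = '192.168.1',          # assumed /24, change to your subnet
        [int]$First = 1,
        [int]$Last = 254,
        [int[]]$Ports = @(5900, 3389)
    )
    foreach ($octet in $First..$Last) {
        foreach ($port in $Ports) {
            $result = Get-RemoteControlBanner -Address "${Prefix}.${octet}" -Port $port
            if ($result) { $result }
        }
    }
}

Find-RemoteControlHosts | Format-Table -AutoSize
```

The sweep is deliberately sequential: each probe is one complete connect, so at most one half-open connection is ever outstanding and the Windows XP SP2 limit on concurrent connection attempts never comes into play, at the cost of a few minutes for a /24 with a 500 ms timeout. Closing the socket right after the version string means the server sees only an aborted handshake, which is also what a VNC server’s log will show you when someone else runs this against your machines.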

If you are running Windows XP SP2 like I am you’ll notice that VNCScan won’t recognize computers that really are running VNC, or won’t find them at all. What gives? Well, according to VNCScan you need a patch to raise your concurrent TCP/IP connection limit. That brings us to this site, which claims: “Since XP SP2 there are only 10 concurrent TCP connection attempts possible, while in SP1 it has not been limited.” (What SP2 actually throttles is the number of incomplete, or half-open, outbound connection attempts, which is exactly what a port scanner fires off in parallel; when the cap is hit Windows logs Event ID 4226.) Well, thank you Mr. Gates! I’m sure this is all part of the M$ security initiative: if you cannot run port scanners you cannot be a bad boy with Windows XP SP2. I ran the patch and sure enough, VNCScan worked like a charm. The makers of VNCScan say to raise the default from 10 to 10,000, but I just did 100 and it seemed to work fine. Keep in mind that the patch edits tcpip.sys itself, so a later hotfix that replaces that file will quietly put the limit back.

The amazing part did not stop there. The company I currently work for is set up as one big Microsoft workgroup. There is no way of pushing programs out to users’ workstations (no free way at least). When I saw the option in VNCScan to right-click on a computer object and “Deploy VNC here”, I was expecting it to fail. To my surprise it actually worked! I spent countless hours trying to get programs to push out to a PC and here was VNCScan doing it like it was nothing. Now, there are a few caveats to this. You need local administrator rights on the box you are trying to push VNC out to. You’ll also need Windows Script Host (WSH) on the target box, so this will only work with 2000, XP and beyond. Finally, I’m guessing you’ll need File and Print Sharing, Remote Registry and the Server service enabled on the target workstation (and the Windows Firewall turned OFF). I’m going to try to decode the script they use, because it seems to work quite well. There is one bug I found in the program. The list shows computers that have VNC on them and those that don’t. If you pick “Deploy VNC Here”, VNCScan shows that the computer has VNC on it after the script runs, even if the script fails to install VNC on the computer! They need a cleaner way of determining whether the installation was successful or not.

If you read up on UltraVNC you’ll also notice a program called UltraVNC SC. What can you do with this program? Well, let’s say you have Joe User on the West Coast having a problem with his laptop. Joe User is behind a router with a private IP address. How in the world are you going to connect to Joe User? That problem is solved with UltraVNC SC. This PDF was shamelessly pulled from a sticky in the UltraVNC forum. Simply stated: you start a VNC listener on your end, opening up port 5900. You’ll need an external name or IP address, which you can get for free from www.dyndns.org. You then configure UltraVNC SC per the instructions and then throw it up on a web site. Have Joe User download the program and then run it, and bingo, he connects right into you. No fuss, no muss. Keep in mind what you have built: the listener address is baked into that executable, so whoever runs it hands their desktop to whatever is listening there, and a tampered download hands it to someone else. Host it somewhere you control and give it out per incident rather than leaving it on a public page. Now if you don’t think that is impressive, check out Webex, which offers a commercial version of this technology that goes for $149/month for one seat. Just imagine the possibilities: if you have a computer store you can configure your store logo into UltraVNC and then offer that as part of warranty service. Maybe we can dream, like those spam messages that always say, “work from home and make thousands”. Hey, maybe this is not such a bad idea after all.

Now, your security team (if you have one) will need to do a risk assessment and evaluation of VNC. I believe the authentication piece is encrypted, but the rest of the communication is not. I also noticed the administrator password I used to connect to workstations was in plaintext in the file C:\Program Files\TGCS\VNCScan Console .NET\auth.cmd. If I should decide to register this program I believe that this issue needs to be addressed.

-Soli Deo Gloria

The E-mail Problem

Now I know why I hate AOL. A couple of years ago I subscribed to an e-mail service called Mailblocks. I had a bunch of my news letters forwarded to various aliases at Mailblocks and it worked quite nicely for curbing spam. A few months ago AOL bought out Mailblocks.com and hired all of the Mailblocks staff. I got a sickening feeling about this, but there wasn’t another e-mail service that did what Mailblocks did (Challenge/Response spam control and aliases). The service started to get slow and was down for long periods at a time. Alas, on October 16th, AOL announced it was discontinuing the Mailblocks service and was replacing it with a crappy version of its own. Yes, I said crappy. There was no mention of Challenge/Response spam control in this new e-mail service and of course you can imagine that my e-mail address would be aleinss@aol.com. Shudder! I’m sure there’s a few blacklists roaming out there with aol.com plastered all over them.

I quickly regained my composure and went over to www.emailaddresses.com. This is a nice little web site that has information on all sorts of e-mail providers. If you are looking for an e-mail provider I highly suggest it. My big requirement was aliases. Why? Well, when I go to a merchant’s web site they always want my e-mail address. There’s really no way of tracking who sold your e-mail address when you have given the same address to multiple merchants! So I made an alias for every web site I went to. This alias would forward e-mail to a specific folder. I found that when I started to get spam in one folder I would simply delete the alias and make a new one. Once your e-mail address is on a spam list it is never coming off of it. Granted, this required a lot of work on my part, but it kept my inbox pretty darn clean.

The first e-mail provider that caught my eye was Fastmail.fm. Unfortunately, they only offer 5 aliases on their own domain. Then I saw an intriguing feature: having them host your own domain name for e-mail! I went on to look at this and saw that domain registration is $8 a year. I could register my very own domain name and keep the same e-mail address as long as I wanted to. I continued on and found the e-mail provider Tuffmail. They offered unlimited e-mail aliases and 500MB of space at $25/year. That is what Mailblocks was charging, and they only offered 100MB of space and 25 aliases. I also decided to register a domain in my name: literally my last name of Leinss. This name is unique and cool. I can search the whole Internet and see everything that I posted. You will find a few of my relatives by searching on this term.

Using Tuffnames I registered www.leinss.com for the next 10 years. What’s cool is that even if Tuffmail goes out of business I can point my MX records to the mail server of my new provider. Here’s another cool feature: forwarding domains. I can actually “park” my domain at Tuffnames (a reseller of GoDaddy) and then have it forward www.leinss.com to my web page at Kirenet. If Kirenet goes out of business, I just move my web site to another provider and change the forwarding domain. I actually tried to keep the same e-mail address long ago with mail.com. They promised a free e-mail address for life and free forwarding. After several years they were bought by another company. This company decided that free forwarding was not in their best interest and forced everyone to pony up money if you wanted your “free, lifetime e-mail address” to get forwarded to somewhere else. No grandfathering, no backing of the earlier promise, nothing. I was using this e-mail address (aleinss@mindless.com) on the USENET for many years and I was getting about 75 pieces of spam PER day. It was time to give up the “lifetime” e-mail address.

How do you get the best e-mail experience?

Use “disposable” e-mails for merchant web sites. Never give them your “real” e-mail address.

Never post your real e-mail address on the Internet. If you must, make sure you tailor it in a way that doesn’t look like an e-mail address. For example: on my web page I made an alias web @ leinss.com. If you send e-mail to web it gets forwarded to my web folder. If some nut job decides to spam that alias I just make a new one (which takes all of 30 seconds). Combined with the spam lists that Tuffmail offers (which are impressive I must say and very configurable client side) and unlimited aliases, Mr. Spam Man ain’t getting to this guy!

Give your real address to friends and acquaintances only.

-Soli Deo Gloria