Archive for November, 2007

Vista Tasklist – Cool Tool!

November 30, 2007

Alright, I finally found something decent about Vista but it actually is in Vista DOS which evolved from NT DOS and XP Pro DOS. It’s a tool called Tasklist and it’s used to get a listing of all processes by PID and which services are running in these Processes. By using various switches, you can find out what modules and executables are associated with a PID and learn about them. Knowledge leads to defense or minimally it will allow you to identify and disable your intruder.

My very First Tasklist command was:

C:\>Tasklist /svc

In my last post I found that Level 3 was connected to two unknown processes, 2060 and 988. Now I’m still not proficient with this command, but the output shows I have reason to be concerned.

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    988 AeLookupSvc, Appinfo, BITS, Browser, gpsvc,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                   ProfSvc, RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
winss.exe                     2060 winss

By searching for winss on Google you find that this is part of Windows OneCare but has been related to malware problems, and that svchost.exe is a generic host for Windows modules that has also been suspect in malware. Still, you cannot dismantle them without hurting your operating system, so you have to find the service or even the specific module that is connecting to the net without your permission.

The next command I tried was

C:\>tasklist /m >> module.txt

It’s necessary to send this to a text file because the output is bigger than the DOS screen allows. The output gives you all the modules for each PID, which is informative but not necessarily useful. What would be ideal is if the IP were related to the PID, which connected to a service and then connected to the modules within that service. This is what netstat -bv did, and it allowed me to isolate and eliminate problems like the one with ccproxy.exe.

I’m sure that Tasklist is the solution, but it will take me a while to figure it out unless somebody gives me the answer. I suspect that whatever this intruder was, it was standard malware and not Military Strength Malware. I ran all my malware eliminators and when I awoke I only had Google Talk knocking on my door.

Vista – Beyond Netstat!

November 29, 2007

Where do you find your lost car keys? You find them in the same place every time and the answer is easy.

You find them the last place you look.

When it came to XP I never got past netstat to find out who’s invading my privacy because it wasn’t necessary. Now there are some interesting things about DOS that I forgot, but since analyzing Vista is a whole new ballgame, I thought I had better refresh myself. The command of the day was netstat -ano with a few modifiers to give me a hand. After all, this is still a computer and it should be able to follow a few simple commands. Check the following:

C:\>netstat -ano 10 >> fred.txt

Now this command is fairly straightforward when you learn DOS. The netstat -ano gives a listing of the protocol, the local port, the foreign IP and port, the state and the Process ID. The 10 means the command for that information is repeated every 10 seconds, and since you really can’t do much with DOS output and the retained DOS data is finite, the >> fred.txt command sends it to a text file named fred and adds the new information being generated every 10 seconds to the bottom of the file.

Because of the slow speed of Vista and all the Simon Says rules, I set up DOS with the above command the night before and a second DOS window with “notepad fred.txt”. Since they were set up the night before, all I have to do when the machine comes out of hibernation is to press enter on the netstat command and about 2 minutes later press enter on the other DOS window to see what I have captured in notepad.

Active Connections

Proto  Local Address          Foreign Address          State        PID
TCP    0.0.0.0:135            0.0.0.0:0                LISTENING    748
TCP    0.0.0.0:49152          0.0.0.0:0                LISTENING    432
TCP    0.0.0.0:49153          0.0.0.0:0                LISTENING    948
TCP    0.0.0.0:49154          0.0.0.0:0                LISTENING    1148
TCP    0.0.0.0:49155          0.0.0.0:0                LISTENING    516
TCP    0.0.0.0:49156          0.0.0.0:0                LISTENING    988
TCP    0.0.0.0:49157          0.0.0.0:0                LISTENING    500
TCP    12.197.60.34:139       0.0.0.0:0                LISTENING    4
TCP    12.197.60.34:53044     72.14.203.101:80         CLOSE_WAIT   1028
TCP    12.197.60.34:53045     209.85.163.125:5222      ESTABLISHED  1028
TCP    12.197.60.34:53046     64.233.163.189:80        TIME_WAIT    0
TCP    12.197.60.34:53047     207.46.235.29:443        ESTABLISHED  2060
TCP    12.197.60.34:53049     8.12.213.124:80          ESTABLISHED  2060
TCP    12.197.60.34:53050     8.12.213.124:80          ESTABLISHED  988

The first three external IPs belong to Google Talk. The third Google connection drops out after 2 minutes and the first 2 stay connected all day. The fourth IP is Microsoft, and the last IP, using two different processes, belongs to Level 3.

Now Level 3 is an untrusted, uninvited guest, but the connection only lasts for less than a minute. By the time I check the Task Manager and get through “Simon Says” and “processes from all users”, it’s too late to find out who is doing what to me, and I have yet to discover a meaningful list of subprocesses for each PID that I might block to block the intruder. Blocking the IP is a waste of time because there are billions and the task of invading my privacy can be shifted to another server. The only permanent way is to identify and kill the process.
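The IP-to-PID-to-service join wished for in the Tasklist post, together with the snapshot file that the netstat -ano 10 >> fred.txt loop above produces, can be worked out offline from the two captured text files. This is an added example, not code from the original post; the sample netstat and tasklist text is constructed from rows quoted on this page, and the googletalk.exe tasklist row is an assumption.

```python
import re
# Constructed sample, not the blog's fred.txt: two "netstat -ano" snapshots as the
# "netstat -ano 10 >> fred.txt" loop appends them, trimmed to rows quoted in the post.
NETSTAT_LOG = """\
Active Connections
  Proto  Local Address        Foreign Address        State        PID
  TCP    12.197.60.34:53045   209.85.163.125:5222    ESTABLISHED  1028
  TCP    12.197.60.34:53049   8.12.213.124:80        ESTABLISHED  2060
  TCP    12.197.60.34:53050   8.12.213.124:80        ESTABLISHED  988
Active Connections
  TCP    12.197.60.34:53045   209.85.163.125:5222    ESTABLISHED  1028
"""
# Constructed "tasklist /svc" capture: rows 988 and 2060 are the post's; the googletalk
# row is assumed (tasklist prints N/A for a process that hosts no service).
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    988 AeLookupSvc, Appinfo, BITS, Browser, gpsvc,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                   ProfSvc, RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
winss.exe                     2060 winss
googletalk.exe                1028 N/A
"""

def parse_netstat_snapshots(text):
    """Yield (snapshot_index, foreign_address, pid) for every row of an appended log."""
    idx = -1
    for line in text.splitlines():
        if line.startswith("Active Connections"):
            idx += 1                            # each appended run starts a new snapshot
        m = re.match(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$", line)
        if m and idx >= 0:                      # UDP rows have no State column
            yield idx, m.group(3), int(m.group(5))

def parse_tasklist_svc(text):
    """Map PID -> service names, folding the wrapped rows tasklist /svc prints for svchost."""
    services, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line)
        if m:                                   # "image.exe  PID  svc, svc, ..." row
            pid, line = int(m.group(2)), m.group(3)
            services[pid] = []
        elif pid is None or not line[:1].isspace():
            continue                            # header, ==== rule or blank line
        services[pid] += [s.strip() for s in line.split(",") if s.strip()]
    return services

def correlate(netstat_log, tasklist_text):
    """Join foreign address -> PID -> hosted services, recording the snapshots each
    connection appeared in, so a peer that vanishes within a minute is still attributed."""
    svc = parse_tasklist_svc(tasklist_text)
    seen = {}
    for idx, foreign, pid in parse_netstat_snapshots(netstat_log):
        entry = seen.setdefault((foreign, pid), {"services": svc.get(pid, []), "snapshots": []})
        entry["snapshots"].append(idx)
    return seen
```

A connection present in only some snapshots is exactly the short-lived kind that Task Manager is too slow to catch; its PID still maps to the services that were hosted when tasklist /svc was captured, so run tasklist /svc alongside the netstat loop, before PIDs get reused.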

Tomorrow, I’ll discuss a new DOS command; at least it’s new to me, and it does not exist in Windows XP DOS.

But the only thing for sure right now is that I have an uninvited intruder invading my privacy which has made it past Windows Defender, and I don’t have a clue how to stop it.

XP vs. Vista, Netstat Tools!

November 28, 2007

There is absolutely no comparison between using netstat on XP and netstat on Vista. This example is limited to Google Talk because I have it on both machines and it seems to be the first program to make contact over the Internet when I bring my machines out of hibernation. I have used netstat to track uninvited connections, some of which I blocked by turning off the process and some of which were blocked by changing the name of an executable. The reason I made a name change instead of a file deletion was that, in case I made a mistake, I could open in safe mode and reverse the process.

Let’s slowly and carefully take a look at netstat outputs from XP and Vista.

C:\WINDOWS>netstat -ano (THIS IS XP)
Active Connections

Proto  Local Address          Foreign Address          State        PID
TCP    192.168.0.101:1053     216.239.51.125:5222      ESTABLISHED  1644
TCP    192.168.0.101:1054     64.233.163.189:80        TIME_WAIT    0

L:\Windows\system32>netstat -ano (THIS IS VISTA)

Active Connections

Proto  Local Address          Foreign Address          State        PID
TCP    12.197.52.45:49487     216.239.51.125:5222      ESTABLISHED  1028
TCP    12.197.54.76:49161     72.14.203.100:80         CLOSE_WAIT   1028

There is not much difference in the information which can be obtained. The two different machines are using different ports and Process Identification Numbers (PIDs), but the information given is exactly the same. In both cases, the only way to prove that this is Google Talk connected to the Internet is to look up the IP using a DNS service.

Now let’s take a look at netstat -bv. I have discussed this deficiency of Vista before although not in complete detail.

C:\WINDOWS>netstat -bv (This is XP)
Active Connections

Proto  Local Address          Foreign Address               State        PID
TCP    Whatever:1053          kc-in-f125.google.com:5222    ESTABLISHED  1644
         C:\WINDOWS\system32\mswsock.dll
         C:\WINDOWS\system32\WS2_32.dll
         C:\Program Files\Google\Google Talk\googletalk.exe
         C:\WINDOWS\system32\USER32.dll
         C:\Program Files\Google\Google Talk\googletalk.exe
         C:\WINDOWS\system32\kernel32.dll
         — unknown component(s) —
       [googletalk.exe]

TCP    Whatever:1054          nz-in-f189.google.com:http    TIME_WAIT    0

Take note that in XP, netstat -bv clearly identifies the URL of the connection to the Internet, saving you the time to look it up. Also, the link between the port and the PID is connected to the URL, or in some cases the IP, but the connection is always clear. Also note that all of the subprocesses of Google Talk are identified and you can look them up one by one to identify whether they are legitimate or not. If any are suspect, a replacement can be downloaded to replace the suspect file, or they can be renamed to find out what happens to your machine when they are deleted.

The following is the output from netstat -bv in Vista.

L:\Windows\system32>netstat -bv (This is Vista.)

Active Connections

Proto  Local Address          Foreign Address          State
TCP    12.197.52.45:49534     ro-in-f100:http          CLOSE_WAIT
       [googletalk.exe]
TCP    12.197.52.45:50325     kc-in-f125:5222          ESTABLISHED
       [googletalk.exe]

The above is the output from Vista and the information is worthless. There is no link between the URL, the PID or the port, and the ports which are identified are not the same ones identified by netstat -ano. Also, no subprocesses are identified, so the search for problem executables is hindered.

There is no defensible reason why a powerful diagnostic tool like netstat should have been debased in Vista. It would have been easier for Microsoft to spin bullshit if it had been entirely eliminated.

Window Washer Sucks!!!

November 27, 2007

About a month ago, Steve sent the following comment.

“please google the following CMU-ISRI-05-119. It is a real eye opener and I promise it will enlighten all in this discussion!”

I did Google it at the time, and meant to comment on it further. Seems this is an only modestly technical paper which could be read and copied by a bright high school kid for his science fair project. In the simplest terms, they evaluated about six different manufacturers’ privacy protection software. Their conclusion was also fairly clearly stated.

“The results highlight some significant shortfalls in the implementation and approach of these tools leading to privacy concerns about the exposure of sensitive data. The findings also raise questions about the level of privacy protection that is realistic to expect from these tools….”

All of these tools were tested on Windows XP and I’m not aware of a similar comparison of privacy products which allegedly protect you from Vista’s invasion of privacy. All vendors were notified of the work in progress, and only CyberScrub, which was the best of a very poor lot, responded with positive changes being made in the new version.

This excellent piece of practical knowledge was done by Matthew Geiger and Lorrie Faith Cranor at the Institute for Software Research at Carnegie Mellon University.

Their report ran 64 pages and is easy enough to read. My original report on privacy software ran a little more than two paragraphs and I stand by the title:

Window Washer Sucks.

Vista OOBE Sucks!

November 26, 2007

To an old marketing practitioner like me, OOBE is an acronym for Out Of Box Experience.

Forget that Microsoft has hijacked the term to mean their start-up programming that bores you to tears while describing all the new bells and whistles and telling you how great they are and how much you will love them. To me, OOBE includes all those factory preset conditions that make your computer act the way it does. I know that there has been much written about how to turn off or correct many of the nasty conditions I’ll describe, but that’s not the point. The average user does not know how to change the registry or turn off processes and shouldn’t have to learn.

All my complaints deal with the fact that this operating system is a total mismatch for current equipment. The worst manifestation is that it is slow, slow, so very slow. When I wake up and go to my hibernating machine I don’t know what to expect when I tap the enter key. It might spring to life in a minute, it might take five minutes; only the Vista Gods may have a clue. I have programmed my human self to tap a key to wake it up before I start my morning tea and go to the bathroom; then my trusty Vista machine will probably wake up before I’ve finished my morning ritual.

Now when my XP machine takes more than 2-7 seconds to come to life the first thing I do is run “netstat -ano” to see who’s connected to my machine and what they are doing. Running “netstat -bv” identifies the processes and the executables involved in each process by the connection name (This doesn’t work as well in Vista).

When I try to quickly run the netstat command on Vista DOS, Vista plays a silly game of Simon Says where it asks me if I am truly the person who clicked to open DOS, and it will not open it until I click yes. I mean, I am operating as administrator with administrative privileges; what’s above that? When you get to your answer for your request, you have no way of knowing how many connections were made and broken while you were playing Simon Says or waiting for your machine to come out of hibernation.

My next task is to identify the processes which the IPs are connected to, and when I run Task Manager, it plays that silly game of Simon Says again, invoking my administrative privilege to proceed, and then the first answer is not complete. You have to click on a box that asks if you want to see the processes for all users. I mean, I’m supposed to be the administrator with full administrative privileges and there are no other users on the machine, yet more processes are identified as being operated by “system”.

By the time you get full administrative privileges there is no way to get full knowledge. All this crap slows you down so much it is impossible to know what wasn’t captured.

There are ways to work around this unnecessary crap but then why should I have to?

Vista; Resistance is Futile, Knowledge is Soporific!

November 24, 2007

Well, my friends over at Vistasucks wanted to know what I think about Vista and what I am doing about an operating system. The answer should be obvious: Nothing at all.

I finally got Vista installed and even used Defender antivirus. This operating system is slow, and I finally figured out one of the reasons was the daily backup which quadrupled disk usage in about a week. I’ll discuss the Vista shortcomings in the next few blogs; they go from banal to unacceptable and sometimes you can’t tell the difference. I mean, is it banal or unbelievably unacceptable that the solitaire game cannot keep accurate score? This has to be indicative of a lack of market testing and poor software control. If they do something stupid like that with trivial solitaire programming – what’s wrong with the rest of the system?

I’m not above self-criticism, so about a month ago I went back to my computer assembler and tried to purchase a brand new Vista machine, just in case the mistakes were caused by me during installation. He told me they no longer built them for inventory because everybody wanted XP, but they would build them to order. So I had one built. I’ve forced my home to be a Vista enclave by giving away a perfectly good and almost new XP machine that I dreaded doing the upgrade on after my first experience. The second custom-built machine has not even come out of the box as I have been too busy, but since the house must be in order before the Christmas guests arrive, I have a deadline. The biggest change is I’m sleeping in later and no longer working from home because I don’t need early morning aggravation. As a result, my hobby blogs have been unattended for about a month. Vista is too much like work; it reminds me of the old Sinclair Timex machine with the memory always falling out and crashing the machine. It was cute but it still sucked.

For now it’s XP & Suse Linux at work and Vista (mostly never used) at home. At work there are no issues of security or privacy. We are in a controlled industry and damn near every government agency in the world can get a court order to see what’s in our files or on our machines, so we let them look without too much bother. Since I don’t understand the security of my Vista operating system at home, there is not much other than family pablum on it.

I was born free, I would prefer to die with my right of privacy intact, and I feel that no operating system exists which will work to protect me. They all seem to be designed to a greater or lesser degree with some obscenity called “the National Interest” in mind. I’ve done the boring blog about Vista invading your privacy, and the only reason XP is better is that there are more programs out there that work to protect you. Vista was probably released in the “National Interest” to provide usable trapdoors for the Feds because the XP vulnerabilities were all being closed by independent software developers.

As stated previously, Linux is still a toy and the open source movement is a disaster. (Open Office is dreadfully slow and there are now 33,000 images associated with the program.) I suspect that what’s wrong with totally open source is that every kiddie hacker in the world wants to add an image or their 2 lines of code, and soon the programs will grow to Bill Gates size with all the associated backdoors. There are probably a half dozen programmers working at Homeland Security submitting clever code to add to the various Linux distributions which will make the system weaker.

I’m starting to think about alternate surfing technology and alternate operating systems which is why I’ve started blogging again. I can’t believe that there is not a way to once again surf the net with the privacy of a library. But in my heart I know:

Resistance is Futile, Knowledge is Soporific!