Final Post

No – I’m not dead yet!!

This is a final post at Tigerstail.wordpress.com because I am tired of seeking knowledge and bitching about that which is. It is time to use my skills to develope the solutions to all of the problems I have discovered.

Join Me at jimmicap.wordpress.com

Vista Tasklist – Cool Tool!

Alright, I finally found something decent about Vista but it actually is in Vista DOS which evolved from NT DOS and XP Pro DOS. It’s a tool called Tasklist and it’s used to get a listing of all processes by PID and which services are running in these Processes. By using various switches, you can find out what modules and executables are associated with a PID and learn about them. Knowledge leads to defense or minimally it will allow you to identify and disable your intruder.

My very First Tasklist command was:

C:\>Tasklist /svc

In my last post I found that Level 3 was connected to two unknown processes, 2060 and 988. Now I’m still not proficient with this command, but the output shows I have reason to be concerned.

Image Name PID Services
========================= ======== ============================================
svchost.exe 988 AeLookupSvc, Appinfo, BITS, Browser, gpsvc,
IKEEXT, iphlpsvc, LanmanServer, MMCSS,
ProfSvc, RasMan, Schedule, seclogon, SENS,
ShellHWDetection, Themes, Winmgmt, wuauserv
winss.exe 2060 winss

By searching for winss on Google you find that this is part of Windows One Care but has been related to malware problems and that svchost.exe is a generic host for Windows Modules that has also been suspect in malware. Still, you cannot dismantle them without hurting your operating system so you have to find the service or even specific module that is connecting to the net without your permission.

The next command I tried was

C:\>tasklist /m >> module.txt

It’s necessary to send this to a text file because the output is bigger than the DOS screen allows. The output gives you all the modules for each PID which is informitive but not necessarily useful. What would be ideal is if the IP were related to the PID which connected to a service and then connected to the modules within that service. This is what netstat -bv did and it allowed me to isolate and eliminate problems like with ccproxy.exe.

I’m sure that Tasklist is the solution, but it will take me awhile to figure it out unless somebody gives me the answer. I suspect whatever this intruder was standard malware and not Military Strength Malware. I ran all my malware eliminators and when I awoke I only had Google Talk knocking on my door.

Vista – Beyond Netstat!

Where do you find your lost car keys? You find them in the same place every time and the answer is easy.

You find them the last place you look.

When it came to XP I never got past netstat to find out who’s invaiding my privacy because it wasn’t necessary. Now there are some interesting things about DOS that I forgot but since analyzing Vista is a whole new ballgame, I thought I better refersh myself. The command of the day was netstat -ano with a few modifiers to give me a hand. After all this is still a computer and it should be able to follow a few simple commands. Check the following:

C:\>netstat -ano 10 >> fred.txt

Now this command is fairly straight forward when you learn DOS. The netstat -ano gives a listing of the protocal, the local port, the foriegn IP and port, the state and the Process ID. The 10 means the command for that information is repeated every 10 secods and since you really can’t do much with DOS output and the retained DOS data is finite, the >> fred.txt command sends it to a text file named fred and adds the new information being generated every 10 seconds to the bottom of the file.

Because of the slow speed of Vista and all the Simon Says rules, I set up DOS with the above command the night before and a second DOS window with “notepad fred.txt”. Since they were set up the night before, all I have to do when the machine comes out of hibernation is to press enter on the netstat command and about 2 minutes later press enter on the other DOS window to see wat I have captured in notepad.

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 748
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 432
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 948
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1148
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 516
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 988
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 500
TCP 12.197.60.34:139 0.0.0.0:0 LISTENING 4
TCP 12.197.60.34:53044 72.14.203.101:80 CLOSE_WAIT 1028
TCP 12.197.60.34:53045 209.85.163.125:5222 ESTABLISHED 1028
TCP 12.197.60.34:53046 64.233.163.189:80 TIME_WAIT 0
TCP 12.197.60.34:53047 207.46.235.29:443 ESTABLISHED 2060
TCP 12.197.60.34:53049 8.12.213.124:80 ESTABLISHED 2060
TCP 12.197.60.34:53050 8.12.213.124:80 ESTABLISHED 988

The first three external IP’s belong to Google Talk. The third Google connection drops out after 2 minutes and the first 2 stay connected all day. The forth IP is Microsoft and the last IP using two different processes belongs to Level 3.

Now Level 3 is an untrusted, uninvited quest but the connection only lasts for less than a minute. By the time I check the task manage and get through “Simon Says” and “processes from all users“, it’s too late to find out who is doing what to me and I have yet to discover a meaningful list of subprocesses for each PID that I might block to block the intruder. Blocking the IP is a waste of time because there are billions and the task of invading my privacy can be shifted to another server. The only perminant way is to identify and kill the process.

Tomorrow, I’ll discuss a new DOS command, at least it’s new to me and does not exist in Windows XP Dos.

But the only thing for sure right now is that I have an univited intruder invading my privacy which has made it past Windows Defender and I dont have a clue on how to stop it.

Window Washer Sucks!!!

About a month ago, Steve sent the following comment.

“please google the following CMU-ISRI-05-119. It is a real eye opener and I promise it will enlighten all in this discussion!”

I did Google it at the time, and meant to comment on it further. Seems this is an only modestly technical paper which could be read and copied by a bright high school kid for his science fair project. In the simplest terms, they evaluated about six different manufacturer’s privacy protection software. There conclusion was also fairly clearly stated.

“The results highlight some significant shortfalls in the implementation and approach of these tools leading to privacy concerns about the exposure of sensitive data. The findings also raise questions about the level of privacy protection that is realistic to expect from these tools….”

All of these tools were tested on windows XP and I’m not aware of a similar comparison of privacy products which allegedly protect you from Vista’s invasion of Privacy. All vendors were notified of the work in progress and only CyberScrub which was the best of a very poor lot responded with positive changes being made in the new version.

This excellent piece of practical knowledge was done by Matthew Geiger and Lorrie Faith Cranor at the Institute for Software Research at Carnegie Mellon University.

There report ran 64 pages and is easy enough to read. My original report on Privacy software ran a little more than two paragraphs and I stand by the Title

Window Washer Sucks.

IE 7 Sucks

In the Tigerstail blog, security and privacy are the only issues. I’m not fond of Window Washer because it doesn’t automatically live up to it’s promise to erase all tracks of your websurfing habits. I finally figured out that it does a fair job of removing tracks from IE 6 if you use a convoluted system of having it fight the browser on start-up and then wipe again when you close it down.

So while I wasn’t comfortable with all thos pop up windows advising me to close my browser because it wasn’t clean, it actually worked to prevent storage of my web surfing tracks if I ignored the message saying the browser couldn’t be cleaned while open.

Then – BAM!!!

In a drive-by download from my automatic upgrade of Windows, I was upgraded to IE 7. Now the reason I stuck with Windows was because I was documenting just how crappy the browser is. However, IE 7 creates and stores those index.dat files in a different way and there was no way for me to get Windows Washer to work in any acceptable manner. Tracks remained and I got random browser error and shutdown messages.

So I switched to CCleaner which I wanted to try anyway based on the recommendation by Shane Fowler in a comment. Now here’s where IE 7 really failed. I mean it simply wouldn’t let CCleaner do its job. There was no way I could get the combination of CCleaner and IE 7 to work. So the choice was stick with my Constitutional right to Privacy or abandon it in favor of supporting Bill Gates and IE 7.

I mean – is this a no-brainer?

In the next couple of blogs, I’ll report on securing Firefox for privacy and the ability of CCleaner to protect me and you.