IWETHEY v. 0.3.0 | TODO

Re: Is it possible to hide programs on someone's computer


My Zone Alarm Pro lists two programs that it says I have given the ok to access the Internet. I have my Win2K folder options set to show hidden files & all extensions.

The two programs are named as A and B (just that).

If I look at the file path shown for each of these programs, it appears not to exist?

A is listed as

D:\Program Files\Adobe\Acrobat 5.0\A but there is no such file in this location (Zone Alarm says it has a zero size?)


B is listed as being in a Folder that I can't see at all.

Just wondering

Doug Marker

Hidden directories?
Hi Doug,

W2K/NT5; dunno about hidden directory rules in that kluge. It hasn't been high on my list to delve any more into M$ internal obfuscation - I just assume there are trapdoors yet to be ID'd. My naive guess would be to find the errant Task; surely a necessary component - by elimination. There may be a perfect Rixtool for that - alas! he has given up on entire M$ platform, re any future devs and is seeking a new OS venue; this despite his many years of effort in creating small bulletproof utils to illuminate Doze errata. (Maybe XP and its direction of final obfuscation -- was the final straw)

Here be present 'Doze related tools at [link|http://www.radsoft.net/| Radsoft]

Here's what may? be his latest venture (if it's the Right Rick) [link|http://rixstep.com/| Rixstep].

Also [link|http://www.sysinternals.com/| Sysinternals] has some compact monitoring utils - which also seem relevant. Filemon.exe is impressive (to me).

re ZA: What happens if you check (programs menu) X X for these listed items, and allow NONE server access. One would likely do packet-sniff things, but you know all that stuff.

With the reproducible effects - obv. you are looking to decide the method being used: no longer 'if'. I'm sure many here would like to know what the wannabe-Big Boys are fielding - thus far. Clearly they plan to get better and better - at pabulum-feeding a billion people ??! The hubris - but Ah... the techno folks like Cisco who WILL pander. Capitalism thy surname is Prostitution.



Why do scenes from The Boys from Brazil keep running through the internal viewer? (If you missed that, you Gotta find a copy!)

Luck with the sleuthing; I be too iggerant to offer even a first approach, though I'd bet there are some freeware utils already - capable of illuminating the process.

Ashton
Re: Hidden directories?
[link|http://www.radsoft.net/news/20020905,00.html|Warning re Win2K and installing SP3]

Thanks for the pointers, the above item was of particular interest - esp the bit about the SP3 EULA allowing MS to hack your computer.

Cheers

Doug
OT: About your PIC...
I liked the Grand Daughter's picture better... She is a cutie!

Nice to know I *am* the ugliest one here though (on the outside only)... ;)

[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT
[link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!!!]


Your friendly Geheime Staatspolizei reminds:
[link|http://www.wired.com/news/wireless/0,1382,56742,00.html|Wi-Fi enabled device use] comes with an all inclusive
free trip to the (county)Photographer!

Overbooking, is a problem, please be prepared for "room-ies".

Why You ask? Here is the answer to your query:
SELECT * FROM politicians WHERE iq > 40 OR \
  WHERE ego < 1048575;
0 rows found
Re: That Pic (grin) Miss HK 2000 - I used it

After mad 'Mike' in "War on Terrorism" accused me of spreading Chinese whispers" - I wanted to feed his paranoia a little more <grin>.

Yup she sure is cute but too old to be my granddaughter :-( - But old enough for me to appreciate.

Cheers

Doug
you have been smacked
/winfilepath/a(space)<return> I had links to how to do this on sleazyboard I think but the search function isn't so good over there but try this as a start point
[link|http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt|http://www.xs4all.nl...endofdeleters.txt]
luck,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]


I was so poor growing up ... if I wasn't a boy ...I'd have nothing to play with.
--Rodney Dangerfield
Re: Hmmm that does it - will reinstall from scratch

I believe it is most likely related to the blocks I *still* keep getting to certain IWE forums (this post is coming from a testing server).

So my first plan is to go ahead & re-install from scratch.

Interestingly - last week I was in Australia & using my little Sony notebook & I have Norton AntiVirus installed. I had dialled into attglobal.net then when reviewing my email (using netmail via HK) I got a message from Norton that some program had illegally altered its registry settings & advising me to remove the software & re-install from CD. I disabled the program (was in a Sony maint folder) then re-installed Norton then ran a full disk scan but it failed to show up that altered program or any other as being virii

Cheers

Doug

Forensics

Legacy MS Windows has several ways of hiding files from you, some better known than others.

I'd very strongly suggest you boot the system with another OS, inventory the drive, and run MD5 checksums on all executables. Particularly, note the ones that change. Debian's going to bypass virtually all of NTFS's security. Being able to compare images at different times would also be useful.

A friend recommends [link|http://www.sysinternals.com/|sysinternals.com] as a useful site for forensics tools.

--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]
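Karsten's inventory-and-compare step, written out as an added example (not code from the thread): it assumes the suspect disk is mounted read-only from a rescue boot, and it substitutes SHA-256 for the MD5 the post names, since MD5 collisions are cheap to manufacture today and the algorithm is a parameter either way.

```python
"""Inventory executables on a drive mounted offline and diff two snapshots.
Added example, not from the thread; assumes the suspect disk is mounted
read-only (e.g. /mnt/win from a rescue boot) and substitutes SHA-256 for MD5."""
import hashlib
import json
import os

# Extensions treated as executable content on a Windows drive (assumed set).
EXEC_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".com", ".cpl", ".drv"}

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root, exts=EXEC_EXTS, algo="sha256"):
    """Map relative path -> (size, digest) for every executable under root."""
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never follow links out of the mounted tree
            rel = os.path.relpath(full, root)
            inv[rel] = (os.path.getsize(full), file_digest(full, algo))
    return inv

def diff_inventories(old, new):
    """Added, removed and changed paths between two snapshots; 'changed'
    is the list the post says to look at first."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}

def save(inv, path):
    """Persist a snapshot so later images can be compared against it."""
    with open(path, "w") as f:
        json.dump(inv, f, indent=1, sort_keys=True)

def load(path):
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}
```

Note that `os.walk` sees only the default data stream of each file, so a snapshot taken from Linux will not reveal NTFS alternate streams; it catches replaced or newly planted binaries, which is what the post is after.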
Re: Is it possible to hide programs on someone's computer
Doug - no, I have Acrobat 5.0(.5) on Win2k and there is no file like that. I thought it might be a spool directory for Distiller but unless I missed something in the installation, I doubt it.

Another thing - there are sort of hidden files, and really hidden files. You have to uncheck the box that says "Hide system and settings folders" or some such (sorry on 98 right now). If these are visible, they show up as dimmed folders - really a nice feature.
-drl
Hidden files & really hidden files ...

Every win install I do I immediately uncheck the hidden files & suffixes.

The hidden files showing up in my ZA log were truly hidden - they were in the log as having accessed the Internet (with permission) but when I looked for them they were not in those locations.

I had deleted them but a day later they were back & I had *not* given any permission thru ZA to allow them net access.

My educated guess is that they were trojan modules planted as components of either Netscape, MSIE or Win services.

Anyway - I seem to have got rid of them with a clean install & by 'hardening & firewalling' every one of my computers. But I am being hit with 2 virus attachments in email, per day. I won't open email from people I don't know esp if they have attachments.

Cheers

Doug

could you forward a copy of the virus to me?
I would like to take a look under the hood.
woxley at tampabay dot rr dot com
thanx,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]

You think that you can trust the government to look after your rights? ask an Indian
"Opening" attachments
Doug wrote:

But I am being hit with 2 virus attachments in email, per day. I won't open email from people I don't know esp if they have attachments.

Back when I ran legacy Microsoft OSes, I found a 100% effective way to nullify the virus problem: Never run code you don't have reason to want to trust well enough to run. This, of course, implied ensuring that I knew about all occasions when I (or my machine on my behalf) ran code, and that it never happened without my approval.

Relevant to that, your quotation (above) indicates clearly where part of your problem lies: You talk about "opening" e-mail attachments. In Microsoft-speak, the verb to "open" sometimes means to execute, and sometimes means to view -- with the implication that the user has no idea which of the two he's doing. The implied mindset is part of what leads Microsoft's captive userbase to put up with misdesigned applications like MS-Outlook and MS-Outlook Express, whose three-pane view (at least in some versions) auto-executes code arriving as attachments without the user even selecting the attachment at all, let alone giving permission to run it.

The first steps to asserting control (aside from probably rebuilding your system from trusted media) are to remove all executables that you don't regard as trustworthy. I.e., if you suspect that MS-Outlook Express runs executables without checking with you first, get rid of it. And does your MS-Word, MS-Excel, MS-Access, or WordPro run AutoOpen or AutoClose macros automatically without checking with you? (Are you sure? Did you create test documents with those macros and see if they ran without checking with you? If not, why not?)

From that point forward, never just "click on" or "open" files without knowing of a certainty whether that's going to run as code or not. And don't just install software without meaningfully checking its identity. (You downloaded it? OK, but are you sure the site you got it from was the real site? Are you trusting some dubious party's DNS?)

Unfortunately, keeping a legacy Microsoft OS non-compromised is always a bit stressful, because you know that a user-level error of judgement can compromise the whole system's security, and not just his own security. (This is largely true even on NT, which at least in theory supports multiple user contexts, although it's not genuinely multiuser.) You have much more of a safety cushion, in that respect, on Unix.

If you use Linux, you get your pick of [link|http://linuxmafia.com/~rick/linux-info/muas|105 e-mail clients], none of which has a "virus attachment" problem. No offence intended, but it's a bit pitiful to have to ignore e-mail from strangers: No competently designed system can be threatened by a mere e-mail.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Edited by rickmoen Dec. 23, 2002, 12:14:22 AM EST
Obvious flaw
Doug wrote:

I won't open email from people I don't know esp if they have attachments.

Afterthought: How do you know which mail is genuinely from people you know? If you simply elect to believe the name in the From: header, then you're immediately at the mercy of malware-carrying SMTP worms like SirCam, which forge SMTP mail to make it appear to come from names and addresses familiar to you.

So, your protective measure not only suggests a serious problem with you using untrustworthy mail software, but also is ineffective.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Hey Doug,
Your post triggered a very faint light in the cobwebs of my mind.

I seem to recall some additional functionality of the NTFS that is not well documented (of course). Each NTFS file has something called an "alternate data stream" (ADS). Here is an excerpt [link|http://patriot.net/~carvdawg/docs/dark_side.html|from one] of the over 9000 articles Alta Vista returned when asked for "NTFS and stream"
NTFS is the preferred file system due to its stability, functionality, and the level of security it provides. NTFS alternate data streams (ADSs) are provided for compatibility with the Macintosh Hierarchical File System (HFS), which uses resource forks to maintain information associated with a file, such as icons, etc (RUSS00). While Microsoft provides a means for creating specific ADSs via Windows Explorer, the necessary tools and functionality for detecting the presence of arbitrary ADSs is conspicuously absent. Oddly enough, the operating systems have the necessary native functionality and tools to allow a user to create ADSs and to execute code hidden within those streams. Microsoft KnowledgeBase article Q101353 acknowledges the fact that the Win32 base API supports ADSs inconsistently. [emphasis added]

An NTFS file created with a stream other than stream 0 would appear as a file of 0 size to a program, but would (probably) not be visible to the Explorer. It appears to be possible to create a directory containing only ADSs too (but I'm no expert on this). It seems as if A and B may well be such entities.

HTH
jb4
"They lead. They don't manage. The carrot always wins over the stick. Ask your horse. You can lead your horse to water, but you can't manage him to drink."
Richard Kerr, United Technologies Corporation, 1990
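The ADS check jb4 describes, as an added example that is not part of the post: it assumes the Win32 FindFirstStreamW API (Vista and later, so newer than the Win2K in the thread) called through ctypes, while the stream-name parsing and the "is this an alternate stream" test are plain Python and run anywhere.

```python
"""List NTFS alternate data streams of a file and flag the non-default ones.
Added example, not from the thread; assumes the Win32 FindFirstStreamW API
(Vista and later, so not the Win2K of the post). Name parsing is portable."""
import ctypes
import sys

class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),        # LARGE_INTEGER
                ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36

def parse_stream_name(raw):
    """Split ':name:$TYPE' into (name, type); the default stream is '::$DATA'."""
    parts = raw.split(":")
    if len(parts) != 3 or parts[0] != "" or not parts[2].startswith("$"):
        raise ValueError("unexpected stream name: %r" % raw)
    return parts[1], parts[2]

def is_alternate(name, stype):
    """Everything except the unnamed $DATA stream is invisible to Explorer."""
    return not (name == "" and stype == "$DATA")

def list_streams(path):
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if h in (None, ctypes.c_void_p(-1).value):  # NULL or INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    out = []
    try:
        while True:
            name, stype = parse_stream_name(data.cStreamName)
            out.append((name, stype, data.StreamSize))
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(h)
    return out

def hidden_streams(path):
    """The A-and-B case: a 0-byte file whose code lives in an alternate stream."""
    return [s for s in list_streams(path) if is_alternate(s[0], s[1])]
```

Run hidden_streams over every path from an os.walk of the suspect volume; a file Explorer reports as 0 bytes that nevertheless carries a named $DATA stream matches the pattern jb4 describes.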