Don’t be a victim of Sinowal, the super-Trojan
In this issue
- BONUS: Use these techniques to ease holiday stress
- INTRODUCTION: No Thanksgiving content, but look for news updates
- TOP STORY: Don't be a victim of Sinowal, the super-Trojan
- KNOWN ISSUES: A freebie really does streamline Windows startup
- WACKY WEB WEEK: I'll call you back, I'm about to hit a dead zone
- LANGALIST PLUS: How to solve 'delayed write failed' errors
- BEST SOFTWARE: A favorite tool gets an easier-to-use update
- PERIMETER SCAN: Great system tools that don't cost a dime
Use these techniques to ease holiday stress
In her new book, One Year to an Organized Work Life, Regina Leeds shows how you can turn time into your ally. In this exclusive excerpt, available from Windows Secrets only until Dec. 17, she provides four exercises that demonstrate how the holiday month of December can actually be used to get your workplace under control.
This bonus download is available only to paid subscribers or to free subscribers who upgrade to receive Windows Secrets’ paid version. Simply update the entries on your preferences page and a link to download our PDF e-book bonus will appear. Thanks! —Brian Livingston, editorial director
Paid subscribers: Set your preferences and download your bonus
Free subscribers: Upgrade to paid and download your bonus
Info on the printed book: United States / Canada / Elsewhere
No Thanksgiving content, but look for news updates
By Brian Livingston
All of us turkeys are taking a week off, so there won’t be any new articles on our site or a new Windows Secrets Newsletter on Nov. 27, which is the Thanksgiving holiday in the United States.
Our next regular batch of content will appear on Dec. 4, but we may send out a short “news update” if anything important comes up in the meantime.
All readers get a free excerpt of ‘Pleasure’
As often as possible, Windows Secrets licenses some new content that all of our readers can download and enjoy at no cost. This month, our bonus download reveals hidden motivations that operate beneath the level of our conscious mind.
Our exclusive excerpt of The Pleasure Instinct: Why We Crave Adventure, Chocolate, Pheromones, and Music explains why everything from the smell of cocoa to a whiff of an expensive perfume moves us in unexpected ways. The printed book won’t be available in stores until mid-December, but you can get our PDF e-book excerpt now through Dec. 3, 2008. Simply visit your preferences page, update your entries, press the Save button, and a download link will appear. Thanks for your support!
All subscribers: Set your preferences and download your bonus
Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
Don't be a victim of Sinowal, the super-Trojan
By Woody Leonhard
The sneaky “drive-by download” known as Sinowal has been, uh, credited with stealing more than 500,000 bank-account passwords, credit-card numbers, and other sensitive financial information.
This exploit has foiled antivirus software manufacturers time and again over the years, and it provides us in real time a look at the future of Windows infections.
Imagine a very clever keylogger sitting on your system, watching unobtrusively as you type, kicking in and recording your keystrokes only when you visit one of 2,700 sensitive sites. The list is controlled by the malware’s creators and includes many of the world’s most popular banking and investment services.
That’s Sinowal, a super-Trojan that uses a technique called HTML injection to put ersatz information on your browser’s screen. The bad info prompts you to type an account number and/or a password. Of course, Sinowal gathers all the information and sends it back home — over a fancy, secure, encrypted connection, no less.
Washington Post journalist Brian Krebs wrote the definitive overview of Sinowal’s criminal tendencies in his Oct. 31, 2008, column titled “Virtual Heist Nets 500,000+ Bank, Credit Accounts” — a headline that’s hard to ignore. Krebs cites a detailed analysis by RSA’s FraudAction Research Lab: “One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts.”
Sinowal has been around for many years. (Most virus researchers nowadays refer to Sinowal as “Mebroot,” but Sinowal is the name you’ll see most often in the press. Parts of the old Sinowal went into making Mebroot. It isn’t clear whether the same programmers who originally came up with Sinowal are also now working on Mebroot. Mebroot’s the current villain.)
Microsoft’s Robert Hensing and Scott Molenkamp blogged about the current incarnation of Sinowal/Mebroot back in January. RSA has collected data swiped by Sinowal/Mebroot infections dating to 2006. EEye Digital Security demonstrated its “BootRoot” project — which contains several elements similar to Sinowal/Mebroot — at the Black Hat conference in July 2005.
That’s a long, long lifespan for a Trojan. It’s important for you to know how to protect yourself.
A serious infection most antivirus apps miss
I haven’t even told you the scariest part yet.
Sinowal/Mebroot works by infecting Windows XP’s Master Boot Record (MBR) — it takes over the tiny program that’s used to boot Windows. MBR infections have existed since the dawn of DOS. (You’d think that Microsoft would’ve figured out a way to protect the MBR by now — but you’d be wrong.)
Vista SP1 blocks the simplest MBR access, but the initial sectors are still programmatically accessible, according to a highly technical post by GMER, the antirootkit software manufacturer.
The key to Sinowal/Mebroot’s “success” is that it’s so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn’t run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn’t start until 10 minutes after that.
Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process. Peter Kleissner, Software Engineer at Vienna Computer Products, has posted a detailed analysis of the infection method and the intricate interrupt-hooking steps, including the timing and the machine code for the obfuscated parts.
Once Sinowal/Mebroot is in your system, the Trojan runs stealthily, loading itself in true rootkit fashion before Windows starts. The worm flies under the radar by running inside the kernel, the lowest level of Windows, where it sets up its own network communication system, whose external data transmissions use 128-bit encryption. The people who run Sinowal/Mebroot have registered thousands of .com, .net, and .biz domains for use in the scheme.
Wait, there’s more: Sinowal/Mebroot cloaks itself entirely and uses no executable files that you can see. The changes it makes to the Registry are very hard to find. Also, there’s no driver module in the module list, and no Sinowal/Mebroot-related svchost.exe or rundll32.exe processes appear in the Task Manager’s Processes list.
Once Sinowal/Mebroot has established its own internal communication software, the Trojan can download and run software fed to it by its creators. Likewise, the downloaded programs can run undetected at the kernel level.
Sinowal/Mebroot isn’t so much a Trojan as a parasitic operating system that runs inside Windows.
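A defender-side check for the boot-record tampering described above, as an added example that is not from the original article or any vendor tool: it parses a 512-byte MBR sector, hashes the boot program, and compares it with a known-good baseline. The sample sectors are constructed placeholder bytes, and the check assumes the sector was captured from outside the running Windows install (for instance from boot media), since the article notes that the Trojan cloaks itself.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440          # bytes 0-439 hold the boot program
DISK_SIG_OFF = 440           # 4-byte disk signature written by Windows
PART_TABLE_OFF = 446         # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector):
    """Split a 512-byte MBR sector into a boot-code hash and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        start = PART_TABLE_OFF + 16 * index
        entry = sector[start:start + 16]
        status, ptype = entry[0], entry[4]
        lba_start, num_sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00:    # unused slot
            continue
        partitions.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """Return findings that warrant investigation; an empty list means no change."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    if baseline["disk_signature"] != current["disk_signature"]:
        findings.append("disk signature changed")
    active = [p for p in current["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings


def build_sample_mbr(boot_code):
    """Build a constructed test sector: placeholder boot bytes plus one NTFS partition."""
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1234ABCD)
    # Entry layout: status, CHS start, type, CHS end, LBA start, sector count
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 156296322)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: filler bytes, not real boot code from any system or malware.
CLEAN_SECTOR = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 50)
TAMPERED_SECTOR = build_sample_mbr(b"\xfa\x33\xc0" + b"\xcc" * 50)

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_SECTOR)
    print("baseline boot code:", baseline["boot_code_sha256"])
    print("clean vs clean:   ", compare_mbr(baseline, parse_mbr(CLEAN_SECTOR)))
    print("clean vs tampered:", compare_mbr(baseline, parse_mbr(TAMPERED_SECTOR)))
```

A changed boot-code hash is a prompt for investigation rather than proof of infection, since boot managers and operating-system reinstalls also rewrite this area.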
Windows XP users are particularly vulnerable
So, what can you do to thwart this menace? Your firewall won’t help: Sinowal/Mebroot bypasses Windows’ normal communication routines, so it works outside your computer’s firewall.
Your antivirus program may help, for a while. Time and time again, however, Sinowal/Mebroot’s creators have modified the program well enough to escape detection. AV vendors scramble to catch the latest versions, but with one or two new Sinowal/Mebroot iterations being released every month, the vendors are trying to hit a very fleet — and intelligent — target.
Peter Kleissner told me, “I think Sinowal has been so successful because it’s always changing … it is adjusting to new conditions instantly. We see Sinowal changing its infection methods and exploits all the time.”
Similarly, you can’t rely on rootkit scanners for protection. Even the best rootkit scanners miss some versions of Sinowal/Mebroot. (See Scott Spanbauer’s review of free rootkit removers in May 22’s Best Software column and Mark Edwards’ review of rootkit-remover effectiveness in his May 22 PC Tune-Up column; paid subscription required for the latter.)
Truth be told, there is no single way to reliably protect yourself from Sinowal/Mebroot, short of disconnecting your computer from the Internet and not opening any files. But there are some historical patterns to the exploit that you can learn from.
First of all, most of the Sinowal/Mebroot infections I’ve heard about got into the afflicted PCs via well-known and already-patched security holes in Adobe Reader, Flash Player, or Apple QuickTime. These are not the only Sinowal/Mebroot infection vectors by a long shot, but they seem to be preferred by the Trojan’s creators. You can minimize your risk of infection by keeping all of your third-party programs updated to the latest versions.
Windows Secrets associate editor Scott Dunn explained how to use the free Secunia Software Inspector service to test your third-party apps, and how to schedule a monthly check-up for your system, in his Sept. 6, 2007, column.
In addition, according to Peter Kleissner, Sinowal/Mebroot — at least in its current incarnation — doesn’t infect Vista systems. Windows XP remains its primary target, because Vista’s boot method is different and its User Account Control regime gets in the worm’s way.
Don’t look to your bank for Sinowal safeguards
So, you’d figure the banks and financial institutions being targeted by Sinowal/Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that’s still harvesting accounts should send a shiver up any banker’s spine.
I asked Rob Rosenberger about it, and he laughed. Rosenberger’s one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.
“I’ll be labeled a heretic for saying this, but … from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.
“Banks have dealt with this kind of fraud for many, many decades,” Rosenberger continued. “Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud.”
If the bankers aren’t going to take up the fight against Sinowal/Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.
In this particular case, the major AV packages have failed to detect Sinowal/Mebroot over and over again. It’s hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they’ve left the barn, so to speak.
The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.
The only company that seems to be in a position to fix the Master Boot Record problem is Microsoft. But it’s hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP’s successors (I use the term lightly) don’t appear to have the same flaw.
This is short-sighted, however. It’s only a matter of time before Sinowal/Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.
If Microsoft decides to take on Sinowal/Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says “I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup.”
As Peter Kleissner puts it, “I personally think most people behind the [Sinowal] code do not know what they have done. I would bet that more than half of the code was written by students around the world.”
Kleissner’s in a good position to judge. He’s a student himself, 18 years old. I’m glad he’s on our side.
Woody Leonhard’s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
A freebie really does streamline Windows startup
By Dennis O’Reilly
Many tools make dubious claims about boosting PC performance, but some utilities actually do trim Windows’ boot time. One example is a free program from the person who brought us the popular Process Explorer troubleshooting tool.
For his Nov. 6 Top Story, Windows Secrets associate editor Scott Dunn tested several well-hyped utilities that he found of little value. Lest you think any program that makes speedup claims is snake oil, you should know that worthwhile system tools are out there, many of which are free. Reader Cecil Britton writes in to tell us about his favorite:
- “I read Scott’s great column on the relative worthlessness of commercial speedup utilities for Windows, and I completely agree with his assessment of that type of software. While he didn’t go into it, I think he’ll find that many of these same products can actually do more harm than good to a working system.
“My real comment on the column has to do with Scott’s recommendation on good, free utilities that control Windows startup programs. Scott mentioned Mike Lin’s excellent little Startup Control Panel, which I personally used for several years and found to be an essential tool in easily controlling Windows’ startup behavior.
“I have since found that I get far more control by using Sysinternals’ nice little Autoruns utility (Microsoft/Mark Russinovich). I know this program is probably suited to more sophisticated users than Startup Control Panel [is], but it gives the technically competent user far more control over all types of startup components than does SCP.”
Autoruns has been around for years — the current version is 9.35 and is available from a Microsoft download page — but it shows that when it comes to useful system tools, newness isn’t all it’s cracked up to be.
Flash cookies foil Comcast video playback
We received a tremendous volume of responses to Woody Leonhard’s Nov. 6 column (paid content) on the threat that third-party Flash Player cookies pose to your Web privacy. For some readers, the Flash cookies were more than a nuisance — they were a show-stopper. Wayne Wert was one of several Comcast customers we heard from:
- “I wanted to express my thanks to Mr. Woody Leonhard for his article on Adobe’s ‘cookies.’ After reading an earlier article about this problem, I had reset my Adobe settings to try to increase the security on my computer.
“I soon found that Comcast’s Fan (video clips) would not work, but when clicking the blank page and bringing up Adobe, the site implied that all was well. In addition, I could go to any other site that used Adobe [Flash], and it worked properly. Even Comcast’s other sites, such as old TV programs and such, worked very well, so I assumed that the problem must be elsewhere — other than Adobe.
“Today, I was getting ready to call Comcast’s trouble line and try to rectify the problem, but I first read Mr. Leonhard’s article. I reset Adobe’s settings to allow almost everything and found that the Fan then worked. I reset the categories one by one to get the maximum security I could without preventing the Fan from working.
“I found that I had to allow third-party cookies, as reported in the Windows Secrets article, but I could set stored content to 0 (zero) and the Fan still played. I think that I achieved maximum security, thanks to Mr. Leonhard’s article.”
The good thing about nuisances such as third-party cookies is that there’s usually a workaround.
Microsoft clarifies its support policy for XP
Associate editor Stuart Johnston stated in his Top Story last week that Microsoft has extended free support for Windows XP beyond the standard five years after the product’s initial release. Microsoft spokesperson Katie Fazzolari sent in the following clarification:
- “You claim that the end of Microsoft’s mainstream support phase is ‘coming more than two years later than is typical.’ Actually, the Microsoft Support Lifecycle policy states that mainstream support is available for five years after the product is released or two years after the successor product is released, whichever is longer. In XP’s case, Vista was released in early 2007, starting the two-year clock for the end of XP mainstream support, which ends in early 2009, right on schedule.
“Also, I just want to clarify again that XP users who are buying a new PC with that operating system installed will receive support from their OEM, not Microsoft.”
XP was first shipped in late 2001, so the five-year gap before Vista was released has had the effect of giving XP seven years of mainstream support rather than five. Stuart was pointing out that seven years is two years longer than the five years of mainstream support that other Windows versions typically enjoyed. Anyway, I’m glad Microsoft clarified the point.
It’s been almost two years since Microsoft sold Windows XP at retail in the United States. Copies of XP that were sold to consumers by PC makers are supposed to be supported by those manufacturers. The question is whether PC users will truly get the support they need when they have XP-related problems in the years to come.
Richard Chase of Gadget’s Computers & Electronics in Sundre, Alberta, Canada, reminds us that help with XP glitches may be closer than you think:
- “Don’t forget your local mom & pop shops. We’ve been using XP for years and will continue to do so. Any decent shop will help you out with warranty and any other Windows XP issues until it’s finally tossed completely by 2014. Hell, we still service some Windows 2000 and even 98 and Me machines (although we discourage it). For the $59 that MS charges, you can get some good service elsewhere.”
That’s good advice, although somehow I just can’t see my mom wearing a grounding wrist strap as she disassembles a motherboard.
Readers Cecil, Wayne, and Richard will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.
I'll call you back, I'm about to hit a dead zone
By Katy Abby
Cell phones have become a relative social necessity. Most users have embraced some semblance of cell-phone etiquette in public. But we unwritten-rule-abiding citizens are too often plagued by obnoxious, inconsiderate users. You know who they are. They’re holding up the line at the coffee shop, disrupting business meetings, and ruining the ambience at your favorite restaurant. If only there were some way to mete out an appropriate punishment … Check out this hilarious commercial and watch a brazen offender get his just deserts. (As a public courtesy, kindly share it with any oblivious cell phone users in your life!)
Play the video
How to solve 'delayed write failed' errors
By Fred Langa
They may be rare, but Windows’ delayed-write errors can mean immediate data loss. These glitches can also be a bear to sort out, but I’ve found a bunch of first-rate troubleshooting resources for the problems.
When a network file-save goes ‘poof!’
Torrey Everett ran into the kind of problem I hope you never encounter:
- “I have an XP Media Center (SP3) PC that’s part of a home Ethernet network on which resides a backup server running XP Pro (SP3).
“I have been using Norton Ghost for over a year for backing up my main computer and storing the backup files on the server. This week, I began getting ‘Windows — Delayed Write Failed’ errors consistently.
“I have searched the Microsoft Knowledge Base and find nothing that seems relevant, either because I don’t have the hardware, adapters, etc., they reference or because the Registry already is set according to their recommendations.
“I have checked the obvious things — such as space available on the backup server, trying a different drive on the backup server, making sure the network connections are secure, and running chkdsk on each of the drives. Ghost starts normally and runs for a while, but always fails 15-20% of the way through the process — not in the same place each time, but fairly close.
“My first thought was that perhaps I had run into another SP3 problem, but I applied that service pack back in August and started having problems just this week. I have a tech-support guy I use when I get stumped, and he replied, ‘Let me know if you find a solution, because I also am having that problem.’”
First, a bit of background: a “delayed write” is a technique used to increase the apparent speed of some hard-drive operations. When the drive is busy, data is cached temporarily in a solid-state memory buffer and written to the physical hard-drive platters at the next available opportunity.
With this kind of buffering, Windows can hand off data to the hard drive’s electronics at very high speed. The OS then immediately goes on to the next task, trusting that the hard drive’s mechanical systems will soon catch up.
Delayed writes usually work fine. They create a sense of improved performance because Windows doesn’t have to wait for each separate write request to fully complete before starting the next task. But as you found out, Torrey, things can go wrong.
One example: if something causes the cache or buffer to be flushed before its data is written to the physical platters, the cached data is lost and your system reports a delayed-write failure. Or if the buffer or cache fills up because data is being added faster than it can be processed, data may be lost: you again have a delayed-write failure. And so on.
USB drives seem especially prone to delayed-write problems. A USB interface is slower than a standard IDE or SATA drive interface, which makes it easier for the OS to outrun the hardware.
Networked drives also seem susceptible to this trouble because of latency issues, dropped packets, and other connection glitches. However, even a local, inside-the-case hard drive can generate these errors. A complete list of all the possible causes of delayed-write problems would fill several pages.
It sounds like you’ve already gotten pretty deep into your research, Torrey. For the record, and as a timesaver for others who may experience this problem, here are some especially productive places to start troubleshooting delayed-write failures:
Let’s begin with software. Microsoft Knowledge Base articles 330174 and 321733 describe common causes and cures for delayed-write failures.
Microsoft offers a ton more information on dealing with many other possible software-related causes for this problem. You can skim all the relevant information via a preconfigured Microsoft Search to see solutions that may fit your specific situation.
Outside of Microsoft, I especially like How to Networking’s collection of links and information on the many possible causes for delayed-write problems associated with networked drives. The links are easily skimmable.
If none of the software fixes at those sites works or seems plausible for your situation, you may be facing a most-unwelcome hardware inevitability: a hard drive on the verge of collapse. Problems with the drive’s electronics or mechanical systems may manifest themselves as delayed-write failures.
Most of today’s hard drives have built-in SMARTs (Self-Monitoring Analysis and Reporting Technology) to help you see what’s going on inside as the drive ages. Tools such as the free SMART and Simple utility (available from Beyond Logic’s download page) can tap into and interpret the SMART data stored in the hard drive. If the SMART tools show something’s out of spec, it’s a clear sign of deteriorating hardware.
Fortunately, hard-drive prices are in near free fall these days — I’ve seen terabyte drives priced at $110! The simplest fix for a dying drive might be to replace it with a newer, faster drive that has a larger built-in cache or buffer.
I’m sorry to say, Torrey, that there’s no simple answer. But working methodically through the software sites I mentioned above — and in the worst case, replacing the hard drive outright — ought to clear things up for you.
A different kind of network-file failure
Rich Wilson’s PC seems to be telling him that a whopping 61GB of free disk space somehow isn’t enough to copy a couple of ordinary-sized files to a networked drive:
- “Today, I tried to copy some files from my desktop to my laptop using the network. I’m sure I’ve done this before, but today I got an error message about ‘Not enough server storage is available to process this command.’
“Are they talking about disk storage on the remote computer? 61GB isn’t enough? Sigh.”
Don’t you love vague error messages? They sure make troubleshooting harder than it has to be.
But if this is what I think it is, “storage” refers not to disk space or RAM but to an obscure parameter known as IRPStackSize. IRP stands for Input/Output Request Packet; in this context, “stack” is a kind of scratchpad memory used by the operating system. Thus the IRPStackSize parameter determines how much scratchpad memory is set aside to handle IRPs.
Some software — notably, Symantec Antivirus and Ghost — can eat all the available space in the default IRP stack. Then, when one-too-many IRPs come in, you get either the vague “Not enough server storage …” message or an equally vague “Not enough memory to complete transaction” alert. Why Microsoft couldn’t make these error messages more specific is anybody’s guess.
Despite the obscurity of the IRPStackSize parameter and the head-scratching lack of clarity in the error messages it can generate, the fix is actually quite easy. In fact, you’ll find a complete step-by-step fix (and a more-thorough discussion of the problem) detailed in my Windows Secrets column of Nov. 15, 2007.
Finding the source of Vista audio trouble
Keith Hoffman’s Vista upgrade worked fine — almost.
- “I am using a machine that has an Intel vPro motherboard running Vista Business. This particular board has a RealTek sound system built in.
“When I was using XP Pro on this box, I could play an FM radio tuner through the sound system. Now, with Vista, no sound. I can record — the record section shows a signal — but I can’t hear the tuner, no matter which audio source I select. Any suggestions?”
I’ll bet you lunch that it’s a driver issue, Keith. Your motherboard’s from Intel, so I suggest you visit the company’s download center and grab the latest BIOS and drivers for audio, video, and any of your motherboard’s other built-in systems and features. (Might as well update everything while you’re there.)
If your FM tuner doesn’t work with the latest BIOS and drivers, and if you’re sure the hardware is still OK, then you simply may be stuck with half-cooked drivers.
Some early “Vista-capable” hardware was especially prone to this: the original XP drivers were modified enough so that Vista would run and could access the hardware’s essential core features, but these drivers are more prone to trouble, and their secondary features don’t work the way they did in XP.
The cynic in me usually sees this kind of poor driver support as a naked ploy by the hardware vendors to get you to upgrade to new hardware with better drivers. But whatever the reason, it’s a hardware-vendor issue, although Vista gets the blame.
With luck, a simple driver update will provide the fix you need. If not, your only option may be a change of hardware.
Note that one way to get full Vista support for motherboard devices without having to buy a complete new PC is to replace just the motherboard itself. Swapping out a motherboard isn’t a trivial task, but it’s not rocket science, either.
Microsoft’s Knowledge Base article 824125 provides instructions on how to force your existing version of Windows to work with a new motherboard without trashing the rest of your current software setup.
There are myriad online sites that review, sell, and provide information on how to install motherboards:
• Motherboards.org for reviews;
• Tiger Direct for sales; and
• Foner Books for installation instructions.
Some simple ways to set file associations
In my Nov. 6 column, I showed you how to repair incorrect or missing file associations. The problem makes files open in the wrong program, or you see an “unknown file type” message when you try to open a file.
Ken Hofbauer — who sounds like the kind of IT guy you’d love to have answering all your trouble calls — sent in this simple empirical technique that can work even when you have no clue what the correct file association should be:
- “Here’s a method I can walk my users through over the phone. Usually, it starts with ‘I can’t open a file that’s attached to my e-mail.’
“I have them right-click the file and save it to the desktop. At the desktop, I tell them to click it once, then right-click and choose Open With, Choose Program. Then I have them choose the program that is their best guess and tell them not to check the Always use the selected program box.
“If the program doesn’t open correctly, I have them repeat the process, guessing again. When they get the program to open properly, I have them repeat the process, choosing the program that worked, and this time do check Always use the selected program. They can then delete the file from the desktop.
“This avoids [their] having to know the file name of the program and where it lives.”
Thanks, Ken — and everyone else who wrote in!
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
A favorite tool gets an easier-to-use update
By Ian “Gizmo” Richards
When I last discussed backup, in my Sept. 18 column, I noted that backing up your PC appears to be a simple process on the surface, but in practice it’s often complex. Well, folks, with the release of Acronis True Image Home 2009, backups just got a little simpler, though they’re still no walk in the park.
Can one product meet all your PC recovery needs?
The complicating factor with backup is that different kinds of data need to be backed up at different frequencies and in different ways. For example: the only effective way of backing up your Windows operating system is to use drive imaging, whereas to back up important data files, a file backup or synching solution is far more efficient. Additionally, you may want to back up Windows only once a month but important data files several times every day.
Because of this diversity of backup requirements, it’s hard to find a single product that will efficiently meet all your backup needs. Indeed, to back up my computers precisely the way I want to, I use three different backup products: a drive-imaging program, a data-backup program, and an online backup service.
Backup-program developers have tried to address this problem. For example, the developers of drive-image utilities try to add some kind of data-file backup capabilities to their products, while companies selling data-backup programs have bolted drive-imaging features onto their apps.
Alas, these initiatives have not been particularly effective. You’ll get a much better drive image by using a specialized program such as Acronis True Image rather than using Genie Backup Manager (GBM), primarily a data-backup program to which imaging has been added as an afterthought. By the same token, GBM and other data-backup apps are far better at backing up specific user files than True Image and other drive-imaging utilities.
Imaging app gains some new data-backup chops
Let me give you a tangible example: I use GBM once an hour to back up an important file containing notes I’ve made while browsing, ideas I’ve had for articles, and the results of any tests I’ve been conducting. This file has so much vital information that I want to keep multiple copies — not just a single backup file — in case I accidentally overwrite something or the file becomes corrupt.
Setting GBM to perform this hourly backup is a snap. Not only does the program allow me to create multiple backup copies, it also automatically date-stamps these files for me. Additionally, GBM lets me specify the number of backup copies to retain and then automatically deletes the oldest backup once that limit has been met.
I can save backup copies as .zip files or in their native file format. This way, I can access the backup copies directly from Windows rather than needing to use GBM. (You’ll find more information about GBM on the Genie-Soft site.)
It takes me only two minutes to set up such a backup with GBM. I’ve never found a simple and robust way of performing the same data-file backup in Acronis True Image.
Here’s the good news: there’s a brand-new version of True Image that — at last! — provides a better solution to the problem of creating and maintaining multiple copies of your backed-up data files. Furthermore, the new release can create backups as .zip files, not just .tib files that can be accessed only via True Image.
But I’m racing ahead here. First, let’s look at the general features of the new version of True Image.
ACRONIS TRUE IMAGE HOME 2009
$50 version 90 More info |
New interface, new features, and more speed
I’ve been using True Image since version 6 and have tracked the program through version 11. With each release, the product has improved, though at the same time it’s grown larger. Thankfully, the just-released 2009 version (V12) has reversed this size-bloat trend; at 88.7MB, the new model is considerably slimmer than version 11’s hefty 139.9MB.
True Image Home 2009 features a new interface and numerous enhancements that further improve the utility’s drive-imaging performance. More importantly, True Image’s data-backup features are improved significantly in the most recent release.
The program’s new Vista-style interface will initially disorient regular True Image users who, like me, have become accustomed to the traditional Acronis way of doing things. However, after the initial shock, True Image vets will realize that the program’s new interface is a big step up from the old one.
It’s now easier for beginners to use the program, which is organized more logically in addition to being more pleasing to the eye. However, like the ribbon interface introduced with Microsoft Office 2007, some users won’t care for the app’s new look simply because it’s different.
Figure 1. The new version of Acronis True Image sports an easier-to-use interface.
Major new features in the 2009 version of the program include the following:
• Full-text searches of images using either Windows Desktop Search or Google Desktop Search
• A one-click option for predefined backups
• Automatic resumption of backups for drives that were unavailable during the initial backup
• Automatic shutdown after backup or restoration
• The ability to store images in standard .zip format rather than having to use Acronis’ proprietary .tib format
• The ability to select the number of backups to retain
All these features are useful improvements, but the last two really open up the potential of the product for data-file backups rather than simply disk imaging alone.
In particular, the ability to store your disk images in the .zip format is most welcome. You can now read your backup files on systems that don’t have True Image installed.
I wish the program would let you store your file backups in the file’s native format. For example, I’d like to store backups of .doc files as .doc files. Hopefully, this is a feature that will be added to a future version of the program.
The other valuable addition to True Image Home 2009 is the ability to maintain several unique copies of your full data backups. Rather than always overwriting the last backup, True Image can now rename and save previous copies, up to any number you prescribe.
The program’s backup-renaming scheme is quite simple: if your initial backup file was called mydata.tib, then subsequent backups are renamed mydata1.tib, mydata2.tib, etc. This is not quite so elegant as date-stamping the backups but is sufficient for most purposes.
Figure 2: True Image Home 2009 allows you to save multiple copies of your full backups.
The “Automatic consolidation” dialog in the program’s backup wizard lets you set the maximum number of backups to be kept, the maximum size of your backup archives, and the maximum length of time your archives are to be retained.
This soup-to-nuts solution is worth a look
If you’re using an earlier version of True Image — or some other competent disk-imaging program — along with a reliable data-file backup program such as Genie Backup Manager, there’s little reason to upgrade to the latest True Image version. You already have a great backup system in place.
However, if you haven’t yet implemented a backup procedure for your PC, True Image Home 2009 offers a comprehensive solution that meets all your backup needs. The program allows you to back up both your Windows system and your key data files with a high degree of reliability and with minimum effort.
At U.S. $50, True Image is not cheap, but quality rarely is. Besides, if you hunt around the Internet, you can find the program at a significant discount. Using a Froogle search, for example, I found new copies available for as little as $34. You may find an even better price.
Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.
Great system tools that don't cost a dime
By Ryan Russell
I install several free utilities on my Windows machines to make quick work of standard network and maintenance tasks. Whether you compute strictly with Windows or with a mix of Windows and Unix systems, as I do, you’re likely to find at least one of these programs very useful.
A bevy of Unix command-line tools for Windows
The granddaddy of all system tools is cygwin, which provides a Unix-like command-line shell for Windows. Actually, that simple description does the program a disservice, because after installing cygwin, you can choose from among many different Unix shells. In fact, the program is really a compatibility layer for Unix source code that’s compiled to run on Windows.
Cygwin gives you access to a ton of Unix tools, including security utilities, programming languages, and text processors. If you’re comfortable using a Unix command prompt, you’ll be right at home in cygwin. Among my favorite cygwin programs are OpenSSH, find, sed, and rsync.
What cygwin is not is small and compact. The program is much like an entire operating system, requiring as much as a few hundred megabytes of hard-disk space, depending on how many of its tools you choose to install.
Also, there are dependencies to worry about in cygwin and updates to manage. I often have to reinstall the specific utilities I want because I initially missed the app in cygwin’s cryptic installer interface. That’s why I usually install cygwin only on my primary Windows machines.
A fast, lightweight Secure Shell client
Way back when, in the DOS days, I forced myself to learn how to use DOS utilities, such as the Edlin line editor, because I knew they would be available on any system. At the time, I was working on hundreds of different PCs and knew only that DOS itself was certain to be installed.
I still work on other people’s machines on occasion. Cygwin is too large and unwieldy to install on each one, but almost every system now has a decent Internet connection. That’s where Secure Shell (SSH) clients come in handy.
My favorite quick and small SSH client is Putty. If you’re not familiar with SSH, it’s a secure (encrypted) replacement for such remote-shell tools as telnet and rsh, most of which originated in the Unix world. Putty consists of a remote shell (putty.exe) and a remote file copier (pscp.exe). Together, the programs are less than a megabyte, so they download quickly over most Internet links.
I can walk up to a workstation and download Putty in a minute or so and then access the remote machine right then and there. Just enter putty in your favorite Web search engine, and you’re in business.
Of course, an SSH client requires an SSH server. This is usually a Mac or a Unix machine, but you can also run an SSH server on Windows through cygwin, among other utilities. If you pay for Web hosting, your ISP may provide access to an SSH server.
View a Web page’s HTML code as a text file
Wget is a command-line utility that lets you download the HTML of a Web page to a text file. Obtain the binary from Christopher Lewis’s download page, go to a command prompt, and type wget followed by the URL (do include the http:// part).
Why is this handy? If I suspect that a site may contain browser exploits, I can use wget to download the page to a text file and then look at its HTML code in Notepad or another text editor.
The program is also useful for general Web-page downloads. For example, if you have a list of URLs that you want to save, rather than going through the pain of visiting each one and clicking File, Save As, you can use wget to save them all at one time.
I also use this wget feature when my browser isn’t saving files correctly. Recently, I found that IE would sometimes mangle .gz files or save them with the wrong name. Wget doesn’t have that problem.
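The inspection step described above can be given a scripted first pass before you open the saved file in an editor. This is an added example, not code from the column, written for a Unix-style shell such as the cygwin shell covered earlier: `fetch_page` and `fetch_list` wrap the wget usage the text describes, while `triage_html`, its three patterns, and the sample page are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: save a suspect page as inert text, then flag the lines worth
# reading first. The patterns are illustrative heuristics, not a verdict.

# fetch_page URL OUTFILE: -O writes the raw HTML to the file you name; a .txt
# name keeps a stray double-click from opening it in a browser.
fetch_page() { wget -O "$2" "$1"; }

# fetch_list URLFILE OUTDIR: -i reads one URL per line, -P sets the save folder.
fetch_list() { wget -i "$1" -P "$2"; }

# count_lines PATTERN FILE: number of lines matching a case-insensitive ERE.
# grep exits 1 when nothing matches, so mask that for callers using `set -e`.
count_lines() { grep -E -i -c -e "$1" "$2" || true; }

# triage_html FILE: print one name=count pair per heuristic.
triage_html() {
    f=$1
    # Zero-sized or hidden iframes (assumed heuristic).
    p1="<iframe[^>]*((width|height)=[\"']?0([^0-9]|\$)|display:[[:space:]]*none|visibility:[[:space:]]*hidden)"
    # Script that decodes or writes content at run time.
    p2='(eval|unescape)[[:space:]]*\(|fromCharCode|document\.write[[:space:]]*\('
    # Long runs of %uXXXX or \xXX escapes.
    p3='(%u[0-9a-f]{4}){8,}|(\\x[0-9a-f]{2}){16,}'
    echo "hidden_iframe=$(count_lines "$p1" "$f")"
    echo "script_decoder=$(count_lines "$p2" "$f")"
    echo "encoded_run=$(count_lines "$p3" "$f")"
}

# make_sample OUTFILE: write a constructed page (not real captured content).
make_sample() {
    cat > "$1" <<'EOF'
<html><body>
<p>Welcome to our store</p>
<iframe src="http://placeholder.invalid/a" width="0" height="0"></iframe>
<iframe src="/map.html" width="400" height="300"></iframe>
<script>document.write(unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"));</script>
<script>var total = price * 10;</script>
</body></html>
EOF
}

# Usage: fetch_page http://placeholder.invalid/ page.txt && triage_html page.txt
```

A nonzero count only tells you which lines to read first in the text editor; a page with all zeros can still be hostile, and legitimate pages use `document.write` too.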
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
