Has your PC become a spammer’s botnet zombie?
In this issue
- TOP STORY: Has your PC become a spammer's botnet zombie?
- KNOWN ISSUES: Downgrading Vista to XP is possible ... maybe
- WACKY WEB WEEK: I'd eat an apple a day to keep this doctor away!
- LANGALIST PLUS: Determine your PC's true memory ceiling
- BEST SOFTWARE: Prevent your system from becoming infected
- WINDOWS SECRETS: Google search results lead to browser hijackers
- PATCH WATCH: Critical patch for Windows file-sharing bug
Has your PC become a spammer's botnet zombie?
By Scott Dunn
Worldwide spam traffic dramatically dropped after a major spam server was temporarily shut down last fall, raising public awareness of botnets: networks of PCs that have been turned into spam-spewing robots. Most antivirus applications are ill-equipped to stop this kind of malware, but you can reduce the risk of having your PC become zombified.
Last November, a provider of Internet connectivity named Hurricane Electric pulled the plug on hosting company McColo. Immediately, the worldwide volume of spam dropped a whopping 65%, according to some estimates.
As explained by Brian Krebs in an article at WashingtonPost.com, Hurricane — one of the two companies McColo depended on for its Internet connection — took the action after the newspaper informed the provider of McColo’s role in hosting all sorts of Internet bad guys.
According to Krebs, McColo’s clients included “international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products, and child pornography via e-mail.”
The spam reduction held for a couple of weeks before rebounding, according to a Nov. 26 story at InfoWorld.com.
McColo’s servers didn’t send out the spam themselves. Instead, they provided the command and control for a vast network of PCs infected with malware. A collection of hacked PCs that have been turned into automated spamming machines is known as a robot network or “botnet.” Security professionals name these botnets after the malware that runs them, which include Asprox, Rustock, Cutwail, and Srizbi.
The malware creators rent their botnets to spammers, who in turn use the control servers to coordinate the transmission of huge amounts of junk mail, as explained in another Washington Post story.
Your computer could be a spam zombie and you might never know it. And if you think your security software is keeping your computer safe from botnet slavery, you’d better think again.
A recent study by security firm FireEye revealed that antivirus products detect bots less than half the time. The study tested AV programs using Virus Total’s free malware-scan service; consult that site for a list of the AV products tested.
Your four-step spambot-safety program
What can you do to prevent becoming a botnet victim? Although there are no perfect solutions, the following actions will help prevent your system from being compromised. (My thanks to the security blog written by Wiz Feinberg for many of the tips.)
Step 1: Keep your security products up-to-date. Although the FireEye study found little protection against bots from antivirus products, the study’s author, FireEye chief scientist Stuart Staniford, did note that “AV works better and better on old stuff — by the time something has been out for a couple of months, and is still in use, it’s likely that 70% to 80% of products will detect it.”
Update your antivirus program regularly with the latest patches and virus definitions; even if the app doesn’t catch the latest bot, your AV protection will reduce your risk of catching older malware still circulating around the Internet.
Step 2: Use a software firewall. By carefully monitoring your Internet connection, you’ll reduce your risk of infection by botnet malware. By default, the firewalls built into Windows XP and Vista monitor only incoming connections. The firewalls can be configured to monitor outbound traffic, but doing so is technical and problematic for most users. The differences between the firewalls in XP and Vista are described in this Microsoft TechNet article.
Many free, third-party software firewalls are bidirectional. Third-party firewalls sometimes require updates after you install Patch Tuesday fixes from Microsoft, but the added functionality of these firewalls can make this inconvenience worth living with. WS senior editor Ian “Gizmo” Richards describes the best products in his July 31, 2008, column.
Step 3: Get a free diagnosis. Some security products are intended specifically to combat the botnet plague. For example, RUBotted is a free utility from Trend Micro that sits quietly in your system tray and monitors suspicious activity (more info). If the program spots an infection, it alerts you to take action. The program is currently a beta, but it worked fine for me.
According to a post by security blogger Feinberg, RUBotted encourages you to scan your system with Trend Micro’s free HouseCall online virus-scanning service, which detects and removes many malware infections. Note that on my system, RUBotted uses 8MB of RAM.
Figure 1. Scan your system with Trend Micro’s RUBotted to ensure that your PC is bot-free.
Full disclosure: Feinberg’s blog is sponsored in part by RUBotted’s manufacturer, Trend Micro. But I don’t consider this to be an argument against using RUBotted.
Step 4: Try Norton AntiBot. Another bot-specific security product is Symantec’s Norton AntiBot (more info). This $30 program claims to monitor, detect, and remove bots before they can cause harm. Norton AntiBot uses behavioral analysis rather than definitions for specific bots and received an Editor’s Choice award from PC Magazine in 2007.
Security sites such as Marshal continue to report spam-bot activity. The buggers are delivering junk mail, malware, and other odious data to millions of victims. By using the above bot-prevention tools and techniques, you’ll reduce the chances that your machine’s a spammer’s helper.
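Step 2’s point about watching outbound traffic, as an added example that is not from the column or from any product it mentions: a Python script that reads Windows Firewall log lines in the pfirewall.log layout and flags a host that opens outbound connections to TCP port 25 at many distinct destinations within a short window, which is how a spam zombie looks from the firewall’s side. The sample log lines, the threshold and the window are constructed assumptions.

```python
"""Spot spam-zombie behaviour in Windows Firewall log lines (added example).

Assumes the W3C-style pfirewall.log layout:
date time action protocol src-ip dst-ip src-port dst-port ... path
where path is SEND (outbound) or RECEIVE (inbound). The log excerpt and the
thresholds below are constructed assumptions, not data from a real machine.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMTP_PORT = 25
# A mail client talks to one or two mail servers; a spam zombie fans out to
# many recipient mail exchangers in a short burst. Threshold and window are
# assumed values to tune for your own network.
DISTINCT_DST_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample: 192.168.1.10 opens outbound SMTP to six destinations in
# ten seconds; 192.168.1.20 just talks to its usual mail server twice.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-01-15 10:00:01 OPEN TCP 192.168.1.10 203.0.113.5 49152 80 - - - - - - - - SEND
2009-01-15 10:00:05 OPEN TCP 192.168.1.10 198.51.100.1 49153 25 - - - - - - - - SEND
2009-01-15 10:00:06 OPEN TCP 192.168.1.10 198.51.100.2 49154 25 - - - - - - - - SEND
2009-01-15 10:00:07 OPEN TCP 192.168.1.10 198.51.100.3 49155 25 - - - - - - - - SEND
2009-01-15 10:00:09 OPEN TCP 192.168.1.10 198.51.100.4 49156 25 - - - - - - - - SEND
2009-01-15 10:00:12 OPEN TCP 192.168.1.10 198.51.100.5 49157 25 - - - - - - - - SEND
2009-01-15 10:00:15 OPEN TCP 192.168.1.10 198.51.100.6 49158 25 - - - - - - - - SEND
2009-01-15 10:00:20 OPEN-INBOUND TCP 198.51.100.9 192.168.1.10 4444 25 - - - - - - - - RECEIVE
2009-01-15 10:01:00 OPEN TCP 192.168.1.20 203.0.113.25 49200 25 - - - - - - - - SEND
2009-01-15 10:01:30 OPEN TCP 192.168.1.20 203.0.113.25 49201 25 - - - - - - - - SEND
"""


def parse_smtp_events(log_text):
    """Yield (timestamp, src_ip, dst_ip) for outbound TCP connections to port 25."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed or truncated line
        date, clock, _action, proto, src, dst, _sport, dport = fields[:8]
        path = fields[-1]
        if proto != "TCP" or path != "SEND" or dport != str(SMTP_PORT):
            continue
        yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), src, dst


def find_spambots(log_text, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW):
    """Return [(src_ip, max_distinct_smtp_destinations)] for hosts over threshold."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_smtp_events(log_text):
        by_src[src].append((ts, dst))
    flagged = []
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (end_ts, _) in enumerate(events):
            # distinct destinations in the window that ends at this event
            seen = {d for t, d in events[: i + 1] if end_ts - t <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged.append((src, best))
    return sorted(flagged)


if __name__ == "__main__":
    for src, count in find_spambots(SAMPLE_LOG):
        print(f"{src}: {count} distinct SMTP destinations within {WINDOW}")
```

A host that is flagged this way deserves the RUBotted or HouseCall check the column describes; a home PC normally has no reason to open SMTP sessions to many different mail servers.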
Scott Dunn is a contributing editor of the Windows Secrets Newsletter. He has been a contributor to PC World since 1992 and currently writes for the Here’s How section of that magazine.
Downgrading Vista to XP is possible ... maybe
By Dennis O’Reilly
Reverting a Vista PC to XP requires an installation CD for each OS and can be done only on OEM editions of Vista Business and Ultimate. Users of Vista Home Basic and Home Premium — and anyone who used a retail version of Vista to upgrade an XP machine — must buy a copy of XP to make the switch.
Last week’s Top Story on Microsoft’s decision to extend yet again the deadline for buying a PC with Windows XP installed caused many readers to wonder whether they could dump their copy of Vista in favor of its predecessor. Reader Jim Harvey put it this way:
- “We have Vista Home Edition installed on a newly refurbished Gateway computer purchased for my wife for Christmas. However, trying to cope with all the operational changes in Vista has proven to be too frustrating for her.
“We would like to downgrade the new computer back to the old XP license we have on our replaced computer, but we don’t know how to do so. Is there a legitimate way to install our old licensed version of XP, still on the replaced computer, onto our new Gateway and get rid of Vista?”
Unfortunately, the only way you can revert a machine running Vista Home Basic or Home Premium is to buy a copy of XP and install it over the Vista configuration. However, anyone who bought a PC with an OEM edition of Vista Business or Vista Ultimate can downgrade to XP Pro.
Even if you installed a retail version of Vista on an XP machine, you have to purchase a new copy of XP to revert to that OS. Fortunately, OEM versions of XP Home and Pro cost as little as $90 and $120, respectively, online. (Note that OEM releases can be installed on only one system and come with zero support from the vendor.)
Computerworld’s Gregg Keizer describes the XP-downgrade limitations and offers step-by-step instructions for making the Vista-to-XP switch in this FAQ.
Other places to look for missing disk space
Fred Langa’s Jan. 8, 2009, column (paid content) described several ways to recover hard-disk space. Reader Kevin Kleinhomer wrote in to remind us of a couple of other tools that might help track down the missing bytes.
- “In his most recent article, Fred talks about a reader with missing space, but I think he missed a very important tip for the reader: Chkdsk. It could be a corrupted file system that is the root cause of the missing disk space. I have seen this many, many times.
“A less likely possibility would be a rootkit. Booting off one of the many recently reported-on [rootkit-revealing] tools would hopefully turn this up.”
Running Windows’ built-in disk-checking utility couldn’t be easier: click Start, Run (in XP) or just Start (in Vista), type cmd, and press Enter. At the command prompt, type the following:
chkdsk x: /r
The x represents the letter of the drive you want to check, and the /r switch instructs the utility to repair errors, find bad sectors, and recover whatever data it’s able to.
Microsoft’s Help and Support site provides complete instructions for using the Chkdsk utility in article 315265 (the article specifies XP, but the information applies to Vista as well).
Scott Spanbauer reviews several free tools for detecting and removing rootkits in his May 22, 2008, Best Software column (paid content).
Go to the source for a copy of Ubuntu on disc
The rap on Linux — at least among Windows users — has long been that the alternative OS is too difficult to install and use. Scott Spanbauer’s Jan. 8, 2009, Best Software column (paid content) described the free Wubi installer utility for the Ubuntu distribution of Linux. Reader Howard Harner points out that you can also get a free copy of Ubuntu on disc, if you’re patient.
- “I’m glad to see your discussion of Ubuntu, since I have been using it as an alternative to uSoft [Microsoft Windows] for years. For older computers, cruising the Web, and copying CDs, it’s great.
“You didn’t mention that one can get a free disk from Ubuntu that contains two versions of the OS — a full-install copy and a version that will run on top of Windows — by going to their Web site and filling out the short application form. It usually takes less than two weeks to receive it.”
In fact, many Windows users choose to run Ubuntu off the CD rather than to create a hard-drive partition for the OS. Of course, you can burn your own Ubuntu CD. You’ll find the download and instructions for creating your disc on the Ubuntu Community Documentation page.
Readers Jim, Kevin, and Howard will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.
I'd eat an apple a day to keep this doctor away!
By Katy Abby
It seems like every time you turn on the TV, there’s an eye-catching new pharmaceutical commercial airing. Each new pill is packaged more beautifully than the last, and drug makers’ lofty claims promise an enticing array of health improvements — as long as you ignore the dubious side effects. Still, the advertisements often skirt the big issues — what exactly are these new miracle pills for? Where do you turn for more information? Watch what happens when one man decides to seek some answers and ends up with more information than he bargained for! Play the video
Determine your PC's true memory ceiling
By Fred Langa
Buying RAM for Windows is like buying shoes for kids: what’s a fine fit one day is soon too small. How much is too much RAM, and how high can your system memory go?
A gigabyte ain’t as much as it used to be
When Terry Maier bought a new laptop just two years ago, a full gigabyte of RAM seemed ample. But apps and OSes always want more. Now RAM prices are dropping fast, and Terry’s thinking about adding more. How much can he add to his system and still have it do any good?
- “I have an HP DV8225NR laptop computer that is about two years old. I cannot read the larger-capacity memory cards — 4GB and higher. Do you know if there’s an update or upgrade that can be downloaded to allow the computer to read these cards?”
The short, incomplete answer is no, Terry, there’s no such update. The complete answer takes a bit longer but will help you understand what’s going on — not only for your current system, but for any future system you may own. Here’s the full story behind how much RAM a given system can handle.
First, there’s hardware. Each system has a fundamental physical limit on the amount of memory it can accommodate. Most PCs and laptops sold today have a 32-bit internal architecture.
That means that the computer can generate distinct, internal memory addresses that start at zero and go up to a binary number (ones and zeros) that’s 32 digits long. Mathematically, that’s 2 to the 32nd power — or about 4.2 billion memory addresses to play with. This translates to about 4GB.
The 32-bit limit is fundamental and real: a 32-bit PC cannot generate an internal 33-bit address, so once all 4.2 billion addresses are in use, you’re done. About 4GB is all you get for RAM in a 32-bit PC, period.
Why “about” 4GB? Why isn’t it an exact number? That’s because the PC uses its total memory space not just for RAM but also for such housekeeping chores as remembering your hardware and maintaining internal scratchpads and “stacks.”
Any memory addresses remaining unused after the housekeeping requirements are met will be available for use as general-purpose memory. This represents the amount of RAM you can actually use.
It’s not unusual for a PC to need almost a full gigabyte of addresses for internal use, so putting 4GB of RAM into a standard 32-bit system usually nets around 3.2GB of usable RAM. The rest of the 4GB of RAM is there, but the system has no way of accessing the memory because your PC has run out of internal addresses.
There’s a further complication: many current systems — especially laptops — don’t even try to allow the absolute theoretical maximum RAM due to such design considerations as cost, heat, power consumption, and size.
In your case, Terry, a quick look-see on the HP site shows that your laptop model is designed to support a maximum of 2GB of RAM, which is half the theoretical maximum for 32-bit hardware.
That HP laptop normally ships with 1GB installed in the form of two 512MB RAM modules. To max out the RAM in that system, you would need to remove the two original 512MB memory modules and replace them with a pair of 1GB modules. You would then have a 2GB laptop, which is the hardware limit for that particular model.
There’s no way to add more than 2GB of RAM to that machine. The laptop’s limits make installing more than 2GB a waste of memory. And putting in more than 4GB of RAM wouldn’t work in that or any other 32-bit PC because of the fundamental mathematical limits of 32-bit hardware. Thus your system, Terry, is doubly limited; 2GB is as much memory as that system will ever be able to use.
That’s the hardware side of things, but standard 32-bit software also shares the same mathematical ceiling that 32-bit hardware has and is likewise limited to recognizing no more than 4GB of address space.
That’s all the RAM that standard 32-bit XP or Vista (or 32-bit Linux or Macs, for that matter) will ever “see” on standard 32-bit hardware. No matter how you slice it, 2 to the 32nd equals 4GB. That’s all there is.
Note that some server-oriented 32-bit systems can use “address extensions” to perform a sleight-of-hand that tricks the operating system into thinking it’s working within the normal 4GB address space when the system is actually tap-dancing madly behind the scenes to allow access to somewhat more.
Scott Dunn covered some of these techniques in his excellent column in the Dec. 18, 2008, newsletter titled “Access more memory, even on a 32-bit system.” But even though the techniques Scott describes let you partially sidestep current memory constraints, they don’t change the fundamental 4GB cap for 32-bit architectures.
The real answer for more memory space is to move to 64-bit hardware and software. The mathematical ceiling for 64-bit hardware is an astonishing 16EB (exabytes) of memory space — 16 quintillion bytes. That’s a whopping 16 million terabytes, or 16 billion gigabytes. That ought to accommodate your MP3 collection.
Jokes aside, ponder that number for just a moment. It’s beyond huge. To put 16EB into context, Wikipedia says that the sum total of human knowledge — that is, all the manuscripts, books, scrolls, clay tablets, newspapers, audio, video recordings, etc. ever produced in all of human history since the dawn of time — currently adds up to about 12EB of data.
To call the 16EB memory space of 64-bit architecture “large” just doesn’t say it. It’s freaking gigantic!
Of course, no PC can accommodate even one exabyte of RAM today, and currently most 64-bit hardware and software is capped at a much lower — but still comparatively vast — amount. For example, the 64-bit versions of XP and the high-end 64-bit versions of Vista can address up to 128GB of RAM.
The lower-end versions of Vista are artificially limited to 8GB of RAM for Home Basic and 16GB for Home Premium — a silly, marketing-driven restriction. On the other hand, very few of us will need more than 16GB or even 8GB of RAM in our home PCs anytime soon.
So, Terry, the only way to get more than 2GB of RAM is to get a new system. And the only real way to use more than 4GB in a normal system is to purchase 64-bit hardware and software.
Bottom line: with standard 32-bit hardware and software, your maximum RAM will be whichever is less: 4GB or whatever your system’s internal design constraint is. Those are fundamental limits that cannot be changed.
That’s why your next PC might very well be a 64-bit system running 64-bit software.
Recover bad sectors after a hard-disk crash
A repair job after a hard-drive crash experienced by a reader named George caused some troubles of its own:
- “I had a hard-drive prob on a laptop (XP Pro) and used [Gibson Research’s $89] SpinRite [more info] to fix it. Unfortunately, some sectors could not be recovered. I can boot and run most of the software, but I have a few programs that display an error message concerning 0xC0000005 when they start up.
“I’ve deleted and reinstalled one of the programs, but to no avail. Are there any pointers you can provide re: this prob?”
That error code usually indicates a memory glitch, George. Those unrecoverable sectors are the most likely cause.
You probably have missing or scrambled data in several key sectors. It doesn’t take much: a one or a zero flipped the wrong way can cause software to misbehave or crash. You said you already tried a reinstall with one program. If there are only a few that are misbehaving, try reinstalling all the ones exhibiting problems.
If the trouble is widespread, it’s possible that some pieces of Windows itself were incorrectly restored. To fix your Windows configuration, boot the PC with your Windows Setup CD — if you have one — and select the Repair option when it’s offered.
You can also try deleting or temporarily shrinking your PC’s pagefile because the scrambled data may be stored there. To change your pagefile settings, click Start, Control Panel, Performance & Maintenance (in Category view), System. In the System Properties dialog box, click Advanced, Settings (in the Performance section), Advanced, Change.
In the Virtual Memory dialog box, select “Custom size” and set both the initial and maximum sizes to 0. If Windows complains, shrink the file as small as you can. Then reboot, recreate a normal pagefile, and reboot again. If lingering pagefile problems were at fault, the errors will now be history.
You’ll find step-by-step instructions for changing your pagefile in Microsoft’s Knowledge Base article 308417, “How to set performance options in Windows XP.” Scroll to the middle of the page for the pertinent material.
If the memory error isn’t due to your software or pagefile, the problem might be caused by the physical RAM. You didn’t say what caused your hard drive to go bad, but if you dropped your laptop or it suffered some other kind of physical accident, the RAM modules may have been jostled loose in their sockets.
Check the Web site of your system’s manufacturer for detailed information on accessing your laptop’s RAM. Most notebooks have a RAM door of some kind on the bottom. Turn off and unplug the machine, remove the battery, and then open the door over the add-on RAM bank.
Remove and reinstall your laptop’s RAM modules. While you’re under the machine’s hood, so to speak, make sure any other cables, sockets, and connectors you can access are clean and tight.
If your RAM is well-seated, one of your modules may have simply gone bad through a random failure or as a side effect of whatever accident took out your hard drive. Microsoft’s free Windows Memory Diagnostic utility may help here (more info).
We’re climbing pretty far down the decision tree now, but there are several other possible causes for that error message. You’ll find good coverage of the lower-probability issues in Microsoft MVP Mark Liron’s article titled “Finding a Solution for the 0xC0000005 Error.”
Trouble accessing a college’s Wi-Fi network
I’ve put two kids through college, so Robert Wells’ question struck a chord:
- “My daughter is away at college. I sent her a laptop that worked on Wi-Fi here. She can connect to her college Wi-Fi and get to her home page, MSN.com. She cannot navigate from there.
“Any address or click goes to the page but halts with red X’s on the page. We have cleaned caches, run spyware, tried a blank home page, reset IE 7 defaults, etc. Any suggestions for this frustrated duo?”
Here’s some good news: every college I know of has at least a reasonable IT department, and some are truly outstanding. At the start of every semester, a fresh batch of connectivity problems arrives with the returning student body. As a result, the college IT folks have seen just about every problem there can be, including your daughter’s. Odds are they can fix it, so your best option is to instruct your daughter to call the college IT department or computer help desk.
If the school’s IT support crew can’t solve the problem, have your daughter try Firefox. The browser’s installation file is only 7.1MB, so a friend could load the file on a thumbdrive or burn it to CD for her. If Firefox works on her laptop but IE doesn’t, you know that the problem isn’t with general connectivity but with IE itself.
Microsoft’s Internet Explorer 7 Solution Center may provide helpful information, although most is pretty basic. If you can narrow down the potential causes of the problem, query Microsoft’s Knowledge Base for info on the specific IE 7 problem you’ve defined.
If neither browser works, look to your daughter’s security tools or general network settings as the most likely culprits.
Microsoft’s article titled “Troubleshoot Networking Problems in Windows XP” is a pretty good primer on general connectivity snafus. If you need more advanced information, two of my favorite networking sites are Windows Networking and Practically Networked.
As helpful as these resources may be, I’m betting that the college’s computer help desk will have an easy fix right at hand!
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
Prevent your system from becoming infected
By Ian “Gizmo” Richards
What will be the major security risks in 2009? More importantly, what can you do to protect your PC against these risks? Be forewarned: the answers are not quite what you expect.
There’s more in that download than meets the eye
Most PC users have a distorted view of the nature of the security risks they face. Conventional wisdom holds that the three biggest threats come from (1) criminals exploiting flaws in Windows and other software products; (2) e-mail-borne viruses; and, more recently, (3) visits to malicious Web sites.
These threats, though real, are relatively minor players: each accounts for only a few percent of home PC infections. No, folks — the biggest threat doesn’t come from any of these exotic sources but from something much more common and pedestrian: downloading infected programs.
The people who make their living cleaning up infected PCs have known this for years. When they ask users when their problem started, the answer is all too commonly “after I downloaded and installed a new program.”
Tech-support personnel in corporations will tell you the same thing, and they’ll often single out senior managers as particularly susceptible to malware-bearing downloads.
This practical experience is borne out in the statistics. Security research company Trend Micro recently reported that of the top 100 infections in the U.S. in 2008, approximately 63% were caused by downloading and running programs. E-mail–borne infections accounted for only 3%, while the exploitation of security flaws in products was responsible for a tiny 1.7% of PC infections.
Software thieves get more than they bargained for
So, what are these infected programs that users are downloading?
They include free games, utilities, toolbars, and just about any other program a malicious site can entice a user into downloading. An even greater threat is pirated software and pornography.
Pirated software is particularly dangerous, because such programs are used widely and are often crawling with viruses.
In fact, when I’m looking for a new set of malware for my security tests, I go straight to pirated-software sites and cracked-software sources on BitTorrent.
The last time I did this, 39 of the 61 illegal programs I downloaded from BitTorrent were infected. Most of the infections were in the key generators (“keygens”), but in seven of the 39 cases, the infection was in the pirated program itself.
Even scarier was how few of these infected downloads had been noted by users in their comments on the BitTorrent search sites. I’m not sure why, though I do know that some malware infections disable your security software, so the commenters were likely unaware of the viruses.
I suspect many users of pirated software are smart enough to download a fresh copy of the program from the vendor’s site and use only the pirated serial number or keygen they lifted off BitTorrent. Whatever the reason, be assured that you cannot rely on program ratings given by BitTorrent users.
Now, all of this sounds very scary, but I don’t want to alarm you unnecessarily. Most downloading is perfectly safe. Indeed, downloading and trying new programs is one of the great pleasures of the Internet.
However, you do need to be smart about what you download and install. That, as we shall see, is not too hard at all.
In the last few years, I’ve downloaded and installed dozens of programs onto my laptop and it’s never been infected by malware. Not even once.
This is not due to any technical genius on my part nor to the quality of the security software I use. It’s the result of adopting safe downloading practices. If you develop the habit of using these practices, your computer will be just as safe as mine.
Rule 1: Download only from reputable sources
Following this single rule will cut your risk of infection dramatically. So, what is a “reputable source”? Certainly the following:
- Any major download site, such as Download.com, Softpedia.com, and MajorGeeks.com.
- Any site of a reputable developer or vendor, such as Microsoft, Google, HP, and Dell.
- Any open-source software hosted on Sourceforge.net, Mozilla.org, and other large open-source hangouts.
There are, of course, many more “reputable sources.” The problem is knowing which sites to trust. McAfee SiteAdvisor is a free plug-in for Internet Explorer (download page) and Firefox (download page) that rates sites based on a number of security criteria, including whether the downloads from the site are free from malware.
If a site has SiteAdvisor’s “Green” rating, you can be pretty sure it’s safe. Conversely, you can count on any site with a “Red” rating as being unsafe.
Figure 1. The McAfee SiteAdvisor browser plug-in shows safe (green) and unsafe (red) sites at a glance.
So, what files are definitely unsafe to download or install?
Topping the list are files a site offers to you unprompted or via a popup window. If the site asks whether you’d like to install a toolbar, video viewer, download manager, or whatever, always say no. Such files are the riskiest of all downloads, so never be tempted. Make no exception here; this is seriously dangerous territory.
Other unsafe sources are file-sharing services. Never download software from BitTorrent and other file-sharing networks unless you can verify the authenticity and integrity of the download with 100% certainty. For most people, it’s best to play it safe and never download from these services.
The same prohibition applies to software provided to you by friends and colleagues. Unless it’s on the original manufacturer’s CDs, there’s no way you can verify the authenticity and integrity of the program.
Rule 2: Scan all downloaded files
Normally, you don’t have to worry about scanning files you download, because most of the top antivirus and antispyware programs automatically scan a file when you download it. If you’re unsure whether your security product scans downloaded files automatically, you can usually initiate a manual scan by right-clicking the downloaded file and selecting the “Scan this file” option.
Unfortunately, even the best AV scanners have a less-than-100% detection rate; a downloaded file may scan as clean yet still be infected.
You can further reduce the chance of a file’s being infected by making use of a free Web-based scanning service, such as Jotti and Virus Total. These sites run your downloaded file through a dozen or more antivirus and anti-malware programs.
Of course, there’s still a chance your download is infected, even if it passes all the tests at Jotti or Virus Total. However, the protection these services offer is good enough to keep most PCs safe.
Rule 3: Run suspicious programs in a sandbox
If you have the slightest doubt about a program or e-mail attachment you downloaded, install the program or open the file in a sandbox or other virtualized environment before you load it on your PC.
My favorite sandbox app is the excellent free program called Sandboxie (download page). This and other virtual environments allow you to install and run programs in an area of your PC that’s been specially corralled off.
If the program you install happens to be infected, the infection is confined to the sandbox and cannot affect your PC. Any infection can be removed by simply deleting the sandbox or its contents.
For more on sandboxes, read my Oct. 16 column.
A neat feature of sandboxing is that your security software can see what’s happening in the sandbox and can warn you of any problem. In fact, it’s much easier for your AV scanner to detect an infected program that is actually running than to detect an infection simply by scanning the file before installation.
If you install a downloaded program in a sandbox and get no warnings from your security software, it’s unlikely that the file is infected. You can then delete the sandbox and install the program with confidence on your real PC.
Sandboxes are also great for safely opening e-mail attachments. The next time someone sends you a funny PowerPoint presentation, save the attachment and then open it inside a sandbox. OK, it may take you 20 seconds longer, but that’s a lot less time than the hours you’d spend removing a malicious infection from your PC.
Rule 4: Read the software licensing agreement
Of my four rules for safe downloading, this one is most likely to be ignored. That’s a pity, because perusing the end-user licensing agreement (EULA) is a surprisingly good way of determining whether the program you’re installing contains any unwanted components.
Now, no hacker or Internet criminal is going to tell you in a licensing agreement that they have malicious programs in their software. However, most adware purveyors and spyware vendors will disclose the contents of their “services.”
That’s because adware is quite legal. Indeed, some AV and antispyware programs won’t pick up particular adware programs because they’re legit.
Spend a couple of minutes reading the EULA rather than just automatically clicking the “I have read this and agree” button.
If you find reading EULAs too tedious, have Javacool Software’s EULAlyzer program read it for you and flag for your attention any worrying paragraphs. EULAlyzer is free for personal and educational use (more info).
In addition to reading the EULA, you should also be vigilant about what you agree to during the program’s installation routine. Quite often, software vendors will slip into the install wizard a default selection permitting the installation of a third-party’s product, a subscription to their promotional newsletter, or whatever.
A common example of this practice is the otherwise excellent freeware disk-cleaning program CCleaner (more info). Embedded in the utility’s install is a default option to add the Yahoo search toolbar to your system. If you don’t want the toolbar, you need to uncheck the option.
Now, the Yahoo search toolbar is a legitimate product and quite a good one, in fact. But do you really want it? I don’t, and I suspect most other users don’t want it, either. The next time you install a program, read before you click.
So there you are, folks. Of all the security threats you face, downloading and installing programs is statistically your highest risk. I’ve outlined four simple rules for downloading that anyone can follow. Just stick to these rules and you’re on the way to a malware-free 2009.
Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.
Google search results lead to browser hijackers
By Mark Joseph Edwards
A piece of malware in circulation since last September redirects links in search results to hacker sites. Reports of infection are widespread, but fortunately, you can remove this persistent threat relatively easily.
Search links redirected to malware downloads
For at least the past four months, an Internet attack has been under way that transforms the links in search results into browser hijackers. Known as the go.google, go.yahoo, or go.msn virus, it infects systems to redirect certain Google, Yahoo, and MSN search-results pages to hacker-operated sites.
Even worse, the virus takes several steps to prevent you from removing it. The infection blocks access to certain antivirus sites and shuts down many antivirus tools. The go.google virus in particular appears to be widespread: a quick search of Google for go.google virus turns up no fewer than 4 million pages where people discuss this nasty critter!
Getting this bugger off your computer is a two-step process. First, scan your system with a malware-removal tool. If you’re unable to open, or download updates for, your regular antivirus and anti-malware software, use a noninfected computer to download a program such as the free Malwarebytes Anti-Malware (more info) or SuperAntiSpyware (more info) to a flash drive. Then plug the flash drive into the infected computer and run the anti-malware program from that device.
Note that even if you are able to download a malware-removal tool on the virus-laden PC, the virus may prevent you from running it. To get around that problem, rename the anti-malware tool’s executable file. For example, change SuperAntiSpyware.exe to mytool.exe. Now you should be able to launch the app.
Another way to get around the inability to access your antivirus program is to check your system for the presence of a particular rogue device driver:
• Step 1: Click Start, Control Panel, Performance and Maintenance (in Categories view), System.
• Step 2: Select the Hardware tab and click Device Manager.
• Step 3: Choose the View menu and select Show hidden devices.
• Step 4: Scroll to the Non-plug and play drivers section and expand the tree.
• Step 5: If you see an item labeled TDSSserv.sys, right-click it and select Disable.
After you reboot your computer, you’ll be able to access your antivirus program and browse to anti-malware sites to remove the pest from your PC. Once you’ve cleaned your system, make certain that you update your antivirus software every day to avoid reinfection.
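The same check can be done from the command line. The script below is an added example, not part of the column: it enumerates kernel drivers through WMI, including the hidden non-plug-and-play ones, and flags any whose service, display or file name begins with TDSSserv. The only assumption is that name list, taken from Step 5 above.

```powershell
# Added example (not from the column): find the hidden TDSSserv.sys driver
# described in the steps above without opening Device Manager.
# Windows PowerShell 2.0 or later; run from an elevated prompt.

# Win32_SystemDriver enumerates kernel-mode drivers, including the
# "Non-plug and play" entries that Device Manager hides by default.
$suspectNames = @('TDSSserv')   # from Step 5 above; extend with other names if needed

$hits = @()
foreach ($drv in Get-WmiObject -Class Win32_SystemDriver) {
    # Driver file name without its directory (PathName may be empty for some entries)
    $file = if ($drv.PathName) { $drv.PathName -replace '^.*[\\/]', '' } else { '' }
    foreach ($name in $suspectNames) {
        if ($drv.Name -like "$name*" -or $drv.DisplayName -like "$name*" -or $file -like "$name*") {
            $hits += New-Object PSObject -Property @{
                Service   = $drv.Name
                File      = $file
                State     = $drv.State       # Running / Stopped
                StartMode = $drv.StartMode   # Boot / System / Auto / Manual / Disabled
                Path      = $drv.PathName
            }
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Host "No driver matching $($suspectNames -join ', ') was found."
} else {
    Write-Host "Suspect driver(s) found:"
    $hits | Format-Table Service, File, State, StartMode, Path -AutoSize
    # Disable it as in Step 5 (Device Manager, right-click, Disable), or from an
    # elevated prompt with:  sc.exe config <Service> start= disabled
    # then reboot and run your anti-malware scan as the column describes.
}
```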
VMware experiences denial-of-service attacks
I bet a lot of you are using VMware in some form or fashion. After all, the program is one of the most popular free virtualization products available. Unfortunately, VMware Player 2.5.1 and VMware Workstation 2.5.1 are vulnerable to remote denial-of-service (DoS) attacks. Someone could cause the software to crash by sending a very long username or password during the authentication process.
By default, the VMware authentication service listens on port 912, so to protect against this problem, simply set your firewall to block access to that port from anything other than trusted systems. Keep an eye on the VMware Products page for news of an update that fixes this problem.
Web-development platform leaves sites vulnerable
While you were on your holiday vacation, a critical vulnerability was discovered in the DotNetNuke Web-application development program. This extremely popular application framework is used to create an array of Web software for Microsoft Internet Information Server (IIS) platforms, particularly blogs and portals.
The security hole could allow users to add roles to their accounts — roles that should be inaccessible. Effectively, this means that unless you upgrade to DotNetNuke 4.9.1 or a later version, your site is wide open to attack.
Be sure to apply this patch pronto (more info). If you aren’t sure whether your Web applications use DotNetNuke, head over to the company’s marketplace to see whether any of your software is listed there. Or ask your Web administrator or developer to investigate the matter for you.
Free plug-in strengthens WordPress security
As of Jan. 12, the latest version of the popular WordPress blogging platform, 2.7, has been downloaded nearly 1.12 million times. Of course, being so popular makes the program a common target for the bad guys.
In the past couple of months, I’ve fixed at least six WordPress blogs that were hacked. If I’ve repaired that many, surely a lot of other WordPress experts have had to do the same.
The WordPress platform is well designed, but the bad configuration habits and lack of security knowledge of users can leave a WordPress site vulnerable to attack. In fact, this is a problem for many Web applications.
Unfortunately, not many WordPress users are aware of the need to tighten the security of their blogs. Those who are aware often don’t have the skills to secure their blogs themselves.
That led to the development of Maximum Security for WordPress, a plug-in that adds over a dozen security features to the blogging system, all of which are available with a click of the mouse. These include stronger password security, automated file-permission adjustments, more-effective user account controls, audit controls, and extensive logging.
The plug-in, which is currently in beta, scans themes and other add-ons for potentially malicious or dangerous code. It analyzes your site’s security settings to discover weaknesses and includes a Web-application firewall and intrusion-prevention system that helps block cross-site scripting attacks, SQL injection, HTTP header manipulation, and other threats.
If you use WordPress, head over to the Maximum Security page to sign up for the beta.
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
Critical patch for Windows file-sharing bug
By Susan Bradley
The lone patch for January addresses three vulnerabilities that some experts claim will be the next big worm event. While the threat to Windows users may not be quite so dire, be sure to reboot after you install this patch, even though Windows Update may not prompt you to do so.
MS09-001 (958687)
Bolster firewalls to block remote-code attacks
We kick off the new year with only one security patch, but MS09-001 (958687) plugs three holes in the Microsoft Server Message Block (SMB) file-sharing protocol that pose a significant threat, many security analysts claim.
Microsoft labels the update critical for Windows 2000, XP, and Server 2003 and moderate for Windows Vista and Server 2008. In Microsoft’s Security Vulnerability Research & Defense blog, Mark Wodrich recommends updating domain controllers and SMB servers first, since these systems are more vulnerable to a denial-of-service (DoS) attack. He claims the risk is lower for “non-critical workstations.”
As stated by Gregg Keizer in a Computerworld article, security experts such as Eric Schultze from patch vendor Shavlik warn that this will be the next big worm event. I don’t agree, nor do I concur with Microsoft’s assessment that the patch must be deployed immediately to all domain controllers and servers.
I’m not saying that you shouldn’t install the update on Windows PCs as soon as you can, nor do I suggest that you delay deploying it to servers. As I see it, the most probable result of this vulnerability is a DoS attack on your servers. A DoS attack can crash a server and cause other harm, but the threat of someone stealing information from the server is a much-higher risk for me.
Microsoft states that this vulnerability allows remote-code execution, but the manner in which the attack must be launched makes reliable exploit code highly unlikely to appear. The best defense is to set your firewall to block TCP ports 139 and 445.
Something troubles me about this patch, however. When I ran my patch tests on several Windows 2008 Servers and Vista workstations, none of them required that I reboot to complete the update. Yet Microsoft’s security bulletin states that you’re not protected unless you reboot the machines.
I know what a pain rebooting is, but when you install this patch — and the Malicious Software Removal Tool update I discuss below — be sure to reboot your computer, even if the updater doesn’t prompt you to do so. I’m not convinced you’ll be protected otherwise.
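Two checks a practitioner may want after reading this item, as an added example that is not from the column: whether KB958687 is listed as installed, and whether TCP 139 and 445 are currently listening on a non-loopback address, which is where the firewall advice above applies. The KB number is taken from the bulletin heading; the rest is standard Windows PowerShell (2.0 or later) and netstat.

```powershell
# Added example (not from the column). Checks for the MS09-001 fix and reports
# whether the SMB ports the column says to block are reachable from the network.

function Test-HotFixInstalled {
    param([string]$Id = 'KB958687')   # MS09-001 KB number from the bulletin heading
    # Get-HotFix reads the same installed-update list as Add or Remove Programs
    $fix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    if ($fix) { "$Id is installed (installed on: $($fix.InstalledOn))" }
    else      { "$Id is NOT listed as installed" }
}

function Get-SmbListeners {
    # Parse "netstat -ano" rows such as:
    #   TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4
    # and keep TCP listeners on 139 or 445 that are not bound to loopback only.
    $smbPorts = 139, 445
    netstat -ano | ForEach-Object {
        $fields = ($_.Trim()) -split '\s+'
        if ($fields.Length -ge 5 -and $fields[0] -eq 'TCP' -and $fields[3] -eq 'LISTENING') {
            # Split the local endpoint on its last colon so IPv6 "[::]:445" also works
            $addr, $port = $fields[1] -split ':(?=\d+$)'
            if (($smbPorts -contains [int]$port) -and $addr -notmatch '^(127\.|\[::1\])') {
                New-Object PSObject -Property @{ Address = $addr; Port = [int]$port; PID = $fields[4] }
            }
        }
    }
}

Test-HotFixInstalled
$listeners = @(Get-SmbListeners)
if ($listeners.Count -eq 0) {
    'No SMB listener on TCP 139/445 is exposed beyond loopback.'
} else {
    'SMB is listening on the network; restrict TCP 139 and 445 at the firewall:'
    $listeners | Format-Table Address, Port, PID -AutoSize
    # Vista/Server 2008 rule (inbound block; add remoteip= to exempt a trusted subnet):
    #   netsh advfirewall firewall add rule name="Block inbound SMB" dir=in action=block protocol=TCP localport=139,445
}
```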
MS08-037 (951748)
New XP PCs finally get an important update
Thanks to fellow Microsoft Security MVP Ottmar Freudenberger, that Windows XP netbook you bought yourself for Christmas may now be offered a security patch that was initially released way back in July. Ottmar noticed that newly installed workstations with XP Service Pack 3 installed were not getting the patch described in MS08-037 (953230). Microsoft investigated and ultimately re-released the update on Jan. 14, 2009.
Any XP SP3 PC not having previously received this patch will see it offered by Windows Update this week. Fortunately for anyone whose XP system missed this patch, the DNS spoofing issue it addresses affects servers much more than workstations.
Malicious Software Removal Tool packs heat
This month’s Malicious Software Removal Tool release targets a couple of particularly nasty pests that have been infiltrating systems lately. Conficker and Bankload invade networks through file shares and try to guess weak passwords. The Malware Protection Center blog provides more detail regarding these vermin.
In addition to running a scan with this utility to ensure that your system is clean, I urge you to verify that you’ve installed the patch described in MS08-067 (958644). There are several ways to do this. One is to open the Add or Remove Programs Control Panel applet, check Show updates, and look for Security Update for Windows XP (KB958644) under Windows XP — Software Updates.
Bottom line: there’s no excuse not to apply this patch, which I found very painless to do.
961367
Bleeding-edger alert: Windows 7 beta available
Steve Ballmer’s announcement at this year’s Consumer Electronics Show that the Windows 7 beta would be available for download on Jan. 9, 2009, sure caused a buzz. In fact, the huge demand for the public beta forced Microsoft to delay the release until the company could ensure that its servers could handle the crush.
If you’re one of the millions of folks who managed to download and install the Windows 7 beta, there’s already some patching required. The patch described in KB article 961367 fixes a problem that mangles MP3 files. The update also applies to Windows Media Center and Windows Media Player. As with all beta software, things may not work as you expect them to, and some devices may not connect as they should.
If you’re the adventurous type and download the beta, make sure you don’t use the Checked Build version. This is a special build that developers use to expose raw errors for debugging. If you install this version, you’ll get more Dr. Watson errors than you’ve ever imagined. Unless you’re a code developer working on a special project, the Checked Build version is meant to be run only after a Microsoft support person asks you to do so.
Most of the feedback from Windows 7 testers has been positive. Several new features are being blogged about widely, as reported on this Microsoft Developer Network blog. If you’d like more technical information about Windows 7, I urge you to post in the Windows 7 Beta forums. You just might see yours truly answering a few questions there.
Apple update requires a hands-on approach
Just before Christmas, I needed to update my Mac OS version to 10.5.6, but every time I used the machine’s automatic update, I got the following incomprehensible error message: The update “Mac OS X Update” can’t be installed.
At least the error message didn’t refer me to my System Administrator for guidance, as many other Apple error messages do. On numerous occasions, an Apple error message has instructed me to call myself (the sys admin) for guidance. I wouldn’t be the first admin left talking to herself, but doing so gets me no closer to a solution.
Fortunately — or unfortunately, as the case may be — I was not the only person experiencing this problem. The remedy posted by others in the Apple Forums was to manually download the entire patch and then run a manual update.
Once I downloaded the patch from Apple’s site and manually installed it, the patch was applied as expected.
Dell owners: Beware the bogus driver offering
I found it a bit odd on this Patch Tuesday to find my Dell PC being offered an IdeaCom HID TouchScreen driver. I was even more perplexed when I read a blog post detailing how others who had received the same driver in a Windows update subsequently experienced system problems and had to roll the driver back.
What made my driver experience all the more interesting is that my Dell is a desktop. Unless I’m mistaken, the IdeaCom driver has no business on this brand and model. This is not the first time that Dell and Microsoft Update have installed a driver that was faulty.
If Windows Update offers this driver to your Dell system, decline or ignore it.
An alternative third-party patching tool
I use a lot of different software, so I’m a big fan of third-party patching tools. In the past, I’ve recommended Secunia Personal Software Inspector (download page). In fairness, some of you have had problems using this free program. The company has cleaned up many of the updater’s glitches, as posters in the Secunia forums indicate.
Even with the service’s growing pains, I’m still a fan and urge you to use Secunia’s online scanning service on a regular basis.
If you’d like to try an alternative patching tool, the Shavlik Patch Google Gadget (download page) integrates with the Google Desktop add-on. In fact, I used this utility to confirm Ottmar Freudenberger’s contention that XP SP3 machines were missing an important security patch (see the second item in this column).
The drawback to Shavlik’s gadget is that it requires Google Desktop. Still, the program’s ability to determine that XP SP3 was missing a security patch proved that it was more accurate than Microsoft’s own updater.
Windows Media Player update gets another go
Last but not least, Microsoft is re-releasing the patch described in MS08-076 (959807), which patches Windows Media Player. Specifically, updates to Windows Media Format Runtime 9.5 on Windows XP SP2 and SP3 (KB 952069) were failing because the patch discussed in KB 944110 was getting installed first. If your installation of this update was successful the first time around, you won’t see this patch again.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).