Limiting Login Attempts

One common way to reduce the likelihood of an account getting hacked is to limit the number of login attempts and lock the account once the number of failed logins reaches some threshold.

This is a reasonable way to prevent brute-force, and even most dictionary attacks. The problem is that most implementations count each and every login attempt. When someone forgets their password or types it in incorrectly, they usually try again a few times.

If you limit the number of attempts, the counter should recognize when the failed passwords are the same (or possibly even similar), since those are obviously not an attack but a user wondering why their password isn’t working (for example, they may be typing in the password for a different account). Counting distinct wrong passwords rather than raw attempts still caps what an attacker can try per account while sparing the legitimate user. Bear in mind that any lockout can also be turned against the user: an attacker who can reach the login form can lock a victim out on purpose, so prefer a temporary lockout or a growing delay over a permanent lock that needs an administrator to undo.
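As an added example (not code from the original post), here is one way to implement that counter. It is a hypothetical in-memory design: failed candidates are stored only as HMAC tags under a per-process secret, so a repeat of the same wrong password collapses onto one tag and is counted once, and the store never holds plaintext guesses. Exact repeats only are detected; judging “similar” passwords would require keeping the plaintext candidates around, which is a trade-off this version deliberately avoids. Lockouts are temporary and guesses age out of a window.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


class LoginLimiter:
    """Lock an account after too many *distinct* wrong passwords, not attempts.

    Failed candidates are kept only as HMAC tags under a per-process key, so
    the store never holds the plaintext guesses; a user retyping the same wrong
    password hits the same tag and is counted once. (Hypothetical in-memory
    design; a real deployment would keep this state in a shared store.)
    """

    def __init__(self, max_distinct: int = 5, window: float = 900.0, lockout: float = 900.0) -> None:
        self.max_distinct = max_distinct     # distinct wrong passwords before lockout
        self.window = window                 # seconds a failed guess stays counted
        self.lockout = lockout               # seconds the lock lasts (temporary, not permanent)
        self._key = secrets.token_bytes(32)
        self._failed: Dict[str, Dict[str, float]] = {}   # user -> {tag: last seen}
        self._locked_until: Dict[str, float] = {}

    def _tag(self, username: str, candidate: str) -> str:
        msg = username.encode("utf-8") + b"\0" + candidate.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _live(self, username: str, now: float) -> Dict[str, float]:
        """Drop guesses older than the window and return the remaining ones."""
        seen = self._failed.setdefault(username, {})
        for tag in [t for t, ts in seen.items() if now - ts > self.window]:
            del seen[tag]
        return seen

    def is_locked(self, username: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._locked_until.get(username, 0.0) > now

    def distinct_failures(self, username: str, now: Optional[float] = None) -> int:
        now = time.time() if now is None else now
        return len(self._live(username, now))

    def record_failure(self, username: str, candidate: str, now: Optional[float] = None) -> bool:
        """Register a failed login; return True if the account is now locked."""
        now = time.time() if now is None else now
        seen = self._live(username, now)
        seen[self._tag(username, candidate)] = now     # a repeat overwrites, it does not add
        if len(seen) >= self.max_distinct:
            self._locked_until[username] = now + self.lockout
        return self.is_locked(username, now)

    def record_success(self, username: str) -> None:
        """A correct password clears the history and any lock."""
        self._failed.pop(username, None)
        self._locked_until.pop(username, None)


if __name__ == "__main__":
    lim = LoginLimiter(max_distinct=3, window=60, lockout=60)
    t = 1000.0
    for i in range(4):                              # same wrong password four times
        print("locked after repeat", i + 1, lim.record_failure("alice", "hunter2", t + i))
    for guess in ("hunter3", "hunter4"):            # two more distinct guesses
        print("locked after", guess, lim.record_failure("alice", guess, t + 10))
```

The caller checks is_locked before verifying the password at all, so a locked account never reaches the password check, and calls record_success on a correct login to reset the history.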

Technology Breeds “Patience”

Last night, CBS news did a piece about the recent increase in airport security due to the attempted Christmas bombing. The anchor went on to say that people have been okay with the extra wait times and delays the increased security checks have created because passengers are more patient and understanding; that they are willing to put up with the extra wait because they know it is for their own good and safety, and that they are cheerful because it is the holidays, so they are in better, less rushed moods. Unfortunately the news team got it completely wrong.

The reason people are more willing to put up with down time and delays these days, not just at airports but everywhere (on the bus, at work, at the DMV, in coffee-shop lines, and so on), is technology. In the past, people disliked having to stand around and wait because it was such a waste of time. Having to stand or sit around and twiddle your thumbs, or at best read a book, was really frustrating. Now, however, with iPods, iPhones, PSPs, laptops, netbooks, Kindles, and so on, wait-time is no longer down-time but break-time. Thanks to all of the varied gadgets and devices, we can now spend those two minutes here and ten minutes there actually doing something useful, be it work or play, instead of waiting around, bored out of our minds.

Rule of Thumb Can Do More Harm Than Good

I just read the following line in an article in a security-focused issue of NetworkLife magazine about novice computer users and firewalls:

A good rule of thumb: “If an alert occurs when users are launching any kind of Internet action, such as connecting to their mail servers, downloading programs, connecting to a Web server, or updating software, then they should accept it”

And to be honest, that has been the general consensus on this matter for as long as anyone can remember. Unfortunately, while it sounds logical, it is not a very good rule of thumb. What happens when a piece of software, say their anti-virus app, tries to check for an update while the user is typing a paper? An alert pops up telling them that a program is trying to connect, and they think “hmmm, I’m just typing a paper; I didn’t initiate anything, so I’m supposed to block it”. They click Deny Access. The next day it tries to check while they’re playing Solitaire, so they click Deny Access again. The day after, it happens while they’re in the bathroom, so they get tired of this and just click Deny Access And Remember. Now their anti-virus is never updated again.

The opposite can occur as well. They open an email from someone they don’t know and click the attachment to see the greeting card. An alert pops up telling them that a program is trying to access the Internet. They think “hmmm, I’m viewing email and I just clicked a Web-card, so it’s safe to allow it”. Now they are infected with a trojan and their zombie computer will begin sending out infected spam. The rule keys on whether the user initiated the action, but the user initiated this one too; what it cannot tell them is whether the program making the connection is one they should trust.

Truly, the best rule of thumb is to educate the users, even in a rudimentary fashion. If you go to the trouble of installing a firewall on grandma’s computer and telling her a rule of thumb like the one above, then you may as well give her a short crash course instead.

Virus Clues

If you are downloading files from a P2P network, then be especially wary of viruses.

One dead giveaway is when a search gives you moderate results, but then a few results (usually at the end of the search) suddenly show hundreds or even thousands of sources, particularly if those files are of wildly different sizes. What happened, did you get really lucky and find a hidden cache of the file you were looking for? No. Those few results that show hundreds or thousands of sources are not real; they are fakes returned by a malicious server. When you do a search, the servers that are queried return a list of the sources for that file that they know of. There are fake servers and virus pits that always respond with a very large number of sources no matter what the file is. The large number is bait: if someone attempts to download the file, they receive one of a number of fakes (possibly even generated on the fly) that are infected with viruses and other malware, regardless of what file they were trying to get.

Yet another dead giveaway is when you get a ZIP file that contains three files, an EXE, a DLL, and a TXT, especially if the files have gibberish filenames. This is a common dummy package that virus pits send out which contains an obfuscated virus: looking at the raw bytes, the file does not appear to be an executable, but it is merely XOR-encrypted, and once decoded it is indeed a virus. What’s interesting about this one is that it usually uses the tag ZWT. ZWT is an actual scene group that does release “legitimate” cracks and such. It is unknown whether the owners of the virus pits that send out fake ZWT-tagged files targeted ZWT on purpose, but since it is the only group whose name is used in the fakes, it may very well be the case.
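A single-byte XOR layer like the one described above does not survive a known-plaintext check. Every PE executable starts with the bytes “MZ”, and the 32-bit little-endian value at offset 0x3C (e_lfanew) points at the “PE\0\0” signature, so the key falls out of the first byte and can be confirmed from the rest. The following is an added example, not code from the original post; the sample header it builds is constructed and contains no real malware, it handles only single-byte keys (a repeating multi-byte key or a real packer needs more work), and it is meant to be run on a copy of a suspect file inside a throwaway VM, never by executing the file.

```python
import struct
from typing import Optional

# Added example, not from the original post: recover a single-byte XOR key from
# a masked PE file using the fixed "MZ" and "PE\0\0" signatures as known plaintext.


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with key (symmetric, so this also encodes)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data carries a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_xor_key(data: bytes) -> Optional[int]:
    """Return the single-byte XOR key under which data is a PE file
    (0 means it was never obfuscated), or None if no such key exists."""
    if len(data) < 0x40:
        return None
    key = data[0] ^ ord("M")           # known plaintext: the first byte must be 'M'
    head = xor_decode(data[:0x40], key)
    if head[:2] != b"MZ":              # second byte must then decode to 'Z'
        return None
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    if not 0x40 <= e_lfanew <= len(data) - 4:
        return None
    sig = xor_decode(data[e_lfanew:e_lfanew + 4], key)
    return key if sig == b"PE\0\0" else None


def make_fake_pe() -> bytes:
    """Constructed sample: a bare DOS header plus PE signature, not real malware."""
    dos_header = b"MZ" + b"\x90" * 0x3A + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    stub = b"This program cannot be run in DOS mode.".ljust(0x40, b"\0")
    return dos_header + stub + b"PE\0\0" + b"\0" * 24


if __name__ == "__main__":
    suspect = xor_decode(make_fake_pe(), 0x5A)     # what the fake ZIP would contain
    print("plain PE?", looks_like_pe(suspect))     # False: the header is masked
    key = find_xor_key(suspect)
    print("recovered key:", hex(key) if key is not None else None)
    print("PE after decode?", key is not None and looks_like_pe(xor_decode(suspect, key)))
```

If the recovered key is not 0, the file was hiding an executable; the TXT and DLL in the same archive deserve the same treatment, since any of them may be the real payload.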

One more virus-infected fake pattern making the rounds on the eDonkey network is the one where the resulting files consist of an NFO file and an EXE. The EXE is the virus, and the NFO contains nothing but a numerical URL, eg,, etc. These often include the name of a piece of software, and even version numbers, in the file names to look more legitimate. However, they don’t usually carry release group names.

As usual, be very wary of anything you download, especially from P2P networks, and in particular when looking for warez. Always check files that you download with at the very least a virus scanner, if not a trojan scanner, worm scanner, rootkit scanner… You can also run them through online scanners such as Jotti’s,, and VirusTotal. Bear in mind that a clean result is not proof: fresh fakes often go undetected for a while, and uploading a file to an online scanner hands a copy of it to a third party.

If everyone kept themselves clean, the whole world would be cleaner overall. If you must pirate, practice safe piracy.

Easy Rootkit Detection

An easy way to detect most rootkits is to use an old technology: DOS.

Most (read, pretty much all) rootkits require some sort of file component. In fact all malware requires some sort of file to be loaded to perform its malfeasance, because malware is just software that does bad things, and software means files. Even worms and other memory-resident programs require files at some point. This is why rootkits hijack directory listing commands to hide themselves.

So, how do you find files when they are being hidden? One way is to check the drive at a low level, reading the disk directly instead of going through a file listing command, and seeing whether the entries on disk match the directory listing. This is a common method but has its drawbacks. For one thing, a decent rootkit can hijack sector-level disk access and hide its entries there just as it does in a directory listing. Another is that it is fiddly to use and can be unreliable.

Another easy-to-use method is to get a directory listing from within Windows, then boot into DOS mode and get another one, then compare the two. There are few if any DOS rootkits, but more importantly DOS is a lightweight, easy-to-control environment that fits on a single floppy. That matters because it lets you vouch for the integrity of the boot disk: a minimal system needs just four files taking no more than 200KB, so make the disk on a system you trust and then write-protect it. Another option is a bootable CD, for example a Windows 95/98 CD, which lets you boot to DOS. One caveat: plain DOS only reads FAT volumes, so if the Windows drive is NTFS you will need an NTFS driver for DOS (or a different trusted boot medium that can read NTFS) before the listing step will work.

To check for a Windows rootkit:

  1. Open a command prompt with the cmd command.
  2. Get a directory listing with dir c:\ /s /a /o > d:\windir.txt.
  3. Reboot into pure DOS mode (do this as soon as possible after the previous step, so the two listings differ as little as possible).
  4. Get another directory listing with dir c:\ /s /a /o > d:\dosdir.txt.
  5. Compare the two files (eg: WinDiff d:\dosdir.txt d:\windir.txt).

Obviously there will be some differences, since files are normally created, changed, and deleted while Windows shuts down. You’ll have to use your best judgement, and possibly a reference or the Internet, to work out which of the differing files are malicious. To minimize the noise, clean up temporary files and the like before taking the listing.

If there is no rootkit, the two listings should be more or less the same. If a rootkit is present, the DOS listing will show files that the Windows listing omits; a file that appears only in DOS and has no obvious owner is the thing to investigate first. Bear in mind that this only catches rootkits that hide files: one that hides only processes, registry keys or network connections, or that lives in the boot sector rather than in a file, will not show up in this comparison.

One drawback to this method is that the built-in DIR command returns the directory listings in different formats in Windows and DOS. As a result, it will be difficult to do a straight comparison of the two listing files. For example this is a listing made in Windows:

Volume in drive C is C-Windows
Volume Serial Number is 0123-4567

Directory of C:
Mar.03.03 03:03am 233,632 ntldr
Mar.03.03 03:03am 47,580
Mar.03.03 03:03am 193 boot.ini
Mar.03.03 03:03am Windows
Mar.03.03 03:03am Program Files
Mar.03.03 03:03am Documents and Settings
3 File(s) 48,638 bytes
3 Dir(s) 123,456,789 bytes free

and the same in DOS (with DOSLFN for long file names on the right):

Volume in drive C is C-WINDOWS
Volume Serial Number is 0123-4567
Directory of C:
NTLDR 233,632 03-03-2003 03:03 ntldr
NTDETECT COM 502 03-03-2003 03:03
BOOT INI 502 03-03-2003 03:03 boot.ini
WINDOWS 03-03-2003 03:03 Windows
PROGRA~1 03-03-2003 03:03 Program Files
DOCUME~1 03-03-2003 03:03 Documents and Settings
3 file(s) 48,638 bytes
3 dir(s) 123,456,789 bytes free

The formats are quite different and need some reworking before a straight comparison is easy. One solution is to use a third-party directory listing program instead of the built-in dir, so that the listing comes out in the same format under both Windows and DOS; just make sure it can list anything and everything (including hidden files, system files, volume labels, and so on). Another is to leave dir alone and normalise both listings into a common form (full path and size) before comparing them.
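The two listings above differ in layout, but the information a comparison needs (full path, size, and whether the entry is a directory) is present in both. The following is an added example, not code from the original post, that normalises a Windows dir /s /a listing and a DOS (DOSLFN) listing into the same path-to-size map and reports what only the DOS boot can see; it covers the procedure in steps 1 to 5 as well as the format problem just described. It assumes typical English-locale dir output and matches it loosely on purpose: it locates the date and time tokens on each line and reads size and name relative to them, which copes with both the Windows order (date, time, size or <DIR>, name) and the DOSLFN order (short name, size or <DIR>, date, time, long name). The two listings embedded below are constructed samples, and the hypothetical hxdrv.sys is the file that the Windows listing cannot see.

```python
import re
from typing import Dict, Optional

# Added example, not from the original post: normalise both "dir" layouts into
# {lower-cased full path: size} and diff them. Layouts are matched loosely.
_DATE = re.compile(r"^(\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}|[A-Z][a-z]{2}\.\d{2}\.\d{2,4})$")
_TIME = re.compile(r"^\d{1,2}:\d{2}(:\d{2})?([ap]m?|[AP]M)?$")
_SIZE = re.compile(r"^\d{1,3}(,\d{3})*$")
DIRMARK = "<DIR>"


def _resolve(path: str, aliases: Dict[str, str]) -> str:
    """Expand 8.3 directory names (C:\\PROGRA~1) learned from earlier DOS entries."""
    out = ""
    for comp in path.rstrip("\\").split("\\"):
        out = comp if not out else out + "\\" + comp
        out = aliases.get(out.lower(), out)
    return out


def parse_listing(text: str) -> Dict[str, Optional[int]]:
    """Map lower-cased full path -> size in bytes (None for a directory)."""
    entries: Dict[str, Optional[int]] = {}
    aliases: Dict[str, str] = {}
    cwd = None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if (not line or low.startswith("volume ") or " file(s) " in low
                or " dir(s) " in low or low.endswith("bytes free")):
            continue
        if low.startswith("directory of "):
            cwd = _resolve(line[len("directory of "):].strip(), aliases)
            continue
        toks = line.split()
        dt = [i for i, t in enumerate(toks) if _DATE.match(t) or _TIME.match(t)]
        if cwd is None or not dt:
            continue                                     # banner line, not an entry
        head, rest = toks[:dt[0]], toks[dt[-1] + 1:]     # DOS fills head, Windows fills rest
        if rest and rest[0] in ("AM", "PM"):
            rest = rest[1:]
        size: Optional[int] = None
        if DIRMARK in head or DIRMARK in rest[:1]:
            head = [t for t in head if t != DIRMARK]
            rest = [t for t in rest if t != DIRMARK]
        elif head and _SIZE.match(head[-1]):             # DOS: size before the date
            size, head = int(head[-1].replace(",", "")), head[:-1]
        elif len(rest) > 1 and _SIZE.match(rest[0]):     # Windows: size after the time
            size, rest = int(rest[0].replace(",", "")), rest[1:]
        # DOSLFN prints the long name last and omits it when it equals the 8.3 name.
        name = " ".join(rest) or ".".join(head)
        if name in (".", ".."):
            continue
        full = cwd + "\\" + name
        if size is None and head:                        # remember PROGRA~1 -> Program Files
            aliases[(cwd + "\\" + ".".join(head)).lower()] = full
        entries[full.lower()] = size
    return entries


def compare_listings(windows_text: str, dos_text: str) -> Dict[str, list]:
    """Files the DOS boot sees that Windows did not, plus other discrepancies."""
    win, dos = parse_listing(windows_text), parse_listing(dos_text)
    return {
        "hidden_from_windows": sorted(p for p in dos if p not in win),
        "only_in_windows": sorted(p for p in win if p not in dos),
        "size_mismatch": sorted(p for p in win if p in dos and win[p] != dos[p]),
    }


# Constructed sample listings (not real output from any machine).
WIN_LISTING = r"""
 Volume in drive C is C-Windows
 Volume Serial Number is 0123-4567
 Directory of C:\
03/03/2003  03:03 AM           233,632 ntldr
03/03/2003  03:03 AM               193 boot.ini
03/03/2003  03:03 AM    <DIR>          Windows
03/03/2003  03:03 AM    <DIR>          Program Files
               2 File(s)        233,825 bytes
 Directory of C:\Windows\system32
03/03/2003  03:03 AM    <DIR>          .
03/03/2003  03:03 AM    <DIR>          ..
03/03/2003  03:03 AM         1,024,000 ntoskrnl.exe
               1 File(s)      1,024,000 bytes
"""
DOS_LISTING = r"""
 Volume in drive C is C-WINDOWS
 Directory of C:\
NTLDR           233,632 03-03-2003  3:03a ntldr
BOOT     INI        193 03-03-2003  3:03a boot.ini
WINDOWS        <DIR>    03-03-2003  3:03a Windows
PROGRA~1       <DIR>    03-03-2003  3:03a Program Files
        2 file(s)        233,825 bytes
 Directory of C:\WINDOWS\SYSTEM32
.              <DIR>    03-03-2003  3:03a
..             <DIR>    03-03-2003  3:03a
NTOSKRNL EXE  1,024,000 03-03-2003  3:03a ntoskrnl.exe
HXDRV    SYS     24,576 03-03-2003  3:03a hxdrv.sys
        2 file(s)      1,048,576 bytes
   123,456,789 bytes free
"""

if __name__ == "__main__":
    for kind, paths in compare_listings(WIN_LISTING, DOS_LISTING).items():
        print(kind, paths)
```

Run it against the real d:\windir.txt and d:\dosdir.txt instead of the embedded samples; the hidden_from_windows list is the one to examine first, and only_in_windows and size_mismatch mostly reflect files changed during shutdown.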

All software is limited and hackable, and malware is no different. With a little thought and the right tools, even a rootkit can be ferreted out.