IN THIS ISSUE:
0. EDITORIAL: Dealing with Rootkit Trojans
How to Deal With Trojan Rootkits
Rootkits are increasingly being used by writers of viruses, spyware, trojans and other malware products to hide their unwanted programs from you and your security products.
At the moment rootkits are not exactly common; however, they are becoming more so, and this is causing concern in the computer security industry.
Rootkits are not themselves malware programs but are programs that offer a system or technique to hide the presence of malware programs.
They do this using a variety of clever tricks to manipulate the Windows operating system itself, the effect of which is that you cannot see the cloaked malware product on your computer using normal Windows programs.
For example, you will not be able to see any malware files that are protected by a rootkit by using Windows Explorer or any other common file viewer.
Nor will you be able to see any of the malware processes by using Task Manager or most other process viewers.
Similarly, there will be no visible malware entries in the Windows Startup folder or other startup locations. Even a HijackThis log will show nothing.
In other words, the malware infection is totally stealthed by the rootkit from your view and the view of most of your security software products.
Because of this stealthing, your security software may report that your PC is totally free of infection when in fact you are infected. That's why rootkits are so appealing to writers of malware products.
Rootkit detectors are special programs designed to look through these stealthing techniques. There are several products on the market and, thankfully, most are free.
Detecting rootkits is only part of the problem. If you find one, then there is the issue of how you get rid of it. Perhaps most important of all is knowing how to avoid being infected in the first place.
I'd like to address all these issues here but I'm afraid it takes more space than I have available. So, what I've done is write a special article for you, dear subscribers, and it's now on the Tech Support Alert web site at this address: http://www.techsupportalert.com/rootkits.htm
I suggest you check out the article and follow the instructions
to thoroughly scan your PC. Of course, the chances of your PC
being infected are quite small but it's definitely worth a few
minutes of your time to make sure. I'm sure no one wants to be
in the position of believing their PC is totally clean when it
is, in fact, totally compromised.
If anyone does detect a rootkit on their PC, please write to let me know.
See you next month.
I've written before about Trend Micro's excellent free online
anti-virus scanner. Now they are offering a free anti-spyware
scanner as well. This one is not online; you have to
download the 1.7MB file and then run it on your PC. It works
just like McAfee's Stinger program in that there are no
signature file updates, so if you want to run the program in the
future you have to download the latest version of the full
program once again. It's a pretty competent anti-spyware scanner
and will fix any problems detected. It's well worth the download
even if you are already using another anti-spyware product; two
opinions are always better than one. While at the Trend Micro
site why not try their free online anti-virus scan as well?
It's accessible from the same page as the spyware scanner. It
will only work with Internet Explorer but Firefox and Opera
users can use this version.
1.2 Disposable Email Address Services
Thanks to subscriber JW for letting me know about this directory
listing of 16 different services with brief descriptions of each.
1.3 Free Anonymous Browsing
This site allows you to browse the web anonymously using any of 11
different anonymizing services. You can optionally disable
cookies, scripts and ads as well.
1.4 File Extensions Explained
Per Christensson wrote in recently to let me know
about his site FileInfo.net. It provides extensive information
on various file extensions and, unlike similar sites, it
provides a good explanation of each type rather than a simple
listing. Definitely one to bookmark.
1.5 Google Search-As-You-Type
Don't confuse this with Google's own suggest-as-you-type.
This is a third party service called Inquisitor that uses an
AJAX front end to provide snappy Google search suggestions.
Works best in Firefox and Opera. Another impressive use of AJAX.
1.6 How to Check Out a New Program Before Installing
This little-known Microsoft site provides a wealth of user
comments on many applications and is a valuable resource for
anyone thinking of buying or installing a new program. As ever,
some of the comments are well informed and valuable, others are
inane. SnapFiles also provides user comments on software but
beware - some of these are really from vendors seeking to
bolster the reputation of their products.
** Additional Items in the SE Edition **
1.7 Collaborative Search Engine is Hot
In issue 124 I mentioned a new experimental search engine
that takes Google search results and weighs them with
Del.icio.us tag frequency usage from the top 500 taggers. The
search engine is really taking off and for the best of reasons:
it gives wonderfully relevant results. I find that it works best
for topics of the kind likely to interest Del.icio.us users. So,
computer topics and pop culture work fine, but subjects like
art, history, etc. are poorly served. Quite separately, if you
haven't been using Del.icio.us for saving and tagging your
bookmarks, you are really missing out on something special. If
you have time, go over to the site now and register for a free
account. If you do, would you mind saving my "46 Best-Ever
Freeware Utilities" page as your first bookmark? It will
help me get a few more visitors to the Tech Support Alert
1.8 Use MS Office-Style Apps Online for Free
 is a web service that allows you to create and
read online documents in common office formats such as .DOC,.XLS
and others. You get 30MB of free storage space to store your
files and any or all of your files can be shared with or edited
by others. I found the system very slow, which is typical of Java-based
online systems. By comparison, check out Writely, a
free online Word-style system for creating personal or shared
documents. Writely flies along and is a really usable system.
That's because it's powered by AJAX, rather than Java. AJAX is
currently the hot product for the development of web-based
applications. Its appeal is that it offloads a lot of the work
from the server to your browser. That's why it's so much more
responsive. What a difference. It makes Java look very much
like yesterday's technology. If you need more convincing, check
out Kiko, an interactive web calendar developed using Ruby
1.9 The Free Programs Hidden in Windows
A list of useful programs in Windows that you may not
know about. Check out the users' comments at the bottom; they add
a whole lot more.
Editor's note: it looks like the page has been pulled by the author.
1.10 How to Fix Dead Pixels in Your Monitor
Dead or "stuck" pixels are a common flaw in digital monitors;
however, it is possible to try to "un-stick" them. This site
shows how. The claimed success rate is around 60%.
Got some top sites to suggest? Send them to
There's no doubt that when you browse the web you accumulate a
huge amount of stored data. The sheer quantity is surprising;
often gigabytes. A lot of this is just junk while other parts
can be useful. Just what is and what isn't junk is a personal
decision. For example, I regard the information stored in my
browser's history as a valuable resource but I know a lot of folks
see it as clutter or even an embarrassment. That's why the
flexibility to choose exactly what you want to keep or delete is
a key requirement in any browser cleaning utility. It's in this
area that CleanCache excels. Yes, there are a few other cleaner
programs that also offer this but when you take into account
CleanCache's speed, ease of use, automation features, near-forensic
thoroughness and the fact that it works with Internet
Explorer, IE clones such as Avast, Firefox and Opera, then you
have a clear winner in this category. Note that it requires the
26MB Microsoft .NET Framework to be installed on your PC.
Freeware, Windows 2000 and later, 1.3 MB
2.2 How to Restore Desktop Icons
Everyone knows the annoyance of having your desktop icon layout
scrambled. There are lots of causes: a system glitch, booting in
safe mode, Windows Explorer crashing and more. Icon Restore is a
tiny free utility that solves this problem by adding two new
items to your right-click context menu: one to save your desktop
layout, the other to restore it. What could be simpler? Thanks to
my friend Mikel Peters for this contribution. Freeware, all
Windows versions, 281KB.
2.3 Free Tool Analyzes End User Licensing Agreements
If you are one of those people who never reads EULAs when you
install software then this utility may be just what you have
been looking for. Just cut and paste the EULA into EULAlyzer and
it will flag for your attention any areas of concern. I tried it
on five agreements and it picked up about 80% of what I detected
manually, including most surreptitious adware installation
clauses. That's pretty good and well worth the effort. BTW,
check out this really funny cartoon about EULAs. All Windows
2.4 Free Utility Identifies Download File Size
It's often useful to know the size of a file before you download
it, particularly if you have a slow connection or are
approaching your bandwidth quota. Most folks do this by starting
the download and then looking at the indicated file size in
their download manager but InternetFileSize offers a far simpler
solution. It works by adding a menu item to the right click
context menu. All you do is right click on a download link and
InternetFileSize shows the true file size, modification date and
the true download path. Freeware, Windows 98 and later, 575KB.
** Additional Items in the SE Edition **
2.5 How to Copy Songs From Your iPod to Your PC
is a free utility that will not only allow you to get
your music off your iPod, but it also allows you to move files
from your PC back to your iPod without using iTunes.
2.6 A Utility That Civilizes the Command Prompt
The Windows Command Prompt (aka DOS Box) poses few
problems to those of us raised on DOS but it can be a daunting
experience for less experienced users. PromptPal is a
shareware utility that addresses this problem by providing a
friendlier interface to the command prompt with support for
standard Windows functions like the Open dialog for accessing
files, drag and drop, copy, paste and other similar functions.
Accessing the program is easy through the Windows Explorer right-click
context menu; just click on a folder and select "Open
PromptPal here." When I first tried this product I must admit my
attitude was really, "OK for newbies but we experienced users
don't really need this." However, with use I totally changed my
mind. Once I discovered some of the nifty features, I realized
that PromptPal is a real productivity tool. As an experienced
user I found that with PromptPal I consistently worked faster
and had fewer errors; it's quite addictive actually. Command
Prompt Explorer Bar is a viable freeware alternative but,
price aside, I preferred CommandBar and recommend it for both
newbies and honchos. Shareware, 30 day trial, $29.95, Windows
2K and later, 1.7MB.
2.7 Open Source Alternative to MS Exchange
If you are looking to install Exchange or, alternatively, trying
to find a way to get rid of it, then check Zimbra, a new open
source solution. I haven't tested it but it looks like a real
contender, particularly for medium size and smaller companies.
Got some favorite utilities to suggest? Send them to
This month Microsoft released nine Windows updates covering 14 vulnerabilities including three considered "critical." All three of these, if exploited, could allow someone to take control of your PC, so please ensure your computer is updated ASAP.
One of these patches, MS05-51, is of particular importance. It covers four individual flaws, one of which has the potential to be exploited through a network worm. Such a worm attack is now looking certain as proof of concept code is already circulating on the internet.
The catch is that there have been implementation problems with this particular patch. Microsoft has officially acknowledged this and has offered work-arounds but claims there have only been a few isolated instances of the problem. Whatever, it puts sysadmins in a difficult position: patch and risk bringing down the system, or don't patch and risk getting attacked by a worm.
3.2 Scanning Vulnerability in Avast Virus Scanner
is carrying a report of a flaw in the Avast "Anti-Virus
scan engine, which can be exploited by malware to bypass certain
scanning functionality. The weakness is caused by an error in
parsing certain malformed archives and can be exploited via a
specially crafted archive with additional characters prepended
to the header. Such malformed archives can be correctly
extracted by some archiving software. Successful exploitation
allows malware packed in malformed archives to pass the email
anti-virus scanning gateway undetected." No fix is currently
available from Avast so in the interim it is recommended that
Avast users unpack all archives and scan the contained files
rather than execute files within archives.
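As an added illustration of the weakness in the report quoted above (example code written for this issue, not Avast's or the reporter's), here is a gateway-side Python check that looks for an archive signature anywhere in the first few KiB rather than only at offset 0, reports where the header actually sits, and shows that Python's own zipfile module still extracts an archive with bytes prepended to its header. The signature table, the search window and the verdict strings are assumptions made for the example; the archive data is constructed in memory.

```python
from __future__ import annotations
import io
import zipfile

# Signatures of common archive formats (ZIP local-file header, RAR 1.5+
# marker, gzip). Only the formats needed for the example are listed.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar",
    b"\x1f\x8b": "gzip",
}
SEARCH_WINDOW = 4096   # how far into the file we look; an assumption

def naive_type(data: bytes) -> str | None:
    """What a scanner that only checks the signature at offset 0 concludes."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def find_archive(data: bytes) -> tuple[str, int] | None:
    """Return (format, offset) of the earliest signature inside the window."""
    best: tuple[str, int] | None = None
    for magic, name in SIGNATURES.items():
        off = data.find(magic, 0, SEARCH_WINDOW)
        if off != -1 and (best is None or off < best[1]):
            best = (name, off)
    return best

def gateway_verdict(data: bytes) -> str:
    """Policy: a signature that is not at offset 0 is itself a finding."""
    hit = find_archive(data)
    if hit is None:
        return "not-an-archive"
    name, off = hit
    if off == 0:
        return f"{name}: scan-archive"
    return f"{name}: header at offset {off}, quarantine-and-scan-contents"

def zip_still_extracts(data: bytes) -> list[str]:
    """zipfile locates the central directory from the end of the file, so
    it opens an archive with leading junk just fine; [] if it cannot."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def make_sample(prefix: bytes) -> bytes:
    """Constructed sample: a one-member ZIP with `prefix` before its header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless sample content")
    return prefix + buf.getvalue()

if __name__ == "__main__":
    for prefix in (b"", b"X" * 37):
        blob = make_sample(prefix)
        print(f"prefix={len(prefix):2} naive={naive_type(blob)!s:5} "
              f"gateway='{gateway_verdict(blob)}' "
              f"members={zip_still_extracts(blob)}")
```

The interim advice in the item above (unpack, then scan the contents) is exactly what the non-zero-offset verdict triggers here.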
3.3 Is Firefox Secure?
With all the recent Firefox security patches I've been getting
quite a lot of email from subscribers asking whether Firefox
can still be considered more secure than Internet Explorer. The
answer is unequivocal: yes. Two main factors contribute to this:
First, FF does not support ActiveX, one of the major sources of
malware infection for Internet Explorer users. Second, Mozilla
fixes newly reported vulnerabilities in FF really quickly, often
within hours while, in contrast, Microsoft takes many months.
Consequently, there are virtually no exploits circulating on the
internet for FF while there are dozens for IE. In fact, I have
never myself even seen a circulating FF exploit while I
encounter IE exploits daily. Case closed; FF is way safer than
IE. Yes, there have been a lot of FF security patches and yes,
there will be more. That's to be expected for a product whose
source code is publicly available. But all those patches are a
good sign; they tell you that Mozilla is at work fixing
potential problems. It's not the patches you should worry about,
folks, it's the number of reported but unpatched flaws. If you
use IE, depress yourself by checking out Secunia's list of IE's
outstanding unpatched flaws, 20 at last count and rising.
3.4 US Govt Backdoor in Windows Security Revisited
I ran into this 1999 article over at StumbleUpon. I recall that
at the time MS denied it outright and claimed the researcher had
jumped to the wrong conclusion. Does anyone know how this was
finally resolved? In any case, in these terrorism-dominated
times it makes very interesting reading.
3.5 New Beta of Firefox 1.5
The second beta of Firefox V1.5 is now available, though I don't
recommend you download it unless you are willing to live with a
few bugs - as they say, "beta" stands for "broken." The full
release is tentatively scheduled for November and, based on what
I've seen from the beta, it's something to look forward to. It's
considerably faster than V1.07 when browsing back and forth
between sites, has improved rendering and a much better system
for handling extensions and updates.
Neat: an RJ45 cable tester that fits on your keychain at a
ridiculously low price. It checks for both broken and shorted
wires and even handles both male and female plugs and sockets.
4.2 How to Check Whether Your PC has High Speed USB Ports
This is a question I get regularly from subscribers. Thankfully
someone has finally documented how to do it.
4.3 Sort Algorithms Compared
On this site they have animated displays of 17 different sort
techniques in operation. Geeks will find this quite fascinating;
I know I did. ;>)
4.4 Lots of GMail Usage Tips
tips at last count. A great resource for all Gmail users.
4.5 Preventing Computer-related Neck and Shoulder Problems
Anyone who uses a computer for long periods is at risk of
developing these problems. I certainly did. In this article I
show you how I solved the problem. It worked for me and I hope
it works for you too.
4.6 Useless Waste of Time Department
is a well-known site always rewarding to re-visit. Dr.
David G. Alciatore at Colorado State University has this amazing
collection of slow motion videos of everyday events. Among the
many fascinating clips, you must check out the computer hard
drive video. It will leave you wondering how these things manage
to work at all.
** Bonus Items for Supporters **
4.7 How to Write Email That Gets Answered
Like most folks, I get some dreadful though well-intentioned
mail: blank subject lines, questions that don't mean anything,
long missives without a point. No wonder so much email in the
world goes unanswered. This site offers some excellent advice on
how to write a short, to-the-point email that is likely to get a
response. A top read for all. Pity about the typos on the page.
4.8 A Web Site That Can Change Your Mood
a mood you'd like to be experiencing and this web site will
dispatch you to another site that will set you on the way.
4.9 A Simple Way to Improve Your Job Resume
some useful practical advice that will improve your
chances of getting a job interview. Having hired a lot of folks
over the years, I can vouch for the accuracy of the
One of the most unnerving computer experiences is noticing sudden, unexpected internet activity from your PC when you're not using the internet at the time.
It can be brought to your attention in several ways; for example, the lights on your modem might start blinking furiously, your firewall may indicate internet activity, or your download/upload monitor could show that a lot of information is being received or transmitted.
When this happens to me, the first thought that goes through my mind is that a malware program may be "phoning home" to some remote PC divulging all my personal information.
Now I know this is unlikely because my PC is well protected but I know enough about security to know that it's possible. So whenever this happens I immediately investigate what's happening. So should you; in the following paragraphs I'll show you how.
When you are connected to the internet you are not connected at one point but at multiple points. These different points are called ports. Data can flow in and out each of these ports. It's a bit like the way flies get into your house. They can get in (or out) the front door, the back door, the windows or the chimney. These openings in your house are just like the ports in your computer.
There can be up to 65000 ports on your computer but normally these are shut. When you start a program that connects to the internet such as your web browser, that program opens one or more ports to make the connection.
So when your computer shows signs of unexpected internet activity, what you need to do is track down which ports are open and then identify the programs that opened those ports.
There's a whole class of utilities called port enumerators that will do this job for you. In fact, there are more than a dozen such programs currently available. Additionally, many firewalls and most anti-trojan programs have in-built port enumerators though these are often quite basic.
I've looked at most of these products and found two that are outstanding:
My favorite free port enumerator is called CurrPorts from Nirsoft. It works best with Window 2000 and later though Windows 98 users can still use the product with less information displayed.
CurrPorts, like all port enumerators, shows all the ports that are currently open on your PC. It also shows you the process that opened each port and the time the port was opened. Most importantly, it flags, in pink, any suspicious ports.
Now "suspicious" here just means worth checking. However this flagging makes the job of interpreting results much easier for less experienced users.
CurrPorts also allows you to track down the remote site a particular port is connected to. If it's somewhere like North Korea, China or Romania you have a problem.
If you do have a problem CurrPorts allows you to immediately shut down that port. That reduces the potential damage but of course doesn't solve the problem. To do that you need to find the malware program responsible.
How you do that is, unfortunately, beyond the scope of this article. As a quick guide I suggest you download HijackThis from the link below and follow the instructions on the same page on how to paste the output to the Tom Coyote web forums. http://www.tomcoyote.org/hjt/
The folks on the forum should be able to help you permanently get rid of the problem and it won't cost you a cent either.
CurrPorts is a great product but it has one weakness; it doesn't tell you the amount of data flowing in and out the open ports on your computer.
This is a really important piece of information when you are trying to track down sudden unexplained internet activity. There may be dozens of open ports on your PC but what you want to know is which ones are currently being used to transmit or receive data.
I couldn't find any free port enumerator that provides this information but there are two shareware products that do: Port Explorer from Diamond Computer and TCPView Pro from SysInternals.
Port Explorer is the standout pick. Port Explorer works with all versions of Windows and a home license is $29.95. Simply put, it's the best port enumerator I've ever used. Port Explorer does pretty well everything that CurrPorts does and more. It combines ease of use with great power; a rare quality in technical utilities.
In this context its greatest ability is to show, for each open
port, the amount of information being transmitted and received.
The display can even be sorted on this criterion so the ports
moving the most data appear at the top. This makes
Once the cause of the internet activity has been identified Port Explorer provides a whole raft of tools to help you identify the remote computer using the port. It even includes a packet sniffer so you can see what information is being transmitted.
Both Port Explorer and CurrPorts can provide you with the information you need to identify the cause of unexpected internet activity. I suggest you check out both and go with the program that best suits your needs. Whatever, every experienced user should have a port enumerator installed on their PC ready and waiting to track down those mystery internet connections. You may only occasionally require such a product but it's a great comfort to have one on hand when you really need it.
NOTE: No standard port enumerator can detect open ports that have been stealthed by rootkits. To detect these you need a specialist rootkit detector. For more information see this month's Editorial.
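As an added example (written for this issue, not Nirsoft's or Diamond Computer's code), here is a small Python triage script that does the core of what the article describes a port enumerator doing: list each open port with the process that owns it and flag the rows that are "worth checking", in the spirit of CurrPorts' pink rows. The `netstat -ano` text, the PID-to-image map that `tasklist` would supply, the made-up process name updsvc.exe and the "known good" allowlists are all constructed assumptions for the example; they are not CurrPorts' own rules.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49310     203.0.113.7:443        ESTABLISHED     2240
  TCP    192.168.1.10:49322     198.51.100.9:6667      ESTABLISHED     3916
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       3916
  UDP    0.0.0.0:500            *:*                                    1044
"""
# Constructed PID -> image-name map (what `tasklist` would show);
# updsvc.exe is a made-up name standing in for an unknown program.
PROCESSES = {4: "System", 812: "svchost.exe", 1044: "svchost.exe",
             2240: "firefox.exe", 3916: "updsvc.exe"}
# What we expect to see on this PC; anything else is "worth checking".
# These allowlists are assumptions for the example, not CurrPorts' rules.
KNOWN_BROWSERS = {"firefox.exe", "iexplore.exe", "opera.exe"}
KNOWN_LISTEN_PORTS = {135, 139, 445, 500}
WEB_PORTS = {80, 443}

@dataclass
class PortRow:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    image: str
    reason: str = ""      # empty string when the row is not flagged

    @property
    def suspicious(self) -> bool:
        return bool(self.reason)

def _port(addr: str) -> int:
    """'192.168.1.10:49310' -> 49310; '*:*' -> 0."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else 0

def judge(local: str, remote: str, state: str, image: str) -> str:
    """Heuristic flagging in the spirit of CurrPorts' pink rows."""
    lport, rport = _port(local), _port(remote)
    if state == "LISTENING" and lport not in KNOWN_LISTEN_PORTS:
        return f"listening on unexpected port {lport}"
    if state == "ESTABLISHED" and image not in KNOWN_BROWSERS:
        return f"{image} talking to {remote}"
    if state == "ESTABLISHED" and rport not in WEB_PORTS:
        return f"unusual remote port {rport}"
    return ""

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text: str, procs: dict[int, str]) -> list[PortRow]:
    rows: list[PortRow] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # header and blank lines
        proto, local, remote, state, pid = m.groups()
        state = state or ""
        image = procs.get(int(pid), "<unknown>")
        rows.append(PortRow(proto, local, remote, state, int(pid), image,
                            judge(local, remote, state, image)))
    return rows

def flagged(rows: list[PortRow]) -> list[PortRow]:
    return [r for r in rows if r.suspicious]

if __name__ == "__main__":
    for r in parse_netstat(NETSTAT_SAMPLE, PROCESSES):
        mark = "!!" if r.suspicious else "  "
        print(f"{mark} {r.proto:3} {r.local:22} {r.remote:20} {r.state:11} "
              f"{r.pid:5} {r.image:12} {r.reason}")
```

On a real PC you would feed it the actual `netstat -ano` and `tasklist` output; as the NOTE above says, nothing at this level sees a port that a rootkit has hidden.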
I don't use IM so I asked regular contributor Craig Vollmar to review this category for me. Here's an abbreviated version of Craig's full review which is available online from the Tech Support Alert web site.
If you're like me, then you probably have friends and family
using a variety of IM networks. One way to talk with people on
each one of these networks is to open an account for each and
then download and install each IM client on your computer.
However, running four different IM applications on your computer
uses a lot of system resources, is difficult to manage, and
broadens your attack surface. Therefore, I would recommend using
a multi-protocol IM client. These applications not only allow
you to connect to multiple IM networks, but they are also
advertisement free, more secure, and have features that allow
you to easily manage your various IM accounts.
** Bonus Freebie for Supporters **
6.2 Clean Out the Junk from the Windows Uninstaller
Users who try out lots of programs end up with dead entries
in the Windows Uninstaller (aka the Add/Remove Programs utility)
that can't be removed or uninstalled. The usual cause is program
uninstalls that went wrong or programs that have no uninstaller.
A number of commercial utilities are available that will delete
these defunct entries but few folks know that Microsoft provides
a free tool that does the same thing. It removes the offending
program from Add/Remove programs and tidies up the corresponding
Windows uninstaller registry entries but can't, of course,
remove registry entries, DLLs and files that belong to the
defunct program. In fact, I know of no program that will do that
automatically. That's best done by hand. Still, it's useful to
be able to clean out all those dead entries from the Windows
Uninstaller. Freeware, all Windows Versions, 1.23MB.
Got some top sites and services to suggest? Send them in to mailto:email@example.com
7.0 MANAGE YOUR SUBSCRIPTION
The best way to manage your
Premium SE Edition subscription is from the Supporters' Area of the Support Alert website.
There you'll also find all individual back issues, a downloadable back issue archive,
an extensive FAQ plus a growing list of resources exclusively available to Supporters.
The Supporters' Area is protected. To log in, use the security information sent to you when you first subscribed or as notified subsequently.
If you no longer wish to receive this newsletter, send me an email at firstname.lastname@example.org. Remember to state the email address at which you are currently subscribed.
Receiving duplicate issues? If you are receiving an unwanted copy of the free edition of this newsletter, you can cancel that subscription by going to one of the following links:
Note that the free and paid editions are totally different publications so you can unsubscribe to the free edition without any chance of impacting your paid subscription.
For lots more free IT newsletters see
Thanks to subscriber A. Belile for proofreading this issue.
You can contact this newsletter by snail mail at:
Support Alert is a registered online serial publication ISSN 1448-7020. Content of this newsletter is (c) Copyright TechSupportAlert.com, 2005
See you next issue