Archive for the ‘Windows’ Category

I haven’t used antivirus for near five years now, and yes, even on my Windows hosts. According to the popular opinion of the Internet, my Windows machines should now be zombies supporting the botnet efforts of Russian organized crime - but they aren’t. The reason for this, and I am going to make a bold statement here, is that I am just as secure without antivirus software as I would be with it. Now that you all know where I’m heading, I’ll explain why it is true for me, and why it is probably true for you too.

The secret lies in the reasons people would have you believe you need antivirus software. Obviously the reason is to prevent and clean infections, but the effectiveness of these tasks is dependent on the signatures created for the software. To give a rough outline, the process goes like this:

  1. Virus is coded and released
  2. Antivirus labs obtain a sample of the virus
  3. Labs reverse engineer and create signature for the virus
  4. Signatures are downloaded by your AV software to be able to detect and clean the virus

Ignoring heuristic scanning for a second, note that between events one and four you are vulnerable to the virus that was released. The amount of time it takes for AV labs to release a signature for a virus varies, but in that time you are unprotected from it. That means that your signature based virus detection and cleaning system is effective only for attacks that have been around for a bit.

With heuristic scanning, there is a chance that it will pick up new viruses that don’t yet have signatures. This is fairly effective for trivial viruses that repeat methods used by other viruses, but poses no resistance to viruses using new techniques, engines for encrypting malicious code, or polymorphic engines. Unfortunately for Joe Public, the damaging viruses are the advanced ones - heuristic scanning is only going to prevent you from doing something really silly (like opening that screen saver someone sent you in an e-mail).

Viruses aren’t even that dangerous. I’m sure I’ll catch some flak for this statement, but they are generally contracted by user ignorance or idiocy. Viruses by definition require user interaction to propagate, which means that if you are infected with a virus, it is because you did something to contract it. Worms are a different story: they can infect you without your participating in the event. However, antivirus is completely ineffective in blocking the initial wave of worm infections (even with heuristic scanning) anyway, which is the same time you are most likely to come in contact with the worm. If you don’t do anything to contract viruses, you don’t have to worry about them.

So say I am a discerning user who doesn’t open shifty attachments or download warez executables (i.e., I generally know what I am interacting with) - what is my risk of contracting a virus with antivirus? Slim to nil. And without antivirus? Slim to nil, because I don’t open the attack vector required to be infected by viruses. And say I contract a virus using a new attack vector that catches me off guard because it uses some new technique - what is my risk now? Antivirus wouldn’t catch it even using heuristic scanning because it is using new techniques, so it doesn’t matter whether it is installed or not. My risk hasn’t increased because my machine lacks antivirus software.

This plays out practically, too. In my five years of not running antivirus software on a Windows box that I keep patched and behind a router with NAT (which is the new default setup for many families), I have not contracted a single virus nor been hit by a single worm. This isn’t something I’m bragging about - it is just a fact that defies the common notion that antivirus is a necessity, especially on Windows boxes.

If you don’t keep your machine patched, your company policy requires it, or you are gullible, you should probably have antivirus software - your risk will decrease by having it there. If you are security conscious, aware, and scrupulous, you can save your system resources and some money by ditching your antivirus software - you are no more secure with it than you would be without it.

I had a friend share a blog post of a story that has been all over the Internet lately regarding Microsoft having a government backdoor in Windows. The story shared is located here, but I’m sure trawling around tech news sites run by 14 year olds or ignorant IT professionals will expose you to similar content.

Full disclosure: I’ve been using Linux for over five years regularly, and am typing this post from my laptop running Debian Linux to my server running Debian Linux, but I do use Windows on my desktop. Hopefully that sentence will cut down on comments accusing me of fanboyism, because I’m going to stick up for Microsoft here.

Actually, I don’t need to stick up for them - because the ‘backdoor’ doesn’t exist as far as anyone knows. I can’t pretend to know whether one exists (a huge reason why open source is better in cases like this), but in this instance the authors of these headlines are just being media whores and trying to amplify the situation for traffic. The reasons why this is true are straightforward, and numbered for your pleasure:

1. The component in question is not a part of Windows by default.

The program the article’s author is claiming has a backdoor is the Malicious Software Removal Tool, which does not ship by default with any version of Windows. Yeah, it is a component produced by Microsoft, but even if there was a backdoor in it, it isn’t a backdoor in Windows.

2. It isn’t a backdoor.

Backdoors allow an outsider unauthorized access into a system. As the article reports, the Malicious Software Removal Tool may report the IP address of the machine through the tool to a central location. Reporting an IP is nowhere near the same class as a backdoor. While I won’t argue that doing this against the user’s will is a breach of privacy, people seem to be in love with escalating issues, and it is as stupid as it is unfounded.

3. Everything is speculation.

Find a fact worth the attention these stories are getting. Everything is based on interpretation of events, and the discussion following those interpretations is once again removed before “facts” are arrived at. Sensationalist writing has always annoyed me, and that people take it seriously even more so.

So there you have it. The fabled Microsoft Windows government backdoor is a manifestation produced by someone who fails both at basic computer security and journalism. Just as the title of this post states: the Microsoft Windows government backdoor… isn’t.

I enjoy computer security. There aren’t a lot of opportunities to study it formally within computer science, so my education in this field is entirely from what I read and practice in my own time.

Most recently, I’ve been feeling the itch to write a worm. The idea is attractive because a worm can be developed modularly with reusable components. Each individual component will increase my knowledge substantially in a different area of security, making the development a measurable goal with incremental positive feedback.

However, before development could begin, I wanted to ensure that I wouldn’t end up in court for an accidental release of one of the components gone awry. I love virtual machines as a tool to aid in the development process, so the solution was immediately obvious - create a multi-host virtual network that is isolated from the world. Further, I wanted each machine on this isolated network to occasionally be able to access the Internet to retrieve updates or tools, so the isolation needed to be complete but *controllable.* The final requirements of the virtual network ended up looking like this:

  • Isolated network except when explicitly given access to the Internet
  • Multiple hosts with different operating systems
  • Must be able to easily add and remove hosts
  • All hosts on the network must both default and fail to isolation

The way to implement this using VMWare Workstation (and I’m sure other products in their virtualization line) is to utilize teams. Teams are a ‘wrapper’ of a sort that encompass multiple VMs with additional configuration. When you start a team, each virtual machine included in the team’s configuration is also started. The team can be configured to also provide a virtual network segment for the virtual machines to use, which when paired with each VM in the team being configured with ‘host only’ network access, results in a virtual isolated network.

The team doesn’t provide DHCP though, which means the network has to be maintained with static addresses and edits to each machine’s hosts file. This hardly met my requirement for easily adding and removing hosts from the network. Creating a host that acts as the network server fulfills this requirement, and also gives me a single place to control network access. As we continue on, please note that I’m using Debian Linux with a 2.6.x kernel, and all of the commands I give below and edits to configuration files *must be done as a superuser.*

Enough setup: time for implementation. To speed the process, I created two base images, one Windows XP SP2 install, and one Debian Lenny netinstall with a 2.6.x kernel. Each image was updated to include the latest patches, user accounts were created, and standard tools were installed. Once these base images were created, they were set aside to never be modified. Clones of the base images are created for each of the expendable hosts, and one clone of the Debian base image was used as the only ‘permanent’ member of the team. All members of the team share one virtual network segment, and have one interface. The only exception to this is the network server VM, which is dual-homed to be connected to both the virtual network and the Internet via NAT.

All hosts default to DHCP, so cloned images have no need for additional configuration when added. The network server is the only machine that had to be set up specially. The bind9 and dhcp3-server packages were obtained (for DNS and DHCP, respectively) using Debian’s awesome package manager:

apt-get install bind9 dhcp3-server

Configuring bind is trivial: it defaults to forwarding DNS requests, so no configuration is required unless you want to change something. dhcpd, provided by dhcp3-server, is a little more complicated. First, the interface connected to the isolated network must be given a static address in the subnet from which you will be offering IP addresses, like 10.10.10.1 for the 10.10.10.x subnet or 192.168.30.1 for the 192.168.x.x subnet. It would be wise to modify your interface configuration so this change survives rebooting.

/etc/network/interfaces:

auto lo eth0 eth1
iface lo inet loopback
iface eth0 inet static
	address 10.10.10.1
	netmask 255.255.255.0
iface eth1 inet dhcp

The external interface is eth1, and is configured with DHCP since it is NAT routed. The internal interface is eth0, and is given an IP of 10.10.10.1 with a subnet mask of 255.255.255.0. (This means that the last octet of the IP address is variable and available for use.) Next comes the configuration for dhcpd:

/etc/dhcp3/dhcpd.conf:

default-lease-time 600;
max-lease-time 7200;
authoritative;
option domain-name-servers 10.10.1.1, 192.168.30.1;

subnet 10.10.10.0 netmask 255.255.255.0 {
 range 10.10.10.2 10.10.10.254;
 option routers 10.10.10.1;
 option ip-forwarding off;
 option broadcast-address 10.10.10.255;
 option subnet-mask 255.255.255.0;
}

Here we are saying that the subnet is 10.10.10.*, and that we will assign addresses from 10.10.10.2 - 10.10.10.254. The other options should be self-explanatory - read up on networking if you have questions. As it stands, when the interfaces are brought down and back up and dhcpd is started, addresses will be assigned to all virtual machines sharing that network segment. If this is all you want, just issue:

ifdown eth1 eth0
ifup eth1 eth0
/etc/init.d/dhcp3-server start

And you are done! The machine now will serve DHCP to the isolated subnet, while maintaining separate access for itself to the Internet.

However, if you want to continue on to enable Internet access for other hosts on the isolated network, we still have some work to do.

My solution for this involves iptables and masquerading. Before we do anything, we’ll need to enable IP forwarding. This can be done in multiple ways, but the most reliable for me has been the following simple command:

echo 1 > /proc/sys/net/ipv4/ip_forward

With IP forwarding enabled, we can now utilize the masquerading features of iptables, the Linux firewall. We accomplish this by creating a rule that takes packets coming in on our internal network’s interface and sends them out on our external interface, together with a complementary rule that accepts the return packets coming in from the external interface headed for the isolated host. The individual rules for my setup are:

iptables -t nat -A POSTROUTING -s <ipaddress> -o eth1 -j MASQUERADE
iptables -A FORWARD -d <ipaddress> -i eth0 -j ACCEPT

Since these are annoying to have to type in each time I want to enable access for a host, I wrote a set of scripts. The first two enable and disable access for a host or multiple hosts respectively. The third script is my emergency “oh crap” failsafe, with which, in a single command, I can disable all isolated hosts’ access immediately, followed by bringing down the network server’s interfaces for complete assurance that whatever is going on won’t get out of the virtual network. Here they are:

enableInternet.sh

#!/bin/bash
if [ $UID -ne 0 ]; then
        echo
        echo "Must be root to run this program."
        echo
        exit 1
fi

if [[ -z $* ]]; then
        echo
        echo "  Usage: ./enableInternet.sh <ipaddress [ipaddress2...ipaddressN]>"
        echo
        exit 1
fi

for ip in "$@"; do
        # Will match an address of type 10.10.1.2, which matches our subnet
        # definition
        check=`echo $ip | grep -E '^([[:digit:]]{2}[.]){2}[[:digit:]][.][[:digit:]]+$'`
        # If it doesn't match, print a warning and skip it
        if [ -z "$check" ]; then
                echo "Improperly formatted address $ip, skipping..."
                continue
        fi

        # Enable Internet access for the address
        iptables -t nat -A POSTROUTING -s $ip -o eth1 -j MASQUERADE
        iptables -A FORWARD -d $ip -i eth0 -j ACCEPT
        echo "$ip's internet access enabled..."

done

echo "Done."

blockInternet.sh

#!/bin/bash
if [ $UID -ne 0 ]; then
        echo
        echo "Must be root to run this program."
        echo
        exit 1
fi

if [[ -z $* ]]; then
        echo
        echo "  Usage: ./blockInternet.sh <ipaddress [ipaddress2...ipaddressN]>"
        echo
        exit 1
fi

for ip in "$@"; do
        # Will match an address of type 10.10.1.2, which matches our subnet definition
        check=`echo $ip | grep -E '^([[:digit:]]{2}[.]){2}[[:digit:]][.][[:digit:]]+$'`
        # If it doesn't match, print a warning and skip it
        if [ -z "$check" ]; then
                echo "Improperly formatted address $ip, skipping..."
                continue
        fi

        # Disable Internet access for the address
        iptables -t nat -D POSTROUTING -s $ip -o eth1 -j MASQUERADE
        iptables -D FORWARD -d $ip -i eth0 -j ACCEPT
        echo "$ip's internet access disabled..."
done

echo "Done."

blockAll.sh

#!/bin/bash
if [ $UID -ne 0 ]; then
        echo
        echo "Must be root to run this program."
        echo
        exit 1
fi

echo "Disabling Internet access for all hosts on 10.10.1.0/255.255.255.0..."

iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
ifdown eth0 eth1

echo "Done."

I aliased all the commands in my shell’s configuration scripts and prefixed them with sudo so they can be executed quickly from anywhere on the system. If you’ve read this far, you should too - at least for the blockAll script. You don’t want to be fumbling around trying to remember where you put the script when you need complete isolation 30 seconds ago :)
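A companion audit script, added here as an example (it is not part of the original post): it parses iptables-save output to list which isolated hosts currently hold both halves of the MASQUERADE + FORWARD rule pair, flags the half-applied state the enable/block scripts above can leave behind, and checks the FORWARD default policy. It assumes the same eth0/eth1 layout as the post; the rule listing it runs on is constructed, not captured.

```shell
#!/bin/sh
# Added audit helper; not part of the original post. It assumes the layout
# described above: eth0 faces the isolated segment, eth1 faces the Internet,
# and a host gets access through the rule pair POSTROUTING MASQUERADE +
# FORWARD ACCEPT. It parses iptables-save text so it can run offline; on the
# network server, feed it "$(iptables-save)" for a live check.

# Addresses selected by rules in chain $2 of the iptables-save text $1 whose
# address option is $3 (-s or -d), whose interface option $4 (-o or -i) is
# $5 and whose target is $6. One bare address per line, /32 suffix stripped.
rule_hosts() {
    printf '%s\n' "$1" | awk -v chain="$2" -v aflag="$3" -v iflag="$4" \
                             -v iface="$5" -v target="$6" '
        $1 == "-A" && $2 == chain {
            addr = ""; dev = ""; tgt = ""
            for (i = 3; i <= NF; i++) {
                if ($i == aflag) addr = $(i + 1)
                if ($i == iflag) dev = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if (tgt == target && dev == iface && addr != "") {
                sub("/32$", "", addr); print addr
            }
        }' | sort -u
}
nat_hosts()     { rule_hosts "$1" POSTROUTING -s -o "$2" MASQUERADE; }
forward_hosts() { rule_hosts "$1" FORWARD -d -i "$2" ACCEPT; }

# Default policy of the filter table's FORWARD chain (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == ":FORWARD" { print $2; exit }'
}

# One line per host: "ADDR ok" when both halves of the pair exist,
# "ADDR nat-only" or "ADDR forward-only" when an enable/disable run stopped
# half way (the scripts above do not check the iptables exit codes).
# $1 = iptables-save text, $2 = internal interface, $3 = external interface.
audit_pairs() {
    nat=$(nat_hosts "$1" "$3")
    fwd=$(forward_hosts "$1" "$2")
    for h in $(printf '%s\n%s\n' "$nat" "$fwd" | sort -u); do
        if printf '%s\n' "$nat" | grep -qxF "$h"; then
            if printf '%s\n' "$fwd" | grep -qxF "$h"; then
                echo "$h ok"
            else
                echo "$h nat-only"
            fi
        else
            echo "$h forward-only"
        fi
    done
}

# Constructed iptables-save listing (not captured from a real host):
# 10.10.10.5 has both rules, 10.10.10.7 only the NAT half.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.5/32 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.10.10.7/32 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 10.10.10.5/32 -i eth0 -j ACCEPT
COMMIT'

audit_pairs "$SAMPLE_RULES" eth0 eth1
# With ip_forward=1 and the FORWARD policy left at ACCEPT, the filter table
# blocks nothing: only the absent MASQUERADE rule keeps a host off eth1.
# "iptables -P FORWARD DROP" makes the default-deny the post wants explicit.
if [ "$(forward_policy "$SAMPLE_RULES")" != DROP ]; then
    echo "warning: FORWARD policy is $(forward_policy "$SAMPLE_RULES"), not DROP"
fi
```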

I know this post was long, but there was a lot to cover. With this setup, hosts can now be easily added thanks to DHCP, Internet access is manually granted and defaults to none, and the environment is completely homogeneous. Perfect for worm development, malware analysis, or what have you. If you replicate this environment, let me know how it works out for you and what improvements you make. I’m always interested in making better systems!

I’m one of those people that tends to get distracted when I’m procrastinating. Most often, this comes out when I’m doing a programming assignment and I go to open documentation in my browser. For those of you that weren’t aware, Firefox and Stumbleupon are a developer’s worst nightmare - so many interesting things, only a click away! It had to stop.

So I hacked up DocBrowser, a minimalist’s web browser created solely for the purpose of quickly accessing documentation and APIs. It is free of clutter and distractions, leaving only you and the information you seek on the screen. It is not extendable, and its feature set is limited. It is therefore exactly what I had in mind when I started coding it.

I’ve created a page for it here. It is free, and is only 1.5mb, so why not download it and give it a shot?

Windows only, requires .NET 2.0.

In my last post I chronicled the time consuming process of converting an image produced using the Unix dd utility to a vmware VMDK virtual disk. The process does work, but VMWare will only load it if the image contains a master boot record that still contains the appropriate information when removed from the rest of the system. Additionally, I think it is appropriate to mention again how terribly slow it is. We can circumvent these problems with Live View for Windows, a program developed for forensic work by Carnegie Mellon University.

The process for creating the image with dd is the same as last time, i.e., by doing something along the lines of:

dd if=/dev/hdc3 of=/mnt/external/diskImage/XPSP2.img bs=1024

Once that image is generated and you are back in Windows, simply launch the Live View utility and… the rest is pretty self explanatory. Once the dd image is generated, the Live View program takes only a couple minutes to create the new vmdk, configure the virtual machine, and launch it. Sweet, sweet efficiency!

[Update: there is an alternative method here. It has better success and is more reliable for partitions that reside in the second or later primary partition positions. It is also more user friendly.]

I have a Windows XP SP2 installation that I use for work, while my current personal OS of choice is Windows Vista. I only work weekends, so rebooting wasn’t too bothersome initially. Over time it has become more and more of a chore, as I can’t easily switch from one development environment to another without rebooting. I decided it was time to make my work installation a virtual machine.

I had some additional complications that made the process a little non-standard. I originally tried using VMWare’s converter tool, but it would fail at 97% of the creation of the disk. I then tried using a Windows port of the Unix utility ‘dd’ to create a raw image of the disk, but because the Windows volume manager was accessing the disk, dd would give me access errors. Additionally, the VMWare converter doesn’t support converting from a raw image (…grr…), so Qemu’s qemu-img tool would have to be used to convert the raw image to a disk in VMWare’s vmdk format.

The steps to reach our goal aren’t too complicated, and can be replicated by others easily. To do it, I used:

  • VMWare Workstation
  • A Linux installation or LiveCD (I used my existing Debian installation, but something like Knoppix would work fine)
  • Qemu
  • NTFS-3G (if you plan on writing out to an NTFS partition from Linux, as I did)

I started by booting into my Linux install. Linux only mounts the disks it uses (hint hint, Microsoft) so we can access all sectors of the partition to make a dump of the disk with dd. I first had to mount the partition where I wanted the output file to reside, which uses NTFS:

ntfs-3g /dev/sdb1 /mnt/external

Next, create the image. I did this with the following (substitute your device/partition and output file):

dd if=/dev/hdc3 of=/mnt/external/diskImage/XPSP2.img bs=1024

When that finishes, the file specified with the ‘of’ option in dd will contain a block-by-block exact copy of your partition. However, it is in a raw format - we need it in a format VMWare can read. This is where Qemu comes in. Qemu is distributed with qemu-img, a tool used for creating, manipulating, and converting images. Specifically, our goal is to use qemu-img’s convert functionality to convert from a raw image format to the vmdk format. This is accomplished with:

qemu-img convert -f raw /mnt/external/diskImage/XPSP2.img -O vmdk /mnt/external/diskImage/XPSP2.vmdk

Be prepared to wait. For a 40gb image, this process took roughly 12 hours. Since qemu-img provides no status as to how far it has come, I kept tabs on it just by monitoring the filesize of the output image. This is entirely unnecessary, but if you want to do the same, just open a new terminal and type the following:

while [ 1 -gt 0 ]; do du -hs /mnt/external/diskImage/XPSP2.vmdk; sleep 10; clear; done

This will just print out the size of the file on your screen so you can watch it grow. Alternatively, Roberte provided a tip in the comments that suggested using the “watch” command. Either will work:

watch 'ls -lh /mnt/external/diskImage/XPSP2.vmdk'

When the process is completed, boot back into Windows (or if you are using Linux as the host, stay put) and create a virtual machine around your new disk image. Don’t forget to remove the original img created with dd, it is a huge waste of disk space :)

[Notes]

  1. This process is really only feasible if you have a lot of disk space. At worst, the disk requirements are greater than 2*P, where P is the partition size of the virtual machine you wish to create. However, qemu-img only writes out actual data, not empty sectors, so your output image will be the size of the used space in the input image. For my conversion, I used over 40gb (input)+15gb (output) of disk space, which was reclaimed with the deletion of the output of dd, and resizing another partition to use the old physical installation’s space.
  2. qemu-img doesn’t support stream input, which is why we can’t pipe dd’s output directly into qemu-img convert. This would have reduced the disk requirements to only the size of the vmdk image, and sped up the process substantially. Bug the Qemu developers to implement this feature :)

When converting a raw image (such as an image created using dd) to a VMWare vmdk image in Windows using Qemu’s qemu-img utility, I came across an error. The command I used is as follows:

qemu-img convert -f raw L:\VMtmp\winImage.img -O vmdk D:\vmtmp\xp.vmdk

Which works fine until the output image reached 2GB in size, at which point it exits with this error:

qemu-img: error while writing

Yay for descriptive error messages! I hunted through the qemu-devel mailing lists, as this is an apparently undocumented feature. The cause behind the error is that the Qemu binaries were compiled for Windows with MinGW, which apparently doesn’t have large file support built in. So the solution to the problem is to either compile your own version of Qemu for Windows using Cygwin (which has had large file support for some time), or do what I do - use Linux. The Qemu binaries in Linux aren’t affected by this problem, and you can create files of whatever size you desire.

Giving your application an icon can be that finishing touch that says “application, I love you.” Unfortunately, the icon designer in Visual Studio 2005 isn’t a very friendly tool for creating nice looking icons. Wanting to make a cow icon for a quick 12/24 hour converter I wrote for my girlfriend, I went running to my favorite image editing program - Paint.NET.

Paint.NET, it turns out, doesn’t support saving images in the Windows-standard .ico format! Luckily, someone was as unhappy with this as I was and created a filetype plugin for Paint.NET that grants the ability to work with and save images as icons. The download link is here. The plugin is awesome, it supports editing and saving images to be used as cursors also. And both formats, icons and cursors, can be saved with multiple image sizes in one file to support multiple icon and cursor sizes. While it is overkill for my application, this feature will save time in the future by allowing icons and cursors to be designed once (as a larger image) before being automatically scaled to each of the smaller sizes. The same feature addresses large icon and cursor sizes for users that require higher accessibility (another extremely important aspect of software development that is far too often ignored) making this plugin an all-in-one hit.

So while my girlfriend will never appreciate the depth and accessibility her little cow icon provides, it makes me smile knowing that in a pinch it could be blown up to all its 256×256 32bit glory :)

I found this page on how to enable remote desktop remotely, and found the tip handy enough to pass along.

Too bad it won’t work if access to the registry via the network has been disabled :-/

Reinstalling Windows Server 2003 isn’t necessarily difficult. However, when you introduce 3rd party disk controllers and no floppy drive, things get tricky.

The question here is simple: Why Microsoft, WHY!? Requiring a floppy drive is ridiculous, especially on newer servers! Please allow, at the very least, a usb flash drive to be used instead. Thank you.