Thursday, September 18, 2008

Security Tip - Renaming Tools

Some malware is smart enough to recognize its enemies. I ran across one of these this week cleaning up an infected PC. The PC had a recent version of the Spybot anti-spyware tool (www.safer-networking.org/en/index.html) on it so I started that up to run a scan. Nothing happened. I tried again but still nothing.

So then I downloaded Autoruns from Sysinternals (technet.microsoft.com/en-us/sysinternals/default.aspx). I started that up and again nothing happened. So what can you do when you can't even open your tools to try to get rid of some malware?

In this case, I renamed my tool and ran it under the new name and it worked. The executable at the core of the Spybot version I was using is a file called "spybotSD.exe". I renamed it to some arbitrarily chosen name. I called it "bobo.exe". Then when I double-clicked on that file I just renamed, it opened the Spybot program. I ran my scan. It found the malware and removed it.

So if it seems like one of your scanning tools isn't working, this is one thing to try. Be careful out there.

Monday, September 8, 2008

World Community Grid

The World Community Grid (www.worldcommunitygrid.org/) uses your computer to help solve problems we are all interested in solving, for example cancer and AIDS. Have a look at their site to find out more about the problems they work on, or go to YouTube and search on "World Community Grid". The idea is simple. They mean to use the leftover processing power of your PC to cure cancer.

I first heard about it a couple months ago and I have been running this software on some of my public stations, and my own, as a test. Though I suspect a number of you are already familiar with this application, I thought I would share my experience with and plans for this software.

I have been running this software on a half dozen stations for about the past month. I have noticed no response degradation at any time on any machine because of this software. It certainly does use resources but it is efficient about keeping its use to a minimum and not getting in your way.

One of the installation options is to run it as a service. This is what I use. This means it runs in the background. I use no screensaver or graphics so there is no indication there is anything going on in the background. Whenever the PC is on, this computer is working on one of these problems.

I am installing this on my public stations. I have been using it on OPACs so far. OPACs spend most of the minutes in a day just sitting there waiting for a person to use them. Now they are put in service for the good when someone isn't using them. I am just getting ready to install it on our surfing stations too.

Once this is fully in place we will provide a little promotional packet telling our patrons what we are doing with these PCs and show them how they could put their home PC to similarly good use as well.

Tuesday, September 2, 2008

Security Tip - Hosts File Security Filtering

Here is another option for DNS filtering. As Suzanne described, OpenDNS is a great way to provide content filtering. But here at MPL, we simply won’t do any content filtering at all. On the other hand, as the guy who has to keep all things tech working, I am very interested in filtering access to sites that can do us harm. So I would like to filter not content, but malware.

Let me digress into techspeak for a moment. DNS is all about translating human language to computer language. You want to type blahblah.com but your computer needs to know it is 55.555.55.55. This translation can occur at a variety of places, for example at a DNS server at your ISP or the OpenDNS server. But before your computer checks some other machine, it will check its own records to see if it has the translation stored from a previous visit to the site. You can manipulate these records yourself. So if you know you want to never access the site malware.com, you can lie to your PC and tell it malware.com is found at 127.0.0.1. That IP is a dummy IP address. So when your computer checks its records as it tries to get to malware.com, it gets lied to and it can’t get there. End techspeak section.

But there are thousands of bad sites that you would potentially block for security reasons. Wouldn’t it be somewhat time consuming finding those sites and changing all your records? It would. So have somebody else do it for you. That is what they do at www.mvps.org/winhelp2002/hosts.htm. The ‘records’ I refer to above are kept in a file called “Hosts” deep in your file system. This site creates a custom Hosts file with thousands of entries. It is up to you to download it and put it in the right place on your PC. I won’t tell you how to do that because there are instructions at the site. You have to be at least a little tech savvy to do it though.

I have automated the process of disseminating the current hosts file to all my PCs by using logon scripts. I still have a couple glitches but I almost have it right. If you are running a server in your environment and you would like the description of how I have automated it, drop me a line at jims@missoula.lib.mt.us and I’ll send you the description when I get it right. Or, if enough of you drop me a line, I’ll just post the description here at Montana Bibliotechies (http://mtbibliotechie.blogspot.com/). Thanks y’all.

Addendum: The IP address 127.0.0.1 is not really a dummy address. It has a definite meaning. It means the present PC, regardless which PC that is. It’s called the “Home” PC. That is why you see those bumper stickers on geek cars that say “There is no place like 127.0.0.1”.
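As an added illustration (not code from this post, from MPL, or from the MVPS site), here is a small Python model of the mechanism described above: it parses a hosts-format blocklist, merges it into a local Hosts file without overriding any real local mapping (so the localhost line the lists repeat is never duplicated), and shows which names would be answered from the local records before any DNS query leaves the machine. The file contents and host names are constructed samples; the sink address defaults to 0.0.0.0 (a common alternative to the 127.0.0.1 the post uses, which keeps blocked requests from reaching any web server listening on the local PC) and can be set to "127.0.0.1" instead.

```python
import ipaddress

# Addresses conventionally used as a "sinkhole" in blocklist-style hosts files.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed samples (not real files, not the real MVPS list).
LOCAL_HOSTS = """# constructed sample of a stock Windows hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.5        opac1.library.example   # constructed internal host
"""
BLOCKLIST = """# constructed sample in the MVPS-style format
0.0.0.0 malware.example
0.0.0.0 tracker.example ads.tracker.example
127.0.0.1 localhost   # lists usually repeat this; must not be duplicated
"""

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.
    Handles full-line and trailing '#' comments, tabs/spaces, and several
    names on one line; the first entry seen for a name is kept."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line: skip it rather than crash
        for name in parts[1:]:
            entries.setdefault(name.lower(), ip)
    return entries

def lookup(hostname, hosts, upstream):
    """Order the post describes: local records first, then the DNS server."""
    name = hostname.lower().rstrip(".")
    if name in hosts:
        return hosts[name], "hosts"
    return upstream.get(name), "dns"

def is_blocked(hostname, hosts):
    ip, source = lookup(hostname, hosts, {})
    return source == "hosts" and ip in SINK_ADDRS

def merge_hosts(local_text, blocklist_text, sink="0.0.0.0"):
    """Append blocklist names to the local file; local mappings stay authoritative.
    Returns (new file text, number of names added)."""
    local, block = parse_hosts(local_text), parse_hosts(blocklist_text)
    out = [local_text.rstrip("\n"), "", "# --- begin blocklist ---"]
    added = 0
    for name in sorted(block):
        if name in local:
            continue  # never override a real local entry (e.g. localhost)
        out.append(f"{sink} {name}")
        added += 1
    out.append("# --- end blocklist ---")
    return "\n".join(out) + "\n", added
```

A deployment script would write the merged text to the real Hosts file location and then verify it by re-parsing, as the assertions below do on the constructed samples.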