Microsoft Security
|
|
(2007 Oct 24 blog post)
! Note !
Some images, links, and/or text may be added
--- if/when I re-visit this page.
|
INTRODUCTION : A few years ago (Oct 2005), I had a virus infection of my computer while using the Microsoft Internet Explorer web browser. It was a very educational experience. And it took me two weeks to recover from the 'trojan horse attack' on my computer. Most of that time was spent looking for answers, doing web searches, and trying things that I now know were a waste of time to try. Here is how it started. I had been using a Mozilla Firefox browser, to avoid the exposure to viruses that comes with using Microsoft's Internet Explorer browser. Unfortunately, that release of Firefox (a 1.x release) had a memory-leak in it. After about 10 or 20 repeats of some operations (downloading medium-sized image files), the Firefox browser would get slower and slower, until it finally locked up. I resorted to using Microsoft's Internet Explorer browser. Brother, was that ever a mistake. The first indication that I had an 'infection' on my computer was the screen background on my computer turned red. And on the background was a message that said to click on the indicated link, on the desktop background, to get to a site for some software that would remove the infection. Yeah. Like I am going to trust an unknown person, who did this to me, to 'do the right thing'. Anyway, things started going haywire on my computer. The Internet Explorer web browser was bogging down, and after about 10 minutes of use the whole computer would lock up. I would have to re-boot to get started again. Every ten minutes, or so, of use I would have to re-boot. |
|
Tracking down the offending programs : I finally figured out, by looking at programs that the Microsoft Task Manager said were running (and by some Web searches, on a different computer), that a program named 'desktop.exe' is not a Microsoft program --- and that other people had been infected by this 'trojan horse' virus. I learned later that every time I booted up the computer, there was a program executed, via the Microsoft Registry, that made sure the 'desktop.exe' program was running. It apparently used a copy of the program, disguised under a different (scrambled letters) name, which would be copied to the name 'desktop.exe' and then started up. So I could not simply remove 'desktop.exe' to fix things. The insidious hidden-program, that inserts its assault team, including programs like 'desktop.exe', on a computer, is the reason for the name for this type of infection --- a 'trojan horse'. By the way, it is not simple to remove 'desktop.exe'. It was installed in the 'C:\WINDOWS\SYSTEM32' directory/folder --- and Microsoft does not let you remove programs from any of its 'system' folders --- nor can you stop ANY such running program. Further, Microsoft does not tell you about the 'safe' mode method of booting up in order to remove non-running programs from the system directory. You have to find those things out by doing web searches to get the info from your fellow trojan-horse victims.
2009 UPDATE: When you boot up in 'safe' mode, the infection programs have already started running, and --- according to Microsoft's great design to thwart you --- you cannot stop or remove a program in one of the Microsoft system directories. You have to suffer that sort of curtailment of your rights of ownership of the Microsoft software, after paying for the software. I found many forums on which people had asked for help and they were told to run 'Hijack-Pro' to get a listing of crucial contents of the Microsoft Registry. When they posted these results, Hijack-Pro 'experts' would point out, to the victims, the cause(s) (actually, just some symptoms, usually) of their infection. BUT, almost invariably, with 'trojan horse' infections such as this, it turned out that there is no easy cure. The closest thing to an easy cure was re-installing the operating system, after backing up files. Even people with up-to-date anti-virus software had been infected by this 'desktop.exe' 'trojan horse'. Their anti-virus software could not detect, much less remove, the offending files and Registry-database-entries, even after repeated scans with their anti-virus software. |
|
Trying to undo the damage : The people seeking help on these forums found out that, even after they knew that this 'desktop.exe' file is a part of this infection and they were told by Hijack-Pro 'experts' some entries to remove from their Microsoft Registry database, via the 'regedit' program (for which Microsoft does not provide much guidance), they could not 'manually' remove a sufficient amount of the 'infection' so that their computer would return to 'healthy' behavior. I tried for two weeks, to return to a 'healthy' computer. Here is a relatively brief overview of what I did. Using the Microsoft Windows 'Search' utility (for recently-created/modified files on your computer --- files created/modified since the day before the infection), I found that the 'desktop.exe' program was in the Windows 'System' directory. I found out, from experience, that Microsoft protects that directory so that I, THE OWNER OF THE COMPUTER, COULD NOT SIMPLY REMOVE THAT PROGRAM FROM THE SYSTEM DIRECTORY --- BUT A PERSON HALF-WAY AROUND THE WORLD COULD INSERT THE PROGRAM (and various auxiliary files) IN THAT PROTECTED-FROM-ME DIRECTORY --- AND!!! THAT SOCIOPATHIC PERSON COULD MAKE ENTRIES (new Registry variables and changes to values of existing variables) IN THE MICROSOFT REGISTRY ON MY COMPUTER. How great a design is that? Bill Gates allowed this to happen?! He can't be as intelligent as people think he is. OR, he is so concerned that owners of computers will make trouble by mucking about with operating system files and the registry, that he concentrates effort on keeping the owner of the computer from accessing those files, while allowing the rest of the world to insert almost anything they want, into any folder or file, on your computer. I found out that I had to start my computer up in 'safe mode', in order to have a chance to remove files from the Windows System folder. You can start up in 'safe mode' by pressing a specific key, like Esc or F10 (it varies by BIOS type or computer maker), during the early part of the boot-up process. In 'safe mode', your computer background and icons look very crude, but you can use 'MyComputer' or 'WindowsExplorer' to get to the Microsoft System directory and remove the 'desktop.exe' file. Then you can re-boot into 'normal mode' and try to continue. That is when I found that 'He's baaaaccckkk.' The 'desktop.exe' file had been 're-constituted' and was executing again. To make a long story short, I finally found some Registry entries that were running a program on startup that, apparently, was re-creating the 'desktop.exe' file. However, even after getting to the point of being able to login without the 'desktop.exe' program running, I found that I could not use Internet Explorer (web browser) for more than a few minutes before it started locking up or crashing. I could not find a way to repair Internet Explorer. Read on. |
|
Finding that I needed to do I tried to obtain and re-install the recommended version of Internet Explorer from the Microsoft site. But I found that I could not use another browser, like Firefox, at the Microsoft download pages --- I had to use Microsoft's Internet Explorer. I hit problems with the re-installation of IE. I hit a catch-22 situation where it would install most of the Internet Explorer components, but the Microsoft install procedure thought that I already had certain components and would not download those. (And I'm expected to trust Microsoft to automatically update my computer whenever Microsoft wants to?! Let me make this clear. I am really fed up with Microsoft and HP and others, running automatic update software on MY computer and not giving me an easy, obvious way to de-activate it.) I finally had to recognize the fact that my computer files and registry were so damaged by now, that I was not going to get my computer cleaned up to the way that it was before the infection --- unless I did a complete re-install of the operating system. Luckily, the computer would run about 10 minutes before it would lock up. And luckily, I could load a CD into the CD-writer and use the Easy-CD-Creator software to backup my files before the computer locked up. (My files were in a couple of folders, MyDocuments and one other. Also, a couple of browser bookmarks files and about thirty Outlook Express mail '.dbx' files were in 'ProgramFiles' sub-folders. I found them with the Windows 'Search' utility.) [It took a lot of web searching to find out how I could backup-and-reinstall the Outlook Express files --- and even then, I ended up losing some of my folders of mail. The backup process took a matter of days, not hours --- mostly for information gathering.] Luckily, my computer had come with Recovery disks. I did not have to download from the Internet multiple CD's worth of files. (Many vendors nowadays, like Compaq for their laptops, do not provide Recovery CDs or DVDs. They require you to download them from one of their web sites/pages. But I found the download would fail, on my Compaq laptop, before I got the first CD written. That doesn't much matter to me now. I now have Linux on 3 desktop PC's. My laptop is next. I would recommend Ubuntu Linux, for which I have provided some install information on an Ubuntu Install Notes web page.) |
|
Restoring the Microsoft operating system --- My infected computer would stay up just long enough so that I could read the instructions, in a computer-vendor (HP) Help system, for how to use the HP Recovery disks. I re-installed the operating system. That took about an hour. My only action through most of that process was to remove and insert a couple of CD disks. Then I had to replace my data files from my backup CD. I managed to reinstall some Mozilla bookmarks and most (but not all) of my Outlook Express folders. (Probably my fault. I probably missed a couple of '.dbx' files.) I then proceeded to install some programs that I have found useful, like Irfanview for re-sizing and touching-up photos --- and a Mozilla web browser to use in place of Microsoft Internet Explorer. After this virus experience, I studiously avoid using the Microsoft Internet Explorer web browser --- and I installed ZoneAlarm Firewall software. (I also installed ZoneAlarm [later Sunbelt Personal Firewall] on my wife's computer, and it immediately found two spy-ware programs that were attempting to send information to two different web sites. Via a Google search, I found that one of the programs was sending information to a web site that no longer existed. The other was sending to a site that did exist. I deleted both programs. If I can find some notes or emails on those programs, I will put that info here. One program was sending to a 'websense' site.)
NOTE: You have to use a special key (or key combo) during boot-up, to boot up in 'safe mode'. Then the Microsoft operating system 'should' allow the anti-virus software --- which is 'running as you' and thus is not ordinarily allowed to remove files in the Microsoft System directory in 'normal mode' --- to remove files from the System directory. So when anti-virus vendors tell you their software will remove viruses, they are not telling you the whole story. You typically have to run the software in 'safe mode' to remove the really insidious viruses. And even that typically fails. Think about it for a minute, folks. The way the anti-virus software works is that it has to know the names of files to delete or change --- and the names of variables to change or remove in the Microsoft Registry database. All it takes for a virus-writer to get around the anti-virus utility is to change the names of some files and variables. Voila. He has a new virus --- undetectable by current anti-virus software. |
|
From my experience, I see that THERE IS NO WAY THAT ANTI-VIRUS SOFTWARE CAN PREVENT ALL VIRUSES FROM INFECTING YOUR COMPUTER. The viruses can 'mutate' by simple name changes. THUS, IN MY OPINION (and in the opinion of a writer of an article in Network World magazine in early 2007), ANTI-VIRUS SOFTWARE IS BASICALLY A SCAM. It might work against the most amateurish of propagators of viruses --- and the older viruses. But even 'beginner' virus-propagating 'criminals' can change a virus to get around ALL current updates to ALL current anti-virus software. Hence, I recommend using firewall software --- like ZoneAlarm or Sunbelt Personal Firewall (both old, gone?) --- which can warn you when new (suspicious) programs are trying to DOWNLOAD network packets (files, "trojan horses") onto your machine . . . AND warn you when programs are trying to UPLOAD network packets from your machine (for example, your keystrokes, in particular, the characters corresponding to the keys that you pressed when you enter login IDs and PASSWORDS) to other 'bad guy' computers on the Internet. In summary, the reason I say that 'Microsoft security is an oxymoron' and 'anti-virus software is useless against strong infections' is: ANY PERSON, AT ALMOST ANY OTHER COMPUTER IN THE WORLD, CAN PUT A NASTY 'TROJAN HORSE' INFECTION ON YOUR COMPUTER --- COURTESY OF ESSENTIALLY NO FILE PROTECTIONS ON YOUR MICROSOFT OPERATING SYSTEM, IN ITS 'DEFAULT' CONFIGURATION, AS IT IS TYPICALLY DELIVERED TO YOU. AND, AT THE SAME TIME, MICROSOFT MAKES IT QUITE DIFFICULT, IF NOT IMPOSSIBLE, FOR YOU, THE OWNER OF THE COMPUTER, TO REMOVE FILES AND REGISTRY ENTRIES RESPONSIBLE FOR INFECTING YOUR COMPUTER. Based on my experience, if your computer ever gets infected by a 'sticky' trojan-horse-type virus, you can bet that it probably involves a bunch of insidious, self-propagating garbage in your Microsoft 'Registry' database and in your Windows System directories. And you can bet that you can save yourself a lot of wasted time by
|
|
Some 'Postcript' notes --- including In the latest versions of the Microsoft operating system, there may be 'recovery images' that are stored in a separate partition on your disk drive, taking a significant amount of space on your disk drive. You may be able to press a few keys to implement a recovery based on an image taken on some date before you believe your infection occurred. To find out how successful people are in using the recovery option, you could do a WEB SEARCH on terms such as and focus on conversation 'threads' found on computer forums. Some threads that I have encountered suggest that this 'Microsoft recovery' technique is not a cure-all. If the Microsoft Recovery option doesn't work, try the re-install method that I outlined above. And, seriously, consider Linux. It has made great strides in the years 2005-2007 in providing an easy-to-try, easy-to-install, easy-to-use experience --- with a desktop operating environment at least as good as Microsoft in many ways, and better in many others.
POSTSCRIPT 1: After recovering from my 'trojan horse' infection, I was able to track down the web site from which the infection came --- and I was even able to see a 'desktop.exe' file on the server there. From the IP address of the web site, I was able to determine that the web site was headquartered in a city in Northern California (Concord). And I was able to get an email address of the web site administrator there --- and the street address of the file-server site (below). Here is an email that I sent to the to the administrator there (with copies to web administrators who had complained to this web administrator about other abuses from that site --- a fact I found out via some Google searches). This email includes some quite detailed notes on the files inserted onto my machine as well as corresponding files on the 'Intercage' (alias Atrivo) host site. It seems 'Russ' is an administrator at the site --- and here is a street address and phone number, as well as email address.
Intercage Inc. (later Atrivo Inc.) 1955 Monument Blvd. Concord, CA 94520 1-925-550-3947 IP address harboring the 2005 infection: 69.31.79.117 Other IP addresses involved: 69.31.79.114 and 69.31.79.115 If that administrator and site are continuing with web abuses, they need to be neutered and terminated, respectively. You could try a WEB SEARCH on keywords like atrivo intercage abuse once in a while to see how things are going. (I got about 3,500 hits in April 2010.) I got about 13,000 hits in April 2010 on the Intercage/Atrivo president's name, Emil Kacperski --- and most of the hits I saw involved Intercage/Atrivo and were not complimentary. (Note that the 'Kacperski' last name seems to be a play on the name 'Kapersky', which is the name of an anti-virus software company. Accidental or on-purpose-flaunting?) And I got about 500 hits in April 2010 on the Intercage/Atrivo admin Russell Mitchell. The Russian and Estonian involvments make interesting reading.
POSTSCRIPT 2: About a month or two after I had the 'trojan horse' infection on the HP computer (with a pre-XP Microsoft Windows operating system), I got a new desktop computer with Microsoft Windows XP installed. Since I had been reading for the past several years about how Microsoft had been working to make their operating system much more secure, I was expecting to find that Microsoft had implemented more robust (Unix-like) file protections in XP. |
|
Microsoft still not making their There is no significant difference in the permissions system on XP and on previous Windows operating systems (2000, ME, 95, 3.1). It is still the case that, by default, you work without a password, as both a user and as an administrator, with update permission to Windows directories (folders) and files. And you are still not allowed to remove files from the System folder 'manually' --- via MyComputer, WindowsExplorer, or MS-DOS command line. Other than those restrictions on you (the owner of the PC), file permissions are essentially 'wide-open'. In other words, it is STILL THE CASE that a PERSON HALF-WAY AROUND THE WORLD FROM ME (or next door) CAN PUT FILES IN THE WINDOWS SYSTEM DIRECTORY --- AND ENTRIES IN MY REGISTRY. But I, the owner of the computer, still, cannot remove files from the System directory in a direct or user-friendly way. By searching around in the Microsoft XP Help system, I found that there IS a user administration system. You actually CAN setup a more secure environment --- a userid (with password) for normal use, and an administrator-id (with separate password) for administrative tasks such as program installation tasks. That could conceivably ('maybe' is the operative word here) allow one to protect the Windows System directories from people 'half-way around the world' inserting files in the Windows System directories --- and (?) keep those ne'er-do-wells from inserting new entries and changed values in the Windows Registry database. Dare I hope? On this XP computer, I DID setup a userid, separate from the default administrator-id. In the process, guess what I found out about the default userid that you boot into when you first startup Windows XP? The default userid is 'User'. It has no password. And the description of this userid is 'Administrator'. I think I understand what is going on here. Microsoft can say they have provided a more secure system. BUT ... they do NOT provide any user-friendly help on how to implement a more secure system with the user administration facility. Microsoft does not help the new XP user to easily discover the existence of that facility. There is a 'more secure' system --- but they still start the user out in a very insecure system --- and do not make the user aware of the 'more secure' system --- say, in a 'welcome' startup system. |
|
Why Microsoft is not motivated to I can see why. If you have an administrator-id and a user-id, you can get into some confusing situations in
Getting desktop icons arranged as you would like can be quite frustrating, unless you can divine what is going on underneath it all, in terms of files and folders, in the Document and Settings sub-folders of Administrator and User. (The Microsoft OS presents a confusing mixture of files of the 2 userids.) Similar 'underneath the covers' (directory/folder hierarchy) knowledge is needed to tailor the Start menus without a lot of confusing behavior of the program groups. So, bottom-line is ... Microsoft provides SOMEWHAT better security, that would PROBABLY reduce the incidence of SOME types of viruses --- BUT hardly anyone knows about it! And Microsoft is NOT going to promote the enhanced security option(s) because the typical user will be confused. He/she will have a heck of a time doing things like installing an update to utilities like AdobeReader, for example, if the user implements passwords, and, heaven forbid, multiple userids. As things stand, in the as-delivered Microsoft operating system, by default, the user simply clicks on a link on a web page and the update (Flash, AdobeReader, whatever) is quickly installed. No need to switch userids and use passwords. No problems with encountering permissions problems to folders. BUT, you are wide-open to trojan-horse infections like the one described here. AND I do not expect things to change in Vista. So the insidious trojan horses --- and various viruses and worms --- will continue. You hear that, folks? The floggings will continue. (And Microsoft and the anti-virus vendors will tell you it is your fault because you did not update your anti-virus software. What a racket!) See the next postcript for another interesting discovery in XP --- and Internet Explorer. |
|
POSTSCRIPT 3:
Soon after I got the new desktop computer with XP, mentioned in Postscript2, I also got a Compaq laptop with XP. I use it on trips out of town. And even though I soon downloaded Mozilla Seamonkey and Firefox browsers to use, in addition to Netscape and Internet-Explorer that came on the computer, I decided to check the security configuration options in Internet-Explorer, for the rare cases when I might be forced to use Internet Explorer. (I haven't found any need to use Internet Explorer yet. If I find a site that requires the use of Internet Explorer, I intend to avoid that site. In fact, whenever I find a site that requires Flash, I avoid that site too. If sites cannot use animated-GIF files and mpeg files for animations, then I do not want to use those sites. That removes one possible source of computer infections --- namely, Flash-based viruses. Besides, the quality of Flash videos seems poor compared to mpeg videos.) In any case, here is the MAJOR SECURITY HOLE that I found in the default configuration of Internet Explorer on my XP laptop. In the Internet Explorer toolbar, under Tools > Internet Options > Security > Custom Level > Miscellaneous I found a check-box labelled Open files based on content, not extension. It is ENABLED by default!!!!! If the security problem with that does not hit you right away, let me give you an example. |
|
Example of how a sociopath A fellow who wants to deploy 'trojan horse' software on unsuspecting web surfers' computers, has a link on a web page to a file called 'desktop.pdf'. This file is not really a PDF file. It is really a '.exe' executable program that he has renamed to a '.pdf' extension. When the user clicks on the link to this '.pdf' file, the Internet Explorer web browser DOES NOT use the '.pdf' extension to determine that it needs to startup the AdobeReader program, to allow the user to read this PDF file. NOOOOOOOO! The Internet Explorer web browser has been setup, by default, to look at the contents of this file, NOT the extension --- '.pdf' in this example. Microsoft's Internet Explorer (IE) does that and determines that this is a Microsoft executable program and starts up that program. IE loads that program file into the memory of your computer and turns over operation to that program, for it to do what it wants next. Well, the hypothetical guy who put together this web page has written the program to install some files in your Windows System directory and to enter some new entries into your Windows Registry database. They could be the same types of files and Registry entries that I described above in the 'desktop.exe' infection of my computer in October 2005. Voila! The trojan horse has been installed on your computer --- all because of that check-box for "Open files based on content, not extension". Is this the kind of enhanced security that Steven Ballmer, CEO of Microsoft, is always preaching about? Steven, you had better get your ducks in a row. By the way, how many other 'options' in Internet Explorer allow for viruses, worms, spyware, adware, and trojan horses???? Linux anyone? Mac OS anyone? FreeBSD anyone? NetBSD anyone? OpenBSD anyone? ... the list of alternatives to Microsoft goes on. |
|
POSTSCRIPT 4:
Steven (Ballmer), don't give ME that bull about how Linux has stolen Windows proprietary software. You and I both know that there is gobs of code in MS-Windows that was based on, and directly ripped off from, program code for Unix and other such operating systems. What comes around, goes around. And Microsoft is lucky that a lot of Unix code 'came around'. Remember the historical story, about how Gates bought the Microsoft operating system from another person ... I believe the OS was a competitor to CP/M, another DOS-like operating system at the time ... and, just before a demo to IBM, to sell that OS to IBM, to run on the new IBM PC, back around the 1970's, Gates thought the OS looked too much like other OSes, like Unix. So Gates had his programmers, who were touching up that purchased operating system, change the forward-slashes, used in specifying file-names in directory hierarchies, to backward-slashes --- to make the new Microsoft OS look different from CP/M and Unix. I hate to think how many Unix programmers there are out there who would gladly take Microsoft to task for using their code for the basis of MS-DOS and MS-Windows --- without just compensation for their intellectual property. Microsoft --- do you really want to get into an intellectual property dispute with Unix or Linux operating system companies? Bring on the lawyers. Authors will start coming out of the woodwork. Skeletons will come out of closets. Microsoft, you can buy off a lot of U.S. politicians and U.S. bureaucrats. Maybe even some U.S. judges. But it's a big code-developing world now --- with Indian, Chinese, other Asian, west European, east European, middle Eastern, etc. etc. legal systems to deal with. Think you have enough money --- and reach --- for them all? All I see FROM you, Ballmer-Microsoft ... and FOR you ... in the future, is a lot of ill-will generated --- world-wide --- because of your proprietary nonsense which conveniently ignores the debt you owe to Unix. |
|
CONCLUSION:
I found out the hard way that, for essentially all 'strong' viruses nowadays, there is no good way to clean out your machine --- other than re-installing the Microsoft operating system. This is because most of the hard-core viruses of today put so many changes into the Microsoft registry database --- and install so many hidden programs in various system directories --- that even the best and most up-to-date virus removal programs can't clean up sufficiently. Just read some of the computer forums as people try to clean up their machines. Typically when they think they have it cleaned up, a short time later ... they report 'It's Baaa-aaack.' This is typically because it never completely went away. I found out the hard way. Here is a brief overview of recovery steps. I hope you have the recovery disk for your operating system. The makers used to ship the disk with the machine, but they do not do that in some cases. (I got a Compaq laptop that expected you to download the stuff --- several CD's worth from the Internet. I tried that once --- and never made it to the second CD's worth. AND it's a slooowww process.) Recovery-process steps :
|
|
For more details on these recovery steps, I found that doing web searches worked well. And ... it helps to have a second computer to go to, to do things like web searches, when your infected computer is acting up. Don't hold your breath waiting for Microsoft to make it hard for someone half-way around the world to put entries in your Microsoft registry database --- and hard to put evil-programs into YOUR Microsoft system folders/directories. Microsoft is mainly concerned about you not knowing much about accessing the registry and system directories --- because their main concern is to ELIMINATE CALLS FROM YOU when you accidentally remove a registry entry or program or configuration file that you should not have removed. THAT is their top priority. |
|
Bottom of this page on
To return to a previously visited web page location, click on the
Back button of your web browser, a sufficient number of times.
OR, use the History-list option of your web browser.
< Go to Top of Page, above. >Or you can scroll up, to the top of this page. Page history:
Page was posted 2007 Oct 24.
|