Security news and information

A new command introduced in Windows Vista is the mklink command.  This command create a symbolic link between one directory/file and another directory/file.  As long as you are an administrator, you can use this command to make a link anywhere on your computer that points to another file or directory anywhere on your computer.

You may be wondering why this is useful.  Well I have folders stashed all over my hard drive that I use quite often.  My tutorials is nestled deep down in one folder, my images in another, videos over there and documents somewhere else.  To make my life easier, I can use mklink to create symbolic links to all of these folders in one location.  Now I have a folder that contains links to all my commonly used data. 

For example, if I had data scattered across my hard drive I could create a directory called C:\Work and then in a cmd prompt at the C:\Work folder issue these commands:

mklink /D docs d:\Word\Documents
mklink /D images d:\content\site\static\images
mklink /D videos d:\content\site\videos

Now I will have folders C:\Work\docs, C:\Work\images, and C:\Work\videos that are easily accessible and easy to type.

Tags: No Tags

In a previous blog entry I stated that Virtual PC does not have the ability to create multiple snapshots like Vmware does.  Since then I have been apprised that though this is true, there are two workarounds that can allow you to create multiple states or snapshots.

The first method is to simply backup the virtual machine folder and rename it.  Then if you need to restore to the state contained in the backup you can copy the contents of the backup into the normal virtual machine folder.  Though this will work, it’s time consuming and can take up a great deal of extra storage space on your hard drive fi you start backing up different snapshots of the same virtual machine.

Another method that I have learned is to use something called differencing disks. These disks are used to store any changes that are different from a parent disk.  This enables you to install a fresh install of an operating system which becomes the parent.  You can then make further virtual machines of the same OS containing a differencing disk and set to use the parent as the parent disk.  The differencing disks are used to store only changed data compared to the original parent install.  This keeps the differencing disks small and allows for multiple installation points.  Please visit this tutorial for more information and steps on doing this.

Though these methods do work, in my opinion they are still not as easy to use as Vmware’s snapshots.  On the other hand, if you do not want to fork over the cash, then these may be perfectly good solutions.

Tags: virtual pc, microsoft, virtual machines

If you have been following the blog entries here, you could tell that I am a big Virtual Machine user.  I use it when writing blog entries, creating tutorials, and analyzing malware.  My Virtual Machine software of choice is Vmware Workstation.  Last week someone on the BC IRC channels mentioned that I should give Virtual PC a try as it is free and a very good program.  I had tried it in the past, but never really got down and dirty with it, so decided to give it a workout.

Virtual PC Screen

Overall Virtual PC does the same thing as Vmware Workstation.  It provides the ability to run another operating system within your normal one.  This is great for a variety of activities as described above.  There are though some glaring differences that I will point out.  Let’s start with the positive aspects of Virtual PC.

1. It’s faster.  Whether it’s in my head, or not, when using Windows XP Pro under Virtual PC there is definitely a more snappy feel to its operation compared to Vmware.
2. It is easy to use.  Though Vmware is not rocket science, the wizard in Virtual PC makes it so even a novice user can set up a virtual machine.
3. I can resize the desktop simply by resizing the main Virtual PC window.
4. Terrific Windows virtual machine support.
5. Shared folders are much easier to use.
6. Free!

Unfortunately, for me at least, the negatives far outweigh the positives:

1. No multiple Snapshots! This is by far the biggest downfall of Virtual PC.  Snapshots are when you basically take a image of the current state of the Virtual Machine which you then have the ability to restore to at any point.  Vmware supports multiple snapshots so you can do a fresh install and make a snapshot and then make snapshots of other installation or testing milestones.  Virtual PC’s has the ability to only make one snapshot which makes the program almost non-functional for me.
2. No screen snapshot ability like Vmware has.
3. No ability to create a video of your virtual machine.
4. Inferior support for non-Windows virtual machines.

I personally can’t live without multiple snapshots.  Virtual PC not having that one feature was really the decision maker.  I use multiple snapshots a great deal and without them certain tasks become a complete nuisance. Unfortunately, from what I have read Virtual PC 2007 does not fix these issues but instead focuses on performance, which is always a good thing, and Vista compatibility.  Maybe multiple snapshots in 2010?

Tags: No Tags

For those who want to try Office 2007, Microsoft is providing a method that is so simple you do not even have to install it.  Instead go to the 2007 Test Drive  page using Internet Explorer 6 or 7.  When you click on the Test Drive Microsoft Office button, the site will walk you through the installation of the Citrix Web Client.  This client allows you to take over a remote session of Office 2007 running on Microsoft servers. From this session you can use all the Microsoft Office 2007 products as if they were installed on your computer.

One of the features of Word 2007 that we really found interesting was the auto preview when you format text.  This feature allows you to see on the document how the selected text will appear as you hover over the various fonts, colors, etc.  To see a video demonstration of this you can click here.

Tags: No Tags

A report of approximately $1.9 million dollars worth of XBOX 360 consoles have been stolen from a depot center in Lichfield, Staffordshire, England.  These thefts consist of two seperate incidents with the first being a theft of $1.4 million dollars from the depot and then an additional $500,000 worth being stolen off of a truck.

Police believe the consoles are being stolen so that they can be sold on the black market for the Christmas holiday shopping season.  The Xbox 360 retails from $386 to $579 in the UK and is a top choice for consumers, according to The Times of London.

Tags: No Tags

A programmer has successfully configured a Playstation 3 to run Windows XP and has a video to prove it.  Playstation 3 come with the ability to install Linux as an alternative operating system for the console.  A free process emulator for Linux is a program called QEMU which has the ability to emulate x86 and x84 processors and thus Windows XP was able to be emulated.  Very cool stuff and shows the inventiveness of world wide programming community.

Tags: playstation 3, windows xp, linux, qmue

Are you running Vista?  If so then it’s important to be protected.  Microsoft is saying that Vista is the end all to security, but the reality is that virus writers are already starting to write new malware for it.  In fact Sophos reported about a family of viruses called the Modan viruses created for Vista that are written in MSH or Microsoft Shell language.

With that said, I suggest you visit this list of approved Antivirus software for Vista.  This list includes CA, AVG, F-Secure, Trend Micro, among others. Not on the list, but definitely notable antivirus software are Sophos and Avast.

Tags: No Tags

Do you manage an ASP.Net web site and want to make sure its protected from  Cross-Site Scripting (XSS) attacks?  If so then you may be interested in the recently released Microsoft Anti-Cross Site Scripting Library V1.5.

For those who are unfamiliar with the term XSS, this definition explains it quite well.

Cross-site scripting (XSS) attacks exploit vulnerabilities in Web-based applications that fail to properly validate and/or encode input that is embedded in response data. Malicious users can then inject client-side script into response data causing the unsuspecting user’s browser to execute the script code. The script code will appear to have originated from a trusted site and may be able to bypass browser protection mechanisms such as security zones.

This library is used to filter input on ASP.Net applications so that only certain characters in input are allowed through, and all else are encoded in such a way so that the input can’t be used to exploit a web based application.

An interesting tutorial showing this process can be found here:

http://msdn2.microsoft.com/en-us/library/aa973813….

Tags: No Tags

Now that the RTM, or the Ready to market, build of Windows Vista has been released you may be wondering if it’s possible to run it under Virtual PC or Server.  The answer is yes, but to get the best performance you will need the right version of each software to do so.

If you are using Virtual PC, then you need to use the new Virtual PC 2007 Beta.  This beta can be downloaded at the Microsoft Connect site.  Just click on the available connections link and join the beta.

For Virtual Server, you will need Virtual Server 2005 SP1 beta. This is available at the Microsoft Connect site as well.

Tags: No Tags

My answer is both. Malware analysis through a virtual machine is definitely easier than infecting an actual computer.  The problem, though, is that this year a new strain of malware has been coming out that has built-in virtual machine detection.  That means if it detects a virtual machine, it won’t do anything. Now if you want to analyze this particular malware you need to infect a live computer. 

This blog entry is intended to give you some tips for using a live (non-VM) computer for malware analysis.  If anyone has any suggestions for other programs, please let me know.

First and foremost, use a spare computer.  Do not do malware analysis on your home or work computer.  Instead find an unused laptop or PC and follow these steps on that instead. Install the operating system you want to use along with any tools that you will need for analysis.  When done we will use an imaging tool to create an image of your freshly prepared computer so that when we are done analyzing a malware we can quickly revert it back to its clean state.  Below are some options that you can use to image your drive:

• Download the free Microsoft Virtual PC and use it to install Ubuntu on a virtual machine with at least a 10GB hard drive.  This should be done on your normal computer and will be used to store the image of your laptop. Ubuntu comes with a program called partimage that listens on your network.  Once you have that setup and listening, you can download SystemRescueCD and boot your new malware analysis computer from it. Once the CD has loaded, you can run partimage to save your hard drive’s image to the virtual PC running the listening partimaged.  Now you have a saved image of your hard drive on a virtual PC that you can restore from at will.  This is the method I use for drive imaging, but if Linux and this suggestion sounds like gibberish, then try these other options.
• Use g4u to backup and restore drive images via FTP. This is linux based, but its a bit easier as it has prepared boot disks and saves directly to an FTP account so you do not need to set up a server like above.
• Use a commercial drive image program like Norton Ghost. It is not free and costs around 70 USD.  Who said hobbies are cheap though? This does not allow network backups, unless you have the corporate edition, of your image, but does allow you to save your images to recordable media or external hard drives.  Other vendors like Paragon and Novastor among others make similar imaging programs

As you can see I put a stronger emphasis on the free network aware imaging programs.  This is because I strongly suggest that you do not use the same computer that you are imaging to store the image. Rather always image your drive with a program that can restore over a network or from an external drive/recordable media.  The last thing you want to do is have a new malware wipe your computer out, including the image!

Tags: malware, security, analysis, virtual machine