If you're like me, you find many software reviews, especially those published in hard copy, lacking in detail. I recently ran across a long article All my Life's a Circle: More Rounds with new Security Guards written by someone who identifies himself only as Briard. I don't know this person, but the article is published in conjunction with The Support Alert Newsletter, which, in my opinion, is a credible source.
The article starts at a high level, reviewing and aggregating other reviews of antivirus programs. This led Briard to conclude there are six top antivirus programs (in alphabetical sequence):
- AntiVir
- Bitdefender
- F-Secure
- Kaspersky
- NOD32
- Norton
Most of the article, though, consists of first-hand reviews. The following security suites are reviewed: ESET Smart Security, AVIRA Premium Security Suite, Kaspersky Internet Security V7, F-Secure Internet Security 2008 and Bitdefender Internet Security 2008. Also reviewed are three "All-in-one security and housekeeping suites": Norton 360, McAfee Total Protection 2008 and VCOM/Avanquest System Suite 8 Professional.
I didn't detect any bias in the article, which is dated January 2008.
See a summary of all my Defensive Computing postings.
I got a taste today of the ever-present danger that is the Internet. A client of mine is often in the news, so I watch for articles using Google Alerts. Once a day, I'm sent an email listing the new web pages Google found that contain my client's name. After doing this for well over a year without incident, Google today included a malicious web page in the list of those referencing my client. The page tried to install malicious software on my computer. Hopefully the details of the scam, described below, will educate anyone not yet sufficiently skeptical about life on the Internet.
Initially, Google sent me to
clarkjohnlzl22.blogspot.com
which purported to mention my client by name. It doesn't. But it does have a big video box with the usual Play button on it. Clicking the Play button, at least as of this writing, takes you to
gift-vip.net/videos/?name=crystal+children
Recently it took me to
gift-vip.net/videos/?name=steve+harvey+bald
On another computer, it took me to
websoft-a.com/download/504/411/0/
Update. January 24, 2008: The next day, the Google Alert email linked to another malicious web page, peggynoonztj46.blogspot.com. Just like the clarkjohnlzl22 phony blog, this site too had a video that required the installation of software from gift-vip.net.
The video doesn't play, but instead generates the error window shown below.
Clicking anywhere in this error window leads you down a dangerous path. There is almost no getting away from the nagging to install the software. For example, clicking Cancel just results in nags similar to those below (one is from Firefox, one from IE6).
Here again, clicking Cancel or the official "X" does nothing useful. These prompts also prevent access to other open Firefox tabs. The only way to get out of this is to kill your web browser. But, clicking the "X" in the top right corner of the browser window does nothing (technically, the install prompts are modal). Normally you can right click on the task bar entry for a program and close the program from there. That too, doesn't work in this case.
To kill your browser in Windows XP, use Task Manager (see my prior posting Task Manager - useful enough to run all the time). Right click on the task bar and select Task Manager from the pop-up menu, then navigate to the Applications tab. Click on your web browser in the list of active applications, then click on the End Task button at the bottom of the window.
In the interest of research, I downloaded the file. Don't try this at home. Needless to say, I didn't install the software. Instead I had it analyzed at VirusTotal.com, a great web site that analyzes a single file with many different antivirus products (for more see Can you trust that file?).
As is usual at VirusTotal, some antivirus programs found the file to be malicious, others gave it a clean bill of health. Among those that felt the software was safe were NOD32, BitDefender, Ewido and eTrust-Vet. Most products, however, considered the file malicious. Among them were:
- AntiVir 7.6.0.48 (2008.01.23): HEUR/Malware
- Avast 4.7.1098.0 (2008.01.23): Win32:DNSChanger-SF
- AVG 7.5.0.516 (2008.01.23): Generic_c.FTY
- ClamAV 0.91.2 (2008.01.23): Trojan.DNSChanger-2168
- F-Secure 6.70.13260.0 (2008.01.23): Trojan.Win32.DNSChanger.aqd
- Kaspersky 7.0.0.125 (2008.01.23): Trojan.Win32.DNSChanger.aqd
- McAfee 5214 (2008.01.23): Puper.gen.d
There are two lessons here. First, any one anti-malware product can only provide so much protection. Second, any software that is pushy about getting itself installed, you don't want.
Update. January 25, 2008. As a couple of people commented below, another point here is that you are safer by not running Windows. The comments were about Macs, but the same can be said about Linux.
Although it has its annoyances, in general, I like NOD32 antivirus version 2, from ESET. But a new version was recently released and new software scares me. As I wrote about in November, I hold this truth to be self-evident:
All new software contains bugs and design mistakes.
I recently worked on a Windows XP computer whose copy of NOD32 version 2 had expired the day before. If it's possible to renew a copy of NOD32 v2, then finding out how eluded me. After clicking around everywhere in the user interface, and not being able to learn anything about renewing, I gave up and uninstalled it.
The only indication I found, that the software had expired, was a single message buried in the middle of one of the log files. It would seem that a novice user could continue on their merry way without a warning that their software had expired.
But, that's a version 2 issue and I moved on to version 3, hoping that it was ready for prime time. Since the initial release, NOD32 version 3 has been revised three times.
Here is a first look.
The first thing any anti-malware (malicious software) program has to do just after it's installed is update itself with new malware definitions. This has been true since the product category was invented.
At this point in the game, it's reasonable to expect some sort of notice that the virus definitions are old and need to be updated. But NOD32 is mute. After installation, the user interface just sits there. It doesn't say anything or ask anything. In fairness, it might have triggered a warning from the Windows Security Center, but I turn off the Security Center because it is next to useless.
Turns out that NOD32 is smart enough to determine that an update is needed, and it performs the update in the background. But, just like Spyware Doctor, this is kept secret while the update is in-flight.
Despite the web site touting a 30 day free trial, I installed the trial software on January 1, 2008 and the license was only valid until January 19, 2008. Doesn't inspire confidence.
One of the first things I did was run some scans and then view the scan log. The difference here between Spyware Doctor and NOD32 was night and day. Whereas Spyware Doctor hardly logs anything about each scan, the NOD32 logs are very detailed and a pleasure to review (if you like that sort of thing).
In the course of running some custom scans, I noticed that each new scan included the files and folders selected for the prior scan (great activity logging). This turned out to be a small bug in the display of files/folders selected for the scan.
As the screen shot on the right shows, the selection tree view is pretty standard stuff. What is not standard, however, is the checkboxes next to folders with sub-folders. As you can see, all the checkboxes are white, which normally means that no files or folders under that folder are selected. The bug is that there were some selected sub-folders, but since the checkboxes were not the standard gray color, I didn't realize it.
While a scan is in-flight NOD32 shows the percent completed so far. During one scan, however, a second percentage was displayed underneath the main one. Adding to the confusion, the bottom percentage went up, then down, then back up, then down again, etc. etc. etc. I think this is because a large zip file was being scanned and my guess is that the bottom percentage is within the zip file. But other files didn't show a processing percentage, and it doesn't explain why the percentage kept going up and down.
Like version 2, a full scan with NOD32 version 3 generates oodles of messages, many of them errors. Again, I appreciate the level of detail, but some of the errors seem avoidable. The first one, as shown above, was an error opening the Windows page file. Windows has had a page file for a very long time. You would think ESET could have learned to deal with it by now.
The second error above was a problem opening a file. I mention it because the file, CACHE.NDB, belongs to NOD32. One part of the product is protecting files from being scanned by another part of the product.
Not to be too negative, the revised user interface in version 3 is an improvement. One thing in particular stands out: the option to use the product with a simple or advanced interface. I think this is a great idea, as it lets both non-technical and technical people use the software with an interface they are comfortable with.
But, there is more
This should have been the end of the story. When I first started writing this, it was. But the next morning (January 2nd), the computer owner contacted me about an error from NOD32. As the screen shot below shows, it complained about a userid and password.
To understand the error message you need to know that instead of simply getting a serial number as proof of ownership, ESET gives their customers a userid and password. When you install the free trial, a default userid and password is generated for you. The password is obscured; on one computer the userid was eavtrial48.
When you install the version 3 trial, none of this is explained. All you are told is to enter the userid/password that ESET provides after you pay for the software. Nowhere in the instructions does it say what trial users are supposed to do.
In this case, the same userid/password that worked on New Year's Day was now invalid.
Since I no longer had direct access to the computer in question, I downloaded the trial version of NOD32 v3 onto another Windows XP computer.
The download procedure had also changed overnight. On the first computer, I had to fill in a form on a web page and provide an email address before I could download the trial software. Not any more.
The basic installation of NOD32 on the second machine went fine, but then this copy too, couldn't update itself. It failed with the same error about an invalid userid/password. And, like the first computer, the trial expired on January 19th rather than in the advertised 30 days.
I contacted technical support at ESET and they responded fairly quickly:
"... In regards to your inquiry, the user name and password that was provided during installation has expired on our end and is not your fault. We are currently working on this issue. As soon as a new user name and password has been issued for the trial version you will be able to download and/or update your trial version of NOD32. If you have additional questions regarding your case or if the issue continues to persist please let us know by replying to this email..."
Three revisions to version 3 were apparently not enough. This is all too typical. As I mentioned earlier, new software scares me. It should scare you too.
Update: January 4, 2008. The problem with the invalid userid/password cleared itself up with no action on my part. The issue was on an ESET server, not on my computer. Added the simple and advanced interfaces.
FYI: CPU magazine just gave NOD32 an excellent review. They also tested the core anti-virus functionality, which I didn't. I'm just a blogger.
Technical information about NOD32 version 3 on the second computer:
- Product version: 3.0.566.0
- Virus signature database: 2658 (20071114)
- Update module: 1019 (20071030)
- Antivirus and antispyware scanner module: 1100 (20071112)
- Advanced heuristics module: 1066 (20070917)
- Archive support module: 1065 (20071109)
- Cleaner module: 1021 (20071101)
When it comes to antimalware software, the first decision any Windows user needs to make is whether to go with an integrated suite of software or pick and choose specific products, such as a firewall, antivirus, and antispyware software. If a suite came preinstalled, it's certainly a tempting option. Dealing with a single company and not having to install new software has obvious appeal. But I think it's the wrong way to go.
For one thing, the software suites can be complicated to use. Oftentimes they have been known to slow down the computer. And they cost money, whereas there are many free antivirus, antispyware, and firewall programs to choose from.
Plus, they may be overkill. In what has been called feature creep, they typically include many different types of protective software in addition to the baseline antivirus, antispyware, and firewall. This added complexity can negate the single product simplicity advantage.
Among the extras is antispam software that many people don't need; and a case can be made that fighting spam is a server-side thing, not something best done on your computer.
My colleague from The Personal Computer Show, Alfred Poor, has recommended against software suites many times on the show. He cites "bloatware" as the main reason:
"... the publisher piles on features not because they are practical or useful, but so that they can win the 'battle of the checkbox' where buyers go for the program with the most features. This leads to more software running in the background, which means a performance hit at the very least, and an increased chance of conflicts with other applications. My advice is to buy what you need, and no more."
Another big consideration is that, taken as a whole, software suites don't offer the best protection.
Leo Notenboom made this argument last week on his Ask-Leo Web site. Quoting from How do I pick the right tools to protect my system?
"Would a bundled application (all defenses in one) be necessarily more effective than several standalone products? In my fairly strong opinion, no. I base that primarily on the four+ years of problem reports and feedback that I've received here at Ask Leo!. It just seems that the combined suites cause more problems and miss more malware or security issues than a well chosen set of individual solutions."
Why don't the suites offer the best protection? Here too, I agree with Leo:
"My theory is that the suites start with a really good single product...in order to create a suite the manufacturer then buys or creates what I can only assume are second-rate additional components..."
The ZoneAlarm firewall is a case in point. I like the free firewall and would buy the commercial version for the additional features. But I can't; at least not without also buying either antispyware or antivirus software from CheckPoint. So I pass.
Interestingly, I disagree with Leo's recommendations for antivirus, antispyware, and firewall software. But, even people who disagree on the specific choices, agree that making specific choices is the way to go.
As for Alfred's point about bloatware, a comparison of the assorted software bundles offered by ZoneAlarm/CheckPoint shows no less than 16 types of defensive software included in the top-of-the-line product.
Another example of an antimalware product being assimilated into a suite comes from Eset.
In his newsletter/blog last week, Scot Finnie discussed the stand-alone NOD32 anti-virus program vs. their suite of anti-malware software called Eset Smart Security. As for the new version of NOD32, Scot writes "...my preliminary impression of Nod32 3.0...was quite positive. That product is available as a standalone upgrade to Nod32 2.7..."
But regarding the suite he says "I looked pretty extensively at Eset Smart Security in late beta, and I didn't think much of the firewall at all. Plus I have no use for Eset's antispam solution. So I am definitely recommending *against* the new $60 Eset Smart Security (ESS)."
Finally, a note from the school of hard knocks.
After reading some good reviews of F-Secure Anti-Virus a while back, I installed it on a couple machines. On one machine, when I later installed Spy Sweeper, the antispyware product from Webroot, I learned about an incompatibility with F-Secure Anti-Virus.
Another machine had the free ZoneAlarm firewall installed. When I tried to install F-Secure Anti-Virus, it complained about ZoneAlarm, basically saying it's either us or them. The F-Secure product would not install unless the ZoneAlarm firewall was removed.
What possible conflict could there be between an antivirus program and a firewall? My guess is that F-Secure had a single installation program for both their software suite and their standalone antivirus, and they hadn't customized the antivirus installation to not bother checking for firewall software. Just a hunch.
The debate over individual antimalware products will continue until Windows truly becomes secure. Until that day, fight assimilation and opt for standalone antimalware products.
Earlier I had a trilogy of postings about DropMyRights (Part 1, Part 2 and Part 3) that included the warning to run Microsoft Office applications in restricted mode in case a file (Word document, Excel spreadsheet, etc.) carried a virus or some other type of malicious software.
But what do you do if a Word document or Excel spreadsheet doesn't display or work properly when the application is run in restricted mode? A decision needs to be made whether to trust the file and open it in unrestricted mode.
If the file was sent to you by e-mail, you'll no doubt be tempted to judge it based on the person who sent the message. Don't.
For one thing, you can't trust that the reported sender of an e-mail message is the actual sender. It is trivially easy to forge the From address in an e-mail message. And even if the message really did come from the person in the From address, and you trust that person, you still should not assume the file is safe. The sender's computer could be infected with malicious software that sent the e-mail message on its own, without human involvement. But what if the trusted person actually sent the file on purpose? It still could be infected with malware without him or her knowing it.
What to do?
The safest thing, of course, is to delete the file. But if you want or need to use it, then I suggest using the Virus Total and/or Jotti Web sites. Each site lets you upload a file to be scanned by multiple antivirus programs.
The last time I used Virus Total, a free service from Hispasec Sistemas, it scanned my suspicious file with 29 different programs. The list included popular antivirus software from Symantec, Kaspersky and Clam, some less well-known products such as NOD32, Avast and Panda, and a host of products that I had never heard of such as DrWeb, Ikarus and TheHacker. That's the good news.
The bad news is that there probably won't be a consensus opinion. Each time I submitted something suspicious to Virus Total, the results were all over the map. For example, in this screenshot from July 10, you can see that 7 of the 29 programs felt the file was malicious. Democracy is great in other contexts, but here, I'd rather be safe than sorry.
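The seven detection rows quoted in the earlier posting and the split verdict described in this one pose the same triage question: how to combine disagreeing engine results into a decision. Here is an added example (my code, not anything from this post or from VirusTotal) that parses rows in the "engine version date result" layout quoted above, normalises the vendor labels to a rough family name, and applies the post's rule that a single detection is enough to treat the file as hostile; the sample rows are constructed, and the "-" marker for a clean verdict is my own convention.

```python
import re
from collections import Counter

# Constructed sample report in the "engine version date result" layout quoted
# in the post; "-" marks an engine that reported the file clean (my convention,
# not VirusTotal's output format).
SAMPLE_REPORT = """\
AntiVir 7.6.0.48 2008.01.23 HEUR/Malware
Avast 4.7.1098.0 2008.01.23 Win32:DNSChanger-SF
AVG 7.5.0.516 2008.01.23 Generic_c.FTY
ClamAV 0.91.2 2008.01.23 Trojan.DNSChanger-2168
F-Secure 6.70.13260.0 2008.01.23 Trojan.Win32.DNSChanger.aqd
Kaspersky 7.0.0.125 2008.01.23 Trojan.Win32.DNSChanger.aqd
McAfee 5214 2008.01.23 Puper.gen.d
NOD32 2.70 2008.01.23 -
BitDefender 7.2 2008.01.23 -
"""

ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>\S+)\s*$"
)

# Tokens that name a category or platform rather than a malware family.
GENERIC_TOKENS = {"trojan", "win32", "heur", "malware", "generic", "gen"}


def parse_report(text):
    """Return (engine, version, date, result) tuples; result is None when the
    engine reported the file clean. Malformed rows are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # tolerate blank or garbled lines rather than abort triage
        result = None if m["result"] == "-" else m["result"]
        rows.append((m["engine"], m["version"], m["date"], result))
    return rows


def family(result):
    """Pull a rough family name out of a vendor label so that
    'Trojan.Win32.DNSChanger.aqd' and 'Win32:DNSChanger-SF' agree."""
    tokens = [t for t in re.split(r"[.:/_\-]", result) if t]
    candidates = [t for t in tokens if t.lower() not in GENERIC_TOKENS]
    if not candidates:
        return "unclassified"  # e.g. a purely heuristic label like HEUR/Malware
    return max(candidates, key=len)  # longest surviving token; a heuristic


def triage(text):
    """Summarise a multi-engine report using the post's rule: any detection
    means the file is treated as malicious; a clean result is not proof of safety."""
    rows = parse_report(text)
    flagged = [r for r in rows if r[3] is not None]
    families = Counter(family(r[3]) for r in flagged)
    return {
        "engines": len(rows),
        "detections": len(flagged),
        "majority_flags": len(flagged) * 2 > len(rows),  # shown for contrast only
        "verdict": "treat as malicious" if flagged else "no detections (not proof of safety)",
        "consensus_family": families.most_common(1)[0][0] if families else None,
        "engines_that_missed": [r[0] for r in rows if r[3] is None],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```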
The NOD32 antivirus program from ESET has its share of enthusiasts. After a long, detailed review of the field, Scot Finnie in February called it the best antivirus product of 2007.
Based on Mr. Finnie's reviews and recommendation, I've been installing NOD32 on the computers of some of my clients. I've also lived with it a bit on one of my computers and had no major gripes.
Until yesterday.
NOD32 is using 88% of the CPU after having been shut down.
I was about to run Microsoft Update on a Windows XP machine for the third or fourth time, and was getting tired of waiting for it to complete. So this time, I turned off ("Quit") NOD32 beforehand.
It didn't seem to make much of a difference, as Microsoft Update still maxed out the CPU while checking for new patches and seemed to take forever to complete.
But while I was waiting, I took a look at the system using Process Explorer, a great free program, now from Microsoft but formerly from Sysinternals. Surprise, surprise. NOD32 was using 88 percent of the CPU cycles. Despite the disappearance of the system tray icon, it never really shut down.
In the screen shot above, the highlighted line is nod32krn.exe, and you can see from the CPU History that it has been using a good portion of the processor horsepower.
NOD32 version details.
I've been down this road before. This isn't the first time the user interface of an application says that it is not running but the underlying Windows service is still running (in Windows XP: Control Panel -> Administrative Tools -> Services). Windows Update is like this. So, too, is the Windows Security Center.
But NOD32 won't let you shut down its Windows service. The Stop option is disabled. I've seen enough episodes of Star Trek to know how important a manual override is. NOD32 doesn't have a manual override.
The version of NOD32 in question is the current version, 2.70. Click on the screen shot at the right to see the full details on the version of NOD32 being used at the time.
UPDATE (July 17, 2007)
Randy Abrams, the Director of Technical Education for ESET, the company behind NOD32, explained why NOD32 only partially shuts down.
"As for the inability to completely shut down NOD32, that is necessitated by the nature of security software and the threats we face. NOD32 implements technologies designed to prevent malicious software from disabling it. While NOD32 offers the user the ability to partially turn off NOD32 services, in order to allow the user to completely do so we would have to allow malware to easily disable NOD32. Additionally, the low level at which anti-virus software runs means that system stability may be compromised if it is completely removed - making it potentially dangerous to completely remove the software without a reboot. The anti-stealth technology in NOD32 that is designed to be able to detect active rootkits must operate at a system level at least as low as the rootkits it is detecting."
And he goes on to explain that NOD32 can be totally shutdown after a reboot:
"To temporarily disable NOD32 without uninstalling it on a Windows XP System, I would recommend using MSConfig and temporarily disabling the startup item NOD32KUI and the service NOD32 Kernel Service."
Although you can't stop the NOD32 Kernel Service, you can change it from the normal startup mode of Automatic to Manual or Disabled. Addressing the CPU usage observed with NOD32 half shut-down Mr. Abrams says:
"Typically when NOD32 is disabled the resource consumption will go down to about zero. There can be very strange cases where the exact combination of hardware and software create conflicts. These conflicts can be a real bear to track down."
Being a programmer, I feel his pain. And NOD32 in normal usage is not a resource hog at all.
I asked Mr. Abrams about other defensive software (antivirus, antispyware, firewalls and the like) that asks for confirmation from a human being when it gets a request to shut down. On this point he said:
"There are definitely a variety of approaches that can be taken. Each will have trade-offs in terms of security implications. Malware that can shut down a security program can also intercept messages. It is a calculated risk. "
And, on a lighter note, Mr. Abrams adds:
"Remember, in Star Trek the ultimate manual override still required a senior officer's verbal confirmation and was not valid for all starships (we hope). Ultimately, NOD32 can be uninstalled without difficulty, but we wouldn't want any random Tribble (hey, they are great at replication) to be able to come along and disable every copy of NOD32."
You've got to love a company with a sense of humor. :-)
Finally, let me put this in perspective. NOD32 has been a well reviewed product, which motivated me to try it in the first place. At my computergripes.com site I often gripe about software that I continue to use and recommend. Nothing's perfect. But you'll never see me griping about, for example, Microsoft's antivirus product because it has been so poorly reviewed, I won't bother with it.