Purpose one: writing a travelogue to describe my various trips.

Purpose two: muse.

Saturday, August 15, 2009

Digital Vandalism

I have in the past resisted security software (read: anti-virus packages), relying instead on caution and manual system monitoring to ward off malware. Within the last couple of years, either Windows got too complicated, the malware got too sophisticated, or I became too rusty: I got infected by several viruses.

One of the reasons I am reluctant to use security software is that it typically installs several services, an email plugin, browser plugins, and in some cases even miniport drivers. It would take a pretty nasty virus to have a worse impact on your system! (Of course, security software does not propagate aggressively.) I wish there were a passive security package I could run only when I choose.

I installed AVG Free, then deactivated the extraneous services, drivers and plugins, thereby getting almost what I wanted. Yet after several scans, deletions, and reboots, I still had a problem the viruses had introduced: I could not start certain programs or processes, such as procexp.exe, regedit.exe, or even the anti-virus scanner and update programs.

At first, I thought that AVG had missed a virus. I tried deactivating or killing different processes that might host a virus, but the problem remained. I could run the programs after renaming them: for instance, I could not run "procexp.exe", but I could run the same program renamed to "sysinternals_procx.exe". Thinking that there must be a malware system hook running in one of the Windows processes, I checked each one and searched its image for "procexp.exe", still without finding it.

Searching the registry instead, I found that the virus had added the programs I could not start to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Each program had a "Debugger" subkey set to "ntsd -d". ntsd is the NT Symbolic Debugger, and -d tells it to attach to the kernel debugger, which typically is not present, so the launch fails altogether.

I wrote this up in case you have, or get, the same problem. If so, just delete the "Debugger" subkey under each program found at the registry key indicated above.
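As an added example (not the author's code), the following script audits the registry key above the way the fix describes: it lists every "Debugger" value set under Image File Execution Options, flags entries that use the "ntsd -d" pattern from the post or name a debugger binary that cannot be found, and with -Remove deletes the ntsd entries. It assumes an elevated PowerShell session and also checks the Wow6432Node view of the key.

```powershell
# Added example (not the author's code): list every "Debugger" value set under
# Image File Execution Options, the mechanism the post describes, and
# optionally remove the ones that redirect a program into "ntsd -d".
# Run from an elevated PowerShell prompt; -WhatIf previews the removals.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)   # without -Remove the script only reports

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# The exact hijack from the post: ntsd (bare name or a path, quoted or not) with -d.
$ntsdPattern = '^\s*"?([^"\s]*\\)?ntsd(\.exe)?"?\s+-d(\s|$)'

function Get-DebuggerImage([string]$cmd) {
    # First token of the Debugger command line: a quoted path or a bare word.
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        # IFEO keeps one subkey per image name; its REG_SZ "Debugger" value is
        # what Windows launches instead of the program itself.
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($dbg)) { continue }
        $exe = Get-DebuggerImage $dbg
        $resolves = (Test-Path -LiteralPath $exe) -or [bool](Get-Command $exe -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Image      = $key.PSChildName
            Debugger   = $dbg
            KeyPath    = $key.PSPath
            # A Debugger value is legitimate for a developer's own tooling; flag
            # the ntsd -d pattern and any debugger binary that cannot be found.
            Suspicious = ($dbg -match $ntsdPattern) -or -not $resolves
        }
    }
}

if (-not $findings) { Write-Host 'No Debugger values under IFEO.'; return }
$findings | Sort-Object Suspicious -Descending | Format-Table Image, Suspicious, Debugger -AutoSize

if ($Remove) {
    foreach ($f in $findings | Where-Object { $_.Debugger -match $ntsdPattern }) {
        # Delete only the Debugger value; other IFEO settings for the image stay.
        Remove-ItemProperty -Path $f.KeyPath -Name Debugger
        Write-Host "Removed Debugger value for $($f.Image)"
    }
}
```

Entries flagged as Suspicious but not matching the ntsd pattern are reported only, so a legitimate debugger registration is never removed without a manual look.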

Since I am on the subject: reading about convictions of black hats in the news, I have several times been disappointed by their light sentences. I looked it up for this post, and according to the Cybercrime watch list, it seems as if courts are now issuing punishments more in line with the severity of the crimes. The author of "Melissa" was caught and convicted; the damage was estimated at US$80M, and the perpetrator got 20 months in jail and a $5,000 fine.

I think the damage is underestimated, though. Such estimates also have to account for all the money and time we spend on prevention. Symantec makes $6 billion a year (mostly) selling anti-virus software. A big portion of that is a dead-weight loss we spend protecting ourselves against the digital vandals.
