Archive for October, 2005

Using A Hosts File For Security

October 31, 2005

One of the simplest ways of protecting yourself against outbound traffic to known malicious websites is with a Hosts file. If you want to prevent access to a known malicious website, for instance,, you would add an entry

Using a Hosts file in this way has its pluses and its minuses.


  • A Hosts file requires no software installation. The Hosts file is referenced, natively, by every IP stack in every operating system.
  • A Hosts file is universally used. There are multiple well known and reliable providers of free Hosts files, which define known malicious websites.


  • Each entry defines precisely one website. The entry

    blocks access to only A separate entry is required for, and another for

  • The Hosts file will become quite large. The HPGuru, a very comprehensive file, is currently over 1M in size, when expanded and installed.
  • Loading the file takes significant CPU power, if not configured properly. If the DNS Client service is running on your computer, and you make any change to Hosts, your system could be unusable for 10 to 16 minutes.
  • To be effective, the file must be kept up to date. The bad guys are constantly creating new domains, and subdomains.
  • It will only block access by website name. Neither of the following will work:


WiFi Will Never Be As Fast As Ethernet

October 27, 2005

With Ethernet, you expect (and generally get) 100Mbps performance from the network. With Gigabit Ethernet, you expect 1000Mbps. With 802.11g WiFi, you expect 54Mbps, but you seldom get that. Why is WiFi unreliable?

Ethernet is based on rigidly defined specifications. If you observe the limitations imposed on you by those specs, you get predictable results – those limitations should exceed your operating requirements. For instance, 100M Ethernet is provided for cable runs of up to 100 Metres (300 feet) between the computer, and the other network device (generally a hub / router / switch, or another computer).

Draw a 300 foot sphere around your home / computer room. With WiFi, you will probably find numerous factors within that sphere, that will interfere with your getting consistent 54M performance from a 802.11g network. With WiFi, there are things you just can’t control, and others that you can, but not easily.

  • Ethernet is a full duplex, dedicated medium. WiFi is half duplex, and shared – it has one media, the WiFi channel, which has to be shared for both sending and receiving the packets. And it’s shared with your neighbours.
  • Ethernet is a mature technology – it’s been around for much longer than WiFi. WiFi components have frequently upgraded firmware. Any time you ask the vendor for help, their first question will be “What version firmware are you running?”. This is not a delaying tactic, or needless protocol – it’s an attempt to ensure that your drivers are up to date, so they can help you effectively.

    Any time you get new hardware, you should always consider the possibility that the firmware was upgraded after your unit was packaged. Always get up to date firmware – and get it from the vendor.

  • Ethernet is a much more stable medium. With switched Ethernet, you have two hosts, for instance a router / switch, and a client computer. The two hosts are connected by a physical cable. The firmware and hardware on each host has to manage the conversation only with the other host.

    With WiFi, each host is managing / blocking conversations with dozens of other hosts (multiple channels, locations, and networks) constantly, and no two hosts are seeing the same complement of other hosts at any time or in any place. Managing relationships in the constantly changing WiFi population takes resources – and can make the WiFi device slower than it should be.

    Besides the constantly changing and differing population issue, there’s the security needs. WEP, WPA, WPA2, AES, CCMP, TKIP… The list of security protocols and standards is endless, and changes frequently. Managing security in any WiFi conversation takes resources – and can make the WiFi device slower than it should be.

  • Can you actually see a computer from the Access Point? With WiFi, if you don’t have a clear line of sight visibility between the network devices, you’ll not get a full strength signal. Distance is another factor. Signal strength falls off as distance increases. Put the computer in one room, and the AP in another (a normal use for WiFi), and see what signal strength you get. Walls and floors are a major signal problem. Signal loss will be higher if the signal has to travel diagonally thru the wall or floor, rather than at a right angle.
  • Look at the antennas on the AP and the computer, and see how much they are parallel – you will get maximum signal strength only when the 2 are perfectly parallel. Draw an imaginary line, extending at a right angle, from one antenna towards the other. Does it intersect the other? Try and make a line between the two intersect at a right angle. Signal loss will be higher if one network device is located directly above the other, and on another floor, if both antennas are pointed vertically.

    To make this simplest to understand, look at some examples.

    • If the AP and a computer are in the same room, locate both devices so both antennas are the same height off the floor. Point both antennas vertically.
    • If the AP and a computer are on different floors, locate both devices so the antennas are immediately above and below each other. Point both antennas horizontally.
    • If the AP and a computer are in different rooms, position both so a line from one to the other goes at a right angle thru the wall. Locate both devices so both antennas are the same height off the floor. Point both antennas vertically.
    • When you can’t be so precise in physical placement, point both antennas parallel to each other, per the above strategies.
  • An Ethernet cable is a media that YOU own, and physically control. With WiFi, you have to share the channel with all of your neighbours. And, with CSMA/CA, the sum of your bandwidth plus your neighbours bandwidth will never add up to 54M. Relying upon Collision Aviodance will always require wait time, where neither of you is transmitting. And the more neighbours that you have, the more time that your equipment will be waiting to use the channel.
    • If your equipment is compatible, you may benefit from using NetStumbler, which is free. Find out how many of your neighbours are also using WiFi, and how close each is.
    • Try using a channel that isn’t being used by a neighbour close to you. With 802.11G 54M, only channels 1, 6, and 11 don’t overlap in frequency. If you have 2 neighbours – one on channel 1, and the other on channel 6, your best choice is channel 11.
    • Remember that wireless networks may come and go, so watch over a period of hours, if not days. NetStumbler is great for this – leave it running, and it will make a running list, showing each observed access point, and graphing its signal strength by time.
  • Your wireless neighbours are interference sources outside your home. You probably also have interference sources inside your home.
    • Baby monitors.
    • Computers.
    • Cordless phones.
    • Microwave ovens.
    • Wireless stereo speakers.

    If you install a WiFi device on your desktop computer, try and get one with an antenna that you can move above, and away from, the computer. Signal loss will be higher with a PCI WiFi card, with the antenna stuck at the back of the computer. This is particularly the case if your computer is a tower, sitting on the floor. The higher the antenna from the floor, the better the signal level.

  • You will only get maximum performance from similar equipment, and with no WiFi neighbours. You will have to share the channels with your neighbours. In any WiFi neighbourhood, no two WiFi devices will be within range of the same complement of other WiFi devices. The hidden node problem is a well known WiFi issue.
  • Maybe the router configuration has a setting that’s causing your problem. Start by checking your Transmission Rate setting.
    • If it’s on Auto, try setting it to a realistic rate. Start by setting it at the rate you think you’re getting, and see if your bandwidth improves even slightly. If there is any problem with your signal, auto may make the router spend more time recovering from problems, and less time actually sending and receiving.
    • If it’s on a low rate, try setting it at a higher rate. See if your bandwidth improves.
    • When tuning your Transmission Rate, using NetStumbler to analyse performance would be a very good idea.
  • For more thoughts on this subject, see BBR Forums How Can I Boost My Range? (#10944).
  • And consider that, even though WiFi doesn’t use wires as heavily, general physical networking principles may still apply.

And however you set up your WiFi in the end, please secure your LAN. The performance hit you get, when your neighbours WiFi LAN comes on, pales in comparison to what happens if your computer is hacked, and joins a botnet.

Check Your Hosts File VERY Carefully

October 27, 2005

The bad guys have been using entries in YOUR Hosts file, to block you from accessing the websites that can protect YOU, for quite a while now. So instructing you to examine your Hosts file, for entries like:

is nothing new. This entry, if present in your Hosts file, will block you from getting access to the Symantec servers, including online help, and LiveUpdate. It’s one of the earliest hijacks used by the bad guys.

Anyway, I just copied the above example line from this example Hijacked Hosts file. Go there, and see if you can find the example.

“No”, you mighht answer. “The only non-comment line is: localhost”.

But, you would be wrong. Look again, but look more carefully.

  • The first line there (other than a lot of comments), and the only non-comment line in an otherwise empty file, will APPEAR to be “ localhost”.
  • Scroll to the end of the file, by hitting Ctrl-End.
  • Scroll back up to the top, page by page, looking for any unrecognised entries, possibly placed there by malware.
  • Look out for blank lines at the beginning and end of the file, after “localhost”, placed there by an exploit.
  • Do not assume that a file is empty simply because you see “localhost” followed by 50 blank lines!
  • Do not assume that a file is empty simply because you see 50 blank lines anywhere!

Now aware of this devious, and o so simple, mechanism that the bad guys can use, check YOUR Hosts file. To clean your Hosts file, if anything of interest is found, and assuming NO valid entries other than “ localhost”, simply:

  1. Place the cursor at the end of the “ localhost” line.
  2. Hold down “Ctrl” and “Shift”, and hit “End”.
  3. With everything after “ localhost” highlighted, hit “Delete”.
  4. Save Hosts, as name “Hosts.” (note the “.”!), as type “All Files”.

If you find that you have valid entries other than “ localhost”, which you need to retain, be aware of this hijack, and edit the file very carefully.

An Example Of A Hijacked Hosts File

October 27, 2005

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a ‘#’ symbol.
# For example:
# # source server
# # x client host localhost


Irregularities In Workgroup Visibility

October 26, 2005

Let’s say you connect 2 computers, running any of the many versions and editions of Windows, with default configurations, in a network. To find each computer from the other, you open Windows Explorer (don’t confuse this with Internet Explorer, please), and look in My Network Places. On a fully working LAN, this will work just fine. In your case, it may not.

In your case, Computer A shows both Computers A and B, as it should, and files on Computer B are accessible. On Computer B, either you don’t see Computer A, or when you try to access Computer A, you get an error. You may, or it may not, see Computer B. This visibility problem may be observed constantly, or it may come and go.

Now before you start, you should be aware that you will enjoy it more, and frequently will be more successful, when you work on a properly designed and setup network. Having reviewed that, I recommend that you tackle the task at hand in this order.

Basic Diagnostics

  1. Look at the complete and exact text in any observed error messages. Some very obscure errors have very simple resolutions.
  2. Check for a personal firewall problem. A misconfigured or malfunctioning personal firewall, on either computer, can block browser access. Do you have antivirus protection? Make sure that your antivirus is not part of a package that contains a personal firewall, and does not contain a component that acts as a firewall.
  3. Look carefully for a hardware firewall, sitting inside your computer. The nVidia nForce is probably the first, but surely not the last, device of this type.
  4. Make sure that NetBIOS Over TCP is consistently set, in TCP/IP Properties for each computer in your network.
  5. Some newer, WiFi routers, have a complete firewall between ALL client computers, connected wired or wireless. Look for an “Isolation Mode” setting, if no computers are visible to each other.
  6. Check for several well known and lesser known registry settings, which will affect visibility of, and access to, your server.
  7. Look again at the content of the error message. Do you see either “error = 5” (aka “access denied”), or “error = 53” (aka “name not found”)? Read the appropriate article, and follow the links.
  8. Run, and examine output from, “browstat status”, “ipconfig /all”, and “net config server” and “net config workstation”, for each computer.
  9. Post output from the above step for expert interpretation and advice. Include relevant background details in your post. When including diagnostic logs, such as “browstat status”, “ipconfig /all”, or background details, format them properly when you post them.

Intermediate Diagnostics

  1. Make any changes in your network per the advice of the helpers in the forums. Retest as advised.
  2. Run, and examine, CDiag output for each computer. If you have more than 3 computers, post diagnostics for at least 3, and try and include some computers which show no symptoms of the problem (if any exist), as a control. The more data here the better.
  3. Post output from the above step for expert interpretation and advice. Again, format CDiag logs properly when you post them.
  4. Check that all necessary network components and services are provided. The necessary protocols and transports must be loaded and activated. The necessary services should be Started and Automatic.
  5. Run, and examine, CPSServ output for each computer. Try and do this on the same computers that you ran CDiag (above) on, to make the diagnostics more effective.
  6. Post output from the above step for expert interpretation and advice. Again, format CPSServ logs properly when you post them.
  7. Check for, and remove, unnecessary protocols and transports, like IPV6, IPX/SPX, and NetBEUI. Unnecessary protocols and transports can block Server Message Blocks, and cause problems. Check “browstat status” logs for evidence of IPX/SPX or NetBEUI. Check “ipconfig /all” logs for evidence of IPV6. Remove any protocols found. If you solve your immediate problems, you can re in stall any protocols removed, later.
  8. Check for LSP / Winsock / TCP/IP corruption. The mysterious LSP / Winsock layer in the network, on either computer, can malfunction, and similarly block SMBs. If you have more than 2 computers, the computer causing your problems may not be immediately apparent. Use CDiag to identify the computers to work on first.

Advanced Diagnostics

  1. Learn how to solve network problems.
  2. Try my comprehensive troubleshooting guide, Troubleshooting Network Neighborhood Problems. Use CDiag and / or CPSServ logs, to identify the computers to work on first.
  3. Read about The NT Browser and Windows Networking.
  4. Read about File Sharing Under Windows XP.

NOTE: The comprehensive troubleshooting guides, referenced in Advanced Diagnostics, contain all of the other sections and more, sequenced by network design (ie, physical connectivity issues first, and file sharing permissioning last). The last article talks about problems specific to File Sharing, such as authentication and authorisation, and it is most useful when all other problems (such as are discussed in the previous step) are resolved. This article, as a whole, emphasises the most productive procedures for resolving your symptoms. You are free to try any of the above steps, in any order which pleases you – it is, after all, your network.

These are simply the procedures which currently seem to produce the best results. So become familiar with them, because, if you ask for help and I am involved, I will likely ask you for the diagnostics discussed above. And, if we don’t get immediate results here or elsewhere, I’ll ask you to repeat each step above, one by one, as I examine the results. Read each linked article, and follow the links within each article.

Now I’m a Networking and Security advisor, and I don’t provide advice on security issues casually. Using the Internet, without considering the privacy and security implications, makes trouble for a lot of innocent people. When you’re considering the necessity of providing requested details about your computer network, in an open Internet forum, please read this brief Privacy Statement. Help us to help you.

Online Analysis Of Suspicious Files

October 21, 2005

Let’s say you run any one of my favourite problem analysis or detection tools, such as:

and you find one or more mysterious entries. What do you do now? Kill, then delete the processes? It may not be quite that easy – or that safe. Please, research what you’re deleting, and the possible consequences of deleting it, BEFORE you do so.

A lot of malware today will install itself in a package – creating 2 or more processes on your computer. Also, some security software, badly designed, may protect you, but may use names, or other identity elements, that may give it the appearance of malware.

It’s relatively easy to identify a single, active process that steals your passwords, throws ads on the screen, or creates links to distant, mysterious computers.

Some malware, though, will package itself in 2 or more components. It will include protective components, that ensure that the other process(es) continue running on your computer, even if you try to delete or kill them. When the protective processes detect that the active processes were deleted or terminated, it will make new copies of the other processes, frequently using different names, and restart the bad active processes.

Delete or kill one program, and suddenly you’ll have a second program (maybe with a different name), doing the work of the process that you just killed. You have to kill the background protective processes first. When you find a suspicious file or process, examine it, and ensure that there’s no other process referencing or protecting it.

There are two web sites where you can upload any suspicious file found on your computer, which will submit your uploaded file to multiple scanning engines for intensive analysis. Just go to either website and upload the file using the web page. This takes maybe 30 seconds to upload a file, then wait 5 – 10 minutes for a free analysis.

Examining the logs from Jotti and VirusTotal, do you see any malware identified? If so, don’t panic – do some research. Note which scanning engines detected the malware, and cross-reference those to free, online system scanning services.

In order for a protective bad process to restart a protected bad process (one that’s detected by HijackThis), the protective bad process has to contain some portion of, or reference to, the active bad process. Any individual scanning engine (called by Jotti and/or VirusTotal), that can find malware in an active bad process, should similarly be able to find the same malware in any other file on the computer, if additional bad files exist. Running a whole system scan, you look for other files that contain the detected malware.

Pick one or more of the scanning services which identified the malware, and do a complete system scan. Either a HijackFree, or a HijackThis, log is a good starting point; but both HJF and HJT are limited, in that they find malware using established patterns. Make sure the malware you are experiencing is not in other places too. Use all possible analytic tools.

In the case of very well written malware, it may be very difficult (if not impossible) for YOU to identify, and delete, all components of the malware simultaneously. Its protective processes may be written to detect your feeble human actions, and it can restart itself faster than you can kill or delete it.

But don’t despair! Just identify all components of the malware at any time (without killing and / or deleting anything). Then use Pocket Killbox. You identify ALL of the bad files or processes to Pocket Killbox, and Pocket Killbox takes care of them for you. It’s like having a team of well trained snipers, each aiming at a different bad guy. firing simultaneously, and killing all of the bad guys without warning any.

If you have any doubts about this technique, or if even Killbox can’t get rid of the bad stuff, remember the Expert Help Forums. Any time Jotti or VirusTotal identifies a bad file, spend some time searching thru 2 or 3 of these forums. Find out what techniques and tools are currently being used to remove the identified malware. Again, Strength Thru Diversity.

Just don’t guess at the problem. Use the power of the web, and work from the experience of those who have already dealt with your malware.

Now for the bad news. Some malware may protect itself, from being deleted or interrupted, by hiding itself. You cannot delete that which you cannot see.

Computer Uniqueness

October 16, 2005

My personal theorem is that, outside of computers owned by large corporations that have a standard hardware and software configuration, and a very strict Corporate Security Policy, there are not any 2 computers in the world that are identical. Consider just a basic list of factors:

  • Hardware configuration.
  • Software configuration.
  • Ownership policy (CSP, if one exists).
  • Individual usage.
  • Network usage / Internet connectivity.

Each of the above factors will cause some varying complement of files – configuration, data, software – to be placed on a given computer, or group of computers. This variance in files, and in computer use, affects what malware may or may not be found on an individual computer, or on any network.

That being the case, any set of computer problems (or symptoms) should also be regarded as unique. This is why I recommend diagnosing any computer problem as unique.

Take, for example, the “access denied” symptom. Look at how many possible causes there are for that simple message. Now consider how many different ways that message might be interpreted, by different people.

So, please do me the honour of not assuming any “one size fits all” application of a symptom to a diagnosis. One of my pet peeves is someone who accepts advice in a forum, is given a very simple solution (following considerable diagnosis work, to find the specific cause) to what appears to be a common problem, and then tries to apply that simple solution to other folks later asking for advice in that forum.

If you go to the doctor with a cough, he prescribes a certain medication to you, and you are cured, would you stand outside the pharmacy and recommend that medication to everybody approaching the door? I hope not. Please don’t be that guy.

Also, I hope that you wouldn’t go to the doctor and say “My neighbor had this cough, and you gave him x medicine. I have the same cough, and need the same medicine.”. Nor should you go into a forum, and post your problem report at the end of somebody else’s problem report. Solve one problem in one thread, please.

Approach every problem with basic and methodical diagnosis. Whether the complaint is about lack of Internet service, inability to share files, or unknown programs running on your computer, please diagnose each problem methodically, and from the bottom up. And protect your computers, using a layered security strategy.

Analyse every computer network, and its security needs, individually. To debate any one characteristic of an operating system, such as Linux vs Windows, as being inherently more secure or stable, while ignoring the infrastructure where it is used, is so much Hoya. The security of the operating system, on any computer, can only be assessed, and improved, based upon the total environment in which it operates.

MAC Addresses

October 10, 2005

The MAC, or Media Access Control Address, is one of the most vital identity elements in computer networking.

Every addressable network device, be it a managed switch, modem, network card, or router, is assigned a unique address when it is manufactured. The MAC address has a format


where each “x” is a hexadecimal character. Each of the 12 hexadecimal characters is assigned, intentionally, by the manufacturer, to prevent duplication by any other networked device, either now, or in the future.

Some misguided persons believe that changing the MAC address of their computer (network card) is a way to hide themselves, or to change their identity at will. This is an erroneous assumption, and can lead to worse problems.

  • You absolutely must have a unique MAC address on all networked devices. If you go changing this identity element, and cause a conflict, you could cause yourself and other people grief.
  • If you change your MAC address in an attempt to change your IP address on a public Internet service, you could cause pain for a few people, including another subscriber, and the ISP. Changing your IP address is yet another form of Security by Obscurity.

In short, Just Say No. No changing the MAC address. There is but one specific situation where your MAC address should be changed.

MVP Summit 2005

October 9, 2005

The Summit was almost 2 weeks ago. What can I say? I’m not so young any more that I can come home from an all night party, and go to work the next day.

This was a 4 day party, with but 4 to 6 hours at night, for sleep, as the only free time. I’m just now recovered enough (physically and mentally) so I can start to write about it.

I have started, separately, to write about Vista (and pray that I do not violate the NDA while doing so).

I didn’t do half the things I had hoped to do.

  • I didn’t meet half the folks I had hoped to meet.
  • Of the ones I did meet, I didn’t talk to them half as much as I’d want to.
  • I didn’t get half the technical training that I would have wanted, or would have found useful.
  • I got just a bit more than half as much sleep as I should have.
  • I did no sightseeing. Period.

I did twice as much as I’d have expected, anyway, knowing my personal history.

  • I drank more beer and wine then I should have (but not a lot more).
  • I ate more tasty food (some of it even healthy) as I have in recent past.
  • I involved myself in more heated philosophical (techie philosophy anyway) arguments, then I have been in recent past.
  • I spent too much time wandering around, lost (and the Microsoft folks know about some of these experiences).
  • I spent way too long sitting in the legendary Microsoft Conference Room chairs, then my butt would have wanted.
  • I spent a lot of time waiting for the bus (but some MVPs spent far more time, and had worse experiences).

None of the above detract from the positive memories though. This was a class event.

To put it simply, I was blown away by the intensity of the Microsoft experience. This was 4 1/2 star treatment (and Microsoft knows what the 1/2 star deduction was).

  • Accomodations. We were given our choice of any of half a dozen downtown and suburban Seattle hotels, 3 to 4 star I would guess. Having stayed at a couple Westin chains in the past, I chose the Seattle Westin. I was not disappointed.
  • Amenities. Internet access was covered. This included wired and wireless connectivity in the hotel, and wireless connectivity in the Microsoft Conference Center. I heard some say that they got wired connectivity when plugged into network jacks in the Microsoft offices – I didn’t try that myself.
  • Transportation. With the exception of getting to and from Seattle, and getting from the airport to the hotel on the first day, all transportation was covered. This was luxury class chartered busses. I should have it so good during the air flight. OK, there were communications problems between Microsoft and the bus folks. So what?
  • Food and Beverage. Three full class meals daily (well, one trippy box lunch), and snacks and soft drinks between meals. No vending machines in the Microsoft offices, just huge glass front refrigerators, with a dozen or so healthy / non-healthy beverages.
  • Serious Stuff. I did go for the instructive sessions. Really. And I was not disappointed. The focus was on Vista, but I did pick up a small amount of information on XP. We were promised online copies of the presentations, which I await patiently.
  • Not-so-Serious-Stuff. Four days, and a party each day. From the first afternoon, registering at the Microsoft Conference Center, thru the last day.
  • Overall Treatment. With the exception of being made to check my laptop and camera before the Executive Sessions (and even that was handled expeditiously), I was very impressed by the welcomes I received.

More details as I have a mind to write. Watch this space.


October 9, 2005

What can I say?

As countless other MVPs have already written, I spent an intense 4 days, in September 2005, in Seattle as a guest of Microsoft. This was my first MVP Summit (and I hope not my last), and the major focus was on Vista, the next step in the Operating System evolution process.

Vista looks like just another version of Windows XP. At least, its GUI can be dumbed down to look like Windows XP (which could, itself, be dumbed down to look like Windows NT).

But, Looks can be deceiving. Vista is not at all just another version of Windows XP.

  • Its core networking code has been rewritten, to make it simpler to use, and simpler for third party developers to write software. This should make it harder for the bad guys to bury their illegal code without your knowlege.
  • It contains improvements which will make 3/4 of the articles in this blog irrelevant and unnecessary.
  • It contains efficiency enhancements, which will possibly make Internet use smoother for everybody using it, regardless of connectivity (dialup to HSI).
  • It has several enhancements in the GUI, and desktop applets, which will make it easier for you to store and access your data. The emphasis is on organisation of massive volumes of audio-video and business type materials, in ways meaningful to you.

You, the public, will probably not be doing any serious work with Vista for (minimally) 6 to 12 months. Many of you will not see it until you buy a new computer, within 3 to 5 years.

I am one of the lucky ones in the world, and I hope to start testing it within the month. This will be as my limited hardware and time limitations allow. I’m not independently wealthy.

Watch this space.