Category: Life

Every other post.

  • Is your anti-virus product deceived by the “Vista Rootkit”?

    vistarootkit_title.jpg

    Following my post last week, I decided to create a batch script that would let you see if your anti-virus product is also vulnerable to the “Vista Rootkit.”

    You can download the script from here (Right-click, Choose “Save As.”)

    Essentially, the script creates two identical files on your C:\ drive, in the C:\vistarootkit_test\ folder. These files contain a benign (read: non-viral) string of text that’s picked up by anti-virus products from all the leading companies. You can obtain more information on the test files here.

    detectable.jpg undetectable.jpg

    If the script works right, and your anti-virus product is akin to mine, then it will pick up the “infected_file_detectable” (left image), but not the “infected_file_undetectable” (right image).

    What’s happening: Windows has a funky way of handling administrator accounts. Users, for instance, can set permissions on files (the Windows counterpart of chmod) to deny every other user read/write access to them. What sets Windows apart from other operating systems in this regard is its adherence to these permissions even for its root-account equivalents, the Administrator and SYSTEM accounts. It is this fact which is being taken advantage of here.

    By creating a dummy account, malware is able to run an instance of itself under that account, and deny read/write permissions to its files to all other accounts. This means that when home users run their anti-virus products, their AV will be denied read access to the malicious files. Meanwhile, the malware is able to continue to operate freely.

    This demo script creates two identical files that should be picked up by any popular anti-virus product, and creates a new user account, “viral_account.” It then sets the permissions on one of these files such that viral_account has full access to it, but all other accounts are denied access. When the anti-virus program is run, it should skip over the file whose permissions were edited, as it will be denied read access to that file.

    A simple way to rectify the issue would be for anti-virus products to modify the permissions on such files to grant themselves access (Administrator accounts can change a file’s permissions even when they can’t read the file itself), screen the file for known viral signatures, and then restore the original permissions.
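As an added example (not the batch script the post links to, nor any AV vendor’s code), here is the remedy the last paragraph describes, done with PowerShell’s Get-Acl/Set-Acl and takeown.exe: an elevated scanner that is denied read access to a file takes ownership, snapshots the DACL, removes the Deny entries so it can read the content, scans it, and puts the DACL back. The function names, the C:\vistarootkit_test path, and the EICAR substring check standing in for a real signature engine are all assumptions.

```powershell
# Added example, not the author's script. Run from an elevated PowerShell:
# takeown.exe relies on SeTakeOwnershipPrivilege, which only an elevated
# Administrator token holds.

function Test-EicarSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Stand-in for a real signature engine: matches the EICAR test string the
    # post uses (a fragment of it, so this script itself is not flagged).
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains('EICAR-STANDARD-ANTIVIRUS-TEST-FILE')
}

function Invoke-ScanWithAclOverride {
    param(
        [Parameter(Mandatory)][string]$Path,
        [scriptblock]$Scanner = ${function:Test-EicarSignature}   # returns $true on a hit
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Not a file: $Path" }

    # 1. Take ownership. This works even when every ACE denies Administrators,
    #    and a file's owner always has READ_CONTROL and WRITE_DAC, which the
    #    next steps need. The previous owner cannot be read beforehand (that
    #    needs READ_CONTROL), so ownership is reported rather than restored.
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path (not elevated?)" }

    # 2. Snapshot the DACL now that it is readable, so it can be put back verbatim.
    $acl       = Get-Acl -LiteralPath $Path
    $savedDacl = $acl.GetSecurityDescriptorSddlForm('Access')

    # 3. Drop every explicit Deny ACE (a Deny on Administrators or Everyone would
    #    beat any Allow we add) and grant the scanning account FullControl, so
    #    both the read and the later Set-Acl have every right they need.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    $grant = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                        -ArgumentList $me, 'FullControl', 'Allow'
    $acl.AddAccessRule($grant)
    Set-Acl -LiteralPath $Path -AclObject $acl

    $detected = $null
    try {
        # 4. Scan while read access is held.
        $detected = & $Scanner $Path
    } finally {
        # 5. Restore the original DACL, even if the scanner threw.
        $restore = Get-Acl -LiteralPath $Path
        $restore.SetSecurityDescriptorSddlForm($savedDacl, 'Access')
        Set-Acl -LiteralPath $Path -AclObject $restore
    }

    $after = Get-Acl -LiteralPath $Path   # still readable: we are the owner
    [pscustomobject]@{
        Path         = $Path
        Detected     = [bool]$detected
        OwnerNow     = $after.Owner
        DaclRestored = ($after.GetSecurityDescriptorSddlForm('Access') -eq $savedDacl)
    }
}

# Usage (the path is an assumption matching the post's test folder):
Invoke-ScanWithAclOverride -Path 'C:\vistarootkit_test\infected_file_undetectable.txt'
```

Two design notes: the Deny ACEs are removed rather than merely outvoted, because on Windows an explicit Deny that matches any SID in the caller’s token (such as the Administrators group) wins over every Allow; and the DACL is restored in a finally block so a scanner crash does not leave the file world-readable. Commercial scanners usually avoid the ACL rewrite altogether by running as SYSTEM with SeBackupPrivilege enabled, which lets them open files for read regardless of the DACL; the post’s footnote about AV running as ‘nt authority\system’ points at that.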

  • Why is it we don’t care?

    Report alleges Chinese Govt harvesting body organs of political prisoners

    Australia has one of the lowest rates of organ donation in the developed world. The people who had kidney transplants in New South Wales last year, for example, had waited an average of eight years for a suitable organ.

    That’s the kind of pressure that’s created the new phenomenon of “transplant tourism”, with patients going to countries like India and China for their operations.

    Last year an Australian report highlighted the rate of HIV/AIDS or Hepatitis in patients who’d had such operations overseas.

    Now a report from Canada says most of the organs in China are not donated at all. They’re taken from political prisoners who die after the organs are literally harvested from them.

    Transplant doctors in Australia are alarmed and are calling for more Government controls on patients travelling to China.

    Michael Edwards has this report.

    http://www.canada.com/ottawacitizen/news/story.html?id…
    http://www.abc.net.au/pm/content/2006/s1683142.htm
    http://www.youtube.com/v/0wtSV_BEf14

    Why has this received so little coverage? Is it because we don’t care? Is it because our own fear of dying trumps any kind of moral obligation? The original plan was that China would be absorbed into global conventions with its economic rise. Now it looks like rather the contrary: their economic strength is such that they risk no such thing, and we are the ones who cannot afford to speak out for fear of retribution.

    We allow our citizens to murder political prisoners for only £50,000 a shot. It seems that as much as we value our freedom, we allow ourselves to be used as tools to diminish the freedom of others, under the pretext of economic strengthening. We admonish Yahoo for the slightest privacy invasion in the US, but if they give up the IP address of a Chinese blogger to the government, it’s good business. It’s all about business. We live in a world so economically competitive that we would rather shut up and allow atrocities to take place than risk hurting the economy. That’s part of the reason we support the oppressive regime known as Saudi Arabia, isn’t it? We’d rather have their oil, and some of their territory for military purposes, than confront them about the beheadings of political prisoners?

    So what does that make freedom? A worthless buzzword, a piece of economic garbage. If we allow our morals to be so pliable for the sake of economic power, then it is meaningless, and in danger of extinction altogether.

    Those who deny freedom to others deserve it not for themselves.
    ~Abraham Lincoln

  • Region Encoding: Why?

    Region encoding. This is the component of DVDs, BluRay, and HD-DVDs that dictates where those discs can be played. For instance, a DVD bought in England is forbidden from being played in Canadian DVD players. This is enforced through the copy-protection technologies implemented in those discs.

    Let’s talk about why region encoding is good: It allows the movie industry to set variable pricing on their media. For instance, DVDs in Latin America will be cheaper than those in Canada. As such, the industry can milk each region for the most they can individually offer. Now this might sound nefarious, but it really isn’t. Think about the alternatives: either a single global price, or variable pricing with no enforcement scheme. If DVDs were globally the same price, then it might end up being too expensive for one region to afford. Likewise, without some kind of means to enforce the region encoding, then Canadians could import cheap DVDs from Latin America, at the expense of the movie studios.

    But it’s not all good: region encoding, when implemented, also kills indie movies. I just spent $45 importing a docu-drama from Great Britain. It’s called “Ghost”, and it’s a great movie. Now there are two technical barriers that prevent me from playing this film. The first is that it’s PAL, the television format of UK televisions. This problem is easily solved by playing the film on my computer. The second issue is that it’s region encoded. In other words: Canadians aren’t allowed to watch the movie. Now I can bypass this, but soon that will be made illegal as Canada adopts DMCA-like legislation. Illegal to watch a legally purchased movie, even when bought from the movie maker themselves – imagine that.

    So I really don’t like region encoding. Now some might attribute this to misuse of region encoding, as DVDs can be made to be without such measures. Misuse or not doesn’t change the fact that the problem is still there to begin with. But there is a solution: tariffs on imports. Make people pay more, such that the purchases of cheaper DVDs from elsewhere would be dissuaded.

    Now an economist would say: tariffs are bad. The more easily the goods flow through, the better off we all are. And frankly, I agree. But think about what region-encoding actually does: it cuts off that flow entirely.

    So one has to ask: which is worse? No flow, or impeded flow? I’d take the latter. Now the advantage of region encoding is that it’s government independent. The movie industry takes control of the flow into its own hands, and doesn’t have to rely on the slow process of democracy to stop shipments of authentic DVDs moving about. But let’s also not forget that there’s already a tariff system out there that is government independent: shipping costs. That last DVD I bought from the UK cost me $13 for the customs alone, and the CD I had imported previously was much the same.

    This also brings me to my next point: CDs. CDs do not have region encoding. I can buy a CD from Japan (as I have), and from the UK (as I have), and it will still play in my CD player. There is no scheme there to say “oh – you’re in North America. I refuse to let you play this CD.” Yet I have not heard any stories about how the music industry is suffering because of this lack of implementation. Yes, we hear stories about how the music industry wants better protection systems, but that’s different – we’re talking about legitimate content here, not pirated goods. So what does that say of the usefulness of region encoding in the first place?

    The only option to play these region-encoded movies is to obtain the pirated version. Yep, the pirated versions don’t include region encoding, and are thus devoid of such issues. I think that when the pirated version will play, but not the legitimate DVD, there’s a real problem at hand.

    Thus concludes my rant.

  • Best Anime in a Long Time

    Simply said, 時をかける少女(Toki wo Kakeru Shoujo, The Girl Who Leapt Through Time) is a great anime full-feature film.

    the_little_girl_who_conquered_time_2006_anime.jpg

    When you get into anime, you usually start right off with the cream of the crop – Princess Mononoke, Cowboy Bebop, Perfect Blue, etc. Then as you go on, exceptional titles come fewer and fewer.

    It is thus with great delight that I stumbled upon this film. It’s essentially the story of a slightly irresponsible girl on the verge of graduating from high school. One day, she somehow gains the ability to leap back in time, and begins to use these powers to better her life.

    Captivating story, incredible artwork, and solid soundtrack. That’s all I’ll say without ruining it for you.

    The DVD came out in Japan last month. I’m hoping that it’s going to be re-released in North America with English subtitles at some point in the future, as I’ll buy it instantly.

  • Windows Vista’s Built-in Rootkit

    Windows Vista has an especially annoying implementation of file permissions. As I’ve ranted before, Administrator accounts in Vista aren’t really like the “root” accounts of *nix systems. The main difference is that Administrators in Vista do not have outright permission to access all files on the hard drive.**

    This poor implementation of the permissions structure can be exploited by malware to make files that are undetectable to Anti-Virus products. Let’s go through the following demo to show you just how this works:

    virus0.jpg

    First off, I downloaded the EICAR malware test file from here. It’s a file that’s detected by pretty much all anti-virus products out there.

    virus2.jpg

    I then ran the free version of AVG. AVG detected, and removed, the suspicious piece of malware. This is what’s supposed to happen. Now let’s introduce the Windows Vista Rootkit Deluxe, aka Windows permissions.

    This time I created a new account in Windows Vista, with user-level permissions. While the fact that I chose this account type is rather irrelevant, it does highlight the fact that programs don’t need to run with admin-level permissions to make this rootkit work. And new accounts in Vista can be made with ease when you’re on an administrator account to begin with; something which nearly all Vista home users are. A program only has to run a script with the command:

    net user testaccnt /ADD

    Now running as the user testaccnt, I downloaded the eicar file again, only this time I used the permissions to deny access to all but my own account. This included denying access to the main Administrator account.

    virus4.jpg

    And what happened? Because every account but the dummy one was denied read/write access to the file, when I ran AVG as any account other than the dummy one, it didn’t detect the viral file.

    virus5.jpg

    Admins can’t delete the file manually through Explorer either (below, left). That dummy account, however, can (below, right). In fact, the easiest way for admins to delete the file is to use the CLI tool cacls to re-assign the file’s permissions to match those of other “normal” files. The admin can then use the del command or Explorer to rid themselves of the file.

    virus6.jpg virus8.jpg

    There you have it folks: programs can create dummy accounts, and use those in conjunction with Windows permissions to evade detection by anti-malware products. For all intents and purposes, a rootkit, included with every copy of Windows Vista out there. Because this is all permissions-related, I have a sneaking suspicion that anti-rootkit software won’t pick this up.

    AVG’s Anti-Virus program has been confirmed, via this demo, to be susceptible to this kind of trickery. I have not tested the susceptibility of other anti-malware products.

    **jabzor points out: ‘System’ vs ‘Admin’; users run as admin or less, while services and especially AV will run as ‘nt authority\system’ or ‘nt authority\networkservice’ unless they specify a custom account. Administrators can change the permissions on any file they want with ‘cacls’, a handy built-in CLI tool I use all the time, similar to chmod for Windows but more powerful.
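From the defender’s side, the demo above leaves two artifacts worth hunting for: files whose DACL denies read access to the accounts a scanner runs as (SYSTEM, Administrators, Everyone), and a freshly created local account from the “net user /ADD” step. The following is an added example, not something from the post or from AVG: a PowerShell hunt that flags both, using Get-Acl and the Security event log. The function names, the C:\vistarootkit_test root path and the 30-day window are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.

# Well-known SIDs that an admin or scanner token carries; a Deny on any of
# them hides the file from that scanner.
$ScannerPrincipals = @{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'Administrators'
    'S-1-1-0'      = 'Everyone'
}

function Get-DaclHiddenFiles {
    param([Parameter(Mandatory)][string]$Root)

    $files = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        try {
            $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
        } catch {
            # An elevated admin cannot even read the security descriptor, i.e.
            # READ_CONTROL is denied: by itself a strong indicator of the trick.
            [pscustomobject]@{
                Path    = $file.FullName
                Reason  = "security descriptor unreadable: $($_.Exception.Message)"
                Allowed = $null
                Owner   = $null
            }
            continue
        }

        $deniedTo  = @()
        $allowedTo = @()
        foreach ($ace in $acl.Access) {
            # Resolve the ACE's principal to a SID so renamed/localized group
            # names still match; fall back to the display name if that fails.
            $sid = $ace.IdentityReference.Value
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }

            # FullControl includes ReadData, so an Explorer "Deny Full Control" matches too.
            $deniesRead = ($ace.AccessControlType -eq 'Deny') -and
                          $ace.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::ReadData)
            if ($deniesRead -and $ScannerPrincipals.ContainsKey($sid)) {
                $deniedTo += $ScannerPrincipals[$sid]
            } elseif ($ace.AccessControlType -eq 'Allow') {
                $allowedTo += $ace.IdentityReference.Value
            }
        }

        if ($deniedTo.Count -gt 0) {
            [pscustomobject]@{
                Path    = $file.FullName
                Reason  = "read denied to $($deniedTo -join ', ')"
                Allowed = ($allowedTo | Select-Object -Unique) -join ', '   # the "viral_account" shows up here
                Owner   = $acl.Owner
            }
        }
    }
}

function Get-RecentLocalAccountCreations {
    param([int]$Days = 7)
    # Security event 4720 = "A user account was created". It is only written
    # when the "Audit User Account Management" subcategory is enabled for Success.
    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Created   = $_.TimeCreated
            NewUser   = $_.Properties[0].Value   # TargetUserName
            CreatedBy = $_.Properties[4].Value   # SubjectUserName
        }
    }
}

# Usage (root path is an assumption; the post's test folder was C:\vistarootkit_test):
Get-DaclHiddenFiles -Root 'C:\vistarootkit_test' | Format-Table -AutoSize
Get-RecentLocalAccountCreations -Days 30 | Format-Table -AutoSize
```

The ACL check matches on SIDs rather than names so that it keeps working on localized systems, and a file whose descriptor cannot be read at all from an elevated prompt is reported on its own, since that outcome is exactly what the demo produces. Pairing a hit from the first function with a 4720 event for the account named in its Allowed column is the combination to look for.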

    Greetz: DanielG (pointed me to Eicar), jabzor, Murd0c, droops, slick0, StankDawg, RightCoast, BinRev, GameRadio (C4 & Kobar).