<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Antivirus News, Reviews and Antivirus Download</title>
	<atom:link href="http://www.about-antivirus.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.about-antivirus.com</link>
	<description></description>
	<lastBuildDate>Wed, 28 Mar 2012 09:58:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Six security updates for Windows in March</title>
		<link>http://www.about-antivirus.com/six-security-updates-for-windows-in-march.html</link>
		<comments>http://www.about-antivirus.com/six-security-updates-for-windows-in-march.html#comments</comments>
		<pubDate>Wed, 28 Mar 2012 09:58:00 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Antivirus News]]></category>
		<category><![CDATA[antivirus news]]></category>
		<category><![CDATA[DNS Server]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Microsoft warns]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Visual Studio]]></category>
		<category><![CDATA[Windows Kernel Drivers]]></category>
		<category><![CDATA[Windows XP]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2159</guid>
		<description><![CDATA[March is a relatively quiet patch day for Microsoft. The software giant releases security updates for Windows on the second Tuesday of every month. This time there are six, only one of which is rated critical. The critical flaw is in the Remote Desktop Protocol &#8230; <a href="http://www.about-antivirus.com/six-security-updates-for-windows-in-march.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">March is a relatively quiet patch day for Microsoft.</p>
<p style="text-align: justify;">The software giant releases security updates for Windows on the second Tuesday of every month. This time there are six, only one of which is rated critical.</p>
<p style="text-align: justify;">The critical flaw is in the Remote Desktop Protocol (RDP), which lets users access other computers, for example to offer remote assistance. RDP is disabled by default, so the vulnerability only affects PCs on which the service has been enabled.</p>
<p style="text-align: justify;">Microsoft warns that the flaw may have very serious consequences and that a PC can be taken over completely. Prompt updating is therefore advisable.</p>
<p style="text-align: justify;">In addition, there are four security updates this month for &#8220;important&#8221; vulnerabilities in Windows components.</p>
<p style="text-align: justify;">These cover DNS Server, Windows Kernel Drivers, Visual Studio and Expression Design.</p>
<p style="text-align: justify;"><a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/security-updates.jpg"><img class="alignright size-medium wp-image-2160" title="security updates" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/security-updates-300x200.jpg" alt="" width="300" height="200" /></a>Finally, there is a flaw of moderate severity in the Windows component DirectWrite.</p>
<p style="text-align: justify;">The flaw in Internet Explorer that was discovered during the Pwn2Own hacking contest has not yet been fixed.</p>
<p style="text-align: justify;">The monthly patches are distributed through Automatic Updates or Windows Update for Windows XP, Vista and 7. As every month, a new edition of Microsoft&#8217;s Malicious Software Removal Tool also checks your computer for some of the worst threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/six-security-updates-for-windows-in-march.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Antivirus removed Chrome</title>
		<link>http://www.about-antivirus.com/microsoft-antivirus-removed-chrome.html</link>
		<comments>http://www.about-antivirus.com/microsoft-antivirus-removed-chrome.html#comments</comments>
		<pubDate>Wed, 28 Mar 2012 09:47:31 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Antivirus News]]></category>
		<category><![CDATA[Google Chrome]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft Internet]]></category>
		<category><![CDATA[Trend Micro]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[virus seen]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2155</guid>
		<description><![CDATA[A recent update of Microsoft&#8217;s antivirus software briefly identified the Google Chrome web browser as a virus. The program was blocked and in some cases removed from the computer. Microsoft announced this on Friday. The software maker said &#8230; <a href="http://www.about-antivirus.com/microsoft-antivirus-removed-chrome.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">A recent update of Microsoft&#8217;s antivirus software briefly identified the Google Chrome web browser as a virus.</p>
<p style="text-align: justify;">The program was blocked and in some cases removed from the computer.</p>
<p style="text-align: justify;">Microsoft announced this on Friday. The software maker said the problem has been solved with a new update.</p>
<p style="text-align: justify;">The update, which consumers and businesses can download through the antivirus program, undoes all the changes made by the previous one.</p>
<p style="text-align: justify;"><a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/Chrome.jpg"><img class="alignright size-thumbnail wp-image-2156" title="Chrome" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/Chrome-150x150.jpg" alt="" width="150" height="150" /></a>About three thousand customers were affected by the problem, a Microsoft spokeswoman said.</p>
<p style="text-align: justify;">In the new update the virus definitions were revised, including the one that flagged Chrome as a threat. Affected customers should reinstall Chrome.</p>
<p style="text-align: justify;"><strong>Bank details</strong></p>
<p style="text-align: justify;">The antivirus software mistook Chrome for a virus that installs itself surreptitiously on computers to steal users&#8217; bank details.</p>
<p style="text-align: justify;">The software giant is not the first to ship a faulty virus definition by accident. The same has happened to companies such as <a title="McAfee" href="http://www.about-antivirus.com/category/antivirus-software-2/mcafee" target="_blank"><span style="text-decoration: underline; color: #ff0000;"><strong>McAfee,</strong></span></a> <a title="norton" href="http://www.about-antivirus.com/category/antivirus-software-2/norton" target="_blank"><span style="text-decoration: underline; color: #0000ff;"><strong>Symantec</strong></span></a> and <a title="Trend micro" href="http://www.about-antivirus.com/category/trend-micro" target="_blank"><span style="text-decoration: underline; color: #339966;"><strong>Trend Micro</strong></span></a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/microsoft-antivirus-removed-chrome.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How viruses fight back?</title>
		<link>http://www.about-antivirus.com/how-viruses-fight-back.html</link>
		<comments>http://www.about-antivirus.com/how-viruses-fight-back.html#comments</comments>
		<pubDate>Tue, 27 Mar 2012 14:06:30 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Antivirus Article]]></category>
		<category><![CDATA[Virus Protection Tips]]></category>
		<category><![CDATA[Virus Research/white papers]]></category>
		<category><![CDATA[Anti-anti-viruse]]></category>
		<category><![CDATA[anti-anti-viruses]]></category>
		<category><![CDATA[Anti-Virus]]></category>
		<category><![CDATA[anti-virus program]]></category>
		<category><![CDATA[antivirus article]]></category>
		<category><![CDATA[GoldBug virus]]></category>
		<category><![CDATA[virus authors]]></category>
		<category><![CDATA[virus writers]]></category>
		<category><![CDATA[viruses explicitly]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2150</guid>
		<description><![CDATA[&#8220;The GoldBug virus has extensive anti-anti-virus routines. It can install itself while several resident anti-virus monitors are running. It will prohibit most popular anti-virus programs from running, and will also by-pass several integrity checking programs&#8221; -from the original source code &#8230; <a href="http://www.about-antivirus.com/how-viruses-fight-back.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><span style="color: #000000;">&#8220;The GoldBug virus has extensive anti-anti-virus routines. It can install itself while several resident anti-virus monitors are running. It will prohibit most popular anti-virus programs from running, and will also by-pass several integrity checking programs&#8221;</span><br />
<span style="color: #000000;"> -from the original source code of the GoldBug virus</span></p>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Abstract</strong></span></p>
<p style="text-align: justify;"><span style="color: #000000;">This paper will discuss methods viruses use or might use in the future to attack anti-virus programs. Attacks of this kind are becoming more common, as virus writers seem to be constantly looking for ways to make their viruses more efficient and vigorous. This paper also suggests how to make anti-virus products more resistant against such attacks. The scope of this paper is limited to PC compatible machines.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">1. Introduction</span></h2>
<p style="text-align: justify;"><span style="color: #000000;"><a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/How-viruses-fight-back.jpg"><span style="color: #000000;"><img class="alignright size-medium wp-image-2151" title="How viruses fight back" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/How-viruses-fight-back-300x300.jpg" alt="" width="300" height="300" /></span></a>There is a constant battle going on between computer virus authors and virus fighters. Virus writers are looking for methods to create more complicated, more difficult-to-analyse and more inconspicuous viruses. At the same time the anti-virus people are building methods to address these threats.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It&#8217;s not surprising that virus authors have realised that anti-virus tools are one of the worst enemies of their creations. The logical step for them was to make their viruses fight back, either directly or indirectly.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Several viruses explicitly target anti-virus programs. The attack routines might be generic or targeted against a specific program. Obviously many virus authors consider attack to be the best defence, when the objective is to keep the virus alive in order to spread as widely as possible.<span id="more-2150"></span></span></p>
<p style="text-align: justify;"><span style="color: #000000;">There is a battle going on in computer systems world-wide &#8211; it&#8217;s survival of the fittest, one might say. Hopefully this paper will provide some ideas to make anti-virus applications fitter than the viruses.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">2. A virus that fights back</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">For the purpose of this paper, a retrovirus is defined as follows:</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Retrovirus is a computer virus that specifically tries to by-pass or hinder the operation of an anti-virus program or programs. The attack may be specific to a known product or a generic one.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Retroviruses are sometimes known as anti-anti-viruses. Anti-anti-viruses should not be confused with anti-virus-viruses, which are viruses that will disable or disinfect other viruses. To avoid confusion, the term retrovirus will be used here.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The creation of a virus which has retro-routines included is not necessarily a difficult task. In most cases, the virus writers have access to the anti-virus programs they want to by-pass. All they need to do is to experiment by trial and error until they find a way to attack the anti-virus program in a way that the anti-virus developer has not foreseen. [Siilasmaa]</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Some virus authors have gone all the way and disassembled the offending anti-virus programs in order to find the most effective way to attack it. They often look for methods to attack a product in such a way that it would be most difficult to circumvent in future versions of the product.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">As the virus authors are quite efficiently connected to each other via different types of electronic networks, information on how to attack specific products spreads quickly.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It should be noted that the virus writers typically have access to only those antivirus products that are available as freeware or shareware. Some virus exchange BBS systems are known to make pirated copies of commercial products available, but the shareware products seem to be targeted most [Fellows].</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It can be expected that more retroviruses, using more advanced retro-routines will be seen in the future.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">3. Rules of the game</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Viruses using retro-routines started to show up during the late 1980s &#8211; before that there was no point in creating retroviruses, as anti-virus products weren&#8217;t widely used. As anti-virus programs have increased in popularity, more viruses attempt to subvert them in some way.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Several approaches are possible, including:</span></p>
<ul style="text-align: justify;">
<li><span style="color: #000000;">modifying the code of an anti-virus program file or the image in memory</span></li>
<li><span style="color: #000000;">detecting when an anti-virus program is activating, and either hiding itself, stopping the execution of the program or triggering a destructive routine</span></li>
<li><span style="color: #000000;">altering the computing environment in a way that affects the operation of an anti-virus program</span></li>
<li><span style="color: #000000;">using methods in the virus code that cause problems for anti-virus programs</span></li>
<li><span style="color: #000000;">exploiting a specific weakness or a backdoor in an anti-virus program</span></li>
<li><span style="color: #000000;">using generic methods that generally make it difficult or potentially dangerous to detect, identify or disinfect the virus</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;">The basic principle is that the virus must somehow hinder the operation of an anti-virus program in such a way that the virus itself benefits from it.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Methods like encryption, stealth, polymorphic routines, code armouring, anti-debugging tricks and confusion code can also be considered as an attack against anti-virus programs. However, they are often generic in type and are outside the scope of this paper.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">4. Attacks against non-resident scanners</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Non-resident scanners are probably the most commonly used anti-viral products. They are also the favourite target of real-world retroviruses.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">There are several different ways a scanner can be attacked.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">4.1 Deletion and replacement</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">A virus can locate the anti-virus program and delete it. A more sophisticated attack would be a modification or a patch that would alter the operation of the scanner in a way that would be beneficial to the virus. A virus could locate the search strings used by the scanner and overwrite them, making the scanner unable to find any virus, but still appear to be functional.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">A virus could replace the scanner program with a Trojan horse which could trigger a damage routine when run or just simply display an error message and abort. Such an error message would also make the scanning product look bad in the eyes of the users, especially if the error message would be something like &#8216;only 620kB of free DOS memory, unable to run&#8217; or &#8216;BRUN30 GW-Basic run-time library not found, aborting&#8217;.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">If the virus stays resident in memory, it can do similar attacks when it sees that the anti-virus program is executed. It can also by-pass a self-check routine of an anti-virus program by patching it only after the application has finished the check on its own code.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">4.2 Modification of parameters</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">There is at least one known case of a virus that modifies the command-line parameters when it sees a specific anti-virus program to be started (see below). Such technique would allow the virus to modify the operation of the scanner to its advantage without patching the actual program code.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">A similar attack might be possible by modifying the configuration file of an anti-virus program &#8211; these are often left unencrypted and are not checked for such modifications.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">4.3 Altering the output</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">If the visual interface of the anti-virus program isn&#8217;t complex (i.e. command-line driven), it might be feasible for a retrovirus to mimic the operation of the program. This way, the user might not notice anything strange.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">A variation on the theme would be for the virus to patch the texts displayed by the product. If the text string &#8216;Virus found!&#8217; were changed to &#8216;All clear!&#8217;, a typical user probably wouldn&#8217;t suspect anything.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">In many installations, anti-virus programs are run automatically and the alarms are set off depending on the exit codes (errorlevels) returned by a program. A successful attack in such a system might consist of a retrovirus that would always set the return-code of an anti-virus program to zero.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">4.4 False false alarms</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Scanners are also prone to false alarms, i.e. detecting a virus in a clean file. Viruses can use this as one way to attack. If a virus incorporates code sections from popular applications, it is quite possible that an anti-virus vendor without a proper false-positive testing routine might include a search string that would cause a large number of false positives.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">One way to implement this kind of attack would be to include an encryption routine in a virus, but borrow the decryption code from some known application &#8211; the encryption would limit the traditional search strings to only strings that would cause false positives, and this in itself would cause problems for some scanning products.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">4.5 Problems with packed files</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Several scanners are able to scan inside compressed executables that have been packed with some of the most popular EXE-packers. Some scanners do not scan packed files at all, but only flag them as packed so the user is aware of them. This provides one way a virus could cause problems for a scanner. If a virus would use a section of fake code that would make an infected program look like it has been packed, it would by-pass the scanning by such a product completely. The virus could also replicate in packed form, making it even more difficult to detect by some scanners.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">A similar attack might be possible against products that actually unpack the programs and scan underneath the packing. In order to uncompress the program, the scanner fetches program info from the unpacking code. If this code would contain irrational values, it could cause some scanners to crash or run out of memory.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">4.6 One man&#8217;s data is another man&#8217;s code</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Almost all scanners default to scanning only the executable files instead of all files. File type is usually determined by the extension (i.e. COM, EXE, SYS).</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Since a virus can control the system in any way it wants, one way to by-pass a scanner would be to change the file extension of every infected file to a non-executable one, for example from EXE to XEX. While the virus is resident in memory, it would use stealth techniques to hide this change &#8211; but would make sure that all executables copied to floppies carry the valid extension, to ensure the virus gets a chance to spread. The advantage of such a method would be that even if the machine was booted from a clean diskette and all executables were scanned with a scanner that could detect the virus, it would only be found in the initial carrier file.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">4.7 Exploitation of technical limits</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">A virus writer could analyse in detail how a scanner actually does the scanning and develop infection methods that cause detection problems for a specific scanner. The virus doesn&#8217;t have to be difficult to find &#8211; it is enough that it would be very slow to search for it.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The Command Bomber virus is an example of this: it inserts its code in the middle of the host file and builds a complicated series of branching commands to transfer the flow of the program code to the actual virus code. The detection of such a virus would force some scanners to scan the whole file from beginning to end &#8211; which would be enough to make them unusably slow.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">5. Attacks against resident scanners and behaviour blockers</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Resident anti-virus programs are vulnerable to special attacks. Since DOS does not provide any kind of memory protection, a program can modify the memory space of another program. This makes it possible for a virus to locate and patch or disable a resident scanner or a behaviour blocker.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">5.1 Unloading the protection</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Some anti-virus TSRs can be unloaded from memory (in fact, they have to be unloadable if the product is to be Novell-certified). If such a mechanism exists, it can be called by a virus. This method is quite successful and well known with some products.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">5.2 Through the back door</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Practically every TSR scanner has a back door, which is used by the non-resident scanner of the same package. This back door either turns off the checking done by the TSR or provides an alternative access method to the filesystem. If such a back door did not exist, the TSR part would clash with the normal scanner, as the TSR would notice an infection when the non-resident part opened an infected file for scanning.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">A virus could use such back doors for its own benefit, either by disabling the resident part or by using the clean path to the filesystem provided by the TSR.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Yet another way for a virus to attack a resident scanner would be to observe the display routines, and trap the alarm messages displayed by it. If the user never sees the alarm messages of the TSR, the protection is not doing its job.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">6. Attacks against disinfectors</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">A retrovirus can attack programs that try to disinfect boot sectors and files. The purpose of such an attack might be to cause the disinfector to damage the host files while disinfecting. If a disinfection program does not do an exact identification on the virus before disinfecting, any virus that contains a known search string for another virus might cause such damage during disinfection process.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">6.1 Cleaning the clean</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">There even exists a virus called Mirror, which is the exact opposite of a stealth virus: it makes all programs look as if they were infected by it when the virus is resident in memory. This could be potentially dangerous when disinfection is attempted, but the technique poses no danger if the disinfection is done in a proper way, i.e. after a clean boot.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">6.2 Complicating the recovery</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">The recovery process of an infected machine can be severely complicated if the virus would deny access to the hard drive. Several MBR-viruses (for example, members of the Monkey family) do this by modifying the partition data in such a way that no logical DOS drives exist when the machine is booted from a clean floppy. A recovery done by overwriting the MBR code with the FDISK /MBR or similar command would not regain access to the hard drive.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The ExeBug virus family uses another way to make it difficult to boot an infected machine from a clean diskette. The virus modifies the BIOS Setup information to indicate that the machine does not have an A: drive at all. Such a machine will always boot from the hard drive. Once booting has started and the virus code is executed, the virus checks whether there is a diskette in drive A: and, if so, continues booting from there. In most cases the user is unable to notice this, and thinks that the machine has been booted clean when the virus is already resident.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Yet another way to complicate the recovery process would be to set the BIOS boot-up password on with a random password during an activation routine. The method of doing this is documented on most new BIOS brands.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Some integrity checkers are capable of performing a generic disinfection. This means that they try to restore the original file according to the information the checker has saved about it (typically length, checksum, first and last bytes). Such a generic routine is unable to work if the virus makes extensive changes to the program files, for example if the host file is encrypted during infection.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">6.3 Attacking heuristic cleaners</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">A different kind of attack against disinfection programs is related to heuristic cleaners. A heuristic cleaner works by loading the infected file to memory and emulating the program code. It uses a combination of disassembly, emulation and sometimes execution to trace the flow of the virus and to emulate what the virus is normally doing. When the virus restores the original first instructions of the host file and jumps back to the original entry point, the cleaner stops the emulation. The repaired start of the program is copied back to the program file on disk and the part of the program that gained &#8216;execution&#8217; will be removed. [Veldman]</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The risk in heuristic cleaning is that if the cleaner tries to emulate everything the virus might get control inside the emulated environment and finally escape from it &#8211; after which it can propagate further or trigger a destructive retaliation routine. There are documented cases of at least one virus doing this, see below.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">7. Attacks against integrity checkers</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">The operation of integrity checking programs varies between vendors but they almost always rely upon some form of a database which contains details of objects (typically files and boot sectors) to be checked.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">7.1 Deleting the database</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Several viruses have attacked integrity checkers by locating the integrity database and deleting it. In some cases the result of deleting the database files is that the integrity checker will blindly assume that the original checksums have not been calculated yet, and proceeds to initialize the database without informing the user that something might be amiss. This was exactly the case with the Peach virus.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Peach attacked an integrity checker which worked by creating a checksum file, containing checksums of all executable programs. Peach attacked by deleting this file. After the database was deleted and the checker was executed again, it would recreate the file, calculating new checksums from the infected files and fail to indicate any change in the system [VB1].</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It should be noted that the Peach virus will not be successful against newer versions of this integrity checker, as the name of the checksum file has been changed in newer versions of the product. Similar types of attack still seem to be possible, though.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Even if a checksumming package does alert the user that the database has been deleted without approval, it would be difficult to find the affected files if no recent backup of the database exists.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">7.2 Making checked unchecked</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">A similar attack also works against programs that do not store the integrity data in a separate database but append it to the end of the executable files themselves. Since there is no record of which files have been checksummed, a virus can simply remove the validation data without any side effects &#8211; and the checker will not complain that the file has changed.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Several generic attack methods against integrity checkers are discussed at length in [Bontchev].</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">8. Real world retroviruses</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">When looking at viruses that attack specific anti-virus products directly, the most targeted ones seem to be McAfee Associates&#8217; ViruScan (SCAN.EXE), Microsoft Anti-virus from MS-DOS 6 (MSAV.EXE), Central Point Antivirus (CPAV.EXE) and the resident parts of these applications (VSHIELD and VSAFE). This is not surprising, as these are some of the most popular anti-virus products, and thus good targets for retroviruses.</span></p>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Here are some examples of known viruses that incorporate retro-routines:</strong></span></p>
<p style="text-align: justify;"><span style="color: #000000;"><strong>CPW virus family:</strong></span></p>
<ul>
<li><span style="color: #000000;">tries to delete programs called TOOLKIT, GUARD, CHKVIRUS, SCAN, CLEAN, CPAV and VSAFE</span></li>
<li><span style="color: #000000;">deletes CHKLIST.CPS files created by CPAV</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Cybertech:</strong></span></p>
<ul>
<li><span style="color: #000000;">deletes CHKLIST.CPS files</span></li>
<li><span style="color: #000000;">removes the validation information added by SCAN and CPAV</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Firefly:</strong></span></p>
<ul>
<li><span style="color: #000000;">uninstalls VSAFE from CPAV or MSAV</span></li>
<li><span style="color: #000000;">contains a segment of nested loops to confuse F-PROT&#8217;s heuristic scanning</span></li>
<li><span style="color: #000000;">deletes files called IM, VIRX, PCRX, VIRSTOP, MSAV, NAV, SCAN, CLEAN, TBAV, TBCSCAN, TBCLEAN, TBCHECK, TBMEM, TBSCANX, TBFILE, VC, and VCHECK</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Goldbug:</strong></span></p>
<ul>
<li><span style="color: #000000;">by-passes VSAFE.COM and DISKMON.EXE</span></li>
<li><span style="color: #000000;">deletes or stops the execution of programs called SCAN, CLEAN, NETSCAN, CPAV, MSAV, TNTAV &#8211; and deletes the contents of CMOS memory at the same time</span></li>
<li><span style="color: #000000;">specifically by-passes the TBAV boot-sector check</span></li>
<li><span style="color: #000000;">deletes CHKLIST.* files, by-passing CPAV and MSAV</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Lemming:</strong></span></p>
<ul>
<li><span style="color: #000000;">disables TBDriver from TBAV by patching it in memory</span></li>
<li><span style="color: #000000;">when TBScan is executed, adds the command-line parameter &#8216;co&#8217;, which will allow the stealth routines of the virus to operate</span></li>
<li><span style="color: #000000;">patches text strings inside TBScan&#8217;s code to make the operation of the program look like it has been started without the &#8216;co&#8217; switch</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Lockjaw virus family:</strong></span></p>
<ul>
<li><span style="color: #000000;">deletes F-PROT, SCAN, IM, CPAV</span></li>
<li><span style="color: #000000;">uninstalls VSAFE</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>MtE.Groove and MtE.Encroacher:</strong></span></p>
<ul>
<li><span style="color: #000000;">tries to delete files belonging to the following products: Central Point Anti-Virus, Certus Novi, Fifth Generation Systems Untouchable, Norton Anti-Virus, Dr. Solomon&#8217;s Antivirus Toolkit and VDS Virus Secure.</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>November_17th.890:</strong></span></p>
<ul>
<li><span style="color: #000000;">overwrites the first 256 sectors of the first hard disk whenever SCAN is run</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Peach:</strong></span></p>
<ul>
<li><span style="color: #000000;">deletes CHKLIST.CPS files</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Sandra:</strong></span></p>
<ul>
<li><span style="color: #000000;">tries to delete files belonging to CPAV, NAV, Untouchable, Dr. Solomon&#8217;s Antivirus Toolkit and Integrity Master</span></li>
<li><span style="color: #000000;">will not infect when FluShot is installed</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Satanbug:</strong></span></p>
<ul>
<li><span style="color: #000000;">tries to remove the validation codes added by SCAN</span></li>
<li><span style="color: #000000;">guards its own are-you-there interrupt call to make it difficult to detect the virus in memory with it [CM-Base]</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Tequila:</strong></span></p>
<ul>
<li><span style="color: #000000;">deletes files that have validation codes added by SCAN</span></li>
<li><span style="color: #000000;">does not infect EXE files which have the letters SC or V in their name</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Tremor:</strong></span></p>
<ul>
<li><span style="color: #000000;">hooks INT 13h via a VSAFE back-door</span></li>
<li><span style="color: #000000;">modifies its own memory allocation when F-PROT is executed [VB2]</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"><strong>Varicella:</strong></span></p>
<ul>
<li><span style="color: #000000;">tries to escape and go resident during the cleaning process of TBClean</span></li>
</ul>
<h2 style="text-align: justify;"><span style="color: #000000;">9. Is there a real problem with retroviruses?</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Do retroviruses pose a realistic threat against current anti-virus products? The most popular anti-virus tool is a stand-alone scanner, which by itself is almost always helpless against any new virus. Are there any special risks in a virus that, in addition to being a new one, also specifically tries to by-pass a product?</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">9.1 Dangers of optimized virus analysis systems</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">If a retrovirus exploits a specific flaw or back door in a product, it cannot be considered a very special case, as a new virus requires usually an update to the product anyway. At the same time it is possible to upgrade the product so that the attack-method used by the virus can be circumvented or made obsolete.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The main problem in this case is whether the anti-virus vendor notices what the virus is trying to do. Today, when several new viruses are found every day, there is limited time to analyse any single virus. Virus analysis systems are automated as much as possible, and a virus typically only gets a cursory look &#8211; which is usually enough to add detection, identification and disinfection. Such analysis will not reveal any special features the virus might contain. This also explains why there is no anti-virus product that could provide detailed information about every virus.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">If a retrovirus is run through a standard analysis system, and the product is tested by running it against a sample that is not resident in memory, the retro-features of a virus might not become known until they are featured in the real world &#8211; after which the virus will certainly get more attention, but this might already be a bit too late. The virus might also start its attack behaviours only after a certain latency time.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">9.2 Opening the door to other viruses</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">It should also be noted, that a virus which disables an anti-virus product in some way could also be making the system vulnerable to other viruses, which the product would otherwise have handled fine.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">In many cases this is the only benefit a retrovirus gains from unloading a resident scanner. The scanner can&#8217;t be unloaded before it is resident. Once the scanner is resident, it will not let the virus run, if it is known to the scanning engine. If the virus is unknown to the scanner, it could have operated even when the resident scanner is active. The case is different with behaviour blockers, as they are not trying to find known viruses.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">There is very little a product can do against an attack which consists of deleting or replacing the program file itself &#8211; if the virus gets control before the anti-virus, the virus makes the rules.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">10. How should an antivirus product protect itself?</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">It is obvious that viruses can utilize a variety of tricks against anti-virus products. However, anti-virus programs can fight back just as efficiently.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">10.1 Making the program difficult to locate</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">First of all, the anti-virus program itself should be renameable by the user. This alone would make it a lot harder for a virus to locate its enemy. Unfortunately many anti-virus products refuse to run if they find that their program file has been renamed.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">As the virus can try to locate the anti-virus program by its contents as well as by its name, the structure or contents of the program file should change with each update.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The best way to make sure that no retrovirus is playing its tricks is the old, well-known recipe: boot from a clean diskette and run a fresh copy of the anti-virus program from diskette.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">10.2 Self-checks</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Since many attack routines are based on modification of an anti-virus program, it is imperative that any anti-virus program makes thorough checks on its own code. A cursory check against the modifications that would result from an infection is not enough: if the code is not protected internally against patching, the integrity of the whole program code should be checked during start-up.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It is not enough to ensure that the program code has not been changed. As demonstrated earlier in this paper, it is enough for a retrovirus to modify the text strings or configuration information belonging to the application.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Even though the size of an anti-virus application probably changes with every update, a clever retrovirus could still locate the code it wants to patch by using a search string. This can be overcome by encrypting the application. The protection would be even better if the encryption method or key changed with every update. Another, easier way to achieve the same result is to provide the executable in packed form, as the packing algorithm will invalidate search strings between different versions of the same program.</span></p>
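<p style="text-align: justify;"><span style="color: #000000;">The following is an added example, not code from the paper or from any product it names. It models the defensive behaviour sections 7.1, 7.2 and 10.2 call for: an integrity checker that treats a missing database as an alert rather than as &#8220;not initialised yet&#8221;, binds the whole entry list to a keyed MAC so that stripping a single file&#8217;s validation data is detected, and verifies its own program image against a digest supplied out of band. The database name INTEGRITY.DB, the key, the file names and the function names are all constructed for the example.</span></p>

```python
"""Added example (not from the paper): integrity checker that does not silently
rebuild a deleted database, detects removed entries, and self-checks its image.
All file names, the key and the database name are constructed assumptions."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed secret. A real product would keep it off the checked system
# (user passphrase, removable media), never inside the files it checks.
KEY = b"example-integrity-key"


def file_digest(path):
    """SHA-256 over the whole file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seal(entries):
    """Keyed MAC over the canonical entry list. Because the list as a whole is
    covered, deleting one entry (section 7.2) changes the MAC."""
    canon = json.dumps(sorted(entries.items()), separators=(",", ":"))
    return hmac.new(KEY, canon.encode(), hashlib.sha256).hexdigest()


def init_db(paths, db_path):
    """Explicit initialisation step; this is the only place the DB is created."""
    entries = {os.path.basename(p): file_digest(p) for p in paths}
    with open(db_path, "w") as f:
        json.dump({"entries": entries, "mac": seal(entries)}, f)
    return entries


def check(paths, db_path):
    """Return findings. A missing database is an alert (section 7.1), not an
    invitation to recompute checksums from possibly infected files."""
    if not os.path.exists(db_path):
        return {"status": "DATABASE_MISSING",
                "unverified": sorted(os.path.basename(p) for p in paths)}
    with open(db_path) as f:
        db = json.load(f)
    entries = db.get("entries", {})
    if not hmac.compare_digest(seal(entries), db.get("mac", "")):
        return {"status": "DATABASE_TAMPERED"}
    changed, unknown = [], []
    for p in paths:
        name = os.path.basename(p)
        if name not in entries:
            unknown.append(name)          # file never recorded: report, do not add
        elif entries[name] != file_digest(p):
            changed.append(name)
    status = "OK" if not (changed or unknown) else "CHANGED"
    return {"status": status, "changed": changed, "unknown": unknown}


def self_check(own_path, expected_digest):
    """Section 10.2: compare the checker's own image with a digest the vendor
    ships out of band. True means the whole image is intact."""
    return hmac.compare_digest(file_digest(own_path), expected_digest)


def demo():
    """Walk through init, a clean check, a modified file, a stripped entry and a
    deleted database; returns the status seen at each step."""
    d = tempfile.mkdtemp()
    files = [os.path.join(d, n) for n in ("SCAN.EXE", "CLEAN.EXE")]
    for p in files:
        with open(p, "wb") as f:
            f.write(b"constructed program bytes for " + os.path.basename(p).encode())
    db = os.path.join(d, "INTEGRITY.DB")        # constructed database name
    init_db(files, db)
    good_digest = file_digest(files[0])
    results = [check(files, db)["status"]]      # OK
    with open(files[0], "ab") as f:
        f.write(b"appended bytes")              # simulate a modified program
    results.append(check(files, db)["status"])  # CHANGED
    results.append("SELF_OK" if self_check(files[1], file_digest(files[1]))
                   else "SELF_BAD")             # intact image passes
    results.append("SELF_OK" if self_check(files[0], good_digest)
                   else "SELF_BAD")             # patched image fails
    with open(db) as f:
        data = json.load(f)
    del data["entries"]["SCAN.EXE"]             # strip one entry, keep old MAC
    with open(db, "w") as f:
        json.dump(data, f)
    results.append(check(files, db)["status"])  # DATABASE_TAMPERED
    os.remove(db)
    results.append(check(files, db)["status"])  # DATABASE_MISSING
    return results


if __name__ == "__main__":
    print(demo())
```

<p style="text-align: justify;"><span style="color: #000000;">The point of the design is that none of the three failure cases in the paper is treated as normal: the checker never recreates the database on its own, a shortened entry list fails the MAC, and a patched program image fails the self-check even when the patch does not look like an infection.</span></p>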
<h2 style="text-align: justify;"><span style="color: #000000;">10.3 Resident security</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Since it is often much easier to patch a program in memory rather than on disk, an antivirus application should make checksum checks on its memory image to ensure that no unwanted changes have taken place. This is important especially with the resident anti-virus utilities.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The communication channels to a resident part of the anti-virus program should be carefully thought out. If the TSR needs to have an uninstallation routine, it should be implemented so that it is difficult for another program to request the uninstallation without the user noticing it.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">10.4 Prohibiting disassembly</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">It can be expected that determined virus writers will try to disassemble anti-virus products in order to find out what makes them tick. Thus, some anti-debug and armouring code to protect the application might be a good idea &#8211; although nothing will stop a dedicated cracker.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">At least three different scanners are known to have been analysed by crackers, up to the point of extracting all the search strings of the program. Such an attack can be harmful in several ways: the virus writers get to see exactly what they will have to change in a virus to make a new undetectable variant, and well-chosen search strings are also closely guarded trade secrets.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Popular, easy-to-get programs are the most probable targets for attack routines. This makes commercial products theoretically safer than shareware or freeware products.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;">11. Conclusions</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Retroviruses are nothing new &#8211; the first ones were found in the late 1980s. There are several attack methods that will certainly be used in future viruses &#8211; and some of these can be quite efficient. Therefore, extreme care should be taken by producers of anti-virus software to avoid the possible pitfalls.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It&#8217;s time to make sure your anti-virus product is not vulnerable to an attack it could avoid.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/how-viruses-fight-back.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Norton Ghost™ Version 15.0 Review</title>
		<link>http://www.about-antivirus.com/norton-ghost%e2%84%a2-version-15-0-review.html</link>
		<comments>http://www.about-antivirus.com/norton-ghost%e2%84%a2-version-15-0-review.html#comments</comments>
		<pubDate>Tue, 27 Mar 2012 13:15:41 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Antivirus Download]]></category>
		<category><![CDATA[Antivirus Reviews]]></category>
		<category><![CDATA[Norton]]></category>
		<category><![CDATA[antivirus review]]></category>
		<category><![CDATA[antivirus reviews]]></category>
		<category><![CDATA[antivirus software]]></category>
		<category><![CDATA[Microsoft's Hyper]]></category>
		<category><![CDATA[Norton Antivirus]]></category>
		<category><![CDATA[Norton Ghost]]></category>
		<category><![CDATA[Norton Software]]></category>
		<category><![CDATA[V technology]]></category>
		<category><![CDATA[virtual machines]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2143</guid>
		<description><![CDATA[If you work with large amounts of data, or any amount of data for that matter, it is absolutely essential that you backup your computer on a regular basis. There are so many things that can go wrong in an &#8230; <a href="http://www.about-antivirus.com/norton-ghost%e2%84%a2-version-15-0-review.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><span style="color: #000000;">If you work with large amounts of data, or any amount of data for that matter, it is absolutely essential that you backup your computer on a regular basis. There are so many things that can go wrong in an instant that can cause you to lose large amounts of data – if you are not performing backups, you are just asking for trouble. Luckily, Norton has released yet another version of their popular Ghost software suite, Norton Ghost 15.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It&#8217;s an elegant, lucid, and mature program that&#8217;s easy enough for alert non-technical users, but packed with fine-grained options for advanced users, including the ability to convert backed-up images into &#8220;virtual disks&#8221; that can be run as &#8220;virtual machines&#8221; by VMware software or by Microsoft&#8217;s Hyper-V technology.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Norton Ghost has come a long way; once a simple disk-cloning tool, it now combines imaging features with incremental backup at the disk, partition and file level, to deliver what Symantec calls &#8220;professional grade backup&#8221;.</span></p>
<p style="text-align: justify;"><span style="color: #000000;"><a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/Norton-Ghost%E2%84%A2-Version-15.0-1.jpg"><span style="color: #000000;"><img class="alignright size-full wp-image-2146" title="Norton Ghost™ Version 15.0 1" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/Norton-Ghost%E2%84%A2-Version-15.0-1.jpg" alt="" width="300" height="300" /></span></a>With<a title="norton antivirus" href="http://www.about-antivirus.com/category/antivirus-software-2/panda-antivirus-antivirus-software-2" target="_blank"><span style="text-decoration: underline; color: #ff0000;"><strong> Norton</strong></span></a> Ghost, lost or damaged files can be recovered and restored in the event of a system failure, even if the computer’s operating system does not start. It also allows backup of an entire system or specific files and folders while saving recovery points to offsite locations using FTP. Norton Ghost is also flexible, allowing users to decide when to back up their system, either on a schedule or based on an event.</span></p>
<h2 style="text-align: justify;"><span style="color: #000000;"><strong>System Requirements</strong></span></h2>
<p style="text-align: justify;"><strong>Windows XP SP2 Home / Professional:</strong></p>
<ul style="text-align: justify;">
<li><span style="color: #000000;">300MHz processor or higher.</span></li>
<li><span style="color: #000000;">512MB RAM (1 GB recommended).</span></li>
<li><span style="color: #000000;">430MB free hard disk space.</span></li>
</ul>
<p style="text-align: justify;"><strong>Windows Vista Home Starter / Home Premium / Business / Ultimate:</strong></p>
<ul style="text-align: justify;">
<li><span style="color: #000000;">Must meet the minimum system requirements of Windows Vista.</span></li>
</ul>
<p style="text-align: justify;"><strong>Windows 7 Starter / Home Basic / Home Premium / Professional / Enterprise / Ultimate:</strong></p>
<ul style="text-align: justify;">
<li><span style="color: #000000;">Must meet the minimum system requirements of Windows 7.</span></li>
</ul>
<p style="text-align: justify;"><strong>Required for all installations:</strong></p>
<ul>
<li><span style="color: #000000;">CD-ROM or DVD drive for software distribution on media.</span></li>
<li><span style="color: #000000;">Super VGA (800&#215;600) resolution or higher video adapter and monitor.</span></li>
</ul>
<p style="text-align: justify;"><strong>Supported File Systems and Devices:</strong></p>
<ul>
<li><span style="color: #000000;">FAT16, FAT16X, FAT32, FAT32X.</span></li>
<li><span style="color: #000000;">NTFS, GUID Partition Table (GPT).</span></li>
<li><span style="color: #000000;">Dynamic Disks.</span></li>
</ul>
<p style="text-align: justify;"><strong>Supported Hard Drives and Removable Media:</strong></p>
<ul>
<li><span style="color: #000000;">CDR/RW, DVD+-R/RW, Blu-Ray drives.</span></li>
<li><span style="color: #000000;">USB and FireWire (IEEE 1394) devices.</span></li>
<li><span style="color: #000000;">Iomega Zip and Jaz drives.</span></li>
</ul>
<h2 style="text-align: justify;"><span style="color: #000000;">Smooth, But Lengthy, Installation</span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Installation was smooth, but slow. After installing Ghost 15.0 and restarting my computer, the application downloaded and installed a new version of itself, and required me to restart a second time. After the second restart, it greeted me with a wizard that offered to create a backup of my complete system. The wizard also included options to limit the backup to one or more partitions instead of the complete system, plus an option to backup individual files, folders, or types of files.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">I like Ghost 15.0&#8242;s spacious, up-to-date interface, which offers all the information that intelligent, but non-technical users need to create backups on local disks, remote network drives, or detachable USB drives. A well-designed Offsite Backup option, for example, guides you through the process of creating backups on USB drives or on writable optical disks, including CDs, DVDs, and even Blu-Ray disks. Drive image backups were reasonably quick but slower than rival products: Ghost 15.0 needed 32 minutes to back up a 38GB partition that ShadowProtect Desktop and Acronis Backup &amp; Recovery 10 both imaged in 24 minutes.</span></p>
<p style="text-align: justify;"><strong><span style="color: #000000;">Symantec Norton Ghost 15.0 Features</span></strong></p>
<ul>
<li><span style="color: #000000;">Full backups are easy – with only a few clicks, you can back up your whole computer. If something goes wrong, a few more clicks will restore it to its original state!</span></li>
<li><span style="color: #000000;">Event-based backups – you can have Ghost back up your computer when specific events happen, or even on specific dates automatically.</span></li>
<li><span style="color: #000000;">Back up changed files only – instead of backing up your whole computer every time, Ghost can back up only files that have changed, saving time and space!</span></li>
</ul>
<p style="text-align: justify;"><strong><span style="color: #000000;">Benefits</span></strong></p>
<ul>
<li><span style="color: #000000;">Automatically back up your files, photos and more:</span>
<ul>
<li><span style="color: #000000;">Safeguards your photos, videos, music and other files with automatic backup.</span></li>
<li><span style="color: #000000;">Takes periodic snapshots of your entire computer hard drive to be able to completely restore your computer system to a specific backup version in the case of hard drive failure.</span></li>
<li><span style="color: #000000;">Automatically backs up when online threats raise an increased need to save the latest version of your system.</span></li>
</ul>
</li>
</ul>
<h2 style="text-align: justify;"><span style="color: #000000;"><strong>Poor Help Page</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Ghost 15.0&#8242;s dialog boxes are packed with clearly-written information suitable for casual users. Unfortunately, expert users who click on the &#8220;Advanced&#8221; button in some of Ghost 15.0&#8242;s dialog boxes may be less satisfied with the level of help provided. For example, when I defined a drive-image backup, an &#8220;Advanced&#8221; button opened a dialog with options for encrypting and password-protecting a backup, and also an option labeled &#8220;Perform full VSS backup.&#8221; A helpful-looking &#8220;Tell me more&#8221; button in the same dialog leads to a help page that explains every option on the Advanced dialog—except for &#8220;Perform full VSS backup.&#8221; Nothing else in the documentation explains what that option means. System administrators will know that it means that you can choose that option to backup Exchange Server and similar data even while the server&#8217;s database is active. Unfortunately, even the full-VSS option doesn&#8217;t fix Ghost 15.0&#8242;s refusal to back up cached Outlook data in an .OST file.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/norton-ghost%e2%84%a2-version-15-0-review.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Win32.Elkern.A</title>
		<link>http://www.about-antivirus.com/win32-elkern-a.html</link>
		<comments>http://www.about-antivirus.com/win32-elkern-a.html#comments</comments>
		<pubDate>Sun, 25 Mar 2012 01:32:55 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Virus list & description]]></category>
		<category><![CDATA[antivirus description]]></category>
		<category><![CDATA[Antivirus guide]]></category>
		<category><![CDATA[antivirus list]]></category>
		<category><![CDATA[antivirus news]]></category>
		<category><![CDATA[antivirus tips]]></category>
		<category><![CDATA[EXE Files]]></category>
		<category><![CDATA[Klez-E]]></category>
		<category><![CDATA[virus decrypts]]></category>
		<category><![CDATA[Virus description]]></category>
		<category><![CDATA[Virus list]]></category>
		<category><![CDATA[virus store]]></category>
		<category><![CDATA[Windows 32]]></category>
		<category><![CDATA[Worm]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2136</guid>
		<description><![CDATA[Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you backup all of your data prior to attempting to remove an infection &#8230; <a href="http://www.about-antivirus.com/win32-elkern-a.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><span style="color: #000000;">Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you backup all of your data prior to attempting to remove an infection or repair any damage causes by an infection.</span></p>
<p style="text-align: justify;"><strong>Details:</strong><br />
<span style="color: #000000;"> Name: Win32.Elkern.A</span><br />
<span style="color: #000000;"> Aliases: N/A</span><br />
<span style="color: #000000;"> Type: File Infector, written in Assembly language</span><br />
<span style="color: #000000;"> Size: N/A</span><br />
<span style="color: #000000;"> Risk: Low</span><br />
<span style="color: #000000;"> ITW: No</span></p>
<p style="text-align: justify;"><span style="color: #000000;"><a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/antivirus2.jpg"><span style="color: #000000;"><img class="alignright size-medium wp-image-2137" title="antivirus" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/antivirus2-300x223.jpg" alt="" width="300" height="223" /></span></a></span><strong>Description:</strong><br />
<span style="color: #000000;"> Win32.Elkern.A is a file infector that spreads with the help of Win32.Klez.A@mm, which carries it inside the worm. It runs on the Windows 98 and ME platforms.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">When executed, the virus copies the host into the Windows system directory under the name wqk (with the extension .exe or .dll) and writes the following key to the registry:</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Software\Microsoft\Windows\CurrentVersion\Run\Wqk</span></p>
<p style="text-align: justify;"><span style="color: #000000;">using as value the path to the copied file, allowing it to be reactivated every time Windows is started.<span id="more-2136"></span></span></p>
<p style="text-align: justify;"><span style="color: #000000;">The virus remains active, hiding from the application list, and searches for files to infect.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">File infection is accomplished by searching for cavities in the host file to avoid increasing the file size, and if this cannot be done then the last section of the executable will be extended to include the virus body.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">At the same time, the virus is capable of infecting the local network.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The spreading potential of the virus is increased because <a title="virus list &amp; description" href="http://www.about-antivirus.com/win32-klez-amm.html" target="_blank"><span style="text-decoration: underline; color: #000000;"><strong>Win32.Klez.A@mm</strong></span></a> also aids in spreading it: Klez is a mass-mailer and network infector.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">In order to make detection more difficult, the virus keeps some layers of its body in encrypted form, and the names of the system functions it uses are not stored in it; only a checksum associated with each name is. To use these functions it calculates a checksum for the name of each exported system function, and when a checksum matches one in its list, it retrieves that function’s address and calls it.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/win32-elkern-a.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avast Internet Security 2012 Review</title>
		<link>http://www.about-antivirus.com/avast-internet-security-2012-review.html</link>
		<comments>http://www.about-antivirus.com/avast-internet-security-2012-review.html#comments</comments>
		<pubDate>Sun, 25 Mar 2012 01:17:44 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Antivirus Download]]></category>
		<category><![CDATA[Antivirus Reviews]]></category>
		<category><![CDATA[Avast]]></category>
		<category><![CDATA[ALWIL Software]]></category>
		<category><![CDATA[antivirus article]]></category>
		<category><![CDATA[Antivirus guide]]></category>
		<category><![CDATA[antivirus news]]></category>
		<category><![CDATA[antivirus software]]></category>
		<category><![CDATA[antivirus tips]]></category>
		<category><![CDATA[avast]]></category>
		<category><![CDATA[Avast installation]]></category>
		<category><![CDATA[Avast Internet Security]]></category>
		<category><![CDATA[Security Features]]></category>
		<category><![CDATA[Virus Protection Tips]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2129</guid>
		<description><![CDATA[Avast Internet Security is an excellent and powerful internet security suite. Avast, an acronym for “anti-virus advanced set”, was first designed and developed by Czech researchers. Its core protection is close to perfect, and its intelligent virtualization processes are great features. &#8230; <a href="http://www.about-antivirus.com/avast-internet-security-2012-review.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><span style="color: #000000;">Avast Internet Security is an excellent and powerful internet security suite.</span></p>
<p style="text-align: justify;"><span style="color: #000000;"><a title="Avast" href="http://www.about-antivirus.com/category/antivirus-software-2/avast" target="_blank"><span style="text-decoration: underline;"><strong>Avast</strong></span></a>, an acronym for “anti-virus advanced set”, was first designed and developed by Czech researchers.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Its core protection is close to perfect, and its intelligent virtualization processes are great features.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">They founded a company called ALWIL<a title="antivirus software" href="http://www.about-antivirus.com/category/antivirus-software-2" target="_blank"><span style="text-decoration: underline; color: #ff0000;"><strong> software</strong></span></a>, which was recently renamed Avast Software.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It introduces the new WebRep website reputation rating feature.</span></p>
<p style="text-align: justify;"><span style="color: #000000;"><a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/avast-internet-security-2012.png"><span style="color: #000000;"><img class="alignright size-full wp-image-2130" title="avast internet security 2012" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/avast-internet-security-2012.png" alt="" width="250" height="250" /></span></a>There are certainly a lot of things to love about this security suite, especially for users who are considering an upgrade to the more complete Avast Internet Security.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Keep your email inbox safe and clean</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Internet Security’s antispam feature blocks both spam and sophisticated “phishing” attempts, to keep you from clicking “harmless” links that really can cause damage.</span></p>
<h2 style="text-align: justify;"><span style="color: #333399;"><strong>System Requirements:</strong></span></h2>
<p style="text-align: justify;"><strong>Operating Systems Supported</strong></p>
<ul style="text-align: justify;">
<li><span style="color: #000000;"> Windows 7 (any Edition, 32-bit or 64-bit)</span></li>
<li><span style="color: #000000;"> Windows Vista (any Edition excl. Starter Edition, 32-bit or 64-bit)</span></li>
<li><span style="color: #000000;"> Windows XP Service Pack 2 or higher (any Edition, 32-bit or 64-bit)<span id="more-2129"></span></span></li>
</ul>
<p style="text-align: justify;"><strong> Minimum Hardware Requirements:</strong></p>
<ul style="text-align: justify;">
<li><span style="color: #000000;"> Pentium 3 Processor</span></li>
<li><span style="color: #000000;"> 256 MB RAM</span></li>
<li><span style="color: #000000;"> 380 MB of free hard disk space</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;"> Please note that avast! Internet Security runs only on PCs with Windows XP and newer. Older Windows operating systems (Windows 95/98/ME/NT/2000) are not supported.</span></p>
<h2 style="text-align: justify;"><span style="color: #333399;"><strong>Installation</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Avast has improved its installation process so it&#8217;s faster than before. It&#8217;s not the fastest on the market, not by a long shot, but a standard installation took us about three minutes.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Some items of note during the installation that will come up later in the review: to avoid the new Windows 7 and Vista desktop gadget, or the new WebRep browser add-on, you must choose the Custom install option and uncheck those here.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Automatic installation of these features is frowned upon, although Avast does provide a clear method for uninstalling them. It&#8217;s just not as simple as a check box that gets its own installation window, since you have to go through the Customize menu, which makes the auto-install sort of surreptitious.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The current versions of Firefox and Internet Explorer both block forced add-on installation. When you run one of those browsers for the first time after installing Avast, they&#8217;ll ask you if you want to allow the new add-on.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">On the plus side, installing Avast doesn&#8217;t require a reboot, and using its uninstall tool we detected no remnants in the Registry or on the desktop. Avast has said that the installer has shrunk for all three versions by about 20 percent, although it&#8217;s still a large download at around 70MB for the free version.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">A new Avast installation option, available only from the custom install menu, lets you sideload Avast as a secondary security program to supplement your main one. We&#8217;re not big fans of this option from a security point of view, because it can bog down your system resources without actually making you safer. However, for seeing if you like Avast, it&#8217;s not a bad thing as long as you remember to choose one security suite to go with.</span></p>
<h2 style="text-align: justify;"><span style="color: #333399;"><strong>Security Features</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">The Avast internet security suite has all the tools you need to protect your identity and your computer. However, it is not intended to protect a family. It does not have parental controls for monitoring what children do online and it will not block their access to restricted websites. Nevertheless, if you don&#8217;t have children to monitor, Avast is suitable for unrestricted adult usage. It has powerful tools for protecting credit card numbers, personal information and browsing history. </span></p>
<p style="text-align: justify;"><span style="color: #000000;">You can run custom scans with this application as well as schedule scans. It has a game mode and fullscreen mode for reducing interruptions and system usage during game playing or video viewing. It does not have a virtual keyboard for bypassing keyloggers, but when you are browsing using the SafeZone it will protect your login information and card numbers.</span></p>
<h2 style="text-align: justify;"><span style="color: #333399;"><strong>Firewall Protection</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Avast’s firewall adapts to your present location. It will ask you to specify the zone for your network – Home, Work or Public. In the Home zone, the firewall allows all activity without any restrictions. In the Work zone, it controls the precise level of network and internet access granted to each program. The Public zone is the most secure: it blocks all incoming communication, and blocks network access for programs that don’t already have application rules defined.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Avast Internet Security 2012 has an impressive suite of tools and we are confident many users will find it sufficient for their online protection needs.</span></p>
<h2 style="text-align: justify;"><span style="color: #333399;"><strong>Major Improvements In Latest Version</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Improved Silent Firewall: Avast has improved its silent firewall in the latest version. The firewall is more robust in denying unauthorized communication to your PC and has excelled in terms of its execution too. Our test results this time are far better than for its previous release.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Fully Integrated Anti-Spam: the smart anti-spam module takes care of shielding against all malware communicated through incoming e-mails. Avast anti-spam flags e-mails based on criteria such as suspicious URLs and large attachments, and maintains two queues, a blacklist and a whitelist, containing the e-mail addresses of senders. It constantly updates these lists and matches all incoming e-mails against them to analyze and reject spam. This module works in conjunction with popular mail clients such as Microsoft Outlook and Outlook Express. It does not work with web-based e-mail accounts such as Yahoo, Gmail or Hotmail, though those services have their own anti-spam filtering.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Anti-Phishing Protection: the combination of the avast! Antispam and the integrated URL blocking feature in avast! Internet Security provides sufficient anti-phishing protection.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The sandbox can also be used to run any other application which you think may be suspect – you can run the program inside the sandbox to determine whether or not it is safe while remaining completely protected against any malicious actions that it may try to carry out.</span></p>
<h2 style="text-align: justify;"><span style="color: #333399;"><strong>Help &amp; Support</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Avast Internet Security is easy to use, but there are also several support resources available for extra help. The product is backed up by professional help &amp; support documentation, as well as specialized staff ready to offer remote assistance at any time of the day. Online you can find support through a searchable knowledgebase, tutorial videos and help documentation. Avast technical support provides a good turnaround time of 1.5 days (on average) to solve any issues.</span><br />
<span style="color: #000000;"> Another great support outlet is the user forum, especially since Avast has a huge dedicated user base. For English-speaking phone support, Avast has partnered with iYogi to provide help with installation, configuration and troubleshooting. They do not yet provide instant chat support. For timely update and threat information, you can follow Avast on Facebook and Twitter.</span></p>
<h2 style="text-align: justify;"><span style="color: #333399;"><strong>Conclusion</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">When it comes to your security, Avast 2012 gets a lot right. It&#8217;s got a usable, uncluttered interface, solid although not stellar benchmarks, and a set of features that keeps it at the forefront of Windows security. Avast has created an excellent, constantly improving security product for individual or adult users. Few people want security that makes a good machine run like an old one, and on that count, Avast has your back. However, if you need a product to protect your entire family, you will want to look to one of our higher-ranked products that include parental controls and the ability to manage unique user profiles.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/avast-internet-security-2012-review.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Win32.Klez.A@mm</title>
		<link>http://www.about-antivirus.com/win32-klez-amm.html</link>
		<comments>http://www.about-antivirus.com/win32-klez-amm.html#comments</comments>
		<pubDate>Sat, 24 Mar 2012 02:37:20 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Virus list & description]]></category>
		<category><![CDATA[antivirus description]]></category>
		<category><![CDATA[Antivirus guide]]></category>
		<category><![CDATA[antivirus list]]></category>
		<category><![CDATA[antivirus news]]></category>
		<category><![CDATA[antivirus tips]]></category>
		<category><![CDATA[EXE Files]]></category>
		<category><![CDATA[Klez-E]]></category>
		<category><![CDATA[virus decrypts]]></category>
		<category><![CDATA[Virus description]]></category>
		<category><![CDATA[Virus list]]></category>
		<category><![CDATA[virus store]]></category>
		<category><![CDATA[Windows 32]]></category>
		<category><![CDATA[Worm]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2123</guid>
		<description><![CDATA[Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you backup all of your data prior to attempting to remove an infection &#8230; <a href="http://www.about-antivirus.com/win32-klez-amm.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><span style="color: #000000;">Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you back up all of your data prior to attempting to remove an infection or repair any damage caused by an infection.</span></p>
<p><strong>Details:</strong><br />
<span style="color: #000000;"> &#8212;&#8212;&#8212;-</span><br />
<span style="color: #000000;"> Name: Win32.Klez.A@mm</span><br />
<span style="color: #000000;"> Aliases: N/A</span><br />
<span style="color: #000000;"> Type: Internet and Network Worm, written in Visual C language</span><br />
<span style="color: #000000;"> Size: 57345 bytes</span><br />
<span style="color: #000000;"> Risk: Medium</span><br />
<span style="color: #000000;"> ITW: Yes</span></p>
<p><strong>Description:</strong><br />
<span style="color: #000000;"> &#8212;&#8212;&#8212;&#8212;&#8212;-</span><br />
<span style="color: #000000;"> <a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/antivirus1.jpg"><span style="color: #000000;"><img class="alignright size-medium wp-image-2124" title="antivirus" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/antivirus1-300x214.jpg" alt="" width="300" height="214" /></span></a>Win32.Klez.A@mm is an Internet worm capable of spreading through the local network. The infected e-mails carry the virus as an attachment with a random name (but with an .exe extension), and the subject of the e-mail is one of the following:</span></p>
<p><span style="color: #000000;">Hello</span><br />
<span style="color: #000000;"> How are you?</span><br />
<span style="color: #000000;"> Can you help me?</span><br />
<span style="color: #000000;"> We want peace</span><br />
<span style="color: #000000;"> Where will you go?</span><br />
<span style="color: #000000;"> Congratulations!!!</span><br />
<span style="color: #000000;"> Don’t cry</span><br />
<span style="color: #000000;"> Look at the pretty</span><br />
<span style="color: #000000;"> Some advice on your shortcoming</span><br />
<span style="color: #000000;"> Free XXX Pictures</span><br />
<span style="color: #000000;"> A free hot porn site</span><br />
<span style="color: #000000;"> Why don&#8217;t you reply to me?<span id="more-2123"></span></span><br />
<span style="color: #000000;"> How about have dinner with me together?</span><br />
<span style="color: #000000;"> Never kiss a stranger</span></p>
<p><span style="color: #000000;">The message body is as follows:</span></p>
<p><span style="color: #000000;">I&#8217;m sorry to do so,but it&#8217;s helpless to say sorry.</span><br />
<span style="color: #000000;"> I want a good job,I must support my parents.</span><br />
<span style="color: #000000;"> Now you have seen my technical capabilities.</span><br />
<span style="color: #000000;"> How much my year-salary now? NO more than $5,500.</span><br />
<span style="color: #000000;"> What do you think of this fact?</span><br />
<span style="color: #000000;"> Don&#8217;t call my names,I have no hostility.</span><br />
<span style="color: #000000;"> Can you help me?</span></p>
<p><span style="color: #000000;">It uses an exploit (a security hole) that allows the attachment to be executed when viewing the message with Microsoft Outlook Express or Outlook (without Service Packs installed). This method is similar to the one used by Nimda or Kak worms.</span></p>
<p><span style="color: #000000;">The e-mail message does not appear to come from the infected user, but from one of a fixed list of forged sender addresses carried by the worm.</span></p>
<p><span style="color: #000000;">Once executed, the virus decrypts all of its text strings (which are stored encrypted so that they cannot be read by anyone studying the virus) and tries to hide itself from the application list.</span></p>
<p><span style="color: #000000;">The virus creates an execution thread, which monitors all running applications, and if there are any applications belonging to an anti-virus program, it closes them.</span></p>
<p><span style="color: #000000;">The virus then creates a file named wqk.exe in the system directory, containing the <a title="virus list &amp; description" href="http://www.about-antivirus.com/win32-elkern-a.html" target="_blank"><span style="text-decoration: underline; color: #ff0000;"><strong>Win32.Elkern.A</strong></span></a> virus, which it keeps compressed in its body. This virus is a file infector that runs on Windows 98 or Windows Me.</span></p>
<p><span style="color: #000000;">After creating the wqk.exe file, the worm executes it, copies itself into the Windows system directory under the name krn132.exe and creates a key in the registry:</span></p>
<p><span style="color: #000000;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Krn132</span></p>
<p><span style="color: #000000;">using as value the path to this file, allowing it to be reactivated every time Windows is started.</span></p>
<p><span style="color: #000000;">The virus launches other execution threads: one for infection through the Internet, one for network infection and another 26 to scan each drive for files with one of the following extensions: txt, htm, doc, jpg, bmp, xls, cpp, html, mpg, mpeg.</span></p>
<p><span style="color: #000000;">The thread dedicated to Internet infection searches for all contacts in the Outlook Address Book and generates a maximum of 10 e-mail addresses with a random name but ending in @yahoo.com, @hotmail.com or @sina.com.</span><br />
<span style="color: #000000;"> In order to send messages to these addresses it also generates an SMTP server list by taking the domain name from each e-mail address and adding the smtp. prefix. For example, if the e-mail address list includes an address like contact@domain.com,</span><br />
<span style="color: #000000;"> the virus will include smtp.domain.com in the SMTP server list.</span></p>
<p><span style="color: #000000;">The thread for network infection reactivates every 8 hours and scans the network, leaving in certain shared directories copies of the virus, but bearing an apparently random name and a double extension. This name is actually the name of the last file that the execution threads scanning the local disks went over, adding to it the extension .exe.</span></p>
<p><span style="color: #000000;">If the system’s date is in an odd month (January, March, etc.) and the day is the 13th, the virus starts its payload routine, scanning local disks (or drives mapped from the network) and filling the files it finds with random data, permanently destroying them.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/win32-klez-amm.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Worm/Klez-E</title>
		<link>http://www.about-antivirus.com/wormklez-e.html</link>
		<comments>http://www.about-antivirus.com/wormklez-e.html#comments</comments>
		<pubDate>Sat, 24 Mar 2012 02:32:02 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Virus list & description]]></category>
		<category><![CDATA[antivirus description]]></category>
		<category><![CDATA[Antivirus guide]]></category>
		<category><![CDATA[antivirus list]]></category>
		<category><![CDATA[antivirus news]]></category>
		<category><![CDATA[antivirus tips]]></category>
		<category><![CDATA[EXE Files]]></category>
		<category><![CDATA[Klez-E]]></category>
		<category><![CDATA[virus decrypts]]></category>
		<category><![CDATA[Virus description]]></category>
		<category><![CDATA[Virus list]]></category>
		<category><![CDATA[virus store]]></category>
		<category><![CDATA[Windows 32]]></category>
		<category><![CDATA[Worm]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2118</guid>
		<description><![CDATA[Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you backup all of your data prior to attempting to remove an infection &#8230; <a href="http://www.about-antivirus.com/wormklez-e.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you back up all of your data prior to attempting to remove an infection or repair any damage caused by an infection.</p>
<p style="text-align: justify;">Details:<br />
&#8212;&#8212;&#8212;-<br />
Name: W32/Klez-E<br />
Aliases: Win32.Klez.E@mm<br />
Type: Internet and Network Worm, written in Visual C language<br />
Size: ~80Kb<br />
Risk: High/Medium<br />
ITW: Yes</p>
<p style="text-align: justify;">Description:<br />
&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
<a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/antivirus.jpg"><img class="alignright size-medium wp-image-2119" title="antivirus" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/antivirus-300x283.jpg" alt="" width="300" height="283" /></a>W32/Klez-E is a slight modification of <a title=" Worm/Klez-A" href="http://www.about-antivirus.com/win32-klez-amm.html" target="_blank"><span style="text-decoration: underline; color: #ff0000;"><strong>Worm/Klez-A</strong></span></a>. It is an Internet worm capable of spreading through the local network on 32-bit Windows systems, and it infects EXE files. In order to remain resident in memory, it infects the file KERNEL32.DLL.</p>
<p style="text-align: justify;">The worm arrives through e-mail in the following format:</p>
<p style="text-align: justify;">Subject lines include (but are not limited to):<br />
- Fw: A nice game<br />
- Re: A WinXP patch<br />
- Re: Good removal tools<br />
- Fw: A humour website<br />
- how are you<br />
- For more information, please visit</p>
<p style="text-align: justify;">Body Text (examples):<br />
- This is a nice game<br />
This is my first work.<br />
Your&#8217;re the first player.<span id="more-2118"></span><br />
I would expect you would enjoy it</p>
<p style="text-align: justify;">- Hello,This is a humour game<br />
This game is my first work.<br />
You&#8217;re the first player.<br />
I expect you would like it.</p>
<p style="text-align: justify;">Attachment (examples):<br />
- kitty.exe<br />
- rock.exe<br />
- play.scr</p>
<p style="text-align: justify;">It uses an exploit (a security hole) that allows the attachment to be executed when viewing the message with Microsoft Outlook Express or Outlook (without Service Packs installed). This method is similar to the one used by Nimda or Kak worms.</p>
<p style="text-align: justify;">Microsoft has issued a patch which protects users against this vulnerability.</p>
<p style="text-align: justify;">Once executed, the virus decrypts all of its text strings (which are stored encrypted so that they cannot be read by anyone studying the virus) and tries to hide itself from the application list. It creates a new section at the end of an infected .exe file, in which it stores its code. The virus does not infect all EXE files or programs.</p>
<p style="text-align: justify;">When infecting KERNEL32.DLL the virus stores the modified file under the name KLEZED.TT6, and when the system is restarted KERNEL32.DLL is replaced by KLEZED.TT6 (with the help of an appropriate entry in WININIT.INI). The virus changes the export addresses of the affected Windows API functions so that they point into the virus’s own code, thereby hooking sixteen KERNEL32 functions: deleting files, modifying file attributes, opening and copying files, and others.</p>
<p style="text-align: justify;">The virus creates an execution thread, which monitors all running applications, and if there are any applications belonging to an anti-virus program, it closes them.</p>
<p style="text-align: justify;">The following files are terminated:</p>
<p style="text-align: justify;">N32SCANW.EXE, NAVAPSVC.EXE, NOD32.EXE, NAVAPW32.EXE, NAVWNT.EXE, NAVLU32.EXE, NAVRUNR.EXE, NPSSVC.EXE, NSCHEDNT.EXE, SCAN.EXE, SMSS.EXE, _AVP32.EXE, _AVPM.EXE, NSPLUGIN.EXE</p>
<p style="text-align: justify;">The virus then creates a file named wqk.exe in the system directory, containing the Win32.Elkern.A virus, which it keeps compressed in its body. This virus is a file infector that runs on Windows 98 or Windows Me.</p>
<p style="text-align: justify;">The virus launches other execution threads: one for infection through the Internet and one for network infection. If the system’s date is in an odd month (January, March, etc.) and the day is the 6th, the virus starts its payload routine, scanning local disks (or drives mapped from the network) and filling the files it finds with random data, permanently destroying them. Files with the following extensions are damaged: .bak, .c, .cpp, .doc, .htm, .html, .jpg, .mp3, .mpeg, .mpg, .pas, .txt, .wab, and .xls. If the month is January or July the main payload is carried out.</p>
<p style="text-align: justify;">The thread dedicated to Internet infection searches for all contacts in the Windows Address Book. In order to send messages to these addresses it also generates an SMTP server list, using its own SMTP routine, by taking the domain name from each e-mail address and adding the smtp. prefix.</p>
<p style="text-align: justify;">The thread for network infection reactivates every 8 hours and scans the network, leaving in certain shared directories copies of the virus, but bearing an apparently random name and a double extension. This name is actually the name of the last file that the execution threads scanning the local disks went over, adding to it the extension .exe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/wormklez-e.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Kaspersky Pure Review</title>
		<link>http://www.about-antivirus.com/kaspersky-pure-review.html</link>
		<comments>http://www.about-antivirus.com/kaspersky-pure-review.html#comments</comments>
		<pubDate>Fri, 23 Mar 2012 04:12:02 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Antivirus Download]]></category>
		<category><![CDATA[Antivirus Reviews]]></category>
		<category><![CDATA[Kaspersky]]></category>
		<category><![CDATA[antivirus reviews]]></category>
		<category><![CDATA[antivirus software]]></category>
		<category><![CDATA[Kaspersky premium security]]></category>
		<category><![CDATA[Kaspersky PURE]]></category>
		<category><![CDATA[Kaspersky Pure review]]></category>
		<category><![CDATA[security software]]></category>
		<category><![CDATA[virus protection]]></category>
		<category><![CDATA[virus protection system]]></category>
		<category><![CDATA[Vista and XP systems]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2110</guid>
		<description><![CDATA[Kaspersky has recently updated its range of security software to include the new Kaspersky PURE, an all-singing, all-dancing suite that does far more than simply protect against and remove threats. Its been quite long until we did Kaspersky Pure review. &#8230; <a href="http://www.about-antivirus.com/kaspersky-pure-review.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><span style="color: #000000;"><a title="Kaspersky" href="http://www.about-antivirus.com/category/antivirus-software-2/kaspersky" target="_blank"><span style="color: #ff0000;"><strong>Kaspersky</strong></span></a> has recently updated its range of <a title=" antivirus software" href="http://www.about-antivirus.com/category/antivirus-software-2" target="_blank"><span style="text-decoration: underline; color: #ff0000;"><strong>security software</strong></span></a> to include the new Kaspersky PURE, an all-singing, all-dancing suite that does far more than simply protect against and remove threats.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It has taken us a while to get to a Kaspersky Pure review. Let us begin by saying that Kaspersky Pure&#8217;s main advantage lies in its ease of use.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Packed with the entire range of network protection features, it is easy to manage as it simplifies and centralizes your entire home virus protection system.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Given its focus on combining functionality with simplicity of use, Kaspersky Pure is a full-fledged protection system that works well for professionals as well as occasional home users.</span></p>
<p style="text-align: justify;"><span style="color: #000000;"><a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/kaspersky-pure.png"><img class="alignright size-full wp-image-2111" title="kaspersky pure" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/kaspersky-pure.png" alt="" width="250" height="310" /></a>This Kaspersky premium security suite combines stalwart protection with a complete suite of tools designed to protect your family, your identity and your computers.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">A single license purchase can protect up to three PCs, and you can remotely manage all PCs from one computer.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">You can also remotely manage parental controls to protect your children and supervise their time spent online from anywhere.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It can even block your children from sharing sensitive information online, such as phone numbers, your home address or credit card numbers.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Unlike other all-in-one security suites that also offer system tune-ups such as disk clean-up and defragmentation, it is solidly focused on features that keep you secure.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Kaspersky Pure is certainly worth checking out if you are a home user needing great protection in an all-in-one package.</span><span id="more-2110"></span></p>
<p style="text-align: justify;"><span style="color: #000000;">The suite provides a firewall, phishing protection, backup and restore functions, a secure data vault and a file shredder.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Add to that the fact that it’s easily manageable and you have got a very comfortable and highly efficient protection system working for you.</span></p>
<h2 style="text-align: justify;"><span style="color: #0000ff;"><strong>System Requirements and Installation</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">The new program, Kaspersky PURE is designed to work in Windows 7, Vista and XP systems. The install process requires no reboot until you finish installing the program updates. The user interface of Kaspersky PURE is very user-friendly; computer beginners should not find it confusing to manage.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Kaspersky PURE uses 69.9MB of hard-disk space and will install two start-up items in Windows: avp.exe and stpass.exe. Avp.exe is Kaspersky&#8217;s main module, while the latter is the password manager application.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The installer will modify the browser by installing add-ons for Firefox and Internet</span></p>
<table id="table1" width="27%" border="1">
<tbody>
<tr>
<td colspan="3">
<h1 style="text-align: center;"><span style="color: #000000;">Buy Now</span></h1>
</td>
</tr>
<tr>
<td>
<h2><span style="color: #000000;">3 User</span></h2>
</td>
<td>
<h2><span style="color: #000000;">3 User &#8211; FFP</span></h2>
</td>
<td>
<h2><span style="color: #000000;">2.0 &#8211; 3 Users</span></h2>
</td>
</tr>
<tr>
<td><iframe style="width: 120px; height: 240px;" src="http://rcm.amazon.com/e/cm?t=easy0a20-20&amp;o=1&amp;p=8&amp;l=as1&amp;asins=B004DTLWZ6&amp;ref=qf_sp_asin_til&amp;fc1=000000&amp;IS2=1&amp;lt1=_blank&amp;m=amazon&amp;lc1=0000FF&amp;bc1=000000&amp;bg1=FFFFFF&amp;f=ifr" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" width="320" height="240"></iframe></td>
<td><iframe style="width: 120px; height: 240px;" src="http://rcm.amazon.com/e/cm?t=easy0a20-20&amp;o=1&amp;p=8&amp;l=as1&amp;asins=B005FK957Y&amp;ref=qf_sp_asin_til&amp;fc1=000000&amp;IS2=1&amp;lt1=_blank&amp;m=amazon&amp;lc1=0000FF&amp;bc1=000000&amp;bg1=FFFFFF&amp;f=ifr" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" width="320" height="240"></iframe></td>
<td><iframe style="width: 120px; height: 240px;" src="http://rcm.amazon.com/e/cm?t=easy0a20-20&amp;o=1&amp;p=8&amp;l=as1&amp;asins=B007A7JSMM&amp;ref=qf_sp_asin_til&amp;fc1=000000&amp;IS2=1&amp;lt1=_blank&amp;m=amazon&amp;lc1=0000FF&amp;bc1=000000&amp;bg1=FFFFFF&amp;f=ifr" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" width="320" height="240"></iframe></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify;"><span style="color: #0000ff;"><strong>Minor Tribulations</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">The product installed without difficulty on my 13 malware-infested test systems, though the initial update was slow to complete. A full installation required as much as 15 minutes, most of it devoted to that lengthy update.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Several of the test systems crashed with a blue screen of death during the cleanup process. However, on restarting, all of them managed to complete the full malware cleanup scan.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">One malware sample resisted the product&#8217;s every attempt at removal. I ran the suggested special disinfection routine over and over without success. After every required reboot, the same warning reappeared. A full scan didn&#8217;t help. A full scan with the supplied bootable Rescue Disk didn&#8217;t solve the problem.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">On advice from tech support, I used the product&#8217;s impressive array of built-in diagnostic tools and supplied them with the resulting logs. The next day, support responded with a problem-specific cleanup script that solved the problem. This wasn&#8217;t special treatment; any user could get this type of help for stubborn malware problems. Still, I would have been happier had the product taken care of this threat without help from tech support.</span></p>
<h2 style="text-align: justify;"><span style="color: #0000ff;"><strong>Premium Features</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Kaspersky PURE provides security tools and protection for Windows without compromising the computer&#8217;s performance.</span><br />
<span style="color: #000000;"> Everything you might need to protect and secure Windows is included in Kaspersky PURE:</span></p>
<ul style="text-align: justify;">
<li><strong>My Computer Protection -</strong><span style="color: #000000;"> Selecting this menu in the program&#8217;s interface displays the list of protection components in Kaspersky PURE: real-time protection against malicious files, e-mail scanner, IM protection, firewall, proactive defense, application control, network attack blocker, network monitor, anti-spam, anti-phishing and anti-banner.</span></li>
<li><strong>My Backup -</strong><span style="color: #000000;"> An option to back up your documents or computer to another partition, removable media or a network drive.</span></li>
<li><strong>My Parental Control -</strong><span style="color: #000000;"> Restricts what kids or other user accounts can do on the computer.</span></li>
<li><strong>My Control Center -</strong><span style="color: #000000;"> Guards the security of the computers on your home network and helps to secure Wi-Fi connections.</span></li>
<li><strong>Security+ Toolkit -</strong><span style="color: #000000;"> Tools to tune up the computer, create a rescue disk, use a virtual keyboard, scan for vulnerable applications or settings, encrypt data and manage passwords.</span></li>
<li><strong>Scheduler -</strong><span style="color: #000000;"> An option to schedule a scan or an update.</span></li>
<li><strong>Safe Run Mode -</strong><span style="color: #000000;"> This useful feature of Kaspersky products lets you run an application inside its sandbox.</span></li>
<li><strong>Digital Identity Protection -</strong><span style="color: #000000;"> Personal and financial information such as credit card or social security numbers is protected.</span></li>
</ul>
<p style="text-align: justify;"><span style="color: #000000;">All features of the program were installed for trial during this Kaspersky PURE review. They work as they should, though the anti-spam training flagged a lot of legitimate e-mails as spam. Having to restart the computer whenever I add an application to Safe Run mode is a bit annoying, but the feature is quite useful.</span></p>
<table id="table1" width="18%" border="1">
<tbody>
<tr>
<td>
<p><div id="attachment_2116" class="wp-caption alignright" style="width: 160px"><a href="http://secure.signup-processor.com/5479/17753/Best_AntiVirus"><img class="size-full wp-image-2116" title="Best AntiVirus" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/buy-now1.jpg" alt="" width="150" height="100" /></a><p class="wp-caption-text">Best AntiVirus</p></div></td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify;"><span style="color: #0000ff;"><strong>Awards and Certifications</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Kaspersky has always scored highly in tests conducted by various labs and organizations, and this product is designed to meet the same standard. Kaspersky scored 15.5 points in an AV-Test.org certification test under Windows Vista; only one competitor managed a higher score, at 16. In a parallel test on another version of Windows, Kaspersky scored 14 points, well above what is required for certification. The company has also received the Platinum Checkmark certification from West Coast Labs, and its virus detection and removal technology is certified by ICSA Labs and West Coast Labs. In a round of tests by AV-Comparatives.org, Kaspersky was rated in the Advanced category for its ability to detect malware and to block new threats.</span></p>
<h2 style="text-align: justify;"><span style="color: #0000ff;"><strong>Identity theft</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Password vault – Kaspersky PURE features the ability to conveniently store users&#8217; passwords in a secure, encrypted vault. To access the information contained in this vault, users only need to remember one master password.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Phishing protection – While Kaspersky PURE does offer protection from phishing websites, the level of protection is pretty poor. In most cases our browser could reach phishing URLs without hindrance. Effective phishing protection should block most of these URLs, and Kaspersky PURE did not do that well.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">File shredding – Kaspersky PURE can securely delete files. When a user deletes a file through Kaspersky PURE&#8217;s file shredder, it overwrites the file&#8217;s data before removing it, so the contents cannot simply be brought back with an undelete tool. Two caveats apply to any overwrite-based shredder: on SSDs and other flash media the drive&#8217;s wear-levelling may put the new data in a different physical block and leave the old one intact, and copies of the file can survive in backups, Volume Shadow Copies or temporary files that the shredder never touches. It is still a handy feature that most users will need at some point.</span></p>
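<p style="text-align: justify;">To make the overwrite-then-delete idea concrete, here is an added Python example of the technique a file shredder uses; it is not Kaspersky&#8217;s code and says nothing about how PURE is implemented. It overwrites a regular file in place with random bytes and then zeros, forces each pass to disk with fsync, renames the file to a random name so the original filename does not linger in the directory, and unlinks it. The pass count, chunk size and the constructed sample content are assumptions. The limits in the paragraph above still hold: the script defeats an ordinary undelete, not wear-levelling, copy-on-write filesystems or snapshots.</p>

```python
"""Overwrite-then-delete, the technique behind a file shredder.

Added example, not Kaspersky's code. Defeats ordinary undelete; cannot promise
anything on SSDs, copy-on-write/journaling filesystems, or where a snapshot
or backup still holds a copy.
"""
import os
import secrets
import stat
import tempfile

CHUNK = 1 << 16   # bytes written per write() call (assumption)

# Constructed sample content standing in for something worth shredding.
SAMPLE_SECRET = b"card 4111 1111 1111 1111 exp 12/25\n" * 100


def _overwrite(fh, size: int, pattern) -> None:
    """Write `size` bytes produced by `pattern(n)` from offset 0, then force them to disk."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def shred_file(path: str, passes: int = 2) -> int:
    """Overwrite `path` `passes` times with random data, once with zeros, then delete it.

    Returns the number of bytes overwritten per pass. Symlinks and anything
    that is not a regular file are rejected so the wrong target is never written.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file")
    size = st.st_size
    with open(path, "r+b") as fh:
        for _ in range(passes):
            _overwrite(fh, size, secrets.token_bytes)
        _overwrite(fh, size, bytes)      # bytes(n) is n zero bytes
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    # Hide the original name before unlinking; the directory entry is data too.
    directory = os.path.dirname(path) or "."
    anon = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)
    return size


def demo() -> tuple:
    """Write the sample secret to a temp file, shred it, report (bytes overwritten, still exists)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_SECRET)
    written = shred_file(path)
    return written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

<p style="text-align: justify;">The zero pass at the end exists so that a later forensic pass sees a blank file rather than something that looks encrypted, which itself attracts attention; the random passes are what actually destroy the content.</p>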
<h2 style="text-align: justify;"><span style="color: #0000ff;"><strong>Effectiveness &amp; Performance</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">It scores high on effectiveness because it gives you a top-notch, premium, all-in-one security system that is extremely easy to manage. Its key strength is that ease of control: from managing all your systems via the dashboard of your main PC to remote management of parental controls, it makes day-to-day security on your computers far more manageable. On ease of use, Kaspersky Pure has a real advantage over its competitors.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">It&#8217;s also a tough system for malicious software to breach, because it has several layers of protection. The malware signature database is huge and scanning is frequent and unobtrusive. As a Kaspersky Pure user you can expect protection against Trojans, worms, rootkits and keyloggers. The Urgent Detection System flags previously unknown malware, so the system is protected against newly emerging threats. The two-way firewall also shores up your defenses: it blocks incoming attacks and stops malware from sending your personal information out. The anti-phishing defense is meant to keep your digital identity and confidential information safe, although, as noted above, its results in our testing were weak.</span></p>
<h2 style="text-align: justify;"><span style="color: #0000ff;"><strong>Help &amp; Support</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">Should you need support, Kaspersky products come with FAQ sections, online knowledge bases, user manuals and an easy-to-use help option. Kaspersky is a global company and provides global support: its website is localized in over 30 languages and it has a presence on every continent. You can use online forms to report issues; for quicker results you can reach tech support by telephone or live chat. North America gets direct support by telephone, e-mail and instant chat. Kaspersky Pure keeps itself current through frequent, incremental updates to the signature database and occasionally to the program itself. Incremental updates keep the downloads small, and frequent updates mean the program stays up to date as new threats surface. Customers also have access to a large FAQ database covering common technical issues.</span></p>
<h2 style="text-align: justify;"><span style="color: #0000ff;"><strong>Summary</strong></span></h2>
<p style="text-align: justify;"><span style="color: #000000;">We can recommend Kaspersky Pure: it offers excellent protection, though Norton has a slight edge thanks to its File Insight report-card feature. Kaspersky has grown to become one of the top four global IT security vendors. The software comes with good clean-up tools too, adding to its list of advantages. The firewall controls the level of access granted to applications, and the software is very effective at eliminating rootkits.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/kaspersky-pure-review.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How do you catch a hacker?</title>
		<link>http://www.about-antivirus.com/how-do-you-catch-a-hacker.html</link>
		<comments>http://www.about-antivirus.com/how-do-you-catch-a-hacker.html#comments</comments>
		<pubDate>Wed, 21 Mar 2012 02:23:40 +0000</pubDate>
		<dc:creator>Mich Kabay</dc:creator>
				<category><![CDATA[Hackers]]></category>
		<category><![CDATA[computer security articles]]></category>
		<category><![CDATA[computer security news]]></category>
		<category><![CDATA[dark red]]></category>
		<category><![CDATA[Hacker]]></category>
		<category><![CDATA[hacker forum]]></category>
		<category><![CDATA[hacker news]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[information security news]]></category>
		<category><![CDATA[internet security news]]></category>
		<category><![CDATA[proxy server]]></category>

		<guid isPermaLink="false">http://www.about-antivirus.com/?p=2106</guid>
		<description><![CDATA[That feature has been particularly useful for hackers, many of whom have developed a sense of invulnerability and even boast that they will never be captured. However, as seen this year with the arrest of several hackers, authorities are not &#8230; <a href="http://www.about-antivirus.com/how-do-you-catch-a-hacker.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><span style="color: #000000;">That feature has been particularly useful for<a title="Hackers news" href="http://www.about-antivirus.com/category/hackers-2" target="_blank"><span style="color: #ff0000;"><strong> hackers,</strong></span></a> many of whom have developed a sense of invulnerability and even boast that they will never be captured.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">However, as seen this year with the arrest of several hackers, authorities are not as powerless as many have believed.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The bluster of hackers is increasingly followed by a surprise visit from local police. How do researchers capture the criminals of the new era?</span></p>
<p style="text-align: justify;"><span style="color: #0000ff;"><strong>Internet addresses</strong></span></p>
<p style="text-align: justify;"><span style="color: #000000;">To begin, step back and understand how people can hide their identity online.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Many assume, correctly, that when you connect to the Internet you are given a unique address (an IP address, where IP stands for Internet Protocol) and that it can be used to trace any activity coming from that address back to an individual. But it is not that simple, and certainly not that fast, for several reasons.</span></p>
<p style="text-align: justify;"><a href="http://www.about-antivirus.com/wp-content/uploads/2012/03/catch-a-hacker.jpg"><img class="aligncenter size-full wp-image-2107" title="catch a hacker" src="http://www.about-antivirus.com/wp-content/uploads/2012/03/catch-a-hacker.jpg" alt="" width="425" height="319" /></a></p>
<p style="text-align: justify;"><span style="color: #000000;">First, many years ago the number of devices on the Internet wanting an IP address outgrew the number of addresses available to hand out.<span id="more-2106"></span></span></p>
<p style="text-align: justify;"><span style="color: #000000;">So when any of us asks our Internet service provider (ISP) to connect us, we are only leased an IP address.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">These leases typically expire and are renewed quickly if you stay connected, or the address is handed to someone else once you disconnect. Your next connection may get a completely different address.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Looking up an address usually tells you only which ISP it belongs to, not who was leasing it at a specific time.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">So even if an investigator spots illegal activity tied to a specific address, publicly available information is unlikely to identify the user.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The authorities have to go to the service provider and ask for the records that show exactly who was using that address when the illegal activity took place.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">But police agencies must obey the law, which usually requires a court order, and that in turn requires investigators to show that illegal activity was taking place and appeared to come from a particular ISP. They cannot simply go on a &#8220;fishing trip&#8221;.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Investigators have nonetheless become increasingly efficient at this, so hackers (at least those not yet caught) have long since stopped relying on it alone, although they rightly assume the authorities will be slower than they are.</span></p>
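<p style="text-align: justify;">The question the ISP has to answer for that court order is &#8220;which account was leasing address X at instant T&#8221;. As an added example, not part of the original article, the Python below parses constructed lease records in the style an ISP&#8217;s RADIUS or DHCP accounting log might hold (the line format, field names, addresses and times are all assumptions) and answers that question. It insists on timestamps that carry a UTC offset, because the same clock reading in the wrong timezone points at a different subscriber; the sample data is arranged so that the two answers differ.</p>

```python
"""Who held this IP address at this moment? The lookup an ISP does for investigators.

Added example, not from the original article. Record format, field names and
all sample values are assumptions.
"""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample accounting records: account, IP, lease start, lease end ("-" = still active).
SAMPLE_LEASES = """\
acct=user0412 ip=203.0.113.45 start=2012-03-05T22:10:00+00:00 end=2012-03-06T06:40:00+00:00
acct=user1187 ip=203.0.113.45 start=2012-03-06T06:41:30+00:00 end=2012-03-06T09:05:00+00:00
acct=user0931 ip=203.0.113.46 start=2012-03-06T01:00:00+00:00 end=-
acct=user2250 ip=203.0.113.45 start=2012-03-06T09:06:00+00:00 end=-
"""


def parse_leases(text: str) -> list:
    """Turn key=value accounting lines into dicts whose times are aware datetimes in UTC."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(item.split("=", 1) for item in line.split())
        start = datetime.fromisoformat(fields["start"]).astimezone(timezone.utc)
        end = None
        if fields["end"] != "-":
            end = datetime.fromisoformat(fields["end"]).astimezone(timezone.utc)
        leases.append({"account": fields["acct"], "ip": fields["ip"], "start": start, "end": end})
    return leases


def holder_at(leases: list, ip: str, when: datetime) -> Optional[str]:
    """Return the account leasing `ip` at instant `when`, or None if nobody was.

    `when` must be timezone-aware; a naive timestamp is rejected rather than
    silently read as local time, which is how the wrong subscriber gets named.
    """
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    when = when.astimezone(timezone.utc)
    for lease in leases:
        if lease["ip"] != ip:
            continue
        # A lease covers [start, end); an open lease has no end yet.
        if lease["start"] <= when and (lease["end"] is None or when < lease["end"]):
            return lease["account"]
    return None


def lookup(text: str, ip: str, when_iso: str) -> Optional[str]:
    """Convenience wrapper: parse `text` and answer for an ISO-8601 timestamp with offset."""
    return holder_at(parse_leases(text), ip, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    # A web server in New York (UTC-5) logged the abuse at 02:00 local time on 6 March 2012.
    print(lookup(SAMPLE_LEASES, "203.0.113.45", "2012-03-06T02:00:00-05:00"))   # user1187
    # The same reading mistakenly treated as UTC names someone else entirely.
    print(lookup(SAMPLE_LEASES, "203.0.113.45", "2012-03-06T02:00:00+00:00"))   # user0412
```

<p style="text-align: justify;">Real accounting logs add NAT and carrier-grade NAT, where one public address is shared by many subscribers at once and the source port has to be part of the query; the principle, a timestamped interval lookup that refuses ambiguous clocks, is the same.</p>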
<p style="text-align: justify;"><span style="color: #0000ff;"><strong>Coordination complications</strong></span></p>
<p style="text-align: justify;"><span style="color: #000000;">All this assumes that the service provider keeps records of who leased a particular address.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">In the UK they do, but not every country is so diligent, nor necessarily at a level of detail that lets you physically locate whoever committed the offence.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">And the amount of information is enormous and cannot be kept indefinitely. The UK is drafting legislation that requires ISPs to keep records, but not forever.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The third complication is that the Internet, being a global network, spans many jurisdictions. If it takes an investigator time to obtain a court order in their own country, imagine how much harder it is to get one abroad.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Not surprisingly, many hackers prefer to attack sites outside their own country. Hackers in different jurisdictions also cooperate with each other, adding further complexity to an already complicated situation.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Even so, the arrests of LulzSec members highlighted the role of cross-border cooperation, with arrests made in the UK, Ireland and the USA.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Increasingly, international bodies such as Interpol and Europol are taking the lead in facilitating collaboration between agencies in several countries simultaneously.</span></p>
<p style="text-align: justify;"><span style="color: #0000ff;"><strong>The server &#8220;proxy&#8221;</strong></span></p>
<p style="text-align: justify;"><span style="color: #000000;">So, assuming you can navigate the complexities described above, you can find the Internet address and catch the culprit.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Well, not necessarily, because, as always, technology is well ahead of the legislative and judicial systems.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">There are a couple of extra tricks that let people cover their tracks on the web. The most widely used is the proxy server.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Using a proxy server, anyone can route their activity through a system in a distant country, or one that keeps no records of where the activity came from, or, worse, both.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Proxies gained popularity among people who download illegally because they make the downloader much harder to trace.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Proxy servers are widely available, often for free, and they play an important role in letting citizens of hostile regimes express their views anonymously.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Of course they can also be used for illegal purposes such as copyright theft, and hackers quickly saw the potential.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">But all is not lost. Investigators can do what they call &#8220;traffic analysis&#8221;, combining the records of several ISPs to cut the proxy server out of the loop.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Not surprisingly, this takes even longer, and the added complexity inevitably means less reliable results when building the legal case.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">However, one of the authorities&#8217; great advantages is patience: they do not boast about what they are doing, quite the opposite, and they are willing to grind through the details until they reach their man or woman.</span></p>
<p style="text-align: justify;"><span style="color: #0000ff;"><strong>A dark network</strong></span></p>
<p style="text-align: justify;"><span style="color: #000000;">Of course, hackers know this too, and so the fight has gone on. Most hackers today, besides relying on everything described above, use what is called &#8220;onion routing&#8221;.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">This began as research to protect the U.S. Navy&#8217;s communications, but since it was published at the 1996 Information Hiding Workshop, people have seen it as a way to stay anonymous on the Internet.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The most widely used implementation is called Tor, which has many legitimate uses. But hackers love it too, and Tor-like projects are the front line investigators face today.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">There are currently few answers to onion routing, and when it is combined with the other techniques above the authorities face significant challenges. But they have not given up yet.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Some global service providers are working with investigators on projects such as British Telecom&#8217;s (BT) Saturn, which was originally developed to identify threats to critical infrastructure in the UK.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">[Figure: Origin and destination of hacker activity. The illustration shows the sources of intrusion attempts (in red) and the targets of those attempts (in green); the size of the circles indicates the number of events.]</span></p>
<p style="text-align: justify;"><span style="text-decoration: underline; color: #0000ff;"><strong><span style="text-decoration: underline;">Dominoes</span></strong></span></p>
<p style="text-align: justify;"><span style="color: #000000;">Alongside all this technology is good old-fashioned police work and the patience already mentioned.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">The principle is simple: everyone makes mistakes. Take the case of the hacker known as Sabu.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Sabu talked regularly with others in an Internet chat room. Reading the purported messages from Sabu, apparently leaked by disgruntled fellow hackers, you can see he was very boastful about what he had attacked, his invulnerability and his technical skills.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">That would have made him an obvious target for monitoring.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">Apparently, just once, Sabu joined the chat service without using Tor. His IP address was revealed and the FBI managed to trace it. That led to charges against other suspected hackers.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">We will see more of this tactic: decapitation, by arresting the big fish, followed by attempts to mop up the smaller players using what is learned in the process.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">In summary, a lack of news does not mean hackers are getting away with it, although that is what they want you to think.</span></p>
<p style="text-align: justify;"><span style="color: #000000;">As the battle in cyberspace continues, what is clear is that it is work that combines the old and the new.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.about-antivirus.com/how-do-you-catch-a-hacker.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
