About | Buy Stuff | News | Products | Rants | Search | Security
Home » Resources » Rants

Of ThinkPads & Trojans

Week of December 3, 2004

Equipped with the XPT and a rocket science knowledge of how Windows works, you can - in theory - survive. But lacking in either you don't stand a chance.

A curious thing happened to us the other day. We went to visit a friend and the first words out of her mouth when we'd come through the door were 'I got a virus! You gotta help!'

She'd had a ThinkPad with Windows 98 for about a year; before that she'd never touched a computer in her life. A friend who worked in IBM mainframe support had given it to her and set it up 'all good and tight' to protect her. She wanted to learn word processing and all that MS Office schlock to be able to get a new job.

We picked up her ThinkPad the next day and set to work. I'd never really used a ThinkPad before and I didn't look too closely at it. The plan was simple: install the XPT, spelunk around, and gut it completely of all foreign and unwanted stuff. It's a plan that basically can't fail.

But after a while we noticed that she didn't have an Ethernet connection, didn't have a CD drive, and didn't have a floppy drive either. We were not about to go onto the net without a clean box, and to clean it we would need access to an XPT CD - and first after that Sydney would download and install Firefox and Thunderbird for the poor girl.

We drove back and asked her about the CD drive. Remember: she knows nothing about computers. She gets what she calls 'porn storms' now and again and just pulls the connection out of the wall, and according to her, if she waits long enough before turning the machine back on, the storm is gone.

She found an external IBM CD drive in a closet somewhere. She hadn't used it in a year. It's what she used to get her DSL working, she told us. (She doesn't even know what a CD drive is, or if this was a CD drive, but told us that if it was, then maybe her DSL CD would still be inside.)

She also gave us a bunch of other gadgets and sent us back, wishing us well.

Her DSL hookup used USB, not Ethernet (which was not available) and when attempting to hook up this box through an ordinary telephone line the line blew - it started smoking and Sydney had to run with the danged thing out of doors to stop everyone from getting asphyxiated. The CD drive didn't work: it had three year-old batteries inside (which Sydney replaced) but seemed to need an adapter as well which we had not been given.

No safe Internet access, and no way to get the XPT on the box. But I am not one to give up easily, so I set to work anyway.

I was lucky: the bad stuff she had on the box was not particularly intelligent. It was not self-replicating, and removing its 'Run' entries was all that was needed to stop it running again (it didn't monitor the Registry either).

After that it was a few walks through the Registry looking for bad stuff and removing it and of course correlating what was found with files on disk and removing them too. After a few boots we had a clean machine, set about defragging her disk, and sent it back to her earlier today.

The poor girl would never have been able to cope on her own - that's why she asked us for help. What's worse - and this is the clincher - it was painfully obvious for all the hours we worked on this poor ThinkPad that running with only the miserable tools Microsoft give people a user really has no chance at all.

We were lucky: the malware was not particularly intelligent. Had it been so, we would have been cooked without the XPT.

We would have had no way to check running processes; Microsoft doesn't give you that on 9x. We would only have seen application windows Microsoft wanted people to see. We would have had no way to kill off clones all at once.

And how - how could one expect an ordinary user to navigate the Registry? The ThinkPad Registry, it was impressed on us, was an unfathomable jungle of CLSIDs that no one not in graduate rocket science would be expected to dare peek into - and even then it would be a minor miracle if anyone found anything - unless of course they knew how to look as we did.

Mile after mile of CLSIDs - what's a user to think, even if said user dares go in there?

'Oh that's very technical stuff. I don't know what that is, so I'd better stay away.'

And yet it'll be exactly there the malware authors choose to hide their dirty secrets.


When the Radsoft crew decided three years ago to pack up and leave Windows forever, it was as much an aesthetic deliberation as anything else. For we can hold our own on Windows if we have to - it's just that we didn't see any longer why we should be making the effort.

But that's us - that's not your middle of the road AOL user, your newbie with a hand me down ThinkPad. Those poor people don't stand a chance.

Gurus might complain that OS X leaves all the pretty stuff in plain view and hides the details around the corner, but at least OS X is safe. And if really put to it, an OS X user would be able to fight back.

No such luck for a Windows user without the XPT. We can see into running processes, dump (and view) any section of them as they're running in memory, we can see programs that were obfuscated on disk fully expanded in memory in all their naked shamefulness. We can even see what programs are going to do before they do it. We can pluck data out of every nook and cranny in that so-called operating system.

We can write to disk, directly to disk, underneath the Windows disk cache; we can edit any file, of any size, at any time. We can go anywhere with our file tools, set and reset any of thirty two existent and non-existent file attributes. There is no file or directory anywhere that can keep us out.

We can find anything we want on any disk drive in a matter of seconds. We can correlate a real authentic process list with the on-disk images and in a fraction of a second see what other files (DLLs and so forth) they've loaded, and look directly into these files. We can follow dependency chains all the way to their origins.

We can edit anything, any time, anywhere. If we find a trojan, even a self-replicating one, we can observe its activities, quickly compare file times and file sizes, and see who is replicating who, and then kill them all on one zap of the right mouse button. We can then go into the Registry and pull out their 'Run' calls and go to disk - we see immediately where they are on disk - and remove them as well.

We can run E3 at any time and get a list of what junk - and possible threats - have accumulated. We can keep SysGuard running in our tray and immediately see when malware tries to get at those 'Run' keys. We can keep Sneakers running and see at any instant what programs are scheduled to run on the next boot.

An XPT desktop is a formidable thing. The lower right corner looks like an armada. Thirty tray apps cornered by another thirty dock apps. That's a lot of power at one's disposal.

We have total task control. We see not only the application windows Microsoft wants people to see, we see them all. Even the hidden ones. Even the ones without title bars, the ones Microsoft get too fuddled to deal with.

We can see each and every doodad visible and invisible on our desktops. Each and every push button, scroll bar, list box, combo box, and so forth. And we not only see them, we also see all possible information the system has about them. All at a click.

We get at all running processes - even programs, in other words, that don't have windows. We see what modules they have loaded, where they have allocated memory, what is in that memory, how many threads they have launched, what is in those threads, and each and every byte of what they're taking up as they run. If they tried to be coy on disk and stay compressed or even encrypted, we expose them now for what they truly are.

An XPT desktop is a formidable thing. The lower right corner looks like an armada. Thirty tray apps cornered by another thirty dock apps. That's a lot of power at one's disposal.

But take that away and the user has nothing. The users are literally at the mercy of the malfeasants - and Microsoft who deliberately leave them totally exposed and defenceless. There is no way but no way you can defend yourself with 9x's Taskman. Or with Explorer. Or with any of the other crippled kiddie tools that ship with Windows. No way. It's like leaving a christian in the Coliseum with ten thousand lions. It's a slaughter and Microsoft know it.

Which again brings home the realisation, stronger than before, that what Microsoft are doing is unconscionable and simultaneously deliberate. Granted that Microsoft have never attracted the real minds of computer science, but there is the awareness somewhere in the darkness of Redmond that the poor suckers who buy this crap are really getting it stuck to them.

We found a Registry entry for Unix man pages. Windows doesn't have Unix man pages! The whole mishmash of Windows is put together in such haste, in such panic, that no one worries about ironing out the wrinkles and correcting the minor and major faults - the one obsession Microsoft have, always have had, and always will have, is to get to market before anyone else and then bully the other guys out.

The devastating lack of integrity and quality in Microsoft products was never more apparent. They've never had a vision, an idea, a dream. They produce third rate products and count on being able to get rid of the competition as long as they have a product of their own. It doesn't matter if that product is bad or good; its merely being there is good enough - Steve Ballmer and his mafiosi sales staff will take care of the rest.

And does it show? Oh does it ever. Again: equipped with the XPT - and a knowledge of how Windows works - you can, in theory, survive.

But lacking either of the above you don't stand a chance.

Anti-spyware utilities will, on the average, not find more than half the malware on your machine. They're not flexible. They work from 'signature lists' like AV tools. They're not human. They have no flexibility. They have no eyebrows to raise when they see something that, given years and years of experience with the platform, looks out of place and strange - and maybe malfeasant.

The anti-spyware utilities can't do this. They're not artificially intelligent. We humans can however do this. Most of us are hopefully more than artificially intelligent.

It's still a bad choice to take Windows, even with the XPT; but if you're determined to stick it out, sorry but you don't have a chance unless you're a grad student - and we mean a good grad student, an exceptional grad student - in Comp Sci, and unless you're intimately acquainted with your copy of the XPT.

Rick

PS. The first thing we did with the ThinkPad was run the resident Ad-aware and SpyBot Search & Destroy. Neither program picked up any of the resident trojans we found on our own.

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.