Windows Secrets
End-of-year reflections

Windows Secrets Newsletter • Issue 152 • 2007-12-13 • Circulation: over 400,000


Table of contents 
  • Support Alert: Great site for removing spyware infection
  • Support Alert: Product of the year
  • Support Alert: Best free utility for 2006
  • Support Alert: Web site identifies mystery files
  • Support Alert: Christmas gift ideas
  • Support Alert: How to select the best file-compression program
  • Support Alert: Portable software lists
  • Support Alert: Outstanding video how-to sites
  • Support Alert: Convert MS Word and Excel documents to PDF
  • Support Alert: See how your anti-virus program stacks up

 
Support Alert

Great site for removing spyware infection

If you suspect you have a spyware infection you should download the free HiJackThis! utility from here [1], then run it and paste the generated log to a security forum where experienced users can help you interpret the results. I normally recommend the Tom Coyote forums [2] for this purpose, but subscriber "John" suggests a smaller site run by Tom Mercado because: "if a user posts their HiJackThis! log in this forum [3] they get help within minutes or hours compared to the bigger sites that can take days." I tried it out anonymously and John is totally correct. Better bookmark this site, you might need it.
[1] http://www.spywareinfoforum.info/downloads.php
[2] http://www.tomcoyote.org/hjt/
[3] http://temerc.com/phpBB2

 
Support Alert

Product of the year

Joint Winners: SandBoxie and DefenseWall

2006 should have been called "The Year of the 0-day Threat."

0-day threats are security problems involving brand new exploits. Typically these include new virus threats or exploits of previously unknown flaws in computer products.

Normal security products like anti-virus and anti-spyware scanners provide only limited protection against such threats. Your AV program can’t fully protect you against a new virus that’s not yet in its signature database nor can your anti-spyware program prevent you from being infected by a previously unknown flaw in a product like Microsoft Office.

Unfortunately these threats have recently escalated to unprecedented levels. Hostile web sites that use 0-day threats to secretly infect your PC have proliferated rapidly while new email threats have arisen that only require you to open an HTML email to get infected.

Although the overall level of such threats has increased they are not yet common. Users who surf widely and use P2P networks are currently most at risk. However if the problem continues to escalate, 0-day threats will pose a serious threat to all users in the near future.

In this context it is appropriate that my award for the product of the year for 2006 should go to a security product that protects your PC against 0-day threats.

Well, two computer security products. The two winning products are both so good that I really couldn’t choose one over the other.

SandBoxie and DefenseWall are both sandboxing programs designed to isolate your PC from internet based threats. Unlike anti-virus programs that rely on signatures to detect threats they protect your PC by fencing off and isolating potentially dangerous programs so they can’t infect your PC. They don’t replace your AV program but rather are designed to provide an additional layer of protection.

SandBoxie and DefenseWall have a lot of similarities but they operate quite differently.

SandBoxie works by allowing you to run your web browser, email program and any other program of your choosing in a virtual environment that’s totally corralled off from your real PC. Any malware programs that are downloaded through your browser or email can run in this virtual environment without infecting your real PC. When you have finished you can shut down the sandbox and all the infected programs will be erased without ever getting onto your real PC.

DefenseWall offers a similar capability but with a twist. While SandBoxie requires the user to consciously decide what programs to sandbox, DefenseWall automatically sandboxes your browser, email program, instant messaging, FTP utility and any other program it considers a potential vehicle for introducing infection onto your computer.

It does this using an inbuilt list of "untrusted" programs. This list includes Internet Explorer and all the common browsers plus email clients and lots of other utilities as well. You can also manually add programs to this list.

Any program or process that is started by an untrusted program inherits the untrusted (i.e. sandboxed) status. So if you visit a hostile website in your browser, any malicious programs that run secretly are automatically sandboxed as they inherit the untrusted status of the browser.

This policy based approach used by DefenseWall brings about distinct differences in use compared to SandBoxie.

With DefenseWall, your browser is automatically sandboxed every time you run it unless you choose to run it unsandboxed. With SandBoxie your browser is only sandboxed if you choose to start it sandboxed.

This is a critical difference, particularly when the PC is being operated by less experienced users.

There is another important difference. SandBoxie corrals off all downloaded and changed files into a special area of your disk: the sandbox. These files are not easily accessible unless you go hunting around in the sandbox and choose to move them to the normal working areas of your disk.

In contrast DefenseWall downloads files to the normal locations on your PC. That’s because DefenseWall is not seeking to control infection by physical isolation but rather by preventing malware programs from running.

Each approach has its strengths and weaknesses.

SandBoxie can be annoying when you download a legitimate file and then have to go hunting for it. This is an inconvenience but can be tolerated. The situation with email files is much more serious. Keeping all your email files in the sandbox is so awkward that it verges on the impracticable.

On the other hand it’s comforting with SandBoxie to be able to clear the sandbox and know everything you downloaded is gone. And that comfort extends to privacy as well as security.

DefenseWall doesn’t interfere with the normal location of your downloaded files or email and that’s a real convenience. However if any of these downloaded files are infected they could pose a risk in the event you ever accidentally run them.

I say "accidentally" because DefenseWall allows you to run downloaded files quite safely by selecting the "run as untrusted" option from the mouse right click context menu. In this case they are completely sandboxed and your PC cannot become infected. However if you didn’t use this option and absent-mindedly double click an infected download, then you could get infected.
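The inheritance rule and the accidental double-click gap described above can be traced with a simplified model. This is an added example, not DefenseWall's own code; the policy list, event format, process IDs and file paths are all constructed for illustration.

```python
# Simplified model of policy-based sandboxing with inherited trust.
# Added illustration only: not DefenseWall's code, list or event format.
from dataclasses import dataclass, field

# Constructed policy list: programs that always start untrusted.
UNTRUSTED_PROGRAMS = {"iexplore.exe", "firefox.exe", "outlook.exe"}

@dataclass
class TrustTracker:
    untrusted_pids: set = field(default_factory=set)
    tainted_files: set = field(default_factory=set)  # written by untrusted code
    alerts: list = field(default_factory=list)       # (pid, image) pairs

    def on_start(self, pid, parent_pid, image, run_as_untrusted=False):
        """Record a process start; return True if it runs sandboxed."""
        name = image.lower().rsplit("\\", 1)[-1]
        untrusted = (
            name in UNTRUSTED_PROGRAMS               # on the policy list
            or parent_pid in self.untrusted_pids     # inherited from parent
            or run_as_untrusted                      # user's explicit choice
        )
        if untrusted:
            self.untrusted_pids.add(pid)
        elif image.lower() in self.tainted_files:
            # The gap: a file an untrusted process wrote is now being run
            # by a trusted parent (e.g. double-clicked in the shell).
            self.alerts.append((pid, image))
        return untrusted

    def on_write(self, pid, path):
        """Remember files created by untrusted processes."""
        if pid in self.untrusted_pids:
            self.tainted_files.add(path.lower())

# Constructed sample events (not a real log).
DOWNLOAD = r"C:\Users\me\Downloads\setup.exe"
EVENTS = [
    ("start", 100, 1, r"C:\Windows\explorer.exe", False),
    ("start", 200, 100, r"C:\Program Files\Internet Explorer\iexplore.exe", False),
    ("start", 201, 200, r"C:\Temp\helper.exe", False),  # child of the browser
    ("write", 200, DOWNLOAD),
    ("start", 300, 100, DOWNLOAD, True),    # "run as untrusted"
    ("start", 301, 100, DOWNLOAD, False),   # plain double-click
]

def replay(events):
    """Feed events to a tracker; return it plus {pid: sandboxed?}."""
    tracker, status = TrustTracker(), {}
    for kind, *args in events:
        if kind == "start":
            status[args[0]] = tracker.on_start(*args)
        else:
            tracker.on_write(*args)
    return tracker, status

if __name__ == "__main__":
    tracker, status = replay(EVENTS)
    print(status, tracker.alerts)
```

Process 201 is sandboxed only because its parent is, while process 301 runs unsandboxed and is the one launch the model flags.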

On balance DefenseWall may be better suited to average users as its policy based approach requires less user intervention. On the other hand, more experienced users may prefer Sandboxie as it leaves the decision making firmly in their hands.

Despite the differences in operation, both products offer outstanding protection. Both are totally resistant to termination by a hostile agent. Both provide near perfect isolation of malware programs including 0-day threats. Both are small and efficient and will hardly use any of your computer resources.

Anyone who surfs widely on the internet or uses P2P networks should consider using one of these products. Should 0-day threats continue to escalate in 2007 as they have in 2006, we may all need them.

I congratulate the program authors, Ronen Tzur and Ilya Rabinovich on their achievements.

http://www.sandboxie.com/ Donationware, Windows 2000 and later, 242KB

http://www.softsphere.com/ Shareware, $29, 30 day trial, Windows 2000 and later, 1.02MB


 
Support Alert

Best free utility for 2006

Winner: TorPark

TorPark is a special version of the Firefox browser that has been configured to work with the free Tor anonymizing service and run directly from a USB flash drive. It’s a neat idea; just plug in your USB stick to any PC with a USB port and Firefox V1.5.0.7 is automatically launched, set up for secure and private surfing.

The most obvious application is internet cafes, public terminals or indeed any PC including your own where you don’t want to leave any trace of your private surfing activities. However, what attracts me is not so much the privacy side as the security potential. That’s because TorPark creates a secure encrypted connection between the PC you are using and the Tor servers. This allows you to safely transmit information without fear of interception. This makes it ideal for surfing on open Wi-Fi networks. Previously, secure surfing on such networks required the use of private VPN networks, an option only available to corporates, the well heeled and the technically savvy. Now, using TorPark, any surfer can reap the same security benefits for their browsing.

It won’t help the security of your email though. And there are other security limitations too. For example, don’t think TorPark will mean you can now securely conduct your internet banking at an internet cafe. I’m sorry, it’s still a no-no. That’s because, if a keylogger is installed on the PC you are using, it will grab your confidential data before it gets encrypted.

Similarly, don’t think TorPark can provide you with total anonymity; last month the German police seized a whole batch of Tor servers. And there are other caveats. Expect your surfing to slow down as it’s relayed across multiple Tor servers. The slowdown may be small or intolerable; it all depends on how heavily the network is loaded. Expect, too, that some web sites won’t work correctly, either because they don’t allow anonymous surfing or because they use features that won’t work in the Tor environment. Happily, this inconvenience can be minimized as TorPark allows you to easily switch between Tor based browsing and normal browsing. You will, of course, lose your anonymity in the process but at least the site will now work.

These reservations aside, TorPark is a terrific product. All users of open Wi-Fi networks and public computers should use it as a matter of course while many other users will see immediate application in their own environment. I’ve set it up on a spare USB stick and on my hard drive as well. I suggest you do, too.

http://torpark.nfshost.com/index.php Freeware, Windows NT and later, 9.02MB


 
Support Alert

Web site identifies mystery files

Usually you can identify the program you need to open a file by the file type, but what if it hasn’t got one? This free service allows you to upload the file and have it identified. I tried it with a PDF file with the .pdf extension removed and it worked just fine. Thanks to subscriber Christian Dorfmair for the suggestion.
http://mark0.net/onlinetrid.aspx

 
Support Alert

Christmas gift ideas

If you enjoy your Support Alert subscription why not share the good news and send a friend a gift subscription to the Premium SE Edition? At $10 it’s an economical Christmas gift and one the receiver will thank you for every time they receive a monthly issue. You can set up your gift subscription here [1]  in a couple of minutes. And here’s another Christmas idea. Subscriber Amber Carvan operates a children’s craft site that is currently featuring a guide [2] showing how your kids can make their own hand-made Christmas cards using simple household materials. She also has another guide for Christmas ornaments [3] that young children can make all by themselves.
[1] http://www.techsupportalert.com/gift-subscription.htm
[2] http://www.kidscraftweekly.com/christmas_cards.html
[3] http://www.kidscraftweekly.com/christmas_ornaments.html


 
Support Alert

How to select the best file-compression program

In issue #146 [1] I mentioned KGB, an archiving program that can compress text files down much smaller than many popular archivers, though it takes a lot of time and computing power in the process. This prompted subscriber Erik Wasberg to write in about a site called maximumcompression.com [2] that compares dozens of different archivers on the basis of compression efficiency, resource usage and time taken across various file types. This outstanding site is essential reading for those who need to archive large amounts of data or indeed, anyone who has a general interest in file compression.
[1] http://techsupportalert.com/issues/issue146.htm#Section_2.2
[2] http://www.maximumcompression.com

 
Support Alert

Portable software lists

There are lots of these lists; none is complete but here are two of the best. The first covers free software while the second includes commercial products as well.
http://www.portablefreeware.com/
http://en.wikipedia.org/wiki/List_of_portable_software

 
Support Alert

Outstanding video how-to sites

Want to copy one of your DVDs or strip the sound track to a CD? Need to join several video files? Like to convert from one video format to another? These sites show you how to do all these things and more using free software.
http://www.doom9.org/index.html?/search
http://www.videohelp.com/


 
Support Alert

Convert MS Word and Excel documents to PDF

You can pay $49 for a utility to do this or go to this web site where they will do it for free. They can also convert HTML pages to PDF.
http://www.expresspdf.com/


 
Support Alert

See how your anti-virus program stacks up

In my April 2007 Editorial [1] I rated some of the most popular free and commercial AV scanners. Since then I’ve located an excellent additional data source [2] for assessing AV performance. It’s a near real-time listing of how well the major scanners detect new threats identified by the Malware Incident Reporting & Termination (MIRT) team. The results support my previous findings, namely the class-leading new threat detection rate of AntiVir and the relatively poor performance of AVG and Avast!, with Kaspersky and NOD32 falling in the middle. Perhaps more important than the product ranking is the relatively poor performance of ALL products in detecting new threats. This reinforces the point I have been making in recent issues that you can no longer rely exclusively on signature based anti-malware products to protect you from the current onslaught of new threats. That said, it should be noted that the detection of new threats is only one of several criteria you need to consider when assessing the performance of AV products. See my April [1] editorial for more details.
[1] http://techsupportalert.com/issues/issue144.htm#Section_0
[2] http://winnow.oitc.com/malewarestats.php

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2012 by WindowsSecrets.com. All rights reserved.
