
Yesterday's Security Alert

>>Today's Alerts



6/21 Do you shred your confidential financial documents? If you want to depend upon shredding to keep you safe, make sure you know the risks. E-Week Secure Your Shredding describes new technology that makes simple shredding not-so-effective.


6/19 Happy Father's Day from your FTC. Don't get hooked by the phishers.


6/16 Last month, I alerted you to how the bad guys are getting personal, in their attempts to deceive you. Now we see how personal, as SecurityFocus Phishers look to net small fry discusses how the phishers are targeting customers of the smaller credit unions and other small businesses. Since your account is in a small credit union that nobody would know about, you're safe, right? Wrong. No longer going after Citibank customers, they're going after customers of YOUR credit union. And maybe even YOU.

The good news is, software is being developed to look for deceptive email. And you're getting smarter, too. At least, you read this column.


6/14 Bad news from the home front today. The experts have admitted that the bad guys are winning.

Citing examples like Glieder aka Bagle, and Mytob, SecurityFocus Stealthy Trojan horses, modular bot software dodging defenses provides the opinion that "the battle is one that the good guys are losing", because money drives the bad guys now.

The attackers are well motivated--no longer by fame, but by money, said Amit Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security and now an independent consultant.

Moreover, because the effort to clean an infected computer is much greater than the effort to infect one, PCs claimed by an attacker are much more difficult to restore to a user's control, especially if the user does not understand security issues.

In other words, while the protection provided by Routers and Firewalls, and by AntiVirus and AntiSpyware products, is still an essential part of a layered defense, you cannot ignore the importance of Common Sense and Education.

Keep reading this blog, but bookmark the websites that I link. Start exploring those websites too - that's where you will find the details that you need to protect yourself effectively. The future depends upon YOU.


6/13 A couple of weeks ago, I mentioned how insecure WEP is, and how easy it is to crack, and provided links to the Tom's Networking WEP Cracking For Dummies, which is now in 3 parts (links to parts 2 and 3 in the referenced article).

Now an unknown benefactor (we think), calling himself Digi, has thoughtfully made WEP Cracking For Dummies: The Video where you can watch an entire WEP crack being done before your very eyes. You may not totally understand it the first time you watch, but you can at least catch the gist of it, and see how simple a WEP crack is to execute, with the right tools.

The example shown uses packet injection, which is an active attack. A properly monitored WLAN would detect a packet injection attack in progress, but the only option upon detecting an attack would be to shut down, and upgrade to WPA. A passive attack would be undetectable, but would take a bit longer.

It's a 25M Flash file, so if you have a slow broadband connection, give it a few minutes and get a cup of coffee while it loads. But it's worth the time spent to download and watch it. Excepting a few typos, it's pretty well done, with good captioning and editing; total watching time is less than 5 minutes. The Flash control provides good video manipulation; besides the standard Play and Pause, you have a slider which lets you (with the video paused) move back and forth one frame at a time, to more easily watch any portion of the process that interests you.

After you watch the video, check out SecurityFocus: WEP: Dead Again (published just 6 months ago), and compare the tools mentioned in that article to what is shown by Digi's video.

Again, folks, if you have a wireless LAN with WEP for "protection", upgrade to WPA. Tomorrow, if not today.


6/10 If you're using software products to protect yourself against malware, as you should be in any layered defense, please be selective about what software you depend upon for protection.

Today, Eric Howes' Rogue/Suspect List reached a dubious milestone: Eric has now identified 200 anti-malware products that you should absolutely not depend upon.

For those of you who aren't familiar with Eric, he's probably the world's #1 recognised expert on useless and harmful anti-spyware products. Before installing any product that promises to clean your computer, or remove unwanted software, please consider his advice. And bookmark his website.


6/10 And the hackers keep up with current events. Just recently, hackers used rumours about Osama's capture to spread their products. Now, a massive spam campaign is spreading rumours about Michael Jackson's attempted suicide, and attempts to lure the unwary to a website which will download yet another botnet agent onto your computer.

In my accelerating opinion, using blogs will soon become the only way for friends to communicate about current events.


6/9 A couple weeks ago, I alerted you to the Mytob email worm. The earlier variants of Mytob would arrive as a simple email from a friend, with an attachment. When you would innocently open the attachment, it would infect your computer, and email itself to all of your friends. That's almost too easy to identify - hopefully, any of you would look suspiciously at any email with an attachment, even if it came from me (especially if it came from me).

Well, the authors of Mytob have not been lazy - they've been diligently crafting new versions of their work, for your enjoyment. The Symantec database currently lists over 80 versions of Mytob, with more arriving daily.

The latest variants, according to SecurityFocus Mytob variant hides sting in the tail, have replaced the bulky attachment with a sleek and sophisticated URL. Now arriving in your Inbox crafted as a notice from your IT department or ISP, the email urges you to click on a URL to confirm your account. Just as in many phishing emails, the URL that you see hides a different URL, which takes your browser not to the apparent server belonging to your IT department, or your ISP, but to a server with malicious code that downloads Mytob to your computer. Your computer then starts distributing Mytob, as previous variants would do, to all of your friends.

Please carefully examine any email from your IT department, or your ISP, before clicking on any URLs in the message.


6/2 The Bagle worm, which has been around many months and has come in so many versions, has now become worse. The new version is more complex, and leaves a more lasting effect on your computer, and one security company has given it a new name.

Glieder, as Computer Associates now calls it, as described in ZDNet Security Bagle variants punch, punch and punch again, combines several elements in a way not seen before. In this staged approach, viruses seed their victims, then disarm them, and then finally exploit them.

Glieder starts like its predecessor Bagle, by emailing itself to all of your address book contacts. But it doesn't stop there.

Glieder then downloads two additional worms, one which blocks antivirus software updates, and Microsoft updates; and a second worm which disables firewalls and antivirus software, and then joins your computer to the latest botnet.

Please make sure that your antivirus software is up to date at all times. Mine has updated itself several times daily this week. If yours doesn't update itself at least daily, please get a new antivirus product. For all your friends' sake.


5/29 Have you gotten any interesting email from Microsoft recently? The Gibe worm, which infects by posing as an emailed security update, is apparently still in the wild, and looking for new victims.

The worm arrives as an email apparently from Microsoft, mentioning security vulnerabilities affecting Internet Explorer and MS Outlook/Express.

And I restate, for those of you who don't know (and there are apparently some who don't): Microsoft does not email security updates.


5/27 Most rabid antispam activists in forums like news.admin.net-abuse.email have been blocking all email from countries like Brazil, China, Nigeria, etc for some time. The rationale behind that was three-fold.

  1. They needed to control the amount of spam hitting their customers' email boxes.
  2. Their customers had no legitimate need to get email from any of those countries.
  3. There weren't any real senders of email in those countries - just spam haven ISPs, that were abusing US, by providing safe harbour for OUR spammers.


Now, third world countries, just like the USA etc, use email in business and other daily activities. And, thanks to heavy handed attention by Spamhaus, SPEWS, and other blocklist publishers, developing countries are becoming badly abused. See Developing nations losing spam battle, report says for more discussion about this situation.

In short, our economic system (which has employed the spammers for a long time) is providing a hindrance to what could be a major tool in helping third world countries take a step up economically.


5/26 The bad guys are getting personal. They've realised that form letter email, especially badly written, won't get them as many victims as personal-sounding email. So they're starting out with details about you, and dropping those details into the email so you'll believe that they're legit.

Where do they get those details, like what is your favourite sports team, where do you live, or how do you like to spend your time? Not from hacking some super secret database - they make their own database, based upon the traces that you leave on the Internet.

Stephen H. Wildstrom of BusinessWeek Online invented a person, and registered him on a dozen or so websites. He then found that those websites, popular ones like Major League Baseball, The Post, Victoria's Secret, and L.L. Bean, would happily verify to anybody that the fictitious person (email address) had registered with them.

In Leaky Web Sites Tell All About You, he describes how easy it is for the bad guys, with a little automation and network time (both of which the bad guys have in surplus), to find out all about you. Once they have the details, they can use your email address to attack you, masquerading as someone who legitimately knows about your preferences.

Once again, can you say "Identity Theft"?


5/25 Two Instant Messaging attacks have been reported today. Users of AOL IM and Yahoo IM may get references to the new Star Wars movie, "Star Wars Episode III: Revenge of the Sith", both with links that take the unwary recipient to malicious websites.

The website referenced in the AOL IM attack will try to download a worm to the computer, which will then continue to propagate itself to those in the Contacts list. The website in the Yahoo IM attack will ask for Yahoo credentials, and mail the provided information to another email address.


5/24 Are your systems up to date with their patches? Here's an example why you should be.

You surf to a malicious website (said website has since been taken offline), which loads malware based upon an exploit that was patched late last year, encrypts some of your key files using a password known to the bad guys, and leaves you a ransom demand. Your money or your data.

This is real life, not a bad late night made for TV movie. Patch your systems, please.


5/24 Good news or bad? You decide.

The U.S. House of Representatives on Monday voted to establish new penalties for purveyors of Internet "spyware" that disables users' computers and secretly monitors their activities.

Superficially, this looks like good news. But,

  • I doubt that our lawmakers can regulate a medium that extends outside the borders of the country.
  • The contents of this bill are vulnerable to modification by the lawyers for the industries that will be affected by the bill. It's highly unlikely that the bill will make it into final form in any useful state.
  • Here's what makes me worry. Once there is a bill, effectively defining what is and what isn't spyware, look out. Anything that can't be defined as spyware may have a legal footing, to prevent us from removing it from our computers. This is one case where I think I agree with Microsoft. I just hope we don't get to the point where you have to worry, Is Deleting Spyware A Crime?



5/23 The Sober worm, previously being used to distribute German-language political spam related to a German election today, is also scheduled for reactivation today. TechWeb recently published Aggressive, Mass-Mailed Sober.p Worm Poised To Smack Users, which provides a very interesting overview of how cunningly the Sober worm was designed, to allow its creator to update it today without any chance of being detected. Included is an interview with Dmitri Alperovitch, a research engineer with CipherTrust, an Alpharetta, Ga.-based security firm.

"He's accumulated a number of machines," said Alperovitch, but he wouldn't hazard even an estimate as to the size of the network of infected machines, also called a "botnet."

Good people, if you don't have a layered protection strategy on your computer right now, please put one in place. The reality of botnets like the Sober one, and the casual way Alperovitch referred to its unknown size, is appalling. The private computer owners of the world have to start taking responsibility for their possessions.


5/23 Be careful when you install any Macromedia products as an extension to Internet Explorer.

Macromedia Flash, and Shockwave, are two common and reliable add-ons for every well known browser, and provide useful content (My personal opinion). You have to be a bit more paranoid than I am to block both from your computer. Unfortunately, it looks like Macromedia is bundling other products that you may not want or need, when you install their products.

When you install a Macromedia product, look carefully at the selections offered. If you don't want Yahoo Toolbar, or Weatherbug, be sure to opt-out during the install process (in other words, look for the screen where installation of the extra product is selected by default).




5/18/2005 The Honeynet Project published Know Your Enemy: Phishing, which describes how devious the phishers are becoming, in hiding their identities, and in using botnets and hijacked servers to conduct their fraudulent activities.

5/13/2005 For an answer to many different questions about malware, check out this PandaLabs Malware Trend and Analysis Report for 1Q2005. It's an Acrobat document enclosed in a .zip folder, but it's worth the effort spent opening it.

5/11/2005 ISC SANS has a series of articles that offer a fascinating look at how malware gets loaded onto an unprotected system. The fifth episode in the series Follow The Bouncing Malware was published today.

4/9/2005 BBC-TV interviewed a reformed hacker, connected an unprotected computer to the internet, and watched as their sacrificial computer was hit by 3 worms in 25 minutes, and crashed before 30 minutes had elapsed. Watch the Video: it is not too technical in detail but is technically relevant, and only 6 minutes long.

11/22/2003 The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors."

Congratulations

You found what you need. Help Me To Help You.

Irregularities In Workgroup Visibility

Let's say you connect 2 computers, running any of the many versions and editions of Windows, with default configurations, in a network. To find each computer from the other, you open Windows Explorer (don't confuse this with Internet Explorer, please), and look in My Network Places (aka Network Neighborhood). On a fully working LAN, this will work just fine. In your case, it may not.

In your case, Computer A shows both Computers A and B, as it should, and files on Computer B are accessible. On Computer B, either you don't see Computer A, or when you try to access Computer A, you get an error. You may, or may not, see Computer B. This visibility problem may be observed constantly, or it may come and go.

This visibility problem is possible on LANs with Windows 2000, Windows XP, and / or Windows Vista, in any combination.

Now before you start, you should be aware that you will enjoy this more, and frequently will be more successful, when you work on a properly designed and set up network. After you review that tutorial, I recommend that you tackle the task at hand in this order.



Basic Diagnostics

  1. Check for a personal firewall problem. A misconfigured or malfunctioning personal firewall, on either computer, can block browser (Network Neighborhood) access. Do you have antivirus protection? Make sure that your antivirus is not part of a package that contains a personal firewall, and does not contain a component that acts as a firewall.

  2. Look carefully for a hardware firewall, sitting inside your computer. The nVidia nForce is probably the first, but surely not the last, device of this type.

  3. Some newer WiFi routers have a complete firewall between ALL client computers, connected wired or wireless. Look for an "Isolation Mode" setting, if no computers are visible to each other. Each vendor uses a different name for this feature, so read your user guide carefully, if you suspect that this is the problem.

  4. Make sure that NetBIOS over TCP/IP is consistently set, in TCP/IP Properties, for each computer in your network.

  5. Does your LAN include any computers running Windows Vista? If so, be aware of the additional issues involved in Windows Vista and Windows Networking.

  6. Do you have a share set up on each computer? With Windows XP / Vista, only computers with non-administrative shares (not ending in "$") will be visible in My Network Places (aka Network Neighborhood).

  7. Make sure that all computers are in the same workgroup, if you expect to see them in the root of Network Neighborhood (My Network Places).

  8. Check for several well known and lesser known registry settings, which will affect visibility of, and access to, your server.

  9. Look at the content of the error message. Do you see either "error = 5" (aka "access denied"), or "error = 53" (aka "name not found")? Read the appropriate article.

  10. Look again at the complete and exact text in any observed error messages. Some very obscure errors have very simple resolutions.

  11. Run, and examine output from, "browstat status", "ipconfig /all", and "net config server" and "net config workstation", for each computer.

  12. Post output from the above step for expert interpretation and advice. Include relevant background details in your post. When including diagnostic logs, such as "browstat status", "ipconfig /all", or background details, format them properly when you post them.


Intermediate Diagnostics

  1. Make any changes in your network per the advice of the helpers in the forums. Retest as advised.

  2. Run, and examine, CDiag output for each computer. If you have more than 3 computers, post diagnostics for at least 3, and try to include some computers which show no symptoms of the problem (if any exist), as a control. The more data here the better.

  3. Post output from the above step for expert interpretation and advice. Again, format CDiag logs properly when you post them.

  4. Check that all necessary network components and services are provided. The necessary protocols and transports must be loaded and activated. The necessary services should be Started and Automatic.

  5. Run, and examine, CPSServ output for each computer. Try to do this on the same computers that you ran CDiag (above) on, to make the diagnostics more effective.

  6. Post output from the above step for expert interpretation and advice. Again, format CPSServ logs properly when you post them.

  7. Check for, and remove, unnecessary protocols and transports, like IPV6, IPX/SPX, and NetBEUI. Unnecessary protocols and transports can block Server Message Blocks, and cause problems. Check "browstat status" logs for evidence of IPX/SPX or NetBEUI. Check "ipconfig /all" logs for evidence of IPV6. Remove any protocols found. If you solve your immediate problems, you can reinstall any protocols removed, later.

  8. Check for LSP / Winsock / TCP/IP corruption. The LSP / Winsock layer in the network, on either computer, can malfunction, and drop SMBs. If you have more than 2 computers, the computer causing your problems may not be immediately apparent. Use CDiag to identify the computers to work on first.
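To show what steps 4 and 7 above look like when automated, the following Python script is an added example (it is not one of the tools referenced on this page, and has nothing to do with CDiag or CPSServ). It parses the output of "ipconfig /all" from several computers, reports when the NetBIOS over TCP/IP setting differs between them, and flags any IPv6 addresses. The two outputs embedded in it are constructed samples, with made-up host names and addresses, trimmed to the fields the checks need; on a real network you would paste in the actual output from each computer.

```python
import re
from typing import Dict, List

# Constructed sample "ipconfig /all" output for two hypothetical computers
# (not real captures; host names, addresses and NIC names are made up).
SAMPLE_OUTPUT: Dict[str, str] = {
    "COMPUTER-A": """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : COMPUTER-A
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example NIC (constructed)
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
""",
    "COMPUTER-B": """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : COMPUTER-B
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example NIC (constructed)
   Physical Address. . . . . . . . . : 00-11-22-33-44-66
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1234:5678:9abc:def0%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Disabled
""",
}

# Matches "   Key . . . . : Value" lines; the key is padded with spaces and dots.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /()\-]*?)[ .]*:\s?(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Split ipconfig /all output into {section: {field: value}}.
    Non-indented lines ("Ethernet adapter X:") start a new section."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "Windows IP Configuration"
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.rstrip().rstrip(":")
            sections.setdefault(current, {})
            continue
        m = FIELD_RE.match(line)
        if m:
            sections.setdefault(current, {})[m.group(1)] = m.group(2).strip()
    return sections


def check_consistency(outputs: Dict[str, str]) -> List[str]:
    """Steps 4 and 7 of the checklist: NetBIOS over TCP/IP must be set the same
    way on every adapter of every computer, and IPv6 addresses are flagged."""
    findings: List[str] = []
    netbios: Dict[str, str] = {}
    for host, text in outputs.items():
        for section, fields in parse_ipconfig(text).items():
            if section == "Windows IP Configuration":
                continue  # global block, carries no per-adapter settings
            netbios[f"{host}/{section}"] = fields.get("NetBIOS over Tcpip", "not reported")
            for field, value in fields.items():
                if "IPv6" in field:
                    findings.append(f"{host}: {section} has {field} = {value} (step 7)")
    if len(set(netbios.values())) > 1:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(netbios.items()))
        findings.append(f"NetBIOS over Tcpip differs between computers: {detail} (step 4)")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(SAMPLE_OUTPUT):
        print(finding)
```

The script only trusts what ipconfig prints; some Windows versions omit the NetBIOS line when the setting is at its default, in which case "not reported" appears and will be flagged as a difference, which is exactly the case you want to look at by hand.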


Advanced Diagnostics

  1. Learn how to solve network problems.

  2. Try my comprehensive troubleshooting guide, Troubleshooting Network Neighborhood Problems. Use CDiag and / or CPSServ logs, to identify the computers to work on first.

  3. Read about The NT Browser and Windows Networking.

  4. Read about File Sharing Under Windows XP.


NOTE: The comprehensive troubleshooting guides, referenced in Advanced Diagnostics, contain all of the other sections and more, sequenced by network design (i.e., physical connectivity issues first, and file sharing permissioning last). The last article talks about problems specific to File Sharing, such as authentication and authorisation, and it is most useful when all other problems (such as are discussed in the previous step) are resolved. This article, as a whole, emphasises the most productive procedures for resolving your symptoms. You are free to try any of the above steps, in any order which pleases you - it is, after all, your network.

These are simply the procedures which currently seem to produce the best results. So become familiar with them, because, if you ask for help and I am involved, I will likely ask you for the diagnostics discussed above. And, if we don't get immediate results here or elsewhere, I'll ask you to repeat each step above, one by one, as I examine the results. Read each linked article.

Now I'm a Networking and Security advisor, and I don't provide advice on security issues casually. Using the Internet, without considering the privacy and security implications, makes trouble for a lot of innocent people. When you're considering the necessity of providing requested details about your computer network, in an open Internet forum, please read this brief Privacy Statement. Help us to help you.

Hacking Redefined

Modern malware is constantly taking on new forms; it's hard for those of us who aren't dedicated security experts to comprehend how deviously, and methodically, it's designed and deployed. How do you fight it? Well, first, you have to know what's out there. With that goal in mind, I will provide here a brief overview of malware.



I would first like to apologise to those good guys, like Steve Wozniak and John Draper, who called themselves hackers, and who insist that the proper term for the bad guys is crackers. If you're calling yourself a hacker, and you're a good guy, you're swimming upstream, and there's a strong downstream current.

Even though we abhor malware in general, it's hard NOT sometimes to (objectively) admire how professionally it's designed and deployed. Computer owners, who become victims of hacking, will NOT (subjectively) admire the tools, or the attackers.

One of the problems is how to describe what's happening. Which came first - the chicken or the egg? How do you define hacking, other than as what a hacker does?

For the purpose of this article, I will define the following terms.
  • Hacking is aggressive, deceitful, or intentional misuse of any computer not legally owned by the Attacker, for commercial, financial, or personal purposes.
  • Hacker is the person, or groups of people, doing the Hacking.
  • Malware is the tool used for Hacking, AND the payoff of the Hacking.
  • Victim is the legal owner of the computer Attacked by a Hacker (or user of a corporate computer).


Malware includes:
  • Adware.
  • Hijacks.
  • Spam.
  • Spyware.
  • Trojan.
  • Virus.
  • Worm.


The people performing the Hacking Attacks have been referred to as, variously:
  • Adware / Spyware Writers.
  • Hackers (Classically).
  • Crackers.
  • Spammers.
  • Virus Writers.


In the past, this cross-referencing was not necessarily done. Classically, Malware was of a distinct nature, and one type of malware was not used by another type, or group, of Attackers. Today, we have combined Attacks, where:
  • Spam is used to deliver Trojans to be installed on Victims' computers.
  • Adware / Spyware is installed as Trojans.
  • Trojans, installed on Victims' computers, are used in the delivery of Spam, or Worms, to other Victims.
  • Viruses are used to attack people or software used to defend against Adware, Spam, and Spyware.
  • Viruses, having infected the Victim's computer, can become Worms, and attack other computers on the same Network.
  • Viruses or Worms have been used to Attack the data on the Victim's computer, rendering the data unusable unless actual money was paid by the Victim to the Attacker. No, this is NOT fiction.


Hacker
The classical Hacker was a disenfranchised teenager, hiding in his bedroom, attacking an individual computer owned by a single Victim, for amusement. See, for instance, War Games, one of the earliest movies about Hackers.

Today, Hackers use programs that they may release as Trojans, as Viruses, or as Worms. The Hack, when installed on the Victim's computer, may make that computer part of a Botnet. A Botnet, or army of computers controlled by a successful Hacker, can be sold to individuals or corporations for delivery of Spam, for hosting of Trojans, or for the creation of even more Botnets. As of June 2005, the reported value of ONE bot was $.55 USD, thus a 10,000 member Botnet (a not at all abnormal number) could net the Hacker $5,000 or so.

Spam
The term Spam comes from a legendary skit by the British comedy group Monty Python, which maligned a very controversial food product made by Hormel, called "Spam". It was originally used to describe unwanted email, which would typically be used to advertise commercial products of varying legitimacy. Now, following the links in spam email, or spam postings in various forums or on various websites, will typically take your computer to websites that are used to serve trojans to your computer, or possibly to manipulate search engines, making them favour websites serviced by (again, for a fee) a hacker.

So spam too becomes both the medium (email / Internet postings), and the payload (websites benefitting from the spam).

Trojan
The term Trojan refers classically to the mythical story of the Trojan Horse in Greece. A Trojan is software which is packaged (by the hacker) with Host software that is trusted by, and intentionally installed by, the Victim.

A Trojan can be anything as innocent as an extra toolbar, installed as a part of the Victim's browser, and used to "enhance the browsing experience", to software that makes the Victim's computer act in a three role Spam delivery capacity. A Trojan is intentionally installed on a server (by a Hacker), with the Host software. It then requires the intentional installation of the Host software (by the Victim), for propagation onto the Victim's computer. A trojan travels as a server to client infection - from a server to a client (victim) and then no further.

Virus
A virus is software that travels, from one computer to another, in trusted Host software, such as an application or data file passed by one victim to the next. A virus requires the intentional installation of the Host software (by the Victim), for propagation, but automatically repackages itself on the Victim's computer, for transport to the next computer. A virus travels as a peer to peer infection - from any computer to other computers, and then to more computers later.

Worm
A worm is software that travels, from one computer to another, in a trusted medium, such as the computer network (with no firewalls in place), or in email (with no malware / virus scanning software in place). A worm requires no intentional action, by the Victim, for propagation. A worm travels as a peer to peer infection - from any computer to other computers, and then to more computers later.

Malware - Classified By Delivery Mechanism
  • Trojan - A server to client infection, that requires action by the Victim to propagate. A trojan starts out life packaged, by a hacker, with software trusted by the Victim. When the Victim installs the trusted software, the malware gets installed. Once installed on the Victim's computer, a Trojan travels no further. A trojan can be targeted against a specific set of victims - maybe players of a specific game, or visitors to a specific website.
  • Virus - A peer to peer infection, that requires action by the Victim to propagate. A virus starts out on a Victim's computer, packaged with software trusted by the next Victim. When the next Victim installs the trusted software, the virus gets installed. Unlike a Trojan, a Virus automatically repackages itself, on the Victim's computer, for transport to the next Victim. A virus is simply broadcast - its spread cannot be controlled, excepting by the media in which it spreads. A successful virus spreads indiscriminately.
  • Worm - A peer to peer infection, that requires no action by the Victim to propagate. A Worm is malware that travels, from one computer to another, in a trusted medium, such as a computer network (with no firewalls in place), or in email (with no malware / virus scanning software in place).



Malware - Classified By Payload
  • Adware - Malware that delivers, or influences the delivery of, commercial material (aka advertisements) to the Victim's computer.
  • Hijack - Malware that makes the Victim's computer do things not intended by the Victim.
  • Spam - Malware consisting of unwanted Messages delivered to the Victim's computer.
  • Spyware - Malware that collects and transmits personal information about the Victim's computer, or about the Victim, to persons who have no legal entitlement to that information.


Malware Protection

We use differing defense mechanisms, to protect against differing malware.

Since worms travel as network traffic, a firewall, or a NAT router, will protect against them. A firewall examines the content of the network traffic, detects the malware, and (possibly) alerts us to its activity. Since a NAT router passes traffic between specifically defined endpoints (a distant server, using a specific IP address / port / protocol, mapped using NAT to a specific local computer / port), a worm (which has as its destination only the public IP address / port) goes nowhere. It's simply ignored by the NAT processor.

If we care to learn of worm activity in our neighbouring public address space, we would connect a computer with a firewall directly to the Internet service, and configure its firewall to log and / or report worm activity. If we don't care, a NAT router simply discards worm traffic. In either case, no worms can attack the computers on a properly protected LAN.
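The way a NAT router makes a worm's packet "go nowhere" is easier to see in code than in prose. The following Python model is an added example, not anything from this article or from any router vendor: it keeps the translation table a home router keeps, creates a mapping only when a LAN computer sends something out, and delivers an inbound packet only when it matches that mapping. All addresses are constructed from the documentation ranges; the 192.168.1.x LAN, the port numbers and the "worm probe" are made-up inputs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses from the documentation ranges; none of these hosts are real.
PUBLIC_IP = "203.0.113.5"   # the router's Internet-facing address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Toy endpoint-restricted NAT: a mapping exists only because a LAN host
    created it, and inbound traffic must match that mapping exactly."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        # public port -> (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[int, Tuple[str, str, int, str, int]] = {}
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: reuse or create a mapping, then rewrite the source."""
        wanted = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pport, entry in self.table.items():
            if entry == wanted:
                break
        else:
            pport = self.next_port
            self.next_port += 1
            self.table[pport] = wanted
        return Packet(self.public_ip, pport, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only if a LAN host already asked for it."""
        entry = self.table.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if entry is None or entry[0] != pkt.proto or entry[3:] != (pkt.src_ip, pkt.src_port):
            self.dropped.append(pkt)   # unsolicited: the packet "goes nowhere"
            return None
        proto, lan_ip, lan_port, _, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, proto)


def simulate() -> dict:
    """Constructed exchange: one web request, its reply, and two unsolicited packets."""
    nat = NatRouter(PUBLIC_IP)
    # 1. A LAN PC opens a web connection; the router records the mapping.
    req = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    # 2. The server's reply matches the mapping and is delivered to the PC.
    reply = nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, req.src_port))
    # 3. A worm's probe aimed at the public address on a file-sharing port: no mapping, dropped.
    probe = nat.inbound(Packet("192.0.2.99", 6000, PUBLIC_IP, 445))
    # 4. A packet to the mapped port from a host the PC never spoke to: also dropped.
    stray = nat.inbound(Packet("192.0.2.99", 80, PUBLIC_IP, req.src_port))
    return {"public_port": req.src_port, "reply": reply, "probe": probe,
            "stray": stray, "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

Real routers differ in how strictly they match the remote endpoint, and any port forwarding or UPnP mapping you add is exactly a table entry that lets unsolicited traffic through, so those settings deserve the same scrutiny as a firewall rule.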

Since trojans and viruses travel as application traffic, a mere firewall or NAT router is useless here. Firewalls and NAT routers examine and pass packets. An infected file (virus) or a page from a web site with malicious content (trojan) will be broken down into multiple packets. A firewall or NAT router has no ability to filter or inspect multiple packets statefully.

Trojans and viruses can only be detected after reassembly of the packets into application data, and in some cases, after multiple files or web pages have been received by the client. Protection against a trojan or virus is generally by detection, after the malware has landed on the client, but hopefully before it has installed its payload.

Malware Detection

So, if there's malware out there, how do we know what's out there? More importantly, how do we describe what's out there? And how do we remove what's on our computers, and then hopefully, keep it from coming back?

You have to know what's there before you can fight it. Knowing what's there is a matter of detecting it. Basic malware detection is based upon two alternate processes.
  • Behaviour analysis and detection.
  • Signature analysis and detection.

Behaviour analysis, also known as heuristic analysis, takes a suspect file (or a computer system), opens it (operates it), and sees what it does. Sophisticated heuristics are used by some antitrojan / antivirus products, which contain a sandbox, which is a replica of the operating system, within the AT / AV product code. A suspect file is copied into the sandbox, opened from within, and watched. When opened, if it makes suspicious use of system resources provided by the (replica) operating system, it is determined to be malware, and examined further.

Signature analysis takes the actual contents of the various bytes in a suspicious file, and mathematically calculates a hash of the contents. The hash becomes the signature, which is compared against a database listing known malware. If suspected malware has a hash matching known malware, it is determined to be malware.

Malware analysis can be done heuristically against the entire system. Note the difference between adware and spyware. The first will typically generate incoming network traffic; the second, outgoing.

By statefully looking for incoming or outgoing traffic, compared against what should be expected, malicious activity can be detected. Software designed to look for malicious incoming traffic will be better at detecting adware; software designed to look for malicious outgoing traffic will be better at detecting spyware.

Signature analysis is a much simpler process, but demands more repetitious work. To do a signature analysis of the system (a trojan or virus scan) requires taking each file, one at a time, on the entire system, generating a signature from the file, and comparing the signature against each entry in a very long list (database) of known malware. Multiply the number of files in your typical system by the number of possible (known) malware, and you see what a massive effort that is. And each time a new set of signatures is produced (and with some antivirus products, it's multiple times / day), a rescan could be appropriate.

Some malware is encrypted, to fool the signature scanners. Malicious code is taken, and subjected to rearrangement (packing), with some packing containing random operations which produce unpredictable results. Simple signature checking (and the bad guys, in some cases, know what procedures are followed to produce the signatures) won't detect packed code, which follows no known pattern. So suspect files have to be examined for unpacking code embedded in the code, and in some cases, the unpacking has to be allowed to execute so the signature checking can take place. This makes signature checking even more complex, and more time consuming.

On the other hand, it's somewhat possible that having unpacking code in a file indicates that it's malware. Most legitimate code (excepting openly compressed files) does not use unpackers, as most legitimate code is already in an executable state. So when an AT / AV scan finds a file with an embedded unpacker, it's a strong possibility that the file contains malware. Of course, the malware still has to be analysed, to determine just what malware it is. But the scanner doesn't have to continue the heuristic analysis, just switch to the signature check.
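As an added example (not PChuck's code, nor any AV vendor's), a Python sketch of the file-by-file signature scan described above, extended with the packed-file step: a constructed 4-byte marker plus zlib stands in for a real unpacker stub, and the "known malware" database is a set of SHA-256 hashes built from constructed sample byte strings. The scanner first hashes the file as it sits on disk; if that misses and an unpacker is found, it lets the unpacker run and hashes the result.

```python
import hashlib
import zlib

# Constructed stand-in for a vendor's signature database: SHA-256 hashes of
# sample byte strings. None of these are hashes of real malware.
SAMPLE_MALWARE_A = b"constructed sample payload A: stands in for a malicious file"
SAMPLE_MALWARE_B = b"constructed sample payload B: stands in for a malicious file"
KNOWN_BAD_HASHES = {
    hashlib.sha256(SAMPLE_MALWARE_A).hexdigest(),
    hashlib.sha256(SAMPLE_MALWARE_B).hexdigest(),
}

# Constructed packer format: a real packer embeds an unpacking stub; this toy
# format just prefixes a tag to a zlib stream so the scanner can recognise it.
PACK_MARKER = b"ZPK1"


def signature(data: bytes) -> str:
    """Signature analysis as the article describes it: hash the file's bytes."""
    return hashlib.sha256(data).hexdigest()


def pack(data: bytes) -> bytes:
    """Toy packer (constructed): hides the payload's byte pattern behind a compressor."""
    return PACK_MARKER + zlib.compress(data)


def find_unpacker(data: bytes) -> bool:
    """Heuristic step: does the file carry an embedded unpacking stub?"""
    return data.startswith(PACK_MARKER)


def unpack(data: bytes) -> bytes:
    """Let the (toy) unpacker run so the signature check sees the real contents."""
    return zlib.decompress(data[len(PACK_MARKER):])


def scan_file(data: bytes) -> dict:
    """Signature check on disk bytes; if it misses, look for an unpacker and retry."""
    sig = signature(data)
    if sig in KNOWN_BAD_HASHES:
        return {"verdict": "known-malware", "packed": False, "signature": sig}
    if find_unpacker(data):
        try:
            inner = unpack(data)
        except zlib.error:
            # Marker present but the stream is corrupt: still worth a closer look.
            return {"verdict": "suspicious-packed", "packed": True, "signature": sig}
        inner_sig = signature(inner)
        if inner_sig in KNOWN_BAD_HASHES:
            return {"verdict": "known-malware-packed", "packed": True,
                    "signature": inner_sig}
        # The article's point: an unpacker alone is a strong hint, not proof.
        return {"verdict": "suspicious-packed", "packed": True, "signature": inner_sig}
    return {"verdict": "clean", "packed": False, "signature": sig}


def scan_system(files: dict) -> dict:
    """The file-by-file system scan: every file hashed and compared in turn."""
    return {name: scan_file(data)["verdict"] for name, data in files.items()}


# Constructed in-memory "file system" so the example runs offline.
SAMPLE_FILES = {
    "readme.txt": b"an ordinary text file that nobody should flag",
    "dropper.exe": SAMPLE_MALWARE_A,
    "dropper_packed.exe": pack(SAMPLE_MALWARE_A),
    "archive_tool.exe": pack(b"legitimate program shipped with a compressor"),
}

if __name__ == "__main__":
    for name, verdict in scan_system(SAMPLE_FILES).items():
        print(f"{name:20s} {verdict}")
```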

Malware Detection and Removal Tools

So all of the above is good background information, but what do you do about the problem, once you understand it?

The traditional way of scanning for viruses, the first malware that was distributed so long ago, was by examining each file on the computer that might carry a virus. This is where the signature and heuristic checks would be done. I'll discuss the tools required in Dealing With Malware.

There are several problems with scanning each individual file on the computer:
  • You need a database on the computer being scanned, that describes each known malware.
  • Scanning each file on the computer is laborious; as the signature database gets larger, scanning each file on the computer times the length of the database gets larger still.
  • You still have to do heuristic scanning. If you limit your analysis to known malware, you risk overlooking undiscovered malware, that hasn't been added to the database.
  • Since the scanning process constantly gets longer, the tendency is to scan only when convenient. Malware that propagates between the scans travels with ease.


The new procedure is to observe the computer as one large process. With the exception of malware that has no payload, except to travel from computer to computer, all malware has to surface with secondary symptoms. Generally, those secondary symptoms have to include one or more rogue processes, running on the victim's computer.

If we treat the computer itself as one large file, we can do signature and heuristic checks against all of the processes and files, or whole computer heuristic analysis. I'll discuss that process in Dealing With Malware Version 2.

How To Get The Most Out Of PChuck's Network

Welcome to PChuck's Network! Pchuck's Network is a Blog, and it's written in Hypertext. Note my general principles, that I state repeatedly in my various articles.

Please observe Legal Discretion when referencing articles posted here.

Please note my Privacy Statement, when you ask for advice in an open forum. There are several ways to contact me - in an online forum, by email, or thru my Guestbook. Most urgent help can be gotten by the first of the three.

Contacting Me
If your message contains a question about a network issue, I strongly suggest that you post a problem report in an open forum, where helpers like me can be found. There are two forums where I normally spend my time ("too much time", some would say):



Using online forums for help requests is a good idea, for several reasons.
  • You'll get better help with all the helpers able to see, together, the status of your problem, as it's resolved.
  • Many helpers keep their email addresses secret, and won't be interested in sharing them with strangers.
  • You encourage a spirit of community, which is what drives these forums in the first place.
  • You help provide an online record of problems and solutions, again strengthening the idea of using online forums for problem resolution.


If you're uncomfortable asking for help in an open forum, I'll ask that you read some of my articles, to start:

If you feel the need to message me, whether to tell me how great PChuck's Network is (or to tell me what needs improvement, I can take it), or to ask for assistance (my resources and time permitting), Please Sign My Guestbook. If you provide an email address, only I will see it, and I will be able to write to you. And if you wish to leave additional, confidential details, you can make your entire message Private.

Until I start getting a lot more hits in my GuestBook, though, I'll probably not check it as often as the open forums. Also, my GuestBook doesn't integrate well with email, so I can't guarantee a quick (or immediately helpful) reply. So start with one of the above forums, if you require immediate assistance. Send me a private message, in my GuestBook, if you need special help, and are prepared to wait a while.

A Blog
A Blog is a work in progress. What you see here today may be rewritten, with more detail, tomorrow.

That being the case, you should not plan to get all the information in one visit. Read what you have time for today, and plan to return here soon, and regularly. But when you return, how will you know what articles have been rewritten? I spend a lot of time rewriting existing articles, as well as writing new ones. Like this article.

As I write, and rewrite articles, I link the various articles to each other, and to other websites. I don't spend any time identifying each new article, or each updated article, in a list that you can examine. Any list would be only as useful as it is customised to fit the needs of each reader, and since each person is unique, this would be an impossible task.

If you would like to create and maintain a list of your own, so you can keep up with changes here, you can get a Newsfeed Reader. This will let you keep up with this website, and any others that interest you, without you having to tediously surf to each website, to look for changes.

The Newsfeed Reader, in combination with the newsfeed attached to the website, will tell you, at your convenience, when an article on PChuck is changed, and let you view the article. There are two conventions for newsfeeds - Atom, and RSS.

Right now, PChuck has an Atom feed, so you will need a Newsfeed Reader that is Atom compatible. If you have Firefox (and I hope that you do), you may get Sage, a free lightweight RSS and Atom feed aggregator, as a Firefox extension. You could also get a standalone Newsfeed Reader. There are a dozen or so listed at AtomEnabled.

Hypertext
A Hypertext document is a document with many pages, and the various pages linked to each other. It uses the same structure as the web, except that all of the pages are part of the same website, and have the same style.

When you read a book, and you see a reference to another page in the book, you have to interrupt what you're reading, find the other page, read there, then find your way back. When you read Hypertext, you simply read what's there, and hit the Back button in your browser. You have to be able to recognise the links.

The links are there to simplify the reading process. If you're just looking for an overview, you can simply read each page.

Have I lost you? Click on one, and see what you get. Please. You'll be helping both of us.

Legal Permissions
PChuck's Network is subject to change at any moment. You, and your friends, will benefit the most by directly linking to the articles here. Permission is expressly granted for you to extract relevant contents of any article in PChuck's Network, and post the extracted material elsewhere on the web, or include it in email, if, and ONLY if, you include a working link, to the article from which you are extracting, in your extract. This is for your own good. The web, and this web site, is dynamic, so please use it that way.

You may, if you wish, extract relevant portions of articles, for inclusion in any paper documents. I strongly suggest that you include a link to the original article, and date of copying, if at all possible. Again, this is for your own good.


How To Post On Usenet And Encourage Intelligent Answers

Usenet is an interesting place to hang out. You can meet all sorts of interesting personalities there - from helpful to helpless, and from technical to totally irrelevant. Depending upon your current needs, whether to get serious advice or to just waste time, you can affect who you want to converse with in several ways.


  • What forums do you post in?
  • What is the content, demeanour, and style of your posts?
  • What time of day, and day of week, do you typically post?



If you have spent very much time at all on Usenet, you know that there are some forums where, even if you ask a serious question, you are just as likely to get total time wasting insults, and stupid remarks, as anything else. That's if you don't get totally ignored, which would probably be better for you in the long run.

On the other hand, if you post in a forum which is known for good technical advice, and you format, style, and word your questions properly, you can encourage useful answers from the helpful and knowledgeable folks who hang out there.

If you're new to this, the best way to start is to find the forums where the serious discussions take place. Find threads which contain intelligent, well written responses, then observe how the initial posts, in those threads, were worded. When you find threads containing responses similar to what you'd like to get, try and imitate the original posts.


I highly recommend that you read several useful articles on Usenet.

The best suggestion - Try and Fit In - Help Us To Help You.


Please Use Proper Grammar, Spelling, and Other Refinements

Usenet is a wide and diverse medium, and it is recognised that not everybody there speaks the same language. And in the more serious forums, the more serious helpers will try and be tolerant of those who were not born with English as their mother tongue. Many of us have been to foreign lands, and have experienced for ourselves the frustration of being part of a minority culture.

That said, there are several posting styles, other than broken English from not speaking it as well as one would like, which will not be received graciously.

  • Grammar and Phrasing. Usenet is NOT English class, and nobody expects perfect documents. But when you type incomplete or run-on sentences, don't start sentences with capital letters, or your entire post is just one long paragraph, your post is hard to read. Many helpers will ignore your post and find better written ones to read.
  • Shouting. Please don't type in all capital letters - that is considered shouting, and will not get you polite treatment. As with grammar, many will simply ignore your posts, as use of mixed case is much easier to read.
  • Spelling. Were you typing conversations in an Instant Messenger program, you would be expected to make a few odd spelling mistakes from time to time. When you post in Usenet, take the time to review what you type before hitting Send. Use a spell checker, but don't depend upon it completely. If it's important enough for the helpers to read, it's important enough for YOU to read once after you write it.

    In a chat forum, it's mere courtesy to write in the same style as the others. In a technical help forum, where YOU are looking for help, it's common sense. Help the helpers to help YOU.

    And please don't use "leet speak" in the serious Usenet forums; techies don't appreciate it and will quickly tag you as a newbie.

Read the above linked documents for more discussion on each of these concepts.


Don't Rely On Spell Check Too Much

ODE TO SPELL CHECKERS...

I have a spelling checker
I disk covered four my PC.
It plane lee marks four my revue
Miss steaks aye can knot see.

Eye ran this poem threw it.
Your sure real glad two no.
Its very polished in its weigh,
My checker tolled me sew.

A checker is a blessing.
It freeze yew lodes of thyme.
It helps me right awl stiles two reed,
And aides me when aye rime.

Each frays comes posed up on my screen
Eye trussed too bee a joule.
The checker pours o'er every word
To cheque sum spelling rule.

Bee fore wee rote with checkers
Hour spelling was inn deck line,
Butt now when wee dew have a laps,
Wee are not maid too wine.

And now bee cause my spelling
Is checked with such grate flare,
There are know faults in awl this peace,
Of nun eye am a wear.

To rite with care is quite a feet
Of witch won should be proud,
And wee mussed dew the best wee can,
Sew flaws are knot aloud.

That's why eye brake in two averse
Cuz Eye dew want too please.
Sow glad eye yam that aye did bye
This soft wear four pea seas.


Hijacking Threads

When you have a problem, it's a good idea to spend a few minutes (or hours) reading previous discussions in a forum. Maybe there's a thread in there with your problem, and a solution to your problem. But remember, however similar your problem may appear to be to the posted problem, there will always be some degree of variance.

If there is a thread with your problem in it (and however similar it may be), check out the discussion, silently. Please don't add your post in there "I have the same problem. Can someone help me too please?", or worse yet "I have the same problem, except... Can someone help me too please?". When you do this, it's called thread hijacking.

When you hijack the thread, it splits into two sub-threads, one addressing the Original Poster, the other addressing you.

  • This doesn't benefit the Original Poster, because you're taking attention away from his problem, and directing it towards yours.
  • This doesn't benefit the helpers, because they have to consider two problems, or at least to direct responses towards two (or more) people.
  • Since you don't know what causes your problem (if you did, you could fix it yourself, couldn't you?), you don't really know that the symptoms are exactly the same as the Original Poster's. As the helpers address both problems, they may find that the two problems are totally different.
  • Your thread, which is now under the Original Poster's thread, may not be seen by as many people. You may not get the attention of a qualified helper.
  • As the helpers continue to address your problem, they have to repeatedly search for your thread, which is under the Original Poster's thread. This causes confusion and inability to find your thread, and less help for you.
  • When there are multiple people asking for help in the same thread, everybody has to keep constantly looking at each post, and wondering if it's addressing the right subthread. It's like being in a large party, with 6 people talking at once about 6 different subjects. How can you carry on an intelligent conversation, with 6 people talking simultaneously? It's worse than a mixture of bottom and top posting.

In short, hijacking a thread benefits nobody.

When you have a problem, start a new thread. Let the helpers decide if your problem is the same as somebody else's. Solve one problem in one thread.


MultiPosting

The Internet as a whole, and Usenet specifically, is an infinitely diverse and large population. When you use Usenet, and you post thru a newsreader, you can post in any of thousands of different forums. Many times, a question that you have may be of interest to (may be helped by) folks in several different forums. Maybe you have a question about pinging a computer running Windows XP; in which case, your question might be answered by folks in microsoft.public.windowsnt.protocol.tcpip, or in microsoft.public.windowsxp.network_web. You might get help from folks in either group, or maybe some advice from folks in each group.

If you use a Usenet newsreader, any articles that you write can be posted into both groups simultaneously, and folks reading in either group can reply, with their replies going to both groups. Why should this be of any interest to you?

It's just this. When you get advice on Usenet, you benefit from collaboration. With the experts in both groups able to see what is being written about your problem, you are more likely to get accurate and timely advice. This is called cross-posting.

On the other hand, if you post your question into both groups separately, you'll be getting advice separately. With folks helping you separately, you are more likely to get contradicting or incomplete advice. This is called multi-posting.

Please! Cross-post, don't Multi-post. And please cross-post conservatively and thoughtfully. Cross-posted articles get better results than Multi-posted articles, and properly Cross-posted articles get results that are better still.

For more discussion about the differences between cross-posting and multi-posting:



Munging Your Email Address

For those who don't yet know, posting your email address on Usenet, in plain text, is not a good idea. I have just 2 rules about posting email addresses on Usenet:

  • Don't post your address on Usenet.
  • Don't post someone else's address on Usenet.

If your email address is "myaddress@myisp.com", either "myaddressnospamplease@myisp.com" or "myaddress@myispnospamplease.com" may be somebody else's address. If either of the latter addresses doesn't exist now, it may in the future. And "anything@nospam.com" could cause problems for the domain "nospam.com". None of these are acceptable munging techniques.

For more information, see Munging Your Email Address and Spam-Blocking Your Email Address.


Replying To Posts By Others
When you converse with another person, in a voice conversation, face to face, you speak to that person. You should do likewise when conversing in Usenet.

When you reply to someone, reply to the post that was made. When someone answers your post, reply directly to that person.

  • Don't reply to your own post; that looks like you're talking to yourself. Qualified helpers may not see your reply, if it's to your original post. Also, when you reply to your own post, you leave out my immediately previous reply to you. Having all portions of our conversation in one sequential file helps me to help you better.
  • Don't reply thru a second person, when answering the first person. That's rude, and looks like you're trying to ignore the second person.
  • Don't start a new thread, restating your problem. This produces an effect similar to thread hijacking. The helpers can help you better if your entire problem is attacked in one unique thread. Solve one problem in one thread.
  • Don't change your name in the middle of a thread. Trying to guess if "JD" is the same as "James Doe" is frustrating to the helpers.
  • Don't use the name field as part of the message. When you post as "The above advice didn't work", or similar, in the name, it makes you look like a newbie, and will not enhance your chances of getting prompt and effective results.



Starting a New Thread

When you start a new thread, briefly summarise your problem in the Subject of your post. Think of the Subject as part of the index - an index entry with Date, Subject, and Name of Poster (you). Make the Subject a brief, unique categorisation of your problem - 6 - 8 words is enough.

  • Before you start a new thread, make sure that you don't have any dangling threads. If you just posted your question in this same forum, a few hours ago, or a couple days ago, it's possible that somebody has answered your previous post. If you keep your problem resolution in one thread, rather than spreading it out over two or three threads, you'll make it easier on everybody. Solve One Problem In One Thread.
  • Please don't make the Subject "Help Me!", or "Network Problem". When you do that, your post shows up in the same thread as half a dozen other posts. Trying to help in a thread like that is like trying to deal with a hijacked thread, or with someone who doesn't know how to reply in a thread properly.
  • To the other extreme, please don't try and describe the problem completely in the Subject, with "Help please!" in the body. If your problem is so simple that it can be adequately described in that way, then either:

    • You have no problem. This is typically not the case.
    • You don't understand the problem. Alternately, you can't provide enough details for an effective diagnosis.
    • Your Subject is way too long. You cannot fit enough details about a typical network problem in a Subject line of proper length.

  • Please don't start out your message with "My problem is the same as (this other thread)...", or "My problem is the same as (the one below)...". This is similar, in effect, to a hijacked thread, except for one extra detail.

    • The other thread may not be visible to anyone qualified to help you. It will almost certainly not be the one below yours in everybody else's index.

  • Please summarise your problem in the Subject, and provide details in the Body of the post, as text. Don't just provide a link to another article, and please don't put the problem description in an attachment.

    • The ones qualified to help you may not know what your problem is, unless you provide some description.
    • The ones qualified to help you may not read a malicious or non-relevant website.
    • The ones qualified to help you won't open attachments. Attachments are well known security risks, and anybody who is best suited to help you will ignore them.


Always state your problem on its own, and provide background information. Let the helpers try and correlate multiple threads. If details about a problem can best be provided in another article, include links to the other article in your problem report. But provide a good description about your problem in your report, so the helpers will know the nature of your problem.


Testing

If you're going to use your computer, you have to learn to test; but you need to test properly. Posting test messages in a non-test forum is not proper testing.

  • Test messages clutter up the forums, making it hard to find relevant posts.
  • Finding your own test message in a non-test forum may not be too easy either.

There are several forums set up specifically for posting test messages.

  • alt.test
  • alt.test.a
  • alt.test.b
  • microsoft.public.test.here

Please use the test forums for testing, and the non-test forums for relevant discussions.


Bottom vs Top Posting

In a forum where technical help is provided, bottom posting is much more useful. That allows the helpers to review the previous conversation in one long sequential, smooth flow. This results in a more accurate and efficient work process, and better help for you.

Here's a hypothetical example, between the Original Poster ("OP"), and one Helper, as viewed in a news reader in thread view.

OP: I have a problem.
Helper: OK, try this and let me know the result.
OP: Here is the result.
Helper: OK, now try this and see what happens.
OP: Here is what happens now.
Helper: OK, This should fix it.
OP: Yes, it did. Thank you.

When viewed by Helper, while preparing the 6th entry, the thread, accumulated in the 5th entry, looks like (both OP and Helper bottom posting):

I have a problem.
OK, try this and let me know the result.
Here is the result.
OK, now try this and see what happens.
Here is what happens now.

On some days, I might be participating in as many as a dozen threads, with some threads having several entries / day, and others having several days between each entry. To prevent embarrassment and useless posts, I have found it very helpful for me to review each conversation before posting.

When each entry in the thread contains multiple lines, and I can review the thread as in the above example, with each entry in the thread in perfect sequence, top to bottom, it helps me greatly.

Compare the example above with (the OP top posting, and Helper bottom posting):

Here is what happens now.
Here is the result.
I have a problem.
OK, try this and let me know the result.
OK, now try this and see what happens.


Or with (both the OP and Helper top posting):

Here is what happens now.
OK, now try this and see what happens.
Here is the result.
OK, try this and let me know the result.
I have a problem.

Imagine either of the above examples, with a page or so of lines in each individual post. Could you read that, and figure out progress to date?

Now depending upon what product you use for reading and posting to the forums, you may have different possibilities here.

Anytime you're using any of the above products, and you are preparing to reply in the thread of your interest, the current thread contents will typically be presented below the cursor. If you start typing with the cursor positioned there, you will be top posting. This is not an insurmountable obstacle though.

Simply read thru the thread, and move the cursor. When you get to the bottom of the thread, position the cursor at the end of the thread, and begin typing. This is bottom posting.

I'm trying to help you. Help me to help you. Type your replies below my replies.


Waiting For, And Reacting To, Replies
When you ask for help, post your question, and check back in the forum periodically to look for answers. Internet forums, Usenet or Web based, provide help in group based conversations. Here, multiple people post articles of similar nature in common forums, and the experts, who try to help you, find subjects that they're experienced with.

Please don't post a request for help, and ask to have answers emailed to you. Asked here, answered here. For everybody's benefit.
  • You'll get better help with all the helpers able to see, together, the status of your problem, as it's resolved.
  • Many helpers keep their email addresses secret, and won't be interested in sharing them with strangers.
  • You encourage a spirit of community, which is what drives these forums in the first place.
  • You help provide an online record of problems and solutions, again strengthening the idea of using online forums for problem resolution.

Getting help in Usenet requires both patience and persistence, carefully balanced.

Post once, with a carefully summarised problem report, and wait. You may get a reply back in an hour, or a day. You may get a reply back in an hour, and a better reply in a day.

There are two ways of posting that probably won't get you a reply. Or if a reply, not always an answer to your problem. One is posting repeatedly. The second is posting a second (or third) time, asking "Why has nobody answered my first post?"

Both strategies, if you're lucky, will simply get you replies pointing you to articles like this one. In some forums, you'll get rude replies telling you to shut up. Remember most helpers have lives outside of the forums, and the more knowledgeable ones may have several activities that prevent them from reading here very often. Be patient.

Also remember that most forums are unmoderated, and few forums have social hosts (hostesses). If you post a question, and nobody knows the answer, you may get no reply. Many knowledgeable helpers will not post, if they have nothing to say to you. Beware of the answers from some helpers - they may be post trolls, or may be posting simply to advertise their services in a forum or website elsewhere.

When you do get replies, try and answer them promptly. If a response is serious, and appears genuine, trust and help the person responding, and provide relevant details that can help diagnose your problem. And don't expect the first answer to provide an instant resolution to your problem. Some problems could take several days, or longer, to resolve. Your posting occasionally "Nothing works. I think I'll give up." won't encourage help. Try and remember that the ones trying to help you have their own problems, and they need encouragement too.

Remember the style of advice given may vary, depending upon the helper, and upon the nature of your problem. Some advice may contain all relevant information in the body of the Usenet post. Other advice may contain links to articles discussing technical issues in detail.

Sometimes, as we work on a problem together, my questions may seem intense; at other times, they may seem rather irrelevant, and idle. Appearances may be deceiving, in this case. If you're going to trust me for advice, you need to trust my style of problem diagnosis, and work with me.

If you don't get a reply within a couple of days, look at the forum as a whole. Are there other folks posting, and getting answers? If so, reread this article, revise or upgrade your problem report, and try again. If there's no activity in the forum, either wait for a while longer, or find another forum. Some forums have activity each minute, others may have days between posts. Be observant.


Followup When The Problem Is Solved
If you do eventually (or immediately) get an answer that solves your problem, post one last time, and let everybody know that the problem is solved, and what helped you the most. Nobody gets paid to help here, so a "Thank You" should not be too much to ask. What you can tell about your experience, whether negative or positive, may help the next guy with a similar problem - and that's what the forums are all about.

>>Top

Troubleshooting Internet Service Problems


Next to "I can't access files on Computer B from Computer A", the complaint "My Internet service doesn't work" is almost as common. There's good news here, and there's bad news. The good news? A problem with your internet service, since it only depends upon TCP/IP, will be a lot easier for you to diagnose. The bad news? Since it depends upon something outside your house, and in some cases outside your city or state, many problems will be ones that you can't fix - you have to get your ISP involved.

This article, like Troubleshooting Network Neighborhood Problems, is structured like the OSI 7-Layer Network Model. If you have multiple problems with your network, you have to diagnose and fix the lower level problems first. If you don't, how can you diagnose the higher level problems?

Now before you start troubleshooting, note that you will enjoy it more, and frequently will be more successful, when you work on a properly designed and setup network. Once you've reviewed that, I recommend that you tackle the task at hand in this order.


So what are the differences between this article and Troubleshooting Network Neighborhood Problems? Well, there is good news, and bad news. The good news: fewer protocols to deal with. The bad news: more distance, and jurisdictional issues.

With Windows Networking, if there's a problem, it's yours (or maybe the vendor of the hardware that you own, if the problem involves hardware failure on a component under warranty). With Internet Service, the responsible party could be:

  1. You.
  2. Your ISP.
  3. If your ISP leases the connection between you and their offices, the Local Exchange Carrier (your local phone service if you have DSL) might be involved.
  4. The vendor, if the problem involves hardware failure on a component under warranty.
  5. Any number of individual network and server operators. Except in special cases, you will never know these parties, let alone contact them with any chance of getting useful results.

Physical Network Problems
Your problem could be caused by a simple physical network problem.

Of course, the card, cable, port, or any other network component could be one owned by your ISP, or by the LEC rather than your ISP, or by any of the other parties described above.

Try and diagnose physical network problems from the bottom up.

>>Top

Logical Network Problems

Did you just connect a new router, or a different computer, to your broadband modem? You can't do that casually - you may have to reset your Internet service, to register a different network device with the service.

Given a little preparation (have the correct device drivers available), you should be able to reinstall the drivers for the network adapter without too much trouble. This is usually one of the last things tried, but it can be one of the easiest.

TCP/IP is the language of the Internet, and proper TCP/IP settings are essential. If you're unfamiliar with IP configurations and networking, ask for help.

Also, a corrupt LSP / Winsock layer can affect any TCP/IP connectivity. If you've just removed adware / spyware, this is always a possibility.

Did you already run the Network Setup Wizard? You have to read the wizard selections carefully.

  • If your computers all connect to a NAT router (My absolute recommendation), select Option 2 for all computers.
  • If you have a host sharing Internet service to the other computers, select Option 1 for the host, and Option 2 for the clients.


Finally, if you have a problem accessing only some websites, but not others, or if this problem seems to come and go, you may have an MTU setting problem.

>>Top

Address Resolution Problems
With Windows Networking, you have the process of Address Resolution (Local Computer Name to Address). With Internet service, you have the process of Address Resolution (Distant Computer Name to Address). Address resolution is essential.

In addition to preventing an LSP / Winsock problem from interfering with address resolution, you need to ensure that you have access to an active Domain Name System (DNS) server for address resolution. You can have a DNS server for resolving addresses on your LAN, if you wish, but your Internet access will depend upon another DNS server somewhere outside your LAN.

If your Windows XP computer is part of a domain, make sure that the domain is set up properly to provide both internal addresses and external (Internet) addresses.

The DNS infrastructure is pretty transparent to us when it works, but sometimes it doesn't work. Right now, the bad guys are exploring ways to use DNS to get us to surf to their malicious websites. There have actually been 3 attacks, in the early months of 2005, where folks have surfed - without their intention or permission - to a malicious website, and in some cases have downloaded software that they neither wanted nor realised they were getting. This practice is called pharming, and it is an ongoing possibility for problems.

Besides DNS resolution, you may have your Hosts file to consider.
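Pharming does not always need a poisoned DNS server: on a single PC it is enough to add a line to the Hosts file, because Windows consults Hosts before it ever asks DNS. The script below is an added example, not part of the original article, showing the check a defender would run over that file. It parses a constructed Hosts file (the `.test` names and the addresses are placeholders, not real sites) and flags two things: any entry for a site on a watchlist that should only ever be reached through public DNS, and any entry that sends a name to an Internet address instead of the loopback, 0.0.0.0 or LAN addresses that legitimately live in a home Hosts file. The watchlist is an assumption for the example; on a real machine it would hold the user's own bank and webmail names.

```python
import ipaddress
from typing import List, Tuple

# On Windows XP / Vista the file lives at %SystemRoot%\system32\drivers\etc\hosts.
# SAMPLE_HOSTS is a constructed file for this example, not taken from a real machine;
# the .test names are placeholders. The last three live entries are the kind of change
# pharming malware makes: public names pinned to an address the user never chose.
SAMPLE_HOSTS = """\
# Comment lines start with a hash and are ignored by the resolver.

127.0.0.1       localhost
192.168.1.20    fileserver                 # LAN box, fine
0.0.0.0         ads.example-adnetwork.test # ad-blocking sinkhole, fine
203.0.113.7     www.example-bank.test online.example-bank.test
198.51.100.9    mail.example-webmail.test
198.51.100.44   update.example-vendor.test
"""

# Sites the owner of this PC expects to reach through public DNS, never through Hosts.
# Placeholder names (an assumption for the example); a real list would hold the
# user's own bank, webmail and so on.
WATCHLIST = {"www.example-bank.test", "online.example-bank.test", "mail.example-webmail.test"}

# Addresses that legitimately appear in a home Hosts file: loopback / 0.0.0.0 for
# blocking, and the RFC 1918 LAN ranges for naming local machines.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every live entry; comments and blank lines are skipped."""
    entries: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def is_benign_target(addr: str) -> bool:
    """True for loopback, 0.0.0.0 and RFC 1918 addresses; False for anything on the
    Internet, and for anything that is not a valid address at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified:
        return True
    return ip.version == 4 and any(ip in net for net in RFC1918)


def find_suspicious(text: str, watchlist=WATCHLIST) -> List[str]:
    """One finding per hostname that either is a watched public site (any Hosts entry
    for it bypasses DNS) or is being sent to an Internet address rather than loopback / LAN."""
    findings: List[str] = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name.lower() in watchlist:
                findings.append(f"{name} -> {addr}: watched site pinned in Hosts, DNS is bypassed")
            elif not is_benign_target(addr):
                findings.append(f"{name} -> {addr}: public name sent to an Internet address")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_HOSTS):
        print("SUSPICIOUS:", finding)
```

Run against a real file, the sample would be replaced by the contents of the Hosts file named in the comment; a clean XP machine normally shows only the `127.0.0.1 localhost` line, so anything else deserves a look.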
>>Top

Security Problems
You need a personal firewall on each computer, but your personal firewall has to be properly set up and used. A misconfigured or misbehaving personal firewall on your computer can block access to the Internet. Your personal firewall may need to be set up to trust the host - either an ICS server or a router - that provides Internet service to your computer.

If you disable your personal firewall, and the problems stop, then you at least know where to start working. But if the problems don't stop, don't assume that the firewall is not the problem. Many personal firewalls do not react properly to being disabled, and will continue to cause problems after being disabled. And look for a previously overlooked firewall, such as one bundled with your antivirus protection.

Besides a personal firewall causing problems, there are security features in your browser that can cause problems, if misconfigured.

>>Top

Network Components and Services
This section, as I hinted above, is relatively simple. Your computer requires TCP/IP. You must have "Internet Protocol (TCP/IP)", in the network items list in Local Area Connection - Properties.

If your computer is going to be supplying Internet service to other computers (using ICS), you'll need ICS running. Check that the service supplying ICS, under one of two possible names, is Started and Automatic.

  • For XP SP2, check the Windows Firewall / Internet Connection Sharing (ICS) service.
  • For XP pre-SP2, check the Internet Connection Firewall / Internet Connection Sharing (ICS) service.


If your computer is going to be supplying Internet service to other computers (using ICS), and ICS isn't running, rerun the Network Setup Wizard, and choose Option #1, This computer connects directly to the Internet. If there's a problem with the NSW, or if running the NSW doesn't produce acceptable results, check the Event Viewer for diagnostic messages.

>>Top

Virtual Private Networking
Internet usage, in general, involves casual connectivity. Any client, within reason, is encouraged to connect to any server. These are many-to-many connections.

What if you have two offices, located at a distance from each other, and want to use the Internet to provide communications between the two? This would be a point-to-point connection, formally set up between the two offices. A Virtual Private Network is a pre-configured, secure communications tunnel, through an otherwise insecure network (aka the Internet), between two locations.

Setting up a VPN isn't done casually, or between changing locations; a VPN has to be deliberately designed and set up, from both ends.

>>Top

Asking For Help
If you're reading this article because you need help, please start by reading my Privacy Statement.

Spend a few minutes reading about How To Solve Network Problems.

Provide some background information about the problem, and about your network in general.

Ensure that each computer is Physically, and Logically, connected to your network, to your best ability.

>>Top

Diagnose the problem, on each computer involved, using my test outlined in Identifying A DNS Problem In Your Internet Service. Note, and report, the results of the tests.

Localise the problem (Where is it happening?), and identify its time scope (When is it happening?). If the problem is NOT in your LAN, and you have to go to your ISP for support, having solid time of day / day of week documentation could be very helpful.

How long has the problem been happening? Contrast that with how long you have had this computer set up as it is right now (and how was it set up previously?). And what was changed (hardware / software) just before the problem started?

I use PingPlotter (free) to document all my network issues, and have it running on at least one computer on my LAN, on a 24 x 365 basis. Set PingPlotter up to regularly ping a server outside your LAN, say your ISP's DNS server. If you see the trace stop somewhere when your problem is happening, where does it stop? Does it show loss of contact with your router, or with the ISP's DNS server? Save a file, if appropriate, and send it to the tech support at your ISP. A picture (or a PingPlotter graph, in this case) could be worth a thousand words.
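Reading a trace like that has one trap: a router in the middle that simply ignores probes shows 100% loss at its own hop while everything past it is fine, and that is not a fault. The outage starts at the first hop that times out in the same samples where the target itself times out. The following Python is an added example, not part of the original article or of PingPlotter, that applies that rule to a constructed three-hop trace (router, ISP gateway, ISP DNS server; the addresses are placeholders) and turns the result into the "LAN, ISP or beyond" verdict you would take to your ISP. It also prints the naive per-hop loss so the two views can be compared.

```python
from collections import Counter
from typing import Dict, List, Optional, Sequence

# Constructed PingPlotter-style trace to the ISP's DNS server; not a real capture.
# Hop 1 is the home router, hop 2 the ISP gateway, hop 3 the target. None = timeout.
HOPS = ["192.168.1.1 (your router)", "10.20.0.1 (ISP gateway)", "203.0.113.53 (ISP DNS server)"]
SAMPLES: List[List[Optional[float]]] = [
    [1.0, 12.0, 14.0],
    [1.1, None, 14.2],   # hop 2 ignored our probe but the target answered: not a fault
    [1.0, 12.3, 14.1],
    [None, None, None],  # nothing answers from hop 1 on: LAN / router problem
    [1.2, None, None],   # router answers, ISP gateway and beyond do not: ISP problem
    [1.0, 12.1, None],   # only the target is lost
    [1.1, None, None],
    [1.0, 12.0, 14.0],
]


def naive_hop_loss(samples: Sequence[Sequence[Optional[float]]]) -> List[float]:
    """Per-hop loss percentage the way a trace graph shows it: every timeout counts."""
    hops = len(samples[0])
    return [100.0 * sum(1 for s in samples if s[i] is None) / len(samples) for i in range(hops)]


def first_failing_hop(sample: Sequence[Optional[float]]) -> Optional[int]:
    """1-based number of the first hop that timed out, but only when the target itself
    timed out. If the target answered, timeouts at intermediate hops are routers that
    simply do not reply to probes, and are not a fault."""
    if sample[-1] is not None:
        return None
    for i, rtt in enumerate(sample):
        if rtt is None:
            return i + 1
    return None


def localize(samples: Sequence[Sequence[Optional[float]]]) -> Dict[str, object]:
    """Count where each real outage starts and turn the most common start into a verdict."""
    starts = Counter(first_failing_hop(s) for s in samples)
    starts.pop(None, None)  # samples where the target answered carry no fault
    lost = sum(starts.values())
    report: Dict[str, object] = {
        "samples": len(samples),
        "target_loss_pct": 100.0 * lost / len(samples),
        "outages_starting_at_hop": dict(sorted(starts.items())),
    }
    if not starts:
        report["verdict"] = "no loss to the target; intermediate timeouts alone are not a fault"
    else:
        hop = starts.most_common(1)[0][0]
        if hop == 1:
            report["verdict"] = "loss starts at your router: look inside the LAN (PC, cable, router)"
        elif hop == 2:
            report["verdict"] = "router answers but the ISP gateway does not: take this to your ISP"
        else:
            report["verdict"] = f"loss starts at hop {hop}, past the ISP gateway: ISP or upstream problem"
    return report


if __name__ == "__main__":
    for name, loss in zip(HOPS, naive_hop_loss(SAMPLES)):
        print(f"{name:35s} {loss:5.1f}% timeouts")
    for key, value in localize(SAMPLES).items():
        print(f"{key}: {value}")
```

In the sample, the naive view blames hop 2 and hop 3 equally (50% each), while the outage count shows the router answered in most of the bad samples and the ISP gateway did not, which is exactly the time-of-day evidence worth handing to the ISP.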

>>Top

Finally, provide ipconfig information for each computer. You'll do this from a Command Window.

  1. Type "ipconfig /all >c:\ipconfig.txt" (less the "") into a command window (or a command window in Windows Vista). Note the spaces in the command, and note the difference between the "/" and "\" characters! Only type the command into a command window - do not type Start - Run - "ipconfig /all".
  2. Type "notepad c:\ipconfig.txt" (again, less the "") into the same command window.
  3. In Notepad, make sure that Format - Word Wrap is NOT checked!
  4. Copy (Ctrl-A Ctrl-C) from the Notepad window, and paste (Ctrl-V) the entire contents of the ipconfig log, into your next posted message, properly formatted.
  5. Identify operating system (by name, version, and Service Pack level) with each ipconfig listing.
  6. Please don't munge or omit any detail, as there is nothing provided by ipconfig that could provide help, to any bad guy, in identifying an entry point to your LAN. The good guys, on the other hand, may need any or all of the details, to accurately diagnose your problem. Help Us To Help You.

Did you just run ipconfig, and get good output (similar to what's described in the ipconfig article)? OK, fine; continue and examine the output as instructed below. If you ran it and got no response, or no output, or if a window opened and closed so quickly you couldn't read anything, please read my article on Using The Command Window.

With IPConfig logs in hand, you may take a look at Reading IPConfig and Diagnosing Network Problems, if you're interested.
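The ipconfig log is the one piece of evidence every helper asks for, and the same few problems account for most of what it reveals. As an added example (not part of the original article, and not the article's own ipconfig reader), the Python below parses a constructed `ipconfig /all` listing in the Windows XP layout and reports the classic findings: a 169.254.x.x APIPA address (the DHCP request never reached the router or ICS host), a missing default gateway, a gateway typed into the wrong subnet, missing DNS servers, and a disconnected media state. The host name, adapter descriptions and addresses are placeholders.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed "ipconfig /all" listing in the Windows XP layout, not a capture from a real PC.
# Adapter 1 shows a DHCP failure (APIPA address, no gateway, no DNS); adapter 2 shows a
# static configuration with the gateway typed into the wrong subnet.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : DESKTOP-A
        Primary Dns Suffix  . . . . . . . :
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.12.34
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example Wireless Adapter
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# "Key . . . . : value" lines. Requiring the dot leader before the colon keeps
# continuation lines (a second DNS server) from being mistaken for new keys.
KEY_VALUE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /()\-]*?)[ .]*\.\s*:\s*(.*?)\s*$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Split the listing into {section name: {field: [values]}}; the global
    'Windows IP Configuration' block is a section like any adapter."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # unindented line = section header
            current = raw.rstrip(":").strip()
            sections[current] = {}
            last_key = None
            continue
        if current is None:
            continue
        m = KEY_VALUE.match(raw)
        if m:
            last_key = m.group(1).strip()
            sections[current][last_key] = [m.group(2)] if m.group(2) else []
        elif last_key is not None:               # continuation value, e.g. 2nd DNS server
            sections[current][last_key].append(raw.strip())
    return sections


def first(fields: Dict[str, List[str]], key: str) -> str:
    """First value of a field, minus a Vista-style '(Preferred)' suffix; '' if absent."""
    vals = fields.get(key, [])
    return vals[0].split("(")[0].strip() if vals else ""


def diagnose_adapter(fields: Dict[str, List[str]]) -> List[str]:
    findings: List[str] = []
    if "disconnected" in first(fields, "Media State").lower():
        return ["media disconnected: check cable, switch port and link light (Physical layer)"]
    ip = first(fields, "IP Address") or first(fields, "Autoconfiguration IP Address")
    mask, gateway = first(fields, "Subnet Mask"), first(fields, "Default Gateway")
    dns = [d.split("(")[0].strip() for d in fields.get("DNS Servers", [])]
    if not ip:
        return ["no IP address at all: TCP/IP binding or adapter driver problem"]
    if ip.startswith("169.254."):
        findings.append("APIPA address 169.254.x.x: DHCP got no answer, the router / ICS host was not reached")
    if not gateway:
        findings.append("no default gateway: traffic cannot leave the LAN")
    elif mask:
        net = ipaddress.ip_interface(f"{ip}/{mask}").network
        if ipaddress.ip_address(gateway) not in net:
            findings.append(f"default gateway {gateway} is outside the local subnet {net}: check the static configuration")
    if not dns:
        findings.append("no DNS servers: name resolution will fail even though ping by address may work")
    return findings


def diagnose(text: str) -> Dict[str, List[str]]:
    """Findings per adapter; the global block carries no adapter settings and is skipped."""
    return {name: diagnose_adapter(fields)
            for name, fields in parse_ipconfig(text).items()
            if not name.lower().startswith("windows ip configuration")}


if __name__ == "__main__":
    for adapter, findings in diagnose(SAMPLE_IPCONFIG).items():
        print(adapter)
        for f in findings or ["nothing obviously wrong in this listing"]:
            print("  -", f)
```

Feed it the `c:\ipconfig.txt` produced by step 1 above and it gives a first reading of the log; the adapter names in the output are the same ones you see in Network Connections, so the findings line up with the computer you are describing in your post.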

>>Top