Ten Ways to Avoid Spam

1. Maintain at least two email addresses. You should use your private address only for personal correspondence. The public address should be the one you use to register on public forums, in chat rooms, to subscribe to mailing lists etc.

2. Never publish your private address on publicly accessible resources.

3. Your private address should be difficult to spoof. Spammers use combinations of obvious names, words and numbers to build possible addresses. Your private address should not simply be your first and last name. Be creative and personalize your email address.

4. If you have to publish your private address electronically, mask it to avoid having it harvested by spammers. Joe.Smith@yahoo.com is easy to harvest, as is Joe.Smith at yahoo.com. Try writing Joe-dot-Smith-at-yahoo-dot-com instead. If you need to publish your private address on a web-site, do this as a graphics file rather than as a link.

5. Treat your public address as a temporary one. Chances are high that spammers will harvest your public address fairly quickly. Don't be afraid to change it often.

6. Always use your public address to register in forums, chat rooms and to subscribe to mailing lists and promotions. You might even consider using a number of public addresses in order to trace which services are selling addresses to spammers.

7. Never respond to spam. Most spammers verify receipt and log responses. The more you respond, the more spam you will receive.

8. Do not click on unsubscribe links from questionable sources. Spammers send fake unsubscribe letters in an attempt to collect active addresses. You certainly don't want to have your address tagged as active, do you? It will just increase the amount of spam you receive.

9. If your private address is discovered by spammers - change it. This can be inconvenient, but changing your email address does help you avoid spam - at least for a while!

10. Make sure that your mail is filtered by an antispam solution. Consider installing a personal antispam solution. Only open email accounts with providers who offer spam filtration prior to mail delivery.
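Tip 6 suggests using several public addresses to trace which services pass addresses on to spammers. The sketch below is an added example, not part of the original article: it issues one alias per service and attributes spam back to the service from the recipient address. It assumes a mail provider that supports plus addressing; the user name, domain, secret and function names are all hypothetical.

```python
import hashlib
import hmac
import re
from collections import Counter

# Assumptions: user+tag@domain is delivered to user@domain, and SECRET is a
# value only the mailbox owner knows (this one is a constructed placeholder).
SECRET = b"constructed-demo-secret"
TAG_LEN = 6  # hex characters of the HMAC kept in each alias
TAG_RE = re.compile(r"([a-z0-9-]+)\.([0-9a-f]{%d})" % TAG_LEN)


def tag_mac(service):
    """Short keyed checksum binding an alias to the service it was issued to."""
    digest = hmac.new(SECRET, service.encode(), hashlib.sha256)
    return digest.hexdigest()[:TAG_LEN]


def alias_for(service, user="jsmith.public", domain="example.com"):
    """Return the public address to hand to exactly one service."""
    service = service.lower()
    if not re.fullmatch(r"[a-z0-9-]+", service):
        raise ValueError("service label must be letters, digits or hyphens")
    return f"{user}+{service}.{tag_mac(service)}@{domain}"


def leaked_by(recipient):
    """Name the service an alias was issued to.

    Returns None when the address carries no tag or the checksum does not
    verify, so a guessed or rewritten tag is never blamed on a real service.
    """
    local = recipient.lower().rpartition("@")[0]
    match = TAG_RE.fullmatch(local.partition("+")[2])
    if not match:
        return None
    service, mac = match.groups()
    return service if hmac.compare_digest(mac, tag_mac(service)) else None


def tally_leaks(recipients):
    """Count spam per leaking service from the To: addresses of spam messages."""
    counts = Counter(leaked_by(r) or "unattributed" for r in recipients)
    return dict(counts)
```

The keyed checksum matters because a plain `user+service@` tag can be rewritten by whoever holds the list; an alias whose checksum fails to verify is counted as unattributed instead.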

Types of Spam

Today spam is a household word, since 70-80% of all email traffic is spam. Although spam written in English is the most common, it comes in all languages including Chinese, Korean and other Asian languages. In most cases spam is advertising, and experience shows that spammers have targeted specific goods and services to promote. Some goods are chosen because a computer user is likely to be interested, but most are grey or black market goods. In other words, spam is usually illegal not only because of the means used to advertise the goods, but also because the goods and services being offered are illegal in themselves.

Other mass mailings are outright fraud, such as the notorious 419 messages which offer the recipients a share of funds which allegedly cannot be accessed by the sender for political reasons, in return for the recipient's help in legalizing these funds. The recipient is asked to provide bank account details; of course, if the recipient provides these details, the bank account will be emptied without their consent. This type of spam is usually called a 'scam'.
The commonest types of spam

Spam worldwide tends to advertise a certain range of goods and services irrespective of language and geography. Additionally, spam reflects seasonal changes, with advertisements for Christmas items and car heaters being replaced by air conditioner advertising in summer.

However, when averaged out over the course of the year, 50% of spam falls into the following categories:

* Adult content
* Health
* IT
* Personal finance
* Education/training

Adult content

This category of spam includes offers for products designed to increase or enhance sexual potency, links to porn sites or advertisements for pornography etc. Examples (we include basic texts but no graphics for ethical reasons):

Subject: very cheap erection tool :-)

Good day!

We would like to offer cheapest Viagra in the world!

You can get it at:
{LINK}

Sincerely,
Liza Stokes

Subject: i think you're gonna like watching me get off :-)

Hi...im Brooke..and I just got a webcam...lets have a little chat.. while you watch me get dirty .. haha;-)
{LINK}

Health and Medicine

This category includes advertisements for weight loss, skin care, posture improvement, cures for baldness, dietary supplements, non-traditional medication etc. which can all be bought on-line.

Examples:

Subject: Lose up to 19% weight. A new weightloss is here.

Hello, I have a special offer for you...

WANT TO LOSE WEIGHT?

The most powerful weightloss is now available
without prescription. All natural Adipren720
100% Money Back Guarantée!

- Lose up to 19% Total Body Weight.
- Up to 300% more Weight Loss while dieting.
- Loss of 20-35% abdominal Fat.
- Reduction of 40-70% overall Fat under skin.
- Increase metabolic rate by 76.9% without Exercise.
- Burns calorized fat.
- Suppresses appetite for sugar.
- Boost your Confidence level and Self Esteem.

Get the facts about all-natural Adipren720: {LINK}

Subject: Legal Low prices for Valium (Diazepam) (Caffeine FREE)

Rx Shopping Service Brings You our Newest Product:

Your personal shopping service that legally provides
Over the Counter (OTC) approved drugs from Canada and
around the world.

Order Valium (Diazepam) and it will be
guaranteed Delivery within 7 DAYS!

Do not miss out *Limited Quantity!

Visit Here: {LINK}

IT

This category includes offers for low-priced hardware and software as well as services for web site owners such as hosting, domain registration, web site optimization and so forth.

Examples:

Subject: Huge savings on OEM Software. All brand names available now stewardess

Looking for not expensive high-quality software?
We might have just what you need.

Windows XP Professional 2002 ............. $50
Adobe Photoshop 7.0 ...................... $60
Microsoft Office XP Professional 2002 .... $60
Corel Draw Graphics Suite 11 ............. $60

and lots more...

Personal finance

Spam which falls into this category offers insurance, debt reduction services, loans with low interest rates etc.

Examples:

Subject: Lenders Compete--You Win

Reduce your mortgage payments

Interest Rates are Going Up!
Give Your Family The Financial Freedom They Deserve

Refinance Today & SAVE
*Quick & EASY
*CONFIDENTIAL
*100's Of Lenders
*100% FREE
*Get The Lowest Rate

Apply Today! {LINK}

All credit will be accepted

To clear your name from our database please {LINK}or use one of the optins below.
Thank You

Call 1-800-279-7310
Or please mail us at:
1700 E. Elliot Rd. STE3-C4
Tempe, AZ. 85283

Education

This category includes offers for seminars, training, and on-line degrees.

Examples:

Subject: get a degree from home, Mas#ters, Bachelors or PHD

Call {Phone Num.} to inquire about our degree programs.

Whether you are seeking a Bachelors, Masters, Ph.D. or MBA

We can provide you with the fully verifiable credentials to get your career BACK ON TRACK!

No testing or coursework required Call: {Phone Num.}

we are sorry if you did not want to receive this mail.

To be removed from our list please call {Phone Num.}

Some new trends in spam content

Spammers are constantly seeking to enter new markets and develop new techniques. Some areas are evolving rapidly and should be monitored closely.
Political spam

This category includes mudslinging or political threats from extremists and possible terrorists. Though these are merely nuisance messages to end users, security and law enforcement officials need to be aware of such mailings, since they can provide clues to genuine potential threats, or be actual communication between terrorists.
Antispam solutions

Spammers advertise supposed antispam solutions in an effort to cash in on the negative publicity generated by spam itself. However, such offers often lead the user to sites where a Trojan will be downloaded to the victim machine, which will then be used for future mass mailings.

Example:

Subject: Join the thousands who are now sp@m-free

FORGET SPAM BLOCKERS!

Get SMART Spam Control That Always Delivers The Email You Want!

Finally, we discovered the ultimate solution that is guaranteed to stop all spam
without losing any of your important email! This revolutionary advanced technology
also protects you 100% against ALL email-borne viruses - both known and unknown.

We didn't believe it either until we actually tried it. So you be the judge and see for yourself.

{LINK}

Spam, viruses and junk email

Today, most people class all unsolicited email as spam, including automatic replies, emails containing viruses and unsolicited, but legitimate business propositions. Classifying all such emails as spam is broadly correct, but it must be highlighted that some categories of spam are more dangerous than others.

In particular, the alliance developing between virus writers and spammers is worrisome. The first half of 2004 brought several virus epidemics where viruses were circulated using spammer techniques. These outbreaks were classic examples of how botnets can be created by virus writers, and then sold to spammers for use in future mass mailings.

The Evolution of Spam

In the beginning

Spam (unsolicited bulk advertising via email) made its first appearance in the mid 1990s, i.e. as soon as enough people were using email to make this a cost-effective form of advertising. By 1997, spam was regarded as being a problem, and the first Real-Time Black List (RBL) appeared in the same year.

Spammer techniques have evolved in response to the appearance of more and better filters. As soon as security firms develop effective filters, spammers change their tactics to avoid the new spam blockers. And this leads to a vicious circle, with spammers re-investing profits into developing new techniques to evade new spam filters. The situation is spiralling out of control.
The development of spammer techniques
Direct mailing

Initially, spam was sent directly to users. In fact, spammers didn't even need to disguise the sender information. This early spam was easy enough to block: if you black listed specific sender or IP addresses, you were safe. In response, spammers began spoofing sender addresses and forging other technical information.
Open Relay

In the mid-1990s all email servers were open relay - any sender could send an email to any recipient. Spam and other security issues led administrators to start reconfiguring mail servers worldwide. However, the process was relatively slow, and not all mail server owners and administrators were willing to cooperate. Once the process was well underway, security analysts began scanning for the remaining open relay mail servers. These DNS RBLs were made available, making it possible for security-conscious administrators to block incoming mail from listed servers. However, open relay servers are still used for mass mailing.
Modem Pool

As soon as sending spam via open relay became less efficient, spammers began to use dial up connections. They exploited the way in which ISP providers structured dial up services and utilized weaknesses in the system:

* As a rule, ISP mail servers forward incoming mail from clients.
* Dial-up connections are supported by dynamic IP addresses. Spammers can therefore use a new IP address for every mailing session.

In answer to spammer exploitation, ISP providers began to limit the number of emails a user could send in any one session. Lists of suspect dial-up addresses and filters which blocked mail from these addresses appeared on the Internet.
Proxy servers

The new century saw spammers switching to high-speed Internet connections and exploiting hardware vulnerabilities. Cable and ADSL connections allowed spammers to send mass mailing cheaply and quickly. In addition, spammers rapidly discovered that many ADSL modems had built-in socks servers or http proxy servers. Both are simply utilities that divide an Internet channel between multiple computers. The important feature was that anybody from anywhere in the world could access these servers since they had no protection at all. In other words, malicious users could use other people's ADSL connections to do whatever they pleased, including, naturally, sending spam. Moreover, the spam would look as if it had been sent from the victim's IP address. Since millions of people worldwide had these connections, spammers had a field day until hardware manufacturers began securing their equipment.
Zombie or bot networks

In 2003 and 2004 spammers sent the majority of mailing from machines belonging to unsuspecting users. Spammers use malware to install Trojans on users' machines, leaving them open to remote use. Methods used to penetrate victim machines include:

* Trojan droppers and downloaders injected into pirate software which is distributed via file sharing P2P networks (Kazaa, eDonkey etc.).
* Exploiting vulnerabilities in MS Windows and popular applications such as IE & Outlook.
* Email worms

Anyone who has the client part of a program which controls the Trojan that has infected a victim machine controls the machine or network of victim machines. The resulting networks are called bot networks, and are sold and traded among spammers.

Analysts estimate that Trojans are installed on millions of machines worldwide. Modern Trojans are sophisticated enough to download new versions of themselves, download and execute commands from specified websites or IRC channels, send out spam, conduct DDoS attacks and much more.
The development of spam content
Content Analysis

Many spam filters work by analysing the content of a message: the message subject, body, and attachments. Spammers today expend significant resources on developing content which will evade content filters.
Simple text and HTML

Originally, spam was simple: identical messages were sent to everyone on a mailing list. These emails were laughably easy to filter out due to the quantity of identical texts.
Personalised mail

Spammers then began to include a greeting based on the recipient's address. Since every message now contained a personalised greeting, filters which blocked identical messages did not detect this type of spam. Security experts developed filters that identified unchanging lines, which would then be added to filtration rules. They also developed fuzzy signature matching, which would detect text which only had minor changes, and statistic based self-modifying filtration technologies such as Bayesian filters.
Random text strings and invisible text

Spammers now often place either text strings from legitimate business emails, or random text strings at the beginning or end of emails in order to evade content filters. Another method used to evade filters is to include invisible text in HTML-format emails: the text is either too tiny to see or the font color matches the background.

Both methods are fairly successful against content and statistical filters. Analysts responded by developing search engines that scanned emails for such typical texts, which also conducted detailed HTML analysis and sophisticated content analysis. Many antispam solutions were able to detect such tricks without even analysing the content of individual emails in detail.
Graphics

Sending spam in graphics format makes it very hard to detect. Analysts are developing methods for extracting and analyzing text contained in graphics files.
Paraphrasing texts

A single advertisement can be endlessly rephrased, making each individual message appear to be a legitimate email. As a result, antispam filters have to be configured using a large number of samples before such messages can be detected as spam.

Contemporary Spammer Technologies

Spammers use dedicated programs and technologies to generate and transmit the billions of spam emails which are sent every day. This requires significant investment of both time and money.

Spammer activity can be broken down into the following steps:

1. Collecting and verifying recipient addresses; sorting the addresses into target groups
2. Creating platforms for mass mailing (servers and/or individual computers)
3. Writing mass mailing programs
4. Marketing spammer services
5. Developing texts for specific campaigns
6. Sending spam

Each step in the process is carried out independently of the others.
Creating address databases
Collecting and verifying addresses; creating address lists

The first step in running a spammer business is creating an email database. Entries do not only consist of email addresses; each entry may contain additional information such as geographical location, sphere of activity (for corporate entries) or interests (for personal entries). A database may contain addresses from specific mail providers, such as Yandex, Hotmail, AOL etc. or from on-line services such as PayPal or eBay.

There are a number of methods spammers typically use to collect addresses:

* Spoofing addresses using common combinations of words and numbers - john@, destroyer@, alex-2@
* Spoofing addresses by analogy - if there is a verified joe.user@yahoo.com, then it's reasonable to search for a joe.user@hotmail.com, @aol.com etc.
* Scanning public resources including web sites, forums, chat rooms, Whois databases, Usenet News and so forth for word combinations (i.e. word1@word2.word3, with word3 being a top-level domain such as .com or .info)
* Stealing databases from web services, ISPs etc.
* Stealing users' personal data using Trojans

Topical databases are usually created using the third method, since public resources often contain information about user preferences along with personal information such as gender, age etc. Stolen databases from web services and ISPs may also include such information, enabling spammers to further personalize and target their mailings.

Stealing personal data such as mail client address books is a recent innovation, but is proving to be highly effective, as the majority of addresses will be active. Unfortunately, recent virus epidemics have demonstrated that there are still a great many systems without adequate antivirus protection; this method will continue to be successfully used until the vast majority of systems have been adequately secured.
Address verification

Once email databases have been created, the addresses need to be verified before they can be sold or used for mass mailing. Spammers send a variety of trial messages to check that addresses are active and that email messages are being read.

1. Initial test mailing. A test message with a random text which is designed to evade spam filters is sent to the entire address list. The mail server logs are analysed for active and defunct addresses and the database is cleaned accordingly.
2. Once addresses have been verified, a second message is often sent to check whether recipients are reading messages. For instance, the message may contain a link to a picture on a designated web server. Once the message is opened, the picture is downloaded automatically and the web site will log the address as active. Most email clients no longer download pictures automatically, so this method is on the wane.
3. A more successful method of verifying if an address is active is a social engineering technique. Most end users know that they have the right to unsubscribe from unsolicited and/or unwanted mailings. Spammers take advantage of this by sending messages with an 'unsubscribe' button. Users click on the unsubscribe link and a message purportedly unsubscribing the user is sent. Instead, the spammer receives confirmation that the address in question is not only valid but that the user is active.

However, none of these methods are foolproof and any spammer database will always contain a large number of inactive addresses.
Creating platforms for mass mailing

Today's spammers use one of these three mass mailing methods:

1. Direct mailing from rented servers
2. Using open relays and open proxies - servers which have been poorly configured, and are therefore freely accessible
3. Bot networks - networks of zombie machines infected with malware, usually a Trojan, which allow spammers to use the infected machines as platforms for mass mailings without the knowledge or consent of the owner.

Renting servers is problematic, since antispam organizations monitor mass mailings and are quick to add servers to black lists. Most ISPs and antispam solutions use black lists as one method to identify spam: this means that once a server has been blacklisted, it can no longer be used by spammers.

Using open relay and open proxy servers is also time consuming and costly. First spammers need to write and maintain robots that search the Internet for vulnerable servers. Then the servers need to be penetrated. However, very often, after a few successful mailings, these servers will also be detected and blacklisted.

As a result, today most spammers prefer to create or purchase bot networks. Professional virus writers use a variety of methods to create and maintain these networks:

1. Exploiting vulnerabilities in Internet browsers, primarily MS Internet Explorer. There are a number of browser vulnerabilities which make it possible to penetrate a computer from a site being viewed by the machine's user. Virus writers exploit such holes and write Trojans and other malware to penetrate victim machines, giving malware owners full access to, and control over, these infected machines.
   For instance, porn sites and other frequently visited semi-legal sites are often infested with such malicious programs. In 2004 a large number of sites running under MS IIS were penetrated and infected with Trojans. These Trojans then attacked the machines of users who believed that these sites were safe.
2. Using email worms and exploiting vulnerabilities in MS Windows services to distribute and install Trojans:
   1. Most recent virus outbreaks have been caused by blended threats, which included installation of a backdoor on infected machines. In fact, nearly all email worms have a Trojan payload.
   2. MS Windows systems are inherently vulnerable, and hackers and virus writers are always ready to exploit this. Independent tests have demonstrated that a Windows XP system without either a firewall or antivirus software is attacked within approximately 20 minutes of being connected to the Internet.
3. Pirate software is also a favorite vehicle for spreading malicious code. Since these programs are often spread via file-sharing networks, such as Kazaa, eDonkey and others, the networks themselves are penetrated and even users who do not use pirate software will be at risk.

Spammer Software

An average mass mailing contains about a million messages. The objective is to send the maximum number of messages in the minimum possible time: there is a limited window of opportunity before antispam vendors update signature databases to deflect the latest types of spam.

Sending a large number of messages within a limited timeframe requires appropriate technology. There are a number of resources developed and used by professional spammers available. These programs need to be able to:

1. Send mail via a variety of channels including open relays and individual infected machines.
2. Create dynamic texts.
3. Spoof legitimate message headers
4. Track the validity of an email address database.
5. Detect whether individual messages are delivered or not and to resend them from alternate platforms if the original platform has been blacklisted.

These spammer applications are available as subscription services or as a stand alone application for a one-off fee.
Creating the message body

Today, antispam filters are sophisticated enough to instantly detect and block a large number of identical messages. Spammers therefore now make sure that mass mailings contain emails with almost identical content, with the texts being very slightly altered. They have developed a range of methods to mask the similarity between messages in each mailing:

* Inclusion of random text strings, words or invisible text. This may be as simple as including a random string of words and/or characters or a real text from a real source at either the beginning or the end of the message body. An HTML message may contain invisible text - tiny fonts or text which is colored to match the background.
All of these tricks interfere with the fuzzy matching and Bayesian filtering methods used by antispam solutions. However, antispam developers have responded by developing quotation scanners, detailed analysis of HTML encoding and other techniques. In many cases spam filters simply detect that such tricks have been used in a message and automatically flag it as spam.
* Graphical spam. Sending text in graphics format hindered automatic text analysis for a period of time, though today a good antispam solution is able to detect and analyze incoming graphics.
* Dynamic graphics. Spammers are now utilizing complicated graphics with extra information to evade antispam filters.
* Dynamic texts. The same text is rewritten in numerous ways so that it is necessary to compare a large number of samples before it will be possible to identify a group of messages as spam. This means that antispam filters can only be updated once most of the mailing has already reached its target.

A good spammer application will utilize all of the above methods, since different potential victims use different antispam filters. Using a variety of techniques ensures that a commercially viable number of messages will escape filtration and reach the intended recipients.
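Both the "Random text strings and invisible text" section and the first item in the list above say that filters respond with detailed HTML analysis and flag a message simply because such tricks were used. The following is an added example of that check, not code from the original article: it walks an HTML body and reports text that is invisible to the reader. The default colours, the size threshold and the sample message are constructed assumptions, and only inline styles are handled.

```python
import re
from html.parser import HTMLParser

# Assumed rendering defaults of a mail client: black 16px text on white.
DEFAULT = {"tag": None, "fg": "#000000", "bg": "#ffffff", "px": 16.0, "shown": True}
MIN_PX = 3.0  # assumed cut-off below which text counts as unreadable
VOID = {"br", "img", "hr", "meta", "link", "input"}
NAMED = {"white": "#ffffff", "black": "#000000"}


def norm_color(value):
    """Normalise #rgb, #rrggbb and two colour names to #rrggbb, else None."""
    v = NAMED.get(value.strip().lower(), value.strip().lower())
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        v = "#" + "".join(ch * 2 for ch in v[1:])
    return v if re.fullmatch(r"#[0-9a-f]{6}", v) else None


def parse_style(style):
    """Split an inline style attribute into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        name, sep, val = decl.partition(":")
        if sep:
            props[name.strip().lower()] = val.strip().lower()
    return props


def font_px(value):
    """Convert a px or pt font-size to pixels; None for units not handled."""
    m = re.fullmatch(r"(\d*\.?\d+)\s*(px|pt)?", value)
    if not m:
        return None
    size = float(m.group(1))
    return size * 4 / 3 if m.group(2) == "pt" else size


class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = [dict(DEFAULT)]  # one rendering context per open element
        self.hidden = []              # (reason, text) pairs

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        attr = {k: (v or "") for k, v in attrs}
        css = parse_style(attr.get("style", ""))
        ctx = dict(self.stack[-1], tag=tag)  # inherit from the parent element
        fg = norm_color(css.get("color") or attr.get("color", ""))
        bg = norm_color(css.get("background-color") or attr.get("bgcolor", ""))
        px = font_px(css.get("font-size", ""))
        if fg:
            ctx["fg"] = fg
        if bg:
            ctx["bg"] = bg
        if px is not None:
            ctx["px"] = px
        if css.get("display") == "none" or css.get("visibility") == "hidden":
            ctx["shown"] = False
        self.stack.append(ctx)

    def handle_endtag(self, tag):
        # Close the nearest matching open element; ignore stray end tags.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i]["tag"] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        ctx = self.stack[-1]
        if not text or ctx["tag"] in ("style", "script"):
            return
        if not ctx["shown"]:
            self.hidden.append(("display-none", text))
        elif ctx["px"] < MIN_PX:
            self.hidden.append(("tiny-font", text))
        elif ctx["fg"] == ctx["bg"]:
            self.hidden.append(("fg-equals-bg", text))


def find_hidden_text(html):
    """Return (reason, text) for every run of text the reader cannot see."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden


# Constructed sample message body, not taken from real spam.
SAMPLE = """<html><body bgcolor="#FFFFFF">
<p>Refinance today and save. Apply here.</p>
<font color="#ffffff">meeting agenda quarterly report attached regards</font>
<span style="font-size:1px; color:#333">kzq vbnw plo xcvt</span>
<div style="display:none">invoice shipping schedule</div>
<p style="color:#fff; background-color:#000">White on black is readable.</p>
</body></html>"""
```

A filter can treat any non-empty result as a signal on its own, or drop the hidden runs before passing the remaining text to a statistical classifier.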
Marketing spammer services

Strangely enough, spammers advertise their services using spam. In fact, the advertising which spammers use to promote their services is a separate category of spam. Spammer-related spam also includes advertisements for spammer applications, bot networks and email address databases.
The structure of a spammer business

The steps listed above require a team of different specialists or outsourcing certain tasks. The spammers themselves, i.e. the people who run the business and collect money from clients, usually purchase or rent the applications and services they need to conduct mass mailings.

Spammers are divided into professional programmers and virus writers who develop and implement the software needed to send spam, and amateurs who may not be programmers or IT people, but simply want to make some easy money.
Future Trends

The spam market today is valued at approximately several hundred million dollars annually. How is this figure reached? Divide the number of messages detected every day by the number of messages in a standard mailing. Multiply the result by the average cost of a standard mailing: 30 billion (messages) divided by 1 million (messages) multiplied by US $100 multiplied by 365 (days) gives us an estimated annual turnover of $1095 million.

Such a lucrative market encourages full-scale companies which run the entire business cycle in-house in a professional and cost-effective manner. There are also legal issues: collecting personal data and sending unsolicited correspondence is currently illegal in most countries of the world. However, the money is good enough to attract the interest of people who are willing to take risks and potentially make a fat profit.

The spam industry is therefore likely to follow in the footsteps of other illegal activities: go underground and engage in a prolonged cyclic battle with law enforcement agencies.

Spam - What exactly is it?

In order to combat spam effectively it is necessary to define exactly what spam is.

Most people believe that spam is unsolicited email. However, this definition is not entirely correct and confuses some types of legitimate business correspondence with true spam.

Spam is anonymous, unsolicited bulk email.

This is the description that is being used today in the USA and Europe as a basis for the creation of anti-spam legislation. Let's take a closer look at each component of the definition:

* Anonymous: real spam is sent with spoofed or harvested sender addresses to conceal the actual sender.
* Mass mailing: real spam is sent in mass quantities. Spammers make money from the small percentage of recipients that actually respond, so for spam to be cost-effective, the initial mails have to be high-volume.
* Unsolicited: mailing lists, newsletters and other advertising materials that end users have opted to receive may resemble spam but are actually legitimate mail. In other words, the same piece of mail can be classed as both spam and legitimate mail depending on whether or not the user elected to receive it.

It should be highlighted that the words 'advertising' and 'commercial' are not used to define spam.

Many spam messages are neither advertising nor any type of commercial proposition. In addition to offering goods and services, spam mailings can fall into the following categories:

* Political messages
* Quasi-charity appeals
* Financial scams
* Chain letters
* Fake spam being used to spread malware

Unsolicited but legitimate messages

A legitimate commercial proposition, a charity appeal, an invitation addressed personally to an existing recipient or a newsletter can certainly be defined as unsolicited mail, but not as spam. Legitimate messages may also include delivery failure messages, misdirected messages, messages from system administrators or even messages from old friends who have previously not corresponded with the recipient by email. Unsolicited - yes. Unwanted - not necessarily.
How to deal with spam

Because unsolicited correspondence may be of interest to the recipient, a quality antispam solution should be able to distinguish between true spam (unsolicited, bulk mailing) and unsolicited correspondence. This kind of mail should be flagged as 'possible spam' so it can be reviewed or deleted at the recipient's convenience.

Companies should have a spam policy, with system administrators assessing the needs of different departments. Access to different unsolicited mail folders should be given to different user groups based on this assessment. For instance, the travel manager may well want to read travel ads, whereas the HR department may wish to see all invitations to seminars and training sessions.

How to Detect a Hacker Attack

Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack.

Due to this, detecting hacker attacks is not an easy task, especially for an inexperienced user. This article gives a few basic guidelines to help you figure out whether your machine is under attack or whether the security of your system has been compromised. Keep in mind that, just as with viruses, there is no 100% guarantee you will detect a hacker attack this way. However, there's a good chance that if your system has been hacked, it will display one or more of the following behaviours.
Windows machines:

* Suspiciously high outgoing network traffic. If you are on a dial-up account or using ADSL and notice an unusually high volume of outgoing network traffic (especially when your computer is idle or not necessarily uploading data), then it is possible that your computer has been compromised. Your computer may be being used either to send spam or by a network worm which is replicating and sending copies of itself. For cable connections, this is less relevant - it is quite common to have the same amount of outgoing traffic as incoming traffic even if you are doing nothing more than browsing sites or downloading data from the Internet.
* Increased disk activity or suspicious looking files in the root directories of any drives. After hacking into a system, many hackers run a massive scan for any interesting documents or files containing passwords or logins for bank or epayment accounts such as PayPal. Similarly, some worms search the disk for files containing email addresses to use for propagation. If you notice major disk activity even when the system is idle in conjunction with suspiciously named files in common folders, this may be an indication of a system hack or malware infection.
* Large number of packets which come from a single address being stopped by a personal firewall. After locating a target (eg. a company's IP range or a pool of home cable users) hackers usually run automated probing tools which try to use various exploits to break into the system. If you run a personal firewall (a fundamental element in protecting against hacker attacks) and notice an unusually high number of stopped packets coming from the same address then this is a good indication that your machine is under attack. The good news is that if your personal firewall is reporting these attacks, you are probably safe. However, depending on how many services you expose to the Internet, the personal firewall may fail to protect you against an attack directed at a specific FTP service running on your system which has been made accessible to all. In this case, the solution is to block the offending IP temporarily until the connection attempts stop. Many personal firewalls and IDSs have such a feature built in.
* Your resident antivirus suddenly starts reporting that backdoors or trojans have been detected, even if you have not done anything out of the ordinary. Although hacker attacks can be complex and innovative, many rely on known trojans or backdoors to gain full access to a compromised system. If the resident component of your antivirus is detecting and reporting such malware, this may be an indication that your system can be accessed from outside.
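
The firewall check from the list above can be automated. The following Python code is an added example, not part of the original article: it counts blocked packets per source address in a log that has a #Fields header and space-separated columns, in the style of the Windows Firewall log. The log layout, the threshold and the sample lines are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample log (not real traffic; addresses come from the
# documentation ranges). The layout is an assumption: a "#Fields:" header
# names the space-separated columns of every record that follows.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-03-01 10:00:01 DROP TCP 203.0.113.7 192.0.2.10 40001 21 48 S 123456 0 8192 - - - RECEIVE
2008-03-01 10:00:02 DROP TCP 203.0.113.7 192.0.2.10 40002 23 48 S 123457 0 8192 - - - RECEIVE
2008-03-01 10:00:03 DROP TCP 203.0.113.7 192.0.2.10 40003 135 48 S 123458 0 8192 - - - RECEIVE
2008-03-01 10:00:04 ALLOW TCP 192.0.2.10 198.51.100.20 1055 80 48 S 223456 0 8192 - - - SEND
2008-03-01 10:00:05 DROP TCP 203.0.113.7 192.0.2.10 40004 139 48 S 123459 0 8192 - - - RECEIVE
2008-03-01 10:00:06 DROP TCP 198.51.100.4 192.0.2.10 51000 445 48 S 323456 0 8192 - - - RECEIVE
2008-03-01 10:00:07 DROP TCP 203.0.113.7 192.0.2.10 40005 445 48 S 123460 0 8192 - - - RECEIVE
2008-03-01 10:00:08 DROP TCP 203.0.113.7 192.0.2.10 40006 3389 48 S 123461 0 8192 - - - RECEIVE
2008-03-01 10:00:09 DROP TCP 203.0.113.7
"""


def parse_log(text):
    """Yield one dict per record, keyed by the column names in #Fields."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other header lines, or data before any header
        values = line.split()
        if len(values) < len(fields):
            continue  # truncated record, e.g. the log was cut mid-write
        yield dict(zip(fields, values))


def blocked_by_source(records):
    """Count dropped packets and distinct destination ports per source."""
    stats = defaultdict(lambda: {"drops": 0, "ports": set()})
    for rec in records:
        if rec.get("action") != "DROP":
            continue
        entry = stats[rec["src-ip"]]
        entry["drops"] += 1
        if rec.get("dst-port", "-") != "-":
            entry["ports"].add(rec["dst-port"])
    return stats


def suspicious_sources(text, min_drops=5):
    """Return (source, drops, distinct_ports) for sources at or above min_drops."""
    stats = blocked_by_source(parse_log(text))
    hits = [(src, s["drops"], len(s["ports"]))
            for src, s in stats.items() if s["drops"] >= min_drops]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    for src, drops, ports in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {drops} blocked packets across {ports} destination ports")
```

A source with many drops spread over many destination ports matches the automated probing the list describes and is a candidate for the temporary block it recommends.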

Unix machines:

* Suspiciously named files in the /tmp folder. Many exploits in the Unix world rely on creating temporary files in the /tmp standard folder which are not always deleted after the system hack. The same is true for some worms known to infect Unix systems; they recompile themselves in the /tmp folder and use it as 'home'.
* Modified system binaries such as 'login', 'telnet', 'ftp', 'finger' or more complex daemons, 'sshd', 'ftpd' and the like. After breaking into a system, a hacker usually attempts to secure access by planting a backdoor in one of the daemons with direct access from the Internet, or by modifying standard system utilities which are used to connect to other systems. The modified binaries are usually part of a rootkit and generally, are 'stealthed' against direct simple inspection. In all cases, it is a good idea to maintain a database of checksums for every system utility and periodically verify them with the system offline, in single user mode.
* Modified /etc/passwd, /etc/shadow, or other system files in the /etc folder. Sometimes hacker attacks may add a new user in /etc/passwd which can be used to log in remotely at a later date. Look for any suspicious usernames in the password file and monitor all additions, especially on a multi-user system.
* Suspicious services added to /etc/services. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines. This is accomplished by modifying /etc/services as well as /etc/inetd.conf. Closely monitor these two files for any additions which may indicate a backdoor bound to an unused or suspicious port.
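
Two of the Unix checks above, the checksum database for system utilities and the watch on additions to /etc/passwd, are shown here in Python. This is an added example, not part of the original article; the function names and the stand-in files and accounts are constructed for the illustration, and the article's advice to verify with the system offline still applies because a rootkit can hide changes from a check run on the live system.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(paths):
    """Record a checksum for every existing file in paths."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def verify(baseline, paths):
    """Return {path: 'modified' | 'missing' | 'new'} relative to the baseline."""
    present = {p for p in paths if os.path.isfile(p)}
    findings = {}
    for path, digest in baseline.items():
        if path not in present:
            findings[path] = "missing"
        elif sha256_file(path) != digest:
            findings[path] = "modified"
    for path in present - set(baseline):
        findings[path] = "new"
    return findings


def passwd_changes(old_text, new_text):
    """List (name, 'added' | 'changed', has_uid_0) between two passwd snapshots."""
    def parse(text):
        accounts = {}
        for line in text.splitlines():
            parts = line.split(":")
            if len(parts) == 7 and not line.startswith("#"):
                accounts[parts[0]] = parts
        return accounts

    old, new = parse(old_text), parse(new_text)
    findings = []
    for name, parts in new.items():
        if name not in old:
            findings.append((name, "added", parts[2] == "0"))
        elif parts != old[name]:
            findings.append((name, "changed", parts[2] == "0"))
    return sorted(findings)


def demo():
    """Run the checksum check on constructed stand-in files (not real binaries)."""
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("login", "sshd", "ftpd", "telnet")}
        for name in ("login", "sshd", "ftpd"):
            with open(paths[name], "wb") as handle:
                handle.write(b"original " + name.encode())
        baseline = build_baseline(paths.values())

        # After the baseline: one daemon replaced, one file removed,
        # one unexpected file added.
        with open(paths["sshd"], "wb") as handle:
            handle.write(b"replaced sshd")
        os.remove(paths["ftpd"])
        with open(paths["telnet"], "wb") as handle:
            handle.write(b"unexpected file")

        found = verify(baseline, paths.values())
        return {os.path.basename(p): status for p, status in found.items()}


# Constructed passwd snapshots; the second one gains an extra UID 0 account.
OLD_PASSWD = "root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n"
NEW_PASSWD = OLD_PASSWD + "support:x:0:0::/tmp:/bin/sh\n"

if __name__ == "__main__":
    print(demo())
    print(passwd_changes(OLD_PASSWD, NEW_PASSWD))
```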

New Computer Virus List

OPRAH WINFREY VIRUS: Your 200MB hard drive suddenly shrinks to 80MB, and then slowly expands back to 200MB.

AT&T VIRUS: Every three minutes it tells you what great service you are getting.

MCI VIRUS: Every three minutes it reminds you that you're paying too much for the AT&T virus.

PAUL REVERE VIRUS: This revolutionary virus does not horse around. It warns you of impending hard disk attack---once if by LAN, twice if by C:>.

POLITICALLY CORRECT VIRUS: Never calls itself a "virus", but instead refers to itself as an "electronic microorganism."

RIGHT TO LIFE VIRUS: Won't allow you to delete a file, regardless of how old it is. If you attempt to erase a file, it requires you to first see a counselor about possible alternatives.

ROSS PEROT VIRUS: Activates every component in your system, just before the whole darn thing quits.

MARIO CUOMO VIRUS: It would be a great virus, but it refuses to run.

TED TURNER VIRUS: Colorizes your monochrome monitor.

ARNOLD SCHWARZENEGGER VIRUS: Terminates and stays resident. It'll be back.

DAN QUAYLE VIRUS #2: Their is sumthing rong wit your komputer, ewe jsut cant figyour out watt!

GOVERNMENT ECONOMIST VIRUS: Nothing works, but all your diagnostic software says everything is fine.

NEW WORLD ORDER VIRUS: Probably harmless, but it makes a lot of people really mad just thinking about it.

FEDERAL BUREAUCRAT VIRUS: Divides your hard disk into hundreds of little units, each of which does practically nothing, but all of which claim to be the most important part of your computer.

GALLUP VIRUS: Sixty percent of the PCs infected will lose 38 percent of their data 14 percent of the time. (plus or minus a 3.5 percent margin of error.)

TERRY RANDALL VIRUS: Prints "Oh no you don't" whenever you choose "Abort" from the "Abort" "Retry" "Fail" message.

TEXAS VIRUS: Makes sure that it's bigger than any other file.

ADAM AND EVE VIRUS: Takes a couple of bytes out of your Apple.

CONGRESSIONAL VIRUS: The computer locks up, screen splits erratically with a message appearing on each half blaming the other side for the problem.

AIRLINE VIRUS: You're in Dallas, but your data is in Singapore.

FREUDIAN VIRUS: Your computer becomes obsessed with marrying its own motherboard.

PBS VIRUS: Your programs stop every few minutes to ask for money.

ELVIS VIRUS: Your computer gets fat, slow and lazy, then self destructs; only to resurface at shopping malls and service stations across rural America.

OLLIE NORTH VIRUS: Causes your printer to become a paper shredder.

NIKE VIRUS: Just does it.

SEARS VIRUS: Your data won't appear unless you buy new cables, power supply and a set of shocks.

JIMMY HOFFA VIRUS: Your programs can never be found again.

CONGRESSIONAL VIRUS #2: Runs every program on the hard drive simultaneously, but doesn't allow the user to accomplish anything.

KEVORKIAN VIRUS: Helps your computer shut down as an act of mercy.

IMELDA MARCOS VIRUS: Sings you a song (slightly off key) on boot up, then subtracts money from your Quicken account and spends it all on expensive shoes it purchases through Prodigy.

STAR TREK VIRUS: Invades your system in places where no virus has gone before.

HEALTH CARE VIRUS: Tests your system for a day, finds nothing wrong, and sends you a bill for $4,500.

GEORGE BUSH VIRUS: It starts by boldly stating, "Read my docs....No new files!" on the screen. It proceeds to fill up all the free space on your hard drive with new files, then blames it on the Congressional Virus.

CLEVELAND INDIANS VIRUS: Makes your 486/50 machine perform like a 286/AT.

LAPD VIRUS: It claims it feels threatened by the other files on your PC and erases them in "self defense".

CHICAGO CUBS VIRUS: Your PC makes frequent mistakes and comes in last in the reviews, but you still love it.

ORAL ROBERTS VIRUS: Claims that if you don't send it a million dollars, its programmer will take it back.

Install and Run Windows XP from a USB drive

I wanted to install Windows on a USB drive, and thought it was a good idea to run Windows XP off a USB hard drive or pen drive that I just plug in when I need it, and boot from it. I wanted an easy guide that allows creating a modified version of the Windows XP CD, for painless and transparent installation to as many systems as you want.

Requirements

1. An existing Windows install for carrying out the steps in this tutorial
2. A USB2-compliant Hard disk drive (or a big USB2 stick, see remarks below)
3. An original Windows XP CD (tested only against SP1 so far, but reported to work on other versions)
4. A registered version of WinISO (or any other software that allows direct editing of ISO files)
5. The Microsoft CAB SDK
6. A CD-burning software that can handle ISO files. I like the free burnatonce


How To:

Summary:

We will dump the contents of your original Windows XP CD, extract a few files from the image using ISO modification software, edit the files, and put the modified versions back on the ISO. The resulting ISO image is burnt back onto a CD, and can then directly be used to install Windows on your USB drive.

I am also covering a few pitfalls that happened to me, in hope they will save you a bit of time.


1) Does your computer support booting from USB?

Usually, if it's an option in your BIOS boot sequence menu, the answer to this is yes. If it's not there, look for BIOS updates. If you are not sure, proceed and see what happens ;-)

2) Sorting out the "Bootability" of your USB-Drive

Connect your USB drive to your computer, directly, without a hub. Then, shut down your computer, disconnect any other hard disk drives from it, and insert your original Windows XP CD into the drive. Start the installation, and proceed to the section where you are allowed to pick a hard drive. If it goes beyond the partition selection, your drive is already fine for booting Windows XP. If not (this seems to be the case with many of the Freecom USB HDDs, for example), you will get an error like "Windows is unable to find your drive, partition, data etc bla". This is usually not a big problem. All you need to do is "properly" format the drive. Reboot into your normal Windows, and get this HP tool, and use it to format your HDD completely. I chose NTFS format, which worked fine every time I tried. After this, my drives are recognized as valid installation devices by the Windows XP installer.
(In fact, I did not manage to create a USB primary partition with FAT32 that was recognized as being installable.)

3) Dumping the original Windows CD into an ISO File

Pretty easy one. Simply open WinISO, and select Actions -> Make ISO from CDROM, and save your CD image.

4) Extracting the files we need to work on

After the CD dump is done, close and reopen WinISO. Then, open the ISO file you just created using File -> Open. Now, click the I386 folder, and select the following files (Ctrl key to multi-select)

* TXTSETUP.SIF
* DOSNET.INF
* USB.IN_
* USBPORT.IN_
* USBSTOR.IN_

Select Actions -> Extract and put the resulting files into some folder to work on them.

5) Unpacking IN_ files

Use the Cab SDK (from the command line) for extracting the contents of the .IN_ files. Each of them contains exactly one .inf file. If you are unsure how to use the Cab SDK, here is an example command line: "cabarc x USBSTOR.IN_". You should end up with three new files in the folder, called:

* usb.inf
* usbport.inf
* usbstor.inf

You can now delete the .IN_ files.

6) Editing the files

This is the main job. I'll also try to explain a bit of what's happening. Use a simple text editor like Notepad.

6-A) TXTSETUP.SIF

This file is loaded on the initial install step by the Windows XP CD installer. In this file, we will change the way Windows treats USB devices during system setup -- the default is to only treat them as input devices during installation -- we will change this to include mass storage driver support (which needs to be loaded into the installer much earlier in order to work).

First, move the following entries from [InputDevicesSupport.Load] to the [BootBusExtenders.Load] section, as shown here:

[BootBusExtenders.Load]
pci = pci.sys
acpi = acpi.sys
isapnp = isapnp.sys
acpiec = acpiec.sys
ohci1394 = ohci1394.sys
usbehci = usbehci.sys
usbohci = usbohci.sys
usbuhci = usbuhci.sys
usbhub = usbhub.sys
usbstor = usbstor.sys




[InputDevicesSupport.Load]
usbehci = usbehci.sys
usbohci = usbohci.sys
usbuhci = usbuhci.sys
usbhub = usbhub.sys
usbccgp = usbccgp.sys
hidusb = hidusb.sys
serial = serial.sys
serenum = serenum.sys
usbstor = usbstor.sys



... now the same for [BootBusExtenders] and [InputDevicesSupport]

[BootBusExtenders]
pci = "PCI-Bustreiber",files.pci,pci
acpi = "ACPI Plug & Play-Bustreiber",files.acpi,acpi
isapnp = "ISA Plug & Play-Bustreiber",files.isapnp,isapnp
acpiec = "Integrierter ACPI-Controllertreiber",files.none,acpiec
ohci1394 = "IEEE-1394-Bus-OHCI-konformer Anschlusstreiber",files.ohci1394,ohci1394
usbehci = "Erweiterter Hostcontroller",files.usbehci,usbehci
usbohci = "Open Hostcontroller",files.usbohci,usbohci
usbuhci = "Universeller Hostcontroller",files.usbuhci,usbuhci
usbhub = "Standard-USB-Hubtreiber",files.usbhub,usbhub
usbstor = "USB-Speicherklassentreiber",files.usbstor,usbstor




[InputDevicesSupport]
usbehci = "Erweiterter Hostcontroller",files.usbehci,usbehci
usbohci = "Open Hostcontroller",files.usbohci,usbohci
usbuhci = "Universeller Hostcontroller",files.usbuhci,usbuhci
usbhub = "Standard-USB-Hubtreiber",files.usbhub,usbhub
hidusb = "HID-Parser",files.hidusb,hidusb
serial = "Treiber für seriellen Anschluss",files.none,serial
serenum = "Enumerator für seriellen Anschluss",files.none,serenum
usbstor = "USB-Speicherklassentreiber",files.usbstor,usbstor
usbccgp = "USB Generic Parent Driver",files.usbccgp,usbccgp




Next, we also have to write several keys into the registry. Conveniently, the txtsetup.sif allows you to specify files that are parsed and inserted into the registry at install time. Insert the following in the [HiveInfs.Fresh] section:

[HiveInfs.Fresh]
AddReg = hivedef.inf,AddReg
AddReg = hivesys.inf,AddReg
AddReg = hivesft.inf,AddReg
AddReg = hivecls.inf,AddReg
AddReg = hiveusd.inf,AddReg
AddReg = dmreg.inf,DM.AddReg
AddReg = usbboot.inf,usbservices



and also in [SourceDisksFiles]

[SourceDisksFiles]
usbboot.inf = 1,,,,,,_x,3,,3
bootvid.dll = 1,,,,,,3_,2,0,0,,1,2
kdcom.dll = 1,,,,,,3_,2,0,0,,1,2


Finally, save and close TXTSETUP.SIF. We are done with it.

6-B) DOSNET.INF

Now, open DOSNET.INF, and change the second [Files] section to look like this:

[Files]
d1,usbboot.inf
d1,_default.pif
d1,12520437.cpx
d1,12520850.cpx
....



6-C) usb.inf

Change the bolded lines in the [StandardHub.AddService] and [CommonClassParent.AddService] sections:

[StandardHub.AddService]
DisplayName = %StandardHub.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbhub.sys
LoadOrderGroup = Boot Bus Extender



[CommonClassParent.AddService]
DisplayName = %GenericParent.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbccgp.sys
LoadOrderGroup = Boot Bus Extender



6-D) usbport.inf

Change the bolded lines in the [EHCI.AddService], [OHCI.AddService], [UHCI.AddService] and [ROOTHUB.AddService] sections:

[EHCI.AddService]
DisplayName = %EHCIMP.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbehci.sys
LoadOrderGroup = Boot Bus Extender



[OHCI.AddService]
DisplayName = %OHCIMP.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbohci.sys
LoadOrderGroup = Boot Bus Extender



[UHCI.AddService]
DisplayName = %UHCIMP.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbuhci.sys
LoadOrderGroup = Boot Bus Extender



[ROOTHUB.AddService]
DisplayName = %ROOTHUB.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 0 ; SERVICE_BOOT_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbhub.sys
LoadOrderGroup = Boot Bus Extender



6-E) usbstor.inf

Change / Add the bolded lines in the [USBSTOR.AddService] section

[USBSTOR.AddService]
DisplayName = %USBSTOR.SvcDesc%
ServiceType = 1
StartType = 0
Tag = 3
ErrorControl = 1
ServiceBinary = %12%\USBSTOR.SYS
LoadOrderGroup = Boot Bus Extender



6-F) new file: USBBOOT.INF

Create a new file called USBBOOT.INF in the same directory as your other changed files, and put the following content into it:

[usbservices]

HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","DisplayName",0x00000000,"USB Mass Storage Driver"
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","ImagePath",0x00020000,"system32\DRIVERS\USBSTOR.SYS"
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\USBSTOR","Type",0x00010001,1

HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","DisplayName",0x00000000,"USB 2.0 Enhanced Host Controller Miniport Driver"
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","ImagePath",0x00020000,"system32\DRIVERS\usbehci.sys"
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\usbehci","Type",0x00010001,1

HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","DisplayName",0x00000000,"USB2 Enabled Hub"
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","ImagePath",0x00020000,"system32\DRIVERS\usbhub.sys"
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\usbhub","Type",0x00010001,1

HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","DisplayName",0x00000000,"Microsoft USB Universal Host Controller Miniport Driver"
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","ImagePath",0x00020000,"system32\DRIVERS\usbuhci.sys"
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\usbuhci","Type",0x00010001,1

HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","DisplayName",0x00000000,"Microsoft USB Open Host Controller Miniport Driver"
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","ErrorControl",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","Group",0x00000000,"System Reserved"
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","ImagePath",0x00020000,"system32\DRIVERS\usbohci.sys"
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","Start",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\Services\usbohci","Type",0x00010001,1



7) Repack the inf files into their original IN_ format

If you have not already deleted your extracted .IN_ files, do so now. They need to be replaced. Open a DOS shell again, and navigate to the folder with your changed files. Then execute the following commands:

cabarc n USB.IN_ usb.inf
cabarc n USBPORT.IN_ usbport.inf
cabarc n USBSTOR.IN_ usbstor.inf

The three IN_ files should now exist again.

Congratulations. All our modifications are done.

8) Inject the changed files into the ISO

Open your Windows CD image again with WinISO. Navigate to the I386 folder, and delete the following files from the ISO, saving the changes to the ISO afterwards:

* DOSNET.INF
* TXTSETUP.SIF
* USB.IN_
* USBPORT.IN_
* USBSTOR.IN_

Just to be sure all is updated in the ISO, close and reopen the ISO in WinISO. Now, again go to the I386 folder and select "Add Files". Now add your changed files, in detail:

* USBBOOT.INF
* DOSNET.INF
* TXTSETUP.SIF
* USB.IN_
* USBPORT.IN_
* USBSTOR.IN_

Save the ISO. You are done.

9) Burn the ISO back to CD

Feel free to use any burning package you want. I used the free and simple Burnatonce.

10) Install Windows XP from the CD

Shut down your computer. Disconnect ANY internal and external hard drives (so Windows cannot find them during installation and mess up their Master Boot Records hehe). Some computers will have trouble booting without an internal HDD attached; check in your BIOS and, if possible, remove the HDD from the boot sequence and set the USB hard disk as the first boot device, and the CD-ROM as second.

Also, now connect your USB Harddrive directly to the computer, without any Hubs in between.

Windows should install just fine, with the exceptions noted below.

Issues you will encounter during installation:

* During driver installation, the USB drivers will prompt you, as they are "not certified" - This is normal. Our changes invalidated the checksum, and therefore the driver is no longer signed. Just press "yes" a couple of times.
* Upon completion of the install, the system will complain once on the first bootup that the pagefile does not exist. You can ignore this for now, as Windows will work fine without it. People are looking at fixing this issue, but it's not critical for now.

Once everything is up and running, shut down and reconnect all your drives.

Inside the World's Greatest Keyboard

From the satisfying click of its keys to its no-nonsense layout and solid steel underpinnings, IBM's 24-year-old Model M is the standard by which all other keyboards must be judged.

Inside IBM's Model M Keyboard

Chip Taylor

IBM's Model 5150 PC, released in 1981, was a classic, perhaps the computer most responsible for launching the PC revolution. Sadly, however, its keyboard did not live up to that standard. This 83-key model was IBM's first, and critics hated it, complaining about its awkward layout and nonstandard design. Stung by the criticism, IBM assembled a ten-person task force to craft a new keyboard, according to David Bradley, a member of that task force and of the 5150's design team. Their resulting 101-key design, 1984's Model M, became the undisputed bellwether for the computer industry, with a layout that dominates desktops to this day. As we peek under the hood of this legend, you'll soon see why many consider the Model M to be the greatest keyboard of all time.

Meet the Model M

This is my keyboard. It's just a few months shy of 22 years old, and I use it every day.

The first thing that may strike you about the Model M is the layout: It's so normal. There's no pesky "Windows" key here; nor are there buttons to turn your computer off, play a CD, or start your car. Just the basics, as IBM defined them 24 years ago. Some would say its only flaw is the prominent placement of the Caps Lock key (in lieu of "control" on earlier keyboards). But it's a minor error compared with the modern keyboard's multitude of sins.

Beneath the Keycaps

When designing the Model M, IBM engineers thought ahead. Almost every key on the keyboard has an easily removable keycap that allowed the user--or IBM--to easily change the layout or color of the keyboard. This was especially important for IBM's international keyboard releases, which incorporated subtle layout differences from the U.S. version. The keycaps are also durable; the label on each key is molded into the plastic itself, ensuring that it wouldn't wear off with use.

Cable Flexibility

As with the keycaps, the Model M's cable design supports modular extensibility. One 6-pin port on the back of the keyboard (left) allows for a number of configurations, from the traditional 5-pin AT connector seen here (right), to the PS/2 connector, and various IBM terminal connectors. Any compatible connector upgrade is only a new cable away.

The Flip Side

The Model M provides two sturdy, retractable feet on the base of the unit to change the operational angle of the keyboard. The speaker grille you see here is a holdover from an earlier terminal keyboard mold that was used with the Model M--the M contains no speaker.

22 Years of Service

As you can see by this label, IBM manufactured my Model M on August 13th, 1986. That's almost 22 years ago, and the keyboard still gets daily use (I even wrote this article with it). It still feels and sounds just as good as any newer Model M I've used--a powerful testament to its durability and relevance. Stop for a second and consider how many 22-year-old computer parts you still use on a daily basis. Exactly.

Under the Hood

Every keyboard hides a dirty secret: a years-long accumulation of dust, dirt, hairs, crumbs, and whatever else fell between the key cracks. But after splitting open the case, I was surprised at how clean my Model M was, especially when compared with a particularly nasty Apple II+ keyboard. The Model M's design ensures smooth operation even when dirty.

Buckling Springs

They call IBM keyboards "clicky" for a reason: With every keystroke, the keys produce a satisfying click-thunk-click via a patented mechanism called the "buckling-spring actuator." Every key press compresses the key spring until it suddenly snaps against the side of a black plastic cylinder (seen here), producing the "click" sound. Meanwhile, the spring, thus compressed, pushes a tiny pivoting rocker beneath each key that registers the key press on a membrane below.

A Durable Design

The Model M owes its incredible life span not only to its buckling-spring design, but also to the fact that each plastic key covers the only hole leading to the switch below, which in turn is covered by a rubber membrane, making it very hard for dust, dirt, or even liquid to reach the operational core of the keyboard. But cleaning an M is easy. Even under the force of a powerful vacuum cleaner, the small springs you see here don't budge--they're thankfully attached to elements beneath each key.

Built Like a Tank

The Model M is a hefty piece of hardware. Fully assembled, my unit weighs over 5 pounds. A large portion of that weight comes from the solid steel back plate on the bottom of the keyboard assembly (seen here removed from its plastic chassis and flipped over). The weight afforded by the steel is nice; it prevents the unit from sliding around while you're typing. If necessary, the Model M can also function as a battering ram or makeshift ballistic shield.

Also, that's the M's controller board sitting atop the base. You'll see the other side of the controller on the next slide.

The Man Behind the Curtain

Within every Model M is a tiny computer--a Hitachi 6805 microprocessor--that encodes key presses and interfaces with your PC. This board connects to the keyboard assembly via two thin plastic ribbon cables (not pictured), while the big black connector to the upper left receives the 6-pin external keyboard cable we talked about earlier. The white 4-pin connector to the right powers the Num Lock, Caps Lock, and Scroll Lock indicator LEDs, and the braided cable to the far left is a grounding wire.

Plastic Armor

Another important component of the Model M's durability is its thick, rugged plastic shell, seen here devoid of any contents. It'll take a sizable beating without cracking, and it won't fly away in a breeze, even when empty. When you put all its components together, the Model M is a formidable keyboard that will serve a user reliably for years.

A Pale Imitation

Let's take a look at the Model M's competition. Here we have a modern, generic, $1-bill-of-materials, Chinese-made keyboard, the kind they toss out as confetti during parades and give away with PC clones as mere afterthoughts in a mouse-centric world. Compared with the tanklike Model M, this fragile, 1.5-pound keyboard is a lightweight (you could easily break it over your knee). Like most modern keyboards, it includes several extraneous keys and buttons that either annoy the seasoned typist or threaten your computer's stability because of the drivers required to make them work.

The No-Click Solution

Unlike the Model M, this keyboard's keys snap into place over silicone-rubber dome switches. The keyboard is very quiet, which can be a plus in certain environments, but it won't last nearly as long as keyboards built on the buckling-spring design. Dome-switch keyboards are also much less expensive to produce than keyboards with more complicated mechanical switches, which is why they dominate the keyboard market today.

Hardly Bulletproof

Here's a look inside a typical modern keyboard. Beneath each key lies a free-floating silicone dome switch that can easily wear out over time or degrade in harsh environments. When depressed, the dome buckles and pushes together two contact-laden plastic membranes, completing the circuit and registering a key press.

For many users, a keyboard like this is probably good enough. After all, if it wears out, it's cheap to replace. But for serious typists, or those who simply appreciate a solid keyboard beneath their fingers, an IBM Model M is, without question, the only way to go.