Microsoft plans to release an R2 edition of Windows Server 2008 in 2009 or 2010. Here are the key features of the R2 release that you need to know.

—————————————————————————————————————

When Windows Server 2008 R2 is released in 2009 or 2010 (that is the current projected timeframe), there will be some important features about this release. The most prominent is that Windows Server 2008 will solely be an x64 platform with the R2 release. This will make the upgrade to x64 platforms not really a surprise, as all current server class hardware is capable of 64-bit computing. There is one last window of time to get a 2008 release of Windows still on generic brand for cialis a 32-bit platform before R2 is released, so do it now for those difficult applications that don’t seem to play well on x64 platforms.

Beyond the processor changes, here are the other important features of the R2 release of Windows Server 2008:

Hyper-V improvements: The Hyper-V is planned to offer Live Migration as an improvement to the initial release of Quick Migration; Hyper-V will measure the migration time in milliseconds. This will be a solid point in the case for Hyper-V compared to VMware’s ESX or other hypervisor platforms. Hyper-V will also include support for additional processors and Second Level Translation (SLAT).

PowerShell 2.0: PowerShell 2.0 has been out in a beta release and Customer Technology Preview capacity, but it will be fully baked into Windows Server 2008 R2 upon its release. PowerShell 2.0 includes over 240 new commands, as well as a graphical user interface. Further, PowerShell will be able to be installed on Windows Server Core.

Core Parking: This feature of Windows Server 2008 will constantly assess the amount of processing across systems with multiple cores, and under certain configurations, suspend new work being sent to the cores. Then with the core idle, it can be sent to a sleep mode and reduce the overall power consumption of the system.

All of these new features will be welcome and add great functionality to the Windows Server admin. The removal of x86 support is not entirely a surprise, but the process needs to be set in motion now for how to address any legacy applications.

The other evening my wife was working on her Windows Vista laptop and encountered an unexpected result. She double-clicked on a .PNG image file and up popped the QuickTime PictureViewer. It displayed the .PNG image perfectly, but she had been expecting the image to be displayed by Windows Photo Gallery, like it always has in the past. Claiming that she didn’t have any idea how such a thing could happen, she asked me to fix it.

I knew right away what had happened. She had recently installed Apple QuickTime to view a movie that a friend had sent to her and must have clicked Yes when the installation procedure prompted her to alter the default programs. As such, QuickTime had taken over all the default graphic file associations. Fortunately, my assumption that it would be an easy fix was indeed true; however, I decided to take the procedure one step further and remove QuickTime from the Open With list by using a quick Registry edit.

In this edition of the Windows Vista Report, I’ll show you how to clear out Vista’s Open With list.

This blog post is also available in PDF format as a TechRepublic download.

Using default programs

As I began my investigation, the first place I looked was in the Default Programs tool. To launch it, just type Default in the Start Search box on the Start menu and press [Enter]. When you launch the Default Programs tool, shown in Figure A, you’ll see that there are four links that allow you to configure how Windows Vista works with programs:

Figure A

The Default Programs tool provides you with four different ways to configure your default program options.

For this type of investigation, I selected the file type association option — Associate a File Type or Protocol with a Program. I then scrolled through the list of file types until I located .PNG, as shown in Figure B. As you can see, the .PNG file type is associated with QuickTime PictureViewer.

Figure B

You can see that the .PNG file type is associated with QuickTime PictureViewer.

To reset the file type association back to Windows Photo Gallery, I selected the Change Program button. When I did, the Open With dialog box displayed. At this point, all I had to do was choose the Always Use the Selected Program to Open This Kind of File check box and select Windows Photo Gallery from the list, as shown in Figure C. To complete the operation, I just clicked the OK button.

Figure C

Using the Open With dialog box, you can easily reset the default program that you want to open a particular file type.

Testing the result

I then returned to Windows Explorer, double-clicked a .PNG file, and watched Windows Photo Gallery pop up. However, when I right-clicked on a .PNG file and accessed the Open With submenu, I discovered that PictureViewer was still linked to the .PNG file type even though it wasn’t set as the default program, as shown in Figure D.

Figure D

The QuickTime PictureViewer was still linked to the .PNG file type even though it wasn’t set as the default program any longer.

Now, I am not totally against Apple (even though I’m a PC guy), but I was annoyed that the program had taken over the .PNG file type and so I really wanted to remove all traces of it.

Investigating the Registry

Doing a bit of research on Vista’s Registry structure, I discovered that there are five registry keys that have the potential to control the list of programs that display on the Open With submenu:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\FileExts\.xxx\OpenWithList

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\FileExts\.xxx \OpenWithProgIDs

HKEY_CLASSES_ROOT\.xxx\ OpenWithList

HKEY_CLASSES_ROOT\.xxx\ OpenWithProgIDs

HKEY_CLASSES_ROOT\SystemFileAssociations \PType\OpenWithList

Where .xxx is the file extension you are concerned with and PType for a file extension could be audio, image, system, text, or video.

In my case, I found that the link between the QuickTime PictureViewer and the Open With submenu was located in the HKEY_CLASSES_ROOT\.png\ OpenWithProgIDs registry key, as shown in Figure E.

Figure E

The link between the QuickTime PictureViewer and the Open With submenu, was located in the HKEY_CLASSES_ROOT\.png\ OpenWithProgIDs registry key.

After deleting the QuickTime.png Binary Value from the Registry, the QuickTime PictureViewer disappeared from the Open With submenu. (Keep in mind that whenever you delve into the Registry, you are potentially playing with fire. So make sure that you have a recent backup.)

In most cases, you’ll find the item that you want to remove from the Open With submenu in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer \FileExts\.xxx\OpenWithList registry key as a String Value.

For example, I later went to that registry key to remove Windows Movie Maker from the Open With submenu. In that case, I had to delete the free cialis pills moviemk.exe String Value and the MRUList String Value, shown in Figure F. The reason is that while the moviemk.exe String Value represented the actual application link, the MRUList String Value contains the actual list.

Figure F

In some cases you may have to delete more than one registry key.

It would be nice if you could just pull out a directory and look up the e-mail address of anyone you wanted to contact. Unfortunately, a bit more resourcefulness is required. Here’s an assortment of strategies to try when you can’t seem to run down an e-mail address you need.

---

Technology is great… when it works. It seems, though, that the more advanced our technology grows, the more complex the simple tasks become. Finding someone’s e-mail address is a perfect example — there’s no huge yellow book full of e-mail addresses. The system at large is huge, and individual choices are still too elusive. Hunting down a current e-mail address is a challenge, but it isn’t impossible.

Note: This information is also available as a PDF download.

#1: Look in your own e-mail folders

This tip seems obvious, but if you haven’t corresponded with someone in a long time, you might not remember that his or her e-mail address is sitting in one of your folders. To find an e-mail address in one of your own mail client folders:

#2: Be an anarchist — call them

At the risk of sounding flip, a quick call can solve your problem, as long as the person wants you to have the e-mail address. You don’t even have to talk to the person directly. The receptionist who answers the phone will probably have a list of e-mail addresses for employees. If, on the other hand, you’re trying to find a long lost lover or friend, that’s probably not going to work (unless, of course, you know where they work… and if you know where they work, chances are they’re not lost).

#3: Check a business card

Most people include an e-mail address on their business cards, so make a quick pass through the ones you have. You don’t have to look for the specific person; pull out a card from anyone at the same company or organization. Just knowing the domain can help you (see #1 and #8).

#4: Search user groups and newsgroups

Just about everyone who’s online takes advantage of a newsgroup or user group. Sometimes, you can find a message, including a person’s e-mail address, using an Internet search engine, such as groups.google.com. If the person has posted on any UseNet group, Google will return a link to the post, which might lead to a full e-mail address. (UseNet is a network of worldwide Internet discussion systems, or user groups and forums.)

#5: Use an Internet search engine

Google is now a verb! Simply Google the person and see what turns up. Now, the problem with this solution is that you might get nothing  – or you might get dozens of hits, especially if the name is common or shared with a public personality. Use this method early in your search, but check only the first few links. Reviewing dozens of links takes too much time. If the other methods fail, you can always return to a search engine.

A general search will generate more hits than a filtered search, such as searching newsgroups (see #4). Google is just one search engine among many, so don’t limit yourself; try others. A meta search engine is often a better choice because they rely on many search technologies, not just one.

#6: Search for an address

An Internet search engine, such as Google, can find more than names. If a name doesn’t turn up anything, search on something else, like the person’s street address or employer. The more unique the search, the more likely you are to find something useful.

#7: Guess!

If you know the person’s domain, you can guess at the name component. This is especially easy if the domain is a business or organization because most companies and organizations use consistent rules for creating e-mail addresses. Find the right rules and you might get lucky. When there’s no discernable pattern, just keep guessing. There are a number of common patterns:

• firstname.lastname@domain.com

  free cialis coupon

• firstname_lastname@domain.com
• firstnamelastname@domain.com
• firstinitiallastname@domain.com
• firstinitial_lastname@domain.com
• lastname@domain.com
• firstnamelastnameinitial@domain.com

If you don’t know the domain, use an Internet search engine to search for the company or organization’s name. Doing so might turn up a domain name. If there’s a Web page, but no contact information, try the Web site’s domain name. If there’s a contact name, but not the one you’re looking for, check existing e-mail contacts for a consistent pattern. If you find a pattern and you know the contact’s full name, apply the pattern, send a message, and hope for the best. Or simply send a message to the listed contact and ask for the person’s correct e-mail address.

#8: Find a new e-mail address

E-mail addresses change all the time. A person can go through several in just a few years. A few online services can help if the e-mail address you have no longer works:

• EmailChange.com
• Find mE-Mail
• FreshAddress
• Return Path

But don’t get the wrong idea about these services. There’s no huge network running spiders to glean addresses. People must register their old and new addresses with these services. When it works, it works great. But mostly, this type of service is a long shot.

#9: Try an online directory

It would be nice if the Internet had a phone book or even a 411 service. Unfortunately, e-mail addresses, by nature, are elusive, at best. There are a number of online directory services to try:

• address.com
• search.bigfoot.com
• peoplesearch.lycos.com/whitepage
• peekyou.com
• wink.com

These directories aren’t generally too reliable. A quick search on them returned only one business-related e-mail address for myself. Many online directories charge for their services, so be careful.

#10: Search online networking sites

A number of people enjoy social networks, both for business and pleasure. Most will make you register to search their membership, but generally, registering is free. If the person you’re looking for belongs to one of these networks, you can contact them via the service’s online contact feature:

• classmates.com
• facebook.com
• friendster.com
• icq.com
• linkedin.com
• mychurch.org
• plaxo.com
• pogo.com
• shelfari.com

#11: Take a long shot

When all else fails, try soc.net-people. This newsgroup allows you to ask for help locating someone you believe has an e-mail address. To use this service, post a message asking for help. Describe the person to the best of your abilities, including as much relevant information for positively identifying them as possible. Be sure to include your e-mail address so members with information can contact you. It’s a long shot, for sure, but it can’t hurt to try.

Michael Kassner recently asked TechRepublic members to submit questions about botnets, promising to forward them to the experts at Arbor Networks. Dr. Jose Nazario volunteered to provide the following informative answers.

---

Note: This information is also available as a PDF download.

#1: Could you define what a bot or zombie is and how they become part of a botnet?

A botnet is a collection of machines that have been compromised by software installed by the attacker so that they now respond to commands sent by the attacker. This malcode can be installed by exploits on the base OS (e.g., as in the Sasser worm), through browser exploits, or through Trojan horse activities such as fake games or pornography codecs.

#2: What are botnets used for — are they profitable?

Botnets are used by the attackers for a wide variety of tactics: spamming, hosting phishing sites, harvesting information from the infected PCs for use or resale (such as credit card or banking information), denial of service for pay or extortion, adware installations, etc. The botnet is a platform for the criminal underground, providing unfettered access to the compromised PC and its resources — disk, bandwidth, IP reputation, personal information, etc. — for the attacker. It’s a way to load arbitrary software onto the machine, as well as to pull arbitrary information off of the machine.

We see botnets used all over the world: the United States, Europe, Russia and the Ukraine, China, Korea, Japan, South America — all over. The main motivations in the past few years have become monetary, as opposed to curiosity or joy riding.

#3: If I understand correctly, there are different command and control philosophies used by botnets. Could you explain how they work and their effectiveness?

The two main types of command and control structures used by botnets are a centralized mechanism and a decentralized, peer-to-peer mechanism. There is also a third, hybrid approach. Command and control refers to the server(s) that the infected hosts, the bots, contact to receive new commands from the attacker.

IRC botnets are the classic centralized structure, with one or more single IRC servers acting as the main hub. This is still the most popular way to run a botnet, using IRC, HTTP, or other protocols with a single hub. The storm worm used a hybrid approach, where it would pass messages to other bots using P2P, but it would use a central set of servers for files and updates. Finally, the Nugache botnet is the biggest and most well known true P2P botnet.

Obviously, if you can take one server out and disrupt a botnet, that is the most desirable way to approach it. If we take out the hubs of the botnet, the bots are still infected but not acting on commands. P2P botnets are far harder to disrupt and shut down.

#4: Are all operating systems equally vulnerable to rootkits? Is there any advantage to using one operating system versus another?

Almost all commonly available operating systems — Linux, BSD, Mac OS X, Windows — are vulnerable to rootkits, either kernel-mode or user-land rootkits. These can be used to hide processes or files from the user. In the end, given that all systems have flaws and can be attacked, the only advantage one OS has over another is the research time devoted to it by an attacker.

#5: My computer’s CPU usage is more than 50%, and outgoing network activity is far from normal, so I suspect my computer may be part of a botnet. How can I confirm this?

AV scans can be of some help, through a number of means, assuming it’s up to date. First, if you can scan with multiple scanners, this can make a significant difference in the detection rates. This can be easily done with free online AV scanners, as every major AV vendor has them.

Second, scan with something like a rootkit detector to see if a rootkit has been installed; this is usually not a major source of traffic and CPU usage, but would indicate malware infections that may be hidden from AV or manual inspection.

Third, look at your external IP using a check my IP service and then query a tool to see if the IP address is blacklisted for spamming. This is another sign than your system is infected and is a spam bot. The tools at Robtex can be very helpful at this.

Finally, a tool like Trend Micro’s RUBotted can help spot some signs of botnet participation. All of these tools can be used freely. But always be wary of software that claims to be free until it charges you a sum to clean up your system; that’s usually a scam product.

#6: I’ve heard that rootkit scanners aren’t effective. Is that true? If scanners are effective only for certain types of rootkits, how do I know which ones to use? Which scanners would you recommend?

They’re somewhat effective, but they’re being defeated by newer rootkits. GMer is one of the better rootkit scanners. It is kept up to date with new techniques and appears to address almost all common rootkits.

#7: I thought my computer was protected by a firewall and antivirus program, yet the computer became infected with Rustock.B and ultimately a member of some botnet. I was told my only option was to completely rebuild the computer. I did, but what if anything can I do to prevent my computer from getting rooted again?

Keep up to date with AV software, keep updated on patches, don’t run as Administrator (or with equivalent permissions), and run a personal firewall. If possible, if you’re running Windows, run Vista, which does much of this for you. If not, use XP SP2. Make sure that your AV is enabled for e-mail and Web browsing.

#8: I’m a systems administrator for a typical company network. I assume that there’s more risk, just from the sheer number of computers. Is there any information I can pass on to the users (especially mobile workers) that will minimize the risk?

Mobile workers are probably the most susceptible, as they enter hostile networks (e.g., the broadband networks they may use at home). They should be told to not ignore software updates, keep their AV updated, and not to cancel such updates or to disable such software. The benefits of these simple hygienic approaches can’t be understated.

#9: Could you suggest any good sources of information related to rootkits and botnets (Web sites, forums, RSS feeds) that would allow me to stay current?

I maintain a website, InfosecDaily that covers some of the better blogs and news sites. It’s freely available. I also recommend a handful of major sites:

I use an RSS reader to fetch and maintain my news; RSS is vital to simplifying your daily news digestion in this business!

#10: From all that I’ve read, it appears as though there’s very little I can do to prevent my computer from becoming a member of some botnet. Is that really the case?

I don’t think so; I feel this is a winnable battle. The best things you can do are to keep your software updated; the base OS, your browser (most important), and any add-ons. Most bots and malcode get in by using well known vulnerabilities.

The next best thing to do is to keep your AV software updated; most people don’t update their AV software — hourly or even daily, in some cases — and have no real benefit from it as a result. Finally, a good anti-spam filter can do wonders to prevent threats via e-mail.

Final thoughts

I’d like to thank Dr. Nazario of Arbor Networks for answering these questions and Jessica Sutera, also of Arbor Networks, for helping to make the question and answer session possible. I found the links to be especially illuminating. Oh, almost forgot GMer, which already has a special spot in my rootkit scanner toolbox.

 

 

Malware-based rootkits fuel a multibillion dollar spyware industry by stealing individual or corporate financial information. If that weren’t bad enough, rootkit-based botnets generate untold amounts of spam. Here’s a look does female cialis work at what rootkits are and what to do about them.

---

Rootkits are complex and ever changing, which makes it difficult to understand exactly what you’re dealing with. Even so, I’d like to take a stab at explaining them, so that you’ll have a fighting chance if you’re confronted with one.

Note: This information is also available as a PDF download.

#1: What is a rootkit?

Breaking the term rootkit into the two component words, root and kit, is a useful way to define it. Root is a UNIX/Linux term that’s the equivalent of Administrator in Windows. The word kit denotes programs that allow someone to obtain root/admin-level access to the computer by executing the programs in the kit — all of which is done without end-user consent or knowledge.

#2: Why use a rootkit?

Rootkits have two primary functions: remote command/control (back door) and software eavesdropping. Rootkits allow someone, legitimate or otherwise, to administratively control a computer. This means executing files, accessing logs, monitoring user activity, and even changing the computer’s configuration. Therefore, in the strictest sense, even versions of VNC are rootkits. This surprises most people, as they consider rootkits to be solely malware, but in of themselves they aren’t malicious at all.

One famous (or infamous, depending on your viewpoint) example of rootkit use was Sony BMG’s attempt to prevent copyright violations. Sony BMG didn’t tell anyone that it placed DRM software on home computers when certain CDs were played. On a scary note, the rootkit hiding technique Sony used was so good not one antivirus or anti-spyware application detected it.

#3: How do rootkits propagate?

Rootkits can’t propagate by themselves, and that fact has precipitated a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: a dropper, loader, and rootkit.

The dropper is the code that gets the rootkit’s installation started. Activating the dropper program usually entails human intervention, such as clicking on a malicious e-mail link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.

Blended threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. Here are two examples of some current and successful exploits:

IM. One approach requires computers with IM installed (not that much of a stretch). If the appropriate blended threat gains a foothold on just one computer using IM, it takes over the IM client, sending out messages containing malicious links to everyone on the contact list. When the recipient clicks on the link (social engineering, as it’s from a friend), that computer becomes infected and has a rootkit on it as well.

Rich content. The newest approach is to insert the blended threat malware into rich-content files, such as PDF documents. Just opening a malicious PDF file will execute the dropper code, and it’s all over.

#4: User-mode rootkits

There are several types of rootkits, but we’ll start with the simplest one. User-mode rootkits run on a computer with administrative privileges. This allows user-mode rootkits to alter security and hide processes, files, system drivers, network ports, and even system services. User-mode rootkits remain installed on the infected computer by copying required files to the computer’s hard drive, automatically launching with every system boot.

Sadly, user-mode rootkits are the only type that antivirus or anti-spyware applications even have a chance of detecting. One example of a user-mode rootkit is Hacker Defender. It’s an old rootkit, but it has an illustrious history. If you read the link about Hacker Defender, you will learn about Mark Russinovich, his rootkit detection tool called Rootkit Revealer, and his cat-and-mouse struggle with the developer of Hacker Defender.

#5: Kernel-mode rootkit

Malware developers are a savvy bunch. Realizing that rootkits running in user-mode can be found by rootkit detection software running in kernel-mode, they developed kernel-mode rootkits, placing the rootkit on the same level as the operating system and rootkit detection software. Simply put, the OS can no longer be trusted. One kernel-mode rootkit that’s getting lots of attention is the Da IOS rootkit, developed by Sebastian Muniz and aimed at Cisco’s IOS operating system.

Instability is the one downfall of a kernel-mode rootkit. If you notice that your computer is blue-screening for other than the normal reasons, it just might be a kernel-mode rootkit.

#6: User-mode/kernel-mode hybrid rootkit

Rootkit developers, wanting the best of both worlds, developed a hybrid rootkit that combines user-mode characteristics (easy to use and stable) with kernel-mode characteristics (stealthy). The hybrid approach is very successful and the most popular rootkit at this time.

#7: Firmware rootkits

Firmware rootkits are the next step in sophistication. This type of rootkit can be any of the other types with an added twist; the rootkit can hide in firmware when the computer is shut down. Restart the computer, and the rootkit reinstalls itself. The altered firmware could be anything from microprocessor code to PCI expansion card firmware. Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business. John Heasman has a great paper called “Implementing and Detecting a PCI Rootkit” (PDF).

#8: Virtual rootkits

Virtual rootkits are a fairly new and innovative approach. The virtual rootkit acts like a software implementation of hardware sets in a manner similar to that used by VMware. This technology has elicited a great deal of apprehension, as virtual rootkits are almost invisible. The Blue Pill is one example of this type of rootkit. To the best of my knowledge, researchers haven’t found virtual rootkits in the wild. Ironically, this is because virtual rootkits are complex and other types are working so well.

#9: Generic symptoms of rootkit infestation

Rootkits are frustrating. By design, it’s difficult to know if they are installed on a computer. Even experts have a hard time but hint that installed rootkits should get the same consideration as other possible reasons for any decrease in operating efficiency. Sorry for being vague, but that’s the nature of the beast. Here’s a list of noteworthy symptoms:

If the rootkit is working correctly, most of these symptoms aren’t going to be noticeable. By definition, good rootkits are stealthy. The last symptom (network slowdown) should be the one that raises a flag. Rootkits can’t hide traffic increases, especially if the computer is acting as a spam relay or participating in a DDoS attack.

#10: Polymorphism

I debated whether to include polymorphism as a topic, since it’s not specific to rootkits. But it’s amazing technology that makes rootkits difficult to find. Polymorphism techniques allow malware such as rootkits to rewrite core assembly code, which makes using antivirus/anti-spyware signature-based defenses useless. Polymorphism even gives behavioral-based (heuristic) defenses a great deal of trouble. The only hope of finding rootkits that use polymorphism is technology that looks deep into the operating system and then compares the results to a known good baseline of the system.

#11: Detection and removal

You all know the drill, but it’s worth repeating. Be sure to keep antivirus/anti-spyware software (and in fact, every software component of the computer) up to date. That will go a long way toward keeping malware away. Keeping everything current is hard, but a tool such as Secunia’s Vulnerability Scanning program can help.

Detection and removal depends on the sophistication of the rootkit. If the rootkit is of the user-mode variety, any one of the following rootkit removal tools will most likely work:

• F-Secure Blacklight
• RootkitRevealer
• Windows Malicious Software Removal Tool
• ProcessGuard
• Rootkit Hunter (Linux and BSD)

The problem with these tools is that you can’t be sure they’ve removed the rootkit. Albeit more labor-intensive, using a bootable CD, such as BartPE, with an antivirus scanner will increase the chances of detecting a rootkit, simply because rootkits can’t obscure their tracks when they aren’t running. I’m afraid that the only way to know for sure is to have a clean computer, take a baseline, and then use an application like Encase to check for any additional code.

Final thoughts

Opinions vary when it comes to rootkit removal, as discussed in the NetworkWorld article “Experts divided over rootkit detection and removal.” Although the article is two years old, the information is still relevant. There’s some hope, though: Intel’s Trusted Platform Module (TPM) has been cited as a possible solution to malware infestation. The problem with TPM is that it’s somewhat controversial. Besides, it will take years before sufficient numbers of computers have processors with TPM.

If you’re looking for additional information, I recommend the book ROOTKITS: Subverting the Windows Kernel, by Gary Hoglund and James Butler, of HPGary.