Wednesday, March 19, 2008

Crack = Virus?

People often worry so much about the legal side of using cracks that they completely ignore another side which is just as important: most crack-download websites are disguised lairs of viruses and other malware, targeting inexperienced users and the ones too lazy to have their antivirus scan the files :)

Most of the time you do get what you searched for, but just as often the files you get are trojans or come bundled with a whole bunch of other files which pose a great threat to your PC. This fact made me do some research, so I spent about an hour downloading cracks for basically any software I could think of. The results were quite shocking: my BitDefender would find a trojan or a virus in virtually every executable (you most likely won't get a worm that way, because that's not how worms spread).

Take a look at this picture
In this particular case it is a crack for "Need for Speed: Most Wanted". Now, which one of these files do you think is the actual crack? Is it crack.exe? Perhaps patch.exe? The answer is no: neither of these files is a crack, and this is a perfect example of social engineering, as an inexperienced user would just take crack.exe as the logical answer and simply ignore the others. If that is the case, then why are all the other files present? You may think that crack.exe alone is enough to do the job. Is it really? What if a user expects a crack that patches the program executable, in which case it would contain the word "patch" in its name, or what if the user actually expects a keygen? Now you're beginning to see the picture, aren't you? The malicious user who packed these files didn't actually know which software the victim wants to crack, so he compiled the package as an all-in-one solution: you have patch, crack, keygen, install, and even that neat runme.bat that will do all the work for you. How convenient :D

Don't fall for that. Always check the executable's file size (a crack should be similar in size to the original executable, though there are exceptions to this rule), and if you see several executable files in one package BE VERY CAREFUL. Also, if the files you downloaded have the default application icon, avoid them, because in 9 out of 10 cases they are up to no good. Bear in mind that none of these checks proves a file is clean; a file that passes all of them still deserves an antivirus scan before you run it.

Also bear in mind that because of the way some cracks work (patching another program's code, for example), your antivirus might flag them as trojans. Unfortunately it's very difficult to tell the difference between a real trojan and a crack, because most trojans actually do what the user expects them to do, but come with a hidden payload as well.

General guidelines:
  • a crack is in 99% of cases named exactly like the original executable
  • a crack and the original executable are often similar in size
  • cracks usually come with an .nfo file, which is basically a text file written by the group that cracked the app
  • there can also be a small executable which is a demo ("cracktro") made by the group that cracked the software
  • keygens are usually very small in size (10-100 KB, but there are exceptions)
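As an added example (not part of the original post), here is a small Python script that applies the checks above to a downloaded package: it counts executables, spots files whose content is a Windows PE image regardless of their extension, flags double extensions like photo.jpg.exe (a trick that goes beyond the case in the post), and shows the first bytes of any batch launcher. The sample package is constructed inside the script; its "executables" are just MZ/PE headers padded with zeros, not real programs. The size comparison against the original executable needs the original, so that check is left to you.

```python
"""Added example: triage a downloaded 'crack' package for the social-engineering
pattern described above. Not part of the original post; the sample files are
constructed here (the 'executables' are just MZ/PE headers, not real programs)."""
import os
import tempfile

# Extensions Windows will run on double-click (deliberately broad).
RUNNABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll", ".ocx", ".sys"}
# Extensions under which a PE image is expected; a PE with any other extension is disguised.
PE_EXTS = {".exe", ".dll", ".ocx", ".sys", ".scr", ".com"}


def is_pe(head: bytes) -> bool:
    """True if the data starts with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(directory: str) -> list:
    """Return human-readable findings for every suspicious sign in the package."""
    findings, executables = [], []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            head = f.read(4096)
        root, ext = os.path.splitext(name)
        ext = ext.lower()
        pe = is_pe(head)
        if pe or ext in RUNNABLE_EXTS:
            executables.append(name)
        if pe and ext not in PE_EXTS:
            shown = ext or "(none)"
            findings.append(f"{name}: PE executable hiding behind extension {shown}")
        if os.path.splitext(root)[1]:  # 'photo.jpg.exe'; version numbers ('v1.2.exe') also trip this
            findings.append(f"{name}: double extension")
        if ext in {".bat", ".cmd"}:
            findings.append(f"{name}: batch launcher, read it before running: {head[:60]!r}")
    if len(executables) > 1:
        findings.append(f"{len(executables)} executables in one package: {', '.join(executables)}")
    return findings


def fake_pe(size: int) -> bytes:
    """Constructed stand-in for an executable: MZ stub + PE signature, zero-padded to 'size' bytes."""
    img = bytearray(max(size, 0x44))
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x40).to_bytes(4, "little")
    img[0x40:0x44] = b"PE\x00\x00"
    return bytes(img)


def demo() -> list:
    """Build the all-in-one 'crack' package from the post (plus one hidden-extension file) and triage it."""
    d = tempfile.mkdtemp()
    sample = {
        "crack.exe": fake_pe(48_000),
        "patch.exe": fake_pe(48_000),
        "keygen.exe": fake_pe(48_000),
        "install.exe": fake_pe(48_000),
        "runme.bat": b"@echo off\r\ninstall.exe\r\ncrack.exe\r\n",
        "screenshot.jpg.exe": fake_pe(48_000),  # constructed extra: hidden-extension trick
        "release.nfo": b"cracked by nobody\r\n",
    }
    for name, data in sample.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return triage(d)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as-is to see the findings for the constructed package, or point `triage()` at a real download folder. The extension lists are a starting point, not a complete inventory of what Windows will execute.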
DISCLAIMER: I'm not a supporter of cracked software, but I'm not a supporter of malware either; and that's what made me write this post ;)

Monday, March 17, 2008

Try Firefox

Some of you may remember that damn annoying spyware called "Cool Web Search"; if you had it, you know what a pain in the ass it is (redirecting your homepage, trying to connect to the internet even if the PC was disconnected, and generally slowing the entire system down). I tried a whole dozen methods of removing it, but to no avail, because each time I started Internet Explorer I would get it again. Then I remembered an article in a PC magazine about Firefox, the new browser (for that time) that is far more secure than Internet Explorer. I immediately installed it... and have kept using it ever since :)

What's so special about Firefox, you might ask. Why can't a computer giant like Microsoft make its own web browser (Internet Explorer) more secure than some open-source one (Firefox)? Ever heard of ActiveX? That's a Microsoft-invented technology which lets native code components be embedded in Internet Explorer; it integrates Media Player with the browser, it is the basis of Windows Update, and it is used by a number of other things. The problem with this technology is that an ActiveX control is ordinary native code running with the full privileges of the logged-in user, so every bug in a control, and every control that a web page can talk into doing something unsafe, becomes a security hole in IE. Firefox, on the other hand, has no support for ActiveX and consequently doesn't share those vulnerabilities.
But it goes beyond that. Firefox was among the first browsers with an integrated popup blocker and support for tabbed browsing. On the technical side, its user interface is built in XUL and JavaScript (the rendering engine itself is C++), which is part of why it runs somewhat slower. Some other advantages of Firefox?
  • Open source
  • Supports a vast number of internet standards (will probably be the first one to support CSS3)
  • Highly extensible (add-ons are written in JavaScript, so they're easy to write, resulting in a great number of add-ons being available; note that an add-on runs with the full privileges of the browser, so install only ones you trust)
  • Highly portable (you can run Firefox on virtually every modern OS)
  • Automatic plugin search
  • It is really easy to optimize your website for it because of its open nature
Disadvantages? Well there are some:
  • Slower speed
  • Memory allocation problems (mostly fixed now, but in the past they were really unpleasant)
Convinced? Give it a try:
Download
Add-ons

Sunday, March 16, 2008

Virus, Trojan, Worm?

Common users mostly refer to any malicious computer program as a "virus", but it is important to know the difference between the three.

Why? Because they operate differently and are designed for different goals, so if you get infected by one of them you can prepare yourself for the possible outcome.

Virus
Spreads by running infected files, which then infect other files. Look here for a list of potentially dangerous file types. The damage can range from flashing the BIOS or trashing hard disk data to pranks and jokes. In all cases it can cause problems for the user beyond the intended ones (for example, when I was infected with the Jeffo virus, Winamp would spit out an error every time I closed it).

Trojan
You usually get these with cracks and other warez. They appear as legitimate executables (doing what the user expects them to do) but often come with a hidden payload, which can range from opening a backdoor to your computer (thus compromising security) and downloading viruses to logging the keys you press and sending those logs to the malicious user (imagine sending every password you type, or worse, credit card numbers). They are usually easy to remove manually (by simply deleting them) as they do not infect other files, although many also register themselves to start at boot, so check the autorun locations as well. They are hard to identify as malicious, though, because they look so innocent.

Worms
These usually target networks and network traffic, and they are also used as tools for performing DoS attacks. In the majority of cases they leave user files intact, but there are exceptions to this rule. They usually aren't targeted against average home users, but they are used to gain control of such systems and in turn use them to perform various attacks against bigger targets. Worms spread by exploiting security holes in network services or in the software you use (so you don't even need to run an infected file: an unpatched machine can be infected by an incoming connection, or by simply visiting a malicious website), and they usually require no action from the user to run.

Conclusion: if you have critical files on your hard drive, try your best to avoid viruses; if you have data on your hard drive which needs to be confidential, or you often pay by credit card online, stay away from trojans. Worms are harder to avoid: always have a firewall running (or some other form of protection, such as being behind a NAT router) and update your software to minimize security holes.

Wednesday, March 12, 2008

Potentially dangerous filetypes

First of all: why potentially? Because these file types are common on a typical system, and while some of you may already know this, not all file types can pose a threat to your system, and even those that can are usually clean (in fact the vast majority of them are needed for proper system operation). The file types that can potentially pose a threat to your system are the ones which contain executable code, or some metadata that involves the internet.

So you have two groups:
  1. System executable code
  2. Some scripting language code or metadata information
Group one: system executable code
File types in this group are the ones containing machine code; the system executes these at its lowest level by basically loading them into memory and jumping to the first instruction. These file types pose the greatest threat because they are limited only by the creativity of the malicious user who wrote them. There are basically three things a malicious program in this group can do to ensure it gets loaded every time:
  • Infect other files of the same type
  • Overwrite some system file which gets run every time with its own code
  • Install itself in some system folder under an obscure filename and use the system registry so that the OS runs it automatically on every boot
The first option is most commonly used by viruses and can be the most destructive. Here is how the infection gets done:
first the virus appends its own code to some executable file and redirects the file's entry point to that code. When the user runs such a file, the virus code runs first; some viruses then temporarily disinfect the file so that it runs normally and the user doesn't become suspicious, re-infecting it when the program exits, while others simply jump back to the original program's entry point. When you receive an infected file, it's enough just to run it and voilà, you're infected.
Please note that you can theoretically have an infected file sitting on your hard drive and not get yourself infected, but if and only if you don't run it. I delete such files with the DOS "del" command (usage "del ") and not from Windows, because I don't trust Windows when clicking on infected files. Note that in Win2000 and later, instead of DOS you have CMD, which emulates DOS.
The other two options are mostly used by worms and trojans because they're much simpler. You can easily remove them all by yourself if you can find them (first you need to kill their process, because Windows does not allow deleting program files which are currently running).
Most common extensions of files in this group are: .exe, .dll, .ocx, .sys, .bin, .vxd, .com

Group two: Scripting language code and metadata
Files in this group cannot be run on their own; they depend on another application to interpret their code, and as such they pose no threat when not opened in their associated application. Malicious files in this group either use the interpreter's legitimate capabilities (a script can do anything the user running it can do) or exploit a bug in the application that opens them.
The most common representatives of script files are JavaScript and Visual Basic Script. Embedded in HTML pages they run inside the web browser's sandbox (they're used to make websites more interactive), but a standalone .js or .vbs file double-clicked on Windows is run by Windows Script Host with no sandbox at all, which is how the mass-mailing e-mail worms of the early 2000s spread.
Other representatives of script files are MS Office macros, which, as you can already tell, can only harm you if you have MS Office installed. Don't assume the damage is limited to your Office documents, though: a VBA macro is a full programming language that can run any program and touch any file the user can, which is why recent Office versions disable macros in untrusted documents by default.

And lastly you have various metadata exploits within some popular media types (most commonly QuickTime, Windows Media Video and Windows Media Audio): these files can contain embedded links (for example the "license acquisition" URL in a DRM-protected ASF/WMA file) that automatically take you to some malicious website, or similar. Such files are generally spread across P2P networks.
For example, you search for "Billy Idol - White Wedding", which is a 3+ minute song, and among the results you get something like "Billy Idol - White Wedding 1.0 full crack" which is about 400 KB in size. Do not meddle with these; if you're suspicious of some file, prefer .mp3, whose ID3 tags carry no URL-launching or script features (the only remaining risk is a bug in the player's tag parser, which is far rarer).
Most common extensions of files in this group are: .js, .jar, .vbs, .qt, .mov, .wmv, .wma, .asf

Sunday, March 9, 2008

What is NAT

NAT stands for Network Address Translation. It is actually a service which your router performs for your local PCs.

Why does it do that? Because every computer must have its own IP address. Local addresses (the ones in your home network) are usually 192.168.1.X (where X can range from 1 to 254; .0 is the network address and .255 the broadcast address), and they all need to connect to the internet. How do they accomplish that? They connect to the gateway, which can be an actual PC or an ADSL modem configured in router mode, which is connected to the internet. Because you have only one line, you can have only one internet connection and consequently you get only one external IP address at a time. This is what the gateway is for.
It connects to the internet, gets its external IP address, and then relays traffic from all computers in the Local Area Network to the outside world (internet), rewriting the source address and port of every outgoing packet to its own and keeping a table so that replies can be sent back to the right PC. Because of this, they all appear to have the same IP address (when in fact this is actually the IP address of the gateway). Their real internal IP addresses are HIDDEN from the outside world; only the gateway knows about them and can access them. That's why you are fairly safe behind a router (which in this case also serves as a gateway): a packet arriving from the internet that doesn't match an existing entry in the translation table has nowhere to go and is dropped, so a malicious user cannot even see your PC, let alone connect to it (unless you forward some ports, or the router's UPnP lets a program open them for you, which is unlikely for beginners to do deliberately). Note that this only stops connections coming in; anything already running on your PC can connect out through the gateway freely.
In the diagram above you can see how IP addresses get distributed, as well as that the gateway has two IP addresses: one used in the Local Area Network so other PCs in the LAN can reach it, and an external one, assigned to it by the Internet Service Provider. The external IP address changes every time the gateway reconnects to the ISP (unless you are paying for a static IP address), while local IP addresses typically stay the same.
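Added example, not part of the original post: a toy Python model of the translation table the gateway keeps. The addresses and ports are constructed; real gateways also key entries on the remote address and expire them, which this model skips. It walks through the cases that matter: a PC's outgoing connection being rewritten, the reply finding its way back, an unsolicited probe from the internet being dropped, a forwarded port reaching a LAN host, and (the caveat) a program already on the LAN connecting out with nothing stopping it.

```python
"""Added example: a toy model of the translation table a NAT gateway keeps. Not the
page's own code; addresses and ports are constructed and the table is simplified
(real gateways also key on the remote address and time entries out)."""
from dataclasses import dataclass, field
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatGateway:
    lan_ip: str                                   # address LAN hosts use as their default gateway
    wan_ip: str                                   # address assigned by the ISP
    table: dict = field(default_factory=dict)     # (lan_ip, lan_port) -> public port
    reverse: dict = field(default_factory=dict)   # public port -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)  # static port forwards the owner configured
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the private source to the public address/port and remember it."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = key
        return Packet(self.wan_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: deliver only if a mapping or a port forward exists, else drop (None)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        target = self.reverse.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None  # nobody on the LAN asked for this: the host is invisible
        lan_ip, lan_port = target
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo() -> dict:
    """Replay the cases discussed above on a constructed home network."""
    gw = NatGateway(lan_ip="192.168.1.1", wan_ip="203.0.113.7")  # constructed addresses
    # 1. a PC browses a website: private 192.168.1.2:51000 leaves as 203.0.113.7:40000
    out = gw.outbound(Packet("192.168.1.2", 51000, "198.51.100.10", 80))
    # 2. the reply comes back to the public port and is mapped to the PC
    reply = gw.inbound(Packet("198.51.100.10", 80, out.src_ip, out.src_port))
    # 3. a scanner on the Internet probes the public IP: no mapping, dropped
    probe = gw.inbound(Packet("198.51.100.99", 4444, "203.0.113.7", 139))
    # 4. the owner forwards port 3389 to a PC: that PC is now reachable from outside
    gw.forwards[3389] = ("192.168.1.3", 3389)
    forwarded = gw.inbound(Packet("198.51.100.99", 4444, "203.0.113.7", 3389))
    # 5. a trojan already on the PC connects out: NAT translates it like any other connection
    phone_home = gw.outbound(Packet("192.168.1.2", 51001, "198.51.100.66", 6667))
    return {"out": out, "reply": reply, "probe": probe, "forwarded": forwarded, "phone_home": phone_home}


if __name__ == "__main__":
    for case, pkt in demo().items():
        print(f"{case:11s} {'dropped' if pkt is None else pkt}")
```

Case 3 is the whole "hidden behind the router" argument in one line: no table entry, no delivery. Cases 4 and 5 are why that is not the same thing as a firewall.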

Saturday, March 8, 2008

Do I need a firewall?

What is a firewall? A firewall is software (or a device) which blocks unwanted network connections to your PC from outside. Intruders are almost always malicious users who try to dig out some sensitive information from your PC (credit card numbers, important documents...).


Are you behind NAT (a router)? Because of the way NAT works, unsolicited connections from the internet never reach your PC, so for most home users a router gives you the main benefit of a firewall without installing anything. Two caveats: NAT does nothing about programs already on your PC connecting out (a trojan or the MSN worm phones home straight through it), and any port you forward (or that UPnP opens) is exposed exactly as if there were no router, so a software firewall that also watches outgoing connections is still worth having. If you are interested in how NAT exactly keeps you safe, take a look here

If your modem does not work in a router mode then you definitely need a firewall.

Unfortunately ZoneAlarm is no longer free for personal use, you can still download older versions of it which are free at: http://www.oldversion.com/program.php?n=zalarm

Alternatively you can use free comodo firewall which is also quite good.

How to remove adware and spyware for free?

Ok, first to explain a few things...
There's nothing bad about commercial anti-spyware tools, but this post will be focused only on free anti-spyware tools, because they can yield the same results as commercial tools, and it is definitely more fun and educational.
Here we go...

ingredients needed:
Process Explorer and HijackThis are only diagnostic tools, while Ad-Aware and Spybot S&D are the actual cleaning software...

Process Explorer - This is basically a more advanced Task Manager (you can open the default Windows Task Manager with Ctrl + Alt + Del). You can view all running processes on your PC and, more importantly, you can see their actual filenames. If you see something that you think shouldn't be running, or you're just curious about what does what, you can just google the filenames you see in the process list and get quick info (right-click on the process and choose "Google" from the menu that pops out); you can also find the physical location of the running file by right-clicking the desired process and choosing "Properties" from the menu. You can quickly and easily identify and kill malicious software running on your PC using that method.

HijackThis - While Process Explorer gives you control over programs running on your machine, HijackThis gives you control over services and applications that are set to run every time your PC starts. You can prevent almost anything from running that way, INCLUDING some Windows components, so be careful. This particular tool has saved my ass a few dozen times, and it's completely free... The easiest way to use it is to run it a few times and scan your system while it's in good shape, and after malicious software gets on your PC you just scan again and look for newcomers compared to your last list; that way you can easily prevent them from running the next time you start your PC (keep in mind that you will actually have to kill their process before removing them from this list, otherwise they will just add themselves to the list again; you can use Process Explorer to kill them).
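Added example, not part of the original post: the same "baseline when clean, compare later" idea done with nothing but Python and the output of Windows' `reg query` on the Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and its HKLM twin are the autostart locations HijackThis lists as O4 entries). Both listings below are constructed in the format reg query prints; the pictures.exe entry is an invented newcomer placed in the Temp folder, where no legitimate autostart program belongs.

```python
"""Added example: diff two 'reg query' listings of the Run keys, flagging entries
that appeared or changed since the clean baseline. Not the page's own code; both
listings are constructed and the pictures.exe entry is invented."""
import re

BASELINE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
"""

LATER = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    pictures    REG_SZ    C:\DOCUME~1\USER\LOCALS~1\Temp\pictures.exe
"""

# Directories a legitimate auto-start program has no business living in.
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")


def parse_run_keys(text: str) -> dict:
    """Return {(key, value_name): command} from 'reg query' style output.
    Key lines start in column 0; value lines are indented and split by runs of spaces."""
    entries, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and key:
            name, _type, value = parts
            entries[(key, name)] = value
    return entries


def newcomers(baseline_text: str, later_text: str) -> list:
    """Entries present (or changed) in the later listing but not in the baseline,
    as (short key\\name, command, note) tuples."""
    base, later = parse_run_keys(baseline_text), parse_run_keys(later_text)
    report = []
    for (key, name), value in later.items():
        label = key.rsplit("\\", 1)[-1] + "\\" + name
        if (key, name) not in base:
            note = "runs from a temp folder" if any(d in value.lower() for d in SUSPICIOUS_DIRS) else ""
            report.append((label, value, note))
        elif base[(key, name)] != value:
            report.append((label, value, "changed command"))
    return report


if __name__ == "__main__":
    for label, value, note in newcomers(BASELINE, LATER):
        print(f"NEW {label}: {value}  {note}")
```

On a real machine, save `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM key) to a file while the PC is clean, then feed the old and new files to `newcomers()`; kill the process first, as the paragraph says, or the entry just comes back.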

Spybot S&D & Ad-Aware - I will not describe each program separately because they both perform quite similarly.
These are automated cleaning tools and are among the very best anti-spyware products. There's not much to say about using them either. You install them, let them update from the net (they need definition updates, otherwise they soon become useless, just like antivirus software), and then you let them rip and shred the scum that lurks somewhere on your disk.
For the best cleaning success, always scan from Safe Mode when possible (malware that is not running cannot hide itself or put itself back). To enter Safe Mode you need to press F8 when Windows starts loading (or a little sooner) and then choose "Safe Mode" from the menu that pops up :)

MSN messenger worm(s)

Why did I choose to write about this worm? Simple. Because I'm tired of it... seriously, when you keep getting 2-4 new conversation windows every minute, and each of them spits out the infamous "Check out my pictures" message, you can either do something about it or uninstall Messenger.... permanently.

First to explain that "worm(s)" from the title:

Yes, unfortunately there are multiple mutations of this worm, and the infection spreads faster than ever because of naive and inexperienced PC users. Typically an infected computer sends messages and/or some file through MSN Messenger. You will get a message saying something like "hey check out these pics of mine", followed by a link or a file which the user can accept and download to his PC. Just decline the file and everything will be fine; if you already downloaded the file, DO NOT open it. A picture never needs to come as a .zip or .rar containing an .exe, and the message arrives from a friend's account precisely because that friend is infected, so "it came from someone I know" is no reason to trust it.

This is what happens when you run the .exe contained within this .zip (or .rar) file: a window will pop up and close instantly, and nothing else will appear to happen... unless you have antivirus software (which you should have), you will not be able to tell whether you are infected or not, but you will soon hear complaints from your friends on your MSN contact list about "that file" that you keep sending them on and on... bear in mind that you will not see the message the worm sends to your friends, so unless they tell you about it you will be completely clueless.

What can you do after you get infected? Simple: let the antivirus sweep your hard drive. PLEASE NOTE that your antivirus needs to be updated, and even then some antivirus software just seems to be unable to detect the goddamn thing; if this is the case with your antivirus software, it is time for a change. The currently tested antivirus which is guaranteed to remove the damn thing is Sophos Antivirus, which can be downloaded and evaluated for free (which is more than enough to remove the blasted thing); download it here

Now what is the real purpose of this worm, you may wonder? Well, obviously it's not just to annoy users; it would be quite harmless if it were only about that. But it doesn't stop there: what it really does is open a back door to your PC so that a malicious user can access the files on your hard drive.

Hopefully you will get something useful out of this post, and even a few infections prevented by it would make it worthwhile :)
