how malware prevents programs from running

In today’s battle with malware, I learned a couple of interesting new places in the registry to check:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Create a subkey under that key named after the executable you want to stop (the bare file name, e.g. limewire.exe; it matches any file with that name, whatever directory it lives in), then add a STRING (REG_SZ) value under the subkey named "Debugger". Whatever Debugger points at is what Windows actually launches, with the original command line appended, so setting it to cmd or some other relatively harmless executable means the application named by the subkey never starts. BAD MALWARE. NO COOKIE. Keep in mind that this is exactly the trick malware uses the other way round, to keep security tools from launching (and, pointed at cmd.exe for an accessibility binary such as sethc.exe, to plant a pre-login backdoor), so any Debugger value you didn't put there yourself deserves a close look.

Ironically, the same key is also quite useful for the GOOD guys keeping relatively clueless but persistent users from running things they really shouldn't, like notorious P2P clients. For extra points, create a file such as C:\null.cmd that does nothing but exit and use that as the "Debugger": they don't see anything happen at all, it just "doesn't work". This will probably frustrate them enough to desist, at least for a while... particularly given how used they probably are to the machine not working, if they're that persistently malwaring it up in the first place. Two caveats: the key lives under HKLM, so you need admin rights and the block applies to every user on the machine, and it keys on the file name only, so a renamed copy of the executable runs normally.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

This one is a list, not a single value: create a DisallowRun subkey under Policies\Explorer, add STRING values to it named "1", "2", "3", ... whose data is the bare executable name (limewire.exe), and set a DWORD value named DisallowRun to 1 on the Policies\Explorer key itself to switch the list on. It is the registry side of the "Don't run specified Windows applications" group policy (User Configuration > Administrative Templates > System), and it matches on file name, not on mutex. Only Explorer enforces it, so it stops double-clicks and Start-menu launches but not a program started from a command prompt or under another name; the IFEO trick above is the stronger of the two.
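The two mechanisms above, as an added PowerShell example that is not part of the original post: an audit of every IFEO Debugger entry (the check to run on a suspect box), a block/unblock pair using the do-nothing C:\null.cmd from the post, and a helper that maintains the numbered DisallowRun list. It assumes it is run as Administrator (IFEO is under HKLM) and uses limewire.exe as a stand-in for whatever you want to stop.

```powershell
# Added example, not from the original post. Run as Administrator.
# Assumptions: limewire.exe is a placeholder image name; C:\null.cmd is the
# do-nothing "debugger" the post suggests and is created if missing.
$Ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Audit: every image name that carries a Debugger value. A clean machine has
# very few; anything pointing at an odd path, or set for an AV, forensic or
# accessibility binary, is worth a second look.
function Get-IfeoDebuggers {
    Get-ChildItem -Path $Ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

# Block: Windows launches "<Debugger> <original command line>" instead of the
# image, so a debugger that just exits turns the launch into a no-op.
function Block-ImageViaIfeo {
    param([Parameter(Mandatory)][string]$Image, [string]$Debugger = 'C:\null.cmd')
    if (-not (Test-Path $Debugger)) { Set-Content -Path $Debugger -Value '@exit /b 0' }
    $key = Join-Path $Ifeo $Image
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Debugger -Value $Debugger -PropertyType String -Force | Out-Null
}

function Unblock-ImageViaIfeo {
    param([Parameter(Mandatory)][string]$Image)
    Remove-ItemProperty -Path (Join-Path $Ifeo $Image) -Name Debugger -ErrorAction SilentlyContinue
}

# DisallowRun: a DWORD switch on Policies\Explorer plus a DisallowRun subkey
# whose values are named "1", "2", ... and hold bare file names. Explorer is
# the only thing that honours it, so "cmd /c limewire.exe" still works.
function Add-DisallowedProgram {
    param([Parameter(Mandatory)][string]$Image)
    $list = Join-Path $Policies 'DisallowRun'
    New-Item -Path $list -Force | Out-Null
    Set-ItemProperty -Path $Policies -Name DisallowRun -Value 1 -Type DWord
    # Next free slot: highest numeric value name plus one.
    $nums = (Get-Item $list).GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ }
    $next = 1
    if ($nums) { $next = ($nums | Measure-Object -Maximum).Maximum + 1 }
    Set-ItemProperty -Path $list -Name "$next" -Value $Image -Type String
}

# Running the script as-is just prints the audit.
Get-IfeoDebuggers | Format-Table -AutoSize
```

Dot-source the file and call `Block-ImageViaIfeo -Image limewire.exe` or `Add-DisallowedProgram -Image limewire.exe`; the IFEO entry takes effect on the next launch, while Explorer may need a log-off or restart before it honours a new DisallowRun entry. Run the audit before and after cleaning a machine and diff the two lists.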

The More You Know…

setting locale to UTF-8 in Debian

If you have to deal with foreign languages and character sets (Cyrillic, Katakana, Hiragana, Kanji, etc.) you need a UTF-8 locale on your server. If you don't already have one, here's how you get it:

1. nano /etc/locale.gen (that is where Debian keeps the list; there is no /etc/default/locale.gen) and uncomment the line en_US.UTF-8 UTF-8 (assuming your default language should be English)
2. locale-gen
3. update-locale LANG=en_US.UTF-8 which writes LANG=en_US.UTF-8 to /etc/default/locale; PAM applies that file at login, so it covers every user's shell, not just bash. (Adding export LANG=en_US.UTF-8 to /etc/profile and /etc/bash.bashrc also works, but only for shells that source those files.)

The next time you log in (or start a fresh login shell with su - or sudo -i) you should see UTF-8 in effect:

me@box:~$ locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

And you’re done.
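The whole procedure as one idempotent script, added here as an example and not part of the original post. It assumes Debian or Ubuntu with the locales package installed and only changes the system when run as root with LOCALE_APPLY=1; otherwise it just defines the helper functions. The helper is the part worth keeping: `locale -a` prints the normalised name en_US.utf8, so a naive grep for en_US.UTF-8 reports the locale missing even after it has been generated.

```shell
#!/bin/sh
# Added example, not part of the original post: the locale procedure above as
# one idempotent script. Assumes Debian/Ubuntu with the `locales` package
# installed; run as root with LOCALE_APPLY=1 to actually change the system,
# otherwise only the helper functions are defined.
set -eu

LOCALE_NAME="${LOCALE_NAME:-en_US.UTF-8}"

# `locale -a` prints the normalised form (en_US.utf8: lower case, no hyphen),
# so compare names only after applying the same normalisation.
normalize_locale() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '-'
}

# $1 = newline-separated locale list (what `locale -a` prints), $2 = wanted
# locale. Succeeds (exit 0) if the locale is in the list.
locale_listed() {
    want=$(normalize_locale "$2")
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d '-' | grep -qxF -- "$want"
}

# Uncomment (or append) the line in /etc/locale.gen, which is where Debian
# keeps it (not /etc/default/locale.gen), build it, and record the default in
# /etc/default/locale, which PAM applies to every login.
ensure_utf8_locale() {
    if ! locale_listed "$(locale -a)" "$LOCALE_NAME"; then
        sed -i "s/^# *\($LOCALE_NAME UTF-8\)/\1/" /etc/locale.gen
        grep -qxF -- "$LOCALE_NAME UTF-8" /etc/locale.gen \
            || printf '%s UTF-8\n' "$LOCALE_NAME" >> /etc/locale.gen
        locale-gen
    fi
    update-locale LANG="$LOCALE_NAME"
    # Final check: the freshly built locale must now show up.
    locale_listed "$(locale -a)" "$LOCALE_NAME"
}

if [ "${LOCALE_APPLY:-0}" = 1 ]; then
    ensure_utf8_locale
    echo "$LOCALE_NAME is installed and set as the default; log in again to pick it up."
fi
```

Run it as `sudo LOCALE_APPLY=1 sh setup-locale.sh`; set LOCALE_NAME to another locale (ru_RU.UTF-8, ja_JP.UTF-8) to generate that one instead.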

RDP Client under Ubuntu

The built-in RDP clients in Ubuntu up to and including 10.04 LTS (Lucid Lynx) perform poorly. Among other things, Windows machines frequently generate events that cause the whole desktop to be redrawn roughly once a second; Windows' native RDP client doesn't redraw on them, but for some reason the Terminal Server Client and Remote Desktop Viewer in Ubuntu do, which makes controlling a Windows box with them a real hassle.

Fortunately, there's a solution: as of 11.04 (Natty Narwhal), Ubuntu is migrating to Remmina as its RDP and VNC client. Better yet, Remmina is already available in the repos for 10.04 Lucid Lynx:

me@box:~$ sudo apt-get update && sudo apt-get install remmina remmina-gnome

After installation you'll find Remmina in Applications > Internet. Be sure to turn on the performance features "enable bitmap caching" and "enable compression"; they make a big difference. Remmina also supports transferring sound (leave it off if you don't need it!), sharing local printers, and even sharing local drives. Pretty sweet. I haven't experimented with the sound, folder or printer sharing options, but the performance difference is night and day. One caveat on drive sharing: a redirected drive is readable and writable by anything running on the remote Windows box, so leave it off when you're connecting to a machine you're in the middle of cleaning up.

setting a mail smarthost in exim on a Cpanel box

Add a router block to /etc/exim.conf.local under the @ROUTERSTART@ marker, which cPanel splices into the start of the router chain when it rebuilds exim.conf, so that it is consulted ahead of cPanel's own dnslookup router:

@ROUTERSTART@
smart_route:
  driver = manualroute
  domains = !+local_domains
  transport = remote_smtp
  route_list = * host.name.of.smart.host.server

then run the scripts to update configuration and restart exim:

root@box:~# /scripts/buildeximconf
root@box:~# /scripts/restartsrv_exim

To confirm, ask exim how it would route an outside address: exim -bt someone@example.com should name smart_route as the router and remote_smtp as the transport, with your smarthost as the host. Remember that the smarthost has to accept relay from this server's IP address (or you need an SMTP authenticator, which this snippet does not set up), or every outbound message will bounce with a relay-denied error. You're done.

Using APC cache on Magento 1.4

First, of course make sure APC is installed. On Debian or a Debian-derived system (like Ubuntu), you can do this with sudo apt-get install php-apc. Once you’ve got APC installed and working, add the following snippet to app/etc/local.xml under your Magento site, in between the <global> and </global> tags:

<global>
        ...
        <cache>
            <backend>apc</backend>
            <prefix>SOMETHINGUNIQUE_</prefix>
        </cache>
        ...
</global>

"SOMETHINGUNIQUE" should be just what it says: something unique to the site you're caching. APC's user cache is one shared memory segment for every PHP site the same server process serves, and the prefix is the only thing that tells one Magento install's entries apart from another's. Two sites with the same prefix will read and overwrite each other's cached configuration and layout, and you will have serious, confusing problems later. I recommend using your domain name without the periods: if your site is mystore.com, your prefix would be MYSTORE_ in the snippet above. Note that the prefix only avoids collisions; it is not a security boundary, so sites that shouldn't be able to read one another's cache belong in separate PHP processes (separate php-fpm pools, for instance).

Make sure caching is enabled under System > Cache Management, then flush the cache storage so the entries are rebuilt in APC. You're done.

When Outlook stops getting new IMAP mail

The problem is almost certainly that its local cache is corrupt, which happens disturbingly often. The easiest fix is to close Outlook, delete the local cache, then start Outlook again. The good news is that it works and your new mail starts showing up; the bad news is, of course, that it starts synchronizing /everything/ again.

Stick this command in a batch file and users can simply double-click it to fix the issue (the path below is the Windows XP layout; on Vista and later the folder is %LocalAppData%\Microsoft\Outlook). Just remember to tell them to CLOSE OUTLOOK FIRST! =) Also warn them that anything stored only in the local cache goes with it: in older Outlook versions the Drafts and Sent Items of an IMAP account live in that local .pst unless they have been mapped to server folders.

del "%UserProfile%\Local Settings\Application Data\Microsoft\Outlook\*IMAP*-0*.pst"
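A slightly safer version of the same fix, added here as an example rather than taken from the original post: it refuses to run while Outlook is open, handles both the XP and the Vista-and-later profile layout, and moves the cache files aside instead of deleting them so they can be put back if something was only stored locally. It assumes the *IMAP*-0*.pst file-name pattern from the post.

```powershell
# Added example, not the original post's one-liner.
# Assumption: the cache files match the "*IMAP*-0*.pst" pattern from the post.

# Outlook holds the .pst open; touching it while it runs corrupts it further.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Error 'Close Outlook first, then run this again.'
    exit 1
}

# Vista and later define LOCALAPPDATA; XP uses the "Local Settings" path.
$cache = if ($env:LOCALAPPDATA) {
    Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'
} else {
    Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Outlook'
}

$files = Get-ChildItem -Path $cache -Filter '*IMAP*-0*.pst' -ErrorAction SilentlyContinue
if (-not $files) {
    Write-Host "No IMAP cache files found under $cache."
    exit 2
}

# Move rather than delete, so locally-only items (drafts, sent mail) can be
# recovered from the backup folder by opening the old .pst in Outlook.
$backup = Join-Path $cache ('imap-cache-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
$files | Move-Item -Destination $backup

Write-Host "Moved $($files.Count) file(s) to $backup. Start Outlook; it will resync the mailbox."
exit 0
```

For a double-clickable fix keep a one-line batch wrapper, powershell -ExecutionPolicy Bypass -File fix-imap-cache.ps1, next to the script, since .ps1 files don't run on double-click by default. Once the user confirms mail is flowing and nothing is missing, the backup folder can be deleted.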