Security in Windows 98



Kerio 2.1.5 is also available at OldVersion.

Regarding "why Windows XP is bad", IMO, most of that article is quite true. If you follow the evolution of Windows, since Win95 at least, every "improvement" or increase in functionality has come at the expense of user choice and control. With WinME, users couldn't boot into pure DOS (what the paper calls real mode) without a 98 boot disk. With the release of the NT systems, DOS was taken away. DOS was claimed to be obsolete and nearly useless, primarily by the self-proclaimed experts who don't understand the value of the command line and the need to be able to access system files and components without interference from Windows. From a security standpoint, this is a disastrous move. Think in terms of rootkits. On the NT based systems, the only sure way to know you've removed all traces of a rootkit is to boot with a tool like Bart's PE and examine the file system independent of interference from Windows. On 9x, a simple boot into true DOS mode did that.

With the NTFS file system also came the ability to conceal files, processes, and registry entries from the operating system and most conventional tools that ran under windows. This was supposed to be a security improvement. While the NT systems do a better job at limiting what can be accessed from individual user accounts, this "security improvement" is also the primary reason for the existence of botnets, most of which are XP units compromised by rootkits that take advantage of this "improved security". If viewed solely from a security perspective, was this an improvement? I don't see it.

In addition to the security implications, there are also privacy concerns here. With the DOS based systems, user activities were kept in index.dat files, hidden history, file and cookie folders, and an applog folder. With the exception of the index.dat files, all these could be accessed in DOS mode. Even the index.dat files could be regularly deleted with a simple batch file that ran at bootup. With each new NT based system released, more user activity records were kept and they're more difficult to get rid of. There are more places to hide them. Look up alternate data streams and narrow your search to data concealment. This was impossible on DOS based systems.

If these aren't enough to make you question the motives behind the entire file system, enter Vista and its kernel patch protection. It already takes specialized rootkit tools to detect what is running at a kernel level in XP, tools that are beyond the average user's ability to use. This has made it necessary for security software vendors to code their apps to work at the kernel level in order to detect and defeat malware running that deep in the OS. With Vista, Microsoft has locked these security vendors out of the kernel, save for a limited set of APIs. In theory, locking everything else out of the kernel would be good from a security perspective, although very questionable from a privacy standpoint, especially given M$'s track record of storing as much user activity data as possible. The problem is the kernel isn't locked. It's already been proven it can be compromised with just a bit more work than it takes on XP. It's only locked in a legal sense. In order to gain the access needed to monitor and protect the kernel, vendors need to hack it with methods M$ doesn't allow, with potential legal ramifications for that vendor. That "legal lock" isn't going to stop a malware writer. The end result can only be an OS that's controlled by anyone except a law-abiding user.

Why would M$ lock security software and users out of the kernel when they know they can't truly protect it? Enter DRM, digital rights management, a privacy and security nightmare whose sole purpose is to make sure you've paid those few bucks to an already filthy rich entertainment industry for that piece of music or video you want to view. In order to prevent a user from defeating DRM, it has to run as deep in the OS as possible. The entire concept of DRM would not be possible on operating systems like 98, where true DOS, or "real mode" as the article called it, could be used to defeat it.

Something more to think about. If you and security vendors are legally locked out of the kernel, is it a criminal act to gain sufficient access to actually secure it, or to remove the malware that will be running there soon enough? You know it'll be there. Microsoft can't effectively secure the box Windows comes in, let alone the OS. With DRM running at a kernel level, what are the legal ramifications here, considering that file sharing has been equated with terrorism and organized crime? Those of us who have been fighting malware for years, is this legally tying our hands? If, while trying to remove a rootkit from Vista, you find an unknown process running there, is revealing that information proof that you've committed a criminal act? This is a potential legal nightmare. Given the present political climate, would you rule out something more running there at some point in time, installed via an update process over which you'll have no control? I've already told my clients that they're on their own if they go to Vista. I won't work on it.

If that's not sufficient motive, how about M$'s own anti-piracy solutions, or WGA, which should stand for Windows Grievous Aggravation? Their sole purpose is to make sure they've got your money. A computer is a tool. Name one other tool that regularly demands you prove you own it before you can use it. I can't understand anyone tolerating this treatment when alternatives are available.

The article's point about services is basically true as well. Try to close all the ports on an XP box without running a firewall. It's not hard on 98. Having all the unnecessary services on XP running by default is one of several reasons so many XP units are regularly compromised. If there's any improved security designed into the NT file system, and one has to ignore rootkits to even think that, it's more than offset by the sheer number of open access points.

The article's statement about XP being a lightning rod for attacks is true as well. The sheer number of security patches proves that. 98 didn't need a weekly patch day. Here are a few more examples. Remember the .wmf exploit? Quoted from SANS on 1/7/2006, shortly after the discovery of the exploit:

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.

I have several variants of that exploit and can't force any of them to run on a 98 box. The recent .ani exploit can run code on XP. So far, the worst I've been able to get it to do on 98 is crash explorer, which restarts.

In addition to the NT file system and open ports, one of the problems with XP, and soon enough with Vista, is the sheer amount of code. It's simple math, the more code, the more potential for flaws and weak points that can be exploited. Consider Vista from that point alone.

I have to agree with the article. XP is bad news. Vista will be a nightmare. I've often wondered how M$ can produce code with so many vulnerabilities. Doesn't anyone double check anything? At times I think XP is deliberately designed to be vulnerable, made easily accessible to the powers that be. I can't prove it one way or another, just a suspicion based on observation and the M$ track record of collecting data and taking user control. Maybe the malware writers are doing us a favor by pounding that point home. I've come to the conclusion that XP and especially Vista are nothing more than spyware disguised as operating systems.

Rick
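The post above points at NTFS alternate data streams as a place where content can be concealed from ordinary directory listings. As an added example (not from this thread or its author), the PowerShell below walks a directory tree and reports every stream other than the default `:$DATA`, which is the check a defender would run to surface such content; the starting path is an assumption.

```powershell
# Added example: enumerate NTFS alternate data streams under a path.
# Requires PowerShell 3.0 or later (the -Stream parameter on Get-Item).
# Only the unnamed ':$DATA' stream is expected on a normal file.
param(
    [string]$Root = 'C:\Users\Public'   # assumed starting point; adjust as needed
)

$findings = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * yields one record per stream, including the default data stream
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }

# Largest hidden streams first: a few bytes of browser metadata is routine,
# a stream the size of an executable on an unrelated file is not.
$findings | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Zone.Identifier streams written by browsers and mail clients are expected; inspect anything else with `Get-Content -LiteralPath <file> -Stream <name>` before deciding it is benign.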



I'd like to add a couple things. :)

On the NT based systems, the only sure way to know you've removed all traces of a rootkit is to boot with a tool like Barts PE and examine the file system independent of interference from Windows. On 9x, a simple boot into true DOS mode did that.

Not if the rootkit is part of the Master Boot Record.

With the DOS based systems, user activities were kept in index.dat files, hidden history, file and cookie folders, and an applog folder.

This is part of the integrated IE webby desktop that ships with Win98 and with IE4. Without it, this 'logging' doesn't exist.


So if I am running DOS mode as a security choice for repairing the system (I have done it for some time), how many possibilities does it offer if I need to repair the system or contact a friend for help (DOS-based applications):

Arachne Web Browser - a rather old application which can browse in a graphics-based environment. Quite useful but quite obsolete - it is comparable with IE 3.0. No frames, no Flash.

http://www.arachne.cz/

Toffee - IRC client for DOS. I tried it without any limitations, except that it is a text-mode and single-tasking app.

http://www.rowan.sensation.net.au/programs.html

At this point I want to ask about the "GDI Exploit" and whether the following applications can prevent its usage, then how safe the DOS environment can be, since the only protection is offered by hardware (as far as I know), and the last thing - is there any antivirus able to run from the DOS environment, and is it still updated?

I know about various solutions - antivirus booting from CD, but I am looking for a pure DOS application - if there is any.

Here is the latest Arachne and some other apps:

http://www.cisnet.com/glennmcc/arachne/

Edited by Offler

Here are some antivirus products for DOS:

F-prot Antivirus for DOS

http://www.f-prot.com/products/home_use/dos/

Avast Antivirus for DOS

http://www.avast.com/eng/avast_77_for_dos.html

However, I don't think you really need an AV in DOS; somehow I think it is unlikely you're going to get the Waterfall virus or anything. After all, who is going to write a new virus to attack your DOS box?

What about the browser Lynx? Text-based internet should work fine.

About Arachne, would you really want Flash in DOS? Are you going to load a sound driver in DOS?


Kerio 2.1.5 is also available at OldVersion.

<snip>

Why would M$ lock security software and users out of the kernel when they know they can't truly protect it? Enter DRM, digital rights management, a privacy and security nightmare whose sole purpose is to make sure you've paid those few bucks to an already filthy rich entertainment industry for that piece of music or video you want to view. In order to prevent a user from defeating DRM, it has to run as deep in the OS as possible. The entire concept of DRM would not be possible on operating systems like 98, where true DOS, or "real mode" as the article called it, could be used to defeat it.

Something more to think about. If you and security vendors are legally locked out of the kernel, is it a criminal act to gain sufficient access to actually secure it, or to remove the malware that will be running there soon enough? You know it'll be there. Microsoft can't effectively secure the box Windows comes in, let alone the OS. With DRM running at a kernel level, what are the legal ramifications here, considering that file sharing has been equated with terrorism and organized crime? Those of us who have been fighting malware for years, is this legally tying our hands? If, while trying to remove a rootkit from Vista, you find an unknown process running there, is revealing that information proof that you've committed a criminal act? This is a potential legal nightmare. Given the present political climate, would you rule out something more running there at some point in time, installed via an update process over which you'll have no control? I've already told my clients that they're on their own if they go to Vista. I won't work on it.

If that's not sufficient motive, how about M$'s own anti-piracy solutions, or WGA, which should stand for Windows Grievous Aggravation? Their sole purpose is to make sure they've got your money. A computer is a tool. Name one other tool that regularly demands you prove you own it before you can use it. I can't understand anyone tolerating this treatment when alternatives are available.

<snip>

In addition to the NT file system and open ports, one of the problems with XP, and soon enough with Vista, is the sheer amount of code. It's simple math, the more code, the more potential for flaws and weak points that can be exploited. Consider Vista from that point alone.

I have to agree with the article. XP is bad news. Vista will be a nightmare. I've often wondered how M$ can produce code with so many vulnerabilities. Doesn't anyone double check anything? At times I think XP is deliberately designed to be vulnerable, made easily accessible to the powers that be. I can't prove it one way or another, just a suspicion based on observation and the M$ track record of collecting data and taking user control. Maybe the malware writers are doing us a favor by pounding that point home. I've come to the conclusion that XP and especially Vista are nothing more than spyware disguised as operating systems.

Rick

In light of your comments, I thought you might be interested in this snippet: The NSA has said that "it has helped in the development of the security of Microsoft's new operating system", in order, it is said, "to protect it from worms, Trojan horses and other insidious computer attackers."

What *precisely* they did is not told to us.

Article here: http://www.washingtonpost.com/wp-dyn/conte...7010801352.html


That's a scary thought. I wouldn't put it past them to eventually install surveillance-ware in a legally locked kernel via Windows Update. What really surprised me is that they've "helped" with some Linux flavors as well. The article mentions Novell, but I wonder how many other flavors this affects and what versions, files, etc.

Since it's been demonstrated that Vista's kernel can be compromised, one or more of these 3 applies.

  1. Their "contribution" is ineffective or insufficient.
  2. It has not yet been implemented.
  3. It serves another purpose entirely.

If I had to bet on it, I'd bet on 2 and 3 applying equally.

As far as Windows is concerned, I can't bring myself to trust anything newer than 98. After hearing that they've had their hands in Linux, it becomes difficult to know what would be a trustworthy alternative. For now, it's 98 for me, and an old Knoppix live CD.

Rick


Well I use:

All Windows 98SE updates, unofficial/official

MDGx's HOSTS file

Domain Blocklist

Kerio Personal Firewall v2.1.5 32-bit

I used to have McAfee but I don't have my disk any more.

All I need now is an up-to-date virus scanner, because I extract my files and then scan them before I install them.

I'm thinking of NOD32 or McAfee; I'll just have to buy another disk.

And this should secure your computer well; at least it does mine.


to Awergh:

I want to use DOS-based apps as an alternative environment in case of emergency when the system fails for any reason. Also I want to use it as a safe place to begin system recovery. I was able to clear the system of a virus infection some months ago, simply by finding files which are not part of the system (they are too new), and then I used scanreg to return the registries.

The system was completely cured manually in 10-15 minutes after the initial symptoms, but I am still looking for a tool which can make a virus test in DOS mode to prove that all malicious files are deleted. Also, in DOS mode most infected files are not running or required by the system, so their removal is easier.

I like Arachne because its way of displaying web pages is quite compatible with today's standards, and as I have heard it is still being developed. Also I have DOS drivers for most devices which I use: sound driver, LAN card driver, and I also found a driver for my TV tuner.


to Awergh:

I want to use DOS-based apps as an alternative environment in case of emergency when the system fails for any reason. Also I want to use it as a safe place to begin system recovery. I was able to clear the system of a virus infection some months ago, simply by finding files which are not part of the system (they are too new), and then I used scanreg to return the registries.

The system was completely cured manually in 10-15 minutes after the initial symptoms, but I am still looking for a tool which can make a virus test in DOS mode to prove that all malicious files are deleted. Also, in DOS mode most infected files are not running or required by the system, so their removal is easier.

I like Arachne because its way of displaying web pages is quite compatible with today's standards, and as I have heard it is still being developed. Also I have DOS drivers for most devices which I use: sound driver, LAN card driver, and I also found a driver for my TV tuner.

Install Mindows onto a CD-ROM disc, using subst.exe w: c:\cdrom in your autoexec.bat after creating the cdrom directory. After the initial setup stage, where it reboots for device detection, drop to the DOS prompt from F8, ren setupx.dll to setupx.bak, then type win. It will moan and groan about this file missing, but install will complete. What you have here is a barebones Win9x CD which will boot on any machine to do any repairs you might wish to. The methods of creating a bootable read-only Win9x CD-ROM are all over the internet. It can even fit onto a CD business card if you so desire. One method I use to revert back to a PC in a state I am happy with is to simply copy over the contents of the Windows folder, ignoring the swap file, to another folder called, for example, zindows; this can be RARed if you want to reduce its chances of being compromised. If at any time I wish to revert back to the original state I can, either in DOS or from the Mindows CD, ren windows to delete, then ren zindows windows, unRARing if needs be, and I am back where I wanted to be within seconds without having to search for added files or remove an application I am not happy with. Secure your important data with PGP and I think you are good to go.


to Oscardog:

I have several system backups - that is not a problem. The real problem is if I am unable to reach some valuable data in a short time, even if the system is not repaired yet. If the problem is hard to detect, the quickest way to reach it is to use DOS with a set of apps able to copy and view it and eventually send it through the internet.


to Oscardog:

I have several system backups - that is not a problem. The real problem is if I am unable to reach some valuable data in a short time, even if the system is not repaired yet. If the problem is hard to detect, the quickest way to reach it is to use DOS with a set of apps able to copy and view it and eventually send it through the internet.

My analogy was more pointing to an instant system restore, LFN/internet and driver-friendly scenario with a GUI, making detection of any problems other than hardware unnecessary.


to Oscardog: I shall take a look at it.

A few days ago I met strange behaviour from newer viruses. I clicked an infected link and my system was attacked by some trojans. In the attempt to run themselves, the viruses failed to run (program performed illegal operation). :)

The viruses just crashed. :)

Has any of you met this behaviour, caused by lower compatibility with mainstream systems?
