FanJ
August 12th, 2002, 07:06 PM
We were talking in this thread about SockLock and the CRC32-feature in TDS-3:
http://www.wilderssecurity.com/showthread.php?t=2872
You can find SockLock here:
http://www.nsclean.com/socklock.html
Info about SockLock from that website:
[hr]
Privacy Software Corporation is giving this program away at no charge because of the extremely widespread nature of a trojan horse which originally appeared as the "SKA Trojan." It has reemerged under the name "Happy99.exe" and owing to publicity and awareness, is now appearing under a number of other names. Antivirus software does not protect against this trojan and variants because of its extremely unique design as well as the fact that it changes the Microsoft winsock the instant it is started. There's no time to stop it from activating. We created this special protection utility as part of our continuing commitment to our BOClean customers and consider this particular trojan to be especially dangerous because it modifies the winsock, the prime building block of connecting Windows machines to the internet. While the trojan itself is minor in comparison to others, it can damage your system ESPECIALLY if you're running Windows98. We've heard horror stories from a number of people about having their machine require a trip to the repair shop after this trojan has been delivered to them. The Happy99 trojan is rampant with reports of hundreds of new victims every day. That was our motivation.
For the first time, a trojan horse is capable of MODIFYING your windows dialup networking (winsock) to include the trojan within Microsoft's own internet code, placing the trojan INSIDE the winsock itself. This is unprecedented. Happy99 and the SKA class of trojans will send an email containing the trojan to each person you send an email to or when you post to usenet newsgroups using YOUR email address as the sender. Those who get infested by this trojan horse will blame *YOU* for giving it to them even though you may have no idea it's on your system. You won't even be warned that this trojan horse is on your system unless you use our BOClean product. Anti-virus software cannot remove it even if it happens to detect it at some point in the future. Once you've been infested with "Happy99" or any of the other SKA variants, your system is hosed and may require a trip to the repair shop to function again unless you know how to recover your winsock from your install disks and also remove the additional files the trojan installs.
This SockLock product, if used BEFORE you fall victim to Happy99 or other SKA class trojan attack will protect you from infestations by this trojan horse. You can actually download and enjoy the fireworks display presented by the Happy99 trojan without any risk of infestation or spreading the trojan further to other hapless victims as SockLock PREVENTS any SKA class Winsock infesting trojan from being able to do anything more than display the cute distraction. They CANNOT infest your machine (or anyone else's) if SockLock has been used to lock your winsock against modification. SockLock also creates two 72 byte files which prevent SKA class trojans from being able to install at all on your machine once you activate the protection using SockLock.
How do I use SockLock?
SockLock is designed to automatically seal off access to your winsock files by using the same code Microsoft developed to prevent Internet Explorer users from deleting the records kept of internet activities for users of Internet Explorer. By locking down the winsock, SockLock prevents deletion or modification of the winsock. Locking your winsock with SockLock will not affect your system in any way and only uses a total of 144 bytes of hard disk space to protect you. Your winsock and dialup networking continue to operate normally but the files cannot be modified by external forces.
To secure your winsock, all you need to do is press the button marked "Protect winsock with SockLock" and SockLock will adjust the winsock's file attributes as well as place a system lock on the file(s). Thereafter, no program or user can delete, modify or change the winsock. The remove button capability was provided solely for those who might suspect a problem and want to disable SockLock until the actual problem (if any) is discovered. SockLock can be deleted once your system has been protected or you can keep it if you have any concerns about SockLock locking down your winsock. SockLock does not interfere in any way with your connection and does not do anything beyond locking the file so it cannot be overwritten, modified or deleted by external forces. SockLock is completely passive once it's protected you.
Will SockLock protect me against other trojans?
Sadly, the answer is NO ... SockLock was designed to eradicate the threat of a particularly dastardly trojan and only protects ONE very serious avenue of invasion. If you've already fallen victim to the "Happy99" trojan or similar, SockLock has been applied too late. This software is designed to be installed *BEFORE* you've been nailed by Happy99 or similar and already have a "clean" system you wish to protect.
If you truly want to protect yourself against trojan horses, even anti-virus software is of no help. You need to arm yourself with our BOClean software which is designed to detect and defeat trojan horses IMMEDIATELY before they can grab a foothold on your system. Even with the use of BOClean, we strongly recommend the use of SockLock to prevent winsock-infesting trojans from being capable of grabbing any foothold at all. SockLock exists solely because the "SKA" class of trojans is so extremely dangerous that NO other protection means can be effective other than protecting the winsock itself.
Will SockLock interfere with other programs or upgrades?
NO ... not at all. SockLock sets the file attributes for the winsock to hidden, system, read-only and then applies a file share lock on it. When SKA class trojans encounter a locked winsock, they will then write an SKA.EXE and SKA.DLL file in hopes of being able to force windows to modify the winsock on the next bootup. SockLock creates bogus SKA.EXE and SKA.DLL files which actually contain a single line of text as a file marker and then applies locks to those "bogus" files to prevent them from being replaced by the trojan's own files. Now how could we charge for so simple a solution?
You can use SockLock to turn on protection and keep it, or you can delete it once you've used it and if you ever want another copy in the future to turn off the locks, you can always come back and grab another copy. SockLock will not interfere with reloading windows if you ever need or want to.
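The quoted text describes 72-byte read-only placeholder files named SKA.EXE and SKA.DLL. The following audit check is an added example, not part of the original post or of SockLock itself: it tells such a placeholder apart from a real executable that has taken its name. The directory to inspect is a parameter because the quoted text does not say where the files live; the "MZ" header test and the marker text used in the demo are assumptions of this example.

```python
import os
import stat
import tempfile

DECOY_NAMES = ("SKA.EXE", "SKA.DLL")  # names taken from the quoted SockLock text
DECOY_SIZE = 72                        # "two 72 byte files" per the quoted text


def classify_decoy(path):
    """Return 'missing', 'executable', 'unexpected' or 'placeholder'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    with open(path, "rb") as fh:
        head = fh.read(2)
    if head == b"MZ":                  # DOS/PE header: real EXE or DLL content
        return "executable"
    if st.st_size != DECOY_SIZE:
        return "unexpected"
    # Windows exposes DOS attributes; elsewhere fall back to the write bits.
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        read_only = bool(attrs & stat.FILE_ATTRIBUTE_READONLY)
    else:
        write_bits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
        read_only = not (st.st_mode & write_bits)
    return "placeholder" if read_only else "unexpected"


def audit(directory):
    """Classify each expected placeholder file in the given directory."""
    return {n: classify_decoy(os.path.join(directory, n)) for n in DECOY_NAMES}


def demo():
    """Build constructed sample files in a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "SKA.EXE")
        with open(good, "wb") as fh:   # constructed one-line marker, 72 bytes
            fh.write(b"constructed marker line".ljust(DECOY_SIZE, b"."))
        os.chmod(good, stat.S_IREAD)
        with open(os.path.join(d, "SKA.DLL"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 64)  # constructed stand-in for a binary
        result = audit(d)
        os.chmod(good, stat.S_IREAD | stat.S_IWRITE)  # let cleanup succeed
        return result
```

An "executable" or "unexpected" result means the file under that name is not the placeholder the text describes and should be examined before the protection is trusted.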