SockLock and some Integrity Checkers

Discussion in 'other security issues & news' started by FanJ, Aug 12, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    We were talking in this thread about SockLock and the CRC32-feature in TDS-3:

    http://www.wilderssecurity.com/showthread.php?t=2872

    You can find SockLock here:

    http://www.nsclean.com/socklock.html

    Info about SockLock from that website:

    [hr]

    Privacy Software Corporation is giving this program away at no charge because of the extremely widespread nature of a trojan horse which originally appeared as the "SKA Trojan." It has reemerged under the name "Happy99.exe" and owing to publicity and awareness, is now appearing under a number of other names. Antivirus software does not protect against this trojan and variants because of its extremely unique design as well as the fact that it changes the Microsoft winsock the instant it is started. There's no time to stop it from activating. We created this special protection utility as part of our continuing commitment to our BOClean customers and consider this particular trojan to be especially dangerous because it modifies the winsock, the prime building block of connecting Windows machines to the internet. While the trojan itself is minor in comparison to others, it can damage your system ESPECIALLY if you're running Windows98. We've heard horror stories from a number of people about having their machine require a trip to the repair shop after this trojan has been delivered to them. The Happy99 trojan is rampant with reports of hundreds of new victims every day. That was our motivation.

    For the first time, a trojan horse is capable of MODIFYING your windows dialup networking (winsock) to include the trojan within Microsoft's own internet code, placing the trojan INSIDE the winsock itself. This is unprecedented. Happy99 and the SKA class of trojans will send an email containing the trojan to each person you send an email to or when you post to usenet newsgroups using YOUR email address as the sender. Those who get infested by this trojan horse will blame *YOU* for giving it to them even though you may have no idea it's on your system. You won't even be warned that this trojan horse is on your system unless you use our BOClean product. Anti-virus software cannot remove it even if it happens to detect it at some point in the future. Once you've been infested with "Happy99" or any of the other SKA variants, your system is hosed and may require a trip to the repair shop to function again unless you know how to recover your winsock from your install disks and also remove the additional files the trojan installs.

    This SockLock product, if used BEFORE you fall victim to Happy99 or other SKA class trojan attack will protect you from infestations by this trojan horse. You can actually download and enjoy the fireworks display presented by the Happy99 trojan without any risk of infestation or spreading the trojan further to other hapless victims as SockLock PREVENTS any SKA class Winsock infesting trojan from being able to do anything more than display the cute distraction. They CANNOT infest your machine (or anyone else's) if SockLock has been used to lock your winsock against modification. SockLock also creates two 72 byte files which prevent SKA class trojans from being able to install at all on your machine once you activate the protection using SockLock.

    How do I use SockLock?

    SockLock is designed to automatically seal off access to your winsock files by using the same code Microsoft developed to prevent Internet Explorer users from deleting the records kept of internet activities for users of Internet Explorer. By locking down the winsock, SockLock prevents deletion or modification of the winsock. Locking your winsock with SockLock will not affect your system in any way and only uses a total of 144 bytes of hard disk space to protect you. Your winsock and dialup networking continues to operate normally but the files cannot be modified by external forces.

    To secure your winsock, all you need to do is press the button marked "Protect winsock with SockLock" and SockLock will adjust the winsock's file attributes as well as place a system lock on the file(s). Thereafter, no program or user can delete, modify or change the winsock. The remove button capability was provided solely for those who might suspect a problem and want to disable SockLock until the actual problem (if any) is discovered. SockLock can be deleted once your system has been protected or you can keep it if you have any concerns about SockLock locking down your winsock. SockLock does not interfere in any way with your connection and does not do anything beyond locking the file so it cannot be overwritten, modified or deleted by external forces. SockLock is completely passive once it's protected you.

    Will SockLock protect me against other trojans?

    Sadly, the answer is NO ... SockLock was designed to eradicate the threat of a particularly dastardly trojan and only protects ONE very serious avenue of invasion. If you've already fallen victim to the "Happy99" trojan or similar, SockLock has been applied too late. This software is designed to be installed *BEFORE* you've been nailed by Happy99 or similar and already have a "clean" system you wish to protect.

    If you truly want to protect yourself against trojan horses, even anti-virus software is of no help. You need to arm yourself with our BOClean software which is designed to detect and defeat trojan horses IMMEDIATELY before they can grab a foothold on your system. Even with the use of BOClean, we strongly recommend the use of SockLock to prevent winsock-infesting trojans from being capable of grabbing any foothold at all. SockLock exists solely because the "SKA" class of trojans is so extremely dangerous that NO other protection means can be effective other than protecting the winsock itself.

    Will SockLock interfere with other programs or upgrades?

    NO ... not at all. SockLock sets the file attributes for the winsock to hidden, system, read-only and then applies a file share lock on it. When SKA class trojans encounter a locked winsock, they will then write an SKA.EXE and SKA.DLL file in hopes of being able to force windows to modify the winsock on the next bootup. SockLock creates bogus SKA.EXE and SKA.DLL files which actually contain a single line of text as a file marker and then apply locks to those "bogus" files to prevent them from being replaced by the trojan's own files. Now how could we charge for so simple a solution?

    You can use SockLock to turn on protection and keep it, or you can delete it once you've used it and if you ever want another copy in the future to turn off the locks, you can always come back and grab another copy. SockLock will not interfere with reloading windows if you ever need or want to.
     
  2. FanJ

    FanJ Guest

    Why did I start this thread?
    Because on my Windows 98SE system, some "Integrity Checkers" are able to check wsock32.dll and others not.

    The CRC32-feature in TDS-3 seems to have a "problem" to check that file, while NIS File Check and ADinf32 Pro don't seem to have that "problem".

    I wrote "problem" instead of problem, because it is open to discussion whether it is in fact a problem.....
     
  3. FanJ

    FanJ Guest

    SockLock enabled:

    [hr]

    Using File Finder in Ontrack Powerdesk Pro:
    (Note: this is not an Integrity Checker)

    SockLock enabled:
    Wsock32.dll 40.960 11-8-99 14:13 rhsa C:\WINDOWS\SYSTEM\


    Using CRC32-feature in TDS-3:

    SockLock enabled:

    21:57:14 [CRC32] Started - verifying 118 files ...
    21:57:15 [CRC32] File doesn't exist: C:\WINDOWS\System\wsock32.dll
    21:57:16 [CRC32] File doesn't exist: C:\WINDOWS\System\Ska.dll
    21:57:16 [CRC32] File doesn't exist: C:\WINDOWS\System\Ska.exe
    21:57:19 [CRC32] Test finished.


    Using NIS File Check Beta 1.0.0.7:

    SockLock enabled:

    Application: c:\windows\system\wsock32.dll
    Status: Unchanged
    Version old: 4.10.1998
    Size old: 40960
    Date old: 1999-08-11 14:13:18
    RMD160 Hash old: BEC911836E9672BEF5620544E28CA8B9471B48E3

    Application: c:\windows\system\ska.dll
    Status: Unchanged
    Version old: N/A
    Size old: 72
    Date old: 2001-08-26 22:30:12
    RMD160 Hash old: 282BF2358FDC1B6812E2D78BC90AD6AB13C0D8C3

    Application: c:\windows\system\ska.exe
    Status: Unchanged
    Version old: N/A
    Size old: 72
    Date old: 2001-08-26 22:30:12
    RMD160 Hash old: 282BF2358FDC1B6812E2D78BC90AD6AB13C0D8C3
     

    Attached Files:

  4. FanJ

    FanJ Guest

    SockLock disabled:

    [hr]

    Using File Finder in Ontrack Powerdesk Pro:
    (Note: this is not an Integrity Checker)

    SockLock disabled:
    Wsock32.dll 40.960 11-8-99 14:13 a C:\WINDOWS\SYSTEM\


    Using CRC32-feature in TDS-3:

    SockLock disabled:

    21:55:46 [CRC32] Started - verifying 118 files ...
    21:55:47 [CRC32] File doesn't exist: C:\WINDOWS\System\Ska.dll
    21:55:48 [CRC32] File doesn't exist: C:\WINDOWS\System\Ska.exe
    21:55:50 [CRC32] Test finished.


    Using NIS File Check Beta 1.0.0.7:

    SockLock disabled:

    Application: c:\windows\system\wsock32.dll
    Status: Unchanged
    Version old: 4.10.1998
    Size old: 40960
    Date old: 1999-08-11 14:13:18
    RMD160 Hash old: BEC911836E9672BEF5620544E28CA8B9471B48E3

    Application: c:\windows\system\ska.dll
    Status: Changed: (Deleted, File not found error)
    Version old: N/A
    Size old: 72
    Date old: 2001-08-26 22:30:12
    RMD160 Hash old: 282BF2358FDC1B6812E2D78BC90AD6AB13C0D8C3

    Application: c:\windows\system\ska.exe
    Status: Changed: (Deleted, File not found error)
    Version old: N/A
    Size old: 72
    Date old: 2001-08-26 22:30:12
    RMD160 Hash old: 282BF2358FDC1B6812E2D78BC90AD6AB13C0D8C3
     

    Attached Files:

  5. FanJ

    FanJ Guest

    About ADinf32 Pro:

    It doesn't seem to make a difference in checking wsock32.dll.

    It only warns on ska.dll and ska.exe in case I change from SockLock-enabled to SockLock-disabled, and back.

    [hr]

    SockLock disabled:
     

    Attached Files:

  6. FanJ

    FanJ Guest

    And then back to SockLock enabled, ADinf32 Pro says:
     

    Attached Files:

  7. FanJ

    FanJ Guest

    So:

    The CRC32-feature in TDS-3 seems not able to "read" wsock32.dll if SockLock is enabled, and NISFileCheck and ADinf32 Pro seem to be able to "read" wsock32.dll in any case.
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Jan,

    This doesn't appear to be a TDS issue, but a locked file issue that would apply equally to all scanners, not just TDS. Are you absolutely certain that NISFileCheck/ADinf32 can read the file when it is locked? SockLock appears to lock read access to the file. If that's the case, no programs can read those files - not TDS, and not NISFileCheck/ADinf32. TDS will alert you if it cannot read a file, other programs may not. Some scanners may not be able to read a file, but won't report it - a security issue.

    Here's a little test you can do to see if NISFileCheck/ADinf32 can actually read the file when TDS can't --
    Disable SockLock to free up the Winsock file. Make a small modification in that file so that the checksums should be different (eg. just change "MZ" to "mz" or something similar). Now, turn SockLock back on, and scan the file with NISFileCheck/ADinf32. Both programs should alert you (as the file - and consequently checksum - has changed). If neither of them complain about the change, you know that they're simply silently skipping over files that they can't read, without alerting you (compromising your security by keeping you in the dark).

    Best regards,
    Wayne
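
The experiment Wayne describes (baseline the file, flip "MZ" to "mz" with the lock off, lock it again, see who still complains) and the distinction he draws between a checker that reports an unreadable file and one that silently skips it, written out as an added example. This code is not from the thread and is not TDS-3, NIS File Check, ADinf32 or SockLock; the file is a constructed stand-in for wsock32.dll, the share lock is simulated by a reader that fails the open (the real thing on Windows is an exclusive CreateFile handle, which makes other opens fail with ERROR_SHARING_VIOLATION, error 32), and SHA-256 stands in for the RMD160 hash NIS File Check prints, since not every Python build ships RIPEMD-160. The function names are the example's own.

```python
import binascii
import hashlib
import os
import tempfile

# Constructed stand-in for wsock32.dll: an "MZ" header plus padding. Not the
# real file, just enough bytes for the checks below to work on.
SAMPLE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32


def fingerprint(data: bytes) -> dict:
    """Size, CRC32 (what TDS-3's CRC32 feature compares) and a strong hash
    (SHA-256 here; NIS File Check uses RIPEMD-160)."""
    return {
        "size": len(data),
        "crc32": "%08X" % (binascii.crc32(data) & 0xFFFFFFFF),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def read_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def verify(base: dict, reader=read_file) -> dict:
    """Fail-closed check. Every baselined path gets exactly one verdict:
    'unchanged', 'changed' or 'unreadable'. A failed open (share lock, ACL,
    missing file) is a verdict of its own, never a silent 'unchanged'."""
    report = {}
    for path, old in base.items():
        try:
            new = fingerprint(reader(path))
        except OSError:
            report[path] = "unreadable"   # what TDS-3 surfaces as an alert
            continue
        report[path] = "unchanged" if new == old else "changed"
    return report


def verify_silent_skip(base: dict, reader=read_file) -> dict:
    """The behaviour Wayne warns about: a checker that drops files it cannot
    open from its report, so a locked (possibly replaced) file looks like a
    clean run to the user."""
    report = {}
    for path, old in base.items():
        try:
            new = fingerprint(reader(path))
        except OSError:
            continue                      # nothing reported, nobody told
        report[path] = "unchanged" if new == old else "changed"
    return report


def share_locked(locked_paths, inner=read_file):
    """Simulated share lock (assumption: stands in for an exclusive Windows
    handle; no real lock is taken, so this runs on any platform)."""
    locked = set(locked_paths)

    def reader(path: str) -> bytes:
        if path in locked:
            raise PermissionError(32, "Sharing violation (simulated)", path)
        return inner(path)
    return reader


def wayne_test():
    """Baseline, modify with the lock off, lock, re-check with both checkers.
    Returns (clean verdict, modified verdict, honest locked verdict,
    silent-skip locked report)."""
    with tempfile.TemporaryDirectory() as tmp:
        dll = os.path.join(tmp, "wsock32.dll")
        with open(dll, "wb") as fh:
            fh.write(SAMPLE_DLL)
        base = {dll: fingerprint(read_file(dll))}

        clean = verify(base)[dll]                     # 'unchanged'

        # "SockLock disabled": patch the first two bytes, as Wayne suggests.
        with open(dll, "r+b") as fh:
            fh.write(b"mz")
        modified = verify(base)[dll]                  # 'changed'

        # "SockLock enabled" again: the file can no longer be opened.
        locked = share_locked([dll])
        honest = verify(base, reader=locked)[dll]     # 'unreadable'
        silent = verify_silent_skip(base, reader=locked)   # {} : no alert
        return clean, modified, honest, silent


if __name__ == "__main__":
    print(wayne_test())
```

The point of the two checkers is the last line of the result: the fail-closed one tells you it could not open the file, the silent one returns an empty report that looks identical to "all files clean". A missing file takes the same path as a locked one (FileNotFoundError is an OSError), which is why a checker built this way reports "doesn't exist" for a locked file it cannot distinguish from a deleted one, exactly the message TDS-3 printed above.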
     
  9. snowy

    snowy Guest

    FanJ

    thanks Jan for the heads up.....although for some reason I can't access the nsclean website to get the download.....maybe it needs ActiveX or Java....whatever the case I'll have to pass on this program for this reason..
    my monitors should pick up any changes that want to be made,,,,if not.....reformat time...and if that does not work...walmart time.... lol

    snowman
     
  10. snowy

    snowy Guest

    just dawned on me.....aren't there firewalls that work at the winsock level?? how would...if it does at all....this SockLock program affect such firewalls?? admittedly I have no knowledge in this area..so please consider this a question.....

    snowman
     
  11. FanJ

    FanJ Guest

    Hi Snowman,

    I just tried to get to that SockLock-website: not any problem.

    With respect to your question: I think I could best quote something from that site:

    So my answer: no, your firewall is not affected by using SockLock.
     
  12. FanJ

    FanJ Guest

    Hi Wayne,

    Thanks very much for your answer: much appreciated !

    I'm not sure whether I'll be able to make a change in wsock32.dll to perform the test you suggested. I tried but it seems I'm not able to do that (SockLock was disabled). Maybe I made a mistake while trying to do it.

    In general:
    My posting of this thread was in no way aimed to hurt any company or any person; all of you: please be assured of that.
     
  13. SockLock takes the wsock32.dll..changes it from just archive..to read only and hidden..that being the case you can still find it in your "find > files and folders"

    "Hidden" means you can not see it or use it unless you know it name.


    "Read only" means it can not be changed or accidentally deleted.


    That is it..no more no less....I have read you entire post...but still do not follow what you want each one of those programs to do in this test..but it all seems great fun. :)
     
  14. FanJ

    FanJ Guest

    Hi John,

    I'm trying to understand why one Integrity Checker seems to be able to "read" wsock32.dll, and another not.
    It could be my fault, it could be (as Wayne suggested) a fault in one or more of the other Integrity Checkers.

    Glad you're having fun.
     
  15. Jooske

    Jooske Registered Member

    I wonder from when is that program with telling none of the other scanners would detect that? As far as I know the SKA has long been detected by all scanners, as is HTA, one of the other alarms with free tools there... Wasn't there also a recommendation to fix /update IE/OE/Windows for some possible exploits or to upgrade to at least version 5.5 to be better protected for running such things if they would come with emails? WormGuard blocks them very well.

    But i'm interested to read the results of accessing the protected file like winsock with various scanners like suggested, of course!
    You could of course make a copy of it somewhere, even on a diskette outside the system.
     

  16. I was thinking about all that as I posted..this integrity check thing...since we know what socklock does..and this stops happy and others..that is good.

    Since it (wsock32.dll) is no longer sitting there as we would normally expect to see it on an out of the box install..
    but yet certainly a legit file nevertheless..what I would like is a third party program to tell me about the "state" I had put it in.

    I guess if happy is fooled into thinking it is not there..I would also want a checker to tell me the file was not.
     
  17. jvmorris

    jvmorris Registered Member

    Try WinInterrogate from SourceForge. (It's on the same page as WinFingerprint, I believe.) Will hunt up URL shortly.

    For an executable, it provides something like 32 attributes of the file; don't know if it will show anything different in this case, however.

    Also, going back to an earlier set of discussions. There are different ways to walk the directory looking for files to check. I know this because David Stockbridge did it one way in his original file authentication scripts; I did it slightly differently in the Excel and Access macros I built using his scripts as a starting point, and I think Albert may well use another method in NIS File Check. (At any rate, there are discrepancies in the file count.) It seems quite possible to me that this SockLock may be messing with a parameter that influences whether winsock is getting tagged or not. Indeed, that may well be all that this connotes.
     
  18. FanJ

    FanJ Guest

    About ADinf32 that makes no difference in reading wsock32.dll whether SockLock is enabled or not.

    ADinf32 doesn't use windows to check the files.
    Quote from the Helpfile:

    "When checking your disks, ADinf bypasses the operating system and reads disk sectors through direct BIOS calls."

    So I guess that this must be the explanation for Adinf.


    Thanks to Paul who suggested that I have a look at that BIOS call by ADinf.
     