
CATCHING THIEVES RED-HANDED


Most of us hate to think about it, but crime is a fact of everyday life. When you grew up, did you live in a neighborhood where you didn’t have to lock the door? Seems like a long time ago in a galaxy far away.

These days, we all seek ways to protect our homes and families. Some people – in fact, a lot of people – go for “burglar bars.” In Israel, we call them soragim. But bars ruin your view and are far from burglarproof. The alternative, of course, is a burglar alarm. But both alarms and bars can be very expensive.

Hence this column.

You can set up a comprehensive security system throughout your house for very little money with the help of your PC and one or more Web cams. Although they don’t make noise or keep out bad guys, Web cams can be used to set up a surveillance system, and with signs displayed in a prominent place, they may be just as effective a deterrent as the "big-boy" systems.

Don’t think they work? Well, a Web cam surveillance system caught a thief red-handed earlier this year.

If computer equipment could be compared to neighborhoods in a big city, Web cams would be in the red-light district; that’s the reputation they have.

True, they’re useful for setting up live video chats with friends and family, but with the proliferation of digital video and digital cameras that can take up to three minutes of video of much higher quality than you get with a cam, the popularity of those little orbs has waned dramatically – and the current low prices reflect that unpopularity.

But forget their iffy reputation and iffy pictures. Web cams have other features that can win them a place of honor in your electronics stable. Most Web cams, for example, can take still photos, and software which I will describe can take a still photo when the camera detects movement, zip it into e-mail, and buzz your cell phone with an SMS alert.

And if you invest in Wi-fi Web cams, the sky’s the limit; you can build a full-service surveillance system to keep an eye on every corner of your house.

Of course, you need a Web cam, or a bunch of Web cams, in order to get this done. There’s a cam for every purse, but of course the more you spend, the more you get. Simple no-name cams cost as little as $10 these days, while "professional" cameras cost between $50 and $100.

Many of the cams in that price range can do all sorts of tricks, like panning and turning, which make them far more effective for surveillance. Then there are wireless Web cams costing $200 and up. They of course have the advantage of "traveling" anywhere in the house, and usually have all the bells and whistles.

But the guts of a Web cam surveillance system is the software, which can make the equipment go a long way. A plain vanilla Web cam costing 10 bucks can be attached to the USB port of a computer and controlled with an application like the highly rated PC-Alarm and Security System.

With this program, you can set your cam to automatically "perk up," take a picture and send a message if the microphone detects sound in the room.

You may have to experiment a bit to make sure the camera can distinguish between the buzzing of the refrigerator and the sound of objects being stuffed into a sack.

It will also automatically e-mail a picture when the Web cam’s software detects someone within range of the camera. And the program will dial a phone number and play an alert that a picture was e-mailed if the computer is connected to a phone line. For $20, you get a pretty complete piece of surveillance software.

The program supports only a single Web cam on a USB port, but Jaxcam supports a nearly unlimited number of cams, which would be a great way to really keep an eye on things.

All you need is a couple of USB splitters (such as the one at http://www.vpi.us/hubs.html) – preferably with their own source of power, and appropriately long USB cables to extend your cameras’ coverage. Jaxcam (which costs $25) will also e-mail files and send an alert when it does, and will also alert you if someone gets too close to the host PC or plays with the keyboard.

Note: I live in a building with fourteen apartments in a beautiful section of Jerusalem. We have extensive webcam coverage, in addition to traditional security measures.

Now for a correction.

Last week I discussed that Sony CDs were spyware, creating a ‘rootkit’ in which to hide. I suggested a free application that would uninstall the ‘rootkit’, called TweakUI.

It seems I was premature.

Last week’s bad news about Sony installing rootkits on their customers’ computers was inevitably followed up this week with malware that uses the rootkit to hide.

The antivirus vendor community is abuzz over the release of Trojan horse programs that are unremarkable except for their use of the rootkit installed, as I explained last week, by certain Sony BMG music CDs.

Because it is relatively easy for existing malware programs to take advantage of the rootkit, everyone knew it was coming. But BitDefender was first out of the gate with an alert. The rootkit and its potential for abuse by malware were first discovered by Mark Russinovich of Sysinternals Software.

There is a second variant of the Trojan discovered by BitDefender. The Synd.B variant of the Trojan is an improvement on the Synd.A variant. Expect many more variants, and don’t be surprised if other malware "families" adopt the technique used to exploit the rootkit.

On systems with the rootkit installed and running, all files and registry entries beginning with the string ‘$sys$’ are hidden from user and programmatic view, including that of the antivirus scanner.

When the Trojan executes, it first attempts to determine if it is running in a protected environment or sandbox, and exits if it is.

It then attempts to copy itself to %SYSTEM%\$sys$xp.exe (to take advantage of the rootkit). If it fails, it retries this every second. It sets run keys using the $sys$ scheme to execute itself at Windows start time. It also attempts to bypass the Windows firewall by setting itself as a trusted program in the firewall’s list, and then sends a notification that it is running to a specific IP address on port 8080.

The second and subsequent times it runs, it connects to several IRC servers and awaits commands from remote attackers.

How to avoid it: First and foremost, don’t use Sony BMG copy-protected music CDs in your Windows computer.

Don’t download and don’t execute programs from Web sites or as e-mail attachments unless you know exactly what they are and trust their source.

Install anti-virus software and keep it up to date.

Consider installing a rootkit-detection program, such as Sysinternals RootkitRevealer.

How to remove it: The safest way to disable the rootkit’s cloaking of files is to use the Start-Run dialog or a command prompt and execute:

sc delete "$sys$aries"

and then reboot the system. At this point, you can disable the Trojan by removing the run keys that begin with $sys$ and rebooting again.
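
Once the cloak is off, the $sys$ run keys show up in ordinary registry listings again. The script below is an added example, not part of the original column or any vendor's tool: it reads the text that "reg query" prints for a Run key and flags values whose name, or a path component in their data, begins with $sys$. The Run key paths, the value name $sys$example and the second file name in the sample are constructed for illustration; only $sys$xp.exe comes from the description above.

```python
import re

# Prefix the rootkit cloaks, per the description above.
CLOAK_PREFIX = "$sys$"

# One value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")
# The prefix at the start of any path component inside the value data.
# Matched case-insensitively to err on the side of flagging.
PREFIX_IN_PATH = re.compile(r'(?:^|[\\/"\s])' + re.escape(CLOAK_PREFIX), re.IGNORECASE)


def find_cloaked_run_entries(reg_query_text):
    """Return (key, value_name, data) for values that use the $sys$ prefix."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):      # header line naming the key
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:          # blank line or unrelated text
            continue
        name, data = m.group("name"), m.group("data").strip()
        if name.lower().startswith(CLOAK_PREFIX) or PREFIX_IN_PATH.search(data):
            hits.append((key, name, data))
    return hits


# Constructed sample of `reg query` output, taken after the cloak is disabled.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    $sys$example    REG_SZ    C:\WINDOWS\system32\$sys$xp.exe
    Backup Tool    REG_SZ    "C:\Program Files\Backup\bk.exe" /quiet

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    C:\WINDOWS\system32\$SYS$other.exe
"""

if __name__ == "__main__":
    for key, name, data in find_cloaked_run_entries(SAMPLE):
        print(f"{key}\n    {name} -> {data}")
```

Run against a listing taken while the rootkit is still active, the same script finds nothing, because the cloak hides those entries from the query itself.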

Dennis Turner