
Security Tool HijackThis Goes Open Source

samzenpus posted more than 2 years ago | from the check-it-out dept.


wiredmikey writes "The popular free security tool HijackThis has been open sourced by its owner, Trend Micro. The tool scans systems to find settings that may have been modified by spyware, malware or other programs that have wiggled their way onto a system and caused problems. Downloaded over 10 million times, HijackThis generates reports to help users analyze and fix an infected or problem computer. But the tool is not designed for novices – and doesn't actually determine what's good or bad. That's up to you, but it is a good way to keep an eye on things and possibly locate anomalies that may have been missed by other security products. Trend Micro warns that if you don't know what you're doing, it's probably not a good idea to make any changes to your computer settings and system files. Trend Micro acquired the tool from creator Merijn Bellekom in 2007, and has offered it for free ever since, but now is making the code available to the public. The code, originally written in Visual Basic, is now officially available at Sourceforge here."


101 comments


Where? (0)

Anonymous Coward | more than 2 years ago | (#39093513)

'src' directory is empty.

Free = no good (4, Funny)

Ritz_Just_Ritz (883997) | more than 2 years ago | (#39093519)

My PHB says that free stuff can't be any good. Surely, we'd be much better off by throwing 7 figures at Symantec. ;)

Re:Free = no good (4, Insightful)

bws111 (1216812) | more than 2 years ago | (#39093557)

More likely he says that free stuff without vendor support is no good, and for most businesses he is right.

Re:Free = no good (4, Insightful)

Creepy (93888) | more than 2 years ago | (#39094033)

That is if you need to have accountability, such as selling or providing to a customer (this would be the latter - IT provides for its "customers" which are end users to them) but I think our developers use notepad++ for editing files more than any other program, so there are exceptions, and let's face it - if that tool breaks, there's always notepad. It is on our site license approved software download page even (for free and commercial tools we have a site license to download and self install), so it has passed through upper management and legal, but I'll admit the one there is an old GPL-2 licensed version - I don't know if it hasn't been updated because of legal concerns about GPL-3 or they just haven't gotten around to it, though (I know GPL-3 libraries are forbidden, but not sure about apps).

In the case of HijackThis you are responsible for your own accountability, since it doesn't remove anything unless you tell it to, and a good IT person will back up the registry before making any changes to it (and know what is and is not a legit program).

Re:Free = no good (1)

X0563511 (793323) | more than 2 years ago | (#39097043)

I can't see how a program could be forbidden just by being GPL3. From my understanding, the GPL does not "protect" or "infect" (depending on your perspective) program output - merely said program's code (be it for execution or linking (and execution)).

Re:Free = no good (1, Insightful)

mysidia (191772) | more than 2 years ago | (#39094105)

More likely he says that free stuff without vendor support is no good, and for most businesses he is right.

It's not just about Vendor support; it's also about Tool capabilities, Tool quality, and meeting a business need. Businesses don't want to spend a lot of time manually "cleaning up" after malware infections; they want to prevent them.

If the infection beats the protection, then the cleanup must be fast and fully automated, otherwise it's more efficient to re-image in this situation.

HJT is for home users and hackers not working on company time, who can afford to spend hours upon hours manually digging through a log and removing suspicious components, at risk of breaking the system further.

For day-to-day business use, HijackThis has nothing on Trend Micro OfficeScan, Malwarebytes Pro, PrevX Business, Webroot Secureanywhere Endpoint, eEye Blink, Defensewall/Parador, SuperAntiSpyware PRO, ESET, and plenty of others.

Real-time protection, automation/periodic scans, and central monitoring capabilities are a must for good endpoint security.

HJT has limited use cases. Symantec's products don't make the Top10 list.

Perhaps since they've open sourced HJT now, there will be more developers working on it, and its capabilities could improve -- for example, automatically identifying items that are suspicious, and automatically identifying items that are system critical, and verifying their integrity.

Re:Free = no good (0)

Anonymous Coward | more than 2 years ago | (#39094191)

...none of which has anything to do with whether it's free or not.

Re:Free = no good (1)

X0563511 (793323) | more than 2 years ago | (#39097047)

Wrong. Kind of hard to improve upon a program when it's closed source and only distributed via a compiled binary.

Re:Free = no good (1)

NJRoadfan (1254248) | more than 2 years ago | (#39094969)

More likely he says that free stuff without vendor support is no good, and for most businesses he is right.

It's not just about Vendor support; it's also about Tool capabilities, Tool quality, and meeting a business need. Businesses don't want to spend a lot of time manually "cleaning up" after malware infections; they want to prevent them.

So whats the business need of Symantec's Endpoint Client? Malware steamrollers over it all the time, even with the latest definitions.

Re:Free = no good (2)

mysidia (191772) | more than 2 years ago | (#39095247)

So whats the business need of Symantec's Endpoint Client? Malware steamrollers over it all the time, even with the latest definitions.

That's because the software fails to do what it's actually supposed to do. If the software were effective, the featureset would make it a clear winner over the free product. Because in actual practice the Symantec software doesn't do what it's supposed to do, an Engineer experienced with it could tell you that all those checkboxes are worthless.

In a number of large companies, corporate management fails to make a distinction between what the software vendors' salespeople say their software does, and what it actually does in practice.

I'm definitely not holding up Symantec as a product you should consider using. But there are many alternatives that do what they are supposed to do, and have the must-have features you really need for assuring Enterprise security.

And HJT still isn't the answer for endpoint security.

Re:Free = no good (2)

onepoint (301486) | more than 2 years ago | (#39096925)

it's a tool, and the tool is only as good as the person using it.
I love it since it helps me examine the problems before trying a solution.
is it an endpoint solution for the masses ... nope not one bit.
is it a good tool for the IT department to have on the flash drive at all times ... Yep, it's a tool to look inside before doing the surgery.
 

Re:Free = no good (1)

mysidia (191772) | more than 2 years ago | (#39119743)

it's a tool, and the tool is only as good as the person using it.

A tool is also only as good as the functionality it provides. You don't use a hammer to make a chocolate cake.

HiJackThis is a useful tool, but its application is extremely constrained -- it's a tool to be used by an expert/specialist to attempt to manually remove an infection.

This has many applications, but its uses are not compatible with IT best practices for Enterprise security. In the Enterprise, the main job of security software is to prevent the infection; if a machine becomes infected, then that machine from now on is questionable, the security risks of just attempting a manual removal are great (if some remnant is missed, corporate secrets or customer data may be at risk, huge possible liabilities), and the only appropriate resolution is really to reimage.

Again HJT is more suitable for home users and "PC Repair shops"; where the objective is to repair an arbitrary home computer with least expense to the owner, and malware removal can be a full-time job.

In well-managed Enterprises, "manual malware removal" is not a job at all, let alone a full-time one where the skills required to utilize HJT would be valued specifically.

Now, the security consultants or hackers the Enterprise hires to help clean up after a massive security incident, would be HJT experts.

Re:Free = no good (2)

Rakishi (759894) | more than 2 years ago | (#39095295)

If the infection beats the protection, then the cleanup must be fast and fully automated, otherwise it's more efficient to re-image in this situation.

Define more efficient. Do the hours upon hours someone spends re-installing and re-configuring their system after a re-image count? What about the time spent reloading data from backups? And the time making an image because the last backup was a week ago? Then having to manually reload the files that have changed since that time?

Re:Free = no good (3, Insightful)

mysidia (191772) | more than 2 years ago | (#39095953)

Does the hours upon hours someone spend re-installing and re-configuring their system after a re-image count?

The image is supposed to be taken after the install is fully configured with all the role-specific software.

What about the time spent reloading data from backups?

No data requiring backup is allowed to be on endpoints. Any documents should be in the user's profile which gets redirected to a place on the server.

Re:Free = no good (2)

X0563511 (793323) | more than 2 years ago | (#39097063)

Not everyone works in a functional cubicle where they all use the same software to do the same thing, and the only thing that shouldn't be persistent is the output data itself.

You're confusing bean counters, data entry, and script readers with just about everyone else who needs some flexibility.

Re:Free = no good (1)

Kalriath (849904) | more than 2 years ago | (#39103363)

You manually reinstall your software? We just network boot the machine to reinstall Windows from our gold image, and once done the software will automatically push to it and install with no user intervention. Reconfiguring indeed.

Re:Free = no good (1)

hairyfeet (841228) | more than 2 years ago | (#39096819)

While I agree about meeting a business need, sometimes free works quite well. For example I give my SMBs Comodo Internet Security [comodo.com] which is free for BOTH home and business use and works great. If later on they run into some situation where they actually need support Comodo will be happy to sell them support, so if they have no problems then it costs nothing. I've found if you use Win 7 (with its ASLR and DEP) along with Comodo Dragon with ABP (Dragon supports Win 7 low rights mode by default) and then finally Comodo Time Machine so if they DO somehow manage to bork something they can just hit the rewind button, even if they screw it up so bad it won't boot? Well you end up with a machine that short of hardware failure is pretty damned hard to kill or screw up. That of course makes both my business and home users VERY happy. When you have customers that could kill a Sherman tank with a toothbrush (I swear they must have like an electromagnetic field or something the way things just die around them) then you quickly learn how to harden a system.

As for TFA as another noted maybe by being FOSS now they will have developers work on the usability, maybe have a "dummy mode" for the less skilled. because while HJT is a great tool it is NOT for the faint of heart and if you don't know what you are doing you could quickly break more than you fix. Maybe someone can tie it in with the signatures for Housecall or clamAV so it has a default nasty list?

Re:Free = no good (1)

berzerke (319205) | more than 2 years ago | (#39097379)

...i give my SMBs Comodo Internet Security which is free for BOTH home and business use and works great..

While I do use Comodo myself, don't think for a second that its anti-virus engine is very good. It's not. If you want a good AV scanner, go with Kaspersky or Bitdefender, although neither are free :(.

Where Comodo shines is its Defense Plus engine, which lets you know that something suspicious is going on. Answer properly the pop-ups, and nothing will get through. But that's the key, "Answer properly". I don't believe the average computer user can do that.

...Maybe someone can tie it [HJT] in with the signatures for Housecall or clamAV...

I can tell you that from my testing, relying on clam is extremely risky. I'd love to recommend a FOSS solution, but I'm submitting stuff it misses virtually every time I find malware and test clam against it.

Re:Free = no good (1)

hairyfeet (841228) | more than 2 years ago | (#39110045)

Actually you must not have tried Comodo CIS lately as they now don't ask the user much at all and it has a "default deny" policy that covers a good 90%+ of use cases. The only false positives I've seen are my gamer relatives using trainers, which considering trainers work by modding others' code I don't know if that should count as a false positive or not. But I agree you shouldn't rely on ANY AV by itself; defense should be in depth, which is why I give them Comodo CIS along with Comodo Dragon on Windows 7 with Comodo Time Machine. Those four work quite well together, with Win 7 blocking nasties with low rights mode, ASLR and DEP, the Dragon has SecureDNS and phishing protection and Time Machine is for PEBKAC problems. But if you look at the reviews Comodo CIS usually is in the top 5 pretty regularly which is really good for a free AV IMHO. The only one that scores higher in the freeware category is Adaware and it's home use only.

Re:Free = no good (1)

phorm (591458) | more than 2 years ago | (#39115489)

I'll update that to say:
    More likely he says that free stuff without *good* vendor support is no good, and for most businesses he is right.

I've seen several cases these days with large vendors where their support was quite shoddy. Their support people don't seem to know much about their product (especially for win-centric products with a linux component), they take forever to turn around a case and love to play wheel-of-blame where they'll try and put any possible issues on your system/configuration before accepting that yes, perhaps their product does have a bug.

IMHO, companies I've found that seem to have good support include:
    Cisco: very good at turnaround for hardware failures
    RedHat: good turnaround on tickets. They usually manage to focus in on the problem within a decent timeframe
    Dell Corporate: good RMA process with cross-shipping (do not confuse this with consumer-level support, which can be very different)

Of those and others, the trend seems to be that hardware companies have good support. Software companies are not quite so great for support (RedHat being good especially considering they're not necessarily the creator of said software)

Re:Free = no good (3, Funny)

jo_ham (604554) | more than 2 years ago | (#39093647)

If you use Symantec you'll certainly be throwing *something* at them.

Re:Free = no good (0)

Anonymous Coward | more than 2 years ago | (#39093911)

chairs?

Re:Free = no good (4, Funny)

Lumpy (12016) | more than 2 years ago | (#39093717)

7 figures? You guys only buy low-grade garbage. You should buy 8 or 9 figure solutions.

Re:Free = no good (0)

Anonymous Coward | more than 2 years ago | (#39094761)

Naw...that stuff is only for the government, banks, and insurance organizations.

Re:Free = no good (1)

Ardyvee (2447206) | more than 2 years ago | (#39093787)

I'll assume that the beeping I hear so loud is the sarcasm-meter.

It's a move that'll give them good PR with the Open Source guys AND possibly leave them off the hook on maintaining the tool. Or maybe they just want to be good guys and let the tool evolve by other means (if it evolved at all in these past few years). No idea, tho.

Re:Free = no good (0)

Anonymous Coward | more than 2 years ago | (#39095051)

Since I was part of the group that decided to open source this I can tell you that it was either kill it eternally or make it open source. We are actually trying to do a good thing and let it evolve and help out the community.

Re:Free = no good (0)

Anonymous Coward | more than 2 years ago | (#39095935)

I used to work for a shop, cleaning up infected computers. You guys rock now, and you rocked then.

Re:Free = no good (1)

newcastlejon (1483695) | more than 2 years ago | (#39093847)

Back when I was in high school I heard about something called "Lee-nux", so I asked our network admin, who was more knowledgeable than the actual IT teachers. His reply could be summed up as "Pfft! It's a waste of time! You get what you pay for, boy."

Thinking back, I could kick him for setting my curiosity back by what must have been years.

These days I still don't use Linux, but not because it's free. I did recently retire an old fileserver running BSD, though.

Re:Free = no good (1)

tnk1 (899206) | more than 2 years ago | (#39094177)

Thing is... he was right, from a professional perspective. Do not underestimate the amount of work that was needed to turn Linux into a kernel that could support an enterprise level requirement. If anything Linux was more a triumph of the open source model than a triumph of Linus' code (although that certainly was not terrible).

If you were a hobbyist, Linux was great, and it goes without saying that it had what it took to be turned into something great. Still, when you ask a pro what he thinks of what was, at the time, a toy, the response was predictable.

Re:Free = no good (2)

newcastlejon (1483695) | more than 2 years ago | (#39094345)

If you were a hobbyist, Linux was great, and it goes without saying that it had what it took to be turned into something great. Still, when you ask a pro what he thinks of what was, at the time, a toy, the response was predictable.

What galls me in retrospect is that I was a hobbyist, and the admin was not what I now consider a pro, considering how badly run the network was in those days. With respect to your comment on Linux being a toy at that time, all I can say is that you've overestimated my age by quite a bit: at that time Red Hat were doing pretty well, all things considered.

Of course, if I was looking for enthusiastic encouragement then talking to an overworked admin that had to deal with a couple of thousand students was probably a bad idea.

Re:Free = no good (0)

Anonymous Coward | more than 2 years ago | (#39094595)

Still, when you ask a pro what he thinks of what was, at the time, a toy, the response was predictable.

Ok, tnk1. When was newcastlejon in high school?

Methinks you know nothing about what you're talking about.

Re:Free = no good (1)

tnk1 (899206) | more than 2 years ago | (#39117723)

Get off my lawn.

Re:Free = no good (1)

dimko (1166489) | more than 2 years ago | (#39094895)

Sure thing, and companies like IBM are wrong. And Red Hat makes no money.

Re:Free = no good (1)

bws111 (1216812) | more than 2 years ago | (#39095435)

I'm pretty sure IBM and Red Hat were some of the major players that did the work he is talking about.

Still in Visual Basic (5, Informative)

svick (1158077) | more than 2 years ago | (#39093533)

Since it was "originally written in Visual Basic", I wonder what language it uses now?

It turns out, it still uses Visual Basic. Not sure why the summary was written that way.

Java trapped (2)

tepples (727027) | more than 2 years ago | (#39093595)

Say I find a Windows PC, remove its hard drive for analysis, put it in a USB enclosure, and mount it read-only on a Linux box to make the scan process immune to boot-sector malware. Is there a Free compiler capable of compiling Visual Basic code? As of a year ago [stackoverflow.com] , there wasn't. If not, the program is Java trapped [gnu.org] .*

* The term's origin is historical; Java itself is no longer Java trapped, but plenty of other languages and APIs are.

Re:Java trapped (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39093611)

You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.

Re:Java trapped (5, Informative)

Voyager529 (1363959) | more than 2 years ago | (#39093757)

You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.

This.

If you're that averse to installing Windows on something, check out some of the bootable diagnostic tools like the UBCD4Win project, the newer releases of Hiren's Boot CD (That are now pirated-software free), or HawkPE. They run right off the disc and have HijackThis - along with a plethora of other cleanup tools - pre-configured.

Re:Java trapped (1)

Creepy (93888) | more than 2 years ago | (#39094183)

there are a bunch here
http://livecdlist.com/purpose/windows-antivirus [livecdlist.com]

I've had better luck finding rootkits with bitdefender and kaspersky than Hiren, but taking a look at their page it looks like they've shored up the rootkit detection (MalwareBytes is pretty good at that - didn't have any luck with rootkitrevealer when I tried it, though - it failed to detect a rootkit that bitdefender found, and I knew the machine was rootkitted as well as the rootkit name - I also pulled off 3 yet unidentified virus variants off of that box and submitted them, and they began appearing in antivirus software within 2 days). I also have my trick of finding rootkits while windows is running, as most don't hide files completely (usually I find a registry entry with HijackThis and then go to the location and start typing in the name and hit tab - if I see the file but don't see it if I just do dir filename, I know I'm working with a rootkit and probably not an ordinary virus). I prefer to have antivirus software remove viruses and rootkits, but can do it by hand if necessary (would rather have it magically go away rather than poking around system files for hours to see what all it corrupted).

Re:Java trapped (1)

icebraining (1313345) | more than 2 years ago | (#39094187)

That are now pirated-software free

How so, if they contain Windows?

Re:Java trapped (1)

Voyager529 (1363959) | more than 2 years ago | (#39097323)

To be honest, I too questioned that a smidge, given that the UBCD4Win project distributes a builder that requires a Windows CD to work, whereas Hiren distributes an ISO. While common sense says "if you have an XP disc for the purpose you've fulfilled the legal requirements", especially if you also have a hosed hard disk that carries a licensed copy of Windows requiring disinfecting, it'd be down to a group of lawyers to determine whether it's entirely legal or not.

What I was referring to was the fact that the older editions included a laundry list of commercial software, such as Norton Ghost, PowerQuest Drive Image, Acronis Disk Director, and plenty more. The project has more recently opted to contain exclusively freeware/shareware/FOSS titles instead.

Re:Java trapped (1)

Kalriath (849904) | more than 2 years ago | (#39103423)

Hiren's Boot CD (That are now pirated-software free)

No they're not. Windows PE is only licensed for use with approved software under a contract arrangement with Microsoft. Hiren's Boot CD is not one of them, hence the Windows environment used on Hiren's CD is pirated.

Re:Java trapped (0)

Anonymous Coward | more than 2 years ago | (#39094373)

You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.

And if I don't have another Windows machine?

Re:Java trapped (1)

LordLimecat (1103839) | more than 2 years ago | (#39094443)

Then you will have a hard time reading the Windows registry anyways, since HijackThis uses Windows APIs to do that.

Re:Java trapped (0)

Anonymous Coward | more than 2 years ago | (#39094563)

Which is kinda the point of this subthread....

Re:Java trapped (2)

LordLimecat (1103839) | more than 2 years ago | (#39095413)

The point of the thread was whether it would compile under linux. It might, but it wouldn't do anything as it would be relying on functions that Linux does not supply.

I mean, I'm sure HJT runs fine under Wine, but I'll bet the scan comes up empty every time.

Re:Java trapped (0)

Anonymous Coward | more than 2 years ago | (#39095973)

The point of the thread is that even though the software itself is open source, it's limited by its dependency on a proprietary platform.

Re:Java trapped (2)

LordLimecat (1103839) | more than 2 years ago | (#39098343)

Because its goal is to scan said proprietary platform, using said proprietary platform's system files?

I'm not seeing the problem here. It was written for windows, using Windows APIs, to scan the Windows registry, using a MS programming language.

Do you really have the nerve to ask them to rewrite the whole thing in Java or C++, and also would you please re-implement all the registry and NTFS APIs so that it can run from Linux? How about everyone be grateful that we have some source, instead of being whiney OSS fanatics?

Re:Java trapped (1)

Kalriath (849904) | more than 2 years ago | (#39103435)

Considering it's designed to clean up problems specifically on that proprietary platform, I don't see that as an issue at all.

Re:Java trapped (2)

jackbird (721605) | more than 2 years ago | (#39097151)

Then you boot from a windows repair DVD that you burned from an ISO downloaded from Microsoft, open a shell, and type either fixmbr \device\harddisk0 or bootrec /fixmbr to overwrite the boot sector with a good one. Then you can at least trust the boot sector.

Re:Java trapped (2)

eldorel (828471) | more than 2 years ago | (#39095541)

I hate to feed the troll, but people reading this thread might not be aware of this.

FACT: Attempting to clean a virus with the same os it was designed to infect is NOT a good idea.

There are a lot of viruses that are designed to exploit things like malformed shortcut files, bugs in the way windows mounts hard drives, or even bugs in the code that checks for the amount of free space on a drive. Ref:(google: "lnk exploit")

If you connect a drive infected with one of these viruses to a windows computer, it WILL get infected.

Most of the examples I gave have been hotfixed via windows update, but new exploits are discovered daily.

Move the drive to a different system, scan using live cds or a write protected linux drive, and flash the bios of the original pc.
Otherwise you run the risk of the virus infecting your cleanup system.

Registry (1)

tepples (727027) | more than 2 years ago | (#39095635)

You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.

True, but why does mounting a USB hard drive read-only require modifying the registry [motersho.com] ?

Re:Registry (1)

fluffy99 (870997) | more than 2 years ago | (#39097289)

True, but why does mounting a USB hard drive read-only require modifying the registry [motersho.com] ?

Because 99.9999% of the users never have any desire to mount anything other than read/write.

I wrote a little app that toggles this registry setting back-n-forth. It's in the startup on all our machines containing sensitive data. By default all the usb stuff gets mounted read-only. If you want to write to it, you need to run the app prior to plugging it in to temporarily allow read-write mounting. (Yes I realize it's not a foolproof solution, but it does add some protection against accidental data spillage and virus propagation via thumb drives). The registry setting only comes into play at the time the device is mounted. Changing it after something is mounted only affects how future devices are mounted.
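The toggle fluffy99 describes is the StorageDevicePolicies WriteProtect value. The script below is an added example, not fluffy99's app and not part of the original thread: it reads and flips that value so that USB mass-storage volumes plugged in afterwards mount read-only. It assumes Windows Vista or later and an elevated PowerShell session; the key path and value name are the documented Windows ones, the function names are my own. As the comment already notes, this is a policy bit, not a hardware write blocker: it applies only to devices mounted after the change, and anything running with administrator rights can set it back to 0.

```powershell
# Added example (not fluffy99's code, not HijackThis code).
# Flips the Windows StorageDevicePolicies\WriteProtect DWORD so that USB
# mass-storage volumes mounted AFTER the change are read-only (1) or
# read/write (0). Assumes an elevated PowerShell on Windows Vista or later.

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # Returns $true when newly mounted USB volumes will be read-only.
    if (-not (Test-Path -Path $PolicyKey)) { return $false }
    $item = Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.WriteProtect -eq 1)
}

function Set-UsbWriteProtect {
    # Creates the key if missing and writes the DWORD; needs admin rights.
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $value = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -Value $value -Type DWord
}

# Toggle, the way the comment's startup app does: default to read-only,
# run again to allow writes before plugging in a drive you need to write to.
$wasProtected = Get-UsbWriteProtect
Set-UsbWriteProtect -Enabled (-not $wasProtected)

if (Get-UsbWriteProtect) {
    Write-Host 'USB write protection is now ON: new volumes mount read-only.'
} else {
    Write-Host 'USB write protection is now OFF: new volumes mount read/write.'
}
Write-Host 'Already-mounted drives are unaffected; unplug and re-insert them.'
```

Run it once at logon to leave the default at 1, and once more only when a write is actually needed; a scheduled task or GPO preference that resets the value back to 1 after a short interval closes the window the comment mentions.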

Re:Java trapped (1)

Robert Zenz (1680268) | more than 2 years ago | (#39097741)

Sure, do you have a 120 bucks for me?

Re:Java trapped (1)

jo_ham (604554) | more than 2 years ago | (#39093671)

So it's not open source enough?

It wasn't open source at all until recently!

Re:Java trapped (1)

lytithwyn (1357791) | more than 2 years ago | (#39093753)

Is there a Free compiler capable of compiling Visual Basic code?

A quick google search led me to several sites that say Mono now includes a Visual Basic compiler. I haven't verified this myself.

Re:Java trapped (2)

icebraining (1313345) | more than 2 years ago | (#39094223)

Despite the similar name, they're not the same. Mono supports Visual Basic .NET, which is a language both syntactically and semantically different.

Visual Fred (1)

tepples (727027) | more than 2 years ago | (#39095659)

Didn't Microsoft once provide a translation tool useful for porting a Visual Basic application to VB.NET, not unlike what the Python Software Foundation would later provide around the 2.6 days?

Re:Java trapped (2)

LordLimecat (1103839) | more than 2 years ago | (#39094433)

It doesn't matter terribly much. As anyone who does this type of thing might know, most (basically all) of these type of Windows-based programs which access the registry rely on kernel and system mechanisms to read/write the registry.

In other words, it's great if you have it running under wine, but it won't actually do anything because Wine doesn't provide mechanisms for reading an actual NT registry. There are two programs I know of which re-implement those mechanisms under Linux: the NT Password reset / editor, and Raw Registry Editor [reboot.pro] -- either of which will allow Linux to open an NT registry.

And honestly it makes sense, since there is no reason to expect one to use HijackThis outside of Windows in 99% of the cases, and it would be rather like expecting The Gimp to implement ext4 read / write functions so that one can launch it under windows and access files on a Linux FS: it adds an enormous amount of complexity to the project with minimal gain.

Separate service to read the registry (1)

tepples (727027) | more than 2 years ago | (#39095687)

it would be rather like expecting The Gimp to implement ext4 read / write functions so that one can launch it under windows and access files on a Linux FS

You're right. A better idea is to implement a network redirector service and point GIMP at its drive letter. Likewise, a port of HJT to Linux might include a way to read registries other than that of the boot volume, possibly relying on a separate service to interpret the NT hive files.

Re:Still in Visual Basic (1)

sgt scrub (869860) | more than 2 years ago | (#39093645)

Not sure why was the summary written that way.

They are anticipating the translation to Javascript + HTML5. Isn't that what Microsoft replaced VisualBasic with?

Re:Still in Visual Basic (0)

Anonymous Coward | more than 2 years ago | (#39093665)

I think it's a snarky prod implying that the open source community should rewrite it in something else.

Easy enough to port to a faster language then (1)

Anonymous Coward | more than 2 years ago | (#39093835)

Like Borland Delphi, AND, that said? 64-bit ports are easy too (Delphi XE2).

* The reason I note this, is that this program, like so many others like it, read the registry (for malware traces, doubtless based on a single C/C++ style structure/Pascal-Object Pascal record variable that holds the signatures to look for so they can all be treated as a SINGLE variable whose elements get parsed & compared to a registry entry scanned...), and filesystems.

(No, I haven't SEEN the sourcecode, but I wager that's how it's done for efficiency's sake)...

Nice part is, that you'd end up with a faster program than VB yields as well (double bonus), AND, a 64-bit port's SIMPLE in Delphi (easier than any other language imo, that's not runtime interpreted that is - though you have that option in Delphi XE2 also (.NET)).

My guess is that it's a "Find First-Find Next" read of disks/files/folders AND registry entries for the most part (not a hell of a lot to learn & use really, once you "get the hang of it" in Win32/64)... but, that's just a guess (on how I'd design such a tool @ least).

APK

P.S.=> Porting VB to Delphi's pretty easy, and same with C++ to Delphi (or, vice-a-versa in both cases), so... there you are!

...apk

The reason I noted doing a 64-bit port... (1)

Anonymous Coward | more than 2 years ago | (#39093873)

Is that a 32-bit program does NOT have "full" registry hives access in 64-bit systems... hence, possibly WHY a 64-bit port's a GOOD idea - for now though? As long as malwares do NOT go "64-bit" as well?? 32-bit CAN & WILL "do the job"... for now, that is.

APK

P.S.=> Am I interested in this? No... got plenty of code to work on here myself, but it's worth pointing out for those who MAY indeed, be interested in this... apk

Re:The reason I noted doing a 64-bit port... (1)

LordLimecat (1103839) | more than 2 years ago | (#39094469)

Not an expert on this, but a program does not need to be 64-bit to access all parts of the registry, it just needs to be able to call another program that DOES have access to those parts. There's no reason I couldn't write a 32-bit program which calls "reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node" in order to get its results.

Re:The reason I noted doing a 64-bit port... (0)

Anonymous Coward | more than 2 years ago | (#39094539)

That's "a way" for a 'workaround', per this article -> http://msdn.microsoft.com/en-us/library/windows/desktop/ms724072(v=vs.85).aspx [microsoft.com] but, that's NOT how it is "by default" (which is where I was leading to & hence, the suggestion for a 64-bit port, & not just because 64-bit's the 'future' but because of this 'issue').

* Problem is, by default (especially in "older" code) programs don't HAVE that "workaround" incorporated either (older work of mine included, shown below)...

Proof/pertinent quote/excerpt:

"By default, a 32-bit application running on WOW64 accesses the 32-bit registry view and a 64-bit application accesses the 64-bit registry view."

From -> http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx [microsoft.com]

APK

P.S.=> I wrote a registry cleaner YEARS (heh, 14++ yrs. ago now for 32-bit) -> http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22APK+Registry+Cleaning+Engine%22&btnG=Search&gbv=1&sei=wVdBT6WtO6Tv0gH9g6yXCA [google.com] and "ran into this 'snag'" once I moved to 64-bit Windows 7 ... One of these days, I'll be "porting it" to 64-bit code (via Delphi XE2) though, when I find the time!

... apk

Results on READS maybe, but not writes (DELETE) (0)

Anonymous Coward | more than 2 years ago | (#39094625)

"The RegDeleteKey function cannot be used to access an alternate registry view."

and

"Note The Wow6432Node key is reserved. For compatibility, applications should not use this key directly."

* For a "full-blown" antivirus/antispyware/antimalware program (unlike HiJackThis, which is ONLY a reader/reporter really)? It won't work... not that I know of @ least!

APK

P.S.=> Those are the 'snags' you'd hit when attempting to do a "malware removal" program that does BOTH 32/64 bit...

Simply because part of THAT kind of work? Deletes (of malware registry entries)!

So - hence, why a 64-bit port's a "good idea" & especially into a faster language than VB or runtime interpreted ones like JAVA/.NET... I'd lean to C++ or Delphi on that account (very fast, & faster build times than ASM)...

... apk

Apologies: Didn't cite my source (MS)... (0)

Anonymous Coward | more than 2 years ago | (#39094857)

http://msdn.microsoft.com/en-us/library/aa384129(v=vs.85).aspx [microsoft.com]

APK

P.S.=> I am GLAD I brought this point up, and that you cited your "workaround-objection" (in case anyone decides to use HiJackThis' sourcecode now that it's open) - the reason I mention this, is simple: IT GIVES OTHERS A 'FOUNDATION' TO BUILD ON, but, more importantly?

This codebase's a potential foundation for a new antispyware/antivirus/antimalware application, and standing on the shoulders of giants here would be a way.

(1/2 way there @ least, or rather, a 1/3... because HiJackThis is ONLY A READER/REPORTER, and you'd have to have the 'signatures' of the malwares too (do they provide that? I wouldn't *think* so, but who knows!))

Yes... that's the other part that might be "prohibitive" & possibly impossible to acquire fast WITHOUT licensing (and would demand upkeep) as far as detection signatures.

The thing holding one back as I noted for this?

The RegKeyDelete... Thus, it looks as if you'd HAVE to have a 64-bit port really, to work on 64-bit reg view via reflection.

Re:Easy enough to port to a faster language then (1)

DMFNR (1986182) | more than 2 years ago | (#39096655)

Chances are if the open source community chose to rewrite this they probably wouldn't choose another locked-in proprietary language to do it. One way to ensure failure for a FOSS project is to use a language that people would have to pay to use. Kind of silly to have to pay hundreds of dollars to be able to develop free software for no pay. Also, far more developers are skilled with a language like C++ than Delphi these days. I have nothing against Delphi or the Object Pascal language, hell, there's even a pretty decent open source implementation in FPC / Lazarus, but it is almost never the right tool if you want to grow an open source project.

For stringwork Delphi/Object Pascal's great (0)

Anonymous Coward | more than 2 years ago | (#39097093)

In tests vs. MSVC++, Delphi literally DOUBLED it in string processing and mathwork too (in Visual Basic Programmer's Journal Sept/Oct 1997 issue "Inside the VB5 Compiler" issue - Delphi swept the floor with both, & took 6/10 tests and in a competing language's publication no less ironically).

* A tool like this one would use stringwork for comparisons of regkey reads vs. type record/structure of "badware" mugshots/signatures - I'd want that "instant speed advantage" in fact... fact is, that's why I noted it, & "leaned towards it" - that, or C++ variants (due more to portability here though).

HOWEVER:

Via the Delphi/C++ Builder XE2 RAD Studio, I can also target even Apple stuff...

Linux's possible too, via Kylix (but it needed 'hacks' to its configuration to run on Linux past 2004 or so - was like Delphi 5 really and produced by Borland also).

Anyhow/anyways - I like it for that. Build fast like VB started the ball rolling with, & then get C++ (or better in math & string work) performance!

I also like & use C++ (via various compilers), & it's good stuff too, & porting's possible (more pain in it than in Delphi though I have found) going 32->64 bit though... but it is widely used, and a high-performance code generator.

APK

P.S.=> AND, for 32 and 64 bit versions, and the same exact codebase too (sometimes you have to do typecast conversions making them bigger/wider though, especially bringing up older Delphi code into it for 64 bit, but that's not THAT hard, lol).

Using it, you build fast GUI interfaces like VB, and yet have the power & speed (more even) of MSVC++ (but faster buildtimes + compiles (Pascal's always been noted for unbelievably fast compile time really afaik & that's been since 1992 using it here)), per that test above I noted for example done in respectable publication, in performance of code (especially math & strings)... apk"

Re:Still in Visual Basic (0)

Anonymous Coward | more than 2 years ago | (#39093991)

Looking at the code, it would be pretty trivial to move it up to VB.NET, at which point it can be migrated over to any of the other .NET languages for easier maintaining. It'll always be tightly coupled to Windows though, as most of what it does is related to Windows API calls.

Not just for helpdesk and your family (5, Interesting)

ReallyEvilCanine (991886) | more than 2 years ago | (#39093617)

HijackThis ain't just for helpdesk monkeys; we use it constantly in Enterprise software testing. Server works fine, Client works fine, OS checks out, software ain't working. Run HT and find the culprit pretty quickly, and when your customers are telcos and banks doing short-cycle upgrades for occasionally legit reasons, your on-site guys need to find fast answers.

Re:Not just for helpdesk and your family (4, Informative)

DigiShaman (671371) | more than 2 years ago | (#39093841)

I prefer Autoruns, Process Explorer, and Process Monitor.

Short of nuke and paving the machine, I can clean up even the most foul and neglected of servers and workstations. Sometimes it's just more cost effective to replace it with a new one including data migration. YMMV.

http://technet.microsoft.com/en-us/sysinternals/bb545027 [microsoft.com]

A second vote for Russinovich's tools (2)

Sycraft-fu (314770) | more than 2 years ago | (#39094097)

I always used to say "These are so useful, MS should buy them and make them official." Well, they did. They are top notch for when you need to do some finer diagnosis on what is going on with a system.

I also pull them out when I have some old software that refuses to run without being an admin. By monitoring file access, registry access, and so on I have always been able to find out what it needs to run deprivileged.

Re:A second vote for Russinovich's tools (1)

fluffy99 (870997) | more than 2 years ago | (#39097303)

I always used to say "These are so useful, MS should buy them and make them official." Well, they did. They are top notch for when you need to do some finer diagnosis on what is going on with a system.

I also pull them out when I have some old software that refuses to run without being an admin. By monitoring file access, registry access, and so on I have always been able to find out what it needs to run deprivileged.

They also got the author, Mark Russinovich, who knew the ins and outs of some of the MS internals better than Microsoft themselves.

Yes, the sysinternals stuff really kicks butt.

Re:Not just for helpdesk and your family (2)

LordLimecat (1103839) | more than 2 years ago | (#39094493)

Second. HJT was replaced by the Sysinternals top 3 (Autoruns, ProcessExplorer, Process Monitor) about the time TrendMicro acquired it and stopped maintaining it.

It was useful for some things, but Autoruns very quickly surpassed it, and virus removal (what HJT was supposedly better at) wasn't really doable once advanced rootkits started appearing around that time and HJT took no countermeasures.

Autoruns is also a lot better laid out, and is constantly updated with new features.

Re:Not just for helpdesk and your family (3, Interesting)

ReallyEvilCanine (991886) | more than 2 years ago | (#39094593)

I love SysInternals and have the original Winternals files on an old 3.2 SCSI-II somewhere (or maybe buried somewhere in a /win//utils/OS/win directory on my server). Run as many SysInternals as you want and find me the BHO that's preventing an ActiveX control from passing info through a hidden helper browser window. You can sit all day with Proc* looking for that. I want to find a bad thread or spin or memleak, yeah, SysInternals all the way.

HT is by no means dead; you can spend a lot of extra time putting a screw through a board with a hammer but a screwdriver is probably the better and more efficient choice for the job.

Re:Not just for helpdesk and your family (2)

Trax3001BBS (2368736) | more than 2 years ago | (#39094943)

Oh ya I'm on top of www.SysInternals.com became a fan with Process Explorer.

Sysinternals Suite is in my path as I find Process Monitor very helpful as well as WHOIS.

I've found, with WinXP and below at least, that if you run Process Monitor (log) and get a BlueScreenOfDeath, searching the log for faultrep.dll finds your problem just lines above it (depending upon your filters).

But I also use Hijackthis and have suggested it to a lot of people in my time on alt.24hoursupport.helpdesk

It's a down and dirty way of seeing how things look. I'll run it every so often, then paste the results to http://hijackthis.de/en [hijackthis.de], bypassing the need to log in to Trend Micro.

Re:Not just for helpdesk and your family (1)

Krneki (1192201) | more than 2 years ago | (#39098033)

I agree with you, but I still use HijackThis, even if its time has passed and it's not as useful as it was on Windows XP.

Re:Not just for helpdesk and your family (1)

antdude (79039) | more than 2 years ago | (#39106285)

http://www.nirsoft.net/ [nirsoft.net] is also pretty good with its utilities.

I'd be interested... (1)

Okomokochoko (1490679) | more than 2 years ago | (#39093689)

...to see how HJT does what it does (in source). AFAIK, it's one of the better tools for finding things that get missed by most AV packages. Dangerous but comprehensive.

Re:I'd be interested... (1)

Lehk228 (705449) | more than 2 years ago | (#39093865)

How it works is pretty clear from its output and how it categorizes its output. Rather than scanning the whole system, it looks at all the places code or malicious configuration can hook into Windows and lists all items using those hooks. It does not evaluate said items for badness, which makes it very powerful and useful; it can just as easily clean up a benign but botched install or botched uninstall that is still partially loading. Honestly Microsoft should have acquired it and made it part of Task Manager or msconfig.

Here was my guess on its "mechanics" (0)

Anonymous Coward | more than 2 years ago | (#39093909)

http://news.slashdot.org/comments.pl?sid=2680271&cid=39093835 [slashdot.org]

And, I'd wager I am pretty fairly CLOSE to how it does, what it does...

(I've written enough stuff like it since 1994's all the way through the Win16/32/64 strata's why (in the freeware/shareware and commercial software world)).

APK

P.S.=> I haven't SEEN the sourcecode, but... I'd wager my idea's @ least CLOSE to what it does, & how it goes about it... for those of you that DO look @ it?? Please - Feel FREE to correct me assuming my "guesswork's" wrong/off...apk

Which license, bitches? (-1)

Anonymous Coward | more than 2 years ago | (#39093747)

Saying "open source" is fairly useless...

Re:Which license, bitches? (5, Informative)

liamevo (1358257) | more than 2 years ago | (#39093793)

http://sourceforge.net/projects/hjt/ [sourceforge.net]

/me looks under license
/me looks at you

Was that hard?

Many thanks to HijackThis's creator! (3, Insightful)

acidradio (659704) | more than 2 years ago | (#39093763)

I think the IT world collectively owes Merijn Bellekom some beers. Think about how many of us his tool has helped out over the years!

Re:Many thanks to HijackThis's creator! (0)

Anonymous Coward | more than 2 years ago | (#39094741)

Amen.

Re:Many thanks to HijackThis's creator! (0)

Anonymous Coward | more than 2 years ago | (#39095071)

I suggest sending Merijn Bellekom a "kiva.org" gift card. He will surely appreciate that, and his good name will be recognized all around the world.

Auto detect? (2)

Anonymous Coward | more than 2 years ago | (#39093781)

I would like so much to have a HijackThis that runs after every program installation (and possibly every hour) and warns me each time my configuration has changed, just to know that something fishy has possibly happened.

Register a timer w/ the system, and... (0)

Anonymous Coward | more than 2 years ago | (#39094341)

Monitor for size changes (easy) to the registry files here -> C:\Windows\System32\config ... Pretty easy, & would signal that something has altered the registry. Of course, there'd be LOADS of "false positives" because the registry does change (gets read/written to, like mad, & especially harmlessly by apps saving recently used filelists, etc./et al)... this @ least, would "alarm/signal" changes are indeed, occurring, but?? It's NOT very specific and would yield "falsies"... Especially @ System Restart.

Now, barring that "primitive method"?

* You could do the same, & monitor SPECIFIC areas of the registry (or filesystem for that matter in folders/files you choose), by the same method (timers) - wouldn't be too difficult really in concept, especially considering that HiJackThis already monitors many of the areas concerned as far as malware, and all you'd have to do is set those routines into operation off said timer.

APK

P.S.=> It'd still be work, but... You'd be surprised that it's not "turning the sky green & grass blue" doing it, & again:

IF you were to start out with say, this HiJackThis codebase?? It'd be pretty short work imo/estimation because it has routines that already do the job (but, still work, but not "loads more" than the program source already does)... apk
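As an added example (not HijackThis code and not from any poster in this thread), here is a PowerShell script that does what the comment above sketches and also covers the WOW64 point raised earlier in the thread: it enumerates the Run/RunOnce autostart values by requesting each registry view explicitly, so the result is the same whether the process is 32- or 64-bit, and diffs them against a saved baseline so it can be run from a scheduled task to flag changes. The baseline file location and the -Baseline switch are my own choices.

```powershell
# Added example (not HijackThis code): list Run/RunOnce autostart values in
# BOTH WOW64 registry views and diff them against a saved baseline.
# Usage:  .\autostart-watch.ps1 -Baseline     (record current state)
#         .\autostart-watch.ps1               (report changes; schedule this)
param(
    [string]$BaselinePath = "$env:ProgramData\autostart-baseline.json",  # assumed location
    [switch]$Baseline
)

$SubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # A 32-bit process opening HKLM\Software with the default view is redirected
    # to Wow6432Node, so each view is requested explicitly via OpenBaseKey.
    # HKCU\Software is not redirected (only its Classes subtree is), so one view
    # is enough there.
    $targets = @(
        @{ Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; View = [Microsoft.Win32.RegistryView]::Registry64 },
        @{ Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; View = [Microsoft.Win32.RegistryView]::Registry32 },
        @{ Hive = [Microsoft.Win32.RegistryHive]::CurrentUser;  View = [Microsoft.Win32.RegistryView]::Registry64 }
    )
    $results = @()
    foreach ($t in $targets) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($t.Hive, $t.View)
        foreach ($sub in $SubKeys) {
            $key = $base.OpenSubKey($sub)
            if ($null -eq $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                $results += [pscustomobject]@{
                    Id    = "$($t.Hive)/$($t.View)/$sub/$name"
                    Value = [string]$key.GetValue($name)
                }
            }
            $key.Close()
        }
        $base.Close()
    }
    return $results
}

function Compare-Autostart([string]$Path) {
    # Returns one line per added, removed or changed value; empty means no change.
    if (-not (Test-Path $Path)) { throw "No baseline at $Path; run with -Baseline first." }
    $old = @{}
    foreach ($e in @(Get-Content -Raw $Path | ConvertFrom-Json)) { $old[$e.Id] = $e.Value }
    $new = @{}
    foreach ($e in @(Get-AutostartEntries)) { $new[$e.Id] = $e.Value }
    $changes = @()
    foreach ($id in $new.Keys) {
        if (-not $old.ContainsKey($id)) { $changes += "ADDED   $id = $($new[$id])" }
        elseif ($old[$id] -ne $new[$id]) { $changes += "CHANGED $id : $($old[$id]) -> $($new[$id])" }
    }
    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) { $changes += "REMOVED $id = $($old[$id])" }
    }
    return $changes
}

if ($Baseline) {
    ConvertTo-Json -InputObject @(Get-AutostartEntries) | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
} else {
    $changes = @(Compare-Autostart $BaselinePath)
    if ($changes.Count -eq 0) { "No autostart changes since baseline." }
    else { foreach ($c in $changes) { Write-Warning $c } }
}
```

Run the baseline step on a machine you trust, and re-run the comparison on a timer (a scheduled task is the supported equivalent of the "register a timer" idea above); a legitimate install will show up as an ADDED line too, so the output is a prompt to look, not a verdict.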

Re:Auto detect? (1)

leuk_he (194174) | more than 2 years ago | (#39095021)

That is the whole issue with using a power tool like hijackthis. Define "fishy". Besides that, you are too late after the fact. With rootkits nowadays you only find 95% of the evil stuff.

You need some virtualisation/sandboxing/fine grained access list to have an early warning system.

Fixing after the fact is the same as system restore in windows....

Re:Auto detect? (1)

tokul (682258) | more than 2 years ago | (#39097471)

Search for SpyBot Search and Destroy in your favorite search engine and check TeaTime manual.

Re:Auto detect? (0)

Anonymous Coward | more than 2 years ago | (#39105547)

Mike Lin's Startup Monitor [mlin.net] is an ultra-simple version of what you're asking for.

Another unit test for the malware writers (1)

gringer (252588) | more than 2 years ago | (#39094915)

If they aren't already doing this, an open source product should make it a bit easier for the malware writers to test out how well hidden their product is (or how closely it represents the noise experienced during a normal day of computing).

High Jack This, Fags (-1)

Anonymous Coward | more than 2 years ago | (#39096339)

http://en.wikipedia.org/wiki/Fag_bomb

Maybe I'm stupid or something... (0)

idbeholda (2405958) | more than 2 years ago | (#39097021)

But has anyone else noticed the /src folder is empty?

Re:Maybe I'm stupid or something... (1)

Spacejock (727523) | more than 2 years ago | (#39097377)

Click on the Code tab and it'll give you the subversion command to download the source tree. You can also grab a tarball from this page: http://hjt.svn.sourceforge.net/viewvc/hjt/ [sourceforge.net]

And while I'm commenting ... as a VB programmer going way back to QB45, GFA Basic on the Atari, and Sinclair Basic on the Spectrum, it'll be nice to finally be able to download and play with the source for one of these utils.

Anyone Notice the value for sEncryptionPhrase (0)

Anonymous Coward | more than 2 years ago | (#39099255)

Muhaha... no respect these days.

how many people actually viewed the source code? (0)

Anonymous Coward | more than 2 years ago | (#39106807)

Looking at the source, specifically modEncrypt.bas:

    sEncryptionPhrase = "F*CK YOU SPYWARENUKER AND BPS SPYWARE REMOVER!"

Love it! Freedom of speech.. self expression.. Now of course, if you worked for someone who could fire you over such remarks, that could be a problem.
