Open Source Security News

Security Tool HijackThis Goes Open Source

Posted by samzenpus
from the check-it-out dept.
wiredmikey writes "The popular free security tool HijackThis has been open sourced by its owner, Trend Micro. The tool scans systems to find settings that may have been modified by spyware, malware or other programs that have wiggled their way onto a system and caused problems. Downloaded over 10 million times, HijackThis generates reports to help users analyze and fix an infected or problem computer. But the tool is not designed for novices – and doesn't actually determine what's good or bad. That's up to you, but it is a good way to keep an eye on things and possibly locate anomalies that may have been missed by other security products. Trend Micro warns that if you don't know what you're doing, it's probably not a good idea to make any changes to your computer settings and system files. Trend Micro acquired the tool from creator Merijn Bellekom in 2007, and has offered it for free ever since, but now is making the code available to the public. The code, originally written in Visual Basic, is now officially available at Sourceforge here."
  • by Ritz_Just_Ritz (883997) on Sunday February 19, 2012 @01:46PM (#39093519)

    My PHB says that free stuff can't be any good. Surely, we'd be much better off by throwing 7 figures at Symantec. ;)

    • Re:Free = no good (Score:5, Insightful)

      by bws111 (1216812) on Sunday February 19, 2012 @01:50PM (#39093557)

      More likely he says that free stuff without vendor support is no good, and for most businesses he is right.

      • Re:Free = no good (Score:5, Insightful)

        by Creepy (93888) on Sunday February 19, 2012 @02:57PM (#39094033) Journal

        That is if you need to have accountability, such as selling or providing to a customer (this would be the latter - IT provides for its "customers" which are end users to them) but I think our developers use notepad++ for editing files more than any other program, so there are exceptions, and let's face it - if that tool breaks, there's always notepad. It is on our site license approved software download page even (for free and commercial tools we have a site license to download and self install), so it has passed through upper management and legal, but I'll admit the one there is an old GPL-2 licensed version - I don't know if it hasn't been updated because of legal concerns about GPL-3 or they just haven't gotten around to it, though (I know GPL-3 libraries are forbidden, but not sure about apps).

        In the case of HijackThis you are responsible for your own accountability, since it doesn't remove anything unless you tell it to, and a good IT person will back up the registry before making any changes to it (and know what is and is not a legit program).

        • by X0563511 (793323)

          I can't see how a program could be forbidden just by being GPL3. From my understanding, the GPL does not "protect" or "infect" (depending on your perspective) program output - merely said program's code (be it for execution or linking (and execution)).

      • Re: (Score:2, Insightful)

        by mysidia (191772)

        More likely he says that free stuff without vendor support is no good, and for most businesses he is right.

        It's not just about Vendor support; it's also about Tool capabilities, Tool quality, and meeting a business need. Businesses don't want to spend a lot of time manually "cleaning up" after malware infections; they want to prevent them.

        If the infection beats the protection, then the cleanup must be fast and fully automated, otherwise it's more efficient to re-image in this situation.

        HJT is for

        • More likely he says that free stuff without vendor support is no good, and for most businesses he is right.

          It's not just about Vendor support; it's also about Tool capabilities, Tool quality, and meeting a business need. Businesses don't want to spend a lot of time manually "cleaning up" after malware infections; they want to prevent them.

          So what's the business need of Symantec's Endpoint Client? Malware steamrollers over it all the time, even with the latest definitions.

          • by mysidia (191772)

            So what's the business need of Symantec's Endpoint Client? Malware steamrollers over it all the time, even with the latest definitions.

            That's because the software fails to do what it's actually supposed to do. If the software were effective, the featureset would make it a clear winner over the free product. Because in actual practice the Symantec software doesn't do what it's supposed to do, an Engineer experienced with it could tell you that all those checkboxes are worthless.

            In a number of large comp

            • by onepoint (301486)

              it's a tool, and the tool is only as good as the person using it.
              I love it since it helps me examine the problems before trying a solution.
              is it an endpoint solution for the masses ... nope not one bit.
              is it a good tool for the IT department to have on the flash drive at all times ... Yep, it's a tool to look inside before doing the surgery.
               

              • by mysidia (191772)

                it's a tool, and the tool is only as good as the person using it.

                A tool is also only as good as the functionality it provides. You don't use a hammer to make a chocolate cake.

                HiJackThis is a useful tool, but its application is extremely constrained -- it's a tool to be used by an expert/specialist to attempt to manually remove an infection.

                This has many applications, but its uses are not compatible with IT best practices for Enterprise security. In the Enterprise, the main job of security software is

        • by Rakishi (759894)

          If the infection beats the protection, then the cleanup must be fast and fully automated, otherwise it's more efficient to re-image in this situation.

          Define more efficient. Do the hours upon hours someone spends re-installing and re-configuring their system after a re-image count? What about the time spent reloading data from backups? And the time making an image because the last backup was a week ago? Then having to manually reload the files that have changed since that time?

          • Re:Free = no good (Score:4, Insightful)

            by mysidia (191772) on Sunday February 19, 2012 @08:10PM (#39095953)

            Do the hours upon hours someone spends re-installing and re-configuring their system after a re-image count?

            The image is supposed to be taken after the install is fully configured with all the role-specific software.

            What about the time spent reloading data from backups?

            No data requiring backup is allowed to be on endpoints. Any documents should be in the user's profile which gets redirected to a place on the server.

            • by X0563511 (793323)

              Not everyone works in a functional cubicle where they all use the same software to do the same thing, and the only thing that shouldn't be persistent is the output data itself.

              You're confusing bean counters, data entry, and script readers with just about everyone else who needs some flexibility.

          • by Kalriath (849904)

            You manually reinstall your software? We just network boot the machine to reinstall Windows from our gold image, and once done the software will automatically push to it and install with no user intervention. Reconfiguring indeed.

        • by hairyfeet (841228)

          While I agree about meeting a business need, sometimes free works quite well. For example I give my SMBs Comodo Internet Security [comodo.com] which is free for BOTH home and business use and works great. If later on they run into some situation where they actually need support Comodo will be happy to sell them support, so if they have no problems then it costs nothing. I've found if you use Win 7 (with its ASLR and DEP) along with Comodo Dragon with ABP (Dragon supports Win 7 low rights mode by default) and then finally

          • by berzerke (319205)

            ...I give my SMBs Comodo Internet Security which is free for BOTH home and business use and works great...

            While I do use Comodo myself, don't think for a second that its anti-virus engine is very good. It's not. If you want a good AV scanner, go with Kaspersky or Bitdefender, although neither are free :(.

            Where Comodo shines is its defense plus engine, which lets you know that something suspicious is going on. Answer the pop-ups properly, and nothing will get through. But that's the key, "Answer properly".

            • by hairyfeet (841228)

              Actually you must not have tried Comodo CIS lately, as they now don't ask the user much at all and have a "default deny" policy that covers a good 90%+ of use cases. The only false positives I've seen is my gamer relatives using trainers, which, considering trainers work by modding others' code, I don't know if that should count as a false positive or not. But I agree you shouldn't rely on ANY AV by itself; defense should be in depth, which is why I give them Comodo CIS along with Comodo Dragon on Windows 7 with C
      • by phorm (591458)

        I'll update that to say:
        More likely he says that free stuff without *good* vendor support is no good, and for most businesses he is right.

        I've seen several cases these days with large vendors where their support was quite shoddy. Their support people don't seem to know much about their product (especially for win-centric products with a linux component), they take forever to turn around a case and love to play wheel-of-blame where they'll try and put any possible issues on your system/configu

    • Re: (Score:3, Funny)

      by jo_ham (604554)

      If you use Symantec you'll certainly be throwing *something* at them.

    • by Lumpy (12016) on Sunday February 19, 2012 @02:12PM (#39093717) Homepage

      7 figures? You guys only buy low-grade garbage. You should buy 8 or 9 figure solutions.

    • by Ardyvee (2447206)

      I'll assume that the beeping I hear so loud is the sarcasm-meter.

      It's a move that'll give them good PR with the Open Source guys AND possibly leave them off the hook on maintaining the tool. Or maybe they just want to be good guys and let the tool evolve by other means (if it evolved at all in these past few years). No idea, tho.

    • Back when I was in high school I heard about something called "Lee-nux", so I asked our network admin, who was more knowledgeable than the actual IT teachers. His reply could be summed up as "Pfft! It's a waste of time! You get what you pay for, boy."

      Thinking back, I could kick him for setting my curiosity back by what must have been years.

      These days I still don't use Linux, but not because it's free. I did recently retire an old fileserver running BSD, though.

      • by tnk1 (899206)

        Thing is... he was right, from a professional perspective. Do not underestimate the amount of work that was needed to turn Linux into a kernel that could support an enterprise level requirement. If anything Linux was more a triumph of the open source model than a triumph of Linus' code (although that certainly was not terrible).

        If you were a hobbyist, Linux was great, and it goes without saying that it had what it took to be turned into something great. Still, when you ask a pro what he thinks of what wa

        • If you were a hobbyist, Linux was great, and it goes without saying that it had what it took to be turned into something great. Still, when you ask a pro what he thinks of what was, at the time, a toy, the response was predictable.

          What galls me in retrospect is that I was a hobbyist, and the admin was not what I now consider a pro, considering how badly run the network was in those days. With respect to your comment on Linux being a toy at that time, all I can say is that you've overestimated my age by quite a bit: at that time Red Hat were doing pretty well, all things considered.

          Of course, if I was looking for enthusiastic encouragement then talking to an overworked admin that had to deal with a couple of thousand students was pro

        • by dimko (1166489)

          Sure thing, and companies like IBM are wrong. And Red Hat makes no money.

          • by bws111 (1216812)

            I'm pretty sure IBM and Red Hat were some of the major players that did the work he is talking about.

  • by svick (1158077) on Sunday February 19, 2012 @01:48PM (#39093533)

    Since it was "originally written in Visual Basic", I wonder what language it uses now?

    It turns out, it still uses Visual Basic. Not sure why the summary was written that way.

    • Say I find a Windows PC, remove its hard drive for analysis, put it in a USB enclosure, and mount it read-only on a Linux box to make the scan process immune to boot-sector malware. Is there a Free compiler capable of compiling Visual Basic code? As of a year ago [stackoverflow.com], there wasn't. If not, the program is Java trapped [gnu.org].*

      * The term's origin is historical; Java itself is no longer Java trapped, but plenty of other languages and APIs are.

      • Re:Java trapped (Score:4, Insightful)

        by Anonymous Coward on Sunday February 19, 2012 @01:57PM (#39093611)

        You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.

        • Re:Java trapped (Score:5, Informative)

          by Voyager529 (1363959) on Sunday February 19, 2012 @02:17PM (#39093757)

          You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.

          This.

          If you're that averse to installing Windows on something, check out some of the bootable diagnostic tools like the UBCD4Win project, the newer releases of Hiren's Boot CD (That are now pirated-software free), or HawkPE. They run right off the disc and have HijackThis - along with a plethora of other cleanup tools - pre-configured.

          • by Creepy (93888)

            There are a bunch here:
            http://livecdlist.com/purpose/windows-antivirus [livecdlist.com]

            I've had better luck finding rootkits with bitdefender and kaspersky than Hiren, but taking a look at their page it looks like they've shored up the rootkit detection (MalwareBytes is pretty good at that - didn't have any luck with rootkitrevealer when I tried it, though - it failed to detect a rootkit that bitdefender found, and I knew the machine was rootkitted as well as the rootkit name - I also pulled off 3 yet unidentified virus vari

          • That are now pirated-software free

            How so, if they contain Windows?

            • To be honest, I too questioned that a smidge, given that the UBCD4Win project distributes a builder that requires a Windows CD to work, whereas Hiren distributes an ISO. While common sense says "if you have an XP disc for the purpose you've fulfilled the legal requirements", especially if you also have a hosed hard disk that carries a licensed copy of Windows requiring disinfecting, it'd be down to a group of lawyers to determine whether it's entirely legal or not.

              What I was referring to was the fact that t

          • by Kalriath (849904)

            Hiren's Boot CD (That are now pirated-software free)

            No they're not. Windows PE is only licensed for use with approved software under a contract arrangement with Microsoft. Hiren's Boot CD is not one of them, hence the Windows environment used on Hiren's CD is pirated.

        • by eldorel (828471)

          I hate to feed the troll, but people reading this thread might not be aware of this.

          FACT: Attempting to clean a virus with the same os it was designed to infect is NOT a good idea.

          There are a lot of viruses that are designed to exploit things like malformed shortcut files, bugs in the way windows mounts hard drives, or even bugs in the code that checks for the amount of free space on a drive. Ref:(google: "lnk exploit")

          If you connect a drive infected with one of these viruses to a windows computer

        • You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.

          True, but why does mounting a USB hard drive read-only require modifying the registry [motersho.com]?

          • by fluffy99 (870997)

            True, but why does mounting a USB hard drive read-only require modifying the registry [motersho.com]?

            Because 99.9999% of the users never have any desire to mount anything other than read/write.

            I wrote a little app that toggles this registry setting back-n-forth. It's in the startup on all our machines containing sensitive data. By default all the usb stuff gets mounted read-only. If you want to write to it, you need to run the app prior to plugging it in to temporarily allow read-write mounting. (Yes I realize it's not a foolproof solution, but it does add some protection against accidental data spilla

        • Sure, do you have a 120 bucks for me?

      • by jo_ham (604554)

        So it's not open source enough?

        It wasn't open source at all until recently!

      • Is there a Free compiler capable of compiling Visual Basic code?

        A quick google search led me to several sites that say Mono now includes a Visual Basic compiler. I haven't verified this myself.

        • Despite the similar name, they're not the same. Mono supports Visual Basic .NET, which is a language both syntactically and semantically different.

          • Didn't Microsoft once provide a translation tool useful for porting a Visual Basic application to VB.NET, not unlike what the Python Software Foundation would later provide around the 2.6 days?

            • Yep... it was called Visual Basic.Net ... I haven't tried in the newer versions, but the first VB.Net (2005 was it?) did a pretty horrid job with my relatively small VB 6 apps. I actually ended up just re-writing them all.

      • It doesn't matter terribly much. As anyone who does this type of thing might know, most (basically all) of these types of Windows-based programs which access the registry rely on kernel and system mechanisms to read/write the registry.

        In other words, it's great if you have it running under Wine, but it won't actually do anything because Wine doesn't provide mechanisms for reading an actual NT registry. There are two programs I know of which re-implement those mechanisms under Linux: the NT Password reset / ed

        • it would be rather like expecting The Gimp to implement ext4 read / write functions so that one can launch it under windows and access files on a Linux FS

          You're right. A better idea is to implement a network redirector service and point GIMP at its drive letter. Likewise, a port of HJT to Linux might include a way to read registries other than that of the boot volume, possibly relying on a separate service to interpret the NT hive files.

    • by sgt scrub (869860)

      Not sure why the summary was written that way.

      They are anticipating the translation to Javascript + HTML5. Isn't that what Microsoft replaced VisualBasic with?

    • Like Borland Delphi, AND, that said? 64-bit ports are easy too (Delphi XE2).

      * The reason I note this, is that this program, like so many others like it, read the registry (for malware traces, doubtless based on a single C/C++ style structure/Pascal-Object Pascal record variable that holds the signatures to look for so they can all be treated as a SINGLE variable whose elements get parsed & compared to a registry entry scanned...), and filesystems.

      (No, I haven't SEEN the sourcecode, but I wager that's ho

      • by Anonymous Coward

        Is that a 32-bit program does NOT have "full" registry hives access in 64-bit systems... hence, possibly WHY a 64-bit port's a GOOD idea - for now though? As long as malwares do NOT go "64-bit" as well?? 32-bit CAN & WILL "do the job"... for now, that is.

        APK

        P.S.=> Am I interested in this? No... got plenty of code to work on here myself, but it's worth pointing out for those who MAY indeed, be interested in this... apk

        • Not an expert on this, but a program does not need to be 64-bit to access all parts of the registry, it just needs to be able to call another program that DOES have access to those parts. There's no reason I couldn't write a 32-bit program which calls "reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node" in order to get its results.

      • by DMFNR (1986182)

        Chances are if the open source community chose to rewrite this they probably wouldn't choose another locked-in proprietary language to do it. One way to ensure failure for a FOSS project is to use a language that people would have to pay to use. Kind of silly to have to pay hundreds of dollars to be able to develop free software for no pay. Also, far more developers are skilled with a language like C++ than Delphi these days. I have nothing against Delphi or the Object Pascal language, hell there's eve

  • by ReallyEvilCanine (991886) on Sunday February 19, 2012 @01:58PM (#39093617) Homepage

    HijackThis ain't just for helpdesk monkeys; we use it constantly in Enterprise software testing. Server works fine, Client works fine, OS checks out, software ain't working. Run HT and find the culprit pretty quickly, and when your customers are telcos and banks doing short-cycle upgrades for occasionally legit reasons, your on-site guys need to find fast answers.

    • by DigiShaman (671371) on Sunday February 19, 2012 @02:28PM (#39093841) Homepage

      I prefer Autoruns, Process Explorer, and Process Monitor.

      Short of nuke and paving the machine, I can clean up even the most foul and neglected of servers and workstations. Sometimes it's just more cost effective to replace it with a new one including data migration. YMMV.

      http://technet.microsoft.com/en-us/sysinternals/bb545027 [microsoft.com]

      • I always used to say "These are so useful, MS should buy them and make them official." Well, they did. They are top notch for when you need to do some finer diagnosis on what is going on with a system.

        I also pull them out when I have some old software that refuses to run without being an admin. By monitoring file access, registry access, and so on I have always been able to find out what it needs to run deprivileged.

        • by fluffy99 (870997)

          I always used to say "These are so useful, MS should buy them and make them official." Well, they did. They are top notch for when you need to do some finer diagnosis on what is going on with a system.

          I also pull them out when I have some old software that refuses to run without being an admin. By monitoring file access, registry access, and so on I have always been able to find out what it needs to run deprivileged.

          They also got the author, Mark Russinovich, who knew the ins and out of some of the MS internals better then Microsoft themselves.

          Yes, the sysinternals stuff really kicks butt.

      • Second. HJT was replaced by the Sysinternals top 3 (Autoruns, ProcessExplorer, Process Monitor) about the time TrendMicro acquired it and stopped maintaining it.

        It was useful for some things, but Autoruns very quickly surpassed it, and virus removal (what HJT was supposedly better at) wasn't really doable once advanced rootkits started appearing around that time and HJT took no countermeasures.

        Autoruns is also a lot better laid out, and is constantly updated with new features.

      • by ReallyEvilCanine (991886) on Sunday February 19, 2012 @04:27PM (#39094593) Homepage

        I love SysInternals and have the original Winternals files on an old 3.2 SCSI-II somewhere (or maybe buried somewhere in a /win//utils/OS/win directory on my server). Run as many SysInternals as you want and find me the BHO that's preventing an ActiveX control from passing info through a hidden helper browser window. You can sit all day with Proc* looking for that. I want to find a bad thread or spin or memleak, yeah, SysInternals all the way.

        HT is by no means dead; you can spend a lot of extra time putting a screw through a board with a hammer but a screwdriver is probably the better and more efficient choice for the job.

      • Oh yeah, I'm on top of www.SysInternals.com; I became a fan with Process Explorer.

        Sysinternals Suite is in my path, as I find Process Monitor very helpful as well as WHOIS.

        I've found, with WinXP and below at least, that if you run Process Monitor (log) and get a BlueScreenOfDeath,
        searching the log for faultrep.dll - your problem is just lines above it (depending upon your filters).

        But I also use Hijackthis and have suggested it to a lot of people in my time on alt.24hoursupport.helpdesk

        It's a down and dirty way of seeing

      • by Krneki (1192201)

        I agree with you, but I still use Hijackthis, even if the time has passed and it's not that useful as it was on Windows XP.

      • by antdude (79039)

        http://www.nirsoft.net/ [nirsoft.net] is also pretty good with its utilities.

  • ...to see how HJT does what it does (in source). AFAIK, it's one of the better tools for finding things that get missed by most AV packages. Dangerous but comprehensive.

    • by Lehk228 (705449)

      How it works is pretty clear from its output and how it categorizes its output: rather than scanning the whole system, it looks at all the places code or malicious configuration can hook into Windows and lists all items using those hooks. It does not evaluate said items for badness, which makes it very powerful and useful; it can just as easily clean up a benign but botched install or botched uninstall that is still partially loading. Honestly Microsoft should have acquired it and made it part of task manage

  • by acidradio (659704) on Sunday February 19, 2012 @02:18PM (#39093763)

    I think the IT world collectively owes Merijn Bellekom some beers. Think about how many of us his tool has helped out over the years!

  • by Anonymous Coward

    I would like so much to have a HijackThis that runs after every program installation (and possibly every hour) that warns me each time my configuration has changed, just to know that something fishy has possibly happened.

    • by leuk_he (194174)

      That is the whole issue with using a power tool like hijackthis. Define "fishy". Besides that, you are too late after the fact. With rootkits nowadays you only find 95% of the evil stuff.

      You need some virtualisation/sandboxing/fine grained access list to have an early warning system.

      Fixing after the fact is the same as system restore in windows....

    • by tokul (682258)

      Search for SpyBot Search and Destroy in your favorite search engine and check TeaTime manual.
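The "warn me when my configuration changed" workflow asked for above, as an added example that is not part of this thread or of HijackThis itself: it keys each O2/O4/O23 line of two saved reports by the hook slot it occupies (BHO CLSID, Run value name, service name) and reports slots that were added, removed or re-pointed since the baseline, so a Run entry that keeps its name but now points at a different binary shows up as a change rather than as an unrelated add/remove pair. The log lines are constructed for illustration, and the O-numbered line format is assumed from the style of HijackThis reports.

```python
import re
from typing import Dict, List

# Constructed sample reports in the style of a HijackThis log (the O-numbered
# sections it uses for browser helper objects, Run keys and services). The
# entries are made up for illustration; they are not output from a real machine.
BASELINE_LOG = """\
O2 - BHO: Example PDF Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [UpdaterSvc] "C:\\Program Files\\Example\\updater.exe" /background
O4 - HKCU\\..\\Run: [Sidebar] C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun
O23 - Service: Example Device Service - Example Inc. - C:\\Program Files\\Example\\devsvc.exe
"""

CURRENT_LOG = """\
O2 - BHO: Example PDF Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\\Users\\alice\\AppData\\Local\\Temp\\tbhelper.dll
O4 - HKLM\\..\\Run: [UpdaterSvc] C:\\Users\\alice\\AppData\\Roaming\\svchost.exe
O4 - HKCU\\..\\Run: [Sidebar] C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun
"""

# Per-section patterns: group 'key' identifies the hook slot, group 'detail'
# is what currently occupies it. Same slot with a different detail = replaced.
PATTERNS = [
    # O4 - <hive\..\Run>: [<value name>] <command line>
    re.compile(r"^(?P<sec>O4) - (?P<key>\S+: \[[^\]]+\]) (?P<detail>.*)$"),
    # O2 - BHO: <display name> - {<CLSID>} - <dll path>
    re.compile(r"^(?P<sec>O2) - BHO: (?P<name>.*?) - (?P<key>\{[0-9A-Fa-f-]+\}) - (?P<detail>.*)$"),
    # O23 - Service: <service name> - <vendor> - <image path>
    re.compile(r"^(?P<sec>O23) - Service: (?P<key>.*?) - (?P<detail>.*)$"),
]


def parse_log(text: str) -> Dict[str, str]:
    """Map each hook slot (e.g. 'O4 HKLM\\..\\Run: [Name]') to its current occupant."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                name = m.groupdict().get("name")
                detail = f"{name} - {m['detail']}" if name else m["detail"]
                entries[f"{m['sec']} {m['key']}"] = detail
                break
        else:
            # Sections without a dedicated pattern: the whole line is the slot,
            # so any edit to such a line surfaces as a remove plus an add.
            entries[line] = ""
    return entries


def diff_logs(baseline: str, current: str) -> Dict[str, list]:
    """Report hook slots that appeared, disappeared, or changed occupant."""
    old, new = parse_log(baseline), parse_log(current)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


def format_report(delta: Dict[str, list]) -> str:
    """Human-readable summary; HJT's job ends here, judging the entries is yours."""
    lines: List[str] = []
    for key in delta["added"]:
        lines.append(f"NEW      {key}")
    for key in delta["removed"]:
        lines.append(f"GONE     {key}")
    for key, before, after in delta["changed"]:
        lines.append(f"CHANGED  {key}\n    was: {before}\n    now: {after}")
    return "\n".join(lines) if lines else "no autostart changes since baseline"


if __name__ == "__main__":
    print(format_report(diff_logs(BASELINE_LOG, CURRENT_LOG)))
```

Run HijackThis after each install, save the report, and feed the previous and current files to diff_logs; an empty delta is the quiet case, anything else is a prompt to look, not a verdict.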
  • If they aren't already doing this, an open source product should make it a bit easier for the malware writers to test out how well hidden their product is (or how closely it represents the noise experienced during a normal day of computing).
