Girl Geekette dotNet

Where the Girl Ends and the Geekette Begins


Archive for September, 2005

Alternate Data Streams and Windows XP Test

Needless to say, I was inspired by an article on Windows Security that ran this test on Windows 2000 to try my own test with Windows XP on NTFS. Below are my findings and screen-by-screen snapshots:

ADS test using Windows XP

1. I begin by making a test directory and copying c:\windows\system32\calc.exe into it. Notice the original timestamp (last modified date and time) of the file is 8/23/2001 8:00AM and the size is 112KB.

ADS Test Picture 1

Here is a listing in DOS that shows the directory with the copied calc.exe file.

ADS Test Picture 2

2. I append an ADS (Alternate Data Stream) containing another Windows program (Notepad, c:\windows\notepad.exe) to the copy of the Windows Calculator program in the test directory.

ADS Test Picture 3

Notice the size of the calc program did not change, but the timestamp (last modified date and time) DID change.

ADS Test Picture 4

ADS Test Picture 5

3. Next, I executed the new notepad.exe ADS using the standard start command.

ADS Test Picture 6

On the desktop, the NOTEPAD program popped up, even though I had executed the CALC program from the command line.

ADS Test Picture 7

4. By using CTRL + ALT + DELETE to open the Task Manager, I noticed that my results differed a bit. In the Task Manager I could clearly see that calc.exe was running (which I had executed at the command prompt), but unlike the simple demonstration using Windows 2000, Windows XP displayed both the calc.exe name and the ADS command.

ADS Test Picture 8

This is where I must stop and note that depending on the version of Windows used, things can be displayed slightly differently. Would the average user look at the Task Manager and know that something was different about the calc.exe program that was running? Probably not. Would the average user think anything of the Notepad program popping up when the Windows Calculator was used? Some would; others would pass it off as a coincidence or accidentally hitting the wrong key.
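Since neither Explorer nor dir shows the hidden stream, here is an added example (my own script, not from the original article) that audits a directory tree for alternate data streams the way a defender would. It assumes Windows PowerShell 3.0 or later on NTFS; the path C:\adstest is an assumed location for the test directory.

```powershell
# Audit a directory tree for NTFS alternate data streams (Windows PowerShell 3.0+).
# $Root is an assumed location for this example; point it at the tree to audit.
param([string]$Root = 'C:\adstest')

function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream on the file; ':$DATA' is the normal content
            # that Explorer and dir report, so anything else is an alternate stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File          = $file.FullName
                        Stream        = $_.Stream
                        StreamBytes   = $_.Length           # hidden size
                        FileBytes     = $file.Length        # visible size (unchanged)
                        LastWriteTime = $file.LastWriteTime # this is what does change
                    }
                }
        }
}

$streams = @(Find-AlternateDataStreams -Path $Root)

# Zone.Identifier is written by browsers on downloaded files and is expected;
# report it separately so the genuinely odd streams stand out.
$zone, $other = $streams.Where({ $_.Stream -eq 'Zone.Identifier' }, 'Split')

"Zone.Identifier streams (downloaded files): $($zone.Count)"
"Other alternate streams:                   $($other.Count)"
$other | Format-Table -AutoSize

# Read the first two bytes of a suspect stream without running it; 'MZ' (0x4D 0x5A)
# means a PE executable is stored there, as in the calc.exe:notepad.exe test above.
foreach ($s in $other) {
    $head = Get-Content -LiteralPath $s.File -Stream $s.Stream -Encoding Byte -TotalCount 2
    if ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
        "{0}:{1} contains an executable (MZ header)" -f $s.File, $s.Stream
    }
}
```

Run against the test directory from the post, it lists calc.exe with a notepad.exe stream whose StreamBytes is the size of Notepad while FileBytes stays at the original 112KB.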





Followed by Google? The On-going Story…

I was thumbing through my website and checking the theme, working on some CSS, when I happened to look at my logs. It seemed every time I clicked on a post to check some alignments of the theme, there was another entry right under mine, from a different IP address. The second time I noticed it, I figured that maybe it was a coincidence and someone happened to click on the post at the same time I did. The third and fourth time it happened, I had to wonder. Below is a copy and paste from my logs. The 192 address is mine, but look at the log entries right below mine:

192.168.1.100 - - [17/Sep/2005:00:03:39 -0400] "GET /category/security/ HTTP/1.1" 200 8538
66.249.65.172 - - [17/Sep/2005:00:03:40 -0400] "GET /category/security/ HTTP/1.1" 200 8520
192.168.1.100 - - [17/Sep/2005:00:04:05 -0400] "GET /2005/09/06/hacking-to-learn-what-the-media-doest-tell-you/ HTTP/1.1" 200 11431
66.249.65.172 - - [17/Sep/2005:00:04:06 -0400] "GET /2005/09/06/hacking-to-learn-what-the-media-doest-tell-you/ HTTP/1.1" 200 11440
192.168.1.100 - - [17/Sep/2005:00:04:17 -0400] "GET /2005/09/06/comp-tias-securitycheet-sheet/ HTTP/1.1" 200 7178
66.249.65.172 - - [17/Sep/2005:00:04:18 -0400] "GET /2005/09/06/comp-tias-securitycheet-sheet/ HTTP/1.1" 200 7247
192.168.1.100 - - [17/Sep/2005:00:05:11 -0400] "GET /2005/09/05/wireless-networking-warchalking/ HTTP/1.1" 200 7950
66.249.65.172 - - [17/Sep/2005:00:05:12 -0400] "GET /2005/09/05/wireless-networking-warchalking/ HTTP/1.1" 200 7947
192.168.1.100 - - [17/Sep/2005:00:05:29 -0400] "GET /2005/09/05/wireless-networking-all-the-wars/ HTTP/1.1" 200 8180
66.249.65.172 - - [17/Sep/2005:00:05:30 -0400] "GET /2005/09/05/wireless-networking-all-the-wars/ HTTP/1.1" 200 8272
192.168.1.100 - - [17/Sep/2005:00:05:40 -0400] "GET /2005/09/04/wireless-networking-the-wifi-movie/ HTTP/1.1" 200 7207
66.249.65.172 - - [17/Sep/2005:00:05:41 -0400] "GET /2005/09/04/wireless-networking-the-wifi-movie/ HTTP/1.1" 200 7177
192.168.1.100 - - [17/Sep/2005:00:06:00 -0400] "GET /2005/09/03/wireless-networking-borrowing-an-internet-connection/ HTTP/1.1" 200 8244
66.249.65.172 - - [17/Sep/2005:00:06:01 -0400] "GET /2005/09/03/wireless-networking-borrowing-an-internet-connection/ HTTP/1.1" 200 8242

Someone, or something, was mimicking my every move. By this time, I had become extremely curious. I wondered who or what was mimicking my every move, and how. I decided to do a whois on the IP address:

OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

NetRange: 66.249.64.0 - 66.249.95.255
CIDR: 66.249.64.0/19
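Spotting this pattern by eye works for a handful of lines; for a whole log it is easier to let a script pair up requests. Here is an added example (my own, not from the original post) that parses Common Log Format lines and flags "shadow" requests, meaning the same URL fetched from a different IP within a few seconds of an earlier request. The log lines in it are constructed to follow the pattern above; on a real log replace $logLines with Get-Content of the access log.

```powershell
# Flag "shadow" requests: the same URL fetched from a different IP within a few
# seconds of an earlier request. $logLines is constructed for this example and
# follows the pattern in the post; replace it with Get-Content on a real log.
$logLines = @(
    '192.168.1.100 - - [17/Sep/2005:00:03:39 -0400] "GET /category/security/ HTTP/1.1" 200 8538',
    '66.249.65.172 - - [17/Sep/2005:00:03:40 -0400] "GET /category/security/ HTTP/1.1" 200 8520',
    '192.168.1.100 - - [17/Sep/2005:00:04:05 -0400] "GET /2005/09/06/hacking-to-learn/ HTTP/1.1" 200 11431',
    '66.249.65.172 - - [17/Sep/2005:00:04:06 -0400] "GET /2005/09/06/hacking-to-learn/ HTTP/1.1" 200 11440',
    '10.0.0.7 - - [17/Sep/2005:00:05:30 -0400] "GET /category/security/ HTTP/1.1" 200 8538'
)

# Common Log Format: ip ident user [timestamp zone] "method path proto" status bytes
# The zone offset is dropped: all lines in one log share it, and only deltas matter here.
$logPattern = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^ \]]+) [^\]]*\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3})'

function ConvertFrom-CommonLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $logPattern) {
            [pscustomobject]@{
                Ip   = $Matches.ip
                Time = [datetime]::ParseExact($Matches.ts, 'dd/MMM/yyyy:HH:mm:ss', [cultureinfo]::InvariantCulture)
                Path = $Matches.path
            }
        }
    }
}

function Find-ShadowRequests {
    param([object[]]$Entries, [int]$WindowSeconds = 5)
    # Group by URL, walk each group in time order, and pair every request with the
    # one just before it; a different IP inside the window is a shadow request.
    foreach ($group in ($Entries | Sort-Object Time | Group-Object Path)) {
        $hits = @($group.Group)
        for ($i = 1; $i -lt $hits.Count; $i++) {
            $delta = ($hits[$i].Time - $hits[$i - 1].Time).TotalSeconds
            if ($hits[$i].Ip -ne $hits[$i - 1].Ip -and $delta -le $WindowSeconds) {
                [pscustomobject]@{ Path = $group.Name; FirstIp = $hits[$i - 1].Ip
                                   ShadowIp = $hits[$i].Ip; DelaySeconds = $delta }
            }
        }
    }
}

$shadows = @(Find-ShadowRequests -Entries (ConvertFrom-CommonLog -Lines $logLines))
# Which IPs shadow the most? Those are the ones to look up with whois, as in the post.
$shadows | Group-Object ShadowIp | Sort-Object Count -Descending |
    Select-Object @{ n = 'ShadowIp'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

On the constructed lines only 66.249.65.172 is reported (twice, one second behind each request); the 10.0.0.7 hit on the same URL falls outside the window and is ignored.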



