The Claim: Lockdown2000 Detects And Removes ALL Internet Trojans
The claim at the top of this page is made by Harbor Telco, in so many words, in a variety of places. It is also conveyed in no uncertain terms by a series of statements which tell the prospective Lockdown user:
[1] The main Lockdown2000 homepage titled "The Complete Fire Wall For Windows: LockDown 2000!": "With LockDown 2000 you will never have to worry about Hackers invading your privacy, deleting your files, attaching a virus or a trojan horse program without your knowledge." Also, "LockDown 2000 prevents anyone from any computer in the world from getting into your computer."
[2] Page titled "The BO Internet Trojan": "LockDown 2000 has been designed to detect and remove ALL Internet Trojans for you. It now detects and removes ALL of the different versions of the BO Trojan. LockDown 2000 will keep you safe from all Internet Trojans by using highly advanced detection methods."
[3] Page titled "The NetBus Internet Trojan": "LockDown 2000 has been designed to detect and remove ALL Internet Trojans for you. It now detects and removes ALL of the different versions of the BO Trojan. LockDown 2000 will keep you safe from all Internet Trojans by using highly advanced detection methods."
[4] Page titled "The Setup Internet Trojan": "LockDown 2000 now provides protection for Trojans that haven't been written yet. Currently no other protection software has this functionality built-in. Only LockDown 2000 provides this ability to destroy ALL Trojans -- You do not need to upgrade LockDown 2000 every time a new Trojan raises its ugly head."
[5] Page titled "Lockdown 2000 - The Complete Fire Wall For Windows!": "Features Found In Lockdown 2000 ...The ability to 'turn off' remote user access to your computer system completely. ... Complete control over connections to your computer whether on Internet or local network."
[6] Page titled "Signature File Updates For LockDown 2000": "LockDown 2000 includes a 'Generic Detection Engine'. This generic detection engine will detect and remove future unknown Trojans."
[7] Page titled "A List of Trojans Detected and removed By LockDown 2000": "The Trojans below will be detected and removed by name. [list of some 90+ trojans/variants]"
[8] This page, titled "Reseller Fax Sheet," is an example page provided to Lockdown resellers for posting on their own sites or for faxing to prospective customers. It says: "LockDown 2000 detects and removes ALL Internet Trojans." Also, "LockDown 2000 was designed and developed to protect Internet users from being hacked by even the most sophisticated hacker. It provides absolute security and complete privacy whenever you go online. LockDown 2000's new and advanced features will block everyone out of your computer. With LockDown 2000 protecting you, no one can read or delete any of your important files."
[9] Page titled "Internet Security News": "LockDown 2000 was designed and developed to protect Internet users from being hacked by even the most sophisticated Hacker. LockDown 2000 provides absolute security and complete privacy whenever you go online."
[10] Page titled "Download Site Links": "This is the story of how lockdown 2000 can solve all of the trojan problems and others."
[11] TechEdge Radio interview with Michael Paris: "...So I think what you want to look for in a program is what we have embedded into Lockdown, which is a generic trojan engine. Windows has the means where you can actually know or tell if a trojan has been installed into the computer, even if it's a newly-developed trojan after you've installed a security program." (Excerpted clip available as .wav, RealAudio and transcript.)
[12] Page titled "The Complete Fire Wall For Windows: LockDown 2000!": "LockDown 2000 was designed and developed to protect Internet users from being hacked by even the most sophisticated Hacker. LockDown 2000 provides complete security and privacy whenever you go online."
[13] Page titled "The Complete Fire Wall For Windows: LockDown 2000!": "LockDown 2000 will detect all of the Trojans that currently roam the Internet. LockDown 2000 does not need to be upgraded to detect and delete future unknown Trojans because this is handlet [sic] automatically by the core."
[14] Page titled "The Complete Fire Wall For Windows: LockDown 2000!": "Features Found In Lockdown 2000 ... The ability to "turn off" remote user access to your computer system completely. ... Complete control over connections to your computer whether on Internet or local network."
[15] Page titled "The Complete Fire Wall For Windows: LockDown 2000!": "LockDown 2000 was designed and developed to protect Internet users from being hacked by even the most sophisticated Hacker. LockDown 2000 provides complete security and privacy whenever you go online."
[16] Page titled "The Complete Fire Wall For Windows: LockDown 2000!": "At the core of LockDown 2000 you will find a technology that is called "generic detection". This is an extremeley [sic] powerful technique that makes this product able to detect all of the Trojans that currently roam the Internet. This also means that LockDown 2000 does not need to be upgraded to detect and delete future unknown Trojans - simply because it allready [sic] does this automatically."
[17] Page titled "DownLoad or Purchase Lockdown2000 - The Complete Fire Wall For Windows!": "Features Found In Lockdown 2000 ...The ability to 'turn off' remote user access to your computer system completely. ... Complete control over connections to your computer whether on Internet or local network."
[18] Page titled "Lockdown 2000 - The Complete Fire Wall For Windows!": "Features Found In Lockdown 2000 ...The ability to 'turn off' remote user access to your computer system completely. ... Complete control over connections to your computer whether on Internet or local network."
[19] Page titled "LockDown2000": "LockDown 2000 was designed and developed to protect Internet users from being hacked by even the most sophisticated hacker. It provides absolute security and complete privacy whenever you go online. LockDown 2000's new and advanced features will block everyone out of your computer. With LockDown 2000 protecting you, no one can read or delete any of your important files."
[20] Page titled "LockDown2000": "LockDown 2000 detects and removes ALL Internet Trojans."
Despite careful searches, I have been unable to find any instance anywhere wherein Michael Paris or any principal or seller of Lockdown2000 has ever qualified, corrected or refuted the claim that Lockdown2000 detects ALL trojans. Instead, they directly state this as a fact, and promote the notion through numerous suggestive statements.
Is Lockdown2000 Absolute Security Against Trojans?
The first step to answering this question is to establish some things about how trojans work, and what methods will detect and remove them. Then, we need to examine what Lockdown does, and whether it does what's necessary to locate and remove any and all trojans.
How Are Trojans Detected And Removed?
The following is not only an analysis of Lockdown; it also comprises a general outline of how remote-access trojans can operate, and provides considerable insight into what approaches are necessary to detect their presence and deactivate them.
What Does Lockdown Do About Trojans?
Let's establish whether Lockdown does the necessary...
Does Lockdown Scan Files?
NO.
Lockdown does not inspect the contents of any file. Its only means of determining whether a particular file is a particular trojan is to check the size of the file against its "trojan signatures" -- which is no more and no less than a list of file sizes.
Because any number of files on a computer may be the same size as one another, this is an invitation to false alarms. And in fact, I have numerous reports from Lockdown users of false alarms. Also, virtually any executable can have its size altered without affecting its function; therefore file size alone is an extremely unreliable means of identifying trojans. This propensity for false alarms works to the seller's advantage. The eval version of the software has trojan removal disabled; when a trojan (or whatever) is detected, the user is prompted to buy in order to remove the alleged trojan. Which it may very well not be. A panicked user is the usual result, with pocketbook wide open.
Simply changing the size of any trojan file will disguise it from Lockdown.
How to change the size? One needs only pad the end of an executable with zeroes (or anything at all) to make it unrecognizable to Lockdown. Any of a thousand freely available binary editors will do the job. Most executables will run just fine with any amount of data appended to the end of the program file; it is simply irrelevant to the program's function.
Or, use any one of the dozens of compression utilities (such as the one used by Harbor Telco to compress Lockdown2000 itself) to make the trojan much smaller. This often has the added benefit of obscuring the contents of the program file against antivirus scans.
Other trojans, such as Back Orifice and NetBus (probably the two most widely used) append configuration information to the end of the program file. There is no particular limit on the size of this config info, therefore the file size is widely variable. Back Orifice is also designed to attach to any file; which renders its file size almost infinitely variable.
One trojan in particular, called "phAse zero," is actually a random size, different every time it is installed. Why Lockdown's list of detected trojans includes this one is left to the reader's imagination.
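To make the point concrete, here is an added example (my own illustration for this page, not Lockdown's code nor any real trojan) contrasting a size-only "signature" with a content signature. The "server binary" is a constructed byte string with a fake MZ header and a marker pattern; the three transformations are the ones described above: padding the end of the file, appending a Back Orifice/NetBus style configuration trailer, and packing the file (zlib stands in for an executable packer). A benign file of identical length is included to show the false-alarm side.

```python
import zlib

# Constructed stand-in for a remote-access trojan's server binary. It is NOT a
# real trojan: a fake MZ header, a marker a content scanner can key on, and
# filler. All of it is sample data invented for this example.
FAKE_SERVER = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-RAT-SERVER-MARKER" + b"\x90" * 256

# Lockdown-style "signature": nothing but the file's length in bytes.
SIZE_SIGNATURES = {len(FAKE_SERVER): "Constructed.RAT.A"}

# Content signature: a byte pattern that must appear somewhere in the file.
BYTE_SIGNATURES = {b"CONSTRUCTED-RAT-SERVER-MARKER": "Constructed.RAT.A"}


def match_by_size(data):
    """Identify a file the way a size-only signature list does."""
    return SIZE_SIGNATURES.get(len(data))


def match_by_content(data):
    """Identify a file by scanning its bytes for a known pattern."""
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


# Three trivial transformations the article describes. None of them changes
# what the program does when run: a loader ignores trailing bytes, and a
# packer restores the original image in memory.
def pad(data, count=1):
    """Append junk after the end of the image, as any hex editor can."""
    return data + b"\x00" * count


def append_config(data, config):
    """Back Orifice / NetBus style: server settings stored as a trailer."""
    return data + config


def pack(data):
    """Stand-in for an executable packer: the on-disk bytes are compressed."""
    return zlib.compress(data)


def evaluate(variants):
    """Run both detectors over {label: bytes}; return {label: (size_hit, content_hit)}."""
    return {label: (match_by_size(d), match_by_content(d)) for label, d in variants.items()}


def demo():
    """Build the variants discussed in the text and score each detector on them."""
    benign_same_size = b"MZ" + b"A" * (len(FAKE_SERVER) - 2)  # innocent file, same length
    variants = {
        "original": FAKE_SERVER,
        "padded_1_byte": pad(FAKE_SERVER, 1),
        "with_config_trailer": append_config(FAKE_SERVER, b"port=31337;pw=hunter2;"),
        "packed": pack(FAKE_SERVER),
        "benign_same_size": benign_same_size,
    }
    return evaluate(variants)


if __name__ == "__main__":
    for label, (by_size, by_content) in demo().items():
        print(f"{label:22s} size-sig={str(by_size):20s} content-sig={by_content}")
```

Size matching hits the original and the innocent same-length file, and misses every altered copy. Content matching survives padding and a config trailer but not packing, which is exactly the caveat the text raises about compressed trojans and antivirus scans: a content scanner needs to unpack (or scan memory) to see through a packer, while a size list never sees anything at all.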
Does Lockdown2000 Monitor Running Processes?
NO.
Lockdown monitors only two things: NetBIOS shares (indirectly), and three keys in the Windows Registry. The entries in those Registry keys typically point to program files (which may be running, but Lockdown doesn't know that). Lockdown's response to a new entry is to compare the size of the indicated file to its trojan "signatures." If the file exists and Lockdown finds a size match, Lockdown assumes it is a trojan without further inspection. It sounds the alarm, and offers to remove the trojan.
If the file is not a trojan, and the user elects not to remove it, Lockdown will sound the same alarm in perpetuity regardless of user input, every time it performs a trojan "scan." This renders Lockdown unusable to anyone with an unfortunate file size matchup, and serves to spotlight the seriously flawed nature of its "detection" as well as the poor design of its programming (it could easily have been programmed to ignore user-approved "signature" matchups).
If the user OKs removal, Lockdown will attempt to delete the file. Lockdown still has no idea whether it's a running process, nor, aside from file size, whether it's actually a trojan. If it is a currently-running process, which it usually is, Windows naturally won't allow its deletion. Although a competent programmer can easily write an application to halt virtually any Windows process, Lockdown makes no attempt to kill the program so it can be removed. Lockdown will instead merely remove the new Registry entry and advise rebooting. Upon reboot, Lockdown does not delete the trojan file; although at that point it would be easily done. The risk therefore remains that the trojan will be run again, either by the user or via some other startup vector.
At least one trojan I have examined always re-creates its Registry entry upon system shutdown. Lockdown has no means to deal with this situation. It would perpetually sound alarms on startup, fail to remove the trojan each time, demand a reboot and start the cycle again.
If Lockdown fails to identify a new entry in its monitored Registry keys as a specific trojan, it alerts the user to the entry and asks for confirmation. It will remove the entry if the user so desires. But it does NOT halt the process or recommend a reboot. Thus, an unidentified trojan, if trojan it is, will continue to run (and to grant access to intruders) until the next reboot without any interference from Lockdown.
Of course, any number of trojans which don't happen to use the monitored Registry keys might be running on the system; and Lockdown would, because it has no awareness of running processes, be oblivious of the fact.
In addition, if Lockdown is installed with a trojan already running which uses its monitored Registry keys but doesn't fit any of its file-size "signatures," it will silently accept the trojan's presence, list its Registry entry as valid with no notice to the user, and ignore it henceforth.
Does Lockdown2000 Monitor Network Activity?
NO.
The full extent of Lockdown's network monitoring is to open port 12345, the default port of some Netbus versions, whereupon it reports all TCP contacts which arrive at that port, though harmless in the absence of the trojan, as "attempted break-ins" which it has "disconnected."
Lockdown does monitor network contacts with shared resources, but it does so indirectly (by way of other Windows processes).
Meanwhile, any amount of network activity, normal or abnormal, including open ports, file accesses, uploads, downloads, and system manipulations, may go on without Lockdown taking any notice.
Does Lockdown2000 Monitor All Startup Vectors?
NO.
Lockdown monitors only a tiny part of the wide array of startup methods available to trojans. Lockdown monitors just three keys in the Registry; three of the four whose primary function is to trigger programs at startup.
These monitored keys are in fact commonly used by many trojans. Thus Lockdown will often spot a trojan by its use of the Registry. Even so, aside from the file-size "signature," Lockdown has no idea what a new entry really points to. Frequently, neither will the user, who may well approve the new entry when prompted by Lockdown.
"Social engineering" aside, there are myriad ways to get a trojan to run persistently. The Registry is by no means the only one, but in the Registry alone, there are hundreds of keys by means of which a trojan might be run. Every time you double-click a file or icon to make Windows display an image, open a document, open a website, and so forth, you are invoking a command contained in the Registry, usually a file association with a given program. Any of those commands can be hijacked by practically any trojan by simply replacing the standard Registry command with the filename of the trojan; or by replacing the associated executable with the trojan's program file. The association may no longer work properly; but few users are likely to have the first clue what's wrong.
I looked for such Registry commands in one of my Windows machines at home. I stopped counting at 200! Although many are infrequently used and would be undesirable for the purpose, dozens would be quite effective as trojan-triggers. One real-life example of this strategy is the PrettyPark email worm, which is itself a trojan (and incidentally, quite invisible to Lockdown). It usurps the Registry command which is assigned to all .exe files! According to one report I've seen, Back Orifice 2000 may use a similar technique to run persistently on NT systems.
The Registry is not the only means of running a trojan at startup. A shortcut in the Startup Group (Windows\Start Menu\Programs\StartUp) works just fine. A command in the run= or load= lines in the win.ini file has the same effect. A similar entry in system.ini will run a trojan. A single line added to the autoexec.bat file can do it as well. (As it happens, I wrote all this up long ago in my analysis of Back Orifice. I also demonstrated the ease with which the various startup vectors can be manipulated.) Lockdown monitors none of these.
There are still more effective strategies. For instance, a trojan can replace a legitimate file which is frequently invoked at startup on targeted machines. One excellent example is the nearly-useless and typically invisible findfast.exe which is a feature of every standard installation of Microsoft Office, Excel or Word. The existing MS-installed command serves perfectly well to execute any program which replaces findfast.exe. By way of experiment, I created a tricky Back Orifice server, compressed and therefore unrecognized by a virus scan, and wrote a simple setup script which replaces the real findfast.exe with the trojan. This BO took no expertise to create; it required about 5 minutes. It sports the Findfast icon, stays where it's put and leaves no trace in the usual Registry location. I can imagine a slick pitch that would sell the victim on the trojan as a FindFast Enhancement. Ironically, it would actually improve system performance! And of course it installs and runs concurrently with Lockdown, with never a peep from the "firewall."
Almost every trojan I have inspected, including Back Orifice, NetBus and the new BO2K, is easily configured or modified to avoid telltale entries in the Registry keys Lockdown monitors.
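The following is an added example of what a startup-vector check should at least cover, written for this page; it is not Lockdown's code. It parses the run= and load= lines of win.ini, the shell= line of system.ini, program launches in autoexec.bat, and checks whether the .exe file association (HKCR\exefile\shell\open\command, whose stock value is "%1" %*) has been hijacked in the manner attributed above to PrettyPark. The sample file contents and the SAMPLE*.EXE names are constructed; the Run-family Registry keys are read with winreg only when running on Windows (which of those keys Lockdown actually watched, the page does not name). The Startup Group folder is omitted since it needs a live filesystem.

```python
import re

# ---- Constructed sample startup files (not taken from any real machine) ----
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\SAMPLE1.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\SAMPLE2.EXE
[386Enh]
device=*vshare
"""

AUTOEXEC_BAT = """@ECHO OFF
PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND
SET TEMP=C:\\WINDOWS\\TEMP
REM C:\\OLD\\NOTRUN.EXE
C:\\WINDOWS\\SYSTEM\\SAMPLE3.EXE /Q
"""

# Stock value of HKCR\exefile\shell\open\command, and a constructed hijack
# in the style the article attributes to PrettyPark (a program prepended so
# it runs every time any .exe is launched, then passes control on).
EXEFILE_CMD_CLEAN = '"%1" %*'
EXEFILE_CMD_HIJACKED = 'C:\\WINDOWS\\SYSTEM\\SAMPLE4.EXE "%1" %*'

# Run-family keys Windows 9x executes at startup (hive, path).
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]


def ini_section(text, section):
    """Return {key: value} (keys lower-cased) for one [section] of an INI file."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current == section.lower() and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def startup_from_win_ini(text):
    """run= and load= in [windows] launch whatever they name at logon."""
    values = ini_section(text, "windows")
    return [("win.ini [windows] %s=" % key, values[key])
            for key in ("load", "run") if values.get(key)]


def startup_from_system_ini(text):
    """shell= normally reads 'Explorer.exe'; extra tokens are launched too."""
    shell = ini_section(text, "boot").get("shell", "")
    parts = shell.split()
    if len(parts) > 1 or (parts and parts[0].lower() != "explorer.exe"):
        return [("system.ini [boot] shell=", shell)]
    return []


LAUNCHER = re.compile(r"\S+\.(exe|com|bat)\b", re.IGNORECASE)
NOT_LAUNCH = ("rem", "echo", "@echo", "path", "set", "prompt")  # heuristic skip list


def startup_from_autoexec(text):
    """Lines that invoke an .exe/.com/.bat (simple heuristic, not a DOS parser)."""
    found = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.split()[0].lower() in NOT_LAUNCH:
            continue
        if LAUNCHER.search(s):
            found.append(("autoexec.bat", s))
    return found


def exe_association_hijacked(command):
    """True unless the .exe open command is the stock '"%1" %*'."""
    return command.strip().lower() != '"%1" %*'


def registry_run_entries():
    """Read the live Run-family keys with winreg; returns [] off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                found.append(("%s\\%s\\%s" % (hive, path, name), str(value)))
                index += 1
    return found


def enumerate_startup(win_ini, system_ini, autoexec, exefile_cmd):
    """Collect every (vector, command) pair found across the checked vectors."""
    findings = (startup_from_win_ini(win_ini) + startup_from_system_ini(system_ini)
                + startup_from_autoexec(autoexec))
    if exe_association_hijacked(exefile_cmd):
        findings.append((r"HKCR\exefile\shell\open\command", exefile_cmd))
    findings.extend(registry_run_entries())
    return findings


if __name__ == "__main__":
    for vector, command in enumerate_startup(WIN_INI, SYSTEM_INI, AUTOEXEC_BAT,
                                             EXEFILE_CMD_HIJACKED):
        print("%-40s %s" % (vector, command))
```

Against the constructed samples this reports four launch points, none of which sits in a Run key. Even this short list is more than Lockdown covered; a real checker would add the Startup Group, the hundreds of other file-association commands mentioned above, and a baseline of known-good values so that only changes are alarmed on.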
At least two trojans, a recent one called Kuang2 as well as some variants of the Master's Paradise trojan, are actually highly infectious viruses. They can infect hundreds, even thousands of program files on the victim's system, and will run when any infected file is executed. Lockdown claims to remove both. But in fact it is utterly incapable of removing either one, once the infection has begun to spread. The file-size "signatures" are totally useless against such an onslaught, and Lockdown is helpless to remove a virus from any file.
Does Lockdown2000 Detect And Remove ALL Internet Trojans?
NO. Lockdown 2000 does not detect and does not remove all trojans. It detects some of them some of the time, removes almost none of them physically from the hard drive, and can easily be fooled into ignoring almost any trojan in existence.
Lockdown's partial coverage of the Registry is, despite the fact that many trojans do use the keys it monitors, quite inadequate. It would be a simple matter to at least add coverage of the Startup Group, WIN.INI, SYSTEM.INI, and AUTOEXEC.BAT, things I mentioned in my review of v2.0 eight months ago; but Lockdown's programmer didn't even bother, in at least three versions since! This "generic detection" is holier than Swiss cheese and a far cry from the "highly advanced new technology" it is represented to be.
Lockdown2000 is not, by any stretch, total security against remote-access trojans. It omits not merely some, but most of the available avenues of inspection for the presence and activity of trojans. Its one method of trojan identification -- file size -- is fatally flawed, prone to false alarms (from which the seller benefits) and trivial to circumvent.
Analysis: Why is Lockdown's Trojan Protection So Weak?
In view of the ease with which Lockdown's trojan countermeasures could be vastly improved, it's quite impossible to avoid the obvious conclusion: the sellers of Lockdown aren't concerned with the program's actual effectiveness.
To the average user, Lockdown appears to do its job. For purposes of sales and marketing, this is quite enough to earn the sellers significant income. Users will occasionally find real trojans with Lockdown, and will thereafter be convinced of its prowess. Many will see and hear its impressive alarms when the NetBus port is scanned by some clueless script-kiddie, and marvel at its traceroute, unaware that it is no great trick and a fraction of what is easily possible.
Users will usually have no idea that in the absence of a running NetBus trojan on their machine, those scans on port 12345 are harmless, are not illegal, and response to them is of extremely limited use to combat prospective intruders; quite aside from the fact that the "tracing" is almost totally useless against any marginally intelligent hacker.
Average users are unlikely to be aware of the free utilities that abound on the Net with infinitely better capabilities for port monitoring and for tracing IP addresses. I have myself created simple DOS batchfiles using standard Windows and network query utilities which perform far more useful IP address and NetBIOS name resolution than Lockdown could begin to do. I give away one of these, the Network Tracer, for free.
The sellers of Lockdown rely on the technical ignorance of their clientele. So long as sales are successful and their product's quality remains unchallenged, they have little reason to expend the effort required to make the Lockdown product truly effective. Their history so far is to change version numbers or the product name when seriously challenged, and perhaps -- but not necessarily -- improve the product slightly in the process; and to continue blithely issuing their irresponsible marketing superlatives. They can then respond to queries about criticism with assertions that their critic is behind the times.
Harbor Telco clearly lacks the expertise to improve its own product. The original programmer of Hackerproof98 (the product's original name) appears to be long gone. Michael Paris is attributed sometimes as the product's author but he apparently lacks the necessary programming skills. On the Lockdown site, they are actively soliciting the help of outside programmers (archived page). I have corresponded with someone who says he's a friend of one programmer they have enlisted. If Harbor Telco ever does make its product worth buying, it will have done so by purchasing the required expertise with money earned by the betrayal of past buyers with false promises of total security which can never be met.
Michael Paris offers a beta test version of Lockdown to some registered users, particularly those who complain about the product's performance. According to numerous reports from my correspondents, he's been doing this for some months now, since about April. Reports indicate that the version 3.0 beta does no better job at share protection than v2.5.4, and its trojan detection remains virtually unchanged; the primary difference is a gaudier appearance.
Incidentally, I know of no case wherein Harbor Telco has ever granted a refund to an unhappy customer. They do not guarantee satisfaction in any way and they pointedly refuse to grant refunds. The only guarantee I have ever seen offered by Harbor Telco is on its Press Release page, and that guarantee reads: "We fully guarantee our own tests that have given us complete faith in our product."
Notice: Persons wishing to pursue a complaint about Lockdown 2000 are encouraged to mail their report to:
New Hampshire Consumer Protection Bureau
33 Capitol Street
Concord, NH 03301-6397
Please describe your experiences with Harbor Telco/Lockdown 2000 in detail, including all possible facts, dates and documentation. If you wish, they will mail you a complaint form. They answer their phones if you're persistent, at (603) 271-3641. They are particularly interested in cases of failure to refund as well as the usual fraud and misrepresentation.