The BASHandSlash.com Feed

Friday, April 6, 2007

How to protect yourself from malware

SHOW NOTES FROM BASH EPISODE 15: VIRUS!

This is the first of a few articles on BASH (the blog) that will focus on the basics of computer and data safety while connected online.


I'm embarrassed.

No, I wasn't caught trying to steal women's underwear at the Walmart! Um...that was last month.

I am embarrassed because I was infected by an internet worm a few weeks ago.

This "worm", a software program, took over elements of my computer and made it do various tasks without my consent or control.

Yup. I picked up a worm and it ruined my gaming life for about a week before I cleaned it off my computer. The embarrassing part is that I should have known better.

I thought I understood something about internet security but I failed to act on that knowledge and it cost me one week of frustration. Could have been worse I suppose. I could have had to reformat my drive and re-install XP on my PC. Or it could have been really bad and I could have suffered from identity theft.

I have taken a week out of my gaming life to, number one, clean out my PC of any web-derived infestations and number two, protect myself from any future attacks.

This article will try to atone for my sins by providing you with what little I know or have learned about trying to protect your computer from these devilish creations (viruses, worms, trojans, malware...) and keep your online presence a safe and happy one. The focus here will be on the gamer who uses a PC running Windows XP and a cable modem to connect to the world, but most of what you will read is applicable to anyone who ties a PC into the internet.

The Axes of Evil

There are many types of programs making the rounds on the internet that can cause you problems. The presence of these programs is a natural consequence of the versatility of the personal computer: it is very difficult to tell programs with good intentions apart from programs with bad intentions.

It's hard to come up with a definition for these programs. You hear the word "virus" used a lot for these malicious pieces of code, but any program that somehow gets on your system and whose purpose is to alter the behavior of your computer without your permission is by definition malicious and has bad intent.

A decade ago this malicious code could be very destructive; some programs back in the '80s and '90s even attempted to erase your hard drive.

Nowadays, this "bad" software, or malware, is more than likely simply trying to:
  1. Use your computer to send out spam email, for which the author of the malware is compensated.
  2. Spy on you and turn the information over to advertising agencies for money.
    or
  3. Use your computer in conjunction with millions of other computers (botnets) to launch attacks on computer networks (denial of service, or DoS, attacks).
The reason malware is not as destructive anymore is that most of the time the author does not even want you to know it's there, because if you find out you have one of these little programs, you'll try to delete it and thereby remove the author's source of income.

Here is a quick list of such evil programs, also known as malware. You have all heard their names before if you have ever used a computer:
Virus:
A computer virus is a program that can copy itself and infect a computer without permission or knowledge of the user. Viruses can spread to other computers by infecting files on a network (e.g. the Internet). Viruses spread by attaching themselves to other files they come in contact with.

Most of the viruses spreading nowadays are designed to take control over (hijack) your computer system, turning it into what tech experts call a "zombie system". Why would anyone turn your computer into a zombie? Well, there may be some truth in the news that virus authors are getting nearly a dime for every computer they hijack. The virus author then turns control of your zombie computer over to an email spammer who makes your computer spit out spam emails. If you get spam email you'll see that the senders seem legit: these poor folks have had control of their computer stolen right out from under them and have no idea their system is transmitting these emails. It is no wonder that there are four spam emails sent out for every "real" email.

There are some estimates that say that one-third of all computers on the net are zombies. According to the BBC, eighty percent (80%) of all the computers in China have been hijacked! PC Pitstop Spyware Center says that 20% of all computers have spyware!

You get a virus by running a program on your computer. More often than not the user clicks on a program without realizing that the program is a virus.

Trojan Horse
In the computer world, a Trojan is not that rubber thingy in your wallet that you've never used. It's a program where a hacker has hidden their evil-doing code inside what appears to be a harmless program or data file.

It's a program that claims to be one thing, but is in reality, something else. Some people who have used Kazaa (music sharing software) consider it a trojan program because it actually carries spyware inside.

Worm:
A computer worm is a program that can make copies of itself. It employs the internet to send these copies to other computers. You don't have to visit a specific internet site to pick up a worm. In fact you don't have to do anything other than connect your computer to the net to get a worm.
Worms can spread through computers that have out-of-date operating systems. For this reason it is important that you constantly keep your operating system up to date by downloading the latest patches.
Some worms spread through email, most of those through Microsoft Outlook or Outlook Express.

Worms and viruses are different in how they are transmitted: a worm is a stand-alone program, while a virus propagates by attaching itself to another program.

Spyware
Spyware describes a type of computer program that will try to advertise, collect personal information, or change the configuration of your computer without your permission. Some spyware tries to track visits to a website for example and then send this information to an advertising agency. More evil versions of spyware try to record your passwords or credit card numbers as you type them in on the web.

Spyware typically gets installed when you visit websites. Most websites, even very legitimate sites like CNN and Amazon, will try to keep track of your online behavior. Usually this happens when your browser settings are not set to a sufficiently high security level and you visit a website that distributes spyware. This is sometimes called "drive-by downloading" since it installs itself when you "drive by" a website.

Some of the more notorious websites will do more than track your presence on their website though. But it's all a matter of degrees.

How do you know you have been hacked?

The way I knew I was hacked was that the ping or latency I experienced on my favorite game servers had gone up. And I mean way up. For example, on my clan's server, the DD public server, I usually run a 45 ms ping. After being hacked I was running over 100 ms all the time. I knew I was the problem and not the server, because I keep CoD2's built-in lag-o-meter running at all times when I'm playing CoD2. More about the lag-o-meter at another time.

As soon as I realized this was happening I immediately shut down my modem.

Other ways to tell you have been hacked (that is, attacked by worms or viruses):

  • Your hard-disk light is constantly blinking, even though your computer is not running any program.
  • Your computer is running perceptibly slowly; it just feels like it's chugging along real slow.
  • Your network upload/download lights (usually little computer icons on your toolbar) are on when you are connected to the internet but you aren't surfing, playing games or downloading files.
  • You have emails in your sent folder that you never authored!
If you have spyware on your machine, other symptoms include:
  • Pop-up ads come up when you aren't even on the internet.
  • Your web browser home page keeps changing even though you keep trying to set it back to your original home page.
  • Your web browser has new toolbars that you did not install.
  • Your browser crashes a lot.
  • Your computer takes much longer to start and runs really slowly.

Things you should do to prevent yourself from being hacked

Leo Laporte, a celebrity technology expert, says that to prevent yourself from being hacked, you should change your online behavior.

For example, Microsoft has been saying that Vista has become hack-resistant in comparison to XP, but the reality is that you could fall prey to hackers using Vista if you fail to change your behavior. Here's an example:

Kaspersky, a well-known anti-virus company, claims that there are already ways around Vista security. Compounding this, Vista nags the user so much during an online session that many people might turn off the security suite inside Vista, leaving the computer vulnerable to attack. See: Microsoft partner: Vista less secure than XP.

In attempting to change internet user behavior, Laporte mentions this interesting fact: many security experts do not run anti-virus programs.

None.

They rely on a few simple ideas to keep them safe. Here are the basics:

1. PATCH MICROSOFT WINDOWS

Make sure you are running XP with Service Pack 2 installed.

Make sure you are applying all of the critical Microsoft patches. Usually, on the second Tuesday of the month, Microsoft releases its critical patches to fix flaws in its operating systems. It is vital that you apply these patches, for one, to prevent yourself from getting worms. It is doubly important that you apply these patches if you hear about them on the news, as this can be looked upon as an invitation to the black hat programmers out there that there is a Microsoft vulnerability that they can exploit.

Did you know that if you try to connect an unpatched XP computer to the internet you will get a worm on that machine in under one minute!

Windows should download these patches automatically, but if you suspect you are NOT getting patched and that Windows Update is not doing this automatically, check the following:

  1. Open Control Panel, click Security Center, and then select Automatic Updates.
  2. Select your preferred settings according to your needs and then click OK.
  3. Close Windows Security Center.
  4. Important: The first time you turn on the Automatic Updates feature, visit the Microsoft Windows Update web site to make sure you have all the latest updates available from Microsoft at that time. Automatic Updates will only download future updates, not the ones your computer is already missing.
If this is not working, or you wish to do this step manually, try this:
  1. Start Internet Explorer.
  2. Select Windows Update under the Tools menu and then follow the instructions.
  3. Install at least the Critical Updates and all the updates for Internet Explorer.
  4. Install other updates if necessary.
2. USE A HARDWARE FIREWALL

What we are talking about here is a separate device that guards the entrance to a network. Behind that network you can link any number of computers.
The wireless router is today's most popular device that can be used as a firewall. Most people buy routers for home use to take a single broadband internet account and spread it to at least two or more computers.

I have a wireless router at home. I've hooked it up by routing my cable broadband connection through the modem my cable company gave me and then through the wireless router. My main computer is then connected to the router using an ethernet cable. I also have a laptop and that can be used anywhere in the house, because after all, it's a wireless router and it will broadcast the connection to the net over radio frequencies that the laptop picks up.

Here is a picture of the back of a wireless router showing the ethernet connections you'll need to plug into. More details on the hook up of a wireless router in later blogs.
How does the router shield you from potential attacks?

A router will prevent unrequested communication from reaching your computer. Think of it as a one way valve. It lets data go out to the internet from your computer, but will not let data in - unless you have requested it. If you are trying to browse a website for example you will send out a request for data to be sent to you, a webpage for example. The router will let the webpage in because you requested it. However, if someone is trying to send you data (an unsolicited malware program for example) the data will be stopped because you never asked for it.


In addition, the router hides the internet address (IP address) of the computers and devices you have behind it. In this way, the outside world doesn't even know you have a computer running. All the world sees is the IP address of the firewall, and it knows nothing about the computer you are on. The router does this automatically by virtue of its primary function, which is to take a single IP address and share it amongst many devices. If you didn't have a router you would have to purchase as many internet accounts as you had computers. This way you only buy one account and share it amongst all the computers you have.

Any port in a storm


An important thing to note at this point is how your computer connects to the internet. When your computer talks to other computers on the net it does so by opening a "channel" or "port". This is a confusing term because in the old days we used to have things like printer ports, which were real physical connections from a computer to a device. A "port" in this context is a virtual thing. It doesn't exist in hardware; it's a software concept. There are 65536 possible channels or ports that a software program running on your computer can use to communicate with the internet. When a program needs to talk to other computers on the internet it will open a port to communicate. Unfortunately, badly written programs can leave these ports open, and once opened they can be used by malware to enter your system. Hackers look for open ports in the hope of exploiting their existence. This is extremely common on the internet and is known as "port scanning".

Some ports are reserved for your operating system, the others are used by your applications.

CoD2, for example, uses the following ports:

Call of Duty (CoD2) port range:
  • Call of Duty CD key validation (UDP): port 20500
  • Call of Duty master server monitoring / browser (UDP): port 20510
  • Call of Duty master (UDP): port 28960


The status of any port can be one of 3 things: OPEN, CLOSED, or STEALTH.

A router, or hardware firewall, will automatically block (or close) any unwanted data coming to you on any port. In addition, you can configure your hardware to STEALTH any of your ports. That is, your ports are made invisible to the outside world: a CLOSED port still answers a probe with a refusal, which tells the sender a machine is there, while a STEALTH port simply never answers. No one knows you are even there. That is how you want to configure your firewall.
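To make the "one-way valve" and the three port states concrete, here is a small Python model of what the router is doing. It is an added illustration written for this post, not code from any router or from the BASH blog; the addresses and port choices in the demo are constructed, and the model is deliberately simplified (one connection table, no timeouts, no distinction between TCP and UDP).

```python
"""Toy model of a home router's firewall: outbound requests are remembered,
and inbound data is let through only when it answers one of those requests
or arrives on a port the owner deliberately set to OPEN. Added example,
not real router code."""

from dataclasses import dataclass, field

OPEN, CLOSED, STEALTH = "OPEN", "CLOSED", "STEALTH"


@dataclass
class Firewall:
    # Ports the owner has deliberately configured. Any port not listed is
    # STEALTH by default, which is the configuration the post recommends.
    port_state: dict = field(default_factory=dict)
    # Flows the inside host started: (our_ip, our_port, remote_ip, remote_port),
    # kept so the reply can be recognised and let back in.
    connections: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def state_of(self, port):
        return self.port_state.get(port, STEALTH)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """The inside host sends a request: always allowed, and remembered."""
        self.connections.add((src_ip, src_port, dst_ip, dst_port))
        self.log.append(f"OUT {src_ip}:{src_port} -> {dst_ip}:{dst_port} allowed")
        return "allowed"

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """A packet arrives from the internet.

        Returns 'allowed' (forwarded to the inside host), 'rejected' (not
        forwarded, but the sender is told the port is closed, which reveals
        that a machine is there) or 'dropped' (silently discarded, so the
        sender learns nothing; this is what STEALTH means).
        """
        if (dst_ip, dst_port, src_ip, src_port) in self.connections:
            verdict = "allowed"      # a reply to something we asked for
        elif self.state_of(dst_port) == OPEN:
            verdict = "allowed"      # the owner deliberately exposed this port
        elif self.state_of(dst_port) == CLOSED:
            verdict = "rejected"
        else:
            verdict = "dropped"
        self.log.append(f"IN  {src_ip}:{src_port} -> {dst_ip}:{dst_port} {verdict}")
        return verdict


def demo():
    """Push a few constructed packets through the model; return the verdicts."""
    # Constructed addresses from the documentation ranges, not real hosts.
    me, web, probe = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    # Windows file sharing listens on ports 139 and 445. Here 139 is set to
    # CLOSED and 445 is left at the STEALTH default so the two can be compared.
    fw = Firewall(port_state={139: CLOSED})
    verdicts = []
    # 1. Browsing: our request goes out and the web page comes back on the same flow.
    fw.outbound(me, 50123, web, 80)
    verdicts.append(fw.inbound(web, 80, me, 50123))
    # 2. Unsolicited data to a stealthed port: silently dropped, nothing to see.
    verdicts.append(fw.inbound(probe, 4444, me, 445))
    # 3. Unsolicited data to a merely closed port: refused, but the refusal is itself an answer.
    verdicts.append(fw.inbound(probe, 4444, me, 139))
    # 4. Data on a port we used earlier, but from a host we never talked to: no match, dropped.
    verdicts.append(fw.inbound(probe, 80, me, 50123))
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['allowed', 'dropped', 'rejected', 'dropped']
```

The fourth case is the one worth noticing: the router does not just check the port number, it checks that the data matches a conversation you started, so a stranger cannot get in simply by guessing the port your browser happens to be using.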

There are many sites that will allow you to determine what others can see on your computer. These sites will test your ports and detect whether you have any vulnerabilities.

This is my favorite site (www.grc.com): SHIELDS UP


Click on Proceed and then, when the Shields UP site pops up, scroll to "Shields UP services" and click on any of the buttons there to test out your protection.

This is what you should see if you click on the File Sharing button for example:


If it says anything else, you may be at risk. More about what you can do about this in a future article.

Routers thus are excellent protection against worms and can defend against hackers who can remotely install spyware on your computer.

However there is still a risk from viruses; that is, viruses that can cross the firewall. Once they cross they can infect all the machines on your side of that wall.

One way for them to cross is for you to download executable programs (those with file name extensions such as .exe, for example) that carry viruses. So be careful what you download.

Email is a typical way for viruses to cross the firewall, because routers or firewalls allow email to cross over. If there are any attachments on those emails and you, the user, open an infected attachment, whammo, you are infected, even though you had a firewall. Getting back to the changes you must make to your behavior, here are a few of the behavioral modifications you'll need to make:

3. EMAIL

Don't send or open email attachments except when you know for sure that they are safe - which is something very difficult to determine.

  • Don't trust the icons of attachment files. Worms often send executable files which have an icon resembling icons of picture, text or archive files - to fool the user.
  • Configure Windows to always show file extensions. This makes it more difficult for a harmful file (such as an EXE or VBS) to masquerade as a harmless file (such as TXT or JPG).
  • Never open e-mail attachments with the file extensions VBS, SHS or PIF. These extensions are almost never used in normal attachments but they are frequently used by viruses and worms.
  • Never open attachments with double file extensions such as NAME.BMP.EXE or NAME.TXT.VBS.
  • When you receive e-mail advertisements or other unsolicited e-mail, do not open attachments in them or follow web links quoted in them. In fact it's best to turn off the HTML scripting in email.
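The attachment rules above can be turned into a simple check, and doing so also shows why "always show file extensions" matters: with extensions hidden, NAME.TXT.VBS is displayed as NAME.TXT. The following Python script is an added example written for this post, not code from the BASH blog or from any mail program. The dangerous-extension list is the post's (VBS, SHS, PIF, plus EXE), the sample attachment names are constructed, and the display logic is an approximation of the Windows XP "Hide extensions for known file types" setting, not Explorer's actual code.

```python
"""Screen e-mail attachment names by extension, following the post's rules,
and show what the user would see with extensions hidden. Added example."""

import os

# Extensions the post says almost never appear in legitimate attachments
# (VBS, SHS, PIF), plus EXE, which the post also names.
DANGEROUS_EXTENSIONS = {".vbs", ".shs", ".pif", ".exe"}


def extensions_of(filename):
    """Every dotted suffix of a name, lower-cased: 'a.txt.vbs' -> ['.txt', '.vbs']."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def displayed_name(filename, hide_known_extensions=True):
    """How the name appears in Explorer or an attachment list.

    With 'Hide extensions for known file types' on (the Windows XP default)
    the last extension is not shown, so 'photo.jpg.exe' appears as
    'photo.jpg'. This assumes every extension counts as 'known'; it is an
    approximation of that setting, not Explorer's real logic.
    """
    base = os.path.basename(filename)
    if not hide_known_extensions or "." not in base.strip("."):
        return base
    return base.rsplit(".", 1)[0]


def classify_attachment(filename):
    """Return 'block', 'suspicious' or 'ok' according to the post's rules."""
    exts = extensions_of(filename)
    if not exts:
        return "suspicious"      # no extension at all: nothing to judge it by
    if exts[-1] in DANGEROUS_EXTENSIONS:
        return "block"           # never open VBS, SHS, PIF (or EXE) attachments
    if len(exts) >= 2:
        return "suspicious"      # double extension; treat with care even if not executable
    return "ok"


def screen(attachments):
    """Map each attachment name to (what the user would see, verdict)."""
    return {name: (displayed_name(name), classify_attachment(name)) for name in attachments}


# Constructed sample attachment names, not taken from any real message.
SAMPLE_ATTACHMENTS = [
    "holiday.jpg",        # ok: single harmless extension
    "holiday.jpg.exe",    # block: shows as 'holiday.jpg' with extensions hidden
    "notes.txt.vbs",      # block: shows as 'notes.txt' with extensions hidden
    "Invoice.PIF",        # block: matching is case-insensitive
    "README",             # suspicious: no extension to go on
    "archive.tar.gz",     # suspicious: double extension, but not executable
]

if __name__ == "__main__":
    for name, (shown, verdict) in screen(SAMPLE_ATTACHMENTS).items():
        print(f"{name:18} shown as {shown:14} -> {verdict}")
```

Note that archive.tar.gz comes out as "suspicious" rather than "ok": a rule that flags every double extension will catch some harmless names, which is the price of the post's "never open double extensions" advice. The point of the displayed_name column is that the two names you most need to refuse look perfectly ordinary until extensions are shown.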

4. SURFING

Be careful when you surf the net. If you tend to surf randomly, and most of us do, make sure you run anti-virus software. Don't download programs and run them unless you know they are safe.

  • Don't accept attachments from strangers in online chat systems such as IRC, ICQ, XFIRE, Ventrilo, Teamspeak or MSN Messenger.
  • Avoid downloading files from public newsgroups (Usenet news) or peer-to-peer services (Limewire). These are often used by virus writers to distribute their new viruses.
  • Do not share your folders with other users unless necessary. If you do, make sure you do not share your full drive or your Windows directory.
  • Disconnect your network or modem cable when you're not using your computer - or just power it down.