Tuesday 14 August 2007

Combating Spyware/Malware and Personal Identity Theft ( Part 2 )

So you think you're infested... your computer is behaving strangely: crashing, pop-ups, odd web pages you didn't request, the computer doing things when it should be idle, everything running really slowly. OK, what to do? Let's assume you already have an infestation...

1) First, using your browser, navigate to www.google.com, go to the "more" selection and download and install the Google Pack, which contains free versions of Norton Antivirus and Spyware Doctor.
Run these two utilities before you do anything else. In fact I would suggest running Spyware Doctor several times, i.e. scan, reboot, scan, reboot until no more spyware is detected.

Now that you stand a chance of having a clean machine (which you still might not), we need to build up some protection to stop this kind of thing happening again.

If spyware/malware was found on your machine, the best thing to do is to wipe the machine and reinstall Windows. I say this because you cannot really be sure the spyware isn't still lurking on the machine: it might be smarter than the software you are using to find and remove it (a rootkit, for example, can hide itself from a scanner that runs on the infected system). That said, personally I don't like to reinstall, so let's assume "Spyware Doctor" and "Norton Antivirus" have killed the nasties.

2) OK, make sure you have Microsoft's Automatic Updates turned on: Control Panel->Automatic Updates, and pick the option that downloads and installs them automatically.

3) Check that the Windows Firewall is switched ON. XP Service Pack 2 is required: Control Panel->Windows Firewall.

4) Turn on hardware DEP (Data Execution Prevention), available in XP Service Pack 2: Control Panel->System->Advanced->Performance Settings->Data Execution Prevention. Choose "Turn on DEP for all programs and services except those I select". DEP stops code running from memory that is only supposed to hold data, which defeats many of the browser and operating-system exploits malware uses to get in; it does not protect you from a program you choose to run yourself. Hardware DEP needs a processor with the NX/XD feature; without one Windows can only offer the weaker software DEP.

5) OK, now we're going to stop using Internet Explorer and install Mozilla Firefox, which seems less likely to get infested by spyware and BHOs (BHOs are an Internet Explorer feature; Firefox does not load them). Download and install Mozilla Firefox.

6) OK, now we are going to install two add-ons for Mozilla Firefox called NoScript and CookieSafe. NoScript blocks JavaScript (and plug-ins such as Java and Flash) on every site except the ones you choose to allow, which takes away the main route drive-by malware uses to get into your system and also blocks cross-site scripting attempts that could grab your personal details. CookieSafe gives you the same per-site control over cookies.
http://noscript.net/
https://addons.mozilla.org/en-US/firefox/addon/2497

You will sometimes have to enable cookies and JavaScript for a site to run correctly. Personally, when I run into difficulties I just enable cookies/JavaScript for that site on a temporary basis.

7) Hosts file. You can download a specially prepared hosts file and replace your existing one with it. Windows consults this file before it asks a DNS server, so the entries in the prepared file point the names of known ad, tracking and malware sites at your own machine (0.0.0.0 or 127.0.0.1) and your computer never talks to them. On XP the file lives at C:\WINDOWS\System32\drivers\etc\hosts (no extension). A good hosts file can be downloaded from this site: http://www.mvps.org/winhelp2002/hosts.htm. One caveat: a very large hosts file can make XP's DNS Client service sluggish, so if name lookups get slow after installing it, that service is the first thing to look at.

OK, now the computer is starting to become a safer place, but we're not done yet. If you want to go further, the following steps, although not essential, will give you even more protection.

8) Install a hardware firewall or NAT router. A NAT router only passes inbound traffic that a machine on your side asked for, so bad people outside cannot reach your computer directly, and it keeps doing that even if malware manages to switch off the XP software firewall. Use both: the router stops attacks from the Internet, the software firewall still protects you from other machines on your own network.

9) Disable UPnP (Universal Plug and Play) on your router/firewall. UPnP lets software inside the firewall open ports in it without asking you. This is bad because if you run a bad program by accident it can use UPnP to expose your system to the Internet.

10) Install a program called Sandboxie and configure it to run Firefox within a sandbox. Anything that gets past CookieSafe and NoScript is written into the sandbox instead of your real system and is erased when the sandbox is emptied (Sandboxie can be set to do this automatically when you close the browser).

11) Create an administrator account for administration use only (installations etc.) and don't surf with it!!! Remove administrator privileges from your main account. If something bad manages to get into your system through your main account, it runs with that account's limited rights and should not be able to alter system files, which is exactly what a rootkit needs to do.

12) The ultimate protection is to use virtualisation. You run Windows inside a virtual machine, surf and pick up rubbish in there, and on every reboot the virtual machine starts again from the clean image you originally saved. The drawback of this set-up is that you cannot keep any data inside the virtual machine, but then neither can any nasty software.
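A way to check how far you have got with the list above, added here as an example and not part of the original post: a read-only audit script for the settings a program can actually see on an XP SP2 machine (step 2 Automatic Updates, step 3 Windows Firewall, step 4 DEP, step 11 whether you are surfing as an administrator). The registry paths, the boot.ini switch and the meaning of their values are my assumptions about where XP SP2 stores these settings; router UPnP and the Firefox add-ons cannot be checked from the PC, so they are not covered.

```python
"""Audit script added as an example (not from the original post).

Read-only check of the Part 2 settings a script can see on Windows XP SP2:
step 2 (Automatic Updates), step 3 (Windows Firewall), step 4 (DEP) and
step 11 (are you surfing as an administrator?). The registry paths and the
boot.ini switch below are assumptions about where XP SP2 keeps them.
"""
import re
import sys

# Step 2: Automatic Updates, AUOptions under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AU_OPTIONS = {
    1: "disabled",
    2: "notify before download",
    3: "download automatically, notify before install",
    4: "download and install automatically on schedule",
}

# Step 4: on XP the /noexecute switch in boot.ini selects the DEP policy.
DEP_POLICIES = {
    "alwaysoff": "DEP off for everything",
    "optin": "Windows programs and services only (XP SP2 default)",
    "optout": "all programs and services except those I select",
    "alwayson": "everything, no exceptions",
}


def dep_policy_from_boot_ini(boot_ini_text):
    """Return the DEP policy of the default boot entry ('optin' when the
    switch is absent, which is what XP SP2 does by default), or None when
    boot.ini has no [operating systems] entry at all."""
    default = None
    entries = []
    section = None
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")   # split on the FIRST '='
        if not sep:
            continue
        if section == "boot loader" and key.strip().lower() == "default":
            default = value.strip().lower()
        elif section == "operating systems":
            entries.append((key.strip().lower(), value))
    for key, value in entries:
        if default is None or key == default:
            match = re.search(r"/noexecute=(\w+)", value, re.IGNORECASE)
            return match.group(1).lower() if match else "optin"
    return None


def audit_settings(au_option, firewall_enabled, boot_ini_text, is_admin):
    """Compare raw values with the checklist; returns step -> (passed, why)."""
    dep = dep_policy_from_boot_ini(boot_ini_text)
    return {
        "2 automatic updates": (
            au_option == 4,
            AU_OPTIONS.get(au_option, "unknown value %r" % (au_option,))),
        "3 windows firewall": (
            firewall_enabled == 1,
            "on" if firewall_enabled == 1 else "OFF"),
        "4 dep": (
            dep in ("optout", "alwayson"),
            DEP_POLICIES.get(dep, "no boot entry found")),
        "11 limited account": (
            not is_admin,
            "running as administrator" if is_admin else "limited user"),
    }


def read_windows_settings():
    """Windows-only reader for the values above (assumed registry paths)."""
    import ctypes
    import winreg

    def dword(path, name):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            return winreg.QueryValueEx(key, name)[0]

    au = dword(r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"
               r"\Auto Update", "AUOptions")
    fw = dword(r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile", "EnableFirewall")
    with open(r"C:\boot.ini") as f:
        boot = f.read()
    return au, fw, boot, bool(ctypes.windll.shell32.IsUserAnAdmin())


if __name__ == "__main__" and sys.platform == "win32":
    results = audit_settings(*read_windows_settings())
    for step, (ok, why) in sorted(results.items()):
        print("%s  step %s: %s" % ("PASS" if ok else "FAIL", step, why))
```

Run it from the limited account you surf with: a PASS on step 11 confirms you really are not an administrator, and a FAIL on step 4 means the boot.ini switch is still at the OptIn default even if the dialog box looked right.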

Important suggestions for safer browsing:
1) Never open emails (and especially never open the attachments or click the links in them) from people you do not recognise and don't expect to be sending you email. They could contain nasty exploits that open your computer up and allow personal information to be leaked to the Internet. Often malware/spyware-infested machines will go through your email address book and send your friends infected emails which, when opened, will do the same to your friends' PCs, and so on.

2) If you're accessing your banking information at home, never start opening emails at the same time. Better to sign out/log out before opening any emails, as this prevents cross-site exploits: a malicious page or email cannot ride on a banking session that no longer exists, so the nasty people won't be able to use it to grab your account information.

3) If you must sometimes use a public computer terminal (and I don't advise it, especially for accessing your banking information), never forget to sign out/log out and always clear the cookies and temporary cache.

4) Never run programs that you have downloaded from fringe/untrusted Internet sites. These bad sites are usually free porn sites or sites that advertise serials and licence key generators. Bad sites can often look very convincing, so be very careful.

Thursday 2 August 2007

Combating Spyware/Malware and Personal identity theft.

This post will be in two parts: the first will explain what this is all about, the second what to do about it.
First of all I would like to try to explain what spyware is. Generally spyware as a term has a few different connotations: adware, spyware and malware. Quite often these are lumped together under the single description of spyware.

Adware
Quite simply this is software that is usually provided "free" but with the caveat that it contains some sort of advertising that will be pushed to the user while the software is in use. If the advertising were not part of the software, the software could not be provided free of charge.
This type of "spyware" can usually be considered pretty harmless, unless of course you don't like advertising. If so, don't install the software.

Spyware
Spyware is software that can find its way onto your computer when surfing the web. Its sole purpose is to monitor your surfing behaviour and perhaps pop up advertising while you surf. Spyware is usually non-malicious, but the privacy issues can be concerning for some people. Spyware can also sometimes cause instabilities within the browser.
Types of tracking mechanism that can be classed as spyware include:

Authorised tracking BHOs (Browser Helper Objects)
A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start Internet Explorer. Usually a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the web.

BHOs are a feature of Microsoft Internet Explorer and were originally designed by Microsoft to let other programs extend the browser and assist users in navigating the web. A BHO runs inside the browser process with full access to everything the browser does, so if your browser has a tendency to crash, a poorly written BHO that has entered your system could be what is making it unstable.

Tracking Cookies
Large web advertising networks use something built into our browsers called cookies to track our movement across the web. Cookies in general are not bad things, but in this case they could be deemed a privacy issue. Simply put, each website you visit can deposit a cookie on your machine. A site can only read back the cookies it set itself, but when many sites carry adverts from the same advertising network, that network sets and reads its own cookie on every one of them and uses it to build up a picture of your surfing habits. This information can then be used for marketing purposes.

Web Bugs
Web bugs are tiny images (often 1x1 pixel and invisible) embedded in web pages or HTML email, whose image address points at a web server and usually carries an identifier unique to you. When a user opens an email that contains a web bug, the mail program fetches the image, and that request tells the server that you have read the email, when, and from which address; the same trick on a web page reports your visit. Senders use them to confirm that an address is live and that a message was read, which is why most mail programs now ask before loading remote images.
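To make the tracking cookie and web bug descriptions above concrete, here is a small scanner, added as an example and not part of the original post, that picks the web bugs out of the HTML body of an email: it lists every remotely loaded image and reports the ones that are invisible, hidden by style, or carry per-recipient parameters in their address, and notes when the image comes from a host other than the sender's. The sample message, the sender domain and the tracker host name are constructed for the example.

```python
"""Web bug finder added as an example (not from the original post).

Scans the HTML body of an email for remotely loaded images and reports the
ones that behave like web bugs: invisible size, hidden by style, or a URL
carrying per-recipient parameters. The sample message, sender domain and
tracker host name are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height attributes of one pixel or less."""
    try:
        return float(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def _same_site(host, sender_domain):
    return host == sender_domain or host.endswith("." + sender_domain)


def find_web_bugs(html_body, sender_domain):
    """Return a list of {'src', 'host', 'third_party', 'reasons'} dicts,
    one for each remote image with at least one web-bug characteristic."""
    collector = _ImageCollector()
    collector.feed(html_body)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            continue            # cid:/data: images fetch nothing from the net
        reasons = []
        if _tiny(img.get("width", "")) and _tiny(img.get("height", "")):
            reasons.append("1x1 or smaller (invisible)")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        params = parse_qs(url.query)
        if params:
            reasons.append("per-recipient parameters: %s" % ", ".join(sorted(params)))
        if reasons:
            host = url.hostname or ""
            findings.append({"src": src, "host": host,
                             "third_party": not _same_site(host, sender_domain),
                             "reasons": reasons})
    return findings


# Constructed sample email body: a normal logo from the sender, a content
# image on a CDN, and a 1x1 tracking pixel with a unique identifier.
SAMPLE_EMAIL = """<html><body>
<img src="https://mail.example-shop.com/logo.png" width="120" height="40">
<p>Dear customer, your order has shipped.</p>
<img src="https://cdn.example-images.net/parcel.jpg" width="300" height="200">
<img src="http://track.example-tracker.net/open.gif?uid=9f3c1a7e&amp;msg=1842" width="1" height="1" />
</body></html>"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL, "example-shop.com"):
        print(bug["src"])
        print("   host:", bug["host"], "(third party)" if bug["third_party"] else "")
        for reason in bug["reasons"]:
            print("   -", reason)
```

The CDN image is deliberately not reported: a normal-sized picture from another host is not evidence on its own, it is the combination of invisibility and a unique token that marks a web bug. The only thing that stops the report reaching the tracker is not fetching the image, which is why the "block remote images" setting in a mail program is the real defence.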

Malware
Malware is a general term that usually describes software that causes your computer to behave in a way you would not want it to. Malware is the nastiest type of spyware and should, if at all possible, be prevented from getting onto your machine. Malware can get onto our machines in a variety of ways.
Some of the key ways that malware might get onto your system are:

i) Installation/running of unknown software from third parties, e.g. Internet connection speed optimisation tools, serial key generators, pirated application software. These are sometimes fake applications.

ii) Opening emails containing URL links from unknown people (phishing attack)

iii) Opening email attachments from unknown people

iv) Opening email attachments that have executable extensions (.exe, .scr, .pif, .bat, .com and the like)

v) Navigating to the fringes of the Internet, where content may be designed to exploit loopholes in browser technology. This type of exploit often works by
-exploiting loopholes in the browser through Microsoft ActiveX controls on web sites
-exploiting loopholes in the browser through JavaScript on web sites

vi) Exploitation of operating system loopholes.
If you have a machine that is connected to the Internet and it is not properly protected by a firewall and the latest patches from Microsoft and from the makers of any third-party server software you run, it can come under attack from machines on the Internet. These machines will probe your machine and exploit issues within the operating system to allow the installation of malware.

So what does the malware do? Well, one of malware's first goals is often to install what is called a "rootkit". A rootkit lets the malware use your system at a very high level of access (the same level as the operating system itself) and hide its own files and processes from you and from your security software. At the level a rootkit works, rewriting system files is entirely possible.
Once a rootkit is installed, a variety of hacks can be put into place, which may include but are not limited to what is described in the later paragraphs. From analysing what malware is out there, there seem to be two main types: the type that wants to control your machine for use as a bot, and the type that is designed for personal identity theft. I will detail each type.

Personal Identity Theft
Personal identity theft is whereby your personal details are stolen by some means and then perhaps used to buy goods, gain access to material that belongs to you, or create a forged identity for someone else to use. Your identity can be stolen in a number of different ways; however, I am only going to concentrate on the use of computers to steal identity. Malware of the following types can be considered as designed to steal your most personal information and therefore allow personal identity theft.

Key Loggers
Key loggers are designed to record all keystrokes on a computer. They will then generally make these keystroke logs available to the people who managed to get the key logger onto your machine. Obviously the purpose is to catch sensitive data, which may include log-on credentials for email or financial sites, or indeed retail sites like Amazon or eBay. Crooks will then use this information to rob you.

Unauthorised BHOs
Unfortunately BHOs have been abused by malicious companies to manipulate your browser in any way the malicious company wants. Because a BHO runs inside the browser, it sees every page after the browser has decrypted it, so it can, for instance, grab your credit card information and relay it to a third party, or it could just keep popping up advertising every few minutes; it really depends what the BHO was written to do in the first place. Key loggers have been found to be part of malicious BHOs. In one particular case keystrokes were logged when accessing financial institutions' websites, i.e. for banking purposes.

Diallers
Diallers have been around for a long time now but are still being used. They are designed for systems that connect to the Internet via dial-up modems. The idea is that a dialler will at some point make your modem dial a premium rate number (or numbers). The person owning the number gains lots of money from this call.

DNS hijacking
Once your system has been compromised by a rootkit, it is possible to alter system files on your computer. One of the files that can be modified is the hosts file, which Windows consults before it asks a DNS server for an address. By adding an entry to this file, the hijacker can make a web address you type into the browser resolve to a server they control. The fake site will look like the real one; you enter your personal log-on details, and now the hijacker can access the same site as you. The same trick in reverse is used to block the names of antivirus and update sites so that your protection stops updating, so entries in the hosts file that you did not put there always deserve a close look.
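Since the hosts file is both the tool of the DNS hijacking just described and the protective measure in step 7 of part 2, here is an audit of it, added as an example and not part of the original post. It parses the Windows hosts file and sorts every entry into harmless block entries (a name pointed at 0.0.0.0 or 127.0.0.1, as a protective hosts file does), a site you rely on being blocked, a site you rely on being sent to some other address (a hijack), a plain redirect, or a malformed line. The watch list of sites, the sample file and the 203.0.113.x address are constructed for the example; the file location is XP's default.

```python
"""Hosts file audit added as an example (not from the original post).

Parses the Windows hosts file and classifies each entry so that protective
block entries (as installed in part 2, step 7) can be told apart from the
redirects and blocks that DNS hijacking malware adds. The watch list and
the sample file are constructed for the example.
"""
import ipaddress
import os

HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                          r"System32\drivers\etc\hosts")

# Names you would not want blocked or redirected (constructed examples).
WATCH_LIST = ["example-bank.com", "update.example-av.com", "windowsupdate.com"]


def parse_hosts(text):
    """Yield (line_number, ip_string, [hostnames]) for each entry,
    skipping blank lines and '#' comments (trailing comments are stripped)."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            yield number, parts[0], [h.lower() for h in parts[1:]]


def on_watch_list(host, watch_list=WATCH_LIST):
    """True when host is a watched name or a subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in watch_list)


def audit_hosts(text, watch_list=WATCH_LIST):
    """Return (line_number, verdict, hostname) tuples.

    verdicts: 'blocked'        name sent to 0.0.0.0 / loopback (protective)
              'blocks-watched' a site you rely on is being blocked
              'hijack'         a watched site goes to some other address
              'redirect'       an unwatched name goes to a real address
              'malformed'      the address does not parse
    """
    findings = []
    for number, ip_text, hosts in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((number, "malformed", " ".join(hosts)))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for host in hosts:
            if host == "localhost" and sinkhole:
                continue                      # the standard entry
            watched = on_watch_list(host, watch_list)
            if sinkhole:
                verdict = "blocks-watched" if watched else "blocked"
            else:
                verdict = "hijack" if watched else "redirect"
            findings.append((number, verdict, host))
    return findings


def suspicious(findings):
    """Everything except plain protective block entries."""
    return [f for f in findings if f[1] != "blocked"]


# Constructed sample: a protective entry, an update site being blocked,
# a banking hijack, a harmless intranet alias and a broken line.
SAMPLE_HOSTS = """# Sample hosts file (constructed for this example)
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.net   # typical protective block entry
0.0.0.0         update.example-av.com     # AV updates silently blocked
203.0.113.5     online.example-bank.com www.example-bank.com
10.0.0.7        intranet                  # legitimate local alias
garbage         broken.example
"""

if __name__ == "__main__":
    try:
        with open(HOSTS_PATH) as f:
            text = f.read()
    except OSError:
        text = SAMPLE_HOSTS
    for number, verdict, host in suspicious(audit_hosts(text)):
        print("line %d: %-14s %s" % (number, verdict, host))
```

On a machine with the MVPS file installed the 'blocked' verdict will cover thousands of lines, which is why the report hides it; any 'hijack' or 'blocks-watched' line is worth treating as a sign of compromise, and a 'redirect' you do not recognise should be looked up before it is trusted.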

Internet Bots
Internet bots have been around for quite some time, but in recent years they have taken on a new and disturbing role in organised crime, or what some people are calling computer terrorism. What is known as a bot herder commands a large number of bots from a central location. These bot fleets (botnets) are then used to target particular computer systems via their IP address. The bots start sending large quantities of data to those addresses, which effectively blows the web site on the targeted IP address off the Internet. This kind of attack is known as a DDoS (Distributed Denial of Service) attack. In the organised crime scenario the web site owner is typically extorted: the crime syndicate is paid not to start the DDoS attack.

So effectively your machine could have a bot installed on it if you're not careful about your security, and could be taking part in organised crime or in targeting and bringing down foreign governments' computer systems. A sobering thought indeed.


What to do about this in part 2...