Sunday, February 25, 2007

Protecting your computer

This document is a summary based upon an AusCERT publication from here

The results of the 2006 Australian Computer Crime and Security Survey again show that malicious software (malware) continues to be one of the greatest threats to information systems in Australia. The most common form of attack reported by large and small organisations was infection by viruses, worms and trojans.


The use of trojan horse malware to facilitate online identity theft has increased since 2004. You need to take a number of actions before conducting transactions including accessing or updating your personal information on a government web site, filling in a web form to apply for personal documentation, conducting Internet banking or making online purchases.


Even if these transactions use SSL encryption (typically recognised by the presence of a golden padlock during the browser session), it is important for users to understand that SSL will not prevent the leakage of personal information to an attacker if their computer is already compromised with certain types of trojan malware.


Viruses and worms are well known forms of malicious code but trojans, spyware and other types of attack tools and some mobile code also have the potential to harm the confidentiality, integrity or availability of your computer data or network, and can potentially cause more harm in terms of stealing your personal information.


This blog outlines effective strategies that will assist in minimising the risk of harm to confidentiality, integrity and availability of your computer data and systems when connected to the Internet. It provides practical advice for protecting the Windows desktop PC environment from malicious code for home users, and organisations without dedicated IT staff.

Minimum requirements to secure a Windows system on the Internet:

  1. If using Windows 95, 98, ME or NT and connecting to the Internet, it is recommended you upgrade to Windows XP. Additionally, it is recommended you don't use Windows 95, 98, ME, NT and Windows CE for e-government or e-commerce services.

  2. Apply operating system patches, ideally via automatic updates.

  3. Perform day to day tasks under a user account with limited/reduced permissions. There will be a link to PEG on how to set up a new user account.

  4. Install and maintain security software: personal firewall, anti-virus and anti-spyware (link to our recommendations).

  5. Install and configure anti-spam filtering software, consider using an ISP that performs some level of spam filtering or use a web-based email solution such as hotmail, yahoo or GMail.

Before you start

Once an unprotected computer has been connected to the Internet, it is difficult to guarantee that it has not been compromised. Therefore, installation and configuration of security software is most effective when applied to a fresh installation of Windows which has not been connected to the Internet. Once the computer is connected to the internet, the first thing to do is download and install the latest patches. Re-installing Windows may destroy data on your system and should not be attempted if you are not confident with this type of operation. Following these instructions on a system which has been previously connected to the Internet, while not as ideal, is still recommended.

Minimum recommended steps to securing a Windows PC

  1. If using Windows 95, 98, ME or NT and connecting to the Internet, it is recommended you upgrade to Windows XP or Vista. Additionally, it is recommended you don't use Windows 95, 98, NT, ME and CE for e-government or e-commerce services.

    Microsoft no longer provides support for Windows 95, 98, ME or Windows NT, which means that it is no longer possible to patch these computers when new critical security vulnerabilities are discovered in them. Such computers, if connected to the Internet, face a very high risk of compromise.

    Also, Windows 95, 98, ME and CE have features which make it easier for an attacker to steal stored secrets such as passwords or private keys that are needed to provide security in certain situations, such as when accessing e-government or e-commerce services.

    If you wish to use a Microsoft platform, it is recommended you upgrade to Microsoft Windows XP with SP2 or Vista. Regardless of your choice of operating system, whether it is Microsoft, Macintosh, Linux etc., the following recommendations apply.

  2. Keep software patches up to date for all services in use on your network, especially for the operating system, browser and email applications.

    Not all email viruses use attachments in order to cause damage. Some email and web-based malicious code exploit vulnerabilities in host applications, which allow the code to execute (e.g. the Nimda and Klez worms). By applying relevant security patches for the operating systems, applications and services you are running, you will not only protect yourself from some forms of malicious code but also protect yourself against hackers seeking to remotely compromise your system by exploiting these same vulnerabilities.

    The recommended strategy is to check for updates on an automated basis wherever possible. For example, Microsoft's 'Automatic Updates' feature, when enabled on a machine, will automatically inform the user/administrator of the availability of new patches that should be installed. For home users and SMEs, using Windows Update http://windowsupdate.microsoft.com/ regularly is advisable, but automating this process is highly recommended.

  3. Perform day to day tasks under a user account with limited/reduced permissions.

    Windows XP supports the concept of limited user accounts. Operating as a limited user also limits the access available to malicious code, should a system be infected. This limited access may inhibit the ability of malicious code to operate effectively. Day to day tasks such as browsing the web, reading email, creating documents and playing games should be performed as a limited user, but installing software or updating Windows should be performed as an Administrator. We show you how to add a limited user account.

  4. Install a personal firewall and configure it to allow only essential connections.

    A firewall blocks access to services on your computer except for those you permit. Generally, computers being used for email and web browsing do not need to allow any incoming connections. However, Internet chat (e.g. ICQ or MSN Messenger), peer to peer (P2P) and online gaming systems may require incoming connections to function correctly. Blocking incoming connections will protect your computer from worms such as "MSBlaster".

    Some firewall products will also restrict outbound access from your computer to the Internet. The firewall will need to be configured (or trained) to allow the necessary outgoing connections, such as domain name service (DNS) look-ups, the sending and retrieving of email, and web browsing. Also, some firewall products provide integrity checking to warn the user when programs are being replaced on your computer.

    Windows XP comes with a built-in firewall to block incoming connections, though this was not enabled by default prior to Service Pack 2. If you are operating a small network for business or home use with a number of hosts, then you may need additional forms of firewall protection.

    It is important to note that a computer should have only one personal firewall product installed.
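To make the "block incoming, allow only essential outgoing" policy concrete, here is an added example (written for this post, not code from AusCERT or from any firewall product) of a toy stateful personal firewall run over a constructed packet trace. The allowed outbound port list, the `Packet` shape and the trace addresses are assumptions made for the example; real products track far more state, but the decisions they make follow the same shape.

```python
# Added example, not part of the AusCERT document or this blog: a toy stateful
# personal-firewall policy. The port allow-list, the Packet class and the
# packet trace are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import List, Set, Tuple

# Outbound services a mail-and-web PC needs: DNS look-ups (53), sending mail
# (SMTP 25), retrieving mail (POP3 110 / IMAP 143) and web browsing (80/443).
ALLOWED_OUTBOUND_PORTS: Set[int] = {53, 25, 110, 143, 80, 443}


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = leaving this PC, "in" = arriving from the Internet
    proto: str        # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int


class PersonalFirewall:
    """Deny unsolicited inbound traffic; allow outbound only to listed services."""

    def __init__(self, outbound_ports: Set[int] = ALLOWED_OUTBOUND_PORTS) -> None:
        self.outbound_ports = set(outbound_ports)
        # Ports the user has explicitly opened for chat or gaming. Empty by
        # default: an email/web PC needs no incoming connections at all.
        self.inbound_ports: Set[int] = set()
        # Flows this PC initiated; replies to them are let back in.
        self.established: Set[Tuple[str, str, int, int]] = set()

    def open_inbound(self, port: int) -> None:
        """Permit unsolicited inbound connections to one port (use sparingly)."""
        self.inbound_ports.add(port)

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            if pkt.remote_port in self.outbound_ports:
                self.established.add(flow)
                return "allow"
            return "deny"       # e.g. a trojan trying to "phone home" on an odd port
        if flow in self.established:
            return "allow"      # reply to a connection this PC opened
        if pkt.local_port in self.inbound_ports:
            return "allow"      # listener the user deliberately exposed
        return "deny"           # unsolicited inbound: worm scans and the like


def run_trace() -> List[str]:
    """Apply the policy to a constructed packet sequence (sample data)."""
    fw = PersonalFirewall()
    trace = [
        Packet("out", "udp", "192.0.2.53", 53, 1025),      # DNS query
        Packet("in", "udp", "192.0.2.53", 53, 1025),       # DNS reply
        Packet("out", "tcp", "192.0.2.80", 80, 1026),      # web request
        Packet("in", "tcp", "192.0.2.80", 80, 1026),       # web response
        Packet("in", "tcp", "198.51.100.7", 4444, 135),    # worm probing RPC (135/tcp, as MSBlaster did)
        Packet("out", "tcp", "198.51.100.9", 6667, 1027),  # unexpected IRC connection
        Packet("in", "tcp", "198.51.100.9", 6667, 1027),   # "reply" to a flow never allowed
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The trace shows the two things the text asks for: replies to the DNS and web requests the PC started are allowed back in, while the unsolicited probe of port 135 and the outbound connection to an unlisted port are both dropped. Opening a port with `open_inbound()` is the trade-off the text mentions for chat and gaming software.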

  5. Install anti-virus software and perform twice-weekly updates and scans of your computer.

    Having anti-virus software that has expired or is not being updated at least twice weekly will not protect against new viruses or trojans that have been released into the wild since the last update.

    It is also possible you may already have a virus, trojan or other type of malicious code on your system performing harmful activities without your knowledge. Even if you are running up-to-date anti-virus software, there is always a delay between when a new trojan, virus or worm is discovered in the wild, when vendors can develop a signature for it and when the client installs the new signature. For rapidly propagating worms and viruses this delay is often sufficient to cause widespread infection. By conducting regular scans you may be able to identify whether you have received a virus or other malware, by email or other source, which your anti-virus software did not detect and quarantine at the time of entry.

    A computer should have only one anti-virus product installed.

  6. Install spyware scanners and conduct twice-weekly updates and scans of your computer.

    Spyware scanners do what anti-virus software often does not, i.e. detect and protect against a variety of "legitimate" tools which can be installed on your system by attackers for malicious purposes. Most spyware only collects profile information about your web browsing activities for the purposes of enhancing advertising, but some spyware can install remote access trojans and keystroke loggers, which can directly harm your systems or be used to compromise or harm other people's systems and identify your computer or network as the source of the attack.

    It is possible to install multiple anti-spyware products. This is recommended, as different products have different sets of spyware they can detect.

  7. Install and utilise spam filtering software for use with your email client.

    Spam is unsolicited bulk e-mail that often advertises products or services. It can sometimes be explicit and offensive in nature and is increasingly used as a vector to spread malicious code. By reducing the unwanted spam entering your inbox, you reduce the risk of compromise by malware.

    Spam filtering software uses pre-defined rules to determine what is and is not considered to be spam. By scanning incoming email for certain characteristics it determines whether the email is likely to be legitimate or not, and either blocks the email or allows it to pass accordingly.

    While spam filtering software can be useful for helping to identify spam email, it will not successfully block all spam email. For this reason, do not assume that all email delivered to your inbox when using spam filtering software is legitimate, even if it appears to have originated from sources you know and trust.

    Some Internet Service Providers (ISPs) offer spam filtering services, and some email clients such as Outlook 2003 include built-in spam filtering.
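The "pre-defined rules" approach is easy to see in miniature. The following is an added example written for this post (not AusCERT's, and not how any particular product works) of a rule-based filter that scores a message on a handful of characteristics and compares the total to a threshold. The rules, their weights, the threshold, the recipient address and the three sample messages are all constructed for the example; the third sample exists to show the caveat above, a message that triggers no rule even though a filter has no way of knowing whether it is genuine.

```python
# Added example, not part of the AusCERT document or this blog: a tiny
# rule-based spam scorer. Rules, weights, threshold, MY_ADDRESS and the
# sample messages are assumptions constructed for illustration.
import email
import re
from email.message import Message
from email.utils import parseaddr
from typing import Callable, List, Tuple

MY_ADDRESS = "user@example.com"          # constructed recipient address
SPAM_THRESHOLD = 3.0                     # assumed threshold for the example
SPAM_PHRASES = re.compile(r"act now|limited time|you have won|click here to claim", re.I)
IP_LINK = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")   # link to a bare IP address

Rule = Tuple[str, float, Callable[[Message, str, str], bool]]


def _body_text(msg: Message) -> str:
    """Decoded text of the first text/* part (a single-part message is its own part)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            return payload.decode("utf-8", "replace")
    return ""


def _domain(header_value: str) -> str:
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _all_caps(text: str) -> bool:
    letters = [c for c in text if c.isalpha()]
    return len(letters) >= 5 and all(c.isupper() for c in letters)


# (name, weight, predicate(message, body, my_address))
RULES: List[Rule] = [
    ("subject_shouting", 1.5, lambda m, b, me: _all_caps(m.get("Subject", ""))),
    ("exclamation_run", 1.0, lambda m, b, me: "!!" in m.get("Subject", "") or "!!" in b),
    # Bulk mail often hides the recipient list; my address is not in To:
    ("recipient_hidden", 1.0, lambda m, b, me: me.lower() not in m.get("To", "").lower()),
    ("spam_phrase", 2.0, lambda m, b, me: bool(SPAM_PHRASES.search(m.get("Subject", "") + " " + b))),
    # Replies steered to a different domain than the one the mail claims to come from
    ("replyto_mismatch", 1.5, lambda m, b, me: "Reply-To" in m
        and _domain(m.get("Reply-To", "")) != _domain(m.get("From", ""))),
    ("ip_link", 2.0, lambda m, b, me: bool(IP_LINK.search(b))),
]


def classify(raw: str, my_address: str = MY_ADDRESS) -> Tuple[str, float, List[str]]:
    """Return (verdict, score, names of rules that fired) for one raw message."""
    msg = email.message_from_string(raw)
    body = _body_text(msg)
    hits = [name for name, _w, pred in RULES if pred(msg, body, my_address)]
    score = round(sum(w for name, w, _p in RULES if name in hits), 1)
    return ("spam" if score >= SPAM_THRESHOLD else "ham", score, hits)


# Constructed sample messages (not real mail).
SPAM_SAMPLE = """\
From: "Prize Dept" <prizes@example.net>
Reply-To: claims@example.org
To: undisclosed-recipients:;
Subject: YOU HAVE WON!!!
Content-Type: text/plain

Congratulations! Act now and click here to claim: http://198.51.100.23/claim
"""

HAM_SAMPLE = """\
From: Alice <alice@example.com>
To: user@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Hi, are you free for lunch on Thursday at the usual place? Alice
"""

# Triggers nothing: a rule-based filter cannot tell whether this is genuine.
EVASIVE_SAMPLE = """\
From: Bob <bob@example.com>
To: user@example.com
Subject: Re: the document you asked for
Content-Type: text/plain

Hi, the updated file is at http://www.example.org/docs/update - let me know.
"""

if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, HAM_SAMPLE, EVASIVE_SAMPLE):
        print(classify(sample))
```

The first message trips every rule and is scored well above the threshold; the second trips none. The third also scores zero, which is exactly the point made above: a clean score tells you the filter found nothing, not that the sender is who the 'From' line says.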

Additional steps to secure a Windows PC

  1. Don't open attachments or click on links in suspicious email.

    Just as important as the technology counter-measures are good practice counter-measures: these are the things that users and system operators can do, and they are important. There will be times when, despite your best efforts to keep your anti-virus, anti-spyware and system patches up to date, vendors will not have developed the signatures or the specific patches required for protection.

    Describing what is 'suspicious' is difficult, but this is where your instincts will help. Viruses can forge email 'From' fields, i.e. change the 'From' field of the source of the email so that tracking the source of the infection is difficult and the recipient is confused. Viruses can send infected emails from legitimate email addresses of persons known personally to you by collecting addresses from infected systems. For this reason, the email 'From' field provides only limited clues as to its potential to contain a virus.

    Look also at the body and subject of the message. If the email is from somebody personally known to you or your organisation, is the message content and subject line consistent with what you would expect that person to email you about? If words are misspelt, if there are grammatical errors, or if the expressions used are culturally inconsistent, such as "watchin' the game, having a bud" or referring to imperial measurements when it is common to use metric measurements, then these are likely to be clues to regard the email with suspicion, in which case you should delete it without opening the attachment or clicking on any of the links it contains. If you don't personally know the person named in the 'From' field and the message was not expected, then delete it. If you do know the person, then it would be a good idea to contact them and check they did in fact send the email before opening the attachment, clicking on the links it contains or replying to it.

    Be particularly wary of social engineering ploys, i.e. messages which are designed to increase your curiosity, concern or interest in opening the attachment or clicking links. For example, some of the random messages contained in the Fizzer worm were: "the attachment is only for you to look at; you must not show this to anyone and if you don't like it, just delete it"; others have claimed "you are under police investigation, click here to learn more".

  2. Configure instant messaging software to allow only those on your contacts list to send you messages.

    Equally as important as blocking unwanted emails is blocking unwanted instant messages. Some malicious code uses instant messaging software such as MSN Messenger, AOL Instant Messenger, Yahoo Messenger or ICQ to spread.

  3. Securely configure email clients to turn off the "Preview pane" and to show and block potentially harmful attachments.

    In the past, some email clients have exhibited vulnerabilities which allow malicious code to execute automatically as messages are "previewed". Additionally, HTML email may download and execute harmful mobile code such as Java.

    As a general rule, don't open attachments with any of the file extensions .exe, .com, .pif, .scr, .vbs, .js, .ocx, .shs, .reg and .bat. Some email applications, such as newer versions of Microsoft Outlook, block certain types of potentially harmful email attachments and, for other types of attachments, require the user to save the attachment to disk before it can be opened. The latter allows the user to scan the file before opening it if your anti-virus software is not integrated with your email program.
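The extension rule above is simple to automate, and doing so shows two details worth knowing that the list alone does not: Windows chooses the program to run from the last extension only, so "invoice.txt.exe" is an executable, and comparison has to be case-insensitive, so "Setup.EXE" is caught too. The following is an added example written for this post (not AusCERT's code and not how Outlook implements its blocking) that parses a MIME message with Python's standard `email` package and sorts each attachment into "block" or "save-then-scan". The sample message and its attachment contents are constructed placeholders, not real files.

```python
# Added example, not part of the AusCERT document or this blog: classify a
# message's attachments against the extension list given in the text. The
# sample message and its attachment bytes are constructed placeholders.
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions from the text above; compared case-insensitively.
BLOCKED_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".vbs", ".js",
                      ".ocx", ".shs", ".reg", ".bat"}


def classify_filename(name: str) -> str:
    """'block' if the final extension is on the list, else 'save-then-scan'.

    Only the last extension matters, because that is the one Windows uses to
    pick the program that opens the file: "invoice.txt.exe" is an executable.
    Whitespace around the extension is stripped, since padding such as
    "photo.jpg      .scr" is a common way to push the real extension out of view.
    """
    name = name.strip()
    if "." not in name:
        return "save-then-scan"
    ext = "." + name.rsplit(".", 1)[1].strip().lower()
    return "block" if ext in BLOCKED_EXTENSIONS else "save-then-scan"


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        # get_filename() reads the Content-Disposition filename, falling back
        # to the Content-Type name parameter.
        name = part.get_filename() or "(unnamed)"
        results.append((name, classify_filename(name)))
    return results


def build_sample_message() -> EmailMessage:
    """Constructed sample message with a mix of attachments (placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Documents for you"
    msg.set_content("See the attached files.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="Setup.EXE")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.txt.exe")
    msg.add_attachment(b"' placeholder script", maintype="application",
                       subtype="octet-stream", filename="macro.vbs")
    return msg


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample_message().as_bytes()):
        print(f"{verdict:15s} {filename}")
```

Note that "save-then-scan" is not a clean bill of health; it is the same position the text describes for Outlook, where the file is written to disk so the anti-virus scanner gets a look at it before anything opens it.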

  4. Configure browser settings to be as secure as possible.

    Surfing the net can be as dangerous as reading your email if you don't take precautions. ActiveX controls, Java, JavaScript, Flash and Shockwave are all forms of mobile code which are designed to enhance the web experience when you view a web page, but all have the potential to harm your systems. Unlike worms, viruses and trojans, which are inherently malicious, mobile code for the most part performs a legitimate and harmless function. It is possible, however, for attackers to embed mobile code within their web pages so that when unsuspecting users access a web site through their browser, the code is automatically executed on the client machine. Some anti-virus software can help protect against malicious mobile code.

    While various browsers use different naming conventions, those that support scripting controls also provide mechanisms for disabling them. IFRAME is an HTML element which could be used to facilitate the execution of mobile code. In an office environment, administrators have access to tools which can limit the amount of configuration a user can perform to their browser or operating system. This will minimise the risk of users downloading malicious mobile code.

  5. Consider using a different web browser.

    During 2004 and 2005 there was a sharp increase in trojan attacks with the sole purpose of capturing credentials for financial transaction sites (such as Internet banking). The vast majority of these attacks attempted to exploit vulnerabilities in Internet Explorer. Therefore, a short to medium term solution is to use an alternative browser, such as Firefox, Mozilla, Netscape or Opera. If an alternative browser is chosen, then it is prudent to also limit the mobile code (such as Java and JavaScript) which can be executed by this browser.

    However, it is important to note that using alternative browsers is not an infallible defence. Vulnerabilities are being discovered and exploited in other browsers, and they may become more commonly targeted as they increase in popularity. Similarly, some online financial transaction sites may not support less popular browsers.

  6. Consider using a modem/router device.

    There is now an abundance of affordably priced modem/router combinations available within Australia, particularly for broadband access. By purchasing a dedicated device that handles the Internet connection, your host computer is no longer directly connected to the Internet, but is instead given a "private" address (common private address ranges start with 192.168 or 10.0). The modem/router device handles the process of converting public to private IP addresses (and vice versa), which is also known as "Network Address Translation" (NAT).

    This type of device can inhibit legitimate applications that require incoming connections, such as chat and online gaming, but devices can generally be configured to allow these applications to function. However, care must be taken when performing this configuration to allow only limited connections.
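Why a NAT router protects the PC behind it is easier to see with the translation table written out. The following is an added example for this post (not AusCERT's text and not the firmware of any router) of a toy NAT: the LAN host's private address and port are mapped to a port on the router's single public address when it opens a connection, replies to that exact flow are mapped back, and anything arriving unsolicited is simply dropped because no mapping exists, unless the user has configured a port forward. The private ranges are the RFC 1918 networks that the "192.168" and "10.0" addresses in the text belong to; all other addresses, the starting public port and the flow details are constructed for the example.

```python
# Added example, not part of the AusCERT document or this blog: a toy NAT
# table. Addresses, ports and the port-forward are constructed for illustration.
import ipaddress
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges; the text's "192.168" and "10.0" addresses fall inside these.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr is an RFC 1918 address, i.e. not routable on the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETWORKS)


class NatRouter:
    """One public IP shared by the LAN; inbound packets are dropped unless mapped."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (private ip, private port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self.reverse: Dict[Tuple[str, int, str, int], int] = {}
        # Static port forwards the user configured, e.g. for chat or gaming.
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def forward_port(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Expose one LAN service to the Internet (the 'limited connections' trade-off)."""
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a packet leaving the LAN; returns the public (ip, port) it is sent from."""
        if not is_private(src_ip):
            return None                      # only LAN hosts are translated
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.reverse:          # first packet of a new flow: allocate a port
            pub = self.next_port
            self.next_port += 1
            self.reverse[key] = pub
            self.table[pub] = key
        return (self.public_ip, self.reverse[key])

    def inbound(self, src_ip: str, src_port: int,
                dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a packet arriving from the Internet to a LAN (ip, port); None = dropped."""
        mapping = self.table.get(dst_port)
        if mapping and mapping[2:] == (src_ip, src_port):
            return mapping[:2]               # reply to a flow the LAN host opened
        if dst_port in self.forwards:
            return self.forwards[dst_port]   # explicitly forwarded by the user
        return None                          # unsolicited: the PC never sees it


if __name__ == "__main__":
    router = NatRouter("198.51.100.1")
    print(router.outbound("192.168.1.10", 1025, "203.0.113.5", 80))   # web request leaves
    print(router.inbound("203.0.113.5", 80, 40000))                   # its reply comes back
    print(router.inbound("198.51.100.7", 4444, 135))                  # probe of port 135: dropped
    router.forward_port(6112, "192.168.1.10", 6112)
    print(router.inbound("203.0.113.77", 5000, 6112))                 # forwarded game port
```

The mapping is keyed on the whole flow, so a packet to the allocated public port from a host other than the one the PC contacted is also dropped; consumer routers vary in how strict they are about this. The last line shows why the text says to configure port forwards carefully: each one re-exposes one service exactly as if the PC were connected directly.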

Recovering from an infection

The old adage 'prevention is better than cure' is especially true for malicious code. Depending on the nature of the malicious code, the solutions to recover will vary. If you believe you may be infected, the key is to correctly identify the nature of the malicious code and apply the recommended recovery solution. For some types of malicious code, recovery may simply require a reboot or the use of a purpose-built removal tool. Anti-virus vendors' web sites may assist in providing specific advice. Microsoft has released a malicious software removal tool, which can remove several variants of malicious code on Windows 2000, Windows XP and Windows 2003 systems.

If the malicious code has installed a backdoor, gained administrator level access or changed system files, then the integrity (not to mention confidentiality or availability) of your system has been fundamentally damaged. This means you can no longer trust the operating system, applications or data files. The best solution is to ensure you have a backup of your data and then format the hard drive, reinstall the operating system and applications from trusted media and data files from back-up media.
