Aug 23 2008 2:39AM GMT
Posted by: Ken Harthun
Cybercrime,
Anti-malware,
Anti-virus,
spam,
Malware,
Phishing,
Opinion,
Virus
According to Panda Security, the Oscarbot.UG virus, first detected on August 17, 2008, uses intelligent stealth techniques to avoid detection. “It deletes the original file from which it was run once it is installed on the computer. It uses several methods in order to avoid detection by antivirus companies [one of them being that it] terminates its own execution if it detects that it is being executed in a virtual machine environment, such as VMWare or VirtualPC.”
As reported by Help Net Security, the worm “stops running if it finds that it is being tried on virtual machines such as vmware, a sandbox or in a honeypot (these tools are often used to check in a controlled environment if an executable file is running malicious commands).
The good news is that anyone running a virtual environment is safe from infection: The worm won’t run and when you shut down the virtual machine, it’s gone. The bad news is that malware using this type of intelligent stealth is on the rise, raising the bar for anti-malware researchers.
At what point do we switch from a reactive anti-malware approach (blacklisting) to a pro-active one (whitelisting)? The day is fast approaching (it may already be here) when the programs designed to protect us become so huge and so invasive that they prevent us from getting any useful work done.
The best way to combat malware would be to take the profit out of spam, phishing scams, and other cyber-fraud crimes.
I don’t have the answer for that one.
Aug 5 2008 1:01AM GMT
Posted by: Ken Harthun
Anti-malware,
Anti-virus,
Firewalls,
HIPS,
Intrusion detection,
Secure Computing
I recently posted the last article in my How to Secure Your Computer series of security maxims (an eBook will be available shortly–stay tuned for details). While editing the book, I realized there’s a wealth of free and Open Source software available that can help anyone from the novice to the professional practice secure computing.
My “Nine Steps to System Security - 2008” (originally posted as “Seven Steps to System Security - 2004“) is the latest iteration of what is essentially the basis of all the maxims. It lays out a plan that’s been proven highly workable and will serve as a rough guide for the sequence of articles in the new series. The maxims will provide additional layers as the series develops.
At last count, there were 26 pieces of software mentioned in the main articles. Many of those will be grouped into a few general categories, but I believe the Software for Secure Computing series will be substantial.
First in the series will be “Software for Secure Computing: Secure Browsers.”
Jul 31 2008 3:32AM GMT
Posted by: Ken Harthun
Security,
Anti-malware,
Malware
I’m flattered that Windows Secrets took my suggestion and published an article based on it. (Thanks, Scott!) I can’t give you a link because the article is only available to paid subscribers of the newsletter, but I will give you an excerpt:
By modifying the Hosts file yourself, you can prevent anyone using the PC without an administrator account from accessing unwanted sites. Prime candidates for blocking via this method are sites that host advertising, which can sometimes be a conduit for malware, as I explained in my Apr. 17 story.
To block a file served by the DoubleClick ad server, for example, you would add this line to your Hosts file:
127.0.0.1 ad.doubleclick.net
My article on using a hosts file is the basis for this. Do it. You’ll be safer on the web.
Jul 29 2008 10:47AM GMT
Posted by: Ken Harthun
Security,
Anti-malware,
Anti-virus,
Firewalls,
Malware,
Routers
A good many people have responded to my various articles on system security. Most of the feedback has been positive, but many wondered if there might be a simpler approach, some basic things you can do to protect yourself without too much hard work.
You’re in luck. Call it the lazy man’s way to system security; if you install protection against the the three biggest threats to your on-line security–infections by viruses, worms and Trojans, malicious software (spyware, adware, browser hijackers) and crackers who wish to secretly access and control your PC–you’ll be protected from the worst of security problems. One caveat, however: if you go to questionable sites (you know the ones I mean!) and are in the habit of clicking on links in pop-ups and spam emails, you’re out of luck—nothing can help you because you’re inviting infection.
But, for those who generally try to avoid the bad stuff, these are the four bare security essentials: a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall. Simple, and highly effective for most users.
Before you ask, the answer is yes, you still need a software firewall, even if you already have a NAT router or hardware firewall. Most hardware firewalls are configured to keep bad traffic from getting in, but will let most traffic from your network out, so they don’t keep those sneaky tracking programs from phoning home. A software firewall will at least give you some warning when a program is trying to access the Internet and you can decide whether to allow it. Besides, it gives you an extra layer of protection, just in case.
I highly recommend you read and apply Nine Steps to System Security - 2008, but if you’re feeling a bit lazy today, the four essentials will get you by.
Jul 27 2008 4:09PM GMT
Posted by: Ken Harthun
Security,
Anti-malware,
Anti-virus,
Firewalls,
Malware,
Phishing,
Vulnerabilities,
Email security,
spam,
Microsoft Windows,
Browser,
NAT,
Routers,
Opinion,
Rootkit
It isn’t getting any better on The Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly more stealthy and difficult to remove thanks to rootkit technology. With the advent of Web 2.0 and its emphasis on sharing and collaboration, web-based attacks are more prevalent than ever, especially those that rely on JavaScript and other scripting languages.
CAN-SPAM did little to deter or eliminate spammers, and today the spam problem is even worse thanks to huge botnets run by organized cyber-crime syndicates. Phishing attacks are harder to detect and more frequent. Recently, I spent the better part of two days cleaning up the aftermath of a mass mailer worm infection for one of our clients; their email is still being blocked by some servers. In its September 2005 issue, Consumer Reports said, “One Third Of Net Users Damaged By Malware.” Considering that article is three years old, I’d wager that the number of infected computers has doubled since then.
In my job as a systems engineer for Connective Computing, Inc., I deal with the effects of malware nearly every day. My previous releases of this article, Seven Steps to System Security - 2004 and Seven Steps to System Security - 2005, and Eight Steps to System Security – 2005, listed the field-proven steps I recommend to everyone I know. It’s been nearly three years since I published my latest version, but those eight steps haven’t changed much; they just need to be brought up to date, and a new step involving disabling scripting in the browser has been added. Computer users still haven’t learned safe surfing practices, however (will they ever?), and must modify their on-line behavior–particularly by applying the first step–for rest of these steps to be truly effective.
Did I mention these things are proven? They are. These are practices have been protecting computer users in homes and businesses for as long as I’ve been using them. This is free advice that’s really worth something:
- Repeat after me: I will NEVER, EVER click on any pop-up of any kind - NEVER, EVER. Not even on the “X” (it’s usually safe, but why take the chance?). Use the key combination Alt-F4 instead; it safely closes the current window. In the slimy world of sleaze-ware, “No” means yes, “Cancel” means yes, “Close” means yes - ANY click on a button means yes. So many times users ask, “How did I get that? I clicked ‘no’ when it asked me!” Well, sorry, but you clicked, so they got you. NEVER, EVER CLICK!
- Although Internet Explorer 7.0 has enhanced security and has been detached somewhat from the Windows operating system, it is still too big a target. Crackers are still writing malware that exploits IE security flaws. I recommend you use Firefox or Opera to browse the Web. (Some web sites still require IE, so you’ll be forced to use it for those, but you should minimize its use otherwise.) Whatever browser you use, be sure you configure your preferences to block all unwanted pop-ups or install a pop-up killer like the Google Tool Bar. And while you’re at it, re-read #1!
- Patch your system. If you’re still running XP, make sure you have at least service pack 2. If you’re a home user, install service pack 3. (I still see systems that are running XP with service pack 1 or 1a, probably because they turned off automatic updates. While some argue against it, I recommend you turn them on.) And be sure to install any recommended security updates and patches for ALL software on your system, - especially Microsoft Office - not just Windows. If you’re running Windows Vista, you benefit from its enhanced security, but you still need to keep ALL of your applications patched. Secunia’s Online Software Inspector is an excellent tool for scanning your system’s applications to discover those that need updates.
- Besides installing a NAT router (see How to Secure Your Computer: Maxim #2), run a properly-configured, proven software firewall. Don’t rely only on Windows XP’s built-in firewall - it blocks inbound attacks only (see this article) and it has flaws of its own (see this article). It will not stop back-door trojans, adware, spyware, and the like from “phoning home” with your sensitive information. (See this article for more info.) While Vista’s firewall does offer outbound filtering, it isn’t much better (see this article for more information). My favorites are the Comodo Personal Firewall (free), and the Sunbelt Kerio Personal Firewall (full-featured for 30 days, then runs free in limited-feature mode, $19.95/yr for full version).
- Run a good anti-virus program. Choices abound. I have used AntiVir Personal Edition (free) and Grisoft’s AVG (free). Other good ones are Avast! and Comodo AntiVirus.
- Run multiple anti-spyware/anti-adware programs and keep them updated. I recommend: a. Spyware Blaster. This free program blocks adware and spyware from installing in the first place and is frequently updated; b. Ad-Aware. Scan weekly, more frequently if you are a heavy surfer; c. Spybot S&D. Run it on the same schedule as Ad-Aware; d. Microsoft’s Windows Defender is an excellent product and is installed by default in Windows Vista. Configure it for real time protection and automatic updates. One of the best commercial anti-spyware applications is Sunbelt Software’s CounterSpy. It is a PC World Best Buy award winner. Comodo BOClean:AntiMalware is also a good one and it’s free.
- Run a spam blocker to isolate junk e-mail. Most malware and all phishing attempts rely on spam. You want to isolate this stuff and delete it. NEVER, I repeat, NEVER, EVER click on a link in any e-mail you are not absolutely certain is legitimate. And to be as safe as possible, always type in the address of your bank, credit card companies, and any other site that you want to keep secure. (See #1 above and apply that principle to links, too!) One of the best programs is Open Field Software’s ella for Spam Control. It uses wizards to “train” it to your personal specifications. There are free and paid versions that work with Outlook, Outlook Express. My clients swear by it. Another good program is Sunbelt Software’s iHate Spam.
- On Windows XP, set up a restricted user account and use that for routine tasks. Only log on with administrative privileges when you need to install or configure software. This will prevent rogue programs from affecting your system - they won’t be able to install. You can activate the “run as” feature so you can do administrative tasks while logged in as a restricted user. Microsoft Knowledge Base article Q294676 explains how to activate and use this feature. If you are running Vista, you don’t have to worry about this step: User Access Control (UAC) takes care of it.
- Finally, disable scripting in your browser. If you use IE (you probably shouldn’t, see Step 2), Tony Bradley gives you an excellent step-by-step procedure to accomplish this. Firefox users have a more elegant solution in the form of an add-on: NoScript. I use it on every PC. Scripts are blocked globally by default, but you can selectively activate them if you trust the site. For example, you can trust the main site’s scripts but keep blocking any advertising or other third party scripts with no ill effects.
While total immunity is impossible - new infections and variations on existing exploits appear daily - these nine steps will help prevent, catch, or clean 98 percent of the junkware out there. As for the other two percent - or if you are already badly infected - you’ll need to hire a geek like me.
Jul 17 2008 1:07AM GMT
Posted by: Ken Harthun
Anti-malware,
Anti-virus,
Microsoft Windows,
Browser,
Security
A while back, I used the Microsoft Public Access Computer Security Tool, predecessor to Windows SteadyState, to secure a credit union’s public access computer. They wanted to make sure that no one could use the PC do do anything but work with their online banking site. After a short learning curve, I was able to deliver exactly what they wanted. They were impressed and so was I.
The other day, after yet another grueling session of cleaning up a family member’s malware-infested PC, it occured to me that I should just put SteadyState on it and set up several profiles, putting restrictions in place for the kids, leaving things a bit more open for Mom and Dad, and completely locking down a profile for guest users. Check out what you can do with this:
- Restrict access to programs and settings
- Return the computer to its original state with Windows Disk Protection
- Enforce time limits on use of the computer
- Control what programs show up in the menus
I haven’t teste this idea yet, but it seems to me that Windows Disk Protection alone would be worth a try. You could set up a profile that would allow completely safe surfing for everyone in the household.
I’m going to take a serious look at this, so stay tuned for my report.
Jun 14 2008 1:57PM GMT
Posted by: Ken Harthun
Security,
Malware,
Rootkit,
Opinion,
Anti-malware,
Security maxim
You’ve seen them: PCs with serious malware infections that seem to defy any and all attempts to clean them up. You persevere and eventually get rid of the files that regenerate upon deletion, clean up the autorun registry entries that keep the malware going, and kill all the malicious processes that keep showing up. You’re proud of yourself; you’ve conquered the beast, out-hacked the hackers. You’re the man: a real, live uber-geek! Pat yourself on the back–you earned it. Then, after you’ve finished congratulating yourself, reformat the hard drive and reinstall the operating system–you can never trust that machine again unless you do.
There’s no such thing as forgiveness in security; once a machine has been compromised, you can never be certain that it’s free of malware unless you completely wipe it out and start from scratch. Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware is designed to be tenacious and stealthy. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Rootkit technology is becoming so sophisticated that normal means of detection don’t work as this article in The Register explains.
It’s a matter of trust; it’s also a security maxim. So without further ado, I present How to Secure Your Computer, Maxim #12:
Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
