Archive for the 'Security' Category

Is the “Virtual Sky” Falling?

Friday, August 31st, 2007

As this is my first blog entry I felt I had to write on something close to home. As a technical writer I have been writing pieces for online articles related to computer performance and security issues. I am three quarters of the way through an article about malware (“malicious software”) and it is taking far longer than I expected. I have tried to condense it as much as possible. It begins with a definition, lists the various types of malware, and briefly covers the transition from virus to malware. Recently, I did a first pass on a section related to attack vectors and security vulnerabilities and I am about to write on botnets and rootkits. As I work on this I am overwhelmed by just how much information is available on these subjects.

Last weekend I switched off my computer for the day and enjoyed an amazing day of bike riding and an incredible swim at a local lake. While warming in the sun and with the continuous reflection of light bouncing off the water, I attempted to explain to my new friend the work I was doing and the subject matter of my writing. Not only was it a challenge to bring this virtual existence into the refreshing day we were experiencing, but it was also difficult in another way. In the back of my mind, as I was talking, and even during the times I write, I can’t help but think… “Am I portraying a certain kind of message?” Am I saying in some way: “The virtual sky is falling… the virtual sky is falling”?

According to the available documentation, malware and cyber crime are a serious issue and there is sufficient reason to be concerned. And yet, I don’t want to be an alarmist. How bad can it be? For most people who run into it, the worst of it would be a few web cookies and popup ads. By some accounts, there will be those who have their computers controlled by remote hackers (also known as “black hats” or “crackers”). Is this real and is there more to this?

Two days ago, the whole thing struck close to home for me. A good friend of mine tells me that she has had some funds - a thousand dollars - taken from a bank account. The account is shared between her and her husband. When dealing with her bank, the rep assured her that this happens all the time, that it was likely an error related to misdirected funds and that they were investigating it. Soon after this someone from the bank tells her that it could be from malware or a virus and she should check her computer. She is using a Macintosh and I find this interesting because, from what I know, malware is not typically targeted at Macintosh computers. I try to help from my end by looking for some free online scanning utilities, but finding an online scanning tool for the Macintosh didn’t lead to much success. She resolves to check with the computer wholesalers, and the bank, the next day.

The next day, the Mac distributor that she speaks to says that there hasn’t been a virus on a Mac in 10 or 11 years. This contradicts what I hear: the people I work with tell me that Macs are just as vulnerable but are not targeted as much because they have less market share. This was something I was fully aware of, but I was glad to have it confirmed. My friend tells me in our next conversation that she had received an online correspondence a few days back which appeared to be from her bank. The email looked legitimate; it warned of an expiration and linked her to a web page where she had to submit her account credentials. Right away I knew what this was… a phishing scam.

By using “hoax” or “spoof” emails these scammers appear legitimate. In some schemes, like this one, there is an urgent message, a web link is displayed, and the user is taken to a “spoofed” web page. The aim of the scam is to get a password, PIN, debit or credit card numbers, social security number, or bank account information. Once you enter the credentials they can record the information and use it for other purposes such as transferring funds.

From what I know… it takes close examination of the email and the spoofed web page to detect that it is in fact a scam. The email message that my friend received stated that she must act immediately.

Here’s my little blurb… if in doubt of an email such as this, take some time to confirm it person-to-person or by phone with the financial institution. If you see a web page that looks like it could be a fake, examine the URL address to see if it is exact or if there are misspellings. Some of these tricksters mimic the web address by using two letter v’s (“vv”) instead of the letter w (“w”). You can also check to see if the address can be altered. If the site address is “http://www.mybank.org/actow.html” you can try truncating the URL so that you are taken to the home page: “http://www.mybank.org”. To read more about email spoofing, see: http://www.cert.org/tech_tips/email_spoofing.html.
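As an added example (not code from the original post), here is a small Python script that performs the link checks described above: whether the host in a link really belongs to the site you expect, whether it uses “vv” in place of “w” or is a near-miss spelling of the real name, and what the address becomes once the path is truncated back to the home page. The site name mybank.org, the sample URLs and the edit-distance threshold are constructed placeholders, not taken from any real bank.

```python
"""Checks on a link from a suspicious e-mail: does the host belong to the site
you expect, does it use the 'vv'-for-'w' trick or a near-miss spelling, and
what is the site's home page once the path is truncated?
Added example; mybank.org and all sample URLs are constructed placeholders."""
from urllib.parse import urlsplit, urlunsplit


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def strip_www(host: str) -> str:
    """Drop a leading 'www.' so www.mybank.org and mybank.org compare equal."""
    return host[4:] if host.startswith("www.") else host


def home_page(url: str) -> str:
    """Truncate a link to scheme and host: .../actow.html -> http://www.mybank.org"""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def check_link(url: str, expected_host: str, max_edits: int = 2) -> dict:
    """Compare the link's host with the site you expect and list what looks wrong."""
    host = (urlsplit(url).hostname or "").lower()
    expected = expected_host.lower()
    # The host is fine only if it is the expected site or a subdomain of it.
    same_site = host == expected or host.endswith("." + expected)
    findings = []
    if not same_site:
        if "vv" in host:
            findings.append("host contains 'vv', a common stand-in for 'w'")
        if levenshtein(strip_www(host), strip_www(expected)) <= max_edits:
            findings.append("host is a near-miss spelling of the expected site")
        if expected in host:
            findings.append("expected site name is embedded in a different domain")
        if not findings:
            findings.append("host does not belong to the expected site")
    return {"host": host, "same_site": same_site,
            "findings": findings, "home_page": home_page(url)}


if __name__ == "__main__":
    for link in ("http://www.mybank.org/actow.html",
                 "http://www.mybamk.org/actow.html",
                 "http://vvvvvv.mybank.org.account-check.example/actow.html"):
        print(link, "->", check_link(link, "mybank.org"))
```

The subdomain test is deliberately strict: a host that merely contains the bank’s name (mybank.org.account-check.example) is reported, because only a host that ends in the expected name actually belongs to that site.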

One point of clarification has to do with PCs and Macs. I usually slam Microsoft in my articles and here is an opportunity to balance the scales. Nothing against Macs, but according to my online research the first virus “in the wild” was spread via an Apple II floppy disk in 1981. Viruses continued to appear from then until the turn of the century. In May of 2001 the first AppleScript worm was introduced. It uses Entourage or Outlook Express on Mac computers to spread emails to address book entries. All things considered, Macs are safer to use. However, as can be seen, no one is safe from the exploits of cyber crime and from the annoyance of viruses and security breaches.

When I research and study the reports available online I can’t help but write about this subject with a particular tone, as this is important to me. I don’t know the full ramifications of it but it is a growing concern as we become more and more comfortable with our virtual conveniences. We rely on technology to be secure and to protect us from cyber nasties and we underestimate the potential of what is in fact a pandemic. I do not want to portray some message about disaster being imminent. It is a clear indication of our reliance on computer technology.

For many people who experience malware first-hand and take on their own private battle by trying to remove these items and regain control of their system, this is more than a casual annoyance. As for other mass attacks and what the fallout will be… much of the outcome depends on how organized this threat is and how well users and solution providers are able to rally against it. There is the equivalent of an online “Neighborhood Watch”. You can check it out at: http://stopbadware.org/home/about.

Very few people were affected by the first virus that struck in 1981. It did include a little rhyme:

It will get on all your disks
It will infiltrate your chips
Yes it’s Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!

The cyber threats we face today have a greater impact and strike closer to home. They target and have an impact on our real world lives.

Dealing with Spyware

Saturday, June 23rd, 2007

Last weekend, between 8,000 and 10,000 websites, mostly in Italy, were hijacked and used to host a malware package called MPack. Using several exploits, MPack silently infects any visitors to compromised sites. Attacks like these have been getting more frequent, with a larger number of legitimate sites getting used to spread malware.

It’s very important to understand one thing: avoiding the seedy side of the Internet is no guarantee that you will not get spyware.

There are a lot of ways you can protect yourself, but you have to be careful as some spyware masquerades as anti-spyware tools.

Prevention

Prevention is always the best option for a lot of things, spyware included. You can prevent virtually every malware package out there by creating a regular user account and using that account to surf the Internet and read email. If you need to transfer files between your administrator and regular user account, just put them in the Shared Documents folder in My Computer. In Vista, if you can put up with it, User Account Control (UAC) is a decent compromise.

Unfortunately there are a lot of things you aren’t allowed to do as a regular user, like set the system time, install programs or certain hardware, change system settings, and so on. With Fast User Switching, this is less of an annoyance but it can still be a pain. If you decide this route isn’t for you, then a more complicated approach is in order.

The first thing to realize is the primary avenues of attack for spyware are infected websites and email. If you use a major webmail provider like Gmail or Yahoo mail, you’ll stand a better chance against spyware getting through. But if you use Outlook or Outlook Express (or Windows Mail in Vista) you are putting yourself at a greater risk. The same applies to IE, particularly IE6 on XP (IE7 on Vista is safer as it is prevented from making changes to the system).

Even if you replace these programs with safer alternatives, such as Mozilla Firefox, Thunderbird (for email) or Opera (another lesser known browser), the problem remains that your administrator account can install spyware that you may never be able to get rid of. There is a free tool that allows you to limit what these programs can do called DropMyRights, available here. When you install it, you should put it in C:\DropMyRights and install it so everyone can use it. Then you can change all of your browser, mail and file sharing program icons as follows:

  1. Right-click on the icon and select Properties.
  2. In the General tab, insert C:\DropMyRights\DropMyRights.exe in the Target: field before the path to the program (be sure to leave a space).
  3. Change the Run: dropdown box to Minimized.
  4. Click on the Change Icon… button, browse to the program’s executable (which is usually somewhere under C:\Program Files\) and choose the appropriate icon. This keeps the icon from changing to a generic icon.

Again, this comes with some annoyances - you won’t be able to install anything directly from the browser, you’ll have to download it first and then install it. But it is easier than using a regular user account.

If you aren’t installing automatic updates, you really need to. In fact, some exploits are reverse-engineered from updates released by Microsoft, so as soon as an update is available the clock is ticking, if it wasn’t already because the update was a response to an exploit that was already known. In the Control Panel, double-click Automatic Updates and set it to install automatically. If you are using a regular user account, you won’t be able to change this setting or install updates, so you’ll need to switch to your administrator account to change the setting, and log in periodically to install any new updates.

A healthy dose of paranoia is also a good prevention measure. Treat the Internet as you would the bad part of town where you live and don’t trust every website you run into or every email you read.

Detection

It used to be that spyware infections were obvious - slow performance, lots of popups, a home page that you could never change back, etc. While that still happens, the trend in spyware has been toward more silent infections - after all, if you know you’ve got spyware, you’ll try to clean it off; if you don’t know you have it, then you won’t.

The next best method for detecting spyware is getting anti-spyware software from a reputable vendor. There are even some free anti-spyware tools out there that will scan and remove most spyware infections. However, spyware authors are constantly writing new spyware programs (some of which can subvert anti-virus and anti-spyware programs!) and the anti-spyware companies are constantly playing catch up, so these programs may miss some infections.

Fortunately, there’s another way to determine if you are infected. If you haven’t already, read my blog posts on process pruning and Understanding Task Manager Part 1 to prepare for these next steps:

  1. Trim down the number of processes that run at startup to as few as possible, particularly any instant messengers, file sharing programs, Adobe products and Java update.
  2. Turn off Automatic Updates temporarily (don’t forget to turn them back on!).
  3. Add the PID column in Task Manager.
  4. Restart your computer and log in.
  5. As soon as you can, go to Start -> Run…, enter cmd /c netstat -ano > desktop\netstat.txt and hit Enter.
  6. Start Task Manager and switch to the Processes tab.
  7. Open the netstat.txt file and look for any connections where the Foreign Address doesn’t start with one of these numbers:
    1. 0
    2. 127
    3. 192.168
    4. 172.16 - 172.31
    5. 10
  8. Compare the PIDs in netstat.txt with the ones in Task Manager. If you see an executable you don’t recognize, type it into Google and see what it is.
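Steps 7 and 8 can be done by hand, but a short script makes the filtering less error-prone, especially for the 172.16 - 172.31 range, which is a range rather than a simple prefix. The following Python script is an added example, not from the original post: it parses the saved netstat.txt, keeps only connections whose Foreign Address is outside the local ranges listed above, and attaches a process name for each PID. The sample netstat output and the PID-to-process mapping (standing in for the Task Manager PID column) are constructed, not captured from a real machine.

```python
"""Pick out the connections in `netstat -ano` output whose foreign address is
not in one of the local ranges the post lists (0, 127, 192.168, 172.16-172.31,
10) and pair each with its PID. Added example; the netstat output and the
PID-to-process mapping below are constructed, not captured from a real PC."""
import ipaddress

# Constructed sample in the layout `netstat -ano` prints on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    127.0.0.1:1028         127.0.0.1:1029         ESTABLISHED     1840
  TCP    192.168.1.5:1042       192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.5:1055       172.20.3.9:80          ESTABLISHED     2212
  TCP    192.168.1.5:1061       203.0.113.77:6667      ESTABLISHED     3104
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:1900       *:*                                    1212
"""

# Constructed stand-in for the PID column in Task Manager.
SAMPLE_PROCESSES = {4: "System", 924: "svchost.exe", 1212: "svchost.exe",
                    1840: "alg.exe", 2212: "firefox.exe"}

# The post's list of "local" prefixes, expressed as networks so that
# 172.16 - 172.31 is handled as a range rather than a string prefix.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("0.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16",
                   "172.16.0.0/12", "10.0.0.0/8")]


def is_local(address: str) -> bool:
    """True if the address falls in one of the ranges above."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETWORKS)


def split_endpoint(endpoint: str) -> tuple:
    """'203.0.113.77:6667' -> ('203.0.113.77', '6667'); IPv6 brackets are stripped."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> list:
    """Turn the table into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[:3]
        # UDP rows have no State column, so the PID is always the last field.
        state = fields[3] if proto == "TCP" else ""
        foreign_host, foreign_port = split_endpoint(foreign)
        rows.append({"proto": proto, "local": local, "foreign_host": foreign_host,
                     "foreign_port": foreign_port, "state": state,
                     "pid": int(fields[-1])})
    return rows


def external_connections(text: str) -> list:
    """Rows whose foreign address is outside the local ranges; '*' (no peer) is ignored."""
    return [r for r in parse_netstat(text)
            if r["foreign_host"] != "*" and not is_local(r["foreign_host"])]


def annotate(rows: list, processes: dict) -> list:
    """Attach the process name for each PID, or 'unknown' if Task Manager has no match."""
    return [dict(r, process=processes.get(r["pid"], "unknown")) for r in rows]


if __name__ == "__main__":
    for row in annotate(external_connections(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        print(f"PID {row['pid']:>5} ({row['process']}) -> "
              f"{row['foreign_host']}:{row['foreign_port']} {row['state']}")
```

On the constructed sample only PID 3104, connected to port 6667 on an outside address, survives the filter, and it has no entry in the process list, which is exactly the case step 8 tells you to look up. Run it against your own file with the text of netstat.txt in place of SAMPLE_NETSTAT.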

Cleanup

If it’s just a regular program or something you forgot to clean up, then you can breathe easy. If you find out it’s spyware, try running some more anti-spyware tools. Your search may also turn up some removal methods. If you don’t find the executable in Google, and the anti-spyware programs you try don’t find anything, then you are really in trouble. It’s time to start backing up your data and try a couple of last-ditch efforts.

First, download and install these two programs: RootkitRevealer and HijackThis. You’ll need to log in as an administrator to run them. The first thing you should do is run RootkitRevealer (unzip it to a desktop folder). Check out the help file first to get an idea of what rootkits are and then run the program. Again, Google is your friend for checking out anything that RootkitRevealer finds. If you determine that you have a rootkit, there may be some way to remove it, but if not, you’ll have to re-install Windows. Good thing all your data is backed up, right?

If RootkitRevealer doesn’t find anything, it’s time to try HijackThis. Run the installer and make sure you allow it to put an icon on the desktop. Double-click the HijackThis icon and click on Open online HijackThis QuickStart. Follow the instructions on the site - there are also very useful links for cleaning up some nasty infections.

Strong, Easy Passwords

Friday, May 18th, 2007

Passwords are probably the most widely used information security technique on the planet. You might have a couple of PINs for bank accounts but if you do anything on the Internet you probably have several or even dozens of passwords. I probably have at least 30 to 40 at any given time, and even as an information security professional, I think the number of passwords the average person is supposed to remember is ridiculous.

There are two basic factors to consider when dealing with passwords:

  1. How many passwords you use
  2. How strong each of those passwords is

If you don’t have a separate password for every web site, your computer and whatever passwords are required at your job, you are putting yourself at risk. At the very least you should have separate passwords for different kinds of activities like your job, banking, shopping, social networks and informational sites. Your passwords should also be strong, which can be defined in a number of ways, but since you should never write them down they also have to be easy to remember.

All in all, passwords can be pretty annoying to get right. So here are a couple of ways to make that a lot easier.

Creating Strong, Memorable Passwords

There is a lot of debate in regards to what constitutes a strong password. Some people say that length is all that matters, others will say that character complexity is the answer (numbers, punctuation, symbols which can only be produced using the Alt key and the keypad) and some say that the key is “bits of entropy”. What everyone pretty much agrees on is that short passwords, specifically words you can find in a dictionary or some common info like your birthday or anniversary, are very weak.

My personal password strength measuring stick combines all of those thoughts but mainly has to do with “chunks” of information. For example, if your password is “password”, that is one chunk of information, a single word. If you have a password like “d8dNkn,1”, that is 8 chunks of information because each character has nothing to do with the others and is essentially random. Fortunately there’s an easy way to compromise between a completely random password and a memorable password – the pass-phrase.

To create a pass-phrase, just think of a sentence that’s easy to remember. It could be a favorite quote or song lyric or jingle or advertisement or even something you make up, like “I’m sick of remembering all these stupid passwords!” Now, with that phrase in mind, take the first letter of each word and make a new password out of it, like so:

“I’m sick of remembering all these stupid passwords!” = Isoratsp!

You could expand it further by doing something like this:

“I’m sick of remembering all these stupid passwords!” = I’msoratsp!

Or this:

“I’m sick 0f remembering @ll these 5tupid passwords!” = Is0r@t5p!

That last password appears entirely random and will meet just about any complexity requirement you’re likely to run into, yet all you have to do is remember a sentence. You could even hide your password in plain sight – write yourself a note to do something and make a pass-phrase out of it (although it shouldn’t conspicuously be the only post-it on your monitor for weeks on end).
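To show the pass-phrase method and the “chunks” measuring stick in working code, here is an added Python example; it is not from the original post. It derives a password from a phrase the way the three examples above do (first letter of each word, trailing punctuation kept, optionally the whole first word), checks the result against a typical length-and-character-class rule, and counts chunks using a tiny word list. The word list, the complexity rule and its thresholds are constructed for the example; a real chunk count would need a full dictionary.

```python
"""Derive a password from a pass-phrase the way the post does (first letter of
each word, trailing punctuation kept, optional whole first word), check it
against a typical complexity rule, and count "chunks" with a tiny word list.
Added example; the word list and the complexity rule are constructed."""
import string

# Constructed stand-in for a dictionary; a real check would use a full word list.
SAMPLE_WORDLIST = ("password", "pass", "word", "sick", "stupid", "all")


def derive_password(phrase: str, keep_first_word: bool = False) -> str:
    """'I'm sick of remembering all these stupid passwords!' -> 'Isoratsp!'
    Any substitutions (0 for o, @ for a, 5 for s) are made in the phrase first,
    exactly as the post writes them, so they carry through to the initials."""
    words = phrase.split()
    if not words:
        raise ValueError("pass-phrase is empty")
    parts = []
    for i, word in enumerate(words):
        core = word.rstrip(string.punctuation)
        if not core:
            continue  # a word made only of punctuation adds nothing here
        parts.append(core if (i == 0 and keep_first_word) else core[0])
    # Keep the punctuation that ends the phrase ("passwords!" -> "!").
    last = words[-1]
    trailing = last[len(last.rstrip(string.punctuation)):]
    return "".join(parts) + trailing


def character_classes(password: str) -> set:
    """Which of upper, lower, digit and symbol appear in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def meets_complexity(password: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """A common corporate rule: at least 8 characters drawn from at least 3 classes."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


def count_chunks(password: str, wordlist=SAMPLE_WORDLIST) -> int:
    """The post's measuring stick: a dictionary word is one chunk, any other
    character is a chunk of its own. Longest matching word wins at each position."""
    words = sorted(wordlist, key=len, reverse=True)
    lowered = password.lower()
    i, chunks = 0, 0
    while i < len(lowered):
        for w in words:
            if lowered.startswith(w, i):
                i += len(w)
                break
        else:
            i += 1
        chunks += 1
    return chunks


if __name__ == "__main__":
    phrase = "I'm sick of remembering all these stupid passwords!"
    for pw in (derive_password(phrase), derive_password(phrase, keep_first_word=True),
               derive_password("I'm sick 0f remembering @ll these 5tupid passwords!"),
               "password", "d8dNkn,1"):
        print(f"{pw!r}: chunks={count_chunks(pw)} complexity_ok={meets_complexity(pw)}")
```

The chunk counter is where a per-character entropy estimate and the post’s view part ways: “password” is eight characters but one chunk, while the derived “Isoratsp!” is nine chunks, because no dictionary word is left in it.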

Keeping Track of All Your Passwords

So now that you’ve got strong passwords down pat, how can you possibly remember them all? If only there was a secure way to store all of your passwords in one place! Luckily, someone else had this exact same problem and he also happens to be a security guru. A while ago, Bruce Schneier created a program called “Password Safe”, which is an encrypted database for passwords. Since then, open source programmers have improved the program, which is available for free from this site:

http://passwordsafe.sourceforge.net/

The most basic feature, naturally, is the storing of usernames and passwords but Password Safe goes beyond that – it allows you to safely copy the password to the clipboard by double-clicking, offers a feature where a password can be typed into a web page automatically and provides a password generator for random passwords. You only have to remember one password to unlock the safe and the rest of your passwords are made available to you.

Passwords can be irritating and hard to use but pass-phrases and Password Safe make the pain a lot easier to bear.