
Attack

What They Can Do To You

There's no such thing as an innocent bystander

Virus : a program that is put on your system (usually without your knowledge) which can cause some effect, harmful or not, and which attempts to multiply and spread (replicate). Viruses which do harm are said to have a malicious payload. They can spread by inspecting your address book and sending an infected message to every entry in it (a Mass-Mailing Virus); in this way you could infect everybody you have ever had an email from. They are able to access and alter the Registry. Some viruses execute immediately; others may wait for a particular date, or until you perform a certain action. For a virus to work you have to do something, e.g. open an email attachment, run a program or use an infected floppy disc.

Where they come from :

Many viruses have components that behave as worms and/or Trojans. One such is Lovgate (around 10 variants). As a mass-mailing virus it spreads through email, replying to every message received in Outlook or Outlook Express. As a worm it looks for Windows Shared Folders and leaves copies of itself in those with read/write access. It will also attempt to log on to other systems as Administrator, trying a catalogue of commonly used passwords (Hint : don't use a word or easily guessed numbers as the password for your shared resources - use a random series of meaningless characters). As a Trojan it unleashes a backdoor component that opens ports, obtains information and passes it back to an email address. This can then be used to execute commands on the affected system.

"[Lovgate variants].. apart from the mass mailing functionality this worm can spread through Windows shared resources, and it can steal users' passwords. It also has backdoor capabilities, listening in at  port 10168, allowing the attacker to perform different actions on the infected machine. In all variants A, B and C, a dropped DLL sets another copy of the backdoor on port 1192. It sends the private information to two addresses at 163.com, which appear to originate in China. It has key-logging capabilities and stores information it gathers in the following files:  win32pwd.sys and  win32add.sys  If it gains access, it will copy itself to file named stg.exe in the System32 Windows folder and it will attempt to run it." 

Classification :    Viruses are classified according to what they affect.

MBR, OSboot, Com/Exe Viruses : as their names suggest these infect Master Boot Records, Boot Sectors or executables.

Multipartite Viruses : infect both MBRs and executables.

Overwriting Viruses : replace original code with their own, thus damaging files irreparably, which then have to be deleted and replaced.

Companion Virus : creates a *.com file with the same name as a user's *.exe, relying on the fact that DOS executes the .com before the .exe when both share a name.

Resident Virus : stays in memory once executed and  spreads without further action from the user.

Non-resident Virus : only replicates when the user runs the infected program.

Stealth Viruses : conceal themselves in such a way that the decrease in useable memory or the increase in size of an infected file goes undetected.

What you can do : 

 

Worm : this is a section of code run on your system which, once you've got it, does not need any further action from you. Worms work by exploiting security holes in your operating system or applications. They may do their stuff, which can include planting a Trojan, then lie dormant for a time. Viruses can have worm-like components. A virus scanner will not usually stop this sort of attack, but, if you're lucky, it may tell you one has taken place.

A notorious recent worm affecting IIS Servers (which most home desktop systems are not) is Code Red. Here are some of its unsavoury properties :

" [Code Red II]..installs a backdoor into systems it infects. The worm drops a Trojan program to '\explorer.exe' that modifies different  IIS settings to allow a remote attack of the infected host. The standard command interpreter 'cmd.exe' is copied to '\inetpub\scripts\root.exe' and to '\progra~1\common~1\system\MSADC\root.exe'. The worm creates these files to both 'C:' and 'D:' drives if they exist. These copies of the 'cmd.exe' will allow any attacker to execute commands on the remote system really easily".

What you can do : 

 

Trojan (Horse) : The 'great pretenders' of computing, trojans are programs that are put on your system and which then conceal themselves and run when you execute something else (the parent program). They are malicious programs disguised as something benign. Known disguises are  games, utilities, and email attachments. Once activated, Trojan horses behave  in ways you won't be expecting. Some are annoying and embarrassing, sending emails to everyone in your address book, for example. Others do serious damage, stealing passwords, confidential information and data files. Trojan Diallers may ring premium rate numbers - often to illegal porn sites.  Unlike viruses, Trojan horses are not self-replicating, though viruses (and worms) can contain trojan elements.

Remote Access Trojan or Remote Administration Tool (RAT) : an advanced trojan, meant to open a backdoor into your system to make it easy for a cracker to enter. They use unprotected ports to open lines of communication, and ultimately give strangers control over your computer. An attacker uses his 'client' to control a victim's machine by way of a 'server' illegitimately added to it.

Where they come from : 

A typical example of an efficient and versatile remote-access trojan is Sub7. It is  popular, powerful and easy to use.   It also :

  • is kept up to date and actively maintained  (many trojans aren't)

  • is the focus of a malicious contest based on cracking vulnerable systems 

  • scans ports, and is able to instruct enslaved machines to do the same

  • is capable of 'port redirection' , so that attacks can be made from infected machines

  • cracks ICQ, AOL, MSN Messenger, Yahoo Messenger etc. allowing password sniffing and  the posting of forged messages

  •  interferes with the User Interface, attempting to frighten victims by such tricks as talking through their speakers, inverting and distorting the display screen and spying on what they're viewing.

Acknowledgement : based on the excellent and thorough research of  Robert Graham*

What you can do : 

Parasite :   unsolicited commercial  software designed to gather (mine) information about you and your habits, access the Internet and send back  collected data to the originator. Like real  parasites, and viruses and worms for that matter, they have a vested interest in not immediately killing the system they inhabit. Some of these programs  are put there with your (perhaps unwitting) collusion when you download certain freeware (piggy-backing). If you remove the ads,  the parent application may stop working. Their perpetrators consider them 'harmless commercialism'. You may beg to differ : they get installed on your computer without invitation,  do things  you don’t want, and make money for someone else. Since they make no attempt to replicate they are not classed as viruses.

What they are called : Adware, Spyware, Malware, Scumware, Foistware, Carpware, Browser Hijackers, Diallers, Resource Hogs, Conflictors etc. Some authors do not consider them a security risk.

What they can do :

Where  they come from : 

What you can do :

Acknowledgement : much of the above  is based on the highly informative doxdesk* website - a treasure-house of information on the behaviour of parasites individually and collectively.

 

Hoaxes :  

What you can do : 

Browser Hijacking : the unwanted and unwarranted altering of your web browser settings (esp. Internet Explorer).

It  may involve :

Sources of Infection :

Modus Operandi :

1. First the malicious code has to get into your system. It can do this by means of a download that can happen by simply visiting a website or passing your mouse over an ad. You may not even notice anything (Drive-by Downloading). It exploits a potential breach in the security settings of the Internet Zone in IE. This happens through not having your browser's Unsigned ActiveX Control levels set high enough (i.e. to 'Disable'). Hijackers using this vulnerability plant one or more .hta (HyperText Application) files on your system which are executed on start-up by Windows Scripting Host. Sometimes renaming or moving all .hta files found after a Search will let you restore your settings, and they will stay restored. However, there are less subtle methods of attack. All they have to do is persuade you to run an executable such as an .exe file with their hidden additions concealed within. Hijackers will often disguise this as 'Browser Enhancements', 'Updates' and so on. They go to extraordinary lengths to get you to run their stuff, throwing free gifts and special offers into the transaction. The program you think you're installing is merely a cover. In the background it sneakily installs something far less desirable. This is known as piggy-backing.

2.  The software gets to work usually by changing your browser's default homepage (Homepage Hijacking) to a page the hijacker wants traffic to be directed to. It may also add extra links to your Favourites list, or cause the IE window to re-size. 

3.   From now on your habits are an open book. The secretly included code keeps tabs on your surfing by recording the sites you visit and sends this information to its originating server. This is known as tracking.

4.  The company then uses the information to bombard you with ads, links and pop-ups that it deduces you would find of interest. These are the products it is getting paid to push and they can appear at any time, anywhere. This is known as smacking.

"The Xupiter Toolbar is a typical browser hijacker. The code installs itself as an extra toolbar on your browser, automatically changing your Default Homepage. It also adds gambling and porn links to your Favourites. During its operation it causes frequent crashes. The official uninstallers tend to be ineffective because Xupiter makes multiple entries in the Registry, specifically to foil uninstallation attempts. Some hijackers will even set your system up so that you cannot access the Registry  to delete their entries."

5. Browser Makeover : If the previous type of attack is covert, then this is blatant, in that your co-operation is required for successful operation, although there is a similar indifference to your preferences. It is symptomatic of the high profile, highly competitive commercial ISPs. They add unwanted titles, logos, toolbars, toolbar decoration, Search bars and so on, to both IE and Outlook Express - and will also hijack your homepage if you let them. They do this through Browser Helper Objects or BHOs. These are COM DLL files that allow developers to customise and control Internet Explorer. When IE (4 and above) starts, it reads the Registry to locate installed BHOs and then creates them. Created BHOs then have access to all the events and properties of that browsing session, so that a developer has almost complete control. A BHO is built using an Application Programming Interface (API) which hackers can abuse to create their own BHOs and hence produce commercialised alterations to an affected browser. As there is often no user interface, you will not be aware what BHOs are running, and, in the normal course of events, you would not be able to reverse unwanted changes. Their software has not, of course, been added covertly : it was included when you chose them as your ISP and elected to install their system from the CD they so generously supplied. What you got will be described in the minutiae of the EULA. The crunch comes when you no longer want to be associated with them. Table 6, accessible from Contents above, is a list of what has been termed 'problematic' software. I have coined a less respectful though euphemistic term : Carpware. It is defined as an application or application suite that appears to benefit the user, but which has built into it a part that serves a less beneficial purpose, either as a primary or a secondary consideration. This includes aggressive or third-party advertising. When you've installed a half-decent media player, do you really want it asking you every few hours if you want to upgrade? Do you really want to know for evermore that your browser was 'supplied' by an ISP? Carpware may involve Browser Hijacking, Browser Makeover or both.

What you can do :  

 

Drive-by Downloading : The hidden process by which programs install themselves on your system as you visit a website, or  pass/click the mouse  over an ad. You often have no idea anything has occurred. The 'close' button of an ad window is often nothing of the sort. Some will attempt to install in the guise of browser plug-ins. They could be genuine programs, viruses or spyware (trackers). They work by exploiting the fact that you are allowing  Windows Scripting Host  to run. Note that by embedding .hta script in their pages you can be infected merely by visiting the site.

What you can do :  

 

Dialler : Unless you are protected, drive-by downloading may install on your system a browser plug-in that allows rogue web sites to install Dialler software packages. These surreptitiously connect you to premium-rate lines, often pornographic, resulting in excessive phone bills. See Table 6*

Piggy-backing : A method of more or less covertly adding  something to your system during the installation of the carrier or parent program. Pay particular attention to the Terms and EULA, and to any Options that arise during installation of  'offers' you have been invited to download.  Almost always involved with information mining and tracking.

Web Bug :  a booby-trap  in the body of an email message, web page (HTML document) or image which when clicked provides information that you are a live, active address, and as such ripe for spamming. The trap can be in a link, graphic or ad. A favourite spot is in a 'Remove Me' or 'Unsubscribe' link, where clicking will have the opposite effect.

What you can do : Hold the click unless you know what it does - and as you won't, don't.

Spam : gratuitous 'offers' from often dubious sources, such as porn sites, on-line gambling, loan sharks, and shady pharmaceutical companies. It is the cyber equivalent of junk mail and cold-calling. It's a nuisance and time-wasting, it can be embarrassing, and it is intrusive. Nobody wants it. 

What you can do : see Table 3* 

 

Cracker : a person who tries to take over your system or perform some action with it or on it, using remote access. They will first ‘listen’ for you whilst you’re surfing, using a port scanner or snooper (sniffer) to find open ports. Successful cracking can make a slave of your machine without your knowing anything about it. Not to be confused with a hacker, who  these days, I'm reliably informed, no longer does this sort of thing. Users whose systems have been compromised are unlikely to make the distinction though.

Smacker : a company or individual that adds nuisance items or parasites (eg. Trackers) to other people's systems that, had they been given the choice, they'd have been more than likely to have declined. If you are asked to give permission, the question is often buried deeply in the EULA small-print and disclaimers; or download of the item is refused if permission to subvert your resources is withheld. Their products ostensibly serve a useful purpose and are often free : in the sense of 'no initial financial outlay', rather than 'with no strings attached'. Their behaviour is reminiscent of the Browser Hijacker, though the execution of it may not be through the same channels. Their applications may also be considered 'problematic'. Decent freeware does not advertise third-party products.

 What you can do :

Tracker : spyware that records your habits (eg. websites you visit) and passes this information  back to the originating server via your DUC. Often piggy-backed with something more-or-less useful and installed as a back-door program or Trojan. Tracking Cookies perform a similar function. 

 

Active Content : the code and script on a web page that enables plug-ins, such as Shockwave Flash and Adobe Acrobat, to operate, to enhance the appearance or functionality of the site. The technology used to add these to the page can be subverted to infect your system. This includes ActiveX Controls, Active Scripting (such as JScript and JavaScript) and Java Applets. See also Browser Hijacking. The settings of the Internet Zone in IE have to be carefully adjusted as a compromise between security and web-page effects.

What you can do : 

 

HTML Embedded Images :  if you set your email client to receive and preview HTML documents, then spammers can hit you by such tricks as  embedding a booby-trapped link or graphic, (web bug) which, when you click it, runs their code and  harvests your email details. Once you are known to have a live working address, the spamming will never let up. Replying to spammers telling them to 'unsubscribe' you has a similar effect. They might stop, but they're sure to pass on such valuable data to someone else. 

What you can do : 

Fraud or Phishing : Out and out fraudulent emails that purport to be from reputable Internet companies. The clue is in the often poor spelling or grammar, asking you to visit the spurious site to 'confirm' your details by re-entering credit card or other financial details. The example is a  copy of one I received in August 2003 - and several times since with corrections. Only the formatting has been changed to take up less room.

 

Dear eBay Uder, During our regular udpate and verification of the accounts, we couldn't verify your current information. Either your information has changed or it is incomplete. As a result, your access to bid or buy on Ebay has been restricted. To start using your eBay account fully, please update and verify your information by clicking below https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation

Rgds eBay **Please Do Not Reply To This E-Mail As You Will Not Receive A Responce**

What you can do : 

 

They're not out to get you : they did that in the delivery room
 Defence 

What You Can Do  About Them

     You are not alone and without succour in a hostile land   

a1. Virus Scanner : get a good one with a comprehensive Virus Definition Library (also called Virus Signature Files), kept up to date at frequent intervals.  Weekly is not good enough these days.  Daily is a better option. Your VS should have built-in email scanning and script blocking facilities. Won't  usually trap worms.

    Configuration : The following settings should be enabled by default when you install a virus scanner, and shouldn't be disabled other than temporarily if an installing application instructs you to. Don't forget to re-enable the function afterwards.
Real-time or On-Access Scanning : enable. Disabling this option will leave your system in a vulnerable state. An icon should appear in the Systray, which, when clicked, should give you the details of your settings. There should also be a right-click menu entry for manual scanning of files.
Scheduled Scan : enable.
Email Scanning : configure to scan by default - though make sure this does not conflict with the email scanner in your firewall.

    Virus Removal : the most important function of a Virus Scanner is to spot a virus or virus-like code and stop it from installing and executing. Although a scanner will disinfect your system by identifying, as far as it is able, the program causing the problem, it cannot delete (or quarantine) an affected file that is in use. If a virus (or the Trojan it may have dropped) has crept by your defences and is already installed, then Scan, followed by Clean, will no longer be enough. Further, your cleaning agent may well have got rid of a dormant file, but it might not have removed the instruction to run it, and this can cause unwanted error messages. The removal tool you use to disinfect your system will first remove any components running in memory. These have to be dealt with first, otherwise the virus detects they aren't there and puts them back. If your scanner identifies and names a virus already installed, note the exact details and check either your scanner vendor's website or click the Virus Information Centre button at a1 below. There you will find a complete list of all known viruses and their variations, and it is always bang up to date. For an encyclopaedic list grouping 30,000+ infective agents into 17 classes, see a3. If yours isn't there, it's either a new virus or an unknown alias. The commonest viruses, and those active on a particular day, are listed here : Top Ten* and 50 Latest*. There is also a comprehensive list of hoax messages about bogus new threats, considered to be the industry standard : a2. Needless to say, identify these messages and do not pass them on.

         The full instructions for ridding yourself of the virus you caught will be found at the SIC at a1 and should be followed exactly. Viruses often add their modified copies of Windows files which have the same name, though they will be located in different places. Never try to remove the genuine file : if you follow the deletion instructions mentioned you will not be caught in that trap. Viruses nearly always make changes to the Windows Registry, which has to be edited to reverse them. If doing this manually worries you, get into the habit of backing up the Registry frequently, and where this service is not part of the OS - XP for example - use Erunt*. Once all instructions (including reboots) have been carried out, run the scanner again to ensure all traces of the virus have been expunged.

 

a2. Worm Avoidance : worms sneak in through holes. Once in, they don't need your help. The strategy to employ therefore is to stop them getting in in the first place. 

What you can do :

  • Patch Download Site

  • Windows Update

  • Worm Encyclopedia a4

  • Avoiding Worms c

 

b. Floppy disks : scan  them before you try to read them. To remove a Boot Sector Virus, you have to be able to repair the master boot records of your discs. This you do by booting from a clean, non-infected boot disc. Therefore you need to make a Back Up Set, which you would normally have done at installation time. 

 

c. Email and attachments : you are unlikely to catch a virus simply by pre-viewing or reading an email, though it is possible. Other types of attack (eg. spam) can be made by this method, and the JS.Offensive worm infects you in just this way. Far more commonly, viruses are spread through email attachments. Do not automatically open them, especially those that you are not expecting, even from someone you trust. They may be infected without their knowing it. Better still, you could avoid routinely sending or receiving email attachments, though you may feel they have their place from time to time. With protection from an up-to-date virus scanner, a firewall and common sense they should not cause damage if dealt with properly. In any case, get into the habit of Saving email attachments to your HD and running your virus scanner over them before attempting to open them - even those from people you know and trust. c

d. Email client : software that can receive, send, read and reply to email.   Get one  other than Outlook (Express) that can read the mail headers on your mail server without downloading anything. You can then delete any you find suspicious before they’ve had a chance to attack you. You can then run a vulnerable email client, such as Outlook Express quite  safely. See d1 and d2

e. Security Check : Use the  System Tests * button from here or from  the Home Page to run a series of checks that will give you an idea of how safe your system is. 

f. Plain Text : if you can live with it, send and receive only plain-text emails. Being able to use HTML and fancy stationery has its attractions - but beware. The embedding  of images or links which you click to view can be exploited by spammers. The message itself can conceal script which will run when the message is previewed or when a part of it is clicked. (Web bug)
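The traps described under Web Bug, HTML Embedded Images and Fraud or Phishing above, and the reason for preferring plain text here, can be checked for mechanically. This is an added Python example, not code from the page: it scans a constructed HTML message for beacon images and for links whose visible text is a URL on a different host from the one the href really goes to (the tracker host and the 203.0.113.7 address are placeholders).

```python
"""Check an HTML email body for web bugs and look-alike links (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

UNSUBSCRIBE_WORDS = ("unsubscribe", "remove me")   # the favourite web-bug spot

# Constructed sample: the visible link text copies the page's phishing example,
# but the real href points at a placeholder address (203.0.113.7 is a test range).
SAMPLE_HTML = """<html><body>
<p>Dear eBay Uder, please update and verify your information by clicking below</p>
<a href="http://203.0.113.7/cgi-bin/verify.cgi">https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?VerifyInformation</a>
<img src="http://tracker.example.net/open.gif?id=recipient-4471" width="1" height="1">
<img src="cid:logo@local" width="120" height="40">
<p><a href="http://tracker.example.net/remove?id=recipient-4471">Remove Me</a></p>
</body></html>"""


class _MailBodyParser(HTMLParser):
    """Collect <img> sources and <a> href / visible-text pairs."""

    def __init__(self):
        super().__init__()
        self.images = []        # (src, width, height)
        self.links = []         # (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append((a.get("src") or "", a.get("width"), a.get("height")))
        elif tag == "a":
            self._href = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_web_bugs(html):
    """Remote images that act as beacons: 1x1 pixels, or a src carrying a query
    string (typically a per-recipient token).  cid:/inline images fetch nothing."""
    p = _MailBodyParser()
    p.feed(html)
    bugs = []
    for src, w, h in p.images:
        if not _host(src):
            continue
        tiny = w in ("0", "1") and h in ("0", "1")
        if tiny or urlparse(src).query:
            bugs.append(src)
    return bugs


def find_suspect_links(html):
    """Flag (kind, href, text) where the visible text is a URL on another host
    than the href really goes to, or the link is an 'unsubscribe' style trap."""
    p = _MailBodyParser()
    p.feed(html)
    findings = []
    for href, text in p.links:
        shown = text.lower()
        if shown.startswith(("http://", "https://", "www.")):
            shown_url = shown if "://" in shown else "http://" + shown
            if _host(shown_url) != _host(href):
                findings.append(("host-mismatch", href, text))
        if any(word in shown for word in UNSUBSCRIBE_WORDS):
            findings.append(("unsubscribe-link", href, text))
    return findings


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML):
        print("web bug         ", bug)
    for kind, href, text in find_suspect_links(SAMPLE_HTML):
        print("%-16s %s  (shown as '%s')" % (kind, href, text))
```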

g. Parasites : use software to check downloaded files to see if they are known spyware.

 

What you can do :

Procedure

  • Install protection : Table 2

  • Set your browser for security : Table 7

  • Check out problem software (Carpware) : Table 6

  • Discover what they can do to your browser : see Browser Hijacking above

 

h. Cookies : In your browser, and  Firewall Privacy section set Cookies control to the highest setting you can live with.  e.g. In IE6, the High setting blocks 3rd party Cookies that use personally identifiable information without your explicit consent.  This means you will  be prompted when such a Cookie tries to get to your system. See Table 7*

i. Adware cleaner : used to identify and remove known nuisances, but be aware that if you do ditch them, the parent application may stop working. Get one that doesn't harbour parasites.

j. Macros : in MS Office applications :  disable them if you don’t need them. Do not open .doc  or .xls files sent as  email attachments. 

k. Firewall : a good one has 5 main functions, but it will not identify and remove viruses (it may recognise them, though : see below), and it should protect email.

Firewall Functions

Port Closure

   To block access attempts by closing or stealthing (making invisible) your ports (numbered access points) to snoopers and sniffers (programs that scan for open ports). A NAT router also does this for a network.

   To see what level of protection you have, run Shields Up etc. k

Access Restriction

   To give you control of which applications (or components of them) can access the internet by ringing out through your DUC, and at what level that access is allowed. A Trojan would not be in the access list, and its attempts would therefore be alerted.

Email Scanning

   To scan incoming email for script (worms) that could harm you if the mail is previewed. Any email attachment with a specified extension (eg. .exe, .bat) may be quarantined, disallowed or deleted. When quarantined, the attachment is put into a vault (folder) where it can be scanned for virus infection with the appropriate software.

Zone Control

   To allow you to set the security levels for your browser Zones (eg. Trusted, Internet and Blocked in Internet Explorer).

Privacy Protection

   To let you determine how your system will handle Cookies, Ads, Script and Embedded Objects.

Violation of any of these should result in an alert, the trigger-level of which should be settable.
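The Email Scanning function just described, together with the advice under c. (scan attachments before opening) and j. (don't open .doc or .xls attachments), amounts to a small policy that can be applied to a raw message. This is an added Python example, not from the page or any firewall product: the block and quarantine extension sets are my own assumption, and the sample message is constructed with dummy attachment bodies.

```python
"""Apply an attachment policy (allow / quarantine / block) to a raw email (added example)."""
import email
import os
import re
from email import policy

# Assumed policy, not any particular firewall's: extensions Windows runs directly are
# blocked outright; Office and archive files are held in the vault to be scanned first.
BLOCK = {".exe", ".bat", ".com", ".pif", ".scr", ".vbs", ".js", ".wsf", ".hta"}
QUARANTINE = {".doc", ".xls", ".zip"}

# Constructed sample message: a harmless picture, a double-extension executable
# and a Word document.  The base64 bodies are dummies ("ABCD").
SAMPLE_RAW = """\
From: someone@example.org
To: you@example.net
Subject: Re: your message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

See attached.
--XYZ
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

QUJDRA==
--XYZ
Content-Type: application/octet-stream; name="invoice.txt.EXE"
Content-Disposition: attachment; filename="invoice.txt.EXE"
Content-Transfer-Encoding: base64

QUJDRA==
--XYZ
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

QUJDRA==
--XYZ--
"""


def classify_attachment(filename):
    """Return 'block', 'quarantine' or 'allow'.  Only the last extension counts,
    since that is what Windows would execute for a name like invoice.txt.EXE."""
    ext = os.path.splitext((filename or "").strip().lower())[1]
    if ext in BLOCK:
        return "block"
    if ext in QUARANTINE:
        return "quarantine"
    return "allow"


def safe_vault_name(filename):
    """Name under which a quarantined file is stored in the vault: directory parts
    (either slash style) are dropped, and a suffix stops it being run by a double-click."""
    base = re.split(r"[\\/]", filename)[-1] or "attachment"
    return base + ".quarantined"


def scan_message(raw):
    """Return [(filename, decision)] for each attachment in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            results.append((filename, classify_attachment(filename)))
    return results


if __name__ == "__main__":
    for name, decision in scan_message(SAMPLE_RAW):
        note = "  -> vault as " + safe_vault_name(name) if decision == "quarantine" else ""
        print("%-20s %s%s" % (name, decision, note))
```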

l. Registry Protection : there is software that will inform you before any change is made to your Registry. Viruses often bury themselves deep within the Registry, but to do so they must change it. However, it may be difficult to distinguish a potentially harmful alteration from a legitimate one.

m. Encrypt : sensitive data and email. Don’t leave it open to inspection, unless you're in the habit of sending intimate details by postcard.

n. Wipe (shred) : files with private data. Don’t just Delete.  n

o. Patch Verify : NT-based systems only (eg. Windows 2000, XP Home and XP Pro). The scan at o1 ensures you have all the latest updates Microsoft have made available. The program at o2 patches a hole known as the Data Source Object Exploit that Microsoft have not yet addressed, it seems.

p. Patches : keep your OS security up to date by downloading the patches as they become available.  p  

q. Windows Scripting Host : you could disable this. The method used depends on what Windows version is running. See q. If you find you need to run script, leave WSH enabled and get a program that stops Outlook, Outlook Express, WinZip and Internet Explorer from running script types that are commonly used to attack a system. See Table 1 #1.13, 1.14*

r. Spam : precautions you can take to diminish junk email and its effects.  This is a large subject, and a good discussion of how to protect yourself is found at  r1  below, and the  r2  site  explains how your email address can be harvested.  See also  r3 : Protection Against Spam.  

s. Active Content : exploitation of this can leave you vulnerable to attack. Short of removing Windows Scripting Host or not including MS Java Virtual Machine, there is no 100% remedy. However, with Internet Explorer you can make your system water-tight for all intents and purposes.   Read this .pdf file   or this .doc

t. Browser Hijacking : once Internet Explorer has been 'taken over' it is often not clear how to remove the additional commercial gunk, or to stop being re-directed to unwanted sites. It is possible to edit the Registry manually or via a third-party tweaker such as  t1. You can also discover what BHOs are running to produce this stuff, and to deactivate them using  t2.  An in-depth overall discussion of this subject is found at t3 and the links from there. For more about Browser Hijacking, see t4 , and for removal instructions, see t5.
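The Browser Hijacking entries in the Attack section (a planted .hta run at start-up; BHOs located through the Registry when IE starts) and this entry all come down to reading the Registry. As an added Python example, not the page's own and not the t1/t2 tools it links to, the block below parses a regedit export (.reg) and lists each registered BHO with the DLL IE would load, plus Run-key entries that launch a script engine or script file; the GUID, names and paths in the sample export are constructed placeholders.

```python
"""List Browser Helper Objects and script autoruns from a .reg export (added example)."""
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Commands that hand a script to an engine: a planted .hta run at start-up looks like this.
SCRIPT_RE = re.compile(r"\.(hta|vbs|js|wsf)\b|\b(wscript|cscript|mshta)\b", re.I)
# A .reg value line: @=... (default value) or "name"=...
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export (regedit "Export" format).  GUID, names and paths are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}]
@="Example Search Bar"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\ExampleBar\\examplebar.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Enhancer"="mshta.exe \"C:\\WINDOWS\\System32\\enh.hta\""
"""


def _unquote(token):
    """Undo .reg string quoting (a backslash escapes the next character); dword:/hex: data stays as text."""
    if token.startswith('"') and token.endswith('"'):
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token


def parse_reg(text):
    """Return {key path: {value name: value}}; '@' is the key's default value."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line) if key is not None else None
        if m:
            reg[key][_unquote(m.group(1))] = _unquote(m.group(2))
    return reg


def _values(reg, path):
    """Case-insensitive key lookup (Registry paths are not case sensitive)."""
    wanted = path.lower()
    for key, values in reg.items():
        if key.lower() == wanted:
            return values
    return {}


def list_bhos(reg):
    """Each registered BHO as (CLSID, COM name, DLL that IE loads when it starts)."""
    found = []
    for key in reg:
        parent, _, clsid = key.rpartition("\\")
        if parent.lower() == BHO_KEY.lower() and clsid.startswith("{"):
            name = _values(reg, r"HKEY_CLASSES_ROOT\CLSID\%s" % clsid).get("@", "")
            dll = _values(reg, r"HKEY_CLASSES_ROOT\CLSID\%s\InprocServer32" % clsid).get("@", "")
            found.append((clsid, name, dll))
    return found


def find_script_autoruns(reg):
    """Run-key entries whose command launches a script engine or a script file."""
    hits = []
    for run_key in RUN_KEYS:
        for name, command in _values(reg, run_key).items():
            if SCRIPT_RE.search(command):
                hits.append((name, command))
    return hits


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for clsid, name, dll in list_bhos(reg):
        print("BHO    ", clsid, name, "->", dll)
    for name, command in find_script_autoruns(reg):
        print("autorun", name, "->", command)
```

On a live machine the same functions work on the output of regedit's File > Export for those keys; a BHO whose DLL you do not recognise is a candidate for the t2 tool above.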

u. Reliable mail-hosting : this is the sort of email you should be getting : 

Dear Customer
An e-mail addressed to you was intercepted by our mail systems because it contained a known virus. We have deleted the e-mail and the virus so that it poses no threat to your computer. The name of the virus was HTML/IFrame_Exploit*. The address it appears to have been sent from is
hupatmac@btinternet.com. 
What do you need to do?
The virus has been identified and deleted, therefore you don't need to do anything. If you know the person who the infected mail appears to have come from, you may wish to forward the details to them. However, this is entirely up to you.
Please note, that we do recommend that you always run up-to-date virus protection on your own computer. No system is 100% effective and although the protection we offer will remove a significant threat from viruses, it is vitally important that you protect your computer as well.
More information is available on our support website at
http://support.freenetname.co.uk, should you need it.

However, if you get a number of these messages, they themselves become a nuisance and may be considered spam...

 

                                                                                                             

Defence Links

Link buttons from the original page (the keys a1 to t5 cited in the text above point to these) : Virus Information Site, Hoax Information Site, Virus Encyclopaedia, Worm Encyclopaedia, Trojan Encyclopaedia, Searchable Pest Database, Stop .hta script, Table 5 : Avoiding Worms, UltraFumk, Popcorn, Mail Washer, Protection Against Spyware, Shields Up etc., Wiping (Shredding) Files, Patch Verify, DSO Exploit Patch, Download Patches, Disabling WSH, Spam Protection, Email Address Harvesting, Spam Protection, XQDC X-Setup Pro, Browser Help Objects, Browser Hijacking, Browser Hijacking, Browser Hijack Removal.

Keys : a1 a2 a3 a4 a5 a6 b c d1 d2 g k n o1 o2 p q r1 r2 r3 t1 t2 t3 t4 t5