Last week I promised I would get back to the List when I figured out
what was up with my spyware infestation. This is the followup report.
This has nothing to do with Philmont, and so if you are not interested,
please delete this message now, with my apologies. The intent is to
help my fellow List members avoid suffering what happened to me. I
intentionally sent this on a Holiday weekend when bandwidth use is low.
Please note that I am no propeller-head when it comes to computers.
This report is the best I could figure out, and may have some factual
errors. If you are an expert, and feel it's important, please feel free
to offer corrections of any mis-statements; I won't take it personally,
so long as you don't slam me for not being a software engineer.
----------
My sad tale of woe and dismay: As previously noted, my home PC was
recently "hacked" big-time, with a fairly sophisticated package of
viruses and "spyware". This has forced me to delve into various aspects
of computer security a lot deeper than I would have ever thought I
needed. It has been QUITE an education. Some pointers and
recommendations from my experiences:
Preliminary Notes: My PC is a standalone with a 56K dial-up modem,
using Windows NT 4.0, System Release 6a (that's the latest and greatest
of the NT 4.0 OS's). I have Symantec Systemworks 2002 Pro Edition,
which includes Norton Anti-Virus (hereafter AV). The AV program
automatically self-updates every two weeks. It was fully enabled to
check everything, and I also did a full system scan about once a week.
I delete all spam unopened and unread. I now have anti-spam protection
at my ISP level, but at the time of these problems, I did not, and
therefore received between 75 and 125 spam messages per day (again, all
deleted without being opened). I log off my ISP when I am not using it.
Preliminary indications of trouble: I had two warnings: First, my
telephone icon indicated my computer was occasionally communicating - a
lot - when I was on-line but otherwise not doing anything. Whenever I
noticed this, I would immediately log off, recognizing that this wasn't
righteous but also incorrectly assuming that I was stopping whatever
process was underway. Bad mistake. Second, my Norton AV would
occasionally warn me that it had detected a virus on my system - even
though I was scanning all emails and none had been detected that I
hadn't quarantined. I was mystified by this, but since an AV system
scan would then detect and quarantine the identified viruses, I didn't
pursue it further. Bad mistake number two. If there were any other
hints I missed them. Here is the chronology:
A) As previously noted, I was away on an extended Scout trip, and my
computer was therefore off-line for nearly a month. When I returned, I
again noted the above problems, but for some reason they seemed more
frequent and intense - or maybe I was more sensitized to how much
activity was occurring, since I had been off-line so long. So I kind of
committed to getting to the bottom of whatever was going on, including
cache cleanups, history cleanups, cookie removals, resetting security
factors to high, disk scanning, disk optimizing, WinDoctor and
DiskDoctor scans, etc. This was also about the time that the first
iteration of the blaster virus arrived, and as I previously reported one
of my co-workers had mistakenly managed to put that on my work computer.
That was perhaps a blessing in disguise, because I had a long chat
with the computer guru who came by to remove it (the blaster virus), and
he suggested that because I had an Internet connection I also needed to
check for "spyware", a term which I had barely heard of before. To make
a long story a little shorter, spyware are programs that record various
aspects of your computer use and forward those recordings to a remote
server. They can be as mundane as reporting out your surfing habits, to
as intrusive as recording every keystroke and reporting that out. The
computer guy suggested I use a free, downloadable program from Lavasoft,
called Ad-Aware (hereafter AA). I did so that night, and it discovered
and cleaned off a pile of stuff, mostly cookies. None of it looked
particularly malicious. However, my two problems (telephone icon and
virus warnings) continued unabated, and now new problems began cropping
up, including a set of icons on my desktop for a "mybot" program.
Deleting these icons did nothing - they reloaded within 10 seconds of
deletion. In addition, my computer began bringing up sub-windows
indicating it was trying to contact a number of different servers, none
of which were my ISP. One of these was something called irc.voidz.net;
the rest were all the standard numeric codes (e.g., 215.XXX.XXX.XXX
whatever). Finally, a post-AA Norton AV scan revealed two new viruses,
a Backdoor virus and a Hacktool virus, even though a pre-AA Norton AV
scan had not found them (that is, the AA removals had revealed them to
Norton). Note the sequence: A full Norton AV scan (nothing found),
followed *immediately* by the Ad-Aware scan and removals, followed
immediately by another full Norton AV scan (Backdoor and Hacktool
found). At this point, with all this evidence staring me in the face,
it (finally) dawned on me that I was in deep kimchi.
B) Into Google I did go, a-hunting mybot, irc, spyware, and more. I
also chatted via email with some computer experts, most of whom were
kind enough to offer some commentary (Thanks especially to David Clark
of the University of Montana at Bozeman, Mike Phelan of the DEA Computer
Forensics Laboratory, and Charlie Spring, SM-151 here in Arlington).
There was frustratingly little on mybot and irc, but lots and lots on
spyware, and these searches finally got me to a list of available
anti-spyware programs (henceforth AS), at www.download.com. I tried
free downloads of half a dozen of these (the scanning programs are free,
the removal programs are what costs money). All of these indicated I
had problems, but oddly they all reported varying degrees of different
problems. It was about this time that Lee Smith recommended on this
list that PestPatrol (hereafter PP) might be the answer. I downloaded
and used the scanning function that night - and it was indeed the
answer, the best of any AS program scanner I had used, by far, picking
up everything that the other programs had collectively found, and more.
Thanks Lee!!!
C) To make a long, sad tale a little shorter, I had a variety of
infections, including two more self-hiding viruses (that is, that hide
themselves from AV programs like Symantec/Norton or McAfee), and a
variety of spyware programs, including Password Capturing programs,
Keystroke Recording programs, and "Trojan Horse" programs (that enable
infiltration of code that allows a computer to be "hijacked" for mass
attacks on servers). (However, and oddly, PP revealed nothing about
mybot or IRC.) You will note that I specified programs, not program - I
had multiple infections of almost all of these things. I will spare you
the grim and gory details. As previously noted, I had foolishly thought
that logging off-line except for short time frames needed for actual
uploading and downloading would help prevent such infections, but not so
- apparently they can upload small bits of code when you're on-line,
then assemble the complete program when everything has been received.
At least so I have been informed. It is critical to note that
ANTI-VIRAL SOFTWARE DOES *NOT* PROTECT YOU AGAINST SPYWARE!
D) I will specify again, ANTI-VIRAL SOFTWARE DOES *NOT* PROTECT YOU
AGAINST SPYWARE! You MUST have AS software to combat spyware! AS
programs are COMPLETELY DIFFERENT than AV programs. Based on my
experimentation, it appears that the best programs are PestPatrol and
Ad-Aware (with PP being far better; nonetheless, I would highly
recommend getting both). PP in particular was much more effective (in
my case) for rooting out malicious code versus anything else - including
the viral programs that were hiding themselves from Symantec/Norton. As
I noted, the scanning part of PP is a free download, while it runs
$39.99 for a downloadable copy of the full program, which includes the
removal functions (unfortunately, each copy can only be used for one
computer). Ad-Aware seems more effective for "cookie" type spyware, but
doesn't catch the real nasty stuff. But it is a free download for the
complete program, so what the heck.
E) Note that both programs (PP and AA) are not idiot-proof; they will
give you a generated list of suspicious programs and subroutines, some
of which are NOT malicious and that your computer needs to run - so you
can't just delete everything they identify. Rather, you need to inspect
the lists item-by-item, and figure out what's malicious and what isn't.
For the most part, this isn't difficult to discern (the PP and AA
programs generically indicate what is what), but if you have any qualms
about doing so, go to a pro.
F) Even after doing all of the aforementioned removals, I still had the
"mybot" program. It took me quite a while to figure out that it was
somehow attached to my Internet Relay Chat program (ah ha, so THAT'S
what IRC stands for!) Apparently I had compromised it (mybot) somewhat
with AA, so it started generating messages asking to be hooked up to
irc.voidz.net. That was my hint, and doing a search on my PC for *irc*
(note the asterisks) I finally found I had an "mIRC" program that was
listed on my control panel but not in my program list, and doing a Ctrl
Alt Del when the irc.voidz.net message was generated indicated mIRC was
active. It took several efforts to delete this program (using the
Add/Remove Program function) - after which my telephone icon immediately
went quiet again. BTW, IRC programs are (I believe) the basis for
Instant Messenger programs. However, I never use IM services, so I am
not positive on this.
G) Once I got everything semi-figured out, I went ahead and re-did my AV
and AS program scans again, then re-checked or re-did my cache cleanups,
history cleanups, cookie removals, security factors, disk scanning, disk
optimizing, WinDoctor and DiskDoctor scans, etc. Once all this was
done, I installed a software based firewall (more on this below). That
brings this story up to current.
H) Recommendations and some Followup Comments:
* Make sure you keep your AV software up-to date. This is increasingly
important with new super-viruses coming out almost daily. For example,
sobig.g is due out around September 10th, and it promises to be the
worst yet. If your AV program is automatically checking for updates
once a month or every 2 weeks, etc., that ain't cutting it anymore. I
am now checking for updates FIRST THING every morning when I log on,
before I do anything else. It only takes a minute to check. Charlie
Spring (who works in the field) indicates even once a day isn't enough;
he recommends every six hours, to watch for late-breaking threats. He
also notes that even the best AV companies are 4 - 30 hours behind the
curve on having software updates to combat new threats. Therefore, he
also frequently checks a virus alert site
(http://vil.nai.com/vil/content/alert.htm), which very quickly reports
on newly developing threats.
* Go with a mainstream AV program; don't cheap out. The latest versions
have "heuristic" scanning properties, which enable the program to
generically recognize malicious file structures or behavior - whereas
the old versions relied on exact matches to known code. Heuristic
scanning helps protect you between software updates. As viruses have
become more sophisticated, so must your AV program. (PS: Don't ask me
to explain "heuristic" - I already have a headache as it is.)
* Watch that telephone icon. If it's talkin' when you're not, better
ask yourself "Who is my computer talking to here?" I have never owned a
fast-speed hook-up, so I'm not sure what recommendation to make on those
(if anyone else can, be my guest). I understand dial-up modem users are
now officially in the minority, so my status as a dinosaur remains
unchallenged.
* Even if you think you're secure, go ahead and download the free
spyware scanning software from PestPatrol and Ad-Aware, and do the
check. You may be surprised. I wasn't surprised - I was absolutely
floored.
* If you do get AS software installed on your computer, keep it up to
date same as your AV software, and for the same reasons - new
attack software can be generated anytime, and your computer may be wide
open to attack because you're still X days or Y weeks away from your next
automatic update.
* As mentioned above, I am now running both my AV and AS programs daily,
on my entire computer system (maximum coverage). I *may* ease off on
that *IF* in a few weeks both programs indicate no new infections. One
thing I got from the various experts I communicated with is that both
programs should also be run occasionally in "Safe" mode, like between
once a week and once a month. I didn't understand the nuances of why
this is recommended, but if you can boot up in safe mode, it's easy
enough to do.
* Scan any diskette you receive with both AV and AS programs. Failure
to do this simple thing with a Scout's diskette is almost certainly what
did me in. Never again.
* Consider going into your security settings and dumping all your
"cookies", then resetting your security level such that you are asked
(every time) whether a website can download a cookie. I had thousands
and thousands of cookies, from an unbelievable variety of websites. You
may also wish to dump your website histories and cache folders, and
start out "fresh".
* Consider getting a firewall program. Personally, I highly recommend
it as the third piece to the security triad (AV, AS, FW). Apparently,
Windows-based programs have many electronic "ports" that can be used by
malicious programs - a firewall program can (among other things) shut
these ports down. I tried a program called "Black Ice", but it was a
miserable failure, and has zero support from the manufacturer, so I
would personally advise everyone to stay away from it. Norton just came
out with something called "Internet Security 2003", but the box says you
have to have Windows 2000 Professional or Windows XP to use it (and I
don't). But it has a good rep already, among those who claim to know.
I have heard from several people to stay away from the McAfee firewall
product, but they did not specify why. At present, I am using a free
downloadable product called ZoneAlert (www.zonelabs.com), which two
people recommended, and it was easy to install and set up, and seems to
be working well. Note that ZoneAlert and other firewall programs should
be downloaded and activated only *after* you have done a complete system
cleanup. Of note, as soon as I activated Black Ice (since removed) or
ZoneAlert, both programs immediately started warning me of hundreds
(thousands?) of "pings" per hour - automated programs trolling the net
looking for open ports. Apparently, 99.9+ percent of these are
innocuous, but still pretty scary. I had no clue.
* In followup to the previous paragraph, Charlie indicates that hardware
firewalls are better than software firewalls. This is because hackers
know all software firewall products, and are constantly working to
defeat or exploit them. Apparently this is nearly impossible to do with
a hardware firewall. A good residential PC hardware firewall goes for
between $50 and $75. However, he is not sure if you can get one for a
dial-up modem system. I am continuing to look at this issue. If anyone
can enlighten us, be my guest.
* Consider paying your ISP for anti-spam protection. I have done this
and my spam level dropped from 75-125 per day down to about 5-10 per
day. And of the latter, in two weeks, I have yet to receive a spam
message containing a virus - whereas before, I was getting at least a
dozen a week. It goes without saying, I never open any spam messages,
and neither should you - I delete them all, unread, and so should you.
* Last but not least, Charlie strongly urges everyone to dump Instant
Messenger, IRC, and any/all music sharing or file sharing programs (like
Napster or Kazaa). [This will not make you popular with your kids.] By
design, these programs open security holes in your system, holes that
can be and are exploited to insert viruses and spyware. As best as I
can tell, the malware I received on my Scout's diskette allowed mybot to
be appended onto my IRC subprogram, and that in turn allowed everything
else in. Live and learn.
Concluding remarks: Though I feel a lot better about all this, it is
important to understand that even with all this work, I am not
guaranteed to be secure - and if you find you have similar problems,
you're in the same boat. Charlie indicates that his engineers always
nuke a system and start over again rather than trying to remove
"malware" and rehabilitate a system - "it's easier and faster". And I
may end up being forced to do exactly that; time will tell.
I hope all this helps everyone avoid what happened to me!
- Dr. Bob Klein, SM-111, Arlington, VA
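The post's two practical detection hints - "who is my computer talking to?" when the modem icon is busy, and spotting the mIRC process once the irc.voidz.net connection attempts appeared - can be turned into a quick triage script. The following is an added example and is not part of the original post: it parses the text of a Windows `netstat -ano` listing (the PID column exists on Windows XP and later; the NT 4.0 machine in the post would only show the first four columns) and flags outbound TCP connections to IRC ports or to public hosts that are not on an allowlist. The netstat capture, the 10.x addresses, the allowlist and the PIDs are constructed for the example; only the IRC port convention is real.

```python
"""
Outbound-connection triage over a saved `netstat -ano` listing.

Added example (not the list post's own procedure). Assumptions:
- the listing was saved with `netstat -ano > netstat.txt` on Windows XP+;
- standard IRC server ports are a useful signal (bots often use them, but
  are not obliged to);
- the allowlist holds the few hosts this machine is expected to reach.
"""
import re
import ipaddress

# Conventional IRC server ports (assumption: the bot uses standard ports).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# Hosts this PC is expected to talk to (assumed: the ISP's mail and web hosts).
ALLOWLIST = {"10.1.1.25", "10.1.1.80"}

# Address ranges that are local to the machine or the LAN, checked explicitly
# rather than via ipaddress.is_private (which also treats the documentation
# ranges used in the sample below as "private").
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Constructed `netstat -ano` capture; not real output from any machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    10.0.0.5:1042          10.1.1.25:110          ESTABLISHED     1304
  TCP    10.0.0.5:1055          10.1.1.80:80           ESTABLISHED     1304
  TCP    10.0.0.5:1061          203.0.113.17:6667      ESTABLISHED     1720
  TCP    10.0.0.5:1063          198.51.100.9:445       SYN_SENT        1720
  UDP    0.0.0.0:137            *:*                                    4
"""

# One netstat row: proto, local, remote, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

def split_endpoint(ep):
    """'203.0.113.17:6667' -> ('203.0.113.17', 6667); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Parse the netstat text into a list of dicts, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m["local"])
        rhost, rport = split_endpoint(m["remote"])
        rows.append({"proto": m["proto"], "local": lhost, "lport": lport,
                     "remote": rhost, "rport": rport,
                     "state": m["state"] or "", "pid": int(m["pid"])})
    return rows

def is_local(host):
    """True for '*', unparsable hosts, and addresses inside LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(ip in net for net in LOCAL_NETS)

def suspicious_connections(rows, allowlist=ALLOWLIST):
    """Return (row, reasons) for outbound TCP connections worth a closer look."""
    findings = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] == "LISTENING":
            continue
        if r["remote"] in allowlist:
            continue
        reasons = []
        if r["rport"] in IRC_PORTS:
            reasons.append("remote port %d is an IRC port" % r["rport"])
        if not is_local(r["remote"]):
            reasons.append("peer %s is outside the LAN and not allowlisted" % r["remote"])
        if r["state"] == "SYN_SENT":
            reasons.append("connection attempt in progress (scanning?)")
        if reasons:
            findings.append((r, reasons))
    return findings

def pids_to_investigate(findings):
    """Distinct owning PIDs: the processes to look up in Task Manager."""
    return sorted({r["pid"] for r, _ in findings})

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    findings = suspicious_connections(rows)
    for r, reasons in findings:
        print("PID %d %s:%d -> %s:%s [%s]: %s" % (
            r["pid"], r["local"], r["lport"], r["remote"], r["rport"],
            r["state"], "; ".join(reasons)))
    print("PIDs to check in Task Manager:", pids_to_investigate(findings))
```

On the sample, the two lines owned by PID 1720 are flagged (an established session to an IRC port on an outside host, and a half-open connection to port 445 on another outside host, the pattern of a bot that has joined its channel and is scanning), while the mail and web connections on the allowlist pass. The PID is the bridge to the Ctrl-Alt-Del step in the post: it is what identifies the mIRC process in Task Manager.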
-------------------------------------------------------
Scouting E-mail Discussion Lists @ usscouts.org
Subscribe/Unsubscribe at http://usscouts.org/lists/
Listserv Commands at http://usscouts.org/lists/lc.asp
-------------------------------------------------------
Send listserv commands to: listserv@troop47.com
Send postings to: philmont@troop47.com
List FAQ found at: http://usscouts.org/lists/faq.asp
List Administrator: philmont_owner@troop47.com
-------------------------------------------------------
As you gather around this virtual campfire with fellow
Scouts and Scouters, do your best to be trustworthy,
loyal, helpful, friendly, courteous, kind, obedient,
cheerful, thrifty, brave, clean and reverent.
-------------------------------------------------------
Received on Sat Aug 30 06:49:50 2003