When installing and using MS Windows XP, there are some security practices you should keep in mind.

There are general security tips that apply to all operating systems, of course, but each operating system platform provides its own security challenges. The following tips are tailored to Microsoft Windows XP.

Installing MS Windows XP is only the first step to using it. If you stop there, you’re likely to run afoul of the various security threats roaming the wilds of the Internet. Make sure you take care to configure your system to best protect you against the dangers that lurk around every corner.

Michael Kassner recently asked TechRepublic members to submit questions about botnets, promising to forward them to the experts at Arbor Networks. Dr. Jose Nazario volunteered to provide the following informative answers.

---

Note: This information is also available as a PDF download.

#1: Could you define what a bot or zombie is and how they become part of a botnet?

A botnet is a collection of machines that have been compromised by software installed by the attacker so that they now respond to commands sent by the attacker. This malcode can be installed by exploits on the base OS (e.g., as in the Sasser worm), through browser exploits, or through Trojan horse activities such as fake games or pornography codecs.

#2: What are botnets used for — are they profitable?

Botnets are used by the attackers for a wide variety of tactics: spamming, hosting phishing sites, harvesting information from the infected PCs for use or resale (such as credit card or banking information), denial of service for pay or extortion, adware installations, etc. The botnet is a platform for the criminal underground, providing unfettered access to the compromised PC and its resources — disk, bandwidth, IP reputation, personal information, etc. — for the attacker. It’s a way to load arbitrary software onto the machine, as well as to pull arbitrary information off of the machine.

We see botnets used all over the world: the United States, Europe, Russia and the Ukraine, China, Korea, Japan, South America — all over. The main motivations in the past few years have become monetary, as opposed to curiosity or joy riding.

#3: If I understand correctly, there are different command and control philosophies used by botnets. Could you explain how they work and their effectiveness?

The two main types of command and control structures used by botnets are a centralized mechanism and a decentralized, peer-to-peer mechanism. There is also a third, hybrid approach. Command and control refers to the server(s) that the infected hosts, the bots, contact to receive new commands from the attacker.

IRC botnets are the classic centralized structure, with one or more single IRC servers acting as the main hub. This is still the most popular way to run a botnet, using IRC, HTTP, or other protocols with a single hub. The storm worm used a hybrid approach, where it would pass messages to other bots using P2P, but it would use a central set of servers for files and updates. Finally, the Nugache botnet is the biggest and most well known true P2P botnet.

Obviously, if you can take one server out and disrupt a botnet, that is the most desirable way to approach it. If we take out the hubs of the botnet, the bots are still infected but not acting on commands. P2P botnets are far harder to disrupt and shut down.

#4: Are all operating systems equally vulnerable to rootkits? Is there any advantage to using one operating system versus another?

Almost all commonly available operating systems — Linux, BSD, Mac OS X, Windows — are vulnerable to rootkits, either kernel-mode or user-land rootkits. These can be used to hide processes or files from the user. In the end, given that all systems have flaws and can be attacked, the only advantage one OS has over another is the research time devoted to it by an attacker.

#5: My computer’s CPU usage is more than 50%, and outgoing network activity is far from normal, so I suspect my computer may be part of a botnet. How can I confirm this?

AV scans can be of some help, through a number of means, assuming it’s up to date. First, if you can scan with multiple scanners, this can make a significant difference in the detection rates. This can be easily done with free online AV scanners, as every major AV vendor has them.

Second, scan with something like a rootkit detector to see if a rootkit has been installed; this is usually not a major source of traffic and CPU usage, but would indicate malware infections that may be hidden from AV or manual inspection.

Third, look at your external IP using a check my IP service and then query a tool to see if the IP address is blacklisted for spamming. This is another sign than your system is infected and is a spam bot. The tools at Robtex can be very helpful at this.

Finally, a tool like Trend Micro’s RUBotted can help spot some signs of botnet participation. All of these tools can be used freely. But always be wary of software that claims to be free until it charges you a sum to clean up your system; that’s usually a scam product.

#6: I’ve heard that rootkit scanners aren’t effective. Is that true? If scanners are effective only for certain types of rootkits, how do I know which ones to use? Which scanners would you recommend?

They’re somewhat effective, but they’re being defeated by newer rootkits. GMer is one of the better rootkit scanners. It is kept up to date with new techniques and appears to address almost all common rootkits.

#7: I thought my computer was protected by a firewall and antivirus program, yet the computer became infected with Rustock.B and ultimately a member of some botnet. I was told my only option was to completely rebuild the computer. I did, but what if anything can I do to prevent my computer from getting rooted again?

Keep up to date with AV software, keep updated on patches, don’t run as Administrator (or with equivalent permissions), and run a personal firewall. If possible, if you’re running Windows, run Vista, which does much of this for you. If not, use XP SP2. Make sure that your AV is enabled for e-mail and Web browsing.

#8: I’m a systems administrator for a typical company network. I assume that there’s more risk, just from the sheer number of computers. Is there any information I can pass on to the users (especially mobile workers) that will minimize the risk?

Mobile workers are probably the most susceptible, as they enter hostile networks (e.g., the broadband networks they may use at home). They should be told to not ignore software updates, keep their AV updated, and not to cancel such updates or to disable such software. The benefits of these simple hygienic approaches can’t be understated.

#9: Could you suggest any good sources of information related to rootkits and botnets (Web sites, forums, RSS feeds) that would allow me to stay current?

I maintain a website, InfosecDaily that covers some of the better blogs and news sites. It’s freely available. I also recommend a handful of major sites:

I use an RSS reader to fetch and maintain my news; RSS is vital to simplifying your daily news digestion in this business!

#10: From all that I’ve read, it appears as though there’s very little I can do to prevent my computer from becoming a member of some botnet. Is that really the case?

I don’t think so; I feel this is a winnable battle. The best things you can do are to keep your software updated; the base OS, your browser (most important), and any add-ons. Most bots and malcode get in by using well known vulnerabilities.

The next best thing to do is to keep your AV software updated; most people don’t update their AV software — hourly or even daily, in some cases — and have no real benefit from it as a result. Finally, a good anti-spam filter can do wonders to prevent threats via e-mail.

Final thoughts

I’d like to thank Dr. Nazario of Arbor Networks for answering these questions and Jessica Sutera, also of Arbor Networks, for helping to make the question and answer session possible. I found the links to be especially illuminating. Oh, almost forgot GMer, which already has a special spot in my rootkit scanner toolbox.

 

 

Malware-based rootkits fuel a multibillion dollar spyware industry by stealing individual or corporate financial information. If that weren’t bad enough, rootkit-based botnets generate untold amounts of spam. Here’s a look does female cialis work at what rootkits are and what to do about them.

---

Rootkits are complex and ever changing, which makes it difficult to understand exactly what you’re dealing with. Even so, I’d like to take a stab at explaining them, so that you’ll have a fighting chance if you’re confronted with one.

Note: This information is also available as a PDF download.

#1: What is a rootkit?

Breaking the term rootkit into the two component words, root and kit, is a useful way to define it. Root is a UNIX/Linux term that’s the equivalent of Administrator in Windows. The word kit denotes programs that allow someone to obtain root/admin-level access to the computer by executing the programs in the kit — all of which is done without end-user consent or knowledge.

#2: Why use a rootkit?

Rootkits have two primary functions: remote command/control (back door) and software eavesdropping. Rootkits allow someone, legitimate or otherwise, to administratively control a computer. This means executing files, accessing logs, monitoring user activity, and even changing the computer’s configuration. Therefore, in the strictest sense, even versions of VNC are rootkits. This surprises most people, as they consider rootkits to be solely malware, but in of themselves they aren’t malicious at all.

One famous (or infamous, depending on your viewpoint) example of rootkit use was Sony BMG’s attempt to prevent copyright violations. Sony BMG didn’t tell anyone that it placed DRM software on home computers when certain CDs were played. On a scary note, the rootkit hiding technique Sony used was so good not one antivirus or anti-spyware application detected it.

#3: How do rootkits propagate?

Rootkits can’t propagate by themselves, and that fact has precipitated a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat. Blended threats typically consist of three snippets of code: a dropper, loader, and rootkit.

The dropper is the code that gets the rootkit’s installation started. Activating the dropper program usually entails human intervention, such as clicking on a malicious e-mail link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.

Blended threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. Here are two examples of some current and successful exploits:

IM. One approach requires computers with IM installed (not that much of a stretch). If the appropriate blended threat gains a foothold on just one computer using IM, it takes over the IM client, sending out messages containing malicious links to everyone on the contact list. When the recipient clicks on the link (social engineering, as it’s from a friend), that computer becomes infected and has a rootkit on it as well.

Rich content. The newest approach is to insert the blended threat malware into rich-content files, such as PDF documents. Just opening a malicious PDF file will execute the dropper code, and it’s all over.

#4: User-mode rootkits

There are several types of rootkits, but we’ll start with the simplest one. User-mode rootkits run on a computer with administrative privileges. This allows user-mode rootkits to alter security and hide processes, files, system drivers, network ports, and even system services. User-mode rootkits remain installed on the infected computer by copying required files to the computer’s hard drive, automatically launching with every system boot.

Sadly, user-mode rootkits are the only type that antivirus or anti-spyware applications even have a chance of detecting. One example of a user-mode rootkit is Hacker Defender. It’s an old rootkit, but it has an illustrious history. If you read the link about Hacker Defender, you will learn about Mark Russinovich, his rootkit detection tool called Rootkit Revealer, and his cat-and-mouse struggle with the developer of Hacker Defender.

#5: Kernel-mode rootkit

Malware developers are a savvy bunch. Realizing that rootkits running in user-mode can be found by rootkit detection software running in kernel-mode, they developed kernel-mode rootkits, placing the rootkit on the same level as the operating system and rootkit detection software. Simply put, the OS can no longer be trusted. One kernel-mode rootkit that’s getting lots of attention is the Da IOS rootkit, developed by Sebastian Muniz and aimed at Cisco’s IOS operating system.

Instability is the one downfall of a kernel-mode rootkit. If you notice that your computer is blue-screening for other than the normal reasons, it just might be a kernel-mode rootkit.

#6: User-mode/kernel-mode hybrid rootkit

Rootkit developers, wanting the best of both worlds, developed a hybrid rootkit that combines user-mode characteristics (easy to use and stable) with kernel-mode characteristics (stealthy). The hybrid approach is very successful and the most popular rootkit at this time.

#7: Firmware rootkits

Firmware rootkits are the next step in sophistication. This type of rootkit can be any of the other types with an added twist; the rootkit can hide in firmware when the computer is shut down. Restart the computer, and the rootkit reinstalls itself. The altered firmware could be anything from microprocessor code to PCI expansion card firmware. Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business. John Heasman has a great paper called “Implementing and Detecting a PCI Rootkit” (PDF).

#8: Virtual rootkits

Virtual rootkits are a fairly new and innovative approach. The virtual rootkit acts like a software implementation of hardware sets in a manner similar to that used by VMware. This technology has elicited a great deal of apprehension, as virtual rootkits are almost invisible. The Blue Pill is one example of this type of rootkit. To the best of my knowledge, researchers haven’t found virtual rootkits in the wild. Ironically, this is because virtual rootkits are complex and other types are working so well.

#9: Generic symptoms of rootkit infestation

Rootkits are frustrating. By design, it’s difficult to know if they are installed on a computer. Even experts have a hard time but hint that installed rootkits should get the same consideration as other possible reasons for any decrease in operating efficiency. Sorry for being vague, but that’s the nature of the beast. Here’s a list of noteworthy symptoms:

If the rootkit is working correctly, most of these symptoms aren’t going to be noticeable. By definition, good rootkits are stealthy. The last symptom (network slowdown) should be the one that raises a flag. Rootkits can’t hide traffic increases, especially if the computer is acting as a spam relay or participating in a DDoS attack.

#10: Polymorphism

I debated whether to include polymorphism as a topic, since it’s not specific to rootkits. But it’s amazing technology that makes rootkits difficult to find. Polymorphism techniques allow malware such as rootkits to rewrite core assembly code, which makes using antivirus/anti-spyware signature-based defenses useless. Polymorphism even gives behavioral-based (heuristic) defenses a great deal of trouble. The only hope of finding rootkits that use polymorphism is technology that looks deep into the operating system and then compares the results to a known good baseline of the system.

#11: Detection and removal

You all know the drill, but it’s worth repeating. Be sure to keep antivirus/anti-spyware software (and in fact, every software component of the computer) up to date. That will go a long way toward keeping malware away. Keeping everything current is hard, but a tool such as Secunia’s Vulnerability Scanning program can help.

Detection and removal depends on the sophistication of the rootkit. If the rootkit is of the user-mode variety, any one of the following rootkit removal tools will most likely work:

• F-Secure Blacklight
• RootkitRevealer
• Windows Malicious Software Removal Tool
• ProcessGuard
• Rootkit Hunter (Linux and BSD)

The problem with these tools is that you can’t be sure they’ve removed the rootkit. Albeit more labor-intensive, using a bootable CD, such as BartPE, with an antivirus scanner will increase the chances of detecting a rootkit, simply because rootkits can’t obscure their tracks when they aren’t running. I’m afraid that the only way to know for sure is to have a clean computer, take a baseline, and then use an application like Encase to check for any additional code.

Final thoughts

Opinions vary when it comes to rootkit removal, as discussed in the NetworkWorld article “Experts divided over rootkit detection and removal.” Although the article is two years old, the information is still relevant. There’s some hope, though: Intel’s Trusted Platform Module (TPM) has been cited as a possible solution to malware infestation. The problem with TPM is that it’s somewhat controversial. Besides, it will take years before sufficient numbers of computers have processors with TPM.

If you’re looking for additional information, I recommend the book ROOTKITS: Subverting the Windows Kernel, by Gary Hoglund and James Butler, of HPGary.

Clickjacking has the potential to redirect unknowing users to malicious Web sites or even spy on them. We all need to be aware of clickjacking and how to avoid its trappings.

——————————————————————————————————————-

TechRepublic’s Paul Mah made first mention of clickjacking in this Security News Roundup. At that time, security researchers Robert Hansen, founder of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security, weren’t able to divulge a great deal about the vulnerability, as they were in talks with the major browser developers as well as Adobe. I’d like to personally commend them for making the choice to act responsibly and give developers time to fix the problems.

What is clickjacking?

Clickjacking takes advantage of the fact that a Web page isn’t just two-dimensional. Web pages have virtual depth, and that’s where clickjacking lives. Clickjacking uses a vulnerability that allows code to be embedded on a Web page, changing how the Web page responds to input. In the following quote by the researchers, one can see the extent and variations of clickjacking that are possible:

“First of all let me start by saying there are multiple variants of clickjacking. Some require cross domain access, some don’t. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to pre-load data in forms, some don’t. Clickjacking doesn’t cover any one of these use cases, but rather all of them. That’s why we had to come up with a new term for it — like the term or not. As CSRF didn’t fit the requirements for clickjacking, we had to come up with a new term to avoid confusion.”

For example, let’s say I’m on what appears to be my banking Web site. I then click on a button that brings me to my accounts. The only problem is that button didn’t bring me to my accounts; it brought me to a page that looks like my account or it carried out a completely different operation than what I expected. Robert Hansen gave an interesting example of what’s possible with clickjacking:

“Say you have a home wireless router that you had authenticated prior to going to a legitimate web site. The attacker places a tag under your mouse that frames in a single button that could order the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”

The second example is more insidious as attackers wouldn’t have to worry about mimicking or compromising legitimate Web sites.

Smile, you’re on candid camera

You may have been wondering why I mentioned Adobe earlier. Well, they’re in the middle of this vulnerability, too. Exploiting a vulnerable version of Flash Player software with clickjacking could allow the attacker to turn on computer-connected webcams and microphones, actually spying on the user.

This vulnerability is already out in the wild; Flash developer Guy Aharonovsky published a proof-of-concept (PoC) demonstration on his Guya.net Wweb site. The actual demonstration is currently disabled, but the video depicts how the attack occurs. There are several interesting comments and references to other articles about clickjacking on the Guya Web site as well.

TechRepublic editor Selena Frye’s recent article “Flash Player 10 Performing Better on Linux, Mac OS” mentions several reasons why the new release is significant. Flash Player 10 is also significant because of the code Adobe recently added to eliminate the clickjacking vulnerability. In fact, in the security bulletin “Flash Player Update Available to Address Security Vulnerabilities” released on October 15, 2008, Adobe pointed out the only recourse users have is to update to version 10 of Flash Player. If you want to know what version of Flash Player is installed on your computer and where to download the latest version, you can do so at the Adobe Flash Player Web site.

More Clickjacking details

When Mr. Grossman and Mr. Hansen initially presented the details of this vulnerability, Adobe asked them to not go public with the exploit until they (Adobe) had a fix. With the release of the PoC on the Guya Web site and almost simultaneous release of Flash Player 10, the researchers finally didn’t have any reason not to discuss the details of cialis sales online the vulnerability. You can read about all 12 issues at the ha.ckers.org Web site.

How to eliminate the vulnerability?

The one obvious fix is to update to Flash Player 10 if at all possible. As for Web browsers, it’s more difficult. If you’re using Firefox, I’d suggest upgrading to version 3 and installing all the latest patches. You may have heard me mention NoScript before. Giorgio Maone the developer of NoScript has been in contact with Mr. Grossman, and both are of the mind that NoScript will in almost all cases prevent clickjacking attacks. The only problem is that NoScript isn’t intuitive, and a majority of users will get frustrated with it almost immediately.

As for other browsers Giorgio Maone published “Clickjacking and Other Browsers (IE, Safari, Chrome, and Opera)” on his Hackademix.net Web site, where he explained what, if anything, can be done to prevent clickjacking attacks while using IE, Safari, Chrome, or Opera.

Final thoughts

It’s still early in the discussion stage, so the fallout from clickjacking is hard to predict. Most experts believe clickjacking is a big deal and can only be truly rectified by redesigning the browsers. What I find more alarming is the following quote by Mr. Hansen:

“When Jeremiah and I were looking at clickjacking, we found all kinds of random browser bugs, tons of bugs and a mess load of flaws. A lot of them were unrelated to clickjacking. But as other researchers start looking at clickjacking, they’ll find their own interesting bugs.”

That’s not a very comforting thought, but I’m glad they’re looking.

Network security doesn’t end with the installation of a firewall or any automated security package. There are times when you’ll need to block certain ranges of IP addresses (or known hosts) based on a service and/or block specific IP addresses from gaining access to your network cialis plus (or machine). Peer Guardian 2 makes this task simple in a Windows (currently 98/ME/2000/XP) environment. The application is open source, so you can download the source code, modify it, and even create your own branch of the software.

This little gem of a software package makes blocking IP addresses very simple. But in its simplicity, Peer Guardian 2 does not lose either functionality or robustness. I’ll explain how to create lists of IP addresses to block in Peer Guardian 2, but first let’s get the software installed and up and running.

This blog post is also available in PDF format in a TechRepublic download.

Getting and installing

As with most all Windows software, installation of Peer Guardian 2 is a snap. Simply download the OS-specific binary from the Phoenix Labs download site and double-click the installation file. The standard installation steps will take place and, once the application is installed, you will be asked to walk through some initial setup configurations.

The first part of the setup will ask what types of lists to install. There are six types of lists as well as an option for always allowing HTTP requests. The options are shown in Figure A.

Figure A

Don’t worry if you select something wrong, you can always edit your lists manually.

The next phase in the setup is to configure updates. The setup system wants to know whether it is to update lists and/or software and how often these updates are to occur. Figure B illustrates the configuration options for automatic updates.

Figure B

Unless you plan on manually updating Peer Guardian 2, make sure you select to have it updated automatically along with the lists.

Once you have completed the updates section, you are finished with the configuration. After the configuration is complete, you will be greeted with a small window (Figure C) that shows the progress of the updates.

Figure C

Even if you’ve configured updates to occur automatically, you can check for them manually from the main window.

Once the updates are finished, click the Close button and you are ready to run Peer Guardian 2.

Fire it up

Go to your Start menu and look for the new entry for Peer Guardian 2. Within that menu you will find the entry to start system. When Peer Guardian 2 starts up, you will see the main window, shown in Figure D.

Figure D

Take a look at the number of blocked IP addresses: 774,193,650!

Now what we want to do is open up the List Manager. This is where blocked IP addresses are listed. From within the List Manager (Figure E) you can enable lists, edit lists, create lists, open lists, and remove lists.

Figure E

The lists shown are the default lists created when Peer Guardian 2 is initially set up.

Creating a new list

Click the Create List button. This will open a new window (Figure F) where the initial information for the list will be set up.

Figure F

This window sets up the type of list, the description, and the file name.

At first it seems a file has to exist in order to create the list. This is not so. When you click the Browse button in Peer Guardian 2, a Save As window will appear. Locate the folder where the file is to be stored and give the file a name. That’s it. Once the new list is saved, the list editing tool will open (Figure G).

Figure G

Once your list gets large enough, you might have to use the Search function to locate a specific IP address.

Click the Add button and a new text area will appear. This first text area is really just for a description of the IP range. Here’s an example: On an inside network there is a specific database server that houses all of the company’s private Human Resource data. This data is off limits to a large range of employees (IP addresses 192.168.1.100 – 192.168.1.200). To block those IP addresses from gaining access to this particular machine, you could set up a range, as shown in Figure H.

Figure H

Once you enter the description, hit Enter to move to the starting IP address and then hit Enter again to move to the ending IP address.

If that is the only range that is necessary to block, click Save and the list will appear in the List Manager.

Temporarily allowing lists

Going back to the Employee example, let’s say it is necessary to allow that range of employees access to the server for a short window of time. To do this, open up the List Manager, highlight the list containing the Employees range, and click Open List. Now highlight the entry containing the range of IP addresses to be allowed and right-click the entry. A drop-down list will appear, giving you four possible choices (Figure I).

Figure I

Unfortunately these options cannot be modified without going into the code (but since this is open source, it is possible).

From the drop-down list, select the option that best suits the situation and click Save. Depending on the system, there might be a brief stall on the machine as Peer Guardian 2 makes the necessary changes to allow the range of IP addresses. At this point a List Cache might be created, which will take a moment (again depending on the speed of the system).

Logs, history, and other features

Another nice feature of Peer Guardian 2 is the log file viewer. The log file actually keeps a running log that is retained by date. And until the history is cleared, all logs are retained. This is a great help when security audits are done.

From the Settings tab you can configure a few settings for Logs, History, and Notification. As you can see in Figure J, configuration is very straightforward.

Figure J

By changing the Log Allowed Connections to Archive and Remove, the Archive To option becomes available.

Click the Next button and the Settings tab will change to offer another group of straightforward configuration options (Figure K).

Figure K

The proxy setting is for when a proxy is needed to download updates.

Another nice Peer Guardian 2 touch is that with a single button on the main screen you can disable it. And with the same ease, Peer Guardian 2 can also be re-enabled. In addition, HTTP can be allowed or blocked with the click of a button.

Final thoughts

Peer Guardian 2 is an outstanding tool to add to your security arsenal. Not only is it good for network-wide security, it’s great for single server (or even desktop) security. Peer Guardian 2 is simple to set up, but its power is not diminished by that simplicity.