Like a lot of people who have worked in the business, I find myself in conversations about computer security with people who are having problems or know people who have problems. I wrote this to save me from explaining the same thing over and over again to different people, and to save them the trouble of having to make notes as we talked. It was meant to be something you could give to a ‘naive user’ and have them be able to read and follow it more or less unaided, and while not being a complete guide, at least be something that made them more secure than before they got it.
What is the danger?
That a machine will have ‘malware’ loaded onto it. This will then allow criminals to use it to send spam (often promoting pornography), hack other computers, make it dial up premium rate numbers, or steal information from it, including bank account numbers and passwords. In bad cases bank accounts can be stolen, in extreme cases identity theft is possible. The risks are mainly financial, but if a machine is captured by pornographers, they may also be legal. In the UK, for example, the existence of some kinds of material on a computer is going to be a strict liability offence. The onus is going to be on the holder to prove he/she was not the agent/owner, and it may not be easy.
How bad is it?
Bad and worsening. Here is one example. USA Today, in November 2004, set up 6 machines on the net and observed the results. In two weeks they attracted 306,000 attacks, and an XP SP1 machine was broken into in four minutes. The Denver Post did the same thing in February 2005, and attracted 45,000 attacks in a week. This is the risk from simply being connected. To it, you have to add user actions – unwittingly visiting fraudulent and malicious sites, receiving malicious emails or attachments. There have been 100,000+ Windows viruses, 2,500 Windows spyware releases, and some studies show 80% of home PCs may be infected with spyware broadly defined. The latest thing is Windows rootkits – essentially undetectable infections.
Who is at risk, and from whom?
Anyone connecting to the net with Windows 95, 98, ME, or XP with Service Pack 1 or lower. Broadband makes the risk much greater. Fully up to date versions of XP SP2 are much less at risk. People running Unix based systems (including MacOS and Linux flavours) are much less at risk. People running firewalls are also much less at risk.
Basically, connect Windows XP SP1, 98 or 95 to the net without a firewall, and the evidence is, you’ll likely be hacked within an hour.
You are almost certain to get infected if you (or your children) use music sharing software, or if you agree to download and install software as a condition for free access to some kinds of services. Downloading ring tones for mobiles is a common source of infection. Downloading bootleg software (so called warez) is another.
You can find out how secure your machine is to some kinds of attacks by going to Steve Gibson’s Shields Up site: https://www.grc.com (go to the Shields Up section) to test the vulnerability of your firewall and system. Recommended. This tells you about liability to incoming attacks. Leak Test, from the same site, will tell you whether your firewall protects from outbound leakage.
The perpetrators are mostly criminals in it for profit. The days of the amateur teenage hacker in a suburban bedroom are over.
If I follow these recommendations am I safe?
No. You are safer. You are still running an Operating System with a proven record of security faults in a network environment. And this guide is not a complete account of the subject.
Are there alternatives to these recommendations?
Yes. Plan B is: go to a Unix based Operating System, like Linux or MacOS or one of the BSDs. Here are some thoughts on this one.
It helps because there’s been far less malware. Probably under 50 real viruses for both MacOS and Linux, and even fewer for commercial Unix. Spyware is so far unknown (according to Webroot).
Linux or BSD will run on your existing machine side by side with Windows. It is also free, so this is the cheapest of the Plan Bs. However, don’t try moving to Linux or a BSD without help. Your helper should agree to be available for support for six months after the installation. MacOS, which is similarly or perhaps more secure and also Unix based, can probably be managed unaided. But you need a whole new computer for it, and new versions of your applications, so it gets expensive. The Mac Mini is worth considering if you are tempted.
The best bet in Linux/Unix for the end user is probably PCLinux, available free for download over the net as a single CD iso. Mepis is also very good. Either will come, free, with all the applications you are likely to need, including Office packages. Maybe fewer games than you would like. In BSDs, PCBSD and DesktopBSD are end-user oriented distributions. They are so far a lot less popular than the Linuxes.
How to safeguard Windows? Four rules go a long way.
Rule 1. Use a limited user account for normal work, and for connection to the net. Never connect from an account with administration privileges.
How to do this. Use the Users and Passwords control panel (called User Accounts on XP) to create a new Administrator account. Reset your current account to limited user. Then only use the Administrator account to manage the system, install software etc, and then sign out. Never connect to the net when signed on as Administrator, except to do Windows Update. Enable privacy between user accounts, and have separate user accounts for everyone who uses the computer. Make a separate dedicated limited user account for shopping and banking.
Why this helps. Any attack made on you while on the net will run with the same privileges as the account you signed on with. (There have been exceptions, where a bug lets an attacker gain higher privileges, but this is mostly true for up to date systems.) Administrator accounts can do anything at all to the system. Limited user accounts can do relatively little. Signing on as a limited user restricts the attacker’s options. Microsoft’s default is for you to sign on as administrator. It is as if, in a hotel, every guest key opened all guest rooms and the main safe, kitchen and boiler room as well. Change it.
Note 1: Windows 9x has only one account, so this won’t work with 95, 98 or ME. Either upgrade to XP, which is not simple, or consider buying Anti-Executable from www.faronics.com and learn to use it to lock down your machine. Note that I have not used this package; the recommendation comes from the product specification, user guide, and testimonials. Also use ZoneAlarm (below) to disconnect from Broadband when not actively using it.
Note 2: Some older software, and some CD burning software, will have problems running as a limited user. Use the ‘run as’ function (right click on the program icon) to run them as Administrator.
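As an added example, not part of the original guide: the account split of Rule 1 done from a script on a current Windows (PowerShell 5.1 with its built-in LocalAccounts module, Windows 10 or 11) rather than through the XP control panel the text describes. The account names pc-admin and banking are assumptions; the daily account is taken to be the local account you are logged on with now. Run it once from an elevated PowerShell.

```powershell
# Added example, not from the guide: Rule 1's account split on a current Windows
# (PowerShell 5.1, LocalAccounts module). Account names are assumptions; the daily
# account is assumed to be the local account you are logged on with now.
#Requires -RunAsAdministrator

$AdminName   = 'pc-admin'      # for installs, updates and maintenance only
$BankingName = 'banking'       # dedicated limited account for shopping and banking
$DailyName   = $env:USERNAME   # the account used for everyday work, to be demoted

function New-LocalAccount {
    param([string]$Name, [switch]$Admin)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for new account '$Name'"
        New-LocalUser -Name $Name -Password $pw | Out-Null
    }
    # New-LocalUser adds no group membership at all, so put the account into Users;
    # only the maintenance account also goes into Administrators.
    $groups = @('Users'); if ($Admin) { $groups += 'Administrators' }
    foreach ($g in $groups) {
        if (-not (Get-LocalGroupMember -Group $g -Member $Name -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group $g -Member $Name
        }
    }
}

function Get-OtherEnabledAdmin([string]$Except) {
    # Enabled local users in Administrators other than $Except (the built-in
    # Administrator account is usually disabled, so it does not count).
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { Get-LocalUser -Name ($_.Name -replace '^.*\\', '') -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled -and $_.Name -ne $Except }
}

New-LocalAccount -Name $AdminName -Admin
New-LocalAccount -Name $BankingName

# Refuse to demote the daily account if that would leave no usable administrator.
if (-not (Get-OtherEnabledAdmin -Except $DailyName)) {
    throw "No other enabled administrator account exists; not demoting '$DailyName'."
}
Remove-LocalGroupMember -Group 'Administrators' -Member $DailyName -ErrorAction SilentlyContinue
Get-LocalGroupMember -Group 'Administrators'    # should now list only the maintenance admin

# Note 2's 'run as': launch an installer from the limited account with admin credentials.
# Start-Process -FilePath 'C:\Downloads\setup.exe' -Verb RunAs
```

Group membership is read into your token at logon, so sign out after running it. The safety check is the important part: demoting the last enabled administrator leaves nobody able to install updates, which is why the script refuses to do it.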
Rule 2. Connect to Broadband via an ADSL Router, never just an ADSL modem.
How to do this. Either ask your provider to supply Broadband with an ADSL Router, or buy a combined modem/router yourself (cheapest by mail order). Make sure you have the right PC ports to connect it up and that you get cables. If you have a choice, use an Ethernet connection, in preference to USB. Find out how to address the hardware firewall it will have in it, and set it to high protection if it isn’t already.
Why this helps. If you just connect via a modem, your machine will be visible to hackers worldwide. If you use a Router, it will use a private address for your machine, and the only thing visible on the net will be the Router (a much harder target). If you set the hardware firewall to high, the router also will be invisible.
Rule 3: Only use secure software.
This falls into three parts.
First, don’t use the chronically insecure Internet Explorer and Outlook; get (free) Mozilla Firefox (Web) and Mozilla Thunderbird (Email). Also get the Firefox SpoofStick and Adblock extensions to guard against phishing. One or two UK banks require Internet Explorer, and firewalls off. Avoid them. Use Mailwasher to screen and delete unwanted mail on the server.
Second, get the following:
ZoneAlarm is a free software firewall. You do need this as well as the router hardware firewall. Replace the weak XP built in firewall with it. Use it to disconnect from the net when inactive, and to control outbound traffic from applications.
AVG is a free anti-virus package (Kaspersky and McAfee are also very good, paid packages). Update at every connection.
Ad-Aware and Spybot Search and Destroy are free anti-spyware packages. Get both, and update at least weekly. Microsoft’s own anti-spyware package is free and highly rated. Webroot’s Spy Sweeper is a paid, well regarded package, as is PestPatrol. One anti-spyware package is definitely not enough. Find all these by using Google, or on Tucows. Also install SpywareBlaster for real time protection, but still sweep with the others weekly.
If you intend to use Anti-Executable, I wouldn’t rely solely on these scans to clean up the system first, but would do a clean Windows reinstall, as explained later.
WinPatrol is also highly rated, and protects against some system parameter changes.
Third, keep Windows up to date using the Windows Update control. You’ll have to sign on with an account with admin privileges. Check out Sans Institute Internet Storm Center, ‘Windows XP, Surviving the First Day’, for instructions on doing this safely – find it using Google. This helps because security updates for Windows come out often – as more holes are discovered and exploited. The quicker you get them in, the shorter the time you are at risk.
One should also disable insecure Windows services, as Greene’s book (below) explains. And never install anything when prompted to do so by a web site or email.
Rule 4: Keep as much personal information as possible off the machine, on paper.
Never have your browser remember passwords or logon information. Never keep National Insurance numbers, passport numbers, driver’s license numbers, bank account numbers or branch addresses on disk. Never use Quicken or MS Money to connect to your bank to download data. Never dispose of a PC with a hard drive in it: take out the drive first, and destroy hard drives before disposal.
If you have children, have a dedicated machine for gaming, music downloads, chat etc, keep no personal data whatever on it, and if you allow it to share the Broadband connection, firewall it off totally from the other machines. Consider using Anti-Executable or even DeepFreeze (also Faronics) on it. All this will be fairly technical, and will probably require professional help. It will be worth it.
Microsoft has just published the ‘Shared Computer Toolkit’ for making a machine safe for multiple users in a walkup environment. Professional help will probably be needed to install and use this, and it may be overkill for home users.
Reading.
Thomas Greene’s book ‘Internet Security for the Home and Small Office’, is essential reading if you ever use Windows on the net, dialup or broadband, to bank or shop. Get it (from Amazon). Clear, detailed (lots of screen shots) how-to on hardening Windows. It explains how to disable insecure Windows services, which is a must, but which is too big a topic for these pages. Steve Gibson’s site, see previous page, is worth a visit. Secunia and SecurityFocus are very good but technical. Wilders.org has lots of good links and clear explanations.
How to know if your machine is infected, and what to do.
You’ll know because of slowdowns, crashes or unpredictable behaviour, especially of Explorer or Outlook, or because scans with anti-virus or anti-spyware software report infections. You may find lots of popups appearing, or find yourself on sites you have not clicked on. Your internet connection may be very active when you are not doing anything. Your ISP or other people may tell you your machine is sending spam. Pressing Ctrl-Alt-Delete to look at the running processes may not work at all: malware often disables Task Manager to hide itself.
Take this very seriously and do not bank or shop online until fixed.
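As an added example, not from the original guide: a first look at the symptoms just listed, on a current Windows (PowerShell 5.1; Get-NetTCPConnection needs Windows 8 or later). It reports and does not clean: which processes hold network connections right now and where their executables live, whether Task Manager has been disabled by policy, and what is set to start at logon. The three ‘expected’ directories are an assumption; anything running from elsewhere is only flagged for a closer look, not declared malicious.

```powershell
# Added example, not part of the guide: report-only triage for the symptoms above.
# Assumes PowerShell 5.1 on Windows 8 or later (Get-NetTCPConnection). The three
# 'expected' directories are an assumption; anything elsewhere is flagged for a
# closer look, not declared malicious.
$ExpectedDirs = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-ExpectedPath([string]$Path) {
    if (-not $Path) { return $false }   # no path: protected process or access denied
    foreach ($d in $ExpectedDirs) {
        if ($Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Who holds a network connection right now, and where does its executable live?
function Get-ActiveConnection {
    foreach ($c in Get-NetTCPConnection -State Established) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($p) { $p.Path } else { $null }
        [pscustomobject]@{
            Process = if ($p) { $p.ProcessName } else { '?' }
            PID     = $c.OwningProcess
            Remote  = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            Path    = $path
            Flag    = if (Test-ExpectedPath $path) { '' } else { 'CHECK' }
        }
    }
}

# 2. Has Task Manager been switched off by policy? Malware does this to stay hidden.
function Test-TaskManagerDisabled {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        if ($v -eq 1) { Write-Warning "Task Manager is disabled by policy in $hive" }
    }
}

# 3. What starts at logon, and from where? The Run keys are the classic persistence spot.
function Get-RunEntry {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($entry in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            # pull the executable out of '"C:\x\y.exe" /arg' or 'C:\x\y.exe /arg'
            $exe = ($entry.Value -replace '^"([^"]+)".*', '$1') -replace '^(\S+\.exe).*', '$1'
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Hive    = $key.Split(':')[0]
                Name    = $entry.Name
                Command = $entry.Value
                Flag    = if (Test-ExpectedPath $exe) { '' } else { 'CHECK' }
            }
        }
    }
}

Get-ActiveConnection | Sort-Object Flag -Descending | Format-Table -AutoSize
Test-TaskManagerDisabled
Get-RunEntry | Format-Table -AutoSize
```

A row marked CHECK is a question, not an answer: plenty of legitimate software installs under the user profile. What the script gives you is the short list to look at before deciding whether to go down the reinstall route described below.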
What to do? It used to be a very simple matter: get and run anti-virus software and keep it up to date. No more. In the last year, it has become less and less possible to be sure of having cleaned a badly infected Windows installation while booted from it. The only method reasonably certain to succeed nowadays is: back up your work files to removable storage, then format and partition the affected hard drives, reinstall Windows, harden it, and then copy back the work files and reinstall software. I would personally do this by buying a new hard drive (Seagate Barracuda) with an OEM copy of XP, and starting from scratch. I would do the data backup by booting from Knoppix or a similar Linux live CD, so that the infected Windows is never started while the files are copied.
Advice. Find a professional and say this is what you want done. If he tells you it is not necessary, and that simply running AdAware etc is enough, well, it may be. But there again, it may not be. The question is, how much do you want to bet?
I would demand (and pay for) a clean install…
Appendix: where does this problem come from?
If you are just trying to keep systems secure, this may seem a bit academic. But people do ask, so here is a very short account. First, to avoid being forced by anti-trust actions to give equal treatment to all browsers, Microsoft, during the ‘browser wars’, made Internet Explorer part of the Operating System, and also linked Outlook to Explorer. This means it really cannot be removed. But it also means any vulnerability of Explorer or Outlook is a vulnerability of Windows. Second, it’s the social culture of Windows use, in particular the universal practice of signing on with Administrator privileges. This means any infection is automatically a system wide infection. Third, it’s to do with myriad vulnerabilities in the way Windows handles services and system components. As an example, the recent WMF flaw lets an image file carry malicious code, regardless of browser, because of flaws in the way Windows renders thumbnails and graphics. RPC (Remote Procedure Call) is another example.
Bottom line: it is not going to go away any time soon.
Caveat
I’ve taken care over this, but it’s a very brief guide to a very complicated and rapidly changing subject. I can’t be responsible for any inaccuracies or any consequences of following these recommendations. Do not follow them blindly. Verify first, and then use them only as the basis for formulating your own security policy, and arriving at your own list of dos and don’ts.
–Alcibiades
The writer does a nice job of being concise and offers an easy to read list of the basics. Of course it is somewhat over simplified, but it is titled a “naive user’s guide”.
I am continually amazed by friends who are highly infected by spyware and still continue to do their online banking. Sometimes I get hijacked to clean their systems or (worst case) reinstall Windows. I always tell them to change any passwords they have typed into the computer, but they rarely do so. At heart the human race is closely related to lemmings.
yes, lets hear it for the lemmings!
There is no chance for Windows to be secure, and not in the future with their Vista. There are basically few changes in security with Vista. Even the company admits that you will need a firewall, antivirus and antispyware to be more protected online. I tried Vista 5270 and went to some malicious sites intentionally and got Vista gone wild. Windows will never be rewritten to be more secure; that’s what has happened since it was designed, since VMS.
Your only chance is to buy Mac OSX (if you have money) or download and install a Linux OS (if you don’t have money).
Windows’ disadvantages do not lie in security alone: it is a slow performer, especially when you install 10 applications or more. On a 10,000 rpm drive with 4.2 ms seek time, Windows XP + SP2 starts up in about 4 minutes (CPU 3GHz, RAM 1 GB), and if you check why, you will discover that the vital services I run to protect Windows are causing it, plus some faulty drivers from top manufacturers in sound (Creative) and chipsets (Intel); this is never seen on Linux on the same machine with the same amount of software installed. My current OS is RHEL 4.2, which beats Windows XP SP2 hands down. The only problem with Linux will be that you will have to learn from scratch to deal with it, but I guess it will pay off.
Will forward to some ‘Naive Users’
I keep telling this to everyone who complains about virus and the bloat of some anti-virus: use Windows Update. Most of the exploits are fixed before they get exploited. Remember msblast, whose fix was available 1 month before the virus started to emerge.
In about 6 years using the Internet daily (most of the time in Windows) I have never been infected from a single virus, except one day I actually reinstalled Windows and forgot to enable the firewall before going to Windows Update.
I keep telling this. Nobody believes me, though.
Anyway, nice article. Follow its instructions and you will be ok.
Good thing for you, 2K and XP have automatic updates. Just set it up to automatically download and install updates at a time you KNOW their computer will be on, and no more problems.
Hummmmm, problem with that is what do you do (Like now with Microsoft Security Advisory 912840) when there is no patch?
Unplug the thing or pray you don’t get jacked? LOL!
Good luck!
Explaining that to the naive would be a bit more troublesome. Explaining that you have to de-register dlls is beyond the usual Windows Security lecture.
Just give them the patch on GRC.com
Most of the information is common sense stuff for those of us who work in the IT field or have an above average interest in computers.
Alcibiades’ description of the effects of malware assumes the user goes to every warez/porn/malware/social engineering/phishing site on earth. Usually to get trojaned by a porn dialer means you went to a porn site that supports the malware! Normal surfing in the US you would get the typical amount of spyware, and not much more. My 15 year old daughter goes to a number of sites that her friends send links to that I sometimes think are questionable, but she has not been hit. And I check her system weekly using Symantec AntiVirus, AdAware, Spybot Search and Destroy.
I don’t necessarily agree with replacing Windows XP’s SP2 firewall with ZoneAlarm, while ZoneAlarm will definitely protect a machine better than Microsoft’s product, it is also harder to configure, which brings me to the second issue I have with this article. Much of this assumes a level of experience that the “typical” user doesn’t have, and the reason why most users don’t do this is because they either don’t know how, they see it as too hard, or that it severely limits the functionality of the system.
For this guide to be really useful, it would have to be written in layman’s terms and use lots of screen shots.
“Alcibiades’ description of the effects of malware assumes the user goes to every warez/porn/malware/social engineering/phishing site on earth”
Well not really. At least not around here. I have seen a pro shop down the street in the process of taking several hundred items off a family machine, and another family paying for a disinfection of similar scale – and the comment was, you don’t understand what normal use is these days, it’s ring tones and music downloads, and instant messaging, and that’s what does it.
Then I know of two machines in another family made essentially unusable by a family visit of a (girl) teenager. They didn’t know what she had done. But I doubt very much it was porn. It was probably just instant messaging. I know for sure of one case in which ringtones were to blame, because the mobile in question was charged with them. Then another local case in which the guy for sure had not been to any porn site or even warez, and he had quite a few pieces. All he ever does is probably read the papers and shop.
The really eye opening experience for me has been how innocently you can be infected. The cases I’ve seen, you really don’t have to have done anything deliberately ‘out of line’ or risky, just get a little careless. Scary.
Which is where user education comes into play, my wife and daughter know better because I take the time to educate them. With my daughter it is standard procedure, if she is not sure she asks me. Music downloads (and we all download music in our house) is limited to samples through approved web sites (CD Baby, Amazon, etc.). She also uses IM (both AOL and MSN), no downloads are allowed at all. The end result is few if any security issues.
Most of the users you reference fall into what I call the “clueless” category, either by accident or design. And unfortunately for many it is by design, they prefer not to know because it is “too hard to understand” or “too much to learn”. With children it is also a lack of parental control, or the parents being “too busy” to see or learn what Johnny is doing (thus the situation where the kids know more about computing than their parents). When I did phone support for Canon I took a call where the parents handed the phone over to their son because he knew more about the problem than they did!
It is too easy for many people to skate by and expect their more knowledgeable friends/neighbors/workmates to bail them out when they get into trouble (I know, I get the frantic calls from my wife’s friends). And until these people decide it is their responsibility to maintain their computer hardware and software, no amount of guides will help them out.
Home users should not run windows unless they want to become amateur security specialists…. Most home users should get a Mac.
Spend more time reading how to cover your own butt because Windows sucks than you do actually enjoying your PC.
But thanks for the hard work of putting this together. Most people talk the talk but dont walk the walk!
“Spend more time reading how to cover your own butt because Windows sucks than you do actually enjoying your PC.”
Umm… no. Depending on how “filthy” the machine is, it might take some time to clean it up and lock it down, but after that weekly anti-spyware scans should be enough. Contrary to what your trollish screen name claims, Windows is a decent platform that allows users to be productive and enjoy their PC. Security, after all, exists mainly between the chair and the keyboard.
You need to do much more than spyware scans, you must also pay for and update virus scan, you must spend time trying to figure out if emails even from your friends can contain malware.
And how can you be productive if your machine is always having problems. The end user should not have to worry daily about if your PC is secure!
And what about this current WHM hole, no patch for that and it’s a BIG hole! What do you do with that.
I don’t see how people can say that windows is good. No other product known to man has as many problems as Windows. I mean here we are in the first week of the year and there are several major problems! You dont see that with any other piece of software on earth!
The kicker is that Microsoft has 50 billion in the bank! There is NO excuse for this crap!
“You need to do much more than spyware scans, you must also pay for and update virus scan, you must spend time trying to figure out if emails even from your friends can contain malware.”
This is a weak argument. Since HTML itself cannot be executable, all you have to watch out for are the attachments. However, in this day and age, if you’re dumb enough to click on an attachment without making sure that it’s safe… well, you deserve to have your system borked by malware; maybe that’ll teach you the lesson of being careful online.
Secondly, periodically paying for an update to your virus scanner isn’t exactly a huge time-killer, since those subscriptions last a long time. Once again, with most of those services, you can schedule the frequency of getting the updates and scanning your system. Those processes will be run in the background, thereby not affecting your overall performance due to the fact that Windows is a multi-tasking OS. Your argument still doesn’t wash.
I will give you the WMF vulnerability. It does sound quite scary. Overall however, it fails to prove your point that Windows is hard to maintain periodically. Every OS is bound to have its “scary virus” once in a while.
I’m not going to bother replying to the emotionally charged anti-Windows ranting and raving that constitutes the rest of your post. I don’t like using Windows, but emotional appeals have nothing to do with logical reasoning.
Wow, so I wonder why I don’t have to pay for that stuff on any other OS.
I wonder why when on my Mac if I slip up and click on an attachment I dont have to worry that my computer is gonna die.
I wonder why there are more security applications for Windows than any other type of application.
And why should I pay for Microsofts problems?
So because MS has a ton of money and their products still suck, I am being emotional? Yet we all sit here day in and day out and compare MS’s products to products made by companies (Some of which like Ubuntu don’t even have an income)
You don’t find that odd? Come on now.
All I can say is that I showed my grandmother this page today and asked her if she wanted to do this to her machine so she could use Windows. She laughed cause she could not understand any of it.
All she could say is “Why don’t I have to do any of that on the Ubuntu machine you set up for me” LOL! All I could do was shrug my shoulders.
Oh, such a simple procedure for people who never update their Windows or antivirus and don’t use firewalls…
I have an alternative, safer and simple procedure for them:
1- Put the CD #1 of any Linux distribution in the CD-ROM drive and reboot the computer
2- Follow the instructions to wipe, format and create necessary partitions
3- Follow the instructions to complete the linux installation
4- Begin to use and be happy !
I have better solutions:
A: Get a tech geek to set you up with Linux on a machine.
B: Buy a Mac
1.) Enable automatic updates
2.) Download and install the Zonealarm firewall for free from http://www.zonealarm.com the windows firewall is pretty much crap
3.) Open up services.msc and disable many of the “unneeded” services. More information is available in the google cached version of Black Viper’s services guide: http://tinyurl.com/dcq5b DCOM, Messenger, UPnP are a few I remember off the top of my head.
4.) Install firefox and remove all references to IE from the desktop / start menu. Set firefox shortcuts with the IE Icon in C:\Program Files\Internet Explorer\iexplore.exe
5.) Install adblock with the adblock filterset.g updater and make sure to update the rulesets. This blocks many of the “click me to download evil.exe” banner ads.
6.) Install all of the software the user needs and take them out of the Administrators / Power Users groups in the User control panel, or through mmc.
7.) Install the Microsoft Antispyware, Ad-aware, Spybot Search and Destroy trio and set them to run nightly when the user will be asleep.
http://www.microsoft.com/athome/security/spyware/software/default.m…
http://www.lavasoftusa.com/software/adaware/
http://www.safer-networking.org/en/download/
8.) Don’t let the user use Outlook! Mozilla thunderbird or a webmail service like gmail/hotmail are perfectly fine.
If you are super paranoid, secure windows xp according to the US National Security Agency guidelines: http://nsa2.www.conxion.com/winxp/
Properly following these steps and teaching the user about evil things like email worms and bad websites will prevent the inevitable for much longer…
Edit: I got tired of this crap on my parents’ PC, they now use a customized version of Ubuntu and love it!
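An added example that is not code from the article or from the comment above, serving both the article’s Rule 3 (keep Windows updated, disable insecure services, run a firewall) and steps 1 to 3 of the list above: the same measures on a current Windows (PowerShell 5.1 on Windows 10 or 11), run from an elevated PowerShell. XP’s Messenger and DCOM settings have no direct equivalent today; the three services listed are an assumed minimal present-day set that a home machine rarely needs, and the firewall and update checks use the built-in NetSecurity cmdlets and the Windows Update Agent COM API.

```powershell
# Added example, not code from the article or the comment: the 'disable unneeded
# services', 'firewall on' and 'automatic updates' steps on a current Windows
# (PowerShell 5.1 on Windows 10/11), run from an elevated PowerShell. The three
# services below are an assumed minimal list; review them against your own use
# (SSDP/UPnP are needed for some media streaming setups).
#Requires -RunAsAdministrator

$ServicesToDisable = @(
    'SSDPSRV',         # SSDP Discovery: answers UPnP discovery on the LAN
    'upnphost',        # UPnP Device Host: exposes this PC as a UPnP device
    'RemoteRegistry'   # lets other machines read and write this registry
)

function Disable-UnneededService {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Host "$name is not installed, skipping"; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        $svc = Get-Service -Name $name
        '{0,-16} {1,-8} {2}' -f $name, $svc.Status, $svc.StartType
    }
}

function Enable-HostFirewall {
    # Every profile on, inbound blocked by default: the software-firewall half of Rule 3.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-UpdateStatus {
    # NotificationLevel 4 is 'scheduled installation' in the Windows Update Agent API;
    # anything lower means updates wait for the user, which on a home PC means forever.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    [pscustomobject]@{
        NotificationLevel = $au.Settings.NotificationLevel
        LastInstall       = (Get-HotFix | Sort-Object InstalledOn -Descending |
                             Select-Object -First 1).InstalledOn
    }
}

Disable-UnneededService -Names $ServicesToDisable
Enable-HostFirewall
Get-UpdateStatus
```

If something on the LAN stops working after this (a media player that can no longer see the PC, say), SSDPSRV and upnphost are the usual cause; re-enable them with Set-Service -StartupType Manual rather than leaving the rest of the list undone.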
This article is concise and the proposed measures are pretty effective against most typical attacks on windows.
Rule 4: Keep as much personal information as possible off the machine, on paper.
I fully agree.
Never have your browser remember passwords or logon information.
I’m not so sure about it – OK, I wouldn’t trust MS IE at all. It’s also a good strategy to avoid entering important passwords too often. Revealing the master password to a (remotely working) keylogger doesn’t automatically mean that you reveal all your stored passwords to the attacker in the same step – but it could just mean this, it depends on the overall vulnerability of your system and the software you use…
Btw, there’s a good reason not to enter important passwords directly into your browser if you use JavaScript. The broken same origin policy of JavaScript allows many remote keylogging attacks by definition. You not only have to trust the website you’re visiting, but also all included (even remote) JavaScript ads. These vulnerabilities are known for a long time but the vendors don’t bother to fix them because they consider them as a feature.
As one simply cannot win the battle by using windows on the long term, you can’t be sure that you never get compromised by some kind of keylogger or some other malicous software. Just think about it and the consequences… which lets me clearly favour Plan B
The worst people of them all are people like my friends – some of them never update, use the firewall or even have antivirus installed. The reason you ask?
“I never get infected”, “I haven’t noticed anything out of the ordinary”, “So what, that’s my business”. Yeah sure! People like you ARE the ones spreading the god damn things. So why isn’t it my business too? Don’t you get that??? But they never listen.
Ignorance is bliss?
There is a woman who lives just off the alley we share who doesn’t have time, or perhaps the desire, to poison or pick the goat-head thorns growing on her lawn. My father, on the other hand, religiously removes them from the alley, driveway, and periodically, from our yard. I doubt the woman down the street cares that my father does this, as she doesn’t seem to care where they grow at all. Her yard is the last outpost of them anywhere, and if they were picked, no one would have to worry about them at all.
Some people fail to recognize the consequences of their own actions, and their effects on other people. Be assured that just like that woman who slipped on the sticker patch last week, they’ll get the idea once it’s too late. Try not to waste too much hostility on them, they’ll get theirs.
Application firewalls like zonealarm are not as useful as they once were. These products can only ask you whether or not you want to allow a particular application, as identified by the process image name, to access the internet.
Lots of newer spyware will not run in their own process space. Instead a newer spyware application will install its bots and internet connection threads in an existing process.
Here is an example:
A spyware application, let’s call it nasty.exe, starts up and drops a file containing its spyware code onto the disk. Let’s say this file is called spy.dll. Next nasty.exe opens a handle to a well known process that people expect to access the internet, like iexplore.exe. Nasty.exe uses a standard process injection technique (you don’t need to be administrator to do this) to get the running copy of iexplore to load spy.dll into a new thread. Now the spyware code is running as a new thread in iexplore.exe.
In this scenario, zonealarm is totally useless. All access to the internet from the spyware code will look like it comes from iexplore.exe, which has probably been set to OK by the user.
This sort of anti-detection is rather easy to do, and becoming quite common. The more common this gets, the less useful products like zonealarm become.
At this point, I don’t even bother with them.
Are you serious? You can actually cause other processes than your own to load libraries?
Is this possible on other systems?
Do you have any good reading material on this?
Yes, you can do this; however, you need to have permission to access the other process in this way.
On Windows, the way you do this is to:
1) Open a handle to the target process
2) Allocate memory in the other process space
3) Write the path to your DLL into that memory space
4) Create a thread in the target process space with the thread proc set to LoadLibrary and the parameter set to the memory address you allocated in step 2.
5) Your DLL code is now running in the other process…
This is a very well known DLL process injection attack. The OS APIs used for this attack exist to allow debuggers to function (among other things). This is just an example of how powerful tools can be used for good and for bad.
A few things to keep in mind with this attack:
1) You can be attacked in this way even if you are not running as administrator. The attacker can simply choose to inject into a process that your user account owns… like iexplore.exe.
2) You cannot inject into a process if you don’t have permission to open the process and create remote threads. This would prevent even the administrator from attacking processes owned by the system without doing a bit more work.
I haven’t really looked into this style of attack on Mac OS X, or variants of Linux; however, I wouldn’t be surprised to find that a similar attack is possible. Mac OS previous to OS X, and Windows 9x/ME/3.x, would probably be rather easy to attack. IIRC they lacked protected memory, so any process could access another process’s memory space.
There are plenty of sources on the net that describe this sort of thing. See http://www.rootkit.com for some examples.
Edited 2006-01-05 15:55
MacOS before OS X did lack memory protection. Windows 9x had a memory protection scheme, and I think it was the reason it was so unstable after a few weeks (it wasn’t very good).
I don’t know about 3.1. But I don’t know if the hardware could have even supported a protected mode in 16-bit. IIRC you needed to be using 32-bit code to get that.
I’d honestly be a bit surprised to see this attack possible on Unix systems. I Googled around a bit, but “injection dll” is a whole lot better than “injection so”. I kept getting junk about MySQL.
I’ll do some more digging using your instructions on how it’s actually done.
Windows 9x, IIRC, had 2 GB of memory space for each user process, and a shared 2 GB space for the system. This is all you would need.
3.x was even weaker.
Protected memory on Windows became possible with the i386. This is because the processor had built-in components to tie to a VMM.
With Unix, I wouldn’t worry about forcing another process to load a shared library. That is just a means to an end. The real goal is to get another process to execute your code. As I said, I haven’t really looked into this, but I suspect that one could use the proc filesystem to adjust the memory contents of another process owned by the same user. That could get your executable code into the other process… The trick then is to convince that process to execute it. I’m not sure if there is a way to create a thread in another process on Unix (the way you can on Windows).
If I were to attack a Unix-like OS, or Mac OS, I would start by looking for exploits that allow me an elevation in privilege. From there I could load a kernel module and be able to do whatever I want.
The short story here is that _every_ OS is vulnerable to exploits of some sort. CERT has many for MacOS as well as Linux. The trick is to be conscious of the risks and to act in a manner that protects you from harm. I would be concerned if I had a Mac or Linux user on my network who felt so secure in their OS that they started doing risky things (like executing random downloads, visiting questionable sites, etc…). Everyone, regardless of their OS, needs to be wary in their computing practices.
-r–r–r– 1 root root 0 2006-01-05 14:31 maps
I don’t think you can manipulate things via the proc filesystem.
Even things which have permissions that look readable and writable I can’t even read:
lrwxrwxrwx 1 root root 0 2006-01-05 14:31 exe
[chris@rachelanne 3692]$ file exe
exe: unreadable symlink `exe' (Permission denied)
I think there’s a big difference between vulnerabilities from problems in your code and vulnerabilities you designed into the system and documented…
Again, I’m very understanding of exploits. It’s unfixed design flaws that bug me.
In this scenario, ZoneAlarm is totally useless. All access to the internet from the spyware code will look like it comes from iexplore.exe, which has probably been set to OK by the user.
I’ve been running ZA for ages. It monitors for processes attempting network access via another process, I get warnings all the time for routine Windows operations. It detects via signature when trusted or known applications are modified (legitimately or maliciously). It will even monitor application actions after a new install in a learning-mode to determine some sort of rudimentary baseline reference for how the applications interact.
Sure, it’s not infallible, but I wouldn’t write off the relevance of personal firewalls, particularly for newer users. The popup windows may be confusing to some, but at least they force the users to think about what is running on their system. They’re no different than A/V filters, not an overall solution but simply a piece of one.
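The two replies above disagree about whether a personal firewall can see a DLL that was injected into iexplore.exe. One check a practitioner can run on the machine itself, independent of any firewall product: a DLL that arrived through LoadLibrary went through the normal loader, so it appears in the process's module list like any other. The function below lists every module of a named process and reports the ones that are unsigned or live outside the Windows and Program Files trees. It is an added example, not from the thread or the article, and the function name Find-SuspectModules and its parameters are its own. It assumes it runs in a PowerShell of the same bitness as the inspected process (a 64-bit host cannot fully enumerate a 32-bit process's modules), and a hit is something to investigate, not proof of infection.

```powershell
<#
  Added example (not from the thread or the article): list the modules loaded
  into a process and flag the ones a practitioner would want to look at.
  Assumption: same bitness as the inspected process; the directory allow-list
  is a heuristic, so a hit means "look at this", not "infected".
#>
function Find-SuspectModules {
    param(
        [Parameter(Mandatory = $true)][string]$ProcessName,     # e.g. 'iexplore'
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    # Normalise the allow-listed directories to "X:\dir\" so a prefix match cannot
    # be fooled by "C:\Program Files2\".
    $roots = $TrustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # Reading .Modules needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on
        # the target; it throws for processes our token cannot open.
        try { $modules = $proc.Modules } catch { Write-Warning "pid $($proc.Id): $_"; continue }

        foreach ($m in $modules) {
            $path = $m.FileName
            $inTrustedDir = [bool]($roots | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            # A validly signed module in a system directory is the normal case; skip it.
            if ($inTrustedDir -and $sig.Status -eq 'Valid') { continue }
            [pscustomobject]@{
                Pid       = $proc.Id
                Module    = $m.ModuleName
                Path      = $path
                Signature = $sig.Status      # NotSigned, HashMismatch, UnknownError, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Usage: Find-SuspectModules -ProcessName iexplore | Format-Table -AutoSize
```

The check answers the narrow question in the thread (does spy.dll show up once it is inside iexplore.exe?) and nothing more: it only sees code that the Windows loader knows about. Code that is written into the process and started as a raw thread, without LoadLibrary, leaves no module entry, so this listing is a first look, not a verdict, and a clean result does not rule out the more evasive variants the first poster alludes to.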
Good article. I am going to keep a copy to hand out to a few people who seem to call me regularly. If most of the Windows users out there would read and heed this article the internet would be a much safer place and it would probably cut down on the SPAM as well. 🙂
The only down side I see in this article is that it requires that “Naive” user to do a little research and a lot of reading. Chances are that because of that most will not do it.
Bill
… we have computer specialists to help them.
You simply cannot expect people to get under the hood of windows to ensure they are secure. It’s a wonderful thought, but it doesn’t work.
People want to switch on, do their task, and switch off.
Not everyone is a computer enthusiast, in fact, very few people are.
Ask the average person about firewalls ? – Huh ?
Fire what ?
Viruses are the realm of “computer boffins” and trust in windows is just blind.
The idea of your average person keeping their computers safe from attack is about as realistic as everyone checking the tyre pressure, brakes, suspension and clutch in their cars each and every time before they start driving.
It really is up to Microsoft to keep the attacks at bay for the masses; however, I agree that simple education is a good thing, so long as it doesn’t distract people from using their computers as tools, as opposed to tooling about with their computers.
Just the basics is all we can hope for, along the lines of “don’t click too quick” – kinda like telling drivers to keep an eye out for traffic problems.
You’re perfectly right!
Until people get completely crashed by some malware they don’t feel the danger even if they are aware. This is like car driving: everyone thinks he drives better than his neighbour. For computers, everyone thinks he’s safe enough – safer than others.
The truth is most people don’t know what these popup windows are (well, it’s a Windows feature?), they do not know that some malware has read their address book to send spam, they even don’t know that their computer may be hosting some pirated software or porn videos!
And worse: they think their computer is perfectly designed, they totally trust Microsoft and never wonder why their system needs so many add-ons to get safer (anti-virus, etc.)…
As the name implies, “computers” are intended to compute! One should expect work from a computer; not work for it!
I would hate to buy memory and cpu performance to run tons of anti-xxx software on them!
Linux is a good OS and it makes your computer work for you! Stop using an OS which even cannot spell its own name (Micros~1).
Edited 2006-01-04 21:44
I thought Darius’s was the best no-nonsense guide.
… about all this is that you have to spend a few hours tweaking stuff and the user will eventually break it all. Then you will have to do it again.
Windows is not ready for JoeUser’s desktop
With all the CPU cycles that those programs will consume, the user will need a quad-core CPU (one for each program).
Rant apart, I am shocked to see that windows does indeed need all this (I find it a little bit exaggerated).
An antivirus, Opera/FFox, MS Spyware and the XP SP2 Firewall can cover most of the user stupidities. Outlook from Office XP is “ok” as well, although Thunderbird or Opera M2 may be better.
I don’t like the comment that reads: “Keep all your information out of your PC”…
Well… I have a Macintosh and I Keep it ALL, Organized, classified and “secured”. That’s the purpose of a computer, isn’t it?
The author mentions “live” viruses for MacOS. Since he described it as Unix based, he must be talking about OSX. I’d like for him to name these live viruses.
Good article, although I don’t think my mom could get through the whole thing and follow the instructions.
That pretty much describes how I set up computers for work use. If you’re doing support for home users, though – especially if you’re being paid to do it – you’re often limited by their willingness to make significant changes to their usage habits. E.g., most home users I’ve done support for would not tolerate the hassles that come along with running as a non-Admin in Windows. In a work environment, it’s not really an issue, as the end users shouldn’t be installing software, making settings changes, accessing files belonging to other users on the PC, etc.
For home users, I’ve found that the less interaction required from them, the better. AVG + automatic scheduled updates, ditto with Spybot. I prefer spybot to adaware these days, because spybot has command line options that allow you to automate it using the windows task scheduler (/autoupdate /autoscan /autoclean /autoclose, etc).
This is a great article. Thanks!
Is it OK to print out copies to attach to a client’s Company Security Policy (which I am responsible for) ?
It will help to explain why my rules seem so harsh – no access to the hosted webservers from any Windows machine, any user account with passwords I can crack cut off until they are improved, and other such fascist measures. It will also help explain to the company’s boss why I have to go round and clean up the zero-day exploit off his machine tonight (he didn’t do anything particularly silly).