
As the Worm Turns...Your Computer into a Zombie

by Greg Chapman, MVP (retired)
Skill rating level 3.

The last two weeks have allowed me less than the required allotment of sleep time due to some highly effective security exploits. But unlike most computer pundits you’ve been listening to recently, I’m not going to lay the blame completely at the feet of software vendors. Granted, some of the holes exploited by the worms and viruses are simply inexcusable (there is NO acceptable explanation for shipping code that suffers a buffer overflow, the basic flaw the MSBlaster worm exploits). And some of those vendors, the anti-virus vendors in particular, are guilty of indefensible claims that they could have prevented these outbreaks. They couldn’t, of course, since their products are poor at predicting the presence of an unknown viral body and only reliably protect your system from known infection types. But, by far, the single greatest flaw which has allowed these worms to run rampant has been the ignorance of you and me, the body of users from whose machines these malignancies propagated.

During this rush to patch and shut down infected systems, I’ve again run across another phenomenon which never fails to astonish me. It comes from administrators and help desks and it is highly offensive: "Users are too stupid to learn how to protect themselves, to clean their own infected systems, and to follow simple directions." Of course, the assertion is based on singular events in their careers and is applied generally to the user base. The attitude also has a huge foundation in laziness.

I’d like to attack each one of those points and win completely. In order to do that, I’ll lay out the basics of how you, the user, can modify your behavior and succeed in the battle against worms, Trojans and viruses despite those insulting barriers thrown up by the folks who are paid to help you. Some of these suggestions are highly controversial amongst the more religious computer users. For those folks, please, just follow along and consider the suggestions on their merits.

Let’s Start by Modifying Our Behavior

These are the simplest rules to follow:

  • In your email application, create a signature and use it. Most mass-mailing worms compose their own messages and do not include your signature, so its absence is a warning sign.

  • Make sure all your correspondents know you use a signature and why you want them to know it (if you get email from me that has an attachment and there is no signature, do not open the attachment!).

  • Always warn your recipients that you’re going to send them an attachment before actually sending it. Doing this means they don’t have to guess whether the attachment that arrives in the next message is infected.

  • Do not assume that the infected mail actually came from soandso@hotmail.com. Email worms have been spoofing the originator address since at least 2001. And, as a result, I have some highly educated, but foolish, in-laws who still believe my machine was infected and sent them a virus. They were socially engineered, I wasn’t. I’m not too upset, though, that they have my domain blocked. They had another bad habit and never learned any better: they really shouldn’t forward all those chain emails, etc. (see Dian’s “Please Forward This to Everyone You Know!!” article). I’m a little thankful to not get email from them anymore.

  • Oh, yeah! Don’t make a habit of forwarding mail to huge volumes of recipients. Doing so makes you behave much like a mass-mailing worm. I already know that the little boy in the bubble message is a hoax.

  • Treat every scary message as a hoax until you know better. Suddenly getting mail from the long-lost son-in-law of the President of some forgotten African nation? Still worried about the bubble boy? How about HIV-infected needles or tabs of LSD in the coin return slot of a public telephone (geez, do those things still exist?)? Learn about Internet hoaxes at HOAXBUSTERS (http://hoaxbusters.ciac.org/). This is a federally funded site (U.S. Department of Energy) with a wealth of information about hoaxes that just won’t die.

  • Subscribe to a security mailing list or visit security sites. SecurityFocus.com, NTBugTraq.com, itsecurity.com, and the CERT Coordination Center at Carnegie Mellon University (http://www.cert.org) are all excellent sources of information about current threats and the techniques by which to mitigate them.
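The rules above (signature present, attachment announced, sender address not to be trusted) can also be checked mechanically at the receiving end, and the same checks apply to the attachment-borne worms discussed later in this article. The script below is an added example, not code from the article or from MouseTrax; it uses Python’s standard email module on two constructed messages, a constructed signature text, and constructed host names and addresses (example.com, recipient.test, isp.test). The sender check compares the From: domain with the host named in the earliest Received: header, which is only a heuristic, since every hop except the one written by your own mail server is self-reported.

```python
"""Triage an incoming message against the behavioral rules above.

Added example, not from the article.  The two messages, the agreed
signature text and all hosts and addresses are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: the signature text this correspondent told you they always use.
AGREED_SIGNATURE = "Jane Doe, Example Corp"

# Windows file extensions that run as programs when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd", ".vbs"}

# Constructed: an announced, signed attachment relayed by the sender's own mail host.
SAFE_MAIL = """\
Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.recipient.test with ESMTP; Mon, 25 Aug 2003 09:00:00 -0500
From: Jane Doe <jane@example.com>
To: bob@recipient.test
Subject: The spreadsheet I warned you about
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Bob, here is the file I said I would send this morning.

Regards,
Jane Doe, Example Corp
--b1
Content-Type: application/vnd.ms-excel; name="budget.xls"
Content-Disposition: attachment; filename="budget.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed: a worm-style message, From: spoofed, no signature, executable attachment,
# handed in by a dial-up/DSL host that has nothing to do with the claimed sender domain.
WORM_MAIL = """\
Received: from dsl-203-0-113-7.isp.test (dsl-203-0-113-7.isp.test [203.0.113.7]) by mx.recipient.test with ESMTP; Mon, 25 Aug 2003 09:05:00 -0500
From: Jane Doe <jane@example.com>
To: bob@recipient.test
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details.
--b2
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b2--
"""


def parse(raw):
    """Parse raw RFC 822 text into an EmailMessage (policy.default gives the modern API)."""
    return email.message_from_string(raw, policy=policy.default)


def attachment_names(msg):
    """Filenames of every non-body part of the message."""
    return [part.get_filename() or "(unnamed)" for part in msg.iter_attachments()]


def has_agreed_signature(msg, signature=AGREED_SIGNATURE):
    """True when the plain-text body carries the signature the sender agreed to use."""
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and signature in body.get_content()


def first_hop_host(msg):
    """Host named in the earliest Received: header (the one closest to the origin).

    Received headers are prepended as mail moves, so the last one in the list
    was written first.  Only the hop written by your own server is trustworthy;
    the rest are self-reported, so treat this as a heuristic, not proof.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\bfrom\s+([\w.-]+)", str(received[-1]))
    return m.group(1).lower() if m else None


def sender_domain_mismatch(msg):
    """True when the From: domain does not match the host that first handed the mail in."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    host = first_hop_host(msg)
    if not domain or host is None:
        return False
    return not (host == domain or host.endswith("." + domain))


def triage(raw):
    """Apply the rules: no attachment is fine; an attachment must be signed,
    non-executable and consistent with its claimed sender to be 'plausible'."""
    msg = parse(raw)
    names = attachment_names(msg)
    executable = any(n.lower().endswith(tuple(EXECUTABLE_EXTENSIONS)) for n in names)
    signed = has_agreed_signature(msg)
    mismatch = sender_domain_mismatch(msg)
    if not names:
        verdict = "no attachment"
    elif executable or not signed or mismatch:
        verdict = "do not open"
    else:
        verdict = "plausible"
    return {"attachments": names, "executable": executable, "signed": signed,
            "sender_mismatch": mismatch, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("safe", SAFE_MAIL), ("worm", WORM_MAIL)):
        print(label, triage(raw))
```

A "plausible" verdict still only means the message passed the mechanical checks; the rule about announcing attachments in advance is the part no script can verify for you.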

But these rules, by themselves, are not enough to succeed in avoiding infection. Here are some slightly more effective and equally important User’s Rules for Internet Computing.

Basic Preventative Techniques

  1. Keep your operating system up to date—Patches

    At this time, the most explosive worms are aimed at the Lowest Common Denominator (LCD) user. There is no doubt that the single largest installed base of operating systems on the Internet today is Windows. Once exploited, a single Windows system becomes the catalyst which spreads the infection to other Windows machines. For several of these viral outbreaks, the simplest defense is to make a weekly visit to http://windowsupdate.microsoft.com and get your system scanned for missing security patches and Service Packs. And, for Pete’s sake, install those patches. Oh! Remember to reboot after they are applied. Many patches do not take effect until after the system has had a refreshing reboot!

  2. Install the Windows Update tool (Automatic Updates)

    (http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp)

    To make it even easier to stay patched, Microsoft offers the Windows Update tool from this site. Now, you may have heard arguments that automatically allowing this tool to patch your machine is foolish, either because many patches break systems or from the fear that your personal security is compromised by allowing Microsoft to automatically do anything to your system.

    These are reasonable concerns. But, so far, they haven’t been borne out, and as time goes on both assertions are, thankfully, losing validity. Service Packs for Windows systems are becoming incredibly reliable (I haven’t lost functionality due to a Service Pack in almost 3 years, with only a single exception. That’s much better than past experiences with Windows NT 4, when I could expect to lose 2-3 systems to a failed Service Pack installation).

    From the security aspect, vigilance is the only cure. You should always be suspicious of allowing any entity unrestricted access to your system. I, however, find it amazingly inconsistent that people automatically accept updated anti-virus files from their Anti-Virus vendor on a weekly basis but will not accept updated OS files from the OS vendor. If you’ve installed Kazaa on your system and you still have this attitude against Automatic Updates, you’re proving those bad-attitude administrators and Help Desk personnel to be correct. Tools like Kazaa install SpyWare and essentially turn your computer into a public-use distribution center for all manner of nasty code...and no one is asking your permission to do so after you installed the product. The same goes for IRC users. If you’re using IRC, you’ve educated yourself how to do so safely (I hope). To use either of these programs and not use Microsoft’s Automatic Updates because “You can’t trust Microsoft!!” is comedic.

  3. Using an old Operating System? Upgrade, by gum!

    Admittedly, if you’re working with the operating system issued to you by your IT shop, you’re stuck. If you’re on an old machine, you’re probably also stuck (assuming you prefer to stick with Windows). But if you have newer hardware and you’re running Windows 98, staying up to date on your system’s security is a much bigger challenge than if you’re running Windows XP.

    Yes, moving ahead costs you time and some money. But ask yourself this question: if you don’t update your system to keep up with the threats of the day, the odds of losing a system to a security exploit go up. Which is more likely: that you’ll have to clean or rebuild an old system damaged by a worm, or that you’ll have to fix or rebuild a system due to a faulty patch?

  4. Never, ever, connect a Windows system directly to the Internet

    Using a modem? Install a personal firewall. There are several available from a variety of vendors. McAfee (http://www.mcafee.com), Symantec (http://www.symantec.com) and a variety of other offerings are out there and go a long way toward shielding your system’s open ports and services from indiscriminate harvesting by worms and hackers. Another popular offering along this line is ZoneAlarm from ZoneLabs (http://www.zonelabs.com/store/content/home.jsp). Is your machine connected to the Internet by DSL, Cable or some other broadband provider? Use a hardware router instead of a software firewall.

    Little home networking routers are, by far, more reliable and robust devices, and they greatly complicate the matter of getting a worm onto a system or stealing information from it. Some broadband providers already have these firewall functions built into the equipment they install on the premises. Ask your provider if the device they installed provides firewalling. If it does, you’re covered. If it doesn’t, immediately shut your system down and get down to your favorite computer store to pick up one of these devices. Often, they cost the same or slightly more than the software variety of firewall. But, in addition to being much stronger solutions, they effectively firewall all the computers on your home network and, when they do fail, they fail in such a way that your systems are not reachable from the Internet. Software firewalls often fail in a much worse way, by completely shutting down and leaving your system completely exposed to the Internet. Keep in mind what a router does and doesn’t do for you: it drops unsolicited connections arriving from the Internet (exactly what a worm like MSBlaster needs), but it does nothing about code you invite in yourself by opening an attachment or installing a download, which is why the behavioral rules above still matter.

  5. Don’t assume the only way to get a virus or worm is via email

    If you made this assumption and hadn’t already followed Items 1-4, well, I’d be willing to bet that August 2003 was a little painful and embarrassing for you. The MSBlaster worm attacks a flaw which merely requires that your system be connected to the Internet with TCP port 135 (the RPC endpoint mapper) reachable and that your system be unpatched against Microsoft’s security bulletin MS03-026 (http://www.microsoft.com/security/security_bulletins/ms03-026.asp). No email required; the worm finds vulnerable machines by scanning for that port.

  6. You have Anti-Virus software installed? Good. Don’t trust it.

    I’ll admit this advice sounds strange, so let’s consider the statement in more depth. Anti-Virus software protects you only against known viruses. The so-called heuristic systems these tools use are essentially research tools. Heuristic Anti-Virus software is an attempt to predict that a file or process is viral in nature...and it often falsely identifies valid software as a virus. This is a ‘false-positive’ result, and a tool that cries wolf gets ignored or switched off, which leaves you no better off than not having Anti-Virus software at all.

    Also, consider that it often takes AV vendors a week to respond to a new virus, and that the response comes in one of two forms. First, in the usual case, the new signature simply goes into the anti-virus definition list which you pull down on a weekly basis, so you are unprotected until your next update. Second, in those instances where the vendors do release a special update, the update is often raw and unreliable. In fact, these updates are sometimes worse than the disease. I’ve had systems scrubbed so badly by these updates in the past that recovery of the system required reinstalling the operating system. The virus I was attempting to clean at the time carried no system-damaging payload. Therefore, I feel safe in laying all the blame for a destroyed system with the Anti-Virus tools.

    Again, remember that Anti-Virus products only reliably protect you from known viruses and probably not this week’s worm. Don’t abandon personal judgment to the idea that “I’m not worried. McAfee is installed and will catch any new virus!”

  7. Using a Macintosh? Linux? Don’t assume you’re safe

    I know, I know, the argument is that Linux and the Mac simply aren’t vulnerable to hacks, worms and viruses. That argument is completely false. Let me say that again: Macintoshes, Linux machines, UNIX variants and mainframes are all vulnerable to hacks. Some are easier than others, and none will prove to be any more difficult to exploit than a Windows system.

    Before you burn me in effigy (or stick pins in that little doll), consider these points. The first Internet worm, in 1988, was executed against UNIX machines. It doesn’t matter whether you believe more security exploits are identified against Linux systems than Windows systems every month. The default installs of a Red Hat Linux system, until recently, enabled more exploitable Internet services than Windows boxes, and most had no business being exposed to the Internet. Can you think of a reason for most Linux boxes to expose LPR (the lpd printing service, on TCP port 515) to anyone on the Internet? I can't either.

    Net result? All systems are vulnerable. Assuming otherwise is safe only in the immediate future, and it is an assumption carrying increasing risk. When, or if, Windows is displaced by some other system as the majority installed base amongst computer users, we’re likely to see the number of attacks against these other systems rise dramatically.

    You’re on a Macintosh and think you’re safe? Well, if you’re running OS 9 or earlier, this is probably a safe assumption, since you’re a smaller target in the mind of most virus authors. Those of you running OS X, however, may find yourselves rudely awakened one day. OS X is built upon a BSD-derived UNIX core, and it inherits the UNIX services and the UNIX classes of bugs along with it. Someday the momentum will change and your system may be the next default target.

  8. “I don’t use Outlook for email. I am, therefore, immune to these attacks.”

    This is another dangerous assumption, and it’s working against us today. First, as explained in item 5, sometimes email isn’t the vector in use for a viral exploit. MSBlaster and Welchia don’t use your email program. They don’t need it, since they exploit the RPC service directly over the network.

    If you’ve kept your Office applications patched then you haven’t really been vulnerable to an Outlook exploit in a couple of years. Go back and look at the email exploits executed in that time and you’ll see that darned few of the most successful worms required Outlook.

    In fact, the fastest-spreading email virus to date, SoBig.F, doesn’t care what your email app is at all. It only requires support for attached files, which makes Lotus Notes, Eudora, Outlook, Netscape, and so on equally vulnerable. How? Because SoBig only requires you and Windows in order to succeed. It relies only marginally on social engineering (convincing a user to make a poor choice) and depends heavily on wringing as much as it can out of each machine on which it executes, harvesting every address it can find on the disk and mailing itself out with its own SMTP engine. In other words, fewer people need to activate the worm in order to make the same size mess on the Internet. And in not a single instance was an email application required to automatically fire the worm up. Only computer users launched this worm directly!

    All the evidence about SoBig points to it being a research project. The engineer (yes, this studious approach to the problem of propagating a worm deserves the title) creating this worm and evolving it over time is learning based on the responses of both the computer users and the machines infected. Personally, I’d be thrilled if we could make that bit of learning a little more difficult for that worm author.
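    Items 5 and 8 above describe the MSBlaster path: a sweep for TCP port 135, the exploit against the unpatched RPC service (MS03-026), a command shell on TCP 4444 on the freshly exploited host, and a TFTP (UDP 69) fetch of the worm body from the attacking machine. The script below is an added example, not from the article or from MouseTrax, that picks those stages out of firewall log lines so you can answer the question "do I know how to tell?" for this worm. The log format, every address and the thresholds are constructed for the example; adapt parse_line() to whatever your router or firewall actually writes.

```python
"""Spot MSBlaster-style propagation in firewall logs.

Added example, not from the article.  The log format and all addresses
are constructed; only the ports are the worm's documented ones.
"""
import ipaddress
import re
from collections import defaultdict

RPC_PORT = 135     # RPC endpoint mapper: the service MS03-026 patches
SHELL_PORT = 4444  # Blaster's command shell on the freshly exploited host
TFTP_PORT = 69     # the victim fetches the worm body from the attacker over TFTP

# Constructed log lines in a simple key=value style (not any real product's format).
# 10.0.0.5 sweeps 10.0.1.1-8 on port 135, opens the 4444 shell on 10.0.1.3, and
# 10.0.1.3 then fetches the worm body back from 10.0.0.5 over TFTP.  The last two
# lines are ordinary traffic: one RPC connection to a server, one web request.
SAMPLE_LOG = """\
2003-08-12 10:01:02 PROTO=TCP SRC=10.0.0.5 DST=10.0.1.1 DPT=135 FLAGS=SYN
2003-08-12 10:01:02 PROTO=TCP SRC=10.0.0.5 DST=10.0.1.2 DPT=135 FLAGS=SYN
2003-08-12 10:01:02 PROTO=TCP SRC=10.0.0.5 DST=10.0.1.3 DPT=135 FLAGS=SYN
2003-08-12 10:01:03 PROTO=TCP SRC=10.0.0.5 DST=10.0.1.4 DPT=135 FLAGS=SYN
2003-08-12 10:01:03 PROTO=TCP SRC=10.0.0.5 DST=10.0.1.5 DPT=135 FLAGS=SYN
2003-08-12 10:01:03 PROTO=TCP SRC=10.0.0.5 DST=10.0.1.6 DPT=135 FLAGS=SYN
2003-08-12 10:01:04 PROTO=TCP SRC=10.0.0.5 DST=10.0.1.7 DPT=135 FLAGS=SYN
2003-08-12 10:01:04 PROTO=TCP SRC=10.0.0.5 DST=10.0.1.8 DPT=135 FLAGS=SYN
2003-08-12 10:01:05 PROTO=TCP SRC=10.0.0.5 DST=10.0.1.3 DPT=4444 FLAGS=SYN
2003-08-12 10:01:06 PROTO=UDP SRC=10.0.1.3 DST=10.0.0.5 DPT=69
2003-08-12 10:02:00 PROTO=TCP SRC=10.0.0.7 DST=10.0.0.1 DPT=135 FLAGS=SYN
2003-08-12 10:02:01 PROTO=TCP SRC=10.0.0.8 DST=192.0.2.10 DPT=80 FLAGS=SYN
"""

LINE_RE = re.compile(
    r"PROTO=(?P<proto>TCP|UDP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (proto, src, dst, dport) for a log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["proto"], m["src"], m["dst"], int(m["dpt"])


def longest_consecutive_run(addrs):
    """Length of the longest run of numerically consecutive IPv4 addresses.

    Blaster walks addresses sequentially, so a long run is stronger evidence
    than the same number of scattered port-135 connections would be.
    """
    nums = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def summarize(lines):
    """Per source host: distinct 135 targets, scan run length, and the 4444/TFTP stages."""
    rpc_targets = defaultdict(set)
    shell_clients = set()  # hosts that connected to 4444 somewhere
    tftp_servers = set()   # hosts that answered a TFTP request (the attacker side)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, dport = rec
        if proto == "TCP" and dport == RPC_PORT:
            rpc_targets[src].add(dst)
        elif proto == "TCP" and dport == SHELL_PORT:
            shell_clients.add(src)
        elif proto == "UDP" and dport == TFTP_PORT:
            tftp_servers.add(dst)
    hosts = set(rpc_targets) | shell_clients | tftp_servers
    return {
        h: {
            "rpc_targets": len(rpc_targets.get(h, ())),
            "longest_run": longest_consecutive_run(rpc_targets.get(h, ())),
            "shell_4444": h in shell_clients,
            "served_tftp": h in tftp_servers,
        }
        for h in hosts
    }


def blaster_suspects(lines, min_targets=8):
    """Hosts that look infected: a sequential 135 sweep, or any 135 probing
    followed by the shell/TFTP stages.  min_targets is a constructed threshold."""
    out = {}
    for host, s in summarize(lines).items():
        sweep = s["rpc_targets"] >= min_targets and s["longest_run"] >= min_targets // 2
        follow_through = s["shell_4444"] or s["served_tftp"]
        if sweep or (s["rpc_targets"] > 0 and follow_through):
            out[host] = s
    return out


if __name__ == "__main__":
    for host, s in blaster_suspects(SAMPLE_LOG.splitlines()).items():
        print(host, s)
```

    A single connection to port 135 is normal on a Windows network (RPC is used legitimately all day long), which is why the script keys on the sweep across consecutive addresses and on the follow-through stages rather than on port 135 alone. A router or firewall that blocks inbound 135 from the Internet, per item 4, stops the first stage before it starts; this log check is for finding the machine on your own network that is already doing the sweeping.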

The Nature of the Internet is to change

And there’s no doubt that it will continue to do so. Accepting that reality, we can conclude that the only things more exploitable than our machines are us, and therefore that the first thing to do in an effort to make ourselves immune to these threats is to change the way we think about using the Internet. Actively pursue changes to your habits. Change the way you think about computer security. Make fewer assumptions. Create basic guidelines for your behavior to build new habits. Other people will then more easily know whether to trust that message which claims to be from you.

Next, change your habits about your computers and their maintenance. Protect them with firewalls; patch them. Stop using weak logic to rationalize your computing choices. Actually think about how the machine is used and how it is behaving in public. Have you adequately protected the system? Are those protections working, or have they been compromised? Do you know how to tell?

Following the behavioral guidelines and acting upon the basic system guidelines described in this article will substantially reduce your exposure to exploits. This is good for everyone and, while Yahoo may never get around to actually thanking you for not becoming one of the next infected hosts that attacks their network, it will be appreciated all around the Internet.


Important Update!
Shortly after this article was published, Greg posted yet another free, and extremely useful, utility to MouseTrax Downloads. As he recently explained on NTBugTraq and Lockergnome:

"There are network managers all over the world who are actively engaged in patching their Windows systems... again. And there are many home networks that have been alive as attack vectors in recent times. All of them face a common problem in updating their machines. Microsoft has done a pretty good job of providing the patches and, sometimes, in providing tools to help identify machines in need of attention. However, the output of these tools is often not quite refined enough to allow technicians to locate the machines since that output is in the form of an IP address, and Windows networks are usually not organized by that data.

"To help [overcome] that problem, I've written a simple Windows Script Host / VBScript which produces a log based on Microsoft's scanning tool output. All you have to do is point the script to that list file and turn it loose. The data is returned in CSV format and contains the system's IP address, NetBIOS (or Windows Network) name and its MAC address."

Greg has received numerous kudos for this valuable tool. If you need to track systems on a large corporate network or a small home one, I'm sure you'll quickly realize you need to add this tool to your arsenal!

 
