The last two weeks have allowed me less than the required
allotment of sleep time due to some highly effective security exploits. But
unlike most computer pundits you’ve been listening to recently, I’m
not going to lay the blame completely at the feet of software vendors. Granted,
some of the holes exploited by the worms and viruses are simply inexcusable
(there is NO acceptable explanation for a body of code experiencing a buffer
overflow, the basic method used by the MSBlaster worm). And some of those vendors,
the anti-virus vendors in particular, are guilty of indefensible claims that
they could have prevented these outbreaks. They couldn’t, of course, since
their products are extremely inefficient at predicting the presence of a viral
body and only effectively protect your system from known infection types. But,
by far, the single greatest flaw which has allowed these worms to run rampant
has been the ignorance of you and me, the body of users from whose machines these
During this rush to patch and shut down infected systems, I’ve again
run across another phenomenon which never fails to astonish me. It comes from
administrators and help desks and it is highly offensive: "Users are too
stupid to learn how to protect themselves, to clean their own infected systems,
and to follow simple directions." Of course, the assertion is based on
singular events in their careers and is applied generally to the user base.
The attitude also has a huge foundation in laziness.
I’d like to attack each one of those points and win completely. In order
to do that, I’ll lay out the basics of how you, the user, can modify your
behavior and succeed in the battle against worms, Trojans and viruses despite
those insulting barriers thrown up by the folks who are paid to help you.
Some of these suggestions are highly controversial amongst the more religious
computer users. For those folks, please, just follow along and consider things
along a subjective line.
Let’s Start by Modifying Our Behavior
These are the simplest rules to follow:
- In your email application, create a signature and use it. Most
worms do not create a new message which uses your signature.
- Make sure all your correspondents know you use a signature and why you
want them to know it (if you get email from me that has an attachment and
there is no signature, do not open the attachment!).
- Always warn your recipients that you’re going to send them
an attachment before actually sending it. Doing this means they don’t
have to guess whether the attachment that comes on the next message is infected.
- Do not assume that the infected mail actually came from firstname.lastname@example.org.
2001 saw the first email virus in which the originator address was spoofed.
And, as a result, I have some highly educated, but foolish, in-laws who still
believe my machine was infected and sent them a virus. They were socially
engineered, I wasn’t. I’m not too upset, though, that they have
my domain blocked. They had another bad habit and haven’t learned any
better that they really shouldn’t forward all those chain emails, etc.
(see Dian’s “Please Forward This to Everyone You Know!!” article).
I’m a little thankful to not get email from them anymore.
- Oh, yeah! Don’t make a habit of forwarding mail to huge volumes
of recipients. Suddenly, doing so makes you as poorly behaved as most viruses.
I already know that the little boy in the bubble message is a hoax.
- Check every scary message as a hoax until you know better. Suddenly
getting mail from the long lost son-in-law of the President of some forgotten
African nation? Still worried about the bubble boy? How about HIV infected
needles or tabs of LSD in the coin return slot of a public telephone (geez,
those things still exist?). Learn about Internet Hoaxes at HOAXBUSTERS (http://hoaxbusters.ciac.org/). This is
a federally funded site (U.S. Department of Energy) with a wealth of information
about hoaxes that just won’t die.
- Subscribe to a security mailing list or visit security sites. SecurityFocus.com,
NTBugTraq.com, itsecurity.com, The Computer Emergency Response Team (CERT)
of Carnegie-Mellon University (http://www.cert.org) ...all are excellent sources
of information about current threats and techniques by which to mitigate today’s
hot Internet threats.
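The signature rule above can be applied mechanically: a message that carries an attachment but lacks the signature you agreed with that correspondent is held for a look instead of opened, and because the check keys on the body rather than the From header, a worm that spoofs a known sender still trips it. This is an added illustration, not code from the article; the signature table, addresses and sample messages are constructed for the demo.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Signatures agreed with each correspondent out of band (constructed sample data).
KNOWN_SIGNATURES = {
    "alice@example.com": "--\nAlice\nsent from my own keyboard",
}


def build_message(sender: str, body: str, attach: bool = False) -> bytes:
    """Construct a sample message for the demo (fixture, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: details"
    msg.set_content(body)
    if attach:
        # Constructed stand-in payload; the worms of the day mailed .pif/.scr files.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="details.pif")
    return msg.as_bytes()


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of every attachment part; empty for single-part mail."""
    return [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]


def body_text(msg: EmailMessage) -> str:
    """Decoded text/plain body, or '' if the message has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def classify(raw: bytes) -> str:
    """'ok' when the attachment rule is satisfied, 'suspect' when it is not.

    The From header is not trusted by itself: a message that claims to come
    from a known correspondent but lacks the agreed signature is flagged,
    which is exactly the spoofed-sender case the article describes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not attachment_names(msg):
        return "ok"                     # the rule is only about attachments
    sender = parseaddr(msg.get("From", ""))[1].lower()
    expected = KNOWN_SIGNATURES.get(sender)
    if expected is None:
        return "suspect"                # attachment from someone with no agreed signature
    if expected in body_text(msg):
        return "ok"                     # attachment accompanied by the agreed signature
    return "suspect"                    # attachment but no signature: worm-like
```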
But these rules, by themselves, are not enough to succeed in avoiding infection.
Here are some slightly more effective and equally important User’s Rules for
Basic Preventative Techniques
- Keep your operating system up to date—Patches
At this time, the most explosive worms are aimed at the Lowest Common Denominator
(LCD) user. There is no doubt that the single largest installed base of
operating systems on the Internet today are Windows based systems. Once
exploited, a single Windows system becomes the catalyst which spreads the
infection to other Windows machines. For several of these viral outbreaks,
the simplest thing to do is to make a weekly visit to http://windowsupdate.microsoft.com
and get your system scanned for missing security patches and Service Packs.
And, for Pete’s sake, install those patches. Oh! Remember to reboot
after they are applied. Many patches do not take effect until after the
system has had a refreshing reboot!
- Install the Windows Update tool (Automatic Updates)
To make it even easier to stay patched, Microsoft offers the Windows Update
tool from this site. Now, you may have heard arguments to the effect that
automatically allowing this tool to patch your machine is foolish because
many patches break systems or from the fear that your personal security
is compromised by allowing Microsoft to automatically do anything to your
These are valid concerns. But, so far, they aren’t accurate. In fact,
as time goes on, both assertions are, thankfully, losing validity. Service
Packs for Windows systems are becoming incredibly reliable (I haven’t
lost functionality due to a Service Pack in almost 3 years with only a single
exception. That’s much better than past experiences with Windows NT
4 when I could expect to lose 2-3 systems to a failed Service Pack installation).
From the security aspect, vigilance is the only cure. You should always
be suspicious of allowing any entity unrestricted access to your system.
I, however, find it amazingly inconsistent that people automatically
accept updated anti-virus files from their Anti-Virus vendor on a weekly
basis but will not accept updated OS files from the OS vendor. If you’ve
installed Kazaa on your system and you still have this attitude against
Automatic Updates, you’re proving those bad-attitude administrators
and Help Desk personnel to be correct. Tools like Kazaa install SpyWare
and essentially turn your computer into a public use distribution center
for all manner of nasty code...and no one is asking your permission to do
so after you installed the product. The same goes for IRC users. If you’re
using IRC, you’ve educated yourself on how to do so safely (I hope).
To use either of these programs and not use Microsoft’s Automatic
Updates because “You can’t trust Microsoft!!” is comedic.
- Using an old Operating System? Upgrade, by gum!
Admittedly, if you’re working with the operating system issued you
by your IT shop, you’re stuck. If you’re on an old machine,
you’re probably also stuck (assuming you prefer to stick with Windows).
But if you’ve newer hardware and you’re running Windows 98,
your job of staying up to date on your system’s security is a much
bigger challenge than if you’re running Windows XP.
Yes, moving ahead costs you time and some money. But ask yourself this
question: If you don’t update your system to keep up with the threats
of the day, the odds of losing a system to a security exploit go up. Which
is more likely: you’ll have to clean or rebuild an old system damaged
by a worm –OR- you’ll have to fix or rebuild a system due to
a faulty patch?
- Never, ever, connect a Windows system directly to the Internet
Using a modem? Install a personal firewall. There are several available from
a variety of vendors. McAfee (http://www.mcafee.com), Symantec (http://www.symantec.com) and a variety of
other offerings are out there and go a long way toward shielding your system’s
open ports and services from indiscriminate harvesting by worms and hackers.
Another popular offering along this line is from ZoneLabs (http://www.zonelabs.com/store/content/home.jsp)
called ZoneAlarm. Is your machine connected to the Internet by DSL, Cable or
some other broadband provider? Use a hardware router instead of a soft firewall.
By far, little home networking routers are much more reliable, robust devices
and greatly complicate the matter of getting a worm onto a system or stealing
information from it. Some broadband providers already have these firewall
functions built into the equipment they install on the premises. Ask your
provider if the device they installed provides firewalling. If it does, you’re
covered. If it doesn’t, immediately shut your system down and get down
to your favorite computer store to pick up one of these devices. Often, they
cost the same or slightly more than the software variety of firewall. But,
in addition to being much stronger solutions, they effectively firewall all
the computers on your home network and, when they do fail, they fail in such
a way that your systems are not reachable from the Internet. Software firewalls
often fail in a much worse way by completely shutting down and leaving your
system completely exposed to the Internet.
- Don’t assume the only way to get a virus or worm is via email
If you made this assumption and hadn’t already followed Items 1-4,
well, I’d be willing to bet that July, 2003 was a little painful and
embarrassing for you. The MSBlaster worm executes against a flaw which merely
requires that your system be connected to the Internet with port 135 open
and that your system is unpatched against Microsoft’s security alert.
No email required.
- You have Anti-Virus software installed? Good. Don’t trust it.
I’ll admit this advice sounds strange so let’s consider the
statement in more depth. Anti-Virus software protects you only against known
viruses. The so-called Heuristic systems these tools use are essentially
research tools. Heuristic Anti-Virus software is an attempt to predict that
a file or process is viral in nature...and it often falsely identifies valid
software as a virus. This is a ‘false-positive’ result and is
as useless to you as not having Anti-Virus software.
Also, consider that it often takes AV vendors a week to accomplish two
key things in combating a new virus. First, they only update the anti-virus
definition list which you update your system with on a weekly basis. Second,
in those instances where the vendors do release a special update, the update
is often raw and unreliable. In fact, these updates are sometimes worse
than the disease. I’ve had systems scrubbed so badly by these updates
in the past that recovery of the system required reinstalling the operating
system. The virus I was attempting to clean at the time carried no system
damaging payload. Therefore, I feel safe in laying all the blame for a destroyed
system with the Anti-Virus tools.
Again, remember that Anti-Virus products only reliably protect you from
known viruses and probably not this week’s worm. Don’t abandon
personal judgment to the idea that “I’m not worried. McAfee
is installed and will catch any new virus!”
- Using a Macintosh? Linux? Don’t assume you’re safe
I know, I know, the argument is that Linux and the Mac simply aren’t
vulnerable to hacks, worms and viruses. And it’s completely false.
Let me say that again: Macintoshes, Linux machines, UNIX variants and mainframes
are all vulnerable to hacks. Some are easier than others and none will prove
to be any more difficult to exploit than a Windows system.
Before you burn me in effigy (or stick pins in that little doll), consider
these points. The first Internet worm was executed against UNIX machines.
It doesn’t matter if you believe more security exploits are identified
against Linux systems than Windows systems every month. The default installs
of a Red Hat Linux system, until recently, enabled more exploitable Internet
services than Windows boxes and most had no business being exposed to the
Internet. Can you think of a reason for most Linux boxes to expose LPR (a
printing protocol) to anyone on the Internet? I can't either.
Net result? All systems are vulnerable. Assuming otherwise is safe only
in the immediate future and definitely an assumption carrying increasing
risk. When, or if, Windows is displaced by some other system as the majority
installed base amongst computer users, we’re likely to see the number
of attacks against these other systems rise exponentially.
You’re on a Macintosh and think you’re safe? Well, if you’re
running OS 9 or earlier, this is probably a safe assumption since you’re
a smaller target in the mind of most virus authors. Those of you running
OS X, however, may find yourself rudely awakened one day. OS X is built
upon BSD, a UNIX variant. Someday the momentum will change and your system
may be the next default target.
- “I don’t use Outlook for email. I am, therefore, immune to
This is another dangerous assumption and it’s here working against
us today. First, as explained in item 5, sometimes email isn’t the
vector in use for a viral exploit. MSBlaster and Welchia don’t use
your email program. They don’t need it since they rely on other system
If you’ve kept your Office applications patched then you haven’t
really been vulnerable to an Outlook exploit in a couple of years. Go back and
look at the email exploits executed in that time and you’ll see that
darned few of the most successful worms required Outlook.
In fact, the fastest spreading email virus to date, SoBig.f, doesn’t
care what your email app is at all. It only requires support for attached
files which makes Lotus Notes, Eudora, Outlook, and Netscape, ad infinitum,
equally vulnerable. How? Because SoBig only requires you and Windows in
order to succeed. It succeeds only marginally through social engineering
(convincing a user to take some poor choice) and depends heavily on more
fully exploiting each machine upon which it executes. In other words, fewer
people need to activate the worm in order to make the same size mess on
the Internet. And in not a single instance was an email application required
to automatically fire the worm up. Only computer users launched this worm
All the evidence about SoBig points to it being a research project. The
engineer (yes, this studious approach to the problem of propagating a worm
deserves the title) creating this worm and evolving it over time is learning
based on the responses of both the computer users and the machines infected.
Personally, I’d be thrilled if we could make that bit of learning
a little more difficult for that worm author.
The Nature of the Internet is to change
And there’s no doubt that it will continue to do so. Accepting that reality,
we can conclude that the only things more exploitable than our machines are
us. We can conclude, then, that the first thing to do in an effort to make
ourselves immune to these threats is to change the way we think about using
the Internet. Actively pursue changes to your habits. Change the way you think
about computer security. Make fewer assumptions. Create basic guidelines for
your behavior to create new habits. Other people will more easily know whether
to trust that message which claims to be from you.
Next, change your habits about your computers and their maintenance. Protect
them with firewalls, patch them. Stop using weak logic to rationalize your
computing choices. Actually think about how the machine is used and how it
is behaving in public. Have you adequately protected the system? Are those
protections working or have they been compromised? Do you know how to tell?
Following the behavioral guidelines and acting upon the basic system guidelines
described in this article will easily reduce your exposure to exploits. This
is good for everyone and, while Yahoo may never get around to actually thanking
you for not becoming one of the next infected hosts that attacks their network,
it will be appreciated all around the Internet.
Shortly after this article was published, Greg posted yet another free, and
extremely useful, utility to MouseTrax
Downloads. As he recently explained in NT
Bug Traq and Lockergnome:
"There are network managers all over the world who are actively engaged
in patching their Windows systems... again. And there are many home networks
that have been alive as attack vectors in recent times. All of them face a
common problem in updating their machines. Microsoft has done a pretty good
job of providing the patches and, sometimes, in providing tools to help identify
machines in need of attention. However, the output of these tools is often
not quite refined enough to allow technicians to locate the machines since
that output is in the form of an IP address, and Windows networks are usually
not organized by that data.
"To help [overcome] that problem, I've written a simple Windows Script
Host / VBScript which produces a log based on Microsoft's scanning tool output.
All you have to do is point the script to that list file and turn it loose.
The data is returned in CSV format and contains the system's IP address, NetBIOS
(or Windows Network) name and its MAC address."
Greg has received numerous kudos for this valuable tool. If you need to track
systems on a large corporate network or a small home one, I'm sure you'll quickly
realize you need to add this tool to your arsenal!