Mar 17 2018, updated info on Secunia PSI and added Patch My PC and Belarc Advisor links; Added EMET info August 21; Updated and revised August 8, 2015, some extra content and links; July 2015, cleaned up numerous dead links.
So you spent hundreds, perhaps thousands of dollars on your computer and software. How well is it protected from viruses, trojans, worms and internet hacking? Do you assume your operating system, software and personal information are secure? Do you think the threat from hackers isn't that great?
Well, it is. My firewall's logs will attest to that, as will the logs of many others. Since August 2003, the amount of internet traffic at the average home PC has increased dramatically. Many of those port probes are from computers infected with malware (malicious software) looking for others to infect, or computers looking for other infected machines to do ill with. In 2008, infecting web sites is on the rise as the favoured way for the bad guys to spread their malware. More on that is detailed further on. In the "old days" most malware was written by "hobbyists" - today, it's organized crime. InformIT has a brief history on their site.
A report from silicon.com (no longer available) notes that more than 43,000 new variants of malicious remote control software were found in the first half of 2006. It said in the report: "Attackers, with financial gain in mind, are clearly concentrating a significant amount of development focus on this category of malware." The situation is not improving. F-Secure notes that as of February 12, 2008, they are adding over 1,300 detections a day. At that rate, they expect one million or more by the end of 2008.
Thousands of computers all over the world have been compromised, and their owners don't even know. According to this article from USA Today, "...as many as 47 million of the 681 million PCs connected to the Internet worldwide may be under the control of a bot network." Are you one of them? Botnets are big business now, and they are up to no good. For a chilling look at their power, read Attack of the Bots from wired.com.
The average "survival time" of an unpatched Windows PC is in the 16 to 25 minute range. This is the length of time before that computer will be infected with one of the many worms that still flourish on the internet. These worms and trojans persist because there are still computers on the internet that aren't protected. Protected means having a firewall, an operating system updated with the latest patches, and a good anti-virus program using the latest virus definitions available.
In a three hour period in November 2003, my firewall logged 280 inbound attempts to connect to my computer. On August 31, 2004, there were over 1000 in 90 minutes. The average from September 2004 to November 2004 is 991 per day*. A few years ago, I averaged less than 20 in a 24 hour period.
On November 29, 2004, USATODAY.com ran an article that fully illustrates this point. It's definitely worth a read. 2004-11-29-honeypot_x.htm Read it and cringe...
In early 2005 something called "DNS Cache Poisoning" began making the rounds. (A good overview of what DNS is can be found here.) A few internet DNS servers were affected by this. The result was that some people were directed to a website that dumped malware on their computers, instead of the intended website. Read the article from SecurityFocus here.
Hackers are getting more sophisticated, just as fast as the operating systems and anti-virus software are. Software companies scramble to patch security vulnerabilities as they are discovered, hoping that they are a step ahead of the malicious hackers. Sometimes they aren't, and don't find out about the vulnerability until a hacker has exploited it.
You can protect yourself. Self-education is a very good start, and some excellent software is available to help you - some of it is even free.
It is very important to have a good anti-virus (AV) program. Don't be cheap - you spent good money on your computer, you should be willing to spend a few bucks to keep it safe. It is also essential to keep your AV software up-to-date with the latest virus definitions. This should be done no less than weekly, if not daily.
AV software depends on a database of virus definitions to keep your computer safe. Most AV programs have the ability to download the latest virus definitions and update themselves. You can usually set the scheduling of this feature. Good AV software will recognize and stop virus-like activity, but only once the virus is running. But by then some damage has possibly occurred. If you have the latest virus definitions, then the chance of this is reduced.
As new types of threats evolve, so does AV software. The use of rootkits is on the rise, and older versions of AV software may not be able to detect them. Seriously consider upgrading to the newest AV software, preferably one that can detect rootkits. Most if not all good security products have this capability.
If you are running Windows, install the Enhanced Mitigation Experience Toolkit - EMET. EMET will "...detect and block exploitation techniques that are commonly used to exploit memory corruption vulnerabilities. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software." Download it, install it, run it with recommended settings.
There are free online virus scans available, which some people I know use instead of an AV program on their computer. This is like locking the barn door after the horse has left the building. Online scans will not prevent a virus, trojan or worm from infecting your computer. All they can do is try to clean up the mess it left behind. Be proactive, not reactive: acquire and install anti-virus software on your computer.
Symantec, Kaspersky and McAfee are among the most popular AV programs. AVG offers a free version of their AVG Anti-Virus software, but there are a few catches, like no technical support. Trend Micro is another. VirusTotal has a large listing of anti-virus products (and links to their corresponding websites at https://www.virustotal.com/en/about/credits/
Most of all, be very cautious. Don't be the first person to be infected with a brand-new, undiscovered virus! The fact your AV software found no virus in that email doesn't mean it's guaranteed safe. Do not open email messages or attachments that are even remotely suspicious. Even if it's from someone you know. To be on the safe side, email or call them and find out if they sent you that email on purpose.
Many viruses spread by using the address book on the victim's computer to email itself to others. The latest generation of viruses also scan other files on your computer, including your email inbox and your browser's cache; if it finds an email address, it will use it. If the email is from an unknown person, be safe, not sorry - just delete it without opening it.
You can help prevent the spread of viruses and spam by doing two simple things. Whenever you forward that funny joke email to all your friends and family, delete all the email addresses that show in the email. When you send it, don't use the "To" field to address it - use the "BCC" (blind carbon copy) field instead. Then delete that email from the "Sent" folder.
Most virus writers play on the fact people are curious. An enticing subject line, attachment name, or some other curiosity grabber. Some try to exploit the trusting. A recent version of the Netsky worm adds a line at the end of the email saying the attachment has been certified virus-free by the New Norton Online Scan, and includes the URL to Symantec's Web Site. Like Fox Mulder said, TRUST NO ONE.
Be suspicious of even legitimate-looking emails. Now and then emails go around claiming to warn of a vulnerability in the operating system (usually Windows, but also including MAC OS and Linux), and provide either a link to download a patch to fix it, or an attachment. The vulnerability is always a hoax. The patch is 99.99% likely malware...
To be really safe, disable the ability to read HTML email and use plain text instead. Plain text is rather boring to look at, but a lot safer.
Not all viruses are spread by email, however. Many come from the internet, knocking directly on your computer's internet ports. There are 65,535 ports on your computer. You need to know if your computer is answering any of those knocks... especially if Windows file-sharing is turned on. If a scanner sees one port at your IP address, then it knows there is a computer there. You may then be the target of an attack that attempts to exploit vulnerabilities in your operating system, possibly enabling infection, and even opening a "back door" on your PC.
Another source of infection can be a web page. This is becoming a favoured method for the bad guys to infect computers. November 2004 saw several websites hacked; malicious code was inserted to exploit a known vulnerability in Internet Explorer, and in turn it allowed malicious code to be downloaded and run on the infected machines. (Microsoft released a patch for that around December 1, 2004. It's available at the Windows Update site.) Attacks on web sites occur with alarming frequency - MySpace has had it's share of issues, as have php-based bulletin boards, and many others. 2008 has seen an alarming number of otherwise "trusted" websites compromised. The Register has an article on a recent outbreak. SophosLabs notes their scanners identify a new infected web page every 14 seconds. Minimize your risk, and keep all your software up-to-date with all the patches. US-CERT has detailed information on how to help secure your web browsers.
Many of these malicious web sites attempt to exploit vulnerabilities on your computer, which can be aimed at the browser itself, or plugins it uses. These include such items as Flash players, Java, Adobe's Acrobat Reader, Winamp, QuickTime or RealPlayer media players. One can disable plugins, but making sure you have the latest, patched versions is wise. Other types of software, such as Skype and instant messaging programs, can also be targeted. Secunia used to have a free program for this, but after Flexera took over, it was eventually scuttled. You can still keep most of your applications updated with Patch My PC. The site's description says, "Patch My PC Updater is a free, easy-to-use program that keeps over 300 apps up-to-date on your computer. It is an easy way to update or install any of these programs on to your computer." Another product to keep you up-to-date is Belarc Advisor.
A hacked website isn't the only source of malware. Some websites purposely plant bugs on their pages. So be careful where you surf! That cute screensaver you just found on a website may be giving you more than you bargained for. You can help minimize your risk with free add-on's, such as WOT or McAfee's SiteAdvisor. All are available free for Internet Explorer and Firefox.
Peer-to-peer file-sharing software like Kazaa and all the others are another source for trojans and other malware. A good number of today's bugs are designed to spread using your file-sharing software. When run on your machine, the malware will put a copy in the share folder, giving it an enticing name to get others to download it. A description of one such worm can be seen here at Symantec's site. If you were thinking of getting some free, cracked security software from a file-sharing network, you may want to reconsider and get it legitimately...
If you are a broadband user (cable, DSL) then consider "pulling the plug" and disconnecting when you're not actively using the internet. Better yet, turn off the computer, too. If it's not hooked up and on, they can't get you. But be sure to do all your software updates and patching once you're connected again.
Important Note: More than a few trojans and other bugs rely on Microsoft software and it's vulnerabilities to infect a computer. Consider using an alternative web browser and email client, such as Opera, or Firefox, among others.
As mentioned previously, malware can be delivered to your computer without using email. Some infects computers directly from the internet. There are several sites that offer free port scans to test your computer's vulnerability. Two are mentioned here:
at grc.com tests your
computer's vulnerability to internet hackers. Run one or more of the
various port scans, and it will tell you just how secure your computer is.
You may be surprised at the results. This site also has a free utility you
can download to test a firewall's ability to stop unwanted outbound
internet traffic, such as from a trojan or worm. Look for the "Leak
- Symantec has a
very good online scanning service. Visit their Security
Check page, which will let you run a virus scan as well as an internet
security scan. It scans for web browser vulnerabilities as well as open
ports. Note that if you are still using Windows 95, (and why would you be at this date??) you will be unable to
use either of these services. Try Shields
UP! instead (and consider upgrading to Windows 7, at least.).
If your port probe results didn't all come back as "Stealth" then you need a firewall.
ZoneAlarm has a free version of their ZoneAlarm firewall software. ZoneAlarm is one of the best rated firewall programs available. It not only protects you from incoming threats, but it protects from unwanted outgoing internet traffic. If you picked up a trojan that tries to call home to it's master, ZoneAlarm will alert you before the connection is allowed. There are a few downsides to the free price. The annoying splash screen that comes up when you start your computer is one. (The splash screen disappears if you purchase ZoneAlarm Pro.) The other is a lack of extra features that some people may find useful.
Hardware firewalls are also quite effective. A good cable/DSL router will provide protection from unwanted intruders. Linksys, Netgear, and D-Link are a few of the manufacturers to check out. If you have a local area network (LAN) set up at home, then a router will definitely be of interest, as you can simultaneously share one internet connection among two to four (or more) computers.
The downside to these hardware firewalls is that they generally don't prevent outbound traffic based on the program that wants access. You can completely enable or disable an entire computer's access, but you can't set software permissions.
If you use a router, change the router's default password to one of your own. An article from Symantec's Weblog explains why: Drive-by Pharming in the Wild
Bear in mind that wireless routers have their own security problem... so to be safe, get the old-fashioned kind that uses wires. It is possible for people to drive by your house with a mobile scanner and tap in to your wireless connection unless you take steps to secure it. Check with the manufacturer for details.
Windows 95, 98, ME, 2000, and XP users should realize that most software companies no longer design software with these Windows versions in mind. Get a hardware firewall for the best protection. Of course, upgrading to a newer version of Windows is also a good idea, as Microsoft no longer supports Windows 95 through to XP and provides no patches for vulnerabilities. Limited XP support is available only if you pay for it.
Malware targets other things besides Windows computers - Mac, Linux, Android devices, iPhones and iPads. Get malware protection for those, too. Most larger AV companies offer it, such as Norton, McAfee, TrendMicro (Mac, Android, iOS devices), F-Secure (Mac and Android), and others. If you're too cheap to buy it, Sophos has free protection available for MAC, Android, and Linux. Yes, Linux!
This is critically important to your computer's operation. That fact cannot be stressed enough. If you don't have the latest security patches installed, you are vulnerable to publicly known exploits. A large number of the malware programs out there still target these known vulnerabilities that patches are available for, as there are still computers out there that have not been updated. Your anti-virus software may not catch them all.
The infamous Windows Metafile (WMF) vulnerability from 2005 is a prime example. (For more information on this ancient vulnerability please see http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx and https://isc.sans.edu/diary/WMF+FAQ/994.) The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have click anything. Even images stored on your system may cause the exploit to be triggered if it is indexed by some indexing software. Viewing a directory in Windows Explorer with 'Icon size' images will cause the exploit to be triggered as well. If you don't have the patch installed, you are vulnerable. So patch often - Windows and other software.
Using Windows? Make sure you visit the Windows Update site regularly once a week) to download and install any critical updates. If you use any Microsoft Office products, check for updates for those, too. Better yet, make sure Windows Automatic Update is turned on.
Those of you with Windows 2000 and newer can use Microsoft Update, which will check for both Windows and Office updates at once. This service is available at http://update.microsoft.com/. Windows 7 and up, it's built in.
Other operating systems, such as Mac and Linux, also need to be kept updated. Vulnerabilities exist in those operating systems, too.
That's another problem many people have, and most are unaware of it. Some computers get so infested with it that they run noticeably slower. A news item a while back told of one person's computer having over one thousand various spyware goodies on it. Nice...
Spyware ranges from tracking cookies to web dialers to trojans and keyloggers, and their purpose is to track where you go on the internet. Some do worse, including noting user names and passwords. If you didn't ask for it, what's it doing on your machine? Get rid of it!
There are good, free programs available to help. Like AV software, you need to check for updates regularly. Not all will do it automatically, so you may have to do it manually when you run the programs. These should take care of most of it, and they are free:
- Spybot Search & Destroy - available at www.safer-networking.org. If you have spyware, this will hunt it down and exterminate it for you.
- SpywareBlaster - from BrightFort. Prevents it from being installed in the first place. Don't forget to use the "Immunize" feature!
- SUPERAntiSpyware - available here. Detects and removes Spyware, Adware and Remove Malware, Trojans, Dialers, Worms, KeyLoggers, HiJackers, Parasites, Rootkits, Rogue Security Products and many other types of threats.
- Malwarebytes' Anti-Malware - from Malwarebytes.org. Free and paid versions available.
There are many others available. Check out my Links page for others not mentioned here.
Phishing is one of the more worrying things to crop up as of late. Phishing is an attempt to obtain personal financial information. This is generally done by email. The email appears to be from a legitimate company, such as a bank, eBay, PayPal or other company - even using graphics from the company's web site.
The email will make some claim that your account is in need of some action on your part. They hope that you will fall for it by giving them your account information, password, and whatever else they may want. Most will direct you to a website to do this. And it's always a fake site that looks like the real thing. The URL to the site may be very close to the real one, too.
Once the hapless victim inputs their user name and password, the phishers have access to the victim's account. Not a good thing.
To make matters worse, a vulnerability in Internet Explorer has been discovered that allows the URL in your address bar to be spoofed to look like the legitimate one. And the cute little padlock icon on the status bar indicating a secure site can be spoofed, too. Another technique has been seen in use, and it does not require you to click on a link to visit the phishing site.
Use these tips to keep yourself from being scammed:
- Be suspicious of any email with urgent requests for personal information.
- Don't be fooled by emails with upsetting or exciting (but false) statements that try to get you to react immediately.
- If you suspect the message might not be authentic, don't use the links within the email to get to a webpage.
- Don't fill out forms in email messages that ask for personal financial information.
- Communicate information such as credit card numbers only via a secure website or the telephone.
- To make sure you're on a secure Web server, check the beginning of the URL in your browser address bar. It should be "https"
rather than "http". The "s" stands for secure.
- Consider installing a Web browser toolbar such as EarthLink's Scamblocker or Netcraft's Anti-Phishing Toolbar to alert you before you visit known phishing fraud websites (eBay also has a similar tool).
- If an email message is not personalized, assume it's not a valid message.
- Log in to your online accounts regularly, and check bank, credit and debit card statements to ensure that all transactions are legitimate.
- Ensure that your operating system and browser is up-to-date and security patches have been applied.
For more information on phishing and other scams visit:
- Blog from Comparitech - Common phishing scams and how to recognise and avoid them
Speaking of scams, don't fall for the phone call from the person claiming to be calling from Microsoft or Windows support, who claims your Windows computer is infected. It's complete B.S., and they'll try to convince you to visit a website. That would be a really bad idea.
For an eye-opening experience, here are a few web pages to see:
SANS and the Internet Storm Center also have many links to other good resources. Check them out.
There are many more resources out there, including some interesting stories on grc.com about the attacks on their web site. One of those attacks used home computers which had been infected and taken over by a 13-year-old hacker.
How can I fight back, you ask? Get yourself a firewall, be it a router, or software or both. Set the firewall up to record a log file of the blocked intrusions. Then submit them to a reporting service.
To use such a service, you should install software to synchronize your computer's clock to an atomic clock server. There are several free ones available, including AboutTime, which is freeware. It is what I use, and it works quite well. Also make sure that your time zone is set correctly on your computer. That is rather important...
Some time servers you can use include:
Many more can be found at http://support.microsoft.com/en-us/kb/262680.
If you use ZoneAlarm, there used to be two programs available to submit reports to DShield - ZoneLog Analyser and VisualZone. Neither are available anymore...
If you have a router, you can most likely configure it to log the traffic. See your router's documentation on how to enable logging. To collect and submit these logs you will need some software.
- DShield has their own program, DShield Universal Firewall Client, that works nicely for submitting. It requires a separate program to record the logs, however. More information and links to software can be found on their How To Submit... page.
- An easier solution is WallWatcher. It will record the logs from the router, and also let you analyze them. A separate program, WW2DShield, is used to submit the logs. However, WallWatcher support ended February 1, 2011. The programs will remain available indefinitely, but without maintenance or enhancements, and no one is available to answer questions.
DShield submissions are used by the Internet Storm Center. As they say on their "About" page, "the Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is rapidly expanding in a quest to do a better job of finding new storms faster, identifying the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe." DShield will also submit abuse reports to an attackers' ISP if it's deemed appropriate.
Why am I here telling you all this? Because you need to know, and you need to educate yourself to stay safe.
A computer is not an appliance. It is a tool. Tools require some skill and training to use safely. To steal a brilliant quote from Tom Liston at the Internet Storm Center, "Computers are not appliances. If something goes wrong with your refrigerator, it doesn't attack your neighbour's microwave. If you don't patch your toaster oven, the chance that it will join up with other toaster ovens in a denial of service attack against the White House is negligible. Yet we persist in marketing computers in a way that presents their operation as requiring the same degree of knowledge and skill as is required to operate a toaster oven."
Not all computer salesmen will tell you about computer security - their job is to sell computers. They are not likely trained in IT Security. They are not paid to be computer security experts. They may have little or no knowledge about the subject. They may encourage you to buy the security software they are selling, of course, but that may not cover all the bases.
Internet Service Providers (ISPs) are reacting painfully slow on implementing any sort of port blocking to protect their customers. Even those ISPs that have anti-virus email protection won't protect you from new and undiscovered threats. At least some ISPs now provide free firewall and/or anti-virus software to their subscribers. In my neck of the woods, the two big ISPs have been doing this for the last few months. One offers ZoneAlarm Security Suite, the other F-Secure Internet Security.
Microsoft has been slow at implementing firewall technology in their operating system. Windows (XP and up) now comes with one, but any Windows operating system older than XP does not.
There is also the problem that will not go away: Microsoft is a huge target for hackers, and they continually look for vulnerabilities in Windows software. It's the biggest target, since the majority of computers in the world use a Microsoft operating system. Another line of defense is wise.
If you're not worried because you have nothing important on your computer, that's a poor reason. Not all hackers are there to steal your financial data, or your user name and passwords for your online banking. Some want to use your computer remotely as an HTTP proxy to mask other illegal activity, such as hacking into more interesting sites, surf for illegal porn, or use your computer as a spam relay. Your computer could be turned into a "bot" and used in an attack on some web site.
If your ISP is cooperating with law enforcement, it's your computer's IP address that will come up, not the hacker's. Why put yourself in the predicament of dealing with the police for something you didn't do?
Spend some time, maybe some money. Be part of the solution, not the problem. Protect yourself.