Understanding Computer Infections - Part three

From CastleCopsWiki

Caution: The article below is currently in beta and has not been reviewed for factual errors.


Introduction

This is the third part of the series on Understanding Computer Infections. In the first two parts, we covered ways to prevent infection by stopping unauthorized executable code or programs from running, either directly when you click on a file to run it (part one), or indirectly via drive-by downloads from browsers or automatically because of other misconfigurations (part two). In this last part, we cover one more way in which malware can get onto your computer.


'Automatic' infection - misconfiguration or security exploit?

We have all heard horror stories of people getting infected just by previewing an email (without opening the attachment), just by visiting a website, or even just by turning on the computer.


There are two ways this can happen. The most common is that your system is configured wrongly so that executable content can run automatically. This possibility was covered in part two of this series. For most people it means poor browser security settings that allow ActiveX controls to run and install automatically. A more advanced example would be a firewall or wireless network set up wrongly so that anyone can access the network. Unfortunately, Windows does not ship with the most secure settings by default either, so you may need to do some hardening work (see later).


But say you faithfully follow all the proper steps in setting up your computer and remain vigilant about which programs you run, but otherwise do nothing else for a year. Can you be sure you will remain safe? No. As time passes, security exploits may be found that bypass your defenses, and your 'safe' configuration is no longer safe.


Moreover, while non-executable content like image files (JPG, PNG etc.) is generally safe, vulnerabilities in the applications that process it can lead to the execution of malicious shellcode, allowing the attacker to do whatever he wants. Typically this involves downloading an executable of his choice from the net and running it.


The different kinds of exploits or vulnerabilities

Many kinds of vulnerabilities are found daily, ranging in severity from trivial ones with minor effects to highly critical ones that can totally compromise the system. For our purposes, the ones to focus on, and probably the most dangerous, are those that allow an attacker to run any program or code they wish through one of our applications.


A properly coded program generally doesn't accept or run other programs or code. Where running other programs is part of its function, it gives the user the choice before doing so. But, as we know, security vulnerabilities in software are often exploited, and this changes the rules of the game.


For example, buffer overflows can lead to the execution of 'alien' code. Such exploits are generally termed remote execution of arbitrary code: the exploit allows the attacker to run any program (code, actually) of his choice on the target's computer, which is obviously a very dangerous situation. Note: other exploits such as denial of service attacks can be as dangerous or irritating, but this is the one that can hurt you directly.


Other dangerous exploits bypass content restrictions; for example, they might allow ActiveX controls (or Firefox extensions) to install and run from sites that are not normally allowed to run them.


Malware like worms, trojans etc. can also use these exploits to install themselves.


For most home users, you will encounter attempts to exploit you in two contexts.


1) Random port scans - Worms, or bots controlled by hackers, randomly port-scan IP blocks looking for targets vulnerable to a particular exploit. This only works if the target is running a server of some kind that is open to requests. For most home users, by default, the only things listening will be a few default Windows services (NetBIOS, RPC Locator etc.). Worms in the past have exploited vulnerabilities in these services; keeping up to date with patches should handle this, though you can also use WWDC to close these services and the related ports for you. Many people prefer not to run this risk at all, so they run a firewall to block these probes, either the built-in Windows Firewall in Windows XP or Vista, or a free third-party firewall (I recommend ZoneAlarm if you are looking for the easiest one to use).


2) Exploits embedded in files you come into contact with - Typically 95% of cases involve browser exploits embedded in webpages; the rest are files mailed to you as attachments.
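A port scan can only find sockets that are bound to an address reachable from the network, so the practical check for the first context above is to look at what your own machine is listening on. The script below is an added example (not code from the CastleCops article or from WWDC): it parses the text that Windows `netstat -an` prints, drops loopback-only sockets and established connections, and reports the rest. The `netstat` sample embedded in it is constructed, and the port-to-service table is an assumption covering only the services the article names plus SMB.

```python
"""Audit which sockets on a Windows PC are reachable from the network.

Added example, not from the CastleCops article. It parses the text that
Windows ``netstat -an`` prints (the sample below is constructed) and reports
the listening sockets bound to a network-reachable address, which are the
only ones a random port scan can find. Loopback-only sockets are ignored.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Services the article says listen by default (NetBIOS, RPC) plus SMB.
# Assumption: anything not in this table is reported as "unknown".
WELL_KNOWN = {
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB over TCP",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
}
LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}

# One netstat row: proto, local endpoint, foreign endpoint, optional state (UDP has none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str
    address: str
    port: int
    name: str

    @property
    def exposed(self) -> bool:
        """True if a host on the network (not just this machine) can reach it."""
        return self.address not in LOOPBACK


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split '192.168.1.5:139', '[::]:135' or '*:*' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    """Return sockets that accept unsolicited input: TCP in LISTENING, or any bound UDP."""
    sockets = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue                       # header and blank lines
        proto, local, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                       # ESTABLISHED/TIME_WAIT are not scan targets
        host, port = split_endpoint(local)
        if port is None:
            continue
        sockets.append(Socket(proto, host, port, WELL_KNOWN.get((proto, port), "unknown")))
    return sockets


def exposed_sockets(text: str) -> List[Socket]:
    return [s for s in parse_netstat(text) if s.exposed]


def report(text: str) -> List[str]:
    """Human-readable lines, one per network-reachable socket."""
    lines = []
    for s in exposed_sockets(text):
        scope = "all interfaces" if s.address in WILDCARD else s.address
        lines.append(f"{s.proto} port {s.port} ({s.name}) bound to {scope}")
    return lines


# Constructed sample in the layout of Windows XP ``netstat -an`` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

On a real machine you would feed it the saved output of `netstat -an`; every line it prints is a service that a firewall or a tool like WWDC would have to cover, or that must be kept patched. Sockets bound to 127.0.0.1 are deliberately left out because a remote scanner cannot reach them.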


A note about terminology

Strictly speaking, the term 'vulnerability' is not interchangeable with the term 'exploit'. A vulnerability is a known weakness that can be exploited; an exploit is the actual code used against the vulnerability.


In practice, when a vulnerability is announced it is usually accompanied by proof-of-concept exploit code showing how to exploit it. Even when it isn't, once they know where to look, hackers can quickly create a working exploit.


Hence, for our purposes, we can assume that once a vulnerability is announced, exploits will follow soon, and the two terms are pretty much interchangeable.


I would divide these exploits into three categories:


  • The first class of exploits/vulnerabilities are announced publicly (on Bugtraq, Secunia, SANS and other security mailing lists) and patches are available from the vendor.
  • The second class of exploits/vulnerabilities are also announced publicly, but no patches are available yet.
  • The third class of exploits are unknown to the public, and obviously no patches exist.


There is actually a fourth class of exploits/vulnerabilities: those reported privately by the discoverer to the vendor and not announced to the public until the vendor comes up with a patch. Because we are not privy to that information, from our point of view dealing with such problems is the same as dealing with exploits in the third class.


Handling known exploits by patching

The first order of business, of course, is to keep up to date with patches; this ensures that you are immune to the first class of exploits. These vulnerabilities are by far the most often targeted, because everyone knows about them and it takes little skill to exploit them (the patch itself helps attackers figure out how to write the exploit code!). Still, large numbers of systems fall prey to such exploits because not everyone keeps up to date. Many botnets, for example, are built using such exploits against unpatched systems.


To reduce the workload, the best thing is to turn on automatic updates for all your programs, including Windows, wherever available. If that isn't available and you don't have the time to keep every application you run up to date, focus on common, popular applications, mostly those with network capabilities (browser, email client, IM, P2P client, online gaming, Office, Java and Windows!) and security software (antivirus, firewall). These deserve special attention because they are targeted most often: hackers can generally count on you having them, whereas if you use more obscure software the hacker has to do specific research on you to target you. I would not rule out that possibility, though, if you go around forums posting which applications you use.


If it is unclear whether you have all the available Microsoft updates, you can use the Microsoft Baseline Security Analyzer to check.


Sample list of software to keep updated

Below is a sample list of common software (besides security software) that you should keep updated.

1. Browser - Internet Explorer, Firefox, Opera, Maxthon (or other IE shell), K-Meleon (or other Gecko browser) etc.

2. Browser plugins - Shockwave Player, Flash Player, Java, Acrobat Reader, WinZip (or other unzip program).

3. Media players (also used as browser plugins) - Windows Media Player, RealPlayer, QuickTime Player, Winamp etc.

4. Content readers and handlers - PDF readers [Adobe Reader, Foxit etc.], image viewers [IrfanView] etc.

5. Instant messenger clients - ICQ, MSN Messenger, Yahoo Messenger, GAIM, Trillian etc.

6. P2P clients - eMule, BearShare, Azureus, BitTornado etc.

7. Windows, and an Office suite, either MS Office or OpenOffice.


Regardless of popularity, I recommend always keeping programs that access the net, as well as content readers, up to date. They are vulnerable because they are directly exposed to content from outside the system; you never know what content they will have to handle, and some of it may try to exploit bugs in them.


A very useful tool is Secunia Software Inspector. It runs as a Java applet in your browser and informs you about outdated applications on your system. It covers a wide range of applications (see list). An even more comprehensive tool is the downloadable Secunia Personal Software Inspector, but that is currently (July 2007) in beta.
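What such an inspector does at its core is compare each installed version with the newest known release and flag the gap, giving priority to the network-facing programs the list above singles out. The script below is an added example, not the article's code and not Secunia's product. It shows the comparison done correctly: version strings are split into numeric components so that 1.10 is recognised as newer than 1.9 and a Java-style 1.6.0_02 compares sensibly. The inventory and the "latest version" table are constructed placeholders, not real release numbers.

```python
"""Compare an installed-software inventory against known latest versions.

Added example, not from the CastleCops article or from Secunia. It mimics what
the article says Secunia Software Inspector does: find what is out of date,
listing network-facing applications first. Every version number below is a
constructed placeholder, not a real release.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Installed(NamedTuple):
    name: str
    version: str
    network_facing: bool   # exposed to outside content, per the article's list


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '9.0.124.0' or '1.6.0_02' into a tuple that compares numerically.

    Splitting on every non-digit run avoids the string-comparison trap in
    which '1.9' sorts after '1.10'.
    """
    return tuple(int(part) for part in re.split(r"[^0-9]+", version) if part)


def is_outdated(installed: str, latest: str) -> bool:
    """True if installed < latest; missing trailing components count as zero."""
    a, b = version_key(installed), version_key(latest)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(inventory: List[Installed], latest_versions: Dict[str, str]):
    """Return (outdated, unknown).

    outdated: (name, installed, latest, network_facing) rows, network-facing
              applications first, then alphabetical.
    unknown:  names with no entry in the latest-version table; the inspector
              cannot vouch for these, so they need a manual check.
    """
    outdated, unknown = [], []
    for app in inventory:
        latest = latest_versions.get(app.name)
        if latest is None:
            unknown.append(app.name)
        elif is_outdated(app.version, latest):
            outdated.append((app.name, app.version, latest, app.network_facing))
    outdated.sort(key=lambda row: (not row[3], row[0]))
    return outdated, unknown


# Constructed inventory and "latest" table; the numbers are illustrative only.
INVENTORY = [
    Installed("Flash Player", "9.0.28", True),
    Installed("Java", "1.6.0_02", True),
    Installed("Firefox", "2.0.0.5", True),
    Installed("IrfanView", "3.99", False),
    Installed("Obscure Editor", "1.2", False),   # hypothetical app, not in the table
]
LATEST = {
    "Flash Player": "9.0.115",
    "Java": "1.6.0_02",
    "Firefox": "2.0.0.10",
    "IrfanView": "4.0",
}

if __name__ == "__main__":
    outdated, unknown = audit(INVENTORY, LATEST)
    for name, have, want, net in outdated:
        tag = "network-facing" if net else "local"
        print(f"OUTDATED  {name}: {have} -> {want} ({tag})")
    for name in unknown:
        print(f"UNKNOWN   {name}: no version data, check the vendor site")
```

The "unknown" list matters as much as the outdated one: an inspector can only report on software it has data for, which is the reason the article still recommends checking obscure programs yourself.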


[Image: Secuniasecurity.png]

Dealing with known exploits without a patch

The second type of exploit generally exists only for a short time, because most vendors react quickly (in about 30-60 days) to patch critical exploits once they are announced publicly. Still, if you keep up to date daily by reading security-related sites such as CastleCops, Secunia etc., you can gain some protection from so-called zero-day exploits by using the workarounds posted until a patch is available, or simply by not using the application for that period until a patch is out.

High-profile and critical exploits affecting browsers and Windows should certainly be monitored carefully!


Zero-day exploits - the unknown exploits

The third type of exploit is the most feared by some, because there is very little you can do about them. You can reduce your attack surface by tightening your system and closing down unnecessary services and functions, or functions that have historically often been exploited (ActiveX controls come to mind), but you can never be 100% sure that some hacker isn't going to target you with an exploit for something you do happen to use.


Thankfully, the chances of a random, low-value home user running into one are small. Hackers who find these secrets hoard them jealously because of their high value; these exploits are valuable precisely because they are unknown. There are even security companies like iDefense that offer high payouts (four or five figures or more, depending on severity) to hackers who reveal as-yet-unannounced security problems to them. iDefense itself will not reveal these exploits either, though it will quietly ensure that its customers (big corporate clients) are immune to them.


Once such exploits are used there is a high chance they will be noticed and the cat will be out of the bag, so you should not expect to see many of them wasted against low-value targets, which includes most home users.


Hardening your system

Hardening your system has several benefits. Mostly, it reduces your attack surface by disabling features or programs you don't use. If you don't run a feature or program, an exploit for that feature, even if it exists, cannot hurt you. This is the idea behind tweaks such as disabling the Guest account and unnecessary services (Messenger, Remote Desktop etc.; there is an automated script to do so). Other times the aim is to change overly loose default settings in Windows; this includes disabling network shares, unbinding network shares from TCP/IP etc.


Ideally, you should carry out such hardening manually so you know what you are doing and how to reverse it. However, there are lots of automatic hardening tools that can help.


In any case, these are two of my favorite links on the subject: Notok's page (with links to hardening tools) and Markus's page (manual hardening).


Conclusion

If you understand the different ways malware gets onto your computer, the battle is half won. By following the tips above, you have a much better chance of keeping malware off your machine. To summarize, the three main pieces of advice I can give you are:

  • 1) Choose wisely when deciding which software to install, and take precautions to mitigate the damage if you choose wrongly.
  • 2) Configure your system correctly, which includes both Windows and specific applications like your browser.
  • 3) Keep up to date with patches.


This greatly reduces the chance that an attacker can get you to run his code or program, and so increases your security. Remember, even the best homebrew undetectable rootkit is useless if it can't get onto your system because it never gets the chance to run.


Please note that while keeping malware from running on your computer is a big part of computer security, there are other ways you can be hurt even without malware running on your computer. For example, poor password security can let hackers gain access to your accounts, data and information, whether on systems you control or not. Phishing and cross-site scripting (XSS) attacks also work without any program needing to run on your computer per se. Packet sniffing on unsecured networks can capture your password, etc.
