Understanding Computer Infections - Part two

From CastleCopsWiki

Caution: The article below is currently in beta and has not been reviewed for factual errors.

Introduction

This is the second part of the series on Understanding Computer Infections. In the first part, we divided infections into three types. First, there were infections you brought on yourself by choosing to run and install software.

Second, there were those that occurred automatically because someone else exploited a security vulnerability to attack your system. This second possibility will be covered in the last part of the series.

In the first part, we covered the case where you explicitly chose to download a file and then ran and installed the malware locally on your system by clicking on it. But as we shall see, this isn't the only way malware can get into your computer. In this part, we consider common ways of misconfiguring software that result in malware being run automatically.

A subtle way of infecting yourself

First let's get the obvious out of the way. If you are running Internet Explorer and choose the Run option when faced with a file download prompt, it is exactly the same as if you had downloaded the file, then used Windows Explorer to go to it and clicked on it to run it. However, there are other, more subtle ways to unwittingly allow programs to execute.

Via web browser

One of the most common ways of getting infected, even if you don't download and install programs directly, is via drive-by downloads. This term refers to a class of malware that is automatically installed on your computer via the browser when you visit a website.


Why does this happen? Browsers these days do not merely display static or passive content; they are capable of producing active content via technologies such as Java, ActiveX, XPI installs for Firefox, scripts, etc. These powerful technologies can be abused by a website owner to run executable code and install programs on your computer against your will, if your browser is wrongly configured.

In theory you didn't do anything to download and install the program, but your poorly configured browser was in fact an implicit invitation to do so!

Depending on your settings, the browser might prompt you for permission to download and install ActiveX controls (don't blindly click Yes to everything), but in the worst-case scenario your browser can even download and install programs without asking your permission at all.

The kicker is that in most cases running either an ActiveX control or a Firefox extension is fully equivalent to installing and running a program by clicking on an .exe file, so allowing your browser to run any of these automatically, without any user permission, is pretty much suicidal.

How you choose to configure your browser settings depends a lot on the balance you desire between usability and security. The most secure settings automatically disallow any of these technologies from running, but may break a lot of websites. The least secure settings automatically allow anything to run without any user interaction; they are very user-friendly but very dangerous. Most people do something in between.


The two methods employed generally are:

  • Secure settings that disallow all dangerous technologies for all websites automatically, with exceptions made only for known trusted sites.
  • Secure settings that prompt the user for permission to run Java, ActiveX, etc.

I personally prefer the second method, which gives you a lot of control, but places the burden on the user to decide wisely on how to respond to a prompt. Here is one recommended example of a secure browser setting. In addition, to reduce the load from making decisions, you can also use tools like IEspyad and the hosts file to neutralize known malicious sites. The former adds a list of known malicious sites to your Internet Explorer Restricted zone and the latter stops malicious sites from being loaded at all.
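As an added example (not the article's own recommended setting, nor a CastleCops tool), the following PowerShell applies the prompt method to Internet Explorer's Internet zone and shows how the trusted-exceptions method and an IEspyad-style restricted entry are expressed in the same registry area; the domain names example.com and bad.example are placeholders.

```powershell
# Added example: harden the Internet zone (3) to prompt for ActiveX and scripting,
# and map individual domains into the Trusted sites (2) or Restricted sites (4) zone.
# Changes apply to the current user only. example.com / bad.example are placeholders.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# IE zone action values (Microsoft KB 182569): 0 = Enable, 1 = Prompt, 3 = Disable
$internetZone = @{
    '1001' = 1   # Download signed ActiveX controls: prompt
    '1004' = 3   # Download unsigned ActiveX controls: disable
    '1200' = 1   # Run ActiveX controls and plug-ins: prompt
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe: disable
    '1400' = 1   # Active scripting (JavaScript / VBScript): prompt
}
foreach ($name in $internetZone.Keys) {
    Set-ItemProperty -Path "$zones\3" -Name $name -Value $internetZone[$name] -Type DWord
}
# Java permissions (1C00) use a different scale: 0 = Disable, 0x10000 = High safety (sandbox only)
Set-ItemProperty -Path "$zones\3" -Name '1C00' -Value 0x10000 -Type DWord

# Map a domain into a zone. The value name is the URL scheme ('https' limits the
# exception to TLS connections, '*' covers every scheme); the value is the zone number.
function Add-ZoneMapping([string]$Domain, [int]$Zone, [string]$Scheme = '*') {
    $key = Join-Path $domains $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $Zone -Type DWord
}
Add-ZoneMapping -Domain 'example.com' -Zone 2 -Scheme 'https'   # trusted exception (placeholder)
Add-ZoneMapping -Domain 'bad.example' -Zone 4                   # restricted, as IEspyad entries are

# Verify the effective Internet-zone values
Get-ItemProperty -Path "$zones\3" | Select-Object '1001','1004','1200','1201','1400','1C00'
```

The Trusted sites zone keeps IE's looser defaults, so a domain mapped there is exactly the kind of exception the first method describes; review that list as carefully as you would a prompt.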


What follows is a quick overview of the different technologies and advice on how to decide whether to run them or not.

One thing to note is that many email clients and even some media players will try to handle and display HTML pages using the browser (particularly true for Internet Explorer). As such, tight browser settings are a necessity for all browsers on your system, even if you don't use them much.


Handling ActiveX

The first thing you should understand is what a signed ActiveX control means; in particular, a signature does not in any way signify that the ActiveX control isn't malicious! It just tells you who signed it. It is not unknown for spyware companies to buy VeriSign certificates. If the signer is Microsoft or some big reputable company like Trend Micro, Panda or Sun, it is probably safe. Remember: when in doubt, do not accept! SpywareBlaster is a good tool to use, since it blacklists known malicious ActiveX controls and prevents them from being installed or run.


[Screenshots: ActiveX prompt; ActiveX information toolbar]

Handling Java

Java applets are somewhat safer because their activities are limited by a sandbox which restricts what each applet can do. But be careful of signed Java applets: if you accept such applets, they are not restricted and can access local system resources, e.g. to open or save files on the local machine or to access the system's clipboard. Just as signed ActiveX controls can be malicious, signed Java applets can be equally malicious, so again do not accept unless you trust the signer or the signer is verified by a trusted authority.


I cannot stress this enough: a single thoughtless click on a prompt can mean accepting a security certificate for the applet, and this can cause malware to be installed, so be vigilant! This is in fact one common way in which Firefox users get infected.

There are in fact two kinds of signed Java applets. The first is a self-generated, self-signed Java applet; the prompt that results is shown below (this is for version 1.5.0.7; earlier 1.4 versions will look different). Needless to say, such signatures are typically nearly worthless, since there is almost no way you can verify that the signer is who they say they are, and even if you could, you wouldn't know whether they are malicious.

The second kind of signed Java applet carries a signature verified by a trusted certification authority (CA) like Thawte or VeriSign. Basically, for a fee, such signatures have been verified by the CA to be valid for who they claim to be. But again, even if you can be sure the company is really ABC LTD (as verified by the CA), they might still not be trustworthy. The CA only guarantees the identity of the signer, not the intent of the signer. Screenshots of the prompts displayed by such applets are shown below.

[Screenshots, prompts from a self-signed applet: initial prompt; more information; examining the certificate]
[Screenshots, prompts from a signed and verified applet: initial prompt; more information; examining the certificate]


If you never ever want to grant any applet privileges to bypass the sandbox, you can change the default settings of Java by going to the Java Control Panel, clicking on the "Advanced" tab and unchecking the options "Allow user to grant permissions to signed content" and "Allow user to grant permissions to content from an untrusted authority". This may cause a lot of applets to fail, particularly Trend Micro's Java-based online virus scanner.

You should be using Sun Java, which is more secure, instead of Microsoft's Java Virtual Machine. Newer machines that came with XP SP1 and above should not have any Java pre-installed, but earlier versions of Windows might have the Microsoft version. You can find instructions on how to remove Microsoft's Java Virtual Machine here.

Though this pertains to the later section about patching, another thing to note: always remember to keep your Sun Java updated! Sandbox security bypass exploits are constantly being discovered and Java needs to be patched. In addition, when updating Sun Java either manually or via the automatic updater, Sun's updates have the odd policy of not removing older versions, so remember to uninstall the older versions via the Add/Remove Programs panel when done!

Handling JavaScript

In theory JavaScript (and VBScript, which is supported solely in Internet Explorer) is considerably less dangerous than Java, ActiveX or installing a Firefox extension, because scripts as a rule do not, or cannot, install or run any new programs (unless these are allowed already) but merely carry out certain standard instructions on the contents of the web page and the browser. However, in practice, errors in implementation have in the past enabled scripts to carry out disallowed actions in some browsers, and scripts are often used as the starting point to get other exploits off the ground. Scripts can also be a threat to privacy and are often involved in cross-site scripting attacks, spoofing, etc., without any need to install a new program.

Whether you choose to totally forbid JavaScript except on trusted sites (Firefox users can use NoScript), allow JavaScript totally on all sites, or take a middle road by allowing only some JavaScript functions is up to you.


Handling Firefox extensions, Internet Explorer toolbars and add-ons

Needless to say, choosing to install any IE toolbar or add-on is exactly the same as running and installing a program. Toolbars are often used by adware and malware to 'phone home' and are difficult to block with many personal firewalls, because they are seen as part of the browser, which typically has a wide outbound rule. Similarly, choosing to install Firefox extensions runs exactly the same risks as running ActiveX controls. Always download and install Firefox extensions only from the main Firefox extension page.


Scripting and ActiveX in non-browser applications

Although browsers are often the main culprit in drive-by downloads, other closely related applications like some email clients (Thunderbird, Outlook Express), music players (Windows Media Player, RealPlayer) and even instant messenger clients are also linked to the browser and can run dangerous scripts or even ActiveX via that link. Ideally you should configure those applications so that this doesn't happen (e.g. definitely turn off JavaScript in email clients if the email client offers it). In most cases, though, if your browser itself is tightly configured, damage is minimized, because the application will inherit the browser's configuration.

Instant Messaging and P2P programs

In general, while these two types of programs provide new possible vectors of infection, they don't really pose any interesting new security questions. For example, while IM worms and P2P worms provide new ways to spread to other uninfected users, they still require the user to explicitly run them (barring security exploits) before the user gets infected. Even if you were tricked into downloading a P2P worm, it would still not hurt you unless you chose to run it (see the previous article). It is also prudent not to click on links sent in dubious IM messages, because you never know what exploit or phishing attempt this can lead to.

AutoPlay or AutoRun function for USB flash drives and other removable media

With the rise in the use of portable rewritable USB flash drives, malware has found a new way to propagate. Such malware constantly scans for removable media and copies itself to any plugged-in USB drive. This in itself is relatively harmless as long as it has no way to start itself and relies on the user to run it (a wise user would of course recognize unknown programs and wouldn't run them!). However, much malware abuses the Windows AutoPlay function to execute automatically when the drive is plugged into a computer. This is done by altering or creating the autorun.inf file (see here for more details) on the USB flash drive. The AutoPlay function was also used in the infamous Sony rootkit DRM incident to automatically install rootkits for DRM (digital rights management).

As such it is critical that you turn off the AutoRun function, which will prevent executables from running automatically the moment you insert a USB drive or CD into your computer. There are many ways to do this, but if you are on XP Home, using the free PowerToy called Tweak UI is probably easiest if you don't want to edit the registry.
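For those who would rather script the registry change than use Tweak UI, here is an added PowerShell example (not from this article) that disables AutoRun for every drive type and then lists the autorun.inf directives on an inserted drive that would launch a program; the drive letter E: is a placeholder and the HKLM write needs an elevated session.

```powershell
# Added example: turn off AutoRun via policy for all drive types, then inspect a
# removable drive's autorun.inf for directives that start a program.
# Run elevated for the HKLM write. E: is a placeholder drive letter.
$policy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\$policy"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Bit mask of drive types whose AutoRun is ignored; 0xFF = every type
    # (removable, fixed, network, CD-ROM, RAM disk and unknown)
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}
# On XP/Vista the mask is only honoured after Microsoft's AutoRun hotfix and this flag;
# later Windows versions already ignore autorun.inf on USB media by default.
Set-ItemProperty -Path "HKLM:\$policy" -Name 'HonorAutorunSetting' -Value 1 -Type DWord

function Test-AutorunInf([string]$Path) {
    # Returns the [autorun] lines that would run something if AutoRun were on.
    if (-not (Test-Path $Path)) { return @() }
    $risky = @()
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        # open= and shellexecute= launch a file directly; shell\<verb>\command= replaces
        # Explorer's context-menu verbs, including the default double-click action
        if ($t -match '^(open|shellexecute|shell\\[^\\]+\\command)\s*=') { $risky += $t }
    }
    return $risky
}
# A drive whose autorun.inf only sets icon= or label= returns nothing here
Test-AutorunInf 'E:\autorun.inf'
```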

Network shares and others

Unfortunately, there are many more ways that you can misconfigure your system and open the possibility of security breaches. This is particularly so if you do more than just surf the web and read email. The more software and activities you are involved with, the more likely you are to misconfigure something, though some applications are riskier to use than others. Besides those already mentioned, which probably account for the lion's share of infections, other possibilities for error include misconfiguration of file shares and file sharing for networked computers, usage and misconfiguration of remote administration tools (such as VNC or Remote Assistance in Windows XP), web server configuration errors, etc.

Still, as I said, for most ordinary home users, getting infected via drive-by downloads and, more recently, via IM and USB drives are by far the most common causes.

Sandboxing/virtualization of vulnerable software

In part one of this series, one of the tips given for installing or running untrusted, dubious programs was to run them in sandboxing/virtualization software like Sandboxie or BufferZone to mitigate the damage if things turn out badly. Even though your web browser is hardly dubious software, the risk of malware getting through it makes it worthwhile to consider isolating your browser (and email client, instant messenger client and/or any Internet-facing application) from the rest of your system by running it in a sandbox. Sandboxes with virtualization capabilities give you the freedom to test out ActiveX control installs, Java applets, etc. and flush them all away with a single click. Be careful you don't remove content that you want to keep, such as bookmarks and passwords, though.

A lesser solution would be to run your web browser using DropMyRights, which runs your browser with reduced privileges and prevents much malware from working, because it requires admin privileges. Be warned, however, that this isn't a perfect defense, since it is still possible for malware to cause some damage even with mere user privileges. Here are lists of free sandboxes and virtualization software maintained on this wiki.

Conclusion of Part two

In the second part of this series, we have shown you the dangers of surfing with improper browser settings. The tips here, combined with those in part one, will enable you to keep your system free from unwanted infections, assuming the system is working properly. However, there is still a third way malware can get in, even if your system is properly configured and you exercise prudence in software downloads; that is the subject of the third and last part of this series on computer infections: protecting yourself from security exploits.
