Safe Computing on Windows:
An Evolving Guide to Virus and Worm Protection

Jeffrey Altman
The Kermit Project, Academic Information Systems
Columbia University
jaltman@columbia.edu

October 23, 2001

© copyright by the Trustees of Columbia University in the City of New York.

The document to which this notice is attached is protected by copyright owned in whole or in principal part by The Trustees of Columbia University in the City of New York ("Columbia"). You may download the document for reference and research purposes only.

COLUMBIA MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE DOCUMENT, OR ANY PART THEREOF, INCLUDING ANY WARRANTIES OF TITLE, NONINFRINGEMENT OF COPYRIGHT OR PATENT RIGHTS OF OTHERS, MERCHANTABILITY, OR FITNESS OR SUITABILITY FOR ANY PURPOSE.

Distribution and/or alteration by not-for-profit research or educational institutions for their local use is permitted as long as this notice is kept intact and attached to the document.

Any other distribution of copies of the document or any altered version thereof is expressly prohibited without prior written consent of Columbia.

For permission requests, licensing proposals, questions, or further information, please contact publications@columbia.edu.

This document borrows heavily from text included in CERT advisories, especially in the descriptions of the viruses and worms. It is a work in progress: significant amounts of work remain to be done and some sections are almost empty. It will be updated on a continuing basis until it is completed. Send questions and comments to the author.

[ Code Red ] [ SirCam ] [ Nimda ]


CONTENTS

 1. Introduction
    1.1.  What is a Virus?
    1.2.  What is a Worm?

 2. How Modern Viruses and Worms Spread
    2.1.  Human Curiosity
    2.2.  Buffer Overflows
    2.3.  Design Flaws
    2.4.  Ease-of-Use Features
    2.5.  Embedded Scripts
    2.6.  File Sharing
    2.7.  Back Doors

 3. What Viruses and Worms Can Do Once They Have Infected Your Computer

 4. Current Virus/Worm Activity
    4.1.  Code Red Variants
    4.2.  W32/Sircam
    4.3.  W32/Nimda

 5. Known vulnerabilities in Windows Operating Systems

 6. How to Determine If You Are Infected

 7. How to Recover If You Are Infected

    7.1.  Remove the Computer from the Network
    7.2.  Using a Virus-Specific Removal Tool
    7.3.  Using Norton Anti-virus to Clean the Computer
    7.4.  Backing Up Data Files
    7.5.  Reinstalling the Operating System

          7.5.1. Using the Recovery CD
          7.5.2. Installing the Operating System

    7.6.  Shutting Down Services (NT, 2000, XP)
    7.7.  Connecting to the Network
    7.8.  Applying Patches to the Operating System and Internet Explorer

          7.8.1. Windows 2000
          7.8.2. Windows NT 4
          7.8.3. Windows ME
          7.8.4. Windows 98 Second Edition
          7.8.5. Windows 98
          7.8.6. Windows 95 OSR2
          7.8.7. Windows 95

    7.9.  Installing and Patching Microsoft Office

          7.9.1. MS Office XP
          7.9.2. MS Office 2000
          7.9.3. MS Office 97
          7.9.4. MS Office 95

    7.10. Install Norton Anti-virus
    7.11. Restoring Disabled Services (NT, 2000, XP)
    7.12. Restore Backed Up Data
    7.13. Install Other Applications
    7.14. Additional Precautions

 8. How to Prevent Reinfection
    8.1.  Subscribe to Mailing Lists for Notification of Vulnerabilities
    8.2.  Behavior Modification

          8.2.1. Strong Passwords
          8.2.2. Preventing Password Theft
          8.2.3. Ignore Unexpected E-mail Attachments
          8.2.4. Beware of the unexpected when browsing the web

    8.3.  System Tuning
          8.3.1. Windows 95, 98, 98SE, ME
          8.3.2. Windows NT, 2000, XP

                 8.3.2.1. Baseline Security Checklists
                 8.3.2.2. IIS Lockdown Tool
                 8.3.2.3. Hotfix Network Check
                 8.3.2.4. Microsoft Personal Security Advisor website
                 8.3.2.5. IIS URL Scan Tool

    8.4.  Web Sites to Monitor
          8.4.1. Windows Updates
          8.4.2. MS Office Updates
          8.4.3. Microsoft Security
          8.4.4. NTBugTraq
          8.4.5. Symantec Security Response
          8.4.6. Computer Emergency Response Team (CERT)

    8.5.  Establishing a Backup Procedure
    8.6.  Personal Firewalls
    8.7.  Configuring Norton Anti-virus to Protect Your Computer
          8.7.1. Browsers and Downloads
          8.7.2. File Scans
          8.7.3. E-mail Scans

 9. Alternatives to Microsoft Products
    9.1.  IIS
    9.2.  Internet Explorer
    9.3.  MS Outlook
    9.4.  MS Office
    9.5.  Windows

10. Further Reading
    10.1. Books

          10.1.1. Hacking
          10.1.2. System Management
          10.1.3. Security Policy


1. Introduction

[ Top ] [ Contents ] [ Next ]

Over the last year the Internet has been hit by an ever increasing number of threats from viruses and worms. Not only has the number of threats increased, but so has their sophistication. Gone are the days when a virus received on a disk from a friend, or even in an e-mail or news post, would limit its damage to the local machine. The latest breed of viruses takes advantage of the 24/7 connectivity of computers at home, in the office, and even those with mobile links. Once infected, the machine is used to spread the virus or worm further over the network.

Frequently, the virus or worm installs a back door that allows the computer to be infiltrated again at a later time. Machines that have been compromised in this manner can have all their data read or modified, and the computer can be used in a coordinated denial of service attack against other hosts on the Internet, or worse. There can and probably will be deliberate attempts to destroy businesses, to compromise government security, and to commit espionage, sabotage, and other kinds of crimes. The degree to which the economy and government depend on computers attached to public networks is the degree to which they are vulnerable.

This all sounds frightening and it is. But it is only the tip of the iceberg. What is not seen is the ever increasing cost in human hours spent trying to reduce the spread of these viruses/worms; the time spent rebuilding computer systems from scratch; and the time spent trying to guess what data might have been compromised and then ensuring that any data that might have been compromised is altered or otherwise secured.

1.1. What Is a Virus?

A virus is a self-propagating program that requires some form of human interaction (opening an attachment, running a downloaded program) to infect its victim.

1.2. What Is a Worm?

A worm is a self-propagating program that infects its victim without any human interaction, typically by attacking a network service directly.


2. How Modern Viruses and Worms Spread

[ Top ] [ Contents ] [ Next ] [ Previous ]

Viruses and worms spread in an ever increasing number of ways, limited only by the imagination of their authors. Each new virus builds on the experience of earlier ones to increase the rate at which it spreads. Viruses and worms now often combine more than one of the following methods:

2.1. Human Curiosity

The first method by which viruses spread is human curiosity. Virus writers frequently use attractive wrapping paper to encourage users to download a file, open an attachment, play a game, read a cybercard, or even view a picture, as a means of tricking them into infecting their own computers. Once executed, the virus has the identity and all of the permissions of the user. If the computer is running an operating system that does not provide user-based access controls (such as Windows 95/98/ME), or if the user works on her machine with an Administrator-level account (as is often done on Windows NT/2000/XP), the virus has full control over the computer and over any resources currently connected to it over the network (file shares, printers, and so on).

2.2. Buffer Overflows

The second most common form of attack against computer systems takes advantage of an extremely common programming error known as a buffer overrun. A buffer is a fixed number of sequentially ordered, addressable memory locations:

  +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
  | 1 | 0 | 1 | 0 | 0 | 1 | 1 | 1 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 1 |
  +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
  ^ 0x40032492

A program allocates a separate buffer for each logical value it works with, so the memory of the computer is broken up into a series of buffers laid end to end:

  +-------+---+-----------------+-----+-------------------+----------+
  | buf1  |b2 | buffer3         |buf4 | unallocated       | buf5     |
  +-------+---+-----------------+-----+-------------------+----------+

A buffer overrun occurs when a computer program does not check the size of a buffer before writing into it and then writes more data into a buffer than will fit. When this occurs the extra data is written into the memory allocated to adjacent buffers. This overwrites the data stored in those buffers.

If an attacker knows that a program can be forced to overrun one of its buffers, and can determine what the overwritten neighbouring memory is used for, the program can be made to misbehave in well defined ways. This can be exploited either to crash a service or application, or, under certain circumstances, to make the program execute arbitrary commands on behalf of the attacker.

Buffer overrun attacks can occur against any type of computer application that accepts data from an external source. This includes all networked based services that accept connections such as web servers, file sharing services, remote procedure call services, and remote shell services. On the client side, potential victims are web browsers, e-mail clients, and any other application that processes data files.

When a buffer overrun is used to crash a service so that it becomes unavailable, the result is described as a "denial of service" attack. When the overrun is used to let a remote party execute arbitrary commands as the root or administrative user, the attack is referred to as a "root hack" (in current terms, remote code execution with administrative privileges).
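The mechanism described in this section, as an added example that is not part of the original guide: a Python model of two buffers laid end to end, where an unchecked copy into the first spills into the second. Real overruns corrupt the memory of a native program; the bytearray, the field names and the 9-byte input here are assumptions chosen to make that spill visible, and checked_write shows the length check that prevents it.

```python
# Added example, not code from the original guide: a model of the adjacent
# buffer layout drawn above. Memory is a bytearray split into fixed-size
# buffers laid end to end; the field names and sizes are assumptions chosen
# so that an overrun of the first buffer lands in a security-relevant value.

FIELD_LAYOUT = (("username", 8), ("is_admin", 1))   # assumed layout: buf1 then b2


def layout_offsets(layout):
    """Map each buffer name to its (start, size) in a region packed back to back."""
    offsets, pos = {}, 0
    for name, size in layout:
        offsets[name] = (pos, size)
        pos += size
    return offsets


class Memory:
    """A region of sequentially addressable bytes carved into fixed-size buffers."""

    def __init__(self, layout=FIELD_LAYOUT):
        self.offsets = layout_offsets(layout)
        self.cells = bytearray(sum(size for _, size in layout))

    def read(self, name):
        start, size = self.offsets[name]
        return bytes(self.cells[start:start + size])

    def unchecked_write(self, name, data):
        """The bug: copies len(data) bytes without comparing against the buffer's
        size, so any excess overwrites whatever buffer happens to be adjacent."""
        start, _ = self.offsets[name]
        end = start + len(data)
        if end > len(self.cells):
            raise MemoryError("write ran past the end of the region (the process would crash)")
        self.cells[start:end] = data

    def checked_write(self, name, data):
        """The fix: refuse anything larger than the destination buffer."""
        start, size = self.offsets[name]
        if len(data) > size:
            raise ValueError(f"{len(data)} bytes do not fit in {name} ({size} bytes)")
        self.cells[start:start + size] = data.ljust(size, b"\0")


# Constructed input: 9 bytes aimed at an 8-byte buffer; the last byte is the
# one that lands on is_admin.
OVERLONG_NAME = b"guest" + b"A" * 3 + b"\x01"


def store_username(write, data=OVERLONG_NAME):
    """Start as an ordinary user, store a name with the given write routine and
    report whether the neighbouring is_admin flag survived."""
    mem = Memory()
    mem.checked_write("is_admin", b"\0")
    try:
        write(mem, "username", data)
        accepted = True
    except ValueError:
        accepted = False
    return {"accepted": accepted, "is_admin": mem.read("is_admin") == b"\x01"}


if __name__ == "__main__":
    print("unchecked:", store_username(Memory.unchecked_write))
    print("checked:  ", store_username(Memory.checked_write))
```

The unchecked routine accepts the 9-byte name and the flag flips; the checked one refuses it. In a native program the neighbouring value might be a saved return address, which is how an overrun turns into command execution rather than a corrupted flag.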

2.3. Design Flaws

In addition to buffer overruns, it is often possible to take advantage of design flaws in computer programs to force them to misbehave in ways similar to a buffer overrun. A common example of this type of design flaw has been seen in applications that use the Unicode character set to represent internationalized data. Unicode is frequently transformed into different representations for the purposes of data storage, data transmission, or data manipulation. Unicode also has (for political and historical reasons) many ways of representing the same or visibly similar characters. This increases the potential for several types of attack. For example, security filters must be applied to the canonical form of the data, after all decoding has been done. Otherwise, attackers can use non-standard representations of Unicode data to slip past the filters and cause applications to perform operations that the filters were specifically meant to prevent.

Perhaps replace Unicode example with another design flaw from Microsoft list. The argument against doing this is that this Unicode flaw was used by the W32/Nimda virus to attack IIS.
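The canonicalization problem above, as an added example that is not part of the original guide: the same directory traversal check run on the raw request and on the canonical (decoded) form. The request strings are constructed; lenient_utf8_decode models a decoder that accepts the overlong two-byte sequence C0 AF as '/', which is the kind of overlong encoding the IIS directory traversal vulnerabilities mentioned in section 4.3 accepted, while Python's strict decoder rejects it.

```python
# Added example, not code from the original guide: the same path filter applied
# before and after canonicalisation. The request strings are constructed for
# illustration. lenient_utf8_decode models a decoder that accepts overlong
# UTF-8 sequences (C0 AF is an overlong two-byte spelling of '/'); a strict
# decoder rejects them, which is what the fixed version relies on.
import re
from urllib.parse import unquote_to_bytes

SEPARATORS = re.compile(r"[/\\]")


def escapes_root(path: str) -> bool:
    """Walk the path components and report whether '..' ever climbs above the root."""
    depth = 0
    for part in SEPARATORS.split(path):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 but, unlike a conforming decoder, accept overlong two-byte forms."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")   # longer sequences are not needed for this example
            i += 1
    return "".join(out)


def naive_is_safe(request_path: str) -> bool:
    """Flawed order: the filter runs on the raw request; decoding happens later."""
    return not escapes_root(request_path)


def naive_resolve(request_path: str) -> str:
    """What the flawed server actually opens after naive_is_safe said yes."""
    return lenient_utf8_decode(unquote_to_bytes(request_path))


def canonical_is_safe(request_path: str) -> bool:
    """Fixed order: undo percent-encoding, decode UTF-8 strictly (overlong and
    malformed sequences are rejected outright), then filter the canonical form."""
    try:
        canonical = unquote_to_bytes(request_path).decode("utf-8")
    except UnicodeDecodeError:
        return False
    return not escapes_root(canonical)


# Constructed requests: in the first, ".." followed by an overlong '/' hides
# one directory level from a filter that looks at the raw string.
TRAVERSAL_REQUEST = "/scripts/..%c0%af../winnt/system32/cmd.exe"
PLAIN_REQUEST = "/scripts/../../winnt/system32/cmd.exe"
HARMLESS_REQUEST = "/scripts/%e2%82%ac-rates.asp"   # a valid three-byte character

if __name__ == "__main__":
    for req in (TRAVERSAL_REQUEST, PLAIN_REQUEST, HARMLESS_REQUEST):
        print(req, "naive:", naive_is_safe(req), "canonical:", canonical_is_safe(req))
```

The order of operations is the whole point: decode first, reject malformed input, then filter. Filtering the encoded form and decoding leniently afterwards lets a single disguised separator hide a directory level.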

2.4. Ease-of-Use Features

Another area of vulnerability is created by the desire of application designers to provide ease of use. One example of this type of design decision is the automatic detection and execution of attachments by popular e-mail and web clients. In the early 90s this was looked upon as a wonderful feature by which corporate administrators could update software simply by e-mailing it to the end user. Of course, the feature quickly became a nightmare once it was used for virus distribution.

2.5. Embedded Scripts

In the same vein, many application suites developed sophisticated cross-application scripting languages, originally designed to automate mail-merge tasks between database, spreadsheet, and word processing applications. As e-mail clients were added to the suites, these languages were extended to generate e-mail automatically. The same scripting facilities are now used to automate attacks against the friends, family, and co-workers of the initial victims.

2.6. File Sharing

File sharing has always been one of the core local area network services used within organizations. It can be used in two ways to promote the distribution of viruses and worms. In the first, the virus simply uses the file shares already mounted on the infected computer to copy itself onto as many other computers as possible.

In recent months, more sophisticated use of file sharing has been taking place. Virus writers take advantage of the ability to establish new file share connections automatically in order to attack new computer systems. This can be done either by querying the computer for a list of related systems on which the current credentials may be accepted, or by attempting random connections in the hope of finding a computer with open file shares that are not protected by strong passwords. Once a file share connection has been established, the virus/worm attempts to install itself in locations where it is likely to be executed. This can be done by replacing or modifying executable files. Other methods include copying curiously named programs, or application data files that contain auto-executing scripts, in the hope that the user's curiosity will lead him to open or execute the file while trying to determine where it came from.

2.7. Back doors

A back door is an intentionally created vulnerability in a computer system that allows easy and undetected access to the system over the network. File sharing has also been used by viruses and worms as a back door: the worm creates file shares that give read and write access to the file system without requiring a password.

If appropriate access is given to the account used to mount the share it is even conceivable that the file share could be used to adjust system configuration information such as file and icon associations.

Back doors have become so common that they are now a practical means of spreading additional worms. Since back doors may make use of standard system services, they are not always detectable by anti-virus programs. Nor are they closed automatically when vendor-supplied patches to operating systems and applications are applied to the computer.


3. What Viruses and Worms Can Do Once They Have Infected Your Computer

[ Top ] [ Contents ] [ Next ] [ Previous ]

The capabilities of viruses and worms are limited only by the creativity of the author and the privileges the virus is able to acquire on the infected system. Many PC-based operating systems have no notion of user- or process-based privileges. On operating systems such as DOS, Windows 3.x, Windows 95/98/ME, OS/2, and classic MacOS, the virus can perform any function the computer itself is capable of. The virus can add, modify, delete, or replace files; send e-mail; print documents; make phone calls; establish connections to other computers; capture passwords; read credit card information from electronic wallets; extract private keys used for authenticating to external hosts; and do anything else the virus author can think of.

On operating systems that do provide user- or process-based privileges, such as Windows NT/2000/XP, Unix/Linux, and MacOS X, the virus has only those capabilities assigned to the process or user that launched it in the first place. If the user or process has very limited capabilities on the computer, then the virus has very limited capabilities for causing damage. It is for this reason that users of these operating systems should not log in on a regular basis as the Administrator (or root) account. It is equally important that the accounts used to launch services such as web servers have the minimum capabilities necessary to provide the required functionality. Included in the list of capabilities are permissions to access the file systems of the local machine. Using the web server as an example: other than the files the web server requires in order to run and the files it serves to web browsers, there is no reason for the web server to have access to any other files or devices on the machine. Therefore, the file system should be configured to deny the account used to start the web server access to all unnecessary files.


4. Current Virus/Worm Activity

[ Top ] [ Contents ] [ Previous ]

The vast majority of virus/worm activity in the last six months has been targeted against the operating systems and applications of Microsoft Corp. This is not to say that there have not been a significant number of vulnerabilities discovered in competing operating systems. However, Microsoft's products and users have been targeted because of their overwhelming share of the marketplace and the huge number of known vulnerabilities that have been discovered and left unpatched on end-user systems. The following sections summarize the issues surrounding the most frequently seen viruses as of this writing.

4.1. Code Red variants:

  http://www.cert.org/advisories/CA-2001-13.html
  http://www.cert.org/advisories/CA-2001-19.html
  http://www.cert.org/advisories/CA-2001-23.html

Code Red (and Code Red II and Code Blue) are all variants of a worm that attempts to spread by taking advantage of a vulnerability in the Microsoft Internet Information Service (IIS). IIS is Microsoft's professional strength web server. The vulnerability is a Buffer Overrun in the Indexing Service DLL. Vulnerable platforms include:

Other devices including Cisco 600 DSL routers were adversely affected by the attacks even though they could not be infected.

CERT reports that, given the rapid propagation of this worm, the time to infect all vulnerable IIS servers is approximately 19 hours from the first infection. It should be noted that IIS is often running on desktop computers without the knowledge of the user. This can be the case either because IIS was installed in an active state by an OEM or during an upgrade, or because the user installed and activated all features during the installation of the operating system but did not realize the risks involved in running unmanaged services.

The Code Red worm attack proceeds as follows:

  1. The worm attempts to connect to TCP port 80 on a randomly chosen host assuming that a web server will be found. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service described in CERT advisory CA-2001-13.

  2. The same exploit (HTTP GET request) is sent to each of the randomly chosen hosts due to the self-propagating nature of the worm. However, depending on the configuration of the host that receives this request, there are varied consequences:

  3. If the exploit is successful, the worm begins executing on the victim host. In the earlier variant of the worm, victim hosts with a default language of English experienced the following defacement on all pages requested from the server:

      HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
    

Servers configured with a language other than English, and those infected with the later variant, do not experience any change in the served content. Other worm activity on a compromised machine is time sensitive; different activity occurs based on the day of the month shown by the system clock:

Day 1 - 19
The infected host attempts to connect to TCP port 80 of randomly chosen IP addresses in order to further propagate the worm.

Day 20 - 27
A packet-flooding denial of service attack is launched against a particular fixed IP address.

Day 28 - end of the month
The worm sleeps; no active connections or denial of service.

Code Red worm activity can be identified on a machine by the presence of the following string in the web server log files:

  /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
  u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
  b%u53ff%u0078%u0000%u00=a

Different variants of the worm use different letters in place of the series of 'N's. The presence of this string in a log file does not necessarily indicate compromise. It only shows that a Code Red worm attempted to infect the machine.
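Detection logic for the signature quoted above, as an added example that is not part of the original guide. The log lines are constructed, one in Apache common log format and one in the space-separated IIS W3C style, where URI stem and query are separate fields; the field order in a real IIS log depends on how logging was configured.

```python
# Added example, not code from the original guide: scanning web server log
# lines for the Code Red probe quoted above. The log lines are constructed for
# illustration (one Apache common-log line, one IIS W3C-style line in which
# stem and query are separate fields).
import re

# /default.ida followed by a long run of one repeated letter (N in the original
# worm; other variants use other letters) and the %u-encoded payload.
CODE_RED = re.compile(r"/default\.ida[?\s]([A-Za-z])\1{50,}.*%u9090", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
           "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

SAMPLE_LOG = [   # constructed lines, not real log data
    '10.0.0.7 - - [04/Aug/2001:10:12:31 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [04/Aug/2001:10:12:44 -0400] "GET /default.ida?' + "N" * 224 + PAYLOAD + ' HTTP/1.0" 404 87',
    "2001-08-04 10:13:02 10.0.0.12 GET /default.ida " + "X" * 224 + PAYLOAD + " 200",
    '10.0.0.7 - - [04/Aug/2001:10:14:10 -0400] "GET /default.ida?search=NNN HTTP/1.0" 404 87',
]


def find_code_red_probes(lines):
    """Return (client address, filler letter) for each line carrying a probe.
    The address is taken as the first dotted quad on the line; in an IIS log
    that is the client only if c-ip precedes s-ip in the configured fields."""
    hits = []
    for line in lines:
        m = CODE_RED.search(line)
        if not m:
            continue
        ip = IPV4.search(line)
        hits.append((ip.group(0) if ip else "unknown", m.group(1).upper()))
    return hits


def summarize(lines):
    """Count probes per source so repeat offenders stand out."""
    counts = {}
    for ip, _ in find_code_red_probes(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, letter in find_code_red_probes(SAMPLE_LOG):
        print(f"probe from {ip} (filler {letter})")
```

A hit means a probe arrived, not that it succeeded; the response status in the log does not show whether the overflow worked, so the patch level of the host, the presence of the .ida/.idq script mappings and, for Code Red II, the back door described further on are what decide whether the machine must be rebuilt.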

A host running an active instance of the original "Code Red" worm scans random IP addresses on port 80/TCP looking for other hosts to infect.

The text of the "... Hacked by Chinese!" message is stored exclusively in memory and is not written to disk. Therefore, searching for the text of this page in the file system may not detect compromise. Since the worm resides entirely in memory a reboot of the machine purges it from the system. However, it is important to note that the vulnerability:

  http://www.cert.org/advisories/CA-2001-13.html

allows arbitrary code to be executed in the Local System security context that gives the attacker complete control of the compromised server.

The only precondition for exploiting this vulnerability is that an IIS server is running with script mappings for Internet Data Administration (.ida) and Internet Data Query (.idq) files. The Indexing Services do not need to be running. As stated by Microsoft in MS01-033:

"The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present, and the attacker were able to establish a web session, he could exploit the vulnerability."

The Code Red II variant is known to exploit this vulnerability to install a back door so that control of the machine can be regained after a reboot or after a patch is applied. It is reported that the presence of the back door is advertised to the hacker community via Internet Relay Chat (IRC).

Patches to the IIS vulnerability are available from Microsoft. Microsoft is also making available an IIS Lockdown tool to remove unused functionality and alter the privileges available to attackers.

  http://www.microsoft.com/technet/security/bulletin/MS01-033.asp 
  http://www.microsoft.com/technet/security/bulletin/MS01-044.asp 
  http://www.microsoft.com/technet/support/kb.asp?ID=Q300972 
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp

Microsoft has released a "Tool to Remove Obvious Effects of the Code Red II Worm"

  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/redfix.asp

It should be noted that Microsoft states in the above link (case as quoted):

  "THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES
   NOT ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM.

  "IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO
   ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS
   OF THE WORM - IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER
   ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED.

  "WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE CODE RED II
   WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE INTERNET BY A ROUTER
   OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS
   BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE.
   IN ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN PUT AT RISK
   BY THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE REBUILT RATHER THAN
   BEING PLACED BACK INTO SERVICE. "


4.2. W32/SirCam

  http://www.cert.org/advisories/CA-2001-22.html

W32/SirCam is a virus that spreads through e-mail and unprotected network shares. Once the virus has been executed on a system it may reveal or delete sensitive information. All Microsoft Windows operating systems are vulnerable. The SirCam virus can disable the auto-protect features of Anti-virus programs by modifying entries in the Windows registry. In order to detect the SirCam virus, the anti-virus programs must be used to perform a full scan of all drives.

4.2.1. Propagation Via Email

Once a computer is infected with the W32/SirCam virus it begins to send e-mail to addresses found in the Microsoft Outlook Address Book or in files stored in the local web cache. It is therefore most likely that you will receive this virus either from someone you know or from a mailing list you subscribe to.

The virus can appear in an email message written in either English or Spanish with a seemingly random subject line. All known versions of W32/Sircam use the following format in the body of the message:

English
Hi! How are you?
(middle line)
See you later. Thanks

Spanish
Hola como estas ?
(middle line)
Nos vemos pronto, gracias.

Where [middle line] is one of the following:

English
I send you this file in order to have your advice
I hope you like the file that I sendo you
I hope you can help me with this file that I send
This is the file with the information you ask for
Spanish
Te mando este archivo para que me des tu punto de vista
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando
Este es el archivo con la informacion que me pediste

Users who receive copies of the malicious code through electronic mail might recognize the sender. We strongly encourage users to avoid opening attachments received through electronic mail, regardless of the sender's name, without prior knowledge of the origin of the file or a valid digital signature.

The email message contain an attachment whose name matches the subject line and has a double file extension (e.g. subject.ZIP.BAT or subject.DOC.EXE). The CERT/CC has confirmed reports that the first extension may be .DOC, .XLS, or .ZIP. Anti-virus vendors have referred to additional extensions, including .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, and .PS. The second extension is .EXE, .COM, .BAT, .PIF, or .LNK. The attached file contains both the malicious code and the contents of a file copied from an infected system.

When the attachment is opened, the copied file is extracted to both the %TEMP% folder (usually C:\WINDOWS\TEMP) and the Recycled folder on the affected system. The original file is then opened using the appropriate default viewer while the infection process continues in the background.

It is possible for the recipient to be tricked into opening this malicious attachment since the file appears without the .EXE, .BAT, .COM, .LNK, or .PIF extensions if the "Hide file extensions for known file types" is enabled in Windows. See IN-2000-07 for additional information on the exploitation of hidden file extensions.

W32/Sircam includes its own SMTP client, which it uses to propagate via email. It determines its recipient list by recursively searching for email addresses contained in all *.WAB (Windows Address Book) files in the %SYSTEM% folder. Additionally, it searches the folders referred to by the Registry key:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

for files containing email addresses. All addresses found are stored in SC??.DLL or S??.DLL files hidden in the %SYSTEM% folder.

W32/Sircam first attempts to send messages using the default email settings for the current user. If the default settings are not present, it appears to use one of the following SMTP relays:

4.2.2. Propagation Via Network Shares

In addition to email-based propagation, analysis by anti-virus vendors suggests that W32/Sircam can spread through unprotected network shares. Unlike the email propagation method, which requires a user to open an attachment to infect the machine, propagation of W32/Sircam via network shares requires no human intervention.

If W32/Sircam detects Windows networking shares with write access, it:

If the share contains a Windows folder, it also:

When installed on a victim machine, W32/Sircam installs a copy of itself in two hidden files:

Installing in Recycled may hide it from anti-virus software since some do not check this folder by default.

Based on external analyses, there is also a probability that W32/Sircam will copy itself to the %SYSTEM% folder as ScMx32.exe. In that case, another copy is created in the folder referred to by the Registry key:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

(the current user's personal startup folder). The copy created in that location is named Microsoft Internet Office.exe. When the affected user next logs in, this copy of W32/Sircam is started automatically.

The registry entry:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32

is set to %SYSTEM%\SCam32.exe so that W32/Sircam runs automatically at system startup.

The registry entry HKEY_CLASSES_ROOT\exefile\shell\open\command is set to:

  "C:\Recycled\SirC32.exe" "%1" %*

which causes W32/Sircam to execute whenever another executable is run.

A new registry entry, HKEY_LOCAL_MACHINE\Software\SirCam, is created to store data required by W32/Sircam during execution.
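A check for the three registry changes just listed, as an added example that is not part of the original guide. It parses a REGEDIT4 export (produced with regedit /e) rather than reading the live registry, so it runs anywhere; the export text is constructed, and the comparison against the clean default value of exefile\shell\open\command catches any hijack of that key, not only SirCam's.

```python
# Added example, not code from the original guide: checking a registry export
# for the SirCam changes listed above. The REGEDIT4 text is constructed for
# illustration; on a real machine export the keys with "regedit /e <file>".
import re

EXEFILE_DEFAULT = '"%1" %*'    # exefile\shell\open\command on an unmodified system
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
SIRCAM_KEY = r"hkey_local_machine\software\sircam"

STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_reg(text):
    """Parse REGEDIT4 export text into (set of keys, {(key, value name): string}).
    Keys and value names are lower-cased; '@' (the default value) becomes ''."""
    keys, values, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.add(current)
        elif current and (line.startswith('"') or line.startswith("@")):
            name, _, rest = line.partition("=")
            name = "" if name == "@" else name.strip('"').lower()
            m = STRING_VALUE.fullmatch(rest)
            if m:   # only string values matter here; dword:/hex: lines are skipped
                values[(current, name)] = re.sub(r"\\(.)", r"\1", m.group(1))
    return keys, values


def sircam_indicators(keys, values):
    """Return human-readable findings; an empty list means none of the three
    registry changes is present."""
    findings = []
    command = values.get((EXEFILE_KEY, ""), EXEFILE_DEFAULT)
    if command != EXEFILE_DEFAULT:
        findings.append(f"exefile open command hijacked: {command}")
    driver = values.get((RUNSERVICES_KEY, "driver32"))
    if driver and driver.lower().endswith("scam32.exe"):
        findings.append(f"RunServices\\Driver32 starts {driver}")
    if SIRCAM_KEY in keys:
        findings.append("HKLM\\Software\\SirCam key present")
    return findings


def check_export(text):
    return sircam_indicators(*parse_reg(text))


# Constructed exports, in the escaped form regedit writes to disk.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_LOCAL_MACHINE\Software\SirCam]
'''

CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

if __name__ == "__main__":
    print("infected:", check_export(INFECTED_EXPORT))
    print("clean:   ", check_export(CLEAN_EXPORT))
```

Run regedit /e on the machine, feed the file to check_export, and treat any finding as a reason for the full scan of all drives that this section recommends. The hijacked exefile command is worth fixing by hand as well, since with it in place every program launch re-runs the virus.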

W32/Sircam searches for filenames with .DOC, .XLS, .ZIP extensions in the folders referred to by the Registry keys:

While the personal folder may vary with configuration, it is often set to:

  \My Documents or \Windows\Profiles\%username%\Personal

A list of these files is stored in %SYSTEM%\scd.dll.

W32/Sircam attaches its own binary to selected files it finds and stores the combined file in the Recycled folder.

W32/Sircam can have a direct impact on both the computer that was infected as well as those with which it communicates over email:

Breaches of confidentiality
The malicious code will at a minimum search through selected folders and mail out potentially sensitive files. This form of attack is extremely serious because it is one from which it is impossible to recover: once a file has been publicly distributed, any sensitive information in it cannot be retracted.

Limit Availability (Denial of Service)
Fill entire hard drive: based on external analyses, on any given day there is a probability that it will create a file named C:\Recycled\sircam.sys that consumes all free space on the C: drive. A full disk prevents users from saving files to that drive and, in certain configurations, impedes system-level tasks (e.g., swapping, printing).

Propagation via mass emailing
W32/Sircam attempts to propagate by sending itself through email to addresses obtained as described above. This propagation can lead to congestion in mail servers that may prevent them from functioning as expected. NOTE: Since W32/Sircam uses native SMTP routines connecting to pre-defined mail servers, propagation is independent of the mail client software used.

Loss of Integrity
Published reports indicate that on October 16 there is a reasonable probability that W32/Sircam will attempt to recursively delete all files from the drive on which Windows is installed (typically C:).


4.3. W32/Nimda (or Concept Virus)

The Nimda virus/worm is the worst we have seen with regard to rate of infection and the network traffic generated by its attacks, because of the large number of vulnerabilities and attack paths it uses to spread. This worm can affect all Microsoft Windows operating systems. It also opens the machine to further attacks by using the built-in file sharing capabilities to share all drives on the machine with anonymous users.

The attack vectors can be summarized as follows:

4.3.1. Email Propagation

This worm propagates through email arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html", but it contains no text, so the email appears to have no content. The second section is defined as MIME type "audio/x-wav", but it contains a base64-encoded attachment named "readme.exe", which is a binary executable.

Due to a vulnerability described in CA-2001-06 (Automatic Execution of Embedded MIME Types), any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the enclosed attachment and, as a result, infects the machine with the worm. Thus, in vulnerable configurations, the worm payload is automatically triggered by simply opening (or previewing) this mail message. As an executable binary, the payload can also be triggered by simply running the attachment.
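As an added detection example (not part of the original guide), the following Python script parses a message with the shape just described and flags its three tell-tale features: an empty text/html alternative, an audio/x-wav part whose attachment name has an executable extension, and a decoded payload that begins with the MZ header of a DOS/PE executable. The sample messages, addresses and MIME boundaries are constructed; the "attachment" is a harmless MZ-prefixed blob, not a program.

```python
"""Flag Nimda-shaped MIME messages (added example; not the guide's own code).

Indicators checked, all taken from the description above:
  * top level is multipart/alternative
  * a text/html part with no content (so the mail looks empty)
  * an audio/x-wav part whose attachment name has an executable extension
  * that part's decoded payload starts with the MZ DOS/PE header
"""
import base64
import email
from email import policy

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")
AUDIO_TYPES = {"audio/x-wav", "audio/wav"}


def nimda_indicators(raw: bytes) -> list[str]:
    """Return the indicators found in a raw message; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    if msg.get_content_type() != "multipart/alternative":
        return findings
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "text/html" and not part.get_content().strip():
            findings.append("empty text/html alternative")
        elif ctype in AUDIO_TYPES:
            # The declared type says audio, but the name and the bytes say executable.
            name = (part.get_filename() or "").lower()
            if name.endswith(EXECUTABLE_EXTENSIONS):
                findings.append(f"{ctype} part carries executable attachment {name}")
            payload = part.get_payload(decode=True) or b""
            if payload[:2] == b"MZ":
                findings.append(f"{ctype} payload begins with MZ (DOS/PE executable header)")
    return findings


def build_sample() -> bytes:
    """Constructed message with the Nimda shape; the attachment is an MZ-prefixed dummy blob."""
    blob = base64.b64encode(b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a program").decode()
    return (
        "From: friend@example.invalid\r\n"
        "To: you@example.invalid\r\n"
        "Subject: readme\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/alternative; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "\r\n"
        "--b1\r\n"
        'Content-Type: audio/x-wav; name="readme.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="readme.exe"\r\n'
        "\r\n"
        f"{blob}\r\n"
        "--b1--\r\n"
    ).encode("ascii")


def build_benign() -> bytes:
    """Constructed ordinary multipart/alternative mail (plain text plus HTML) for comparison."""
    return (
        "From: a@example.invalid\r\n"
        "To: b@example.invalid\r\n"
        "Subject: hello\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/alternative; boundary="b2"\r\n'
        "\r\n"
        "--b2\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Hello\r\n"
        "--b2\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<p>Hello</p>\r\n"
        "--b2--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for label, raw in (("nimda-shaped", build_sample()), ("benign", build_benign())):
        print(label, nimda_indicators(raw) or ["no indicators"])
```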

The email message delivering the Nimda worm appears to also have the following characteristics:

4.3.2. Payload

The email addresses targeted for receiving the worm are harvested from two sources:

These files are passed through a simple pattern matcher that collects strings that look like email addresses. These addresses then receive a copy of the worm as a MIME-encoded email attachment. Nimda stores the time the last batch of emails were sent in the Windows registry, and every 10 days repeats the process of harvesting addresses and sending the worm via email.

Likewise, the client machines begin scanning for vulnerable IIS servers. Nimda looks for backdoors left by previous IIS worms: Code Red II [IN-2001-09] and sadmind/IIS worm [CA-2001-11]. It also attempts to exploit various IIS Directory Traversal vulnerabilities (VU#111677 and CA-2001-12). The selection of potential target IP addresses follows these rough probabilities:

The infected client machine attempts to transfer a copy of the Nimda code via tftp (69/UDP) to any IIS server that it scans and finds to be vulnerable. Once running on the server machine, the worm traverses each directory in the system (including all those accessible through file shares) and writes a MIME-encoded copy of itself to disk using file names with .eml or .nws extensions (e.g., readme.eml). When a directory containing web content (e.g., HTML or ASP files) is found, the following snippet of JavaScript code is appended to every one of these web-related files:

  <script language="JavaScript">
  window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
  </script>

This modification of web content allows further propagation of the worm to new clients through a web browser or through the browsing of a network file system.

In order to further expose the machine, the worm:

Furthermore, the Nimda worm infects existing binaries on the system by creating Trojan horse copies of legitimate applications. These Trojan horse versions of the applications first execute the Nimda code (further infecting the system and potentially propagating the worm), and then complete their intended function.

4.3.3. Browser Propagation

As part of the infection process, the Nimda worm modifies all web content files it finds (including, but not limited to, files with .htm, .html, and .asp extensions). As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system.

4.3.4. File System Propagation

The Nimda worm creates numerous MIME-encoded copies of itself (using file names with .eml and .nws extensions) in all writable directories (including those found on a network share) to which the user has access. If a user on another system subsequently selects the copy of the worm file on the shared network drive in Windows Explorer with the preview option enabled, the worm may be able to compromise that system. Additionally, by creating Trojan horse versions of legitimate applications already installed on the system, users may unknowingly trigger the worm when attempting to make use of these programs.

4.3.5. System Footprint

The scanning activity of the Nimda worm produces the following log entries for any web server listening on port 80/tcp:

  GET /scripts/root.exe?/c+dir
  GET /MSADC/root.exe?/c+dir
  GET /c/winnt/system32/cmd.exe?/c+dir
  GET /d/winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

Note: The first four entries in these sample logs denote attempts to connect to the backdoor left by Code Red II, while the remaining log entries are examples of exploit attempts for the Directory Traversal vulnerability.
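As an added example (not from the original guide), the Python script below applies the distinction the note draws to constructed web server log lines carrying the sixteen request strings above: the first four are matched exactly as Code Red II back-door probes, and the rest are normalized (two rounds of percent-decoding, then mapping the overlong UTF-8 byte sequences to the separators unpatched IIS decoded them to) and matched as directory-traversal attempts. The IP addresses (TEST-NET range) and timestamps are constructed, and the log is assumed to be in the common (NCSA) log format.

```python
"""Classify Nimda scanning activity in web server logs (added example; not the guide's code)."""
import re
from urllib.parse import unquote_to_bytes

# Request paths that probe the back door left by Code Red II (root.exe copies of
# cmd.exe and the /c and /d virtual directories that expose the drive roots).
CODE_RED_II_BACKDOOR = {
    b"/scripts/root.exe",
    b"/msadc/root.exe",
    b"/c/winnt/system32/cmd.exe",
    b"/d/winnt/system32/cmd.exe",
}

# Invalid/overlong UTF-8 byte sequences seen in the traversal probes, mapped to the
# ASCII path separators that unpatched IIS decoded them to.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",
    b"\xc1\x1c": b"\\",
    b"\xc1\x9c": b"\\",
}

# Common Log Format; the request target is captured up to the next space.
LOG_LINE = re.compile(rb'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')


def normalize_path(path: bytes) -> bytes:
    """Undo the encodings IIS would apply before the path is compared against the web root."""
    for _ in range(2):  # two passes so that a percent-encoded percent sign is also undone
        path = unquote_to_bytes(path)
    for raw, sep in OVERLONG_SEPARATORS.items():
        path = path.replace(raw, sep)
    return path.lower()


def classify_request(target: bytes) -> str:
    """Return 'code-red-ii-backdoor', 'directory-traversal' or 'benign' for one request target."""
    path = normalize_path(target.split(b"?", 1)[0])  # drop the ?/c+dir query string
    if path in CODE_RED_II_BACKDOOR:
        return "code-red-ii-backdoor"
    if b"cmd.exe" in path and (b"../" in path or b"..\\" in path):
        return "directory-traversal"
    return "benign"


def scan_log(lines) -> dict:
    """Count verdicts over log lines and collect the hosts that sent non-benign requests."""
    counts = {"code-red-ii-backdoor": 0, "directory-traversal": 0, "benign": 0}
    scanners = set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        counts[verdict] += 1
        if verdict != "benign":
            scanners.add(m.group("host").decode("ascii"))
    return {"counts": counts, "scanning_hosts": sorted(scanners)}


# The sixteen request strings listed in the text, as raw bytes (the \xNN escapes are
# the same bytes the log excerpt shows).
NIMDA_PROBES = [
    b"/scripts/root.exe?/c+dir",
    b"/MSADC/root.exe?/c+dir",
    b"/c/winnt/system32/cmd.exe?/c+dir",
    b"/d/winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    b"/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir",
    b"/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir",
    b"/msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..%35c../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..%35c../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..%2f../winnt/system32/cmd.exe?/c+dir",
]


def sample_log() -> list[bytes]:
    """Constructed log lines: TEST-NET addresses, a fixed timestamp, one benign request at the end."""
    lines = []
    for i, probe in enumerate(NIMDA_PROBES):
        host = b"192.0.2.10" if i % 2 == 0 else b"192.0.2.11"
        lines.append(host + b' - - [18/Sep/2001:10:00:00 -0400] "GET ' + probe + b' HTTP/1.0" 404 0')
    lines.append(b'192.0.2.50 - - [18/Sep/2001:10:00:05 -0400] "GET /index.html HTTP/1.0" 200 1234')
    return lines


if __name__ == "__main__":
    print(scan_log(sample_log()))
```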

Intruders can execute arbitrary commands within the LocalSystem security context on machines running the unpatched versions of IIS. In the case where a client is compromised, the worm is run with the same privileges as the user who triggered it. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.

The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines.


5. Known vulnerabilities in Windows

The complete list of vulnerabilities for all Microsoft products can be found at the Microsoft TechNet web site:

  http://www.microsoft.com/technet/security/current.asp


6. How to Determine If You Are Infected

The best way to determine if you are infected is to install Norton Anti-Virus and scan all files (not just the executables) with an up-to-date set of virus definition files. Current virus definition updates can be downloaded from:

  http://www.symantec.com/avcenter/download/pages/US-NNT.html

Other ways of finding out you are infected are:


7. How to Recover If You Are Infected

In the case of all viruses and worms that do not leave back doors on your computer it is perfectly fine to download revised anti-virus definitions for your machine and allow the anti-virus program to delete or (if possible) clean the affected files. Under some circumstances you may have to uninstall and reinstall some of your applications if required files have been tampered with.

Unfortunately, this is not acceptable when the attacking virus contains a known back door. When a back door is present on the machine it is not possible for the anti-virus definition author to know what to look for in order to clean or delete additional tools that have been installed on the machine via the backdoor. The additional tools may be installed during a subsequent attack unrelated to the initial infection. Under these circumstances we strongly urge that a complete reformat and reinstall of the machine take place. Otherwise, your privacy, the integrity of your data, and the security of the machines you connect to from this infected system may very well be at risk.

We realize that it is very likely that you do not want or are not able to throw out all of your data. To do so would be the equivalent of burning down the house you grew up in. The closets and attics of your hard drive are most likely filled with documents, pictures, and other memorabilia that you do not want to destroy. Therefore it is important for you to clean your data to the best of your ability before backing it up; reinstalling your operating system and applications; and then restoring your data.

A summary of the recommended process is as follows:

  1. remove the computer from the network
  2. run virus specific removal tools (if appropriate)
  3. install Norton Anti-virus on infected machine (if necessary)
  4. update to latest Anti-virus definitions (if necessary)
  5. use Norton Anti-virus to clean machine
  6. reboot computer to remove any virus images left in memory
  7. use Norton Anti-virus to clean machine (second time)
  8. backup data
  9. reformat while installing operating system
  10. shut down services (NT, 2000, XP)
  11. connect to the network
  12. apply patches to secure the operating system
  13. install a patched version of internet explorer (5.01 sp2, 5.5 sp2, 6.0)
  14. install MS Office (if appropriate)
  15. apply patches to MS Office (if installed)
  16. install and configure Norton Anti-virus
  17. update to latest Anti-virus definitions
  18. restore data
  19. scan all files
  20. install other applications

This is likely to take several hours and requires several tools:

We understand that time can be more valuable than money. If we did not believe these steps were absolutely necessary to ensure the integrity of your data, preserve the safety of the network community, and ensure the security of the Columbia University computing environment we would not be insisting that they be performed.

It is unfortunate that the ownership and use of a personal computer is not as maintenance free as a camera, VCR or toaster. Instead a personal computer requires about as much attention as a 1950s automobile.

7.1. Remove the Computer from the Network

The very first step once you are aware that the computer system is infected by a network virus is to disconnect the computer from the network. This is crucial to ensure that the computer can no longer attempt additional attacks or be further infected while you are attempting to disinfect it.

7.2. Using a Virus-Specific Removal Tool

If the virus in question has a specific removal tool, download and run that tool first. In the case of both Code Red II and Nimda there are specific tools available to remove the obvious symptoms of the virus or worm.

Microsoft Code Red II Removal Tool
http://www.microsoft.com/technet/security/tools/redfix.asp

Symantec Nimda Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

Symantec Code Red Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/codered.removal.tool.html

Symantec SirCam Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html

Symantec Removal Tools for other viruses and worms
http://securityresponse.symantec.com/avcenter/tools.list.html

NOTE: These tools can only remove the obvious symptoms of the virus/worm. If the virus/worm installs a back door, the removal tool can close the back door but it cannot remove anything that was installed using the back door.

7.3. Using Norton Anti-Virus to Clean the Computer

The following procedure can be used only if we can assume that the infected computer does not contain a virus that is able to disable or corrupt the anti-virus program.

Norton AntiVirus is a virus scanning program developed by Symantec Corporation. AcIS has purchased a site license for the Columbia University community. You can download it from:

  http://www.columbia.edu/acis/software/nav/

or install it from the AcIS Internet Software CD-ROM. The AcIS Internet Software CD 8.0 for Fall 2001 is available for $10.00 in the following locations:

If you have not already installed the Anti-virus program you should purchase the AcIS CD (or borrow it from a friend).

You should also download the latest Virus Definitions file using an uninfected computer. Three diskettes are required. The web address is:

  http://www.symantec.com/avcenter/download/pages/US-NNT.html

When you purchase the Norton Anti-virus CD the program can be executed off the CD in case the machine has been infected. Can this be done from the AcIS CD?

Can 102 Philosophy distribute diskettes with the latest virus definitions so that users do not have to connect to the network?

This section is flawed. I've been going through numerous scenarios in which the next virus has code to use the same hooks anti-virus programs use in order to prevent the installation or use of anti-virus programs. It does not actually need to uninstall the anti-virus program or destroy it; all it needs to do is corrupt the contents of the virus definition files (VDF). Since there are a relatively small number of VDF formats out there, this would be fairly easy to do. Once the VDFs become unreadable it would be impossible to detect or disinfect the computer with the most common tools. In that case, the data must be removed onto removable media and disinfected on a previously uninfected computer.

Install the Anti-virus program.
When queried to update the virus definitions from the web choose to postpone the decision. Update the virus definitions using the files you downloaded from a friend's uninfected computer.

Configure the anti-virus program to scan all files.
Scan all drives. When prompted to process an infected file choose either "delete" or "clean". Reboot the computer when the scan is complete. After the computer reboots scan the computer a second time to ensure that any memory resident viruses have been removed from the system.

This process takes care of any known viruses. However, it does not protect you against any additional hacker tools that were installed by a back door.

7.4. Backing up Data Files

If your computer has been infected by a virus that installs a back door it is extremely important that you do not back up applications. In other words, do not back up any executable files (.EXE, .COM) or dynamic link libraries (.DLL, .OCX). Only back up your data files. Do not blindly select directory trees to back up. Select each file in each directory manually. This is important because the back door may have been used to install files that could be used to activate a virus or another unwanted tool in any directory.

Once you have selected all the files to back up you can copy them to a floppy or other removable media. If you have a CD-R drive and appropriate software you can write them to a CD-R. If you have a tape drive, you can back them up to tape.

Remember, only data files can be backed up. When the data files have been backed up and verified you may want to take the added precaution of scanning the backup copies (when possible) with Norton Anti-virus on an uninfected machine.

Be sure to use a backup method that lets you restore selected files after re-installing the operating system.

Once the backup is complete you can go ahead and re-install the operating system.

7.5. Reinstalling the Operating System

There are two legal ways the operating system was installed on your computer:

Since you are installing an operating system from scratch you might want to consider upgrading your operating system to a newer version.

7.5.1. Using the Recovery CD

The Recovery CD instructions are going to be computer manufacturer specific. Read the directions that came with the CD. In general, the CD restores the computer to the original state in which the computer was shipped from the manufacturer. This CD installs not only the operating system but also a number of hardware specific device drivers and end-user applications. These CDs usually erase everything on the machine.

7.5.2. Installing the operating system

This section needs to be expanded to contain OS-specific details.

The directions for each operating system (Windows 95, 98, 98SE, ME, NT, 2000, XP) are slightly different. The general rules are that when installing the operating system you want to repartition and reformat the drives the operating system is going to be installed onto. If you are installing NT, 2000, or XP, you want to use the NTFS file system instead of FAT.

If you need to create installation diskettes from the CD media use the commands:

  DOS           :  WINNT.EXE /OX
  32-bit Windows:  WINNT32.EXE /OX

During installation defer any questions about configuring the network or joining a domain. Do not install features you do not absolutely require. In particular, do not install Personal Web Server or Internet Information Service. If you are installing Windows 95/98/ME, do not install the File and Print Sharing services unless you require the ability to share your drives.

7.6. Shutting Down Services (NT,2000,XP)

If you just installed NT, 2000, or XP you must shut down several services before you can safely connect to the network since the computer has not yet been patched.

Insert instructions for turning off services on each OS version.

In general, open the Services Control Panel. Record the current Startup Type setting. Change the setting to Disabled. If you cannot find the service in the Services Control Panel, then that service was not installed on your computer.

Restart Computer.

7.7. Connecting to the Network

If you need to connect to the network in order to download patches for the operating system, now is the safe time to do so. While you are connected to the network: do not read e-mail; do not read newsgroups; only apply patches until the rebuilding process is complete.

7.8. Applying Patches to the Operating System and Internet Explorer

If you have a CD-ROM containing the operating system patches, follow the directions that came with the CD describing the patch procedure.

If you do not have a CD-ROM, you can use the Microsoft Windows Updates service.

  http://windowsupdate.microsoft.com/

This service requires that Internet Explorer 5 or higher be used. If the version of IE that comes with the operating system is earlier than version 5 you must perform an IE update before you can continue. If your IE version is earlier than version 4, you must download the IE 5 (or higher) installer from a friend's computer (~550K) and execute it on your machine to perform the download and installation (~17MB). If you have version 4 you can download the installer from

  http://www.microsoft.com/ie/

Once you have a version of IE installed that is 5.0 or higher you can start IE, select the Tools menu, and the Windows Update option. From the Windows Update home page select the PRODUCT UPDATES link. When a connection is established you are prompted with:

  Windows Update Security Warning
  Do you want to install and run "Windows Update Control Package"
  signed on 5/4/01 7:49 PM and distributed by "Microsoft Corporation"
  Publisher authenticity verified by Microsoft Code Signing PCA.

You will now see a dialog box "Checking Available Updates..." This will be replaced by a screen listing all of the available updates for your combination of Operating System, Internet Explorer, and Hardware.

To avoid this warning each time you use Windows Update, add the web site windowsupdate.microsoft.com to your list of Trusted Web Sites:

The list of updates is likely to be quite long and potentially confusing. The following is a list for each operating system of the updates that are to be installed and the order in which they are to be applied. The general rules are as follows:

NOTE: We strongly advise against using Microsoft Outlook or Outlook Express as your electronic mail client. However, if the version of Outlook Express is not updated to the current version, there is the chance that known vulnerabilities related to the reading of e-mail messages in Internet Explorer will not be patched.

**Versions of Windows Media Player (6.4 to 7.1) contain a buffer overflow error that can allow arbitrary code to be executed when Media Station (.NSC) files are executed. These files can be launched automatically from within a browser. Users must either apply the patch to version 6.4 or upgrade to version 7.1 and then apply the patch.

  http://www.microsoft.com/technet/security/bulletin/MS01-042.asp

7.8.1. Windows 2000

The following updates must be installed on a Windows 2000 system:

Patches sometimes take weeks or months to appear on the Windows Updates web site. All security patches for Windows 2000 can be downloaded from:

  http://www.microsoft.com/technet/security/current.asp?productid=5&servicepackid=2

7.8.2. Windows NT 4

The following updates must be installed on a Windows NT 4 Workstation system:

There are many patches that are not supplied as part of Service Pack 6a. Microsoft has stated they will not issue further service packs for NT 4.

  http://www.microsoft.com/technet/security/current.asp?productid=1&servicepackid=7

7.8.3. Windows ME

Windows Millennium Edition comes with Internet Explorer 5.5. To access Windows Update in IE 5.5 select Windows Update on the Tools menu or use the Windows Update shortcut on the Start Menu.

There are no service packs available for Windows ME. From the Windows Update site you should install:

There is one security patch available at:

  http://www.microsoft.com/technet/security/current.asp?productid=19&servicepackid=89

7.8.4. Windows 98 Second Edition

Windows 98 Second Edition comes with Internet Explorer 5.0. To access Windows Update in IE 5.0 select Windows Update on the Tools menu or use the Windows Update shortcut on the Start Menu.

There are no service packs available for Windows 98SE. From the Windows Update site you should install:

There is one security patch available at:

  http://www.microsoft.com/technet/security/current.asp?productid=11&servicepackid=88

7.8.5. Windows 98

Windows 98 comes with Internet Explorer 4.0 SP1a. To access Windows Updates in IE 4.0 select Product Updates on the Help menu or use the Windows Update shortcut on the Start Menu.

From the Windows Update site you should install:

There are a large number of security patches available for Windows 98 that are not included in SP1.

  http://www.microsoft.com/technet/security/current.asp?productid=10&servicepackid=52

7.8.6. Windows 95, OSR2, and OSR2.5

Windows 95 comes with Internet Explorer 3.02. This version is too old to use with the Windows Update functionality. In order for Windows Update to be used a version of IE 4.0 or higher must be installed from:

  http://www.microsoft.com/windows/ie/

In addition, Microsoft has stopped supporting Windows 95. The Windows Update site contains only a small subset of all of the patches that are available for the Windows 95 platform. Other patches, including Service Pack 1 and updated versions of the Windows TCP/IP stack (winsock), are only available from the Windows 95 Download site:

  http://www.microsoft.com/windows95/downloads/default.asp

Patches that should be installed from the Windows 95 Download site include:

From the Windows Update site you can then install:

There are additional security patches available for all releases of Windows 95 that are not found at the previous two locations:

  http://www.microsoft.com/technet/security/current.asp?productid=9&servicepackid=50

7.9. Installing and Patching Microsoft Office (if appropriate)

If you are going to install a version of Microsoft Office now is the time to do so. After the installation is complete, or if Microsoft Office was installed onto your computer as part of the Recovery CD you need to patch the vulnerabilities.

If you have a CD-ROM with the appropriate patches, install them from the CD-ROM. Otherwise, use Internet Explorer to open

  http://office.microsoft.com/productupdates

This web site is very similar to Windows Update, except that instead of providing updates based upon the operating system version, the MS Office version is tested. Like the Windows Update site, you will need to accept an ActiveX control, and you may want to add the office.microsoft.com hostname to the Trusted Sites list in the Internet Options.

The list of updates for each version of Microsoft Office follows.

7.9.1. MS Office XP

There are no service packs available for Office XP.

Office XP has one Security Patch available.

  http://www.microsoft.com/technet/security/current.asp?productid=116&servicepackid=0

7.9.2. MS Office 2000

The latest Office 2000 Service Pack is SP-2. Office 2000 has been shipped in three different versions: (original, SR-1 and SR-1a). Service Release 1a must be installed before Service Pack 2. Service Pack 2 must be installed before any of the other patches.

With SP-2 installed, there are still several security patches to be installed.

  http://www.microsoft.com/technet/security/current.asp?productid=42&servicepackid=11

The Windows Installer used by Office 2000 requires access to the original media. Here is Microsoft's explanation why it is required:

  http://support.microsoft.com/support/kb/articles/Q255/4/99.ASP

7.9.3. MS Office 97

Office 97 has had several service releases. The latest version is SR-2b. With SR-2b installed there are several security patches still to install.

  http://www.microsoft.com/technet/security/current.asp?productid=70&servicepackid=29

7.9.4. MS Office 95

There were no service releases for Office 95.

There is one security patch to be installed on Office 95. Office 95 does not have the same types of vulnerabilities as later versions as it was not Internet aware.

  http://www.microsoft.com/technet/security/current.asp?productid=69&servicepackid=0

7.10. Install Norton Anti-virus

Follow the directions in Section 7.3 to install and update Norton Anti-virus. Configure it to scan all files.

7.11. Restoring original Services settings (NT, 2000, XP)

Now that the system is patched it is safe to turn back on the services that were turned off in Section 7.6. However, unless you have a serious need to be using services such as IIS, Telnet, or FTP, leave them off.

If you are using Internet Information Service (IIS) be sure to run the IIS Lockdown Tool (Section 8.3.2.2).

7.12. Restore backed up data

Restore the backed up data to your machine and follow it with a full scan using Norton Anti-virus.

7.13. Install other applications

Once your data is restored it is now safe to begin to restore other applications that may rely on the backed up data.

7.14. Additional precautions

If your machine had a back door installed, everything the machine was used for while infected is at risk. All data that was on the computer should be considered compromised. The following items at the very least should be performed:


8. How to Prevent Reinfection

As long as your computer is connected to outside sources of data it will not be possible to completely protect it from infection. Infections occur either because of a vulnerability in the operating system or applications that is actively attacked; or because a user unintentionally activates the virus during the course of their normal everyday activities. So what are the things we can do?

First, you can reduce the number of known vulnerabilities your computers are susceptible to:

Second, you must lower your trust level when interacting with information communicated to you by third parties. Security professionals will tell you that if you do not control the source of the communication you cannot be sure that it is safe. Virus authors attempt to use our trusting nature against us by using the accounts of our friends and family to send virus bearing e-mails or altering the web pages of trusted companies to convince us to download the virus to our machines. As the rate of incidents continues to increase we must respond with increased vigilance. We need to be conscious of our actions and how they may allow us to be taken advantage of. In other words, communicating over the web is not as safe as we would like it to be. In the same way that we must be careful of the things we say to someone that calls us on the phone saying they are from our bank, we must be careful of what we accept in e-mail or from web pages.

For those who are unaware, if someone calls you claiming they are from your bank or from any other company with which you have an ongoing relationship, do not give the caller:

All of this information is already known by your bank (or other company you are doing business with) and they have no reason to ask you for it. If there is a legitimate reason why they need this information the caller should ask you to call the phone number on the back of your credit card or on your monthly statement and speak with the appropriate representative. Only by initiating the call to a previously known phone number should you have a feeling of safety since you have no means of authenticating the caller is truly from your bank when you answer the call.

8.1. Subscribe to Mailing Lists for Notification of Vulnerabilities

The Microsoft Security Notification Service is a free e-mail notification service that Microsoft uses to send information to subscribers about the security of Microsoft products. Anyone can subscribe to the service, and you can unsubscribe at any time.

The goal of this service is to allow Microsoft to provide you with information that you can use to inform and protect yourself from malicious attacks. Microsoft's security team investigates issues reported directly to Microsoft, as well as issues discussed in certain popular security newsgroups. When they publish bulletins, they'll contain information on what the issue is, what products it affects (if any), how to protect yourself against it, what Microsoft plans to do to fix the problem, and links to other sources of information on the issue.

This service supplements the security bulletins and other information located at Microsoft product security.

Microsoft digitally signs all security bulletins. To verify the signature, please download their PGP key from

  http://www.microsoft.com/technet/security/MSRC.asc

The key's fingerprint is 5E39 0633 D6B3 9788 F776 D980 AB7A 9432.

It is very important that when Microsoft announces a vulnerability and a patch that the advice be taken seriously and the patch installed. You can be sure that if you know about the vulnerability so do all of the potential virus writers and others that might want to attack your computer system. By installing the patches or removing services that are considered vulnerable you significantly reduce the chances that attacks against your computer will succeed.

8.1.1. Subscribing to the Service

To subscribe to the service send e-mail to:

  microsoft_security-subscribe-request@announce.microsoft.com

The subject line and the message body are not used to process the subscription request, and can be anything you like. Send the e-mail. You'll receive a response asking you to verify that you really want to subscribe. Compose a reply and put "OK" in the message body (without the quotes). Send the reply. You'll receive two e-mails, one telling you that you've been added to the subscriber list, and the other with more information on the notification service and its purpose. You'll receive security notifications whenever Microsoft sends them.

8.1.2. Canceling Your Subscription to the Service

You can cancel your subscription at any time by following these steps:

Compose an e-mail to

  microsoft_security-signoff-request@announce.microsoft.com

The subject line and the message body are not used to process the cancellation request, and can be anything you like. Send the e-mail. You'll receive a response asking you to verify that you really want to cancel your subscription. Compose a reply and put "OK" in the message body (without the quotes). Send the reply. You'll receive an e-mail telling you that your name has been removed from the subscriber list.

8.2. Safe Computing: Adjusting the Human Factor

The most important thing we can do to protect our computers, after closing known vulnerabilities, is to alter our online behavior. When there are no vulnerabilities available to exploit via active attacks across the network, virus writers must wait for users to provide them with an opportunity.

The most common ways for an attacker to take advantage of a user are:

Preventing these types of attacks requires a change in the way you interact with your computer.

8.2.1. Strong passwords

Enough cannot be said about choosing strong passwords. Passwords are still the most common form of end user authentication used. In security circles we often refer to the three forms of authentication:

The most secure systems require at least two of the three types. Unfortunately, most computer systems still only require a password. This means that it is extremely important that the password be strong. What does it mean for a password to be strong? It means that the likelihood of it being guessed is very remote.

You may have read about the different strengths of cryptographic algorithms. There has been a great deal of debate over how strong the U.S. government should allow the algorithms to be. This is because the stronger the keys used to keep communications private, the harder it is for the government to perform electronic wiretapping. Of course, the harder it is for the government, the harder it is for criminals to listen in as well.

Starting in the 1970s the U.S. government began to require that all sensitive government communications be protected by the Data Encryption Standard (DES). DES uses 56-bit keys. At the time, 56-bit keys were considered unbreakable with the computer equipment then available. Now, in the year 2001, a 56-bit DES key can be broken in under a day with specially designed equipment built from off-the-shelf parts. The U.S. government has recently approved a replacement for DES called the Advanced Encryption Standard (AES). AES has a minimum key strength of 128 bits and a maximum key strength of 256 bits.

Now you may be asking yourself why I am spending all this time talking about numbers of bits when I started off talking about passwords. It's actually pretty simple. A password is nothing more than data that is used to generate a key. That key is then used to protect some other data by encrypting it with a cryptographic algorithm. The strength of the key has a direct impact on how secure the protected data is.

Passwords consist of printable characters: upper and lower case letters, numbers, punctuation marks, and some other symbols. Each character in your password contributes less than 7 bits to the resulting key. This means that an 8 character password yields no more than a 56-bit key. Remember that the 56-bit keys used with DES can be broken in under a day. With a modern 1 GHz computer with a gigabyte of memory and several hundred gigabytes of disk space, an attacker can break an 8 character password in a little more than a day using a brute force attack.

Unfortunately, most users do not choose even 8 character passwords, and the passwords they do choose are frequently words found in a dictionary. Attackers can therefore optimize the attack by checking all of these common words first; then combinations of words; then addresses, phone numbers, birthdays, etc. This cuts the time it takes to discover a password down to a matter of minutes when the attack can be performed off-line. An off-line attack is one where the attacker does not need to access the computer being attacked while attempting to determine the password. An on-line attack is one where the attacker must contact the computer in order to try each potential password. On-line attacks are costly because of the time it takes to establish the connection used to test each password, and because of the high risk of detection caused by the failed attempts.

Passwords are used for two purposes: to authenticate the user to a service in order to gain entry, or to unlock an encrypted file so that it can be read. Windows NT/2000/XP has multiple accounts. At a minimum it has an "Administrator" and a "Guest" account. In addition to these are any accounts that you create to represent yourself while using the computer. Since it is possible to remotely connect to a Windows NT/2000/XP system over the network and attempt to authenticate as a user, it is very important that the passwords used for the accounts be strong.

Your Windows password is also used to protect any "saved passwords" associated with dial-up connections, web sites, e-mail accounts, and other services provided by Microsoft Windows. Other applications may require other passwords to protect files that contain SSH, X.509 or PGP private keys, or passwords used when connecting to other hosts. It is important that all of these passwords not only be strong but be different. If one of the passwords were to be compromised, you would not want to lose all of your passwords.

If you have ever lost your wallet containing your driver's license, social security card, credit cards, bank cards, and student identification, you understand the pain caused when you lose everything at once. Losing your driver's license is bad enough, but with the rest of your IDs you can easily convince the State to issue you a replacement. However, when you lose all of your IDs and credit cards, not only must you cancel everything you have lost, but you have no easy method for acquiring replacements since you have no form of identification.

I have used the term strong password many times now without defining what it means. A strong password:

An 8 character password is no stronger than 40 bits. A 12 character password is no stronger than 56 bits. A password stronger than 128 bits would have to be at least 26 characters long. (Unfortunately, for compatibility with older Windows versions the Windows password is restricted to 14 characters, or no stronger than 70 bits.)
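
The bit counts above follow from the size of the character repertoire raised to the password length. The following added example (not part of the original guide) turns that into a small estimator: it computes the upper bound on a password's key strength from the character classes actually used, checks for embedded dictionary words in the way an off-line attack would, and converts a bit count into expected brute-force time. The word list, the 95-character printable alphabet, and the guess rate of one billion per second are assumptions made for the example; an estimator's figures depend on the alphabet assumed per character, so they need not match the rounded bounds quoted in the text.

```python
import math
import re

# Constructed stand-in for the word lists an attacker tries first; real
# cracking dictionaries hold hundreds of thousands of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "columbia", "kermit",
                "secret", "summer", "dragon", "monkey", "qwerty"}

# Character classes with the number of characters in each. Together they
# make up the 95 printable ASCII characters (assumed alphabet).
CLASSES = (
    ("lower",  re.compile(r"[a-z]"),        26),
    ("upper",  re.compile(r"[A-Z]"),        26),
    ("digit",  re.compile(r"[0-9]"),        10),
    ("symbol", re.compile(r"[^A-Za-z0-9]"), 33),   # punctuation and space
)


def alphabet_size(password: str) -> int:
    """Size of the smallest character repertoire containing every character used."""
    return sum(size for _, pattern, size in CLASSES if pattern.search(password))


def max_entropy_bits(password: str) -> float:
    """Upper bound on the key strength a password can yield: length * log2(alphabet).
    A guesser who knows which classes were used never needs more than this."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def dictionary_hits(password: str) -> list:
    """Common words embedded in the password. Digits and symbols are stripped
    first, so 'Password1!' is still recognised as the word 'password'."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return sorted(word for word in COMMON_WORDS if word in core)


def brute_force_days(bits: float, guesses_per_second: float) -> float:
    """Expected days to find a key of the given strength by exhaustive search:
    on average half the key space must be tried."""
    return (2.0 ** bits / 2.0) / guesses_per_second / 86400.0


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise a password's strength. The guess rate is an assumed figure for
    an off-line attack on a single modern machine, not a measured one."""
    bits = max_entropy_bits(password)
    hits = dictionary_hits(password)
    # A password built around a dictionary word falls to a word-list attack
    # long before exhaustive search; treat its effective strength as zero.
    effective = 0.0 if hits else bits
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "max_bits": round(bits, 1),
        "dictionary_words": hits,
        "effective_bits": round(effective, 1),
        "days_to_brute_force": round(brute_force_days(effective, guesses_per_second), 2),
    }


if __name__ == "__main__":
    for candidate in ("Password1", "kU7$mw2Lq9#Bz", "correcthorsebatterystaple"):
        print(candidate, assess(candidate))
```

The estimator only bounds strength from above: a password that mixes all four classes but follows a keyboard pattern is weaker than its bit count suggests, which is why the dictionary check, not the bit count, decides the effective strength.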

8.2.2. Preventing password theft

Now that you have a unique strong password for each of the hosts, services, and applications that require one, you have to learn to protect those passwords from being stolen. Why? If the cryptographic algorithms used to protect your data are too hard to break and the passwords are too hard to guess, the attacker is going to look for ways to steal the password instead, if that would be easier.

Passwords are often stolen because they are kept in plain view: either taped to the computer on which they are used, or stored in a wallet, appointment book, or personal digital assistant where they can be easily read. Clearly these are bad things to do.

Passwords are also frequently stolen by capturing unencrypted network traffic between your computer and a remote service you are attempting to log in to. Passwords should never be sent over unencrypted connections, whether the session is HTTP (web), FTP (file transfer), TELNET (remote login), POP3 or IMAP (e-mail), or any other service. If you do not know that the connection is protected, the password should not be sent.

Passwords are protected when the HTTP connection is secured using SSL/TLS; when FTP or Telnet sessions are authenticated using Kerberos or Secure Remote Password; or when the sessions are protected with SSL/TLS. Another service over which the risk of transmitting passwords is reduced is SSH.

Passwords should not be stored in the file system of a computer on which those passwords are used. If they do need to be stored on your computer they should be encrypted and protected with a super-strength password -- a password that is stronger than any of the passwords stored in the protected file.

8.2.3. Ignore unexpected E-mail attachments

The number one method for propagating viruses and worms is e-mail attachments. This has been the case for a long time. For as long as e-mail has been capable of transferring program and data files (whether uuencoded or using MIME), people have succumbed to the natural desire to share cool things with their friends. This meant that trojan horse viruses would be passed from person to person simply because someone thought that someone else should share the joke, the game, or the office document. As the virus was activated on a computer it would turn additional files into trojans to be used to spread the virus to other machines. This method is most frequently used with the macro viruses that infect data files for applications that contain integrated scripting languages (e.g., Microsoft Office applications). By infecting documents which are frequently exchanged by users as part of their normal day-to-day activities, a large number of computers can be infected in a passive manner.

Virus authors have learned to take advantage of the scripting languages and lower level operating system calls to write viruses which can not only infect local files but automatically mail themselves to e-mail addresses found in your electronic address books and files stored in your web cache. As application authors have placed restrictions on how e-mail can be sent using the built-in scripting languages, virus authors have written their own mailers to include as part of the virus. Viruses that actively mail themselves to others spread at a much faster rate than the older passive viruses. They also significantly increase the percentage of e-mail containing infected attachments.

The active attack e-mail viruses have produced a large increase in the amount of mail being sent on the Internet. E-week has estimated that the current e-mail infection rate is 1 out of every 300 e-mails. If the viruses continue to spread at their current rate it is thought that 1 in 10 e-mails will contain a virus by the end of 2002. It is therefore crucial that we stop treating attachments as harmless and instead treat them as something that must be quarantined and scanned for infection.

What rules should apply to e-mail attachments that will determine if the e-mail attachment you are receiving is safe to open?

The first rule is to determine whether the e-mail itself is something you are expecting. If you have been taking part in an on-going dialog with a co-worker and then suddenly receive an e-mail with the same subject line saying nothing more than "Can you take a look at this for me?", you should be suspicious. Call or otherwise contact your co-worker to determine whether she actually meant to send you the attached document. This is necessary because the virus has access to your mailbox. It is therefore possible for the virus to reply to one of your received e-mails as a means of transporting itself to a new host. Even if your co-worker did intend to send the attachment, you must still scan it for viruses with your anti-virus software. You do not know whether the attachment is free of known viruses unless you do.

The second rule is never to open attachments sent to mailing lists. For starters, mailing list etiquette states that attachments should not be sent for two reasons:

Instead of sending attachments, subscribers should post the data to be shared on a public web site that can be accessed via FTP or HTTP.

Unfortunately, being safe means that many conveniences that users are accustomed to must be disabled in PC based e-mail clients. No longer can we allow the use of preview modes; automatic display of messages simply by selecting the subject line; or the use of embedded scripting languages and executable program code. While these features do increase ease of use and allow for a more robust multimedia experience, these features increase the number of opportunities for a virus to be given access to the computer.
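
As an added example (not code from the guide or from any mail client), here is a small Python triage filter that applies the two rules above to an incoming message: it flags mail that arrives through a mailing list or from a sender you do not correspond with, classifies every attachment as blocked (types Windows executes directly) or quarantined pending a scan, and notes double extensions such as 'photo.jpg.vbs'. The extension list, the sample message and the addresses are constructed for the example; rule one's real test, contacting the sender, cannot be automated and is only approximated here by the known-correspondent check.

```python
import email
import email.utils
from email import policy

# Extensions Windows executes directly, plus script and shortcut types;
# a defender never opens these from mail. Constructed list for this example.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "lnk", "reg"}


def classify_attachment(filename: str) -> str:
    """'block' for anything Windows would execute, 'quarantine' for everything
    else: a document or archive is held until the virus scanner has passed it."""
    exts = filename.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        return "block"
    return "quarantine"


def looks_disguised(filename: str) -> bool:
    """A double extension such as 'photo.jpg.vbs': Windows hides the final
    extension by default, so the file appears to be a picture."""
    exts = filename.lower().split(".")[1:]
    return len(exts) > 1 and exts[-1] in EXECUTABLE_EXTS


def triage_message(raw: bytes, known_correspondents: set) -> dict:
    """Apply the two rules from the text: flag mail that was not expected
    (approximated as an unknown sender) and any attachment sent through a
    mailing list, then classify each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    warnings = []
    if msg.get("List-Id") or msg.get("List-Post"):
        warnings.append("attachments sent to a mailing list")
    if sender not in known_correspondents:
        warnings.append("sender is not a known correspondent")
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        attachments.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "verdict": classify_attachment(name),
            "disguised": looks_disguised(name),
        })
    # Whatever the rules say, nothing is opened before it has been scanned.
    return {"sender": sender, "subject": str(msg.get("Subject", "")),
            "warnings": warnings, "attachments": attachments}


# Constructed sample message: a one-line reply carrying two attachments,
# delivered through a mailing list.
SAMPLE = b"""From: "A Colleague" <colleague@example.org>
To: you@example.org
Subject: Re: budget
List-Id: staff-announce.example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Can you take a look at this for me?
--XYZ
Content-Type: application/octet-stream; name="budget.xls.vbs"
Content-Disposition: attachment; filename="budget.xls.vbs"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--XYZ
Content-Type: application/msword; name="notes.doc"
Content-Disposition: attachment; filename="notes.doc"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--XYZ--
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_message(SAMPLE, {"colleague@example.org"}), indent=1))
```

Note that the filter never returns an "open" verdict: even a plain document from a known sender is quarantined until the scanner has passed it, which is exactly the change in habit the text asks for.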

8.2.4. Beware of the unexpected when browsing the web

One of the standard rules in security is to beware of the unexpected. If someone walked up to you on the street and offered you the keys to a Ferrari, no strings attached, you would be suspicious. That is because this is not something that normally occurs while walking down the street. Nor is it something that has happened to your friends or family. When browsing the web you need to be just as cautious.

There are three actions that can be applied to a download from a web page:

Program files and documents should always be saved to disk, virus checked, and then, if they appear to be safe, executed or opened. Under normal conditions a web site will not contain any instructions to automatically download a file to your computer, either for saving to disk or for automatic execution. If a web site has been modified to attack your computer (as was done by the Nimda virus), the browser will pop up a window asking what you would like to do with the specified file (open, save, or cancel). If you are not expecting a file to be downloaded, you should cancel the operation.

8.2.4.1. ActiveX Controls

ActiveX Controls are reusable software components that incorporate ActiveX technology. These components can be used to add specialized functionality, such as animation or pop-up menus, to Web pages, desktop applications, and software development tools. An ActiveX control may be signed or unsigned. A signed control is one whose author can be verified by the browser. All that means is that when the browser is about to execute an ActiveX control it can ask you if you want to install and run an ActiveX control from "XYZ Corp.". Signing does not tell you whether or not the ActiveX control is safe.

The verification of the ActiveX control is performed by comparing the signature associated with the control to a list of signing certificates which are stored in the browser's Certificate Authority Store. If a certificate can be found that matches the signature and that certificate is still valid, then the ActiveX control has been verified.

It is important to know that the security of this verification system depends on commercial companies, such as Verisign, that act as Certificate Authorities not making mistakes. Unfortunately, no person or company is perfect. Verisign issued valid certificates to an unknown party, which would give that individual the ability to sign ActiveX controls as "Microsoft Corporation". This forced Microsoft to issue a patch for Windows that prevents the mis-issued certificates from being validated by Windows. Unfortunately, any Windows system that is not patched is vulnerable to an attack by someone misrepresenting their ActiveX controls as being from Microsoft. The patch to correct this specific problem is available from the Microsoft Windows Update web site.

ActiveX controls, when signed, can be marked as either Safe for Scripting or Unsafe for Scripting. A Safe for Scripting mark only indicates that the author of the control says that it is "safe". Microsoft describes marking a control as Safe for Scripting as the author entering into a legally binding contract with the user of the control. However, I doubt this would stop a virus author from abusing this flag.

ActiveX controls, unlike Java applets, have complete access to the computer using the identity of the user who started the browser within which the control is executed. This makes ActiveX controls a very tempting vehicle for virus authors. The acquisition of the "Microsoft Corporation" signing certificate could have been used as part of a widespread attack, as most people will accept anything that Microsoft publishes to the web. The reason it is so important to ensure that the "Root Certificates Update" is applied from the Windows Update site is to prevent these invalid certificates from being accepted as valid.

8.2.4.2. Java Applets

Java applets are a much safer method for web site developers to execute programs on your computer. Java applets are not executed directly by the operating system on which they are run. Instead, Java applets are executed within a virtual machine (a computer simulator). The Java VM has a security policy associated with it that prevents many types of access to the computer: These restrictions make it very difficult for a virus author to use a Java applet to write a virus. The only way a virus author can use an applet to cause harm is by convincing the user to grant the necessary permissions to the applet. When an applet attempts to access a privileged operation, the browser will present a dialog box asking the user whether permission for the desired privilege should be granted. The rule is: if you are not expecting the request, the permission should be denied.

Permission is often requested when using web based installation routines. When java applets are used for this purpose, the web site should explain the permission request in their installation instructions. It goes without saying that you should not install software downloaded from the web that comes from a source that might not be trustworthy.

8.3. System tuning

It would be nice if computers were shipped from the factory in a safe and secure configuration. Unfortunately, they are not. New computers come without the latest operating system and application updates or patches. They frequently come configured with unnecessary features installed and activated. They may also not come configured with all of the security features turned on.

This section will attempt to highlight some of the features which may be unnecessarily putting you at risk as well as configuration options which can be applied to strengthen the security of the computer.

8.3.1. Windows 95, 98, 98SE, ME

Windows 95, 98, 98SE, and Millennium Edition are insecure operating systems. They were never designed to provide the security necessary to restrict the actions of users or viruses. All user accounts on these operating systems have the equivalent of administrator (or root) privileges. Services (network applications that accept incoming connections from other computers) should never be run on them. A vulnerability in the service will leave the entire computer at risk.

These operating systems can safely be used as client-only computers after several features have been disabled. Personal Web Server, File and Print Sharing, and the Remote Registry Service should be uninstalled. Other remote access products such as PC Anywhere should not be installed.

Personal Web Server and Remote Registry Service are removed using the Add/Remove Programs Control Panel. File and Print Sharing is removed using the Network Control Panel.

It is strongly recommended that, if your computer hardware will support Windows NT/2000/XP, you replace your operating system, as NT/2000/XP can be configured in a significantly more secure manner.

8.3.2. Windows NT, 2000, XP

Windows NT, 2000, and XP are securable operating systems which were designed to support the simultaneous execution of applications by multiple users and background services. The fact that NT/2000/XP are securable does not mean that every installation of them is secure. Most installations are not, either because they are not shipped in a secure manner by the computer manufacturer or because the users of the computer do not know how to properly configure them.

8.3.2.1. Baseline Security Checklists

Microsoft has recently published a set of checklists for the NT and 2000 operating systems which explain how to configure them for a baseline level of security. Performing the steps described in the checklists will establish a baseline which will need to be maintained throughout the lifetime of the computer by maintaining appropriate access controls and continuing to apply patches to close newly discovered vulnerabilities.

Windows 2000 Server Baseline Security
http://www.microsoft.com/technet/security/tools/w2ksvrcl.asp

Windows 2000 Professional Baseline Security
http://www.microsoft.com/technet/security/tools/w2kprocl.asp

IIS 5.0 Baseline Security
http://www.microsoft.com/technet/security/tools/iis5cl.asp

Windows NT 4 Server Baseline Security
http://www.microsoft.com/technet/security/tools/nt4svrcl.asp

Windows NT 4 Workstation Baseline Security
http://www.microsoft.com/technet/security/tools/mbrsrvcl.asp

IIS 4.0 Baseline Security
http://www.microsoft.com/technet/security/tools/iis4cl.asp

8.3.2.2. IIS Lockdown Tool

IIS Lockdown Tool is designed for users that have IIS installed on their computers (NT4, 2000, XP) but do not have the expertise or the inclination to manage it. It has an Express Lockdown mode that shuts down all services that are not required.

  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32362

8.3.2.3. HotFix Network Check

HFNetChk is a command-line tool that enables an administrator to check the patch status of all the machines in a network from a central location. The tool does this by referring to an XML database that's constantly updated by Microsoft. HFNetChk can be run on Windows NT 4.0 or Windows 2000 systems, and can scan either the local system or remote ones for patches available for the following products:

  http://support.microsoft.com/support/kb/articles/q303/2/15.asp?id=303215&sd=tech
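
To show how a patch-status check of this kind works, the following added example (not HFNetChk and not Microsoft's XML schema) compares each machine's installed hotfix list against a constructed XML patch database. A fix counts as present when the hotfix itself or one that supersedes it is installed, and the report names the newest hotfix that closes each gap. All hotfix and bulletin identifiers, hostnames and the database layout are placeholders invented for the example.

```python
import xml.etree.ElementTree as ET

# Constructed patch database in the spirit of the XML file such a tool consults.
# Hotfix and bulletin identifiers are placeholders, not real Microsoft numbers.
PATCH_DB = """<patchdb updated="2001-10-23">
  <product name="Windows 2000" servicepack="2">
    <hotfix id="Q900001" bulletin="MS01-EX01"/>
    <hotfix id="Q900002" bulletin="MS01-EX02" supersededby="Q900005"/>
    <hotfix id="Q900005" bulletin="MS01-EX05"/>
  </product>
  <product name="Windows NT 4.0" servicepack="6">
    <hotfix id="Q900101" bulletin="MS01-EX11"/>
    <hotfix id="Q900102" bulletin="MS01-EX12"/>
  </product>
</patchdb>
"""

# Constructed inventory: what a query of each machine's installed-hotfix
# registry entries would return. A real tool gathers this over the network.
INVENTORY = [
    {"host": "ws-01", "product": "Windows 2000", "servicepack": "2",
     "hotfixes": ["Q900001", "Q900005"]},
    {"host": "ws-02", "product": "Windows 2000", "servicepack": "2",
     "hotfixes": ["Q900001"]},
    {"host": "srv-01", "product": "Windows NT 4.0", "servicepack": "6",
     "hotfixes": ["Q900102"]},
]


def load_requirements(db_xml: str) -> dict:
    """Map (product, servicepack) -> {hotfix id: (bulletin, superseding id or None)}."""
    root = ET.fromstring(db_xml)
    reqs = {}
    for product in root.findall("product"):
        key = (product.get("name"), product.get("servicepack"))
        reqs[key] = {h.get("id"): (h.get("bulletin"), h.get("supersededby"))
                     for h in product.findall("hotfix")}
    return reqs


def missing_hotfixes(machine: dict, reqs: dict) -> list:
    """Hotfixes (id, bulletin) the machine lacks. A fix counts as present when
    it, or any hotfix that supersedes it, is installed."""
    key = (machine["product"], machine["servicepack"])
    if key not in reqs:
        raise ValueError("no patch data for %s SP%s" % key)
    hotfixes = reqs[key]
    installed = set(machine["hotfixes"])
    missing = set()
    for hid in hotfixes:
        # Walk the supersession chain: Q900002 -> Q900005 -> ...
        chain, cur = [hid], hid
        while hotfixes[cur][1] in hotfixes and hotfixes[cur][1] not in chain:
            cur = hotfixes[cur][1]
            chain.append(cur)
        if not installed.intersection(chain):
            missing.add(chain[-1])      # report the newest hotfix that closes the gap
    return sorted((hid, hotfixes[hid][0]) for hid in missing)


def scan_network(inventory=INVENTORY, db_xml=PATCH_DB) -> dict:
    """Patch status for every machine, keyed by hostname."""
    reqs = load_requirements(db_xml)
    return {m["host"]: missing_hotfixes(m, reqs) for m in inventory}


if __name__ == "__main__":
    for host, gaps in scan_network().items():
        print(host, "up to date" if not gaps else "missing: " + ", ".join(
            "%s (%s)" % g for g in gaps))
```

The supersession walk is what keeps such a report honest: a machine that installed the newer rollup should not be nagged about the older hotfix it replaced, and a machine that installed neither should be told about the newer one only.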

8.3.2.4. Web based Security Checks

Several companies provide a web based security check of your machine that usually involves the use of a locally run ActiveX control to probe your configuration for weaknesses that might be exploited by attackers.

8.3.2.4.1. Microsoft Personal Security Advisor website for NT, 2000, and XP

Microsoft Personal Security Advisor (MPSA) website:

  http://www.microsoft.com/technet/mpsa/start.asp

is an ActiveX control that scans Windows NT and Win2000 client systems (not servers) for a variety of vulnerabilities:

To perform a scan:

8.3.2.4.2. Symantec Security Check

The Symantec corporation provides a security check that utilizes an ActiveX control to probe the local machine by scanning the system for vulnerabilities in the following areas:

The scans are primarily useful to determine if your machine is currently harboring a known Trojan Horse and to determine if your Norton Anti-virus product is properly installed and the virus definitions are up to date.

The Network Vulnerability scan is an attempt to convince you to purchase a personal firewall product. See Section 8.6 for comments on personal firewalls. The scan works by attempting to establish a connection from the server to your workstation. The scan lets you know which ports (i.e., services or Trojans) are currently accessible on your machine.

WARNING: If you are behind a firewall these port scans may appear to be an attack to your system administrator. Do not run these scans unless you know that it is safe to do so.

NOTE: The fact that a port often used by a Trojan is accessible does not necessarily mean that a Trojan is running on your machine. All ports have legitimate uses. The Internet Assigned Numbers Authority (IANA) publishes a list of the services assigned to each port number: http://www.iana.org/assignments/port-numbers.

When executing the scan for the first time you are prompted to accept an executable file to be executed on your machine.

  Security Warning
  Do you want to install and run "Symantec Security Check Utilities"
  signed on 5/10/2001 7:08pm and distributed by "Symantec Corporation".

Select "yes" but do not check "Always trust content from Symantec Corporation".

You may be asked if it is okay to run ActiveX controls and scripts several times, say "yes" to each question asked from this page.

8.3.2.5. IIS URL Scan Tool

Microsoft has developed a URL filtering tool for use with IIS that allows System Administrators to determine which URLs may be processed by their system. The rule based system allows filters to be implemented in a flexible manner. The default rules provided with the tool filter out all current attacks against IIS and many of the attacks that might be attempted in the future.

  http://www.microsoft.com/technet/security/tools/urlscan.asp
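
Added example, not URLScan's own rule file: a minimal URL filter in Python illustrating the rule-based approach. It refuses request verbs outside an allowed set, over-long URLs, paths containing traversal sequences, backslashes or colons, requests that are still percent-encoded after one round of decoding (double encoding), and file extensions that a public web server has no reason to serve. The verb list, extension list and sample requests are constructed for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed rule set in the style of a URL filter; it is not URLScan's own
# configuration. Requests that fail any rule are refused before IIS sees them.
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".dll", ".ida", ".idq",
                     ".htr", ".printer"}
DENIED_SEQUENCES = {"..": "parent-directory traversal",
                    "./": "dot-segment in path",
                    "\\": "backslash in path",
                    ":": "colon in path",
                    "%": "percent sign after decoding (double encoding)"}
MAX_URL_LENGTH = 260


def check_request(verb: str, url: str) -> tuple:
    """Return (allowed, reason). The checks run on the decoded path so that an
    encoded '%2e%2e' is judged exactly like a literal '..'."""
    if verb.upper() not in ALLOWED_VERBS:
        return False, "verb %s not allowed" % verb
    if len(url) > MAX_URL_LENGTH:
        return False, "URL longer than %d characters" % MAX_URL_LENGTH
    path = unquote(urlsplit(url).path)      # one round of decoding only
    if any(ord(c) < 0x20 or ord(c) > 0x7e for c in path):
        return False, "control or non-ASCII character in path"
    for seq, why in DENIED_SEQUENCES.items():
        if seq in path:
            return False, why
    ext = posixpath.splitext(path)[1].lower()
    if ext in DENIED_EXTENSIONS:
        return False, "extension %s denied" % ext
    return True, "ok"


def filter_requests(requests):
    """Apply check_request to (verb, url) pairs: one (verb, url, allowed, reason) per request."""
    return [(verb, url) + check_request(verb, url) for verb, url in requests]


# Constructed request lines, as a log of what reached the server might show.
SAMPLE_REQUESTS = [
    ("GET",   "/index.htm"),
    ("POST",  "/forms/register.asp?step=2"),
    ("GET",   "/docs/../../private.txt"),
    ("GET",   "/docs/%2e%2e/private.txt"),
    ("GET",   "/a/%252e%252e/b"),
    ("GET",   "/tools/run.exe"),
    ("TRACE", "/"),
]

if __name__ == "__main__":
    for verb, url, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print("%-5s %-6s %-28s %s" % ("allow" if allowed else "deny", verb, url, reason))
```

Decoding exactly once before matching is the design point: decoding zero times lets an encoded traversal through, and decoding repeatedly until nothing changes lets the filter and the web server disagree about what the path means. A filter like this complements, rather than replaces, patching the server itself.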

8.4. Web sites to monitor

The following web sites (mostly from Microsoft) provide access to updates to Microsoft products and/or information about vulnerabilities in Microsoft products, as well as descriptions of viruses/worms which take advantage of them. It is recommended that you check these web sites on a regular basis to keep your Windows and Office products up to date and to keep yourself informed on the current attacks taking place via the Internet.

8.4.1. Windows Updates

The Windows Updates site provides a real-time report listing the updates to the installed version of Microsoft Windows which have not yet been installed. This site is not updated as frequently as the Microsoft Security site but it is a lot easier to use.

  http://windowsupdate.microsoft.com

8.4.2. Office Updates

The Microsoft Office Updates site only supports Office 2000 and Office XP. This site provides a real-time report listing the updates to the installed version of Microsoft Office which have not yet been installed. Users of Office 95 or Office 97 must use the Microsoft Security site to query for the list of updates available for their version of Microsoft Office.

  http://office.microsoft.com/productupdates

8.4.3. Microsoft Security

The Microsoft Security web site provides access to a wide range of resources associated with securing Microsoft Operating Systems and Applications. These include references to newsgroups, anti-virus products, books, case studies, links to other web sites, training, and a variety of tools and checklists.

  http://www.microsoft.com/security/ 

In addition, the Microsoft Security site provides a query engine which can be used to produce a list of all updates released for a given version of an operating system or application (sorted by month of issuance.)

  http://www.microsoft.com/technet/security/current.asp

8.4.4. NTBugTraq

In the tradition of Aleph One's Bugtraq mailing list, NTBugTraq has been created to invite the free and open discussion of Windows NT Security Exploits/Bugs (SEBs). This site is not intended to be a forum to discuss "how to" issues, but instead should be used to report reproducible SEBs which have been encountered with Windows NT or its related BackOffice products. The discussions at this site and its related mailing list are highly technical.

  http://www.ntbugtraq.com

8.4.5. Symantec Security Response

The Symantec Security Response web site focuses primarily on anti-virus technologies. However, as viruses and worms have increasingly taken advantage of technological vulnerabilities instead of human curiosity as a means to spread, the web site has begun to include a wider range of information. As of this writing the web site provides access to a Virus Encyclopedia, lists of Security Advisories, as well as tools to help determine if you are reasonably secure against virus attacks.

  http://www.sarc.com/
  http://www.symantec.com/avcenter/

8.4.6. Computer Emergency Response Team (CERT)

The Computer Emergency Response Team (CERT) was formed under a grant from the Federal Government in the late 1980s in response to the Internet Worm. CERT performs the same function for computers that the Center for Disease Control (CDC) does for human infections. They monitor incident reports from around the world to detect new patterns of attack. They also catalog known vulnerabilities in a wide variety of operating systems and issue notifications to the Internet Community.

  http://www.cert.org/

The CERT web site contains information on a wide variety of topics associated with computer security. The information contained on this site is for the most part highly technical. However, there are some documents, such as Home Network Security, which are specifically targeted at the non-technical user.

8.5. Establishing a backup procedure

It is important to maintain current backups of your data. You never know when a vital piece of hardware might fail, the computer might be lost or stolen, or even destroyed in a fire, flood, or other accident. Insurance may cover the lost hardware but it is not going to be able to resurrect your data. Your data is priceless. You must treat it as such.

It does not matter whether you backup your data to a tape drive, a removable disk (zip, jaz, ...), or to a remote network based back-up service. What is important is that your data be backed up on a regular basis so that if your computer was lost tomorrow or if you needed to reformat your hard disk that you would not be in a state of panic.

    Need to find a reference to an online article on backup procedures 
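
Whatever the medium, a backup procedure needs two things the paragraph implies but does not spell out: a record of what was copied and a way to prove the copy is still good. The following added example (not from the guide) snapshots a directory tree, writes a manifest of SHA-256 digests alongside the copies, verifies the snapshot against that manifest, and rehearses a restore. The directory names and file contents are constructed inside a temporary directory so the example runs anywhere.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source: Path, backup_root: Path, label: str) -> Path:
    """Copy every file under source into backup_root/label/data and write a
    manifest of digests beside the copies. Returns the snapshot directory."""
    snapshot = backup_root / label
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = snapshot / "data" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)          # copy2 keeps timestamps
        manifest[rel] = {"sha256": file_digest(path), "size": path.stat().st_size}
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return snapshot


def verify(snapshot: Path) -> list:
    """Relative paths whose copy is missing or no longer matches the manifest."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    bad = [rel for rel, info in manifest.items()
           if not (snapshot / "data" / rel).is_file()
           or file_digest(snapshot / "data" / rel) != info["sha256"]]
    return sorted(bad)


def restore(snapshot: Path, target: Path) -> list:
    """Copy the snapshot back into target; returns files that fail verification."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    failed = []
    for rel, info in manifest.items():
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / "data" / rel, dst)
        if file_digest(dst) != info["sha256"]:
            failed.append(rel)
    return sorted(failed)


def demo() -> dict:
    """Constructed end-to-end run in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "documents"
        (source / "papers").mkdir(parents=True)
        (source / "thesis.txt").write_text("constructed sample data\n")
        (source / "papers" / "notes.txt").write_text("more constructed data\n")

        snapshot = backup(source, root / "backups", "2001-10-23")
        clean = verify(snapshot)
        # A backup you have never restored from is untested: rehearse the restore.
        restored_before = restore(snapshot, root / "restore-1")
        # Simulate media damage to one copy and show the manifest catches it.
        (snapshot / "data" / "thesis.txt").write_bytes(b"corrupted")
        damaged = verify(snapshot)
        restored_after = restore(snapshot, root / "restore-2")
        return {"files": len(json.loads((snapshot / "manifest.json").read_text())),
                "clean": clean, "restored_before": restored_before,
                "damaged": damaged, "restored_after": restored_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the verification step against the backup medium itself on a schedule, not only at backup time: tapes and removable disks degrade, and a manifest is the only way to learn that before the day you need the restore.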

8.6. Personal Firewalls

A personal firewall is a software application that enforces an access control policy between the network and your computer. The firewall allows the user to define access policies for inbound connections to the computers it is protecting. Many also provide the ability to control what services (ports) the protected computers are able to access on the Internet (outbound access). In other words, a firewall with defined access policies provides an intermediate state between being disconnected from the network and being fully connected to it.

Personal firewall software can be either stateful or stateless. A stateless firewall can only apply access policies to connections to/from specific IP address ranges and/or specific ports. Stateful firewalls have a detailed understanding of the networking protocols used by each network service. They can use this information to apply access policies based upon the content of the communication and not just on who is communicating.

As an example, the personal firewall software ZoneAlarm has a MailSafe option that disables .vbs scripts in e-mail (POP/IMAP) by 'quarantining' them with a '.zlx' extension (the x changes). If the user tries to open one, he or she has to go through ZoneAlarm and state that the specific e-mail message being received should be allowed.

It is important to note that firewalls are not the answer to all security concerns. Blocking all connections to specific ports can break required applications. It can be a very complicated and time consuming process to develop the appropriate set of access policies for your computer. Many application errors that appear to be network related can be traced back to firewall access policies which block required access. Unfortunately, from the standpoint of the application, the failure is a network error as it does not know anything about the presence of the firewall.
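
The stateless/stateful distinction is easiest to see on concrete traffic. The added example below (not any product's code) evaluates a constructed policy two ways: a stateless filter that judges each packet against the rule list alone, and a stateful one that remembers connections the host opened and admits their replies while refusing stray inbound segments that match a rule but belong to no known connection. Addresses, ports and rules are constructed for the example using documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the network, "out" = leaving the host
    proto: str              # "tcp" or "udp"
    remote: str             # IP address of the other end
    remote_port: int
    local_port: int
    syn: bool = False       # True for the TCP segment that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # "in", "out" or "any"
    proto: str              # "tcp", "udp" or "any"
    remote_net: str         # CIDR block the remote address must belong to
    local_port: Optional[int] = None    # None matches every local port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.remote) in ipaddress.ip_network(self.remote_net)
                and (self.local_port is None or self.local_port == p.local_port))


# Constructed policy for a workstation on the 192.0.2.0/24 LAN: first match wins.
POLICY: List[Rule] = [
    Rule("allow", "out", "tcp", "0.0.0.0/0"),          # the host may open connections anywhere
    Rule("allow", "in",  "tcp", "192.0.2.0/24", 22),   # SSH, but only from the local LAN
    Rule("deny",  "any", "any", "0.0.0.0/0"),          # everything else, either direction, is refused
]


def stateless_decision(p: Packet, policy: List[Rule] = POLICY) -> str:
    """A stateless filter sees only addresses, ports and direction."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Remembers connections the policy allowed, so replies to them pass without
    an inbound rule, and inbound segments that belong to no known connection are
    refused even when a port rule would let them through."""

    def __init__(self, policy: List[Rule] = POLICY):
        self.policy = policy
        self.connections = set()    # (proto, remote, remote_port, local_port)

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.remote, p.remote_port, p.local_port)
        if key in self.connections:
            return "allow"          # part of a connection we already accepted
        if p.direction == "in" and p.proto == "tcp" and not p.syn:
            return "deny"           # a non-opening TCP segment with no prior connection
        decision = stateless_decision(p, self.policy)
        if decision == "allow":
            self.connections.add(key)
        return decision


# Constructed traffic seen by the workstation, in order.
TRAFFIC: List[Packet] = [
    Packet("out", "tcp", "198.51.100.5", 80, 40000, syn=True),   # browser opens a web connection
    Packet("in",  "tcp", "198.51.100.5", 80, 40000),             # the server's reply
    Packet("in",  "tcp", "203.0.113.7", 4444, 139, syn=True),    # unsolicited probe of file sharing
    Packet("in",  "tcp", "192.0.2.25", 50000, 22, syn=True),     # SSH login from the LAN
    Packet("in",  "tcp", "192.0.2.40", 50001, 22),               # stray segment to port 22, no connection opened
]


def compare(traffic: List[Packet] = TRAFFIC) -> List[Tuple[str, str]]:
    """(stateless decision, stateful decision) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_decision(p), fw.decide(p)) for p in traffic]


if __name__ == "__main__":
    for p, (stateless, stateful) in zip(TRAFFIC, compare()):
        print("%-3s %s:%d -> local port %-5d stateless=%-5s stateful=%s"
              % (p.direction, p.remote, p.remote_port, p.local_port, stateless, stateful))
```

The second packet is the one that matters for a workstation: the stateless policy has no inbound rule for web replies and drops them, which is the "application error that looks like a network error" the text warns about, whereas the stateful firewall admits the reply because the host itself opened the connection.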

8.7. Configuring Norton Anti-virus to protect your computer

Columbia University has purchased a site license for the members of its community so that everyone has the ability to be virus protected with the latest virus definitions. The Norton Anti-virus software can be downloaded from:

  http://www.columbia.edu/acis/software/nav/

It is important that after installation the Anti-Virus software be configured and regularly updated with the latest virus definition files in order for the software's effectiveness to be maintained. The Anti-virus options

8.7.1. Browsers and downloads

Web Protection should be enabled. This will ensure that file downloads are virus scanned before they are saved to your disk.

8.7.2. File scans

Auto-Protect should be started when Windows starts up. Auto-Protect can scan files when they are "Run or opened" or when they are "Created or downloaded". Both options should be selected. All files and not just Program files and documents should be scanned.

Manual scans should be configured to check all boot records on all drives as well as to scan all files, including the files inside compressed archives (.ZIP, .CAB, ...). The only type of files that should be skipped are database files, since there can be incompatibilities between Microsoft Access or Microsoft SQL Server and anti-virus software.

If you are running Microsoft Office 2000 (or Office XP) the Office 2000 plug-in support should be enabled.

Manual scans of the computer should be scheduled at least once a week.

8.7.3. E-mail scans

E-mail protection in Norton Anti-virus works by installing an E-mail Proxy Server on your computer which intercepts the requests being made to the e-mail server belonging to your Internet Service Provider. Unfortunately, this proxy only works with a subset of the POP3 servers and cannot work at all with IMAP servers. This is important because although most e-mail clients support POP3, IMAP is both more efficient at delivering large amounts of e-mail to the client and more secure.

AcIS' Schuyler has put together a nice user level description of how to configure e-mail clients to safely read e-mail in conjunction with NAV.

  http://www.columbia.edu/acis/email/topics/safeattachments.html


9. Alternatives to Microsoft Products


Microsoft products are used on the overwhelming majority of computers on this planet. Microsoft is a monopoly. Microsoft is an American company. The products have their fair share of vulnerabilities and the cost of ownership is so high that it is difficult even on a good day to keep up with the patches. Therefore, Microsoft products have become a more tempting target as each day goes by.

As virus and worm authors have only finite resources, they spend their time attacking the systems that are most likely to let them cause the greatest havoc. At the moment these are the products of Microsoft. It is in the best interest of each of us to consider whether or not we should continue using products with such a high incident rate of attacks. This is exactly the same analysis we would use to decide where to go on vacation: do we head for the mystical land where people are being killed every day, or for the quiet beach community half a world away?

This section attempts to provide some alternatives that might be considered if you believe that the total cost of using Windows and Microsoft Applications is higher than you can bear.

9.1. IIS

9.2. IE

9.3. Outlook

9.4. Office

9.5. Windows



10. Further Reading


10.1. Books

The following books are ones that I have used that have provided useful information to me in the past when attempting to secure my Windows installations.

10.1.1. Hacking

  1. Scambray, Joel; McClure, Stuart; Kurtz, George, Hacking Exposed, Second Edition, Osborne Press, McGraw Hill, 0-07-212748-1.

10.1.2. System Management

  1. Bragg, Roberta, Windows 2000 Security, New Riders, 0-7357-0991-2.

  2. Sanders, Lori M., Windows 2000 User Management, New Riders, 1-56205-886-X.

  3. Tate, Steven, Windows 2000 Essential Reference, New Riders, 0-7357-0869-X.

10.1.3. Security Policy

  1. Hutt, Arthur E.; Bosworth, Seymour; Hoyt, Douglas B., Computer Security Handbook, Third Edition, Wiley, 0-471-01907-0.

  2. Hutt, Arthur E.; Bosworth, Seymour; Hoyt, Douglas B., Computer Security Handbook, Third Edition 1997 Supplement, Wiley, 0-471-17297-9.


Safe Computing on Windows: An Evolving Guide to Virus and Worm Protection / jaltman@columbia.edu / 23 October 2001