“Thou Shalt Not”: The Moses Guide to Internet Security
By Devin Christensen

Old Testament-style exhortation about malware and viruses.

Page 1: Thou shalt not

“Thou Shalt Not”

The Moses Guide to Internet Security

By Devin Christensen

Page 2: Thou shalt not

TSN Install Spyware!

• “According to a new report from EarthLink and Webroot Software, there's an average of almost 28 spyware programs running on each computer. More serious, Trojan horse or system monitoring programs were found on more than 30 percent of all systems scanned, raising fears of identity theft.

• “The report presents the results of scans of over 1 million Internet-connected computers. Many of the 29 million spyware programs that were found were harmless "adware" programs that display advertising banners or track Web surfing behaviors. However, the companies also found more than 300,000 instances of programs that are capable of stealing personal information or providing unauthorized access to computers, the companies say.”—Paul Roberts (PCWorld)

Page 3: Thou shalt not

Spyware Attack Vectors

"I LOVE GATOR! It is the GREATEST! I love how it remembers and fills in all of my passwords at the various websites that I visit. And of course I also love how it fills in the forms for me. I also love GATOR because it is very easy to use. I learned how to use it in seconds. GATOR RULES!"

Thanks, DF
Las Vegas, Nevada

Page 4: Thou shalt not

What Else Does Gator Do?

• Gator (iegator.dll and others): Gator is the main software, which autocompletes Web forms [which is completely unnecessary]...

• OfferCompanion: This is the advertising spyware module. It is responsible for spying on your Web browsing habits, downloading and displaying pop-up ads, and transmitting (personal?) information to Gator.

• Trickler (fsg.exe, fsg-ag.exe, fsg*.exe): Trickler is an "install stub", a small program that is installed with the application you really wanted. (Gator almost always appears on your system due to installing OTHER software, and not the installer available from Gator's website.) When installed, Trickler inserts a Run key in your Registry so that it is silently and automatically loaded every time you start your computer. Trickler runs hidden and very slowly downloads the rest of Gator/OfferCompanion onto your system. It is suggested that this "trickling" activity is intended to slip under the user's radar, the steady, low usage of bandwidth going unnoticed (cexx.org).
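The Trickler description above turns on one mechanism: an autostart entry under the Run key. As an added example that is not part of the original deck (nor code from cexx.org or Gator), the following Python audits a listing of the current user's Run key in the format that `reg query` prints and flags entries whose executable matches the fsg*.exe naming the deck cites or which autostart from a temporary directory. The listing, the entry names and the paths in it are constructed for illustration; the two flagging rules are assumptions of this example, not rules stated in the deck.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. Entry names and paths are invented for this example, not a real capture.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Trickler    REG_SZ    C:\WINDOWS\Temp\fsg-ag.exe
    Updater     REG_SZ    "C:\Program Files\Example Vendor\updater.exe" -q
    Gator       REG_EXPAND_SZ    %TEMP%\fsg_4104.exe
"""

# One value line: name, REG_* type and data, separated by runs of spaces.
ENTRY_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{4,}(?P<type>REG_[A-Z_]+)\s{4,}(?P<data>.*)$")

# Naming pattern the deck attributes to Trickler (fsg.exe, fsg-ag.exe, fsg*.exe).
TRICKLER_RE = re.compile(r"^fsg.*\.exe$", re.IGNORECASE)


def exe_path(data: str) -> str:
    """Pull the executable path out of a Run value's data, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def parse_run_entries(text: str) -> List[Dict[str, str]]:
    """Parse `reg query` output into a list of {name, type, path} records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m.group("name"),
                            "type": m.group("type"),
                            "path": exe_path(m.group("data"))})
    return entries


def suspicious_reasons(path: str) -> List[str]:
    """Return the reasons (possibly none) an autostart path deserves a closer look."""
    reasons = []
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if TRICKLER_RE.match(basename):
        reasons.append("matches Trickler naming pattern fsg*.exe")
    lowered = path.lower()
    # Assumption of this example: legitimate autostart programs do not live in Temp.
    if "\\temp\\" in lowered or lowered.startswith("%temp%"):
        reasons.append("autostarts from a temporary directory")
    return reasons


def audit_run_keys(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for every entry that triggers at least one rule."""
    findings = []
    for entry in parse_run_entries(text):
        reasons = suspicious_reasons(entry["path"])
        if reasons:
            findings.append((entry["name"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in audit_run_keys(SAMPLE_REG_QUERY):
        print(f"{name}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

On a real machine the same parser can be fed the output of `reg query` for both the HKCU and HKLM Run keys; the point of keeping the rules in `suspicious_reasons` is that an allowlist of known-good autostart paths can be added there without touching the parser.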

Page 5: Thou shalt not

Attack Vectors [cont]

Antivirus company Symantec last week reported the presence of "spyware" bundled with Grokster and Limewire, two popular file-swapping downloads. The code evidently does not damage computers, but it surreptitiously sends personal information such as user ID names and the Internet address of computers to another Web address.

Advertising software called "Clicktilluwin" that comes bundled with the file-swapping programs carries a program called "W32.DIDer," which Symantec has classified as a Trojan horse--a piece of code that takes over parts of a person's computer unseen in order to carry out its own instructions. (news.com)

Page 6: Thou shalt not

Attack Vectors [cont]

From: Unsuspecting Person [email protected]
RE: Spyware - Virtual Bouncer - installed on PC as trial - getting more popup ads than ever - unable to remove software from PC

I mistakenly allowed spyware/virtual bouncer to install its software on my computer on a trial basis to remove popup ads and detect parasites. Before the trial was over, I seemed to be getting more popup ads than ever...I decided not to purchase the software.

Despite numerous attempts to remove the software from my computer, it finds its way back when I log on to my computer, reminding me to register and purchase the software. It's now acting like a parasite that I was trying to remove!!!!

I've contacted the computer [company] several times but no one there has offered any real solution to address my issue.

Page 7: Thou shalt not

So... What To Do (Preemptive)?

1. Cultivate an attitude of distrust!

2. Know that Nothing is Free!

3. Unless you’re willing to read the entire license agreement very carefully, Do Not Install Freeware!

4. Beware of the peer-to-peer services. They’ve got to make $$ somehow!

Page 8: Thou shalt not

What do I do?

Page 9: Thou shalt not

What do I do?

Page 10: Thou shalt not

I Failed to “Shalt Notted”

What do I do Now?

1. Blood Sacrifice is still probably avoidable…

2. Start | All Programs (XP) or Programs (Win2k) | Spybot Search & Destroy.

3. If this does not exist, double-click on My Computer & navigate to T:\Spybot\spybotsd1.3.exe. Follow the prompts to install Spybot.

Page 11: Thou shalt not

I Failed to “Shalt Notted” [cont]!

4. Update Spybot by clicking on ‘Search For Updates’:

Page 12: Thou shalt not

I Failed to “Shalt Notted” [cont]!

5. Now ‘Check for problems’. [Note: This can take a while as there are about 17,000 bad boys out there now...]

Page 13: Thou shalt not

I’ve Got 65 Problems!

Page 14: Thou shalt not

I Failed to “Shalt Notted” [cont]!

6. Now ‘Fix Selected Problems’. [Note: This might render some of your ‘freeware’ inoperable...]

7. If some of the malware is ‘resident’ in your operating system’s memory (i.e., it is running at the time), Spybot will not be able to fix this issue, and you may continue to get popups and general system instability.

8. For this you will need to call me.

Page 15: Thou shalt not

Conclusion

• Freeware is seldom Free (unless you are using Linux...)

• If it is not worth it to you to read the entire license agreement (maybe 10-15 minutes), it is definitely not worth my 60+ minutes trying to get all the spyware off afterwards!

• If you wish to install something, call me first and I will check it out!

• Otherwise, Choose X or No or Cancel!

• And if you don’t, yes, odds are we will remain friends afterward...

Page 16: Thou shalt not

TSN Execute Viruses!

• Mass Emailing Viruses & Hoaxes

• File Sharing Programs

Page 17: Thou shalt not

Mailing Tactics

• Interesting Attachments
– AnnaKournikova.jpg.vbs

• Interesting Subjects
– New bonus in your cash account
– [Fwd: look] ;-)

• Good Samaritan Abuse
– Please Help me with Script!!
– Leukemia: Please Forward

Page 18: Thou shalt not

Mailing Tactics [Cont]

• Panic Attack

IMPORTANT, URGENT - ALL SEEING EYE VIRUS!

PASS THIS ON TO ANYONE YOU HAVE AN E-MAIL ADDRESS FOR. If you receive an email titled "We Are Watching You!" DO NOT OPEN IT! It will erase everything on your hard drive. This information was announced yesterday morning from IBM, FBI and Microsoft states that this is a very dangerous and malicious virus, much worse than the "I Love You," virus and that there is NO remedy for it at this time.

Page 19: Thou shalt not

FileSharing Tactics

– C:\Program Files\KaZaA\My Shared Folder
– C:\Program Files\ICQ\shared files\
– C:\Program Files\Edonkey2000\Incoming\
– C:\Program Files\Bearshare\Shared\
– C:\Program Files\Morpheus\My Shared Folder\
– C:\Program Files\Grokster\My Grokster\

Page 20: Thou shalt not

What are they Appealing To?

El Mejor Sexo.pif
KaZaA Antivirus Era 2003.exe
UnTouChabLeS KoRn.scr
New Morpheus Edition 2003.exe
Deftones Live in concert.scr
Xbox Emulator V2.1.exe
Play2 All Tricks BoX.pif
Gatorade Screen Saver.scr
THE EMINEM SHOW.pif

Page 21: Thou shalt not

And What Else Do They Do...

1. Scan your entire hard drive and any network drives for email addresses

2. Intentionally corrupt common document types (Excel, Word, etc.).

3. Disable virus protection & prevent liveupdates.

4. Disable Personal Firewalls.

5. Copy themselves all over your hard drive.

6. Render an operating system unusable.

Page 22: Thou shalt not

So What Do We Do?

• First, Be Aware of What I do:

– Every Night at 11:00 PM I have a server go out & get the latest virus updates. Every machine in the building will get these definitions within the hour.

– The Bottom Line: Your Protection is Current!

– If a really bad virus appears on the radar screen, I will send out an alert email.

Page 23: Thou shalt not

Nonetheless...

Inevitably there will be a gap between the creation of a virus, its identification when out in the wild, and the creation of a filter to detect it.

• Therefore, it is required that:

– Never (and Never does mean Never) open an attachment unless you are explicitly expecting the exact attachment from the exact individual who has sent it to you. *And the extension (.pdf, .xls, .doc) must match the kind of file you are expecting!

Page 24: Thou shalt not

Nonetheless [continued]...

• It is required that: [cont]

– We never open ANY attachment that ends in:
• .com
• .exe
• .pif
• .vbs
• .scr

– In our own emails we explicitly identify the attachment we are intentionally sending (i.e., “I have attached an Excel/Word/PDF document detailing...”). This is known as “good netiquette”.
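The attachment rules on this page and the one before it (expected sender, expected kind, extension must match, never .com/.exe/.pif/.vbs/.scr) and the lures listed under Mailing Tactics and FileSharing Tactics (AnnaKournikova.jpg.vbs, Gatorade Screen Saver.scr and friends) can be turned into one mechanical check. The following Python is an added example and not part of the original deck: it looks only at the file name, rejects the five extensions the deck names, calls out a decoy document extension in front of an executable one, and otherwise accepts a file only when the caller says what kind of document was expected and the extension matches. The mapping of kinds to extensions (pdf, excel, word, image) is built from the deck's own examples and is an assumption of this example, as are the sample file names used in the demo.

```python
from typing import List, Optional, Tuple

# Extensions the deck says we never open.
NEVER_OPEN = {"com", "exe", "pif", "vbs", "scr"}

# What extension each kind of expected document may carry. Assumption of this
# example, built from the deck's own examples (.pdf, .xls, .doc, .jpg).
EXPECTED_KIND_EXTENSIONS = {
    "pdf": {"pdf"},
    "excel": {"xls"},
    "word": {"doc"},
    "image": {"jpg"},
}
DOCUMENT_EXTENSIONS = set().union(*EXPECTED_KIND_EXTENSIONS.values())


def split_extensions(filename: str) -> List[str]:
    """All dot-separated suffixes, lowercased: 'AnnaKournikova.jpg.vbs' -> ['jpg', 'vbs']."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(filename: str, expected_kind: Optional[str] = None) -> Tuple[str, str]:
    """Return ('accept' | 'reject', reason) for a file name.

    expected_kind is the kind of document the recipient was explicitly told to
    expect (None means nobody announced the attachment, which is itself a reject).
    """
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""

    # Rule 1: the real extension is the last one, and executables are never opened.
    if final in NEVER_OPEN:
        decoys = [e for e in exts[:-1] if e in DOCUMENT_EXTENSIONS]
        if decoys:
            return ("reject", f"executable .{final} hidden behind decoy .{decoys[0]} extension")
        return ("reject", f"executable extension .{final}")

    # Rule 2: no attachment is opened unless it was explicitly expected.
    if expected_kind is None:
        return ("reject", "attachment was not explicitly expected")
    allowed = EXPECTED_KIND_EXTENSIONS.get(expected_kind)
    if allowed is None:
        return ("reject", f"unknown expected kind {expected_kind!r}")

    # Rule 3: the extension must match the kind of file we were told to expect.
    if final not in allowed:
        return ("reject", f"extension .{final or '(none)'} does not match expected {expected_kind}")
    return ("accept", f"expected {expected_kind} with matching .{final} extension")


if __name__ == "__main__":
    # Constructed demo inputs: the deck's lure names plus two ordinary documents.
    samples = [
        ("AnnaKournikova.jpg.vbs", "image"),
        ("Gatorade Screen Saver.scr", None),
        ("Xbox Emulator V2.1.exe", None),
        ("quarterly.xls", "excel"),
        ("quarterly.xls", None),
        ("quarterly.doc", "excel"),
    ]
    for name, kind in samples:
        verdict, reason = check_attachment(name, kind)
        print(f"{verdict:6}  {name!r:32}  {reason}")
```

The check deliberately trusts nothing but the last extension, because Windows Explorer hides known extensions by default and the deck's AnnaKournikova.jpg.vbs example relies on exactly that: the user sees a picture, the system runs a script.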

Page 25: Thou shalt not

Nonetheless [continued]...

• Also, though this is lamentable, our instinct must be one of distrust!

• “Unless it is a Known Good, it must be considered to be bad.”

• Distrust all executables.

• Be aware that all filesharing services are delivery mechanisms for many modern viruses.

Page 26: Thou shalt not

Conclusion

• Never open the unknown attachment, even when it is coming from an associate.

• Do not forward the hoax (they always ask you to do just this!). If forward you must, forward it to me first!!

• All executables (.exe, .com, .pif, .vbs) are to be distrusted! Absolutely!

Page 27: Thou shalt not

Various “Shalts”

• TS Save onto the “S” Drive.

• TS keep critical data in more than one place (particularly if one of the places is a floppy, or, worse yet, a zip disk).

• TS “stop” USB flash drives before removing them.

• TS Lock your computer when you leave it for prolonged amounts of time [ctrl-alt-del | enter].

Page 28: Thou shalt not

Any Q’s?