
projekt draco

... is where Sunny Wong writes about nothing in particular and everything in general.


Safe use Of Internet

Having an anti-virus installed and practising safe-computing by not accepting files you’re not expecting from your peers are great ways to prevent your computers from being infected. 2 years ago. Read on to find out what more you should be doing if you’re really keen on having a protected computer, and why.

Latest news

The latest updates; something you should read before continuing.

Origins Posted : 19 August 2004

After getting a lot (~5K in a day) of port 0 ICMP ping requests and some weird port 80 requests at my IP, I decided to find out where all this noise came from.

After some questions posted at GRC’s newsgroup, and going back to ISS’s website about MS Blaster, yes, I’ve found out. These requests are attempts by a new worm W32.Welchia.worm to see if your IP is online so it can try to compromise your system to disable any MS Blast infections it finds by downloading and installing the MSRPC patch from Microsoft to close the MSRPC vulnerability. For Win2K, it will also make use of the WebDAV vulnerability in Microsoft’s IIS 5 Web Server to perform its job. But it doesn’t install a firewall for you, so please get one for yourself if you still haven’t.

Although benign in nature, it’s still discouraging to see from my firewall log that it has compromised so many systems. Many still have neither patched nor set up a properly configured firewall.

But if you have set up a firewall and are receiving a lot of incoming port 0 requests from the same internet service provider, don’t be alarmed; it’s probably just a benevolent worm working hard to disinfect and protect Windows users.
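To check a firewall log for the pattern described above (many ICMP echo requests from different hosts in the same provider range), here is an added example that is not part of the original article. The log format, the addresses (documentation ranges) and the function name find_ping_sweeps are constructed for illustration; adapt the parsing to your own firewall's log layout.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample log, not real data. Assumed (hypothetical) format:
# date,time,direction,protocol,src_ip,dst_ip,detail
SAMPLE_LOG = """\
2003-08-19,10:00:01,IN,ICMP,203.0.113.17,203.0.113.50,echo-request
2003-08-19,10:00:04,IN,ICMP,203.0.113.88,203.0.113.50,echo-request
2003-08-19,10:00:09,IN,TCP,198.51.100.7,203.0.113.50,dport=80
2003-08-19,10:00:15,IN,ICMP,203.0.113.141,203.0.113.50,echo-request
2003-08-19,10:00:21,IN,ICMP,192.0.2.9,203.0.113.50,echo-request
2003-08-19,10:00:30,OUT,TCP,203.0.113.50,198.51.100.7,dport=80
2003-08-19,10:00:42,IN,ICMP,203.0.113.17,203.0.113.50,echo-request
malformed line without enough fields
2003-08-19,10:00:55,IN,ICMP,203.0.113.202,203.0.113.50,echo-request
"""

def find_ping_sweeps(log_text, my_ip, prefix_len=24, min_sources=3):
    """Group inbound ICMP echo requests by source network.

    Returns one dict per network that has at least min_sources distinct
    senders, sorted by the number of distinct senders (highest first).
    """
    sources = defaultdict(set)  # network -> distinct source IPs
    hits = defaultdict(int)     # network -> total echo requests
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 7:
            continue  # skip blank or malformed lines
        _, _, direction, proto, src, _, detail = row
        if direction != "IN" or proto != "ICMP" or detail != "echo-request":
            continue
        try:
            net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        except ValueError:
            continue  # source field is not a valid IP address
        sources[net].add(src)
        hits[net] += 1
    me = ipaddress.ip_address(my_ip)
    report = [
        {"network": str(net), "distinct_sources": len(ips),
         "requests": hits[net], "same_network_as_me": me in net}
        for net, ips in sources.items() if len(ips) >= min_sources
    ]
    return sorted(report, key=lambda r: r["distinct_sources"], reverse=True)

if __name__ == "__main__":
    for entry in find_ping_sweeps(SAMPLE_LOG, "203.0.113.50"):
        print(entry)
```

A real provider range is usually much larger than the /24 used for the sample, so lower prefix_len accordingly when running it on your own log.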

One week after MS Blaster broke out, and after a new worm that makes use of the MSRPC exploit is out again, I am finally convinced that the golden rule of not accepting and running files from sources you don’t trust will no longer ensure your computer’s safety. If you are interested, please read this revised article again.

Point to note Posted : 19 August 2004

Just thought I would update this page to reflect the fact that I no longer use Norton products. For anti-virus, I’ve been using Grisoft’s AVG for a while and have absolutely fallen in love with it. It just stays there, and I don’t even feel it’s there! Precisely what I need from an anti-virus.

Likewise, I am also starting to use SpyBot S&D for better security and detection of malware; in case the primary detection fails me, the secondary will catch it.

Introduction

Computer threats can come from all directions - the internet, diskettes, installed programs, etc. In this article I would like to tell you why you should, and how you can, help protect your computer from these threats, especially those from the internet. I’ve discovered that this practice of using the internet and PC safely is known as safe hex. So if you see safe hex mentioned in my other articles, this is what it’s about.

The Internet is never a safe place; it’s filled with people wanting to harm or exploit your system, so the golden rule of the internet is to never accept or, worse, run any unknown files from sources you don’t trust. Think twice about opening the files even if they’re from trusted sources - especially files from friends that you are not expecting.

No, your friends don’t intend to harm you, but they might be infected unknowingly and be spreading the infection to you. Just like them, you will be helping the spread by simply (and innocently) running the infected file! Then the friends whom you (or the worms) sent it to will probably do the same thing, and imagine how many people will get infected this way. This is generally how viruses/trojans/worms spread on IRC and by e-mail.

E-mail worms have the ability to distribute themselves to every person in your address book, and continue the same journey if the innocent targets in your address book run the attachment the worm sent. Cleaning may be easy with ready-made removal tools, but look how fast they can spread; within one day of being in the wild, they can wreak havoc and slow or even bring down many mail servers - SQL Slammer has been known to slow down the internet due to its fast propagation! Although they’re quickly discovered, the damage has already been done.

You might think it won’t happen to you, but I can tell you that I have a friend who was hit by the W32.Klez twice. I fixed it with Symantec’s removal tool, and reminded her not to open unknown attachments again, and yet she was hit again by the same variant! Why she opened the attachment the second time was simply because she was "bored".

Point to note -

So don’t ever run attachments/files from sources you don’t trust and ignore files from sources you don’t know at all, be it on IRC, e-mail, websites or any other virtual world. You’ll never know when you’ll be the next carrier for another virus!

On a side note, don’t put your e-mail address(es) on the internet unless you know exactly where they will end up. Most addresses will end up collected by "spiders" crawling all over the net in search of target addresses to spam. A mailing list (such as home/maillist) is an especially nice target to crawl. And before you know it, you’ll have a ratio of spam mails exceeding good mails by at least many hundreds. This is a never-ending process.

Please note that I am associating spam mails with threats because they might contain viruses/worms that you shouldn’t be exposed to in the first place if you have already condemned them with a spam filtering tool. They might also contain advertisements which might be considered unsuitable for minors.

Thus, using the net safely doesn’t only ensure your computer’s safety, but also ensures your friends’ & the community’s safety.

MS Blaster! -

On August 12 2003, MS Blaster proved that remembering this golden rule will no longer thoroughly ensure your computer’s safety! Please read on for more information.

But I’ve been on the net for a long time without problems, why should I start now?

There are new threats emerging daily - technology that wasn’t possible yesterday is possible today. You never know when a virus/worm can just get into your computer without you knowing! Now you have seen W32.Blaster.Worm in action. Now you know.

In case you missed it, which is probably a good thing, here’s a summary…

On 12 of August 2003, a worm named LovSan/MSBlaster was in the wild, potentially looking for vulnerable NT-based Windows systems to infect.

And in case you didn’t know, you don’t even have to run/execute it to get infected! All it takes to get infected is an unpatched Windows system without a properly configured firewall installed and running.

And then you’ll be the carrier.

And now, things don’t concern you only. Viruses, backdoors, trojans can cause your friends and the community a large problem.

I have a friend whose nickname’s password was somehow taken over by another party on IRC, and that offender used his nick to spam a few friends’ channels, resulting in a suspension of the channels, twice. After that he started to find out how to prevent such things from happening again in future, and I told him to look for malware and spyware, download this and that. But still, the damage had already been done. Yes, it’s only IRC, but imagine if it were credit card number theft; wouldn’t it be too late?!

If only he had taken these preventive measures beforehand, none of this would have happened.

So what are you waiting for?

So maybe you’ll tell me you don’t have any information on your system worth someone’s time to steal. But they don’t have a target. They are just out to seek victims. If you’re chosen, they can use your computer to launch attacks against another party by using zombies planted in your computer, not just stealing your information. And guess what? Your IP will be used in such massive attacks, which means you’re the culprit - not them! It’s true.

Even if you don’t believe in all these, I still urge you to download and install a firewall. Because if you don’t, you’ll probably only be contributing to the list of already compromised computers, waiting to take part in another planned Distributed Denial of Service (DDoS, or something most will know as a nuke). If you’re interested in knowing what the hell a DDoS is and what it does, click here to view the Classic DDoS Attack Report by Steve Gibson; he has it all written there. Lengthy, but definitely worth the read.

For dial-ups (56Kers or below)

Even if you’re using a narrowband connection such as 56k, you’re still of use because they’re using distributed technology to launch an attack. 5KB of packets is, after all, still packets, and when combined with other packets, it’s 5KB plus many thousands of 5KB more to knock someone off the net! And while the attack is going on, you will naturally take it as the usual lag and not suspect DDoS activity. What’s more, your IP is dynamic, making tracing back more difficult than with static IPs. I strongly believe these are only some of the pluses for intruders! You can disagree with me, of course.

And now, with the outbreak of the Blaster worm on 12 August, you’re vulnerable to the exploit too if you’re using an unpatched Windows NT-based system. The worm is only 6176 bytes, which you can probably download in less than 2 seconds. And normally it’s also the 56Kers who don’t patch regularly because they believe it’s too much of a hassle to download large files off the net, which makes them very vulnerable to such intrusions. So fire up a firewall now!

What’re you waiting for?

Okay! Tell me what I should do!

Following the golden rule is only a precaution; it will not always ensure your safety, as already proven by the outbreak of MSBlaster. You will still need these tools in case all else fails. And it’s highly recommended you get these programs, or something similar in nature, to assist you in keeping your system safe.

So much hype about intrusions recently. I would like to say that I use only ZoneAlarm Free (ZAF) as a firewall. And something as simple as ZAF will defend my computer from simple intrusion attempts such as W32.Blaster. Make a firewall a necessity now! As long as you’re online, always use a firewall! It will not only safeguard your connection and system, it will also prevent others from getting infected from your system should you get infected! I strongly suggest you install a reputable firewall (such as ZoneAlarm) and configure it properly.

It looks like many are afraid of or troubled by messy firewall installations. Since I use and recommend ZAF, I will explain how easy and convenient it is to install ZAF. After downloading ZAF, disconnect all internet activities you have, such as ICQ and IRC, because when you first install ZAF, all internet activities will be halted. You’ll then start teaching ZoneAlarm what to allow or disallow into your computer, e.g. ICQ, mIRC, MSN, web browsers… Only allow what you think is necessary; this is totally up to you.

Then go to ZoneAlarm configuration window(by double-clicking the ZA Icon in your system tray/notification area), click on "Alerts & Logs" tab, and set the option to OFF. This will disable non-program alerts. If you don’t do so you are probably going to be very annoyed. Remember to frequently review the programs in "Program" sub-tab in "Program Control" tab, remove or set to "ASK" for those you don’t really need to access the internet.

When you believe all’s done, head over GRC ShieldsUP! to test your new found firewall power! Scroll down till you come to a SHIELDSUP!! SERVICES bar, then select either Common Ports or All Services Ports. The rest is rather self-explanatory.

So, tell me what else is holding you back from using a firewall? Tell me! Maybe I can help you.

A properly configured firewall capable of analysing both outgoing and incoming packets will also prevent spyware from sending back information about you, and hence heighten the security of your online presence. What are you waiting for? Hassle during gaming because of incoming connections is not even a valid excuse anymore! A properly configured firewall should not have the problem. And what’s more? I can list more advantages of having a firewall than you can list disadvantages! Feel free to mail in to tell me about your disadvantages.

MS Blaster has taught us a valuable lesson - even if your system is not patched, a firewall will block any incoming attempts and therefore reduce the chances of getting infected! Result? You probably won’t get infected and will save the hassle of getting disinfected.

Yet setting up a firewall is only the first step. You will need anti-virus software to help you too. This will prevent you from running malicious files. Anti-virus software will also detect any virus-like activities and alert you. But now, if you’re not careful, you run the risk of running trojans on your computer. A trojan is software that masquerades as benign software, but in fact does damage to your computer. But the good news is that the chances of getting a trojan into your computer can easily be reduced by not running files received via e-mail or IRC when you didn’t request them. And that would be the golden rule.

For anti-viral purpose, I would suggest AVG Free Edition because it’s sleek, and not bloated like some other anti-viruses like Norton’s. Follow the link to see what it offers to be so welcomed. I don’t use any anti-trojans, but you might want to try Trojan Hunter, and I don’t think it’s free. Remember having an antivirus is definitely important, keeping the virus definition up to date is as important!

This isn’t really enough yet. You’ll need anti-adware too! Anti-adware is software that detects and (presumably) removes advertising software, spyware, and more… generally programs that intrude on your privacy. One such good program I am using is Ad-Aware! It needs to be registered to fully unlock its features, and that would be an additional monitor watching over you. But I don’t need that; I am quite happy with just an on-demand scan every fortnight. Another choice would be SpyBot S&D. I hate to think they serve different purposes, but I believe that, as with different anti-virus software, they will have different definitions of adware, so it’s advisable to have both. I use both of them, in case either one misses something. SpyBot S&D is free but, as its screenshot advises, USE AT YOUR OWN RISK!

To guard against spam, I use K9, which uses Bayesian filtering to help me separate good and spam mails for easy reference. Reducing the number of useless mails read reduces the chance of getting infected by mails that contain infected attachments. After 2 weeks of initial training, overall accuracy remains ~99.5%. If you wish for an initial training zip of 6K spam mails (real spam archive by hotpile!), please feel free to mail me for it - I’ve forgotten the link to hotpile’s archive. This archive sure helps.

What are needed?

Simply put, these are the kinds of utilities you should (seriously) consider having… This list is not arranged in any order; they are all of equal importance and you need them all.

  • Anti-virus (with regular definitions updates)
  • Anti-trojan (with regular definitions updates)
  • Anti-adwares (with regular definitions updates)
  • Spam filters
  • And very importantly, a good firewall.

Notice that I didn’t list the names of the utilities you should get, but the kinds of utilities. It doesn’t matter what programs you use for those functions - just make sure they do what they claim to and not otherwise.

There are evil versions of many programs which actually are the bad programs you want to avoid; they disguise themselves as benign software to get into your system and do bad things, intentionally or not! I strongly recommend the few personal favourites I mentioned. You may or may not like them, but they do the things they say they do - and that’s all I need.

Doesn’t it apply to you as well?

Although new threats come out daily, you might already have been protected if you had patched against security flaws and bugs that can still be exploited to your disadvantage. If you don’t, hackers will soon find their way around your software’s bugs! And it is really sad to see systems getting compromised due to an exploit that should have been patched a long time ago. Remember your system is only as secure as you want it to be.

If you’re paranoid, go around your system disabling every unneeded function. That should reduce the chances of being hit. But please don’t overdo it and crash your system! You’d be doing it more harm than good! So know your limits and know what you’re doing. I don’t encourage such moves if you’re not an experienced user.

If you have tried what is mentioned in this little article, you should have a more enjoyable time and be more at rest using the Internet. While these measures don’t ensure total safety on the Internet, your system will be a harder target to compromise than those of your friends who don’t deploy the same technology as you.

I have been following most, if not all of the tips I’ve given in this article for over 3-4 years now. The last virus I had installed into my computer was CIH, and that is a long time ago and before I’ve learnt about the dangerous side of the internet. So now I hope after you read my little article, you’ve learnt what you need to protect yourself, and why.

After reading this much, you should have figured out that idolising the golden rule alone is no longer enough. In addition to the golden rule, you need to know and understand the following rules, which you will need to follow religiously.

What has to be done?
  • Don’t accept or/and run files from untrusted sources; think twice even if it’s from trusted sources.
  • Don’t go to untrusted sites which could probably be waiting to exploit your computer.
  • Patch & update your systems regularly - all softwares have bugs.
  • Don’t run softwares that you don’t really need. More softwares running simply equates more exploits.
  • Everything else would just be common sense.

Trustworthy or untrustworthy, it’s all at your own discretion. Even when you download patches/updates, please do so from reputable sites too. There are many harmful sites in benign disguise waiting for their victims. If you download things, develop an “Is this site safe?” attitude, not “I think it’s safe!”. I am rather skeptical at times too.

Don’t wait, start today. Now! And tell your friends about it too!
