PCCITIZEN.com - SAFE COMPUTING/HOME NETWORKING/COMPUTING TIPS/CLEANUP-FIXUP-ADDUP
PLEASE DON'T LET YOUR PC BE A TERRORIST!!
On this page, I hope to list a few quick checks you can make to see if your PC has been commandeered by hacker/crackers to perform Internet terrorism. If you do not practice the safe computing tips listed on this site, and you have a high speed Internet connection, there is a chance that your PC has been compromised and there are hacker/crackers actually running your PC as "attack elements," called "zombies." It is actually your PC which is attacking the sites which the hacker/cracker wants to decimate. The latest cracker trick is to use your PC to relay spam email, using trojans implanted on your PC. Do you care?? I sure hope so. More and more ISPs are detecting these rogue PCs, and shutting them down! You may get an email, or a call some day and will have to do something about it! This page discusses how the Denial of Service Attacks work.
This is an evolving art, and there is no one certain way I know of to determine if your PC has been compromised or not. Typically, once your PC has been compromised, the smart hacker/crackers will go to great lengths to hide their presence on your PC. There are five approaches you can take to try to determine if your PC has been taken over by a hacker/cracker, and is being used as a zombie to perform DOS or DDOS attacks on other Internet sites, or as a spam relay, or "merely" to capture your important transactions, like monitoring your keystrokes when you enter passwords to banking sites.
First of all, if you are not running an antivirus program, or you are, but you are not keeping it up to date, please go to one of the free sites which will run an antivirus check on your PC. See here. Positive indications of a virus should set off warning bells in your head. Beware, however, that antivirus programs may not pick up these trojans, because they may masquerade as a "legitimate" program, possibly even one you downloaded and installed!
Secondly, you should also run one of the antispyware programs, as these will detect a broader range of scumware/malware. Run Ad-Aware and Spybot especially often. If the program gets past the antivirus checker, it may not get past the antispyware checker.
Thirdly, you should download and install a personal firewall program, which runs on your PC. This is now in addition to the NAT/router that you have protecting your home network at the front door, and in addition to the XP so-called firewall, ICF. You should really consider disabling the Windows XP firewall, ICF, including the one that comes with SP2, because this simple firewall does NOT do outbound monitoring, which is what we must do in order to detect a hacker/cracker using your PC after he has set up shop thereon.
With the advent of XP SP2, Microsoft is finally helping in the war against Internet terrorism. The firewall is much more useful than the ICF of pre-SP2. The security center pesters you to keep your Windows up to date and your antivirus running, and keeps warning you if you don't have your firewall turned on. If nothing else, security is brought much more into the forefront with SP2. I have summarized some of the good and bad points and recommendations about SP2 here. The SP2 firewall still does not do a good job of alerting you about outgoing programs.
The hacker/crackers cannot disguise the fact that they will be using your PC to send traffic on your Internet connection. In this case, the traffic will actually be leaving your PC as it travels to the Internet. Note that the NAT/router, and the XP ICF or the SP2 Firewall that you should have installed, will block all inbound connections from the Internet, but will allow outbound connections to the Internet [see this page for a discussion of these TCP connections]. What you need to do is install the personal firewall and then watch the pop ups which occur to notify you when programs attempt to go out. Now, it is not always easy to decipher which programs will attempt to access the Internet. There are a host of normal Windows programs which make normal outbound connections, including IE, OE, svchost.exe, and others. This site has a very good listing for XP. You of course will have to be cognizant of your application programs which will also attempt to access the Internet. Your antivirus program and your instant messenger program will be among them. Here is a list of most of the valid XP Windows programs:
services.exe, svchost.exe, inetinfo.exe (this is IIS), imapi.exe, cisvc.exe, msdtc.exe, alg.exe, clipsrv.exe, dllhost.exe, fxssvc.exe, lsass.exe, dmadmin.exe, mqsvc.exe, mqtgsvc.exe, mnmsrvc.exe, netdde.exe, smlogsvc.exe, spoolsv.exe, rsvp.exe, sessmgr.exe, locator.exe, tcpsvcs.exe, SCardSvr.exe, snmp.exe, snmptrap.exe, ups.exe, vssvc.exe, msiexec.exe, wmiapsrv.exe, msimn.exe (OE), iexplore.exe (IE).
You must watch for programs which the hackers install, which are named very similarly to some of the valid ones in order to try and fool you!!
This site actually cross correlates between programs and their executable names.
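The lookalike-name trick above is something you can check for mechanically. The following is an added example, not code from the original page: it reads the image names out of a `tasklist` listing, marks the ones that are on the page's list of normal XP programs as known, and marks as a lookalike any name that becomes a listed name once digit-for-letter swaps (0 for o, 1 for l) are undone or that is one typo or one swapped pair of letters away from a listed name. The tasklist text and the suspicious names in it (svch0st.exe, scvhost.exe, msupdate32.exe) are constructed for the example.

```python
import re

# Added example, not code from the original page: check running image names
# against the page's list of normal Windows XP programs and flag names that
# are only a digit-for-letter swap or one typo/transposition away from a
# valid one. The tasklist text below is constructed for the example.

KNOWN_XP_PROGRAMS = {
    "services.exe", "svchost.exe", "inetinfo.exe", "imapi.exe", "cisvc.exe",
    "msdtc.exe", "alg.exe", "clipsrv.exe", "dllhost.exe", "fxssvc.exe",
    "lsass.exe", "dmadmin.exe", "mqsvc.exe", "mqtgsvc.exe", "mnmsrvc.exe",
    "netdde.exe", "smlogsvc.exe", "spoolsv.exe", "rsvp.exe", "sessmgr.exe",
    "locator.exe", "tcpsvcs.exe", "scardsvr.exe", "snmp.exe", "snmptrap.exe",
    "ups.exe", "vssvc.exe", "msiexec.exe", "wmiapsrv.exe", "msimn.exe",
    "iexplore.exe",
}

# Constructed sample of `tasklist` output; the lookalike names are invented.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                  932 Console                 0      3,104 K
svch0st.exe                 1616 Console                 0      2,512 K
scvhost.exe                 1720 Console                 0      1,980 K
lsass.exe                    708 Console                 0      1,244 K
iexplore.exe                2044 Console                 0     18,004 K
msupdate32.exe              2188 Console                 0      4,320 K
"""

# Digits that get substituted for letters so a bogus name reads like the real one.
HOMOGLYPHS = str.maketrans("01|", "oll")

# One row of tasklist: image name, PID, session name, session number, memory.
TASKLIST_ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing 1 (so scvhost/svchost is 1 apart)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def classify(name):
    """'known' if on the list, 'lookalike' if within one edit of a listed name
    after folding digit substitutions, otherwise 'unknown'."""
    lower = name.lower()
    if lower in KNOWN_XP_PROGRAMS:
        return "known"
    folded = lower.translate(HOMOGLYPHS)
    if any(osa_distance(folded, known) <= 1 for known in KNOWN_XP_PROGRAMS):
        return "lookalike"
    return "unknown"


def parse_tasklist(text):
    """Return (image name, pid) pairs from tasklist output."""
    rows = []
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            rows.append((m.group("name"), int(m.group("pid"))))
    return rows


def audit_tasklist(text):
    """Map every executable in the listing to its verdict; the kernel
    pseudo-processes (System, System Idle Process) carry no image file."""
    return {name: classify(name) for name, _pid in parse_tasklist(text)
            if name.lower().endswith(".exe")}


if __name__ == "__main__":
    for name, verdict in audit_tasklist(SAMPLE_TASKLIST).items():
        print("%-20s %s" % (name, verdict))
```

A "lookalike" verdict is the one to chase first, since a program with that name has no business being there at all; an "unknown" verdict just means the name is not on the page's list, and your own applications (antivirus, instant messenger) will show up that way until you add them to the set.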
An alternate, and much more informative way to watch processes connect to the Internet is to use a program such as TCPView, from www.sysinternals.com . Run this program always on top, and set it for updating every second. Also, in the options tab, unselect "show unconnected endpoints" and this will show only the TCP connections to external sites. It is fascinating to watch the processes come and go and open up all the TCP connections to remote sites. The GUI will splash an initial TCP connection as green, and then splash it as red when it is torn down. It also resolves domain names from the IP addresses, so you can get a good idea of what program is attempting what. When you combine this with the subnet calculator tool from www.solarwinds.net you have a very powerful technique for determining what process is making those TCP connections, and by tracing the IP or domain name using the subnet calculator tool, you can find the responsible domain.
Update summer 2006: Sysinternals.com was actually bought by Microsoft, so the availability of these free tools will be in question. You may have to get them from archived sites.... stay tuned.
Using TCPView, along with your firewall program, which should ASK you whenever a new application tries to access the Internet, will give you a very good idea of what is going on. In order to simplify this task, you should probably minimize the number of services that run on XP. The only ones "necessary" I can think of are 1) Windows update checker, 2) antivirus update checker, 3) firewall update checker, 4) Windows time protocol, 5) login to Windows Messenger (if you must). This site gives a great summary on which services can easily be disabled in XP.
For extraordinary details in understanding the services on Win2K and WinXP, please refer to this article. It also explains how to remove the vulnerable services, one by one, from those Windows machines. The easier way, of course, is just to install a firewall on the Windows machine, or operate the Windows machine behind a NAT/router or a hardware firewall.
Catch22: Please remember to download the latest Zonealarm ZIP/exe from the web [if you are behind a NAT/router, you can ignore this] BEFORE you disable the existing Zonealarm. And BEFORE you disable Zonealarm, you MUST disconnect your PC from the Internet. Once you are connected to the Internet without a firewall, the level of probing for unprotected, unpatched PCs is so furious in this day and age that the chances of you catching another virus/trojan/worm are very great.
There have been reports of the hacker/cracker programs actually disabling zonealarm. What you want to do is clear the program list, and uninstalling/reinstalling will do this. Zonealarm will accumulate the pop ups which you can peruse at your leisure, and enable the ones that look permissible and disable the remaining. Zonealarm, as well as most of the others, actually does an integrity check on the program, and can detect when it has been altered. You will notice when you update windows, that it sometimes asks you to re-enable IE, for example.
You might want to consider uninstalling your existing personal firewall, and installing a different one, just to be sure that any existing scumware cannot re-disable the firewall! I have uninstalled zonealarm and installed McAfee Personal Firewall Plus. McAfee sells their "Personal Firewall Plus" which is very similar to Zonealarm, but which I consider a little better. I have been using it and learning about it here.
Fourthly, you can download and run some anti-trojan program to try to detect existing trojan programs. This particular technique is not very straightforward yet, because of the difficulty of keeping up with all the potential trojans. I intend to investigate this a little further, because I know there are now some anti-trojan programs available.
If you detect that your PC is accessing the Internet for unknown reasons, and you suspect you have scumware/malware/trojans running on your PC, and your antivirus and other techniques are unable to clean up your PC, you may have to begin over again, as discussed on this page! DSLReports also has a very good FAQ to consult when you suspect that you already have uninvited guests, and you do not seem to be able to get rid of them. Beware that this can get very complicated. You may be better off just starting over!
Fifthly, you can actually go to some sites which will check your browser and your email client for being properly secured. This is discussed throughout this web site. Here is a place which tries to list them all. Good luck!!!
Sixthly, you need to run a scanner to detect the presence of "rootkits" on your PC. This is the worst kind of trojan, the kind which can be completely hidden from you. You can go to www.sysinternals.com/utilities/rootkitrevealer.htm and download the free checker. Do it today!! You may need to read the info at the site to interpret any data that gets reported.
UPDATE Jan 2004:
Rik Farrow in the latest Network magazine reports that there are indications the crackers are getting very very sophisticated. Through various exploits, they are able to install a trojan onto your system, just like they have been doing for years. This particular trojan then makes an outgoing connection - through your firewall - and on port 80. It looks like a regular web page request. All the cracker exploits are then tunneled inside the http protocol. This stuff is VERY hard to defend against. If you visit questionable sites, download illegal stuff, open questionable emails, this stuff could wind up on your PC. No normal spyware checker or virus checker can find this trojan. It just looks like a regular program! By using TCPView you should be able to see the TCP HTTP connection if you are alert - that is your only chance. You will have to record the program name and then go find it..... Stay tuned for more info.
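What TCPView shows you on screen, you can also get from the XP command line with `netstat -ano` (which prints the owning PID for each connection) and `tasklist` (which maps PIDs to program names). The following is an added example, not code from the original page: it parses a `netstat -ano` listing, keeps only the ESTABLISHED TCP connections (the outbound traffic the page says the crackers cannot hide), looks each PID up in a tasklist snapshot, and flags every connection whose program is not on the short list of normal XP programs, calling out remote port 80 separately because that is the HTTP-tunnelling trick just described. Both listings are constructed for the example, the remote addresses come from the RFC 5737 documentation ranges, and the known-program set is an abbreviation of the page's full list.

```python
import re

# Added example, not code from the original page: correlate `netstat -ano`
# with the PIDs from `tasklist` so every ESTABLISHED outbound connection is
# tied to a program name, then flag connections made by programs that are not
# on the page's list of normal XP programs, calling out remote port 80
# separately because that is the HTTP-tunnelling trick described above.
# Both listings below are constructed for the example; the addresses are
# from the RFC 5737 documentation ranges and the odd program names are invented.

# Abbreviated from the page's full list: normal programs that legitimately
# open outbound connections on an XP box. Extend it from the page's list.
KNOWN_OUTBOUND = {"svchost.exe", "lsass.exe", "iexplore.exe", "msimn.exe",
                  "services.exe", "spoolsv.exe"}

# Constructed sample of `netstat -ano` output on XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.10:1054      192.0.2.10:80          ESTABLISHED     2044
  TCP    192.168.1.10:1061      198.51.100.23:80       ESTABLISHED     1616
  TCP    192.168.1.10:1070      203.0.113.9:6667       ESTABLISHED     2188
  TCP    192.168.1.10:1075      192.168.1.1:445        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# PID -> image name, as read off `tasklist` at the same moment (constructed).
SAMPLE_PIDS = {932: "svchost.exe", 2044: "iexplore.exe",
               1616: "svch0st.exe", 2188: "msupdate32.exe"}

# One TCP row: local endpoint, remote endpoint, state, owning PID.
NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP row of netstat -ano output (UDP rows have no state)."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        host, port = m.group("remote").rsplit(":", 1)
        conns.append({"local": m.group("local"), "remote_host": host,
                      "remote_port": int(port), "state": m.group("state"),
                      "pid": int(m.group("pid"))})
    return conns


def flag_outbound(netstat_text, pid_to_name, known=KNOWN_OUTBOUND):
    """Return (program, remote endpoint, verdict) for each established connection."""
    findings = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED":
            continue
        name = pid_to_name.get(c["pid"], "<pid %d not in tasklist>" % c["pid"])
        if name.lower() in known:
            verdict = "ok"
        elif c["remote_port"] == 80:
            verdict = "SUSPECT: unknown program talking on port 80 (looks like web traffic)"
        else:
            verdict = "SUSPECT: unknown program"
        findings.append((name, "%s:%d" % (c["remote_host"], c["remote_port"]), verdict))
    return findings


if __name__ == "__main__":
    for program, remote, verdict in flag_outbound(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print("%-16s -> %-22s %s" % (program, remote, verdict))
```

An "ok" verdict only means the name is on the list; a trojan that has been given a name from the list (or one letter away from it, as warned above) will pass this check, so the name still has to be verified on disk. The port 80 connection from svch0st.exe is flagged here only because its name is not literally on the list, which is exactly why the page says you must record the program name and then go find it.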
Copyright John D Loop Wednesday October 26, 2005