PCCITIZEN.com - SAFE COMPUTING/HOME NETWORKING/COMPUTING TIPS/CLEANUP-FIXUP-ADDUP


Now I don't want to scare you to death, but there are some things you really need to know about to ensure your PC is safe while riding the wild wild west range of the Internet, AND to make sure you are a good Internet citizen.  They both go hand-in-hand of course.

I want to convince you that an out of date, unpatched, unprotected PC can be a very bad citizen on the Internet.  You can be one of those scumbag outlaws, and not even know it!   Basically, if you run an unsafe PC, you are exposed to crackers who can install their own nefarious code on your system.  This is not to say that you are really a bad citizen in the ...normal... sense of that word, but your PC may in fact be one if you are not careful.  This nefarious code may spew spam, steal valuable info, send itself to people in your address book, scan other PCs for vulnerabilities, and do many other despicable things, often at the cracker's command [in the case of trojans].  That PC, unlike you, will just execute any software that it gets its hands on.  Once those unsafe PCs are executing the crackers' trojan software, the crackers have perfected the ability to command hundreds, or thousands, of them to perform "Denial of Service (DOS)" attacks on targets such as corporations and individual users.  These DOS attacks basically take down those sites.  The worst part of it is that it is very difficult, and becoming even more difficult, to track down the real culprits.

If you have an old Win95 or Win98 or WinME, and you haven't been careful to keep it patched, and you haven't bothered to keep the antivirus program up to date, you very likely have a PC that is very very sick.  This is especially true if you have it connected to the Internet with a high speed connection, and the connection is not protected, and the PC is not monitored for nefarious interlopers.  Even if you only use dialup, the chances that you have acquired viruses, spyware, and scumware from rogue HTML emails and unpatched Windows vulnerabilities are very high.  The newer OS's such as Win2K, WinXP, Linux and most of the Mac OS's are less likely to be infected, unless you have a habit of visiting some pretty shady sites!  If your browsing habits are shady at best, you are likely very infected just by visiting web sites, unless you have taken the time and energy to understand the dangers, and have protected yourself!  Sounds kinda like real life, doesn't it?

With the advent of XP SP2 in fall 2004, the XP OS is a lot more secure out of the box, so you should definitely do this update.  Most new PCs after fall 2004 will include an OEM version of XP SP2.  You will still have the problem of keeping the OS up to date, and your antivirus current.  See this section for initial info on SP2.

These unsafe PCs can also be a way station for "warez" - pirated software, games, music and movies, and of course porn. That means a cracker has used you as temporary, anonymous storage for his trash - to keep him from being caught and prosecuted!  Well, what about you???  If you are ever caught with child porn on your PC, they can put you in jail, no questions asked...  Your PC could be serving up all this trash and you may not even know it unless you are vigilant.  This is especially true if you have server versions of WinNT, Win2K or WinXP, where the web and ftp servers may be installed by default, or if you have somehow installed these services on your Win98 or ME PC, OR you have unpatched versions of these OS's which have well-known exploits which crackers can use!   See below on how to detect the running of these services.  If these versions are not brought up to the latest version [by running winupdate or using the auto update feature], they are easily compromised.  Their presence on an "always-on" high speed connection to the Internet via a cable modem or ADSL connection makes the potential problem much worse.  Running Linux PCs has often been a problem in the past because many of the machines were installed with all the servers on by default.  More recent distributions have become much better PC citizens.  Most Apple OS's are much less susceptible, just because there are a lot fewer of them, but beware of the Word macro viruses which can come in email - these are not OS specific.

Your unsafe PC may be the one which is being used, along with thousands of others, to essentially bring down entire web sites or sections of the Internet.  Yahoo, CNN, and some other sites effectively disappeared off the Internet in early 2001 due to the denial of service (DOS) cracking activity of one young cracker in Canada.  In 2005, DOS and DDOS attacks are seemingly routine.  You may also be serving up porn and warez if you are running servers and not keeping your PC up to date and protected!  If you are lucky, some hacker has just defaced your default web page, or crashed your PC, or given you a virus.  If you are unlucky, some cracker has taken over your PC's server and is using it for porn and warez storage!  In early 2004, the Internet is suffering a plague of worms which perform spam spewal for the spammer slime.  That is right, they don't have to do it - they can get your PC to do it!

Most recently, spammers and scum artists have performed DOS attacks against some of the corporate citizens of the Internet who attempt to keep track of them.  The ISPs are not able to query these free databases because they are being DOS'd to death.  And even worse, the spammers and scum artists are finding the vulnerable PCs, and planting trojans on them in order to use THEM to distribute and relay the scumware and spam.  Lastly, and most alarming, the international criminal elements have discovered the Internet and actively trade in and participate in all the scumbag practices out there.   There really is a war in cyberspace, and it is for the very heart and soul of the Internet.  The terrorists are trying to take down our Internet as well.  Don't you let them use your PC to do this!!!

The other side of this problem, of most importance to you personally, is that you may be compromising your own personal data which you may be keeping on your PC.  Let me see, do you do your taxes via tax preparation software?  Do you tell Windows to save all those passwords for you, so you don't have to enter them yourself?  What sort of passwords do you have on that PC?  Do you do your investing on your PC?  Do you subscribe to Gator or Microsoft Passport and some of those sites which keep track of all your personal data for you so you don't have to enter it on all those forms?  Do you keep business correspondence on that PC?  Do you then TAKE IT INTO WORK and connect it to the company LAN? Your local sysadmin would not think very highly of you.

The proactive task that you can do is to follow some of the discussions on this site, and especially, implement the minimal safe computing measures here [next topic below].  The entire civilized population of the Internet will greatly appreciate your efforts, and your PC may run much better, AND you may not lose/compromise some of your most intimate data!  You will have a "PC Citizen!" 

Another task that you need to do before, and after, you have done all the proactive tasks is to actually scan your Internet connection, and test your PC and/or your Router for vulnerabilities.  There are many good sites, such as www.grc.com and www.pcflank.com, which will scan your Internet connection for open ports.  Open ports are the most obvious vulnerabilities, and are the place where the crackers can implant their nasty stuff.  I will even perform a scan for you and analyze it personally! There are also some sites which will scan your email client and your browser for vulnerabilities, such as www.gfi.com/emailsecuritytest.htm and the Microsoft baseline security analyzer in the tools security section at www.microsoft.com/technet/default.asp, which provides a security scanning service for NT4, XP and W2K.  2003, and I am sure 2004, will see a ton of viruses and scumware.  2005 is the coming of age of phishing attacks.  Most of this stuff enters through unpatched Windows vulnerabilities, opened HTML email, or not-so-bright people who reply to requests from unknown sources to renew their credit card or their bank account.

At this writing, Steve Gibson has turned up his superb port checker at www.grc.com.  Select the "Shields Up" link, and select a scan of the common ports.  This is a fantastic security checker for open ports, and it is very fast!  Please visit this site and check your Internet connection for open ports.
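A do-it-yourself version of the open-port check described above, and of the "detect the running of these services" note earlier on this page, as an added example that is not code from this site, from grc.com or from any of the scanners mentioned: it tries a TCP connect to a set of well-known ports on the host you name (127.0.0.1 by default, meaning your own PC) and reports which ones have something listening. The port-to-service notes are standard port assignments written in for this example, and the loopback self-test only talks to a throwaway listener it opens itself. A Shields Up scan sees your connection from the outside (after your router or firewall); this sees what your PC itself is offering, which is what you want to know before you decide whether a listening web, ftp, NetBIOS or remote-control service should be there at all.

```python
"""Listening-service self-check: the local counterpart to a Shields Up scan.
Added example for pccitizen.com readers; not the site's own code."""
import socket
from typing import Dict, Iterable, List, Tuple

# Well-known port assignments, with the concern this page raises about each.
# These notes are constructed for the example, not taken from any scanner.
PORT_NOTES: Dict[int, str] = {
    21:   "FTP server: a warez drop box if left open and unpatched",
    23:   "Telnet: clear-text remote login",
    25:   "SMTP: an open relay is what spam-spewing worms look for",
    80:   "HTTP web server (IIS, Apache): keep it patched or turn it off",
    135:  "MS RPC endpoint mapper: worm target on unpatched Windows",
    139:  "NetBIOS session: file sharing exposed to the Internet",
    445:  "SMB over TCP: file sharing exposed to the Internet",
    5631: "pcAnywhere: remote control, a password-guessing target",
    5900: "VNC: remote control, often weak or no password",
}


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:
            # Connection refused or timed out: nothing listening (or filtered).
            return False


def scan_host(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[Tuple[int, str]]:
    """Return (port, note) for every port on host that accepts a connection."""
    found: List[Tuple[int, str]] = []
    for port in sorted(ports):
        if port_is_open(host, port, timeout):
            found.append((port, PORT_NOTES.get(port, "unknown service")))
    return found


def demo_listener_roundtrip() -> Tuple[bool, bool]:
    """Prove the check works without touching any real service: open a
    throwaway listener on loopback, scan it, close it, scan again.
    Expected result is (True, False)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    while_open = port_is_open("127.0.0.1", port)
    server.close()
    after_close = port_is_open("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # Scan your own PC; pass your router's LAN address instead to see what it offers.
    for open_port, note in scan_host("127.0.0.1", PORT_NOTES):
        print(f"port {open_port:5d} OPEN  - {note}")
    print("self-test:", demo_listener_roundtrip())
```

A port reported OPEN here but not by an outside scan means your router or firewall is doing its job; a port reported OPEN by both is a service the whole Internet can reach, and it needs to be either patched and password-protected or shut off.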

Below are a few discussions I have found which really highlight the potential of an unsafe PC.  I have included them in-line, since I want you to scan them quickly.  I hope their authors will not mind too much.  This is all done pretty much in the spirit of public service.  We are all going to lose some of our Internet  freedoms in the future unless we can exercise some self-government.  Of course it is the computer terrorists, the crackers, spammers, criminals, and virus writers,  much like the terrorists in the real world, who continue to abuse any freedoms they might have, and take advantage of our open society and the openness of the Internet and make it more challenging to live in our world.  These are some fascinating and eye-opening discussions: 

After you have scanned these discussions below, go to the safe computing (NEXT TOPIC) tips page and try to implement some of the steps.  The TCP/IP Stuff, ADSL/Cable Modem stuff, and PC Stuff topics are parallel tracks with lots of good information.

 


1) You think there aren't problems with "unsafe computers?"  Read this from www.idg.net:

Notice especially the quote by Alan Paller, director of the SANS Institute:

"There's no easy fix for preventing DOS attacks, and the time is fast approaching when ISPs (Internet service providers) are not going to allow users on the Internet if they pose a threat to the other users by not meeting a minimum standard of security, Paller added."

This is directly from the article:

WASHINGTON - Over the last eight months major new hacker tools have been released or revealed, ending a lull in activity among hackers that followed the Sept. 11 terrorist attacks and the enactment of legislation that enhanced law enforcement's ability to prosecute people who break code and wreak havoc on networks by exploiting software vulnerabilities, hacking consultant Ed Skoudis said Thursday.

LibRadiate, Paketto Keiretsu, Setiri and The Defiler's Toolkit are just some of the newest tools that have cropped up since March and that are keeping security specialists awake at night, according to Skoudis, who gave a threat update briefing here at a SANS Institute Inc. conference. SANS is a security education and research organization in Bethesda, Maryland.

Skoudis, the vice president of ethical hacking and incident response at consultancy Predictive Systems Inc., in New York, said the June-through-September period saw massive exposures of security vulnerabilities in OpenSSH, Apache Web server software and Internet Explorer (IE).

"This summer has been a huge summer for hackers. There were huge issues discovered all summer long, and things really opened up between March and now," Skoudis said. "The Golden Age of Hacking rolls on."

One of the latest developments involves the security of wireless LANs (local area networks) and the ease with which people are able to detect them. For one week in early September, amateur wireless LAN sniffers used freeware called NetStumbler to detect hundreds of insecure business and home wireless LANs in North America and Europe in an exercise called a "war drive." [See "Worldwide 'war drive' exposes insecure wireless LANs," Sept. 9.]

Skoudis said attackers have "flocked to this area" and are finding that many wireless LANs are set up without basic security. After they detect the wireless LAN, they can use a tool that's been available since May called LibRadiate, an API (application programming interface) that allows developers easily to capture, create and transmit arbitrary packets on a wireless LAN using the IEEE 802.11b standard. The tool runs on Linux (kernel 2.4) with wireless cards that have the Intersil Corp. Prism 2 chipset, Skoudis said.

LibRadiate makes it possible for hackers, using "fairly simple C code," to capture TCP/IP packets or inject them into a network. Among the wireless attack tools expected to become available for use with LibRadiate, according to Skoudis, are Wired Equivalent Privacy (WEP) crackers, which exploit flaws in the WEP protocol, allowing a hacker to determine encryption keys even when WEP is in use; and malformed packet generators, which inject strange and noncompliant packets into a network in an attempt to crash systems that cannot handle unusual packet structures.

"With tools like LibRadiate, the computer underground is starting to develop far more sophisticated attack tools than what we have seen in the past," Skoudis said.

Another tool released, two weeks ago, is called Paketto Keiretsu, which Skoudis referred to as a suite of tools for doing TCP/IP (Transmission Control Protocol/Internet Protocol) tricks. One of its most fundamental capabilities involves rapid port scans, which it does by separating the packet sender from the receiver.

Skoudis also described Setiri, a new Trojan horse back door. The tool bypasses personal firewalls, Network Address Translation (NAT) devices, proxies and advanced firewalls by starting up an invisible browser on the victim's PC. Then Setiri, running on the victim's system, uses OLE (Object Linking and Embedding) to communicate with the hidden browser. As long as the victimized PC's browser can access the Internet, Setiri can reach across the network and get the attacker's commands. The personal firewall, NAT (network address translation), proxy and stateful firewall do not know whether the access is caused by a user surfing the Internet or Setiri getting commands.

Setiri, developed by a small group of South African security consultants and demonstrated in August at Def Con [See "Trojan horse technology exploits IE," Aug. 8 PCWorld.com.], hasn't been seen in the wild yet, Skoudis said. Nevertheless, he included it in his presentation because its existence has been acknowledged within the security community and writing the code is something a moderately skilled coder could do.

Skoudis said the system strips out information about the user by going through anonymizer.com, so blocking access to that site is a way of defending against Setiri. Another solution would require changes in IE that limit the actions of an invisible browser, and Skoudis said Microsoft Corp. has publicly said it will address the matter.

In the new area of "antiforensics," hackers have had access to a tool called the Defiler's Toolkit since July. It's able in a number of ways to foil the Coroner's Toolkit, a tool that has been used by computer forensic specialists for several years, Skoudis said. For example, it can destroy or hide the traces of a hack that the Coroner's Toolkit looks for. The Defiler's Toolkit targets the Linux Ext2fs file system, but Skoudis said the concept could be extended to other platforms.

Commenting on the recent distributed denial of service attack on the Internet that happened Monday, [See "Major Net backbone attack could be first of many," Oct. 23.] Skoudis said major U.S. law enforcement agencies are investigating, but he didn't know whether they had developed any theories about where the attack originated.

Alan Paller, director of the SANS Institute, said the attack is being characterized by security professionals as a Smurf attack that could have been much worse if all 13 root servers had been affected.

"Had it knocked out all of them, there's a reasonable expectation that over a certain amount of time ... the way that you use the Internet would have ceased to work," Paller said.

There's no easy fix for preventing DOS attacks, and the time is fast approaching when ISPs (Internet service providers) are not going to allow users on the Internet if they pose a threat to the other users by not meeting a minimum standard of security, Paller added.

"DOS attacks are not going to be solved because we get some new hardware in the system," Paller said. "You are going to have to re-engineer the whole Internet. That's going to take close to a decade. While we are doing that, we are going to have to start protecting ourselves from (users who) are not going to be careful."

2) This was recently posted at news.mynetwatchman.com:

I'm thinking that while it isn't a crime for a computer to be infected with a virus, if the computer is infected with a virus that installs a back door, then that computer becomes available for use by cyber-criminals and cyber-terrorists.  The FBI expects that the attacks on the root servers will be traced back to machines infected with Nimda and Code Red.  ISPs and companies who don't respond to, say 10, 20, 30, 40, 50, escalation letters are allowing such compromised conditions to persist.  So shouldn't your FBI be looking into ISPs who sit on reports of customers with compromised computers?

And shouldn't the FBI be looking into websites like blackcode that openly distribute trojan kits to all comers?

FBI chief: Lack of incident reporting slows cybercrime fight
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,75532,00.html

<<snip>> "You're not enabling us to do the job," Mueller said, referring to the lack of incident reporting coming from the private sector. Without more companies stepping forward and cooperating with law enforcement on prosecuting known or suspected cybercrimes, the FBI's analysis and prediction capability will not improve, nor will the overall state of security on the Internet, said Mueller. "We understand that there may be privacy [and public relations] concerns," said Mueller. "We, as an organization, have learned that you don't want us [responding] in raid jackets, you want us there quietly." However, for the attacks to stop, "there has to be a sanction." <<snip>>

In addition to making cybercrime and cyberterrorism one of the bureau's top three priorities, Mueller said the FBI has changed its hiring practices to focus on recruiting "a new type of agent" that can bring a "bedrock of experience" from the world of IT. <<snip>>

http://207.27.3.29/dailyfed/1102/110102td1.htm
http://www.fcw.com/fcw/articles/2002/1028/web-fbi-11-01-02.asp
http://www.wired.com/news/politics/0,1283,56139,00.html

Root-Server Attack Traced to South Korea, U.S.
http://www.washingtonpost.com/wp-dyn/articles/A46872-2002Oct31.html

<<snip>> "We've tracked a total of at least 80,000 zombie machines in South Korea that are trivially exploitable and usable for these kinds of attacks," said Johannes Ullrich, chief technology officer for the Internet Storm Center, which tracks the source and type of cyberattacks worldwide. "These are machines that have ready-made back doors that allow them to be used to target other networks."
According to several recent studies, only the United States surpasses South Korea as an origin of computer attacks. <<snip>>

http://www.idg.net/ic_961320_1794_9-10000.html

<<snip>> However, Paller noted that lists of machines that are known to have been compromised by hackers or worms such as Code Red and Nimda are frequently traded on the Internet. Investigations into the source of the Oct. 21 attack will likely lead back to those compromised machines in the U.S., Korea and elsewhere. <<snip>>
 

3) This is an excerpt from the book "Hacking Exposed" by Joel Scambray et al., p. 508.

It shows the actual procedure used to hack in, through a firewall.  This procedure predates the appearance of the Code Red and Nimda worms in 2001, which used a buffer overflow vulnerability in IIS to infect the machine.  This was the most widespread exploit to date.


Case Study:  Using all the dirty tricks to get in

A friend of mine had set up a web site for her new company on her home DSL connection.  She was concerned that a competitor or random attacker might deface her new site, so she asked me to try and hack into her server and fix any problems I found, so I agreed to her request.

My first step was a simple ping to gather the IP address in question and then to fire off Fscan.exe ( www.foundstone.com ) to round up a listing of the services running.  I knew it must have been an NT server because she doesn't know UNIX, but there were no signs of NetBIOS ports anywhere.  Maybe she knew how to harden an NT system and remove all unnecessary NetBIOS services, or more likely she had a personal firewall set up?  Well, the Fscan results were in: 80 and 5631 were all I had to work with.  Personal firewall, prepare for battle...

I started with the most basic attack I had available, pcAnywhere password guessing.  I only tried two guesses for fear that it had been configured to limit logon attempts to only three.  I tried administrator with no password.  No dice.  Next guess, "password."  Nope.  It was time to move on to phase two:  port 80 attacks.

I gathered definitive information about the web server and its version.  Telnetting to port 80 and typing HEAD /index.html gave me the information I needed: Microsoft's IIS, version 4.0.  I wondered if she had installed option pack 4, which patched Rain Forest Puppy's lovely MDAC vulnerability.  The webping.pl script, found on the Hacking Exposed web site ( http://www.hackingexposed.com ), worked like a charm for that.  Yes!  The web server was vulnerable to the MDAC attack.  A few seconds later the exploit worked.  Bang! - remote prompt with "Administrator" access.

My next move was to Pwdump the box and to get John the Ripper cracking Lanman passwords.  Then I decided to hunt down that password for pcAnywhere.  A simple dir *.cif /s from the root of the drive searched the system for any .cif files.  Once I found it, I used TFTP to transfer it back to my machine, where Robin Keir's ShoWin ( www.keir.net ) awaited.  Using ShoWin I obtained the password "use_from_work!" for pcAnywhere from the .cif file.  I brought up pcAnywhere to connect to the system with the newly discovered password.  Ugh...I made a typo, and it just stopped responding (the three-failed-logins lockout feature had been enabled).  Now what?  No GUI access?  I needed my GUI!

I went back to my remote console and used TFTP to grab files from my system.  The tools I needed for this mission were available components of the NT Resource Kit: Pulist.exe from the NTRK to list out the running processes and Kill.exe to stop services.  After listing out the processes, I found the Process ID (PID) for the firewall service.  Using the PID, I used the kill executable to stop the firewall in its tracks.

A quick port scan confirmed I had unrestricted access to all my favorite NetBIOS ports.  Conveniently, John the Ripper made short work of the alphanumeric password "g00dluck!"  I used my new-found "Administrator" password with the net use command to share out the Administrative C$ (entire C drive) share for my viewing pleasure.  Since I was locked out of pcAnywhere, I needed to devise a way to reset it.  Smiling nefariously, I copied over files for the WinVNC remote administration tool.  I used the NT scheduler to execute a batch file that installed the WinVNC service.

Finally I used my VNC client to connect to the server with the password I specified in my batch file.  I switched the client from read-only mode to interactive mode.  Voila! I had my interactive GUI!

The first thing I did was unlock pcAnywhere through the GUI so I could log in later.  Then I tagged the desktop wallpaper with a little JPEG file that I had made of a mocked-up invoice charging my friend for my services.  Next, I restarted the firewall with the GUI to protect the system from other attackers.  This killed my WinVNC connection (as expected), so I reconnected to the system using pcAnywhere and the password I had heisted.  Once connected, I closed the WinVNC connection, stopped the service, and deleted the WinVNC files.  To be thorough, I deleted Pulist, Kill, Netcat, and Pwdump, and closed out my remote MDAC session.  Finally, I patched the MDAC vulnerability using the strategy detailed by Rain Forest Puppy ( http://www.wiretrip.net/rfp ).  Once I had rebooted the machine (for the MDAC patch to take effect), the attack and fix were complete and my job was done.

4) Steve Gibson's excellent site:

www.grc.com contains an excellent article on a recent activity Steve experienced.

5) Fascinating article about Symantec's "Hacker Control Center."

http://www.washingtonpost.com/wp-dyn/articles/A28625-2003Jan8.html  Most people even think this is a very low estimate of the cracking activity that goes on. 

 

Copyright John D Loop Wednesday October 26, 2005