Protecting Your Home Computer

Your home computer is a popular target for intruders. Why? Because intruders (the bad guys) want what is stored there. They look for, passwords, credit card numbers, bank account information, social security numbers, identity information and anything else they can find. But it's not just money-related information they're after. Intruders also want your computer's resources, meaning your hard disk space, your fast processor, and your Internet connection. They use these resources to attack other computers on the Internet, or, they can disrupt your home computer's ability to perform as intended.

Don't assume that your Internet Service Provider (ISP) will offer all the protections you need against home computer invasion. There are many security tools such as Antivirus and Antispyware, and Web filters that are completely free for home use.

8 Tips to Protect Your Home Computer

1. Patching – patch the operating system and applications monthly
a. Microsoft - Windows Update / Automatic Updates
b. Java, Adobe, iTunes – use a tool such as Secunia to scan monthly

2. Antivirus – current version with daily/weekly updates, real-time scanning
3. Personal Firewall – Windows or third party such as Zone Alarm
4. Antispyware – scan weekly
5. Internet Safety
a. Web Filter– blocks spyware, virus infected and other unwanted sites that can damage your computer and steal your data or identity information. Blocks inappropriate sites.
b. MySpace/Facebook – (Social Networking) – Use caution and become educated. Children must be 14 years old to legally have their own MySpace/Facebook account. Parental permission required. Many viruses and worms come in through Social Networking “invites”. Be careful with URLs, attachments. Also see “Family Meeting” below.
c. Instant Messaging – AOL, Yahoo Messenger, MSN/Windows Live Messenger. Avoid attachments and URL links. “Check out this new screensaver” … or “Pic of Beyonce….” Don’t fall for it.
d. Skype – keep it patched.
e. Have a Family Meeting – Talk to kids/teens about Internet safety. Do not give out personal information of any kind without parental approval! (Address, birthday, phone number, school, age etc.) Predators are out there and pose as children/teens in chat rooms, game rooms, blogs etc.
f. Online Gaming -Xbox / Wii. They support web cams. Form of Social Networking. Who are they playing games with?
6. Email - Attachments: don’t click unless you are sure! Spam – Never click “unsubscribe” unless you know you actually preciously subscribed.
7. Mobile Devices – Smart phones/PDA/iPhone threats increasing slowly. 400 threats.
8. Wireless – secure the connection, WPA. Change default passwords.

Tools & Tips

The below information is presented as a courtesy to conference attendees. The presenters do not recommend, sanction, or promote specific computer security applications and/or tools. Most of the tools noted below are free for home and/or non-commercial use on personal devices.

Home User Computer Security Tips
http://www.cert.org/tech_tips/home_networks.html

Antivirus
Avast! (http://www.avast.com/eng/download-avast-home.html)
AVG (http://free.avg.com)
ClamWin (http://www.clamwin.com)

Antispyware
Spybot Search & Destroy (http://www.safer-networking.org/en/index.html)
SuperAntispyware
Malwarebytes

Internet Filtering
K-9 (Blue Coat, Free)
Bsafe (purchase)
Sandboxie (virtualized browser)

Microsoft Patching
Windows Update – Automatic Updates

Application Patching
Java, Adobe Reader, Adobe Flash, Quicktime, iTunes – update monthly
Secunia – very nice free web tool

Malware Removal Tools
Malwarebytes
HijackThis
OTview
Process Explorer
Autoruns
WhatsRunning?
Msconfig
AV vendor specific removal tools: Symantec, McAfee, F-secure etc.

Password Database
Encrypt passwords and important information. Use a password database tool.
KeePass Password Safe (http://keepass.info)
AnyPassword

Browser Sandbox/Virtualization
Sandboxie (http://sandboxie.com)
VMWare Player
Microsoft VirtualPC

Common Malware Load Points:

Symantec tutorial: http://community.norton.com/norton/board/message?board.id=Announcements&thread.id=11

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\[user name]\Start Menu\Programs\Startup
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
C:\Documents and Settings\Default User\Start Menu\Programs\Startup
C:\WinNT\Profiles\All Users\Start Menu\Programs\Startup
C:\WinNT\Profiles\[user name]\Start Menu\Programs\Startup
C:\WinNT\Profiles\Administrator\Start Menu\Programs\Startup
C:\WinNT\Profiles\Default User\Start Menu\Programs\Startup
C:\Windows\Start Menu\Programs\Startup
C:\Windows\All Users\Start Menu\Programs\Startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\currentversion\runonce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\currentversion\runservices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\currentversion\runservicesonce
HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\windowsnt\currentversion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\runonce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\runonceex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\runservices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\runservicesonce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windowsnt\currentversion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windowsnt\currentversion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\windowsnt\currentversion\Windows\appinit_dlls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\Explorer\sharedtaskscheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MSConfig\startupreg

Task Scheduler
System.ini
Win.ini
BHO – Browser Helper Objects

Infected file Submission
http://www.virustotal.com/
http://www.cwsandbox.org/
https://submit.symantec.com/websubmit/retail.cgi


Tools for dissecting a computer virus:
• Vtrap (Virus Trap) – Virus honey pot
• ClamWin – Antivirus
• Avast! – Antivirus
• AVG – Antivirus
• Sysinternal’s Process Explorer – Locating the virus, looking at the threads tree and reading strings in DLL (dynamic link library) files
• Anywhere PE Viewer – Viewing strings compiled into the virus and finding registry (Windows’ configuration database) keys
• Sysinternal’s Autoruns – Locating/disabling the virus at system auto load points
• Windows Scheduled Tasks, Services.msc, appwizard.cpl and msconfig.exe – Locating/disabling the virus
• Regedit – Exploring registry keys to identify virus activity
• IDA Pro Free Edition – Decompiling to assembly code, strings and function calls; running the virus in debug mode
• Boomerang – Decompiling to assembly code, exporting functions and decompiling to C code
• GNU C Compiler (gcc) – Compiling a custom version of the virus


Process for dissecting a computer virus:
 Look for signs of viral infection (sluggish, popup ads, home page or default search page changed, strange error messages)
 Update anti-virus signatures
 Run anti-virus and look at the report. If anything was found, was it deleted successfully?
 Look for unusual system activity and strange programs/tasks/services that are running
o Two factors can facilitate and speed up this process: experience (quickly recognizing what an unusual activity or program would look like), and a baseline of the system (knowing with certainty what the standard programs and services are, so that anything above the baseline can be considered unusual)
 Look at user and system auto load points for anything unusual
o User auto load points include Explorer/Internet Explorer browser helper objects, ActiveX controls, registry run and runonce keys, Start Up folder in the Start Menu, etc.
o System auto load points include scheduled tasks, registry run and runonce keys, services, drivers, environment variables, system startup files, etc.
o Again, both previous experience and baselines can increase the rate of success and speed of this process
 Once the virus is located, attempt to identify it through virus databases, virus reports, help forums and similar sites on the Internet
 Search the virus files for strings, import libraries (DLLs it uses) and registry keys to determine what it could possibly be doing to the system and where it could be doing it
 Decompile the virus to assembly code to identify:
o Function calls and the sequence in which they occur
o Possible information about the author (user ID, language spoken, programming language used, geographic location, computer configuration such as logical drives, OS, etc.)
o Intended users (based on the language and grammar in user messages, if any)
o Files touched, read, updated and/or created, as well as DLLs used for gaining the appropriate file permissions
o Registry keys used and information stored in the registry (load points, timestamps for last time the virus ran or the next time it should run, icons, URLs, IP addresses, etc.)
o Network DLLs, IP addresses, URLs used to upload or download data, port numbers (important for worms), and any functions to support incoming connections (which would be the case for a Trojan horse or botnet)
o User information accessed (cookies, profile paths, user ID, user name, password databases)
o Antivirus, firewall and anti-spyware signatures (common in resident viruses that avoid detection)
o Run mode (if a virus can run in MS-DOS mode, chances are it will load before the system boots, infect a Master Boot Record, or load as fake hardware driver)
o Images and icons (used by spyware, logic bombs and Trojan horses to disguise themselves as innocent files or valid system or antivirus software)
o Use this information to identify what the virus is doing, how to stop it and how to catch the bad guy who created it.
 Reverse engineer the virus to C, C++ or another high-level language if needed to customize it (be careful -- this may not be ethical nor legal!) or to create a removal tool. Compile back to object code with the compiler appropriate for that language (e.g., GCC)