-=PCTechTalk=- Re-post:An Approach to Computer Security for the Average User

  • From: "matrix.afghanz" <matrix.afghanz@xxxxxxxxxxx>
  • To: <pctechtalk@xxxxxxxxxxxxx>
  • Date: Tue, 01 Sep 2009 13:43:38 -0700

I hope it's okay to re-post this. 
I found this excellent post that G-man wrote last April. 
I thought it was well worthy of a repost/review. Thanks GMan, this is a very 
helpful article!
Lisa K
From: Gman <gman.pctt@xxxxxxxxx>
Subject: -=PCTechTalk=- An Approach to Computer Security for the Average User
Date: Sat, 18 Apr 2009 20:37:50 -0400

I'm not necessarily looking to change anyone's approach to security here, 
but there are a couple of points I'd like to emphasize on how this stuff 
works (and sometimes doesn't).  The thread on handling email attachments is 
what got me started here, but I just couldn't stop typing (so, it gets its 
own thread).         ;)
Most AV scanners today have a module that can be used to scan entire email 
files as they download to the computer.  These modules are usually turned on 
by default, but it's always worth checking to see for yourself whenever you 
install a new one or experience a significant update (like moving from a 7.x 
version to a newer 8.x version).

With the exception of some specialty scanners like ThreatFire (a purely 
heuristic scanner that doesn't use any definition files), all modern AV 
programs are designed to keep an eye on everything that passes through your 
system memory (RAM).  Since nothing can run on a system without first being 
copied to system memory, it means that these AV apps guard your system by 
not allowing any bad stuff they recognize to run.  In other words, the AV 
looks for any matches between the code being copied and their definition 
files as the code is being copied to RAM (before it has a chance to actually 
be 'run' by the OS or other program that called for it).  Think of it as 
being similar to reading someone's speech before they ever get a chance to 
open their mouth and you'll better understand how this works.

In order to 'use' an attachment, the system will first have to copy it into 
memory.  Since today's AV apps monitor that area (and read all the speeches 
before they're allowed to be given), it stands to reason that your system 
should be just as protected as your AV can make it, even if you don't take 
the advice of first saving it to a folder on the hard drive and scanning 
that before opening anything.  For those who do save these items to a 
separate folder first, these items also have to pass through system memory 
on their way to their new location on the hard drive.  As a result, it would 
appear that relying on either method should work just as well to flush out 
any malware trying to sneak in.

Unfortunately, there are a couple of things that can not only get in the way 
of fending off an incoming infection, they can also leave you with a 
seriously false sense of security in what your security apps can do.

First, the attachment/email monitoring module is not the same tool as the 
one used to monitor what passes through system memory.  Since it's not the 
'Main' scanning engine, its creators likely did not give it anywhere near as 
much attention as they did to the one that looks after the entire system. 
More often than not, it will consume more system resources and bog down the 
computer a bit while it's doing its thing.  All AV companies like to brag 
about being the best, so by default, many of these email scanners will 
attach their own signature at the end of everything you receive &/or send, 
saying something like "This message was scanned with xxxx version x.x and 
was certified to be free of malware before it was sent."  Depending on how 
much email you are receiving/sending, this can also slow down email scanning 
even further.


The real eye opener comes when you realize that most of these email scanning 
modules are not set up to penetrate deep enough into compressed files to do 
their job properly.  If I take a virus and combine it with a real program 
(let's say, "elf bowling.exe") within an exe wrapper (these wrappers are the 
way most programs are distributed, with various support files inside them) 
using the same "elf bowling.exe" name & icon and send it to you, you will 
receive an exe file that looks like it's the 'real' program.  As long as 
your security allows you to receive exe files as an attachment, you will not 
know the difference unless you investigate the file well enough to discover 
its hidden payload.  Pretty much any email scanning module will recognize 
that it's a wrapper and that there are files within it that should be 
scanned.  Assuming the virus is among those covered by your AV's definition 
files, you'll see alarms go off and be able to stop it before it can do your 
system any harm.  So far, so good!

But what happens if I first encrypt the contents of that exe wrapper file 
and then enclose it inside a compressed Zip or RAR container?  The file you 
get is now a .zip or .rar file with my wrapper inside it and the virus 
safely encrypted and hidden inside that.  Assuming your email program allows 
these types of attachments, your email scanner might not be set up to scan 
inside that type of file.  Or it may be set to scan Zip files but not RARs. 
Even if it can scan inside the type I chose to send to you, is the email 
scanning module smart enough to extract the files inside and REALLY take a 
close look at them, or will it just see an exe and give it a quick glance to 
make sure it seems ok enough?  Remember, the virus code is encrypted and can 
only be brought out into the 'open' if the original .exe wrapper is 
'executed'.  Chances are pretty good that this virus will slide right on 
past your email scanner and I didn't even need to get all that creative in 
how I get it to you.  So what happens if I take a virus, encrypt it in a 
wrapper all by itself, combine that with a real program and encrypt the two 
of them together into another wrapper, compress it within a RAR file and 
then send it out?  I'm almost tempted to say that NO email scanning module 
will ever pick it up for what it is, but since there may be one or two that 
will still catch it, I'll hold off on being quite that bold.       lol

Am I making anyone a little nervous?  Better strap yourself in cause there's 
more to cover.

Now, how long would you suspect it would take for an email scanner to 
process one of these nasty attachments if it were designed to do everything 
possible to scan extremely deep inside all attachments to make sure you're 
not about to become a victim of a wrapped wrapper virus like I just 
described?  The blunt answer is 'too long'.  No AV company wants to be known 
as being the one that sells the slowest scanner, regardless of whether 
you're talking about the email module or the main AV engine.  As a result, 
these modules are limited on just how deep they can go and what steps they 
can take to identify whatever they find within an attachment.  Limiting them 
like this makes the scans go faster, but it leaves a lot to be desired in 
the security most folks believe they provide.

Scared yet?

Ok, so your AV didn't go off when my email showed up in your Inbox.  You 
feel pretty safe, huh?  You might even decide to open up the attachment 
within your email.  The first thing that happens is your system sees that 
you're trying to open up a file with a .rar extension, so it looks up that 
extension in its registry, finds out it belongs to WinRAR (or whatever app 
you installed to handle RAR files) and then passes the Open command to that 
program.  WinRAR then opens up the file and shows you that there's a single 
.exe file inside called "elf bowling.exe".  You can easily double click on 
that .exe file to run it.  My question to you now is "With the computing 
habits you have been using up to this point, are you likely to do that?"

Well, if you do, one of two things will happen.  Either the virus will 
eventually be unwrapped within system memory (RAM) and your system's 
security will see it for what it really is, or it won't recognize the virus 
and your system will become infected.  The difference doesn't lie in whether 
you have email scanning turned on or not.  It also doesn't matter if I wrap 
it in a wrapping within 5 layers of additional wrapping with ALL of them 
encrypted.  Simply put, the virus can't do anything in this case until it 
has come out of 'hiding'.  At that point, it's completely up to your AV's 
main scanning engine and its definition files to recognize it and prevent it 
from installing itself onto your system.

The whole point I'm trying to make here is that ALL AV programs are only as 
good as their scanning engine and definition files.  Everything else they 
are designed to do towards preventing system infection is nothing more than 
window dressing.  The email scanning module uses the same definition files 
as the main scanner.  The same can be said of instant messenger scanning 
modules and just about any other modules that are designed to watch specific 
entry points along those lines.  The majority of these extras don't make you 
any safer than you would be if you turned them off.  However, there IS a 
catch to all of this logic that you MUST understand.

Here's the catch.  Most modern malware are designed to try to take advantage 
of the weakest part of every computer's security, the user.  If anything can 
be done to get YOU to actually "agree" to the installation of the malware, 
none of the above matters.  Of course, you would never agree if you knew 
what was about to be installed, but they're not going to tell you that. 
Instead, you might be presented with a pop-up claiming that an infection has 
been found on your system.  Click here to download the 'fix'.  If you click 
there, your system downloads and installs an infection instead of a fix 
(which you didn't need in the first place).  You might be happily surfing 
YouTube and suddenly find yourself being told that you need a certain codec 
in order to view this next video.  Click on the OK button to get the codec 
and you'll be infected (Hint: the videos at YouTube and similar sites are 
encoded for Flash - no extra codec is ever needed, but keep your Flash up to 
date cause malware writers will try to infect that, too).  Or maybe you just 
go to a site you found in a Google search and simply showing up on their 
doorstep is enough to give the site permission to infect your system.

I will understand perfectly if you're now feeling quite nervous about what 
we're up against.  Those of us who are more heavily involved with studying 
these topics know how to avoid most of these pitfalls.  It all comes down to 
practicing safe surfing habits, having the right security in place on our 
systems and never letting up your guard.

To put it bluntly:
1.    If you see anything unexpected, question it!  This includes pop-ups, a 
site asking for permission to do anything, even a warning that appears to be 
coming from your own system or security software.  If you didn't expect it, 
look it up and see if anyone else has experienced it and how it's been 
handled BEFORE you respond to it.  As you gain experience with these things, 
you'll develop the ability to separate most of the benign items from the 
'still suspicious' and malicious ones.

2.    Make sure you're running security apps that actually work as well as 
you think they do.  A good security app is one that you can basically forget 
exists because it doesn't allow you to get infected easily, doesn't bog down 
or otherwise affect your use of the system and it doesn't nag the heck out 
of you for every little thing.  The exception here would be someone like me 
who actually wants to be nagged the very first time something comes up, but 
also wants the option to tell the security app to allow that specific item 
from that point on (yeah, I'm funny like that   lol).  These apps should 
also be linked to the most reliable and up to date definition files 
possible.  Don't just rely on a computer magazine or a single website to 
tell you what AV apps work the best.  The best is the one that fulfills all 
of the above requirements while being able to identify and remove the most 
true infections without making a big fuss over lesser threats like cookies. 
It should remove stuff like tracking cookies with hardly a peep, but tell 
you when it catches a real threat trying to get in.

3.    Make sure you have all of the entry points into your system covered by 
some form of security.  Whatever apps you choose to run must be able to 
protect your system, not only from all of the malware out there, but also 
from yourself.  If your browser supports them, install some known good 
security helpers to make it easier to spot a bad site.  As an example, I 
restrict my web activity to Firefox (I don't use Internet Explorer) and I 
installed the NoScript extension to prevent the running of any scripts 
unless I specifically allow it for a site (it takes some getting used to, 
but it's the strongest browser security I have ever found).  I also 
installed the WOT (Web Of Trust) extension to help ID bad sites (not that 
they can do much with NoScript installed).  I have a few others installed 
here, but that should give you the general idea.

4.    Try to resist the urge to 'overprotect' your system.  Having the top 
two anti-malware programs installed on a system is SO much better than 
having 6 mediocre ones.  It's very important to understand that the entire 
world of malware fighting is a constantly moving target.  As a result, 
today's best rated AV, AM or other security solution might only be an 
afterthought six months from now.  Keep up on the changes as best you can 
and try your best to stay as far ahead of the threats as possible.

5.    Learn how to set up & control the security you choose to install so 
well that you KNOW how well you're protected.  Once you take the guessing 
out of it, you will know exactly what types of activity must be avoided, 
which activities will need to be done carefully and what you're absolutely 
free to do.

6.    Finally, keep your most important stuff backed up somewhere other than 
your hard drive, just in case.  No plan is foolproof and they're just going 
to keep making better fools anyway.


What to do if something gets through:
Assuming you can still get online after realizing you 'caught something', 
there are always ways to get help with an infection if you are unable to 
handle it yourself.  There are numerous forums set up specifically to help 
if something should ever sneak past your security.  There are more online 
scanners available than ever to help confirm and give a name to most 
infections.  Once you know the name of the infection, there are lots of AV 
sites that have small downloadable 'remover' files for handling specific 
infections.  Even if you can't get to the site on your own system, you can 
download the fix on a friend or neighbor's system, toss it onto a USB stick 
and 'take it to the patient'.  Google is also your friend here.  If you get 
ANY type of warning, error message, pop-up, etc., write down everything you 
can see exactly as it appears and then Google those phrases with quotes 
around them.  You'll be surprised at how much info there is on just about 
everything when you narrow down your search like that.  In most cases, 
directions to the 'fix' will be among the top two or three hits the search 
produces.



Peace,
Gman
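The "wrapped wrapper" scenario from Gman's post, as an added example that is not part of the original message and not any AV vendor's code. The script below is a toy model written for this page: a zip container stands in for RAR (Python's standard library can write zip but not RAR), XOR with a hypothetical key stands in for the wrapper's encryption, the EICAR test string stands in for the virus, and the "email scanning module" is a recursive container scan with an assumed depth budget. It shows the three outcomes the post describes: a shallow scan gives up before reaching the executable, a deep scan reaches it but finds nothing to match because the body is packed, and the signature only appears once the wrapper is "executed" and the payload is unpacked, which is the point at which the main engine gets its chance.

```python
"""Added example: why a depth-limited container scan and a packed ('encrypted')
wrapper defeat signature matching until the payload is unpacked at run time.
Zip stands in for RAR and XOR for real encryption (both assumptions)."""
import io
import zipfile

# EICAR test string: the standard, harmless file that AV definitions flag on sight.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}  # stands in for an AV definition file

XOR_KEY = 0x5A  # hypothetical packer key; a stand-in for the wrapper's 'encryption'
# Toy wrapper stub: an MZ header so it looks like an executable, then the packed body.
STUB = b"MZ" + b"\x00" * 62 + b"STUB:decrypt-and-run\n"


def signature_scan(data: bytes) -> list:
    """Static definition lookup over raw bytes, as both the main engine and the
    email module do."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def build_wrapper(payload: bytes) -> bytes:
    """Build the 'exe wrapper': stub + XOR-obfuscated payload.  Nothing in the
    output matches the payload's signature."""
    return STUB + bytes(b ^ XOR_KEY for b in payload)


def unpack_wrapper(wrapper: bytes) -> bytes:
    """Simulate the wrapper being executed: the payload appears in the clear,
    which is the moment the main engine can recognize it."""
    if not wrapper.startswith(STUB):
        raise ValueError("not a wrapper")
    return bytes(b ^ XOR_KEY for b in wrapper[len(STUB):])


def zip_bytes(entry_name: str, data: bytes) -> bytes:
    """Return a single-entry zip archive held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, data)
    return buf.getvalue()


def nest(data: bytes, inner_name: str, layers: int) -> bytes:
    """Put data inside `layers` nested containers: the 'wrapped wrapper'."""
    for i in range(layers):
        data = zip_bytes(inner_name if i == 0 else f"layer{i}.zip", data)
    return data


def scan_attachment(data: bytes, max_depth: int, depth: int = 0) -> dict:
    """Recursive container scan with a depth budget, like an email scanning
    module.  Counts signature hits, executables spotted by magic bytes, and
    anything it could not look inside (too deep, or a password-protected entry)."""
    result = {"hits": signature_scan(data),
              "executables": 1 if data.startswith(b"MZ") else 0,
              "unexpanded": 0}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    if depth >= max_depth:            # depth budget exhausted: give up on this container
        result["unexpanded"] += 1
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted entry: cannot be read without the password
                result["unexpanded"] += 1
                continue
            inner = scan_attachment(zf.read(info), max_depth, depth + 1)
            for key in result:
                result[key] += inner[key]
    return result


def demo() -> tuple:
    """Returns (shallow scan, deep scan, what the main engine sees at run time)."""
    wrapper = build_wrapper(EICAR)
    attachment = nest(wrapper, "elf bowling.exe", layers=3)
    shallow = scan_attachment(attachment, max_depth=1)   # stops at the second container
    deep = scan_attachment(attachment, max_depth=10)     # reaches the exe, sees no signature
    runtime = signature_scan(unpack_wrapper(wrapper))    # payload in the clear: caught
    return shallow, deep, runtime


if __name__ == "__main__":
    for label, value in zip(("shallow", "deep", "runtime"), demo()):
        print(f"{label}: {value}")
```

Run it with `python3` and compare the three lines: the shallow scan reports one container it never opened, the deep scan reports an executable but no signature hit, and only the "runtime" result names the payload. The practical reading is the one the post gives: an archive-aware attachment scanner can at best tell you that an executable is in there, which is reason enough to refuse it, and the detection that matters happens when the code is unpacked and the main engine's definitions see it.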

---------------------------------------------------------------
Please remember to trim your replies (including this sentence and everything 
below it) and adjust the subject line as necessary.

To subscribe, unsubscribe or modify your email settings:
//www.freelists.org/webpage/pctechtalk
OR
To subscribe to the mailing list, send an email to 
pctechtalk-request@xxxxxxxxxxxxx with "subscribe" in the Subject. To 
unsubscribe send email to pctechtalk-request@xxxxxxxxxxxxx with "unsubscribe" 
in the Subject.

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
//www.freelists.org/archives/pctechtalk/

To contact only the PCTT Mod Squad, write to:
pctechtalk-moderators@xxxxxxxxxxxxx

To join our separate PCTableTalk off-topic group, send a blank email to:
pctabletalk+subscribe@xxxxxxxxxxxxxxxx
---------------------------------------------------------------