I hope it's okay to re-post this. I found this excellent post that G-man wrote last April. I thought it was well worthy of a repost/review. Thanks GMan, this is a very helpful article!

Lisa K

From: Gman <gman.pctt@xxxxxxxxx>
Subject: -=PCTechTalk=- An Approach to Computer Security for the Average User
Date: Sat, 18 Apr 2009 20:37:50 -0400

I'm not necessarily looking to change anyone's approach to security here, but there are a couple of points I'd like to emphasize on how this stuff works (and sometimes doesn't). The thread on handling email attachments is what got me started here, but I just couldn't stop typing (so, it gets its own thread). ;)

Most AV scanners today have a module that can be used to scan entire email files as they download to the computer. These modules are usually turned on by default, but it's always worth checking to see for yourself whenever you install a new one or experience a significant update (like moving from a 7.x version to a newer 8.x version).

With the exception of some specialty scanners like ThreatFire (a purely heuristic scanner that doesn't use any definition files), all modern AV programs are designed to keep an eye on everything that passes through your system memory (RAM). Since nothing can run on a system without first being copied to system memory, it means that these AV apps guard your system by not allowing any bad stuff they recognize to run. In other words, the AV looks for any matches between the code being copied and their definition files as the code is being copied to RAM (before it has a chance to actually be 'run' by the OS or other program that called for it). Think of it as being similar to reading someone's speech before they ever get a chance to open their mouth and you'll better understand how this works.

In order to 'use' an attachment, the system will first have to copy it into memory. Since today's AV apps monitor that area (and read all the speeches before they're allowed to be given), it stands to reason that your system should be just as protected as your AV can make it, even if you don't take the advice of first saving it to a folder on the hard drive and scanning that before opening anything. For those who do save these items to a separate folder first, these items also have to pass through system memory on their way to their new location on the hard drive. As a result, it would appear that relying on either method should work just as well to flush out any malware trying to sneak in.

Unfortunately, there are a couple of things that can not only get in the way of fending off an incoming infection, they can also leave you with a seriously false sense of security in what your security apps can do. First, the attachment/email monitoring module is not the same tool as the one used to monitor what passes through system memory. Since it's not the 'Main' scanning engine, its creators likely did not give it anywhere near as much attention as they did to the one that looks after the entire system. More often than not, it will consume more system resources and bog down the computer a bit while it's doing its thing. All AV companies like to brag about being the best, so by default, many of these email scanners will attach their own signature at the end of everything you receive &/or send, saying something like "This message was scanned with xxxx version x.x and was certified to be free of malware before it was sent." Depending on how much email you are receiving/sending, this can also slow down email scanning even further.

The real eye opener comes when you realize that most of these email scanning modules are not set up to penetrate deep enough into compressed files to do their job properly.

If I take a virus and combine it with a real program (let's say, "elf bowling.exe") within an exe wrapper (these wrappers are the way most programs are distributed, with various support files inside them) using the same "elf bowling.exe" name & icon and send it to you, you will receive an exe file that looks like it's the 'real' program. As long as your security allows you to receive exe files as an attachment, you will not know the difference unless you investigate the file well enough to discover its hidden payload. Pretty much any email scanning module will recognize that it's a wrapper and that there are files within it that should be scanned. Assuming the virus is among those covered by your AV's definition files, you'll see alarms go off and be able to stop it before it can do your system any harm. So far, so good!

But what happens if I first encrypt the contents of that exe wrapper file and then enclose it inside a compressed Zip or RAR container? The file you get is now a .zip or .rar file with my wrapper inside it and the virus safely encrypted and hidden inside that. Assuming your email program allows these types of attachments, your email scanner might not be set up to scan inside that type of file. Or it may be set to scan Zip files but not RARs. Even if it can scan inside the type I chose to send to you, is the email scanning module smart enough to extract the files inside and REALLY take a close look at them, or will it just see an exe and give it a quick glance to make sure it seems ok enough? Remember, the virus code is encrypted and can only be brought out into the 'open' if the original .exe wrapper is 'executed'. Chances are pretty good that this virus will slide right on past your email scanner and I didn't even need to get all that creative in how I get it to you.

So what happens if I take a virus, encrypt it in a wrapper all by itself, combine that with a real program and encrypt the two of them together into another wrapper, compress it within a RAR file and then send it out? I'm almost tempted to say that NO email scanning module will ever pick it up for what it is, but since there may be one or two that will still catch it, I'll hold off on being quite that bold. lol

Am I making anyone a little nervous? Better strap yourself in 'cause there's more to cover.

Now, how long would you suspect it would take for an email scanner to process one of these nasty attachments if it were designed to do everything possible to scan extremely deep inside all attachments to make sure you're not about to become a victim of a wrapped wrapper virus like I just described? The blunt answer is 'too long'. No AV company wants to be known as being the one that sells the slowest scanner, regardless of whether you're talking about the email module or the main AV engine. As a result, these modules are limited on just how deep they can go and what steps they can take to identify whatever they find within an attachment. Limiting them like this makes the scans go faster, but it leaves a lot to be desired in the security most folks believe they provide.

Scared yet? Ok, so your AV didn't go off when my email showed up in your Inbox. You feel pretty safe, huh? You might even decide to open up the attachment within your email. The first thing that happens is your system sees that you're trying to open up a file with a .rar extension, so it looks up that extension in its registry, finds out it belongs to WinRAR (or whatever app you installed to handle RAR files) and then passes the Open command to that program. WinRAR then opens up the file and shows you that there's a single .exe file inside called "elf bowling.exe". You can easily double click on that .exe file to run it.

My question to you now is "With the computing habits you have been using up to this point, are you likely to do that?" Well, if you do, one of two things will happen. Either the virus will eventually be unwrapped within system memory (RAM) and your system's security will see it for what it really is, or it won't recognize the virus and your system will become infected. The difference doesn't lie in whether you have email scanning turned on or not. It also doesn't matter if I wrap it in a wrapping within 5 layers of additional wrapping with ALL of them encrypted. Simply put, the virus can't do anything in this case until it has come out of 'hiding'. At that point, it's completely up to your AV's main scanning engine and its definition files to recognize it and prevent it from installing itself onto your system.

The whole point I'm trying to make here is that ALL AV programs are only as good as their scanning engine and definition files. Everything else they are designed to do towards preventing system infection is nothing more than window dressing. The email scanning module uses the same definition files as the main scanner. The same can be said of instant messenger scanning modules and just about any other modules that are designed to watch specific entry points along those lines. The majority of these extras don't make you any safer than you would be if you turned them off. However, there IS a catch to all of this logic that you MUST understand.

Here's the catch. Most modern malware is designed to try to take advantage of the weakest part of every computer's security: the user. If anything can be done to get YOU to actually "agree" to the installation of the malware, none of the above matters. Of course, you would never agree if you knew what was about to be installed, but they're not going to tell you that. Instead, you might be presented with a pop-up claiming that an infection has been found on your system. Click here to download the 'fix'. If you click there, your system downloads and installs an infection instead of a fix (which you didn't need in the first place). You might be happily surfing YouTube and suddenly find yourself being told that you need a certain codec in order to view this next video. Click on the OK button to get the codec and you'll be infected (Hint: the videos at YouTube and similar sites are encoded for Flash - no extra codec is ever needed, but keep your Flash up to date 'cause malware writers will try to infect that, too). Or maybe you just go to a site you found in a Google search and simply showing up on their doorstep is enough to give the site permission to infect your system.

I will understand perfectly if you're now feeling quite nervous about what we're up against. Those of us who are more heavily involved with studying these topics know how to avoid most of these pitfalls. It all comes down to practicing safe surfing habits, having the right security in place on our systems and never letting up your guard. To put it bluntly:

1. If you see anything unexpected, question it! This includes pop-ups, a site asking for permission to do anything, even a warning that appears to be coming from your own system or security software. If you didn't expect it, look it up and see if anyone else has experienced it and how it's been handled BEFORE you respond to it. As you gain experience with these things, you'll develop the ability to separate most of the benign items from the 'still suspicious' and malicious ones.

2. Make sure you're running security apps that actually work as well as you think they do. A good security app is one that you can basically forget exists because it doesn't allow you to get infected easily, doesn't bog down or otherwise affect your use of the system and it doesn't nag the heck out of you for every little thing. The exception here would be someone like me who actually wants to be nagged the very first time something comes up, but also wants the option to tell the security app to allow that specific item from that point on (yeah, I'm funny like that lol). These apps should also be linked to the most reliable and up to date definition files possible. Don't just rely on a computer magazine or a single website to tell you what AV apps work the best. The best is the one that fulfills all of the above requirements while being able to identify and remove the most true infections without making a big fuss over lesser threats like cookies. It should remove stuff like tracking cookies with hardly a peep, but tell you when it catches a real threat trying to get in.

3. Make sure you have all of the entry points into your system covered by some form of security. Whatever apps you choose to run must be able to protect your system, not only from all of the malware out there, but also from yourself. If your browser supports them, install some known good security helpers to make it easier to spot a bad site. As an example, I restrict my web activity to Firefox (I don't use Internet Explorer) and I installed the NoScript extension to prevent the running of any scripts unless I specifically allow it for a site (it takes some getting used to, but it's the strongest browser security I have ever found). I also installed the WOT (Web Of Trust) extension to help ID bad sites (not that they can do much with NoScript installed). I have a few others installed here, but that should give you the general idea.

4. Try to resist the urge to 'overprotect' your system. Having the top two anti-malware programs installed on a system is SO much better than having 6 mediocre ones. It's very important to understand that the entire world of malware fighting is a constantly moving target. As a result, today's best rated AV, AM or other security solution might only be an afterthought six months from now. Keep up on the changes as best you can and try your best to stay as far ahead of the threats as possible.

5. Learn how to set up & control the security you choose to install so well that you KNOW how well you're protected. Once you take the guessing out of it, you will know exactly what types of activity must be avoided, which activities will need to be done carefully and what you're absolutely free to do.

6. Finally, keep your most important stuff backed up somewhere other than your hard drive, just in case. No plan is foolproof and they're just going to keep making better fools anyway.

What to do if something gets through:

Assuming you can still get online after realizing you 'caught something', there are always ways to get help with an infection if you are unable to handle it yourself. There are numerous forums set up specifically to help if something should ever sneak past your security. There are more online scanners available than ever to help confirm and give a name to most infections. Once you know the name of the infection, there are lots of AV sites that have small downloadable 'remover' files for handling specific infections. Even if you can't get to the site on your own system, you can download the fix on a friend or neighbor's system, toss it onto a USB stick and 'take it to the patient'. Google is also your friend here. If you get ANY type of warning, error message, pop-up, etc., write down everything you can see exactly as it appears and then Google those phrases with quotes around them. You'll be surprised at how much info there is on just about everything when you narrow down your search like that. In most cases, directions to the 'fix' will be among the top two or three hits the search produces.

Peace,
Gman
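Gman's central point is that an email scanner with a depth limit, or one that meets an encrypted entry it cannot open, will go quiet, and "no alarm" then gets mistaken for "clean". The toy scanner below is an added example, not Gman's code or any AV product's: it descends nested zip containers up to a configurable depth, flags what it could not inspect as UNSCANNED instead of passing it, and never rates an attachment CLEAN unless every layer was actually looked at. The signature, the sample "elf bowling.exe" payload and the `mark_encrypted` test helper are all constructed for the demonstration.

```python
"""Toy attachment scanner (constructed example): a scan-depth limit or an
encrypted archive entry must be reported, never silently passed as clean."""
import io
import zipfile

# Constructed byte pattern standing in for one entry in an AV definition file.
SIGNATURES = {b"CONSTRUCTED-MALWARE-MARKER": "Test.Marker"}

def scan_bytes(name, data, depth=0, max_depth=2):
    """Return [(path, verdict)] for one blob, descending into zip containers."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        hits = [lbl for sig, lbl in SIGNATURES.items() if sig in data]
        return [(name, f"DETECTED:{hits[0]}" if hits else "CLEAN")]
    if depth >= max_depth:
        # A scanner that quietly stops here is what makes "no alarm" misleading.
        return [(name, "UNSCANNED:depth-limit")]
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                results.append((path, "UNSCANNED:encrypted"))
            else:
                results += scan_bytes(path, zf.read(info), depth + 1, max_depth)
    return results

def verdict(results):
    """Anything the scanner could not actually inspect is not 'clean'."""
    kinds = {v.split(":")[0] for _, v in results}
    if "DETECTED" in kinds:
        return "DETECTED"
    return "SUSPICIOUS" if "UNSCANNED" in kinds else "CLEAN"

def build_nested(payload, layers, inner_name="elf bowling.exe"):
    """Constructed sample: wrap payload in `layers` nested zip containers."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name if i == 0 else f"layer{i}.zip", data)
        data = buf.getvalue()
    return data

def mark_encrypted(zip_bytes):
    """Test scaffolding only: set the 'encrypted' flag bit in every local and
    central header so the scanner treats the archive like a password-protected one."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 1)
    return bytes(buf)
```

With the default `max_depth=2`, a payload wrapped three layers deep comes back SUSPICIOUS rather than CLEAN, which is the policy difference the post argues most email modules get wrong.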