Computer Security - Act now!
3 critical Windows security vulnerabilities - and stopping pop-up ads
11 August 2003
(This is something of an archeological dig site with various layers of computer security advice - the most recent on top.)
I am sending this to friends who I think run computers with the Windows operating system. Sorry there's no time now for a personal Hello. There's no short version of this - it's all important. The latest version of this email is at:
http://www.firstpr.com.au/security/
This message contains information on three critical security vulnerabilities which should be fixed in all Windows computers which are even occasionally connected to the Internet. Not doing so will probably or almost certainly lead to infection by a virus/worm. I also discuss how to stop the Windows vulnerability to pop-up ads.
Computer security involves effort on the part of all computer owners. The nature of complex software is that it can be effectively secure until someone discovers a vulnerability which was there all along. Once malicious people write virus/worm programs to exploit the vulnerability, the software is *completely* insecure. So your Windows machines were perfectly secure from a practical point of view before these vulnerabilities were discovered. Now that the vulnerabilities have been discovered, your systems are vulnerable to attack unless and until you take steps to update the software. It's a pain, but it's a responsibility which must be borne, because a hacked computer connected to the Net will attack other machines. Also, no matter how much of a pain it is, it's better to prevent attacks than to have to clean up after an attack as well.
1 - Buffer Overrun In RPC Interface
A vulnerability in all current Windows operating systems was discovered in mid July, which enables the machine to be controlled by an attacker who simply sends a packet to the computer via the Net. This is not related to email, and would not be affected by traditional anti-virus software. It was only a matter of time before virus/worm writers exploited this vulnerability, and now there is at least one such worm doing the rounds. I fixed the vulnerability on one of my Windows PCs but not the other - and the second one was hacked.
A hacked computer will at a minimum launch attacks against other computers - and it's everyone's responsibility not to allow this to occur. But it also gives control to other people, who can read or write files, run programs as they like and - if they choose to do so - read and export private information or delete everything. The currently active worm just launches further attacks and may be able to form part of a distributed denial of service attack, where millions of computers are co-ordinated by someone to send packets to overload one or more Internet computers.
If you regularly update your Windows operating system - which means you are a Microsoft customer using Windows Update - then your system is probably no longer vulnerable. If your ISP filters out the kinds of packets which are used in this attack, then you may be safe as well - but I don't know how to tell whether an ISP does this, and one should never rely on an outside system for the security of the computer.
So unless you have a totally updated Windows system, read on, because if you don't do this now, you will have to soon - and you will probably be hacked in the meantime, if you haven't already been hacked.
Being hacked with the current worm - msblast.exe - has no immediately obvious consequences other than perhaps your modem's outgoing data LED flashing as it sends out attack packets to random addresses.
Below is information on fixing the vulnerability, finding out if your machine has been attacked - at least by msblast.exe (there could be any number of new worms in the near future) - and getting rid of msblast.exe.
There are two other critical vulnerabilities which affect MS Internet Explorer - which likewise can give an attacker control of your computer if you receive a malicious email or view a malicious web site. I mention these later.
On 16 July 2003 (in North America) Microsoft released a patch (software to fix the problem) and a workaround (configuration changes to disable the "feature" which has the problem) for a "critical" security vulnerability which affects most Windows computers.
If your machine runs one of the following operating systems, and you connect it to the Internet, then you should take action to ensure your machine's vulnerability is fixed. This is not just for your benefit, but for everyone else's, since a hacked computer on the Net will launch attacks on other computers.
Windows 2000
Windows XP
Windows Server 2003
Windows NT
But read on for problems which also affect Windows 98/ME.
The Microsoft page for this is:
http://microsoft.com/technet/security/bulletin/MS03-026.asp
The Polish outfit "The Last Stage of Delirium Research Group", who found the vulnerability and reported it to Microsoft, publicly announced their discovery only after Microsoft released a patch. Their site is:
http://lsd-pl.net
The CERT advisories for this vulnerability are:
http://www.cert.org/advisories/CA-2003-16.html
http://www.cert.org/advisories/CA-2003-19.html
http://www.cert.org/advisories/CA-2003-20.html
The vulnerability means that a carefully constructed packet sent to the computer (from anywhere in the world, typically a computer which has already been attacked successfully) can give the attacker full control of the machine.
This has nothing to do with email, what browser you use, anti-virus software etc. Just having your computer dialled into the Net by any means at all makes it vulnerable to attack (unless the ISP filters the packets, or your Windows operating system has been appropriately updated or configured). Initially, you would not necessarily realise that your computer has been hacked.
The vulnerability is with a "feature" of Windows called DCOM which uses RPC (Remote Procedure Call), which enables one computer to run programs on another. Most people don't need this, and the Microsoft page has instructions on how to disable it, which is probably the easiest way of fixing the vulnerability.
Another way to fix it is to download and run a patch from the above Microsoft page. For Windows 2000, this is a 0.9 Megabyte file, but it can only be run if you have already run Service Pack 3 or 4 on your machine. So to deal with this problem, and many others, probably the best thing is to download and install Service Pack 4. Unfortunately, this is 132 Megabytes, which is impractical for anyone with a dial-up modem. That is found at:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/
If you don't want to, or can't do this, then probably the best thing to do is follow the "Run Dcomcnfg.exe" workaround instructions on the Microsoft page first mentioned above, which means using Start > Run and typing in "Dcomcnfg.exe" to run this program and then following the instructions on the page. This disables the DCOM feature, which you almost certainly don't need.
The msblast.exe (W32/Blaster) worm is the subject of this CERT advisory on 11 August 2003:
http://www.cert.org/advisories/CA-2003-20.html
This links to two pages which describe how to get rid of msblast.exe and make sure it does not run again:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
To see whether your computer has been hacked by this worm, run the "regedit" program (Start > Run > type "regedit" and click OK) and then navigate the registry (a huge gobbledegook database of stuff on which your computer depends - do NOT alter anything unless you know what you are doing!) to find the section:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If msblast.exe has hacked your machine, there will be a line there:
"windows auto update"="msblast.exe"
This causes the worm to run at system startup - so delete this line.
To stop the running program, press the keys Ctrl, Alt and Del at the same time and release them. Select the "Task Manager" option and look for the line with "msblast.exe" in it. Select that and end that process. Close the Task Manager and try again to make sure it is gone.
To get rid of the msblast.exe file itself, you need to find it first. On my hacked Windows XP machine, I used Start > Search and found it at:
C:\WINDOWS\system32\msblast.exe
Right clicking this line in the search results enabled me to delete it.
I also found a file:
C:\WINDOWS\Prefetch\MSBLAST.EXE-09FF84F2.pf
I don't know what this is about, but I deleted it too. Then I emptied the "Recycle Bin" to really get rid of them.
Assuming that msblast.exe has not installed any other software, such as a backdoor program, then once the patches are installed (or the RPC system turned off) there should be no further trouble.
There will no doubt be more such worms. Any such worm could, and probably would, do some or all of the following:
1 - Enable a hacker to control your machine remotely, at any time in the future - by installing a "backdoor" program. This includes the ability to read and write files, run programs, and search your computer for passwords, email addresses, credit card details etc. See http://www.cert.org/advisories/CA-2003-19.html - which says that some exploits for this vulnerability do install a backdoor.
2 - Therefore, your computer could be used to launch attacks on other computers, including "distributed denial of service" attacks where an attacker builds up a global network of hacked computers and can make them all fire packets at some computer he or she does not like, overloading it with traffic and therefore partially or completely disabling it. (Analysis of msblast.exe indicates it is ready to launch a distributed denial of service attack to overload the Microsoft site windowsupdate.com.)
3 - Also, computer viruses have recently been used to install software which makes the hacked computer part of a "porn" network, making it a web server (or at least a web proxy) for serving "porn" to people all over the world.
4 - Likewise, spammers have been using hacked computers to send spam.
5 - Cause loss of your data, divulging of your data to other people, infection of program files and so much damage that it is difficult or impossible to recover from except by formatting the hard drive and installing the operating system again (this time with the security patches!) and all the application software as well.
There is absolutely no "safety in numbers" - the idea that you are safe because a hundred million people are also ignoring the need to fix this vulnerability in their computer. The number of vulnerable computers just makes it worse.
2 - Buffer Overflow in Microsoft Windows HTML Conversion Library
There is a second recently announced vulnerability which should be fixed:
http://microsoft.com/technet/security/bulletin/MS03-023.asp
http://www.cert.org/advisories/CA-2003-14.html
This affects all the abovementioned versions of Windows, plus:
Windows 98
Windows 98 Second Edition
Windows Me
There are workarounds and patches for machines which have a recent service pack installed.
My understanding of this one is that a specially crafted HTML email, or web page, will crash the vulnerable program and give control of the machine to the computer code in that email or page. So simply getting email (in any email program such as Outlook Express or Eudora which uses Microsoft Internet Explorer to view the HTML) could mean your computer is hacked.
Likewise, if you look at a web site on a malicious or hacked web site (such as if an email tempts you to click a link) then your machine would be hacked as well.
Normally, one would think that a web site would never have such malicious stuff on it, but many servers run on Windows machines (actually most run on Linux or Unix, because Windows sucks) and these machines could be hacked. Also, any computer - including home and some office computers - can be made into a web server in a second or so if it is hacked, which is what the "porn" sellers have been doing.
Outlook Express is a can of worms - it has so many security problems that I think it is nuts to run it. If you insist on running it, then you should keep up with all the security updates such as:
http://office.microsoft.com/Downloads/2000/Out2ksec.aspx
One friend of mine installed it on his computer and within less than an hour of having it dialled into the Net, it was hacked (by an email virus I guess), with his machine sending out virus emails to all the addresses in his address book.
Outlook Express (Eudora was, and may still be, as bad) and related software is terribly written. For instance, when it reads an HTML email, it asks Internet Explorer to display the email. This is fine. The email has an element which is supposedly (according to its MIME type) a .wav file - an audio file. Internet Explorer doesn't know how to play that file, so it runs Windows Media Player to do the job. Media Player looks at the file and decides it is not in the proper .wav format. That is where the story should end - but this Microsoft software is written with such a love of smarty-pants "features" and such disregard for security that Media Player has a further look at the file, decides it is a ".exe" executable, and then automatically, without asking, "helpfully" *runs* the thing! The so-called .wav file is, of course, the virus executable - so from that moment on, the computer is hacked.
I never use Kazaa, Outlook, Outlook Express etc. I only use Internet Explorer when a web site is so badly written that it won't work on a decent browser such as Netscape. I do a *lot* of email and run my computers all day on the Net. I don't use anti-virus software and my Windows computers don't get viruses (with the exception of just now when I knew that one of my machines was in need of updating, because I had just installed the operating system, and it was hacked by msblast.exe before I did the update).
3 - Integer Overflows in Microsoft Windows DirectX MIDI Library
The third vulnerability which needs to be patched is mentioned here:
http://microsoft.com/technet/security/bulletin/MS03-030.asp
http://www.cert.org/advisories/CA-2003-18.html
This is similar to the second vulnerability, but allows a maliciously crafted MIDI (music instructions - plays a tune) file to gain control of the machine. From then, it's the same as the others - the attack installs a worm to attack other machines. Like the second one, this is spread via email and web sites. The Microsoft page above leads to patches for all the various operating systems - and the CERT page has some workarounds for disabling the interpretation of MIDI files. Either approach should protect your computer, but the patch is the more substantial way to do it.
This affects Windows 98/ME etc. as well. The patch for Windows 98 is a small program which then does a 10.6 Meg download from Microsoft - so allow an hour or so for that via a dialup modem.
4 - Those damn Pop-Up ads
Windows has a deliberate misfeature which causes the computer to create an annoying "Messenger Service" window simply by receiving a packet from any other computer - such as any computer on the Net. Only the featuritis-addicted people at Microsoft would think that it is a good idea to have such a thing turned on by default.
There's a bunch of stuff on the Net about popups, but this is an early page which I used to halt the problem on my Windows 2000 machine:
http://www.mynetwatchman.com/kb/security/articles/popupspam/
This has simple instructions on how to turn off the Messenger Service for both Windows 2000 and Windows XP. There is no disadvantage whatsoever in turning off this dumb "feature". Here is my version of the XP instructions:
* Right-click: 'My Computer' icon and select 'Manage'
* Open (press the +) Services and Applications
* Open (click) Services
* Scroll downwards in the right pane until you can see "Messenger".
* Open (click) 'Messenger' Service
* Click: Stop button (It is to the left of the right column.)
* Change 'Startup Type' to DISABLE (Double click the "Messenger" item and in the General tab, use the pulldown list for "Startup type" and set it to "Disable".)
* Click OK to close everything.
5 - A better browser, not running executable programs etc.
Microsoft software is best avoided. Unfortunately, due to inertia, Windows is the only operating system which supports the majority of all software someone might want to run on a desktop computer. (For servers, it's totally different - Windows is a far inferior approach compared to Unix/Linux.) Microsoft Internet Explorer has security problems (such as those mentioned above), and it has a really lousy bookmark system.
I use Netscape - version 7.1 has just been released - for browsing (it has a vastly better bookmark facility), email and for web page editing. (Unfortunately its printing is bad when a graphic image straddles a page boundary, and it has no "Black text" option either, so I still use Netscape 4.77 for some printing. Also, this latest version of Netscape does not allow for unsorted (= manually ordered) bookmarks after you sort them.)
The "offline installer" at:
http://channels.netscape.com/ns/browsers/download.jsp
is 29 Megs. This is a single file to install the program entirely, rather than the other approaches of installing it in dribs and drabs whilst connected to the Net. I have my own spam and virus filtering arrangement on my server, so I turn off the Junk mail detection system in Netscape 7.1 via Tools > Junk mail controls.
I use Netscape 7.1 for email and Web browsing - only using Microsoft Internet Explorer to view those sites which violate proper standards (such as using "\" for directory signifiers in their links) and so which do not work with Netscape.
(See also my rough page on configuring Netscape / Mozilla - mainly its mail functions, with a special emphasis on IMAP: ../web-mail/Mozilla-mail/ )
*Never* send anyone an executable program by email - or run one you receive by email. How do they, or you, know the program is not a virus, or that it was really sent by the person, rather than a virus? An executable program has complete control of your computer, so it can do all the things a virus does - though it will generally pretend to be benign. This is how Trojan Horse programs work - they do something seemingly innocuous, but also do malicious things, such as all those listed above for viruses.
If you don't know how to spot a Windows executable program, I don't blame you - neither do I! In Windows, any file with one of the following filename extensions may be an executable program:
exe com vbs vbe dll ocx cmd bat pif lnk hlp msi msp reg sct inf asd cab shs shb scr cpl chm wsf wsh wsc hta vcd vcf
(This is based on the config file of the anti-virus Anomy Sanitizer, see: http://www.firstpr.com.au/web-mail/Postfix-SA-Anomy-Maildrop/ - that list also includes "eml and nws" but I don't think these are executable.)
Worse still, the default configuration of Windows makes it impossible to see the true nature of a file in an email attachment. The default is for Windows to "hide the extension of known file types" - and all these executable formats are known file types. This affects what you see in directory listings in Windows Explorer, but it also affects the display of attachment file names in Outlook Express. For instance, the viral payload is an attachment consisting of an executable program:
PrettyGirls.JPG.exe
and since ".exe" is a known extension, it is hidden, and you see it as
PrettyGirls.JPG
So by clicking this you think you are going to view a safe graphics file, but you are actually installing the virus on your computer!
I advise against running Outlook (Express) - it has such a bad record of security vulnerabilities. If you insist on using it, then please at least fix this hiding of file name extensions, by running Windows Explorer (on Windows 2000 it is at Start > Programs > Accessories) and then from the Tools menu > Folder Options > View, un-check the box for "Hide file extensions for known file types". Then click "Like Current Folder" to make this the default.
I keep up with the latest computer security developments via the BugTraq mailing list, at http://www.securityfocus.com . Often, as with the main vulnerability mentioned above, BugTraq is the first public announcement.
Pass this message on to other people if you like, but *only* after you have followed the links to the above pages to satisfy yourself that what is in this message is valid. It may be best just to pass on the URL of its web version:
http://www.firstpr.com.au/security/
*Never* simply forward an email because the email says you should! That is a chain letter, and it is a common thing for virus hoaxes to spread like this. Some such hoaxes have been doing the rounds since 1996. If you get such a message - and they usually don't refer to any authoritative web site as proof of the claim - then don't send it to anyone unless you have some independent way of knowing it is valid, in which case you should include that validation in the email you send. There are hundreds of virus hoaxes listed at sites such as:
http://www.vmyths.com
http://vil.mcafee.com/hoax.asp
http://www.symantec.com/avcenter/hoax.html
{2009-02-20: I did have this link: http://hoaxbusters.ciac.org but that is dead and someone kindly suggested this: http://www.mimosasystems.com/articles/how-to-avoid-trojans-in-your-email.html as a replacement.}
I will post any updates to this message at:
http://www.firstpr.com.au/security/
- Robin
Robin Whittle 21 - 24 September 2001
Beyond securing my own computer systems, I am not a security expert. This page is to help people who know less about computer security than I do. Commonly used programs such as many widely installed versions of Microsoft Internet Explorer (MSIE) and Outlook Express have such security vulnerabilities that your computer will probably be infected (with you losing data, infecting other computers, and probably having to reformat your hard drive and install everything again) unless you take action to protect your machine.
There is no "safety in numbers" - the idea that because you are doing what most people are doing (running Microsoft programs without any changes) you are safe.
Update 22 - 24 September 2001:
Microsoft has a page http://www.microsoft.com/technet/security/topics/Nimda.asp dedicated to the Nimda worm/virus. This is presumably more useful and authoritative than the information below, but it may not apply to earlier versions of Internet Explorer.
The information provided below is not complete or authoritative. Please consider the Microsoft page and those pages linked to below as being more authoritative than this one. I put this page together quickly in an effort to help people - but as time goes by, other pages may be more helpful.
Rather than trying to figure out how to update my version of Internet Explorer (which was earlier than those mentioned at the above page) I downloaded version 6.0 of Internet Explorer, which includes a new Outlook Express. This is a 20 Megabyte download - so allow two hours or so via ordinary modem.
I turned off Active Scripting, as noted below, since as far as I know this is still a security problem (but I haven't fully researched this for version 6.0). This means that certain web sites don't work - but that's fine, because I normally use Netscape and only use MSIE for those few badly written sites which don't work with Netscape.
I can't tell anyone exactly what they need to do to ensure their computer is secure - so please don't ask me to advise you. If you can't understand what to do and prove to yourself that your computer is secure based on the pages linked to here, then I suggest you either don't use the software (Microsoft Outlook Express and Internet Explorer) or download and install the latest versions, and make sure you don't use the old ones. I downloaded MSIE 6.0 via:
http://www.microsoft.com/windows/ie/default.asp
I think that many people who run Outlook Express or Internet Explorer in their usual state will have their computer system infected by the Nimda worm before long. So now is the time to act! Simply browsing web-sites with Internet Explorer (unless you update it and reconfigure it, or unless you are running a very recent version) will cause your computer to become infected if you access an infected web site. (The Microsoft page above is not really up-front about this being a problem with MSIE - but it is. They write as if the problem is in the infected server, which is true, but no browser should be so vulnerable as to allow simply web browsing to run an executable file on the computer.) Anti-viral programs do not, as far as I know, necessarily protect against all modes of infection - but I would not know since I have not researched them. If you use anti-viral software (which most people probably should) then it is vital you update it to get the post 18/19 September 2001 changes which attempt to protect against Nimda.
(I found anti-viral software to be one more level of complexity I could do without - but most people are happier and their computers more secure with these programs than without.)
Please let me know any suggested improvements to this page, but do not ask me for assistance with your computer security. I don't use Outlook Express, or Internet Explorer - I use Netscape 4.77 for browsing and email.
This page does not give you all the information you need to make your computer safe. It gives you some information and some links on where to find out more.
If you can't research these threats entirely and be sure that your computer's Internet Explorer and Outlook Express programs are completely secure, then I suggest you stop using them.
More virus and security information is in the links which follow. You may also like to look here for general security tips and links:
http://www.alphalink.com.au/~oleary/Virus/virus1.htm
While any program might have a security vulnerability, most programs don't. All the problems mentioned below involve Microsoft programs - which have more than their share of security vulnerabilities. This, coupled with their widespread use, means that many hackers write viruses and worms etc. and that those malicious programs are able to spread rapidly all over the world. It is false to think that you are safe in using widely used software, just the same way almost everyone else uses it (without security updates). This does not make you safe - it puts you, your computer and all the data stored on it directly in the firing line. Nimda has more modes of infection than any virus or worm in the past, so there is every reason to believe it will spread widely - ultimately to most computers which continue to use the insecure programs.
Nimda worm/virus
2001 September 21
The Nimda worm/virus became rampant on 2001 September 18, almost exactly a week after the World Trade Centre terrorist attacks. It only affects Windows computers - by exploiting some serious security failings in commonly used Microsoft programs. If Microsoft had put security before featuritis, the Nimda worm/virus could not exist.
If you do not use Microsoft Outlook Express (Outlook too?) and/or Microsoft Internet Explorer and if you do not run the Microsoft IIS web server, then you have nothing to worry about.
Nimda is by far the most sophisticated worm/virus yet written. It has four distinct modes of infection, including email, browsing web sites, via the LAN etc. This is a terribly destructive worm/virus and I am sure it will cause a lot of people a lot of grief - but only if they continue to use the vulnerable Microsoft programs without performing the appropriate configuration changes and updates.
Here are some summaries of things you should do. These, as far as I know, will help protect you, but the full scope of the Nimda threat is something I don't fully understand and cannot document here. I provide links to other pages with more detailed information. You should read the CERT advisory and the Datafellows pages too.
The security of your computer is your responsibility - for yourself, for the privacy of whatever data you have in it, and to ensure that your computer is not used by a virus/worm and by hackers to attack other computers.
If you can't figure out how to run Outlook Express and Internet Explorer in a safe way (and I am not sure I know how to ensure this other than by installing the latest version and probably disabling Active Scripting), then I suggest you use another email program and browser.
Finding out how to ensure your software is not vulnerable is a pain. Changing email and browser programs is a pain too. But these are minor inconveniences compared to having your computer and many of its files infected with Nimda.
Amongst other things, Nimda installs a backdoor so hackers (people) or other worms/viruses can install new worms or viruses in your computer, and/or use your computer to launch attacks against any computers the hacker desires. This backdoor also enables a hacker to read, alter, write and delete any file on your computer - so they can read passwords, search files for credit card numbers etc. or send out programs which do this automatically.
Microsoft Internet Explorer (MSIE) web browser
Simply browsing an infected web site can cause your computer to become infected. About 22% of web sites run the Microsoft IIS web server program. This program can be infected by Nimda - and every web page on such sites will contain a hidden Javascript program so that a vulnerable web browser (MSIE in its normal state) will cause the browser computer to become infected. There is no way you can tell whether a site runs MS IIS or whether it is infected, until it is too late.
A simple solution is to stop using MSIE and use Netscape 4.7x instead. I don't recommend Netscape 6.x yet.
There are at least two sorts of vulnerabilities in MSIE. Firstly one to do with "Active Scripting" (which you can fix by reconfiguring it) and secondly to do with a "MIME type" vulnerability which requires you to download and apply a fix from the Microsoft site (or install the latest version of MSIE).
Active Scripting
This is a stupid Microsoft-specific (that is, not an Internet standard) "feature" which you can live without (or at least this is what I thought . . . read on . . . ) and which (as far as I know) you must disable unless you want your computer to become infected with Nimda and other such things.
Note: When MSIE 5.0 and probably other versions run with "Active Scripting" disabled or set to "Prompt", some web sites will not work or will be painful to negotiate due to excessive prompting. For instance the Commonwealth Bank's otherwise excellent NetBank site is painful to use with Active Scripting set to "Prompt" and I find it impossible to use this facility, and sometimes even the main page of the Commonwealth Bank's site, with Active Scripting disabled.
Netscape, which has no such thing as "Active Scripting", works fine, so I suggest you use Netscape! I don't use MSIE, so this is no drama to me. Since you can't be sure when on some website that an MS "Active Script" is not in fact a script which will infect your computer with Nimda, I think it would be mad to continue using MSIE with Active Scripting set to "Prompt".
If your version of Internet Explorer is older and does not have a "Tools" menu, as described below, then I can't advise how you can be sure your version is not vulnerable. For all I know, your browser has this problem, but I don't have such an older version and I don't know how to fix it. I understand that Microsoft does not support MSIE before version 5, so you may not get any help from them. I wouldn't use such a browser unless I could be sure it was not vulnerable as described here - so I suggest you get a later version of MSIE and any updates it needs, or use Netscape instead.
Some web sites are so badly designed that they only work with MSIE
(because MSIE tolerates and displays pages which violate HTML rules)
- but that is the fault of the web designers.
To disable Active Scripting:

1 - From the Tools menu, select Internet Options and then the Security
tab.

2 - For each of the four "zones": Internet, Local Intranet, Trusted
Sites and Restricted Sites, click the Custom Level button.

3 - For each of the above, scroll down to about 80% of the way down
and find:

    Scripting
        Active scripting
            X Disable
              Enable
              Prompt

and select the "Disable" option as indicated above. Then click OK and
select the next zone, as per step 2.

4 - When all four zones are set like this, click OK.
"MIME Type vulnerability"

Many versions of MSIE are programmed in a damn-fool way so that what
appears (to users and initially to the browser) as a graphics or audio
file or similar in a web page or email can in fact contain an
executable file (typically Nimda or similar), and MSIE will execute
that file without asking the user!!!! The trick is that the MIME header
describes the attachment as a harmless type (audio or image data), so
MSIE processes it automatically instead of treating it as a program.

This is a terrible mistake - again a lousy piece of programming to make
all sorts of smarty-pants automatic things happen to impress the
impressionable, but which leaves the program wide open to a
virus/worm/malicious-web-site attacking it and infecting the computer.

Please read the following Microsoft page in detail and determine your
best course of action. Again, if your version of MSIE is not mentioned
here, then it is probably not supported by Microsoft, is probably
insecure, and therefore I strongly suggest you not use it!
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-020.asp
Outlook Express

Outlook Express is the standard email program for Windows machines. It
relies on Microsoft Internet Explorer (MSIE) to handle certain kinds of
emails - HTML emails (messages which are not plain text, but are like
web pages, with fancy fonts and/or graphics etc.).

The above "MIME Type Vulnerability" in MSIE makes Outlook Express
vulnerable to the Nimda worm/virus. If you are running Outlook Express,
and you have not updated your Internet Explorer as described above, and
an infected computer sends you Nimda email, then your computer will be
infected with Nimda!!! Such infection means it will send out Nimda
emails, corrupt all your executable and zip files, infect Windows
computers on your LAN etc. etc. etc. So if you continue to use Outlook
Express, you must ensure your MSIE is not vulnerable as described above.
I have received one Nimda infected email so far. It was 78 k bytes
long and had as its subject a very long word, over 100 characters,
apparently made up of file and directory names from the infected
computer. If you get such an email, delete it. But if you have received
it with a vulnerable system (Outlook Express with a vulnerable MSIE)
then I think it is too late - your computer is already infected. Nimda
will then be corrupting your files, sending itself out to other people,
probing the Net to find vulnerable IIS servers and infecting any
computers it is connected to via a LAN.

You do not have to click on any attachments to have Nimda infect your
computer via email! Outlook Express will execute the Nimda email as
soon as it displays the message (including in the preview pane), unless
you have updated MSIE.
If you see such an email in your Inbox, but it is not displayed, then
maybe you can delete it without displaying it - but I can't advise how,
since I don't use Outlook Express. A better approach would be to close
Outlook Express, never use it again and use some other email program,
such as Netscape's built in email system (Messenger) or Eudora:
http://www.eudora.com .

You could fix your MSIE and then run Outlook Express after the fix and
reconfiguration described above. But please remember that I am not an
expert on any of this (I don't use these programs) and it is your
responsibility to research these matters fully. I hope what I have
written helps, but I do not pretend it is all you need to know. It was
your choice to run Outlook Express and MSIE - I never recommended you
use them!
Nimda general information

Please refer to the following sites for authoritative information on
Nimda. If you are running the Microsoft IIS web server then it is vital
you get the updates for it - and if you haven't already, your machine
will probably have been infected by SirCam and increasingly Nimda by
now, so you need expertise to rid your system of the infection. This
may involve a complete reformatting and installation of everything. I
don't know how to disinfect a computer with Nimda. It sounds really
nasty. The Datafellows site has some information on this.
http://www.cert.org
The authoritative source of information on computer security problems.
See the CERT Nimda advisory: http://www.cert.org/advisories/CA-2001-26.html

http://www.datafellows.com/nimda/nimda.shtml
Good information on Nimda - see the links and the detailed explanation
on a related page: http://www.datafellows.com/v-descs/nimda.shtml

http://www.securityfocus.com
Lots of security information on vulnerabilities of all kinds, including
many more problems with Microsoft programs (including MSIE, OE and IIS)
than I mention here. Also, the home of the BUGTRAQ mailing list. The
only way to ensure computer security is to become aware of new
vulnerabilities very quickly. Subscribing to BUGTRAQ is the way to
achieve this.
Below are some other things I put on this page earlier, to do with not
sending or running executable programs via email, about the SirCam
virus, which is still infecting machines (September 2001) and about
some other vulnerabilities in Outlook Express.
Do not send executable programs (.exe, .com, .vbs, .scr or .bat) via
email or Usenet newsgroups - or run or open them!!!!

. . . or from any other untrustworthy source, such as your friends,
many web-sites (other than reputable software sources such as Tucows),
or stuff received via IRC, ICQ, AIM etc.
This is serious! Many people have no idea about computer security and
are running programs which have been sent to them. Worse still, they
are sending them on to other people.

It is the computer equivalent of:

    Here's something you have never seen before. I hadn't seen it until
    recently either. I have no idea where it really came from - someone
    just gave it to me. Stick the needle into your arm and press the
    plunger. Its GREAT!!!!
Click below to read the standard text I send to people who send me an
executable program via email: exewarn.txt
The above text was written when it could be assumed that the only way
of infecting your computer via a virus/worm/Trojan email was to click
on the executable attachment it contains. However this is no longer the
case. The widely used Microsoft Outlook Express program (unless updated
with the latest Microsoft "patches") will run certain executable
components of emails the moment the email is viewed. So there is
nothing you can do to stop your computer being infected with a virus
once your Outlook Express receives it.

Below is what I wrote in October 2000 about this problem.
The SirCam virus/worm

On 23 and 24 July I started getting an extraordinary number of virus
emails from people I have never heard of. Their computer is infected
with the "SirCam" virus/worm, because they foolishly clicked on the
attachment in a virus email. This virus sends out personal files to
people you know and don't know and can delete every file on your
computer. Therefore everyone with a Windows computer connected to the
Net needs to make damn sure they do not allow their computer to be
infected - and if it is infected, to disconnect the computer to stop it
spreading more virus messages (each with their personal files from My
Documents built in to the virus).

Click here to see what I am sending back to everyone whose computers
send me such a virus email. This contains basic information on
identifying viral emails of this type, and what you should do if your
computer is affected: SirCam/
Executable programs via email and the vulnerability of Outlook Express
Everyone who runs a computer connected to the Net has a responsibility
to protect that computer against security intrusions, such as from an
email virus or a Trojan Horse program (which is dangerous but pretends
to be benign). This is because your computer, once infected, will then
be used to launch attacks against other computers. The fact that
computer security is a deep and perplexing field does not detract from
this responsibility.

The costs of having your computer infected can be immense. Likewise the
costs of another computer being infected because you allowed your
computer to be infected can be immense too. The costs include your
files being deleted or corrupted, having your files, account passwords
etc. read by an attacker, having to re-install your operating system
and all application programs, and your computer generating infected
emails and remotely controlled, deliberately targeted streams of
Internet information designed to overwhelm other computers.
To my friends who may be running Outlook Express, thinking they are safe
because millions of other people do.

Please pass this on - but only if it makes sense to you. You shouldn't,
in general, pass on emails, especially warnings, just because the email
tells you to do so! See: http://www.datafellows.com/virus-info/hoax/

- Robin Whittle 28 October 2000

An up-to-date version of this file can be found at:
http://www.firstpr.com.au/security/
Summary
A friend who works for McAfee phone support told me that
there are now email viruses which exploit serious security
weaknesses in Microsoft's Outlook Express email program.
The short version of all this is that unless you apply the
appropriate updates (patches) from Microsoft to eliminate
these weaknesses, it is likely that sooner or later anyone
running Outlook Express will have their computer infected
with a virus, simply as a result of being sent an infected
email. There are now tens of thousands of computer viruses
- and many of them cause immense trouble and
irreparable damage.
So unless you want to investigate the various security
issues and apply the Microsoft updates, I suggest that
Outlook Express should not be used at all. Eudora Pro,
Netscape's built-in email program and of course web-based
services like Hotmail (which can be configured to access
any POP account) don't have this problem - but of course
you still need to avoid clicking (and so running) any
attachment which could contain a virus. More on that
below.
- - -
Outlook Express is so badly written that it is possible for the virus to
install itself into the computer simply by Outlook viewing the email.
So if you receive such an email, the moment you click on it to read it
- that's it - your computer is infected and will try to spread the virus
to others, such as everyone in your address book. (Normally, the only
way a virus can infect the computer via email is if you click on an
executable attachment.)
As you may already know all-too-well, a virus can do all sorts of things
to your computer, apart from using it to infect other computers. A
virus can install a backdoor program so someone anywhere on the Net can
read, write and delete any file on your computer, run any program, shut
the computer down, open and close the CD-ROM drive etc. A virus can
scramble the operating system's registry, or delete or corrupt its
programs - making a complete re-install of Windows necessary. The virus
can install itself into application programs, so you can't trust any
program on your hard disc - you need to start from scratch and reinstall
everything. A virus can rename and alter any type of file. Some
viruses slowly continually and randomly, change a single byte in a
random location of randomly chosen files throughout your entire
hard-drive - so the longer the computer is infected, the more your data
and applications turn to garbage. A virus can stop the computer
accessing particular web sites, including those for uploading updates to
anti-virus software.
A virus can install itself if you click on an executable attachment - no
matter what email program or web service you are using. So never click
on an attachment which ends with anything but .jpg or .gif. (Word files
- .doc - can have Word viruses in them, but that's another story.)
An executable attachment includes those ending in .exe, .com, .vbs,
.pif, .scr and quite a few other extensions. A common ploy is for the
virus to be in a file which is named to make you think it is a text
file, for instance: "FOR-YOU.TXT.vbs". This works because Windows, by
default, hides the extensions of known file types, so such a file can
appear in a listing simply as "FOR-YOU.TXT".
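As an added example (my own code, not anything from this page or from Microsoft, McAfee or the other vendors mentioned), here is a small Python script which applies the advice above to an incoming email: it flags attachments with the executable extensions listed on this page, the "FOR-YOU.TXT.vbs" double-extension ploy, and the trick described in the "MIME Type vulnerability" section earlier, where a part declared as audio or image data really contains a Windows executable. The sample message is constructed inline and is not a real worm; the extra extensions beyond those named on this page and the "MZ" header heuristic for spotting an executable are my assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named on this page (.exe .com .vbs .pif .scr .bat) plus a
# few more that Windows runs on double-click (assumed, not from the page).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "vbs", "pif", "scr", "bat",
    "cmd", "js", "jse", "vbe", "wsf", "hta",
}

# Top-level MIME types a mail client renders inline without asking.
# MS01-020 was about executables declared under such types.
INLINE_MAJOR_TYPES = {"audio", "image", "text", "video"}


def check_filename(filename):
    """Findings for an attachment name: executable extension, and the
    double-extension ploy (a decoy .TXT in front of the real .vbs)."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension ." + ext)
        if len(parts) >= 3:
            # With "Hide extensions for known file types" on, Explorer
            # shows only the decoy name.
            decoy = ".".join(parts[:-1])
            findings.append("double extension (shows as '%s')" % decoy)
    return findings


def check_part(part):
    """Findings for one non-multipart MIME part."""
    findings = []
    filename = part.get_filename() or ""
    if filename:
        findings.extend(check_filename(filename))
    payload = part.get_payload(decode=True) or b""
    ctype = part.get_content_type()
    # A Windows executable (PE/DOS "MZ" header) declared as audio, image,
    # text or video data: the MS01-020 pattern, which a vulnerable MSIE or
    # Outlook Express would run while merely "displaying" the message.
    if payload.startswith(b"MZ") and ctype.split("/")[0] in INLINE_MAJOR_TYPES:
        findings.append("declared %s but content is a Windows executable" % ctype)
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message; return {attachment name or type: [findings]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        findings = check_part(part)
        if findings:
            report[part.get_filename() or part.get_content_type()] = findings
    return report


def build_sample():
    """Constructed sample (not a real worm): an audio/x-wav part whose body
    starts with an MZ header, a double-extension attachment, and a harmless
    GIF so the scanner has something to pass."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "readme"
    msg.set_content("see attached")
    fake_pe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav",
                       filename="readme.exe")
    msg.add_attachment(b'MsgBox "harmless"', maintype="application",
                       subtype="octet-stream", filename="FOR-YOU.TXT.vbs")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="photo.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

Run it as-is to see the report for the constructed message; to check real mail, pass the raw bytes of a saved message to scan_message(). Note that the script only reports: the point of the page is that a vulnerable Outlook Express acts on the disguised part before any such check can run, so it is no substitute for the Microsoft fix.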
It may be impossible to restore the damage a virus does. At the very
least, removing a virus requires specialist knowledge and probably
special anti-virus software. A more likely scenario is backing up the
data files only from the PC and then reformatting the hard drive,
re-installing Windows and re-installing all applications. That backup
may need to be done by putting the hard drive temporarily in another
machine, since the virus may have made the computer's operating system
and application programs non-functional or at least untrustworthy.
Properly updated anti-virus software should detect an infection such as
that which can happen simply by viewing a virus email with Outlook, but
by then, it would probably be too late because the virus will have
installed itself, done some of its damage and started replicating to
others via the Net.
Many friends I know with Windows machines use Outlook, since it is the
default email program. They have little or no idea about security and
the dangers of clicking on attachments. Many of them have had their
computers really screwed up because of virus infections in recent
months.
My McAfee phone support friend tells horror tales of trying to support
a person whose computer seems to be infected by three separate viruses
at once!
I hope this helps you and your friends avoid such trouble.
Examples of a virus which infects directly by being viewed with Outlook
Express are:
http://www.europe.F-Secure.com/v-descs/bubb-boy.htm
http://vil.mcafee.com/dispVirus.asp?virus_k=98855&
This page has links to a patch from Microsoft for updating
Outlook to solve its security problems. It also describes how to
configure Windows to disable the "Scripting Host" facility which
is used by some viruses.
Virus information can be found at:
http://www.norton.com/avcenter/
http://www.datafellows.com/
http://www.mcaffee.com/anti-virus/
http://vil.mcafee.com/default.asp?
I am not a virus expert. I don't want to become one either!
- Robin
Please use this text yourself if you
think it is valuable, and send me
suggestions for improvements.
- Robin Whittle rw@firstpr.com.au
Back to the main index page of the First Principles site.