Date: 16 May 2005
Introduction
According to the results of the 2005 Australian Computer Crime
and Security Survey, malicious software (malware) has shown
itself to be one of the greatest threats to information systems
in Australia. The most common form of attack reported by large and
small organisations was infections by viruses, worms and trojans.
Viruses and worms are well known forms of malicious code but trojans,
spyware and other types of attack tools and some mobile code also
have the potential to harm the confidentiality, integrity or availability
of your computer data or network. Like other forms of computer network
threats, malicious code continues to evolve and create new challenges
for organisations seeking to protect themselves. But these challenges
are not insurmountable and there are a number of practical and effective
strategies to reduce the risk.
During 2004 and 2005, AusCERT has seen a sharp rise in the use
of trojan horse malware to facilitate online identity theft. More
than ever, it has become critical that home users feel confident
in their system security before performing financial transactions
online.
This paper outlines effective strategies that will assist in minimising
the risk of harm to confidentiality, integrity and availability
of your computer data and systems when connected to the internet.
It provides practical advice for protecting the Windows desktop
PC environment from malicious code for home users, and organisations
without dedicated IT staff.
Minimum security requirements
The following is a summary of what AusCERT considers the minimum
required to secure a desktop system for use on the internet:
- Apply operating system patches, ideally via automatic updates.
- Perform day to day tasks under a user account with limited/reduced
permissions.
- Install and maintain security software: personal firewall, anti-virus
and anti-spyware.
- Install and configure anti-spam filtering software and consider
using an ISP that performs some level of spam filtering.
Before you start
Once an unprotected computer has been connected to the internet,
it is difficult to guarantee that it has not been compromised. Therefore,
installation and configuration of security software is most effective
when applied to a fresh installation of Windows which has not been
connected to the internet. Once the computer is connected to the
internet, the first thing to do is download and install the latest
patches. Re-installing Windows may destroy data on your system and
should not be attempted if you are not confident with this type
of operation. Following these instructions on a system which has
been previously connected to the internet, while not as ideal, is
still recommended.
The resources section contains
links to some popular tools which are free for non-commercial use.
Minimum recommended steps to securing a Windows PC
- Keep software patches up to date for all services in use on
your network, especially for the operating system, browser and
email applications
Not all email viruses rely on the user opening an attachment in order to cause damage.
Some email and web-based malicious code exploits vulnerabilities
in the host application (the email client or browser) that allow the
code to execute automatically (e.g. the Nimda [1] and Klez worms). By applying
relevant security patches for the operating systems, applications
and services you are running, you will not only protect yourself
from some forms of malicious code but also protect yourself against
hackers seeking to remotely compromise your system by exploiting
these same vulnerabilities. Information about the security vulnerabilities
and patches affecting your systems can be found on the relevant
vendors’ web sites or from AusCERT. AusCERT also offers a free
security bulletin service: the AusCERT National Mailing List [2] as does Microsoft [3].
The recommended strategy is to check for updates on an automated
basis wherever possible. For example, Microsoft's 'Automatic Updates'
feature, when enabled on a machine, will automatically inform
the user/administrator of the availability of new patches that
should be installed. For home users and SMEs, using Windows Update
[4] regularly is advisable, but
automating this process is highly recommended [5]. The Microsoft web site [6] provides information, techniques,
tools, and templates to assist with maintenance of a Microsoft
environment through vulnerability assessment, application of security
patches and countermeasures.
- Perform day to day tasks under a user account with limited/reduced
permissions
Windows XP Home and Windows XP Professional both support the concept
of limited user accounts. Operating as a limited user also limits
the access available to malicious code, should a system be infected.
This limited access may inhibit the ability of malicious code to
operate effectively. Performing day to day tasks such as browsing
the web, reading email, creating documents and playing games should
be done as a limited user, while installing software or updating
Windows should be done as an Administrator. Windows XP's 'Run as' option
(right-click a program's shortcut, or use the runas command) lets you start
a single program with administrator rights without logging out of the
limited account. Microsoft publishes information on using limited user
accounts for Windows XP [7].
- Install a personal firewall and configure it to allow only
essential connections
A firewall blocks access to services on your computer except
for those you permit. Generally, computers being used for email
and web browsing do not need to allow any incoming connections.
However, Internet chat (e.g. ICQ or MSN Messenger), peer to peer
(P2P) and online gaming systems may require incoming connections
to function correctly. Blocking incoming connections will protect
your computer from worms, such as "MSBlaster"[8].
Some firewall products will also restrict outbound access from
your computer to the Internet. The firewall will need to be configured
(or trained) to allow the necessary outgoing connections, such
as domain name service (DNS) look-ups, the sending and retrieving
of email and web browsing. Also, some firewall products provide
integrity checking to warn the user when programs are being replaced
on your computer.
Windows XP comes with a firewall built-in to block incoming connections,
though this was not enabled by default prior to Service Pack 2.
For more information on using Windows Firewall, see [9]. If you are operating a small
network for business or home use with a number of hosts, then
you may need additional forms of firewall protection.
It is important to note that a computer should have only
one personal firewall product installed.
- Install anti-virus software and perform twice-weekly updates
and scans of your computer
Having anti-virus software that has expired or is not being updated
at least twice-weekly will not protect against new viruses or
trojans that have been released into the wild since the last update.
It is also possible you may already have a virus, trojan or other
type of malicious code on your system performing harmful activities
without your knowledge. Even if you are running up to date anti-virus
software there is always a delay between when a new trojan, virus
or worm is discovered in the wild, when vendors can develop a
signature for it and when the client installs the new signature.
For rapidly propagating worms and viruses this delay is often
sufficient to cause widespread infection. By conducting regular
scans you may be able to identify whether you have received a
virus or other malware, by email or other source, which your anti-virus
software did not detect and quarantine at the time of entry.
A computer should have only one anti-virus product
installed.
- Install spyware scanners and conduct twice-weekly updates
and scans of your computer
Spyware scanners do what anti-virus software often does not, i.e.
detect and protect against a variety of "legitimate" tools which
can be installed on your system by attackers for malicious purposes.
Most spyware only collects profile information about your web
browsing activities for the purposes of enhancing advertising
but some spyware can install remote access trojans and keystroke
loggers – which can directly harm your systems or be used to compromise
or harm other people’s systems, and identify your computer or
network as the source of the attack.
It is possible to install multiple anti-spyware products. This
is recommended as different products have different sets of spyware
they can detect.
- Install and utilise spam filtering software for use with your
email client
Spam is unsolicited bulk e-mail that often advertises products
or services. It can sometimes be explicit and offensive in nature
and is increasingly used as a vector to spread malicious code.
By reducing the amount of spam that reaches your inbox, you reduce
the risk of compromise by malware.
Spam filtering software uses pre-defined rules to determine what
is and is not considered to be spam. By scanning incoming email
looking for certain characteristics it determines whether the
email is likely to be legitimate or not, and either blocks the
email or allows it to pass accordingly.
While spam filtering software can be useful for helping to identify
spam email, it will not successfully block all spam email. For
this reason, do not assume that all email delivered to your inbox
when using spam filtering software is legitimate, even if it appears
to have originated from sources you know and trust.
Some Internet Service Providers (ISPs) offer spam filtering services
and some email clients such as Outlook 2003 include built-in spam
filtering [10].
Additional steps to secure a Windows PC
- Don't open attachments or click on links in suspicious email.
Just as important as the technology counter-measures are good-practice
counter-measures: the things that users and system operators can
do for themselves. There will be times when, despite your best efforts
to keep your anti-virus, anti-spyware and system patches up to date,
vendors will not yet have developed the signatures or the specific
patches required for protection.
Describing what is ‘suspicious’ is difficult, but this is where
your instincts will help. Viruses can forge email ‘From’ fields,
i.e. change the ‘From’ field so that tracking the source of the
infection is difficult and the recipient is confused about who sent
the message. Viruses can send infected emails from legitimate email
addresses of persons known personally to you by collecting addresses
from infected systems. For this reason, the email ‘From’ field provides
only limited clues as to whether a message contains a virus.
Look also at the body and subject of the message. If the email
is from somebody personally known to you or your organisation,
is the message content and subject line consistent with what you
would expect that person to email you about? If words are misspelt;
if there are grammatical errors; or the expressions used are culturally
inconsistent such as "watchin’ the game, having a bud"
or referring to imperial measurements when it is common to use
metric measurements, then these are likely to be clues to regard
the email with suspicion in which case you should delete it without
opening the attachment or clicking on any of the links it contains.
If you don’t personally know the person named in the ‘From’ field
and the message was not expected then delete it. If you do know
the person, then it would be a good idea to contact them and check
they did in fact send the email before opening the attachment,
clicking on the links it contains or replying to it.
Be particularly wary of social engineering ploys, i.e. messages
which are designed to increase your curiosity, concern or interest
in opening the attachment or clicking links. For example, some
of the random messages contained in the Fizzer worm were: "the
attachment is only for you to look at; you must not show this
to anyone and if you don't like it, just delete it"; others
have claimed "you are under police investigation, click here
to learn more".
- Configure instant messaging software to allow only those on
your contacts list to send you messages
Equally important to blocking unwanted emails is blocking
unwanted instant messages. Some malicious code spreads through
instant messaging software such as MSN Messenger, AOL Instant Messenger,
Yahoo Messenger or ICQ.
The following guides show how to configure your instant messaging
software to block unsolicited instant messages for MSN Messenger
[11], Yahoo! Messenger [12], AIM [13] and ICQ [14].
- Securely configure email clients to turn off the “Preview
pane” and to show and block potentially harmful attachments
In the past, some email clients have exhibited vulnerabilities
which allow malicious code to execute automatically as a message is
“previewed”, without the user opening it. Additionally, HTML email may
download and execute harmful mobile code such as scripts or Java applets.
As a general rule don’t open attachments with any of the file
extensions .exe, .com, .pif, .scr, .vbs, .js, .ocx, .shs, .reg
and .bat. Some email applications, such as newer versions of Microsoft
Outlook, block certain types of potentially harmful email attachments,
and for other types of attachments, require the user to save the
attachment to disk before it can be opened. The latter allows
the user to scan the file before opening it if your anti-virus
software is not integrated with your email program. For further
information about these features, see [15].
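The warning signs described in the last three sections (the characteristics a spam filter's pre-defined rules look for, forged 'From' fields and social-engineering lures, and attachments with executable extensions) can be expressed as a small set of rules. The following Python script is an added example and is not part of the original AusCERT paper: it parses a message, applies those rules and reports the reasons behind its verdict. The sample message is constructed here for the demonstration (its addresses and hosts are invented), and the individual checks are assumptions chosen to match the text, not a complete filter.

```python
"""Rule-based check for the warning signs the paper describes in incoming
email: a forged-looking 'From' header, HTML bodies carrying script or IFRAME
content or links whose visible text does not match their target, and
attachments with executable extensions (including the 'notice.pdf.scr'
double-extension trick). Added example; not AusCERT's code."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# The extensions the paper says never to open.
BLOCKED_EXT = {"exe", "com", "pif", "scr", "vbs", "js", "ocx", "shs", "reg", "bat"}
LINK_RE = re.compile(r'<a\s[^>]*href\s*=\s*["\']?([^"\' >]+)[^>]*>(.*?)</a>', re.I | re.S)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def filename_warnings(name: str) -> list:
    """Warnings for one attachment filename."""
    out = []
    pieces = name.lower().split(".")
    ext = pieces[-1].strip() if len(pieces) > 1 else ""
    if ext in BLOCKED_EXT:
        hidden = " hidden behind a second extension" if len(pieces) > 2 else ""
        out.append(f"attachment '{name}' has executable extension .{ext}{hidden}")
    # A long run of spaces pushes the real extension out of view in some clients
    # (assumed trick, added here; the paper only lists the extensions).
    if re.search(r"\s{5,}\.\w+$", name):
        out.append(f"attachment '{name}' pads its name with spaces to hide its extension")
    return out


def header_warnings(msg) -> list:
    out = []
    display, addr = parseaddr(str(msg.get("From", "")))
    shown = ADDR_RE.search(display)          # an address written into the display name
    if shown and shown.group(0).lower() != addr.lower():
        out.append(f"From display name shows {shown.group(0)} but the address is {addr}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        out.append(f"Reply-To {reply_to} differs from From {addr}")
    return out


def body_warnings(msg) -> list:
    out = []
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None or body.get_content_type() != "text/html":
        return out
    html = body.get_content()
    for tag in ("script", "iframe"):
        if re.search(rf"<{tag}\b", html, re.I):
            out.append(f"HTML body contains a <{tag}> element")
    for href, text in LINK_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if visible.lower().startswith(("http://", "https://", "www.")):
            shown_host = urlparse(visible if "://" in visible else "http://" + visible).hostname
            real_host = urlparse(href).hostname
            if shown_host and real_host and shown_host.lower() != real_host.lower():
                out.append(f"link text shows {shown_host} but points to {real_host}")
    return out


def assess(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return a verdict with its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = header_warnings(msg) + body_warnings(msg)
    for part in msg.iter_attachments():
        reasons += filename_warnings(part.get_filename() or "")
    return {"verdict": "suspicious" if reasons else "no obvious warning signs",
            "reasons": reasons}


def constructed_sample() -> bytes:
    """A made-up lure in the style the paper quotes; not a real capture."""
    m = EmailMessage()
    m["From"] = '"alice@bank.example" <mailer@mailer.invalid>'
    m["To"] = "you@home.example"
    m["Reply-To"] = "verify@bank-secure.invalid"
    m["Subject"] = "You are under police investigation"
    m.set_content("Please read the attached notice.")
    m.add_alternative(
        '<p>Click <a href="http://198.51.100.7/login">\n'
        'https://www.bank.example/login</a> to learn more.</p>\n'
        '<iframe src="http://198.51.100.7/x" width="0" height="0"></iframe>\n',
        subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="notice.pdf.scr")
    return m.as_bytes()


if __name__ == "__main__":
    result = assess(constructed_sample())
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Each rule on its own is weak (a genuine newsletter may use a tracking host in its links), which is why the script reports every reason rather than a single score: as the paper says, a message that passes the filter is still not proof of legitimacy, and the final judgement about unexpected mail from a known sender is made by checking with that person.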
- Configure browser settings to be as secure as possible
Surfing the net can be as dangerous as reading your email - if
you don't take precautions. ActiveX controls, Java, JavaScript,
Flash and Shockwave are all forms of mobile code which are designed
to enhance the web experience when you view a web page but all
have the potential to harm your systems. Unlike worms, viruses
and trojans which are inherently malicious, mobile code for the
most part performs a legitimate and harmless function. It is possible,
however, for attackers to embed mobile code within their web pages
so that when unsuspecting users access a web site through their
browser, the code is automatically executed on the client machine.
Some anti-virus software can help protect against malicious mobile
code.
While various browsers use different naming conventions, those
that support scripting controls also provide mechanisms for disabling
them. IFRAME is an HTML element which loads content from another
page, possibly on another site, into the current one, and so can be
used to facilitate the execution of mobile code. In an office environment,
administrators have access to tools which can limit the amount of
configuration a user can perform to their browser or operating system.
This will minimise the risk of users downloading malicious mobile code.
For more information on securing Internet Explorer, see [16] and [17].
- Consider using a different web browser
During 2004 and the beginning of 2005 AusCERT has seen a sharp
increase in trojan attacks with the sole purpose of capturing
credentials for financial transaction sites (such as Internet
banking). The vast majority of these attacks attempted to exploit
vulnerabilities in Internet Explorer. Therefore, a short to medium
term solution is to use an alternative browser, such as Firefox,
Mozilla, Netscape or Opera (for vendor web sites, see the "Alternative web browsers"
section of Resources). If an alternative
browser is chosen, then it is prudent to also limit the mobile
code (such as Java and JavaScript) which can be executed by this
browser.
However, it is important to note that using alternative browsers
is not an infallible defence. Vulnerabilities are being discovered
and exploited in other browsers and they may become more commonly
targeted as they increase in popularity. Similarly, some online
financial transaction sites may not support less popular browsers.
- Consider using a modem/router device
There is now an abundance of affordably priced modem/router
combinations available within Australia, particularly for broadband
access. By purchasing a dedicated device that handles the internet
connection, your host computer is no longer directly connected
to the Internet, but is instead given a "private" address (common
private address ranges start with 192.168 or 10). The modem/router
device handles the process of converting public to private
IP addresses (and vice-versa), which is also known as "Network
Address Translation" (NAT). Because an unsolicited connection from
the Internet has no translation entry to match it, the router discards
it, which gives the PC protection similar to a firewall that blocks
all incoming connections.
This type of device can inhibit legitimate applications that
require incoming connections, such as chat and online gaming,
but devices can generally be configured to allow these applications
to function. However, care must be taken when performing this
configuration to allow only limited connections.
For more information on NAT, see [18].
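The personal firewall section and the modem/router section above describe one policy: nothing comes in unless you opened the port or your PC asked for it, and only a short list of services goes out. The following Python model is an added example, not part of the original paper; it implements that policy over a few constructed packets and checks whether an address falls in the private ranges a NAT router hands out. The outbound allow-list, the sample traffic and the simple "remember what we opened" rule are assumptions for the demonstration; a real firewall also tracks TCP connection state and times entries out, which is omitted here.

```python
"""Toy model of the personal-firewall policy the paper recommends (drop all
unsolicited inbound traffic, allow only the outbound services a mail-and-web
PC needs, let the user 'train' it for anything else) plus the private-address
check for a PC behind a NAT modem/router. Added example; not AusCERT's code.
Port numbers are the standard ones; the allow-list and traffic are assumed."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges. The paper names 192.168.x.x and 10.x.x.x;
# 172.16.0.0/12 is the third range from the same RFC.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr is a private (non-routable) address of the kind a NAT router assigns."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


# Outbound services a PC used for email and web browsing needs (assumed
# allow-list): DNS, SMTP, POP3, HTTP and HTTPS. Anything else prompts the user.
OUTBOUND_ALLOW = {("udp", 53), ("tcp", 53), ("tcp", 25),
                  ("tcp", 110), ("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (from this PC)
    proto: str          # "tcp" or "udp"
    remote: str         # the other end's address
    rport: int          # the other end's port
    lport: int          # this PC's port


class PersonalFirewall:
    def __init__(self, inbound_allow=()):
        # Ports deliberately opened for chat or gaming, e.g. {("tcp", 5190)}.
        self.inbound_allow = set(inbound_allow)
        # Flows this PC opened; replies to them are allowed back in.
        self.flows = set()

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.remote, p.rport, p.lport)
        if p.direction == "out":
            if (p.proto, p.rport) in OUTBOUND_ALLOW or key in self.flows:
                self.flows.add(key)
                return "allow"
            return "prompt"                     # unknown outbound: ask the user
        if key in self.flows:
            return "allow"                      # reply to a flow we opened
        if (p.proto, p.lport) in self.inbound_allow:
            return "allow"                      # a service we chose to expose
        return "drop"                           # unsolicited inbound, e.g. a worm probe


def demo() -> dict:
    """Run constructed traffic through the policy and return the decisions."""
    fw = PersonalFirewall()
    traffic = [
        ("dns query",      Packet("out", "udp", "203.0.113.53", 53, 40001)),
        ("dns reply",      Packet("in",  "udp", "203.0.113.53", 53, 40001)),
        ("web page",       Packet("out", "tcp", "203.0.113.80", 80, 40002)),
        # MSBlaster-style probe of the RPC port, 135/tcp
        ("worm probe",     Packet("in",  "tcp", "198.51.100.9", 4444, 135)),
        # a trojan calling home on a port that is not on the allow-list
        ("trojan callout", Packet("out", "tcp", "198.51.100.9", 6667, 40003)),
        # an unsolicited chat connection; allowed only if 5190/tcp was opened
        ("chat invite",    Packet("in",  "tcp", "198.51.100.9", 5190, 5190)),
    ]
    return {label: fw.decide(p) for label, p in traffic}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:15} {verdict}")
    print("192.168.1.10 private:", is_private("192.168.1.10"))
```

The "prompt" outcome is the training step the text mentions: a product that silently allowed the trojan callout would leave keystroke loggers free to report home, while one that prompts gives the user a chance to notice an unfamiliar program asking for the network. Opening a port for chat or gaming (passing inbound_allow to the constructor) should be done one port at a time and removed when no longer needed.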
Recovering from an infection
The old adage 'prevention is better than cure' is especially true
for malicious code. Depending on the nature of the malicious code,
the solutions to recover will vary. If you believe you may be infected,
the key is to correctly identify the nature of the malicious code
and apply the recommended recovery solution. For some types of malicious
code, recovery may simply require a reboot or the use of a purpose-built
removal tool. Anti-virus vendors' web sites may assist in providing
specific advice. Microsoft has released a malicious software removal
tool [19], which can remove several
variants of malicious code on Windows 2000, Windows XP and Windows
Server 2003 systems.
If the malicious code has installed a backdoor, gained administrator
level access or changed system files, then the integrity (not to
mention confidentiality or availability) of your system has been
fundamentally damaged. This means you can no longer trust the operating
system, applications or data files. The best solution is to ensure
you have a backup of your data and then format the hard drive, reinstall
the operating system and applications from trusted media and data
files from back-up media.
For more information on recovering from a trojan or virus infection,
see [20], [21], [22] and [23].
References
[1] AusCERT (2001) "AL-2001.15 -- W32/Nimda.A@mm worm"
http://www.auscert.org.au/108
[2] AusCERT "AusCERT National Mailing List"
http://national.auscert.org.au/render.html?cid=3014
[3] Microsoft Corporation (2003) "Get Notified Right Away of Important Security Updates"
http://www.microsoft.com/security/bulletins/alerts.mspx
[4] Microsoft Corporation "Microsoft Windows Update"
http://windowsupdate.microsoft.com/
[5] Microsoft Corporation (2005) "How to schedule automatic updates in Windows Server 2003, in Windows XP, and in Windows 2000"
http://support.microsoft.com/default.aspx?scid=327838
[6] Microsoft Corporation (2005) "Patch Management"
http://www.microsoft.com/technet/security/topics/patchmanagement.mspx
[7] Microsoft Corporation (2005) "Microsoft Windows XP - Types of user accounts"
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ua_c_account_types.mspx
[8] AusCERT (2003) "AU-2003.011 -- AusCERT Update - Worm (MSBLASTER) propagation for recent Microsoft RPC vulnerability"
http://www.auscert.org.au/3337
[9] Microsoft Corporation (2004) "Understanding Windows Firewall"
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx
[10] Microsoft Corporation (2005) "How to protect yourself from spam using Hotmail and Outlook"
http://security.msn.com/articles/msmailprotect.armx
[11] Microsoft Corporation (2005) "How you can help reduce instant message spam"
http://security.msn.com/articles/imspam.armx
[12] Yahoo! (2004) "All-New Messenger 6.0 Help - How do I ignore someone?"
http://au.help.yahoo.com/help/au/messenger/win/abuse/abuse-02.html
[13] America Online (2005) "Online Safety/Security FAQ - What do I do if I receive an IM that I don't want?"
http://www.aim.com/help_faq/security/faq.adp?aolp=#unwanted
[14] ICQ Inc. (2005) "ICQ Lite Help Center - Avoid Spam"
http://www.icq.com/help/pages/category_faq_2_1710.php
[15] Microsoft Corporation (2005) "Customizing Outlook 2003 to Help Prevent Viruses"
http://office.microsoft.com/en-us/assistance/CH011480701033.aspx
[16] Microsoft Corporation (2004) "How to improve browsing performance in Internet Explorer"
http://support.microsoft.com/default.aspx?scid=kb;en-us;153790
[17] Microsoft Corporation (2003) "Working with Internet Explorer 6 Security Settings"
http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx
[18] Microsoft Corporation (2005) "Overview of Network Address Translation (NAT) in Windows XP"
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/nattrnsv.mspx
[19] Microsoft Corporation (2005) "Malicious Software Removal Tool"
http://www.microsoft.com/security/malwareremove/default.mspx
[20] Microsoft Corporation (2003) "Computer viruses: description, prevention, and recovery"
http://support.microsoft.com/kb/129972
[21] Symantec Security Services (2003) "Detecting And Recovering From A Virus Incident"
http://www.symantec.com/symadvantage/019/recover.html
[22] AusCERT (2005) "AusCERT, Windows Intrusion Detection Checklist"
http://www.auscert.org.au/4323
[23] AusCERT (2001) "Steps for Recovering from a UNIX or NT System Compromise"
http://www.auscert.org.au/1974
Resources
The following links are to software that is free for non-commercial
use. SINCE Computers provides these links as is and does not support
these vendors in any way. Questions or support inquiries regarding
these products should be directed to the appropriate vendor, not SINCE
Computers.
Anti-virus
Anti-spyware
Alternative web browsers
Personal Firewalls
Spam filtering software