you are searching while the rootkit is running. The only reliable way is to shut down the system and reboot from a CD or write-protected external drive. The rootkit cannot hide itself if it is not running. The only reliable way to cure a rootkit infection is to re-install the operating system and applications. If you save the data files, scan them until they are sterile to avoid reinfection. Make sure the firewall is on, never surf the Internet in admin mode, and never allow anything to install that needs administrative privileges unless you are very certain of what it will do.

Man the Barricades

Now to No. 9, which is False. If you remember that most zombie attacks appear to originate here in the U.S.A., blocking incoming packets from foreign IP addresses might stop a little over a third of the attacks. But what you really want is control over outgoing packets, particularly those heading to foreign IP addresses. Regardless of where the zombies are located, there is some consensus that the people operating botnets live in countries with lax law enforcement regarding computer crime, and possibly some countries may even encourage these nefarious activities.

While an infected PC might still be getting instructions from a foreign source, it will be far less effective if it cannot report back to its new master. Outgoing traffic, particularly to sites no one has actually visited, might be a sign that there are infected PCs inside the firewall.

No. 10 is False. Computer history is littered with the virtual bodies of early adopters who embraced version 1.0 (or beta versions) of an application, only to find that they had acquired the computer security equivalent of a cardboard flak jacket. Unfortunately, there are people who want the newest, brightest and “bestest” toys right now. Please resist the urge to rush a new system into operation unless there really is no other choice.

Malware Symptoms

How can you tell if your computer has been infected? Here are some typical symptoms:

• You get pop-ups at random when you are not searching the Internet.
• You get a funny video in e-mail and when you double click on it you get a security warning. When you click OK to let the video run, nothing happens.
• You click on a link in search results and immediately get pop-ups. You close the pages but get error messages.
• Your computer runs slowly and when you check system activity you see unexplained memory, central processing unit, or network bandwidth consumption.
• Your computer is sending or receiving data (indicated by constantly blinking lights on your modem or router) even though you do not have a browser, e-mail or other Internet program open.

Essentially, any time your computer does something that you did not tell it to do, you should be suspicious. Granted, the last example could be some type of auto-update program, but any reputable updater application should issue an alert and ask permission before proceeding.

We looked at Trojan horses earlier, but it also might be useful to look at the differences between viruses, worms and Trojans.

A computer virus is executable code that attaches itself to an executable file and is activated when a user runs the file it is attached to. Viruses range from annoying (displaying a joke message at a set time) to dangerous (damage to your system or files). Because almost all viruses are attached to executable files, they generally cannot infect a computer until a user runs or opens the host file. Please note that a virus cannot be spread without a human action such as running an infected program or e-mailing an infected file.

A computer worm is similar to a virus, with one important difference: it can travel without any help from users. Worms take advantage of the various file and information transport features on computers and networks to travel. Once a worm is active it can send thousands of copies of itself to any target it can find. A common worm tactic is to e-mail itself to everyone in a user's e-mail address book, or just wait until an e-mail is sent. This feature can also help us detect worms, because if they are too active and consume too many system resources, we may notice a loss in memory or an increase in bandwidth consumption.

A worm may install a Trojan, or a Trojan may carry a worm or virus. While worms try to operate below the radar, Trojans can be more effective because they attempt to trick the system user instead of the built-in security of the system. Sadly, it seems that humans are easier to fool than computers.

Another infection method that deserves a look is the "Drive-by Download." This happens without the knowledge of the user and occurs by visiting a Web page with malicious code, viewing an infected e-mail or clicking on a deceptive pop-up. The page may have only been open for a few seconds and nothing was installed, but if the code is there, and the browser is vulnerable, the computer can be compromised. You do not even have to visit questionable Web sites to be attacked by a drive-by. In addition to looking for new PCs to infect, hackers probe legitimate corporate and government Web sites scouting for vulnerabilities to try to upload malicious code that will attack PCs that visit those sites.

Closing Words

The global reach of the Internet provides great opportunities. But leaving your network or computer vulnerable to people in faraway places who will cheerfully add your computer to their botnet without caring what damage they may do along the way can have catastrophic consequences. If you do some fairly simple, sensible things, you can be safe.

So enjoy the Internet, but remember the words of President Ronald Reagan — “Trust, but verify.”

Happy Networking!

Long is a retired Air Force communications officer who has written regularly for CHIPS since 1993. He holds a master of science degree in information resources management from the Air Force Institute of Technology. He currently serves as a telecommunications manager in the Department of Homeland Security.

68 CHIPS www.chips.navy.mil Dedicated to Sharing Information - Technology - Experience
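The "Man the Barricades" section says outgoing traffic to sites no one has actually visited may betray infected PCs inside the firewall, and the last malware symptom is a PC talking to the network with no Internet program open. The Python below is an added example, not part of the CHIPS article: it cross-checks a constructed firewall egress log against a constructed proxy log of deliberate browsing, flags destinations nobody browsed to, and notes when those connections recur on a fixed schedule. All addresses, hostnames and timestamps are made up; hostnames ending in .test are placeholders.

```python
"""Flag outbound connections to destinations that no one actually browsed to.
Added example, not from the CHIPS article. Both logs below are constructed
sample data; hostnames ending in .test are placeholders."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "timestamp src_ip dest_host" (user-initiated browsing).
PROXY_LOG = """\
2015-07-12T09:00:01 10.0.0.11 www.chips.navy.mil
2015-07-12T09:03:10 10.0.0.12 www.example.org
2015-07-12T09:10:44 10.0.0.11 updates.vendor.test
"""
# Constructed firewall egress log: "timestamp src_ip dest_host dest_port".
FIREWALL_LOG = """\
2015-07-12T09:00:02 10.0.0.11 www.chips.navy.mil 443
2015-07-12T09:03:11 10.0.0.12 www.example.org 443
2015-07-12T09:05:00 10.0.0.13 report-back.placeholder.test 8080
2015-07-12T09:10:00 10.0.0.13 report-back.placeholder.test 8080
2015-07-12T09:10:45 10.0.0.11 updates.vendor.test 443
2015-07-12T09:15:00 10.0.0.13 report-back.placeholder.test 8080
"""

def parse_log(text, fields):
    """Split whitespace-delimited lines into dicts; the 'ts' field becomes a datetime."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records

def unvisited_destinations(proxy_log, firewall_log):
    """Map (src_ip, dest) -> sorted connection times for outbound connections
    whose destination never appears in anyone's browsing history."""
    visited = {r["dest"] for r in parse_log(proxy_log, ("ts", "src", "dest"))}
    suspects = defaultdict(list)
    for r in parse_log(firewall_log, ("ts", "src", "dest", "port")):
        if r["dest"] not in visited:
            suspects[(r["src"], r["dest"])].append(r["ts"])
    return {key: sorted(times) for key, times in suspects.items()}

def is_periodic(times, tolerance_s=5):
    """True when 3+ connections recur at a near-constant interval: the
    'report back on a schedule' pattern rather than human browsing."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= tolerance_s
```

In the sample data only 10.0.0.13 reaches a host nobody browsed to, and it does so every five minutes; the pairing of "never visited" with "on a timer" is what separates a reporting-back PC from an auto-updater the text mentions, which should announce itself.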