you are searching while the rootkit is running. The only reliable way is to shut down the system and reboot from a CD or write-protected external drive. The rootkit cannot hide itself if it is not running.

The only reliable way to cure a rootkit infection is to re-install the operating system and applications. If you save the data files, scan them until they are sterile to avoid reinfection. Make sure the firewall is on, never surf the Internet in admin mode, and never allow anything to install that needs administrative privileges unless you are very certain of what it will do.

Man the Barricades

Now to No. 9, which is False. If you remember that most zombie attacks appear to originate here in the U.S.A., blocking incoming packets from foreign IP addresses might stop a little over a third of the attacks. But what you really want is control over outgoing packets, particularly those heading to foreign IP addresses. Regardless of where the zombies are located, there is some consensus that the people operating botnets live in countries with lax law enforcement regarding computer crime, and possibly some countries may even encourage these nefarious activities.

While an infected PC might still be getting instructions from a foreign source, it will be far less effective if it cannot report back to its new master. Outgoing traffic, particularly to sites no one has actually visited, might be a sign that there are infected PCs inside the firewall.

No. 10 is False. Computer history is littered with the virtual bodies of early adopters who embraced version 1.0 (or beta versions) of an application, only to find that they had acquired the computer security equivalent of a cardboard flak jacket. Unfortunately, there are people who want the newest, brightest and "bestest" toys right now.
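Returning to the point above about outgoing traffic: the practical check is to compare what leaves the network with what users actually asked for. The following is an added example written for this page, not code from the article or from CHIPS. It runs over two constructed log excerpts (an egress firewall log and a Web proxy log, both in an assumed whitespace-separated format with made-up RFC 5737 test addresses) and flags internal hosts that connect to outside addresses no user visited through the proxy, plus hosts that contact one outside address on a regular clock, the "reporting back to its master" pattern. The internal address range, the log formats and the beacon thresholds are assumptions; the geographic origin of an address is not checked, since the page supplies no geolocation data.

```python
"""Flag internal hosts whose outbound traffic nobody asked for.

Added example, not from the CHIPS article. Log formats, addresses, the
internal range and the thresholds below are all assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress firewall log (assumed format):
#   time  internal-source  destination-ip  destination-port
FIREWALL_LOG = """\
2008-10-01T09:00:00 10.1.2.15 203.0.113.9 80
2008-10-01T09:00:05 10.1.2.15 198.51.100.20 443
2008-10-01T09:01:00 10.1.2.40 192.0.2.77 6667
2008-10-01T09:02:30 10.1.2.15 203.0.113.9 80
2008-10-01T09:06:00 10.1.2.40 192.0.2.77 6667
2008-10-01T09:07:00 10.1.2.22 10.1.5.5 445
2008-10-01T09:11:00 10.1.2.40 192.0.2.77 6667
2008-10-01T09:16:00 10.1.2.40 192.0.2.77 6667
"""

# Constructed proxy log (assumed format): time  user's-host  site-visited
PROXY_LOG = """\
2008-10-01T08:59:58 10.1.2.15 203.0.113.9
2008-10-01T09:00:04 10.1.2.15 198.51.100.20
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed
MIN_BEACON_CONNECTIONS = 4    # assumed: fewer than this is not a pattern
MAX_INTERVAL_JITTER = 0.10    # assumed: stdev/mean of gaps between calls


def is_external(ip):
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text, fields):
    """Split whitespace-separated lines into dicts; 'time' is ISO 8601."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def unvisited_destinations(fw_records, proxy_records):
    """(host, dst) pairs where an external dst was never visited via the proxy."""
    visited = {r["dst"] for r in proxy_records}
    flagged = set()
    for r in fw_records:
        if is_external(r["dst"]) and r["dst"] not in visited:
            flagged.add((r["src"], r["dst"]))
    return sorted(flagged)


def beacons(fw_records):
    """(host, dst, mean_gap_seconds) for connections repeating on a regular clock."""
    by_pair = defaultdict(list)
    for r in fw_records:
        by_pair[(r["src"], r["dst"])].append(r["time"])
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < MIN_BEACON_CONNECTIONS or not is_external(dst):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_INTERVAL_JITTER:
            found.append((src, dst, mean))
    return sorted(found)


def report():
    """Both checks over the constructed logs, as plain lists for inspection."""
    fw = parse_log(FIREWALL_LOG, ["time", "src", "dst", "port"])
    proxy = parse_log(PROXY_LOG, ["time", "src", "dst"])
    return {"unvisited": unvisited_destinations(fw, proxy),
            "beacons": beacons(fw)}


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Run it as a script to print both lists. In practice the proxy log comes from the Web proxy or DNS resolver and the firewall log from the egress firewall's accept and deny records. The beacon check deliberately requires several connections and a low ratio of standard deviation to mean gap, so a host that fetched a page twice is not reported, while one that calls the same outside address every five minutes is.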
Please resist the urge to rush a new system into operation unless there really is no other choice.

Malware Symptoms

How can you tell if your computer has been infected? Here are some typical symptoms:

• You get pop-ups at random when you are not searching the Internet.
• You get a funny video in e-mail and when you double-click on it you get a security warning. When you click OK to let the video run, nothing happens.
• You click on a link in search results and immediately get pop-ups. You close the pages but get error messages.
• Your computer runs slowly and when you check system activity you see unexplained memory, central processing unit, or network bandwidth consumption.
• Your computer is sending or receiving data (indicated by constantly blinking lights on your modem or router) even though you do not have a browser, e-mail or other Internet program open.

Essentially, any time your computer does something that you did not tell it to do, you should be suspicious. Granted, the last example could be some type of auto-update program, but any reputable updater application should issue an alert and ask permission before proceeding.

We looked at Trojan horses earlier, but it also might be useful to look at the differences between viruses, worms and Trojans.

A computer virus is executable code that attaches itself to an executable file and is activated when a user runs the file it is attached to. Viruses range from annoying (displaying a joke message at a set time) to dangerous (damage to your system or files). Because almost all viruses are attached to executable files, they generally cannot infect a computer until a user runs or opens the host file. Please note that a virus cannot be spread without a human action such as running an infected program or e-mailing an infected file.

A computer worm is similar to a virus, with one important difference: it can travel without any help from users. Worms take advantage of the various file and information transport features on computers and networks to travel. Once a worm is active it can send thousands of copies of itself to any target it can find. A common worm tactic is to e-mail itself to everyone in a user's e-mail address book, or just wait until an e-mail is sent. This behavior can also help us detect worms: if they are too active and consume too many system resources, we may notice a loss of memory or an increase in bandwidth consumption.

A worm may install a Trojan, or a Trojan may carry a worm or virus. While worms try to operate below the radar, Trojans can be more effective because they attempt to trick the system user instead of the built-in security of the system. Sadly, it seems that humans are easier to fool than computers.

Another infection method that deserves a look is the "drive-by download." This happens without the knowledge of the user and occurs by visiting a Web page with malicious code, viewing an infected e-mail or clicking on a deceptive pop-up. The page may have been open for only a few seconds and you may have seen nothing being installed, but if the code is there, and the browser is vulnerable, the computer can be compromised.

You do not even have to visit questionable Web sites to be attacked by a drive-by. In addition to looking for new PCs to infect, hackers probe legitimate corporate and government Web sites, scouting for vulnerabilities that let them upload malicious code that will attack PCs that visit those sites.

Closing Words

The global reach of the Internet provides great opportunities. But leaving your network or computer vulnerable to people in faraway places who will cheerfully add your computer to their botnet, without caring what damage they may do along the way, can have catastrophic consequences. If you do some fairly simple, sensible things, you can stay safe.

So enjoy the Internet, but remember the words of President Ronald Reagan: "Trust, but verify."

Happy Networking!

Long is a retired Air Force communications officer who has written regularly for CHIPS since 1993. He holds a master of science degree in information resources management from the Air Force Institute of Technology. He currently serves as a telecommunications manager in the Department of Homeland Security.

68 CHIPS www.chips.navy.mil Dedicated to Sharing Information - Technology - Experience
Enterprise Software Agreements Listed Below

The Enterprise Software Initiative (ESI) is a Department of Defense (DoD) initiative to streamline the acquisition process and provide best-priced, standards-compliant information technology (IT). The ESI is a business discipline used to coordinate multiple IT investments and leverage the buying power of the government for commercial IT products and services. By consolidating IT requirements and negotiating Enterprise Agreements with software vendors, the DoD realizes significant Total Cost of Ownership (TCO) savings in IT acquisition and maintenance. The goal is to develop and implement a process to identify, acquire, distribute and manage IT from the enterprise level.

Additionally, the ESI was incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) Section 208.74 on Oct. 25, 2002, and DoD Instruction 5000.2 in May 2003.

Unless otherwise stated, authorized ESI users include all DoD components and their employees, including Reserve component (Guard and Reserve) and the U.S. Coast Guard mobilized or attached to DoD; other government employees assigned to and working with DoD; nonappropriated funds instrumentalities such as NAFI employees; Intelligence Community (IC) covered organizations, to include all DoD Intel System member organizations and employees, but not the CIA nor other IC employees unless they are assigned to and working with DoD organizations; DoD contractors authorized in accordance with the FAR; and authorized Foreign Military Sales.

For more information on the ESI or to obtain product information, visit the ESI Web site at http://www.esi.mil/.

Software Categories for ESI:

Asset Discovery Tools

Belarc
Belmanage Asset Management - Provides software, maintenance and services.
Contractor: Belarc Inc. (W91QUZ-07-A-0005)
Authorized Users: This BPA is open for ordering by all Department of Defense (DoD) components and authorized contractors.
Ordering Expires: 30 Sep 11
Web Link: https://ascp.monmouth.army.mil/scp/contracts/viewcontract.jsp?cNum=W91QUZ-07-A-0005

BMC
Remedy Asset Management - Provides software, maintenance and services.
Contractor: BMC Software Inc. (W91QUZ-07-A-0006)
Authorized Users: This BPA is open for ordering by all Department of Defense (DoD) components and authorized contractors.
Ordering Expires: 29 May 09
Web Link: https://ascp.monmouth.army.mil/scp/contracts/viewcontract.jsp?cNum=W91QUZ-07-A-0006

Carahsoft
Opsware Asset Management - Provides software, maintenance and services.
Contractor: Carahsoft Inc. (W91QUZ-07-A-0004)
Authorized Users: This BPA is open for ordering by all Department of Defense (DoD) components and authorized contractors.
Ordering Expires: 19 Nov 09
Web Link: https://ascp.monmouth.army.mil/scp/contracts/viewcontract.jsp?cNum=W91QUZ-07-A-0004

DLT
BDNA Asset Management - Provides asset management software, maintenance and services.
Contractor: DLT Solutions Inc. (W91QUZ-07-A-0002)
Authorized Users: This BPA has been designated as a GSA SmartBUY and is open for ordering by all Department of Defense (DoD) components, authorized contractors and all federal agencies.
Ordering Expires: 01 Apr 13
Web Link: https://ascp.monmouth.army.mil/scp/contracts/viewcontract.jsp?cNum=W91QUZ-07-A-0002

Patriot
BigFix Asset Management - Provides software, maintenance and services.
Contractor: Patriot Technologies Inc. (W91QUZ-07-A-0003)
Authorized Users: This BPA has been designated as a GSA SmartBUY and is open for ordering by all Department of Defense (DoD) components, authorized contractors and all federal agencies.
Ordering Expires: 08 Sep 12
Web Link: https://ascp.monmouth.army.mil/scp/contracts/viewcontract.jsp?cNum=W91QUZ-07-A-0003

Business and Modeling Tools

BPWin/ERWin
BPWin/ERWin - Provides products, upgrades and warranty for ERWin, a data modeling solution that creates and maintains databases, data warehouses and enterprise data resource models. It also provides BPWin, a modeling tool used to analyze, document and improve complex business processes.
Contractor: Computer Associates International, Inc. (W91QUZ-04-A-0002)
Ordering Expires: Upon depletion of Army Small Computer Program (ASCP) inventory
Web Link: https://ascp.monmouth.army.mil/scp/contracts/compactview.jsp

Business Intelligence

Business Objects
Business Objects - Provides software licenses and support for Business Objects, Crystal Reports, Crystal Enterprise and training and professional services. Volume discounts range from 5 to 20 percent for purchases of software licenses under a single delivery order.
Contractor: EC America, Inc. (SP4700-05-A-0003)
Ordering Expires: 04 May 10
Web Link: http://www.gsaweblink.com/esi-dod/boa/

CHIPS October – December 2008 69