PC Security for WICEN Members

On March 15th 2004, after receiving a number of reports from WICEN members of virus messages that apparently came from other WICEN members, I sent a message to the WICEN email list outlining how the more recent viruses operated. In this article I'll expand on the virus scanner & mailer information I included in that message, summarise the responses I got to the quick anti virus survey I conducted, and pass on some tips for recognising virus messages. After a quick look at firewalls I'll explain the measures WICEN has taken to protect members from spam, and finally discuss spyware and operating system configuration before concluding.

Here's the message I sent on March 15th:

From: "Mark A. Dods" <madods1@optusnet.com.au>
To: WICEN email list <sc@vic.wicen.org.au>
Date: Mon, 15 Mar 2004 09:24:31 +1100
Subject: WICEN SC: Recent Virus Messages

WICEN Members,

As I'm sure you know, for some time virus writers have used the address books on infected systems as a source of email addresses to spread the virus to. More recent viruses also use addresses selected randomly from the address book to forge the FROM address in the message rather than using the address of the infected machine.

This means that if you get a virus message the chances are that it DID NOT come from the address in the FROM field!

The viruses target Microsoft Outlook address books in particular as a source of email addresses.

Unfortunately, it seems that a WICEN member using Microsoft Outlook and with a number of WICEN member email addresses in their address book has been infected by such a virus. To minimise the problems caused by this, can I ask you to do the following:

1. Make sure your anti-virus software is up to date

2. Manually initiate a check of your PC by the virus checker

3. Ignore any virus messages you receive: Just delete them. (Fortunately the messages are not large, just annoying)

4. If you are using Microsoft Outlook (or Outlook Express) please consider changing to some other email package. Eudora & Pegasus Mail are both capable email packages, and both are free.

If you would like clarification of anything above, please contact me.

What I really want to avoid is an unproductive round of finger pointing and blame allocation.

Regards,

---
Mark A. Dods, VK3XMU, secretary@vic.wicen.org.au
WICEN (Vic.) Inc. State Secretary.
WICEN (Vic.) Inc. Website: http://www.vic.wicen.org.au

Top of page

Virus Scanners

Of course, all this assumes you have anti virus software installed. If you connect to the internet then viruses are just a fact of life, and a virus scanner is therefore a necessity. Thanks to those people who responded to my anti-virus survey by email, I can give you some stats on which anti-virus packages are popular with WICEN members.

Although some members reported selecting their anti-virus software on user interface or reputation, unsurprisingly, the overwhemling majority seemed to base their choice on price. Many used commercial packages supplied by their employers on their home machines which were therefore effectively free. Others used free or evaluation versions of commercial software, and some used free online virus scanners. Of those who purchased commercial software, price again influenced the selection.

I should say at this point that I use Vet from Computer Associates, and have done since the original author (Roger Riordan) wrote the first version to clean up his PCs at Chisholm Institute infected with the first DOS viruses. I've stuck with it as it was a local product with responsive support and of world class quality. Its now owned by the Computer Associates company.

Top of page
For those interested in the raw figures, here is the number of survey respondents using each anti-virus package:

PackageUsersLicensingWebsiteNotes
Norton Antivirus16Commercial & Trial http://www.symantec.com.au Norton Internet Security includes this, Norton Personal Firewall & other security packages
Vet Anti Virus14Commercial http://www.vet.com.au See declaration of bias above!
McAffee VirusScan6Commercial http://www.macaffee.com/ Also supply a personal firewall
AVG3Free, Trial & Commercial http://www.grisoft.com Also supply Kerio Personal Firewall
EZ Anti Virus3Commerical & Trial http://www.my-etrust.com/ Computer Associates product based on Vet virus scanner. Also supply EZ Firewall
Sophos2Commercial & Trial http://www.sophos.com.au/ Huge range of platforms: Windows, Mac, Linux, DOS, OS2, Netware, FreeBSD, SCO Unix, Solaris . . .
Trendmicro Housecall1Free http://housecall.trendmicro.com/ Online scanner. Not installed on local PC. Consumes no resources when not running. Check only, not constantly monitoring.
F-Prot Antivirus1Free & Commerical http://www.f-prot.com/ Supports Linux, BSD & DOS as well as Windows

One user supplied a good tip: As each product will have strengths & weaknesses, if you run two, the second should pick up anything the first misses.

A good feature of Norton Antivirus, Vet Anti Virus & McAffee VirusScan is that they monitor the incoming POP3 stream when your messages are being downloaded. This allows them to detect viruses before they even get written to your hard disk. Other products may do this also, check their web pages.

Top of page
However, despite all your best efforts, a virus message may slip through your defenses. Here are some suggestions to avoid activating the attached virus:

  1. Look at the sender. Do you know them? Are you expecting a file from them? If not, is the attached file adequately explained in the body of the message? Does the subject make sense coming from that person?
  2. If you're at all suspicious, don't launch attachments directly from your mailer. Save them to your hard drive, then open them from within the appropriate application. Don't double click on them.
  3. Be highly suspicious of attachments with two extensions EG myfile.doc.pif or yourfile.xls.scr

Top of page

Mailers

I mentioned in my email that it is worth considering using an email program other than Microsoft Outlook or Outlook Express as these programs are specificaly targeted by virus writers due to their popularity and have features that make them vulnerable. As I mentioned, two popular free alternatives are Eudora at http://www.eudora.com and Pegasus Mail at http://www.pmail.com It is possible to export your address books from Outlook and convert them for import into either Eudora or PMail.

Top of page

Firewalls

With the current prevalence of email based viruses, it is sometimes forgotten that viruses can arrive at your PC in other ways. In the DOS days, most viruses were transferred in the boot sectors of floppy disks. This type of virus is rarer now, but PCs with internet connections can be communicated with other than by email. The Blaster virus that wrought havock last year is an example of this. To protect your PC from viruses like the Blaster virus and from hacking attempts you need a firewall.

Traditionally firewalls are highly secure computers set up between a network and the Internet to protect the whole network from attack. In recent times, 'Personal' firewalls running on and protecting a single PC have become popular. You'll note that many of the anti-virus suppliers in the table above also supply personal firewalls. Several survey respondents reported using such firewalls and one uses a commecrial package called Black Ice Firewall (web site at http://blackice.iss.net/). Another user recommended the free ZoneAlarm firewall available at http://www.zonelabs.com/

Microsoft have had some bad press lately due to the raft of security patches they have had to issue. However this at least indicates they are reacting to the discovery of flaws in their software. Windows XP has its own personal firewall, but it may be worth using another instead or as well.

One personal firewall I've had some experience with is Sygate Personal Firewall (SPF) which is freely available at http://soho.sygate.com/ Once installed, SPF allows no traffic in or out of your PC. Instead, each time there is an attempt to communicate, a dialogue box pops up saying which program is trying to communicate with what Internet service. You can then 'train' SPF to remember whether to allow that type of communication or not. Sounds complicated? Not really. Once you've surfed the web and sent & received email once, SPF will hardly bother you again unless you get attacked.

Those with or wanting to set up home networks to share an Internet connection might like to check out Smoothwall Express at http://www.smoothwall.org/ Smoothwall Express is a free Linux distribution that can be installed on an old PC which will then act as a firewall between the Internet and your network. Don't Panic! Smoothwall can be installed & configured without a Linux tech-head. (Using old ISA network cards requires a bit more knowledge however.) Smoothwall works particularly well if you have an 'always on' Internet connection like Optus Cable or an ADSL connection, but I've also configured it for use with a modem connection as its Internet link.

Top of page

Spam

Unsolicited junk emails are known as 'Spam'. Spammers trawl through web pages in much the same way as search engines looking for email addresses to add to their lists. Email lists are a particular find for spammers: they can send their spam to one address and have it end up in dozens if not hundreds of mailboxes. WICEN's email lists are protected from spam by requiring any message that is resent to all the list members to come from a list member. Also, one of the reasons the email archive is password protected is to prevent spammers harvesting valid email addresses from it.

Some spam comes with instructions on how to remove yourself from the spammer's list at the bottom. Following these instructions is generally futile as it just confirms to the spammer that your's is a valid mailbox that gets read regularly.

The best way to deal with spam without having a coronary is to just delete it. However there is technological help for that available. The well known MailWasher software scores emails based on them containing certain words or phrases. It then suggests whether to delete, bounce (return to sender) or download each message. The user can override MailWasher's suggestions at this point. Email marked for downloading is then downloaded to your mailer normally. MailWasher is available at http://www.mailwasher.net/

Top of page

Spyware

Spyware is software that uses the capabilities of your web browser to track and report your web surfing habits. In extreme cases, spyware can force you to a particular web site when you ask for another. EG When you ask for a company's web site, spyware might force your browser to retrieve a competitor's web site instead. Adaware is the pre-eminent software for detecting and removing spyware. A free version is available at http://www.lavasoftusa.com/

Top of page

Operating System Configuration

As I mentioned earlier, Microsoft have recently issued many patches in response to the discovery of flaws in the various versions of Windows. The easiest way to keep your system up to date is to enable the auto update facility.

The Windows networking configuration can also reduce the security of your system. You should only make resources on your PC available to others if there is some reason for doing so. This means don't run the personal web server unless you actually want your machine to serve web pages to others. Have a look though your hard disk directory structure with Explorer. If you see any drives or directories marked with a cupped hand like so: (drive) or (directory) then those drives or directories are being "shared" or made available to other computers via the networking system. To unshare them:

  1. Right click on the directory or drive icon and click Properties.
  2. Click on the Sharing tab
  3. Click on the Not Shared option
  4. Click OK
The cupped hand should then be removed from the drive or directory. If you do want to share part of your hard drive, NEVER share the whole of Drive C:! I wouldn't recommend sharing the "program files" directory or the windows system directory ("windows" on Windows 95 and its sucessors, "winnt" on Windows NT and sucessors).

Top of page

Conclusion

Of course all this extra software places a load on your PC. There's no point in having a PC that's so well protected that its too slow to use. If you don't want to run all these utilities (and I don't), I'd prioritise them in this order (most important first):
  1. Virus scanner
  2. Firewall
  3. Spyware software
  4. Spam software

If you're going to share your internet connection, you can save some load on your PC by handing the firewall function off to a commerical firewall/router or a Smoothwall firewall or similar. As I still have a relatively slow PC, I'm running Vet on the PC itself, and Smoothwall on an old Pentium 133 which shares my Internet connection to my network stations. I have Adaware standing by to check for spyware, and I deal with the spam manually.

Although there is some excellent commerical software available to secure your PC, as you can see, there is free or evaluation software available to protect it adequately also. Please do it! If you need help, ask. Send a message to the WICEN email list sc@vic.wicen.org.au outlining your problem, and someone who runs that software is bound to see it. Securing your PC is analagous to public health measures. The more people who are protected, the harder it is for anyone to be infected, and the less rewarding it is to mount an attack. Eventually, if a large majority of PCs are protected, the effort required to mount a spam, virus, or spyware attack will not be worth the returns.

Mark A. Dods, VK3XMU madods@optusnet.com.au 16-03-2004
with contributions from Peter Wesltey VK3DXD vk3dxd@wia.org.au