Directory of Burlington Vermont
BURLINGTON WEB MAGAZINE ATTACKED
Burlington Web Magazine is
Burlington Web Magazine’s main computer is in the process of recovering from either a virus or a hack; we don’t know which. While I was reading the email Saturday night, the computer suddenly started sounding and acting funny. To fix this, I decided to shut down Windows and then shut down the computer. After about 20 seconds, I turned the computer back on. The computer started to boot up normally and then displayed a message to the effect of “file c:/windows/win.com not found.” Since we have a dual-boot computer, I turned the computer back off and changed the removable IDE drive to a bootable one. Then I turned on the computer and asked the CMOS to boot from the IDE drive instead of the SCSI drive.
After the computer booted up, I found several files and directories within my c:/windows/ directory had been deleted, and several directories had the same invalid file name. I don’t know if this is the job of a virus, an email bomb, or a hacker who got in through the Internet. I had Norton AntiVirus 2001 running in full protection mode (including email) for viruses and Zone Alarm Pro for keeping out hackers, and I still got zapped.
Security Measures
Norton AntiVirus has set up my email program (Outlook Express) to use their server as a middleman for downloading the email. That means Outlook Express will request the email from pop3.norton.antivirus, passing along the intended source of the email, the user-id, and the password. The email is then downloaded to Symantec’s computer and checked for viruses and email bombs there. When it has been confirmed not to have any viruses, it is forwarded to my Outlook Express. This is all in real time. So I definitely didn’t expect to have any email bombs or downloaded viruses.
Zone Alarm Pro is set up in high security mode to watch for any incoming traffic that is not from a requested source, and it automatically blocks such requests. It also makes sure that the only programs sending Internet traffic out of the computer onto the Internet are programs that I have given permission to do so, like Microsoft Internet Explorer and Outlook Express. Any other Internet requests are held off while Zone Alarm asks the operator whether it is okay for the program to send information out over the Internet. This prevents any malicious programs from sending personal information onto the Internet without my permission. So, no one should be able to hack into my computer or get personal information from my computer without my consent.
The Unthinkable
Imagine my surprise when I realized that I had just been attacked. I stared in astonishment as I realized someone somehow managed to get in and trash my operating system anyway. But how? And what was the damage?
As I surveyed the hard drive, I thought about the “From The Prez” article in the Champlain Valley Personal Computer Users’ Group March Newsletter, and how Steve informed us about the new viruses coming out with the ability to avoid detection by morphing themselves, so that it is hard to create a signature to match them against. Zmist is a little bit of everything: it is an entry-point-obscuring virus that is metamorphic. Moreover, the virus randomly uses an additional polymorphic decryptor. And there is a new virus out that can attach itself to both .COM and .EXE files.
Well, the damage is bad enough. The only serious thing hit is the mail. All the email sent in or out from the last time I backed up in mid-February until March 31st is gone. So, if you sent anything you wanted me to put in the web magazine and it isn’t in the web magazine, you need to send it again, as that is one of the directories hit.
Security Holes - e-mail
When I told Steve what happened, he suggested, “Maybe you’ve been hacked.” As I assessed the damage and reviewed procedures, I realized that there were times when I went to retrieve email and found Symantec’s email server was down. Feeling the need to check my email, or needing some piece of information that I was expecting, I would manually change my email program to get my email directly from my server. After all, I have Norton AntiVirus running on my computer in full protection mode, don’t I? (In fact, sometimes I think I see a difference in performance speed.) Down would come a flood of email. Then I would set it back to going through Symantec’s computer. After all, I want any extra measures of security I can get. Now that wasn’t so bad, was it?
Microsoft will not do anything to let Symantec create an anti-virus plug-in for Outlook Express. Symantec made its Norton AntiVirus program so it will plug an anti-virus filter into Netscape Communicator (its email program), but Symantec has not been able to get Microsoft to release any information that would allow Symantec to make a Norton AntiVirus plug-in for Outlook Express. Symantec finally came up with another solution. Symantec has figured out a way to get Outlook Express to look for your e-mail on Symantec’s server, passing along the Internet address of your email service provider, your userid, and your password. There is only one catch. When Symantec’s email checking server is down or overloaded, you can’t get your email. And, what I’m just now realizing: if you go around their server, you are really turning off your protection. Oops.
Trojan Horses
In yesterday’s Burlington Free Press (a local Gannett editorial rag) was the weekly computer and electronics section, which has some good articles and stories about computers. Yesterday’s edition had an article about methods of protecting yourself from hackers and viruses. The author mentions how innocent-looking programs can really be Trojan horses in disguise. The program can appear to do something cute or even useful, while also searching your system for useful information and sending that information back to the writer. These programs may be secretly watching for and sending personal information, like name, address, phone numbers, banking information, and credit card numbers. These programs can also simply act as an open doorway that a wandering hacker can look for. When the hacker finds a computer hooked up to the Internet that is currently running his program, he hooks up to the Trojan horse on that computer and starts issuing requests. These programs make it easy to delete files and trash a person’s directories. In theory, my ZoneAlarm Pro should stop any programs from sending out any personal information without permission or from giving a hacker access to my hard drive, right? Maybe, maybe not.
ZoneAlarm is designed to stop any program from communicating with the Internet without my permission. What if the program is designed to give you weather reports from weather information that is already on the web and display them on your desktop? In order to work, the program has to have access to the Internet. It has to be able to send and receive information. Since I’m expecting the program to go out and get me weather information, I’m going to authorize this program to go get that information, right? So, who is to say this program isn’t also sending personal information? Could this program also act as an open door for a hacker? What is to stop that program from planting a second program that runs in the background? The second program could be the hacker’s door. How many of us really know what all these background programs do? Once installed and running, the original program could probably be deleted and you might not even realize you are still open for attack and invasion of privacy.
How many background programs do you think you have running right now? You might be inclined to look at your task bar, count up the number of icons, and say, “I have six programs running right now.” Really? I have six icons showing. I also have 18 programs currently running! How do I know? While holding down the [CTRL] key, I pressed and held down the [ALT] key, and pressed the [DELETE] key. Yes, the old reboot sequence brings up the “Close Program” window in Microsoft Windows. You’ll find programs running that you didn’t even know about. To the novice, this is useless information. To an experienced computer user like myself, it is often incomplete information. After all, how do I know whether hposts07 is really a program for my Hewlett Packard OfficeJet G85? (I believe it is, because not much has been installed on this computer yet.) I assume it is; but can I be sure? If a hacker could design a database that looked at this list and could guess what kind of printer I had, what would stop it from running a spy or hacking program called hpiris07? Since my Hewlett Packard software includes a program called Read Iris, how would I know whether hpiris07 is really part of my Read Iris program, a virus, or a hacker’s back door?
Remember that unestablished weather program that is being called “New”? The author could design the program to display its cover page, look into my system, find out I have a Hewlett Packard printer, install HPIRIS07, and start up this virus program. My ZoneAlarm Pro would ask me if I want to let the program have access to the Internet and I would probably say yes, because I would figure it is the weather program looking for weather information, which would be on the Internet. Of course, when the weather program itself actually looked for weather information, I would get the same question again. How many times have I clicked on “yes” a second time? It has happened so many times on legitimate programs, like WS-PRO and Norton AntiVirus, that I no longer even question it. I automatically click on yes a second time. So now HPIRIS07 will run without any hindrance from me or my firewall. After all, I gave it permission, right?
So, I decide I don’t like this weather program and uninstall it. If the author is smart, he put this spyware/hacker program somewhere else on the hard drive, and it continues to run long after that stupid weather program is gone. I tried out this stupid weather program recently called Weather Bug. I didn’t like it. I wondered if the program was really for reporting weather or something else. I dumped it. After I dumped the weather program, I was no longer exposed, right?
Firewalls
Let’s talk about software firewalls. They seem good up to a point. I have ZoneAlarm Pro, which I feel is the best one out there. So I’m safe, right? Most of the firewall programs have been found to be easy to get around, even with Norton Internet Security. All a virus or Trojan horse writer has to do is name their program the same thing as any program on the hard drive that already has access, and most firewalls will let the Trojan horse right through, even though this same-name program resides in a different directory. So, any good Trojan horse writer is going to be able to name their Trojan horse program IEXPLORER.EXE and stick it anywhere on the hard drive other than where the real Internet Explorer goes. Then most firewalls will gladly let the hacker right in. But my ZoneAlarm Pro has already fixed potential problems like that. So, I’m safe, right?
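The two weaknesses above come down to the same thing: a file name is not an identity. A firewall rule keyed on “iexplore.exe” admits any file with that name wherever it lives, and a Close Program entry such as hposts07 or hpiris07 tells you nothing about whether the image on disk is the vendor’s. The following is an added example, not code from the article or from any of the products it names, showing the weak name-only rule beside a rule bound to the file’s full path and SHA-256, and a small audit of a process list that flags images that are not on an approved list, have changed since approval, or carry a vendor-looking name prefix while living outside that vendor’s install directory. Every file, path and process is constructed in a temporary directory; the only real fact used is that Internet Explorer’s executable is iexplore.exe under Program Files\Internet Explorer.

```python
"""Added example (not the article's own code): identifying a program by name
alone versus by the exact file it runs from. All files, paths and processes
below are constructed in a temporary directory for the demonstration."""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str    # what the task list shows, e.g. "iexplore.exe"
    path: str    # full path of the image that is actually running
    sha256: str  # hash of that image's bytes


def sha256_of_file(path: str) -> str:
    """Hash the file in chunks so a large executable need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def process_from_file(path: str) -> Process:
    """Build the record a process monitor would hold for an image on disk."""
    return Process(os.path.basename(path).lower(),
                   os.path.normcase(os.path.abspath(path)),
                   sha256_of_file(path))


def allowed_by_name(allowed_names: set[str], proc: Process) -> bool:
    """The weak rule: anything called iexplore.exe gets Internet access."""
    return proc.name in allowed_names


def allowed_by_path_and_hash(approved: dict[str, str], proc: Process) -> bool:
    """The hardened rule: the running image must be the exact file (location
    and contents) that was approved, so a same-name copy elsewhere fails."""
    expected = approved.get(proc.path)
    return expected is not None and expected == proc.sha256


def _under(directory: str, path: str) -> bool:
    directory = os.path.normcase(os.path.abspath(directory))
    return os.path.commonpath([directory, path]) == directory


def audit_processes(running: list[Process], approved: dict[str, str],
                    vendor_dirs: dict[str, str]) -> list[tuple[Process, str]]:
    """Return (process, reason) for each running image that cannot be vouched
    for. vendor_dirs maps a name prefix such as "hp" to the directory that
    vendor installs into, the hposts07 / hpiris07 question from the article."""
    flagged = []
    for proc in running:
        expected = approved.get(proc.path)
        if expected is None:
            flagged.append((proc, "image not in the approved list"))
        elif expected != proc.sha256:
            flagged.append((proc, "image changed since it was approved"))
        for prefix, vdir in vendor_dirs.items():
            if proc.name.startswith(prefix) and not _under(vdir, proc.path):
                flagged.append((proc, f"'{prefix}'-style name but not installed in the vendor directory"))
    return flagged


def demo() -> dict:
    """Lay out a constructed disk, then run both rules and the audit over it."""
    with tempfile.TemporaryDirectory() as root:
        def make(rel: str, body: bytes) -> str:
            p = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(body)
            return p

        real_ie = make("Program Files/Internet Explorer/iexplore.exe", b"MZ real browser (constructed)")
        fake_ie = make("Temp/iexplore.exe", b"MZ trojan using the browser's name (constructed)")
        hp_tool = make("Program Files/HP/hposts07.exe", b"MZ printer status tool (constructed)")
        fake_hp = make("Windows/System/hpiris07.exe", b"MZ back door with an HP-looking name (constructed)")

        # The approved list is recorded at install time, before anything untrusted ran.
        approved = {process_from_file(p).path: sha256_of_file(p) for p in (real_ie, hp_tool)}
        running = [process_from_file(p) for p in (real_ie, fake_ie, hp_tool, fake_hp)]
        impostor = process_from_file(fake_ie)
        flagged = audit_processes(running, approved, {"hp": os.path.join(root, "Program Files", "HP")})
        return {
            "name_only_admits_impostor": allowed_by_name({"iexplore.exe"}, impostor),
            "path_hash_admits_impostor": allowed_by_path_and_hash(approved, impostor),
            "path_hash_admits_real_browser": allowed_by_path_and_hash(approved, process_from_file(real_ie)),
            "flagged": sorted(f"{p.name}: {why}" for p, why in flagged),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The name-only rule lets the copy in Temp through; the path-and-hash rule lets only the browser in its install directory through, and it also catches the case the article worries about later, a legitimate file that has been replaced or patched in place. The audit flags hpiris07 twice (unknown image, and an “hp” name outside the HP directory) while leaving hposts07 alone, which is the check the Close Program window cannot do for you.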
When I started my piece on firewalls, my firewall wasn’t detecting any traffic. So, no one has tried to do anything. In fact, I hadn’t seen a single blip on my firewall graph icon that is located in the task bar. Knowing my cable modem is blipping away, I decided to click on the “stop” button and see what happens. Clicking on the stop button stops all Internet access immediately. I then opened up access and started checking the “alerts” generated from denied incoming and outgoing Internet traffic. Among the blocked traffic that my Zone Alarm registered during the last several minutes were 12 probes from the University of Southern California and 64 from an unknown address (no return address sent). Now, is it just a coincidence that somebody from California didn’t start probing until moments ago? Or did my ZoneAlarm just see this Internet traffic as routine traffic? And, even if it was routine traffic, why didn’t I see any blips?
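Reading the alert list by eye is how the “12 from one place, 64 with no return address” counts above were arrived at; the same question is easier to answer, and to answer repeatedly, with a few lines that group blocked inbound alerts by source. The following is an added example and not the article’s or ZoneAlarm’s own code. Its log lines are constructed for the example in a comma-separated FWIN/FWOUT layout modelled loosely on what ZoneAlarm of that era wrote; the exact field order is an assumption, an empty source field stands in for the firewall’s “no return address” case, and the addresses are RFC 5737 documentation ranges rather than real probers.

```python
"""Added example (not the article's own code): grouping a personal firewall's
blocked-inbound alerts by source so probes and port sweeps stand out."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample log (field order is an assumption). An empty source
# field stands for the "no return address" case the firewall reported.
SAMPLE_LOG = """\
FWIN,2001/03/31,22:15:04 -5:00 GMT,203.0.113.7:3456,192.0.2.10:139,TCP (flags:S)
FWIN,2001/03/31,22:15:05 -5:00 GMT,203.0.113.7:3457,192.0.2.10:21,TCP (flags:S)
FWIN,2001/03/31,22:15:05 -5:00 GMT,203.0.113.7:3458,192.0.2.10:23,TCP (flags:S)
FWIN,2001/03/31,22:15:06 -5:00 GMT,203.0.113.7:3459,192.0.2.10:80,TCP (flags:S)
FWIN,2001/03/31,22:15:09 -5:00 GMT,,192.0.2.10:137,UDP
FWIN,2001/03/31,22:15:12 -5:00 GMT,,192.0.2.10:137,UDP
FWOUT,2001/03/31,22:15:15 -5:00 GMT,192.0.2.10:1042,198.51.100.9:110,TCP (flags:S)
this line is not an alert at all
FWIN,2001/03/31,22:16:01 -5:00 GMT,198.51.100.200:4000,192.0.2.10:139,TCP (flags:S)
"""

NO_SOURCE = "(no return address)"


@dataclass
class Alert:
    direction: str   # "FWIN" (blocked inbound) or "FWOUT" (blocked outbound)
    when: str
    src_host: str
    dst_port: int
    proto: str


@dataclass
class SourceSummary:
    src_host: str
    hits: int = 0
    dst_ports: set[int] = field(default_factory=set)
    first: str = ""
    last: str = ""


def parse_alert(line: str) -> Alert | None:
    """Parse one log line; return None for anything that is not an alert."""
    parts = line.strip().split(",")
    if len(parts) != 6 or parts[0] not in ("FWIN", "FWOUT"):
        return None
    direction, date, time, src, dst, proto = parts
    host, _, _src_port = src.rpartition(":")
    _, _, dport = dst.rpartition(":")
    if not dport.isdigit():
        return None
    return Alert(direction, f"{date} {time}", host or NO_SOURCE, int(dport), proto)


def summarize_inbound(log_text: str, min_hits: int = 10, min_ports: int = 3):
    """Group blocked inbound alerts by source address.

    Returns (summaries sorted by hit count, set of flagged sources, number of
    skipped lines). A source is flagged when it hammers the host (>= min_hits)
    or walks several different ports (>= min_ports), which is what a port
    sweep looks like even at low volume.
    """
    by_src: dict[str, SourceSummary] = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        if alert.direction != "FWIN":
            continue  # blocked outbound is a different question: which program?
        s = by_src.setdefault(alert.src_host, SourceSummary(alert.src_host, first=alert.when))
        s.hits += 1
        s.dst_ports.add(alert.dst_port)
        s.last = alert.when
    summaries = sorted(by_src.values(), key=lambda s: (-s.hits, s.src_host))
    flagged = {s.src_host for s in summaries
               if s.hits >= min_hits or len(s.dst_ports) >= min_ports}
    return summaries, flagged, skipped


if __name__ == "__main__":
    summaries, flagged, skipped = summarize_inbound(SAMPLE_LOG)
    for s in summaries:
        mark = "!!" if s.src_host in flagged else "  "
        print(f"{mark} {s.src_host:22} hits={s.hits:3} ports={sorted(s.dst_ports)} {s.first} .. {s.last}")
    print(f"skipped {skipped} non-alert line(s)")
```

On the sample, 203.0.113.7 is flagged after only four hits because it touched four different ports in two seconds, while the two unattributed UDP packets to port 137 (NetBIOS name service, the usual background noise on a cable segment) are counted but not flagged. Whether the real traffic seen above was a scan or routine noise is exactly the distinction the per-source port list makes visible.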
Precautions?
Next time I’ll lay out some precautions you can take to patch some of these holes.
Quite simply, I need to set up a system so the computer doesn't come down again. I'm thinking about several things, including the notion of having a separate IDE drive for Windows and programs that would be used for normal boot-up. Then maybe having a second IDE drive for playing on the web and downloading programs I try out. But that will have to be another week. The first week of every month is always committed to working on the Champlain Valley P.C. Users’ Group web site.