Friday, November 9, 2007

Five Simple Rules of Client Security Proved in Practice

Several days ago I helped a friend of mine install Windows XP Professional on his home computer. I did a default installation of XP SP2 and created two users with default options, so both accounts were created with administrator rights.

After that he signed a contract with a local Internet provider and went online. My friend was thrilled with the Internet to the depths of his soul; he was very happy to be able to visit web sites from home.

But two days later he phoned me complaining that his new computer had become very slow and that he was seeing a lot of prompts from Kaspersky AV telling him his computer was infected with malware. I should mention that he had the 30-day evaluation version of Kaspersky with an outdated virus database.

I downloaded the latest CureIT and went to my friend’s place. But when I arrived I found that every attempt to log on to Windows ended immediately with a logoff. I found a number of articles about malware that changes the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey and decided that this was the problem. So I made a BartPE CD and booted from it. I found that C:\Windows\System32\Userinit.exe was simply absent, and I copied it from the I386 directory of the XP installation CD. After that I decided to look at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I loaded the offline registry and found two suspicious programs that started from C:\Windows\system32 and C:\Windows\Temp. Unfortunately I don’t remember their exact names, but I was assured that they could be deleted safely. Finally, I ran CureIT against the whole C: drive. Remember, it was a three-day-old XP SP2 installation, so C: didn’t contain much data. It ended with more than 50 different pieces of malware found, mainly Trojans. I know that some malware blocks AV updates by editing the C:\WINDOWS\system32\drivers\etc\hosts file, so I decided to check that too. Well, I wasn’t mistaken: I commented out 35 rows pointing at well-known update services, including Microsoft Windows Update, Symantec LiveUpdate, etc.
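Two of the checks above were done by hand: the hosts file for entries that silently redirect update services, and the Winlogon Userinit value. As an added example (not part of the original post), here is a small Python script that automates those checks over hosts-file text and a registry value read elsewhere; the list of protected domains and the sample hosts content are constructed assumptions, and the expected Userinit value is the XP default.

```python
# Update/AV domains commonly blocked by hosts-file hijacks. Assumed list,
# built from the vendors the post names; extend it for your own environment.
PROTECTED_HOSTS = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "liveupdate.symantec.com",
    "kaspersky.com",
)

# Default Winlogon\Userinit value on a clean XP install (trailing comma included).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

def active_entries(hosts_text):
    """Yield (ip, hostname) for every uncommented mapping in a hosts file."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def is_protected(name):
    """True for a protected domain or any subdomain of one."""
    return any(name == h or name.endswith("." + h) for h in PROTECTED_HOSTS)

def find_hijacked(hosts_text):
    """Return (ip, hostname) pairs that redirect update or AV traffic."""
    return [(ip, n) for ip, n in active_entries(hosts_text) if is_protected(n)]

def comment_out_hijacks(hosts_text):
    """Neutralise hijacked lines by commenting them out, keeping the evidence."""
    out = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        hijacked = any(is_protected(n.lower()) for n in fields[1:])
        out.append("# " + line if hijacked else line)
    return "\n".join(out)

def userinit_tampered(value):
    """True when the Winlogon Userinit value differs from the XP default."""
    return value.strip().lower() != EXPECTED_USERINIT.lower()

# Constructed sample: one legitimate mapping plus two hijacked update hosts.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       liveupdate.symantec.com   # added by malware
10.0.0.5        intranet.example.local
"""
```

On a live system, feed the script the contents of C:\WINDOWS\system32\drivers\etc\hosts and the Userinit value read from the (offline or online) registry.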

After that long process of removing the malware, and assuming that my friend would not buy an antivirus (so the computer would have no AV protection) and would not update Windows either (because the updates use too much Internet traffic, which costs him money), I wrote five simple rules for him that should keep him at least somewhat protected against Internet threats. Here they are.

  1. Do not surf the Internet with admin rights. Very simple: if you catch something, it won’t destroy your system, just your profile.
  2. Do not use IE. Since you don’t update your Windows, IE is not updated either. Use Firefox; it’s free and seems more secure.
  3. If the browser asks you something, read it carefully and only then make your decision. If you feel lazy and don’t want to read, answer ‘No’.
  4. Try to avoid unknown sites. I know it’s difficult; that’s why I said ‘try’.
  5. Do not install plug-ins. Even if everything is OK with your browser core, you can still be successfully attacked through plug-ins. See, for example, page 7 here.

Additionally, it’s a good idea to download CureIT and run a scan periodically, for example once a week.

Inside, I was quite frightened, because I don’t have AV on my home computer, my XP has only SP2 and no other patches, and my wife likes the Internet very much. The only defense I have is the five rules above.

When I came home I ran CureIT against C:. I was very happy with the result: ‘No viruses found’. I think that really proves the five rules work. Don’t misunderstand me, I don’t claim that we don’t need AV and patches, no, but these rules are a good trade-off.

2 comments:

Igor Gots said...

My two cents:
1. Never work as system administrator (+)
2. Never use IE or a non-updated Firefox. Opera - best choice for a lazy user. Turn off JavaScript and Flash. Use them only on trusted sites and only when you need them. Change the agent version in the browser (IE->Opera, Firefox->IE, Opera->Firefox). (+)
3. Never use mail clients from Microsoft. Use only The Bat! or Sylpheed or webmail.
4. Turn off at least the Server service and the Remote Registry service on your computer.
5. Don't use DHCP on fully unpatched Windows.
6. Don't use AV, but sometimes run your favourite AV with a full scan of the disks. Ideally from a live CD. (+)
7. If it is comfortable for you, turn on the built-in Windows firewall and block all inbound connections. But it is not necessary.
8. Don't use the built-in utilities such as the music player, video player, image viewer.

These rules were tested on unpatched Windows 2000 for more than 2 years. It works.

Maybe Ubuntu would be simpler. :)

Sergey Soldatov said...

Additional link:
http://www.securityfocus.com/brief/623