Several days ago I helped friend of mine install Windows XP Professional on his home computer. I made default installation of XP SP2 and created two users with default options – these accounts were created with administrator rights.
After that he made a contract with local Internet provider and plugged into the Internet. My friend had admired by the Internet up to depth of his soul, – he was very happy to be able to visit internet sites at home.
But two days latter he phoned me complaining that his new computer had become very slow and he sees a lot of prompters from Kaspersky AV telling him that his computer is infected with malware. I should mention that he has 30-days evaluation version of Kaspersky with old virus base.
I downloaded latest CureIT and went to my friend’s place. But when I came I found that all my attempts to log on to Windows immediately ended with logging off. I found a number of materials about malware that change HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey and decided that problem was in that. Then I made a BartPE CD and loaded from it. I found that C:\Windows\System32\Userinit.exe simply absent. I copied it from I386 directory of XP installation CD. After that I decided to look at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I loaded offline registry and I found two suspicious programs that start from C:\Windows\system32 and C:\Windows\Temp. Unfortunately I don’t remember exact names but I have been assured, that they can be deleted safely. Finally, I started CureIT against whole C:. Remember, it was three days old XP SP2 installation, so C: didn’t contain much data. It ended with more that 50 different malware found! Mainly they were Trojans. I know that some malware block AV updates by editing C:\WINDOWS\system32\drivers\etc\hosts file so I decided to check it too. Well, I hadn’t mistaken – I commented 35 rows of well-known update services including Microsoft Windows update, Symantec Live update, etc.
After that long process of getting rid of viruses, assuming that my friend will not buy antivirus so computer will not be protected with AV and also he will not update Windows because it takes too much Internet traffic that costs money I wrote for him 5 simple rules that should help him to stay somehow protected against Internet threats. Here they are.
- Do not surf the Internet with admin rights. Very simple – if you catch something, it won’t destroy your system, just your profile.
- Do not use IE. Since you don’t update your Windows, IE is not updated as well. Use Firefox – it’s free and seems more secure.
- If browser asks you something, read this carefully and only after this make your decision. If you feel lazy and don’t want to read – answer ‘No’.
- Try to avoid unknown sites. I know that it’s difficult, – that’s why I said ‘try’.
- Do not install plug-ins. Even if everything is OK with your browser core you still can be successfully attacked through plug-is. See, for example, page 7 here.
Additionally, it’s good idea to download CureIT and run test periodically, for example, once a week.
Inside myself I was very frightened because I don’t have AV on my home computer, my XP has only SP2 and no other patches and my wife like the Internet very much. The only defense I have – five above rules.
When I came home I ran CureIT against C:. I was very happy with result – ‘No viruses found’. I think it does really prove that 5 rules are working. Don’t misunderstand me, I don’t assert that we don’t need to use AV and install patches, no, but these rules are good trade-off.
2 comments:
My two cent:
1. Never work as system administrator (+)
2. Never use IE or not updated Firefox. Opera - besh choiсe for lasy user. Turn off java script and flash. Use it only on trusted sites and only when you need it. Change agent version in a browser (IE->Opera, Firefox->IE, Opera->Firefox).(+)
3. Never use mail clients from Microsoft. Use only TheBat! or Sylpheed or WebMail.
4. Turn off at least Server service and Remote Registry service on your computer.
5. Dont use DHCP on fully unpatched windows.
6. Don't use AV, but sometimes run you favourite AV with full scan of disks. Ideally from livecd. (+)
7. If it will be comfortably for you turn on buildin windows firewall and block all inbound connections. But it is not necessary.
8. Dont use buildin utilities as music player, video player, image viewer.
This rules tested on unpatched Windows 2000 more than 2 years. Is is work.
May be Ubuntu will be more simple. :)
Additional links:
http://www.securityfocus.com/brief/623
Post a Comment