GoodGuy
Posts: 1506
Joined: 5/17/2006 From: Cologne, Germany Status: offline
quote:
ORIGINAL: LarryP
There is a guy from Germany on these forums called Goodguy, and he knows a lot about this stuff. I was hoping he would come here and say a few things about firewalls.

*Flash and blue puff of smoke* Who called my name? *serious and meaningful facial expression*

EDIT: K,.... here we go, I'll try to cut it short:

quote:
ORIGINAL: Scott_WAR
Viruses, spyware, etc., don't come to you, unless someone goes out of their way to find you. So unless you have pissed a hacker off you have very little to ever worry about.

While this conclusion may sound reasonable for some people, I'd consider this to be one of the first comedy highlights in 2010. You describe today's major online threats with a calmness and a level of unsuspicion that is unbelievable. It may either be the result of a lack of knowledge, or you just don't care, or you're indeed a kid, I dunno.

Viruses:
There are so many forms: worms, trojans, viruses... there's a reason that some anti-virus companies put out DAILY updates for their virus definition databases. If you go to www.trendmicro.com and check out their virus knowledge database, you'll find a myriad of viruses, worms and trojans listed, plus you'll get an idea how intrusive some of them are, as they're rated with a "Threat Level" grade, and you'll get an idea about how deep some of them can dig into the system by looking at the removal instructions.

How viruses spread:
There are so many ways of spreading them, it would be a never-ending post if I listed them here. Let's pick an example: the infamous "I love you" Loveletter virus/worm did it in a pretty sneaky way, and it caused real, financially quantifiable damage in the economy... worldwide, just by targeting unsuspecting MS Outlook users. That virus assumed that 1) Windows Scripting Host is enabled on most computers (even on monitored corporate machines) and 2) that file extensions of common (or system) files won't be visible on standard PCs. Also, the programmer of the virus knew that Outlook does not display more than one file extension. So this is what happened: the Loveletter contained a script file (filename.txt.vbs), but a "dummy" user would just think it was a harmless text file, as he/she could only see filename.txt.

Once "opened", the fun started, as the script used Outlook (via OLE automation) to send the letter to all addresses found in the address book. Even personal firewalls couldn't do anything about it, as the traffic from Outlook to the mail server was authorized. They just detect the actual communication, but they don't analyze the content anyway. The next step was to replace files on the infected system AND on computers found in the (company or private) network, usually spreading itself or amending existing config/system files. Some clone versions used to rename all jpg files to, let's say, .txt files. Last but not least, I love you spread on the IRC network via DCC (direct client-to-client) file transfer, as many people had "auto accept" enabled, overwriting the IRC client's (i.e. mIRC) "script.ini" file, so that on next launch the infected mIRC client would act as a virus "spreader" too, sending the virus to everyone who entered the same IRC channel. The virus programmer's script inserted a serious-sounding warning message (something like DO NOT DELETE this FILE - substantial MIRC system file) at the top of the ini file, in order to scare newbie users and to prevent them from deleting the ini file.

That whole ordeal happened 9 years ago, and since then virus routines and scripts have improved a lot. You also have to keep in mind that this virus was written by a college student, and that the routines used in the virus weren't very sophisticated. Nowadays, e.g. with all the worms floating around, it's even possible to ship around a half-assed maintained/configured firewall, as they try to misuse and exploit game executables, system services or, via IP tunneling, try to make the user believe an attack is a legit request from/to his browser (in theory, no incoming request is ever legit, unless you want to establish a direct {IP to IP} connection to a fellow gaming partner, a game server or a direct {real-time} chat, like earlier versions of ICQ, for example).

Another common procedure of quite some worms is to disable AVIRA, Norton AV or other AV tools, where some AV icons in the system tray would still indicate that the AV suite is still active (and guarding the system), although the drivers had either been shut down or replaced by dead fake services. In such a case, Avira for instance would still display the opened umbrella, but (right-)clicking on the icon or main executable wouldn't launch the application anymore. So, the programmers explicitly target AV services in order to create a "free for all" environment for the virus.

Malware/spyware and the like:
These types contain some of the most sophisticated routines you can find nowadays. They hide in web page HTML scripts and Java applets, are pretty common in advertising banners, but can be found in every unsuspicious page created with Java, Flash (using JavaScript) or Shockwave (JavaScript), too, in theory. If I don't actually play a wargame/game that requires the "Java Runtime Environment" (JRE), I uninstall Java to reduce my system's vulnerability, and I disable JavaScript in my browser. The Java "Ersatz"/clone that comes with either IE or XP (can't remember) is not a fully functional Java environment, so it's not as risky to have that. With a firewall (but without anti-virus software), and even if you avoid XXX, torrent or "warez" sites, you can get a script virus easily, as quite some legit web pages use banner rotations to refinance some of the server/traffic costs, but are not able to control the content of the banner feeds. Malicious web code would first "just" inject a "downloader" application into the system, which would then download the actual virus/trojan from a remote website. Many AV programs won't detect the activity of the downloader until the actual virus steps in.

The execution of the virus code may still be "invisible" to the AV suite on some occasions, as they don't just disguise themselves with system DLL names like some weaker viruses, but actually use and launch legit system DLLs in order to do their malicious business under the "protection" of a legit system process. As a last resort, a properly configured firewall may display and deny the "downloader's" attempt to connect to the trojan URL, in case it attempts a direct connection, meaning IF the downloader does NOT misuse your browser, other legit applications or IP tunneling in order to connect and download the virus.

I've read an interview with a guy who used to work for a company that authored mal- and spyware. He works for security companies and anti-virus companies now. His employer pushed him to come up with some more sophisticated methods to push content to people's computers (surely without users' consent), in order to improve the particular company's market share. He described how he reshaped tools and methods, from IP tunneling to automated cloning/spreading to even altering system files (e.g. replacing/editing "beep.sys" in the user's Windows directory, i.e. ensuring the malware will recreate itself even AFTER deleting/cleaning the other files of the malware combo, just on next reboot). Last but not least, the infamous rootkits are probably the most sophisticated malware pieces these days. Really hard to detect, and until around 2-3 years ago only few virus scanners actually attempted/offered a rootkit scan. I doubt that more than a few rootkits are a) known and b) actually being detected.

Hackers:
No one has to "piss off" a hacker in order to get him to actually do stuff, like you suggested. There are so many different levels of hacker skills, ranging from the kid around the neighborhood using some old win32 version of the "SubSeven" (1996/97?) trojan, who taught himself how to inject the "Sub7" routine into some unsuspicious JPG file and who would then send it to some friend to make fun of him, scare him or spy on him, to hacking on some uber-professional governmental/military level to obtain secret info about patents (like some Chinese institutions/companies actually try to spy on US and German company AND government networks) or about military apps/installations. On a side note, the NSA's surveillance and "bugging" compound ECHELON, which used to reside in Germany (now in England; details can be found in the STOA report authored by the European Parliament, a report about surveillance tech and the risk of abuse), is suspected to spy even on institutions AND companies of allied/friendly nations, another reason for EU authorities to recommend that EU companies use encryption for all sensitive data and communication.

But even the average hacker "Joe", at least, will be able to run fully automated scans of IP ranges (let's say he decides to scan the common system ports on a US cable network), and he'll then take a closer look at those IPs which reply with a ping ECHO (the number ONE reason why you should set your firewall to deny/drop incoming ICMP requests; it will make your system completely "stealth"). If a particular IP/computer replies on multiple ports, the hacker will know that either the firewall is badly configured, or that there is NO firewall at all = easy prey. He can then use several ways of gaining access to the target system, and this doesn't even necessarily involve trojan injection... there's a German slang term ("freischiessen") for what a hacker could do next; it would translate to "shoot one's way out", well... one's way IN, in this case, I guess, eh? hehe. This means he could use a DoS ("Denial of Service", look it up) attack, and just any type of RPC attack.

After bombarding a non-firewalled (and unpatched) system, the particular Windows computer will finally "give in" and grant FULL remote access after a while, as the system can't handle the myriad of requests (per second); virtually, the system drops its pants. Then the hacker can pretty much browse completely through the remote system, freely, as if he was using his file explorer on his own machine. Some hackers, besides searching remote computers for "useful" data, may then hijack a given system and inject code so that it (randomly) attacks other computers on the internet (which some virus routines actually do, too). Sophisticated hackers often use entire "armies" of hijacked computers for their "projects".

Early (primitive) tools for intrusion detection:
Around 1998 I was using a tool called "Lockdown" and Lockdown 2000 later on. This tool protected one port only (I can't remember which one, probably port 135?). It had 2 other functionalities, where one was a traceroute routine that would trace an attacker's IP (it did pretty much what the DOS command "tracert" did, but it was incorporated into the program's GUI) and it could deny hijacking of programs/games running on the system. Whatsoever, it didn't have ANY firewall functionality except for that one port:
http://www.pc-help.org/www.nwinternet.com/pchelp/lockdown/claims/firewall.htm#conclusion

If you only read the few lines about firewalls supposedly being pure "marketing tools" or terms, you may get the false impression that the author of the web page above just rants about companies which "frighten" users "silly" by heavily pushing and implanting fears on the user's end. This is not the case. If you check the main page, you'll figure that he just tries to reveal that apps like "Lockdown" are just attempts to make money, instead of really offering a tool that protects a Windows user:
http://www.pc-help.org/www.nwinternet.com/pchelp/index.html

The author, just like me, recommends sites like "ShieldsUp" (www.grc.com; links of interest: ShieldsUp, LeakTest, Freeware Listing) and freeware firewalls. He recommends ZoneAlarm (that's where I wouldn't follow him), but Larry did a good pick with Comodo, I guess.

Back to Lockdown:
Back then, McAfee/F-Prot etc. still found some of those early viruses/trojans once in a while, so I talked to the sysadmin of my father's internet company, and he recommended getting a personal firewall ASAP. He used Tiny Personal Firewall on his admin machine, but the company servers were protected by a set of different professional (expensive) firewalls, filters and anti-virus solutions. Since then, I've always used a firewall. Common freeware FWs are pretty safe, if not a tick safer than TPF these days, and the net is packed with professional reviews and recommendations regarding personal firewalls. I recommend doing some research, maybe starting with "ShieldsUp". You should also investigate HOW (easily) viruses can (and will) dance on an unprotected system and how e.g. worms or viruses can easily find their way to your system even though NO hacker was actively involved, since a worm can very well be sent automatically from the computer of some unsuspecting user (who happens to have an unprotected system), as I outlined above. Some hackers have thousands of unaware "accomplices", who, in most countries, de jure can't even be held responsible for their collaboration, as it's legal to have an unprotected system, right? It's a bit sad, though, that there are still ppl in 2010 who think that moving around on the internet is as safe as sitting around and aligning stamps in their hobby room.

My 2 cents. (well, not so short, sorry)
< Message edited by GoodGuy -- 1/7/2010 1:32:50 PM >
_____________________________
"Aw Nuts" General Anthony McAuliffe December 22nd, 1944 Bastogne --- "I've always felt that the AA (Allied Assault engine) had the potential to be [....] big." Tim Stone 8th of August, 2006
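The double-extension trick the post describes (a script attachment shown as filename.txt because the mail client hides the final extension) is something a mail gateway or endpoint tool can check for before a user ever sees the attachment. The Python script below is an added example, not code from the post or from any of the products it mentions; the extension lists and the constructed sample attachment names are assumptions chosen for illustration, not a complete policy.

```python
"""Flag attachment names that use the Loveletter-style double-extension trick.

Added example for this thread; the extension sets below are assumed for
illustration and should be tuned to the environment being protected.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Extensions Windows executes (or hands to Windows Scripting Host) when the
# file is double-clicked. Assumed list, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
}

# Extensions an unsuspecting user is likely to treat as a harmless document.
BENIGN_LOOKING_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    displayed_as: str      # what a client that hides known extensions shows
    real_extension: str    # what Windows actually acts on when opened
    suspicious: bool
    reason: str


def displayed_name(filename: str) -> str:
    """Name as shown when the last extension is hidden: this is why
    filename.txt.vbs appeared to the user as filename.txt."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def inspect_attachment(filename: str) -> Verdict:
    """Compare the name the user would see with the extension the OS acts on."""
    base = os.path.basename(filename)
    stem, real_ext = os.path.splitext(base)
    real_ext = real_ext.lower()              # .VBS and .vbs are the same to Windows
    inner_ext = os.path.splitext(stem)[1].lower()
    shown = displayed_name(base)

    if real_ext in EXECUTABLE_EXTENSIONS and inner_ext in BENIGN_LOOKING_EXTENSIONS:
        return Verdict(base, shown, real_ext, True,
                       f"executable {real_ext} disguised as {inner_ext}")
    if real_ext in EXECUTABLE_EXTENSIONS:
        return Verdict(base, shown, real_ext, True,
                       f"executable attachment {real_ext}")
    return Verdict(base, shown, real_ext, False, "no executable extension")


def scan_attachments(filenames) -> list[Verdict]:
    """Inspect a batch of attachment names, e.g. from one mail's MIME parts."""
    return [inspect_attachment(f) for f in filenames]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from real mail.
    sample = ["filename.txt.vbs", "report.pdf", "holiday.JPG", "setup.exe"]
    for v in scan_attachments(sample):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.filename:20} shown as {v.displayed_as!r}: {v.reason}")
```

The check deliberately keys on the real (last) extension rather than on what the user sees, because the whole trick relies on those two differing; a gateway that quarantines on this mismatch catches the attachment regardless of whether Windows Scripting Host is enabled on the receiving machine.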