How to save home PCs from being Zombies? (Test presentation for Altiris Certified Trainer, January 2008) Pascal Kotté [email protected] (c) 2008 - Free usage as long as logo & name are kept in there

Page 1: FightingZombiesPC_v0_4.ppt

How to save home PCs from being Zombies?

(Test presentation for Altiris Certified Trainer, January 2008)

Pascal Kotté, [email protected]

(c) 2008 - Free usage as long as logo & name are kept in there

Page 2: FightingZombiesPC_v0_4.ppt

Summary

• Be a fighter against Zombie PCs
  1. What?
     1. How does this come about?
  2. Why?
     Sources, risks

• How to fight?

• Audience: IT professionals (any job) or « clever » PC users, at home.

Page 3: FightingZombiesPC_v0_4.ppt

01- What is a PC Zombie?

• Botnet = network of Zombies
  o Built by hacker groups
  o Zombie = infected computer with a « bot » (like a Trojan virus, not a simple "spyware")

• How this curse arrives on PCs:
  o Just plug a PC into the Internet over ADSL/cable using a USB cable, because that gives it a public IP*.
  o Just navigate Internet pages, read emails…
  o Just download or receive funnies, cheat codes, …
  o …

* That is like a published phone number that everybody can call. Instead, you MUST use a « private IP address » for your PC.

Page 4: FightingZombiesPC_v0_4.ppt

02- Why is it a war?

• In the 80s, hackers were "heroes" (sort of)
  o Joke programs
  o Disruptive or destructive (for publicity)
  o For fun…

• Nowadays: professional thieves
  o Money is the motivation
  o High technical skills
  o Underground activities on pirated PCs: that is a "Zombie"

Page 5: FightingZombiesPC_v0_4.ppt

What are the risks?

Image from Wikipedia.org (GNU licence)

SPAMbot
• 70+% of email = SPAM
• 70+% of SPAM comes from Zombies
  o For commercial use
  o For commercial abuse… or pure thieving
  o For « Phishing »…

Page 6: FightingZombiesPC_v0_4.ppt

Risk: Phishing sample

Page 7: FightingZombiesPC_v0_4.ppt

The threats from "bots"

• A "Botnet" can also DoS-attack or decrypt
  o Denial of Service: overload networks/systems (2004: Microsoft, Google were out for 2 hours)
  o Massed CPUs can crack encrypted data…
  o …

• Hijacking the home PC
  o Masquerade as the user on the secured e-banking Web site & substitute transactions to take your cash…*
  o Next-generation phishing (will identify your bank…)

• … Never-ending story, we are only at the start…

* You can recover from misuse of your credit card number, but not from this piracy!

Page 8: FightingZombiesPC_v0_4.ppt

03- How can we fight?

• Throw away USB Internet connectivity

• Do you… run Windows Update?
  o Or Microsoft Update?
  o Acrobat update? WinZip update? Altiris update?
  o Activate your SVS* layers & update them?

• Do you… keep your PC on at night?
  o Don't forget to also update your eMule & co…

• Do you… use admin to work on your PC?
  o Also to navigate the Web? DO: runas /profile /user:simple "Firefox.exe"

*SVS = Altiris Software Virtualization Solution

Page 9: FightingZombiesPC_v0_4.ppt

How to protect – using tools

• Firewall, anti-spyware, antivirus
  o Symantec SEP11 or a free solution, and:
  o DO: close port 6667 (IRC)

• VMware (GSX for free, VMplayer also)
  o Use the NAT network option for the LAN card
  o Install your e-banking there; never use it to navigate elsewhere
  o Microsoft Update & protect it like your PC

• Altiris SVS (free at home)
  o Internet Explorer - Reset On Close (18 KB)
  o http://svsdownload.com/
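The slide tells you to close port 6667 (IRC) on the firewall; the added script below (an example written for this page, not part of the original presentation) takes the complementary check and looks through `netstat -ano` output for a home PC that is already talking to an IRC port. The sample netstat listing is constructed, and widening the watch list from 6667 to the classic 6660-6669 IRC range is an assumption.

```python
# Added example, not from the original presentation: the slide says to close
# port 6667 (IRC); this checks `netstat -ano` output for PCs already talking
# to an IRC port. Sample output is constructed (documentation-range IPs).
import subprocess
import sys

# 6667 is the slide's port; the 6660-6669 IRC range is an added assumption.
IRC_PORTS = set(range(6660, 6670))

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.5:6667       ESTABLISHED     1234
  TCP    192.168.1.10:1046      198.51.100.20:443      ESTABLISHED     2100
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:445            *:*                                    4
"""

def parse_netstat(text):
    """Turn `netstat -ano` lines into dicts; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""  # UDP rows have no State
        host, _, port = parts[2].rpartition(":")     # also handles "*:*"
        rows.append({"proto": parts[0], "local": parts[1], "host": host,
                     "port": int(port) if port.isdigit() else None,
                     "state": state, "pid": int(parts[-1])})
    return rows

def find_irc_connections(rows, ports=IRC_PORTS):
    """Return the rows whose remote port is an IRC port, e.g. 6667."""
    return [r for r in rows if r["port"] in ports]

def main():
    # `--live` runs the real netstat (Windows); otherwise the sample is used.
    if "--live" in sys.argv:
        text = subprocess.run(["netstat", "-ano"], capture_output=True,
                              text=True, check=False).stdout
    else:
        text = SAMPLE_NETSTAT
    hits = find_irc_connections(parse_netstat(text))
    for h in hits:
        print(f"{h['proto']} {h['local']} -> {h['host']}:{h['port']} "
              f"{h['state']} PID {h['pid']}: inspect this process")
    print(f"{len(hits)} IRC connection(s) found")

if __name__ == "__main__":
    main()
```

The PID column lets you map a hit back to the process in Task Manager; a browser or mail client legitimately on port 6667 is rare on a home PC, so a hit deserves a look.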

Page 10: FightingZombiesPC_v0_4.ppt

Lab

• Activate "Microsoft Update" versus "Windows Update"

Do it yourself at home!

http://update.microsoft.com

Page 11: FightingZombiesPC_v0_4.ppt

04- Conclusion

• It is now up to you to be part of the fighters! Go now to as many homes as you can, and:
  1. Save important files & reinstall their PC from the original CD/DVD
  • Update "offline" with the latest SP*
  • Drop any "USB-like" Internet access, replace/plug in an "Ethernet" NAT box
  • Apply all you learned before

• Thanks in advance for your involvement in this war

*SP = Service Pack (currently v3 for XP)

Page 12: FightingZombiesPC_v0_4.ppt

Thanks, Danke, Gracias, Merci!

• Pascal KOTTÉ
  o Senior consultant, Altiris Certified Engineer & Trainer
  o [email protected], +41 79 309 28 86

• www.bemore.ch
• www.adventis.ch

Personal contact:
• [email protected]

Please join the fight: report your actions/tracks/feedback/KB at:
  o [email protected]

Page 13: FightingZombiesPC_v0_4.ppt

Annexes

Page 14: FightingZombiesPC_v0_4.ppt

Do you think I am joking, or only exaggerating a little?

« Up to a quarter of online computers are virus-infected components in botnet networks of PCs under the control of hackers, according to net luminary Vint Cerf. Cerf, who co-developed the TCP/IP protocol, compared the spread of botnets to a disease that has reached "pandemic" proportions. Cerf estimated that between 100 million and 150 million of the 600 million PCs on the internet are under the control of hackers. »

« Hamadoun Toure, secretary general of the International Telecommunication Union said greater co-operation between regulators, government, security firms, telecom providers, and end users was needed. »

World Economic Forum in Davos, Switzerland, January 2007.

Page 15: FightingZombiesPC_v0_4.ppt

In French: Do you think I am exaggerating?

(January 2007, conference in Davos)

« Vinton Cerf, a leading network specialist, chairman of ICANN and co-inventor of the Internet communication protocol TCP/IP, estimates that probably ¼ of the PCs connected to the Internet are Zombies, i.e. 100 to 150 million PCs out of 600 million. »

« Hamadoun Toure, secretary general of the ITU (International Telecommunication Union), declared that the war against zombies would only be won if governments, computer manufacturers and users formed an alliance. »

Page 16: FightingZombiesPC_v0_4.ppt

Tools (Free)

• Windows Defender (Microsoft)

• Spybot S&D: Spybot - Search & Destroy can detect and remove spyware of different kinds from your computer.

• Ad-Aware SE Personal: Ad-Aware SE Personal is a tool freely available for personal use on Windows platform machines

• SpywareBlaster, HijackThis, X-Cleaner

• XP-AntiSpy (tool for quickly disabling undesired services)

• IE-SPYAD: IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of known advertisers, marketers, and spyware pushers to the Restricted sites zone of Internet Explorer

Page 17: FightingZombiesPC_v0_4.ppt

Firewall (this is an old list, sorry)

• ZoneAlarm: Millions of users have selected ZoneAlarm as their trusted Internet security solution.

• Kerio Personal Firewall: Kerio Personal Firewall 4 is FREE for home

• Omniquad Personal Firewall: Omniquad Personal Firewall is freely available and contains the ability to monitor inbound and outbound traffic.

• Outpost Firewall FREE: Agnitum makes a scaled-down version of their Outpost Firewall Pro 2.5

• Sygate Personal Firewall, now integrated into Symantec Endpoint Protection (version 11 in 2007/2008)

• … non-exhaustive list …

Page 18: FightingZombiesPC_v0_4.ppt

A few References

• What Is A Bot?
  http://netsecurity.about.com/od/frequentlyaskedquestions/qt/pr_bot.htm

• Bot Networks
  http://www.schneier.com/blog/archives/2006/07/bot_networks.html

• UK is top of the bots (03.2005)
  http://www.continuitycentral.com/news01804.htm

• Zombie PC army responsible for big name web blackout (June 2004)
  http://software.silicon.com/malware/0,3800003104,39121439,00.htm

• Botnet 'pandemic' threatens to strangle the net
  http://www.theregister.co.uk/2007/01/26/botnet_threat/

• Zombie computer (EN)
  http://en.wikipedia.org/wiki/Zombie_computer

• Machine zombie (FR)
  http://fr.wikipedia.org/wiki/Machine_zombie

• Just google it!

Page 19: FightingZombiesPC_v0_4.ppt

Thanks

• Michael Desmond (About, New York Times)
• Tony Bradley (PCWorld, New York Times)
• Bruce Schneier (BT Counterpane)
• And all the other unknown warriors…

• Images from « Google image search » or the Wikipedia project (should be free to use ;-)