
Page 1: How to save home PCs from being Zombies?

How to save home PCs from being Zombies? (Test presentation for Altiris Certified Trainer, January 2008)

Pascal Kotté, [email protected]

(cc BY-SA) 2008 - Free to use as long as the author's name is kept on it

Page 2

Summary

•Be a fighter against Zombie PCs
  1. What? How does this happen?
  2. Why? Sources, risks
  3. How to fight?

•Audience: IT professionals (any job) or « clever » PC users, at home.

Page 3

01- What is a PC Zombie?

•Botnet = network of Zombies
  o built by hacker groups
  o Zombie = infected computer with a « bot » (like a Trojan virus, not a simple “spyware”)

•How this curse arrives on PCs:
  o Just plug a PC into the Internet over ADSL/cable with a USB modem, because that gives it a public IP*
  o Just browse Internet pages, read emails…
  o Just download or receive funny files, cheat codes, …
  o …

* That is like a published phone number that everybody can call. Instead, you MUST use a « private IP address » for your PC.

Page 4

02- Why is it a war?

•In the 1980s, hackers were “heroes” (sort of)
  o Joke programs
  o Disruptive or destructive programs (for publicity)
  o For fun…

•Nowadays: professional thieves
  o Money is the motivation
  o High technical skills
  o Underground activities on pirated PCs: that is the “Zombie”

Page 5

What are the risks?

Image from Wikipedia.org (GNU licence)

SPAMbot
  o 70+% of email is SPAM
  o 70+% of SPAM comes from Zombies
  o For commercial use, for commercial abuse… or pure thieving, for « Phishing »…

Page 6

Risk: Phishing sample

Page 7

The threats from “bots”

•A “botnet” can also run DoS attacks or decrypt
  o Denial of Service: overload networks/systems (2004: Microsoft, Google were out for 2 hours)
  o Massed CPUs can crack encrypted data…
  o …

•Hijacking the home PC
  o Masquerade the user's secured Web e-banking session and substitute transactions to take your cash…*
  o Next-generation phishing (will identify your bank…)

•… A never-ending story, we are just at the start…

* You can recover from misuse of your credit card number, not from this piracy!

Page 8

03- How can we fight?

•Throw away USB Internet connectivity

•Do you… run Windows Update? (old XP OS context)
  o Or Microsoft Update?
  o Acrobat update? WinZip update? Altiris update?

•Do you… leave your PC on at night? Don't forget to update your eMule & co. as well…

•Do you… use an admin account to work on your PC?
  o Also to browse the Web?

DO: runas /profile /user:simple "Firefox.exe" (old XP OS context)

Page 9

How to protect – using tools

•Firewall, anti-spyware, antivirus
  o Symantec SEP or a free solution, and:

DO: Close port 6667 (IRC)

•VMware (GSX for free, VMplayer also)
  o Use the NAT network option for the LAN card
  o Install your e-banking there
  o Never use it to browse elsewhere
  o Run Microsoft Update on it and protect it like your PC

•Altiris SWV (free at home, for geek users) to capture suspect installations on a virtual layer
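The three defensive points of pages 3, 5 and 9 (a home PC must not carry a public IP, most spam comes from Zombies, close the IRC port 6667) can be turned into a small check a helper can run over a NAT box's or personal firewall's connection log. The script below is an added example written for this page, not code from the presentation or from any of the tools it lists. The log line format, the burst thresholds and the sample log lines are all constructed assumptions; the documentation addresses (198.51.100.x, 203.0.113.x) stand in for real Internet hosts.

```python
"""Home-PC zombie indicator check over a connection log.

Added example, not code from the presentation. It applies three of the
deck's points as simple heuristics:
  * a PC that itself carries a public IP is reachable by anyone (page 3);
  * outbound TCP to port 6667 is the classic IRC bot command channel (page 9);
  * a burst of outbound SMTP (port 25) connections is spambot behaviour (page 5).
The log format, the thresholds and the sample lines are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

IRC_PORT = 6667
SMTP_PORT = 25
SMTP_BURST_THRESHOLD = 5               # SMTP connections inside one window (assumed)
SMTP_BURST_WINDOW = timedelta(minutes=1)

# Ranges a home PC should sit in when it is behind a NAT box (RFC 1918), plus
# loopback and link-local.  Checked explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges used in the
# sample log (198.51.100.0/24, 203.0.113.0/24) as private.
HOME_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed log format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)/(?P<proto>tcp|udp)$")

# Constructed sample: .10 talks IRC and then blasts six mail servers in 5 s;
# .11 is a normal user; 203.0.113.50 is a PC plugged in with a public address.
SAMPLE_LOG = """\
2008-01-12T21:00:01 192.168.1.10 -> 93.184.216.34:80/tcp
2008-01-12T21:00:03 192.168.1.10 -> 203.0.113.7:6667/tcp
2008-01-12T21:00:10 192.168.1.10 -> 198.51.100.1:25/tcp
2008-01-12T21:00:11 192.168.1.10 -> 198.51.100.2:25/tcp
2008-01-12T21:00:12 192.168.1.10 -> 198.51.100.3:25/tcp
2008-01-12T21:00:13 192.168.1.10 -> 198.51.100.4:25/tcp
2008-01-12T21:00:14 192.168.1.10 -> 198.51.100.5:25/tcp
2008-01-12T21:00:15 192.168.1.10 -> 198.51.100.6:25/tcp
2008-01-12T21:05:00 192.168.1.11 -> 93.184.216.34:443/tcp
2008-01-12T21:05:02 192.168.1.11 -> 198.51.100.9:25/tcp
2008-01-12T21:30:00 203.0.113.50 -> 93.184.216.34:80/tcp
this line is malformed and is skipped
"""


def is_home_address(ip):
    """True if ip is a private/local address, i.e. the PC sits behind NAT."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_RANGES)


def parse_log(text):
    """Group parsed connections by source host: src -> [(time, dst, port, proto)]."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # ignore lines that do not fit the format
        by_src[m["src"]].append(
            (datetime.fromisoformat(m["ts"]), m["dst"], int(m["port"]), m["proto"]))
    return by_src


def has_smtp_burst(conns, threshold=SMTP_BURST_THRESHOLD, window=SMTP_BURST_WINDOW):
    """True if at least `threshold` SMTP connections fall inside one `window`."""
    times = sorted(t for t, _dst, port, proto in conns
                   if port == SMTP_PORT and proto == "tcp")
    j = 0
    for i in range(len(times)):        # sliding window over sorted timestamps
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


def analyse(text):
    """Return {src_ip: [finding, ...]} for every host that trips a heuristic."""
    findings = {}
    for src, conns in parse_log(text).items():
        notes = []
        if not is_home_address(src):
            notes.append("public IP on the PC itself: directly reachable, put it behind a NAT box")
        irc_peers = sorted({dst for _t, dst, port, proto in conns
                            if port == IRC_PORT and proto == "tcp"})
        if irc_peers:
            notes.append("outbound IRC (6667) to %s: possible bot command channel, "
                         "block the port" % ", ".join(irc_peers))
        if has_smtp_burst(conns):
            notes.append("SMTP burst: many mail connections in a short time, spambot behaviour")
        if notes:
            findings[src] = notes
    return findings


if __name__ == "__main__":
    for host, notes in analyse(SAMPLE_LOG).items():
        print(host)
        for n in notes:
            print("  -", n)
```

Running it on the constructed sample flags 192.168.1.10 twice (IRC peer plus an SMTP burst) and 203.0.113.50 once (public address on the PC itself), while the ordinary user at 192.168.1.11, who sends one mail, is left alone. The RFC 1918 check is written out by hand on purpose: `ipaddress.is_private` would also call the documentation ranges in the sample "private" and hide the exposed host.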

Page 10

Lab

•Activate “Microsoft update” instead of “Windows update”

do it yourself at home!

http://update.microsoft.com

Page 11

04- Conclusion

•It is now up to you to be part of the fighters! Go to as many homes as you can, and:
  1. Save the important files and reinstall their PC from the original CD/DVD
  2. Update “offline” with the latest SP*
  3. Drop any “USB-like” Internet access, replace it with an “Ethernet” NAT box
  4. Apply everything you learned before

•Thanks in advance for your involvement in this war

* SP = Service Pack (current: v3 for XP)

Page 12

Thanks, Danke, Gracias, Merci!

•Pascal KOTTÉ (Suisse romande, French native)
  o Senior consultant, Altiris Certified Engineer & Trainer, Cloud expert, ethics & sustainability in ICT…
  o Personal requests: [email protected], +41 79 309 28 86
  o Consulting: [email protected]

•Please join the fight: report your actions/tracks/feedback/KB at: [email protected]
  o Join a French-speaking technology-watch community:
    http://register.ict-a.ch (digital revolution, ICT in general)
    http://register.CloudReady.ch (specific to Cloud computing)

Page 13

Annexes

Page 14

Do you think I am joking, or just exaggerating a little?

« Up to a quarter of online computers are virus-infected components in botnet networks of PCs under the control of hackers, according to net luminary Vint Cerf. Cerf, who co-developed the TCP/IP protocol, compared the spread of botnets to a disease that has reached "pandemic" proportions. Cerf estimated that between 100 million and 150 million of the 600 million PCs on the internet are under the control of hackers. »

« Hamadoun Toure, secretary general of the International Telecommunication Union said greater co-operation between regulators, government, security firms, telecom providers, and end users was needed. »

World Economic Forum in Davos, Switzerland, January 2007.

Page 15

(French version of the previous slide, translated) Do you think I exaggerate? (January 2007, conference in Davos)

« Vinton Cerf, leading network specialist, chairman of ICANN and co-inventor of the Internet communication protocol TCP/IP, estimates that probably ¼ of the PCs connected to the Internet are Zombies, that is 100 to 150 million PCs out of the 600 million. »

« Hamadoun Toure, secretary general of the ITU (International Telecommunication Union), declared that the war against zombies would only be won if governments, computer manufacturers and users joined forces. »

Page 16

Tools (free)

•Windows Defender (Microsoft)

•Spybot S&D: Spybot - Search & Destroy can detect and remove spyware of different kinds from your computer.

•Ad-Aware SE Personal: a tool freely available for personal use on Windows platform machines

•SpywareBlaster, HijackThis, X-Cleaner

•XP-AntiSpy (tool for quickly disabling undesired services)

•IE-SPYAD: a Registry file (IE-ADS.REG) that adds a long list of known advertisers, marketers, and spyware pushers to the Restricted sites zone of Internet Explorer

Page 17

Firewalls (that is an old list, sorry)

•ZoneAlarm: millions of users have selected ZoneAlarm as their trusted Internet security solution.

•Kerio Personal Firewall: Kerio Personal Firewall 4 is FREE for home use

•Omniquad Personal Firewall: freely available and able to monitor inbound and outbound traffic.

•Outpost Firewall FREE: Agnitum makes a scaled-down version of their Outpost Firewall Pro 2.5

•Sygate Personal Firewall, now integrated into Symantec Endpoint Protection (version 11 in 2007/2008)

•… non-exhaustive list …

Page 18

A few references

•What Is A Bot? http://netsecurity.about.com/od/frequentlyaskedquestions/qt/pr_bot.htm

•Bot Networks: http://www.schneier.com/blog/archives/2006/07/bot_networks.html
  http://askbobrankin.com/botnet_alert_are_you_vulnerable.html (2013-03, Bob Rankin)

•UK is top of the bots (03.2005): http://www.continuitycentral.com/news01804.htm

•Zombie PC army responsible for big name web blackout (June 2004): http://software.silicon.com/malware/0,3800003104,39121439,00.htm

•Botnet 'pandemic' threatens to strangle the net: http://www.theregister.co.uk/2007/01/26/botnet_threat/

•Zombie computer (EN): http://en.wikipedia.org/wiki/Zombie_computer

•Machine zombie (FR): http://fr.wikipedia.org/wiki/Machine_zombie

•Just google it!

Page 19

Thanks

•Michael Desmond (About, NewYorkTime)

•Tony Bradley (PCWorld, NewYorkTime)

•Bruce Schneier (BT Counterpane)

•And all the other unknown warriors…

•Images from « Google image search » or the Wikipedia project (should be free to use ;-)