Sarasota PC Monitor


Tech Talk (09/01)

Firewalls & Viruses

by Brian K. Lewis, Ph.D.*
Member of the Sarasota Personal Computer Users Group, Inc.

This is not the topic I had originally considered for this month; however, I have recently been amazed by the number of computers I have worked on that are not protected by firewalls or current anti-virus software. I think it's time we as a PC user group do more with respect to the education of the computer user community. I am certain that every SPCUG member knows others who are not members of this organization. I would suggest that you provide them with the information that their computer is at risk and how to protect it.

I have been asked many times whether it is really necessary to install a firewall on a personal computer. I've been told by users, "my computer has no personal or financial information on it." My answer is that maybe that "hacker" or "script kiddie" isn't looking for that type of data. Maybe they are looking for an open machine that will accept a Trojan horse program. From there, they can reach out and invade other computers.

Let me give you an example. I use Zone Alarm Pro as my watchdog to prevent entry into my computer. During the period from last December, when I first installed my cable modem, I recorded about 20-30 TCP hits per day. Since my computer is on 12-16 hours per day, that's roughly two hits per hour, maximum. Some of those hits were from the @home technicians testing the line (IP 24.00.203). I usually get about four of those per day. However, things have changed drastically since the 4th of August. In the past six days I have been averaging over 275 TCP hits per day, not including the @home test series. Zone Alarm has also blocked some outgoing replies to ICMP pings. The data light on my modem is flickering constantly just as if I was downloading a large file.

I did contact Comcast and talked with a tech who suggested I notify abuse@home.com. That brought me an automated response saying I could submit only one IP address per e-mail. I did sort the IP addresses and found a few that were duplicated, with up to eight pings from the same address. So I sent @home five emails with IP addresses. So far there is no indication that they even received them. Then, with the assistance of Dr. Goldstein, I obtained and installed trial copies of tracing software. These programs will trace IP addresses. However, they do not give you any evidence as to whether or not the originating computer is being used as a "decoy" by some other computer. Anyway, the addresses I checked originated in locations such as Hong Kong, Montreal, New York State, Atlanta & Bartlett, GA, Union, NJ, Massachusetts, Baltimore and many others. Interestingly, the majority of the IP addresses started with 65, which seems to indicate the @home network. The details usually provided the ID for an @home user as the source. However, there were multiple locations such as in southern California and Canada (Sprint network) that appeared to have originated from dial-up or DSL networks.
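The triage described above (counting blocked hits per day, setting aside the provider's own line tests, and sorting source addresses by how often they repeat so each can be reported separately) as an added example; this is not code from the column, the log layout and every address in it are constructed, and the provider test range is an assumed placeholder rather than the address the author saw:

```python
# Added example: triage of blocked-connection log lines. The "date time proto src dst:port"
# layout is invented for this example and is not ZoneAlarm's real log format.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log; all addresses are from documentation ranges.
SAMPLE_LOG = """\
2001-08-05 01:12:03 TCP 192.0.2.1 10.0.0.5:27374
2001-08-05 01:14:11 TCP 192.0.2.1 10.0.0.5:27374
2001-08-05 02:00:40 ICMP 198.51.100.77 10.0.0.5:0
2001-08-05 03:30:19 TCP 203.0.113.9 10.0.0.5:80
2001-08-05 04:45:52 TCP 192.0.2.9 10.0.0.5:1243
2001-08-06 00:03:15 TCP 192.0.2.1 10.0.0.5:27374
2001-08-06 00:09:58 TCP 203.0.113.9 10.0.0.5:80
2001-08-06 01:21:30 TCP 198.51.100.4 10.0.0.5:139
"""

# Assumed placeholder for the provider's line-test source; hits from here are not counted.
TEST_NETS = [ip_network("203.0.113.0/24")]

def parse(line):
    """Split one constructed log line into (date, protocol, source IP, destination port)."""
    date, _time, proto, src, dst = line.split()
    return date, proto, ip_address(src), int(dst.rsplit(":", 1)[1])

def is_test_source(ip):
    return any(ip in net for net in TEST_NETS)

def hits_per_day(log, proto="TCP"):
    """Blocked hits per day for one protocol, excluding the provider's test sources."""
    days = Counter()
    for line in log.splitlines():
        date, p, src, _port = parse(line)
        if p == proto and not is_test_source(src):
            days[date] += 1
    return dict(days)

def repeat_sources(log):
    """Source addresses with their hit counts, most frequent first, for one-address-per-report abuse mail."""
    counts = Counter()
    for line in log.splitlines():
        _date, _p, src, _port = parse(line)
        if not is_test_source(src):
            counts[str(src)] += 1
    return counts.most_common()
```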

So, what does this information imply? Mainly, that cable modem users who do not use a firewall may be easily invaded by hackers using Trojan horse software. This software will silently self-install and then can scan for other open systems. It also maintains an open port for sending information to the hacker's computer. I doubt if the individuals whose addresses I obtained were the actual hackers. Now, I can hear those of you who use dial-up software saying, "it can't affect me!" If you are on-line for just a few minutes at a time that may be true. However, when the scanning is occurring at the rate of 17-20 hits per hour, anyone that is not protected is in danger. If you use the Internet for longer than just downloading email, then you can be invaded. Zone Alarm is still a free program for personal use. Anyone who surfs the Net without using it or another firewall is leaving their system wide open to become part of the problem.

One of the things that the hackers are trying to do is to create very large networks of decoy machines that they can control. This gives them the power to overload the Internet with transmissions that can cause Internet systems to fail. The "denial of service" attacks that have occurred against Websites are one example of this. How would you like to be notified that your computer was one of thousands attempting to bring down the DOD computer system or that of a major corporation? So, please, protect yourself and the Internet, install a firewall!

Now, on to viruses. When you bought that new computer that came with anti-virus (A-V) software, did you realize that the software was out of date? Do you realize that you need to update your anti-virus software a minimum of once per week? I have had several instances during the past three weeks that demonstrate this problem: people who had A-V software installed but had never updated the virus definitions. (That's Symantec's term; PC-cillin refers to these as pattern files and McAfee calls them DAT files.)

A-V software scans files when they are opened, saved to disk and sometimes when downloaded or created. This scanning process involves reading the computer code in the file and comparing it to known virus "signatures." These signatures are the digital or hexadecimal codes stored within an application or document that identify a specific virus. So, if your A-V software reads a file and finds no match, it concludes that the file is virus-free. If you have set your A-V software to scan executable files only, then you will miss most of the newest viruses. Additionally, if you don't have the latest definition update, that file may contain a virus such as the W32-SirCam worm, which appeared in many emails at the end of July and the first week of August. This is a particularly nasty worm that comes as a document attached to an email, probably from someone you know. It does many things on your computer. It loads a command in your registry so it will run every time the computer is turned on; it attaches itself to files in the recycle bin and makes them hidden files. It also creates other hidden files on your hard drive. Then it will email itself to everyone in your address book. There is also a 1 in 20 chance that it will delete files and directories, and a 1 in 50 chance that it will fill your entire hard drive with random characters. Note that there is also a Spanish language version of this worm.
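To show the two failure modes just described (definitions that are out of date, and scanning executables only) in working code, here is an added example of a minimal signature scanner; it is not the column's code or any vendor's engine, and every signature pattern, date and sample file in it is invented for illustration:

```python
# Added example: a toy signature scanner. A file is "clean" only because no KNOWN pattern
# matched, so a definition the user never downloaded, or a file type never examined,
# produces a miss. Patterns and dates below are constructed, not real virus signatures.
import os
from datetime import date

# name -> (byte pattern, date the definition was published); all values are made up.
SIGNATURES = {
    "EXAMPLE-OLD": (b"\x90\x90\xeb\x1f\x5e", date(2000, 3, 1)),
    "EXAMPLE-NEW": (b"SampleWormMarker", date(2001, 7, 20)),
}

EXECUTABLE_EXTS = {".exe", ".com", ".scr"}

def definitions_as_of(last_update):
    """Only signatures published on or before the last definition update are known to the scanner."""
    return {name: pat for name, (pat, published) in SIGNATURES.items() if published <= last_update}

def scan_file(name, data, last_update, executables_only=False):
    """Return the names of matching signatures, or [] when the file is considered clean."""
    ext = os.path.splitext(name)[1].lower()
    if executables_only and ext not in EXECUTABLE_EXTS:
        return []  # never examined at all: a document attachment slips through unread
    known = definitions_as_of(last_update)
    return [name for name, pat in known.items() if pat in data]

# Constructed sample files: an old infected executable, a document carrying the newer
# pattern, and a harmless text file.
FILES = {
    "oldgame.exe": b"MZ...." + b"\x90\x90\xeb\x1f\x5e" + b"....",
    "report.doc": b"\xd0\xcf\x11\xe0" + b"SampleWormMarker" + b"....",
    "readme.txt": b"just text",
}

def scan_all(last_update, executables_only=False):
    """Scan every sample file with definitions current as of last_update."""
    return {name: scan_file(name, data, last_update, executables_only)
            for name, data in FILES.items()}
```

Run with current definitions both infected files are flagged; with definitions from 2000 the document passes as clean, and with executable-only scanning it is never examined at all.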

In several cases, I have had to clean this virus off home computers because the A-V software had never been updated. The virus definitions were 1-2 years out of date. So don't be complacent just because you have A-V software on your computer. You must keep the definitions updated and, about once a year, pay to update the actual software engine. Believe me, the cost of updating the software is a lot less than paying me to recover your hard drive from a virus infection!

Just this week I received an Infoworld Alert on a new virus that can attach itself to PDF files. This is the first time such files have been attacked. You may or may not realize that the PDF format is the most universal document format on the Web. It can be read by any computer using the free Acrobat Reader. Fortunately, this virus can only be activated by computers that have the complete Acrobat program and MS Outlook. The program was analyzed by Bernardo Quinteros, head of the Madrid, Spain-based security firm HispaSec Sistemas. Mr. Quinteros identified the creator of this program as an Argentine hacker who calls himself "Zulu." The following quotation was extracted from the Infoworld article: "Zulu told Quinteros in a previous interview that he creates worms just for fun because he finds it an educational experience, that he does not feel guilty about doing it, and that his actions are not considered a crime yet under Argentine law. The worms written by Zulu do not usually carry a dangerous payload by themselves, although they can be adapted to malicious wrongdoing by others, according to Quinteros." The complete article is available at: http://iwsun4.infoworld.com/articles/hn/xml/01/08/08/010808hnacr.xml?0808alert.

So protect yourself and your email correspondents from these "fun-loving, educational experimenters" by keeping your anti-virus software up to date.

*Dr. Lewis is a former University and Medical School professor. He is available to help you with your computer hardware and software problems. He may be contacted via e-mail at brian_klewis@hotmail.com or voice mail at (941) 925-3047.



Copyright 2001. This article is from the September 2001 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL 34277-1889. Permission to reprint is granted only to other non-profit computer user groups, provided proper credit is given to the author and our publication. We would appreciate receiving a copy of the publication the reprint appears in, please send to above address, Attn: Editor. For further information about our group, email: admin@spcug.org/ Web: http://www.spcug.org/

The Sarasota Personal Computer Users Group, Inc. has 1,300+ members and was established in 1982. We are members of the Assoc. of PC User Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are members of the America Online Ambassador Program.
