Unsafe at any speed
Want to know why the UK is usually somewhere near the top of the chart for the greatest number of trojan infested "zombie" PCs?

In my unofficial capacity as PC mender to friends, family and any third parties nominated by them, I was called upon yesterday to investigate a PC which had ceased to function correctly. The symptoms described over the 'phone were not sufficiently specific to pinpoint the issue so, having talked through a number of possible scenarios with the user, a home visit was indicated.

At this point I will generally retreat gracefully and point the user in the direction of the local PC repair shop, but I felt sorry for this chap for reasons which are not relevant in the context of this tale.

"It just stopped working a few days ago", quoth the user. "It was fine before that."

He was trying to use a newly installed copy of a popular P2P application. That application was reporting that it had been unsuccessful in joining the P2P network and that, perhaps, a firewall was to blame. User wanted to know how to turn off this firewall.

Indeed. Let's take a look.

We have here an installation entirely typical of a domestic PC/broadband installation in the UK. It comprises:

  1. A PC, running Windows XP Home Edition and unpatched since purchase (in this case perhaps 4 years ago). Forget SP2. No SP1 here. No patches at all.

  2. A device called an ADSL modem connected via a line filter to a 'phone socket at one side and via a USB cable to the PC at the other.

  3. That's it. Nothing else. No router. No NAT. No firewall (hardware or software). No AV.

The symptoms were interesting. User had also reported that web pages were not found and had initially suspected the ADSL modem - a hardware fault. Tech support at the ISP had investigated and found no such fault but had been unable or unwilling to probe further.

I found that IP connectivity was actually working fine. What was not working fine was name resolution. Being unable to resolve a name, the rest of the symptoms were indeed what you might expect from a total loss of connectivity.

Despite being configured to use the ISP's name servers automatically, the system appeared to be using some interesting name servers not controlled by the ISP but located in a large CIDR block allocated to domestic DSL service in France. This had been achieved by means of a registry hack which no amount of fiddling with settings in the UI would correct.

This type of hack is not widely documented, but does seem fairly widespread. Here's how it goes.

  1. Bad Guy wants to intercept certain classes of communication covertly. Typically these would involve Internet banking, eBay or Paypal.

  2. Bad Guy sets up name servers and uses them to serve up valid DNS with correct delegation and so on, but with a twist. For one or a very small number of domains, this new DNS does not return the correct address but returns an address also under the control of the bad guy.

  3. In order to get users to use this modified DNS, Bad Guy uses malware to hack registry settings. The infested system will appear correctly configured, but will go to Bad Guy's name servers. The precise delivery vector for this malware isn't clear. It may be via a mass mailing worm though I suspect not. I think it more likely that an existing IRC bot is used to install the new malware remotely. This could be done without leaving a trace of the malware on the infested system, so an AV scan would find nothing amiss.

  4. User continues happily using his Internet connection and everything appears normal. When he goes to a site which Bad Guy has chosen to intercept, the address bar in Internet Explorer will say the right thing, but User will actually be surfing Bad Guy's site and giving Bad Guy the information he wants (usernames, passwords, account numbers...).

  5. Some time later, Bad Guy is discovered and his bogus name servers are taken down. User loses name resolution services, hence any usable Internet connectivity, and calls muggins here to fix it.
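The tell-tale of this hijack is a static NameServer value sitting on an interface that the UI still reports as "obtain DNS server address automatically". The audit below is an added example, not code from the original post: it walks a constructed copy of the per-interface Tcpip registry values (the key path and value names are the real ones; the GUIDs, the ISP resolver prefix and the rogue addresses are made-up RFC 5737 documentation addresses) and flags both the override and any resolver outside the prefixes the ISP is expected to use.

```python
"""Audit per-interface DNS settings for a hijacked static NameServer.

Windows keeps these under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\
Parameters\\Interfaces\\{GUID} as EnableDHCP, DhcpNameServer and NameServer.
A non-empty NameServer silently wins over the DHCP-supplied resolvers.
"""
import ipaddress
import re

# Constructed sample of the per-interface values; GUIDs and addresses are
# invented (RFC 5737 documentation ranges), not taken from a real machine.
SAMPLE_INTERFACES = {
    "{A1B2C3D4-0000-0000-0000-000000000001}": {   # the USB ADSL modem
        "EnableDHCP": 1,
        "DhcpNameServer": "192.0.2.53 192.0.2.54",  # what the ISP handed out
        "NameServer": "203.0.113.7,203.0.113.8",    # the hijacked override
    },
    "{A1B2C3D4-0000-0000-0000-000000000002}": {   # unused LAN adapter
        "EnableDHCP": 1,
        "DhcpNameServer": "192.0.2.53 192.0.2.54",
        "NameServer": "",
    },
}

# Prefixes the ISP's resolvers are expected to live in (constructed stand-in).
TRUSTED_RESOLVER_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_servers(value):
    """Resolver lists are REG_SZ strings separated by spaces or commas."""
    return [ipaddress.ip_address(s) for s in re.split(r"[ ,]+", value.strip()) if s]


def audit_interface(values, trusted_nets=TRUSTED_RESOLVER_NETS):
    """Return findings for one interface; an empty list means nothing suspicious."""
    findings = []
    static = parse_servers(values.get("NameServer", ""))
    dhcp = parse_servers(values.get("DhcpNameServer", ""))
    if values.get("EnableDHCP") == 1 and static and static != dhcp:
        findings.append("static NameServer overrides DHCP-supplied resolvers")
    for srv in static or dhcp:          # the resolvers actually in effect
        if not any(srv in net for net in trusted_nets):
            findings.append(f"resolver {srv} is outside trusted prefixes")
    return findings


def audit_interfaces(interfaces, trusted_nets=TRUSTED_RESOLVER_NETS):
    """Map interface GUID -> findings, keeping only interfaces with a report."""
    return {guid: f for guid, vals in interfaces.items()
            if (f := audit_interface(vals, trusted_nets))}


if __name__ == "__main__":
    for guid, findings in audit_interfaces(SAMPLE_INTERFACES).items():
        print(guid)
        for line in findings:
            print("  -", line)
```

On a live system the same checks apply to values read with `winreg` from that key; fixing the NameServer value in the UI is not enough if the malware that wrote it is still resident.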

There's no need to look further in this case to know that the system in question is positively bristling with other nasty pieces of malware, though most of them are no longer useful to their masters as they also rely on functional name resolution.

There's only one thing to do - flatten and rebuild - and so this is what we now do. So much for weekends off.

Knowing that this user feels no obligation to be a responsible 'net user and that his ISP similarly feels no obligation to assist him in this, I set the system to poll for and install updates automatically and also beg the user to purchase and install Symantec Norton Internet Security. There's simply no chance of persuading him to buy a NAT router/SPI firewall to use in place of the free ADSL modem.

A few hours later, I hear back from the family member who introduced me in the first place. User will not be buying the needed security package - he can't afford it. He can afford the perhaps £15 per month for 2Mbps broadband, but £50 for at least some measure of safety will break the bank.

Safe to say, I will not be returning to rebuild that system again when next it is compromised. And it has been already as it is now more than 20 minutes since I left.

Root cause of this madness? Here goes.

  • ISPs in this country are regulated, but the regulator does not impose any service standard. The regulator only demands a low price.

  • To achieve a low price, many ISPs eliminate non-essential elements of the package. These include anything that might enhance security.

  • Installation is also generally DIY to keep costs down, with a kit comprising a free ADSL modem, 2 or 3 line filters and a CD-ROM sent by post to each new subscriber.

  • The result is typically what I have documented here.

Is the user to blame? No. S/he is no more to blame than a passenger thrown through the windscreen of a crashed car that had no seatbelt or airbag fitted.

Modern cars are designed and produced to meet or exceed statutory standards of safety as well as to be cost effective for both manufacturers and buyers. You have Ralph Nader to thank for that.

By contrast in this country ISPs have no duty of care to their consumers and so many routinely omit mandatory safety features.

Those of us who know what we're doing are perfectly safe. Everyone else plays Russian roulette with their Internet connection every time they turn on their PC.

In this form of Russian roulette however, every chamber contains a live round.

Category: Viruses and Worms

Comments :

1. Maria Helm, 06/02/2006 15:53:02


I can identify. My husband and I have the same 'responsibility' within our circle of friends/family/neighbors, and are frequently called on for help with computer/user issues. Fortunately, my husband started a business of it several years back, so occasionally one of these people realizes he usually gets paid for this, and offers him beer or dinner or something in return.

You might direct this tightwad to the "AVG Anti-Virus program for download, including a free version of the product...From Grisoft.com". We've found this useful in cases where the user 'couldn't afford' anything else.

This is becoming such an epidemic, though, that it is frustrating. I've heard several people in businesses like my husband's agree that the MAJORITY of calls they get these days are adware/spyware infections, most of which could have been prevented if the user (or their children) practiced safe surfing and avoided 'questionable' sites...




2. Richard Schwartz, 06/02/2006 16:04:06
Homepage: http://www.rhs.com/poweroftheschwartz


If you're feeling charitable, you may want to recommend the free version of AVG. It's been on my daughters' PC for about a month now, and so far it seems to be doing a better job than Symantec was.

http://www.grisoft.com/doc/289/lng/us/tpl/tpl01




3. Chris Linfoot, 06/02/2006 16:12:44


Thanks Rich and Maria. I may do that. However the reason I nominated Norton Internet Security was as much to provide some form of firewall capability as to provide AV.

I don't care for software firewalls but they are a whole lot better than no firewall.

Also, any 3rd party software firewall is likely to be better than Microsoft's firewall (even the one in SP2). Why? Because these 3rd party products look at outbound traffic in addition to inbound and will generally prevent a newly installed piece of malware from "phoning home". MS' firewall does not filter outbound traffic though that omission is rumoured to have been addressed in Vista. Looking forward to testing that, obviously.



