Wednesday, January 27, 2010

Rootkits, Malware, TCPview, keyloggers and Security Nightmares

A close friend of mine, who has asked to remain anonymous, has had a nightmare scenario with his home computer; a warning to all of us....

A description of this tale of woe
1. Our friend received a payment from his employer as a temporary worker for a series of projects he completed. Part of this payment he placed in a building society account which can be accessed only through online, web browser based services. The amount transferred was £4000.
2. Within 8 hours of the payment arriving in the building society account, it was effectively stolen by online hackers, the money being transferred out in two £2000 lump sums.
3. Also, on his credit card, 5 items were purchased totalling £1800 in the same 24 hour period.
4. On his other credit card an account was created using www.amazon.co.uk and attempted payments were placed for processing - only when Amazon warned our friend did he discover the other transactions.

Our friend and his wife suspected their computer was the root of the problem. To me it sounded as if someone had obtained their credit card and online banking details via their PC, which ran Windows XP, so they asked me to take a look. What I found was an insight into the poor security of Microsoft operating systems that are affected by certain exploits that have not been patched.

How I found the problem

A) On first inspection the Microsoft XP computer seemed 100% OK

* Valid anti-virus solution, fully updated - Norton
* Valid anti-spyware solution, fully updated - Norton
* Microsoft firewall enabled and all Microsoft updates seemed to be installed OK
* Separate ADSL router with built-in firewall, supplied by their broadband provider


B) I decided to run a separate virus and malware checker on this PC in Windows "SAFE MODE with networking"; you can access this mode by pressing F8 during Windows startup and selecting the appropriate menu option. The Malwarebytes software I used ( www.malwarebytes.org ) is a very strong tool for discovering and fixing malware issues and runs well in safe mode. It took a long time to run (2 hours) but found 524 items of various spyware/malware that seemed fairly innocuous; however, this type of malware can act as a 'masking agent' for what is known as a ROOTKIT. A rootkit is a bit of software that HIDES other software, which a remote person can then use to control your PC over the internet; see here on Wikipedia ( http://en.wikipedia.org/wiki/Rootkit ).


C) After using Malwarebytes to remove the malware discovered above, I ran a rootkit discovery programme ( http://technet.microsoft.com/en-gb/sysinternals/bb897445.aspx ), which found a ROOTKIT on the system. Also, using TCPVIEW from Sysinternals, I saw a system process connecting to differing addresses on the internet in the Far East and the Netherlands. I suspected this was a KEYLOGGER program ( http://en.wikipedia.org/wiki/Keylogger ); such a program allows the keystrokes on your keyboard to be intercepted, and it is smart enough to know when you are typing banking or credit card details.

An example of a normal TCPVIEW output window is below.
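TCPView shows the same information as the command `netstat -ano` (available on Windows XP), so the check I did by eye can also be scripted. The following is an added example, not code from the original post; the netstat listing, the PID-to-program table and the list of programs allowed to talk to the internet are all constructed, and the addresses are documentation ranges, not real hosts.

```python
# Added example, not from the original post: TCPView's check in scriptable form, run over a
# ``netstat -ano`` listing. The listing, PID-to-image table and allow-list are constructed.
import ipaddress

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    127.0.0.1:1040         127.0.0.1:1041         ESTABLISHED     1588
  TCP    192.168.1.10:1052      192.168.1.1:80         ESTABLISHED     2204
  TCP    192.168.1.10:1077      203.0.113.45:8080      ESTABLISHED     4
  TCP    192.168.1.10:1078      198.51.100.7:443       ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed PID-to-image table; ``tasklist`` supplies the real one on XP.
SAMPLE_PROCESSES = {4: "System", 932: "svchost.exe", 1588: "explorer.exe", 2204: "iexplore.exe"}
# Programs this machine is expected to use for internet access. Tune per machine:
# Windows Update (svchost.exe) and a mail client also legitimately talk out.
EXPECTED_INTERNET = {"iexplore.exe", "firefox.exe"}
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_netstat(text):
    """Return (local, remote, state, pid) for each TCP row; UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            rows.append((parts[1], parts[2], parts[3], int(parts[4])))
    return rows

def is_local(host):
    """True for RFC 1918 and loopback addresses (the ADSL router, the PC itself)."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in LOCAL_RANGES)

def unexpected_outbound(text, processes, expected=EXPECTED_INTERNET):
    """Established connections to internet hosts from programs not on the allow-list."""
    flagged = []
    for _local, remote, state, pid in parse_netstat(text):
        host, _, port = remote.rpartition(":")
        if state != "ESTABLISHED" or is_local(host):
            continue
        image = processes.get(pid, "<unknown>")  # an unknown PID is itself a finding
        if image not in expected:
            flagged.append((image, pid, host, int(port)))
    return flagged

if __name__ == "__main__":
    for image, pid, host, port in unexpected_outbound(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"{image} (PID {pid}) -> {host}:{port}")
```

On the constructed listing only the System process (PID 4) talking to a public address is reported; the browser's own connection is expected and LAN or loopback traffic is ignored.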

D) The ONLY solution to this issue on which you can rely, in my opinion, is a total wipe of the PC's hard disk and a re-install of the whole computer from scratch.

How did this occur?


* This is the scary part: over the last year Microsoft have had issues with Internet Explorer. The remote hacker used the exploit in the bulletin below, which was only fixed in July 2009, to take control of our friend's computer and remotely install this software: http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
* This exploit can be triggered by simply browsing to a website which has code embedded to use it to compromise the security of your XP computer.


Why did the antivirus and firewall software not stop this?

* The antivirus/spyware software stops known viruses and malware; it does not plug holes in Internet Explorer. Thus a hacker writes a VERY simple bit of JAVASCRIPT on a web page that uses the exploit to take remote control of your XP PC, and the antivirus can't detect it as it has NO PRIOR knowledge of this code as a virus. The firewall can't block the traffic either, as it arrives on the port that allows you to browse the internet; if you block that port you can't browse anything.


Given the above how can this be prevented?

* Move to Linux or Unix on your home computer ( http://en.wikipedia.org/wiki/Desktop_Linux ). Our friend is swapping to Ubuntu Linux as a desktop operating system ( http://www.ubuntu.com ) after learning the hard way; it's a learning curve, but he and his wife want to trust their computer again. Ubuntu supports almost 100% of the features of Windows with FREE software - http://www.ubuntu.com/products/whatisubuntu/910features
* Consider moving to an Apple solution; Apple's operating system uses UNIX behind the pretty graphics, which is highly secure - http://www.apple.com/uk/mac/


However, the above solutions are not for everyone, so if you must stay with Microsoft Windows products:

* Upgrade to Windows 7 and load up the FREE Security Essentials pack http://www.microsoft.com/Security_Essentials/
* Even with Windows 7, move your web browser to FIREFOX for Windows -- http://www.mozilla-europe.org/en/firefox/
* STILL ensure you have your FIREWALL ON and AUTOMATIC UPDATES ENABLED, and I would recommend this package, which should try to prevent break-ins of the type I have described -- http://www.threatfire.com/


If you must use Windows XP:

* Install FIREFOX (this may not help with ALL exploits)
* Use an anti-virus solution that is fully updated -- AVG is an OK choice, others like AVAST are also OK choices -- http://free.avg.com/gb-en/homepage
* Use an anti-spyware solution that is fully updated -- see item above
* Install ThreatFire (see above)
* Install a firewall that is of high quality -- consider this free one -- http://personalfirewall.comodo.com/
* Enable automatic updates
* THIS ONE IS THE BEST PROTECTION -- but costs 26 euros -- enable a SANDBOX for your browser - http://www.sandboxie.com/


What is Sandboxie? (from the last item above)

Sandboxie runs your programs, like a web browser, in an isolated space which prevents them from making permanent changes to other programs and data on your computer. Take a look at the http://www.sandboxie.com/ website, which explains more; you can try the software for free.

Friday, January 22, 2010

C# help

A great reference on C#. I am slowly getting into MonoDevelop and Mono; the problem I have is I can't settle on which language to concentrate on! I love Python and now I find this easy, multi-platform C# stuff appealing....... I should just get on and program in both or I am never going to start.

http://www.csharphelp.com/index.html

Monday, January 11, 2010

IT Highlights of the Decade

OK, I am not going to wax lyrical about the details behind my selection here, but this post gives my highlights of the IT world of the last decade, as requested by a pal of mine:
  • iPhone - Grabbed 50% OF THE SMARTPHONE MARKET and forced the established players, including Blackberry, to change their tack
  • Windows XP and Ubuntu Linux - The great survivors: XP was the product Microsoft could NOT kill off (helped by the rise of the netbook) and Ubuntu became the distro that newbie Linux users could not do without
  • Rise of MySQL - This open source database grabbed a huge market by the scruff of the neck and rode the wave of the Linux server/software driven Web 2.0 revolution
  • Fall of MySQL - Playing the exit plan game, MySQL ended up in the hands of its BIGGEST RIVAL, Oracle, via Sun.
  • Java - Sun Java and players like JBoss made the Java 'stack' one of the most powerful platforms for players in all sorts of industries
  • Firefox - The Driller Killer web browser, filled the holes in Microsoft's bug fix turnaround for the IE browser, plus introduced the ultimate customization - the add-in.
  • USB - just how easy is buying ANY peripheral nowadays......errr, buy USB -- DONE.
  • Oracle, Predator of the decade - 64 companies purchased - mainly good, solid deals too, way to go Larry.
  • Google -- say no more

Sunday, January 10, 2010

Adobe PDF Reader not the only show in town

As you may or may not know, the PDF document reader on your Windows PC from Adobe has a reputation for having bugs that give online criminals a chance to take over your computer with rootkits and viruses. This article reviews the best alternatives -- I use Sumatra on Windows PCs -- small program, big features and FREE ...

http://lifehacker.com/5328211/five-best-pdf-readers