6.9 Preventing Trojans and Worms Preventing Trojans and worms takes end- user awareness, antivirus software, and prevention techniques. 6.9.1 Don't Run Unknown Executable ContentTo prevent Trojans and worms from compromising a PC, don't ever run unknown or untrusted executable content. Most Trojans and worms arrive via email these days. This means don't ever click or execute files with the following extensions: ( .EXE, .COM, .BAT, .CHM, .SHS, .VBS, or .JS ). There are even more potentially malicious extensions than this list, but they are the main ones used by Trojan writers today. The most common Trojan arrives as a joke executable. No matter how fun the sender says it is, don't run it. Send back a polite email telling them you never execute email attachments. So far, you can safely click on graphic or video files (e.g., .JPG, .MPG, .AVI, .GIF, .BMP , etc.) without the threat of executing malicious code. But be wary of graphic files that are embedded within executables or executables renamed to look like graphic files. Worms have arrived as an attachment called PICTURE.EXE . Some Trojans take advantage of the fact that Windows machines do not show known file extensions by default. Hence, PICTURE.JPG can really be PICTURE.JPG.EXE . Don't click on web links sent via email unless they point to known, safe sites. The link could be a short HTML file that downloads a malicious script file. Although covered in more detail in Chapter 14, if you are a network administrator, you can implement security policies and install programs that only allow certain executables and active content to be executed. Both NT and Novell networks come with software that can limit what executables are allowed to run. While difficult to correctly setup and install (one legitimate application like MS Word may have dozens of related executables), you can almost guarantee a Trojan and virus-free environment. 6.9.2 Scanners and Detector ProgramsI've purposely placed scanning and detector programs second on the prevention list in this chapter. So much new malicious code is becoming available that scanners and detectors cannot detect it all. New encrypted or compressed variants can easily bypass most of these tools. That said, you must implement a trusted scanning or detecting solution as a main line of defense. It is important to pick an antivirus solution that is active in memory and scans all incoming emails and Internet downloads. Without this feature, the worm can spread throughout your company before the first call to the help desk arrives. 6.9.3 Disable NetBIOS over TCP/IPBy default many Internet-connected Windows machines use two transport protocols: TCP/IP and NetBeui. NetBeui is included for local area network resource sharing, and for directories, printers, and remote administration. When NetBIOS over TCP/IP (NBT) is enabled on an Internet-connected machine it is possible for specific types of malicious mobile code, and crackers, to gain access to that machine. If a machine is not being used to share printers or folders, then it really should not be enabled anyway. You can enable or disable NBT by checking Network Neighborhood Properties. Disable any bindings between NetBIOS-based services and TCP/IP. If you need to leave NBT on, make sure a firewall prevents TCP/IP ports 137, 138, and 139 from interfacing with the Internet. 6.9.4 Download the Latest IE and OS PatchesAs new Trojans and worms reveal weaknesses in Internet Explorer's armor , Microsoft releases new patches. You can choose Start Windows Update to see what patches are available for Internet Explorer and your particular operating system. For most people, their first visit to Microsoft's Windows Update site is followed by an hour or longer download and install session. 6.9.5 Password-Protect Drive SharesIf you intend to share drives and folders on a Windows machine make sure the shares are password-protected. Windows NT Server will automatically protect shares if installed and configured correctly. Trojans that spread using unprotected drive shares often have more success with lesser-protected end user workstations. It is easy to set up a quick share for temporary use and later on forget "to un-share" the resource. So instead, password-protect all shares to prevent mischievous hackers and programs from gaining access.
6.9.6 Consider Limiting Email AttachmentsIf email Trojans are a problem, consider configuring or installing an email that limits or prevents email attachments. Obviously, not allowing any email attachments will severely hamper many legitimate email users, so carefully weigh the costs and benefits before completely disabling file attachments. Instead, consider preventing the most dangerous types of executables, like .VBS and .EXE . If you are an Outlook shop, consider installing Microsoft's Outlook Security Update (as covered in Chapter 12). 6.9.7 Rename or Remove Key ExecutablesAlthough certainly not a long- term solution, renaming normally unused system executables commonly used by Trojans and worms can decrease the risk of invasion. Usually you can delete or rename the following files without ill effects: WSCRIPT.EXE, CSCRIPT.EXE, REGEDIT.EXE ( REGEDT32.EXE in NT), FORMAT.COM , and DEBUG.EXE . With Windows NT and 2000 systems, consider removing security access permissions to prevent their execution. For safety reasons, I prefer renaming these files to any other name that will prevent Trojans or worms from directly using the program. For example, WSCRIPT.EXE can become WSCRIPT.EXX or REGEDIT.EXE can be renamed REGMOD.EXE . Computers with Windows 2000 or ME will automatically restore protected files, including most of those listed earlier. Luckily, there are a few ways around xFP protection. In Windows 2000, using the DOS command prompt, you can copy any protected file over another. For instance, I routinely copy NOTEPAD.EXE over WSCRIPT.EXE using the following command: COPY NOTEPAD.EXE WSCRIPT.EXE
This works because of a quirk in Windows File Protection. It will note that a change happened , but then find that the modified file contains a valid digital signature, thereby ignoring that the valid signature belongs to another file, and allowing the changed file to remain . Windows ME isn't as easy to fool. In order to keep System File Protection from restoring deleted or renamed protected files, you must manually disable their protection in the SFP's databases. Here's an example of how you would remove files from SFP in Windows ME:
6.9.8 Change File Associations of Potentially Harmful ProgramsAlong the same lines, consider reassociating dangerous file types, like .VBS or .JS , to nondangerous executables (see Chapter 4 or Chapter 12). 6.9.9 Use FirewallsAlthough most traditional firewalls won't stop a Trojan or worm from entering a protected network, they can prevent many remote access Trojans from contacting their originating hacker. Or even if the Trojan is able to email the hacker and announce its new invasion, the new Trojan port probably isn't one allowed off the local network, which is protected with a properly configured firewall. So, though a PC may get invaded with Back Orifice, the client portion will not be able to find the server program because the port is blocked. Finjan Software is one of a dozen industry leaders leading the push for a new way ( Common Content Inspection API ) for firewalls to interact with malware detectors. This is covered in Chapter 14. 6.9.10 Run Programs as a NonadminIf you've got Windows NT or 2000, run programs using a nonadministrative user account, whenever possible. Many Trojans will be unsuccessful in their install attempts if executed by a nonadministrative user. On Windows 2000, use Run As for executing trusted system utilities on an as-needed basis. If you follow these recommend steps, your exposure to Trojans and worms will be significantly minimized. |
Team-Fly |
Top |