A few months ago a neighbor (the mother of the family) asked me to take a look at their computer running Windows XP. It had slowed noticeably, and they had a nasty case of “pesky popups.” But to make matters worse, they had discovered a stash of really nasty porn on the machine. The real killer is their son is only six years old, and he was the one being fingered for the crime.
The first thing I did was take a look at the machine, and sure enough it was choc full o’ p0rn, and popups were aplenty. Actually, that was the second thing I did; the first thing I did was accept a glass of very nice Washington merlot :) - not bad for $8 a bottle :))
Then I ran netstat on the box to see if there were any funky connections to the machine. I asked the mother if she had friends in Russia and Brazil. She said, “No” and I replied, “Well that’s bad, because someone in Russia and Brazil likes you!” There were two connections open to the machine, one each from the aforementioned countries.
I noted the IP addresses and then emailed the abuse aliases at the ISPs from my laptop. I know the machines may not be owned by the perps, but the machines might be 0wned by the perps, so I let the ISPs know anyway.
At this point I enabled the firewall and rebooted the machine to shut down any connections.
We had just released the beta of Microsoft AntiSpyware, and I had it along with Windows XP SP2 and Port Reporter on a USB thumbdrive. So I loaded the anti-spyware onto the machine and ran it – sure enough the tool removed a number of instances of malware.
I then accepted a second glass of merlot, and installed Windows XP SP2 and the Port Reporter. You’ll see why I installed Port Reporter in a moment.
Once that was done, I sat the mother down, and said (this is almost verbatim), “You’re the mother, this is your home computer, and this is under your control and no-one else’s. Not your kids and not your husband. Because of this, you’re the only admin on the box; all software is installed by you and no-one else. Oh, and at night, hit the standby key; bad guys can’t get to a machine that’s not running.” She nodded agreeably (like she had an option!). I then removed all the users, except her, from the admin group.
That was about three months ago.
I visited the home the other day to see how things were going; they’ve seen no pop-ups, and no “weird stuff” whatsoever.
I then looked at the Port Reporter output to see if there were any odd outbound connections; there were none. I looked at installed software; nothing funky. I re-ran Microsoft AntiSpyware beta; again, nothing. I also ran RootkitRevealer 1.32 from sysinternals.com, and saw nothing out of the ordinary.
So I consider the machine clean.
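The netstat check I used to spot the Russia and Brazil connections, and the later review of outbound connections, can be scripted. This is an added example, not something from the original post: it parses the `netstat -ano` output layout that Windows XP prints (a constructed sample is embedded, with peers drawn from TEST-NET documentation ranges rather than real hosts) and lists every established connection to an address outside the local, loopback and RFC 1918 ranges, grouped by the PID that owns it so you can chase the process down in Task Manager.

```python
import ipaddress
from collections import defaultdict

# Ranges that never indicate a chat with a stranger on the Internet:
# RFC 1918 private space, loopback, link-local and the unspecified address.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def parse_netstat(text):
    """Parse 'netstat -ano' output (Windows XP column layout) into dicts.
    TCP rows carry a State column; UDP rows do not, so the field count differs."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or something we do not understand
        proto, local, remote = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" else ""
        pid = int(fields[-1])
        rhost, _, rport = remote.rpartition(":")
        conns.append({"proto": proto, "local": local, "remote_host": rhost,
                      "remote_port": rport, "state": state, "pid": pid})
    return conns

def external_established(text):
    """Return ESTABLISHED TCP connections whose peer lies outside TRUSTED_NETS,
    grouped by owning PID (the same question the netstat eyeballing answered)."""
    by_pid = defaultdict(list)
    for c in parse_netstat(text):
        if c["state"] != "ESTABLISHED" or c["remote_host"] == "*":
            continue
        if not is_trusted(c["remote_host"]):
            by_pid[c["pid"]].append(f'{c["remote_host"]}:{c["remote_port"]}')
    return dict(by_pid)

# Constructed sample output; foreign peers use documentation ranges, not real hosts.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:1044       203.0.113.17:4661      ESTABLISHED     1588
  TCP    192.168.1.5:1045       198.51.100.23:6881     ESTABLISHED     1588
  TCP    192.168.1.5:1050       192.168.1.1:80         ESTABLISHED     2200
  TCP    127.0.0.1:1027         127.0.0.1:1028         ESTABLISHED     760
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for pid, peers in external_established(SAMPLE).items():
        print(f"PID {pid} talks to: {', '.join(peers)}")
```

On a real box, feed it the saved output of `netstat -ano` instead of SAMPLE; the two connections to the gateway and to loopback drop out and only the process talking to outside addresses is reported.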
I looked at the firewall log, and it looks like the machine is still seeing attacks! Of course, I expect that, but here's an important point: attacks happen and attacks will always happen; the real issue is that the attacks are not leading to compromises with these defenses in place.
So here are my tips for protecting unmanaged home computers:
1) Install Windows XP SP2.
2) Make sure the firewall is on!
3) Enable AutoUpdates.
4) Make the mother take ownership of the machine. This means she’s the only one that knows the admin account password and every software install goes through her.
5) Make all other users non-admins.
6) Force use of strong passwords. By strong, I don’t mean “stupidly long”, I mean “not simple.”
7) Install an anti-spyware tool; in this case, I used the Microsoft beta offering.
8) Hit Standby when you’re done with the computer at night.
In short: a little technology and a little education is all it takes to stay safe.
PS: Oh, if you’re wondering what the relationship is between the connections to Russia and Brazil and the porn, it’s this: the machine was being used to store porn for these folks. The son is exonerated!
Big thanks to Aaron Margosis and Peter Torr for their comments.