glaurung_quena ([personal profile] glaurung) wrote2006-05-24 07:06 pm
All your computers are belong to us now

Background: when [livejournal.com profile] morgan_dhu's employer set her up with VPN so that she could work from home, the company IT guy was very firm: we could not install a software firewall on the work computer, and we could not put the work computer behind a router. The reasons didn't make much sense to us, but it was their computer, so they got to make the rules (she was also told that due to licensing issues, she could not install Mozilla on her work machine -- no seriously).

So we paid the cable company an extra $20 per month for 2 extra IP addresses so we could connect all our computers to the internet using a hub, instead of a router. And ever since then, the work machine has been naked to the internet, totally unprotected save for the frail figleaves provided by Norton Antivirus and Windows Update.

Since that time, all of the tech support and IT people at the company have been replaced with new people. The new people have a somewhat different philosophy than the old people: for instance, it is now permitted to install Firefox on one's work computer.

For a couple of years, we had one IP for each machine (my computer, [livejournal.com profile] morgan_dhu's computer, and her work computer) and they were all connected to the cable modem with a hub. Our personal computers were and still are protected by software firewalls; in addition, a few months ago, I decided I was tired of sending ridiculous amounts of money to the cable company each month, and bought a router. That enabled me to cancel one of the two extra IP addresses. So for the past few months, we had connected our personal computers to the router, and connected the router and the work computer to a hub, which connected to the cable modem. Yes, there was an unholy mess of cables behind the desk; we suspect the cables of developing their own form of intelligence and plotting world domination.

So, anyway, this afternoon, [livejournal.com profile] morgan_dhu started experiencing weirdness on her work machine. The mouse started moving around by itself, downloading a file, installing something, clicking past some kind of "are you sure you want to install this thing" warning, and the like. In short, it had been taken over by some kind of remote control software, and someone out there was merrily installing their little rootkit on it. The only question, really, is why it took so freaking long (unless of course it had been suborned years ago and only today the hacker had the bad judgement to start doing stuff when she happened to be using it).

Once we realised what was happening, I pulled the power plug on the computer, unplugged its Ethernet cable, and then we called the tech support at [livejournal.com profile] morgan_dhu's company. One of the first things he asked me to do was to plug the work machine into our router, enable VPN on the router, and reboot the work machine so that it would connect to the corporate network through the router.

Then he led me through several rounds of trying to find the freaking rootkit, to no avail. Ad-aware found zilch, msconfig.exe found zilch, and after he said goodbye, I downloaded a "rootkit revealer" from sysinternals.com, and that found zilch. Reviewing running processes also revealed nothing that didn't seem to belong. So Morgan's work computer is probably still suborned. Fortunately it's only turned on about 8 to 12 hours a day, so while it may be part of a zombie farm (although I'd think zombie farmers would really prefer to take over machines that are left on around the clock), it's at least not a very efficient zombie.

On the upside, we can now save ourselves another $10 a month by cancelling all the extra IPs and just going with basic high-speed service. We can also cut back the cable forest behind Morgan's desk, from "enough to stretch to the moon" to merely "enough to stretch around the block."

Advertisement: Anybody who can help me figure out where the rootkit/remote control malware is hiding on [livejournal.com profile] morgan_dhu's work machine may claim a lightly used 4 port linksys hub, free.

Re: This was posted by someone else, but it's locked.

[personal profile] xochiquetzl 2006-05-25 01:12 am (UTC)

Step 3. Prevention

1. Spybot and SpywareBlaster both install a small amount of protection against reinfection. They're not going to stop everything, but it helps with known spyware. We already put in Spybot's protection. Run SpywareBlaster, update it, and enable all protection.

2. Download and install AVG ( http://free.grisoft.com/freeweb.php/doc/2/ ) a free and rather nice little anti-virus program that doesn't weigh down your system like Norton and McAfee do. KEEP IT UPDATED. Without updates, your software is useless.

3. Download and install ZoneAlarm ( http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp ) a free and rather nice little firewall program. You will have to configure it to allow your computer and software to connect to the internet, but it is worth the extra effort.

4. Do your Windows Updates. Yeah yeah, no excuses. They patch bad security holes, and this is Microsoft so there's a lot of those around.

5. Switch browsers. IE is a huge gaping hole of security flaws that are exploited by spyware programs. ANY other browser will be far more secure. Check out these very nice free/inexpensive browsers:
Opera: http://www.opera.com/download/
Firefox: http://www.mozilla.org/products/firefox/
Netscape: http://channels.netscape.com/ns/browsers/download.jsp

If your new browser software doesn't have it, get a pop-up blocker. If it does have a built-in one, turn that sucker on and leave it on. Pop-ups are not only evil, they often are the way spyware is delivered to your PC. Keep them away.

6. Be careful about installing free software. Weatherbug, Incredimail, Cursor and Smiley programs, filesharing (Kazaa, Limewire, etc) and other programs install spyware on your PC. If you find free software and you're not sure if it's safe, go to www.google.com and enter the name of the program and the word 'spyware'; the results will show if it contains anything malicious. If it does, don't use it and find an alternative.

7. Once a month, update and scan with Ad-aware and Spybot. This will catch any spyware that slips past your defenses. Scan more often if you frequent high-risk areas such as adult websites and filesharing.

Feel free to copy the contents of this entry and pass them around. You do not need to attach any credit.