Hacking: Diagnosis and Prevention Page: 1
The Reality
These days viruses are the least of your worries: hackers and spyware are by far the most virulent and cunning of all online security threats. This guide shows you how to fight back: first diagnosing whether you and your PC are at risk, then taking the correct course of action, and finally putting preventative measures in place to minimise the risk of it happening again. Online threats are no longer restricted to bringing down your PC; cybercriminals can now track your every move and target the web sites, such as those of banks, where you enter personal data. Understanding the basics of how hackers work is the first step in arming yourself against having your system compromised.

No PC - and no PC user - is safe from attack. Fast, always-on internet connections make it quick and easy to send and receive information, but the downside of broadband is that it increases the opportunity for net crime. Large companies with a healthy bank balance are an obvious target for high-tech criminals, and one favoured attack is the distributed denial of service (DDoS), in which banks of computers send out bogus requests simultaneously. To do this the attackers need control of many PCs, so they are constantly on the lookout for suitable hosts, and a home PC on an always-on connection is exactly what they are after.
As well as exploiting your PC's web connection for destructive acts, hackers may also find the data stored on your PC invaluable. Malware in the form of keystroke-logging software hides itself on your PC and reports everything you type to the person who planted it there. If a hacker takes over your computer they can rummage around for themselves, investigating any unencrypted files or folders and uncovering financial details and other personal data.

Recently there have been numerous scams designed to get you to reveal bank or credit card details (commonly known as 'phishing'). Searches of a compromised PC for unencrypted passwords are very common too. In the wrong hands such personal details can be used to impersonate you, take out loans against your good credit rating and so on. There are, however, a number of ways to protect your computer from viruses, scams and hackers. Let's look at the tools that help you clean up and protect your PC from trojans and other attacks designed to compromise your system.


How to diagnose if you've been hacked
If the icon for your modem or network connection shows constant activity even when you are not actively using the internet, you are not necessarily being hacked: automatic updates for Windows and other programs often run whenever you go online. Updates that run constantly are unlikely, however, and in such cases your PC may have been recruited into a botnet and be taking part in a DDoS attack. There are several ways to tell if you have been hacked.
1. Keep abreast of when you're online: to display the modem/network connection icon, go to My Network Places, select View Network Connections and right click the icon for your dial-up or LAN connection. Select Properties and tick the box beside "Show icon in notification area when connected".

Network connections and LAN settings

2. High CPU activity or services: A sluggish computer could be a sign that background applications or services are running, some of which may be malware. To check, press Ctrl-Alt-Del (or Ctrl-Shift-Esc to go straight to Task Manager) and click the Performance tab. When applications are running the CPU usage graph will peak quite regularly (mine is at 100%, due to my F@H programs running in the background). Leave the performance monitor open when nothing's running. If CPU usage remains high, check under the Processes tab to see which processes are running in the background, and compare anything you don't recognise against a list of legitimate Windows processes. There is a really informative guide to the legitimate processes and services that should be running on your PC here - http://www.theeldergeek.com/services_guide.htm

3. Performance logging and alerts: Use Windows XP's more advanced tools to monitor your system. Go to Start-Settings-Control Panel, double click Administrative Tools and select Performance to load the Performance management console. Expand Performance Logs and Alerts, click Alerts, then right click in the empty pane and select New Alert Settings. Give your alert a name and, under the General tab, click Add to include a counter. In the dialogue box that appears, select the RAS Total (Remote Access Service) performance object and the Bytes Transmitted counter, then, back under General, set the alert to fire when the value exceeds the amount you specify. Alerts will now be logged and you can review them in the Performance console to spot suspicious outbound activity. Note that the RAS counters only cover dial-up and VPN connections; for a LAN or broadband adapter, pick the Network Interface object and its Bytes Sent/sec counter instead.

Performance logging and alerts


Closing the Gaps
Large companies implement an IDS (Intrusion Detection System), a line of defence that detects hostile activity on a network. Such systems are expensive and sometimes hard to use, but you can build an ad hoc equivalent by combining a firewall, anti-virus software and vulnerability assessment utilities. You can also scan for potential security gaps using two techniques commonly employed by hackers themselves. Port scanning probes the 65,535 TCP and 65,535 UDP ports a PC can use to communicate across a network and reports which of them answer. Packet sniffing software captures and analyses data as it travels across a network; network administrators use it legitimately to monitor traffic and identify bottlenecks. Unfortunately, unencrypted usernames and passwords are also often transmitted across networks, and hackers can use the same packet sniffing software to pick out such data.
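To show what a port scan actually does, here is a small TCP connect scanner in Python. It is an added example, not a tool from the original guide or from any of the vendors mentioned on this page, and it assumes you only point it at your own machine or hosts you are authorised to test. The COMMON_PORTS list is an illustrative selection, not an exhaustive one.

```python
import socket
from typing import Dict, Iterable

# Added example (not part of the original guide): a minimal TCP connect
# scanner you can run against your own PC to see which ports answer.
# Assumption: you only scan hosts you own or are authorised to test.
#
# A TCP port is "open" if the three-way handshake completes and "closed"
# if the host answers with a reset (connect() fails at once with
# ECONNREFUSED). A port that neither answers nor refuses within the
# timeout is reported as "filtered", which is how a firewall that silently
# drops packets (the "stealthed" result on firewall-test sites) looks from
# the outside.


def scan_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"          # RST received: nothing listening
        except (socket.timeout, OSError):
            return "filtered"        # no answer at all within the timeout


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Scan each port in turn and return a {port: state} map."""
    return {p: scan_port(host, p, timeout) for p in ports}


# Ports that Windows services, remote-access tools and malware commonly
# listen on (illustrative selection only).
COMMON_PORTS = [21, 22, 23, 25, 80, 135, 139, 445, 1433, 3389, 5900]

if __name__ == "__main__":
    for port, state in scan_ports("127.0.0.1", COMMON_PORTS).items():
        print(f"{port:5d}/tcp  {state}")
```

Run it against 127.0.0.1 first: anything reported "open" there is a service on your own PC that is listening for connections, which is exactly the kind of thing a remote scanner will find if your firewall lets the traffic through.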

1. Microsoft's scanner:

Most security scanner software is aimed at large companies, with price tags to match, but there are a few free applications. One is the Microsoft Baseline Security Analyser (MBSA), which checks a Windows PC for missing security updates and common misconfigurations, although it is quite difficult to use. Version 1.2.1 is the one shown in the screenshots below; the current release at the time of writing is 2.0. You can download it here - http://www.microsoft.com/technet/security/tools/mbsahome.mspx

MBSA has the ability to scan multiple computers

MBSA gives a comprehensive security report

MBSA provides information on security vulnerabilities


2. No holes with NeWT 2.1:
Of the free tools available this is by far the simplest to use, if you can get hold of a copy. Tenable Network Security has discontinued support for NeWT, but has a replacement on the way: Nessus 3 for Windows will replace NeWT and will not have NeWT's IP-based scanning limitations. Tenable expects to release Nessus 3 for Windows shortly; until then NeWT can still be downloaded from here - www.tenablesecurity.com/newt.html
GFI LANguard Network Security Scanner - www.gfi.com/lannetscan - is another good package with a free edition.
After installing NeWT, go to Start-Programs-Tenable Network Security-Tenable NeWT-NeWT Security Scanner. This checks for more than 4000 common security vulnerabilities. To start, click New Scan Task. The free version can only scan the local network and, for standalone users, you will see the name Localhost listed in the drop-down menu. Select this and click Next, then choose "Enable all but dangerous plugins" before starting your scan (the "dangerous" plugins run real denial-of-service tests and can crash the target). Note that the report generated by NeWT will only be useful if you have a reasonable understanding of ports and network connections.

The report generated by NeWT

3. Symantec Security Check:
Symantec offers a free online service to check the levels of protection on your PC. Go to http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym and follow the links on the SSC (Symantec Security Check) page to see how exposed your PC is to hackers and viruses. After you click each link you will be asked to install the Security Check applet (choose Yes when prompted), then a page will appear showing your public IP address. Click the Scan button at the bottom of the page to start the check. If your PC is insecure, the SSC will tell you how and why. Unsurprisingly, the recommended solution is to buy Symantec's security software :D

Symantec Security check

Port scan results...all clear!!!




4. Open door policy:
A good firewall protects you from inbound attacks while also monitoring the applications on your PC when they make outbound connections to remote systems. (Trojan horse programs, spyware and other malware that sneak onto your PC often use your internet link to connect clandestinely to remote servers.) Windows XP's built-in firewall only filters inbound connections, so it offers no protection against malware already on your PC phoning home. The latest versions of Sygate Personal Firewall or ZoneAlarm are effective. If you have a broadband connection you may also want a hardware firewall in conjunction with the software one. Many cable and DSL modems and routers - wireless routers included - have a firewall that you can configure from your PC. Because these hardware firewalls sit outside your system they can't see which applications are opening outbound connections, so they don't replace a software firewall running on the PC itself.
If you would like to see how well your firewall stands up against the nasties on the web, you can get yourself tested at the links below. Ideally every port should show as blocked, stealthed or non-responsive. Some of the more reliable firewall testing sites are:
Shields Up - https://www.grc.com/x/ne.dll?bh0bkyd2
Sygate Security Check - http://scan.sygatetech.com/
PC Flank - http://www.pcflank.com/
The Windows XP firewall is a very simple product. It provides basic protection in an effective and user-friendly manner, but it has a distinct lack of options, especially when it comes to adding extra security. About the only option you might want to set is logging, which is disabled by default.

Windows XP SP2 firewall

Go to Start-Control Panel-Network and Internet Connections-Network Connections, right click on your internet connection (which should be at the top of the page) and select Properties. Now go to the Advanced tab and click the Settings button.

Choose the Security Logging tab and enable logging of both dropped packets and successful connections. Note the default location of the log, C:\Windows\pfirewall.log. You can open this file in Notepad to review recent blocked and successful connection attempts; the meaning of each column is given on the #Fields line at the top of the file.
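Reading pfirewall.log by eye gets tedious quickly, so here is a small Python script that parses it and pulls out the two things worth looking for: one outside address knocking on many different ports (a port scan) and connections your own PC opened to the outside (the "phoning home" the XP firewall can't block but does record once logging is on). This is an added example, not part of the original guide or a Microsoft tool. The log text is constructed for the example and follows the XP SP2 column layout; the script reads the column names from the #Fields line, so it also copes with logs whose columns differ, and the local address 192.168.1.2 is an assumption you would replace with your own.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example (not from the original guide): parse Windows XP's
# pfirewall.log and summarise it. The sample below is constructed, using
# the XP SP2 column layout; RFC 5737 documentation addresses stand in for
# real hosts and 192.168.1.2 is the assumed address of this PC.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-06-01 21:15:02 DROP TCP 203.0.113.7 192.168.1.2 3345 135 48 S 2310114 0 65535 - - - RECEIVE
2005-06-01 21:15:02 DROP TCP 203.0.113.7 192.168.1.2 3346 139 48 S 2310115 0 65535 - - - RECEIVE
2005-06-01 21:15:03 DROP TCP 203.0.113.7 192.168.1.2 3347 445 48 S 2310116 0 65535 - - - RECEIVE
2005-06-01 21:15:03 DROP TCP 203.0.113.7 192.168.1.2 3348 1433 48 S 2310117 0 65535 - - - RECEIVE
2005-06-01 21:15:09 DROP UDP 198.51.100.20 192.168.1.2 1026 1026 430 - - - - - - - RECEIVE
2005-06-01 21:16:40 OPEN TCP 192.168.1.2 198.51.100.80 1044 80 - - - - - - - - -
2005-06-01 21:16:41 OPEN TCP 192.168.1.2 192.0.2.55 1045 6667 - - - - - - - - -
2005-06-01 21:17:00 CLOSE TCP 192.168.1.2 198.51.100.80 1044 80 - - - - - - - - -
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn the W3C-style log into a list of {column: value} records.

    Column names are taken from the #Fields header rather than hard-coded,
    so the parser works whichever columns a given Windows version writes.
    """
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        parts = line.split()
        parts += ["-"] * (len(fields) - len(parts))  # pad short lines
        records.append(dict(zip(fields, parts)))
    return records


def inbound_drops_by_source(records: List[Dict[str, str]], min_ports: int = 3) -> Dict[str, List[int]]:
    """Map each outside address to the distinct local ports it was blocked on.

    Only sources blocked on at least min_ports different ports are returned;
    one address probing many ports in a few seconds is the signature of a
    port scan. 'path' is RECEIVE for inbound DROPs on XP SP2; treating
    anything except SEND as inbound keeps this working on logs without it.
    """
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r.get("path", "-") != "SEND" and r["dst-port"].isdigit():
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def outbound_opens(records: List[Dict[str, str]], local_ip: str) -> List[Tuple[str, int, str]]:
    """List (remote address, remote port, protocol) for connections this PC opened.

    The XP log does not record which program opened the connection, so an
    unexpected destination (for example IRC on 6667, a classic bot
    command channel) is your cue to go looking in Task Manager.
    """
    return [
        (r["dst-ip"], int(r["dst-port"]), r["protocol"])
        for r in records
        if r["action"] == "OPEN" and r["src-ip"] == local_ip and r["dst-port"].isdigit()
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, ports in inbound_drops_by_source(recs).items():
        print(f"possible scan from {ip}: ports {ports}")
    for dst, port, proto in outbound_opens(recs, "192.168.1.2"):
        print(f"outbound {proto} connection to {dst}:{port}")
```

To use it on your own machine, replace SAMPLE_LOG with the contents of C:\Windows\pfirewall.log and pass your PC's address to outbound_opens. The "scan" threshold of three ports is deliberately low for a home PC; raise it if your log is noisy.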

You need to patch to protect!!!
Most PCs become infected when files and apps sneak in via your web connection. To avoid future breaches, first ensure your browser and email client are as secure as possible. Common techniques for compromising computers include spoofing a web address (passing off a dangerous site as a more respectable one) and exploiting loopholes in Internet Explorer's security to pass protected information to untrusted sites.

1. Keep Windows patched:
Install the latest Windows patches and fixes - that means SP2 if you're running XP. And remember, SP2 does not protect you from all future security flaws, so you will still have to update your PC regularly with patches and security fixes. After you have installed SP2, go to Start-Windows Update to access the site: you will be prompted to download a new interface that, among other things, simplifies the process of installing critical security fixes.

Win XP automatic updates


2. Safer surfing:
Many loopholes in IE stem from the ActiveX controls the browser allows to run on your machine and, potentially, access your data. To make your surfing more secure, go to Tools-Internet Options and click on the Security tab. Next slide the security level up to High, or click the Custom Level button and disable the options for the various ActiveX controls. If you use Outlook Express, go to Tools-Options and, under the Security tab, tick the options that stop IE opening possibly infected attachments via the preview pane and (with SP2) block images in HTML messages.

Internet Explorer settings

3. Firefox:
IE's popularity along with its security flaws makes it an obvious attack target, so I recommend you use Firefox instead. FF is fast, responsive and compatible with most pages that IE will display. Common plug-ins such as Flash and QuickTime are not part of the standard installation, however. Some pages need ActiveX controls to display properly - but I've already recommended disabling those controls to surf safely, and Firefox does not support them at all. You can get the latest version of FF here - http://www.mozilla.com/firefox/
If you need anything else for FF, for example extensions, they can be found at the browser's add-ons page here - https://addons.mozilla.org/?application=firefox

4. Detecting Trojans:
Not all anti-virus software looks for Trojans. If such attacks are of concern, use a dedicated scanner such as TDS-3, Trojan Hunter or (a)squared.

(a)squared


Download and install the freeware version of (a)squared from http://www.emsisoft.com/en/software/free/ then click the Scan button to check your computer for nasties. Of the anti-Trojan apps mentioned, Trojan Hunter and (a)squared are probably the easiest to use, while TDS-3 probably has the largest anti-Trojan database available to any program. Its interface and complexity will be intimidating to new users, but I can highly recommend it for experts who want complete control over Trojans and malware.
If you require more info on other net nasties and how to prevent them, you can read my guide "Removing Browser Hijacks, viruses and spyware with a 'HijackThis' inclusion".
Well, I hope this has given you a little more knowledge, if anything. First and foremost this guide was created to make you, the user, aware, so that you don't end up a victim.

PV5150