Archive for category Computer Security

What is a Rootkit and How it Infects your PC

Everyone knows about computer viruses – and people are rightly fearful of them. Many have also heard about (computer) worms, which are nasty programs designed to spread as much as they can to infect computers.

A rootkit, on the other hand, is devious in a different way. This unwanted code hides deep inside your system and is used to gain control over your computer. Unlike most viruses, it is not directly destructive, and unlike worms, its objective is not to spread infection as widely as possible.

So what does a Rootkit do?

What it does do is provide access to all your folders – both private data and system files – to a remote user who, with administrative powers, can do whatever he wants with your computer. Needless to say, every user should be aware of the threat rootkits pose.

Rootkits generally go much deeper than the average virus. They may even infect your BIOS – the part of your computer that’s independent of the operating system – making them harder to remove. And they are not necessarily Windows-specific: Linux or Apple machines can be affected too. In fact, the first rootkit ever written was for Unix!

Image: Rootkits (image by Fristle)

Is this a new phenomenon?

No, not at all. The earliest known rootkit is in fact two decades old. However, now that every home and every work desk has a computer connected to the internet, the possibilities for using the full potential of a rootkit are only just being realized.

Possibly the most famous case so far was in 2005, when CDs sold by Sony BMG installed rootkits without user permission that allowed any user logged in at the computer to access the administrator mode. The purpose of that rootkit was to enforce copy protection (called “Digital Rights Management” or DRM) on the CDs, but it compromised the computer it was installed on. This process could easily be hijacked for malicious purposes.

What makes it different from a virus?

Most often, rootkits are used to control and not to destroy. Of course, this control could be used to delete data files, but it can also be used for more nefarious purposes.

More importantly, rootkits run at the same privilege levels as most antivirus programs. This makes them that much harder to remove, as the computer cannot decide which program has the greater authority to shut down the other.

So how might I get infected with a rootkit?

As mentioned above, a rootkit may piggyback on software you thought you trusted. When you give this software permission to install on your computer, it also inserts a process that waits silently in the background for a command. And since giving that permission requires administrative access, the rootkit is already in a sensitive location on the computer.

Another way to get infected is through standard viral infection techniques – either through shared disks and drives or through infected web content. This infection may not easily be spotted because of the silent nature of rootkits.

There have also been cases where rootkits came pre-installed on purchased computers. The intentions behind such software may be good – for example, anti-theft identification or remote diagnosis – but it has been shown that the mere presence of such a path into the system is itself a vulnerability.

http://www.guidingtech.com/4467/what-is-a-rootkit/


Registry hack allows Windows XP SP2 patching

For computers running legacy software that isn’t compatible with SP3, Vista or Windows 7.

Computerworld – People still running the now-retired Windows XP Service Pack 2 (SP2) can trick the operating system into installing security updates, a researcher said Monday.

The hack requires an edit of a single key in the Windows registry, said Sean Sullivan, a security adviser with Helsinki, Finland-based antivirus vendor F-Secure, who spelled out the tweak in a blog post.

“It turns out that an SP2 system will think it’s [Service Pack 3] if you edit this key: ‘HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows,’ and edit the DWORD value ‘CSDVersion’ from 200 to 300, [then] reboot,” said Sullivan.

According to Microsoft, CSDVersion specifies the name of the most recent service pack installed on the PC.

In other words, Sullivan’s hack disguises XP SP2 as SP3 when Microsoft’s security updates determine whether the PC is eligible for a patch.

With the hack, Sullivan was able to force a Windows XP SP2 system to install the emergency patch Microsoft issued last week for a critical vulnerability in Windows’ parsing of shortcut files.

That “out-of-band” update was officially denied to Windows XP SP2 PCs because the service pack was retired from support on July 13. By Microsoft policy, retired products no longer receive security patches.

After hacking the registry, Sullivan installed the shortcut patch — which he had downloaded directly from Microsoft’s site rather than via the Windows Update patching service — and tested an exploit that has been used by attackers for several weeks to infect PCs.

“It did not infect the system after the patch,” said Sullivan. “Cool.”

The patch for the shortcut bug can be found on Microsoft’s Download Center site.

Sullivan cautioned users that the registry hack is risky.

“Remember, this update is not officially tested or supported by Microsoft for SP2,” Sullivan said. “Hacking the registry and applying updates is likely a very quick way to destabilize your system. You really should update to Service Pack 3 if at all possible.”

Most users, in fact, steer clear of the registry, since, as Sullivan pointed out, an editing error can cripple the computer. “Do so at your own risk,” he added.

Sullivan admitted he had not come up with the registry tweak, but said he had remembered a similar hack touted by players of “Grand Theft Auto IV” a year and a half ago. A thread on the GTAForums.com site from December 2008 showed how the same hack could be used to fool the game into launching on a Windows XP SP2 system.

Microsoft has been pushing customers all year to upgrade from XP SP2 to SP3 — or to move to the new Windows 7 instead — and offers detailed instructions on how to get and install XP’s third service pack on its site.

http://www.computerworld.com/s/article/9180478/Registry_hack_allows_Windows_XP_SP2_patching
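As an added defender-side check (not from the Computerworld article or from F-Secure), the script below decodes the CSDVersion DWORD the article describes and compares it with the human-readable service-pack string Windows keeps under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (an assumed key, not named on the page). It assumes the article’s 200/300 are the hexadecimal values regedit displays (0x200 and 0x300) and that the service-pack major number sits in the DWORD’s high byte; a mismatch between the two sources is the fingerprint of the edit Sullivan describes.

```python
"""Check whether the CSDVersion DWORD agrees with the service-pack string.

Added example, not from the Computerworld article or F-Secure. Assumptions:
the article's "200"/"300" are hex as shown in regedit (0x200 = SP2, 0x300 = SP3),
the service-pack major number is the high byte of the DWORD, and the string
"Service Pack N" lives under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.
"""
import re
import sys

WINDOWS_KEY = r"System\CurrentControlSet\Control\Windows"  # DWORD key named in the article
CURRENT_VERSION_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"  # string key (assumed)


def sp_from_dword(csdversion):
    """Split the CSDVersion DWORD into (major, minor) service-pack numbers."""
    return (csdversion >> 8) & 0xFF, csdversion & 0xFF


def sp_from_string(csd_string):
    """Parse 'Service Pack 3' -> 3; an empty string means no service pack."""
    match = re.search(r"Service Pack (\d+)", csd_string or "")
    return int(match.group(1)) if match else 0


def is_consistent(csdversion, csd_string):
    """True when both sources report the same service-pack major number.

    A DWORD of 0x300 beside the string 'Service Pack 2' is the fingerprint
    of the registry edit described in the article.
    """
    return sp_from_dword(csdversion)[0] == sp_from_string(csd_string)


def check_local_machine():
    """Read both values from the live registry and compare them (Windows only)."""
    import winreg  # stdlib module, available only on Windows

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_KEY) as key:
        dword, _ = winreg.QueryValueEx(key, "CSDVersion")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CURRENT_VERSION_KEY) as key:
        text, _ = winreg.QueryValueEx(key, "CSDVersion")
    return is_consistent(dword, text)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry check only runs on Windows; the decoding helpers are importable anywhere")
    print("consistent" if check_local_machine() else "MISMATCH: CSDVersion DWORD disagrees with service-pack string")
```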


Virus Alert! Fake Microsoft Outlook Critical Update

Virus Alert! Beware of any emails you receive requesting or recommending that you update your Microsoft Outlook email program. We have had numerous LANPRO customers call in to verify whether or not they should apply this new update. After in-depth research, we found this to be a new virus/spyware threat floating around the Internet.

Use this link for more information on this latest malware release:  MX Logic SPAM News


Importance of Windows Updates – Are you up-to-date?

Microsoft regularly issues patches or updates to solve security problems in their software. The critical updates are the ones you should be concerned about. If these are not applied, your computer is left vulnerable to hackers. Service Packs are larger updates which upgrade and fix security problems.

The Windows Update feature built into Windows NT, 2000, XP, and Vista (including all Microsoft server operating systems) can check your PC against a common database of patches. You go to a Microsoft web site, your operating system is checked against the critical updates, and a suggested list is shown for your PC so that you may download and install them. You should do this periodically.

A key benefit of LANPRO’s iManage Service offering is that we automate and monitor these Microsoft updates at both the server and workstation level. There are several worms (see the recent “Conficker” post below) floating around the Internet right now, and without the recent Microsoft Updates applied to your key systems, you and your network are hugely susceptible to various security risks, ranging from annoying spyware pop-up variants to full-fledged external/unauthorized control of your core servers and workstations.

Call LANPRO today to discuss the importance of Microsoft’s Windows Updates and how we can secure your entire computer network infrastructure today: 661.716.8324.

See another security expert’s comments on the importance of keeping your computer systems updated and patched: Online CNN Video


Virus Alert!

The Conficker Worm (a.k.a. April Fool’s Day Worm)

A new worm called Conficker, sometimes called Downadup, has generated a great deal of interest over the last couple of days. Many experts estimate that millions of computers have already been infected with this threat since January. We have only recently received updates and alerts stating the severity of the situation at hand. It’s HIGHLY recommended that you read this blog post thoroughly and forward it on to all of your friends, family, and colleagues for their review as well.

What does the Conficker worm do?

The Conficker/Downadup worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

New variants of Downadup focus not so much on spreading as on protecting themselves from being removed and protecting their communication with those who created them. Further, it is believed that on April 1st (April Fool’s Day), infected computers (or zombie computers) can and will be hijacked by what is called a “Master Computer”, causing issues ranging from keystroke monitoring, to overwhelming websites with bogus network traffic, to bombarding computers with pop-ups and adware.

How does the worm infect a computer?

The Conficker/Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Who is at risk?

Clients and end-users that don’t run routine maintenance (security updates, operating system patches, etc.) on their workstations and servers are the most at risk at this point. Those clients that DO NOT have a valid and working anti-virus solution installed are also at high risk of contracting this latest malware.

If you are a LANPRO client and you are NOT currently under an iManaged Service (MSP) agreement, it is highly recommended that you schedule a site visit soon! During this visit, we will visit each workstation and server on your network, run the latest Microsoft security patches, verify that you have the latest service pack installed, and more importantly, verify that your anti-virus solution is current and updating accordingly. Contact the LANPRO Help Desk to schedule your site visit.

Who is NOT at risk?

Clients and end-users that have implemented and perform some form of routine maintenance (security updates, operating system patches, etc.) on their workstations and network servers, and end-users that have a current and working anti-virus solution (AVG, Symantec, McAfee, etc.). All LANPRO clients that are under a current iManage Service Plan (MSP clients) are protected from this latest release. We already have monitoring and security updates in place network-wide at your facility and will use the next couple of days to check and double check that your entire infrastructure is secure and protected from this major security threat.

More Information on the Conficker Worm

CNN - http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html

CNN - http://www.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html?iref=newssearch

Or contact the LANPRO Support Team using one of the following methods:

Online Chat - http://www.lanprosystems.com

Phone:  661.871.HELP (4357)

Email:  Support@lanprosystems.com


Password Complexity Tips

The Internet is full of criminals looking to steal passwords and other personal information. Having a strong, hard-to-decipher password is your first line of defense in protecting your personal and private information on the web today. Here are some useful password complexity tips that your friends at LANPRO recommend you use:

Remember that your best line of defense in keeping unauthorized users from accessing your account is to make your password strong. To do so, follow these simple steps:

  • Make it at least six characters long
  • Include at least one number and one special character (ex. ! @ # $ % )
  • Vary between upper- and lower-case letters
  • Don’t use common names (ex. your name, address, email, etc.)

It’s also a really good idea to change your password on a fairly frequent basis. At minimum, we at LANPRO change our personal passwords every 6 months or so and as cumbersome as it may seem, changing our passwords frequently combined with the complexity tips above helps keep our personal Internet based accounts protected and secure.

If you would like additional information on how to better protect your personal data on the web, please feel free to email us at your leisure: Support@lanprosystems.com.
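As an added example (not LANPRO’s own code), the checker below applies the four tips above to a candidate password and reports which tips it breaks; the “common names” rule is implemented by splitting the user’s own name, address and email into words and rejecting any password that contains one. The user details in the block are constructed sample values.

```python
"""Check a candidate password against the four LANPRO complexity tips above.

Added example, not LANPRO's own code. The personal details used to exercise
the "no common names" rule are constructed sample values, not real data.
"""
import re

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
MIN_LENGTH = 6  # the page's stated minimum; longer is better


def personal_tokens(name, address, email):
    """Lower-case words from the user's own details that a password must not contain."""
    tokens = set()
    for field in (name, address, email.split("@")[0]):
        tokens.update(t for t in re.split(r"[^a-z0-9]+", field.lower()) if len(t) >= 3)
    return tokens


def password_problems(password, personal):
    """Return the list of tips the password violates (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed upper- and lower-case")
    lowered = password.lower()
    hits = sorted(t for t in personal if t in lowered)  # case-insensitive substring match
    if hits:
        problems.append("contains personal detail: " + ", ".join(hits))
    return problems


# Constructed sample details for a fictitious user (not real data).
SAMPLE_PERSONAL = personal_tokens("Pat Example", "742 Evergreen Terrace", "pat.example@example.com")

if __name__ == "__main__":
    for candidate in ("password", "Evergreen1!", "Qm7#vLp2"):
        issues = password_problems(candidate, SAMPLE_PERSONAL)
        print(candidate, "->", "OK" if not issues else "; ".join(issues))
```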
