Book VI Chapter 1 Lock Down: Spies, Spams, Scams, and Slams 607 Am I Infected?  ✦ Someone tells you that you sent him an e-mail message with an attachment — and you didn’t send it. In fact, most e-mail malware these days is smart enough to spoof the From address, so any infected message that appears to come from you probably didn’t. Still, some dumb old viruses that aren’t capable of hiding your e-mail address are still around. And, if you receive an infected attachment from a friend, chances are good that both your e-mail address and his e-mail address are on an infected computer somewhere. Six degrees of separation and all that. If you receive an infected message, look at the header to see whether you can tell where it came from. In Outlook 2003 and earlier, open the message and then choose View➪Options. In Outlook 2007, you have to open the message and then click the tiny square with a downward, right-facing arrow in the lower right corner of the Options group. A box at the bottom may (or may not!) tell you who really sent the message, as shown in Figure 1-6. Figure 1-6: The box at the bottom contains the e-mail header, which may give you a clue to its origin.  ✦ You suddenly see files with two filename extensions scattered around your computer. Filenames such as kournikova.jpg.vbs (a VBScript file masquerading as a JPG image file) or somedoc.txt.exe (a Windows program that wants to appear to be a text file) should send you running for your antivirus software. Always, always, always have Windows show you filename extensions (see Book II, Chapter 1). 608 Am I Infected?  ✦ Your antivirus software suddenly stops working. If the icon for your antivirus product disappears from the notification area (near the clock), something killed it — and chances are very good that the culprit was a virus.  ✦ You can’t reach Web sites that are associated with antimalware manu- facturers. For example, Firefox or Internet Explorer works fine with most Web sites, but you can’t get through to Microsoft.com or Symantec.com or McAfee.com. This problem is a key giveaway for a Conficker infection, but other pieces of malware do it, too. What to do next If you think that your computer is infected, follow these steps: 1. Don’t panic. Chances are very good that you’re not infected. 2. DO NOT REBOOT YOUR COMPUTER. This advice is particularly important in Windows 7 because of the way it takes snapshots of Last Known Good system configurations. If your machine gets infected and you reboot, and then Windows 7 mistakenly thinks that your infected system is “good,” it may incorrectly update the Last Known Good configuration information. Resist the urge to press the Reset button until you exhaust all possibilities. 3. Update your antivirus software with the latest signature file from the manufacturer’s Web site; then run a full scan of your system. If you don’t have an antivirus package installed, run — don’t walk — to the next section, and download and install AVG Free antivirus, or follow the instructions there to install Microsoft Security Essentials, the free new kid on the antivirus block. 4. If your antivirus software doesn’t identify the problem, follow your antivirus software manufacturer’s instructions. If you can’t get into your manufacturer’s Web site, beg, borrow, or steal another PC and log on to the manufacturer’s Web site (see Table 1-1). All the major antivirus software manufacturers have detailed steps on their Web sites to take you through the scary parts. Note that some sites may have news posted hours before other sites — but it’s impossible to tell in advance which will get the story first. 5. If Step 4 still doesn’t solve the problem, go to Jim Eshelman’s AumHa site (aumha.net/viewtopic.php?t=4075) and post your problem on the Malware Removal forum. Make sure that you follow the instructions precisely. The good folks at AumHa are all volunteers. You can save them — and yourself — lots of headaches by following their instructions to the letter. Book VI Chapter 1 Lock Down: Spies, Spams, Scams, and Slams 609 Am I Infected? 6. Do not — I repeat — do not send messages to all your friends advising them of the new virus. Messages about a new virus can outnumber infected messages gener- ated by the virus itself — in some cases, causing more havoc than the virus itself. Try not to become part of the problem. Besides, you may be wrong. Table 1-1 Major Antivirus Software Vendors’ Sites Product Company Breaking News Web Site AVG Anti-Virus GRISoft grisoft.com F-Secure Antivirus F-Secure f-secure.com/virus-info Kaspersky Antivirus Kaspersky Lab kaspersky.com McAfee VirusScan Network Associates us.mcafee.com/virusInfo/default. asp Norton AntiVirus Symantec securityresponse.symantec.com Panda Antivirus Panda pandasecurity.com Trend PC-cillin Trend Micro antivirus.com/vinfo In recent years, I’ve come to view the mainstream press accounts of virus and malware outbreaks with increasing, uh, skepticism. The antivirus com- panies are usually slower to post news than the mainstream press, but the information they post tends to be much more reliable. Not infallible, mind you, but better. We also cover security problems at AskWoody.com. Shunning scareware A friend of mine brought me her computer the other day and showed me a giant warning about all the viruses residing on it (see Figure 1-7). She knew that she needed XP Antivirus, but she didn’t know how to install it. Thank heaven. Another friend brought me a computer that always booted to a Blue Screen of Death that said Error 0x00000050 PAGE_FAULT_IN_NON_PAGED_AREA It took a whole day to unwind all the junkware on that computer, but when I got to the bottom dreck, I found Vista Antivirus 2009. 610 Am I Infected? Figure 1-7: When is an antivirus product, in reality, a virus? I’ve received messages from all over the world from people who want to know about this fabulous new program, Antivirus 2009 (or Vista Antivirus or XP Antivirus or MS Antivirus Security Center or Micro AV or similar word- ing). Here’s what you need to know: It’s malware, plain and simple, and if you install it, you’re handing over your computer to some very sophisticated folks who will install key loggers, bot software, and the scummiest, dirtiest stuff you’ve ever seen on any PC. Here’s the crazy part: Most people install this kind of scareware voluntarily. One particular family of rogue antivirus products, named Win32/FakeSecSen, has infected more than a million computers; see Figure 1-8. Figure 1-8: Win32/ FakeSecSen scares you into thinking you have to pay to clean your computer. Book VI Chapter 1 Lock Down: Spies, Spams, Scams, and Slams 611 Getting Protected Typically you receive a spam message that invites you to install this wonder- ful new program named Antivirus something-or-another. You figure, hey, it couldn’t be any worse than the big-name antivirus program you have now — the one that’s no doubt bugging you every two days to cough up your credit card number to stay up-to-date — and figure it’s worth a try. Wrong. Some people pick up Antivirus 2009 by clicking a link on a decent, well- known Web site. They just don’t realize that people who run big Web sites frequently farm out their advertising, and sometimes the ads (which are delivered independently of the page itself) harbor threatening stuff. The SpywareRemove Web site reports (tinyurl.com/55pjnk) that, not long ago, Google was showing “sponsored” paid links that pointed directly to the Antivirus XP 2008 site. The exact method of infection can vary, as will the payloads. If you’ve got it, how do you remove it? For starters, don’t even bother with Windows Add or Remove Programs. Any company clever enough to call a piece of scum Antivirus 2009 won’t make it easy for you to zap it. The Bleeping Computer site has removal instructions at tinyurl.com/6xxhyz. One of my favorite antimalware industry pundits, Rob Rosenberger, has an insightful analysis of this type of scareware in the article “Two decades of virus hysteria contributes to the success of fake-AV scams,” at vmyths. com/2009/03/22/rogue-av. Microsoft has an excellent review of rogue antivirus products in its Security Intelligence Report Volume 6, available at microsoft.com/sir. Getting Protected The Internet is wild and woolly and wonderful — and, by and large, it’s unregulated, in a Wild West sort of way. Some would say it cannot be regu- lated, and I agree. Although some central bodies control basic Internet coordination questions — how the computers talk to each other, who doles out domain names such as dummies.com, and what a Web browser should do when it encounters a particular piece of HyperText Markup Language (HTML) — no central authority or Web Fashion Police exists. In spite of its Wild West lineage and complete lack of couth, the Internet doesn’t need to be a scary place. If you follow a handful of simple, common sense rules, you’ll go a long way toward making your Internet travels more like Happy Trails and less like Doom III. 612 Getting Protected Protecting against malware “Everybody” knows that the Internet breeds viruses. “Everybody” knows that really bad viruses can drain your bank account, break your hard drive, and give you terminal halitosis — just by looking at an e-mail message with Good Times in the Subject line. Right. In fact, botnets and keyloggers can hurt you, but hoaxes and lousy advice abound. Every Windows 7 user should follow these tips:  ✦ Don’t install weird programs, cute icons, automatic e-mail signers, or products that promise to keep your computer oh-so-wonderfully safe. Unless the software comes from a reputable manufacturer whom you trust, and you know precisely why you need it, you don’t want it. Don’t be fooled by products that claim to clean your Registry or clobber imagi- nary infections. You may think that you absolutely must synchronize the Windows clock (which Windows 7 does amazingly well, no extra program needed), tune up your computer (gimme a break), use those cute little smiley icons (gimme a bigger break), install a pop-up blocker (both Internet Explorer and Firefox already do that well), or install an automatic e-mail signer (your e-mail program already can sign your messages — read the manual, pilgrim!). What you end up with is an unending barrage of hassles and hustles.  ✦ Buy, install, update, and religiously use one of the major antivirus soft- ware packages and one of the major antispyware packages. It doesn’t matter which one — all of them are good. Personally, I like free — the free versions of several antivirus products work just as well as the big-name, big-buck alternatives. (See Book VI, Chapter 5 for more on antivirus and antispyware software.) In spite of its name, antivirus software frequently looks for more than just viruses. Many 0day exploits can be nipped in the bud, shortly after their appearance, by a recently updated antivirus scan.  ✦ Never, ever, open a file attached to an e-mail message until you con- tact the person who sent you the file and verify that she did, in fact, send you the file intentionally. After you contact the person who sent you the file, don’t open the file directly. Save it to your hard drive and run your antivirus software on it before you open it.  ✦ Follow the instructions in Book II, Chapter 1 to force Windows 7 to show you the full name of all the files on your computer. That way, if you see a file named something.cpl or iloveyou.vbs, you stand a fighting chance of understanding that it might be an infectious program waiting for your itchy finger. Book VI Chapter 1 Lock Down: Spies, Spams, Scams, and Slams 613 Getting Protected  ✦ Don’t trust e-mail. Every single part of an e-mail message can be faked, easily. The return address can be spoofed. Even the header information — which you don’t normally see — can be pure fiction. Links inside e-mail messages may not point where you think they point. Anything you put in a message can be viewed by anybody with even a nodding interest — to use the old analogy, sending unencrypted e-mail is a lot like sending a postcard.  ✦ Check your accounts. Look at your credit card and bank statements, and if you see a charge you don’t understand, question it. Log on to all your financial Web sites frequently, and if somebody changed your pass- word, scream bloody murder. Using your credit card safely online Many people who use the Web refuse to order anything online because they’re afraid that their credit card numbers will be stolen and they’ll be liable for enormous bills. Or they think the products will never arrive and they won’t get their money back. If your credit card was issued in the United States and you’re ordering from a U.S. company, that’s simply not the case. Here’s why:  ✦ The Fair Credit Billing Act protects you from being charged by a company for an item you don’t receive. It’s the same law that governs orders placed over the telephone or by mail. A vendor generally has 30 days to send the merchandise, or it has to give you a formal, written chance to cancel your order. For details, go to the Federal Trade Commission (FTC) Web site, ftc.gov/bcp/edu/pubs/consumer/ credit/cre28.shtm.  ✦ Your maximum liability for charges fraudulently made on the card is $50 per card. The minute you notify the credit card company that some- body else is using your card, you have no further liability. If you have any questions, the Federal Trade Commission can help. (See ftc.gov/ bcp/edu/pubs/consumer/tech/tec01.shtm.) The rules are different if you’re not dealing with a U.S. company and using a U.S. credit card. For example, if you buy something in an online auction from an individual, you don’t have the same level of protection. Make sure that you understand the rules before you hand out credit card information. Unfortunately, there’s no central repository (at least none I could find) of information about overseas purchase protection for U.S. credit card hold- ers: each credit card seems to handle cases individually. If you buy things overseas using a U.S. credit card, your relationship with your credit card company generally provides your only protection. 614 Getting Protected Some online vendors, such as Amazon.com, absolutely guarantee that your shopping will be safe. The Fair Credit Billing Act protects any charges fraud- ulently made in excess of $50, but Amazon says that it reimburses any fraud- ulent charges under $50 that occurred as a result of using its Web site. Many credit card companies now offer similar assurances. Regardless, you should still take a few simple precautions to make sure that you aren’t giving away your credit card information:  ✦ When you place an order online, make sure that you’re dealing with a company you know. In particular, don’t click a link in an e-mail mes- sage and expect to go to the company’s Web site. Type the company’s address into Internet Explorer or Firefox, or use a link that you stored in your Internet Explorer Favorites or the Firefox Bookmarks list.  ✦ Type your credit card number only when you’re sure that you’ve arrived at the company’s site and when the site is using a secure Web page. The easy way to tell whether a Web page is secure is to look in the lower-right corner of the screen for a picture of a lock (see Figure 1-9). Secure Web sites scramble data so that anything you type on the Web page is encrypted before it’s sent to the vendor’s computer. In addition, Firefox tells you a site’s registration and pedigree by clicking the icon to the left of the Web address. In Internet Explorer, the icon appears to the right of the address. Be aware that crafty Web programmers can fake the lock icon and show an https:// (secure) address to try to lull you into thinking that you’re on a secure Web page. To be safe, confirm the site’s address in the lower-left corner and click the icon to the left of the address at the top to show the full security certificate.  ✦ Don’t send your credit card number in an ordinary e-mail message. E-mail is just too easy to intercept. And for heaven’s sake, don’t give out any personal information when you’re chatting online.  ✦ If you receive an e-mail message requesting credit card information that seems to be from your bank, credit card company, Internet ser- vice provider, or even your sainted Aunt Martha, don’t send sensitive information back by way of e-mail. Insist on using a secure Web site and type the company’s address into Firefox or Internet Explorer. Identity theft continues to be a problem all over the world. Widespread availability of personal information online only adds fuel to the flame. If you think someone may be posing as you — to run up debts in your name, for example — see the U.S. government’s main Web site on the topic at consumer.gov/idtheft. Book VI Chapter 1 Lock Down: Spies, Spams, Scams, and Slams 615 Getting Protected Confirm a site’s address. The lock icon indicates a secure site. Click the icon to see the site’s security certificate. Defending your privacy “You have zero privacy anyway. Get over it.” That’s what Scott McNealy, CEO of Sun Microsystems, said to a group of reporters on January 25, 1999. He was exaggerating — Scott has been known to make provocative statements for dramatic effect — but the exaggeration comes awfully close to reality. (Actually, if Scott told me the sky was blue, I’d run outside and check. But I digress.) I continue to be amazed at Windows users’ odd attitudes toward privacy. People who wouldn’t dream of giving a stranger their telephone numbers fill out their mailing addresses for online service profiles. People who are scared to death at the thought of using their credit cards online to place an order with a major retailer (a very safe procedure, by the way) dutifully type their Social Security numbers on Web-based forms. Windows 7 — particularly through Microsoft Windows Live Essentials — gives you unprecedented convenience. That convenience comes at a price, though: Everything you do in Windows Live Mail, Messenger, Safety Center — or just Figure 1-9: Firefox can tell you a lot about a secure site. 616 Getting Protected about any commercial site on the Web, for that matter — ends up stored away in a database somewhere. And, as the technology becomes more and more refined, your privacy gets squeezed. I suggest that you follow these few important privacy points:  ✦ Use work systems only for work. Why use your company e-mail ID for personal messages? C’mon. Sign up for a free Web-based e-mail account, such as Gmail (www.gmail.com), Yahoo! Mail (http://mail.yahoo. com), or Hotmail (www.hotmail.com). In the United States, with few exceptions, anything you do on a company PC at work can be monitored and examined by your employer. E-mail, Web site history files, and even stored documents and settings are all fair game. At work, you have zero privacy anyway. Get over it.  ✦ Don’t give it away. Why use your real name when you sign up for a free e-mail account? Why tell a random survey that your annual income is between $20,000 and $30,000? (Or is it between $150,000 and $200,000?) All sorts of Web sites — particularly Microsoft — ask questions about topics that, simply put, are none of their dern business. Don’t put your personal details out where they can be harvested.  ✦ Know your rights. Although cyberspace doesn’t provide the same level of personal protection you have come to expect in meatspace (real life), you still have rights and recourses. Check out privacyrights.org for some thought-provoking notices. Keep your head low and your powder dry! Keeping cookies at bay A cookie is a text file that a Web site stores on your computer. Why would a Web site want to store a file on your computer? To identify you when you come back. It’s that simple. Consider the case of D. Dummy, D. Dummy’s computer, and a Web site that D. Dummy visits — my hometown newspaper’s site, www.phuketgazette. net, in this example. The Phuket (pronounced “poo-KET”) Gazette uses cook- ies to keep track of when readers last visited its Web site so that readers can click a button and see what has happened since the last time they looked at the site. Nifty feature. Here’s how cookies come into the picture: 1. D. Dummy decides that he wants to look at the Phuket Gazette site, so he types phuketgazette.net in Firefox (or Internet Explorer) and presses Enter. [...]... firewall, try to use the one in Windows 7, and when you (inevitably) throw your hands up in disgust, take a look at Microsoft’s competitors This chapter helps you through the minefield Comparing Firewalls The Windows 7 inbound firewall works reasonably well It lacks many of the fancy features you can find in competing firewalls, but for most folks, it’s good enough One big bonus: The Windows 7 inbound... to poke a hole in the inbound Windows Firewall: 1 Choose Start➪Control Panel Click the System and Security link; click Windows Firewall You see the main Windows Firewall control window, as shown in Figure 3-3 2 On the left, click the link labeled Allow a Program or Feature through Windows Firewall Windows Firewall presents you with a lengthy list of programs that you might want to allow (see Figure... about connecting to networks, setting the network type, and changing network types in Book VII, Chapter 1 Making Inbound Exceptions Firewalls can be absolutely infuriating You may have a program that has worked for a hundred years on all sorts of computers, but the minute you install it on a Windows 7 machine with Windows Firewall in action, it just stops working, for absolutely no apparent reason... Knowing when Windows Firewall causes problems — and how to get around them ✓ Struggling with the bare-bones outbound Windows Firewall ✓ Making Windows Firewall work the way you want A firewall is a program that sits between your computer and the Internet, protecting you from the big, mean, nasty gorillas riding around on the information superhighway An inbound firewall acts like a traffic cop that, in. .. through That way, rogues on the Internet can’t break in Windows 7 also has an outbound firewall, which is basically unusable The Network Firewall line in the Action Center says On even if you don’t have outbound firewall protection You may be using the Windows 7 Firewall, or you may have a third-party firewall installed It’s possible (but maddening) to run more than one firewall at the same time ✦ Virus... program designed to listen for incoming Internet traffic (Skype is a prime example, as are any instant messaging programs) adds its program to the list of designated exceptions when the program is installed Using Public and Private Networks Windows 7 helps simplify things a bit by providing three different collections of security settings — actually, inbound Windows Firewall settings — each identified... unexpected packets can come through for reasons discussed elsewhere in this chapter But a stateful firewall is quite a fast, reliable way to minimize your exposure to potentially destructive probes from out on the big, bad Internet Windows Firewall Understanding Windows 7 Firewall’s Basic Features Book VI Chapter 3 636 Understanding Windows 7 Firewall’s Basic Features In extremely unusual circumstances,... want it to allow packets to come in on a specific port and the Block All Incoming Connections check box isn’t selected, WF follows your orders You might need to open a port in this way for online gaming, for example Using Public and Private Networks 639 ✦ Windows Firewall allows packets to come into your computer if they’re sent to the Remote Assistance program (unless the Block All Incoming Connections... at Windows Firewall, but when you do, realize that at least part of the problem lies in the way the firewall has to work (See the “Peeking into Your Firewall” section, earlier in this Making Inbound Exceptions 641 chapter, for an explanation of what your firewall does behind the scenes.) It has to block packets that are trying to get in, unless you explicitly tell the firewall to allow them to get in. .. the Windows Firewall, you can tell WF to allow packets destined for that specific program — and only that program — in through the firewall You might want to do that with a game that needs to accept incoming traffic, for example, or for an Outlook extender program that interacts with mobile phones, or for a program that hooks directly into the Internet, like The Onion Ring (see Book V, Chapter 2 for . (I talk about Windows Firewall at length in Book VI, Chapter 3.) A firewall program insulates your PC (or network) from the Internet. At its heart, the Windows 7 inbound firewall keeps track. Rootkits 629 624 Entering the Action Center Entering the Action Center If you go out looking for it, the Windows 7 Action Center sits buried in an obscure corner of the Windows infrastructure. But. consolidates a wide range of settings from many different parts of Windows — indeed, from places outside of Windows — all in one place. Watching Security Settings To see the monitored Security