Andrés Valencia

PC Security

This page offers information and tools to keep your PC secure,
free of intrusions in the Internet.

- General Security Advice for Internet Users
- Anti-Spyware/Anti-Adware Online Scanners (including anti-Conficker)
- Expanded Threats: Spyware, Malicious Dialers, Rootkits, Malicious JavaScript
- Anti-Spyware/Anti-Adware Software
- A Final Warning

General Security Advice for Internet Users

The Internet is a dangerous environment as proven by the frequent "Denial of Service" attacks, the infection of legitimate Web sites, the "Worms" and "Trojan Horses" infecting computers to implement "remotely controlled" intrusions in networks by means of infected and enslaved PCs; "robots".
The computers with the highest risk of infection are those with a permanent connection to the Internet.

Your PC is not necessarily the final target in these attacks: If infected, it is used to attack other computers and disseminate the infection. The attempted dissemination activity congests the Internet, in particular e-mail transit.
The unavailability of the infected computers can cause damage to people and property. And you could be an involuntary co-responsible.

The most employed attack method is the exploitation of "vulnerabilities" in the operating system or networking software to install malignant non-authorized programs ("Malware") in your computer.

A Web site knows the IP (Internet Protocol) address of the PC from where you are viewing it, and could test your PC for vulnerabilities. If a vulnerability is found, an infected Web site could exploit it.
Once infected, a simple firewall (like the one in Windows XP) would not be a defense, as it is the Malware in your computer that will be requesting the traffic. A complete firewall would not be a defense either, if you grant permission to communicate to unknown software that has already infected your PC.

If your PC has a vulnerability, and you visit an infected site that can exploit it, your PC could be enslaved. Backdoor and key-logger programs could be installed, and a remote attack on another computer be launched from your PC.

If your Web browser has been infected by "Adware" so it makes automatic visits to unknown sites (pop-up advertising), its vulnerabilities could be exploited. See Spyware, further down in this page.

To eliminate your vulnerabilities keep your operating system and networking software updated (Web browser, mail program, etc.).
In the MS Internet Explorer menu: Tools, Windows Update. Or visit Microsoft Update.
Install all Critical and Security Updates as soon as possible. Microsoft releases them on the second Tuesday of every month. However, if a security threat occurs, such as a widespread virus or worm that affects Windows-based computers, Microsoft will release a corresponding update as soon as possible. Other types of updates can be released whenever they are ready. Service Packs SP1 and SP2 are free, but only available automatically to legitimate Windows XP users. Install all Service Packs.
If your PC clone came with an illegal copy of Windows, you can buy and install an original without loosing your installed programs or your documents.

If you can not install and update a legal copy of MS Windows on an Internet-connected PC, it is possible that your vulnerabilities will be exploited even if you use a complete firewall program.
Get your updates from The Software Patch (Download site for patches, upgrades, service packs and hardware drivers).
Do not use an unsupported version of Windows; its vulnerabilities represent a grave security risk.

Regularly update your Microsoft Office programs: visit Microsoft Office Online and select "Office Update", or visit Microsoft Update. Have your original MS Office installation disks on hand.

Use the Secunia Online Software Inspector (OSI) to detect the programs installed in your PC that contain vulnerabilities, so you can update them or to eliminate them (the Online version requires the Java Runtime).
This includes old vulnerable versions that are not uninstalled after updating the program, like for example, the Java Runtime and the Adobe Flash and Shockwave Players.
Home users should download and install the Secunia Personal Software Inspector (PSI).

Download and run the Microsoft Baseline Security Analyzer (MBSA), an easy-to-use tool that helps determine your security state in accordance with Microsoft recommendations and offers specific remediation guidance.
Improve your security management by using MBSA to detect common security misconfigurations and missing security updates on your computer.
The Microsoft Baseline Security Analyzer (MBSA) is free, but only available to legitimate Windows 2000, XP, 2003 o Vista users.

Considering that exposure to a single malicious site can turn your PC into a robot, a spam generator or a slow performer, and steal login information; securing your Web search activities is an important function.
Simply visiting a bad, hacked Web page can expose your machine. Vulnerabilities and exploits continue to permit hackers to spread rootkits and open backdoors on computers around the world.
AVG LinkScanner integrates with major search engines to check search results for a variety of online threats before you click.
AVG LinkScanner is free for personal use and integrates with major search engines (Google, Yahoo), that can be tricked to carry links to malicious sites. Internet Explorer and Firefox supported. Compatible with major anti-virus, anti-spyware, and firewall products.
AVG LinkScanner is now also part of the AVG Anti-Virus Free Edition.

Make sure your computer is not sharing anything over the Internet. This is especially important if you are using a permanent connection. Avoid printer sharing over a LAN running on the TCP/IP protocol, from the computers capable of directly connecting to the Internet.
(Control Panel, Network Connections, Local Area Connection Properties, General: Do not check "File and Printer sharing for Microsoft Networks")

But if you must share files over the Internet, do not share whole drives; only share expressly prepared, password-protected and "Read-only" folders with the required files. Password-protected folders are available in Windows XP Professional. In particular, never share the drive or the folder were the Operating System resides.
In Windows XP Home, share only temporarily, for the shortest period of time.

For example, create a folder named "Out" in "My Documents" and share it, but do not check "Allow network users to change my files" (Properties, Sharing).
Using this system, all network users will be able to download files from the others Out folders, but no one would be able to upload files to another computer.
This minimizes the possibilities of intrusion, but not of data theft. Password protection minimizes both and should be used additionally.
In Windows XP Home, share only temporarily, for the shortest period of time.

Consider that some e-mail viruses fake the sending address to gain your confidence and get you to execute an attached program, believing it to come from a known address.
Configure your e-mail program for high security.
In the MS Outlook Express menu: Tools, Options, Security: Restricted sites zone (More secure).
You should also select to "Warn me when other applications try to send mail as me".
Configure your antivirus program to examine the contents of your e-mail.
Never open or execute attachments before they are examined by your (recently updated) antivirus program!

No computer should be connected to the Internet without antivirus software of the highest quality, recently updated, and configured for maximum security, that is, checking all files on entry, from any source. Install an antivirus program, like the Comodo Internet Security, the PC Tools AntiVirus Free Edition, or the AVG Anti-Virus Free Edition from Grisoft (Free, in various languages).

If you use Windows Vista or Windows XP SP2, you can install a complete security program, like the Comodo Internet Security (Free), offering complete protection from Hackers, Virus, Spyware, Trojans and Identity theft, and a Host Intrusion Prevention System that stops malware from being installed. An extensive white list database of trusted applications helps reducing the number of initial alerts after installation. The Firewall and Antivirus components can be installed separately.
[Very Good results in the Matousec Firewall Challange]

For additional protection, also install the Comodo BOClean Anti Malware software (Free).
Internet trojan horse programs, spyware, keyloggers, rootkits, pseudorootkits, hijackers, adware, annoyware, email relays, spam proxies, spam relays, scam downloads and email/spam robots ("bots") are perhaps the greatest security threat to individuals and institutional networks in existence.

By installing malware (short for MALicious softWARE) on a machine, computer crackers can go anywhere, see and do anything they want with your computer, including banking records and your most intimate and personal documents. In addition to wreaking havoc with your machine and pillaging your personal property, some malware, specifically trojan horse servers, can even record your personal conversations if you have a microphone connected to your computer. Malware can invade your system without you ever knowing it and are designed to elude firewalls by using ports which are not blocked by network "firewall" security software or proxy servers. Many of them disable the most frequently used antivirus and software firewalls.

PC Tools ThreatFire Behavioral Virus and Spyware Protection (Free) is dramatically different to traditional antivirus software. Normal antivirus products usually need to have first identified and seen a threat before they can provide adequate protection against it. The protection is then provided via a signature or fingerprint update, which must first be written by an antivirus researcher. This creates a large window of time where threats are undetected and can therefore infect your PC even when you have antivirus software installed.
ThreatFire continually protects your PC against attacks by detecting malicious behavior, such as capturing your keystrokes or stealing your data, instead of only looking for known threats like normal antivirus software. By implementing sophisticated real-time behavioral analysis ThreatFire is able to stop never- before-seen "zero-day" threats solely by detecting their malicious activity.
ThreatFire's patent-pending ActiveDefense technology offers protection against all types of Internet threats - both known and unknown - spyware, adware, keyloggers, viruses, worms, Trojans, rootkits, buffer overflows, and other malware. ThreatFire uses its unparalleled protection to hunt down and paralyze those threats that are either too new or too clever to be recognized by traditional "signature-based" antivirus software. ThreatFire's ActiveDefense technology provides additional protection when combined with traditional antivirus products.
[See ThreatFire Technical Support to resolve some incompatibilities with other security software, like AVG and ZoneAlarm]

With PC Tools AntiVirus Free Edition you are protected against the most nefarious cyber-threats attempting to gain access to your PC and your personal information. Going online without protection against the latest fast-spreading virus and worms, such as Netsky, Mytob and MyDoom, can result in infections within minutes.

PC Tools Spyware Doctor (Free) detects and removes spyware, adware, trojans and keyloggers. It has been downloaded over 125 million times with millions more downloads every week. People worldwide use and trust Spyware Doctor to protect their PCs from spyware, adware and other online threats.

The PC Tools Firewall Plus (Free) is an easy-to-use personal firewall for Windows that helps protect your privacy by preventing unauthorized users from gaining access to your computer through a network or the Internet. [Very Good results in the Matousec Firewall Challange]

If you use Windows Vista or Windows XP SP2, you can activate the Internet Connection Firewall on the Internet connection of computers that connect directly to the Internet. It will protect you against external (from the Internet) unauthorized access. But this simple firewall does not fully protect you from exploitation of vulnerabilities.
Use: Control Panel, Internet Options, Connections, Settings, Properties, Advanced.

If you want a simple firewall that is very easy to configure, then you could use the Windows XP SP2 Internet Connection Firewall. But if you want more advanced control over the traffic that passes through your computer and you also want to block unauthorized outgoing traffic (traffic from your computer out to the Internet) then choose a complete personal firewall from another company.
See Security Essentials for Windows XP Service Pack 2.

Use only one firewall program and only one antivirus program at the same time in your PC. Two firewall programs, or two antivirus programs, can interfere with each other and block your PC.

Install all Windows Critical and Security Updates
Keep your antivirus software updated
Use a complete Firewall

Visit a security evaluation site on the Web, such as Steve Gibson's Gibson Research Corporation.
There you can run the ShieldsUP! tests to see how well your machine is protected (or not). (Free)

Also run the tests for vulnerabilities to Internet threats at PC Flank (Make sure you're protected on all sides).

Visit Secunia and SecurityFocus for Security News, Articles & Advisories.

Visit the DeepSight Threat Management System from Symantec to learn the global level of the threats.

Visit the site OnGuard Online of the U.S.A. Federal Government to read practical recommendations to help you be on guard against Internet fraud, secure your computer and protect your personal information.

See my Antivirus Information Section

Anti-Spyware/Anti-Adware Online Scanners

[Running an Online Scanner under Windows Vista in general requires accessing it with Microsoft Internet Explorer in Administrator mode: Select a start icon for Microsoft Internet Explorer with a right click, select Run as Administrator]

Analyze your PC with the BitDefender QuickScan: (Free)

Downadup (or Conficker) is a self-updatable network worm that takes advantage a Windows vulnerability to spread. Its removal is complicated by the fact that it blocks many known antivirus software and associated websites. Conficker disables the Microsoft Windows Firewall service.

Visit Microsoft Update and install all Critical and Security Updates.

See An Analysis of Conficker (SRI Malware Threat Center, February 4, 2009)

See Microsoft Security Bulletin MS08-067 - Critical: Vulnerability in Server Service Could Allow Remote Code Execution (October 23, 2008)

If you can see all three image links on the top row in this test page (at Conficker Work Group), your computer is NOT infected with Conficker. However, if one of the F-Secure, SecureWorks or Trend Micro logos appears broken, chances are your computer is part of the Conficker botnet.
The three image links on the bottom row just test the quality of your connection.

BitDefender is the first to offer a free online tool which disinfects all versions of Downadup. This domain is the first to serve a removal tool without being blocked by the e-threat.
Determine if it is infected with the Downadup worm (known also as Conficker or Kido):
Remove Downadup

Analyze your PC with the a-squared Free 4.0: (Free)

The Conficker Worm has shocked PC security experts. Millions of computers are supposed to be already infected.
The free program a-squared Free 4.0 checks whether Conficker is already present on the computer. In the worst case, the free program can immediately remove the security risk.

See Conficker Worm Alert! a-squared Free 4.0 removes the Worm free of charge!

Install a-squared EMSI Software Anti-Malware - Free malware scanner and remover software

The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.

You can download the MSRT from either of the following Microsoft Web sites:
update.microsoft.com and/or support.microsoft.com

See Virus alert about the Win32-Conficker.B worm (Microsoft Help and Support)

Analyze your PC Security with the Symantec Security Check: (Free)

The Web-based Security Scan and Virus Detection will help ensure a safe and productive Internet experience for you and your family. Security Scan determines whether your PC is protected from hackers, viruses, and privacy threats. Virus Detection uses Symantec's virus detection technology to check for virus infections. After analyzing your PC's current level of protection, we'll show you how you can enjoy the Internet and protect yourself at the same time.

System Requirements:

Microsoft Windows Vista, 95/98/XP or Windows NT/2000, or Mac OS 8.1 or newer
Microsoft Internet Explorer 5 or newer
[Macintosh: MS IE 4.5 or newer, or Safari 1.0 or newer]
Cookies must be enabled in your browser's security settings
ActiveX and JavaScript must be enabled in your browser's security settings
If you are going through a firewall, it must be configured to transmit browser information (user agent) to the Web server
If you use the AOL browser, please upgrade to the latest version [Keyword: Upgrade]

Analyze your PC with the ESET-NOD32 AntiVirus - Online Scanner: (Free)

The ESET Online Scanner is a good free virus scan in the Web. A user-friendly, powerful tool, the ESET online antivirus utility can remove malware - viruses, spyware, adware, worms, trojans, and more - from any PC utilizing only a web browser. The AntiVirus - Online Scanner uses the same ThreatSense technology and signatures as ESET NOD32 Antivirus, which means it is always up-to-date.

ESET Online Scanner requires the following minimum system components:

Hardware: 133MHz Intel Pentium processor or equivalent. At least 32MB of available RAM. At least 15MB of available disk space.
Operating System: Microsoft Windows 98/ME/NT 4.0/2000/XP and Windows Vista.
Software: Microsoft Internet Explorer (IE) 5.0 or later.
User Permissions: Administrator privileges required for Windows Vista installation.

Analyze and clean your PC with the Trend Micro HouseCall AntiVirus - Scan Online: (Free)

The Web-based HouseCall AntiVirus - Scan Online will help ensure a safe and productive Internet experience for you and your family. HouseCall uses Trend Micro's virus detection technology to check for and eliminate virus infections, spyware, worms and other malware.

System Requirements:

Microsoft Windows 95/98/XP or Windows NT/2000
Microsoft Internet Explorer 4.0, Netscape 3.01 or newer
ActiveX and JavaScript must be enabled in your browser's security settings

Analyze and clean your PC with the a-squared Online Malware Scanner: (Free)

Analyze and clean your system with the a-squared Online Malware Scanner for Trojans, Backdoors, Worms, Dialers, Spyware/Adware, Keyloggers, Rootkits, Hacking Tools, Riskware and Tracking Cookies. Completely free, directly from your web browser.

System Requirements:

Windows 98/ME/2000/XP or 2003 Server
Internet Explorer 5.0 or later with ActiveX enabled

Analyze and clean your PC with the F-Secure Online Scanner: (Free)

The Web-based F-Secure Online Virus Scanner will help ensure a safe and productive Internet experience for you and your family. The Online Virus Scanner uses F-Secure's virus detection technology to check for and eliminate virus infections, spyware and rootkits.

System Requirements:

Microsoft Windows XP or Windows 2000
Microsoft Internet Explorer 6.0 or newer
ActiveX and JavaScript must be enabled in your browser's security settings

Analyze and clean your PC with the BitDefender Online Scanner: (Free)

Analyze and clean your PC with the BitDefender Online Scanner for Virus and Spyware.

System Requirements:

Microsoft Windows Vista, XP, Me, 98, NT or Windows 2000, 2003
Microsoft Internet Explorer
ActiveX and JavaScript must be enabled in your browser's security settings

Expanded Threats

Expanded Threats exist outside of commonly known definitions of viruses, worms, and Trojan horses and may provide unauthorized access, and threats to system or data security, and other types of threats or nuisances.
Expanded Threats may be unknowingly downloaded from Web sites, email messages, or instant messengers. They can also be installed as a by-product of accepting the End User License Agreement from another software program related to or linked in some way to the Expanded Threat.

Consider that an e-mail can show a faked sending (From:) address to gain your confidence and get you to execute an attached program or visit a link, believing it comes from a known address or person.

See Symantec Security Response - Expanded Threats

"Spyware" (Spy Software):

"Spyware" programs are applications that send information via the Internet to the creator of the spyware, or the publisher. Spyware usually consists of core functionality and functionality for information gathering. The core functionality appeals to users and entices them to install and use the spyware. The End User License Agreement (EULA) informs users of the information-gathering actions, but most users overlook this information. Information that is sent to the publisher is normally used for improved direct marketing purposes. The type of sent information differs depending on the spyware program. In order for the publisher to properly digest the gathered data, some spyware programs send a unique identifier with the gathered information. Users often overlook the information-gathering functionality of spyware, leaving them unaware that the spyware publisher is gathering data from their computers.

See The Dangers of Spyware in Symantec Security Response - White Papers (.pdf, Adobe Acrobat Reader).

Generally, if your Web browser has been infected by "Adware" (advertisement software, a type of "Spyware"), it will make automatic visits to unknown sites (pop-up advertising), and its vulnerabilities could be exploited.

"Spyware" is a relatively new kind of threat that many common antivirus applications do not cover well. More and more spyware is emerging that is silently tracking your surfing behavior to create a marketing profile of you that will be sold to advertisement companies and used to force your browser to visit unknown sites automatically.

See Symantec Security Response - Expanded Threats (Spyware)

In response to this new area of risk (which Symantec termed expanded threats) Symantec began helping customers by enabling them to detect spyware and other undesirable programs on their computers using the Norton AntiVirus product.

Times have changed considerably and Symantec's approach to what were once referred to as expanded threats has evolved to meet the challenges posed by programs that are now broadly referred to as spyware.

See Symantec Enterprise Solutions - Symantec's Antispyware Approach

Anti-Spyware/Anti-Adware Software:

You can get rid of much of the Spyware/Adware in your PC by using:
Ad-Aware Free - Detection/Removal of Spyware (with Free version, from Lavasoft)
Spybot - Search&Destroy - Detect & Remove Spyware (Free, from Patrick M. Kolla),
a-squared Free EMSI Software Anti-Malware - Malware Scanner and Remover Software (Free)
Comodo Internet Security Protection against viruses, spyware, worms, adware and trojans (Free)
AVG Anti-Virus Free Edition Protection against viruses, spyware, worms, adware and trojans, with LinkScanner Active Surf-Shield (Free)
Microsoft Windows Defender Protects your computer against pop-ups, slow performance and security threats caused by spyware and other unwanted software (Free)
Free PC Tools Spyware Doctor Prevents, detects and eliminates intrusions
Free Norton Security Scan for Google Pack Detects and eliminates intrusions (Free, from Google Pack)
PC Tools ThreatFire Behavioral Virus and Spyware Protection (Free)

Ad-Aware Free blocks, detects and eliminates the intrusions already occurred and residing in your PC.
Spybot detects and eliminates the intrusions already occurred and residing in your PC, it can also inoculate your MS Internet Explorer against the more common.
a-squared Free (A2) detects and eliminates the intrusions already occurred and residing in your PC.
Comodo Internet Security is active protection against viruses, spyware, worms, adware and trojans.
AVG Anti-Virus Free Edition prevents, detects and eliminates intrusions in your PC.
Microsoft Windows Defender features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected. Microsoft Windows Defender is only available to legitimate Windows XP-SP2 users and is part of Windows Vista.
Free Spyware Doctor Starter Edition for Google Pack users detects and eliminates some intrusions in real time, and the intrusions already occurred and residing in your PC, it can also inoculate your MS Internet Explorer against the more common malicious Active-X programs.
The Google Pack version of Norton Security Scan removes all existing viruses, trojans and worms found on a user's PC and provides them with helpful tips on how they can further improve their PC security.
By implementing sophisticated real-time behavioral analysis ThreatFire is able to stop never- before-seen "zero-day" threats solely by detecting their malicious activity.
ThreatFire's patent-pending ActiveDefense technology offers protection against all types of Internet threats - both known and unknown - spyware, adware, keyloggers, viruses, worms, Trojans, rootkits, buffer overflows, and other malware.

SpywareBlaster anti-spyware protection (Free, Javacool Software).
SpywareBlaster doesn't scan for and clean spyware - it prevents it from being installed in the first place. This program prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE and Mozilla/Firefox, and restrict the actions of spyware/ad/tracking sites.
SpywareBlaster inoculates MS Internet Explorer against many intrusions, to prevent spyware from installing, and it can be deactivated in case of problems. Only after deactivation it should be uninstalled, if this is what is wanted.

These tools can all be installed in the same PC as they are basically scanners and will not interfere with each other or an antivirus program. This is recommendable as each specializes in a different kind of spyware.

Tracking Cookies:

The above tools will help you to get rid of "Tracking Cookies" (Third Party Cookies that use personally identifiable information) stored in your PC, but you should configure your browser to block them.
In the MS Internet Explorer menu: Tools, Internet Options, Privacy (Medium, at least).

A cookie is not a program, it is a very small text file with information that a Web site can store in your PC. A persistent cookie remains when you close your browser. A temporary or session cookie is stored only for your current browsing session, and is deleted from your computer when you close it.

First-party cookies originate on or are sent to the Web site you are currently viewing. If you do not allow first-party cookies, you may not be able to view some Web sites or take advantage of their customization features.

Third-party cookies either originate on or are sent to Web sites different from the one you are currently viewing. Third-party Web sites usually provide some content on the Web site you are viewing. For example, a site may use advertising from third-party Web sites and those third-party Web sites may use cookies. A common use for this type of cookie is to track your Web visits for advertising or other marketing purposes. Third-party cookies can either be persistent or temporary.

A Web site only has access to the personally identifiable information that you provide to it, such as your log-in and preferences when visiting that site. Normally, only the Web site that created a cookie can read it.

Your Internet Service Provider (ISP) assigns your PC an IP (Internet Protocol) address when you make a connection. An IP address is unique in the whole world at any time, and only your ISP can associate it with your PC at a particular time.

Local Shared Objects:

Adobe Flash Player is the standard for delivering high-impact, rich Web content.

Adobe recommends that all Adobe Flash Player users upgrade to the most recent version of the Player through the Adobe Flash Player Download Center to take advantage of security updates.

Users of Adobe Flash Player on all supported platforms can manually check whether their installed Flash Player is the latest, most secure version at Adobe Flash Player - Version Information.

A local shared object, sometimes referred to as a "Flash cookie", is a small data file that can be created on your computer by websites containing Adobe Flash Player.
See Adobe Flash Player - What Is a Local Shared Object?

The Adobe Flash Player Settings panels let you make decisions about privacy, data storage on your computer, security, notifications of updates, and the use of the camera and microphone installed on your computer. Use the links in the table of contents to learn how to make these decisions.
See Adobe Flash Player Help

Flash Player provides a number of ways you can manage a website's ability to store information in local shared objects. You can control storage space by individual websites or for all websites.
See Adobe Flash Player - TechNote - How to manage and disable Local Shared Objects

A third-party local shared object, sometimes referred to as a "third-party Flash cookie", is a shared object created by third-party content, content that is not actually from the site you are currently viewing. Third-party local shared objects may be important for privacy because they can be used to track your preferences or your usage across different websites that you visit.
See Adobe Flash Player - TechNote - How to disable third-party local shared objects

Delete Flash Local Shared Objects (Flash Cookies) with Objection [Trevor Hobson, from mozdev.org] (requires Mozilla Firefox)

.sol Editor opens, removes or creates a Macromedia Flash shared object file (.sol), displays the content of the file and allows you to change the values.
See .sol Editor (Flash Shared Object) (from SourceForge.net)

See Wikipedia - Local Shared Object

Malicious Dialers:

These are small malicious programs that connect over a telephone line a PC to a Dial-Up Network (DUN) at very high rates of cost to the user.

In general it is required to examine your PC with an updated antivirus program to detect and eliminate them. Some can be detected by a user by examining "Internet Connections" in the Windows Control Panel.

Malicious dialers are generally installed in your PC by visiting an infecting Website or by a new kind of virus that has one as a payload.

You can eliminate malicious dialers from your PC with the a-squared Anti-Dialer Freeware! - free of charge Dialer scanner and remover.

See Symantec Security Response - Expanded Threats (Dialers)

Rootkits:

A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine. Actions performed by a rootkit, such as installation and any form of code execution, are done without end user consent or knowledge.

Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to provide an undetectable environment for malicious code to execute. To manually install rootkits, attackers will typically leverage vulnerabilities in the target machine, or use social engineering techniques.
In some cases, rootkits can be installed automatically upon execution of a virus or worm, or by browsing to a malicious website.

A virus, worm, backdoor or spyware program could remain active and undetected in a system for a long time if it uses a rootkit. The malware may remain undetected even if the computer is protected with state-of-the-art antivirus. And the antivirus can't remove something that it can't see.

The Sinowal Trojan, also known as Torpig and Mebroot, may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters. Dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as e-mail and FTP accounts from numerous websites, have also been compromised and stolen. Leading anti-virus vendors have indicated that the Sinowal Trojan is specific to Windows XP operating environments.

Once installed, an attacker can perform virtually any function on the system to include remote access, eavesdropping, as well as hide processes, files, registry keys and communication channels.

A good antivirus program, like the AVG Anti-Virus Free Edition from Grisoft, or the a-squared Free, should detect a rootkit not yet installed. To detect and eliminate one that has been able to install, you can use the Free F-Secure Blacklight, Sophos Anti-Rootkit, or the Trend Micro RootkitBuster.

See Rootkits - A New Malware Trend (a² Knowledgebase, EMSI Software),
Symantec Security Response - Windows Rootkit Overview (.pdf, Adobe Acrobat Reader),
F-Secure BlackLight: The Threat - Rootkits,
One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts (RSA FraudAction Research Lab on 10/31/2008 12:00:00 AM),
Taking over the Torpig botnet (The Computer Security Group at UCSB).

Malicious JavaScript:

Malicious scripting attacks are a threat to Web users. A Web site can use a scripting language, like JavaScript, to exploit security vulnerabilities that could allow it to perform installations of spyware or remote control programs.

Firefox, Internet Explorer 7 and Opera have some features to prevent these exploits, including pop-up warnings that let the user know when a Web site uses scripting. But these all/nothing controls are not flexible enough.
You should allow the execution of JavaScript only from trusted Web sites. But typically, a Web site will present scripts coming from other Web sites.

The NoScript Firefox extension provides extra protection for Firefox, and other Mozilla-based browsers: This free, open source add-on allows potentially dangerous JavaScript, Java, Flash and other plugins to be executed only from trusted Web sites of your choice (e.g. your online bank).

Cross Site Scripting:

Cross-site scripting (XSS) attacks occur when an attacker uses a Web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a Web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

See Cross Site Scripting Open Web Application Security Project (OWASP)

See Cross-site scripting Wikipedia, the free encyclopedia

Malicious HTML Tags Embedded in Client Web Requests:

None of the solutions that Web users can take are complete solutions. In the end, it is up to Web page developers to modify their pages to eliminate these types of problems.

However, Web users have two basic options to reduce their risk of being attacked through this vulnerability. The first, disabling scripting languages in their browser, provides the most protection but has the side effect for many users of disabling functionality that is important to them. Users should select this option when they require the lowest possible level of risk.
The second solution, being selective about how they initially visit a Web site, will significantly reduce a user's exposure while still maintaining functionality. Users should understand that they are accepting more risk when they select this option, but are doing so in order to preserve functionality that is important to them.

See Malicious HTML Tags Embedded in Client Web Requests CERT Advisory CA-2000-02

Security information is of a time critical nature.
The Symantec Security Advisories contain information about major security developments, including Symantec's response to the situation.

A Final Warning

Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on desktop computers.
The new threat landscape will likely be dominated by emerging threats such as robot networks (botnets), customizable modular malicious code, and targeted attacks on Web applications and Web browsers.

See Symantec Enterprise Solutions - Internet Security Threat Report

During 2007 the number of samples of malicious code has doubled, having taken 20 years to reach the size it was at the beginning of this year.

One of the most successful "botnets" of 2007 has been "Storm". The Storm botnet, estimated now to contain millions of compromised computers, has advanced defenses.

See Cracking open the cybercrime economy (Tech News on ZDNet, Dec 14, 2007)

The signature inventory of pests recognized by a-squared Free and a-squared Anti-Malware had somewhat more than 500,000 entries at the beginning of last year. At the beginning of 2008 this has already reached a record of 1.1 million Malware signatures.
Whereas 1.4 million Malware infections were reported by a-squared users in 2006, this rose to an unbelievable figure of 1.9 million last year. The shocking fact is: on average, every PC was infected with 8 different types of Malware!

Malware is no longer being built for self promotion purposes, or for fun, but rather with the primary aim of earning large amounts of money.
Most of the newly discovered Worms, Bots and Trojans no longer contain destructive routines. They are purely designed for the purpose of hijacking computers to allow them to be remote controlled.

Spammers use this computing power to anonymously send millions of e-mails. Other shadowy organizations use the storage capacity to store and distribute illegal data, such as child pornography or similar.
As the victim, you usually do not notice that your computer is being used as a trading place for this type of data. The only clear indications are usually only an Internet connection that becomes continuously slower and less computer performance for your own applications.

See Malware Annual Report 2007 (Emsi Software, 1/17/2008)

Spoofed e-mails (also known as Phishing) that appear to be from a supplier (showing a false From address) can put you in danger.

They normally ask you to navigate to a spoofed Web site (showing a false URL) to provide, update or confirm sensitive personal information. To attract you, they may refer to an urgent situation in your account or a very attractive offer.

Some information that Phishing scams are after:
- Credit or debit card numbers
- PINs or Passwords
- Account Numbers
- Personal ID numbers and other personal data (like names and addresses)

Even if you don't provide what they ask for, simply clicking on the link could subject you to "silent" installations of key logging software or backdoor programs.

Many of these sites open spoofing windows to obtain your authorization for an installation. Close them using the X in the upper-right corner of the window. Do not use the controls in these windows; a button can do anything, no matter how it is marked.

Consider that a Web page can spoof the contents of both the Address (URL) and Status Bar.

See PhishTank (operated by OpenDNS)

Don't follow links to your suppliers provided in unsolicited e-mail or untrusted Web sites. Write the known URL yourself and then navigate the supplier's Web site. Always do this for banks, financial services and on-line stores.

To navigate the Web, your browser requires access to a DNS (Domain Name Server) service that translates the URLs you type (i.e. www.somedomain.com) into a set of 4 numbers that is the actual IP (Internet Protocol) address of the Website.
But generally, DNS servers are only directly available from connections provided by the ISP to which they belong. This means you are generally limited to directly using the DNS server of your Internet Service Provider (ISP).
If your DNS service directs a certain URL to your own PC, this URL is blocked, and you get a 404 Error (page not found).
Avoiding the blockage requires using a public DNS service, like OpenDNS (Free), which also offers an anti-Phishing service.
Additionally, using OpenDNS guarantees your movements on the Web can not be tracked through the DNS use log at your ISP.

When OpenDNS is unable to determine how to resolve a URL (for example, a typo which is not in our "errors we can fix" list), then OpenDNS provides search results that are the best match for the information provided.

Security researcher Dan Kaminsky announced on July 8 '08 that a major bug affecs DNS software.

Here's a quick way to tell if your DNS servers are at risk:
While browsing from a PC in your network, head to DoxPara Research, Kaminsky's site, and look for a button on the right named "Check My DNS". Click it.
PC World - Business Center: Have You Fixed Your Company's DNS Servers?

If your DNS server appears safe, you should get:
Your name server, at ...., appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
Make sure that the listed ports do not follow an obvious pattern.

Multiple DNS implementations vulnerable to cache poisoning:
DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver.
US-CERT Vulnerability Note VU#800113

OpenDNS is proud to announce that they are one of the two DNS vendors / service providers that were not vulnerable when this issue was first discovered by Dan Kaminsky.
OpenDNS Blog: OpenDNS - Keeping you safe day after day

More news will be coming about this DNS vulnerability, and a major anouncement by Kaminsky was expected in August 6 '08 during the Black Hat conference in Las Vegas.

State of the Internet: Old worms live on; Delaware speediest state; South Korea a broadband king
ZDNet Blogs, May 29th, 2008. Posted by Larry Dignan @ 4:55 am

Akamai [a global server network that handles 20% of the world's total Web traffic] on Thursday [May 29 '08] released its first State of the Internet report and found attack traffic - viruses, worms, bots and such - derived from 125 countries, with 30% of that traffic coming from the United States and China. Some of these attacks, which occurred in the first quarter, were from worms like the Blaster back in 2003.

Of that attack traffic, the top 10 countries accounted for 75% of the attacks. The surprising hotspots for attacks included Venezuela, Argentina and Brazil - three places not exactly known for their hacking communities. Russia was a no-show.

Here's the chart from Akamai's report, which requires registration:

Attack Traffic

See Akamai Report: The State of the Internet - 1st Quarter 2008, 2nd Quarter 2008

My specialty is Personal Computing and I work as an independent consultant.

Updated: June 11 '09

Antivirus Information Section

Symantec and Trend Micro Security Alerts Boxes

PC Updating Section

Castellano: Sección sobre Seguridad de PCs

Back: Home Page (PC Security and Updating Service)

Messages:
Andrés Valencia: Communications