Sunday, July 31, 2005

Setting up a test computer

You CAN try THIS at home!

You can try this at home (or in an office or lab), but a certain amount of expertise and extra hardware is required. If you do not have expertise and extra hardware as described below, you would be well advised not try any of this -- at home or otherwise.

As for expertise, I would suggest performing your own malware experiments only if
  1. you know how to set the little master/slave jumpers on hard drives, and
  2. you have experience installing hard drives, including going into computer CMOS on startup.

As for extra hardware, if you have an extra, Win XP capable hard drive which you do not mind reformatting, you are set up to perform your own malware tests. The extra hard drive is already in an existing computer, all the better, but this is not necessary. An extra hard drive only needs to be 4 gigs or bigger, and these can typically be purchased for about $10-20 at used computer stores.

To perform malware tests with your extra hard drive ("test drive") on an existing computer, open up your computer, unplug the drive cables from your permanent hard drives, plug in the test drive as the primary master, and then install Win XP on the test drive. You do not need to permanently mount the test drive -- rather leave the permanent drives mounted, and just set the test drive in a convenient location that the length of the cables will allow. To determine whether you picked up any malware after performing the tests, plug your regular drive back in -- as far as it is concerned, it will be as if nothing happened. Plug in the test drive in instead of the CD drive, and then scan the test drive with your normal virus scanner.

When I first tried malware testing, I was visiting my parents, and used my mom's computer. (When I went to visit, I had brought along an extra hard drive -- doesn't everyone?) A picture of the setup is here.

In general, it is best to reformat the drive and reinstall Win XP before you begin. This is to insure you are testing a bare Win XP install only, without any anti-virus software -- you want to test least privilege, not anti-virus software. You would also reformat the drive to wipe clean any malware or spyware you might get in your tests. You should also start with a clean install if you want to do tests for spyware. Spyware scanners will detect "problems" even on a fresh Win XP install that has never been exposed to the Internet. So to scan for any spyware, you should first do a "baseline" scan, perform your tests, do an "after" scan, then compare the after against the baseline.

If the test system is on a network with other computers, make sure the workgroup on the test system is not the same as any other computer on the network. Clever malware might be able to propagate to other computers through the network connection. To check or change the workgroup, from an administrator account, click on Start, and you will see "My Computer" about half way down the right column. Click right, and then choose Properties. Click on the Computer Name tab. The workgroup is identified on the line half way down. Use the "Change" on the last line to change the workgroup. After rebooting, using Windows Explorer, verify that you cannot access the files on any other network computer.

And after all that, you are ready to test malware.

Setting Up Least Privilege

In Win XP, accounts come in two flavors, Administrator and "Limited". You must have at least one administrator account to install/remove software, install/remove hardware drivers, install "Critical Updates" from Microsoft, and apply virus definition updates. To protect a Win XP computer against most all malware and spyware, create a "Limited" account, and use that account to surf the web and access your email (the two activities with the greatest malware exposure). One can use the administrator account(s) for all other tasks (although for convenience, you may want to explore performing other tasks from within a "Limited" account, in addition to surfing and email). On one level, that is all there is to it.

The word "Limited" is in quotes because the label is unfortunate -- superficially, who wants to be "limited"? In Linux and Unix, the same kind of account has a more neutral label: "regular user". One can look at the "Limited" label this way: use of a "Limited" account will limit the damage malware and spyware can inflict on your computer.

Microsoft has recently decided to downplay the term "Limited" by referring to the least privilege account by its initials, "LUA", for Limited User Account, and pronouncing the initials as "loo-ah".

Before creating a "Limited" account for surfing and email, it would be best to have already chosen the names for your Administrator and "Limited" accounts. Ideally, you should choose names that make it easy to remember whether an account is Administrator or "Limited". I would personally recommend that you covert any account with a person's name to a "Limited" account, and set up one or more administrator accounts with functional names. Putting the name "Administrator" on an account would be OK (although I use "Grand Wizard" for the administrator accounts on the machines that I administer). In many situations, it would generally be better to keep the issue of who gets administrator access separate from the naming issue, and to do this by making all accounts with any person's name equal and "Limited".

Also note that some information from Microsoft implies that each person can have one and only one account -- this is not so. Each person that uses a computer can have more; for example, can have two accounts, one administrator and one "Limited" account. To get the most out of least privilege, every user of a computer should surf the web and access your email from a "Limited" account, as malware and spyware that can get on the computer through one account affects the whole computer, including everybody else who uses that computer.

Naming decisions here are not set in concrete -- you can always add more accounts later. You can rename existing accounts, but this makes for inelegant subdirectory names under "Documents and Settings" -- see the section below "Win XP User Files". I personally prefer to create a new account and delete the old account rather than rename. If you take this approach, be extra careful to copy all files and "favorites" settings from the old account to the new account before deleting the old account.

To create a new account, go to the Control Panel, select User Accounts, and click on "Create a new account". The screen will prompt you to give the account a name. The name does not need to be a person's name, but can be. (All the Win XP machines that I administer have a "Limited" account called "Surfer", for -- you guessed it -- surfing the web.) As stated above, it is better to decide on a naming plan that makes sense for you before launching into this.

There is an option here, you can either keep the new account as an Administrator or make it "Limited". The default choice is Administrator under Win XP. You can choose to make the new account a "Limited" account by clicking on that option. Later, you can come back to the User Accounts dialog (accessed through the Control Panel) and change the account type, from administrator to "Limited" or vice versa. In actual practice, it is sometimes necessary to do this.

People who already have two or more accounts on a Win XP system will know the initial screen that says, "To begin, click your user name". If your Win XP system has a single account only, Windows bypasses the initial screen. So after setting up a "Limited" account, you must make a choice after turning on your computer. Once you are in an account, you can tell which account you are in by clicking on the Start button -- the name of the account is at the top of the Start Menu.

I would also recommend protecting all administrator accounts with passwords. This will prevent some future, clever malware from getting administrator privileges even though you are using least privilege account. Without password protection, malware would be theoretically able to access administrator privileges and install itself even though the person is using a least privilege account. On a shared computer, it would be OK for all users who get administrator access to know the single password for a single administrator account (that is the way it works in my office, but my office is small). Different arrangements would work in different settings, but leaving any administrator account without password protection is inviting trouble down the road.

One possible incentive system that could work in some homes and office settings would be to password protect all administrator accounts, while not password protecting some or all least privilege accounts. From the user's perspective, getting into a least privilege account is easy (no password required), while getting into an administrator account requires putting in a password. Hence the incentive for using a least privilege account.

Using a Least-Privileged User Account

Win XP is fully least-privilege capable. There are only two rubs,
  • Microsoft does not support the use of least-privilege on Win XP; you are basically on your own, and
  • Deploying least privilege in Win XP may be more or less convenient, depending on the applications used on each computer.
With respect to the "convenience factor", many applications today are not least-privilege compatible. However, there are three items of good news:
  1. As far as we are aware, of the many applications out there that are NOT least-privilege compatible, none block the use of least privilege. Rather, they just make the use of least privilege protection less convenient for the end users of such applications. For everyone else, it is clear sailing.
  2. The highest risk activities are surfing the web and opening email, and the applications most commonly used (Internet Explorer and Outlook/Outlook Express) are least-privilege compatible. (FireFox is also least-privilege compatible.) So today, every Win XP user can apply least-privilege protection where it is needed most. (Internet Explorer and Firefox are least-privilege compatible right out of the box, while Outlook might require some setup steps, namely moving the Outlook data files to a new directory -- see the section "Win XP User Files".)
  3. Trying least privilege is risk free, and zero cost. This is the worst-case scenario: you go back to using the computer exactly as you are using it now -- without least privilege protection (for the vast majority of Windows XP users).
The only bad news is that setting up least privilege definitely requires some setup in the Control Panel, and may require moving files from one location to another. If you are not comfortable with tackling such tasks on your own, it would be better for you to pass, or get help if you really want least privilege protection for your computer.

Malware testing 1.01 -- the Virtual Bouncer test

One test for starters is the "Virtual Bouncer site test". Virtual Bouncer tricks unsuspecting surfers into installing it, applies a restriction that slows the Internet connection to a crawl, and offers a "subscription" for a price to remove the restriction. It has been termed "extortion ware", and is described on Spyware Guide here:

http://www.spywareguide.com/product_show.php?id=514

Here is the "Virtual Bouncer site" test (but do not try this until you are ready, as described above):

Go here,

http://www.spywarelabs.com/downloads.html

Click on "CLICK HERE TO TRY VIRTUAL BOUNCER NOW".

In our tests, a "Limited" account on a machine with the NTFS file system passes the test -- Virtual Bouncer cannot install.

Try it from an Administrator account and, after the next reboot, you will experience Virtual Bouncer.

Then reformat the hard drive, and reinstall Win XP.

DO NOT TRY ANY OF THIS UNLESS YOU HAVE READ ALL THE POSTS ON THIS BLOG.

Spyware testing

To test for Spyware, we have used "SpyBot", available here as a free download:

http://www.safer-networking.org/en/index.html

Install SpyBot, but do NOT turn on SpyBot protection for the PC. Go without to test the effectiveness of just least privilege. (And of course, I did not install anti-virus software on the test drive.)

SpyBot considers some cookies to be spyware. Cookies may be spyware by some definitions, but cookies are not the most malicious spyware. Also, whether you accept cookies is determined by your browser settings, not by whether you are running under a "Limited" account on an NTFS install.

You can wipe all cookies with the click of a single button -- almost. There are several ways to get to the button. The easiest way to explain is go into IE, click on Tools, Internet Options. A dialog will appear. Half way down toward the left is a button "Delete cookies". The button does what it says.

I ran SpyBot before and after clicking the button. After showed less "spyware" by about 75% or so.

This would be a step to cut down the noise in tests for the more malicious spyware. So before running SpyBot, I recommend deleting all cookies.

An alternative is to adjust the "Advanced" SpyBot settings to ignore cookies. PC World put out instructions here:

http://www.pcworld.com/howto/article/0,aid,116990,00.asp

To test for Spyware, I used the list of spyware/malware sites available here:

http://www.mvps.org/winhelp2002/hosts.txt

I selected some of the sites listed as spyware, when to several, and pressed all the wrong buttons. Afterwards, a spyware scan showed no new spyware, other than cookies and what was originally there in the baseline scan.

DO NOT TRY THIS UNLESS YOU HAVE READ ALL THE POSTS ON THIS BLOG.

The purpose of the hosts.txt file (link above) is to block access to all the sites listed -- suposedly, they are all known malware/spyware sites. Some have comments indicating the exact malware/spyware that one can contract from the site.

Testing worms -- advanced!

Testing worms is more involved, for two reasons, 1) you have to get the worms, and 2) worms can send out worm-infested emails without you, the user knowing it. So you need to ask for volunteers to be in the Outlook address book of the test system. Obviously, your volunteers will need to either be on non-Windows computers, or have solid malware protection. Even then, many ISP's will filter worms out of the recipient's email. So one must "qualify" the volunteers -- see whether they can receive a worm that you send to them directly. In my experience, people on some ISP's never get worms. The upshot is you need lots of voluteers, and you may find that only a few of them will be able to receive worms and thus participate in the tests.

I tested two worms, a Netsky and a Beagle. Least privilege stopped the Beagle cold. On the other hand, Netsky was able to send out emails to the addresses listed in the Outlook address book, complete with spoofed "from" addresses. Logging off effectively flushed both Netsky and Beagle.

DO NOT TRY THIS UNLESS YOU HAVE READ ALL THE POSTS ON THIS BLOG.

System Requirements

Least privilege protection is available in Windows XP systems installed on NTFS hard drives. The other hard drive option for Win XP is the Fat32 file system, but Fat32 offers no protection against malware and spyware. Luckily, 1) checking for NTFS is easy, 2) if you are on Fat32, converting to NTFS is easy, and 3) most Win XP systems are on NTFS in the first place. To check your file system, go to Windows Explorer, right click on your C: drive, and choose Properties. The "File System" is on the third line down, and it says "File System:". On most Win XP systems, it will say NTFS.

If your File System is Fat32, you can convert to NTFS by closing all applications, going to a Command Prompt (Start, All Programs, Accessories, Command Prompt) and typing this command:

convert c: /fs:ntfs

Where c: is the drive you want to convert (normally, that would be c:).

The conversion process will start after reboot. FAT32 will be converted to NTFS "without of data loss", but the wise would do a complete backup, "just in case".