A couple of days ago Microsoft came with a new free Anti-Virus product – Microsoft Security Essentials

I will not comment on Microsoft ability to create security products, my opinion could be based of course. I’d like to write a bit about the whole idea of those Free Anti-Virus.

Currently it’s not just a GNU-like projects, made by open source enthusiasts to make world better. Big serious companies are making those product and distributing millions of copies. Here are the leaders:

• AVG
• Avast!
• Avira
• PCTools Anti-Virus

Their marketshare is huge (although it’s very hard to measure. Most market share measuring technologies measure products, something which is bought and sold). They’re very high in Organic google resutls for the best keywords, like “antivirus”. They’re also spending hundreds of thousands on paid google campaigns and download seeding via affiliate networks. Why all of those? Just to deliver you a nice present?

Of course not. Their business model is  - first get a huge portion of market, get very strong recognition from home users around the globe. And then sell them something.

You can visit their sites and see their business models. It’s mostly Online Sales, so everything is open, no hidden distribution agreement or union contracts. You’re told that “Just Anti-Virus is not enough” to protect your computer and then they ask you to buy “full Internet Security version” where normally you can find firewall, anti-spam and a lot of different components.

Share on Facebook

Already many years Identity theft considered as a crime in USA and EU countries. Of course, it’s not a act of stealing, which is prosecuted, identity can not be stolen, just copied. It’s the act of using this information for criminal purposes, like obtaining credit, writing cheques, paying with credit card via Internet, etc.

Free email services, also called webmail providers, provide opportunity for identity theft, which could be used by anybody in a couple of minutes. If I have an email serguei.alleko@gmail.com, then somebody can just create sergueialleko@gmail.com and start sending email from my name. The protection level is almost zero.

Currently people don’t care much about this particular identity theft, because, again, it’s not the stealing, its using somebody’s identity which is important. If you can send emails from my name, you can’t earn much money. A con-artist, looking for a random victim in order to steal something using his identity doesn’t need an email address.

You can try to trash somebody’s reputation, sending insulting emails from (supposedly) their emails. Let’s look at this case closely. First of all, let’s consider we’re not talking about IT-engineers, who know how it works. If you’re a professional, you can protect your privacy or steal identities without being caught for a long time. But email is available to much wider audience. 95% of Internet population(and 9% of potential identity thieves) don know all the technical details. How does it usually happen?

Your ex-colleague or ex-friend has some strong negative feelings about you and want to do you some harm. So, he registered an email account with email address looking like your name and start sending porn to all your work contacts or friends. The email from this person must pass through a number of steps before reaching somebody.

A Person must use Computer to connect to and ISP and send email via one or more of Mail servers.

For example an identity thief is sitting at home and trying to use a bogus Gmail account to send emails

• Person: identity thief
• Computer: his home PC
• ISP: his Internet Provider at home
• Mail server: Google mail servers

Let’s try to track the email to you in reverse order:

Mail server

Normally all mailservers are identifying themselves  via headers in your email like this:

Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.174]) 
Received: by wf-out-1314.google.com with SMTP id 27so770877wfd.15

It’s quite easy to identify the mail servers and track down all of them, from the first one to the last one. But, if a person used some webmail service, the last mail server will still be from  Google. And only Google knows the IP-address of the computer from the ISP.  

ISP

The next step will be to find which ISP and which IP-address your computer is using to connect to Internet. This is the most difficult step. Google will probably not tell us the IP-address of a person, who is sending emails via gmail. Google is not evil. But some others may well let us know. For example, this is the email headers, which were send via Yahoo account:

Here we have  a header X-Originating-IP with the IP-address of the person, who has sent us the email! This header is not mandatory and could be altered by a smart engineer. It’s not a proof, but it’s a lead.

If you don’t have this information in the email, you’re stuck. You can go to authorities, but, unless it’s about terrorism or child pornography, I doubt they’ll help you.

Computer

If we did find the IP-address of the computer, we can use WHOIS service trying to find out more about it. You can find that:

• IP-address belongs to an organization or office
• IP-address belongs to an Internet cafe
• IP-address belongs to the pool of ADSL, cable or modem addresses from a provider

In all those situations you still have to find out the person

Person

Even if we narrowed down our search to and Internet Cafe or an office, we still have to find out the actual person. There we may be lucky if the Internet Cafe has a surveillance cameras and is going to share the record. Or may be you find that only one person was at the office, when the email was send. But in most situations the possibilities are endless.

Conclusion

If you’re a victim of an identity theft via e-mail, it’s quite hard to find the thief  by yourself. Even if he made a lot of technical mistakes, there is information, which is only available to authorities. In this situation it’s better always report the incident to the police.  And let it known, of course. If the criminal is somebody you know, he’ll find out about the police and may be scared.

Share on Facebook

I’ve been working  for many years in a anti-virus company. Of course my view on computer viruses and incidents  is biased, but this angle could be interesting anyway. 

Currently the anti-virus coverage within corporate networks is close to 100%. Within home users it’s estimated from 70% to 90%.  How exactly does infeactions happen in real life and how could they be disinfected.

Start of the infection

Modern viruses are like vampires. If you don’t invite them in your house, they can not pass the door. If, however, the undead manages to trick you and get in, then you’re in real trouble. 

In 99% of the situations the infection is coming via Internet.  Look at Virus Top list for December 2008  Almost always user has  to let the virus in yourself:

• user opens an email with a virus
• user opens a web-page with a virus

In Windows XP and Vista there are some security measures, which are trying to warn you. And it does help. Actually I believe, Microsoft has greatly decrease the possibility for external infection. But it’s sill not enough.

Even if a user has an anti-virus, it must be working. First of all, it must be ON. A lot of users turn it off because it eats the system resources. Second, anti-virus must be updated, basically every day. You have to let it to get the latest updates via Internet.  These two problems are the reasons, why home users get infected even with the anti-virus installed. I beleive if you get those two things right, you can be protected with any of the top 5 Anti-Viruses: Symantec, Mcaffee, TrendMicro, Kaspersky, Sophos.

In the corporate environment normally you have professionals, who can manage the installations of the anti-virus software. That’s why normally within corporate networks you have much less infection rate, than at home. I say normally, because it happens anyway. I’ve seen only 3 major security incidents within large corporate networks and in 2 cases the reason was that anti-virus software was not properly  installed. These are the most common reasons for IT-managers not to  install Anti-virus:

• we run those servers on VMWare, they don’t have enough resources for real-time anti-virus protection
• we don’t have anti-virus in our standard image for a workplace
• we just don’t have a standard disk image for a workplace
• we never had anti-virus problems before, so we for us performance is more important
• we hired a new guy, how didn’t have time yet to catch on with your anti-virus stuff.

You don’t have an Anti-Virus and you get a virus. This is as simple as that! As you can see, the most underlying reasons are not security related, but rather general IT-management related.

Infection is spreading

Once in, a vampire can use a formidable array of superpowers – inhuman strength, speed, invisibility, mist, hypnosis, etc, etc.  In corporate networks normally there is not much protection inside the perimeter. Once run on a PC with domain admin rights, a virus can copy itself to any other computer, put itself in the autoexec-batch file from Windows Domain Logon, attach itself to a lot of Microsoft Office files. Almost always if some of the computers do have the anti-virus protection, they can resist. Viruses are deleted at the moment they’re entering the protected computer. But in a network with thousands of computers even a small fracture of unprotected PCs can easily jam connections or servers. All computers must be protected.

Fortunately, vampires are not just savage killers, they’re sophisticated creatures (at least according to Bram Stocker). They don’t just kill, they suck your blood slowly and trying to convert you. The same is true about modern computer viruses. They don’t destroy your files or wipe your hard drive. They’re slowly and carefully trying to use your resources for some commercial purpose. Making your computer a zombie, sending spam, starting DDOS-attacks, stealing passwords. That’s why there is still a possibility to clean the computer and eliminate the infection.

Cleaning the infection

Just let professor Van Helsing to do his job and he’ll succeed. Currently modern anti-virus programs are very powerful tools. They’re self-protected, they’re smart and they can do their job good. In most situations it’s enough to install the Anti-virus, get the latest updates and perform the scan of the whole hard drive. 

Here lies the biggest issue for the corporate networks. Anti-virus vendors provide their own solutions for the remote protection. Microsoft Windows contain useful technology like RPC. Other vendors also have solutions like Novell Zenworks.  However you need to know where to install!

The problem is that all those systems are quite democratic: “if computer comes and asks for service, the system provides is”. An opposite approach would be totalitarian: “the system must know everything about all computers and enforce the service”. In case of cleaning the infection from the corporate network you need to be a dictator and install the anti-virus on all computers. These are the major obstacles you find on your way:

• not all computers in the company are online during the day
• nobody knows how many computers are really there, not stolen, broken or thrown away
• nobody cleans the list of registered computers in Active Directory, there are always a lot of very old ones
• often central IT department sends a bunch of PCs to a local IT-team and they connect them when they need
• often the names of thousands of computers have flat structure, like PC2022345,  you don’t know where they’re located

You don’t have to be despot in normal life. If you’re talking about the business needs of your company, a democratic approach works just fine. But if you’re at war, you need to change it.

I found the approach which works the best to clean this mess:

1.  Start with list of registered PCs from Active Directory, put them in one group called “Not Clean“
2. Try to ask the customer to remove obviously old names. It’s not always possible, because there are hundreds of them
3. In most cases you can remove names, which don’t have IP-address in the Windows DNS anymore. This means they haven’t been online for a long time
4. Put all those computers in the list in your Anti-virus control Center and try to install the protection on all of them
5. When the initial installation finishes, move the computers with successfully installed anti-virus to another group, called “Clean“
6. Repeat steps 4 and 5 next day. And the day after next. And further. Your goal to move everything from “Not Clean” to “Clean“.
7. If there are some computers still left, try to find their location and clean them manually

In this situation the biggest problems are again, not security related, but IT-related. In order to perform the cleaning you don’t have to be an anti-virus expert, you just need to have good understanding of Windows infrastructure and networking.

Conclusion

The solution against viruses is just simply installation of Anti-virus. When you get infection, in most cases it means you didn’t have protection. If you need to clean the infection – install Anti-Virus. It sounds a bit boring, doesn’t it?

Share on Facebook