
User's FAQ


Trojan Horse Behavior

Trojans are nothing more than programs using a port to transmit data to an attacker. They hold a port open, e.g. port 31337. The attacker connects to the trojan and sends requests to perform a certain task, for example to take a screenshot. The trojan takes the screenshot and sends the image via the port to the attacker. On newer trojans the port number is quite freely configurable, which makes identifying the trojan by its port number difficult. There are no control mechanisms which can prevent a trojan from using a specific port. If a trojan uses port 80, for instance, a novice user could assume the program is a webserver and may simply ignore the port.

Services are programs which are automatically run at system startup without any visible window; they work in the background. Open the service manager at Control Panel > Administrative Tasks.

How to close a port. Close the program holding the port open. There are also more advanced methods for preventing communication over specific ports. Important: an open port is not necessarily dangerous! You are only at risk if the program using the port contains harmful code, so there is no reason to close all ports on your system. In fact, without open ports the internet simply wouldn't work! An open port is not an autonomous object and should not be thought of as something which can be destroyed by closing it. If a port is open on your computer, it means that there is an active program using this port number to communicate with other computers on the web. A port isn't opened by the operating system, it's opened by a specific program wanting to use it.

To close a port, it's usually only necessary to shut down the program holding the port open. On some ports it's enough to tell the program or service that the port should not be opened. A good example is the Microsoft Internet Information Services in Windows 2000 and Windows XP. If installed, they open three ports automatically: 21, 25 and 80. Port 21 is the FTP server, port 25 the SMTP server (email server) and port 80 the webserver for http.

The FTP server enables other internet users to download shared files from your system. They can also upload files to you, if you choose to permit this. The SMTP server is used to send emails directly to the recipient's mailbox without the use of an external mailserver. The webserver allows you to run a website on your PC, but it is only reachable via your IP address. If you wish to make it accessible to the public, you need a domain name that points to a static IP address. If you don't need these servers, simply shut them down and the ports will be closed automatically.

However, it is not always this easy to find out why a port is open. One example is port 5000, which is opened by Windows ME and XP by default. For this there is no service which you can turn off; to close this port it is necessary to uninstall a system component. Port 5000 is used for plug and play with network devices, so if you close it, network plug and play is no longer available.
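Which program is behind an open port can be found by matching the PID column of `netstat -ano` against `tasklist`. The following Python script is an added example and not part of this FAQ; it works on constructed sample output from both commands (the PIDs and image names are invented) and names the program holding each listening port open, so a port 80 held by something other than the webserver stands out.

```python
import re

# Constructed sample of `netstat -ano` output (Windows XP layout); not a real capture.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.5:1049       198.51.100.7:80        ESTABLISHED     1772
  UDP    0.0.0.0:5000           *:*                                    788
"""

# Constructed sample of `tasklist` output; the PIDs and image names are invented.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  788 Console                 0      4,212 K
inetinfo.exe                1120 Console                 0      9,880 K
iexplore.exe                1772 Console                 0     21,004 K
scrnsvc.exe                 2044 Console                 0      1,336 K
"""

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s", line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def listening_ports(netstat_text, procs):
    """Return (proto, port, pid, image) for each socket accepting traffic.
    TCP counts only in LISTENING state; UDP has no state column, so every
    bound UDP socket is reported. PIDs missing from tasklist are flagged."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        port = int(f[1].rsplit(":", 1)[1])
        pid = int(f[-1])
        found.append((f[0], port, pid, procs.get(pid, "<unknown process>")))
    return found

def report(netstat_text=NETSTAT_SAMPLE, tasklist_text=TASKLIST_SAMPLE):
    """One line per open port naming the program that holds it open."""
    procs = parse_tasklist(tasklist_text)
    return ["%s port %d is held open by %s (PID %d)" % (proto, port, image, pid)
            for proto, port, pid, image in listening_ports(netstat_text, procs)]
```

On a live system, replace the two samples with the actual output of netstat -ano and tasklist; a name you don't recognise next to a port is the program to investigate.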

Firewalls. Even if a port can't be closed by shutting down a program or service, there are still other options for blocking communication to the port. Firewalls can prevent connections on specific ports. They work on the principle that data packets which use a specific port on a network are filtered. However, firewalls only provide passive security: you may still have a trojan installed on your computer, but it can't connect to the attacker because the firewall is blocking the connection.

There are different firewall concepts. On the one side there are desktop firewalls like ZoneAlarm or Tiny Personal Firewall, which are installed locally on the PC they protect. These firewalls sit on the network driver layer of the operating system and prevent connections to or from specific blocked ports. But there is an obstacle here: programs or trojans which don't use the network driver of the operating system can't be prevented from making a connection to the outside. If an attacker can install a trojan with its own network driver on your PC, a desktop firewall would not help.

A more secure technique is to install a firewall on a second computer. Usually a whole network of computers can then only send data to the internet through a firewall server; the computers in the network have no direct connection to the internet. All data passes through the firewall and can therefore be blocked as and when required. Most such firewalls are also able to analyze the data packets. For example, if a harmless email is transferred, the firewall can check that no viruses are attached to the email and filter the attachment before passing the mail to the target PC. In general, however, good firewalls tend to be fairly expensive and usually require special hardware.

Windows 2000/XP boot troubleshooting

Try several tactics to get a reluctant Windows to load; plus, keep XP's Start menu under control.

1) If Windows XP (or 2000) refuses to start, press F8 right after you turn on your PC but before the Windows logon appears (it may take a few attempts to get the timing right). At the resulting menu: select Last Known Good Configuration to restore your Registry to an earlier date.

2) If this doesn't get your PC working, reboot and press F8 again, but this time select Safe Mode, and then choose Start > All Programs > Accessories > System Tools > System Restore. Follow the wizard's instructions and pick an appropriate backup. If that approach doesn't work either, or if you can't even get to this menu, use your emergency boot floppy.

3) If your hard drive's boot sector or Windows' basic boot files have been corrupted, this disk will circumvent the problem and boot you into Windows. If you don't have an emergency boot floppy, you may be able to use one created on another PC running Windows XP or Windows 2000, but there's no guarantee that it will boot your machine. To make one, insert a blank floppy disk into drive A:, select Start > All Programs > Accessories > Command Prompt, type format a:, and press Enter. When asked if you want to format another disk, type n and press Enter. Type the following commands, pressing Enter after each one.

xcopy c:\boot.ini a: /h
xcopy c:\ntdetect.com a: /h
xcopy c:\ntldr a: /h

Now type exit and press Enter to close the window. Remove the floppy disk and label it Windows XP boot floppy. Put this emergency disk in the floppy drive of your inoperable machine and boot up. Windows should run with no problems. You could simply keep the floppy in the drive all the time, but to truly fix the problem, launch the command prompt as described above, type xcopy a:*.* c:\ /h, and press Enter.

4) If the emergency boot floppy doesn't work, try the Recovery Console, a Windows utility that provides a DOS-like command line from which you can run some repair programs. It's tricky to use if you're not accustomed to command lines, and you can damage your data, so be careful.
If you have a Microsoft Windows CD-ROM, you can get to the Recovery Console by booting from that CD and pressing any key when you're told to 'Press any key to boot from CD'. At the 'Welcome to Setup' screen, press r for Repair.

If Windows XP or 2000 came with your computer and you don't have a Microsoft Windows CD-ROM, the Recovery Console might be on one of the CDs the vendor bundled with your PC. But it might not. Fortunately, the Recovery Console is hidden in a free, downloadable Microsoft program called Setup Disks for Floppy Boot Install. Visit Microsoft's site to download the setup-disk file that works with XP Professional; available too is the XP Home version, which will also work for Windows 2000, Me, and 98.

When you run the download, it puts the XP installation program, including the Recovery Console, onto a set of six floppy disks. To get to the Recovery Console, boot from the first floppy, and then swap disks as prompted until you reach the 'Welcome to Setup' screen. Press r to open the Recovery Console. The Recovery Console's most useful commands are:

Command - Function
Chkdsk - Checks disks for errors. If you load the Recovery Console from floppy disks, chkdsk may complain that it can't locate autochk.exe. When it asks for that file's location, point it to c:\windows\system32.
Diskpart - Creates and deletes partitions.
Extract - Extracts files from compressed .cab archives. Extract is not available if you load the Recovery Console from floppy disks.
Fixboot - Writes a new boot sector.
Fixmbr - Writes a new master boot record.
Help - Lists the Recovery Console commands.

For detailed information on a particular command, type the command followed by a space and /?. (Not all the commands will be available if you don't have a Windows CD-ROM.)

What is a Cookie?

A cookie is a file created by an Internet site to store information on your computer, such as your preferences when visiting that site. For example, if you inquire about a flight schedule at an airline's Web site, the site might create a cookie that contains your itinerary. Or it might only contain a record of the pages you looked at within the site you visited, to help the site customize the view for you the next time you visit.

Cookies can also store personally identifiable information. Personally identifiable information is information that can be used to identify or contact you, such as your name, e-mail address, home or work address, or telephone number. However, a Web site only has access to the personally identifiable information that you provide. For example, a Web site cannot determine your e-mail name unless you provide it. Also, a Web site cannot gain access to other information on your computer.
Once a cookie is saved on your computer, only the Web site that created the cookie can read it.
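The rule that only the site which created a cookie gets it back can be shown as a small decision function. The following Python is an added example, not part of this FAQ; it applies the browser's domain, path and Secure matching to a constructed itinerary cookie like the airline example above, so a request to any other site never carries it.

```python
from urllib.parse import urlsplit

def domain_matches(host, cookie_domain):
    """True if `host` is the cookie's domain or a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_matches(request_path, cookie_path):
    """True if the request path is the cookie path or lies beneath it."""
    if cookie_path == "/" or request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path.rstrip("/") + "/")

def cookie_is_sent(cookie, url):
    """Decide whether a stored cookie travels with a request to `url`.
    All three scope checks must pass: domain, path and (if set) Secure."""
    parts = urlsplit(url)
    if not domain_matches(parts.hostname or "", cookie["domain"]):
        return False
    if not path_matches(parts.path or "/", cookie.get("path", "/")):
        return False
    if cookie.get("secure") and parts.scheme != "https":
        return False
    return True

# Constructed cookie as an airline site might set it: an itinerary id scoped to that site.
ITINERARY_COOKIE = {"name": "itinerary", "value": "XK4L9Q",
                    "domain": "airline.example", "path": "/", "secure": True}
```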

Can Cookies send information?

Absolutely Not! They are simple text files and incapable of performing any action whatsoever. They can be read and modified by the site that installed them but cannot send anything.

Are all Cookies bad?

Cookies are not always bad, and can be used for things like personalizing a site, setting personal preferences, or speeding things up on the web. For instance, the ones that remember your user name and password when you return to a site.

Microsoft's DCOM security patch leaves DCOM running, open, and waiting for malicious exploit. DCOMbobulator by Gibson Research Corporation is a 26-byte application that allows any Windows user to quickly check their system's DCOM vulnerability, then simply shut down the unnecessary DCOM security risk.

The history of DCOM: Many years ago, Microsoft began modularizing Windows and their applications by breaking them into functional components with well-defined, "version safe" interfaces. The idea was to allow pieces of Windows and applications to inter-operate. The name first given to this effort was OLE, which stood for Object Linking and Embedding. OLE suffered nearly terminal birthing pains and developed a reputation for being a bad idea. Undaunted, Microsoft renamed it COM for Component Object Model. This was still the same old OLE, but Microsoft appeared to hope no one would notice. COM fared somewhat better, but it wasn't until Microsoft gave it the name ActiveX, and built it into virtually everything, that developers finally gave up trying not to use it. Sometime after, Microsoft's industry competitors began working on a distributed object system called CORBA. Microsoft's object system was not distributed, but as we know, Microsoft quickly stuck a "D" (for Distributed) in front of COM to create DCOM, their Distributed Component Object Model. Then they crammed it into every version of Windows starting with Windows 98, even though no one needed it, wanted it, or was using it. That way they could say Windows already had a distributed component system built in.

What does DCOM do for the user?: It attracts Internet worms and permits your system to be remotely compromised by malicious hackers. There may be some custom corporate application developers who have managed to make some use of it, but mostly no one ever has. Nonetheless, it's there in Windows so that the competitors' CORBA isn't. DCOM serves no practical purpose for almost anyone and, as the entire world now knows, it creates a huge and unwarranted security risk. Therefore, it's crazy to leave DCOM running. Microsoft's DCOM vulnerability patch does fix this latest problem with DCOM. But this was not the first problem with DCOM, so there's little support for the hope that this was the last problem.

What does the DCOMbobulator do? The DCOMbobulator will help everyone to perform two tasks:

1) Verify the effectiveness of Microsoft's DCOM patch. Even though DCOM should be shut down altogether, Windows systems need all the security they can get. So verifying that the known DCOM vulnerability is not still threatening any Windows systems is important. For information about Microsoft's DCOM vulnerability patch, please see this page on Microsoft's site or search Microsoft's site for the phrase "MS03-026" to find references and help about this significant security vulnerability.

2) Shut down DCOM completely. Since no typical Windows user has ever needed to have DCOM enabled, it should be shut down immediately and disabled (after first making sure that it's safely patched when it's enabled and running). The DCOMbobulator makes this as easy as pressing a single "Disable DCOM" button. You can then restart Windows and verify that DCOM has been safely taken out of service.

Closing TCP Port 135. Three systems within Windows NT/2000/XP/2003 share TCP port 135: DCOM, Task Scheduler, and Distributed Transaction Coordinator (MSDTC). Since running any of these services will hold TCP port 135 open to accept incoming connections, they must all be stopped and disabled in order to close port 135. The DCOMbobulator disables and "unbinds" DCOM from port 135, but it does not take any responsibility for dealing with the other two services.

Under Windows 95/98/ME, disabling DCOM with the DCOMbobulator will close port 135 since the Windows Task scheduler does not use port 135 and those systems don't have the Distributed Transaction Coordinator.

Any personal firewall or NAT router will isolate a system's open ports from external intrusion, so leaving port 135 open is not a problem if your system has additional intrusion protection in place. At the same time, the best security is obtained with multi-layered security where each layer is as secure as possible. If you can determine that you do not need the Windows Task Scheduler, or that you can live without its services, you can probably arrange to completely close your TCP port 135.

MSDTC: As with DCOM, typical Windows users have no need for the Distributed Transaction Coordinator service. If it is running, it can be stopped and disabled without any negative impact on the system. But unfortunately, as we'll see, the same may not be true of the Windows Task Scheduler service.

Task Scheduler: Users of Windows XP who wish to use XP's "Prefetch" system for startup performance enhancement must leave the Task Scheduler running. Many people also depend upon Task Scheduler for timely anti-virus and other updates. For these reasons it may not be practical for you to shut down and disable the Task Scheduler. However, I wanted to provide the information for users of other Windows versions who care enough about permanently and finally closing port 135.

Settings that cannot be saved

Configure your settings the way you want them, right-click the tray icon and select Stop On-Access Protection and Exit, then restart your computer and check whether your settings have been saved. If some services were wrongly ended (killed) instead of stopped, the settings will not have been saved.
