Sunday, January 23, 2011

Protect Your PC from 6 Unknown Threats

Underrated computing threats you need to know about

There's the danger you know, and then there's the danger you don't know.

Most of us are rightfully wary of downloading and running programs that have no pedigree, or of performing day-to-day operations as an administrative user. But with each passing year, new security threats march in to eclipse the old — many of them not getting their share of attention until it's too late.

Threats go unappreciated for various reasons. Some seem too obscure or unlikely to be valid until they actually materialize in the wild (such as the .PDF exploits we document later on). Others are overshadowed by more widely publicized problems (e.g., the way Firefox's issues take a backseat to Internet Explorer's).

Here we'll be giving a tour of a number of lesser-advertised security issues that can bite you when you least expect it, and offering some advice on how to defend yourself.

Adobe's Vulnerabilities

The threat

Apart from Microsoft, Adobe may well be the one software maker whose programs run on every Windows-based PC out there. Nearly everyone has Flash, Acrobat Reader and/or Shockwave — and they are used by malware as delivery mechanisms. (Of course, Adobe's applications run on other operating systems as well, but it's the Windows PCs that are being targeted.) The danger comes when you use outdated versions of those programs, or current versions with unpatched bugs that are exploited as security holes.

The mechanism

One common manifestation comes when the user visits a Web site with a Flash-powered banner ad. No clicking required: as soon as the ad comes up, it delivers its payload. Sometimes it also comes in the form of one of Adobe's other products — for example, an infected .PDF document, which opens spontaneously upon visiting an ad.

The prevention

Keep Adobe products updated and don't run your system as Administrator or root if you can possibly help it — that gives malware possible access to your system settings. (Not running as an admin for day-to-day work in Windows is good advice anyway, and could easily be appended to any of the other threats listed in this article.)

Adobe does have an auto-updater for its products, but its behavior is weirdly spotty; it tends to only report updates for whatever product is currently active. If you run the updater within Acrobat, for instance, you aren't informed about updates to other Adobe products, so a certain amount of manual research is needed to make sure Flash, for instance, is current.

Another possible safety measure: Disable thumbnail previews for Acrobat documents. The thumbnail previews in Explorer generated by Acrobat were part of how one proof-of-concept exploit worked, so turning off that functionality or upgrading to a version known to be safe removes another potential source of attacks.

We would like to say that moderating one's browsing habits or visiting only "known good" sites (via mechanisms like Web of Trust) is a good idea, but we're not sure anymore. The syndication systems that serve up these types of infected ads now run on all sorts of sites. We've been hit with drive-by malware from sites that we visit regularly and which have good ratings from site-review services, so it's no longer a question of simply keeping away from the Web's poorly-lit side streets.

Some people take additional steps, such as blocking ads entirely by running a plugin like Adblock Plus, or selectively disabling scripting for sites they're dubious about by using the NoScript plugin.

Firefox's Underbelly

The threat

Firefox add-ons are a potential security hazard — not as bad as IE ActiveX plug-ins, but still a potential threat. Many Web-based attacks that target Firefox don't aim for the program executable itself. Rather, they seek to undermine add-ons — files which may not be binaries and so may not be assumed to be at risk — and the support structure for the program.

The mechanism

Most of the danger comes from add-ons that pretend to be legitimate. For example, one add-on pretended to be the Adobe Flash Player, insisted on "updating" itself and dropped malware into the system.

Attacking Firefox through its supporting files is not as well understood, though, and for that reason it's that much more dangerous. Some of the files that Firefox uses to render elements in the browser's GUI are plain-text JavaScript files, so they can be edited by any program with write access to those files. One recent hijack in this vein edits the overlay.xul file to force Web searches to be redirected.

The prevention

One would think that antivirus programs would be a good first line of defense, but they have a spotty record of detecting things like this. For instance, the overlay.xul attack described above was still being ignored by many prominent antivirus engines (Symantec, Panda, Kaspersky, Trend Micro) even after a month of being in the wild. The SANS researchers who examined this threat ran it through an online virus-scanning service and were dismayed at how few applications flagged it as malicious.

One possible workaround is to use a non-installed version of Firefox such as Mozilla Firefox Portable Edition, which can run in any directory or even from a removable drive. If the program becomes infected, it can be kept segregated from the rest of your applications, and is easier to clean up and reset without damaging your user data. (Another possible workaround is to use a different browser entirely, but that might be more effort than it's worth.)

QuickTime Concerns

The threat

We sometimes forget that there are Apple products on the Windows PC — and those need to be regarded with the same sort of scrutiny as any other application. A big part of the concern is, again, ubiquity: Many PCs have QuickTime or iTunes installed, and most of us don't think of those things as potential security holes. However, various exploits have been documented in both the Mac and PC versions of QuickTime.

The mechanism

Two examples: In 2007, a nasty buffer overflow exploit affected just about every extant version of QuickTime in both Windows and Mac machines. And another bug was found in 2008 with similar properties. (Want more examples? Search US-CERT using the keyword "QuickTime" to see many more such exploits.)

The prevention

Apple does have an automatic updater for its software in Windows, so PC users should keep QuickTime updated. Also, keep the number of file types associated with QuickTime itself to a minimum — most people just use it to play QuickTime files and nothing else anyway, so this helps limit the available attack surface.

Obfuscated URLs

The threat

URL-shortening services like bit.ly or is.gd have become all the rage with the rise of Twitter and Facebook. They're also a great way to slip someone a digital Mickey Finn: What better way to hide an attack than to not even let people know the actual URL they're clicking on?

The mechanism

URL shorteners generally perform no safety checking on the links they process. Also, shortened URLs tend to be passed around from user to user without much thought for whether or not they've been sanitized. Consequently, someone can pass you a direct link to malware or to an infected site, and folks with a blind click-first reflex may end up taken somewhere they don't want to go.

The prevention

LongURL is a site that lets you paste in a short URL and expand it to see if you're dealing with something malicious. If copy-and-paste is too much hassle, they also provide an add-on version of the service for Firefox, which shows you the long version of the URL when you hover over a shortened link. LongURL also offers a set of APIs that can be integrated with things like jQuery, so people who integrate link-shortening tools into their own sites or programs can make use of such tools, too.

In addition, many Twitter clients — such as TweetDeck and Mixero, to name two — have a preview function that shows the long form of a shortened URL so that you can see what you're about to click on.
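As an added example (not part of the original article, and not LongURL's own code), here is the kind of check such a preview tool performs: walk a shortened link's redirect chain with HEAD requests, never fetching a page body, and report every hop plus how the walk ended. The short.example and loop.example hosts and the redirect table are constructed so the logic runs offline; with a real shortened URL, `expand_url(url)` uses the network.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

class _NoFollow(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects: each 3xx comes back to us as an HTTPError.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_location(url, timeout=5):
    """One HEAD request. Returns the Location header of a 3xx reply, else None.
    No body is ever fetched, so the link is inspected rather than visited."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout):
            return None  # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None  # 4xx/5xx: the chain ends here

def expand_url(url, locate=http_location, max_hops=10):
    """Walk the redirect chain and return (chain, status), where status is
    'final', 'loop' or 'too_many'. `locate` is injectable so the walk can be
    exercised offline against a constructed redirect table."""
    chain = [url]
    for _ in range(max_hops):
        location = locate(chain[-1])
        if location is None:
            return chain, "final"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            chain.append(nxt)
            return chain, "loop"
        chain.append(nxt)
    return chain, "too_many"

# Constructed redirect table standing in for live shortener services.
FAKE_HOPS = {
    "http://short.example/x1": "http://short.example/x2",
    "http://short.example/x2": "/go",
    "http://short.example/go": "https://landing.example/real-page",
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}

def fake_locate(url):
    return FAKE_HOPS.get(url)
```

Comparing the first and last hosts in the returned chain is what tells you the innocuous-looking short domain is not where you would end up.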

DNS Poisoning

The threat

DNS servers map between human-friendly domain names (www.myfunsite.com) and raw Internet addresses (such as 12.94.65.175). With a little work, the information provided by some DNS servers can be hijacked or misdirected — "poisoned" — allowing an attacker to send someone to any Web site they choose.

The mechanism

The most common DNS poisoning attacks exploit flaws in DNS server software to allow fake name-resolution data to be sent to clients. One of the worst examples of DNS poisoning surfaced in 2008, when computer researcher Dan Kaminsky demonstrated how domains could be redirected with the then-current version of BIND, the software that most servers use to perform DNS resolution. The end result: You can hijack an entire domain — including its subdomains, its mail servers (MX entries), its SPF records and everything else that can be stuffed into its DNS resources.

The prevention

In this case, prevention is mostly up to the people running domain name services. Admins should update to the most recent version of BIND, which is much more skeptical about the data it receives and performs more thorough cross-checking to prevent poisoning.
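One of the sanity checks a "skeptical" resolver applies before caching anything is the bailiwick rule: a nameserver is only believed about names inside the zone it was asked about. The code below is an added illustration in plain Python, not BIND's code, and the reply it filters is constructed with documentation addresses and a made-up zone; this rule complements, rather than replaces, the 2008 fix of randomising query source ports.

```python
# Record = (owner name, type, rdata). Addresses are from documentation ranges.

def _fqdn(name):
    """Normalise a DNS name: lower-case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def in_bailiwick(owner, zone):
    """True if owner is zone itself or lies beneath it.
    The leading dot matters: notexample.com. is NOT under example.com."""
    owner, zone = _fqdn(owner), _fqdn(zone)
    if zone == ".":          # the root covers everything
        return True
    return owner == zone or owner.endswith("." + zone)

def filter_response(records, zone):
    """Split a response into records a cache may keep and records it must drop.
    `zone` is the bailiwick of the server that was asked, i.e. the zone it is
    authoritative for; anything it says about other zones is hearsay."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return kept, dropped

# Constructed reply to "www.example.com A?" sent to example.com's nameserver,
# with two records smuggled in that try to seed the cache for other names.
SAMPLE_RESPONSE = [
    ("www.example.com.", "A", "192.0.2.10"),          # answer
    ("example.com.", "NS", "ns1.example.com."),       # authority
    ("NS1.EXAMPLE.COM.", "A", "192.0.2.53"),          # glue, case differs
    ("www.bank.example.", "A", "203.0.113.66"),       # another zone: drop
    ("notexample.com.", "A", "203.0.113.7"),          # look-alike: drop
]

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_RESPONSE, "example.com")
    for rec in dropped:
        print("rejected out-of-bailiwick record:", rec)
```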

If you have doubts about the validity of your DNS hosting, you can test it through the DNSStuff.com toolset. Its DNSreport Demo (free for regular users; the full non-demo version is for-pay) lets you check the results of DNS resolution for common domain names from your servers. If you suspect your DNS servers are dodgy or compromised, you can always use a different one by editing your TCP/IP settings or by setting your in-house router (if you use one) to resolve to another server. The Google Public DNS service might come in handy here, since Google claims its DNS is less vulnerable to poisoning.

In-house Router Attacks

The threat

Attacks on home networking hardware have been rare, but are garnering more attention. Back in 2006, a couple of Indiana University researchers talked about how home routers could be attacked and used to steal personal information. Since then, the attack they described has shown up in the wild.

A simple attack might consist of nothing more than changing the DNS server used by the router — which in itself can be used to leverage a whole slew of other attacks. A more complex attack could involve modifying the programming in the router to forward encrypted traffic, log passwords or make changes to the machines attached to the router by exploiting known security issues there.

The mechanism

Home routers are designed to be plugged in and used with minimal interaction. That makes any bugs in their design less obvious to casual users — and all the more enticing to crackers, who pound on such devices constantly to find ways in.

The most malicious home router attacks require some degree of user participation to be pulled off. The word "participation" in this context simply means all a user has to do is be tricked into clicking on the wrong link. Other attacks may be much simpler — e.g., guessing the router's password or forcing a denial-of-service attack that knocks the user offline.

The prevention

When you set up a new router, do four things:

  1. Reset it to its factory state, even if you think it's fresh out of the box.
  2. Update it with the latest firmware available for the device.
  3. Reset the default password (and use a secure password that doesn't just consist of a single word that can be found in the dictionary or easily guessed).
  4. Turn off all features that allow the device to be administered from anything other than another device plugged directly into the router.

The above advice goes double if you pick up a used router from someone else — those should be flushed and reconfigured from scratch. Also, any wireless router that doesn't support WPA or WPA2 should be taken out of service if at all possible, or used for wired connections only. WEP passwords can be cracked in minutes; full tutorials for how to do this are readily available. WPA should also be toughened by setting the key interval to a relatively short period of time (20 minutes or less).

Finally, bear in mind that your router's firmware should be checked for updates the same as any other piece of software. And because this typically isn't something that can be automated, end users have to make the time to do it themselves. It's a good idea to set a reminder in your calendar to check for updates every three or four months.

1 comment:

  1. Unfortunately, there will always be files that are unknown to the system. Some of these files will in fact be threats. That is the great flaw in most security, dealing with the unknown threats.

    https://enterprise.comodo.com/security-solutions/unknown-threats.php