"Better" is not the same thing as foolproof. The procedures just described will work well for getting rid of most if not all spyware on your system, detecting hidden hardcore spyware (shivas), and providing basic protection against ordinary forms of online break-ins. However, they will not prevent the more persistent forms of hacking whose goal is to plant new spyware on your computer. On a Windows system in early 2005, it is not uncommon for a system in which all of the measures in this procedure have been taken to see serious attempts at break-ins every one to two weeks.
Unfortunately, if you use your home or small business computer for high-value information such as financial transfers, patent applications, confidential corporate data, or official-use-only government data, even such "occasional" break-ins by spyware are likely to be unacceptable. If you fall into one of these high-value categories, you should consider additional measures for bringing your security up to the highest level possible.
Alternative A: Switch to a Different Operating System
One such option is to abandon Windows and replace it with an operating
system such as Macintosh, Linux, or OpenBSD, all of which are (at least at
present) significantly less subject to spyware threats. A Macintosh,
which uses the OS X operating system, is an exceptionally friendly
alternative for users who want an easy-to-use, minimal-hassle computer
environment capable of executing all major business software
applications. OS X is based on Apple's open source Darwin operating system,
which is in turn based on the popular FreeBSD,
thus making OS X a distant cousin of OpenBSD. Linux is a good
option for those who want extensive support and prefer detailed control
of their systems. OpenBSD, which its developers claim with good
evidence to be one of the most
carefully checked-over Unix-like operating systems in existence, is
an option for expert Unix technophiles who want maximum security, even
if it means greatly reduced application variety and a need for detailed
knowledge of Unix internals.
One caution: While alternative operating systems typically have a good selection of firewalls, including some outstanding ones, they are usually much weaker on virus and spyware checkers, largely because they have had so many fewer problems with spyware. Ironically, this could mean that if one of these systems does get infected, it will be harder to detect than a comparable level of infection on a Windows system. Balancing this is the observation that if you make good use of firewalls on non-Windows systems, you can reduce your risk of spyware getting into your system to a level that nicely approximates zero.
Alternative B: Maximize Windows Resistance to Hacking
The other alternative is to maximize your Windows security by (1) ensuring that you are free of spyware, (2) fully updating Windows and Internet Explorer, (3) removing any unnecessary communication programs, (4) making sure your system is invisible, or stealthed, to anyone looking at it from the Internet, (5) adding active guards to watch for changes characteristic of spyware insertions, (6) maximizing firewall protection, and (7) ensuring that every system in your local network is comparably well protected.
Step 1 is provided by the spyware removal procedure you have just completed. Remember that a simple once-over with a spyware checker is flatly not sufficient for this, since that will not remove the most deeply hidden forms of spyware (shivas).
Step 2, fully updating Windows and
Internet Explorer, was completed earlier in this spyware removal
procedure.
Step 3, removing unnecessary communication programs, is a bit of a no-brainer for critical systems. Even simple, practical programs such as time synchronization programs can cause problems, as can widely used auto-updating programs such as automated screen savers with thousands of available images. Multimedia programs, which often include their own softcore spyware, can also be problems when used online. While harmless in themselves, such programs provide well-known forms of communication that a hacker can hijack and use for alternative purposes.
Another
deeper form of removal is to use your firewall to block certain types
of Windows services that are intended primarily for use between small
groups of people who trust each other completely. Such trust is utterly
unwarranted on the modern Internet, where such services are far more
likely to be used against you than for you. Examples of services that
show up in the Sygate firewall list and can be shut off unless you know
specifically that you need them are listed under Applications. For a
simple system that lacks any special software applications, examples of
Windows services that can usually be shut off from the Internet without
causing problems include Win32 Kernel core component, Spooler Sub
System Process, Distributed COM Services, and WIN32 Network Interface
Service Process.
An interesting problem area for communications is Virtual Private Networks, or VPNs. VPNs are a very popular technique for providing secure access to business networks while using only the public Internet. VPNs increase security by encrypting (indecipherably scrambling) the data that is sent over the Internet, but they can also provide holes by which determined hackers can break into a system -- e.g., by leaving a communications process running in your computer. The best general advice for using VPNs is to make sure you have the latest possible software, and that you do not leave such tempting targets running when you are not actually using them.
For Step 4, stealthing your system, I highly recommend the Shields Up! web site, a free service by the Gibson Research Corporation. Another very good site is Sygate Online Services (SOS), which looks for many of the same issues as Shields Up! and adds testing for Trojans hidden within your system. Both the Gibson and the Sygate testing sites look for tell-tale responses when your system is queried in various ways over the Internet. It's important to realize that until you achieve a perfect score on such tests, your system is still responding to remote software and remains acutely at risk of revealing itself to the wrong people at the wrong time. A non-stealthed answer is roughly equivalent to hiding behind a bush while continuing to answer anyone who asks you the right question. With automated break-in software, it's possible to ask a lot of questions in a hurry, making even a single non-stealthed response glaringly obvious to automated hackers. The full details of stealthing are beyond the scope of this procedure, but the above two web sites will provide powerful starting points for determining where your particular system may have problems, and on what steps you should take next to resolve them.
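Before running an outside probe such as Shields Up!, it helps to see from the inside which sockets on the machine could answer at all; the following is an added example, not code from the original procedure or from Gibson or Sygate, that parses the text of Windows `netstat -ano` and flags the listeners reachable from the network, the same Windows services Step 3 suggests shutting off. The sample output and the port notes are constructed for illustration.

```python
"""Added example (not from the original procedure): list the local sockets a
remote probe like Shields Up! could get an answer from, by parsing the text of
Windows `netstat -ano`. The sample output below is constructed, not captured."""
import re
from typing import List, NamedTuple

# Constructed sample of `netstat -ano` output (Windows XP layout), not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1184
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3421      64.233.160.99:80       ESTABLISHED     2504
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1116
"""
# Well-known ports behind the services the procedure suggests blocking (DCOM, file sharing).
PORT_NOTES = {135: "RPC endpoint mapper (DCOM)", 139: "NetBIOS session", 445: "SMB"}

# UDP rows have no State column, so the state group is optional.
LINE_RE = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
                     r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")

class Listener(NamedTuple):
    proto: str
    host: str
    port: int
    pid: int
    note: str

def parse_listeners(text: str) -> List[Listener]:
    """Every listening socket in the netstat text (TCP LISTENING rows and all UDP rows)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or (m["proto"] == "TCP" and m["state"] != "LISTENING"):
            continue  # header line, or an established connection rather than a listener
        host, port = m["local"].rsplit(":", 1)  # IPv6 listeners appear as [::]:port
        port = int(port)
        out.append(Listener(m["proto"], host.strip("[]"), port, int(m["pid"]), PORT_NOTES.get(port, "")))
    return out

def exposed_listeners(text: str) -> List[Listener]:
    """Listeners not bound to loopback: these answer remote packets unless a firewall drops them."""
    return [l for l in parse_listeners(text) if not (l.host.startswith("127.") or l.host == "::1")]

if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{l.proto:<3} {l.host}:{l.port:<5} pid={l.pid:<5} {l.note}")
```

On a real machine, feed the function the captured output of `netstat -ano` instead of the sample; anything it lists that the firewall does not silently drop is what an external scanner will see.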
Step 5 was accomplished three times over by this procedure, since three of the spyware checkers you installed -- Spybot Search & Destroy with TeaTimer, GIANT AntiSpyware, and Webroot Spy Sweeper -- provide active spyware guards that look for the kinds of changes to your internal Windows settings that could indicate the insertion of spyware. Since as of early 2005 these three guards are closely comparable in fundamental capabilities, it is only necessary to keep one of them running in your system. I personally prefer to use multiple guards, but such an approach results in annoying repetitions of the same confirmation questions by all three guards whenever software changes are made to your system. The TeaTimer guard in Spybot Search & Destroy is free, and so is an easy choice for low cost. The GIANT guard is the most intelligent, figuring out many new answers based on your previous ones. While no longer available for purchase since Microsoft bought GIANT, its features should hopefully become standard in Windows XP and other versions of Windows in the near future. Finally, Webroot Spy Sweeper has fully effective guards, although its user interface is a bit more intrusive and annoying -- e.g., it leaves a window up even after you have approved a change, rather than disappearing promptly as the other guards do.
It is Step 6, the choice of a firewall, that is the single most critical to bringing break-ins down to negligible levels. With a good to very good firewall such as the free Sygate Personal Firewall, partially successful attempts to hack hardcore spyware such as CoolWebSearch, a keylogger, or a RAT into your system can be reduced to once every week or so, which is still a frighteningly high rate for high-value targets. Nightly scans can generally catch such break-ins, but if the hacker manages to get enough control of your system to transform the spyware into fully stealthed shivas, you may not realize you have been hacked until the characteristic odd behaviors of keyloggers and RATs begin to show up. (An even more drastic partial solution is to temporarily hamstring Windows by shutting down the DLLs most often used when such break-ins occur. However, this makes a very poor long-term solution because it cripples the normal operation of Windows.)
A better
approach is to find a firewall that closes even the briefest
opportunities for attack, such as when the firewall is started or shut
down. It also needs anti-hijacking features that confuse or identify
attempts to take over your communications with a legitimate site.
Based both on features and the success I've seen so far at cutting down residual break-ins to my own systems, my recommendation for this particularly critical step is that high-value users download the 30-day demo version of Sygate Personal Firewall Pro, which is a for-purchase version of the Sygate Firewall that includes several critical features not available in the free version. After installing Pro, activate all of the features listed under the Options->Security tab. You may have to temporarily deactivate some of these features for performing tasks such as VPN, since, for example, anti-IP spoofing is not compatible with some Cisco VPN login procedures. However, keeping such features active as your default results in much higher overall security and, from what I've seen so far at least, a very significant reduction in break-in attempts. If your experience with the 30-day demo version provides you with comparable results on a high-value system plagued by break-in attempts, the moderate cost (under US$50) of buying the full version of Pro should be well worth it.
I would expect that other firewalls perform similarly well, but Sygate Pro is a cost-effective way of getting features that directly address problems I've observed directly, such as spyware-related activities that occur during the security gap while the firewall is starting up or shutting down. (Examples: On multiple occasions I've seen well-cleaned Windows systems behave normally until the owner initiates a shutdown. Since during a full shutdown the firewall must also shut down at some point, a particularly "sticky" process hidden deep in the bowels of the Windows kernel can refuse to shut down until all firewalls and all logging software are down. The hidden process can then dispatch a short burst -- say less than a tenth of a second -- of selected high-priority data to a remote receiver. The giveaway to this subtle ploy is that the Windows shutdown process hangs if your system has been disconnected from the Internet. If you reconnect it, you can then watch the activity lights and see a short burst of data go out, followed by your system finally shutting down. Check your logs, though, and you will find nothing at all, because the event did not occur until all such logs were deactivated.)