December 4, 2010
The highest number of spam-spewing
computers is in the U.S. -- Is yours one of them?
If you're like most people, despite spam filters,
your inbox is full of spam advertising fake Rolexes, fake pills
from fake Canadians, fake diplomas, fake girlfriends who want to
have fake sex, etc. It's all illegal. How do they get away with
breaking the law so flagrantly?
Part of the reason is that "they" are
usually in countries like Russia, where spamming and scamming is
legal, as long as the victims aren't Russian. But how much spam
can they send before people stop accepting email from their computers?
Can't everybody get together and block them?
We can, and we do, using "blocklists"
like those maintained by groups like Spamhaus,
Honey Pot. So why hasn't it stopped the spam?
The problem is that spammers don't have to mail
from their own computers. They can mail from other people's computers.
They can mail from yours.
How do they do that? By using malware (bad software,
like computer viruses). The malware they usually use is called a
horse. Like the famous gift from the Greek army, the victim
has to allow it past their defenses. Once inside, it opens the doors
from the inside and allows in all its little friends.
Trojans also may be "root kits." That
means they insert themselves into the Windows system files that
launch early in the boot process, so early that they are already
running before your antivirus program launches. They can then evade
detection and even inactivate the antivirus.
Having an up-to-date antivirus program is an important
way to prevent getting a Trojan, because they are a huge pain to
remove once they are installed. But even the very best antivirus
cannot detect all malware. The malware authors are constantly changing
their code to vary the parts that are detected by AV programs. For
an AV program to detect 95% of trojans on the first day they are
released is an excellent record, and most
don't do that well. But even 95% success means that 1 in 20
new infections slip in unnoticed.
Using common sense, being suspicious about things
that arrive in email, being careful about the source of downloaded
files (and avoiding illegal downloading), avoiding
the use of the Internet Explorer browser and using a browser
unless you specifically enable them -- all those measures help.
But even the most astute person can be fooled if a spammer knows
personal details about him, or if the spammer just gets lucky guessing.
You have to consider the possiblity that your computer is already
infected with a Trojan.
Wouldn't you be able to tell? Wouldn't it be running
slow? Actually, it may not. The criminals trying to seize control
of computers don't want you to get suspicious. They don't want you
to get your computer checked for trouble. They may even remove other
people's malware to prevent your computer slowing down. They want
to have more control over your computer than you do.
Some malware can make itself invisible by removing
itself from directories and concealing itself from programs. But
some of the most common ones prey on people that don't know how
to look for malware. They can be detected easily if you know how
One of the most important ways is to look for attempts
to make internet connections to outside computers. A Trojan can't
send spam, steal your passwords or identity data, or receive instructions
from the criminals controlling it unless it can make an internet
connection to another computer.
PC users are used to their computers doing things
automagically. They just launch a program and see websites from
all around the world. But there are a lot of background processes
going on, and there are ways to reveal what is actually happening.
Microsoft distributes a free program called TCPview.exe
that will show the internet connections your computer is making.
That means that except for the cleverest Trojans, you can watch
the Trojan actually contacting outside computers and receiving instructions
from "command and control" centers.
To use it, download the tcpview.zip file to your
desktop. Then shut down your browser and as many other programs
as you can, as even programs you aren't using may be keeping internet
connections in the background to check for updates. Launch tcpview.zip
and tell it to run. (If it tells you you need to buy a program like
WinZip or WinRAR to open it, right-click the zipped folder instead
and choose "Extract all" to use the decompression utility
built into Windows.) You'll have to click "yes" to a few
more dialog boxes, but it is safe to do so.
Once it launches, you will see a list of all the
internet connections open on your computer. As new ones open, they
will be green, and as they close they will remain visible in red
for a while.
If you have shut down all the usual internet programs,
there shouldn't be too much activity. There may be some persistent
connections to things like Facebook and Google after your browser
has closed, but you don't want to see connections to computers in
countries in eastern Europe and Asia, you don't want to see connections
that use port 25 or smtp, and you don't want to see a lot of ongoing
green and red activity when the computer should be dormant.
How do you know where the "remote" computers
are located? Copy their IP addresses (numbers that are four sets
of numbers from 0-255, for example "22.214.171.124") and
paste it into the whois lookup at LACNIC.
Don't worry about anything that starts with "192.168.xxx.xxx"
or "127.0.xxx.xxx," as those are numbers given to your
own computer or computers inside your own network.
Suppose your tcpview lights up like Times Square
on New Years Eve? How do you make it stop? The first thing you can
do is install a firewall. Although Windows includes one, it only
stops incoming traffic, and it won't stop anything the Trojan has
invited in. You need one that stops outgoing traffic, like the free
download from Comodo.
Then you can get help from a site like Spywarehammer.com
where experts will guide you through the Trojan removal process.
Be prepared for it to take time, as they are far more difficult
to remove than to prevent.
Example of TCPview.exe screen: Green entries are new connections.
Remote address 126.96.36.199 is Naunet.ru, in Russia. The port
is "http" since I have it open in my browser, Firefox.
(Port 80 is also a browser.) Port 25 or smtp would mean outgoing
email. If you don't recognize the programs on the left, you can
right-click and look at properties. If I hadn't had my browser open,
there would still be connections, but only occasional green lines
showing new connections opening.