Computer Security Case Study and Recommendations (Part 2)
Part 1 available at: http://en.minghui.org/emh/articles/2008/7/23/99177.html
(Clearwisdom.net) Many practitioners, particularly those living outside China, have not paid enough attention to computer security. Accordingly, many of our computers have become infected with a virus created by the Chinese Communist Party (CCP); a virus that targets us directly. As a result, much data has been stolen. Some e-mail accounts have been compromised for long periods of time without being noticed. Key-logger Trojans were installed on some computers as well, resulting in the passwords and other sensitive information being logged and stolen. This has caused huge losses.
Following up from Part 1 of this series, a second case study is presented in Section Three, below, followed by a summary of recommended solutions for Windows computer users in Section Four.
Computer security issues are key aspects in our efforts during Fa rectification. All practitioners who use computers to do Dafa work should deal with these issues seriously. Let us also truly keep righteous thoughts and righteous actions.
Section Three: Case Study #2: Opening Email Attachments
The wide use of email has made email a target for attacks by CCP authorities. A common way of attacking email is to include seemingly innocent links in email messages which lead to websites containing malicious code. If you click on the links your computer could be infected. This was discussed somewhat in our last article.
Another common attack is sending an email with an attachment that contains a virus. We have found that documents in Word (DOC, RTF) or Adobe Reader (PDF) formats can carry viruses, and other less-common documents such as Excel (XLS) and PowerPoint (PPT) can also carry virus Trojans. Once an infected attachment is opened, under certain conditions the virus in the document will be executed immediately. This results in a Trojan being installed on the computer and used to steal the user's information. Let's now take a look at some cases and see what we can to do to prevent such attacks.
Attachments with viruses usually have a subject that is carefully crafted to gain widespread attention. The following are some examples:
Unnecessary DOC/RTF Attachments
From: "Feng Yubao"
Subject: Breakthrough in the Canadian Falun Gong practitioners' lawsuit against Jiang Zemin
Attachment: MHReport 1.doc
This email took advantage of the fact that we were all concerned about the progress of the lawsuit. This kind of email is relatively easy to identify, because you don't know the sender and may ask yourself, "Why would this person send me the attached document? If the news is true, it would be posted on a Dafa website, so why would I need to read the attachment?" This suggests that the attachment probably contains a virus and you should delete it.
The following is a recent case:
From: <familiar name>
Subject: Urgent notice: Practitioners back from Flushing, please keep record of the violent atrocities!
Date: Thu, 19 Jun 2008 08:43:14 +0800
Attachment: Urgent notice.doc
This email is very deceptive, because the spoofed sender is someone everyone knows, and everyone also knows that this person was indeed in Flushing.
There have been many emails similar to this one. CCP hackers often pretend to be a well known practitioners, often those widely known to represent our media organizations, and send out virus-infected emails with subjects that practitioners are concerned about.
There is however, a common questionable point about such emails. Short notices can be spelled out clearly in the body of the email, so there is rarely any need for an attachment. Even if an attachment is needed, the size of the document should be rather small. In this case the virus-infected attachment was relatively large, as the virus itself was contained in the document.
Even if you are not aware of these questionable points, practitioners who have not been to Flushing have no need to open an attachment so-labelled, out of mere curiosity.
AntiVir anti-virus can detect the virus in the attachment. If you have updated your Microsoft Word software (Office 2003 Service Pack 3 or Office 2007 Service Pack 1 from Microsoft Update), the virus in the attachment would not be effective. If you were using a non-administrator Windows account, the virus in the attachment would also not be effective.
Unnecessary PDF Attachments
In the past, PDF (Adobe Reader) documents did not contain viruses, but this is no longer the case. PDF documents now may be infected with Trojan horse viruses. CCP hackers have taken advantage of our trust in PDF documents, and many PDF documents on a particular website were once even replaced with virus-laden versions.
The following is a pdf email example:
From: <media person>
Subject: Urgent notice: NY urgently needs reporters from other places
Date: Tue, 3 Jun 2008 11:46:16 -0800
The email appears to be from a responsible media person, while in fact the email "From:" address was falsified. The content of the notice conforms with the focal news at the time that everyone was concerned about. Although the message seems legitimate on the surface, there is nonetheless a suspicious point: Such a notice does not need an attachment. Practitioners should not open such messages.
AntiVir can detect the virus in the attachment, and if you had installed the latest Adobe Reader software update, the virus in the attachment would not be effective. If you were using a non-administrator Windows account, the virus in the attachment would also not be effective.
If you are not sure if the attachment has a virus, you can contact the sender to verify that he/she actually sent the email. You can also upload the attachment to http://www.virustotal.com/ for a check-up. This website uses 32 anti-virus software tools to check the uploaded document for viruses.
Let's assume the following conditions exist: Adobe Reader has not been upgraded (this is quite common), you are using a Windows administrator account (the vast majority of users are using administrator accounts), and AntiVir anti-virus has not been installed. Then, when the PDF document is opened, you will notice the computer freeze up, it may show an almost empty document, or the screen may flash a few times. When this happens, the virus contained in the document has in fact become active. It will produce a temporary Trojan horse installation program in the system directory and execute it. The result of the execution is that more documents will be created in the system directory, and a Trojan horse service program will be installed, so that each time the computer is switched on, a Trojan horse program will monitor the user's keystrokes.
If you were simply using a non-administrator Windows account, all these Trojan horse operations would fail.
If the Trojan is installed successfully, it will monitor the user's keyboard, recording every keystroke, and all the sites visited, as well as user names and passwords used for logging into email accounts, and credit card numbers used for online transactions, such as buying airline tickets. We recently found a Trojan that had recorded the full process of looking for and buying airline tickets. It recorded all of the user's keystrokes, including two credit card numbers, home address, and email account information. It also recorded how this user logged into a website editor's account, which led to leakage of information from that site.
We believe it is very likely that the hacked computer was used to attack other Dafa websites and data servers.
Therefore, especially for those who are engaged in Dafa projects and directly log into project servers, raising your security awareness and taking relevant prevention and emergency measures is not only a matter of individual cultivation.
If you are too busy with the work at hand, please realize that this is a matter that directly affects the security of Dafa websites as a whole. It is, in fact an issue of being responsible to Dafa. Please pay attention to the issue!
Section Four: Summary of Recommendations Regarding Email Attachments
Based on the above analysis, we would like to emphasize the following three points:
1. Email attachments can be very dangerous, and the attachments sent by CCP hackers are very deceptive. Don't open any attachment that has nothing to do with you.
If unsure, please contact the sender to verify that he/she sent the email. You can also upload the attachment to http://www.virustotal.com/ for a check-up.
2. The following simple protection measures are recommended to avoid losses due to email attachments:
A. Use a non-administrator Windows account to perform daily work. The Windows operating system will then prevent viruses and Trojans from modifying or adding system files.
B. Install anti-virus software (such as AntiVir) to block virus-infested documents.
C. Update the Windows system and software such as Office and Adobe Reader (with Microsoft Update and Secunia PSI).
For more detail on how to implement these measures, refer to Part 1 of this series.
3. What to do if your computer has already been infected
The techniques used by modern Trojans are very complex. For most of us, re-installing the operating system, including formatting the hard disk, is the only feasible way to ensure complete recovery.
In the articles to be published later, we will continue analyzing typical Internet security cases and provide some common measures for dealing with intrusion incidents. We welcome more feedback from the readers.