Minghui.org (www.minghui.org)

Computer Security Case Study and Recommendations (Part 1)

July 23, 2008 |   By overseas Dafa practitioners

(Clearwisdom.net) Editor's Note: The following article discusses security issues that are of concern to all of us. While the article suggests a course of action that anyone using a Microsoft Windows computer can use to help thwart these security threats, it should also be pointed out that the best approach may be to stop using Windows as your operating system. Apple computers running Mac OS X are inherently much more secure than Windows-based systems, and don't require the steps recommended below to be implemented to remain secure. The same can be said for systems running Linux. Linux can be run on virtually any computer that currently runs Windows, while Mac OS X will run only on computers manufactured by Apple. It should also be noted that for most users, implementing the switchover from Windows to Linux can be difficult, time-consuming and frustrating. Hopefully the more technically savvy practitioners out there will consider this issue and suggest some helpful time-saving guidelines for those of us considering a switch to Linux.

Many practitioners, particularly those living outside China, have not paid enough attention to computer security. As a result, many of our computers have been infected with a virus created by the Chinese Communist Party (CCP), one that targets us directly, and much data has been stolen. Some e-mail accounts were compromised for long periods before anyone noticed. Keylogger Trojans were installed on some computers as well, so that passwords and other sensitive information were logged and stolen. This has caused huge losses.

A case study is presented in Section One, below, followed by a summary of recommended solutions for Windows computer users in Section Two.

Computer security issues are key aspects in our efforts during Fa rectification. All practitioners who use computers to do Dafa work should deal with these issues seriously. Let us also truly keep righteous thoughts and righteous actions.

Section One: Case Study: Infections on a Windows Computer Due to Visiting a Web Page Containing Malicious Code

There is a popular news site where some of the web pages were infected with malicious code. Under certain conditions the malicious code is executed on the visitor's computer. As a result, the computers of many people visiting the site were infected with Trojans, and the computer users' information was captured and stolen. Let's take a look at the entire process, as it provides hints about how we should guard against similar attacks.

This malicious code exploits a vulnerability in Microsoft Internet Explorer (described in Microsoft Security Bulletin MS06-014, a flaw in the Microsoft Data Access Components (MDAC) that a web page can trigger through an ActiveX control). Many malicious web pages target vulnerabilities in Internet Explorer, which is one reason we recommend the Firefox browser (its latest version can be downloaded free from http://www.mozilla.com); note that Firefox has security updates of its own and must be kept current as well. Microsoft fixed this vulnerability in 2006 and the patch is delivered through Windows Update. On a computer with the latest Windows updates installed, this particular malicious code could not run, and the infection described below would have stopped at this first step.

We therefore urge everyone to keep their Microsoft Windows computers updated and all critical patches installed. Selecting "download and install updates automatically" in your computer's Control Panel is the easiest way to ensure that Windows updates are installed in a timely fashion. (see below for more on updating Microsoft Office products)

When executed, this malicious code downloads a Trojan installer from a web page controlled by the attacker. A software firewall that watches outgoing connections per program will alert when a program it has not seen before tries to connect to the Internet. An alert of this kind is how the malicious code on these popular websites was originally discovered.

We therefore recommend everyone install a software firewall and pay close attention to firewall alert messages.

The malicious code saves the downloaded Trojan installer into the system directory (C:\Windows\System32\) and executes it from there. If the current Windows user is not an administrator of the system, Windows rejects the attempt to write to the system directory, the code fails at this step, and the Trojan installation stops. (This protection is specific to malware that insists on writing to system locations; a program that writes only to the user's own profile would not be blocked this way, which is why the firewall and anti-virus measures below are also needed.)

We therefore recommend everyone use non-administrator user accounts for everyday work, and only switch to an administrator account to perform those tasks that require administrator privileges. This can be conveniently set up by establishing a new account with administrator privileges, and then removing administrator privileges from your existing account login. You may then continue to use your existing account login (and its familiar settings) for everyday work.
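The account change described above can be done from the command line. The following is an added example, not part of the original article: it assumes a standalone Windows computer with local accounts, and the name 'LocalAdmin' for the new administrator account is an assumption. Run it from the account that currently has administrator rights.

```powershell
# Added example (not from the article): create a separate administrator
# account and demote the everyday account to a standard user.
# Run this once from an account that is currently an administrator.
# The account name 'LocalAdmin' is an assumption; choose your own.
$adminName = 'LocalAdmin'
$dailyName = $env:USERNAME    # the local account you log in with every day

# 1. Create the new administrator account and set its password.
#    The '*' makes 'net user' prompt for the password instead of
#    leaving it on the command line (and in the command history).
net user $adminName /add
net user $adminName *
net localgroup Administrators $adminName /add

# 2. Confirm the new account really is an administrator before touching
#    your own account; otherwise you could lock yourself out of
#    administrative tasks entirely.
$isAdmin = net localgroup Administrators | Where-Object { $_.Trim() -eq $adminName }
if (-not $isAdmin) {
    throw "$adminName was not added to Administrators; stopping before demoting $dailyName."
}

# 3. Take administrator rights away from the everyday account. Membership
#    in 'Users' is all a standard account needs for normal work.
net localgroup Administrators $dailyName /delete
net localgroup Users $dailyName /add

# 4. Show the result. The change takes effect at the next logon.
net localgroup Administrators
net localgroup Users
```

After the next logon the everyday account is a standard user and keeps all of its settings. When something needs administrator rights, right-click it and choose "Run as..." (Windows XP) or supply the LocalAdmin password at the elevation prompt (Windows Vista); do not log in as LocalAdmin for browsing or e-mail.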

Now suppose the Trojan installer was saved successfully. If the user's computer had Avira AntiVir ("red umbrella") anti-virus software installed, AntiVir would prompt with an alert that this file was a Trojan installer.

AntiVir is anti-virus software whose Personal edition is free for home use, and it uses very few system resources. We recommend that everyone install it.

AntiVir also detects many malicious Word documents and PDF files. The latest version can be downloaded from http://free-av.com/.

If the Trojan installer runs successfully, it then tries to install a second Trojan program and register it as a system service. The program is installed under the program files directory (normally C:\Program Files\); writing there requires administrator privileges, so with a non-administrator account, as recommended above, the installation fails at this step. Creating a system service also requires administrator privileges, so that too fails, and the Trojan installation fails as a whole. AntiVir detects this Trojan program as well, so on a computer with AntiVir installed the second stage would also have been stopped.
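To see whether a service of this kind is present on a computer, one can list the installed services together with the signature status and creation time of their executables. This is an added example, not code from the article; it assumes Windows PowerShell 2.0 or later and should be run from an administrator account so that every executable path is readable.

```powershell
# Added example (not from the article): triage the installed services.
# A Trojan that registers itself as a service, as in the case above, shows
# up here as a service whose executable is unsigned and recently created.
# Read-only. Assumes Windows PowerShell 2.0 or later.

function Get-ServiceExePath($pathName) {
    # Win32_Service.PathName is the full command line, e.g.
    #   "C:\Program Files\Foo\foo.exe" -service
    #   C:\WINDOWS\system32\svchost.exe -k netsvcs
    # Return just the executable path.
    if ($pathName -match '^"([^"]+)"') { return $Matches[1] }
    return $pathName.Split(' ')[0]
}

$report = Get-WmiObject Win32_Service | ForEach-Object {
    $exe = Get-ServiceExePath $_.PathName
    $sigStatus = 'FileMissing'
    $signer = ''
    $created = $null
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $sigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $created = (Get-Item -LiteralPath $exe).CreationTime
    }
    New-Object PSObject -Property @{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        Path      = $exe
        Signature = $sigStatus
        Signer    = $signer
        Created   = $created
    }
}

# Newest executables first: an unsigned service executable that appeared
# recently and is set to start automatically deserves a closer look.
$report | Sort-Object Created -Descending |
    Format-Table Created, Name, StartMode, Signature, Path -AutoSize

"Services whose executable is unsigned, tampered with, or missing:"
$report | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Name, StartMode, Signature, Signer, Path -AutoSize
```

An unsigned service is not proof of infection (older legitimate software is often unsigned) and a valid signature is not proof of safety; the list is a starting point for deciding which files to check against anti-virus software or to submit to the vendor.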

If the Trojan is installed successfully, it monitors the user's keyboard and records every keystroke: all the sites visited, the user names and passwords used to log into e-mail accounts, and the credit card numbers used for online transactions such as buying airline tickets. We recently found a Trojan that had recorded the full process of looking for and buying airline tickets. It recorded all of the user's keystrokes, including two credit card numbers, a home address, and e-mail account information. It also recorded how this user logged into another web site's editor account, which led to leakage of information from that site.

Section Two: Summary of Recommendations

Based on the case study above, the following points should be emphasized for all users of computers running the Microsoft Windows operating system.

1. Many public web sites we visit have been compromised, so we must protect our computers at all times

Over the last several years, such invasions have been reported every few months on average.

2. Preventative measures to be taken

The following measures can prevent computers from being compromised.

A. Use a non-administrator account to perform daily work. The operating system will then prevent viruses and Trojans that run under that account from modifying or adding system files, writing to the program directories, or installing services.

B. Install an adequate software firewall (such as ZoneAlarm) and an anti-virus program (such as AntiVir). The firewall blocks and reports unfamiliar attempts to connect to the network; the anti-virus program recognizes known Trojans and viruses and stops them before they run.

C. Keep your operating system (Windows) and other software (such as Office and Adobe) updated in a timely manner. Most security holes will then be patched before viruses and Trojans can take advantage of them.

How can we easily determine which software needs to be updated? Secunia PSI is a well-known free security program. It can help track the software patches as they are issued, and help you patch the programs. Clearwisdom.net had an article on this topic: "Find and Correct Security Gaps in the Software on Your Windows Computer With Secunia PSI" (http://en.minghui.org/emh/articles/2008/7/9/98815.html)

In addition, automatic updates are available for some programs. For example, Microsoft offers two automatic update systems, named "Windows Update" and "Microsoft Update." "Windows Update" will only update the Windows operating system, while "Microsoft Update" updates all Microsoft software, including the Windows operating system, and all Office products (Word, Excel, etc.), etc. Please be sure to use Microsoft Update to keep all Microsoft software up to date.

D. The Firefox browser and Thunderbird e-mail software are recommended in lieu of the Microsoft Internet Explorer (IE) browser and Outlook e-mail software. Most malicious web pages of the kind described above target IE, so switching removes a large part of the attack surface; Firefox and Thunderbird still need their own updates installed promptly.

Measures A, B, and C (above) are all compulsory to ensure adequate security. Measure D is strongly recommended.
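The following added script (not from the article) checks measures A, B and C on the local computer so that each can be verified rather than assumed. It assumes Windows PowerShell 2.0 or later on Windows XP SP2 or newer, where the Windows Firewall (HNetCfg.FwMgr) and Windows Update Agent (Microsoft.Update.*) COM interfaces and the Security Center WMI namespaces are present; the Microsoft Update ServiceID it looks for is the one Microsoft publishes for that service.

```powershell
# Added example (not from the article): read-only audit of measures A, B and C.
# Assumes Windows PowerShell 2.0+ on Windows XP SP2 or later.

$findings = @()
function Add-Finding($check, $ok, $detail) {
    $script:findings += New-Object PSObject -Property @{ Check = $check; OK = $ok; Detail = $detail }
}

function Get-SecurityCenterNames($class) {
    # Windows XP exposes root\SecurityCenter; Vista SP1 and later root\SecurityCenter2.
    $products = @()
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $products += @(Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue)
    }
    return @($products | ForEach-Object { $_.displayName })
}

# A. Is the account you are logged in with a member of the local Administrators
#    group? Compared against 'net localgroup' rather than the process token, so
#    the answer is the same whether or not the session is elevated under UAC.
#    (Membership inherited through a domain group is not detected this way.)
$identity     = [Security.Principal.WindowsIdentity]::GetCurrent()
$shortName    = $identity.Name.Split('\')[-1]
$adminMembers = net localgroup Administrators | ForEach-Object { $_.Trim() }
$isAdmin      = ($adminMembers -contains $identity.Name) -or ($adminMembers -contains $shortName)
Add-Finding 'A: everyday account is not an administrator' (-not $isAdmin) $identity.Name

# B. Firewall: Windows Firewall state and alert setting for the active profile,
#    plus any third-party firewall (e.g. ZoneAlarm) registered with Security
#    Center, which usually turns the built-in firewall off when it takes over.
try {
    $fwProfile = (New-Object -ComObject HNetCfg.FwMgr).LocalPolicy.CurrentProfile
    $thirdParty = @(Get-SecurityCenterNames 'FirewallProduct')
    $fwOn = ($fwProfile.FirewallEnabled) -or ($thirdParty.Count -gt 0)
    Add-Finding 'B: a firewall is enabled' $fwOn "WindowsFirewall=$($fwProfile.FirewallEnabled) ThirdParty=$($thirdParty -join ', ')"
    Add-Finding 'B: Windows Firewall alerts not suppressed' (-not $fwProfile.NotificationsDisabled) ''
} catch {
    Add-Finding 'B: firewall state' $false "HNetCfg.FwMgr not available: $_"
}

# B. Anti-virus: products registered with Security Center.
$av = @(Get-SecurityCenterNames 'AntiVirusProduct')
Add-Finding 'B: an anti-virus product is registered' ($av.Count -gt 0) ($av -join ', ')

# C. Automatic Updates set to download and install, and Microsoft Update (not
#    just Windows Update) registered so that Office and other Microsoft
#    software are covered too.
try {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = $au.Settings.NotificationLevel    # 4 = download and install automatically
    Add-Finding 'C: Automatic Updates install automatically' ($level -eq 4) "NotificationLevel=$level"

    $muId = '7971f918-a847-4430-9279-4a52d1efe18d'   # ServiceID Microsoft publishes for Microsoft Update
    $mu = (New-Object -ComObject Microsoft.Update.ServiceManager).Services |
          Where-Object { $_.ServiceID -eq $muId }
    $muOk = ($mu -ne $null) -and $mu.IsRegisteredWithAU
    Add-Finding 'C: Microsoft Update registered' $muOk $(if ($mu) { $mu.Name } else { 'not registered' })
} catch {
    Add-Finding 'C: Windows Update agent' $false "COM interface not available: $_"
}

$findings | Format-Table Check, OK, Detail -AutoSize
```

Every row should read OK = True. A False under A means the account in use still has administrator rights (see measure A); a False for Microsoft Update means only Windows itself is being patched automatically, and Office and the other Microsoft products are not.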

3. What to do if your computer has already been compromised.

The techniques used by modern Trojans are very complex. For most of us, re-installing the operating system, including formatting the hard disk, is the only feasible way to ensure complete recovery. Because a keylogger may have captured everything that was typed, also change the passwords of all e-mail and web site accounts afterwards, from a computer you trust, and when copying data back restore documents only, not programs.

In subsequent articles, we will continue to analyze some typical cases of network security. We will recommend technical measures to prevent security compromises and how to deal with them if they occur. Feedback is welcome.

(Part 2 available at: http://en.minghui.org/emh/articles/2008/7/24/99202.html)