NEWS AT SEI
This library item is related to the following area(s) of work: Security and Survivability
This article was originally published in News at SEI on: December 1, 2003
The day’s chores are done and you’re ready to sit down at your home computer to do a little recreational web surfing and to catch up with your online friends. As you log in, you notice that your modem’s transmit and receive lights are on almost all the time. You soon discover that almost everything is running slower and slower with each new program you start. And some of those programs don’t seem to be working as they once did. What’s going on here?
Chances are your home computer system has suffered a break-in. And the changes made by the intruders probably won’t go away by themselves--you need to fix your computer. So much for a relaxing evening!
Before you begin to tackle the task of fixing your broken computer, you first need to answer some questions. The answers will help to guide the repair process.
To help you to think about how to answer these questions, imagine that your house was broken into instead of your computer. You’re probably a lot more familiar with your house, so let’s use this analogy to apply what you already know to the task of repairing your computer.
1. What changed? To answer the What changed? question about your house, you and those you live with have a pretty good idea of what it looked like before the break-in. Since you already know this, you can more easily figure out what changed.
With your computer, it’s a lot harder to know what it looked like before the break-in, that is, what files and folders were on your hard disk and what they contained. And your computer is much more sensitive to the locations of files and folders and their contents than is your house and its contents. For example, if your television were stolen, you could replace it with another television. But you don’t need to replace it with exactly the same television, and you don’t need to put it in exactly the same place.
In contrast, with your computer you do have to replace moved, deleted, and changed files and folders with exactly what was there before, in most cases, and put them in the same place. Anything less might prevent your computer from working correctly.
And it’s not just the files and folders you’ve created. Your computer came with many files and folders that are part of the operating system (Windows® for example) and its applications (Microsoft® Word, Excel, Outlook, and others that you may have added, such as Intuit® Quicken). It is these files more so than your personal files and folders that must be in the same location and have the same content as before the break-in.
So, what did those files and folders look like before the break-in, and where were they? Chances are you’re not really sure. Not only that, it’s hard to tell unless you’ve taken steps to record the kind of information that can help you decide what changed.
To help you keep track of the files and folders on your computer and their content, you need to purchase or download a free version of a program called an integrity monitor. An integrity monitor checks files and folders to see what’s changed since they were last inspected. These programs use advanced mathematics so that even the smallest of changes can be detected. You run an integrity monitor when you first set up your computer and then run it periodically to see what changed since the last time you checked. Sounds easy, doesn’t it?
Unfortunately, it’s not as easy as it sounds. The challenge is to know what changes to files and folders can be expected as part of the routine operation of your computer. Unexpected changes are likely to be the result of something else, an intruder’s activities for example.
How do you know what changes to expect? The vendors could tell you but they don’t, so you’ll have to figure that out for yourself. One way to do this is to run the integrity monitor once to determine what files and folders are there and what they contain. This process is called baselining. After you’ve baselined your computer, use it for a while and then run the monitor again. The changes you see should be expected. Over time, you’ll learn what’s okay and what’s not. And yes, it is a time-consuming and tedious process. But if you want to know what’s changed, that’s what it takes.
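The baseline-then-compare routine described above, shown as an added example (not the author's or SEI's code): it records a SHA-256 digest for every file under a directory, then re-walks the tree and reports what was added, removed, or changed. The scratch directory and its "tampering" are constructed here so the example runs offline.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def baseline(root):
    """Record size and digest of every file under root, keyed by forward-slash relative path."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"size": os.path.getsize(full), "sha256": hash_file(full)}
    return snap

def compare(old, new):
    """Classify differences between a saved baseline and a fresh snapshot."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new)
                     if old[p]["sha256"] != new[p]["sha256"])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed sample: baseline a scratch tree, alter it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system"))
        with open(os.path.join(root, "system", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("shopping list\n")
        before = baseline(root)
        # A real monitor persists the baseline between runs; JSON round-trip stands in for that.
        saved = json.loads(json.dumps(before))
        # Simulated unexpected changes: one file edited, one removed, one new file appeared.
        with open(os.path.join(root, "system", "hosts"), "a") as f:
            f.write("10.0.0.1 localhost\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "system", "svc.exe"), "wb") as f:
            f.write(b"\x00")
        return compare(saved, baseline(root))
```

Deciding which of the reported differences are routine (a log file growing) and which are not (a system file changing outside of an update) is the judgment the article says you build up over time.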
Now, what do you do if you haven’t baselined your computer, so you can’t figure out what the intruder changed? The safest thing to do is to start all over again by formatting your hard drives, reinstalling your system and applications, and restoring important files from your backups. (You do have backups, don’t you?) Otherwise, you will be relying on files and folders that an intruder may have changed that are still on your hard disk. It’s a risk to use these files but a risk you might decide to accept. Nonetheless, when you don’t know for sure what files were changed, it’s safest to start all over again.
2. How did they get in? Back at your house, there may be obvious signs such as a broken window or a pried-open door. However, if the intruder used an unlocked door and then locked it on the way out, there may be no break-in signs. The point is sometimes it’s easy to figure out and other times it’s nearly impossible.
Figuring out how the intruders got into your computer presents the same problems. If intruders took advantage of a vulnerability in a program, there may be no signs that that’s what they did. But if they sent an email message with a virus attached and text that belittles its reader for poor email security, then it’s more obvious how the break-in occurred. This type of computer intrusion analysis--called computer forensics--can be more art than science at times. Clues may be hard to come by.
But a little detective work might reveal what happened to your computer. For example, if you use an integrity monitor, you might be able to determine how the intruders got in based on the files they changed. Since viruses are a popular method intruders use to break into computer systems, you may be able to relate the set of files changed on your computer to a virus the intruders used. Visit the anti-virus web sites to get information about viruses and the files they change. This may give you the clues you need to figure out how the intruders got in.
There may be other clues lying around. For example, your computer might run slower and slower, as mentioned in the first paragraph. This could be an indication that one or more programs are running constantly, perhaps sending traffic to other computers. Review the programs that are running on your computer and see which are using the most CPU time. Use this information as you used the “files changed” information from your integrity monitor to try to learn how the intruders broke into your computer.
3. What do I need to change? Answering the What do I need to change? question about your house may be easy. You may keep a key to the front door under the flower pot on your front porch. A passerby who happens to see that there is a key there could use it to enter your house. This is a case where you need to change the way you set up your house to improve its security.
Now back to your computer. If you can figure out how the intruders got in, you can more easily decide what you need to change to try to keep them out. For example, if they took advantage of a vulnerability and you don’t routinely install patches that would have fixed the vulnerability, then you need to start installing patches routinely. Or, if you use your home computer to read email and you aren’t running a virus scanner, you should install anti-virus software and use it, especially when working with email. For a list of tasks you should routinely do to your home computer, read Home Computer Security.
The message is that you might need to change how your computer is set up so that it is more resistant to intruders.
Many home computers have been broken into, perhaps even yours. Knowing what to do after the break-in requires some advanced planning to reduce your repair effort and can greatly improve the chances that you’ve completely rid your computer of the intruder. It’s time well spent.
About the Author
Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of administering systems in a secure fashion and software tools and techniques for creating new systems being deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX Systems V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.
This and other columns by Larry Rogers, along with extensive information about computer and network security, can be found at http://www.cert.org.
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.