
Why didn't I have to tell my firewall to allow a technician remote access?

Question:

I recently allowed a tech from a VOIP voice router company to remotely take over my computer in order to try and fix a router problem. I was amazed at how quickly he manipulated things within my computer and router, but I have been thinking, although I gave permission, which was only protocol from his company to ask for, how easy it must be for a pro hacker to do the very same without any permission. Then I’m thinking how good was my firewall, etc. It didn’t even seem to have a clue as to what was going on; I would have thought that I might have needed to shut down my firewall for him to get access to my computer, but no, it was just too easy. I wonder what your thoughts are on this. I’m using Windows 7 Home Premium 64 bit.

This is a wonderful example of how even the best, most securely protected
computers can still get infected.

No, I’m not saying that you got infected. Chances are what you allowed was above
board and without malicious intent.

But understanding how it happened (that your firewall wasn’t involved) is
pretty key to understanding how malware can still spread.

You invite it in.


Vampire at the door

When your computer is behind a firewall – including your router acting as a firewall – malware becomes much like the mythical vampire: it can come to your door, but it cannot enter until you actually invite it in.

That, by itself, stops a lot of malware from ever reaching your machine. There are active botnets and infected machines on the internet that are tirelessly searching for unprotected machines; upon finding one, they will gain entry and install malware.


With your firewall in place, that won’t happen.

Because you won’t invite them in.

That remote access was probably by your invite

Most remote access – including what you described – is not initiated by the remote technician.

Chances are the technician first had you run a program on your computer or visit a website that installed some software on your machine. That software then initiated the connection from your machine to that of the technician. Essentially, that invited him in. Once the connection was established, the software on his computer could use it to remotely access yours.

Because the connection was an outgoing one, established from your computer to his and not the other way around, your firewall was fine with it: the technician’s traffic arrived as replies on a connection your own machine had opened. Many firewalls don’t pay attention to outbound connections at all.

In this case, the connection was established for a legitimate purpose.

Sadly, it’s not always legitimate.

Inviting in malware

Hopefully, you can see now that while a firewall protects you from one class of malicious software, it cannot protect you from everything.

Specifically, it cannot protect you from malicious software that you explicitly invite on to your machine.

What do those “invitations” look like?

  • Email you download that contains malicious attachments. When you download email, your computer requests it – meaning it’s an outgoing connection to your email server that invites it to deliver email to your machine. Once on your machine, running or opening a malicious attachment can in turn infect your machine.

  • Web pages that you visit that contain malicious content. When you visit a web page, your computer requests the contents of that page – meaning it makes an outgoing connection to the web server and asks it to send the contents of the page to your computer so they can be displayed. Malicious web pages can then cause malware to be installed, often by establishing their own outgoing connections to their own servers, where they “invite” the download of spyware and/or viruses.

Outgoing Firewalls

While a firewall’s primary purpose is to block uninvited guests, software firewalls (including Windows’ own) will often monitor outgoing connections as well.

In other words, some firewalls can keep an eye on those outgoing invitations.

Now, I’m not a huge fan of outgoing firewalls, but there are many who disagree with me. My take is that by the time the outgoing firewall has something to catch, it’s too late – malware already has its hooks into your machine, making that outgoing request. The outgoing firewall can prevent things from getting worse, but the fact is there’s already something going on.

I prefer to focus on prevention; before there’s ever a chance to make those malicious requests, you should be aware of how visiting malicious sites and opening malicious attachments are basically inviting malware on to your machine.
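To make the two points above concrete (a remote-support tool that dials out passes the firewall because the technician’s traffic is a reply on a connection your machine opened, and an outgoing firewall only helps once something is already running and trying to dial out), here is a toy model of a stateful packet filter. This is an added illustration, not code from the article or from any firewall product; the IP addresses, port numbers and program names (`support_tool.exe`, `malware.exe`) are constructed for the example.

```python
"""Toy stateful packet filter: default policy blocks unsolicited inbound
connections, allows outbound ones, and allows replies to flows the local
host opened. Setting filter_outbound=True turns it into an 'outgoing
firewall' that only lets allow-listed programs open new connections.
Constructed example; addresses, ports and program names are made up."""
from dataclasses import dataclass
from typing import Optional

ALLOW, DROP = "ALLOW", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str                       # source IP address
    dst: str                       # destination IP address
    sport: int                     # source port
    dport: int                     # destination port
    syn: bool = False              # True for the first packet of a new TCP connection
    program: Optional[str] = None  # owning process; only known for locally generated packets


class StatefulFirewall:
    def __init__(self, local_ip: str, filter_outbound: bool = False,
                 allowed_programs: tuple = ()):
        self.local_ip = local_ip
        self.filter_outbound = filter_outbound
        self.allowed_programs = set(allowed_programs)
        # Established flows, keyed from the local side: (local_port, remote_ip, remote_port)
        self.flows: set = set()

    def handle(self, pkt: Packet) -> str:
        """Return ALLOW or DROP for one packet, updating flow state as needed."""
        if pkt.src == self.local_ip:                      # outbound packet
            key = (pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:                                   # local host is opening a connection
                if self.filter_outbound and pkt.program not in self.allowed_programs:
                    return DROP                           # outgoing firewall: unknown program may not dial out
                self.flows.add(key)                       # remember the flow so replies are let back in
                return ALLOW
            return ALLOW if key in self.flows else DROP
        key = (pkt.dport, pkt.src, pkt.sport)             # inbound packet, re-keyed from the local side
        return ALLOW if key in self.flows else DROP       # only replies to flows we opened get in


# Constructed addresses: the home PC, the technician's server, and an internet bot.
HOME, TECH, BOT = "192.168.1.20", "203.0.113.10", "198.51.100.7"


def unsolicited_inbound(fw: StatefulFirewall) -> str:
    """A bot probing the home PC's remote-desktop port with no prior invitation."""
    return fw.handle(Packet(src=BOT, dst=HOME, sport=40000, dport=3389, syn=True))


def remote_support_session(fw: StatefulFirewall, program: str) -> list:
    """A local program dials out to the technician's server; the technician's
    commands then ride back over that same flow. Returns one verdict per packet."""
    verdicts = [fw.handle(Packet(src=HOME, dst=TECH, sport=50123, dport=443,
                                 syn=True, program=program))]
    # Technician's reply (remote-control commands) on the flow the PC opened.
    verdicts.append(fw.handle(Packet(src=TECH, dst=HOME, sport=443, dport=50123)))
    # Screen data going back out on the same flow.
    verdicts.append(fw.handle(Packet(src=HOME, dst=TECH, sport=50123, dport=443,
                                     program=program)))
    return verdicts


def run_scenarios() -> dict:
    """Run the scenarios against a default firewall and an outgoing firewall."""
    egress = lambda: StatefulFirewall(HOME, filter_outbound=True,
                                      allowed_programs=("support_tool.exe",))
    return {
        # Unsolicited inbound connection: blocked, the 'vampire at the door'.
        "scan_vs_default": unsolicited_inbound(StatefulFirewall(HOME)),
        # Support tool dials out: allowed, and so are the technician's replies.
        "support_vs_default": remote_support_session(StatefulFirewall(HOME), "support_tool.exe"),
        # Same session through an outgoing firewall that allow-lists the tool.
        "support_vs_egress_allowed": remote_support_session(egress(), "support_tool.exe"),
        # Malware already running on the PC phones home: the default firewall
        # cannot tell it apart from the support tool, because the PC invited it.
        "malware_vs_default": remote_support_session(StatefulFirewall(HOME), "malware.exe"),
        # The outgoing firewall stops the phone-home, but only after infection.
        "malware_vs_egress": remote_support_session(egress(), "malware.exe"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {verdict}")
```

The default firewall gives the same answer for the support tool and for the phone-home: both are outbound connections it was told to allow, which is exactly why the question’s firewall stayed silent. Only the outgoing-filter variant distinguishes them, and by the time it does, `malware.exe` is already running on the machine, which is the point made in the section above.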


9 comments on “Why didn't I have to tell my firewall to allow a technician remote access?”

  1. I thought that Windows 7 Home Premium did not support Remote Desktop Connections, so how did the technician connect? I would like to be able to help my friends by connecting to their computer so how was it done?

    Remote Desktop is a feature in Windows that’s not enabled for Home edition. However, there are many third-party solutions that do the equivalent, such as LogMeIn, TeamViewer and more.

    Leo
    03-Mar-2012
    Reply
  2. The article provided useful information on how infection occurs, but the article implies the answer is “Don’t visit malicious sites”? We never know which sites are malicious, maybe even after infection. So, should we avoid browsing the web at all? How about an article on how we can know if sites are malicious?

    That’s this article, already on the site: What is a “questionable” or “suspicious” website?

    Leo
    03-Mar-2012
    Reply
  3. OK Leo, so everybody knows if you click on a link that’s infected you’re done for. But the problem is, in order to move around on the web, you have to click a link. I had occasion to do just that, click a link, and get socked. Fortunately, I’ve read Leo, and lots of other stuff about malware, and after a bout of getting RKILL running using a pseudo name, and Malwarebytes, I was able to regain control. So using a test machine I went through the same steps as before to get to the poisoned page and it was OK. I had saved the link (original) so I revisited the link directly by clicking on it, and that one was still corrupt. I know there was something different in the links, but never figured it out. I assume how I got to the link had some bearing in getting to the bad one. The point here is: there was no flag saying this is a bad link. It can be (was) an innocent enough site; nothing in my firewall, antivirus, anti-spyware stopped it. My conclusion is there is no guarantee there is such a thing as a “safe web”? And do we (the public) belong on it?

    Other than running on a live CD, or other stand alone environment what are our options?

    Reply
  4. @daffey, run Sandboxie. Everything in the sandbox. I tried that for a few months and it was too much trouble. At the time I was adjusting to Win7 and dual-booting OSs, so I needed to download lots of troubleshooting and tips, also downloading drivers and files. The experience was something like hitting oneself in the arm as hard as you can. And I agree with Leo. If a file or program is dialing out it’s already on the computer. Run antimalware weekly and rootkit scans occasionally if anything strange appears to be happening on your computer. That’s another reason Windows Update has to ask me if it’s okay to download and install. A busily running hard drive and hard drive light to me is a cause for suspicion. And yes, Verizon tech support in India did the same thing with me a few years ago. Bewildering. But I got a laugh from it when they couldn’t navigate well while I was using a desktop replacement program and my 32″ LCD TV as a monitor.

    Reply
  5. My firewall alerts me to any ‘phone-home’ attempts. That tells me something is happening that it thinks I want to know about, which is the idea. If there’s nothing obvious that needs to do this I KNOW I have something to look for.

    Reply
  6. About letting a technician access your machine.

    Simply put, as already mentioned, there has to be a high level of trust, whether it be VOIP or any security suite. My focus will be on the latter. I had a suite that featured the option to talk to a “technician”.
    Let’s just say they do have a good reputation for their firewall. But if you need to uninstall the suite for any reason you have to allow them to access your machine, as they do not have a way to uninstall even in Add/Remove or in safe mode with a downloaded zip package. However, as usual there are workarounds for this, such as Revo Uninstaller, CCleaner, etc.
    To the matter at hand:
    A machine in my network with said suite installed on it suddenly just stopped working and would not update itself as it was supposed to. Came to find out later the machine was ridden with viruses. It belonged to a female in the network, so long story shorter, a local tech and myself put it through a battery of tests to find out why what happened did. At first we could not pinpoint the problem, then finally tested for malware, trojans, etc. At last we had an aha moment. After the suite was removed everything worked, but when the vendor was contacted (they had a guarantee) they asked for a sample to test. No one even suspected some things got through, so samples were out of the question.
    Windup was MSE was installed instead with the free ZA firewall, because from my understanding both Microsoft Security Essentials and Windows Firewall were limited in what they can and can’t do.
    Word to the wise.
    NOT everything works as advertised, even some HIPS programs.
    As an example, one time said tech from them was allowed on my main machine to attempt to rectify something wrong. Shortly after, the same machine was telling me my network adapters were not any good; however, when bypassing the Vista OS (now Win7) with Ubuntu that proved false. Needless to say they became history and were replaced with another security suite that is highly recommended. No problems to date, and the only vendor out there besides Microsoft that offers lifetime subscriptions for about what others’ renewal costs.
    Plus their technicians are right here in the States, not in India someplace, IF you ever need them.
    NO, this is not an endorsement of any kind for anyone, nor do I work for them. It is just a situation that relates to others accessing your computer.

    Reply
  7. Discretion is the better part of valor. The keyword is trust. If you have ANY doubt, do not allow. Do additional “homework” until trust is verified.

    Reply
