What You Need To Protect Yourself
| Patching, browsing and mail | Anti-spyware |
| --- | --- |
| Microsoft Baseline Security Analyzer V1.2.1 | Ad-Aware SE Personal - spyware finder |
| Firefox* - Fast, secure alternative to Internet Explorer. | Spybot - Search & Destroy - Spyware finder. |
| Thunderbird* - Fast, secure alternative to Outlook Express. | SpywareBlaster - prevents spyware sites from setting cookies and installing ActiveX-based spyware. |
| HOSTS File* - A HOSTS file that helps to block advertising and sites that are known to download spyware to your system. | SpywareGuard - prevents spyware .exe and .cab files from being executed, and prevents browser hijacking. |
In addition to the above software you'll need a few more things:
Software firewall - Windows XP's built-in firewall isn't enough. Third-party firewalls offer protection and configuration options that Windows Firewall doesn't. Did you know that Windows Firewall only filters inbound communications and not outbound?
DiamondCS Process Guard and Sysinternals RootkitRevealer - While we have tried to recommend freeware products in this paper, we are not aware of any freeware products available at the time this paper was written that will prevent the installation of rootkits, dll injections or global hooks. Process Guard is a relatively mature and inexpensive shareware product that has this ability. It is very important to realize that Process Guard can only prevent the installation of new rootkits, dll injections or global hooks; it cannot remove those that are already present at the time it is installed. Process Guard also depends on the weakest security link of all: user decisions. Users must decide, often with inadequate information, whether to permit or deny the use and/or installation of a global hook, dll or service. An excellent review and description of the current version of Process Guard (v3.150) can be found at the ABXLabs Forum of ABXZone.com.
The freeware RootkitRevealer can be used to find most known, but probably not all, rootkits that have previously been installed on a system. RootkitRevealer cannot reveal dll injections or global hooks, nor can it clean a system after it has been compromised.
So, what are "rootkits", "dll injection" and "global hooks", and why are they so dangerous?
- Rootkits: A rootkit is a software package of programs and/or scripts that a cracker can install on any system they can gain access to, even if the current user lacks administrative rights. It is actually an old UNIX attack technique, recently updated to attack Windows, UNIX and Linux based operating systems. It replaces real operating system or common application files with cracker-modified ones, generally using the correct date, hash and size of the real file, so it is very hard if not impossible to distinguish from the real version. The modified file may do one of several things: it may act as a keylogger, a packet sniffer, etc., but the goal is to capture confidential information at a very low, administrative level in the operating system, many times at the kernel or root level. One valid way to think of a rootkit is to consider it an "invisible" trojan. Once it has captured something of value to the cracker, it will send that information back to them. A normal firewall cannot stop this from happening, even with outbound program protection, because as far as the firewall is concerned, the sending program is indistinguishable from the real version.
- dll injection: dlls are non-user executable files. They are generally system files and drivers, although many applications use dlls for executing parts of their main application. Most user executable files (typically .exe files) reference the dlls they use, and contain a list of required system files for proper execution of the application within the main or secondary executable files. You can see the list of executable files that a program requires by using tools like Dependency Walker (originally developed by Microsoft) or FileAlyzer (from the developers of Spybot S&D), which is easier and more convenient to use than Dependency Walker, and installs a right-click context menu item you can use to analyze any type of file. What a malware dll injector does is install one or more malware dll(s) in some hard-to-find place, and then "inject" a dependency into one or more legitimate system or application files. When the system or application file is executed, the operating system sees the dependency and, depending on how the dependency is used, either executes it or simply checks that the required dll exists on the system. Remember, dll injection is a legitimate and necessary programming technique, and is required in order for the system to properly execute system and program files; the difference in this case is that the injected dll does something nasty. dll injectors often install one or more main files, which check for the existence of the other dlls they installed, and if they are not present, recreate them, usually with a different name. Malware dll injectors are thus one of the main sources of "morphing" malware. They also usually make changes to the Windows registry files.
- Global Hooks: A global hook is a program call generally to drivers or services for required hardware, commonly your keyboard or mouse, but often for specialized video, sound, etc., driver components. For example, if a video application such as a game or A/V player uses hardware acceleration, the software has to install a "hook" to the hardware via the hardware's drivers. In a similar manner, malware can install a driver or service, and create hooks to a malware installed driver or service. Again, these are very hard to find and clean, and practically must be prevented from installing in the first place.
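The rootkit description above says a replaced file keeps the real file's date and size, which is exactly why a check based on those two properties finds nothing. The following script is an added example, not code from this guide or from RootkitRevealer: it records a baseline of size, modification time and SHA-256 for each file in a directory and then shows that a same-size replacement with its timestamp put back is missed by the size-and-date comparison but caught by the hash comparison. The file names and contents are constructed in a temporary directory. The caveat a practitioner should carry over: the baseline has to be taken while the system is known-good and stored off the machine, and the comparison has to run from an environment the rootkit does not control (boot media, or the cross-view technique RootkitRevealer uses), because a kernel-level rootkit can hand the checker the original bytes.

```python
"""File-integrity baseline check (added example, not from the original guide)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record (size, mtime_ns, sha256) for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, sha256_of(path))
    return baseline


def compare(root, baseline):
    """Compare the tree against a stored baseline.

    'metadata_changed' is what a size-and-date check would flag;
    'content_changed' is what the SHA-256 comparison flags.
    """
    current = build_baseline(root)
    report = {"metadata_changed": [], "content_changed": [], "missing": [], "new": []}
    for rel, (size, mtime_ns, digest) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        cur_size, cur_mtime_ns, cur_digest = current[rel]
        if (cur_size, cur_mtime_ns) != (size, mtime_ns):
            report["metadata_changed"].append(rel)
        if cur_digest != digest:
            report["content_changed"].append(rel)
    report["new"] = sorted(set(current) - set(baseline))
    for key in ("metadata_changed", "content_changed", "missing"):
        report[key].sort()
    return report


def demo():
    """Replace one constructed file with same-size content and restore its timestamp."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample "system files"; the names are made up.
        files = {
            "sample_app.exe": b"MZ legitimate application".ljust(40, b"."),
            "sample_service.dll": b"MZ legitimate service library".ljust(40, b"."),
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)  # taken while the tree is known-good

        # Simulated replacement: same length as the original, then the original
        # modification time is put back, which is all a size-and-date check sees.
        target = os.path.join(root, "sample_service.dll")
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"MZ trojanised service library".ljust(40, b"."))
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

        return compare(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `sample_service.dll` under `content_changed` and nothing under `metadata_changed`: the size and date match the baseline, only the hash differs. Against a real system the baseline would cover the Windows system directories, not a temporary folder.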
Firewall router - If you connect to the Internet via a broadband connection, buy a good hardware firewall router. Most quality cable/DSL routers have firewalls built-in today. Many people buy these to share an Internet connection, not knowing the built-in protection that these devices offer. Even if you only have one computer connected to the Internet via a broadband connection you should have a good hardware firewall router. Configured correctly, it is an excellent first layer of defense against crackers (more on this later). Basic firewall routers are not expensive; many on-line shops sell name-brand ones for as little as $50 (US).
Router options should include:
- Network Address Translation (NAT): This hides the IP address of the computer you are on to computers outside your home network. Please understand that NAT is not, and never was, intended to be a "firewall". It was designed to provide "many to one" Internet access for a LAN with one or more systems to connect to the Internet using a single IP address.
- Port Blocking: blocks access to Internet ports and protocols that are either unused or unnecessary. Even better, higher quality firewall routers offer port stealthing, but more on that later.
- Stateful Packet Inspection (SPI): A more advanced form of packet inspection. It remembers the connections your computers open and admits only inbound packets that belong to one of them (explained in more detail below).
- Virtual Private Network (VPN): If you connect to your computers at home while at another location, this is a must. VPN creates a tunnel between 2 computers so that no other computers can listen in.
A Brief Explanation of SPI
In order to use the Internet, you do have to open some ports and protocols on your firewall router to outbound packets. In return, you need to be able to receive return packets from the Internet in order to, say, get your email. That means there is an open vulnerability to attack via those open ports and protocols that can be exploited IF a cracker is sophisticated enough to break through your NAT protections, and there are some that certainly can do exactly that.
What SPI does is create a "one way door", so to speak. It "remembers" requests that have been made, again say for your email, and will permit entry only for those packets which are being received in response to that request. So an unrequested packet, for example one spoofing a response to a request for email, will not be permitted entry because there was no corresponding outbound request. Thus, it protects necessary open ports and protocols from inbound attacks.
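The "one way door" is easiest to see as a connection table. The script below is an added example, not code from this guide or from any router; it is a deliberately simplified model of what the SPI option does. An outbound packet creates a table entry keyed on protocol and the two address/port pairs, every inbound packet is checked against that table, and a TCP FIN or RST removes the entry (a real filter keeps a closing connection around a little longer so the final handshake packets pass; that is left out here). The packets, the LAN address 192.168.1.10 and the Internet addresses from the documentation ranges are all constructed for the demonstration.

```python
"""Toy stateful packet inspection (SPI) filter (added example, not from the guide)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()   # TCP flags such as {"SYN"}, {"FIN"}, {"RST"}


class StatefulFilter:
    """Outbound traffic is allowed and remembered; inbound is default-deny."""

    def __init__(self):
        # Each entry: (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.connections = set()

    @staticmethod
    def _key(pkt):
        """Normalise a packet so both directions of one connection share a key."""
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt):
        key = self._key(pkt)
        closing = pkt.proto == "tcp" and bool(pkt.flags & {"FIN", "RST"})
        if pkt.direction == "out":
            if closing:
                self.connections.discard(key)   # LAN side ended the connection
            else:
                self.connections.add(key)       # remember the request
            return "ALLOW"
        # Inbound: only an answer to a remembered request gets through.
        if key not in self.connections:
            return "DROP"
        if closing:
            self.connections.discard(key)       # remote side ended it; later packets need a new request
        return "ALLOW"


def demo():
    """Run constructed packets through the filter and return the verdicts in order."""
    fw = StatefulFilter()
    lan, mail, dns, attacker = "192.168.1.10", "203.0.113.25", "203.0.113.53", "198.51.100.7"
    packets = [
        # POP3 request from the LAN and the server's genuine reply
        Packet("out", "tcp", lan, 49152, mail, 110, frozenset({"SYN"})),
        Packet("in", "tcp", mail, 110, lan, 49152, frozenset({"SYN", "ACK"})),
        # Spoofed "reply" from a different host to the same LAN port
        Packet("in", "tcp", attacker, 110, lan, 49152, frozenset({"SYN", "ACK"})),
        # Unsolicited connection attempt to a service the LAN never asked about
        Packet("in", "tcp", attacker, 40000, lan, 135, frozenset({"SYN"})),
        # Server closes the mail connection; a packet arriving afterwards is refused
        Packet("in", "tcp", mail, 110, lan, 49152, frozenset({"FIN", "ACK"})),
        Packet("in", "tcp", mail, 110, lan, 49152, frozenset({"ACK"})),
        # The same rule covers UDP: a DNS query and its answer
        Packet("out", "udp", lan, 53000, dns, 53),
        Packet("in", "udp", dns, 53, lan, 53000),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The verdicts come out as ALLOW, ALLOW, DROP, DROP, ALLOW, DROP, ALLOW, ALLOW: the two spoofed or unsolicited packets and the packet arriving after the connection closed are dropped even though they target ports the router had to open for legitimate replies.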
Anti Virus (AV) Software
This is critical. Virus and Trojan outbreaks are a daily occurrence, and statistics show that an unprotected system will become infected by a virus or Trojan in an average of 16 minutes. This time is called "Survival Time" and is tracked by SANS - Internet Storm Center. An excellent "white paper", published by SANS, on this subject is Windows XP: Surviving the First Day. This frightening statistic means that a totally unprotected system may not have enough time to download critical security-based Windows updates before becoming fatally infected.